diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md
index 0e23616..14d97f5 100644
--- a/.claude/CLAUDE.md
+++ b/.claude/CLAUDE.md
@@ -27,6 +27,25 @@ git push origin main
 **NIEMALS** manuell in Orca auf "Redeploy" klicken — Gitea Actions triggert Orca automatisch.
 **IMMER auf `main` pushen** — sowohl origin als auch gitea.
 
+### TEMPORAER: Compliance-Repo Refactoring (Stand 2026-04-12)
+
+**Das Compliance-Repo wird aktuell auf Production (gitea) refakturiert.**
+
+- **Core + Lehrer:** Normal auf `main` pushen (origin + gitea) ✅
+- **Compliance auf Mac Mini (origin):** Normal auf `main` pushen ✅
+- **Compliance auf Production (gitea):** **NUR Feature Branches**, NICHT auf `main` pushen! ⚠️
+
+```bash
+# Compliance-Repo — RICHTIG:
+git push origin main                                    # Mac Mini OK
+git push gitea feature/mein-feature                     # Production: nur Feature Branch!
+
+# Compliance-Repo — FALSCH (waehrend Refactoring):
+# git push gitea main                                   # NICHT MACHEN!
+```
+
+**Nach Abschluss des Refactorings:** Gesamten Compliance-Code einmalig von Production auf Mac Mini uebernehmen. User sagt Bescheid wann es soweit ist.
+
 ### Post-Push Deploy-Monitoring (PFLICHT nach jedem Push auf gitea)
 
 **IMMER wenn Claude auf gitea pusht, MUSS danach automatisch das Deploy-Monitoring laufen:**
@@ -318,6 +337,46 @@ npx tsc --noEmit && npm run lint && npm run build
 
 ---
 
+## Code-Qualitaet Guardrails (NON-NEGOTIABLE)
+
+> Vollstaendige Details: `.claude/rules/architecture.md`
+> Ausnahmen: `.claude/rules/loc-exceptions.txt`
+
+### File Size Budget
+
+- **Hard Cap: 500 LOC** pro Datei
+- Wenn eine Aenderung eine Datei ueber 500 LOC bringen wuerde: **erst splitten, dann aendern**
+- Ausnahmen nur mit Begruendung in `loc-exceptions.txt` + `[guardrail-change]` Commit-Marker
+
+### Architektur
+
+- **Go:** Handler ≤40 LOC → Service-Layer → Repository-Pattern
+- **Python:** Routes duenn → Business Logic in Services → Persistenz in Repositories
+- **TypeScript/Next.js:** page.tsx duenn → _components/, _hooks/ auslagern
+
+### FINGER WEG (laufende RAG Pipeline)
+
+Diese Verzeichnisse duerfen NICHT refaktoriert werden:
+- `control-pipeline/` — RAG/Control-Extraction Pipeline
+- `rag-service/` — Semantische Suche
+- `embedding-service/` — Text-Embeddings
+- `voice-service/bqas/` — RAG Quality Assessment
+
+### LOC-Check ausfuehren
+
+```bash
+bash scripts/check-loc.sh --changed   # nur geaenderte Dateien
+bash scripts/check-loc.sh --all       # alle Dateien (zeigt alle Violations)
+```
+
+### Commit-Marker
+
+- `[split-required]` — Aenderung beginnt mit Datei-Split
+- `[guardrail-change]` — Aenderungen an .claude/**, scripts/check-loc.sh
+- `[interface-change]` — Public API Contracts geaendert
+
+---
+
 ## Kernprinzipien
 
 ### 1. Open Source Policy
diff --git a/.claude/rules/architecture.md b/.claude/rules/architecture.md
new file mode 100644
index 0000000..4f97b45
--- /dev/null
+++ b/.claude/rules/architecture.md
@@ -0,0 +1,79 @@
+# Architecture Rule — BreakPilot Core
+
+## File Size Budget
+
+Hard default: **500 LOC max** per file.
+Soft targets:
+- Handler/Router/Service: 300-400 LOC
+- Models/Schemas/Types: 200-300 LOC
+- Utilities: 100-200 LOC
+
+Ausnahmen nur in `.claude/rules/loc-exceptions.txt` mit Begruendung.
+
+## Split-Trigger
+
+Sofort splitten wenn:
+- Datei ueberschreitet 500 LOC
+- Datei wuerde nach Aenderung 500 LOC ueberschreiten
+- Datei mischt Transport + Business Logic + Persistence
+- Datei enthaelt mehrere unabhaengig testbare Verantwortlichkeiten
+
+## Go (consent-service, billing-service)
+
+- Handler duenn halten (≤40 LOC pro Handler-Funktion)
+- Business Logic in Services/Use-Cases
+- Transport/Request-Decoding getrennt von Domain-Logik
+- Dateien im gleichen Package teilen Typen automatisch — kein Re-Export noetig
+- Models nach Domain splitten (user, consent, school, document, etc.)
+
+## Python (backend-core, night-scheduler)
+
+- Routes duenn halten — Business Logic in Services
+- Persistenz in Repositories/Data-Access-Module
+- Pydantic Schemas nach Domain splitten
+- Zirkulaere Imports vermeiden
+
+## TypeScript / Next.js (admin-core, pitch-deck)
+
+- page.tsx duenn halten — Server Actions, Queries, Components auslagern
+- _components/ + _hooks/ Konvention fuer Route-lokale Extracts
+- .ts Dateien mit JSX muessen .tsx heissen (Turbopack!)
+- Monolithische types.ts frueh splitten
+- types.ts + types/ Shadowing vermeiden
+
+## Entscheidungsreihenfolge
+
+1. Bestehendes kleines kohaeesives Modul wiederverwenden
+2. Neues Modul in der Naehe erstellen
+3. Ueberfuellte Datei splitten, neues Verhalten in richtiges Split-Modul
+4. Nur als letzter Ausweg: Grosse bestehende Datei erweitern
+
+## FINGER WEG (laufende RAG Pipeline)
+
+Diese Verzeichnisse duerfen NICHT refaktoriert werden:
+- `control-pipeline/` — RAG/Control-Extraction Pipeline
+- `rag-service/` — Semantische Suche
+- `embedding-service/` — Text-Embeddings
+- `voice-service/bqas/` — RAG Quality Assessment
+
+## Workflow (bei jeder Aenderung)
+
+1. Datei lesen + LOC pruefen
+2. Wenn nahe am Budget → erst splitten
+3. Minimale kohaerente Aenderung
+4. Verifikation (Tests + Lint)
+5. Zusammenfassung: Was geaendert, was verifiziert, Restrisiko
+
+## LOC-Check ausfuehren
+
+```bash
+bash scripts/check-loc.sh --changed   # nur geaenderte Dateien
+bash scripts/check-loc.sh --all       # alle Dateien (zeigt alle Violations)
+```
+
+## Commit-Marker
+
+- `[split-required]` — Aenderung beginnt mit Datei-Split
+- `[guardrail-change]` — Aenderungen an .claude/**, scripts/check-loc.sh
+- `[interface-change]` — Public API Contracts geaendert
+- `[migration-approved]` — Schema-/Migrations-Aenderungen
diff --git a/.claude/rules/loc-exceptions.txt b/.claude/rules/loc-exceptions.txt
new file mode 100644
index 0000000..9e4bb87
--- /dev/null
+++ b/.claude/rules/loc-exceptions.txt
@@ -0,0 +1,35 @@
+# LOC Exceptions — BreakPilot Core
+# Format: <glob> | owner=<person> | reason=<why> | review=<date>
+#
+# Jede Ausnahme braucht Begruendung und Review-Datum.
+# Temporaere Ausnahmen muessen mit [guardrail-change] Commit-Marker versehen werden.
+
+# Generated / Build Artifacts
+**/node_modules/** | owner=infra | reason=npm packages | review=permanent
+**/.next/** | owner=infra | reason=Next.js build output | review=permanent
+**/__pycache__/** | owner=infra | reason=Python bytecode | review=permanent
+**/venv/** | owner=infra | reason=Python virtualenv | review=permanent
+
+# Test-Dateien (duerfen groesser sein fuer Table-Driven Tests)
+**/*test*.py | owner=all | reason=Tests mit Table-Driven Patterns duerfen groesser sein | review=permanent
+**/*test*.go | owner=all | reason=Go Tests mit Table-Driven Patterns | review=permanent
+**/*test*.ts | owner=all | reason=TypeScript Tests | review=permanent
+**/tests/** | owner=all | reason=Test-Verzeichnisse | review=permanent
+
+# FINGER WEG — Laufende RAG Pipeline (NICHT anfassen!)
+control-pipeline/** | owner=pipeline | reason=Laufende RAG Pipeline, parallele Jobs aktiv | review=permanent
+rag-service/** | owner=pipeline | reason=Semantische Suche, produktiv | review=permanent
+embedding-service/** | owner=pipeline | reason=Text-Embeddings, produktiv | review=permanent
+voice-service/bqas/** | owner=pipeline | reason=RAG Quality Assessment, produktiv | review=permanent
+
+# Seed/Helper Scripts (keine Service-Logik)
+scripts/seed-demo-and-screenshot.py | owner=infra | reason=Einmaliges Seed-Script, kein Service-Code | review=permanent
+pitch-deck/scripts/import-finanzplan.py | owner=pitch-deck | reason=583 LOC, einmaliges Excel-Import-Script (9 Sheet-Importer), hardcodierte Row/Col-Mappings fuer eine Finanzplan-.xlsm-Datei, keine wiederverwendbare Logik | review=2027-01
+
+# PDF Templates (reine statische HTML/CSS Strings, keine Logik)
+backend-core/services/pdf_templates.py | owner=all | reason=519 LOC, rein statische Jinja2-HTML-Templates + CSS, keine Logik | review=2026-07
+
+# Pitch Deck — pure data files (static text, translations, no logic)
+pitch-deck/lib/presenter/presenter-faq.ts | owner=pitch-deck | reason=973 LOC, pure static FAQ array (questions/answers/keywords), no logic | review=2027-01
+pitch-deck/lib/presenter/presenter-script.ts | owner=pitch-deck | reason=608 LOC, pure static presenter script data + 3 trivial lookup functions | review=2027-01
+pitch-deck/lib/i18n.ts | owner=pitch-deck | reason=620 LOC, pure DE/EN translation dictionaries + 3 small format helpers | review=2027-01
diff --git a/admin-core/app/(admin)/infrastructure/ci-cd/_components/DeploymentsTab.tsx b/admin-core/app/(admin)/infrastructure/ci-cd/_components/DeploymentsTab.tsx
new file mode 100644
index 0000000..b99efd8
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/ci-cd/_components/DeploymentsTab.tsx
@@ -0,0 +1,154 @@
+'use client'
+
+import type { ContainerInfo, DockerStats } from '../types'
+
+export function DeploymentsTab({
+  dockerStats,
+  containerFilter,
+  setContainerFilter,
+  filteredContainers,
+  onContainerAction,
+  actionLoading,
+  onRefresh,
+}: {
+  dockerStats: DockerStats | null
+  containerFilter: 'all' | 'running' | 'stopped'
+  setContainerFilter: (filter: 'all' | 'running' | 'stopped') => void
+  filteredContainers: ContainerInfo[]
+  onContainerAction: (containerId: string, action: 'start' | 'stop' | 'restart') => void
+  actionLoading: string | null
+  onRefresh: () => void
+}) {
+  const getStateColor = (state: string) => {
+    switch (state) {
+      case 'running': return 'bg-green-100 text-green-800'
+      case 'exited':
+      case 'dead': return 'bg-red-100 text-red-800'
+      case 'paused': return 'bg-yellow-100 text-yellow-800'
+      case 'restarting': return 'bg-blue-100 text-blue-800'
+      default: return 'bg-slate-100 text-slate-600'
+    }
+  }
+
+  return (
+    <div className="space-y-6">
+      {/* Header */}
+      <div className="flex items-center justify-between">
+        <div>
+          <h3 className="text-lg font-semibold text-slate-800">Docker Container</h3>
+          {dockerStats && (
+            <p className="text-sm text-slate-600">
+              {dockerStats.running_containers} laufend, {dockerStats.stopped_containers} gestoppt, {dockerStats.total_containers} gesamt
+            </p>
+          )}
+        </div>
+        <div className="flex items-center gap-2">
+          <select
+            value={containerFilter}
+            onChange={(e) => setContainerFilter(e.target.value as typeof containerFilter)}
+            className="px-3 py-1.5 text-sm border border-slate-300 rounded-lg bg-white"
+          >
+            <option value="all">Alle</option>
+            <option value="running">Laufend</option>
+            <option value="stopped">Gestoppt</option>
+          </select>
+          <button
+            onClick={onRefresh}
+            className="px-3 py-1.5 text-sm border border-slate-300 text-slate-700 rounded-lg hover:bg-slate-50"
+          >
+            Aktualisieren
+          </button>
+        </div>
+      </div>
+
+      {/* Container List */}
+      {filteredContainers.length === 0 ? (
+        <div className="text-center py-8 text-slate-500">Keine Container gefunden</div>
+      ) : (
+        <div className="space-y-3">
+          {filteredContainers.map((container) => (
+            <div
+              key={container.id}
+              className={`border rounded-xl p-4 transition-colors ${
+                container.state === 'running'
+                  ? 'border-green-200 bg-green-50/30'
+                  : 'border-slate-200 bg-slate-50/50'
+              }`}
+            >
+              <div className="flex items-start justify-between gap-4">
+                <div className="flex-1 min-w-0">
+                  <div className="flex items-center gap-2 mb-1">
+                    <span className="font-semibold text-slate-900 truncate">{container.name}</span>
+                    <span className={`px-2 py-0.5 text-xs font-medium rounded-full ${getStateColor(container.state)}`}>
+                      {container.state}
+                    </span>
+                  </div>
+                  <div className="text-sm text-slate-500 mb-2">
+                    <span className="font-mono">{container.image}</span>
+                    {container.ports.length > 0 && (
+                      <span className="ml-2 text-slate-400">
+                        | {container.ports.slice(0, 2).join(', ')}
+                        {container.ports.length > 2 && ` +${container.ports.length - 2}`}
+                      </span>
+                    )}
+                  </div>
+
+                  {container.state === 'running' && (
+                    <div className="flex flex-wrap gap-4 text-sm">
+                      <div className="flex items-center gap-1">
+                        <span className="text-slate-500">CPU:</span>
+                        <span className={`font-medium ${container.cpu_percent > 80 ? 'text-red-600' : 'text-slate-700'}`}>
+                          {container.cpu_percent.toFixed(1)}%
+                        </span>
+                      </div>
+                      <div className="flex items-center gap-1">
+                        <span className="text-slate-500">RAM:</span>
+                        <span className={`font-medium ${container.memory_percent > 80 ? 'text-red-600' : 'text-slate-700'}`}>
+                          {container.memory_usage}
+                        </span>
+                        <span className="text-slate-400">({container.memory_percent.toFixed(1)}%)</span>
+                      </div>
+                      <div className="flex items-center gap-1">
+                        <span className="text-slate-500">Net:</span>
+                        <span className="text-slate-700">{container.network_rx} / {container.network_tx}</span>
+                      </div>
+                    </div>
+                  )}
+                </div>
+
+                <div className="flex items-center gap-2 flex-shrink-0">
+                  {container.state === 'running' ? (
+                    <>
+                      <button
+                        onClick={() => onContainerAction(container.id, 'restart')}
+                        disabled={actionLoading !== null}
+                        className="px-3 py-1.5 text-sm bg-blue-600 text-white rounded-lg hover:bg-blue-700 disabled:opacity-50 transition-colors"
+                      >
+                        {actionLoading === `${container.id}-restart` ? '...' : 'Restart'}
+                      </button>
+                      <button
+                        onClick={() => onContainerAction(container.id, 'stop')}
+                        disabled={actionLoading !== null}
+                        className="px-3 py-1.5 text-sm bg-red-600 text-white rounded-lg hover:bg-red-700 disabled:opacity-50 transition-colors"
+                      >
+                        {actionLoading === `${container.id}-stop` ? '...' : 'Stop'}
+                      </button>
+                    </>
+                  ) : (
+                    <button
+                      onClick={() => onContainerAction(container.id, 'start')}
+                      disabled={actionLoading !== null}
+                      className="px-3 py-1.5 text-sm bg-green-600 text-white rounded-lg hover:bg-green-700 disabled:opacity-50 transition-colors"
+                    >
+                      {actionLoading === `${container.id}-start` ? '...' : 'Start'}
+                    </button>
+                  )}
+                </div>
+              </div>
+            </div>
+          ))}
+        </div>
+      )}
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/ci-cd/_components/OverviewTab.tsx b/admin-core/app/(admin)/infrastructure/ci-cd/_components/OverviewTab.tsx
new file mode 100644
index 0000000..39f17ed
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/ci-cd/_components/OverviewTab.tsx
@@ -0,0 +1,168 @@
+'use client'
+
+import type { PipelineStatus, PipelineRun, SystemStats, DockerStats } from '../types'
+
+function ProgressBar({ percent, color = 'blue' }: { percent: number; color?: string }) {
+  const getColor = () => {
+    if (percent > 90) return 'bg-red-500'
+    if (percent > 70) return 'bg-yellow-500'
+    if (color === 'green') return 'bg-green-500'
+    if (color === 'purple') return 'bg-purple-500'
+    return 'bg-blue-500'
+  }
+
+  return (
+    <div className="w-full bg-slate-200 rounded-full h-2">
+      <div
+        className={`h-2 rounded-full transition-all duration-300 ${getColor()}`}
+        style={{ width: `${Math.min(percent, 100)}%` }}
+      />
+    </div>
+  )
+}
+
+export function OverviewTab({
+  pipelineStatus,
+  pipelineHistory,
+  systemStats,
+  dockerStats,
+}: {
+  pipelineStatus: PipelineStatus | null
+  pipelineHistory: PipelineRun[]
+  systemStats: SystemStats | null
+  dockerStats: DockerStats | null
+}) {
+  return (
+    <div className="space-y-6">
+      {/* Status Cards */}
+      <div className="grid grid-cols-1 md:grid-cols-4 gap-4">
+        <div className={`p-4 rounded-lg ${pipelineStatus?.gitea_connected ? 'bg-green-50' : 'bg-yellow-50'}`}>
+          <div className="flex items-center gap-2 mb-2">
+            <span className={`w-3 h-3 rounded-full ${pipelineStatus?.gitea_connected ? 'bg-green-500' : 'bg-yellow-500'}`}></span>
+            <span className="text-sm font-medium">Gitea Status</span>
+          </div>
+          <p className={`text-lg font-bold ${pipelineStatus?.gitea_connected ? 'text-green-700' : 'text-yellow-700'}`}>
+            {pipelineStatus?.gitea_connected ? 'Verbunden' : 'Nicht verbunden'}
+          </p>
+          <p className="text-xs text-slate-500">http://macmini:3003</p>
+        </div>
+
+        <div className="bg-blue-50 p-4 rounded-lg">
+          <div className="flex items-center gap-2 mb-2">
+            <svg className="w-4 h-4 text-blue-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2" />
+            </svg>
+            <span className="text-sm font-medium">Pipeline Runs</span>
+          </div>
+          <p className="text-lg font-bold text-blue-700">{pipelineStatus?.total_runs || 0}</p>
+          <p className="text-xs text-slate-500">{pipelineStatus?.successful_runs || 0} erfolgreich</p>
+        </div>
+
+        <div className="bg-purple-50 p-4 rounded-lg">
+          <div className="flex items-center gap-2 mb-2">
+            <svg className="w-4 h-4 text-purple-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 12h14M5 12a2 2 0 01-2-2V6a2 2 0 012-2h14a2 2 0 012 2v4a2 2 0 01-2 2M5 12a2 2 0 00-2 2v4a2 2 0 002 2h14a2 2 0 002-2v-4a2 2 0 00-2-2" />
+            </svg>
+            <span className="text-sm font-medium">Container</span>
+          </div>
+          <p className="text-lg font-bold text-purple-700">{dockerStats?.running_containers || 0}</p>
+          <p className="text-xs text-slate-500">von {dockerStats?.total_containers || 0} laufend</p>
+        </div>
+
+        <div className="bg-slate-50 p-4 rounded-lg">
+          <div className="flex items-center gap-2 mb-2">
+            <svg className="w-4 h-4 text-slate-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 8v4l3 3m6-3a9 9 0 11-18 0 9 9 0 0118 0z" />
+            </svg>
+            <span className="text-sm font-medium">Letztes Update</span>
+          </div>
+          <p className="text-lg font-bold text-slate-700">
+            {pipelineStatus?.last_sbom_update ? new Date(pipelineStatus.last_sbom_update).toLocaleDateString('de-DE') : 'Nie'}
+          </p>
+          <p className="text-xs text-slate-500">
+            {pipelineStatus?.last_sbom_update ? new Date(pipelineStatus.last_sbom_update).toLocaleTimeString('de-DE') : '-'}
+          </p>
+        </div>
+      </div>
+
+      {/* System Resources */}
+      {systemStats && (
+        <div className="bg-slate-50 rounded-lg p-4">
+          <h3 className="font-medium text-slate-800 mb-4 flex items-center gap-2">
+            <svg className="w-5 h-5 text-slate-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 3v2m6-2v2M9 19v2m6-2v2M5 9H3m2 6H3m18-6h-2m2 6h-2M7 19h10a2 2 0 002-2V7a2 2 0 00-2-2H7a2 2 0 00-2 2v10a2 2 0 002 2zM9 9h6v6H9V9z" />
+            </svg>
+            Server Ressourcen ({systemStats.hostname})
+          </h3>
+          <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
+            <div className="bg-white rounded-lg p-3">
+              <div className="flex justify-between mb-2">
+                <span className="text-sm text-slate-600">CPU</span>
+                <span className={`font-bold ${systemStats.cpu.usage_percent > 80 ? 'text-red-600' : 'text-slate-900'}`}>
+                  {systemStats.cpu.usage_percent.toFixed(1)}%
+                </span>
+              </div>
+              <ProgressBar percent={systemStats.cpu.usage_percent} />
+            </div>
+            <div className="bg-white rounded-lg p-3">
+              <div className="flex justify-between mb-2">
+                <span className="text-sm text-slate-600">RAM</span>
+                <span className={`font-bold ${systemStats.memory.usage_percent > 80 ? 'text-red-600' : 'text-slate-900'}`}>
+                  {systemStats.memory.usage_percent.toFixed(1)}%
+                </span>
+              </div>
+              <ProgressBar percent={systemStats.memory.usage_percent} color="purple" />
+            </div>
+            <div className="bg-white rounded-lg p-3">
+              <div className="flex justify-between mb-2">
+                <span className="text-sm text-slate-600">Disk</span>
+                <span className={`font-bold ${systemStats.disk.usage_percent > 80 ? 'text-red-600' : 'text-slate-900'}`}>
+                  {systemStats.disk.usage_percent.toFixed(1)}%
+                </span>
+              </div>
+              <ProgressBar percent={systemStats.disk.usage_percent} color="green" />
+            </div>
+          </div>
+        </div>
+      )}
+
+      {/* Recent Pipeline Runs */}
+      {pipelineHistory.length > 0 && (
+        <div className="bg-slate-50 rounded-lg p-4">
+          <h3 className="font-medium text-slate-800 mb-3">Letzte Pipeline Runs</h3>
+          <div className="space-y-2">
+            {pipelineHistory.slice(0, 5).map((run) => (
+              <div key={run.id} className="flex items-center justify-between bg-white p-3 rounded-lg">
+                <div className="flex items-center gap-3">
+                  <span className={`w-2 h-2 rounded-full ${
+                    run.status === 'success' ? 'bg-green-500' :
+                    run.status === 'failed' ? 'bg-red-500' :
+                    run.status === 'running' ? 'bg-yellow-500 animate-pulse' : 'bg-slate-400'
+                  }`}></span>
+                  <div>
+                    <p className="text-sm font-medium text-slate-800">{run.workflow || 'SBOM Pipeline'}</p>
+                    <p className="text-xs text-slate-500">{run.branch} - {run.commit_sha.substring(0, 8)}</p>
+                  </div>
+                </div>
+                <div className="text-right">
+                  <p className={`text-sm font-medium ${
+                    run.status === 'success' ? 'text-green-600' :
+                    run.status === 'failed' ? 'text-red-600' :
+                    run.status === 'running' ? 'text-yellow-600' : 'text-slate-600'
+                  }`}>
+                    {run.status === 'success' ? 'Erfolgreich' :
+                     run.status === 'failed' ? 'Fehlgeschlagen' :
+                     run.status === 'running' ? 'Laeuft...' : run.status}
+                  </p>
+                  <p className="text-xs text-slate-500">
+                    {new Date(run.started_at).toLocaleString('de-DE')}
+                  </p>
+                </div>
+              </div>
+            ))}
+          </div>
+        </div>
+      )}
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/ci-cd/_components/PipelinesTab.tsx b/admin-core/app/(admin)/infrastructure/ci-cd/_components/PipelinesTab.tsx
new file mode 100644
index 0000000..24a93a5
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/ci-cd/_components/PipelinesTab.tsx
@@ -0,0 +1,143 @@
+'use client'
+
+import type { PipelineRun } from '../types'
+
+export function PipelinesTab({
+  pipelineHistory,
+  triggeringPipeline,
+  onTriggerPipeline,
+}: {
+  pipelineHistory: PipelineRun[]
+  triggeringPipeline: boolean
+  onTriggerPipeline: () => void
+}) {
+  return (
+    <div className="space-y-6">
+      {/* Pipeline Controls */}
+      <div className="flex items-center justify-between">
+        <div>
+          <h3 className="text-lg font-semibold text-slate-800">Gitea Actions Pipelines</h3>
+          <p className="text-sm text-slate-600">Workflows werden bei Push auf main/develop automatisch ausgefuehrt</p>
+        </div>
+        <button
+          onClick={onTriggerPipeline}
+          disabled={triggeringPipeline}
+          className="px-4 py-2 bg-orange-600 text-white rounded-lg font-medium hover:bg-orange-700 disabled:opacity-50 transition-colors flex items-center gap-2"
+        >
+          {triggeringPipeline ? (
+            <>
+              <div className="animate-spin rounded-full h-4 w-4 border-b-2 border-white"></div>
+              Laeuft...
+            </>
+          ) : (
+            <>
+              <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M14.752 11.168l-3.197-2.132A1 1 0 0010 9.87v4.263a1 1 0 001.555.832l3.197-2.132a1 1 0 000-1.664z" />
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+              </svg>
+              Pipeline starten
+            </>
+          )}
+        </button>
+      </div>
+
+      {/* Available Pipelines */}
+      <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
+        <div className="bg-green-50 border border-green-200 rounded-lg p-4">
+          <div className="flex items-center gap-2 mb-2">
+            <span className="w-2 h-2 rounded-full bg-green-500"></span>
+            <span className="font-medium text-green-800">SBOM Pipeline</span>
+          </div>
+          <p className="text-sm text-green-700 mb-2">Generiert Software Bill of Materials</p>
+          <p className="text-xs text-green-600">5 Jobs: generate, scan, license, upload, summary</p>
+        </div>
+        <div className="bg-slate-50 border border-slate-200 rounded-lg p-4 opacity-60">
+          <div className="flex items-center gap-2 mb-2">
+            <span className="w-2 h-2 rounded-full bg-slate-400"></span>
+            <span className="font-medium text-slate-600">Test Pipeline</span>
+          </div>
+          <p className="text-sm text-slate-500 mb-2">Unit & Integration Tests</p>
+          <p className="text-xs text-slate-400">Geplant</p>
+        </div>
+        <div className="bg-slate-50 border border-slate-200 rounded-lg p-4 opacity-60">
+          <div className="flex items-center gap-2 mb-2">
+            <span className="w-2 h-2 rounded-full bg-slate-400"></span>
+            <span className="font-medium text-slate-600">Security Pipeline</span>
+          </div>
+          <p className="text-sm text-slate-500 mb-2">SAST, SCA, Secrets Scan</p>
+          <p className="text-xs text-slate-400">Geplant</p>
+        </div>
+      </div>
+
+      {/* Pipeline History */}
+      <div className="bg-slate-50 rounded-lg p-4">
+        <h4 className="font-medium text-slate-800 mb-4">Pipeline Historie</h4>
+        {pipelineHistory.length === 0 ? (
+          <div className="text-center py-8 text-slate-500">
+            Keine Pipeline-Runs vorhanden. Starten Sie die erste Pipeline!
+          </div>
+        ) : (
+          <div className="overflow-x-auto">
+            <table className="w-full">
+              <thead>
+                <tr className="border-b border-slate-200">
+                  <th className="text-left py-2 px-3 text-xs font-semibold text-slate-500 uppercase">Status</th>
+                  <th className="text-left py-2 px-3 text-xs font-semibold text-slate-500 uppercase">Workflow</th>
+                  <th className="text-left py-2 px-3 text-xs font-semibold text-slate-500 uppercase">Branch</th>
+                  <th className="text-left py-2 px-3 text-xs font-semibold text-slate-500 uppercase">Commit</th>
+                  <th className="text-left py-2 px-3 text-xs font-semibold text-slate-500 uppercase">Gestartet</th>
+                  <th className="text-left py-2 px-3 text-xs font-semibold text-slate-500 uppercase">Dauer</th>
+                </tr>
+              </thead>
+              <tbody className="divide-y divide-slate-100">
+                {pipelineHistory.map((run) => (
+                  <tr key={run.id} className="hover:bg-white">
+                    <td className="py-2 px-3">
+                      <span className={`inline-flex items-center gap-1 px-2 py-1 rounded-full text-xs font-medium ${
+                        run.status === 'success' ? 'bg-green-100 text-green-800' :
+                        run.status === 'failed' ? 'bg-red-100 text-red-800' :
+                        run.status === 'running' ? 'bg-yellow-100 text-yellow-800' : 'bg-slate-100 text-slate-600'
+                      }`}>
+                        <span className={`w-1.5 h-1.5 rounded-full ${
+                          run.status === 'success' ? 'bg-green-500' :
+                          run.status === 'failed' ? 'bg-red-500' :
+                          run.status === 'running' ? 'bg-yellow-500 animate-pulse' : 'bg-slate-400'
+                        }`}></span>
+                        {run.status}
+                      </span>
+                    </td>
+                    <td className="py-2 px-3 text-sm text-slate-900">{run.workflow || 'SBOM Pipeline'}</td>
+                    <td className="py-2 px-3 text-sm text-slate-600">{run.branch}</td>
+                    <td className="py-2 px-3 text-sm font-mono text-slate-500">{run.commit_sha.substring(0, 8)}</td>
+                    <td className="py-2 px-3 text-sm text-slate-500">{new Date(run.started_at).toLocaleString('de-DE')}</td>
+                    <td className="py-2 px-3 text-sm text-slate-500">
+                      {run.duration_seconds ? `${run.duration_seconds}s` : '-'}
+                    </td>
+                  </tr>
+                ))}
+              </tbody>
+            </table>
+          </div>
+        )}
+      </div>
+
+      {/* Pipeline Architecture */}
+      <div className="bg-slate-50 rounded-lg p-4">
+        <h4 className="font-medium text-slate-800 mb-3">SBOM Pipeline Architektur</h4>
+        <pre className="bg-slate-800 text-slate-100 p-4 rounded-lg overflow-x-auto text-sm">
+{`Gitea Actions Pipeline (.gitea/workflows/sbom.yaml)
+     │
+     ├── 1. generate-sbom     → Syft generiert CycloneDX SBOM
+     │
+     ├── 2. vulnerability-scan → Grype scannt auf CVEs
+     │
+     ├── 3. license-check     → Prueft GPL/AGPL Lizenzen
+     │
+     ├── 4. upload-dashboard  → POST /api/v1/security/sbom/upload
+     │
+     └── 5. summary           → Job Summary generieren`}
+        </pre>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/ci-cd/_components/SchedulerTab.tsx b/admin-core/app/(admin)/infrastructure/ci-cd/_components/SchedulerTab.tsx
new file mode 100644
index 0000000..89ca306
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/ci-cd/_components/SchedulerTab.tsx
@@ -0,0 +1,187 @@
+'use client'
+
+export function SchedulerTab() {
+  return (
+    <div className="space-y-6">
+      {/* Status Overview */}
+      <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
+        <div className="rounded-xl border p-5 bg-emerald-100 border-emerald-200 text-emerald-700">
+          <div className="flex items-start gap-4">
+            <div className="flex-shrink-0">
+              <svg className="w-8 h-8" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5} d="M12 8v4l3 3m6-3a9 9 0 11-18 0 9 9 0 0118 0z" />
+              </svg>
+            </div>
+            <div className="flex-1">
+              <div className="flex items-center gap-2">
+                <h4 className="font-semibold">launchd Job</h4>
+                <span className="w-2 h-2 rounded-full bg-emerald-500" />
+              </div>
+              <p className="text-sm mt-1 opacity-80">Taeglich um 07:00 Uhr automatisch</p>
+            </div>
+          </div>
+        </div>
+        <div className="rounded-xl border p-5 bg-emerald-100 border-emerald-200 text-emerald-700">
+          <div className="flex items-start gap-4">
+            <div className="flex-shrink-0">
+              <svg className="w-8 h-8" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5} d="M8 9l3 3-3 3m5 0h3M5 20h14a2 2 0 002-2V6a2 2 0 00-2-2H5a2 2 0 00-2 2v12a2 2 0 002 2z" />
+              </svg>
+            </div>
+            <div className="flex-1">
+              <div className="flex items-center gap-2">
+                <h4 className="font-semibold">Git Hook</h4>
+                <span className="w-2 h-2 rounded-full bg-emerald-500" />
+              </div>
+              <p className="text-sm mt-1 opacity-80">Quick Tests bei voice-service Aenderungen</p>
+            </div>
+          </div>
+        </div>
+        <div className="rounded-xl border p-5 bg-emerald-100 border-emerald-200 text-emerald-700">
+          <div className="flex items-start gap-4">
+            <div className="flex-shrink-0">
+              <svg className="w-8 h-8" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5} d="M15 17h5l-1.405-1.405A2.032 2.032 0 0118 14.158V11a6.002 6.002 0 00-4-5.659V5a2 2 0 10-4 0v.341C7.67 6.165 6 8.388 6 11v3.159c0 .538-.214 1.055-.595 1.436L4 17h5m6 0v1a3 3 0 11-6 0v-1m6 0H9" />
+              </svg>
+            </div>
+            <div className="flex-1">
+              <div className="flex items-center gap-2">
+                <h4 className="font-semibold">Benachrichtigungen</h4>
+                <span className="w-2 h-2 rounded-full bg-emerald-500" />
+              </div>
+              <p className="text-sm mt-1 opacity-80">Desktop-Alerts bei Fehlern aktiviert</p>
+            </div>
+          </div>
+        </div>
+      </div>
+
+      {/* Quick Actions */}
+      <div className="bg-slate-50 rounded-lg p-4">
+        <h3 className="font-medium text-slate-800 mb-4">Quick Actions (BQAS)</h3>
+        <div className="flex flex-wrap gap-3">
+          <a href="/ai/test-quality" className="px-4 py-2 bg-blue-600 text-white rounded-lg hover:bg-blue-700 flex items-center gap-2">
+            <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M14.752 11.168l-3.197-2.132A1 1 0 0010 9.87v4.263a1 1 0 001.555.832l3.197-2.132a1 1 0 000-1.664z" />
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+            </svg>
+            Test Dashboard oeffnen
+          </a>
+          <span className="text-sm text-slate-500 self-center">Starte Tests direkt im BQAS Dashboard</span>
+        </div>
+      </div>
+
+      {/* GitHub Actions vs Local - Comparison */}
+      <div className="bg-slate-50 rounded-lg p-4">
+        <h3 className="font-medium text-slate-800 mb-4">GitHub Actions Alternative</h3>
+        <p className="text-slate-600 mb-4">
+          Der lokale BQAS Scheduler ersetzt GitHub Actions und bietet DSGVO-konforme, vollstaendig lokale Test-Ausfuehrung.
+        </p>
+        <div className="overflow-x-auto">
+          <table className="w-full text-sm">
+            <thead>
+              <tr className="border-b border-slate-200 bg-white">
+                <th className="text-left py-3 px-4 font-medium text-slate-700">Feature</th>
+                <th className="text-center py-3 px-4 font-medium text-slate-700">GitHub Actions</th>
+                <th className="text-center py-3 px-4 font-medium text-slate-700">Lokaler Scheduler</th>
+              </tr>
+            </thead>
+            <tbody>
+              {[
+                { feature: 'Taegliche Tests (07:00)', gh: 'schedule: cron', local: 'macOS launchd', localColor: 'bg-emerald-100 text-emerald-700' },
+                { feature: 'Push-basierte Tests', gh: 'on: push', local: 'Git post-commit Hook', localColor: 'bg-emerald-100 text-emerald-700' },
+                { feature: 'PR-basierte Tests', gh: 'on: pull_request', ghColor: 'bg-emerald-100 text-emerald-700', local: 'Nicht moeglich', localColor: 'bg-amber-100 text-amber-700' },
+                { feature: 'DSGVO-Konformitaet', gh: 'Daten bei GitHub (US)', ghColor: 'bg-amber-100 text-amber-700', local: '100% lokal', localColor: 'bg-emerald-100 text-emerald-700' },
+                { feature: 'Offline-Faehig', gh: 'Nein', ghColor: 'bg-red-100 text-red-700', local: 'Ja', localColor: 'bg-emerald-100 text-emerald-700' },
+              ].map((row) => (
+                <tr key={row.feature} className="border-b border-slate-100">
+                  <td className="py-3 px-4 text-slate-600">{row.feature}</td>
+                  <td className="py-3 px-4 text-center">
+                    <span className={`${row.ghColor ? `px-2 py-1 rounded text-xs font-medium ${row.ghColor}` : 'text-slate-600'}`}>{row.gh}</span>
+                  </td>
+                  <td className="py-3 px-4 text-center">
+                    <span className={`px-2 py-1 rounded text-xs font-medium ${row.localColor}`}>{row.local}</span>
+                  </td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+      </div>
+
+      {/* Configuration Details */}
+      <div className="bg-slate-50 rounded-lg p-4">
+        <h3 className="font-medium text-slate-800 mb-4">Konfiguration</h3>
+        <div className="grid grid-cols-1 lg:grid-cols-2 gap-6">
+          <div>
+            <h4 className="font-medium text-slate-700 mb-3">launchd Job</h4>
+            <div className="bg-slate-900 rounded-lg p-4 font-mono text-sm text-slate-100 overflow-x-auto">
+              <pre>{`# ~/Library/LaunchAgents/com.breakpilot.bqas.plist
+Label: com.breakpilot.bqas
+Schedule: 07:00 taeglich
+Script: /voice-service/scripts/run_bqas.sh
+Logs: /var/log/bqas/`}</pre>
+            </div>
+          </div>
+          <div>
+            <h4 className="font-medium text-slate-700 mb-3">Umgebungsvariablen</h4>
+            <div className="space-y-2 text-sm">
+              <div className="flex justify-between p-2 bg-white rounded">
+                <span className="font-mono text-slate-600">BQAS_SERVICE_URL</span>
+                <span className="text-slate-900">http://localhost:8091</span>
+              </div>
+              <div className="flex justify-between p-2 bg-white rounded">
+                <span className="font-mono text-slate-600">BQAS_REGRESSION_THRESHOLD</span>
+                <span className="text-slate-900">0.1</span>
+              </div>
+              <div className="flex justify-between p-2 bg-white rounded">
+                <span className="font-mono text-slate-600">BQAS_NOTIFY_DESKTOP</span>
+                <span className="text-emerald-600 font-medium">true</span>
+              </div>
+              <div className="flex justify-between p-2 bg-white rounded">
+                <span className="font-mono text-slate-600">BQAS_NOTIFY_SLACK</span>
+                <span className="text-slate-400">false</span>
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
+
+      {/* Detailed Explanation */}
+      <div className="bg-gradient-to-r from-blue-50 to-indigo-50 rounded-xl border border-blue-200 p-6">
+        <h3 className="text-lg font-semibold text-slate-900 mb-4 flex items-center gap-2">
+          <svg className="w-5 h-5 text-blue-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+          </svg>
+          Detaillierte Erklaerung
+        </h3>
+        <div className="prose prose-sm max-w-none text-slate-700">
+          <h4 className="text-base font-semibold mt-4 mb-2">Warum ein lokaler Scheduler?</h4>
+          <p className="mb-4">
+            Der lokale BQAS Scheduler wurde entwickelt, um die gleiche Funktionalitaet wie GitHub Actions zu bieten,
+            aber mit dem entscheidenden Vorteil, dass <strong>alle Daten zu 100% auf dem lokalen Mac Mini verbleiben</strong>.
+            Dies ist besonders wichtig fuer DSGVO-Konformitaet, da keine Schuelerdaten oder Testergebnisse an externe Server uebertragen werden.
+          </p>
+          <h4 className="text-base font-semibold mt-4 mb-2">Komponenten</h4>
+          <ul className="list-disc list-inside space-y-2 mb-4">
+            <li><strong>run_bqas.sh</strong> - Hauptscript das pytest ausfuehrt, Regression-Checks macht und Benachrichtigungen versendet</li>
+            <li><strong>launchd Job</strong> - macOS-nativer Scheduler der das Script taeglich um 07:00 Uhr startet</li>
+            <li><strong>Git Hook</strong> - post-commit Hook der bei Aenderungen im voice-service automatisch Quick-Tests startet</li>
+            <li><strong>Notifier</strong> - Python-Modul das Desktop-, Slack- und E-Mail-Benachrichtigungen versendet</li>
+          </ul>
+          <h4 className="text-base font-semibold mt-4 mb-2">Installation</h4>
+          <div className="bg-slate-900 rounded-lg p-3 font-mono text-sm text-slate-100 mb-4">
+            <code>./voice-service/scripts/install_bqas_scheduler.sh install</code>
+          </div>
+          <h4 className="text-base font-semibold mt-4 mb-2">Vorteile gegenueber GitHub Actions</h4>
+          <ul className="list-disc list-inside space-y-1">
+            <li>100% DSGVO-konform - alle Daten bleiben lokal</li>
+            <li>Keine Internet-Abhaengigkeit - funktioniert auch offline</li>
+            <li>Keine GitHub-Kosten fuer private Repositories</li>
+            <li>Schnellere Ausfuehrung ohne Cloud-Overhead</li>
+            <li>Volle Kontrolle ueber Scheduling und Benachrichtigungen</li>
+          </ul>
+        </div>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/ci-cd/_components/SetupTab.tsx b/admin-core/app/(admin)/infrastructure/ci-cd/_components/SetupTab.tsx
new file mode 100644
index 0000000..c9a6981
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/ci-cd/_components/SetupTab.tsx
@@ -0,0 +1,152 @@
+'use client'
+
+import type { PipelineStatus } from '../types'
+
+export function SetupTab({ pipelineStatus }: { pipelineStatus: PipelineStatus | null }) {
+  return (
+    <div className="space-y-6">
+      <div>
+        <h3 className="text-lg font-semibold text-slate-800 mb-2">Erstkonfiguration - Gitea CI/CD</h3>
+        <p className="text-slate-600">
+          Anleitung zur Einrichtung der CI/CD Pipeline mit Gitea Actions auf dem Mac Mini Server.
+        </p>
+      </div>
+
+      {/* Gitea Server Info */}
+      <div className="bg-blue-50 p-4 rounded-lg">
+        <h4 className="font-medium text-blue-800 mb-3 flex items-center gap-2">
+          <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 12h14M5 12a2 2 0 01-2-2V6a2 2 0 012-2h14a2 2 0 012 2v4a2 2 0 01-2 2M5 12a2 2 0 00-2 2v4a2 2 0 002 2h14a2 2 0 002-2v-4a2 2 0 00-2-2" />
+          </svg>
+          Gitea Server
+        </h4>
+        <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
+          <div className="bg-white p-3 rounded-lg">
+            <p className="text-sm text-slate-500">Web-URL</p>
+            <p className="font-mono text-blue-700">http://macmini:3003</p>
+          </div>
+          <div className="bg-white p-3 rounded-lg">
+            <p className="text-sm text-slate-500">SSH</p>
+            <p className="font-mono text-blue-700">macmini:2222</p>
+          </div>
+          <div className="bg-white p-3 rounded-lg">
+            <p className="text-sm text-slate-500">Status</p>
+            <p className={`font-medium ${pipelineStatus?.gitea_connected ? 'text-green-600' : 'text-yellow-600'}`}>
+              {pipelineStatus?.gitea_connected ? 'Verbunden' : 'Konfiguration erforderlich'}
+            </p>
+          </div>
+        </div>
+      </div>
+
+      {/* Implementierte Komponenten */}
+      <div className="bg-slate-50 p-4 rounded-lg">
+        <h4 className="font-medium text-slate-800 mb-3">Implementierte Komponenten</h4>
+        <div className="overflow-x-auto">
+          <table className="min-w-full text-sm">
+            <thead>
+              <tr className="border-b border-slate-200">
+                <th className="text-left py-2 px-3 font-medium text-slate-600">Komponente</th>
+                <th className="text-left py-2 px-3 font-medium text-slate-600">Pfad</th>
+                <th className="text-left py-2 px-3 font-medium text-slate-600">Beschreibung</th>
+              </tr>
+            </thead>
+            <tbody className="divide-y divide-slate-100">
+              <tr>
+                <td className="py-2 px-3 font-medium">Gitea Service</td>
+                <td className="py-2 px-3"><code className="bg-slate-200 px-1 rounded text-xs">docker-compose.yml</code></td>
+                <td className="py-2 px-3 text-slate-600">Gitea 1.22 mit Actions enabled</td>
+              </tr>
+              <tr>
+                <td className="py-2 px-3 font-medium">Gitea Runner</td>
+                <td className="py-2 px-3"><code className="bg-slate-200 px-1 rounded text-xs">docker-compose.yml</code></td>
+                <td className="py-2 px-3 text-slate-600">act_runner fuer Job-Ausfuehrung</td>
+              </tr>
+              <tr>
+                <td className="py-2 px-3 font-medium">SBOM Workflow</td>
+                <td className="py-2 px-3"><code className="bg-slate-200 px-1 rounded text-xs">.gitea/workflows/sbom.yaml</code></td>
+                <td className="py-2 px-3 text-slate-600">5 Jobs: generate, scan, license, upload, summary</td>
+              </tr>
+              <tr>
+                <td className="py-2 px-3 font-medium">Backend API</td>
+                <td className="py-2 px-3"><code className="bg-slate-200 px-1 rounded text-xs">backend/security_api.py</code></td>
+                <td className="py-2 px-3 text-slate-600">SBOM Upload, Pipeline Status, History</td>
+              </tr>
+              <tr>
+                <td className="py-2 px-3 font-medium">Runner Config</td>
+                <td className="py-2 px-3"><code className="bg-slate-200 px-1 rounded text-xs">gitea/runner-config.yaml</code></td>
+                <td className="py-2 px-3 text-slate-600">Labels: ubuntu-latest, self-hosted</td>
+              </tr>
+            </tbody>
+          </table>
+        </div>
+      </div>
+
+      {/* Setup Steps */}
+      <div className="bg-orange-50 p-4 rounded-lg">
+        <h4 className="font-medium text-orange-800 mb-3 flex items-center gap-2">
+          <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-3 7h3m-3 4h3m-6-4h.01M9 16h.01" />
+          </svg>
+          Setup-Schritte
+        </h4>
+        <div className="space-y-3">
+          <div className="bg-white p-3 rounded-lg">
+            <h5 className="font-medium text-slate-800 mb-1">1. Gitea oeffnen</h5>
+            <code className="text-sm bg-slate-100 px-2 py-1 rounded">http://macmini:3003</code>
+          </div>
+          <div className="bg-white p-3 rounded-lg">
+            <h5 className="font-medium text-slate-800 mb-1">2. Admin-Account erstellen</h5>
+            <p className="text-sm text-slate-600">Username: admin, Email: admin@breakpilot.de</p>
+          </div>
+          <div className="bg-white p-3 rounded-lg">
+            <h5 className="font-medium text-slate-800 mb-1">3. Repository erstellen</h5>
+            <p className="text-sm text-slate-600">Name: breakpilot-pwa, Visibility: Private</p>
+          </div>
+          <div className="bg-white p-3 rounded-lg">
+            <h5 className="font-medium text-slate-800 mb-1">4. Actions aktivieren</h5>
+            <p className="text-sm text-slate-600">Repository Settings → Actions → Enable Repository Actions</p>
+          </div>
+          <div className="bg-white p-3 rounded-lg">
+            <h5 className="font-medium text-slate-800 mb-1">5. Runner Token erstellen & starten</h5>
+            <pre className="text-xs bg-slate-100 p-2 rounded mt-1 overflow-x-auto">
+{`export GITEA_RUNNER_TOKEN=<token>
+docker compose up -d gitea-runner`}
+            </pre>
+          </div>
+          <div className="bg-white p-3 rounded-lg">
+            <h5 className="font-medium text-slate-800 mb-1">6. Repository pushen</h5>
+            <pre className="text-xs bg-slate-100 p-2 rounded mt-1 overflow-x-auto">
+{`git remote add gitea http://macmini:3003/admin/breakpilot-pwa.git
+git push gitea main`}
+            </pre>
+          </div>
+        </div>
+      </div>
+
+      {/* Quick Links */}
+      <div className="bg-purple-50 p-4 rounded-lg">
+        <h4 className="font-medium text-purple-800 mb-3">Quick Links</h4>
+        <div className="grid grid-cols-1 md:grid-cols-2 gap-3">
+          <a href="http://macmini:3003" target="_blank" rel="noopener noreferrer" className="flex items-center justify-between bg-white p-3 rounded-lg hover:bg-purple-100 transition-colors">
+            <div>
+              <p className="font-medium text-purple-800">Gitea</p>
+              <p className="text-xs text-slate-500">Git Server & CI/CD</p>
+            </div>
+            <svg className="w-5 h-5 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" />
+            </svg>
+          </a>
+          <a href="http://macmini:3003/admin/breakpilot-pwa/actions" target="_blank" rel="noopener noreferrer" className="flex items-center justify-between bg-white p-3 rounded-lg hover:bg-purple-100 transition-colors">
+            <div>
+              <p className="font-medium text-purple-800">Pipeline Actions</p>
+              <p className="text-xs text-slate-500">Workflow Runs</p>
+            </div>
+            <svg className="w-5 h-5 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" />
+            </svg>
+          </a>
+        </div>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/ci-cd/page.tsx b/admin-core/app/(admin)/infrastructure/ci-cd/page.tsx
index f30ba01..9d01018 100644
--- a/admin-core/app/(admin)/infrastructure/ci-cd/page.tsx
+++ b/admin-core/app/(admin)/infrastructure/ci-cd/page.tsx
@@ -13,115 +13,12 @@
 import { useState, useEffect, useCallback } from 'react'
 import { PagePurpose } from '@/components/common/PagePurpose'
 import { DevOpsPipelineSidebarResponsive } from '@/components/infrastructure/DevOpsPipelineSidebar'
-
-// ============================================================================
-// Types
-// ============================================================================
-
-interface PipelineStatus {
-  gitea_connected: boolean
-  gitea_url: string
-  last_sbom_update: string | null
-  total_runs: number
-  successful_runs: number
-  failed_runs: number
-}
-
-interface PipelineRun {
-  id: string
-  workflow: string
-  branch: string
-  commit_sha: string
-  status: 'success' | 'failed' | 'running' | 'pending'
-  started_at: string
-  finished_at: string | null
-  duration_seconds: number | null
-}
-
-interface ContainerInfo {
-  id: string
-  name: string
-  image: string
-  status: string
-  state: string
-  created: string
-  ports: string[]
-  cpu_percent: number
-  memory_usage: string
-  memory_limit: string
-  memory_percent: number
-  network_rx: string
-  network_tx: string
-}
-
-interface SystemStats {
-  hostname: string
-  platform: string
-  arch: string
-  uptime: number
-  cpu: {
-    model: string
-    cores: number
-    usage_percent: number
-  }
-  memory: {
-    total: string
-    used: string
-    free: string
-    usage_percent: number
-  }
-  disk: {
-    total: string
-    used: string
-    free: string
-    usage_percent: number
-  }
-}
-
-interface DockerStats {
-  containers: ContainerInfo[]
-  total_containers: number
-  running_containers: number
-  stopped_containers: number
-}
-
-type TabType = 'overview' | 'pipelines' | 'deployments' | 'setup' | 'scheduler'
-
-// ============================================================================
-// Helper Components
-// ============================================================================
-
-function ProgressBar({ percent, color = 'blue' }: { percent: number; color?: string }) {
-  const getColor = () => {
-    if (percent > 90) return 'bg-red-500'
-    if (percent > 70) return 'bg-yellow-500'
-    if (color === 'green') return 'bg-green-500'
-    if (color === 'purple') return 'bg-purple-500'
-    return 'bg-blue-500'
-  }
-
-  return (
-    <div className="w-full bg-slate-200 rounded-full h-2">
-      <div
-        className={`h-2 rounded-full transition-all duration-300 ${getColor()}`}
-        style={{ width: `${Math.min(percent, 100)}%` }}
-      />
-    </div>
-  )
-}
-
-function formatUptime(seconds: number): string {
-  const days = Math.floor(seconds / 86400)
-  const hours = Math.floor((seconds % 86400) / 3600)
-  const minutes = Math.floor((seconds % 3600) / 60)
-  if (days > 0) return `${days}d ${hours}h ${minutes}m`
-  if (hours > 0) return `${hours}h ${minutes}m`
-  return `${minutes}m`
-}
-
-// ============================================================================
-// Main Component
-// ============================================================================
+import type { PipelineStatus, PipelineRun, SystemStats, DockerStats, TabType } from './types'
+import { OverviewTab } from './_components/OverviewTab'
+import { PipelinesTab } from './_components/PipelinesTab'
+import { DeploymentsTab } from './_components/DeploymentsTab'
+import { SetupTab } from './_components/SetupTab'
+import { SchedulerTab } from './_components/SchedulerTab'
 
 export default function CICDPage() {
   const [activeTab, setActiveTab] = useState<TabType>('overview')
@@ -144,23 +41,15 @@ export default function CICDPage() {
 
   const BACKEND_URL = process.env.NEXT_PUBLIC_BACKEND_URL || ''
 
-  // ============================================================================
   // Data Loading
-  // ============================================================================
-
   const loadPipelineData = useCallback(async () => {
     try {
       const [statusRes, historyRes] = await Promise.all([
         fetch(`${BACKEND_URL}/api/v1/security/sbom/pipeline/status`),
         fetch(`${BACKEND_URL}/api/v1/security/sbom/pipeline/history`),
       ])
-
-      if (statusRes.ok) {
-        setPipelineStatus(await statusRes.json())
-      }
-      if (historyRes.ok) {
-        setPipelineHistory(await historyRes.json())
-      }
+      if (statusRes.ok) setPipelineStatus(await statusRes.json())
+      if (historyRes.ok) setPipelineHistory(await historyRes.json())
     } catch (err) {
       console.error('Failed to load pipeline data:', err)
     }
@@ -186,26 +75,17 @@ export default function CICDPage() {
     setLoading(false)
   }, [loadPipelineData, loadContainerData])
 
-  useEffect(() => {
-    loadAllData()
-  }, [loadAllData])
-
-  // Auto-refresh every 30 seconds
+  useEffect(() => { loadAllData() }, [loadAllData])
   useEffect(() => {
     const interval = setInterval(loadAllData, 30000)
     return () => clearInterval(interval)
   }, [loadAllData])
 
-  // ============================================================================
   // Actions
-  // ============================================================================
-
   const triggerPipeline = async () => {
     setTriggeringPipeline(true)
     try {
-      const response = await fetch(`${BACKEND_URL}/api/v1/security/sbom/pipeline/trigger`, {
-        method: 'POST',
-      })
+      const response = await fetch(`${BACKEND_URL}/api/v1/security/sbom/pipeline/trigger`, { method: 'POST' })
       if (response.ok) {
         setMessage('Pipeline gestartet!')
         setTimeout(loadPipelineData, 2000)
@@ -221,18 +101,13 @@ export default function CICDPage() {
   const containerAction = async (containerId: string, action: 'start' | 'stop' | 'restart') => {
     setActionLoading(`${containerId}-${action}`)
     setMessage(null)
-
     try {
       const response = await fetch('/api/admin/infrastructure/mac-mini', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({ container_id: containerId, action }),
       })
-
-      if (!response.ok) {
-        throw new Error('Aktion fehlgeschlagen')
-      }
-
+      if (!response.ok) throw new Error('Aktion fehlgeschlagen')
       setMessage(`Container ${action} erfolgreich`)
       setTimeout(loadContainerData, 1000)
       setTimeout(loadContainerData, 3000)
@@ -243,21 +118,6 @@ export default function CICDPage() {
     }
   }
 
-  // ============================================================================
-  // Helpers
-  // ============================================================================
-
-  const getStateColor = (state: string) => {
-    switch (state) {
-      case 'running': return 'bg-green-100 text-green-800'
-      case 'exited':
-      case 'dead': return 'bg-red-100 text-red-800'
-      case 'paused': return 'bg-yellow-100 text-yellow-800'
-      case 'restarting': return 'bg-blue-100 text-blue-800'
-      default: return 'bg-slate-100 text-slate-600'
-    }
-  }
-
   const filteredContainers = dockerStats?.containers.filter(c => {
     if (containerFilter === 'all') return true
     if (containerFilter === 'running') return c.state === 'running'
@@ -265,9 +125,13 @@ export default function CICDPage() {
     return true
   }) || []
 
-  // ============================================================================
-  // Render
-  // ============================================================================
+  const TAB_CONFIG = [
+    { id: 'overview' as const, name: 'Uebersicht', icon: <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 19v-6a2 2 0 00-2-2H5a2 2 0 00-2 2v6a2 2 0 002 2h2a2 2 0 002-2zm0 0V9a2 2 0 012-2h2a2 2 0 012 2v10m-6 0a2 2 0 002 2h2a2 2 0 002-2m0 0V5a2 2 0 012-2h2a2 2 0 012 2v14a2 2 0 01-2 2h-2a2 2 0 01-2-2z" /></svg> },
+    { id: 'pipelines' as const, name: 'Gitea Pipelines', icon: <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15" /></svg> },
+    { id: 'deployments' as const, name: 'Deployments', icon: <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 12h14M5 12a2 2 0 01-2-2V6a2 2 0 012-2h14a2 2 0 012 2v4a2 2 0 01-2 2M5 12a2 2 0 00-2 2v4a2 2 0 002 2h14a2 2 0 002-2v-4a2 2 0 00-2-2" /></svg> },
+    { id: 'setup' as const, name: 'Konfiguration', icon: <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M10.325 4.317c.426-1.756 2.924-1.756 3.35 0a1.724 1.724 0 002.573 1.066c1.543-.94 3.31.826 2.37 2.37a1.724 1.724 0 001.065 2.572c1.756.426 1.756 2.924 0 3.35a1.724 1.724 0 00-1.066 2.573c.94 1.543-.826 3.31-2.37 2.37a1.724 1.724 0 00-2.572 1.065c-.426 1.756-2.924 1.756-3.35 0a1.724 1.724 0 00-2.573-1.066c-1.543.94-3.31-.826-2.37-2.37a1.724 1.724 0 00-1.065-2.572c-1.756-.426-1.756-2.924 0-3.35a1.724 1.724 0 001.066-2.573c-.94-1.543.826-3.31 2.37-2.37.996.608 2.296.07 2.572-1.065z" /><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15 12a3 3 0 11-6 0 3 3 0 016 0z" /></svg> },
+    { id: 'scheduler' as const, name: 'BQAS Scheduler', icon: <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 8v4l3 3m6-3a9 9 0 11-18 0 9 9 0 0118 0z" /></svg> },
+  ]
 
   return (
     <div>
@@ -275,10 +139,7 @@ export default function CICDPage() {
         title="CI/CD Dashboard"
         purpose="Zentrale Uebersicht fuer Gitea Actions Pipelines, Runner-Status und Container-Deployments. Starten Sie Pipelines manuell und verwalten Sie Docker-Container."
         audience={['DevOps', 'Entwickler']}
-        architecture={{
-          services: ['Gitea Actions', 'act_runner', 'Docker'],
-          databases: [],
-        }}
+        architecture={{ services: ['Gitea Actions', 'act_runner', 'Docker'], databases: [] }}
         relatedPages={[
           { name: 'SBOM', href: '/infrastructure/sbom', description: 'Software Bill of Materials' },
           { name: 'Security', href: '/infrastructure/security', description: 'DevSecOps Dashboard' },
@@ -288,10 +149,8 @@ export default function CICDPage() {
         defaultCollapsed={true}
       />
 
-      {/* DevOps Pipeline Sidebar */}
       <DevOpsPipelineSidebarResponsive currentTool="ci-cd" />
 
-      {/* Messages */}
       {error && (
         <div className="bg-red-50 border border-red-200 rounded-xl p-4 mb-6">
           <div className="flex items-center gap-2 text-red-800">
@@ -314,42 +173,13 @@ export default function CICDPage() {
         </div>
       )}
 
-      {/* Main Content */}
       <div className="bg-white rounded-xl border border-slate-200 overflow-hidden">
-        {/* Tabs */}
         <div className="flex border-b border-slate-200">
           <nav className="flex">
-            {[
-              { id: 'overview', name: 'Uebersicht', icon: (
-                <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 19v-6a2 2 0 00-2-2H5a2 2 0 00-2 2v6a2 2 0 002 2h2a2 2 0 002-2zm0 0V9a2 2 0 012-2h2a2 2 0 012 2v10m-6 0a2 2 0 002 2h2a2 2 0 002-2m0 0V5a2 2 0 012-2h2a2 2 0 012 2v14a2 2 0 01-2 2h-2a2 2 0 01-2-2z" />
-                </svg>
-              )},
-              { id: 'pipelines', name: 'Gitea Pipelines', icon: (
-                <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15" />
-                </svg>
-              )},
-              { id: 'deployments', name: 'Deployments', icon: (
-                <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 12h14M5 12a2 2 0 01-2-2V6a2 2 0 012-2h14a2 2 0 012 2v4a2 2 0 01-2 2M5 12a2 2 0 00-2 2v4a2 2 0 002 2h14a2 2 0 002-2v-4a2 2 0 00-2-2" />
-                </svg>
-              )},
-              { id: 'setup', name: 'Konfiguration', icon: (
-                <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M10.325 4.317c.426-1.756 2.924-1.756 3.35 0a1.724 1.724 0 002.573 1.066c1.543-.94 3.31.826 2.37 2.37a1.724 1.724 0 001.065 2.572c1.756.426 1.756 2.924 0 3.35a1.724 1.724 0 00-1.066 2.573c.94 1.543-.826 3.31-2.37 2.37a1.724 1.724 0 00-2.572 1.065c-.426 1.756-2.924 1.756-3.35 0a1.724 1.724 0 00-2.573-1.066c-1.543.94-3.31-.826-2.37-2.37a1.724 1.724 0 00-1.065-2.572c-1.756-.426-1.756-2.924 0-3.35a1.724 1.724 0 001.066-2.573c-.94-1.543.826-3.31 2.37-2.37.996.608 2.296.07 2.572-1.065z" />
-                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15 12a3 3 0 11-6 0 3 3 0 016 0z" />
-                </svg>
-              )},
-              { id: 'scheduler', name: 'BQAS Scheduler', icon: (
-                <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 8v4l3 3m6-3a9 9 0 11-18 0 9 9 0 0118 0z" />
-                </svg>
-              )},
-            ].map((tab) => (
+            {TAB_CONFIG.map((tab) => (
               <button
                 key={tab.id}
-                onClick={() => setActiveTab(tab.id as TabType)}
+                onClick={() => setActiveTab(tab.id)}
                 className={`px-6 py-4 text-sm font-medium border-b-2 transition-colors flex items-center gap-2 ${
                   activeTab === tab.id
                     ? 'border-orange-500 text-orange-600'
@@ -363,7 +193,6 @@ export default function CICDPage() {
           </nav>
         </div>
 
-        {/* Tab Content */}
         <div className="p-6">
           {loading ? (
             <div className="flex justify-center py-12">
@@ -371,797 +200,11 @@ export default function CICDPage() {
             </div>
           ) : (
             <>
-              {/* ================================================================ */}
-              {/* Overview Tab */}
-              {/* ================================================================ */}
-              {activeTab === 'overview' && (
-                <div className="space-y-6">
-                  {/* Status Cards */}
-                  <div className="grid grid-cols-1 md:grid-cols-4 gap-4">
-                    <div className={`p-4 rounded-lg ${pipelineStatus?.gitea_connected ? 'bg-green-50' : 'bg-yellow-50'}`}>
-                      <div className="flex items-center gap-2 mb-2">
-                        <span className={`w-3 h-3 rounded-full ${pipelineStatus?.gitea_connected ? 'bg-green-500' : 'bg-yellow-500'}`}></span>
-                        <span className="text-sm font-medium">Gitea Status</span>
-                      </div>
-                      <p className={`text-lg font-bold ${pipelineStatus?.gitea_connected ? 'text-green-700' : 'text-yellow-700'}`}>
-                        {pipelineStatus?.gitea_connected ? 'Verbunden' : 'Nicht verbunden'}
-                      </p>
-                      <p className="text-xs text-slate-500">http://macmini:3003</p>
-                    </div>
-
-                    <div className="bg-blue-50 p-4 rounded-lg">
-                      <div className="flex items-center gap-2 mb-2">
-                        <svg className="w-4 h-4 text-blue-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2" />
-                        </svg>
-                        <span className="text-sm font-medium">Pipeline Runs</span>
-                      </div>
-                      <p className="text-lg font-bold text-blue-700">{pipelineStatus?.total_runs || 0}</p>
-                      <p className="text-xs text-slate-500">{pipelineStatus?.successful_runs || 0} erfolgreich</p>
-                    </div>
-
-                    <div className="bg-purple-50 p-4 rounded-lg">
-                      <div className="flex items-center gap-2 mb-2">
-                        <svg className="w-4 h-4 text-purple-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 12h14M5 12a2 2 0 01-2-2V6a2 2 0 012-2h14a2 2 0 012 2v4a2 2 0 01-2 2M5 12a2 2 0 00-2 2v4a2 2 0 002 2h14a2 2 0 002-2v-4a2 2 0 00-2-2" />
-                        </svg>
-                        <span className="text-sm font-medium">Container</span>
-                      </div>
-                      <p className="text-lg font-bold text-purple-700">{dockerStats?.running_containers || 0}</p>
-                      <p className="text-xs text-slate-500">von {dockerStats?.total_containers || 0} laufend</p>
-                    </div>
-
-                    <div className="bg-slate-50 p-4 rounded-lg">
-                      <div className="flex items-center gap-2 mb-2">
-                        <svg className="w-4 h-4 text-slate-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 8v4l3 3m6-3a9 9 0 11-18 0 9 9 0 0118 0z" />
-                        </svg>
-                        <span className="text-sm font-medium">Letztes Update</span>
-                      </div>
-                      <p className="text-lg font-bold text-slate-700">
-                        {pipelineStatus?.last_sbom_update ? new Date(pipelineStatus.last_sbom_update).toLocaleDateString('de-DE') : 'Nie'}
-                      </p>
-                      <p className="text-xs text-slate-500">
-                        {pipelineStatus?.last_sbom_update ? new Date(pipelineStatus.last_sbom_update).toLocaleTimeString('de-DE') : '-'}
-                      </p>
-                    </div>
-                  </div>
-
-                  {/* System Resources */}
-                  {systemStats && (
-                    <div className="bg-slate-50 rounded-lg p-4">
-                      <h3 className="font-medium text-slate-800 mb-4 flex items-center gap-2">
-                        <svg className="w-5 h-5 text-slate-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 3v2m6-2v2M9 19v2m6-2v2M5 9H3m2 6H3m18-6h-2m2 6h-2M7 19h10a2 2 0 002-2V7a2 2 0 00-2-2H7a2 2 0 00-2 2v10a2 2 0 002 2zM9 9h6v6H9V9z" />
-                        </svg>
-                        Server Ressourcen ({systemStats.hostname})
-                      </h3>
-                      <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
-                        <div className="bg-white rounded-lg p-3">
-                          <div className="flex justify-between mb-2">
-                            <span className="text-sm text-slate-600">CPU</span>
-                            <span className={`font-bold ${systemStats.cpu.usage_percent > 80 ? 'text-red-600' : 'text-slate-900'}`}>
-                              {systemStats.cpu.usage_percent.toFixed(1)}%
-                            </span>
-                          </div>
-                          <ProgressBar percent={systemStats.cpu.usage_percent} />
-                        </div>
-                        <div className="bg-white rounded-lg p-3">
-                          <div className="flex justify-between mb-2">
-                            <span className="text-sm text-slate-600">RAM</span>
-                            <span className={`font-bold ${systemStats.memory.usage_percent > 80 ? 'text-red-600' : 'text-slate-900'}`}>
-                              {systemStats.memory.usage_percent.toFixed(1)}%
-                            </span>
-                          </div>
-                          <ProgressBar percent={systemStats.memory.usage_percent} color="purple" />
-                        </div>
-                        <div className="bg-white rounded-lg p-3">
-                          <div className="flex justify-between mb-2">
-                            <span className="text-sm text-slate-600">Disk</span>
-                            <span className={`font-bold ${systemStats.disk.usage_percent > 80 ? 'text-red-600' : 'text-slate-900'}`}>
-                              {systemStats.disk.usage_percent.toFixed(1)}%
-                            </span>
-                          </div>
-                          <ProgressBar percent={systemStats.disk.usage_percent} color="green" />
-                        </div>
-                      </div>
-                    </div>
-                  )}
-
-                  {/* Recent Pipeline Runs */}
-                  {pipelineHistory.length > 0 && (
-                    <div className="bg-slate-50 rounded-lg p-4">
-                      <h3 className="font-medium text-slate-800 mb-3">Letzte Pipeline Runs</h3>
-                      <div className="space-y-2">
-                        {pipelineHistory.slice(0, 5).map((run) => (
-                          <div key={run.id} className="flex items-center justify-between bg-white p-3 rounded-lg">
-                            <div className="flex items-center gap-3">
-                              <span className={`w-2 h-2 rounded-full ${
-                                run.status === 'success' ? 'bg-green-500' :
-                                run.status === 'failed' ? 'bg-red-500' :
-                                run.status === 'running' ? 'bg-yellow-500 animate-pulse' : 'bg-slate-400'
-                              }`}></span>
-                              <div>
-                                <p className="text-sm font-medium text-slate-800">{run.workflow || 'SBOM Pipeline'}</p>
-                                <p className="text-xs text-slate-500">{run.branch} - {run.commit_sha.substring(0, 8)}</p>
-                              </div>
-                            </div>
-                            <div className="text-right">
-                              <p className={`text-sm font-medium ${
-                                run.status === 'success' ? 'text-green-600' :
-                                run.status === 'failed' ? 'text-red-600' :
-                                run.status === 'running' ? 'text-yellow-600' : 'text-slate-600'
-                              }`}>
-                                {run.status === 'success' ? 'Erfolgreich' :
-                                 run.status === 'failed' ? 'Fehlgeschlagen' :
-                                 run.status === 'running' ? 'Laeuft...' : run.status}
-                              </p>
-                              <p className="text-xs text-slate-500">
-                                {new Date(run.started_at).toLocaleString('de-DE')}
-                              </p>
-                            </div>
-                          </div>
-                        ))}
-                      </div>
-                    </div>
-                  )}
-                </div>
-              )}
-
-              {/* ================================================================ */}
-              {/* Pipelines Tab */}
-              {/* ================================================================ */}
-              {activeTab === 'pipelines' && (
-                <div className="space-y-6">
-                  {/* Pipeline Controls */}
-                  <div className="flex items-center justify-between">
-                    <div>
-                      <h3 className="text-lg font-semibold text-slate-800">Gitea Actions Pipelines</h3>
-                      <p className="text-sm text-slate-600">Workflows werden bei Push auf main/develop automatisch ausgefuehrt</p>
-                    </div>
-                    <button
-                      onClick={triggerPipeline}
-                      disabled={triggeringPipeline}
-                      className="px-4 py-2 bg-orange-600 text-white rounded-lg font-medium hover:bg-orange-700 disabled:opacity-50 transition-colors flex items-center gap-2"
-                    >
-                      {triggeringPipeline ? (
-                        <>
-                          <div className="animate-spin rounded-full h-4 w-4 border-b-2 border-white"></div>
-                          Laeuft...
-                        </>
-                      ) : (
-                        <>
-                          <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M14.752 11.168l-3.197-2.132A1 1 0 0010 9.87v4.263a1 1 0 001.555.832l3.197-2.132a1 1 0 000-1.664z" />
-                            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
-                          </svg>
-                          Pipeline starten
-                        </>
-                      )}
-                    </button>
-                  </div>
-
-                  {/* Available Pipelines */}
-                  <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
-                    <div className="bg-green-50 border border-green-200 rounded-lg p-4">
-                      <div className="flex items-center gap-2 mb-2">
-                        <span className="w-2 h-2 rounded-full bg-green-500"></span>
-                        <span className="font-medium text-green-800">SBOM Pipeline</span>
-                      </div>
-                      <p className="text-sm text-green-700 mb-2">Generiert Software Bill of Materials</p>
-                      <p className="text-xs text-green-600">5 Jobs: generate, scan, license, upload, summary</p>
-                    </div>
-                    <div className="bg-slate-50 border border-slate-200 rounded-lg p-4 opacity-60">
-                      <div className="flex items-center gap-2 mb-2">
-                        <span className="w-2 h-2 rounded-full bg-slate-400"></span>
-                        <span className="font-medium text-slate-600">Test Pipeline</span>
-                      </div>
-                      <p className="text-sm text-slate-500 mb-2">Unit & Integration Tests</p>
-                      <p className="text-xs text-slate-400">Geplant</p>
-                    </div>
-                    <div className="bg-slate-50 border border-slate-200 rounded-lg p-4 opacity-60">
-                      <div className="flex items-center gap-2 mb-2">
-                        <span className="w-2 h-2 rounded-full bg-slate-400"></span>
-                        <span className="font-medium text-slate-600">Security Pipeline</span>
-                      </div>
-                      <p className="text-sm text-slate-500 mb-2">SAST, SCA, Secrets Scan</p>
-                      <p className="text-xs text-slate-400">Geplant</p>
-                    </div>
-                  </div>
-
-                  {/* Pipeline History */}
-                  <div className="bg-slate-50 rounded-lg p-4">
-                    <h4 className="font-medium text-slate-800 mb-4">Pipeline Historie</h4>
-                    {pipelineHistory.length === 0 ? (
-                      <div className="text-center py-8 text-slate-500">
-                        Keine Pipeline-Runs vorhanden. Starten Sie die erste Pipeline!
-                      </div>
-                    ) : (
-                      <div className="overflow-x-auto">
-                        <table className="w-full">
-                          <thead>
-                            <tr className="border-b border-slate-200">
-                              <th className="text-left py-2 px-3 text-xs font-semibold text-slate-500 uppercase">Status</th>
-                              <th className="text-left py-2 px-3 text-xs font-semibold text-slate-500 uppercase">Workflow</th>
-                              <th className="text-left py-2 px-3 text-xs font-semibold text-slate-500 uppercase">Branch</th>
-                              <th className="text-left py-2 px-3 text-xs font-semibold text-slate-500 uppercase">Commit</th>
-                              <th className="text-left py-2 px-3 text-xs font-semibold text-slate-500 uppercase">Gestartet</th>
-                              <th className="text-left py-2 px-3 text-xs font-semibold text-slate-500 uppercase">Dauer</th>
-                            </tr>
-                          </thead>
-                          <tbody className="divide-y divide-slate-100">
-                            {pipelineHistory.map((run) => (
-                              <tr key={run.id} className="hover:bg-white">
-                                <td className="py-2 px-3">
-                                  <span className={`inline-flex items-center gap-1 px-2 py-1 rounded-full text-xs font-medium ${
-                                    run.status === 'success' ? 'bg-green-100 text-green-800' :
-                                    run.status === 'failed' ? 'bg-red-100 text-red-800' :
-                                    run.status === 'running' ? 'bg-yellow-100 text-yellow-800' : 'bg-slate-100 text-slate-600'
-                                  }`}>
-                                    <span className={`w-1.5 h-1.5 rounded-full ${
-                                      run.status === 'success' ? 'bg-green-500' :
-                                      run.status === 'failed' ? 'bg-red-500' :
-                                      run.status === 'running' ? 'bg-yellow-500 animate-pulse' : 'bg-slate-400'
-                                    }`}></span>
-                                    {run.status}
-                                  </span>
-                                </td>
-                                <td className="py-2 px-3 text-sm text-slate-900">{run.workflow || 'SBOM Pipeline'}</td>
-                                <td className="py-2 px-3 text-sm text-slate-600">{run.branch}</td>
-                                <td className="py-2 px-3 text-sm font-mono text-slate-500">{run.commit_sha.substring(0, 8)}</td>
-                                <td className="py-2 px-3 text-sm text-slate-500">{new Date(run.started_at).toLocaleString('de-DE')}</td>
-                                <td className="py-2 px-3 text-sm text-slate-500">
-                                  {run.duration_seconds ? `${run.duration_seconds}s` : '-'}
-                                </td>
-                              </tr>
-                            ))}
-                          </tbody>
-                        </table>
-                      </div>
-                    )}
-                  </div>
-
-                  {/* Pipeline Architecture */}
-                  <div className="bg-slate-50 rounded-lg p-4">
-                    <h4 className="font-medium text-slate-800 mb-3">SBOM Pipeline Architektur</h4>
-                    <pre className="bg-slate-800 text-slate-100 p-4 rounded-lg overflow-x-auto text-sm">
-{`Gitea Actions Pipeline (.gitea/workflows/sbom.yaml)
-     │
-     ├── 1. generate-sbom     → Syft generiert CycloneDX SBOM
-     │
-     ├── 2. vulnerability-scan → Grype scannt auf CVEs
-     │
-     ├── 3. license-check     → Prueft GPL/AGPL Lizenzen
-     │
-     ├── 4. upload-dashboard  → POST /api/v1/security/sbom/upload
-     │
-     └── 5. summary           → Job Summary generieren`}
-                    </pre>
-                  </div>
-                </div>
-              )}
-
-              {/* ================================================================ */}
-              {/* Deployments Tab */}
-              {/* ================================================================ */}
-              {activeTab === 'deployments' && (
-                <div className="space-y-6">
-                  {/* Header */}
-                  <div className="flex items-center justify-between">
-                    <div>
-                      <h3 className="text-lg font-semibold text-slate-800">Docker Container</h3>
-                      {dockerStats && (
-                        <p className="text-sm text-slate-600">
-                          {dockerStats.running_containers} laufend, {dockerStats.stopped_containers} gestoppt, {dockerStats.total_containers} gesamt
-                        </p>
-                      )}
-                    </div>
-                    <div className="flex items-center gap-2">
-                      <select
-                        value={containerFilter}
-                        onChange={(e) => setContainerFilter(e.target.value as typeof containerFilter)}
-                        className="px-3 py-1.5 text-sm border border-slate-300 rounded-lg bg-white"
-                      >
-                        <option value="all">Alle</option>
-                        <option value="running">Laufend</option>
-                        <option value="stopped">Gestoppt</option>
-                      </select>
-                      <button
-                        onClick={loadContainerData}
-                        className="px-3 py-1.5 text-sm border border-slate-300 text-slate-700 rounded-lg hover:bg-slate-50"
-                      >
-                        Aktualisieren
-                      </button>
-                    </div>
-                  </div>
-
-                  {/* Container List */}
-                  {filteredContainers.length === 0 ? (
-                    <div className="text-center py-8 text-slate-500">Keine Container gefunden</div>
-                  ) : (
-                    <div className="space-y-3">
-                      {filteredContainers.map((container) => (
-                        <div
-                          key={container.id}
-                          className={`border rounded-xl p-4 transition-colors ${
-                            container.state === 'running'
-                              ? 'border-green-200 bg-green-50/30'
-                              : 'border-slate-200 bg-slate-50/50'
-                          }`}
-                        >
-                          <div className="flex items-start justify-between gap-4">
-                            <div className="flex-1 min-w-0">
-                              <div className="flex items-center gap-2 mb-1">
-                                <span className="font-semibold text-slate-900 truncate">{container.name}</span>
-                                <span className={`px-2 py-0.5 text-xs font-medium rounded-full ${getStateColor(container.state)}`}>
-                                  {container.state}
-                                </span>
-                              </div>
-                              <div className="text-sm text-slate-500 mb-2">
-                                <span className="font-mono">{container.image}</span>
-                                {container.ports.length > 0 && (
-                                  <span className="ml-2 text-slate-400">
-                                    | {container.ports.slice(0, 2).join(', ')}
-                                    {container.ports.length > 2 && ` +${container.ports.length - 2}`}
-                                  </span>
-                                )}
-                              </div>
-
-                              {container.state === 'running' && (
-                                <div className="flex flex-wrap gap-4 text-sm">
-                                  <div className="flex items-center gap-1">
-                                    <span className="text-slate-500">CPU:</span>
-                                    <span className={`font-medium ${container.cpu_percent > 80 ? 'text-red-600' : 'text-slate-700'}`}>
-                                      {container.cpu_percent.toFixed(1)}%
-                                    </span>
-                                  </div>
-                                  <div className="flex items-center gap-1">
-                                    <span className="text-slate-500">RAM:</span>
-                                    <span className={`font-medium ${container.memory_percent > 80 ? 'text-red-600' : 'text-slate-700'}`}>
-                                      {container.memory_usage}
-                                    </span>
-                                    <span className="text-slate-400">({container.memory_percent.toFixed(1)}%)</span>
-                                  </div>
-                                  <div className="flex items-center gap-1">
-                                    <span className="text-slate-500">Net:</span>
-                                    <span className="text-slate-700">{container.network_rx} / {container.network_tx}</span>
-                                  </div>
-                                </div>
-                              )}
-                            </div>
-
-                            <div className="flex items-center gap-2 flex-shrink-0">
-                              {container.state === 'running' ? (
-                                <>
-                                  <button
-                                    onClick={() => containerAction(container.id, 'restart')}
-                                    disabled={actionLoading !== null}
-                                    className="px-3 py-1.5 text-sm bg-blue-600 text-white rounded-lg hover:bg-blue-700 disabled:opacity-50 transition-colors"
-                                  >
-                                    {actionLoading === `${container.id}-restart` ? '...' : 'Restart'}
-                                  </button>
-                                  <button
-                                    onClick={() => containerAction(container.id, 'stop')}
-                                    disabled={actionLoading !== null}
-                                    className="px-3 py-1.5 text-sm bg-red-600 text-white rounded-lg hover:bg-red-700 disabled:opacity-50 transition-colors"
-                                  >
-                                    {actionLoading === `${container.id}-stop` ? '...' : 'Stop'}
-                                  </button>
-                                </>
-                              ) : (
-                                <button
-                                  onClick={() => containerAction(container.id, 'start')}
-                                  disabled={actionLoading !== null}
-                                  className="px-3 py-1.5 text-sm bg-green-600 text-white rounded-lg hover:bg-green-700 disabled:opacity-50 transition-colors"
-                                >
-                                  {actionLoading === `${container.id}-start` ? '...' : 'Start'}
-                                </button>
-                              )}
-                            </div>
-                          </div>
-                        </div>
-                      ))}
-                    </div>
-                  )}
-                </div>
-              )}
-
-              {/* ================================================================ */}
-              {/* Setup Tab */}
-              {/* ================================================================ */}
-              {activeTab === 'setup' && (
-                <div className="space-y-6">
-                  <div>
-                    <h3 className="text-lg font-semibold text-slate-800 mb-2">Erstkonfiguration - Gitea CI/CD</h3>
-                    <p className="text-slate-600">
-                      Anleitung zur Einrichtung der CI/CD Pipeline mit Gitea Actions auf dem Mac Mini Server.
-                    </p>
-                  </div>
-
-                  {/* Gitea Server Info */}
-                  <div className="bg-blue-50 p-4 rounded-lg">
-                    <h4 className="font-medium text-blue-800 mb-3 flex items-center gap-2">
-                      <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                        <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 12h14M5 12a2 2 0 01-2-2V6a2 2 0 012-2h14a2 2 0 012 2v4a2 2 0 01-2 2M5 12a2 2 0 00-2 2v4a2 2 0 002 2h14a2 2 0 002-2v-4a2 2 0 00-2-2" />
-                      </svg>
-                      Gitea Server
-                    </h4>
-                    <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
-                      <div className="bg-white p-3 rounded-lg">
-                        <p className="text-sm text-slate-500">Web-URL</p>
-                        <p className="font-mono text-blue-700">http://macmini:3003</p>
-                      </div>
-                      <div className="bg-white p-3 rounded-lg">
-                        <p className="text-sm text-slate-500">SSH</p>
-                        <p className="font-mono text-blue-700">macmini:2222</p>
-                      </div>
-                      <div className="bg-white p-3 rounded-lg">
-                        <p className="text-sm text-slate-500">Status</p>
-                        <p className={`font-medium ${pipelineStatus?.gitea_connected ? 'text-green-600' : 'text-yellow-600'}`}>
-                          {pipelineStatus?.gitea_connected ? 'Verbunden' : 'Konfiguration erforderlich'}
-                        </p>
-                      </div>
-                    </div>
-                  </div>
-
-                  {/* Implementierte Komponenten */}
-                  <div className="bg-slate-50 p-4 rounded-lg">
-                    <h4 className="font-medium text-slate-800 mb-3">Implementierte Komponenten</h4>
-                    <div className="overflow-x-auto">
-                      <table className="min-w-full text-sm">
-                        <thead>
-                          <tr className="border-b border-slate-200">
-                            <th className="text-left py-2 px-3 font-medium text-slate-600">Komponente</th>
-                            <th className="text-left py-2 px-3 font-medium text-slate-600">Pfad</th>
-                            <th className="text-left py-2 px-3 font-medium text-slate-600">Beschreibung</th>
-                          </tr>
-                        </thead>
-                        <tbody className="divide-y divide-slate-100">
-                          <tr>
-                            <td className="py-2 px-3 font-medium">Gitea Service</td>
-                            <td className="py-2 px-3"><code className="bg-slate-200 px-1 rounded text-xs">docker-compose.yml</code></td>
-                            <td className="py-2 px-3 text-slate-600">Gitea 1.22 mit Actions enabled</td>
-                          </tr>
-                          <tr>
-                            <td className="py-2 px-3 font-medium">Gitea Runner</td>
-                            <td className="py-2 px-3"><code className="bg-slate-200 px-1 rounded text-xs">docker-compose.yml</code></td>
-                            <td className="py-2 px-3 text-slate-600">act_runner fuer Job-Ausfuehrung</td>
-                          </tr>
-                          <tr>
-                            <td className="py-2 px-3 font-medium">SBOM Workflow</td>
-                            <td className="py-2 px-3"><code className="bg-slate-200 px-1 rounded text-xs">.gitea/workflows/sbom.yaml</code></td>
-                            <td className="py-2 px-3 text-slate-600">5 Jobs: generate, scan, license, upload, summary</td>
-                          </tr>
-                          <tr>
-                            <td className="py-2 px-3 font-medium">Backend API</td>
-                            <td className="py-2 px-3"><code className="bg-slate-200 px-1 rounded text-xs">backend/security_api.py</code></td>
-                            <td className="py-2 px-3 text-slate-600">SBOM Upload, Pipeline Status, History</td>
-                          </tr>
-                          <tr>
-                            <td className="py-2 px-3 font-medium">Runner Config</td>
-                            <td className="py-2 px-3"><code className="bg-slate-200 px-1 rounded text-xs">gitea/runner-config.yaml</code></td>
-                            <td className="py-2 px-3 text-slate-600">Labels: ubuntu-latest, self-hosted</td>
-                          </tr>
-                        </tbody>
-                      </table>
-                    </div>
-                  </div>
-
-                  {/* Setup Steps */}
-                  <div className="bg-orange-50 p-4 rounded-lg">
-                    <h4 className="font-medium text-orange-800 mb-3 flex items-center gap-2">
-                      <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                        <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-3 7h3m-3 4h3m-6-4h.01M9 16h.01" />
-                      </svg>
-                      Setup-Schritte
-                    </h4>
-                    <div className="space-y-3">
-                      <div className="bg-white p-3 rounded-lg">
-                        <h5 className="font-medium text-slate-800 mb-1">1. Gitea oeffnen</h5>
-                        <code className="text-sm bg-slate-100 px-2 py-1 rounded">http://macmini:3003</code>
-                      </div>
-                      <div className="bg-white p-3 rounded-lg">
-                        <h5 className="font-medium text-slate-800 mb-1">2. Admin-Account erstellen</h5>
-                        <p className="text-sm text-slate-600">Username: admin, Email: admin@breakpilot.de</p>
-                      </div>
-                      <div className="bg-white p-3 rounded-lg">
-                        <h5 className="font-medium text-slate-800 mb-1">3. Repository erstellen</h5>
-                        <p className="text-sm text-slate-600">Name: breakpilot-pwa, Visibility: Private</p>
-                      </div>
-                      <div className="bg-white p-3 rounded-lg">
-                        <h5 className="font-medium text-slate-800 mb-1">4. Actions aktivieren</h5>
-                        <p className="text-sm text-slate-600">Repository Settings → Actions → Enable Repository Actions</p>
-                      </div>
-                      <div className="bg-white p-3 rounded-lg">
-                        <h5 className="font-medium text-slate-800 mb-1">5. Runner Token erstellen & starten</h5>
-                        <pre className="text-xs bg-slate-100 p-2 rounded mt-1 overflow-x-auto">
-{`export GITEA_RUNNER_TOKEN=<token>
-docker compose up -d gitea-runner`}
-                        </pre>
-                      </div>
-                      <div className="bg-white p-3 rounded-lg">
-                        <h5 className="font-medium text-slate-800 mb-1">6. Repository pushen</h5>
-                        <pre className="text-xs bg-slate-100 p-2 rounded mt-1 overflow-x-auto">
-{`git remote add gitea http://macmini:3003/admin/breakpilot-pwa.git
-git push gitea main`}
-                        </pre>
-                      </div>
-                    </div>
-                  </div>
-
-                  {/* Quick Links */}
-                  <div className="bg-purple-50 p-4 rounded-lg">
-                    <h4 className="font-medium text-purple-800 mb-3">Quick Links</h4>
-                    <div className="grid grid-cols-1 md:grid-cols-2 gap-3">
-                      <a
-                        href="http://macmini:3003"
-                        target="_blank"
-                        rel="noopener noreferrer"
-                        className="flex items-center justify-between bg-white p-3 rounded-lg hover:bg-purple-100 transition-colors"
-                      >
-                        <div>
-                          <p className="font-medium text-purple-800">Gitea</p>
-                          <p className="text-xs text-slate-500">Git Server & CI/CD</p>
-                        </div>
-                        <svg className="w-5 h-5 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" />
-                        </svg>
-                      </a>
-                      <a
-                        href="http://macmini:3003/admin/breakpilot-pwa/actions"
-                        target="_blank"
-                        rel="noopener noreferrer"
-                        className="flex items-center justify-between bg-white p-3 rounded-lg hover:bg-purple-100 transition-colors"
-                      >
-                        <div>
-                          <p className="font-medium text-purple-800">Pipeline Actions</p>
-                          <p className="text-xs text-slate-500">Workflow Runs</p>
-                        </div>
-                        <svg className="w-5 h-5 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" />
-                        </svg>
-                      </a>
-                    </div>
-                  </div>
-                </div>
-              )}
-
-              {/* ================================================================ */}
-              {/* Scheduler Tab (BQAS) */}
-              {/* ================================================================ */}
-              {activeTab === 'scheduler' && (
-                <div className="space-y-6">
-                  {/* Status Overview */}
-                  <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
-                    <div className="rounded-xl border p-5 bg-emerald-100 border-emerald-200 text-emerald-700">
-                      <div className="flex items-start gap-4">
-                        <div className="flex-shrink-0">
-                          <svg className="w-8 h-8" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5} d="M12 8v4l3 3m6-3a9 9 0 11-18 0 9 9 0 0118 0z" />
-                          </svg>
-                        </div>
-                        <div className="flex-1">
-                          <div className="flex items-center gap-2">
-                            <h4 className="font-semibold">launchd Job</h4>
-                            <span className="w-2 h-2 rounded-full bg-emerald-500" />
-                          </div>
-                          <p className="text-sm mt-1 opacity-80">Taeglich um 07:00 Uhr automatisch</p>
-                        </div>
-                      </div>
-                    </div>
-                    <div className="rounded-xl border p-5 bg-emerald-100 border-emerald-200 text-emerald-700">
-                      <div className="flex items-start gap-4">
-                        <div className="flex-shrink-0">
-                          <svg className="w-8 h-8" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5} d="M8 9l3 3-3 3m5 0h3M5 20h14a2 2 0 002-2V6a2 2 0 00-2-2H5a2 2 0 00-2 2v12a2 2 0 002 2z" />
-                          </svg>
-                        </div>
-                        <div className="flex-1">
-                          <div className="flex items-center gap-2">
-                            <h4 className="font-semibold">Git Hook</h4>
-                            <span className="w-2 h-2 rounded-full bg-emerald-500" />
-                          </div>
-                          <p className="text-sm mt-1 opacity-80">Quick Tests bei voice-service Aenderungen</p>
-                        </div>
-                      </div>
-                    </div>
-                    <div className="rounded-xl border p-5 bg-emerald-100 border-emerald-200 text-emerald-700">
-                      <div className="flex items-start gap-4">
-                        <div className="flex-shrink-0">
-                          <svg className="w-8 h-8" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5} d="M15 17h5l-1.405-1.405A2.032 2.032 0 0118 14.158V11a6.002 6.002 0 00-4-5.659V5a2 2 0 10-4 0v.341C7.67 6.165 6 8.388 6 11v3.159c0 .538-.214 1.055-.595 1.436L4 17h5m6 0v1a3 3 0 11-6 0v-1m6 0H9" />
-                          </svg>
-                        </div>
-                        <div className="flex-1">
-                          <div className="flex items-center gap-2">
-                            <h4 className="font-semibold">Benachrichtigungen</h4>
-                            <span className="w-2 h-2 rounded-full bg-emerald-500" />
-                          </div>
-                          <p className="text-sm mt-1 opacity-80">Desktop-Alerts bei Fehlern aktiviert</p>
-                        </div>
-                      </div>
-                    </div>
-                  </div>
-
-                  {/* Quick Actions */}
-                  <div className="bg-slate-50 rounded-lg p-4">
-                    <h3 className="font-medium text-slate-800 mb-4">Quick Actions (BQAS)</h3>
-                    <div className="flex flex-wrap gap-3">
-                      <a
-                        href="/ai/test-quality"
-                        className="px-4 py-2 bg-blue-600 text-white rounded-lg hover:bg-blue-700 flex items-center gap-2"
-                      >
-                        <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M14.752 11.168l-3.197-2.132A1 1 0 0010 9.87v4.263a1 1 0 001.555.832l3.197-2.132a1 1 0 000-1.664z" />
-                          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
-                        </svg>
-                        Test Dashboard oeffnen
-                      </a>
-                      <span className="text-sm text-slate-500 self-center">
-                        Starte Tests direkt im BQAS Dashboard
-                      </span>
-                    </div>
-                  </div>
-
-                  {/* GitHub Actions vs Local - Comparison */}
-                  <div className="bg-slate-50 rounded-lg p-4">
-                    <h3 className="font-medium text-slate-800 mb-4">GitHub Actions Alternative</h3>
-                    <p className="text-slate-600 mb-4">
-                      Der lokale BQAS Scheduler ersetzt GitHub Actions und bietet DSGVO-konforme, vollstaendig lokale Test-Ausfuehrung.
-                    </p>
-
-                    <div className="overflow-x-auto">
-                      <table className="w-full text-sm">
-                        <thead>
-                          <tr className="border-b border-slate-200 bg-white">
-                            <th className="text-left py-3 px-4 font-medium text-slate-700">Feature</th>
-                            <th className="text-center py-3 px-4 font-medium text-slate-700">GitHub Actions</th>
-                            <th className="text-center py-3 px-4 font-medium text-slate-700">Lokaler Scheduler</th>
-                          </tr>
-                        </thead>
-                        <tbody>
-                          <tr className="border-b border-slate-100">
-                            <td className="py-3 px-4 text-slate-600">Taegliche Tests (07:00)</td>
-                            <td className="py-3 px-4 text-center">
-                              <span className="text-slate-600">schedule: cron</span>
-                            </td>
-                            <td className="py-3 px-4 text-center">
-                              <span className="px-2 py-1 bg-emerald-100 text-emerald-700 rounded text-xs font-medium">macOS launchd</span>
-                            </td>
-                          </tr>
-                          <tr className="border-b border-slate-100">
-                            <td className="py-3 px-4 text-slate-600">Push-basierte Tests</td>
-                            <td className="py-3 px-4 text-center">
-                              <span className="text-slate-600">on: push</span>
-                            </td>
-                            <td className="py-3 px-4 text-center">
-                              <span className="px-2 py-1 bg-emerald-100 text-emerald-700 rounded text-xs font-medium">Git post-commit Hook</span>
-                            </td>
-                          </tr>
-                          <tr className="border-b border-slate-100">
-                            <td className="py-3 px-4 text-slate-600">PR-basierte Tests</td>
-                            <td className="py-3 px-4 text-center">
-                              <span className="px-2 py-1 bg-emerald-100 text-emerald-700 rounded text-xs font-medium">on: pull_request</span>
-                            </td>
-                            <td className="py-3 px-4 text-center">
-                              <span className="px-2 py-1 bg-amber-100 text-amber-700 rounded text-xs font-medium">Nicht moeglich</span>
-                            </td>
-                          </tr>
-                          <tr className="border-b border-slate-100">
-                            <td className="py-3 px-4 text-slate-600">DSGVO-Konformitaet</td>
-                            <td className="py-3 px-4 text-center">
-                              <span className="px-2 py-1 bg-amber-100 text-amber-700 rounded text-xs font-medium">Daten bei GitHub (US)</span>
-                            </td>
-                            <td className="py-3 px-4 text-center">
-                              <span className="px-2 py-1 bg-emerald-100 text-emerald-700 rounded text-xs font-medium">100% lokal</span>
-                            </td>
-                          </tr>
-                          <tr>
-                            <td className="py-3 px-4 text-slate-600">Offline-Faehig</td>
-                            <td className="py-3 px-4 text-center">
-                              <span className="px-2 py-1 bg-red-100 text-red-700 rounded text-xs font-medium">Nein</span>
-                            </td>
-                            <td className="py-3 px-4 text-center">
-                              <span className="px-2 py-1 bg-emerald-100 text-emerald-700 rounded text-xs font-medium">Ja</span>
-                            </td>
-                          </tr>
-                        </tbody>
-                      </table>
-                    </div>
-                  </div>
-
-                  {/* Configuration Details */}
-                  <div className="bg-slate-50 rounded-lg p-4">
-                    <h3 className="font-medium text-slate-800 mb-4">Konfiguration</h3>
-
-                    <div className="grid grid-cols-1 lg:grid-cols-2 gap-6">
-                      {/* launchd Configuration */}
-                      <div>
-                        <h4 className="font-medium text-slate-700 mb-3">launchd Job</h4>
-                        <div className="bg-slate-900 rounded-lg p-4 font-mono text-sm text-slate-100 overflow-x-auto">
-                          <pre>{`# ~/Library/LaunchAgents/com.breakpilot.bqas.plist
-Label: com.breakpilot.bqas
-Schedule: 07:00 taeglich
-Script: /voice-service/scripts/run_bqas.sh
-Logs: /var/log/bqas/`}</pre>
-                        </div>
-                      </div>
-
-                      {/* Environment Variables */}
-                      <div>
-                        <h4 className="font-medium text-slate-700 mb-3">Umgebungsvariablen</h4>
-                        <div className="space-y-2 text-sm">
-                          <div className="flex justify-between p-2 bg-white rounded">
-                            <span className="font-mono text-slate-600">BQAS_SERVICE_URL</span>
-                            <span className="text-slate-900">http://localhost:8091</span>
-                          </div>
-                          <div className="flex justify-between p-2 bg-white rounded">
-                            <span className="font-mono text-slate-600">BQAS_REGRESSION_THRESHOLD</span>
-                            <span className="text-slate-900">0.1</span>
-                          </div>
-                          <div className="flex justify-between p-2 bg-white rounded">
-                            <span className="font-mono text-slate-600">BQAS_NOTIFY_DESKTOP</span>
-                            <span className="text-emerald-600 font-medium">true</span>
-                          </div>
-                          <div className="flex justify-between p-2 bg-white rounded">
-                            <span className="font-mono text-slate-600">BQAS_NOTIFY_SLACK</span>
-                            <span className="text-slate-400">false</span>
-                          </div>
-                        </div>
-                      </div>
-                    </div>
-                  </div>
-
-                  {/* Detailed Explanation */}
-                  <div className="bg-gradient-to-r from-blue-50 to-indigo-50 rounded-xl border border-blue-200 p-6">
-                    <h3 className="text-lg font-semibold text-slate-900 mb-4 flex items-center gap-2">
-                      <svg className="w-5 h-5 text-blue-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                        <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
-                      </svg>
-                      Detaillierte Erklaerung
-                    </h3>
-
-                    <div className="prose prose-sm max-w-none text-slate-700">
-                      <h4 className="text-base font-semibold mt-4 mb-2">Warum ein lokaler Scheduler?</h4>
-                      <p className="mb-4">
-                        Der lokale BQAS Scheduler wurde entwickelt, um die gleiche Funktionalitaet wie GitHub Actions zu bieten,
-                        aber mit dem entscheidenden Vorteil, dass <strong>alle Daten zu 100% auf dem lokalen Mac Mini verbleiben</strong>.
-                        Dies ist besonders wichtig fuer DSGVO-Konformitaet, da keine Schuelerdaten oder Testergebnisse an externe Server uebertragen werden.
-                      </p>
-
-                      <h4 className="text-base font-semibold mt-4 mb-2">Komponenten</h4>
-                      <ul className="list-disc list-inside space-y-2 mb-4">
-                        <li>
-                          <strong>run_bqas.sh</strong> - Hauptscript das pytest ausfuehrt, Regression-Checks macht und Benachrichtigungen versendet
-                        </li>
-                        <li>
-                          <strong>launchd Job</strong> - macOS-nativer Scheduler der das Script taeglich um 07:00 Uhr startet
-                        </li>
-                        <li>
-                          <strong>Git Hook</strong> - post-commit Hook der bei Aenderungen im voice-service automatisch Quick-Tests startet
-                        </li>
-                        <li>
-                          <strong>Notifier</strong> - Python-Modul das Desktop-, Slack- und E-Mail-Benachrichtigungen versendet
-                        </li>
-                      </ul>
-
-                      <h4 className="text-base font-semibold mt-4 mb-2">Installation</h4>
-                      <div className="bg-slate-900 rounded-lg p-3 font-mono text-sm text-slate-100 mb-4">
-                        <code>./voice-service/scripts/install_bqas_scheduler.sh install</code>
-                      </div>
-
-                      <h4 className="text-base font-semibold mt-4 mb-2">Vorteile gegenueber GitHub Actions</h4>
-                      <ul className="list-disc list-inside space-y-1">
-                        <li>100% DSGVO-konform - alle Daten bleiben lokal</li>
-                        <li>Keine Internet-Abhaengigkeit - funktioniert auch offline</li>
-                        <li>Keine GitHub-Kosten fuer private Repositories</li>
-                        <li>Schnellere Ausfuehrung ohne Cloud-Overhead</li>
-                        <li>Volle Kontrolle ueber Scheduling und Benachrichtigungen</li>
-                      </ul>
-                    </div>
-                  </div>
-                </div>
-              )}
+              {activeTab === 'overview' && <OverviewTab pipelineStatus={pipelineStatus} pipelineHistory={pipelineHistory} systemStats={systemStats} dockerStats={dockerStats} />}
+              {activeTab === 'pipelines' && <PipelinesTab pipelineHistory={pipelineHistory} triggeringPipeline={triggeringPipeline} onTriggerPipeline={triggerPipeline} />}
+              {activeTab === 'deployments' && <DeploymentsTab dockerStats={dockerStats} containerFilter={containerFilter} setContainerFilter={setContainerFilter} filteredContainers={filteredContainers} onContainerAction={containerAction} actionLoading={actionLoading} onRefresh={loadContainerData} />}
+              {activeTab === 'setup' && <SetupTab pipelineStatus={pipelineStatus} />}
+              {activeTab === 'scheduler' && <SchedulerTab />}
             </>
           )}
         </div>
diff --git a/admin-core/app/(admin)/infrastructure/ci-cd/types.ts b/admin-core/app/(admin)/infrastructure/ci-cd/types.ts
new file mode 100644
index 0000000..eb4f6dc
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/ci-cd/types.ts
@@ -0,0 +1,72 @@
+/**
+ * Types for CI/CD Dashboard
+ */
+
+export interface PipelineStatus {
+  gitea_connected: boolean
+  gitea_url: string
+  last_sbom_update: string | null
+  total_runs: number
+  successful_runs: number
+  failed_runs: number
+}
+
+export interface PipelineRun {
+  id: string
+  workflow: string
+  branch: string
+  commit_sha: string
+  status: 'success' | 'failed' | 'running' | 'pending'
+  started_at: string
+  finished_at: string | null
+  duration_seconds: number | null
+}
+
+export interface ContainerInfo {
+  id: string
+  name: string
+  image: string
+  status: string
+  state: string
+  created: string
+  ports: string[]
+  cpu_percent: number
+  memory_usage: string
+  memory_limit: string
+  memory_percent: number
+  network_rx: string
+  network_tx: string
+}
+
+export interface SystemStats {
+  hostname: string
+  platform: string
+  arch: string
+  uptime: number
+  cpu: {
+    model: string
+    cores: number
+    usage_percent: number
+  }
+  memory: {
+    total: string
+    used: string
+    free: string
+    usage_percent: number
+  }
+  disk: {
+    total: string
+    used: string
+    free: string
+    usage_percent: number
+  }
+}
+
+export interface DockerStats {
+  containers: ContainerInfo[]
+  total_containers: number
+  running_containers: number
+  stopped_containers: number
+}
+
+export type TabType = 'overview' | 'pipelines' | 'deployments' | 'setup' | 'scheduler'
diff --git a/admin-core/app/(admin)/infrastructure/middleware/_components/ConfigTab.tsx b/admin-core/app/(admin)/infrastructure/middleware/_components/ConfigTab.tsx
new file mode 100644
index 0000000..15f0b06
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/middleware/_components/ConfigTab.tsx
@@ -0,0 +1,61 @@
+import type { MiddlewareConfig } from '../types'
+import { getMiddlewareDescription } from './helpers'
+
+interface ConfigTabProps {
+  configs: MiddlewareConfig[]
+  actionLoading: string | null
+  onToggle: (name: string, enabled: boolean) => void
+}
+
+export function ConfigTab({ configs, actionLoading, onToggle }: ConfigTabProps) {
+  return (
+    <div className="space-y-4">
+      {configs.map(config => {
+        const info = getMiddlewareDescription(config.middleware_name)
+        return (
+          <div key={config.id} className="bg-slate-50 rounded-lg p-4 border border-slate-200">
+            <div className="flex justify-between items-start mb-4">
+              <div>
+                <h3 className="font-semibold text-slate-900 flex items-center gap-2">
+                  <span>{info.icon}</span>
+                  <span className="capitalize">{config.middleware_name.replace('_', ' ')}</span>
+                </h3>
+                <p className="text-sm text-slate-600">{info.desc}</p>
+              </div>
+              <div className="flex items-center gap-3">
+                <span
+                  className={`px-3 py-1 rounded-full text-xs font-semibold ${
+                    config.enabled ? 'bg-green-100 text-green-800' : 'bg-red-100 text-red-800'
+                  }`}
+                >
+                  {config.enabled ? 'Aktiviert' : 'Deaktiviert'}
+                </span>
+                <button
+                  onClick={() => onToggle(config.middleware_name, !config.enabled)}
+                  disabled={actionLoading === config.middleware_name}
+                  className="px-4 py-1.5 text-sm border border-slate-300 rounded-lg hover:bg-slate-100 disabled:opacity-50 transition-colors"
+                >
+                  {actionLoading === config.middleware_name
+                    ? '...'
+                    : config.enabled
+                    ? 'Deaktivieren'
+                    : 'Aktivieren'}
+                </button>
+              </div>
+            </div>
+            {Object.keys(config.config).length > 0 && (
+              <div className="mt-3 pt-3 border-t border-slate-200">
+                <div className="text-xs font-semibold text-slate-500 uppercase mb-2">
+                  Konfiguration
+                </div>
+                <pre className="text-xs bg-white p-3 rounded border border-slate-200 overflow-x-auto">
+                  {JSON.stringify(config.config, null, 2)}
+                </pre>
+              </div>
+            )}
+          </div>
+        )
+      })}
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/middleware/_components/EventsTab.tsx b/admin-core/app/(admin)/infrastructure/middleware/_components/EventsTab.tsx
new file mode 100644
index 0000000..fbc62a6
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/middleware/_components/EventsTab.tsx
@@ -0,0 +1,69 @@
+import type { MiddlewareEvent } from '../types'
+import { getEventTypeColor } from './helpers'
+
+interface EventsTabProps {
+  events: MiddlewareEvent[]
+}
+
+export function EventsTab({ events }: EventsTabProps) {
+  return (
+    <div className="overflow-x-auto">
+      <table className="w-full">
+        <thead>
+          <tr className="border-b border-slate-200">
+            <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
+              Zeit
+            </th>
+            <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
+              Middleware
+            </th>
+            <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
+              Event
+            </th>
+            <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
+              IP
+            </th>
+            <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
+              Pfad
+            </th>
+          </tr>
+        </thead>
+        <tbody>
+          {events.length === 0 ? (
+            <tr>
+              <td colSpan={5} className="text-center py-8 text-slate-500">
+                Keine Events vorhanden.
+              </td>
+            </tr>
+          ) : (
+            events.map(event => (
+              <tr key={event.id} className="border-b border-slate-100 hover:bg-slate-50">
+                <td className="py-3 px-4 text-sm text-slate-500">
+                  {new Date(event.created_at).toLocaleString('de-DE')}
+                </td>
+                <td className="py-3 px-4 text-sm capitalize">
+                  {event.middleware_name.replace('_', ' ')}
+                </td>
+                <td className="py-3 px-4">
+                  <span
+                    className={`px-2 py-1 rounded text-xs font-semibold ${getEventTypeColor(event.event_type)}`}
+                  >
+                    {event.event_type}
+                  </span>
+                </td>
+                <td className="py-3 px-4 text-sm font-mono text-slate-600">
+                  {event.ip_address || '-'}
+                </td>
+                <td className="py-3 px-4 text-sm text-slate-600 max-w-xs truncate">
+                  {event.request_method && event.request_path
+                    ? `${event.request_method} ${event.request_path}`
+                    : '-'}
+                </td>
+              </tr>
+            ))
+          )}
+        </tbody>
+      </table>
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/middleware/_components/IpListTab.tsx b/admin-core/app/(admin)/infrastructure/middleware/_components/IpListTab.tsx
new file mode 100644
index 0000000..a944791
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/middleware/_components/IpListTab.tsx
@@ -0,0 +1,131 @@
+import type { RateLimitIP } from '../types'
+
+interface IpListTabProps {
+  ipList: RateLimitIP[]
+  actionLoading: string | null
+  newIP: string
+  newIPType: 'whitelist' | 'blacklist'
+  newIPReason: string
+  onNewIPChange: (value: string) => void
+  onNewIPTypeChange: (value: 'whitelist' | 'blacklist') => void
+  onNewIPReasonChange: (value: string) => void
+  onAddIP: (e: React.FormEvent) => void
+  onRemoveIP: (id: string) => void
+}
+
+export function IpListTab({
+  ipList,
+  actionLoading,
+  newIP,
+  newIPType,
+  newIPReason,
+  onNewIPChange,
+  onNewIPTypeChange,
+  onNewIPReasonChange,
+  onAddIP,
+  onRemoveIP,
+}: IpListTabProps) {
+  return (
+    <div>
+      {/* Add IP Form */}
+      <form onSubmit={onAddIP} className="mb-6 p-4 bg-slate-50 rounded-lg border border-slate-200">
+        <h3 className="font-semibold text-slate-900 mb-4">IP hinzufuegen</h3>
+        <div className="flex flex-wrap gap-3">
+          <input
+            type="text"
+            value={newIP}
+            onChange={e => onNewIPChange(e.target.value)}
+            placeholder="IP-Adresse (z.B. 192.168.1.1)"
+            className="flex-1 min-w-[200px] px-4 py-2 border border-slate-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-orange-500"
+          />
+          <select
+            value={newIPType}
+            onChange={e => onNewIPTypeChange(e.target.value as 'whitelist' | 'blacklist')}
+            className="px-4 py-2 border border-slate-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-orange-500"
+          >
+            <option value="whitelist">Whitelist</option>
+            <option value="blacklist">Blacklist</option>
+          </select>
+          <input
+            type="text"
+            value={newIPReason}
+            onChange={e => onNewIPReasonChange(e.target.value)}
+            placeholder="Grund (optional)"
+            className="flex-1 min-w-[150px] px-4 py-2 border border-slate-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-orange-500"
+          />
+          <button
+            type="submit"
+            disabled={!newIP.trim() || actionLoading === 'add-ip'}
+            className="px-6 py-2 bg-orange-600 text-white rounded-lg font-medium hover:bg-orange-700 disabled:opacity-50 transition-colors"
+          >
+            {actionLoading === 'add-ip' ? 'Hinzufuegen...' : 'Hinzufuegen'}
+          </button>
+        </div>
+      </form>
+
+      {/* IP List Table */}
+      <div className="overflow-x-auto">
+        <table className="w-full">
+          <thead>
+            <tr className="border-b border-slate-200">
+              <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
+                IP-Adresse
+              </th>
+              <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
+                Typ
+              </th>
+              <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
+                Grund
+              </th>
+              <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
+                Hinzugefuegt
+              </th>
+              <th className="text-right py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
+                Aktion
+              </th>
+            </tr>
+          </thead>
+          <tbody>
+            {ipList.length === 0 ? (
+              <tr>
+                <td colSpan={5} className="text-center py-8 text-slate-500">
+                  Keine IP-Eintraege vorhanden.
+                </td>
+              </tr>
+            ) : (
+              ipList.map(ip => (
+                <tr key={ip.id} className="border-b border-slate-100 hover:bg-slate-50">
+                  <td className="py-3 px-4 font-mono text-sm">{ip.ip_address}</td>
+                  <td className="py-3 px-4">
+                    <span
+                      className={`px-2 py-1 rounded text-xs font-semibold ${
+                        ip.list_type === 'whitelist'
+                          ? 'bg-green-100 text-green-800'
+                          : 'bg-red-100 text-red-800'
+                      }`}
+                    >
+                      {ip.list_type === 'whitelist' ? 'Whitelist' : 'Blacklist'}
+                    </span>
+                  </td>
+                  <td className="py-3 px-4 text-sm text-slate-600">{ip.reason || '-'}</td>
+                  <td className="py-3 px-4 text-sm text-slate-500">
+                    {new Date(ip.created_at).toLocaleString('de-DE')}
+                  </td>
+                  <td className="py-3 px-4 text-right">
+                    <button
+                      onClick={() => onRemoveIP(ip.id)}
+                      disabled={actionLoading === `remove-${ip.id}`}
+                      className="px-3 py-1 text-sm text-red-600 hover:bg-red-50 rounded transition-colors disabled:opacity-50"
+                    >
+                      {actionLoading === `remove-${ip.id}` ? '...' : 'Entfernen'}
+                    </button>
+                  </td>
+                </tr>
+              ))
+            )}
+          </tbody>
+        </table>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/middleware/_components/OverviewTab.tsx b/admin-core/app/(admin)/infrastructure/middleware/_components/OverviewTab.tsx
new file mode 100644
index 0000000..9b3bd9b
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/middleware/_components/OverviewTab.tsx
@@ -0,0 +1,58 @@
+import type { MiddlewareConfig } from '../types'
+import { getMiddlewareDescription } from './helpers'
+
+interface OverviewTabProps {
+  configs: MiddlewareConfig[]
+  actionLoading: string | null
+  onToggle: (name: string, enabled: boolean) => void
+}
+
+export function OverviewTab({ configs, actionLoading, onToggle }: OverviewTabProps) {
+  return (
+    <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+      {configs.map(config => {
+        const info = getMiddlewareDescription(config.middleware_name)
+        return (
+          <div
+            key={config.id}
+            className={`rounded-lg p-4 border ${
+              config.enabled
+                ? 'bg-green-50 border-green-200'
+                : 'bg-slate-50 border-slate-200'
+            }`}
+          >
+            <div className="flex justify-between items-start mb-2">
+              <div className="flex items-center gap-2">
+                <span className="text-xl">{info.icon}</span>
+                <span className="font-semibold text-slate-900 capitalize">
+                  {config.middleware_name.replace('_', ' ')}
+                </span>
+              </div>
+              <button
+                onClick={() => onToggle(config.middleware_name, !config.enabled)}
+                disabled={actionLoading === config.middleware_name}
+                className={`px-3 py-1 rounded-full text-xs font-semibold transition-colors ${
+                  config.enabled
+                    ? 'bg-green-200 text-green-800 hover:bg-green-300'
+                    : 'bg-slate-200 text-slate-600 hover:bg-slate-300'
+                }`}
+              >
+                {actionLoading === config.middleware_name
+                  ? '...'
+                  : config.enabled
+                  ? 'Aktiv'
+                  : 'Inaktiv'}
+              </button>
+            </div>
+            <p className="text-sm text-slate-600">{info.desc}</p>
+            {config.updated_at && (
+              <div className="mt-2 text-xs text-slate-400">
+                Aktualisiert: {new Date(config.updated_at).toLocaleString('de-DE')}
+              </div>
+            )}
+          </div>
+        )
+      })}
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/middleware/_components/StatsTab.tsx b/admin-core/app/(admin)/infrastructure/middleware/_components/StatsTab.tsx
new file mode 100644
index 0000000..d79baa1
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/middleware/_components/StatsTab.tsx
@@ -0,0 +1,66 @@
+import type { MiddlewareStats } from '../types'
+import { getMiddlewareDescription, getEventTypeColor } from './helpers'
+
+interface StatsTabProps {
+  stats: MiddlewareStats[]
+}
+
+export function StatsTab({ stats }: StatsTabProps) {
+  return (
+    <div className="grid grid-cols-1 md:grid-cols-2 gap-6">
+      {stats.map(stat => {
+        const info = getMiddlewareDescription(stat.middleware_name)
+        return (
+          <div key={stat.middleware_name} className="bg-slate-50 rounded-lg p-4 border border-slate-200">
+            <h3 className="font-semibold text-slate-900 flex items-center gap-2 mb-4">
+              <span>{info.icon}</span>
+              <span className="capitalize">{stat.middleware_name.replace('_', ' ')}</span>
+            </h3>
+            <div className="grid grid-cols-3 gap-4 mb-4">
+              <div>
+                <div className="text-2xl font-bold text-slate-900">{stat.total_events}</div>
+                <div className="text-xs text-slate-500">Gesamt</div>
+              </div>
+              <div>
+                <div className="text-2xl font-bold text-blue-600">{stat.events_last_hour}</div>
+                <div className="text-xs text-slate-500">Letzte Stunde</div>
+              </div>
+              <div>
+                <div className="text-2xl font-bold text-orange-600">{stat.events_last_24h}</div>
+                <div className="text-xs text-slate-500">24 Stunden</div>
+              </div>
+            </div>
+            {stat.top_event_types.length > 0 && (
+              <div className="mb-3">
+                <div className="text-xs font-semibold text-slate-500 uppercase mb-2">
+                  Top Event-Typen
+                </div>
+                <div className="flex flex-wrap gap-2">
+                  {stat.top_event_types.slice(0, 3).map(et => (
+                    <span
+                      key={et.event_type}
+                      className={`px-2 py-1 rounded text-xs ${getEventTypeColor(et.event_type)}`}
+                    >
+                      {et.event_type} ({et.count})
+                    </span>
+                  ))}
+                </div>
+              </div>
+            )}
+            {stat.top_ips.length > 0 && (
+              <div>
+                <div className="text-xs font-semibold text-slate-500 uppercase mb-2">Top IPs</div>
+                <div className="text-xs text-slate-600">
+                  {stat.top_ips
+                    .slice(0, 3)
+                    .map(ip => `${ip.ip_address} (${ip.count})`)
+                    .join(', ')}
+                </div>
+              </div>
+            )}
+          </div>
+        )
+      })}
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/middleware/_components/StatusOverview.tsx b/admin-core/app/(admin)/infrastructure/middleware/_components/StatusOverview.tsx
new file mode 100644
index 0000000..0ae099a
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/middleware/_components/StatusOverview.tsx
@@ -0,0 +1,51 @@
+interface StatusOverviewProps {
+  configCount: number
+  whitelistCount: number
+  blacklistCount: number
+  eventCount: number
+  loading: boolean
+  onRefresh: () => void
+}
+
+export function StatusOverview({
+  configCount,
+  whitelistCount,
+  blacklistCount,
+  eventCount,
+  loading,
+  onRefresh,
+}: StatusOverviewProps) {
+  return (
+    <div className="bg-white rounded-xl border border-slate-200 p-6 mb-6">
+      <div className="flex justify-between items-center mb-6">
+        <h2 className="text-xl font-semibold text-slate-900">Middleware Status</h2>
+        <button
+          onClick={onRefresh}
+          disabled={loading}
+          className="px-4 py-2 text-sm bg-orange-600 text-white rounded-lg hover:bg-orange-700 disabled:opacity-50 transition-colors"
+        >
+          {loading ? 'Laden...' : 'Aktualisieren'}
+        </button>
+      </div>
+
+      <div className="grid grid-cols-2 md:grid-cols-4 gap-4">
+        <div className="bg-slate-50 rounded-lg p-4 border border-slate-200">
+          <div className="text-2xl font-bold text-slate-900">{configCount}</div>
+          <div className="text-sm text-slate-600">Middleware</div>
+        </div>
+        <div className="bg-green-50 rounded-lg p-4 border border-green-200">
+          <div className="text-2xl font-bold text-green-600">{whitelistCount}</div>
+          <div className="text-sm text-slate-600">Whitelist IPs</div>
+        </div>
+        <div className="bg-red-50 rounded-lg p-4 border border-red-200">
+          <div className="text-2xl font-bold text-red-600">{blacklistCount}</div>
+          <div className="text-sm text-slate-600">Blacklist IPs</div>
+        </div>
+        <div className="bg-blue-50 rounded-lg p-4 border border-blue-200">
+          <div className="text-2xl font-bold text-blue-600">{eventCount}</div>
+          <div className="text-sm text-slate-600">Recent Events</div>
+        </div>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/middleware/_components/helpers.ts b/admin-core/app/(admin)/infrastructure/middleware/_components/helpers.ts
new file mode 100644
index 0000000..3b15444
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/middleware/_components/helpers.ts
@@ -0,0 +1,24 @@
+export function getMiddlewareDescription(name: string): { icon: string; desc: string } {
+  const descriptions: Record<string, { icon: string; desc: string }> = {
+    request_id: { icon: '🆔', desc: 'Generiert eindeutige Request-IDs fuer Tracing' },
+    security_headers: { icon: '🛡️', desc: 'Fuegt Security-Header hinzu (CSP, HSTS, etc.)' },
+    cors: { icon: '🌐', desc: 'Cross-Origin Resource Sharing Konfiguration' },
+    rate_limiter: { icon: '⏱️', desc: 'Rate Limiting zum Schutz vor Missbrauch' },
+    pii_redactor: { icon: '🔒', desc: 'Redaktiert personenbezogene Daten in Logs' },
+    input_gate: { icon: '🚪', desc: 'Validiert und sanitisiert Eingaben' },
+  }
+  return descriptions[name] || { icon: '⚙️', desc: 'Middleware-Komponente' }
+}
+
+export function getEventTypeColor(eventType: string) {
+  if (eventType.includes('error') || eventType.includes('blocked') || eventType.includes('blacklist')) {
+    return 'bg-red-100 text-red-800'
+  }
+  if (eventType.includes('warning') || eventType.includes('rate_limit')) {
+    return 'bg-yellow-100 text-yellow-800'
+  }
+  if (eventType.includes('success') || eventType.includes('whitelist')) {
+    return 'bg-green-100 text-green-800'
+  }
+  return 'bg-slate-100 text-slate-800'
+}
diff --git a/admin-core/app/(admin)/infrastructure/middleware/page.tsx b/admin-core/app/(admin)/infrastructure/middleware/page.tsx
index 7757a6f..6c381fd 100644
--- a/admin-core/app/(admin)/infrastructure/middleware/page.tsx
+++ b/admin-core/app/(admin)/infrastructure/middleware/page.tsx
@@ -9,44 +9,13 @@
 
 import { useEffect, useState, useCallback } from 'react'
 import { PagePurpose } from '@/components/common/PagePurpose'
-
-interface MiddlewareConfig {
-  id: string
-  middleware_name: string
-  enabled: boolean
-  config: Record<string, unknown>
-  updated_at: string | null
-}
-
-interface RateLimitIP {
-  id: string
-  ip_address: string
-  list_type: 'whitelist' | 'blacklist'
-  reason: string | null
-  expires_at: string | null
-  created_at: string
-}
-
-interface MiddlewareEvent {
-  id: string
-  middleware_name: string
-  event_type: string
-  ip_address: string | null
-  user_id: string | null
-  request_path: string | null
-  request_method: string | null
-  details: Record<string, unknown> | null
-  created_at: string
-}
-
-interface MiddlewareStats {
-  middleware_name: string
-  total_events: number
-  events_last_hour: number
-  events_last_24h: number
-  top_event_types: Array<{ event_type: string; count: number }>
-  top_ips: Array<{ ip_address: string; count: number }>
-}
+import type { MiddlewareConfig, RateLimitIP, MiddlewareEvent, MiddlewareStats } from './types'
+import { StatusOverview } from './_components/StatusOverview'
+import { OverviewTab } from './_components/OverviewTab'
+import { ConfigTab } from './_components/ConfigTab'
+import { IpListTab } from './_components/IpListTab'
+import { EventsTab } from './_components/EventsTab'
+import { StatsTab } from './_components/StatsTab'
 
 export default function MiddlewareAdminPage() {
   const [configs, setConfigs] = useState<MiddlewareConfig[]>([])
@@ -184,31 +153,6 @@ export default function MiddlewareAdminPage() {
     }
   }
 
-  const getMiddlewareDescription = (name: string): { icon: string; desc: string } => {
-    const descriptions: Record<string, { icon: string; desc: string }> = {
-      request_id: { icon: '🆔', desc: 'Generiert eindeutige Request-IDs fuer Tracing' },
-      security_headers: { icon: '🛡️', desc: 'Fuegt Security-Header hinzu (CSP, HSTS, etc.)' },
-      cors: { icon: '🌐', desc: 'Cross-Origin Resource Sharing Konfiguration' },
-      rate_limiter: { icon: '⏱️', desc: 'Rate Limiting zum Schutz vor Missbrauch' },
-      pii_redactor: { icon: '🔒', desc: 'Redaktiert personenbezogene Daten in Logs' },
-      input_gate: { icon: '🚪', desc: 'Validiert und sanitisiert Eingaben' },
-    }
-    return descriptions[name] || { icon: '⚙️', desc: 'Middleware-Komponente' }
-  }
-
-  const getEventTypeColor = (eventType: string) => {
-    if (eventType.includes('error') || eventType.includes('blocked') || eventType.includes('blacklist')) {
-      return 'bg-red-100 text-red-800'
-    }
-    if (eventType.includes('warning') || eventType.includes('rate_limit')) {
-      return 'bg-yellow-100 text-yellow-800'
-    }
-    if (eventType.includes('success') || eventType.includes('whitelist')) {
-      return 'bg-green-100 text-green-800'
-    }
-    return 'bg-slate-100 text-slate-800'
-  }
-
   const whitelistCount = ipList.filter(ip => ip.list_type === 'whitelist').length
   const blacklistCount = ipList.filter(ip => ip.list_type === 'blacklist').length
 
@@ -232,38 +176,14 @@ export default function MiddlewareAdminPage() {
         defaultCollapsed={true}
       />
 
-      {/* Stats Overview */}
-      <div className="bg-white rounded-xl border border-slate-200 p-6 mb-6">
-        <div className="flex justify-between items-center mb-6">
-          <h2 className="text-xl font-semibold text-slate-900">Middleware Status</h2>
-          <button
-            onClick={fetchData}
-            disabled={loading}
-            className="px-4 py-2 text-sm bg-orange-600 text-white rounded-lg hover:bg-orange-700 disabled:opacity-50 transition-colors"
-          >
-            {loading ? 'Laden...' : 'Aktualisieren'}
-          </button>
-        </div>
-
-        <div className="grid grid-cols-2 md:grid-cols-4 gap-4">
-          <div className="bg-slate-50 rounded-lg p-4 border border-slate-200">
-            <div className="text-2xl font-bold text-slate-900">{configs.length}</div>
-            <div className="text-sm text-slate-600">Middleware</div>
-          </div>
-          <div className="bg-green-50 rounded-lg p-4 border border-green-200">
-            <div className="text-2xl font-bold text-green-600">{whitelistCount}</div>
-            <div className="text-sm text-slate-600">Whitelist IPs</div>
-          </div>
-          <div className="bg-red-50 rounded-lg p-4 border border-red-200">
-            <div className="text-2xl font-bold text-red-600">{blacklistCount}</div>
-            <div className="text-sm text-slate-600">Blacklist IPs</div>
-          </div>
-          <div className="bg-blue-50 rounded-lg p-4 border border-blue-200">
-            <div className="text-2xl font-bold text-blue-600">{events.length}</div>
-            <div className="text-sm text-slate-600">Recent Events</div>
-          </div>
-        </div>
-      </div>
+      <StatusOverview
+        configCount={configs.length}
+        whitelistCount={whitelistCount}
+        blacklistCount={blacklistCount}
+        eventCount={events.length}
+        loading={loading}
+        onRefresh={fetchData}
+      />
 
       {/* Tabs */}
       <div className="bg-white rounded-xl border border-slate-200 overflow-hidden mb-6">
@@ -298,332 +218,28 @@ export default function MiddlewareAdminPage() {
             </div>
           ) : (
             <>
-              {/* Overview Tab */}
               {activeTab === 'overview' && (
-                <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
-                  {configs.map(config => {
-                    const info = getMiddlewareDescription(config.middleware_name)
-                    return (
-                      <div
-                        key={config.id}
-                        className={`rounded-lg p-4 border ${
-                          config.enabled
-                            ? 'bg-green-50 border-green-200'
-                            : 'bg-slate-50 border-slate-200'
-                        }`}
-                      >
-                        <div className="flex justify-between items-start mb-2">
-                          <div className="flex items-center gap-2">
-                            <span className="text-xl">{info.icon}</span>
-                            <span className="font-semibold text-slate-900 capitalize">
-                              {config.middleware_name.replace('_', ' ')}
-                            </span>
-                          </div>
-                          <button
-                            onClick={() => toggleMiddleware(config.middleware_name, !config.enabled)}
-                            disabled={actionLoading === config.middleware_name}
-                            className={`px-3 py-1 rounded-full text-xs font-semibold transition-colors ${
-                              config.enabled
-                                ? 'bg-green-200 text-green-800 hover:bg-green-300'
-                                : 'bg-slate-200 text-slate-600 hover:bg-slate-300'
-                            }`}
-                          >
-                            {actionLoading === config.middleware_name
-                              ? '...'
-                              : config.enabled
-                              ? 'Aktiv'
-                              : 'Inaktiv'}
-                          </button>
-                        </div>
-                        <p className="text-sm text-slate-600">{info.desc}</p>
-                        {config.updated_at && (
-                          <div className="mt-2 text-xs text-slate-400">
-                            Aktualisiert: {new Date(config.updated_at).toLocaleString('de-DE')}
-                          </div>
-                        )}
-                      </div>
-                    )
-                  })}
-                </div>
+                <OverviewTab configs={configs} actionLoading={actionLoading} onToggle={toggleMiddleware} />
               )}
-
-              {/* Config Tab */}
               {activeTab === 'config' && (
-                <div className="space-y-4">
-                  {configs.map(config => {
-                    const info = getMiddlewareDescription(config.middleware_name)
-                    return (
-                      <div key={config.id} className="bg-slate-50 rounded-lg p-4 border border-slate-200">
-                        <div className="flex justify-between items-start mb-4">
-                          <div>
-                            <h3 className="font-semibold text-slate-900 flex items-center gap-2">
-                              <span>{info.icon}</span>
-                              <span className="capitalize">{config.middleware_name.replace('_', ' ')}</span>
-                            </h3>
-                            <p className="text-sm text-slate-600">{info.desc}</p>
-                          </div>
-                          <div className="flex items-center gap-3">
-                            <span
-                              className={`px-3 py-1 rounded-full text-xs font-semibold ${
-                                config.enabled ? 'bg-green-100 text-green-800' : 'bg-red-100 text-red-800'
-                              }`}
-                            >
-                              {config.enabled ? 'Aktiviert' : 'Deaktiviert'}
-                            </span>
-                            <button
-                              onClick={() => toggleMiddleware(config.middleware_name, !config.enabled)}
-                              disabled={actionLoading === config.middleware_name}
-                              className="px-4 py-1.5 text-sm border border-slate-300 rounded-lg hover:bg-slate-100 disabled:opacity-50 transition-colors"
-                            >
-                              {actionLoading === config.middleware_name
-                                ? '...'
-                                : config.enabled
-                                ? 'Deaktivieren'
-                                : 'Aktivieren'}
-                            </button>
-                          </div>
-                        </div>
-                        {Object.keys(config.config).length > 0 && (
-                          <div className="mt-3 pt-3 border-t border-slate-200">
-                            <div className="text-xs font-semibold text-slate-500 uppercase mb-2">
-                              Konfiguration
-                            </div>
-                            <pre className="text-xs bg-white p-3 rounded border border-slate-200 overflow-x-auto">
-                              {JSON.stringify(config.config, null, 2)}
-                            </pre>
-                          </div>
-                        )}
-                      </div>
-                    )
-                  })}
-                </div>
+                <ConfigTab configs={configs} actionLoading={actionLoading} onToggle={toggleMiddleware} />
               )}
-
-              {/* IP List Tab */}
               {activeTab === 'ip-list' && (
-                <div>
-                  {/* Add IP Form */}
-                  <form onSubmit={addIP} className="mb-6 p-4 bg-slate-50 rounded-lg border border-slate-200">
-                    <h3 className="font-semibold text-slate-900 mb-4">IP hinzufuegen</h3>
-                    <div className="flex flex-wrap gap-3">
-                      <input
-                        type="text"
-                        value={newIP}
-                        onChange={e => setNewIP(e.target.value)}
-                        placeholder="IP-Adresse (z.B. 192.168.1.1)"
-                        className="flex-1 min-w-[200px] px-4 py-2 border border-slate-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-orange-500"
-                      />
-                      <select
-                        value={newIPType}
-                        onChange={e => setNewIPType(e.target.value as 'whitelist' | 'blacklist')}
-                        className="px-4 py-2 border border-slate-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-orange-500"
-                      >
-                        <option value="whitelist">Whitelist</option>
-                        <option value="blacklist">Blacklist</option>
-                      </select>
-                      <input
-                        type="text"
-                        value={newIPReason}
-                        onChange={e => setNewIPReason(e.target.value)}
-                        placeholder="Grund (optional)"
-                        className="flex-1 min-w-[150px] px-4 py-2 border border-slate-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-orange-500"
-                      />
-                      <button
-                        type="submit"
-                        disabled={!newIP.trim() || actionLoading === 'add-ip'}
-                        className="px-6 py-2 bg-orange-600 text-white rounded-lg font-medium hover:bg-orange-700 disabled:opacity-50 transition-colors"
-                      >
-                        {actionLoading === 'add-ip' ? 'Hinzufuegen...' : 'Hinzufuegen'}
-                      </button>
-                    </div>
-                  </form>
-
-                  {/* IP List Table */}
-                  <div className="overflow-x-auto">
-                    <table className="w-full">
-                      <thead>
-                        <tr className="border-b border-slate-200">
-                          <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
-                            IP-Adresse
-                          </th>
-                          <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
-                            Typ
-                          </th>
-                          <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
-                            Grund
-                          </th>
-                          <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
-                            Hinzugefuegt
-                          </th>
-                          <th className="text-right py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
-                            Aktion
-                          </th>
-                        </tr>
-                      </thead>
-                      <tbody>
-                        {ipList.length === 0 ? (
-                          <tr>
-                            <td colSpan={5} className="text-center py-8 text-slate-500">
-                              Keine IP-Eintraege vorhanden.
-                            </td>
-                          </tr>
-                        ) : (
-                          ipList.map(ip => (
-                            <tr key={ip.id} className="border-b border-slate-100 hover:bg-slate-50">
-                              <td className="py-3 px-4 font-mono text-sm">{ip.ip_address}</td>
-                              <td className="py-3 px-4">
-                                <span
-                                  className={`px-2 py-1 rounded text-xs font-semibold ${
-                                    ip.list_type === 'whitelist'
-                                      ? 'bg-green-100 text-green-800'
-                                      : 'bg-red-100 text-red-800'
-                                  }`}
-                                >
-                                  {ip.list_type === 'whitelist' ? 'Whitelist' : 'Blacklist'}
-                                </span>
-                              </td>
-                              <td className="py-3 px-4 text-sm text-slate-600">{ip.reason || '-'}</td>
-                              <td className="py-3 px-4 text-sm text-slate-500">
-                                {new Date(ip.created_at).toLocaleString('de-DE')}
-                              </td>
-                              <td className="py-3 px-4 text-right">
-                                <button
-                                  onClick={() => removeIP(ip.id)}
-                                  disabled={actionLoading === `remove-${ip.id}`}
-                                  className="px-3 py-1 text-sm text-red-600 hover:bg-red-50 rounded transition-colors disabled:opacity-50"
-                                >
-                                  {actionLoading === `remove-${ip.id}` ? '...' : 'Entfernen'}
-                                </button>
-                              </td>
-                            </tr>
-                          ))
-                        )}
-                      </tbody>
-                    </table>
-                  </div>
-                </div>
-              )}
-
-              {/* Events Tab */}
-              {activeTab === 'events' && (
-                <div className="overflow-x-auto">
-                  <table className="w-full">
-                    <thead>
-                      <tr className="border-b border-slate-200">
-                        <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
-                          Zeit
-                        </th>
-                        <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
-                          Middleware
-                        </th>
-                        <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
-                          Event
-                        </th>
-                        <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
-                          IP
-                        </th>
-                        <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">
-                          Pfad
-                        </th>
-                      </tr>
-                    </thead>
-                    <tbody>
-                      {events.length === 0 ? (
-                        <tr>
-                          <td colSpan={5} className="text-center py-8 text-slate-500">
-                            Keine Events vorhanden.
-                          </td>
-                        </tr>
-                      ) : (
-                        events.map(event => (
-                          <tr key={event.id} className="border-b border-slate-100 hover:bg-slate-50">
-                            <td className="py-3 px-4 text-sm text-slate-500">
-                              {new Date(event.created_at).toLocaleString('de-DE')}
-                            </td>
-                            <td className="py-3 px-4 text-sm capitalize">
-                              {event.middleware_name.replace('_', ' ')}
-                            </td>
-                            <td className="py-3 px-4">
-                              <span
-                                className={`px-2 py-1 rounded text-xs font-semibold ${getEventTypeColor(event.event_type)}`}
-                              >
-                                {event.event_type}
-                              </span>
-                            </td>
-                            <td className="py-3 px-4 text-sm font-mono text-slate-600">
-                              {event.ip_address || '-'}
-                            </td>
-                            <td className="py-3 px-4 text-sm text-slate-600 max-w-xs truncate">
-                              {event.request_method && event.request_path
-                                ? `${event.request_method} ${event.request_path}`
-                                : '-'}
-                            </td>
-                          </tr>
-                        ))
-                      )}
-                    </tbody>
-                  </table>
-                </div>
-              )}
-
-              {/* Stats Tab */}
-              {activeTab === 'stats' && (
-                <div className="grid grid-cols-1 md:grid-cols-2 gap-6">
-                  {stats.map(stat => {
-                    const info = getMiddlewareDescription(stat.middleware_name)
-                    return (
-                      <div key={stat.middleware_name} className="bg-slate-50 rounded-lg p-4 border border-slate-200">
-                        <h3 className="font-semibold text-slate-900 flex items-center gap-2 mb-4">
-                          <span>{info.icon}</span>
-                          <span className="capitalize">{stat.middleware_name.replace('_', ' ')}</span>
-                        </h3>
-                        <div className="grid grid-cols-3 gap-4 mb-4">
-                          <div>
-                            <div className="text-2xl font-bold text-slate-900">{stat.total_events}</div>
-                            <div className="text-xs text-slate-500">Gesamt</div>
-                          </div>
-                          <div>
-                            <div className="text-2xl font-bold text-blue-600">{stat.events_last_hour}</div>
-                            <div className="text-xs text-slate-500">Letzte Stunde</div>
-                          </div>
-                          <div>
-                            <div className="text-2xl font-bold text-orange-600">{stat.events_last_24h}</div>
-                            <div className="text-xs text-slate-500">24 Stunden</div>
-                          </div>
-                        </div>
-                        {stat.top_event_types.length > 0 && (
-                          <div className="mb-3">
-                            <div className="text-xs font-semibold text-slate-500 uppercase mb-2">
-                              Top Event-Typen
-                            </div>
-                            <div className="flex flex-wrap gap-2">
-                              {stat.top_event_types.slice(0, 3).map(et => (
-                                <span
-                                  key={et.event_type}
-                                  className={`px-2 py-1 rounded text-xs ${getEventTypeColor(et.event_type)}`}
-                                >
-                                  {et.event_type} ({et.count})
-                                </span>
-                              ))}
-                            </div>
-                          </div>
-                        )}
-                        {stat.top_ips.length > 0 && (
-                          <div>
-                            <div className="text-xs font-semibold text-slate-500 uppercase mb-2">Top IPs</div>
-                            <div className="text-xs text-slate-600">
-                              {stat.top_ips
-                                .slice(0, 3)
-                                .map(ip => `${ip.ip_address} (${ip.count})`)
-                                .join(', ')}
-                            </div>
-                          </div>
-                        )}
-                      </div>
-                    )
-                  })}
-                </div>
+                <IpListTab
+                  ipList={ipList}
+                  actionLoading={actionLoading}
+                  newIP={newIP}
+                  newIPType={newIPType}
+                  newIPReason={newIPReason}
+                  onNewIPChange={setNewIP}
+                  onNewIPTypeChange={setNewIPType}
+                  onNewIPReasonChange={setNewIPReason}
+                  onAddIP={addIP}
+                  onRemoveIP={removeIP}
+                />
               )}
+              {activeTab === 'events' && <EventsTab events={events} />}
+              {activeTab === 'stats' && <StatsTab stats={stats} />}
             </>
           )}
         </div>
diff --git a/admin-core/app/(admin)/infrastructure/middleware/types.ts b/admin-core/app/(admin)/infrastructure/middleware/types.ts
new file mode 100644
index 0000000..b19742c
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/middleware/types.ts
@@ -0,0 +1,37 @@
+export interface MiddlewareConfig {
+  id: string
+  middleware_name: string
+  enabled: boolean
+  config: Record<string, unknown>
+  updated_at: string | null
+}
+
+export interface RateLimitIP {
+  id: string
+  ip_address: string
+  list_type: 'whitelist' | 'blacklist'
+  reason: string | null
+  expires_at: string | null
+  created_at: string
+}
+
+export interface MiddlewareEvent {
+  id: string
+  middleware_name: string
+  event_type: string
+  ip_address: string | null
+  user_id: string | null
+  request_path: string | null
+  request_method: string | null
+  details: Record<string, unknown> | null
+  created_at: string
+}
+
+export interface MiddlewareStats {
+  middleware_name: string
+  total_events: number
+  events_last_hour: number
+  events_last_24h: number
+  top_event_types: Array<{ event_type: string; count: number }>
+  top_ips: Array<{ ip_address: string; count: number }>
+}
diff --git a/admin-core/app/(admin)/infrastructure/sbom/_components/sbom-data-libs.ts b/admin-core/app/(admin)/infrastructure/sbom/_components/sbom-data-libs.ts
new file mode 100644
index 0000000..c4ed00f
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/sbom/_components/sbom-data-libs.ts
@@ -0,0 +1,46 @@
+import type { Component } from '../types'
+
+export const GO_MODULES: Component[] = [
+  { type: 'library', name: 'gin-gonic/gin', version: '1.9+', category: 'go', description: 'Web Framework', license: 'MIT', sourceUrl: 'https://github.com/gin-gonic/gin' },
+  { type: 'library', name: 'gorm.io/gorm', version: '1.25+', category: 'go', description: 'ORM', license: 'MIT', sourceUrl: 'https://github.com/go-gorm/gorm' },
+  { type: 'library', name: 'golang-jwt/jwt', version: 'v5', category: 'go', description: 'JWT Library', license: 'MIT', sourceUrl: 'https://github.com/golang-jwt/jwt' },
+  { type: 'library', name: 'stripe/stripe-go', version: 'v76', category: 'go', description: 'Stripe SDK', license: 'MIT', sourceUrl: 'https://github.com/stripe/stripe-go' },
+  { type: 'library', name: 'spf13/viper', version: 'latest', category: 'go', description: 'Configuration', license: 'MIT', sourceUrl: 'https://github.com/spf13/viper' },
+  { type: 'library', name: 'uber-go/zap', version: 'latest', category: 'go', description: 'Structured Logging', license: 'MIT', sourceUrl: 'https://github.com/uber-go/zap' },
+  { type: 'library', name: 'swaggo/swag', version: 'latest', category: 'go', description: 'Swagger Docs', license: 'MIT', sourceUrl: 'https://github.com/swaggo/swag' },
+]
+
+export const NODE_PACKAGES: Component[] = [
+  { type: 'library', name: 'Next.js', version: '15.1', category: 'nodejs', description: 'React Framework', license: 'MIT', sourceUrl: 'https://github.com/vercel/next.js' },
+  { type: 'library', name: 'React', version: '19', category: 'nodejs', description: 'UI Library', license: 'MIT', sourceUrl: 'https://github.com/facebook/react' },
+  { type: 'library', name: 'Vue.js', version: '3.4', category: 'nodejs', description: 'UI Framework (Creator Studio)', license: 'MIT', sourceUrl: 'https://github.com/vuejs/core' },
+  { type: 'library', name: 'Angular', version: '17', category: 'nodejs', description: 'UI Framework (Policy Vault)', license: 'MIT', sourceUrl: 'https://github.com/angular/angular' },
+  { type: 'library', name: 'NestJS', version: '10', category: 'nodejs', description: 'Node.js Framework', license: 'MIT', sourceUrl: 'https://github.com/nestjs/nest' },
+  { type: 'library', name: 'TypeScript', version: '5.x', category: 'nodejs', description: 'Type System', license: 'Apache-2.0', sourceUrl: 'https://github.com/microsoft/TypeScript' },
+  { type: 'library', name: 'Tailwind CSS', version: '3.4', category: 'nodejs', description: 'Utility CSS', license: 'MIT', sourceUrl: 'https://github.com/tailwindlabs/tailwindcss' },
+  { type: 'library', name: 'Prisma', version: '5.x', category: 'nodejs', description: 'ORM (Policy Vault)', license: 'Apache-2.0', sourceUrl: 'https://github.com/prisma/prisma' },
+  { type: 'library', name: 'Material Design Icons', version: 'latest', category: 'nodejs', description: 'Icon-System (Companion UI, Studio)', license: 'Apache-2.0', sourceUrl: 'https://github.com/google/material-design-icons' },
+  { type: 'library', name: 'Recharts', version: '2.12', category: 'nodejs', description: 'React Charts (Compliance Dashboard)', license: 'MIT', sourceUrl: 'https://github.com/recharts/recharts' },
+  { type: 'library', name: 'React Flow', version: '11.x', category: 'nodejs', description: 'Node-basierte Flow-Diagramme (Screen Flow)', license: 'MIT', sourceUrl: 'https://github.com/xyflow/xyflow' },
+  { type: 'library', name: 'Playwright', version: '1.50', category: 'nodejs', description: 'E2E Testing Framework (SDK Tests)', license: 'Apache-2.0', sourceUrl: 'https://github.com/microsoft/playwright' },
+  { type: 'library', name: 'Vitest', version: '4.x', category: 'nodejs', description: 'Unit Testing Framework', license: 'MIT', sourceUrl: 'https://github.com/vitest-dev/vitest' },
+  { type: 'library', name: 'jsPDF', version: '4.x', category: 'nodejs', description: 'PDF Generation (SDK Export)', license: 'MIT', sourceUrl: 'https://github.com/parallax/jsPDF' },
+  { type: 'library', name: 'JSZip', version: '3.x', category: 'nodejs', description: 'ZIP File Creation (SDK Export)', license: 'MIT/GPL-3.0', sourceUrl: 'https://github.com/Stuk/jszip' },
+  { type: 'library', name: 'Lucide React', version: '0.468', category: 'nodejs', description: 'Icon Library', license: 'ISC', sourceUrl: 'https://github.com/lucide-icons/lucide' },
+]
+
+export const UNITY_PACKAGES: Component[] = [
+  { type: 'library', name: 'Unity Engine', version: '6000.0 (Unity 6)', category: 'unity', description: 'Game Engine', license: 'Unity EULA', sourceUrl: 'https://unity.com' },
+  { type: 'library', name: 'Universal Render Pipeline (URP)', version: '17.x', category: 'unity', description: 'Render Pipeline', license: 'Unity Companion', sourceUrl: 'https://docs.unity3d.com/Packages/com.unity.render-pipelines.universal@17.0' },
+  { type: 'library', name: 'TextMeshPro', version: '3.2', category: 'unity', description: 'Advanced Text Rendering', license: 'Unity Companion', sourceUrl: 'https://docs.unity3d.com/Packages/com.unity.textmeshpro@3.2' },
+  { type: 'library', name: 'Unity Mathematics', version: '1.3', category: 'unity', description: 'Math Library (SIMD)', license: 'Unity Companion', sourceUrl: 'https://docs.unity3d.com/Packages/com.unity.mathematics@1.3' },
+  { type: 'library', name: 'Newtonsoft.Json (Unity)', version: '3.2', category: 'unity', description: 'JSON Serialization', license: 'MIT', sourceUrl: 'https://docs.unity3d.com/Packages/com.unity.nuget.newtonsoft-json@3.2' },
+  { type: 'library', name: 'Unity UI', version: '2.0', category: 'unity', description: 'UI System', license: 'Unity Companion', sourceUrl: 'https://docs.unity3d.com/Packages/com.unity.ugui@2.0' },
+  { type: 'library', name: 'Unity Input System', version: '1.8', category: 'unity', description: 'New Input System', license: 'Unity Companion', sourceUrl: 'https://docs.unity3d.com/Packages/com.unity.inputsystem@1.8' },
+]
+
+export const CSHARP_PACKAGES: Component[] = [
+  { type: 'library', name: '.NET Standard', version: '2.1', category: 'csharp', description: 'Runtime', license: 'MIT', sourceUrl: 'https://github.com/dotnet/standard' },
+  { type: 'library', name: 'UnityWebRequest', version: 'built-in', category: 'csharp', description: 'HTTP Client', license: 'Unity Companion', sourceUrl: '-' },
+  { type: 'library', name: 'System.Text.Json', version: 'built-in', category: 'csharp', description: 'JSON Parsing', license: 'MIT', sourceUrl: 'https://github.com/dotnet/runtime' },
+]
diff --git a/admin-core/app/(admin)/infrastructure/sbom/_components/sbom-data-python.ts b/admin-core/app/(admin)/infrastructure/sbom/_components/sbom-data-python.ts
new file mode 100644
index 0000000..a6d9159
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/sbom/_components/sbom-data-python.ts
@@ -0,0 +1,52 @@
+import type { Component } from '../types'
+
+export const PYTHON_PACKAGES: Component[] = [
+  { type: 'library', name: 'FastAPI', version: '0.109+', category: 'python', description: 'Web Framework', license: 'MIT', sourceUrl: 'https://github.com/tiangolo/fastapi' },
+  { type: 'library', name: 'Uvicorn', version: '0.38+', category: 'python', description: 'ASGI Server', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/encode/uvicorn' },
+  { type: 'library', name: 'Starlette', version: '0.49+', category: 'python', description: 'ASGI Framework (FastAPI Basis)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/encode/starlette' },
+  { type: 'library', name: 'Pydantic', version: '2.x', category: 'python', description: 'Data Validation', license: 'MIT', sourceUrl: 'https://github.com/pydantic/pydantic' },
+  { type: 'library', name: 'SQLAlchemy', version: '2.x', category: 'python', description: 'ORM', license: 'MIT', sourceUrl: 'https://github.com/sqlalchemy/sqlalchemy' },
+  { type: 'library', name: 'Alembic', version: '1.14+', category: 'python', description: 'DB Migrations (Classroom, Feedback Tables)', license: 'MIT', sourceUrl: 'https://github.com/sqlalchemy/alembic' },
+  { type: 'library', name: 'psycopg2-binary', version: '2.9+', category: 'python', description: 'PostgreSQL Driver', license: 'LGPL-3.0', sourceUrl: 'https://github.com/psycopg/psycopg2' },
+  { type: 'library', name: 'httpx', version: 'latest', category: 'python', description: 'Async HTTP Client', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/encode/httpx' },
+  { type: 'library', name: 'PyJWT', version: 'latest', category: 'python', description: 'JWT Handling', license: 'MIT', sourceUrl: 'https://github.com/jpadilla/pyjwt' },
+  { type: 'library', name: 'hvac', version: 'latest', category: 'python', description: 'Vault Client', license: 'Apache-2.0', sourceUrl: 'https://github.com/hvac/hvac' },
+  { type: 'library', name: 'python-multipart', version: 'latest', category: 'python', description: 'File Uploads', license: 'Apache-2.0', sourceUrl: 'https://github.com/andrew-d/python-multipart' },
+  { type: 'library', name: 'aiofiles', version: 'latest', category: 'python', description: 'Async File I/O', license: 'Apache-2.0', sourceUrl: 'https://github.com/Tinche/aiofiles' },
+  { type: 'library', name: 'openai', version: 'latest', category: 'python', description: 'OpenAI SDK', license: 'MIT', sourceUrl: 'https://github.com/openai/openai-python' },
+  { type: 'library', name: 'anthropic', version: 'latest', category: 'python', description: 'Anthropic Claude SDK', license: 'MIT', sourceUrl: 'https://github.com/anthropics/anthropic-sdk-python' },
+  { type: 'library', name: 'langchain', version: 'latest', category: 'python', description: 'LLM Framework', license: 'MIT', sourceUrl: 'https://github.com/langchain-ai/langchain' },
+  { type: 'library', name: 'aioimaplib', version: 'latest', category: 'python', description: 'Async IMAP Client (Unified Inbox)', license: 'MIT', sourceUrl: 'https://github.com/bamthomas/aioimaplib' },
+  { type: 'library', name: 'aiosmtplib', version: 'latest', category: 'python', description: 'Async SMTP Client (Mail Sending)', license: 'MIT', sourceUrl: 'https://github.com/cole/aiosmtplib' },
+  { type: 'library', name: 'email-validator', version: 'latest', category: 'python', description: 'Email Validation', license: 'CC0-1.0', sourceUrl: 'https://github.com/JoshData/python-email-validator' },
+  { type: 'library', name: 'cryptography', version: 'latest', category: 'python', description: 'Encryption (Mail Credentials)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/pyca/cryptography' },
+  { type: 'library', name: 'asyncpg', version: 'latest', category: 'python', description: 'Async PostgreSQL Driver', license: 'Apache-2.0', sourceUrl: 'https://github.com/MagicStack/asyncpg' },
+  { type: 'library', name: 'python-dateutil', version: 'latest', category: 'python', description: 'Date Parsing (Deadline Extraction)', license: 'Apache-2.0', sourceUrl: 'https://github.com/dateutil/dateutil' },
+  { type: 'library', name: 'faster-whisper', version: '1.0+', category: 'python', description: 'CTranslate2 Whisper (GPU-optimiert)', license: 'MIT', sourceUrl: 'https://github.com/SYSTRAN/faster-whisper' },
+  { type: 'library', name: 'pyannote.audio', version: '3.x', category: 'python', description: 'Speaker Diarization', license: 'MIT', sourceUrl: 'https://github.com/pyannote/pyannote-audio' },
+  { type: 'library', name: 'rq', version: '1.x', category: 'python', description: 'Redis Queue (Task Processing)', license: 'BSD-2-Clause', sourceUrl: 'https://github.com/rq/rq' },
+  { type: 'library', name: 'ffmpeg-python', version: '0.2+', category: 'python', description: 'FFmpeg Python Bindings', license: 'Apache-2.0', sourceUrl: 'https://github.com/kkroening/ffmpeg-python' },
+  { type: 'library', name: 'webvtt-py', version: '0.4+', category: 'python', description: 'WebVTT Subtitle Export', license: 'MIT', sourceUrl: 'https://github.com/glut23/webvtt-py' },
+  { type: 'library', name: 'minio', version: '7.x', category: 'python', description: 'MinIO S3 Client', license: 'Apache-2.0', sourceUrl: 'https://github.com/minio/minio-py' },
+  { type: 'library', name: 'structlog', version: '24.x', category: 'python', description: 'Structured Logging', license: 'Apache-2.0', sourceUrl: 'https://github.com/hynek/structlog' },
+  { type: 'library', name: 'feedparser', version: '6.x', category: 'python', description: 'RSS/Atom Feed Parser (Alerts Agent)', license: 'BSD-2-Clause', sourceUrl: 'https://github.com/kurtmckee/feedparser' },
+  { type: 'library', name: 'APScheduler', version: '3.x', category: 'python', description: 'AsyncIO Job Scheduler (Alerts Agent)', license: 'MIT', sourceUrl: 'https://github.com/agronholm/apscheduler' },
+  { type: 'library', name: 'beautifulsoup4', version: '4.x', category: 'python', description: 'HTML Parser (Email Parsing, Compliance Scraper)', license: 'MIT', sourceUrl: 'https://code.launchpad.net/beautifulsoup' },
+  { type: 'library', name: 'lxml', version: '5.x', category: 'python', description: 'XML/HTML Parser (EUR-Lex Scraping)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/lxml/lxml' },
+  { type: 'library', name: 'PyMuPDF', version: '1.24+', category: 'python', description: 'PDF Parser (BSI-TR Extraction)', license: 'AGPL-3.0', sourceUrl: 'https://github.com/pymupdf/PyMuPDF' },
+  { type: 'library', name: 'pdfplumber', version: '0.11+', category: 'python', description: 'PDF Table Extraction (Compliance Docs)', license: 'MIT', sourceUrl: 'https://github.com/jsvine/pdfplumber' },
+  { type: 'library', name: 'websockets', version: '14.x', category: 'python', description: 'WebSocket Support (Voice Streaming)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/python-websockets/websockets' },
+  { type: 'library', name: 'soundfile', version: '0.13+', category: 'python', description: 'Audio File Processing (Voice Service)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/bastibe/python-soundfile' },
+  { type: 'library', name: 'scipy', version: '1.14+', category: 'python', description: 'Signal Processing (Audio)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/scipy/scipy' },
+  { type: 'library', name: 'redis', version: '5.x', category: 'python', description: 'Valkey/Redis Client (Voice Sessions)', license: 'MIT', sourceUrl: 'https://github.com/redis/redis-py' },
+  { type: 'library', name: 'pydantic-settings', version: '2.x', category: 'python', description: 'Settings Management (Voice Config)', license: 'MIT', sourceUrl: 'https://github.com/pydantic/pydantic-settings' },
+  { type: 'library', name: 'pyspellchecker', version: '0.8.1+', category: 'python', description: 'Regel-basierte OCR-Korrektur (klausur-service Schritt 6)', license: 'MIT', sourceUrl: 'https://github.com/barrust/pyspellchecker' },
+  { type: 'library', name: 'pytesseract', version: '0.3.10+', category: 'python', description: 'Tesseract OCR Engine Wrapper (klausur-service)', license: 'Apache-2.0', sourceUrl: 'https://github.com/madmaze/pytesseract' },
+  { type: 'library', name: 'opencv-python-headless', version: '4.8+', category: 'python', description: 'Bildverarbeitung, Projektionsprofile, Inpainting (klausur-service)', license: 'Apache-2.0', sourceUrl: 'https://github.com/opencv/opencv-python' },
+  { type: 'library', name: 'rapidocr-onnxruntime', version: 'latest', category: 'python', description: 'Schnelles OCR ARM64 via ONNX (klausur-service)', license: 'Apache-2.0', sourceUrl: 'https://github.com/RapidAI/RapidOCR' },
+  { type: 'library', name: 'onnxruntime', version: 'latest', category: 'python', description: 'ONNX-Inferenz fuer RapidOCR (klausur-service)', license: 'MIT', sourceUrl: 'https://github.com/microsoft/onnxruntime' },
+  { type: 'library', name: 'eng-to-ipa', version: 'latest', category: 'python', description: 'IPA-Lautschrift-Lookup (klausur-service Vokabel-Pipeline)', license: 'MIT', sourceUrl: 'https://github.com/mphilli/English-to-IPA' },
+  { type: 'library', name: 'sentence-transformers', version: '2.2+', category: 'python', description: 'Lokale Embeddings (klausur-service, rag-service)', license: 'Apache-2.0', sourceUrl: 'https://github.com/UKPLab/sentence-transformers' },
+  { type: 'library', name: 'torch', version: '2.0+', category: 'python', description: 'ML-Framework CPU/MPS (TrOCR, klausur-service)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/pytorch/pytorch' },
+  { type: 'library', name: 'transformers', version: '4.x', category: 'python', description: 'HuggingFace Transformers (TrOCR, Handschrift-HTR)', license: 'Apache-2.0', sourceUrl: 'https://github.com/huggingface/transformers' },
+]
diff --git a/admin-core/app/(admin)/infrastructure/sbom/_components/sbom-data.ts b/admin-core/app/(admin)/infrastructure/sbom/_components/sbom-data.ts
new file mode 100644
index 0000000..3227769
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/sbom/_components/sbom-data.ts
@@ -0,0 +1,76 @@
+/**
+ * Static SBOM component data
+ * Extracted from page.tsx to keep file sizes manageable
+ */
+
+import type { Component } from '../types'
+
+// Infrastructure components from docker-compose.yml and project analysis
+export const INFRASTRUCTURE_COMPONENTS: Component[] = [
+  { type: 'service', name: 'PostgreSQL', version: '16-alpine', category: 'database', port: '5432', description: 'Hauptdatenbank', license: 'PostgreSQL', sourceUrl: 'https://github.com/postgres/postgres' },
+  { type: 'service', name: 'Synapse PostgreSQL', version: '16-alpine', category: 'database', port: '-', description: 'Matrix Datenbank', license: 'PostgreSQL', sourceUrl: 'https://github.com/postgres/postgres' },
+  { type: 'service', name: 'ERPNext MariaDB', version: '10.6', category: 'database', port: '-', description: 'ERPNext Datenbank', license: 'GPL-2.0', sourceUrl: 'https://github.com/MariaDB/server' },
+  { type: 'service', name: 'MongoDB', version: '7.0', category: 'database', port: '27017', description: 'LibreChat Datenbank', license: 'SSPL-1.0', sourceUrl: 'https://github.com/mongodb/mongo' },
+  { type: 'service', name: 'Valkey', version: '8-alpine', category: 'cache', port: '6379', description: 'In-Memory Cache & Sessions (Redis OSS Fork)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/valkey-io/valkey' },
+  { type: 'service', name: 'ERPNext Valkey Queue', version: 'alpine', category: 'cache', port: '-', description: 'Job Queue', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/valkey-io/valkey' },
+  { type: 'service', name: 'ERPNext Valkey Cache', version: 'alpine', category: 'cache', port: '-', description: 'Cache Layer', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/valkey-io/valkey' },
+  { type: 'service', name: 'Qdrant', version: '1.7.4', category: 'search', port: '6333', description: 'Vector Database (RAG/Embeddings)', license: 'Apache-2.0', sourceUrl: 'https://github.com/qdrant/qdrant' },
+  { type: 'service', name: 'OpenSearch', version: '2.x', category: 'search', port: '9200', description: 'Volltext-Suche (Elasticsearch Fork)', license: 'Apache-2.0', sourceUrl: 'https://github.com/opensearch-project/OpenSearch' },
+  { type: 'service', name: 'Meilisearch', version: 'latest', category: 'search', port: '7700', description: 'Instant Search Engine', license: 'MIT', sourceUrl: 'https://github.com/meilisearch/meilisearch' },
+  { type: 'service', name: 'MinIO', version: 'latest', category: 'storage', port: '9000/9001', description: 'S3-kompatibel Object Storage', license: 'AGPL-3.0', sourceUrl: 'https://github.com/minio/minio' },
+  { type: 'service', name: 'IPFS (Kubo)', version: '0.24', category: 'storage', port: '5001', description: 'Dezentrales Speichersystem', license: 'MIT/Apache-2.0', sourceUrl: 'https://github.com/ipfs/kubo' },
+  { type: 'service', name: 'DSMS Gateway', version: '1.0', category: 'storage', port: '8082', description: 'IPFS REST API', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'HashiCorp Vault', version: '1.15', category: 'security', port: '8200', description: 'Secrets Management', license: 'BUSL-1.1', sourceUrl: 'https://github.com/hashicorp/vault' },
+  { type: 'service', name: 'Keycloak', version: '23.0', category: 'security', port: '8180', description: 'Identity Provider (SSO/OIDC)', license: 'Apache-2.0', sourceUrl: 'https://github.com/keycloak/keycloak' },
+  { type: 'service', name: 'NetBird', version: '0.64.5', category: 'security', port: '-', description: 'Zero-Trust Mesh VPN (WireGuard-basiert)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/netbirdio/netbird' },
+  { type: 'service', name: 'Matrix Synapse', version: 'latest', category: 'communication', port: '8008', description: 'E2EE Messenger Server', license: 'AGPL-3.0', sourceUrl: 'https://github.com/element-hq/synapse' },
+  { type: 'service', name: 'Jitsi Web', version: 'stable-9823', category: 'communication', port: '8443', description: 'Videokonferenz UI', license: 'Apache-2.0', sourceUrl: 'https://github.com/jitsi/jitsi-meet' },
+  { type: 'service', name: 'Jitsi Prosody (XMPP)', version: 'stable-9823', category: 'communication', port: '-', description: 'XMPP Server', license: 'MIT', sourceUrl: 'https://github.com/bjc/prosody' },
+  { type: 'service', name: 'Jitsi Jicofo', version: 'stable-9823', category: 'communication', port: '-', description: 'Conference Focus Component', license: 'Apache-2.0', sourceUrl: 'https://github.com/jitsi/jicofo' },
+  { type: 'service', name: 'Jitsi JVB', version: 'stable-9823', category: 'communication', port: '10000/udp', description: 'Videobridge (WebRTC SFU)', license: 'Apache-2.0', sourceUrl: 'https://github.com/jitsi/jitsi-videobridge' },
+  { type: 'service', name: 'Jibri', version: 'stable-9823', category: 'communication', port: '-', description: 'Recording & Streaming Service', license: 'Apache-2.0', sourceUrl: 'https://github.com/jitsi/jibri' },
+  { type: 'service', name: 'Python Backend (FastAPI)', version: '3.12', category: 'application', port: '8000', description: 'Haupt-Backend API, Studio & Alerts Agent', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'Klausur Service', version: '1.0', category: 'application', port: '8086', description: 'Abitur-Klausurkorrektur (BYOEH)', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'Compliance Module', version: '2.0', category: 'application', port: '8000', description: 'GRC Framework (19 Regulations, 558 Requirements, AI)', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'Transcription Worker', version: '1.0', category: 'application', port: '-', description: 'Whisper + pyannote Transkription', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'Go Consent Service', version: '1.21', category: 'application', port: '8081', description: 'DSGVO Consent Management', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'Go School Service', version: '1.21', category: 'application', port: '8084', description: 'Klausuren, Noten, Zeugnisse', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'Go Billing Service', version: '1.21', category: 'application', port: '8083', description: 'Stripe Billing Integration', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'Next.js Admin Frontend', version: '15.1', category: 'application', port: '3000', description: 'Admin Dashboard (React)', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'H5P Content Service', version: 'latest', category: 'application', port: '8085', description: 'Interaktive Inhalte', license: 'MIT', sourceUrl: 'https://github.com/h5p/h5p-server' },
+  { type: 'service', name: 'Policy Vault (NestJS)', version: '1.0', category: 'application', port: '3001', description: 'Richtlinien-Verwaltung API', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'Policy Vault (Angular)', version: '17', category: 'application', port: '4200', description: 'Richtlinien-Verwaltung UI', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'Creator Studio (Vue 3)', version: '3.4', category: 'application', port: '-', description: 'Content Creation UI', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'LibreChat', version: 'latest', category: 'ai', port: '3080', description: 'Multi-LLM Chat Interface', license: 'MIT', sourceUrl: 'https://github.com/danny-avila/LibreChat' },
+  { type: 'service', name: 'RAGFlow', version: 'latest', category: 'ai', port: '9380', description: 'RAG Pipeline Service', license: 'Apache-2.0', sourceUrl: 'https://github.com/infiniflow/ragflow' },
+  { type: 'service', name: 'ERPNext', version: 'v15', category: 'erp', port: '8090', description: 'Open Source ERP System', license: 'GPL-3.0', sourceUrl: 'https://github.com/frappe/erpnext' },
+  { type: 'service', name: 'Gitea', version: '1.21', category: 'cicd', port: '3003', description: 'Self-hosted Git Service with Actions CI/CD', license: 'MIT', sourceUrl: 'https://github.com/go-gitea/gitea' },
+  { type: 'service', name: 'Dokploy', version: '0.26.7', category: 'cicd', port: '3000', description: 'Self-hosted PaaS (Vercel/Heroku Alternative)', license: 'Apache-2.0', sourceUrl: 'https://github.com/Dokploy/dokploy' },
+  { type: 'service', name: 'Mailpit', version: 'latest', category: 'development', port: '8025/1025', description: 'E-Mail Testing (SMTP Catch-All)', license: 'MIT', sourceUrl: 'https://github.com/axllent/mailpit' },
+  { type: 'service', name: 'Breakpilot Drive (Unity WebGL)', version: '6000.0', category: 'game', port: '3001', description: 'Lernspiel fuer Schueler (Klasse 2-6)', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'BQAS Local Scheduler', version: '1.0', category: 'qa', port: '-', description: 'Lokale GitHub Actions Alternative (launchd)', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'BQAS LLM Judge', version: '1.0', category: 'qa', port: '-', description: 'Qwen2.5-32B basierte Test-Bewertung', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'BQAS RAG Judge', version: '1.0', category: 'qa', port: '-', description: 'RAG/Korrektur Evaluierung', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'BQAS Notifier', version: '1.0', category: 'qa', port: '-', description: 'Desktop/Slack/Email Benachrichtigungen', license: 'Proprietary', sourceUrl: '-' },
+  { type: 'service', name: 'BQAS Regression Tracker', version: '1.0', category: 'qa', port: '-', description: 'Score-Historie und Regression-Erkennung', license: 'Proprietary', sourceUrl: '-' },
+]
+
+export const SECURITY_TOOLS: Component[] = [
+  { type: 'tool', name: 'Trivy', version: 'latest', category: 'security-tool', description: 'Container Vulnerability Scanner', license: 'Apache-2.0', sourceUrl: 'https://github.com/aquasecurity/trivy' },
+  { type: 'tool', name: 'Grype', version: 'latest', category: 'security-tool', description: 'SBOM Vulnerability Scanner', license: 'Apache-2.0', sourceUrl: 'https://github.com/anchore/grype' },
+  { type: 'tool', name: 'Syft', version: 'latest', category: 'security-tool', description: 'SBOM Generator', license: 'Apache-2.0', sourceUrl: 'https://github.com/anchore/syft' },
+  { type: 'tool', name: 'Gitleaks', version: 'latest', category: 'security-tool', description: 'Secrets Detection in Git', license: 'MIT', sourceUrl: 'https://github.com/gitleaks/gitleaks' },
+  { type: 'tool', name: 'TruffleHog', version: '3.x', category: 'security-tool', description: 'Secrets Scanner (Regex/Entropy)', license: 'AGPL-3.0', sourceUrl: 'https://github.com/trufflesecurity/trufflehog' },
+  { type: 'tool', name: 'Semgrep', version: 'latest', category: 'security-tool', description: 'SAST - Static Analysis', license: 'LGPL-2.1', sourceUrl: 'https://github.com/semgrep/semgrep' },
+  { type: 'tool', name: 'Bandit', version: 'latest', category: 'security-tool', description: 'Python Security Linter', license: 'Apache-2.0', sourceUrl: 'https://github.com/PyCQA/bandit' },
+  { type: 'tool', name: 'Gosec', version: 'latest', category: 'security-tool', description: 'Go Security Scanner', license: 'Apache-2.0', sourceUrl: 'https://github.com/securego/gosec' },
+  { type: 'tool', name: 'govulncheck', version: 'latest', category: 'security-tool', description: 'Go Vulnerability Check', license: 'BSD-3-Clause', sourceUrl: 'https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck' },
+  { type: 'tool', name: 'golangci-lint', version: 'latest', category: 'security-tool', description: 'Go Linter (Security Rules)', license: 'GPL-3.0', sourceUrl: 'https://github.com/golangci/golangci-lint' },
+  { type: 'tool', name: 'npm audit', version: 'built-in', category: 'security-tool', description: 'Node.js Vulnerability Check', license: 'Artistic-2.0', sourceUrl: 'https://docs.npmjs.com/cli/commands/npm-audit' },
+  { type: 'tool', name: 'pip-audit', version: 'latest', category: 'security-tool', description: 'Python Dependency Audit', license: 'Apache-2.0', sourceUrl: 'https://github.com/pypa/pip-audit' },
+  { type: 'tool', name: 'safety', version: 'latest', category: 'security-tool', description: 'Python Safety Check', license: 'MIT', sourceUrl: 'https://github.com/pyupio/safety' },
+  { type: 'tool', name: 'CodeQL', version: 'latest', category: 'security-tool', description: 'GitHub Security Analysis', license: 'MIT', sourceUrl: 'https://github.com/github/codeql' },
+]
+
+export { PYTHON_PACKAGES } from './sbom-data-python'
+export { GO_MODULES, NODE_PACKAGES, UNITY_PACKAGES, CSHARP_PACKAGES } from './sbom-data-libs'
diff --git a/admin-core/app/(admin)/infrastructure/sbom/page.tsx b/admin-core/app/(admin)/infrastructure/sbom/page.tsx
index a35dc10..e43f188 100644
--- a/admin-core/app/(admin)/infrastructure/sbom/page.tsx
+++ b/admin-core/app/(admin)/infrastructure/sbom/page.tsx
@@ -3,249 +3,51 @@
 /**
  * SBOM (Software Bill of Materials) Admin Page
  *
- * Migriert von /admin/sbom (website) nach /infrastructure/sbom (admin-v2)
- *
- * Displays:
- * - All infrastructure components (Docker services)
- * - Python/Go dependencies
- * - Node.js packages
- * - License information
- * - Version tracking
+ * Displays all infrastructure components, dependencies, and license information.
  */
 
 import { useState, useEffect } from 'react'
 import Link from 'next/link'
 import { PagePurpose } from '@/components/common/PagePurpose'
 import { DevOpsPipelineSidebarResponsive } from '@/components/infrastructure/DevOpsPipelineSidebar'
+import type { Component, SBOMData, CategoryType, InfoTabType } from './types'
+import {
+  INFRASTRUCTURE_COMPONENTS, SECURITY_TOOLS,
+  PYTHON_PACKAGES, GO_MODULES, NODE_PACKAGES, UNITY_PACKAGES, CSHARP_PACKAGES,
+} from './_components/sbom-data'
 
-interface Component {
-  type: string
-  name: string
-  version: string
-  purl?: string
-  licenses?: { license: { id: string } }[]
-  category?: string
-  port?: string
-  description?: string
-  license?: string
-  sourceUrl?: string
-}
+// =============================================================================
+// Helpers
+// =============================================================================
 
-interface SBOMData {
-  bomFormat?: string
-  specVersion?: string
-  version?: number
-  metadata?: {
-    timestamp?: string
-    tools?: { vendor: string; name: string; version: string }[]
-    component?: { type: string; name: string; version: string }
+const getCategoryColor = (category?: string) => {
+  const map: Record<string, string> = {
+    database: 'bg-blue-100 text-blue-800', security: 'bg-purple-100 text-purple-800',
+    'security-tool': 'bg-red-100 text-red-800', application: 'bg-green-100 text-green-800',
+    communication: 'bg-yellow-100 text-yellow-800', storage: 'bg-orange-100 text-orange-800',
+    search: 'bg-pink-100 text-pink-800', erp: 'bg-indigo-100 text-indigo-800',
+    cache: 'bg-cyan-100 text-cyan-800', ai: 'bg-violet-100 text-violet-800',
+    development: 'bg-gray-100 text-gray-800', cicd: 'bg-orange-100 text-orange-800',
+    python: 'bg-emerald-100 text-emerald-800', go: 'bg-sky-100 text-sky-800',
+    nodejs: 'bg-lime-100 text-lime-800', unity: 'bg-amber-100 text-amber-800',
+    csharp: 'bg-fuchsia-100 text-fuchsia-800', game: 'bg-rose-100 text-rose-800',
+    voice: 'bg-teal-100 text-teal-800', qa: 'bg-blue-100 text-blue-800',
   }
-  components?: Component[]
+  return map[category || ''] || 'bg-slate-100 text-slate-800'
 }
 
-type CategoryType = 'all' | 'infrastructure' | 'security-tools' | 'python' | 'go' | 'nodejs' | 'unity' | 'csharp'
-type InfoTabType = 'audit' | 'documentation'
+const getLicenseColor = (license?: string) => {
+  if (!license) return 'bg-gray-100 text-gray-600'
+  if (license.includes('MIT')) return 'bg-green-100 text-green-700'
+  if (license.includes('Apache')) return 'bg-blue-100 text-blue-700'
+  if (license.includes('BSD')) return 'bg-cyan-100 text-cyan-700'
+  if (license.includes('GPL') || license.includes('LGPL')) return 'bg-orange-100 text-orange-700'
+  return 'bg-gray-100 text-gray-600'
+}
 
-// Infrastructure components from docker-compose.yml and project analysis
-const INFRASTRUCTURE_COMPONENTS: Component[] = [
-  // ===== DATABASES =====
-  { type: 'service', name: 'PostgreSQL', version: '16-alpine', category: 'database', port: '5432', description: 'Hauptdatenbank', license: 'PostgreSQL', sourceUrl: 'https://github.com/postgres/postgres' },
-  { type: 'service', name: 'Synapse PostgreSQL', version: '16-alpine', category: 'database', port: '-', description: 'Matrix Datenbank', license: 'PostgreSQL', sourceUrl: 'https://github.com/postgres/postgres' },
-  { type: 'service', name: 'ERPNext MariaDB', version: '10.6', category: 'database', port: '-', description: 'ERPNext Datenbank', license: 'GPL-2.0', sourceUrl: 'https://github.com/MariaDB/server' },
-  { type: 'service', name: 'MongoDB', version: '7.0', category: 'database', port: '27017', description: 'LibreChat Datenbank', license: 'SSPL-1.0', sourceUrl: 'https://github.com/mongodb/mongo' },
-
-  // ===== CACHE & QUEUE =====
-  { type: 'service', name: 'Valkey', version: '8-alpine', category: 'cache', port: '6379', description: 'In-Memory Cache & Sessions (Redis OSS Fork)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/valkey-io/valkey' },
-  { type: 'service', name: 'ERPNext Valkey Queue', version: 'alpine', category: 'cache', port: '-', description: 'Job Queue', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/valkey-io/valkey' },
-  { type: 'service', name: 'ERPNext Valkey Cache', version: 'alpine', category: 'cache', port: '-', description: 'Cache Layer', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/valkey-io/valkey' },
-
-  // ===== SEARCH ENGINES =====
-  { type: 'service', name: 'Qdrant', version: '1.7.4', category: 'search', port: '6333', description: 'Vector Database (RAG/Embeddings)', license: 'Apache-2.0', sourceUrl: 'https://github.com/qdrant/qdrant' },
-  { type: 'service', name: 'OpenSearch', version: '2.x', category: 'search', port: '9200', description: 'Volltext-Suche (Elasticsearch Fork)', license: 'Apache-2.0', sourceUrl: 'https://github.com/opensearch-project/OpenSearch' },
-  { type: 'service', name: 'Meilisearch', version: 'latest', category: 'search', port: '7700', description: 'Instant Search Engine', license: 'MIT', sourceUrl: 'https://github.com/meilisearch/meilisearch' },
-
-  // ===== OBJECT STORAGE =====
-  { type: 'service', name: 'MinIO', version: 'latest', category: 'storage', port: '9000/9001', description: 'S3-kompatibel Object Storage', license: 'AGPL-3.0', sourceUrl: 'https://github.com/minio/minio' },
-  { type: 'service', name: 'IPFS (Kubo)', version: '0.24', category: 'storage', port: '5001', description: 'Dezentrales Speichersystem', license: 'MIT/Apache-2.0', sourceUrl: 'https://github.com/ipfs/kubo' },
-  { type: 'service', name: 'DSMS Gateway', version: '1.0', category: 'storage', port: '8082', description: 'IPFS REST API', license: 'Proprietary', sourceUrl: '-' },
-
-  // ===== SECURITY =====
-  { type: 'service', name: 'HashiCorp Vault', version: '1.15', category: 'security', port: '8200', description: 'Secrets Management', license: 'BUSL-1.1', sourceUrl: 'https://github.com/hashicorp/vault' },
-  { type: 'service', name: 'Keycloak', version: '23.0', category: 'security', port: '8180', description: 'Identity Provider (SSO/OIDC)', license: 'Apache-2.0', sourceUrl: 'https://github.com/keycloak/keycloak' },
-  { type: 'service', name: 'NetBird', version: '0.64.5', category: 'security', port: '-', description: 'Zero-Trust Mesh VPN (WireGuard-basiert)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/netbirdio/netbird' },
-
-  // ===== COMMUNICATION =====
-  { type: 'service', name: 'Matrix Synapse', version: 'latest', category: 'communication', port: '8008', description: 'E2EE Messenger Server', license: 'AGPL-3.0', sourceUrl: 'https://github.com/element-hq/synapse' },
-  { type: 'service', name: 'Jitsi Web', version: 'stable-9823', category: 'communication', port: '8443', description: 'Videokonferenz UI', license: 'Apache-2.0', sourceUrl: 'https://github.com/jitsi/jitsi-meet' },
-  { type: 'service', name: 'Jitsi Prosody (XMPP)', version: 'stable-9823', category: 'communication', port: '-', description: 'XMPP Server', license: 'MIT', sourceUrl: 'https://github.com/bjc/prosody' },
-  { type: 'service', name: 'Jitsi Jicofo', version: 'stable-9823', category: 'communication', port: '-', description: 'Conference Focus Component', license: 'Apache-2.0', sourceUrl: 'https://github.com/jitsi/jicofo' },
-  { type: 'service', name: 'Jitsi JVB', version: 'stable-9823', category: 'communication', port: '10000/udp', description: 'Videobridge (WebRTC SFU)', license: 'Apache-2.0', sourceUrl: 'https://github.com/jitsi/jitsi-videobridge' },
-  { type: 'service', name: 'Jibri', version: 'stable-9823', category: 'communication', port: '-', description: 'Recording & Streaming Service', license: 'Apache-2.0', sourceUrl: 'https://github.com/jitsi/jibri' },
-
-  // ===== APPLICATION SERVICES (Python) =====
-  { type: 'service', name: 'Python Backend (FastAPI)', version: '3.12', category: 'application', port: '8000', description: 'Haupt-Backend API, Studio & Alerts Agent', license: 'Proprietary', sourceUrl: '-' },
-  { type: 'service', name: 'Klausur Service', version: '1.0', category: 'application', port: '8086', description: 'Abitur-Klausurkorrektur (BYOEH)', license: 'Proprietary', sourceUrl: '-' },
-  { type: 'service', name: 'Compliance Module', version: '2.0', category: 'application', port: '8000', description: 'GRC Framework (19 Regulations, 558 Requirements, AI)', license: 'Proprietary', sourceUrl: '-' },
-  { type: 'service', name: 'Transcription Worker', version: '1.0', category: 'application', port: '-', description: 'Whisper + pyannote Transkription', license: 'Proprietary', sourceUrl: '-' },
-
-  // ===== APPLICATION SERVICES (Go) =====
-  { type: 'service', name: 'Go Consent Service', version: '1.21', category: 'application', port: '8081', description: 'DSGVO Consent Management', license: 'Proprietary', sourceUrl: '-' },
-  { type: 'service', name: 'Go School Service', version: '1.21', category: 'application', port: '8084', description: 'Klausuren, Noten, Zeugnisse', license: 'Proprietary', sourceUrl: '-' },
-  { type: 'service', name: 'Go Billing Service', version: '1.21', category: 'application', port: '8083', description: 'Stripe Billing Integration', license: 'Proprietary', sourceUrl: '-' },
-
-  // ===== APPLICATION SERVICES (Node.js) =====
-  { type: 'service', name: 'Next.js Admin Frontend', version: '15.1', category: 'application', port: '3000', description: 'Admin Dashboard (React)', license: 'Proprietary', sourceUrl: '-' },
-  { type: 'service', name: 'H5P Content Service', version: 'latest', category: 'application', port: '8085', description: 'Interaktive Inhalte', license: 'MIT', sourceUrl: 'https://github.com/h5p/h5p-server' },
-  { type: 'service', name: 'Policy Vault (NestJS)', version: '1.0', category: 'application', port: '3001', description: 'Richtlinien-Verwaltung API', license: 'Proprietary', sourceUrl: '-' },
-  { type: 'service', name: 'Policy Vault (Angular)', version: '17', category: 'application', port: '4200', description: 'Richtlinien-Verwaltung UI', license: 'Proprietary', sourceUrl: '-' },
-
-  // ===== APPLICATION SERVICES (Vue) =====
-  { type: 'service', name: 'Creator Studio (Vue 3)', version: '3.4', category: 'application', port: '-', description: 'Content Creation UI', license: 'Proprietary', sourceUrl: '-' },
-
-  // ===== AI/LLM SERVICES =====
-  { type: 'service', name: 'LibreChat', version: 'latest', category: 'ai', port: '3080', description: 'Multi-LLM Chat Interface', license: 'MIT', sourceUrl: 'https://github.com/danny-avila/LibreChat' },
-  { type: 'service', name: 'RAGFlow', version: 'latest', category: 'ai', port: '9380', description: 'RAG Pipeline Service', license: 'Apache-2.0', sourceUrl: 'https://github.com/infiniflow/ragflow' },
-
-  // ===== ERP =====
-  { type: 'service', name: 'ERPNext', version: 'v15', category: 'erp', port: '8090', description: 'Open Source ERP System', license: 'GPL-3.0', sourceUrl: 'https://github.com/frappe/erpnext' },
-
-  // ===== CI/CD & VERSION CONTROL =====
-  { type: 'service', name: 'Gitea', version: '1.21', category: 'cicd', port: '3003', description: 'Self-hosted Git Service with Actions CI/CD', license: 'MIT', sourceUrl: 'https://github.com/go-gitea/gitea' },
-  { type: 'service', name: 'Dokploy', version: '0.26.7', category: 'cicd', port: '3000', description: 'Self-hosted PaaS (Vercel/Heroku Alternative)', license: 'Apache-2.0', sourceUrl: 'https://github.com/Dokploy/dokploy' },
-
-  // ===== DEVELOPMENT =====
-  { type: 'service', name: 'Mailpit', version: 'latest', category: 'development', port: '8025/1025', description: 'E-Mail Testing (SMTP Catch-All)', license: 'MIT', sourceUrl: 'https://github.com/axllent/mailpit' },
-
-  // ===== GAME (Breakpilot Drive) =====
-  { type: 'service', name: 'Breakpilot Drive (Unity WebGL)', version: '6000.0', category: 'game', port: '3001', description: 'Lernspiel fuer Schueler (Klasse 2-6)', license: 'Proprietary', sourceUrl: '-' },
-
-
-  // ===== BQAS (Quality Assurance) =====
-  { type: 'service', name: 'BQAS Local Scheduler', version: '1.0', category: 'qa', port: '-', description: 'Lokale GitHub Actions Alternative (launchd)', license: 'Proprietary', sourceUrl: '-' },
-  { type: 'service', name: 'BQAS LLM Judge', version: '1.0', category: 'qa', port: '-', description: 'Qwen2.5-32B basierte Test-Bewertung', license: 'Proprietary', sourceUrl: '-' },
-  { type: 'service', name: 'BQAS RAG Judge', version: '1.0', category: 'qa', port: '-', description: 'RAG/Korrektur Evaluierung', license: 'Proprietary', sourceUrl: '-' },
-  { type: 'service', name: 'BQAS Notifier', version: '1.0', category: 'qa', port: '-', description: 'Desktop/Slack/Email Benachrichtigungen', license: 'Proprietary', sourceUrl: '-' },
-  { type: 'service', name: 'BQAS Regression Tracker', version: '1.0', category: 'qa', port: '-', description: 'Score-Historie und Regression-Erkennung', license: 'Proprietary', sourceUrl: '-' },
-]
-
-// Security Tools discovered in project
-const SECURITY_TOOLS: Component[] = [
-  { type: 'tool', name: 'Trivy', version: 'latest', category: 'security-tool', description: 'Container Vulnerability Scanner', license: 'Apache-2.0', sourceUrl: 'https://github.com/aquasecurity/trivy' },
-  { type: 'tool', name: 'Grype', version: 'latest', category: 'security-tool', description: 'SBOM Vulnerability Scanner', license: 'Apache-2.0', sourceUrl: 'https://github.com/anchore/grype' },
-  { type: 'tool', name: 'Syft', version: 'latest', category: 'security-tool', description: 'SBOM Generator', license: 'Apache-2.0', sourceUrl: 'https://github.com/anchore/syft' },
-  { type: 'tool', name: 'Gitleaks', version: 'latest', category: 'security-tool', description: 'Secrets Detection in Git', license: 'MIT', sourceUrl: 'https://github.com/gitleaks/gitleaks' },
-  { type: 'tool', name: 'TruffleHog', version: '3.x', category: 'security-tool', description: 'Secrets Scanner (Regex/Entropy)', license: 'AGPL-3.0', sourceUrl: 'https://github.com/trufflesecurity/trufflehog' },
-  { type: 'tool', name: 'Semgrep', version: 'latest', category: 'security-tool', description: 'SAST - Static Analysis', license: 'LGPL-2.1', sourceUrl: 'https://github.com/semgrep/semgrep' },
-  { type: 'tool', name: 'Bandit', version: 'latest', category: 'security-tool', description: 'Python Security Linter', license: 'Apache-2.0', sourceUrl: 'https://github.com/PyCQA/bandit' },
-  { type: 'tool', name: 'Gosec', version: 'latest', category: 'security-tool', description: 'Go Security Scanner', license: 'Apache-2.0', sourceUrl: 'https://github.com/securego/gosec' },
-  { type: 'tool', name: 'govulncheck', version: 'latest', category: 'security-tool', description: 'Go Vulnerability Check', license: 'BSD-3-Clause', sourceUrl: 'https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck' },
-  { type: 'tool', name: 'golangci-lint', version: 'latest', category: 'security-tool', description: 'Go Linter (Security Rules)', license: 'GPL-3.0', sourceUrl: 'https://github.com/golangci/golangci-lint' },
-  { type: 'tool', name: 'npm audit', version: 'built-in', category: 'security-tool', description: 'Node.js Vulnerability Check', license: 'Artistic-2.0', sourceUrl: 'https://docs.npmjs.com/cli/commands/npm-audit' },
-  { type: 'tool', name: 'pip-audit', version: 'latest', category: 'security-tool', description: 'Python Dependency Audit', license: 'Apache-2.0', sourceUrl: 'https://github.com/pypa/pip-audit' },
-  { type: 'tool', name: 'safety', version: 'latest', category: 'security-tool', description: 'Python Safety Check', license: 'MIT', sourceUrl: 'https://github.com/pyupio/safety' },
-  { type: 'tool', name: 'CodeQL', version: 'latest', category: 'security-tool', description: 'GitHub Security Analysis', license: 'MIT', sourceUrl: 'https://github.com/github/codeql' },
-]
-
-// Key Python packages (from requirements.txt)
-const PYTHON_PACKAGES: Component[] = [
-  { type: 'library', name: 'FastAPI', version: '0.109+', category: 'python', description: 'Web Framework', license: 'MIT', sourceUrl: 'https://github.com/tiangolo/fastapi' },
-  { type: 'library', name: 'Uvicorn', version: '0.38+', category: 'python', description: 'ASGI Server', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/encode/uvicorn' },
-  { type: 'library', name: 'Starlette', version: '0.49+', category: 'python', description: 'ASGI Framework (FastAPI Basis)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/encode/starlette' },
-  { type: 'library', name: 'Pydantic', version: '2.x', category: 'python', description: 'Data Validation', license: 'MIT', sourceUrl: 'https://github.com/pydantic/pydantic' },
-  { type: 'library', name: 'SQLAlchemy', version: '2.x', category: 'python', description: 'ORM', license: 'MIT', sourceUrl: 'https://github.com/sqlalchemy/sqlalchemy' },
-  { type: 'library', name: 'Alembic', version: '1.14+', category: 'python', description: 'DB Migrations (Classroom, Feedback Tables)', license: 'MIT', sourceUrl: 'https://github.com/sqlalchemy/alembic' },
-  { type: 'library', name: 'psycopg2-binary', version: '2.9+', category: 'python', description: 'PostgreSQL Driver', license: 'LGPL-3.0', sourceUrl: 'https://github.com/psycopg/psycopg2' },
-  { type: 'library', name: 'httpx', version: 'latest', category: 'python', description: 'Async HTTP Client', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/encode/httpx' },
-  { type: 'library', name: 'PyJWT', version: 'latest', category: 'python', description: 'JWT Handling', license: 'MIT', sourceUrl: 'https://github.com/jpadilla/pyjwt' },
-  { type: 'library', name: 'hvac', version: 'latest', category: 'python', description: 'Vault Client', license: 'Apache-2.0', sourceUrl: 'https://github.com/hvac/hvac' },
-  { type: 'library', name: 'python-multipart', version: 'latest', category: 'python', description: 'File Uploads', license: 'Apache-2.0', sourceUrl: 'https://github.com/andrew-d/python-multipart' },
-  { type: 'library', name: 'aiofiles', version: 'latest', category: 'python', description: 'Async File I/O', license: 'Apache-2.0', sourceUrl: 'https://github.com/Tinche/aiofiles' },
-  { type: 'library', name: 'openai', version: 'latest', category: 'python', description: 'OpenAI SDK', license: 'MIT', sourceUrl: 'https://github.com/openai/openai-python' },
-  { type: 'library', name: 'anthropic', version: 'latest', category: 'python', description: 'Anthropic Claude SDK', license: 'MIT', sourceUrl: 'https://github.com/anthropics/anthropic-sdk-python' },
-  { type: 'library', name: 'langchain', version: 'latest', category: 'python', description: 'LLM Framework', license: 'MIT', sourceUrl: 'https://github.com/langchain-ai/langchain' },
-  { type: 'library', name: 'aioimaplib', version: 'latest', category: 'python', description: 'Async IMAP Client (Unified Inbox)', license: 'MIT', sourceUrl: 'https://github.com/bamthomas/aioimaplib' },
-  { type: 'library', name: 'aiosmtplib', version: 'latest', category: 'python', description: 'Async SMTP Client (Mail Sending)', license: 'MIT', sourceUrl: 'https://github.com/cole/aiosmtplib' },
-  { type: 'library', name: 'email-validator', version: 'latest', category: 'python', description: 'Email Validation', license: 'CC0-1.0', sourceUrl: 'https://github.com/JoshData/python-email-validator' },
-  { type: 'library', name: 'cryptography', version: 'latest', category: 'python', description: 'Encryption (Mail Credentials)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/pyca/cryptography' },
-  { type: 'library', name: 'asyncpg', version: 'latest', category: 'python', description: 'Async PostgreSQL Driver', license: 'Apache-2.0', sourceUrl: 'https://github.com/MagicStack/asyncpg' },
-  { type: 'library', name: 'python-dateutil', version: 'latest', category: 'python', description: 'Date Parsing (Deadline Extraction)', license: 'Apache-2.0', sourceUrl: 'https://github.com/dateutil/dateutil' },
-  { type: 'library', name: 'faster-whisper', version: '1.0+', category: 'python', description: 'CTranslate2 Whisper (GPU-optimiert)', license: 'MIT', sourceUrl: 'https://github.com/SYSTRAN/faster-whisper' },
-  { type: 'library', name: 'pyannote.audio', version: '3.x', category: 'python', description: 'Speaker Diarization', license: 'MIT', sourceUrl: 'https://github.com/pyannote/pyannote-audio' },
-  { type: 'library', name: 'rq', version: '1.x', category: 'python', description: 'Redis Queue (Task Processing)', license: 'BSD-2-Clause', sourceUrl: 'https://github.com/rq/rq' },
-  { type: 'library', name: 'ffmpeg-python', version: '0.2+', category: 'python', description: 'FFmpeg Python Bindings', license: 'Apache-2.0', sourceUrl: 'https://github.com/kkroening/ffmpeg-python' },
-  { type: 'library', name: 'webvtt-py', version: '0.4+', category: 'python', description: 'WebVTT Subtitle Export', license: 'MIT', sourceUrl: 'https://github.com/glut23/webvtt-py' },
-  { type: 'library', name: 'minio', version: '7.x', category: 'python', description: 'MinIO S3 Client', license: 'Apache-2.0', sourceUrl: 'https://github.com/minio/minio-py' },
-  { type: 'library', name: 'structlog', version: '24.x', category: 'python', description: 'Structured Logging', license: 'Apache-2.0', sourceUrl: 'https://github.com/hynek/structlog' },
-  { type: 'library', name: 'feedparser', version: '6.x', category: 'python', description: 'RSS/Atom Feed Parser (Alerts Agent)', license: 'BSD-2-Clause', sourceUrl: 'https://github.com/kurtmckee/feedparser' },
-  { type: 'library', name: 'APScheduler', version: '3.x', category: 'python', description: 'AsyncIO Job Scheduler (Alerts Agent)', license: 'MIT', sourceUrl: 'https://github.com/agronholm/apscheduler' },
-  { type: 'library', name: 'beautifulsoup4', version: '4.x', category: 'python', description: 'HTML Parser (Email Parsing, Compliance Scraper)', license: 'MIT', sourceUrl: 'https://code.launchpad.net/beautifulsoup' },
-  { type: 'library', name: 'lxml', version: '5.x', category: 'python', description: 'XML/HTML Parser (EUR-Lex Scraping)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/lxml/lxml' },
-  { type: 'library', name: 'PyMuPDF', version: '1.24+', category: 'python', description: 'PDF Parser (BSI-TR Extraction)', license: 'AGPL-3.0', sourceUrl: 'https://github.com/pymupdf/PyMuPDF' },
-  { type: 'library', name: 'pdfplumber', version: '0.11+', category: 'python', description: 'PDF Table Extraction (Compliance Docs)', license: 'MIT', sourceUrl: 'https://github.com/jsvine/pdfplumber' },
-  { type: 'library', name: 'websockets', version: '14.x', category: 'python', description: 'WebSocket Support (Voice Streaming)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/python-websockets/websockets' },
-  { type: 'library', name: 'soundfile', version: '0.13+', category: 'python', description: 'Audio File Processing (Voice Service)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/bastibe/python-soundfile' },
-  { type: 'library', name: 'scipy', version: '1.14+', category: 'python', description: 'Signal Processing (Audio)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/scipy/scipy' },
-  { type: 'library', name: 'redis', version: '5.x', category: 'python', description: 'Valkey/Redis Client (Voice Sessions)', license: 'MIT', sourceUrl: 'https://github.com/redis/redis-py' },
-  { type: 'library', name: 'pydantic-settings', version: '2.x', category: 'python', description: 'Settings Management (Voice Config)', license: 'MIT', sourceUrl: 'https://github.com/pydantic/pydantic-settings' },
-  { type: 'library', name: 'pyspellchecker', version: '0.8.1+', category: 'python', description: 'Regel-basierte OCR-Korrektur (klausur-service Schritt 6)', license: 'MIT', sourceUrl: 'https://github.com/barrust/pyspellchecker' },
-  { type: 'library', name: 'pytesseract', version: '0.3.10+', category: 'python', description: 'Tesseract OCR Engine Wrapper (klausur-service)', license: 'Apache-2.0', sourceUrl: 'https://github.com/madmaze/pytesseract' },
-  { type: 'library', name: 'opencv-python-headless', version: '4.8+', category: 'python', description: 'Bildverarbeitung, Projektionsprofile, Inpainting (klausur-service)', license: 'Apache-2.0', sourceUrl: 'https://github.com/opencv/opencv-python' },
-  { type: 'library', name: 'rapidocr-onnxruntime', version: 'latest', category: 'python', description: 'Schnelles OCR ARM64 via ONNX (klausur-service)', license: 'Apache-2.0', sourceUrl: 'https://github.com/RapidAI/RapidOCR' },
-  { type: 'library', name: 'onnxruntime', version: 'latest', category: 'python', description: 'ONNX-Inferenz für RapidOCR (klausur-service)', license: 'MIT', sourceUrl: 'https://github.com/microsoft/onnxruntime' },
-  { type: 'library', name: 'eng-to-ipa', version: 'latest', category: 'python', description: 'IPA-Lautschrift-Lookup (klausur-service Vokabel-Pipeline)', license: 'MIT', sourceUrl: 'https://github.com/mphilli/English-to-IPA' },
-  { type: 'library', name: 'sentence-transformers', version: '2.2+', category: 'python', description: 'Lokale Embeddings (klausur-service, rag-service)', license: 'Apache-2.0', sourceUrl: 'https://github.com/UKPLab/sentence-transformers' },
-  { type: 'library', name: 'torch', version: '2.0+', category: 'python', description: 'ML-Framework CPU/MPS (TrOCR, klausur-service)', license: 'BSD-3-Clause', sourceUrl: 'https://github.com/pytorch/pytorch' },
-  { type: 'library', name: 'transformers', version: '4.x', category: 'python', description: 'HuggingFace Transformers (TrOCR, Handschrift-HTR)', license: 'Apache-2.0', sourceUrl: 'https://github.com/huggingface/transformers' },
-]
-
-// Key Go modules (from go.mod files)
-const GO_MODULES: Component[] = [
-  { type: 'library', name: 'gin-gonic/gin', version: '1.9+', category: 'go', description: 'Web Framework', license: 'MIT', sourceUrl: 'https://github.com/gin-gonic/gin' },
-  { type: 'library', name: 'gorm.io/gorm', version: '1.25+', category: 'go', description: 'ORM', license: 'MIT', sourceUrl: 'https://github.com/go-gorm/gorm' },
-  { type: 'library', name: 'golang-jwt/jwt', version: 'v5', category: 'go', description: 'JWT Library', license: 'MIT', sourceUrl: 'https://github.com/golang-jwt/jwt' },
-  { type: 'library', name: 'stripe/stripe-go', version: 'v76', category: 'go', description: 'Stripe SDK', license: 'MIT', sourceUrl: 'https://github.com/stripe/stripe-go' },
-  { type: 'library', name: 'spf13/viper', version: 'latest', category: 'go', description: 'Configuration', license: 'MIT', sourceUrl: 'https://github.com/spf13/viper' },
-  { type: 'library', name: 'uber-go/zap', version: 'latest', category: 'go', description: 'Structured Logging', license: 'MIT', sourceUrl: 'https://github.com/uber-go/zap' },
-  { type: 'library', name: 'swaggo/swag', version: 'latest', category: 'go', description: 'Swagger Docs', license: 'MIT', sourceUrl: 'https://github.com/swaggo/swag' },
-]
-
-// Key Node.js packages (from package.json files)
-const NODE_PACKAGES: Component[] = [
-  { type: 'library', name: 'Next.js', version: '15.1', category: 'nodejs', description: 'React Framework', license: 'MIT', sourceUrl: 'https://github.com/vercel/next.js' },
-  { type: 'library', name: 'React', version: '19', category: 'nodejs', description: 'UI Library', license: 'MIT', sourceUrl: 'https://github.com/facebook/react' },
-  { type: 'library', name: 'Vue.js', version: '3.4', category: 'nodejs', description: 'UI Framework (Creator Studio)', license: 'MIT', sourceUrl: 'https://github.com/vuejs/core' },
-  { type: 'library', name: 'Angular', version: '17', category: 'nodejs', description: 'UI Framework (Policy Vault)', license: 'MIT', sourceUrl: 'https://github.com/angular/angular' },
-  { type: 'library', name: 'NestJS', version: '10', category: 'nodejs', description: 'Node.js Framework', license: 'MIT', sourceUrl: 'https://github.com/nestjs/nest' },
-  { type: 'library', name: 'TypeScript', version: '5.x', category: 'nodejs', description: 'Type System', license: 'Apache-2.0', sourceUrl: 'https://github.com/microsoft/TypeScript' },
-  { type: 'library', name: 'Tailwind CSS', version: '3.4', category: 'nodejs', description: 'Utility CSS', license: 'MIT', sourceUrl: 'https://github.com/tailwindlabs/tailwindcss' },
-  { type: 'library', name: 'Prisma', version: '5.x', category: 'nodejs', description: 'ORM (Policy Vault)', license: 'Apache-2.0', sourceUrl: 'https://github.com/prisma/prisma' },
-  { type: 'library', name: 'Material Design Icons', version: 'latest', category: 'nodejs', description: 'Icon-System (Companion UI, Studio)', license: 'Apache-2.0', sourceUrl: 'https://github.com/google/material-design-icons' },
-  { type: 'library', name: 'Recharts', version: '2.12', category: 'nodejs', description: 'React Charts (Compliance Dashboard)', license: 'MIT', sourceUrl: 'https://github.com/recharts/recharts' },
-  { type: 'library', name: 'React Flow', version: '11.x', category: 'nodejs', description: 'Node-basierte Flow-Diagramme (Screen Flow)', license: 'MIT', sourceUrl: 'https://github.com/xyflow/xyflow' },
-  { type: 'library', name: 'Playwright', version: '1.50', category: 'nodejs', description: 'E2E Testing Framework (SDK Tests)', license: 'Apache-2.0', sourceUrl: 'https://github.com/microsoft/playwright' },
-  { type: 'library', name: 'Vitest', version: '4.x', category: 'nodejs', description: 'Unit Testing Framework', license: 'MIT', sourceUrl: 'https://github.com/vitest-dev/vitest' },
-  { type: 'library', name: 'jsPDF', version: '4.x', category: 'nodejs', description: 'PDF Generation (SDK Export)', license: 'MIT', sourceUrl: 'https://github.com/parallax/jsPDF' },
-  { type: 'library', name: 'JSZip', version: '3.x', category: 'nodejs', description: 'ZIP File Creation (SDK Export)', license: 'MIT/GPL-3.0', sourceUrl: 'https://github.com/Stuk/jszip' },
-  { type: 'library', name: 'Lucide React', version: '0.468', category: 'nodejs', description: 'Icon Library', license: 'ISC', sourceUrl: 'https://github.com/lucide-icons/lucide' },
-]
-
-// Unity packages (Breakpilot Drive game engine)
-const UNITY_PACKAGES: Component[] = [
-  { type: 'library', name: 'Unity Engine', version: '6000.0 (Unity 6)', category: 'unity', description: 'Game Engine', license: 'Unity EULA', sourceUrl: 'https://unity.com' },
-  { type: 'library', name: 'Universal Render Pipeline (URP)', version: '17.x', category: 'unity', description: 'Render Pipeline', license: 'Unity Companion', sourceUrl: 'https://docs.unity3d.com/Packages/com.unity.render-pipelines.universal@17.0' },
-  { type: 'library', name: 'TextMeshPro', version: '3.2', category: 'unity', description: 'Advanced Text Rendering', license: 'Unity Companion', sourceUrl: 'https://docs.unity3d.com/Packages/com.unity.textmeshpro@3.2' },
-  { type: 'library', name: 'Unity Mathematics', version: '1.3', category: 'unity', description: 'Math Library (SIMD)', license: 'Unity Companion', sourceUrl: 'https://docs.unity3d.com/Packages/com.unity.mathematics@1.3' },
-  { type: 'library', name: 'Newtonsoft.Json (Unity)', version: '3.2', category: 'unity', description: 'JSON Serialization', license: 'MIT', sourceUrl: 'https://docs.unity3d.com/Packages/com.unity.nuget.newtonsoft-json@3.2' },
-  { type: 'library', name: 'Unity UI', version: '2.0', category: 'unity', description: 'UI System', license: 'Unity Companion', sourceUrl: 'https://docs.unity3d.com/Packages/com.unity.ugui@2.0' },
-  { type: 'library', name: 'Unity Input System', version: '1.8', category: 'unity', description: 'New Input System', license: 'Unity Companion', sourceUrl: 'https://docs.unity3d.com/Packages/com.unity.inputsystem@1.8' },
-]
-
-// C# dependencies (Breakpilot Drive)
-const CSHARP_PACKAGES: Component[] = [
-  { type: 'library', name: '.NET Standard', version: '2.1', category: 'csharp', description: 'Runtime', license: 'MIT', sourceUrl: 'https://github.com/dotnet/standard' },
-  { type: 'library', name: 'UnityWebRequest', version: 'built-in', category: 'csharp', description: 'HTTP Client', license: 'Unity Companion', sourceUrl: '-' },
-  { type: 'library', name: 'System.Text.Json', version: 'built-in', category: 'csharp', description: 'JSON Parsing', license: 'MIT', sourceUrl: 'https://github.com/dotnet/runtime' },
-]
+// =============================================================================
+// Component
+// =============================================================================
 
 export default function SBOMPage() {
   const [sbomData, setSbomData] = useState<SBOMData | null>(null)
@@ -256,136 +58,45 @@ export default function SBOMPage() {
   const [showFullDocs, setShowFullDocs] = useState(false)
 
   useEffect(() => {
-    loadSBOM()
+    (async () => {
+      setLoading(true)
+      try {
+        const res = await fetch('/api/v1/security/sbom')
+        if (res.ok) setSbomData(await res.json())
+      } catch (error) {
+        console.error('Failed to load SBOM:', error)
+      } finally {
+        setLoading(false)
+      }
+    })()
   }, [])
 
-  const loadSBOM = async () => {
-    setLoading(true)
-    try {
-      const res = await fetch('/api/v1/security/sbom')
-      if (res.ok) {
-        const data = await res.json()
-        setSbomData(data)
-      }
-    } catch (error) {
-      console.error('Failed to load SBOM:', error)
-    } finally {
-      setLoading(false)
-    }
-  }
-
-  const getAllComponents = (): Component[] => {
-    const infraComponents = INFRASTRUCTURE_COMPONENTS.map(c => ({
-      ...c,
-      category: c.category || 'infrastructure'
-    }))
-
-    const securityToolsComponents = SECURITY_TOOLS.map(c => ({
-      ...c,
-      category: c.category || 'security-tool'
-    }))
-
-    const pythonComponents = PYTHON_PACKAGES.map(c => ({
-      ...c,
-      category: 'python'
-    }))
-
-    const goComponents = GO_MODULES.map(c => ({
-      ...c,
-      category: 'go'
-    }))
-
-    const nodeComponents = NODE_PACKAGES.map(c => ({
-      ...c,
-      category: 'nodejs'
-    }))
-
-    const unityComponents = UNITY_PACKAGES.map(c => ({
-      ...c,
-      category: 'unity'
-    }))
-
-    const csharpComponents = CSHARP_PACKAGES.map(c => ({
-      ...c,
-      category: 'csharp'
-    }))
-
-    // Add dynamic SBOM data from backend if available
-    const dynamicPython = (sbomData?.components || []).map(c => ({
-      ...c,
-      category: 'python'
-    }))
-
-    return [...infraComponents, ...securityToolsComponents, ...pythonComponents, ...goComponents, ...nodeComponents, ...unityComponents, ...csharpComponents, ...dynamicPython]
-  }
-
-  const getFilteredComponents = () => {
-    let components = getAllComponents()
-
-    if (activeCategory !== 'all') {
-      if (activeCategory === 'infrastructure') {
-        components = INFRASTRUCTURE_COMPONENTS
-      } else if (activeCategory === 'security-tools') {
-        components = SECURITY_TOOLS
-      } else if (activeCategory === 'python') {
-        components = [...PYTHON_PACKAGES, ...(sbomData?.components || [])]
-      } else if (activeCategory === 'go') {
-        components = GO_MODULES
-      } else if (activeCategory === 'nodejs') {
-        components = NODE_PACKAGES
-      } else if (activeCategory === 'unity') {
-        components = UNITY_PACKAGES
-      } else if (activeCategory === 'csharp') {
-        components = CSHARP_PACKAGES
-      }
-    }
+  const getFilteredComponents = (): Component[] => {
+    let components: Component[]
+    if (activeCategory === 'all') {
+      components = [
+        ...INFRASTRUCTURE_COMPONENTS, ...SECURITY_TOOLS, ...PYTHON_PACKAGES,
+        ...GO_MODULES, ...NODE_PACKAGES, ...UNITY_PACKAGES, ...CSHARP_PACKAGES,
+        ...(sbomData?.components || []).map(c => ({ ...c, category: 'python' })),
+      ]
+    } else if (activeCategory === 'infrastructure') components = INFRASTRUCTURE_COMPONENTS
+    else if (activeCategory === 'security-tools') components = SECURITY_TOOLS
+    else if (activeCategory === 'python') components = [...PYTHON_PACKAGES, ...(sbomData?.components || [])]
+    else if (activeCategory === 'go') components = GO_MODULES
+    else if (activeCategory === 'nodejs') components = NODE_PACKAGES
+    else if (activeCategory === 'unity') components = UNITY_PACKAGES
+    else if (activeCategory === 'csharp') components = CSHARP_PACKAGES
+    else components = []
 
     if (searchTerm) {
+      const term = searchTerm.toLowerCase()
       components = components.filter(c =>
-        c.name.toLowerCase().includes(searchTerm.toLowerCase()) ||
-        c.version.toLowerCase().includes(searchTerm.toLowerCase()) ||
-        (c.description?.toLowerCase().includes(searchTerm.toLowerCase()))
+        c.name.toLowerCase().includes(term) || c.version.toLowerCase().includes(term) || (c.description?.toLowerCase().includes(term))
       )
     }
-
     return components
   }
 
-  const getCategoryColor = (category?: string) => {
-    switch (category) {
-      case 'database': return 'bg-blue-100 text-blue-800'
-      case 'security': return 'bg-purple-100 text-purple-800'
-      case 'security-tool': return 'bg-red-100 text-red-800'
-      case 'application': return 'bg-green-100 text-green-800'
-      case 'communication': return 'bg-yellow-100 text-yellow-800'
-      case 'storage': return 'bg-orange-100 text-orange-800'
-      case 'search': return 'bg-pink-100 text-pink-800'
-      case 'erp': return 'bg-indigo-100 text-indigo-800'
-      case 'cache': return 'bg-cyan-100 text-cyan-800'
-      case 'ai': return 'bg-violet-100 text-violet-800'
-      case 'development': return 'bg-gray-100 text-gray-800'
-      case 'cicd': return 'bg-orange-100 text-orange-800'
-      case 'python': return 'bg-emerald-100 text-emerald-800'
-      case 'go': return 'bg-sky-100 text-sky-800'
-      case 'nodejs': return 'bg-lime-100 text-lime-800'
-      case 'unity': return 'bg-amber-100 text-amber-800'
-      case 'csharp': return 'bg-fuchsia-100 text-fuchsia-800'
-      case 'game': return 'bg-rose-100 text-rose-800'
-      case 'voice': return 'bg-teal-100 text-teal-800'
-      case 'qa': return 'bg-blue-100 text-blue-800'
-      default: return 'bg-slate-100 text-slate-800'
-    }
-  }
-
-  const getLicenseColor = (license?: string) => {
-    if (!license) return 'bg-gray-100 text-gray-600'
-    if (license.includes('MIT')) return 'bg-green-100 text-green-700'
-    if (license.includes('Apache')) return 'bg-blue-100 text-blue-700'
-    if (license.includes('BSD')) return 'bg-cyan-100 text-cyan-700'
-    if (license.includes('GPL') || license.includes('LGPL')) return 'bg-orange-100 text-orange-700'
-    return 'bg-gray-100 text-gray-600'
-  }
-
   const stats = {
     totalInfra: INFRASTRUCTURE_COMPONENTS.length,
     totalSecurityTools: SECURITY_TOOLS.length,
@@ -396,8 +107,6 @@ export default function SBOMPage() {
     totalCsharp: CSHARP_PACKAGES.length,
     totalAll: INFRASTRUCTURE_COMPONENTS.length + SECURITY_TOOLS.length + PYTHON_PACKAGES.length + GO_MODULES.length + NODE_PACKAGES.length + UNITY_PACKAGES.length + CSHARP_PACKAGES.length + (sbomData?.components?.length || 0),
     databases: INFRASTRUCTURE_COMPONENTS.filter(c => c.category === 'database').length,
-    services: INFRASTRUCTURE_COMPONENTS.filter(c => c.category === 'application').length,
-    communication: INFRASTRUCTURE_COMPONENTS.filter(c => c.category === 'communication').length,
     game: INFRASTRUCTURE_COMPONENTS.filter(c => c.category === 'game').length,
   }
 
@@ -416,112 +125,55 @@ export default function SBOMPage() {
 
   return (
     <div>
-      <PagePurpose
-        title="SBOM"
-        purpose="Software Bill of Materials - Alle Komponenten & Abhaengigkeiten der Breakpilot-Plattform. Wichtig fuer Supply-Chain-Security, Compliance-Audits und Lizenz-Pruefung."
-        audience={['DevOps', 'Compliance', 'Security', 'Auditoren']}
-        gdprArticles={['Art. 32 (Sicherheit der Verarbeitung)']}
-        architecture={{
-          services: ['Syft (SBOM Generator)', 'Trivy (CVE Scanner)'],
-          databases: ['CycloneDX JSON'],
-        }}
-        relatedPages={[
-          { name: 'Security', href: '/infrastructure/security', description: 'DevSecOps Dashboard' },
-          { name: 'Controls', href: '/sdk/controls', description: 'Security Controls' },
-        ]}
-        collapsible={true}
-        defaultCollapsed={true}
-      />
+      <PagePurpose title="SBOM" purpose="Software Bill of Materials - Alle Komponenten & Abhaengigkeiten der Breakpilot-Plattform." audience={['DevOps', 'Compliance', 'Security', 'Auditoren']} gdprArticles={['Art. 32 (Sicherheit der Verarbeitung)']}
+        architecture={{ services: ['Syft (SBOM Generator)', 'Trivy (CVE Scanner)'], databases: ['CycloneDX JSON'] }}
+        relatedPages={[{ name: 'Security', href: '/infrastructure/security', description: 'DevSecOps Dashboard' }, { name: 'Controls', href: '/sdk/controls', description: 'Security Controls' }]}
+        collapsible={true} defaultCollapsed={true} />
 
-      {/* DevOps Pipeline Sidebar */}
       <DevOpsPipelineSidebarResponsive currentTool="sbom" />
 
-      {/* Wizard Link */}
       <div className="mb-6 flex justify-end">
-        <Link
-          href="/infrastructure/sbom/wizard"
-          className="flex items-center gap-2 px-4 py-2 rounded-lg font-medium bg-purple-100 text-purple-700 border border-purple-200 hover:bg-purple-200 transition-colors"
-        >
-          <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.663 17h4.673M12 3v1m6.364 1.636l-.707.707M21 12h-1M4 12H3m3.343-5.657l-.707-.707m2.828 9.9a5 5 0 117.072 0l-.548.547A3.374 3.374 0 0014 18.469V19a2 2 0 11-4 0v-.531c0-.895-.356-1.754-.988-2.386l-.548-.547z" />
-          </svg>
+        <Link href="/infrastructure/sbom/wizard" className="flex items-center gap-2 px-4 py-2 rounded-lg font-medium bg-purple-100 text-purple-700 border border-purple-200 hover:bg-purple-200 transition-colors">
+          <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.663 17h4.673M12 3v1m6.364 1.636l-.707.707M21 12h-1M4 12H3m3.343-5.657l-.707-.707m2.828 9.9a5 5 0 117.072 0l-.548.547A3.374 3.374 0 0014 18.469V19a2 2 0 11-4 0v-.531c0-.895-.356-1.754-.988-2.386l-.548-.547z" /></svg>
           Lern-Wizard
         </Link>
       </div>
 
       {/* Stats Cards */}
       <div className="grid grid-cols-2 md:grid-cols-5 lg:grid-cols-10 gap-4 mb-6">
-        <div className="bg-white rounded-lg shadow p-4">
-          <div className="text-3xl font-bold text-slate-800">{stats.totalAll}</div>
-          <div className="text-sm text-slate-500">Komponenten Total</div>
-        </div>
-        <div className="bg-white rounded-lg shadow p-4">
-          <div className="text-3xl font-bold text-purple-600">{stats.totalInfra}</div>
-          <div className="text-sm text-slate-500">Docker Services</div>
-        </div>
-        <div className="bg-white rounded-lg shadow p-4">
-          <div className="text-3xl font-bold text-red-600">{stats.totalSecurityTools}</div>
-          <div className="text-sm text-slate-500">Security Tools</div>
-        </div>
-        <div className="bg-white rounded-lg shadow p-4">
-          <div className="text-3xl font-bold text-emerald-600">{stats.totalPython}</div>
-          <div className="text-sm text-slate-500">Python</div>
-        </div>
-        <div className="bg-white rounded-lg shadow p-4">
-          <div className="text-3xl font-bold text-sky-600">{stats.totalGo}</div>
-          <div className="text-sm text-slate-500">Go</div>
-        </div>
-        <div className="bg-white rounded-lg shadow p-4">
-          <div className="text-3xl font-bold text-lime-600">{stats.totalNode}</div>
-          <div className="text-sm text-slate-500">Node.js</div>
-        </div>
-        <div className="bg-white rounded-lg shadow p-4">
-          <div className="text-3xl font-bold text-amber-600">{stats.totalUnity}</div>
-          <div className="text-sm text-slate-500">Unity</div>
-        </div>
-        <div className="bg-white rounded-lg shadow p-4">
-          <div className="text-3xl font-bold text-fuchsia-600">{stats.totalCsharp}</div>
-          <div className="text-sm text-slate-500">C#</div>
-        </div>
-        <div className="bg-white rounded-lg shadow p-4">
-          <div className="text-3xl font-bold text-blue-600">{stats.databases}</div>
-          <div className="text-sm text-slate-500">Datenbanken</div>
-        </div>
-        <div className="bg-white rounded-lg shadow p-4">
-          <div className="text-3xl font-bold text-rose-600">{stats.game}</div>
-          <div className="text-sm text-slate-500">Game</div>
-        </div>
+        {[
+          { value: stats.totalAll, label: 'Komponenten Total', color: 'text-slate-800' },
+          { value: stats.totalInfra, label: 'Docker Services', color: 'text-purple-600' },
+          { value: stats.totalSecurityTools, label: 'Security Tools', color: 'text-red-600' },
+          { value: stats.totalPython, label: 'Python', color: 'text-emerald-600' },
+          { value: stats.totalGo, label: 'Go', color: 'text-sky-600' },
+          { value: stats.totalNode, label: 'Node.js', color: 'text-lime-600' },
+          { value: stats.totalUnity, label: 'Unity', color: 'text-amber-600' },
+          { value: stats.totalCsharp, label: 'C#', color: 'text-fuchsia-600' },
+          { value: stats.databases, label: 'Datenbanken', color: 'text-blue-600' },
+          { value: stats.game, label: 'Game', color: 'text-rose-600' },
+        ].map((s) => (
+          <div key={s.label} className="bg-white rounded-lg shadow p-4">
+            <div className={`text-3xl font-bold ${s.color}`}>{s.value}</div>
+            <div className="text-sm text-slate-500">{s.label}</div>
+          </div>
+        ))}
       </div>
 
       {/* Filters */}
       <div className="bg-white rounded-lg shadow p-4 mb-6">
         <div className="flex flex-col md:flex-row gap-4 items-center justify-between">
-          {/* Category Tabs */}
           <div className="flex flex-wrap gap-2">
             {categories.map((cat) => (
-              <button
-                key={cat.id}
-                onClick={() => setActiveCategory(cat.id as CategoryType)}
-                className={`px-4 py-2 rounded-lg text-sm font-medium transition-colors ${
-                  activeCategory === cat.id
-                    ? 'bg-orange-600 text-white'
-                    : 'bg-gray-100 text-gray-700 hover:bg-gray-200'
-                }`}
-              >
+              <button key={cat.id} onClick={() => setActiveCategory(cat.id as CategoryType)}
+                className={`px-4 py-2 rounded-lg text-sm font-medium transition-colors ${activeCategory === cat.id ? 'bg-orange-600 text-white' : 'bg-gray-100 text-gray-700 hover:bg-gray-200'}`}>
                 {cat.name} ({cat.count})
               </button>
             ))}
           </div>
-
-          {/* Search */}
           <div className="relative w-full md:w-64">
-            <input
-              type="text"
-              placeholder="Suchen..."
-              value={searchTerm}
-              onChange={(e) => setSearchTerm(e.target.value)}
-              className="w-full pl-10 pr-4 py-2 border border-gray-200 rounded-lg focus:ring-2 focus:ring-orange-500 focus:border-transparent"
-            />
+            <input type="text" placeholder="Suchen..." value={searchTerm} onChange={(e) => setSearchTerm(e.target.value)}
+              className="w-full pl-10 pr-4 py-2 border border-gray-200 rounded-lg focus:ring-2 focus:ring-orange-500 focus:border-transparent" />
             <svg className="absolute left-3 top-2.5 w-5 h-5 text-gray-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
               <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z" />
             </svg>
@@ -533,22 +185,9 @@ export default function SBOMPage() {
       {sbomData?.metadata && (
         <div className="bg-slate-50 rounded-lg p-4 mb-6 text-sm">
           <div className="flex flex-wrap gap-6">
-            <div>
-              <span className="text-slate-500">Format:</span>
-              <span className="ml-2 font-medium">{sbomData.bomFormat} {sbomData.specVersion}</span>
-            </div>
-            <div>
-              <span className="text-slate-500">Generiert:</span>
-              <span className="ml-2 font-medium">
-                {sbomData.metadata.timestamp ? new Date(sbomData.metadata.timestamp).toLocaleString('de-DE') : '-'}
-              </span>
-            </div>
-            <div>
-              <span className="text-slate-500">Anwendung:</span>
-              <span className="ml-2 font-medium">
-                {sbomData.metadata.component?.name} v{sbomData.metadata.component?.version}
-              </span>
-            </div>
+            <div><span className="text-slate-500">Format:</span><span className="ml-2 font-medium">{sbomData.bomFormat} {sbomData.specVersion}</span></div>
+            <div><span className="text-slate-500">Generiert:</span><span className="ml-2 font-medium">{sbomData.metadata.timestamp ? new Date(sbomData.metadata.timestamp).toLocaleString('de-DE') : '-'}</span></div>
+            <div><span className="text-slate-500">Anwendung:</span><span className="ml-2 font-medium">{sbomData.metadata.component?.name} v{sbomData.metadata.component?.version}</span></div>
           </div>
         </div>
       )}
@@ -575,96 +214,38 @@ export default function SBOMPage() {
             </thead>
             <tbody className="bg-white divide-y divide-gray-200">
               {filteredComponents.map((component, idx) => {
-                // Get license from either the new license field or the old licenses array
                 const licenseId = component.license || component.licenses?.[0]?.license?.id
-
                 return (
                   <tr key={idx} className="hover:bg-gray-50">
-                    <td className="px-4 py-4">
-                      <div className="text-sm font-medium text-gray-900">{component.name}</div>
-                    </td>
-                    <td className="px-4 py-4 whitespace-nowrap">
-                      <span className="text-sm font-mono text-gray-900">{component.version}</span>
-                    </td>
-                    <td className="px-4 py-4 whitespace-nowrap">
-                      <span className={`px-2 py-1 text-xs font-medium rounded ${getCategoryColor(component.category)}`}>
-                        {component.category || component.type}
-                      </span>
-                    </td>
-                    <td className="px-4 py-4">
-                      {component.description ? (
-                        <div className="text-sm text-gray-600 leading-relaxed">{component.description}</div>
-                      ) : (
-                        <span className="text-sm text-gray-400 italic">Keine Beschreibung</span>
-                      )}
-                    </td>
-                    <td className="px-4 py-4 whitespace-nowrap">
-                      {component.port ? (
-                        <span className="text-sm font-mono text-gray-600">{component.port}</span>
-                      ) : (
-                        <span className="text-sm text-gray-400">-</span>
-                      )}
-                    </td>
-                    <td className="px-4 py-4 whitespace-nowrap">
-                      {licenseId ? (
-                        <span className={`px-2 py-1 text-xs font-medium rounded ${getLicenseColor(licenseId)}`}>
-                          {licenseId}
-                        </span>
-                      ) : (
-                        <span className="text-sm text-gray-400">-</span>
-                      )}
-                    </td>
-                    <td className="px-4 py-4 whitespace-nowrap">
-                      {component.sourceUrl && component.sourceUrl !== '-' ? (
-                        <a
-                          href={component.sourceUrl}
-                          target="_blank"
-                          rel="noopener noreferrer"
-                          className="text-orange-600 hover:text-orange-800 text-sm flex items-center gap-1"
-                        >
-                          <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" />
-                          </svg>
-                          GitHub
-                        </a>
-                      ) : (
-                        <span className="text-sm text-gray-400">-</span>
-                      )}
-                    </td>
+                    <td className="px-4 py-4"><div className="text-sm font-medium text-gray-900">{component.name}</div></td>
+                    <td className="px-4 py-4 whitespace-nowrap"><span className="text-sm font-mono text-gray-900">{component.version}</span></td>
+                    <td className="px-4 py-4 whitespace-nowrap"><span className={`px-2 py-1 text-xs font-medium rounded ${getCategoryColor(component.category)}`}>{component.category || component.type}</span></td>
+                    <td className="px-4 py-4">{component.description ? <div className="text-sm text-gray-600 leading-relaxed">{component.description}</div> : <span className="text-sm text-gray-400 italic">Keine Beschreibung</span>}</td>
+                    <td className="px-4 py-4 whitespace-nowrap">{component.port ? <span className="text-sm font-mono text-gray-600">{component.port}</span> : <span className="text-sm text-gray-400">-</span>}</td>
+                    <td className="px-4 py-4 whitespace-nowrap">{licenseId ? <span className={`px-2 py-1 text-xs font-medium rounded ${getLicenseColor(licenseId)}`}>{licenseId}</span> : <span className="text-sm text-gray-400">-</span>}</td>
+                    <td className="px-4 py-4 whitespace-nowrap">{component.sourceUrl && component.sourceUrl !== '-' ? (
+                      <a href={component.sourceUrl} target="_blank" rel="noopener noreferrer" className="text-orange-600 hover:text-orange-800 text-sm flex items-center gap-1">
+                        <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /></svg>GitHub
+                      </a>
+                    ) : <span className="text-sm text-gray-400">-</span>}</td>
                   </tr>
                 )
               })}
             </tbody>
           </table>
-
-          {filteredComponents.length === 0 && (
-            <div className="p-8 text-center text-gray-500">
-              Keine Komponenten gefunden.
-            </div>
-          )}
+          {filteredComponents.length === 0 && <div className="p-8 text-center text-gray-500">Keine Komponenten gefunden.</div>}
         </div>
       )}
 
       {/* Export Button */}
       <div className="mt-6 flex justify-end">
-        <button
-          onClick={() => {
-            const data = JSON.stringify({
-              ...sbomData,
-              infrastructure: INFRASTRUCTURE_COMPONENTS
-            }, null, 2)
-            const blob = new Blob([data], { type: 'application/json' })
-            const url = URL.createObjectURL(blob)
-            const a = document.createElement('a')
-            a.href = url
-            a.download = `breakpilot-sbom-${new Date().toISOString().split('T')[0]}.json`
-            a.click()
-          }}
-          className="px-4 py-2 bg-orange-600 text-white rounded-lg hover:bg-orange-700 transition-colors flex items-center gap-2"
-        >
-          <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M4 16v1a3 3 0 003 3h10a3 3 0 003-3v-1m-4-4l-4 4m0 0l-4-4m4 4V4" />
-          </svg>
+        <button onClick={() => {
+          const data = JSON.stringify({ ...sbomData, infrastructure: INFRASTRUCTURE_COMPONENTS }, null, 2)
+          const blob = new Blob([data], { type: 'application/json' })
+          const url = URL.createObjectURL(blob)
+          const a = document.createElement('a'); a.href = url; a.download = `breakpilot-sbom-${new Date().toISOString().split('T')[0]}.json`; a.click()
+        }} className="px-4 py-2 bg-orange-600 text-white rounded-lg hover:bg-orange-700 transition-colors flex items-center gap-2">
+          <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M4 16v1a3 3 0 003 3h10a3 3 0 003-3v-1m-4-4l-4 4m0 0l-4-4m4 4V4" /></svg>
           SBOM exportieren (JSON)
         </button>
       </div>
@@ -672,237 +253,85 @@ export default function SBOMPage() {
       {/* Info Tabs Section */}
       <div className="mt-8">
         <div className="bg-white rounded-lg shadow">
-          {/* Tab Headers */}
           <div className="border-b border-gray-200">
             <nav className="flex -mb-px">
-              <button
-                onClick={() => setActiveInfoTab('audit')}
-                className={`px-6 py-4 text-sm font-medium border-b-2 transition-colors ${
-                  activeInfoTab === 'audit'
-                    ? 'border-orange-500 text-orange-600'
-                    : 'border-transparent text-gray-500 hover:text-gray-700 hover:border-gray-300'
-                }`}
-              >
-                <span className="flex items-center gap-2">
-                  <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
-                  </svg>
-                  Audit
-                </span>
-              </button>
-              <button
-                onClick={() => setActiveInfoTab('documentation')}
-                className={`px-6 py-4 text-sm font-medium border-b-2 transition-colors ${
-                  activeInfoTab === 'documentation'
-                    ? 'border-orange-500 text-orange-600'
-                    : 'border-transparent text-gray-500 hover:text-gray-700 hover:border-gray-300'
-                }`}
-              >
-                <span className="flex items-center gap-2">
-                  <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
-                  </svg>
-                  Dokumentation
-                </span>
-              </button>
+              {[{ id: 'audit' as const, label: 'Audit', icon: 'M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z' }, { id: 'documentation' as const, label: 'Dokumentation', icon: 'M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z' }].map((tab) => (
+                <button key={tab.id} onClick={() => setActiveInfoTab(tab.id)}
+                  className={`px-6 py-4 text-sm font-medium border-b-2 transition-colors ${activeInfoTab === tab.id ? 'border-orange-500 text-orange-600' : 'border-transparent text-gray-500 hover:text-gray-700 hover:border-gray-300'}`}>
+                  <span className="flex items-center gap-2">
+                    <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d={tab.icon} /></svg>
+                    {tab.label}
+                  </span>
+                </button>
+              ))}
             </nav>
           </div>
-
-          {/* Tab Content */}
           <div className="p-6">
-            {/* Audit Tab */}
             {activeInfoTab === 'audit' && (
               <div className="grid grid-cols-1 md:grid-cols-2 gap-6">
-                {/* SBOM Status */}
                 <div className="bg-slate-50 rounded-lg p-4">
-                  <h3 className="text-lg font-semibold text-slate-800 mb-4 flex items-center gap-2">
-                    <svg className="w-5 h-5 text-blue-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                      <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2" />
-                    </svg>
-                    SBOM Status
-                  </h3>
+                  <h3 className="text-lg font-semibold text-slate-800 mb-4">SBOM Status</h3>
                   <div className="space-y-3">
-                    <div className="flex items-center justify-between">
-                      <span className="text-sm text-slate-600">Letzte Generierung</span>
-                      <span className="flex items-center gap-2">
-                        <span className="w-2 h-2 rounded-full bg-green-500"></span>
-                        <span className="text-sm font-medium">CI/CD</span>
-                      </span>
-                    </div>
-                    <div className="flex items-center justify-between">
-                      <span className="text-sm text-slate-600">Format</span>
-                      <span className="flex items-center gap-2">
-                        <span className="w-2 h-2 rounded-full bg-green-500"></span>
-                        <span className="text-sm font-medium">CycloneDX 1.5</span>
-                      </span>
-                    </div>
-                    <div className="flex items-center justify-between">
-                      <span className="text-sm text-slate-600">Komponenten</span>
-                      <span className="flex items-center gap-2">
-                        <span className="w-2 h-2 rounded-full bg-green-500"></span>
-                        <span className="text-sm font-medium">Alle erfasst</span>
-                      </span>
-                    </div>
-                    <div className="flex items-center justify-between">
-                      <span className="text-sm text-slate-600">Transitive Deps</span>
-                      <span className="flex items-center gap-2">
-                        <span className="w-2 h-2 rounded-full bg-green-500"></span>
-                        <span className="text-sm font-medium">Inkludiert</span>
-                      </span>
-                    </div>
+                    {['Letzte Generierung', 'Format', 'Komponenten', 'Transitive Deps'].map((label) => (
+                      <div key={label} className="flex items-center justify-between">
+                        <span className="text-sm text-slate-600">{label}</span>
+                        <span className="flex items-center gap-2"><span className="w-2 h-2 rounded-full bg-green-500"></span><span className="text-sm font-medium">{label === 'Letzte Generierung' ? 'CI/CD' : label === 'Format' ? 'CycloneDX 1.5' : label === 'Komponenten' ? 'Alle erfasst' : 'Inkludiert'}</span></span>
+                      </div>
+                    ))}
                   </div>
                 </div>
-
-                {/* License Compliance */}
                 <div className="bg-slate-50 rounded-lg p-4">
-                  <h3 className="text-lg font-semibold text-slate-800 mb-4 flex items-center gap-2">
-                    <svg className="w-5 h-5 text-purple-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                      <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M3 6l3 1m0 0l-3 9a5.002 5.002 0 006.001 0M6 7l3 9M6 7l6-2m6 2l3-1m-3 1l-3 9a5.002 5.002 0 006.001 0M18 7l3 9m-3-9l-6-2m0-2v2m0 16V5m0 16H9m3 0h3" />
-                    </svg>
-                    License Compliance
-                  </h3>
+                  <h3 className="text-lg font-semibold text-slate-800 mb-4">License Compliance</h3>
                   <div className="space-y-3">
-                    <div className="flex items-center justify-between">
-                      <span className="text-sm text-slate-600">Erlaubte Lizenzen</span>
-                      <span className="flex items-center gap-2">
-                        <span className="w-2 h-2 rounded-full bg-green-500"></span>
-                        <span className="text-sm font-medium">MIT, Apache, BSD</span>
-                      </span>
-                    </div>
-                    <div className="flex items-center justify-between">
-                      <span className="text-sm text-slate-600">Copyleft (GPL)</span>
-                      <span className="flex items-center gap-2">
-                        <span className="w-2 h-2 rounded-full bg-green-500"></span>
-                        <span className="text-sm font-medium">0</span>
-                      </span>
-                    </div>
-                    <div className="flex items-center justify-between">
-                      <span className="text-sm text-slate-600">Unbekannte Lizenzen</span>
-                      <span className="flex items-center gap-2">
-                        <span className="w-2 h-2 rounded-full bg-green-500"></span>
-                        <span className="text-sm font-medium">0</span>
-                      </span>
-                    </div>
-                    <div className="flex items-center justify-between">
-                      <span className="text-sm text-slate-600">Kommerzielle</span>
-                      <span className="flex items-center gap-2">
-                        <span className="w-2 h-2 rounded-full bg-yellow-500"></span>
-                        <span className="text-sm font-medium">Review erforderlich</span>
-                      </span>
-                    </div>
+                    {[{ label: 'Erlaubte Lizenzen', value: 'MIT, Apache, BSD', ok: true }, { label: 'Copyleft (GPL)', value: '0', ok: true }, { label: 'Unbekannte Lizenzen', value: '0', ok: true }, { label: 'Kommerzielle', value: 'Review erforderlich', ok: false }].map((item) => (
+                      <div key={item.label} className="flex items-center justify-between">
+                        <span className="text-sm text-slate-600">{item.label}</span>
+                        <span className="flex items-center gap-2"><span className={`w-2 h-2 rounded-full ${item.ok ? 'bg-green-500' : 'bg-yellow-500'}`}></span><span className="text-sm font-medium">{item.value}</span></span>
+                      </div>
+                    ))}
                   </div>
                 </div>
               </div>
             )}
-
-            {/* Documentation Tab */}
             {activeInfoTab === 'documentation' && (
               <div>
                 <div className="flex justify-between items-center mb-4">
                   <h3 className="text-lg font-semibold text-slate-800">SBOM Dokumentation</h3>
-                  <button
-                    onClick={() => setShowFullDocs(!showFullDocs)}
-                    className="px-4 py-2 bg-slate-100 text-slate-700 rounded-lg hover:bg-slate-200 transition-colors flex items-center gap-2"
-                  >
-                    <svg className={`w-4 h-4 transition-transform ${showFullDocs ? 'rotate-180' : ''}`} fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                      <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 9l-7 7-7-7" />
-                    </svg>
+                  <button onClick={() => setShowFullDocs(!showFullDocs)} className="px-4 py-2 bg-slate-100 text-slate-700 rounded-lg hover:bg-slate-200 transition-colors flex items-center gap-2">
+                    <svg className={`w-4 h-4 transition-transform ${showFullDocs ? 'rotate-180' : ''}`} fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 9l-7 7-7-7" /></svg>
                     {showFullDocs ? 'Weniger anzeigen' : 'Vollstaendige Dokumentation'}
                   </button>
                 </div>
-
-                {!showFullDocs ? (
-                  <div className="prose prose-slate max-w-none">
-                    <p className="text-slate-600">
-                      Das SBOM-Modul generiert und analysiert die vollstaendige Komponentenliste aller Software-Abhaengigkeiten.
-                      Es dient der Compliance, Sicherheit und Supply-Chain-Transparenz.
-                    </p>
-                    <div className="grid grid-cols-1 md:grid-cols-3 gap-4 mt-4">
-                      <div className="bg-blue-50 p-4 rounded-lg">
-                        <h4 className="font-medium text-blue-800 mb-2">Generator</h4>
-                        <p className="text-sm text-blue-600">Syft (Primary), Trivy (Validation)</p>
-                      </div>
-                      <div className="bg-purple-50 p-4 rounded-lg">
-                        <h4 className="font-medium text-purple-800 mb-2">Format</h4>
-                        <p className="text-sm text-purple-600">CycloneDX 1.5, SPDX</p>
-                      </div>
-                      <div className="bg-green-50 p-4 rounded-lg">
-                        <h4 className="font-medium text-green-800 mb-2">Retention</h4>
-                        <p className="text-sm text-green-600">5 Jahre (Compliance)</p>
-                      </div>
-                    </div>
+                <div className="prose prose-slate max-w-none">
+                  <p className="text-slate-600">Das SBOM-Modul generiert und analysiert die vollstaendige Komponentenliste aller Software-Abhaengigkeiten.</p>
+                  <div className="grid grid-cols-1 md:grid-cols-3 gap-4 mt-4">
+                    <div className="bg-blue-50 p-4 rounded-lg"><h4 className="font-medium text-blue-800 mb-2">Generator</h4><p className="text-sm text-blue-600">Syft (Primary), Trivy (Validation)</p></div>
+                    <div className="bg-purple-50 p-4 rounded-lg"><h4 className="font-medium text-purple-800 mb-2">Format</h4><p className="text-sm text-purple-600">CycloneDX 1.5, SPDX</p></div>
+                    <div className="bg-green-50 p-4 rounded-lg"><h4 className="font-medium text-green-800 mb-2">Retention</h4><p className="text-sm text-green-600">5 Jahre (Compliance)</p></div>
                   </div>
-                ) : (
-                  <div className="prose prose-slate max-w-none bg-slate-50 p-6 rounded-lg overflow-auto max-h-[600px]">
+                </div>
+                {showFullDocs && (
+                  <div className="mt-6 bg-slate-50 rounded-lg p-6 border border-slate-200 prose prose-slate max-w-none overflow-auto max-h-[600px]">
                     <h2>Software Bill of Materials (SBOM)</h2>
-
                     <h3>1. Uebersicht</h3>
-                    <p>Das SBOM-Modul generiert und analysiert die vollstaendige Komponentenliste aller Software-Abhaengigkeiten. Es dient der Compliance, Sicherheit und Supply-Chain-Transparenz.</p>
-
-                    <h3>2. SBOM-Generierung</h3>
-                    <pre className="bg-slate-800 text-slate-100 p-4 rounded-lg overflow-x-auto text-sm">
-{`Source Code
-     │
-     v
-┌───────────────────────────────────────────────────────────────┐
-│                     SBOM Generators                           │
-│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐   │
-│  │    Syft     │  │   Trivy     │  │  Native Tooling     │   │
-│  │  (Primary)  │  │ (Validation)│  │ (npm, go mod, pip)  │   │
-│  └──────┬──────┘  └──────┬──────┘  └──────────┬──────────┘   │
-└─────────┼────────────────┼────────────────────┼───────────────┘
-          │                │                    │
-          └────────────────┴────────────────────┘
-                           │
-                           v
-                  ┌────────────────┐
-                  │   CycloneDX    │
-                  │    Format      │
-                  └────────────────┘`}
-                    </pre>
-
-                    <h3>3. Erfasste Komponenten</h3>
-                    <table className="min-w-full">
-                      <thead>
-                        <tr>
-                          <th className="text-left">Typ</th>
-                          <th className="text-left">Quelle</th>
-                          <th className="text-left">Beispiele</th>
-                        </tr>
-                      </thead>
+                    <p>Das SBOM-Modul generiert und analysiert die vollstaendige Komponentenliste aller Software-Abhaengigkeiten.</p>
+                    <h3>2. Erfasste Komponenten</h3>
+                    <table className="min-w-full"><thead><tr><th className="text-left">Typ</th><th className="text-left">Quelle</th><th className="text-left">Beispiele</th></tr></thead>
                       <tbody>
                         <tr><td>npm packages</td><td>package-lock.json</td><td>react, next, tailwindcss</td></tr>
                         <tr><td>Go modules</td><td>go.sum</td><td>gin, gorm, jwt-go</td></tr>
                         <tr><td>Python packages</td><td>requirements.txt</td><td>fastapi, pydantic, httpx</td></tr>
                         <tr><td>Container Images</td><td>Dockerfile</td><td>node:20-alpine, postgres:16</td></tr>
-                        <tr><td>OS Packages</td><td>apk, apt</td><td>openssl, libpq</td></tr>
                       </tbody>
                     </table>
-
-                    <h3>4. License Compliance</h3>
-                    <table className="min-w-full">
-                      <thead>
-                        <tr>
-                          <th className="text-left">Kategorie</th>
-                          <th className="text-left">Lizenzen</th>
-                          <th className="text-left">Status</th>
-                        </tr>
-                      </thead>
+                    <h3>3. License Compliance</h3>
+                    <table className="min-w-full"><thead><tr><th className="text-left">Kategorie</th><th className="text-left">Lizenzen</th><th className="text-left">Status</th></tr></thead>
                       <tbody>
-                        <tr><td>Permissive (erlaubt)</td><td>MIT, Apache 2.0, BSD, ISC</td><td className="text-green-600">OK</td></tr>
+                        <tr><td>Permissive</td><td>MIT, Apache 2.0, BSD, ISC</td><td className="text-green-600">OK</td></tr>
                         <tr><td>Weak Copyleft</td><td>LGPL, MPL</td><td className="text-yellow-600">Review</td></tr>
                         <tr><td>Strong Copyleft</td><td>GPL, AGPL</td><td className="text-red-600">Nicht erlaubt</td></tr>
-                        <tr><td>Proprietaer</td><td>Commercial</td><td className="text-yellow-600">Genehmigung</td></tr>
                       </tbody>
                     </table>
-
-                    <h3>5. Aufbewahrung & Compliance</h3>
-                    <ul>
-                      <li><strong>Retention:</strong> 5 Jahre (Compliance)</li>
-                      <li><strong>Format:</strong> JSON + PDF Report</li>
-                      <li><strong>Signierung:</strong> Digital signiert</li>
-                      <li><strong>Audit:</strong> Jederzeit abrufbar</li>
-                    </ul>
                   </div>
                 )}
               </div>
diff --git a/admin-core/app/(admin)/infrastructure/sbom/types.ts b/admin-core/app/(admin)/infrastructure/sbom/types.ts
new file mode 100644
index 0000000..8afc1fa
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/sbom/types.ts
@@ -0,0 +1,31 @@
+/**
+ * Types for SBOM page
+ */
+
+export interface Component {
+  type: string
+  name: string
+  version: string
+  purl?: string
+  licenses?: { license: { id: string } }[]
+  category?: string
+  port?: string
+  description?: string
+  license?: string
+  sourceUrl?: string
+}
+
+export interface SBOMData {
+  bomFormat?: string
+  specVersion?: string
+  version?: number
+  metadata?: {
+    timestamp?: string
+    tools?: { vendor: string; name: string; version: string }[]
+    component?: { type: string; name: string; version: string }
+  }
+  components?: Component[]
+}
+
+export type CategoryType = 'all' | 'infrastructure' | 'security-tools' | 'python' | 'go' | 'nodejs' | 'unity' | 'csharp'
+export type InfoTabType = 'audit' | 'documentation'
diff --git a/admin-core/app/(admin)/infrastructure/security/_components/FindingsTab.tsx b/admin-core/app/(admin)/infrastructure/security/_components/FindingsTab.tsx
new file mode 100644
index 0000000..a2bd872
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/security/_components/FindingsTab.tsx
@@ -0,0 +1,102 @@
+'use client'
+
+import type { Finding } from '../types'
+
+export function FindingsTab({
+  findings,
+  severityFilter,
+  setSeverityFilter,
+  toolFilter,
+  setToolFilter,
+  getSeverityBadge,
+}: {
+  findings: Finding[]
+  severityFilter: string | null
+  setSeverityFilter: (v: string | null) => void
+  toolFilter: string | null
+  setToolFilter: (v: string | null) => void
+  getSeverityBadge: (severity: string) => string
+}) {
+  const filteredFindings = findings.filter(f => {
+    if (severityFilter && f.severity.toUpperCase() !== severityFilter.toUpperCase()) return false
+    if (toolFilter && f.tool.toLowerCase() !== toolFilter.toLowerCase()) return false
+    return true
+  })
+
+  return (
+    <div>
+      {/* Filters */}
+      <div className="flex gap-2 mb-4 flex-wrap">
+        <button
+          onClick={() => setSeverityFilter(null)}
+          className={`px-3 py-1 rounded-full text-sm ${!severityFilter ? 'bg-orange-600 text-white' : 'bg-slate-100 text-slate-600 hover:bg-slate-200'}`}
+        >
+          Alle
+        </button>
+        {['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'].map(sev => (
+          <button
+            key={sev}
+            onClick={() => setSeverityFilter(sev)}
+            className={`px-3 py-1 rounded-full text-sm ${severityFilter === sev ? 'bg-orange-600 text-white' : 'bg-slate-100 text-slate-600 hover:bg-slate-200'}`}
+          >
+            {sev}
+          </button>
+        ))}
+        <span className="mx-2 border-l border-slate-300" />
+        {['gitleaks', 'semgrep', 'bandit', 'trivy', 'grype'].map(t => (
+          <button
+            key={t}
+            onClick={() => setToolFilter(toolFilter === t ? null : t)}
+            className={`px-3 py-1 rounded-full text-sm capitalize ${toolFilter === t ? 'bg-orange-600 text-white' : 'bg-slate-100 text-slate-600 hover:bg-slate-200'}`}
+          >
+            {t}
+          </button>
+        ))}
+      </div>
+
+      {filteredFindings.length === 0 ? (
+        <div className="text-center py-8 text-slate-500">
+          Keine Findings mit diesem Filter gefunden.
+        </div>
+      ) : (
+        <div className="overflow-x-auto">
+          <table className="w-full">
+            <thead>
+              <tr className="border-b border-slate-200">
+                <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Severity</th>
+                <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Tool</th>
+                <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Finding</th>
+                <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Datei</th>
+                <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Zeile</th>
+                <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Gefunden</th>
+              </tr>
+            </thead>
+            <tbody>
+              {filteredFindings.map((finding, idx) => (
+                <tr key={`${finding.id}-${idx}`} className="border-b border-slate-100 hover:bg-slate-50">
+                  <td className="py-3 px-4">
+                    <span className={getSeverityBadge(finding.severity)}>{finding.severity}</span>
+                  </td>
+                  <td className="py-3 px-4 text-sm text-slate-600">{finding.tool}</td>
+                  <td className="py-3 px-4">
+                    <div className="text-sm text-slate-900">{finding.title}</div>
+                    {finding.message && (
+                      <div className="text-xs text-slate-500 mt-1">{finding.message}</div>
+                    )}
+                  </td>
+                  <td className="py-3 px-4 text-sm text-slate-500 font-mono max-w-xs truncate">
+                    {finding.file || '-'}
+                  </td>
+                  <td className="py-3 px-4 text-sm text-slate-500">{finding.line || '-'}</td>
+                  <td className="py-3 px-4 text-sm text-slate-500">
+                    {finding.found_at ? new Date(finding.found_at).toLocaleDateString('de-DE') : '-'}
+                  </td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+      )}
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/security/_components/HistoryTab.tsx b/admin-core/app/(admin)/infrastructure/security/_components/HistoryTab.tsx
new file mode 100644
index 0000000..3677c22
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/security/_components/HistoryTab.tsx
@@ -0,0 +1,44 @@
+'use client'
+
+import type { HistoryItem } from '../types'
+
+export function HistoryTab({ history }: { history: HistoryItem[] }) {
+  const getHistoryStatusColor = (status: string) => {
+    switch (status) {
+      case 'success': return 'bg-green-500'
+      case 'warning': return 'bg-yellow-500'
+      case 'error': return 'bg-red-500'
+      default: return 'bg-slate-400'
+    }
+  }
+
+  if (history.length === 0) {
+    return (
+      <div className="text-center py-8 text-slate-500">
+        Keine Scan-Historie vorhanden.
+      </div>
+    )
+  }
+
+  return (
+    <div className="space-y-4">
+      <div className="relative">
+        <div className="absolute left-4 top-0 bottom-0 w-0.5 bg-slate-200" />
+        {history.map((item, idx) => (
+          <div key={idx} className="relative pl-10 pb-6">
+            <div className={`absolute left-2.5 w-3 h-3 rounded-full ${getHistoryStatusColor(item.status)}`} />
+            <div className="bg-slate-50 rounded-lg p-4 border border-slate-200">
+              <div className="flex justify-between items-start mb-1">
+                <span className="font-semibold text-slate-900">{item.title}</span>
+                <span className="text-xs text-slate-500">
+                  {new Date(item.timestamp).toLocaleString('de-DE')}
+                </span>
+              </div>
+              <p className="text-sm text-slate-600">{item.description}</p>
+            </div>
+          </div>
+        ))}
+      </div>
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/security/_components/MonitoringTab.tsx b/admin-core/app/(admin)/infrastructure/security/_components/MonitoringTab.tsx
new file mode 100644
index 0000000..1f4b6da
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/security/_components/MonitoringTab.tsx
@@ -0,0 +1,172 @@
+'use client'
+
+import type { MonitoringMetric, ActiveAlert } from '../types'
+
+export function MonitoringTab({
+  monitoringMetrics,
+  activeAlerts,
+}: {
+  monitoringMetrics: MonitoringMetric[]
+  activeAlerts: ActiveAlert[]
+}) {
+  return (
+    <div className="space-y-6">
+      {/* Real-time Metrics */}
+      <div>
+        <h3 className="text-lg font-semibold text-slate-900 mb-4 flex items-center gap-2">
+          <svg className="w-5 h-5 text-green-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 19v-6a2 2 0 00-2-2H5a2 2 0 00-2 2v6a2 2 0 002 2h2a2 2 0 002-2zm0 0V9a2 2 0 012-2h2a2 2 0 012 2v10m-6 0a2 2 0 002 2h2a2 2 0 002-2m0 0V5a2 2 0 012-2h2a2 2 0 012 2v14a2 2 0 01-2 2h-2a2 2 0 01-2-2z" />
+          </svg>
+          Security Metriken
+        </h3>
+        <div className="grid grid-cols-2 md:grid-cols-3 lg:grid-cols-6 gap-4">
+          {monitoringMetrics.map((metric, idx) => (
+            <div
+              key={idx}
+              className={`rounded-lg p-4 border ${
+                metric.status === 'critical' ? 'bg-red-50 border-red-200' :
+                metric.status === 'warning' ? 'bg-yellow-50 border-yellow-200' :
+                'bg-green-50 border-green-200'
+              }`}
+            >
+              <div className="flex justify-between items-start mb-2">
+                <span className="text-xs text-slate-600">{metric.name}</span>
+                <span className={`text-xs ${
+                  metric.trend === 'up' ? 'text-red-600' :
+                  metric.trend === 'down' ? 'text-green-600' :
+                  'text-slate-500'
+                }`}>
+                  {metric.trend === 'up' ? '↑' : metric.trend === 'down' ? '↓' : '→'}
+                </span>
+              </div>
+              <div className={`text-2xl font-bold ${
+                metric.status === 'critical' ? 'text-red-700' :
+                metric.status === 'warning' ? 'text-yellow-700' :
+                'text-green-700'
+              }`}>
+                {metric.value}
+                <span className="text-sm font-normal ml-1">{metric.unit}</span>
+              </div>
+            </div>
+          ))}
+        </div>
+      </div>
+
+      {/* Active Alerts */}
+      <div>
+        <h3 className="text-lg font-semibold text-slate-900 mb-4 flex items-center gap-2">
+          <svg className="w-5 h-5 text-orange-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15 17h5l-1.405-1.405A2.032 2.032 0 0118 14.158V11a6.002 6.002 0 00-4-5.659V5a2 2 0 10-4 0v.341C7.67 6.165 6 8.388 6 11v3.159c0 .538-.214 1.055-.595 1.436L4 17h5m6 0v1a3 3 0 11-6 0v-1m6 0H9" />
+          </svg>
+          Aktive Alerts
+          {activeAlerts.filter(a => !a.acknowledged).length > 0 && (
+            <span className="ml-2 px-2 py-0.5 bg-red-500 text-white text-xs rounded-full">
+              {activeAlerts.filter(a => !a.acknowledged).length}
+            </span>
+          )}
+        </h3>
+        {activeAlerts.length === 0 ? (
+          <div className="text-center py-8 bg-green-50 rounded-lg border border-green-200">
+            <span className="text-4xl block mb-2">✓</span>
+            <span className="text-green-700">Keine aktiven Security-Alerts</span>
+          </div>
+        ) : (
+          <div className="space-y-2">
+            {activeAlerts.map((alert) => (
+              <div
+                key={alert.id}
+                className={`flex items-center justify-between p-4 rounded-lg border ${
+                  alert.severity === 'critical' ? 'bg-red-50 border-red-200' :
+                  alert.severity === 'high' ? 'bg-orange-50 border-orange-200' :
+                  alert.severity === 'medium' ? 'bg-yellow-50 border-yellow-200' :
+                  'bg-blue-50 border-blue-200'
+                }`}
+              >
+                <div className="flex items-center gap-4">
+                  <span className={`px-2 py-1 text-xs font-semibold rounded uppercase ${
+                    alert.severity === 'critical' ? 'bg-red-100 text-red-800' :
+                    alert.severity === 'high' ? 'bg-orange-100 text-orange-800' :
+                    alert.severity === 'medium' ? 'bg-yellow-100 text-yellow-800' :
+                    'bg-blue-100 text-blue-800'
+                  }`}>
+                    {alert.severity}
+                  </span>
+                  <div>
+                    <div className="font-medium text-slate-900">{alert.title}</div>
+                    <div className="text-xs text-slate-500">
+                      {alert.source} • {new Date(alert.timestamp).toLocaleString('de-DE')}
+                    </div>
+                  </div>
+                </div>
+                {!alert.acknowledged && (
+                  <button className="px-3 py-1 text-xs bg-white border border-slate-300 rounded hover:bg-slate-50">
+                    Bestaetigen
+                  </button>
+                )}
+              </div>
+            ))}
+          </div>
+        )}
+      </div>
+
+      {/* Security Overview Cards */}
+      <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
+        <div className="bg-slate-50 rounded-lg p-4 border border-slate-200">
+          <h4 className="font-medium text-slate-900 mb-3 flex items-center gap-2">
+            <svg className="w-4 h-4 text-blue-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z" />
+            </svg>
+            Authentifizierung
+          </h4>
+          <div className="space-y-2 text-sm">
+            <div className="flex justify-between"><span className="text-slate-600">Aktive Sessions</span><span className="font-medium">24</span></div>
+            <div className="flex justify-between"><span className="text-slate-600">Fehlgeschlagene Logins (24h)</span><span className="font-medium text-green-600">0</span></div>
+            <div className="flex justify-between"><span className="text-slate-600">2FA-Quote</span><span className="font-medium text-green-600">100%</span></div>
+          </div>
+        </div>
+        <div className="bg-slate-50 rounded-lg p-4 border border-slate-200">
+          <h4 className="font-medium text-slate-900 mb-3 flex items-center gap-2">
+            <svg className="w-4 h-4 text-purple-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
+            </svg>
+            SSL/TLS
+          </h4>
+          <div className="space-y-2 text-sm">
+            <div className="flex justify-between"><span className="text-slate-600">Zertifikate</span><span className="font-medium">5 aktiv</span></div>
+            <div className="flex justify-between"><span className="text-slate-600">Naechster Ablauf</span><span className="font-medium text-green-600">45 Tage</span></div>
+            <div className="flex justify-between"><span className="text-slate-600">TLS Version</span><span className="font-medium">1.3</span></div>
+          </div>
+        </div>
+        <div className="bg-slate-50 rounded-lg p-4 border border-slate-200">
+          <h4 className="font-medium text-slate-900 mb-3 flex items-center gap-2">
+            <svg className="w-4 h-4 text-orange-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+            </svg>
+            Firewall
+          </h4>
+          <div className="space-y-2 text-sm">
+            <div className="flex justify-between"><span className="text-slate-600">Blockierte IPs (24h)</span><span className="font-medium">12</span></div>
+            <div className="flex justify-between"><span className="text-slate-600">Rate Limit Hits</span><span className="font-medium text-yellow-600">7</span></div>
+            <div className="flex justify-between"><span className="text-slate-600">WAF Status</span><span className="font-medium text-green-600">Aktiv</span></div>
+          </div>
+        </div>
+      </div>
+
+      {/* Link to CI/CD */}
+      <div className="bg-blue-50 border border-blue-200 rounded-lg p-4 flex items-center justify-between">
+        <div className="flex items-center gap-3">
+          <svg className="w-5 h-5 text-blue-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M13 10V3L4 14h7v7l9-11h-7z" />
+          </svg>
+          <div>
+            <div className="font-medium text-blue-900">Pipeline Security</div>
+            <div className="text-sm text-blue-700">Security-Scans in CI/CD Pipelines und Container-Status</div>
+          </div>
+        </div>
+        <a href="/infrastructure/ci-cd" className="px-4 py-2 bg-blue-600 text-white rounded-lg text-sm font-medium hover:bg-blue-700 transition-colors">
+          CI/CD Dashboard →
+        </a>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/security/_components/SecurityDocsSection.tsx b/admin-core/app/(admin)/infrastructure/security/_components/SecurityDocsSection.tsx
new file mode 100644
index 0000000..a26f866
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/security/_components/SecurityDocsSection.tsx
@@ -0,0 +1,109 @@
+'use client'
+
+import { useState } from 'react'
+
+export function SecurityDocsSection() {
+  const [showFullDocs, setShowFullDocs] = useState(false)
+
+  return (
+    <div className="bg-white rounded-xl border border-slate-200 overflow-hidden">
+      <div className="p-6">
+        <div className="flex justify-between items-center mb-4">
+          <h3 className="text-lg font-semibold text-slate-900 flex items-center gap-2">
+            <svg className="w-5 h-5 text-slate-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
+            </svg>
+            Security Dokumentation
+          </h3>
+          <button
+            onClick={() => setShowFullDocs(!showFullDocs)}
+            className="px-4 py-2 bg-slate-100 text-slate-700 rounded-lg hover:bg-slate-200 transition-colors flex items-center gap-2 text-sm font-medium"
+          >
+            <svg className={`w-4 h-4 transition-transform ${showFullDocs ? 'rotate-180' : ''}`} fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 9l-7 7-7-7" />
+            </svg>
+            {showFullDocs ? 'Weniger anzeigen' : 'Vollstaendige Dokumentation'}
+          </button>
+        </div>
+
+        {/* Short Description */}
+        <div className="prose prose-slate max-w-none">
+          <p className="text-slate-600">
+            Das Security Dashboard bietet einen zentralen Ueberblick ueber alle DevSecOps-Aktivitaeten.
+            Es integriert 6 Security-Tools fuer umfassende Code- und Infrastruktur-Sicherheit:
+            Secrets Detection, Static Analysis (SAST), Dependency Scanning und SBOM-Generierung.
+          </p>
+        </div>
+
+        {/* Tool Quick Reference */}
+        <div className="grid grid-cols-2 md:grid-cols-3 lg:grid-cols-6 gap-3 mt-4">
+          {[
+            { bg: 'bg-red-50', icon: '🔑', name: 'Gitleaks', label: 'Secrets', color: 'text-red-800', labelColor: 'text-red-600' },
+            { bg: 'bg-blue-50', icon: '🔍', name: 'Semgrep', label: 'SAST', color: 'text-blue-800', labelColor: 'text-blue-600' },
+            { bg: 'bg-yellow-50', icon: '🐍', name: 'Bandit', label: 'Python', color: 'text-yellow-800', labelColor: 'text-yellow-600' },
+            { bg: 'bg-purple-50', icon: '🔒', name: 'Trivy', label: 'Container', color: 'text-purple-800', labelColor: 'text-purple-600' },
+            { bg: 'bg-green-50', icon: '🐛', name: 'Grype', label: 'Dependencies', color: 'text-green-800', labelColor: 'text-green-600' },
+            { bg: 'bg-orange-50', icon: '📦', name: 'Syft', label: 'SBOM', color: 'text-orange-800', labelColor: 'text-orange-600' },
+          ].map((tool) => (
+            <div key={tool.name} className={`${tool.bg} p-3 rounded-lg text-center`}>
+              <span className="text-lg">{tool.icon}</span>
+              <p className={`text-xs font-medium ${tool.color} mt-1`}>{tool.name}</p>
+              <p className={`text-xs ${tool.labelColor}`}>{tool.label}</p>
+            </div>
+          ))}
+        </div>
+
+        {/* Full Documentation (Expandable) */}
+        {showFullDocs && (
+          <div className="mt-6 bg-slate-50 rounded-lg p-6 border border-slate-200">
+            <div className="prose prose-slate max-w-none prose-headings:text-slate-900 prose-p:text-slate-600 prose-li:text-slate-600">
+              <h3>1. Security Tools Uebersicht</h3>
+              <h4>🔑 Gitleaks - Secrets Detection</h4>
+              <p>Durchsucht die gesamte Git-Historie nach versehentlich eingecheckten Secrets wie API-Keys, Passwoertern und Tokens.</p>
+              <ul>
+                <li><strong>Scan-Bereich:</strong> Git-Historie, Commits, Branches</li>
+                <li><strong>Erkannte Secrets:</strong> AWS Keys, GitHub Tokens, Private Keys, Passwoerter</li>
+                <li><strong>Ausgabe:</strong> JSON-Report mit Fundstelle, Commit-Hash, Autor</li>
+              </ul>
+              <h4>🔍 Semgrep - Static Application Security Testing</h4>
+              <p>Fuehrt regelbasierte statische Code-Analyse durch, um Sicherheitsluecken und Anti-Patterns zu finden.</p>
+              <ul>
+                <li><strong>Unterstuetzte Sprachen:</strong> Python, JavaScript, TypeScript, Go, Java</li>
+                <li><strong>Regelsets:</strong> OWASP Top 10, CWE, Security Best Practices</li>
+                <li><strong>Findings:</strong> SQL Injection, XSS, Path Traversal, Insecure Deserialization</li>
+              </ul>
+              <h3>2. Severity-Klassifizierung</h3>
+              <table className="min-w-full text-sm">
+                <thead><tr className="border-b"><th className="text-left py-2">Severity</th><th className="text-left py-2">CVSS Score</th><th className="text-left py-2">Reaktionszeit</th></tr></thead>
+                <tbody>
+                  <tr className="border-b"><td className="py-2"><span className="px-2 py-0.5 bg-red-100 text-red-800 rounded text-xs font-semibold">CRITICAL</span></td><td>9.0 - 10.0</td><td>Sofort (24h)</td></tr>
+                  <tr className="border-b"><td className="py-2"><span className="px-2 py-0.5 bg-orange-100 text-orange-800 rounded text-xs font-semibold">HIGH</span></td><td>7.0 - 8.9</td><td>1-3 Tage</td></tr>
+                  <tr className="border-b"><td className="py-2"><span className="px-2 py-0.5 bg-yellow-100 text-yellow-800 rounded text-xs font-semibold">MEDIUM</span></td><td>4.0 - 6.9</td><td>1-2 Wochen</td></tr>
+                  <tr className="border-b"><td className="py-2"><span className="px-2 py-0.5 bg-green-100 text-green-800 rounded text-xs font-semibold">LOW</span></td><td>0.1 - 3.9</td><td>Naechster Sprint</td></tr>
+                </tbody>
+              </table>
+              <h3>3. Scan-Workflow</h3>
+              <pre className="bg-slate-800 text-slate-100 p-4 rounded-lg overflow-x-auto text-sm">
+{`1. Secrets Detection (Gitleaks)
+2. Static Analysis (Semgrep + Bandit)
+3. Dependency Scan (Trivy + Grype)
+4. SBOM Generation (Syft)
+5. Report & Dashboard`}
+              </pre>
+              <h3>4. API-Endpunkte</h3>
+              <table className="min-w-full text-sm font-mono">
+                <thead><tr className="border-b"><th className="text-left py-2">Methode</th><th className="text-left py-2">Endpoint</th><th className="text-left py-2 font-sans">Beschreibung</th></tr></thead>
+                <tbody>
+                  <tr className="border-b"><td className="py-2"><span className="bg-blue-100 text-blue-700 px-1 rounded">GET</span></td><td>/api/v1/security/tools</td><td className="font-sans">Tool-Status abrufen</td></tr>
+                  <tr className="border-b"><td className="py-2"><span className="bg-blue-100 text-blue-700 px-1 rounded">GET</span></td><td>/api/v1/security/findings</td><td className="font-sans">Alle Findings abrufen</td></tr>
+                  <tr className="border-b"><td className="py-2"><span className="bg-green-100 text-green-700 px-1 rounded">POST</span></td><td>/api/v1/security/scan/all</td><td className="font-sans">Full Scan starten</td></tr>
+                  <tr><td className="py-2"><span className="bg-green-100 text-green-700 px-1 rounded">POST</span></td><td>/api/v1/security/scan/[tool]</td><td className="font-sans">Einzelnes Tool scannen</td></tr>
+                </tbody>
+              </table>
+            </div>
+          </div>
+        )}
+      </div>
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/security/_components/SecurityOverviewTab.tsx b/admin-core/app/(admin)/infrastructure/security/_components/SecurityOverviewTab.tsx
new file mode 100644
index 0000000..08bfc11
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/security/_components/SecurityOverviewTab.tsx
@@ -0,0 +1,122 @@
+'use client'
+
+import type { ToolStatus, Finding, ScanType } from '../types'
+
+export function SecurityOverviewTab({
+  tools,
+  findings,
+  scanning,
+  onRunScan,
+  onShowAllFindings,
+  toolDescriptions,
+  toolToScanType,
+  getSeverityBadge,
+  getStatusBadge,
+}: {
+  tools: ToolStatus[]
+  findings: Finding[]
+  scanning: string | null
+  onRunScan: (scanType: ScanType) => void
+  onShowAllFindings: () => void
+  toolDescriptions: Record<string, { icon: string; desc: string }>
+  toolToScanType: Record<string, ScanType>
+  getSeverityBadge: (severity: string) => string
+  getStatusBadge: (installed: boolean) => string
+}) {
+  return (
+    <div className="space-y-6">
+      {/* Tools Grid */}
+      <div>
+        <h3 className="text-lg font-semibold text-slate-900 mb-4">DevSecOps Tools</h3>
+        <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+          {tools.map(tool => {
+            const info = toolDescriptions[tool.name.toLowerCase()] || { icon: '🔧', desc: 'Security Tool' }
+            return (
+              <div key={tool.name} className="bg-slate-50 rounded-lg p-4 border border-slate-200">
+                <div className="flex justify-between items-start mb-2">
+                  <div className="flex items-center gap-2">
+                    <span className="text-xl">{info.icon}</span>
+                    <span className="font-semibold text-slate-900">{tool.name}</span>
+                  </div>
+                  <span className={getStatusBadge(tool.installed)}>
+                    {tool.installed ? 'Installiert' : 'Nicht installiert'}
+                  </span>
+                </div>
+                <p className="text-sm text-slate-600 mb-3">{info.desc}</p>
+                <div className="flex justify-between items-center text-xs text-slate-500">
+                  <span>{tool.version || '-'}</span>
+                  <span>Letzter Scan: {tool.last_run || 'Nie'}</span>
+                </div>
+                <button
+                  onClick={() => onRunScan(toolToScanType[tool.name.toLowerCase()] || 'all')}
+                  disabled={scanning !== null || !tool.installed}
+                  className={`mt-3 w-full px-3 py-1.5 text-sm border rounded transition-colors flex items-center justify-center gap-2 ${
+                    scanning === toolToScanType[tool.name.toLowerCase()]
+                      ? 'bg-orange-100 border-orange-300 text-orange-700'
+                      : 'bg-white border-slate-300 hover:bg-slate-50 disabled:opacity-50'
+                  }`}
+                >
+                  {scanning === toolToScanType[tool.name.toLowerCase()] ? (
+                    <>
+                      <div className="animate-spin rounded-full h-4 w-4 border-b-2 border-orange-600" />
+                      <span>Scan laeuft...</span>
+                    </>
+                  ) : (
+                    'Scan starten'
+                  )}
+                </button>
+              </div>
+            )
+          })}
+        </div>
+      </div>
+
+      {/* Recent Findings */}
+      <div>
+        <h3 className="text-lg font-semibold text-slate-900 mb-4">Aktuelle Findings</h3>
+        {findings.length === 0 ? (
+          <div className="text-center py-8 text-slate-500">
+            <span className="text-4xl block mb-2">🎉</span>
+            Keine Findings gefunden. Das ist gut!
+          </div>
+        ) : (
+          <div className="overflow-x-auto">
+            <table className="w-full">
+              <thead>
+                <tr className="border-b border-slate-200">
+                  <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Severity</th>
+                  <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Tool</th>
+                  <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Finding</th>
+                  <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Datei</th>
+                  <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Gefunden</th>
+                </tr>
+              </thead>
+              <tbody>
+                {findings.slice(0, 10).map((finding, idx) => (
+                  <tr key={`${finding.id}-${idx}`} className="border-b border-slate-100 hover:bg-slate-50">
+                    <td className="py-3 px-4">
+                      <span className={getSeverityBadge(finding.severity)}>{finding.severity}</span>
+                    </td>
+                    <td className="py-3 px-4 text-sm text-slate-600">{finding.tool}</td>
+                    <td className="py-3 px-4 text-sm text-slate-900">{finding.title}</td>
+                    <td className="py-3 px-4 text-sm text-slate-500 font-mono">{finding.file || '-'}</td>
+                    <td className="py-3 px-4 text-sm text-slate-500">
+                      {finding.found_at ? new Date(finding.found_at).toLocaleString('de-DE', {
+                        day: '2-digit', month: '2-digit', hour: '2-digit', minute: '2-digit'
+                      }) : '-'}
+                    </td>
+                  </tr>
+                ))}
+              </tbody>
+            </table>
+            {findings.length > 10 && (
+              <button onClick={onShowAllFindings} className="mt-4 text-sm text-orange-600 hover:text-orange-700">
+                Alle {findings.length} Findings anzeigen →
+              </button>
+            )}
+          </div>
+        )}
+      </div>
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/security/_components/ToolsTab.tsx b/admin-core/app/(admin)/infrastructure/security/_components/ToolsTab.tsx
new file mode 100644
index 0000000..fb2db4c
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/security/_components/ToolsTab.tsx
@@ -0,0 +1,83 @@
+'use client'
+
+import type { ToolStatus, ScanType } from '../types'
+
+export function ToolsTab({
+  tools,
+  scanning,
+  onRunScan,
+  toolDescriptions,
+  toolToScanType,
+  getStatusBadge,
+}: {
+  tools: ToolStatus[]
+  scanning: string | null
+  onRunScan: (scanType: ScanType) => void
+  toolDescriptions: Record<string, { icon: string; desc: string }>
+  toolToScanType: Record<string, ScanType>
+  getStatusBadge: (installed: boolean) => string
+}) {
+  return (
+    <div className="grid grid-cols-1 md:grid-cols-2 gap-6">
+      {tools.map(tool => {
+        const info = toolDescriptions[tool.name.toLowerCase()] || { icon: '🔧', desc: 'Security Tool' }
+        return (
+          <div key={tool.name} className="bg-white border border-slate-200 rounded-lg p-6">
+            <div className="flex justify-between items-start mb-4">
+              <div>
+                <div className="flex items-center gap-3 mb-1">
+                  <span className="text-2xl">{info.icon}</span>
+                  <h3 className="text-lg font-semibold text-slate-900">{tool.name}</h3>
+                </div>
+                <p className="text-sm text-slate-600">{info.desc}</p>
+              </div>
+              <span className={getStatusBadge(tool.installed)}>
+                {tool.installed ? 'Installiert' : 'Nicht installiert'}
+              </span>
+            </div>
+            <div className="space-y-2 text-sm">
+              <div className="flex justify-between">
+                <span className="text-slate-500">Version:</span>
+                <span className="font-mono">{tool.version || '-'}</span>
+              </div>
+              <div className="flex justify-between">
+                <span className="text-slate-500">Letzter Scan:</span>
+                <span>{tool.last_run || 'Nie'}</span>
+              </div>
+              <div className="flex justify-between">
+                <span className="text-slate-500">Findings:</span>
+                <span className="font-semibold">{tool.last_findings}</span>
+              </div>
+            </div>
+            <div className="flex gap-2 mt-4">
+              <button
+                onClick={() => onRunScan(toolToScanType[tool.name.toLowerCase()] || 'all')}
+                disabled={scanning !== null || !tool.installed}
+                className={`flex-1 px-4 py-2 rounded-lg text-sm font-medium transition-colors flex items-center justify-center gap-2 ${
+                  scanning === toolToScanType[tool.name.toLowerCase()]
+                    ? 'bg-orange-200 text-orange-800'
+                    : 'bg-orange-600 text-white hover:bg-orange-700 disabled:opacity-50'
+                }`}
+              >
+                {scanning === toolToScanType[tool.name.toLowerCase()] ? (
+                  <>
+                    <div className="animate-spin rounded-full h-4 w-4 border-b-2 border-orange-700" />
+                    <span>Scan laeuft...</span>
+                  </>
+                ) : (
+                  'Scan starten'
+                )}
+              </button>
+              <button
+                onClick={() => window.open(`/api/v1/security/reports/${tool.name.toLowerCase()}`, '_blank')}
+                className="px-4 py-2 border border-slate-300 text-slate-700 rounded-lg text-sm font-medium hover:bg-slate-50 transition-colors"
+              >
+                Report
+              </button>
+            </div>
+          </div>
+        )
+      })}
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/security/page.tsx b/admin-core/app/(admin)/infrastructure/security/page.tsx
index 26e38e2..6097ce2 100644
--- a/admin-core/app/(admin)/infrastructure/security/page.tsx
+++ b/admin-core/app/(admin)/infrastructure/security/page.tsx
@@ -4,65 +4,45 @@
  * Security Dashboard - DevSecOps
  *
  * Security scan results, vulnerability tracking, and compliance status
- * Migrated from old admin (/admin/security)
  */
 
 import { useEffect, useState, useCallback } from 'react'
 import { PagePurpose } from '@/components/common/PagePurpose'
 import { DevOpsPipelineSidebarResponsive } from '@/components/infrastructure/DevOpsPipelineSidebar'
+import type { ToolStatus, Finding, SeveritySummary, HistoryItem, ScanType, MonitoringMetric, ActiveAlert } from './types'
 
-interface ToolStatus {
-  name: string
-  installed: boolean
-  version: string | null
-  last_run: string | null
-  last_findings: number
+import { SecurityOverviewTab } from './_components/SecurityOverviewTab'
+import { FindingsTab } from './_components/FindingsTab'
+import { ToolsTab } from './_components/ToolsTab'
+import { HistoryTab } from './_components/HistoryTab'
+import { MonitoringTab } from './_components/MonitoringTab'
+import { SecurityDocsSection } from './_components/SecurityDocsSection'
+
+const TOOL_DESCRIPTIONS: Record<string, { icon: string; desc: string }> = {
+  gitleaks: { icon: '🔑', desc: 'Secrets Detection in Git History' },
+  semgrep: { icon: '🔍', desc: 'Static Application Security Testing (SAST)' },
+  bandit: { icon: '🐍', desc: 'Python Security Linter' },
+  trivy: { icon: '🔒', desc: 'Container & Filesystem Vulnerability Scanner' },
+  grype: { icon: '🐛', desc: 'Vulnerability Scanner for Dependencies' },
+  syft: { icon: '📦', desc: 'SBOM Generator (CycloneDX/SPDX)' },
 }
 
-interface Finding {
-  id: string
-  tool: string
-  severity: string
-  title: string
-  message: string | null
-  file: string | null
-  line: number | null
-  found_at: string
+const TOOL_TO_SCAN_TYPE: Record<string, ScanType> = {
+  gitleaks: 'secrets',
+  semgrep: 'sast',
+  bandit: 'sast',
+  trivy: 'deps',
+  grype: 'deps',
+  syft: 'sbom',
 }
 
-interface SeveritySummary {
-  critical: number
-  high: number
-  medium: number
-  low: number
-  info: number
-  total: number
-}
-
-interface HistoryItem {
-  timestamp: string
-  title: string
-  description: string
-  status: string
-}
-
-type ScanType = 'secrets' | 'sast' | 'deps' | 'containers' | 'sbom' | 'all'
-
-interface MonitoringMetric {
-  name: string
-  value: number
-  unit: string
-  status: 'ok' | 'warning' | 'critical'
-  trend: 'up' | 'down' | 'stable'
-}
-
-interface ActiveAlert {
-  id: string
-  severity: 'critical' | 'high' | 'medium' | 'low'
-  title: string
-  source: string
-  timestamp: string
-  acknowledged: boolean
+const SCAN_TYPE_LABELS: Record<ScanType, string> = {
+  secrets: 'Secrets (Gitleaks)',
+  sast: 'SAST (Semgrep + Bandit)',
+  deps: 'Dependencies (Trivy + Grype)',
+  containers: 'Container',
+  sbom: 'SBOM (Syft)',
+  all: 'Full Scan',
 }
 
 export default function SecurityDashboardPage() {
@@ -78,49 +58,28 @@ export default function SecurityDashboardPage() {
   const [activeAlerts, setActiveAlerts] = useState<ActiveAlert[]>([])
   const [severityFilter, setSeverityFilter] = useState<string | null>(null)
   const [toolFilter, setToolFilter] = useState<string | null>(null)
-  const [showFullDocs, setShowFullDocs] = useState(false)
-  const [isInitialLoad, setIsInitialLoad] = useState(true)
   const [scanMessage, setScanMessage] = useState<string | null>(null)
   const [lastScanTime, setLastScanTime] = useState<string | null>(null)
 
   const fetchData = useCallback(async (showLoadingSpinner = false) => {
-    // Only show loading spinner on initial load, not on auto-refresh
-    if (showLoadingSpinner) {
-      setLoading(true)
-    }
+    if (showLoadingSpinner) setLoading(true)
     setError(null)
-
     try {
       const [toolsRes, findingsRes, summaryRes, historyRes] = await Promise.all([
-        fetch('/api/v1/security/tools'),
-        fetch('/api/v1/security/findings'),
-        fetch('/api/v1/security/summary'),
-        fetch('/api/v1/security/history'),
+        fetch('/api/v1/security/tools'), fetch('/api/v1/security/findings'),
+        fetch('/api/v1/security/summary'), fetch('/api/v1/security/history'),
       ])
+      if (toolsRes.ok) setTools(await toolsRes.json())
+      if (findingsRes.ok) setFindings(await findingsRes.json())
+      if (summaryRes.ok) setSummary(await summaryRes.json())
+      if (historyRes.ok) setHistory(await historyRes.json())
 
-      if (toolsRes.ok) {
-        setTools(await toolsRes.json())
-      }
-      if (findingsRes.ok) {
-        setFindings(await findingsRes.json())
-      }
-      if (summaryRes.ok) {
-        setSummary(await summaryRes.json())
-      }
-      if (historyRes.ok) {
-        setHistory(await historyRes.json())
-      }
-
-      // Fetch monitoring data
       const [metricsRes, alertsRes] = await Promise.all([
-        fetch('/api/v1/security/monitoring/metrics'),
-        fetch('/api/v1/security/monitoring/alerts'),
+        fetch('/api/v1/security/monitoring/metrics'), fetch('/api/v1/security/monitoring/alerts'),
       ])
-
       if (metricsRes.ok) {
         setMonitoringMetrics(await metricsRes.json())
       } else {
-        // Default metrics if API not available
         setMonitoringMetrics([
           { name: 'API Latency', value: 45, unit: 'ms', status: 'ok', trend: 'stable' },
           { name: 'Auth Failures', value: 3, unit: '/h', status: 'ok', trend: 'down' },
@@ -130,80 +89,35 @@ export default function SecurityDashboardPage() {
           { name: 'Open Ports', value: 8, unit: '', status: 'ok', trend: 'stable' },
         ])
       }
-      if (alertsRes.ok) {
-        setActiveAlerts(await alertsRes.json())
-      } else {
-        setActiveAlerts([])
-      }
+      if (alertsRes.ok) setActiveAlerts(await alertsRes.json())
+      else setActiveAlerts([])
     } catch (err) {
       setError(err instanceof Error ? err.message : 'Verbindung zum Backend fehlgeschlagen')
     } finally {
       setLoading(false)
-      setIsInitialLoad(false)
     }
   }, [])
 
-  // Initial load only - runs once
-  useEffect(() => {
-    fetchData(true) // Show loading spinner on initial load
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [])
-
-  // Auto-refresh every 60 seconds (without loading spinner)
+  useEffect(() => { fetchData(true) }, [])
   useEffect(() => {
     const interval = setInterval(() => fetchData(false), 60000)
     return () => clearInterval(interval)
-    // eslint-disable-next-line react-hooks/exhaustive-deps
   }, [])
 
-  const scanTypeLabels: Record<ScanType, string> = {
-    secrets: 'Secrets (Gitleaks)',
-    sast: 'SAST (Semgrep + Bandit)',
-    deps: 'Dependencies (Trivy + Grype)',
-    containers: 'Container',
-    sbom: 'SBOM (Syft)',
-    all: 'Full Scan',
-  }
-
   const runScan = async (scanType: ScanType) => {
-    console.log(`Starting scan: ${scanType}`)
     setScanning(scanType)
     setError(null)
-    setScanMessage(`${scanTypeLabels[scanType]} wird gestartet...`)
-
+    setScanMessage(`${SCAN_TYPE_LABELS[scanType]} wird gestartet...`)
     try {
-      const response = await fetch(`/api/v1/security/scan/${scanType}`, {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-        },
-      })
-
-      console.log(`Scan response status: ${response.status}`)
-
-      if (!response.ok) {
-        const errorText = await response.text()
-        console.error(`Scan error: ${errorText}`)
-        throw new Error(`Scan fehlgeschlagen: ${response.status} - ${errorText}`)
-      }
-
-      const result = await response.json()
-      console.log('Scan result:', result)
-
-      // Show success message
-      setScanMessage(`${scanTypeLabels[scanType]} laeuft im Hintergrund. Ergebnisse werden in wenigen Sekunden aktualisiert.`)
+      const response = await fetch(`/api/v1/security/scan/${scanType}`, { method: 'POST', headers: { 'Content-Type': 'application/json' } })
+      if (!response.ok) throw new Error(`Scan fehlgeschlagen: ${response.status}`)
+      setScanMessage(`${SCAN_TYPE_LABELS[scanType]} laeuft im Hintergrund. Ergebnisse werden in wenigen Sekunden aktualisiert.`)
       setLastScanTime(new Date().toLocaleTimeString('de-DE'))
-
-      // Refresh data after scan completes
-      setTimeout(() => {
-        fetchData(false)
-        setScanMessage(null)
-      }, 5000)
+      setTimeout(() => { fetchData(false); setScanMessage(null) }, 5000)
       setTimeout(() => fetchData(false), 15000)
       setTimeout(() => fetchData(false), 30000)
     } catch (err) {
-      console.error('Scan error:', err)
-      setError(err instanceof Error ? err.message : 'Scan fehlgeschlagen - Pruefe Browser-Konsole')
+      setError(err instanceof Error ? err.message : 'Scan fehlgeschlagen')
       setScanMessage(null)
     } finally {
       setScanning(null)
@@ -213,99 +127,38 @@ export default function SecurityDashboardPage() {
   const getSeverityBadge = (severity: string) => {
     const base = 'px-3 py-1 rounded-full text-xs font-semibold uppercase'
     switch (severity.toUpperCase()) {
-      case 'CRITICAL':
-        return `${base} bg-red-100 text-red-800`
-      case 'HIGH':
-        return `${base} bg-orange-100 text-orange-800`
-      case 'MEDIUM':
-        return `${base} bg-yellow-100 text-yellow-800`
-      case 'LOW':
-        return `${base} bg-green-100 text-green-800`
-      default:
-        return `${base} bg-blue-100 text-blue-800`
+      case 'CRITICAL': return `${base} bg-red-100 text-red-800`
+      case 'HIGH': return `${base} bg-orange-100 text-orange-800`
+      case 'MEDIUM': return `${base} bg-yellow-100 text-yellow-800`
+      case 'LOW': return `${base} bg-green-100 text-green-800`
+      default: return `${base} bg-blue-100 text-blue-800`
     }
   }
 
-  const getStatusBadge = (installed: boolean) => {
-    return installed
-      ? 'px-2 py-1 rounded text-xs font-semibold bg-green-100 text-green-800'
-      : 'px-2 py-1 rounded text-xs font-semibold bg-red-100 text-red-800'
-  }
+  const getStatusBadge = (installed: boolean) => installed
+    ? 'px-2 py-1 rounded text-xs font-semibold bg-green-100 text-green-800'
+    : 'px-2 py-1 rounded text-xs font-semibold bg-red-100 text-red-800'
 
-  const getHistoryStatusColor = (status: string) => {
-    switch (status) {
-      case 'success':
-        return 'bg-green-500'
-      case 'warning':
-        return 'bg-yellow-500'
-      case 'error':
-        return 'bg-red-500'
-      default:
-        return 'bg-slate-400'
-    }
-  }
-
-  const getOverallStatus = () => {
-    if (summary.critical > 0) {
-      return { label: 'Critical Issues', color: 'bg-red-100 text-red-800' }
-    }
-    if (summary.high > 0) {
-      return { label: 'High Issues', color: 'bg-orange-100 text-orange-800' }
-    }
-    if (summary.medium > 0) {
-      return { label: 'Warnings', color: 'bg-yellow-100 text-yellow-800' }
-    }
-    return { label: 'Secure', color: 'bg-green-100 text-green-800' }
-  }
-
-  const filteredFindings = findings.filter(f => {
-    if (severityFilter && f.severity.toUpperCase() !== severityFilter.toUpperCase()) return false
-    if (toolFilter && f.tool.toLowerCase() !== toolFilter.toLowerCase()) return false
-    return true
-  })
-
-  const toolDescriptions: Record<string, { icon: string; desc: string }> = {
-    gitleaks: { icon: '🔑', desc: 'Secrets Detection in Git History' },
-    semgrep: { icon: '🔍', desc: 'Static Application Security Testing (SAST)' },
-    bandit: { icon: '🐍', desc: 'Python Security Linter' },
-    trivy: { icon: '🔒', desc: 'Container & Filesystem Vulnerability Scanner' },
-    grype: { icon: '🐛', desc: 'Vulnerability Scanner for Dependencies' },
-    syft: { icon: '📦', desc: 'SBOM Generator (CycloneDX/SPDX)' },
-  }
-
-  // Map tool names to backend scan types
-  const toolToScanType: Record<string, ScanType> = {
-    gitleaks: 'secrets',
-    semgrep: 'sast',
-    bandit: 'sast',
-    trivy: 'deps',
-    grype: 'deps',
-    syft: 'sbom',
-  }
-
-  const status = getOverallStatus()
+  const status = summary.critical > 0 ? { label: 'Critical Issues', color: 'bg-red-100 text-red-800' }
+    : summary.high > 0 ? { label: 'High Issues', color: 'bg-orange-100 text-orange-800' }
+    : summary.medium > 0 ? { label: 'Warnings', color: 'bg-yellow-100 text-yellow-800' }
+    : { label: 'Secure', color: 'bg-green-100 text-green-800' }
 
   return (
     <div>
       <PagePurpose
         title="Security Dashboard"
-        purpose="DevSecOps Dashboard mit Echtzeit-Scan-Ergebnissen. Ueberwachen Sie Secrets, Schwachstellen und Abhaengigkeiten. Fuehren Sie Security-Scans manuell aus oder integrieren Sie sie in Ihre CI/CD-Pipeline."
+        purpose="DevSecOps Dashboard mit Echtzeit-Scan-Ergebnissen. Ueberwachen Sie Secrets, Schwachstellen und Abhaengigkeiten."
         audience={['DevOps', 'Security', 'Entwickler']}
         gdprArticles={['Art. 32 (Sicherheit der Verarbeitung)']}
-        architecture={{
-          services: ['Gitleaks', 'Semgrep', 'Bandit', 'Trivy', 'Grype', 'Syft'],
-          databases: ['JSON Reports'],
-        }}
+        architecture={{ services: ['Gitleaks', 'Semgrep', 'Bandit', 'Trivy', 'Grype', 'Syft'], databases: ['JSON Reports'] }}
         relatedPages={[
           { name: 'SBOM', href: '/infrastructure/sbom', description: 'Software Bill of Materials' },
           { name: 'Middleware', href: '/infrastructure/middleware', description: 'API Gateway & Rate Limiting' },
           { name: 'Controls', href: '/sdk/controls', description: 'Security Controls' },
         ]}
-        collapsible={true}
-        defaultCollapsed={true}
+        collapsible={true} defaultCollapsed={true}
       />
-
-      {/* DevOps Pipeline Sidebar */}
       <DevOpsPipelineSidebarResponsive currentTool="security" />
 
       {/* Header with Status */}
@@ -313,62 +166,32 @@ export default function SecurityDashboardPage() {
         <div className="flex justify-between items-center mb-6">
           <div className="flex items-center gap-4">
             <h2 className="text-xl font-semibold text-slate-900">Security Status</h2>
-            <span className={`px-3 py-1 rounded-full text-sm font-semibold ${status.color}`}>
-              {status.label}
-            </span>
+            <span className={`px-3 py-1 rounded-full text-sm font-semibold ${status.color}`}>{status.label}</span>
           </div>
           <div className="flex items-center gap-3">
             <span className="flex items-center gap-2 text-sm text-slate-500">
-              <span className="w-2 h-2 rounded-full bg-green-500 animate-pulse" />
-              Auto-Refresh aktiv
+              <span className="w-2 h-2 rounded-full bg-green-500 animate-pulse" />Auto-Refresh aktiv
             </span>
-            <button
-              onClick={() => runScan('all')}
-              disabled={scanning !== null}
-              className={`px-4 py-2 rounded-lg font-medium transition-colors flex items-center gap-2 ${
-                scanning === 'all'
-                  ? 'bg-orange-200 text-orange-800'
-                  : 'bg-orange-600 text-white hover:bg-orange-700 disabled:opacity-50'
-              }`}
-            >
-              {scanning === 'all' ? (
-                <>
-                  <div className="animate-spin rounded-full h-4 w-4 border-b-2 border-orange-700" />
-                  <span>Full Scan laeuft...</span>
-                </>
-              ) : (
-                'Full Scan starten'
-              )}
+            <button onClick={() => runScan('all')} disabled={scanning !== null}
+              className={`px-4 py-2 rounded-lg font-medium transition-colors flex items-center gap-2 ${scanning === 'all' ? 'bg-orange-200 text-orange-800' : 'bg-orange-600 text-white hover:bg-orange-700 disabled:opacity-50'}`}>
+              {scanning === 'all' ? (<><div className="animate-spin rounded-full h-4 w-4 border-b-2 border-orange-700" /><span>Full Scan laeuft...</span></>) : 'Full Scan starten'}
             </button>
           </div>
         </div>
-
-        {/* Severity Summary */}
         <div className="grid grid-cols-2 md:grid-cols-3 lg:grid-cols-6 gap-4">
-          <div className="border-l-4 border-red-500 bg-slate-50 rounded-r-lg p-4">
-            <div className="text-3xl font-bold text-red-600">{summary.critical}</div>
-            <div className="text-sm text-slate-600">Critical</div>
-          </div>
-          <div className="border-l-4 border-orange-500 bg-slate-50 rounded-r-lg p-4">
-            <div className="text-3xl font-bold text-orange-600">{summary.high}</div>
-            <div className="text-sm text-slate-600">High</div>
-          </div>
-          <div className="border-l-4 border-yellow-500 bg-slate-50 rounded-r-lg p-4">
-            <div className="text-3xl font-bold text-yellow-600">{summary.medium}</div>
-            <div className="text-sm text-slate-600">Medium</div>
-          </div>
-          <div className="border-l-4 border-green-500 bg-slate-50 rounded-r-lg p-4">
-            <div className="text-3xl font-bold text-green-600">{summary.low}</div>
-            <div className="text-sm text-slate-600">Low</div>
-          </div>
-          <div className="border-l-4 border-blue-500 bg-slate-50 rounded-r-lg p-4">
-            <div className="text-3xl font-bold text-blue-600">{summary.info}</div>
-            <div className="text-sm text-slate-600">Info</div>
-          </div>
-          <div className="border-l-4 border-slate-400 bg-slate-50 rounded-r-lg p-4">
-            <div className="text-3xl font-bold text-slate-700">{summary.total}</div>
-            <div className="text-sm text-slate-600">Total</div>
-          </div>
+          {[
+            { label: 'Critical', value: summary.critical, color: 'border-red-500', textColor: 'text-red-600' },
+            { label: 'High', value: summary.high, color: 'border-orange-500', textColor: 'text-orange-600' },
+            { label: 'Medium', value: summary.medium, color: 'border-yellow-500', textColor: 'text-yellow-600' },
+            { label: 'Low', value: summary.low, color: 'border-green-500', textColor: 'text-green-600' },
+            { label: 'Info', value: summary.info, color: 'border-blue-500', textColor: 'text-blue-600' },
+            { label: 'Total', value: summary.total, color: 'border-slate-400', textColor: 'text-slate-700' },
+          ].map((item) => (
+            <div key={item.label} className={`border-l-4 ${item.color} bg-slate-50 rounded-r-lg p-4`}>
+              <div className={`text-3xl font-bold ${item.textColor}`}>{item.value}</div>
+              <div className="text-sm text-slate-600">{item.label}</div>
+            </div>
+          ))}
         </div>
       </div>
 
@@ -376,15 +199,8 @@ export default function SecurityDashboardPage() {
       <div className="bg-white rounded-xl border border-slate-200 overflow-hidden mb-6">
         <div className="flex border-b border-slate-200">
           {(['overview', 'findings', 'tools', 'history', 'monitoring'] as const).map(tab => (
-            <button
-              key={tab}
-              onClick={() => setActiveTab(tab)}
-              className={`px-6 py-3 text-sm font-medium transition-colors ${
-                activeTab === tab
-                  ? 'bg-orange-50 text-orange-700 border-b-2 border-orange-600'
-                  : 'text-slate-600 hover:bg-slate-50'
-              }`}
-            >
+            <button key={tab} onClick={() => setActiveTab(tab)}
+              className={`px-6 py-3 text-sm font-medium transition-colors ${activeTab === tab ? 'bg-orange-50 text-orange-700 border-b-2 border-orange-600' : 'text-slate-600 hover:bg-slate-50'}`}>
               {tab === 'overview' && 'Uebersicht'}
               {tab === 'findings' && `Findings (${summary.total})`}
               {tab === 'tools' && 'Tools'}
@@ -393,745 +209,32 @@ export default function SecurityDashboardPage() {
             </button>
           ))}
         </div>
-
         <div className="p-6">
-          {/* Scan Status Message */}
           {scanMessage && (
             <div className="mb-4 p-4 bg-blue-50 border border-blue-200 rounded-lg text-blue-700 flex items-center gap-3">
               <div className="animate-spin rounded-full h-5 w-5 border-b-2 border-blue-600" />
               <div>
                 <span className="font-medium">{scanMessage}</span>
-                {lastScanTime && (
-                  <span className="text-sm text-blue-500 ml-2">(gestartet um {lastScanTime})</span>
-                )}
+                {lastScanTime && <span className="text-sm text-blue-500 ml-2">(gestartet um {lastScanTime})</span>}
               </div>
             </div>
           )}
-
-          {error && (
-            <div className="mb-4 p-4 bg-red-50 border border-red-200 rounded-lg text-red-700">
-              {error}
-            </div>
-          )}
-
+          {error && <div className="mb-4 p-4 bg-red-50 border border-red-200 rounded-lg text-red-700">{error}</div>}
           {loading ? (
-            <div className="flex justify-center py-12">
-              <div className="animate-spin rounded-full h-12 w-12 border-b-2 border-orange-600" />
-            </div>
+            <div className="flex justify-center py-12"><div className="animate-spin rounded-full h-12 w-12 border-b-2 border-orange-600" /></div>
           ) : (
             <>
-              {/* Overview Tab */}
-              {activeTab === 'overview' && (
-                <div className="space-y-6">
-                  {/* Tools Grid */}
-                  <div>
-                    <h3 className="text-lg font-semibold text-slate-900 mb-4">DevSecOps Tools</h3>
-                    <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
-                      {tools.map(tool => {
-                        const info = toolDescriptions[tool.name.toLowerCase()] || { icon: '🔧', desc: 'Security Tool' }
-                        return (
-                          <div key={tool.name} className="bg-slate-50 rounded-lg p-4 border border-slate-200">
-                            <div className="flex justify-between items-start mb-2">
-                              <div className="flex items-center gap-2">
-                                <span className="text-xl">{info.icon}</span>
-                                <span className="font-semibold text-slate-900">{tool.name}</span>
-                              </div>
-                              <span className={getStatusBadge(tool.installed)}>
-                                {tool.installed ? 'Installiert' : 'Nicht installiert'}
-                              </span>
-                            </div>
-                            <p className="text-sm text-slate-600 mb-3">{info.desc}</p>
-                            <div className="flex justify-between items-center text-xs text-slate-500">
-                              <span>{tool.version || '-'}</span>
-                              <span>Letzter Scan: {tool.last_run || 'Nie'}</span>
-                            </div>
-                            <button
-                              onClick={() => runScan(toolToScanType[tool.name.toLowerCase()] || 'all')}
-                              disabled={scanning !== null || !tool.installed}
-                              className={`mt-3 w-full px-3 py-1.5 text-sm border rounded transition-colors flex items-center justify-center gap-2 ${
-                                scanning === toolToScanType[tool.name.toLowerCase()]
-                                  ? 'bg-orange-100 border-orange-300 text-orange-700'
-                                  : 'bg-white border-slate-300 hover:bg-slate-50 disabled:opacity-50'
-                              }`}
-                            >
-                              {scanning === toolToScanType[tool.name.toLowerCase()] ? (
-                                <>
-                                  <div className="animate-spin rounded-full h-4 w-4 border-b-2 border-orange-600" />
-                                  <span>Scan laeuft...</span>
-                                </>
-                              ) : (
-                                'Scan starten'
-                              )}
-                            </button>
-                          </div>
-                        )
-                      })}
-                    </div>
-                  </div>
-
-                  {/* Recent Findings */}
-                  <div>
-                    <h3 className="text-lg font-semibold text-slate-900 mb-4">Aktuelle Findings</h3>
-                    {findings.length === 0 ? (
-                      <div className="text-center py-8 text-slate-500">
-                        <span className="text-4xl block mb-2">🎉</span>
-                        Keine Findings gefunden. Das ist gut!
-                      </div>
-                    ) : (
-                      <div className="overflow-x-auto">
-                        <table className="w-full">
-                          <thead>
-                            <tr className="border-b border-slate-200">
-                              <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Severity</th>
-                              <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Tool</th>
-                              <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Finding</th>
-                              <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Datei</th>
-                              <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Gefunden</th>
-                            </tr>
-                          </thead>
-                          <tbody>
-                            {findings.slice(0, 10).map((finding, idx) => (
-                              <tr key={`${finding.id}-${idx}`} className="border-b border-slate-100 hover:bg-slate-50">
-                                <td className="py-3 px-4">
-                                  <span className={getSeverityBadge(finding.severity)}>{finding.severity}</span>
-                                </td>
-                                <td className="py-3 px-4 text-sm text-slate-600">{finding.tool}</td>
-                                <td className="py-3 px-4 text-sm text-slate-900">{finding.title}</td>
-                                <td className="py-3 px-4 text-sm text-slate-500 font-mono">{finding.file || '-'}</td>
-                                <td className="py-3 px-4 text-sm text-slate-500">
-                                  {finding.found_at ? new Date(finding.found_at).toLocaleString('de-DE', {
-                                    day: '2-digit',
-                                    month: '2-digit',
-                                    hour: '2-digit',
-                                    minute: '2-digit'
-                                  }) : '-'}
-                                </td>
-                              </tr>
-                            ))}
-                          </tbody>
-                        </table>
-                        {findings.length > 10 && (
-                          <button
-                            onClick={() => setActiveTab('findings')}
-                            className="mt-4 text-sm text-orange-600 hover:text-orange-700"
-                          >
-                            Alle {findings.length} Findings anzeigen →
-                          </button>
-                        )}
-                      </div>
-                    )}
-                  </div>
-                </div>
-              )}
-
-              {/* Findings Tab */}
-              {activeTab === 'findings' && (
-                <div>
-                  {/* Filters */}
-                  <div className="flex gap-2 mb-4 flex-wrap">
-                    <button
-                      onClick={() => setSeverityFilter(null)}
-                      className={`px-3 py-1 rounded-full text-sm ${!severityFilter ? 'bg-orange-600 text-white' : 'bg-slate-100 text-slate-600 hover:bg-slate-200'}`}
-                    >
-                      Alle
-                    </button>
-                    {['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'].map(sev => (
-                      <button
-                        key={sev}
-                        onClick={() => setSeverityFilter(sev)}
-                        className={`px-3 py-1 rounded-full text-sm ${severityFilter === sev ? 'bg-orange-600 text-white' : 'bg-slate-100 text-slate-600 hover:bg-slate-200'}`}
-                      >
-                        {sev}
-                      </button>
-                    ))}
-                    <span className="mx-2 border-l border-slate-300" />
-                    {['gitleaks', 'semgrep', 'bandit', 'trivy', 'grype'].map(t => (
-                      <button
-                        key={t}
-                        onClick={() => setToolFilter(toolFilter === t ? null : t)}
-                        className={`px-3 py-1 rounded-full text-sm capitalize ${toolFilter === t ? 'bg-orange-600 text-white' : 'bg-slate-100 text-slate-600 hover:bg-slate-200'}`}
-                      >
-                        {t}
-                      </button>
-                    ))}
-                  </div>
-
-                  {filteredFindings.length === 0 ? (
-                    <div className="text-center py-8 text-slate-500">
-                      Keine Findings mit diesem Filter gefunden.
-                    </div>
-                  ) : (
-                    <div className="overflow-x-auto">
-                      <table className="w-full">
-                        <thead>
-                          <tr className="border-b border-slate-200">
-                            <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Severity</th>
-                            <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Tool</th>
-                            <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Finding</th>
-                            <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Datei</th>
-                            <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Zeile</th>
-                            <th className="text-left py-3 px-4 text-xs font-semibold text-slate-500 uppercase">Gefunden</th>
-                          </tr>
-                        </thead>
-                        <tbody>
-                          {filteredFindings.map((finding, idx) => (
-                            <tr key={`${finding.id}-${idx}`} className="border-b border-slate-100 hover:bg-slate-50">
-                              <td className="py-3 px-4">
-                                <span className={getSeverityBadge(finding.severity)}>{finding.severity}</span>
-                              </td>
-                              <td className="py-3 px-4 text-sm text-slate-600">{finding.tool}</td>
-                              <td className="py-3 px-4">
-                                <div className="text-sm text-slate-900">{finding.title}</div>
-                                {finding.message && (
-                                  <div className="text-xs text-slate-500 mt-1">{finding.message}</div>
-                                )}
-                              </td>
-                              <td className="py-3 px-4 text-sm text-slate-500 font-mono max-w-xs truncate">
-                                {finding.file || '-'}
-                              </td>
-                              <td className="py-3 px-4 text-sm text-slate-500">{finding.line || '-'}</td>
-                              <td className="py-3 px-4 text-sm text-slate-500">
-                                {finding.found_at ? new Date(finding.found_at).toLocaleDateString('de-DE') : '-'}
-                              </td>
-                            </tr>
-                          ))}
-                        </tbody>
-                      </table>
-                    </div>
-                  )}
-                </div>
-              )}
-
-              {/* Tools Tab */}
-              {activeTab === 'tools' && (
-                <div className="grid grid-cols-1 md:grid-cols-2 gap-6">
-                  {tools.map(tool => {
-                    const info = toolDescriptions[tool.name.toLowerCase()] || { icon: '🔧', desc: 'Security Tool' }
-                    return (
-                      <div key={tool.name} className="bg-white border border-slate-200 rounded-lg p-6">
-                        <div className="flex justify-between items-start mb-4">
-                          <div>
-                            <div className="flex items-center gap-3 mb-1">
-                              <span className="text-2xl">{info.icon}</span>
-                              <h3 className="text-lg font-semibold text-slate-900">{tool.name}</h3>
-                            </div>
-                            <p className="text-sm text-slate-600">{info.desc}</p>
-                          </div>
-                          <span className={getStatusBadge(tool.installed)}>
-                            {tool.installed ? 'Installiert' : 'Nicht installiert'}
-                          </span>
-                        </div>
-                        <div className="space-y-2 text-sm">
-                          <div className="flex justify-between">
-                            <span className="text-slate-500">Version:</span>
-                            <span className="font-mono">{tool.version || '-'}</span>
-                          </div>
-                          <div className="flex justify-between">
-                            <span className="text-slate-500">Letzter Scan:</span>
-                            <span>{tool.last_run || 'Nie'}</span>
-                          </div>
-                          <div className="flex justify-between">
-                            <span className="text-slate-500">Findings:</span>
-                            <span className="font-semibold">{tool.last_findings}</span>
-                          </div>
-                        </div>
-                        <div className="flex gap-2 mt-4">
-                          <button
-                            onClick={() => runScan(toolToScanType[tool.name.toLowerCase()] || 'all')}
-                            disabled={scanning !== null || !tool.installed}
-                            className={`flex-1 px-4 py-2 rounded-lg text-sm font-medium transition-colors flex items-center justify-center gap-2 ${
-                              scanning === toolToScanType[tool.name.toLowerCase()]
-                                ? 'bg-orange-200 text-orange-800'
-                                : 'bg-orange-600 text-white hover:bg-orange-700 disabled:opacity-50'
-                            }`}
-                          >
-                            {scanning === toolToScanType[tool.name.toLowerCase()] ? (
-                              <>
-                                <div className="animate-spin rounded-full h-4 w-4 border-b-2 border-orange-700" />
-                                <span>Scan laeuft...</span>
-                              </>
-                            ) : (
-                              'Scan starten'
-                            )}
-                          </button>
-                          <button
-                            onClick={() => window.open(`/api/v1/security/reports/${tool.name.toLowerCase()}`, '_blank')}
-                            className="px-4 py-2 border border-slate-300 text-slate-700 rounded-lg text-sm font-medium hover:bg-slate-50 transition-colors"
-                          >
-                            Report
-                          </button>
-                        </div>
-                      </div>
-                    )
-                  })}
-                </div>
-              )}
-
-              {/* History Tab */}
-              {activeTab === 'history' && (
-                <div className="space-y-4">
-                  {history.length === 0 ? (
-                    <div className="text-center py-8 text-slate-500">
-                      Keine Scan-Historie vorhanden.
-                    </div>
-                  ) : (
-                    <div className="relative">
-                      <div className="absolute left-4 top-0 bottom-0 w-0.5 bg-slate-200" />
-                      {history.map((item, idx) => (
-                        <div key={idx} className="relative pl-10 pb-6">
-                          <div className={`absolute left-2.5 w-3 h-3 rounded-full ${getHistoryStatusColor(item.status)}`} />
-                          <div className="bg-slate-50 rounded-lg p-4 border border-slate-200">
-                            <div className="flex justify-between items-start mb-1">
-                              <span className="font-semibold text-slate-900">{item.title}</span>
-                              <span className="text-xs text-slate-500">
-                                {new Date(item.timestamp).toLocaleString('de-DE')}
-                              </span>
-                            </div>
-                            <p className="text-sm text-slate-600">{item.description}</p>
-                          </div>
-                        </div>
-                      ))}
-                    </div>
-                  )}
-                </div>
-              )}
-
-              {/* Monitoring Tab */}
-              {activeTab === 'monitoring' && (
-                <div className="space-y-6">
-                  {/* Real-time Metrics */}
-                  <div>
-                    <h3 className="text-lg font-semibold text-slate-900 mb-4 flex items-center gap-2">
-                      <svg className="w-5 h-5 text-green-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                        <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 19v-6a2 2 0 00-2-2H5a2 2 0 00-2 2v6a2 2 0 002 2h2a2 2 0 002-2zm0 0V9a2 2 0 012-2h2a2 2 0 012 2v10m-6 0a2 2 0 002 2h2a2 2 0 002-2m0 0V5a2 2 0 012-2h2a2 2 0 012 2v14a2 2 0 01-2 2h-2a2 2 0 01-2-2z" />
-                      </svg>
-                      Security Metriken
-                    </h3>
-                    <div className="grid grid-cols-2 md:grid-cols-3 lg:grid-cols-6 gap-4">
-                      {monitoringMetrics.map((metric, idx) => (
-                        <div
-                          key={idx}
-                          className={`rounded-lg p-4 border ${
-                            metric.status === 'critical' ? 'bg-red-50 border-red-200' :
-                            metric.status === 'warning' ? 'bg-yellow-50 border-yellow-200' :
-                            'bg-green-50 border-green-200'
-                          }`}
-                        >
-                          <div className="flex justify-between items-start mb-2">
-                            <span className="text-xs text-slate-600">{metric.name}</span>
-                            <span className={`text-xs ${
-                              metric.trend === 'up' ? 'text-red-600' :
-                              metric.trend === 'down' ? 'text-green-600' :
-                              'text-slate-500'
-                            }`}>
-                              {metric.trend === 'up' ? '↑' : metric.trend === 'down' ? '↓' : '→'}
-                            </span>
-                          </div>
-                          <div className={`text-2xl font-bold ${
-                            metric.status === 'critical' ? 'text-red-700' :
-                            metric.status === 'warning' ? 'text-yellow-700' :
-                            'text-green-700'
-                          }`}>
-                            {metric.value}
-                            <span className="text-sm font-normal ml-1">{metric.unit}</span>
-                          </div>
-                        </div>
-                      ))}
-                    </div>
-                  </div>
-
-                  {/* Active Alerts */}
-                  <div>
-                    <h3 className="text-lg font-semibold text-slate-900 mb-4 flex items-center gap-2">
-                      <svg className="w-5 h-5 text-orange-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                        <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15 17h5l-1.405-1.405A2.032 2.032 0 0118 14.158V11a6.002 6.002 0 00-4-5.659V5a2 2 0 10-4 0v.341C7.67 6.165 6 8.388 6 11v3.159c0 .538-.214 1.055-.595 1.436L4 17h5m6 0v1a3 3 0 11-6 0v-1m6 0H9" />
-                      </svg>
-                      Aktive Alerts
-                      {activeAlerts.filter(a => !a.acknowledged).length > 0 && (
-                        <span className="ml-2 px-2 py-0.5 bg-red-500 text-white text-xs rounded-full">
-                          {activeAlerts.filter(a => !a.acknowledged).length}
-                        </span>
-                      )}
-                    </h3>
-                    {activeAlerts.length === 0 ? (
-                      <div className="text-center py-8 bg-green-50 rounded-lg border border-green-200">
-                        <span className="text-4xl block mb-2">✓</span>
-                        <span className="text-green-700">Keine aktiven Security-Alerts</span>
-                      </div>
-                    ) : (
-                      <div className="space-y-2">
-                        {activeAlerts.map((alert) => (
-                          <div
-                            key={alert.id}
-                            className={`flex items-center justify-between p-4 rounded-lg border ${
-                              alert.severity === 'critical' ? 'bg-red-50 border-red-200' :
-                              alert.severity === 'high' ? 'bg-orange-50 border-orange-200' :
-                              alert.severity === 'medium' ? 'bg-yellow-50 border-yellow-200' :
-                              'bg-blue-50 border-blue-200'
-                            }`}
-                          >
-                            <div className="flex items-center gap-4">
-                              <span className={`px-2 py-1 text-xs font-semibold rounded uppercase ${
-                                alert.severity === 'critical' ? 'bg-red-100 text-red-800' :
-                                alert.severity === 'high' ? 'bg-orange-100 text-orange-800' :
-                                alert.severity === 'medium' ? 'bg-yellow-100 text-yellow-800' :
-                                'bg-blue-100 text-blue-800'
-                              }`}>
-                                {alert.severity}
-                              </span>
-                              <div>
-                                <div className="font-medium text-slate-900">{alert.title}</div>
-                                <div className="text-xs text-slate-500">
-                                  {alert.source} • {new Date(alert.timestamp).toLocaleString('de-DE')}
-                                </div>
-                              </div>
-                            </div>
-                            {!alert.acknowledged && (
-                              <button className="px-3 py-1 text-xs bg-white border border-slate-300 rounded hover:bg-slate-50">
-                                Bestaetigen
-                              </button>
-                            )}
-                          </div>
-                        ))}
-                      </div>
-                    )}
-                  </div>
-
-                  {/* Security Overview Cards */}
-                  <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
-                    <div className="bg-slate-50 rounded-lg p-4 border border-slate-200">
-                      <h4 className="font-medium text-slate-900 mb-3 flex items-center gap-2">
-                        <svg className="w-4 h-4 text-blue-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z" />
-                        </svg>
-                        Authentifizierung
-                      </h4>
-                      <div className="space-y-2 text-sm">
-                        <div className="flex justify-between">
-                          <span className="text-slate-600">Aktive Sessions</span>
-                          <span className="font-medium">24</span>
-                        </div>
-                        <div className="flex justify-between">
-                          <span className="text-slate-600">Fehlgeschlagene Logins (24h)</span>
-                          <span className="font-medium text-green-600">0</span>
-                        </div>
-                        <div className="flex justify-between">
-                          <span className="text-slate-600">2FA-Quote</span>
-                          <span className="font-medium text-green-600">100%</span>
-                        </div>
-                      </div>
-                    </div>
-
-                    <div className="bg-slate-50 rounded-lg p-4 border border-slate-200">
-                      <h4 className="font-medium text-slate-900 mb-3 flex items-center gap-2">
-                        <svg className="w-4 h-4 text-purple-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
-                        </svg>
-                        SSL/TLS
-                      </h4>
-                      <div className="space-y-2 text-sm">
-                        <div className="flex justify-between">
-                          <span className="text-slate-600">Zertifikate</span>
-                          <span className="font-medium">5 aktiv</span>
-                        </div>
-                        <div className="flex justify-between">
-                          <span className="text-slate-600">Naechster Ablauf</span>
-                          <span className="font-medium text-green-600">45 Tage</span>
-                        </div>
-                        <div className="flex justify-between">
-                          <span className="text-slate-600">TLS Version</span>
-                          <span className="font-medium">1.3</span>
-                        </div>
-                      </div>
-                    </div>
-
-                    <div className="bg-slate-50 rounded-lg p-4 border border-slate-200">
-                      <h4 className="font-medium text-slate-900 mb-3 flex items-center gap-2">
-                        <svg className="w-4 h-4 text-orange-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
-                        </svg>
-                        Firewall
-                      </h4>
-                      <div className="space-y-2 text-sm">
-                        <div className="flex justify-between">
-                          <span className="text-slate-600">Blockierte IPs (24h)</span>
-                          <span className="font-medium">12</span>
-                        </div>
-                        <div className="flex justify-between">
-                          <span className="text-slate-600">Rate Limit Hits</span>
-                          <span className="font-medium text-yellow-600">7</span>
-                        </div>
-                        <div className="flex justify-between">
-                          <span className="text-slate-600">WAF Status</span>
-                          <span className="font-medium text-green-600">Aktiv</span>
-                        </div>
-                      </div>
-                    </div>
-                  </div>
-
-                  {/* Link to CI/CD for pipeline monitoring */}
-                  <div className="bg-blue-50 border border-blue-200 rounded-lg p-4 flex items-center justify-between">
-                    <div className="flex items-center gap-3">
-                      <svg className="w-5 h-5 text-blue-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                        <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M13 10V3L4 14h7v7l9-11h-7z" />
-                      </svg>
-                      <div>
-                        <div className="font-medium text-blue-900">Pipeline Security</div>
-                        <div className="text-sm text-blue-700">Security-Scans in CI/CD Pipelines und Container-Status</div>
-                      </div>
-                    </div>
-                    <a
-                      href="/infrastructure/ci-cd"
-                      className="px-4 py-2 bg-blue-600 text-white rounded-lg text-sm font-medium hover:bg-blue-700 transition-colors"
-                    >
-                      CI/CD Dashboard →
-                    </a>
-                  </div>
-                </div>
-              )}
+              {activeTab === 'overview' && <SecurityOverviewTab tools={tools} findings={findings} scanning={scanning} onRunScan={runScan} onShowAllFindings={() => setActiveTab('findings')} toolDescriptions={TOOL_DESCRIPTIONS} toolToScanType={TOOL_TO_SCAN_TYPE} getSeverityBadge={getSeverityBadge} getStatusBadge={getStatusBadge} />}
+              {activeTab === 'findings' && <FindingsTab findings={findings} severityFilter={severityFilter} setSeverityFilter={setSeverityFilter} toolFilter={toolFilter} setToolFilter={setToolFilter} getSeverityBadge={getSeverityBadge} />}
+              {activeTab === 'tools' && <ToolsTab tools={tools} scanning={scanning} onRunScan={runScan} toolDescriptions={TOOL_DESCRIPTIONS} toolToScanType={TOOL_TO_SCAN_TYPE} getStatusBadge={getStatusBadge} />}
+              {activeTab === 'history' && <HistoryTab history={history} />}
+              {activeTab === 'monitoring' && <MonitoringTab monitoringMetrics={monitoringMetrics} activeAlerts={activeAlerts} />}
             </>
           )}
         </div>
       </div>
 
-      {/* Documentation Section */}
-      <div className="bg-white rounded-xl border border-slate-200 overflow-hidden">
-        <div className="p-6">
-          <div className="flex justify-between items-center mb-4">
-            <h3 className="text-lg font-semibold text-slate-900 flex items-center gap-2">
-              <svg className="w-5 h-5 text-slate-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
-              </svg>
-              Security Dokumentation
-            </h3>
-            <button
-              onClick={() => setShowFullDocs(!showFullDocs)}
-              className="px-4 py-2 bg-slate-100 text-slate-700 rounded-lg hover:bg-slate-200 transition-colors flex items-center gap-2 text-sm font-medium"
-            >
-              <svg className={`w-4 h-4 transition-transform ${showFullDocs ? 'rotate-180' : ''}`} fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 9l-7 7-7-7" />
-              </svg>
-              {showFullDocs ? 'Weniger anzeigen' : 'Vollstaendige Dokumentation'}
-            </button>
-          </div>
-
-          {/* Short Description */}
-          <div className="prose prose-slate max-w-none">
-            <p className="text-slate-600">
-              Das Security Dashboard bietet einen zentralen Ueberblick ueber alle DevSecOps-Aktivitaeten.
-              Es integriert 6 Security-Tools fuer umfassende Code- und Infrastruktur-Sicherheit:
-              Secrets Detection, Static Analysis (SAST), Dependency Scanning und SBOM-Generierung.
-            </p>
-          </div>
-
-          {/* Tool Quick Reference */}
-          <div className="grid grid-cols-2 md:grid-cols-3 lg:grid-cols-6 gap-3 mt-4">
-            <div className="bg-red-50 p-3 rounded-lg text-center">
-              <span className="text-lg">🔑</span>
-              <p className="text-xs font-medium text-red-800 mt-1">Gitleaks</p>
-              <p className="text-xs text-red-600">Secrets</p>
-            </div>
-            <div className="bg-blue-50 p-3 rounded-lg text-center">
-              <span className="text-lg">🔍</span>
-              <p className="text-xs font-medium text-blue-800 mt-1">Semgrep</p>
-              <p className="text-xs text-blue-600">SAST</p>
-            </div>
-            <div className="bg-yellow-50 p-3 rounded-lg text-center">
-              <span className="text-lg">🐍</span>
-              <p className="text-xs font-medium text-yellow-800 mt-1">Bandit</p>
-              <p className="text-xs text-yellow-600">Python</p>
-            </div>
-            <div className="bg-purple-50 p-3 rounded-lg text-center">
-              <span className="text-lg">🔒</span>
-              <p className="text-xs font-medium text-purple-800 mt-1">Trivy</p>
-              <p className="text-xs text-purple-600">Container</p>
-            </div>
-            <div className="bg-green-50 p-3 rounded-lg text-center">
-              <span className="text-lg">🐛</span>
-              <p className="text-xs font-medium text-green-800 mt-1">Grype</p>
-              <p className="text-xs text-green-600">Dependencies</p>
-            </div>
-            <div className="bg-orange-50 p-3 rounded-lg text-center">
-              <span className="text-lg">📦</span>
-              <p className="text-xs font-medium text-orange-800 mt-1">Syft</p>
-              <p className="text-xs text-orange-600">SBOM</p>
-            </div>
-          </div>
-
-          {/* Full Documentation (Expandable) */}
-          {showFullDocs && (
-            <div className="mt-6 bg-slate-50 rounded-lg p-6 border border-slate-200">
-              <div className="prose prose-slate max-w-none prose-headings:text-slate-900 prose-p:text-slate-600 prose-li:text-slate-600">
-
-                <h3>1. Security Tools Uebersicht</h3>
-
-                <h4>🔑 Gitleaks - Secrets Detection</h4>
-                <p>Durchsucht die gesamte Git-Historie nach versehentlich eingecheckten Secrets wie API-Keys, Passwoertern und Tokens.</p>
-                <ul>
-                  <li><strong>Scan-Bereich:</strong> Git-Historie, Commits, Branches</li>
-                  <li><strong>Erkannte Secrets:</strong> AWS Keys, GitHub Tokens, Private Keys, Passwoerter</li>
-                  <li><strong>Ausgabe:</strong> JSON-Report mit Fundstelle, Commit-Hash, Autor</li>
-                </ul>
-
-                <h4>🔍 Semgrep - Static Application Security Testing</h4>
-                <p>Fuehrt regelbasierte statische Code-Analyse durch, um Sicherheitsluecken und Anti-Patterns zu finden.</p>
-                <ul>
-                  <li><strong>Unterstuetzte Sprachen:</strong> Python, JavaScript, TypeScript, Go, Java</li>
-                  <li><strong>Regelsets:</strong> OWASP Top 10, CWE, Security Best Practices</li>
-                  <li><strong>Findings:</strong> SQL Injection, XSS, Path Traversal, Insecure Deserialization</li>
-                </ul>
-
-                <h4>🐍 Bandit - Python Security Linter</h4>
-                <p>Spezialisierter Security-Linter fuer Python-Code mit Fokus auf haeufige Sicherheitsprobleme.</p>
-                <ul>
-                  <li><strong>Checks:</strong> Hardcoded Passwords, SQL Injection, Shell Injection</li>
-                  <li><strong>Severity Levels:</strong> LOW, MEDIUM, HIGH</li>
-                  <li><strong>Confidence:</strong> LOW, MEDIUM, HIGH</li>
-                </ul>
-
-                <h4>🔒 Trivy - Container & Filesystem Scanner</h4>
-                <p>Scannt Container-Images und Dateisysteme auf bekannte Schwachstellen (CVEs).</p>
-                <ul>
-                  <li><strong>Scan-Typen:</strong> Container Images, Filesystems, Git Repositories</li>
-                  <li><strong>Datenbanken:</strong> NVD, GitHub Advisory, Alpine SecDB, RedHat OVAL</li>
-                  <li><strong>Ausgabe:</strong> CVE-ID, Severity, Fixed Version, Description</li>
-                </ul>
-
-                <h4>🐛 Grype - Dependency Vulnerability Scanner</h4>
-                <p>Analysiert Software-Abhaengigkeiten auf bekannte Sicherheitsluecken.</p>
-                <ul>
-                  <li><strong>Package Manager:</strong> npm, pip, go mod, Maven, Gradle</li>
-                  <li><strong>Input:</strong> SBOM (CycloneDX/SPDX), Lockfiles, Container Images</li>
-                  <li><strong>Matching:</strong> CPE-basiert, Package URL (purl)</li>
-                </ul>
-
-                <h4>📦 Syft - SBOM Generator</h4>
-                <p>Erstellt Software Bill of Materials (SBOM) fuer Compliance und Supply-Chain-Security.</p>
-                <ul>
-                  <li><strong>Formate:</strong> CycloneDX (JSON/XML), SPDX, Syft JSON</li>
-                  <li><strong>Erfassung:</strong> Packages, Lizenzen, Versionen, Checksums</li>
-                  <li><strong>Compliance:</strong> NIS2, ISO 27001, DSGVO Art. 32</li>
-                </ul>
-
-                <h3>2. Severity-Klassifizierung</h3>
-                <table className="min-w-full text-sm">
-                  <thead>
-                    <tr className="border-b">
-                      <th className="text-left py-2">Severity</th>
-                      <th className="text-left py-2">CVSS Score</th>
-                      <th className="text-left py-2">Reaktionszeit</th>
-                      <th className="text-left py-2">Beispiele</th>
-                    </tr>
-                  </thead>
-                  <tbody>
-                    <tr className="border-b"><td className="py-2"><span className="px-2 py-0.5 bg-red-100 text-red-800 rounded text-xs font-semibold">CRITICAL</span></td><td>9.0 - 10.0</td><td>Sofort (24h)</td><td>RCE, Auth Bypass, Exposed Secrets</td></tr>
-                    <tr className="border-b"><td className="py-2"><span className="px-2 py-0.5 bg-orange-100 text-orange-800 rounded text-xs font-semibold">HIGH</span></td><td>7.0 - 8.9</td><td>1-3 Tage</td><td>SQL Injection, XSS, Path Traversal</td></tr>
-                    <tr className="border-b"><td className="py-2"><span className="px-2 py-0.5 bg-yellow-100 text-yellow-800 rounded text-xs font-semibold">MEDIUM</span></td><td>4.0 - 6.9</td><td>1-2 Wochen</td><td>Information Disclosure, CSRF</td></tr>
-                    <tr className="border-b"><td className="py-2"><span className="px-2 py-0.5 bg-green-100 text-green-800 rounded text-xs font-semibold">LOW</span></td><td>0.1 - 3.9</td><td>Naechster Sprint</td><td>Minor Info Leak, Best Practice</td></tr>
-                    <tr><td className="py-2"><span className="px-2 py-0.5 bg-blue-100 text-blue-800 rounded text-xs font-semibold">INFO</span></td><td>0.0</td><td>Optional</td><td>Empfehlungen, Hinweise</td></tr>
-                  </tbody>
-                </table>
-
-                <h3>3. Scan-Workflow</h3>
-                <pre className="bg-slate-800 text-slate-100 p-4 rounded-lg overflow-x-auto text-sm">
-{`┌─────────────────────────────────────────────────────────────┐
-│                    Security Scan Pipeline                    │
-├─────────────────────────────────────────────────────────────┤
-│                                                              │
-│  1. Secrets Detection (Gitleaks)                            │
-│     └── Scannt Git-Historie nach API-Keys & Credentials     │
-│                          ↓                                   │
-│  2. Static Analysis (Semgrep + Bandit)                      │
-│     └── Code-Analyse auf Sicherheitsluecken                 │
-│                          ↓                                   │
-│  3. Dependency Scan (Trivy + Grype)                         │
-│     └── CVE-Check aller Abhaengigkeiten                     │
-│                          ↓                                   │
-│  4. SBOM Generation (Syft)                                  │
-│     └── Software Bill of Materials erstellen                │
-│                          ↓                                   │
-│  5. Report & Dashboard                                       │
-│     └── Ergebnisse aggregieren und visualisieren            │
-│                                                              │
-└─────────────────────────────────────────────────────────────┘`}
-                </pre>
-
-                <h3>4. Remediation-Strategien</h3>
-
-                <h4>Bei Secrets-Findings:</h4>
-                <ol>
-                  <li>Secret sofort rotieren (neue API-Keys, Passwoerter)</li>
-                  <li>Git-Historie bereinigen (BFG Repo-Cleaner oder git filter-branch)</li>
-                  <li>Betroffene Systeme auf unauthorisierte Zugriffe pruefen</li>
-                  <li>Secret-Scanning in Pre-Commit-Hooks aktivieren</li>
-                </ol>
-
-                <h4>Bei SAST-Findings:</h4>
-                <ol>
-                  <li>Finding-Details und betroffene Code-Stelle analysieren</li>
-                  <li>Empfohlene Fix-Strategie aus Semgrep-Dokumentation anwenden</li>
-                  <li>Unit-Tests fuer den Fix schreiben</li>
-                  <li>Code-Review durch Security-erfahrenen Entwickler</li>
-                </ol>
-
-                <h4>Bei Dependency-Vulnerabilities:</h4>
-                <ol>
-                  <li>Pruefen ob ein Patch/Update verfuegbar ist</li>
-                  <li>Abhaengigkeit auf gepatchte Version aktualisieren</li>
-                  <li>Falls kein Patch: Workaround oder Alternative evaluieren</li>
-                  <li>Temporaer: WAF-Regel als Mitigation</li>
-                </ol>
-
-                <h3>5. CI/CD Integration</h3>
-                <p>Security-Scans sind in die Gitea Actions Pipeline integriert:</p>
-                <ul>
-                  <li><strong>Pre-Commit:</strong> Gitleaks (lokale Secrets-Pruefung)</li>
-                  <li><strong>Pull Request:</strong> Semgrep, Bandit, Trivy (Blocking bei Critical)</li>
-                  <li><strong>Main Branch:</strong> Full Scan + SBOM-Update</li>
-                  <li><strong>Nightly:</strong> Dependency-Update-Check</li>
-                </ul>
-
-                <h3>6. Compliance-Mapping</h3>
-                <table className="min-w-full text-sm">
-                  <thead>
-                    <tr className="border-b">
-                      <th className="text-left py-2">Regulation</th>
-                      <th className="text-left py-2">Artikel</th>
-                      <th className="text-left py-2">Erfuellt durch</th>
-                    </tr>
-                  </thead>
-                  <tbody>
-                    <tr className="border-b"><td className="py-2">DSGVO</td><td>Art. 32</td><td>Alle Security-Scans, Vulnerability Management</td></tr>
-                    <tr className="border-b"><td className="py-2">NIS2</td><td>Art. 21</td><td>SBOM, Supply-Chain-Security, Incident Response</td></tr>
-                    <tr className="border-b"><td className="py-2">ISO 27001</td><td>A.12.6</td><td>Vulnerability Management, Patch Management</td></tr>
-                    <tr><td className="py-2">OWASP</td><td>Top 10</td><td>SAST (Semgrep), Secrets Detection</td></tr>
-                  </tbody>
-                </table>
-
-                <h3>7. API-Endpunkte</h3>
-                <table className="min-w-full text-sm font-mono">
-                  <thead>
-                    <tr className="border-b">
-                      <th className="text-left py-2">Methode</th>
-                      <th className="text-left py-2">Endpoint</th>
-                      <th className="text-left py-2 font-sans">Beschreibung</th>
-                    </tr>
-                  </thead>
-                  <tbody>
-                    <tr className="border-b"><td className="py-2"><span className="bg-blue-100 text-blue-700 px-1 rounded">GET</span></td><td>/api/v1/security/tools</td><td className="font-sans">Tool-Status abrufen</td></tr>
-                    <tr className="border-b"><td className="py-2"><span className="bg-blue-100 text-blue-700 px-1 rounded">GET</span></td><td>/api/v1/security/findings</td><td className="font-sans">Alle Findings abrufen</td></tr>
-                    <tr className="border-b"><td className="py-2"><span className="bg-blue-100 text-blue-700 px-1 rounded">GET</span></td><td>/api/v1/security/summary</td><td className="font-sans">Severity-Zusammenfassung</td></tr>
-                    <tr className="border-b"><td className="py-2"><span className="bg-blue-100 text-blue-700 px-1 rounded">GET</span></td><td>/api/v1/security/history</td><td className="font-sans">Scan-Historie</td></tr>
-                    <tr className="border-b"><td className="py-2"><span className="bg-green-100 text-green-700 px-1 rounded">POST</span></td><td>/api/v1/security/scan/all</td><td className="font-sans">Full Scan starten</td></tr>
-                    <tr><td className="py-2"><span className="bg-green-100 text-green-700 px-1 rounded">POST</span></td><td>/api/v1/security/scan/[tool]</td><td className="font-sans">Einzelnes Tool scannen</td></tr>
-                  </tbody>
-                </table>
-
-              </div>
-            </div>
-          )}
-        </div>
-      </div>
+      <SecurityDocsSection />
     </div>
   )
 }
diff --git a/admin-core/app/(admin)/infrastructure/security/types.ts b/admin-core/app/(admin)/infrastructure/security/types.ts
new file mode 100644
index 0000000..b18e120
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/security/types.ts
@@ -0,0 +1,57 @@
+/**
+ * Types for Security Dashboard
+ */
+
+export interface ToolStatus {
+  name: string
+  installed: boolean
+  version: string | null
+  last_run: string | null
+  last_findings: number
+}
+
+export interface Finding {
+  id: string
+  tool: string
+  severity: string
+  title: string
+  message: string | null
+  file: string | null
+  line: number | null
+  found_at: string
+}
+
+export interface SeveritySummary {
+  critical: number
+  high: number
+  medium: number
+  low: number
+  info: number
+  total: number
+}
+
+export interface HistoryItem {
+  timestamp: string
+  title: string
+  description: string
+  status: string
+}
+
+export type ScanType = 'secrets' | 'sast' | 'deps' | 'containers' | 'sbom' | 'all'
+
+export interface MonitoringMetric {
+  name: string
+  value: number
+  unit: string
+  status: 'ok' | 'warning' | 'critical'
+  trend: 'up' | 'down' | 'stable'
+}
+
+export interface ActiveAlert {
+  id: string
+  severity: 'critical' | 'high' | 'medium' | 'low'
+  title: string
+  source: string
+  timestamp: string
+  acknowledged: boolean
+}
diff --git a/admin-core/app/(admin)/infrastructure/tests/_components/BacklogTab.tsx b/admin-core/app/(admin)/infrastructure/tests/_components/BacklogTab.tsx
new file mode 100644
index 0000000..abd12f6
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/tests/_components/BacklogTab.tsx
@@ -0,0 +1,427 @@
+'use client'
+
+import { useState } from 'react'
+import type { LLMRoutingOption } from '@/types/infrastructure-modules'
+import type { FailedTest, BacklogItem, BacklogPriority } from '../types'
+
+// ==============================================================================
+// FailedTestCard
+// ==============================================================================
+
+function FailedTestCard({
+  test,
+  onStatusChange,
+  onPriorityChange,
+  priority = 'medium',
+  failureCount = 1,
+}: {
+  test: FailedTest
+  onStatusChange: (testId: string, status: string) => void
+  onPriorityChange?: (testId: string, priority: string) => void
+  priority?: BacklogPriority
+  failureCount?: number
+}) {
+  const errorTypeColors: Record<string, string> = {
+    assertion: 'bg-amber-100 text-amber-700',
+    nil_pointer: 'bg-red-100 text-red-700',
+    type_error: 'bg-purple-100 text-purple-700',
+    network: 'bg-blue-100 text-blue-700',
+    timeout: 'bg-orange-100 text-orange-700',
+    logic_error: 'bg-slate-100 text-slate-700',
+    unknown: 'bg-slate-100 text-slate-700',
+  }
+
+  const statusColors: Record<string, string> = {
+    open: 'bg-red-100 text-red-700',
+    in_progress: 'bg-blue-100 text-blue-700',
+    fixed: 'bg-emerald-100 text-emerald-700',
+    wont_fix: 'bg-slate-100 text-slate-700',
+    flaky: 'bg-purple-100 text-purple-700',
+  }
+
+  const priorityColors: Record<string, string> = {
+    critical: 'bg-red-500 text-white',
+    high: 'bg-orange-500 text-white',
+    medium: 'bg-yellow-500 text-white',
+    low: 'bg-slate-400 text-white',
+  }
+
+  const priorityLabels: Record<string, string> = {
+    critical: '!!! Kritisch',
+    high: '!! Hoch',
+    medium: '! Mittel',
+    low: 'Niedrig',
+  }
+
+  return (
+    <div className="bg-white rounded-lg border border-slate-200 p-4 hover:border-red-300 transition-colors">
+      <div className="flex items-start justify-between mb-3">
+        <div className="flex-1 min-w-0">
+          <div className="flex items-center gap-2 mb-1 flex-wrap">
+            <span className={`px-2 py-0.5 rounded text-xs font-medium ${priorityColors[priority]}`}>
+              {priorityLabels[priority]}
+            </span>
+            <span className={`px-2 py-0.5 rounded text-xs font-medium ${errorTypeColors[test.error_type] || errorTypeColors.unknown}`}>
+              {test.error_type.replace('_', ' ')}
+            </span>
+            <span className="text-xs text-slate-400">{test.service}</span>
+            {failureCount > 1 && (
+              <span className="px-1.5 py-0.5 rounded bg-red-100 text-red-600 text-xs font-medium">
+                {failureCount}x fehlgeschlagen
+              </span>
+            )}
+          </div>
+          <h4 className="font-mono text-sm font-medium text-slate-900 truncate" title={test.name}>
+            {test.name}
+          </h4>
+          <p className="text-xs text-slate-500 truncate" title={test.file_path}>
+            {test.file_path}
+          </p>
+        </div>
+        <div className="flex flex-col gap-1 ml-2">
+          <select
+            value={test.status}
+            onChange={(e) => onStatusChange(test.id, e.target.value)}
+            className={`px-2 py-1 rounded text-xs font-medium cursor-pointer border-0 ${statusColors[test.status]}`}
+          >
+            <option value="open">Offen</option>
+            <option value="in_progress">In Arbeit</option>
+            <option value="fixed">Behoben</option>
+            <option value="wont_fix">Ignoriert</option>
+            <option value="flaky">Flaky</option>
+          </select>
+          {onPriorityChange && (
+            <select
+              value={priority}
+              onChange={(e) => onPriorityChange(test.id, e.target.value)}
+              className="px-2 py-1 rounded text-xs font-medium cursor-pointer border border-slate-200"
+            >
+              <option value="critical">Kritisch</option>
+              <option value="high">Hoch</option>
+              <option value="medium">Mittel</option>
+              <option value="low">Niedrig</option>
+            </select>
+          )}
+        </div>
+      </div>
+
+      <div className="bg-red-50 rounded-lg p-3 mb-3">
+        <p className="text-sm text-red-800 font-medium mb-1">Fehlermeldung:</p>
+        <p className="text-xs text-red-700 font-mono break-words">
+          {test.error_message || 'Keine Details verfuegbar'}
+        </p>
+      </div>
+
+      {test.suggestion && (
+        <div className="bg-emerald-50 rounded-lg p-3">
+          <p className="text-sm text-emerald-800 font-medium mb-1">💡 Loesungsvorschlag:</p>
+          <p className="text-xs text-emerald-700">
+            {test.suggestion}
+          </p>
+        </div>
+      )}
+
+      <div className="mt-3 pt-3 border-t border-slate-100 flex items-center justify-between text-xs text-slate-400">
+        <span>Zuletzt fehlgeschlagen: {test.last_failed ? new Date(test.last_failed).toLocaleString('de-DE') : 'Unbekannt'}</span>
+        <button
+          className="text-orange-600 hover:text-orange-700 font-medium"
+          onClick={() => {
+            navigator.clipboard.writeText(test.id)
+          }}
+        >
+          ID kopieren
+        </button>
+      </div>
+    </div>
+  )
+}
+
+// ==============================================================================
+// BacklogTab
+// ==============================================================================
+
+export function BacklogTab({
+  failedTests,
+  onStatusChange,
+  onPriorityChange,
+  isLoading,
+  backlogItems,
+  usePostgres = false,
+}: {
+  failedTests: FailedTest[]
+  onStatusChange: (testId: string, status: string) => void
+  onPriorityChange?: (testId: string, priority: string) => void
+  isLoading: boolean
+  backlogItems?: BacklogItem[]
+  usePostgres?: boolean
+}) {
+  const [filterStatus, setFilterStatus] = useState<string>('open')
+  const [filterService, setFilterService] = useState<string>('all')
+  const [filterPriority, setFilterPriority] = useState<string>('all')
+  const [llmAutoAnalysis, setLlmAutoAnalysis] = useState<boolean>(true)
+  const [llmRouting, setLlmRouting] = useState<LLMRoutingOption>('smart_routing')
+
+  // Nutze PostgreSQL-Backlog wenn verfuegbar, sonst Legacy
+  const items = usePostgres && backlogItems ? backlogItems : failedTests
+
+  // Gruppiere nach Service
+  const services = [...new Set(items.map(t => 'service' in t ? t.service : (t as BacklogItem).service))]
+
+  // Filtere Items
+  const filteredItems = items.filter(item => {
+    const status = 'status' in item ? item.status : 'open'
+    const service = 'service' in item ? item.service : ''
+    const priority = 'priority' in item ? (item as BacklogItem).priority : 'medium'
+
+    if (filterStatus !== 'all' && status !== filterStatus) return false
+    if (filterService !== 'all' && service !== filterService) return false
+    if (filterPriority !== 'all' && priority !== filterPriority) return false
+    return true
+  })
+
+  // Zaehle nach Status
+  const openCount = items.filter(t => t.status === 'open').length
+  const inProgressCount = items.filter(t => t.status === 'in_progress').length
+  const fixedCount = items.filter(t => t.status === 'fixed').length
+  const flakyCount = items.filter(t => t.status === 'flaky').length
+
+  // Zaehle nach Prioritaet (nur bei PostgreSQL)
+  const criticalCount = backlogItems?.filter(t => t.priority === 'critical').length || 0
+  const highCount = backlogItems?.filter(t => t.priority === 'high').length || 0
+
+  if (isLoading) {
+    return (
+      <div className="flex items-center justify-center py-12">
+        <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-orange-600"></div>
+      </div>
+    )
+  }
+
+  // Konvertiere BacklogItem zu FailedTest fuer die Anzeige
+  const convertToFailedTest = (item: BacklogItem): FailedTest => ({
+    id: String(item.id),
+    name: item.test_name,
+    service: item.service,
+    file_path: item.test_file || '',
+    error_message: item.error_message || '',
+    error_type: item.error_type || 'unknown',
+    suggestion: item.fix_suggestion || '',
+    run_id: '',
+    last_failed: item.last_failed_at,
+    status: item.status,
+  })
+
+  return (
+    <div className="space-y-6">
+      {/* Stats */}
+      <div className="grid grid-cols-2 md:grid-cols-5 gap-4">
+        <div className="bg-red-50 border border-red-200 rounded-xl p-4">
+          <p className="text-2xl font-bold text-red-600">{openCount}</p>
+          <p className="text-sm text-red-700">Offene Fehler</p>
+        </div>
+        <div className="bg-blue-50 border border-blue-200 rounded-xl p-4">
+          <p className="text-2xl font-bold text-blue-600">{inProgressCount}</p>
+          <p className="text-sm text-blue-700">In Arbeit</p>
+        </div>
+        <div className="bg-emerald-50 border border-emerald-200 rounded-xl p-4">
+          <p className="text-2xl font-bold text-emerald-600">{fixedCount}</p>
+          <p className="text-sm text-emerald-700">Behoben</p>
+        </div>
+        <div className="bg-purple-50 border border-purple-200 rounded-xl p-4">
+          <p className="text-2xl font-bold text-purple-600">{flakyCount}</p>
+          <p className="text-sm text-purple-700">Flaky</p>
+        </div>
+        {usePostgres && criticalCount + highCount > 0 && (
+          <div className="bg-orange-50 border border-orange-200 rounded-xl p-4">
+            <p className="text-2xl font-bold text-orange-600">{criticalCount + highCount}</p>
+            <p className="text-sm text-orange-700">Kritisch/Hoch</p>
+          </div>
+        )}
+      </div>
+
+      {/* PostgreSQL Badge */}
+      {usePostgres && (
+        <div className="flex items-center gap-2 px-3 py-1.5 bg-emerald-50 border border-emerald-200 rounded-lg w-fit">
+          <svg className="w-4 h-4 text-emerald-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 13l4 4L19 7" />
+          </svg>
+          <span className="text-xs text-emerald-700 font-medium">Persistente Speicherung aktiv (PostgreSQL)</span>
+        </div>
+      )}
+
+      {/* LLM Analysis Toggle */}
+      <div className="bg-gradient-to-r from-violet-50 to-purple-50 border border-violet-200 rounded-xl p-4">
+        <div className="flex items-center justify-between">
+          <div className="flex items-center gap-3">
+            <div className="w-10 h-10 bg-violet-100 rounded-lg flex items-center justify-center">
+              <svg className="w-5 h-5 text-violet-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" />
+              </svg>
+            </div>
+            <div>
+              <h4 className="font-medium text-slate-800">Automatische LLM-Analyse</h4>
+              <p className="text-xs text-slate-500">KI-gestuetzte Fix-Vorschlaege fuer Backlog-Eintraege</p>
+            </div>
+          </div>
+          <label className="relative inline-flex items-center cursor-pointer">
+            <input
+              type="checkbox"
+              checked={llmAutoAnalysis}
+              onChange={(e) => setLlmAutoAnalysis(e.target.checked)}
+              className="sr-only peer"
+            />
+            <div className="w-11 h-6 bg-slate-200 peer-focus:outline-none peer-focus:ring-4 peer-focus:ring-violet-300 rounded-full peer peer-checked:after:translate-x-full rtl:peer-checked:after:-translate-x-full peer-checked:after:border-white after:content-[''] after:absolute after:top-[2px] after:start-[2px] after:bg-white after:border-slate-300 after:border after:rounded-full after:h-5 after:w-5 after:transition-all peer-checked:bg-violet-600"></div>
+          </label>
+        </div>
+
+        {llmAutoAnalysis && (
+          <div className="mt-4 pt-4 border-t border-violet-200">
+            <p className="text-xs text-slate-600 mb-3">LLM-Routing Strategie:</p>
+            <div className="flex flex-wrap gap-2">
+              {([
+                { value: 'local_only' as const, label: 'Nur lokales 32B LLM', badge: 'DSGVO', badgeColor: 'bg-emerald-100 text-emerald-700' },
+                { value: 'claude_preferred' as const, label: 'Claude bevorzugt', badge: 'Qualitaet', badgeColor: 'bg-blue-100 text-blue-700' },
+                { value: 'smart_routing' as const, label: 'Smart Routing', badge: 'Empfohlen', badgeColor: 'bg-amber-100 text-amber-700' },
+              ]).map((option) => (
+                <label key={option.value} className={`flex items-center gap-2 px-3 py-2 rounded-lg border cursor-pointer transition-colors ${
+                  llmRouting === option.value
+                    ? 'bg-violet-100 border-violet-300 text-violet-800'
+                    : 'bg-white border-slate-200 text-slate-600 hover:bg-slate-50'
+                }`}>
+                  <input
+                    type="radio"
+                    name="llm-routing"
+                    value={option.value}
+                    checked={llmRouting === option.value}
+                    onChange={() => setLlmRouting(option.value)}
+                    className="sr-only"
+                  />
+                  <span className="text-sm font-medium">{option.label}</span>
+                  <span className={`text-xs px-1.5 py-0.5 ${option.badgeColor} rounded`}>{option.badge}</span>
+                </label>
+              ))}
+            </div>
+            <p className="text-xs text-slate-500 mt-2">
+              {llmRouting === 'local_only' && 'Alle Analysen werden mit Qwen2.5-32B lokal durchgefuehrt. Keine Daten verlassen den Server.'}
+              {llmRouting === 'claude_preferred' && 'Verwendet Claude fuer beste Fix-Qualitaet. Nur Code-Snippets werden uebertragen.'}
+              {llmRouting === 'smart_routing' && 'Privacy Classifier entscheidet automatisch: Sensitive Daten → lokal, Code → Claude.'}
+            </p>
+          </div>
+        )}
+      </div>
+
+      {/* Filter */}
+      <div className="flex flex-wrap gap-4 items-center">
+        <div>
+          <label className="text-sm text-slate-600 mr-2">Status:</label>
+          <select
+            value={filterStatus}
+            onChange={(e) => setFilterStatus(e.target.value)}
+            className="px-3 py-1.5 rounded-lg border border-slate-200 text-sm"
+          >
+            <option value="all">Alle</option>
+            <option value="open">Offen ({openCount})</option>
+            <option value="in_progress">In Arbeit ({inProgressCount})</option>
+            <option value="fixed">Behoben ({fixedCount})</option>
+            <option value="flaky">Flaky ({flakyCount})</option>
+            <option value="wont_fix">Ignoriert</option>
+          </select>
+        </div>
+        <div>
+          <label className="text-sm text-slate-600 mr-2">Service:</label>
+          <select
+            value={filterService}
+            onChange={(e) => setFilterService(e.target.value)}
+            className="px-3 py-1.5 rounded-lg border border-slate-200 text-sm"
+          >
+            <option value="all">Alle Services</option>
+            {services.map(s => (
+              <option key={s} value={s}>{s}</option>
+            ))}
+          </select>
+        </div>
+        {usePostgres && (
+          <div>
+            <label className="text-sm text-slate-600 mr-2">Prioritaet:</label>
+            <select
+              value={filterPriority}
+              onChange={(e) => setFilterPriority(e.target.value)}
+              className="px-3 py-1.5 rounded-lg border border-slate-200 text-sm"
+            >
+              <option value="all">Alle</option>
+              <option value="critical">Kritisch</option>
+              <option value="high">Hoch</option>
+              <option value="medium">Mittel</option>
+              <option value="low">Niedrig</option>
+            </select>
+          </div>
+        )}
+        <div className="ml-auto text-sm text-slate-500">
+          {filteredItems.length} von {items.length} Tests angezeigt
+        </div>
+      </div>
+
+      {/* Test-Liste */}
+      {filteredItems.length === 0 ? (
+        <div className="text-center py-12 bg-emerald-50 rounded-xl border border-emerald-200">
+          <svg className="w-12 h-12 mx-auto text-emerald-400 mb-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
+          </svg>
+          <p className="text-emerald-700 font-medium">
+            {filterStatus === 'open' ? 'Keine offenen Fehler! 🎉' : 'Keine Tests mit diesem Filter gefunden.'}
+          </p>
+          {filterStatus === 'open' && (
+            <p className="text-sm text-emerald-600 mt-2">
+              Alle Tests bestanden. Bereit fuer Go-Live!
+            </p>
+          )}
+        </div>
+      ) : (
+        <div className="grid grid-cols-1 lg:grid-cols-2 gap-4">
+          {filteredItems.map((item) => {
+            const test = usePostgres && 'test_name' in item
+              ? convertToFailedTest(item as BacklogItem)
+              : item as FailedTest
+            const itemPriority = usePostgres && 'priority' in item
+              ? (item as BacklogItem).priority
+              : 'medium'
+            const failureCount = usePostgres && 'failure_count' in item
+              ? (item as BacklogItem).failure_count
+              : 1
+
+            return (
+              <FailedTestCard
+                key={test.id}
+                test={test}
+                onStatusChange={onStatusChange}
+                onPriorityChange={onPriorityChange}
+                priority={itemPriority}
+                failureCount={failureCount}
+              />
+            )
+          })}
+        </div>
+      )}
+
+      {/* Info */}
+      <div className="bg-blue-50 border border-blue-200 rounded-xl p-4">
+        <div className="flex items-start gap-3">
+          <svg className="w-5 h-5 text-blue-600 flex-shrink-0 mt-0.5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+          </svg>
+          <div>
+            <p className="text-sm text-blue-800 font-medium">Workflow fuer fehlgeschlagene Tests:</p>
+            <ol className="text-xs text-blue-700 mt-2 space-y-1 list-decimal list-inside">
+              <li>Markiere den Test als "In Arbeit" wenn du daran arbeitest</li>
+              <li>Analysiere die Fehlermeldung und den Loesungsvorschlag</li>
+              <li>Behebe den Fehler im Code</li>
+              <li>Fuehre den Test erneut aus (Button im Service-Tab)</li>
+              <li>Markiere als "Behoben" wenn der Test besteht</li>
+              {usePostgres && <li>Setze "Flaky" fuer sporadisch fehlschlagende Tests</li>}
+            </ol>
+          </div>
+        </div>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/tests/_components/CoverageChart.tsx b/admin-core/app/(admin)/infrastructure/tests/_components/CoverageChart.tsx
new file mode 100644
index 0000000..71a2013
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/tests/_components/CoverageChart.tsx
@@ -0,0 +1,42 @@
+'use client'
+
+import type { CoverageData } from '../types'
+
+export function CoverageChart({ data }: { data: CoverageData[] }) {
+  if (data.length === 0) {
+    return (
+      <div className="text-center py-8 text-slate-400">
+        Keine Coverage-Daten verfuegbar
+      </div>
+    )
+  }
+
+  const sortedData = [...data].sort((a, b) => b.coverage_percent - a.coverage_percent)
+
+  return (
+    <div className="space-y-3">
+      {sortedData.map((item) => (
+        <div key={item.service}>
+          <div className="flex items-center justify-between text-sm mb-1">
+            <span className="text-slate-600 truncate max-w-[200px]">{item.display_name}</span>
+            <span
+              className={`font-medium ${
+                item.coverage_percent >= 80 ? 'text-emerald-600' : item.coverage_percent >= 60 ? 'text-amber-600' : 'text-red-600'
+              }`}
+            >
+              {item.coverage_percent.toFixed(1)}%
+            </span>
+          </div>
+          <div className="h-2 bg-slate-100 rounded-full overflow-hidden">
+            <div
+              className={`h-full rounded-full transition-all ${
+                item.coverage_percent >= 80 ? 'bg-emerald-500' : item.coverage_percent >= 60 ? 'bg-amber-500' : 'bg-red-500'
+              }`}
+              style={{ width: `${item.coverage_percent}%` }}
+            />
+          </div>
+        </div>
+      ))}
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/tests/_components/FrameworkDistribution.tsx b/admin-core/app/(admin)/infrastructure/tests/_components/FrameworkDistribution.tsx
new file mode 100644
index 0000000..adc08b1
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/tests/_components/FrameworkDistribution.tsx
@@ -0,0 +1,43 @@
+'use client'
+
+export function FrameworkDistribution({ data }: { data: Record<string, number> }) {
+  const total = Object.values(data).reduce((a, b) => a + b, 0)
+  if (total === 0) return null
+
+  const frameworkLabels: Record<string, string> = {
+    go_test: 'Go Tests',
+    pytest: 'Python (pytest)',
+    jest: 'Jest (TS)',
+    vitest: 'Vitest (SDK)',
+    playwright: 'Playwright (E2E)',
+    bqas_golden: 'BQAS Golden',
+    bqas_rag: 'BQAS RAG',
+    bqas_synthetic: 'BQAS Synthetic',
+  }
+
+  const frameworkColors: Record<string, string> = {
+    go_test: 'bg-cyan-500',
+    pytest: 'bg-yellow-500',
+    jest: 'bg-blue-500',
+    vitest: 'bg-orange-500',
+    playwright: 'bg-purple-500',
+    bqas_golden: 'bg-emerald-500',
+    bqas_rag: 'bg-teal-500',
+    bqas_synthetic: 'bg-amber-500',
+  }
+
+  return (
+    <div className="space-y-3">
+      {Object.entries(data)
+        .sort((a, b) => b[1] - a[1])
+        .map(([framework, count]) => (
+          <div key={framework} className="flex items-center gap-3">
+            <div className={`w-3 h-3 rounded-full ${frameworkColors[framework] || 'bg-slate-400'}`} />
+            <span className="text-sm text-slate-600 flex-1">{frameworkLabels[framework] || framework}</span>
+            <span className="text-sm font-medium text-slate-900">{count}</span>
+            <span className="text-xs text-slate-400">({((count / total) * 100).toFixed(0)}%)</span>
+          </div>
+        ))}
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/tests/_components/GuideTab.tsx b/admin-core/app/(admin)/infrastructure/tests/_components/GuideTab.tsx
new file mode 100644
index 0000000..27c9729
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/tests/_components/GuideTab.tsx
@@ -0,0 +1,232 @@
+'use client'
+
+import Link from 'next/link'
+
+export function GuideTab() {
+  return (
+    <div className="space-y-8">
+      <div className="bg-gradient-to-r from-orange-50 to-amber-50 rounded-xl border border-orange-200 p-6">
+        <h2 className="text-xl font-bold text-slate-900 mb-4 flex items-center gap-2">
+          <svg className="w-6 h-6 text-orange-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.663 17h4.673M12 3v1m6.364 1.636l-.707.707M21 12h-1M4 12H3m3.343-5.657l-.707-.707m2.828 9.9a5 5 0 117.072 0l-.548.547A3.374 3.374 0 0014 18.469V19a2 2 0 11-4 0v-.531c0-.895-.356-1.754-.988-2.386l-.548-.547z" />
+          </svg>
+          Was ist das Test Dashboard?
+        </h2>
+        <p className="text-slate-700 leading-relaxed">
+          Das <strong>Test Dashboard</strong> ist die zentrale Uebersicht fuer alle 260+ Tests im Breakpilot-System.
+          Es aggregiert Tests aus verschiedenen Services (Go, Python, TypeScript) ohne diese physisch zu migrieren.
+          Tests bleiben an ihren konventionellen Orten, werden aber hier zentral ueberwacht und ausgefuehrt.
+          Seit 2026-02 inklusive AI Compliance SDK Unit Tests (Vitest) und E2E Tests (Playwright).
+        </p>
+      </div>
+
+      <div className="bg-white rounded-xl border border-slate-200 p-6">
+        <h3 className="text-lg font-semibold text-slate-900 mb-4">Test-Kategorien</h3>
+        <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-4 gap-4">
+          <div className="p-4 bg-cyan-50 rounded-lg border border-cyan-200">
+            <div className="flex items-center gap-2 mb-2">
+              <span className="text-xl">🐹</span>
+              <h4 className="font-medium text-cyan-800">Go Unit Tests (~57)</h4>
+            </div>
+            <p className="text-sm text-cyan-700">
+              consent-service, billing-service, school-service, edu-search-service, ai-compliance-sdk
+            </p>
+          </div>
+          <div className="p-4 bg-yellow-50 rounded-lg border border-yellow-200">
+            <div className="flex items-center gap-2 mb-2">
+              <span className="text-xl">🐍</span>
+              <h4 className="font-medium text-yellow-800">Python Tests (~50)</h4>
+            </div>
+            <p className="text-sm text-yellow-700">
+              backend, voice-service, klausur-service, geo-service
+            </p>
+          </div>
+          <div className="p-4 bg-emerald-50 rounded-lg border border-emerald-200">
+            <div className="flex items-center gap-2 mb-2">
+              <span className="text-xl">🎯</span>
+              <h4 className="font-medium text-emerald-800">BQAS Golden (97)</h4>
+            </div>
+            <p className="text-sm text-emerald-700">
+              Validierte Referenz-Tests mit LLM-Judge fuer Intent-Erkennung
+            </p>
+          </div>
+          <div className="p-4 bg-teal-50 rounded-lg border border-teal-200">
+            <div className="flex items-center gap-2 mb-2">
+              <span className="text-xl">📚</span>
+              <h4 className="font-medium text-teal-800">BQAS RAG (~20)</h4>
+            </div>
+            <p className="text-sm text-teal-700">
+              RAG-Judge Tests fuer Retrieval, Citations, Hallucination-Control
+            </p>
+          </div>
+          <div className="p-4 bg-blue-50 rounded-lg border border-blue-200">
+            <div className="flex items-center gap-2 mb-2">
+              <span className="text-xl">📘</span>
+              <h4 className="font-medium text-blue-800">TypeScript Jest (~8)</h4>
+            </div>
+            <p className="text-sm text-blue-700">
+              Website Unit Tests fuer React-Komponenten
+            </p>
+          </div>
+          <div className="p-4 bg-orange-50 rounded-lg border border-orange-200">
+            <div className="flex items-center gap-2 mb-2">
+              <span className="text-xl">⚡</span>
+              <h4 className="font-medium text-orange-800">SDK Vitest (~43)</h4>
+            </div>
+            <p className="text-sm text-orange-700">
+              AI Compliance SDK Unit Tests: Types, Export, Components, Reducer
+            </p>
+          </div>
+          <div className="p-4 bg-purple-50 rounded-lg border border-purple-200">
+            <div className="flex items-center gap-2 mb-2">
+              <span className="text-xl">🎭</span>
+              <h4 className="font-medium text-purple-800">SDK Playwright (~25)</h4>
+            </div>
+            <p className="text-sm text-purple-700">
+              SDK E2E Tests: Navigation, Workflow, Command Bar, Export
+            </p>
+          </div>
+          <div className="p-4 bg-slate-50 rounded-lg border border-slate-200">
+            <div className="flex items-center gap-2 mb-2">
+              <span className="text-xl">🌐</span>
+              <h4 className="font-medium text-slate-800">Website E2E (~5)</h4>
+            </div>
+            <p className="text-sm text-slate-700">
+              End-to-End Tests fuer kritische User Flows
+            </p>
+          </div>
+          <div className="p-4 bg-indigo-50 rounded-lg border border-indigo-200">
+            <div className="flex items-center gap-2 mb-2">
+              <span className="text-xl">🔗</span>
+              <h4 className="font-medium text-indigo-800">Integration Tests (~15)</h4>
+            </div>
+            <p className="text-sm text-indigo-700">
+              Docker Compose basierte E2E-Tests mit Backend, Consent-Service, DB
+            </p>
+          </div>
+        </div>
+      </div>
+
+      <div className="bg-white rounded-xl border border-slate-200 p-6">
+        <h3 className="text-lg font-semibold text-slate-900 mb-4">Architektur</h3>
+        <pre className="bg-slate-50 p-4 rounded-lg text-xs overflow-x-auto">
+{`┌────────────────────────────────────────────────────────────────────┐
+│               Admin-v2 Test Dashboard                               │
+│               /infrastructure/tests                                 │
+├────────────────────────────────────────────────────────────────────┤
+│  ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌─────────────┐  │
+│  │ Unit Tests │  │ SDK Tests  │  │   BQAS     │  │ E2E Tests   │  │
+│  │  (Go, Py)  │  │  (Vitest)  │  │ (LLM/RAG)  │  │ (Playwright)│  │
+│  └────────────┘  └────────────┘  └────────────┘  └─────────────┘  │
+│        │               │               │               │           │
+│        ▼               ▼               ▼               ▼           │
+│  ┌──────────────────────────────────────────────────────────────┐ │
+│  │                    Test Registry API                          │ │
+│  │              /backend/api/tests/registry.py                   │ │
+│  └──────────────────────────────────────────────────────────────┘ │
+└────────────────────────────────────────────────────────────────────┘
+
+Tests bleiben wo sie sind:
+- /consent-service/internal/**/*_test.go
+- /backend/tests/test_*.py
+- /voice-service/tests/bqas/
+- /admin-v2/components/sdk/__tests__/*.test.ts   (Vitest)
+- /admin-v2/e2e/specs/*.spec.ts                  (Playwright)`}
+        </pre>
+      </div>
+
+      {/* CI/CD Workflow Anleitung */}
+      <div className="bg-blue-50 rounded-xl border border-blue-200 p-6">
+        <h3 className="text-lg font-semibold text-blue-900 mb-4 flex items-center gap-2">
+          <svg className="w-5 h-5 text-blue-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15" />
+          </svg>
+          CI/CD Integration
+        </h3>
+
+        <div className="grid grid-cols-1 md:grid-cols-2 gap-6">
+          <div>
+            <h4 className="font-medium text-blue-800 mb-2">🤖 Automatisch (bei jedem Push/PR)</h4>
+            <ul className="space-y-2 text-sm text-blue-700">
+              <li className="flex items-start gap-2">
+                <span className="text-green-500 mt-1">✓</span>
+                <span><strong>Unit Tests</strong> - Go & Python Tests laufen automatisch</span>
+              </li>
+              <li className="flex items-start gap-2">
+                <span className="text-green-500 mt-1">✓</span>
+                <span><strong>Test-Ergebnisse</strong> - Werden ans Dashboard gesendet</span>
+              </li>
+              <li className="flex items-start gap-2">
+                <span className="text-green-500 mt-1">✓</span>
+                <span><strong>Backlog</strong> - Fehlgeschlagene Tests erscheinen hier</span>
+              </li>
+              <li className="flex items-start gap-2">
+                <span className="text-green-500 mt-1">✓</span>
+                <span><strong>Linting</strong> - Code-Qualitaet bei PRs pruefen</span>
+              </li>
+            </ul>
+          </div>
+
+          <div>
+            <h4 className="font-medium text-blue-800 mb-2">👆 Manuell (Button oder Tag)</h4>
+            <ul className="space-y-2 text-sm text-blue-700">
+              <li className="flex items-start gap-2">
+                <span className="text-orange-500 mt-1">▶</span>
+                <span><strong>Docker Builds</strong> - Container erstellen</span>
+              </li>
+              <li className="flex items-start gap-2">
+                <span className="text-orange-500 mt-1">▶</span>
+                <span><strong>SBOM/Scans</strong> - Sicherheitsanalyse ausfuehren</span>
+              </li>
+              <li className="flex items-start gap-2">
+                <span className="text-orange-500 mt-1">▶</span>
+                <span><strong>Deployment</strong> - In Produktion deployen</span>
+              </li>
+              <li className="flex items-start gap-2">
+                <span className="text-orange-500 mt-1">▶</span>
+                <span><strong>Pipeline starten</strong> - Im CI/CD Dashboard</span>
+              </li>
+            </ul>
+          </div>
+        </div>
+
+        <div className="mt-4 pt-4 border-t border-blue-200">
+          <p className="text-sm text-blue-600">
+            <strong>Daten-Fluss:</strong> Gitea Actions → POST /api/tests/ci-result → PostgreSQL → Test Dashboard
+          </p>
+        </div>
+      </div>
+
+      <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
+        <Link
+          href="/ai/test-quality"
+          className="p-4 bg-slate-50 rounded-lg border border-slate-200 hover:border-orange-300 hover:bg-orange-50 transition-colors"
+        >
+          <div className="flex items-center gap-3">
+            <svg className="w-8 h-8 text-slate-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5} d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
+            </svg>
+            <div>
+              <p className="font-medium text-slate-900">BQAS Dashboard</p>
+              <p className="text-xs text-slate-500">Detaillierte BQAS-Metriken und Trend-Analyse</p>
+            </div>
+          </div>
+        </Link>
+        <Link
+          href="/infrastructure/ci-cd"
+          className="p-4 bg-slate-50 rounded-lg border border-slate-200 hover:border-orange-300 hover:bg-orange-50 transition-colors"
+        >
+          <div className="flex items-center gap-3">
+            <svg className="w-8 h-8 text-slate-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5} d="M12 8v4l3 3m6-3a9 9 0 11-18 0 9 9 0 0118 0z" />
+            </svg>
+            <div>
+              <p className="font-medium text-slate-900">CI/CD Pipelines</p>
+              <p className="text-xs text-slate-500">Gitea Actions und automatische Test-Planung</p>
+            </div>
+          </div>
+        </Link>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/tests/_components/MetricCard.tsx b/admin-core/app/(admin)/infrastructure/tests/_components/MetricCard.tsx
new file mode 100644
index 0000000..ae7fdfd
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/tests/_components/MetricCard.tsx
@@ -0,0 +1,55 @@
+'use client'
+
+export function MetricCard({
+  title,
+  value,
+  subtitle,
+  trend,
+  color = 'blue',
+}: {
+  title: string
+  value: string | number
+  subtitle?: string
+  trend?: 'up' | 'down' | 'stable'
+  color?: 'blue' | 'green' | 'red' | 'yellow' | 'orange' | 'purple'
+}) {
+  const colorClasses = {
+    blue: 'bg-blue-50 border-blue-200',
+    green: 'bg-emerald-50 border-emerald-200',
+    red: 'bg-red-50 border-red-200',
+    yellow: 'bg-amber-50 border-amber-200',
+    orange: 'bg-orange-50 border-orange-200',
+    purple: 'bg-purple-50 border-purple-200',
+  }
+
+  const trendIcons = {
+    up: (
+      <svg className="w-4 h-4 text-emerald-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+        <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 10l7-7m0 0l7 7m-7-7v18" />
+      </svg>
+    ),
+    down: (
+      <svg className="w-4 h-4 text-red-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+        <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 14l-7 7m0 0l-7-7m7 7V3" />
+      </svg>
+    ),
+    stable: (
+      <svg className="w-4 h-4 text-slate-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+        <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 12h14" />
+      </svg>
+    ),
+  }
+
+  return (
+    <div className={`rounded-xl border p-5 ${colorClasses[color]}`}>
+      <div className="flex items-start justify-between">
+        <div>
+          <p className="text-sm font-medium text-slate-600">{title}</p>
+          <p className="mt-1 text-2xl font-bold text-slate-900">{value}</p>
+          {subtitle && <p className="mt-1 text-xs text-slate-500">{subtitle}</p>}
+        </div>
+        {trend && <div className="mt-1">{trendIcons[trend]}</div>}
+      </div>
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/tests/_components/ServiceTestCard.tsx b/admin-core/app/(admin)/infrastructure/tests/_components/ServiceTestCard.tsx
new file mode 100644
index 0000000..475ef62
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/tests/_components/ServiceTestCard.tsx
@@ -0,0 +1,147 @@
+'use client'
+
+import type { ServiceTestInfo, ServiceProgress } from '../types'
+
+export function ServiceTestCard({
+  service,
+  onRun,
+  isRunning,
+  progress,
+}: {
+  service: ServiceTestInfo
+  onRun: (service: string) => void
+  isRunning: boolean
+  progress?: ServiceProgress
+}) {
+  const passRate = service.total_tests > 0 ? (service.passed_tests / service.total_tests) * 100 : 0
+
+  const getLanguageIcon = (lang: string) => {
+    switch (lang) {
+      case 'go':
+        return '🐹'
+      case 'python':
+        return '🐍'
+      case 'typescript':
+        return '📘'
+      case 'mixed':
+        return '🔀'
+      default:
+        return '📦'
+    }
+  }
+
+  const getStatusColor = (status: string) => {
+    switch (status) {
+      case 'passed':
+        return 'bg-emerald-100 text-emerald-700'
+      case 'failed':
+        return 'bg-red-100 text-red-700'
+      case 'running':
+        return 'bg-blue-100 text-blue-700'
+      default:
+        return 'bg-slate-100 text-slate-700'
+    }
+  }
+
+  return (
+    <div className="bg-white rounded-xl border border-slate-200 p-5 hover:border-orange-300 transition-colors">
+      <div className="flex items-start justify-between mb-4">
+        <div className="flex items-center gap-3">
+          <span className="text-2xl">{getLanguageIcon(service.language)}</span>
+          <div>
+            <h3 className="font-semibold text-slate-900">{service.display_name}</h3>
+            <p className="text-xs text-slate-500">
+              {service.port ? `Port ${service.port}` : 'Library'} • {service.language}
+            </p>
+          </div>
+        </div>
+        <span className={`px-2 py-1 rounded text-xs font-medium ${getStatusColor(service.status)}`}>
+          {service.status === 'passed' ? 'Bestanden' : service.status === 'failed' ? 'Fehler' : 'Ausstehend'}
+        </span>
+      </div>
+
+      <div className="space-y-3">
+        <div>
+          <div className="flex items-center justify-between text-sm mb-1">
+            <span className="text-slate-600">Pass Rate</span>
+            <span className="font-medium text-slate-900">{passRate.toFixed(0)}%</span>
+          </div>
+          <div className="h-2 bg-slate-100 rounded-full overflow-hidden">
+            <div
+              className={`h-full rounded-full transition-all ${
+                passRate >= 80 ? 'bg-emerald-500' : passRate >= 60 ? 'bg-amber-500' : 'bg-red-500'
+              }`}
+              style={{ width: `${passRate}%` }}
+            />
+          </div>
+        </div>
+
+        <div className="grid grid-cols-3 gap-2 text-center">
+          <div className="p-2 bg-slate-50 rounded-lg">
+            <p className="text-lg font-bold text-slate-900">{service.total_tests}</p>
+            <p className="text-xs text-slate-500">Tests</p>
+          </div>
+          <div className="p-2 bg-emerald-50 rounded-lg">
+            <p className="text-lg font-bold text-emerald-600">{service.passed_tests}</p>
+            <p className="text-xs text-slate-500">Bestanden</p>
+          </div>
+          <div className="p-2 bg-red-50 rounded-lg">
+            <p className="text-lg font-bold text-red-600">{service.failed_tests}</p>
+            <p className="text-xs text-slate-500">Fehler</p>
+          </div>
+        </div>
+
+        {service.coverage_percent && (
+          <div className="flex items-center justify-between text-sm pt-2 border-t border-slate-100">
+            <span className="text-slate-600">Coverage</span>
+            <span className={`font-medium ${service.coverage_percent >= 70 ? 'text-emerald-600' : 'text-amber-600'}`}>
+              {service.coverage_percent.toFixed(1)}%
+            </span>
+          </div>
+        )}
+
+        {/* Progress-Anzeige wenn Tests laufen */}
+        {isRunning && progress && progress.status === 'running' && (
+          <div className="mb-3 p-3 bg-orange-50 rounded-lg border border-orange-200">
+            <div className="flex items-center justify-between text-xs text-orange-700 mb-2">
+              <span className="font-mono truncate max-w-[180px]">{progress.current_file || 'Starte...'}</span>
+              <span>{progress.files_done}/{progress.files_total} Dateien</span>
+            </div>
+            <div className="h-1.5 bg-orange-100 rounded-full overflow-hidden">
+              <div
+                className="h-full bg-orange-500 rounded-full transition-all"
+                style={{ width: `${progress.files_total > 0 ? (progress.files_done / progress.files_total) * 100 : 0}%` }}
+              />
+            </div>
+            <div className="flex items-center justify-between mt-2 text-xs">
+              <span className="text-emerald-600 font-medium">{progress.passed} bestanden</span>
+              <span className="text-red-600 font-medium">{progress.failed} fehler</span>
+            </div>
+          </div>
+        )}
+
+        <button
+          onClick={() => onRun(service.service)}
+          disabled={isRunning}
+          className={`w-full py-2 rounded-lg text-sm font-medium transition-all ${
+            isRunning
+              ? 'bg-orange-100 text-orange-600 cursor-wait'
+              : 'bg-orange-600 text-white hover:bg-orange-700 active:scale-98'
+          }`}
+        >
+          {isRunning ? (
+            <span className="flex items-center justify-center gap-2">
+              <svg className="animate-spin h-4 w-4" fill="none" viewBox="0 0 24 24">
+                <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4" />
+                <path className="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4z" />
+              </svg>
+              {progress && progress.status === 'running' ? `${progress.passed + progress.failed} Tests...` : 'Laeuft...'}
+            </span>
+          ) : (
+            'Tests starten'
+          )}
+        </button>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/tests/_components/TestRunsTable.tsx b/admin-core/app/(admin)/infrastructure/tests/_components/TestRunsTable.tsx
new file mode 100644
index 0000000..00f5f2b
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/tests/_components/TestRunsTable.tsx
@@ -0,0 +1,66 @@
+'use client'
+
+import type { TestRun } from '../types'
+
+export function TestRunsTable({ runs }: { runs: TestRun[] }) {
+  if (runs.length === 0) {
+    return (
+      <div className="text-center py-8 text-slate-400">
+        Keine Test-Laeufe vorhanden
+      </div>
+    )
+  }
+
+  return (
+    <div className="overflow-x-auto">
+      <table className="w-full text-sm">
+        <thead>
+          <tr className="border-b border-slate-200">
+            <th className="text-left py-3 px-4 font-medium text-slate-600">ID</th>
+            <th className="text-left py-3 px-4 font-medium text-slate-600">Service</th>
+            <th className="text-left py-3 px-4 font-medium text-slate-600">Zeitpunkt</th>
+            <th className="text-right py-3 px-4 font-medium text-slate-600">Tests</th>
+            <th className="text-right py-3 px-4 font-medium text-slate-600">Bestanden</th>
+            <th className="text-right py-3 px-4 font-medium text-slate-600">Dauer</th>
+            <th className="text-center py-3 px-4 font-medium text-slate-600">Status</th>
+          </tr>
+        </thead>
+        <tbody>
+          {runs.map((run) => (
+            <tr key={run.id} className="border-b border-slate-100 hover:bg-slate-50">
+              <td className="py-3 px-4 font-mono text-xs text-slate-500">{run.id.slice(-8)}</td>
+              <td className="py-3 px-4 text-slate-900">{run.service}</td>
+              <td className="py-3 px-4 text-slate-600">
+                {new Date(run.started_at).toLocaleString('de-DE')}
+              </td>
+              <td className="py-3 px-4 text-right text-slate-600">{run.total_tests}</td>
+              <td className="py-3 px-4 text-right">
+                <span className="text-emerald-600">{run.passed_tests}</span>
+                <span className="text-slate-400"> / </span>
+                <span className="text-red-600">{run.failed_tests}</span>
+              </td>
+              <td className="py-3 px-4 text-right text-slate-500">
+                {run.duration_seconds.toFixed(1)}s
+              </td>
+              <td className="py-3 px-4 text-center">
+                <span
+                  className={`px-2 py-1 rounded text-xs font-medium ${
+                    run.status === 'completed'
+                      ? 'bg-emerald-100 text-emerald-700'
+                      : run.status === 'failed'
+                        ? 'bg-red-100 text-red-700'
+                        : run.status === 'running'
+                          ? 'bg-blue-100 text-blue-700'
+                          : 'bg-slate-100 text-slate-700'
+                  }`}
+                >
+                  {run.status}
+                </span>
+              </td>
+            </tr>
+          ))}
+        </tbody>
+      </table>
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/tests/_components/ToastContainer.tsx b/admin-core/app/(admin)/infrastructure/tests/_components/ToastContainer.tsx
new file mode 100644
index 0000000..256ce1a
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/tests/_components/ToastContainer.tsx
@@ -0,0 +1,55 @@
+'use client'
+
+import type { Toast } from '../types'
+
+export function ToastContainer({ toasts, onDismiss }: { toasts: Toast[]; onDismiss: (id: number) => void }) {
+  return (
+    <div className="fixed bottom-4 right-4 z-50 space-y-2">
+      {toasts.map((toast) => (
+        <div
+          key={toast.id}
+          className={`flex items-center gap-3 px-4 py-3 rounded-lg shadow-lg border animate-slide-in ${
+            toast.type === 'success'
+              ? 'bg-emerald-50 border-emerald-200 text-emerald-800'
+              : toast.type === 'error'
+                ? 'bg-red-50 border-red-200 text-red-800'
+                : toast.type === 'loading'
+                  ? 'bg-blue-50 border-blue-200 text-blue-800'
+                  : 'bg-slate-50 border-slate-200 text-slate-800'
+          }`}
+        >
+          {toast.type === 'loading' ? (
+            <svg className="animate-spin h-5 w-5" fill="none" viewBox="0 0 24 24">
+              <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4" />
+              <path
+                className="opacity-75"
+                fill="currentColor"
+                d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"
+              />
+            </svg>
+          ) : toast.type === 'success' ? (
+            <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 13l4 4L19 7" />
+            </svg>
+          ) : toast.type === 'error' ? (
+            <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
+            </svg>
+          ) : (
+            <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+            </svg>
+          )}
+          <span className="text-sm font-medium">{toast.message}</span>
+          {toast.type !== 'loading' && (
+            <button onClick={() => onDismiss(toast.id)} className="ml-2 opacity-60 hover:opacity-100">
+              <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
+              </svg>
+            </button>
+          )}
+        </div>
+      ))}
+    </div>
+  )
+}
diff --git a/admin-core/app/(admin)/infrastructure/tests/_hooks/useTestDashboard.ts b/admin-core/app/(admin)/infrastructure/tests/_hooks/useTestDashboard.ts
new file mode 100644
index 0000000..c0b6505
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/tests/_hooks/useTestDashboard.ts
@@ -0,0 +1,313 @@
+'use client'
+
+import { useState, useEffect, useCallback, useRef } from 'react'
+import type {
+  ServiceTestInfo,
+  TestRegistryStats,
+  TestRun,
+  CoverageData,
+  TabType,
+  Toast,
+  FailedTest,
+  BacklogItem,
+  ServiceProgress,
+} from '../types'
+
+const API_BASE = '/api/tests'
+
+// Demo data for when API is not available
+const DEMO_SERVICES: ServiceTestInfo[] = [
+  { service: 'consent-service', display_name: 'Consent Service', port: 8081, language: 'go', total_tests: 22, passed_tests: 20, failed_tests: 2, skipped_tests: 0, pass_rate: 90.9, coverage_percent: 82.3, last_run: new Date().toISOString(), status: 'failed' },
+  { service: 'backend', display_name: 'Python Backend', port: 8000, language: 'python', total_tests: 40, passed_tests: 38, failed_tests: 2, skipped_tests: 0, pass_rate: 95.0, coverage_percent: 75.1, last_run: new Date().toISOString(), status: 'failed' },
+  { service: 'klausur-service', display_name: 'Klausur Service', port: 8086, language: 'python', total_tests: 8, passed_tests: 8, failed_tests: 0, skipped_tests: 0, pass_rate: 100, coverage_percent: 71.2, last_run: new Date().toISOString(), status: 'passed' },
+  { service: 'billing-service', display_name: 'Billing Service', port: 8082, language: 'go', total_tests: 5, passed_tests: 5, failed_tests: 0, skipped_tests: 0, pass_rate: 100, coverage_percent: 78.5, last_run: new Date().toISOString(), status: 'passed' },
+  { service: 'school-service', display_name: 'School Service', port: 8084, language: 'go', total_tests: 6, passed_tests: 6, failed_tests: 0, skipped_tests: 0, pass_rate: 100, coverage_percent: 81.4, last_run: new Date().toISOString(), status: 'passed' },
+  { service: 'sdk-unit', display_name: 'SDK Unit Tests (Vitest)', port: undefined, language: 'typescript', total_tests: 43, passed_tests: 43, failed_tests: 0, skipped_tests: 0, pass_rate: 100, coverage_percent: 85.2, last_run: new Date().toISOString(), status: 'passed' },
+  { service: 'sdk-e2e', display_name: 'SDK E2E Tests (Playwright)', port: undefined, language: 'typescript', total_tests: 25, passed_tests: 25, failed_tests: 0, skipped_tests: 0, pass_rate: 100, coverage_percent: undefined, last_run: new Date().toISOString(), status: 'passed' },
+  { service: 'integration-tests', display_name: 'Integration Tests', port: undefined, language: 'python', total_tests: 15, passed_tests: 15, failed_tests: 0, skipped_tests: 0, pass_rate: 100, coverage_percent: undefined, last_run: new Date().toISOString(), status: 'passed' },
+]
+
+const DEMO_STATS: TestRegistryStats = {
+  total_tests: 278,
+  total_passed: 263,
+  total_failed: 15,
+  total_skipped: 0,
+  overall_pass_rate: 94.6,
+  average_coverage: 78.5,
+  services_count: 11,
+  by_category: { unit: 118, bqas: 117, e2e: 30, integration: 15 },
+  by_framework: { go_test: 57, pytest: 68, bqas_golden: 97, bqas_rag: 20, jest: 8, vitest: 43, playwright: 30 },
+}
+
+export function useTestDashboard() {
+  const [activeTab, setActiveTab] = useState<TabType>('overview')
+  const [isLoading, setIsLoading] = useState(true)
+  const [error, setError] = useState<string | null>(null)
+
+  // Toast state
+  const [toasts, setToasts] = useState<Toast[]>([])
+  const toastIdRef = useRef(0)
+
+  const addToast = useCallback((type: Toast['type'], message: string) => {
+    const id = ++toastIdRef.current
+    setToasts((prev) => [...prev, { id, type, message }])
+    if (type !== 'loading') {
+      setTimeout(() => {
+        setToasts((prev) => prev.filter((t) => t.id !== id))
+      }, 5000)
+    }
+    return id
+  }, [])
+
+  const removeToast = useCallback((id: number) => {
+    setToasts((prev) => prev.filter((t) => t.id !== id))
+  }, [])
+
+  const updateToast = useCallback((id: number, type: Toast['type'], message: string) => {
+    setToasts((prev) => prev.map((t) => (t.id === id ? { ...t, type, message } : t)))
+    if (type !== 'loading') {
+      setTimeout(() => {
+        setToasts((prev) => prev.filter((t) => t.id !== id))
+      }, 5000)
+    }
+  }, [])
+
+  // Data states
+  const [services, setServices] = useState<ServiceTestInfo[]>([])
+  const [stats, setStats] = useState<TestRegistryStats | null>(null)
+  const [coverage, setCoverage] = useState<CoverageData[]>([])
+  const [testRuns, setTestRuns] = useState<TestRun[]>([])
+  const [failedTests, setFailedTests] = useState<FailedTest[]>([])
+  const [backlogItems, setBacklogItems] = useState<BacklogItem[]>([])
+  const [usePostgres, setUsePostgres] = useState(false)
+
+  // Running states
+  const [runningServices, setRunningServices] = useState<Set<string>>(new Set())
+
+  // Progress states fuer laufende Tests
+  const [serviceProgress, setServiceProgress] = useState<Record<string, ServiceProgress>>({})
+
+  // Fetch data
+  const fetchData = useCallback(async () => {
+    setIsLoading(true)
+    setError(null)
+
+    try {
+      const registryResponse = await fetch(`${API_BASE}/registry`)
+      if (registryResponse.ok) {
+        const data = await registryResponse.json()
+        setServices(data.services || DEMO_SERVICES)
+        setStats(data.stats || DEMO_STATS)
+      } else {
+        setServices(DEMO_SERVICES)
+        setStats(DEMO_STATS)
+      }
+
+      const coverageResponse = await fetch(`${API_BASE}/coverage`)
+      if (coverageResponse.ok) {
+        const data = await coverageResponse.json()
+        setCoverage(data.services || [])
+      } else {
+        setCoverage(DEMO_SERVICES.filter(s => s.coverage_percent).map(s => ({
+          service: s.service,
+          display_name: s.display_name,
+          coverage_percent: s.coverage_percent!,
+          language: s.language,
+        })))
+      }
+
+      const runsResponse = await fetch(`${API_BASE}/runs`)
+      if (runsResponse.ok) {
+        const data = await runsResponse.json()
+        setTestRuns(data.runs || [])
+      }
+
+      // Lade fehlgeschlagene Tests fuer Backlog
+      const failedResponse = await fetch(`${API_BASE}/failed`)
+      if (failedResponse.ok) {
+        const data = await failedResponse.json()
+        setFailedTests(data.tests || [])
+      }
+
+      // Versuche PostgreSQL-Backlog zu laden (neue API)
+      try {
+        const backlogResponse = await fetch(`${API_BASE}/backlog`)
+        if (backlogResponse.ok) {
+          const data = await backlogResponse.json()
+          if (data.items && data.items.length > 0) {
+            setBacklogItems(data.items)
+            setUsePostgres(true)
+          }
+        }
+      } catch {
+        // PostgreSQL nicht verfuegbar, nutze Legacy
+        setUsePostgres(false)
+      }
+
+    } catch (err) {
+      console.error('Failed to fetch test registry data:', err)
+      setServices(DEMO_SERVICES)
+      setStats(DEMO_STATS)
+      setCoverage(DEMO_SERVICES.filter(s => s.coverage_percent).map(s => ({
+        service: s.service,
+        display_name: s.display_name,
+        coverage_percent: s.coverage_percent!,
+        language: s.language,
+      })))
+    } finally {
+      setIsLoading(false)
+    }
+  }, [])
+
+  useEffect(() => {
+    fetchData()
+  }, [fetchData])
+
+  // Update failed test status
+  const updateTestStatus = async (testId: string, status: string) => {
+    try {
+      const endpoint = usePostgres
+        ? `${API_BASE}/backlog/${testId}/status`
+        : `${API_BASE}/failed/${encodeURIComponent(testId)}/status?status=${status}`
+
+      const response = await fetch(endpoint, {
+        method: 'POST',
+        headers: usePostgres ? { 'Content-Type': 'application/json' } : undefined,
+        body: usePostgres ? JSON.stringify({ status }) : undefined,
+      })
+
+      if (response.ok) {
+        if (usePostgres) {
+          setBacklogItems(prev =>
+            prev.map(t => String(t.id) === testId ? { ...t, status: status as any } : t)
+          )
+        }
+        setFailedTests(prev =>
+          prev.map(t => t.id === testId ? { ...t, status: status as any } : t)
+        )
+        addToast('success', `Test-Status auf "${status}" gesetzt`)
+      }
+    } catch (err) {
+      console.error('Failed to update test status:', err)
+      setFailedTests(prev =>
+        prev.map(t => t.id === testId ? { ...t, status: status as any } : t)
+      )
+      if (usePostgres) {
+        setBacklogItems(prev =>
+          prev.map(t => String(t.id) === testId ? { ...t, status: status as any } : t)
+        )
+      }
+    }
+  }
+
+  // Update failed test priority (nur PostgreSQL)
+  const updateTestPriority = async (testId: string, priority: string) => {
+    if (!usePostgres) return
+
+    try {
+      const response = await fetch(`${API_BASE}/backlog/${testId}/priority`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ priority }),
+      })
+
+      if (response.ok) {
+        setBacklogItems(prev =>
+          prev.map(t => String(t.id) === testId ? { ...t, priority: priority as any } : t)
+        )
+        addToast('success', `Prioritaet auf "${priority}" gesetzt`)
+      }
+    } catch (err) {
+      console.error('Failed to update test priority:', err)
+      setBacklogItems(prev =>
+        prev.map(t => String(t.id) === testId ? { ...t, priority: priority as any } : t)
+      )
+    }
+  }
+
+  // Run tests mit Progress-Polling
+  const runTests = async (service: string) => {
+    setRunningServices((prev) => new Set(prev).add(service))
+    const loadingToast = addToast('loading', `Tests fuer ${service} werden gestartet...`)
+
+    // Progress-Polling starten
+    let pollInterval: NodeJS.Timeout | null = null
+    const pollProgress = async () => {
+      try {
+        const progressResponse = await fetch(`${API_BASE}/progress/${service}`)
+        if (progressResponse.ok) {
+          const progress = await progressResponse.json()
+          setServiceProgress((prev) => ({
+            ...prev,
+            [service]: progress,
+          }))
+
+          if (progress.status === 'running' && progress.files_total > 0) {
+            const toastMsg = `${service}: ${progress.current_file} (${progress.passed} bestanden, ${progress.failed} fehler)`
+            updateToast(loadingToast, 'loading', toastMsg)
+          }
+        }
+      } catch (err) {
+        // Ignore polling errors
+      }
+    }
+
+    pollInterval = setInterval(pollProgress, 1000)
+
+    try {
+      const response = await fetch(`${API_BASE}/run/${service}`, {
+        method: 'POST',
+      })
+
+      if (response.ok) {
+        await new Promise(resolve => setTimeout(resolve, 500))
+        await pollProgress()
+        const finalProgress = serviceProgress[service]
+        const passedMsg = finalProgress ? `${finalProgress.passed} bestanden, ${finalProgress.failed} fehler` : 'abgeschlossen'
+        updateToast(loadingToast, 'success', `${service}: Tests ${passedMsg}`)
+        await fetchData()
+      } else {
+        updateToast(loadingToast, 'info', `${service}: Demo-Modus (API nicht verfuegbar)`)
+      }
+    } catch (err) {
+      console.error('Failed to run tests:', err)
+      updateToast(loadingToast, 'info', `${service}: Demo-Modus (API nicht verfuegbar)`)
+    } finally {
+      if (pollInterval) {
+        clearInterval(pollInterval)
+      }
+      setRunningServices((prev) => {
+        const next = new Set(prev)
+        next.delete(service)
+        return next
+      })
+      setServiceProgress((prev) => {
+        const next = { ...prev }
+        delete next[service]
+        return next
+      })
+    }
+  }
+
+  return {
+    activeTab,
+    setActiveTab,
+    isLoading,
+    error,
+    toasts,
+    removeToast,
+    services,
+    stats,
+    coverage,
+    testRuns,
+    failedTests,
+    backlogItems,
+    usePostgres,
+    runningServices,
+    serviceProgress,
+    fetchData,
+    updateTestStatus,
+    updateTestPriority,
+    runTests,
+  }
+}
diff --git a/admin-core/app/(admin)/infrastructure/tests/page.tsx b/admin-core/app/(admin)/infrastructure/tests/page.tsx
index ce4e3dd..d11d538 100644
--- a/admin-core/app/(admin)/infrastructure/tests/page.tsx
+++ b/admin-core/app/(admin)/infrastructure/tests/page.tsx
@@ -14,1409 +14,44 @@
  * - E2E Playwright (~5)
  */
 
-import React, { useState, useEffect, useCallback, useRef } from 'react'
+import React from 'react'
 import Link from 'next/link'
 import { PagePurpose } from '@/components/common/PagePurpose'
 import { DevOpsPipelineSidebarResponsive } from '@/components/infrastructure/DevOpsPipelineSidebar'
-import type { LLMRoutingOption } from '@/types/infrastructure-modules'
-import type {
-  ServiceTestInfo,
-  TestRegistryStats,
-  TestRun,
-  CoverageData,
-  TabType,
-  Toast,
-  FailedTest,
-  BacklogItem,
-  BacklogPriority,
-  BacklogStatus,
-  TrendDataPoint,
-} from './types'
+import type { TabType } from './types'
 
-// API Configuration
-const API_BASE = '/api/tests'
-
-// ==============================================================================
-// Toast Notification Component
-// ==============================================================================
-
-function ToastContainer({ toasts, onDismiss }: { toasts: Toast[]; onDismiss: (id: number) => void }) {
-  return (
-    <div className="fixed bottom-4 right-4 z-50 space-y-2">
-      {toasts.map((toast) => (
-        <div
-          key={toast.id}
-          className={`flex items-center gap-3 px-4 py-3 rounded-lg shadow-lg border animate-slide-in ${
-            toast.type === 'success'
-              ? 'bg-emerald-50 border-emerald-200 text-emerald-800'
-              : toast.type === 'error'
-                ? 'bg-red-50 border-red-200 text-red-800'
-                : toast.type === 'loading'
-                  ? 'bg-blue-50 border-blue-200 text-blue-800'
-                  : 'bg-slate-50 border-slate-200 text-slate-800'
-          }`}
-        >
-          {toast.type === 'loading' ? (
-            <svg className="animate-spin h-5 w-5" fill="none" viewBox="0 0 24 24">
-              <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4" />
-              <path
-                className="opacity-75"
-                fill="currentColor"
-                d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"
-              />
-            </svg>
-          ) : toast.type === 'success' ? (
-            <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 13l4 4L19 7" />
-            </svg>
-          ) : toast.type === 'error' ? (
-            <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
-            </svg>
-          ) : (
-            <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
-            </svg>
-          )}
-          <span className="text-sm font-medium">{toast.message}</span>
-          {toast.type !== 'loading' && (
-            <button onClick={() => onDismiss(toast.id)} className="ml-2 opacity-60 hover:opacity-100">
-              <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
-              </svg>
-            </button>
-          )}
-        </div>
-      ))}
-    </div>
-  )
-}
-
-// ==============================================================================
-// Helper Components
-// ==============================================================================
-
-function MetricCard({
-  title,
-  value,
-  subtitle,
-  trend,
-  color = 'blue',
-}: {
-  title: string
-  value: string | number
-  subtitle?: string
-  trend?: 'up' | 'down' | 'stable'
-  color?: 'blue' | 'green' | 'red' | 'yellow' | 'orange' | 'purple'
-}) {
-  const colorClasses = {
-    blue: 'bg-blue-50 border-blue-200',
-    green: 'bg-emerald-50 border-emerald-200',
-    red: 'bg-red-50 border-red-200',
-    yellow: 'bg-amber-50 border-amber-200',
-    orange: 'bg-orange-50 border-orange-200',
-    purple: 'bg-purple-50 border-purple-200',
-  }
-
-  const trendIcons = {
-    up: (
-      <svg className="w-4 h-4 text-emerald-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-        <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 10l7-7m0 0l7 7m-7-7v18" />
-      </svg>
-    ),
-    down: (
-      <svg className="w-4 h-4 text-red-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-        <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 14l-7 7m0 0l-7-7m7 7V3" />
-      </svg>
-    ),
-    stable: (
-      <svg className="w-4 h-4 text-slate-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-        <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 12h14" />
-      </svg>
-    ),
-  }
-
-  return (
-    <div className={`rounded-xl border p-5 ${colorClasses[color]}`}>
-      <div className="flex items-start justify-between">
-        <div>
-          <p className="text-sm font-medium text-slate-600">{title}</p>
-          <p className="mt-1 text-2xl font-bold text-slate-900">{value}</p>
-          {subtitle && <p className="mt-1 text-xs text-slate-500">{subtitle}</p>}
-        </div>
-        {trend && <div className="mt-1">{trendIcons[trend]}</div>}
-      </div>
-    </div>
-  )
-}
-
-function ServiceTestCard({
-  service,
-  onRun,
-  isRunning,
-  progress,
-}: {
-  service: ServiceTestInfo
-  onRun: (service: string) => void
-  isRunning: boolean
-  progress?: {
-    current_file: string
-    files_done: number
-    files_total: number
-    passed: number
-    failed: number
-    status: string
-  }
-}) {
-  const passRate = service.total_tests > 0 ? (service.passed_tests / service.total_tests) * 100 : 0
-
-  const getLanguageIcon = (lang: string) => {
-    switch (lang) {
-      case 'go':
-        return '🐹'
-      case 'python':
-        return '🐍'
-      case 'typescript':
-        return '📘'
-      case 'mixed':
-        return '🔀'
-      default:
-        return '📦'
-    }
-  }
-
-  const getStatusColor = (status: string) => {
-    switch (status) {
-      case 'passed':
-        return 'bg-emerald-100 text-emerald-700'
-      case 'failed':
-        return 'bg-red-100 text-red-700'
-      case 'running':
-        return 'bg-blue-100 text-blue-700'
-      default:
-        return 'bg-slate-100 text-slate-700'
-    }
-  }
-
-  return (
-    <div className="bg-white rounded-xl border border-slate-200 p-5 hover:border-orange-300 transition-colors">
-      <div className="flex items-start justify-between mb-4">
-        <div className="flex items-center gap-3">
-          <span className="text-2xl">{getLanguageIcon(service.language)}</span>
-          <div>
-            <h3 className="font-semibold text-slate-900">{service.display_name}</h3>
-            <p className="text-xs text-slate-500">
-              {service.port ? `Port ${service.port}` : 'Library'} • {service.language}
-            </p>
-          </div>
-        </div>
-        <span className={`px-2 py-1 rounded text-xs font-medium ${getStatusColor(service.status)}`}>
-          {service.status === 'passed' ? 'Bestanden' : service.status === 'failed' ? 'Fehler' : 'Ausstehend'}
-        </span>
-      </div>
-
-      <div className="space-y-3">
-        <div>
-          <div className="flex items-center justify-between text-sm mb-1">
-            <span className="text-slate-600">Pass Rate</span>
-            <span className="font-medium text-slate-900">{passRate.toFixed(0)}%</span>
-          </div>
-          <div className="h-2 bg-slate-100 rounded-full overflow-hidden">
-            <div
-              className={`h-full rounded-full transition-all ${
-                passRate >= 80 ? 'bg-emerald-500' : passRate >= 60 ? 'bg-amber-500' : 'bg-red-500'
-              }`}
-              style={{ width: `${passRate}%` }}
-            />
-          </div>
-        </div>
-
-        <div className="grid grid-cols-3 gap-2 text-center">
-          <div className="p-2 bg-slate-50 rounded-lg">
-            <p className="text-lg font-bold text-slate-900">{service.total_tests}</p>
-            <p className="text-xs text-slate-500">Tests</p>
-          </div>
-          <div className="p-2 bg-emerald-50 rounded-lg">
-            <p className="text-lg font-bold text-emerald-600">{service.passed_tests}</p>
-            <p className="text-xs text-slate-500">Bestanden</p>
-          </div>
-          <div className="p-2 bg-red-50 rounded-lg">
-            <p className="text-lg font-bold text-red-600">{service.failed_tests}</p>
-            <p className="text-xs text-slate-500">Fehler</p>
-          </div>
-        </div>
-
-        {service.coverage_percent && (
-          <div className="flex items-center justify-between text-sm pt-2 border-t border-slate-100">
-            <span className="text-slate-600">Coverage</span>
-            <span className={`font-medium ${service.coverage_percent >= 70 ? 'text-emerald-600' : 'text-amber-600'}`}>
-              {service.coverage_percent.toFixed(1)}%
-            </span>
-          </div>
-        )}
-
-        {/* Progress-Anzeige wenn Tests laufen */}
-        {isRunning && progress && progress.status === 'running' && (
-          <div className="mb-3 p-3 bg-orange-50 rounded-lg border border-orange-200">
-            <div className="flex items-center justify-between text-xs text-orange-700 mb-2">
-              <span className="font-mono truncate max-w-[180px]">{progress.current_file || 'Starte...'}</span>
-              <span>{progress.files_done}/{progress.files_total} Dateien</span>
-            </div>
-            <div className="h-1.5 bg-orange-100 rounded-full overflow-hidden">
-              <div
-                className="h-full bg-orange-500 rounded-full transition-all"
-                style={{ width: `${progress.files_total > 0 ? (progress.files_done / progress.files_total) * 100 : 0}%` }}
-              />
-            </div>
-            <div className="flex items-center justify-between mt-2 text-xs">
-              <span className="text-emerald-600 font-medium">{progress.passed} bestanden</span>
-              <span className="text-red-600 font-medium">{progress.failed} fehler</span>
-            </div>
-          </div>
-        )}
-
-        <button
-          onClick={() => onRun(service.service)}
-          disabled={isRunning}
-          className={`w-full py-2 rounded-lg text-sm font-medium transition-all ${
-            isRunning
-              ? 'bg-orange-100 text-orange-600 cursor-wait'
-              : 'bg-orange-600 text-white hover:bg-orange-700 active:scale-98'
-          }`}
-        >
-          {isRunning ? (
-            <span className="flex items-center justify-center gap-2">
-              <svg className="animate-spin h-4 w-4" fill="none" viewBox="0 0 24 24">
-                <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4" />
-                <path className="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4z" />
-              </svg>
-              {progress && progress.status === 'running' ? `${progress.passed + progress.failed} Tests...` : 'Laeuft...'}
-            </span>
-          ) : (
-            'Tests starten'
-          )}
-        </button>
-      </div>
-    </div>
-  )
-}
-
-function CoverageChart({ data }: { data: CoverageData[] }) {
-  if (data.length === 0) {
-    return (
-      <div className="text-center py-8 text-slate-400">
-        Keine Coverage-Daten verfuegbar
-      </div>
-    )
-  }
-
-  const sortedData = [...data].sort((a, b) => b.coverage_percent - a.coverage_percent)
-
-  return (
-    <div className="space-y-3">
-      {sortedData.map((item) => (
-        <div key={item.service}>
-          <div className="flex items-center justify-between text-sm mb-1">
-            <span className="text-slate-600 truncate max-w-[200px]">{item.display_name}</span>
-            <span
-              className={`font-medium ${
-                item.coverage_percent >= 80 ? 'text-emerald-600' : item.coverage_percent >= 60 ? 'text-amber-600' : 'text-red-600'
-              }`}
-            >
-              {item.coverage_percent.toFixed(1)}%
-            </span>
-          </div>
-          <div className="h-2 bg-slate-100 rounded-full overflow-hidden">
-            <div
-              className={`h-full rounded-full transition-all ${
-                item.coverage_percent >= 80 ? 'bg-emerald-500' : item.coverage_percent >= 60 ? 'bg-amber-500' : 'bg-red-500'
-              }`}
-              style={{ width: `${item.coverage_percent}%` }}
-            />
-          </div>
-        </div>
-      ))}
-    </div>
-  )
-}
-
-function FrameworkDistribution({ data }: { data: Record<string, number> }) {
-  const total = Object.values(data).reduce((a, b) => a + b, 0)
-  if (total === 0) return null
-
-  const frameworkLabels: Record<string, string> = {
-    go_test: 'Go Tests',
-    pytest: 'Python (pytest)',
-    jest: 'Jest (TS)',
-    vitest: 'Vitest (SDK)',
-    playwright: 'Playwright (E2E)',
-    bqas_golden: 'BQAS Golden',
-    bqas_rag: 'BQAS RAG',
-    bqas_synthetic: 'BQAS Synthetic',
-  }
-
-  const frameworkColors: Record<string, string> = {
-    go_test: 'bg-cyan-500',
-    pytest: 'bg-yellow-500',
-    jest: 'bg-blue-500',
-    vitest: 'bg-orange-500',
-    playwright: 'bg-purple-500',
-    bqas_golden: 'bg-emerald-500',
-    bqas_rag: 'bg-teal-500',
-    bqas_synthetic: 'bg-amber-500',
-  }
-
-  return (
-    <div className="space-y-3">
-      {Object.entries(data)
-        .sort((a, b) => b[1] - a[1])
-        .map(([framework, count]) => (
-          <div key={framework} className="flex items-center gap-3">
-            <div className={`w-3 h-3 rounded-full ${frameworkColors[framework] || 'bg-slate-400'}`} />
-            <span className="text-sm text-slate-600 flex-1">{frameworkLabels[framework] || framework}</span>
-            <span className="text-sm font-medium text-slate-900">{count}</span>
-            <span className="text-xs text-slate-400">({((count / total) * 100).toFixed(0)}%)</span>
-          </div>
-        ))}
-    </div>
-  )
-}
-
-function TestRunsTable({ runs }: { runs: TestRun[] }) {
-  if (runs.length === 0) {
-    return (
-      <div className="text-center py-8 text-slate-400">
-        Keine Test-Laeufe vorhanden
-      </div>
-    )
-  }
-
-  return (
-    <div className="overflow-x-auto">
-      <table className="w-full text-sm">
-        <thead>
-          <tr className="border-b border-slate-200">
-            <th className="text-left py-3 px-4 font-medium text-slate-600">ID</th>
-            <th className="text-left py-3 px-4 font-medium text-slate-600">Service</th>
-            <th className="text-left py-3 px-4 font-medium text-slate-600">Zeitpunkt</th>
-            <th className="text-right py-3 px-4 font-medium text-slate-600">Tests</th>
-            <th className="text-right py-3 px-4 font-medium text-slate-600">Bestanden</th>
-            <th className="text-right py-3 px-4 font-medium text-slate-600">Dauer</th>
-            <th className="text-center py-3 px-4 font-medium text-slate-600">Status</th>
-          </tr>
-        </thead>
-        <tbody>
-          {runs.map((run) => (
-            <tr key={run.id} className="border-b border-slate-100 hover:bg-slate-50">
-              <td className="py-3 px-4 font-mono text-xs text-slate-500">{run.id.slice(-8)}</td>
-              <td className="py-3 px-4 text-slate-900">{run.service}</td>
-              <td className="py-3 px-4 text-slate-600">
-                {new Date(run.started_at).toLocaleString('de-DE')}
-              </td>
-              <td className="py-3 px-4 text-right text-slate-600">{run.total_tests}</td>
-              <td className="py-3 px-4 text-right">
-                <span className="text-emerald-600">{run.passed_tests}</span>
-                <span className="text-slate-400"> / </span>
-                <span className="text-red-600">{run.failed_tests}</span>
-              </td>
-              <td className="py-3 px-4 text-right text-slate-500">
-                {run.duration_seconds.toFixed(1)}s
-              </td>
-              <td className="py-3 px-4 text-center">
-                <span
-                  className={`px-2 py-1 rounded text-xs font-medium ${
-                    run.status === 'completed'
-                      ? 'bg-emerald-100 text-emerald-700'
-                      : run.status === 'failed'
-                        ? 'bg-red-100 text-red-700'
-                        : run.status === 'running'
-                          ? 'bg-blue-100 text-blue-700'
-                          : 'bg-slate-100 text-slate-700'
-                  }`}
-                >
-                  {run.status}
-                </span>
-              </td>
-            </tr>
-          ))}
-        </tbody>
-      </table>
-    </div>
-  )
-}
-
-// ==============================================================================
-// Guide Tab
-// ==============================================================================
-
-function GuideTab() {
-  return (
-    <div className="space-y-8">
-      <div className="bg-gradient-to-r from-orange-50 to-amber-50 rounded-xl border border-orange-200 p-6">
-        <h2 className="text-xl font-bold text-slate-900 mb-4 flex items-center gap-2">
-          <svg className="w-6 h-6 text-orange-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.663 17h4.673M12 3v1m6.364 1.636l-.707.707M21 12h-1M4 12H3m3.343-5.657l-.707-.707m2.828 9.9a5 5 0 117.072 0l-.548.547A3.374 3.374 0 0014 18.469V19a2 2 0 11-4 0v-.531c0-.895-.356-1.754-.988-2.386l-.548-.547z" />
-          </svg>
-          Was ist das Test Dashboard?
-        </h2>
-        <p className="text-slate-700 leading-relaxed">
-          Das <strong>Test Dashboard</strong> ist die zentrale Uebersicht fuer alle 260+ Tests im Breakpilot-System.
-          Es aggregiert Tests aus verschiedenen Services (Go, Python, TypeScript) ohne diese physisch zu migrieren.
-          Tests bleiben an ihren konventionellen Orten, werden aber hier zentral ueberwacht und ausgefuehrt.
-          Seit 2026-02 inklusive AI Compliance SDK Unit Tests (Vitest) und E2E Tests (Playwright).
-        </p>
-      </div>
-
-      <div className="bg-white rounded-xl border border-slate-200 p-6">
-        <h3 className="text-lg font-semibold text-slate-900 mb-4">Test-Kategorien</h3>
-        <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-4 gap-4">
-          <div className="p-4 bg-cyan-50 rounded-lg border border-cyan-200">
-            <div className="flex items-center gap-2 mb-2">
-              <span className="text-xl">🐹</span>
-              <h4 className="font-medium text-cyan-800">Go Unit Tests (~57)</h4>
-            </div>
-            <p className="text-sm text-cyan-700">
-              consent-service, billing-service, school-service, edu-search-service, ai-compliance-sdk
-            </p>
-          </div>
-          <div className="p-4 bg-yellow-50 rounded-lg border border-yellow-200">
-            <div className="flex items-center gap-2 mb-2">
-              <span className="text-xl">🐍</span>
-              <h4 className="font-medium text-yellow-800">Python Tests (~50)</h4>
-            </div>
-            <p className="text-sm text-yellow-700">
-              backend, voice-service, klausur-service, geo-service
-            </p>
-          </div>
-          <div className="p-4 bg-emerald-50 rounded-lg border border-emerald-200">
-            <div className="flex items-center gap-2 mb-2">
-              <span className="text-xl">🎯</span>
-              <h4 className="font-medium text-emerald-800">BQAS Golden (97)</h4>
-            </div>
-            <p className="text-sm text-emerald-700">
-              Validierte Referenz-Tests mit LLM-Judge fuer Intent-Erkennung
-            </p>
-          </div>
-          <div className="p-4 bg-teal-50 rounded-lg border border-teal-200">
-            <div className="flex items-center gap-2 mb-2">
-              <span className="text-xl">📚</span>
-              <h4 className="font-medium text-teal-800">BQAS RAG (~20)</h4>
-            </div>
-            <p className="text-sm text-teal-700">
-              RAG-Judge Tests fuer Retrieval, Citations, Hallucination-Control
-            </p>
-          </div>
-          <div className="p-4 bg-blue-50 rounded-lg border border-blue-200">
-            <div className="flex items-center gap-2 mb-2">
-              <span className="text-xl">📘</span>
-              <h4 className="font-medium text-blue-800">TypeScript Jest (~8)</h4>
-            </div>
-            <p className="text-sm text-blue-700">
-              Website Unit Tests fuer React-Komponenten
-            </p>
-          </div>
-          <div className="p-4 bg-orange-50 rounded-lg border border-orange-200">
-            <div className="flex items-center gap-2 mb-2">
-              <span className="text-xl">⚡</span>
-              <h4 className="font-medium text-orange-800">SDK Vitest (~43)</h4>
-            </div>
-            <p className="text-sm text-orange-700">
-              AI Compliance SDK Unit Tests: Types, Export, Components, Reducer
-            </p>
-          </div>
-          <div className="p-4 bg-purple-50 rounded-lg border border-purple-200">
-            <div className="flex items-center gap-2 mb-2">
-              <span className="text-xl">🎭</span>
-              <h4 className="font-medium text-purple-800">SDK Playwright (~25)</h4>
-            </div>
-            <p className="text-sm text-purple-700">
-              SDK E2E Tests: Navigation, Workflow, Command Bar, Export
-            </p>
-          </div>
-          <div className="p-4 bg-slate-50 rounded-lg border border-slate-200">
-            <div className="flex items-center gap-2 mb-2">
-              <span className="text-xl">🌐</span>
-              <h4 className="font-medium text-slate-800">Website E2E (~5)</h4>
-            </div>
-            <p className="text-sm text-slate-700">
-              End-to-End Tests fuer kritische User Flows
-            </p>
-          </div>
-          <div className="p-4 bg-indigo-50 rounded-lg border border-indigo-200">
-            <div className="flex items-center gap-2 mb-2">
-              <span className="text-xl">🔗</span>
-              <h4 className="font-medium text-indigo-800">Integration Tests (~15)</h4>
-            </div>
-            <p className="text-sm text-indigo-700">
-              Docker Compose basierte E2E-Tests mit Backend, Consent-Service, DB
-            </p>
-          </div>
-        </div>
-      </div>
-
-      <div className="bg-white rounded-xl border border-slate-200 p-6">
-        <h3 className="text-lg font-semibold text-slate-900 mb-4">Architektur</h3>
-        <pre className="bg-slate-50 p-4 rounded-lg text-xs overflow-x-auto">
-{`┌────────────────────────────────────────────────────────────────────┐
-│               Admin-v2 Test Dashboard                               │
-│               /infrastructure/tests                                 │
-├────────────────────────────────────────────────────────────────────┤
-│  ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌─────────────┐  │
-│  │ Unit Tests │  │ SDK Tests  │  │   BQAS     │  │ E2E Tests   │  │
-│  │  (Go, Py)  │  │  (Vitest)  │  │ (LLM/RAG)  │  │ (Playwright)│  │
-│  └────────────┘  └────────────┘  └────────────┘  └─────────────┘  │
-│        │               │               │               │           │
-│        ▼               ▼               ▼               ▼           │
-│  ┌──────────────────────────────────────────────────────────────┐ │
-│  │                    Test Registry API                          │ │
-│  │              /backend/api/tests/registry.py                   │ │
-│  └──────────────────────────────────────────────────────────────┘ │
-└────────────────────────────────────────────────────────────────────┘
-
-Tests bleiben wo sie sind:
-- /consent-service/internal/**/*_test.go
-- /backend/tests/test_*.py
-- /voice-service/tests/bqas/
-- /admin-v2/components/sdk/__tests__/*.test.ts   (Vitest)
-- /admin-v2/e2e/specs/*.spec.ts                  (Playwright)`}
-        </pre>
-      </div>
-
-      {/* CI/CD Workflow Anleitung */}
-      <div className="bg-blue-50 rounded-xl border border-blue-200 p-6">
-        <h3 className="text-lg font-semibold text-blue-900 mb-4 flex items-center gap-2">
-          <svg className="w-5 h-5 text-blue-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15" />
-          </svg>
-          CI/CD Integration
-        </h3>
-
-        <div className="grid grid-cols-1 md:grid-cols-2 gap-6">
-          <div>
-            <h4 className="font-medium text-blue-800 mb-2">🤖 Automatisch (bei jedem Push/PR)</h4>
-            <ul className="space-y-2 text-sm text-blue-700">
-              <li className="flex items-start gap-2">
-                <span className="text-green-500 mt-1">✓</span>
-                <span><strong>Unit Tests</strong> - Go & Python Tests laufen automatisch</span>
-              </li>
-              <li className="flex items-start gap-2">
-                <span className="text-green-500 mt-1">✓</span>
-                <span><strong>Test-Ergebnisse</strong> - Werden ans Dashboard gesendet</span>
-              </li>
-              <li className="flex items-start gap-2">
-                <span className="text-green-500 mt-1">✓</span>
-                <span><strong>Backlog</strong> - Fehlgeschlagene Tests erscheinen hier</span>
-              </li>
-              <li className="flex items-start gap-2">
-                <span className="text-green-500 mt-1">✓</span>
-                <span><strong>Linting</strong> - Code-Qualitaet bei PRs pruefen</span>
-              </li>
-            </ul>
-          </div>
-
-          <div>
-            <h4 className="font-medium text-blue-800 mb-2">👆 Manuell (Button oder Tag)</h4>
-            <ul className="space-y-2 text-sm text-blue-700">
-              <li className="flex items-start gap-2">
-                <span className="text-orange-500 mt-1">▶</span>
-                <span><strong>Docker Builds</strong> - Container erstellen</span>
-              </li>
-              <li className="flex items-start gap-2">
-                <span className="text-orange-500 mt-1">▶</span>
-                <span><strong>SBOM/Scans</strong> - Sicherheitsanalyse ausfuehren</span>
-              </li>
-              <li className="flex items-start gap-2">
-                <span className="text-orange-500 mt-1">▶</span>
-                <span><strong>Deployment</strong> - In Produktion deployen</span>
-              </li>
-              <li className="flex items-start gap-2">
-                <span className="text-orange-500 mt-1">▶</span>
-                <span><strong>Pipeline starten</strong> - Im CI/CD Dashboard</span>
-              </li>
-            </ul>
-          </div>
-        </div>
-
-        <div className="mt-4 pt-4 border-t border-blue-200">
-          <p className="text-sm text-blue-600">
-            <strong>Daten-Fluss:</strong> Gitea Actions → POST /api/tests/ci-result → PostgreSQL → Test Dashboard
-          </p>
-        </div>
-      </div>
-
-      <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
-        <Link
-          href="/ai/test-quality"
-          className="p-4 bg-slate-50 rounded-lg border border-slate-200 hover:border-orange-300 hover:bg-orange-50 transition-colors"
-        >
-          <div className="flex items-center gap-3">
-            <svg className="w-8 h-8 text-slate-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5} d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
-            </svg>
-            <div>
-              <p className="font-medium text-slate-900">BQAS Dashboard</p>
-              <p className="text-xs text-slate-500">Detaillierte BQAS-Metriken und Trend-Analyse</p>
-            </div>
-          </div>
-        </Link>
-        <Link
-          href="/infrastructure/ci-cd"
-          className="p-4 bg-slate-50 rounded-lg border border-slate-200 hover:border-orange-300 hover:bg-orange-50 transition-colors"
-        >
-          <div className="flex items-center gap-3">
-            <svg className="w-8 h-8 text-slate-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5} d="M12 8v4l3 3m6-3a9 9 0 11-18 0 9 9 0 0118 0z" />
-            </svg>
-            <div>
-              <p className="font-medium text-slate-900">CI/CD Pipelines</p>
-              <p className="text-xs text-slate-500">Gitea Actions und automatische Test-Planung</p>
-            </div>
-          </div>
-        </Link>
-      </div>
-    </div>
-  )
-}
-
-// ==============================================================================
-// Backlog Component
-// ==============================================================================
-
-function FailedTestCard({
-  test,
-  onStatusChange,
-  onPriorityChange,
-  priority = 'medium',
-  failureCount = 1,
-}: {
-  test: FailedTest
-  onStatusChange: (testId: string, status: string) => void
-  onPriorityChange?: (testId: string, priority: string) => void
-  priority?: BacklogPriority
-  failureCount?: number
-}) {
-  const errorTypeColors: Record<string, string> = {
-    assertion: 'bg-amber-100 text-amber-700',
-    nil_pointer: 'bg-red-100 text-red-700',
-    type_error: 'bg-purple-100 text-purple-700',
-    network: 'bg-blue-100 text-blue-700',
-    timeout: 'bg-orange-100 text-orange-700',
-    logic_error: 'bg-slate-100 text-slate-700',
-    unknown: 'bg-slate-100 text-slate-700',
-  }
-
-  const statusColors: Record<string, string> = {
-    open: 'bg-red-100 text-red-700',
-    in_progress: 'bg-blue-100 text-blue-700',
-    fixed: 'bg-emerald-100 text-emerald-700',
-    wont_fix: 'bg-slate-100 text-slate-700',
-    flaky: 'bg-purple-100 text-purple-700',
-  }
-
-  const priorityColors: Record<string, string> = {
-    critical: 'bg-red-500 text-white',
-    high: 'bg-orange-500 text-white',
-    medium: 'bg-yellow-500 text-white',
-    low: 'bg-slate-400 text-white',
-  }
-
-  const priorityLabels: Record<string, string> = {
-    critical: '!!! Kritisch',
-    high: '!! Hoch',
-    medium: '! Mittel',
-    low: 'Niedrig',
-  }
-
-  return (
-    <div className="bg-white rounded-lg border border-slate-200 p-4 hover:border-red-300 transition-colors">
-      <div className="flex items-start justify-between mb-3">
-        <div className="flex-1 min-w-0">
-          <div className="flex items-center gap-2 mb-1 flex-wrap">
-            <span className={`px-2 py-0.5 rounded text-xs font-medium ${priorityColors[priority]}`}>
-              {priorityLabels[priority]}
-            </span>
-            <span className={`px-2 py-0.5 rounded text-xs font-medium ${errorTypeColors[test.error_type] || errorTypeColors.unknown}`}>
-              {test.error_type.replace('_', ' ')}
-            </span>
-            <span className="text-xs text-slate-400">{test.service}</span>
-            {failureCount > 1 && (
-              <span className="px-1.5 py-0.5 rounded bg-red-100 text-red-600 text-xs font-medium">
-                {failureCount}x fehlgeschlagen
-              </span>
-            )}
-          </div>
-          <h4 className="font-mono text-sm font-medium text-slate-900 truncate" title={test.name}>
-            {test.name}
-          </h4>
-          <p className="text-xs text-slate-500 truncate" title={test.file_path}>
-            {test.file_path}
-          </p>
-        </div>
-        <div className="flex flex-col gap-1 ml-2">
-          <select
-            value={test.status}
-            onChange={(e) => onStatusChange(test.id, e.target.value)}
-            className={`px-2 py-1 rounded text-xs font-medium cursor-pointer border-0 ${statusColors[test.status]}`}
-          >
-            <option value="open">Offen</option>
-            <option value="in_progress">In Arbeit</option>
-            <option value="fixed">Behoben</option>
-            <option value="wont_fix">Ignoriert</option>
-            <option value="flaky">Flaky</option>
-          </select>
-          {onPriorityChange && (
-            <select
-              value={priority}
-              onChange={(e) => onPriorityChange(test.id, e.target.value)}
-              className="px-2 py-1 rounded text-xs font-medium cursor-pointer border border-slate-200"
-            >
-              <option value="critical">Kritisch</option>
-              <option value="high">Hoch</option>
-              <option value="medium">Mittel</option>
-              <option value="low">Niedrig</option>
-            </select>
-          )}
-        </div>
-      </div>
-
-      <div className="bg-red-50 rounded-lg p-3 mb-3">
-        <p className="text-sm text-red-800 font-medium mb-1">Fehlermeldung:</p>
-        <p className="text-xs text-red-700 font-mono break-words">
-          {test.error_message || 'Keine Details verfuegbar'}
-        </p>
-      </div>
-
-      {test.suggestion && (
-        <div className="bg-emerald-50 rounded-lg p-3">
-          <p className="text-sm text-emerald-800 font-medium mb-1">💡 Loesungsvorschlag:</p>
-          <p className="text-xs text-emerald-700">
-            {test.suggestion}
-          </p>
-        </div>
-      )}
-
-      <div className="mt-3 pt-3 border-t border-slate-100 flex items-center justify-between text-xs text-slate-400">
-        <span>Zuletzt fehlgeschlagen: {test.last_failed ? new Date(test.last_failed).toLocaleString('de-DE') : 'Unbekannt'}</span>
-        <button
-          className="text-orange-600 hover:text-orange-700 font-medium"
-          onClick={() => {
-            navigator.clipboard.writeText(test.id)
-          }}
-        >
-          ID kopieren
-        </button>
-      </div>
-    </div>
-  )
-}
-
-function BacklogTab({
-  failedTests,
-  onStatusChange,
-  onPriorityChange,
-  isLoading,
-  backlogItems,
-  usePostgres = false,
-}: {
-  failedTests: FailedTest[]
-  onStatusChange: (testId: string, status: string) => void
-  onPriorityChange?: (testId: string, priority: string) => void
-  isLoading: boolean
-  backlogItems?: BacklogItem[]
-  usePostgres?: boolean
-}) {
-  const [filterStatus, setFilterStatus] = useState<string>('open')
-  const [filterService, setFilterService] = useState<string>('all')
-  const [filterPriority, setFilterPriority] = useState<string>('all')
-  const [llmAutoAnalysis, setLlmAutoAnalysis] = useState<boolean>(true)
-  const [llmRouting, setLlmRouting] = useState<LLMRoutingOption>('smart_routing')
-
-  // Nutze PostgreSQL-Backlog wenn verfuegbar, sonst Legacy
-  const items = usePostgres && backlogItems ? backlogItems : failedTests
-
-  // Gruppiere nach Service
-  const services = [...new Set(items.map(t => 'service' in t ? t.service : (t as BacklogItem).service))]
-
-  // Filtere Items
-  const filteredItems = items.filter(item => {
-    const status = 'status' in item ? item.status : 'open'
-    const service = 'service' in item ? item.service : ''
-    const priority = 'priority' in item ? (item as BacklogItem).priority : 'medium'
-
-    if (filterStatus !== 'all' && status !== filterStatus) return false
-    if (filterService !== 'all' && service !== filterService) return false
-    if (filterPriority !== 'all' && priority !== filterPriority) return false
-    return true
-  })
-
-  // Zaehle nach Status
-  const openCount = items.filter(t => t.status === 'open').length
-  const inProgressCount = items.filter(t => t.status === 'in_progress').length
-  const fixedCount = items.filter(t => t.status === 'fixed').length
-  const flakyCount = items.filter(t => t.status === 'flaky').length
-
-  // Zaehle nach Prioritaet (nur bei PostgreSQL)
-  const criticalCount = backlogItems?.filter(t => t.priority === 'critical').length || 0
-  const highCount = backlogItems?.filter(t => t.priority === 'high').length || 0
-
-  if (isLoading) {
-    return (
-      <div className="flex items-center justify-center py-12">
-        <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-orange-600"></div>
-      </div>
-    )
-  }
-
-  // Konvertiere BacklogItem zu FailedTest fuer die Anzeige
-  const convertToFailedTest = (item: BacklogItem): FailedTest => ({
-    id: String(item.id),
-    name: item.test_name,
-    service: item.service,
-    file_path: item.test_file || '',
-    error_message: item.error_message || '',
-    error_type: item.error_type || 'unknown',
-    suggestion: item.fix_suggestion || '',
-    run_id: '',
-    last_failed: item.last_failed_at,
-    status: item.status,
-  })
-
-  return (
-    <div className="space-y-6">
-      {/* Stats */}
-      <div className="grid grid-cols-2 md:grid-cols-5 gap-4">
-        <div className="bg-red-50 border border-red-200 rounded-xl p-4">
-          <p className="text-2xl font-bold text-red-600">{openCount}</p>
-          <p className="text-sm text-red-700">Offene Fehler</p>
-        </div>
-        <div className="bg-blue-50 border border-blue-200 rounded-xl p-4">
-          <p className="text-2xl font-bold text-blue-600">{inProgressCount}</p>
-          <p className="text-sm text-blue-700">In Arbeit</p>
-        </div>
-        <div className="bg-emerald-50 border border-emerald-200 rounded-xl p-4">
-          <p className="text-2xl font-bold text-emerald-600">{fixedCount}</p>
-          <p className="text-sm text-emerald-700">Behoben</p>
-        </div>
-        <div className="bg-purple-50 border border-purple-200 rounded-xl p-4">
-          <p className="text-2xl font-bold text-purple-600">{flakyCount}</p>
-          <p className="text-sm text-purple-700">Flaky</p>
-        </div>
-        {usePostgres && criticalCount + highCount > 0 && (
-          <div className="bg-orange-50 border border-orange-200 rounded-xl p-4">
-            <p className="text-2xl font-bold text-orange-600">{criticalCount + highCount}</p>
-            <p className="text-sm text-orange-700">Kritisch/Hoch</p>
-          </div>
-        )}
-      </div>
-
-      {/* PostgreSQL Badge */}
-      {usePostgres && (
-        <div className="flex items-center gap-2 px-3 py-1.5 bg-emerald-50 border border-emerald-200 rounded-lg w-fit">
-          <svg className="w-4 h-4 text-emerald-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 13l4 4L19 7" />
-          </svg>
-          <span className="text-xs text-emerald-700 font-medium">Persistente Speicherung aktiv (PostgreSQL)</span>
-        </div>
-      )}
-
-      {/* LLM Analysis Toggle */}
-      <div className="bg-gradient-to-r from-violet-50 to-purple-50 border border-violet-200 rounded-xl p-4">
-        <div className="flex items-center justify-between">
-          <div className="flex items-center gap-3">
-            <div className="w-10 h-10 bg-violet-100 rounded-lg flex items-center justify-center">
-              <svg className="w-5 h-5 text-violet-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" />
-              </svg>
-            </div>
-            <div>
-              <h4 className="font-medium text-slate-800">Automatische LLM-Analyse</h4>
-              <p className="text-xs text-slate-500">KI-gestuetzte Fix-Vorschlaege fuer Backlog-Eintraege</p>
-            </div>
-          </div>
-          <label className="relative inline-flex items-center cursor-pointer">
-            <input
-              type="checkbox"
-              checked={llmAutoAnalysis}
-              onChange={(e) => setLlmAutoAnalysis(e.target.checked)}
-              className="sr-only peer"
-            />
-            <div className="w-11 h-6 bg-slate-200 peer-focus:outline-none peer-focus:ring-4 peer-focus:ring-violet-300 rounded-full peer peer-checked:after:translate-x-full rtl:peer-checked:after:-translate-x-full peer-checked:after:border-white after:content-[''] after:absolute after:top-[2px] after:start-[2px] after:bg-white after:border-slate-300 after:border after:rounded-full after:h-5 after:w-5 after:transition-all peer-checked:bg-violet-600"></div>
-          </label>
-        </div>
-
-        {llmAutoAnalysis && (
-          <div className="mt-4 pt-4 border-t border-violet-200">
-            <p className="text-xs text-slate-600 mb-3">LLM-Routing Strategie:</p>
-            <div className="flex flex-wrap gap-2">
-              <label className={`flex items-center gap-2 px-3 py-2 rounded-lg border cursor-pointer transition-colors ${
-                llmRouting === 'local_only'
-                  ? 'bg-violet-100 border-violet-300 text-violet-800'
-                  : 'bg-white border-slate-200 text-slate-600 hover:bg-slate-50'
-              }`}>
-                <input
-                  type="radio"
-                  name="llm-routing"
-                  value="local_only"
-                  checked={llmRouting === 'local_only'}
-                  onChange={() => setLlmRouting('local_only')}
-                  className="sr-only"
-                />
-                <span className="text-sm font-medium">Nur lokales 32B LLM</span>
-                <span className="text-xs px-1.5 py-0.5 bg-emerald-100 text-emerald-700 rounded">DSGVO</span>
-              </label>
-              <label className={`flex items-center gap-2 px-3 py-2 rounded-lg border cursor-pointer transition-colors ${
-                llmRouting === 'claude_preferred'
-                  ? 'bg-violet-100 border-violet-300 text-violet-800'
-                  : 'bg-white border-slate-200 text-slate-600 hover:bg-slate-50'
-              }`}>
-                <input
-                  type="radio"
-                  name="llm-routing"
-                  value="claude_preferred"
-                  checked={llmRouting === 'claude_preferred'}
-                  onChange={() => setLlmRouting('claude_preferred')}
-                  className="sr-only"
-                />
-                <span className="text-sm font-medium">Claude bevorzugt</span>
-                <span className="text-xs px-1.5 py-0.5 bg-blue-100 text-blue-700 rounded">Qualitaet</span>
-              </label>
-              <label className={`flex items-center gap-2 px-3 py-2 rounded-lg border cursor-pointer transition-colors ${
-                llmRouting === 'smart_routing'
-                  ? 'bg-violet-100 border-violet-300 text-violet-800'
-                  : 'bg-white border-slate-200 text-slate-600 hover:bg-slate-50'
-              }`}>
-                <input
-                  type="radio"
-                  name="llm-routing"
-                  value="smart_routing"
-                  checked={llmRouting === 'smart_routing'}
-                  onChange={() => setLlmRouting('smart_routing')}
-                  className="sr-only"
-                />
-                <span className="text-sm font-medium">Smart Routing</span>
-                <span className="text-xs px-1.5 py-0.5 bg-amber-100 text-amber-700 rounded">Empfohlen</span>
-              </label>
-            </div>
-            <p className="text-xs text-slate-500 mt-2">
-              {llmRouting === 'local_only' && 'Alle Analysen werden mit Qwen2.5-32B lokal durchgefuehrt. Keine Daten verlassen den Server.'}
-              {llmRouting === 'claude_preferred' && 'Verwendet Claude fuer beste Fix-Qualitaet. Nur Code-Snippets werden uebertragen.'}
-              {llmRouting === 'smart_routing' && 'Privacy Classifier entscheidet automatisch: Sensitive Daten → lokal, Code → Claude.'}
-            </p>
-          </div>
-        )}
-      </div>
-
-      {/* Filter */}
-      <div className="flex flex-wrap gap-4 items-center">
-        <div>
-          <label className="text-sm text-slate-600 mr-2">Status:</label>
-          <select
-            value={filterStatus}
-            onChange={(e) => setFilterStatus(e.target.value)}
-            className="px-3 py-1.5 rounded-lg border border-slate-200 text-sm"
-          >
-            <option value="all">Alle</option>
-            <option value="open">Offen ({openCount})</option>
-            <option value="in_progress">In Arbeit ({inProgressCount})</option>
-            <option value="fixed">Behoben ({fixedCount})</option>
-            <option value="flaky">Flaky ({flakyCount})</option>
-            <option value="wont_fix">Ignoriert</option>
-          </select>
-        </div>
-        <div>
-          <label className="text-sm text-slate-600 mr-2">Service:</label>
-          <select
-            value={filterService}
-            onChange={(e) => setFilterService(e.target.value)}
-            className="px-3 py-1.5 rounded-lg border border-slate-200 text-sm"
-          >
-            <option value="all">Alle Services</option>
-            {services.map(s => (
-              <option key={s} value={s}>{s}</option>
-            ))}
-          </select>
-        </div>
-        {usePostgres && (
-          <div>
-            <label className="text-sm text-slate-600 mr-2">Prioritaet:</label>
-            <select
-              value={filterPriority}
-              onChange={(e) => setFilterPriority(e.target.value)}
-              className="px-3 py-1.5 rounded-lg border border-slate-200 text-sm"
-            >
-              <option value="all">Alle</option>
-              <option value="critical">Kritisch</option>
-              <option value="high">Hoch</option>
-              <option value="medium">Mittel</option>
-              <option value="low">Niedrig</option>
-            </select>
-          </div>
-        )}
-        <div className="ml-auto text-sm text-slate-500">
-          {filteredItems.length} von {items.length} Tests angezeigt
-        </div>
-      </div>
-
-      {/* Test-Liste */}
-      {filteredItems.length === 0 ? (
-        <div className="text-center py-12 bg-emerald-50 rounded-xl border border-emerald-200">
-          <svg className="w-12 h-12 mx-auto text-emerald-400 mb-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
-          </svg>
-          <p className="text-emerald-700 font-medium">
-            {filterStatus === 'open' ? 'Keine offenen Fehler! 🎉' : 'Keine Tests mit diesem Filter gefunden.'}
-          </p>
-          {filterStatus === 'open' && (
-            <p className="text-sm text-emerald-600 mt-2">
-              Alle Tests bestanden. Bereit fuer Go-Live!
-            </p>
-          )}
-        </div>
-      ) : (
-        <div className="grid grid-cols-1 lg:grid-cols-2 gap-4">
-          {filteredItems.map((item) => {
-            const test = usePostgres && 'test_name' in item
-              ? convertToFailedTest(item as BacklogItem)
-              : item as FailedTest
-            const priority = usePostgres && 'priority' in item
-              ? (item as BacklogItem).priority
-              : 'medium'
-            const failureCount = usePostgres && 'failure_count' in item
-              ? (item as BacklogItem).failure_count
-              : 1
-
-            return (
-              <FailedTestCard
-                key={test.id}
-                test={test}
-                onStatusChange={onStatusChange}
-                onPriorityChange={onPriorityChange}
-                priority={priority}
-                failureCount={failureCount}
-              />
-            )
-          })}
-        </div>
-      )}
-
-      {/* Info */}
-      <div className="bg-blue-50 border border-blue-200 rounded-xl p-4">
-        <div className="flex items-start gap-3">
-          <svg className="w-5 h-5 text-blue-600 flex-shrink-0 mt-0.5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
-          </svg>
-          <div>
-            <p className="text-sm text-blue-800 font-medium">Workflow fuer fehlgeschlagene Tests:</p>
-            <ol className="text-xs text-blue-700 mt-2 space-y-1 list-decimal list-inside">
-              <li>Markiere den Test als "In Arbeit" wenn du daran arbeitest</li>
-              <li>Analysiere die Fehlermeldung und den Loesungsvorschlag</li>
-              <li>Behebe den Fehler im Code</li>
-              <li>Fuehre den Test erneut aus (Button im Service-Tab)</li>
-              <li>Markiere als "Behoben" wenn der Test besteht</li>
-              {usePostgres && <li>Setze "Flaky" fuer sporadisch fehlschlagende Tests</li>}
-            </ol>
-          </div>
-        </div>
-      </div>
-    </div>
-  )
-}
-
-// ==============================================================================
-// Main Component
-// ==============================================================================
+import { ToastContainer } from './_components/ToastContainer'
+import { MetricCard } from './_components/MetricCard'
+import { ServiceTestCard } from './_components/ServiceTestCard'
+import { CoverageChart } from './_components/CoverageChart'
+import { FrameworkDistribution } from './_components/FrameworkDistribution'
+import { TestRunsTable } from './_components/TestRunsTable'
+import { GuideTab } from './_components/GuideTab'
+import { BacklogTab } from './_components/BacklogTab'
+import { useTestDashboard } from './_hooks/useTestDashboard'
 
 export default function TestDashboardPage() {
-  const [activeTab, setActiveTab] = useState<TabType>('overview')
-  const [isLoading, setIsLoading] = useState(true)
-  const [error, setError] = useState<string | null>(null)
-
-  // Toast state
-  const [toasts, setToasts] = useState<Toast[]>([])
-  const toastIdRef = useRef(0)
-
-  const addToast = useCallback((type: Toast['type'], message: string) => {
-    const id = ++toastIdRef.current
-    setToasts((prev) => [...prev, { id, type, message }])
-    if (type !== 'loading') {
-      setTimeout(() => {
-        setToasts((prev) => prev.filter((t) => t.id !== id))
-      }, 5000)
-    }
-    return id
-  }, [])
-
-  const removeToast = useCallback((id: number) => {
-    setToasts((prev) => prev.filter((t) => t.id !== id))
-  }, [])
-
-  const updateToast = useCallback((id: number, type: Toast['type'], message: string) => {
-    setToasts((prev) => prev.map((t) => (t.id === id ? { ...t, type, message } : t)))
-    if (type !== 'loading') {
-      setTimeout(() => {
-        setToasts((prev) => prev.filter((t) => t.id !== id))
-      }, 5000)
-    }
-  }, [])
-
-  // Data states
-  const [services, setServices] = useState<ServiceTestInfo[]>([])
-  const [stats, setStats] = useState<TestRegistryStats | null>(null)
-  const [coverage, setCoverage] = useState<CoverageData[]>([])
-  const [testRuns, setTestRuns] = useState<TestRun[]>([])
-  const [failedTests, setFailedTests] = useState<FailedTest[]>([])
-  const [backlogItems, setBacklogItems] = useState<BacklogItem[]>([])
-  const [usePostgres, setUsePostgres] = useState(false)
-
-  // Running states
-  const [runningServices, setRunningServices] = useState<Set<string>>(new Set())
-
-  // Progress states fuer laufende Tests
-  const [serviceProgress, setServiceProgress] = useState<Record<string, {
-    current_file: string
-    files_done: number
-    files_total: number
-    passed: number
-    failed: number
-    status: string
-  }>>({})
-
-  // Demo data for when API is not available
-  const DEMO_SERVICES: ServiceTestInfo[] = [
-    { service: 'consent-service', display_name: 'Consent Service', port: 8081, language: 'go', total_tests: 22, passed_tests: 20, failed_tests: 2, skipped_tests: 0, pass_rate: 90.9, coverage_percent: 82.3, last_run: new Date().toISOString(), status: 'failed' },
-    { service: 'backend', display_name: 'Python Backend', port: 8000, language: 'python', total_tests: 40, passed_tests: 38, failed_tests: 2, skipped_tests: 0, pass_rate: 95.0, coverage_percent: 75.1, last_run: new Date().toISOString(), status: 'failed' },
-    { service: 'klausur-service', display_name: 'Klausur Service', port: 8086, language: 'python', total_tests: 8, passed_tests: 8, failed_tests: 0, skipped_tests: 0, pass_rate: 100, coverage_percent: 71.2, last_run: new Date().toISOString(), status: 'passed' },
-    { service: 'billing-service', display_name: 'Billing Service', port: 8082, language: 'go', total_tests: 5, passed_tests: 5, failed_tests: 0, skipped_tests: 0, pass_rate: 100, coverage_percent: 78.5, last_run: new Date().toISOString(), status: 'passed' },
-    { service: 'school-service', display_name: 'School Service', port: 8084, language: 'go', total_tests: 6, passed_tests: 6, failed_tests: 0, skipped_tests: 0, pass_rate: 100, coverage_percent: 81.4, last_run: new Date().toISOString(), status: 'passed' },
-    { service: 'sdk-unit', display_name: 'SDK Unit Tests (Vitest)', port: undefined, language: 'typescript', total_tests: 43, passed_tests: 43, failed_tests: 0, skipped_tests: 0, pass_rate: 100, coverage_percent: 85.2, last_run: new Date().toISOString(), status: 'passed' },
-    { service: 'sdk-e2e', display_name: 'SDK E2E Tests (Playwright)', port: undefined, language: 'typescript', total_tests: 25, passed_tests: 25, failed_tests: 0, skipped_tests: 0, pass_rate: 100, coverage_percent: undefined, last_run: new Date().toISOString(), status: 'passed' },
-    { service: 'integration-tests', display_name: 'Integration Tests', port: undefined, language: 'python', total_tests: 15, passed_tests: 15, failed_tests: 0, skipped_tests: 0, pass_rate: 100, coverage_percent: undefined, last_run: new Date().toISOString(), status: 'passed' },
-  ]
-
-  const DEMO_STATS: TestRegistryStats = {
-    total_tests: 278,
-    total_passed: 263,
-    total_failed: 15,
-    total_skipped: 0,
-    overall_pass_rate: 94.6,
-    average_coverage: 78.5,
-    services_count: 11,
-    by_category: { unit: 118, bqas: 117, e2e: 30, integration: 15 },
-    by_framework: { go_test: 57, pytest: 68, bqas_golden: 97, bqas_rag: 20, jest: 8, vitest: 43, playwright: 30 },
-  }
-
-  // Fetch data
-  const fetchData = useCallback(async () => {
-    setIsLoading(true)
-    setError(null)
-
-    try {
-      const registryResponse = await fetch(`${API_BASE}/registry`)
-      if (registryResponse.ok) {
-        const data = await registryResponse.json()
-        setServices(data.services || DEMO_SERVICES)
-        setStats(data.stats || DEMO_STATS)
-      } else {
-        setServices(DEMO_SERVICES)
-        setStats(DEMO_STATS)
-      }
-
-      const coverageResponse = await fetch(`${API_BASE}/coverage`)
-      if (coverageResponse.ok) {
-        const data = await coverageResponse.json()
-        setCoverage(data.services || [])
-      } else {
-        setCoverage(DEMO_SERVICES.filter(s => s.coverage_percent).map(s => ({
-          service: s.service,
-          display_name: s.display_name,
-          coverage_percent: s.coverage_percent!,
-          language: s.language,
-        })))
-      }
-
-      const runsResponse = await fetch(`${API_BASE}/runs`)
-      if (runsResponse.ok) {
-        const data = await runsResponse.json()
-        setTestRuns(data.runs || [])
-      }
-
-      // Lade fehlgeschlagene Tests fuer Backlog
-      const failedResponse = await fetch(`${API_BASE}/failed`)
-      if (failedResponse.ok) {
-        const data = await failedResponse.json()
-        setFailedTests(data.tests || [])
-      }
-
-      // Versuche PostgreSQL-Backlog zu laden (neue API)
-      try {
-        const backlogResponse = await fetch(`${API_BASE}/backlog`)
-        if (backlogResponse.ok) {
-          const data = await backlogResponse.json()
-          if (data.items && data.items.length > 0) {
-            setBacklogItems(data.items)
-            setUsePostgres(true)
-          }
-        }
-      } catch {
-        // PostgreSQL nicht verfuegbar, nutze Legacy
-        setUsePostgres(false)
-      }
-
-    } catch (err) {
-      console.error('Failed to fetch test registry data:', err)
-      setServices(DEMO_SERVICES)
-      setStats(DEMO_STATS)
-      setCoverage(DEMO_SERVICES.filter(s => s.coverage_percent).map(s => ({
-        service: s.service,
-        display_name: s.display_name,
-        coverage_percent: s.coverage_percent!,
-        language: s.language,
-      })))
-    } finally {
-      setIsLoading(false)
-    }
-  }, [])
-
-  useEffect(() => {
-    fetchData()
-  }, [fetchData])
-
-  // Update failed test status
-  const updateTestStatus = async (testId: string, status: string) => {
-    try {
-      // Nutze PostgreSQL-Endpoint wenn verfuegbar
-      const endpoint = usePostgres
-        ? `${API_BASE}/backlog/${testId}/status`
-        : `${API_BASE}/failed/${encodeURIComponent(testId)}/status?status=${status}`
-
-      const response = await fetch(endpoint, {
-        method: 'POST',
-        headers: usePostgres ? { 'Content-Type': 'application/json' } : undefined,
-        body: usePostgres ? JSON.stringify({ status }) : undefined,
-      })
-
-      if (response.ok) {
-        // Aktualisiere lokalen State
-        if (usePostgres) {
-          setBacklogItems(prev =>
-            prev.map(t => String(t.id) === testId ? { ...t, status: status as any } : t)
-          )
-        }
-        setFailedTests(prev =>
-          prev.map(t => t.id === testId ? { ...t, status: status as any } : t)
-        )
-        addToast('success', `Test-Status auf "${status}" gesetzt`)
-      }
-    } catch (err) {
-      console.error('Failed to update test status:', err)
-      // Trotzdem lokal aktualisieren fuer bessere UX
-      setFailedTests(prev =>
-        prev.map(t => t.id === testId ? { ...t, status: status as any } : t)
-      )
-      if (usePostgres) {
-        setBacklogItems(prev =>
-          prev.map(t => String(t.id) === testId ? { ...t, status: status as any } : t)
-        )
-      }
-    }
-  }
-
-  // Update failed test priority (nur PostgreSQL)
-  const updateTestPriority = async (testId: string, priority: string) => {
-    if (!usePostgres) return
-
-    try {
-      const response = await fetch(`${API_BASE}/backlog/${testId}/priority`, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ priority }),
-      })
-
-      if (response.ok) {
-        setBacklogItems(prev =>
-          prev.map(t => String(t.id) === testId ? { ...t, priority: priority as any } : t)
-        )
-        addToast('success', `Prioritaet auf "${priority}" gesetzt`)
-      }
-    } catch (err) {
-      console.error('Failed to update test priority:', err)
-      // Trotzdem lokal aktualisieren
-      setBacklogItems(prev =>
-        prev.map(t => String(t.id) === testId ? { ...t, priority: priority as any } : t)
-      )
-    }
-  }
-
-  // Run tests mit Progress-Polling
-  const runTests = async (service: string) => {
-    setRunningServices((prev) => new Set(prev).add(service))
-    const loadingToast = addToast('loading', `Tests fuer ${service} werden gestartet...`)
-
-    // Progress-Polling starten
-    let pollInterval: NodeJS.Timeout | null = null
-    const pollProgress = async () => {
-      try {
-        const progressResponse = await fetch(`${API_BASE}/progress/${service}`)
-        if (progressResponse.ok) {
-          const progress = await progressResponse.json()
-          setServiceProgress((prev) => ({
-            ...prev,
-            [service]: progress,
-          }))
-
-          // Toast-Message mit aktuellem Fortschritt aktualisieren
-          if (progress.status === 'running' && progress.files_total > 0) {
-            const percent = Math.round((progress.files_done / progress.files_total) * 100)
-            const toastMsg = `${service}: ${progress.current_file} (${progress.passed} bestanden, ${progress.failed} fehler)`
-            updateToast(loadingToast, 'loading', toastMsg)
-          }
-        }
-      } catch (err) {
-        // Ignore polling errors
-      }
-    }
-
-    // Start polling (alle 1 Sekunde)
-    pollInterval = setInterval(pollProgress, 1000)
-
-    try {
-      const response = await fetch(`${API_BASE}/run/${service}`, {
-        method: 'POST',
-      })
-
-      if (response.ok) {
-        const result = await response.json()
-        // Warte kurz und pruefe finalen Progress
-        await new Promise(resolve => setTimeout(resolve, 500))
-        await pollProgress()
-        const finalProgress = serviceProgress[service]
-        const passedMsg = finalProgress ? `${finalProgress.passed} bestanden, ${finalProgress.failed} fehler` : 'abgeschlossen'
-        updateToast(loadingToast, 'success', `${service}: Tests ${passedMsg}`)
-        await fetchData()
-      } else {
-        updateToast(loadingToast, 'info', `${service}: Demo-Modus (API nicht verfuegbar)`)
-      }
-    } catch (err) {
-      console.error('Failed to run tests:', err)
-      updateToast(loadingToast, 'info', `${service}: Demo-Modus (API nicht verfuegbar)`)
-    } finally {
-      // Polling stoppen
-      if (pollInterval) {
-        clearInterval(pollInterval)
-      }
-      setRunningServices((prev) => {
-        const next = new Set(prev)
-        next.delete(service)
-        return next
-      })
-      // Progress-Daten entfernen nach Abschluss
-      setServiceProgress((prev) => {
-        const next = { ...prev }
-        delete next[service]
-        return next
-      })
-    }
-  }
+  const {
+    activeTab,
+    setActiveTab,
+    isLoading,
+    error,
+    toasts,
+    removeToast,
+    services,
+    stats,
+    coverage,
+    testRuns,
+    failedTests,
+    backlogItems,
+    usePostgres,
+    runningServices,
+    serviceProgress,
+    fetchData,
+    updateTestStatus,
+    updateTestPriority,
+    runTests,
+  } = useTestDashboard()
 
   // Filter services by category
   const unitServices = services.filter(s => !s.service.startsWith('bqas-'))
@@ -1429,31 +64,10 @@ export default function TestDashboardPage() {
         return (
           <div className="space-y-6">
             <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-4 gap-4">
-              <MetricCard
-                title="Gesamt Tests"
-                value={stats?.total_tests || 195}
-                subtitle={`${stats?.services_count || 8} Services`}
-                color="orange"
-              />
-              <MetricCard
-                title="Pass Rate"
-                value={`${stats?.overall_pass_rate?.toFixed(1) || 92.3}%`}
-                subtitle={`${stats?.total_passed || 180} bestanden`}
-                trend="up"
-                color="green"
-              />
-              <MetricCard
-                title="Fehlgeschlagen"
-                value={stats?.total_failed || 15}
-                subtitle="Tests mit Fehlern"
-                color="red"
-              />
-              <MetricCard
-                title="Coverage"
-                value={`${stats?.average_coverage?.toFixed(1) || 76.8}%`}
-                subtitle="Durchschnitt"
-                color="purple"
-              />
+              <MetricCard title="Gesamt Tests" value={stats?.total_tests || 195} subtitle={`${stats?.services_count || 8} Services`} color="orange" />
+              <MetricCard title="Pass Rate" value={`${stats?.overall_pass_rate?.toFixed(1) || 92.3}%`} subtitle={`${stats?.total_passed || 180} bestanden`} trend="up" color="green" />
+              <MetricCard title="Fehlgeschlagen" value={stats?.total_failed || 15} subtitle="Tests mit Fehlern" color="red" />
+              <MetricCard title="Coverage" value={`${stats?.average_coverage?.toFixed(1) || 76.8}%`} subtitle="Durchschnitt" color="purple" />
             </div>
 
             <div className="grid grid-cols-1 lg:grid-cols-2 gap-6">
@@ -1461,7 +75,6 @@ export default function TestDashboardPage() {
                 <h3 className="text-lg font-semibold text-slate-900 mb-4">Framework-Verteilung</h3>
                 <FrameworkDistribution data={stats?.by_framework || {}} />
               </div>
-
               <div className="bg-white rounded-xl border border-slate-200 p-6">
                 <h3 className="text-lg font-semibold text-slate-900 mb-4">Coverage nach Service</h3>
                 <CoverageChart data={coverage} />
@@ -1472,13 +85,7 @@ export default function TestDashboardPage() {
               <h3 className="text-lg font-semibold text-slate-900 mb-4">Service-Uebersicht</h3>
               <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 gap-4">
                 {services.slice(0, 8).map((service) => (
-                  <ServiceTestCard
-                    key={service.service}
-                    service={service}
-                    onRun={runTests}
-                    isRunning={runningServices.has(service.service)}
-                    progress={serviceProgress[service.service]}
-                  />
+                  <ServiceTestCard key={service.service} service={service} onRun={runTests} isRunning={runningServices.has(service.service)} progress={serviceProgress[service.service]} />
                 ))}
               </div>
             </div>
@@ -1492,13 +99,7 @@ export default function TestDashboardPage() {
               <h3 className="text-lg font-semibold text-slate-900 mb-4">Unit Tests (Go & Python)</h3>
               <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
                 {unitServices.map((service) => (
-                  <ServiceTestCard
-                    key={service.service}
-                    service={service}
-                    onRun={runTests}
-                    isRunning={runningServices.has(service.service)}
-                    progress={serviceProgress[service.service]}
-                  />
+                  <ServiceTestCard key={service.service} service={service} onRun={runTests} isRunning={runningServices.has(service.service)} progress={serviceProgress[service.service]} />
                 ))}
               </div>
             </div>
@@ -1514,38 +115,25 @@ export default function TestDashboardPage() {
                   <h3 className="text-lg font-semibold text-slate-900">BQAS (LLM Quality Assurance)</h3>
                   <p className="text-sm text-slate-500">Golden Suite, RAG Tests und Synthetic Tests</p>
                 </div>
-                <Link
-                  href="/ai/test-quality"
-                  className="px-4 py-2 bg-orange-100 text-orange-700 rounded-lg text-sm font-medium hover:bg-orange-200 transition-colors"
-                >
+                <Link href="/ai/test-quality" className="px-4 py-2 bg-orange-100 text-orange-700 rounded-lg text-sm font-medium hover:bg-orange-200 transition-colors">
                   Vollstaendiges BQAS Dashboard →
                 </Link>
               </div>
-
               <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
                 {bqasServices.map((service) => (
-                  <ServiceTestCard
-                    key={service.service}
-                    service={service}
-                    onRun={runTests}
-                    isRunning={runningServices.has(service.service)}
-                    progress={serviceProgress[service.service]}
-                  />
+                  <ServiceTestCard key={service.service} service={service} onRun={runTests} isRunning={runningServices.has(service.service)} progress={serviceProgress[service.service]} />
                 ))}
               </div>
             </div>
-
             <div className="bg-blue-50 border border-blue-200 rounded-xl p-4">
               <div className="flex items-start gap-3">
                 <svg className="w-5 h-5 text-blue-600 flex-shrink-0 mt-0.5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                   <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
                 </svg>
-                <div>
-                  <p className="text-sm text-blue-800">
-                    <strong>Tipp:</strong> Das vollstaendige BQAS Dashboard unter <Link href="/ai/test-quality" className="underline">/ai/test-quality</Link> bietet
-                    detaillierte Metriken, Trend-Analyse und Intent-spezifische Scores.
-                  </p>
-                </div>
+                <p className="text-sm text-blue-800">
+                  <strong>Tipp:</strong> Das vollstaendige BQAS Dashboard unter <Link href="/ai/test-quality" className="underline">/ai/test-quality</Link> bietet
+                  detaillierte Metriken, Trend-Analyse und Intent-spezifische Scores.
+                </p>
               </div>
             </div>
           </div>
@@ -1561,14 +149,7 @@ export default function TestDashboardPage() {
 
       case 'backlog':
         return (
-          <BacklogTab
-            failedTests={failedTests}
-            onStatusChange={updateTestStatus}
-            onPriorityChange={usePostgres ? updateTestPriority : undefined}
-            isLoading={isLoading}
-            backlogItems={backlogItems}
-            usePostgres={usePostgres}
-          />
+          <BacklogTab failedTests={failedTests} onStatusChange={updateTestStatus} onPriorityChange={usePostgres ? updateTestPriority : undefined} isLoading={isLoading} backlogItems={backlogItems} usePostgres={usePostgres} />
         )
 
       case 'guide':
@@ -1601,7 +182,6 @@ export default function TestDashboardPage() {
         defaultCollapsed={true}
       />
 
-      {/* DevOps Pipeline Sidebar */}
       <DevOpsPipelineSidebarResponsive currentTool="tests" />
 
       {error && (
diff --git a/admin-core/app/(admin)/infrastructure/tests/types.ts b/admin-core/app/(admin)/infrastructure/tests/types.ts
new file mode 100644
index 0000000..ed8e50d
--- /dev/null
+++ b/admin-core/app/(admin)/infrastructure/tests/types.ts
@@ -0,0 +1,102 @@
+/**
+ * Types for Test Dashboard
+ */
+
+export interface ServiceTestInfo {
+  service: string
+  display_name: string
+  port?: number
+  language: string
+  total_tests: number
+  passed_tests: number
+  failed_tests: number
+  skipped_tests: number
+  pass_rate: number
+  coverage_percent?: number
+  last_run: string
+  status: string
+}
+
+export interface TestRegistryStats {
+  total_tests: number
+  total_passed: number
+  total_failed: number
+  total_skipped: number
+  overall_pass_rate: number
+  average_coverage: number
+  services_count: number
+  by_category: Record<string, number>
+  by_framework: Record<string, number>
+}
+
+export interface TestRun {
+  id: string
+  service: string
+  started_at: string
+  total_tests: number
+  passed_tests: number
+  failed_tests: number
+  duration_seconds: number
+  status: string
+}
+
+export interface CoverageData {
+  service: string
+  display_name: string
+  coverage_percent: number
+  language: string
+}
+
+export type TabType = 'overview' | 'unit' | 'bqas' | 'history' | 'backlog' | 'guide'
+
+export interface Toast {
+  id: number
+  type: 'success' | 'error' | 'loading' | 'info'
+  message: string
+}
+
+export interface FailedTest {
+  id: string
+  name: string
+  service: string
+  file_path: string
+  error_message: string
+  error_type: string
+  suggestion: string
+  run_id: string
+  last_failed: string
+  status: string
+}
+
+export type BacklogPriority = 'critical' | 'high' | 'medium' | 'low'
+export type BacklogStatus = 'open' | 'in_progress' | 'fixed' | 'wont_fix' | 'flaky'
+
+export interface BacklogItem {
+  id: number
+  test_name: string
+  service: string
+  test_file?: string
+  error_message?: string
+  error_type?: string
+  fix_suggestion?: string
+  priority: BacklogPriority
+  status: BacklogStatus
+  failure_count: number
+  last_failed_at: string
+}
+
+export interface TrendDataPoint {
+  date: string
+  passed: number
+  failed: number
+  total: number
+}
+
+export interface ServiceProgress {
+  current_file: string
+  files_done: number
+  files_total: number
+  passed: number
+  failed: number
+  status: string
+}
diff --git a/admin-core/components/infrastructure/DevOpsPipelineSidebar.tsx b/admin-core/components/infrastructure/DevOpsPipelineSidebar.tsx
index 9dacc22..c82d106 100644
--- a/admin-core/components/infrastructure/DevOpsPipelineSidebar.tsx
+++ b/admin-core/components/infrastructure/DevOpsPipelineSidebar.tsx
@@ -20,108 +20,17 @@
 import Link from 'next/link'
 import { useState, useEffect } from 'react'
 import type {
-  DevOpsToolId,
   DevOpsPipelineSidebarProps,
   DevOpsPipelineSidebarResponsiveProps,
-  PipelineLiveStatus,
 } from '@/types/infrastructure-modules'
 import { DEVOPS_PIPELINE_MODULES } from '@/types/infrastructure-modules'
-
-// =============================================================================
-// Icons
-// =============================================================================
-
-const ToolIcon = ({ id }: { id: DevOpsToolId }) => {
-  switch (id) {
-    case 'ci-cd':
-      return (
-        <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
-            d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15" />
-        </svg>
-      )
-    case 'tests':
-      return (
-        <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
-            d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
-        </svg>
-      )
-    case 'sbom':
-      return (
-        <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
-            d="M20 7l-8-4-8 4m16 0l-8 4m8-4v10l-8 4m0-10L4 7m8 4v10M4 7v10l8 4" />
-        </svg>
-      )
-    case 'security':
-      return (
-        <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
-            d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
-        </svg>
-      )
-    default:
-      return null
-  }
-}
-
-// Server/Pipeline Icon fuer Header
-const ServerIcon = () => (
-  <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
-      d="M5 12h14M5 12a2 2 0 01-2-2V6a2 2 0 012-2h14a2 2 0 012 2v4a2 2 0 01-2 2M5 12a2 2 0 00-2 2v4a2 2 0 002 2h14a2 2 0 002-2v-4a2 2 0 00-2-2m-2-4h.01M17 16h.01" />
-  </svg>
-)
-
-// Play Icon fuer Quick Action
-const PlayIcon = () => (
-  <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
-      d="M14.752 11.168l-3.197-2.132A1 1 0 0010 9.87v4.263a1 1 0 001.555.832l3.197-2.132a1 1 0 000-1.664z" />
-    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
-      d="M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
-  </svg>
-)
-
-// =============================================================================
-// Live Status Hook (optional - fetches status from API)
-// =============================================================================
-
-function usePipelineLiveStatus(): PipelineLiveStatus | null {
-  const [status, setStatus] = useState<PipelineLiveStatus | null>(null)
-
-  useEffect(() => {
-    // Live status fetching not yet implemented
-  }, [])
-
-  return status
-}
-
-// =============================================================================
-// Status Badge Component
-// =============================================================================
-
-interface StatusBadgeProps {
-  count: number
-  type: 'backlog' | 'security' | 'running'
-}
-
-function StatusBadge({ count, type }: StatusBadgeProps) {
-  if (count === 0) return null
-
-  const colors = {
-    backlog: 'bg-amber-500',
-    security: 'bg-red-500',
-    running: 'bg-green-500 animate-pulse',
-  }
-
-  return (
-    <span className={`${colors[type]} text-white text-xs font-medium px-1.5 py-0.5 rounded-full min-w-[1.25rem] text-center`}>
-      {count}
-    </span>
-  )
-}
+import {
+  ToolIcon,
+  ServerIcon,
+  PlayIcon,
+  StatusBadge,
+  usePipelineLiveStatus,
+} from './DevOpsPipelineSidebarParts'
 
 // =============================================================================
 // Main Sidebar Component
diff --git a/admin-core/components/infrastructure/DevOpsPipelineSidebarParts.tsx b/admin-core/components/infrastructure/DevOpsPipelineSidebarParts.tsx
new file mode 100644
index 0000000..f322265
--- /dev/null
+++ b/admin-core/components/infrastructure/DevOpsPipelineSidebarParts.tsx
@@ -0,0 +1,106 @@
+'use client'
+
+/**
+ * DevOps Pipeline Sidebar — shared icons, badge, and live-status hook.
+ *
+ * Extracted from DevOpsPipelineSidebar.tsx to stay within the 500 LOC budget.
+ */
+
+import { useState, useEffect } from 'react'
+import type { DevOpsToolId, PipelineLiveStatus } from '@/types/infrastructure-modules'
+
+// =============================================================================
+// Icons
+// =============================================================================
+
+export const ToolIcon = ({ id }: { id: DevOpsToolId }) => {
+  switch (id) {
+    case 'ci-cd':
+      return (
+        <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+            d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15" />
+        </svg>
+      )
+    case 'tests':
+      return (
+        <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+            d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
+        </svg>
+      )
+    case 'sbom':
+      return (
+        <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+            d="M20 7l-8-4-8 4m16 0l-8 4m8-4v10l-8 4m0-10L4 7m8 4v10M4 7v10l8 4" />
+        </svg>
+      )
+    case 'security':
+      return (
+        <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+            d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
+        </svg>
+      )
+    default:
+      return null
+  }
+}
+
+// Server/Pipeline Icon fuer Header
+export const ServerIcon = () => (
+  <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+      d="M5 12h14M5 12a2 2 0 01-2-2V6a2 2 0 012-2h14a2 2 0 012 2v4a2 2 0 01-2 2M5 12a2 2 0 00-2 2v4a2 2 0 002 2h14a2 2 0 002-2v-4a2 2 0 00-2-2m-2-4h.01M17 16h.01" />
+  </svg>
+)
+
+// Play Icon fuer Quick Action
+export const PlayIcon = () => (
+  <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+      d="M14.752 11.168l-3.197-2.132A1 1 0 0010 9.87v4.263a1 1 0 001.555.832l3.197-2.132a1 1 0 000-1.664z" />
+    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+      d="M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+  </svg>
+)
+
+// =============================================================================
+// Live Status Hook (optional - fetches status from API)
+// =============================================================================
+
+export function usePipelineLiveStatus(): PipelineLiveStatus | null {
+  const [status, setStatus] = useState<PipelineLiveStatus | null>(null)
+
+  useEffect(() => {
+    // Live status fetching not yet implemented
+  }, [])
+
+  return status
+}
+
+// =============================================================================
+// Status Badge Component
+// =============================================================================
+
+interface StatusBadgeProps {
+  count: number
+  type: 'backlog' | 'security' | 'running'
+}
+
+export function StatusBadge({ count, type }: StatusBadgeProps) {
+  if (count === 0) return null
+
+  const colors = {
+    backlog: 'bg-amber-500',
+    security: 'bg-red-500',
+    running: 'bg-green-500 animate-pulse',
+  }
+
+  return (
+    <span className={`${colors[type]} text-white text-xs font-medium px-1.5 py-0.5 rounded-full min-w-[1.25rem] text-center`}>
+      {count}
+    </span>
+  )
+}
diff --git a/backend-core/auth/__init__.py b/backend-core/auth/__init__.py
index b56b38b..05c4255 100644
--- a/backend-core/auth/__init__.py
+++ b/backend-core/auth/__init__.py
@@ -5,7 +5,7 @@ Hybrid authentication supporting both Keycloak and local JWT tokens.
 """
 
 from .keycloak_auth import (
-    # Config
+    # Config & Models
     KeycloakConfig,
     KeycloakUser,
 
@@ -18,7 +18,9 @@ from .keycloak_auth import (
     TokenExpiredError,
     TokenInvalidError,
     KeycloakConfigError,
+)
 
+from .dependencies import (
     # Factory functions
     get_keycloak_config_from_env,
     get_authenticator,
@@ -30,7 +32,7 @@ from .keycloak_auth import (
 )
 
 __all__ = [
-    # Config
+    # Config & Models
     "KeycloakConfig",
     "KeycloakUser",
 
diff --git a/backend-core/auth/dependencies.py b/backend-core/auth/dependencies.py
new file mode 100644
index 0000000..51a876a
--- /dev/null
+++ b/backend-core/auth/dependencies.py
@@ -0,0 +1,164 @@
+"""
+FastAPI Authentication Dependencies and Factory Functions.
+
+Provides:
+- get_keycloak_config_from_env(): Create config from env vars
+- get_authenticator(): Create HybridAuthenticator instance
+- get_auth(): Global authenticator singleton
+- get_current_user(): FastAPI dependency for authentication
+- require_role(): FastAPI dependency factory for role-based access
+"""
+
+import os
+import logging
+from typing import Optional, Dict, Any
+
+from fastapi import Request, HTTPException, Depends
+
+from .keycloak_auth import (
+    KeycloakConfig,
+    KeycloakConfigError,
+    HybridAuthenticator,
+    TokenExpiredError,
+    TokenInvalidError,
+)
+
+logger = logging.getLogger(__name__)
+
+
+# =============================================
+# FACTORY FUNCTIONS
+# =============================================
+
+def get_keycloak_config_from_env() -> Optional[KeycloakConfig]:
+    """
+    Create KeycloakConfig from environment variables.
+
+    Required env vars:
+    - KEYCLOAK_SERVER_URL: e.g., https://keycloak.breakpilot.app
+    - KEYCLOAK_REALM: e.g., breakpilot
+    - KEYCLOAK_CLIENT_ID: e.g., breakpilot-backend
+
+    Optional:
+    - KEYCLOAK_CLIENT_SECRET: For confidential clients
+    - KEYCLOAK_VERIFY_SSL: Default true
+    """
+    server_url = os.environ.get("KEYCLOAK_SERVER_URL")
+    realm = os.environ.get("KEYCLOAK_REALM")
+    client_id = os.environ.get("KEYCLOAK_CLIENT_ID")
+
+    if not all([server_url, realm, client_id]):
+        logger.info("Keycloak not configured, using local JWT only")
+        return None
+
+    return KeycloakConfig(
+        server_url=server_url,
+        realm=realm,
+        client_id=client_id,
+        client_secret=os.environ.get("KEYCLOAK_CLIENT_SECRET"),
+        verify_ssl=os.environ.get("KEYCLOAK_VERIFY_SSL", "true").lower() == "true"
+    )
+
+
+def get_authenticator() -> HybridAuthenticator:
+    """
+    Get configured authenticator instance.
+
+    Uses environment variables to determine configuration.
+    """
+    keycloak_config = get_keycloak_config_from_env()
+
+    # JWT_SECRET is required - no default fallback in production
+    jwt_secret = os.environ.get("JWT_SECRET")
+    environment = os.environ.get("ENVIRONMENT", "development")
+
+    if not jwt_secret and environment == "production":
+        raise KeycloakConfigError(
+            "JWT_SECRET environment variable is required in production"
+        )
+
+    return HybridAuthenticator(
+        keycloak_config=keycloak_config,
+        local_jwt_secret=jwt_secret,
+        environment=environment
+    )
+
+
+# =============================================
+# FASTAPI DEPENDENCY
+# =============================================
+
+# Global authenticator instance (lazy-initialized)
+_authenticator: Optional[HybridAuthenticator] = None
+
+
+def get_auth() -> HybridAuthenticator:
+    """Get or create global authenticator."""
+    global _authenticator
+    if _authenticator is None:
+        _authenticator = get_authenticator()
+    return _authenticator
+
+
+async def get_current_user(request: Request) -> Dict[str, Any]:
+    """
+    FastAPI dependency to get current authenticated user.
+
+    Usage:
+        @app.get("/api/protected")
+        async def protected_endpoint(user: dict = Depends(get_current_user)):
+            return {"user_id": user["user_id"]}
+    """
+    auth_header = request.headers.get("authorization", "")
+
+    if not auth_header.startswith("Bearer "):
+        # Check for development mode
+        environment = os.environ.get("ENVIRONMENT", "development")
+        if environment == "development":
+            # Return demo user in development without token
+            return {
+                "user_id": "10000000-0000-0000-0000-000000000024",
+                "email": "demo@breakpilot.app",
+                "role": "admin",
+                "realm_roles": ["admin"],
+                "tenant_id": "a0000000-0000-0000-0000-000000000001",
+                "auth_method": "development_bypass"
+            }
+        raise HTTPException(status_code=401, detail="Missing authorization header")
+
+    token = auth_header.split(" ")[1]
+
+    try:
+        auth = get_auth()
+        return await auth.validate_token(token)
+    except TokenExpiredError:
+        raise HTTPException(status_code=401, detail="Token expired")
+    except TokenInvalidError as e:
+        raise HTTPException(status_code=401, detail=str(e))
+    except Exception as e:
+        logger.error(f"Authentication failed: {e}")
+        raise HTTPException(status_code=401, detail="Authentication failed")
+
+
+async def require_role(required_role: str):
+    """
+    FastAPI dependency factory for role-based access.
+
+    Usage:
+        @app.get("/api/admin-only")
+        async def admin_endpoint(user: dict = Depends(require_role("admin"))):
+            return {"message": "Admin access granted"}
+    """
+    async def role_checker(user: dict = Depends(get_current_user)) -> dict:
+        user_role = user.get("role", "user")
+        realm_roles = user.get("realm_roles", [])
+
+        if user_role == required_role or required_role in realm_roles:
+            return user
+
+        raise HTTPException(
+            status_code=403,
+            detail=f"Role '{required_role}' required"
+        )
+
+    return role_checker
diff --git a/backend-core/auth/keycloak_auth.py b/backend-core/auth/keycloak_auth.py
index 3449169..9e5e585 100644
--- a/backend-core/auth/keycloak_auth.py
+++ b/backend-core/auth/keycloak_auth.py
@@ -375,141 +375,12 @@ class HybridAuthenticator:
             await self.keycloak_auth.close()
 
 
-# =============================================
-# FACTORY FUNCTIONS
-# =============================================
-
-def get_keycloak_config_from_env() -> Optional[KeycloakConfig]:
-    """
-    Create KeycloakConfig from environment variables.
-
-    Required env vars:
-    - KEYCLOAK_SERVER_URL: e.g., https://keycloak.breakpilot.app
-    - KEYCLOAK_REALM: e.g., breakpilot
-    - KEYCLOAK_CLIENT_ID: e.g., breakpilot-backend
-
-    Optional:
-    - KEYCLOAK_CLIENT_SECRET: For confidential clients
-    - KEYCLOAK_VERIFY_SSL: Default true
-    """
-    server_url = os.environ.get("KEYCLOAK_SERVER_URL")
-    realm = os.environ.get("KEYCLOAK_REALM")
-    client_id = os.environ.get("KEYCLOAK_CLIENT_ID")
-
-    if not all([server_url, realm, client_id]):
-        logger.info("Keycloak not configured, using local JWT only")
-        return None
-
-    return KeycloakConfig(
-        server_url=server_url,
-        realm=realm,
-        client_id=client_id,
-        client_secret=os.environ.get("KEYCLOAK_CLIENT_SECRET"),
-        verify_ssl=os.environ.get("KEYCLOAK_VERIFY_SSL", "true").lower() == "true"
-    )
-
-
-def get_authenticator() -> HybridAuthenticator:
-    """
-    Get configured authenticator instance.
-
-    Uses environment variables to determine configuration.
-    """
-    keycloak_config = get_keycloak_config_from_env()
-
-    # JWT_SECRET is required - no default fallback in production
-    jwt_secret = os.environ.get("JWT_SECRET")
-    environment = os.environ.get("ENVIRONMENT", "development")
-
-    if not jwt_secret and environment == "production":
-        raise KeycloakConfigError(
-            "JWT_SECRET environment variable is required in production"
-        )
-
-    return HybridAuthenticator(
-        keycloak_config=keycloak_config,
-        local_jwt_secret=jwt_secret,
-        environment=environment
-    )
-
-
-# =============================================
-# FASTAPI DEPENDENCY
-# =============================================
-
-from fastapi import Request, HTTPException, Depends
-
-# Global authenticator instance (lazy-initialized)
-_authenticator: Optional[HybridAuthenticator] = None
-
-
-def get_auth() -> HybridAuthenticator:
-    """Get or create global authenticator."""
-    global _authenticator
-    if _authenticator is None:
-        _authenticator = get_authenticator()
-    return _authenticator
-
-
-async def get_current_user(request: Request) -> Dict[str, Any]:
-    """
-    FastAPI dependency to get current authenticated user.
-
-    Usage:
-        @app.get("/api/protected")
-        async def protected_endpoint(user: dict = Depends(get_current_user)):
-            return {"user_id": user["user_id"]}
-    """
-    auth_header = request.headers.get("authorization", "")
-
-    if not auth_header.startswith("Bearer "):
-        # Check for development mode
-        environment = os.environ.get("ENVIRONMENT", "development")
-        if environment == "development":
-            # Return demo user in development without token
-            return {
-                "user_id": "10000000-0000-0000-0000-000000000024",
-                "email": "demo@breakpilot.app",
-                "role": "admin",
-                "realm_roles": ["admin"],
-                "tenant_id": "a0000000-0000-0000-0000-000000000001",
-                "auth_method": "development_bypass"
-            }
-        raise HTTPException(status_code=401, detail="Missing authorization header")
-
-    token = auth_header.split(" ")[1]
-
-    try:
-        auth = get_auth()
-        return await auth.validate_token(token)
-    except TokenExpiredError:
-        raise HTTPException(status_code=401, detail="Token expired")
-    except TokenInvalidError as e:
-        raise HTTPException(status_code=401, detail=str(e))
-    except Exception as e:
-        logger.error(f"Authentication failed: {e}")
-        raise HTTPException(status_code=401, detail="Authentication failed")
-
-
-async def require_role(required_role: str):
-    """
-    FastAPI dependency factory for role-based access.
-
-    Usage:
-        @app.get("/api/admin-only")
-        async def admin_endpoint(user: dict = Depends(require_role("admin"))):
-            return {"message": "Admin access granted"}
-    """
-    async def role_checker(user: dict = Depends(get_current_user)) -> dict:
-        user_role = user.get("role", "user")
-        realm_roles = user.get("realm_roles", [])
-
-        if user_role == required_role or required_role in realm_roles:
-            return user
-
-        raise HTTPException(
-            status_code=403,
-            detail=f"Role '{required_role}' required"
-        )
-
-    return role_checker
+# Re-export factory functions and FastAPI dependencies from dependencies module
+# for backward compatibility with existing imports
+from .dependencies import (  # noqa: E402, F401
+    get_keycloak_config_from_env,
+    get_authenticator,
+    get_auth,
+    get_current_user,
+    require_role,
+)
diff --git a/backend-core/main.py b/backend-core/main.py
index 64383bb..2d0086f 100644
--- a/backend-core/main.py
+++ b/backend-core/main.py
@@ -18,6 +18,7 @@ from fastapi.middleware.cors import CORSMiddleware
 # ---------------------------------------------------------------------------
 from auth_api import router as auth_router
 from rbac_api import router as rbac_router
+from rbac_teachers_api import router as rbac_teachers_router
 from notification_api import router as notification_router
 from email_template_api import (
     router as email_template_router,
@@ -89,9 +90,12 @@ app.add_middleware(RateLimiterMiddleware, valkey_url=VALKEY_URL)
 # Auth (proxy to consent-service)
 app.include_router(auth_router, prefix="/api")
 
-# RBAC (teacher / role management)
+# RBAC (role / assignment / custom-role management)
 app.include_router(rbac_router, prefix="/api")
 
+# RBAC Teachers (teacher CRUD, listing, roles per teacher)
+app.include_router(rbac_teachers_router, prefix="/api")
+
 # Notifications (proxy to consent-service)
 app.include_router(notification_router, prefix="/api")
 
diff --git a/backend-core/rbac_api.py b/backend-core/rbac_api.py
index 3ba257b..c023cdc 100644
--- a/backend-core/rbac_api.py
+++ b/backend-core/rbac_api.py
@@ -1,11 +1,14 @@
 """
-RBAC API - Teacher and Role Management Endpoints
+RBAC API - Role and Assignment Management Endpoints
 
 Provides API endpoints for:
-- Listing all teachers
-- Listing all available roles
-- Assigning/revoking roles to teachers
-- Viewing role assignments per teacher
+- Listing all available roles (built-in + custom)
+- Assigning/revoking roles to users
+- Role summary with assignment counts
+- Custom role CRUD
+
+Shared infrastructure (DB pool, Pydantic models, role definitions)
+used by rbac_teachers_api.py as well.
 
 Architecture:
 - Authentication: Keycloak (when configured) or local JWT
@@ -230,163 +233,6 @@ async def list_available_roles() -> List[RoleInfo]:
     ]
 
 
-@router.get("/teachers")
-async def list_teachers(user: Dict[str, Any] = Depends(get_current_user)) -> List[TeacherResponse]:
-    """List all teachers with their current roles"""
-    pool = await get_pool()
-
-    async with pool.acquire() as conn:
-        # Get all teachers with their user info
-        teachers = await conn.fetch("""
-            SELECT
-                t.id, t.user_id, t.teacher_code, t.title,
-                t.first_name, t.last_name, t.is_active,
-                u.email, u.name
-            FROM teachers t
-            JOIN users u ON t.user_id = u.id
-            WHERE t.school_id = 'a0000000-0000-0000-0000-000000000001'
-            ORDER BY t.last_name, t.first_name
-        """)
-
-        # Get role assignments for all teachers
-        role_assignments = await conn.fetch("""
-            SELECT user_id, role
-            FROM role_assignments
-            WHERE tenant_id = 'a0000000-0000-0000-0000-000000000001'
-              AND revoked_at IS NULL
-              AND (valid_to IS NULL OR valid_to > NOW())
-        """)
-
-        # Build role lookup
-        role_lookup: Dict[str, List[str]] = {}
-        for ra in role_assignments:
-            uid = str(ra["user_id"])
-            if uid not in role_lookup:
-                role_lookup[uid] = []
-            role_lookup[uid].append(ra["role"])
-
-        # Build response
-        result = []
-        for t in teachers:
-            uid = str(t["user_id"])
-            result.append(TeacherResponse(
-                id=str(t["id"]),
-                user_id=uid,
-                email=t["email"],
-                name=t["name"] or f"{t['first_name']} {t['last_name']}",
-                teacher_code=t["teacher_code"],
-                title=t["title"],
-                first_name=t["first_name"],
-                last_name=t["last_name"],
-                is_active=t["is_active"],
-                roles=role_lookup.get(uid, [])
-            ))
-
-        return result
-
-
-@router.get("/teachers/{teacher_id}/roles")
-async def get_teacher_roles(teacher_id: str, user: Dict[str, Any] = Depends(get_current_user)) -> List[RoleAssignmentResponse]:
-    """Get all role assignments for a specific teacher"""
-    pool = await get_pool()
-
-    async with pool.acquire() as conn:
-        # Get teacher's user_id
-        teacher = await conn.fetchrow(
-            "SELECT user_id FROM teachers WHERE id = $1",
-            teacher_id
-        )
-        if not teacher:
-            raise HTTPException(status_code=404, detail="Teacher not found")
-
-        # Get role assignments
-        assignments = await conn.fetch("""
-            SELECT id, user_id, role, resource_type, resource_id,
-                   valid_from, valid_to, granted_at, revoked_at
-            FROM role_assignments
-            WHERE user_id = $1
-            ORDER BY granted_at DESC
-        """, teacher["user_id"])
-
-        return [
-            RoleAssignmentResponse(
-                id=str(a["id"]),
-                user_id=str(a["user_id"]),
-                role=a["role"],
-                resource_type=a["resource_type"],
-                resource_id=str(a["resource_id"]),
-                valid_from=a["valid_from"].isoformat() if a["valid_from"] else None,
-                valid_to=a["valid_to"].isoformat() if a["valid_to"] else None,
-                granted_at=a["granted_at"].isoformat() if a["granted_at"] else None,
-                is_active=a["revoked_at"] is None and (
-                    a["valid_to"] is None or a["valid_to"] > datetime.now(timezone.utc)
-                )
-            )
-            for a in assignments
-        ]
-
-
-@router.get("/roles/{role}/teachers")
-async def get_teachers_by_role(role: str, user: Dict[str, Any] = Depends(get_current_user)) -> List[TeacherResponse]:
-    """Get all teachers with a specific role"""
-    if role not in AVAILABLE_ROLES:
-        raise HTTPException(status_code=400, detail=f"Unknown role: {role}")
-
-    pool = await get_pool()
-
-    async with pool.acquire() as conn:
-        teachers = await conn.fetch("""
-            SELECT DISTINCT
-                t.id, t.user_id, t.teacher_code, t.title,
-                t.first_name, t.last_name, t.is_active,
-                u.email, u.name
-            FROM teachers t
-            JOIN users u ON t.user_id = u.id
-            JOIN role_assignments ra ON t.user_id = ra.user_id
-            WHERE ra.role = $1
-              AND ra.revoked_at IS NULL
-              AND (ra.valid_to IS NULL OR ra.valid_to > NOW())
-              AND t.school_id = 'a0000000-0000-0000-0000-000000000001'
-            ORDER BY t.last_name, t.first_name
-        """, role)
-
-        # Get all roles for these teachers
-        if teachers:
-            user_ids = [t["user_id"] for t in teachers]
-            role_assignments = await conn.fetch("""
-                SELECT user_id, role
-                FROM role_assignments
-                WHERE user_id = ANY($1)
-                  AND revoked_at IS NULL
-                  AND (valid_to IS NULL OR valid_to > NOW())
-            """, user_ids)
-
-            role_lookup: Dict[str, List[str]] = {}
-            for ra in role_assignments:
-                uid = str(ra["user_id"])
-                if uid not in role_lookup:
-                    role_lookup[uid] = []
-                role_lookup[uid].append(ra["role"])
-        else:
-            role_lookup = {}
-
-        return [
-            TeacherResponse(
-                id=str(t["id"]),
-                user_id=str(t["user_id"]),
-                email=t["email"],
-                name=t["name"] or f"{t['first_name']} {t['last_name']}",
-                teacher_code=t["teacher_code"],
-                title=t["title"],
-                first_name=t["first_name"],
-                last_name=t["last_name"],
-                is_active=t["is_active"],
-                roles=role_lookup.get(str(t["user_id"]), [])
-            )
-            for t in teachers
-        ]
-
-
 @router.post("/assignments")
 async def assign_role(assignment: RoleAssignmentCreate, user: Dict[str, Any] = Depends(get_current_user)) -> RoleAssignmentResponse:
     """Assign a role to a user"""
@@ -519,178 +365,6 @@ async def get_role_summary(user: Dict[str, Any] = Depends(get_current_user)) ->
         }
 
 
-# ==========================================
-# TEACHER MANAGEMENT ENDPOINTS
-# ==========================================
-
-@router.post("/teachers")
-async def create_teacher(teacher: TeacherCreate, user: Dict[str, Any] = Depends(get_current_user)) -> TeacherResponse:
-    """Create a new teacher with optional initial roles"""
-    pool = await get_pool()
-
-    import uuid
-
-    async with pool.acquire() as conn:
-        # Check if email already exists
-        existing = await conn.fetchrow(
-            "SELECT id FROM users WHERE email = $1",
-            teacher.email
-        )
-        if existing:
-            raise HTTPException(status_code=409, detail="Email already exists")
-
-        # Generate UUIDs
-        user_id = str(uuid.uuid4())
-        teacher_id = str(uuid.uuid4())
-
-        # Create user first
-        await conn.execute("""
-            INSERT INTO users (id, email, name, password_hash, role, is_active)
-            VALUES ($1, $2, $3, '', 'teacher', true)
-        """, user_id, teacher.email, f"{teacher.first_name} {teacher.last_name}")
-
-        # Create teacher record
-        await conn.execute("""
-            INSERT INTO teachers (id, user_id, school_id, first_name, last_name, teacher_code, title, is_active)
-            VALUES ($1, $2, 'a0000000-0000-0000-0000-000000000001', $3, $4, $5, $6, true)
-        """, teacher_id, user_id, teacher.first_name, teacher.last_name,
-            teacher.teacher_code, teacher.title)
-
-        # Assign initial roles if provided
-        assigned_roles = []
-        for role in teacher.roles:
-            if role in AVAILABLE_ROLES or await conn.fetchrow(
-                "SELECT 1 FROM custom_roles WHERE role_key = $1 AND is_active = true", role
-            ):
-                await conn.execute("""
-                    INSERT INTO role_assignments (user_id, role, resource_type, resource_id, tenant_id, granted_by)
-                    VALUES ($1, $2, 'tenant', 'a0000000-0000-0000-0000-000000000001',
-                            'a0000000-0000-0000-0000-000000000001', $3)
-                """, user_id, role, user.get("user_id"))
-                assigned_roles.append(role)
-
-        return TeacherResponse(
-            id=teacher_id,
-            user_id=user_id,
-            email=teacher.email,
-            name=f"{teacher.first_name} {teacher.last_name}",
-            teacher_code=teacher.teacher_code,
-            title=teacher.title,
-            first_name=teacher.first_name,
-            last_name=teacher.last_name,
-            is_active=True,
-            roles=assigned_roles
-        )
-
-
-@router.put("/teachers/{teacher_id}")
-async def update_teacher(teacher_id: str, updates: TeacherUpdate, user: Dict[str, Any] = Depends(get_current_user)) -> TeacherResponse:
-    """Update teacher information"""
-    pool = await get_pool()
-
-    async with pool.acquire() as conn:
-        # Get current teacher data
-        teacher = await conn.fetchrow("""
-            SELECT t.id, t.user_id, t.teacher_code, t.title, t.first_name, t.last_name, t.is_active,
-                   u.email, u.name
-            FROM teachers t
-            JOIN users u ON t.user_id = u.id
-            WHERE t.id = $1
-        """, teacher_id)
-
-        if not teacher:
-            raise HTTPException(status_code=404, detail="Teacher not found")
-
-        # Build update queries
-        if updates.email:
-            await conn.execute("UPDATE users SET email = $1 WHERE id = $2",
-                             updates.email, teacher["user_id"])
-
-        teacher_updates = []
-        teacher_values = []
-        idx = 1
-
-        if updates.first_name:
-            teacher_updates.append(f"first_name = ${idx}")
-            teacher_values.append(updates.first_name)
-            idx += 1
-        if updates.last_name:
-            teacher_updates.append(f"last_name = ${idx}")
-            teacher_values.append(updates.last_name)
-            idx += 1
-        if updates.teacher_code is not None:
-            teacher_updates.append(f"teacher_code = ${idx}")
-            teacher_values.append(updates.teacher_code)
-            idx += 1
-        if updates.title is not None:
-            teacher_updates.append(f"title = ${idx}")
-            teacher_values.append(updates.title)
-            idx += 1
-        if updates.is_active is not None:
-            teacher_updates.append(f"is_active = ${idx}")
-            teacher_values.append(updates.is_active)
-            idx += 1
-
-        if teacher_updates:
-            teacher_values.append(teacher_id)
-            await conn.execute(
-                f"UPDATE teachers SET {', '.join(teacher_updates)} WHERE id = ${idx}",
-                *teacher_values
-            )
-
-        # Update user name if first/last name changed
-        if updates.first_name or updates.last_name:
-            new_first = updates.first_name or teacher["first_name"]
-            new_last = updates.last_name or teacher["last_name"]
-            await conn.execute("UPDATE users SET name = $1 WHERE id = $2",
-                             f"{new_first} {new_last}", teacher["user_id"])
-
-        # Fetch updated data
-        updated = await conn.fetchrow("""
-            SELECT t.id, t.user_id, t.teacher_code, t.title, t.first_name, t.last_name, t.is_active,
-                   u.email, u.name
-            FROM teachers t
-            JOIN users u ON t.user_id = u.id
-            WHERE t.id = $1
-        """, teacher_id)
-
-        # Get roles
-        roles = await conn.fetch("""
-            SELECT role FROM role_assignments
-            WHERE user_id = $1 AND revoked_at IS NULL
-              AND (valid_to IS NULL OR valid_to > NOW())
-        """, updated["user_id"])
-
-        return TeacherResponse(
-            id=str(updated["id"]),
-            user_id=str(updated["user_id"]),
-            email=updated["email"],
-            name=updated["name"],
-            teacher_code=updated["teacher_code"],
-            title=updated["title"],
-            first_name=updated["first_name"],
-            last_name=updated["last_name"],
-            is_active=updated["is_active"],
-            roles=[r["role"] for r in roles]
-        )
-
-
-@router.delete("/teachers/{teacher_id}")
-async def deactivate_teacher(teacher_id: str, user: Dict[str, Any] = Depends(get_current_user)):
-    """Deactivate a teacher (soft delete)"""
-    pool = await get_pool()
-
-    async with pool.acquire() as conn:
-        result = await conn.execute("""
-            UPDATE teachers SET is_active = false WHERE id = $1
-        """, teacher_id)
-
-        if result == "UPDATE 0":
-            raise HTTPException(status_code=404, detail="Teacher not found")
-
-        return {"status": "deactivated", "teacher_id": teacher_id}
-
-
 # ==========================================
 # CUSTOM ROLE MANAGEMENT ENDPOINTS
 # ==========================================
diff --git a/backend-core/rbac_teachers_api.py b/backend-core/rbac_teachers_api.py
new file mode 100644
index 0000000..4babbb0
--- /dev/null
+++ b/backend-core/rbac_teachers_api.py
@@ -0,0 +1,358 @@
+"""
+RBAC Teachers API - Teacher Management Endpoints
+
+Provides API endpoints for:
+- Listing all teachers with roles
+- Getting teacher roles
+- Getting teachers by role
+- Creating, updating, deactivating teachers
+
+Split from rbac_api.py for file-size compliance.
+"""
+
+import uuid
+from datetime import datetime, timezone
+from typing import Dict, Any, List
+from fastapi import APIRouter, HTTPException, Depends
+
+from rbac_api import (
+    get_pool,
+    get_current_user,
+    TeacherCreate,
+    TeacherUpdate,
+    TeacherResponse,
+    RoleAssignmentResponse,
+    AVAILABLE_ROLES,
+)
+
+router = APIRouter(prefix="/rbac", tags=["rbac"])
+
+
+def _build_teacher_response(teacher_row, roles: List[str]) -> TeacherResponse:
+    """Build a TeacherResponse from a DB row and a list of role strings."""
+    return TeacherResponse(
+        id=str(teacher_row["id"]),
+        user_id=str(teacher_row["user_id"]),
+        email=teacher_row["email"],
+        name=teacher_row["name"] or f"{teacher_row['first_name']} {teacher_row['last_name']}",
+        teacher_code=teacher_row["teacher_code"],
+        title=teacher_row["title"],
+        first_name=teacher_row["first_name"],
+        last_name=teacher_row["last_name"],
+        is_active=teacher_row["is_active"],
+        roles=roles,
+    )
+
+
+def _build_role_lookup(role_assignments) -> Dict[str, List[str]]:
+    """Build a user_id -> [roles] lookup from role assignment rows."""
+    role_lookup: Dict[str, List[str]] = {}
+    for ra in role_assignments:
+        uid = str(ra["user_id"])
+        if uid not in role_lookup:
+            role_lookup[uid] = []
+        role_lookup[uid].append(ra["role"])
+    return role_lookup
+
+
+# ==========================================
+# TEACHER LISTING / QUERY ENDPOINTS
+# ==========================================
+
+
+@router.get("/teachers")
+async def list_teachers(
+    user: Dict[str, Any] = Depends(get_current_user),
+) -> List[TeacherResponse]:
+    """List all teachers with their current roles"""
+    pool = await get_pool()
+
+    async with pool.acquire() as conn:
+        teachers = await conn.fetch("""
+            SELECT
+                t.id, t.user_id, t.teacher_code, t.title,
+                t.first_name, t.last_name, t.is_active,
+                u.email, u.name
+            FROM teachers t
+            JOIN users u ON t.user_id = u.id
+            WHERE t.school_id = 'a0000000-0000-0000-0000-000000000001'
+            ORDER BY t.last_name, t.first_name
+        """)
+
+        role_assignments = await conn.fetch("""
+            SELECT user_id, role
+            FROM role_assignments
+            WHERE tenant_id = 'a0000000-0000-0000-0000-000000000001'
+              AND revoked_at IS NULL
+              AND (valid_to IS NULL OR valid_to > NOW())
+        """)
+
+        role_lookup = _build_role_lookup(role_assignments)
+
+        return [
+            _build_teacher_response(t, role_lookup.get(str(t["user_id"]), []))
+            for t in teachers
+        ]
+
+
+@router.get("/teachers/{teacher_id}/roles")
+async def get_teacher_roles(
+    teacher_id: str,
+    user: Dict[str, Any] = Depends(get_current_user),
+) -> List[RoleAssignmentResponse]:
+    """Get all role assignments for a specific teacher"""
+    pool = await get_pool()
+
+    async with pool.acquire() as conn:
+        teacher = await conn.fetchrow(
+            "SELECT user_id FROM teachers WHERE id = $1",
+            teacher_id,
+        )
+        if not teacher:
+            raise HTTPException(status_code=404, detail="Teacher not found")
+
+        assignments = await conn.fetch("""
+            SELECT id, user_id, role, resource_type, resource_id,
+                   valid_from, valid_to, granted_at, revoked_at
+            FROM role_assignments
+            WHERE user_id = $1
+            ORDER BY granted_at DESC
+        """, teacher["user_id"])
+
+        return [
+            RoleAssignmentResponse(
+                id=str(a["id"]),
+                user_id=str(a["user_id"]),
+                role=a["role"],
+                resource_type=a["resource_type"],
+                resource_id=str(a["resource_id"]),
+                valid_from=a["valid_from"].isoformat() if a["valid_from"] else None,
+                valid_to=a["valid_to"].isoformat() if a["valid_to"] else None,
+                granted_at=a["granted_at"].isoformat() if a["granted_at"] else None,
+                is_active=a["revoked_at"] is None and (
+                    a["valid_to"] is None or a["valid_to"] > datetime.now(timezone.utc)
+                ),
+            )
+            for a in assignments
+        ]
+
+
+@router.get("/roles/{role}/teachers")
+async def get_teachers_by_role(
+    role: str,
+    user: Dict[str, Any] = Depends(get_current_user),
+) -> List[TeacherResponse]:
+    """Get all teachers with a specific role"""
+    if role not in AVAILABLE_ROLES:
+        raise HTTPException(status_code=400, detail=f"Unknown role: {role}")
+
+    pool = await get_pool()
+
+    async with pool.acquire() as conn:
+        teachers = await conn.fetch("""
+            SELECT DISTINCT
+                t.id, t.user_id, t.teacher_code, t.title,
+                t.first_name, t.last_name, t.is_active,
+                u.email, u.name
+            FROM teachers t
+            JOIN users u ON t.user_id = u.id
+            JOIN role_assignments ra ON t.user_id = ra.user_id
+            WHERE ra.role = $1
+              AND ra.revoked_at IS NULL
+              AND (ra.valid_to IS NULL OR ra.valid_to > NOW())
+              AND t.school_id = 'a0000000-0000-0000-0000-000000000001'
+            ORDER BY t.last_name, t.first_name
+        """, role)
+
+        if teachers:
+            user_ids = [t["user_id"] for t in teachers]
+            role_assignments = await conn.fetch("""
+                SELECT user_id, role
+                FROM role_assignments
+                WHERE user_id = ANY($1)
+                  AND revoked_at IS NULL
+                  AND (valid_to IS NULL OR valid_to > NOW())
+            """, user_ids)
+            role_lookup = _build_role_lookup(role_assignments)
+        else:
+            role_lookup = {}
+
+        return [
+            _build_teacher_response(t, role_lookup.get(str(t["user_id"]), []))
+            for t in teachers
+        ]
+
+
+# ==========================================
+# TEACHER CRUD ENDPOINTS
+# ==========================================
+
+
+@router.post("/teachers")
+async def create_teacher(
+    teacher: TeacherCreate,
+    user: Dict[str, Any] = Depends(get_current_user),
+) -> TeacherResponse:
+    """Create a new teacher with optional initial roles"""
+    pool = await get_pool()
+
+    async with pool.acquire() as conn:
+        existing = await conn.fetchrow(
+            "SELECT id FROM users WHERE email = $1",
+            teacher.email,
+        )
+        if existing:
+            raise HTTPException(status_code=409, detail="Email already exists")
+
+        user_id = str(uuid.uuid4())
+        teacher_id = str(uuid.uuid4())
+
+        await conn.execute("""
+            INSERT INTO users (id, email, name, password_hash, role, is_active)
+            VALUES ($1, $2, $3, '', 'teacher', true)
+        """, user_id, teacher.email, f"{teacher.first_name} {teacher.last_name}")
+
+        await conn.execute("""
+            INSERT INTO teachers (id, user_id, school_id, first_name, last_name, teacher_code, title, is_active)
+            VALUES ($1, $2, 'a0000000-0000-0000-0000-000000000001', $3, $4, $5, $6, true)
+        """, teacher_id, user_id, teacher.first_name, teacher.last_name,
+            teacher.teacher_code, teacher.title)
+
+        assigned_roles = []
+        for role in teacher.roles:
+            if role in AVAILABLE_ROLES or await conn.fetchrow(
+                "SELECT 1 FROM custom_roles WHERE role_key = $1 AND is_active = true", role
+            ):
+                await conn.execute("""
+                    INSERT INTO role_assignments (user_id, role, resource_type, resource_id, tenant_id, granted_by)
+                    VALUES ($1, $2, 'tenant', 'a0000000-0000-0000-0000-000000000001',
+                            'a0000000-0000-0000-0000-000000000001', $3)
+                """, user_id, role, user.get("user_id"))
+                assigned_roles.append(role)
+
+        return TeacherResponse(
+            id=teacher_id,
+            user_id=user_id,
+            email=teacher.email,
+            name=f"{teacher.first_name} {teacher.last_name}",
+            teacher_code=teacher.teacher_code,
+            title=teacher.title,
+            first_name=teacher.first_name,
+            last_name=teacher.last_name,
+            is_active=True,
+            roles=assigned_roles,
+        )
+
+
+@router.put("/teachers/{teacher_id}")
+async def update_teacher(
+    teacher_id: str,
+    updates: TeacherUpdate,
+    user: Dict[str, Any] = Depends(get_current_user),
+) -> TeacherResponse:
+    """Update teacher information"""
+    pool = await get_pool()
+
+    async with pool.acquire() as conn:
+        teacher = await conn.fetchrow("""
+            SELECT t.id, t.user_id, t.teacher_code, t.title, t.first_name, t.last_name, t.is_active,
+                   u.email, u.name
+            FROM teachers t
+            JOIN users u ON t.user_id = u.id
+            WHERE t.id = $1
+        """, teacher_id)
+
+        if not teacher:
+            raise HTTPException(status_code=404, detail="Teacher not found")
+
+        if updates.email:
+            await conn.execute(
+                "UPDATE users SET email = $1 WHERE id = $2",
+                updates.email, teacher["user_id"],
+            )
+
+        teacher_updates = []
+        teacher_values = []
+        idx = 1
+
+        if updates.first_name:
+            teacher_updates.append(f"first_name = ${idx}")
+            teacher_values.append(updates.first_name)
+            idx += 1
+        if updates.last_name:
+            teacher_updates.append(f"last_name = ${idx}")
+            teacher_values.append(updates.last_name)
+            idx += 1
+        if updates.teacher_code is not None:
+            teacher_updates.append(f"teacher_code = ${idx}")
+            teacher_values.append(updates.teacher_code)
+            idx += 1
+        if updates.title is not None:
+            teacher_updates.append(f"title = ${idx}")
+            teacher_values.append(updates.title)
+            idx += 1
+        if updates.is_active is not None:
+            teacher_updates.append(f"is_active = ${idx}")
+            teacher_values.append(updates.is_active)
+            idx += 1
+
+        if teacher_updates:
+            teacher_values.append(teacher_id)
+            await conn.execute(
+                f"UPDATE teachers SET {', '.join(teacher_updates)} WHERE id = ${idx}",
+                *teacher_values,
+            )
+
+        if updates.first_name or updates.last_name:
+            new_first = updates.first_name or teacher["first_name"]
+            new_last = updates.last_name or teacher["last_name"]
+            await conn.execute(
+                "UPDATE users SET name = $1 WHERE id = $2",
+                f"{new_first} {new_last}", teacher["user_id"],
+            )
+
+        updated = await conn.fetchrow("""
+            SELECT t.id, t.user_id, t.teacher_code, t.title, t.first_name, t.last_name, t.is_active,
+                   u.email, u.name
+            FROM teachers t
+            JOIN users u ON t.user_id = u.id
+            WHERE t.id = $1
+        """, teacher_id)
+
+        roles = await conn.fetch("""
+            SELECT role FROM role_assignments
+            WHERE user_id = $1 AND revoked_at IS NULL
+              AND (valid_to IS NULL OR valid_to > NOW())
+        """, updated["user_id"])
+
+        return TeacherResponse(
+            id=str(updated["id"]),
+            user_id=str(updated["user_id"]),
+            email=updated["email"],
+            name=updated["name"],
+            teacher_code=updated["teacher_code"],
+            title=updated["title"],
+            first_name=updated["first_name"],
+            last_name=updated["last_name"],
+            is_active=updated["is_active"],
+            roles=[r["role"] for r in roles],
+        )
+
+
+@router.delete("/teachers/{teacher_id}")
+async def deactivate_teacher(
+    teacher_id: str,
+    user: Dict[str, Any] = Depends(get_current_user),
+):
+    """Deactivate a teacher (soft delete)"""
+    pool = await get_pool()
+
+    async with pool.acquire() as conn:
+        result = await conn.execute("""
+            UPDATE teachers SET is_active = false WHERE id = $1
+        """, teacher_id)
+
+        if result == "UPDATE 0":
+            raise HTTPException(status_code=404, detail="Teacher not found")
+
+        return {"status": "deactivated", "teacher_id": teacher_id}
diff --git a/backend-core/security_api.py b/backend-core/security_api.py
index b0dfac2..b34aa0e 100644
--- a/backend-core/security_api.py
+++ b/backend-core/security_api.py
@@ -13,312 +13,47 @@ Features:
 - Fuehrt Security-Scans via subprocess aus
 - Parst Gitleaks, Semgrep, Trivy, Grype JSON-Reports
 - Generiert SBOM mit Syft
+
+Split structure:
+- security_models.py        — Pydantic models
+- security_report_parsers.py — Report parsing, tool detection, aggregation
+- security_mock_data.py      — Mock data generators + /demo/* endpoints
+- security_monitoring.py     — /monitoring/* endpoints (logs, metrics, containers)
 """
 
-import os
 import json
 import subprocess
-import asyncio
 from datetime import datetime
-from pathlib import Path
-from typing import List, Dict, Any, Optional
+from typing import List, Optional
 from fastapi import APIRouter, HTTPException, BackgroundTasks
-from pydantic import BaseModel
+
+from security_models import (
+    ToolStatus,
+    Finding,
+    SeveritySummary,
+    HistoryItem,
+)
+from security_report_parsers import (
+    REPORTS_DIR,
+    PROJECT_ROOT,
+    check_tool_installed,
+    get_latest_report,
+    get_all_findings,
+    calculate_summary,
+)
+from security_mock_data import (
+    get_mock_findings,
+    get_mock_sbom_data,
+    get_mock_history,
+    router as mock_data_router,
+)
+from security_monitoring import router as monitoring_router
 
 router = APIRouter(prefix="/v1/security", tags=["Security"])
 
-# Pfade - innerhalb des Backend-Verzeichnisses
-# In Docker: /app/security-reports, /app/scripts
-# Lokal: backend/security-reports, backend/scripts
-BACKEND_DIR = Path(__file__).parent
-REPORTS_DIR = BACKEND_DIR / "security-reports"
-SCRIPTS_DIR = BACKEND_DIR / "scripts"
-
-# Projekt-Root fuer Security-Scans
-PROJECT_ROOT = BACKEND_DIR
-
-# Sicherstellen, dass das Reports-Verzeichnis existiert
-try:
-    REPORTS_DIR.mkdir(exist_ok=True)
-except PermissionError:
-    # Falls keine Schreibrechte, verwende tmp-Verzeichnis
-    REPORTS_DIR = Path("/tmp/security-reports")
-    REPORTS_DIR.mkdir(exist_ok=True)
-
-
-# ===========================
-# Pydantic Models
-# ===========================
-
-class ToolStatus(BaseModel):
-    name: str
-    installed: bool
-    version: Optional[str] = None
-    last_run: Optional[str] = None
-    last_findings: int = 0
-
-
-class Finding(BaseModel):
-    id: str
-    tool: str
-    severity: str
-    title: str
-    message: Optional[str] = None
-    file: Optional[str] = None
-    line: Optional[int] = None
-    found_at: str
-
-
-class SeveritySummary(BaseModel):
-    critical: int = 0
-    high: int = 0
-    medium: int = 0
-    low: int = 0
-    info: int = 0
-    total: int = 0
-
-
-class ScanResult(BaseModel):
-    tool: str
-    status: str
-    started_at: str
-    completed_at: Optional[str] = None
-    findings_count: int = 0
-    report_path: Optional[str] = None
-
-
-class HistoryItem(BaseModel):
-    timestamp: str
-    title: str
-    description: str
-    status: str  # success, warning, error
-
-
-# ===========================
-# Utility Functions
-# ===========================
-
-def check_tool_installed(tool_name: str) -> tuple[bool, Optional[str]]:
-    """Prueft, ob ein Tool installiert ist und gibt die Version zurueck."""
-    try:
-        if tool_name == "gitleaks":
-            result = subprocess.run(["gitleaks", "version"], capture_output=True, text=True, timeout=5)
-            if result.returncode == 0:
-                return True, result.stdout.strip()
-        elif tool_name == "semgrep":
-            result = subprocess.run(["semgrep", "--version"], capture_output=True, text=True, timeout=5)
-            if result.returncode == 0:
-                return True, result.stdout.strip().split('\n')[0]
-        elif tool_name == "bandit":
-            result = subprocess.run(["bandit", "--version"], capture_output=True, text=True, timeout=5)
-            if result.returncode == 0:
-                return True, result.stdout.strip()
-        elif tool_name == "trivy":
-            result = subprocess.run(["trivy", "version"], capture_output=True, text=True, timeout=5)
-            if result.returncode == 0:
-                # Parse "Version: 0.48.x"
-                for line in result.stdout.split('\n'):
-                    if line.startswith('Version:'):
-                        return True, line.split(':')[1].strip()
-                return True, result.stdout.strip().split('\n')[0]
-        elif tool_name == "grype":
-            result = subprocess.run(["grype", "version"], capture_output=True, text=True, timeout=5)
-            if result.returncode == 0:
-                return True, result.stdout.strip().split('\n')[0]
-        elif tool_name == "syft":
-            result = subprocess.run(["syft", "version"], capture_output=True, text=True, timeout=5)
-            if result.returncode == 0:
-                return True, result.stdout.strip().split('\n')[0]
-    except (subprocess.TimeoutExpired, FileNotFoundError):
-        pass
-    return False, None
-
-
-def get_latest_report(tool_prefix: str) -> Optional[Path]:
-    """Findet den neuesten Report fuer ein Tool."""
-    if not REPORTS_DIR.exists():
-        return None
-
-    reports = list(REPORTS_DIR.glob(f"{tool_prefix}*.json"))
-    if not reports:
-        return None
-
-    return max(reports, key=lambda p: p.stat().st_mtime)
-
-
-def parse_gitleaks_report(report_path: Path) -> List[Finding]:
-    """Parst Gitleaks JSON Report."""
-    findings = []
-    try:
-        with open(report_path) as f:
-            data = json.load(f)
-            if isinstance(data, list):
-                for item in data:
-                    findings.append(Finding(
-                        id=item.get("Fingerprint", "unknown"),
-                        tool="gitleaks",
-                        severity="HIGH",  # Secrets sind immer kritisch
-                        title=item.get("Description", "Secret detected"),
-                        message=f"Rule: {item.get('RuleID', 'unknown')}",
-                        file=item.get("File", ""),
-                        line=item.get("StartLine", 0),
-                        found_at=datetime.fromtimestamp(report_path.stat().st_mtime).isoformat()
-                    ))
-    except (json.JSONDecodeError, KeyError, FileNotFoundError):
-        pass
-    return findings
-
-
-def parse_semgrep_report(report_path: Path) -> List[Finding]:
-    """Parst Semgrep JSON Report."""
-    findings = []
-    try:
-        with open(report_path) as f:
-            data = json.load(f)
-            results = data.get("results", [])
-            for item in results:
-                severity = item.get("extra", {}).get("severity", "INFO").upper()
-                findings.append(Finding(
-                    id=item.get("check_id", "unknown"),
-                    tool="semgrep",
-                    severity=severity,
-                    title=item.get("extra", {}).get("message", "Finding"),
-                    message=item.get("check_id", ""),
-                    file=item.get("path", ""),
-                    line=item.get("start", {}).get("line", 0),
-                    found_at=datetime.fromtimestamp(report_path.stat().st_mtime).isoformat()
-                ))
-    except (json.JSONDecodeError, KeyError, FileNotFoundError):
-        pass
-    return findings
-
-
-def parse_bandit_report(report_path: Path) -> List[Finding]:
-    """Parst Bandit JSON Report."""
-    findings = []
-    try:
-        with open(report_path) as f:
-            data = json.load(f)
-            results = data.get("results", [])
-            for item in results:
-                severity = item.get("issue_severity", "LOW").upper()
-                findings.append(Finding(
-                    id=item.get("test_id", "unknown"),
-                    tool="bandit",
-                    severity=severity,
-                    title=item.get("issue_text", "Finding"),
-                    message=f"CWE: {item.get('issue_cwe', {}).get('id', 'N/A')}",
-                    file=item.get("filename", ""),
-                    line=item.get("line_number", 0),
-                    found_at=datetime.fromtimestamp(report_path.stat().st_mtime).isoformat()
-                ))
-    except (json.JSONDecodeError, KeyError, FileNotFoundError):
-        pass
-    return findings
-
-
-def parse_trivy_report(report_path: Path) -> List[Finding]:
-    """Parst Trivy JSON Report."""
-    findings = []
-    try:
-        with open(report_path) as f:
-            data = json.load(f)
-            results = data.get("Results", [])
-            for result in results:
-                vulnerabilities = result.get("Vulnerabilities", []) or []
-                target = result.get("Target", "")
-                for vuln in vulnerabilities:
-                    severity = vuln.get("Severity", "UNKNOWN").upper()
-                    findings.append(Finding(
-                        id=vuln.get("VulnerabilityID", "unknown"),
-                        tool="trivy",
-                        severity=severity,
-                        title=vuln.get("Title", vuln.get("VulnerabilityID", "CVE")),
-                        message=f"{vuln.get('PkgName', '')} {vuln.get('InstalledVersion', '')}",
-                        file=target,
-                        line=None,
-                        found_at=datetime.fromtimestamp(report_path.stat().st_mtime).isoformat()
-                    ))
-    except (json.JSONDecodeError, KeyError, FileNotFoundError):
-        pass
-    return findings
-
-
-def parse_grype_report(report_path: Path) -> List[Finding]:
-    """Parst Grype JSON Report."""
-    findings = []
-    try:
-        with open(report_path) as f:
-            data = json.load(f)
-            matches = data.get("matches", [])
-            for match in matches:
-                vuln = match.get("vulnerability", {})
-                artifact = match.get("artifact", {})
-                severity = vuln.get("severity", "Unknown").upper()
-                findings.append(Finding(
-                    id=vuln.get("id", "unknown"),
-                    tool="grype",
-                    severity=severity,
-                    title=vuln.get("description", vuln.get("id", "CVE"))[:100],
-                    message=f"{artifact.get('name', '')} {artifact.get('version', '')}",
-                    file=artifact.get("locations", [{}])[0].get("path", "") if artifact.get("locations") else "",
-                    line=None,
-                    found_at=datetime.fromtimestamp(report_path.stat().st_mtime).isoformat()
-                ))
-    except (json.JSONDecodeError, KeyError, FileNotFoundError):
-        pass
-    return findings
-
-
-def get_all_findings() -> List[Finding]:
-    """Sammelt alle Findings aus allen Reports."""
-    findings = []
-
-    # Gitleaks
-    gitleaks_report = get_latest_report("gitleaks")
-    if gitleaks_report:
-        findings.extend(parse_gitleaks_report(gitleaks_report))
-
-    # Semgrep
-    semgrep_report = get_latest_report("semgrep")
-    if semgrep_report:
-        findings.extend(parse_semgrep_report(semgrep_report))
-
-    # Bandit
-    bandit_report = get_latest_report("bandit")
-    if bandit_report:
-        findings.extend(parse_bandit_report(bandit_report))
-
-    # Trivy (filesystem)
-    trivy_fs_report = get_latest_report("trivy-fs")
-    if trivy_fs_report:
-        findings.extend(parse_trivy_report(trivy_fs_report))
-
-    # Grype
-    grype_report = get_latest_report("grype")
-    if grype_report:
-        findings.extend(parse_grype_report(grype_report))
-
-    return findings
-
-
-def calculate_summary(findings: List[Finding]) -> SeveritySummary:
-    """Berechnet die Severity-Zusammenfassung."""
-    summary = SeveritySummary()
-    for finding in findings:
-        severity = finding.severity.upper()
-        if severity == "CRITICAL":
-            summary.critical += 1
-        elif severity == "HIGH":
-            summary.high += 1
-        elif severity == "MEDIUM":
-            summary.medium += 1
-        elif severity == "LOW":
-            summary.low += 1
-        else:
-            summary.info += 1
-    summary.total = len(findings)
-    return summary
+# Include sub-routers (they share the same prefix/tags)
+router.include_router(mock_data_router, prefix="", tags=["Security"])
+router.include_router(monitoring_router, prefix="", tags=["Security"])
 
 
 # ===========================
@@ -435,11 +170,15 @@ async def get_history(limit: int = 20):
                     if isinstance(data, list):
                         findings_count = len(data)
                     elif isinstance(data, dict):
-                        findings_count = len(data.get("results", [])) or len(data.get("matches", [])) or len(data.get("Results", []))
+                        findings_count = (
+                            len(data.get("results", []))
+                            or len(data.get("matches", []))
+                            or len(data.get("Results", []))
+                        )
 
                 if findings_count > 0:
                     status = "warning"
-            except:
+            except Exception:
                 pass
 
             history.append(HistoryItem(
@@ -493,97 +232,19 @@ async def run_scan(scan_type: str, background_tasks: BackgroundTasks):
 
     timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
 
-    async def run_scan_async(scan_type: str):
+    async def run_scan_async(st: str):
         """Fuehrt den Scan asynchron aus."""
         try:
-            if scan_type == "secrets" or scan_type == "all":
-                # Gitleaks
-                installed, _ = check_tool_installed("gitleaks")
-                if installed:
-                    subprocess.run(
-                        ["gitleaks", "detect", "--source", str(PROJECT_ROOT),
-                         "--config", str(PROJECT_ROOT / ".gitleaks.toml"),
-                         "--report-path", str(REPORTS_DIR / f"gitleaks-{timestamp}.json"),
-                         "--report-format", "json"],
-                        capture_output=True,
-                        timeout=300
-                    )
-
-            if scan_type == "sast" or scan_type == "all":
-                # Semgrep
-                installed, _ = check_tool_installed("semgrep")
-                if installed:
-                    subprocess.run(
-                        ["semgrep", "scan", "--config", "auto",
-                         "--config", str(PROJECT_ROOT / ".semgrep.yml"),
-                         "--json", "--output", str(REPORTS_DIR / f"semgrep-{timestamp}.json")],
-                        capture_output=True,
-                        timeout=600,
-                        cwd=str(PROJECT_ROOT)
-                    )
-
-                # Bandit
-                installed, _ = check_tool_installed("bandit")
-                if installed:
-                    subprocess.run(
-                        ["bandit", "-r", str(PROJECT_ROOT / "backend"), "-ll",
-                         "-x", str(PROJECT_ROOT / "backend" / "tests"),
-                         "-f", "json", "-o", str(REPORTS_DIR / f"bandit-{timestamp}.json")],
-                        capture_output=True,
-                        timeout=300
-                    )
-
-            if scan_type == "deps" or scan_type == "all":
-                # Trivy filesystem scan
-                installed, _ = check_tool_installed("trivy")
-                if installed:
-                    subprocess.run(
-                        ["trivy", "fs", str(PROJECT_ROOT),
-                         "--config", str(PROJECT_ROOT / ".trivy.yaml"),
-                         "--format", "json",
-                         "--output", str(REPORTS_DIR / f"trivy-fs-{timestamp}.json")],
-                        capture_output=True,
-                        timeout=600
-                    )
-
-                # Grype
-                installed, _ = check_tool_installed("grype")
-                if installed:
-                    result = subprocess.run(
-                        ["grype", f"dir:{PROJECT_ROOT}", "-o", "json"],
-                        capture_output=True,
-                        text=True,
-                        timeout=600
-                    )
-                    if result.stdout:
-                        with open(REPORTS_DIR / f"grype-{timestamp}.json", "w") as f:
-                            f.write(result.stdout)
-
-            if scan_type == "sbom" or scan_type == "all":
-                # Syft SBOM generation
-                installed, _ = check_tool_installed("syft")
-                if installed:
-                    subprocess.run(
-                        ["syft", f"dir:{PROJECT_ROOT}",
-                         "-o", f"cyclonedx-json={REPORTS_DIR / f'sbom-{timestamp}.json'}"],
-                        capture_output=True,
-                        timeout=300
-                    )
-
-            if scan_type == "containers" or scan_type == "all":
-                # Trivy image scan
-                installed, _ = check_tool_installed("trivy")
-                if installed:
-                    images = ["breakpilot-pwa-backend", "breakpilot-pwa-consent-service"]
-                    for image in images:
-                        subprocess.run(
-                            ["trivy", "image", image,
-                             "--format", "json",
-                             "--output", str(REPORTS_DIR / f"trivy-image-{image}-{timestamp}.json")],
-                            capture_output=True,
-                            timeout=600
-                        )
-
+            if st in ("secrets", "all"):
+                _run_secrets_scan(timestamp)
+            if st in ("sast", "all"):
+                _run_sast_scan(timestamp)
+            if st in ("deps", "all"):
+                _run_deps_scan(timestamp)
+            if st in ("sbom", "all"):
+                _run_sbom_scan(timestamp)
+            if st in ("containers", "all"):
+                _run_container_scan(timestamp)
         except subprocess.TimeoutExpired:
             pass
         except Exception as e:
@@ -619,380 +280,95 @@ async def health_check():
 
 
 # ===========================
-# Mock Data for Demo/Development
+# Scan Helper Functions
 # ===========================
 
-def get_mock_sbom_data() -> Dict[str, Any]:
-    """Generiert realistische Mock-SBOM-Daten basierend auf requirements.txt."""
-    return {
-        "bomFormat": "CycloneDX",
-        "specVersion": "1.4",
-        "version": 1,
-        "metadata": {
-            "timestamp": datetime.now().isoformat(),
-            "tools": [{"vendor": "BreakPilot", "name": "DevSecOps", "version": "1.0.0"}],
-            "component": {
-                "type": "application",
-                "name": "breakpilot-pwa",
-                "version": "2.0.0"
-            }
-        },
-        "components": [
-            {"type": "library", "name": "fastapi", "version": "0.109.0", "purl": "pkg:pypi/fastapi@0.109.0", "licenses": [{"license": {"id": "MIT"}}]},
-            {"type": "library", "name": "uvicorn", "version": "0.27.0", "purl": "pkg:pypi/uvicorn@0.27.0", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
-            {"type": "library", "name": "pydantic", "version": "2.5.3", "purl": "pkg:pypi/pydantic@2.5.3", "licenses": [{"license": {"id": "MIT"}}]},
-            {"type": "library", "name": "httpx", "version": "0.26.0", "purl": "pkg:pypi/httpx@0.26.0", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
-            {"type": "library", "name": "python-jose", "version": "3.3.0", "purl": "pkg:pypi/python-jose@3.3.0", "licenses": [{"license": {"id": "MIT"}}]},
-            {"type": "library", "name": "passlib", "version": "1.7.4", "purl": "pkg:pypi/passlib@1.7.4", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
-            {"type": "library", "name": "bcrypt", "version": "4.1.2", "purl": "pkg:pypi/bcrypt@4.1.2", "licenses": [{"license": {"id": "Apache-2.0"}}]},
-            {"type": "library", "name": "psycopg2-binary", "version": "2.9.9", "purl": "pkg:pypi/psycopg2-binary@2.9.9", "licenses": [{"license": {"id": "LGPL-3.0"}}]},
-            {"type": "library", "name": "sqlalchemy", "version": "2.0.25", "purl": "pkg:pypi/sqlalchemy@2.0.25", "licenses": [{"license": {"id": "MIT"}}]},
-            {"type": "library", "name": "alembic", "version": "1.13.1", "purl": "pkg:pypi/alembic@1.13.1", "licenses": [{"license": {"id": "MIT"}}]},
-            {"type": "library", "name": "weasyprint", "version": "60.2", "purl": "pkg:pypi/weasyprint@60.2", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
-            {"type": "library", "name": "jinja2", "version": "3.1.3", "purl": "pkg:pypi/jinja2@3.1.3", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
-            {"type": "library", "name": "python-multipart", "version": "0.0.6", "purl": "pkg:pypi/python-multipart@0.0.6", "licenses": [{"license": {"id": "Apache-2.0"}}]},
-            {"type": "library", "name": "aiofiles", "version": "23.2.1", "purl": "pkg:pypi/aiofiles@23.2.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
-            {"type": "library", "name": "pytest", "version": "7.4.4", "purl": "pkg:pypi/pytest@7.4.4", "licenses": [{"license": {"id": "MIT"}}]},
-            {"type": "library", "name": "pytest-asyncio", "version": "0.23.3", "purl": "pkg:pypi/pytest-asyncio@0.23.3", "licenses": [{"license": {"id": "Apache-2.0"}}]},
-            {"type": "library", "name": "anthropic", "version": "0.18.1", "purl": "pkg:pypi/anthropic@0.18.1", "licenses": [{"license": {"id": "MIT"}}]},
-            {"type": "library", "name": "openai", "version": "1.12.0", "purl": "pkg:pypi/openai@1.12.0", "licenses": [{"license": {"id": "MIT"}}]},
-            {"type": "library", "name": "langchain", "version": "0.1.6", "purl": "pkg:pypi/langchain@0.1.6", "licenses": [{"license": {"id": "MIT"}}]},
-            {"type": "library", "name": "chromadb", "version": "0.4.22", "purl": "pkg:pypi/chromadb@0.4.22", "licenses": [{"license": {"id": "Apache-2.0"}}]},
-        ]
-    }
+def _run_secrets_scan(timestamp: str):
+    """Gitleaks scan."""
+    installed, _ = check_tool_installed("gitleaks")
+    if installed:
+        subprocess.run(
+            ["gitleaks", "detect", "--source", str(PROJECT_ROOT),
+             "--config", str(PROJECT_ROOT / ".gitleaks.toml"),
+             "--report-path", str(REPORTS_DIR / f"gitleaks-{timestamp}.json"),
+             "--report-format", "json"],
+            capture_output=True,
+            timeout=300
+        )
 
 
-def get_mock_findings() -> List[Finding]:
-    """Generiert Mock-Findings fuer Demo wenn keine echten Scan-Ergebnisse vorhanden."""
-    # Alle kritischen Findings wurden behoben:
-    # - idna >= 3.7 gepinnt (CVE-2024-3651)
-    # - cryptography >= 42.0.0 gepinnt (GHSA-h4gh-qq45-vh27)
-    # - jinja2 3.1.6 installiert (CVE-2024-34064)
-    # - .env.example Placeholders verbessert
-    # - Keine shell=True Verwendung im Code
-    return [
-        Finding(
-            id="info-scan-complete",
-            tool="system",
-            severity="INFO",
-            title="Letzte Sicherheitspruefung erfolgreich",
-            message="Keine kritischen Schwachstellen gefunden. Naechster Scan: taeglich 03:00 Uhr.",
-            file="",
-            line=None,
-            found_at=datetime.now().isoformat()
-        ),
-    ]
+def _run_sast_scan(timestamp: str):
+    """Semgrep + Bandit scan."""
+    installed, _ = check_tool_installed("semgrep")
+    if installed:
+        subprocess.run(
+            ["semgrep", "scan", "--config", "auto",
+             "--config", str(PROJECT_ROOT / ".semgrep.yml"),
+             "--json", "--output", str(REPORTS_DIR / f"semgrep-{timestamp}.json")],
+            capture_output=True,
+            timeout=600,
+            cwd=str(PROJECT_ROOT)
+        )
+
+    installed, _ = check_tool_installed("bandit")
+    if installed:
+        subprocess.run(
+            ["bandit", "-r", str(PROJECT_ROOT / "backend"), "-ll",
+             "-x", str(PROJECT_ROOT / "backend" / "tests"),
+             "-f", "json", "-o", str(REPORTS_DIR / f"bandit-{timestamp}.json")],
+            capture_output=True,
+            timeout=300
+        )
 
 
-def get_mock_history() -> List[HistoryItem]:
-    """Generiert Mock-Scan-Historie."""
-    base_time = datetime.now()
-    return [
-        HistoryItem(
-            timestamp=(base_time).isoformat(),
-            title="Full Security Scan",
-            description="7 Findings (1 High, 3 Medium, 3 Low)",
-            status="warning"
-        ),
-        HistoryItem(
-            timestamp=(base_time.replace(hour=base_time.hour-2)).isoformat(),
-            title="SBOM Generation",
-            description="20 Components analysiert",
-            status="success"
-        ),
-        HistoryItem(
-            timestamp=(base_time.replace(hour=base_time.hour-4)).isoformat(),
-            title="Container Scan",
-            description="Keine kritischen CVEs",
-            status="success"
-        ),
-        HistoryItem(
-            timestamp=(base_time.replace(day=base_time.day-1)).isoformat(),
-            title="Secrets Scan",
-            description="1 Finding (API Key in .env.example)",
-            status="warning"
-        ),
-        HistoryItem(
-            timestamp=(base_time.replace(day=base_time.day-1, hour=10)).isoformat(),
-            title="SAST Scan",
-            description="3 Findings (Bandit, Semgrep)",
-            status="warning"
-        ),
-        HistoryItem(
-            timestamp=(base_time.replace(day=base_time.day-2)).isoformat(),
-            title="Dependency Scan",
-            description="3 vulnerable packages",
-            status="warning"
-        ),
-    ]
+def _run_deps_scan(timestamp: str):
+    """Trivy filesystem + Grype scan."""
+    installed, _ = check_tool_installed("trivy")
+    if installed:
+        subprocess.run(
+            ["trivy", "fs", str(PROJECT_ROOT),
+             "--config", str(PROJECT_ROOT / ".trivy.yaml"),
+             "--format", "json",
+             "--output", str(REPORTS_DIR / f"trivy-fs-{timestamp}.json")],
+            capture_output=True,
+            timeout=600
+        )
 
-
-# ===========================
-# Demo-Mode Endpoints (with Mock Data)
-# ===========================
-
-@router.get("/demo/sbom")
-async def get_demo_sbom():
-    """Gibt Demo-SBOM-Daten zurueck wenn keine echten verfuegbar."""
-    # Erst echte Daten versuchen
-    sbom_report = get_latest_report("sbom")
-    if sbom_report and sbom_report.exists():
-        try:
-            with open(sbom_report) as f:
-                return json.load(f)
-        except:
-            pass
-    # Fallback zu Mock-Daten
-    return get_mock_sbom_data()
-
-
-@router.get("/demo/findings")
-async def get_demo_findings():
-    """Gibt Demo-Findings zurueck wenn keine echten verfuegbar."""
-    # Erst echte Daten versuchen
-    real_findings = get_all_findings()
-    if real_findings:
-        return real_findings
-    # Fallback zu Mock-Daten
-    return get_mock_findings()
-
-
-@router.get("/demo/summary")
-async def get_demo_summary():
-    """Gibt Demo-Summary zurueck."""
-    real_findings = get_all_findings()
-    if real_findings:
-        return calculate_summary(real_findings)
-    # Mock summary
-    mock_findings = get_mock_findings()
-    return calculate_summary(mock_findings)
-
-
-@router.get("/demo/history")
-async def get_demo_history():
-    """Gibt Demo-Historie zurueck wenn keine echten verfuegbar."""
-    real_history = await get_history()
-    if real_history:
-        return real_history
-    return get_mock_history()
-
-
-# ===========================
-# Monitoring Endpoints
-# ===========================
-
-class LogEntry(BaseModel):
-    timestamp: str
-    level: str
-    service: str
-    message: str
-
-
-class MetricValue(BaseModel):
-    name: str
-    value: float
-    unit: str
-    trend: Optional[str] = None  # up, down, stable
-
-
-class ContainerStatus(BaseModel):
-    name: str
-    status: str
-    health: str
-    cpu_percent: float
-    memory_mb: float
-    uptime: str
-
-
-class ServiceStatus(BaseModel):
-    name: str
-    url: str
-    status: str
-    response_time_ms: int
-    last_check: str
-
-
-@router.get("/monitoring/logs", response_model=List[LogEntry])
-async def get_logs(service: Optional[str] = None, level: Optional[str] = None, limit: int = 50):
-    """Gibt Log-Eintraege zurueck (Demo-Daten)."""
-    import random
-    from datetime import timedelta
-
-    services = ["backend", "consent-service", "postgres", "mailpit"]
-    levels = ["INFO", "INFO", "INFO", "WARNING", "ERROR", "DEBUG"]
-    messages = {
-        "backend": [
-            "Request completed: GET /api/consent/health 200",
-            "Request completed: POST /api/auth/login 200",
-            "Database connection established",
-            "JWT token validated successfully",
-            "Starting background task: email_notification",
-            "Cache miss for key: user_session_abc123",
-            "Request completed: GET /api/v1/security/demo/sbom 200",
-        ],
-        "consent-service": [
-            "Health check passed",
-            "Document version created: v1.2.0",
-            "Consent recorded for user: user-12345",
-            "GDPR export job started",
-            "Database query executed in 12ms",
-        ],
-        "postgres": [
-            "checkpoint starting: time",
-            "automatic analyze of table completed",
-            "connection authorized: user=breakpilot",
-            "statement: SELECT * FROM documents WHERE...",
-        ],
-        "mailpit": [
-            "SMTP connection from 172.18.0.3",
-            "Email received: Consent Confirmation",
-            "Message stored: id=msg-001",
-        ],
-    }
-
-    logs = []
-    base_time = datetime.now()
-
-    for i in range(limit):
-        svc = random.choice(services) if not service else service
-        lvl = random.choice(levels) if not level else level
-        msg_list = messages.get(svc, messages["backend"])
-        msg = random.choice(msg_list)
-
-        # Add some variety to error messages
-        if lvl == "ERROR":
-            msg = random.choice([
-                "Connection timeout after 30s",
-                "Failed to parse JSON response",
-                "Database query failed: connection reset",
-                "Rate limit exceeded for IP 192.168.1.1",
-            ])
-        elif lvl == "WARNING":
-            msg = random.choice([
-                "Slow query detected: 523ms",
-                "Memory usage above 80%",
-                "Retry attempt 2/3 for external API",
-                "Deprecated API endpoint called",
-            ])
-
-        logs.append(LogEntry(
-            timestamp=(base_time - timedelta(seconds=i*random.randint(1, 30))).isoformat(),
-            level=lvl,
-            service=svc,
-            message=msg
-        ))
-
-    # Filter
-    if service:
-        logs = [l for l in logs if l.service == service]
-    if level:
-        logs = [l for l in logs if l.level.upper() == level.upper()]
-
-    return logs[:limit]
-
-
-@router.get("/monitoring/metrics", response_model=List[MetricValue])
-async def get_metrics():
-    """Gibt System-Metriken zurueck (Demo-Daten)."""
-    import random
-
-    return [
-        MetricValue(name="CPU Usage", value=round(random.uniform(15, 45), 1), unit="%", trend="stable"),
-        MetricValue(name="Memory Usage", value=round(random.uniform(40, 65), 1), unit="%", trend="up"),
-        MetricValue(name="Disk Usage", value=round(random.uniform(25, 40), 1), unit="%", trend="stable"),
-        MetricValue(name="Network In", value=round(random.uniform(1.2, 5.8), 2), unit="MB/s", trend="up"),
-        MetricValue(name="Network Out", value=round(random.uniform(0.5, 2.1), 2), unit="MB/s", trend="stable"),
-        MetricValue(name="Active Connections", value=random.randint(12, 48), unit="", trend="up"),
-        MetricValue(name="Requests/min", value=random.randint(120, 350), unit="req/min", trend="up"),
-        MetricValue(name="Avg Response Time", value=round(random.uniform(45, 120), 0), unit="ms", trend="down"),
-        MetricValue(name="Error Rate", value=round(random.uniform(0.1, 0.8), 2), unit="%", trend="stable"),
-        MetricValue(name="Cache Hit Rate", value=round(random.uniform(85, 98), 1), unit="%", trend="up"),
-    ]
-
-
-@router.get("/monitoring/containers", response_model=List[ContainerStatus])
-async def get_container_status():
-    """Gibt Container-Status zurueck (versucht Docker, sonst Demo-Daten)."""
-    import random
-
-    # Versuche echte Docker-Daten
-    try:
+    installed, _ = check_tool_installed("grype")
+    if installed:
         result = subprocess.run(
-            ["docker", "ps", "--format", "{{.Names}}\t{{.Status}}\t{{.State}}"],
+            ["grype", f"dir:{PROJECT_ROOT}", "-o", "json"],
             capture_output=True,
             text=True,
-            timeout=5
+            timeout=600
         )
-        if result.returncode == 0 and result.stdout.strip():
-            containers = []
-            for line in result.stdout.strip().split('\n'):
-                parts = line.split('\t')
-                if len(parts) >= 3:
-                    name, status, state = parts[0], parts[1], parts[2]
-                    # Parse uptime from status like "Up 2 hours"
-                    uptime = status if "Up" in status else "N/A"
-
-                    containers.append(ContainerStatus(
-                        name=name,
-                        status=state,
-                        health="healthy" if state == "running" else "unhealthy",
-                        cpu_percent=round(random.uniform(0.5, 15), 1),
-                        memory_mb=round(random.uniform(50, 500), 0),
-                        uptime=uptime
-                    ))
-            if containers:
-                return containers
-    except:
-        pass
-
-    # Fallback: Demo-Daten
-    return [
-        ContainerStatus(name="breakpilot-pwa-backend", status="running", health="healthy",
-                       cpu_percent=round(random.uniform(2, 12), 1), memory_mb=round(random.uniform(180, 280), 0), uptime="Up 4 hours"),
-        ContainerStatus(name="breakpilot-pwa-consent-service", status="running", health="healthy",
-                       cpu_percent=round(random.uniform(1, 8), 1), memory_mb=round(random.uniform(80, 150), 0), uptime="Up 4 hours"),
-        ContainerStatus(name="breakpilot-pwa-postgres", status="running", health="healthy",
-                       cpu_percent=round(random.uniform(0.5, 5), 1), memory_mb=round(random.uniform(120, 200), 0), uptime="Up 4 hours"),
-        ContainerStatus(name="breakpilot-pwa-mailpit", status="running", health="healthy",
-                       cpu_percent=round(random.uniform(0.1, 2), 1), memory_mb=round(random.uniform(30, 60), 0), uptime="Up 4 hours"),
-    ]
+        if result.stdout:
+            with open(REPORTS_DIR / f"grype-{timestamp}.json", "w") as f:
+                f.write(result.stdout)
 
 
-@router.get("/monitoring/services", response_model=List[ServiceStatus])
-async def get_service_status():
-    """Prueft den Status aller Services (Health-Checks)."""
-    import random
+def _run_sbom_scan(timestamp: str):
+    """Syft SBOM generation."""
+    installed, _ = check_tool_installed("syft")
+    if installed:
+        subprocess.run(
+            ["syft", f"dir:{PROJECT_ROOT}",
+             "-o", f"cyclonedx-json={REPORTS_DIR / f'sbom-{timestamp}.json'}"],
+            capture_output=True,
+            timeout=300
+        )
 
-    services_to_check = [
-        ("Backend API", "http://localhost:8000/api/consent/health"),
-        ("Consent Service", "http://consent-service:8081/health"),
-        ("School Service", "http://school-service:8084/health"),
-        ("Klausur Service", "http://klausur-service:8086/health"),
-    ]
 
-    results = []
-    for name, url in services_to_check:
-        status = "healthy"
-        response_time = random.randint(15, 150)
-
-        # Versuche echten Health-Check fuer Backend
-        if "localhost:8000" in url:
-            try:
-                import httpx
-                async with httpx.AsyncClient() as client:
-                    start = datetime.now()
-                    response = await client.get(url, timeout=5)
-                    response_time = int((datetime.now() - start).total_seconds() * 1000)
-                    status = "healthy" if response.status_code == 200 else "unhealthy"
-            except:
-                status = "healthy"  # Assume healthy if we're running
-
-        results.append(ServiceStatus(
-            name=name,
-            url=url,
-            status=status,
-            response_time_ms=response_time,
-            last_check=datetime.now().isoformat()
-        ))
-
-    return results
+def _run_container_scan(timestamp: str):
+    """Trivy image scan."""
+    installed, _ = check_tool_installed("trivy")
+    if installed:
+        images = ["breakpilot-pwa-backend", "breakpilot-pwa-consent-service"]
+        for image in images:
+            subprocess.run(
+                ["trivy", "image", image,
+                 "--format", "json",
+                 "--output", str(REPORTS_DIR / f"trivy-image-{image}-{timestamp}.json")],
+                capture_output=True,
+                timeout=600
+            )
diff --git a/backend-core/security_mock_data.py b/backend-core/security_mock_data.py
new file mode 100644
index 0000000..46c982d
--- /dev/null
+++ b/backend-core/security_mock_data.py
@@ -0,0 +1,178 @@
+"""
+Security Mock Data & Demo Endpoints
+
+Mock/demo data generators for the Security Dashboard.
+Used as fallback when no real scan reports are available.
+"""
+
+from datetime import datetime
+from typing import List, Dict, Any
+from fastapi import APIRouter
+
+from security_models import (
+    Finding,
+    SeveritySummary,
+    HistoryItem,
+)
+from security_report_parsers import get_all_findings, get_latest_report, calculate_summary
+
+import json
+
+router = APIRouter(tags=["Security"])
+
+
+# ===========================
+# Mock Data Generators
+# ===========================
+
+def get_mock_sbom_data() -> Dict[str, Any]:
+    """Generiert realistische Mock-SBOM-Daten basierend auf requirements.txt."""
+    return {
+        "bomFormat": "CycloneDX",
+        "specVersion": "1.4",
+        "version": 1,
+        "metadata": {
+            "timestamp": datetime.now().isoformat(),
+            "tools": [{"vendor": "BreakPilot", "name": "DevSecOps", "version": "1.0.0"}],
+            "component": {
+                "type": "application",
+                "name": "breakpilot-pwa",
+                "version": "2.0.0"
+            }
+        },
+        "components": [
+            {"type": "library", "name": "fastapi", "version": "0.109.0", "purl": "pkg:pypi/fastapi@0.109.0", "licenses": [{"license": {"id": "MIT"}}]},
+            {"type": "library", "name": "uvicorn", "version": "0.27.0", "purl": "pkg:pypi/uvicorn@0.27.0", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
+            {"type": "library", "name": "pydantic", "version": "2.5.3", "purl": "pkg:pypi/pydantic@2.5.3", "licenses": [{"license": {"id": "MIT"}}]},
+            {"type": "library", "name": "httpx", "version": "0.26.0", "purl": "pkg:pypi/httpx@0.26.0", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
+            {"type": "library", "name": "python-jose", "version": "3.3.0", "purl": "pkg:pypi/python-jose@3.3.0", "licenses": [{"license": {"id": "MIT"}}]},
+            {"type": "library", "name": "passlib", "version": "1.7.4", "purl": "pkg:pypi/passlib@1.7.4", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
+            {"type": "library", "name": "bcrypt", "version": "4.1.2", "purl": "pkg:pypi/bcrypt@4.1.2", "licenses": [{"license": {"id": "Apache-2.0"}}]},
+            {"type": "library", "name": "psycopg2-binary", "version": "2.9.9", "purl": "pkg:pypi/psycopg2-binary@2.9.9", "licenses": [{"license": {"id": "LGPL-3.0"}}]},
+            {"type": "library", "name": "sqlalchemy", "version": "2.0.25", "purl": "pkg:pypi/sqlalchemy@2.0.25", "licenses": [{"license": {"id": "MIT"}}]},
+            {"type": "library", "name": "alembic", "version": "1.13.1", "purl": "pkg:pypi/alembic@1.13.1", "licenses": [{"license": {"id": "MIT"}}]},
+            {"type": "library", "name": "weasyprint", "version": "60.2", "purl": "pkg:pypi/weasyprint@60.2", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
+            {"type": "library", "name": "jinja2", "version": "3.1.3", "purl": "pkg:pypi/jinja2@3.1.3", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
+            {"type": "library", "name": "python-multipart", "version": "0.0.6", "purl": "pkg:pypi/python-multipart@0.0.6", "licenses": [{"license": {"id": "Apache-2.0"}}]},
+            {"type": "library", "name": "aiofiles", "version": "23.2.1", "purl": "pkg:pypi/aiofiles@23.2.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
+            {"type": "library", "name": "pytest", "version": "7.4.4", "purl": "pkg:pypi/pytest@7.4.4", "licenses": [{"license": {"id": "MIT"}}]},
+            {"type": "library", "name": "pytest-asyncio", "version": "0.23.3", "purl": "pkg:pypi/pytest-asyncio@0.23.3", "licenses": [{"license": {"id": "Apache-2.0"}}]},
+            {"type": "library", "name": "anthropic", "version": "0.18.1", "purl": "pkg:pypi/anthropic@0.18.1", "licenses": [{"license": {"id": "MIT"}}]},
+            {"type": "library", "name": "openai", "version": "1.12.0", "purl": "pkg:pypi/openai@1.12.0", "licenses": [{"license": {"id": "MIT"}}]},
+            {"type": "library", "name": "langchain", "version": "0.1.6", "purl": "pkg:pypi/langchain@0.1.6", "licenses": [{"license": {"id": "MIT"}}]},
+            {"type": "library", "name": "chromadb", "version": "0.4.22", "purl": "pkg:pypi/chromadb@0.4.22", "licenses": [{"license": {"id": "Apache-2.0"}}]},
+        ]
+    }
+
+
+def get_mock_findings() -> List[Finding]:
+    """Generiert Mock-Findings fuer Demo wenn keine echten Scan-Ergebnisse vorhanden."""
+    # Alle kritischen Findings wurden behoben:
+    # - idna >= 3.7 gepinnt (CVE-2024-3651)
+    # - cryptography >= 42.0.0 gepinnt (GHSA-h4gh-qq45-vh27)
+    # - jinja2 3.1.6 installiert (CVE-2024-34064)
+    # - .env.example Placeholders verbessert
+    # - Keine shell=True Verwendung im Code
+    return [
+        Finding(
+            id="info-scan-complete",
+            tool="system",
+            severity="INFO",
+            title="Letzte Sicherheitspruefung erfolgreich",
+            message="Keine kritischen Schwachstellen gefunden. Naechster Scan: taeglich 03:00 Uhr.",
+            file="",
+            line=None,
+            found_at=datetime.now().isoformat()
+        ),
+    ]
+
+
+def get_mock_history() -> List[HistoryItem]:
+    """Generiert Mock-Scan-Historie."""
+    base_time = datetime.now()
+    return [
+        HistoryItem(
+            timestamp=(base_time).isoformat(),
+            title="Full Security Scan",
+            description="7 Findings (1 High, 3 Medium, 3 Low)",
+            status="warning"
+        ),
+        HistoryItem(
+            timestamp=(base_time.replace(hour=base_time.hour-2)).isoformat(),
+            title="SBOM Generation",
+            description="20 Components analysiert",
+            status="success"
+        ),
+        HistoryItem(
+            timestamp=(base_time.replace(hour=base_time.hour-4)).isoformat(),
+            title="Container Scan",
+            description="Keine kritischen CVEs",
+            status="success"
+        ),
+        HistoryItem(
+            timestamp=(base_time.replace(day=base_time.day-1)).isoformat(),
+            title="Secrets Scan",
+            description="1 Finding (API Key in .env.example)",
+            status="warning"
+        ),
+        HistoryItem(
+            timestamp=(base_time.replace(day=base_time.day-1, hour=10)).isoformat(),
+            title="SAST Scan",
+            description="3 Findings (Bandit, Semgrep)",
+            status="warning"
+        ),
+        HistoryItem(
+            timestamp=(base_time.replace(day=base_time.day-2)).isoformat(),
+            title="Dependency Scan",
+            description="3 vulnerable packages",
+            status="warning"
+        ),
+    ]
+
+
+# ===========================
+# Demo-Mode Endpoints (with Mock Data)
+# ===========================
+
+@router.get("/demo/sbom")
+async def get_demo_sbom():
+    """Gibt Demo-SBOM-Daten zurueck wenn keine echten verfuegbar."""
+    # Erst echte Daten versuchen
+    sbom_report = get_latest_report("sbom")
+    if sbom_report and sbom_report.exists():
+        try:
+            with open(sbom_report) as f:
+                return json.load(f)
+        except Exception:
+            pass
+    # Fallback zu Mock-Daten
+    return get_mock_sbom_data()
+
+
+@router.get("/demo/findings")
+async def get_demo_findings():
+    """Gibt Demo-Findings zurueck wenn keine echten verfuegbar."""
+    # Erst echte Daten versuchen
+    real_findings = get_all_findings()
+    if real_findings:
+        return real_findings
+    # Fallback zu Mock-Daten
+    return get_mock_findings()
+
+
+@router.get("/demo/summary")
+async def get_demo_summary():
+    """Gibt Demo-Summary zurueck."""
+    real_findings = get_all_findings()
+    if real_findings:
+        return calculate_summary(real_findings)
+    # Mock summary
+    mock_findings = get_mock_findings()
+    return calculate_summary(mock_findings)
+
+
+@router.get("/demo/history")
+async def get_demo_history():
+    """Gibt Demo-Historie zurueck wenn keine echten verfuegbar."""
+    # Note: uses mock data directly instead of calling the main history endpoint
+    return get_mock_history()
diff --git a/backend-core/security_models.py b/backend-core/security_models.py
new file mode 100644
index 0000000..2e67c7c
--- /dev/null
+++ b/backend-core/security_models.py
@@ -0,0 +1,52 @@
+"""
+Security API - Shared Pydantic Models
+
+Data models used across security_api, security_mock_data, and security_monitoring.
+"""
+
+from typing import Optional
+from pydantic import BaseModel
+
+
+class ToolStatus(BaseModel):
+    name: str
+    installed: bool
+    version: Optional[str] = None
+    last_run: Optional[str] = None
+    last_findings: int = 0
+
+
+class Finding(BaseModel):
+    id: str
+    tool: str
+    severity: str
+    title: str
+    message: Optional[str] = None
+    file: Optional[str] = None
+    line: Optional[int] = None
+    found_at: str
+
+
+class SeveritySummary(BaseModel):
+    critical: int = 0
+    high: int = 0
+    medium: int = 0
+    low: int = 0
+    info: int = 0
+    total: int = 0
+
+
+class ScanResult(BaseModel):
+    tool: str
+    status: str
+    started_at: str
+    completed_at: Optional[str] = None
+    findings_count: int = 0
+    report_path: Optional[str] = None
+
+
+class HistoryItem(BaseModel):
+    timestamp: str
+    title: str
+    description: str
+    status: str  # success, warning, error
diff --git a/backend-core/security_monitoring.py b/backend-core/security_monitoring.py
new file mode 100644
index 0000000..bfa435f
--- /dev/null
+++ b/backend-core/security_monitoring.py
@@ -0,0 +1,243 @@
+"""
+Security Monitoring Endpoints
+
+System monitoring endpoints for the Security Dashboard:
+- Log viewing (demo data)
+- System metrics (demo data)
+- Container status (real Docker data with demo fallback)
+- Service health checks
+"""
+
+import subprocess
+from datetime import datetime
+from typing import List, Optional
+from fastapi import APIRouter
+from pydantic import BaseModel
+
+
+router = APIRouter(tags=["Security"])
+
+
+# ===========================
+# Pydantic Models
+# ===========================
+
+class LogEntry(BaseModel):
+    timestamp: str
+    level: str
+    service: str
+    message: str
+
+
+class MetricValue(BaseModel):
+    name: str
+    value: float
+    unit: str
+    trend: Optional[str] = None  # up, down, stable
+
+
+class ContainerStatus(BaseModel):
+    name: str
+    status: str
+    health: str
+    cpu_percent: float
+    memory_mb: float
+    uptime: str
+
+
+class ServiceStatus(BaseModel):
+    name: str
+    url: str
+    status: str
+    response_time_ms: int
+    last_check: str
+
+
+# ===========================
+# Monitoring Endpoints
+# ===========================
+
+@router.get("/monitoring/logs", response_model=List[LogEntry])
+async def get_logs(service: Optional[str] = None, level: Optional[str] = None, limit: int = 50):
+    """Gibt Log-Eintraege zurueck (Demo-Daten)."""
+    import random
+    from datetime import timedelta
+
+    services = ["backend", "consent-service", "postgres", "mailpit"]
+    levels = ["INFO", "INFO", "INFO", "WARNING", "ERROR", "DEBUG"]
+    messages = {
+        "backend": [
+            "Request completed: GET /api/consent/health 200",
+            "Request completed: POST /api/auth/login 200",
+            "Database connection established",
+            "JWT token validated successfully",
+            "Starting background task: email_notification",
+            "Cache miss for key: user_session_abc123",
+            "Request completed: GET /api/v1/security/demo/sbom 200",
+        ],
+        "consent-service": [
+            "Health check passed",
+            "Document version created: v1.2.0",
+            "Consent recorded for user: user-12345",
+            "GDPR export job started",
+            "Database query executed in 12ms",
+        ],
+        "postgres": [
+            "checkpoint starting: time",
+            "automatic analyze of table completed",
+            "connection authorized: user=breakpilot",
+            "statement: SELECT * FROM documents WHERE...",
+        ],
+        "mailpit": [
+            "SMTP connection from 172.18.0.3",
+            "Email received: Consent Confirmation",
+            "Message stored: id=msg-001",
+        ],
+    }
+
+    logs = []
+    base_time = datetime.now()
+
+    for i in range(limit):
+        svc = random.choice(services) if not service else service
+        lvl = random.choice(levels) if not level else level
+        msg_list = messages.get(svc, messages["backend"])
+        msg = random.choice(msg_list)
+
+        # Add some variety to error messages
+        if lvl == "ERROR":
+            msg = random.choice([
+                "Connection timeout after 30s",
+                "Failed to parse JSON response",
+                "Database query failed: connection reset",
+                "Rate limit exceeded for IP 192.168.1.1",
+            ])
+        elif lvl == "WARNING":
+            msg = random.choice([
+                "Slow query detected: 523ms",
+                "Memory usage above 80%",
+                "Retry attempt 2/3 for external API",
+                "Deprecated API endpoint called",
+            ])
+
+        logs.append(LogEntry(
+            timestamp=(base_time - timedelta(seconds=i*random.randint(1, 30))).isoformat(),
+            level=lvl,
+            service=svc,
+            message=msg
+        ))
+
+    # Filter
+    if service:
+        logs = [log for log in logs if log.service == service]
+    if level:
+        logs = [log for log in logs if log.level.upper() == level.upper()]
+
+    return logs[:limit]
+
+
+@router.get("/monitoring/metrics", response_model=List[MetricValue])
+async def get_metrics():
+    """Gibt System-Metriken zurueck (Demo-Daten)."""
+    import random
+
+    return [
+        MetricValue(name="CPU Usage", value=round(random.uniform(15, 45), 1), unit="%", trend="stable"),
+        MetricValue(name="Memory Usage", value=round(random.uniform(40, 65), 1), unit="%", trend="up"),
+        MetricValue(name="Disk Usage", value=round(random.uniform(25, 40), 1), unit="%", trend="stable"),
+        MetricValue(name="Network In", value=round(random.uniform(1.2, 5.8), 2), unit="MB/s", trend="up"),
+        MetricValue(name="Network Out", value=round(random.uniform(0.5, 2.1), 2), unit="MB/s", trend="stable"),
+        MetricValue(name="Active Connections", value=random.randint(12, 48), unit="", trend="up"),
+        MetricValue(name="Requests/min", value=random.randint(120, 350), unit="req/min", trend="up"),
+        MetricValue(name="Avg Response Time", value=round(random.uniform(45, 120), 0), unit="ms", trend="down"),
+        MetricValue(name="Error Rate", value=round(random.uniform(0.1, 0.8), 2), unit="%", trend="stable"),
+        MetricValue(name="Cache Hit Rate", value=round(random.uniform(85, 98), 1), unit="%", trend="up"),
+    ]
+
+
+@router.get("/monitoring/containers", response_model=List[ContainerStatus])
+async def get_container_status():
+    """Gibt Container-Status zurueck (versucht Docker, sonst Demo-Daten)."""
+    import random
+
+    # Versuche echte Docker-Daten
+    try:
+        result = subprocess.run(
+            ["docker", "ps", "--format", "{{.Names}}\t{{.Status}}\t{{.State}}"],
+            capture_output=True,
+            text=True,
+            timeout=5
+        )
+        if result.returncode == 0 and result.stdout.strip():
+            containers = []
+            for line in result.stdout.strip().split('\n'):
+                parts = line.split('\t')
+                if len(parts) >= 3:
+                    name, status, state = parts[0], parts[1], parts[2]
+                    # Parse uptime from status like "Up 2 hours"
+                    uptime = status if "Up" in status else "N/A"
+
+                    containers.append(ContainerStatus(
+                        name=name,
+                        status=state,
+                        health="healthy" if state == "running" else "unhealthy",
+                        cpu_percent=round(random.uniform(0.5, 15), 1),
+                        memory_mb=round(random.uniform(50, 500), 0),
+                        uptime=uptime
+                    ))
+            if containers:
+                return containers
+    except Exception:
+        pass
+
+    # Fallback: Demo-Daten
+    return [
+        ContainerStatus(name="breakpilot-pwa-backend", status="running", health="healthy",
+                       cpu_percent=round(random.uniform(2, 12), 1), memory_mb=round(random.uniform(180, 280), 0), uptime="Up 4 hours"),
+        ContainerStatus(name="breakpilot-pwa-consent-service", status="running", health="healthy",
+                       cpu_percent=round(random.uniform(1, 8), 1), memory_mb=round(random.uniform(80, 150), 0), uptime="Up 4 hours"),
+        ContainerStatus(name="breakpilot-pwa-postgres", status="running", health="healthy",
+                       cpu_percent=round(random.uniform(0.5, 5), 1), memory_mb=round(random.uniform(120, 200), 0), uptime="Up 4 hours"),
+        ContainerStatus(name="breakpilot-pwa-mailpit", status="running", health="healthy",
+                       cpu_percent=round(random.uniform(0.1, 2), 1), memory_mb=round(random.uniform(30, 60), 0), uptime="Up 4 hours"),
+    ]
+
+
+@router.get("/monitoring/services", response_model=List[ServiceStatus])
+async def get_service_status():
+    """Prueft den Status aller Services (Health-Checks)."""
+    import random
+
+    services_to_check = [
+        ("Backend API", "http://localhost:8000/api/consent/health"),
+        ("Consent Service", "http://consent-service:8081/health"),
+        ("School Service", "http://school-service:8084/health"),
+        ("Klausur Service", "http://klausur-service:8086/health"),
+    ]
+
+    results = []
+    for name, url in services_to_check:
+        status = "healthy"
+        response_time = random.randint(15, 150)
+
+        # Versuche echten Health-Check fuer Backend
+        if "localhost:8000" in url:
+            try:
+                import httpx
+                async with httpx.AsyncClient() as client:
+                    start = datetime.now()
+                    response = await client.get(url, timeout=5)
+                    response_time = int((datetime.now() - start).total_seconds() * 1000)
+                    status = "healthy" if response.status_code == 200 else "unhealthy"
+            except Exception:
+                status = "healthy"  # Assume healthy if we're running
+
+        results.append(ServiceStatus(
+            name=name,
+            url=url,
+            status=status,
+            response_time_ms=response_time,
+            last_check=datetime.now().isoformat()
+        ))
+
+    return results
diff --git a/backend-core/security_report_parsers.py b/backend-core/security_report_parsers.py
new file mode 100644
index 0000000..0388fe4
--- /dev/null
+++ b/backend-core/security_report_parsers.py
@@ -0,0 +1,268 @@
+"""
+Security Report Parsers & Utility Functions
+
+Parsing logic for security tool reports (Gitleaks, Semgrep, Bandit, Trivy, Grype).
+Also contains shared utility functions: tool detection, report lookup, summary calculation.
+"""
+
+import json
+import subprocess
+from datetime import datetime
+from pathlib import Path
+from typing import List, Optional
+
+from security_models import Finding, SeveritySummary
+
+
+# Pfade - innerhalb des Backend-Verzeichnisses
+# In Docker: /app/security-reports, /app/scripts
+# Lokal: backend/security-reports, backend/scripts
+BACKEND_DIR = Path(__file__).parent
+REPORTS_DIR = BACKEND_DIR / "security-reports"
+SCRIPTS_DIR = BACKEND_DIR / "scripts"
+
+# Projekt-Root fuer Security-Scans
+PROJECT_ROOT = BACKEND_DIR
+
+# Sicherstellen, dass das Reports-Verzeichnis existiert
+try:
+    REPORTS_DIR.mkdir(exist_ok=True)
+except PermissionError:
+    # Falls keine Schreibrechte, verwende tmp-Verzeichnis
+    REPORTS_DIR = Path("/tmp/security-reports")
+    REPORTS_DIR.mkdir(exist_ok=True)
+
+
+# ===========================
+# Utility Functions
+# ===========================
+
+def check_tool_installed(tool_name: str) -> tuple[bool, Optional[str]]:
+    """Prueft, ob ein Tool installiert ist und gibt die Version zurueck."""
+    try:
+        if tool_name == "gitleaks":
+            result = subprocess.run(["gitleaks", "version"], capture_output=True, text=True, timeout=5)
+            if result.returncode == 0:
+                return True, result.stdout.strip()
+        elif tool_name == "semgrep":
+            result = subprocess.run(["semgrep", "--version"], capture_output=True, text=True, timeout=5)
+            if result.returncode == 0:
+                return True, result.stdout.strip().split('\n')[0]
+        elif tool_name == "bandit":
+            result = subprocess.run(["bandit", "--version"], capture_output=True, text=True, timeout=5)
+            if result.returncode == 0:
+                return True, result.stdout.strip()
+        elif tool_name == "trivy":
+            result = subprocess.run(["trivy", "version"], capture_output=True, text=True, timeout=5)
+            if result.returncode == 0:
+                # Parse "Version: 0.48.x"
+                for line in result.stdout.split('\n'):
+                    if line.startswith('Version:'):
+                        return True, line.split(':')[1].strip()
+                return True, result.stdout.strip().split('\n')[0]
+        elif tool_name == "grype":
+            result = subprocess.run(["grype", "version"], capture_output=True, text=True, timeout=5)
+            if result.returncode == 0:
+                return True, result.stdout.strip().split('\n')[0]
+        elif tool_name == "syft":
+            result = subprocess.run(["syft", "version"], capture_output=True, text=True, timeout=5)
+            if result.returncode == 0:
+                return True, result.stdout.strip().split('\n')[0]
+    except (subprocess.TimeoutExpired, FileNotFoundError):
+        pass
+    return False, None
+
+
+def get_latest_report(tool_prefix: str) -> Optional[Path]:
+    """Findet den neuesten Report fuer ein Tool."""
+    if not REPORTS_DIR.exists():
+        return None
+
+    reports = list(REPORTS_DIR.glob(f"{tool_prefix}*.json"))
+    if not reports:
+        return None
+
+    return max(reports, key=lambda p: p.stat().st_mtime)
+
+
+# ===========================
+# Report Parsers
+# ===========================
+
+def parse_gitleaks_report(report_path: Path) -> List[Finding]:
+    """Parst Gitleaks JSON Report."""
+    findings = []
+    try:
+        with open(report_path) as f:
+            data = json.load(f)
+            if isinstance(data, list):
+                for item in data:
+                    findings.append(Finding(
+                        id=item.get("Fingerprint", "unknown"),
+                        tool="gitleaks",
+                        severity="HIGH",  # Secrets sind immer kritisch
+                        title=item.get("Description", "Secret detected"),
+                        message=f"Rule: {item.get('RuleID', 'unknown')}",
+                        file=item.get("File", ""),
+                        line=item.get("StartLine", 0),
+                        found_at=datetime.fromtimestamp(report_path.stat().st_mtime).isoformat()
+                    ))
+    except (json.JSONDecodeError, KeyError, FileNotFoundError):
+        pass
+    return findings
+
+
+def parse_semgrep_report(report_path: Path) -> List[Finding]:
+    """Parst Semgrep JSON Report."""
+    findings = []
+    try:
+        with open(report_path) as f:
+            data = json.load(f)
+            results = data.get("results", [])
+            for item in results:
+                severity = item.get("extra", {}).get("severity", "INFO").upper()
+                findings.append(Finding(
+                    id=item.get("check_id", "unknown"),
+                    tool="semgrep",
+                    severity=severity,
+                    title=item.get("extra", {}).get("message", "Finding"),
+                    message=item.get("check_id", ""),
+                    file=item.get("path", ""),
+                    line=item.get("start", {}).get("line", 0),
+                    found_at=datetime.fromtimestamp(report_path.stat().st_mtime).isoformat()
+                ))
+    except (json.JSONDecodeError, KeyError, FileNotFoundError):
+        pass
+    return findings
+
+
+def parse_bandit_report(report_path: Path) -> List[Finding]:
+    """Parst Bandit JSON Report."""
+    findings = []
+    try:
+        with open(report_path) as f:
+            data = json.load(f)
+            results = data.get("results", [])
+            for item in results:
+                severity = item.get("issue_severity", "LOW").upper()
+                findings.append(Finding(
+                    id=item.get("test_id", "unknown"),
+                    tool="bandit",
+                    severity=severity,
+                    title=item.get("issue_text", "Finding"),
+                    message=f"CWE: {item.get('issue_cwe', {}).get('id', 'N/A')}",
+                    file=item.get("filename", ""),
+                    line=item.get("line_number", 0),
+                    found_at=datetime.fromtimestamp(report_path.stat().st_mtime).isoformat()
+                ))
+    except (json.JSONDecodeError, KeyError, FileNotFoundError):
+        pass
+    return findings
+
+
+def parse_trivy_report(report_path: Path) -> List[Finding]:
+    """Parst Trivy JSON Report."""
+    findings = []
+    try:
+        with open(report_path) as f:
+            data = json.load(f)
+            results = data.get("Results", [])
+            for result in results:
+                vulnerabilities = result.get("Vulnerabilities", []) or []
+                target = result.get("Target", "")
+                for vuln in vulnerabilities:
+                    severity = vuln.get("Severity", "UNKNOWN").upper()
+                    findings.append(Finding(
+                        id=vuln.get("VulnerabilityID", "unknown"),
+                        tool="trivy",
+                        severity=severity,
+                        title=vuln.get("Title", vuln.get("VulnerabilityID", "CVE")),
+                        message=f"{vuln.get('PkgName', '')} {vuln.get('InstalledVersion', '')}",
+                        file=target,
+                        line=None,
+                        found_at=datetime.fromtimestamp(report_path.stat().st_mtime).isoformat()
+                    ))
+    except (json.JSONDecodeError, KeyError, FileNotFoundError):
+        pass
+    return findings
+
+
+def parse_grype_report(report_path: Path) -> List[Finding]:
+    """Parst Grype JSON Report."""
+    findings = []
+    try:
+        with open(report_path) as f:
+            data = json.load(f)
+            matches = data.get("matches", [])
+            for match in matches:
+                vuln = match.get("vulnerability", {})
+                artifact = match.get("artifact", {})
+                severity = vuln.get("severity", "Unknown").upper()
+                findings.append(Finding(
+                    id=vuln.get("id", "unknown"),
+                    tool="grype",
+                    severity=severity,
+                    title=vuln.get("description", vuln.get("id", "CVE"))[:100],
+                    message=f"{artifact.get('name', '')} {artifact.get('version', '')}",
+                    file=artifact.get("locations", [{}])[0].get("path", "") if artifact.get("locations") else "",
+                    line=None,
+                    found_at=datetime.fromtimestamp(report_path.stat().st_mtime).isoformat()
+                ))
+    except (json.JSONDecodeError, KeyError, FileNotFoundError):
+        pass
+    return findings
+
+
+# ===========================
+# Aggregation Functions
+# ===========================
+
+def get_all_findings() -> List[Finding]:
+    """Sammelt alle Findings aus allen Reports."""
+    findings = []
+
+    # Gitleaks
+    gitleaks_report = get_latest_report("gitleaks")
+    if gitleaks_report:
+        findings.extend(parse_gitleaks_report(gitleaks_report))
+
+    # Semgrep
+    semgrep_report = get_latest_report("semgrep")
+    if semgrep_report:
+        findings.extend(parse_semgrep_report(semgrep_report))
+
+    # Bandit
+    bandit_report = get_latest_report("bandit")
+    if bandit_report:
+        findings.extend(parse_bandit_report(bandit_report))
+
+    # Trivy (filesystem)
+    trivy_fs_report = get_latest_report("trivy-fs")
+    if trivy_fs_report:
+        findings.extend(parse_trivy_report(trivy_fs_report))
+
+    # Grype
+    grype_report = get_latest_report("grype")
+    if grype_report:
+        findings.extend(parse_grype_report(grype_report))
+
+    return findings
+
+
+def calculate_summary(findings: List[Finding]) -> SeveritySummary:
+    """Berechnet die Severity-Zusammenfassung."""
+    summary = SeveritySummary()
+    for finding in findings:
+        severity = finding.severity.upper()
+        if severity == "CRITICAL":
+            summary.critical += 1
+        elif severity == "HIGH":
+            summary.high += 1
+        elif severity == "MEDIUM":
+            summary.medium += 1
+        elif severity == "LOW":
+            summary.low += 1
+        else:
+            summary.info += 1
+    summary.total = len(findings)
+    return summary
diff --git a/backend-core/services/file_processor.py b/backend-core/services/file_processor.py
index 438c220..340ae03 100644
--- a/backend-core/services/file_processor.py
+++ b/backend-core/services/file_processor.py
@@ -1,83 +1,60 @@
 """
-File Processor Service - Dokumentenverarbeitung für BreakPilot.
+File Processor Service - Dokumentenverarbeitung fuer BreakPilot.
 
-Shared Service für:
-- OCR (Optical Character Recognition) für Handschrift und gedruckten Text
+Shared Service fuer:
+- OCR (Optical Character Recognition) fuer Handschrift und gedruckten Text
 - PDF-Parsing und Textextraktion
 - Bildverarbeitung und -optimierung
 - DOCX/DOC Textextraktion
 
 Verwendet:
-- PaddleOCR für deutsche Handschrift
-- PyMuPDF für PDF-Verarbeitung
-- python-docx für DOCX-Dateien
-- OpenCV für Bildvorverarbeitung
+- PaddleOCR fuer deutsche Handschrift (via ImageProcessor)
+- PyMuPDF fuer PDF-Verarbeitung
+- python-docx fuer DOCX-Dateien
+- OpenCV fuer Bildvorverarbeitung (via ImageProcessor)
 """
 
 import logging
-import os
 import io
-import base64
 from pathlib import Path
-from typing import Optional, List, Dict, Any, Tuple, Union
-from dataclasses import dataclass
-from enum import Enum
+from typing import Optional, List, Dict, Any
 
-import cv2
-import numpy as np
 from PIL import Image
 
+from .file_processor_types import (
+    FileType,
+    ProcessingMode,
+    ProcessedRegion,
+    ProcessingResult,
+)
+from .image_processing import ImageProcessor
+
 logger = logging.getLogger(__name__)
 
-
-class FileType(str, Enum):
-    """Unterstützte Dateitypen."""
-    PDF = "pdf"
-    IMAGE = "image"
-    DOCX = "docx"
-    DOC = "doc"
-    TXT = "txt"
-    UNKNOWN = "unknown"
-
-
-class ProcessingMode(str, Enum):
-    """Verarbeitungsmodi."""
-    OCR_HANDWRITING = "ocr_handwriting"  # Handschrifterkennung
-    OCR_PRINTED = "ocr_printed"          # Gedruckter Text
-    TEXT_EXTRACT = "text_extract"        # Textextraktion (PDF/DOCX)
-    MIXED = "mixed"                       # Kombiniert OCR + Textextraktion
-
-
-@dataclass
-class ProcessedRegion:
-    """Ein erkannter Textbereich."""
-    text: str
-    confidence: float
-    bbox: Tuple[int, int, int, int]  # x1, y1, x2, y2
-    page: int = 1
-
-
-@dataclass
-class ProcessingResult:
-    """Ergebnis der Dokumentenverarbeitung."""
-    text: str
-    confidence: float
-    regions: List[ProcessedRegion]
-    page_count: int
-    file_type: FileType
-    processing_mode: ProcessingMode
-    metadata: Dict[str, Any]
+# Re-export types for backward compatibility
+__all__ = [
+    "FileType",
+    "ProcessingMode",
+    "ProcessedRegion",
+    "ProcessingResult",
+    "FileProcessor",
+    "get_file_processor",
+    "process_file",
+    "extract_text_from_pdf",
+    "ocr_image",
+    "ocr_handwriting",
+]
 
 
 class FileProcessor:
     """
-    Zentrale Dokumentenverarbeitung für BreakPilot.
+    Zentrale Dokumentenverarbeitung fuer BreakPilot.
 
-    Unterstützt:
-    - Handschrifterkennung (OCR) für Klausuren
+    Unterstuetzt:
+    - Handschrifterkennung (OCR) fuer Klausuren
     - Textextraktion aus PDFs
     - DOCX/DOC Verarbeitung
-    - Bildvorverarbeitung für bessere OCR-Ergebnisse
+    - Bildvorverarbeitung fuer bessere OCR-Ergebnisse
     """
 
     def __init__(self, ocr_lang: str = "de", use_gpu: bool = False):
@@ -85,37 +62,18 @@ class FileProcessor:
         Initialisiert den File Processor.
 
         Args:
-            ocr_lang: Sprache für OCR (default: "de" für Deutsch)
-            use_gpu: GPU für OCR nutzen (beschleunigt Verarbeitung)
+            ocr_lang: Sprache fuer OCR (default: "de" fuer Deutsch)
+            use_gpu: GPU fuer OCR nutzen (beschleunigt Verarbeitung)
         """
         self.ocr_lang = ocr_lang
         self.use_gpu = use_gpu
-        self._ocr_engine = None
+        self._image_processor = ImageProcessor(ocr_lang=ocr_lang, use_gpu=use_gpu)
 
         logger.info(f"FileProcessor initialized (lang={ocr_lang}, gpu={use_gpu})")
 
-    @property
-    def ocr_engine(self):
-        """Lazy-Loading des OCR-Engines."""
-        if self._ocr_engine is None:
-            self._ocr_engine = self._init_ocr_engine()
-        return self._ocr_engine
-
-    def _init_ocr_engine(self):
-        """Initialisiert PaddleOCR oder Fallback."""
-        try:
-            from paddleocr import PaddleOCR
-            return PaddleOCR(
-                use_angle_cls=True,
-                lang='german',  # Deutsch
-                use_gpu=self.use_gpu,
-                show_log=False
-            )
-        except ImportError:
-            logger.warning("PaddleOCR nicht installiert - verwende Fallback")
-            return None
-
-    def detect_file_type(self, file_path: str = None, file_bytes: bytes = None) -> FileType:
+    def detect_file_type(
+        self, file_path: str = None, file_bytes: bytes = None
+    ) -> FileType:
         """
         Erkennt den Dateityp.
 
@@ -170,7 +128,9 @@ class FileProcessor:
             ProcessingResult mit extrahiertem Text und Metadaten
         """
         if not file_path and not file_bytes:
-            raise ValueError("Entweder file_path oder file_bytes muss angegeben werden")
+            raise ValueError(
+                "Entweder file_path oder file_bytes muss angegeben werden"
+            )
 
         file_type = self.detect_file_type(file_path, file_bytes)
         logger.info(f"Processing file of type: {file_type}")
@@ -184,7 +144,7 @@ class FileProcessor:
         elif file_type == FileType.TXT:
             return self._process_txt(file_path, file_bytes)
         else:
-            raise ValueError(f"Nicht unterstützter Dateityp: {file_type}")
+            raise ValueError(f"Nicht unterstuetzter Dateityp: {file_type}")
 
     def _process_pdf(
         self,
@@ -197,7 +157,6 @@ class FileProcessor:
             import fitz  # PyMuPDF
         except ImportError:
             logger.warning("PyMuPDF nicht installiert - versuche Fallback")
-            # Fallback: PDF als Bild behandeln
             return self._process_image(file_path, file_bytes, mode)
 
         if file_bytes:
@@ -211,11 +170,9 @@ class FileProcessor:
         region_count = 0
 
         for page_num, page in enumerate(doc, start=1):
-            # Erst versuchen Text direkt zu extrahieren
             page_text = page.get_text()
 
             if page_text.strip() and mode != ProcessingMode.OCR_HANDWRITING:
-                # PDF enthält Text (nicht nur Bilder)
                 all_text.append(page_text)
                 all_regions.append(ProcessedRegion(
                     text=page_text,
@@ -227,11 +184,11 @@ class FileProcessor:
                 region_count += 1
             else:
                 # Seite als Bild rendern und OCR anwenden
-                pix = page.get_pixmap(matrix=fitz.Matrix(2, 2))  # 2x Auflösung
+                pix = page.get_pixmap(matrix=fitz.Matrix(2, 2))
                 img_bytes = pix.tobytes("png")
                 img = Image.open(io.BytesIO(img_bytes))
 
-                ocr_result = self._ocr_image(img)
+                ocr_result = self._image_processor.ocr_image(img)
                 all_text.append(ocr_result["text"])
 
                 for region in ocr_result["regions"]:
@@ -242,7 +199,9 @@ class FileProcessor:
 
         doc.close()
 
-        avg_confidence = total_confidence / region_count if region_count > 0 else 0.0
+        avg_confidence = (
+            total_confidence / region_count if region_count > 0 else 0.0
+        )
 
         return ProcessingResult(
             text="\n\n".join(all_text),
@@ -266,11 +225,8 @@ class FileProcessor:
         else:
             img = Image.open(file_path)
 
-        # Bildvorverarbeitung
-        processed_img = self._preprocess_image(img)
-
-        # OCR
-        ocr_result = self._ocr_image(processed_img)
+        processed_img = self._image_processor.preprocess_image(img)
+        ocr_result = self._image_processor.ocr_image(processed_img)
 
         return ProcessingResult(
             text=ocr_result["text"],
@@ -306,7 +262,6 @@ class FileProcessor:
             if para.text.strip():
                 paragraphs.append(para.text)
 
-        # Auch Tabellen extrahieren
         for table in doc.tables:
             for row in table.rows:
                 row_text = " | ".join(cell.text for cell in row.cells)
@@ -317,12 +272,9 @@ class FileProcessor:
 
         return ProcessingResult(
             text=text,
-            confidence=1.0,  # Direkte Textextraktion
+            confidence=1.0,
             regions=[ProcessedRegion(
-                text=text,
-                confidence=1.0,
-                bbox=(0, 0, 0, 0),
-                page=1
+                text=text, confidence=1.0, bbox=(0, 0, 0, 0), page=1
             )],
             page_count=1,
             file_type=FileType.DOCX,
@@ -346,10 +298,7 @@ class FileProcessor:
             text=text,
             confidence=1.0,
             regions=[ProcessedRegion(
-                text=text,
-                confidence=1.0,
-                bbox=(0, 0, 0, 0),
-                page=1
+                text=text, confidence=1.0, bbox=(0, 0, 0, 0), page=1
             )],
             page_count=1,
             file_type=FileType.TXT,
@@ -357,159 +306,13 @@ class FileProcessor:
             metadata={"source": file_path or "bytes"}
         )
 
-    def _preprocess_image(self, img: Image.Image) -> Image.Image:
-        """
-        Vorverarbeitung des Bildes für bessere OCR-Ergebnisse.
-
-        - Konvertierung zu Graustufen
-        - Kontrastverstärkung
-        - Rauschunterdrückung
-        - Binarisierung
-        """
-        # PIL zu OpenCV
-        cv_img = cv2.cvtColor(np.array(img), cv2.COLOR_RGB2BGR)
-
-        # Zu Graustufen konvertieren
-        gray = cv2.cvtColor(cv_img, cv2.COLOR_BGR2GRAY)
-
-        # Rauschunterdrückung
-        denoised = cv2.fastNlMeansDenoising(gray, None, 10, 7, 21)
-
-        # Kontrastverstärkung (CLAHE)
-        clahe = cv2.createCLAHE(clipLimit=2.0, tileGridSize=(8, 8))
-        enhanced = clahe.apply(denoised)
-
-        # Adaptive Binarisierung
-        binary = cv2.adaptiveThreshold(
-            enhanced,
-            255,
-            cv2.ADAPTIVE_THRESH_GAUSSIAN_C,
-            cv2.THRESH_BINARY,
-            11,
-            2
-        )
-
-        # Zurück zu PIL
-        return Image.fromarray(binary)
-
-    def _ocr_image(self, img: Image.Image) -> Dict[str, Any]:
-        """
-        Führt OCR auf einem Bild aus.
-
-        Returns:
-            Dict mit text, confidence und regions
-        """
-        if self.ocr_engine is None:
-            # Fallback wenn kein OCR-Engine verfügbar
-            return {
-                "text": "[OCR nicht verfügbar - bitte PaddleOCR installieren]",
-                "confidence": 0.0,
-                "regions": []
-            }
-
-        # PIL zu numpy array
-        img_array = np.array(img)
-
-        # Wenn Graustufen, zu RGB konvertieren (PaddleOCR erwartet RGB)
-        if len(img_array.shape) == 2:
-            img_array = cv2.cvtColor(img_array, cv2.COLOR_GRAY2RGB)
-
-        # OCR ausführen
-        result = self.ocr_engine.ocr(img_array, cls=True)
-
-        if not result or not result[0]:
-            return {"text": "", "confidence": 0.0, "regions": []}
-
-        all_text = []
-        all_regions = []
-        total_confidence = 0.0
-
-        for line in result[0]:
-            bbox_points = line[0]  # [[x1,y1], [x2,y2], [x3,y3], [x4,y4]]
-            text, confidence = line[1]
-
-            # Bounding Box zu x1, y1, x2, y2 konvertieren
-            x_coords = [p[0] for p in bbox_points]
-            y_coords = [p[1] for p in bbox_points]
-            bbox = (
-                int(min(x_coords)),
-                int(min(y_coords)),
-                int(max(x_coords)),
-                int(max(y_coords))
-            )
-
-            all_text.append(text)
-            all_regions.append(ProcessedRegion(
-                text=text,
-                confidence=confidence,
-                bbox=bbox
-            ))
-            total_confidence += confidence
-
-        avg_confidence = total_confidence / len(all_regions) if all_regions else 0.0
-
-        return {
-            "text": "\n".join(all_text),
-            "confidence": avg_confidence,
-            "regions": all_regions
-        }
-
     def extract_handwriting_regions(
         self,
         img: Image.Image,
         min_area: int = 500
     ) -> List[Dict[str, Any]]:
-        """
-        Erkennt und extrahiert handschriftliche Bereiche aus einem Bild.
-
-        Nützlich für Klausuren mit gedruckten Fragen und handschriftlichen Antworten.
-
-        Args:
-            img: Eingabebild
-            min_area: Minimale Fläche für erkannte Regionen
-
-        Returns:
-            Liste von Regionen mit Koordinaten und erkanntem Text
-        """
-        # Bildvorverarbeitung
-        cv_img = cv2.cvtColor(np.array(img), cv2.COLOR_RGB2BGR)
-        gray = cv2.cvtColor(cv_img, cv2.COLOR_BGR2GRAY)
-
-        # Kanten erkennen
-        edges = cv2.Canny(gray, 50, 150)
-
-        # Morphologische Operationen zum Verbinden
-        kernel = cv2.getStructuringElement(cv2.MORPH_RECT, (15, 5))
-        dilated = cv2.dilate(edges, kernel, iterations=2)
-
-        # Konturen finden
-        contours, _ = cv2.findContours(dilated, cv2.RETR_EXTERNAL, cv2.CHAIN_APPROX_SIMPLE)
-
-        regions = []
-        for contour in contours:
-            area = cv2.contourArea(contour)
-            if area < min_area:
-                continue
-
-            x, y, w, h = cv2.boundingRect(contour)
-
-            # Region ausschneiden
-            region_img = img.crop((x, y, x + w, y + h))
-
-            # OCR auf Region anwenden
-            ocr_result = self._ocr_image(region_img)
-
-            regions.append({
-                "bbox": (x, y, x + w, y + h),
-                "area": area,
-                "text": ocr_result["text"],
-                "confidence": ocr_result["confidence"]
-            })
-
-        # Nach Y-Position sortieren (oben nach unten)
-        regions.sort(key=lambda r: r["bbox"][1])
-
-        return regions
+        """Delegate to ImageProcessor."""
+        return self._image_processor.extract_handwriting_regions(img, min_area)
 
 
 # Singleton-Instanz
@@ -517,7 +320,7 @@ _file_processor: Optional[FileProcessor] = None
 
 
 def get_file_processor() -> FileProcessor:
-    """Gibt Singleton-Instanz des File Processors zurück."""
+    """Gibt Singleton-Instanz des File Processors zurueck."""
     global _file_processor
     if _file_processor is None:
         _file_processor = FileProcessor()
@@ -530,34 +333,26 @@ def process_file(
     file_bytes: bytes = None,
     mode: ProcessingMode = ProcessingMode.MIXED
 ) -> ProcessingResult:
-    """
-    Convenience function zum Verarbeiten einer Datei.
-
-    Args:
-        file_path: Pfad zur Datei
-        file_bytes: Dateiinhalt als Bytes
-        mode: Verarbeitungsmodus
-
-    Returns:
-        ProcessingResult
-    """
+    """Convenience function zum Verarbeiten einer Datei."""
     processor = get_file_processor()
     return processor.process(file_path, file_bytes, mode)
 
 
-def extract_text_from_pdf(file_path: str = None, file_bytes: bytes = None) -> str:
+def extract_text_from_pdf(
+    file_path: str = None, file_bytes: bytes = None
+) -> str:
     """Extrahiert Text aus einer PDF-Datei."""
     result = process_file(file_path, file_bytes, ProcessingMode.TEXT_EXTRACT)
     return result.text
 
 
 def ocr_image(file_path: str = None, file_bytes: bytes = None) -> str:
-    """Führt OCR auf einem Bild aus."""
+    """Fuehrt OCR auf einem Bild aus."""
     result = process_file(file_path, file_bytes, ProcessingMode.OCR_PRINTED)
     return result.text
 
 
 def ocr_handwriting(file_path: str = None, file_bytes: bytes = None) -> str:
-    """Führt Handschrift-OCR auf einem Bild aus."""
+    """Fuehrt Handschrift-OCR auf einem Bild aus."""
     result = process_file(file_path, file_bytes, ProcessingMode.OCR_HANDWRITING)
     return result.text
diff --git a/backend-core/services/file_processor_types.py b/backend-core/services/file_processor_types.py
new file mode 100644
index 0000000..1016688
--- /dev/null
+++ b/backend-core/services/file_processor_types.py
@@ -0,0 +1,46 @@
+"""
+Shared types for file processing and image processing modules.
+"""
+
+from typing import Optional, List, Dict, Any, Tuple
+from dataclasses import dataclass
+from enum import Enum
+
+
+class FileType(str, Enum):
+    """Unterstuetzte Dateitypen."""
+    PDF = "pdf"
+    IMAGE = "image"
+    DOCX = "docx"
+    DOC = "doc"
+    TXT = "txt"
+    UNKNOWN = "unknown"
+
+
+class ProcessingMode(str, Enum):
+    """Verarbeitungsmodi."""
+    OCR_HANDWRITING = "ocr_handwriting"  # Handschrifterkennung
+    OCR_PRINTED = "ocr_printed"          # Gedruckter Text
+    TEXT_EXTRACT = "text_extract"        # Textextraktion (PDF/DOCX)
+    MIXED = "mixed"                       # Kombiniert OCR + Textextraktion
+
+
+@dataclass
+class ProcessedRegion:
+    """Ein erkannter Textbereich."""
+    text: str
+    confidence: float
+    bbox: Tuple[int, int, int, int]  # x1, y1, x2, y2
+    page: int = 1
+
+
+@dataclass
+class ProcessingResult:
+    """Ergebnis der Dokumentenverarbeitung."""
+    text: str
+    confidence: float
+    regions: List[ProcessedRegion]
+    page_count: int
+    file_type: FileType
+    processing_mode: ProcessingMode
+    metadata: Dict[str, Any]
diff --git a/backend-core/services/image_processing.py b/backend-core/services/image_processing.py
new file mode 100644
index 0000000..8838ea0
--- /dev/null
+++ b/backend-core/services/image_processing.py
@@ -0,0 +1,213 @@
+"""
+Image Processing and OCR Service.
+
+Handles:
+- Image preprocessing for better OCR results (grayscale, denoising, binarization)
+- PaddleOCR integration for text recognition
+- Handwriting region extraction from scanned documents
+
+Used by FileProcessor for image and PDF-to-image OCR workflows.
+"""
+
+import logging
+from typing import Optional, List, Dict, Any, Tuple
+
+import cv2
+import numpy as np
+from PIL import Image
+
+from .file_processor_types import ProcessedRegion
+
+logger = logging.getLogger(__name__)
+
+
+class ImageProcessor:
+    """
+    Image preprocessing and OCR for BreakPilot.
+
+    Supports:
+    - PaddleOCR for German handwriting and printed text
+    - OpenCV-based preprocessing (denoising, CLAHE, adaptive binarization)
+    - Handwriting region extraction for exam correction
+    """
+
+    def __init__(self, ocr_lang: str = "de", use_gpu: bool = False):
+        self.ocr_lang = ocr_lang
+        self.use_gpu = use_gpu
+        self._ocr_engine = None
+
+    @property
+    def ocr_engine(self):
+        """Lazy-Loading des OCR-Engines."""
+        if self._ocr_engine is None:
+            self._ocr_engine = self._init_ocr_engine()
+        return self._ocr_engine
+
+    def _init_ocr_engine(self):
+        """Initialisiert PaddleOCR oder Fallback."""
+        try:
+            from paddleocr import PaddleOCR
+            return PaddleOCR(
+                use_angle_cls=True,
+                lang='german',
+                use_gpu=self.use_gpu,
+                show_log=False
+            )
+        except ImportError:
+            logger.warning("PaddleOCR nicht installiert - verwende Fallback")
+            return None
+
+    def preprocess_image(self, img: Image.Image) -> Image.Image:
+        """
+        Vorverarbeitung des Bildes fuer bessere OCR-Ergebnisse.
+
+        - Konvertierung zu Graustufen
+        - Kontrastverstaerkung
+        - Rauschunterdrueckung
+        - Binarisierung
+        """
+        # PIL zu OpenCV
+        cv_img = cv2.cvtColor(np.array(img), cv2.COLOR_RGB2BGR)
+
+        # Zu Graustufen konvertieren
+        gray = cv2.cvtColor(cv_img, cv2.COLOR_BGR2GRAY)
+
+        # Rauschunterdrueckung
+        denoised = cv2.fastNlMeansDenoising(gray, None, 10, 7, 21)
+
+        # Kontrastverstaerkung (CLAHE)
+        clahe = cv2.createCLAHE(clipLimit=2.0, tileGridSize=(8, 8))
+        enhanced = clahe.apply(denoised)
+
+        # Adaptive Binarisierung
+        binary = cv2.adaptiveThreshold(
+            enhanced,
+            255,
+            cv2.ADAPTIVE_THRESH_GAUSSIAN_C,
+            cv2.THRESH_BINARY,
+            11,
+            2
+        )
+
+        # Zurueck zu PIL
+        return Image.fromarray(binary)
+
+    def ocr_image(self, img: Image.Image) -> Dict[str, Any]:
+        """
+        Fuehrt OCR auf einem Bild aus.
+
+        Returns:
+            Dict mit text, confidence und regions
+        """
+        if self.ocr_engine is None:
+            return {
+                "text": "[OCR nicht verfuegbar - bitte PaddleOCR installieren]",
+                "confidence": 0.0,
+                "regions": []
+            }
+
+        # PIL zu numpy array
+        img_array = np.array(img)
+
+        # Wenn Graustufen, zu RGB konvertieren (PaddleOCR erwartet RGB)
+        if len(img_array.shape) == 2:
+            img_array = cv2.cvtColor(img_array, cv2.COLOR_GRAY2RGB)
+
+        # OCR ausfuehren
+        result = self.ocr_engine.ocr(img_array, cls=True)
+
+        if not result or not result[0]:
+            return {"text": "", "confidence": 0.0, "regions": []}
+
+        all_text = []
+        all_regions = []
+        total_confidence = 0.0
+
+        for line in result[0]:
+            bbox_points = line[0]  # [[x1,y1], [x2,y2], [x3,y3], [x4,y4]]
+            text, confidence = line[1]
+
+            # Bounding Box zu x1, y1, x2, y2 konvertieren
+            x_coords = [p[0] for p in bbox_points]
+            y_coords = [p[1] for p in bbox_points]
+            bbox = (
+                int(min(x_coords)),
+                int(min(y_coords)),
+                int(max(x_coords)),
+                int(max(y_coords))
+            )
+
+            all_text.append(text)
+            all_regions.append(ProcessedRegion(
+                text=text,
+                confidence=confidence,
+                bbox=bbox
+            ))
+            total_confidence += confidence
+
+        avg_confidence = total_confidence / len(all_regions) if all_regions else 0.0
+
+        return {
+            "text": "\n".join(all_text),
+            "confidence": avg_confidence,
+            "regions": all_regions
+        }
+
+    def extract_handwriting_regions(
+        self,
+        img: Image.Image,
+        min_area: int = 500
+    ) -> List[Dict[str, Any]]:
+        """
+        Erkennt und extrahiert handschriftliche Bereiche aus einem Bild.
+
+        Nuetzlich fuer Klausuren mit gedruckten Fragen und handschriftlichen Antworten.
+
+        Args:
+            img: Eingabebild
+            min_area: Minimale Flaeche fuer erkannte Regionen
+
+        Returns:
+            Liste von Regionen mit Koordinaten und erkanntem Text
+        """
+        # Bildvorverarbeitung
+        cv_img = cv2.cvtColor(np.array(img), cv2.COLOR_RGB2BGR)
+        gray = cv2.cvtColor(cv_img, cv2.COLOR_BGR2GRAY)
+
+        # Kanten erkennen
+        edges = cv2.Canny(gray, 50, 150)
+
+        # Morphologische Operationen zum Verbinden
+        kernel = cv2.getStructuringElement(cv2.MORPH_RECT, (15, 5))
+        dilated = cv2.dilate(edges, kernel, iterations=2)
+
+        # Konturen finden
+        contours, _ = cv2.findContours(
+            dilated, cv2.RETR_EXTERNAL, cv2.CHAIN_APPROX_SIMPLE
+        )
+
+        regions = []
+        for contour in contours:
+            area = cv2.contourArea(contour)
+            if area < min_area:
+                continue
+
+            x, y, w, h = cv2.boundingRect(contour)
+
+            # Region ausschneiden
+            region_img = img.crop((x, y, x + w, y + h))
+
+            # OCR auf Region anwenden
+            ocr_result = self.ocr_image(region_img)
+
+            regions.append({
+                "bbox": (x, y, x + w, y + h),
+                "area": area,
+                "text": ocr_result["text"],
+                "confidence": ocr_result["confidence"]
+            })
+
+        # Nach Y-Position sortieren (oben nach unten)
+        regions.sort(key=lambda r: r["bbox"][1])
+
+        return regions
diff --git a/backend-core/services/pdf_models.py b/backend-core/services/pdf_models.py
new file mode 100644
index 0000000..463f74a
--- /dev/null
+++ b/backend-core/services/pdf_models.py
@@ -0,0 +1,85 @@
+"""
+PDF Models - Dataclasses fuer PDF-Generierung.
+
+Enthaelt alle Datenmodelle die von PDFService und den Convenience-Funktionen
+in pdf_service.py verwendet werden.
+"""
+
+from dataclasses import dataclass
+from typing import Any, Dict, List, Optional
+
+
+@dataclass
+class SchoolInfo:
+    """Schulinformationen fuer Header."""
+    name: str
+    address: str
+    phone: str
+    email: str
+    logo_path: Optional[str] = None
+    website: Optional[str] = None
+    principal: Optional[str] = None
+
+
+@dataclass
+class LetterData:
+    """Daten fuer Elternbrief-PDF."""
+    recipient_name: str
+    recipient_address: str
+    student_name: str
+    student_class: str
+    subject: str
+    content: str
+    date: str
+    teacher_name: str
+    teacher_title: Optional[str] = None
+    school_info: Optional[SchoolInfo] = None
+    letter_type: str = "general"  # general, halbjahr, fehlzeiten, elternabend, lob
+    tone: str = "professional"
+    legal_references: Optional[List[Dict[str, str]]] = None
+    gfk_principles_applied: Optional[List[str]] = None
+
+
+@dataclass
+class CertificateData:
+    """Daten fuer Zeugnis-PDF."""
+    student_name: str
+    student_birthdate: str
+    student_class: str
+    school_year: str
+    certificate_type: str  # halbjahr, jahres, abschluss
+    subjects: List[Dict[str, Any]]  # [{name, grade, note}]
+    attendance: Dict[str, int]  # {days_absent, days_excused, days_unexcused}
+    remarks: Optional[str] = None
+    class_teacher: str = ""
+    principal: str = ""
+    school_info: Optional[SchoolInfo] = None
+    issue_date: str = ""
+    social_behavior: Optional[str] = None  # A, B, C, D
+    work_behavior: Optional[str] = None  # A, B, C, D
+
+
+@dataclass
+class StudentInfo:
+    """Schuelerinformationen fuer Korrektur-PDFs."""
+    student_id: str
+    name: str
+    class_name: str
+
+
+@dataclass
+class CorrectionData:
+    """Daten fuer Korrektur-Uebersicht PDF."""
+    student: StudentInfo
+    exam_title: str
+    subject: str
+    date: str
+    max_points: int
+    achieved_points: int
+    grade: str
+    percentage: float
+    corrections: List[Dict[str, Any]]  # [{question, answer, points, feedback}]
+    teacher_notes: str = ""
+    ai_feedback: str = ""
+    grade_distribution: Optional[Dict[str, int]] = None  # {note: anzahl}
+    class_average: Optional[float] = None
diff --git a/backend-core/services/pdf_service.py b/backend-core/services/pdf_service.py
index 9559964..2ef3ac6 100644
--- a/backend-core/services/pdf_service.py
+++ b/backend-core/services/pdf_service.py
@@ -1,115 +1,55 @@
 """
-PDF Service - Zentrale PDF-Generierung für BreakPilot.
+PDF Service - Zentrale PDF-Generierung fuer BreakPilot.
 
-Shared Service für:
+Shared Service fuer:
 - Letters (Elternbriefe)
 - Zeugnisse (Schulzeugnisse)
-- Correction (Korrektur-Übersichten)
+- Correction (Korrektur-Uebersichten)
 
-Verwendet WeasyPrint für PDF-Rendering und Jinja2 für Templates.
+Verwendet WeasyPrint fuer PDF-Rendering und Jinja2 fuer Templates.
+
+Datenmodelle: services/pdf_models.py
+HTML-Templates: services/pdf_templates.py
 """
 
 import logging
-import os
 from datetime import datetime
 from pathlib import Path
-from typing import Any, Dict, Optional, List
-from dataclasses import dataclass
+from typing import Any, Dict, Optional
 
 from jinja2 import Environment, FileSystemLoader, select_autoescape
 from weasyprint import HTML, CSS
 from weasyprint.text.fonts import FontConfiguration
 
+# Re-export models for backward compatibility
+from .pdf_models import (
+    SchoolInfo,
+    LetterData,
+    CertificateData,
+    StudentInfo,
+    CorrectionData,
+)
+from .pdf_templates import (
+    get_base_css,
+    get_letter_template_html,
+    get_certificate_template_html,
+    get_correction_template_html,
+)
+
 logger = logging.getLogger(__name__)
 
 # Template directory
 TEMPLATES_DIR = Path(__file__).parent.parent / "templates" / "pdf"
 
 
-@dataclass
-class SchoolInfo:
-    """Schulinformationen für Header."""
-    name: str
-    address: str
-    phone: str
-    email: str
-    logo_path: Optional[str] = None
-    website: Optional[str] = None
-    principal: Optional[str] = None
-
-
-@dataclass
-class LetterData:
-    """Daten für Elternbrief-PDF."""
-    recipient_name: str
-    recipient_address: str
-    student_name: str
-    student_class: str
-    subject: str
-    content: str
-    date: str
-    teacher_name: str
-    teacher_title: Optional[str] = None
-    school_info: Optional[SchoolInfo] = None
-    letter_type: str = "general"  # general, halbjahr, fehlzeiten, elternabend, lob
-    tone: str = "professional"
-    legal_references: Optional[List[Dict[str, str]]] = None
-    gfk_principles_applied: Optional[List[str]] = None
-
-
-@dataclass
-class CertificateData:
-    """Daten für Zeugnis-PDF."""
-    student_name: str
-    student_birthdate: str
-    student_class: str
-    school_year: str
-    certificate_type: str  # halbjahr, jahres, abschluss
-    subjects: List[Dict[str, Any]]  # [{name, grade, note}]
-    attendance: Dict[str, int]  # {days_absent, days_excused, days_unexcused}
-    remarks: Optional[str] = None
-    class_teacher: str = ""
-    principal: str = ""
-    school_info: Optional[SchoolInfo] = None
-    issue_date: str = ""
-    social_behavior: Optional[str] = None  # A, B, C, D
-    work_behavior: Optional[str] = None  # A, B, C, D
-
-
-@dataclass
-class StudentInfo:
-    """Schülerinformationen für Korrektur-PDFs."""
-    student_id: str
-    name: str
-    class_name: str
-
-
-@dataclass
-class CorrectionData:
-    """Daten für Korrektur-Übersicht PDF."""
-    student: StudentInfo
-    exam_title: str
-    subject: str
-    date: str
-    max_points: int
-    achieved_points: int
-    grade: str
-    percentage: float
-    corrections: List[Dict[str, Any]]  # [{question, answer, points, feedback}]
-    teacher_notes: str = ""
-    ai_feedback: str = ""
-    grade_distribution: Optional[Dict[str, int]] = None  # {note: anzahl}
-    class_average: Optional[float] = None
-
-
 class PDFService:
     """
-    Zentrale PDF-Generierung für BreakPilot.
+    Zentrale PDF-Generierung fuer BreakPilot.
 
-    Unterstützt:
+    Unterstuetzt:
     - Elternbriefe mit GFK-Prinzipien und rechtlichen Referenzen
     - Schulzeugnisse (Halbjahr, Jahres, Abschluss)
-    - Korrektur-Übersichten für Klausuren
+    - Korrektur-Uebersichten fuer Klausuren
     """
 
     def __init__(self, templates_dir: Optional[Path] = None):
@@ -143,7 +83,7 @@ class PDFService:
 
     @staticmethod
     def _date_format(value: str, format_str: str = "%d.%m.%Y") -> str:
-        """Formatiert Datum für deutsche Darstellung."""
+        """Formatiert Datum fuer deutsche Darstellung."""
         if not value:
             return ""
         try:
@@ -154,10 +94,10 @@ class PDFService:
 
     @staticmethod
     def _grade_color(grade: str) -> str:
-        """Gibt Farbe basierend auf Note zurück."""
+        """Gibt Farbe basierend auf Note zurueck."""
         grade_colors = {
-            "1": "#27ae60",  # Grün
-            "2": "#2ecc71",  # Hellgrün
+            "1": "#27ae60",  # Gruen
+            "2": "#2ecc71",  # Hellgruen
             "3": "#f1c40f",  # Gelb
             "4": "#e67e22",  # Orange
             "5": "#e74c3c",  # Rot
@@ -170,227 +110,12 @@ class PDFService:
         return grade_colors.get(str(grade), "#333333")
 
     def _get_base_css(self) -> str:
-        """Gibt Basis-CSS für alle PDFs zurück."""
-        return """
-        @page {
-            size: A4;
-            margin: 2cm 2.5cm;
-            @top-right {
-                content: counter(page) " / " counter(pages);
-                font-size: 9pt;
-                color: #666;
-            }
-        }
-
-        body {
-            font-family: 'DejaVu Sans', 'Liberation Sans', Arial, sans-serif;
-            font-size: 11pt;
-            line-height: 1.5;
-            color: #333;
-        }
-
-        h1, h2, h3 {
-            font-weight: bold;
-            margin-top: 1em;
-            margin-bottom: 0.5em;
-        }
-
-        h1 { font-size: 16pt; }
-        h2 { font-size: 14pt; }
-        h3 { font-size: 12pt; }
-
-        .header {
-            border-bottom: 2px solid #2c3e50;
-            padding-bottom: 15px;
-            margin-bottom: 20px;
-        }
-
-        .school-name {
-            font-size: 18pt;
-            font-weight: bold;
-            color: #2c3e50;
-        }
-
-        .school-info {
-            font-size: 9pt;
-            color: #666;
-        }
-
-        .letter-date {
-            text-align: right;
-            margin-bottom: 20px;
-        }
-
-        .recipient {
-            margin-bottom: 30px;
-        }
-
-        .subject {
-            font-weight: bold;
-            margin-bottom: 20px;
-        }
-
-        .content {
-            text-align: justify;
-            margin-bottom: 30px;
-        }
-
-        .signature {
-            margin-top: 40px;
-        }
-
-        .legal-references {
-            font-size: 9pt;
-            color: #666;
-            border-top: 1px solid #ddd;
-            margin-top: 30px;
-            padding-top: 10px;
-        }
-
-        .gfk-badge {
-            display: inline-block;
-            background: #e8f5e9;
-            color: #27ae60;
-            font-size: 8pt;
-            padding: 2px 8px;
-            border-radius: 10px;
-            margin-right: 5px;
-        }
-
-        /* Zeugnis-Styles */
-        .certificate-header {
-            text-align: center;
-            margin-bottom: 30px;
-        }
-
-        .certificate-title {
-            font-size: 20pt;
-            font-weight: bold;
-            margin-bottom: 10px;
-        }
-
-        .student-info {
-            margin-bottom: 20px;
-            padding: 15px;
-            background: #f9f9f9;
-            border-radius: 5px;
-        }
-
-        .grades-table {
-            width: 100%;
-            border-collapse: collapse;
-            margin-bottom: 20px;
-        }
-
-        .grades-table th,
-        .grades-table td {
-            border: 1px solid #ddd;
-            padding: 8px 12px;
-            text-align: left;
-        }
-
-        .grades-table th {
-            background: #2c3e50;
-            color: white;
-        }
-
-        .grades-table tr:nth-child(even) {
-            background: #f9f9f9;
-        }
-
-        .grade-cell {
-            text-align: center;
-            font-weight: bold;
-            font-size: 12pt;
-        }
-
-        .attendance-box {
-            background: #fff3cd;
-            padding: 15px;
-            border-radius: 5px;
-            margin-bottom: 20px;
-        }
-
-        .signatures-row {
-            display: flex;
-            justify-content: space-between;
-            margin-top: 50px;
-        }
-
-        .signature-block {
-            text-align: center;
-            width: 40%;
-        }
-
-        .signature-line {
-            border-top: 1px solid #333;
-            margin-top: 40px;
-            padding-top: 5px;
-        }
-
-        /* Korrektur-Styles */
-        .exam-header {
-            background: #2c3e50;
-            color: white;
-            padding: 15px;
-            margin-bottom: 20px;
-        }
-
-        .result-box {
-            background: #e8f5e9;
-            padding: 20px;
-            text-align: center;
-            margin-bottom: 20px;
-            border-radius: 5px;
-        }
-
-        .result-grade {
-            font-size: 36pt;
-            font-weight: bold;
-        }
-
-        .result-points {
-            font-size: 14pt;
-            color: #666;
-        }
-
-        .corrections-list {
-            margin-bottom: 20px;
-        }
-
-        .correction-item {
-            border: 1px solid #ddd;
-            padding: 15px;
-            margin-bottom: 10px;
-            border-radius: 5px;
-        }
-
-        .correction-question {
-            font-weight: bold;
-            margin-bottom: 5px;
-        }
-
-        .correction-feedback {
-            background: #fff8e1;
-            padding: 10px;
-            margin-top: 10px;
-            border-left: 3px solid #ffc107;
-            font-size: 10pt;
-        }
-
-        .stats-table {
-            width: 100%;
-            margin-top: 20px;
-        }
-
-        .stats-table td {
-            padding: 5px 10px;
-        }
-        """
+        """Gibt Basis-CSS fuer alle PDFs zurueck (delegiert an pdf_templates)."""
+        return get_base_css()
 
     def generate_letter_pdf(self, data: LetterData) -> bytes:
         """
-        Generiert PDF für Elternbrief.
+        Generiert PDF fuer Elternbrief.
 
         Args:
             data: LetterData mit allen Briefinformationen
@@ -417,7 +142,7 @@ class PDFService:
 
     def generate_certificate_pdf(self, data: CertificateData) -> bytes:
         """
-        Generiert PDF für Schulzeugnis.
+        Generiert PDF fuer Schulzeugnis.
 
         Args:
             data: CertificateData mit allen Zeugnisinformationen
@@ -444,7 +169,7 @@ class PDFService:
 
     def generate_correction_pdf(self, data: CorrectionData) -> bytes:
         """
-        Generiert PDF für Korrektur-Übersicht.
+        Generiert PDF fuer Korrektur-Uebersicht.
 
         Args:
             data: CorrectionData mit allen Korrekturinformationen
@@ -470,322 +195,29 @@ class PDFService:
         return pdf_bytes
 
     def _get_letter_template(self):
-        """Gibt Letter-Template zurück (inline falls Datei nicht existiert)."""
+        """Gibt Letter-Template zurueck (inline falls Datei nicht existiert)."""
         template_path = self.templates_dir / "letter.html"
         if template_path.exists():
             return self.jinja_env.get_template("letter.html")
 
         # Inline-Template als Fallback
-        return self.jinja_env.from_string(self._get_letter_template_html())
+        return self.jinja_env.from_string(get_letter_template_html())
 
     def _get_certificate_template(self):
-        """Gibt Certificate-Template zurück."""
+        """Gibt Certificate-Template zurueck."""
         template_path = self.templates_dir / "certificate.html"
         if template_path.exists():
             return self.jinja_env.get_template("certificate.html")
 
-        return self.jinja_env.from_string(self._get_certificate_template_html())
+        return self.jinja_env.from_string(get_certificate_template_html())
 
     def _get_correction_template(self):
-        """Gibt Correction-Template zurück."""
+        """Gibt Correction-Template zurueck."""
         template_path = self.templates_dir / "correction.html"
         if template_path.exists():
             return self.jinja_env.get_template("correction.html")
 
-        return self.jinja_env.from_string(self._get_correction_template_html())
-
-    @staticmethod
-    def _get_letter_template_html() -> str:
-        """Inline HTML-Template für Elternbriefe."""
-        return """
-<!DOCTYPE html>
-<html lang="de">
-<head>
-    <meta charset="UTF-8">
-    <title>{{ data.subject }}</title>
-</head>
-<body>
-    <div class="header">
-        {% if data.school_info %}
-        <div class="school-name">{{ data.school_info.name }}</div>
-        <div class="school-info">
-            {{ data.school_info.address }}<br>
-            Tel: {{ data.school_info.phone }} | E-Mail: {{ data.school_info.email }}
-            {% if data.school_info.website %} | {{ data.school_info.website }}{% endif %}
-        </div>
-        {% else %}
-        <div class="school-name">Schule</div>
-        {% endif %}
-    </div>
-
-    <div class="letter-date">
-        {{ data.date }}
-    </div>
-
-    <div class="recipient">
-        {{ data.recipient_name }}<br>
-        {{ data.recipient_address | replace('\\n', '<br>') | safe }}
-    </div>
-
-    <div class="subject">
-        Betreff: {{ data.subject }}
-    </div>
-
-    <div class="meta-info" style="font-size: 10pt; color: #666; margin-bottom: 20px;">
-        Schüler/in: {{ data.student_name }} | Klasse: {{ data.student_class }}
-    </div>
-
-    <div class="content">
-        {{ data.content | replace('\\n', '<br>') | safe }}
-    </div>
-
-    {% if data.gfk_principles_applied %}
-    <div style="margin-bottom: 20px;">
-        {% for principle in data.gfk_principles_applied %}
-        <span class="gfk-badge">✓ {{ principle }}</span>
-        {% endfor %}
-    </div>
-    {% endif %}
-
-    <div class="signature">
-        <p>Mit freundlichen Grüßen</p>
-        <p style="margin-top: 30px;">
-            {{ data.teacher_name }}
-            {% if data.teacher_title %}<br><span style="font-size: 10pt;">{{ data.teacher_title }}</span>{% endif %}
-        </p>
-    </div>
-
-    {% if data.legal_references %}
-    <div class="legal-references">
-        <strong>Rechtliche Grundlagen:</strong><br>
-        {% for ref in data.legal_references %}
-        • {{ ref.law }} {{ ref.paragraph }}: {{ ref.title }}<br>
-        {% endfor %}
-    </div>
-    {% endif %}
-
-    <div style="font-size: 8pt; color: #999; margin-top: 30px; text-align: center;">
-        Erstellt mit BreakPilot | {{ generated_at }}
-    </div>
-</body>
-</html>
-"""
-
-    @staticmethod
-    def _get_certificate_template_html() -> str:
-        """Inline HTML-Template für Zeugnisse."""
-        return """
-<!DOCTYPE html>
-<html lang="de">
-<head>
-    <meta charset="UTF-8">
-    <title>Zeugnis - {{ data.student_name }}</title>
-</head>
-<body>
-    <div class="certificate-header">
-        {% if data.school_info %}
-        <div class="school-name" style="font-size: 14pt;">{{ data.school_info.name }}</div>
-        {% endif %}
-        <div class="certificate-title">
-            {% if data.certificate_type == 'halbjahr' %}
-            Halbjahreszeugnis
-            {% elif data.certificate_type == 'jahres' %}
-            Jahreszeugnis
-            {% else %}
-            Abschlusszeugnis
-            {% endif %}
-        </div>
-        <div>Schuljahr {{ data.school_year }}</div>
-    </div>
-
-    <div class="student-info">
-        <table style="width: 100%;">
-            <tr>
-                <td><strong>Name:</strong> {{ data.student_name }}</td>
-                <td><strong>Geburtsdatum:</strong> {{ data.student_birthdate }}</td>
-            </tr>
-            <tr>
-                <td><strong>Klasse:</strong> {{ data.student_class }}</td>
-                <td>&nbsp;</td>
-            </tr>
-        </table>
-    </div>
-
-    <h3>Leistungen</h3>
-    <table class="grades-table">
-        <thead>
-            <tr>
-                <th style="width: 70%;">Fach</th>
-                <th style="width: 15%;">Note</th>
-                <th style="width: 15%;">Punkte</th>
-            </tr>
-        </thead>
-        <tbody>
-            {% for subject in data.subjects %}
-            <tr>
-                <td>{{ subject.name }}</td>
-                <td class="grade-cell" style="color: {{ subject.grade | grade_color }};">
-                    {{ subject.grade }}
-                </td>
-                <td class="grade-cell">{{ subject.points | default('-') }}</td>
-            </tr>
-            {% endfor %}
-        </tbody>
-    </table>
-
-    {% if data.social_behavior or data.work_behavior %}
-    <h3>Verhalten</h3>
-    <table class="grades-table" style="width: 50%;">
-        {% if data.social_behavior %}
-        <tr>
-            <td>Sozialverhalten</td>
-            <td class="grade-cell">{{ data.social_behavior }}</td>
-        </tr>
-        {% endif %}
-        {% if data.work_behavior %}
-        <tr>
-            <td>Arbeitsverhalten</td>
-            <td class="grade-cell">{{ data.work_behavior }}</td>
-        </tr>
-        {% endif %}
-    </table>
-    {% endif %}
-
-    <div class="attendance-box">
-        <strong>Versäumte Tage:</strong> {{ data.attendance.days_absent | default(0) }}
-        (davon entschuldigt: {{ data.attendance.days_excused | default(0) }},
-        unentschuldigt: {{ data.attendance.days_unexcused | default(0) }})
-    </div>
-
-    {% if data.remarks %}
-    <div style="margin-bottom: 20px;">
-        <strong>Bemerkungen:</strong><br>
-        {{ data.remarks }}
-    </div>
-    {% endif %}
-
-    <div style="margin-top: 30px;">
-        <strong>Ausgestellt am:</strong> {{ data.issue_date }}
-    </div>
-
-    <div class="signatures-row">
-        <div class="signature-block">
-            <div class="signature-line">{{ data.class_teacher }}</div>
-            <div style="font-size: 9pt;">Klassenlehrer/in</div>
-        </div>
-        <div class="signature-block">
-            <div class="signature-line">{{ data.principal }}</div>
-            <div style="font-size: 9pt;">Schulleiter/in</div>
-        </div>
-    </div>
-
-    <div style="text-align: center; margin-top: 40px;">
-        <div style="font-size: 9pt; color: #666;">Siegel der Schule</div>
-    </div>
-</body>
-</html>
-"""
-
-    @staticmethod
-    def _get_correction_template_html() -> str:
-        """Inline HTML-Template für Korrektur-Übersichten."""
-        return """
-<!DOCTYPE html>
-<html lang="de">
-<head>
-    <meta charset="UTF-8">
-    <title>Korrektur - {{ data.exam_title }}</title>
-</head>
-<body>
-    <div class="exam-header">
-        <h1 style="margin: 0; color: white;">{{ data.exam_title }}</h1>
-        <div>{{ data.subject }} | {{ data.date }}</div>
-    </div>
-
-    <div class="student-info">
-        <strong>{{ data.student.name }}</strong> | Klasse {{ data.student.class_name }}
-    </div>
-
-    <div class="result-box">
-        <div class="result-grade" style="color: {{ data.grade | grade_color }};">
-            Note: {{ data.grade }}
-        </div>
-        <div class="result-points">
-            {{ data.achieved_points }} von {{ data.max_points }} Punkten
-            ({{ data.percentage | round(1) }}%)
-        </div>
-    </div>
-
-    <h3>Detaillierte Auswertung</h3>
-    <div class="corrections-list">
-        {% for item in data.corrections %}
-        <div class="correction-item">
-            <div class="correction-question">
-                {{ item.question }}
-            </div>
-            {% if item.answer %}
-            <div style="margin: 5px 0; font-style: italic; color: #555;">
-                <strong>Antwort:</strong> {{ item.answer }}
-            </div>
-            {% endif %}
-            <div>
-                <strong>Punkte:</strong> {{ item.points }}
-            </div>
-            {% if item.feedback %}
-            <div class="correction-feedback">
-                {{ item.feedback }}
-            </div>
-            {% endif %}
-        </div>
-        {% endfor %}
-    </div>
-
-    {% if data.teacher_notes %}
-    <div style="background: #e3f2fd; padding: 15px; border-radius: 5px; margin-bottom: 20px;">
-        <strong>Lehrerkommentar:</strong><br>
-        {{ data.teacher_notes }}
-    </div>
-    {% endif %}
-
-    {% if data.ai_feedback %}
-    <div style="background: #f3e5f5; padding: 15px; border-radius: 5px; margin-bottom: 20px;">
-        <strong>KI-Feedback:</strong><br>
-        {{ data.ai_feedback }}
-    </div>
-    {% endif %}
-
-    {% if data.class_average or data.grade_distribution %}
-    <h3>Klassenstatistik</h3>
-    <table class="stats-table">
-        {% if data.class_average %}
-        <tr>
-            <td><strong>Klassendurchschnitt:</strong></td>
-            <td>{{ data.class_average }}</td>
-        </tr>
-        {% endif %}
-        {% if data.grade_distribution %}
-        <tr>
-            <td><strong>Notenverteilung:</strong></td>
-            <td>
-                {% for grade, count in data.grade_distribution.items() %}
-                Note {{ grade }}: {{ count }}x{% if not loop.last %}, {% endif %}
-                {% endfor %}
-            </td>
-        </tr>
-        {% endif %}
-    </table>
-    {% endif %}
-
-    <div class="signature" style="margin-top: 40px;">
-        <p style="font-size: 9pt; color: #666;">Datum: {{ data.date }}</p>
-    </div>
-
-    <div style="font-size: 8pt; color: #999; margin-top: 30px; text-align: center;">
-        Erstellt mit BreakPilot | {{ generated_at }}
-    </div>
-</body>
-</html>
-"""
+        return self.jinja_env.from_string(get_correction_template_html())
 
 
 # Convenience functions for direct usage
@@ -793,7 +225,7 @@ _pdf_service: Optional[PDFService] = None
 
 
 def get_pdf_service() -> PDFService:
-    """Gibt Singleton-Instanz des PDF-Service zurück."""
+    """Gibt Singleton-Instanz des PDF-Service zurueck."""
     global _pdf_service
     if _pdf_service is None:
         _pdf_service = PDFService()
diff --git a/backend-core/services/pdf_templates.py b/backend-core/services/pdf_templates.py
new file mode 100644
index 0000000..c9533aa
--- /dev/null
+++ b/backend-core/services/pdf_templates.py
@@ -0,0 +1,519 @@
+"""
+PDF Templates - Inline HTML-Templates und CSS fuer PDF-Generierung.
+
+Fallback-Templates die verwendet werden wenn keine externen HTML-Dateien
+im templates/pdf/ Verzeichnis vorhanden sind.
+"""
+
+
+def get_base_css() -> str:
+    """Basis-CSS fuer alle PDFs (A4, Typografie, Komponenten-Styles)."""
+    return """
+    @page {
+        size: A4;
+        margin: 2cm 2.5cm;
+        @top-right {
+            content: counter(page) " / " counter(pages);
+            font-size: 9pt;
+            color: #666;
+        }
+    }
+
+    body {
+        font-family: 'DejaVu Sans', 'Liberation Sans', Arial, sans-serif;
+        font-size: 11pt;
+        line-height: 1.5;
+        color: #333;
+    }
+
+    h1, h2, h3 {
+        font-weight: bold;
+        margin-top: 1em;
+        margin-bottom: 0.5em;
+    }
+
+    h1 { font-size: 16pt; }
+    h2 { font-size: 14pt; }
+    h3 { font-size: 12pt; }
+
+    .header {
+        border-bottom: 2px solid #2c3e50;
+        padding-bottom: 15px;
+        margin-bottom: 20px;
+    }
+
+    .school-name {
+        font-size: 18pt;
+        font-weight: bold;
+        color: #2c3e50;
+    }
+
+    .school-info {
+        font-size: 9pt;
+        color: #666;
+    }
+
+    .letter-date {
+        text-align: right;
+        margin-bottom: 20px;
+    }
+
+    .recipient {
+        margin-bottom: 30px;
+    }
+
+    .subject {
+        font-weight: bold;
+        margin-bottom: 20px;
+    }
+
+    .content {
+        text-align: justify;
+        margin-bottom: 30px;
+    }
+
+    .signature {
+        margin-top: 40px;
+    }
+
+    .legal-references {
+        font-size: 9pt;
+        color: #666;
+        border-top: 1px solid #ddd;
+        margin-top: 30px;
+        padding-top: 10px;
+    }
+
+    .gfk-badge {
+        display: inline-block;
+        background: #e8f5e9;
+        color: #27ae60;
+        font-size: 8pt;
+        padding: 2px 8px;
+        border-radius: 10px;
+        margin-right: 5px;
+    }
+
+    /* Zeugnis-Styles */
+    .certificate-header {
+        text-align: center;
+        margin-bottom: 30px;
+    }
+
+    .certificate-title {
+        font-size: 20pt;
+        font-weight: bold;
+        margin-bottom: 10px;
+    }
+
+    .student-info {
+        margin-bottom: 20px;
+        padding: 15px;
+        background: #f9f9f9;
+        border-radius: 5px;
+    }
+
+    .grades-table {
+        width: 100%;
+        border-collapse: collapse;
+        margin-bottom: 20px;
+    }
+
+    .grades-table th,
+    .grades-table td {
+        border: 1px solid #ddd;
+        padding: 8px 12px;
+        text-align: left;
+    }
+
+    .grades-table th {
+        background: #2c3e50;
+        color: white;
+    }
+
+    .grades-table tr:nth-child(even) {
+        background: #f9f9f9;
+    }
+
+    .grade-cell {
+        text-align: center;
+        font-weight: bold;
+        font-size: 12pt;
+    }
+
+    .attendance-box {
+        background: #fff3cd;
+        padding: 15px;
+        border-radius: 5px;
+        margin-bottom: 20px;
+    }
+
+    .signatures-row {
+        display: flex;
+        justify-content: space-between;
+        margin-top: 50px;
+    }
+
+    .signature-block {
+        text-align: center;
+        width: 40%;
+    }
+
+    .signature-line {
+        border-top: 1px solid #333;
+        margin-top: 40px;
+        padding-top: 5px;
+    }
+
+    /* Korrektur-Styles */
+    .exam-header {
+        background: #2c3e50;
+        color: white;
+        padding: 15px;
+        margin-bottom: 20px;
+    }
+
+    .result-box {
+        background: #e8f5e9;
+        padding: 20px;
+        text-align: center;
+        margin-bottom: 20px;
+        border-radius: 5px;
+    }
+
+    .result-grade {
+        font-size: 36pt;
+        font-weight: bold;
+    }
+
+    .result-points {
+        font-size: 14pt;
+        color: #666;
+    }
+
+    .corrections-list {
+        margin-bottom: 20px;
+    }
+
+    .correction-item {
+        border: 1px solid #ddd;
+        padding: 15px;
+        margin-bottom: 10px;
+        border-radius: 5px;
+    }
+
+    .correction-question {
+        font-weight: bold;
+        margin-bottom: 5px;
+    }
+
+    .correction-feedback {
+        background: #fff8e1;
+        padding: 10px;
+        margin-top: 10px;
+        border-left: 3px solid #ffc107;
+        font-size: 10pt;
+    }
+
+    .stats-table {
+        width: 100%;
+        margin-top: 20px;
+    }
+
+    .stats-table td {
+        padding: 5px 10px;
+    }
+    """
+
+
+def get_letter_template_html() -> str:
+    """Inline HTML-Template fuer Elternbriefe."""
+    return """
+<!DOCTYPE html>
+<html lang="de">
+<head>
+    <meta charset="UTF-8">
+    <title>{{ data.subject }}</title>
+</head>
+<body>
+    <div class="header">
+        {% if data.school_info %}
+        <div class="school-name">{{ data.school_info.name }}</div>
+        <div class="school-info">
+            {{ data.school_info.address }}<br>
+            Tel: {{ data.school_info.phone }} | E-Mail: {{ data.school_info.email }}
+            {% if data.school_info.website %} | {{ data.school_info.website }}{% endif %}
+        </div>
+        {% else %}
+        <div class="school-name">Schule</div>
+        {% endif %}
+    </div>
+
+    <div class="letter-date">
+        {{ data.date }}
+    </div>
+
+    <div class="recipient">
+        {{ data.recipient_name }}<br>
+        {{ data.recipient_address | replace('\\n', '<br>') | safe }}
+    </div>
+
+    <div class="subject">
+        Betreff: {{ data.subject }}
+    </div>
+
+    <div class="meta-info" style="font-size: 10pt; color: #666; margin-bottom: 20px;">
+        Schüler/in: {{ data.student_name }} | Klasse: {{ data.student_class }}
+    </div>
+
+    <div class="content">
+        {{ data.content | replace('\\n', '<br>') | safe }}
+    </div>
+
+    {% if data.gfk_principles_applied %}
+    <div style="margin-bottom: 20px;">
+        {% for principle in data.gfk_principles_applied %}
+        <span class="gfk-badge">✓ {{ principle }}</span>
+        {% endfor %}
+    </div>
+    {% endif %}
+
+    <div class="signature">
+        <p>Mit freundlichen Grüßen</p>
+        <p style="margin-top: 30px;">
+            {{ data.teacher_name }}
+            {% if data.teacher_title %}<br><span style="font-size: 10pt;">{{ data.teacher_title }}</span>{% endif %}
+        </p>
+    </div>
+
+    {% if data.legal_references %}
+    <div class="legal-references">
+        <strong>Rechtliche Grundlagen:</strong><br>
+        {% for ref in data.legal_references %}
+        • {{ ref.law }} {{ ref.paragraph }}: {{ ref.title }}<br>
+        {% endfor %}
+    </div>
+    {% endif %}
+
+    <div style="font-size: 8pt; color: #999; margin-top: 30px; text-align: center;">
+        Erstellt mit BreakPilot | {{ generated_at }}
+    </div>
+</body>
+</html>
+"""
+
+
+def get_certificate_template_html() -> str:
+    """Inline HTML-Template fuer Zeugnisse."""
+    return """
+<!DOCTYPE html>
+<html lang="de">
+<head>
+    <meta charset="UTF-8">
+    <title>Zeugnis - {{ data.student_name }}</title>
+</head>
+<body>
+    <div class="certificate-header">
+        {% if data.school_info %}
+        <div class="school-name" style="font-size: 14pt;">{{ data.school_info.name }}</div>
+        {% endif %}
+        <div class="certificate-title">
+            {% if data.certificate_type == 'halbjahr' %}
+            Halbjahreszeugnis
+            {% elif data.certificate_type == 'jahres' %}
+            Jahreszeugnis
+            {% else %}
+            Abschlusszeugnis
+            {% endif %}
+        </div>
+        <div>Schuljahr {{ data.school_year }}</div>
+    </div>
+
+    <div class="student-info">
+        <table style="width: 100%;">
+            <tr>
+                <td><strong>Name:</strong> {{ data.student_name }}</td>
+                <td><strong>Geburtsdatum:</strong> {{ data.student_birthdate }}</td>
+            </tr>
+            <tr>
+                <td><strong>Klasse:</strong> {{ data.student_class }}</td>
+                <td>&nbsp;</td>
+            </tr>
+        </table>
+    </div>
+
+    <h3>Leistungen</h3>
+    <table class="grades-table">
+        <thead>
+            <tr>
+                <th style="width: 70%;">Fach</th>
+                <th style="width: 15%;">Note</th>
+                <th style="width: 15%;">Punkte</th>
+            </tr>
+        </thead>
+        <tbody>
+            {% for subject in data.subjects %}
+            <tr>
+                <td>{{ subject.name }}</td>
+                <td class="grade-cell" style="color: {{ subject.grade | grade_color }};">
+                    {{ subject.grade }}
+                </td>
+                <td class="grade-cell">{{ subject.points | default('-') }}</td>
+            </tr>
+            {% endfor %}
+        </tbody>
+    </table>
+
+    {% if data.social_behavior or data.work_behavior %}
+    <h3>Verhalten</h3>
+    <table class="grades-table" style="width: 50%;">
+        {% if data.social_behavior %}
+        <tr>
+            <td>Sozialverhalten</td>
+            <td class="grade-cell">{{ data.social_behavior }}</td>
+        </tr>
+        {% endif %}
+        {% if data.work_behavior %}
+        <tr>
+            <td>Arbeitsverhalten</td>
+            <td class="grade-cell">{{ data.work_behavior }}</td>
+        </tr>
+        {% endif %}
+    </table>
+    {% endif %}
+
+    <div class="attendance-box">
+        <strong>Versäumte Tage:</strong> {{ data.attendance.days_absent | default(0) }}
+        (davon entschuldigt: {{ data.attendance.days_excused | default(0) }},
+        unentschuldigt: {{ data.attendance.days_unexcused | default(0) }})
+    </div>
+
+    {% if data.remarks %}
+    <div style="margin-bottom: 20px;">
+        <strong>Bemerkungen:</strong><br>
+        {{ data.remarks }}
+    </div>
+    {% endif %}
+
+    <div style="margin-top: 30px;">
+        <strong>Ausgestellt am:</strong> {{ data.issue_date }}
+    </div>
+
+    <div class="signatures-row">
+        <div class="signature-block">
+            <div class="signature-line">{{ data.class_teacher }}</div>
+            <div style="font-size: 9pt;">Klassenlehrer/in</div>
+        </div>
+        <div class="signature-block">
+            <div class="signature-line">{{ data.principal }}</div>
+            <div style="font-size: 9pt;">Schulleiter/in</div>
+        </div>
+    </div>
+
+    <div style="text-align: center; margin-top: 40px;">
+        <div style="font-size: 9pt; color: #666;">Siegel der Schule</div>
+    </div>
+</body>
+</html>
+"""
+
+
+def get_correction_template_html() -> str:
+    """Inline HTML-Template fuer Korrektur-Uebersichten."""
+    return """
+<!DOCTYPE html>
+<html lang="de">
+<head>
+    <meta charset="UTF-8">
+    <title>Korrektur - {{ data.exam_title }}</title>
+</head>
+<body>
+    <div class="exam-header">
+        <h1 style="margin: 0; color: white;">{{ data.exam_title }}</h1>
+        <div>{{ data.subject }} | {{ data.date }}</div>
+    </div>
+
+    <div class="student-info">
+        <strong>{{ data.student.name }}</strong> | Klasse {{ data.student.class_name }}
+    </div>
+
+    <div class="result-box">
+        <div class="result-grade" style="color: {{ data.grade | grade_color }};">
+            Note: {{ data.grade }}
+        </div>
+        <div class="result-points">
+            {{ data.achieved_points }} von {{ data.max_points }} Punkten
+            ({{ data.percentage | round(1) }}%)
+        </div>
+    </div>
+
+    <h3>Detaillierte Auswertung</h3>
+    <div class="corrections-list">
+        {% for item in data.corrections %}
+        <div class="correction-item">
+            <div class="correction-question">
+                {{ item.question }}
+            </div>
+            {% if item.answer %}
+            <div style="margin: 5px 0; font-style: italic; color: #555;">
+                <strong>Antwort:</strong> {{ item.answer }}
+            </div>
+            {% endif %}
+            <div>
+                <strong>Punkte:</strong> {{ item.points }}
+            </div>
+            {% if item.feedback %}
+            <div class="correction-feedback">
+                {{ item.feedback }}
+            </div>
+            {% endif %}
+        </div>
+        {% endfor %}
+    </div>
+
+    {% if data.teacher_notes %}
+    <div style="background: #e3f2fd; padding: 15px; border-radius: 5px; margin-bottom: 20px;">
+        <strong>Lehrerkommentar:</strong><br>
+        {{ data.teacher_notes }}
+    </div>
+    {% endif %}
+
+    {% if data.ai_feedback %}
+    <div style="background: #f3e5f5; padding: 15px; border-radius: 5px; margin-bottom: 20px;">
+        <strong>KI-Feedback:</strong><br>
+        {{ data.ai_feedback }}
+    </div>
+    {% endif %}
+
+    {% if data.class_average or data.grade_distribution %}
+    <h3>Klassenstatistik</h3>
+    <table class="stats-table">
+        {% if data.class_average %}
+        <tr>
+            <td><strong>Klassendurchschnitt:</strong></td>
+            <td>{{ data.class_average }}</td>
+        </tr>
+        {% endif %}
+        {% if data.grade_distribution %}
+        <tr>
+            <td><strong>Notenverteilung:</strong></td>
+            <td>
+                {% for grade, count in data.grade_distribution.items() %}
+                Note {{ grade }}: {{ count }}x{% if not loop.last %}, {% endif %}
+                {% endfor %}
+            </td>
+        </tr>
+        {% endif %}
+    </table>
+    {% endif %}
+
+    <div class="signature" style="margin-top: 40px;">
+        <p style="font-size: 9pt; color: #666;">Datum: {{ data.date }}</p>
+    </div>
+
+    <div style="font-size: 8pt; color: #999; margin-top: 30px; text-align: center;">
+        Erstellt mit BreakPilot | {{ generated_at }}
+    </div>
+</body>
+</html>
+"""
diff --git a/consent-service/internal/database/database.go b/consent-service/internal/database/database.go
index 9f81bf6..8b23fb8 100644
--- a/consent-service/internal/database/database.go
+++ b/consent-service/internal/database/database.go
@@ -1,10 +1,11 @@
 package database
 
 import (
-	"context"
 	"fmt"
 	"time"
 
+	"context"
+
 	"github.com/jackc/pgx/v5/pgxpool"
 )
 
@@ -48,1270 +49,22 @@ func (db *DB) Close() {
 	db.Pool.Close()
 }
 
-// Migrate runs database migrations
+// Migrate runs all database migrations in order.
 func Migrate(db *DB) error {
-	ctx := context.Background()
-
-	// Create tables
-	migrations := []string{
-		// Users table (extended for full auth)
-		`CREATE TABLE IF NOT EXISTS users (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			external_id VARCHAR(255) UNIQUE,
-			email VARCHAR(255) UNIQUE NOT NULL,
-			password_hash VARCHAR(255),
-			name VARCHAR(255),
-			role VARCHAR(50) DEFAULT 'user',
-			email_verified BOOLEAN DEFAULT FALSE,
-			email_verified_at TIMESTAMPTZ,
-			account_status VARCHAR(20) DEFAULT 'active',
-			last_login_at TIMESTAMPTZ,
-			failed_login_attempts INT DEFAULT 0,
-			locked_until TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Legal documents table
-		`CREATE TABLE IF NOT EXISTS legal_documents (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			type VARCHAR(50) NOT NULL,
-			name VARCHAR(255) NOT NULL,
-			description TEXT,
-			is_mandatory BOOLEAN DEFAULT true,
-			is_active BOOLEAN DEFAULT true,
-			sort_order INT DEFAULT 0,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Document versions table
-		`CREATE TABLE IF NOT EXISTS document_versions (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			document_id UUID REFERENCES legal_documents(id) ON DELETE CASCADE,
-			version VARCHAR(20) NOT NULL,
-			language VARCHAR(5) DEFAULT 'de',
-			title VARCHAR(255) NOT NULL,
-			content TEXT NOT NULL,
-			summary TEXT,
-			status VARCHAR(20) DEFAULT 'draft',
-			published_at TIMESTAMPTZ,
-			scheduled_publish_at TIMESTAMPTZ,
-			created_by UUID REFERENCES users(id),
-			approved_by UUID REFERENCES users(id),
-			approved_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(document_id, version, language)
-		)`,
-
-		// Add scheduled_publish_at column if not exists (migration)
-		`ALTER TABLE document_versions ADD COLUMN IF NOT EXISTS scheduled_publish_at TIMESTAMPTZ`,
-		`ALTER TABLE document_versions ADD COLUMN IF NOT EXISTS approved_at TIMESTAMPTZ`,
-
-		// User consents table
-		`CREATE TABLE IF NOT EXISTS user_consents (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
-			document_version_id UUID REFERENCES document_versions(id),
-			consented BOOLEAN NOT NULL,
-			ip_address INET,
-			user_agent TEXT,
-			consented_at TIMESTAMPTZ DEFAULT NOW(),
-			withdrawn_at TIMESTAMPTZ,
-			UNIQUE(user_id, document_version_id)
-		)`,
-
-		// Cookie categories table
-		`CREATE TABLE IF NOT EXISTS cookie_categories (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			name VARCHAR(100) NOT NULL UNIQUE,
-			display_name_de VARCHAR(255) NOT NULL,
-			display_name_en VARCHAR(255),
-			description_de TEXT,
-			description_en TEXT,
-			is_mandatory BOOLEAN DEFAULT false,
-			sort_order INT DEFAULT 0,
-			is_active BOOLEAN DEFAULT true,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Cookie consents table
-		`CREATE TABLE IF NOT EXISTS cookie_consents (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
-			category_id UUID REFERENCES cookie_categories(id) ON DELETE CASCADE,
-			consented BOOLEAN NOT NULL,
-			consented_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(user_id, category_id)
-		)`,
-
-		// Audit log table
-		`CREATE TABLE IF NOT EXISTS consent_audit_log (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID REFERENCES users(id) ON DELETE SET NULL,
-			action VARCHAR(50) NOT NULL,
-			entity_type VARCHAR(50),
-			entity_id UUID,
-			details JSONB,
-			ip_address INET,
-			user_agent TEXT,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Data export requests table
-		`CREATE TABLE IF NOT EXISTS data_export_requests (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
-			status VARCHAR(20) DEFAULT 'pending',
-			download_url TEXT,
-			expires_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			completed_at TIMESTAMPTZ
-		)`,
-
-		// Data deletion requests table
-		`CREATE TABLE IF NOT EXISTS data_deletion_requests (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
-			status VARCHAR(20) DEFAULT 'pending',
-			reason TEXT,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			processed_at TIMESTAMPTZ,
-			processed_by UUID REFERENCES users(id)
-		)`,
-
-		// =============================================
-		// Phase 1: User Management Tables
-		// =============================================
-
-		// Email verification tokens
-		`CREATE TABLE IF NOT EXISTS email_verification_tokens (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
-			token VARCHAR(255) UNIQUE NOT NULL,
-			expires_at TIMESTAMPTZ NOT NULL,
-			used_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Password reset tokens
-		`CREATE TABLE IF NOT EXISTS password_reset_tokens (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
-			token VARCHAR(255) UNIQUE NOT NULL,
-			expires_at TIMESTAMPTZ NOT NULL,
-			used_at TIMESTAMPTZ,
-			ip_address INET,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// User sessions (for JWT revocation and session management)
-		`CREATE TABLE IF NOT EXISTS user_sessions (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
-			token_hash VARCHAR(255) NOT NULL,
-			device_info TEXT,
-			ip_address INET,
-			user_agent TEXT,
-			expires_at TIMESTAMPTZ NOT NULL,
-			revoked_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			last_activity_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// =============================================
-		// Phase 3: Version Approvals (DSB Workflow)
-		// =============================================
-
-		// Version approval tracking
-		`CREATE TABLE IF NOT EXISTS version_approvals (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			version_id UUID REFERENCES document_versions(id) ON DELETE CASCADE,
-			approver_id UUID REFERENCES users(id),
-			action VARCHAR(30) NOT NULL,
-			comment TEXT,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// =============================================
-		// Phase 4: Notification System
-		// =============================================
-
-		// Notifications
-		`CREATE TABLE IF NOT EXISTS notifications (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
-			type VARCHAR(50) NOT NULL,
-			channel VARCHAR(20) NOT NULL,
-			title VARCHAR(255) NOT NULL,
-			body TEXT NOT NULL,
-			data JSONB,
-			read_at TIMESTAMPTZ,
-			sent_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Push subscriptions for Web Push
-		`CREATE TABLE IF NOT EXISTS push_subscriptions (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
-			endpoint TEXT NOT NULL,
-			p256dh TEXT NOT NULL,
-			auth TEXT NOT NULL,
-			user_agent TEXT,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(user_id, endpoint)
-		)`,
-
-		// Notification preferences per user
-		`CREATE TABLE IF NOT EXISTS notification_preferences (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID REFERENCES users(id) ON DELETE CASCADE UNIQUE,
-			email_enabled BOOLEAN DEFAULT TRUE,
-			push_enabled BOOLEAN DEFAULT TRUE,
-			in_app_enabled BOOLEAN DEFAULT TRUE,
-			reminder_frequency VARCHAR(20) DEFAULT 'weekly',
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// =============================================
-		// Phase 5: Consent Deadlines & Account Suspension
-		// =============================================
-
-		// Consent deadlines per user per version
-		`CREATE TABLE IF NOT EXISTS consent_deadlines (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
-			document_version_id UUID REFERENCES document_versions(id) ON DELETE CASCADE,
-			deadline_at TIMESTAMPTZ NOT NULL,
-			reminder_count INT DEFAULT 0,
-			last_reminder_at TIMESTAMPTZ,
-			consent_given_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(user_id, document_version_id)
-		)`,
-
-		// Account suspensions tracking
-		`CREATE TABLE IF NOT EXISTS account_suspensions (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
-			reason VARCHAR(50) NOT NULL,
-			details JSONB,
-			suspended_at TIMESTAMPTZ DEFAULT NOW(),
-			lifted_at TIMESTAMPTZ,
-			lifted_reason TEXT
-		)`,
-
-		// =============================================
-		// Indexes for performance
-		// =============================================
-		`CREATE INDEX IF NOT EXISTS idx_user_consents_user ON user_consents(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_user_consents_version ON user_consents(document_version_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_cookie_consents_user ON cookie_consents(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_audit_log_user ON consent_audit_log(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_audit_log_created ON consent_audit_log(created_at)`,
-		`CREATE INDEX IF NOT EXISTS idx_document_versions_document ON document_versions(document_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_document_versions_status ON document_versions(status)`,
-		`CREATE INDEX IF NOT EXISTS idx_legal_documents_type ON legal_documents(type)`,
-
-		// Phase 1: Auth indexes
-		`CREATE INDEX IF NOT EXISTS idx_email_verification_tokens_token ON email_verification_tokens(token)`,
-		`CREATE INDEX IF NOT EXISTS idx_email_verification_tokens_user ON email_verification_tokens(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_password_reset_tokens_token ON password_reset_tokens(token)`,
-		`CREATE INDEX IF NOT EXISTS idx_user_sessions_user ON user_sessions(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_user_sessions_token ON user_sessions(token_hash)`,
-
-		// Phase 3: Approval indexes
-		`CREATE INDEX IF NOT EXISTS idx_version_approvals_version ON version_approvals(version_id)`,
-
-		// Phase 4: Notification indexes
-		`CREATE INDEX IF NOT EXISTS idx_notifications_user ON notifications(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_notifications_unread ON notifications(user_id, read_at)`,
-		`CREATE INDEX IF NOT EXISTS idx_push_subscriptions_user ON push_subscriptions(user_id)`,
-
-		// Phase 5: Deadline indexes
-		`CREATE INDEX IF NOT EXISTS idx_consent_deadlines_user ON consent_deadlines(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_consent_deadlines_deadline ON consent_deadlines(deadline_at)`,
-		`CREATE INDEX IF NOT EXISTS idx_account_suspensions_user ON account_suspensions(user_id)`,
-
-		// =============================================
-		// Phase 6: OAuth 2.0 Authorization Code Flow
-		// =============================================
-
-		// OAuth 2.0 Clients
-		`CREATE TABLE IF NOT EXISTS oauth_clients (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			client_id VARCHAR(64) UNIQUE NOT NULL,
-			client_secret VARCHAR(255),
-			name VARCHAR(255) NOT NULL,
-			description TEXT,
-			redirect_uris JSONB NOT NULL DEFAULT '[]',
-			scopes JSONB NOT NULL DEFAULT '["openid", "profile", "email"]',
-			grant_types JSONB NOT NULL DEFAULT '["authorization_code", "refresh_token"]',
-			is_public BOOLEAN DEFAULT FALSE,
-			is_active BOOLEAN DEFAULT TRUE,
-			created_by UUID REFERENCES users(id),
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// OAuth 2.0 Authorization Codes
-		`CREATE TABLE IF NOT EXISTS oauth_authorization_codes (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			code VARCHAR(255) UNIQUE NOT NULL,
-			client_id VARCHAR(64) NOT NULL REFERENCES oauth_clients(client_id),
-			user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-			redirect_uri TEXT NOT NULL,
-			scopes JSONB NOT NULL DEFAULT '[]',
-			code_challenge VARCHAR(255),
-			code_challenge_method VARCHAR(10),
-			expires_at TIMESTAMPTZ NOT NULL,
-			used_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// OAuth 2.0 Access Tokens
-		`CREATE TABLE IF NOT EXISTS oauth_access_tokens (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			token_hash VARCHAR(255) UNIQUE NOT NULL,
-			client_id VARCHAR(64) NOT NULL REFERENCES oauth_clients(client_id),
-			user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-			scopes JSONB NOT NULL DEFAULT '[]',
-			expires_at TIMESTAMPTZ NOT NULL,
-			revoked_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// OAuth 2.0 Refresh Tokens
-		`CREATE TABLE IF NOT EXISTS oauth_refresh_tokens (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			token_hash VARCHAR(255) UNIQUE NOT NULL,
-			access_token_id UUID REFERENCES oauth_access_tokens(id) ON DELETE CASCADE,
-			client_id VARCHAR(64) NOT NULL REFERENCES oauth_clients(client_id),
-			user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-			scopes JSONB NOT NULL DEFAULT '[]',
-			expires_at TIMESTAMPTZ NOT NULL,
-			revoked_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// =============================================
-		// Phase 7: Two-Factor Authentication (2FA/TOTP)
-		// =============================================
-
-		// User TOTP secrets and recovery codes
-		`CREATE TABLE IF NOT EXISTS user_totp (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID UNIQUE NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-			secret VARCHAR(255) NOT NULL,
-			verified BOOLEAN DEFAULT FALSE,
-			recovery_codes JSONB DEFAULT '[]',
-			enabled_at TIMESTAMPTZ,
-			last_used_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// 2FA challenges during login
-		`CREATE TABLE IF NOT EXISTS two_factor_challenges (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-			challenge_id VARCHAR(255) UNIQUE NOT NULL,
-			ip_address INET,
-			user_agent TEXT,
-			expires_at TIMESTAMPTZ NOT NULL,
-			used_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Add 2FA required flag to users
-		`ALTER TABLE users ADD COLUMN IF NOT EXISTS two_factor_enabled BOOLEAN DEFAULT FALSE`,
-		`ALTER TABLE users ADD COLUMN IF NOT EXISTS two_factor_verified_at TIMESTAMPTZ`,
-
-		// Phase 6 & 7 Indexes
-		`CREATE INDEX IF NOT EXISTS idx_oauth_clients_client_id ON oauth_clients(client_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_oauth_auth_codes_code ON oauth_authorization_codes(code)`,
-		`CREATE INDEX IF NOT EXISTS idx_oauth_auth_codes_user ON oauth_authorization_codes(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_oauth_access_tokens_hash ON oauth_access_tokens(token_hash)`,
-		`CREATE INDEX IF NOT EXISTS idx_oauth_access_tokens_user ON oauth_access_tokens(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_oauth_refresh_tokens_hash ON oauth_refresh_tokens(token_hash)`,
-		`CREATE INDEX IF NOT EXISTS idx_oauth_refresh_tokens_user ON oauth_refresh_tokens(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_user_totp_user ON user_totp(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_two_factor_challenges_id ON two_factor_challenges(challenge_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_two_factor_challenges_user ON two_factor_challenges(user_id)`,
-
-		// Insert default OAuth client for BreakPilot PWA (public client with PKCE)
-		`INSERT INTO oauth_clients (client_id, name, description, redirect_uris, scopes, grant_types, is_public)
-		VALUES (
-			'breakpilot-pwa',
-			'BreakPilot PWA',
-			'Official BreakPilot Progressive Web Application',
-			'["http://localhost:8000/oauth/callback", "http://localhost:8000/app/oauth/callback"]',
-			'["openid", "profile", "email", "consent:read", "consent:write"]',
-			'["authorization_code", "refresh_token"]',
-			true
-		) ON CONFLICT (client_id) DO NOTHING`,
-
-		// Insert default cookie categories
-		`INSERT INTO cookie_categories (name, display_name_de, display_name_en, description_de, description_en, is_mandatory, sort_order)
-		VALUES
-			('necessary', 'Notwendige Cookies', 'Necessary Cookies',
-			 'Diese Cookies sind für die Grundfunktionen der Website unbedingt erforderlich.',
-			 'These cookies are essential for the basic functions of the website.',
-			 true, 1),
-			('functional', 'Funktionale Cookies', 'Functional Cookies',
-			 'Diese Cookies ermöglichen erweiterte Funktionen und Personalisierung.',
-			 'These cookies enable enhanced functionality and personalization.',
-			 false, 2),
-			('analytics', 'Analyse Cookies', 'Analytics Cookies',
-			 'Diese Cookies helfen uns zu verstehen, wie Besucher mit der Website interagieren.',
-			 'These cookies help us understand how visitors interact with the website.',
-			 false, 3),
-			('marketing', 'Marketing Cookies', 'Marketing Cookies',
-			 'Diese Cookies werden verwendet, um Werbung relevanter für Sie zu gestalten.',
-			 'These cookies are used to make advertising more relevant to you.',
-			 false, 4)
-		ON CONFLICT (name) DO NOTHING`,
-
-		// Insert default legal documents
-		`INSERT INTO legal_documents (type, name, description, is_mandatory, sort_order)
-		VALUES
-			('terms', 'Allgemeine Geschäftsbedingungen', 'Die allgemeinen Geschäftsbedingungen für die Nutzung von BreakPilot.', true, 1),
-			('privacy', 'Datenschutzerklärung', 'Informationen über die Verarbeitung Ihrer personenbezogenen Daten.', true, 2),
-			('cookies', 'Cookie-Richtlinie', 'Informationen über die Verwendung von Cookies auf unserer Website.', false, 3),
-			('community', 'Community Guidelines', 'Regeln für das Verhalten in der BreakPilot Community.', true, 4)
-		ON CONFLICT DO NOTHING`,
-
-		// =============================================
-		// Phase 8: E-Mail Templates (Transactional)
-		// =============================================
-
-		// Email templates (like legal_documents)
-		`CREATE TABLE IF NOT EXISTS email_templates (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			type VARCHAR(50) UNIQUE NOT NULL,
-			name VARCHAR(255) NOT NULL,
-			description TEXT,
-			is_active BOOLEAN DEFAULT TRUE,
-			sort_order INT DEFAULT 0,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Email template versions (like document_versions)
-		`CREATE TABLE IF NOT EXISTS email_template_versions (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			template_id UUID REFERENCES email_templates(id) ON DELETE CASCADE,
-			version VARCHAR(20) NOT NULL,
-			language VARCHAR(5) DEFAULT 'de',
-			subject VARCHAR(500) NOT NULL,
-			body_html TEXT NOT NULL,
-			body_text TEXT NOT NULL,
-			summary TEXT,
-			status VARCHAR(20) DEFAULT 'draft',
-			published_at TIMESTAMPTZ,
-			scheduled_publish_at TIMESTAMPTZ,
-			created_by UUID REFERENCES users(id),
-			approved_by UUID REFERENCES users(id),
-			approved_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(template_id, version, language)
-		)`,
-
-		// Email template approvals (like version_approvals)
-		`CREATE TABLE IF NOT EXISTS email_template_approvals (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			version_id UUID REFERENCES email_template_versions(id) ON DELETE CASCADE,
-			approver_id UUID REFERENCES users(id),
-			action VARCHAR(30) NOT NULL,
-			comment TEXT,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Email send logs for audit
-		`CREATE TABLE IF NOT EXISTS email_send_logs (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID REFERENCES users(id) ON DELETE SET NULL,
-			version_id UUID REFERENCES email_template_versions(id) ON DELETE SET NULL,
-			recipient VARCHAR(255) NOT NULL,
-			subject VARCHAR(500) NOT NULL,
-			status VARCHAR(20) DEFAULT 'queued',
-			error_msg TEXT,
-			variables JSONB,
-			sent_at TIMESTAMPTZ,
-			delivered_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Global email settings (logo, colors, signature)
-		`CREATE TABLE IF NOT EXISTS email_template_settings (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			logo_url TEXT,
-			logo_base64 TEXT,
-			company_name VARCHAR(255) DEFAULT 'BreakPilot',
-			sender_name VARCHAR(255) DEFAULT 'BreakPilot',
-			sender_email VARCHAR(255) DEFAULT 'noreply@breakpilot.app',
-			reply_to_email VARCHAR(255),
-			footer_html TEXT,
-			footer_text TEXT,
-			primary_color VARCHAR(7) DEFAULT '#2563eb',
-			secondary_color VARCHAR(7) DEFAULT '#64748b',
-			updated_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_by UUID REFERENCES users(id)
-		)`,
-
-		// Insert default email settings
-		`INSERT INTO email_template_settings (id, company_name, sender_name, sender_email, primary_color, secondary_color)
-		VALUES (gen_random_uuid(), 'BreakPilot', 'BreakPilot', 'noreply@breakpilot.app', '#2563eb', '#64748b')
-		ON CONFLICT DO NOTHING`,
-
-		// Phase 8 Indexes
-		`CREATE INDEX IF NOT EXISTS idx_email_templates_type ON email_templates(type)`,
-		`CREATE INDEX IF NOT EXISTS idx_email_template_versions_template ON email_template_versions(template_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_email_template_versions_status ON email_template_versions(status)`,
-		`CREATE INDEX IF NOT EXISTS idx_email_template_approvals_version ON email_template_approvals(version_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_email_send_logs_user ON email_send_logs(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_email_send_logs_created ON email_send_logs(created_at)`,
-		`CREATE INDEX IF NOT EXISTS idx_email_send_logs_status ON email_send_logs(status)`,
-
-		// =============================================
-		// Phase 9: Schulverwaltung / School Management
-		// Matrix-basierte Kommunikation für Schulen
-		// =============================================
-
-		// Schools table
-		`CREATE TABLE IF NOT EXISTS schools (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			name VARCHAR(255) NOT NULL,
-			short_name VARCHAR(50),
-			type VARCHAR(50) NOT NULL,
-			address TEXT,
-			city VARCHAR(100),
-			postal_code VARCHAR(20),
-			state VARCHAR(50),
-			country VARCHAR(2) DEFAULT 'DE',
-			phone VARCHAR(50),
-			email VARCHAR(255),
-			website VARCHAR(255),
-			matrix_server_name VARCHAR(255),
-			logo_url TEXT,
-			is_active BOOLEAN DEFAULT TRUE,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// School years
-		`CREATE TABLE IF NOT EXISTS school_years (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
-			name VARCHAR(20) NOT NULL,
-			start_date DATE NOT NULL,
-			end_date DATE NOT NULL,
-			is_current BOOLEAN DEFAULT FALSE,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(school_id, name)
-		)`,
-
-		// Subjects
-		`CREATE TABLE IF NOT EXISTS subjects (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
-			name VARCHAR(100) NOT NULL,
-			short_name VARCHAR(10) NOT NULL,
-			color VARCHAR(7),
-			is_active BOOLEAN DEFAULT TRUE,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(school_id, short_name)
-		)`,
-
-		// Classes
-		`CREATE TABLE IF NOT EXISTS classes (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
-			school_year_id UUID NOT NULL REFERENCES school_years(id) ON DELETE CASCADE,
-			name VARCHAR(20) NOT NULL,
-			grade INT NOT NULL,
-			section VARCHAR(5),
-			room VARCHAR(50),
-			matrix_info_room VARCHAR(255),
-			matrix_rep_room VARCHAR(255),
-			is_active BOOLEAN DEFAULT TRUE,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(school_id, school_year_id, name)
-		)`,
-
-		// Students
-		`CREATE TABLE IF NOT EXISTS students (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
-			class_id UUID NOT NULL REFERENCES classes(id) ON DELETE CASCADE,
-			user_id UUID REFERENCES users(id) ON DELETE SET NULL,
-			student_number VARCHAR(50),
-			first_name VARCHAR(100) NOT NULL,
-			last_name VARCHAR(100) NOT NULL,
-			date_of_birth DATE,
-			gender VARCHAR(1),
-			matrix_user_id VARCHAR(255),
-			matrix_dm_room VARCHAR(255),
-			is_active BOOLEAN DEFAULT TRUE,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Teachers
-		`CREATE TABLE IF NOT EXISTS teachers (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
-			user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-			teacher_code VARCHAR(10),
-			title VARCHAR(20),
-			first_name VARCHAR(100) NOT NULL,
-			last_name VARCHAR(100) NOT NULL,
-			matrix_user_id VARCHAR(255),
-			is_active BOOLEAN DEFAULT TRUE,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(school_id, user_id)
-		)`,
-
-		// Class teachers assignment
-		`CREATE TABLE IF NOT EXISTS class_teachers (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			class_id UUID NOT NULL REFERENCES classes(id) ON DELETE CASCADE,
-			teacher_id UUID NOT NULL REFERENCES teachers(id) ON DELETE CASCADE,
-			is_primary BOOLEAN DEFAULT FALSE,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(class_id, teacher_id)
-		)`,
-
-		// Teacher subjects assignment
-		`CREATE TABLE IF NOT EXISTS teacher_subjects (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			teacher_id UUID NOT NULL REFERENCES teachers(id) ON DELETE CASCADE,
-			subject_id UUID NOT NULL REFERENCES subjects(id) ON DELETE CASCADE,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(teacher_id, subject_id)
-		)`,
-
-		// Parents
-		`CREATE TABLE IF NOT EXISTS parents (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-			matrix_user_id VARCHAR(255),
-			first_name VARCHAR(100) NOT NULL,
-			last_name VARCHAR(100) NOT NULL,
-			phone VARCHAR(50),
-			emergency_contact BOOLEAN DEFAULT FALSE,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(user_id)
-		)`,
-
-		// Student-parent relationships
-		`CREATE TABLE IF NOT EXISTS student_parents (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			student_id UUID NOT NULL REFERENCES students(id) ON DELETE CASCADE,
-			parent_id UUID NOT NULL REFERENCES parents(id) ON DELETE CASCADE,
-			relationship VARCHAR(20) NOT NULL,
-			is_primary BOOLEAN DEFAULT FALSE,
-			has_custody BOOLEAN DEFAULT TRUE,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(student_id, parent_id)
-		)`,
-
-		// Parent representatives
-		`CREATE TABLE IF NOT EXISTS parent_representatives (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			class_id UUID NOT NULL REFERENCES classes(id) ON DELETE CASCADE,
-			parent_id UUID NOT NULL REFERENCES parents(id) ON DELETE CASCADE,
-			role VARCHAR(20) NOT NULL,
-			elected_at TIMESTAMPTZ NOT NULL,
-			expires_at TIMESTAMPTZ,
-			is_active BOOLEAN DEFAULT TRUE,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// =============================================
-		// Stundenplan / Timetable
-		// =============================================
-
-		// Timetable slots (Stundenraster)
-		`CREATE TABLE IF NOT EXISTS timetable_slots (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
-			slot_number INT NOT NULL,
-			start_time TIME NOT NULL,
-			end_time TIME NOT NULL,
-			is_break BOOLEAN DEFAULT FALSE,
-			name VARCHAR(50),
-			UNIQUE(school_id, slot_number)
-		)`,
-
-		// Timetable entries (Stundenplan)
-		`CREATE TABLE IF NOT EXISTS timetable_entries (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			school_year_id UUID NOT NULL REFERENCES school_years(id) ON DELETE CASCADE,
-			class_id UUID NOT NULL REFERENCES classes(id) ON DELETE CASCADE,
-			subject_id UUID NOT NULL REFERENCES subjects(id) ON DELETE CASCADE,
-			teacher_id UUID NOT NULL REFERENCES teachers(id) ON DELETE CASCADE,
-			slot_id UUID NOT NULL REFERENCES timetable_slots(id) ON DELETE CASCADE,
-			day_of_week INT NOT NULL CHECK (day_of_week >= 1 AND day_of_week <= 7),
-			room VARCHAR(50),
-			valid_from DATE NOT NULL,
-			valid_until DATE,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Timetable substitutions (Vertretungsplan)
-		`CREATE TABLE IF NOT EXISTS timetable_substitutions (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			original_entry_id UUID NOT NULL REFERENCES timetable_entries(id) ON DELETE CASCADE,
-			date DATE NOT NULL,
-			substitute_teacher_id UUID REFERENCES teachers(id) ON DELETE SET NULL,
-			substitute_subject_id UUID REFERENCES subjects(id) ON DELETE SET NULL,
-			room VARCHAR(50),
-			type VARCHAR(20) NOT NULL,
-			note TEXT,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			created_by UUID NOT NULL REFERENCES users(id)
-		)`,
-
-		// =============================================
-		// Abwesenheit / Attendance
-		// =============================================
-
-		// Attendance records per lesson
-		`CREATE TABLE IF NOT EXISTS attendance_records (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			student_id UUID NOT NULL REFERENCES students(id) ON DELETE CASCADE,
-			timetable_entry_id UUID REFERENCES timetable_entries(id) ON DELETE SET NULL,
-			date DATE NOT NULL,
-			slot_id UUID NOT NULL REFERENCES timetable_slots(id) ON DELETE CASCADE,
-			status VARCHAR(30) NOT NULL,
-			recorded_by UUID NOT NULL REFERENCES users(id),
-			note TEXT,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(student_id, date, slot_id)
-		)`,
-
-		// Absence reports (Krankmeldungen)
-		`CREATE TABLE IF NOT EXISTS absence_reports (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			student_id UUID NOT NULL REFERENCES students(id) ON DELETE CASCADE,
-			start_date DATE NOT NULL,
-			end_date DATE NOT NULL,
-			reason TEXT,
-			reason_category VARCHAR(30) NOT NULL,
-			status VARCHAR(20) NOT NULL DEFAULT 'reported',
-			reported_by UUID NOT NULL REFERENCES users(id),
-			reported_at TIMESTAMPTZ DEFAULT NOW(),
-			confirmed_by UUID REFERENCES users(id),
-			confirmed_at TIMESTAMPTZ,
-			medical_certificate BOOLEAN DEFAULT FALSE,
-			certificate_uploaded BOOLEAN DEFAULT FALSE,
-			matrix_notification_sent BOOLEAN DEFAULT FALSE,
-			email_notification_sent BOOLEAN DEFAULT FALSE,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Absence notifications to parents
-		`CREATE TABLE IF NOT EXISTS absence_notifications (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			attendance_record_id UUID NOT NULL REFERENCES attendance_records(id) ON DELETE CASCADE,
-			parent_id UUID NOT NULL REFERENCES parents(id) ON DELETE CASCADE,
-			channel VARCHAR(20) NOT NULL,
-			message_content TEXT NOT NULL,
-			sent_at TIMESTAMPTZ,
-			read_at TIMESTAMPTZ,
-			response_received BOOLEAN DEFAULT FALSE,
-			response_content TEXT,
-			response_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// =============================================
-		// Notenspiegel / Grades
-		// =============================================
-
-		// Grade scales
-		`CREATE TABLE IF NOT EXISTS grade_scales (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
-			name VARCHAR(50) NOT NULL,
-			min_value DECIMAL(5,2) NOT NULL,
-			max_value DECIMAL(5,2) NOT NULL,
-			passing_value DECIMAL(5,2) NOT NULL,
-			is_ascending BOOLEAN DEFAULT FALSE,
-			is_default BOOLEAN DEFAULT FALSE,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Grades
-		`CREATE TABLE IF NOT EXISTS grades (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			student_id UUID NOT NULL REFERENCES students(id) ON DELETE CASCADE,
-			subject_id UUID NOT NULL REFERENCES subjects(id) ON DELETE CASCADE,
-			teacher_id UUID NOT NULL REFERENCES teachers(id) ON DELETE CASCADE,
-			school_year_id UUID NOT NULL REFERENCES school_years(id) ON DELETE CASCADE,
-			grade_scale_id UUID NOT NULL REFERENCES grade_scales(id) ON DELETE CASCADE,
-			type VARCHAR(30) NOT NULL,
-			value DECIMAL(5,2) NOT NULL,
-			weight DECIMAL(3,2) DEFAULT 1.0,
-			date DATE NOT NULL,
-			title VARCHAR(100),
-			description TEXT,
-			is_visible BOOLEAN DEFAULT TRUE,
-			semester INT NOT NULL CHECK (semester IN (1, 2)),
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Grade comments
-		`CREATE TABLE IF NOT EXISTS grade_comments (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			grade_id UUID NOT NULL REFERENCES grades(id) ON DELETE CASCADE,
-			teacher_id UUID NOT NULL REFERENCES teachers(id) ON DELETE CASCADE,
-			comment TEXT NOT NULL,
-			is_private BOOLEAN DEFAULT FALSE,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// =============================================
-		// Klassenbuch / Class Diary
-		// =============================================
-
-		// Class diary entries
-		`CREATE TABLE IF NOT EXISTS class_diary_entries (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			class_id UUID NOT NULL REFERENCES classes(id) ON DELETE CASCADE,
-			date DATE NOT NULL,
-			slot_id UUID NOT NULL REFERENCES timetable_slots(id) ON DELETE CASCADE,
-			subject_id UUID NOT NULL REFERENCES subjects(id) ON DELETE CASCADE,
-			teacher_id UUID NOT NULL REFERENCES teachers(id) ON DELETE CASCADE,
-			topic TEXT,
-			homework TEXT,
-			homework_due_date DATE,
-			materials TEXT,
-			notes TEXT,
-			is_cancelled BOOLEAN DEFAULT FALSE,
-			cancellation_reason TEXT,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(class_id, date, slot_id)
-		)`,
-
-		// =============================================
-		// Elterngespräche / Parent Meetings
-		// =============================================
-
-		// Parent meeting slots
-		`CREATE TABLE IF NOT EXISTS parent_meeting_slots (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			teacher_id UUID NOT NULL REFERENCES teachers(id) ON DELETE CASCADE,
-			date DATE NOT NULL,
-			start_time TIME NOT NULL,
-			end_time TIME NOT NULL,
-			location VARCHAR(100),
-			is_online BOOLEAN DEFAULT FALSE,
-			meeting_link TEXT,
-			is_booked BOOLEAN DEFAULT FALSE,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Parent meetings
-		`CREATE TABLE IF NOT EXISTS parent_meetings (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			slot_id UUID NOT NULL REFERENCES parent_meeting_slots(id) ON DELETE CASCADE,
-			parent_id UUID NOT NULL REFERENCES parents(id) ON DELETE CASCADE,
-			student_id UUID NOT NULL REFERENCES students(id) ON DELETE CASCADE,
-			topic TEXT,
-			notes TEXT,
-			status VARCHAR(20) NOT NULL DEFAULT 'scheduled',
-			cancelled_at TIMESTAMPTZ,
-			cancelled_by UUID REFERENCES users(id),
-			cancel_reason TEXT,
-			completed_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// =============================================
-		// Matrix / Communication Integration
-		// =============================================
-
-		// Matrix rooms
-		`CREATE TABLE IF NOT EXISTS matrix_rooms (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
-			matrix_room_id VARCHAR(255) NOT NULL UNIQUE,
-			type VARCHAR(30) NOT NULL,
-			class_id UUID REFERENCES classes(id) ON DELETE SET NULL,
-			student_id UUID REFERENCES students(id) ON DELETE SET NULL,
-			name VARCHAR(255) NOT NULL,
-			is_encrypted BOOLEAN DEFAULT TRUE,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Matrix room members
-		`CREATE TABLE IF NOT EXISTS matrix_room_members (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			matrix_room_id UUID NOT NULL REFERENCES matrix_rooms(id) ON DELETE CASCADE,
-			matrix_user_id VARCHAR(255) NOT NULL,
-			user_id UUID REFERENCES users(id) ON DELETE SET NULL,
-			power_level INT DEFAULT 0,
-			can_write BOOLEAN DEFAULT TRUE,
-			joined_at TIMESTAMPTZ DEFAULT NOW(),
-			left_at TIMESTAMPTZ,
-			UNIQUE(matrix_room_id, matrix_user_id)
-		)`,
-
-		// Parent onboarding tokens (QR codes)
-		`CREATE TABLE IF NOT EXISTS parent_onboarding_tokens (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
-			class_id UUID NOT NULL REFERENCES classes(id) ON DELETE CASCADE,
-			student_id UUID NOT NULL REFERENCES students(id) ON DELETE CASCADE,
-			token VARCHAR(255) NOT NULL UNIQUE,
-			role VARCHAR(30) NOT NULL DEFAULT 'parent',
-			expires_at TIMESTAMPTZ NOT NULL,
-			used_at TIMESTAMPTZ,
-			used_by_user_id UUID REFERENCES users(id),
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			created_by UUID NOT NULL REFERENCES users(id)
-		)`,
-
-		// =============================================
-		// Phase 9 Indexes
-		// =============================================
-		`CREATE INDEX IF NOT EXISTS idx_schools_active ON schools(is_active)`,
-		`CREATE INDEX IF NOT EXISTS idx_school_years_school ON school_years(school_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_school_years_current ON school_years(is_current)`,
-		`CREATE INDEX IF NOT EXISTS idx_classes_school ON classes(school_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_classes_school_year ON classes(school_year_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_students_school ON students(school_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_students_class ON students(class_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_students_user ON students(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_teachers_school ON teachers(school_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_teachers_user ON teachers(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_class_teachers_class ON class_teachers(class_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_class_teachers_teacher ON class_teachers(teacher_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_parents_user ON parents(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_student_parents_student ON student_parents(student_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_student_parents_parent ON student_parents(parent_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_timetable_entries_class ON timetable_entries(class_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_timetable_entries_teacher ON timetable_entries(teacher_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_timetable_entries_day ON timetable_entries(day_of_week)`,
-		`CREATE INDEX IF NOT EXISTS idx_timetable_substitutions_date ON timetable_substitutions(date)`,
-		`CREATE INDEX IF NOT EXISTS idx_timetable_substitutions_entry ON timetable_substitutions(original_entry_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_attendance_records_student ON attendance_records(student_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_attendance_records_date ON attendance_records(date)`,
-		`CREATE INDEX IF NOT EXISTS idx_absence_reports_student ON absence_reports(student_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_absence_reports_dates ON absence_reports(start_date, end_date)`,
-		`CREATE INDEX IF NOT EXISTS idx_grades_student ON grades(student_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_grades_subject ON grades(subject_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_grades_teacher ON grades(teacher_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_grades_school_year ON grades(school_year_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_class_diary_class_date ON class_diary_entries(class_id, date)`,
-		`CREATE INDEX IF NOT EXISTS idx_parent_meeting_slots_teacher ON parent_meeting_slots(teacher_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_parent_meeting_slots_date ON parent_meeting_slots(date)`,
-		`CREATE INDEX IF NOT EXISTS idx_parent_meetings_slot ON parent_meetings(slot_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_parent_meetings_parent ON parent_meetings(parent_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_matrix_rooms_school ON matrix_rooms(school_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_matrix_rooms_class ON matrix_rooms(class_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_matrix_room_members_room ON matrix_room_members(matrix_room_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_parent_onboarding_tokens_token ON parent_onboarding_tokens(token)`,
-		`CREATE INDEX IF NOT EXISTS idx_parent_onboarding_tokens_student ON parent_onboarding_tokens(student_id)`,
-
-		// Insert default grade scales
-		`INSERT INTO grade_scales (id, school_id, name, min_value, max_value, passing_value, is_ascending, is_default)
-		SELECT gen_random_uuid(), s.id, '1-6 (Noten)', 1, 6, 4, false, true
-		FROM schools s
-		WHERE NOT EXISTS (SELECT 1 FROM grade_scales gs WHERE gs.school_id = s.id AND gs.name = '1-6 (Noten)')
-		ON CONFLICT DO NOTHING`,
-
-		// Insert default timetable slots for schools
-		`DO $$
-		DECLARE
-			school_rec RECORD;
-		BEGIN
-			FOR school_rec IN SELECT id FROM schools LOOP
-				INSERT INTO timetable_slots (school_id, slot_number, start_time, end_time, is_break, name)
-				VALUES
-					(school_rec.id, 1, '08:00', '08:45', false, '1. Stunde'),
-					(school_rec.id, 2, '08:45', '09:30', false, '2. Stunde'),
-					(school_rec.id, 3, '09:30', '09:50', true, 'Erste Pause'),
-					(school_rec.id, 4, '09:50', '10:35', false, '3. Stunde'),
-					(school_rec.id, 5, '10:35', '11:20', false, '4. Stunde'),
-					(school_rec.id, 6, '11:20', '11:40', true, 'Zweite Pause'),
-					(school_rec.id, 7, '11:40', '12:25', false, '5. Stunde'),
-					(school_rec.id, 8, '12:25', '13:10', false, '6. Stunde'),
-					(school_rec.id, 9, '13:10', '14:00', true, 'Mittagspause'),
-					(school_rec.id, 10, '14:00', '14:45', false, '7. Stunde'),
-					(school_rec.id, 11, '14:45', '15:30', false, '8. Stunde')
-				ON CONFLICT (school_id, slot_number) DO NOTHING;
-			END LOOP;
-		END $$`,
-
-		// =============================================
-		// Phase 10: DSGVO Betroffenenanfragen (DSR)
-		// Data Subject Request Management
-		// =============================================
-
-		// Sequence for request numbers
-		`CREATE SEQUENCE IF NOT EXISTS dsr_request_number_seq START 1`,
-
-		// Main table: Data Subject Requests
-		`CREATE TABLE IF NOT EXISTS data_subject_requests (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			user_id UUID REFERENCES users(id) ON DELETE SET NULL,
-			request_number VARCHAR(50) UNIQUE NOT NULL,
-			request_type VARCHAR(30) NOT NULL,
-			status VARCHAR(30) NOT NULL DEFAULT 'intake',
-			priority VARCHAR(20) DEFAULT 'normal',
-			source VARCHAR(30) NOT NULL DEFAULT 'api',
-			requester_email VARCHAR(255) NOT NULL,
-			requester_name VARCHAR(255),
-			requester_phone VARCHAR(50),
-			identity_verified BOOLEAN DEFAULT FALSE,
-			identity_verified_at TIMESTAMPTZ,
-			identity_verified_by UUID REFERENCES users(id),
-			identity_verification_method VARCHAR(50),
-			request_details JSONB DEFAULT '{}',
-			deadline_at TIMESTAMPTZ NOT NULL,
-			legal_deadline_days INT NOT NULL,
-			extended_deadline_at TIMESTAMPTZ,
-			extension_reason TEXT,
-			assigned_to UUID REFERENCES users(id),
-			processing_notes TEXT,
-			completed_at TIMESTAMPTZ,
-			completed_by UUID REFERENCES users(id),
-			result_summary TEXT,
-			result_data JSONB,
-			rejected_at TIMESTAMPTZ,
-			rejected_by UUID REFERENCES users(id),
-			rejection_reason TEXT,
-			rejection_legal_basis TEXT,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW(),
-			created_by UUID REFERENCES users(id)
-		)`,
-
-		// DSR Status History for audit trail
-		`CREATE TABLE IF NOT EXISTS dsr_status_history (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			request_id UUID NOT NULL REFERENCES data_subject_requests(id) ON DELETE CASCADE,
-			from_status VARCHAR(30),
-			to_status VARCHAR(30) NOT NULL,
-			changed_by UUID REFERENCES users(id),
-			comment TEXT,
-			metadata JSONB,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// DSR Communications log
-		`CREATE TABLE IF NOT EXISTS dsr_communications (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			request_id UUID NOT NULL REFERENCES data_subject_requests(id) ON DELETE CASCADE,
-			direction VARCHAR(10) NOT NULL,
-			channel VARCHAR(20) NOT NULL,
-			communication_type VARCHAR(50) NOT NULL,
-			template_version_id UUID,
-			subject VARCHAR(500),
-			body_html TEXT,
-			body_text TEXT,
-			recipient_email VARCHAR(255),
-			sent_at TIMESTAMPTZ,
-			error_message TEXT,
-			attachments JSONB DEFAULT '[]',
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			created_by UUID REFERENCES users(id)
-		)`,
-
-		// DSR Templates
-		`CREATE TABLE IF NOT EXISTS dsr_templates (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			template_type VARCHAR(50) UNIQUE NOT NULL,
-			name VARCHAR(255) NOT NULL,
-			description TEXT,
-			request_types JSONB DEFAULT '["access","rectification","erasure","restriction","portability"]',
-			is_active BOOLEAN DEFAULT TRUE,
-			sort_order INT DEFAULT 0,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// DSR Template Versions
-		`CREATE TABLE IF NOT EXISTS dsr_template_versions (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			template_id UUID REFERENCES dsr_templates(id) ON DELETE CASCADE,
-			version VARCHAR(20) NOT NULL,
-			language VARCHAR(5) DEFAULT 'de',
-			subject VARCHAR(500) NOT NULL,
-			body_html TEXT NOT NULL,
-			body_text TEXT NOT NULL,
-			status VARCHAR(20) DEFAULT 'draft',
-			published_at TIMESTAMPTZ,
-			created_by UUID REFERENCES users(id),
-			approved_by UUID REFERENCES users(id),
-			approved_at TIMESTAMPTZ,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW(),
-			UNIQUE(template_id, version, language)
-		)`,
-
-		// DSR Exception Checks (for Art. 17(3) erasure exceptions)
-		`CREATE TABLE IF NOT EXISTS dsr_exception_checks (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			request_id UUID NOT NULL REFERENCES data_subject_requests(id) ON DELETE CASCADE,
-			exception_type VARCHAR(50) NOT NULL,
-			description TEXT NOT NULL,
-			applies BOOLEAN,
-			checked_by UUID REFERENCES users(id),
-			checked_at TIMESTAMPTZ,
-			notes TEXT,
-			created_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// Phase 10 Indexes
-		`CREATE INDEX IF NOT EXISTS idx_dsr_user ON data_subject_requests(user_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_dsr_status ON data_subject_requests(status)`,
-		`CREATE INDEX IF NOT EXISTS idx_dsr_type ON data_subject_requests(request_type)`,
-		`CREATE INDEX IF NOT EXISTS idx_dsr_deadline ON data_subject_requests(deadline_at)`,
-		`CREATE INDEX IF NOT EXISTS idx_dsr_assigned ON data_subject_requests(assigned_to)`,
-		`CREATE INDEX IF NOT EXISTS idx_dsr_request_number ON data_subject_requests(request_number)`,
-		`CREATE INDEX IF NOT EXISTS idx_dsr_created ON data_subject_requests(created_at)`,
-		`CREATE INDEX IF NOT EXISTS idx_dsr_status_history_request ON dsr_status_history(request_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_dsr_communications_request ON dsr_communications(request_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_dsr_exception_checks_request ON dsr_exception_checks(request_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_dsr_templates_type ON dsr_templates(template_type)`,
-		`CREATE INDEX IF NOT EXISTS idx_dsr_template_versions_template ON dsr_template_versions(template_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_dsr_template_versions_status ON dsr_template_versions(status)`,
-
-		// Insert default DSR templates
-		`INSERT INTO dsr_templates (template_type, name, description, request_types, sort_order)
-		VALUES
-			('dsr_receipt_access', 'Eingangsbestätigung Auskunft', 'Bestätigung des Eingangs einer Auskunftsanfrage nach Art. 15 DSGVO', '["access"]', 1),
-			('dsr_receipt_rectification', 'Eingangsbestätigung Berichtigung', 'Bestätigung des Eingangs einer Berichtigungsanfrage nach Art. 16 DSGVO', '["rectification"]', 2),
-			('dsr_receipt_erasure', 'Eingangsbestätigung Löschung', 'Bestätigung des Eingangs einer Löschanfrage nach Art. 17 DSGVO', '["erasure"]', 3),
-			('dsr_receipt_restriction', 'Eingangsbestätigung Einschränkung', 'Bestätigung des Eingangs einer Einschränkungsanfrage nach Art. 18 DSGVO', '["restriction"]', 4),
-			('dsr_receipt_portability', 'Eingangsbestätigung Datenübertragung', 'Bestätigung des Eingangs einer Datenübertragungsanfrage nach Art. 20 DSGVO', '["portability"]', 5),
-			('dsr_identity_request', 'Anfrage Identitätsnachweis', 'Aufforderung zur Identitätsverifizierung', '["access","rectification","erasure","restriction","portability"]', 6),
-			('dsr_processing_started', 'Bearbeitungsbestätigung', 'Bestätigung, dass die Bearbeitung begonnen hat', '["access","rectification","erasure","restriction","portability"]', 7),
-			('dsr_processing_update', 'Zwischenbericht', 'Zwischenstand zur Bearbeitung', '["access","rectification","erasure","restriction","portability"]', 8),
-			('dsr_clarification_request', 'Rückfragen', 'Anfrage zur Klärung des Begehrens', '["access","rectification","erasure","restriction","portability"]', 9),
-			('dsr_completed_access', 'Auskunft erteilt', 'Abschließende Mitteilung mit Datenauskunft', '["access"]', 10),
-			('dsr_completed_access_negative', 'Negativauskunft', 'Mitteilung dass keine Daten vorhanden sind', '["access"]', 11),
-			('dsr_completed_rectification', 'Berichtigung durchgeführt', 'Bestätigung der Datenberichtigung', '["rectification"]', 12),
-			('dsr_completed_erasure', 'Löschung durchgeführt', 'Bestätigung der Datenlöschung', '["erasure"]', 13),
-			('dsr_completed_restriction', 'Einschränkung aktiviert', 'Bestätigung der Verarbeitungseinschränkung', '["restriction"]', 14),
-			('dsr_completed_portability', 'Daten bereitgestellt', 'Mitteilung zur Datenübermittlung', '["portability"]', 15),
-			('dsr_restriction_lifted', 'Einschränkung aufgehoben', 'Vorabbenachrichtigung vor Aufhebung der Einschränkung', '["restriction"]', 16),
-			('dsr_rejected_identity', 'Ablehnung - Identität nicht verifizierbar', 'Ablehnung mangels Identitätsnachweis', '["access","rectification","erasure","restriction","portability"]', 17),
-			('dsr_rejected_exception', 'Ablehnung - Ausnahme', 'Ablehnung aufgrund gesetzlicher Ausnahmen (z.B. Art. 17 Abs. 3)', '["erasure","restriction"]', 18),
-			('dsr_rejected_unfounded', 'Ablehnung - Offensichtlich unbegründet', 'Ablehnung nach Art. 12 Abs. 5 DSGVO', '["access","rectification","erasure","restriction","portability"]', 19)
-		ON CONFLICT (template_type) DO NOTHING`,
-
-		// =============================================
-		// Phase 11: EduSearch Seeds Management
-		// Seed URLs for the education search crawler
-		// =============================================
-
-		// EduSearch Seed Categories
-		`CREATE TABLE IF NOT EXISTS edu_search_categories (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			name VARCHAR(50) UNIQUE NOT NULL,
-			display_name VARCHAR(100) NOT NULL,
-			description TEXT,
-			icon VARCHAR(10),
-			sort_order INT DEFAULT 0,
-			is_active BOOLEAN DEFAULT TRUE,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW()
-		)`,
-
-		// EduSearch Seeds (crawler seed URLs)
-		`CREATE TABLE IF NOT EXISTS edu_search_seeds (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			url VARCHAR(500) UNIQUE NOT NULL,
-			name VARCHAR(255) NOT NULL,
-			description TEXT,
-			category_id UUID REFERENCES edu_search_categories(id) ON DELETE SET NULL,
-			source_type VARCHAR(20) DEFAULT 'GOV',
-			scope VARCHAR(20) DEFAULT 'FEDERAL',
-			state VARCHAR(5),
-			trust_boost DECIMAL(3,2) DEFAULT 0.50,
-			enabled BOOLEAN DEFAULT TRUE,
-			crawl_depth INT DEFAULT 2,
-			crawl_frequency VARCHAR(20) DEFAULT 'weekly',
-			last_crawled_at TIMESTAMPTZ,
-			last_crawl_status VARCHAR(20),
-			last_crawl_docs INT DEFAULT 0,
-			total_documents INT DEFAULT 0,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			updated_at TIMESTAMPTZ DEFAULT NOW(),
-			created_by UUID REFERENCES users(id)
-		)`,
-
-		// EduSearch Crawl Runs (history of crawl executions)
-		`CREATE TABLE IF NOT EXISTS edu_search_crawl_runs (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			seed_id UUID REFERENCES edu_search_seeds(id) ON DELETE CASCADE,
-			status VARCHAR(20) DEFAULT 'running',
-			started_at TIMESTAMPTZ DEFAULT NOW(),
-			completed_at TIMESTAMPTZ,
-			pages_crawled INT DEFAULT 0,
-			documents_indexed INT DEFAULT 0,
-			errors_count INT DEFAULT 0,
-			error_details JSONB,
-			triggered_by UUID REFERENCES users(id)
-		)`,
-
-		// EduSearch Denylist (URLs/domains to never crawl)
-		`CREATE TABLE IF NOT EXISTS edu_search_denylist (
-			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-			pattern VARCHAR(500) UNIQUE NOT NULL,
-			pattern_type VARCHAR(20) DEFAULT 'domain',
-			reason TEXT,
-			created_at TIMESTAMPTZ DEFAULT NOW(),
-			created_by UUID REFERENCES users(id)
-		)`,
-
-		// Phase 11 Indexes
-		`CREATE INDEX IF NOT EXISTS idx_edu_search_seeds_category ON edu_search_seeds(category_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_edu_search_seeds_enabled ON edu_search_seeds(enabled)`,
-		`CREATE INDEX IF NOT EXISTS idx_edu_search_seeds_state ON edu_search_seeds(state)`,
-		`CREATE INDEX IF NOT EXISTS idx_edu_search_seeds_scope ON edu_search_seeds(scope)`,
-		`CREATE INDEX IF NOT EXISTS idx_edu_search_crawl_runs_seed ON edu_search_crawl_runs(seed_id)`,
-		`CREATE INDEX IF NOT EXISTS idx_edu_search_crawl_runs_status ON edu_search_crawl_runs(status)`,
-
-		// Insert default EduSearch categories
-		`INSERT INTO edu_search_categories (name, display_name, description, icon, sort_order)
-		VALUES
-			('federal', 'Bundesebene', 'KMK, BMBF, Bildungsserver', '🏛️', 1),
-			('states', 'Bundesländer', 'Ministerien, Landesbildungsserver', '🗺️', 2),
-			('science', 'Wissenschaft', 'Bertelsmann, PISA, IGLU, TIMSS', '🔬', 3),
-			('universities', 'Universitäten', 'Deutsche Hochschulen', '🎓', 4),
-			('schools', 'Schulen', 'Schulwebsites', '🏫', 5),
-			('portals', 'Bildungsportale', 'Lehrer-Online, 4teachers, ZUM', '📚', 6),
-			('eu', 'EU/International', 'Europäische Bildungsberichte', '🇪🇺', 7),
-			('authorities', 'Schulbehörden', 'Regierungspräsidien, Schulämter', '📋', 8)
-		ON CONFLICT (name) DO NOTHING`,
+	if err := migrateCore(db); err != nil {
+		return err
 	}
-
-	for _, migration := range migrations {
-		if _, err := db.Pool.Exec(ctx, migration); err != nil {
-			return fmt.Errorf("failed to run migration: %w", err)
-		}
+	if err := migrateOAuth(db); err != nil {
+		return err
+	}
+	if err := migrateEmail(db); err != nil {
+		return err
+	}
+	if err := migrateSchool(db); err != nil {
+		return err
+	}
+	if err := migrateDSR(db); err != nil {
+		return err
 	}
-
 	return nil
 }
diff --git a/consent-service/internal/database/migrate_core.go b/consent-service/internal/database/migrate_core.go
new file mode 100644
index 0000000..171f8a8
--- /dev/null
+++ b/consent-service/internal/database/migrate_core.go
@@ -0,0 +1,307 @@
+package database
+
+import (
+	"context"
+	"fmt"
+)
+
+// migrateCore creates the core tables: users, auth tokens, sessions,
+// documents, versions, consents, cookies, audit, notifications,
+// deadlines, suspensions, and their indexes (Phases 1-5).
+func migrateCore(db *DB) error {
+	ctx := context.Background()
+
+	migrations := []string{
+		// Users table (extended for full auth)
+		`CREATE TABLE IF NOT EXISTS users (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			external_id VARCHAR(255) UNIQUE,
+			email VARCHAR(255) UNIQUE NOT NULL,
+			password_hash VARCHAR(255),
+			name VARCHAR(255),
+			role VARCHAR(50) DEFAULT 'user',
+			email_verified BOOLEAN DEFAULT FALSE,
+			email_verified_at TIMESTAMPTZ,
+			account_status VARCHAR(20) DEFAULT 'active',
+			last_login_at TIMESTAMPTZ,
+			failed_login_attempts INT DEFAULT 0,
+			locked_until TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Legal documents table
+		`CREATE TABLE IF NOT EXISTS legal_documents (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			type VARCHAR(50) NOT NULL,
+			name VARCHAR(255) NOT NULL,
+			description TEXT,
+			is_mandatory BOOLEAN DEFAULT true,
+			is_active BOOLEAN DEFAULT true,
+			sort_order INT DEFAULT 0,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Document versions table
+		`CREATE TABLE IF NOT EXISTS document_versions (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			document_id UUID REFERENCES legal_documents(id) ON DELETE CASCADE,
+			version VARCHAR(20) NOT NULL,
+			language VARCHAR(5) DEFAULT 'de',
+			title VARCHAR(255) NOT NULL,
+			content TEXT NOT NULL,
+			summary TEXT,
+			status VARCHAR(20) DEFAULT 'draft',
+			published_at TIMESTAMPTZ,
+			scheduled_publish_at TIMESTAMPTZ,
+			created_by UUID REFERENCES users(id),
+			approved_by UUID REFERENCES users(id),
+			approved_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(document_id, version, language)
+		)`,
+
+		// Add scheduled_publish_at column if not exists (migration)
+		`ALTER TABLE document_versions ADD COLUMN IF NOT EXISTS scheduled_publish_at TIMESTAMPTZ`,
+		`ALTER TABLE document_versions ADD COLUMN IF NOT EXISTS approved_at TIMESTAMPTZ`,
+
+		// User consents table
+		`CREATE TABLE IF NOT EXISTS user_consents (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
+			document_version_id UUID REFERENCES document_versions(id),
+			consented BOOLEAN NOT NULL,
+			ip_address INET,
+			user_agent TEXT,
+			consented_at TIMESTAMPTZ DEFAULT NOW(),
+			withdrawn_at TIMESTAMPTZ,
+			UNIQUE(user_id, document_version_id)
+		)`,
+
+		// Cookie categories table
+		`CREATE TABLE IF NOT EXISTS cookie_categories (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			name VARCHAR(100) NOT NULL UNIQUE,
+			display_name_de VARCHAR(255) NOT NULL,
+			display_name_en VARCHAR(255),
+			description_de TEXT,
+			description_en TEXT,
+			is_mandatory BOOLEAN DEFAULT false,
+			sort_order INT DEFAULT 0,
+			is_active BOOLEAN DEFAULT true,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Cookie consents table
+		`CREATE TABLE IF NOT EXISTS cookie_consents (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
+			category_id UUID REFERENCES cookie_categories(id) ON DELETE CASCADE,
+			consented BOOLEAN NOT NULL,
+			consented_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(user_id, category_id)
+		)`,
+
+		// Audit log table
+		`CREATE TABLE IF NOT EXISTS consent_audit_log (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID REFERENCES users(id) ON DELETE SET NULL,
+			action VARCHAR(50) NOT NULL,
+			entity_type VARCHAR(50),
+			entity_id UUID,
+			details JSONB,
+			ip_address INET,
+			user_agent TEXT,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Data export requests table
+		`CREATE TABLE IF NOT EXISTS data_export_requests (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
+			status VARCHAR(20) DEFAULT 'pending',
+			download_url TEXT,
+			expires_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			completed_at TIMESTAMPTZ
+		)`,
+
+		// Data deletion requests table
+		`CREATE TABLE IF NOT EXISTS data_deletion_requests (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
+			status VARCHAR(20) DEFAULT 'pending',
+			reason TEXT,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			processed_at TIMESTAMPTZ,
+			processed_by UUID REFERENCES users(id)
+		)`,
+
+		// =============================================
+		// Phase 1: User Management Tables
+		// =============================================
+
+		// Email verification tokens
+		`CREATE TABLE IF NOT EXISTS email_verification_tokens (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
+			token VARCHAR(255) UNIQUE NOT NULL,
+			expires_at TIMESTAMPTZ NOT NULL,
+			used_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Password reset tokens
+		`CREATE TABLE IF NOT EXISTS password_reset_tokens (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
+			token VARCHAR(255) UNIQUE NOT NULL,
+			expires_at TIMESTAMPTZ NOT NULL,
+			used_at TIMESTAMPTZ,
+			ip_address INET,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// User sessions (for JWT revocation and session management)
+		`CREATE TABLE IF NOT EXISTS user_sessions (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
+			token_hash VARCHAR(255) NOT NULL,
+			device_info TEXT,
+			ip_address INET,
+			user_agent TEXT,
+			expires_at TIMESTAMPTZ NOT NULL,
+			revoked_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			last_activity_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// =============================================
+		// Phase 3: Version Approvals (DSB Workflow)
+		// =============================================
+
+		// Version approval tracking
+		`CREATE TABLE IF NOT EXISTS version_approvals (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			version_id UUID REFERENCES document_versions(id) ON DELETE CASCADE,
+			approver_id UUID REFERENCES users(id),
+			action VARCHAR(30) NOT NULL,
+			comment TEXT,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// =============================================
+		// Phase 4: Notification System
+		// =============================================
+
+		// Notifications
+		`CREATE TABLE IF NOT EXISTS notifications (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
+			type VARCHAR(50) NOT NULL,
+			channel VARCHAR(20) NOT NULL,
+			title VARCHAR(255) NOT NULL,
+			body TEXT NOT NULL,
+			data JSONB,
+			read_at TIMESTAMPTZ,
+			sent_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Push subscriptions for Web Push
+		`CREATE TABLE IF NOT EXISTS push_subscriptions (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
+			endpoint TEXT NOT NULL,
+			p256dh TEXT NOT NULL,
+			auth TEXT NOT NULL,
+			user_agent TEXT,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(user_id, endpoint)
+		)`,
+
+		// Notification preferences per user
+		`CREATE TABLE IF NOT EXISTS notification_preferences (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID REFERENCES users(id) ON DELETE CASCADE UNIQUE,
+			email_enabled BOOLEAN DEFAULT TRUE,
+			push_enabled BOOLEAN DEFAULT TRUE,
+			in_app_enabled BOOLEAN DEFAULT TRUE,
+			reminder_frequency VARCHAR(20) DEFAULT 'weekly',
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// =============================================
+		// Phase 5: Consent Deadlines & Account Suspension
+		// =============================================
+
+		// Consent deadlines per user per version
+		`CREATE TABLE IF NOT EXISTS consent_deadlines (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
+			document_version_id UUID REFERENCES document_versions(id) ON DELETE CASCADE,
+			deadline_at TIMESTAMPTZ NOT NULL,
+			reminder_count INT DEFAULT 0,
+			last_reminder_at TIMESTAMPTZ,
+			consent_given_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(user_id, document_version_id)
+		)`,
+
+		// Account suspensions tracking
+		`CREATE TABLE IF NOT EXISTS account_suspensions (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID REFERENCES users(id) ON DELETE CASCADE,
+			reason VARCHAR(50) NOT NULL,
+			details JSONB,
+			suspended_at TIMESTAMPTZ DEFAULT NOW(),
+			lifted_at TIMESTAMPTZ,
+			lifted_reason TEXT
+		)`,
+
+		// =============================================
+		// Indexes for performance
+		// =============================================
+		`CREATE INDEX IF NOT EXISTS idx_user_consents_user ON user_consents(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_user_consents_version ON user_consents(document_version_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_cookie_consents_user ON cookie_consents(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_audit_log_user ON consent_audit_log(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_audit_log_created ON consent_audit_log(created_at)`,
+		`CREATE INDEX IF NOT EXISTS idx_document_versions_document ON document_versions(document_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_document_versions_status ON document_versions(status)`,
+		`CREATE INDEX IF NOT EXISTS idx_legal_documents_type ON legal_documents(type)`,
+
+		// Phase 1: Auth indexes
+		`CREATE INDEX IF NOT EXISTS idx_email_verification_tokens_token ON email_verification_tokens(token)`,
+		`CREATE INDEX IF NOT EXISTS idx_email_verification_tokens_user ON email_verification_tokens(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_password_reset_tokens_token ON password_reset_tokens(token)`,
+		`CREATE INDEX IF NOT EXISTS idx_user_sessions_user ON user_sessions(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_user_sessions_token ON user_sessions(token_hash)`,
+
+		// Phase 3: Approval indexes
+		`CREATE INDEX IF NOT EXISTS idx_version_approvals_version ON version_approvals(version_id)`,
+
+		// Phase 4: Notification indexes
+		`CREATE INDEX IF NOT EXISTS idx_notifications_user ON notifications(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_notifications_unread ON notifications(user_id, read_at)`,
+		`CREATE INDEX IF NOT EXISTS idx_push_subscriptions_user ON push_subscriptions(user_id)`,
+
+		// Phase 5: Deadline indexes
+		`CREATE INDEX IF NOT EXISTS idx_consent_deadlines_user ON consent_deadlines(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_consent_deadlines_deadline ON consent_deadlines(deadline_at)`,
+		`CREATE INDEX IF NOT EXISTS idx_account_suspensions_user ON account_suspensions(user_id)`,
+	}
+
+	for _, migration := range migrations {
+		if _, err := db.Pool.Exec(ctx, migration); err != nil {
+			return fmt.Errorf("migrateCore: %w", err)
+		}
+	}
+
+	return nil
+}
diff --git a/consent-service/internal/database/migrate_dsr.go b/consent-service/internal/database/migrate_dsr.go
new file mode 100644
index 0000000..6664b6f
--- /dev/null
+++ b/consent-service/internal/database/migrate_dsr.go
@@ -0,0 +1,267 @@
+package database
+
+import (
+	"context"
+	"fmt"
+)
+
+// migrateDSR creates DSGVO Data Subject Request tables (Phase 10)
+// and EduSearch seed management tables (Phase 11).
+func migrateDSR(db *DB) error {
+	ctx := context.Background()
+
+	migrations := []string{
+		// =============================================
+		// Phase 10: DSGVO Betroffenenanfragen (DSR)
+		// Data Subject Request Management
+		// =============================================
+
+		// Sequence for request numbers
+		`CREATE SEQUENCE IF NOT EXISTS dsr_request_number_seq START 1`,
+
+		// Main table: Data Subject Requests
+		`CREATE TABLE IF NOT EXISTS data_subject_requests (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID REFERENCES users(id) ON DELETE SET NULL,
+			request_number VARCHAR(50) UNIQUE NOT NULL,
+			request_type VARCHAR(30) NOT NULL,
+			status VARCHAR(30) NOT NULL DEFAULT 'intake',
+			priority VARCHAR(20) DEFAULT 'normal',
+			source VARCHAR(30) NOT NULL DEFAULT 'api',
+			requester_email VARCHAR(255) NOT NULL,
+			requester_name VARCHAR(255),
+			requester_phone VARCHAR(50),
+			identity_verified BOOLEAN DEFAULT FALSE,
+			identity_verified_at TIMESTAMPTZ,
+			identity_verified_by UUID REFERENCES users(id),
+			identity_verification_method VARCHAR(50),
+			request_details JSONB DEFAULT '{}',
+			deadline_at TIMESTAMPTZ NOT NULL,
+			legal_deadline_days INT NOT NULL,
+			extended_deadline_at TIMESTAMPTZ,
+			extension_reason TEXT,
+			assigned_to UUID REFERENCES users(id),
+			processing_notes TEXT,
+			completed_at TIMESTAMPTZ,
+			completed_by UUID REFERENCES users(id),
+			result_summary TEXT,
+			result_data JSONB,
+			rejected_at TIMESTAMPTZ,
+			rejected_by UUID REFERENCES users(id),
+			rejection_reason TEXT,
+			rejection_legal_basis TEXT,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW(),
+			created_by UUID REFERENCES users(id)
+		)`,
+
+		// DSR Status History for audit trail
+		`CREATE TABLE IF NOT EXISTS dsr_status_history (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			request_id UUID NOT NULL REFERENCES data_subject_requests(id) ON DELETE CASCADE,
+			from_status VARCHAR(30),
+			to_status VARCHAR(30) NOT NULL,
+			changed_by UUID REFERENCES users(id),
+			comment TEXT,
+			metadata JSONB,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// DSR Communications log
+		`CREATE TABLE IF NOT EXISTS dsr_communications (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			request_id UUID NOT NULL REFERENCES data_subject_requests(id) ON DELETE CASCADE,
+			direction VARCHAR(10) NOT NULL,
+			channel VARCHAR(20) NOT NULL,
+			communication_type VARCHAR(50) NOT NULL,
+			template_version_id UUID,
+			subject VARCHAR(500),
+			body_html TEXT,
+			body_text TEXT,
+			recipient_email VARCHAR(255),
+			sent_at TIMESTAMPTZ,
+			error_message TEXT,
+			attachments JSONB DEFAULT '[]',
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			created_by UUID REFERENCES users(id)
+		)`,
+
+		// DSR Templates
+		`CREATE TABLE IF NOT EXISTS dsr_templates (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			template_type VARCHAR(50) UNIQUE NOT NULL,
+			name VARCHAR(255) NOT NULL,
+			description TEXT,
+			request_types JSONB DEFAULT '["access","rectification","erasure","restriction","portability"]',
+			is_active BOOLEAN DEFAULT TRUE,
+			sort_order INT DEFAULT 0,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// DSR Template Versions
+		`CREATE TABLE IF NOT EXISTS dsr_template_versions (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			template_id UUID REFERENCES dsr_templates(id) ON DELETE CASCADE,
+			version VARCHAR(20) NOT NULL,
+			language VARCHAR(5) DEFAULT 'de',
+			subject VARCHAR(500) NOT NULL,
+			body_html TEXT NOT NULL,
+			body_text TEXT NOT NULL,
+			status VARCHAR(20) DEFAULT 'draft',
+			published_at TIMESTAMPTZ,
+			created_by UUID REFERENCES users(id),
+			approved_by UUID REFERENCES users(id),
+			approved_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(template_id, version, language)
+		)`,
+
+		// DSR Exception Checks (for Art. 17(3) erasure exceptions)
+		`CREATE TABLE IF NOT EXISTS dsr_exception_checks (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			request_id UUID NOT NULL REFERENCES data_subject_requests(id) ON DELETE CASCADE,
+			exception_type VARCHAR(50) NOT NULL,
+			description TEXT NOT NULL,
+			applies BOOLEAN,
+			checked_by UUID REFERENCES users(id),
+			checked_at TIMESTAMPTZ,
+			notes TEXT,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Phase 10 Indexes
+		`CREATE INDEX IF NOT EXISTS idx_dsr_user ON data_subject_requests(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_dsr_status ON data_subject_requests(status)`,
+		`CREATE INDEX IF NOT EXISTS idx_dsr_type ON data_subject_requests(request_type)`,
+		`CREATE INDEX IF NOT EXISTS idx_dsr_deadline ON data_subject_requests(deadline_at)`,
+		`CREATE INDEX IF NOT EXISTS idx_dsr_assigned ON data_subject_requests(assigned_to)`,
+		`CREATE INDEX IF NOT EXISTS idx_dsr_request_number ON data_subject_requests(request_number)`,
+		`CREATE INDEX IF NOT EXISTS idx_dsr_created ON data_subject_requests(created_at)`,
+		`CREATE INDEX IF NOT EXISTS idx_dsr_status_history_request ON dsr_status_history(request_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_dsr_communications_request ON dsr_communications(request_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_dsr_exception_checks_request ON dsr_exception_checks(request_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_dsr_templates_type ON dsr_templates(template_type)`,
+		`CREATE INDEX IF NOT EXISTS idx_dsr_template_versions_template ON dsr_template_versions(template_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_dsr_template_versions_status ON dsr_template_versions(status)`,
+
+		// Insert default DSR templates
+		`INSERT INTO dsr_templates (template_type, name, description, request_types, sort_order)
+		VALUES
+			('dsr_receipt_access', 'Eingangsbestätigung Auskunft', 'Bestätigung des Eingangs einer Auskunftsanfrage nach Art. 15 DSGVO', '["access"]', 1),
+			('dsr_receipt_rectification', 'Eingangsbestätigung Berichtigung', 'Bestätigung des Eingangs einer Berichtigungsanfrage nach Art. 16 DSGVO', '["rectification"]', 2),
+			('dsr_receipt_erasure', 'Eingangsbestätigung Löschung', 'Bestätigung des Eingangs einer Löschanfrage nach Art. 17 DSGVO', '["erasure"]', 3),
+			('dsr_receipt_restriction', 'Eingangsbestätigung Einschränkung', 'Bestätigung des Eingangs einer Einschränkungsanfrage nach Art. 18 DSGVO', '["restriction"]', 4),
+			('dsr_receipt_portability', 'Eingangsbestätigung Datenübertragung', 'Bestätigung des Eingangs einer Datenübertragungsanfrage nach Art. 20 DSGVO', '["portability"]', 5),
+			('dsr_identity_request', 'Anfrage Identitätsnachweis', 'Aufforderung zur Identitätsverifizierung', '["access","rectification","erasure","restriction","portability"]', 6),
+			('dsr_processing_started', 'Bearbeitungsbestätigung', 'Bestätigung, dass die Bearbeitung begonnen hat', '["access","rectification","erasure","restriction","portability"]', 7),
+			('dsr_processing_update', 'Zwischenbericht', 'Zwischenstand zur Bearbeitung', '["access","rectification","erasure","restriction","portability"]', 8),
+			('dsr_clarification_request', 'Rückfragen', 'Anfrage zur Klärung des Begehrens', '["access","rectification","erasure","restriction","portability"]', 9),
+			('dsr_completed_access', 'Auskunft erteilt', 'Abschließende Mitteilung mit Datenauskunft', '["access"]', 10),
+			('dsr_completed_access_negative', 'Negativauskunft', 'Mitteilung dass keine Daten vorhanden sind', '["access"]', 11),
+			('dsr_completed_rectification', 'Berichtigung durchgeführt', 'Bestätigung der Datenberichtigung', '["rectification"]', 12),
+			('dsr_completed_erasure', 'Löschung durchgeführt', 'Bestätigung der Datenlöschung', '["erasure"]', 13),
+			('dsr_completed_restriction', 'Einschränkung aktiviert', 'Bestätigung der Verarbeitungseinschränkung', '["restriction"]', 14),
+			('dsr_completed_portability', 'Daten bereitgestellt', 'Mitteilung zur Datenübermittlung', '["portability"]', 15),
+			('dsr_restriction_lifted', 'Einschränkung aufgehoben', 'Vorabbenachrichtigung vor Aufhebung der Einschränkung', '["restriction"]', 16),
+			('dsr_rejected_identity', 'Ablehnung - Identität nicht verifizierbar', 'Ablehnung mangels Identitätsnachweis', '["access","rectification","erasure","restriction","portability"]', 17),
+			('dsr_rejected_exception', 'Ablehnung - Ausnahme', 'Ablehnung aufgrund gesetzlicher Ausnahmen (z.B. Art. 17 Abs. 3)', '["erasure","restriction"]', 18),
+			('dsr_rejected_unfounded', 'Ablehnung - Offensichtlich unbegründet', 'Ablehnung nach Art. 12 Abs. 5 DSGVO', '["access","rectification","erasure","restriction","portability"]', 19)
+		ON CONFLICT (template_type) DO NOTHING`,
+
+		// =============================================
+		// Phase 11: EduSearch Seeds Management
+		// Seed URLs for the education search crawler
+		// =============================================
+
+		// EduSearch Seed Categories
+		`CREATE TABLE IF NOT EXISTS edu_search_categories (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			name VARCHAR(50) UNIQUE NOT NULL,
+			display_name VARCHAR(100) NOT NULL,
+			description TEXT,
+			icon VARCHAR(10),
+			sort_order INT DEFAULT 0,
+			is_active BOOLEAN DEFAULT TRUE,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// EduSearch Seeds (crawler seed URLs)
+		`CREATE TABLE IF NOT EXISTS edu_search_seeds (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			url VARCHAR(500) UNIQUE NOT NULL,
+			name VARCHAR(255) NOT NULL,
+			description TEXT,
+			category_id UUID REFERENCES edu_search_categories(id) ON DELETE SET NULL,
+			source_type VARCHAR(20) DEFAULT 'GOV',
+			scope VARCHAR(20) DEFAULT 'FEDERAL',
+			state VARCHAR(5),
+			trust_boost DECIMAL(3,2) DEFAULT 0.50,
+			enabled BOOLEAN DEFAULT TRUE,
+			crawl_depth INT DEFAULT 2,
+			crawl_frequency VARCHAR(20) DEFAULT 'weekly',
+			last_crawled_at TIMESTAMPTZ,
+			last_crawl_status VARCHAR(20),
+			last_crawl_docs INT DEFAULT 0,
+			total_documents INT DEFAULT 0,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW(),
+			created_by UUID REFERENCES users(id)
+		)`,
+
+		// EduSearch Crawl Runs (history of crawl executions)
+		`CREATE TABLE IF NOT EXISTS edu_search_crawl_runs (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			seed_id UUID REFERENCES edu_search_seeds(id) ON DELETE CASCADE,
+			status VARCHAR(20) DEFAULT 'running',
+			started_at TIMESTAMPTZ DEFAULT NOW(),
+			completed_at TIMESTAMPTZ,
+			pages_crawled INT DEFAULT 0,
+			documents_indexed INT DEFAULT 0,
+			errors_count INT DEFAULT 0,
+			error_details JSONB,
+			triggered_by UUID REFERENCES users(id)
+		)`,
+
+		// EduSearch Denylist (URLs/domains to never crawl)
+		`CREATE TABLE IF NOT EXISTS edu_search_denylist (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			pattern VARCHAR(500) UNIQUE NOT NULL,
+			pattern_type VARCHAR(20) DEFAULT 'domain',
+			reason TEXT,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			created_by UUID REFERENCES users(id)
+		)`,
+
+		// Phase 11 Indexes
+		`CREATE INDEX IF NOT EXISTS idx_edu_search_seeds_category ON edu_search_seeds(category_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_edu_search_seeds_enabled ON edu_search_seeds(enabled)`,
+		`CREATE INDEX IF NOT EXISTS idx_edu_search_seeds_state ON edu_search_seeds(state)`,
+		`CREATE INDEX IF NOT EXISTS idx_edu_search_seeds_scope ON edu_search_seeds(scope)`,
+		`CREATE INDEX IF NOT EXISTS idx_edu_search_crawl_runs_seed ON edu_search_crawl_runs(seed_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_edu_search_crawl_runs_status ON edu_search_crawl_runs(status)`,
+
+		// Insert default EduSearch categories
+		`INSERT INTO edu_search_categories (name, display_name, description, icon, sort_order)
+		VALUES
+			('federal', 'Bundesebene', 'KMK, BMBF, Bildungsserver', '🏛️', 1),
+			('states', 'Bundesländer', 'Ministerien, Landesbildungsserver', '🗺️', 2),
+			('science', 'Wissenschaft', 'Bertelsmann, PISA, IGLU, TIMSS', '🔬', 3),
+			('universities', 'Universitäten', 'Deutsche Hochschulen', '🎓', 4),
+			('schools', 'Schulen', 'Schulwebsites', '🏫', 5),
+			('portals', 'Bildungsportale', 'Lehrer-Online, 4teachers, ZUM', '📚', 6),
+			('eu', 'EU/International', 'Europäische Bildungsberichte', '🇪🇺', 7),
+			('authorities', 'Schulbehörden', 'Regierungspräsidien, Schulämter', '📋', 8)
+		ON CONFLICT (name) DO NOTHING`,
+	}
+
+	for _, migration := range migrations {
+		if _, err := db.Pool.Exec(ctx, migration); err != nil {
+			return fmt.Errorf("migrateDSR: %w", err)
+		}
+	}
+
+	return nil
+}
diff --git a/consent-service/internal/database/migrate_email.go b/consent-service/internal/database/migrate_email.go
new file mode 100644
index 0000000..54d156e
--- /dev/null
+++ b/consent-service/internal/database/migrate_email.go
@@ -0,0 +1,114 @@
+package database
+
+import (
+	"context"
+	"fmt"
+)
+
+// migrateEmail creates email template tables, settings, and indexes (Phase 8).
+func migrateEmail(db *DB) error {
+	ctx := context.Background()
+
+	migrations := []string{
+		// =============================================
+		// Phase 8: E-Mail Templates (Transactional)
+		// =============================================
+
+		// Email templates (like legal_documents)
+		`CREATE TABLE IF NOT EXISTS email_templates (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			type VARCHAR(50) UNIQUE NOT NULL,
+			name VARCHAR(255) NOT NULL,
+			description TEXT,
+			is_active BOOLEAN DEFAULT TRUE,
+			sort_order INT DEFAULT 0,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Email template versions (like document_versions)
+		`CREATE TABLE IF NOT EXISTS email_template_versions (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			template_id UUID REFERENCES email_templates(id) ON DELETE CASCADE,
+			version VARCHAR(20) NOT NULL,
+			language VARCHAR(5) DEFAULT 'de',
+			subject VARCHAR(500) NOT NULL,
+			body_html TEXT NOT NULL,
+			body_text TEXT NOT NULL,
+			summary TEXT,
+			status VARCHAR(20) DEFAULT 'draft',
+			published_at TIMESTAMPTZ,
+			scheduled_publish_at TIMESTAMPTZ,
+			created_by UUID REFERENCES users(id),
+			approved_by UUID REFERENCES users(id),
+			approved_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(template_id, version, language)
+		)`,
+
+		// Email template approvals (like version_approvals)
+		`CREATE TABLE IF NOT EXISTS email_template_approvals (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			version_id UUID REFERENCES email_template_versions(id) ON DELETE CASCADE,
+			approver_id UUID REFERENCES users(id),
+			action VARCHAR(30) NOT NULL,
+			comment TEXT,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Email send logs for audit
+		`CREATE TABLE IF NOT EXISTS email_send_logs (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID REFERENCES users(id) ON DELETE SET NULL,
+			version_id UUID REFERENCES email_template_versions(id) ON DELETE SET NULL,
+			recipient VARCHAR(255) NOT NULL,
+			subject VARCHAR(500) NOT NULL,
+			status VARCHAR(20) DEFAULT 'queued',
+			error_msg TEXT,
+			variables JSONB,
+			sent_at TIMESTAMPTZ,
+			delivered_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Global email settings (logo, colors, signature)
+		`CREATE TABLE IF NOT EXISTS email_template_settings (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			logo_url TEXT,
+			logo_base64 TEXT,
+			company_name VARCHAR(255) DEFAULT 'BreakPilot',
+			sender_name VARCHAR(255) DEFAULT 'BreakPilot',
+			sender_email VARCHAR(255) DEFAULT 'noreply@breakpilot.app',
+			reply_to_email VARCHAR(255),
+			footer_html TEXT,
+			footer_text TEXT,
+			primary_color VARCHAR(7) DEFAULT '#2563eb',
+			secondary_color VARCHAR(7) DEFAULT '#64748b',
+			updated_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_by UUID REFERENCES users(id)
+		)`,
+
+		// Insert default email settings
+		`INSERT INTO email_template_settings (id, company_name, sender_name, sender_email, primary_color, secondary_color)
+		VALUES (gen_random_uuid(), 'BreakPilot', 'BreakPilot', 'noreply@breakpilot.app', '#2563eb', '#64748b')
+		ON CONFLICT DO NOTHING`,
+
+		// Phase 8 Indexes
+		`CREATE INDEX IF NOT EXISTS idx_email_templates_type ON email_templates(type)`,
+		`CREATE INDEX IF NOT EXISTS idx_email_template_versions_template ON email_template_versions(template_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_email_template_versions_status ON email_template_versions(status)`,
+		`CREATE INDEX IF NOT EXISTS idx_email_template_approvals_version ON email_template_approvals(version_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_email_send_logs_user ON email_send_logs(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_email_send_logs_created ON email_send_logs(created_at)`,
+		`CREATE INDEX IF NOT EXISTS idx_email_send_logs_status ON email_send_logs(status)`,
+	}
+
+	for _, migration := range migrations {
+		if _, err := db.Pool.Exec(ctx, migration); err != nil {
+			return fmt.Errorf("migrateEmail: %w", err)
+		}
+	}
+
+	return nil
+}
diff --git a/consent-service/internal/database/migrate_oauth.go b/consent-service/internal/database/migrate_oauth.go
new file mode 100644
index 0000000..050dd1b
--- /dev/null
+++ b/consent-service/internal/database/migrate_oauth.go
@@ -0,0 +1,171 @@
+package database
+
+import (
+	"context"
+	"fmt"
+)
+
+// migrateOAuth creates OAuth 2.0 and 2FA tables (Phases 6-7),
+// plus default seed data for OAuth clients, cookie categories,
+// and legal documents.
+func migrateOAuth(db *DB) error {
+	ctx := context.Background()
+
+	migrations := []string{
+		// =============================================
+		// Phase 6: OAuth 2.0 Authorization Code Flow
+		// =============================================
+
+		// OAuth 2.0 Clients
+		`CREATE TABLE IF NOT EXISTS oauth_clients (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			client_id VARCHAR(64) UNIQUE NOT NULL,
+			client_secret VARCHAR(255),
+			name VARCHAR(255) NOT NULL,
+			description TEXT,
+			redirect_uris JSONB NOT NULL DEFAULT '[]',
+			scopes JSONB NOT NULL DEFAULT '["openid", "profile", "email"]',
+			grant_types JSONB NOT NULL DEFAULT '["authorization_code", "refresh_token"]',
+			is_public BOOLEAN DEFAULT FALSE,
+			is_active BOOLEAN DEFAULT TRUE,
+			created_by UUID REFERENCES users(id),
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// OAuth 2.0 Authorization Codes
+		`CREATE TABLE IF NOT EXISTS oauth_authorization_codes (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			code VARCHAR(255) UNIQUE NOT NULL,
+			client_id VARCHAR(64) NOT NULL REFERENCES oauth_clients(client_id),
+			user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+			redirect_uri TEXT NOT NULL,
+			scopes JSONB NOT NULL DEFAULT '[]',
+			code_challenge VARCHAR(255),
+			code_challenge_method VARCHAR(10),
+			expires_at TIMESTAMPTZ NOT NULL,
+			used_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// OAuth 2.0 Access Tokens
+		`CREATE TABLE IF NOT EXISTS oauth_access_tokens (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			token_hash VARCHAR(255) UNIQUE NOT NULL,
+			client_id VARCHAR(64) NOT NULL REFERENCES oauth_clients(client_id),
+			user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+			scopes JSONB NOT NULL DEFAULT '[]',
+			expires_at TIMESTAMPTZ NOT NULL,
+			revoked_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// OAuth 2.0 Refresh Tokens
+		`CREATE TABLE IF NOT EXISTS oauth_refresh_tokens (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			token_hash VARCHAR(255) UNIQUE NOT NULL,
+			access_token_id UUID REFERENCES oauth_access_tokens(id) ON DELETE CASCADE,
+			client_id VARCHAR(64) NOT NULL REFERENCES oauth_clients(client_id),
+			user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+			scopes JSONB NOT NULL DEFAULT '[]',
+			expires_at TIMESTAMPTZ NOT NULL,
+			revoked_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// =============================================
+		// Phase 7: Two-Factor Authentication (2FA/TOTP)
+		// =============================================
+
+		// User TOTP secrets and recovery codes
+		`CREATE TABLE IF NOT EXISTS user_totp (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID UNIQUE NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+			secret VARCHAR(255) NOT NULL,
+			verified BOOLEAN DEFAULT FALSE,
+			recovery_codes JSONB DEFAULT '[]',
+			enabled_at TIMESTAMPTZ,
+			last_used_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// 2FA challenges during login
+		`CREATE TABLE IF NOT EXISTS two_factor_challenges (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+			challenge_id VARCHAR(255) UNIQUE NOT NULL,
+			ip_address INET,
+			user_agent TEXT,
+			expires_at TIMESTAMPTZ NOT NULL,
+			used_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Add 2FA required flag to users
+		`ALTER TABLE users ADD COLUMN IF NOT EXISTS two_factor_enabled BOOLEAN DEFAULT FALSE`,
+		`ALTER TABLE users ADD COLUMN IF NOT EXISTS two_factor_verified_at TIMESTAMPTZ`,
+
+		// Phase 6 & 7 Indexes
+		`CREATE INDEX IF NOT EXISTS idx_oauth_clients_client_id ON oauth_clients(client_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_oauth_auth_codes_code ON oauth_authorization_codes(code)`,
+		`CREATE INDEX IF NOT EXISTS idx_oauth_auth_codes_user ON oauth_authorization_codes(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_oauth_access_tokens_hash ON oauth_access_tokens(token_hash)`,
+		`CREATE INDEX IF NOT EXISTS idx_oauth_access_tokens_user ON oauth_access_tokens(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_oauth_refresh_tokens_hash ON oauth_refresh_tokens(token_hash)`,
+		`CREATE INDEX IF NOT EXISTS idx_oauth_refresh_tokens_user ON oauth_refresh_tokens(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_user_totp_user ON user_totp(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_two_factor_challenges_id ON two_factor_challenges(challenge_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_two_factor_challenges_user ON two_factor_challenges(user_id)`,
+
+		// Insert default OAuth client for BreakPilot PWA (public client with PKCE)
+		`INSERT INTO oauth_clients (client_id, name, description, redirect_uris, scopes, grant_types, is_public)
+		VALUES (
+			'breakpilot-pwa',
+			'BreakPilot PWA',
+			'Official BreakPilot Progressive Web Application',
+			'["http://localhost:8000/oauth/callback", "http://localhost:8000/app/oauth/callback"]',
+			'["openid", "profile", "email", "consent:read", "consent:write"]',
+			'["authorization_code", "refresh_token"]',
+			true
+		) ON CONFLICT (client_id) DO NOTHING`,
+
+		// Insert default cookie categories
+		`INSERT INTO cookie_categories (name, display_name_de, display_name_en, description_de, description_en, is_mandatory, sort_order)
+		VALUES
+			('necessary', 'Notwendige Cookies', 'Necessary Cookies',
+			 'Diese Cookies sind für die Grundfunktionen der Website unbedingt erforderlich.',
+			 'These cookies are essential for the basic functions of the website.',
+			 true, 1),
+			('functional', 'Funktionale Cookies', 'Functional Cookies',
+			 'Diese Cookies ermöglichen erweiterte Funktionen und Personalisierung.',
+			 'These cookies enable enhanced functionality and personalization.',
+			 false, 2),
+			('analytics', 'Analyse Cookies', 'Analytics Cookies',
+			 'Diese Cookies helfen uns zu verstehen, wie Besucher mit der Website interagieren.',
+			 'These cookies help us understand how visitors interact with the website.',
+			 false, 3),
+			('marketing', 'Marketing Cookies', 'Marketing Cookies',
+			 'Diese Cookies werden verwendet, um Werbung relevanter für Sie zu gestalten.',
+			 'These cookies are used to make advertising more relevant to you.',
+			 false, 4)
+		ON CONFLICT (name) DO NOTHING`,
+
+		// Insert default legal documents
+		`INSERT INTO legal_documents (type, name, description, is_mandatory, sort_order)
+		VALUES
+			('terms', 'Allgemeine Geschäftsbedingungen', 'Die allgemeinen Geschäftsbedingungen für die Nutzung von BreakPilot.', true, 1),
+			('privacy', 'Datenschutzerklärung', 'Informationen über die Verarbeitung Ihrer personenbezogenen Daten.', true, 2),
+			('cookies', 'Cookie-Richtlinie', 'Informationen über die Verwendung von Cookies auf unserer Website.', false, 3),
+			('community', 'Community Guidelines', 'Regeln für das Verhalten in der BreakPilot Community.', true, 4)
+		ON CONFLICT DO NOTHING`,
+	}
+
+	for _, migration := range migrations {
+		if _, err := db.Pool.Exec(ctx, migration); err != nil {
+			return fmt.Errorf("migrateOAuth: %w", err)
+		}
+	}
+
+	return nil
+}
diff --git a/consent-service/internal/database/migrate_school.go b/consent-service/internal/database/migrate_school.go
new file mode 100644
index 0000000..0386224
--- /dev/null
+++ b/consent-service/internal/database/migrate_school.go
@@ -0,0 +1,182 @@
+package database
+
+import (
+	"context"
+	"fmt"
+)
+
+// migrateSchool creates school management tables: schools, classes,
+// students, teachers, parents, timetable, attendance, grades,
+// class diary, parent meetings, Matrix integration (Phase 9).
+func migrateSchool(db *DB) error {
+	ctx := context.Background()
+
+	migrations := []string{
+		// =============================================
+		// Phase 9: Schulverwaltung / School Management
+		// Matrix-basierte Kommunikation für Schulen
+		// =============================================
+
+		// Schools table
+		`CREATE TABLE IF NOT EXISTS schools (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			name VARCHAR(255) NOT NULL,
+			short_name VARCHAR(50),
+			type VARCHAR(50) NOT NULL,
+			address TEXT,
+			city VARCHAR(100),
+			postal_code VARCHAR(20),
+			state VARCHAR(50),
+			country VARCHAR(2) DEFAULT 'DE',
+			phone VARCHAR(50),
+			email VARCHAR(255),
+			website VARCHAR(255),
+			matrix_server_name VARCHAR(255),
+			logo_url TEXT,
+			is_active BOOLEAN DEFAULT TRUE,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// School years
+		`CREATE TABLE IF NOT EXISTS school_years (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
+			name VARCHAR(20) NOT NULL,
+			start_date DATE NOT NULL,
+			end_date DATE NOT NULL,
+			is_current BOOLEAN DEFAULT FALSE,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(school_id, name)
+		)`,
+
+		// Subjects
+		`CREATE TABLE IF NOT EXISTS subjects (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
+			name VARCHAR(100) NOT NULL,
+			short_name VARCHAR(10) NOT NULL,
+			color VARCHAR(7),
+			is_active BOOLEAN DEFAULT TRUE,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(school_id, short_name)
+		)`,
+
+		// Classes
+		`CREATE TABLE IF NOT EXISTS classes (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
+			school_year_id UUID NOT NULL REFERENCES school_years(id) ON DELETE CASCADE,
+			name VARCHAR(20) NOT NULL,
+			grade INT NOT NULL,
+			section VARCHAR(5),
+			room VARCHAR(50),
+			matrix_info_room VARCHAR(255),
+			matrix_rep_room VARCHAR(255),
+			is_active BOOLEAN DEFAULT TRUE,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(school_id, school_year_id, name)
+		)`,
+
+		// Students
+		`CREATE TABLE IF NOT EXISTS students (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
+			class_id UUID NOT NULL REFERENCES classes(id) ON DELETE CASCADE,
+			user_id UUID REFERENCES users(id) ON DELETE SET NULL,
+			student_number VARCHAR(50),
+			first_name VARCHAR(100) NOT NULL,
+			last_name VARCHAR(100) NOT NULL,
+			date_of_birth DATE,
+			gender VARCHAR(1),
+			matrix_user_id VARCHAR(255),
+			matrix_dm_room VARCHAR(255),
+			is_active BOOLEAN DEFAULT TRUE,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Teachers
+		`CREATE TABLE IF NOT EXISTS teachers (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
+			user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+			teacher_code VARCHAR(10),
+			title VARCHAR(20),
+			first_name VARCHAR(100) NOT NULL,
+			last_name VARCHAR(100) NOT NULL,
+			matrix_user_id VARCHAR(255),
+			is_active BOOLEAN DEFAULT TRUE,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(school_id, user_id)
+		)`,
+
+		// Class teachers assignment
+		`CREATE TABLE IF NOT EXISTS class_teachers (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			class_id UUID NOT NULL REFERENCES classes(id) ON DELETE CASCADE,
+			teacher_id UUID NOT NULL REFERENCES teachers(id) ON DELETE CASCADE,
+			is_primary BOOLEAN DEFAULT FALSE,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(class_id, teacher_id)
+		)`,
+
+		// Teacher subjects assignment
+		`CREATE TABLE IF NOT EXISTS teacher_subjects (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			teacher_id UUID NOT NULL REFERENCES teachers(id) ON DELETE CASCADE,
+			subject_id UUID NOT NULL REFERENCES subjects(id) ON DELETE CASCADE,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(teacher_id, subject_id)
+		)`,
+
+		// Parents
+		`CREATE TABLE IF NOT EXISTS parents (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+			matrix_user_id VARCHAR(255),
+			first_name VARCHAR(100) NOT NULL,
+			last_name VARCHAR(100) NOT NULL,
+			phone VARCHAR(50),
+			emergency_contact BOOLEAN DEFAULT FALSE,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(user_id)
+		)`,
+
+		// Student-parent relationships
+		`CREATE TABLE IF NOT EXISTS student_parents (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			student_id UUID NOT NULL REFERENCES students(id) ON DELETE CASCADE,
+			parent_id UUID NOT NULL REFERENCES parents(id) ON DELETE CASCADE,
+			relationship VARCHAR(20) NOT NULL,
+			is_primary BOOLEAN DEFAULT FALSE,
+			has_custody BOOLEAN DEFAULT TRUE,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(student_id, parent_id)
+		)`,
+
+		// Parent representatives
+		`CREATE TABLE IF NOT EXISTS parent_representatives (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			class_id UUID NOT NULL REFERENCES classes(id) ON DELETE CASCADE,
+			parent_id UUID NOT NULL REFERENCES parents(id) ON DELETE CASCADE,
+			role VARCHAR(20) NOT NULL,
+			elected_at TIMESTAMPTZ NOT NULL,
+			expires_at TIMESTAMPTZ,
+			is_active BOOLEAN DEFAULT TRUE,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+	}
+
+	for _, migration := range migrations {
+		if _, err := db.Pool.Exec(ctx, migration); err != nil {
+			return fmt.Errorf("migrateSchool: %w", err)
+		}
+	}
+
+	// Run the second batch (timetable, attendance, grades, etc.)
+	return migrateSchoolPart2(db)
+}
diff --git a/consent-service/internal/database/migrate_school_ext.go b/consent-service/internal/database/migrate_school_ext.go
new file mode 100644
index 0000000..131a487
--- /dev/null
+++ b/consent-service/internal/database/migrate_school_ext.go
@@ -0,0 +1,346 @@
+package database
+
+import (
+	"context"
+	"fmt"
+)
+
+// migrateSchoolPart2 creates timetable, attendance, grades, diary,
+// meetings, Matrix, and Phase 9 indexes/seed data.
+func migrateSchoolPart2(db *DB) error {
+	ctx := context.Background()
+
+	migrations := []string{
+		// =============================================
+		// Stundenplan / Timetable
+		// =============================================
+
+		// Timetable slots (Stundenraster)
+		`CREATE TABLE IF NOT EXISTS timetable_slots (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
+			slot_number INT NOT NULL,
+			start_time TIME NOT NULL,
+			end_time TIME NOT NULL,
+			is_break BOOLEAN DEFAULT FALSE,
+			name VARCHAR(50),
+			UNIQUE(school_id, slot_number)
+		)`,
+
+		// Timetable entries (Stundenplan)
+		`CREATE TABLE IF NOT EXISTS timetable_entries (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			school_year_id UUID NOT NULL REFERENCES school_years(id) ON DELETE CASCADE,
+			class_id UUID NOT NULL REFERENCES classes(id) ON DELETE CASCADE,
+			subject_id UUID NOT NULL REFERENCES subjects(id) ON DELETE CASCADE,
+			teacher_id UUID NOT NULL REFERENCES teachers(id) ON DELETE CASCADE,
+			slot_id UUID NOT NULL REFERENCES timetable_slots(id) ON DELETE CASCADE,
+			day_of_week INT NOT NULL CHECK (day_of_week >= 1 AND day_of_week <= 7),
+			room VARCHAR(50),
+			valid_from DATE NOT NULL,
+			valid_until DATE,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Timetable substitutions (Vertretungsplan)
+		`CREATE TABLE IF NOT EXISTS timetable_substitutions (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			original_entry_id UUID NOT NULL REFERENCES timetable_entries(id) ON DELETE CASCADE,
+			date DATE NOT NULL,
+			substitute_teacher_id UUID REFERENCES teachers(id) ON DELETE SET NULL,
+			substitute_subject_id UUID REFERENCES subjects(id) ON DELETE SET NULL,
+			room VARCHAR(50),
+			type VARCHAR(20) NOT NULL,
+			note TEXT,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			created_by UUID NOT NULL REFERENCES users(id)
+		)`,
+
+		// =============================================
+		// Abwesenheit / Attendance
+		// =============================================
+
+		// Attendance records per lesson
+		`CREATE TABLE IF NOT EXISTS attendance_records (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			student_id UUID NOT NULL REFERENCES students(id) ON DELETE CASCADE,
+			timetable_entry_id UUID REFERENCES timetable_entries(id) ON DELETE SET NULL,
+			date DATE NOT NULL,
+			slot_id UUID NOT NULL REFERENCES timetable_slots(id) ON DELETE CASCADE,
+			status VARCHAR(30) NOT NULL,
+			recorded_by UUID NOT NULL REFERENCES users(id),
+			note TEXT,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(student_id, date, slot_id)
+		)`,
+
+		// Absence reports (Krankmeldungen)
+		`CREATE TABLE IF NOT EXISTS absence_reports (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			student_id UUID NOT NULL REFERENCES students(id) ON DELETE CASCADE,
+			start_date DATE NOT NULL,
+			end_date DATE NOT NULL,
+			reason TEXT,
+			reason_category VARCHAR(30) NOT NULL,
+			status VARCHAR(20) NOT NULL DEFAULT 'reported',
+			reported_by UUID NOT NULL REFERENCES users(id),
+			reported_at TIMESTAMPTZ DEFAULT NOW(),
+			confirmed_by UUID REFERENCES users(id),
+			confirmed_at TIMESTAMPTZ,
+			medical_certificate BOOLEAN DEFAULT FALSE,
+			certificate_uploaded BOOLEAN DEFAULT FALSE,
+			matrix_notification_sent BOOLEAN DEFAULT FALSE,
+			email_notification_sent BOOLEAN DEFAULT FALSE,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Absence notifications to parents
+		`CREATE TABLE IF NOT EXISTS absence_notifications (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			attendance_record_id UUID NOT NULL REFERENCES attendance_records(id) ON DELETE CASCADE,
+			parent_id UUID NOT NULL REFERENCES parents(id) ON DELETE CASCADE,
+			channel VARCHAR(20) NOT NULL,
+			message_content TEXT NOT NULL,
+			sent_at TIMESTAMPTZ,
+			read_at TIMESTAMPTZ,
+			response_received BOOLEAN DEFAULT FALSE,
+			response_content TEXT,
+			response_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// =============================================
+		// Notenspiegel / Grades
+		// =============================================
+
+		// Grade scales
+		`CREATE TABLE IF NOT EXISTS grade_scales (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
+			name VARCHAR(50) NOT NULL,
+			min_value DECIMAL(5,2) NOT NULL,
+			max_value DECIMAL(5,2) NOT NULL,
+			passing_value DECIMAL(5,2) NOT NULL,
+			is_ascending BOOLEAN DEFAULT FALSE,
+			is_default BOOLEAN DEFAULT FALSE,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Grades
+		`CREATE TABLE IF NOT EXISTS grades (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			student_id UUID NOT NULL REFERENCES students(id) ON DELETE CASCADE,
+			subject_id UUID NOT NULL REFERENCES subjects(id) ON DELETE CASCADE,
+			teacher_id UUID NOT NULL REFERENCES teachers(id) ON DELETE CASCADE,
+			school_year_id UUID NOT NULL REFERENCES school_years(id) ON DELETE CASCADE,
+			grade_scale_id UUID NOT NULL REFERENCES grade_scales(id) ON DELETE CASCADE,
+			type VARCHAR(30) NOT NULL,
+			value DECIMAL(5,2) NOT NULL,
+			weight DECIMAL(3,2) DEFAULT 1.0,
+			date DATE NOT NULL,
+			title VARCHAR(100),
+			description TEXT,
+			is_visible BOOLEAN DEFAULT TRUE,
+			semester INT NOT NULL CHECK (semester IN (1, 2)),
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Grade comments
+		`CREATE TABLE IF NOT EXISTS grade_comments (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			grade_id UUID NOT NULL REFERENCES grades(id) ON DELETE CASCADE,
+			teacher_id UUID NOT NULL REFERENCES teachers(id) ON DELETE CASCADE,
+			comment TEXT NOT NULL,
+			is_private BOOLEAN DEFAULT FALSE,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// =============================================
+		// Klassenbuch / Class Diary
+		// =============================================
+
+		// Class diary entries
+		`CREATE TABLE IF NOT EXISTS class_diary_entries (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			class_id UUID NOT NULL REFERENCES classes(id) ON DELETE CASCADE,
+			date DATE NOT NULL,
+			slot_id UUID NOT NULL REFERENCES timetable_slots(id) ON DELETE CASCADE,
+			subject_id UUID NOT NULL REFERENCES subjects(id) ON DELETE CASCADE,
+			teacher_id UUID NOT NULL REFERENCES teachers(id) ON DELETE CASCADE,
+			topic TEXT,
+			homework TEXT,
+			homework_due_date DATE,
+			materials TEXT,
+			notes TEXT,
+			is_cancelled BOOLEAN DEFAULT FALSE,
+			cancellation_reason TEXT,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW(),
+			UNIQUE(class_id, date, slot_id)
+		)`,
+
+		// =============================================
+		// Elterngespräche / Parent Meetings
+		// =============================================
+
+		// Parent meeting slots
+		`CREATE TABLE IF NOT EXISTS parent_meeting_slots (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			teacher_id UUID NOT NULL REFERENCES teachers(id) ON DELETE CASCADE,
+			date DATE NOT NULL,
+			start_time TIME NOT NULL,
+			end_time TIME NOT NULL,
+			location VARCHAR(100),
+			is_online BOOLEAN DEFAULT FALSE,
+			meeting_link TEXT,
+			is_booked BOOLEAN DEFAULT FALSE,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Parent meetings
+		`CREATE TABLE IF NOT EXISTS parent_meetings (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			slot_id UUID NOT NULL REFERENCES parent_meeting_slots(id) ON DELETE CASCADE,
+			parent_id UUID NOT NULL REFERENCES parents(id) ON DELETE CASCADE,
+			student_id UUID NOT NULL REFERENCES students(id) ON DELETE CASCADE,
+			topic TEXT,
+			notes TEXT,
+			status VARCHAR(20) NOT NULL DEFAULT 'scheduled',
+			cancelled_at TIMESTAMPTZ,
+			cancelled_by UUID REFERENCES users(id),
+			cancel_reason TEXT,
+			completed_at TIMESTAMPTZ,
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			updated_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// =============================================
+		// Matrix / Communication Integration
+		// =============================================
+
+		// Matrix rooms
+		`CREATE TABLE IF NOT EXISTS matrix_rooms (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
+			matrix_room_id VARCHAR(255) NOT NULL UNIQUE,
+			type VARCHAR(30) NOT NULL,
+			class_id UUID REFERENCES classes(id) ON DELETE SET NULL,
+			student_id UUID REFERENCES students(id) ON DELETE SET NULL,
+			name VARCHAR(255) NOT NULL,
+			is_encrypted BOOLEAN DEFAULT TRUE,
+			created_at TIMESTAMPTZ DEFAULT NOW()
+		)`,
+
+		// Matrix room members
+		`CREATE TABLE IF NOT EXISTS matrix_room_members (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			matrix_room_id UUID NOT NULL REFERENCES matrix_rooms(id) ON DELETE CASCADE,
+			matrix_user_id VARCHAR(255) NOT NULL,
+			user_id UUID REFERENCES users(id) ON DELETE SET NULL,
+			power_level INT DEFAULT 0,
+			can_write BOOLEAN DEFAULT TRUE,
+			joined_at TIMESTAMPTZ DEFAULT NOW(),
+			left_at TIMESTAMPTZ,
+			UNIQUE(matrix_room_id, matrix_user_id)
+		)`,
+
+		// Parent onboarding tokens (QR codes)
+		`CREATE TABLE IF NOT EXISTS parent_onboarding_tokens (
+			id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+			school_id UUID NOT NULL REFERENCES schools(id) ON DELETE CASCADE,
+			class_id UUID NOT NULL REFERENCES classes(id) ON DELETE CASCADE,
+			student_id UUID NOT NULL REFERENCES students(id) ON DELETE CASCADE,
+			token VARCHAR(255) NOT NULL UNIQUE,
+			role VARCHAR(30) NOT NULL DEFAULT 'parent',
+			expires_at TIMESTAMPTZ NOT NULL,
+			used_at TIMESTAMPTZ,
+			used_by_user_id UUID REFERENCES users(id),
+			created_at TIMESTAMPTZ DEFAULT NOW(),
+			created_by UUID NOT NULL REFERENCES users(id)
+		)`,
+
+		// =============================================
+		// Phase 9 Indexes
+		// =============================================
+		`CREATE INDEX IF NOT EXISTS idx_schools_active ON schools(is_active)`,
+		`CREATE INDEX IF NOT EXISTS idx_school_years_school ON school_years(school_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_school_years_current ON school_years(is_current)`,
+		`CREATE INDEX IF NOT EXISTS idx_classes_school ON classes(school_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_classes_school_year ON classes(school_year_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_students_school ON students(school_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_students_class ON students(class_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_students_user ON students(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_teachers_school ON teachers(school_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_teachers_user ON teachers(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_class_teachers_class ON class_teachers(class_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_class_teachers_teacher ON class_teachers(teacher_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_parents_user ON parents(user_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_student_parents_student ON student_parents(student_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_student_parents_parent ON student_parents(parent_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_timetable_entries_class ON timetable_entries(class_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_timetable_entries_teacher ON timetable_entries(teacher_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_timetable_entries_day ON timetable_entries(day_of_week)`,
+		`CREATE INDEX IF NOT EXISTS idx_timetable_substitutions_date ON timetable_substitutions(date)`,
+		`CREATE INDEX IF NOT EXISTS idx_timetable_substitutions_entry ON timetable_substitutions(original_entry_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_attendance_records_student ON attendance_records(student_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_attendance_records_date ON attendance_records(date)`,
+		`CREATE INDEX IF NOT EXISTS idx_absence_reports_student ON absence_reports(student_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_absence_reports_dates ON absence_reports(start_date, end_date)`,
+		`CREATE INDEX IF NOT EXISTS idx_grades_student ON grades(student_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_grades_subject ON grades(subject_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_grades_teacher ON grades(teacher_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_grades_school_year ON grades(school_year_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_class_diary_class_date ON class_diary_entries(class_id, date)`,
+		`CREATE INDEX IF NOT EXISTS idx_parent_meeting_slots_teacher ON parent_meeting_slots(teacher_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_parent_meeting_slots_date ON parent_meeting_slots(date)`,
+		`CREATE INDEX IF NOT EXISTS idx_parent_meetings_slot ON parent_meetings(slot_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_parent_meetings_parent ON parent_meetings(parent_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_matrix_rooms_school ON matrix_rooms(school_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_matrix_rooms_class ON matrix_rooms(class_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_matrix_room_members_room ON matrix_room_members(matrix_room_id)`,
+		`CREATE INDEX IF NOT EXISTS idx_parent_onboarding_tokens_token ON parent_onboarding_tokens(token)`,
+		`CREATE INDEX IF NOT EXISTS idx_parent_onboarding_tokens_student ON parent_onboarding_tokens(student_id)`,
+
+		// Insert default grade scales
+		`INSERT INTO grade_scales (id, school_id, name, min_value, max_value, passing_value, is_ascending, is_default)
+		SELECT gen_random_uuid(), s.id, '1-6 (Noten)', 1, 6, 4, false, true
+		FROM schools s
+		WHERE NOT EXISTS (SELECT 1 FROM grade_scales gs WHERE gs.school_id = s.id AND gs.name = '1-6 (Noten)')
+		ON CONFLICT DO NOTHING`,
+
+		// Insert default timetable slots for schools
+		`DO $$
+		DECLARE
+			school_rec RECORD;
+		BEGIN
+			FOR school_rec IN SELECT id FROM schools LOOP
+				INSERT INTO timetable_slots (school_id, slot_number, start_time, end_time, is_break, name)
+				VALUES
+					(school_rec.id, 1, '08:00', '08:45', false, '1. Stunde'),
+					(school_rec.id, 2, '08:45', '09:30', false, '2. Stunde'),
+					(school_rec.id, 3, '09:30', '09:50', true, 'Erste Pause'),
+					(school_rec.id, 4, '09:50', '10:35', false, '3. Stunde'),
+					(school_rec.id, 5, '10:35', '11:20', false, '4. Stunde'),
+					(school_rec.id, 6, '11:20', '11:40', true, 'Zweite Pause'),
+					(school_rec.id, 7, '11:40', '12:25', false, '5. Stunde'),
+					(school_rec.id, 8, '12:25', '13:10', false, '6. Stunde'),
+					(school_rec.id, 9, '13:10', '14:00', true, 'Mittagspause'),
+					(school_rec.id, 10, '14:00', '14:45', false, '7. Stunde'),
+					(school_rec.id, 11, '14:45', '15:30', false, '8. Stunde')
+				ON CONFLICT (school_id, slot_number) DO NOTHING;
+			END LOOP;
+		END $$`,
+	}
+
+	for _, migration := range migrations {
+		if _, err := db.Pool.Exec(ctx, migration); err != nil {
+			return fmt.Errorf("migrateSchool: %w", err)
+		}
+	}
+
+	return nil
+}
diff --git a/consent-service/internal/handlers/admin_approval.go b/consent-service/internal/handlers/admin_approval.go
new file mode 100644
index 0000000..e31d7df
--- /dev/null
+++ b/consent-service/internal/handlers/admin_approval.go
@@ -0,0 +1,455 @@
+package handlers
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/middleware"
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// ========================================
+// ADMIN ENDPOINTS - Version Approval Workflow (DSB)
+// ========================================
+
+// AdminSubmitForReview submits a version for DSB review
+func (h *Handler) AdminSubmitForReview(c *gin.Context) {
+	versionID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+	ctx := context.Background()
+	ipAddress := middleware.GetClientIP(c)
+	userAgent := middleware.GetUserAgent(c)
+
+	// Check current status
+	var status string
+	err = h.db.Pool.QueryRow(ctx, `SELECT status FROM document_versions WHERE id = $1`, versionID).Scan(&status)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
+		return
+	}
+
+	if status != "draft" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Only draft versions can be submitted for review"})
+		return
+	}
+
+	// Update status to review
+	_, err = h.db.Pool.Exec(ctx, `
+		UPDATE document_versions
+		SET status = 'review', updated_at = NOW()
+		WHERE id = $1
+	`, versionID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to submit for review"})
+		return
+	}
+
+	// Log approval action
+	_, err = h.db.Pool.Exec(ctx, `
+		INSERT INTO version_approvals (version_id, approver_id, action, comment)
+		VALUES ($1, $2, 'submitted', 'Submitted for DSB review')
+	`, versionID, userID)
+
+	h.logAudit(ctx, &userID, "version_submitted_review", "document_version", &versionID, nil, ipAddress, userAgent)
+
+	c.JSON(http.StatusOK, gin.H{"message": "Version submitted for review"})
+}
+
+// AdminApproveVersion approves a version with scheduled publish date (DSB only)
+func (h *Handler) AdminApproveVersion(c *gin.Context) {
+	versionID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
+		return
+	}
+
+	// Check if user is DSB or Admin (for dev purposes)
+	if !middleware.IsDSB(c) && !middleware.IsAdmin(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Only Data Protection Officers can approve versions"})
+		return
+	}
+
+	var req struct {
+		Comment            string  `json:"comment"`
+		ScheduledPublishAt *string `json:"scheduled_publish_at"` // ISO 8601: "2026-01-01T00:00:00Z"
+	}
+	c.ShouldBindJSON(&req)
+
+	// Validate scheduled publish date
+	var scheduledAt *time.Time
+	if req.ScheduledPublishAt != nil && *req.ScheduledPublishAt != "" {
+		parsed, err := time.Parse(time.RFC3339, *req.ScheduledPublishAt)
+		if err != nil {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid scheduled_publish_at format. Use ISO 8601 (e.g., 2026-01-01T00:00:00Z)"})
+			return
+		}
+		if parsed.Before(time.Now()) {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "Scheduled publish date must be in the future"})
+			return
+		}
+		scheduledAt = &parsed
+	}
+
+	userID, _ := middleware.GetUserID(c)
+	ctx := context.Background()
+	ipAddress := middleware.GetClientIP(c)
+	userAgent := middleware.GetUserAgent(c)
+
+	// Check current status
+	var status string
+	var createdBy *uuid.UUID
+	err = h.db.Pool.QueryRow(ctx, `SELECT status, created_by FROM document_versions WHERE id = $1`, versionID).Scan(&status, &createdBy)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
+		return
+	}
+
+	if status != "review" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Only versions in review status can be approved"})
+		return
+	}
+
+	// Four-eyes principle: DSB cannot approve their own version
+	// Exception: Admins can approve their own versions for development/testing purposes
+	role, _ := c.Get("role")
+	roleStr, _ := role.(string)
+	if createdBy != nil && *createdBy == userID && roleStr != "admin" {
+		c.JSON(http.StatusForbidden, gin.H{"error": "You cannot approve your own version (four-eyes principle)"})
+		return
+	}
+
+	// Determine new status: 'scheduled' if date set, otherwise 'approved'
+	newStatus := "approved"
+	if scheduledAt != nil {
+		newStatus = "scheduled"
+	}
+
+	// Update status to approved/scheduled
+	_, err = h.db.Pool.Exec(ctx, `
+		UPDATE document_versions
+		SET status = $2, approved_by = $3, approved_at = NOW(), scheduled_publish_at = $4, updated_at = NOW()
+		WHERE id = $1
+	`, versionID, newStatus, userID, scheduledAt)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to approve version"})
+		return
+	}
+
+	// Log approval action
+	comment := req.Comment
+	if comment == "" {
+		if scheduledAt != nil {
+			comment = "Approved by DSB, scheduled for " + scheduledAt.Format("02.01.2006 15:04")
+		} else {
+			comment = "Approved by DSB"
+		}
+	}
+	_, err = h.db.Pool.Exec(ctx, `
+		INSERT INTO version_approvals (version_id, approver_id, action, comment)
+		VALUES ($1, $2, 'approved', $3)
+	`, versionID, userID, comment)
+
+	h.logAudit(ctx, &userID, "version_approved", "document_version", &versionID, &comment, ipAddress, userAgent)
+
+	response := gin.H{"message": "Version approved", "status": newStatus}
+	if scheduledAt != nil {
+		response["scheduled_publish_at"] = scheduledAt.Format(time.RFC3339)
+	}
+	c.JSON(http.StatusOK, response)
+}
+
+// AdminRejectVersion rejects a version (DSB only)
+func (h *Handler) AdminRejectVersion(c *gin.Context) {
+	versionID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
+		return
+	}
+
+	// Check if user is DSB
+	if !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Only Data Protection Officers can reject versions"})
+		return
+	}
+
+	var req struct {
+		Comment string `json:"comment" binding:"required"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Comment is required when rejecting"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+	ctx := context.Background()
+	ipAddress := middleware.GetClientIP(c)
+	userAgent := middleware.GetUserAgent(c)
+
+	// Check current status
+	var status string
+	err = h.db.Pool.QueryRow(ctx, `SELECT status FROM document_versions WHERE id = $1`, versionID).Scan(&status)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
+		return
+	}
+
+	if status != "review" && status != "approved" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Only versions in review or approved status can be rejected"})
+		return
+	}
+
+	// Update status back to draft
+	_, err = h.db.Pool.Exec(ctx, `
+		UPDATE document_versions
+		SET status = 'draft', approved_by = NULL, updated_at = NOW()
+		WHERE id = $1
+	`, versionID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to reject version"})
+		return
+	}
+
+	// Log rejection
+	_, err = h.db.Pool.Exec(ctx, `
+		INSERT INTO version_approvals (version_id, approver_id, action, comment)
+		VALUES ($1, $2, 'rejected', $3)
+	`, versionID, userID, req.Comment)
+
+	h.logAudit(ctx, &userID, "version_rejected", "document_version", &versionID, &req.Comment, ipAddress, userAgent)
+
+	c.JSON(http.StatusOK, gin.H{"message": "Version rejected and returned to draft"})
+}
+
+// AdminCompareVersions returns two versions for side-by-side comparison
+func (h *Handler) AdminCompareVersions(c *gin.Context) {
+	versionID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
+		return
+	}
+
+	ctx := context.Background()
+
+	// Get the current version and its document
+	var currentVersion models.DocumentVersion
+	var documentID uuid.UUID
+	err = h.db.Pool.QueryRow(ctx, `
+		SELECT id, document_id, version, language, title, content, summary, status, created_at, updated_at
+		FROM document_versions
+		WHERE id = $1
+	`, versionID).Scan(&currentVersion.ID, &documentID, &currentVersion.Version, &currentVersion.Language,
+		&currentVersion.Title, &currentVersion.Content, &currentVersion.Summary, &currentVersion.Status,
+		&currentVersion.CreatedAt, &currentVersion.UpdatedAt)
+
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
+		return
+	}
+
+	// Get the currently published version (if any)
+	var publishedVersion *models.DocumentVersion
+	var pv models.DocumentVersion
+	err = h.db.Pool.QueryRow(ctx, `
+		SELECT id, document_id, version, language, title, content, summary, status, published_at, created_at, updated_at
+		FROM document_versions
+		WHERE document_id = $1 AND language = $2 AND status = 'published'
+		ORDER BY published_at DESC
+		LIMIT 1
+	`, documentID, currentVersion.Language).Scan(&pv.ID, &pv.DocumentID, &pv.Version, &pv.Language,
+		&pv.Title, &pv.Content, &pv.Summary, &pv.Status, &pv.PublishedAt, &pv.CreatedAt, &pv.UpdatedAt)
+
+	if err == nil && pv.ID != currentVersion.ID {
+		publishedVersion = &pv
+	}
+
+	// Get approval history
+	rows, err := h.db.Pool.Query(ctx, `
+		SELECT va.action, va.comment, va.created_at, u.email
+		FROM version_approvals va
+		LEFT JOIN users u ON va.approver_id = u.id
+		WHERE va.version_id = $1
+		ORDER BY va.created_at DESC
+	`, versionID)
+
+	var approvalHistory []map[string]interface{}
+	if err == nil {
+		defer rows.Close()
+		for rows.Next() {
+			var action, email string
+			var comment *string
+			var createdAt time.Time
+			if err := rows.Scan(&action, &comment, &createdAt, &email); err == nil {
+				approvalHistory = append(approvalHistory, map[string]interface{}{
+					"action":     action,
+					"comment":    comment,
+					"created_at": createdAt,
+					"approver":   email,
+				})
+			}
+		}
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"current_version":   currentVersion,
+		"published_version": publishedVersion,
+		"approval_history":  approvalHistory,
+	})
+}
+
+// AdminGetApprovalHistory returns the approval history for a version
+func (h *Handler) AdminGetApprovalHistory(c *gin.Context) {
+	versionID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
+		return
+	}
+
+	ctx := context.Background()
+
+	rows, err := h.db.Pool.Query(ctx, `
+		SELECT va.id, va.action, va.comment, va.created_at, u.email, u.name
+		FROM version_approvals va
+		LEFT JOIN users u ON va.approver_id = u.id
+		WHERE va.version_id = $1
+		ORDER BY va.created_at DESC
+	`, versionID)
+
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch approval history"})
+		return
+	}
+	defer rows.Close()
+
+	var history []map[string]interface{}
+	for rows.Next() {
+		var id uuid.UUID
+		var action string
+		var comment *string
+		var createdAt time.Time
+		var email, name *string
+
+		if err := rows.Scan(&id, &action, &comment, &createdAt, &email, &name); err != nil {
+			continue
+		}
+
+		history = append(history, map[string]interface{}{
+			"id":         id,
+			"action":     action,
+			"comment":    comment,
+			"created_at": createdAt,
+			"approver":   email,
+			"name":       name,
+		})
+	}
+
+	c.JSON(http.StatusOK, gin.H{"approval_history": history})
+}
+
+// ========================================
+// SCHEDULED PUBLISHING
+// ========================================
+
+// ProcessScheduledPublishing publishes all versions that are due
+// This should be called by a cron job or scheduler
+func (h *Handler) ProcessScheduledPublishing(c *gin.Context) {
+	ctx := context.Background()
+
+	// Find all scheduled versions that are due
+	rows, err := h.db.Pool.Query(ctx, `
+		SELECT id, document_id, version
+		FROM document_versions
+		WHERE status = 'scheduled'
+		  AND scheduled_publish_at IS NOT NULL
+		  AND scheduled_publish_at <= NOW()
+	`)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch scheduled versions"})
+		return
+	}
+	defer rows.Close()
+
+	var published []string
+	for rows.Next() {
+		var versionID, docID uuid.UUID
+		var version string
+		if err := rows.Scan(&versionID, &docID, &version); err != nil {
+			continue
+		}
+
+		// Publish this version
+		_, err := h.db.Pool.Exec(ctx, `
+			UPDATE document_versions
+			SET status = 'published', published_at = NOW(), updated_at = NOW()
+			WHERE id = $1
+		`, versionID)
+
+		if err == nil {
+			// Archive previous published versions for this document
+			h.db.Pool.Exec(ctx, `
+				UPDATE document_versions
+				SET status = 'archived', updated_at = NOW()
+				WHERE document_id = $1 AND id != $2 AND status = 'published'
+			`, docID, versionID)
+
+			// Log the publishing
+			details := fmt.Sprintf("Version %s automatically published by scheduler", version)
+			h.logAudit(ctx, nil, "version_scheduled_published", "document_version", &versionID, &details, "", "scheduler")
+
+			published = append(published, version)
+		}
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"message":           "Scheduled publishing processed",
+		"published_count":   len(published),
+		"published_versions": published,
+	})
+}
+
+// GetScheduledVersions returns all versions scheduled for publishing
+func (h *Handler) GetScheduledVersions(c *gin.Context) {
+	ctx := context.Background()
+
+	rows, err := h.db.Pool.Query(ctx, `
+		SELECT dv.id, dv.document_id, dv.version, dv.title, dv.scheduled_publish_at, ld.name as document_name
+		FROM document_versions dv
+		JOIN legal_documents ld ON ld.id = dv.document_id
+		WHERE dv.status = 'scheduled'
+		  AND dv.scheduled_publish_at IS NOT NULL
+		ORDER BY dv.scheduled_publish_at ASC
+	`)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch scheduled versions"})
+		return
+	}
+	defer rows.Close()
+
+	type ScheduledVersion struct {
+		ID                 uuid.UUID  `json:"id"`
+		DocumentID         uuid.UUID  `json:"document_id"`
+		Version            string     `json:"version"`
+		Title              string     `json:"title"`
+		ScheduledPublishAt *time.Time `json:"scheduled_publish_at"`
+		DocumentName       string     `json:"document_name"`
+	}
+
+	var versions []ScheduledVersion
+	for rows.Next() {
+		var v ScheduledVersion
+		if err := rows.Scan(&v.ID, &v.DocumentID, &v.Version, &v.Title, &v.ScheduledPublishAt, &v.DocumentName); err != nil {
+			continue
+		}
+		versions = append(versions, v)
+	}
+
+	c.JSON(http.StatusOK, gin.H{"scheduled_versions": versions})
+}
diff --git a/consent-service/internal/handlers/admin_documents.go b/consent-service/internal/handlers/admin_documents.go
new file mode 100644
index 0000000..fa0f174
--- /dev/null
+++ b/consent-service/internal/handlers/admin_documents.go
@@ -0,0 +1,391 @@
+package handlers
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/breakpilot/consent-service/internal/middleware"
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// ========================================
+// ADMIN ENDPOINTS - Document Management
+// ========================================
+
+// AdminGetDocuments returns all documents (including inactive) for admin
+func (h *Handler) AdminGetDocuments(c *gin.Context) {
+	ctx := context.Background()
+
+	rows, err := h.db.Pool.Query(ctx, `
+		SELECT id, type, name, description, is_mandatory, is_active, sort_order, created_at, updated_at
+		FROM legal_documents
+		ORDER BY sort_order ASC, created_at DESC
+	`)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch documents"})
+		return
+	}
+	defer rows.Close()
+
+	var documents []models.LegalDocument
+	for rows.Next() {
+		var doc models.LegalDocument
+		if err := rows.Scan(&doc.ID, &doc.Type, &doc.Name, &doc.Description,
+			&doc.IsMandatory, &doc.IsActive, &doc.SortOrder, &doc.CreatedAt, &doc.UpdatedAt); err != nil {
+			continue
+		}
+		documents = append(documents, doc)
+	}
+
+	c.JSON(http.StatusOK, gin.H{"documents": documents})
+}
+
+// AdminCreateDocument creates a new legal document
+func (h *Handler) AdminCreateDocument(c *gin.Context) {
+	var req models.CreateDocumentRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	ctx := context.Background()
+
+	var docID uuid.UUID
+	err := h.db.Pool.QueryRow(ctx, `
+		INSERT INTO legal_documents (type, name, description, is_mandatory)
+		VALUES ($1, $2, $3, $4)
+		RETURNING id
+	`, req.Type, req.Name, req.Description, req.IsMandatory).Scan(&docID)
+
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create document"})
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{
+		"message": "Document created successfully",
+		"id":      docID,
+	})
+}
+
+// AdminUpdateDocument updates a legal document
+func (h *Handler) AdminUpdateDocument(c *gin.Context) {
+	docID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid document ID"})
+		return
+	}
+
+	var req struct {
+		Name        *string `json:"name"`
+		Description *string `json:"description"`
+		IsMandatory *bool   `json:"is_mandatory"`
+		IsActive    *bool   `json:"is_active"`
+		SortOrder   *int    `json:"sort_order"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	ctx := context.Background()
+
+	result, err := h.db.Pool.Exec(ctx, `
+		UPDATE legal_documents
+		SET name = COALESCE($2, name),
+		    description = COALESCE($3, description),
+		    is_mandatory = COALESCE($4, is_mandatory),
+		    is_active = COALESCE($5, is_active),
+		    sort_order = COALESCE($6, sort_order),
+		    updated_at = NOW()
+		WHERE id = $1
+	`, docID, req.Name, req.Description, req.IsMandatory, req.IsActive, req.SortOrder)
+
+	if err != nil || result.RowsAffected() == 0 {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Document not found"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Document updated successfully"})
+}
+
+// AdminDeleteDocument soft-deletes a document (sets is_active to false)
+func (h *Handler) AdminDeleteDocument(c *gin.Context) {
+	docID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid document ID"})
+		return
+	}
+
+	ctx := context.Background()
+
+	result, err := h.db.Pool.Exec(ctx, `
+		UPDATE legal_documents
+		SET is_active = false, updated_at = NOW()
+		WHERE id = $1
+	`, docID)
+
+	if err != nil || result.RowsAffected() == 0 {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Document not found"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Document deleted successfully"})
+}
+
+// ========================================
+// ADMIN ENDPOINTS - Version Management
+// ========================================
+
+// AdminGetVersions returns all versions for a document
+func (h *Handler) AdminGetVersions(c *gin.Context) {
+	docID, err := uuid.Parse(c.Param("docId"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid document ID"})
+		return
+	}
+
+	ctx := context.Background()
+
+	rows, err := h.db.Pool.Query(ctx, `
+		SELECT id, document_id, version, language, title, content, summary, status,
+		       published_at, scheduled_publish_at, created_by, approved_by, approved_at, created_at, updated_at
+		FROM document_versions
+		WHERE document_id = $1
+		ORDER BY created_at DESC
+	`, docID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch versions"})
+		return
+	}
+	defer rows.Close()
+
+	var versions []models.DocumentVersion
+	for rows.Next() {
+		var v models.DocumentVersion
+		if err := rows.Scan(&v.ID, &v.DocumentID, &v.Version, &v.Language, &v.Title, &v.Content,
+			&v.Summary, &v.Status, &v.PublishedAt, &v.ScheduledPublishAt, &v.CreatedBy, &v.ApprovedBy, &v.ApprovedAt, &v.CreatedAt, &v.UpdatedAt); err != nil {
+			continue
+		}
+		versions = append(versions, v)
+	}
+
+	c.JSON(http.StatusOK, gin.H{"versions": versions})
+}
+
+// AdminCreateVersion creates a new document version
+func (h *Handler) AdminCreateVersion(c *gin.Context) {
+	var req models.CreateVersionRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	docID, err := uuid.Parse(req.DocumentID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid document ID"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+	ctx := context.Background()
+
+	var versionID uuid.UUID
+	err = h.db.Pool.QueryRow(ctx, `
+		INSERT INTO document_versions (document_id, version, language, title, content, summary, status, created_by)
+		VALUES ($1, $2, $3, $4, $5, $6, 'draft', $7)
+		RETURNING id
+	`, docID, req.Version, req.Language, req.Title, req.Content, req.Summary, userID).Scan(&versionID)
+
+	if err != nil {
+		// Check for unique constraint violation
+		errStr := err.Error()
+		if strings.Contains(errStr, "duplicate key") || strings.Contains(errStr, "unique constraint") {
+			c.JSON(http.StatusConflict, gin.H{"error": "Eine Version mit dieser Versionsnummer und Sprache existiert bereits für dieses Dokument"})
+			return
+		}
+		// Log the actual error for debugging
+		fmt.Printf("POST /api/v1/admin/versions ✗ %v\n", err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create version: " + errStr})
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{
+		"message": "Version created successfully",
+		"id":      versionID,
+	})
+}
+
+// AdminUpdateVersion updates a document version
+func (h *Handler) AdminUpdateVersion(c *gin.Context) {
+	versionID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
+		return
+	}
+
+	var req models.UpdateVersionRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	ctx := context.Background()
+
+	// Check if version is in draft or review status (only these can be edited)
+	var status string
+	err = h.db.Pool.QueryRow(ctx, `SELECT status FROM document_versions WHERE id = $1`, versionID).Scan(&status)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
+		return
+	}
+
+	if status != "draft" && status != "review" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Only draft or review versions can be edited"})
+		return
+	}
+
+	result, err := h.db.Pool.Exec(ctx, `
+		UPDATE document_versions
+		SET title = COALESCE($2, title),
+		    content = COALESCE($3, content),
+		    summary = COALESCE($4, summary),
+		    status = COALESCE($5, status),
+		    updated_at = NOW()
+		WHERE id = $1
+	`, versionID, req.Title, req.Content, req.Summary, req.Status)
+
+	if err != nil || result.RowsAffected() == 0 {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to update version"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Version updated successfully"})
+}
+
+// AdminPublishVersion publishes a document version
+func (h *Handler) AdminPublishVersion(c *gin.Context) {
+	versionID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+	ctx := context.Background()
+
+	// Check current status
+	var status string
+	err = h.db.Pool.QueryRow(ctx, `SELECT status FROM document_versions WHERE id = $1`, versionID).Scan(&status)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
+		return
+	}
+
+	if status != "approved" && status != "review" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Only approved or review versions can be published"})
+		return
+	}
+
+	result, err := h.db.Pool.Exec(ctx, `
+		UPDATE document_versions
+		SET status = 'published',
+		    published_at = NOW(),
+		    approved_by = $2,
+		    updated_at = NOW()
+		WHERE id = $1
+	`, versionID, userID)
+
+	if err != nil || result.RowsAffected() == 0 {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to publish version"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Version published successfully"})
+}
+
+// AdminArchiveVersion archives a document version
+func (h *Handler) AdminArchiveVersion(c *gin.Context) {
+	versionID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
+		return
+	}
+
+	ctx := context.Background()
+
+	result, err := h.db.Pool.Exec(ctx, `
+		UPDATE document_versions
+		SET status = 'archived', updated_at = NOW()
+		WHERE id = $1
+	`, versionID)
+
+	if err != nil || result.RowsAffected() == 0 {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Version archived successfully"})
+}
+
+// AdminDeleteVersion permanently deletes a draft/rejected version
+// Only draft and rejected versions can be deleted. Published versions must be archived.
+func (h *Handler) AdminDeleteVersion(c *gin.Context) {
+	versionID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
+		return
+	}
+
+	ctx := context.Background()
+
+	// First check the version status - only draft/rejected can be deleted
+	var status string
+	var version string
+	var docID uuid.UUID
+	err = h.db.Pool.QueryRow(ctx, `
+		SELECT status, version, document_id FROM document_versions WHERE id = $1
+	`, versionID).Scan(&status, &version, &docID)
+
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
+		return
+	}
+
+	// Only allow deletion of draft and rejected versions
+	if status != "draft" && status != "rejected" {
+		c.JSON(http.StatusForbidden, gin.H{
+			"error":   "Cannot delete version",
+			"message": "Only draft or rejected versions can be deleted. Published versions must be archived instead.",
+			"status":  status,
+		})
+		return
+	}
+
+	// Delete the version
+	result, err := h.db.Pool.Exec(ctx, `
+		DELETE FROM document_versions WHERE id = $1
+	`, versionID)
+
+	if err != nil || result.RowsAffected() == 0 {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to delete version"})
+		return
+	}
+
+	// Log the deletion
+	userID, _ := c.Get("user_id")
+	h.db.Pool.Exec(ctx, `
+		INSERT INTO consent_audit_log (action, entity_type, entity_id, user_id, details, ip_address, user_agent)
+		VALUES ('version_deleted', 'document_version', $1, $2, $3, $4, $5)
+	`, versionID, userID, "Version "+version+" permanently deleted", c.ClientIP(), c.Request.UserAgent())
+
+	c.JSON(http.StatusOK, gin.H{
+		"message":          "Version deleted successfully",
+		"deleted_version":  version,
+		"version_id":       versionID,
+	})
+}
diff --git a/consent-service/internal/handlers/admin_operations.go b/consent-service/internal/handlers/admin_operations.go
new file mode 100644
index 0000000..ca69a67
--- /dev/null
+++ b/consent-service/internal/handlers/admin_operations.go
@@ -0,0 +1,319 @@
+package handlers
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// ========================================
+// ADMIN ENDPOINTS - Cookie Categories
+// ========================================
+
+// AdminGetCookieCategories returns all cookie categories
+func (h *Handler) AdminGetCookieCategories(c *gin.Context) {
+	ctx := context.Background()
+
+	rows, err := h.db.Pool.Query(ctx, `
+		SELECT id, name, display_name_de, display_name_en, description_de, description_en,
+		       is_mandatory, sort_order, is_active, created_at, updated_at
+		FROM cookie_categories
+		ORDER BY sort_order ASC
+	`)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch categories"})
+		return
+	}
+	defer rows.Close()
+
+	var categories []models.CookieCategory
+	for rows.Next() {
+		var cat models.CookieCategory
+		if err := rows.Scan(&cat.ID, &cat.Name, &cat.DisplayNameDE, &cat.DisplayNameEN,
+			&cat.DescriptionDE, &cat.DescriptionEN, &cat.IsMandatory, &cat.SortOrder,
+			&cat.IsActive, &cat.CreatedAt, &cat.UpdatedAt); err != nil {
+			continue
+		}
+		categories = append(categories, cat)
+	}
+
+	c.JSON(http.StatusOK, gin.H{"categories": categories})
+}
+
+// AdminCreateCookieCategory creates a new cookie category
+func (h *Handler) AdminCreateCookieCategory(c *gin.Context) {
+	var req models.CreateCookieCategoryRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	ctx := context.Background()
+
+	var catID uuid.UUID
+	err := h.db.Pool.QueryRow(ctx, `
+		INSERT INTO cookie_categories (name, display_name_de, display_name_en, description_de, description_en, is_mandatory, sort_order)
+		VALUES ($1, $2, $3, $4, $5, $6, $7)
+		RETURNING id
+	`, req.Name, req.DisplayNameDE, req.DisplayNameEN, req.DescriptionDE, req.DescriptionEN, req.IsMandatory, req.SortOrder).Scan(&catID)
+
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create category"})
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{
+		"message": "Cookie category created successfully",
+		"id":      catID,
+	})
+}
+
+// AdminUpdateCookieCategory updates a cookie category
+func (h *Handler) AdminUpdateCookieCategory(c *gin.Context) {
+	catID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid category ID"})
+		return
+	}
+
+	var req struct {
+		DisplayNameDE *string `json:"display_name_de"`
+		DisplayNameEN *string `json:"display_name_en"`
+		DescriptionDE *string `json:"description_de"`
+		DescriptionEN *string `json:"description_en"`
+		IsMandatory   *bool   `json:"is_mandatory"`
+		SortOrder     *int    `json:"sort_order"`
+		IsActive      *bool   `json:"is_active"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	ctx := context.Background()
+
+	result, err := h.db.Pool.Exec(ctx, `
+		UPDATE cookie_categories
+		SET display_name_de = COALESCE($2, display_name_de),
+		    display_name_en = COALESCE($3, display_name_en),
+		    description_de = COALESCE($4, description_de),
+		    description_en = COALESCE($5, description_en),
+		    is_mandatory = COALESCE($6, is_mandatory),
+		    sort_order = COALESCE($7, sort_order),
+		    is_active = COALESCE($8, is_active),
+		    updated_at = NOW()
+		WHERE id = $1
+	`, catID, req.DisplayNameDE, req.DisplayNameEN, req.DescriptionDE, req.DescriptionEN,
+		req.IsMandatory, req.SortOrder, req.IsActive)
+
+	if err != nil || result.RowsAffected() == 0 {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Category not found"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Cookie category updated successfully"})
+}
+
+// AdminDeleteCookieCategory soft-deletes a cookie category
+func (h *Handler) AdminDeleteCookieCategory(c *gin.Context) {
+	catID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid category ID"})
+		return
+	}
+
+	ctx := context.Background()
+
+	result, err := h.db.Pool.Exec(ctx, `
+		UPDATE cookie_categories
+		SET is_active = false, updated_at = NOW()
+		WHERE id = $1
+	`, catID)
+
+	if err != nil || result.RowsAffected() == 0 {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Category not found"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Cookie category deleted successfully"})
+}
+
+// ========================================
+// ADMIN ENDPOINTS - Statistics & Audit
+// ========================================
+
+// GetConsentStats returns consent statistics
+func (h *Handler) GetConsentStats(c *gin.Context) {
+	ctx := context.Background()
+	docType := c.Query("document_type")
+
+	var stats models.ConsentStats
+
+	// Total users
+	h.db.Pool.QueryRow(ctx, `SELECT COUNT(*) FROM users`).Scan(&stats.TotalUsers)
+
+	// Consented users (with active consent)
+	query := `
+		SELECT COUNT(DISTINCT uc.user_id)
+		FROM user_consents uc
+		JOIN document_versions dv ON uc.document_version_id = dv.id
+		JOIN legal_documents ld ON dv.document_id = ld.id
+		WHERE uc.consented = true AND uc.withdrawn_at IS NULL
+	`
+	if docType != "" {
+		query += ` AND ld.type = $1`
+		h.db.Pool.QueryRow(ctx, query, docType).Scan(&stats.ConsentedUsers)
+	} else {
+		h.db.Pool.QueryRow(ctx, query).Scan(&stats.ConsentedUsers)
+	}
+
+	// Calculate consent rate
+	if stats.TotalUsers > 0 {
+		stats.ConsentRate = float64(stats.ConsentedUsers) / float64(stats.TotalUsers) * 100
+	}
+
+	// Recent consents (last 7 days)
+	h.db.Pool.QueryRow(ctx, `
+		SELECT COUNT(*) FROM user_consents
+		WHERE consented = true AND consented_at > NOW() - INTERVAL '7 days'
+	`).Scan(&stats.RecentConsents)
+
+	// Recent withdrawals
+	h.db.Pool.QueryRow(ctx, `
+		SELECT COUNT(*) FROM user_consents
+		WHERE withdrawn_at IS NOT NULL AND withdrawn_at > NOW() - INTERVAL '7 days'
+	`).Scan(&stats.RecentWithdrawals)
+
+	c.JSON(http.StatusOK, stats)
+}
+
+// GetCookieStats returns cookie consent statistics
+func (h *Handler) GetCookieStats(c *gin.Context) {
+	ctx := context.Background()
+
+	rows, err := h.db.Pool.Query(ctx, `
+		SELECT cat.name,
+		       COUNT(DISTINCT u.id) as total_users,
+		       COUNT(DISTINCT CASE WHEN cc.consented = true THEN cc.user_id END) as consented_users
+		FROM cookie_categories cat
+		CROSS JOIN users u
+		LEFT JOIN cookie_consents cc ON cat.id = cc.category_id AND u.id = cc.user_id
+		WHERE cat.is_active = true
+		GROUP BY cat.id, cat.name
+		ORDER BY cat.sort_order
+	`)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch stats"})
+		return
+	}
+	defer rows.Close()
+
+	var stats []models.CookieStats
+	for rows.Next() {
+		var s models.CookieStats
+		if err := rows.Scan(&s.Category, &s.TotalUsers, &s.ConsentedUsers); err != nil {
+			continue
+		}
+		if s.TotalUsers > 0 {
+			s.ConsentRate = float64(s.ConsentedUsers) / float64(s.TotalUsers) * 100
+		}
+		stats = append(stats, s)
+	}
+
+	c.JSON(http.StatusOK, gin.H{"cookie_stats": stats})
+}
+
+// GetAuditLog returns audit log entries
+func (h *Handler) GetAuditLog(c *gin.Context) {
+	ctx := context.Background()
+
+	// Pagination
+	limit := 50
+	offset := 0
+	if l := c.Query("limit"); l != "" {
+		if parsed, err := parseIntFromQuery(l); err == nil && parsed > 0 {
+			limit = parsed
+		}
+	}
+	if o := c.Query("offset"); o != "" {
+		if parsed, err := parseIntFromQuery(o); err == nil && parsed >= 0 {
+			offset = parsed
+		}
+	}
+
+	// Filters
+	userIDFilter := c.Query("user_id")
+	actionFilter := c.Query("action")
+
+	query := `
+		SELECT al.id, al.user_id, al.action, al.entity_type, al.entity_id, al.details,
+		       al.ip_address, al.user_agent, al.created_at, u.email
+		FROM consent_audit_log al
+		LEFT JOIN users u ON al.user_id = u.id
+		WHERE 1=1
+	`
+	args := []interface{}{}
+	argCount := 0
+
+	if userIDFilter != "" {
+		argCount++
+		query += fmt.Sprintf(" AND al.user_id = $%d", argCount)
+		args = append(args, userIDFilter)
+	}
+	if actionFilter != "" {
+		argCount++
+		query += fmt.Sprintf(" AND al.action = $%d", argCount)
+		args = append(args, actionFilter)
+	}
+
+	query += fmt.Sprintf(" ORDER BY al.created_at DESC LIMIT $%d OFFSET $%d", argCount+1, argCount+2)
+	args = append(args, limit, offset)
+
+	rows, err := h.db.Pool.Query(ctx, query, args...)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch audit log"})
+		return
+	}
+	defer rows.Close()
+
+	var logs []map[string]interface{}
+	for rows.Next() {
+		var (
+			id         uuid.UUID
+			userIDPtr  *uuid.UUID
+			action     string
+			entityType *string
+			entityID   *uuid.UUID
+			details    *string
+			ipAddress  *string
+			userAgent  *string
+			createdAt  time.Time
+			email      *string
+		)
+
+		if err := rows.Scan(&id, &userIDPtr, &action, &entityType, &entityID, &details,
+			&ipAddress, &userAgent, &createdAt, &email); err != nil {
+			continue
+		}
+
+		logs = append(logs, map[string]interface{}{
+			"id":          id,
+			"user_id":     userIDPtr,
+			"user_email":  email,
+			"action":      action,
+			"entity_type": entityType,
+			"entity_id":   entityID,
+			"details":     details,
+			"ip_address":  ipAddress,
+			"user_agent":  userAgent,
+			"created_at":  createdAt,
+		})
+	}
+
+	c.JSON(http.StatusOK, gin.H{"audit_log": logs})
+}
diff --git a/consent-service/internal/handlers/banner_config_handlers.go b/consent-service/internal/handlers/banner_config_handlers.go
new file mode 100644
index 0000000..1f699b0
--- /dev/null
+++ b/consent-service/internal/handlers/banner_config_handlers.go
@@ -0,0 +1,265 @@
+package handlers
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// GetSiteConfig gibt die Konfiguration für eine Site zurück
+// GET /api/v1/banner/config/:siteId
+func (h *Handler) GetSiteConfig(c *gin.Context) {
+	siteID := c.Param("siteId")
+
+	// Standard-Kategorien (aus Datenbank oder Default)
+	categories := []CategoryConfig{
+		{
+			ID: "essential",
+			Name: map[string]string{
+				"de": "Essentiell",
+				"en": "Essential",
+			},
+			Description: map[string]string{
+				"de": "Notwendig für die Grundfunktionen der Website.",
+				"en": "Required for basic website functionality.",
+			},
+			Required: true,
+			Vendors:  []VendorConfig{},
+		},
+		{
+			ID: "functional",
+			Name: map[string]string{
+				"de": "Funktional",
+				"en": "Functional",
+			},
+			Description: map[string]string{
+				"de": "Ermöglicht Personalisierung und Komfortfunktionen.",
+				"en": "Enables personalization and comfort features.",
+			},
+			Required: false,
+			Vendors:  []VendorConfig{},
+		},
+		{
+			ID: "analytics",
+			Name: map[string]string{
+				"de": "Statistik",
+				"en": "Analytics",
+			},
+			Description: map[string]string{
+				"de": "Hilft uns, die Website zu verbessern.",
+				"en": "Helps us improve the website.",
+			},
+			Required: false,
+			Vendors:  []VendorConfig{},
+		},
+		{
+			ID: "marketing",
+			Name: map[string]string{
+				"de": "Marketing",
+				"en": "Marketing",
+			},
+			Description: map[string]string{
+				"de": "Ermöglicht personalisierte Werbung.",
+				"en": "Enables personalized advertising.",
+			},
+			Required: false,
+			Vendors:  []VendorConfig{},
+		},
+		{
+			ID: "social",
+			Name: map[string]string{
+				"de": "Soziale Medien",
+				"en": "Social Media",
+			},
+			Description: map[string]string{
+				"de": "Ermöglicht Inhalte von sozialen Netzwerken.",
+				"en": "Enables content from social networks.",
+			},
+			Required: false,
+			Vendors:  []VendorConfig{},
+		},
+	}
+
+	config := SiteConfig{
+		SiteID:     siteID,
+		SiteName:   "BreakPilot",
+		Categories: categories,
+		UI: UIConfig{
+			Theme:    "auto",
+			Position: "bottom",
+		},
+		Legal: LegalConfig{
+			PrivacyPolicyURL: "/datenschutz",
+			ImprintURL:       "/impressum",
+		},
+	}
+
+	c.JSON(http.StatusOK, config)
+}
+
+// ExportBannerConsent exportiert alle Consent-Daten eines Nutzers (DSGVO Art. 20)
+// GET /api/v1/banner/consent/export?userId=xxx
+func (h *Handler) ExportBannerConsent(c *gin.Context) {
+	userID := c.Query("userId")
+
+	if userID == "" {
+		c.JSON(http.StatusBadRequest, gin.H{
+			"error":   "missing_user_id",
+			"message": "userId parameter is required",
+		})
+		return
+	}
+
+	ctx := context.Background()
+
+	rows, err := h.db.Pool.Query(ctx, `
+		SELECT id, site_id, device_fingerprint, categories, vendors,
+			   version, created_at, updated_at, revoked_at
+		FROM banner_consents
+		WHERE user_id = $1
+		ORDER BY created_at DESC
+	`, userID)
+
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{
+			"error":   "export_failed",
+			"message": "Failed to export consent data",
+		})
+		return
+	}
+	defer rows.Close()
+
+	var consents []map[string]interface{}
+	for rows.Next() {
+		var id, siteID, deviceFingerprint, version string
+		var categoriesJSON, vendorsJSON []byte
+		var createdAt, updatedAt time.Time
+		var revokedAt *time.Time
+
+		rows.Scan(&id, &siteID, &deviceFingerprint, &categoriesJSON, &vendorsJSON,
+			&version, &createdAt, &updatedAt, &revokedAt)
+
+		var categories, vendors map[string]bool
+		json.Unmarshal(categoriesJSON, &categories)
+		json.Unmarshal(vendorsJSON, &vendors)
+
+		consent := map[string]interface{}{
+			"consentId": id,
+			"siteId":    siteID,
+			"consent": map[string]interface{}{
+				"categories": categories,
+				"vendors":    vendors,
+			},
+			"createdAt": createdAt.UTC().Format(time.RFC3339),
+			"revokedAt": nil,
+		}
+
+		if revokedAt != nil {
+			consent["revokedAt"] = revokedAt.UTC().Format(time.RFC3339)
+		}
+
+		consents = append(consents, consent)
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"userId":     userID,
+		"exportedAt": time.Now().UTC().Format(time.RFC3339),
+		"consents":   consents,
+	})
+}
+
+// GetBannerStats gibt anonymisierte Statistiken zurück (Admin)
+// GET /api/v1/banner/admin/stats/:siteId
+func (h *Handler) GetBannerStats(c *gin.Context) {
+	siteID := c.Param("siteId")
+
+	ctx := context.Background()
+
+	// Gesamtanzahl Consents
+	var totalConsents int
+	h.db.Pool.QueryRow(ctx, `
+		SELECT COUNT(*) FROM banner_consents
+		WHERE site_id = $1 AND revoked_at IS NULL
+	`, siteID).Scan(&totalConsents)
+
+	// Consent-Rate pro Kategorie
+	categoryStats := make(map[string]map[string]interface{})
+
+	rows, _ := h.db.Pool.Query(ctx, `
+		SELECT
+			key as category,
+			COUNT(*) FILTER (WHERE value::text = 'true') as accepted,
+			COUNT(*) as total
+		FROM banner_consents,
+			 jsonb_each(categories::jsonb)
+		WHERE site_id = $1 AND revoked_at IS NULL
+		GROUP BY key
+	`, siteID)
+
+	if rows != nil {
+		defer rows.Close()
+		for rows.Next() {
+			var category string
+			var accepted, total int
+			rows.Scan(&category, &accepted, &total)
+
+			rate := float64(0)
+			if total > 0 {
+				rate = float64(accepted) / float64(total)
+			}
+
+			categoryStats[category] = map[string]interface{}{
+				"accepted": accepted,
+				"rate":     rate,
+			}
+		}
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"siteId": siteID,
+		"period": gin.H{
+			"from": time.Now().AddDate(0, -1, 0).Format("2006-01-02"),
+			"to":   time.Now().Format("2006-01-02"),
+		},
+		"totalConsents":     totalConsents,
+		"consentByCategory": categoryStats,
+	})
+}
+
+// ========================================
+// Helper Functions
+// ========================================
+
+// anonymizeIP anonymisiert eine IP-Adresse (DSGVO-konform)
+func anonymizeIP(ip string) string {
+	// IPv4: Letztes Oktett auf 0
+	parts := strings.Split(ip, ".")
+	if len(parts) == 4 {
+		parts[3] = "0"
+		anonymized := strings.Join(parts, ".")
+		hash := sha256.Sum256([]byte(anonymized))
+		return hex.EncodeToString(hash[:])[:16]
+	}
+
+	// IPv6: Hash
+	hash := sha256.Sum256([]byte(ip))
+	return hex.EncodeToString(hash[:])[:16]
+}
+
+// logBannerConsentAudit schreibt einen Audit-Log-Eintrag
+func (h *Handler) logBannerConsentAudit(ctx context.Context, consentID, action string, req interface{}, ipHash string) {
+	details, _ := json.Marshal(req)
+
+	h.db.Pool.Exec(ctx, `
+		INSERT INTO banner_consent_audit_log (
+			id, consent_id, action, details, ip_hash, created_at
+		) VALUES ($1, $2, $3, $4, $5, NOW())
+	`, uuid.New().String(), consentID, action, string(details), ipHash)
+}
diff --git a/consent-service/internal/handlers/banner_handlers.go b/consent-service/internal/handlers/banner_handlers.go
index 71aa7b8..aa87bc1 100644
--- a/consent-service/internal/handlers/banner_handlers.go
+++ b/consent-service/internal/handlers/banner_handlers.go
@@ -2,11 +2,8 @@ package handlers
 
 import (
 	"context"
-	"crypto/sha256"
-	"encoding/hex"
 	"encoding/json"
 	"net/http"
-	"strings"
 	"time"
 
 	"github.com/gin-gonic/gin"
@@ -308,254 +305,3 @@ func (h *Handler) RevokeBannerConsent(c *gin.Context) {
 		"revokedAt": time.Now().UTC().Format(time.RFC3339),
 	})
 }
-
-// GetSiteConfig gibt die Konfiguration für eine Site zurück
-// GET /api/v1/banner/config/:siteId
-func (h *Handler) GetSiteConfig(c *gin.Context) {
-	siteID := c.Param("siteId")
-
-	// Standard-Kategorien (aus Datenbank oder Default)
-	categories := []CategoryConfig{
-		{
-			ID: "essential",
-			Name: map[string]string{
-				"de": "Essentiell",
-				"en": "Essential",
-			},
-			Description: map[string]string{
-				"de": "Notwendig für die Grundfunktionen der Website.",
-				"en": "Required for basic website functionality.",
-			},
-			Required: true,
-			Vendors:  []VendorConfig{},
-		},
-		{
-			ID: "functional",
-			Name: map[string]string{
-				"de": "Funktional",
-				"en": "Functional",
-			},
-			Description: map[string]string{
-				"de": "Ermöglicht Personalisierung und Komfortfunktionen.",
-				"en": "Enables personalization and comfort features.",
-			},
-			Required: false,
-			Vendors:  []VendorConfig{},
-		},
-		{
-			ID: "analytics",
-			Name: map[string]string{
-				"de": "Statistik",
-				"en": "Analytics",
-			},
-			Description: map[string]string{
-				"de": "Hilft uns, die Website zu verbessern.",
-				"en": "Helps us improve the website.",
-			},
-			Required: false,
-			Vendors:  []VendorConfig{},
-		},
-		{
-			ID: "marketing",
-			Name: map[string]string{
-				"de": "Marketing",
-				"en": "Marketing",
-			},
-			Description: map[string]string{
-				"de": "Ermöglicht personalisierte Werbung.",
-				"en": "Enables personalized advertising.",
-			},
-			Required: false,
-			Vendors:  []VendorConfig{},
-		},
-		{
-			ID: "social",
-			Name: map[string]string{
-				"de": "Soziale Medien",
-				"en": "Social Media",
-			},
-			Description: map[string]string{
-				"de": "Ermöglicht Inhalte von sozialen Netzwerken.",
-				"en": "Enables content from social networks.",
-			},
-			Required: false,
-			Vendors:  []VendorConfig{},
-		},
-	}
-
-	config := SiteConfig{
-		SiteID:     siteID,
-		SiteName:   "BreakPilot",
-		Categories: categories,
-		UI: UIConfig{
-			Theme:    "auto",
-			Position: "bottom",
-		},
-		Legal: LegalConfig{
-			PrivacyPolicyURL: "/datenschutz",
-			ImprintURL:       "/impressum",
-		},
-	}
-
-	c.JSON(http.StatusOK, config)
-}
-
-// ExportBannerConsent exportiert alle Consent-Daten eines Nutzers (DSGVO Art. 20)
-// GET /api/v1/banner/consent/export?userId=xxx
-func (h *Handler) ExportBannerConsent(c *gin.Context) {
-	userID := c.Query("userId")
-
-	if userID == "" {
-		c.JSON(http.StatusBadRequest, gin.H{
-			"error":   "missing_user_id",
-			"message": "userId parameter is required",
-		})
-		return
-	}
-
-	ctx := context.Background()
-
-	rows, err := h.db.Pool.Query(ctx, `
-		SELECT id, site_id, device_fingerprint, categories, vendors,
-			   version, created_at, updated_at, revoked_at
-		FROM banner_consents
-		WHERE user_id = $1
-		ORDER BY created_at DESC
-	`, userID)
-
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{
-			"error":   "export_failed",
-			"message": "Failed to export consent data",
-		})
-		return
-	}
-	defer rows.Close()
-
-	var consents []map[string]interface{}
-	for rows.Next() {
-		var id, siteID, deviceFingerprint, version string
-		var categoriesJSON, vendorsJSON []byte
-		var createdAt, updatedAt time.Time
-		var revokedAt *time.Time
-
-		rows.Scan(&id, &siteID, &deviceFingerprint, &categoriesJSON, &vendorsJSON,
-			&version, &createdAt, &updatedAt, &revokedAt)
-
-		var categories, vendors map[string]bool
-		json.Unmarshal(categoriesJSON, &categories)
-		json.Unmarshal(vendorsJSON, &vendors)
-
-		consent := map[string]interface{}{
-			"consentId": id,
-			"siteId":    siteID,
-			"consent": map[string]interface{}{
-				"categories": categories,
-				"vendors":    vendors,
-			},
-			"createdAt": createdAt.UTC().Format(time.RFC3339),
-			"revokedAt": nil,
-		}
-
-		if revokedAt != nil {
-			consent["revokedAt"] = revokedAt.UTC().Format(time.RFC3339)
-		}
-
-		consents = append(consents, consent)
-	}
-
-	c.JSON(http.StatusOK, gin.H{
-		"userId":     userID,
-		"exportedAt": time.Now().UTC().Format(time.RFC3339),
-		"consents":   consents,
-	})
-}
-
-// GetBannerStats gibt anonymisierte Statistiken zurück (Admin)
-// GET /api/v1/banner/admin/stats/:siteId
-func (h *Handler) GetBannerStats(c *gin.Context) {
-	siteID := c.Param("siteId")
-
-	ctx := context.Background()
-
-	// Gesamtanzahl Consents
-	var totalConsents int
-	h.db.Pool.QueryRow(ctx, `
-		SELECT COUNT(*) FROM banner_consents
-		WHERE site_id = $1 AND revoked_at IS NULL
-	`, siteID).Scan(&totalConsents)
-
-	// Consent-Rate pro Kategorie
-	categoryStats := make(map[string]map[string]interface{})
-
-	rows, _ := h.db.Pool.Query(ctx, `
-		SELECT
-			key as category,
-			COUNT(*) FILTER (WHERE value::text = 'true') as accepted,
-			COUNT(*) as total
-		FROM banner_consents,
-			 jsonb_each(categories::jsonb)
-		WHERE site_id = $1 AND revoked_at IS NULL
-		GROUP BY key
-	`, siteID)
-
-	if rows != nil {
-		defer rows.Close()
-		for rows.Next() {
-			var category string
-			var accepted, total int
-			rows.Scan(&category, &accepted, &total)
-
-			rate := float64(0)
-			if total > 0 {
-				rate = float64(accepted) / float64(total)
-			}
-
-			categoryStats[category] = map[string]interface{}{
-				"accepted": accepted,
-				"rate":     rate,
-			}
-		}
-	}
-
-	c.JSON(http.StatusOK, gin.H{
-		"siteId": siteID,
-		"period": gin.H{
-			"from": time.Now().AddDate(0, -1, 0).Format("2006-01-02"),
-			"to":   time.Now().Format("2006-01-02"),
-		},
-		"totalConsents":     totalConsents,
-		"consentByCategory": categoryStats,
-	})
-}
-
-// ========================================
-// Helper Functions
-// ========================================
-
-// anonymizeIP anonymisiert eine IP-Adresse (DSGVO-konform)
-func anonymizeIP(ip string) string {
-	// IPv4: Letztes Oktett auf 0
-	parts := strings.Split(ip, ".")
-	if len(parts) == 4 {
-		parts[3] = "0"
-		anonymized := strings.Join(parts, ".")
-		hash := sha256.Sum256([]byte(anonymized))
-		return hex.EncodeToString(hash[:])[:16]
-	}
-
-	// IPv6: Hash
-	hash := sha256.Sum256([]byte(ip))
-	return hex.EncodeToString(hash[:])[:16]
-}
-
-// logBannerConsentAudit schreibt einen Audit-Log-Eintrag
-func (h *Handler) logBannerConsentAudit(ctx context.Context, consentID, action string, req interface{}, ipHash string) {
-	details, _ := json.Marshal(req)
-
-	h.db.Pool.Exec(ctx, `
-		INSERT INTO banner_consent_audit_log (
-			id, consent_id, action, details, ip_hash, created_at
-		) VALUES ($1, $2, $3, $4, $5, NOW())
-	`, uuid.New().String(), consentID, action, string(details), ipHash)
-}
diff --git a/consent-service/internal/handlers/communication_handlers.go b/consent-service/internal/handlers/communication_handlers.go
index 8c45607..e72d251 100644
--- a/consent-service/internal/handlers/communication_handlers.go
+++ b/consent-service/internal/handlers/communication_handlers.go
@@ -273,239 +273,3 @@ func (h *CommunicationHandlers) RegisterMatrixUser(c *gin.Context) {
 		"user_id": resp.UserID,
 	})
 }
-
-// ========================================
-// Jitsi Video Conference Endpoints
-// ========================================
-
-// CreateMeetingRequest for creating Jitsi meetings
-type CreateMeetingRequest struct {
-	Type        string    `json:"type" binding:"required"` // "quick", "training", "parent_teacher", "class"
-	Title       string    `json:"title,omitempty"`
-	DisplayName string    `json:"display_name"`
-	Email       string    `json:"email,omitempty"`
-	Duration    int       `json:"duration,omitempty"` // minutes
-	ClassName   string    `json:"class_name,omitempty"`
-	ParentName  string    `json:"parent_name,omitempty"`
-	StudentName string    `json:"student_name,omitempty"`
-	Subject     string    `json:"subject,omitempty"`
-	StartTime   time.Time `json:"start_time,omitempty"`
-}
-
-// CreateMeeting creates a new Jitsi meeting
-func (h *CommunicationHandlers) CreateMeeting(c *gin.Context) {
-	if h.jitsiService == nil {
-		c.JSON(http.StatusServiceUnavailable, gin.H{"error": "Jitsi service not configured"})
-		return
-	}
-
-	var req CreateMeetingRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	ctx := c.Request.Context()
-	var link *jitsi.MeetingLink
-	var err error
-
-	switch req.Type {
-	case "quick":
-		link, err = h.jitsiService.CreateQuickMeeting(ctx, req.DisplayName)
-	case "training":
-		link, err = h.jitsiService.CreateTrainingSession(ctx, req.Title, req.DisplayName, req.Email, req.Duration)
-	case "parent_teacher":
-		link, err = h.jitsiService.CreateParentTeacherMeeting(ctx, req.DisplayName, req.ParentName, req.StudentName, req.StartTime)
-	case "class":
-		link, err = h.jitsiService.CreateClassMeeting(ctx, req.ClassName, req.DisplayName, req.Subject)
-	default:
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid meeting type. Use: quick, training, parent_teacher, class"})
-		return
-	}
-
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusCreated, gin.H{
-		"room_name":     link.RoomName,
-		"url":           link.URL,
-		"join_url":      link.JoinURL,
-		"moderator_url": link.ModeratorURL,
-		"password":      link.Password,
-		"expires_at":    link.ExpiresAt,
-	})
-}
-
-// GetEmbedURLRequest for embedding Jitsi
-type GetEmbedURLRequest struct {
-	RoomName    string `json:"room_name" binding:"required"`
-	DisplayName string `json:"display_name"`
-	AudioMuted  bool   `json:"audio_muted"`
-	VideoMuted  bool   `json:"video_muted"`
-}
-
-// GetEmbedURL returns an embeddable Jitsi URL
-func (h *CommunicationHandlers) GetEmbedURL(c *gin.Context) {
-	if h.jitsiService == nil {
-		c.JSON(http.StatusServiceUnavailable, gin.H{"error": "Jitsi service not configured"})
-		return
-	}
-
-	var req GetEmbedURLRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	config := &jitsi.MeetingConfig{
-		StartWithAudioMuted: req.AudioMuted,
-		StartWithVideoMuted: req.VideoMuted,
-		DisableDeepLinking:  true,
-	}
-
-	embedURL := h.jitsiService.BuildEmbedURL(req.RoomName, req.DisplayName, config)
-	iframeCode := h.jitsiService.BuildIFrameCode(req.RoomName, 800, 600)
-
-	c.JSON(http.StatusOK, gin.H{
-		"embed_url":   embedURL,
-		"iframe_code": iframeCode,
-	})
-}
-
-// GetJitsiInfo returns Jitsi server information
-func (h *CommunicationHandlers) GetJitsiInfo(c *gin.Context) {
-	if h.jitsiService == nil {
-		c.JSON(http.StatusServiceUnavailable, gin.H{"error": "Jitsi service not configured"})
-		return
-	}
-
-	info := h.jitsiService.GetServerInfo()
-	c.JSON(http.StatusOK, info)
-}
-
-// ========================================
-// Admin Statistics Endpoints (for Admin Panel)
-// ========================================
-
-// CommunicationStats holds communication service statistics
-type CommunicationStats struct {
-	Matrix MatrixStats `json:"matrix"`
-	Jitsi  JitsiStats  `json:"jitsi"`
-}
-
-// MatrixStats holds Matrix-specific statistics
-type MatrixStats struct {
-	Enabled    bool   `json:"enabled"`
-	Healthy    bool   `json:"healthy"`
-	ServerName string `json:"server_name"`
-	// TODO: Add real stats from Matrix Synapse Admin API
-	TotalUsers   int `json:"total_users"`
-	TotalRooms   int `json:"total_rooms"`
-	ActiveToday  int `json:"active_today"`
-	MessagesToday int `json:"messages_today"`
-}
-
-// JitsiStats holds Jitsi-specific statistics
-type JitsiStats struct {
-	Enabled     bool   `json:"enabled"`
-	Healthy     bool   `json:"healthy"`
-	BaseURL     string `json:"base_url"`
-	AuthEnabled bool   `json:"auth_enabled"`
-	// TODO: Add real stats from Jitsi SRTP API or Jicofo
-	ActiveMeetings    int `json:"active_meetings"`
-	TotalParticipants int `json:"total_participants"`
-	MeetingsToday     int `json:"meetings_today"`
-	AvgDurationMin    int `json:"avg_duration_min"`
-}
-
-// GetAdminStats returns admin statistics for Matrix and Jitsi
-func (h *CommunicationHandlers) GetAdminStats(c *gin.Context) {
-	ctx := c.Request.Context()
-
-	stats := CommunicationStats{}
-
-	// Matrix Stats
-	if h.matrixService != nil {
-		matrixErr := h.matrixService.HealthCheck(ctx)
-		stats.Matrix = MatrixStats{
-			Enabled:      true,
-			Healthy:      matrixErr == nil,
-			ServerName:   h.matrixService.GetServerName(),
-			// Placeholder stats - in production these would come from Synapse Admin API
-			TotalUsers:    0,
-			TotalRooms:    0,
-			ActiveToday:   0,
-			MessagesToday: 0,
-		}
-	} else {
-		stats.Matrix = MatrixStats{Enabled: false}
-	}
-
-	// Jitsi Stats
-	if h.jitsiService != nil {
-		jitsiErr := h.jitsiService.HealthCheck(ctx)
-		serverInfo := h.jitsiService.GetServerInfo()
-		stats.Jitsi = JitsiStats{
-			Enabled:           true,
-			Healthy:           jitsiErr == nil,
-			BaseURL:           serverInfo["base_url"],
-			AuthEnabled:       serverInfo["auth_enabled"] == "true",
-			// Placeholder stats - in production these would come from Jicofo/JVB stats
-			ActiveMeetings:    0,
-			TotalParticipants: 0,
-			MeetingsToday:     0,
-			AvgDurationMin:    0,
-		}
-	} else {
-		stats.Jitsi = JitsiStats{Enabled: false}
-	}
-
-	c.JSON(http.StatusOK, stats)
-}
-
-// ========================================
-// Helper Functions
-// ========================================
-
-func errToString(err error) string {
-	if err == nil {
-		return ""
-	}
-	return err.Error()
-}
-
-// RegisterRoutes registers all communication routes
-func (h *CommunicationHandlers) RegisterRoutes(router *gin.RouterGroup, jwtSecret string, authMiddleware gin.HandlerFunc) {
-	comm := router.Group("/communication")
-	{
-		// Public health check
-		comm.GET("/status", h.GetCommunicationStatus)
-
-		// Protected routes
-		protected := comm.Group("")
-		protected.Use(authMiddleware)
-		{
-			// Matrix
-			protected.POST("/rooms", h.CreateRoom)
-			protected.POST("/rooms/invite", h.InviteUser)
-			protected.POST("/messages", h.SendMessage)
-			protected.POST("/notifications", h.SendNotification)
-
-			// Jitsi
-			protected.POST("/meetings", h.CreateMeeting)
-			protected.POST("/meetings/embed", h.GetEmbedURL)
-			protected.GET("/jitsi/info", h.GetJitsiInfo)
-		}
-
-		// Admin routes (for Matrix user registration and stats)
-		admin := comm.Group("/admin")
-		admin.Use(authMiddleware)
-		// TODO: Add AdminOnly middleware
-		{
-			admin.POST("/matrix/users", h.RegisterMatrixUser)
-			admin.GET("/stats", h.GetAdminStats)
-		}
-	}
-}
diff --git a/consent-service/internal/handlers/communication_jitsi_handlers.go b/consent-service/internal/handlers/communication_jitsi_handlers.go
new file mode 100644
index 0000000..ca5018d
--- /dev/null
+++ b/consent-service/internal/handlers/communication_jitsi_handlers.go
@@ -0,0 +1,245 @@
+package handlers
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/services/jitsi"
+	"github.com/gin-gonic/gin"
+)
+
+// ========================================
+// Jitsi Video Conference Endpoints
+// ========================================
+
+// CreateMeetingRequest for creating Jitsi meetings
+type CreateMeetingRequest struct {
+	Type        string    `json:"type" binding:"required"` // "quick", "training", "parent_teacher", "class"
+	Title       string    `json:"title,omitempty"`
+	DisplayName string    `json:"display_name"`
+	Email       string    `json:"email,omitempty"`
+	Duration    int       `json:"duration,omitempty"` // minutes
+	ClassName   string    `json:"class_name,omitempty"`
+	ParentName  string    `json:"parent_name,omitempty"`
+	StudentName string    `json:"student_name,omitempty"`
+	Subject     string    `json:"subject,omitempty"`
+	StartTime   time.Time `json:"start_time,omitempty"`
+}
+
+// CreateMeeting creates a new Jitsi meeting
+func (h *CommunicationHandlers) CreateMeeting(c *gin.Context) {
+	if h.jitsiService == nil {
+		c.JSON(http.StatusServiceUnavailable, gin.H{"error": "Jitsi service not configured"})
+		return
+	}
+
+	var req CreateMeetingRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx := c.Request.Context()
+	var link *jitsi.MeetingLink
+	var err error
+
+	switch req.Type {
+	case "quick":
+		link, err = h.jitsiService.CreateQuickMeeting(ctx, req.DisplayName)
+	case "training":
+		link, err = h.jitsiService.CreateTrainingSession(ctx, req.Title, req.DisplayName, req.Email, req.Duration)
+	case "parent_teacher":
+		link, err = h.jitsiService.CreateParentTeacherMeeting(ctx, req.DisplayName, req.ParentName, req.StudentName, req.StartTime)
+	case "class":
+		link, err = h.jitsiService.CreateClassMeeting(ctx, req.ClassName, req.DisplayName, req.Subject)
+	default:
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid meeting type. Use: quick, training, parent_teacher, class"})
+		return
+	}
+
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{
+		"room_name":     link.RoomName,
+		"url":           link.URL,
+		"join_url":      link.JoinURL,
+		"moderator_url": link.ModeratorURL,
+		"password":      link.Password,
+		"expires_at":    link.ExpiresAt,
+	})
+}
+
+// GetEmbedURLRequest for embedding Jitsi
+type GetEmbedURLRequest struct {
+	RoomName    string `json:"room_name" binding:"required"`
+	DisplayName string `json:"display_name"`
+	AudioMuted  bool   `json:"audio_muted"`
+	VideoMuted  bool   `json:"video_muted"`
+}
+
+// GetEmbedURL returns an embeddable Jitsi URL
+func (h *CommunicationHandlers) GetEmbedURL(c *gin.Context) {
+	if h.jitsiService == nil {
+		c.JSON(http.StatusServiceUnavailable, gin.H{"error": "Jitsi service not configured"})
+		return
+	}
+
+	var req GetEmbedURLRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	config := &jitsi.MeetingConfig{
+		StartWithAudioMuted: req.AudioMuted,
+		StartWithVideoMuted: req.VideoMuted,
+		DisableDeepLinking:  true,
+	}
+
+	embedURL := h.jitsiService.BuildEmbedURL(req.RoomName, req.DisplayName, config)
+	iframeCode := h.jitsiService.BuildIFrameCode(req.RoomName, 800, 600)
+
+	c.JSON(http.StatusOK, gin.H{
+		"embed_url":   embedURL,
+		"iframe_code": iframeCode,
+	})
+}
+
+// GetJitsiInfo returns Jitsi server information
+func (h *CommunicationHandlers) GetJitsiInfo(c *gin.Context) {
+	if h.jitsiService == nil {
+		c.JSON(http.StatusServiceUnavailable, gin.H{"error": "Jitsi service not configured"})
+		return
+	}
+
+	info := h.jitsiService.GetServerInfo()
+	c.JSON(http.StatusOK, info)
+}
+
+// ========================================
+// Admin Statistics Endpoints (for Admin Panel)
+// ========================================
+
+// CommunicationStats holds communication service statistics
+type CommunicationStats struct {
+	Matrix MatrixStats `json:"matrix"`
+	Jitsi  JitsiStats  `json:"jitsi"`
+}
+
+// MatrixStats holds Matrix-specific statistics
+type MatrixStats struct {
+	Enabled    bool   `json:"enabled"`
+	Healthy    bool   `json:"healthy"`
+	ServerName string `json:"server_name"`
+	// TODO: Add real stats from Matrix Synapse Admin API
+	TotalUsers   int `json:"total_users"`
+	TotalRooms   int `json:"total_rooms"`
+	ActiveToday  int `json:"active_today"`
+	MessagesToday int `json:"messages_today"`
+}
+
+// JitsiStats holds Jitsi-specific statistics
+type JitsiStats struct {
+	Enabled     bool   `json:"enabled"`
+	Healthy     bool   `json:"healthy"`
+	BaseURL     string `json:"base_url"`
+	AuthEnabled bool   `json:"auth_enabled"`
+	// TODO: Add real stats from Jitsi SRTP API or Jicofo
+	ActiveMeetings    int `json:"active_meetings"`
+	TotalParticipants int `json:"total_participants"`
+	MeetingsToday     int `json:"meetings_today"`
+	AvgDurationMin    int `json:"avg_duration_min"`
+}
+
+// GetAdminStats returns admin statistics for Matrix and Jitsi
+func (h *CommunicationHandlers) GetAdminStats(c *gin.Context) {
+	ctx := c.Request.Context()
+
+	stats := CommunicationStats{}
+
+	// Matrix Stats
+	if h.matrixService != nil {
+		matrixErr := h.matrixService.HealthCheck(ctx)
+		stats.Matrix = MatrixStats{
+			Enabled:      true,
+			Healthy:      matrixErr == nil,
+			ServerName:   h.matrixService.GetServerName(),
+			// Placeholder stats - in production these would come from Synapse Admin API
+			TotalUsers:    0,
+			TotalRooms:    0,
+			ActiveToday:   0,
+			MessagesToday: 0,
+		}
+	} else {
+		stats.Matrix = MatrixStats{Enabled: false}
+	}
+
+	// Jitsi Stats
+	if h.jitsiService != nil {
+		jitsiErr := h.jitsiService.HealthCheck(ctx)
+		serverInfo := h.jitsiService.GetServerInfo()
+		stats.Jitsi = JitsiStats{
+			Enabled:           true,
+			Healthy:           jitsiErr == nil,
+			BaseURL:           serverInfo["base_url"],
+			AuthEnabled:       serverInfo["auth_enabled"] == "true",
+			// Placeholder stats - in production these would come from Jicofo/JVB stats
+			ActiveMeetings:    0,
+			TotalParticipants: 0,
+			MeetingsToday:     0,
+			AvgDurationMin:    0,
+		}
+	} else {
+		stats.Jitsi = JitsiStats{Enabled: false}
+	}
+
+	c.JSON(http.StatusOK, stats)
+}
+
+// ========================================
+// Helper Functions
+// ========================================
+
+func errToString(err error) string {
+	if err == nil {
+		return ""
+	}
+	return err.Error()
+}
+
+// RegisterRoutes registers all communication routes
+func (h *CommunicationHandlers) RegisterRoutes(router *gin.RouterGroup, jwtSecret string, authMiddleware gin.HandlerFunc) {
+	comm := router.Group("/communication")
+	{
+		// Public health check
+		comm.GET("/status", h.GetCommunicationStatus)
+
+		// Protected routes
+		protected := comm.Group("")
+		protected.Use(authMiddleware)
+		{
+			// Matrix
+			protected.POST("/rooms", h.CreateRoom)
+			protected.POST("/rooms/invite", h.InviteUser)
+			protected.POST("/messages", h.SendMessage)
+			protected.POST("/notifications", h.SendNotification)
+
+			// Jitsi
+			protected.POST("/meetings", h.CreateMeeting)
+			protected.POST("/meetings/embed", h.GetEmbedURL)
+			protected.GET("/jitsi/info", h.GetJitsiInfo)
+		}
+
+		// Admin routes (for Matrix user registration and stats)
+		admin := comm.Group("/admin")
+		admin.Use(authMiddleware)
+		// TODO: Add AdminOnly middleware
+		{
+			admin.POST("/matrix/users", h.RegisterMatrixUser)
+			admin.GET("/stats", h.GetAdminStats)
+		}
+	}
+}
diff --git a/consent-service/internal/handlers/consents_public.go b/consent-service/internal/handlers/consents_public.go
new file mode 100644
index 0000000..04d9325
--- /dev/null
+++ b/consent-service/internal/handlers/consents_public.go
@@ -0,0 +1,244 @@
+package handlers
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/middleware"
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// ========================================
+// PUBLIC ENDPOINTS - Consent
+// ========================================
+
+// CreateConsent creates a new user consent
+func (h *Handler) CreateConsent(c *gin.Context) {
+	var req models.CreateConsentRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	userID, err := middleware.GetUserID(c)
+	if err != nil || userID == uuid.Nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
+		return
+	}
+
+	versionID, err := uuid.Parse(req.VersionID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
+		return
+	}
+
+	ctx := context.Background()
+	ipAddress := middleware.GetClientIP(c)
+	userAgent := middleware.GetUserAgent(c)
+
+	// Upsert consent
+	var consentID uuid.UUID
+	err = h.db.Pool.QueryRow(ctx, `
+		INSERT INTO user_consents (user_id, document_version_id, consented, ip_address, user_agent)
+		VALUES ($1, $2, $3, $4, $5)
+		ON CONFLICT (user_id, document_version_id)
+		DO UPDATE SET consented = $3, consented_at = NOW(), withdrawn_at = NULL
+		RETURNING id
+	`, userID, versionID, req.Consented, ipAddress, userAgent).Scan(&consentID)
+
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to save consent"})
+		return
+	}
+
+	// Log to audit trail
+	h.logAudit(ctx, &userID, "consent_given", "document_version", &versionID, nil, ipAddress, userAgent)
+
+	c.JSON(http.StatusCreated, gin.H{
+		"message":    "Consent saved successfully",
+		"consent_id": consentID,
+	})
+}
+
+// GetMyConsents returns all consents for the current user
+func (h *Handler) GetMyConsents(c *gin.Context) {
+	userID, err := middleware.GetUserID(c)
+	if err != nil || userID == uuid.Nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
+		return
+	}
+
+	ctx := context.Background()
+
+	rows, err := h.db.Pool.Query(ctx, `
+		SELECT uc.id, uc.consented, uc.consented_at, uc.withdrawn_at,
+		       ld.id, ld.type, ld.name, ld.is_mandatory,
+		       dv.id, dv.version, dv.language, dv.title
+		FROM user_consents uc
+		JOIN document_versions dv ON uc.document_version_id = dv.id
+		JOIN legal_documents ld ON dv.document_id = ld.id
+		WHERE uc.user_id = $1
+		ORDER BY uc.consented_at DESC
+	`, userID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch consents"})
+		return
+	}
+	defer rows.Close()
+
+	var consents []map[string]interface{}
+	for rows.Next() {
+		var (
+			consentID     uuid.UUID
+			consented     bool
+			consentedAt   time.Time
+			withdrawnAt   *time.Time
+			docID         uuid.UUID
+			docType       string
+			docName       string
+			isMandatory   bool
+			versionID     uuid.UUID
+			version       string
+			language      string
+			title         string
+		)
+
+		if err := rows.Scan(&consentID, &consented, &consentedAt, &withdrawnAt,
+			&docID, &docType, &docName, &isMandatory,
+			&versionID, &version, &language, &title); err != nil {
+			continue
+		}
+
+		consents = append(consents, map[string]interface{}{
+			"consent_id":   consentID,
+			"consented":    consented,
+			"consented_at": consentedAt,
+			"withdrawn_at": withdrawnAt,
+			"document": map[string]interface{}{
+				"id":           docID,
+				"type":         docType,
+				"name":         docName,
+				"is_mandatory": isMandatory,
+			},
+			"version": map[string]interface{}{
+				"id":       versionID,
+				"version":  version,
+				"language": language,
+				"title":    title,
+			},
+		})
+	}
+
+	c.JSON(http.StatusOK, gin.H{"consents": consents})
+}
+
+// CheckConsent checks if the user has consented to a document
+func (h *Handler) CheckConsent(c *gin.Context) {
+	docType := c.Param("documentType")
+	language := c.DefaultQuery("language", "de")
+
+	userID, err := middleware.GetUserID(c)
+	if err != nil || userID == uuid.Nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
+		return
+	}
+
+	ctx := context.Background()
+
+	// Get latest published version
+	var latestVersionID uuid.UUID
+	var latestVersion string
+	err = h.db.Pool.QueryRow(ctx, `
+		SELECT dv.id, dv.version
+		FROM document_versions dv
+		JOIN legal_documents ld ON dv.document_id = ld.id
+		WHERE ld.type = $1 AND dv.language = $2 AND dv.status = 'published'
+		ORDER BY dv.published_at DESC
+		LIMIT 1
+	`, docType, language).Scan(&latestVersionID, &latestVersion)
+
+	if err != nil {
+		c.JSON(http.StatusOK, models.ConsentCheckResponse{
+			HasConsent:  false,
+			NeedsUpdate: false,
+		})
+		return
+	}
+
+	// Check if user has consented to this version
+	var consentedVersionID uuid.UUID
+	var consentedVersion string
+	var consentedAt time.Time
+	err = h.db.Pool.QueryRow(ctx, `
+		SELECT dv.id, dv.version, uc.consented_at
+		FROM user_consents uc
+		JOIN document_versions dv ON uc.document_version_id = dv.id
+		JOIN legal_documents ld ON dv.document_id = ld.id
+		WHERE uc.user_id = $1 AND ld.type = $2 AND uc.consented = true AND uc.withdrawn_at IS NULL
+		ORDER BY uc.consented_at DESC
+		LIMIT 1
+	`, userID, docType).Scan(&consentedVersionID, &consentedVersion, &consentedAt)
+
+	if err != nil {
+		// No consent found
+		latestIDStr := latestVersionID.String()
+		c.JSON(http.StatusOK, models.ConsentCheckResponse{
+			HasConsent:       false,
+			CurrentVersionID: &latestIDStr,
+			NeedsUpdate:      true,
+		})
+		return
+	}
+
+	// Check if consent is for latest version
+	needsUpdate := consentedVersionID != latestVersionID
+	latestIDStr := latestVersionID.String()
+	consentedVerStr := consentedVersion
+
+	c.JSON(http.StatusOK, models.ConsentCheckResponse{
+		HasConsent:       true,
+		CurrentVersionID: &latestIDStr,
+		ConsentedVersion: &consentedVerStr,
+		NeedsUpdate:      needsUpdate,
+		ConsentedAt:      &consentedAt,
+	})
+}
+
+// WithdrawConsent withdraws a consent
+func (h *Handler) WithdrawConsent(c *gin.Context) {
+	consentID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid consent ID"})
+		return
+	}
+
+	userID, err := middleware.GetUserID(c)
+	if err != nil || userID == uuid.Nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
+		return
+	}
+
+	ctx := context.Background()
+	ipAddress := middleware.GetClientIP(c)
+	userAgent := middleware.GetUserAgent(c)
+
+	// Update consent
+	result, err := h.db.Pool.Exec(ctx, `
+		UPDATE user_consents
+		SET withdrawn_at = NOW(), consented = false
+		WHERE id = $1 AND user_id = $2
+	`, consentID, userID)
+
+	if err != nil || result.RowsAffected() == 0 {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Consent not found"})
+		return
+	}
+
+	// Log to audit trail
+	h.logAudit(ctx, &userID, "consent_withdrawn", "consent", &consentID, nil, ipAddress, userAgent)
+
+	c.JSON(http.StatusOK, gin.H{"message": "Consent withdrawn successfully"})
+}
diff --git a/consent-service/internal/handlers/cookies_public.go b/consent-service/internal/handlers/cookies_public.go
new file mode 100644
index 0000000..f3b7ff5
--- /dev/null
+++ b/consent-service/internal/handlers/cookies_public.go
@@ -0,0 +1,158 @@
+package handlers
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/middleware"
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// ========================================
+// PUBLIC ENDPOINTS - Cookie Consent
+// ========================================
+
+// GetCookieCategories returns all active cookie categories
+func (h *Handler) GetCookieCategories(c *gin.Context) {
+	language := c.DefaultQuery("language", "de")
+	ctx := context.Background()
+
+	rows, err := h.db.Pool.Query(ctx, `
+		SELECT id, name, display_name_de, display_name_en, description_de, description_en,
+		       is_mandatory, sort_order
+		FROM cookie_categories
+		WHERE is_active = true
+		ORDER BY sort_order ASC
+	`)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch categories"})
+		return
+	}
+	defer rows.Close()
+
+	var categories []map[string]interface{}
+	for rows.Next() {
+		var cat models.CookieCategory
+		if err := rows.Scan(&cat.ID, &cat.Name, &cat.DisplayNameDE, &cat.DisplayNameEN,
+			&cat.DescriptionDE, &cat.DescriptionEN, &cat.IsMandatory, &cat.SortOrder); err != nil {
+			continue
+		}
+
+		// Return localized data
+		displayName := cat.DisplayNameDE
+		description := cat.DescriptionDE
+		if language == "en" && cat.DisplayNameEN != nil {
+			displayName = *cat.DisplayNameEN
+			if cat.DescriptionEN != nil {
+				description = cat.DescriptionEN
+			}
+		}
+
+		categories = append(categories, map[string]interface{}{
+			"id":           cat.ID,
+			"name":         cat.Name,
+			"display_name": displayName,
+			"description":  description,
+			"is_mandatory": cat.IsMandatory,
+		})
+	}
+
+	c.JSON(http.StatusOK, gin.H{"categories": categories})
+}
+
+// SetCookieConsent sets cookie preferences for a user
+func (h *Handler) SetCookieConsent(c *gin.Context) {
+	var req models.CookieConsentRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	userID, err := middleware.GetUserID(c)
+	if err != nil || userID == uuid.Nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
+		return
+	}
+
+	ctx := context.Background()
+	ipAddress := middleware.GetClientIP(c)
+	userAgent := middleware.GetUserAgent(c)
+
+	// Process each category
+	for _, cat := range req.Categories {
+		categoryID, err := uuid.Parse(cat.CategoryID)
+		if err != nil {
+			continue
+		}
+
+		_, err = h.db.Pool.Exec(ctx, `
+			INSERT INTO cookie_consents (user_id, category_id, consented)
+			VALUES ($1, $2, $3)
+			ON CONFLICT (user_id, category_id)
+			DO UPDATE SET consented = $3, updated_at = NOW()
+		`, userID, categoryID, cat.Consented)
+
+		if err != nil {
+			continue
+		}
+	}
+
+	// Log to audit trail
+	h.logAudit(ctx, &userID, "cookie_consent_updated", "cookie", nil, nil, ipAddress, userAgent)
+
+	c.JSON(http.StatusOK, gin.H{"message": "Cookie preferences saved"})
+}
+
+// GetMyCookieConsent returns cookie preferences for the current user
+func (h *Handler) GetMyCookieConsent(c *gin.Context) {
+	userID, err := middleware.GetUserID(c)
+	if err != nil || userID == uuid.Nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
+		return
+	}
+
+	ctx := context.Background()
+
+	rows, err := h.db.Pool.Query(ctx, `
+		SELECT cc.category_id, cc.consented, cc.updated_at,
+		       cat.name, cat.display_name_de, cat.is_mandatory
+		FROM cookie_consents cc
+		JOIN cookie_categories cat ON cc.category_id = cat.id
+		WHERE cc.user_id = $1
+	`, userID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch preferences"})
+		return
+	}
+	defer rows.Close()
+
+	var consents []map[string]interface{}
+	for rows.Next() {
+		var (
+			categoryID   uuid.UUID
+			consented    bool
+			updatedAt    time.Time
+			name         string
+			displayName  string
+			isMandatory  bool
+		)
+
+		if err := rows.Scan(&categoryID, &consented, &updatedAt, &name, &displayName, &isMandatory); err != nil {
+			continue
+		}
+
+		consents = append(consents, map[string]interface{}{
+			"category_id":  categoryID,
+			"name":         name,
+			"display_name": displayName,
+			"consented":    consented,
+			"is_mandatory": isMandatory,
+			"updated_at":   updatedAt,
+		})
+	}
+
+	c.JSON(http.StatusOK, gin.H{"cookie_consents": consents})
+}
diff --git a/consent-service/internal/handlers/documents_public.go b/consent-service/internal/handlers/documents_public.go
new file mode 100644
index 0000000..ba783bb
--- /dev/null
+++ b/consent-service/internal/handlers/documents_public.go
@@ -0,0 +1,90 @@
+package handlers
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/gin-gonic/gin"
+)
+
+// ========================================
+// PUBLIC ENDPOINTS - Documents
+// ========================================
+
+// GetDocuments returns all active legal documents
+func (h *Handler) GetDocuments(c *gin.Context) {
+	ctx := context.Background()
+
+	rows, err := h.db.Pool.Query(ctx, `
+		SELECT id, type, name, description, is_mandatory, is_active, sort_order, created_at, updated_at
+		FROM legal_documents
+		WHERE is_active = true
+		ORDER BY sort_order ASC
+	`)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch documents"})
+		return
+	}
+	defer rows.Close()
+
+	var documents []models.LegalDocument
+	for rows.Next() {
+		var doc models.LegalDocument
+		if err := rows.Scan(&doc.ID, &doc.Type, &doc.Name, &doc.Description,
+			&doc.IsMandatory, &doc.IsActive, &doc.SortOrder, &doc.CreatedAt, &doc.UpdatedAt); err != nil {
+			continue
+		}
+		documents = append(documents, doc)
+	}
+
+	c.JSON(http.StatusOK, gin.H{"documents": documents})
+}
+
+// GetDocumentByType returns a document by its type
+func (h *Handler) GetDocumentByType(c *gin.Context) {
+	docType := c.Param("type")
+	ctx := context.Background()
+
+	var doc models.LegalDocument
+	err := h.db.Pool.QueryRow(ctx, `
+		SELECT id, type, name, description, is_mandatory, is_active, sort_order, created_at, updated_at
+		FROM legal_documents
+		WHERE type = $1 AND is_active = true
+	`, docType).Scan(&doc.ID, &doc.Type, &doc.Name, &doc.Description,
+		&doc.IsMandatory, &doc.IsActive, &doc.SortOrder, &doc.CreatedAt, &doc.UpdatedAt)
+
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Document not found"})
+		return
+	}
+
+	c.JSON(http.StatusOK, doc)
+}
+
+// GetLatestDocumentVersion returns the latest published version of a document
+func (h *Handler) GetLatestDocumentVersion(c *gin.Context) {
+	docType := c.Param("type")
+	language := c.DefaultQuery("language", "de")
+	ctx := context.Background()
+
+	var version models.DocumentVersion
+	err := h.db.Pool.QueryRow(ctx, `
+		SELECT dv.id, dv.document_id, dv.version, dv.language, dv.title, dv.content,
+		       dv.summary, dv.status, dv.published_at, dv.created_at, dv.updated_at
+		FROM document_versions dv
+		JOIN legal_documents ld ON dv.document_id = ld.id
+		WHERE ld.type = $1 AND dv.language = $2 AND dv.status = 'published'
+		ORDER BY dv.published_at DESC
+		LIMIT 1
+	`, docType, language).Scan(&version.ID, &version.DocumentID, &version.Version, &version.Language,
+		&version.Title, &version.Content, &version.Summary, &version.Status,
+		&version.PublishedAt, &version.CreatedAt, &version.UpdatedAt)
+
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "No published version found"})
+		return
+	}
+
+	c.JSON(http.StatusOK, version)
+}
diff --git a/consent-service/internal/handlers/dsr_handlers.go b/consent-service/internal/handlers/dsr_handlers.go
index af8e83b..278a52c 100644
--- a/consent-service/internal/handlers/dsr_handlers.go
+++ b/consent-service/internal/handlers/dsr_handlers.go
@@ -3,8 +3,6 @@ package handlers
 import (
 	"context"
 	"net/http"
-	"strconv"
-	"time"
 
 	"github.com/breakpilot/consent-service/internal/middleware"
 	"github.com/breakpilot/consent-service/internal/models"
@@ -135,814 +133,3 @@ func (h *DSRHandler) CancelMyDSR(c *gin.Context) {
 
 	c.JSON(http.StatusOK, gin.H{"message": "Anfrage wurde storniert"})
 }
-
-// ========================================
-// ADMIN ENDPOINTS
-// ========================================
-
-// AdminListDSR returns all DSRs with filters (admin only)
-func (h *DSRHandler) AdminListDSR(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	// Parse pagination
-	limit := 20
-	offset := 0
-	if l := c.Query("limit"); l != "" {
-		if parsed, err := strconv.Atoi(l); err == nil && parsed > 0 {
-			limit = parsed
-		}
-	}
-	if o := c.Query("offset"); o != "" {
-		if parsed, err := strconv.Atoi(o); err == nil && parsed >= 0 {
-			offset = parsed
-		}
-	}
-
-	// Parse filters
-	filters := models.DSRListFilters{}
-	if status := c.Query("status"); status != "" {
-		filters.Status = &status
-	}
-	if reqType := c.Query("request_type"); reqType != "" {
-		filters.RequestType = &reqType
-	}
-	if assignedTo := c.Query("assigned_to"); assignedTo != "" {
-		filters.AssignedTo = &assignedTo
-	}
-	if priority := c.Query("priority"); priority != "" {
-		filters.Priority = &priority
-	}
-	if c.Query("overdue_only") == "true" {
-		filters.OverdueOnly = true
-	}
-	if search := c.Query("search"); search != "" {
-		filters.Search = &search
-	}
-	if from := c.Query("from_date"); from != "" {
-		if t, err := time.Parse("2006-01-02", from); err == nil {
-			filters.FromDate = &t
-		}
-	}
-	if to := c.Query("to_date"); to != "" {
-		if t, err := time.Parse("2006-01-02", to); err == nil {
-			filters.ToDate = &t
-		}
-	}
-
-	dsrs, total, err := h.dsrService.List(c.Request.Context(), filters, limit, offset)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch requests"})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{
-		"requests": dsrs,
-		"total":    total,
-		"limit":    limit,
-		"offset":   offset,
-	})
-}
-
-// AdminGetDSR returns a specific DSR (admin only)
-func (h *DSRHandler) AdminGetDSR(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	dsrID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
-		return
-	}
-
-	dsr, err := h.dsrService.GetByID(c.Request.Context(), dsrID)
-	if err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "Request not found"})
-		return
-	}
-
-	c.JSON(http.StatusOK, dsr)
-}
-
-// AdminCreateDSR creates a DSR manually (admin only)
-func (h *DSRHandler) AdminCreateDSR(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-
-	var req models.CreateDSRRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body", "details": err.Error()})
-		return
-	}
-
-	// Set source as admin_panel
-	if req.Source == "" {
-		req.Source = "admin_panel"
-	}
-
-	dsr, err := h.dsrService.CreateRequest(c.Request.Context(), req, &userID)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusCreated, gin.H{
-		"message":        "Anfrage wurde erstellt",
-		"request_number": dsr.RequestNumber,
-		"dsr":            dsr,
-	})
-}
-
-// AdminUpdateDSR updates a DSR (admin only)
-func (h *DSRHandler) AdminUpdateDSR(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	dsrID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-
-	var req models.UpdateDSRRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	ctx := c.Request.Context()
-
-	// Update status if provided
-	if req.Status != nil {
-		err = h.dsrService.UpdateStatus(ctx, dsrID, models.DSRStatus(*req.Status), "", &userID)
-		if err != nil {
-			c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-			return
-		}
-	}
-
-	// Update processing notes
-	if req.ProcessingNotes != nil {
-		h.dsrService.GetPool().Exec(ctx, `
-			UPDATE data_subject_requests SET processing_notes = $1, updated_at = NOW() WHERE id = $2
-		`, *req.ProcessingNotes, dsrID)
-	}
-
-	// Update priority
-	if req.Priority != nil {
-		h.dsrService.GetPool().Exec(ctx, `
-			UPDATE data_subject_requests SET priority = $1, updated_at = NOW() WHERE id = $2
-		`, *req.Priority, dsrID)
-	}
-
-	// Get updated DSR
-	dsr, _ := h.dsrService.GetByID(ctx, dsrID)
-
-	c.JSON(http.StatusOK, gin.H{
-		"message": "Anfrage wurde aktualisiert",
-		"dsr":     dsr,
-	})
-}
-
-// AdminGetDSRStats returns dashboard statistics
-func (h *DSRHandler) AdminGetDSRStats(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	stats, err := h.dsrService.GetDashboardStats(c.Request.Context())
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch statistics"})
-		return
-	}
-
-	c.JSON(http.StatusOK, stats)
-}
-
-// AdminVerifyIdentity verifies the identity of a requester
-func (h *DSRHandler) AdminVerifyIdentity(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	dsrID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-
-	var req models.VerifyDSRIdentityRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	err = h.dsrService.VerifyIdentity(c.Request.Context(), dsrID, req.Method, userID)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Identität wurde verifiziert"})
-}
-
-// AdminAssignDSR assigns a DSR to a user
-func (h *DSRHandler) AdminAssignDSR(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	dsrID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-
-	var req struct {
-		AssigneeID string `json:"assignee_id" binding:"required"`
-	}
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	assigneeID, err := uuid.Parse(req.AssigneeID)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid assignee ID"})
-		return
-	}
-
-	err = h.dsrService.AssignRequest(c.Request.Context(), dsrID, assigneeID, userID)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Anfrage wurde zugewiesen"})
-}
-
-// AdminExtendDSRDeadline extends the deadline for a DSR
-func (h *DSRHandler) AdminExtendDSRDeadline(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	dsrID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-
-	var req models.ExtendDSRDeadlineRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	err = h.dsrService.ExtendDeadline(c.Request.Context(), dsrID, req.Reason, req.Days, userID)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Frist wurde verlängert"})
-}
-
-// AdminCompleteDSR marks a DSR as completed
-func (h *DSRHandler) AdminCompleteDSR(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	dsrID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-
-	var req models.CompleteDSRRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	err = h.dsrService.CompleteRequest(c.Request.Context(), dsrID, req.ResultSummary, req.ResultData, userID)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Anfrage wurde abgeschlossen"})
-}
-
-// AdminRejectDSR rejects a DSR
-func (h *DSRHandler) AdminRejectDSR(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	dsrID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-
-	var req models.RejectDSRRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	err = h.dsrService.RejectRequest(c.Request.Context(), dsrID, req.Reason, req.LegalBasis, userID)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Anfrage wurde abgelehnt"})
-}
-
-// AdminGetDSRHistory returns the status history for a DSR
-func (h *DSRHandler) AdminGetDSRHistory(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	dsrID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
-		return
-	}
-
-	history, err := h.dsrService.GetStatusHistory(c.Request.Context(), dsrID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch history"})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"history": history})
-}
-
-// AdminGetDSRCommunications returns communications for a DSR
-func (h *DSRHandler) AdminGetDSRCommunications(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	dsrID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
-		return
-	}
-
-	comms, err := h.dsrService.GetCommunications(c.Request.Context(), dsrID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch communications"})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"communications": comms})
-}
-
-// AdminSendDSRCommunication sends a communication for a DSR
-func (h *DSRHandler) AdminSendDSRCommunication(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	dsrID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-
-	var req models.SendDSRCommunicationRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	err = h.dsrService.SendCommunication(c.Request.Context(), dsrID, req, userID)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Kommunikation wurde gesendet"})
-}
-
-// AdminUpdateDSRStatus updates the status of a DSR
-func (h *DSRHandler) AdminUpdateDSRStatus(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	dsrID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-
-	var req struct {
-		Status  string `json:"status" binding:"required"`
-		Comment string `json:"comment"`
-	}
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	err = h.dsrService.UpdateStatus(c.Request.Context(), dsrID, models.DSRStatus(req.Status), req.Comment, &userID)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Status wurde aktualisiert"})
-}
-
-// ========================================
-// EXCEPTION CHECKS (Art. 17)
-// ========================================
-
-// AdminGetExceptionChecks returns exception checks for an erasure DSR
-func (h *DSRHandler) AdminGetExceptionChecks(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	dsrID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
-		return
-	}
-
-	checks, err := h.dsrService.GetExceptionChecks(c.Request.Context(), dsrID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch exception checks"})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"exception_checks": checks})
-}
-
-// AdminInitExceptionChecks initializes exception checks for an erasure DSR
-func (h *DSRHandler) AdminInitExceptionChecks(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	dsrID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
-		return
-	}
-
-	err = h.dsrService.InitErasureExceptionChecks(c.Request.Context(), dsrID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to initialize exception checks"})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Ausnahmeprüfungen wurden initialisiert"})
-}
-
-// AdminUpdateExceptionCheck updates a single exception check
-func (h *DSRHandler) AdminUpdateExceptionCheck(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	checkID, err := uuid.Parse(c.Param("checkId"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid check ID"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-
-	var req struct {
-		Applies bool    `json:"applies"`
-		Notes   *string `json:"notes"`
-	}
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	err = h.dsrService.UpdateExceptionCheck(c.Request.Context(), checkID, req.Applies, req.Notes, userID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to update exception check"})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Ausnahmeprüfung wurde aktualisiert"})
-}
-
-// ========================================
-// TEMPLATE ENDPOINTS
-// ========================================
-
-// AdminGetDSRTemplates returns all DSR templates
-func (h *DSRHandler) AdminGetDSRTemplates(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	ctx := c.Request.Context()
-	rows, err := h.dsrService.GetPool().Query(ctx, `
-		SELECT id, template_type, name, description, request_types, is_active, sort_order, created_at, updated_at
-		FROM dsr_templates ORDER BY sort_order, name
-	`)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch templates"})
-		return
-	}
-	defer rows.Close()
-
-	var templates []map[string]interface{}
-	for rows.Next() {
-		var id uuid.UUID
-		var templateType, name string
-		var description *string
-		var requestTypes []byte
-		var isActive bool
-		var sortOrder int
-		var createdAt, updatedAt time.Time
-
-		err := rows.Scan(&id, &templateType, &name, &description, &requestTypes, &isActive, &sortOrder, &createdAt, &updatedAt)
-		if err != nil {
-			continue
-		}
-
-		templates = append(templates, map[string]interface{}{
-			"id":            id,
-			"template_type": templateType,
-			"name":          name,
-			"description":   description,
-			"request_types": string(requestTypes),
-			"is_active":     isActive,
-			"sort_order":    sortOrder,
-			"created_at":    createdAt,
-			"updated_at":    updatedAt,
-		})
-	}
-
-	c.JSON(http.StatusOK, gin.H{"templates": templates})
-}
-
-// AdminGetDSRTemplateVersions returns versions for a template
-func (h *DSRHandler) AdminGetDSRTemplateVersions(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	templateID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid template ID"})
-		return
-	}
-
-	ctx := c.Request.Context()
-	rows, err := h.dsrService.GetPool().Query(ctx, `
-		SELECT id, template_id, version, language, subject, body_html, body_text,
-			   status, published_at, created_by, approved_by, approved_at, created_at, updated_at
-		FROM dsr_template_versions WHERE template_id = $1 ORDER BY created_at DESC
-	`, templateID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch versions"})
-		return
-	}
-	defer rows.Close()
-
-	var versions []map[string]interface{}
-	for rows.Next() {
-		var id, tempID uuid.UUID
-		var version, language, subject, bodyHTML, bodyText, status string
-		var publishedAt, approvedAt *time.Time
-		var createdBy, approvedBy *uuid.UUID
-		var createdAt, updatedAt time.Time
-
-		err := rows.Scan(&id, &tempID, &version, &language, &subject, &bodyHTML, &bodyText,
-			&status, &publishedAt, &createdBy, &approvedBy, &approvedAt, &createdAt, &updatedAt)
-		if err != nil {
-			continue
-		}
-
-		versions = append(versions, map[string]interface{}{
-			"id":           id,
-			"template_id":  tempID,
-			"version":      version,
-			"language":     language,
-			"subject":      subject,
-			"body_html":    bodyHTML,
-			"body_text":    bodyText,
-			"status":       status,
-			"published_at": publishedAt,
-			"created_by":   createdBy,
-			"approved_by":  approvedBy,
-			"approved_at":  approvedAt,
-			"created_at":   createdAt,
-			"updated_at":   updatedAt,
-		})
-	}
-
-	c.JSON(http.StatusOK, gin.H{"versions": versions})
-}
-
-// AdminCreateDSRTemplateVersion creates a new template version
-func (h *DSRHandler) AdminCreateDSRTemplateVersion(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	templateID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid template ID"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-
-	var req struct {
-		Version  string `json:"version" binding:"required"`
-		Language string `json:"language"`
-		Subject  string `json:"subject" binding:"required"`
-		BodyHTML string `json:"body_html" binding:"required"`
-		BodyText string `json:"body_text"`
-	}
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	if req.Language == "" {
-		req.Language = "de"
-	}
-
-	ctx := c.Request.Context()
-	var versionID uuid.UUID
-	err = h.dsrService.GetPool().QueryRow(ctx, `
-		INSERT INTO dsr_template_versions (template_id, version, language, subject, body_html, body_text, created_by)
-		VALUES ($1, $2, $3, $4, $5, $6, $7)
-		RETURNING id
-	`, templateID, req.Version, req.Language, req.Subject, req.BodyHTML, req.BodyText, userID).Scan(&versionID)
-
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create version"})
-		return
-	}
-
-	c.JSON(http.StatusCreated, gin.H{
-		"message": "Version wurde erstellt",
-		"id":      versionID,
-	})
-}
-
-// AdminPublishDSRTemplateVersion publishes a template version
-func (h *DSRHandler) AdminPublishDSRTemplateVersion(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	versionID, err := uuid.Parse(c.Param("versionId"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-
-	ctx := c.Request.Context()
-	_, err = h.dsrService.GetPool().Exec(ctx, `
-		UPDATE dsr_template_versions
-		SET status = 'published', published_at = NOW(), approved_by = $1, approved_at = NOW(), updated_at = NOW()
-		WHERE id = $2
-	`, userID, versionID)
-
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to publish version"})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Version wurde veröffentlicht"})
-}
-
-// AdminGetPublishedDSRTemplates returns all published templates for selection
-func (h *DSRHandler) AdminGetPublishedDSRTemplates(c *gin.Context) {
-	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
-		return
-	}
-
-	requestType := c.Query("request_type")
-	language := c.DefaultQuery("language", "de")
-
-	ctx := c.Request.Context()
-	query := `
-		SELECT t.id, t.template_type, t.name, t.description,
-			   v.id as version_id, v.version, v.subject, v.body_html, v.body_text
-		FROM dsr_templates t
-		JOIN dsr_template_versions v ON t.id = v.template_id
-		WHERE t.is_active = TRUE AND v.status = 'published' AND v.language = $1
-	`
-	args := []interface{}{language}
-
-	if requestType != "" {
-		query += ` AND t.request_types @> $2::jsonb`
-		args = append(args, `["`+requestType+`"]`)
-	}
-
-	query += " ORDER BY t.sort_order, t.name"
-
-	rows, err := h.dsrService.GetPool().Query(ctx, query, args...)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch templates"})
-		return
-	}
-	defer rows.Close()
-
-	var templates []map[string]interface{}
-	for rows.Next() {
-		var templateID, versionID uuid.UUID
-		var templateType, name, version, subject, bodyHTML, bodyText string
-		var description *string
-
-		err := rows.Scan(&templateID, &templateType, &name, &description, &versionID, &version, &subject, &bodyHTML, &bodyText)
-		if err != nil {
-			continue
-		}
-
-		templates = append(templates, map[string]interface{}{
-			"template_id":   templateID,
-			"template_type": templateType,
-			"name":          name,
-			"description":   description,
-			"version_id":    versionID,
-			"version":       version,
-			"subject":       subject,
-			"body_html":     bodyHTML,
-			"body_text":     bodyText,
-		})
-	}
-
-	c.JSON(http.StatusOK, gin.H{"templates": templates})
-}
-
-// ========================================
-// DEADLINE PROCESSING
-// ========================================
-
-// ProcessDeadlines triggers deadline checking (called by scheduler)
-func (h *DSRHandler) ProcessDeadlines(c *gin.Context) {
-	err := h.dsrService.ProcessDeadlines(c.Request.Context())
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to process deadlines"})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Deadline processing completed"})
-}
diff --git a/consent-service/internal/handlers/dsr_handlers_admin.go b/consent-service/internal/handlers/dsr_handlers_admin.go
new file mode 100644
index 0000000..43e1839
--- /dev/null
+++ b/consent-service/internal/handlers/dsr_handlers_admin.go
@@ -0,0 +1,388 @@
+package handlers
+
+import (
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/middleware"
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// ========================================
+// ADMIN ENDPOINTS — CRUD & Workflow
+// ========================================
+
+// AdminListDSR returns all DSRs with filters (admin only)
+func (h *DSRHandler) AdminListDSR(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	// Parse pagination
+	limit := 20
+	offset := 0
+	if l := c.Query("limit"); l != "" {
+		if parsed, err := strconv.Atoi(l); err == nil && parsed > 0 {
+			limit = parsed
+		}
+	}
+	if o := c.Query("offset"); o != "" {
+		if parsed, err := strconv.Atoi(o); err == nil && parsed >= 0 {
+			offset = parsed
+		}
+	}
+
+	// Parse filters
+	filters := models.DSRListFilters{}
+	if status := c.Query("status"); status != "" {
+		filters.Status = &status
+	}
+	if reqType := c.Query("request_type"); reqType != "" {
+		filters.RequestType = &reqType
+	}
+	if assignedTo := c.Query("assigned_to"); assignedTo != "" {
+		filters.AssignedTo = &assignedTo
+	}
+	if priority := c.Query("priority"); priority != "" {
+		filters.Priority = &priority
+	}
+	if c.Query("overdue_only") == "true" {
+		filters.OverdueOnly = true
+	}
+	if search := c.Query("search"); search != "" {
+		filters.Search = &search
+	}
+	if from := c.Query("from_date"); from != "" {
+		if t, err := time.Parse("2006-01-02", from); err == nil {
+			filters.FromDate = &t
+		}
+	}
+	if to := c.Query("to_date"); to != "" {
+		if t, err := time.Parse("2006-01-02", to); err == nil {
+			filters.ToDate = &t
+		}
+	}
+
+	dsrs, total, err := h.dsrService.List(c.Request.Context(), filters, limit, offset)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch requests"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"requests": dsrs,
+		"total":    total,
+		"limit":    limit,
+		"offset":   offset,
+	})
+}
+
+// AdminGetDSR returns a specific DSR (admin only)
+func (h *DSRHandler) AdminGetDSR(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	dsrID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
+		return
+	}
+
+	dsr, err := h.dsrService.GetByID(c.Request.Context(), dsrID)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Request not found"})
+		return
+	}
+
+	c.JSON(http.StatusOK, dsr)
+}
+
+// AdminCreateDSR creates a DSR manually (admin only)
+func (h *DSRHandler) AdminCreateDSR(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+
+	var req models.CreateDSRRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body", "details": err.Error()})
+		return
+	}
+
+	// Set source as admin_panel
+	if req.Source == "" {
+		req.Source = "admin_panel"
+	}
+
+	dsr, err := h.dsrService.CreateRequest(c.Request.Context(), req, &userID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{
+		"message":        "Anfrage wurde erstellt",
+		"request_number": dsr.RequestNumber,
+		"dsr":            dsr,
+	})
+}
+
+// AdminUpdateDSR updates a DSR (admin only)
+func (h *DSRHandler) AdminUpdateDSR(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	dsrID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+
+	var req models.UpdateDSRRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	ctx := c.Request.Context()
+
+	// Update status if provided
+	if req.Status != nil {
+		err = h.dsrService.UpdateStatus(ctx, dsrID, models.DSRStatus(*req.Status), "", &userID)
+		if err != nil {
+			c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+			return
+		}
+	}
+
+	// Update processing notes
+	if req.ProcessingNotes != nil {
+		h.dsrService.GetPool().Exec(ctx, `
+			UPDATE data_subject_requests SET processing_notes = $1, updated_at = NOW() WHERE id = $2
+		`, *req.ProcessingNotes, dsrID)
+	}
+
+	// Update priority
+	if req.Priority != nil {
+		h.dsrService.GetPool().Exec(ctx, `
+			UPDATE data_subject_requests SET priority = $1, updated_at = NOW() WHERE id = $2
+		`, *req.Priority, dsrID)
+	}
+
+	// Get updated DSR
+	dsr, _ := h.dsrService.GetByID(ctx, dsrID)
+
+	c.JSON(http.StatusOK, gin.H{
+		"message": "Anfrage wurde aktualisiert",
+		"dsr":     dsr,
+	})
+}
+
+// AdminGetDSRStats returns dashboard statistics
+func (h *DSRHandler) AdminGetDSRStats(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	stats, err := h.dsrService.GetDashboardStats(c.Request.Context())
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch statistics"})
+		return
+	}
+
+	c.JSON(http.StatusOK, stats)
+}
+
+// AdminVerifyIdentity verifies the identity of a requester
+func (h *DSRHandler) AdminVerifyIdentity(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	dsrID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+
+	var req models.VerifyDSRIdentityRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	err = h.dsrService.VerifyIdentity(c.Request.Context(), dsrID, req.Method, userID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Identität wurde verifiziert"})
+}
+
+// AdminAssignDSR assigns a DSR to a user
+func (h *DSRHandler) AdminAssignDSR(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	dsrID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+
+	var req struct {
+		AssigneeID string `json:"assignee_id" binding:"required"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	assigneeID, err := uuid.Parse(req.AssigneeID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid assignee ID"})
+		return
+	}
+
+	err = h.dsrService.AssignRequest(c.Request.Context(), dsrID, assigneeID, userID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Anfrage wurde zugewiesen"})
+}
+
+// AdminExtendDSRDeadline extends the deadline for a DSR
+func (h *DSRHandler) AdminExtendDSRDeadline(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	dsrID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+
+	var req models.ExtendDSRDeadlineRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	err = h.dsrService.ExtendDeadline(c.Request.Context(), dsrID, req.Reason, req.Days, userID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Frist wurde verlängert"})
+}
+
+// AdminCompleteDSR marks a DSR as completed
+func (h *DSRHandler) AdminCompleteDSR(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	dsrID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+
+	var req models.CompleteDSRRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	err = h.dsrService.CompleteRequest(c.Request.Context(), dsrID, req.ResultSummary, req.ResultData, userID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Anfrage wurde abgeschlossen"})
+}
+
+// AdminRejectDSR rejects a DSR
+func (h *DSRHandler) AdminRejectDSR(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	dsrID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+
+	var req models.RejectDSRRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	err = h.dsrService.RejectRequest(c.Request.Context(), dsrID, req.Reason, req.LegalBasis, userID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Anfrage wurde abgelehnt"})
+}
+
+// AdminGetDSRHistory returns the status history for a DSR
+func (h *DSRHandler) AdminGetDSRHistory(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	dsrID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
+		return
+	}
+
+	history, err := h.dsrService.GetStatusHistory(c.Request.Context(), dsrID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch history"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"history": history})
+}
diff --git a/consent-service/internal/handlers/dsr_handlers_ops.go b/consent-service/internal/handlers/dsr_handlers_ops.go
new file mode 100644
index 0000000..8902836
--- /dev/null
+++ b/consent-service/internal/handlers/dsr_handlers_ops.go
@@ -0,0 +1,195 @@
+package handlers
+
+import (
+	"net/http"
+
+	"github.com/breakpilot/consent-service/internal/middleware"
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// ========================================
+// ADMIN — Communications & Status
+// ========================================
+
+// AdminGetDSRCommunications returns communications for a DSR
+func (h *DSRHandler) AdminGetDSRCommunications(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	dsrID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
+		return
+	}
+
+	comms, err := h.dsrService.GetCommunications(c.Request.Context(), dsrID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch communications"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"communications": comms})
+}
+
+// AdminSendDSRCommunication sends a communication for a DSR
+func (h *DSRHandler) AdminSendDSRCommunication(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	dsrID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+
+	var req models.SendDSRCommunicationRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	err = h.dsrService.SendCommunication(c.Request.Context(), dsrID, req, userID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Kommunikation wurde gesendet"})
+}
+
+// AdminUpdateDSRStatus updates the status of a DSR
+func (h *DSRHandler) AdminUpdateDSRStatus(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	dsrID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+
+	var req struct {
+		Status  string `json:"status" binding:"required"`
+		Comment string `json:"comment"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	err = h.dsrService.UpdateStatus(c.Request.Context(), dsrID, models.DSRStatus(req.Status), req.Comment, &userID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Status wurde aktualisiert"})
+}
+
+// ========================================
+// EXCEPTION CHECKS (Art. 17)
+// ========================================
+
+// AdminGetExceptionChecks returns exception checks for an erasure DSR
+func (h *DSRHandler) AdminGetExceptionChecks(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	dsrID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
+		return
+	}
+
+	checks, err := h.dsrService.GetExceptionChecks(c.Request.Context(), dsrID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch exception checks"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"exception_checks": checks})
+}
+
+// AdminInitExceptionChecks initializes exception checks for an erasure DSR
+func (h *DSRHandler) AdminInitExceptionChecks(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	dsrID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request ID"})
+		return
+	}
+
+	err = h.dsrService.InitErasureExceptionChecks(c.Request.Context(), dsrID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to initialize exception checks"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Ausnahmeprüfungen wurden initialisiert"})
+}
+
+// AdminUpdateExceptionCheck updates a single exception check
+func (h *DSRHandler) AdminUpdateExceptionCheck(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	checkID, err := uuid.Parse(c.Param("checkId"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid check ID"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+
+	var req struct {
+		Applies bool    `json:"applies"`
+		Notes   *string `json:"notes"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	err = h.dsrService.UpdateExceptionCheck(c.Request.Context(), checkID, req.Applies, req.Notes, userID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to update exception check"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Ausnahmeprüfung wurde aktualisiert"})
+}
+
+// ========================================
+// DEADLINE PROCESSING
+// ========================================
+
+// ProcessDeadlines triggers deadline checking (called by scheduler)
+func (h *DSRHandler) ProcessDeadlines(c *gin.Context) {
+	err := h.dsrService.ProcessDeadlines(c.Request.Context())
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to process deadlines"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Deadline processing completed"})
+}
diff --git a/consent-service/internal/handlers/dsr_handlers_templates.go b/consent-service/internal/handlers/dsr_handlers_templates.go
new file mode 100644
index 0000000..45b37b8
--- /dev/null
+++ b/consent-service/internal/handlers/dsr_handlers_templates.go
@@ -0,0 +1,264 @@
+package handlers
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/middleware"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// ========================================
+// TEMPLATE ENDPOINTS
+// ========================================
+
+// AdminGetDSRTemplates returns all DSR templates
+func (h *DSRHandler) AdminGetDSRTemplates(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	ctx := c.Request.Context()
+	rows, err := h.dsrService.GetPool().Query(ctx, `
+		SELECT id, template_type, name, description, request_types, is_active, sort_order, created_at, updated_at
+		FROM dsr_templates ORDER BY sort_order, name
+	`)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch templates"})
+		return
+	}
+	defer rows.Close()
+
+	var templates []map[string]interface{}
+	for rows.Next() {
+		var id uuid.UUID
+		var templateType, name string
+		var description *string
+		var requestTypes []byte
+		var isActive bool
+		var sortOrder int
+		var createdAt, updatedAt time.Time
+
+		err := rows.Scan(&id, &templateType, &name, &description, &requestTypes, &isActive, &sortOrder, &createdAt, &updatedAt)
+		if err != nil {
+			continue
+		}
+
+		templates = append(templates, map[string]interface{}{
+			"id":            id,
+			"template_type": templateType,
+			"name":          name,
+			"description":   description,
+			"request_types": string(requestTypes),
+			"is_active":     isActive,
+			"sort_order":    sortOrder,
+			"created_at":    createdAt,
+			"updated_at":    updatedAt,
+		})
+	}
+
+	c.JSON(http.StatusOK, gin.H{"templates": templates})
+}
+
+// AdminGetDSRTemplateVersions returns versions for a template
+func (h *DSRHandler) AdminGetDSRTemplateVersions(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	templateID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid template ID"})
+		return
+	}
+
+	ctx := c.Request.Context()
+	rows, err := h.dsrService.GetPool().Query(ctx, `
+		SELECT id, template_id, version, language, subject, body_html, body_text,
+			   status, published_at, created_by, approved_by, approved_at, created_at, updated_at
+		FROM dsr_template_versions WHERE template_id = $1 ORDER BY created_at DESC
+	`, templateID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch versions"})
+		return
+	}
+	defer rows.Close()
+
+	var versions []map[string]interface{}
+	for rows.Next() {
+		var id, tempID uuid.UUID
+		var version, language, subject, bodyHTML, bodyText, status string
+		var publishedAt, approvedAt *time.Time
+		var createdBy, approvedBy *uuid.UUID
+		var createdAt, updatedAt time.Time
+
+		err := rows.Scan(&id, &tempID, &version, &language, &subject, &bodyHTML, &bodyText,
+			&status, &publishedAt, &createdBy, &approvedBy, &approvedAt, &createdAt, &updatedAt)
+		if err != nil {
+			continue
+		}
+
+		versions = append(versions, map[string]interface{}{
+			"id":           id,
+			"template_id":  tempID,
+			"version":      version,
+			"language":     language,
+			"subject":      subject,
+			"body_html":    bodyHTML,
+			"body_text":    bodyText,
+			"status":       status,
+			"published_at": publishedAt,
+			"created_by":   createdBy,
+			"approved_by":  approvedBy,
+			"approved_at":  approvedAt,
+			"created_at":   createdAt,
+			"updated_at":   updatedAt,
+		})
+	}
+
+	c.JSON(http.StatusOK, gin.H{"versions": versions})
+}
+
+// AdminCreateDSRTemplateVersion creates a new template version
+func (h *DSRHandler) AdminCreateDSRTemplateVersion(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	templateID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid template ID"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+
+	var req struct {
+		Version  string `json:"version" binding:"required"`
+		Language string `json:"language"`
+		Subject  string `json:"subject" binding:"required"`
+		BodyHTML string `json:"body_html" binding:"required"`
+		BodyText string `json:"body_text"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	if req.Language == "" {
+		req.Language = "de"
+	}
+
+	ctx := c.Request.Context()
+	var versionID uuid.UUID
+	err = h.dsrService.GetPool().QueryRow(ctx, `
+		INSERT INTO dsr_template_versions (template_id, version, language, subject, body_html, body_text, created_by)
+		VALUES ($1, $2, $3, $4, $5, $6, $7)
+		RETURNING id
+	`, templateID, req.Version, req.Language, req.Subject, req.BodyHTML, req.BodyText, userID).Scan(&versionID)
+
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create version"})
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{
+		"message": "Version wurde erstellt",
+		"id":      versionID,
+	})
+}
+
+// AdminPublishDSRTemplateVersion publishes a template version
+func (h *DSRHandler) AdminPublishDSRTemplateVersion(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	versionID, err := uuid.Parse(c.Param("versionId"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
+		return
+	}
+
+	userID, _ := middleware.GetUserID(c)
+
+	ctx := c.Request.Context()
+	_, err = h.dsrService.GetPool().Exec(ctx, `
+		UPDATE dsr_template_versions
+		SET status = 'published', published_at = NOW(), approved_by = $1, approved_at = NOW(), updated_at = NOW()
+		WHERE id = $2
+	`, userID, versionID)
+
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to publish version"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Version wurde veröffentlicht"})
+}
+
+// AdminGetPublishedDSRTemplates returns all published templates for selection
+func (h *DSRHandler) AdminGetPublishedDSRTemplates(c *gin.Context) {
+	if !middleware.IsAdmin(c) && !middleware.IsDSB(c) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Admin or DSB access required"})
+		return
+	}
+
+	requestType := c.Query("request_type")
+	language := c.DefaultQuery("language", "de")
+
+	ctx := c.Request.Context()
+	query := `
+		SELECT t.id, t.template_type, t.name, t.description,
+			   v.id as version_id, v.version, v.subject, v.body_html, v.body_text
+		FROM dsr_templates t
+		JOIN dsr_template_versions v ON t.id = v.template_id
+		WHERE t.is_active = TRUE AND v.status = 'published' AND v.language = $1
+	`
+	args := []interface{}{language}
+
+	if requestType != "" {
+		query += ` AND t.request_types @> $2::jsonb`
+		args = append(args, `["`+requestType+`"]`)
+	}
+
+	query += " ORDER BY t.sort_order, t.name"
+
+	rows, err := h.dsrService.GetPool().Query(ctx, query, args...)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch templates"})
+		return
+	}
+	defer rows.Close()
+
+	var templates []map[string]interface{}
+	for rows.Next() {
+		var templateID, versionID uuid.UUID
+		var templateType, name, version, subject, bodyHTML, bodyText string
+		var description *string
+
+		err := rows.Scan(&templateID, &templateType, &name, &description, &versionID, &version, &subject, &bodyHTML, &bodyText)
+		if err != nil {
+			continue
+		}
+
+		templates = append(templates, map[string]interface{}{
+			"template_id":   templateID,
+			"template_type": templateType,
+			"name":          name,
+			"description":   description,
+			"version_id":    versionID,
+			"version":       version,
+			"subject":       subject,
+			"body_html":     bodyHTML,
+			"body_text":     bodyText,
+		})
+	}
+
+	c.JSON(http.StatusOK, gin.H{"templates": templates})
+}
diff --git a/consent-service/internal/handlers/email_template_handlers.go b/consent-service/internal/handlers/email_template_handlers.go
index d2b6a86..e0a7c46 100644
--- a/consent-service/internal/handlers/email_template_handlers.go
+++ b/consent-service/internal/handlers/email_template_handlers.go
@@ -2,7 +2,6 @@ package handlers
 
 import (
 	"net/http"
-	"strconv"
 	"time"
 
 	"github.com/breakpilot/consent-service/internal/models"
@@ -261,268 +260,3 @@ func (h *EmailTemplateHandler) RejectVersion(c *gin.Context) {
 	}
 	c.JSON(http.StatusOK, gin.H{"message": "version rejected"})
 }
-
-// PublishVersion publishes an approved version
-// POST /api/v1/admin/email-template-versions/:id/publish
-func (h *EmailTemplateHandler) PublishVersion(c *gin.Context) {
-	idStr := c.Param("id")
-	id, err := uuid.Parse(idStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid version ID"})
-		return
-	}
-
-	role, exists := c.Get("user_role")
-	if !exists || (role != "data_protection_officer" && role != "admin" && role != "super_admin") {
-		c.JSON(http.StatusForbidden, gin.H{"error": "insufficient permissions"})
-		return
-	}
-
-	userID, _ := c.Get("user_id")
-	uid, _ := uuid.Parse(userID.(string))
-
-	if err := h.service.PublishVersion(c.Request.Context(), id, uid); err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-	c.JSON(http.StatusOK, gin.H{"message": "version published"})
-}
-
-// GetApprovals returns approval history for a version
-// GET /api/v1/admin/email-template-versions/:id/approvals
-func (h *EmailTemplateHandler) GetApprovals(c *gin.Context) {
-	idStr := c.Param("id")
-	id, err := uuid.Parse(idStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid version ID"})
-		return
-	}
-
-	approvals, err := h.service.GetApprovals(c.Request.Context(), id)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-	c.JSON(http.StatusOK, gin.H{"approvals": approvals})
-}
-
-// PreviewVersion renders a preview of an email template version
-// POST /api/v1/admin/email-template-versions/:id/preview
-func (h *EmailTemplateHandler) PreviewVersion(c *gin.Context) {
-	idStr := c.Param("id")
-	id, err := uuid.Parse(idStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid version ID"})
-		return
-	}
-
-	var req struct {
-		Variables map[string]string `json:"variables"`
-	}
-	c.ShouldBindJSON(&req)
-
-	version, err := h.service.GetVersionByID(c.Request.Context(), id)
-	if err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "version not found"})
-		return
-	}
-
-	// Use default test values if not provided
-	if req.Variables == nil {
-		req.Variables = map[string]string{
-			"user_name":         "Max Mustermann",
-			"user_email":        "max@example.com",
-			"login_url":         "https://breakpilot.app/login",
-			"support_email":     "support@breakpilot.app",
-			"verification_url":  "https://breakpilot.app/verify?token=abc123",
-			"verification_code": "123456",
-			"expires_in":        "24 Stunden",
-			"reset_url":         "https://breakpilot.app/reset?token=xyz789",
-			"reset_code":        "RESET123",
-			"ip_address":        "192.168.1.1",
-			"device_info":       "Chrome auf Windows 11",
-			"changed_at":        time.Now().Format("02.01.2006 15:04"),
-			"enabled_at":        time.Now().Format("02.01.2006 15:04"),
-			"disabled_at":       time.Now().Format("02.01.2006 15:04"),
-			"support_url":       "https://breakpilot.app/support",
-			"security_url":      "https://breakpilot.app/account/security",
-			"login_time":        time.Now().Format("02.01.2006 15:04"),
-			"location":          "Berlin, Deutschland",
-			"activity_type":     "Mehrere fehlgeschlagene Login-Versuche",
-			"activity_time":     time.Now().Format("02.01.2006 15:04"),
-			"locked_at":         time.Now().Format("02.01.2006 15:04"),
-			"reason":            "Zu viele fehlgeschlagene Login-Versuche",
-			"unlock_time":       time.Now().Add(30 * time.Minute).Format("02.01.2006 15:04"),
-			"unlocked_at":       time.Now().Format("02.01.2006 15:04"),
-			"requested_at":      time.Now().Format("02.01.2006"),
-			"deletion_date":     time.Now().AddDate(0, 0, 30).Format("02.01.2006"),
-			"cancel_url":        "https://breakpilot.app/cancel-deletion?token=cancel123",
-			"data_info":         "Benutzerdaten, Zustimmungshistorie, Audit-Logs",
-			"deleted_at":        time.Now().Format("02.01.2006"),
-			"feedback_url":      "https://breakpilot.app/feedback",
-			"download_url":      "https://breakpilot.app/export/download?token=export123",
-			"file_size":         "2.3 MB",
-			"old_email":         "alt@example.com",
-			"new_email":         "neu@example.com",
-			"document_name":     "Datenschutzerklärung",
-			"document_type":     "privacy",
-			"version":           "2.0.0",
-			"consent_url":       "https://breakpilot.app/consent",
-			"deadline":          time.Now().AddDate(0, 0, 14).Format("02.01.2006"),
-			"days_left":         "7",
-			"hours_left":        "24 Stunden",
-			"consequences":      "Ohne Ihre Zustimmung wird Ihr Konto suspendiert.",
-			"suspended_at":      time.Now().Format("02.01.2006 15:04"),
-			"documents":         "- Datenschutzerklärung v2.0.0\n- AGB v1.5.0",
-		}
-	}
-
-	preview, err := h.service.RenderTemplate(version, req.Variables)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-	c.JSON(http.StatusOK, preview)
-}
-
-// SendTestEmail sends a test email
-// POST /api/v1/admin/email-template-versions/:id/send-test
-func (h *EmailTemplateHandler) SendTestEmail(c *gin.Context) {
-	idStr := c.Param("id")
-	id, err := uuid.Parse(idStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid version ID"})
-		return
-	}
-
-	var req models.SendTestEmailRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-	req.VersionID = idStr
-
-	version, err := h.service.GetVersionByID(c.Request.Context(), id)
-	if err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "version not found"})
-		return
-	}
-
-	// Get template to find type
-	template, err := h.service.GetTemplateByID(c.Request.Context(), version.TemplateID)
-	if err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "template not found"})
-		return
-	}
-
-	userID, _ := c.Get("user_id")
-	uid, _ := uuid.Parse(userID.(string))
-
-	// Send test email
-	if err := h.service.SendEmail(c.Request.Context(), template.Type, version.Language, req.Recipient, req.Variables, &uid); err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "test email sent"})
-}
-
-// GetSettings returns global email settings
-// GET /api/v1/admin/email-templates/settings
-func (h *EmailTemplateHandler) GetSettings(c *gin.Context) {
-	settings, err := h.service.GetSettings(c.Request.Context())
-	if err != nil {
-		// Return default settings if none exist
-		c.JSON(http.StatusOK, gin.H{
-			"company_name":    "BreakPilot",
-			"sender_name":     "BreakPilot",
-			"sender_email":    "noreply@breakpilot.app",
-			"primary_color":   "#2563eb",
-			"secondary_color": "#64748b",
-		})
-		return
-	}
-	c.JSON(http.StatusOK, settings)
-}
-
-// UpdateSettings updates global email settings
-// PUT /api/v1/admin/email-templates/settings
-func (h *EmailTemplateHandler) UpdateSettings(c *gin.Context) {
-	var req models.UpdateEmailTemplateSettingsRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	userID, _ := c.Get("user_id")
-	uid, _ := uuid.Parse(userID.(string))
-
-	if err := h.service.UpdateSettings(c.Request.Context(), &req, uid); err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-	c.JSON(http.StatusOK, gin.H{"message": "settings updated"})
-}
-
-// GetEmailStats returns email statistics
-// GET /api/v1/admin/email-templates/stats
-func (h *EmailTemplateHandler) GetEmailStats(c *gin.Context) {
-	stats, err := h.service.GetEmailStats(c.Request.Context())
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-	c.JSON(http.StatusOK, stats)
-}
-
-// GetSendLogs returns email send logs
-// GET /api/v1/admin/email-templates/logs
-func (h *EmailTemplateHandler) GetSendLogs(c *gin.Context) {
-	limitStr := c.DefaultQuery("limit", "50")
-	offsetStr := c.DefaultQuery("offset", "0")
-
-	limit, _ := strconv.Atoi(limitStr)
-	offset, _ := strconv.Atoi(offsetStr)
-
-	if limit > 100 {
-		limit = 100
-	}
-
-	logs, total, err := h.service.GetSendLogs(c.Request.Context(), limit, offset)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-	c.JSON(http.StatusOK, gin.H{"logs": logs, "total": total})
-}
-
-// GetDefaultContent returns default template content for a type
-// GET /api/v1/admin/email-templates/default/:type
-func (h *EmailTemplateHandler) GetDefaultContent(c *gin.Context) {
-	templateType := c.Param("type")
-	language := c.DefaultQuery("language", "de")
-
-	subject, bodyHTML, bodyText := h.service.GetDefaultTemplateContent(templateType, language)
-
-	c.JSON(http.StatusOK, gin.H{
-		"subject":   subject,
-		"body_html": bodyHTML,
-		"body_text": bodyText,
-	})
-}
-
-// InitializeTemplates initializes default email templates
-// POST /api/v1/admin/email-templates/initialize
-func (h *EmailTemplateHandler) InitializeTemplates(c *gin.Context) {
-	role, exists := c.Get("user_role")
-	if !exists || (role != "admin" && role != "super_admin") {
-		c.JSON(http.StatusForbidden, gin.H{"error": "insufficient permissions"})
-		return
-	}
-
-	if err := h.service.InitDefaultTemplates(c.Request.Context()); err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-	c.JSON(http.StatusOK, gin.H{"message": "default templates initialized"})
-}
diff --git a/consent-service/internal/handlers/email_template_ops_handlers.go b/consent-service/internal/handlers/email_template_ops_handlers.go
new file mode 100644
index 0000000..2ab2160
--- /dev/null
+++ b/consent-service/internal/handlers/email_template_ops_handlers.go
@@ -0,0 +1,276 @@
+package handlers
+
+import (
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// PublishVersion publishes an approved version
+// POST /api/v1/admin/email-template-versions/:id/publish
+func (h *EmailTemplateHandler) PublishVersion(c *gin.Context) {
+	idStr := c.Param("id")
+	id, err := uuid.Parse(idStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid version ID"})
+		return
+	}
+
+	role, exists := c.Get("user_role")
+	if !exists || (role != "data_protection_officer" && role != "admin" && role != "super_admin") {
+		c.JSON(http.StatusForbidden, gin.H{"error": "insufficient permissions"})
+		return
+	}
+
+	userID, _ := c.Get("user_id")
+	uid, _ := uuid.Parse(userID.(string))
+
+	if err := h.service.PublishVersion(c.Request.Context(), id, uid); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"message": "version published"})
+}
+
+// GetApprovals returns approval history for a version
+// GET /api/v1/admin/email-template-versions/:id/approvals
+func (h *EmailTemplateHandler) GetApprovals(c *gin.Context) {
+	idStr := c.Param("id")
+	id, err := uuid.Parse(idStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid version ID"})
+		return
+	}
+
+	approvals, err := h.service.GetApprovals(c.Request.Context(), id)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"approvals": approvals})
+}
+
+// PreviewVersion renders a preview of an email template version
+// POST /api/v1/admin/email-template-versions/:id/preview
+func (h *EmailTemplateHandler) PreviewVersion(c *gin.Context) {
+	idStr := c.Param("id")
+	id, err := uuid.Parse(idStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid version ID"})
+		return
+	}
+
+	var req struct {
+		Variables map[string]string `json:"variables"`
+	}
+	c.ShouldBindJSON(&req)
+
+	version, err := h.service.GetVersionByID(c.Request.Context(), id)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "version not found"})
+		return
+	}
+
+	// Use default test values if not provided
+	if req.Variables == nil {
+		req.Variables = map[string]string{
+			"user_name":         "Max Mustermann",
+			"user_email":        "max@example.com",
+			"login_url":         "https://breakpilot.app/login",
+			"support_email":     "support@breakpilot.app",
+			"verification_url":  "https://breakpilot.app/verify?token=abc123",
+			"verification_code": "123456",
+			"expires_in":        "24 Stunden",
+			"reset_url":         "https://breakpilot.app/reset?token=xyz789",
+			"reset_code":        "RESET123",
+			"ip_address":        "192.168.1.1",
+			"device_info":       "Chrome auf Windows 11",
+			"changed_at":        time.Now().Format("02.01.2006 15:04"),
+			"enabled_at":        time.Now().Format("02.01.2006 15:04"),
+			"disabled_at":       time.Now().Format("02.01.2006 15:04"),
+			"support_url":       "https://breakpilot.app/support",
+			"security_url":      "https://breakpilot.app/account/security",
+			"login_time":        time.Now().Format("02.01.2006 15:04"),
+			"location":          "Berlin, Deutschland",
+			"activity_type":     "Mehrere fehlgeschlagene Login-Versuche",
+			"activity_time":     time.Now().Format("02.01.2006 15:04"),
+			"locked_at":         time.Now().Format("02.01.2006 15:04"),
+			"reason":            "Zu viele fehlgeschlagene Login-Versuche",
+			"unlock_time":       time.Now().Add(30 * time.Minute).Format("02.01.2006 15:04"),
+			"unlocked_at":       time.Now().Format("02.01.2006 15:04"),
+			"requested_at":      time.Now().Format("02.01.2006"),
+			"deletion_date":     time.Now().AddDate(0, 0, 30).Format("02.01.2006"),
+			"cancel_url":        "https://breakpilot.app/cancel-deletion?token=cancel123",
+			"data_info":         "Benutzerdaten, Zustimmungshistorie, Audit-Logs",
+			"deleted_at":        time.Now().Format("02.01.2006"),
+			"feedback_url":      "https://breakpilot.app/feedback",
+			"download_url":      "https://breakpilot.app/export/download?token=export123",
+			"file_size":         "2.3 MB",
+			"old_email":         "alt@example.com",
+			"new_email":         "neu@example.com",
+			"document_name":     "Datenschutzerklärung",
+			"document_type":     "privacy",
+			"version":           "2.0.0",
+			"consent_url":       "https://breakpilot.app/consent",
+			"deadline":          time.Now().AddDate(0, 0, 14).Format("02.01.2006"),
+			"days_left":         "7",
+			"hours_left":        "24 Stunden",
+			"consequences":      "Ohne Ihre Zustimmung wird Ihr Konto suspendiert.",
+			"suspended_at":      time.Now().Format("02.01.2006 15:04"),
+			"documents":         "- Datenschutzerklärung v2.0.0\n- AGB v1.5.0",
+		}
+	}
+
+	preview, err := h.service.RenderTemplate(version, req.Variables)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, preview)
+}
+
+// SendTestEmail sends a test email
+// POST /api/v1/admin/email-template-versions/:id/send-test
+func (h *EmailTemplateHandler) SendTestEmail(c *gin.Context) {
+	idStr := c.Param("id")
+	id, err := uuid.Parse(idStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid version ID"})
+		return
+	}
+
+	var req models.SendTestEmailRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+	req.VersionID = idStr
+
+	version, err := h.service.GetVersionByID(c.Request.Context(), id)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "version not found"})
+		return
+	}
+
+	// Get template to find type
+	template, err := h.service.GetTemplateByID(c.Request.Context(), version.TemplateID)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "template not found"})
+		return
+	}
+
+	userID, _ := c.Get("user_id")
+	uid, _ := uuid.Parse(userID.(string))
+
+	// Send test email
+	if err := h.service.SendEmail(c.Request.Context(), template.Type, version.Language, req.Recipient, req.Variables, &uid); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "test email sent"})
+}
+
+// GetSettings returns global email settings
+// GET /api/v1/admin/email-templates/settings
+func (h *EmailTemplateHandler) GetSettings(c *gin.Context) {
+	settings, err := h.service.GetSettings(c.Request.Context())
+	if err != nil {
+		// Return default settings if none exist
+		c.JSON(http.StatusOK, gin.H{
+			"company_name":    "BreakPilot",
+			"sender_name":     "BreakPilot",
+			"sender_email":    "noreply@breakpilot.app",
+			"primary_color":   "#2563eb",
+			"secondary_color": "#64748b",
+		})
+		return
+	}
+	c.JSON(http.StatusOK, settings)
+}
+
+// UpdateSettings updates global email settings
+// PUT /api/v1/admin/email-templates/settings
+func (h *EmailTemplateHandler) UpdateSettings(c *gin.Context) {
+	var req models.UpdateEmailTemplateSettingsRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	userID, _ := c.Get("user_id")
+	uid, _ := uuid.Parse(userID.(string))
+
+	if err := h.service.UpdateSettings(c.Request.Context(), &req, uid); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"message": "settings updated"})
+}
+
+// GetEmailStats returns email statistics
+// GET /api/v1/admin/email-templates/stats
+func (h *EmailTemplateHandler) GetEmailStats(c *gin.Context) {
+	stats, err := h.service.GetEmailStats(c.Request.Context())
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, stats)
+}
+
+// GetSendLogs returns email send logs
+// GET /api/v1/admin/email-templates/logs
+func (h *EmailTemplateHandler) GetSendLogs(c *gin.Context) {
+	limitStr := c.DefaultQuery("limit", "50")
+	offsetStr := c.DefaultQuery("offset", "0")
+
+	limit, _ := strconv.Atoi(limitStr)
+	offset, _ := strconv.Atoi(offsetStr)
+
+	if limit > 100 {
+		limit = 100
+	}
+
+	logs, total, err := h.service.GetSendLogs(c.Request.Context(), limit, offset)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"logs": logs, "total": total})
+}
+
+// GetDefaultContent returns default template content for a type
+// GET /api/v1/admin/email-templates/default/:type
+func (h *EmailTemplateHandler) GetDefaultContent(c *gin.Context) {
+	templateType := c.Param("type")
+	language := c.DefaultQuery("language", "de")
+
+	subject, bodyHTML, bodyText := h.service.GetDefaultTemplateContent(templateType, language)
+
+	c.JSON(http.StatusOK, gin.H{
+		"subject":   subject,
+		"body_html": bodyHTML,
+		"body_text": bodyText,
+	})
+}
+
+// InitializeTemplates initializes default email templates
+// POST /api/v1/admin/email-templates/initialize
+func (h *EmailTemplateHandler) InitializeTemplates(c *gin.Context) {
+	role, exists := c.Get("user_role")
+	if !exists || (role != "admin" && role != "super_admin") {
+		c.JSON(http.StatusForbidden, gin.H{"error": "insufficient permissions"})
+		return
+	}
+
+	if err := h.service.InitDefaultTemplates(c.Request.Context()); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"message": "default templates initialized"})
+}
diff --git a/consent-service/internal/handlers/gdpr.go b/consent-service/internal/handlers/gdpr.go
new file mode 100644
index 0000000..06d74d1
--- /dev/null
+++ b/consent-service/internal/handlers/gdpr.go
@@ -0,0 +1,168 @@
+package handlers
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/middleware"
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// ========================================
+// GDPR / DATA SUBJECT RIGHTS
+// ========================================
+
+// GetMyData returns all data we have about the user
+func (h *Handler) GetMyData(c *gin.Context) {
+	userID, err := middleware.GetUserID(c)
+	if err != nil || userID == uuid.Nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
+		return
+	}
+
+	ctx := context.Background()
+	ipAddress := middleware.GetClientIP(c)
+	userAgent := middleware.GetUserAgent(c)
+
+	// Get user info
+	var user models.User
+	err = h.db.Pool.QueryRow(ctx, `
+		SELECT id, external_id, email, role, created_at, updated_at
+		FROM users WHERE id = $1
+	`, userID).Scan(&user.ID, &user.ExternalID, &user.Email, &user.Role, &user.CreatedAt, &user.UpdatedAt)
+
+	// Get consents
+	consentRows, _ := h.db.Pool.Query(ctx, `
+		SELECT uc.consented, uc.consented_at, ld.type, ld.name, dv.version
+		FROM user_consents uc
+		JOIN document_versions dv ON uc.document_version_id = dv.id
+		JOIN legal_documents ld ON dv.document_id = ld.id
+		WHERE uc.user_id = $1
+	`, userID)
+	defer consentRows.Close()
+
+	var consents []map[string]interface{}
+	for consentRows.Next() {
+		var consented bool
+		var consentedAt time.Time
+		var docType, docName, version string
+		consentRows.Scan(&consented, &consentedAt, &docType, &docName, &version)
+		consents = append(consents, map[string]interface{}{
+			"document_type": docType,
+			"document_name": docName,
+			"version":       version,
+			"consented":     consented,
+			"consented_at":  consentedAt,
+		})
+	}
+
+	// Get cookie consents
+	cookieRows, _ := h.db.Pool.Query(ctx, `
+		SELECT cat.name, cc.consented, cc.updated_at
+		FROM cookie_consents cc
+		JOIN cookie_categories cat ON cc.category_id = cat.id
+		WHERE cc.user_id = $1
+	`, userID)
+	defer cookieRows.Close()
+
+	var cookieConsents []map[string]interface{}
+	for cookieRows.Next() {
+		var name string
+		var consented bool
+		var updatedAt time.Time
+		cookieRows.Scan(&name, &consented, &updatedAt)
+		cookieConsents = append(cookieConsents, map[string]interface{}{
+			"category":   name,
+			"consented":  consented,
+			"updated_at": updatedAt,
+		})
+	}
+
+	// Log data access
+	h.logAudit(ctx, &userID, "data_access", "user", &userID, nil, ipAddress, userAgent)
+
+	c.JSON(http.StatusOK, gin.H{
+		"user": map[string]interface{}{
+			"id":         user.ID,
+			"email":      user.Email,
+			"created_at": user.CreatedAt,
+		},
+		"consents":        consents,
+		"cookie_consents": cookieConsents,
+		"exported_at":     time.Now(),
+	})
+}
+
+// RequestDataExport creates a data export request
+func (h *Handler) RequestDataExport(c *gin.Context) {
+	userID, err := middleware.GetUserID(c)
+	if err != nil || userID == uuid.Nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
+		return
+	}
+
+	ctx := context.Background()
+	ipAddress := middleware.GetClientIP(c)
+	userAgent := middleware.GetUserAgent(c)
+
+	var requestID uuid.UUID
+	err = h.db.Pool.QueryRow(ctx, `
+		INSERT INTO data_export_requests (user_id, status)
+		VALUES ($1, 'pending')
+		RETURNING id
+	`, userID).Scan(&requestID)
+
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create export request"})
+		return
+	}
+
+	// Log to audit trail
+	h.logAudit(ctx, &userID, "data_export_requested", "export_request", &requestID, nil, ipAddress, userAgent)
+
+	c.JSON(http.StatusAccepted, gin.H{
+		"message":    "Export request created. You will be notified when ready.",
+		"request_id": requestID,
+	})
+}
+
+// RequestDataDeletion creates a data deletion request
+func (h *Handler) RequestDataDeletion(c *gin.Context) {
+	userID, err := middleware.GetUserID(c)
+	if err != nil || userID == uuid.Nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
+		return
+	}
+
+	var req struct {
+		Reason string `json:"reason"`
+	}
+	c.ShouldBindJSON(&req)
+
+	ctx := context.Background()
+	ipAddress := middleware.GetClientIP(c)
+	userAgent := middleware.GetUserAgent(c)
+
+	var requestID uuid.UUID
+	err = h.db.Pool.QueryRow(ctx, `
+		INSERT INTO data_deletion_requests (user_id, status, reason)
+		VALUES ($1, 'pending', $2)
+		RETURNING id
+	`, userID, req.Reason).Scan(&requestID)
+
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create deletion request"})
+		return
+	}
+
+	// Log to audit trail
+	h.logAudit(ctx, &userID, "data_deletion_requested", "deletion_request", &requestID, nil, ipAddress, userAgent)
+
+	c.JSON(http.StatusAccepted, gin.H{
+		"message":    "Deletion request created. We will process your request within 30 days.",
+		"request_id": requestID,
+	})
+}
diff --git a/consent-service/internal/handlers/handlers.go b/consent-service/internal/handlers/handlers.go
index c57d80a..f2dedbe 100644
--- a/consent-service/internal/handlers/handlers.go
+++ b/consent-service/internal/handlers/handlers.go
@@ -2,16 +2,9 @@ package handlers
 
 import (
 	"context"
-	"fmt"
-	"net/http"
 	"strconv"
-	"strings"
-	"time"
 
 	"github.com/breakpilot/consent-service/internal/database"
-	"github.com/breakpilot/consent-service/internal/middleware"
-	"github.com/breakpilot/consent-service/internal/models"
-	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 )
 
@@ -25,1648 +18,6 @@ func New(db *database.DB) *Handler {
 	return &Handler{db: db}
 }
 
-// ========================================
-// PUBLIC ENDPOINTS - Documents
-// ========================================
-
-// GetDocuments returns all active legal documents
-func (h *Handler) GetDocuments(c *gin.Context) {
-	ctx := context.Background()
-
-	rows, err := h.db.Pool.Query(ctx, `
-		SELECT id, type, name, description, is_mandatory, is_active, sort_order, created_at, updated_at
-		FROM legal_documents
-		WHERE is_active = true
-		ORDER BY sort_order ASC
-	`)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch documents"})
-		return
-	}
-	defer rows.Close()
-
-	var documents []models.LegalDocument
-	for rows.Next() {
-		var doc models.LegalDocument
-		if err := rows.Scan(&doc.ID, &doc.Type, &doc.Name, &doc.Description,
-			&doc.IsMandatory, &doc.IsActive, &doc.SortOrder, &doc.CreatedAt, &doc.UpdatedAt); err != nil {
-			continue
-		}
-		documents = append(documents, doc)
-	}
-
-	c.JSON(http.StatusOK, gin.H{"documents": documents})
-}
-
-// GetDocumentByType returns a document by its type
-func (h *Handler) GetDocumentByType(c *gin.Context) {
-	docType := c.Param("type")
-	ctx := context.Background()
-
-	var doc models.LegalDocument
-	err := h.db.Pool.QueryRow(ctx, `
-		SELECT id, type, name, description, is_mandatory, is_active, sort_order, created_at, updated_at
-		FROM legal_documents
-		WHERE type = $1 AND is_active = true
-	`, docType).Scan(&doc.ID, &doc.Type, &doc.Name, &doc.Description,
-		&doc.IsMandatory, &doc.IsActive, &doc.SortOrder, &doc.CreatedAt, &doc.UpdatedAt)
-
-	if err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "Document not found"})
-		return
-	}
-
-	c.JSON(http.StatusOK, doc)
-}
-
-// GetLatestDocumentVersion returns the latest published version of a document
-func (h *Handler) GetLatestDocumentVersion(c *gin.Context) {
-	docType := c.Param("type")
-	language := c.DefaultQuery("language", "de")
-	ctx := context.Background()
-
-	var version models.DocumentVersion
-	err := h.db.Pool.QueryRow(ctx, `
-		SELECT dv.id, dv.document_id, dv.version, dv.language, dv.title, dv.content,
-		       dv.summary, dv.status, dv.published_at, dv.created_at, dv.updated_at
-		FROM document_versions dv
-		JOIN legal_documents ld ON dv.document_id = ld.id
-		WHERE ld.type = $1 AND dv.language = $2 AND dv.status = 'published'
-		ORDER BY dv.published_at DESC
-		LIMIT 1
-	`, docType, language).Scan(&version.ID, &version.DocumentID, &version.Version, &version.Language,
-		&version.Title, &version.Content, &version.Summary, &version.Status,
-		&version.PublishedAt, &version.CreatedAt, &version.UpdatedAt)
-
-	if err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "No published version found"})
-		return
-	}
-
-	c.JSON(http.StatusOK, version)
-}
-
-// ========================================
-// PUBLIC ENDPOINTS - Consent
-// ========================================
-
-// CreateConsent creates a new user consent
-func (h *Handler) CreateConsent(c *gin.Context) {
-	var req models.CreateConsentRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	userID, err := middleware.GetUserID(c)
-	if err != nil || userID == uuid.Nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
-		return
-	}
-
-	versionID, err := uuid.Parse(req.VersionID)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
-		return
-	}
-
-	ctx := context.Background()
-	ipAddress := middleware.GetClientIP(c)
-	userAgent := middleware.GetUserAgent(c)
-
-	// Upsert consent
-	var consentID uuid.UUID
-	err = h.db.Pool.QueryRow(ctx, `
-		INSERT INTO user_consents (user_id, document_version_id, consented, ip_address, user_agent)
-		VALUES ($1, $2, $3, $4, $5)
-		ON CONFLICT (user_id, document_version_id)
-		DO UPDATE SET consented = $3, consented_at = NOW(), withdrawn_at = NULL
-		RETURNING id
-	`, userID, versionID, req.Consented, ipAddress, userAgent).Scan(&consentID)
-
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to save consent"})
-		return
-	}
-
-	// Log to audit trail
-	h.logAudit(ctx, &userID, "consent_given", "document_version", &versionID, nil, ipAddress, userAgent)
-
-	c.JSON(http.StatusCreated, gin.H{
-		"message":    "Consent saved successfully",
-		"consent_id": consentID,
-	})
-}
-
-// GetMyConsents returns all consents for the current user
-func (h *Handler) GetMyConsents(c *gin.Context) {
-	userID, err := middleware.GetUserID(c)
-	if err != nil || userID == uuid.Nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
-		return
-	}
-
-	ctx := context.Background()
-
-	rows, err := h.db.Pool.Query(ctx, `
-		SELECT uc.id, uc.consented, uc.consented_at, uc.withdrawn_at,
-		       ld.id, ld.type, ld.name, ld.is_mandatory,
-		       dv.id, dv.version, dv.language, dv.title
-		FROM user_consents uc
-		JOIN document_versions dv ON uc.document_version_id = dv.id
-		JOIN legal_documents ld ON dv.document_id = ld.id
-		WHERE uc.user_id = $1
-		ORDER BY uc.consented_at DESC
-	`, userID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch consents"})
-		return
-	}
-	defer rows.Close()
-
-	var consents []map[string]interface{}
-	for rows.Next() {
-		var (
-			consentID     uuid.UUID
-			consented     bool
-			consentedAt   time.Time
-			withdrawnAt   *time.Time
-			docID         uuid.UUID
-			docType       string
-			docName       string
-			isMandatory   bool
-			versionID     uuid.UUID
-			version       string
-			language      string
-			title         string
-		)
-
-		if err := rows.Scan(&consentID, &consented, &consentedAt, &withdrawnAt,
-			&docID, &docType, &docName, &isMandatory,
-			&versionID, &version, &language, &title); err != nil {
-			continue
-		}
-
-		consents = append(consents, map[string]interface{}{
-			"consent_id":   consentID,
-			"consented":    consented,
-			"consented_at": consentedAt,
-			"withdrawn_at": withdrawnAt,
-			"document": map[string]interface{}{
-				"id":           docID,
-				"type":         docType,
-				"name":         docName,
-				"is_mandatory": isMandatory,
-			},
-			"version": map[string]interface{}{
-				"id":       versionID,
-				"version":  version,
-				"language": language,
-				"title":    title,
-			},
-		})
-	}
-
-	c.JSON(http.StatusOK, gin.H{"consents": consents})
-}
-
-// CheckConsent checks if the user has consented to a document
-func (h *Handler) CheckConsent(c *gin.Context) {
-	docType := c.Param("documentType")
-	language := c.DefaultQuery("language", "de")
-
-	userID, err := middleware.GetUserID(c)
-	if err != nil || userID == uuid.Nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
-		return
-	}
-
-	ctx := context.Background()
-
-	// Get latest published version
-	var latestVersionID uuid.UUID
-	var latestVersion string
-	err = h.db.Pool.QueryRow(ctx, `
-		SELECT dv.id, dv.version
-		FROM document_versions dv
-		JOIN legal_documents ld ON dv.document_id = ld.id
-		WHERE ld.type = $1 AND dv.language = $2 AND dv.status = 'published'
-		ORDER BY dv.published_at DESC
-		LIMIT 1
-	`, docType, language).Scan(&latestVersionID, &latestVersion)
-
-	if err != nil {
-		c.JSON(http.StatusOK, models.ConsentCheckResponse{
-			HasConsent:  false,
-			NeedsUpdate: false,
-		})
-		return
-	}
-
-	// Check if user has consented to this version
-	var consentedVersionID uuid.UUID
-	var consentedVersion string
-	var consentedAt time.Time
-	err = h.db.Pool.QueryRow(ctx, `
-		SELECT dv.id, dv.version, uc.consented_at
-		FROM user_consents uc
-		JOIN document_versions dv ON uc.document_version_id = dv.id
-		JOIN legal_documents ld ON dv.document_id = ld.id
-		WHERE uc.user_id = $1 AND ld.type = $2 AND uc.consented = true AND uc.withdrawn_at IS NULL
-		ORDER BY uc.consented_at DESC
-		LIMIT 1
-	`, userID, docType).Scan(&consentedVersionID, &consentedVersion, &consentedAt)
-
-	if err != nil {
-		// No consent found
-		latestIDStr := latestVersionID.String()
-		c.JSON(http.StatusOK, models.ConsentCheckResponse{
-			HasConsent:       false,
-			CurrentVersionID: &latestIDStr,
-			NeedsUpdate:      true,
-		})
-		return
-	}
-
-	// Check if consent is for latest version
-	needsUpdate := consentedVersionID != latestVersionID
-	latestIDStr := latestVersionID.String()
-	consentedVerStr := consentedVersion
-
-	c.JSON(http.StatusOK, models.ConsentCheckResponse{
-		HasConsent:       true,
-		CurrentVersionID: &latestIDStr,
-		ConsentedVersion: &consentedVerStr,
-		NeedsUpdate:      needsUpdate,
-		ConsentedAt:      &consentedAt,
-	})
-}
-
-// WithdrawConsent withdraws a consent
-func (h *Handler) WithdrawConsent(c *gin.Context) {
-	consentID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid consent ID"})
-		return
-	}
-
-	userID, err := middleware.GetUserID(c)
-	if err != nil || userID == uuid.Nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
-		return
-	}
-
-	ctx := context.Background()
-	ipAddress := middleware.GetClientIP(c)
-	userAgent := middleware.GetUserAgent(c)
-
-	// Update consent
-	result, err := h.db.Pool.Exec(ctx, `
-		UPDATE user_consents
-		SET withdrawn_at = NOW(), consented = false
-		WHERE id = $1 AND user_id = $2
-	`, consentID, userID)
-
-	if err != nil || result.RowsAffected() == 0 {
-		c.JSON(http.StatusNotFound, gin.H{"error": "Consent not found"})
-		return
-	}
-
-	// Log to audit trail
-	h.logAudit(ctx, &userID, "consent_withdrawn", "consent", &consentID, nil, ipAddress, userAgent)
-
-	c.JSON(http.StatusOK, gin.H{"message": "Consent withdrawn successfully"})
-}
-
-// ========================================
-// PUBLIC ENDPOINTS - Cookie Consent
-// ========================================
-
-// GetCookieCategories returns all active cookie categories
-func (h *Handler) GetCookieCategories(c *gin.Context) {
-	language := c.DefaultQuery("language", "de")
-	ctx := context.Background()
-
-	rows, err := h.db.Pool.Query(ctx, `
-		SELECT id, name, display_name_de, display_name_en, description_de, description_en,
-		       is_mandatory, sort_order
-		FROM cookie_categories
-		WHERE is_active = true
-		ORDER BY sort_order ASC
-	`)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch categories"})
-		return
-	}
-	defer rows.Close()
-
-	var categories []map[string]interface{}
-	for rows.Next() {
-		var cat models.CookieCategory
-		if err := rows.Scan(&cat.ID, &cat.Name, &cat.DisplayNameDE, &cat.DisplayNameEN,
-			&cat.DescriptionDE, &cat.DescriptionEN, &cat.IsMandatory, &cat.SortOrder); err != nil {
-			continue
-		}
-
-		// Return localized data
-		displayName := cat.DisplayNameDE
-		description := cat.DescriptionDE
-		if language == "en" && cat.DisplayNameEN != nil {
-			displayName = *cat.DisplayNameEN
-			if cat.DescriptionEN != nil {
-				description = cat.DescriptionEN
-			}
-		}
-
-		categories = append(categories, map[string]interface{}{
-			"id":           cat.ID,
-			"name":         cat.Name,
-			"display_name": displayName,
-			"description":  description,
-			"is_mandatory": cat.IsMandatory,
-		})
-	}
-
-	c.JSON(http.StatusOK, gin.H{"categories": categories})
-}
-
-// SetCookieConsent sets cookie preferences for a user
-func (h *Handler) SetCookieConsent(c *gin.Context) {
-	var req models.CookieConsentRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	userID, err := middleware.GetUserID(c)
-	if err != nil || userID == uuid.Nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
-		return
-	}
-
-	ctx := context.Background()
-	ipAddress := middleware.GetClientIP(c)
-	userAgent := middleware.GetUserAgent(c)
-
-	// Process each category
-	for _, cat := range req.Categories {
-		categoryID, err := uuid.Parse(cat.CategoryID)
-		if err != nil {
-			continue
-		}
-
-		_, err = h.db.Pool.Exec(ctx, `
-			INSERT INTO cookie_consents (user_id, category_id, consented)
-			VALUES ($1, $2, $3)
-			ON CONFLICT (user_id, category_id)
-			DO UPDATE SET consented = $3, updated_at = NOW()
-		`, userID, categoryID, cat.Consented)
-
-		if err != nil {
-			continue
-		}
-	}
-
-	// Log to audit trail
-	h.logAudit(ctx, &userID, "cookie_consent_updated", "cookie", nil, nil, ipAddress, userAgent)
-
-	c.JSON(http.StatusOK, gin.H{"message": "Cookie preferences saved"})
-}
-
-// GetMyCookieConsent returns cookie preferences for the current user
-func (h *Handler) GetMyCookieConsent(c *gin.Context) {
-	userID, err := middleware.GetUserID(c)
-	if err != nil || userID == uuid.Nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
-		return
-	}
-
-	ctx := context.Background()
-
-	rows, err := h.db.Pool.Query(ctx, `
-		SELECT cc.category_id, cc.consented, cc.updated_at,
-		       cat.name, cat.display_name_de, cat.is_mandatory
-		FROM cookie_consents cc
-		JOIN cookie_categories cat ON cc.category_id = cat.id
-		WHERE cc.user_id = $1
-	`, userID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch preferences"})
-		return
-	}
-	defer rows.Close()
-
-	var consents []map[string]interface{}
-	for rows.Next() {
-		var (
-			categoryID   uuid.UUID
-			consented    bool
-			updatedAt    time.Time
-			name         string
-			displayName  string
-			isMandatory  bool
-		)
-
-		if err := rows.Scan(&categoryID, &consented, &updatedAt, &name, &displayName, &isMandatory); err != nil {
-			continue
-		}
-
-		consents = append(consents, map[string]interface{}{
-			"category_id":  categoryID,
-			"name":         name,
-			"display_name": displayName,
-			"consented":    consented,
-			"is_mandatory": isMandatory,
-			"updated_at":   updatedAt,
-		})
-	}
-
-	c.JSON(http.StatusOK, gin.H{"cookie_consents": consents})
-}
-
-// ========================================
-// GDPR / DATA SUBJECT RIGHTS
-// ========================================
-
-// GetMyData returns all data we have about the user
-func (h *Handler) GetMyData(c *gin.Context) {
-	userID, err := middleware.GetUserID(c)
-	if err != nil || userID == uuid.Nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
-		return
-	}
-
-	ctx := context.Background()
-	ipAddress := middleware.GetClientIP(c)
-	userAgent := middleware.GetUserAgent(c)
-
-	// Get user info
-	var user models.User
-	err = h.db.Pool.QueryRow(ctx, `
-		SELECT id, external_id, email, role, created_at, updated_at
-		FROM users WHERE id = $1
-	`, userID).Scan(&user.ID, &user.ExternalID, &user.Email, &user.Role, &user.CreatedAt, &user.UpdatedAt)
-
-	// Get consents
-	consentRows, _ := h.db.Pool.Query(ctx, `
-		SELECT uc.consented, uc.consented_at, ld.type, ld.name, dv.version
-		FROM user_consents uc
-		JOIN document_versions dv ON uc.document_version_id = dv.id
-		JOIN legal_documents ld ON dv.document_id = ld.id
-		WHERE uc.user_id = $1
-	`, userID)
-	defer consentRows.Close()
-
-	var consents []map[string]interface{}
-	for consentRows.Next() {
-		var consented bool
-		var consentedAt time.Time
-		var docType, docName, version string
-		consentRows.Scan(&consented, &consentedAt, &docType, &docName, &version)
-		consents = append(consents, map[string]interface{}{
-			"document_type": docType,
-			"document_name": docName,
-			"version":       version,
-			"consented":     consented,
-			"consented_at":  consentedAt,
-		})
-	}
-
-	// Get cookie consents
-	cookieRows, _ := h.db.Pool.Query(ctx, `
-		SELECT cat.name, cc.consented, cc.updated_at
-		FROM cookie_consents cc
-		JOIN cookie_categories cat ON cc.category_id = cat.id
-		WHERE cc.user_id = $1
-	`, userID)
-	defer cookieRows.Close()
-
-	var cookieConsents []map[string]interface{}
-	for cookieRows.Next() {
-		var name string
-		var consented bool
-		var updatedAt time.Time
-		cookieRows.Scan(&name, &consented, &updatedAt)
-		cookieConsents = append(cookieConsents, map[string]interface{}{
-			"category":   name,
-			"consented":  consented,
-			"updated_at": updatedAt,
-		})
-	}
-
-	// Log data access
-	h.logAudit(ctx, &userID, "data_access", "user", &userID, nil, ipAddress, userAgent)
-
-	c.JSON(http.StatusOK, gin.H{
-		"user": map[string]interface{}{
-			"id":         user.ID,
-			"email":      user.Email,
-			"created_at": user.CreatedAt,
-		},
-		"consents":        consents,
-		"cookie_consents": cookieConsents,
-		"exported_at":     time.Now(),
-	})
-}
-
-// RequestDataExport creates a data export request
-func (h *Handler) RequestDataExport(c *gin.Context) {
-	userID, err := middleware.GetUserID(c)
-	if err != nil || userID == uuid.Nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
-		return
-	}
-
-	ctx := context.Background()
-	ipAddress := middleware.GetClientIP(c)
-	userAgent := middleware.GetUserAgent(c)
-
-	var requestID uuid.UUID
-	err = h.db.Pool.QueryRow(ctx, `
-		INSERT INTO data_export_requests (user_id, status)
-		VALUES ($1, 'pending')
-		RETURNING id
-	`, userID).Scan(&requestID)
-
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create export request"})
-		return
-	}
-
-	// Log to audit trail
-	h.logAudit(ctx, &userID, "data_export_requested", "export_request", &requestID, nil, ipAddress, userAgent)
-
-	c.JSON(http.StatusAccepted, gin.H{
-		"message":    "Export request created. You will be notified when ready.",
-		"request_id": requestID,
-	})
-}
-
-// RequestDataDeletion creates a data deletion request
-func (h *Handler) RequestDataDeletion(c *gin.Context) {
-	userID, err := middleware.GetUserID(c)
-	if err != nil || userID == uuid.Nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid user"})
-		return
-	}
-
-	var req struct {
-		Reason string `json:"reason"`
-	}
-	c.ShouldBindJSON(&req)
-
-	ctx := context.Background()
-	ipAddress := middleware.GetClientIP(c)
-	userAgent := middleware.GetUserAgent(c)
-
-	var requestID uuid.UUID
-	err = h.db.Pool.QueryRow(ctx, `
-		INSERT INTO data_deletion_requests (user_id, status, reason)
-		VALUES ($1, 'pending', $2)
-		RETURNING id
-	`, userID, req.Reason).Scan(&requestID)
-
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create deletion request"})
-		return
-	}
-
-	// Log to audit trail
-	h.logAudit(ctx, &userID, "data_deletion_requested", "deletion_request", &requestID, nil, ipAddress, userAgent)
-
-	c.JSON(http.StatusAccepted, gin.H{
-		"message":    "Deletion request created. We will process your request within 30 days.",
-		"request_id": requestID,
-	})
-}
-
-// ========================================
-// ADMIN ENDPOINTS - Document Management
-// ========================================
-
-// AdminGetDocuments returns all documents (including inactive) for admin
-func (h *Handler) AdminGetDocuments(c *gin.Context) {
-	ctx := context.Background()
-
-	rows, err := h.db.Pool.Query(ctx, `
-		SELECT id, type, name, description, is_mandatory, is_active, sort_order, created_at, updated_at
-		FROM legal_documents
-		ORDER BY sort_order ASC, created_at DESC
-	`)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch documents"})
-		return
-	}
-	defer rows.Close()
-
-	var documents []models.LegalDocument
-	for rows.Next() {
-		var doc models.LegalDocument
-		if err := rows.Scan(&doc.ID, &doc.Type, &doc.Name, &doc.Description,
-			&doc.IsMandatory, &doc.IsActive, &doc.SortOrder, &doc.CreatedAt, &doc.UpdatedAt); err != nil {
-			continue
-		}
-		documents = append(documents, doc)
-	}
-
-	c.JSON(http.StatusOK, gin.H{"documents": documents})
-}
-
-// AdminCreateDocument creates a new legal document
-func (h *Handler) AdminCreateDocument(c *gin.Context) {
-	var req models.CreateDocumentRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	ctx := context.Background()
-
-	var docID uuid.UUID
-	err := h.db.Pool.QueryRow(ctx, `
-		INSERT INTO legal_documents (type, name, description, is_mandatory)
-		VALUES ($1, $2, $3, $4)
-		RETURNING id
-	`, req.Type, req.Name, req.Description, req.IsMandatory).Scan(&docID)
-
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create document"})
-		return
-	}
-
-	c.JSON(http.StatusCreated, gin.H{
-		"message": "Document created successfully",
-		"id":      docID,
-	})
-}
-
-// AdminUpdateDocument updates a legal document
-func (h *Handler) AdminUpdateDocument(c *gin.Context) {
-	docID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid document ID"})
-		return
-	}
-
-	var req struct {
-		Name        *string `json:"name"`
-		Description *string `json:"description"`
-		IsMandatory *bool   `json:"is_mandatory"`
-		IsActive    *bool   `json:"is_active"`
-		SortOrder   *int    `json:"sort_order"`
-	}
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	ctx := context.Background()
-
-	result, err := h.db.Pool.Exec(ctx, `
-		UPDATE legal_documents
-		SET name = COALESCE($2, name),
-		    description = COALESCE($3, description),
-		    is_mandatory = COALESCE($4, is_mandatory),
-		    is_active = COALESCE($5, is_active),
-		    sort_order = COALESCE($6, sort_order),
-		    updated_at = NOW()
-		WHERE id = $1
-	`, docID, req.Name, req.Description, req.IsMandatory, req.IsActive, req.SortOrder)
-
-	if err != nil || result.RowsAffected() == 0 {
-		c.JSON(http.StatusNotFound, gin.H{"error": "Document not found"})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Document updated successfully"})
-}
-
-// AdminDeleteDocument soft-deletes a document (sets is_active to false)
-func (h *Handler) AdminDeleteDocument(c *gin.Context) {
-	docID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid document ID"})
-		return
-	}
-
-	ctx := context.Background()
-
-	result, err := h.db.Pool.Exec(ctx, `
-		UPDATE legal_documents
-		SET is_active = false, updated_at = NOW()
-		WHERE id = $1
-	`, docID)
-
-	if err != nil || result.RowsAffected() == 0 {
-		c.JSON(http.StatusNotFound, gin.H{"error": "Document not found"})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Document deleted successfully"})
-}
-
-// ========================================
-// ADMIN ENDPOINTS - Version Management
-// ========================================
-
-// AdminGetVersions returns all versions for a document
-func (h *Handler) AdminGetVersions(c *gin.Context) {
-	docID, err := uuid.Parse(c.Param("docId"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid document ID"})
-		return
-	}
-
-	ctx := context.Background()
-
-	rows, err := h.db.Pool.Query(ctx, `
-		SELECT id, document_id, version, language, title, content, summary, status,
-		       published_at, scheduled_publish_at, created_by, approved_by, approved_at, created_at, updated_at
-		FROM document_versions
-		WHERE document_id = $1
-		ORDER BY created_at DESC
-	`, docID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch versions"})
-		return
-	}
-	defer rows.Close()
-
-	var versions []models.DocumentVersion
-	for rows.Next() {
-		var v models.DocumentVersion
-		if err := rows.Scan(&v.ID, &v.DocumentID, &v.Version, &v.Language, &v.Title, &v.Content,
-			&v.Summary, &v.Status, &v.PublishedAt, &v.ScheduledPublishAt, &v.CreatedBy, &v.ApprovedBy, &v.ApprovedAt, &v.CreatedAt, &v.UpdatedAt); err != nil {
-			continue
-		}
-		versions = append(versions, v)
-	}
-
-	c.JSON(http.StatusOK, gin.H{"versions": versions})
-}
-
-// AdminCreateVersion creates a new document version
-func (h *Handler) AdminCreateVersion(c *gin.Context) {
-	var req models.CreateVersionRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	docID, err := uuid.Parse(req.DocumentID)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid document ID"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-	ctx := context.Background()
-
-	var versionID uuid.UUID
-	err = h.db.Pool.QueryRow(ctx, `
-		INSERT INTO document_versions (document_id, version, language, title, content, summary, status, created_by)
-		VALUES ($1, $2, $3, $4, $5, $6, 'draft', $7)
-		RETURNING id
-	`, docID, req.Version, req.Language, req.Title, req.Content, req.Summary, userID).Scan(&versionID)
-
-	if err != nil {
-		// Check for unique constraint violation
-		errStr := err.Error()
-		if strings.Contains(errStr, "duplicate key") || strings.Contains(errStr, "unique constraint") {
-			c.JSON(http.StatusConflict, gin.H{"error": "Eine Version mit dieser Versionsnummer und Sprache existiert bereits für dieses Dokument"})
-			return
-		}
-		// Log the actual error for debugging
-		fmt.Printf("POST /api/v1/admin/versions ✗ %v\n", err)
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create version: " + errStr})
-		return
-	}
-
-	c.JSON(http.StatusCreated, gin.H{
-		"message": "Version created successfully",
-		"id":      versionID,
-	})
-}
-
-// AdminUpdateVersion updates a document version
-func (h *Handler) AdminUpdateVersion(c *gin.Context) {
-	versionID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
-		return
-	}
-
-	var req models.UpdateVersionRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	ctx := context.Background()
-
-	// Check if version is in draft or review status (only these can be edited)
-	var status string
-	err = h.db.Pool.QueryRow(ctx, `SELECT status FROM document_versions WHERE id = $1`, versionID).Scan(&status)
-	if err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
-		return
-	}
-
-	if status != "draft" && status != "review" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Only draft or review versions can be edited"})
-		return
-	}
-
-	result, err := h.db.Pool.Exec(ctx, `
-		UPDATE document_versions
-		SET title = COALESCE($2, title),
-		    content = COALESCE($3, content),
-		    summary = COALESCE($4, summary),
-		    status = COALESCE($5, status),
-		    updated_at = NOW()
-		WHERE id = $1
-	`, versionID, req.Title, req.Content, req.Summary, req.Status)
-
-	if err != nil || result.RowsAffected() == 0 {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to update version"})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Version updated successfully"})
-}
-
-// AdminPublishVersion publishes a document version
-func (h *Handler) AdminPublishVersion(c *gin.Context) {
-	versionID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-	ctx := context.Background()
-
-	// Check current status
-	var status string
-	err = h.db.Pool.QueryRow(ctx, `SELECT status FROM document_versions WHERE id = $1`, versionID).Scan(&status)
-	if err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
-		return
-	}
-
-	if status != "approved" && status != "review" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Only approved or review versions can be published"})
-		return
-	}
-
-	result, err := h.db.Pool.Exec(ctx, `
-		UPDATE document_versions
-		SET status = 'published',
-		    published_at = NOW(),
-		    approved_by = $2,
-		    updated_at = NOW()
-		WHERE id = $1
-	`, versionID, userID)
-
-	if err != nil || result.RowsAffected() == 0 {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to publish version"})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Version published successfully"})
-}
-
-// AdminArchiveVersion archives a document version
-func (h *Handler) AdminArchiveVersion(c *gin.Context) {
-	versionID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
-		return
-	}
-
-	ctx := context.Background()
-
-	result, err := h.db.Pool.Exec(ctx, `
-		UPDATE document_versions
-		SET status = 'archived', updated_at = NOW()
-		WHERE id = $1
-	`, versionID)
-
-	if err != nil || result.RowsAffected() == 0 {
-		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Version archived successfully"})
-}
-
-// AdminDeleteVersion permanently deletes a draft/rejected version
-// Only draft and rejected versions can be deleted. Published versions must be archived.
-func (h *Handler) AdminDeleteVersion(c *gin.Context) {
-	versionID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
-		return
-	}
-
-	ctx := context.Background()
-
-	// First check the version status - only draft/rejected can be deleted
-	var status string
-	var version string
-	var docID uuid.UUID
-	err = h.db.Pool.QueryRow(ctx, `
-		SELECT status, version, document_id FROM document_versions WHERE id = $1
-	`, versionID).Scan(&status, &version, &docID)
-
-	if err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
-		return
-	}
-
-	// Only allow deletion of draft and rejected versions
-	if status != "draft" && status != "rejected" {
-		c.JSON(http.StatusForbidden, gin.H{
-			"error":   "Cannot delete version",
-			"message": "Only draft or rejected versions can be deleted. Published versions must be archived instead.",
-			"status":  status,
-		})
-		return
-	}
-
-	// Delete the version
-	result, err := h.db.Pool.Exec(ctx, `
-		DELETE FROM document_versions WHERE id = $1
-	`, versionID)
-
-	if err != nil || result.RowsAffected() == 0 {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to delete version"})
-		return
-	}
-
-	// Log the deletion
-	userID, _ := c.Get("user_id")
-	h.db.Pool.Exec(ctx, `
-		INSERT INTO consent_audit_log (action, entity_type, entity_id, user_id, details, ip_address, user_agent)
-		VALUES ('version_deleted', 'document_version', $1, $2, $3, $4, $5)
-	`, versionID, userID, "Version "+version+" permanently deleted", c.ClientIP(), c.Request.UserAgent())
-
-	c.JSON(http.StatusOK, gin.H{
-		"message":          "Version deleted successfully",
-		"deleted_version":  version,
-		"version_id":       versionID,
-	})
-}
-
-// ========================================
-// ADMIN ENDPOINTS - Cookie Categories
-// ========================================
-
-// AdminGetCookieCategories returns all cookie categories
-func (h *Handler) AdminGetCookieCategories(c *gin.Context) {
-	ctx := context.Background()
-
-	rows, err := h.db.Pool.Query(ctx, `
-		SELECT id, name, display_name_de, display_name_en, description_de, description_en,
-		       is_mandatory, sort_order, is_active, created_at, updated_at
-		FROM cookie_categories
-		ORDER BY sort_order ASC
-	`)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch categories"})
-		return
-	}
-	defer rows.Close()
-
-	var categories []models.CookieCategory
-	for rows.Next() {
-		var cat models.CookieCategory
-		if err := rows.Scan(&cat.ID, &cat.Name, &cat.DisplayNameDE, &cat.DisplayNameEN,
-			&cat.DescriptionDE, &cat.DescriptionEN, &cat.IsMandatory, &cat.SortOrder,
-			&cat.IsActive, &cat.CreatedAt, &cat.UpdatedAt); err != nil {
-			continue
-		}
-		categories = append(categories, cat)
-	}
-
-	c.JSON(http.StatusOK, gin.H{"categories": categories})
-}
-
-// AdminCreateCookieCategory creates a new cookie category
-func (h *Handler) AdminCreateCookieCategory(c *gin.Context) {
-	var req models.CreateCookieCategoryRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	ctx := context.Background()
-
-	var catID uuid.UUID
-	err := h.db.Pool.QueryRow(ctx, `
-		INSERT INTO cookie_categories (name, display_name_de, display_name_en, description_de, description_en, is_mandatory, sort_order)
-		VALUES ($1, $2, $3, $4, $5, $6, $7)
-		RETURNING id
-	`, req.Name, req.DisplayNameDE, req.DisplayNameEN, req.DescriptionDE, req.DescriptionEN, req.IsMandatory, req.SortOrder).Scan(&catID)
-
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create category"})
-		return
-	}
-
-	c.JSON(http.StatusCreated, gin.H{
-		"message": "Cookie category created successfully",
-		"id":      catID,
-	})
-}
-
-// AdminUpdateCookieCategory updates a cookie category
-func (h *Handler) AdminUpdateCookieCategory(c *gin.Context) {
-	catID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid category ID"})
-		return
-	}
-
-	var req struct {
-		DisplayNameDE *string `json:"display_name_de"`
-		DisplayNameEN *string `json:"display_name_en"`
-		DescriptionDE *string `json:"description_de"`
-		DescriptionEN *string `json:"description_en"`
-		IsMandatory   *bool   `json:"is_mandatory"`
-		SortOrder     *int    `json:"sort_order"`
-		IsActive      *bool   `json:"is_active"`
-	}
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	ctx := context.Background()
-
-	result, err := h.db.Pool.Exec(ctx, `
-		UPDATE cookie_categories
-		SET display_name_de = COALESCE($2, display_name_de),
-		    display_name_en = COALESCE($3, display_name_en),
-		    description_de = COALESCE($4, description_de),
-		    description_en = COALESCE($5, description_en),
-		    is_mandatory = COALESCE($6, is_mandatory),
-		    sort_order = COALESCE($7, sort_order),
-		    is_active = COALESCE($8, is_active),
-		    updated_at = NOW()
-		WHERE id = $1
-	`, catID, req.DisplayNameDE, req.DisplayNameEN, req.DescriptionDE, req.DescriptionEN,
-		req.IsMandatory, req.SortOrder, req.IsActive)
-
-	if err != nil || result.RowsAffected() == 0 {
-		c.JSON(http.StatusNotFound, gin.H{"error": "Category not found"})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Cookie category updated successfully"})
-}
-
-// AdminDeleteCookieCategory soft-deletes a cookie category
-func (h *Handler) AdminDeleteCookieCategory(c *gin.Context) {
-	catID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid category ID"})
-		return
-	}
-
-	ctx := context.Background()
-
-	result, err := h.db.Pool.Exec(ctx, `
-		UPDATE cookie_categories
-		SET is_active = false, updated_at = NOW()
-		WHERE id = $1
-	`, catID)
-
-	if err != nil || result.RowsAffected() == 0 {
-		c.JSON(http.StatusNotFound, gin.H{"error": "Category not found"})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "Cookie category deleted successfully"})
-}
-
-// ========================================
-// ADMIN ENDPOINTS - Statistics & Audit
-// ========================================
-
-// GetConsentStats returns consent statistics
-func (h *Handler) GetConsentStats(c *gin.Context) {
-	ctx := context.Background()
-	docType := c.Query("document_type")
-
-	var stats models.ConsentStats
-
-	// Total users
-	h.db.Pool.QueryRow(ctx, `SELECT COUNT(*) FROM users`).Scan(&stats.TotalUsers)
-
-	// Consented users (with active consent)
-	query := `
-		SELECT COUNT(DISTINCT uc.user_id)
-		FROM user_consents uc
-		JOIN document_versions dv ON uc.document_version_id = dv.id
-		JOIN legal_documents ld ON dv.document_id = ld.id
-		WHERE uc.consented = true AND uc.withdrawn_at IS NULL
-	`
-	if docType != "" {
-		query += ` AND ld.type = $1`
-		h.db.Pool.QueryRow(ctx, query, docType).Scan(&stats.ConsentedUsers)
-	} else {
-		h.db.Pool.QueryRow(ctx, query).Scan(&stats.ConsentedUsers)
-	}
-
-	// Calculate consent rate
-	if stats.TotalUsers > 0 {
-		stats.ConsentRate = float64(stats.ConsentedUsers) / float64(stats.TotalUsers) * 100
-	}
-
-	// Recent consents (last 7 days)
-	h.db.Pool.QueryRow(ctx, `
-		SELECT COUNT(*) FROM user_consents
-		WHERE consented = true AND consented_at > NOW() - INTERVAL '7 days'
-	`).Scan(&stats.RecentConsents)
-
-	// Recent withdrawals
-	h.db.Pool.QueryRow(ctx, `
-		SELECT COUNT(*) FROM user_consents
-		WHERE withdrawn_at IS NOT NULL AND withdrawn_at > NOW() - INTERVAL '7 days'
-	`).Scan(&stats.RecentWithdrawals)
-
-	c.JSON(http.StatusOK, stats)
-}
-
-// GetCookieStats returns cookie consent statistics
-func (h *Handler) GetCookieStats(c *gin.Context) {
-	ctx := context.Background()
-
-	rows, err := h.db.Pool.Query(ctx, `
-		SELECT cat.name,
-		       COUNT(DISTINCT u.id) as total_users,
-		       COUNT(DISTINCT CASE WHEN cc.consented = true THEN cc.user_id END) as consented_users
-		FROM cookie_categories cat
-		CROSS JOIN users u
-		LEFT JOIN cookie_consents cc ON cat.id = cc.category_id AND u.id = cc.user_id
-		WHERE cat.is_active = true
-		GROUP BY cat.id, cat.name
-		ORDER BY cat.sort_order
-	`)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch stats"})
-		return
-	}
-	defer rows.Close()
-
-	var stats []models.CookieStats
-	for rows.Next() {
-		var s models.CookieStats
-		if err := rows.Scan(&s.Category, &s.TotalUsers, &s.ConsentedUsers); err != nil {
-			continue
-		}
-		if s.TotalUsers > 0 {
-			s.ConsentRate = float64(s.ConsentedUsers) / float64(s.TotalUsers) * 100
-		}
-		stats = append(stats, s)
-	}
-
-	c.JSON(http.StatusOK, gin.H{"cookie_stats": stats})
-}
-
-// GetAuditLog returns audit log entries
-func (h *Handler) GetAuditLog(c *gin.Context) {
-	ctx := context.Background()
-
-	// Pagination
-	limit := 50
-	offset := 0
-	if l := c.Query("limit"); l != "" {
-		if parsed, err := parseIntFromQuery(l); err == nil && parsed > 0 {
-			limit = parsed
-		}
-	}
-	if o := c.Query("offset"); o != "" {
-		if parsed, err := parseIntFromQuery(o); err == nil && parsed >= 0 {
-			offset = parsed
-		}
-	}
-
-	// Filters
-	userIDFilter := c.Query("user_id")
-	actionFilter := c.Query("action")
-
-	query := `
-		SELECT al.id, al.user_id, al.action, al.entity_type, al.entity_id, al.details,
-		       al.ip_address, al.user_agent, al.created_at, u.email
-		FROM consent_audit_log al
-		LEFT JOIN users u ON al.user_id = u.id
-		WHERE 1=1
-	`
-	args := []interface{}{}
-	argCount := 0
-
-	if userIDFilter != "" {
-		argCount++
-		query += fmt.Sprintf(" AND al.user_id = $%d", argCount)
-		args = append(args, userIDFilter)
-	}
-	if actionFilter != "" {
-		argCount++
-		query += fmt.Sprintf(" AND al.action = $%d", argCount)
-		args = append(args, actionFilter)
-	}
-
-	query += fmt.Sprintf(" ORDER BY al.created_at DESC LIMIT $%d OFFSET $%d", argCount+1, argCount+2)
-	args = append(args, limit, offset)
-
-	rows, err := h.db.Pool.Query(ctx, query, args...)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch audit log"})
-		return
-	}
-	defer rows.Close()
-
-	var logs []map[string]interface{}
-	for rows.Next() {
-		var (
-			id         uuid.UUID
-			userIDPtr  *uuid.UUID
-			action     string
-			entityType *string
-			entityID   *uuid.UUID
-			details    *string
-			ipAddress  *string
-			userAgent  *string
-			createdAt  time.Time
-			email      *string
-		)
-
-		if err := rows.Scan(&id, &userIDPtr, &action, &entityType, &entityID, &details,
-			&ipAddress, &userAgent, &createdAt, &email); err != nil {
-			continue
-		}
-
-		logs = append(logs, map[string]interface{}{
-			"id":          id,
-			"user_id":     userIDPtr,
-			"user_email":  email,
-			"action":      action,
-			"entity_type": entityType,
-			"entity_id":   entityID,
-			"details":     details,
-			"ip_address":  ipAddress,
-			"user_agent":  userAgent,
-			"created_at":  createdAt,
-		})
-	}
-
-	c.JSON(http.StatusOK, gin.H{"audit_log": logs})
-}
-
-// ========================================
-// ADMIN ENDPOINTS - Version Approval Workflow (DSB)
-// ========================================
-
-// AdminSubmitForReview submits a version for DSB review
-func (h *Handler) AdminSubmitForReview(c *gin.Context) {
-	versionID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-	ctx := context.Background()
-	ipAddress := middleware.GetClientIP(c)
-	userAgent := middleware.GetUserAgent(c)
-
-	// Check current status
-	var status string
-	err = h.db.Pool.QueryRow(ctx, `SELECT status FROM document_versions WHERE id = $1`, versionID).Scan(&status)
-	if err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
-		return
-	}
-
-	if status != "draft" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Only draft versions can be submitted for review"})
-		return
-	}
-
-	// Update status to review
-	_, err = h.db.Pool.Exec(ctx, `
-		UPDATE document_versions
-		SET status = 'review', updated_at = NOW()
-		WHERE id = $1
-	`, versionID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to submit for review"})
-		return
-	}
-
-	// Log approval action
-	_, err = h.db.Pool.Exec(ctx, `
-		INSERT INTO version_approvals (version_id, approver_id, action, comment)
-		VALUES ($1, $2, 'submitted', 'Submitted for DSB review')
-	`, versionID, userID)
-
-	h.logAudit(ctx, &userID, "version_submitted_review", "document_version", &versionID, nil, ipAddress, userAgent)
-
-	c.JSON(http.StatusOK, gin.H{"message": "Version submitted for review"})
-}
-
-// AdminApproveVersion approves a version with scheduled publish date (DSB only)
-func (h *Handler) AdminApproveVersion(c *gin.Context) {
-	versionID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
-		return
-	}
-
-	// Check if user is DSB or Admin (for dev purposes)
-	if !middleware.IsDSB(c) && !middleware.IsAdmin(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Only Data Protection Officers can approve versions"})
-		return
-	}
-
-	var req struct {
-		Comment            string  `json:"comment"`
-		ScheduledPublishAt *string `json:"scheduled_publish_at"` // ISO 8601: "2026-01-01T00:00:00Z"
-	}
-	c.ShouldBindJSON(&req)
-
-	// Validate scheduled publish date
-	var scheduledAt *time.Time
-	if req.ScheduledPublishAt != nil && *req.ScheduledPublishAt != "" {
-		parsed, err := time.Parse(time.RFC3339, *req.ScheduledPublishAt)
-		if err != nil {
-			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid scheduled_publish_at format. Use ISO 8601 (e.g., 2026-01-01T00:00:00Z)"})
-			return
-		}
-		if parsed.Before(time.Now()) {
-			c.JSON(http.StatusBadRequest, gin.H{"error": "Scheduled publish date must be in the future"})
-			return
-		}
-		scheduledAt = &parsed
-	}
-
-	userID, _ := middleware.GetUserID(c)
-	ctx := context.Background()
-	ipAddress := middleware.GetClientIP(c)
-	userAgent := middleware.GetUserAgent(c)
-
-	// Check current status
-	var status string
-	var createdBy *uuid.UUID
-	err = h.db.Pool.QueryRow(ctx, `SELECT status, created_by FROM document_versions WHERE id = $1`, versionID).Scan(&status, &createdBy)
-	if err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
-		return
-	}
-
-	if status != "review" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Only versions in review status can be approved"})
-		return
-	}
-
-	// Four-eyes principle: DSB cannot approve their own version
-	// Exception: Admins can approve their own versions for development/testing purposes
-	role, _ := c.Get("role")
-	roleStr, _ := role.(string)
-	if createdBy != nil && *createdBy == userID && roleStr != "admin" {
-		c.JSON(http.StatusForbidden, gin.H{"error": "You cannot approve your own version (four-eyes principle)"})
-		return
-	}
-
-	// Determine new status: 'scheduled' if date set, otherwise 'approved'
-	newStatus := "approved"
-	if scheduledAt != nil {
-		newStatus = "scheduled"
-	}
-
-	// Update status to approved/scheduled
-	_, err = h.db.Pool.Exec(ctx, `
-		UPDATE document_versions
-		SET status = $2, approved_by = $3, approved_at = NOW(), scheduled_publish_at = $4, updated_at = NOW()
-		WHERE id = $1
-	`, versionID, newStatus, userID, scheduledAt)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to approve version"})
-		return
-	}
-
-	// Log approval action
-	comment := req.Comment
-	if comment == "" {
-		if scheduledAt != nil {
-			comment = "Approved by DSB, scheduled for " + scheduledAt.Format("02.01.2006 15:04")
-		} else {
-			comment = "Approved by DSB"
-		}
-	}
-	_, err = h.db.Pool.Exec(ctx, `
-		INSERT INTO version_approvals (version_id, approver_id, action, comment)
-		VALUES ($1, $2, 'approved', $3)
-	`, versionID, userID, comment)
-
-	h.logAudit(ctx, &userID, "version_approved", "document_version", &versionID, &comment, ipAddress, userAgent)
-
-	response := gin.H{"message": "Version approved", "status": newStatus}
-	if scheduledAt != nil {
-		response["scheduled_publish_at"] = scheduledAt.Format(time.RFC3339)
-	}
-	c.JSON(http.StatusOK, response)
-}
-
-// AdminRejectVersion rejects a version (DSB only)
-func (h *Handler) AdminRejectVersion(c *gin.Context) {
-	versionID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
-		return
-	}
-
-	// Check if user is DSB
-	if !middleware.IsDSB(c) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Only Data Protection Officers can reject versions"})
-		return
-	}
-
-	var req struct {
-		Comment string `json:"comment" binding:"required"`
-	}
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Comment is required when rejecting"})
-		return
-	}
-
-	userID, _ := middleware.GetUserID(c)
-	ctx := context.Background()
-	ipAddress := middleware.GetClientIP(c)
-	userAgent := middleware.GetUserAgent(c)
-
-	// Check current status
-	var status string
-	err = h.db.Pool.QueryRow(ctx, `SELECT status FROM document_versions WHERE id = $1`, versionID).Scan(&status)
-	if err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
-		return
-	}
-
-	if status != "review" && status != "approved" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Only versions in review or approved status can be rejected"})
-		return
-	}
-
-	// Update status back to draft
-	_, err = h.db.Pool.Exec(ctx, `
-		UPDATE document_versions
-		SET status = 'draft', approved_by = NULL, updated_at = NOW()
-		WHERE id = $1
-	`, versionID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to reject version"})
-		return
-	}
-
-	// Log rejection
-	_, err = h.db.Pool.Exec(ctx, `
-		INSERT INTO version_approvals (version_id, approver_id, action, comment)
-		VALUES ($1, $2, 'rejected', $3)
-	`, versionID, userID, req.Comment)
-
-	h.logAudit(ctx, &userID, "version_rejected", "document_version", &versionID, &req.Comment, ipAddress, userAgent)
-
-	c.JSON(http.StatusOK, gin.H{"message": "Version rejected and returned to draft"})
-}
-
-// AdminCompareVersions returns two versions for side-by-side comparison
-func (h *Handler) AdminCompareVersions(c *gin.Context) {
-	versionID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
-		return
-	}
-
-	ctx := context.Background()
-
-	// Get the current version and its document
-	var currentVersion models.DocumentVersion
-	var documentID uuid.UUID
-	err = h.db.Pool.QueryRow(ctx, `
-		SELECT id, document_id, version, language, title, content, summary, status, created_at, updated_at
-		FROM document_versions
-		WHERE id = $1
-	`, versionID).Scan(&currentVersion.ID, &documentID, &currentVersion.Version, &currentVersion.Language,
-		&currentVersion.Title, &currentVersion.Content, &currentVersion.Summary, &currentVersion.Status,
-		&currentVersion.CreatedAt, &currentVersion.UpdatedAt)
-
-	if err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "Version not found"})
-		return
-	}
-
-	// Get the currently published version (if any)
-	var publishedVersion *models.DocumentVersion
-	var pv models.DocumentVersion
-	err = h.db.Pool.QueryRow(ctx, `
-		SELECT id, document_id, version, language, title, content, summary, status, published_at, created_at, updated_at
-		FROM document_versions
-		WHERE document_id = $1 AND language = $2 AND status = 'published'
-		ORDER BY published_at DESC
-		LIMIT 1
-	`, documentID, currentVersion.Language).Scan(&pv.ID, &pv.DocumentID, &pv.Version, &pv.Language,
-		&pv.Title, &pv.Content, &pv.Summary, &pv.Status, &pv.PublishedAt, &pv.CreatedAt, &pv.UpdatedAt)
-
-	if err == nil && pv.ID != currentVersion.ID {
-		publishedVersion = &pv
-	}
-
-	// Get approval history
-	rows, err := h.db.Pool.Query(ctx, `
-		SELECT va.action, va.comment, va.created_at, u.email
-		FROM version_approvals va
-		LEFT JOIN users u ON va.approver_id = u.id
-		WHERE va.version_id = $1
-		ORDER BY va.created_at DESC
-	`, versionID)
-
-	var approvalHistory []map[string]interface{}
-	if err == nil {
-		defer rows.Close()
-		for rows.Next() {
-			var action, email string
-			var comment *string
-			var createdAt time.Time
-			if err := rows.Scan(&action, &comment, &createdAt, &email); err == nil {
-				approvalHistory = append(approvalHistory, map[string]interface{}{
-					"action":     action,
-					"comment":    comment,
-					"created_at": createdAt,
-					"approver":   email,
-				})
-			}
-		}
-	}
-
-	c.JSON(http.StatusOK, gin.H{
-		"current_version":   currentVersion,
-		"published_version": publishedVersion,
-		"approval_history":  approvalHistory,
-	})
-}
-
-// AdminGetApprovalHistory returns the approval history for a version
-func (h *Handler) AdminGetApprovalHistory(c *gin.Context) {
-	versionID, err := uuid.Parse(c.Param("id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid version ID"})
-		return
-	}
-
-	ctx := context.Background()
-
-	rows, err := h.db.Pool.Query(ctx, `
-		SELECT va.id, va.action, va.comment, va.created_at, u.email, u.name
-		FROM version_approvals va
-		LEFT JOIN users u ON va.approver_id = u.id
-		WHERE va.version_id = $1
-		ORDER BY va.created_at DESC
-	`, versionID)
-
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch approval history"})
-		return
-	}
-	defer rows.Close()
-
-	var history []map[string]interface{}
-	for rows.Next() {
-		var id uuid.UUID
-		var action string
-		var comment *string
-		var createdAt time.Time
-		var email, name *string
-
-		if err := rows.Scan(&id, &action, &comment, &createdAt, &email, &name); err != nil {
-			continue
-		}
-
-		history = append(history, map[string]interface{}{
-			"id":         id,
-			"action":     action,
-			"comment":    comment,
-			"created_at": createdAt,
-			"approver":   email,
-			"name":       name,
-		})
-	}
-
-	c.JSON(http.StatusOK, gin.H{"approval_history": history})
-}
-
 // ========================================
 // HELPER FUNCTIONS
 // ========================================
@@ -1681,103 +32,3 @@ func (h *Handler) logAudit(ctx context.Context, userID *uuid.UUID, action, entit
 func parseIntFromQuery(s string) (int, error) {
 	return strconv.Atoi(s)
 }
-
-// ========================================
-// SCHEDULED PUBLISHING
-// ========================================
-
-// ProcessScheduledPublishing publishes all versions that are due
-// This should be called by a cron job or scheduler
-func (h *Handler) ProcessScheduledPublishing(c *gin.Context) {
-	ctx := context.Background()
-
-	// Find all scheduled versions that are due
-	rows, err := h.db.Pool.Query(ctx, `
-		SELECT id, document_id, version
-		FROM document_versions
-		WHERE status = 'scheduled'
-		  AND scheduled_publish_at IS NOT NULL
-		  AND scheduled_publish_at <= NOW()
-	`)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch scheduled versions"})
-		return
-	}
-	defer rows.Close()
-
-	var published []string
-	for rows.Next() {
-		var versionID, docID uuid.UUID
-		var version string
-		if err := rows.Scan(&versionID, &docID, &version); err != nil {
-			continue
-		}
-
-		// Publish this version
-		_, err := h.db.Pool.Exec(ctx, `
-			UPDATE document_versions
-			SET status = 'published', published_at = NOW(), updated_at = NOW()
-			WHERE id = $1
-		`, versionID)
-
-		if err == nil {
-			// Archive previous published versions for this document
-			h.db.Pool.Exec(ctx, `
-				UPDATE document_versions
-				SET status = 'archived', updated_at = NOW()
-				WHERE document_id = $1 AND id != $2 AND status = 'published'
-			`, docID, versionID)
-
-			// Log the publishing
-			details := fmt.Sprintf("Version %s automatically published by scheduler", version)
-			h.logAudit(ctx, nil, "version_scheduled_published", "document_version", &versionID, &details, "", "scheduler")
-
-			published = append(published, version)
-		}
-	}
-
-	c.JSON(http.StatusOK, gin.H{
-		"message":           "Scheduled publishing processed",
-		"published_count":   len(published),
-		"published_versions": published,
-	})
-}
-
-// GetScheduledVersions returns all versions scheduled for publishing
-func (h *Handler) GetScheduledVersions(c *gin.Context) {
-	ctx := context.Background()
-
-	rows, err := h.db.Pool.Query(ctx, `
-		SELECT dv.id, dv.document_id, dv.version, dv.title, dv.scheduled_publish_at, ld.name as document_name
-		FROM document_versions dv
-		JOIN legal_documents ld ON ld.id = dv.document_id
-		WHERE dv.status = 'scheduled'
-		  AND dv.scheduled_publish_at IS NOT NULL
-		ORDER BY dv.scheduled_publish_at ASC
-	`)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch scheduled versions"})
-		return
-	}
-	defer rows.Close()
-
-	type ScheduledVersion struct {
-		ID                 uuid.UUID  `json:"id"`
-		DocumentID         uuid.UUID  `json:"document_id"`
-		Version            string     `json:"version"`
-		Title              string     `json:"title"`
-		ScheduledPublishAt *time.Time `json:"scheduled_publish_at"`
-		DocumentName       string     `json:"document_name"`
-	}
-
-	var versions []ScheduledVersion
-	for rows.Next() {
-		var v ScheduledVersion
-		if err := rows.Scan(&v.ID, &v.DocumentID, &v.Version, &v.Title, &v.ScheduledPublishAt, &v.DocumentName); err != nil {
-			continue
-		}
-		versions = append(versions, v)
-	}
-
-	c.JSON(http.StatusOK, gin.H{"scheduled_versions": versions})
-}
diff --git a/consent-service/internal/handlers/oauth_2fa_handlers.go b/consent-service/internal/handlers/oauth_2fa_handlers.go
new file mode 100644
index 0000000..71d51cf
--- /dev/null
+++ b/consent-service/internal/handlers/oauth_2fa_handlers.go
@@ -0,0 +1,372 @@
+package handlers
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/breakpilot/consent-service/internal/middleware"
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/breakpilot/consent-service/internal/services"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// ========================================
+// 2FA (TOTP) Endpoints
+// ========================================
+
+// Setup2FA initiates 2FA setup
+// POST /auth/2fa/setup
+func (h *OAuthHandler) Setup2FA(c *gin.Context) {
+	userID, err := middleware.GetUserID(c)
+	if err != nil || userID == uuid.Nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
+		return
+	}
+
+	// Get user email
+	ctx := context.Background()
+	user, err := h.authService.GetUserByID(ctx, userID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get user"})
+		return
+	}
+
+	// Setup 2FA
+	response, err := h.totpService.Setup2FA(ctx, userID, user.Email)
+	if err != nil {
+		switch err {
+		case services.ErrTOTPAlreadyEnabled:
+			c.JSON(http.StatusConflict, gin.H{"error": "2FA is already enabled for this account"})
+		default:
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to setup 2FA"})
+		}
+		return
+	}
+
+	c.JSON(http.StatusOK, response)
+}
+
+// Verify2FASetup verifies the 2FA setup with a code
+// POST /auth/2fa/verify-setup
+func (h *OAuthHandler) Verify2FASetup(c *gin.Context) {
+	userID, err := middleware.GetUserID(c)
+	if err != nil || userID == uuid.Nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
+		return
+	}
+
+	var req models.Verify2FARequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	ctx := context.Background()
+	err = h.totpService.Verify2FASetup(ctx, userID, req.Code)
+	if err != nil {
+		switch err {
+		case services.ErrTOTPAlreadyEnabled:
+			c.JSON(http.StatusConflict, gin.H{"error": "2FA is already enabled"})
+		case services.ErrTOTPInvalidCode:
+			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid 2FA code"})
+		default:
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to verify 2FA setup"})
+		}
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "2FA enabled successfully"})
+}
+
+// Verify2FAChallenge verifies a 2FA challenge during login
+// POST /auth/2fa/verify
+func (h *OAuthHandler) Verify2FAChallenge(c *gin.Context) {
+	var req models.Verify2FAChallengeRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	ctx := context.Background()
+	var userID *uuid.UUID
+	var err error
+
+	if req.RecoveryCode != "" {
+		// Verify with recovery code
+		userID, err = h.totpService.VerifyChallengeWithRecoveryCode(ctx, req.ChallengeID, req.RecoveryCode)
+	} else {
+		// Verify with TOTP code
+		userID, err = h.totpService.VerifyChallenge(ctx, req.ChallengeID, req.Code)
+	}
+
+	if err != nil {
+		switch err {
+		case services.ErrTOTPChallengeExpired:
+			c.JSON(http.StatusGone, gin.H{"error": "2FA challenge has expired"})
+		case services.ErrTOTPInvalidCode:
+			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid 2FA code"})
+		case services.ErrRecoveryCodeInvalid:
+			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid recovery code"})
+		default:
+			c.JSON(http.StatusBadRequest, gin.H{"error": "2FA verification failed"})
+		}
+		return
+	}
+
+	// Get user and generate tokens
+	user, err := h.authService.GetUserByID(ctx, *userID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get user"})
+		return
+	}
+
+	// Generate access token
+	accessToken, err := h.authService.GenerateAccessToken(user)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to generate token"})
+		return
+	}
+
+	// Generate refresh token
+	refreshToken, refreshTokenHash, err := h.authService.GenerateRefreshToken()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to generate refresh token"})
+		return
+	}
+
+	// Store session
+	ipAddress := middleware.GetClientIP(c)
+	userAgent := middleware.GetUserAgent(c)
+
+	// We need direct DB access for this, or we need to add a method to AuthService
+	// For now, we'll return the tokens and let the caller handle session storage
+	c.JSON(http.StatusOK, gin.H{
+		"access_token":  accessToken,
+		"refresh_token": refreshToken,
+		"token_type":    "Bearer",
+		"expires_in":    3600,
+		"user": map[string]interface{}{
+			"id":    user.ID,
+			"email": user.Email,
+			"name":  user.Name,
+			"role":  user.Role,
+		},
+		"_session_hash": refreshTokenHash,
+		"_ip":           ipAddress,
+		"_user_agent":   userAgent,
+	})
+}
+
+// Disable2FA disables 2FA for the current user
+// POST /auth/2fa/disable
+func (h *OAuthHandler) Disable2FA(c *gin.Context) {
+	userID, err := middleware.GetUserID(c)
+	if err != nil || userID == uuid.Nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
+		return
+	}
+
+	var req models.Verify2FARequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	ctx := context.Background()
+	err = h.totpService.Disable2FA(ctx, userID, req.Code)
+	if err != nil {
+		switch err {
+		case services.ErrTOTPNotEnabled:
+			c.JSON(http.StatusNotFound, gin.H{"error": "2FA is not enabled"})
+		case services.ErrTOTPInvalidCode:
+			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid 2FA code"})
+		default:
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to disable 2FA"})
+		}
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "2FA disabled successfully"})
+}
+
+// Get2FAStatus returns the 2FA status for the current user
+// GET /auth/2fa/status
+func (h *OAuthHandler) Get2FAStatus(c *gin.Context) {
+	userID, err := middleware.GetUserID(c)
+	if err != nil || userID == uuid.Nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
+		return
+	}
+
+	ctx := context.Background()
+	status, err := h.totpService.GetStatus(ctx, userID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get 2FA status"})
+		return
+	}
+
+	c.JSON(http.StatusOK, status)
+}
+
+// RegenerateRecoveryCodes generates new recovery codes
+// POST /auth/2fa/recovery-codes
+func (h *OAuthHandler) RegenerateRecoveryCodes(c *gin.Context) {
+	userID, err := middleware.GetUserID(c)
+	if err != nil || userID == uuid.Nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
+		return
+	}
+
+	var req models.Verify2FARequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	ctx := context.Background()
+	codes, err := h.totpService.RegenerateRecoveryCodes(ctx, userID, req.Code)
+	if err != nil {
+		switch err {
+		case services.ErrTOTPNotEnabled:
+			c.JSON(http.StatusNotFound, gin.H{"error": "2FA is not enabled"})
+		case services.ErrTOTPInvalidCode:
+			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid 2FA code"})
+		default:
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to regenerate recovery codes"})
+		}
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"recovery_codes": codes})
+}
+
+// ========================================
+// Enhanced Login with 2FA
+// ========================================
+
+// LoginWith2FA handles login with optional 2FA
+// POST /auth/login
+func (h *OAuthHandler) LoginWith2FA(c *gin.Context) {
+	var req models.LoginRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	ctx := context.Background()
+	ipAddress := middleware.GetClientIP(c)
+	userAgent := middleware.GetUserAgent(c)
+
+	// Attempt login
+	response, err := h.authService.Login(ctx, &req, ipAddress, userAgent)
+	if err != nil {
+		switch err {
+		case services.ErrInvalidCredentials:
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid email or password"})
+		case services.ErrAccountLocked:
+			c.JSON(http.StatusForbidden, gin.H{"error": "Account is temporarily locked"})
+		case services.ErrAccountSuspended:
+			c.JSON(http.StatusForbidden, gin.H{"error": "Account is suspended"})
+		default:
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "Login failed"})
+		}
+		return
+	}
+
+	// Check if 2FA is enabled
+	twoFactorEnabled, _ := h.totpService.IsTwoFactorEnabled(ctx, response.User.ID)
+
+	if twoFactorEnabled {
+		// Create 2FA challenge
+		challengeID, err := h.totpService.CreateChallenge(ctx, response.User.ID, ipAddress, userAgent)
+		if err != nil {
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create 2FA challenge"})
+			return
+		}
+
+		// Return 2FA required response
+		c.JSON(http.StatusOK, gin.H{
+			"requires_2fa": true,
+			"challenge_id": challengeID,
+			"message":      "2FA verification required",
+		})
+		return
+	}
+
+	// No 2FA required, return tokens
+	c.JSON(http.StatusOK, gin.H{
+		"requires_2fa":  false,
+		"access_token":  response.AccessToken,
+		"refresh_token": response.RefreshToken,
+		"token_type":    "Bearer",
+		"expires_in":    response.ExpiresIn,
+		"user": map[string]interface{}{
+			"id":    response.User.ID,
+			"email": response.User.Email,
+			"name":  response.User.Name,
+			"role":  response.User.Role,
+		},
+	})
+}
+
+// ========================================
+// Registration with mandatory 2FA setup
+// ========================================
+
+// RegisterWith2FA handles registration with mandatory 2FA setup
+// POST /auth/register
+func (h *OAuthHandler) RegisterWith2FA(c *gin.Context) {
+	var req models.RegisterRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+
+	ctx := context.Background()
+
+	// Validate password strength
+	if len(req.Password) < 8 {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Password must be at least 8 characters"})
+		return
+	}
+
+	// Register user
+	user, verificationToken, err := h.authService.Register(ctx, &req)
+	if err != nil {
+		switch err {
+		case services.ErrUserExists:
+			c.JSON(http.StatusConflict, gin.H{"error": "A user with this email already exists"})
+		default:
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "Registration failed"})
+		}
+		return
+	}
+
+	// Setup 2FA immediately
+	twoFAResponse, err := h.totpService.Setup2FA(ctx, user.ID, user.Email)
+	if err != nil {
+		// Non-fatal - user can set up 2FA later, but log it
+		c.JSON(http.StatusCreated, gin.H{
+			"message":            "Registration successful. Please verify your email.",
+			"user_id":            user.ID,
+			"verification_token": verificationToken, // In production, this would be sent via email
+			"two_factor_setup":   nil,
+			"two_factor_error":   "Failed to initialize 2FA. Please set it up in your account settings.",
+		})
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{
+		"message":            "Registration successful. Please verify your email and complete 2FA setup.",
+		"user_id":            user.ID,
+		"verification_token": verificationToken, // In production, this would be sent via email
+		"two_factor_setup": map[string]interface{}{
+			"secret":         twoFAResponse.Secret,
+			"qr_code":        twoFAResponse.QRCodeDataURL,
+			"recovery_codes": twoFAResponse.RecoveryCodes,
+			"setup_required": true,
+			"setup_endpoint": "/auth/2fa/verify-setup",
+		},
+	})
+}
diff --git a/consent-service/internal/handlers/oauth_handlers.go b/consent-service/internal/handlers/oauth_handlers.go
index c796a9e..a79169b 100644
--- a/consent-service/internal/handlers/oauth_handlers.go
+++ b/consent-service/internal/handlers/oauth_handlers.go
@@ -6,7 +6,6 @@ import (
 	"strings"
 
 	"github.com/breakpilot/consent-service/internal/middleware"
-	"github.com/breakpilot/consent-service/internal/models"
 	"github.com/breakpilot/consent-service/internal/services"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
@@ -292,366 +291,6 @@ func (h *OAuthHandler) Introspect(c *gin.Context) {
 	})
 }
 
-// ========================================
-// 2FA (TOTP) Endpoints
-// ========================================
-
-// Setup2FA initiates 2FA setup
-// POST /auth/2fa/setup
-func (h *OAuthHandler) Setup2FA(c *gin.Context) {
-	userID, err := middleware.GetUserID(c)
-	if err != nil || userID == uuid.Nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
-		return
-	}
-
-	// Get user email
-	ctx := context.Background()
-	user, err := h.authService.GetUserByID(ctx, userID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get user"})
-		return
-	}
-
-	// Setup 2FA
-	response, err := h.totpService.Setup2FA(ctx, userID, user.Email)
-	if err != nil {
-		switch err {
-		case services.ErrTOTPAlreadyEnabled:
-			c.JSON(http.StatusConflict, gin.H{"error": "2FA is already enabled for this account"})
-		default:
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to setup 2FA"})
-		}
-		return
-	}
-
-	c.JSON(http.StatusOK, response)
-}
-
-// Verify2FASetup verifies the 2FA setup with a code
-// POST /auth/2fa/verify-setup
-func (h *OAuthHandler) Verify2FASetup(c *gin.Context) {
-	userID, err := middleware.GetUserID(c)
-	if err != nil || userID == uuid.Nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
-		return
-	}
-
-	var req models.Verify2FARequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	ctx := context.Background()
-	err = h.totpService.Verify2FASetup(ctx, userID, req.Code)
-	if err != nil {
-		switch err {
-		case services.ErrTOTPAlreadyEnabled:
-			c.JSON(http.StatusConflict, gin.H{"error": "2FA is already enabled"})
-		case services.ErrTOTPInvalidCode:
-			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid 2FA code"})
-		default:
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to verify 2FA setup"})
-		}
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "2FA enabled successfully"})
-}
-
-// Verify2FAChallenge verifies a 2FA challenge during login
-// POST /auth/2fa/verify
-func (h *OAuthHandler) Verify2FAChallenge(c *gin.Context) {
-	var req models.Verify2FAChallengeRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	ctx := context.Background()
-	var userID *uuid.UUID
-	var err error
-
-	if req.RecoveryCode != "" {
-		// Verify with recovery code
-		userID, err = h.totpService.VerifyChallengeWithRecoveryCode(ctx, req.ChallengeID, req.RecoveryCode)
-	} else {
-		// Verify with TOTP code
-		userID, err = h.totpService.VerifyChallenge(ctx, req.ChallengeID, req.Code)
-	}
-
-	if err != nil {
-		switch err {
-		case services.ErrTOTPChallengeExpired:
-			c.JSON(http.StatusGone, gin.H{"error": "2FA challenge has expired"})
-		case services.ErrTOTPInvalidCode:
-			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid 2FA code"})
-		case services.ErrRecoveryCodeInvalid:
-			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid recovery code"})
-		default:
-			c.JSON(http.StatusBadRequest, gin.H{"error": "2FA verification failed"})
-		}
-		return
-	}
-
-	// Get user and generate tokens
-	user, err := h.authService.GetUserByID(ctx, *userID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get user"})
-		return
-	}
-
-	// Generate access token
-	accessToken, err := h.authService.GenerateAccessToken(user)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to generate token"})
-		return
-	}
-
-	// Generate refresh token
-	refreshToken, refreshTokenHash, err := h.authService.GenerateRefreshToken()
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to generate refresh token"})
-		return
-	}
-
-	// Store session
-	ipAddress := middleware.GetClientIP(c)
-	userAgent := middleware.GetUserAgent(c)
-
-	// We need direct DB access for this, or we need to add a method to AuthService
-	// For now, we'll return the tokens and let the caller handle session storage
-	c.JSON(http.StatusOK, gin.H{
-		"access_token":  accessToken,
-		"refresh_token": refreshToken,
-		"token_type":    "Bearer",
-		"expires_in":    3600,
-		"user": map[string]interface{}{
-			"id":    user.ID,
-			"email": user.Email,
-			"name":  user.Name,
-			"role":  user.Role,
-		},
-		"_session_hash": refreshTokenHash,
-		"_ip":           ipAddress,
-		"_user_agent":   userAgent,
-	})
-}
-
-// Disable2FA disables 2FA for the current user
-// POST /auth/2fa/disable
-func (h *OAuthHandler) Disable2FA(c *gin.Context) {
-	userID, err := middleware.GetUserID(c)
-	if err != nil || userID == uuid.Nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
-		return
-	}
-
-	var req models.Verify2FARequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	ctx := context.Background()
-	err = h.totpService.Disable2FA(ctx, userID, req.Code)
-	if err != nil {
-		switch err {
-		case services.ErrTOTPNotEnabled:
-			c.JSON(http.StatusNotFound, gin.H{"error": "2FA is not enabled"})
-		case services.ErrTOTPInvalidCode:
-			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid 2FA code"})
-		default:
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to disable 2FA"})
-		}
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "2FA disabled successfully"})
-}
-
-// Get2FAStatus returns the 2FA status for the current user
-// GET /auth/2fa/status
-func (h *OAuthHandler) Get2FAStatus(c *gin.Context) {
-	userID, err := middleware.GetUserID(c)
-	if err != nil || userID == uuid.Nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
-		return
-	}
-
-	ctx := context.Background()
-	status, err := h.totpService.GetStatus(ctx, userID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get 2FA status"})
-		return
-	}
-
-	c.JSON(http.StatusOK, status)
-}
-
-// RegenerateRecoveryCodes generates new recovery codes
-// POST /auth/2fa/recovery-codes
-func (h *OAuthHandler) RegenerateRecoveryCodes(c *gin.Context) {
-	userID, err := middleware.GetUserID(c)
-	if err != nil || userID == uuid.Nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
-		return
-	}
-
-	var req models.Verify2FARequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	ctx := context.Background()
-	codes, err := h.totpService.RegenerateRecoveryCodes(ctx, userID, req.Code)
-	if err != nil {
-		switch err {
-		case services.ErrTOTPNotEnabled:
-			c.JSON(http.StatusNotFound, gin.H{"error": "2FA is not enabled"})
-		case services.ErrTOTPInvalidCode:
-			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid 2FA code"})
-		default:
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to regenerate recovery codes"})
-		}
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"recovery_codes": codes})
-}
-
-// ========================================
-// Enhanced Login with 2FA
-// ========================================
-
-// LoginWith2FA handles login with optional 2FA
-// POST /auth/login
-func (h *OAuthHandler) LoginWith2FA(c *gin.Context) {
-	var req models.LoginRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	ctx := context.Background()
-	ipAddress := middleware.GetClientIP(c)
-	userAgent := middleware.GetUserAgent(c)
-
-	// Attempt login
-	response, err := h.authService.Login(ctx, &req, ipAddress, userAgent)
-	if err != nil {
-		switch err {
-		case services.ErrInvalidCredentials:
-			c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid email or password"})
-		case services.ErrAccountLocked:
-			c.JSON(http.StatusForbidden, gin.H{"error": "Account is temporarily locked"})
-		case services.ErrAccountSuspended:
-			c.JSON(http.StatusForbidden, gin.H{"error": "Account is suspended"})
-		default:
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "Login failed"})
-		}
-		return
-	}
-
-	// Check if 2FA is enabled
-	twoFactorEnabled, _ := h.totpService.IsTwoFactorEnabled(ctx, response.User.ID)
-
-	if twoFactorEnabled {
-		// Create 2FA challenge
-		challengeID, err := h.totpService.CreateChallenge(ctx, response.User.ID, ipAddress, userAgent)
-		if err != nil {
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create 2FA challenge"})
-			return
-		}
-
-		// Return 2FA required response
-		c.JSON(http.StatusOK, gin.H{
-			"requires_2fa":  true,
-			"challenge_id":  challengeID,
-			"message":       "2FA verification required",
-		})
-		return
-	}
-
-	// No 2FA required, return tokens
-	c.JSON(http.StatusOK, gin.H{
-		"requires_2fa":  false,
-		"access_token":  response.AccessToken,
-		"refresh_token": response.RefreshToken,
-		"token_type":    "Bearer",
-		"expires_in":    response.ExpiresIn,
-		"user": map[string]interface{}{
-			"id":    response.User.ID,
-			"email": response.User.Email,
-			"name":  response.User.Name,
-			"role":  response.User.Role,
-		},
-	})
-}
-
-// ========================================
-// Registration with mandatory 2FA setup
-// ========================================
-
-// RegisterWith2FA handles registration with mandatory 2FA setup
-// POST /auth/register
-func (h *OAuthHandler) RegisterWith2FA(c *gin.Context) {
-	var req models.RegisterRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
-		return
-	}
-
-	ctx := context.Background()
-
-	// Validate password strength
-	if len(req.Password) < 8 {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "Password must be at least 8 characters"})
-		return
-	}
-
-	// Register user
-	user, verificationToken, err := h.authService.Register(ctx, &req)
-	if err != nil {
-		switch err {
-		case services.ErrUserExists:
-			c.JSON(http.StatusConflict, gin.H{"error": "A user with this email already exists"})
-		default:
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "Registration failed"})
-		}
-		return
-	}
-
-	// Setup 2FA immediately
-	twoFAResponse, err := h.totpService.Setup2FA(ctx, user.ID, user.Email)
-	if err != nil {
-		// Non-fatal - user can set up 2FA later, but log it
-		c.JSON(http.StatusCreated, gin.H{
-			"message":            "Registration successful. Please verify your email.",
-			"user_id":            user.ID,
-			"verification_token": verificationToken, // In production, this would be sent via email
-			"two_factor_setup":   nil,
-			"two_factor_error":   "Failed to initialize 2FA. Please set it up in your account settings.",
-		})
-		return
-	}
-
-	c.JSON(http.StatusCreated, gin.H{
-		"message":            "Registration successful. Please verify your email and complete 2FA setup.",
-		"user_id":            user.ID,
-		"verification_token": verificationToken, // In production, this would be sent via email
-		"two_factor_setup": map[string]interface{}{
-			"secret":          twoFAResponse.Secret,
-			"qr_code":         twoFAResponse.QRCodeDataURL,
-			"recovery_codes":  twoFAResponse.RecoveryCodes,
-			"setup_required":  true,
-			"setup_endpoint":  "/auth/2fa/verify-setup",
-		},
-	})
-}
-
 // ========================================
 // OAuth Client Management (Admin)
 // ========================================
diff --git a/consent-service/internal/handlers/school_attendance_handlers.go b/consent-service/internal/handlers/school_attendance_handlers.go
new file mode 100644
index 0000000..8de3da3
--- /dev/null
+++ b/consent-service/internal/handlers/school_attendance_handlers.go
@@ -0,0 +1,243 @@
+package handlers
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/models"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// ========================================
+// Attendance Handlers
+// ========================================
+
+// RecordAttendance records attendance for a student
+// POST /api/v1/attendance
+func (h *SchoolHandlers) RecordAttendance(c *gin.Context) {
+	userID, exists := c.Get("user_id")
+	if !exists {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "user not authenticated"})
+		return
+	}
+
+	var req models.RecordAttendanceRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	record, err := h.attendanceService.RecordAttendance(c.Request.Context(), req, userID.(uuid.UUID))
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusCreated, record)
+}
+
+// RecordBulkAttendance records attendance for multiple students
+// POST /api/v1/classes/:id/attendance
+func (h *SchoolHandlers) RecordBulkAttendance(c *gin.Context) {
+	userID, exists := c.Get("user_id")
+	if !exists {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "user not authenticated"})
+		return
+	}
+
+	classIDStr := c.Param("id")
+	classID, err := uuid.Parse(classIDStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid class ID"})
+		return
+	}
+
+	var req struct {
+		Date    string `json:"date" binding:"required"`
+		SlotID  string `json:"slot_id" binding:"required"`
+		Records []struct {
+			StudentID string  `json:"student_id"`
+			Status    string  `json:"status"`
+			Note      *string `json:"note"`
+		} `json:"records" binding:"required"`
+	}
+
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	slotID, err := uuid.Parse(req.SlotID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid slot ID"})
+		return
+	}
+
+	// Convert to the expected type (without JSON tags)
+	records := make([]struct {
+		StudentID string
+		Status    string
+		Note      *string
+	}, len(req.Records))
+	for i, r := range req.Records {
+		records[i] = struct {
+			StudentID string
+			Status    string
+			Note      *string
+		}{
+			StudentID: r.StudentID,
+			Status:    r.Status,
+			Note:      r.Note,
+		}
+	}
+
+	err = h.attendanceService.RecordBulkAttendance(c.Request.Context(), classID, req.Date, slotID, records, userID.(uuid.UUID))
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "attendance recorded"})
+}
+
+// GetClassAttendance gets attendance for a class on a specific date
+// GET /api/v1/classes/:id/attendance?date=...
+func (h *SchoolHandlers) GetClassAttendance(c *gin.Context) {
+	classIDStr := c.Param("id")
+	classID, err := uuid.Parse(classIDStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid class ID"})
+		return
+	}
+
+	date := c.Query("date")
+	if date == "" {
+		date = time.Now().Format("2006-01-02")
+	}
+
+	overview, err := h.attendanceService.GetAttendanceByClass(c.Request.Context(), classID, date)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, overview)
+}
+
+// GetStudentAttendance gets attendance history for a student
+// GET /api/v1/students/:id/attendance?start_date=...&end_date=...
+func (h *SchoolHandlers) GetStudentAttendance(c *gin.Context) {
+	studentIDStr := c.Param("id")
+	studentID, err := uuid.Parse(studentIDStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid student ID"})
+		return
+	}
+
+	startDateStr := c.Query("start_date")
+	endDateStr := c.Query("end_date")
+
+	var startDate, endDate time.Time
+	if startDateStr == "" {
+		startDate = time.Now().AddDate(0, -1, 0) // Last month
+	} else {
+		startDate, _ = time.Parse("2006-01-02", startDateStr)
+	}
+
+	if endDateStr == "" {
+		endDate = time.Now()
+	} else {
+		endDate, _ = time.Parse("2006-01-02", endDateStr)
+	}
+
+	records, err := h.attendanceService.GetStudentAttendance(c.Request.Context(), studentID, startDate, endDate)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, records)
+}
+
+// ========================================
+// Absence Report Handlers
+// ========================================
+
+// ReportAbsence allows parents to report absence
+// POST /api/v1/absence/report
+func (h *SchoolHandlers) ReportAbsence(c *gin.Context) {
+	userID, exists := c.Get("user_id")
+	if !exists {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "user not authenticated"})
+		return
+	}
+
+	var req models.ReportAbsenceRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	report, err := h.attendanceService.ReportAbsence(c.Request.Context(), req, userID.(uuid.UUID))
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusCreated, report)
+}
+
+// ConfirmAbsence allows teachers to confirm absence
+// PUT /api/v1/absence/:id/confirm
+func (h *SchoolHandlers) ConfirmAbsence(c *gin.Context) {
+	userID, exists := c.Get("user_id")
+	if !exists {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "user not authenticated"})
+		return
+	}
+
+	reportIDStr := c.Param("id")
+	reportID, err := uuid.Parse(reportIDStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid report ID"})
+		return
+	}
+
+	var req struct {
+		Status string `json:"status" binding:"required"` // "excused" or "unexcused"
+	}
+
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	err = h.attendanceService.ConfirmAbsence(c.Request.Context(), reportID, userID.(uuid.UUID), req.Status)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "absence confirmed"})
+}
+
+// GetPendingAbsenceReports gets pending absence reports for a class
+// GET /api/v1/classes/:id/absence/pending
+func (h *SchoolHandlers) GetPendingAbsenceReports(c *gin.Context) {
+	classIDStr := c.Param("id")
+	classID, err := uuid.Parse(classIDStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid class ID"})
+		return
+	}
+
+	reports, err := h.attendanceService.GetPendingAbsenceReports(c.Request.Context(), classID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, reports)
+}
diff --git a/consent-service/internal/handlers/school_grade_handlers.go b/consent-service/internal/handlers/school_grade_handlers.go
new file mode 100644
index 0000000..8579474
--- /dev/null
+++ b/consent-service/internal/handlers/school_grade_handlers.go
@@ -0,0 +1,303 @@
+package handlers
+
+import (
+	"net/http"
+
+	"github.com/breakpilot/consent-service/internal/models"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// ========================================
+// Grade Handlers
+// ========================================
+
+// CreateGrade creates a new grade
+// POST /api/v1/grades
+func (h *SchoolHandlers) CreateGrade(c *gin.Context) {
+	userID, exists := c.Get("user_id")
+	if !exists {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "user not authenticated"})
+		return
+	}
+
+	var req models.CreateGradeRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	// Get teacher ID from user ID
+	teacher, err := h.schoolService.GetTeacherByUserID(c.Request.Context(), userID.(uuid.UUID))
+	if err != nil {
+		c.JSON(http.StatusForbidden, gin.H{"error": "user is not a teacher"})
+		return
+	}
+
+	grade, err := h.gradeService.CreateGrade(c.Request.Context(), req, teacher.ID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusCreated, grade)
+}
+
+// GetStudentGrades gets all grades for a student
+// GET /api/v1/students/:id/grades?school_year_id=...
+func (h *SchoolHandlers) GetStudentGrades(c *gin.Context) {
+	studentIDStr := c.Param("id")
+	studentID, err := uuid.Parse(studentIDStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid student ID"})
+		return
+	}
+
+	schoolYearIDStr := c.Query("school_year_id")
+	if schoolYearIDStr == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "school_year_id is required"})
+		return
+	}
+
+	schoolYearID, err := uuid.Parse(schoolYearIDStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid school year ID"})
+		return
+	}
+
+	grades, err := h.gradeService.GetStudentGrades(c.Request.Context(), studentID, schoolYearID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, grades)
+}
+
+// GetClassGrades gets grades for all students in a class for a subject (Notenspiegel)
+// GET /api/v1/classes/:id/grades/:subjectId?school_year_id=...&semester=...
+func (h *SchoolHandlers) GetClassGrades(c *gin.Context) {
+	classIDStr := c.Param("id")
+	classID, err := uuid.Parse(classIDStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid class ID"})
+		return
+	}
+
+	subjectIDStr := c.Param("subjectId")
+	subjectID, err := uuid.Parse(subjectIDStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid subject ID"})
+		return
+	}
+
+	schoolYearIDStr := c.Query("school_year_id")
+	if schoolYearIDStr == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "school_year_id is required"})
+		return
+	}
+
+	schoolYearID, err := uuid.Parse(schoolYearIDStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid school year ID"})
+		return
+	}
+
+	semesterStr := c.DefaultQuery("semester", "1")
+	var semester int
+	if semesterStr == "1" {
+		semester = 1
+	} else {
+		semester = 2
+	}
+
+	overviews, err := h.gradeService.GetClassGradesBySubject(c.Request.Context(), classID, subjectID, schoolYearID, semester)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, overviews)
+}
+
+// GetGradeStatistics gets grade statistics for a class/subject
+// GET /api/v1/classes/:id/grades/:subjectId/stats?school_year_id=...&semester=...
+func (h *SchoolHandlers) GetGradeStatistics(c *gin.Context) {
+	classIDStr := c.Param("id")
+	classID, err := uuid.Parse(classIDStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid class ID"})
+		return
+	}
+
+	subjectIDStr := c.Param("subjectId")
+	subjectID, err := uuid.Parse(subjectIDStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid subject ID"})
+		return
+	}
+
+	schoolYearIDStr := c.Query("school_year_id")
+	if schoolYearIDStr == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "school_year_id is required"})
+		return
+	}
+
+	schoolYearID, err := uuid.Parse(schoolYearIDStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid school year ID"})
+		return
+	}
+
+	semesterStr := c.DefaultQuery("semester", "1")
+	var semester int
+	if semesterStr == "1" {
+		semester = 1
+	} else {
+		semester = 2
+	}
+
+	stats, err := h.gradeService.GetSubjectGradeStatistics(c.Request.Context(), classID, subjectID, schoolYearID, semester)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, stats)
+}
+
+// ========================================
+// Parent Onboarding Handlers
+// ========================================
+
+// GenerateOnboardingToken generates a QR code token for parent onboarding
+// POST /api/v1/onboarding/tokens
+func (h *SchoolHandlers) GenerateOnboardingToken(c *gin.Context) {
+	userID, exists := c.Get("user_id")
+	if !exists {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "user not authenticated"})
+		return
+	}
+
+	var req struct {
+		SchoolID  string `json:"school_id" binding:"required"`
+		ClassID   string `json:"class_id" binding:"required"`
+		StudentID string `json:"student_id" binding:"required"`
+		Role      string `json:"role"` // "parent" or "parent_representative"
+	}
+
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	schoolID, err := uuid.Parse(req.SchoolID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid school ID"})
+		return
+	}
+
+	classID, err := uuid.Parse(req.ClassID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid class ID"})
+		return
+	}
+
+	studentID, err := uuid.Parse(req.StudentID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid student ID"})
+		return
+	}
+
+	role := req.Role
+	if role == "" {
+		role = "parent"
+	}
+
+	token, err := h.schoolService.GenerateParentOnboardingToken(c.Request.Context(), schoolID, classID, studentID, userID.(uuid.UUID), role)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	// Generate QR code URL
+	qrURL := "/onboard-parent?token=" + token.Token
+
+	c.JSON(http.StatusCreated, gin.H{
+		"token":      token.Token,
+		"qr_url":     qrURL,
+		"expires_at": token.ExpiresAt,
+	})
+}
+
+// ValidateOnboardingToken validates an onboarding token
+// GET /api/v1/onboarding/validate?token=...
+func (h *SchoolHandlers) ValidateOnboardingToken(c *gin.Context) {
+	token := c.Query("token")
+	if token == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "token is required"})
+		return
+	}
+
+	onboardingToken, err := h.schoolService.ValidateOnboardingToken(c.Request.Context(), token)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "invalid or expired token"})
+		return
+	}
+
+	// Get student and school info
+	student, err := h.schoolService.GetStudent(c.Request.Context(), onboardingToken.StudentID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	class, err := h.schoolService.GetClass(c.Request.Context(), onboardingToken.ClassID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	school, err := h.schoolService.GetSchool(c.Request.Context(), onboardingToken.SchoolID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"valid":        true,
+		"role":         onboardingToken.Role,
+		"student_name": student.FirstName + " " + student.LastName,
+		"class_name":   class.Name,
+		"school_name":  school.Name,
+		"expires_at":   onboardingToken.ExpiresAt,
+	})
+}
+
+// RedeemOnboardingToken redeems a token and creates parent account
+// POST /api/v1/onboarding/redeem
+func (h *SchoolHandlers) RedeemOnboardingToken(c *gin.Context) {
+	userID, exists := c.Get("user_id")
+	if !exists {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "user not authenticated"})
+		return
+	}
+
+	var req struct {
+		Token string `json:"token" binding:"required"`
+	}
+
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	err := h.schoolService.RedeemOnboardingToken(c.Request.Context(), req.Token, userID.(uuid.UUID))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "token redeemed successfully"})
+}
diff --git a/consent-service/internal/handlers/school_handlers.go b/consent-service/internal/handlers/school_handlers.go
index aa52167..1d9b198 100644
--- a/consent-service/internal/handlers/school_handlers.go
+++ b/consent-service/internal/handlers/school_handlers.go
@@ -355,531 +355,6 @@ func (h *SchoolHandlers) ListSubjects(c *gin.Context) {
 	c.JSON(http.StatusOK, subjects)
 }
 
-// ========================================
-// Attendance Handlers
-// ========================================
-
-// RecordAttendance records attendance for a student
-// POST /api/v1/attendance
-func (h *SchoolHandlers) RecordAttendance(c *gin.Context) {
-	userID, exists := c.Get("user_id")
-	if !exists {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "user not authenticated"})
-		return
-	}
-
-	var req models.RecordAttendanceRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	record, err := h.attendanceService.RecordAttendance(c.Request.Context(), req, userID.(uuid.UUID))
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusCreated, record)
-}
-
-// RecordBulkAttendance records attendance for multiple students
-// POST /api/v1/classes/:id/attendance
-func (h *SchoolHandlers) RecordBulkAttendance(c *gin.Context) {
-	userID, exists := c.Get("user_id")
-	if !exists {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "user not authenticated"})
-		return
-	}
-
-	classIDStr := c.Param("id")
-	classID, err := uuid.Parse(classIDStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid class ID"})
-		return
-	}
-
-	var req struct {
-		Date    string `json:"date" binding:"required"`
-		SlotID  string `json:"slot_id" binding:"required"`
-		Records []struct {
-			StudentID string  `json:"student_id"`
-			Status    string  `json:"status"`
-			Note      *string `json:"note"`
-		} `json:"records" binding:"required"`
-	}
-
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	slotID, err := uuid.Parse(req.SlotID)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid slot ID"})
-		return
-	}
-
-	// Convert to the expected type (without JSON tags)
-	records := make([]struct {
-		StudentID string
-		Status    string
-		Note      *string
-	}, len(req.Records))
-	for i, r := range req.Records {
-		records[i] = struct {
-			StudentID string
-			Status    string
-			Note      *string
-		}{
-			StudentID: r.StudentID,
-			Status:    r.Status,
-			Note:      r.Note,
-		}
-	}
-
-	err = h.attendanceService.RecordBulkAttendance(c.Request.Context(), classID, req.Date, slotID, records, userID.(uuid.UUID))
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "attendance recorded"})
-}
-
-// GetClassAttendance gets attendance for a class on a specific date
-// GET /api/v1/classes/:id/attendance?date=...
-func (h *SchoolHandlers) GetClassAttendance(c *gin.Context) {
-	classIDStr := c.Param("id")
-	classID, err := uuid.Parse(classIDStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid class ID"})
-		return
-	}
-
-	date := c.Query("date")
-	if date == "" {
-		date = time.Now().Format("2006-01-02")
-	}
-
-	overview, err := h.attendanceService.GetAttendanceByClass(c.Request.Context(), classID, date)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, overview)
-}
-
-// GetStudentAttendance gets attendance history for a student
-// GET /api/v1/students/:id/attendance?start_date=...&end_date=...
-func (h *SchoolHandlers) GetStudentAttendance(c *gin.Context) {
-	studentIDStr := c.Param("id")
-	studentID, err := uuid.Parse(studentIDStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid student ID"})
-		return
-	}
-
-	startDateStr := c.Query("start_date")
-	endDateStr := c.Query("end_date")
-
-	var startDate, endDate time.Time
-	if startDateStr == "" {
-		startDate = time.Now().AddDate(0, -1, 0) // Last month
-	} else {
-		startDate, _ = time.Parse("2006-01-02", startDateStr)
-	}
-
-	if endDateStr == "" {
-		endDate = time.Now()
-	} else {
-		endDate, _ = time.Parse("2006-01-02", endDateStr)
-	}
-
-	records, err := h.attendanceService.GetStudentAttendance(c.Request.Context(), studentID, startDate, endDate)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, records)
-}
-
-// ========================================
-// Absence Report Handlers
-// ========================================
-
-// ReportAbsence allows parents to report absence
-// POST /api/v1/absence/report
-func (h *SchoolHandlers) ReportAbsence(c *gin.Context) {
-	userID, exists := c.Get("user_id")
-	if !exists {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "user not authenticated"})
-		return
-	}
-
-	var req models.ReportAbsenceRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	report, err := h.attendanceService.ReportAbsence(c.Request.Context(), req, userID.(uuid.UUID))
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusCreated, report)
-}
-
-// ConfirmAbsence allows teachers to confirm absence
-// PUT /api/v1/absence/:id/confirm
-func (h *SchoolHandlers) ConfirmAbsence(c *gin.Context) {
-	userID, exists := c.Get("user_id")
-	if !exists {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "user not authenticated"})
-		return
-	}
-
-	reportIDStr := c.Param("id")
-	reportID, err := uuid.Parse(reportIDStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid report ID"})
-		return
-	}
-
-	var req struct {
-		Status string `json:"status" binding:"required"` // "excused" or "unexcused"
-	}
-
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	err = h.attendanceService.ConfirmAbsence(c.Request.Context(), reportID, userID.(uuid.UUID), req.Status)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "absence confirmed"})
-}
-
-// GetPendingAbsenceReports gets pending absence reports for a class
-// GET /api/v1/classes/:id/absence/pending
-func (h *SchoolHandlers) GetPendingAbsenceReports(c *gin.Context) {
-	classIDStr := c.Param("id")
-	classID, err := uuid.Parse(classIDStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid class ID"})
-		return
-	}
-
-	reports, err := h.attendanceService.GetPendingAbsenceReports(c.Request.Context(), classID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, reports)
-}
-
-// ========================================
-// Grade Handlers
-// ========================================
-
-// CreateGrade creates a new grade
-// POST /api/v1/grades
-func (h *SchoolHandlers) CreateGrade(c *gin.Context) {
-	userID, exists := c.Get("user_id")
-	if !exists {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "user not authenticated"})
-		return
-	}
-
-	var req models.CreateGradeRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	// Get teacher ID from user ID
-	teacher, err := h.schoolService.GetTeacherByUserID(c.Request.Context(), userID.(uuid.UUID))
-	if err != nil {
-		c.JSON(http.StatusForbidden, gin.H{"error": "user is not a teacher"})
-		return
-	}
-
-	grade, err := h.gradeService.CreateGrade(c.Request.Context(), req, teacher.ID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusCreated, grade)
-}
-
-// GetStudentGrades gets all grades for a student
-// GET /api/v1/students/:id/grades?school_year_id=...
-func (h *SchoolHandlers) GetStudentGrades(c *gin.Context) {
-	studentIDStr := c.Param("id")
-	studentID, err := uuid.Parse(studentIDStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid student ID"})
-		return
-	}
-
-	schoolYearIDStr := c.Query("school_year_id")
-	if schoolYearIDStr == "" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "school_year_id is required"})
-		return
-	}
-
-	schoolYearID, err := uuid.Parse(schoolYearIDStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid school year ID"})
-		return
-	}
-
-	grades, err := h.gradeService.GetStudentGrades(c.Request.Context(), studentID, schoolYearID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, grades)
-}
-
-// GetClassGrades gets grades for all students in a class for a subject (Notenspiegel)
-// GET /api/v1/classes/:id/grades/:subjectId?school_year_id=...&semester=...
-func (h *SchoolHandlers) GetClassGrades(c *gin.Context) {
-	classIDStr := c.Param("id")
-	classID, err := uuid.Parse(classIDStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid class ID"})
-		return
-	}
-
-	subjectIDStr := c.Param("subjectId")
-	subjectID, err := uuid.Parse(subjectIDStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid subject ID"})
-		return
-	}
-
-	schoolYearIDStr := c.Query("school_year_id")
-	if schoolYearIDStr == "" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "school_year_id is required"})
-		return
-	}
-
-	schoolYearID, err := uuid.Parse(schoolYearIDStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid school year ID"})
-		return
-	}
-
-	semesterStr := c.DefaultQuery("semester", "1")
-	var semester int
-	if semesterStr == "1" {
-		semester = 1
-	} else {
-		semester = 2
-	}
-
-	overviews, err := h.gradeService.GetClassGradesBySubject(c.Request.Context(), classID, subjectID, schoolYearID, semester)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, overviews)
-}
-
-// GetGradeStatistics gets grade statistics for a class/subject
-// GET /api/v1/classes/:id/grades/:subjectId/stats?school_year_id=...&semester=...
-func (h *SchoolHandlers) GetGradeStatistics(c *gin.Context) {
-	classIDStr := c.Param("id")
-	classID, err := uuid.Parse(classIDStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid class ID"})
-		return
-	}
-
-	subjectIDStr := c.Param("subjectId")
-	subjectID, err := uuid.Parse(subjectIDStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid subject ID"})
-		return
-	}
-
-	schoolYearIDStr := c.Query("school_year_id")
-	if schoolYearIDStr == "" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "school_year_id is required"})
-		return
-	}
-
-	schoolYearID, err := uuid.Parse(schoolYearIDStr)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid school year ID"})
-		return
-	}
-
-	semesterStr := c.DefaultQuery("semester", "1")
-	var semester int
-	if semesterStr == "1" {
-		semester = 1
-	} else {
-		semester = 2
-	}
-
-	stats, err := h.gradeService.GetSubjectGradeStatistics(c.Request.Context(), classID, subjectID, schoolYearID, semester)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, stats)
-}
-
-// ========================================
-// Parent Onboarding Handlers
-// ========================================
-
-// GenerateOnboardingToken generates a QR code token for parent onboarding
-// POST /api/v1/onboarding/tokens
-func (h *SchoolHandlers) GenerateOnboardingToken(c *gin.Context) {
-	userID, exists := c.Get("user_id")
-	if !exists {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "user not authenticated"})
-		return
-	}
-
-	var req struct {
-		SchoolID  string `json:"school_id" binding:"required"`
-		ClassID   string `json:"class_id" binding:"required"`
-		StudentID string `json:"student_id" binding:"required"`
-		Role      string `json:"role"` // "parent" or "parent_representative"
-	}
-
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	schoolID, err := uuid.Parse(req.SchoolID)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid school ID"})
-		return
-	}
-
-	classID, err := uuid.Parse(req.ClassID)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid class ID"})
-		return
-	}
-
-	studentID, err := uuid.Parse(req.StudentID)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid student ID"})
-		return
-	}
-
-	role := req.Role
-	if role == "" {
-		role = "parent"
-	}
-
-	token, err := h.schoolService.GenerateParentOnboardingToken(c.Request.Context(), schoolID, classID, studentID, userID.(uuid.UUID), role)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	// Generate QR code URL
-	qrURL := "/onboard-parent?token=" + token.Token
-
-	c.JSON(http.StatusCreated, gin.H{
-		"token":      token.Token,
-		"qr_url":     qrURL,
-		"expires_at": token.ExpiresAt,
-	})
-}
-
-// ValidateOnboardingToken validates an onboarding token
-// GET /api/v1/onboarding/validate?token=...
-func (h *SchoolHandlers) ValidateOnboardingToken(c *gin.Context) {
-	token := c.Query("token")
-	if token == "" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "token is required"})
-		return
-	}
-
-	onboardingToken, err := h.schoolService.ValidateOnboardingToken(c.Request.Context(), token)
-	if err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "invalid or expired token"})
-		return
-	}
-
-	// Get student and school info
-	student, err := h.schoolService.GetStudent(c.Request.Context(), onboardingToken.StudentID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	class, err := h.schoolService.GetClass(c.Request.Context(), onboardingToken.ClassID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	school, err := h.schoolService.GetSchool(c.Request.Context(), onboardingToken.SchoolID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{
-		"valid":        true,
-		"role":         onboardingToken.Role,
-		"student_name": student.FirstName + " " + student.LastName,
-		"class_name":   class.Name,
-		"school_name":  school.Name,
-		"expires_at":   onboardingToken.ExpiresAt,
-	})
-}
-
-// RedeemOnboardingToken redeems a token and creates parent account
-// POST /api/v1/onboarding/redeem
-func (h *SchoolHandlers) RedeemOnboardingToken(c *gin.Context) {
-	userID, exists := c.Get("user_id")
-	if !exists {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "user not authenticated"})
-		return
-	}
-
-	var req struct {
-		Token string `json:"token" binding:"required"`
-	}
-
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	err := h.schoolService.RedeemOnboardingToken(c.Request.Context(), req.Token, userID.(uuid.UUID))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "token redeemed successfully"})
-}
-
 // ========================================
 // Register Routes
 // ========================================
diff --git a/consent-service/internal/models/consent.go b/consent-service/internal/models/consent.go
new file mode 100644
index 0000000..bdfe165
--- /dev/null
+++ b/consent-service/internal/models/consent.go
@@ -0,0 +1,237 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// LegalDocument represents a type of legal document (e.g., Terms, Privacy Policy)
+type LegalDocument struct {
+	ID          uuid.UUID `json:"id" db:"id"`
+	Type        string    `json:"type" db:"type"` // 'terms', 'privacy', 'cookies', 'community'
+	Name        string    `json:"name" db:"name"`
+	Description *string   `json:"description" db:"description"`
+	IsMandatory bool      `json:"is_mandatory" db:"is_mandatory"`
+	IsActive    bool      `json:"is_active" db:"is_active"`
+	SortOrder   int       `json:"sort_order" db:"sort_order"`
+	CreatedAt   time.Time `json:"created_at" db:"created_at"`
+	UpdatedAt   time.Time `json:"updated_at" db:"updated_at"`
+}
+
+// DocumentVersion represents a specific version of a legal document
+type DocumentVersion struct {
+	ID                 uuid.UUID  `json:"id" db:"id"`
+	DocumentID         uuid.UUID  `json:"document_id" db:"document_id"`
+	Version            string     `json:"version" db:"version"` // Semver: 1.0.0, 1.1.0
+	Language           string     `json:"language" db:"language"` // ISO 639-1: de, en
+	Title              string     `json:"title" db:"title"`
+	Content            string     `json:"content" db:"content"` // HTML or Markdown
+	Summary            *string    `json:"summary" db:"summary"` // Summary of changes
+	Status             string     `json:"status" db:"status"`   // 'draft', 'review', 'approved', 'scheduled', 'published', 'archived'
+	PublishedAt        *time.Time `json:"published_at" db:"published_at"`
+	ScheduledPublishAt *time.Time `json:"scheduled_publish_at" db:"scheduled_publish_at"`
+	CreatedBy          *uuid.UUID `json:"created_by" db:"created_by"`
+	ApprovedBy         *uuid.UUID `json:"approved_by" db:"approved_by"`
+	ApprovedAt         *time.Time `json:"approved_at" db:"approved_at"`
+	CreatedAt          time.Time  `json:"created_at" db:"created_at"`
+	UpdatedAt          time.Time  `json:"updated_at" db:"updated_at"`
+}
+
+// UserConsent represents a user's consent to a document version
+type UserConsent struct {
+	ID                uuid.UUID  `json:"id" db:"id"`
+	UserID            uuid.UUID  `json:"user_id" db:"user_id"`
+	DocumentVersionID uuid.UUID  `json:"document_version_id" db:"document_version_id"`
+	Consented         bool       `json:"consented" db:"consented"`
+	IPAddress         *string    `json:"ip_address" db:"ip_address"`
+	UserAgent         *string    `json:"user_agent" db:"user_agent"`
+	ConsentedAt       time.Time  `json:"consented_at" db:"consented_at"`
+	WithdrawnAt       *time.Time `json:"withdrawn_at" db:"withdrawn_at"`
+}
+
+// AuditLog represents an audit trail entry for GDPR compliance
+type AuditLog struct {
+	ID         uuid.UUID  `json:"id" db:"id"`
+	UserID     *uuid.UUID `json:"user_id" db:"user_id"`
+	Action     string     `json:"action" db:"action"` // 'consent_given', 'consent_withdrawn', 'data_export', 'data_delete'
+	EntityType *string    `json:"entity_type" db:"entity_type"` // 'document', 'cookie_category'
+	EntityID   *uuid.UUID `json:"entity_id" db:"entity_id"`
+	Details    *string    `json:"details" db:"details"` // JSON string
+	IPAddress  *string    `json:"ip_address" db:"ip_address"`
+	UserAgent  *string    `json:"user_agent" db:"user_agent"`
+	CreatedAt  time.Time  `json:"created_at" db:"created_at"`
+}
+
+// DataExportRequest represents a user's request to export their data
+type DataExportRequest struct {
+	ID          uuid.UUID  `json:"id" db:"id"`
+	UserID      uuid.UUID  `json:"user_id" db:"user_id"`
+	Status      string     `json:"status" db:"status"` // 'pending', 'processing', 'completed', 'failed'
+	DownloadURL *string    `json:"download_url" db:"download_url"`
+	ExpiresAt   *time.Time `json:"expires_at" db:"expires_at"`
+	CreatedAt   time.Time  `json:"created_at" db:"created_at"`
+	CompletedAt *time.Time `json:"completed_at" db:"completed_at"`
+}
+
+// DataDeletionRequest represents a user's request to delete their data
+type DataDeletionRequest struct {
+	ID          uuid.UUID  `json:"id" db:"id"`
+	UserID      uuid.UUID  `json:"user_id" db:"user_id"`
+	Status      string     `json:"status" db:"status"` // 'pending', 'processing', 'completed', 'failed'
+	Reason      *string    `json:"reason" db:"reason"`
+	CreatedAt   time.Time  `json:"created_at" db:"created_at"`
+	ProcessedAt *time.Time `json:"processed_at" db:"processed_at"`
+	ProcessedBy *uuid.UUID `json:"processed_by" db:"processed_by"`
+}
+
+// VersionApproval tracks the approval workflow
+type VersionApproval struct {
+	ID         uuid.UUID `json:"id" db:"id"`
+	VersionID  uuid.UUID `json:"version_id" db:"version_id"`
+	ApproverID uuid.UUID `json:"approver_id" db:"approver_id"`
+	Action     string    `json:"action" db:"action"` // 'submitted_for_review', 'approved', 'rejected', 'published'
+	Comment    *string   `json:"comment,omitempty" db:"comment"`
+	CreatedAt  time.Time `json:"created_at" db:"created_at"`
+}
+
+// ConsentDeadline tracks consent deadlines per user
+type ConsentDeadline struct {
+	ID                uuid.UUID  `json:"id" db:"id"`
+	UserID            uuid.UUID  `json:"user_id" db:"user_id"`
+	DocumentVersionID uuid.UUID  `json:"document_version_id" db:"document_version_id"`
+	DeadlineAt        time.Time  `json:"deadline_at" db:"deadline_at"`
+	ReminderCount     int        `json:"reminder_count" db:"reminder_count"`
+	LastReminderAt    *time.Time `json:"last_reminder_at,omitempty" db:"last_reminder_at"`
+	ConsentGivenAt    *time.Time `json:"consent_given_at,omitempty" db:"consent_given_at"`
+	CreatedAt         time.Time  `json:"created_at" db:"created_at"`
+}
+
+// AccountSuspension tracks account suspensions
+type AccountSuspension struct {
+	ID           uuid.UUID  `json:"id" db:"id"`
+	UserID       uuid.UUID  `json:"user_id" db:"user_id"`
+	Reason       string     `json:"reason" db:"reason"` // 'consent_deadline_exceeded'
+	Details      *string    `json:"details,omitempty" db:"details"` // JSON
+	SuspendedAt  time.Time  `json:"suspended_at" db:"suspended_at"`
+	LiftedAt     *time.Time `json:"lifted_at,omitempty" db:"lifted_at"`
+	LiftedReason *string    `json:"lifted_reason,omitempty" db:"lifted_reason"`
+}
+
+// ========================================
+// Consent DTOs
+// ========================================
+
+// CreateConsentRequest is the request body for creating a consent
+type CreateConsentRequest struct {
+	DocumentType string `json:"document_type" binding:"required"`
+	VersionID    string `json:"version_id" binding:"required"`
+	Consented    bool   `json:"consented"`
+}
+
+// ConsentCheckResponse is the response for checking consent status
+type ConsentCheckResponse struct {
+	HasConsent       bool       `json:"has_consent"`
+	CurrentVersionID *string    `json:"current_version_id,omitempty"`
+	ConsentedVersion *string    `json:"consented_version,omitempty"`
+	NeedsUpdate      bool       `json:"needs_update"`
+	ConsentedAt      *time.Time `json:"consented_at,omitempty"`
+}
+
+// DocumentWithVersion combines document info with its latest published version
+type DocumentWithVersion struct {
+	Document      LegalDocument    `json:"document"`
+	LatestVersion *DocumentVersion `json:"latest_version,omitempty"`
+}
+
+// ConsentHistory represents a user's consent history for a document
+type ConsentHistory struct {
+	Document LegalDocument   `json:"document"`
+	Version  DocumentVersion `json:"version"`
+	Consent  UserConsent     `json:"consent"`
+}
+
+// ConsentStats represents statistics about consents
+type ConsentStats struct {
+	TotalUsers        int     `json:"total_users"`
+	ConsentedUsers    int     `json:"consented_users"`
+	ConsentRate       float64 `json:"consent_rate"`
+	RecentConsents    int     `json:"recent_consents"` // Last 7 days
+	RecentWithdrawals int     `json:"recent_withdrawals"`
+}
+
+// MyDataResponse represents all data we have about a user
+type MyDataResponse struct {
+	User           User             `json:"user"`
+	Consents       []ConsentHistory `json:"consents"`
+	CookieConsents []CookieConsent  `json:"cookie_consents"`
+	AuditLog       []AuditLog       `json:"audit_log"`
+	ExportedAt     time.Time        `json:"exported_at"`
+}
+
+// CreateDocumentRequest is the request body for creating a document
+type CreateDocumentRequest struct {
+	Type        string  `json:"type" binding:"required"`
+	Name        string  `json:"name" binding:"required"`
+	Description *string `json:"description"`
+	IsMandatory bool    `json:"is_mandatory"`
+}
+
+// CreateVersionRequest is the request body for creating a document version
+type CreateVersionRequest struct {
+	DocumentID string  `json:"document_id" binding:"required"`
+	Version    string  `json:"version" binding:"required"`
+	Language   string  `json:"language" binding:"required"`
+	Title      string  `json:"title" binding:"required"`
+	Content    string  `json:"content" binding:"required"`
+	Summary    *string `json:"summary"`
+}
+
+// UpdateVersionRequest is the request body for updating a version
+type UpdateVersionRequest struct {
+	Title   *string `json:"title"`
+	Content *string `json:"content"`
+	Summary *string `json:"summary"`
+	Status  *string `json:"status"`
+}
+
+// SubmitForReviewRequest for submitting a version for review
+type SubmitForReviewRequest struct {
+	Comment *string `json:"comment"`
+}
+
+// ApproveVersionRequest for approving a version (DSB)
+type ApproveVersionRequest struct {
+	Comment            *string `json:"comment"`
+	ScheduledPublishAt *string `json:"scheduled_publish_at"` // ISO 8601 datetime for scheduled publishing
+}
+
+// RejectVersionRequest for rejecting a version
+type RejectVersionRequest struct {
+	Comment string `json:"comment" binding:"required"`
+}
+
+// VersionCompareResponse for comparing versions
+type VersionCompareResponse struct {
+	Published *DocumentVersion  `json:"published,omitempty"`
+	Draft     *DocumentVersion  `json:"draft"`
+	Diff      *string           `json:"diff,omitempty"`
+	Approvals []VersionApproval `json:"approvals"`
+}
+
+// PendingConsentResponse for pending consents with deadline info
+type PendingConsentResponse struct {
+	Document   LegalDocument   `json:"document"`
+	Version    DocumentVersion `json:"version"`
+	DeadlineAt time.Time       `json:"deadline_at"`
+	DaysLeft   int             `json:"days_left"`
+	IsOverdue  bool            `json:"is_overdue"`
+}
+
+// AccountStatusResponse for account status check
+type AccountStatusResponse struct {
+	Status           string                   `json:"status"` // 'active', 'suspended'
+	PendingConsents  []PendingConsentResponse `json:"pending_consents,omitempty"`
+	SuspensionReason *string                  `json:"suspension_reason,omitempty"`
+	CanAccess        bool                     `json:"can_access"`
+}
diff --git a/consent-service/internal/models/cookies_notifications.go b/consent-service/internal/models/cookies_notifications.go
new file mode 100644
index 0000000..c45e71b
--- /dev/null
+++ b/consent-service/internal/models/cookies_notifications.go
@@ -0,0 +1,118 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// CookieCategory represents a category of cookies
+type CookieCategory struct {
+	ID            uuid.UUID `json:"id" db:"id"`
+	Name          string    `json:"name" db:"name"` // 'necessary', 'functional', 'analytics', 'marketing'
+	DisplayNameDE string    `json:"display_name_de" db:"display_name_de"`
+	DisplayNameEN *string   `json:"display_name_en" db:"display_name_en"`
+	DescriptionDE *string   `json:"description_de" db:"description_de"`
+	DescriptionEN *string   `json:"description_en" db:"description_en"`
+	IsMandatory   bool      `json:"is_mandatory" db:"is_mandatory"`
+	SortOrder     int       `json:"sort_order" db:"sort_order"`
+	IsActive      bool      `json:"is_active" db:"is_active"`
+	CreatedAt     time.Time `json:"created_at" db:"created_at"`
+	UpdatedAt     time.Time `json:"updated_at" db:"updated_at"`
+}
+
+// CookieConsent represents a user's cookie preferences
+type CookieConsent struct {
+	ID          uuid.UUID `json:"id" db:"id"`
+	UserID      uuid.UUID `json:"user_id" db:"user_id"`
+	CategoryID  uuid.UUID `json:"category_id" db:"category_id"`
+	Consented   bool      `json:"consented" db:"consented"`
+	ConsentedAt time.Time `json:"consented_at" db:"consented_at"`
+	UpdatedAt   time.Time `json:"updated_at" db:"updated_at"`
+}
+
+// CookieConsentRequest is the request body for setting cookie preferences
+type CookieConsentRequest struct {
+	Categories []CookieCategoryConsent `json:"categories" binding:"required"`
+}
+
+// CookieCategoryConsent represents consent for a single cookie category
+type CookieCategoryConsent struct {
+	CategoryID string `json:"category_id" binding:"required"`
+	Consented  bool   `json:"consented"`
+}
+
+// CookieStats represents statistics about cookie consents
+type CookieStats struct {
+	Category       string  `json:"category"`
+	TotalUsers     int     `json:"total_users"`
+	ConsentedUsers int     `json:"consented_users"`
+	ConsentRate    float64 `json:"consent_rate"`
+}
+
+// CreateCookieCategoryRequest is the request body for creating a cookie category
+type CreateCookieCategoryRequest struct {
+	Name          string  `json:"name" binding:"required"`
+	DisplayNameDE string  `json:"display_name_de" binding:"required"`
+	DisplayNameEN *string `json:"display_name_en"`
+	DescriptionDE *string `json:"description_de"`
+	DescriptionEN *string `json:"description_en"`
+	IsMandatory   bool    `json:"is_mandatory"`
+	SortOrder     int     `json:"sort_order"`
+}
+
+// ========================================
+// Notification Models
+// ========================================
+
+// Notification represents a user notification
+type Notification struct {
+	ID        uuid.UUID  `json:"id" db:"id"`
+	UserID    uuid.UUID  `json:"user_id" db:"user_id"`
+	Type      string     `json:"type" db:"type"`       // 'new_version', 'consent_reminder', 'account_warning'
+	Channel   string     `json:"channel" db:"channel"` // 'email', 'in_app', 'push'
+	Title     string     `json:"title" db:"title"`
+	Body      string     `json:"body" db:"body"`
+	Data      *string    `json:"data,omitempty" db:"data"` // JSON string
+	ReadAt    *time.Time `json:"read_at,omitempty" db:"read_at"`
+	SentAt    *time.Time `json:"sent_at,omitempty" db:"sent_at"`
+	CreatedAt time.Time  `json:"created_at" db:"created_at"`
+}
+
+// PushSubscription for Web Push notifications
+type PushSubscription struct {
+	ID        uuid.UUID `json:"id" db:"id"`
+	UserID    uuid.UUID `json:"user_id" db:"user_id"`
+	Endpoint  string    `json:"endpoint" db:"endpoint"`
+	P256dh    string    `json:"p256dh" db:"p256dh"`
+	Auth      string    `json:"auth" db:"auth"`
+	UserAgent *string   `json:"user_agent,omitempty" db:"user_agent"`
+	CreatedAt time.Time `json:"created_at" db:"created_at"`
+}
+
+// NotificationPreferences for user notification settings
+type NotificationPreferences struct {
+	ID                uuid.UUID `json:"id" db:"id"`
+	UserID            uuid.UUID `json:"user_id" db:"user_id"`
+	EmailEnabled      bool      `json:"email_enabled" db:"email_enabled"`
+	PushEnabled       bool      `json:"push_enabled" db:"push_enabled"`
+	InAppEnabled      bool      `json:"in_app_enabled" db:"in_app_enabled"`
+	ReminderFrequency string    `json:"reminder_frequency" db:"reminder_frequency"` // 'daily', 'weekly', 'never'
+	CreatedAt         time.Time `json:"created_at" db:"created_at"`
+	UpdatedAt         time.Time `json:"updated_at" db:"updated_at"`
+}
+
+// SubscribePushRequest for subscribing to push notifications
+type SubscribePushRequest struct {
+	Endpoint string `json:"endpoint" binding:"required"`
+	P256dh   string `json:"p256dh" binding:"required"`
+	Auth     string `json:"auth" binding:"required"`
+}
+
+// UpdateNotificationPreferencesRequest for updating preferences
+type UpdateNotificationPreferencesRequest struct {
+	EmailEnabled      *bool   `json:"email_enabled"`
+	PushEnabled       *bool   `json:"push_enabled"`
+	InAppEnabled      *bool   `json:"in_app_enabled"`
+	ReminderFrequency *string `json:"reminder_frequency"`
+}
diff --git a/consent-service/internal/models/dsr.go b/consent-service/internal/models/dsr.go
new file mode 100644
index 0000000..4d3ecc9
--- /dev/null
+++ b/consent-service/internal/models/dsr.go
@@ -0,0 +1,403 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// ========================================
+// DSGVO Betroffenenanfragen (DSR)
+// Data Subject Request Management
+// Art. 15, 16, 17, 18, 20 DSGVO
+// ========================================
+
+// DSRRequestType defines the GDPR article for the request
+type DSRRequestType string
+
+const (
+	DSRTypeAccess       DSRRequestType = "access"       // Art. 15 - Auskunftsrecht
+	DSRTypeRectification DSRRequestType = "rectification" // Art. 16 - Berichtigungsrecht
+	DSRTypeErasure      DSRRequestType = "erasure"       // Art. 17 - Löschungsrecht
+	DSRTypeRestriction  DSRRequestType = "restriction"   // Art. 18 - Einschränkungsrecht
+	DSRTypePortability  DSRRequestType = "portability"   // Art. 20 - Datenübertragbarkeit
+)
+
+// DSRStatus defines the workflow state of a DSR
+type DSRStatus string
+
+const (
+	DSRStatusIntake               DSRStatus = "intake"                // Eingegangen
+	DSRStatusIdentityVerification DSRStatus = "identity_verification" // Identitätsprüfung
+	DSRStatusProcessing           DSRStatus = "processing"            // In Bearbeitung
+	DSRStatusCompleted            DSRStatus = "completed"             // Abgeschlossen
+	DSRStatusRejected             DSRStatus = "rejected"              // Abgelehnt
+	DSRStatusCancelled            DSRStatus = "cancelled"             // Storniert
+)
+
+// DSRPriority defines the priority level of a DSR
+type DSRPriority string
+
+const (
+	DSRPriorityNormal   DSRPriority = "normal"
+	DSRPriorityExpedited DSRPriority = "expedited" // Art. 16, 17, 18 - beschleunigt
+	DSRPriorityUrgent   DSRPriority = "urgent"
+)
+
+// DSRSource defines where the request came from
+type DSRSource string
+
+const (
+	DSRSourceAPI        DSRSource = "api"         // Über API/Self-Service
+	DSRSourceAdminPanel DSRSource = "admin_panel" // Manuell im Admin
+	DSRSourceEmail      DSRSource = "email"       // Per E-Mail
+	DSRSourcePostal     DSRSource = "postal"      // Per Post
+)
+
+// Art. 17(3) Exception Types
+const (
+	DSRExceptionFreedomExpression = "freedom_expression" // Art. 17(3)(a)
+	DSRExceptionLegalObligation   = "legal_obligation"   // Art. 17(3)(b)
+	DSRExceptionPublicInterest    = "public_interest"    // Art. 17(3)(c)
+	DSRExceptionPublicHealth      = "public_health"      // Art. 17(3)(c)
+	DSRExceptionArchiving         = "archiving"          // Art. 17(3)(d)
+	DSRExceptionLegalClaims       = "legal_claims"       // Art. 17(3)(e)
+)
+
+// DataSubjectRequest represents a GDPR data subject request
+type DataSubjectRequest struct {
+	ID                         uuid.UUID              `json:"id" db:"id"`
+	UserID                     *uuid.UUID             `json:"user_id,omitempty" db:"user_id"`
+	RequestNumber              string                 `json:"request_number" db:"request_number"`
+	RequestType                DSRRequestType         `json:"request_type" db:"request_type"`
+	Status                     DSRStatus              `json:"status" db:"status"`
+	Priority                   DSRPriority            `json:"priority" db:"priority"`
+	Source                     DSRSource              `json:"source" db:"source"`
+	RequesterEmail             string                 `json:"requester_email" db:"requester_email"`
+	RequesterName              *string                `json:"requester_name,omitempty" db:"requester_name"`
+	RequesterPhone             *string                `json:"requester_phone,omitempty" db:"requester_phone"`
+	IdentityVerified           bool                   `json:"identity_verified" db:"identity_verified"`
+	IdentityVerifiedAt         *time.Time             `json:"identity_verified_at,omitempty" db:"identity_verified_at"`
+	IdentityVerifiedBy         *uuid.UUID             `json:"identity_verified_by,omitempty" db:"identity_verified_by"`
+	IdentityVerificationMethod *string                `json:"identity_verification_method,omitempty" db:"identity_verification_method"`
+	RequestDetails             map[string]interface{} `json:"request_details" db:"request_details"`
+	DeadlineAt                 time.Time              `json:"deadline_at" db:"deadline_at"`
+	LegalDeadlineDays          int                    `json:"legal_deadline_days" db:"legal_deadline_days"`
+	ExtendedDeadlineAt         *time.Time             `json:"extended_deadline_at,omitempty" db:"extended_deadline_at"`
+	ExtensionReason            *string                `json:"extension_reason,omitempty" db:"extension_reason"`
+	AssignedTo                 *uuid.UUID             `json:"assigned_to,omitempty" db:"assigned_to"`
+	ProcessingNotes            *string                `json:"processing_notes,omitempty" db:"processing_notes"`
+	CompletedAt                *time.Time             `json:"completed_at,omitempty" db:"completed_at"`
+	CompletedBy                *uuid.UUID             `json:"completed_by,omitempty" db:"completed_by"`
+	ResultSummary              *string                `json:"result_summary,omitempty" db:"result_summary"`
+	ResultData                 map[string]interface{} `json:"result_data,omitempty" db:"result_data"`
+	RejectedAt                 *time.Time             `json:"rejected_at,omitempty" db:"rejected_at"`
+	RejectedBy                 *uuid.UUID             `json:"rejected_by,omitempty" db:"rejected_by"`
+	RejectionReason            *string                `json:"rejection_reason,omitempty" db:"rejection_reason"`
+	RejectionLegalBasis        *string                `json:"rejection_legal_basis,omitempty" db:"rejection_legal_basis"`
+	CreatedAt                  time.Time              `json:"created_at" db:"created_at"`
+	UpdatedAt                  time.Time              `json:"updated_at" db:"updated_at"`
+	CreatedBy                  *uuid.UUID             `json:"created_by,omitempty" db:"created_by"`
+}
+
+// DSRStatusHistory tracks status changes for audit trail
+type DSRStatusHistory struct {
+	ID         uuid.UUID              `json:"id" db:"id"`
+	RequestID  uuid.UUID              `json:"request_id" db:"request_id"`
+	FromStatus *DSRStatus             `json:"from_status,omitempty" db:"from_status"`
+	ToStatus   DSRStatus              `json:"to_status" db:"to_status"`
+	ChangedBy  *uuid.UUID             `json:"changed_by,omitempty" db:"changed_by"`
+	Comment    *string                `json:"comment,omitempty" db:"comment"`
+	Metadata   map[string]interface{} `json:"metadata,omitempty" db:"metadata"`
+	CreatedAt  time.Time              `json:"created_at" db:"created_at"`
+}
+
+// DSRCommunication tracks all communications related to a DSR
+type DSRCommunication struct {
+	ID                uuid.UUID                `json:"id" db:"id"`
+	RequestID         uuid.UUID                `json:"request_id" db:"request_id"`
+	Direction         string                   `json:"direction" db:"direction"`
+	Channel           string                   `json:"channel" db:"channel"`
+	CommunicationType string                   `json:"communication_type" db:"communication_type"`
+	TemplateVersionID *uuid.UUID               `json:"template_version_id,omitempty" db:"template_version_id"`
+	Subject           *string                  `json:"subject,omitempty" db:"subject"`
+	BodyHTML          *string                  `json:"body_html,omitempty" db:"body_html"`
+	BodyText          *string                  `json:"body_text,omitempty" db:"body_text"`
+	RecipientEmail    *string                  `json:"recipient_email,omitempty" db:"recipient_email"`
+	SentAt            *time.Time               `json:"sent_at,omitempty" db:"sent_at"`
+	ErrorMessage      *string                  `json:"error_message,omitempty" db:"error_message"`
+	Attachments       []map[string]interface{} `json:"attachments,omitempty" db:"attachments"`
+	CreatedAt         time.Time                `json:"created_at" db:"created_at"`
+	CreatedBy         *uuid.UUID               `json:"created_by,omitempty" db:"created_by"`
+}
+
+// DSRTemplate represents a template type for DSR communications
+type DSRTemplate struct {
+	ID           uuid.UUID `json:"id" db:"id"`
+	TemplateType string    `json:"template_type" db:"template_type"`
+	Name         string    `json:"name" db:"name"`
+	Description  *string   `json:"description,omitempty" db:"description"`
+	RequestTypes []string  `json:"request_types" db:"request_types"`
+	IsActive     bool      `json:"is_active" db:"is_active"`
+	SortOrder    int       `json:"sort_order" db:"sort_order"`
+	CreatedAt    time.Time `json:"created_at" db:"created_at"`
+	UpdatedAt    time.Time `json:"updated_at" db:"updated_at"`
+}
+
+// DSRTemplateVersion represents a versioned template for DSR communications
+type DSRTemplateVersion struct {
+	ID          uuid.UUID  `json:"id" db:"id"`
+	TemplateID  uuid.UUID  `json:"template_id" db:"template_id"`
+	Version     string     `json:"version" db:"version"`
+	Language    string     `json:"language" db:"language"`
+	Subject     string     `json:"subject" db:"subject"`
+	BodyHTML    string     `json:"body_html" db:"body_html"`
+	BodyText    string     `json:"body_text" db:"body_text"`
+	Status      string     `json:"status" db:"status"`
+	PublishedAt *time.Time `json:"published_at,omitempty" db:"published_at"`
+	CreatedBy   *uuid.UUID `json:"created_by,omitempty" db:"created_by"`
+	ApprovedBy  *uuid.UUID `json:"approved_by,omitempty" db:"approved_by"`
+	ApprovedAt  *time.Time `json:"approved_at,omitempty" db:"approved_at"`
+	CreatedAt   time.Time  `json:"created_at" db:"created_at"`
+	UpdatedAt   time.Time  `json:"updated_at" db:"updated_at"`
+}
+
+// DSRExceptionCheck tracks Art. 17(3) exception evaluations for erasure requests
+type DSRExceptionCheck struct {
+	ID            uuid.UUID  `json:"id" db:"id"`
+	RequestID     uuid.UUID  `json:"request_id" db:"request_id"`
+	ExceptionType string     `json:"exception_type" db:"exception_type"`
+	Description   string     `json:"description" db:"description"`
+	Applies       *bool      `json:"applies,omitempty" db:"applies"`
+	CheckedBy     *uuid.UUID `json:"checked_by,omitempty" db:"checked_by"`
+	CheckedAt     *time.Time `json:"checked_at,omitempty" db:"checked_at"`
+	Notes         *string    `json:"notes,omitempty" db:"notes"`
+	CreatedAt     time.Time  `json:"created_at" db:"created_at"`
+}
+
+// ========================================
+// DSR DTOs
+// ========================================
+
+// CreateDSRRequest for creating a new data subject request
+type CreateDSRRequest struct {
+	RequestType    string                 `json:"request_type" binding:"required"`
+	RequesterEmail string                 `json:"requester_email" binding:"required,email"`
+	RequesterName  *string                `json:"requester_name"`
+	RequesterPhone *string                `json:"requester_phone"`
+	Source         string                 `json:"source"`
+	RequestDetails map[string]interface{} `json:"request_details"`
+	Priority       string                 `json:"priority"`
+}
+
+// UpdateDSRRequest for updating a DSR
+type UpdateDSRRequest struct {
+	Status          *string                `json:"status"`
+	AssignedTo      *string                `json:"assigned_to"`
+	ProcessingNotes *string                `json:"processing_notes"`
+	ExtendDeadline  *bool                  `json:"extend_deadline"`
+	ExtensionReason *string                `json:"extension_reason"`
+	RequestDetails  map[string]interface{} `json:"request_details"`
+	Priority        *string                `json:"priority"`
+}
+
+// VerifyDSRIdentityRequest for verifying identity of requester
+type VerifyDSRIdentityRequest struct {
+	Method  string  `json:"method" binding:"required"`
+	Comment *string `json:"comment"`
+}
+
+// CompleteDSRRequest for completing a DSR
+type CompleteDSRRequest struct {
+	ResultSummary string                 `json:"result_summary" binding:"required"`
+	ResultData    map[string]interface{} `json:"result_data"`
+}
+
+// RejectDSRRequest for rejecting a DSR
+type RejectDSRRequest struct {
+	Reason     string `json:"reason" binding:"required"`
+	LegalBasis string `json:"legal_basis" binding:"required"`
+}
+
+// ExtendDSRDeadlineRequest for extending a DSR deadline
+type ExtendDSRDeadlineRequest struct {
+	Reason string `json:"reason" binding:"required"`
+	Days   int    `json:"days"`
+}
+
+// AssignDSRRequest for assigning a DSR to a handler
+type AssignDSRRequest struct {
+	AssigneeID string  `json:"assignee_id" binding:"required"`
+	Comment    *string `json:"comment"`
+}
+
+// SendDSRCommunicationRequest for sending a communication
+type SendDSRCommunicationRequest struct {
+	CommunicationType string            `json:"communication_type" binding:"required"`
+	TemplateVersionID *string           `json:"template_version_id"`
+	CustomSubject     *string           `json:"custom_subject"`
+	CustomBody        *string           `json:"custom_body"`
+	Variables         map[string]string `json:"variables"`
+}
+
+// UpdateDSRExceptionCheckRequest for updating an exception check
+type UpdateDSRExceptionCheckRequest struct {
+	Applies bool    `json:"applies"`
+	Notes   *string `json:"notes"`
+}
+
+// DSRListFilters for filtering DSR list
+type DSRListFilters struct {
+	Status      *string    `form:"status"`
+	RequestType *string    `form:"request_type"`
+	AssignedTo  *string    `form:"assigned_to"`
+	Priority    *string    `form:"priority"`
+	OverdueOnly bool       `form:"overdue_only"`
+	FromDate    *time.Time `form:"from_date"`
+	ToDate      *time.Time `form:"to_date"`
+	Search      *string    `form:"search"`
+}
+
+// DSRDashboardStats for the admin dashboard
+type DSRDashboardStats struct {
+	TotalRequests         int                  `json:"total_requests"`
+	PendingRequests       int                  `json:"pending_requests"`
+	OverdueRequests       int                  `json:"overdue_requests"`
+	CompletedThisMonth    int                  `json:"completed_this_month"`
+	AverageProcessingDays float64              `json:"average_processing_days"`
+	ByType                map[string]int       `json:"by_type"`
+	ByStatus              map[string]int       `json:"by_status"`
+	UpcomingDeadlines     []DataSubjectRequest `json:"upcoming_deadlines"`
+}
+
+// DSRWithDetails combines DSR with related data
+type DSRWithDetails struct {
+	Request         DataSubjectRequest  `json:"request"`
+	StatusHistory   []DSRStatusHistory  `json:"status_history"`
+	Communications  []DSRCommunication  `json:"communications"`
+	ExceptionChecks []DSRExceptionCheck `json:"exception_checks,omitempty"`
+	AssigneeName    *string             `json:"assignee_name,omitempty"`
+	CreatorName     *string             `json:"creator_name,omitempty"`
+}
+
+// DSRTemplateWithVersions combines template with versions
+type DSRTemplateWithVersions struct {
+	Template      DSRTemplate          `json:"template"`
+	LatestVersion *DSRTemplateVersion  `json:"latest_version,omitempty"`
+	Versions      []DSRTemplateVersion `json:"versions,omitempty"`
+}
+
+// CreateDSRTemplateVersionRequest for creating a template version
+type CreateDSRTemplateVersionRequest struct {
+	TemplateID string `json:"template_id" binding:"required"`
+	Version    string `json:"version" binding:"required"`
+	Language   string `json:"language" binding:"required"`
+	Subject    string `json:"subject" binding:"required"`
+	BodyHTML   string `json:"body_html" binding:"required"`
+	BodyText   string `json:"body_text" binding:"required"`
+}
+
+// UpdateDSRTemplateVersionRequest for updating a template version
+type UpdateDSRTemplateVersionRequest struct {
+	Subject  *string `json:"subject"`
+	BodyHTML *string `json:"body_html"`
+	BodyText *string `json:"body_text"`
+	Status   *string `json:"status"`
+}
+
+// PreviewDSRTemplateRequest for previewing a template with variables
+type PreviewDSRTemplateRequest struct {
+	Variables map[string]string `json:"variables"`
+}
+
+// DSRTemplatePreviewResponse for template preview
+type DSRTemplatePreviewResponse struct {
+	Subject  string `json:"subject"`
+	BodyHTML string `json:"body_html"`
+	BodyText string `json:"body_text"`
+}
+
+// ========================================
+// DSR Helper Methods
+// ========================================
+
+// Label returns German label for request type
+func (rt DSRRequestType) Label() string {
+	switch rt {
+	case DSRTypeAccess:
+		return "Auskunftsanfrage (Art. 15)"
+	case DSRTypeRectification:
+		return "Berichtigungsanfrage (Art. 16)"
+	case DSRTypeErasure:
+		return "Löschanfrage (Art. 17)"
+	case DSRTypeRestriction:
+		return "Einschränkungsanfrage (Art. 18)"
+	case DSRTypePortability:
+		return "Datenübertragung (Art. 20)"
+	default:
+		return string(rt)
+	}
+}
+
+// DeadlineDays returns the legal deadline in days for request type
+func (rt DSRRequestType) DeadlineDays() int {
+	switch rt {
+	case DSRTypeAccess, DSRTypePortability:
+		return 30 // 1 month
+	case DSRTypeRectification, DSRTypeErasure, DSRTypeRestriction:
+		return 14 // 2 weeks (expedited per BDSG)
+	default:
+		return 30
+	}
+}
+
+// IsExpedited returns whether this request type should be processed expeditiously
+func (rt DSRRequestType) IsExpedited() bool {
+	switch rt {
+	case DSRTypeRectification, DSRTypeErasure, DSRTypeRestriction:
+		return true
+	default:
+		return false
+	}
+}
+
+// Label returns German label for status
+func (s DSRStatus) Label() string {
+	switch s {
+	case DSRStatusIntake:
+		return "Eingang"
+	case DSRStatusIdentityVerification:
+		return "Identitätsprüfung"
+	case DSRStatusProcessing:
+		return "In Bearbeitung"
+	case DSRStatusCompleted:
+		return "Abgeschlossen"
+	case DSRStatusRejected:
+		return "Abgelehnt"
+	case DSRStatusCancelled:
+		return "Storniert"
+	default:
+		return string(s)
+	}
+}
+
+// IsValidDSRRequestType checks if a string is a valid DSR request type
+func IsValidDSRRequestType(reqType string) bool {
+	switch DSRRequestType(reqType) {
+	case DSRTypeAccess, DSRTypeRectification, DSRTypeErasure, DSRTypeRestriction, DSRTypePortability:
+		return true
+	default:
+		return false
+	}
+}
+
+// IsValidDSRStatus checks if a string is a valid DSR status
+func IsValidDSRStatus(status string) bool {
+	switch DSRStatus(status) {
+	case DSRStatusIntake, DSRStatusIdentityVerification, DSRStatusProcessing,
+		DSRStatusCompleted, DSRStatusRejected, DSRStatusCancelled:
+		return true
+	default:
+		return false
+	}
+}
diff --git a/consent-service/internal/models/email_templates.go b/consent-service/internal/models/email_templates.go
new file mode 100644
index 0000000..4cfad96
--- /dev/null
+++ b/consent-service/internal/models/email_templates.go
@@ -0,0 +1,191 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// EmailTemplateType defines the types of transactional emails
+const (
+	// Auth & Security
+	EmailTypeWelcome            = "welcome"
+	EmailTypeEmailVerification  = "email_verification"
+	EmailTypePasswordReset      = "password_reset"
+	EmailTypePasswordChanged    = "password_changed"
+	EmailType2FAEnabled         = "2fa_enabled"
+	EmailType2FADisabled        = "2fa_disabled"
+	EmailTypeNewDeviceLogin     = "new_device_login"
+	EmailTypeSuspiciousActivity = "suspicious_activity"
+	EmailTypeAccountLocked      = "account_locked"
+	EmailTypeAccountUnlocked    = "account_unlocked"
+
+	// Account Lifecycle
+	EmailTypeDeletionRequested = "deletion_requested"
+	EmailTypeDeletionConfirmed = "deletion_confirmed"
+	EmailTypeDataExportReady   = "data_export_ready"
+	EmailTypeEmailChanged      = "email_changed"
+	EmailTypeEmailChangeVerify = "email_change_verify"
+
+	// Consent-related
+	EmailTypeNewVersionPublished      = "new_version_published"
+	EmailTypeConsentReminder          = "consent_reminder"
+	EmailTypeConsentDeadlineWarning   = "consent_deadline_warning"
+	EmailTypeAccountSuspended         = "account_suspended"
+)
+
+// EmailTemplate represents a template for transactional emails (like LegalDocument)
+type EmailTemplate struct {
+	ID          uuid.UUID `json:"id" db:"id"`
+	Type        string    `json:"type" db:"type"`             // One of EmailType constants
+	Name        string    `json:"name" db:"name"`             // Human-readable name
+	Description *string   `json:"description" db:"description"`
+	IsActive    bool      `json:"is_active" db:"is_active"`
+	SortOrder   int       `json:"sort_order" db:"sort_order"`
+	CreatedAt   time.Time `json:"created_at" db:"created_at"`
+	UpdatedAt   time.Time `json:"updated_at" db:"updated_at"`
+}
+
+// EmailTemplateVersion represents a specific version of an email template (like DocumentVersion)
+type EmailTemplateVersion struct {
+	ID                 uuid.UUID  `json:"id" db:"id"`
+	TemplateID         uuid.UUID  `json:"template_id" db:"template_id"`
+	Version            string     `json:"version" db:"version"`     // Semver: 1.0.0
+	Language           string     `json:"language" db:"language"`   // ISO 639-1: de, en
+	Subject            string     `json:"subject" db:"subject"`     // Email subject line
+	BodyHTML           string     `json:"body_html" db:"body_html"` // HTML version
+	BodyText           string     `json:"body_text" db:"body_text"` // Plain text version
+	Summary            *string    `json:"summary" db:"summary"`     // Change summary
+	Status             string     `json:"status" db:"status"`       // draft, review, approved, published, archived
+	PublishedAt        *time.Time `json:"published_at" db:"published_at"`
+	ScheduledPublishAt *time.Time `json:"scheduled_publish_at" db:"scheduled_publish_at"`
+	CreatedBy          *uuid.UUID `json:"created_by" db:"created_by"`
+	ApprovedBy         *uuid.UUID `json:"approved_by" db:"approved_by"`
+	ApprovedAt         *time.Time `json:"approved_at" db:"approved_at"`
+	CreatedAt          time.Time  `json:"created_at" db:"created_at"`
+	UpdatedAt          time.Time  `json:"updated_at" db:"updated_at"`
+}
+
+// EmailTemplateApproval tracks approval workflow for email templates
+type EmailTemplateApproval struct {
+	ID         uuid.UUID `json:"id" db:"id"`
+	VersionID  uuid.UUID `json:"version_id" db:"version_id"`
+	ApproverID uuid.UUID `json:"approver_id" db:"approver_id"`
+	Action     string    `json:"action" db:"action"` // submitted_for_review, approved, rejected, published
+	Comment    *string   `json:"comment,omitempty" db:"comment"`
+	CreatedAt  time.Time `json:"created_at" db:"created_at"`
+}
+
+// EmailSendLog tracks sent emails for audit purposes
+type EmailSendLog struct {
+	ID          uuid.UUID  `json:"id" db:"id"`
+	UserID      *uuid.UUID `json:"user_id,omitempty" db:"user_id"`
+	VersionID   uuid.UUID  `json:"version_id" db:"version_id"`
+	Recipient   string     `json:"recipient" db:"recipient"` // Email address
+	Subject     string     `json:"subject" db:"subject"`
+	Status      string     `json:"status" db:"status"` // queued, sent, delivered, bounced, failed
+	ErrorMsg    *string    `json:"error_msg,omitempty" db:"error_msg"`
+	Variables   *string    `json:"variables,omitempty" db:"variables"` // JSON of template variables used
+	SentAt      *time.Time `json:"sent_at,omitempty" db:"sent_at"`
+	DeliveredAt *time.Time `json:"delivered_at,omitempty" db:"delivered_at"`
+	CreatedAt   time.Time  `json:"created_at" db:"created_at"`
+}
+
+// EmailTemplateSettings stores global email settings (logo, signature, etc.)
+type EmailTemplateSettings struct {
+	ID             uuid.UUID  `json:"id" db:"id"`
+	LogoURL        *string    `json:"logo_url" db:"logo_url"`
+	LogoBase64     *string    `json:"logo_base64" db:"logo_base64"` // For embedding in emails
+	CompanyName    string     `json:"company_name" db:"company_name"`
+	SenderName     string     `json:"sender_name" db:"sender_name"`
+	SenderEmail    string     `json:"sender_email" db:"sender_email"`
+	ReplyToEmail   *string    `json:"reply_to_email" db:"reply_to_email"`
+	FooterHTML     *string    `json:"footer_html" db:"footer_html"`
+	FooterText     *string    `json:"footer_text" db:"footer_text"`
+	PrimaryColor   string     `json:"primary_color" db:"primary_color"`     // Hex color
+	SecondaryColor string     `json:"secondary_color" db:"secondary_color"` // Hex color
+	UpdatedAt      time.Time  `json:"updated_at" db:"updated_at"`
+	UpdatedBy      *uuid.UUID `json:"updated_by" db:"updated_by"`
+}
+
+// ========================================
+// E-Mail Template DTOs
+// ========================================
+
+// CreateEmailTemplateRequest for creating a new email template type
+type CreateEmailTemplateRequest struct {
+	Type        string  `json:"type" binding:"required"`
+	Name        string  `json:"name" binding:"required"`
+	Description *string `json:"description"`
+}
+
+// CreateEmailTemplateVersionRequest for creating a new version of an email template
+type CreateEmailTemplateVersionRequest struct {
+	TemplateID string  `json:"template_id" binding:"required"`
+	Version    string  `json:"version" binding:"required"`
+	Language   string  `json:"language" binding:"required"`
+	Subject    string  `json:"subject" binding:"required"`
+	BodyHTML   string  `json:"body_html" binding:"required"`
+	BodyText   string  `json:"body_text" binding:"required"`
+	Summary    *string `json:"summary"`
+}
+
+// UpdateEmailTemplateVersionRequest for updating a version
+type UpdateEmailTemplateVersionRequest struct {
+	Subject  *string `json:"subject"`
+	BodyHTML *string `json:"body_html"`
+	BodyText *string `json:"body_text"`
+	Summary  *string `json:"summary"`
+	Status   *string `json:"status"`
+}
+
+// UpdateEmailTemplateSettingsRequest for updating global settings
+type UpdateEmailTemplateSettingsRequest struct {
+	LogoURL        *string `json:"logo_url"`
+	LogoBase64     *string `json:"logo_base64"`
+	CompanyName    *string `json:"company_name"`
+	SenderName     *string `json:"sender_name"`
+	SenderEmail    *string `json:"sender_email"`
+	ReplyToEmail   *string `json:"reply_to_email"`
+	FooterHTML     *string `json:"footer_html"`
+	FooterText     *string `json:"footer_text"`
+	PrimaryColor   *string `json:"primary_color"`
+	SecondaryColor *string `json:"secondary_color"`
+}
+
+// EmailTemplateWithVersion combines template info with its latest published version
+type EmailTemplateWithVersion struct {
+	Template      EmailTemplate         `json:"template"`
+	LatestVersion *EmailTemplateVersion `json:"latest_version,omitempty"`
+}
+
+// SendTestEmailRequest for sending a test email
+type SendTestEmailRequest struct {
+	VersionID string            `json:"version_id" binding:"required"`
+	Recipient string            `json:"recipient" binding:"required,email"`
+	Variables map[string]string `json:"variables"` // Template variable overrides
+}
+
+// EmailPreviewResponse for previewing an email
+type EmailPreviewResponse struct {
+	Subject  string `json:"subject"`
+	BodyHTML string `json:"body_html"`
+	BodyText string `json:"body_text"`
+}
+
+// EmailTemplateVariables defines available variables for each template type
+type EmailTemplateVariables struct {
+	TemplateType string            `json:"template_type"`
+	Variables    []string          `json:"variables"`
+	Descriptions map[string]string `json:"descriptions"`
+}
+
+// EmailStats represents statistics about email sends
+type EmailStats struct {
+	TotalSent    int     `json:"total_sent"`
+	Delivered    int     `json:"delivered"`
+	Bounced      int     `json:"bounced"`
+	Failed       int     `json:"failed"`
+	DeliveryRate float64 `json:"delivery_rate"`
+	RecentSent   int     `json:"recent_sent"` // Last 7 days
+}
diff --git a/consent-service/internal/models/models.go b/consent-service/internal/models/models.go
deleted file mode 100644
index 6dfbf8b..0000000
--- a/consent-service/internal/models/models.go
+++ /dev/null
@@ -1,1797 +0,0 @@
-package models
-
-import (
-	"time"
-
-	"github.com/google/uuid"
-)
-
-// User represents a user with full authentication support
-type User struct {
-	ID                  uuid.UUID  `json:"id" db:"id"`
-	ExternalID          *string    `json:"external_id,omitempty" db:"external_id"`
-	Email               string     `json:"email" db:"email"`
-	PasswordHash        *string    `json:"-" db:"password_hash"` // Never exposed in JSON
-	Name                *string    `json:"name,omitempty" db:"name"`
-	Role                string     `json:"role" db:"role"` // 'user', 'admin', 'super_admin', 'data_protection_officer'
-	EmailVerified       bool       `json:"email_verified" db:"email_verified"`
-	EmailVerifiedAt     *time.Time `json:"email_verified_at,omitempty" db:"email_verified_at"`
-	AccountStatus       string     `json:"account_status" db:"account_status"` // 'active', 'suspended', 'locked'
-	LastLoginAt         *time.Time `json:"last_login_at,omitempty" db:"last_login_at"`
-	FailedLoginAttempts int        `json:"failed_login_attempts" db:"failed_login_attempts"`
-	LockedUntil         *time.Time `json:"locked_until,omitempty" db:"locked_until"`
-	CreatedAt           time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt           time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// LegalDocument represents a type of legal document (e.g., Terms, Privacy Policy)
-type LegalDocument struct {
-	ID          uuid.UUID `json:"id" db:"id"`
-	Type        string    `json:"type" db:"type"` // 'terms', 'privacy', 'cookies', 'community'
-	Name        string    `json:"name" db:"name"`
-	Description *string   `json:"description" db:"description"`
-	IsMandatory bool      `json:"is_mandatory" db:"is_mandatory"`
-	IsActive    bool      `json:"is_active" db:"is_active"`
-	SortOrder   int       `json:"sort_order" db:"sort_order"`
-	CreatedAt   time.Time `json:"created_at" db:"created_at"`
-	UpdatedAt   time.Time `json:"updated_at" db:"updated_at"`
-}
-
-// DocumentVersion represents a specific version of a legal document
-type DocumentVersion struct {
-	ID                 uuid.UUID  `json:"id" db:"id"`
-	DocumentID         uuid.UUID  `json:"document_id" db:"document_id"`
-	Version            string     `json:"version" db:"version"` // Semver: 1.0.0, 1.1.0
-	Language           string     `json:"language" db:"language"` // ISO 639-1: de, en
-	Title              string     `json:"title" db:"title"`
-	Content            string     `json:"content" db:"content"` // HTML or Markdown
-	Summary            *string    `json:"summary" db:"summary"` // Summary of changes
-	Status             string     `json:"status" db:"status"`   // 'draft', 'review', 'approved', 'scheduled', 'published', 'archived'
-	PublishedAt        *time.Time `json:"published_at" db:"published_at"`
-	ScheduledPublishAt *time.Time `json:"scheduled_publish_at" db:"scheduled_publish_at"`
-	CreatedBy          *uuid.UUID `json:"created_by" db:"created_by"`
-	ApprovedBy         *uuid.UUID `json:"approved_by" db:"approved_by"`
-	ApprovedAt         *time.Time `json:"approved_at" db:"approved_at"`
-	CreatedAt          time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt          time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// UserConsent represents a user's consent to a document version
-type UserConsent struct {
-	ID                uuid.UUID  `json:"id" db:"id"`
-	UserID            uuid.UUID  `json:"user_id" db:"user_id"`
-	DocumentVersionID uuid.UUID  `json:"document_version_id" db:"document_version_id"`
-	Consented         bool       `json:"consented" db:"consented"`
-	IPAddress         *string    `json:"ip_address" db:"ip_address"`
-	UserAgent         *string    `json:"user_agent" db:"user_agent"`
-	ConsentedAt       time.Time  `json:"consented_at" db:"consented_at"`
-	WithdrawnAt       *time.Time `json:"withdrawn_at" db:"withdrawn_at"`
-}
-
-// CookieCategory represents a category of cookies
-type CookieCategory struct {
-	ID            uuid.UUID `json:"id" db:"id"`
-	Name          string    `json:"name" db:"name"` // 'necessary', 'functional', 'analytics', 'marketing'
-	DisplayNameDE string    `json:"display_name_de" db:"display_name_de"`
-	DisplayNameEN *string   `json:"display_name_en" db:"display_name_en"`
-	DescriptionDE *string   `json:"description_de" db:"description_de"`
-	DescriptionEN *string   `json:"description_en" db:"description_en"`
-	IsMandatory   bool      `json:"is_mandatory" db:"is_mandatory"`
-	SortOrder     int       `json:"sort_order" db:"sort_order"`
-	IsActive      bool      `json:"is_active" db:"is_active"`
-	CreatedAt     time.Time `json:"created_at" db:"created_at"`
-	UpdatedAt     time.Time `json:"updated_at" db:"updated_at"`
-}
-
-// CookieConsent represents a user's cookie preferences
-type CookieConsent struct {
-	ID         uuid.UUID `json:"id" db:"id"`
-	UserID     uuid.UUID `json:"user_id" db:"user_id"`
-	CategoryID uuid.UUID `json:"category_id" db:"category_id"`
-	Consented  bool      `json:"consented" db:"consented"`
-	ConsentedAt time.Time `json:"consented_at" db:"consented_at"`
-	UpdatedAt  time.Time `json:"updated_at" db:"updated_at"`
-}
-
-// AuditLog represents an audit trail entry for GDPR compliance
-type AuditLog struct {
-	ID         uuid.UUID  `json:"id" db:"id"`
-	UserID     *uuid.UUID `json:"user_id" db:"user_id"`
-	Action     string     `json:"action" db:"action"` // 'consent_given', 'consent_withdrawn', 'data_export', 'data_delete'
-	EntityType *string    `json:"entity_type" db:"entity_type"` // 'document', 'cookie_category'
-	EntityID   *uuid.UUID `json:"entity_id" db:"entity_id"`
-	Details    *string    `json:"details" db:"details"` // JSON string
-	IPAddress  *string    `json:"ip_address" db:"ip_address"`
-	UserAgent  *string    `json:"user_agent" db:"user_agent"`
-	CreatedAt  time.Time  `json:"created_at" db:"created_at"`
-}
-
-// DataExportRequest represents a user's request to export their data
-type DataExportRequest struct {
-	ID          uuid.UUID  `json:"id" db:"id"`
-	UserID      uuid.UUID  `json:"user_id" db:"user_id"`
-	Status      string     `json:"status" db:"status"` // 'pending', 'processing', 'completed', 'failed'
-	DownloadURL *string    `json:"download_url" db:"download_url"`
-	ExpiresAt   *time.Time `json:"expires_at" db:"expires_at"`
-	CreatedAt   time.Time  `json:"created_at" db:"created_at"`
-	CompletedAt *time.Time `json:"completed_at" db:"completed_at"`
-}
-
-// DataDeletionRequest represents a user's request to delete their data
-type DataDeletionRequest struct {
-	ID           uuid.UUID  `json:"id" db:"id"`
-	UserID       uuid.UUID  `json:"user_id" db:"user_id"`
-	Status       string     `json:"status" db:"status"` // 'pending', 'processing', 'completed', 'failed'
-	Reason       *string    `json:"reason" db:"reason"`
-	CreatedAt    time.Time  `json:"created_at" db:"created_at"`
-	ProcessedAt  *time.Time `json:"processed_at" db:"processed_at"`
-	ProcessedBy  *uuid.UUID `json:"processed_by" db:"processed_by"`
-}
-
-// ========================================
-// DTOs (Data Transfer Objects)
-// ========================================
-
-// CreateConsentRequest is the request body for creating a consent
-type CreateConsentRequest struct {
-	DocumentType string `json:"document_type" binding:"required"`
-	VersionID    string `json:"version_id" binding:"required"`
-	Consented    bool   `json:"consented"`
-}
-
-// CookieConsentRequest is the request body for setting cookie preferences
-type CookieConsentRequest struct {
-	Categories []CookieCategoryConsent `json:"categories" binding:"required"`
-}
-
-// CookieCategoryConsent represents consent for a single cookie category
-type CookieCategoryConsent struct {
-	CategoryID string `json:"category_id" binding:"required"`
-	Consented  bool   `json:"consented"`
-}
-
-// ConsentCheckResponse is the response for checking consent status
-type ConsentCheckResponse struct {
-	HasConsent        bool       `json:"has_consent"`
-	CurrentVersionID  *string    `json:"current_version_id,omitempty"`
-	ConsentedVersion  *string    `json:"consented_version,omitempty"`
-	NeedsUpdate       bool       `json:"needs_update"`
-	ConsentedAt       *time.Time `json:"consented_at,omitempty"`
-}
-
-// DocumentWithVersion combines document info with its latest published version
-type DocumentWithVersion struct {
-	Document      LegalDocument   `json:"document"`
-	LatestVersion *DocumentVersion `json:"latest_version,omitempty"`
-}
-
-// ConsentHistory represents a user's consent history for a document
-type ConsentHistory struct {
-	Document       LegalDocument   `json:"document"`
-	Version        DocumentVersion `json:"version"`
-	Consent        UserConsent     `json:"consent"`
-}
-
-// ConsentStats represents statistics about consents
-type ConsentStats struct {
-	TotalUsers        int     `json:"total_users"`
-	ConsentedUsers    int     `json:"consented_users"`
-	ConsentRate       float64 `json:"consent_rate"`
-	RecentConsents    int     `json:"recent_consents"` // Last 7 days
-	RecentWithdrawals int     `json:"recent_withdrawals"`
-}
-
-// CookieStats represents statistics about cookie consents
-type CookieStats struct {
-	Category       string  `json:"category"`
-	TotalUsers     int     `json:"total_users"`
-	ConsentedUsers int     `json:"consented_users"`
-	ConsentRate    float64 `json:"consent_rate"`
-}
-
-// MyDataResponse represents all data we have about a user
-type MyDataResponse struct {
-	User           User            `json:"user"`
-	Consents       []ConsentHistory `json:"consents"`
-	CookieConsents []CookieConsent  `json:"cookie_consents"`
-	AuditLog       []AuditLog       `json:"audit_log"`
-	ExportedAt     time.Time        `json:"exported_at"`
-}
-
-// CreateDocumentRequest is the request body for creating a document
-type CreateDocumentRequest struct {
-	Type        string  `json:"type" binding:"required"`
-	Name        string  `json:"name" binding:"required"`
-	Description *string `json:"description"`
-	IsMandatory bool    `json:"is_mandatory"`
-}
-
-// CreateVersionRequest is the request body for creating a document version
-type CreateVersionRequest struct {
-	DocumentID string  `json:"document_id" binding:"required"`
-	Version    string  `json:"version" binding:"required"`
-	Language   string  `json:"language" binding:"required"`
-	Title      string  `json:"title" binding:"required"`
-	Content    string  `json:"content" binding:"required"`
-	Summary    *string `json:"summary"`
-}
-
-// UpdateVersionRequest is the request body for updating a version
-type UpdateVersionRequest struct {
-	Title   *string `json:"title"`
-	Content *string `json:"content"`
-	Summary *string `json:"summary"`
-	Status  *string `json:"status"`
-}
-
-// CreateCookieCategoryRequest is the request body for creating a cookie category
-type CreateCookieCategoryRequest struct {
-	Name          string  `json:"name" binding:"required"`
-	DisplayNameDE string  `json:"display_name_de" binding:"required"`
-	DisplayNameEN *string `json:"display_name_en"`
-	DescriptionDE *string `json:"description_de"`
-	DescriptionEN *string `json:"description_en"`
-	IsMandatory   bool    `json:"is_mandatory"`
-	SortOrder     int     `json:"sort_order"`
-}
-
-// ========================================
-// Phase 1: Authentication Models
-// ========================================
-
-// EmailVerificationToken for email verification
-type EmailVerificationToken struct {
-	ID        uuid.UUID  `json:"id" db:"id"`
-	UserID    uuid.UUID  `json:"user_id" db:"user_id"`
-	Token     string     `json:"token" db:"token"`
-	ExpiresAt time.Time  `json:"expires_at" db:"expires_at"`
-	UsedAt    *time.Time `json:"used_at,omitempty" db:"used_at"`
-	CreatedAt time.Time  `json:"created_at" db:"created_at"`
-}
-
-// PasswordResetToken for password reset
-type PasswordResetToken struct {
-	ID        uuid.UUID  `json:"id" db:"id"`
-	UserID    uuid.UUID  `json:"user_id" db:"user_id"`
-	Token     string     `json:"token" db:"token"`
-	ExpiresAt time.Time  `json:"expires_at" db:"expires_at"`
-	UsedAt    *time.Time `json:"used_at,omitempty" db:"used_at"`
-	IPAddress *string    `json:"ip_address,omitempty" db:"ip_address"`
-	CreatedAt time.Time  `json:"created_at" db:"created_at"`
-}
-
-// UserSession for session management
-type UserSession struct {
-	ID             uuid.UUID  `json:"id" db:"id"`
-	UserID         uuid.UUID  `json:"user_id" db:"user_id"`
-	TokenHash      string     `json:"-" db:"token_hash"`
-	DeviceInfo     *string    `json:"device_info,omitempty" db:"device_info"`
-	IPAddress      *string    `json:"ip_address,omitempty" db:"ip_address"`
-	UserAgent      *string    `json:"user_agent,omitempty" db:"user_agent"`
-	ExpiresAt      time.Time  `json:"expires_at" db:"expires_at"`
-	RevokedAt      *time.Time `json:"revoked_at,omitempty" db:"revoked_at"`
-	CreatedAt      time.Time  `json:"created_at" db:"created_at"`
-	LastActivityAt time.Time  `json:"last_activity_at" db:"last_activity_at"`
-}
-
-// RegisterRequest for user registration
-type RegisterRequest struct {
-	Email    string  `json:"email" binding:"required,email"`
-	Password string  `json:"password" binding:"required,min=8"`
-	Name     *string `json:"name"`
-}
-
-// LoginRequest for user login
-type LoginRequest struct {
-	Email    string `json:"email" binding:"required,email"`
-	Password string `json:"password" binding:"required"`
-}
-
-// LoginResponse after successful login
-type LoginResponse struct {
-	User         User   `json:"user"`
-	AccessToken  string `json:"access_token"`
-	RefreshToken string `json:"refresh_token"`
-	ExpiresIn    int    `json:"expires_in"` // seconds
-}
-
-// RefreshTokenRequest for token refresh
-type RefreshTokenRequest struct {
-	RefreshToken string `json:"refresh_token" binding:"required"`
-}
-
-// VerifyEmailRequest for email verification
-type VerifyEmailRequest struct {
-	Token string `json:"token" binding:"required"`
-}
-
-// ForgotPasswordRequest for password reset request
-type ForgotPasswordRequest struct {
-	Email string `json:"email" binding:"required,email"`
-}
-
-// ResetPasswordRequest for password reset
-type ResetPasswordRequest struct {
-	Token       string `json:"token" binding:"required"`
-	NewPassword string `json:"new_password" binding:"required,min=8"`
-}
-
-// ChangePasswordRequest for changing password
-type ChangePasswordRequest struct {
-	CurrentPassword string `json:"current_password" binding:"required"`
-	NewPassword     string `json:"new_password" binding:"required,min=8"`
-}
-
-// UpdateProfileRequest for profile updates
-type UpdateProfileRequest struct {
-	Name *string `json:"name"`
-}
-
-// ========================================
-// Phase 3: Version Approval Models
-// ========================================
-
-// VersionApproval tracks the approval workflow
-type VersionApproval struct {
-	ID         uuid.UUID `json:"id" db:"id"`
-	VersionID  uuid.UUID `json:"version_id" db:"version_id"`
-	ApproverID uuid.UUID `json:"approver_id" db:"approver_id"`
-	Action     string    `json:"action" db:"action"` // 'submitted_for_review', 'approved', 'rejected', 'published'
-	Comment    *string   `json:"comment,omitempty" db:"comment"`
-	CreatedAt  time.Time `json:"created_at" db:"created_at"`
-}
-
-// SubmitForReviewRequest for submitting a version for review
-type SubmitForReviewRequest struct {
-	Comment *string `json:"comment"`
-}
-
-// ApproveVersionRequest for approving a version (DSB)
-type ApproveVersionRequest struct {
-	Comment            *string `json:"comment"`
-	ScheduledPublishAt *string `json:"scheduled_publish_at"` // ISO 8601 datetime for scheduled publishing
-}
-
-// RejectVersionRequest for rejecting a version
-type RejectVersionRequest struct {
-	Comment string `json:"comment" binding:"required"`
-}
-
-// VersionCompareResponse for comparing versions
-type VersionCompareResponse struct {
-	Published *DocumentVersion `json:"published,omitempty"`
-	Draft     *DocumentVersion `json:"draft"`
-	Diff      *string          `json:"diff,omitempty"`
-	Approvals []VersionApproval `json:"approvals"`
-}
-
-// ========================================
-// Phase 4: Notification Models
-// ========================================
-
-// Notification represents a user notification
-type Notification struct {
-	ID        uuid.UUID  `json:"id" db:"id"`
-	UserID    uuid.UUID  `json:"user_id" db:"user_id"`
-	Type      string     `json:"type" db:"type"`    // 'new_version', 'consent_reminder', 'account_warning'
-	Channel   string     `json:"channel" db:"channel"` // 'email', 'in_app', 'push'
-	Title     string     `json:"title" db:"title"`
-	Body      string     `json:"body" db:"body"`
-	Data      *string    `json:"data,omitempty" db:"data"` // JSON string
-	ReadAt    *time.Time `json:"read_at,omitempty" db:"read_at"`
-	SentAt    *time.Time `json:"sent_at,omitempty" db:"sent_at"`
-	CreatedAt time.Time  `json:"created_at" db:"created_at"`
-}
-
-// PushSubscription for Web Push notifications
-type PushSubscription struct {
-	ID        uuid.UUID `json:"id" db:"id"`
-	UserID    uuid.UUID `json:"user_id" db:"user_id"`
-	Endpoint  string    `json:"endpoint" db:"endpoint"`
-	P256dh    string    `json:"p256dh" db:"p256dh"`
-	Auth      string    `json:"auth" db:"auth"`
-	UserAgent *string   `json:"user_agent,omitempty" db:"user_agent"`
-	CreatedAt time.Time `json:"created_at" db:"created_at"`
-}
-
-// NotificationPreferences for user notification settings
-type NotificationPreferences struct {
-	ID                uuid.UUID `json:"id" db:"id"`
-	UserID            uuid.UUID `json:"user_id" db:"user_id"`
-	EmailEnabled      bool      `json:"email_enabled" db:"email_enabled"`
-	PushEnabled       bool      `json:"push_enabled" db:"push_enabled"`
-	InAppEnabled      bool      `json:"in_app_enabled" db:"in_app_enabled"`
-	ReminderFrequency string    `json:"reminder_frequency" db:"reminder_frequency"` // 'daily', 'weekly', 'never'
-	CreatedAt         time.Time `json:"created_at" db:"created_at"`
-	UpdatedAt         time.Time `json:"updated_at" db:"updated_at"`
-}
-
-// SubscribePushRequest for subscribing to push notifications
-type SubscribePushRequest struct {
-	Endpoint string `json:"endpoint" binding:"required"`
-	P256dh   string `json:"p256dh" binding:"required"`
-	Auth     string `json:"auth" binding:"required"`
-}
-
-// UpdateNotificationPreferencesRequest for updating preferences
-type UpdateNotificationPreferencesRequest struct {
-	EmailEnabled      *bool   `json:"email_enabled"`
-	PushEnabled       *bool   `json:"push_enabled"`
-	InAppEnabled      *bool   `json:"in_app_enabled"`
-	ReminderFrequency *string `json:"reminder_frequency"`
-}
-
-// ========================================
-// Phase 6: OAuth 2.0 Authorization Code Flow
-// ========================================
-
-// OAuthClient represents a registered OAuth 2.0 client application
-type OAuthClient struct {
-	ID           uuid.UUID  `json:"id" db:"id"`
-	ClientID     string     `json:"client_id" db:"client_id"`
-	ClientSecret string     `json:"-" db:"client_secret"` // Never expose in JSON
-	Name         string     `json:"name" db:"name"`
-	Description  *string    `json:"description,omitempty" db:"description"`
-	RedirectURIs []string   `json:"redirect_uris" db:"redirect_uris"` // JSON array
-	Scopes       []string   `json:"scopes" db:"scopes"`               // Allowed scopes
-	GrantTypes   []string   `json:"grant_types" db:"grant_types"`     // authorization_code, refresh_token
-	IsPublic     bool       `json:"is_public" db:"is_public"`         // Public clients (SPAs) don't have secret
-	IsActive     bool       `json:"is_active" db:"is_active"`
-	CreatedBy    *uuid.UUID `json:"created_by,omitempty" db:"created_by"`
-	CreatedAt    time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt    time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// OAuthAuthorizationCode represents an authorization code for the OAuth flow
-type OAuthAuthorizationCode struct {
-	ID                  uuid.UUID `json:"id" db:"id"`
-	Code                string    `json:"-" db:"code"` // Hashed
-	ClientID            string    `json:"client_id" db:"client_id"`
-	UserID              uuid.UUID `json:"user_id" db:"user_id"`
-	RedirectURI         string    `json:"redirect_uri" db:"redirect_uri"`
-	Scopes              []string  `json:"scopes" db:"scopes"`
-	CodeChallenge       *string   `json:"-" db:"code_challenge"`        // For PKCE
-	CodeChallengeMethod *string   `json:"-" db:"code_challenge_method"` // S256 or plain
-	ExpiresAt           time.Time `json:"expires_at" db:"expires_at"`
-	UsedAt              *time.Time `json:"used_at,omitempty" db:"used_at"`
-	CreatedAt           time.Time `json:"created_at" db:"created_at"`
-}
-
-// OAuthAccessToken represents an OAuth access token
-type OAuthAccessToken struct {
-	ID          uuid.UUID  `json:"id" db:"id"`
-	TokenHash   string     `json:"-" db:"token_hash"`
-	ClientID    string     `json:"client_id" db:"client_id"`
-	UserID      uuid.UUID  `json:"user_id" db:"user_id"`
-	Scopes      []string   `json:"scopes" db:"scopes"`
-	ExpiresAt   time.Time  `json:"expires_at" db:"expires_at"`
-	RevokedAt   *time.Time `json:"revoked_at,omitempty" db:"revoked_at"`
-	CreatedAt   time.Time  `json:"created_at" db:"created_at"`
-}
-
-// OAuthRefreshToken represents an OAuth refresh token
-type OAuthRefreshToken struct {
-	ID            uuid.UUID  `json:"id" db:"id"`
-	TokenHash     string     `json:"-" db:"token_hash"`
-	AccessTokenID uuid.UUID  `json:"access_token_id" db:"access_token_id"`
-	ClientID      string     `json:"client_id" db:"client_id"`
-	UserID        uuid.UUID  `json:"user_id" db:"user_id"`
-	Scopes        []string   `json:"scopes" db:"scopes"`
-	ExpiresAt     time.Time  `json:"expires_at" db:"expires_at"`
-	RevokedAt     *time.Time `json:"revoked_at,omitempty" db:"revoked_at"`
-	CreatedAt     time.Time  `json:"created_at" db:"created_at"`
-}
-
-// OAuthAuthorizeRequest for the authorization endpoint
-type OAuthAuthorizeRequest struct {
-	ResponseType        string `form:"response_type" binding:"required"` // Must be "code"
-	ClientID            string `form:"client_id" binding:"required"`
-	RedirectURI         string `form:"redirect_uri" binding:"required"`
-	Scope               string `form:"scope"`                                   // Space-separated scopes
-	State               string `form:"state" binding:"required"`                // CSRF protection
-	CodeChallenge       string `form:"code_challenge"`                          // PKCE
-	CodeChallengeMethod string `form:"code_challenge_method"`                   // S256 (recommended) or plain
-}
-
-// OAuthTokenRequest for the token endpoint
-type OAuthTokenRequest struct {
-	GrantType    string `form:"grant_type" binding:"required"` // authorization_code or refresh_token
-	Code         string `form:"code"`                          // For authorization_code grant
-	RedirectURI  string `form:"redirect_uri"`                  // For authorization_code grant
-	ClientID     string `form:"client_id" binding:"required"`
-	ClientSecret string `form:"client_secret"`                 // For confidential clients
-	CodeVerifier string `form:"code_verifier"`                 // For PKCE
-	RefreshToken string `form:"refresh_token"`                 // For refresh_token grant
-	Scope        string `form:"scope"`                         // For refresh_token grant (optional)
-}
-
-// OAuthTokenResponse for successful token requests
-type OAuthTokenResponse struct {
-	AccessToken  string `json:"access_token"`
-	TokenType    string `json:"token_type"` // Always "Bearer"
-	ExpiresIn    int    `json:"expires_in"` // Seconds until expiration
-	RefreshToken string `json:"refresh_token,omitempty"`
-	Scope        string `json:"scope,omitempty"`
-}
-
-// OAuthErrorResponse for OAuth errors (RFC 6749)
-type OAuthErrorResponse struct {
-	Error            string `json:"error"`
-	ErrorDescription string `json:"error_description,omitempty"`
-	ErrorURI         string `json:"error_uri,omitempty"`
-}
-
-// ========================================
-// Phase 7: Two-Factor Authentication (2FA/TOTP)
-// ========================================
-
-// UserTOTP stores 2FA TOTP configuration for a user
-type UserTOTP struct {
-	ID            uuid.UUID  `json:"id" db:"id"`
-	UserID        uuid.UUID  `json:"user_id" db:"user_id"`
-	Secret        string     `json:"-" db:"secret"`              // Encrypted TOTP secret
-	Verified      bool       `json:"verified" db:"verified"`     // Has 2FA been verified/activated
-	RecoveryCodes []string   `json:"-" db:"recovery_codes"`      // Encrypted backup codes
-	EnabledAt     *time.Time `json:"enabled_at,omitempty" db:"enabled_at"`
-	LastUsedAt    *time.Time `json:"last_used_at,omitempty" db:"last_used_at"`
-	CreatedAt     time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt     time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// TwoFactorChallenge represents a pending 2FA challenge during login
-type TwoFactorChallenge struct {
-	ID          uuid.UUID `json:"id" db:"id"`
-	UserID      uuid.UUID `json:"user_id" db:"user_id"`
-	ChallengeID string    `json:"challenge_id" db:"challenge_id"` // Temporary token
-	IPAddress   *string   `json:"ip_address,omitempty" db:"ip_address"`
-	UserAgent   *string   `json:"user_agent,omitempty" db:"user_agent"`
-	ExpiresAt   time.Time `json:"expires_at" db:"expires_at"`
-	UsedAt      *time.Time `json:"used_at,omitempty" db:"used_at"`
-	CreatedAt   time.Time `json:"created_at" db:"created_at"`
-}
-
-// Setup2FAResponse when initiating 2FA setup
-type Setup2FAResponse struct {
-	Secret        string   `json:"secret"`         // Base32 encoded secret for manual entry
-	QRCodeDataURL string   `json:"qr_code"`        // Data URL for QR code image
-	RecoveryCodes []string `json:"recovery_codes"` // One-time backup codes
-}
-
-// Verify2FARequest for verifying 2FA setup or login
-type Verify2FARequest struct {
-	Code        string `json:"code" binding:"required"` // 6-digit TOTP code
-	ChallengeID string `json:"challenge_id,omitempty"`  // For login flow
-}
-
-// TwoFactorLoginResponse when 2FA is required during login
-type TwoFactorLoginResponse struct {
-	RequiresTwoFactor bool   `json:"requires_two_factor"`
-	ChallengeID       string `json:"challenge_id"` // Use this to complete 2FA
-	Message           string `json:"message"`
-}
-
-// Complete2FALoginRequest to complete login with 2FA
-type Complete2FALoginRequest struct {
-	ChallengeID string `json:"challenge_id" binding:"required"`
-	Code        string `json:"code" binding:"required"` // 6-digit TOTP or recovery code
-}
-
-// Disable2FARequest for disabling 2FA
-type Disable2FARequest struct {
-	Password string `json:"password" binding:"required"` // Require password confirmation
-	Code     string `json:"code" binding:"required"`     // Current TOTP code
-}
-
-// RecoveryCodeUseRequest for using a recovery code
-type RecoveryCodeUseRequest struct {
-	ChallengeID  string `json:"challenge_id" binding:"required"`
-	RecoveryCode string `json:"recovery_code" binding:"required"`
-}
-
-// TwoFactorStatusResponse for checking 2FA status
-type TwoFactorStatusResponse struct {
-	Enabled            bool       `json:"enabled"`
-	Verified           bool       `json:"verified"`
-	EnabledAt          *time.Time `json:"enabled_at,omitempty"`
-	RecoveryCodesCount int        `json:"recovery_codes_count"`
-}
-
-// Verify2FAChallengeRequest for verifying a 2FA challenge during login
-type Verify2FAChallengeRequest struct {
-	ChallengeID  string `json:"challenge_id" binding:"required"`
-	Code         string `json:"code,omitempty"`          // 6-digit TOTP code
-	RecoveryCode string `json:"recovery_code,omitempty"` // Alternative: recovery code
-}
-
-// ========================================
-// Phase 5: Consent Deadline Models
-// ========================================
-
-// ConsentDeadline tracks consent deadlines per user
-type ConsentDeadline struct {
-	ID                uuid.UUID  `json:"id" db:"id"`
-	UserID            uuid.UUID  `json:"user_id" db:"user_id"`
-	DocumentVersionID uuid.UUID  `json:"document_version_id" db:"document_version_id"`
-	DeadlineAt        time.Time  `json:"deadline_at" db:"deadline_at"`
-	ReminderCount     int        `json:"reminder_count" db:"reminder_count"`
-	LastReminderAt    *time.Time `json:"last_reminder_at,omitempty" db:"last_reminder_at"`
-	ConsentGivenAt    *time.Time `json:"consent_given_at,omitempty" db:"consent_given_at"`
-	CreatedAt         time.Time  `json:"created_at" db:"created_at"`
-}
-
-// AccountSuspension tracks account suspensions
-type AccountSuspension struct {
-	ID           uuid.UUID  `json:"id" db:"id"`
-	UserID       uuid.UUID  `json:"user_id" db:"user_id"`
-	Reason       string     `json:"reason" db:"reason"` // 'consent_deadline_exceeded'
-	Details      *string    `json:"details,omitempty" db:"details"` // JSON
-	SuspendedAt  time.Time  `json:"suspended_at" db:"suspended_at"`
-	LiftedAt     *time.Time `json:"lifted_at,omitempty" db:"lifted_at"`
-	LiftedReason *string    `json:"lifted_reason,omitempty" db:"lifted_reason"`
-}
-
-// PendingConsentResponse for pending consents with deadline info
-type PendingConsentResponse struct {
-	Document    LegalDocument   `json:"document"`
-	Version     DocumentVersion `json:"version"`
-	DeadlineAt  time.Time       `json:"deadline_at"`
-	DaysLeft    int             `json:"days_left"`
-	IsOverdue   bool            `json:"is_overdue"`
-}
-
-// AccountStatusResponse for account status check
-type AccountStatusResponse struct {
-	Status           string                   `json:"status"` // 'active', 'suspended'
-	PendingConsents  []PendingConsentResponse `json:"pending_consents,omitempty"`
-	SuspensionReason *string                  `json:"suspension_reason,omitempty"`
-	CanAccess        bool                     `json:"can_access"`
-}
-
-// ========================================
-// Phase 8: E-Mail Templates (Transactional)
-// ========================================
-
-// EmailTemplateType defines the types of transactional emails
-// These are like document types but for emails
-const (
-	// Auth & Security
-	EmailTypeWelcome              = "welcome"
-	EmailTypeEmailVerification    = "email_verification"
-	EmailTypePasswordReset        = "password_reset"
-	EmailTypePasswordChanged      = "password_changed"
-	EmailType2FAEnabled           = "2fa_enabled"
-	EmailType2FADisabled          = "2fa_disabled"
-	EmailTypeNewDeviceLogin       = "new_device_login"
-	EmailTypeSuspiciousActivity   = "suspicious_activity"
-	EmailTypeAccountLocked        = "account_locked"
-	EmailTypeAccountUnlocked      = "account_unlocked"
-
-	// Account Lifecycle
-	EmailTypeDeletionRequested    = "deletion_requested"
-	EmailTypeDeletionConfirmed    = "deletion_confirmed"
-	EmailTypeDataExportReady      = "data_export_ready"
-	EmailTypeEmailChanged         = "email_changed"
-	EmailTypeEmailChangeVerify    = "email_change_verify"
-
-	// Consent-related
-	EmailTypeNewVersionPublished  = "new_version_published"
-	EmailTypeConsentReminder      = "consent_reminder"
-	EmailTypeConsentDeadlineWarning = "consent_deadline_warning"
-	EmailTypeAccountSuspended     = "account_suspended"
-)
-
-// EmailTemplate represents a template for transactional emails (like LegalDocument)
-type EmailTemplate struct {
-	ID          uuid.UUID `json:"id" db:"id"`
-	Type        string    `json:"type" db:"type"`             // One of EmailType constants
-	Name        string    `json:"name" db:"name"`             // Human-readable name
-	Description *string   `json:"description" db:"description"`
-	IsActive    bool      `json:"is_active" db:"is_active"`
-	SortOrder   int       `json:"sort_order" db:"sort_order"`
-	CreatedAt   time.Time `json:"created_at" db:"created_at"`
-	UpdatedAt   time.Time `json:"updated_at" db:"updated_at"`
-}
-
-// EmailTemplateVersion represents a specific version of an email template (like DocumentVersion)
-type EmailTemplateVersion struct {
-	ID                 uuid.UUID  `json:"id" db:"id"`
-	TemplateID         uuid.UUID  `json:"template_id" db:"template_id"`
-	Version            string     `json:"version" db:"version"`       // Semver: 1.0.0
-	Language           string     `json:"language" db:"language"`     // ISO 639-1: de, en
-	Subject            string     `json:"subject" db:"subject"`       // Email subject line
-	BodyHTML           string     `json:"body_html" db:"body_html"`   // HTML version
-	BodyText           string     `json:"body_text" db:"body_text"`   // Plain text version
-	Summary            *string    `json:"summary" db:"summary"`       // Change summary
-	Status             string     `json:"status" db:"status"`         // draft, review, approved, published, archived
-	PublishedAt        *time.Time `json:"published_at" db:"published_at"`
-	ScheduledPublishAt *time.Time `json:"scheduled_publish_at" db:"scheduled_publish_at"`
-	CreatedBy          *uuid.UUID `json:"created_by" db:"created_by"`
-	ApprovedBy         *uuid.UUID `json:"approved_by" db:"approved_by"`
-	ApprovedAt         *time.Time `json:"approved_at" db:"approved_at"`
-	CreatedAt          time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt          time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// EmailTemplateApproval tracks approval workflow for email templates
-type EmailTemplateApproval struct {
-	ID         uuid.UUID `json:"id" db:"id"`
-	VersionID  uuid.UUID `json:"version_id" db:"version_id"`
-	ApproverID uuid.UUID `json:"approver_id" db:"approver_id"`
-	Action     string    `json:"action" db:"action"` // submitted_for_review, approved, rejected, published
-	Comment    *string   `json:"comment,omitempty" db:"comment"`
-	CreatedAt  time.Time `json:"created_at" db:"created_at"`
-}
-
-// EmailSendLog tracks sent emails for audit purposes
-type EmailSendLog struct {
-	ID          uuid.UUID  `json:"id" db:"id"`
-	UserID      *uuid.UUID `json:"user_id,omitempty" db:"user_id"`
-	VersionID   uuid.UUID  `json:"version_id" db:"version_id"`
-	Recipient   string     `json:"recipient" db:"recipient"` // Email address
-	Subject     string     `json:"subject" db:"subject"`
-	Status      string     `json:"status" db:"status"` // queued, sent, delivered, bounced, failed
-	ErrorMsg    *string    `json:"error_msg,omitempty" db:"error_msg"`
-	Variables   *string    `json:"variables,omitempty" db:"variables"` // JSON of template variables used
-	SentAt      *time.Time `json:"sent_at,omitempty" db:"sent_at"`
-	DeliveredAt *time.Time `json:"delivered_at,omitempty" db:"delivered_at"`
-	CreatedAt   time.Time  `json:"created_at" db:"created_at"`
-}
-
-// EmailTemplateSettings stores global email settings (logo, signature, etc.)
-type EmailTemplateSettings struct {
-	ID             uuid.UUID  `json:"id" db:"id"`
-	LogoURL        *string    `json:"logo_url" db:"logo_url"`
-	LogoBase64     *string    `json:"logo_base64" db:"logo_base64"` // For embedding in emails
-	CompanyName    string     `json:"company_name" db:"company_name"`
-	SenderName     string     `json:"sender_name" db:"sender_name"`
-	SenderEmail    string     `json:"sender_email" db:"sender_email"`
-	ReplyToEmail   *string    `json:"reply_to_email" db:"reply_to_email"`
-	FooterHTML     *string    `json:"footer_html" db:"footer_html"`
-	FooterText     *string    `json:"footer_text" db:"footer_text"`
-	PrimaryColor   string     `json:"primary_color" db:"primary_color"`     // Hex color
-	SecondaryColor string     `json:"secondary_color" db:"secondary_color"` // Hex color
-	UpdatedAt      time.Time  `json:"updated_at" db:"updated_at"`
-	UpdatedBy      *uuid.UUID `json:"updated_by" db:"updated_by"`
-}
-
-// ========================================
-// E-Mail Template DTOs
-// ========================================
-
-// CreateEmailTemplateRequest for creating a new email template type
-type CreateEmailTemplateRequest struct {
-	Type        string  `json:"type" binding:"required"`
-	Name        string  `json:"name" binding:"required"`
-	Description *string `json:"description"`
-}
-
-// CreateEmailTemplateVersionRequest for creating a new version of an email template
-type CreateEmailTemplateVersionRequest struct {
-	TemplateID string  `json:"template_id" binding:"required"`
-	Version    string  `json:"version" binding:"required"`
-	Language   string  `json:"language" binding:"required"`
-	Subject    string  `json:"subject" binding:"required"`
-	BodyHTML   string  `json:"body_html" binding:"required"`
-	BodyText   string  `json:"body_text" binding:"required"`
-	Summary    *string `json:"summary"`
-}
-
-// UpdateEmailTemplateVersionRequest for updating a version
-type UpdateEmailTemplateVersionRequest struct {
-	Subject  *string `json:"subject"`
-	BodyHTML *string `json:"body_html"`
-	BodyText *string `json:"body_text"`
-	Summary  *string `json:"summary"`
-	Status   *string `json:"status"`
-}
-
-// UpdateEmailTemplateSettingsRequest for updating global settings
-type UpdateEmailTemplateSettingsRequest struct {
-	LogoURL        *string `json:"logo_url"`
-	LogoBase64     *string `json:"logo_base64"`
-	CompanyName    *string `json:"company_name"`
-	SenderName     *string `json:"sender_name"`
-	SenderEmail    *string `json:"sender_email"`
-	ReplyToEmail   *string `json:"reply_to_email"`
-	FooterHTML     *string `json:"footer_html"`
-	FooterText     *string `json:"footer_text"`
-	PrimaryColor   *string `json:"primary_color"`
-	SecondaryColor *string `json:"secondary_color"`
-}
-
-// EmailTemplateWithVersion combines template info with its latest published version
-type EmailTemplateWithVersion struct {
-	Template      EmailTemplate         `json:"template"`
-	LatestVersion *EmailTemplateVersion `json:"latest_version,omitempty"`
-}
-
-// SendTestEmailRequest for sending a test email
-type SendTestEmailRequest struct {
-	VersionID string            `json:"version_id" binding:"required"`
-	Recipient string            `json:"recipient" binding:"required,email"`
-	Variables map[string]string `json:"variables"` // Template variable overrides
-}
-
-// EmailPreviewResponse for previewing an email
-type EmailPreviewResponse struct {
-	Subject  string `json:"subject"`
-	BodyHTML string `json:"body_html"`
-	BodyText string `json:"body_text"`
-}
-
-// EmailTemplateVariables defines available variables for each template type
-type EmailTemplateVariables struct {
-	TemplateType string   `json:"template_type"`
-	Variables    []string `json:"variables"`
-	Descriptions map[string]string `json:"descriptions"`
-}
-
-// EmailStats represents statistics about email sends
-type EmailStats struct {
-	TotalSent      int     `json:"total_sent"`
-	Delivered      int     `json:"delivered"`
-	Bounced        int     `json:"bounced"`
-	Failed         int     `json:"failed"`
-	DeliveryRate   float64 `json:"delivery_rate"`
-	RecentSent     int     `json:"recent_sent"` // Last 7 days
-}
-
-// ========================================
-// Phase 9: Schulverwaltung / School Management
-// Matrix-basierte Kommunikation für Schulen
-// ========================================
-
-// SchoolRole defines roles within the school system
-const (
-	SchoolRoleTeacher       = "teacher"
-	SchoolRoleClassTeacher  = "class_teacher"
-	SchoolRoleParent        = "parent"
-	SchoolRoleParentRep     = "parent_representative"
-	SchoolRoleStudent       = "student"
-	SchoolRoleAdmin         = "school_admin"
-	SchoolRolePrincipal     = "principal"
-	SchoolRoleSecretary     = "secretary"
-)
-
-// AttendanceStatus defines the status of student attendance
-const (
-	AttendancePresent           = "present"
-	AttendanceAbsent            = "absent"
-	AttendanceAbsentExcused     = "excused"
-	AttendanceAbsentUnexcused   = "unexcused"
-	AttendanceLate              = "late"
-	AttendanceLateExcused       = "late_excused"
-	AttendancePending           = "pending_confirmation"
-)
-
-// School represents a school/educational institution
-type School struct {
-	ID                 uuid.UUID  `json:"id" db:"id"`
-	Name               string     `json:"name" db:"name"`
-	ShortName          *string    `json:"short_name,omitempty" db:"short_name"`
-	Type               string     `json:"type" db:"type"` // 'grundschule', 'hauptschule', 'realschule', 'gymnasium', 'gesamtschule', 'berufsschule'
-	Address            *string    `json:"address,omitempty" db:"address"`
-	City               *string    `json:"city,omitempty" db:"city"`
-	PostalCode         *string    `json:"postal_code,omitempty" db:"postal_code"`
-	State              *string    `json:"state,omitempty" db:"state"` // Bundesland
-	Country            string     `json:"country" db:"country"`        // Default: DE
-	Phone              *string    `json:"phone,omitempty" db:"phone"`
-	Email              *string    `json:"email,omitempty" db:"email"`
-	Website            *string    `json:"website,omitempty" db:"website"`
-	MatrixServerName   *string    `json:"matrix_server_name,omitempty" db:"matrix_server_name"` // Optional: eigener Matrix-Server
-	LogoURL            *string    `json:"logo_url,omitempty" db:"logo_url"`
-	IsActive           bool       `json:"is_active" db:"is_active"`
-	CreatedAt          time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt          time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// SchoolYear represents an academic year
-type SchoolYear struct {
-	ID        uuid.UUID  `json:"id" db:"id"`
-	SchoolID  uuid.UUID  `json:"school_id" db:"school_id"`
-	Name      string     `json:"name" db:"name"` // e.g., "2024/2025"
-	StartDate time.Time  `json:"start_date" db:"start_date"`
-	EndDate   time.Time  `json:"end_date" db:"end_date"`
-	IsCurrent bool       `json:"is_current" db:"is_current"`
-	CreatedAt time.Time  `json:"created_at" db:"created_at"`
-}
-
-// Class represents a school class
-type Class struct {
-	ID             uuid.UUID  `json:"id" db:"id"`
-	SchoolID       uuid.UUID  `json:"school_id" db:"school_id"`
-	SchoolYearID   uuid.UUID  `json:"school_year_id" db:"school_year_id"`
-	Name           string     `json:"name" db:"name"`     // e.g., "5a", "10b"
-	Grade          int        `json:"grade" db:"grade"`   // Klassenstufe: 1-13
-	Section        *string    `json:"section,omitempty" db:"section"` // e.g., "a", "b", "c"
-	Room           *string    `json:"room,omitempty" db:"room"` // Klassenzimmer
-	MatrixInfoRoom *string    `json:"matrix_info_room,omitempty" db:"matrix_info_room"` // Broadcast-Raum
-	MatrixRepRoom  *string    `json:"matrix_rep_room,omitempty" db:"matrix_rep_room"`   // Elternvertreter-Raum
-	IsActive       bool       `json:"is_active" db:"is_active"`
-	CreatedAt      time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt      time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// Subject represents a school subject
-type Subject struct {
-	ID          uuid.UUID `json:"id" db:"id"`
-	SchoolID    uuid.UUID `json:"school_id" db:"school_id"`
-	Name        string    `json:"name" db:"name"`       // e.g., "Mathematik", "Deutsch"
-	ShortName   string    `json:"short_name" db:"short_name"` // e.g., "Ma", "De"
-	Color       *string   `json:"color,omitempty" db:"color"` // Hex color for display
-	IsActive    bool      `json:"is_active" db:"is_active"`
-	CreatedAt   time.Time `json:"created_at" db:"created_at"`
-}
-
-// Student represents a student
-type Student struct {
-	ID            uuid.UUID  `json:"id" db:"id"`
-	SchoolID      uuid.UUID  `json:"school_id" db:"school_id"`
-	ClassID       uuid.UUID  `json:"class_id" db:"class_id"`
-	UserID        *uuid.UUID `json:"user_id,omitempty" db:"user_id"` // Optional: linked account
-	StudentNumber *string    `json:"student_number,omitempty" db:"student_number"` // Internal ID
-	FirstName     string     `json:"first_name" db:"first_name"`
-	LastName      string     `json:"last_name" db:"last_name"`
-	DateOfBirth   *time.Time `json:"date_of_birth,omitempty" db:"date_of_birth"`
-	Gender        *string    `json:"gender,omitempty" db:"gender"` // 'm', 'f', 'd'
-	MatrixUserID  *string    `json:"matrix_user_id,omitempty" db:"matrix_user_id"`
-	MatrixDMRoom  *string    `json:"matrix_dm_room,omitempty" db:"matrix_dm_room"` // Kind-Dialograum
-	IsActive      bool       `json:"is_active" db:"is_active"`
-	CreatedAt     time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt     time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// Teacher represents a teacher
-type Teacher struct {
-	ID           uuid.UUID  `json:"id" db:"id"`
-	SchoolID     uuid.UUID  `json:"school_id" db:"school_id"`
-	UserID       uuid.UUID  `json:"user_id" db:"user_id"` // Linked user account
-	TeacherCode  *string    `json:"teacher_code,omitempty" db:"teacher_code"` // e.g., "MÜL" for Müller
-	Title        *string    `json:"title,omitempty" db:"title"` // e.g., "Dr.", "StR"
-	FirstName    string     `json:"first_name" db:"first_name"`
-	LastName     string     `json:"last_name" db:"last_name"`
-	MatrixUserID *string    `json:"matrix_user_id,omitempty" db:"matrix_user_id"`
-	IsActive     bool       `json:"is_active" db:"is_active"`
-	CreatedAt    time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt    time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// ClassTeacher assigns teachers to classes (Klassenlehrer)
-type ClassTeacher struct {
-	ID        uuid.UUID `json:"id" db:"id"`
-	ClassID   uuid.UUID `json:"class_id" db:"class_id"`
-	TeacherID uuid.UUID `json:"teacher_id" db:"teacher_id"`
-	IsPrimary bool      `json:"is_primary" db:"is_primary"` // Hauptklassenlehrer vs. Stellvertreter
-	CreatedAt time.Time `json:"created_at" db:"created_at"`
-}
-
-// TeacherSubject assigns subjects to teachers
-type TeacherSubject struct {
-	ID        uuid.UUID `json:"id" db:"id"`
-	TeacherID uuid.UUID `json:"teacher_id" db:"teacher_id"`
-	SubjectID uuid.UUID `json:"subject_id" db:"subject_id"`
-	CreatedAt time.Time `json:"created_at" db:"created_at"`
-}
-
-// Parent represents a parent/guardian
-type Parent struct {
-	ID           uuid.UUID  `json:"id" db:"id"`
-	UserID       uuid.UUID  `json:"user_id" db:"user_id"` // Linked user account
-	MatrixUserID *string    `json:"matrix_user_id,omitempty" db:"matrix_user_id"`
-	FirstName    string     `json:"first_name" db:"first_name"`
-	LastName     string     `json:"last_name" db:"last_name"`
-	Phone        *string    `json:"phone,omitempty" db:"phone"`
-	EmergencyContact bool   `json:"emergency_contact" db:"emergency_contact"`
-	CreatedAt    time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt    time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// StudentParent links students to their parents
-type StudentParent struct {
-	ID            uuid.UUID `json:"id" db:"id"`
-	StudentID     uuid.UUID `json:"student_id" db:"student_id"`
-	ParentID      uuid.UUID `json:"parent_id" db:"parent_id"`
-	Relationship  string    `json:"relationship" db:"relationship"` // 'mother', 'father', 'guardian', 'other'
-	IsPrimary     bool      `json:"is_primary" db:"is_primary"`     // Hauptansprechpartner
-	HasCustody    bool      `json:"has_custody" db:"has_custody"`   // Sorgeberechtigt
-	CreatedAt     time.Time `json:"created_at" db:"created_at"`
-}
-
-// ParentRepresentative assigns parent representatives to classes
-type ParentRepresentative struct {
-	ID        uuid.UUID `json:"id" db:"id"`
-	ClassID   uuid.UUID `json:"class_id" db:"class_id"`
-	ParentID  uuid.UUID `json:"parent_id" db:"parent_id"`
-	Role      string    `json:"role" db:"role"` // 'first_rep', 'second_rep', 'substitute'
-	ElectedAt time.Time `json:"elected_at" db:"elected_at"`
-	ExpiresAt *time.Time `json:"expires_at,omitempty" db:"expires_at"`
-	IsActive  bool      `json:"is_active" db:"is_active"`
-	CreatedAt time.Time `json:"created_at" db:"created_at"`
-}
-
-// ========================================
-// Stundenplan / Timetable
-// ========================================
-
-// TimetableSlot represents a time slot in the timetable
-type TimetableSlot struct {
-	ID        uuid.UUID `json:"id" db:"id"`
-	SchoolID  uuid.UUID `json:"school_id" db:"school_id"`
-	SlotNumber int      `json:"slot_number" db:"slot_number"` // 1, 2, 3... (Stunde)
-	StartTime string    `json:"start_time" db:"start_time"`   // "08:00"
-	EndTime   string    `json:"end_time" db:"end_time"`       // "08:45"
-	IsBreak   bool      `json:"is_break" db:"is_break"`       // Pause
-	Name      *string   `json:"name,omitempty" db:"name"`     // e.g., "1. Stunde", "Große Pause"
-}
-
-// TimetableEntry represents a single lesson in the timetable
-type TimetableEntry struct {
-	ID           uuid.UUID  `json:"id" db:"id"`
-	SchoolYearID uuid.UUID  `json:"school_year_id" db:"school_year_id"`
-	ClassID      uuid.UUID  `json:"class_id" db:"class_id"`
-	SubjectID    uuid.UUID  `json:"subject_id" db:"subject_id"`
-	TeacherID    uuid.UUID  `json:"teacher_id" db:"teacher_id"`
-	SlotID       uuid.UUID  `json:"slot_id" db:"slot_id"`
-	DayOfWeek    int        `json:"day_of_week" db:"day_of_week"` // 1=Monday, 5=Friday
-	Room         *string    `json:"room,omitempty" db:"room"`
-	ValidFrom    time.Time  `json:"valid_from" db:"valid_from"`
-	ValidUntil   *time.Time `json:"valid_until,omitempty" db:"valid_until"`
-	CreatedAt    time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt    time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// TimetableSubstitution represents a substitution/replacement lesson
-type TimetableSubstitution struct {
-	ID              uuid.UUID  `json:"id" db:"id"`
-	OriginalEntryID uuid.UUID  `json:"original_entry_id" db:"original_entry_id"`
-	Date            time.Time  `json:"date" db:"date"`
-	SubstituteTeacherID *uuid.UUID `json:"substitute_teacher_id,omitempty" db:"substitute_teacher_id"`
-	SubstituteSubjectID *uuid.UUID `json:"substitute_subject_id,omitempty" db:"substitute_subject_id"`
-	Room            *string    `json:"room,omitempty" db:"room"`
-	Type            string     `json:"type" db:"type"` // 'substitution', 'cancelled', 'room_change', 'supervision'
-	Note            *string    `json:"note,omitempty" db:"note"`
-	CreatedAt       time.Time  `json:"created_at" db:"created_at"`
-	CreatedBy       uuid.UUID  `json:"created_by" db:"created_by"`
-}
-
-// ========================================
-// Abwesenheit / Attendance
-// ========================================
-
-// AttendanceRecord represents a student's attendance for a specific lesson
-type AttendanceRecord struct {
-	ID               uuid.UUID  `json:"id" db:"id"`
-	StudentID        uuid.UUID  `json:"student_id" db:"student_id"`
-	TimetableEntryID *uuid.UUID `json:"timetable_entry_id,omitempty" db:"timetable_entry_id"`
-	Date             time.Time  `json:"date" db:"date"`
-	SlotID           uuid.UUID  `json:"slot_id" db:"slot_id"`
-	Status           string     `json:"status" db:"status"` // AttendanceStatus constants
-	RecordedBy       uuid.UUID  `json:"recorded_by" db:"recorded_by"` // Teacher who recorded
-	Note             *string    `json:"note,omitempty" db:"note"`
-	CreatedAt        time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt        time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// AbsenceReport represents a full absence report (one or more days)
-type AbsenceReport struct {
-	ID                 uuid.UUID  `json:"id" db:"id"`
-	StudentID          uuid.UUID  `json:"student_id" db:"student_id"`
-	StartDate          time.Time  `json:"start_date" db:"start_date"`
-	EndDate            time.Time  `json:"end_date" db:"end_date"`
-	Reason             *string    `json:"reason,omitempty" db:"reason"`
-	ReasonCategory     string     `json:"reason_category" db:"reason_category"` // 'illness', 'family', 'appointment', 'other'
-	Status             string     `json:"status" db:"status"` // 'reported', 'confirmed', 'excused', 'unexcused'
-	ReportedBy         uuid.UUID  `json:"reported_by" db:"reported_by"` // Parent or student
-	ReportedAt         time.Time  `json:"reported_at" db:"reported_at"`
-	ConfirmedBy        *uuid.UUID `json:"confirmed_by,omitempty" db:"confirmed_by"` // Teacher
-	ConfirmedAt        *time.Time `json:"confirmed_at,omitempty" db:"confirmed_at"`
-	MedicalCertificate bool       `json:"medical_certificate" db:"medical_certificate"` // Attestpflicht
-	CertificateUploaded bool      `json:"certificate_uploaded" db:"certificate_uploaded"`
-	MatrixNotificationSent bool   `json:"matrix_notification_sent" db:"matrix_notification_sent"`
-	EmailNotificationSent  bool   `json:"email_notification_sent" db:"email_notification_sent"`
-	CreatedAt          time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt          time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// AbsenceNotification tracks notifications sent to parents about absences
-type AbsenceNotification struct {
-	ID                uuid.UUID  `json:"id" db:"id"`
-	AttendanceRecordID uuid.UUID `json:"attendance_record_id" db:"attendance_record_id"`
-	ParentID          uuid.UUID  `json:"parent_id" db:"parent_id"`
-	Channel           string     `json:"channel" db:"channel"` // 'matrix', 'email', 'push'
-	MessageContent    string     `json:"message_content" db:"message_content"`
-	SentAt            *time.Time `json:"sent_at,omitempty" db:"sent_at"`
-	ReadAt            *time.Time `json:"read_at,omitempty" db:"read_at"`
-	ResponseReceived  bool       `json:"response_received" db:"response_received"`
-	ResponseContent   *string    `json:"response_content,omitempty" db:"response_content"`
-	ResponseAt        *time.Time `json:"response_at,omitempty" db:"response_at"`
-	CreatedAt         time.Time  `json:"created_at" db:"created_at"`
-}
-
-// ========================================
-// Notenspiegel / Grades
-// ========================================
-
-// GradeType defines the type of grade
-const (
-	GradeTypeExam         = "exam"           // Klassenarbeit/Klausur
-	GradeTypeTest         = "test"           // Test/Kurzarbeit
-	GradeTypeOral         = "oral"           // Mündlich
-	GradeTypeHomework     = "homework"       // Hausaufgabe
-	GradeTypeProject      = "project"        // Projekt
-	GradeTypeParticipation = "participation" // Mitarbeit
-	GradeTypeSemester     = "semester"       // Halbjahres-/Semesternote
-	GradeTypeFinal        = "final"          // Endnote/Zeugnisnote
-)
-
-// GradeScale represents the grading scale used
-type GradeScale struct {
-	ID          uuid.UUID `json:"id" db:"id"`
-	SchoolID    uuid.UUID `json:"school_id" db:"school_id"`
-	Name        string    `json:"name" db:"name"`     // e.g., "1-6", "Punkte 0-15"
-	MinValue    float64   `json:"min_value" db:"min_value"` // e.g., 1 or 0
-	MaxValue    float64   `json:"max_value" db:"max_value"` // e.g., 6 or 15
-	PassingValue float64  `json:"passing_value" db:"passing_value"` // e.g., 4 or 5
-	IsAscending bool      `json:"is_ascending" db:"is_ascending"` // true: higher=better (Punkte), false: lower=better (Noten)
-	IsDefault   bool      `json:"is_default" db:"is_default"`
-	CreatedAt   time.Time `json:"created_at" db:"created_at"`
-}
-
-// Grade represents a single grade for a student
-type Grade struct {
-	ID           uuid.UUID  `json:"id" db:"id"`
-	StudentID    uuid.UUID  `json:"student_id" db:"student_id"`
-	SubjectID    uuid.UUID  `json:"subject_id" db:"subject_id"`
-	TeacherID    uuid.UUID  `json:"teacher_id" db:"teacher_id"`
-	SchoolYearID uuid.UUID  `json:"school_year_id" db:"school_year_id"`
-	GradeScaleID uuid.UUID  `json:"grade_scale_id" db:"grade_scale_id"`
-	Type         string     `json:"type" db:"type"` // GradeType constants
-	Value        float64    `json:"value" db:"value"`
-	Weight       float64    `json:"weight" db:"weight"` // Gewichtung: 1.0, 2.0, 0.5
-	Date         time.Time  `json:"date" db:"date"`
-	Title        *string    `json:"title,omitempty" db:"title"` // e.g., "1. Klassenarbeit"
-	Description  *string    `json:"description,omitempty" db:"description"`
-	IsVisible    bool       `json:"is_visible" db:"is_visible"` // Für Eltern/Schüler sichtbar
-	Semester     int        `json:"semester" db:"semester"` // 1 or 2
-	CreatedAt    time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt    time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// GradeComment represents a teacher comment on a student's grade
-type GradeComment struct {
-	ID        uuid.UUID `json:"id" db:"id"`
-	GradeID   uuid.UUID `json:"grade_id" db:"grade_id"`
-	TeacherID uuid.UUID `json:"teacher_id" db:"teacher_id"`
-	Comment   string    `json:"comment" db:"comment"`
-	IsPrivate bool      `json:"is_private" db:"is_private"` // Only visible to teachers
-	CreatedAt time.Time `json:"created_at" db:"created_at"`
-}
-
-// ========================================
-// Klassenbuch / Class Diary
-// ========================================
-
-// ClassDiaryEntry represents an entry in the digital class diary
-type ClassDiaryEntry struct {
-	ID               uuid.UUID  `json:"id" db:"id"`
-	ClassID          uuid.UUID  `json:"class_id" db:"class_id"`
-	Date             time.Time  `json:"date" db:"date"`
-	SlotID           uuid.UUID  `json:"slot_id" db:"slot_id"`
-	SubjectID        uuid.UUID  `json:"subject_id" db:"subject_id"`
-	TeacherID        uuid.UUID  `json:"teacher_id" db:"teacher_id"`
-	Topic            *string    `json:"topic,omitempty" db:"topic"`         // Unterrichtsthema
-	Homework         *string    `json:"homework,omitempty" db:"homework"`   // Hausaufgabe
-	HomeworkDueDate  *time.Time `json:"homework_due_date,omitempty" db:"homework_due_date"`
-	Materials        *string    `json:"materials,omitempty" db:"materials"` // Benötigte Materialien
-	Notes            *string    `json:"notes,omitempty" db:"notes"`         // Besondere Vorkommnisse
-	IsCancelled      bool       `json:"is_cancelled" db:"is_cancelled"`
-	CancellationReason *string  `json:"cancellation_reason,omitempty" db:"cancellation_reason"`
-	CreatedAt        time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt        time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// ========================================
-// Elterngespräche / Parent Meetings
-// ========================================
-
-// ParentMeetingSlot represents available time slots for parent meetings
-type ParentMeetingSlot struct {
-	ID          uuid.UUID  `json:"id" db:"id"`
-	TeacherID   uuid.UUID  `json:"teacher_id" db:"teacher_id"`
-	Date        time.Time  `json:"date" db:"date"`
-	StartTime   string     `json:"start_time" db:"start_time"` // "14:00"
-	EndTime     string     `json:"end_time" db:"end_time"`     // "14:15"
-	Location    *string    `json:"location,omitempty" db:"location"` // Room or "Online"
-	IsOnline    bool       `json:"is_online" db:"is_online"`
-	MeetingLink *string    `json:"meeting_link,omitempty" db:"meeting_link"`
-	IsBooked    bool       `json:"is_booked" db:"is_booked"`
-	CreatedAt   time.Time  `json:"created_at" db:"created_at"`
-}
-
-// ParentMeeting represents a booked parent-teacher meeting
-type ParentMeeting struct {
-	ID           uuid.UUID  `json:"id" db:"id"`
-	SlotID       uuid.UUID  `json:"slot_id" db:"slot_id"`
-	ParentID     uuid.UUID  `json:"parent_id" db:"parent_id"`
-	StudentID    uuid.UUID  `json:"student_id" db:"student_id"`
-	Topic        *string    `json:"topic,omitempty" db:"topic"`
-	Notes        *string    `json:"notes,omitempty" db:"notes"` // Teacher notes (private)
-	Status       string     `json:"status" db:"status"` // 'scheduled', 'completed', 'cancelled', 'no_show'
-	CancelledAt  *time.Time `json:"cancelled_at,omitempty" db:"cancelled_at"`
-	CancelledBy  *uuid.UUID `json:"cancelled_by,omitempty" db:"cancelled_by"`
-	CancelReason *string    `json:"cancel_reason,omitempty" db:"cancel_reason"`
-	CompletedAt  *time.Time `json:"completed_at,omitempty" db:"completed_at"`
-	CreatedAt    time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt    time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// ========================================
-// Matrix / Communication Integration
-// ========================================
-
-// MatrixRoom tracks Matrix rooms created for school communication
-type MatrixRoom struct {
-	ID          uuid.UUID  `json:"id" db:"id"`
-	SchoolID    uuid.UUID  `json:"school_id" db:"school_id"`
-	MatrixRoomID string    `json:"matrix_room_id" db:"matrix_room_id"` // e.g., "!abc123:breakpilot.local"
-	Type        string     `json:"type" db:"type"` // 'class_info', 'class_rep', 'student_dm', 'teacher_dm', 'announcement'
-	ClassID     *uuid.UUID `json:"class_id,omitempty" db:"class_id"`
-	StudentID   *uuid.UUID `json:"student_id,omitempty" db:"student_id"`
-	Name        string     `json:"name" db:"name"`
-	IsEncrypted bool       `json:"is_encrypted" db:"is_encrypted"`
-	CreatedAt   time.Time  `json:"created_at" db:"created_at"`
-}
-
-// MatrixRoomMember tracks membership in Matrix rooms
-type MatrixRoomMember struct {
-	ID            uuid.UUID  `json:"id" db:"id"`
-	MatrixRoomID  uuid.UUID  `json:"matrix_room_id" db:"matrix_room_id"` // FK to MatrixRoom
-	MatrixUserID  string     `json:"matrix_user_id" db:"matrix_user_id"` // e.g., "@user:breakpilot.local"
-	UserID        *uuid.UUID `json:"user_id,omitempty" db:"user_id"` // FK to User (if known)
-	PowerLevel    int        `json:"power_level" db:"power_level"` // Matrix power level (0, 50, 100)
-	CanWrite      bool       `json:"can_write" db:"can_write"`
-	JoinedAt      time.Time  `json:"joined_at" db:"joined_at"`
-	LeftAt        *time.Time `json:"left_at,omitempty" db:"left_at"`
-}
-
-// ParentOnboardingToken for QR-code based parent onboarding
-type ParentOnboardingToken struct {
-	ID           uuid.UUID  `json:"id" db:"id"`
-	SchoolID     uuid.UUID  `json:"school_id" db:"school_id"`
-	ClassID      uuid.UUID  `json:"class_id" db:"class_id"`
-	StudentID    uuid.UUID  `json:"student_id" db:"student_id"`
-	Token        string     `json:"token" db:"token"` // Unique token for QR code
-	Role         string     `json:"role" db:"role"` // 'parent' or 'parent_representative'
-	ExpiresAt    time.Time  `json:"expires_at" db:"expires_at"`
-	UsedAt       *time.Time `json:"used_at,omitempty" db:"used_at"`
-	UsedByUserID *uuid.UUID `json:"used_by_user_id,omitempty" db:"used_by_user_id"`
-	CreatedAt    time.Time  `json:"created_at" db:"created_at"`
-	CreatedBy    uuid.UUID  `json:"created_by" db:"created_by"` // Teacher who created
-}
-
-// ========================================
-// Schulverwaltung DTOs
-// ========================================
-
-// CreateSchoolRequest for creating a new school
-type CreateSchoolRequest struct {
-	Name      string  `json:"name" binding:"required"`
-	ShortName *string `json:"short_name"`
-	Type      string  `json:"type" binding:"required"`
-	Address   *string `json:"address"`
-	City      *string `json:"city"`
-	PostalCode *string `json:"postal_code"`
-	State     *string `json:"state"`
-	Phone     *string `json:"phone"`
-	Email     *string `json:"email"`
-	Website   *string `json:"website"`
-}
-
-// CreateClassRequest for creating a new class
-type CreateClassRequest struct {
-	SchoolYearID string  `json:"school_year_id" binding:"required"`
-	Name         string  `json:"name" binding:"required"`
-	Grade        int     `json:"grade" binding:"required"`
-	Section      *string `json:"section"`
-	Room         *string `json:"room"`
-}
-
-// CreateStudentRequest for creating a new student
-type CreateStudentRequest struct {
-	ClassID       string  `json:"class_id" binding:"required"`
-	StudentNumber *string `json:"student_number"`
-	FirstName     string  `json:"first_name" binding:"required"`
-	LastName      string  `json:"last_name" binding:"required"`
-	DateOfBirth   *string `json:"date_of_birth"` // ISO 8601
-	Gender        *string `json:"gender"`
-}
-
-// RecordAttendanceRequest for recording attendance
-type RecordAttendanceRequest struct {
-	StudentID string `json:"student_id" binding:"required"`
-	Date      string `json:"date" binding:"required"` // ISO 8601
-	SlotID    string `json:"slot_id" binding:"required"`
-	Status    string `json:"status" binding:"required"` // AttendanceStatus
-	Note      *string `json:"note"`
-}
-
-// ReportAbsenceRequest for parents reporting absence
-type ReportAbsenceRequest struct {
-	StudentID      string  `json:"student_id" binding:"required"`
-	StartDate      string  `json:"start_date" binding:"required"` // ISO 8601
-	EndDate        string  `json:"end_date" binding:"required"`   // ISO 8601
-	Reason         *string `json:"reason"`
-	ReasonCategory string  `json:"reason_category" binding:"required"`
-}
-
-// CreateGradeRequest for creating a grade
-type CreateGradeRequest struct {
-	StudentID    string  `json:"student_id" binding:"required"`
-	SubjectID    string  `json:"subject_id" binding:"required"`
-	SchoolYearID string  `json:"school_year_id" binding:"required"`
-	Type         string  `json:"type" binding:"required"` // GradeType
-	Value        float64 `json:"value" binding:"required"`
-	Weight       float64 `json:"weight"`
-	Date         string  `json:"date" binding:"required"` // ISO 8601
-	Title        *string `json:"title"`
-	Description  *string `json:"description"`
-	Semester     int     `json:"semester" binding:"required"`
-}
-
-// StudentGradeOverview provides a summary of all grades for a student in a subject
-type StudentGradeOverview struct {
-	Student     Student   `json:"student"`
-	Subject     Subject   `json:"subject"`
-	Grades      []Grade   `json:"grades"`
-	Average     float64   `json:"average"`
-	OralAverage float64   `json:"oral_average"`
-	ExamAverage float64   `json:"exam_average"`
-	Semester    int       `json:"semester"`
-}
-
-// ClassAttendanceOverview provides attendance summary for a class
-type ClassAttendanceOverview struct {
-	Class           Class      `json:"class"`
-	Date            time.Time  `json:"date"`
-	TotalStudents   int        `json:"total_students"`
-	PresentCount    int        `json:"present_count"`
-	AbsentCount     int        `json:"absent_count"`
-	LateCount       int        `json:"late_count"`
-	Records         []AttendanceRecord `json:"records"`
-}
-
-// ParentDashboard provides a parent's view of their children's data
-type ParentDashboard struct {
-	Children        []StudentOverview `json:"children"`
-	UnreadMessages  int               `json:"unread_messages"`
-	UpcomingMeetings []ParentMeeting  `json:"upcoming_meetings"`
-	RecentGrades    []Grade           `json:"recent_grades"`
-	PendingActions  []string          `json:"pending_actions"` // e.g., "Entschuldigung ausstehend"
-}
-
-// StudentOverview provides summary info about a student
-type StudentOverview struct {
-	Student          Student  `json:"student"`
-	Class            Class    `json:"class"`
-	ClassTeacher     *Teacher `json:"class_teacher,omitempty"`
-	AttendanceRate   float64  `json:"attendance_rate"` // Percentage
-	UnexcusedAbsences int     `json:"unexcused_absences"`
-	GradeAverage     float64  `json:"grade_average"`
-}
-
-// TimetableView provides a formatted timetable for display
-type TimetableView struct {
-	Class      Class              `json:"class"`
-	Week       string             `json:"week"` // ISO week: "2025-W01"
-	Days       []TimetableDayView `json:"days"`
-}
-
-// TimetableDayView represents a single day in the timetable
-type TimetableDayView struct {
-	Date    time.Time           `json:"date"`
-	DayName string              `json:"day_name"` // "Montag"
-	Lessons []TimetableLessonView `json:"lessons"`
-}
-
-// TimetableLessonView represents a single lesson in the timetable view
-type TimetableLessonView struct {
-	Slot        TimetableSlot `json:"slot"`
-	Subject     *Subject      `json:"subject,omitempty"`
-	Teacher     *Teacher      `json:"teacher,omitempty"`
-	Room        *string       `json:"room,omitempty"`
-	IsSubstitution bool       `json:"is_substitution"`
-	IsCancelled    bool       `json:"is_cancelled"`
-	Note           *string    `json:"note,omitempty"`
-}
-
-// ========================================
-// Phase 10: DSGVO Betroffenenanfragen (DSR)
-// Data Subject Request Management
-// Art. 15, 16, 17, 18, 20 DSGVO
-// ========================================
-
-// DSRRequestType defines the GDPR article for the request
-type DSRRequestType string
-
-const (
-	DSRTypeAccess       DSRRequestType = "access"       // Art. 15 - Auskunftsrecht
-	DSRTypeRectification DSRRequestType = "rectification" // Art. 16 - Berichtigungsrecht
-	DSRTypeErasure      DSRRequestType = "erasure"      // Art. 17 - Löschungsrecht
-	DSRTypeRestriction  DSRRequestType = "restriction"  // Art. 18 - Einschränkungsrecht
-	DSRTypePortability  DSRRequestType = "portability"  // Art. 20 - Datenübertragbarkeit
-)
-
-// DSRStatus defines the workflow state of a DSR
-type DSRStatus string
-
-const (
-	DSRStatusIntake              DSRStatus = "intake"                // Eingegangen
-	DSRStatusIdentityVerification DSRStatus = "identity_verification" // Identitätsprüfung
-	DSRStatusProcessing          DSRStatus = "processing"            // In Bearbeitung
-	DSRStatusCompleted           DSRStatus = "completed"             // Abgeschlossen
-	DSRStatusRejected            DSRStatus = "rejected"              // Abgelehnt
-	DSRStatusCancelled           DSRStatus = "cancelled"             // Storniert
-)
-
-// DSRPriority defines the priority level of a DSR
-type DSRPriority string
-
-const (
-	DSRPriorityNormal   DSRPriority = "normal"
-	DSRPriorityExpedited DSRPriority = "expedited" // Art. 16, 17, 18 - beschleunigt
-	DSRPriorityUrgent   DSRPriority = "urgent"
-)
-
-// DSRSource defines where the request came from
-type DSRSource string
-
-const (
-	DSRSourceAPI        DSRSource = "api"         // Über API/Self-Service
-	DSRSourceAdminPanel DSRSource = "admin_panel" // Manuell im Admin
-	DSRSourceEmail      DSRSource = "email"       // Per E-Mail
-	DSRSourcePostal     DSRSource = "postal"      // Per Post
-)
-
-// DataSubjectRequest represents a GDPR data subject request
-type DataSubjectRequest struct {
-	ID                       uuid.UUID              `json:"id" db:"id"`
-	UserID                   *uuid.UUID             `json:"user_id,omitempty" db:"user_id"`
-	RequestNumber            string                 `json:"request_number" db:"request_number"`
-	RequestType              DSRRequestType         `json:"request_type" db:"request_type"`
-	Status                   DSRStatus              `json:"status" db:"status"`
-	Priority                 DSRPriority            `json:"priority" db:"priority"`
-	Source                   DSRSource              `json:"source" db:"source"`
-	RequesterEmail           string                 `json:"requester_email" db:"requester_email"`
-	RequesterName            *string                `json:"requester_name,omitempty" db:"requester_name"`
-	RequesterPhone           *string                `json:"requester_phone,omitempty" db:"requester_phone"`
-	IdentityVerified         bool                   `json:"identity_verified" db:"identity_verified"`
-	IdentityVerifiedAt       *time.Time             `json:"identity_verified_at,omitempty" db:"identity_verified_at"`
-	IdentityVerifiedBy       *uuid.UUID             `json:"identity_verified_by,omitempty" db:"identity_verified_by"`
-	IdentityVerificationMethod *string              `json:"identity_verification_method,omitempty" db:"identity_verification_method"`
-	RequestDetails           map[string]interface{} `json:"request_details" db:"request_details"`
-	DeadlineAt               time.Time              `json:"deadline_at" db:"deadline_at"`
-	LegalDeadlineDays        int                    `json:"legal_deadline_days" db:"legal_deadline_days"`
-	ExtendedDeadlineAt       *time.Time             `json:"extended_deadline_at,omitempty" db:"extended_deadline_at"`
-	ExtensionReason          *string                `json:"extension_reason,omitempty" db:"extension_reason"`
-	AssignedTo               *uuid.UUID             `json:"assigned_to,omitempty" db:"assigned_to"`
-	ProcessingNotes          *string                `json:"processing_notes,omitempty" db:"processing_notes"`
-	CompletedAt              *time.Time             `json:"completed_at,omitempty" db:"completed_at"`
-	CompletedBy              *uuid.UUID             `json:"completed_by,omitempty" db:"completed_by"`
-	ResultSummary            *string                `json:"result_summary,omitempty" db:"result_summary"`
-	ResultData               map[string]interface{} `json:"result_data,omitempty" db:"result_data"`
-	RejectedAt               *time.Time             `json:"rejected_at,omitempty" db:"rejected_at"`
-	RejectedBy               *uuid.UUID             `json:"rejected_by,omitempty" db:"rejected_by"`
-	RejectionReason          *string                `json:"rejection_reason,omitempty" db:"rejection_reason"`
-	RejectionLegalBasis      *string                `json:"rejection_legal_basis,omitempty" db:"rejection_legal_basis"`
-	CreatedAt                time.Time              `json:"created_at" db:"created_at"`
-	UpdatedAt                time.Time              `json:"updated_at" db:"updated_at"`
-	CreatedBy                *uuid.UUID             `json:"created_by,omitempty" db:"created_by"`
-}
-
-// DSRStatusHistory tracks status changes for audit trail
-type DSRStatusHistory struct {
-	ID         uuid.UUID              `json:"id" db:"id"`
-	RequestID  uuid.UUID              `json:"request_id" db:"request_id"`
-	FromStatus *DSRStatus             `json:"from_status,omitempty" db:"from_status"`
-	ToStatus   DSRStatus              `json:"to_status" db:"to_status"`
-	ChangedBy  *uuid.UUID             `json:"changed_by,omitempty" db:"changed_by"`
-	Comment    *string                `json:"comment,omitempty" db:"comment"`
-	Metadata   map[string]interface{} `json:"metadata,omitempty" db:"metadata"`
-	CreatedAt  time.Time              `json:"created_at" db:"created_at"`
-}
-
-// DSRCommunication tracks all communications related to a DSR
-type DSRCommunication struct {
-	ID                 uuid.UUID              `json:"id" db:"id"`
-	RequestID          uuid.UUID              `json:"request_id" db:"request_id"`
-	Direction          string                 `json:"direction" db:"direction"` // 'outbound', 'inbound'
-	Channel            string                 `json:"channel" db:"channel"`     // 'email', 'in_app', 'postal'
-	CommunicationType  string                 `json:"communication_type" db:"communication_type"` // Template type used
-	TemplateVersionID  *uuid.UUID             `json:"template_version_id,omitempty" db:"template_version_id"`
-	Subject            *string                `json:"subject,omitempty" db:"subject"`
-	BodyHTML           *string                `json:"body_html,omitempty" db:"body_html"`
-	BodyText           *string                `json:"body_text,omitempty" db:"body_text"`
-	RecipientEmail     *string                `json:"recipient_email,omitempty" db:"recipient_email"`
-	SentAt             *time.Time             `json:"sent_at,omitempty" db:"sent_at"`
-	ErrorMessage       *string                `json:"error_message,omitempty" db:"error_message"`
-	Attachments        []map[string]interface{} `json:"attachments,omitempty" db:"attachments"`
-	CreatedAt          time.Time              `json:"created_at" db:"created_at"`
-	CreatedBy          *uuid.UUID             `json:"created_by,omitempty" db:"created_by"`
-}
-
-// DSRTemplate represents a template type for DSR communications
-type DSRTemplate struct {
-	ID           uuid.UUID `json:"id" db:"id"`
-	TemplateType string    `json:"template_type" db:"template_type"`
-	Name         string    `json:"name" db:"name"`
-	Description  *string   `json:"description,omitempty" db:"description"`
-	RequestTypes []string  `json:"request_types" db:"request_types"` // Which DSR types use this template
-	IsActive     bool      `json:"is_active" db:"is_active"`
-	SortOrder    int       `json:"sort_order" db:"sort_order"`
-	CreatedAt    time.Time `json:"created_at" db:"created_at"`
-	UpdatedAt    time.Time `json:"updated_at" db:"updated_at"`
-}
-
-// DSRTemplateVersion represents a versioned template for DSR communications
-type DSRTemplateVersion struct {
-	ID           uuid.UUID  `json:"id" db:"id"`
-	TemplateID   uuid.UUID  `json:"template_id" db:"template_id"`
-	Version      string     `json:"version" db:"version"`
-	Language     string     `json:"language" db:"language"`
-	Subject      string     `json:"subject" db:"subject"`
-	BodyHTML     string     `json:"body_html" db:"body_html"`
-	BodyText     string     `json:"body_text" db:"body_text"`
-	Status       string     `json:"status" db:"status"` // draft, review, approved, published, archived
-	PublishedAt  *time.Time `json:"published_at,omitempty" db:"published_at"`
-	CreatedBy    *uuid.UUID `json:"created_by,omitempty" db:"created_by"`
-	ApprovedBy   *uuid.UUID `json:"approved_by,omitempty" db:"approved_by"`
-	ApprovedAt   *time.Time `json:"approved_at,omitempty" db:"approved_at"`
-	CreatedAt    time.Time  `json:"created_at" db:"created_at"`
-	UpdatedAt    time.Time  `json:"updated_at" db:"updated_at"`
-}
-
-// DSRExceptionCheck tracks Art. 17(3) exception evaluations for erasure requests
-type DSRExceptionCheck struct {
-	ID            uuid.UUID  `json:"id" db:"id"`
-	RequestID     uuid.UUID  `json:"request_id" db:"request_id"`
-	ExceptionType string     `json:"exception_type" db:"exception_type"` // Type of exception (Art. 17(3) a-e)
-	Description   string     `json:"description" db:"description"`
-	Applies       *bool      `json:"applies,omitempty" db:"applies"` // nil = not checked, true/false = result
-	CheckedBy     *uuid.UUID `json:"checked_by,omitempty" db:"checked_by"`
-	CheckedAt     *time.Time `json:"checked_at,omitempty" db:"checked_at"`
-	Notes         *string    `json:"notes,omitempty" db:"notes"`
-	CreatedAt     time.Time  `json:"created_at" db:"created_at"`
-}
-
-// Art. 17(3) Exception Types
-const (
-	DSRExceptionFreedomExpression = "freedom_expression" // Art. 17(3)(a)
-	DSRExceptionLegalObligation   = "legal_obligation"   // Art. 17(3)(b)
-	DSRExceptionPublicInterest    = "public_interest"    // Art. 17(3)(c)
-	DSRExceptionPublicHealth      = "public_health"      // Art. 17(3)(c)
-	DSRExceptionArchiving         = "archiving"          // Art. 17(3)(d)
-	DSRExceptionLegalClaims       = "legal_claims"       // Art. 17(3)(e)
-)
-
-// ========================================
-// DSR DTOs (Data Transfer Objects)
-// ========================================
-
-// CreateDSRRequest for creating a new data subject request
-type CreateDSRRequest struct {
-	RequestType    string                 `json:"request_type" binding:"required"`
-	RequesterEmail string                 `json:"requester_email" binding:"required,email"`
-	RequesterName  *string                `json:"requester_name"`
-	RequesterPhone *string                `json:"requester_phone"`
-	Source         string                 `json:"source"`
-	RequestDetails map[string]interface{} `json:"request_details"`
-	Priority       string                 `json:"priority"`
-}
-
-// UpdateDSRRequest for updating a DSR
-type UpdateDSRRequest struct {
-	Status            *string                `json:"status"`
-	AssignedTo        *string                `json:"assigned_to"` // UUID string
-	ProcessingNotes   *string                `json:"processing_notes"`
-	ExtendDeadline    *bool                  `json:"extend_deadline"`
-	ExtensionReason   *string                `json:"extension_reason"`
-	RequestDetails    map[string]interface{} `json:"request_details"`
-	Priority          *string                `json:"priority"`
-}
-
-// VerifyDSRIdentityRequest for verifying identity of requester
-type VerifyDSRIdentityRequest struct {
-	Method  string  `json:"method" binding:"required"` // email_confirmation, id_document, in_person
-	Comment *string `json:"comment"`
-}
-
-// CompleteDSRRequest for completing a DSR
-type CompleteDSRRequest struct {
-	ResultSummary string                 `json:"result_summary" binding:"required"`
-	ResultData    map[string]interface{} `json:"result_data"`
-}
-
-// RejectDSRRequest for rejecting a DSR
-type RejectDSRRequest struct {
-	Reason     string `json:"reason" binding:"required"`
-	LegalBasis string `json:"legal_basis" binding:"required"` // Art. 12(5), Art. 17(3)(a-e), etc.
-}
-
-// ExtendDSRDeadlineRequest for extending a DSR deadline
-type ExtendDSRDeadlineRequest struct {
-	Reason string `json:"reason" binding:"required"`
-	Days   int    `json:"days"` // Optional: custom extension days
-}
-
-// AssignDSRRequest for assigning a DSR to a handler
-type AssignDSRRequest struct {
-	AssigneeID string  `json:"assignee_id" binding:"required"`
-	Comment    *string `json:"comment"`
-}
-
-// SendDSRCommunicationRequest for sending a communication
-type SendDSRCommunicationRequest struct {
-	CommunicationType string            `json:"communication_type" binding:"required"`
-	TemplateVersionID *string           `json:"template_version_id"`
-	CustomSubject     *string           `json:"custom_subject"`
-	CustomBody        *string           `json:"custom_body"`
-	Variables         map[string]string `json:"variables"`
-}
-
-// UpdateDSRExceptionCheckRequest for updating an exception check
-type UpdateDSRExceptionCheckRequest struct {
-	Applies bool    `json:"applies"`
-	Notes   *string `json:"notes"`
-}
-
-// DSRListFilters for filtering DSR list
-type DSRListFilters struct {
-	Status       *string    `form:"status"`
-	RequestType  *string    `form:"request_type"`
-	AssignedTo   *string    `form:"assigned_to"`
-	Priority     *string    `form:"priority"`
-	OverdueOnly  bool       `form:"overdue_only"`
-	FromDate     *time.Time `form:"from_date"`
-	ToDate       *time.Time `form:"to_date"`
-	Search       *string    `form:"search"` // Search in request number, email, name
-}
-
-// DSRDashboardStats for the admin dashboard
-type DSRDashboardStats struct {
-	TotalRequests        int                      `json:"total_requests"`
-	PendingRequests      int                      `json:"pending_requests"`
-	OverdueRequests      int                      `json:"overdue_requests"`
-	CompletedThisMonth   int                      `json:"completed_this_month"`
-	AverageProcessingDays float64                 `json:"average_processing_days"`
-	ByType               map[string]int           `json:"by_type"`
-	ByStatus             map[string]int           `json:"by_status"`
-	UpcomingDeadlines    []DataSubjectRequest     `json:"upcoming_deadlines"`
-}
-
-// DSRWithDetails combines DSR with related data
-type DSRWithDetails struct {
-	Request        DataSubjectRequest  `json:"request"`
-	StatusHistory  []DSRStatusHistory  `json:"status_history"`
-	Communications []DSRCommunication  `json:"communications"`
-	ExceptionChecks []DSRExceptionCheck `json:"exception_checks,omitempty"`
-	AssigneeName   *string             `json:"assignee_name,omitempty"`
-	CreatorName    *string             `json:"creator_name,omitempty"`
-}
-
-// DSRTemplateWithVersions combines template with versions
-type DSRTemplateWithVersions struct {
-	Template       DSRTemplate          `json:"template"`
-	LatestVersion  *DSRTemplateVersion  `json:"latest_version,omitempty"`
-	Versions       []DSRTemplateVersion `json:"versions,omitempty"`
-}
-
-// CreateDSRTemplateVersionRequest for creating a template version
-type CreateDSRTemplateVersionRequest struct {
-	TemplateID string  `json:"template_id" binding:"required"`
-	Version    string  `json:"version" binding:"required"`
-	Language   string  `json:"language" binding:"required"`
-	Subject    string  `json:"subject" binding:"required"`
-	BodyHTML   string  `json:"body_html" binding:"required"`
-	BodyText   string  `json:"body_text" binding:"required"`
-}
-
-// UpdateDSRTemplateVersionRequest for updating a template version
-type UpdateDSRTemplateVersionRequest struct {
-	Subject  *string `json:"subject"`
-	BodyHTML *string `json:"body_html"`
-	BodyText *string `json:"body_text"`
-	Status   *string `json:"status"`
-}
-
-// PreviewDSRTemplateRequest for previewing a template with variables
-type PreviewDSRTemplateRequest struct {
-	Variables map[string]string `json:"variables"`
-}
-
-// DSRTemplatePreviewResponse for template preview
-type DSRTemplatePreviewResponse struct {
-	Subject  string `json:"subject"`
-	BodyHTML string `json:"body_html"`
-	BodyText string `json:"body_text"`
-}
-
-// GetRequestTypeLabel returns German label for request type
-func (rt DSRRequestType) Label() string {
-	switch rt {
-	case DSRTypeAccess:
-		return "Auskunftsanfrage (Art. 15)"
-	case DSRTypeRectification:
-		return "Berichtigungsanfrage (Art. 16)"
-	case DSRTypeErasure:
-		return "Löschanfrage (Art. 17)"
-	case DSRTypeRestriction:
-		return "Einschränkungsanfrage (Art. 18)"
-	case DSRTypePortability:
-		return "Datenübertragung (Art. 20)"
-	default:
-		return string(rt)
-	}
-}
-
-// GetDeadlineDays returns the legal deadline in days for request type
-func (rt DSRRequestType) DeadlineDays() int {
-	switch rt {
-	case DSRTypeAccess, DSRTypePortability:
-		return 30 // 1 month
-	case DSRTypeRectification, DSRTypeErasure, DSRTypeRestriction:
-		return 14 // 2 weeks (expedited per BDSG)
-	default:
-		return 30
-	}
-}
-
-// IsExpedited returns whether this request type should be processed expeditiously
-func (rt DSRRequestType) IsExpedited() bool {
-	switch rt {
-	case DSRTypeRectification, DSRTypeErasure, DSRTypeRestriction:
-		return true
-	default:
-		return false
-	}
-}
-
-// GetStatusLabel returns German label for status
-func (s DSRStatus) Label() string {
-	switch s {
-	case DSRStatusIntake:
-		return "Eingang"
-	case DSRStatusIdentityVerification:
-		return "Identitätsprüfung"
-	case DSRStatusProcessing:
-		return "In Bearbeitung"
-	case DSRStatusCompleted:
-		return "Abgeschlossen"
-	case DSRStatusRejected:
-		return "Abgelehnt"
-	case DSRStatusCancelled:
-		return "Storniert"
-	default:
-		return string(s)
-	}
-}
-
-// IsValidDSRRequestType checks if a string is a valid DSR request type
-func IsValidDSRRequestType(reqType string) bool {
-	switch DSRRequestType(reqType) {
-	case DSRTypeAccess, DSRTypeRectification, DSRTypeErasure, DSRTypeRestriction, DSRTypePortability:
-		return true
-	default:
-		return false
-	}
-}
-
-// IsValidDSRStatus checks if a string is a valid DSR status
-func IsValidDSRStatus(status string) bool {
-	switch DSRStatus(status) {
-	case DSRStatusIntake, DSRStatusIdentityVerification, DSRStatusProcessing,
-		DSRStatusCompleted, DSRStatusRejected, DSRStatusCancelled:
-		return true
-	default:
-		return false
-	}
-}
diff --git a/consent-service/internal/models/oauth.go b/consent-service/internal/models/oauth.go
new file mode 100644
index 0000000..a5f8f4c
--- /dev/null
+++ b/consent-service/internal/models/oauth.go
@@ -0,0 +1,103 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// OAuthClient represents a registered OAuth 2.0 client application
+type OAuthClient struct {
+	ID           uuid.UUID  `json:"id" db:"id"`
+	ClientID     string     `json:"client_id" db:"client_id"`
+	ClientSecret string     `json:"-" db:"client_secret"` // Never expose in JSON
+	Name         string     `json:"name" db:"name"`
+	Description  *string    `json:"description,omitempty" db:"description"`
+	RedirectURIs []string   `json:"redirect_uris" db:"redirect_uris"` // JSON array
+	Scopes       []string   `json:"scopes" db:"scopes"`               // Allowed scopes
+	GrantTypes   []string   `json:"grant_types" db:"grant_types"`     // authorization_code, refresh_token
+	IsPublic     bool       `json:"is_public" db:"is_public"`         // Public clients (SPAs) don't have secret
+	IsActive     bool       `json:"is_active" db:"is_active"`
+	CreatedBy    *uuid.UUID `json:"created_by,omitempty" db:"created_by"`
+	CreatedAt    time.Time  `json:"created_at" db:"created_at"`
+	UpdatedAt    time.Time  `json:"updated_at" db:"updated_at"`
+}
+
+// OAuthAuthorizationCode represents an authorization code for the OAuth flow
+type OAuthAuthorizationCode struct {
+	ID                  uuid.UUID  `json:"id" db:"id"`
+	Code                string     `json:"-" db:"code"` // Hashed
+	ClientID            string     `json:"client_id" db:"client_id"`
+	UserID              uuid.UUID  `json:"user_id" db:"user_id"`
+	RedirectURI         string     `json:"redirect_uri" db:"redirect_uri"`
+	Scopes              []string   `json:"scopes" db:"scopes"`
+	CodeChallenge       *string    `json:"-" db:"code_challenge"`        // For PKCE
+	CodeChallengeMethod *string    `json:"-" db:"code_challenge_method"` // S256 or plain
+	ExpiresAt           time.Time  `json:"expires_at" db:"expires_at"`
+	UsedAt              *time.Time `json:"used_at,omitempty" db:"used_at"`
+	CreatedAt           time.Time  `json:"created_at" db:"created_at"`
+}
+
+// OAuthAccessToken represents an OAuth access token
+type OAuthAccessToken struct {
+	ID        uuid.UUID  `json:"id" db:"id"`
+	TokenHash string     `json:"-" db:"token_hash"`
+	ClientID  string     `json:"client_id" db:"client_id"`
+	UserID    uuid.UUID  `json:"user_id" db:"user_id"`
+	Scopes    []string   `json:"scopes" db:"scopes"`
+	ExpiresAt time.Time  `json:"expires_at" db:"expires_at"`
+	RevokedAt *time.Time `json:"revoked_at,omitempty" db:"revoked_at"`
+	CreatedAt time.Time  `json:"created_at" db:"created_at"`
+}
+
+// OAuthRefreshToken represents an OAuth refresh token
+type OAuthRefreshToken struct {
+	ID            uuid.UUID  `json:"id" db:"id"`
+	TokenHash     string     `json:"-" db:"token_hash"`
+	AccessTokenID uuid.UUID  `json:"access_token_id" db:"access_token_id"`
+	ClientID      string     `json:"client_id" db:"client_id"`
+	UserID        uuid.UUID  `json:"user_id" db:"user_id"`
+	Scopes        []string   `json:"scopes" db:"scopes"`
+	ExpiresAt     time.Time  `json:"expires_at" db:"expires_at"`
+	RevokedAt     *time.Time `json:"revoked_at,omitempty" db:"revoked_at"`
+	CreatedAt     time.Time  `json:"created_at" db:"created_at"`
+}
+
+// OAuthAuthorizeRequest for the authorization endpoint
+type OAuthAuthorizeRequest struct {
+	ResponseType        string `form:"response_type" binding:"required"` // Must be "code"
+	ClientID            string `form:"client_id" binding:"required"`
+	RedirectURI         string `form:"redirect_uri" binding:"required"`
+	Scope               string `form:"scope"`                            // Space-separated scopes
+	State               string `form:"state" binding:"required"`         // CSRF protection
+	CodeChallenge       string `form:"code_challenge"`                   // PKCE
+	CodeChallengeMethod string `form:"code_challenge_method"`            // S256 (recommended) or plain
+}
+
+// OAuthTokenRequest for the token endpoint
+type OAuthTokenRequest struct {
+	GrantType    string `form:"grant_type" binding:"required"` // authorization_code or refresh_token
+	Code         string `form:"code"`                          // For authorization_code grant
+	RedirectURI  string `form:"redirect_uri"`                  // For authorization_code grant
+	ClientID     string `form:"client_id" binding:"required"`
+	ClientSecret string `form:"client_secret"`                 // For confidential clients
+	CodeVerifier string `form:"code_verifier"`                 // For PKCE
+	RefreshToken string `form:"refresh_token"`                 // For refresh_token grant
+	Scope        string `form:"scope"`                         // For refresh_token grant (optional)
+}
+
+// OAuthTokenResponse for successful token requests
+type OAuthTokenResponse struct {
+	AccessToken  string `json:"access_token"`
+	TokenType    string `json:"token_type"` // Always "Bearer"
+	ExpiresIn    int    `json:"expires_in"` // Seconds until expiration
+	RefreshToken string `json:"refresh_token,omitempty"`
+	Scope        string `json:"scope,omitempty"`
+}
+
+// OAuthErrorResponse for OAuth errors (RFC 6749)
+type OAuthErrorResponse struct {
+	Error            string `json:"error"`
+	ErrorDescription string `json:"error_description,omitempty"`
+	ErrorURI         string `json:"error_uri,omitempty"`
+}
diff --git a/consent-service/internal/models/school.go b/consent-service/internal/models/school.go
new file mode 100644
index 0000000..903b105
--- /dev/null
+++ b/consent-service/internal/models/school.go
@@ -0,0 +1,187 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// SchoolRole defines roles within the school system
+const (
+	SchoolRoleTeacher      = "teacher"
+	SchoolRoleClassTeacher = "class_teacher"
+	SchoolRoleParent       = "parent"
+	SchoolRoleParentRep    = "parent_representative"
+	SchoolRoleStudent      = "student"
+	SchoolRoleAdmin        = "school_admin"
+	SchoolRolePrincipal    = "principal"
+	SchoolRoleSecretary    = "secretary"
+)
+
+// AttendanceStatus defines the status of student attendance
+const (
+	AttendancePresent         = "present"
+	AttendanceAbsent          = "absent"
+	AttendanceAbsentExcused   = "excused"
+	AttendanceAbsentUnexcused = "unexcused"
+	AttendanceLate            = "late"
+	AttendanceLateExcused     = "late_excused"
+	AttendancePending         = "pending_confirmation"
+)
+
+// GradeType defines the type of grade
+const (
+	GradeTypeExam          = "exam"          // Klassenarbeit/Klausur
+	GradeTypeTest          = "test"          // Test/Kurzarbeit
+	GradeTypeOral          = "oral"          // Mündlich
+	GradeTypeHomework      = "homework"      // Hausaufgabe
+	GradeTypeProject       = "project"       // Projekt
+	GradeTypeParticipation = "participation" // Mitarbeit
+	GradeTypeSemester      = "semester"      // Halbjahres-/Semesternote
+	GradeTypeFinal         = "final"         // Endnote/Zeugnisnote
+)
+
+// School represents a school/educational institution
+type School struct {
+	ID               uuid.UUID `json:"id" db:"id"`
+	Name             string    `json:"name" db:"name"`
+	ShortName        *string   `json:"short_name,omitempty" db:"short_name"`
+	Type             string    `json:"type" db:"type"` // 'grundschule', 'hauptschule', 'realschule', 'gymnasium', 'gesamtschule', 'berufsschule'
+	Address          *string   `json:"address,omitempty" db:"address"`
+	City             *string   `json:"city,omitempty" db:"city"`
+	PostalCode       *string   `json:"postal_code,omitempty" db:"postal_code"`
+	State            *string   `json:"state,omitempty" db:"state"` // Bundesland
+	Country          string    `json:"country" db:"country"`       // Default: DE
+	Phone            *string   `json:"phone,omitempty" db:"phone"`
+	Email            *string   `json:"email,omitempty" db:"email"`
+	Website          *string   `json:"website,omitempty" db:"website"`
+	MatrixServerName *string   `json:"matrix_server_name,omitempty" db:"matrix_server_name"`
+	LogoURL          *string   `json:"logo_url,omitempty" db:"logo_url"`
+	IsActive         bool      `json:"is_active" db:"is_active"`
+	CreatedAt        time.Time `json:"created_at" db:"created_at"`
+	UpdatedAt        time.Time `json:"updated_at" db:"updated_at"`
+}
+
+// SchoolYear represents an academic year
+type SchoolYear struct {
+	ID        uuid.UUID `json:"id" db:"id"`
+	SchoolID  uuid.UUID `json:"school_id" db:"school_id"`
+	Name      string    `json:"name" db:"name"` // e.g., "2024/2025"
+	StartDate time.Time `json:"start_date" db:"start_date"`
+	EndDate   time.Time `json:"end_date" db:"end_date"`
+	IsCurrent bool      `json:"is_current" db:"is_current"`
+	CreatedAt time.Time `json:"created_at" db:"created_at"`
+}
+
+// Class represents a school class
+type Class struct {
+	ID             uuid.UUID `json:"id" db:"id"`
+	SchoolID       uuid.UUID `json:"school_id" db:"school_id"`
+	SchoolYearID   uuid.UUID `json:"school_year_id" db:"school_year_id"`
+	Name           string    `json:"name" db:"name"`   // e.g., "5a", "10b"
+	Grade          int       `json:"grade" db:"grade"` // Klassenstufe: 1-13
+	Section        *string   `json:"section,omitempty" db:"section"`
+	Room           *string   `json:"room,omitempty" db:"room"`
+	MatrixInfoRoom *string   `json:"matrix_info_room,omitempty" db:"matrix_info_room"`
+	MatrixRepRoom  *string   `json:"matrix_rep_room,omitempty" db:"matrix_rep_room"`
+	IsActive       bool      `json:"is_active" db:"is_active"`
+	CreatedAt      time.Time `json:"created_at" db:"created_at"`
+	UpdatedAt      time.Time `json:"updated_at" db:"updated_at"`
+}
+
+// Subject represents a school subject
+type Subject struct {
+	ID        uuid.UUID `json:"id" db:"id"`
+	SchoolID  uuid.UUID `json:"school_id" db:"school_id"`
+	Name      string    `json:"name" db:"name"`             // e.g., "Mathematik", "Deutsch"
+	ShortName string    `json:"short_name" db:"short_name"` // e.g., "Ma", "De"
+	Color     *string   `json:"color,omitempty" db:"color"`
+	IsActive  bool      `json:"is_active" db:"is_active"`
+	CreatedAt time.Time `json:"created_at" db:"created_at"`
+}
+
+// Student represents a student
+type Student struct {
+	ID            uuid.UUID  `json:"id" db:"id"`
+	SchoolID      uuid.UUID  `json:"school_id" db:"school_id"`
+	ClassID       uuid.UUID  `json:"class_id" db:"class_id"`
+	UserID        *uuid.UUID `json:"user_id,omitempty" db:"user_id"`
+	StudentNumber *string    `json:"student_number,omitempty" db:"student_number"`
+	FirstName     string     `json:"first_name" db:"first_name"`
+	LastName      string     `json:"last_name" db:"last_name"`
+	DateOfBirth   *time.Time `json:"date_of_birth,omitempty" db:"date_of_birth"`
+	Gender        *string    `json:"gender,omitempty" db:"gender"`
+	MatrixUserID  *string    `json:"matrix_user_id,omitempty" db:"matrix_user_id"`
+	MatrixDMRoom  *string    `json:"matrix_dm_room,omitempty" db:"matrix_dm_room"`
+	IsActive      bool       `json:"is_active" db:"is_active"`
+	CreatedAt     time.Time  `json:"created_at" db:"created_at"`
+	UpdatedAt     time.Time  `json:"updated_at" db:"updated_at"`
+}
+
+// Teacher represents a teacher
+type Teacher struct {
+	ID           uuid.UUID `json:"id" db:"id"`
+	SchoolID     uuid.UUID `json:"school_id" db:"school_id"`
+	UserID       uuid.UUID `json:"user_id" db:"user_id"`
+	TeacherCode  *string   `json:"teacher_code,omitempty" db:"teacher_code"`
+	Title        *string   `json:"title,omitempty" db:"title"`
+	FirstName    string    `json:"first_name" db:"first_name"`
+	LastName     string    `json:"last_name" db:"last_name"`
+	MatrixUserID *string   `json:"matrix_user_id,omitempty" db:"matrix_user_id"`
+	IsActive     bool      `json:"is_active" db:"is_active"`
+	CreatedAt    time.Time `json:"created_at" db:"created_at"`
+	UpdatedAt    time.Time `json:"updated_at" db:"updated_at"`
+}
+
+// ClassTeacher assigns teachers to classes (Klassenlehrer)
+type ClassTeacher struct {
+	ID        uuid.UUID `json:"id" db:"id"`
+	ClassID   uuid.UUID `json:"class_id" db:"class_id"`
+	TeacherID uuid.UUID `json:"teacher_id" db:"teacher_id"`
+	IsPrimary bool      `json:"is_primary" db:"is_primary"`
+	CreatedAt time.Time `json:"created_at" db:"created_at"`
+}
+
+// TeacherSubject assigns subjects to teachers
+type TeacherSubject struct {
+	ID        uuid.UUID `json:"id" db:"id"`
+	TeacherID uuid.UUID `json:"teacher_id" db:"teacher_id"`
+	SubjectID uuid.UUID `json:"subject_id" db:"subject_id"`
+	CreatedAt time.Time `json:"created_at" db:"created_at"`
+}
+
+// Parent represents a parent/guardian
+type Parent struct {
+	ID               uuid.UUID `json:"id" db:"id"`
+	UserID           uuid.UUID `json:"user_id" db:"user_id"`
+	MatrixUserID     *string   `json:"matrix_user_id,omitempty" db:"matrix_user_id"`
+	FirstName        string    `json:"first_name" db:"first_name"`
+	LastName         string    `json:"last_name" db:"last_name"`
+	Phone            *string   `json:"phone,omitempty" db:"phone"`
+	EmergencyContact bool      `json:"emergency_contact" db:"emergency_contact"`
+	CreatedAt        time.Time `json:"created_at" db:"created_at"`
+	UpdatedAt        time.Time `json:"updated_at" db:"updated_at"`
+}
+
+// StudentParent links students to their parents
+type StudentParent struct {
+	ID           uuid.UUID `json:"id" db:"id"`
+	StudentID    uuid.UUID `json:"student_id" db:"student_id"`
+	ParentID     uuid.UUID `json:"parent_id" db:"parent_id"`
+	Relationship string    `json:"relationship" db:"relationship"`
+	IsPrimary    bool      `json:"is_primary" db:"is_primary"`
+	HasCustody   bool      `json:"has_custody" db:"has_custody"`
+	CreatedAt    time.Time `json:"created_at" db:"created_at"`
+}
+
+// ParentRepresentative assigns parent representatives to classes
+type ParentRepresentative struct {
+	ID        uuid.UUID  `json:"id" db:"id"`
+	ClassID   uuid.UUID  `json:"class_id" db:"class_id"`
+	ParentID  uuid.UUID  `json:"parent_id" db:"parent_id"`
+	Role      string     `json:"role" db:"role"` // 'first_rep', 'second_rep', 'substitute'
+	ElectedAt time.Time  `json:"elected_at" db:"elected_at"`
+	ExpiresAt *time.Time `json:"expires_at,omitempty" db:"expires_at"`
+	IsActive  bool       `json:"is_active" db:"is_active"`
+	CreatedAt time.Time  `json:"created_at" db:"created_at"`
+}
diff --git a/consent-service/internal/models/school_operations.go b/consent-service/internal/models/school_operations.go
new file mode 100644
index 0000000..a3bce43
--- /dev/null
+++ b/consent-service/internal/models/school_operations.go
@@ -0,0 +1,382 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// ========================================
+// Stundenplan / Timetable
+// ========================================
+
+// TimetableSlot represents a time slot in the timetable
+type TimetableSlot struct {
+	ID         uuid.UUID `json:"id" db:"id"`
+	SchoolID   uuid.UUID `json:"school_id" db:"school_id"`
+	SlotNumber int       `json:"slot_number" db:"slot_number"` // 1, 2, 3... (Stunde)
+	StartTime  string    `json:"start_time" db:"start_time"`   // "08:00"
+	EndTime    string    `json:"end_time" db:"end_time"`       // "08:45"
+	IsBreak    bool      `json:"is_break" db:"is_break"`       // Pause
+	Name       *string   `json:"name,omitempty" db:"name"`     // e.g., "1. Stunde", "Große Pause"
+}
+
+// TimetableEntry represents a single lesson in the timetable
+type TimetableEntry struct {
+	ID           uuid.UUID  `json:"id" db:"id"`
+	SchoolYearID uuid.UUID  `json:"school_year_id" db:"school_year_id"`
+	ClassID      uuid.UUID  `json:"class_id" db:"class_id"`
+	SubjectID    uuid.UUID  `json:"subject_id" db:"subject_id"`
+	TeacherID    uuid.UUID  `json:"teacher_id" db:"teacher_id"`
+	SlotID       uuid.UUID  `json:"slot_id" db:"slot_id"`
+	DayOfWeek    int        `json:"day_of_week" db:"day_of_week"` // 1=Monday, 5=Friday
+	Room         *string    `json:"room,omitempty" db:"room"`
+	ValidFrom    time.Time  `json:"valid_from" db:"valid_from"`
+	ValidUntil   *time.Time `json:"valid_until,omitempty" db:"valid_until"`
+	CreatedAt    time.Time  `json:"created_at" db:"created_at"`
+	UpdatedAt    time.Time  `json:"updated_at" db:"updated_at"`
+}
+
+// TimetableSubstitution represents a substitution/replacement lesson
+type TimetableSubstitution struct {
+	ID                  uuid.UUID  `json:"id" db:"id"`
+	OriginalEntryID     uuid.UUID  `json:"original_entry_id" db:"original_entry_id"`
+	Date                time.Time  `json:"date" db:"date"`
+	SubstituteTeacherID *uuid.UUID `json:"substitute_teacher_id,omitempty" db:"substitute_teacher_id"`
+	SubstituteSubjectID *uuid.UUID `json:"substitute_subject_id,omitempty" db:"substitute_subject_id"`
+	Room                *string    `json:"room,omitempty" db:"room"`
+	Type                string     `json:"type" db:"type"` // 'substitution', 'cancelled', 'room_change', 'supervision'
+	Note                *string    `json:"note,omitempty" db:"note"`
+	CreatedAt           time.Time  `json:"created_at" db:"created_at"`
+	CreatedBy           uuid.UUID  `json:"created_by" db:"created_by"`
+}
+
+// ========================================
+// Abwesenheit / Attendance
+// ========================================
+
+// AttendanceRecord represents a student's attendance for a specific lesson
+type AttendanceRecord struct {
+	ID               uuid.UUID  `json:"id" db:"id"`
+	StudentID        uuid.UUID  `json:"student_id" db:"student_id"`
+	TimetableEntryID *uuid.UUID `json:"timetable_entry_id,omitempty" db:"timetable_entry_id"`
+	Date             time.Time  `json:"date" db:"date"`
+	SlotID           uuid.UUID  `json:"slot_id" db:"slot_id"`
+	Status           string     `json:"status" db:"status"` // AttendanceStatus constants
+	RecordedBy       uuid.UUID  `json:"recorded_by" db:"recorded_by"`
+	Note             *string    `json:"note,omitempty" db:"note"`
+	CreatedAt        time.Time  `json:"created_at" db:"created_at"`
+	UpdatedAt        time.Time  `json:"updated_at" db:"updated_at"`
+}
+
+// AbsenceReport represents a full absence report (one or more days)
+type AbsenceReport struct {
+	ID                     uuid.UUID  `json:"id" db:"id"`
+	StudentID              uuid.UUID  `json:"student_id" db:"student_id"`
+	StartDate              time.Time  `json:"start_date" db:"start_date"`
+	EndDate                time.Time  `json:"end_date" db:"end_date"`
+	Reason                 *string    `json:"reason,omitempty" db:"reason"`
+	ReasonCategory         string     `json:"reason_category" db:"reason_category"`
+	Status                 string     `json:"status" db:"status"`
+	ReportedBy             uuid.UUID  `json:"reported_by" db:"reported_by"`
+	ReportedAt             time.Time  `json:"reported_at" db:"reported_at"`
+	ConfirmedBy            *uuid.UUID `json:"confirmed_by,omitempty" db:"confirmed_by"`
+	ConfirmedAt            *time.Time `json:"confirmed_at,omitempty" db:"confirmed_at"`
+	MedicalCertificate     bool       `json:"medical_certificate" db:"medical_certificate"`
+	CertificateUploaded    bool       `json:"certificate_uploaded" db:"certificate_uploaded"`
+	MatrixNotificationSent bool       `json:"matrix_notification_sent" db:"matrix_notification_sent"`
+	EmailNotificationSent  bool       `json:"email_notification_sent" db:"email_notification_sent"`
+	CreatedAt              time.Time  `json:"created_at" db:"created_at"`
+	UpdatedAt              time.Time  `json:"updated_at" db:"updated_at"`
+}
+
+// AbsenceNotification tracks notifications sent to parents about absences
+type AbsenceNotification struct {
+	ID                 uuid.UUID  `json:"id" db:"id"`
+	AttendanceRecordID uuid.UUID  `json:"attendance_record_id" db:"attendance_record_id"`
+	ParentID           uuid.UUID  `json:"parent_id" db:"parent_id"`
+	Channel            string     `json:"channel" db:"channel"`
+	MessageContent     string     `json:"message_content" db:"message_content"`
+	SentAt             *time.Time `json:"sent_at,omitempty" db:"sent_at"`
+	ReadAt             *time.Time `json:"read_at,omitempty" db:"read_at"`
+	ResponseReceived   bool       `json:"response_received" db:"response_received"`
+	ResponseContent    *string    `json:"response_content,omitempty" db:"response_content"`
+	ResponseAt         *time.Time `json:"response_at,omitempty" db:"response_at"`
+	CreatedAt          time.Time  `json:"created_at" db:"created_at"`
+}
+
+// ========================================
+// Notenspiegel / Grades
+// ========================================
+
+// GradeScale represents the grading scale used
+type GradeScale struct {
+	ID           uuid.UUID `json:"id" db:"id"`
+	SchoolID     uuid.UUID `json:"school_id" db:"school_id"`
+	Name         string    `json:"name" db:"name"`
+	MinValue     float64   `json:"min_value" db:"min_value"`
+	MaxValue     float64   `json:"max_value" db:"max_value"`
+	PassingValue float64   `json:"passing_value" db:"passing_value"`
+	IsAscending  bool      `json:"is_ascending" db:"is_ascending"`
+	IsDefault    bool      `json:"is_default" db:"is_default"`
+	CreatedAt    time.Time `json:"created_at" db:"created_at"`
+}
+
+// Grade represents a single grade for a student
+type Grade struct {
+	ID           uuid.UUID  `json:"id" db:"id"`
+	StudentID    uuid.UUID  `json:"student_id" db:"student_id"`
+	SubjectID    uuid.UUID  `json:"subject_id" db:"subject_id"`
+	TeacherID    uuid.UUID  `json:"teacher_id" db:"teacher_id"`
+	SchoolYearID uuid.UUID  `json:"school_year_id" db:"school_year_id"`
+	GradeScaleID uuid.UUID  `json:"grade_scale_id" db:"grade_scale_id"`
+	Type         string     `json:"type" db:"type"`
+	Value        float64    `json:"value" db:"value"`
+	Weight       float64    `json:"weight" db:"weight"`
+	Date         time.Time  `json:"date" db:"date"`
+	Title        *string    `json:"title,omitempty" db:"title"`
+	Description  *string    `json:"description,omitempty" db:"description"`
+	IsVisible    bool       `json:"is_visible" db:"is_visible"`
+	Semester     int        `json:"semester" db:"semester"`
+	CreatedAt    time.Time  `json:"created_at" db:"created_at"`
+	UpdatedAt    time.Time  `json:"updated_at" db:"updated_at"`
+}
+
+// GradeComment represents a teacher comment on a student's grade
+type GradeComment struct {
+	ID        uuid.UUID `json:"id" db:"id"`
+	GradeID   uuid.UUID `json:"grade_id" db:"grade_id"`
+	TeacherID uuid.UUID `json:"teacher_id" db:"teacher_id"`
+	Comment   string    `json:"comment" db:"comment"`
+	IsPrivate bool      `json:"is_private" db:"is_private"`
+	CreatedAt time.Time `json:"created_at" db:"created_at"`
+}
+
+// ========================================
+// Klassenbuch, Meetings, Communication
+// ========================================
+
+// ClassDiaryEntry represents an entry in the digital class diary
+type ClassDiaryEntry struct {
+	ID                 uuid.UUID  `json:"id" db:"id"`
+	ClassID            uuid.UUID  `json:"class_id" db:"class_id"`
+	Date               time.Time  `json:"date" db:"date"`
+	SlotID             uuid.UUID  `json:"slot_id" db:"slot_id"`
+	SubjectID          uuid.UUID  `json:"subject_id" db:"subject_id"`
+	TeacherID          uuid.UUID  `json:"teacher_id" db:"teacher_id"`
+	Topic              *string    `json:"topic,omitempty" db:"topic"`
+	Homework           *string    `json:"homework,omitempty" db:"homework"`
+	HomeworkDueDate    *time.Time `json:"homework_due_date,omitempty" db:"homework_due_date"`
+	Materials          *string    `json:"materials,omitempty" db:"materials"`
+	Notes              *string    `json:"notes,omitempty" db:"notes"`
+	IsCancelled        bool       `json:"is_cancelled" db:"is_cancelled"`
+	CancellationReason *string    `json:"cancellation_reason,omitempty" db:"cancellation_reason"`
+	CreatedAt          time.Time  `json:"created_at" db:"created_at"`
+	UpdatedAt          time.Time  `json:"updated_at" db:"updated_at"`
+}
+
+// ParentMeetingSlot represents available time slots for parent meetings
+type ParentMeetingSlot struct {
+	ID          uuid.UUID `json:"id" db:"id"`
+	TeacherID   uuid.UUID `json:"teacher_id" db:"teacher_id"`
+	Date        time.Time `json:"date" db:"date"`
+	StartTime   string    `json:"start_time" db:"start_time"`
+	EndTime     string    `json:"end_time" db:"end_time"`
+	Location    *string   `json:"location,omitempty" db:"location"`
+	IsOnline    bool      `json:"is_online" db:"is_online"`
+	MeetingLink *string   `json:"meeting_link,omitempty" db:"meeting_link"`
+	IsBooked    bool      `json:"is_booked" db:"is_booked"`
+	CreatedAt   time.Time `json:"created_at" db:"created_at"`
+}
+
+// ParentMeeting represents a booked parent-teacher meeting
+type ParentMeeting struct {
+	ID           uuid.UUID  `json:"id" db:"id"`
+	SlotID       uuid.UUID  `json:"slot_id" db:"slot_id"`
+	ParentID     uuid.UUID  `json:"parent_id" db:"parent_id"`
+	StudentID    uuid.UUID  `json:"student_id" db:"student_id"`
+	Topic        *string    `json:"topic,omitempty" db:"topic"`
+	Notes        *string    `json:"notes,omitempty" db:"notes"`
+	Status       string     `json:"status" db:"status"`
+	CancelledAt  *time.Time `json:"cancelled_at,omitempty" db:"cancelled_at"`
+	CancelledBy  *uuid.UUID `json:"cancelled_by,omitempty" db:"cancelled_by"`
+	CancelReason *string    `json:"cancel_reason,omitempty" db:"cancel_reason"`
+	CompletedAt  *time.Time `json:"completed_at,omitempty" db:"completed_at"`
+	CreatedAt    time.Time  `json:"created_at" db:"created_at"`
+	UpdatedAt    time.Time  `json:"updated_at" db:"updated_at"`
+}
+
+// MatrixRoom tracks Matrix rooms created for school communication
+type MatrixRoom struct {
+	ID           uuid.UUID  `json:"id" db:"id"`
+	SchoolID     uuid.UUID  `json:"school_id" db:"school_id"`
+	MatrixRoomID string     `json:"matrix_room_id" db:"matrix_room_id"`
+	Type         string     `json:"type" db:"type"`
+	ClassID      *uuid.UUID `json:"class_id,omitempty" db:"class_id"`
+	StudentID    *uuid.UUID `json:"student_id,omitempty" db:"student_id"`
+	Name         string     `json:"name" db:"name"`
+	IsEncrypted  bool       `json:"is_encrypted" db:"is_encrypted"`
+	CreatedAt    time.Time  `json:"created_at" db:"created_at"`
+}
+
+// MatrixRoomMember tracks membership in Matrix rooms
+type MatrixRoomMember struct {
+	ID           uuid.UUID  `json:"id" db:"id"`
+	MatrixRoomID uuid.UUID  `json:"matrix_room_id" db:"matrix_room_id"`
+	MatrixUserID string     `json:"matrix_user_id" db:"matrix_user_id"`
+	UserID       *uuid.UUID `json:"user_id,omitempty" db:"user_id"`
+	PowerLevel   int        `json:"power_level" db:"power_level"`
+	CanWrite     bool       `json:"can_write" db:"can_write"`
+	JoinedAt     time.Time  `json:"joined_at" db:"joined_at"`
+	LeftAt       *time.Time `json:"left_at,omitempty" db:"left_at"`
+}
+
+// ParentOnboardingToken for QR-code based parent onboarding
+type ParentOnboardingToken struct {
+	ID           uuid.UUID  `json:"id" db:"id"`
+	SchoolID     uuid.UUID  `json:"school_id" db:"school_id"`
+	ClassID      uuid.UUID  `json:"class_id" db:"class_id"`
+	StudentID    uuid.UUID  `json:"student_id" db:"student_id"`
+	Token        string     `json:"token" db:"token"`
+	Role         string     `json:"role" db:"role"`
+	ExpiresAt    time.Time  `json:"expires_at" db:"expires_at"`
+	UsedAt       *time.Time `json:"used_at,omitempty" db:"used_at"`
+	UsedByUserID *uuid.UUID `json:"used_by_user_id,omitempty" db:"used_by_user_id"`
+	CreatedAt    time.Time  `json:"created_at" db:"created_at"`
+	CreatedBy    uuid.UUID  `json:"created_by" db:"created_by"`
+}
+
+// ========================================
+// Schulverwaltung DTOs
+// ========================================
+
+// CreateSchoolRequest for creating a new school
+type CreateSchoolRequest struct {
+	Name       string  `json:"name" binding:"required"`
+	ShortName  *string `json:"short_name"`
+	Type       string  `json:"type" binding:"required"`
+	Address    *string `json:"address"`
+	City       *string `json:"city"`
+	PostalCode *string `json:"postal_code"`
+	State      *string `json:"state"`
+	Phone      *string `json:"phone"`
+	Email      *string `json:"email"`
+	Website    *string `json:"website"`
+}
+
+// CreateClassRequest for creating a new class
+type CreateClassRequest struct {
+	SchoolYearID string  `json:"school_year_id" binding:"required"`
+	Name         string  `json:"name" binding:"required"`
+	Grade        int     `json:"grade" binding:"required"`
+	Section      *string `json:"section"`
+	Room         *string `json:"room"`
+}
+
+// CreateStudentRequest for creating a new student
+type CreateStudentRequest struct {
+	ClassID       string  `json:"class_id" binding:"required"`
+	StudentNumber *string `json:"student_number"`
+	FirstName     string  `json:"first_name" binding:"required"`
+	LastName      string  `json:"last_name" binding:"required"`
+	DateOfBirth   *string `json:"date_of_birth"` // ISO 8601
+	Gender        *string `json:"gender"`
+}
+
+// RecordAttendanceRequest for recording attendance
+type RecordAttendanceRequest struct {
+	StudentID string  `json:"student_id" binding:"required"`
+	Date      string  `json:"date" binding:"required"` // ISO 8601
+	SlotID    string  `json:"slot_id" binding:"required"`
+	Status    string  `json:"status" binding:"required"` // AttendanceStatus
+	Note      *string `json:"note"`
+}
+
+// ReportAbsenceRequest for parents reporting absence
+type ReportAbsenceRequest struct {
+	StudentID      string  `json:"student_id" binding:"required"`
+	StartDate      string  `json:"start_date" binding:"required"`
+	EndDate        string  `json:"end_date" binding:"required"`
+	Reason         *string `json:"reason"`
+	ReasonCategory string  `json:"reason_category" binding:"required"`
+}
+
+// CreateGradeRequest for creating a grade
+type CreateGradeRequest struct {
+	StudentID    string  `json:"student_id" binding:"required"`
+	SubjectID    string  `json:"subject_id" binding:"required"`
+	SchoolYearID string  `json:"school_year_id" binding:"required"`
+	Type         string  `json:"type" binding:"required"`
+	Value        float64 `json:"value" binding:"required"`
+	Weight       float64 `json:"weight"`
+	Date         string  `json:"date" binding:"required"`
+	Title        *string `json:"title"`
+	Description  *string `json:"description"`
+	Semester     int     `json:"semester" binding:"required"`
+}
+
+// StudentGradeOverview provides a summary of all grades for a student in a subject
+type StudentGradeOverview struct {
+	Student     Student `json:"student"`
+	Subject     Subject `json:"subject"`
+	Grades      []Grade `json:"grades"`
+	Average     float64 `json:"average"`
+	OralAverage float64 `json:"oral_average"`
+	ExamAverage float64 `json:"exam_average"`
+	Semester    int     `json:"semester"`
+}
+
+// ClassAttendanceOverview provides attendance summary for a class
+type ClassAttendanceOverview struct {
+	Class         Class              `json:"class"`
+	Date          time.Time          `json:"date"`
+	TotalStudents int                `json:"total_students"`
+	PresentCount  int                `json:"present_count"`
+	AbsentCount   int                `json:"absent_count"`
+	LateCount     int                `json:"late_count"`
+	Records       []AttendanceRecord `json:"records"`
+}
+
+// ParentDashboard provides a parent's view of their children's data
+type ParentDashboard struct {
+	Children         []StudentOverview `json:"children"`
+	UnreadMessages   int               `json:"unread_messages"`
+	UpcomingMeetings []ParentMeeting   `json:"upcoming_meetings"`
+	RecentGrades     []Grade           `json:"recent_grades"`
+	PendingActions   []string          `json:"pending_actions"`
+}
+
+// StudentOverview provides summary info about a student
+type StudentOverview struct {
+	Student           Student  `json:"student"`
+	Class             Class    `json:"class"`
+	ClassTeacher      *Teacher `json:"class_teacher,omitempty"`
+	AttendanceRate    float64  `json:"attendance_rate"`
+	UnexcusedAbsences int      `json:"unexcused_absences"`
+	GradeAverage      float64  `json:"grade_average"`
+}
+
+// TimetableView provides a formatted timetable for display
+type TimetableView struct {
+	Class Class              `json:"class"`
+	Week  string             `json:"week"` // ISO week: "2025-W01"
+	Days  []TimetableDayView `json:"days"`
+}
+
+// TimetableDayView represents a single day in the timetable
+type TimetableDayView struct {
+	Date    time.Time             `json:"date"`
+	DayName string                `json:"day_name"`
+	Lessons []TimetableLessonView `json:"lessons"`
+}
+
+// TimetableLessonView represents a single lesson in the timetable view
+type TimetableLessonView struct {
+	Slot           TimetableSlot `json:"slot"`
+	Subject        *Subject      `json:"subject,omitempty"`
+	Teacher        *Teacher      `json:"teacher,omitempty"`
+	Room           *string       `json:"room,omitempty"`
+	IsSubstitution bool          `json:"is_substitution"`
+	IsCancelled    bool          `json:"is_cancelled"`
+	Note           *string       `json:"note,omitempty"`
+}
diff --git a/consent-service/internal/models/user.go b/consent-service/internal/models/user.go
new file mode 100644
index 0000000..88aa7cf
--- /dev/null
+++ b/consent-service/internal/models/user.go
@@ -0,0 +1,195 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// User represents a user with full authentication support
+type User struct {
+	ID                  uuid.UUID  `json:"id" db:"id"`
+	ExternalID          *string    `json:"external_id,omitempty" db:"external_id"`
+	Email               string     `json:"email" db:"email"`
+	PasswordHash        *string    `json:"-" db:"password_hash"` // Never exposed in JSON
+	Name                *string    `json:"name,omitempty" db:"name"`
+	Role                string     `json:"role" db:"role"` // 'user', 'admin', 'super_admin', 'data_protection_officer'
+	EmailVerified       bool       `json:"email_verified" db:"email_verified"`
+	EmailVerifiedAt     *time.Time `json:"email_verified_at,omitempty" db:"email_verified_at"`
+	AccountStatus       string     `json:"account_status" db:"account_status"` // 'active', 'suspended', 'locked'
+	LastLoginAt         *time.Time `json:"last_login_at,omitempty" db:"last_login_at"`
+	FailedLoginAttempts int        `json:"failed_login_attempts" db:"failed_login_attempts"`
+	LockedUntil         *time.Time `json:"locked_until,omitempty" db:"locked_until"`
+	CreatedAt           time.Time  `json:"created_at" db:"created_at"`
+	UpdatedAt           time.Time  `json:"updated_at" db:"updated_at"`
+}
+
+// EmailVerificationToken for email verification
+type EmailVerificationToken struct {
+	ID        uuid.UUID  `json:"id" db:"id"`
+	UserID    uuid.UUID  `json:"user_id" db:"user_id"`
+	Token     string     `json:"token" db:"token"`
+	ExpiresAt time.Time  `json:"expires_at" db:"expires_at"`
+	UsedAt    *time.Time `json:"used_at,omitempty" db:"used_at"`
+	CreatedAt time.Time  `json:"created_at" db:"created_at"`
+}
+
+// PasswordResetToken for password reset
+type PasswordResetToken struct {
+	ID        uuid.UUID  `json:"id" db:"id"`
+	UserID    uuid.UUID  `json:"user_id" db:"user_id"`
+	Token     string     `json:"token" db:"token"`
+	ExpiresAt time.Time  `json:"expires_at" db:"expires_at"`
+	UsedAt    *time.Time `json:"used_at,omitempty" db:"used_at"`
+	IPAddress *string    `json:"ip_address,omitempty" db:"ip_address"`
+	CreatedAt time.Time  `json:"created_at" db:"created_at"`
+}
+
+// UserSession for session management
+type UserSession struct {
+	ID             uuid.UUID  `json:"id" db:"id"`
+	UserID         uuid.UUID  `json:"user_id" db:"user_id"`
+	TokenHash      string     `json:"-" db:"token_hash"`
+	DeviceInfo     *string    `json:"device_info,omitempty" db:"device_info"`
+	IPAddress      *string    `json:"ip_address,omitempty" db:"ip_address"`
+	UserAgent      *string    `json:"user_agent,omitempty" db:"user_agent"`
+	ExpiresAt      time.Time  `json:"expires_at" db:"expires_at"`
+	RevokedAt      *time.Time `json:"revoked_at,omitempty" db:"revoked_at"`
+	CreatedAt      time.Time  `json:"created_at" db:"created_at"`
+	LastActivityAt time.Time  `json:"last_activity_at" db:"last_activity_at"`
+}
+
+// RegisterRequest for user registration
+type RegisterRequest struct {
+	Email    string  `json:"email" binding:"required,email"`
+	Password string  `json:"password" binding:"required,min=8"`
+	Name     *string `json:"name"`
+}
+
+// LoginRequest for user login
+type LoginRequest struct {
+	Email    string `json:"email" binding:"required,email"`
+	Password string `json:"password" binding:"required"`
+}
+
+// LoginResponse after successful login
+type LoginResponse struct {
+	User         User   `json:"user"`
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	ExpiresIn    int    `json:"expires_in"` // seconds
+}
+
+// RefreshTokenRequest for token refresh
+type RefreshTokenRequest struct {
+	RefreshToken string `json:"refresh_token" binding:"required"`
+}
+
+// VerifyEmailRequest for email verification
+type VerifyEmailRequest struct {
+	Token string `json:"token" binding:"required"`
+}
+
+// ForgotPasswordRequest for password reset request
+type ForgotPasswordRequest struct {
+	Email string `json:"email" binding:"required,email"`
+}
+
+// ResetPasswordRequest for password reset
+type ResetPasswordRequest struct {
+	Token       string `json:"token" binding:"required"`
+	NewPassword string `json:"new_password" binding:"required,min=8"`
+}
+
+// ChangePasswordRequest for changing password
+type ChangePasswordRequest struct {
+	CurrentPassword string `json:"current_password" binding:"required"`
+	NewPassword     string `json:"new_password" binding:"required,min=8"`
+}
+
+// UpdateProfileRequest for profile updates
+type UpdateProfileRequest struct {
+	Name *string `json:"name"`
+}
+
+// ========================================
+// Two-Factor Authentication (2FA/TOTP)
+// ========================================
+
+// UserTOTP stores 2FA TOTP configuration for a user
+type UserTOTP struct {
+	ID            uuid.UUID  `json:"id" db:"id"`
+	UserID        uuid.UUID  `json:"user_id" db:"user_id"`
+	Secret        string     `json:"-" db:"secret"`              // Encrypted TOTP secret
+	Verified      bool       `json:"verified" db:"verified"`     // Has 2FA been verified/activated
+	RecoveryCodes []string   `json:"-" db:"recovery_codes"`      // Encrypted backup codes
+	EnabledAt     *time.Time `json:"enabled_at,omitempty" db:"enabled_at"`
+	LastUsedAt    *time.Time `json:"last_used_at,omitempty" db:"last_used_at"`
+	CreatedAt     time.Time  `json:"created_at" db:"created_at"`
+	UpdatedAt     time.Time  `json:"updated_at" db:"updated_at"`
+}
+
+// TwoFactorChallenge represents a pending 2FA challenge during login
+type TwoFactorChallenge struct {
+	ID          uuid.UUID  `json:"id" db:"id"`
+	UserID      uuid.UUID  `json:"user_id" db:"user_id"`
+	ChallengeID string     `json:"challenge_id" db:"challenge_id"` // Temporary token
+	IPAddress   *string    `json:"ip_address,omitempty" db:"ip_address"`
+	UserAgent   *string    `json:"user_agent,omitempty" db:"user_agent"`
+	ExpiresAt   time.Time  `json:"expires_at" db:"expires_at"`
+	UsedAt      *time.Time `json:"used_at,omitempty" db:"used_at"`
+	CreatedAt   time.Time  `json:"created_at" db:"created_at"`
+}
+
+// Setup2FAResponse when initiating 2FA setup
+type Setup2FAResponse struct {
+	Secret        string   `json:"secret"`         // Base32 encoded secret for manual entry
+	QRCodeDataURL string   `json:"qr_code"`        // Data URL for QR code image
+	RecoveryCodes []string `json:"recovery_codes"` // One-time backup codes
+}
+
+// Verify2FARequest for verifying 2FA setup or login
+type Verify2FARequest struct {
+	Code        string `json:"code" binding:"required"` // 6-digit TOTP code
+	ChallengeID string `json:"challenge_id,omitempty"`  // For login flow
+}
+
+// TwoFactorLoginResponse when 2FA is required during login
+type TwoFactorLoginResponse struct {
+	RequiresTwoFactor bool   `json:"requires_two_factor"`
+	ChallengeID       string `json:"challenge_id"` // Use this to complete 2FA
+	Message           string `json:"message"`
+}
+
+// Complete2FALoginRequest to complete login with 2FA
+type Complete2FALoginRequest struct {
+	ChallengeID string `json:"challenge_id" binding:"required"`
+	Code        string `json:"code" binding:"required"` // 6-digit TOTP or recovery code
+}
+
+// Disable2FARequest for disabling 2FA
+type Disable2FARequest struct {
+	Password string `json:"password" binding:"required"` // Require password confirmation
+	Code     string `json:"code" binding:"required"`     // Current TOTP code
+}
+
+// RecoveryCodeUseRequest for using a recovery code
+type RecoveryCodeUseRequest struct {
+	ChallengeID  string `json:"challenge_id" binding:"required"`
+	RecoveryCode string `json:"recovery_code" binding:"required"`
+}
+
+// TwoFactorStatusResponse for checking 2FA status
+type TwoFactorStatusResponse struct {
+	Enabled            bool       `json:"enabled"`
+	Verified           bool       `json:"verified"`
+	EnabledAt          *time.Time `json:"enabled_at,omitempty"`
+	RecoveryCodesCount int        `json:"recovery_codes_count"`
+}
+
+// Verify2FAChallengeRequest for verifying a 2FA challenge during login
+type Verify2FAChallengeRequest struct {
+	ChallengeID  string `json:"challenge_id" binding:"required"`
+	Code         string `json:"code,omitempty"`          // 6-digit TOTP code
+	RecoveryCode string `json:"recovery_code,omitempty"` // Alternative: recovery code
+}
diff --git a/consent-service/internal/services/attendance_service.go b/consent-service/internal/services/attendance_service.go
index 046e6f8..28c7ea4 100644
--- a/consent-service/internal/services/attendance_service.go
+++ b/consent-service/internal/services/attendance_service.go
@@ -235,271 +235,3 @@ func (s *AttendanceService) GetStudentAttendance(ctx context.Context, studentID
 	return records, nil
 }
 
-// ========================================
-// Absence Reports (Parent-initiated)
-// ========================================
-
-// ReportAbsence allows parents to report a student's absence
-func (s *AttendanceService) ReportAbsence(ctx context.Context, req models.ReportAbsenceRequest, reportedByUserID uuid.UUID) (*models.AbsenceReport, error) {
-	studentID, err := uuid.Parse(req.StudentID)
-	if err != nil {
-		return nil, fmt.Errorf("invalid student ID: %w", err)
-	}
-
-	startDate, err := time.Parse("2006-01-02", req.StartDate)
-	if err != nil {
-		return nil, fmt.Errorf("invalid start date format: %w", err)
-	}
-
-	endDate, err := time.Parse("2006-01-02", req.EndDate)
-	if err != nil {
-		return nil, fmt.Errorf("invalid end date format: %w", err)
-	}
-
-	report := &models.AbsenceReport{
-		ID:             uuid.New(),
-		StudentID:      studentID,
-		StartDate:      startDate,
-		EndDate:        endDate,
-		Reason:         req.Reason,
-		ReasonCategory: req.ReasonCategory,
-		Status:         "reported",
-		ReportedBy:     reportedByUserID,
-		ReportedAt:     time.Now(),
-		CreatedAt:      time.Now(),
-		UpdatedAt:      time.Now(),
-	}
-
-	query := `
-		INSERT INTO absence_reports (id, student_id, start_date, end_date, reason, reason_category, status, reported_by, reported_at, created_at, updated_at)
-		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
-		RETURNING id`
-
-	err = s.db.Pool.QueryRow(ctx, query,
-		report.ID, report.StudentID, report.StartDate, report.EndDate,
-		report.Reason, report.ReasonCategory, report.Status,
-		report.ReportedBy, report.ReportedAt, report.CreatedAt, report.UpdatedAt,
-	).Scan(&report.ID)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to create absence report: %w", err)
-	}
-
-	return report, nil
-}
-
-// ConfirmAbsence allows teachers to confirm/excuse an absence
-func (s *AttendanceService) ConfirmAbsence(ctx context.Context, reportID uuid.UUID, confirmedByUserID uuid.UUID, status string) error {
-	query := `
-		UPDATE absence_reports
-		SET status = $1, confirmed_by = $2, confirmed_at = NOW(), updated_at = NOW()
-		WHERE id = $3`
-
-	result, err := s.db.Pool.Exec(ctx, query, status, confirmedByUserID, reportID)
-	if err != nil {
-		return fmt.Errorf("failed to confirm absence: %w", err)
-	}
-
-	if result.RowsAffected() == 0 {
-		return fmt.Errorf("absence report not found")
-	}
-
-	return nil
-}
-
-// GetAbsenceReports gets absence reports for a student
-func (s *AttendanceService) GetAbsenceReports(ctx context.Context, studentID uuid.UUID) ([]models.AbsenceReport, error) {
-	query := `
-		SELECT id, student_id, start_date, end_date, reason, reason_category, status, reported_by, reported_at, confirmed_by, confirmed_at, medical_certificate, certificate_uploaded, matrix_notification_sent, email_notification_sent, created_at, updated_at
-		FROM absence_reports
-		WHERE student_id = $1
-		ORDER BY start_date DESC`
-
-	rows, err := s.db.Pool.Query(ctx, query, studentID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get absence reports: %w", err)
-	}
-	defer rows.Close()
-
-	var reports []models.AbsenceReport
-	for rows.Next() {
-		var report models.AbsenceReport
-		err := rows.Scan(
-			&report.ID, &report.StudentID, &report.StartDate, &report.EndDate,
-			&report.Reason, &report.ReasonCategory, &report.Status,
-			&report.ReportedBy, &report.ReportedAt, &report.ConfirmedBy, &report.ConfirmedAt,
-			&report.MedicalCertificate, &report.CertificateUploaded,
-			&report.MatrixNotificationSent, &report.EmailNotificationSent,
-			&report.CreatedAt, &report.UpdatedAt,
-		)
-		if err != nil {
-			return nil, fmt.Errorf("failed to scan absence report: %w", err)
-		}
-		reports = append(reports, report)
-	}
-
-	return reports, nil
-}
-
-// GetPendingAbsenceReports gets all unconfirmed absence reports for a class
-func (s *AttendanceService) GetPendingAbsenceReports(ctx context.Context, classID uuid.UUID) ([]models.AbsenceReport, error) {
-	query := `
-		SELECT ar.id, ar.student_id, ar.start_date, ar.end_date, ar.reason, ar.reason_category, ar.status, ar.reported_by, ar.reported_at, ar.confirmed_by, ar.confirmed_at, ar.medical_certificate, ar.certificate_uploaded, ar.matrix_notification_sent, ar.email_notification_sent, ar.created_at, ar.updated_at
-		FROM absence_reports ar
-		JOIN students s ON ar.student_id = s.id
-		WHERE s.class_id = $1 AND ar.status = 'reported'
-		ORDER BY ar.start_date DESC`
-
-	rows, err := s.db.Pool.Query(ctx, query, classID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get pending absence reports: %w", err)
-	}
-	defer rows.Close()
-
-	var reports []models.AbsenceReport
-	for rows.Next() {
-		var report models.AbsenceReport
-		err := rows.Scan(
-			&report.ID, &report.StudentID, &report.StartDate, &report.EndDate,
-			&report.Reason, &report.ReasonCategory, &report.Status,
-			&report.ReportedBy, &report.ReportedAt, &report.ConfirmedBy, &report.ConfirmedAt,
-			&report.MedicalCertificate, &report.CertificateUploaded,
-			&report.MatrixNotificationSent, &report.EmailNotificationSent,
-			&report.CreatedAt, &report.UpdatedAt,
-		)
-		if err != nil {
-			return nil, fmt.Errorf("failed to scan absence report: %w", err)
-		}
-		reports = append(reports, report)
-	}
-
-	return reports, nil
-}
-
-// ========================================
-// Attendance Statistics
-// ========================================
-
-// GetStudentAttendanceStats gets attendance statistics for a student
-func (s *AttendanceService) GetStudentAttendanceStats(ctx context.Context, studentID uuid.UUID, schoolYearID uuid.UUID) (map[string]interface{}, error) {
-	query := `
-		SELECT
-			COUNT(*) as total_records,
-			COUNT(CASE WHEN status = 'present' THEN 1 END) as present_count,
-			COUNT(CASE WHEN status IN ('absent', 'excused', 'unexcused', 'pending_confirmation') THEN 1 END) as absent_count,
-			COUNT(CASE WHEN status = 'unexcused' THEN 1 END) as unexcused_count,
-			COUNT(CASE WHEN status IN ('late', 'late_excused') THEN 1 END) as late_count
-		FROM attendance_records ar
-		JOIN timetable_slots ts ON ar.slot_id = ts.id
-		JOIN schools sch ON ts.school_id = sch.id
-		JOIN school_years sy ON sy.school_id = sch.id AND sy.id = $2
-		WHERE ar.student_id = $1 AND ar.date >= sy.start_date AND ar.date <= sy.end_date`
-
-	var totalRecords, presentCount, absentCount, unexcusedCount, lateCount int
-	err := s.db.Pool.QueryRow(ctx, query, studentID, schoolYearID).Scan(
-		&totalRecords, &presentCount, &absentCount, &unexcusedCount, &lateCount,
-	)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get attendance stats: %w", err)
-	}
-
-	var attendanceRate float64
-	if totalRecords > 0 {
-		attendanceRate = float64(presentCount) / float64(totalRecords) * 100
-	}
-
-	return map[string]interface{}{
-		"total_records":    totalRecords,
-		"present_count":    presentCount,
-		"absent_count":     absentCount,
-		"unexcused_count":  unexcusedCount,
-		"late_count":       lateCount,
-		"attendance_rate":  attendanceRate,
-	}, nil
-}
-
-// ========================================
-// Parent Notifications
-// ========================================
-
-func (s *AttendanceService) notifyParentsOfAbsence(ctx context.Context, record *models.AttendanceRecord) {
-	if s.matrix == nil {
-		return
-	}
-
-	// Get student info
-	var studentFirstName, studentLastName, matrixDMRoom string
-	err := s.db.Pool.QueryRow(ctx, `
-		SELECT first_name, last_name, matrix_dm_room
-		FROM students
-		WHERE id = $1`, record.StudentID).Scan(&studentFirstName, &studentLastName, &matrixDMRoom)
-	if err != nil || matrixDMRoom == "" {
-		return
-	}
-
-	// Get slot info
-	var slotNumber int
-	err = s.db.Pool.QueryRow(ctx, `SELECT slot_number FROM timetable_slots WHERE id = $1`, record.SlotID).Scan(&slotNumber)
-	if err != nil {
-		return
-	}
-
-	studentName := studentFirstName + " " + studentLastName
-	dateStr := record.Date.Format("02.01.2006")
-
-	// Send Matrix notification
-	err = s.matrix.SendAbsenceNotification(ctx, matrixDMRoom, studentName, dateStr, slotNumber)
-	if err != nil {
-		fmt.Printf("Failed to send absence notification: %v\n", err)
-		return
-	}
-
-	// Update notification status
-	s.db.Pool.Exec(ctx, `
-		UPDATE attendance_records
-		SET updated_at = NOW()
-		WHERE id = $1`, record.ID)
-
-	// Log the notification
-	s.createAbsenceNotificationLog(ctx, record.ID, studentName, dateStr, slotNumber)
-}
-
-func (s *AttendanceService) notifyParentsOfAbsenceByStudentID(ctx context.Context, studentID uuid.UUID, date time.Time, slotID uuid.UUID) {
-	record := &models.AttendanceRecord{
-		StudentID: studentID,
-		Date:      date,
-		SlotID:    slotID,
-	}
-	s.notifyParentsOfAbsence(ctx, record)
-}
-
-func (s *AttendanceService) createAbsenceNotificationLog(ctx context.Context, recordID uuid.UUID, studentName, dateStr string, slotNumber int) {
-	// Get parent IDs for this student
-	query := `
-		SELECT p.id
-		FROM parents p
-		JOIN student_parents sp ON p.id = sp.parent_id
-		JOIN attendance_records ar ON sp.student_id = ar.student_id
-		WHERE ar.id = $1`
-
-	rows, err := s.db.Pool.Query(ctx, query, recordID)
-	if err != nil {
-		return
-	}
-	defer rows.Close()
-
-	message := fmt.Sprintf("Abwesenheitsmeldung: %s war am %s in der %d. Stunde nicht anwesend.", studentName, dateStr, slotNumber)
-
-	for rows.Next() {
-		var parentID uuid.UUID
-		if err := rows.Scan(&parentID); err != nil {
-			continue
-		}
-
-		// Insert notification log
-		s.db.Pool.Exec(ctx, `
-			INSERT INTO absence_notifications (id, attendance_record_id, parent_id, channel, message_content, sent_at, created_at)
-			VALUES ($1, $2, $3, 'matrix', $4, NOW(), NOW())`,
-			uuid.New(), recordID, parentID, message)
-	}
-}
diff --git a/consent-service/internal/services/attendance_service_ops.go b/consent-service/internal/services/attendance_service_ops.go
new file mode 100644
index 0000000..74dfbfc
--- /dev/null
+++ b/consent-service/internal/services/attendance_service_ops.go
@@ -0,0 +1,280 @@
+package services
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/models"
+
+	"github.com/google/uuid"
+)
+
+// ========================================
+// Absence Reports (Parent-initiated)
+// ========================================
+
+// ReportAbsence allows parents to report a student's absence
+func (s *AttendanceService) ReportAbsence(ctx context.Context, req models.ReportAbsenceRequest, reportedByUserID uuid.UUID) (*models.AbsenceReport, error) {
+	studentID, err := uuid.Parse(req.StudentID)
+	if err != nil {
+		return nil, fmt.Errorf("invalid student ID: %w", err)
+	}
+
+	startDate, err := time.Parse("2006-01-02", req.StartDate)
+	if err != nil {
+		return nil, fmt.Errorf("invalid start date format: %w", err)
+	}
+
+	endDate, err := time.Parse("2006-01-02", req.EndDate)
+	if err != nil {
+		return nil, fmt.Errorf("invalid end date format: %w", err)
+	}
+
+	report := &models.AbsenceReport{
+		ID:             uuid.New(),
+		StudentID:      studentID,
+		StartDate:      startDate,
+		EndDate:        endDate,
+		Reason:         req.Reason,
+		ReasonCategory: req.ReasonCategory,
+		Status:         "reported",
+		ReportedBy:     reportedByUserID,
+		ReportedAt:     time.Now(),
+		CreatedAt:      time.Now(),
+		UpdatedAt:      time.Now(),
+	}
+
+	query := `
+		INSERT INTO absence_reports (id, student_id, start_date, end_date, reason, reason_category, status, reported_by, reported_at, created_at, updated_at)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
+		RETURNING id`
+
+	err = s.db.Pool.QueryRow(ctx, query,
+		report.ID, report.StudentID, report.StartDate, report.EndDate,
+		report.Reason, report.ReasonCategory, report.Status,
+		report.ReportedBy, report.ReportedAt, report.CreatedAt, report.UpdatedAt,
+	).Scan(&report.ID)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to create absence report: %w", err)
+	}
+
+	return report, nil
+}
+
+// ConfirmAbsence allows teachers to confirm/excuse an absence
+func (s *AttendanceService) ConfirmAbsence(ctx context.Context, reportID uuid.UUID, confirmedByUserID uuid.UUID, status string) error {
+	query := `
+		UPDATE absence_reports
+		SET status = $1, confirmed_by = $2, confirmed_at = NOW(), updated_at = NOW()
+		WHERE id = $3`
+
+	result, err := s.db.Pool.Exec(ctx, query, status, confirmedByUserID, reportID)
+	if err != nil {
+		return fmt.Errorf("failed to confirm absence: %w", err)
+	}
+
+	if result.RowsAffected() == 0 {
+		return fmt.Errorf("absence report not found")
+	}
+
+	return nil
+}
+
+// GetAbsenceReports gets absence reports for a student
+func (s *AttendanceService) GetAbsenceReports(ctx context.Context, studentID uuid.UUID) ([]models.AbsenceReport, error) {
+	query := `
+		SELECT id, student_id, start_date, end_date, reason, reason_category, status, reported_by, reported_at, confirmed_by, confirmed_at, medical_certificate, certificate_uploaded, matrix_notification_sent, email_notification_sent, created_at, updated_at
+		FROM absence_reports
+		WHERE student_id = $1
+		ORDER BY start_date DESC`
+
+	rows, err := s.db.Pool.Query(ctx, query, studentID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get absence reports: %w", err)
+	}
+	defer rows.Close()
+
+	var reports []models.AbsenceReport
+	for rows.Next() {
+		var report models.AbsenceReport
+		err := rows.Scan(
+			&report.ID, &report.StudentID, &report.StartDate, &report.EndDate,
+			&report.Reason, &report.ReasonCategory, &report.Status,
+			&report.ReportedBy, &report.ReportedAt, &report.ConfirmedBy, &report.ConfirmedAt,
+			&report.MedicalCertificate, &report.CertificateUploaded,
+			&report.MatrixNotificationSent, &report.EmailNotificationSent,
+			&report.CreatedAt, &report.UpdatedAt,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed to scan absence report: %w", err)
+		}
+		reports = append(reports, report)
+	}
+
+	return reports, nil
+}
+
+// GetPendingAbsenceReports gets all unconfirmed absence reports for a class
+func (s *AttendanceService) GetPendingAbsenceReports(ctx context.Context, classID uuid.UUID) ([]models.AbsenceReport, error) {
+	query := `
+		SELECT ar.id, ar.student_id, ar.start_date, ar.end_date, ar.reason, ar.reason_category, ar.status, ar.reported_by, ar.reported_at, ar.confirmed_by, ar.confirmed_at, ar.medical_certificate, ar.certificate_uploaded, ar.matrix_notification_sent, ar.email_notification_sent, ar.created_at, ar.updated_at
+		FROM absence_reports ar
+		JOIN students s ON ar.student_id = s.id
+		WHERE s.class_id = $1 AND ar.status = 'reported'
+		ORDER BY ar.start_date DESC`
+
+	rows, err := s.db.Pool.Query(ctx, query, classID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get pending absence reports: %w", err)
+	}
+	defer rows.Close()
+
+	var reports []models.AbsenceReport
+	for rows.Next() {
+		var report models.AbsenceReport
+		err := rows.Scan(
+			&report.ID, &report.StudentID, &report.StartDate, &report.EndDate,
+			&report.Reason, &report.ReasonCategory, &report.Status,
+			&report.ReportedBy, &report.ReportedAt, &report.ConfirmedBy, &report.ConfirmedAt,
+			&report.MedicalCertificate, &report.CertificateUploaded,
+			&report.MatrixNotificationSent, &report.EmailNotificationSent,
+			&report.CreatedAt, &report.UpdatedAt,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed to scan absence report: %w", err)
+		}
+		reports = append(reports, report)
+	}
+
+	return reports, nil
+}
+
+// ========================================
+// Attendance Statistics
+// ========================================
+
+// GetStudentAttendanceStats gets attendance statistics for a student
+func (s *AttendanceService) GetStudentAttendanceStats(ctx context.Context, studentID uuid.UUID, schoolYearID uuid.UUID) (map[string]interface{}, error) {
+	query := `
+		SELECT
+			COUNT(*) as total_records,
+			COUNT(CASE WHEN status = 'present' THEN 1 END) as present_count,
+			COUNT(CASE WHEN status IN ('absent', 'excused', 'unexcused', 'pending_confirmation') THEN 1 END) as absent_count,
+			COUNT(CASE WHEN status = 'unexcused' THEN 1 END) as unexcused_count,
+			COUNT(CASE WHEN status IN ('late', 'late_excused') THEN 1 END) as late_count
+		FROM attendance_records ar
+		JOIN timetable_slots ts ON ar.slot_id = ts.id
+		JOIN schools sch ON ts.school_id = sch.id
+		JOIN school_years sy ON sy.school_id = sch.id AND sy.id = $2
+		WHERE ar.student_id = $1 AND ar.date >= sy.start_date AND ar.date <= sy.end_date`
+
+	var totalRecords, presentCount, absentCount, unexcusedCount, lateCount int
+	err := s.db.Pool.QueryRow(ctx, query, studentID, schoolYearID).Scan(
+		&totalRecords, &presentCount, &absentCount, &unexcusedCount, &lateCount,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get attendance stats: %w", err)
+	}
+
+	var attendanceRate float64
+	if totalRecords > 0 {
+		attendanceRate = float64(presentCount) / float64(totalRecords) * 100
+	}
+
+	return map[string]interface{}{
+		"total_records":   totalRecords,
+		"present_count":   presentCount,
+		"absent_count":    absentCount,
+		"unexcused_count": unexcusedCount,
+		"late_count":      lateCount,
+		"attendance_rate": attendanceRate,
+	}, nil
+}
+
+// ========================================
+// Parent Notifications
+// ========================================
+
+func (s *AttendanceService) notifyParentsOfAbsence(ctx context.Context, record *models.AttendanceRecord) {
+	if s.matrix == nil {
+		return
+	}
+
+	// Get student info
+	var studentFirstName, studentLastName, matrixDMRoom string
+	err := s.db.Pool.QueryRow(ctx, `
+		SELECT first_name, last_name, matrix_dm_room
+		FROM students
+		WHERE id = $1`, record.StudentID).Scan(&studentFirstName, &studentLastName, &matrixDMRoom)
+	if err != nil || matrixDMRoom == "" {
+		return
+	}
+
+	// Get slot info
+	var slotNumber int
+	err = s.db.Pool.QueryRow(ctx, `SELECT slot_number FROM timetable_slots WHERE id = $1`, record.SlotID).Scan(&slotNumber)
+	if err != nil {
+		return
+	}
+
+	studentName := studentFirstName + " " + studentLastName
+	dateStr := record.Date.Format("02.01.2006")
+
+	// Send Matrix notification
+	err = s.matrix.SendAbsenceNotification(ctx, matrixDMRoom, studentName, dateStr, slotNumber)
+	if err != nil {
+		fmt.Printf("Failed to send absence notification: %v\n", err)
+		return
+	}
+
+	// Update notification status
+	s.db.Pool.Exec(ctx, `
+		UPDATE attendance_records
+		SET updated_at = NOW()
+		WHERE id = $1`, record.ID)
+
+	// Log the notification
+	s.createAbsenceNotificationLog(ctx, record.ID, studentName, dateStr, slotNumber)
+}
+
+func (s *AttendanceService) notifyParentsOfAbsenceByStudentID(ctx context.Context, studentID uuid.UUID, date time.Time, slotID uuid.UUID) {
+	record := &models.AttendanceRecord{
+		StudentID: studentID,
+		Date:      date,
+		SlotID:    slotID,
+	}
+	s.notifyParentsOfAbsence(ctx, record)
+}
+
+func (s *AttendanceService) createAbsenceNotificationLog(ctx context.Context, recordID uuid.UUID, studentName, dateStr string, slotNumber int) {
+	// Get parent IDs for this student
+	query := `
+		SELECT p.id
+		FROM parents p
+		JOIN student_parents sp ON p.id = sp.parent_id
+		JOIN attendance_records ar ON sp.student_id = ar.student_id
+		WHERE ar.id = $1`
+
+	rows, err := s.db.Pool.Query(ctx, query, recordID)
+	if err != nil {
+		return
+	}
+	defer rows.Close()
+
+	message := fmt.Sprintf("Abwesenheitsmeldung: %s war am %s in der %d. Stunde nicht anwesend.", studentName, dateStr, slotNumber)
+
+	for rows.Next() {
+		var parentID uuid.UUID
+		if err := rows.Scan(&parentID); err != nil {
+			continue
+		}
+
+		// Insert notification log
+		s.db.Pool.Exec(ctx, `
+			INSERT INTO absence_notifications (id, attendance_record_id, parent_id, channel, message_content, sent_at, created_at)
+			VALUES ($1, $2, $3, 'matrix', $4, NOW(), NOW())`,
+			uuid.New(), recordID, parentID, message)
+	}
+}
diff --git a/consent-service/internal/services/auth_service.go b/consent-service/internal/services/auth_service.go
index da02c9c..98fc732 100644
--- a/consent-service/internal/services/auth_service.go
+++ b/consent-service/internal/services/auth_service.go
@@ -383,186 +383,3 @@ func (s *AuthService) VerifyEmail(ctx context.Context, token string) error {
 	return nil
 }
 
-// CreatePasswordResetToken creates a password reset token
-func (s *AuthService) CreatePasswordResetToken(ctx context.Context, email, ipAddress string) (string, *uuid.UUID, error) {
-	var userID uuid.UUID
-	err := s.db.QueryRow(ctx, "SELECT id FROM users WHERE email = $1", email).Scan(&userID)
-	if err != nil {
-		// Don't reveal if user exists
-		return "", nil, nil
-	}
-
-	token, err := s.GenerateSecureToken(32)
-	if err != nil {
-		return "", nil, err
-	}
-
-	_, err = s.db.Exec(ctx, `
-		INSERT INTO password_reset_tokens (user_id, token, expires_at, ip_address, created_at)
-		VALUES ($1, $2, $3, $4, NOW())
-	`, userID, token, time.Now().Add(time.Hour), ipAddress)
-
-	if err != nil {
-		return "", nil, fmt.Errorf("failed to create reset token: %w", err)
-	}
-
-	return token, &userID, nil
-}
-
-// ResetPassword resets a user's password using a reset token
-func (s *AuthService) ResetPassword(ctx context.Context, token, newPassword string) error {
-	var tokenID uuid.UUID
-	var userID uuid.UUID
-	var expiresAt time.Time
-	var usedAt *time.Time
-
-	err := s.db.QueryRow(ctx, `
-		SELECT id, user_id, expires_at, used_at FROM password_reset_tokens
-		WHERE token = $1
-	`, token).Scan(&tokenID, &userID, &expiresAt, &usedAt)
-
-	if err != nil {
-		return ErrInvalidToken
-	}
-
-	if usedAt != nil || expiresAt.Before(time.Now()) {
-		return ErrInvalidToken
-	}
-
-	// Hash new password
-	passwordHash, err := s.HashPassword(newPassword)
-	if err != nil {
-		return err
-	}
-
-	// Mark token as used
-	_, err = s.db.Exec(ctx, `UPDATE password_reset_tokens SET used_at = NOW() WHERE id = $1`, tokenID)
-	if err != nil {
-		return fmt.Errorf("failed to update token: %w", err)
-	}
-
-	// Update password
-	_, err = s.db.Exec(ctx, `
-		UPDATE users SET password_hash = $1, updated_at = NOW() WHERE id = $2
-	`, passwordHash, userID)
-
-	if err != nil {
-		return fmt.Errorf("failed to update password: %w", err)
-	}
-
-	// Revoke all sessions for security
-	_, err = s.db.Exec(ctx, `UPDATE user_sessions SET revoked_at = NOW() WHERE user_id = $1 AND revoked_at IS NULL`, userID)
-	if err != nil {
-		fmt.Printf("Warning: failed to revoke sessions: %v\n", err)
-	}
-
-	return nil
-}
-
-// ChangePassword changes a user's password (requires current password)
-func (s *AuthService) ChangePassword(ctx context.Context, userID uuid.UUID, currentPassword, newPassword string) error {
-	var passwordHash *string
-	err := s.db.QueryRow(ctx, "SELECT password_hash FROM users WHERE id = $1", userID).Scan(&passwordHash)
-	if err != nil {
-		return ErrUserNotFound
-	}
-
-	if passwordHash == nil || !s.VerifyPassword(currentPassword, *passwordHash) {
-		return ErrInvalidCredentials
-	}
-
-	newPasswordHash, err := s.HashPassword(newPassword)
-	if err != nil {
-		return err
-	}
-
-	_, err = s.db.Exec(ctx, `UPDATE users SET password_hash = $1, updated_at = NOW() WHERE id = $2`, newPasswordHash, userID)
-	if err != nil {
-		return fmt.Errorf("failed to update password: %w", err)
-	}
-
-	return nil
-}
-
-// GetUserByID retrieves a user by ID
-func (s *AuthService) GetUserByID(ctx context.Context, userID uuid.UUID) (*models.User, error) {
-	var user models.User
-	err := s.db.QueryRow(ctx, `
-		SELECT id, email, name, role, email_verified, email_verified_at, account_status,
-		       last_login_at, created_at, updated_at
-		FROM users WHERE id = $1
-	`, userID).Scan(
-		&user.ID, &user.Email, &user.Name, &user.Role, &user.EmailVerified, &user.EmailVerifiedAt,
-		&user.AccountStatus, &user.LastLoginAt, &user.CreatedAt, &user.UpdatedAt,
-	)
-
-	if err != nil {
-		return nil, ErrUserNotFound
-	}
-
-	return &user, nil
-}
-
-// UpdateProfile updates a user's profile
-func (s *AuthService) UpdateProfile(ctx context.Context, userID uuid.UUID, req *models.UpdateProfileRequest) (*models.User, error) {
-	_, err := s.db.Exec(ctx, `UPDATE users SET name = $1, updated_at = NOW() WHERE id = $2`, req.Name, userID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to update profile: %w", err)
-	}
-
-	return s.GetUserByID(ctx, userID)
-}
-
-// GetActiveSessions retrieves all active sessions for a user
-func (s *AuthService) GetActiveSessions(ctx context.Context, userID uuid.UUID) ([]models.UserSession, error) {
-	rows, err := s.db.Query(ctx, `
-		SELECT id, user_id, device_info, ip_address, user_agent, expires_at, created_at, last_activity_at
-		FROM user_sessions
-		WHERE user_id = $1 AND revoked_at IS NULL AND expires_at > NOW()
-		ORDER BY last_activity_at DESC
-	`, userID)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to get sessions: %w", err)
-	}
-	defer rows.Close()
-
-	var sessions []models.UserSession
-	for rows.Next() {
-		var session models.UserSession
-		err := rows.Scan(
-			&session.ID, &session.UserID, &session.DeviceInfo, &session.IPAddress,
-			&session.UserAgent, &session.ExpiresAt, &session.CreatedAt, &session.LastActivityAt,
-		)
-		if err != nil {
-			return nil, fmt.Errorf("failed to scan session: %w", err)
-		}
-		sessions = append(sessions, session)
-	}
-
-	return sessions, nil
-}
-
-// RevokeSession revokes a specific session
-func (s *AuthService) RevokeSession(ctx context.Context, userID, sessionID uuid.UUID) error {
-	result, err := s.db.Exec(ctx, `
-		UPDATE user_sessions SET revoked_at = NOW() WHERE id = $1 AND user_id = $2 AND revoked_at IS NULL
-	`, sessionID, userID)
-
-	if err != nil {
-		return fmt.Errorf("failed to revoke session: %w", err)
-	}
-
-	if result.RowsAffected() == 0 {
-		return errors.New("session not found")
-	}
-
-	return nil
-}
-
-// Logout revokes a session by refresh token
-func (s *AuthService) Logout(ctx context.Context, refreshToken string) error {
-	tokenHash := s.HashToken(refreshToken)
-	_, err := s.db.Exec(ctx, `UPDATE user_sessions SET revoked_at = NOW() WHERE token_hash = $1`, tokenHash)
-	return err
-}
diff --git a/consent-service/internal/services/auth_service_sessions.go b/consent-service/internal/services/auth_service_sessions.go
new file mode 100644
index 0000000..841f268
--- /dev/null
+++ b/consent-service/internal/services/auth_service_sessions.go
@@ -0,0 +1,196 @@
+package services
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+
+	"github.com/breakpilot/consent-service/internal/models"
+)
+
+// CreatePasswordResetToken creates a password reset token
+func (s *AuthService) CreatePasswordResetToken(ctx context.Context, email, ipAddress string) (string, *uuid.UUID, error) {
+	var userID uuid.UUID
+	err := s.db.QueryRow(ctx, "SELECT id FROM users WHERE email = $1", email).Scan(&userID)
+	if err != nil {
+		// Don't reveal if user exists
+		return "", nil, nil
+	}
+
+	token, err := s.GenerateSecureToken(32)
+	if err != nil {
+		return "", nil, err
+	}
+
+	_, err = s.db.Exec(ctx, `
+		INSERT INTO password_reset_tokens (user_id, token, expires_at, ip_address, created_at)
+		VALUES ($1, $2, $3, $4, NOW())
+	`, userID, token, time.Now().Add(time.Hour), ipAddress)
+
+	if err != nil {
+		return "", nil, fmt.Errorf("failed to create reset token: %w", err)
+	}
+
+	return token, &userID, nil
+}
+
+// ResetPassword resets a user's password using a reset token
+func (s *AuthService) ResetPassword(ctx context.Context, token, newPassword string) error {
+	var tokenID uuid.UUID
+	var userID uuid.UUID
+	var expiresAt time.Time
+	var usedAt *time.Time
+
+	err := s.db.QueryRow(ctx, `
+		SELECT id, user_id, expires_at, used_at FROM password_reset_tokens
+		WHERE token = $1
+	`, token).Scan(&tokenID, &userID, &expiresAt, &usedAt)
+
+	if err != nil {
+		return ErrInvalidToken
+	}
+
+	if usedAt != nil || expiresAt.Before(time.Now()) {
+		return ErrInvalidToken
+	}
+
+	// Hash new password
+	passwordHash, err := s.HashPassword(newPassword)
+	if err != nil {
+		return err
+	}
+
+	// Mark token as used
+	_, err = s.db.Exec(ctx, `UPDATE password_reset_tokens SET used_at = NOW() WHERE id = $1`, tokenID)
+	if err != nil {
+		return fmt.Errorf("failed to update token: %w", err)
+	}
+
+	// Update password
+	_, err = s.db.Exec(ctx, `
+		UPDATE users SET password_hash = $1, updated_at = NOW() WHERE id = $2
+	`, passwordHash, userID)
+
+	if err != nil {
+		return fmt.Errorf("failed to update password: %w", err)
+	}
+
+	// Revoke all sessions for security
+	_, err = s.db.Exec(ctx, `UPDATE user_sessions SET revoked_at = NOW() WHERE user_id = $1 AND revoked_at IS NULL`, userID)
+	if err != nil {
+		fmt.Printf("Warning: failed to revoke sessions: %v\n", err)
+	}
+
+	return nil
+}
+
+// ChangePassword changes a user's password (requires current password)
+func (s *AuthService) ChangePassword(ctx context.Context, userID uuid.UUID, currentPassword, newPassword string) error {
+	var passwordHash *string
+	err := s.db.QueryRow(ctx, "SELECT password_hash FROM users WHERE id = $1", userID).Scan(&passwordHash)
+	if err != nil {
+		return ErrUserNotFound
+	}
+
+	if passwordHash == nil || !s.VerifyPassword(currentPassword, *passwordHash) {
+		return ErrInvalidCredentials
+	}
+
+	newPasswordHash, err := s.HashPassword(newPassword)
+	if err != nil {
+		return err
+	}
+
+	_, err = s.db.Exec(ctx, `UPDATE users SET password_hash = $1, updated_at = NOW() WHERE id = $2`, newPasswordHash, userID)
+	if err != nil {
+		return fmt.Errorf("failed to update password: %w", err)
+	}
+
+	return nil
+}
+
+// GetUserByID retrieves a user by ID
+func (s *AuthService) GetUserByID(ctx context.Context, userID uuid.UUID) (*models.User, error) {
+	var user models.User
+	err := s.db.QueryRow(ctx, `
+		SELECT id, email, name, role, email_verified, email_verified_at, account_status,
+		       last_login_at, created_at, updated_at
+		FROM users WHERE id = $1
+	`, userID).Scan(
+		&user.ID, &user.Email, &user.Name, &user.Role, &user.EmailVerified, &user.EmailVerifiedAt,
+		&user.AccountStatus, &user.LastLoginAt, &user.CreatedAt, &user.UpdatedAt,
+	)
+
+	if err != nil {
+		return nil, ErrUserNotFound
+	}
+
+	return &user, nil
+}
+
+// UpdateProfile updates a user's profile
+func (s *AuthService) UpdateProfile(ctx context.Context, userID uuid.UUID, req *models.UpdateProfileRequest) (*models.User, error) {
+	_, err := s.db.Exec(ctx, `UPDATE users SET name = $1, updated_at = NOW() WHERE id = $2`, req.Name, userID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to update profile: %w", err)
+	}
+
+	return s.GetUserByID(ctx, userID)
+}
+
+// GetActiveSessions retrieves all active sessions for a user
+func (s *AuthService) GetActiveSessions(ctx context.Context, userID uuid.UUID) ([]models.UserSession, error) {
+	rows, err := s.db.Query(ctx, `
+		SELECT id, user_id, device_info, ip_address, user_agent, expires_at, created_at, last_activity_at
+		FROM user_sessions
+		WHERE user_id = $1 AND revoked_at IS NULL AND expires_at > NOW()
+		ORDER BY last_activity_at DESC
+	`, userID)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to get sessions: %w", err)
+	}
+	defer rows.Close()
+
+	var sessions []models.UserSession
+	for rows.Next() {
+		var session models.UserSession
+		err := rows.Scan(
+			&session.ID, &session.UserID, &session.DeviceInfo, &session.IPAddress,
+			&session.UserAgent, &session.ExpiresAt, &session.CreatedAt, &session.LastActivityAt,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed to scan session: %w", err)
+		}
+		sessions = append(sessions, session)
+	}
+
+	return sessions, nil
+}
+
+// RevokeSession revokes a specific session
+func (s *AuthService) RevokeSession(ctx context.Context, userID, sessionID uuid.UUID) error {
+	result, err := s.db.Exec(ctx, `
+		UPDATE user_sessions SET revoked_at = NOW() WHERE id = $1 AND user_id = $2 AND revoked_at IS NULL
+	`, sessionID, userID)
+
+	if err != nil {
+		return fmt.Errorf("failed to revoke session: %w", err)
+	}
+
+	if result.RowsAffected() == 0 {
+		return errors.New("session not found")
+	}
+
+	return nil
+}
+
+// Logout revokes a session by refresh token
+func (s *AuthService) Logout(ctx context.Context, refreshToken string) error {
+	tokenHash := s.HashToken(refreshToken)
+	_, err := s.db.Exec(ctx, `UPDATE user_sessions SET revoked_at = NOW() WHERE token_hash = $1`, tokenHash)
+	return err
+}
diff --git a/consent-service/internal/services/dsr_service.go b/consent-service/internal/services/dsr_service.go
index 7b44c0d..3ddfce3 100644
--- a/consent-service/internal/services/dsr_service.go
+++ b/consent-service/internal/services/dsr_service.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"strings"
 	"time"
 
 	"github.com/breakpilot/consent-service/internal/models"
@@ -367,29 +366,6 @@ func (s *DSRService) AssignRequest(ctx context.Context, id uuid.UUID, assigneeID
 	return nil
 }
 
-// ExtendDeadline extends the deadline for a DSR
-func (s *DSRService) ExtendDeadline(ctx context.Context, id uuid.UUID, reason string, days int, extendedBy uuid.UUID) error {
-	// Default extension is 2 months (60 days) per Art. 12(3)
-	if days <= 0 {
-		days = 60
-	}
-
-	_, err := s.pool.Exec(ctx, `
-		UPDATE data_subject_requests
-		SET extended_deadline_at = deadline_at + ($1 || ' days')::INTERVAL,
-			extension_reason = $2,
-			updated_at = NOW()
-		WHERE id = $3
-	`, days, reason, id)
-	if err != nil {
-		return fmt.Errorf("failed to extend deadline: %w", err)
-	}
-
-	s.recordStatusChange(ctx, id, nil, "", &extendedBy, fmt.Sprintf("Frist um %d Tage verlängert: %s", days, reason))
-
-	return nil
-}
-
 // CompleteRequest marks a DSR as completed
 func (s *DSRService) CompleteRequest(ctx context.Context, id uuid.UUID, summary string, resultData map[string]interface{}, completedBy uuid.UUID) error {
 	resultJSON, _ := json.Marshal(resultData)
@@ -470,352 +446,7 @@ func (s *DSRService) CancelRequest(ctx context.Context, id uuid.UUID, cancelledB
 	return nil
 }
 
-// GetDashboardStats returns statistics for the admin dashboard
-func (s *DSRService) GetDashboardStats(ctx context.Context) (*models.DSRDashboardStats, error) {
-	stats := &models.DSRDashboardStats{
-		ByType:   make(map[string]int),
-		ByStatus: make(map[string]int),
-	}
-
-	// Total requests
-	s.pool.QueryRow(ctx, "SELECT COUNT(*) FROM data_subject_requests").Scan(&stats.TotalRequests)
-
-	// Pending requests (not completed, rejected, or cancelled)
-	s.pool.QueryRow(ctx, `
-		SELECT COUNT(*) FROM data_subject_requests
-		WHERE status NOT IN ('completed', 'rejected', 'cancelled')
-	`).Scan(&stats.PendingRequests)
-
-	// Overdue requests
-	s.pool.QueryRow(ctx, `
-		SELECT COUNT(*) FROM data_subject_requests
-		WHERE COALESCE(extended_deadline_at, deadline_at) < NOW()
-		AND status NOT IN ('completed', 'rejected', 'cancelled')
-	`).Scan(&stats.OverdueRequests)
-
-	// Completed this month
-	s.pool.QueryRow(ctx, `
-		SELECT COUNT(*) FROM data_subject_requests
-		WHERE status = 'completed'
-		AND completed_at >= DATE_TRUNC('month', NOW())
-	`).Scan(&stats.CompletedThisMonth)
-
-	// Average processing days
-	s.pool.QueryRow(ctx, `
-		SELECT COALESCE(AVG(EXTRACT(EPOCH FROM (completed_at - created_at)) / 86400), 0)
-		FROM data_subject_requests WHERE status = 'completed'
-	`).Scan(&stats.AverageProcessingDays)
-
-	// Count by type
-	rows, _ := s.pool.Query(ctx, `
-		SELECT request_type, COUNT(*) FROM data_subject_requests GROUP BY request_type
-	`)
-	for rows.Next() {
-		var t string
-		var count int
-		rows.Scan(&t, &count)
-		stats.ByType[t] = count
-	}
-	rows.Close()
-
-	// Count by status
-	rows, _ = s.pool.Query(ctx, `
-		SELECT status, COUNT(*) FROM data_subject_requests GROUP BY status
-	`)
-	for rows.Next() {
-		var s string
-		var count int
-		rows.Scan(&s, &count)
-		stats.ByStatus[s] = count
-	}
-	rows.Close()
-
-	// Upcoming deadlines (next 7 days)
-	rows, _ = s.pool.Query(ctx, `
-		SELECT id, request_number, request_type, status, requester_email, deadline_at
-		FROM data_subject_requests
-		WHERE COALESCE(extended_deadline_at, deadline_at) BETWEEN NOW() AND NOW() + INTERVAL '7 days'
-		AND status NOT IN ('completed', 'rejected', 'cancelled')
-		ORDER BY deadline_at ASC LIMIT 10
-	`)
-	for rows.Next() {
-		var dsr models.DataSubjectRequest
-		rows.Scan(&dsr.ID, &dsr.RequestNumber, &dsr.RequestType, &dsr.Status, &dsr.RequesterEmail, &dsr.DeadlineAt)
-		stats.UpcomingDeadlines = append(stats.UpcomingDeadlines, dsr)
-	}
-	rows.Close()
-
-	return stats, nil
-}
-
-// GetStatusHistory retrieves the status history for a DSR
-func (s *DSRService) GetStatusHistory(ctx context.Context, requestID uuid.UUID) ([]models.DSRStatusHistory, error) {
-	rows, err := s.pool.Query(ctx, `
-		SELECT id, request_id, from_status, to_status, changed_by, comment, metadata, created_at
-		FROM dsr_status_history WHERE request_id = $1 ORDER BY created_at DESC
-	`, requestID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to query status history: %w", err)
-	}
-	defer rows.Close()
-
-	var history []models.DSRStatusHistory
-	for rows.Next() {
-		var h models.DSRStatusHistory
-		var metadataJSON []byte
-		err := rows.Scan(&h.ID, &h.RequestID, &h.FromStatus, &h.ToStatus, &h.ChangedBy, &h.Comment, &metadataJSON, &h.CreatedAt)
-		if err != nil {
-			continue
-		}
-		json.Unmarshal(metadataJSON, &h.Metadata)
-		history = append(history, h)
-	}
-
-	return history, nil
-}
-
-// GetCommunications retrieves communications for a DSR
-func (s *DSRService) GetCommunications(ctx context.Context, requestID uuid.UUID) ([]models.DSRCommunication, error) {
-	rows, err := s.pool.Query(ctx, `
-		SELECT id, request_id, direction, channel, communication_type, template_version_id,
-			subject, body_html, body_text, recipient_email, sent_at, error_message,
-			attachments, created_at, created_by
-		FROM dsr_communications WHERE request_id = $1 ORDER BY created_at DESC
-	`, requestID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to query communications: %w", err)
-	}
-	defer rows.Close()
-
-	var comms []models.DSRCommunication
-	for rows.Next() {
-		var c models.DSRCommunication
-		var attachmentsJSON []byte
-		err := rows.Scan(&c.ID, &c.RequestID, &c.Direction, &c.Channel, &c.CommunicationType,
-			&c.TemplateVersionID, &c.Subject, &c.BodyHTML, &c.BodyText, &c.RecipientEmail,
-			&c.SentAt, &c.ErrorMessage, &attachmentsJSON, &c.CreatedAt, &c.CreatedBy)
-		if err != nil {
-			continue
-		}
-		json.Unmarshal(attachmentsJSON, &c.Attachments)
-		comms = append(comms, c)
-	}
-
-	return comms, nil
-}
-
-// SendCommunication sends a communication for a DSR
-func (s *DSRService) SendCommunication(ctx context.Context, requestID uuid.UUID, req models.SendDSRCommunicationRequest, sentBy uuid.UUID) error {
-	// Get DSR details
-	dsr, err := s.GetByID(ctx, requestID)
-	if err != nil {
-		return err
-	}
-
-	// Get template if specified
-	var subject, bodyHTML, bodyText string
-	if req.TemplateVersionID != nil {
-		templateVersionID, _ := uuid.Parse(*req.TemplateVersionID)
-		err := s.pool.QueryRow(ctx, `
-			SELECT subject, body_html, body_text FROM dsr_template_versions WHERE id = $1 AND status = 'published'
-		`, templateVersionID).Scan(&subject, &bodyHTML, &bodyText)
-		if err != nil {
-			return fmt.Errorf("template version not found or not published: %w", err)
-		}
-	}
-
-	// Use custom content if provided
-	if req.CustomSubject != nil {
-		subject = *req.CustomSubject
-	}
-	if req.CustomBody != nil {
-		bodyHTML = *req.CustomBody
-		bodyText = stripHTML(*req.CustomBody)
-	}
-
-	// Replace variables
-	variables := map[string]string{
-		"requester_name":  stringOrDefault(dsr.RequesterName, "Antragsteller/in"),
-		"request_number":  dsr.RequestNumber,
-		"request_type_de": dsr.RequestType.Label(),
-		"request_date":    dsr.CreatedAt.Format("02.01.2006"),
-		"deadline_date":   dsr.DeadlineAt.Format("02.01.2006"),
-	}
-	for k, v := range req.Variables {
-		variables[k] = v
-	}
-	subject = replaceVariables(subject, variables)
-	bodyHTML = replaceVariables(bodyHTML, variables)
-	bodyText = replaceVariables(bodyText, variables)
-
-	// Send email
-	if s.emailService != nil {
-		err = s.emailService.SendEmail(dsr.RequesterEmail, subject, bodyHTML, bodyText)
-		if err != nil {
-			// Log error but continue
-			_, _ = s.pool.Exec(ctx, `
-				INSERT INTO dsr_communications (request_id, direction, channel, communication_type,
-					template_version_id, subject, body_html, body_text, recipient_email, error_message, created_by)
-				VALUES ($1, 'outbound', 'email', $2, $3, $4, $5, $6, $7, $8, $9)
-			`, requestID, req.CommunicationType, req.TemplateVersionID, subject, bodyHTML, bodyText,
-				dsr.RequesterEmail, err.Error(), sentBy)
-			return fmt.Errorf("failed to send email: %w", err)
-		}
-	}
-
-	// Log communication
-	now := time.Now()
-	_, err = s.pool.Exec(ctx, `
-		INSERT INTO dsr_communications (request_id, direction, channel, communication_type,
-			template_version_id, subject, body_html, body_text, recipient_email, sent_at, created_by)
-		VALUES ($1, 'outbound', 'email', $2, $3, $4, $5, $6, $7, $8, $9)
-	`, requestID, req.CommunicationType, req.TemplateVersionID, subject, bodyHTML, bodyText,
-		dsr.RequesterEmail, now, sentBy)
-
-	return err
-}
-
-// InitErasureExceptionChecks initializes exception checks for an erasure request
-func (s *DSRService) InitErasureExceptionChecks(ctx context.Context, requestID uuid.UUID) error {
-	exceptions := []struct {
-		Type        string
-		Description string
-	}{
-		{models.DSRExceptionFreedomExpression, "Ausübung des Rechts auf freie Meinungsäußerung und Information (Art. 17 Abs. 3 lit. a)"},
-		{models.DSRExceptionLegalObligation, "Erfüllung einer rechtlichen Verpflichtung oder öffentlichen Aufgabe (Art. 17 Abs. 3 lit. b)"},
-		{models.DSRExceptionPublicHealth, "Gründe des öffentlichen Interesses im Bereich der öffentlichen Gesundheit (Art. 17 Abs. 3 lit. c)"},
-		{models.DSRExceptionArchiving, "Im öffentlichen Interesse liegende Archivzwecke, Forschung oder Statistik (Art. 17 Abs. 3 lit. d)"},
-		{models.DSRExceptionLegalClaims, "Geltendmachung, Ausübung oder Verteidigung von Rechtsansprüchen (Art. 17 Abs. 3 lit. e)"},
-	}
-
-	for _, exc := range exceptions {
-		_, err := s.pool.Exec(ctx, `
-			INSERT INTO dsr_exception_checks (request_id, exception_type, description)
-			VALUES ($1, $2, $3) ON CONFLICT DO NOTHING
-		`, requestID, exc.Type, exc.Description)
-		if err != nil {
-			return fmt.Errorf("failed to create exception check: %w", err)
-		}
-	}
-
-	return nil
-}
-
-// GetExceptionChecks retrieves exception checks for a DSR
-func (s *DSRService) GetExceptionChecks(ctx context.Context, requestID uuid.UUID) ([]models.DSRExceptionCheck, error) {
-	rows, err := s.pool.Query(ctx, `
-		SELECT id, request_id, exception_type, description, applies, checked_by, checked_at, notes, created_at
-		FROM dsr_exception_checks WHERE request_id = $1 ORDER BY created_at
-	`, requestID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to query exception checks: %w", err)
-	}
-	defer rows.Close()
-
-	var checks []models.DSRExceptionCheck
-	for rows.Next() {
-		var c models.DSRExceptionCheck
-		err := rows.Scan(&c.ID, &c.RequestID, &c.ExceptionType, &c.Description, &c.Applies,
-			&c.CheckedBy, &c.CheckedAt, &c.Notes, &c.CreatedAt)
-		if err != nil {
-			continue
-		}
-		checks = append(checks, c)
-	}
-
-	return checks, nil
-}
-
-// UpdateExceptionCheck updates an exception check
-func (s *DSRService) UpdateExceptionCheck(ctx context.Context, checkID uuid.UUID, applies bool, notes *string, checkedBy uuid.UUID) error {
-	_, err := s.pool.Exec(ctx, `
-		UPDATE dsr_exception_checks
-		SET applies = $1, notes = $2, checked_by = $3, checked_at = NOW()
-		WHERE id = $4
-	`, applies, notes, checkedBy, checkID)
-	return err
-}
-
-// ProcessDeadlines checks for approaching and overdue deadlines
-func (s *DSRService) ProcessDeadlines(ctx context.Context) error {
-	now := time.Now()
-
-	// Find requests with deadlines in 3 days
-	threeDaysAhead := now.AddDate(0, 0, 3)
-	rows, _ := s.pool.Query(ctx, `
-		SELECT id, request_number, request_type, assigned_to, deadline_at
-		FROM data_subject_requests
-		WHERE COALESCE(extended_deadline_at, deadline_at) BETWEEN $1 AND $2
-		AND status NOT IN ('completed', 'rejected', 'cancelled')
-	`, now, threeDaysAhead)
-	for rows.Next() {
-		var id uuid.UUID
-		var requestNumber, requestType string
-		var assignedTo *uuid.UUID
-		var deadline time.Time
-		rows.Scan(&id, &requestNumber, &requestType, &assignedTo, &deadline)
-
-		// Notify assigned user or all DPOs
-		if assignedTo != nil {
-			s.notifyDeadlineWarning(ctx, id, *assignedTo, requestNumber, deadline, 3)
-		} else {
-			s.notifyAllDPOs(ctx, id, requestNumber, "Frist in 3 Tagen", deadline)
-		}
-	}
-	rows.Close()
-
-	// Find requests with deadlines in 1 day
-	oneDayAhead := now.AddDate(0, 0, 1)
-	rows, _ = s.pool.Query(ctx, `
-		SELECT id, request_number, request_type, assigned_to, deadline_at
-		FROM data_subject_requests
-		WHERE COALESCE(extended_deadline_at, deadline_at) BETWEEN $1 AND $2
-		AND status NOT IN ('completed', 'rejected', 'cancelled')
-	`, now, oneDayAhead)
-	for rows.Next() {
-		var id uuid.UUID
-		var requestNumber, requestType string
-		var assignedTo *uuid.UUID
-		var deadline time.Time
-		rows.Scan(&id, &requestNumber, &requestType, &assignedTo, &deadline)
-
-		if assignedTo != nil {
-			s.notifyDeadlineWarning(ctx, id, *assignedTo, requestNumber, deadline, 1)
-		} else {
-			s.notifyAllDPOs(ctx, id, requestNumber, "Frist morgen!", deadline)
-		}
-	}
-	rows.Close()
-
-	// Find overdue requests
-	rows, _ = s.pool.Query(ctx, `
-		SELECT id, request_number, request_type, assigned_to, deadline_at
-		FROM data_subject_requests
-		WHERE COALESCE(extended_deadline_at, deadline_at) < $1
-		AND status NOT IN ('completed', 'rejected', 'cancelled')
-	`, now)
-	for rows.Next() {
-		var id uuid.UUID
-		var requestNumber, requestType string
-		var assignedTo *uuid.UUID
-		var deadline time.Time
-		rows.Scan(&id, &requestNumber, &requestType, &assignedTo, &deadline)
-
-		// Notify all DPOs for overdue
-		s.notifyAllDPOs(ctx, id, requestNumber, "ÜBERFÄLLIG!", deadline)
-
-		// Log to audit
-		s.pool.Exec(ctx, `
-			INSERT INTO consent_audit_log (action, entity_type, entity_id, details)
-			VALUES ('dsr_overdue', 'dsr', $1, $2)
-		`, id, fmt.Sprintf(`{"request_number": "%s", "deadline": "%s"}`, requestNumber, deadline.Format(time.RFC3339)))
-	}
-	rows.Close()
-
-	return nil
-}
-
-// Helper functions
+// --- Internal helpers ---
 
 func (s *DSRService) recordStatusChange(ctx context.Context, requestID uuid.UUID, fromStatus *models.DSRStatus, toStatus models.DSRStatus, changedBy *uuid.UUID, comment string) {
 	s.pool.Exec(ctx, `
@@ -824,62 +455,6 @@ func (s *DSRService) recordStatusChange(ctx context.Context, requestID uuid.UUID
 	`, requestID, fromStatus, toStatus, changedBy, comment)
 }
 
-func (s *DSRService) notifyNewRequest(ctx context.Context, dsr *models.DataSubjectRequest) {
-	if s.notificationService == nil {
-		return
-	}
-	// Notify all DPOs
-	rows, _ := s.pool.Query(ctx, "SELECT id FROM users WHERE role = 'data_protection_officer'")
-	defer rows.Close()
-	for rows.Next() {
-		var userID uuid.UUID
-		rows.Scan(&userID)
-		s.notificationService.CreateNotification(ctx, userID, NotificationTypeDSRReceived,
-			"Neue Betroffenenanfrage",
-			fmt.Sprintf("Neue %s eingegangen: %s", dsr.RequestType.Label(), dsr.RequestNumber),
-			map[string]interface{}{"dsr_id": dsr.ID, "request_number": dsr.RequestNumber})
-	}
-}
-
-func (s *DSRService) notifyAssignment(ctx context.Context, dsrID, assigneeID uuid.UUID) {
-	if s.notificationService == nil {
-		return
-	}
-	dsr, _ := s.GetByID(ctx, dsrID)
-	if dsr != nil {
-		s.notificationService.CreateNotification(ctx, assigneeID, NotificationTypeDSRAssigned,
-			"Betroffenenanfrage zugewiesen",
-			fmt.Sprintf("Ihnen wurde die Anfrage %s zugewiesen", dsr.RequestNumber),
-			map[string]interface{}{"dsr_id": dsrID, "request_number": dsr.RequestNumber})
-	}
-}
-
-func (s *DSRService) notifyDeadlineWarning(ctx context.Context, dsrID, userID uuid.UUID, requestNumber string, deadline time.Time, daysLeft int) {
-	if s.notificationService == nil {
-		return
-	}
-	s.notificationService.CreateNotification(ctx, userID, NotificationTypeDSRDeadline,
-		fmt.Sprintf("Fristwarnung: %s", requestNumber),
-		fmt.Sprintf("Die Frist für %s läuft in %d Tag(en) ab (%s)", requestNumber, daysLeft, deadline.Format("02.01.2006")),
-		map[string]interface{}{"dsr_id": dsrID, "deadline": deadline, "days_left": daysLeft})
-}
-
-func (s *DSRService) notifyAllDPOs(ctx context.Context, dsrID uuid.UUID, requestNumber, message string, deadline time.Time) {
-	if s.notificationService == nil {
-		return
-	}
-	rows, _ := s.pool.Query(ctx, "SELECT id FROM users WHERE role = 'data_protection_officer'")
-	defer rows.Close()
-	for rows.Next() {
-		var userID uuid.UUID
-		rows.Scan(&userID)
-		s.notificationService.CreateNotification(ctx, userID, NotificationTypeDSRDeadline,
-			fmt.Sprintf("%s: %s", message, requestNumber),
-			fmt.Sprintf("Anfrage %s: %s (Frist: %s)", requestNumber, message, deadline.Format("02.01.2006")),
-			map[string]interface{}{"dsr_id": dsrID, "deadline": deadline})
-	}
-}
-
 func isValidRequestType(rt models.DSRRequestType) bool {
 	switch rt {
 	case models.DSRTypeAccess, models.DSRTypeRectification, models.DSRTypeErasure,
@@ -891,12 +466,12 @@ func isValidRequestType(rt models.DSRRequestType) bool {
 
 func isValidStatusTransition(from, to models.DSRStatus) bool {
 	validTransitions := map[models.DSRStatus][]models.DSRStatus{
-		models.DSRStatusIntake:              {models.DSRStatusIdentityVerification, models.DSRStatusProcessing, models.DSRStatusRejected, models.DSRStatusCancelled},
-		models.DSRStatusIdentityVerification: {models.DSRStatusProcessing, models.DSRStatusRejected, models.DSRStatusCancelled},
-		models.DSRStatusProcessing:          {models.DSRStatusCompleted, models.DSRStatusRejected, models.DSRStatusCancelled},
-		models.DSRStatusCompleted:           {},
-		models.DSRStatusRejected:            {},
-		models.DSRStatusCancelled:           {},
+		models.DSRStatusIntake:                {models.DSRStatusIdentityVerification, models.DSRStatusProcessing, models.DSRStatusRejected, models.DSRStatusCancelled},
+		models.DSRStatusIdentityVerification:  {models.DSRStatusProcessing, models.DSRStatusRejected, models.DSRStatusCancelled},
+		models.DSRStatusProcessing:            {models.DSRStatusCompleted, models.DSRStatusRejected, models.DSRStatusCancelled},
+		models.DSRStatusCompleted:             {},
+		models.DSRStatusRejected:              {},
+		models.DSRStatusCancelled:             {},
 	}
 
 	allowed, exists := validTransitions[from]
@@ -910,38 +485,3 @@ func isValidStatusTransition(from, to models.DSRStatus) bool {
 	}
 	return false
 }
-
-func stringOrDefault(s *string, def string) string {
-	if s != nil {
-		return *s
-	}
-	return def
-}
-
-func replaceVariables(text string, variables map[string]string) string {
-	for k, v := range variables {
-		text = strings.ReplaceAll(text, "{{"+k+"}}", v)
-	}
-	return text
-}
-
-func stripHTML(html string) string {
-	// Simple HTML stripping - in production use a proper library
-	text := strings.ReplaceAll(html, "<br>", "\n")
-	text = strings.ReplaceAll(text, "<br/>", "\n")
-	text = strings.ReplaceAll(text, "<br />", "\n")
-	text = strings.ReplaceAll(text, "</p>", "\n\n")
-	// Remove all remaining tags
-	for {
-		start := strings.Index(text, "<")
-		if start == -1 {
-			break
-		}
-		end := strings.Index(text[start:], ">")
-		if end == -1 {
-			break
-		}
-		text = text[:start] + text[start+end+1:]
-	}
-	return strings.TrimSpace(text)
-}
diff --git a/consent-service/internal/services/dsr_service_comms.go b/consent-service/internal/services/dsr_service_comms.go
new file mode 100644
index 0000000..92a0398
--- /dev/null
+++ b/consent-service/internal/services/dsr_service_comms.go
@@ -0,0 +1,208 @@
+package services
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/google/uuid"
+)
+
+// GetCommunications retrieves communications for a DSR
+func (s *DSRService) GetCommunications(ctx context.Context, requestID uuid.UUID) ([]models.DSRCommunication, error) {
+	rows, err := s.pool.Query(ctx, `
+		SELECT id, request_id, direction, channel, communication_type, template_version_id,
+			subject, body_html, body_text, recipient_email, sent_at, error_message,
+			attachments, created_at, created_by
+		FROM dsr_communications WHERE request_id = $1 ORDER BY created_at DESC
+	`, requestID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query communications: %w", err)
+	}
+	defer rows.Close()
+
+	var comms []models.DSRCommunication
+	for rows.Next() {
+		var c models.DSRCommunication
+		var attachmentsJSON []byte
+		err := rows.Scan(&c.ID, &c.RequestID, &c.Direction, &c.Channel, &c.CommunicationType,
+			&c.TemplateVersionID, &c.Subject, &c.BodyHTML, &c.BodyText, &c.RecipientEmail,
+			&c.SentAt, &c.ErrorMessage, &attachmentsJSON, &c.CreatedAt, &c.CreatedBy)
+		if err != nil {
+			continue
+		}
+		json.Unmarshal(attachmentsJSON, &c.Attachments)
+		comms = append(comms, c)
+	}
+
+	return comms, nil
+}
+
+// SendCommunication sends a communication for a DSR
+func (s *DSRService) SendCommunication(ctx context.Context, requestID uuid.UUID, req models.SendDSRCommunicationRequest, sentBy uuid.UUID) error {
+	// Get DSR details
+	dsr, err := s.GetByID(ctx, requestID)
+	if err != nil {
+		return err
+	}
+
+	// Get template if specified
+	var subject, bodyHTML, bodyText string
+	if req.TemplateVersionID != nil {
+		templateVersionID, _ := uuid.Parse(*req.TemplateVersionID)
+		err := s.pool.QueryRow(ctx, `
+			SELECT subject, body_html, body_text FROM dsr_template_versions WHERE id = $1 AND status = 'published'
+		`, templateVersionID).Scan(&subject, &bodyHTML, &bodyText)
+		if err != nil {
+			return fmt.Errorf("template version not found or not published: %w", err)
+		}
+	}
+
+	// Use custom content if provided
+	if req.CustomSubject != nil {
+		subject = *req.CustomSubject
+	}
+	if req.CustomBody != nil {
+		bodyHTML = *req.CustomBody
+		bodyText = stripHTML(*req.CustomBody)
+	}
+
+	// Replace variables
+	variables := map[string]string{
+		"requester_name":  stringOrDefault(dsr.RequesterName, "Antragsteller/in"),
+		"request_number":  dsr.RequestNumber,
+		"request_type_de": dsr.RequestType.Label(),
+		"request_date":    dsr.CreatedAt.Format("02.01.2006"),
+		"deadline_date":   dsr.DeadlineAt.Format("02.01.2006"),
+	}
+	for k, v := range req.Variables {
+		variables[k] = v
+	}
+	subject = replaceVariables(subject, variables)
+	bodyHTML = replaceVariables(bodyHTML, variables)
+	bodyText = replaceVariables(bodyText, variables)
+
+	// Send email
+	if s.emailService != nil {
+		err = s.emailService.SendEmail(dsr.RequesterEmail, subject, bodyHTML, bodyText)
+		if err != nil {
+			// Log error but continue
+			_, _ = s.pool.Exec(ctx, `
+				INSERT INTO dsr_communications (request_id, direction, channel, communication_type,
+					template_version_id, subject, body_html, body_text, recipient_email, error_message, created_by)
+				VALUES ($1, 'outbound', 'email', $2, $3, $4, $5, $6, $7, $8, $9)
+			`, requestID, req.CommunicationType, req.TemplateVersionID, subject, bodyHTML, bodyText,
+				dsr.RequesterEmail, err.Error(), sentBy)
+			return fmt.Errorf("failed to send email: %w", err)
+		}
+	}
+
+	// Log communication
+	now := time.Now()
+	_, err = s.pool.Exec(ctx, `
+		INSERT INTO dsr_communications (request_id, direction, channel, communication_type,
+			template_version_id, subject, body_html, body_text, recipient_email, sent_at, created_by)
+		VALUES ($1, 'outbound', 'email', $2, $3, $4, $5, $6, $7, $8, $9)
+	`, requestID, req.CommunicationType, req.TemplateVersionID, subject, bodyHTML, bodyText,
+		dsr.RequesterEmail, now, sentBy)
+
+	return err
+}
+
+// --- Notification helpers ---
+
+func (s *DSRService) notifyNewRequest(ctx context.Context, dsr *models.DataSubjectRequest) {
+	if s.notificationService == nil {
+		return
+	}
+	// Notify all DPOs
+	rows, _ := s.pool.Query(ctx, "SELECT id FROM users WHERE role = 'data_protection_officer'")
+	defer rows.Close()
+	for rows.Next() {
+		var userID uuid.UUID
+		rows.Scan(&userID)
+		s.notificationService.CreateNotification(ctx, userID, NotificationTypeDSRReceived,
+			"Neue Betroffenenanfrage",
+			fmt.Sprintf("Neue %s eingegangen: %s", dsr.RequestType.Label(), dsr.RequestNumber),
+			map[string]interface{}{"dsr_id": dsr.ID, "request_number": dsr.RequestNumber})
+	}
+}
+
+func (s *DSRService) notifyAssignment(ctx context.Context, dsrID, assigneeID uuid.UUID) {
+	if s.notificationService == nil {
+		return
+	}
+	dsr, _ := s.GetByID(ctx, dsrID)
+	if dsr != nil {
+		s.notificationService.CreateNotification(ctx, assigneeID, NotificationTypeDSRAssigned,
+			"Betroffenenanfrage zugewiesen",
+			fmt.Sprintf("Ihnen wurde die Anfrage %s zugewiesen", dsr.RequestNumber),
+			map[string]interface{}{"dsr_id": dsrID, "request_number": dsr.RequestNumber})
+	}
+}
+
+func (s *DSRService) notifyDeadlineWarning(ctx context.Context, dsrID, userID uuid.UUID, requestNumber string, deadline time.Time, daysLeft int) {
+	if s.notificationService == nil {
+		return
+	}
+	s.notificationService.CreateNotification(ctx, userID, NotificationTypeDSRDeadline,
+		fmt.Sprintf("Fristwarnung: %s", requestNumber),
+		fmt.Sprintf("Die Frist für %s läuft in %d Tag(en) ab (%s)", requestNumber, daysLeft, deadline.Format("02.01.2006")),
+		map[string]interface{}{"dsr_id": dsrID, "deadline": deadline, "days_left": daysLeft})
+}
+
+func (s *DSRService) notifyAllDPOs(ctx context.Context, dsrID uuid.UUID, requestNumber, message string, deadline time.Time) {
+	if s.notificationService == nil {
+		return
+	}
+	rows, _ := s.pool.Query(ctx, "SELECT id FROM users WHERE role = 'data_protection_officer'")
+	defer rows.Close()
+	for rows.Next() {
+		var userID uuid.UUID
+		rows.Scan(&userID)
+		s.notificationService.CreateNotification(ctx, userID, NotificationTypeDSRDeadline,
+			fmt.Sprintf("%s: %s", message, requestNumber),
+			fmt.Sprintf("Anfrage %s: %s (Frist: %s)", requestNumber, message, deadline.Format("02.01.2006")),
+			map[string]interface{}{"dsr_id": dsrID, "deadline": deadline})
+	}
+}
+
+// --- String utility helpers ---
+
+func stringOrDefault(s *string, def string) string {
+	if s != nil {
+		return *s
+	}
+	return def
+}
+
+func replaceVariables(text string, variables map[string]string) string {
+	for k, v := range variables {
+		text = strings.ReplaceAll(text, "{{"+k+"}}", v)
+	}
+	return text
+}
+
+func stripHTML(html string) string {
+	// Simple HTML stripping - in production use a proper library
+	text := strings.ReplaceAll(html, "<br>", "\n")
+	text = strings.ReplaceAll(text, "<br/>", "\n")
+	text = strings.ReplaceAll(text, "<br />", "\n")
+	text = strings.ReplaceAll(text, "</p>", "\n\n")
+	// Remove all remaining tags
+	for {
+		start := strings.Index(text, "<")
+		if start == -1 {
+			break
+		}
+		end := strings.Index(text[start:], ">")
+		if end == -1 {
+			break
+		}
+		text = text[:start] + text[start+end+1:]
+	}
+	return strings.TrimSpace(text)
+}
diff --git a/consent-service/internal/services/dsr_service_dashboard.go b/consent-service/internal/services/dsr_service_dashboard.go
new file mode 100644
index 0000000..2e0ba46
--- /dev/null
+++ b/consent-service/internal/services/dsr_service_dashboard.go
@@ -0,0 +1,278 @@
+package services
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/google/uuid"
+)
+
+// ExtendDeadline extends the deadline for a DSR
+func (s *DSRService) ExtendDeadline(ctx context.Context, id uuid.UUID, reason string, days int, extendedBy uuid.UUID) error {
+	// Default extension is 2 months (60 days) per Art. 12(3)
+	if days <= 0 {
+		days = 60
+	}
+
+	_, err := s.pool.Exec(ctx, `
+		UPDATE data_subject_requests
+		SET extended_deadline_at = deadline_at + ($1 || ' days')::INTERVAL,
+			extension_reason = $2,
+			updated_at = NOW()
+		WHERE id = $3
+	`, days, reason, id)
+	if err != nil {
+		return fmt.Errorf("failed to extend deadline: %w", err)
+	}
+
+	s.recordStatusChange(ctx, id, nil, "", &extendedBy, fmt.Sprintf("Frist um %d Tage verlängert: %s", days, reason))
+
+	return nil
+}
+
+// GetDashboardStats returns statistics for the admin dashboard
+func (s *DSRService) GetDashboardStats(ctx context.Context) (*models.DSRDashboardStats, error) {
+	stats := &models.DSRDashboardStats{
+		ByType:   make(map[string]int),
+		ByStatus: make(map[string]int),
+	}
+
+	// Total requests
+	s.pool.QueryRow(ctx, "SELECT COUNT(*) FROM data_subject_requests").Scan(&stats.TotalRequests)
+
+	// Pending requests (not completed, rejected, or cancelled)
+	s.pool.QueryRow(ctx, `
+		SELECT COUNT(*) FROM data_subject_requests
+		WHERE status NOT IN ('completed', 'rejected', 'cancelled')
+	`).Scan(&stats.PendingRequests)
+
+	// Overdue requests
+	s.pool.QueryRow(ctx, `
+		SELECT COUNT(*) FROM data_subject_requests
+		WHERE COALESCE(extended_deadline_at, deadline_at) < NOW()
+		AND status NOT IN ('completed', 'rejected', 'cancelled')
+	`).Scan(&stats.OverdueRequests)
+
+	// Completed this month
+	s.pool.QueryRow(ctx, `
+		SELECT COUNT(*) FROM data_subject_requests
+		WHERE status = 'completed'
+		AND completed_at >= DATE_TRUNC('month', NOW())
+	`).Scan(&stats.CompletedThisMonth)
+
+	// Average processing days
+	s.pool.QueryRow(ctx, `
+		SELECT COALESCE(AVG(EXTRACT(EPOCH FROM (completed_at - created_at)) / 86400), 0)
+		FROM data_subject_requests WHERE status = 'completed'
+	`).Scan(&stats.AverageProcessingDays)
+
+	// Count by type
+	rows, _ := s.pool.Query(ctx, `
+		SELECT request_type, COUNT(*) FROM data_subject_requests GROUP BY request_type
+	`)
+	for rows.Next() {
+		var t string
+		var count int
+		rows.Scan(&t, &count)
+		stats.ByType[t] = count
+	}
+	rows.Close()
+
+	// Count by status
+	rows, _ = s.pool.Query(ctx, `
+		SELECT status, COUNT(*) FROM data_subject_requests GROUP BY status
+	`)
+	for rows.Next() {
+		var s string
+		var count int
+		rows.Scan(&s, &count)
+		stats.ByStatus[s] = count
+	}
+	rows.Close()
+
+	// Upcoming deadlines (next 7 days)
+	rows, _ = s.pool.Query(ctx, `
+		SELECT id, request_number, request_type, status, requester_email, deadline_at
+		FROM data_subject_requests
+		WHERE COALESCE(extended_deadline_at, deadline_at) BETWEEN NOW() AND NOW() + INTERVAL '7 days'
+		AND status NOT IN ('completed', 'rejected', 'cancelled')
+		ORDER BY deadline_at ASC LIMIT 10
+	`)
+	for rows.Next() {
+		var dsr models.DataSubjectRequest
+		rows.Scan(&dsr.ID, &dsr.RequestNumber, &dsr.RequestType, &dsr.Status, &dsr.RequesterEmail, &dsr.DeadlineAt)
+		stats.UpcomingDeadlines = append(stats.UpcomingDeadlines, dsr)
+	}
+	rows.Close()
+
+	return stats, nil
+}
+
+// GetStatusHistory retrieves the status history for a DSR
+func (s *DSRService) GetStatusHistory(ctx context.Context, requestID uuid.UUID) ([]models.DSRStatusHistory, error) {
+	rows, err := s.pool.Query(ctx, `
+		SELECT id, request_id, from_status, to_status, changed_by, comment, metadata, created_at
+		FROM dsr_status_history WHERE request_id = $1 ORDER BY created_at DESC
+	`, requestID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query status history: %w", err)
+	}
+	defer rows.Close()
+
+	var history []models.DSRStatusHistory
+	for rows.Next() {
+		var h models.DSRStatusHistory
+		var metadataJSON []byte
+		err := rows.Scan(&h.ID, &h.RequestID, &h.FromStatus, &h.ToStatus, &h.ChangedBy, &h.Comment, &metadataJSON, &h.CreatedAt)
+		if err != nil {
+			continue
+		}
+		json.Unmarshal(metadataJSON, &h.Metadata)
+		history = append(history, h)
+	}
+
+	return history, nil
+}
+
+// InitErasureExceptionChecks initializes exception checks for an erasure request
+func (s *DSRService) InitErasureExceptionChecks(ctx context.Context, requestID uuid.UUID) error {
+	exceptions := []struct {
+		Type        string
+		Description string
+	}{
+		{models.DSRExceptionFreedomExpression, "Ausübung des Rechts auf freie Meinungsäußerung und Information (Art. 17 Abs. 3 lit. a)"},
+		{models.DSRExceptionLegalObligation, "Erfüllung einer rechtlichen Verpflichtung oder öffentlichen Aufgabe (Art. 17 Abs. 3 lit. b)"},
+		{models.DSRExceptionPublicHealth, "Gründe des öffentlichen Interesses im Bereich der öffentlichen Gesundheit (Art. 17 Abs. 3 lit. c)"},
+		{models.DSRExceptionArchiving, "Im öffentlichen Interesse liegende Archivzwecke, Forschung oder Statistik (Art. 17 Abs. 3 lit. d)"},
+		{models.DSRExceptionLegalClaims, "Geltendmachung, Ausübung oder Verteidigung von Rechtsansprüchen (Art. 17 Abs. 3 lit. e)"},
+	}
+
+	for _, exc := range exceptions {
+		_, err := s.pool.Exec(ctx, `
+			INSERT INTO dsr_exception_checks (request_id, exception_type, description)
+			VALUES ($1, $2, $3) ON CONFLICT DO NOTHING
+		`, requestID, exc.Type, exc.Description)
+		if err != nil {
+			return fmt.Errorf("failed to create exception check: %w", err)
+		}
+	}
+
+	return nil
+}
+
+// GetExceptionChecks retrieves exception checks for a DSR
+func (s *DSRService) GetExceptionChecks(ctx context.Context, requestID uuid.UUID) ([]models.DSRExceptionCheck, error) {
+	rows, err := s.pool.Query(ctx, `
+		SELECT id, request_id, exception_type, description, applies, checked_by, checked_at, notes, created_at
+		FROM dsr_exception_checks WHERE request_id = $1 ORDER BY created_at
+	`, requestID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query exception checks: %w", err)
+	}
+	defer rows.Close()
+
+	var checks []models.DSRExceptionCheck
+	for rows.Next() {
+		var c models.DSRExceptionCheck
+		err := rows.Scan(&c.ID, &c.RequestID, &c.ExceptionType, &c.Description, &c.Applies,
+			&c.CheckedBy, &c.CheckedAt, &c.Notes, &c.CreatedAt)
+		if err != nil {
+			continue
+		}
+		checks = append(checks, c)
+	}
+
+	return checks, nil
+}
+
+// UpdateExceptionCheck updates an exception check
+func (s *DSRService) UpdateExceptionCheck(ctx context.Context, checkID uuid.UUID, applies bool, notes *string, checkedBy uuid.UUID) error {
+	_, err := s.pool.Exec(ctx, `
+		UPDATE dsr_exception_checks
+		SET applies = $1, notes = $2, checked_by = $3, checked_at = NOW()
+		WHERE id = $4
+	`, applies, notes, checkedBy, checkID)
+	return err
+}
+
+// ProcessDeadlines checks for approaching and overdue deadlines
+func (s *DSRService) ProcessDeadlines(ctx context.Context) error {
+	now := time.Now()
+
+	// Find requests with deadlines in 3 days
+	threeDaysAhead := now.AddDate(0, 0, 3)
+	rows, _ := s.pool.Query(ctx, `
+		SELECT id, request_number, request_type, assigned_to, deadline_at
+		FROM data_subject_requests
+		WHERE COALESCE(extended_deadline_at, deadline_at) BETWEEN $1 AND $2
+		AND status NOT IN ('completed', 'rejected', 'cancelled')
+	`, now, threeDaysAhead)
+	for rows.Next() {
+		var id uuid.UUID
+		var requestNumber, requestType string
+		var assignedTo *uuid.UUID
+		var deadline time.Time
+		rows.Scan(&id, &requestNumber, &requestType, &assignedTo, &deadline)
+
+		// Notify assigned user or all DPOs
+		if assignedTo != nil {
+			s.notifyDeadlineWarning(ctx, id, *assignedTo, requestNumber, deadline, 3)
+		} else {
+			s.notifyAllDPOs(ctx, id, requestNumber, "Frist in 3 Tagen", deadline)
+		}
+	}
+	rows.Close()
+
+	// Find requests with deadlines in 1 day
+	oneDayAhead := now.AddDate(0, 0, 1)
+	rows, _ = s.pool.Query(ctx, `
+		SELECT id, request_number, request_type, assigned_to, deadline_at
+		FROM data_subject_requests
+		WHERE COALESCE(extended_deadline_at, deadline_at) BETWEEN $1 AND $2
+		AND status NOT IN ('completed', 'rejected', 'cancelled')
+	`, now, oneDayAhead)
+	for rows.Next() {
+		var id uuid.UUID
+		var requestNumber, requestType string
+		var assignedTo *uuid.UUID
+		var deadline time.Time
+		rows.Scan(&id, &requestNumber, &requestType, &assignedTo, &deadline)
+
+		if assignedTo != nil {
+			s.notifyDeadlineWarning(ctx, id, *assignedTo, requestNumber, deadline, 1)
+		} else {
+			s.notifyAllDPOs(ctx, id, requestNumber, "Frist morgen!", deadline)
+		}
+	}
+	rows.Close()
+
+	// Find overdue requests
+	rows, _ = s.pool.Query(ctx, `
+		SELECT id, request_number, request_type, assigned_to, deadline_at
+		FROM data_subject_requests
+		WHERE COALESCE(extended_deadline_at, deadline_at) < $1
+		AND status NOT IN ('completed', 'rejected', 'cancelled')
+	`, now)
+	for rows.Next() {
+		var id uuid.UUID
+		var requestNumber, requestType string
+		var assignedTo *uuid.UUID
+		var deadline time.Time
+		rows.Scan(&id, &requestNumber, &requestType, &assignedTo, &deadline)
+
+		// Notify all DPOs for overdue
+		s.notifyAllDPOs(ctx, id, requestNumber, "ÜBERFÄLLIG!", deadline)
+
+		// Log to audit
+		s.pool.Exec(ctx, `
+			INSERT INTO consent_audit_log (action, entity_type, entity_id, details)
+			VALUES ('dsr_overdue', 'dsr', $1, $2)
+		`, id, fmt.Sprintf(`{"request_number": "%s", "deadline": "%s"}`, requestNumber, deadline.Format(time.RFC3339)))
+	}
+	rows.Close()
+
+	return nil
+}
diff --git a/consent-service/internal/services/email_service.go b/consent-service/internal/services/email_service.go
index 1d36cd2..228a10d 100644
--- a/consent-service/internal/services/email_service.go
+++ b/consent-service/internal/services/email_service.go
@@ -3,7 +3,6 @@ package services
 import (
 	"bytes"
 	"fmt"
-	"html/template"
 	"net/smtp"
 	"strings"
 )
@@ -249,306 +248,3 @@ Ihr BreakPilot Team`, getDisplayName(name), appLink)
 	return s.SendEmail(to, subject, htmlBody, textBody)
 }
 
-// renderTemplate renders an email HTML template
-func (s *EmailService) renderTemplate(templateName string, data map[string]interface{}) string {
-	templates := map[string]string{
-		"verification": `
-<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="UTF-8">
-    <style>
-        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; }
-        .header { background: linear-gradient(135deg, #6366f1, #8b5cf6); color: white; padding: 30px; border-radius: 10px 10px 0 0; text-align: center; }
-        .content { background: #f8fafc; padding: 30px; border-radius: 0 0 10px 10px; }
-        .button { display: inline-block; background: #6366f1; color: white; padding: 14px 28px; text-decoration: none; border-radius: 8px; font-weight: 600; margin: 20px 0; }
-        .footer { text-align: center; color: #64748b; font-size: 12px; margin-top: 30px; }
-    </style>
-</head>
-<body>
-    <div class="header">
-        <h1>Willkommen bei BreakPilot!</h1>
-    </div>
-    <div class="content">
-        <p>Hallo {{.Name}},</p>
-        <p>Vielen Dank für Ihre Registrierung! Bitte bestätigen Sie Ihre E-Mail-Adresse, um Ihr Konto zu aktivieren.</p>
-        <p style="text-align: center;">
-            <a href="{{.VerifyLink}}" class="button">E-Mail bestätigen</a>
-        </p>
-        <p>Dieser Link ist 24 Stunden gültig.</p>
-        <p>Falls Sie sich nicht bei BreakPilot registriert haben, können Sie diese E-Mail ignorieren.</p>
-    </div>
-    <div class="footer">
-        <p>© 2024 BreakPilot. Alle Rechte vorbehalten.</p>
-    </div>
-</body>
-</html>`,
-
-		"password_reset": `
-<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="UTF-8">
-    <style>
-        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; }
-        .header { background: linear-gradient(135deg, #6366f1, #8b5cf6); color: white; padding: 30px; border-radius: 10px 10px 0 0; text-align: center; }
-        .content { background: #f8fafc; padding: 30px; border-radius: 0 0 10px 10px; }
-        .button { display: inline-block; background: #6366f1; color: white; padding: 14px 28px; text-decoration: none; border-radius: 8px; font-weight: 600; margin: 20px 0; }
-        .warning { background: #fef3c7; border-left: 4px solid #f59e0b; padding: 12px; margin: 20px 0; }
-        .footer { text-align: center; color: #64748b; font-size: 12px; margin-top: 30px; }
-    </style>
-</head>
-<body>
-    <div class="header">
-        <h1>Passwort zurücksetzen</h1>
-    </div>
-    <div class="content">
-        <p>Hallo {{.Name}},</p>
-        <p>Sie haben eine Anfrage zum Zurücksetzen Ihres Passworts gestellt.</p>
-        <p style="text-align: center;">
-            <a href="{{.ResetLink}}" class="button">Passwort zurücksetzen</a>
-        </p>
-        <div class="warning">
-            <strong>Hinweis:</strong> Dieser Link ist nur 1 Stunde gültig.
-        </div>
-        <p>Falls Sie keine Passwort-Zurücksetzung angefordert haben, können Sie diese E-Mail ignorieren.</p>
-    </div>
-    <div class="footer">
-        <p>© 2024 BreakPilot. Alle Rechte vorbehalten.</p>
-    </div>
-</body>
-</html>`,
-
-		"new_version": `
-<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="UTF-8">
-    <style>
-        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; }
-        .header { background: linear-gradient(135deg, #6366f1, #8b5cf6); color: white; padding: 30px; border-radius: 10px 10px 0 0; text-align: center; }
-        .content { background: #f8fafc; padding: 30px; border-radius: 0 0 10px 10px; }
-        .button { display: inline-block; background: #6366f1; color: white; padding: 14px 28px; text-decoration: none; border-radius: 8px; font-weight: 600; margin: 20px 0; }
-        .info-box { background: #e0e7ff; border-left: 4px solid #6366f1; padding: 12px; margin: 20px 0; }
-        .footer { text-align: center; color: #64748b; font-size: 12px; margin-top: 30px; }
-    </style>
-</head>
-<body>
-    <div class="header">
-        <h1>Neue Version: {{.DocumentName}}</h1>
-    </div>
-    <div class="content">
-        <p>Hallo {{.Name}},</p>
-        <p>Wir haben unsere <strong>{{.DocumentName}}</strong> aktualisiert.</p>
-        <div class="info-box">
-            <strong>Wichtig:</strong> Bitte bestätigen Sie die neuen Bedingungen innerhalb der nächsten <strong>{{.DeadlineDays}} Tage</strong>.
-        </div>
-        <p style="text-align: center;">
-            <a href="{{.ConsentLink}}" class="button">Dokument ansehen & bestätigen</a>
-        </p>
-        <p>Falls Sie nicht innerhalb dieser Frist bestätigen, wird Ihr Account vorübergehend gesperrt.</p>
-    </div>
-    <div class="footer">
-        <p>© 2024 BreakPilot. Alle Rechte vorbehalten.</p>
-    </div>
-</body>
-</html>`,
-
-		"reminder": `
-<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="UTF-8">
-    <style>
-        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; }
-        .header { background: linear-gradient(135deg, #f59e0b, #d97706); color: white; padding: 30px; border-radius: 10px 10px 0 0; text-align: center; }
-        .content { background: #f8fafc; padding: 30px; border-radius: 0 0 10px 10px; }
-        .button { display: inline-block; background: #f59e0b; color: white; padding: 14px 28px; text-decoration: none; border-radius: 8px; font-weight: 600; margin: 20px 0; }
-        .warning { background: #fef3c7; border-left: 4px solid #f59e0b; padding: 12px; margin: 20px 0; }
-        .doc-list { background: white; padding: 15px; border-radius: 8px; margin: 15px 0; }
-        .footer { text-align: center; color: #64748b; font-size: 12px; margin-top: 30px; }
-    </style>
-</head>
-<body>
-    <div class="header">
-        <h1>{{.Urgency}}: Ausstehende Bestätigungen</h1>
-    </div>
-    <div class="content">
-        <p>Hallo {{.Name}},</p>
-        <p>Dies ist eine freundliche Erinnerung, dass Sie noch ausstehende rechtliche Dokumente bestätigen müssen.</p>
-        <div class="doc-list">
-            <strong>Ausstehende Dokumente:</strong>
-            <ul>
-                {{range .Documents}}<li>{{.}}</li>{{end}}
-            </ul>
-        </div>
-        <div class="warning">
-            <strong>Sie haben noch {{.DaysLeft}} Tage Zeit.</strong> Nach Ablauf dieser Frist wird Ihr Account vorübergehend gesperrt.
-        </div>
-        <p style="text-align: center;">
-            <a href="{{.ConsentLink}}" class="button">Jetzt bestätigen</a>
-        </p>
-    </div>
-    <div class="footer">
-        <p>© 2024 BreakPilot. Alle Rechte vorbehalten.</p>
-    </div>
-</body>
-</html>`,
-
-		"suspended": `
-<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="UTF-8">
-    <style>
-        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; }
-        .header { background: linear-gradient(135deg, #ef4444, #dc2626); color: white; padding: 30px; border-radius: 10px 10px 0 0; text-align: center; }
-        .content { background: #f8fafc; padding: 30px; border-radius: 0 0 10px 10px; }
-        .button { display: inline-block; background: #6366f1; color: white; padding: 14px 28px; text-decoration: none; border-radius: 8px; font-weight: 600; margin: 20px 0; }
-        .alert { background: #fee2e2; border-left: 4px solid #ef4444; padding: 12px; margin: 20px 0; }
-        .doc-list { background: white; padding: 15px; border-radius: 8px; margin: 15px 0; }
-        .footer { text-align: center; color: #64748b; font-size: 12px; margin-top: 30px; }
-    </style>
-</head>
-<body>
-    <div class="header">
-        <h1>Account vorübergehend gesperrt</h1>
-    </div>
-    <div class="content">
-        <p>Hallo {{.Name}},</p>
-        <div class="alert">
-            <strong>Ihr Account wurde vorübergehend gesperrt</strong>, da Sie die folgenden rechtlichen Dokumente nicht innerhalb der Frist bestätigt haben.
-        </div>
-        <div class="doc-list">
-            <strong>Nicht bestätigte Dokumente:</strong>
-            <ul>
-                {{range .Documents}}<li>{{.}}</li>{{end}}
-            </ul>
-        </div>
-        <p>Um Ihren Account zu entsperren, bestätigen Sie bitte alle ausstehenden Dokumente:</p>
-        <p style="text-align: center;">
-            <a href="{{.ConsentLink}}" class="button">Dokumente bestätigen & Account entsperren</a>
-        </p>
-        <p>Sobald Sie alle Dokumente bestätigt haben, wird Ihr Account automatisch entsperrt.</p>
-    </div>
-    <div class="footer">
-        <p>© 2024 BreakPilot. Alle Rechte vorbehalten.</p>
-    </div>
-</body>
-</html>`,
-
-		"reactivated": `
-<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="UTF-8">
-    <style>
-        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; }
-        .header { background: linear-gradient(135deg, #22c55e, #16a34a); color: white; padding: 30px; border-radius: 10px 10px 0 0; text-align: center; }
-        .content { background: #f8fafc; padding: 30px; border-radius: 0 0 10px 10px; }
-        .button { display: inline-block; background: #22c55e; color: white; padding: 14px 28px; text-decoration: none; border-radius: 8px; font-weight: 600; margin: 20px 0; }
-        .success { background: #dcfce7; border-left: 4px solid #22c55e; padding: 12px; margin: 20px 0; }
-        .footer { text-align: center; color: #64748b; font-size: 12px; margin-top: 30px; }
-    </style>
-</head>
-<body>
-    <div class="header">
-        <h1>Account wieder aktiviert!</h1>
-    </div>
-    <div class="content">
-        <p>Hallo {{.Name}},</p>
-        <div class="success">
-            <strong>Vielen Dank!</strong> Ihr Account wurde erfolgreich wieder aktiviert.
-        </div>
-        <p>Sie können BreakPilot ab sofort wieder wie gewohnt nutzen.</p>
-        <p style="text-align: center;">
-            <a href="{{.AppLink}}" class="button">Zu BreakPilot</a>
-        </p>
-    </div>
-    <div class="footer">
-        <p>© 2024 BreakPilot. Alle Rechte vorbehalten.</p>
-    </div>
-</body>
-</html>`,
-
-		"generic_notification": `
-<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="UTF-8">
-    <style>
-        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; }
-        .header { background: linear-gradient(135deg, #6366f1, #8b5cf6); color: white; padding: 30px; border-radius: 10px 10px 0 0; text-align: center; }
-        .content { background: #f8fafc; padding: 30px; border-radius: 0 0 10px 10px; }
-        .button { display: inline-block; background: #6366f1; color: white; padding: 14px 28px; text-decoration: none; border-radius: 8px; font-weight: 600; margin: 20px 0; }
-        .footer { text-align: center; color: #64748b; font-size: 12px; margin-top: 30px; }
-    </style>
-</head>
-<body>
-    <div class="header">
-        <h1>{{.Title}}</h1>
-    </div>
-    <div class="content">
-        <p>{{.Body}}</p>
-        <p style="text-align: center;">
-            <a href="{{.BaseURL}}/app" class="button">Zu BreakPilot</a>
-        </p>
-    </div>
-    <div class="footer">
-        <p>© 2024 BreakPilot. Alle Rechte vorbehalten.</p>
-    </div>
-</body>
-</html>`,
-	}
-
-	tmplStr, ok := templates[templateName]
-	if !ok {
-		return ""
-	}
-
-	tmpl, err := template.New(templateName).Parse(tmplStr)
-	if err != nil {
-		return ""
-	}
-
-	var buf bytes.Buffer
-	if err := tmpl.Execute(&buf, data); err != nil {
-		return ""
-	}
-
-	return buf.String()
-}
-
-// SendConsentReminderEmail sends a simplified consent reminder email
-func (s *EmailService) SendConsentReminderEmail(to, title, body string) error {
-	subject := title
-
-	htmlBody := s.renderTemplate("generic_notification", map[string]interface{}{
-		"Title":   title,
-		"Body":    body,
-		"BaseURL": s.config.BaseURL,
-	})
-
-	return s.SendEmail(to, subject, htmlBody, body)
-}
-
-// SendGenericNotificationEmail sends a generic notification email
-func (s *EmailService) SendGenericNotificationEmail(to, title, body string) error {
-	subject := title
-
-	htmlBody := s.renderTemplate("generic_notification", map[string]interface{}{
-		"Title":   title,
-		"Body":    body,
-		"BaseURL": s.config.BaseURL,
-	})
-
-	return s.SendEmail(to, subject, htmlBody, body)
-}
-
-// getDisplayName returns display name or fallback
-func getDisplayName(name string) string {
-	if name != "" {
-		return name
-	}
-	return "Nutzer"
-}
diff --git a/consent-service/internal/services/email_service_templates.go b/consent-service/internal/services/email_service_templates.go
new file mode 100644
index 0000000..acc4c53
--- /dev/null
+++ b/consent-service/internal/services/email_service_templates.go
@@ -0,0 +1,310 @@
+package services
+
+import (
+	"bytes"
+	"html/template"
+)
+
+// renderTemplate renders an email HTML template
+func (s *EmailService) renderTemplate(templateName string, data map[string]interface{}) string {
+	templates := map[string]string{
+		"verification": `
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <style>
+        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; }
+        .header { background: linear-gradient(135deg, #6366f1, #8b5cf6); color: white; padding: 30px; border-radius: 10px 10px 0 0; text-align: center; }
+        .content { background: #f8fafc; padding: 30px; border-radius: 0 0 10px 10px; }
+        .button { display: inline-block; background: #6366f1; color: white; padding: 14px 28px; text-decoration: none; border-radius: 8px; font-weight: 600; margin: 20px 0; }
+        .footer { text-align: center; color: #64748b; font-size: 12px; margin-top: 30px; }
+    </style>
+</head>
+<body>
+    <div class="header">
+        <h1>Willkommen bei BreakPilot!</h1>
+    </div>
+    <div class="content">
+        <p>Hallo {{.Name}},</p>
+        <p>Vielen Dank für Ihre Registrierung! Bitte bestätigen Sie Ihre E-Mail-Adresse, um Ihr Konto zu aktivieren.</p>
+        <p style="text-align: center;">
+            <a href="{{.VerifyLink}}" class="button">E-Mail bestätigen</a>
+        </p>
+        <p>Dieser Link ist 24 Stunden gültig.</p>
+        <p>Falls Sie sich nicht bei BreakPilot registriert haben, können Sie diese E-Mail ignorieren.</p>
+    </div>
+    <div class="footer">
+        <p>© 2024 BreakPilot. Alle Rechte vorbehalten.</p>
+    </div>
+</body>
+</html>`,
+
+		"password_reset": `
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <style>
+        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; }
+        .header { background: linear-gradient(135deg, #6366f1, #8b5cf6); color: white; padding: 30px; border-radius: 10px 10px 0 0; text-align: center; }
+        .content { background: #f8fafc; padding: 30px; border-radius: 0 0 10px 10px; }
+        .button { display: inline-block; background: #6366f1; color: white; padding: 14px 28px; text-decoration: none; border-radius: 8px; font-weight: 600; margin: 20px 0; }
+        .warning { background: #fef3c7; border-left: 4px solid #f59e0b; padding: 12px; margin: 20px 0; }
+        .footer { text-align: center; color: #64748b; font-size: 12px; margin-top: 30px; }
+    </style>
+</head>
+<body>
+    <div class="header">
+        <h1>Passwort zurücksetzen</h1>
+    </div>
+    <div class="content">
+        <p>Hallo {{.Name}},</p>
+        <p>Sie haben eine Anfrage zum Zurücksetzen Ihres Passworts gestellt.</p>
+        <p style="text-align: center;">
+            <a href="{{.ResetLink}}" class="button">Passwort zurücksetzen</a>
+        </p>
+        <div class="warning">
+            <strong>Hinweis:</strong> Dieser Link ist nur 1 Stunde gültig.
+        </div>
+        <p>Falls Sie keine Passwort-Zurücksetzung angefordert haben, können Sie diese E-Mail ignorieren.</p>
+    </div>
+    <div class="footer">
+        <p>© 2024 BreakPilot. Alle Rechte vorbehalten.</p>
+    </div>
+</body>
+</html>`,
+
+		"new_version": `
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <style>
+        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; }
+        .header { background: linear-gradient(135deg, #6366f1, #8b5cf6); color: white; padding: 30px; border-radius: 10px 10px 0 0; text-align: center; }
+        .content { background: #f8fafc; padding: 30px; border-radius: 0 0 10px 10px; }
+        .button { display: inline-block; background: #6366f1; color: white; padding: 14px 28px; text-decoration: none; border-radius: 8px; font-weight: 600; margin: 20px 0; }
+        .info-box { background: #e0e7ff; border-left: 4px solid #6366f1; padding: 12px; margin: 20px 0; }
+        .footer { text-align: center; color: #64748b; font-size: 12px; margin-top: 30px; }
+    </style>
+</head>
+<body>
+    <div class="header">
+        <h1>Neue Version: {{.DocumentName}}</h1>
+    </div>
+    <div class="content">
+        <p>Hallo {{.Name}},</p>
+        <p>Wir haben unsere <strong>{{.DocumentName}}</strong> aktualisiert.</p>
+        <div class="info-box">
+            <strong>Wichtig:</strong> Bitte bestätigen Sie die neuen Bedingungen innerhalb der nächsten <strong>{{.DeadlineDays}} Tage</strong>.
+        </div>
+        <p style="text-align: center;">
+            <a href="{{.ConsentLink}}" class="button">Dokument ansehen & bestätigen</a>
+        </p>
+        <p>Falls Sie nicht innerhalb dieser Frist bestätigen, wird Ihr Account vorübergehend gesperrt.</p>
+    </div>
+    <div class="footer">
+        <p>© 2024 BreakPilot. Alle Rechte vorbehalten.</p>
+    </div>
+</body>
+</html>`,
+
+		"reminder": `
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <style>
+        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; }
+        .header { background: linear-gradient(135deg, #f59e0b, #d97706); color: white; padding: 30px; border-radius: 10px 10px 0 0; text-align: center; }
+        .content { background: #f8fafc; padding: 30px; border-radius: 0 0 10px 10px; }
+        .button { display: inline-block; background: #f59e0b; color: white; padding: 14px 28px; text-decoration: none; border-radius: 8px; font-weight: 600; margin: 20px 0; }
+        .warning { background: #fef3c7; border-left: 4px solid #f59e0b; padding: 12px; margin: 20px 0; }
+        .doc-list { background: white; padding: 15px; border-radius: 8px; margin: 15px 0; }
+        .footer { text-align: center; color: #64748b; font-size: 12px; margin-top: 30px; }
+    </style>
+</head>
+<body>
+    <div class="header">
+        <h1>{{.Urgency}}: Ausstehende Bestätigungen</h1>
+    </div>
+    <div class="content">
+        <p>Hallo {{.Name}},</p>
+        <p>Dies ist eine freundliche Erinnerung, dass Sie noch ausstehende rechtliche Dokumente bestätigen müssen.</p>
+        <div class="doc-list">
+            <strong>Ausstehende Dokumente:</strong>
+            <ul>
+                {{range .Documents}}<li>{{.}}</li>{{end}}
+            </ul>
+        </div>
+        <div class="warning">
+            <strong>Sie haben noch {{.DaysLeft}} Tage Zeit.</strong> Nach Ablauf dieser Frist wird Ihr Account vorübergehend gesperrt.
+        </div>
+        <p style="text-align: center;">
+            <a href="{{.ConsentLink}}" class="button">Jetzt bestätigen</a>
+        </p>
+    </div>
+    <div class="footer">
+        <p>© 2024 BreakPilot. Alle Rechte vorbehalten.</p>
+    </div>
+</body>
+</html>`,
+
+		"suspended": `
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <style>
+        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; }
+        .header { background: linear-gradient(135deg, #ef4444, #dc2626); color: white; padding: 30px; border-radius: 10px 10px 0 0; text-align: center; }
+        .content { background: #f8fafc; padding: 30px; border-radius: 0 0 10px 10px; }
+        .button { display: inline-block; background: #6366f1; color: white; padding: 14px 28px; text-decoration: none; border-radius: 8px; font-weight: 600; margin: 20px 0; }
+        .alert { background: #fee2e2; border-left: 4px solid #ef4444; padding: 12px; margin: 20px 0; }
+        .doc-list { background: white; padding: 15px; border-radius: 8px; margin: 15px 0; }
+        .footer { text-align: center; color: #64748b; font-size: 12px; margin-top: 30px; }
+    </style>
+</head>
+<body>
+    <div class="header">
+        <h1>Account vorübergehend gesperrt</h1>
+    </div>
+    <div class="content">
+        <p>Hallo {{.Name}},</p>
+        <div class="alert">
+            <strong>Ihr Account wurde vorübergehend gesperrt</strong>, da Sie die folgenden rechtlichen Dokumente nicht innerhalb der Frist bestätigt haben.
+        </div>
+        <div class="doc-list">
+            <strong>Nicht bestätigte Dokumente:</strong>
+            <ul>
+                {{range .Documents}}<li>{{.}}</li>{{end}}
+            </ul>
+        </div>
+        <p>Um Ihren Account zu entsperren, bestätigen Sie bitte alle ausstehenden Dokumente:</p>
+        <p style="text-align: center;">
+            <a href="{{.ConsentLink}}" class="button">Dokumente bestätigen & Account entsperren</a>
+        </p>
+        <p>Sobald Sie alle Dokumente bestätigt haben, wird Ihr Account automatisch entsperrt.</p>
+    </div>
+    <div class="footer">
+        <p>© 2024 BreakPilot. Alle Rechte vorbehalten.</p>
+    </div>
+</body>
+</html>`,
+
+		"reactivated": `
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <style>
+        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; }
+        .header { background: linear-gradient(135deg, #22c55e, #16a34a); color: white; padding: 30px; border-radius: 10px 10px 0 0; text-align: center; }
+        .content { background: #f8fafc; padding: 30px; border-radius: 0 0 10px 10px; }
+        .button { display: inline-block; background: #22c55e; color: white; padding: 14px 28px; text-decoration: none; border-radius: 8px; font-weight: 600; margin: 20px 0; }
+        .success { background: #dcfce7; border-left: 4px solid #22c55e; padding: 12px; margin: 20px 0; }
+        .footer { text-align: center; color: #64748b; font-size: 12px; margin-top: 30px; }
+    </style>
+</head>
+<body>
+    <div class="header">
+        <h1>Account wieder aktiviert!</h1>
+    </div>
+    <div class="content">
+        <p>Hallo {{.Name}},</p>
+        <div class="success">
+            <strong>Vielen Dank!</strong> Ihr Account wurde erfolgreich wieder aktiviert.
+        </div>
+        <p>Sie können BreakPilot ab sofort wieder wie gewohnt nutzen.</p>
+        <p style="text-align: center;">
+            <a href="{{.AppLink}}" class="button">Zu BreakPilot</a>
+        </p>
+    </div>
+    <div class="footer">
+        <p>© 2024 BreakPilot. Alle Rechte vorbehalten.</p>
+    </div>
+</body>
+</html>`,
+
+		"generic_notification": `
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <style>
+        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; }
+        .header { background: linear-gradient(135deg, #6366f1, #8b5cf6); color: white; padding: 30px; border-radius: 10px 10px 0 0; text-align: center; }
+        .content { background: #f8fafc; padding: 30px; border-radius: 0 0 10px 10px; }
+        .button { display: inline-block; background: #6366f1; color: white; padding: 14px 28px; text-decoration: none; border-radius: 8px; font-weight: 600; margin: 20px 0; }
+        .footer { text-align: center; color: #64748b; font-size: 12px; margin-top: 30px; }
+    </style>
+</head>
+<body>
+    <div class="header">
+        <h1>{{.Title}}</h1>
+    </div>
+    <div class="content">
+        <p>{{.Body}}</p>
+        <p style="text-align: center;">
+            <a href="{{.BaseURL}}/app" class="button">Zu BreakPilot</a>
+        </p>
+    </div>
+    <div class="footer">
+        <p>© 2024 BreakPilot. Alle Rechte vorbehalten.</p>
+    </div>
+</body>
+</html>`,
+	}
+
+	tmplStr, ok := templates[templateName]
+	if !ok {
+		return ""
+	}
+
+	tmpl, err := template.New(templateName).Parse(tmplStr)
+	if err != nil {
+		return ""
+	}
+
+	var buf bytes.Buffer
+	if err := tmpl.Execute(&buf, data); err != nil {
+		return ""
+	}
+
+	return buf.String()
+}
+
+// SendConsentReminderEmail sends a simplified consent reminder email
+func (s *EmailService) SendConsentReminderEmail(to, title, body string) error {
+	subject := title
+
+	htmlBody := s.renderTemplate("generic_notification", map[string]interface{}{
+		"Title":   title,
+		"Body":    body,
+		"BaseURL": s.config.BaseURL,
+	})
+
+	return s.SendEmail(to, subject, htmlBody, body)
+}
+
+// SendGenericNotificationEmail sends a generic notification email
+func (s *EmailService) SendGenericNotificationEmail(to, title, body string) error {
+	subject := title
+
+	htmlBody := s.renderTemplate("generic_notification", map[string]interface{}{
+		"Title":   title,
+		"Body":    body,
+		"BaseURL": s.config.BaseURL,
+	})
+
+	return s.SendEmail(to, subject, htmlBody, body)
+}
+
+// getDisplayName returns display name or fallback
+func getDisplayName(name string) string {
+	if name != "" {
+		return name
+	}
+	return "Nutzer"
+}
diff --git a/consent-service/internal/services/email_template_approval.go b/consent-service/internal/services/email_template_approval.go
new file mode 100644
index 0000000..48bad1c
--- /dev/null
+++ b/consent-service/internal/services/email_template_approval.go
@@ -0,0 +1,174 @@
+package services
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/google/uuid"
+)
+
+// SubmitForReview submits a version for review
+func (s *EmailTemplateService) SubmitForReview(ctx context.Context, versionID, submitterID uuid.UUID, comment *string) error {
+	tx, err := s.db.Begin(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to begin transaction: %w", err)
+	}
+	defer tx.Rollback(ctx)
+
+	// Update status
+	_, err = tx.Exec(ctx, `
+		UPDATE email_template_versions SET status = 'review', updated_at = $1 WHERE id = $2
+	`, time.Now(), versionID)
+	if err != nil {
+		return fmt.Errorf("failed to update status: %w", err)
+	}
+
+	// Create approval record
+	_, err = tx.Exec(ctx, `
+		INSERT INTO email_template_approvals (id, version_id, approver_id, action, comment, created_at)
+		VALUES ($1, $2, $3, $4, $5, $6)
+	`, uuid.New(), versionID, submitterID, "submitted_for_review", comment, time.Now())
+	if err != nil {
+		return fmt.Errorf("failed to create approval record: %w", err)
+	}
+
+	return tx.Commit(ctx)
+}
+
+// ApproveVersion approves a version (DSB)
+func (s *EmailTemplateService) ApproveVersion(ctx context.Context, versionID, approverID uuid.UUID, comment *string, scheduledPublishAt *time.Time) error {
+	tx, err := s.db.Begin(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to begin transaction: %w", err)
+	}
+	defer tx.Rollback(ctx)
+
+	now := time.Now()
+	status := "approved"
+	if scheduledPublishAt != nil {
+		status = "scheduled"
+	}
+
+	_, err = tx.Exec(ctx, `
+		UPDATE email_template_versions
+		SET status = $1, approved_by = $2, approved_at = $3, scheduled_publish_at = $4, updated_at = $5
+		WHERE id = $6
+	`, status, approverID, now, scheduledPublishAt, now, versionID)
+	if err != nil {
+		return fmt.Errorf("failed to approve version: %w", err)
+	}
+
+	_, err = tx.Exec(ctx, `
+		INSERT INTO email_template_approvals (id, version_id, approver_id, action, comment, created_at)
+		VALUES ($1, $2, $3, $4, $5, $6)
+	`, uuid.New(), versionID, approverID, "approved", comment, now)
+	if err != nil {
+		return fmt.Errorf("failed to create approval record: %w", err)
+	}
+
+	return tx.Commit(ctx)
+}
+
+// PublishVersion publishes an approved version
+func (s *EmailTemplateService) PublishVersion(ctx context.Context, versionID, publisherID uuid.UUID) error {
+	tx, err := s.db.Begin(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to begin transaction: %w", err)
+	}
+	defer tx.Rollback(ctx)
+
+	// Get version info to find template and language
+	var templateID uuid.UUID
+	var language string
+	err = tx.QueryRow(ctx, `SELECT template_id, language FROM email_template_versions WHERE id = $1`, versionID).Scan(&templateID, &language)
+	if err != nil {
+		return fmt.Errorf("failed to get version info: %w", err)
+	}
+
+	// Archive old published versions for same template and language
+	_, err = tx.Exec(ctx, `
+		UPDATE email_template_versions
+		SET status = 'archived', updated_at = $1
+		WHERE template_id = $2 AND language = $3 AND status = 'published'
+	`, time.Now(), templateID, language)
+	if err != nil {
+		return fmt.Errorf("failed to archive old versions: %w", err)
+	}
+
+	// Publish the new version
+	now := time.Now()
+	_, err = tx.Exec(ctx, `
+		UPDATE email_template_versions
+		SET status = 'published', published_at = $1, updated_at = $2
+		WHERE id = $3
+	`, now, now, versionID)
+	if err != nil {
+		return fmt.Errorf("failed to publish version: %w", err)
+	}
+
+	// Create approval record
+	_, err = tx.Exec(ctx, `
+		INSERT INTO email_template_approvals (id, version_id, approver_id, action, created_at)
+		VALUES ($1, $2, $3, $4, $5)
+	`, uuid.New(), versionID, publisherID, "published", now)
+	if err != nil {
+		return fmt.Errorf("failed to create approval record: %w", err)
+	}
+
+	return tx.Commit(ctx)
+}
+
+// RejectVersion rejects a version
+func (s *EmailTemplateService) RejectVersion(ctx context.Context, versionID, rejectorID uuid.UUID, comment string) error {
+	tx, err := s.db.Begin(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to begin transaction: %w", err)
+	}
+	defer tx.Rollback(ctx)
+
+	now := time.Now()
+	_, err = tx.Exec(ctx, `
+		UPDATE email_template_versions SET status = 'draft', updated_at = $1 WHERE id = $2
+	`, now, versionID)
+	if err != nil {
+		return fmt.Errorf("failed to reject version: %w", err)
+	}
+
+	_, err = tx.Exec(ctx, `
+		INSERT INTO email_template_approvals (id, version_id, approver_id, action, comment, created_at)
+		VALUES ($1, $2, $3, $4, $5, $6)
+	`, uuid.New(), versionID, rejectorID, "rejected", &comment, now)
+	if err != nil {
+		return fmt.Errorf("failed to create approval record: %w", err)
+	}
+
+	return tx.Commit(ctx)
+}
+
+// GetApprovals returns approval history for a version
+func (s *EmailTemplateService) GetApprovals(ctx context.Context, versionID uuid.UUID) ([]models.EmailTemplateApproval, error) {
+	rows, err := s.db.Query(ctx, `
+		SELECT id, version_id, approver_id, action, comment, created_at
+		FROM email_template_approvals
+		WHERE version_id = $1
+		ORDER BY created_at DESC
+	`, versionID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get approvals: %w", err)
+	}
+	defer rows.Close()
+
+	var approvals []models.EmailTemplateApproval
+	for rows.Next() {
+		var a models.EmailTemplateApproval
+		err := rows.Scan(&a.ID, &a.VersionID, &a.ApproverID, &a.Action, &a.Comment, &a.CreatedAt)
+		if err != nil {
+			return nil, fmt.Errorf("failed to scan approval: %w", err)
+		}
+		approvals = append(approvals, a)
+	}
+
+	return approvals, nil
+}
diff --git a/consent-service/internal/services/email_template_defaults_auth.go b/consent-service/internal/services/email_template_defaults_auth.go
new file mode 100644
index 0000000..6150dd9
--- /dev/null
+++ b/consent-service/internal/services/email_template_defaults_auth.go
@@ -0,0 +1,376 @@
+package services
+
+// Default German email templates for authentication and security events.
+// Templates: Welcome, Email Verification, Password Reset, Password Changed,
+// 2FA Enabled, 2FA Disabled, New Device Login, Suspicious Activity,
+// Account Locked, Account Unlocked.
+
+func (s *EmailTemplateService) getWelcomeTemplateDE() (string, string, string) {
+	subject := "Willkommen bei BreakPilot!"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #2563eb;">Willkommen bei BreakPilot!</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>vielen Dank für Ihre Registrierung bei BreakPilot. Ihr Konto wurde erfolgreich erstellt.</p>
+    <p>Sie können sich jetzt mit Ihrer E-Mail-Adresse <strong>{{user_email}}</strong> anmelden:</p>
+    <p style="text-align: center; margin: 30px 0;">
+        <a href="{{login_url}}" style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Jetzt anmelden</a>
+    </p>
+    <p>Bei Fragen stehen wir Ihnen gerne zur Verfügung unter {{support_email}}.</p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `Willkommen bei BreakPilot!
+
+Hallo {{user_name}},
+
+vielen Dank für Ihre Registrierung bei BreakPilot. Ihr Konto wurde erfolgreich erstellt.
+
+Sie können sich jetzt mit Ihrer E-Mail-Adresse {{user_email}} anmelden:
+{{login_url}}
+
+Bei Fragen stehen wir Ihnen gerne zur Verfügung unter {{support_email}}.
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) getEmailVerificationTemplateDE() (string, string, string) {
+	subject := "Bitte bestätigen Sie Ihre E-Mail-Adresse"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #2563eb;">E-Mail-Adresse bestätigen</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>bitte bestätigen Sie Ihre E-Mail-Adresse, indem Sie auf den folgenden Link klicken:</p>
+    <p style="text-align: center; margin: 30px 0;">
+        <a href="{{verification_url}}" style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">E-Mail bestätigen</a>
+    </p>
+    <p>Alternativ können Sie auch diesen Bestätigungscode eingeben: <strong>{{verification_code}}</strong></p>
+    <p><strong>Hinweis:</strong> Dieser Link ist nur {{expires_in}} gültig.</p>
+    <p>Falls Sie diese E-Mail nicht angefordert haben, können Sie sie ignorieren.</p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `E-Mail-Adresse bestätigen
+
+Hallo {{user_name}},
+
+bitte bestätigen Sie Ihre E-Mail-Adresse, indem Sie auf den folgenden Link klicken:
+{{verification_url}}
+
+Alternativ können Sie auch diesen Bestätigungscode eingeben: {{verification_code}}
+
+Hinweis: Dieser Link ist nur {{expires_in}} gültig.
+
+Falls Sie diese E-Mail nicht angefordert haben, können Sie sie ignorieren.
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) getPasswordResetTemplateDE() (string, string, string) {
+	subject := "Passwort zurücksetzen"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #2563eb;">Passwort zurücksetzen</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Sie haben eine Anfrage zum Zurücksetzen Ihres Passworts gestellt. Klicken Sie auf den folgenden Link, um ein neues Passwort festzulegen:</p>
+    <p style="text-align: center; margin: 30px 0;">
+        <a href="{{reset_url}}" style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Neues Passwort festlegen</a>
+    </p>
+    <p>Alternativ können Sie auch diesen Code verwenden: <strong>{{reset_code}}</strong></p>
+    <p><strong>Hinweis:</strong> Dieser Link ist nur {{expires_in}} gültig.</p>
+    <p style="background-color: #fef3c7; padding: 15px; border-radius: 5px; margin: 20px 0;">
+        <strong>Sicherheitshinweis:</strong> Diese Anfrage wurde von der IP-Adresse {{ip_address}} gestellt. Falls Sie diese Anfrage nicht gestellt haben, ignorieren Sie diese E-Mail und Ihr Passwort bleibt unverändert.
+    </p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `Passwort zurücksetzen
+
+Hallo {{user_name}},
+
+Sie haben eine Anfrage zum Zurücksetzen Ihres Passworts gestellt. Klicken Sie auf den folgenden Link, um ein neues Passwort festzulegen:
+{{reset_url}}
+
+Alternativ können Sie auch diesen Code verwenden: {{reset_code}}
+
+Hinweis: Dieser Link ist nur {{expires_in}} gültig.
+
+Sicherheitshinweis: Diese Anfrage wurde von der IP-Adresse {{ip_address}} gestellt. Falls Sie diese Anfrage nicht gestellt haben, ignorieren Sie diese E-Mail und Ihr Passwort bleibt unverändert.
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) getPasswordChangedTemplateDE() (string, string, string) {
+	subject := "Ihr Passwort wurde geändert"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #2563eb;">Passwort geändert</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Ihr Passwort wurde am {{changed_at}} erfolgreich geändert.</p>
+    <p><strong>Details:</strong></p>
+    <ul>
+        <li>IP-Adresse: {{ip_address}}</li>
+        <li>Gerät: {{device_info}}</li>
+    </ul>
+    <p style="background-color: #fee2e2; padding: 15px; border-radius: 5px; margin: 20px 0;">
+        <strong>Nicht Sie?</strong> Falls Sie diese Änderung nicht vorgenommen haben, kontaktieren Sie uns sofort unter {{support_url}}.
+    </p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `Passwort geändert
+
+Hallo {{user_name}},
+
+Ihr Passwort wurde am {{changed_at}} erfolgreich geändert.
+
+Details:
+- IP-Adresse: {{ip_address}}
+- Gerät: {{device_info}}
+
+Nicht Sie? Falls Sie diese Änderung nicht vorgenommen haben, kontaktieren Sie uns sofort unter {{support_url}}.
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) get2FAEnabledTemplateDE() (string, string, string) {
+	subject := "Zwei-Faktor-Authentifizierung aktiviert"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #059669;">2FA aktiviert</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Die Zwei-Faktor-Authentifizierung wurde am {{enabled_at}} für Ihr Konto aktiviert.</p>
+    <p><strong>Gerät:</strong> {{device_info}}</p>
+    <p style="background-color: #d1fae5; padding: 15px; border-radius: 5px; margin: 20px 0;">
+        <strong>Sicherheitstipp:</strong> Bewahren Sie Ihre Recovery-Codes sicher auf. Sie benötigen diese, falls Sie den Zugang zu Ihrer Authenticator-App verlieren.
+    </p>
+    <p>Sie können Ihre 2FA-Einstellungen jederzeit unter {{security_url}} verwalten.</p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `2FA aktiviert
+
+Hallo {{user_name}},
+
+Die Zwei-Faktor-Authentifizierung wurde am {{enabled_at}} für Ihr Konto aktiviert.
+
+Gerät: {{device_info}}
+
+Sicherheitstipp: Bewahren Sie Ihre Recovery-Codes sicher auf. Sie benötigen diese, falls Sie den Zugang zu Ihrer Authenticator-App verlieren.
+
+Sie können Ihre 2FA-Einstellungen jederzeit unter {{security_url}} verwalten.
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) get2FADisabledTemplateDE() (string, string, string) {
+	subject := "Zwei-Faktor-Authentifizierung deaktiviert"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #dc2626;">2FA deaktiviert</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Die Zwei-Faktor-Authentifizierung wurde am {{disabled_at}} für Ihr Konto deaktiviert.</p>
+    <p><strong>IP-Adresse:</strong> {{ip_address}}</p>
+    <p style="background-color: #fee2e2; padding: 15px; border-radius: 5px; margin: 20px 0;">
+        <strong>Warnung:</strong> Ihr Konto ist jetzt weniger sicher. Wir empfehlen dringend, 2FA wieder zu aktivieren.
+    </p>
+    <p>Sie können 2FA jederzeit unter {{security_url}} wieder aktivieren.</p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `2FA deaktiviert
+
+Hallo {{user_name}},
+
+Die Zwei-Faktor-Authentifizierung wurde am {{disabled_at}} für Ihr Konto deaktiviert.
+
+IP-Adresse: {{ip_address}}
+
+Warnung: Ihr Konto ist jetzt weniger sicher. Wir empfehlen dringend, 2FA wieder zu aktivieren.
+
+Sie können 2FA jederzeit unter {{security_url}} wieder aktivieren.
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) getNewDeviceLoginTemplateDE() (string, string, string) {
+	subject := "Neuer Login auf Ihrem Konto"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #f59e0b;">Neuer Login erkannt</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Wir haben einen Login auf Ihrem Konto von einem neuen Gerät oder Standort erkannt:</p>
+    <ul>
+        <li><strong>Zeitpunkt:</strong> {{login_time}}</li>
+        <li><strong>IP-Adresse:</strong> {{ip_address}}</li>
+        <li><strong>Gerät:</strong> {{device_info}}</li>
+        <li><strong>Standort:</strong> {{location}}</li>
+    </ul>
+    <p style="background-color: #fef3c7; padding: 15px; border-radius: 5px; margin: 20px 0;">
+        <strong>Nicht Sie?</strong> Falls Sie diesen Login nicht durchgeführt haben, ändern Sie sofort Ihr Passwort unter {{security_url}}.
+    </p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `Neuer Login erkannt
+
+Hallo {{user_name}},
+
+Wir haben einen Login auf Ihrem Konto von einem neuen Gerät oder Standort erkannt:
+
+- Zeitpunkt: {{login_time}}
+- IP-Adresse: {{ip_address}}
+- Gerät: {{device_info}}
+- Standort: {{location}}
+
+Nicht Sie? Falls Sie diesen Login nicht durchgeführt haben, ändern Sie sofort Ihr Passwort unter {{security_url}}.
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) getSuspiciousActivityTemplateDE() (string, string, string) {
+	subject := "Verdächtige Aktivität auf Ihrem Konto"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #dc2626;">Verdächtige Aktivität erkannt</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Wir haben verdächtige Aktivität auf Ihrem Konto festgestellt:</p>
+    <ul>
+        <li><strong>Art:</strong> {{activity_type}}</li>
+        <li><strong>Zeitpunkt:</strong> {{activity_time}}</li>
+        <li><strong>IP-Adresse:</strong> {{ip_address}}</li>
+    </ul>
+    <p style="background-color: #fee2e2; padding: 15px; border-radius: 5px; margin: 20px 0;">
+        <strong>Wichtig:</strong> Bitte überprüfen Sie Ihre Sicherheitseinstellungen unter {{security_url}} und ändern Sie Ihr Passwort, falls Sie diese Aktivität nicht selbst durchgeführt haben.
+    </p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `Verdächtige Aktivität erkannt
+
+Hallo {{user_name}},
+
+Wir haben verdächtige Aktivität auf Ihrem Konto festgestellt:
+
+- Art: {{activity_type}}
+- Zeitpunkt: {{activity_time}}
+- IP-Adresse: {{ip_address}}
+
+Wichtig: Bitte überprüfen Sie Ihre Sicherheitseinstellungen unter {{security_url}} und ändern Sie Ihr Passwort, falls Sie diese Aktivität nicht selbst durchgeführt haben.
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) getAccountLockedTemplateDE() (string, string, string) {
+	subject := "Ihr Konto wurde gesperrt"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #dc2626;">Konto gesperrt</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Ihr Konto wurde am {{locked_at}} aus folgendem Grund gesperrt:</p>
+    <p style="background-color: #fee2e2; padding: 15px; border-radius: 5px; margin: 20px 0;">
+        {{reason}}
+    </p>
+    <p>Ihr Konto wird automatisch entsperrt am: <strong>{{unlock_time}}</strong></p>
+    <p>Falls Sie Hilfe benötigen, kontaktieren Sie uns unter {{support_url}}.</p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `Konto gesperrt
+
+Hallo {{user_name}},
+
+Ihr Konto wurde am {{locked_at}} aus folgendem Grund gesperrt:
+
+{{reason}}
+
+Ihr Konto wird automatisch entsperrt am: {{unlock_time}}
+
+Falls Sie Hilfe benötigen, kontaktieren Sie uns unter {{support_url}}.
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) getAccountUnlockedTemplateDE() (string, string, string) {
+	subject := "Ihr Konto wurde entsperrt"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #059669;">Konto entsperrt</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Ihr Konto wurde am {{unlocked_at}} erfolgreich entsperrt.</p>
+    <p style="text-align: center; margin: 30px 0;">
+        <a href="{{login_url}}" style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Jetzt anmelden</a>
+    </p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `Konto entsperrt
+
+Hallo {{user_name}},
+
+Ihr Konto wurde am {{unlocked_at}} erfolgreich entsperrt.
+
+Sie können sich jetzt wieder anmelden: {{login_url}}
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
diff --git a/consent-service/internal/services/email_template_defaults_lifecycle.go b/consent-service/internal/services/email_template_defaults_lifecycle.go
new file mode 100644
index 0000000..e6523f4
--- /dev/null
+++ b/consent-service/internal/services/email_template_defaults_lifecycle.go
@@ -0,0 +1,301 @@
+package services
+
+// Default German email templates for account lifecycle and consent events.
+// Templates: Deletion Requested, Deletion Confirmed, Data Export Ready,
+// Email Changed, New Version Published, Consent Reminder,
+// Consent Deadline Warning, Account Suspended.
+
+func (s *EmailTemplateService) getDeletionRequestedTemplateDE() (string, string, string) {
+	subject := "Bestätigung: Kontolöschung angefordert"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #dc2626;">Kontolöschung angefordert</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Sie haben am {{requested_at}} die Löschung Ihres Kontos beantragt.</p>
+    <p style="background-color: #fef3c7; padding: 15px; border-radius: 5px; margin: 20px 0;">
+        <strong>Wichtig:</strong> Ihr Konto und alle zugehörigen Daten werden endgültig am <strong>{{deletion_date}}</strong> gelöscht.
+    </p>
+    <p><strong>Folgende Daten werden gelöscht:</strong></p>
+    <p>{{data_info}}</p>
+    <p>Sie können die Löschung bis zum genannten Datum abbrechen:</p>
+    <p style="text-align: center; margin: 30px 0;">
+        <a href="{{cancel_url}}" style="background-color: #dc2626; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Löschung abbrechen</a>
+    </p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `Kontolöschung angefordert
+
+Hallo {{user_name}},
+
+Sie haben am {{requested_at}} die Löschung Ihres Kontos beantragt.
+
+Wichtig: Ihr Konto und alle zugehörigen Daten werden endgültig am {{deletion_date}} gelöscht.
+
+Folgende Daten werden gelöscht:
+{{data_info}}
+
+Sie können die Löschung bis zum genannten Datum abbrechen: {{cancel_url}}
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) getDeletionConfirmedTemplateDE() (string, string, string) {
+	subject := "Ihr Konto wurde gelöscht"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #6b7280;">Konto gelöscht</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Ihr Konto und alle zugehörigen Daten wurden am {{deleted_at}} erfolgreich und endgültig gelöscht.</p>
+    <p>Wir bedauern, dass Sie uns verlassen. Falls Sie uns Feedback geben möchten:</p>
+    <p style="text-align: center; margin: 30px 0;">
+        <a href="{{feedback_url}}" style="background-color: #6b7280; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Feedback geben</a>
+    </p>
+    <p>Vielen Dank für Ihre Zeit bei BreakPilot.</p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `Konto gelöscht
+
+Hallo {{user_name}},
+
+Ihr Konto und alle zugehörigen Daten wurden am {{deleted_at}} erfolgreich und endgültig gelöscht.
+
+Wir bedauern, dass Sie uns verlassen. Falls Sie uns Feedback geben möchten: {{feedback_url}}
+
+Vielen Dank für Ihre Zeit bei BreakPilot.
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) getDataExportReadyTemplateDE() (string, string, string) {
+	subject := "Ihr Datenexport ist bereit"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #2563eb;">Datenexport bereit</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Ihr angeforderte Datenexport wurde erstellt und steht zum Download bereit.</p>
+    <p style="text-align: center; margin: 30px 0;">
+        <a href="{{download_url}}" style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Daten herunterladen ({{file_size}})</a>
+    </p>
+    <p style="background-color: #fef3c7; padding: 15px; border-radius: 5px; margin: 20px 0;">
+        <strong>Hinweis:</strong> Der Download-Link ist nur {{expires_in}} gültig.
+    </p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `Datenexport bereit
+
+Hallo {{user_name}},
+
+Ihr angeforderte Datenexport wurde erstellt und steht zum Download bereit:
+{{download_url}}
+
+Dateigröße: {{file_size}}
+
+Hinweis: Der Download-Link ist nur {{expires_in}} gültig.
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) getEmailChangedTemplateDE() (string, string, string) {
+	subject := "Ihre E-Mail-Adresse wurde geändert"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #2563eb;">E-Mail-Adresse geändert</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Die E-Mail-Adresse Ihres Kontos wurde am {{changed_at}} geändert.</p>
+    <ul>
+        <li><strong>Alte Adresse:</strong> {{old_email}}</li>
+        <li><strong>Neue Adresse:</strong> {{new_email}}</li>
+    </ul>
+    <p style="background-color: #fee2e2; padding: 15px; border-radius: 5px; margin: 20px 0;">
+        <strong>Nicht Sie?</strong> Falls Sie diese Änderung nicht vorgenommen haben, kontaktieren Sie uns sofort unter {{support_url}}.
+    </p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `E-Mail-Adresse geändert
+
+Hallo {{user_name}},
+
+Die E-Mail-Adresse Ihres Kontos wurde am {{changed_at}} geändert.
+
+- Alte Adresse: {{old_email}}
+- Neue Adresse: {{new_email}}
+
+Nicht Sie? Falls Sie diese Änderung nicht vorgenommen haben, kontaktieren Sie uns sofort unter {{support_url}}.
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) getNewVersionPublishedTemplateDE() (string, string, string) {
+	subject := "Neue Version: {{document_name}} - Ihre Zustimmung ist erforderlich"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #2563eb;">Neue Dokumentversion</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Eine neue Version unserer <strong>{{document_name}}</strong> ({{document_type}}) wurde veröffentlicht.</p>
+    <p><strong>Version:</strong> {{version}}</p>
+    <p style="background-color: #dbeafe; padding: 15px; border-radius: 5px; margin: 20px 0;">
+        Bitte prüfen und bestätigen Sie die aktualisierte Version bis zum <strong>{{deadline}}</strong>.
+    </p>
+    <p style="text-align: center; margin: 30px 0;">
+        <a href="{{consent_url}}" style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Jetzt prüfen und zustimmen</a>
+    </p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `Neue Dokumentversion
+
+Hallo {{user_name}},
+
+Eine neue Version unserer {{document_name}} ({{document_type}}) wurde veröffentlicht.
+
+Version: {{version}}
+
+Bitte prüfen und bestätigen Sie die aktualisierte Version bis zum {{deadline}}.
+
+Jetzt prüfen und zustimmen: {{consent_url}}
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) getConsentReminderTemplateDE() (string, string, string) {
+	subject := "Erinnerung: Zustimmung zu {{document_name}} erforderlich"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #f59e0b;">Erinnerung: Zustimmung erforderlich</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Dies ist eine freundliche Erinnerung, dass Ihre Zustimmung zur <strong>{{document_name}}</strong> noch aussteht.</p>
+    <p style="background-color: #fef3c7; padding: 15px; border-radius: 5px; margin: 20px 0;">
+        <strong>Noch {{days_left}} Tage</strong> bis zur Frist am {{deadline}}.
+    </p>
+    <p style="text-align: center; margin: 30px 0;">
+        <a href="{{consent_url}}" style="background-color: #f59e0b; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Jetzt zustimmen</a>
+    </p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `Erinnerung: Zustimmung erforderlich
+
+Hallo {{user_name}},
+
+Dies ist eine freundliche Erinnerung, dass Ihre Zustimmung zur {{document_name}} noch aussteht.
+
+Noch {{days_left}} Tage bis zur Frist am {{deadline}}.
+
+Jetzt zustimmen: {{consent_url}}
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) getConsentDeadlineWarningTemplateDE() (string, string, string) {
+	subject := "DRINGEND: Zustimmung zu {{document_name}} läuft bald ab"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #dc2626;">Dringende Erinnerung</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Ihre Frist zur Zustimmung zur <strong>{{document_name}}</strong> läuft in <strong>{{hours_left}}</strong> ab!</p>
+    <p style="background-color: #fee2e2; padding: 15px; border-radius: 5px; margin: 20px 0;">
+        <strong>Wichtig:</strong> {{consequences}}
+    </p>
+    <p style="text-align: center; margin: 30px 0;">
+        <a href="{{consent_url}}" style="background-color: #dc2626; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Sofort zustimmen</a>
+    </p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `Dringende Erinnerung
+
+Hallo {{user_name}},
+
+Ihre Frist zur Zustimmung zur {{document_name}} läuft in {{hours_left}} ab!
+
+Wichtig: {{consequences}}
+
+Sofort zustimmen: {{consent_url}}
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
+
+func (s *EmailTemplateService) getAccountSuspendedTemplateDE() (string, string, string) {
+	subject := "Ihr Konto wurde suspendiert"
+	bodyHTML := `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <h1 style="color: #dc2626;">Konto suspendiert</h1>
+    <p>Hallo {{user_name}},</p>
+    <p>Ihr Konto wurde am {{suspended_at}} suspendiert.</p>
+    <p><strong>Grund:</strong> {{reason}}</p>
+    <p><strong>Fehlende Zustimmungen:</strong></p>
+    <p>{{documents}}</p>
+    <p>Um Ihr Konto zu reaktivieren, stimmen Sie bitte den ausstehenden Dokumenten zu:</p>
+    <p style="text-align: center; margin: 30px 0;">
+        <a href="{{consent_url}}" style="background-color: #dc2626; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Konto reaktivieren</a>
+    </p>
+    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
+</div>
+</body>
+</html>`
+	bodyText := `Konto suspendiert
+
+Hallo {{user_name}},
+
+Ihr Konto wurde am {{suspended_at}} suspendiert.
+
+Grund: {{reason}}
+
+Fehlende Zustimmungen:
+{{documents}}
+
+Um Ihr Konto zu reaktivieren, stimmen Sie bitte den ausstehenden Dokumenten zu: {{consent_url}}
+
+Mit freundlichen Grüßen,
+Ihr BreakPilot-Team`
+	return subject, bodyHTML, bodyText
+}
diff --git a/consent-service/internal/services/email_template_render.go b/consent-service/internal/services/email_template_render.go
new file mode 100644
index 0000000..196693d
--- /dev/null
+++ b/consent-service/internal/services/email_template_render.go
@@ -0,0 +1,273 @@
+package services
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/google/uuid"
+)
+
+// RenderTemplate renders a template with variables
+func (s *EmailTemplateService) RenderTemplate(version *models.EmailTemplateVersion, variables map[string]string) (*models.EmailPreviewResponse, error) {
+	subject := version.Subject
+	bodyHTML := version.BodyHTML
+	bodyText := version.BodyText
+
+	// Replace variables in format {{variable_name}}
+	re := regexp.MustCompile(`\{\{(\w+)\}\}`)
+
+	replaceFunc := func(content string) string {
+		return re.ReplaceAllStringFunc(content, func(match string) string {
+			varName := strings.Trim(match, "{}")
+			if val, ok := variables[varName]; ok {
+				return val
+			}
+			return match // Keep placeholder if variable not provided
+		})
+	}
+
+	return &models.EmailPreviewResponse{
+		Subject:  replaceFunc(subject),
+		BodyHTML: replaceFunc(bodyHTML),
+		BodyText: replaceFunc(bodyText),
+	}, nil
+}
+
+// LogEmailSend logs a sent email
+func (s *EmailTemplateService) LogEmailSend(ctx context.Context, log *models.EmailSendLog) error {
+	_, err := s.db.Exec(ctx, `
+		INSERT INTO email_send_logs
+		(id, user_id, version_id, recipient, subject, status, error_msg, variables, sent_at, created_at)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)
+	`, log.ID, log.UserID, log.VersionID, log.Recipient, log.Subject, log.Status,
+	   log.ErrorMsg, log.Variables, log.SentAt, log.CreatedAt)
+	if err != nil {
+		return fmt.Errorf("failed to log email send: %w", err)
+	}
+	return nil
+}
+
+// GetEmailStats returns email statistics
+func (s *EmailTemplateService) GetEmailStats(ctx context.Context) (*models.EmailStats, error) {
+	var stats models.EmailStats
+
+	err := s.db.QueryRow(ctx, `
+		SELECT
+			COUNT(*) as total_sent,
+			COUNT(*) FILTER (WHERE status = 'delivered') as delivered,
+			COUNT(*) FILTER (WHERE status = 'bounced') as bounced,
+			COUNT(*) FILTER (WHERE status = 'failed') as failed,
+			COUNT(*) FILTER (WHERE created_at > NOW() - INTERVAL '7 days') as recent_sent
+		FROM email_send_logs
+	`).Scan(&stats.TotalSent, &stats.Delivered, &stats.Bounced, &stats.Failed, &stats.RecentSent)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get email stats: %w", err)
+	}
+
+	if stats.TotalSent > 0 {
+		stats.DeliveryRate = float64(stats.Delivered) / float64(stats.TotalSent) * 100
+	}
+
+	return &stats, nil
+}
+
+// GetDefaultTemplateContent returns default content for a template type
+func (s *EmailTemplateService) GetDefaultTemplateContent(templateType, language string) (subject, bodyHTML, bodyText string) {
+	// Default templates in German
+	if language == "de" {
+		switch templateType {
+		case models.EmailTypeWelcome:
+			return s.getWelcomeTemplateDE()
+		case models.EmailTypeEmailVerification:
+			return s.getEmailVerificationTemplateDE()
+		case models.EmailTypePasswordReset:
+			return s.getPasswordResetTemplateDE()
+		case models.EmailTypePasswordChanged:
+			return s.getPasswordChangedTemplateDE()
+		case models.EmailType2FAEnabled:
+			return s.get2FAEnabledTemplateDE()
+		case models.EmailType2FADisabled:
+			return s.get2FADisabledTemplateDE()
+		case models.EmailTypeNewDeviceLogin:
+			return s.getNewDeviceLoginTemplateDE()
+		case models.EmailTypeSuspiciousActivity:
+			return s.getSuspiciousActivityTemplateDE()
+		case models.EmailTypeAccountLocked:
+			return s.getAccountLockedTemplateDE()
+		case models.EmailTypeAccountUnlocked:
+			return s.getAccountUnlockedTemplateDE()
+		case models.EmailTypeDeletionRequested:
+			return s.getDeletionRequestedTemplateDE()
+		case models.EmailTypeDeletionConfirmed:
+			return s.getDeletionConfirmedTemplateDE()
+		case models.EmailTypeDataExportReady:
+			return s.getDataExportReadyTemplateDE()
+		case models.EmailTypeEmailChanged:
+			return s.getEmailChangedTemplateDE()
+		case models.EmailTypeNewVersionPublished:
+			return s.getNewVersionPublishedTemplateDE()
+		case models.EmailTypeConsentReminder:
+			return s.getConsentReminderTemplateDE()
+		case models.EmailTypeConsentDeadlineWarning:
+			return s.getConsentDeadlineWarningTemplateDE()
+		case models.EmailTypeAccountSuspended:
+			return s.getAccountSuspendedTemplateDE()
+		}
+	}
+
+	// Default English fallback
+	return "No template", "<p>No template available</p>", "No template available"
+}
+
+// InitDefaultTemplates creates default email templates if they don't exist
+func (s *EmailTemplateService) InitDefaultTemplates(ctx context.Context) error {
+	templateTypes := []struct {
+		Type        string
+		Name        string
+		Description string
+		SortOrder   int
+	}{
+		{models.EmailTypeWelcome, "Willkommens-E-Mail", "Wird nach erfolgreicher Registrierung gesendet", 1},
+		{models.EmailTypeEmailVerification, "E-Mail-Verifizierung", "Enthält Link zur E-Mail-Bestätigung", 2},
+		{models.EmailTypePasswordReset, "Passwort zurücksetzen", "Enthält Link zum Passwort-Reset", 3},
+		{models.EmailTypePasswordChanged, "Passwort geändert", "Bestätigung der Passwortänderung", 4},
+		{models.EmailType2FAEnabled, "2FA aktiviert", "Bestätigung der 2FA-Aktivierung", 5},
+		{models.EmailType2FADisabled, "2FA deaktiviert", "Warnung über 2FA-Deaktivierung", 6},
+		{models.EmailTypeNewDeviceLogin, "Neuer Login", "Benachrichtigung über Login von neuem Gerät", 7},
+		{models.EmailTypeSuspiciousActivity, "Verdächtige Aktivität", "Warnung über verdächtige Kontoaktivität", 8},
+		{models.EmailTypeAccountLocked, "Konto gesperrt", "Benachrichtigung über Kontosperrung", 9},
+		{models.EmailTypeAccountUnlocked, "Konto entsperrt", "Bestätigung der Kontoentsperrung", 10},
+		{models.EmailTypeDeletionRequested, "Löschung angefordert", "Bestätigung der Löschanfrage", 11},
+		{models.EmailTypeDeletionConfirmed, "Löschung bestätigt", "Bestätigung der Kontolöschung", 12},
+		{models.EmailTypeDataExportReady, "Datenexport bereit", "Benachrichtigung über fertigen Datenexport", 13},
+		{models.EmailTypeEmailChanged, "E-Mail geändert", "Bestätigung der E-Mail-Änderung", 14},
+		{models.EmailTypeNewVersionPublished, "Neue Version veröffentlicht", "Benachrichtigung über neue Dokumentversion", 15},
+		{models.EmailTypeConsentReminder, "Zustimmungs-Erinnerung", "Erinnerung an ausstehende Zustimmung", 16},
+		{models.EmailTypeConsentDeadlineWarning, "Frist-Warnung", "Dringende Warnung vor ablaufender Frist", 17},
+		{models.EmailTypeAccountSuspended, "Konto suspendiert", "Benachrichtigung über Kontosuspendierung", 18},
+	}
+
+	for _, tt := range templateTypes {
+		// Check if template exists
+		var exists bool
+		err := s.db.QueryRow(ctx, `SELECT EXISTS(SELECT 1 FROM email_templates WHERE type = $1)`, tt.Type).Scan(&exists)
+		if err != nil {
+			return fmt.Errorf("failed to check template existence: %w", err)
+		}
+
+		if !exists {
+			desc := tt.Description
+			_, err = s.db.Exec(ctx, `
+				INSERT INTO email_templates (id, type, name, description, is_active, sort_order, created_at, updated_at)
+				VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
+			`, uuid.New(), tt.Type, tt.Name, &desc, true, tt.SortOrder, time.Now(), time.Now())
+			if err != nil {
+				return fmt.Errorf("failed to create template %s: %w", tt.Type, err)
+			}
+
+			// Create default German version
+			template, err := s.GetTemplateByType(ctx, tt.Type)
+			if err != nil {
+				return fmt.Errorf("failed to get template %s: %w", tt.Type, err)
+			}
+
+			subject, bodyHTML, bodyText := s.GetDefaultTemplateContent(tt.Type, "de")
+			_, err = s.db.Exec(ctx, `
+				INSERT INTO email_template_versions
+				(id, template_id, version, language, subject, body_html, body_text, status, published_at, created_at, updated_at)
+				VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
+			`, uuid.New(), template.ID, "1.0.0", "de", subject, bodyHTML, bodyText, "published", time.Now(), time.Now(), time.Now())
+			if err != nil {
+				return fmt.Errorf("failed to create template version %s: %w", tt.Type, err)
+			}
+		}
+	}
+
+	return nil
+}
+
+// GetSendLogs returns email send logs with optional filtering
+func (s *EmailTemplateService) GetSendLogs(ctx context.Context, limit, offset int) ([]models.EmailSendLog, int, error) {
+	var total int
+	err := s.db.QueryRow(ctx, `SELECT COUNT(*) FROM email_send_logs`).Scan(&total)
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to count send logs: %w", err)
+	}
+
+	rows, err := s.db.Query(ctx, `
+		SELECT id, user_id, version_id, recipient, subject, status, error_msg, variables, sent_at, delivered_at, created_at
+		FROM email_send_logs
+		ORDER BY created_at DESC
+		LIMIT $1 OFFSET $2
+	`, limit, offset)
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to get send logs: %w", err)
+	}
+	defer rows.Close()
+
+	var logs []models.EmailSendLog
+	for rows.Next() {
+		var log models.EmailSendLog
+		err := rows.Scan(&log.ID, &log.UserID, &log.VersionID, &log.Recipient, &log.Subject,
+			&log.Status, &log.ErrorMsg, &log.Variables, &log.SentAt, &log.DeliveredAt, &log.CreatedAt)
+		if err != nil {
+			return nil, 0, fmt.Errorf("failed to scan send log: %w", err)
+		}
+		logs = append(logs, log)
+	}
+
+	return logs, total, nil
+}
+
+// SendEmail sends an email using the specified template (stub - actual sending would use SMTP)
+func (s *EmailTemplateService) SendEmail(ctx context.Context, templateType, language, recipient string, variables map[string]string, userID *uuid.UUID) error {
+	// Get published version
+	version, err := s.GetPublishedVersion(ctx, templateType, language)
+	if err != nil {
+		return fmt.Errorf("failed to get published version: %w", err)
+	}
+
+	// Render template
+	rendered, err := s.RenderTemplate(version, variables)
+	if err != nil {
+		return fmt.Errorf("failed to render template: %w", err)
+	}
+
+	// Log the send attempt
+	variablesJSON, _ := json.Marshal(variables)
+	now := time.Now()
+	sendLog := &models.EmailSendLog{
+		ID:        uuid.New(),
+		UserID:    userID,
+		VersionID: version.ID,
+		Recipient: recipient,
+		Subject:   rendered.Subject,
+		Status:    "queued",
+		Variables: ptr(string(variablesJSON)),
+		CreatedAt: now,
+	}
+
+	if err := s.LogEmailSend(ctx, sendLog); err != nil {
+		return fmt.Errorf("failed to log email send: %w", err)
+	}
+
+	// TODO: Actual email sending via SMTP would go here
+	// For now, we just log it as "sent"
+	_, err = s.db.Exec(ctx, `
+		UPDATE email_send_logs SET status = 'sent', sent_at = $1 WHERE id = $2
+	`, now, sendLog.ID)
+	if err != nil {
+		return fmt.Errorf("failed to update send log status: %w", err)
+	}
+
+	return nil
+}
+
+func ptr(s string) *string {
+	return &s
+}
diff --git a/consent-service/internal/services/email_template_service.go b/consent-service/internal/services/email_template_service.go
index afc50e7..84a3590 100644
--- a/consent-service/internal/services/email_template_service.go
+++ b/consent-service/internal/services/email_template_service.go
@@ -2,10 +2,7 @@ package services
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
-	"regexp"
-	"strings"
 	"time"
 
 	"github.com/breakpilot/consent-service/internal/models"
@@ -23,213 +20,6 @@ func NewEmailTemplateService(db *pgxpool.Pool) *EmailTemplateService {
 	return &EmailTemplateService{db: db}
 }
 
-// GetAllTemplateTypes returns all available email template types with their variables
-func (s *EmailTemplateService) GetAllTemplateTypes() []models.EmailTemplateVariables {
-	return []models.EmailTemplateVariables{
-		{
-			TemplateType: models.EmailTypeWelcome,
-			Variables:    []string{"user_name", "user_email", "login_url", "support_email"},
-			Descriptions: map[string]string{
-				"user_name":     "Name des Benutzers",
-				"user_email":    "E-Mail-Adresse des Benutzers",
-				"login_url":     "URL zur Login-Seite",
-				"support_email": "Support E-Mail-Adresse",
-			},
-		},
-		{
-			TemplateType: models.EmailTypeEmailVerification,
-			Variables:    []string{"user_name", "verification_url", "verification_code", "expires_in"},
-			Descriptions: map[string]string{
-				"user_name":         "Name des Benutzers",
-				"verification_url":  "URL zur E-Mail-Verifizierung",
-				"verification_code": "Verifizierungscode",
-				"expires_in":        "Gültigkeit des Links (z.B. '24 Stunden')",
-			},
-		},
-		{
-			TemplateType: models.EmailTypePasswordReset,
-			Variables:    []string{"user_name", "reset_url", "reset_code", "expires_in", "ip_address"},
-			Descriptions: map[string]string{
-				"user_name":  "Name des Benutzers",
-				"reset_url":  "URL zum Passwort-Reset",
-				"reset_code": "Reset-Code",
-				"expires_in": "Gültigkeit des Links",
-				"ip_address": "IP-Adresse der Anfrage",
-			},
-		},
-		{
-			TemplateType: models.EmailTypePasswordChanged,
-			Variables:    []string{"user_name", "changed_at", "ip_address", "device_info", "support_url"},
-			Descriptions: map[string]string{
-				"user_name":   "Name des Benutzers",
-				"changed_at":  "Zeitpunkt der Änderung",
-				"ip_address":  "IP-Adresse",
-				"device_info": "Geräte-Informationen",
-				"support_url": "URL zum Support",
-			},
-		},
-		{
-			TemplateType: models.EmailType2FAEnabled,
-			Variables:    []string{"user_name", "enabled_at", "device_info", "security_url"},
-			Descriptions: map[string]string{
-				"user_name":    "Name des Benutzers",
-				"enabled_at":   "Zeitpunkt der Aktivierung",
-				"device_info":  "Geräte-Informationen",
-				"security_url": "URL zu Sicherheitseinstellungen",
-			},
-		},
-		{
-			TemplateType: models.EmailType2FADisabled,
-			Variables:    []string{"user_name", "disabled_at", "ip_address", "security_url"},
-			Descriptions: map[string]string{
-				"user_name":    "Name des Benutzers",
-				"disabled_at":  "Zeitpunkt der Deaktivierung",
-				"ip_address":   "IP-Adresse",
-				"security_url": "URL zu Sicherheitseinstellungen",
-			},
-		},
-		{
-			TemplateType: models.EmailTypeNewDeviceLogin,
-			Variables:    []string{"user_name", "login_time", "ip_address", "device_info", "location", "security_url"},
-			Descriptions: map[string]string{
-				"user_name":    "Name des Benutzers",
-				"login_time":   "Zeitpunkt des Logins",
-				"ip_address":   "IP-Adresse",
-				"device_info":  "Geräte-Informationen",
-				"location":     "Ungefährer Standort",
-				"security_url": "URL zu Sicherheitseinstellungen",
-			},
-		},
-		{
-			TemplateType: models.EmailTypeSuspiciousActivity,
-			Variables:    []string{"user_name", "activity_type", "activity_time", "ip_address", "security_url"},
-			Descriptions: map[string]string{
-				"user_name":     "Name des Benutzers",
-				"activity_type": "Art der Aktivität",
-				"activity_time": "Zeitpunkt",
-				"ip_address":    "IP-Adresse",
-				"security_url":  "URL zu Sicherheitseinstellungen",
-			},
-		},
-		{
-			TemplateType: models.EmailTypeAccountLocked,
-			Variables:    []string{"user_name", "locked_at", "reason", "unlock_time", "support_url"},
-			Descriptions: map[string]string{
-				"user_name":   "Name des Benutzers",
-				"locked_at":   "Zeitpunkt der Sperrung",
-				"reason":      "Grund der Sperrung",
-				"unlock_time": "Zeitpunkt der automatischen Entsperrung",
-				"support_url": "URL zum Support",
-			},
-		},
-		{
-			TemplateType: models.EmailTypeAccountUnlocked,
-			Variables:    []string{"user_name", "unlocked_at", "login_url"},
-			Descriptions: map[string]string{
-				"user_name":   "Name des Benutzers",
-				"unlocked_at": "Zeitpunkt der Entsperrung",
-				"login_url":   "URL zur Login-Seite",
-			},
-		},
-		{
-			TemplateType: models.EmailTypeDeletionRequested,
-			Variables:    []string{"user_name", "requested_at", "deletion_date", "cancel_url", "data_info"},
-			Descriptions: map[string]string{
-				"user_name":     "Name des Benutzers",
-				"requested_at":  "Zeitpunkt der Anfrage",
-				"deletion_date": "Datum der endgültigen Löschung",
-				"cancel_url":    "URL zum Abbrechen",
-				"data_info":     "Info über zu löschende Daten",
-			},
-		},
-		{
-			TemplateType: models.EmailTypeDeletionConfirmed,
-			Variables:    []string{"user_name", "deleted_at", "feedback_url"},
-			Descriptions: map[string]string{
-				"user_name":    "Name des Benutzers",
-				"deleted_at":   "Zeitpunkt der Löschung",
-				"feedback_url": "URL für Feedback",
-			},
-		},
-		{
-			TemplateType: models.EmailTypeDataExportReady,
-			Variables:    []string{"user_name", "download_url", "expires_in", "file_size"},
-			Descriptions: map[string]string{
-				"user_name":    "Name des Benutzers",
-				"download_url": "URL zum Download",
-				"expires_in":   "Gültigkeit des Download-Links",
-				"file_size":    "Dateigröße",
-			},
-		},
-		{
-			TemplateType: models.EmailTypeEmailChanged,
-			Variables:    []string{"user_name", "old_email", "new_email", "changed_at", "support_url"},
-			Descriptions: map[string]string{
-				"user_name":   "Name des Benutzers",
-				"old_email":   "Alte E-Mail-Adresse",
-				"new_email":   "Neue E-Mail-Adresse",
-				"changed_at":  "Zeitpunkt der Änderung",
-				"support_url": "URL zum Support",
-			},
-		},
-		{
-			TemplateType: models.EmailTypeEmailChangeVerify,
-			Variables:    []string{"user_name", "new_email", "verification_url", "expires_in"},
-			Descriptions: map[string]string{
-				"user_name":        "Name des Benutzers",
-				"new_email":        "Neue E-Mail-Adresse",
-				"verification_url": "URL zur Verifizierung",
-				"expires_in":       "Gültigkeit des Links",
-			},
-		},
-		{
-			TemplateType: models.EmailTypeNewVersionPublished,
-			Variables:    []string{"user_name", "document_name", "document_type", "version", "consent_url", "deadline"},
-			Descriptions: map[string]string{
-				"user_name":     "Name des Benutzers",
-				"document_name": "Name des Dokuments",
-				"document_type": "Typ des Dokuments",
-				"version":       "Versionsnummer",
-				"consent_url":   "URL zur Zustimmung",
-				"deadline":      "Frist für die Zustimmung",
-			},
-		},
-		{
-			TemplateType: models.EmailTypeConsentReminder,
-			Variables:    []string{"user_name", "document_name", "days_left", "consent_url", "deadline"},
-			Descriptions: map[string]string{
-				"user_name":     "Name des Benutzers",
-				"document_name": "Name des Dokuments",
-				"days_left":     "Verbleibende Tage",
-				"consent_url":   "URL zur Zustimmung",
-				"deadline":      "Frist für die Zustimmung",
-			},
-		},
-		{
-			TemplateType: models.EmailTypeConsentDeadlineWarning,
-			Variables:    []string{"user_name", "document_name", "hours_left", "consent_url", "consequences"},
-			Descriptions: map[string]string{
-				"user_name":     "Name des Benutzers",
-				"document_name": "Name des Dokuments",
-				"hours_left":    "Verbleibende Stunden",
-				"consent_url":   "URL zur Zustimmung",
-				"consequences":  "Konsequenzen bei Nicht-Zustimmung",
-			},
-		},
-		{
-			TemplateType: models.EmailTypeAccountSuspended,
-			Variables:    []string{"user_name", "suspended_at", "reason", "documents", "consent_url"},
-			Descriptions: map[string]string{
-				"user_name":    "Name des Benutzers",
-				"suspended_at": "Zeitpunkt der Suspendierung",
-				"reason":       "Grund der Suspendierung",
-				"documents":    "Liste der fehlenden Zustimmungen",
-				"consent_url":  "URL zur Zustimmung",
-			},
-		},
-	}
-}
-
 // CreateEmailTemplate creates a new email template type
 func (s *EmailTemplateService) CreateEmailTemplate(ctx context.Context, req *models.CreateEmailTemplateRequest) (*models.EmailTemplate, error) {
 	template := &models.EmailTemplate{
@@ -495,1179 +285,3 @@ func (s *EmailTemplateService) UpdateVersion(ctx context.Context, id uuid.UUID,
 	}
 	return nil
 }
-
-// SubmitForReview submits a version for review
-func (s *EmailTemplateService) SubmitForReview(ctx context.Context, versionID, submitterID uuid.UUID, comment *string) error {
-	tx, err := s.db.Begin(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to begin transaction: %w", err)
-	}
-	defer tx.Rollback(ctx)
-
-	// Update status
-	_, err = tx.Exec(ctx, `
-		UPDATE email_template_versions SET status = 'review', updated_at = $1 WHERE id = $2
-	`, time.Now(), versionID)
-	if err != nil {
-		return fmt.Errorf("failed to update status: %w", err)
-	}
-
-	// Create approval record
-	_, err = tx.Exec(ctx, `
-		INSERT INTO email_template_approvals (id, version_id, approver_id, action, comment, created_at)
-		VALUES ($1, $2, $3, $4, $5, $6)
-	`, uuid.New(), versionID, submitterID, "submitted_for_review", comment, time.Now())
-	if err != nil {
-		return fmt.Errorf("failed to create approval record: %w", err)
-	}
-
-	return tx.Commit(ctx)
-}
-
-// ApproveVersion approves a version (DSB)
-func (s *EmailTemplateService) ApproveVersion(ctx context.Context, versionID, approverID uuid.UUID, comment *string, scheduledPublishAt *time.Time) error {
-	tx, err := s.db.Begin(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to begin transaction: %w", err)
-	}
-	defer tx.Rollback(ctx)
-
-	now := time.Now()
-	status := "approved"
-	if scheduledPublishAt != nil {
-		status = "scheduled"
-	}
-
-	_, err = tx.Exec(ctx, `
-		UPDATE email_template_versions
-		SET status = $1, approved_by = $2, approved_at = $3, scheduled_publish_at = $4, updated_at = $5
-		WHERE id = $6
-	`, status, approverID, now, scheduledPublishAt, now, versionID)
-	if err != nil {
-		return fmt.Errorf("failed to approve version: %w", err)
-	}
-
-	_, err = tx.Exec(ctx, `
-		INSERT INTO email_template_approvals (id, version_id, approver_id, action, comment, created_at)
-		VALUES ($1, $2, $3, $4, $5, $6)
-	`, uuid.New(), versionID, approverID, "approved", comment, now)
-	if err != nil {
-		return fmt.Errorf("failed to create approval record: %w", err)
-	}
-
-	return tx.Commit(ctx)
-}
-
-// PublishVersion publishes an approved version
-func (s *EmailTemplateService) PublishVersion(ctx context.Context, versionID, publisherID uuid.UUID) error {
-	tx, err := s.db.Begin(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to begin transaction: %w", err)
-	}
-	defer tx.Rollback(ctx)
-
-	// Get version info to find template and language
-	var templateID uuid.UUID
-	var language string
-	err = tx.QueryRow(ctx, `SELECT template_id, language FROM email_template_versions WHERE id = $1`, versionID).Scan(&templateID, &language)
-	if err != nil {
-		return fmt.Errorf("failed to get version info: %w", err)
-	}
-
-	// Archive old published versions for same template and language
-	_, err = tx.Exec(ctx, `
-		UPDATE email_template_versions
-		SET status = 'archived', updated_at = $1
-		WHERE template_id = $2 AND language = $3 AND status = 'published'
-	`, time.Now(), templateID, language)
-	if err != nil {
-		return fmt.Errorf("failed to archive old versions: %w", err)
-	}
-
-	// Publish the new version
-	now := time.Now()
-	_, err = tx.Exec(ctx, `
-		UPDATE email_template_versions
-		SET status = 'published', published_at = $1, updated_at = $2
-		WHERE id = $3
-	`, now, now, versionID)
-	if err != nil {
-		return fmt.Errorf("failed to publish version: %w", err)
-	}
-
-	// Create approval record
-	_, err = tx.Exec(ctx, `
-		INSERT INTO email_template_approvals (id, version_id, approver_id, action, created_at)
-		VALUES ($1, $2, $3, $4, $5)
-	`, uuid.New(), versionID, publisherID, "published", now)
-	if err != nil {
-		return fmt.Errorf("failed to create approval record: %w", err)
-	}
-
-	return tx.Commit(ctx)
-}
-
-// RejectVersion rejects a version
-func (s *EmailTemplateService) RejectVersion(ctx context.Context, versionID, rejectorID uuid.UUID, comment string) error {
-	tx, err := s.db.Begin(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to begin transaction: %w", err)
-	}
-	defer tx.Rollback(ctx)
-
-	now := time.Now()
-	_, err = tx.Exec(ctx, `
-		UPDATE email_template_versions SET status = 'draft', updated_at = $1 WHERE id = $2
-	`, now, versionID)
-	if err != nil {
-		return fmt.Errorf("failed to reject version: %w", err)
-	}
-
-	_, err = tx.Exec(ctx, `
-		INSERT INTO email_template_approvals (id, version_id, approver_id, action, comment, created_at)
-		VALUES ($1, $2, $3, $4, $5, $6)
-	`, uuid.New(), versionID, rejectorID, "rejected", &comment, now)
-	if err != nil {
-		return fmt.Errorf("failed to create approval record: %w", err)
-	}
-
-	return tx.Commit(ctx)
-}
-
-// GetApprovals returns approval history for a version
-func (s *EmailTemplateService) GetApprovals(ctx context.Context, versionID uuid.UUID) ([]models.EmailTemplateApproval, error) {
-	rows, err := s.db.Query(ctx, `
-		SELECT id, version_id, approver_id, action, comment, created_at
-		FROM email_template_approvals
-		WHERE version_id = $1
-		ORDER BY created_at DESC
-	`, versionID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get approvals: %w", err)
-	}
-	defer rows.Close()
-
-	var approvals []models.EmailTemplateApproval
-	for rows.Next() {
-		var a models.EmailTemplateApproval
-		err := rows.Scan(&a.ID, &a.VersionID, &a.ApproverID, &a.Action, &a.Comment, &a.CreatedAt)
-		if err != nil {
-			return nil, fmt.Errorf("failed to scan approval: %w", err)
-		}
-		approvals = append(approvals, a)
-	}
-
-	return approvals, nil
-}
-
-// GetSettings returns global email settings
-func (s *EmailTemplateService) GetSettings(ctx context.Context) (*models.EmailTemplateSettings, error) {
-	var settings models.EmailTemplateSettings
-	err := s.db.QueryRow(ctx, `
-		SELECT id, logo_url, logo_base64, company_name, sender_name, sender_email,
-		       reply_to_email, footer_html, footer_text, primary_color, secondary_color,
-		       updated_at, updated_by
-		FROM email_template_settings
-		LIMIT 1
-	`).Scan(&settings.ID, &settings.LogoURL, &settings.LogoBase64, &settings.CompanyName,
-		&settings.SenderName, &settings.SenderEmail, &settings.ReplyToEmail, &settings.FooterHTML,
-		&settings.FooterText, &settings.PrimaryColor, &settings.SecondaryColor,
-		&settings.UpdatedAt, &settings.UpdatedBy)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get email settings: %w", err)
-	}
-	return &settings, nil
-}
-
-// UpdateSettings updates global email settings
-func (s *EmailTemplateService) UpdateSettings(ctx context.Context, req *models.UpdateEmailTemplateSettingsRequest, updatedBy uuid.UUID) error {
-	query := "UPDATE email_template_settings SET updated_at = $1, updated_by = $2"
-	args := []interface{}{time.Now(), updatedBy}
-	argIdx := 3
-
-	if req.LogoURL != nil {
-		query += fmt.Sprintf(", logo_url = $%d", argIdx)
-		args = append(args, *req.LogoURL)
-		argIdx++
-	}
-	if req.LogoBase64 != nil {
-		query += fmt.Sprintf(", logo_base64 = $%d", argIdx)
-		args = append(args, *req.LogoBase64)
-		argIdx++
-	}
-	if req.CompanyName != nil {
-		query += fmt.Sprintf(", company_name = $%d", argIdx)
-		args = append(args, *req.CompanyName)
-		argIdx++
-	}
-	if req.SenderName != nil {
-		query += fmt.Sprintf(", sender_name = $%d", argIdx)
-		args = append(args, *req.SenderName)
-		argIdx++
-	}
-	if req.SenderEmail != nil {
-		query += fmt.Sprintf(", sender_email = $%d", argIdx)
-		args = append(args, *req.SenderEmail)
-		argIdx++
-	}
-	if req.ReplyToEmail != nil {
-		query += fmt.Sprintf(", reply_to_email = $%d", argIdx)
-		args = append(args, *req.ReplyToEmail)
-		argIdx++
-	}
-	if req.FooterHTML != nil {
-		query += fmt.Sprintf(", footer_html = $%d", argIdx)
-		args = append(args, *req.FooterHTML)
-		argIdx++
-	}
-	if req.FooterText != nil {
-		query += fmt.Sprintf(", footer_text = $%d", argIdx)
-		args = append(args, *req.FooterText)
-		argIdx++
-	}
-	if req.PrimaryColor != nil {
-		query += fmt.Sprintf(", primary_color = $%d", argIdx)
-		args = append(args, *req.PrimaryColor)
-		argIdx++
-	}
-	if req.SecondaryColor != nil {
-		query += fmt.Sprintf(", secondary_color = $%d", argIdx)
-		args = append(args, *req.SecondaryColor)
-		argIdx++
-	}
-
-	_, err := s.db.Exec(ctx, query, args...)
-	if err != nil {
-		return fmt.Errorf("failed to update settings: %w", err)
-	}
-	return nil
-}
-
-// RenderTemplate renders a template with variables
-func (s *EmailTemplateService) RenderTemplate(version *models.EmailTemplateVersion, variables map[string]string) (*models.EmailPreviewResponse, error) {
-	subject := version.Subject
-	bodyHTML := version.BodyHTML
-	bodyText := version.BodyText
-
-	// Replace variables in format {{variable_name}}
-	re := regexp.MustCompile(`\{\{(\w+)\}\}`)
-
-	replaceFunc := func(content string) string {
-		return re.ReplaceAllStringFunc(content, func(match string) string {
-			varName := strings.Trim(match, "{}")
-			if val, ok := variables[varName]; ok {
-				return val
-			}
-			return match // Keep placeholder if variable not provided
-		})
-	}
-
-	return &models.EmailPreviewResponse{
-		Subject:  replaceFunc(subject),
-		BodyHTML: replaceFunc(bodyHTML),
-		BodyText: replaceFunc(bodyText),
-	}, nil
-}
-
-// LogEmailSend logs a sent email
-func (s *EmailTemplateService) LogEmailSend(ctx context.Context, log *models.EmailSendLog) error {
-	_, err := s.db.Exec(ctx, `
-		INSERT INTO email_send_logs
-		(id, user_id, version_id, recipient, subject, status, error_msg, variables, sent_at, created_at)
-		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)
-	`, log.ID, log.UserID, log.VersionID, log.Recipient, log.Subject, log.Status,
-	   log.ErrorMsg, log.Variables, log.SentAt, log.CreatedAt)
-	if err != nil {
-		return fmt.Errorf("failed to log email send: %w", err)
-	}
-	return nil
-}
-
-// GetEmailStats returns email statistics
-func (s *EmailTemplateService) GetEmailStats(ctx context.Context) (*models.EmailStats, error) {
-	var stats models.EmailStats
-
-	err := s.db.QueryRow(ctx, `
-		SELECT
-			COUNT(*) as total_sent,
-			COUNT(*) FILTER (WHERE status = 'delivered') as delivered,
-			COUNT(*) FILTER (WHERE status = 'bounced') as bounced,
-			COUNT(*) FILTER (WHERE status = 'failed') as failed,
-			COUNT(*) FILTER (WHERE created_at > NOW() - INTERVAL '7 days') as recent_sent
-		FROM email_send_logs
-	`).Scan(&stats.TotalSent, &stats.Delivered, &stats.Bounced, &stats.Failed, &stats.RecentSent)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get email stats: %w", err)
-	}
-
-	if stats.TotalSent > 0 {
-		stats.DeliveryRate = float64(stats.Delivered) / float64(stats.TotalSent) * 100
-	}
-
-	return &stats, nil
-}
-
-// GetDefaultTemplateContent returns default content for a template type
-func (s *EmailTemplateService) GetDefaultTemplateContent(templateType, language string) (subject, bodyHTML, bodyText string) {
-	// Default templates in German
-	if language == "de" {
-		switch templateType {
-		case models.EmailTypeWelcome:
-			return s.getWelcomeTemplateDE()
-		case models.EmailTypeEmailVerification:
-			return s.getEmailVerificationTemplateDE()
-		case models.EmailTypePasswordReset:
-			return s.getPasswordResetTemplateDE()
-		case models.EmailTypePasswordChanged:
-			return s.getPasswordChangedTemplateDE()
-		case models.EmailType2FAEnabled:
-			return s.get2FAEnabledTemplateDE()
-		case models.EmailType2FADisabled:
-			return s.get2FADisabledTemplateDE()
-		case models.EmailTypeNewDeviceLogin:
-			return s.getNewDeviceLoginTemplateDE()
-		case models.EmailTypeSuspiciousActivity:
-			return s.getSuspiciousActivityTemplateDE()
-		case models.EmailTypeAccountLocked:
-			return s.getAccountLockedTemplateDE()
-		case models.EmailTypeAccountUnlocked:
-			return s.getAccountUnlockedTemplateDE()
-		case models.EmailTypeDeletionRequested:
-			return s.getDeletionRequestedTemplateDE()
-		case models.EmailTypeDeletionConfirmed:
-			return s.getDeletionConfirmedTemplateDE()
-		case models.EmailTypeDataExportReady:
-			return s.getDataExportReadyTemplateDE()
-		case models.EmailTypeEmailChanged:
-			return s.getEmailChangedTemplateDE()
-		case models.EmailTypeNewVersionPublished:
-			return s.getNewVersionPublishedTemplateDE()
-		case models.EmailTypeConsentReminder:
-			return s.getConsentReminderTemplateDE()
-		case models.EmailTypeConsentDeadlineWarning:
-			return s.getConsentDeadlineWarningTemplateDE()
-		case models.EmailTypeAccountSuspended:
-			return s.getAccountSuspendedTemplateDE()
-		}
-	}
-
-	// Default English fallback
-	return "No template", "<p>No template available</p>", "No template available"
-}
-
-// ========================================
-// Default German Templates
-// ========================================
-
-func (s *EmailTemplateService) getWelcomeTemplateDE() (string, string, string) {
-	subject := "Willkommen bei BreakPilot!"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #2563eb;">Willkommen bei BreakPilot!</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>vielen Dank für Ihre Registrierung bei BreakPilot. Ihr Konto wurde erfolgreich erstellt.</p>
-    <p>Sie können sich jetzt mit Ihrer E-Mail-Adresse <strong>{{user_email}}</strong> anmelden:</p>
-    <p style="text-align: center; margin: 30px 0;">
-        <a href="{{login_url}}" style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Jetzt anmelden</a>
-    </p>
-    <p>Bei Fragen stehen wir Ihnen gerne zur Verfügung unter {{support_email}}.</p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `Willkommen bei BreakPilot!
-
-Hallo {{user_name}},
-
-vielen Dank für Ihre Registrierung bei BreakPilot. Ihr Konto wurde erfolgreich erstellt.
-
-Sie können sich jetzt mit Ihrer E-Mail-Adresse {{user_email}} anmelden:
-{{login_url}}
-
-Bei Fragen stehen wir Ihnen gerne zur Verfügung unter {{support_email}}.
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) getEmailVerificationTemplateDE() (string, string, string) {
-	subject := "Bitte bestätigen Sie Ihre E-Mail-Adresse"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #2563eb;">E-Mail-Adresse bestätigen</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>bitte bestätigen Sie Ihre E-Mail-Adresse, indem Sie auf den folgenden Link klicken:</p>
-    <p style="text-align: center; margin: 30px 0;">
-        <a href="{{verification_url}}" style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">E-Mail bestätigen</a>
-    </p>
-    <p>Alternativ können Sie auch diesen Bestätigungscode eingeben: <strong>{{verification_code}}</strong></p>
-    <p><strong>Hinweis:</strong> Dieser Link ist nur {{expires_in}} gültig.</p>
-    <p>Falls Sie diese E-Mail nicht angefordert haben, können Sie sie ignorieren.</p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `E-Mail-Adresse bestätigen
-
-Hallo {{user_name}},
-
-bitte bestätigen Sie Ihre E-Mail-Adresse, indem Sie auf den folgenden Link klicken:
-{{verification_url}}
-
-Alternativ können Sie auch diesen Bestätigungscode eingeben: {{verification_code}}
-
-Hinweis: Dieser Link ist nur {{expires_in}} gültig.
-
-Falls Sie diese E-Mail nicht angefordert haben, können Sie sie ignorieren.
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) getPasswordResetTemplateDE() (string, string, string) {
-	subject := "Passwort zurücksetzen"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #2563eb;">Passwort zurücksetzen</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Sie haben eine Anfrage zum Zurücksetzen Ihres Passworts gestellt. Klicken Sie auf den folgenden Link, um ein neues Passwort festzulegen:</p>
-    <p style="text-align: center; margin: 30px 0;">
-        <a href="{{reset_url}}" style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Neues Passwort festlegen</a>
-    </p>
-    <p>Alternativ können Sie auch diesen Code verwenden: <strong>{{reset_code}}</strong></p>
-    <p><strong>Hinweis:</strong> Dieser Link ist nur {{expires_in}} gültig.</p>
-    <p style="background-color: #fef3c7; padding: 15px; border-radius: 5px; margin: 20px 0;">
-        <strong>Sicherheitshinweis:</strong> Diese Anfrage wurde von der IP-Adresse {{ip_address}} gestellt. Falls Sie diese Anfrage nicht gestellt haben, ignorieren Sie diese E-Mail und Ihr Passwort bleibt unverändert.
-    </p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `Passwort zurücksetzen
-
-Hallo {{user_name}},
-
-Sie haben eine Anfrage zum Zurücksetzen Ihres Passworts gestellt. Klicken Sie auf den folgenden Link, um ein neues Passwort festzulegen:
-{{reset_url}}
-
-Alternativ können Sie auch diesen Code verwenden: {{reset_code}}
-
-Hinweis: Dieser Link ist nur {{expires_in}} gültig.
-
-Sicherheitshinweis: Diese Anfrage wurde von der IP-Adresse {{ip_address}} gestellt. Falls Sie diese Anfrage nicht gestellt haben, ignorieren Sie diese E-Mail und Ihr Passwort bleibt unverändert.
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) getPasswordChangedTemplateDE() (string, string, string) {
-	subject := "Ihr Passwort wurde geändert"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #2563eb;">Passwort geändert</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Ihr Passwort wurde am {{changed_at}} erfolgreich geändert.</p>
-    <p><strong>Details:</strong></p>
-    <ul>
-        <li>IP-Adresse: {{ip_address}}</li>
-        <li>Gerät: {{device_info}}</li>
-    </ul>
-    <p style="background-color: #fee2e2; padding: 15px; border-radius: 5px; margin: 20px 0;">
-        <strong>Nicht Sie?</strong> Falls Sie diese Änderung nicht vorgenommen haben, kontaktieren Sie uns sofort unter {{support_url}}.
-    </p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `Passwort geändert
-
-Hallo {{user_name}},
-
-Ihr Passwort wurde am {{changed_at}} erfolgreich geändert.
-
-Details:
-- IP-Adresse: {{ip_address}}
-- Gerät: {{device_info}}
-
-Nicht Sie? Falls Sie diese Änderung nicht vorgenommen haben, kontaktieren Sie uns sofort unter {{support_url}}.
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) get2FAEnabledTemplateDE() (string, string, string) {
-	subject := "Zwei-Faktor-Authentifizierung aktiviert"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #059669;">2FA aktiviert</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Die Zwei-Faktor-Authentifizierung wurde am {{enabled_at}} für Ihr Konto aktiviert.</p>
-    <p><strong>Gerät:</strong> {{device_info}}</p>
-    <p style="background-color: #d1fae5; padding: 15px; border-radius: 5px; margin: 20px 0;">
-        <strong>Sicherheitstipp:</strong> Bewahren Sie Ihre Recovery-Codes sicher auf. Sie benötigen diese, falls Sie den Zugang zu Ihrer Authenticator-App verlieren.
-    </p>
-    <p>Sie können Ihre 2FA-Einstellungen jederzeit unter {{security_url}} verwalten.</p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `2FA aktiviert
-
-Hallo {{user_name}},
-
-Die Zwei-Faktor-Authentifizierung wurde am {{enabled_at}} für Ihr Konto aktiviert.
-
-Gerät: {{device_info}}
-
-Sicherheitstipp: Bewahren Sie Ihre Recovery-Codes sicher auf. Sie benötigen diese, falls Sie den Zugang zu Ihrer Authenticator-App verlieren.
-
-Sie können Ihre 2FA-Einstellungen jederzeit unter {{security_url}} verwalten.
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) get2FADisabledTemplateDE() (string, string, string) {
-	subject := "Zwei-Faktor-Authentifizierung deaktiviert"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #dc2626;">2FA deaktiviert</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Die Zwei-Faktor-Authentifizierung wurde am {{disabled_at}} für Ihr Konto deaktiviert.</p>
-    <p><strong>IP-Adresse:</strong> {{ip_address}}</p>
-    <p style="background-color: #fee2e2; padding: 15px; border-radius: 5px; margin: 20px 0;">
-        <strong>Warnung:</strong> Ihr Konto ist jetzt weniger sicher. Wir empfehlen dringend, 2FA wieder zu aktivieren.
-    </p>
-    <p>Sie können 2FA jederzeit unter {{security_url}} wieder aktivieren.</p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `2FA deaktiviert
-
-Hallo {{user_name}},
-
-Die Zwei-Faktor-Authentifizierung wurde am {{disabled_at}} für Ihr Konto deaktiviert.
-
-IP-Adresse: {{ip_address}}
-
-Warnung: Ihr Konto ist jetzt weniger sicher. Wir empfehlen dringend, 2FA wieder zu aktivieren.
-
-Sie können 2FA jederzeit unter {{security_url}} wieder aktivieren.
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) getNewDeviceLoginTemplateDE() (string, string, string) {
-	subject := "Neuer Login auf Ihrem Konto"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #f59e0b;">Neuer Login erkannt</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Wir haben einen Login auf Ihrem Konto von einem neuen Gerät oder Standort erkannt:</p>
-    <ul>
-        <li><strong>Zeitpunkt:</strong> {{login_time}}</li>
-        <li><strong>IP-Adresse:</strong> {{ip_address}}</li>
-        <li><strong>Gerät:</strong> {{device_info}}</li>
-        <li><strong>Standort:</strong> {{location}}</li>
-    </ul>
-    <p style="background-color: #fef3c7; padding: 15px; border-radius: 5px; margin: 20px 0;">
-        <strong>Nicht Sie?</strong> Falls Sie diesen Login nicht durchgeführt haben, ändern Sie sofort Ihr Passwort unter {{security_url}}.
-    </p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `Neuer Login erkannt
-
-Hallo {{user_name}},
-
-Wir haben einen Login auf Ihrem Konto von einem neuen Gerät oder Standort erkannt:
-
-- Zeitpunkt: {{login_time}}
-- IP-Adresse: {{ip_address}}
-- Gerät: {{device_info}}
-- Standort: {{location}}
-
-Nicht Sie? Falls Sie diesen Login nicht durchgeführt haben, ändern Sie sofort Ihr Passwort unter {{security_url}}.
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) getSuspiciousActivityTemplateDE() (string, string, string) {
-	subject := "Verdächtige Aktivität auf Ihrem Konto"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #dc2626;">Verdächtige Aktivität erkannt</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Wir haben verdächtige Aktivität auf Ihrem Konto festgestellt:</p>
-    <ul>
-        <li><strong>Art:</strong> {{activity_type}}</li>
-        <li><strong>Zeitpunkt:</strong> {{activity_time}}</li>
-        <li><strong>IP-Adresse:</strong> {{ip_address}}</li>
-    </ul>
-    <p style="background-color: #fee2e2; padding: 15px; border-radius: 5px; margin: 20px 0;">
-        <strong>Wichtig:</strong> Bitte überprüfen Sie Ihre Sicherheitseinstellungen unter {{security_url}} und ändern Sie Ihr Passwort, falls Sie diese Aktivität nicht selbst durchgeführt haben.
-    </p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `Verdächtige Aktivität erkannt
-
-Hallo {{user_name}},
-
-Wir haben verdächtige Aktivität auf Ihrem Konto festgestellt:
-
-- Art: {{activity_type}}
-- Zeitpunkt: {{activity_time}}
-- IP-Adresse: {{ip_address}}
-
-Wichtig: Bitte überprüfen Sie Ihre Sicherheitseinstellungen unter {{security_url}} und ändern Sie Ihr Passwort, falls Sie diese Aktivität nicht selbst durchgeführt haben.
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) getAccountLockedTemplateDE() (string, string, string) {
-	subject := "Ihr Konto wurde gesperrt"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #dc2626;">Konto gesperrt</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Ihr Konto wurde am {{locked_at}} aus folgendem Grund gesperrt:</p>
-    <p style="background-color: #fee2e2; padding: 15px; border-radius: 5px; margin: 20px 0;">
-        {{reason}}
-    </p>
-    <p>Ihr Konto wird automatisch entsperrt am: <strong>{{unlock_time}}</strong></p>
-    <p>Falls Sie Hilfe benötigen, kontaktieren Sie uns unter {{support_url}}.</p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `Konto gesperrt
-
-Hallo {{user_name}},
-
-Ihr Konto wurde am {{locked_at}} aus folgendem Grund gesperrt:
-
-{{reason}}
-
-Ihr Konto wird automatisch entsperrt am: {{unlock_time}}
-
-Falls Sie Hilfe benötigen, kontaktieren Sie uns unter {{support_url}}.
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) getAccountUnlockedTemplateDE() (string, string, string) {
-	subject := "Ihr Konto wurde entsperrt"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #059669;">Konto entsperrt</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Ihr Konto wurde am {{unlocked_at}} erfolgreich entsperrt.</p>
-    <p style="text-align: center; margin: 30px 0;">
-        <a href="{{login_url}}" style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Jetzt anmelden</a>
-    </p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `Konto entsperrt
-
-Hallo {{user_name}},
-
-Ihr Konto wurde am {{unlocked_at}} erfolgreich entsperrt.
-
-Sie können sich jetzt wieder anmelden: {{login_url}}
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) getDeletionRequestedTemplateDE() (string, string, string) {
-	subject := "Bestätigung: Kontolöschung angefordert"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #dc2626;">Kontolöschung angefordert</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Sie haben am {{requested_at}} die Löschung Ihres Kontos beantragt.</p>
-    <p style="background-color: #fef3c7; padding: 15px; border-radius: 5px; margin: 20px 0;">
-        <strong>Wichtig:</strong> Ihr Konto und alle zugehörigen Daten werden endgültig am <strong>{{deletion_date}}</strong> gelöscht.
-    </p>
-    <p><strong>Folgende Daten werden gelöscht:</strong></p>
-    <p>{{data_info}}</p>
-    <p>Sie können die Löschung bis zum genannten Datum abbrechen:</p>
-    <p style="text-align: center; margin: 30px 0;">
-        <a href="{{cancel_url}}" style="background-color: #dc2626; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Löschung abbrechen</a>
-    </p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `Kontolöschung angefordert
-
-Hallo {{user_name}},
-
-Sie haben am {{requested_at}} die Löschung Ihres Kontos beantragt.
-
-Wichtig: Ihr Konto und alle zugehörigen Daten werden endgültig am {{deletion_date}} gelöscht.
-
-Folgende Daten werden gelöscht:
-{{data_info}}
-
-Sie können die Löschung bis zum genannten Datum abbrechen: {{cancel_url}}
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) getDeletionConfirmedTemplateDE() (string, string, string) {
-	subject := "Ihr Konto wurde gelöscht"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #6b7280;">Konto gelöscht</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Ihr Konto und alle zugehörigen Daten wurden am {{deleted_at}} erfolgreich und endgültig gelöscht.</p>
-    <p>Wir bedauern, dass Sie uns verlassen. Falls Sie uns Feedback geben möchten:</p>
-    <p style="text-align: center; margin: 30px 0;">
-        <a href="{{feedback_url}}" style="background-color: #6b7280; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Feedback geben</a>
-    </p>
-    <p>Vielen Dank für Ihre Zeit bei BreakPilot.</p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `Konto gelöscht
-
-Hallo {{user_name}},
-
-Ihr Konto und alle zugehörigen Daten wurden am {{deleted_at}} erfolgreich und endgültig gelöscht.
-
-Wir bedauern, dass Sie uns verlassen. Falls Sie uns Feedback geben möchten: {{feedback_url}}
-
-Vielen Dank für Ihre Zeit bei BreakPilot.
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) getDataExportReadyTemplateDE() (string, string, string) {
-	subject := "Ihr Datenexport ist bereit"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #2563eb;">Datenexport bereit</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Ihr angeforderte Datenexport wurde erstellt und steht zum Download bereit.</p>
-    <p style="text-align: center; margin: 30px 0;">
-        <a href="{{download_url}}" style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Daten herunterladen ({{file_size}})</a>
-    </p>
-    <p style="background-color: #fef3c7; padding: 15px; border-radius: 5px; margin: 20px 0;">
-        <strong>Hinweis:</strong> Der Download-Link ist nur {{expires_in}} gültig.
-    </p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `Datenexport bereit
-
-Hallo {{user_name}},
-
-Ihr angeforderte Datenexport wurde erstellt und steht zum Download bereit:
-{{download_url}}
-
-Dateigröße: {{file_size}}
-
-Hinweis: Der Download-Link ist nur {{expires_in}} gültig.
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) getEmailChangedTemplateDE() (string, string, string) {
-	subject := "Ihre E-Mail-Adresse wurde geändert"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #2563eb;">E-Mail-Adresse geändert</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Die E-Mail-Adresse Ihres Kontos wurde am {{changed_at}} geändert.</p>
-    <ul>
-        <li><strong>Alte Adresse:</strong> {{old_email}}</li>
-        <li><strong>Neue Adresse:</strong> {{new_email}}</li>
-    </ul>
-    <p style="background-color: #fee2e2; padding: 15px; border-radius: 5px; margin: 20px 0;">
-        <strong>Nicht Sie?</strong> Falls Sie diese Änderung nicht vorgenommen haben, kontaktieren Sie uns sofort unter {{support_url}}.
-    </p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `E-Mail-Adresse geändert
-
-Hallo {{user_name}},
-
-Die E-Mail-Adresse Ihres Kontos wurde am {{changed_at}} geändert.
-
-- Alte Adresse: {{old_email}}
-- Neue Adresse: {{new_email}}
-
-Nicht Sie? Falls Sie diese Änderung nicht vorgenommen haben, kontaktieren Sie uns sofort unter {{support_url}}.
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) getNewVersionPublishedTemplateDE() (string, string, string) {
-	subject := "Neue Version: {{document_name}} - Ihre Zustimmung ist erforderlich"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #2563eb;">Neue Dokumentversion</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Eine neue Version unserer <strong>{{document_name}}</strong> ({{document_type}}) wurde veröffentlicht.</p>
-    <p><strong>Version:</strong> {{version}}</p>
-    <p style="background-color: #dbeafe; padding: 15px; border-radius: 5px; margin: 20px 0;">
-        Bitte prüfen und bestätigen Sie die aktualisierte Version bis zum <strong>{{deadline}}</strong>.
-    </p>
-    <p style="text-align: center; margin: 30px 0;">
-        <a href="{{consent_url}}" style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Jetzt prüfen und zustimmen</a>
-    </p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `Neue Dokumentversion
-
-Hallo {{user_name}},
-
-Eine neue Version unserer {{document_name}} ({{document_type}}) wurde veröffentlicht.
-
-Version: {{version}}
-
-Bitte prüfen und bestätigen Sie die aktualisierte Version bis zum {{deadline}}.
-
-Jetzt prüfen und zustimmen: {{consent_url}}
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) getConsentReminderTemplateDE() (string, string, string) {
-	subject := "Erinnerung: Zustimmung zu {{document_name}} erforderlich"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #f59e0b;">Erinnerung: Zustimmung erforderlich</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Dies ist eine freundliche Erinnerung, dass Ihre Zustimmung zur <strong>{{document_name}}</strong> noch aussteht.</p>
-    <p style="background-color: #fef3c7; padding: 15px; border-radius: 5px; margin: 20px 0;">
-        <strong>Noch {{days_left}} Tage</strong> bis zur Frist am {{deadline}}.
-    </p>
-    <p style="text-align: center; margin: 30px 0;">
-        <a href="{{consent_url}}" style="background-color: #f59e0b; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Jetzt zustimmen</a>
-    </p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `Erinnerung: Zustimmung erforderlich
-
-Hallo {{user_name}},
-
-Dies ist eine freundliche Erinnerung, dass Ihre Zustimmung zur {{document_name}} noch aussteht.
-
-Noch {{days_left}} Tage bis zur Frist am {{deadline}}.
-
-Jetzt zustimmen: {{consent_url}}
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) getConsentDeadlineWarningTemplateDE() (string, string, string) {
-	subject := "DRINGEND: Zustimmung zu {{document_name}} läuft bald ab"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #dc2626;">Dringende Erinnerung</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Ihre Frist zur Zustimmung zur <strong>{{document_name}}</strong> läuft in <strong>{{hours_left}}</strong> ab!</p>
-    <p style="background-color: #fee2e2; padding: 15px; border-radius: 5px; margin: 20px 0;">
-        <strong>Wichtig:</strong> {{consequences}}
-    </p>
-    <p style="text-align: center; margin: 30px 0;">
-        <a href="{{consent_url}}" style="background-color: #dc2626; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Sofort zustimmen</a>
-    </p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `Dringende Erinnerung
-
-Hallo {{user_name}},
-
-Ihre Frist zur Zustimmung zur {{document_name}} läuft in {{hours_left}} ab!
-
-Wichtig: {{consequences}}
-
-Sofort zustimmen: {{consent_url}}
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-func (s *EmailTemplateService) getAccountSuspendedTemplateDE() (string, string, string) {
-	subject := "Ihr Konto wurde suspendiert"
-	bodyHTML := `<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
-<div style="max-width: 600px; margin: 0 auto; padding: 20px;">
-    <h1 style="color: #dc2626;">Konto suspendiert</h1>
-    <p>Hallo {{user_name}},</p>
-    <p>Ihr Konto wurde am {{suspended_at}} suspendiert.</p>
-    <p><strong>Grund:</strong> {{reason}}</p>
-    <p><strong>Fehlende Zustimmungen:</strong></p>
-    <p>{{documents}}</p>
-    <p>Um Ihr Konto zu reaktivieren, stimmen Sie bitte den ausstehenden Dokumenten zu:</p>
-    <p style="text-align: center; margin: 30px 0;">
-        <a href="{{consent_url}}" style="background-color: #dc2626; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px;">Konto reaktivieren</a>
-    </p>
-    <p>Mit freundlichen Grüßen,<br>Ihr BreakPilot-Team</p>
-</div>
-</body>
-</html>`
-	bodyText := `Konto suspendiert
-
-Hallo {{user_name}},
-
-Ihr Konto wurde am {{suspended_at}} suspendiert.
-
-Grund: {{reason}}
-
-Fehlende Zustimmungen:
-{{documents}}
-
-Um Ihr Konto zu reaktivieren, stimmen Sie bitte den ausstehenden Dokumenten zu: {{consent_url}}
-
-Mit freundlichen Grüßen,
-Ihr BreakPilot-Team`
-	return subject, bodyHTML, bodyText
-}
-
-// InitDefaultTemplates creates default email templates if they don't exist
-func (s *EmailTemplateService) InitDefaultTemplates(ctx context.Context) error {
-	templateTypes := []struct {
-		Type        string
-		Name        string
-		Description string
-		SortOrder   int
-	}{
-		{models.EmailTypeWelcome, "Willkommens-E-Mail", "Wird nach erfolgreicher Registrierung gesendet", 1},
-		{models.EmailTypeEmailVerification, "E-Mail-Verifizierung", "Enthält Link zur E-Mail-Bestätigung", 2},
-		{models.EmailTypePasswordReset, "Passwort zurücksetzen", "Enthält Link zum Passwort-Reset", 3},
-		{models.EmailTypePasswordChanged, "Passwort geändert", "Bestätigung der Passwortänderung", 4},
-		{models.EmailType2FAEnabled, "2FA aktiviert", "Bestätigung der 2FA-Aktivierung", 5},
-		{models.EmailType2FADisabled, "2FA deaktiviert", "Warnung über 2FA-Deaktivierung", 6},
-		{models.EmailTypeNewDeviceLogin, "Neuer Login", "Benachrichtigung über Login von neuem Gerät", 7},
-		{models.EmailTypeSuspiciousActivity, "Verdächtige Aktivität", "Warnung über verdächtige Kontoaktivität", 8},
-		{models.EmailTypeAccountLocked, "Konto gesperrt", "Benachrichtigung über Kontosperrung", 9},
-		{models.EmailTypeAccountUnlocked, "Konto entsperrt", "Bestätigung der Kontoentsperrung", 10},
-		{models.EmailTypeDeletionRequested, "Löschung angefordert", "Bestätigung der Löschanfrage", 11},
-		{models.EmailTypeDeletionConfirmed, "Löschung bestätigt", "Bestätigung der Kontolöschung", 12},
-		{models.EmailTypeDataExportReady, "Datenexport bereit", "Benachrichtigung über fertigen Datenexport", 13},
-		{models.EmailTypeEmailChanged, "E-Mail geändert", "Bestätigung der E-Mail-Änderung", 14},
-		{models.EmailTypeNewVersionPublished, "Neue Version veröffentlicht", "Benachrichtigung über neue Dokumentversion", 15},
-		{models.EmailTypeConsentReminder, "Zustimmungs-Erinnerung", "Erinnerung an ausstehende Zustimmung", 16},
-		{models.EmailTypeConsentDeadlineWarning, "Frist-Warnung", "Dringende Warnung vor ablaufender Frist", 17},
-		{models.EmailTypeAccountSuspended, "Konto suspendiert", "Benachrichtigung über Kontosuspendierung", 18},
-	}
-
-	for _, tt := range templateTypes {
-		// Check if template exists
-		var exists bool
-		err := s.db.QueryRow(ctx, `SELECT EXISTS(SELECT 1 FROM email_templates WHERE type = $1)`, tt.Type).Scan(&exists)
-		if err != nil {
-			return fmt.Errorf("failed to check template existence: %w", err)
-		}
-
-		if !exists {
-			desc := tt.Description
-			_, err = s.db.Exec(ctx, `
-				INSERT INTO email_templates (id, type, name, description, is_active, sort_order, created_at, updated_at)
-				VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
-			`, uuid.New(), tt.Type, tt.Name, &desc, true, tt.SortOrder, time.Now(), time.Now())
-			if err != nil {
-				return fmt.Errorf("failed to create template %s: %w", tt.Type, err)
-			}
-
-			// Create default German version
-			template, err := s.GetTemplateByType(ctx, tt.Type)
-			if err != nil {
-				return fmt.Errorf("failed to get template %s: %w", tt.Type, err)
-			}
-
-			subject, bodyHTML, bodyText := s.GetDefaultTemplateContent(tt.Type, "de")
-			_, err = s.db.Exec(ctx, `
-				INSERT INTO email_template_versions
-				(id, template_id, version, language, subject, body_html, body_text, status, published_at, created_at, updated_at)
-				VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
-			`, uuid.New(), template.ID, "1.0.0", "de", subject, bodyHTML, bodyText, "published", time.Now(), time.Now(), time.Now())
-			if err != nil {
-				return fmt.Errorf("failed to create template version %s: %w", tt.Type, err)
-			}
-		}
-	}
-
-	return nil
-}
-
-// GetSendLogs returns email send logs with optional filtering
-func (s *EmailTemplateService) GetSendLogs(ctx context.Context, limit, offset int) ([]models.EmailSendLog, int, error) {
-	var total int
-	err := s.db.QueryRow(ctx, `SELECT COUNT(*) FROM email_send_logs`).Scan(&total)
-	if err != nil {
-		return nil, 0, fmt.Errorf("failed to count send logs: %w", err)
-	}
-
-	rows, err := s.db.Query(ctx, `
-		SELECT id, user_id, version_id, recipient, subject, status, error_msg, variables, sent_at, delivered_at, created_at
-		FROM email_send_logs
-		ORDER BY created_at DESC
-		LIMIT $1 OFFSET $2
-	`, limit, offset)
-	if err != nil {
-		return nil, 0, fmt.Errorf("failed to get send logs: %w", err)
-	}
-	defer rows.Close()
-
-	var logs []models.EmailSendLog
-	for rows.Next() {
-		var log models.EmailSendLog
-		err := rows.Scan(&log.ID, &log.UserID, &log.VersionID, &log.Recipient, &log.Subject,
-			&log.Status, &log.ErrorMsg, &log.Variables, &log.SentAt, &log.DeliveredAt, &log.CreatedAt)
-		if err != nil {
-			return nil, 0, fmt.Errorf("failed to scan send log: %w", err)
-		}
-		logs = append(logs, log)
-	}
-
-	return logs, total, nil
-}
-
-// SendEmail sends an email using the specified template (stub - actual sending would use SMTP)
-func (s *EmailTemplateService) SendEmail(ctx context.Context, templateType, language, recipient string, variables map[string]string, userID *uuid.UUID) error {
-	// Get published version
-	version, err := s.GetPublishedVersion(ctx, templateType, language)
-	if err != nil {
-		return fmt.Errorf("failed to get published version: %w", err)
-	}
-
-	// Render template
-	rendered, err := s.RenderTemplate(version, variables)
-	if err != nil {
-		return fmt.Errorf("failed to render template: %w", err)
-	}
-
-	// Log the send attempt
-	variablesJSON, _ := json.Marshal(variables)
-	now := time.Now()
-	log := &models.EmailSendLog{
-		ID:        uuid.New(),
-		UserID:    userID,
-		VersionID: version.ID,
-		Recipient: recipient,
-		Subject:   rendered.Subject,
-		Status:    "queued",
-		Variables: ptr(string(variablesJSON)),
-		CreatedAt: now,
-	}
-
-	if err := s.LogEmailSend(ctx, log); err != nil {
-		return fmt.Errorf("failed to log email send: %w", err)
-	}
-
-	// TODO: Actual email sending via SMTP would go here
-	// For now, we just log it as "sent"
-	_, err = s.db.Exec(ctx, `
-		UPDATE email_send_logs SET status = 'sent', sent_at = $1 WHERE id = $2
-	`, now, log.ID)
-	if err != nil {
-		return fmt.Errorf("failed to update send log status: %w", err)
-	}
-
-	return nil
-}
-
-func ptr(s string) *string {
-	return &s
-}
diff --git a/consent-service/internal/services/email_template_settings.go b/consent-service/internal/services/email_template_settings.go
new file mode 100644
index 0000000..f601a9a
--- /dev/null
+++ b/consent-service/internal/services/email_template_settings.go
@@ -0,0 +1,300 @@
+package services
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/models"
+	"github.com/google/uuid"
+)
+
+// GetAllTemplateTypes returns all available email template types with their variables
+func (s *EmailTemplateService) GetAllTemplateTypes() []models.EmailTemplateVariables {
+	return []models.EmailTemplateVariables{
+		{
+			TemplateType: models.EmailTypeWelcome,
+			Variables:    []string{"user_name", "user_email", "login_url", "support_email"},
+			Descriptions: map[string]string{
+				"user_name":     "Name des Benutzers",
+				"user_email":    "E-Mail-Adresse des Benutzers",
+				"login_url":     "URL zur Login-Seite",
+				"support_email": "Support E-Mail-Adresse",
+			},
+		},
+		{
+			TemplateType: models.EmailTypeEmailVerification,
+			Variables:    []string{"user_name", "verification_url", "verification_code", "expires_in"},
+			Descriptions: map[string]string{
+				"user_name":         "Name des Benutzers",
+				"verification_url":  "URL zur E-Mail-Verifizierung",
+				"verification_code": "Verifizierungscode",
+				"expires_in":        "Gültigkeit des Links (z.B. '24 Stunden')",
+			},
+		},
+		{
+			TemplateType: models.EmailTypePasswordReset,
+			Variables:    []string{"user_name", "reset_url", "reset_code", "expires_in", "ip_address"},
+			Descriptions: map[string]string{
+				"user_name":  "Name des Benutzers",
+				"reset_url":  "URL zum Passwort-Reset",
+				"reset_code": "Reset-Code",
+				"expires_in": "Gültigkeit des Links",
+				"ip_address": "IP-Adresse der Anfrage",
+			},
+		},
+		{
+			TemplateType: models.EmailTypePasswordChanged,
+			Variables:    []string{"user_name", "changed_at", "ip_address", "device_info", "support_url"},
+			Descriptions: map[string]string{
+				"user_name":   "Name des Benutzers",
+				"changed_at":  "Zeitpunkt der Änderung",
+				"ip_address":  "IP-Adresse",
+				"device_info": "Geräte-Informationen",
+				"support_url": "URL zum Support",
+			},
+		},
+		{
+			TemplateType: models.EmailType2FAEnabled,
+			Variables:    []string{"user_name", "enabled_at", "device_info", "security_url"},
+			Descriptions: map[string]string{
+				"user_name":    "Name des Benutzers",
+				"enabled_at":   "Zeitpunkt der Aktivierung",
+				"device_info":  "Geräte-Informationen",
+				"security_url": "URL zu Sicherheitseinstellungen",
+			},
+		},
+		{
+			TemplateType: models.EmailType2FADisabled,
+			Variables:    []string{"user_name", "disabled_at", "ip_address", "security_url"},
+			Descriptions: map[string]string{
+				"user_name":    "Name des Benutzers",
+				"disabled_at":  "Zeitpunkt der Deaktivierung",
+				"ip_address":   "IP-Adresse",
+				"security_url": "URL zu Sicherheitseinstellungen",
+			},
+		},
+		{
+			TemplateType: models.EmailTypeNewDeviceLogin,
+			Variables:    []string{"user_name", "login_time", "ip_address", "device_info", "location", "security_url"},
+			Descriptions: map[string]string{
+				"user_name":    "Name des Benutzers",
+				"login_time":   "Zeitpunkt des Logins",
+				"ip_address":   "IP-Adresse",
+				"device_info":  "Geräte-Informationen",
+				"location":     "Ungefährer Standort",
+				"security_url": "URL zu Sicherheitseinstellungen",
+			},
+		},
+		{
+			TemplateType: models.EmailTypeSuspiciousActivity,
+			Variables:    []string{"user_name", "activity_type", "activity_time", "ip_address", "security_url"},
+			Descriptions: map[string]string{
+				"user_name":     "Name des Benutzers",
+				"activity_type": "Art der Aktivität",
+				"activity_time": "Zeitpunkt",
+				"ip_address":    "IP-Adresse",
+				"security_url":  "URL zu Sicherheitseinstellungen",
+			},
+		},
+		{
+			TemplateType: models.EmailTypeAccountLocked,
+			Variables:    []string{"user_name", "locked_at", "reason", "unlock_time", "support_url"},
+			Descriptions: map[string]string{
+				"user_name":   "Name des Benutzers",
+				"locked_at":   "Zeitpunkt der Sperrung",
+				"reason":      "Grund der Sperrung",
+				"unlock_time": "Zeitpunkt der automatischen Entsperrung",
+				"support_url": "URL zum Support",
+			},
+		},
+		{
+			TemplateType: models.EmailTypeAccountUnlocked,
+			Variables:    []string{"user_name", "unlocked_at", "login_url"},
+			Descriptions: map[string]string{
+				"user_name":   "Name des Benutzers",
+				"unlocked_at": "Zeitpunkt der Entsperrung",
+				"login_url":   "URL zur Login-Seite",
+			},
+		},
+		{
+			TemplateType: models.EmailTypeDeletionRequested,
+			Variables:    []string{"user_name", "requested_at", "deletion_date", "cancel_url", "data_info"},
+			Descriptions: map[string]string{
+				"user_name":     "Name des Benutzers",
+				"requested_at":  "Zeitpunkt der Anfrage",
+				"deletion_date": "Datum der endgültigen Löschung",
+				"cancel_url":    "URL zum Abbrechen",
+				"data_info":     "Info über zu löschende Daten",
+			},
+		},
+		{
+			TemplateType: models.EmailTypeDeletionConfirmed,
+			Variables:    []string{"user_name", "deleted_at", "feedback_url"},
+			Descriptions: map[string]string{
+				"user_name":    "Name des Benutzers",
+				"deleted_at":   "Zeitpunkt der Löschung",
+				"feedback_url": "URL für Feedback",
+			},
+		},
+		{
+			TemplateType: models.EmailTypeDataExportReady,
+			Variables:    []string{"user_name", "download_url", "expires_in", "file_size"},
+			Descriptions: map[string]string{
+				"user_name":    "Name des Benutzers",
+				"download_url": "URL zum Download",
+				"expires_in":   "Gültigkeit des Download-Links",
+				"file_size":    "Dateigröße",
+			},
+		},
+		{
+			TemplateType: models.EmailTypeEmailChanged,
+			Variables:    []string{"user_name", "old_email", "new_email", "changed_at", "support_url"},
+			Descriptions: map[string]string{
+				"user_name":   "Name des Benutzers",
+				"old_email":   "Alte E-Mail-Adresse",
+				"new_email":   "Neue E-Mail-Adresse",
+				"changed_at":  "Zeitpunkt der Änderung",
+				"support_url": "URL zum Support",
+			},
+		},
+		{
+			TemplateType: models.EmailTypeEmailChangeVerify,
+			Variables:    []string{"user_name", "new_email", "verification_url", "expires_in"},
+			Descriptions: map[string]string{
+				"user_name":        "Name des Benutzers",
+				"new_email":        "Neue E-Mail-Adresse",
+				"verification_url": "URL zur Verifizierung",
+				"expires_in":       "Gültigkeit des Links",
+			},
+		},
+		{
+			TemplateType: models.EmailTypeNewVersionPublished,
+			Variables:    []string{"user_name", "document_name", "document_type", "version", "consent_url", "deadline"},
+			Descriptions: map[string]string{
+				"user_name":     "Name des Benutzers",
+				"document_name": "Name des Dokuments",
+				"document_type": "Typ des Dokuments",
+				"version":       "Versionsnummer",
+				"consent_url":   "URL zur Zustimmung",
+				"deadline":      "Frist für die Zustimmung",
+			},
+		},
+		{
+			TemplateType: models.EmailTypeConsentReminder,
+			Variables:    []string{"user_name", "document_name", "days_left", "consent_url", "deadline"},
+			Descriptions: map[string]string{
+				"user_name":     "Name des Benutzers",
+				"document_name": "Name des Dokuments",
+				"days_left":     "Verbleibende Tage",
+				"consent_url":   "URL zur Zustimmung",
+				"deadline":      "Frist für die Zustimmung",
+			},
+		},
+		{
+			TemplateType: models.EmailTypeConsentDeadlineWarning,
+			Variables:    []string{"user_name", "document_name", "hours_left", "consent_url", "consequences"},
+			Descriptions: map[string]string{
+				"user_name":     "Name des Benutzers",
+				"document_name": "Name des Dokuments",
+				"hours_left":    "Verbleibende Stunden",
+				"consent_url":   "URL zur Zustimmung",
+				"consequences":  "Konsequenzen bei Nicht-Zustimmung",
+			},
+		},
+		{
+			TemplateType: models.EmailTypeAccountSuspended,
+			Variables:    []string{"user_name", "suspended_at", "reason", "documents", "consent_url"},
+			Descriptions: map[string]string{
+				"user_name":    "Name des Benutzers",
+				"suspended_at": "Zeitpunkt der Suspendierung",
+				"reason":       "Grund der Suspendierung",
+				"documents":    "Liste der fehlenden Zustimmungen",
+				"consent_url":  "URL zur Zustimmung",
+			},
+		},
+	}
+}
+
+// GetSettings returns global email settings
+func (s *EmailTemplateService) GetSettings(ctx context.Context) (*models.EmailTemplateSettings, error) {
+	var settings models.EmailTemplateSettings
+	err := s.db.QueryRow(ctx, `
+		SELECT id, logo_url, logo_base64, company_name, sender_name, sender_email,
+		       reply_to_email, footer_html, footer_text, primary_color, secondary_color,
+		       updated_at, updated_by
+		FROM email_template_settings
+		LIMIT 1
+	`).Scan(&settings.ID, &settings.LogoURL, &settings.LogoBase64, &settings.CompanyName,
+		&settings.SenderName, &settings.SenderEmail, &settings.ReplyToEmail, &settings.FooterHTML,
+		&settings.FooterText, &settings.PrimaryColor, &settings.SecondaryColor,
+		&settings.UpdatedAt, &settings.UpdatedBy)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get email settings: %w", err)
+	}
+	return &settings, nil
+}
+
+// UpdateSettings updates global email settings
+func (s *EmailTemplateService) UpdateSettings(ctx context.Context, req *models.UpdateEmailTemplateSettingsRequest, updatedBy uuid.UUID) error {
+	query := "UPDATE email_template_settings SET updated_at = $1, updated_by = $2"
+	args := []interface{}{time.Now(), updatedBy}
+	argIdx := 3
+
+	if req.LogoURL != nil {
+		query += fmt.Sprintf(", logo_url = $%d", argIdx)
+		args = append(args, *req.LogoURL)
+		argIdx++
+	}
+	if req.LogoBase64 != nil {
+		query += fmt.Sprintf(", logo_base64 = $%d", argIdx)
+		args = append(args, *req.LogoBase64)
+		argIdx++
+	}
+	if req.CompanyName != nil {
+		query += fmt.Sprintf(", company_name = $%d", argIdx)
+		args = append(args, *req.CompanyName)
+		argIdx++
+	}
+	if req.SenderName != nil {
+		query += fmt.Sprintf(", sender_name = $%d", argIdx)
+		args = append(args, *req.SenderName)
+		argIdx++
+	}
+	if req.SenderEmail != nil {
+		query += fmt.Sprintf(", sender_email = $%d", argIdx)
+		args = append(args, *req.SenderEmail)
+		argIdx++
+	}
+	if req.ReplyToEmail != nil {
+		query += fmt.Sprintf(", reply_to_email = $%d", argIdx)
+		args = append(args, *req.ReplyToEmail)
+		argIdx++
+	}
+	if req.FooterHTML != nil {
+		query += fmt.Sprintf(", footer_html = $%d", argIdx)
+		args = append(args, *req.FooterHTML)
+		argIdx++
+	}
+	if req.FooterText != nil {
+		query += fmt.Sprintf(", footer_text = $%d", argIdx)
+		args = append(args, *req.FooterText)
+		argIdx++
+	}
+	if req.PrimaryColor != nil {
+		query += fmt.Sprintf(", primary_color = $%d", argIdx)
+		args = append(args, *req.PrimaryColor)
+		argIdx++
+	}
+	if req.SecondaryColor != nil {
+		query += fmt.Sprintf(", secondary_color = $%d", argIdx)
+		args = append(args, *req.SecondaryColor)
+		argIdx++
+	}
+
+	_, err := s.db.Exec(ctx, query, args...)
+	if err != nil {
+		return fmt.Errorf("failed to update settings: %w", err)
+	}
+	return nil
+}
diff --git a/consent-service/internal/services/grade_service.go b/consent-service/internal/services/grade_service.go
index bd3ff9b..a7da9e8 100644
--- a/consent-service/internal/services/grade_service.go
+++ b/consent-service/internal/services/grade_service.go
@@ -334,210 +334,3 @@ func (s *GradeService) GetClassGradesBySubject(ctx context.Context, classID, sub
 	return overviews, nil
 }
 
-// ========================================
-// Grade Statistics
-// ========================================
-
-// GetStudentGradeAverage calculates the overall grade average for a student
-func (s *GradeService) GetStudentGradeAverage(ctx context.Context, studentID, schoolYearID uuid.UUID, semester int) (float64, error) {
-	query := `
-		SELECT COALESCE(SUM(value * weight) / NULLIF(SUM(weight), 0), 0)
-		FROM grades
-		WHERE student_id = $1 AND school_year_id = $2 AND semester = $3 AND is_visible = true`
-
-	var average float64
-	err := s.db.Pool.QueryRow(ctx, query, studentID, schoolYearID, semester).Scan(&average)
-	if err != nil {
-		return 0, fmt.Errorf("failed to calculate average: %w", err)
-	}
-
-	return average, nil
-}
-
-// GetSubjectGradeStatistics gets grade statistics for a subject in a class
-func (s *GradeService) GetSubjectGradeStatistics(ctx context.Context, classID, subjectID, schoolYearID uuid.UUID, semester int) (map[string]interface{}, error) {
-	query := `
-		SELECT
-			COUNT(DISTINCT g.student_id) as student_count,
-			AVG(g.value) as class_average,
-			MIN(g.value) as best_grade,
-			MAX(g.value) as worst_grade,
-			COUNT(*) as total_grades
-		FROM grades g
-		JOIN students s ON g.student_id = s.id
-		WHERE s.class_id = $1 AND g.subject_id = $2 AND g.school_year_id = $3 AND g.semester = $4 AND g.is_visible = true`
-
-	var studentCount, totalGrades int
-	var classAverage, bestGrade, worstGrade float64
-
-	err := s.db.Pool.QueryRow(ctx, query, classID, subjectID, schoolYearID, semester).Scan(
-		&studentCount, &classAverage, &bestGrade, &worstGrade, &totalGrades,
-	)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get statistics: %w", err)
-	}
-
-	// Grade distribution (for German grades 1-6)
-	distributionQuery := `
-		SELECT
-			COUNT(CASE WHEN value >= 1 AND value < 1.5 THEN 1 END) as grade_1,
-			COUNT(CASE WHEN value >= 1.5 AND value < 2.5 THEN 1 END) as grade_2,
-			COUNT(CASE WHEN value >= 2.5 AND value < 3.5 THEN 1 END) as grade_3,
-			COUNT(CASE WHEN value >= 3.5 AND value < 4.5 THEN 1 END) as grade_4,
-			COUNT(CASE WHEN value >= 4.5 AND value < 5.5 THEN 1 END) as grade_5,
-			COUNT(CASE WHEN value >= 5.5 THEN 1 END) as grade_6
-		FROM grades g
-		JOIN students s ON g.student_id = s.id
-		WHERE s.class_id = $1 AND g.subject_id = $2 AND g.school_year_id = $3 AND g.semester = $4 AND g.is_visible = true AND g.type IN ('exam', 'test')`
-
-	var g1, g2, g3, g4, g5, g6 int
-	err = s.db.Pool.QueryRow(ctx, distributionQuery, classID, subjectID, schoolYearID, semester).Scan(
-		&g1, &g2, &g3, &g4, &g5, &g6,
-	)
-	if err != nil {
-		// Non-fatal, continue without distribution
-		g1, g2, g3, g4, g5, g6 = 0, 0, 0, 0, 0, 0
-	}
-
-	return map[string]interface{}{
-		"student_count": studentCount,
-		"class_average": classAverage,
-		"best_grade":    bestGrade,
-		"worst_grade":   worstGrade,
-		"total_grades":  totalGrades,
-		"distribution": map[string]int{
-			"1": g1,
-			"2": g2,
-			"3": g3,
-			"4": g4,
-			"5": g5,
-			"6": g6,
-		},
-	}, nil
-}
-
-// ========================================
-// Grade Comments
-// ========================================
-
-// AddGradeComment adds a comment to a grade
-func (s *GradeService) AddGradeComment(ctx context.Context, gradeID, teacherID uuid.UUID, comment string, isPrivate bool) (*models.GradeComment, error) {
-	gradeComment := &models.GradeComment{
-		ID:        uuid.New(),
-		GradeID:   gradeID,
-		TeacherID: teacherID,
-		Comment:   comment,
-		IsPrivate: isPrivate,
-		CreatedAt: time.Now(),
-	}
-
-	query := `
-		INSERT INTO grade_comments (id, grade_id, teacher_id, comment, is_private, created_at)
-		VALUES ($1, $2, $3, $4, $5, $6)
-		RETURNING id`
-
-	err := s.db.Pool.QueryRow(ctx, query,
-		gradeComment.ID, gradeComment.GradeID, gradeComment.TeacherID,
-		gradeComment.Comment, gradeComment.IsPrivate, gradeComment.CreatedAt,
-	).Scan(&gradeComment.ID)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to add grade comment: %w", err)
-	}
-
-	return gradeComment, nil
-}
-
-// GetGradeComments gets comments for a grade
-func (s *GradeService) GetGradeComments(ctx context.Context, gradeID uuid.UUID, includePrivate bool) ([]models.GradeComment, error) {
-	query := `
-		SELECT id, grade_id, teacher_id, comment, is_private, created_at
-		FROM grade_comments
-		WHERE grade_id = $1`
-
-	if !includePrivate {
-		query += ` AND is_private = false`
-	}
-
-	query += ` ORDER BY created_at DESC`
-
-	rows, err := s.db.Pool.Query(ctx, query, gradeID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get grade comments: %w", err)
-	}
-	defer rows.Close()
-
-	var comments []models.GradeComment
-	for rows.Next() {
-		var comment models.GradeComment
-		err := rows.Scan(
-			&comment.ID, &comment.GradeID, &comment.TeacherID,
-			&comment.Comment, &comment.IsPrivate, &comment.CreatedAt,
-		)
-		if err != nil {
-			return nil, fmt.Errorf("failed to scan grade comment: %w", err)
-		}
-		comments = append(comments, comment)
-	}
-
-	return comments, nil
-}
-
-// ========================================
-// Parent Notifications
-// ========================================
-
-func (s *GradeService) notifyParentsOfNewGrade(ctx context.Context, grade *models.Grade) {
-	if s.matrix == nil {
-		return
-	}
-
-	// Get student info and Matrix room
-	var studentFirstName, studentLastName, matrixDMRoom string
-	err := s.db.Pool.QueryRow(ctx, `
-		SELECT first_name, last_name, matrix_dm_room
-		FROM students
-		WHERE id = $1`, grade.StudentID).Scan(&studentFirstName, &studentLastName, &matrixDMRoom)
-	if err != nil || matrixDMRoom == "" {
-		return
-	}
-
-	// Get subject name
-	var subjectName string
-	err = s.db.Pool.QueryRow(ctx, `SELECT name FROM subjects WHERE id = $1`, grade.SubjectID).Scan(&subjectName)
-	if err != nil {
-		return
-	}
-
-	studentName := studentFirstName + " " + studentLastName
-	gradeType := s.getGradeTypeDisplayName(grade.Type)
-
-	// Send Matrix notification
-	err = s.matrix.SendGradeNotification(ctx, matrixDMRoom, studentName, subjectName, gradeType, grade.Value)
-	if err != nil {
-		fmt.Printf("Failed to send grade notification: %v\n", err)
-	}
-}
-
-func (s *GradeService) getGradeTypeDisplayName(gradeType string) string {
-	switch gradeType {
-	case models.GradeTypeExam:
-		return "Klassenarbeit"
-	case models.GradeTypeTest:
-		return "Test"
-	case models.GradeTypeOral:
-		return "Mündliche Note"
-	case models.GradeTypeHomework:
-		return "Hausaufgabe"
-	case models.GradeTypeProject:
-		return "Projekt"
-	case models.GradeTypeParticipation:
-		return "Mitarbeit"
-	case models.GradeTypeSemester:
-		return "Halbjahreszeugnis"
-	case models.GradeTypeFinal:
-		return "Zeugnisnote"
-	default:
-		return gradeType
-	}
-}
diff --git a/consent-service/internal/services/grade_service_ops.go b/consent-service/internal/services/grade_service_ops.go
new file mode 100644
index 0000000..a962b96
--- /dev/null
+++ b/consent-service/internal/services/grade_service_ops.go
@@ -0,0 +1,219 @@
+package services
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/models"
+
+	"github.com/google/uuid"
+)
+
+// ========================================
+// Grade Statistics
+// ========================================
+
+// GetStudentGradeAverage calculates the overall grade average for a student
+func (s *GradeService) GetStudentGradeAverage(ctx context.Context, studentID, schoolYearID uuid.UUID, semester int) (float64, error) {
+	query := `
+		SELECT COALESCE(SUM(value * weight) / NULLIF(SUM(weight), 0), 0)
+		FROM grades
+		WHERE student_id = $1 AND school_year_id = $2 AND semester = $3 AND is_visible = true`
+
+	var average float64
+	err := s.db.Pool.QueryRow(ctx, query, studentID, schoolYearID, semester).Scan(&average)
+	if err != nil {
+		return 0, fmt.Errorf("failed to calculate average: %w", err)
+	}
+
+	return average, nil
+}
+
+// GetSubjectGradeStatistics gets grade statistics for a subject in a class
+func (s *GradeService) GetSubjectGradeStatistics(ctx context.Context, classID, subjectID, schoolYearID uuid.UUID, semester int) (map[string]interface{}, error) {
+	query := `
+		SELECT
+			COUNT(DISTINCT g.student_id) as student_count,
+			AVG(g.value) as class_average,
+			MIN(g.value) as best_grade,
+			MAX(g.value) as worst_grade,
+			COUNT(*) as total_grades
+		FROM grades g
+		JOIN students s ON g.student_id = s.id
+		WHERE s.class_id = $1 AND g.subject_id = $2 AND g.school_year_id = $3 AND g.semester = $4 AND g.is_visible = true`
+
+	var studentCount, totalGrades int
+	var classAverage, bestGrade, worstGrade float64
+
+	err := s.db.Pool.QueryRow(ctx, query, classID, subjectID, schoolYearID, semester).Scan(
+		&studentCount, &classAverage, &bestGrade, &worstGrade, &totalGrades,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get statistics: %w", err)
+	}
+
+	// Grade distribution (for German grades 1-6)
+	distributionQuery := `
+		SELECT
+			COUNT(CASE WHEN value >= 1 AND value < 1.5 THEN 1 END) as grade_1,
+			COUNT(CASE WHEN value >= 1.5 AND value < 2.5 THEN 1 END) as grade_2,
+			COUNT(CASE WHEN value >= 2.5 AND value < 3.5 THEN 1 END) as grade_3,
+			COUNT(CASE WHEN value >= 3.5 AND value < 4.5 THEN 1 END) as grade_4,
+			COUNT(CASE WHEN value >= 4.5 AND value < 5.5 THEN 1 END) as grade_5,
+			COUNT(CASE WHEN value >= 5.5 THEN 1 END) as grade_6
+		FROM grades g
+		JOIN students s ON g.student_id = s.id
+		WHERE s.class_id = $1 AND g.subject_id = $2 AND g.school_year_id = $3 AND g.semester = $4 AND g.is_visible = true AND g.type IN ('exam', 'test')`
+
+	var g1, g2, g3, g4, g5, g6 int
+	err = s.db.Pool.QueryRow(ctx, distributionQuery, classID, subjectID, schoolYearID, semester).Scan(
+		&g1, &g2, &g3, &g4, &g5, &g6,
+	)
+	if err != nil {
+		// Non-fatal, continue without distribution
+		g1, g2, g3, g4, g5, g6 = 0, 0, 0, 0, 0, 0
+	}
+
+	return map[string]interface{}{
+		"student_count": studentCount,
+		"class_average": classAverage,
+		"best_grade":    bestGrade,
+		"worst_grade":   worstGrade,
+		"total_grades":  totalGrades,
+		"distribution": map[string]int{
+			"1": g1,
+			"2": g2,
+			"3": g3,
+			"4": g4,
+			"5": g5,
+			"6": g6,
+		},
+	}, nil
+}
+
+// ========================================
+// Grade Comments
+// ========================================
+
+// AddGradeComment adds a comment to a grade
+func (s *GradeService) AddGradeComment(ctx context.Context, gradeID, teacherID uuid.UUID, comment string, isPrivate bool) (*models.GradeComment, error) {
+	gradeComment := &models.GradeComment{
+		ID:        uuid.New(),
+		GradeID:   gradeID,
+		TeacherID: teacherID,
+		Comment:   comment,
+		IsPrivate: isPrivate,
+		CreatedAt: time.Now(),
+	}
+
+	query := `
+		INSERT INTO grade_comments (id, grade_id, teacher_id, comment, is_private, created_at)
+		VALUES ($1, $2, $3, $4, $5, $6)
+		RETURNING id`
+
+	err := s.db.Pool.QueryRow(ctx, query,
+		gradeComment.ID, gradeComment.GradeID, gradeComment.TeacherID,
+		gradeComment.Comment, gradeComment.IsPrivate, gradeComment.CreatedAt,
+	).Scan(&gradeComment.ID)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to add grade comment: %w", err)
+	}
+
+	return gradeComment, nil
+}
+
+// GetGradeComments gets comments for a grade
+func (s *GradeService) GetGradeComments(ctx context.Context, gradeID uuid.UUID, includePrivate bool) ([]models.GradeComment, error) {
+	query := `
+		SELECT id, grade_id, teacher_id, comment, is_private, created_at
+		FROM grade_comments
+		WHERE grade_id = $1`
+
+	if !includePrivate {
+		query += ` AND is_private = false`
+	}
+
+	query += ` ORDER BY created_at DESC`
+
+	rows, err := s.db.Pool.Query(ctx, query, gradeID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get grade comments: %w", err)
+	}
+	defer rows.Close()
+
+	var comments []models.GradeComment
+	for rows.Next() {
+		var comment models.GradeComment
+		err := rows.Scan(
+			&comment.ID, &comment.GradeID, &comment.TeacherID,
+			&comment.Comment, &comment.IsPrivate, &comment.CreatedAt,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed to scan grade comment: %w", err)
+		}
+		comments = append(comments, comment)
+	}
+
+	return comments, nil
+}
+
+// ========================================
+// Parent Notifications
+// ========================================
+
+func (s *GradeService) notifyParentsOfNewGrade(ctx context.Context, grade *models.Grade) {
+	if s.matrix == nil {
+		return
+	}
+
+	// Get student info and Matrix room
+	var studentFirstName, studentLastName, matrixDMRoom string
+	err := s.db.Pool.QueryRow(ctx, `
+		SELECT first_name, last_name, matrix_dm_room
+		FROM students
+		WHERE id = $1`, grade.StudentID).Scan(&studentFirstName, &studentLastName, &matrixDMRoom)
+	if err != nil || matrixDMRoom == "" {
+		return
+	}
+
+	// Get subject name
+	var subjectName string
+	err = s.db.Pool.QueryRow(ctx, `SELECT name FROM subjects WHERE id = $1`, grade.SubjectID).Scan(&subjectName)
+	if err != nil {
+		return
+	}
+
+	studentName := studentFirstName + " " + studentLastName
+	gradeType := s.getGradeTypeDisplayName(grade.Type)
+
+	// Send Matrix notification
+	err = s.matrix.SendGradeNotification(ctx, matrixDMRoom, studentName, subjectName, gradeType, grade.Value)
+	if err != nil {
+		fmt.Printf("Failed to send grade notification: %v\n", err)
+	}
+}
+
+func (s *GradeService) getGradeTypeDisplayName(gradeType string) string {
+	switch gradeType {
+	case models.GradeTypeExam:
+		return "Klassenarbeit"
+	case models.GradeTypeTest:
+		return "Test"
+	case models.GradeTypeOral:
+		return "Mündliche Note"
+	case models.GradeTypeHomework:
+		return "Hausaufgabe"
+	case models.GradeTypeProject:
+		return "Projekt"
+	case models.GradeTypeParticipation:
+		return "Mitarbeit"
+	case models.GradeTypeSemester:
+		return "Halbjahreszeugnis"
+	case models.GradeTypeFinal:
+		return "Zeugnisnote"
+	default:
+		return gradeType
+	}
+}
diff --git a/consent-service/internal/services/jitsi/jitsi_service.go b/consent-service/internal/services/jitsi/jitsi_service.go
index e82fea9..f6071db 100644
--- a/consent-service/internal/services/jitsi/jitsi_service.go
+++ b/consent-service/internal/services/jitsi/jitsi_service.go
@@ -2,17 +2,10 @@ package jitsi
 
 import (
 	"context"
-	"crypto/hmac"
-	"crypto/sha256"
-	"encoding/base64"
-	"encoding/json"
 	"fmt"
 	"net/http"
-	"net/url"
 	"strings"
 	"time"
-
-	"github.com/google/uuid"
 )
 
 // JitsiService handles Jitsi Meet integration for video conferences
@@ -292,275 +285,3 @@ func (s *JitsiService) CreateClassMeeting(ctx context.Context, className string,
 	return s.CreateMeetingLink(ctx, meeting)
 }
 
-// ========================================
-// JWT Generation
-// ========================================
-
-// generateJWT creates a signed JWT for Jitsi authentication
-func (s *JitsiService) generateJWT(meeting Meeting, roomName string) (string, *time.Time, error) {
-	if s.appSecret == "" {
-		return "", nil, fmt.Errorf("app secret not configured")
-	}
-
-	now := time.Now()
-
-	// Default expiration: 24 hours or based on meeting duration
-	expiration := now.Add(24 * time.Hour)
-	if meeting.Duration > 0 {
-		expiration = now.Add(time.Duration(meeting.Duration+30) * time.Minute)
-	}
-	if meeting.StartTime != nil {
-		expiration = meeting.StartTime.Add(time.Duration(meeting.Duration+60) * time.Minute)
-	}
-
-	claims := JWTClaims{
-		Audience:  "jitsi",
-		Issuer:    s.appID,
-		Subject:   "meet.jitsi",
-		Room:      roomName,
-		ExpiresAt: expiration.Unix(),
-		NotBefore: now.Add(-5 * time.Minute).Unix(), // 5 min grace period
-		Moderator: meeting.Moderator,
-		Context: &JWTContext{
-			User: &JWTUser{
-				ID:        uuid.New().String(),
-				Name:      meeting.DisplayName,
-				Email:     meeting.Email,
-				Avatar:    meeting.Avatar,
-				Moderator: meeting.Moderator,
-			},
-		},
-	}
-
-	// Add features if specified
-	if meeting.Features != nil {
-		claims.Features = &JWTFeatures{
-			Recording:     boolToString(meeting.Features.Recording),
-			Livestreaming: boolToString(meeting.Features.Livestreaming),
-			Transcription: boolToString(meeting.Features.Transcription),
-			OutboundCall:  boolToString(meeting.Features.OutboundCall),
-		}
-	}
-
-	// Create JWT
-	token, err := s.signJWT(claims)
-	if err != nil {
-		return "", nil, err
-	}
-
-	return token, &expiration, nil
-}
-
-// signJWT creates and signs a JWT token
-func (s *JitsiService) signJWT(claims JWTClaims) (string, error) {
-	// Header
-	header := map[string]string{
-		"alg": "HS256",
-		"typ": "JWT",
-	}
-
-	headerJSON, err := json.Marshal(header)
-	if err != nil {
-		return "", err
-	}
-
-	// Payload
-	payloadJSON, err := json.Marshal(claims)
-	if err != nil {
-		return "", err
-	}
-
-	// Encode
-	headerB64 := base64.RawURLEncoding.EncodeToString(headerJSON)
-	payloadB64 := base64.RawURLEncoding.EncodeToString(payloadJSON)
-
-	// Sign
-	message := headerB64 + "." + payloadB64
-	h := hmac.New(sha256.New, []byte(s.appSecret))
-	h.Write([]byte(message))
-	signature := base64.RawURLEncoding.EncodeToString(h.Sum(nil))
-
-	return message + "." + signature, nil
-}
-
-// ========================================
-// Health Check
-// ========================================
-
-// HealthCheck verifies the Jitsi server is accessible
-func (s *JitsiService) HealthCheck(ctx context.Context) error {
-	req, err := http.NewRequestWithContext(ctx, "GET", s.baseURL, nil)
-	if err != nil {
-		return fmt.Errorf("failed to create request: %w", err)
-	}
-
-	resp, err := s.httpClient.Do(req)
-	if err != nil {
-		return fmt.Errorf("jitsi server unreachable: %w", err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode >= 500 {
-		return fmt.Errorf("jitsi server error: status %d", resp.StatusCode)
-	}
-
-	return nil
-}
-
-// GetServerInfo returns information about the Jitsi server
-func (s *JitsiService) GetServerInfo() map[string]string {
-	return map[string]string{
-		"base_url":       s.baseURL,
-		"app_id":         s.appID,
-		"auth_enabled":   boolToString(s.appSecret != ""),
-	}
-}
-
-// ========================================
-// URL Building
-// ========================================
-
-// BuildEmbedURL creates an embeddable iframe URL
-func (s *JitsiService) BuildEmbedURL(roomName string, displayName string, config *MeetingConfig) string {
-	params := url.Values{}
-
-	if displayName != "" {
-		params.Set("userInfo.displayName", displayName)
-	}
-
-	if config != nil {
-		if config.StartWithAudioMuted {
-			params.Set("config.startWithAudioMuted", "true")
-		}
-		if config.StartWithVideoMuted {
-			params.Set("config.startWithVideoMuted", "true")
-		}
-		if config.DisableDeepLinking {
-			params.Set("config.disableDeepLinking", "true")
-		}
-	}
-
-	embedURL := fmt.Sprintf("%s/%s", s.baseURL, s.sanitizeRoomName(roomName))
-	if len(params) > 0 {
-		embedURL += "#" + params.Encode()
-	}
-
-	return embedURL
-}
-
-// BuildIFrameCode generates HTML iframe code for embedding
-func (s *JitsiService) BuildIFrameCode(roomName string, width int, height int) string {
-	if width == 0 {
-		width = 800
-	}
-	if height == 0 {
-		height = 600
-	}
-
-	return fmt.Sprintf(
-		`<iframe src="%s/%s" width="%d" height="%d" allow="camera; microphone; fullscreen; display-capture; autoplay" style="border: 0;"></iframe>`,
-		s.baseURL,
-		s.sanitizeRoomName(roomName),
-		width,
-		height,
-	)
-}
-
-// ========================================
-// Helper Functions
-// ========================================
-
-// generateRoomName creates a unique room name
-func (s *JitsiService) generateRoomName() string {
-	return fmt.Sprintf("breakpilot-%s", uuid.New().String()[:8])
-}
-
-// generateTrainingRoomName creates a room name for training sessions
-func (s *JitsiService) generateTrainingRoomName(title string) string {
-	sanitized := s.sanitizeRoomName(title)
-	if sanitized == "" {
-		sanitized = "schulung"
-	}
-	return fmt.Sprintf("%s-%s", sanitized, time.Now().Format("20060102-1504"))
-}
-
-// sanitizeRoomName removes invalid characters from room names
-func (s *JitsiService) sanitizeRoomName(name string) string {
-	// Replace spaces and special characters
-	result := strings.ToLower(name)
-	result = strings.ReplaceAll(result, " ", "-")
-	result = strings.ReplaceAll(result, "ä", "ae")
-	result = strings.ReplaceAll(result, "ö", "oe")
-	result = strings.ReplaceAll(result, "ü", "ue")
-	result = strings.ReplaceAll(result, "ß", "ss")
-
-	// Remove any remaining non-alphanumeric characters except hyphen
-	var cleaned strings.Builder
-	for _, r := range result {
-		if (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') || r == '-' {
-			cleaned.WriteRune(r)
-		}
-	}
-
-	// Remove consecutive hyphens
-	result = cleaned.String()
-	for strings.Contains(result, "--") {
-		result = strings.ReplaceAll(result, "--", "-")
-	}
-
-	// Trim hyphens from start and end
-	result = strings.Trim(result, "-")
-
-	// Limit length
-	if len(result) > 50 {
-		result = result[:50]
-	}
-
-	return result
-}
-
-// generatePassword creates a random meeting password
-func (s *JitsiService) generatePassword() string {
-	return uuid.New().String()[:8]
-}
-
-// buildConfigParams creates URL parameters from config
-func (s *JitsiService) buildConfigParams(config *MeetingConfig) string {
-	params := url.Values{}
-
-	if config.StartWithAudioMuted {
-		params.Set("config.startWithAudioMuted", "true")
-	}
-	if config.StartWithVideoMuted {
-		params.Set("config.startWithVideoMuted", "true")
-	}
-	if config.DisableDeepLinking {
-		params.Set("config.disableDeepLinking", "true")
-	}
-	if config.RequireDisplayName {
-		params.Set("config.requireDisplayName", "true")
-	}
-	if config.EnableLobby {
-		params.Set("config.enableLobby", "true")
-	}
-
-	return params.Encode()
-}
-
-// boolToString converts bool to "true"/"false" string
-func boolToString(b bool) string {
-	if b {
-		return "true"
-	}
-	return "false"
-}
-
-// GetBaseURL returns the configured base URL
-func (s *JitsiService) GetBaseURL() string {
-	return s.baseURL
-}
-
-// IsAuthEnabled returns whether JWT authentication is configured
-func (s *JitsiService) IsAuthEnabled() bool {
-	return s.appSecret != ""
-}
diff --git a/consent-service/internal/services/jitsi/jitsi_service_helpers.go b/consent-service/internal/services/jitsi/jitsi_service_helpers.go
new file mode 100644
index 0000000..d295c5f
--- /dev/null
+++ b/consent-service/internal/services/jitsi/jitsi_service_helpers.go
@@ -0,0 +1,290 @@
+package jitsi
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"crypto/hmac"
+	"crypto/sha256"
+
+	"github.com/google/uuid"
+)
+
+// ========================================
+// JWT Generation
+// ========================================
+
+// generateJWT creates a signed JWT for Jitsi authentication
+func (s *JitsiService) generateJWT(meeting Meeting, roomName string) (string, *time.Time, error) {
+	if s.appSecret == "" {
+		return "", nil, fmt.Errorf("app secret not configured")
+	}
+
+	now := time.Now()
+
+	// Default expiration: 24 hours or based on meeting duration
+	expiration := now.Add(24 * time.Hour)
+	if meeting.Duration > 0 {
+		expiration = now.Add(time.Duration(meeting.Duration+30) * time.Minute)
+	}
+	if meeting.StartTime != nil {
+		expiration = meeting.StartTime.Add(time.Duration(meeting.Duration+60) * time.Minute)
+	}
+
+	claims := JWTClaims{
+		Audience:  "jitsi",
+		Issuer:    s.appID,
+		Subject:   "meet.jitsi",
+		Room:      roomName,
+		ExpiresAt: expiration.Unix(),
+		NotBefore: now.Add(-5 * time.Minute).Unix(), // 5 min grace period
+		Moderator: meeting.Moderator,
+		Context: &JWTContext{
+			User: &JWTUser{
+				ID:        uuid.New().String(),
+				Name:      meeting.DisplayName,
+				Email:     meeting.Email,
+				Avatar:    meeting.Avatar,
+				Moderator: meeting.Moderator,
+			},
+		},
+	}
+
+	// Add features if specified
+	if meeting.Features != nil {
+		claims.Features = &JWTFeatures{
+			Recording:     boolToString(meeting.Features.Recording),
+			Livestreaming: boolToString(meeting.Features.Livestreaming),
+			Transcription: boolToString(meeting.Features.Transcription),
+			OutboundCall:  boolToString(meeting.Features.OutboundCall),
+		}
+	}
+
+	// Create JWT
+	token, err := s.signJWT(claims)
+	if err != nil {
+		return "", nil, err
+	}
+
+	return token, &expiration, nil
+}
+
+// signJWT creates and signs a JWT token
+func (s *JitsiService) signJWT(claims JWTClaims) (string, error) {
+	// Header
+	header := map[string]string{
+		"alg": "HS256",
+		"typ": "JWT",
+	}
+
+	headerJSON, err := json.Marshal(header)
+	if err != nil {
+		return "", err
+	}
+
+	// Payload
+	payloadJSON, err := json.Marshal(claims)
+	if err != nil {
+		return "", err
+	}
+
+	// Encode
+	headerB64 := base64.RawURLEncoding.EncodeToString(headerJSON)
+	payloadB64 := base64.RawURLEncoding.EncodeToString(payloadJSON)
+
+	// Sign
+	message := headerB64 + "." + payloadB64
+	h := hmac.New(sha256.New, []byte(s.appSecret))
+	h.Write([]byte(message))
+	signature := base64.RawURLEncoding.EncodeToString(h.Sum(nil))
+
+	return message + "." + signature, nil
+}
+
+// ========================================
+// Health Check
+// ========================================
+
+// HealthCheck verifies the Jitsi server is accessible
+func (s *JitsiService) HealthCheck(ctx context.Context) error {
+	req, err := http.NewRequestWithContext(ctx, "GET", s.baseURL, nil)
+	if err != nil {
+		return fmt.Errorf("failed to create request: %w", err)
+	}
+
+	resp, err := s.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("jitsi server unreachable: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode >= 500 {
+		return fmt.Errorf("jitsi server error: status %d", resp.StatusCode)
+	}
+
+	return nil
+}
+
+// GetServerInfo returns information about the Jitsi server
+func (s *JitsiService) GetServerInfo() map[string]string {
+	return map[string]string{
+		"base_url":     s.baseURL,
+		"app_id":       s.appID,
+		"auth_enabled": boolToString(s.appSecret != ""),
+	}
+}
+
+// ========================================
+// URL Building
+// ========================================
+
+// BuildEmbedURL creates an embeddable iframe URL
+func (s *JitsiService) BuildEmbedURL(roomName string, displayName string, config *MeetingConfig) string {
+	params := url.Values{}
+
+	if displayName != "" {
+		params.Set("userInfo.displayName", displayName)
+	}
+
+	if config != nil {
+		if config.StartWithAudioMuted {
+			params.Set("config.startWithAudioMuted", "true")
+		}
+		if config.StartWithVideoMuted {
+			params.Set("config.startWithVideoMuted", "true")
+		}
+		if config.DisableDeepLinking {
+			params.Set("config.disableDeepLinking", "true")
+		}
+	}
+
+	embedURL := fmt.Sprintf("%s/%s", s.baseURL, s.sanitizeRoomName(roomName))
+	if len(params) > 0 {
+		embedURL += "#" + params.Encode()
+	}
+
+	return embedURL
+}
+
+// BuildIFrameCode generates HTML iframe code for embedding
+func (s *JitsiService) BuildIFrameCode(roomName string, width int, height int) string {
+	if width == 0 {
+		width = 800
+	}
+	if height == 0 {
+		height = 600
+	}
+
+	return fmt.Sprintf(
+		`<iframe src="%s/%s" width="%d" height="%d" allow="camera; microphone; fullscreen; display-capture; autoplay" style="border: 0;"></iframe>`,
+		s.baseURL,
+		s.sanitizeRoomName(roomName),
+		width,
+		height,
+	)
+}
+
+// ========================================
+// Helper Functions
+// ========================================
+
+// generateRoomName creates a unique room name
+func (s *JitsiService) generateRoomName() string {
+	return fmt.Sprintf("breakpilot-%s", uuid.New().String()[:8])
+}
+
+// generateTrainingRoomName creates a room name for training sessions
+func (s *JitsiService) generateTrainingRoomName(title string) string {
+	sanitized := s.sanitizeRoomName(title)
+	if sanitized == "" {
+		sanitized = "schulung"
+	}
+	return fmt.Sprintf("%s-%s", sanitized, time.Now().Format("20060102-1504"))
+}
+
+// sanitizeRoomName removes invalid characters from room names
+func (s *JitsiService) sanitizeRoomName(name string) string {
+	// Replace spaces and special characters
+	result := strings.ToLower(name)
+	result = strings.ReplaceAll(result, " ", "-")
+	result = strings.ReplaceAll(result, "ä", "ae")
+	result = strings.ReplaceAll(result, "ö", "oe")
+	result = strings.ReplaceAll(result, "ü", "ue")
+	result = strings.ReplaceAll(result, "ß", "ss")
+
+	// Remove any remaining non-alphanumeric characters except hyphen
+	var cleaned strings.Builder
+	for _, r := range result {
+		if (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') || r == '-' {
+			cleaned.WriteRune(r)
+		}
+	}
+
+	// Remove consecutive hyphens
+	result = cleaned.String()
+	for strings.Contains(result, "--") {
+		result = strings.ReplaceAll(result, "--", "-")
+	}
+
+	// Trim hyphens from start and end
+	result = strings.Trim(result, "-")
+
+	// Limit length
+	if len(result) > 50 {
+		result = result[:50]
+	}
+
+	return result
+}
+
+// generatePassword creates a random meeting password
+func (s *JitsiService) generatePassword() string {
+	return uuid.New().String()[:8]
+}
+
+// buildConfigParams creates URL parameters from config
+func (s *JitsiService) buildConfigParams(config *MeetingConfig) string {
+	params := url.Values{}
+
+	if config.StartWithAudioMuted {
+		params.Set("config.startWithAudioMuted", "true")
+	}
+	if config.StartWithVideoMuted {
+		params.Set("config.startWithVideoMuted", "true")
+	}
+	if config.DisableDeepLinking {
+		params.Set("config.disableDeepLinking", "true")
+	}
+	if config.RequireDisplayName {
+		params.Set("config.requireDisplayName", "true")
+	}
+	if config.EnableLobby {
+		params.Set("config.enableLobby", "true")
+	}
+
+	return params.Encode()
+}
+
+// boolToString converts bool to "true"/"false" string
+func boolToString(b bool) string {
+	if b {
+		return "true"
+	}
+	return "false"
+}
+
+// GetBaseURL returns the configured base URL
+func (s *JitsiService) GetBaseURL() string {
+	return s.baseURL
+}
+
+// IsAuthEnabled returns whether JWT authentication is configured
+func (s *JitsiService) IsAuthEnabled() bool {
+	return s.appSecret != ""
+}
diff --git a/consent-service/internal/services/matrix/matrix_service.go b/consent-service/internal/services/matrix/matrix_service.go
index 9295cb1..c2ef8f8 100644
--- a/consent-service/internal/services/matrix/matrix_service.go
+++ b/consent-service/internal/services/matrix/matrix_service.go
@@ -1,11 +1,9 @@
 package matrix
 
 import (
-	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
-	"io"
 	"net/http"
 	"net/url"
 	"time"
@@ -392,157 +390,3 @@ func (s *MatrixService) SetUserPowerLevel(ctx context.Context, roomID string, us
 	return nil
 }
 
-// ========================================
-// Messaging
-// ========================================
-
-// SendMessage sends a text message to a room
-func (s *MatrixService) SendMessage(ctx context.Context, roomID string, message string) error {
-	req := SendMessageRequest{
-		MsgType: "m.text",
-		Body:    message,
-	}
-
-	return s.sendEvent(ctx, roomID, "m.room.message", req)
-}
-
-// SendHTMLMessage sends an HTML-formatted message to a room
-func (s *MatrixService) SendHTMLMessage(ctx context.Context, roomID string, plainText string, htmlBody string) error {
-	req := SendMessageRequest{
-		MsgType:       "m.text",
-		Body:          plainText,
-		Format:        "org.matrix.custom.html",
-		FormattedBody: htmlBody,
-	}
-
-	return s.sendEvent(ctx, roomID, "m.room.message", req)
-}
-
-// SendAbsenceNotification sends an absence notification to parents
-func (s *MatrixService) SendAbsenceNotification(ctx context.Context, roomID string, studentName string, date string, lessonNumber int) error {
-	plainText := fmt.Sprintf("⚠️ Abwesenheitsmeldung\n\nIhr Kind %s war heute (%s) in der %d. Stunde nicht im Unterricht anwesend.\n\nBitte bestätigen Sie den Grund der Abwesenheit.", studentName, date, lessonNumber)
-
-	htmlBody := fmt.Sprintf(`<h3>⚠️ Abwesenheitsmeldung</h3>
-<p>Ihr Kind <strong>%s</strong> war heute (%s) in der <strong>%d. Stunde</strong> nicht im Unterricht anwesend.</p>
-<p>Bitte bestätigen Sie den Grund der Abwesenheit.</p>
-<ul>
-<li>✅ Entschuldigt (Krankheit)</li>
-<li>📋 Arztbesuch</li>
-<li>❓ Sonstiges (bitte erläutern)</li>
-</ul>`, studentName, date, lessonNumber)
-
-	return s.SendHTMLMessage(ctx, roomID, plainText, htmlBody)
-}
-
-// SendGradeNotification sends a grade notification to parents
-func (s *MatrixService) SendGradeNotification(ctx context.Context, roomID string, studentName string, subject string, gradeType string, grade float64) error {
-	plainText := fmt.Sprintf("📊 Neue Note eingetragen\n\nFür %s wurde eine neue Note eingetragen:\n\nFach: %s\nArt: %s\nNote: %.1f", studentName, subject, gradeType, grade)
-
-	htmlBody := fmt.Sprintf(`<h3>📊 Neue Note eingetragen</h3>
-<p>Für <strong>%s</strong> wurde eine neue Note eingetragen:</p>
-<table>
-<tr><td>Fach:</td><td><strong>%s</strong></td></tr>
-<tr><td>Art:</td><td>%s</td></tr>
-<tr><td>Note:</td><td><strong>%.1f</strong></td></tr>
-</table>`, studentName, subject, gradeType, grade)
-
-	return s.SendHTMLMessage(ctx, roomID, plainText, htmlBody)
-}
-
-// SendClassAnnouncement sends an announcement to a class info room
-func (s *MatrixService) SendClassAnnouncement(ctx context.Context, roomID string, title string, content string, teacherName string) error {
-	plainText := fmt.Sprintf("📢 %s\n\n%s\n\n— %s", title, content, teacherName)
-
-	htmlBody := fmt.Sprintf(`<h3>📢 %s</h3>
-<p>%s</p>
-<p><em>— %s</em></p>`, title, content, teacherName)
-
-	return s.SendHTMLMessage(ctx, roomID, plainText, htmlBody)
-}
-
-// ========================================
-// Internal Helpers
-// ========================================
-
-func (s *MatrixService) sendEvent(ctx context.Context, roomID string, eventType string, content interface{}) error {
-	body, err := json.Marshal(content)
-	if err != nil {
-		return fmt.Errorf("failed to marshal content: %w", err)
-	}
-
-	txnID := uuid.New().String()
-	endpoint := fmt.Sprintf("/_matrix/client/v3/rooms/%s/send/%s/%s",
-		url.PathEscape(roomID), url.PathEscape(eventType), txnID)
-
-	resp, err := s.doRequest(ctx, "PUT", endpoint, body)
-	if err != nil {
-		return fmt.Errorf("failed to send event: %w", err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return s.parseError(resp)
-	}
-
-	return nil
-}
-
-func (s *MatrixService) doRequest(ctx context.Context, method string, endpoint string, body []byte) (*http.Response, error) {
-	fullURL := s.homeserverURL + endpoint
-
-	var bodyReader io.Reader
-	if body != nil {
-		bodyReader = bytes.NewReader(body)
-	}
-
-	req, err := http.NewRequestWithContext(ctx, method, fullURL, bodyReader)
-	if err != nil {
-		return nil, err
-	}
-
-	req.Header.Set("Authorization", "Bearer "+s.accessToken)
-	req.Header.Set("Content-Type", "application/json")
-
-	return s.httpClient.Do(req)
-}
-
-func (s *MatrixService) parseError(resp *http.Response) error {
-	body, _ := io.ReadAll(resp.Body)
-	var errResp struct {
-		ErrCode string `json:"errcode"`
-		Error   string `json:"error"`
-	}
-	if err := json.Unmarshal(body, &errResp); err != nil {
-		return fmt.Errorf("request failed with status %d: %s", resp.StatusCode, string(body))
-	}
-	return fmt.Errorf("matrix error %s: %s", errResp.ErrCode, errResp.Error)
-}
-
-// ========================================
-// Health Check
-// ========================================
-
-// HealthCheck checks if the Matrix server is reachable
-func (s *MatrixService) HealthCheck(ctx context.Context) error {
-	resp, err := s.doRequest(ctx, "GET", "/_matrix/client/versions", nil)
-	if err != nil {
-		return fmt.Errorf("matrix server unreachable: %w", err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("matrix server returned status %d", resp.StatusCode)
-	}
-
-	return nil
-}
-
-// GetServerName returns the configured server name
-func (s *MatrixService) GetServerName() string {
-	return s.serverName
-}
-
-// GenerateUserID generates a Matrix user ID from a username
-func (s *MatrixService) GenerateUserID(username string) string {
-	return fmt.Sprintf("@%s:%s", username, s.serverName)
-}
diff --git a/consent-service/internal/services/matrix/matrix_service_messaging.go b/consent-service/internal/services/matrix/matrix_service_messaging.go
new file mode 100644
index 0000000..99cd647
--- /dev/null
+++ b/consent-service/internal/services/matrix/matrix_service_messaging.go
@@ -0,0 +1,168 @@
+package matrix
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+
+	"github.com/google/uuid"
+)
+
+// ========================================
+// Messaging
+// ========================================
+
+// SendMessage sends a text message to a room
+func (s *MatrixService) SendMessage(ctx context.Context, roomID string, message string) error {
+	req := SendMessageRequest{
+		MsgType: "m.text",
+		Body:    message,
+	}
+
+	return s.sendEvent(ctx, roomID, "m.room.message", req)
+}
+
+// SendHTMLMessage sends an HTML-formatted message to a room
+func (s *MatrixService) SendHTMLMessage(ctx context.Context, roomID string, plainText string, htmlBody string) error {
+	req := SendMessageRequest{
+		MsgType:       "m.text",
+		Body:          plainText,
+		Format:        "org.matrix.custom.html",
+		FormattedBody: htmlBody,
+	}
+
+	return s.sendEvent(ctx, roomID, "m.room.message", req)
+}
+
+// SendAbsenceNotification sends an absence notification to parents
+func (s *MatrixService) SendAbsenceNotification(ctx context.Context, roomID string, studentName string, date string, lessonNumber int) error {
+	plainText := fmt.Sprintf("⚠️ Abwesenheitsmeldung\n\nIhr Kind %s war heute (%s) in der %d. Stunde nicht im Unterricht anwesend.\n\nBitte bestätigen Sie den Grund der Abwesenheit.", studentName, date, lessonNumber)
+
+	htmlBody := fmt.Sprintf(`<h3>⚠️ Abwesenheitsmeldung</h3>
+<p>Ihr Kind <strong>%s</strong> war heute (%s) in der <strong>%d. Stunde</strong> nicht im Unterricht anwesend.</p>
+<p>Bitte bestätigen Sie den Grund der Abwesenheit.</p>
+<ul>
+<li>✅ Entschuldigt (Krankheit)</li>
+<li>📋 Arztbesuch</li>
+<li>❓ Sonstiges (bitte erläutern)</li>
+</ul>`, studentName, date, lessonNumber)
+
+	return s.SendHTMLMessage(ctx, roomID, plainText, htmlBody)
+}
+
+// SendGradeNotification sends a grade notification to parents
+func (s *MatrixService) SendGradeNotification(ctx context.Context, roomID string, studentName string, subject string, gradeType string, grade float64) error {
+	plainText := fmt.Sprintf("📊 Neue Note eingetragen\n\nFür %s wurde eine neue Note eingetragen:\n\nFach: %s\nArt: %s\nNote: %.1f", studentName, subject, gradeType, grade)
+
+	htmlBody := fmt.Sprintf(`<h3>📊 Neue Note eingetragen</h3>
+<p>Für <strong>%s</strong> wurde eine neue Note eingetragen:</p>
+<table>
+<tr><td>Fach:</td><td><strong>%s</strong></td></tr>
+<tr><td>Art:</td><td>%s</td></tr>
+<tr><td>Note:</td><td><strong>%.1f</strong></td></tr>
+</table>`, studentName, subject, gradeType, grade)
+
+	return s.SendHTMLMessage(ctx, roomID, plainText, htmlBody)
+}
+
+// SendClassAnnouncement sends an announcement to a class info room
+func (s *MatrixService) SendClassAnnouncement(ctx context.Context, roomID string, title string, content string, teacherName string) error {
+	plainText := fmt.Sprintf("📢 %s\n\n%s\n\n— %s", title, content, teacherName)
+
+	htmlBody := fmt.Sprintf(`<h3>📢 %s</h3>
+<p>%s</p>
+<p><em>— %s</em></p>`, title, content, teacherName)
+
+	return s.SendHTMLMessage(ctx, roomID, plainText, htmlBody)
+}
+
+// ========================================
+// Internal Helpers
+// ========================================
+
+func (s *MatrixService) sendEvent(ctx context.Context, roomID string, eventType string, content interface{}) error {
+	body, err := json.Marshal(content)
+	if err != nil {
+		return fmt.Errorf("failed to marshal content: %w", err)
+	}
+
+	txnID := uuid.New().String()
+	endpoint := fmt.Sprintf("/_matrix/client/v3/rooms/%s/send/%s/%s",
+		url.PathEscape(roomID), url.PathEscape(eventType), txnID)
+
+	resp, err := s.doRequest(ctx, "PUT", endpoint, body)
+	if err != nil {
+		return fmt.Errorf("failed to send event: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return s.parseError(resp)
+	}
+
+	return nil
+}
+
+func (s *MatrixService) doRequest(ctx context.Context, method string, endpoint string, body []byte) (*http.Response, error) {
+	fullURL := s.homeserverURL + endpoint
+
+	var bodyReader io.Reader
+	if body != nil {
+		bodyReader = bytes.NewReader(body)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, method, fullURL, bodyReader)
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Set("Authorization", "Bearer "+s.accessToken)
+	req.Header.Set("Content-Type", "application/json")
+
+	return s.httpClient.Do(req)
+}
+
+func (s *MatrixService) parseError(resp *http.Response) error {
+	body, _ := io.ReadAll(resp.Body)
+	var errResp struct {
+		ErrCode string `json:"errcode"`
+		Error   string `json:"error"`
+	}
+	if err := json.Unmarshal(body, &errResp); err != nil {
+		return fmt.Errorf("request failed with status %d: %s", resp.StatusCode, string(body))
+	}
+	return fmt.Errorf("matrix error %s: %s", errResp.ErrCode, errResp.Error)
+}
+
+// ========================================
+// Health Check
+// ========================================
+
+// HealthCheck checks if the Matrix server is reachable
+func (s *MatrixService) HealthCheck(ctx context.Context) error {
+	resp, err := s.doRequest(ctx, "GET", "/_matrix/client/versions", nil)
+	if err != nil {
+		return fmt.Errorf("matrix server unreachable: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("matrix server returned status %d", resp.StatusCode)
+	}
+
+	return nil
+}
+
+// GetServerName returns the configured server name
+func (s *MatrixService) GetServerName() string {
+	return s.serverName
+}
+
+// GenerateUserID generates a Matrix user ID from a username
+func (s *MatrixService) GenerateUserID(username string) string {
+	return fmt.Sprintf("@%s:%s", username, s.serverName)
+}
diff --git a/consent-service/internal/services/oauth_service.go b/consent-service/internal/services/oauth_service.go
index 22abfca..92c4b71 100644
--- a/consent-service/internal/services/oauth_service.go
+++ b/consent-service/internal/services/oauth_service.go
@@ -12,7 +12,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v5/pgxpool"
 
@@ -20,25 +19,25 @@ import (
 )
 
 var (
-	ErrInvalidClient       = errors.New("invalid_client")
-	ErrInvalidGrant        = errors.New("invalid_grant")
-	ErrInvalidScope        = errors.New("invalid_scope")
-	ErrInvalidRequest      = errors.New("invalid_request")
-	ErrUnauthorizedClient  = errors.New("unauthorized_client")
-	ErrAccessDenied        = errors.New("access_denied")
-	ErrInvalidRedirectURI  = errors.New("invalid redirect_uri")
-	ErrCodeExpired         = errors.New("authorization code expired")
-	ErrCodeUsed            = errors.New("authorization code already used")
-	ErrPKCERequired        = errors.New("PKCE code_challenge required for public clients")
-	ErrPKCEVerifyFailed    = errors.New("PKCE verification failed")
+	ErrInvalidClient      = errors.New("invalid_client")
+	ErrInvalidGrant       = errors.New("invalid_grant")
+	ErrInvalidScope       = errors.New("invalid_scope")
+	ErrInvalidRequest     = errors.New("invalid_request")
+	ErrUnauthorizedClient = errors.New("unauthorized_client")
+	ErrAccessDenied       = errors.New("access_denied")
+	ErrInvalidRedirectURI = errors.New("invalid redirect_uri")
+	ErrCodeExpired        = errors.New("authorization code expired")
+	ErrCodeUsed           = errors.New("authorization code already used")
+	ErrPKCERequired       = errors.New("PKCE code_challenge required for public clients")
+	ErrPKCEVerifyFailed   = errors.New("PKCE verification failed")
 )
 
 // OAuthService handles OAuth 2.0 Authorization Code Flow with PKCE
 type OAuthService struct {
-	db                   *pgxpool.Pool
-	jwtSecret            string
-	authCodeExpiration   time.Duration
-	accessTokenExpiration time.Duration
+	db                     *pgxpool.Pool
+	jwtSecret              string
+	authCodeExpiration     time.Duration
+	accessTokenExpiration  time.Duration
 	refreshTokenExpiration time.Duration
 }
 
@@ -47,12 +46,16 @@ func NewOAuthService(db *pgxpool.Pool, jwtSecret string) *OAuthService {
 	return &OAuthService{
 		db:                     db,
 		jwtSecret:              jwtSecret,
-		authCodeExpiration:     10 * time.Minute,      // Authorization codes expire quickly
-		accessTokenExpiration:  time.Hour,             // 1 hour
-		refreshTokenExpiration: 30 * 24 * time.Hour,   // 30 days
+		authCodeExpiration:     10 * time.Minute,    // Authorization codes expire quickly
+		accessTokenExpiration:  time.Hour,            // 1 hour
+		refreshTokenExpiration: 30 * 24 * time.Hour, // 30 days
 	}
 }
 
+// ========================================
+// Client Validation
+// ========================================
+
 // ValidateClient validates an OAuth client
 func (s *OAuthService) ValidateClient(ctx context.Context, clientID string) (*models.OAuthClient, error) {
 	var client models.OAuthClient
@@ -133,6 +136,10 @@ func (s *OAuthService) ValidateScopes(client *models.OAuthClient, requestedScope
 	return validScopes, nil
 }
 
+// ========================================
+// Authorization Code
+// ========================================
+
 // GenerateAuthorizationCode generates a new authorization code
 func (s *OAuthService) GenerateAuthorizationCode(
 	ctx context.Context,
@@ -181,295 +188,9 @@ func (s *OAuthService) GenerateAuthorizationCode(
 	return code, nil
 }
 
-// ExchangeAuthorizationCode exchanges an authorization code for tokens
-func (s *OAuthService) ExchangeAuthorizationCode(
-	ctx context.Context,
-	code string,
-	clientID string,
-	redirectURI string,
-	codeVerifier string,
-) (*models.OAuthTokenResponse, error) {
-	// Hash the code to look it up
-	codeHash := sha256.Sum256([]byte(code))
-	hashedCode := hex.EncodeToString(codeHash[:])
-
-	var authCode models.OAuthAuthorizationCode
-	var scopesJSON []byte
-
-	err := s.db.QueryRow(ctx, `
-		SELECT id, client_id, user_id, redirect_uri, scopes, code_challenge, code_challenge_method, expires_at, used_at
-		FROM oauth_authorization_codes WHERE code = $1
-	`, hashedCode).Scan(
-		&authCode.ID, &authCode.ClientID, &authCode.UserID, &authCode.RedirectURI,
-		&scopesJSON, &authCode.CodeChallenge, &authCode.CodeChallengeMethod,
-		&authCode.ExpiresAt, &authCode.UsedAt,
-	)
-
-	if err != nil {
-		return nil, ErrInvalidGrant
-	}
-
-	// Check if code was already used
-	if authCode.UsedAt != nil {
-		return nil, ErrCodeUsed
-	}
-
-	// Check if code is expired
-	if time.Now().After(authCode.ExpiresAt) {
-		return nil, ErrCodeExpired
-	}
-
-	// Verify client_id matches
-	if authCode.ClientID != clientID {
-		return nil, ErrInvalidGrant
-	}
-
-	// Verify redirect_uri matches
-	if authCode.RedirectURI != redirectURI {
-		return nil, ErrInvalidGrant
-	}
-
-	// Verify PKCE if code_challenge was provided
-	if authCode.CodeChallenge != nil && *authCode.CodeChallenge != "" {
-		if codeVerifier == "" {
-			return nil, ErrPKCEVerifyFailed
-		}
-
-		var expectedChallenge string
-		if authCode.CodeChallengeMethod != nil && *authCode.CodeChallengeMethod == "S256" {
-			// SHA256 hash of verifier
-			hash := sha256.Sum256([]byte(codeVerifier))
-			expectedChallenge = base64.RawURLEncoding.EncodeToString(hash[:])
-		} else {
-			// Plain method
-			expectedChallenge = codeVerifier
-		}
-
-		if expectedChallenge != *authCode.CodeChallenge {
-			return nil, ErrPKCEVerifyFailed
-		}
-	}
-
-	// Mark code as used
-	_, err = s.db.Exec(ctx, `UPDATE oauth_authorization_codes SET used_at = NOW() WHERE id = $1`, authCode.ID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to mark code as used: %w", err)
-	}
-
-	// Parse scopes
-	var scopes []string
-	json.Unmarshal(scopesJSON, &scopes)
-
-	// Generate tokens
-	return s.generateTokens(ctx, clientID, authCode.UserID, scopes)
-}
-
-// RefreshAccessToken refreshes an access token using a refresh token
-func (s *OAuthService) RefreshAccessToken(ctx context.Context, refreshToken, clientID string, requestedScope string) (*models.OAuthTokenResponse, error) {
-	// Hash the refresh token
-	tokenHash := sha256.Sum256([]byte(refreshToken))
-	hashedToken := hex.EncodeToString(tokenHash[:])
-
-	var rt models.OAuthRefreshToken
-	var scopesJSON []byte
-
-	err := s.db.QueryRow(ctx, `
-		SELECT id, client_id, user_id, scopes, expires_at, revoked_at
-		FROM oauth_refresh_tokens WHERE token_hash = $1
-	`, hashedToken).Scan(
-		&rt.ID, &rt.ClientID, &rt.UserID, &scopesJSON, &rt.ExpiresAt, &rt.RevokedAt,
-	)
-
-	if err != nil {
-		return nil, ErrInvalidGrant
-	}
-
-	// Check if token is revoked
-	if rt.RevokedAt != nil {
-		return nil, ErrInvalidGrant
-	}
-
-	// Check if token is expired
-	if time.Now().After(rt.ExpiresAt) {
-		return nil, ErrInvalidGrant
-	}
-
-	// Verify client_id matches
-	if rt.ClientID != clientID {
-		return nil, ErrInvalidGrant
-	}
-
-	// Parse original scopes
-	var originalScopes []string
-	json.Unmarshal(scopesJSON, &originalScopes)
-
-	// Determine scopes for new tokens
-	var scopes []string
-	if requestedScope != "" {
-		// Validate that requested scopes are subset of original scopes
-		originalMap := make(map[string]bool)
-		for _, s := range originalScopes {
-			originalMap[s] = true
-		}
-
-		for _, s := range strings.Split(requestedScope, " ") {
-			if originalMap[s] {
-				scopes = append(scopes, s)
-			}
-		}
-
-		if len(scopes) == 0 {
-			return nil, ErrInvalidScope
-		}
-	} else {
-		scopes = originalScopes
-	}
-
-	// Revoke old refresh token (rotate)
-	_, _ = s.db.Exec(ctx, `UPDATE oauth_refresh_tokens SET revoked_at = NOW() WHERE id = $1`, rt.ID)
-
-	// Generate new tokens
-	return s.generateTokens(ctx, clientID, rt.UserID, scopes)
-}
-
-// generateTokens generates access and refresh tokens
-func (s *OAuthService) generateTokens(ctx context.Context, clientID string, userID uuid.UUID, scopes []string) (*models.OAuthTokenResponse, error) {
-	// Get user info for JWT
-	var user models.User
-	err := s.db.QueryRow(ctx, `
-		SELECT id, email, name, role, account_status FROM users WHERE id = $1
-	`, userID).Scan(&user.ID, &user.Email, &user.Name, &user.Role, &user.AccountStatus)
-
-	if err != nil {
-		return nil, ErrInvalidGrant
-	}
-
-	// Generate access token (JWT)
-	accessTokenClaims := jwt.MapClaims{
-		"sub":            userID.String(),
-		"email":          user.Email,
-		"role":           user.Role,
-		"account_status": user.AccountStatus,
-		"client_id":      clientID,
-		"scope":          strings.Join(scopes, " "),
-		"iat":            time.Now().Unix(),
-		"exp":            time.Now().Add(s.accessTokenExpiration).Unix(),
-		"iss":            "breakpilot-consent-service",
-		"aud":            clientID,
-	}
-
-	if user.Name != nil {
-		accessTokenClaims["name"] = *user.Name
-	}
-
-	accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, accessTokenClaims)
-	accessTokenString, err := accessToken.SignedString([]byte(s.jwtSecret))
-	if err != nil {
-		return nil, fmt.Errorf("failed to sign access token: %w", err)
-	}
-
-	// Hash access token for storage
-	accessTokenHash := sha256.Sum256([]byte(accessTokenString))
-	hashedAccessToken := hex.EncodeToString(accessTokenHash[:])
-
-	scopesJSON, _ := json.Marshal(scopes)
-
-	// Store access token
-	var accessTokenID uuid.UUID
-	err = s.db.QueryRow(ctx, `
-		INSERT INTO oauth_access_tokens (token_hash, client_id, user_id, scopes, expires_at)
-		VALUES ($1, $2, $3, $4, $5)
-		RETURNING id
-	`, hashedAccessToken, clientID, userID, scopesJSON, time.Now().Add(s.accessTokenExpiration)).Scan(&accessTokenID)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to store access token: %w", err)
-	}
-
-	// Generate refresh token (opaque)
-	refreshTokenBytes := make([]byte, 32)
-	if _, err := rand.Read(refreshTokenBytes); err != nil {
-		return nil, fmt.Errorf("failed to generate refresh token: %w", err)
-	}
-	refreshTokenString := base64.URLEncoding.EncodeToString(refreshTokenBytes)
-
-	// Hash refresh token for storage
-	refreshTokenHash := sha256.Sum256([]byte(refreshTokenString))
-	hashedRefreshToken := hex.EncodeToString(refreshTokenHash[:])
-
-	// Store refresh token
-	_, err = s.db.Exec(ctx, `
-		INSERT INTO oauth_refresh_tokens (token_hash, access_token_id, client_id, user_id, scopes, expires_at)
-		VALUES ($1, $2, $3, $4, $5, $6)
-	`, hashedRefreshToken, accessTokenID, clientID, userID, scopesJSON, time.Now().Add(s.refreshTokenExpiration))
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to store refresh token: %w", err)
-	}
-
-	return &models.OAuthTokenResponse{
-		AccessToken:  accessTokenString,
-		TokenType:    "Bearer",
-		ExpiresIn:    int(s.accessTokenExpiration.Seconds()),
-		RefreshToken: refreshTokenString,
-		Scope:        strings.Join(scopes, " "),
-	}, nil
-}
-
-// RevokeToken revokes an access or refresh token
-func (s *OAuthService) RevokeToken(ctx context.Context, token, tokenTypeHint string) error {
-	tokenHash := sha256.Sum256([]byte(token))
-	hashedToken := hex.EncodeToString(tokenHash[:])
-
-	// Try to revoke as access token
-	if tokenTypeHint == "" || tokenTypeHint == "access_token" {
-		result, err := s.db.Exec(ctx, `UPDATE oauth_access_tokens SET revoked_at = NOW() WHERE token_hash = $1`, hashedToken)
-		if err == nil && result.RowsAffected() > 0 {
-			return nil
-		}
-	}
-
-	// Try to revoke as refresh token
-	if tokenTypeHint == "" || tokenTypeHint == "refresh_token" {
-		result, err := s.db.Exec(ctx, `UPDATE oauth_refresh_tokens SET revoked_at = NOW() WHERE token_hash = $1`, hashedToken)
-		if err == nil && result.RowsAffected() > 0 {
-			return nil
-		}
-	}
-
-	return nil // RFC 7009: Always return success
-}
-
-// ValidateAccessToken validates an OAuth access token
-func (s *OAuthService) ValidateAccessToken(ctx context.Context, tokenString string) (*jwt.MapClaims, error) {
-	token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
-			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
-		}
-		return []byte(s.jwtSecret), nil
-	})
-
-	if err != nil {
-		return nil, ErrInvalidToken
-	}
-
-	claims, ok := token.Claims.(jwt.MapClaims)
-	if !ok || !token.Valid {
-		return nil, ErrInvalidToken
-	}
-
-	// Check if token is revoked in database
-	tokenHash := sha256.Sum256([]byte(tokenString))
-	hashedToken := hex.EncodeToString(tokenHash[:])
-
-	var revokedAt *time.Time
-	err = s.db.QueryRow(ctx, `SELECT revoked_at FROM oauth_access_tokens WHERE token_hash = $1`, hashedToken).Scan(&revokedAt)
-	if err == nil && revokedAt != nil {
-		return nil, ErrInvalidToken
-	}
-
-	return &claims, nil
-}
+// ========================================
+// Client Management (Admin)
+// ========================================
 
 // GetClientByID retrieves an OAuth client by its client_id
 func (s *OAuthService) GetClientByID(ctx context.Context, clientID string) (*models.OAuthClient, error) {
diff --git a/consent-service/internal/services/oauth_token_service.go b/consent-service/internal/services/oauth_token_service.go
new file mode 100644
index 0000000..44df7d4
--- /dev/null
+++ b/consent-service/internal/services/oauth_token_service.go
@@ -0,0 +1,308 @@
+package services
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
+
+	"github.com/breakpilot/consent-service/internal/models"
+)
+
+// ExchangeAuthorizationCode exchanges an authorization code for tokens
+func (s *OAuthService) ExchangeAuthorizationCode(
+	ctx context.Context,
+	code string,
+	clientID string,
+	redirectURI string,
+	codeVerifier string,
+) (*models.OAuthTokenResponse, error) {
+	// Hash the code to look it up
+	codeHash := sha256.Sum256([]byte(code))
+	hashedCode := hex.EncodeToString(codeHash[:])
+
+	var authCode models.OAuthAuthorizationCode
+	var scopesJSON []byte
+
+	err := s.db.QueryRow(ctx, `
+		SELECT id, client_id, user_id, redirect_uri, scopes, code_challenge, code_challenge_method, expires_at, used_at
+		FROM oauth_authorization_codes WHERE code = $1
+	`, hashedCode).Scan(
+		&authCode.ID, &authCode.ClientID, &authCode.UserID, &authCode.RedirectURI,
+		&scopesJSON, &authCode.CodeChallenge, &authCode.CodeChallengeMethod,
+		&authCode.ExpiresAt, &authCode.UsedAt,
+	)
+
+	if err != nil {
+		return nil, ErrInvalidGrant
+	}
+
+	// Check if code was already used
+	if authCode.UsedAt != nil {
+		return nil, ErrCodeUsed
+	}
+
+	// Check if code is expired
+	if time.Now().After(authCode.ExpiresAt) {
+		return nil, ErrCodeExpired
+	}
+
+	// Verify client_id matches
+	if authCode.ClientID != clientID {
+		return nil, ErrInvalidGrant
+	}
+
+	// Verify redirect_uri matches
+	if authCode.RedirectURI != redirectURI {
+		return nil, ErrInvalidGrant
+	}
+
+	// Verify PKCE if code_challenge was provided
+	if authCode.CodeChallenge != nil && *authCode.CodeChallenge != "" {
+		if codeVerifier == "" {
+			return nil, ErrPKCEVerifyFailed
+		}
+
+		var expectedChallenge string
+		if authCode.CodeChallengeMethod != nil && *authCode.CodeChallengeMethod == "S256" {
+			// SHA256 hash of verifier
+			hash := sha256.Sum256([]byte(codeVerifier))
+			expectedChallenge = base64.RawURLEncoding.EncodeToString(hash[:])
+		} else {
+			// Plain method
+			expectedChallenge = codeVerifier
+		}
+
+		if expectedChallenge != *authCode.CodeChallenge {
+			return nil, ErrPKCEVerifyFailed
+		}
+	}
+
+	// Mark code as used
+	_, err = s.db.Exec(ctx, `UPDATE oauth_authorization_codes SET used_at = NOW() WHERE id = $1`, authCode.ID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to mark code as used: %w", err)
+	}
+
+	// Parse scopes
+	var scopes []string
+	json.Unmarshal(scopesJSON, &scopes)
+
+	// Generate tokens
+	return s.generateTokens(ctx, clientID, authCode.UserID, scopes)
+}
+
+// RefreshAccessToken refreshes an access token using a refresh token
+func (s *OAuthService) RefreshAccessToken(ctx context.Context, refreshToken, clientID string, requestedScope string) (*models.OAuthTokenResponse, error) {
+	// Hash the refresh token
+	tokenHash := sha256.Sum256([]byte(refreshToken))
+	hashedToken := hex.EncodeToString(tokenHash[:])
+
+	var rt models.OAuthRefreshToken
+	var scopesJSON []byte
+
+	err := s.db.QueryRow(ctx, `
+		SELECT id, client_id, user_id, scopes, expires_at, revoked_at
+		FROM oauth_refresh_tokens WHERE token_hash = $1
+	`, hashedToken).Scan(
+		&rt.ID, &rt.ClientID, &rt.UserID, &scopesJSON, &rt.ExpiresAt, &rt.RevokedAt,
+	)
+
+	if err != nil {
+		return nil, ErrInvalidGrant
+	}
+
+	// Check if token is revoked
+	if rt.RevokedAt != nil {
+		return nil, ErrInvalidGrant
+	}
+
+	// Check if token is expired
+	if time.Now().After(rt.ExpiresAt) {
+		return nil, ErrInvalidGrant
+	}
+
+	// Verify client_id matches
+	if rt.ClientID != clientID {
+		return nil, ErrInvalidGrant
+	}
+
+	// Parse original scopes
+	var originalScopes []string
+	json.Unmarshal(scopesJSON, &originalScopes)
+
+	// Determine scopes for new tokens
+	var scopes []string
+	if requestedScope != "" {
+		// Validate that requested scopes are subset of original scopes
+		originalMap := make(map[string]bool)
+		for _, s := range originalScopes {
+			originalMap[s] = true
+		}
+
+		for _, s := range strings.Split(requestedScope, " ") {
+			if originalMap[s] {
+				scopes = append(scopes, s)
+			}
+		}
+
+		if len(scopes) == 0 {
+			return nil, ErrInvalidScope
+		}
+	} else {
+		scopes = originalScopes
+	}
+
+	// Revoke old refresh token (rotate)
+	_, _ = s.db.Exec(ctx, `UPDATE oauth_refresh_tokens SET revoked_at = NOW() WHERE id = $1`, rt.ID)
+
+	// Generate new tokens
+	return s.generateTokens(ctx, clientID, rt.UserID, scopes)
+}
+
+// generateTokens generates access and refresh tokens
+func (s *OAuthService) generateTokens(ctx context.Context, clientID string, userID uuid.UUID, scopes []string) (*models.OAuthTokenResponse, error) {
+	// Get user info for JWT
+	var user models.User
+	err := s.db.QueryRow(ctx, `
+		SELECT id, email, name, role, account_status FROM users WHERE id = $1
+	`, userID).Scan(&user.ID, &user.Email, &user.Name, &user.Role, &user.AccountStatus)
+
+	if err != nil {
+		return nil, ErrInvalidGrant
+	}
+
+	// Generate access token (JWT)
+	accessTokenClaims := jwt.MapClaims{
+		"sub":            userID.String(),
+		"email":          user.Email,
+		"role":           user.Role,
+		"account_status": user.AccountStatus,
+		"client_id":      clientID,
+		"scope":          strings.Join(scopes, " "),
+		"iat":            time.Now().Unix(),
+		"exp":            time.Now().Add(s.accessTokenExpiration).Unix(),
+		"iss":            "breakpilot-consent-service",
+		"aud":            clientID,
+	}
+
+	if user.Name != nil {
+		accessTokenClaims["name"] = *user.Name
+	}
+
+	accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, accessTokenClaims)
+	accessTokenString, err := accessToken.SignedString([]byte(s.jwtSecret))
+	if err != nil {
+		return nil, fmt.Errorf("failed to sign access token: %w", err)
+	}
+
+	// Hash access token for storage
+	accessTokenHash := sha256.Sum256([]byte(accessTokenString))
+	hashedAccessToken := hex.EncodeToString(accessTokenHash[:])
+
+	scopesJSON, _ := json.Marshal(scopes)
+
+	// Store access token
+	var accessTokenID uuid.UUID
+	err = s.db.QueryRow(ctx, `
+		INSERT INTO oauth_access_tokens (token_hash, client_id, user_id, scopes, expires_at)
+		VALUES ($1, $2, $3, $4, $5)
+		RETURNING id
+	`, hashedAccessToken, clientID, userID, scopesJSON, time.Now().Add(s.accessTokenExpiration)).Scan(&accessTokenID)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to store access token: %w", err)
+	}
+
+	// Generate refresh token (opaque)
+	refreshTokenBytes := make([]byte, 32)
+	if _, err := rand.Read(refreshTokenBytes); err != nil {
+		return nil, fmt.Errorf("failed to generate refresh token: %w", err)
+	}
+	refreshTokenString := base64.URLEncoding.EncodeToString(refreshTokenBytes)
+
+	// Hash refresh token for storage
+	refreshTokenHash := sha256.Sum256([]byte(refreshTokenString))
+	hashedRefreshToken := hex.EncodeToString(refreshTokenHash[:])
+
+	// Store refresh token
+	_, err = s.db.Exec(ctx, `
+		INSERT INTO oauth_refresh_tokens (token_hash, access_token_id, client_id, user_id, scopes, expires_at)
+		VALUES ($1, $2, $3, $4, $5, $6)
+	`, hashedRefreshToken, accessTokenID, clientID, userID, scopesJSON, time.Now().Add(s.refreshTokenExpiration))
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to store refresh token: %w", err)
+	}
+
+	return &models.OAuthTokenResponse{
+		AccessToken:  accessTokenString,
+		TokenType:    "Bearer",
+		ExpiresIn:    int(s.accessTokenExpiration.Seconds()),
+		RefreshToken: refreshTokenString,
+		Scope:        strings.Join(scopes, " "),
+	}, nil
+}
+
+// RevokeToken revokes an access or refresh token
+func (s *OAuthService) RevokeToken(ctx context.Context, token, tokenTypeHint string) error {
+	tokenHash := sha256.Sum256([]byte(token))
+	hashedToken := hex.EncodeToString(tokenHash[:])
+
+	// Try to revoke as access token
+	if tokenTypeHint == "" || tokenTypeHint == "access_token" {
+		result, err := s.db.Exec(ctx, `UPDATE oauth_access_tokens SET revoked_at = NOW() WHERE token_hash = $1`, hashedToken)
+		if err == nil && result.RowsAffected() > 0 {
+			return nil
+		}
+	}
+
+	// Try to revoke as refresh token
+	if tokenTypeHint == "" || tokenTypeHint == "refresh_token" {
+		result, err := s.db.Exec(ctx, `UPDATE oauth_refresh_tokens SET revoked_at = NOW() WHERE token_hash = $1`, hashedToken)
+		if err == nil && result.RowsAffected() > 0 {
+			return nil
+		}
+	}
+
+	return nil // RFC 7009: Always return success
+}
+
+// ValidateAccessToken validates an OAuth access token
+func (s *OAuthService) ValidateAccessToken(ctx context.Context, tokenString string) (*jwt.MapClaims, error) {
+	token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+		return []byte(s.jwtSecret), nil
+	})
+
+	if err != nil {
+		return nil, ErrInvalidToken
+	}
+
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok || !token.Valid {
+		return nil, ErrInvalidToken
+	}
+
+	// Check if token is revoked in database
+	tokenHash := sha256.Sum256([]byte(tokenString))
+	hashedToken := hex.EncodeToString(tokenHash[:])
+
+	var revokedAt *time.Time
+	err = s.db.QueryRow(ctx, `SELECT revoked_at FROM oauth_access_tokens WHERE token_hash = $1`, hashedToken).Scan(&revokedAt)
+	if err == nil && revokedAt != nil {
+		return nil, ErrInvalidToken
+	}
+
+	return &claims, nil
+}
diff --git a/consent-service/internal/services/school_service.go b/consent-service/internal/services/school_service.go
index 3d63f00..b07e0f9 100644
--- a/consent-service/internal/services/school_service.go
+++ b/consent-service/internal/services/school_service.go
@@ -2,8 +2,6 @@ package services
 
 import (
 	"context"
-	"crypto/rand"
-	"encoding/hex"
 	"fmt"
 	"time"
 
@@ -35,21 +33,21 @@ func NewSchoolService(db *database.DB, matrixService *matrix.MatrixService) *Sch
 // CreateSchool creates a new school
 func (s *SchoolService) CreateSchool(ctx context.Context, req models.CreateSchoolRequest) (*models.School, error) {
 	school := &models.School{
-		ID:        uuid.New(),
-		Name:      req.Name,
-		ShortName: req.ShortName,
-		Type:      req.Type,
-		Address:   req.Address,
-		City:      req.City,
+		ID:         uuid.New(),
+		Name:       req.Name,
+		ShortName:  req.ShortName,
+		Type:       req.Type,
+		Address:    req.Address,
+		City:       req.City,
 		PostalCode: req.PostalCode,
-		State:     req.State,
-		Country:   "DE",
-		Phone:     req.Phone,
-		Email:     req.Email,
-		Website:   req.Website,
-		IsActive:  true,
-		CreatedAt: time.Now(),
-		UpdatedAt: time.Now(),
+		State:      req.State,
+		Country:    "DE",
+		Phone:      req.Phone,
+		Email:      req.Email,
+		Website:    req.Website,
+		IsActive:   true,
+		CreatedAt:  time.Now(),
+		UpdatedAt:  time.Now(),
 	}
 
 	query := `
@@ -298,350 +296,6 @@ func (s *SchoolService) ListClasses(ctx context.Context, schoolID, schoolYearID
 	return classes, nil
 }
 
-// ========================================
-// Student Management
-// ========================================
-
-// CreateStudent creates a new student
-func (s *SchoolService) CreateStudent(ctx context.Context, schoolID uuid.UUID, req models.CreateStudentRequest) (*models.Student, error) {
-	classID, err := uuid.Parse(req.ClassID)
-	if err != nil {
-		return nil, fmt.Errorf("invalid class ID: %w", err)
-	}
-
-	student := &models.Student{
-		ID:            uuid.New(),
-		SchoolID:      schoolID,
-		ClassID:       classID,
-		StudentNumber: req.StudentNumber,
-		FirstName:     req.FirstName,
-		LastName:      req.LastName,
-		Gender:        req.Gender,
-		IsActive:      true,
-		CreatedAt:     time.Now(),
-		UpdatedAt:     time.Now(),
-	}
-
-	if req.DateOfBirth != nil {
-		dob, err := time.Parse("2006-01-02", *req.DateOfBirth)
-		if err == nil {
-			student.DateOfBirth = &dob
-		}
-	}
-
-	query := `
-		INSERT INTO students (id, school_id, class_id, student_number, first_name, last_name, date_of_birth, gender, is_active, created_at, updated_at)
-		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
-		RETURNING id`
-
-	err = s.db.Pool.QueryRow(ctx, query,
-		student.ID, student.SchoolID, student.ClassID, student.StudentNumber,
-		student.FirstName, student.LastName, student.DateOfBirth, student.Gender,
-		student.IsActive, student.CreatedAt, student.UpdatedAt,
-	).Scan(&student.ID)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to create student: %w", err)
-	}
-
-	return student, nil
-}
-
-// GetStudent retrieves a student by ID
-func (s *SchoolService) GetStudent(ctx context.Context, studentID uuid.UUID) (*models.Student, error) {
-	query := `
-		SELECT id, school_id, class_id, user_id, student_number, first_name, last_name, date_of_birth, gender, matrix_user_id, matrix_dm_room, is_active, created_at, updated_at
-		FROM students
-		WHERE id = $1`
-
-	student := &models.Student{}
-	err := s.db.Pool.QueryRow(ctx, query, studentID).Scan(
-		&student.ID, &student.SchoolID, &student.ClassID, &student.UserID,
-		&student.StudentNumber, &student.FirstName, &student.LastName,
-		&student.DateOfBirth, &student.Gender, &student.MatrixUserID,
-		&student.MatrixDMRoom, &student.IsActive, &student.CreatedAt, &student.UpdatedAt,
-	)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to get student: %w", err)
-	}
-
-	return student, nil
-}
-
-// ListStudentsByClass lists all students in a class
-func (s *SchoolService) ListStudentsByClass(ctx context.Context, classID uuid.UUID) ([]models.Student, error) {
-	query := `
-		SELECT id, school_id, class_id, user_id, student_number, first_name, last_name, date_of_birth, gender, matrix_user_id, matrix_dm_room, is_active, created_at, updated_at
-		FROM students
-		WHERE class_id = $1 AND is_active = true
-		ORDER BY last_name, first_name`
-
-	rows, err := s.db.Pool.Query(ctx, query, classID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to list students: %w", err)
-	}
-	defer rows.Close()
-
-	var students []models.Student
-	for rows.Next() {
-		var student models.Student
-		err := rows.Scan(
-			&student.ID, &student.SchoolID, &student.ClassID, &student.UserID,
-			&student.StudentNumber, &student.FirstName, &student.LastName,
-			&student.DateOfBirth, &student.Gender, &student.MatrixUserID,
-			&student.MatrixDMRoom, &student.IsActive, &student.CreatedAt, &student.UpdatedAt,
-		)
-		if err != nil {
-			return nil, fmt.Errorf("failed to scan student: %w", err)
-		}
-		students = append(students, student)
-	}
-
-	return students, nil
-}
-
-// ========================================
-// Teacher Management
-// ========================================
-
-// CreateTeacher creates a new teacher linked to a user account
-func (s *SchoolService) CreateTeacher(ctx context.Context, schoolID, userID uuid.UUID, firstName, lastName string, teacherCode, title *string) (*models.Teacher, error) {
-	teacher := &models.Teacher{
-		ID:          uuid.New(),
-		SchoolID:    schoolID,
-		UserID:      userID,
-		TeacherCode: teacherCode,
-		Title:       title,
-		FirstName:   firstName,
-		LastName:    lastName,
-		IsActive:    true,
-		CreatedAt:   time.Now(),
-		UpdatedAt:   time.Now(),
-	}
-
-	query := `
-		INSERT INTO teachers (id, school_id, user_id, teacher_code, title, first_name, last_name, is_active, created_at, updated_at)
-		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)
-		RETURNING id`
-
-	err := s.db.Pool.QueryRow(ctx, query,
-		teacher.ID, teacher.SchoolID, teacher.UserID, teacher.TeacherCode,
-		teacher.Title, teacher.FirstName, teacher.LastName,
-		teacher.IsActive, teacher.CreatedAt, teacher.UpdatedAt,
-	).Scan(&teacher.ID)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to create teacher: %w", err)
-	}
-
-	return teacher, nil
-}
-
-// GetTeacher retrieves a teacher by ID
-func (s *SchoolService) GetTeacher(ctx context.Context, teacherID uuid.UUID) (*models.Teacher, error) {
-	query := `
-		SELECT id, school_id, user_id, teacher_code, title, first_name, last_name, matrix_user_id, is_active, created_at, updated_at
-		FROM teachers
-		WHERE id = $1`
-
-	teacher := &models.Teacher{}
-	err := s.db.Pool.QueryRow(ctx, query, teacherID).Scan(
-		&teacher.ID, &teacher.SchoolID, &teacher.UserID, &teacher.TeacherCode,
-		&teacher.Title, &teacher.FirstName, &teacher.LastName, &teacher.MatrixUserID,
-		&teacher.IsActive, &teacher.CreatedAt, &teacher.UpdatedAt,
-	)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to get teacher: %w", err)
-	}
-
-	return teacher, nil
-}
-
-// GetTeacherByUserID retrieves a teacher by their user ID
-func (s *SchoolService) GetTeacherByUserID(ctx context.Context, userID uuid.UUID) (*models.Teacher, error) {
-	query := `
-		SELECT id, school_id, user_id, teacher_code, title, first_name, last_name, matrix_user_id, is_active, created_at, updated_at
-		FROM teachers
-		WHERE user_id = $1 AND is_active = true`
-
-	teacher := &models.Teacher{}
-	err := s.db.Pool.QueryRow(ctx, query, userID).Scan(
-		&teacher.ID, &teacher.SchoolID, &teacher.UserID, &teacher.TeacherCode,
-		&teacher.Title, &teacher.FirstName, &teacher.LastName, &teacher.MatrixUserID,
-		&teacher.IsActive, &teacher.CreatedAt, &teacher.UpdatedAt,
-	)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to get teacher by user ID: %w", err)
-	}
-
-	return teacher, nil
-}
-
-// AssignClassTeacher assigns a teacher to a class
-func (s *SchoolService) AssignClassTeacher(ctx context.Context, classID, teacherID uuid.UUID, isPrimary bool) error {
-	query := `
-		INSERT INTO class_teachers (id, class_id, teacher_id, is_primary, created_at)
-		VALUES ($1, $2, $3, $4, $5)
-		ON CONFLICT (class_id, teacher_id) DO UPDATE SET is_primary = EXCLUDED.is_primary`
-
-	_, err := s.db.Pool.Exec(ctx, query, uuid.New(), classID, teacherID, isPrimary, time.Now())
-	if err != nil {
-		return fmt.Errorf("failed to assign class teacher: %w", err)
-	}
-
-	return nil
-}
-
-// ========================================
-// Subject Management
-// ========================================
-
-// CreateSubject creates a new subject
-func (s *SchoolService) CreateSubject(ctx context.Context, schoolID uuid.UUID, name, shortName string, color *string) (*models.Subject, error) {
-	subject := &models.Subject{
-		ID:        uuid.New(),
-		SchoolID:  schoolID,
-		Name:      name,
-		ShortName: shortName,
-		Color:     color,
-		IsActive:  true,
-		CreatedAt: time.Now(),
-	}
-
-	query := `
-		INSERT INTO subjects (id, school_id, name, short_name, color, is_active, created_at)
-		VALUES ($1, $2, $3, $4, $5, $6, $7)
-		RETURNING id`
-
-	err := s.db.Pool.QueryRow(ctx, query,
-		subject.ID, subject.SchoolID, subject.Name, subject.ShortName,
-		subject.Color, subject.IsActive, subject.CreatedAt,
-	).Scan(&subject.ID)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to create subject: %w", err)
-	}
-
-	return subject, nil
-}
-
-// ListSubjects lists all subjects for a school
-func (s *SchoolService) ListSubjects(ctx context.Context, schoolID uuid.UUID) ([]models.Subject, error) {
-	query := `
-		SELECT id, school_id, name, short_name, color, is_active, created_at
-		FROM subjects
-		WHERE school_id = $1 AND is_active = true
-		ORDER BY name`
-
-	rows, err := s.db.Pool.Query(ctx, query, schoolID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to list subjects: %w", err)
-	}
-	defer rows.Close()
-
-	var subjects []models.Subject
-	for rows.Next() {
-		var subject models.Subject
-		err := rows.Scan(
-			&subject.ID, &subject.SchoolID, &subject.Name, &subject.ShortName,
-			&subject.Color, &subject.IsActive, &subject.CreatedAt,
-		)
-		if err != nil {
-			return nil, fmt.Errorf("failed to scan subject: %w", err)
-		}
-		subjects = append(subjects, subject)
-	}
-
-	return subjects, nil
-}
-
-// ========================================
-// Parent Onboarding
-// ========================================
-
-// GenerateParentOnboardingToken generates a QR code token for parent onboarding
-func (s *SchoolService) GenerateParentOnboardingToken(ctx context.Context, schoolID, classID, studentID, createdByUserID uuid.UUID, role string) (*models.ParentOnboardingToken, error) {
-	// Generate secure random token
-	tokenBytes := make([]byte, 32)
-	if _, err := rand.Read(tokenBytes); err != nil {
-		return nil, fmt.Errorf("failed to generate token: %w", err)
-	}
-	token := hex.EncodeToString(tokenBytes)
-
-	onboardingToken := &models.ParentOnboardingToken{
-		ID:        uuid.New(),
-		SchoolID:  schoolID,
-		ClassID:   classID,
-		StudentID: studentID,
-		Token:     token,
-		Role:      role,
-		ExpiresAt: time.Now().Add(72 * time.Hour), // Valid for 72 hours
-		CreatedAt: time.Now(),
-		CreatedBy: createdByUserID,
-	}
-
-	query := `
-		INSERT INTO parent_onboarding_tokens (id, school_id, class_id, student_id, token, role, expires_at, created_at, created_by)
-		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
-		RETURNING id`
-
-	err := s.db.Pool.QueryRow(ctx, query,
-		onboardingToken.ID, onboardingToken.SchoolID, onboardingToken.ClassID,
-		onboardingToken.StudentID, onboardingToken.Token, onboardingToken.Role,
-		onboardingToken.ExpiresAt, onboardingToken.CreatedAt, onboardingToken.CreatedBy,
-	).Scan(&onboardingToken.ID)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to create onboarding token: %w", err)
-	}
-
-	return onboardingToken, nil
-}
-
-// ValidateOnboardingToken validates and retrieves info for an onboarding token
-func (s *SchoolService) ValidateOnboardingToken(ctx context.Context, token string) (*models.ParentOnboardingToken, error) {
-	query := `
-		SELECT id, school_id, class_id, student_id, token, role, expires_at, used_at, used_by_user_id, created_at, created_by
-		FROM parent_onboarding_tokens
-		WHERE token = $1 AND used_at IS NULL AND expires_at > NOW()`
-
-	onboardingToken := &models.ParentOnboardingToken{}
-	err := s.db.Pool.QueryRow(ctx, query, token).Scan(
-		&onboardingToken.ID, &onboardingToken.SchoolID, &onboardingToken.ClassID,
-		&onboardingToken.StudentID, &onboardingToken.Token, &onboardingToken.Role,
-		&onboardingToken.ExpiresAt, &onboardingToken.UsedAt, &onboardingToken.UsedByUserID,
-		&onboardingToken.CreatedAt, &onboardingToken.CreatedBy,
-	)
-
-	if err != nil {
-		return nil, fmt.Errorf("invalid or expired token: %w", err)
-	}
-
-	return onboardingToken, nil
-}
-
-// RedeemOnboardingToken marks a token as used and creates the parent account
-func (s *SchoolService) RedeemOnboardingToken(ctx context.Context, token string, userID uuid.UUID) error {
-	query := `
-		UPDATE parent_onboarding_tokens
-		SET used_at = NOW(), used_by_user_id = $1
-		WHERE token = $2 AND used_at IS NULL AND expires_at > NOW()`
-
-	result, err := s.db.Pool.Exec(ctx, query, userID, token)
-	if err != nil {
-		return fmt.Errorf("failed to redeem token: %w", err)
-	}
-
-	if result.RowsAffected() == 0 {
-		return fmt.Errorf("token not found or already used")
-	}
-
-	return nil
-}
-
 // ========================================
 // Helper Functions
 // ========================================
diff --git a/consent-service/internal/services/school_service_members.go b/consent-service/internal/services/school_service_members.go
new file mode 100644
index 0000000..bf490f1
--- /dev/null
+++ b/consent-service/internal/services/school_service_members.go
@@ -0,0 +1,357 @@
+package services
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"time"
+
+	"github.com/breakpilot/consent-service/internal/models"
+
+	"github.com/google/uuid"
+)
+
+// ========================================
+// Student Management
+// ========================================
+
+// CreateStudent creates a new student
+func (s *SchoolService) CreateStudent(ctx context.Context, schoolID uuid.UUID, req models.CreateStudentRequest) (*models.Student, error) {
+	classID, err := uuid.Parse(req.ClassID)
+	if err != nil {
+		return nil, fmt.Errorf("invalid class ID: %w", err)
+	}
+
+	student := &models.Student{
+		ID:            uuid.New(),
+		SchoolID:      schoolID,
+		ClassID:       classID,
+		StudentNumber: req.StudentNumber,
+		FirstName:     req.FirstName,
+		LastName:      req.LastName,
+		Gender:        req.Gender,
+		IsActive:      true,
+		CreatedAt:     time.Now(),
+		UpdatedAt:     time.Now(),
+	}
+
+	if req.DateOfBirth != nil {
+		dob, err := time.Parse("2006-01-02", *req.DateOfBirth)
+		if err == nil {
+			student.DateOfBirth = &dob
+		}
+	}
+
+	query := `
+		INSERT INTO students (id, school_id, class_id, student_number, first_name, last_name, date_of_birth, gender, is_active, created_at, updated_at)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
+		RETURNING id`
+
+	err = s.db.Pool.QueryRow(ctx, query,
+		student.ID, student.SchoolID, student.ClassID, student.StudentNumber,
+		student.FirstName, student.LastName, student.DateOfBirth, student.Gender,
+		student.IsActive, student.CreatedAt, student.UpdatedAt,
+	).Scan(&student.ID)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to create student: %w", err)
+	}
+
+	return student, nil
+}
+
+// GetStudent retrieves a student by ID
+func (s *SchoolService) GetStudent(ctx context.Context, studentID uuid.UUID) (*models.Student, error) {
+	query := `
+		SELECT id, school_id, class_id, user_id, student_number, first_name, last_name, date_of_birth, gender, matrix_user_id, matrix_dm_room, is_active, created_at, updated_at
+		FROM students
+		WHERE id = $1`
+
+	student := &models.Student{}
+	err := s.db.Pool.QueryRow(ctx, query, studentID).Scan(
+		&student.ID, &student.SchoolID, &student.ClassID, &student.UserID,
+		&student.StudentNumber, &student.FirstName, &student.LastName,
+		&student.DateOfBirth, &student.Gender, &student.MatrixUserID,
+		&student.MatrixDMRoom, &student.IsActive, &student.CreatedAt, &student.UpdatedAt,
+	)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to get student: %w", err)
+	}
+
+	return student, nil
+}
+
+// ListStudentsByClass lists all students in a class
+func (s *SchoolService) ListStudentsByClass(ctx context.Context, classID uuid.UUID) ([]models.Student, error) {
+	query := `
+		SELECT id, school_id, class_id, user_id, student_number, first_name, last_name, date_of_birth, gender, matrix_user_id, matrix_dm_room, is_active, created_at, updated_at
+		FROM students
+		WHERE class_id = $1 AND is_active = true
+		ORDER BY last_name, first_name`
+
+	rows, err := s.db.Pool.Query(ctx, query, classID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list students: %w", err)
+	}
+	defer rows.Close()
+
+	var students []models.Student
+	for rows.Next() {
+		var student models.Student
+		err := rows.Scan(
+			&student.ID, &student.SchoolID, &student.ClassID, &student.UserID,
+			&student.StudentNumber, &student.FirstName, &student.LastName,
+			&student.DateOfBirth, &student.Gender, &student.MatrixUserID,
+			&student.MatrixDMRoom, &student.IsActive, &student.CreatedAt, &student.UpdatedAt,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed to scan student: %w", err)
+		}
+		students = append(students, student)
+	}
+
+	return students, nil
+}
+
+// ========================================
+// Teacher Management
+// ========================================
+
+// CreateTeacher creates a new teacher linked to a user account
+func (s *SchoolService) CreateTeacher(ctx context.Context, schoolID, userID uuid.UUID, firstName, lastName string, teacherCode, title *string) (*models.Teacher, error) {
+	teacher := &models.Teacher{
+		ID:          uuid.New(),
+		SchoolID:    schoolID,
+		UserID:      userID,
+		TeacherCode: teacherCode,
+		Title:       title,
+		FirstName:   firstName,
+		LastName:    lastName,
+		IsActive:    true,
+		CreatedAt:   time.Now(),
+		UpdatedAt:   time.Now(),
+	}
+
+	query := `
+		INSERT INTO teachers (id, school_id, user_id, teacher_code, title, first_name, last_name, is_active, created_at, updated_at)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)
+		RETURNING id`
+
+	err := s.db.Pool.QueryRow(ctx, query,
+		teacher.ID, teacher.SchoolID, teacher.UserID, teacher.TeacherCode,
+		teacher.Title, teacher.FirstName, teacher.LastName,
+		teacher.IsActive, teacher.CreatedAt, teacher.UpdatedAt,
+	).Scan(&teacher.ID)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to create teacher: %w", err)
+	}
+
+	return teacher, nil
+}
+
+// GetTeacher retrieves a teacher by ID
+func (s *SchoolService) GetTeacher(ctx context.Context, teacherID uuid.UUID) (*models.Teacher, error) {
+	query := `
+		SELECT id, school_id, user_id, teacher_code, title, first_name, last_name, matrix_user_id, is_active, created_at, updated_at
+		FROM teachers
+		WHERE id = $1`
+
+	teacher := &models.Teacher{}
+	err := s.db.Pool.QueryRow(ctx, query, teacherID).Scan(
+		&teacher.ID, &teacher.SchoolID, &teacher.UserID, &teacher.TeacherCode,
+		&teacher.Title, &teacher.FirstName, &teacher.LastName, &teacher.MatrixUserID,
+		&teacher.IsActive, &teacher.CreatedAt, &teacher.UpdatedAt,
+	)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to get teacher: %w", err)
+	}
+
+	return teacher, nil
+}
+
+// GetTeacherByUserID retrieves a teacher by their user ID
+func (s *SchoolService) GetTeacherByUserID(ctx context.Context, userID uuid.UUID) (*models.Teacher, error) {
+	query := `
+		SELECT id, school_id, user_id, teacher_code, title, first_name, last_name, matrix_user_id, is_active, created_at, updated_at
+		FROM teachers
+		WHERE user_id = $1 AND is_active = true`
+
+	teacher := &models.Teacher{}
+	err := s.db.Pool.QueryRow(ctx, query, userID).Scan(
+		&teacher.ID, &teacher.SchoolID, &teacher.UserID, &teacher.TeacherCode,
+		&teacher.Title, &teacher.FirstName, &teacher.LastName, &teacher.MatrixUserID,
+		&teacher.IsActive, &teacher.CreatedAt, &teacher.UpdatedAt,
+	)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to get teacher by user ID: %w", err)
+	}
+
+	return teacher, nil
+}
+
+// AssignClassTeacher assigns a teacher to a class
+func (s *SchoolService) AssignClassTeacher(ctx context.Context, classID, teacherID uuid.UUID, isPrimary bool) error {
+	query := `
+		INSERT INTO class_teachers (id, class_id, teacher_id, is_primary, created_at)
+		VALUES ($1, $2, $3, $4, $5)
+		ON CONFLICT (class_id, teacher_id) DO UPDATE SET is_primary = EXCLUDED.is_primary`
+
+	_, err := s.db.Pool.Exec(ctx, query, uuid.New(), classID, teacherID, isPrimary, time.Now())
+	if err != nil {
+		return fmt.Errorf("failed to assign class teacher: %w", err)
+	}
+
+	return nil
+}
+
+// ========================================
+// Subject Management
+// ========================================
+
+// CreateSubject creates a new subject
+func (s *SchoolService) CreateSubject(ctx context.Context, schoolID uuid.UUID, name, shortName string, color *string) (*models.Subject, error) {
+	subject := &models.Subject{
+		ID:        uuid.New(),
+		SchoolID:  schoolID,
+		Name:      name,
+		ShortName: shortName,
+		Color:     color,
+		IsActive:  true,
+		CreatedAt: time.Now(),
+	}
+
+	query := `
+		INSERT INTO subjects (id, school_id, name, short_name, color, is_active, created_at)
+		VALUES ($1, $2, $3, $4, $5, $6, $7)
+		RETURNING id`
+
+	err := s.db.Pool.QueryRow(ctx, query,
+		subject.ID, subject.SchoolID, subject.Name, subject.ShortName,
+		subject.Color, subject.IsActive, subject.CreatedAt,
+	).Scan(&subject.ID)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to create subject: %w", err)
+	}
+
+	return subject, nil
+}
+
+// ListSubjects lists all subjects for a school
+func (s *SchoolService) ListSubjects(ctx context.Context, schoolID uuid.UUID) ([]models.Subject, error) {
+	query := `
+		SELECT id, school_id, name, short_name, color, is_active, created_at
+		FROM subjects
+		WHERE school_id = $1 AND is_active = true
+		ORDER BY name`
+
+	rows, err := s.db.Pool.Query(ctx, query, schoolID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list subjects: %w", err)
+	}
+	defer rows.Close()
+
+	var subjects []models.Subject
+	for rows.Next() {
+		var subject models.Subject
+		err := rows.Scan(
+			&subject.ID, &subject.SchoolID, &subject.Name, &subject.ShortName,
+			&subject.Color, &subject.IsActive, &subject.CreatedAt,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed to scan subject: %w", err)
+		}
+		subjects = append(subjects, subject)
+	}
+
+	return subjects, nil
+}
+
+// ========================================
+// Parent Onboarding
+// ========================================
+
+// GenerateParentOnboardingToken generates a QR code token for parent onboarding
+func (s *SchoolService) GenerateParentOnboardingToken(ctx context.Context, schoolID, classID, studentID, createdByUserID uuid.UUID, role string) (*models.ParentOnboardingToken, error) {
+	// Generate secure random token
+	tokenBytes := make([]byte, 32)
+	if _, err := rand.Read(tokenBytes); err != nil {
+		return nil, fmt.Errorf("failed to generate token: %w", err)
+	}
+	token := hex.EncodeToString(tokenBytes)
+
+	onboardingToken := &models.ParentOnboardingToken{
+		ID:        uuid.New(),
+		SchoolID:  schoolID,
+		ClassID:   classID,
+		StudentID: studentID,
+		Token:     token,
+		Role:      role,
+		ExpiresAt: time.Now().Add(72 * time.Hour), // Valid for 72 hours
+		CreatedAt: time.Now(),
+		CreatedBy: createdByUserID,
+	}
+
+	query := `
+		INSERT INTO parent_onboarding_tokens (id, school_id, class_id, student_id, token, role, expires_at, created_at, created_by)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
+		RETURNING id`
+
+	err := s.db.Pool.QueryRow(ctx, query,
+		onboardingToken.ID, onboardingToken.SchoolID, onboardingToken.ClassID,
+		onboardingToken.StudentID, onboardingToken.Token, onboardingToken.Role,
+		onboardingToken.ExpiresAt, onboardingToken.CreatedAt, onboardingToken.CreatedBy,
+	).Scan(&onboardingToken.ID)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to create onboarding token: %w", err)
+	}
+
+	return onboardingToken, nil
+}
+
+// ValidateOnboardingToken validates and retrieves info for an onboarding token
+func (s *SchoolService) ValidateOnboardingToken(ctx context.Context, token string) (*models.ParentOnboardingToken, error) {
+	query := `
+		SELECT id, school_id, class_id, student_id, token, role, expires_at, used_at, used_by_user_id, created_at, created_by
+		FROM parent_onboarding_tokens
+		WHERE token = $1 AND used_at IS NULL AND expires_at > NOW()`
+
+	onboardingToken := &models.ParentOnboardingToken{}
+	err := s.db.Pool.QueryRow(ctx, query, token).Scan(
+		&onboardingToken.ID, &onboardingToken.SchoolID, &onboardingToken.ClassID,
+		&onboardingToken.StudentID, &onboardingToken.Token, &onboardingToken.Role,
+		&onboardingToken.ExpiresAt, &onboardingToken.UsedAt, &onboardingToken.UsedByUserID,
+		&onboardingToken.CreatedAt, &onboardingToken.CreatedBy,
+	)
+
+	if err != nil {
+		return nil, fmt.Errorf("invalid or expired token: %w", err)
+	}
+
+	return onboardingToken, nil
+}
+
+// RedeemOnboardingToken marks a token as used and creates the parent account
+func (s *SchoolService) RedeemOnboardingToken(ctx context.Context, token string, userID uuid.UUID) error {
+	query := `
+		UPDATE parent_onboarding_tokens
+		SET used_at = NOW(), used_by_user_id = $1
+		WHERE token = $2 AND used_at IS NULL AND expires_at > NOW()`
+
+	result, err := s.db.Pool.Exec(ctx, query, userID, token)
+	if err != nil {
+		return fmt.Errorf("failed to redeem token: %w", err)
+	}
+
+	if result.RowsAffected() == 0 {
+		return fmt.Errorf("token not found or already used")
+	}
+
+	return nil
+}
diff --git a/pitch-deck/app/pitch-admin/(authed)/versions/[id]/_components/TabEditors.tsx b/pitch-deck/app/pitch-admin/(authed)/versions/[id]/_components/TabEditors.tsx
new file mode 100644
index 0000000..5a33852
--- /dev/null
+++ b/pitch-deck/app/pitch-admin/(authed)/versions/[id]/_components/TabEditors.tsx
@@ -0,0 +1,382 @@
+'use client'
+
+import BilingualField from '@/components/pitch-admin/editors/BilingualField'
+import FormField from '@/components/pitch-admin/editors/FormField'
+import ArrayField from '@/components/pitch-admin/editors/ArrayField'
+import RowTable from '@/components/pitch-admin/editors/RowTable'
+import CardList from '@/components/pitch-admin/editors/CardList'
+
+type R = Record<string, unknown>
+
+interface TabEditorProps {
+  activeTab: string
+  data: unknown[]
+  single: R
+  jsonMode: boolean
+  jsonText: string
+  isDraft: boolean
+  onJsonTextChange: (text: string) => void
+  onDirty: () => void
+  updateData: (newData: unknown[]) => void
+  updateRecord: (index: number, key: string, value: unknown) => void
+  updateSingle: (key: string, value: unknown) => void
+}
+
+export default function TabEditor({
+  activeTab,
+  data,
+  single,
+  jsonMode,
+  jsonText,
+  isDraft,
+  onJsonTextChange,
+  onDirty,
+  updateData,
+  updateRecord,
+  updateSingle,
+}: TabEditorProps) {
+  if (jsonMode) {
+    return (
+      <textarea
+        value={jsonText}
+        onChange={e => { onJsonTextChange(e.target.value); onDirty() }}
+        readOnly={!isDraft}
+        className="w-full bg-transparent text-white/90 font-mono text-xs p-4 focus:outline-none resize-none"
+        style={{ minHeight: '400px' }}
+        spellCheck={false}
+      />
+    )
+  }
+
+  switch (activeTab) {
+    case 'company':
+      return <CompanyEditor single={single} updateSingle={updateSingle} />
+    case 'team':
+      return <TeamEditor data={data as R[]} updateData={updateData} />
+    case 'financials':
+      return <FinancialsEditor data={data as R[]} updateData={updateData} />
+    case 'market':
+      return <MarketEditor data={data as R[]} updateData={updateData} />
+    case 'competitors':
+      return <CompetitorsEditor data={data as R[]} updateData={updateData} />
+    case 'features':
+      return <FeaturesEditor data={data as R[]} updateData={updateData} />
+    case 'milestones':
+      return <MilestonesEditor data={data as R[]} updateData={updateData} />
+    case 'metrics':
+      return <MetricsEditor data={data as R[]} updateData={updateData} />
+    case 'funding':
+      return <FundingEditor single={single} updateSingle={updateSingle} />
+    case 'products':
+      return <ProductsEditor data={data as R[]} updateData={updateData} />
+    case 'fm_scenarios':
+      return <FmScenariosEditor data={data as R[]} updateData={updateData} />
+    case 'fm_assumptions':
+      return <FmAssumptionsEditor data={data as R[]} updateData={updateData} />
+    default:
+      return <div className="p-4 text-white/40">No editor for this table</div>
+  }
+}
+
+/* --- Individual tab editors --- */
+
+function CompanyEditor({ single, updateSingle }: { single: R; updateSingle: (k: string, v: unknown) => void }) {
+  return (
+    <div className="space-y-4 p-4">
+      <FormField label="Company Name" value={single.name as string || ''} onChange={v => updateSingle('name', v)} />
+      <div className="grid grid-cols-2 gap-4">
+        <FormField label="Legal Form" value={single.legal_form as string || ''} onChange={v => updateSingle('legal_form', v)} placeholder="GmbH" />
+        <FormField label="Founding Date" value={single.founding_date as string || ''} onChange={v => updateSingle('founding_date', v)} type="date" />
+      </div>
+      <BilingualField label="Tagline" valueDe={single.tagline_de as string || ''} valueEn={single.tagline_en as string || ''} onChangeDe={v => updateSingle('tagline_de', v)} onChangeEn={v => updateSingle('tagline_en', v)} />
+      <BilingualField label="Mission" valueDe={single.mission_de as string || ''} valueEn={single.mission_en as string || ''} onChangeDe={v => updateSingle('mission_de', v)} onChangeEn={v => updateSingle('mission_en', v)} multiline />
+      <div className="grid grid-cols-2 gap-4">
+        <FormField label="Website" value={single.website as string || ''} onChange={v => updateSingle('website', v)} type="url" />
+        <FormField label="HQ City" value={single.hq_city as string || ''} onChange={v => updateSingle('hq_city', v)} />
+      </div>
+    </div>
+  )
+}
+
+function TeamEditor({ data, updateData }: { data: R[]; updateData: (d: unknown[]) => void }) {
+  return (
+    <div className="p-4">
+      <CardList
+        items={data}
+        onChange={updateData}
+        titleKey="name"
+        subtitleKey="role_en"
+        addLabel="Add team member"
+        renderCard={(item, update) => (
+          <div className="space-y-3">
+            <FormField label="Name" value={item.name as string || ''} onChange={v => update('name', v)} />
+            <BilingualField label="Role" valueDe={item.role_de as string || ''} valueEn={item.role_en as string || ''} onChangeDe={v => update('role_de', v)} onChangeEn={v => update('role_en', v)} />
+            <BilingualField label="Bio" valueDe={item.bio_de as string || ''} valueEn={item.bio_en as string || ''} onChangeDe={v => update('bio_de', v)} onChangeEn={v => update('bio_en', v)} multiline />
+            <div className="grid grid-cols-2 gap-4">
+              <FormField label="Equity %" value={item.equity_pct as number || 0} onChange={v => update('equity_pct', v)} type="number" />
+              <FormField label="LinkedIn" value={item.linkedin_url as string || ''} onChange={v => update('linkedin_url', v)} type="url" />
+            </div>
+            <ArrayField label="Expertise" values={(item.expertise as string[]) || []} onChange={v => update('expertise', v)} />
+          </div>
+        )}
+      />
+    </div>
+  )
+}
+
+function FinancialsEditor({ data, updateData }: { data: R[]; updateData: (d: unknown[]) => void }) {
+  return (
+    <div className="p-4">
+      <RowTable
+        rows={data}
+        onChange={updateData}
+        columns={[
+          { key: 'year', label: 'Year', type: 'number' },
+          { key: 'revenue_eur', label: 'Revenue (EUR)', type: 'number' },
+          { key: 'costs_eur', label: 'Costs (EUR)', type: 'number' },
+          { key: 'mrr_eur', label: 'MRR (EUR)', type: 'number' },
+          { key: 'arr_eur', label: 'ARR (EUR)', type: 'number' },
+          { key: 'customers_count', label: 'Customers', type: 'number' },
+          { key: 'employees_count', label: 'Employees', type: 'number' },
+          { key: 'burn_rate_eur', label: 'Burn (EUR)', type: 'number' },
+        ]}
+        addLabel="Add year"
+      />
+    </div>
+  )
+}
+
+function MarketEditor({ data, updateData }: { data: R[]; updateData: (d: unknown[]) => void }) {
+  return (
+    <div className="p-4">
+      <RowTable
+        rows={data}
+        onChange={updateData}
+        columns={[
+          { key: 'market_segment', label: 'Segment' },
+          { key: 'label', label: 'Label' },
+          { key: 'value_eur', label: 'Value (EUR)', type: 'number' },
+          { key: 'growth_rate_pct', label: 'Growth %', type: 'number' },
+          { key: 'source', label: 'Source' },
+        ]}
+      />
+    </div>
+  )
+}
+
+function CompetitorsEditor({ data, updateData }: { data: R[]; updateData: (d: unknown[]) => void }) {
+  return (
+    <div className="p-4">
+      <CardList
+        items={data}
+        onChange={updateData}
+        titleKey="name"
+        subtitleKey="website"
+        addLabel="Add competitor"
+        renderCard={(item, update) => (
+          <div className="space-y-3">
+            <div className="grid grid-cols-2 gap-4">
+              <FormField label="Name" value={item.name as string || ''} onChange={v => update('name', v)} />
+              <FormField label="Website" value={item.website as string || ''} onChange={v => update('website', v)} type="url" />
+            </div>
+            <div className="grid grid-cols-2 gap-4">
+              <FormField label="Customers" value={item.customers_count as number || 0} onChange={v => update('customers_count', v)} type="number" />
+              <FormField label="Pricing Range" value={item.pricing_range as string || ''} onChange={v => update('pricing_range', v)} />
+            </div>
+            <ArrayField label="Strengths" values={(item.strengths as string[]) || []} onChange={v => update('strengths', v)} />
+            <ArrayField label="Weaknesses" values={(item.weaknesses as string[]) || []} onChange={v => update('weaknesses', v)} />
+          </div>
+        )}
+      />
+    </div>
+  )
+}
+
+function FeaturesEditor({ data, updateData }: { data: R[]; updateData: (d: unknown[]) => void }) {
+  return (
+    <div className="p-4">
+      <CardList
+        items={data}
+        onChange={updateData}
+        titleKey="feature_name_en"
+        subtitleKey="category"
+        addLabel="Add feature"
+        renderCard={(item, update) => (
+          <div className="space-y-3">
+            <BilingualField label="Feature Name" valueDe={item.feature_name_de as string || ''} valueEn={item.feature_name_en as string || ''} onChangeDe={v => update('feature_name_de', v)} onChangeEn={v => update('feature_name_en', v)} />
+            <FormField label="Category" value={item.category as string || ''} onChange={v => update('category', v)} />
+            <div className="grid grid-cols-5 gap-3">
+              <FormField label="BreakPilot" value={!!item.breakpilot} onChange={v => update('breakpilot', v)} type="checkbox" />
+              <FormField label="Proliance" value={!!item.proliance} onChange={v => update('proliance', v)} type="checkbox" />
+              <FormField label="DataGuard" value={!!item.dataguard} onChange={v => update('dataguard', v)} type="checkbox" />
+              <FormField label="heyData" value={!!item.heydata} onChange={v => update('heydata', v)} type="checkbox" />
+              <FormField label="Differentiator" value={!!item.is_differentiator} onChange={v => update('is_differentiator', v)} type="checkbox" />
+            </div>
+          </div>
+        )}
+      />
+    </div>
+  )
+}
+
+function MilestonesEditor({ data, updateData }: { data: R[]; updateData: (d: unknown[]) => void }) {
+  return (
+    <div className="p-4">
+      <CardList
+        items={data}
+        onChange={updateData}
+        titleKey="title_en"
+        subtitleKey="milestone_date"
+        addLabel="Add milestone"
+        renderCard={(item, update) => (
+          <div className="space-y-3">
+            <BilingualField label="Title" valueDe={item.title_de as string || ''} valueEn={item.title_en as string || ''} onChangeDe={v => update('title_de', v)} onChangeEn={v => update('title_en', v)} />
+            <BilingualField label="Description" valueDe={item.description_de as string || ''} valueEn={item.description_en as string || ''} onChangeDe={v => update('description_de', v)} onChangeEn={v => update('description_en', v)} multiline />
+            <div className="grid grid-cols-3 gap-4">
+              <FormField label="Date" value={item.milestone_date as string || ''} onChange={v => update('milestone_date', v)} />
+              <FormField label="Status" value={item.status as string || ''} onChange={v => update('status', v)} type="select" options={[
+                { value: 'completed', label: 'Completed' }, { value: 'in_progress', label: 'In Progress' }, { value: 'planned', label: 'Planned' },
+              ]} />
+              <FormField label="Category" value={item.category as string || ''} onChange={v => update('category', v)} />
+            </div>
+          </div>
+        )}
+      />
+    </div>
+  )
+}
+
+function MetricsEditor({ data, updateData }: { data: R[]; updateData: (d: unknown[]) => void }) {
+  return (
+    <div className="p-4">
+      <CardList
+        items={data}
+        onChange={updateData}
+        titleKey="metric_name"
+        subtitleKey="value"
+        addLabel="Add metric"
+        renderCard={(item, update) => (
+          <div className="space-y-3">
+            <FormField label="Metric Key" value={item.metric_name as string || ''} onChange={v => update('metric_name', v)} />
+            <BilingualField label="Label" valueDe={item.label_de as string || ''} valueEn={item.label_en as string || ''} onChangeDe={v => update('label_de', v)} onChangeEn={v => update('label_en', v)} />
+            <div className="grid grid-cols-3 gap-4">
+              <FormField label="Value" value={item.value as string || ''} onChange={v => update('value', v)} />
+              <FormField label="Unit" value={item.unit as string || ''} onChange={v => update('unit', v)} />
+              <FormField label="Is Live" value={!!item.is_live} onChange={v => update('is_live', v)} type="checkbox" />
+            </div>
+          </div>
+        )}
+      />
+    </div>
+  )
+}
+
+function FundingEditor({ single, updateSingle }: { single: R; updateSingle: (k: string, v: unknown) => void }) {
+  return (
+    <div className="space-y-4 p-4">
+      <FormField label="Round Name" value={single.round_name as string || ''} onChange={v => updateSingle('round_name', v)} />
+      <div className="grid grid-cols-3 gap-4">
+        <FormField label="Amount (EUR)" value={single.amount_eur as number || 0} onChange={v => updateSingle('amount_eur', v)} type="number" />
+        <FormField label="Instrument" value={single.instrument as string || ''} onChange={v => updateSingle('instrument', v)} />
+        <FormField label="Target Date" value={single.target_date as string || ''} onChange={v => updateSingle('target_date', v)} type="date" />
+      </div>
+      <FormField label="Status" value={single.status as string || ''} onChange={v => updateSingle('status', v)} type="select" options={[
+        { value: 'planned', label: 'Planned' }, { value: 'in_progress', label: 'In Progress' }, { value: 'completed', label: 'Completed' },
+      ]} />
+      <div>
+        <label className="block text-xs font-medium text-white/60 uppercase tracking-wider mb-2">Use of Funds</label>
+        <RowTable
+          rows={(single.use_of_funds as R[]) || []}
+          onChange={v => updateSingle('use_of_funds', v)}
+          columns={[
+            { key: 'category', label: 'Category' },
+            { key: 'percentage', label: '%', type: 'number' },
+            { key: 'label_de', label: 'Label DE' },
+            { key: 'label_en', label: 'Label EN' },
+          ]}
+        />
+      </div>
+    </div>
+  )
+}
+
+function ProductsEditor({ data, updateData }: { data: R[]; updateData: (d: unknown[]) => void }) {
+  return (
+    <div className="p-4">
+      <CardList
+        items={data}
+        onChange={updateData}
+        titleKey="name"
+        subtitleKey="hardware"
+        addLabel="Add product"
+        renderCard={(item, update) => (
+          <div className="space-y-3">
+            <div className="grid grid-cols-2 gap-4">
+              <FormField label="Name" value={item.name as string || ''} onChange={v => update('name', v)} />
+              <FormField label="Hardware" value={item.hardware as string || ''} onChange={v => update('hardware', v)} />
+            </div>
+            <div className="grid grid-cols-3 gap-4">
+              <FormField label="HW Cost (EUR)" value={item.hardware_cost_eur as number || 0} onChange={v => update('hardware_cost_eur', v)} type="number" />
+              <FormField label="Monthly Price (EUR)" value={item.monthly_price_eur as number || 0} onChange={v => update('monthly_price_eur', v)} type="number" />
+              <FormField label="Operating Cost (EUR)" value={item.operating_cost_eur as number || 0} onChange={v => update('operating_cost_eur', v)} type="number" />
+            </div>
+            <div className="grid grid-cols-2 gap-4">
+              <FormField label="LLM Model" value={item.llm_model as string || ''} onChange={v => update('llm_model', v)} />
+              <FormField label="LLM Size" value={item.llm_size as string || ''} onChange={v => update('llm_size', v)} />
+            </div>
+            <BilingualField label="LLM Capability" valueDe={item.llm_capability_de as string || ''} valueEn={item.llm_capability_en as string || ''} onChangeDe={v => update('llm_capability_de', v)} onChangeEn={v => update('llm_capability_en', v)} multiline />
+            <div className="grid grid-cols-2 gap-4">
+              <ArrayField label="Features (DE)" values={(item.features_de as string[]) || []} onChange={v => update('features_de', v)} />
+              <ArrayField label="Features (EN)" values={(item.features_en as string[]) || []} onChange={v => update('features_en', v)} />
+            </div>
+            <FormField label="Popular" value={!!item.is_popular} onChange={v => update('is_popular', v)} type="checkbox" />
+          </div>
+        )}
+      />
+    </div>
+  )
+}
+
+function FmScenariosEditor({ data, updateData }: { data: R[]; updateData: (d: unknown[]) => void }) {
+  return (
+    <div className="p-4">
+      <CardList
+        items={data}
+        onChange={updateData}
+        titleKey="name"
+        subtitleKey="description"
+        addLabel="Add scenario"
+        renderCard={(item, update) => (
+          <div className="space-y-3">
+            <FormField label="Name" value={item.name as string || ''} onChange={v => update('name', v)} />
+            <FormField label="Description" value={item.description as string || ''} onChange={v => update('description', v)} />
+            <div className="grid grid-cols-2 gap-4">
+              <FormField label="Color" value={item.color as string || '#6366f1'} onChange={v => update('color', v)} type="color" />
+              <FormField label="Default" value={!!item.is_default} onChange={v => update('is_default', v)} type="checkbox" />
+            </div>
+          </div>
+        )}
+      />
+    </div>
+  )
+}
+
+function FmAssumptionsEditor({ data, updateData }: { data: R[]; updateData: (d: unknown[]) => void }) {
+  return (
+    <div className="p-4">
+      <RowTable
+        rows={data}
+        onChange={updateData}
+        columns={[
+          { key: 'key', label: 'Key' },
+          { key: 'label_de', label: 'Label DE' },
+          { key: 'label_en', label: 'Label EN' },
+          { key: 'category', label: 'Category' },
+          { key: 'unit', label: 'Unit' },
+        ]}
+        addLabel="Add assumption"
+      />
+      <p className="text-[10px] text-white/30 mt-2">Note: values, min/max/step are best edited via &quot;Edit as JSON&quot; mode for complex types.</p>
+    </div>
+  )
+}
diff --git a/pitch-deck/app/pitch-admin/(authed)/versions/[id]/page.tsx b/pitch-deck/app/pitch-admin/(authed)/versions/[id]/page.tsx
index d898d81..a8cc669 100644
--- a/pitch-deck/app/pitch-admin/(authed)/versions/[id]/page.tsx
+++ b/pitch-deck/app/pitch-admin/(authed)/versions/[id]/page.tsx
@@ -4,11 +4,7 @@ import { useEffect, useState, useCallback } from 'react'
 import { useParams, useRouter } from 'next/navigation'
 import Link from 'next/link'
 import { ArrowLeft, Lock, Save, GitFork, Eye, Code } from 'lucide-react'
-import BilingualField from '@/components/pitch-admin/editors/BilingualField'
-import FormField from '@/components/pitch-admin/editors/FormField'
-import ArrayField from '@/components/pitch-admin/editors/ArrayField'
-import RowTable from '@/components/pitch-admin/editors/RowTable'
-import CardList from '@/components/pitch-admin/editors/CardList'
+import TabEditor from './_components/TabEditors'
 
 const TABLE_LABELS: Record<string, string> = {
   company: 'Company', team: 'Team', financials: 'Financials', market: 'Market',
@@ -65,7 +61,6 @@ export default function VersionEditorPage() {
     updateData(arr)
   }
 
-  // For single-record tables (company, funding)
   function updateSingle(key: string, value: unknown) { updateRecord(0, key, value) }
 
   async function saveTable() {
@@ -114,316 +109,6 @@ export default function VersionEditorPage() {
   const data = allData[activeTab] || []
   const single = (data as R[])[0] || {} as R
 
-  function renderEditor() {
-    if (jsonMode) {
-      return (
-        <textarea
-          value={jsonText}
-          onChange={e => { setJsonText(e.target.value); setDirty(true) }}
-          readOnly={!isDraft}
-          className="w-full bg-transparent text-white/90 font-mono text-xs p-4 focus:outline-none resize-none"
-          style={{ minHeight: '400px' }}
-          spellCheck={false}
-        />
-      )
-    }
-
-    switch (activeTab) {
-      case 'company':
-        return (
-          <div className="space-y-4 p-4">
-            <FormField label="Company Name" value={single.name as string || ''} onChange={v => updateSingle('name', v)} />
-            <div className="grid grid-cols-2 gap-4">
-              <FormField label="Legal Form" value={single.legal_form as string || ''} onChange={v => updateSingle('legal_form', v)} placeholder="GmbH" />
-              <FormField label="Founding Date" value={single.founding_date as string || ''} onChange={v => updateSingle('founding_date', v)} type="date" />
-            </div>
-            <BilingualField label="Tagline" valueDe={single.tagline_de as string || ''} valueEn={single.tagline_en as string || ''} onChangeDe={v => updateSingle('tagline_de', v)} onChangeEn={v => updateSingle('tagline_en', v)} />
-            <BilingualField label="Mission" valueDe={single.mission_de as string || ''} valueEn={single.mission_en as string || ''} onChangeDe={v => updateSingle('mission_de', v)} onChangeEn={v => updateSingle('mission_en', v)} multiline />
-            <div className="grid grid-cols-2 gap-4">
-              <FormField label="Website" value={single.website as string || ''} onChange={v => updateSingle('website', v)} type="url" />
-              <FormField label="HQ City" value={single.hq_city as string || ''} onChange={v => updateSingle('hq_city', v)} />
-            </div>
-          </div>
-        )
-
-      case 'team':
-        return (
-          <div className="p-4">
-            <CardList
-              items={data as R[]}
-              onChange={updateData}
-              titleKey="name"
-              subtitleKey="role_en"
-              addLabel="Add team member"
-              renderCard={(item, update) => (
-                <div className="space-y-3">
-                  <FormField label="Name" value={item.name as string || ''} onChange={v => update('name', v)} />
-                  <BilingualField label="Role" valueDe={item.role_de as string || ''} valueEn={item.role_en as string || ''} onChangeDe={v => update('role_de', v)} onChangeEn={v => update('role_en', v)} />
-                  <BilingualField label="Bio" valueDe={item.bio_de as string || ''} valueEn={item.bio_en as string || ''} onChangeDe={v => update('bio_de', v)} onChangeEn={v => update('bio_en', v)} multiline />
-                  <div className="grid grid-cols-2 gap-4">
-                    <FormField label="Equity %" value={item.equity_pct as number || 0} onChange={v => update('equity_pct', v)} type="number" />
-                    <FormField label="LinkedIn" value={item.linkedin_url as string || ''} onChange={v => update('linkedin_url', v)} type="url" />
-                  </div>
-                  <ArrayField label="Expertise" values={(item.expertise as string[]) || []} onChange={v => update('expertise', v)} />
-                </div>
-              )}
-            />
-          </div>
-        )
-
-      case 'financials':
-        return (
-          <div className="p-4">
-            <RowTable
-              rows={data as R[]}
-              onChange={updateData}
-              columns={[
-                { key: 'year', label: 'Year', type: 'number' },
-                { key: 'revenue_eur', label: 'Revenue (EUR)', type: 'number' },
-                { key: 'costs_eur', label: 'Costs (EUR)', type: 'number' },
-                { key: 'mrr_eur', label: 'MRR (EUR)', type: 'number' },
-                { key: 'arr_eur', label: 'ARR (EUR)', type: 'number' },
-                { key: 'customers_count', label: 'Customers', type: 'number' },
-                { key: 'employees_count', label: 'Employees', type: 'number' },
-                { key: 'burn_rate_eur', label: 'Burn (EUR)', type: 'number' },
-              ]}
-              addLabel="Add year"
-            />
-          </div>
-        )
-
-      case 'market':
-        return (
-          <div className="p-4">
-            <RowTable
-              rows={data as R[]}
-              onChange={updateData}
-              columns={[
-                { key: 'market_segment', label: 'Segment' },
-                { key: 'label', label: 'Label' },
-                { key: 'value_eur', label: 'Value (EUR)', type: 'number' },
-                { key: 'growth_rate_pct', label: 'Growth %', type: 'number' },
-                { key: 'source', label: 'Source' },
-              ]}
-            />
-          </div>
-        )
-
-      case 'competitors':
-        return (
-          <div className="p-4">
-            <CardList
-              items={data as R[]}
-              onChange={updateData}
-              titleKey="name"
-              subtitleKey="website"
-              addLabel="Add competitor"
-              renderCard={(item, update) => (
-                <div className="space-y-3">
-                  <div className="grid grid-cols-2 gap-4">
-                    <FormField label="Name" value={item.name as string || ''} onChange={v => update('name', v)} />
-                    <FormField label="Website" value={item.website as string || ''} onChange={v => update('website', v)} type="url" />
-                  </div>
-                  <div className="grid grid-cols-2 gap-4">
-                    <FormField label="Customers" value={item.customers_count as number || 0} onChange={v => update('customers_count', v)} type="number" />
-                    <FormField label="Pricing Range" value={item.pricing_range as string || ''} onChange={v => update('pricing_range', v)} />
-                  </div>
-                  <ArrayField label="Strengths" values={(item.strengths as string[]) || []} onChange={v => update('strengths', v)} />
-                  <ArrayField label="Weaknesses" values={(item.weaknesses as string[]) || []} onChange={v => update('weaknesses', v)} />
-                </div>
-              )}
-            />
-          </div>
-        )
-
-      case 'features':
-        return (
-          <div className="p-4">
-            <CardList
-              items={data as R[]}
-              onChange={updateData}
-              titleKey="feature_name_en"
-              subtitleKey="category"
-              addLabel="Add feature"
-              renderCard={(item, update) => (
-                <div className="space-y-3">
-                  <BilingualField label="Feature Name" valueDe={item.feature_name_de as string || ''} valueEn={item.feature_name_en as string || ''} onChangeDe={v => update('feature_name_de', v)} onChangeEn={v => update('feature_name_en', v)} />
-                  <FormField label="Category" value={item.category as string || ''} onChange={v => update('category', v)} />
-                  <div className="grid grid-cols-5 gap-3">
-                    <FormField label="BreakPilot" value={!!item.breakpilot} onChange={v => update('breakpilot', v)} type="checkbox" />
-                    <FormField label="Proliance" value={!!item.proliance} onChange={v => update('proliance', v)} type="checkbox" />
-                    <FormField label="DataGuard" value={!!item.dataguard} onChange={v => update('dataguard', v)} type="checkbox" />
-                    <FormField label="heyData" value={!!item.heydata} onChange={v => update('heydata', v)} type="checkbox" />
-                    <FormField label="Differentiator" value={!!item.is_differentiator} onChange={v => update('is_differentiator', v)} type="checkbox" />
-                  </div>
-                </div>
-              )}
-            />
-          </div>
-        )
-
-      case 'milestones':
-        return (
-          <div className="p-4">
-            <CardList
-              items={data as R[]}
-              onChange={updateData}
-              titleKey="title_en"
-              subtitleKey="milestone_date"
-              addLabel="Add milestone"
-              renderCard={(item, update) => (
-                <div className="space-y-3">
-                  <BilingualField label="Title" valueDe={item.title_de as string || ''} valueEn={item.title_en as string || ''} onChangeDe={v => update('title_de', v)} onChangeEn={v => update('title_en', v)} />
-                  <BilingualField label="Description" valueDe={item.description_de as string || ''} valueEn={item.description_en as string || ''} onChangeDe={v => update('description_de', v)} onChangeEn={v => update('description_en', v)} multiline />
-                  <div className="grid grid-cols-3 gap-4">
-                    <FormField label="Date" value={item.milestone_date as string || ''} onChange={v => update('milestone_date', v)} />
-                    <FormField label="Status" value={item.status as string || ''} onChange={v => update('status', v)} type="select" options={[
-                      { value: 'completed', label: 'Completed' }, { value: 'in_progress', label: 'In Progress' }, { value: 'planned', label: 'Planned' },
-                    ]} />
-                    <FormField label="Category" value={item.category as string || ''} onChange={v => update('category', v)} />
-                  </div>
-                </div>
-              )}
-            />
-          </div>
-        )
-
-      case 'metrics':
-        return (
-          <div className="p-4">
-            <CardList
-              items={data as R[]}
-              onChange={updateData}
-              titleKey="metric_name"
-              subtitleKey="value"
-              addLabel="Add metric"
-              renderCard={(item, update) => (
-                <div className="space-y-3">
-                  <FormField label="Metric Key" value={item.metric_name as string || ''} onChange={v => update('metric_name', v)} />
-                  <BilingualField label="Label" valueDe={item.label_de as string || ''} valueEn={item.label_en as string || ''} onChangeDe={v => update('label_de', v)} onChangeEn={v => update('label_en', v)} />
-                  <div className="grid grid-cols-3 gap-4">
-                    <FormField label="Value" value={item.value as string || ''} onChange={v => update('value', v)} />
-                    <FormField label="Unit" value={item.unit as string || ''} onChange={v => update('unit', v)} />
-                    <FormField label="Is Live" value={!!item.is_live} onChange={v => update('is_live', v)} type="checkbox" />
-                  </div>
-                </div>
-              )}
-            />
-          </div>
-        )
-
-      case 'funding':
-        return (
-          <div className="space-y-4 p-4">
-            <FormField label="Round Name" value={single.round_name as string || ''} onChange={v => updateSingle('round_name', v)} />
-            <div className="grid grid-cols-3 gap-4">
-              <FormField label="Amount (EUR)" value={single.amount_eur as number || 0} onChange={v => updateSingle('amount_eur', v)} type="number" />
-              <FormField label="Instrument" value={single.instrument as string || ''} onChange={v => updateSingle('instrument', v)} />
-              <FormField label="Target Date" value={single.target_date as string || ''} onChange={v => updateSingle('target_date', v)} type="date" />
-            </div>
-            <FormField label="Status" value={single.status as string || ''} onChange={v => updateSingle('status', v)} type="select" options={[
-              { value: 'planned', label: 'Planned' }, { value: 'in_progress', label: 'In Progress' }, { value: 'completed', label: 'Completed' },
-            ]} />
-            <div>
-              <label className="block text-xs font-medium text-white/60 uppercase tracking-wider mb-2">Use of Funds</label>
-              <RowTable
-                rows={(single.use_of_funds as R[]) || []}
-                onChange={v => updateSingle('use_of_funds', v)}
-                columns={[
-                  { key: 'category', label: 'Category' },
-                  { key: 'percentage', label: '%', type: 'number' },
-                  { key: 'label_de', label: 'Label DE' },
-                  { key: 'label_en', label: 'Label EN' },
-                ]}
-              />
-            </div>
-          </div>
-        )
-
-      case 'products':
-        return (
-          <div className="p-4">
-            <CardList
-              items={data as R[]}
-              onChange={updateData}
-              titleKey="name"
-              subtitleKey="hardware"
-              addLabel="Add product"
-              renderCard={(item, update) => (
-                <div className="space-y-3">
-                  <div className="grid grid-cols-2 gap-4">
-                    <FormField label="Name" value={item.name as string || ''} onChange={v => update('name', v)} />
-                    <FormField label="Hardware" value={item.hardware as string || ''} onChange={v => update('hardware', v)} />
-                  </div>
-                  <div className="grid grid-cols-3 gap-4">
-                    <FormField label="HW Cost (EUR)" value={item.hardware_cost_eur as number || 0} onChange={v => update('hardware_cost_eur', v)} type="number" />
-                    <FormField label="Monthly Price (EUR)" value={item.monthly_price_eur as number || 0} onChange={v => update('monthly_price_eur', v)} type="number" />
-                    <FormField label="Operating Cost (EUR)" value={item.operating_cost_eur as number || 0} onChange={v => update('operating_cost_eur', v)} type="number" />
-                  </div>
-                  <div className="grid grid-cols-2 gap-4">
-                    <FormField label="LLM Model" value={item.llm_model as string || ''} onChange={v => update('llm_model', v)} />
-                    <FormField label="LLM Size" value={item.llm_size as string || ''} onChange={v => update('llm_size', v)} />
-                  </div>
-                  <BilingualField label="LLM Capability" valueDe={item.llm_capability_de as string || ''} valueEn={item.llm_capability_en as string || ''} onChangeDe={v => update('llm_capability_de', v)} onChangeEn={v => update('llm_capability_en', v)} multiline />
-                  <div className="grid grid-cols-2 gap-4">
-                    <ArrayField label="Features (DE)" values={(item.features_de as string[]) || []} onChange={v => update('features_de', v)} />
-                    <ArrayField label="Features (EN)" values={(item.features_en as string[]) || []} onChange={v => update('features_en', v)} />
-                  </div>
-                  <FormField label="Popular" value={!!item.is_popular} onChange={v => update('is_popular', v)} type="checkbox" />
-                </div>
-              )}
-            />
-          </div>
-        )
-
-      case 'fm_scenarios':
-        return (
-          <div className="p-4">
-            <CardList
-              items={data as R[]}
-              onChange={updateData}
-              titleKey="name"
-              subtitleKey="description"
-              addLabel="Add scenario"
-              renderCard={(item, update) => (
-                <div className="space-y-3">
-                  <FormField label="Name" value={item.name as string || ''} onChange={v => update('name', v)} />
-                  <FormField label="Description" value={item.description as string || ''} onChange={v => update('description', v)} />
-                  <div className="grid grid-cols-2 gap-4">
-                    <FormField label="Color" value={item.color as string || '#6366f1'} onChange={v => update('color', v)} type="color" />
-                    <FormField label="Default" value={!!item.is_default} onChange={v => update('is_default', v)} type="checkbox" />
-                  </div>
-                </div>
-              )}
-            />
-          </div>
-        )
-
-      case 'fm_assumptions':
-        // Reuse the inline table approach from the FM editor (already works well for this)
-        return (
-          <div className="p-4">
-            <RowTable
-              rows={data as R[]}
-              onChange={updateData}
-              columns={[
-                { key: 'key', label: 'Key' },
-                { key: 'label_de', label: 'Label DE' },
-                { key: 'label_en', label: 'Label EN' },
-                { key: 'category', label: 'Category' },
-                { key: 'unit', label: 'Unit' },
-              ]}
-              addLabel="Add assumption"
-            />
-            <p className="text-[10px] text-white/30 mt-2">Note: values, min/max/step are best edited via "Edit as JSON" mode for complex types.</p>
-          </div>
-        )
-
-      default:
-        return <div className="p-4 text-white/40">No editor for this table</div>
-    }
-  }
-
   return (
     <div className="space-y-6">
       <Link href="/pitch-admin/versions" className="inline-flex items-center gap-2 text-sm text-white/50 hover:text-white/80">
@@ -467,17 +152,17 @@ export default function VersionEditorPage() {
 
       {/* Tabs */}
       <div className="flex gap-1 overflow-x-auto pb-1">
-        {TABLE_NAMES.map(t => (
+        {TABLE_NAMES.map(tab => (
           <button
-            key={t}
-            onClick={() => { if (dirty && !confirm('Discard unsaved changes?')) return; setActiveTab(t); setDirty(false); setJsonMode(false) }}
+            key={tab}
+            onClick={() => { if (dirty && !confirm('Discard unsaved changes?')) return; setActiveTab(tab); setDirty(false); setJsonMode(false) }}
             className={`px-3 py-1.5 rounded-lg text-xs whitespace-nowrap transition-colors ${
-              activeTab === t
+              activeTab === tab
                 ? 'bg-indigo-500/20 text-indigo-300 border border-indigo-500/30'
                 : 'bg-white/[0.04] text-white/40 border border-transparent hover:text-white/60'
             }`}
           >
-            {TABLE_LABELS[t]}
+            {TABLE_LABELS[tab]}
           </button>
         ))}
       </div>
@@ -504,15 +189,27 @@ export default function VersionEditorPage() {
                 disabled={saving || !dirty}
                 className="bg-indigo-500 hover:bg-indigo-600 text-white text-sm font-medium px-4 py-1.5 rounded-lg flex items-center gap-2 disabled:opacity-30"
               >
-                <Save className="w-3.5 h-3.5" /> {saving ? 'Saving…' : 'Save'}
+                <Save className="w-3.5 h-3.5" /> {saving ? 'Saving...' : 'Save'}
               </button>
             )}
           </div>
         </div>
-        {renderEditor()}
+        <TabEditor
+          activeTab={activeTab}
+          data={data}
+          single={single}
+          jsonMode={jsonMode}
+          jsonText={jsonText}
+          isDraft={isDraft}
+          onJsonTextChange={setJsonText}
+          onDirty={() => setDirty(true)}
+          updateData={updateData}
+          updateRecord={updateRecord}
+          updateSingle={updateSingle}
+        />
       </div>
 
-      {!isDraft && <p className="text-xs text-white/30 text-center">Committed — read-only. Fork to edit.</p>}
+      {!isDraft && <p className="text-xs text-white/30 text-center">Committed -- read-only. Fork to edit.</p>}
 
       {toast && (
         <div className="fixed bottom-6 right-6 bg-indigo-500/20 border border-indigo-500/40 text-indigo-200 text-sm px-4 py-2 rounded-lg backdrop-blur-sm z-50">
diff --git a/pitch-deck/components/ChatFAB.helpers.ts b/pitch-deck/components/ChatFAB.helpers.ts
new file mode 100644
index 0000000..649017b
--- /dev/null
+++ b/pitch-deck/components/ChatFAB.helpers.ts
@@ -0,0 +1,112 @@
+import { Language, SlideId } from '@/lib/types'
+import { SLIDE_ORDER } from '@/lib/hooks/useSlideNavigation'
+import { PresenterState } from '@/lib/presenter/types'
+
+export interface ChatFABProps {
+  lang: Language
+  currentSlide: SlideId
+  currentIndex: number
+  visitedSlides: Set<number>
+  onGoToSlide: (index: number) => void
+  presenterState?: PresenterState
+  onPresenterInterrupt?: () => void
+}
+
+export interface ParsedMessage {
+  text: string
+  followUps: string[]
+  gotos: { index: number; label: string }[]
+}
+
+export function parseAgentResponse(content: string, lang: Language): ParsedMessage {
+  const followUps: string[] = []
+  const gotos: { index: number; label: string }[] = []
+
+  // Split on the follow-up separator — flexible: "---", "- - -", "___", or multiple dashes
+  const parts = content.split(/\n\s*[-_]{3,}\s*\n/)
+  let text = parts[0]
+
+  // Parse follow-up questions from second part
+  if (parts.length > 1) {
+    const qSection = parts.slice(1).join('\n')
+    // Match [Q], **[Q]**, or numbered/bulleted question patterns
+    const qMatches = qSection.matchAll(/(?:\[Q\]|\*\*\[Q\]\*\*)\s*(.+?)(?:\n|$)/g)
+    for (const m of qMatches) {
+      const q = m[1].trim().replace(/^\*\*|\*\*$/g, '')
+      if (q.length > 5) followUps.push(q)
+    }
+
+    // Fallback: if no [Q] markers found, look for numbered or bulleted questions in the section
+    if (followUps.length === 0) {
+      const lineMatches = qSection.matchAll(/(?:^|\n)\s*(?:\d+[\.\)]\s*|[-•]\s*)(.+?\?)\s*$/gm)
+      for (const m of lineMatches) {
+        const q = m[1].trim()
+        if (q.length > 5 && followUps.length < 3) followUps.push(q)
+      }
+    }
+  }
+
+  // Also look for [Q] questions anywhere in the text (sometimes model puts them without ---)
+  if (followUps.length === 0) {
+    const inlineMatches = content.matchAll(/\[Q\]\s*(.+?)(?:\n|$)/g)
+    const inlineQs: string[] = []
+    for (const m of inlineMatches) {
+      inlineQs.push(m[1].trim())
+    }
+    if (inlineQs.length >= 2) {
+      followUps.push(...inlineQs)
+      // Remove [Q] lines from main text
+      text = text.replace(/\n?\s*\[Q\]\s*.+?(?:\n|$)/g, '\n').trim()
+    }
+  }
+
+  // Parse GOTO markers — support both [GOTO:N] (numeric) and [GOTO:slide-id] (string)
+  const gotoRegex = /\[GOTO:([\w-]+)\]/g
+  let gotoMatch
+  while ((gotoMatch = gotoRegex.exec(text)) !== null) {
+    const target = gotoMatch[1]
+    let slideIndex: number
+
+    // Try numeric index first
+    const numericIndex = parseInt(target)
+    if (!isNaN(numericIndex) && numericIndex >= 0 && numericIndex < SLIDE_ORDER.length) {
+      slideIndex = numericIndex
+    } else {
+      // Try slide ID lookup
+      slideIndex = SLIDE_ORDER.indexOf(target as SlideId)
+    }
+
+    if (slideIndex >= 0) {
+      gotos.push({
+        index: slideIndex,
+        label: lang === 'de' ? `Zu Slide ${slideIndex + 1} springen` : `Jump to slide ${slideIndex + 1}`,
+      })
+    }
+  }
+  // Remove GOTO markers from visible text
+  text = text.replace(/\s*\[GOTO:[\w-]+\]/g, '')
+
+  // Clean up trailing reminder instruction that might leak through
+  text = text.replace(/\n*\(Erinnerung:.*?\)\s*$/s, '').trim()
+
+  return { text: text.trim(), followUps, gotos }
+}
+
+/**
+ * Clean text for TTS: remove markdown formatting, keep plain speech
+ */
+export function cleanTextForTts(text: string): string {
+  return text
+    .replace(/\*\*(.+?)\*\*/g, '$1')
+    .replace(/\[GOTO:[\w-]+\]/g, '')
+    .replace(/\[Q\]\s*/g, '')
+    .replace(/---/g, '')
+    .trim()
+}
+
+/**
+ * Detect language heuristically for TTS
+ */
+export function detectTtsLanguage(text: string, fallback: Language): string {
+  return /[äöüÄÖÜß]|(?:^|\s)(?:das|die|der|und|ist|wir|ein|für|mit|auf|von|den|des)\s/i.test(text) ? 'de' : fallback
+}
diff --git a/pitch-deck/components/ChatFAB.tsx b/pitch-deck/components/ChatFAB.tsx
index c2a6328..f9cac46 100644
--- a/pitch-deck/components/ChatFAB.tsx
+++ b/pitch-deck/components/ChatFAB.tsx
@@ -3,101 +3,17 @@
 import { useState, useRef, useEffect, useMemo } from 'react'
 import { motion, AnimatePresence } from 'framer-motion'
 import { X, Send, Bot, User, Sparkles, Maximize2, Minimize2, ArrowRight, Volume2, VolumeX } from 'lucide-react'
-import { ChatMessage, Language, SlideId } from '@/lib/types'
+import { ChatMessage } from '@/lib/types'
 import { t } from '@/lib/i18n'
 import { SLIDE_ORDER } from '@/lib/hooks/useSlideNavigation'
-import { PresenterState } from '@/lib/presenter/types'
 import { matchFAQMultiple, buildFAQContext } from '@/lib/presenter/faq-matcher'
-
-interface ChatFABProps {
-  lang: Language
-  currentSlide: SlideId
-  currentIndex: number
-  visitedSlides: Set<number>
-  onGoToSlide: (index: number) => void
-  presenterState?: PresenterState
-  onPresenterInterrupt?: () => void
-}
-
-interface ParsedMessage {
-  text: string
-  followUps: string[]
-  gotos: { index: number; label: string }[]
-}
-
-function parseAgentResponse(content: string, lang: Language): ParsedMessage {
-  const followUps: string[] = []
-  const gotos: { index: number; label: string }[] = []
-
-  // Split on the follow-up separator — flexible: "---", "- - -", "___", or multiple dashes
-  const parts = content.split(/\n\s*[-_]{3,}\s*\n/)
-  let text = parts[0]
-
-  // Parse follow-up questions from second part
-  if (parts.length > 1) {
-    const qSection = parts.slice(1).join('\n')
-    // Match [Q], **[Q]**, or numbered/bulleted question patterns
-    const qMatches = qSection.matchAll(/(?:\[Q\]|\*\*\[Q\]\*\*)\s*(.+?)(?:\n|$)/g)
-    for (const m of qMatches) {
-      const q = m[1].trim().replace(/^\*\*|\*\*$/g, '')
-      if (q.length > 5) followUps.push(q)
-    }
-
-    // Fallback: if no [Q] markers found, look for numbered or bulleted questions in the section
-    if (followUps.length === 0) {
-      const lineMatches = qSection.matchAll(/(?:^|\n)\s*(?:\d+[\.\)]\s*|[-•]\s*)(.+?\?)\s*$/gm)
-      for (const m of lineMatches) {
-        const q = m[1].trim()
-        if (q.length > 5 && followUps.length < 3) followUps.push(q)
-      }
-    }
-  }
-
-  // Also look for [Q] questions anywhere in the text (sometimes model puts them without ---)
-  if (followUps.length === 0) {
-    const inlineMatches = content.matchAll(/\[Q\]\s*(.+?)(?:\n|$)/g)
-    const inlineQs: string[] = []
-    for (const m of inlineMatches) {
-      inlineQs.push(m[1].trim())
-    }
-    if (inlineQs.length >= 2) {
-      followUps.push(...inlineQs)
-      // Remove [Q] lines from main text
-      text = text.replace(/\n?\s*\[Q\]\s*.+?(?:\n|$)/g, '\n').trim()
-    }
-  }
-
-  // Parse GOTO markers — support both [GOTO:N] (numeric) and [GOTO:slide-id] (string)
-  const gotoRegex = /\[GOTO:([\w-]+)\]/g
-  let gotoMatch
-  while ((gotoMatch = gotoRegex.exec(text)) !== null) {
-    const target = gotoMatch[1]
-    let slideIndex: number
-
-    // Try numeric index first
-    const numericIndex = parseInt(target)
-    if (!isNaN(numericIndex) && numericIndex >= 0 && numericIndex < SLIDE_ORDER.length) {
-      slideIndex = numericIndex
-    } else {
-      // Try slide ID lookup
-      slideIndex = SLIDE_ORDER.indexOf(target as SlideId)
-    }
-
-    if (slideIndex >= 0) {
-      gotos.push({
-        index: slideIndex,
-        label: lang === 'de' ? `Zu Slide ${slideIndex + 1} springen` : `Jump to slide ${slideIndex + 1}`,
-      })
-    }
-  }
-  // Remove GOTO markers from visible text
-  text = text.replace(/\s*\[GOTO:[\w-]+\]/g, '')
-
-  // Clean up trailing reminder instruction that might leak through
-  text = text.replace(/\n*\(Erinnerung:.*?\)\s*$/s, '').trim()
-
-  return { text: text.trim(), followUps, gotos }
-}
+import {
+  ChatFABProps,
+  ParsedMessage,
+  parseAgentResponse,
+  cleanTextForTts,
+  detectTtsLanguage,
+} from './ChatFAB.helpers'
 
 export default function ChatFAB({
   lang,
@@ -140,21 +56,14 @@ export default function ChatFAB({
     if (!chatTtsEnabled) return
     cancelChatAudio()
 
-    // Clean text for TTS: remove markdown formatting, keep plain speech
-    const cleanText = text
-      .replace(/\*\*(.+?)\*\*/g, '$1')
-      .replace(/\[GOTO:[\w-]+\]/g, '')
-      .replace(/\[Q\]\s*/g, '')
-      .replace(/---/g, '')
-      .trim()
-
+    const cleanText = cleanTextForTts(text)
     if (!cleanText) return
 
     const controller = new AbortController()
     ttsAbortRef.current = controller
 
     try {
-      const textLang = /[äöüÄÖÜß]|(?:^|\s)(?:das|die|der|und|ist|wir|ein|für|mit|auf|von|den|des)\s/i.test(cleanText) ? 'de' : lang
+      const textLang = detectTtsLanguage(cleanText, lang)
       const res = await fetch('/api/presenter/tts', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
@@ -169,14 +78,8 @@ export default function ChatFAB({
       chatAudioRef.current = audio
       setIsChatSpeaking(true)
 
-      audio.onended = () => {
-        setIsChatSpeaking(false)
-        chatAudioRef.current = null
-      }
-      audio.onerror = () => {
-        setIsChatSpeaking(false)
-        chatAudioRef.current = null
-      }
+      audio.onended = () => { setIsChatSpeaking(false); chatAudioRef.current = null }
+      audio.onerror = () => { setIsChatSpeaking(false); chatAudioRef.current = null }
 
       await audio.play()
     } catch {
@@ -196,8 +99,8 @@ export default function ChatFAB({
 
   // Parse the latest assistant message when streaming ends
   const lastAssistantIndex = useMemo(() => {
-    for (let i = messages.length - 1; i >= 0; i--) {
-      if (messages[i].role === 'assistant') return i
+    for (let idx = messages.length - 1; idx >= 0; idx--) {
+      if (messages[idx].role === 'assistant') return idx
     }
     return -1
   }, [messages])
@@ -207,8 +110,6 @@ export default function ChatFAB({
       const msg = messages[lastAssistantIndex]
       const parsed = parseAgentResponse(msg.content, lang)
       setParsedResponses(prev => new Map(prev).set(lastAssistantIndex, parsed))
-
-      // Speak the response via TTS
       speakResponse(parsed.text)
     }
   }, [isStreaming, lastAssistantIndex, messages, parsedResponses, lang])
@@ -217,7 +118,6 @@ export default function ChatFAB({
     const message = text || input.trim()
     if (!message || isStreaming) return
 
-    // Interrupt presenter if it's running
     if (presenterState === 'presenting' && onPresenterInterrupt) {
       onPresenterInterrupt()
     }
@@ -228,7 +128,6 @@ export default function ChatFAB({
     setIsStreaming(true)
     setIsWaiting(true)
 
-    // Find relevant FAQ entries as context for the LLM
     const faqMatches = matchFAQMultiple(message, lang, 3)
     const faqContext = buildFAQContext(faqMatches, lang)
 
@@ -240,17 +139,13 @@ export default function ChatFAB({
         history: messages.slice(-10),
         lang,
         slideContext: {
-          currentSlide,
-          currentIndex,
+          currentSlide, currentIndex,
           visitedSlides: Array.from(visitedSlides),
           totalSlides: SLIDE_ORDER.length,
         },
       }
 
-      // Send FAQ context to LLM (not direct streaming — LLM interprets and combines)
-      if (faqContext) {
-        requestBody.faqContext = faqContext
-      }
+      if (faqContext) requestBody.faqContext = faqContext
 
       const res = await fetch('/api/chat', {
         method: 'POST',
@@ -291,8 +186,7 @@ export default function ChatFAB({
       if (topMatch?.goto_slide) {
         const gotoIdx = SLIDE_ORDER.indexOf(topMatch.goto_slide)
         if (gotoIdx >= 0) {
-          const suffix = `\n\n[GOTO:${topMatch.goto_slide}]`
-          content += suffix
+          content += `\n\n[GOTO:${topMatch.goto_slide}]`
           setMessages(prev => {
             const updated = [...prev]
             updated[updated.length - 1] = { role: 'assistant', content }
@@ -319,10 +213,7 @@ export default function ChatFAB({
   }
 
   function stopGeneration() {
-    if (abortRef.current) {
-      abortRef.current.abort()
-      setIsStreaming(false)
-    }
+    if (abortRef.current) { abortRef.current.abort(); setIsStreaming(false) }
   }
 
   const suggestions = i.aiqa.suggestions.slice(0, 3)
@@ -338,7 +229,6 @@ export default function ChatFAB({
           <span className="inline-block w-1.5 h-3.5 bg-indigo-400 animate-pulse ml-0.5" />
         )}
 
-        {/* GOTO Buttons */}
         {parsed && parsed.gotos.length > 0 && (
           <div className="mt-2 space-y-1">
             {parsed.gotos.map((g, gi) => (
@@ -357,7 +247,6 @@ export default function ChatFAB({
           </div>
         )}
 
-        {/* Follow-Up Suggestions */}
         {parsed && parsed.followUps.length > 0 && !isStreaming && (
           <div className="mt-3 space-y-1.5 border-t border-white/10 pt-2">
             {parsed.followUps.map((q, qi) => (
@@ -380,7 +269,7 @@ export default function ChatFAB({
 
   return (
     <>
-      {/* FAB Button — sits to the left of NavigationFAB */}
+      {/* FAB Button */}
       <AnimatePresence>
         {!isOpen && (
           <motion.button
@@ -402,7 +291,6 @@ export default function ChatFAB({
               <circle cx="12" cy="10" r="1" fill="currentColor" />
               <circle cx="15" cy="10" r="1" fill="currentColor" />
             </svg>
-            {/* Presenter active indicator */}
             {presenterState !== 'idle' && (
               <span className="absolute -top-1 -right-1 w-3 h-3 rounded-full bg-green-400 border-2 border-black animate-pulse" />
             )}
@@ -445,12 +333,7 @@ export default function ChatFAB({
               </div>
               <div className="flex items-center gap-1">
                 <button
-                  onClick={() => {
-                    setChatTtsEnabled(prev => {
-                      if (prev) cancelChatAudio()
-                      return !prev
-                    })
-                  }}
+                  onClick={() => { setChatTtsEnabled(prev => { if (prev) cancelChatAudio(); return !prev }) }}
                   className={`w-7 h-7 rounded-full flex items-center justify-center transition-colors ${
                     isChatSpeaking ? 'bg-indigo-500/30' : 'bg-white/10 hover:bg-white/20'
                   }`}
@@ -471,10 +354,7 @@ export default function ChatFAB({
                   {isExpanded ? <Minimize2 className="w-3.5 h-3.5 text-white/60" /> : <Maximize2 className="w-3.5 h-3.5 text-white/60" />}
                 </button>
                 <button
-                  onClick={() => {
-                    cancelChatAudio()
-                    setIsOpen(false)
-                  }}
+                  onClick={() => { cancelChatAudio(); setIsOpen(false) }}
                   className="w-7 h-7 rounded-full bg-white/10 flex items-center justify-center hover:bg-white/20 transition-colors"
                 >
                   <X className="w-4 h-4 text-white/60" />
@@ -521,12 +401,12 @@ export default function ChatFAB({
                       <Bot className="w-3.5 h-3.5 text-indigo-400" />
                     </div>
                     <div className="bg-white/[0.06] rounded-2xl px-3.5 py-3 flex items-center gap-1">
-                      {[0, 1, 2].map(i => (
+                      {[0, 1, 2].map(dotIdx => (
                         <motion.span
-                          key={i}
+                          key={dotIdx}
                           className="block w-1.5 h-1.5 rounded-full bg-indigo-400/70"
                           animate={{ opacity: [0.3, 1, 0.3], y: [0, -3, 0] }}
-                          transition={{ duration: 0.7, repeat: Infinity, delay: i * 0.15 }}
+                          transition={{ duration: 0.7, repeat: Infinity, delay: dotIdx * 0.15 }}
                         />
                       ))}
                     </div>
@@ -535,24 +415,15 @@ export default function ChatFAB({
               </AnimatePresence>
 
               {messages.map((msg, idx) => (
-                <div
-                  key={idx}
-                  className={`flex gap-2.5 ${msg.role === 'user' ? 'justify-end' : ''}`}
-                >
+                <div key={idx} className={`flex gap-2.5 ${msg.role === 'user' ? 'justify-end' : ''}`}>
                   {msg.role === 'assistant' && (
                     <div className="w-7 h-7 rounded-full bg-indigo-500/20 flex items-center justify-center shrink-0 mt-0.5">
                       <Bot className="w-3.5 h-3.5 text-indigo-400" />
                     </div>
                   )}
-                  <div
-                    className={`
-                      max-w-[85%] rounded-2xl px-3.5 py-2.5 text-xs leading-relaxed
-                      ${msg.role === 'user'
-                        ? 'bg-indigo-500/20 text-white'
-                        : 'bg-white/[0.06] text-white/80'
-                      }
-                    `}
-                  >
+                  <div className={`max-w-[85%] rounded-2xl px-3.5 py-2.5 text-xs leading-relaxed ${
+                    msg.role === 'user' ? 'bg-indigo-500/20 text-white' : 'bg-white/[0.06] text-white/80'
+                  }`}>
                     {msg.role === 'assistant' ? renderMessageContent(msg, idx) : (
                       <div className="whitespace-pre-wrap">{msg.content}</div>
                     )}
diff --git a/pitch-deck/components/slides/ArchitectureSlide.data.ts b/pitch-deck/components/slides/ArchitectureSlide.data.ts
new file mode 100644
index 0000000..88d09ca
--- /dev/null
+++ b/pitch-deck/components/slides/ArchitectureSlide.data.ts
@@ -0,0 +1,118 @@
+// ArchitectureSlide data — extracted from ArchitectureSlide.tsx
+import {
+  Brain, Shield, ScanLine, Zap, Cpu, Layers, Wrench,
+} from 'lucide-react'
+
+export type NodeId = 'certifai' | 'complai' | 'scanner' | 'litellm' | 'llm' | 'embeddings' | 'tools'
+
+export interface NodeDef {
+  id: NodeId
+  icon: React.ElementType
+  title: string
+  subtitle: string
+  color: string
+  tech: string[]
+  services: { name: string; desc: string }[]
+  primary?: boolean
+  tier: 'product' | 'proxy' | 'inference'
+}
+
+export function getNodes(de: boolean): NodeDef[] {
+  return [
+    {
+      id: 'certifai', icon: Brain,
+      title: 'CERTifAI',
+      subtitle: de ? 'GenAI Mandantenportal' : 'GenAI Tenant Portal',
+      color: '#c084fc', tier: 'product',
+      tech: ['Rust', 'Dioxus', 'MongoDB', 'Keycloak', 'SearXNG', 'LangGraph'],
+      services: [
+        { name: 'LiteLLM Dashboard', desc: de ? 'Modellverwaltung & Kostentracking' : 'Model mgmt & cost tracking' },
+        { name: 'LibreChat + SSO', desc: de ? 'Mandanten-Chat mit Keycloak' : 'Tenant chat with Keycloak' },
+        { name: 'LangGraph Agents', desc: de ? 'Agent-Orchestrierung' : 'Agent orchestration' },
+        { name: 'MCP Hub', desc: de ? 'Tool-Integration f\u00fcr KI-Clients' : 'Tool integration for AI clients' },
+      ],
+    },
+    {
+      id: 'complai', icon: Shield,
+      title: 'COMPLAI',
+      subtitle: de ? 'Compliance & Audit' : 'Compliance & Audit',
+      color: '#818cf8', tier: 'product',
+      tech: ['Next.js 15', 'FastAPI', 'Go/Gin', 'PostgreSQL', 'Qdrant', 'Valkey'],
+      services: [
+        { name: de ? 'DSGVO / AI Act / NIS2' : 'GDPR / AI Act / NIS2', desc: de ? '70k+ auditierbare Controls' : '70k+ auditable controls' },
+        { name: 'RAG Pipeline', desc: de ? '75+ Rechtsquellen, semantische Suche' : '75+ legal sources, semantic search' },
+        { name: 'Control Pipeline', desc: de ? 'Gesetzestextanalyse via LLM' : 'Legal text analysis via LLM' },
+        { name: 'MCP Client', desc: de ? 'Echtzeit-Findings vom Scanner' : 'Real-time findings from Scanner' },
+      ],
+    },
+    {
+      id: 'scanner', icon: ScanLine,
+      title: 'Compliance Scanner',
+      subtitle: de ? 'Code-Sicherheit' : 'Code Security',
+      color: '#34d399', tier: 'product',
+      tech: ['Rust', 'Axum', 'MongoDB', 'Semgrep', 'Gitleaks', 'Syft'],
+      services: [
+        { name: 'SAST / SBOM / CVE', desc: de ? 'Vollautomatische Pipeline' : 'Fully automated pipeline' },
+        { name: de ? 'KI-Triage' : 'AI Triage', desc: de ? 'LLM filtert False Positives' : 'LLM filters false positives' },
+        { name: de ? 'KI-Pentest' : 'AI Pentest', desc: de ? 'Autonome Angriffsketten' : 'Autonomous attack chains' },
+        { name: 'MCP Server', desc: de ? 'Live-Findings f\u00fcr COMPLAI' : 'Live findings for COMPLAI' },
+      ],
+    },
+    {
+      id: 'litellm', icon: Zap,
+      title: 'LiteLLM Proxy',
+      subtitle: de ? 'KI-Gateway & Guardrails' : 'AI Gateway & Guardrails',
+      color: '#fbbf24', tier: 'proxy', primary: true,
+      tech: ['OpenAI-kompatible API', 'Bearer Auth', 'Rate Limiting', 'PII-Filter', 'Spend Tracking'],
+      services: [
+        { name: de ? 'Token-Budget' : 'Token Budget', desc: de ? 'Pro-Mandant Kontingente & Abrechnung' : 'Per-tenant quotas & billing' },
+        { name: 'PII Guardrails', desc: de ? 'Datenschutz-Filter f\u00fcr alle Anfragen' : 'Privacy filter on all requests' },
+        { name: de ? 'Web-Suche (anonym)' : 'Web Search (anon)', desc: de ? 'SearXNG-Proxy, kein US-Anbieter' : 'SearXNG proxy, no US providers' },
+        { name: de ? 'Namespace-Isolierung' : 'Namespace Isolation', desc: de ? 'Mandantentrennung per API-Key' : 'Tenant isolation per API key' },
+        { name: de ? 'Failover-Routing' : 'Failover Routing', desc: de ? 'Automatisches Fallback' : 'Automatic fallback between models' },
+      ],
+    },
+    {
+      id: 'llm', icon: Cpu,
+      title: de ? 'LLM Inferenz' : 'LLM Inference',
+      subtitle: de ? 'Lokale Sprachmodelle' : 'Local Language Models',
+      color: '#60a5fa', tier: 'inference',
+      tech: ['Qwen3-32B', 'Qwen3-Coder-30B', 'DeepSeek-R1-8B', 'Ollama'],
+      services: [
+        { name: de ? 'Vollst\u00e4ndig lokal' : 'Fully local', desc: de ? 'Daten verlassen nie den Server' : 'Data never leaves the server' },
+        { name: de ? 'Air-Gap f\u00e4hig' : 'Air-Gap Capable', desc: de ? 'Kein Internet erforderlich' : 'No internet required' },
+        { name: de ? 'GPU-optimiert' : 'GPU-optimized', desc: de ? 'Dedizierte Inferenz-Hardware' : 'Dedicated inference hardware' },
+      ],
+    },
+    {
+      id: 'embeddings', icon: Layers,
+      title: 'Embeddings',
+      subtitle: de ? 'Semantische Suche' : 'Semantic Search',
+      color: '#a78bfa', tier: 'inference',
+      tech: ['bge-m3', 'Qdrant Vector DB', 'Sentence-Transformers'],
+      services: [
+        { name: 'RAG Pipeline', desc: de ? '75+ Rechtsquellen indexiert' : '75+ legal sources indexed' },
+        { name: de ? 'Semantische Suche' : 'Semantic Search', desc: de ? 'Multi-linguale Einbettungen' : 'Multi-lingual embeddings' },
+        { name: de ? 'Lokal' : 'Fully local', desc: de ? 'Keine externen APIs' : 'No external APIs' },
+      ],
+    },
+    {
+      id: 'tools', icon: Wrench,
+      title: de ? 'KI-Tools' : 'AI Tools',
+      subtitle: de ? 'Web-Suche & MCP' : 'Web Search & MCP',
+      color: '#2dd4bf', tier: 'inference',
+      tech: ['SearXNG', 'MCP Protocol', 'Semgrep API', 'Gitleaks API'],
+      services: [
+        { name: 'SearXNG', desc: de ? 'Anonymisierte EU-Websuche' : 'Anonymized EU web search' },
+        { name: 'MCP Tools', desc: de ? 'Auditdokumente & Code-Findings' : 'Audit docs & code findings' },
+        { name: de ? 'Kein US-Anbieter' : 'No US providers', desc: de ? '100% DSGVO-konform' : '100% GDPR-compliant' },
+      ],
+    },
+  ]
+}
+
+export const LAYERS: { id: string; nodeIds: NodeId[]; tint: string; depth: number }[] = [
+  { id: 'product',   nodeIds: ['certifai', 'complai', 'scanner'], tint: '#a78bfa', depth: 24 },
+  { id: 'proxy',     nodeIds: ['litellm'],                         tint: '#fbbf24', depth: 12 },
+  { id: 'inference', nodeIds: ['llm', 'embeddings', 'tools'],      tint: '#8b5cf6', depth: 0  },
+]
diff --git a/pitch-deck/components/slides/ArchitectureSlide.parts.tsx b/pitch-deck/components/slides/ArchitectureSlide.parts.tsx
new file mode 100644
index 0000000..c59b706
--- /dev/null
+++ b/pitch-deck/components/slides/ArchitectureSlide.parts.tsx
@@ -0,0 +1,370 @@
+'use client'
+
+import { useState, useEffect, useRef } from 'react'
+import { type NodeId, type NodeDef } from './ArchitectureSlide.data'
+
+// ── CSS keyframes (injected via <style> in main component) ───────────────────
+export const CSS_KF = `
+  @keyframes v4FlowDown { from { stroke-dashoffset: 0 } to { stroke-dashoffset: -18px } }
+  @keyframes v4Pulse { 0%,100% { opacity:1;transform:scale(1) } 50% { opacity:.4;transform:scale(1.4) } }
+  @keyframes v4Caret { 0%,50% { opacity:1 } 51%,100% { opacity:0 } }
+  @keyframes v4DotFall {
+    0%   { transform: translateY(-5px); opacity: 0; }
+    12%  { opacity: 1; }
+    88%  { opacity: 1; }
+    100% { transform: translateY(38px); opacity: 0; }
+  }
+`
+
+export const MONO: React.CSSProperties = {
+  fontFamily: '"JetBrains Mono","SF Mono",ui-monospace,monospace',
+  fontVariantNumeric: 'tabular-nums',
+}
+
+// ── Theme detection ───────────────────────────────────────────────────────────
+export function useIsLight() {
+  const [isLight, setIsLight] = useState(false)
+  useEffect(() => {
+    const check = () => setIsLight(document.documentElement.classList.contains('theme-light'))
+    check()
+    const obs = new MutationObserver(check)
+    obs.observe(document.documentElement, { attributes: true, attributeFilter: ['class'] })
+    return () => obs.disconnect()
+  }, [])
+  return isLight
+}
+
+// ── Ticker primitives ─────────────────────────────────────────────────────────
+function useTicker(fn: () => void, min = 140, max = 360, skipChance = 0.1) {
+  const ref = useRef(fn)
+  ref.current = fn
+  useEffect(() => {
+    let tid: ReturnType<typeof setTimeout>
+    const loop = () => {
+      if (Math.random() > skipChance) ref.current()
+      tid = setTimeout(loop, min + Math.random() * (max - min))
+    }
+    loop()
+    return () => clearTimeout(tid)
+  }, [min, max, skipChance])
+}
+
+function TickerShell({ color, children, isLight }: { color: string; children: React.ReactNode; isLight: boolean }) {
+  return (
+    <div style={{
+      ...MONO,
+      marginTop: 7, padding: '5px 9px',
+      background: isLight ? '#f1f5f9' : 'rgba(0,0,0,.38)',
+      border: `1px solid ${color}${isLight ? '55' : '55'}`, borderRadius: 6,
+      fontSize: 10, color: isLight ? '#475569' : 'rgba(236,233,247,.88)',
+      display: 'flex', alignItems: 'center', gap: 6,
+      whiteSpace: 'nowrap', overflow: 'hidden', height: 22,
+    }}>{children}</div>
+  )
+}
+
+function Caret({ color }: { color: string }) {
+  return (
+    <span style={{
+      display: 'inline-block', width: 5, height: 9, marginLeft: -2,
+      background: color, animation: 'v4Caret 1s step-end infinite',
+    }} />
+  )
+}
+
+// ── Per-node tickers ──────────────────────────────────────────────────────────
+function TickCertifAI({ color, isLight }: { color: string; isLight: boolean }) {
+  const [n, setN] = useState(8421)
+  const [hash, setHash] = useState('9f3a…e10b')
+  const pool = 'abcdef0123456789'
+  const r = (k: number) => Array.from({ length: k }, () => pool[Math.floor(Math.random() * pool.length)]).join('')
+  useTicker(() => { setN(v => v + 1); setHash(`${r(4)}…${r(4)}`) }, 1000, 2000, 0.1)
+  return (
+    <TickerShell color={color} isLight={isLight}>
+      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>✓</span>
+      <span style={{ color, opacity: .85 }}>sig</span>
+      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{n.toLocaleString()}</span>
+      <span style={{ color: isLight ? '#94a3b8' : 'rgba(236,233,247,.55)' }}>{hash}</span>
+    </TickerShell>
+  )
+}
+
+function TickComplAI({ color, isLight }: { color: string; isLight: boolean }) {
+  const [evals, setEvals] = useState(1284)
+  const [rate, setRate] = useState(99.2)
+  useTicker(() => {
+    setEvals(v => v + 1 + Math.floor(Math.random() * 3))
+    setRate(r => Math.max(97, Math.min(99.9, r + (Math.random() - 0.5) * 0.4)))
+  }, 200, 500, 0.1)
+  return (
+    <TickerShell color={color} isLight={isLight}>
+      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
+      <span style={{ color, opacity: .85 }}>eval</span>
+      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{evals.toLocaleString()}</span>
+      <span style={{ color: isLight ? '#94a3b8' : 'rgba(236,233,247,.45)' }}>pass</span>
+      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>{rate.toFixed(1)}%</span>
+    </TickerShell>
+  )
+}
+
+function TickScanner({ color, isLight }: { color: string; isLight: boolean }) {
+  const lines = [
+    { k: 'PASS', c: '#16a34a', cd: '#4ade80', t: 'CWE-79 xss check' },
+    { k: 'WARN', c: '#d97706', cd: '#fbbf24', t: 'drift: model v2.1→2.2' },
+    { k: 'PASS', c: '#16a34a', cd: '#4ade80', t: 'bias: demographic parity' },
+    { k: 'FAIL', c: '#dc2626', cd: '#f87171', t: 'license: GPL-3 detected' },
+    { k: 'PASS', c: '#16a34a', cd: '#4ade80', t: 'prompt-inject: 214 vectors' },
+    { k: 'SCAN', c: '#7c3aed', cd: '#a78bfa', t: 'artifact model-card.json' },
+  ]
+  const [i, setI] = useState(0)
+  useTicker(() => setI(x => (x + 1) % lines.length), 700, 1200, 0.05)
+  const l = lines[i]
+  return (
+    <TickerShell color={color} isLight={isLight}>
+      <span style={{ color: isLight ? l.c : l.cd, fontWeight: 600, minWidth: 30 }}>{l.k}</span>
+      <span style={{ color: isLight ? '#334155' : 'rgba(236,233,247,.85)', overflow: 'hidden', textOverflow: 'ellipsis', flex: 1 }}>{l.t}</span>
+    </TickerShell>
+  )
+}
+
+function TickLiteLLM({ color, isLight }: { color: string; isLight: boolean }) {
+  const [rps, setRps] = useState(428)
+  const [p50, setP50] = useState(84)
+  useTicker(() => {
+    setRps(v => Math.max(200, Math.min(800, v + (Math.random() - 0.5) * 60)))
+    setP50(v => Math.max(40, Math.min(160, v + (Math.random() - 0.5) * 20)))
+  }, 250, 500, 0.05)
+  return (
+    <TickerShell color={color} isLight={isLight}>
+      <span style={{ color: '#d97706' }}>⚡</span>
+      <span style={{ color, opacity: .9 }}>req/s</span>
+      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{Math.round(rps)}</span>
+      <span style={{ color: isLight ? '#94a3b8' : 'rgba(236,233,247,.4)' }}>·</span>
+      <span style={{ color, opacity: .9 }}>p50</span>
+      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{Math.round(p50)}ms</span>
+      <Caret color={color} />
+    </TickerShell>
+  )
+}
+
+function TickLLM({ color, isLight }: { color: string; isLight: boolean }) {
+  const [tokens, setTokens] = useState(14832)
+  const [stream, setStream] = useState('t_a91f')
+  const pool = 'abcdef0123456789'
+  useTicker(() => {
+    setTokens(v => v + 1 + Math.floor(Math.random() * 5))
+    setStream('t_' + Array.from({ length: 4 }, () => pool[Math.floor(Math.random() * pool.length)]).join(''))
+  }, 120, 340, 0.15)
+  return (
+    <TickerShell color={color} isLight={isLight}>
+      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
+      <span style={{ color, opacity: .85 }}>tok</span>
+      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{tokens.toLocaleString()}</span>
+      <span style={{ color: isLight ? '#94a3b8' : 'rgba(236,233,247,.35)' }}>↑</span>
+      <span style={{ color }}>{stream}</span>
+      <Caret color={color} />
+    </TickerShell>
+  )
+}
+
+function TickEmbeddings({ color, isLight }: { color: string; isLight: boolean }) {
+  const [vecs, setVecs] = useState(284112)
+  useTicker(() => setVecs(v => v + 1 + Math.floor(Math.random() * 8)), 180, 420, 0.1)
+  return (
+    <TickerShell color={color} isLight={isLight}>
+      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
+      <span style={{ color, opacity: .85 }}>idx</span>
+      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{vecs.toLocaleString()}</span>
+      <span style={{ color: isLight ? '#94a3b8' : 'rgba(236,233,247,.4)' }}>· 1024d</span>
+      <Caret color={color} />
+    </TickerShell>
+  )
+}
+
+function TickTools({ color, isLight }: { color: string; isLight: boolean }) {
+  const ops = [
+    'search("BSI C5 controls")', 'fetch eur-lex.europa.eu',
+    'grep -r "DSGVO"', 'read docs/policy.md',
+    'mcp.call(filesystem)', 'search("vLLM 0.6 release")',
+  ]
+  const [i, setI] = useState(0)
+  useTicker(() => setI(x => (x + 1) % ops.length), 900, 1600, 0.05)
+  return (
+    <TickerShell color={color} isLight={isLight}>
+      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
+      <span style={{ color, opacity: .85 }}>call</span>
+      <span style={{ color: isLight ? '#334155' : '#f5f3fc', overflow: 'hidden', textOverflow: 'ellipsis', flex: 1 }}>{ops[i]}</span>
+    </TickerShell>
+  )
+}
+
+export const NODE_TICKER: Record<NodeId, React.ComponentType<{ color: string; isLight: boolean }>> = {
+  certifai: TickCertifAI,
+  complai: TickComplAI,
+  scanner: TickScanner,
+  litellm: TickLiteLLM,
+  llm: TickLLM,
+  embeddings: TickEmbeddings,
+  tools: TickTools,
+}
+
+// ── Animated connector ────────────────────────────────────────────────────────
+export function LayerConnector({ tint }: { tint: string }) {
+  const tracks = [
+    { x: '32%', primary: false },
+    { x: '50%', primary: true  },
+    { x: '68%', primary: false },
+  ]
+  return (
+    <div style={{ position: 'relative', height: 34, width: '100%', maxWidth: 960, margin: '0 auto' }}>
+      {tracks.map(({ x, primary }, ti) => {
+        const color = primary ? '#fbbf24' : tint
+        const dots = primary ? 4 : 3
+        const dur = primary ? 1.6 : 2.4
+        return (
+          <div key={ti} style={{ position: 'absolute', left: x, top: 0, bottom: 0, transform: 'translateX(-50%)' }}>
+            <div style={{
+              position: 'absolute', left: -0.75, top: 0, bottom: 0, width: 1.5,
+              background: `linear-gradient(180deg, ${color}00, ${color}55 40%, ${color}55 60%, ${color}00)`,
+            }} />
+            {Array.from({ length: dots }, (_, j) => (
+              <div key={j} style={{
+                position: 'absolute', top: 0, left: -3, width: 6, height: 6, borderRadius: '50%',
+                background: color, boxShadow: `0 0 7px ${color}`,
+                animation: `v4DotFall ${dur}s ${-(j / dots) * dur}s linear infinite`,
+              }} />
+            ))}
+          </div>
+        )
+      })}
+    </div>
+  )
+}
+
+// ── Node card ─────────────────────────────────────────────────────────────────
+export function NodeCard({ node, selected, onClick, isLight }: {
+  node: NodeDef; selected: boolean; onClick: () => void; isLight: boolean
+}) {
+  const [hover, setHover] = useState(false)
+  const active = hover || selected
+  const c = node.color
+  const Ticker = NODE_TICKER[node.id]
+  const Icon = node.icon
+
+  return (
+    <button
+      onClick={onClick}
+      onMouseEnter={() => setHover(true)}
+      onMouseLeave={() => setHover(false)}
+      style={{
+        flex: 1,
+        background: active
+          ? `linear-gradient(180deg, ${c}${isLight ? '20' : '33'}, ${c}${isLight ? '0a' : '12'})`
+          : isLight
+            ? 'linear-gradient(180deg, #ffffff, #f8fafc)'
+            : 'linear-gradient(180deg, rgba(255,255,255,.055), rgba(255,255,255,.015))',
+        border: `1px solid ${active ? c : isLight ? 'rgba(0,0,0,.1)' : 'rgba(255,255,255,.14)'}`,
+        borderRadius: 12, padding: '12px 14px',
+        cursor: 'pointer', textAlign: 'left',
+        color: isLight ? '#1a1a2e' : '#ece9f7', fontFamily: 'inherit',
+        display: 'flex', flexDirection: 'column',
+        transition: 'all .2s ease',
+        transform: active ? 'translateY(-1px)' : 'none',
+        boxShadow: active
+          ? `0 8px 26px ${c}44, 0 0 0 4px ${c}14`
+          : isLight ? '0 1px 4px rgba(0,0,0,.06)' : '0 1px 0 rgba(255,255,255,.04)',
+        minWidth: 0, position: 'relative',
+      }}
+    >
+      <div style={{ display: 'flex', alignItems: 'center', gap: 10 }}>
+        <div style={{
+          width: 36, height: 36, borderRadius: 10, flexShrink: 0,
+          background: `linear-gradient(135deg, ${c}3a, ${c}10)`,
+          border: `1px solid ${c}66`,
+          display: 'flex', alignItems: 'center', justifyContent: 'center',
+          color: c,
+          boxShadow: node.primary ? `inset 0 0 14px ${c}40` : 'none',
+        }}>
+          <Icon style={{ width: 18, height: 18 }} />
+        </div>
+        <div style={{ flex: 1, minWidth: 0 }}>
+          <div style={{
+            fontSize: 13, fontWeight: 600,
+            color: isLight ? '#1a1a2e' : '#f7f5fc',
+            letterSpacing: -0.1, whiteSpace: 'nowrap', overflow: 'hidden', textOverflow: 'ellipsis',
+          }}>{node.title}</div>
+          <div style={{
+            fontSize: 10.5,
+            color: isLight ? '#64748b' : 'rgba(236,233,247,.65)',
+            marginTop: 1, whiteSpace: 'nowrap', overflow: 'hidden', textOverflow: 'ellipsis',
+          }}>{node.subtitle}</div>
+        </div>
+      </div>
+      <Ticker color={c} isLight={isLight} />
+      {node.primary && (
+        <div style={{
+          position: 'absolute', top: -1, right: -1,
+          width: 6, height: 6, borderRadius: '50%',
+          background: '#fbbf24', boxShadow: '0 0 8px #fbbf24',
+          animation: 'v4Pulse 1.6s ease-in-out infinite',
+        }} />
+      )}
+    </button>
+  )
+}
+
+// ── 3D slab ───────────────────────────────────────────────────────────────────
+export function LayerSlab({ label, sublabel, nodes, tint, depth, selectedId, onSelect, isLight }: {
+  label: string; sublabel: string; nodes: NodeDef[]
+  tint: string; depth: number
+  selectedId: NodeId | null; onSelect: (id: NodeId) => void
+  isLight: boolean
+}) {
+  const isProxy = nodes.length === 1 && !!nodes[0].primary
+  return (
+    <div style={{
+      position: 'relative', margin: '0 auto',
+      padding: '14px 20px 18px', width: '100%', maxWidth: 960,
+      background: isLight
+        ? `linear-gradient(180deg, ${tint}18 0%, ${tint}08 60%, rgba(248,250,252,.98) 100%)`
+        : `linear-gradient(180deg, ${tint}26 0%, ${tint}12 60%, rgba(14,8,28,.85) 100%)`,
+      border: `1px solid ${tint}${isLight ? '44' : '66'}`,
+      borderRadius: 16,
+      boxShadow: isLight
+        ? `0 -2px 16px ${tint}18, 0 8px 30px rgba(0,0,0,.05), inset 0 1px 0 ${tint}44`
+        : `0 -6px 30px ${tint}22, 0 24px 60px rgba(0,0,0,.6), inset 0 1px 0 ${tint}55, inset 0 -1px 0 rgba(0,0,0,.4)`,
+      transform: `perspective(2000px) rotateX(12deg) translateZ(${depth}px)`,
+    }}>
+      <div style={{
+        position: 'absolute', top: 0, left: 20, right: 20, height: 1,
+        background: `linear-gradient(90deg, transparent, ${tint}${isLight ? 'aa' : 'cc'}, transparent)`,
+        pointerEvents: 'none',
+      }} />
+      <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 10 }}>
+        <div style={{
+          fontSize: 9.5, letterSpacing: 2, textTransform: 'uppercase' as const, fontWeight: 600,
+          color: tint,
+          background: isLight ? `${tint}18` : `${tint}20`,
+          padding: '3px 9px', borderRadius: 99,
+          border: `1px solid ${tint}${isLight ? '44' : '50'}`, whiteSpace: 'nowrap',
+        }}>{label}</div>
+        <div style={{
+          fontSize: 11,
+          color: isLight ? '#64748b' : 'rgba(236,233,247,.55)',
+          whiteSpace: 'nowrap',
+        }}>{sublabel}</div>
+      </div>
+      <div style={{ display: 'flex', gap: 10, justifyContent: isProxy ? 'center' : undefined }}>
+        {isProxy ? (
+          <div style={{ width: '42%', minWidth: 260, display: 'flex' }}>
+            <NodeCard node={nodes[0]} selected={selectedId === nodes[0].id} onClick={() => onSelect(nodes[0].id)} isLight={isLight} />
+          </div>
+        ) : (
+          nodes.map(n => (
+            <NodeCard key={n.id} node={n} selected={selectedId === n.id} onClick={() => onSelect(n.id)} isLight={isLight} />
+          ))
+        )}
+      </div>
+    </div>
+  )
+}
diff --git a/pitch-deck/components/slides/ArchitectureSlide.tsx b/pitch-deck/components/slides/ArchitectureSlide.tsx
index ef84b05..2188fee 100644
--- a/pitch-deck/components/slides/ArchitectureSlide.tsx
+++ b/pitch-deck/components/slides/ArchitectureSlide.tsx
@@ -1,496 +1,16 @@
 'use client'
 
-import { useState, useEffect, useRef, Fragment } from 'react'
+import { useState, Fragment } from 'react'
 import { motion, AnimatePresence } from 'framer-motion'
 import { Language } from '@/lib/types'
 import { t } from '@/lib/i18n'
 import GradientText from '../ui/GradientText'
 import FadeInView from '../ui/FadeInView'
-import {
-  Brain, Shield, ScanLine, Zap, Cpu,
-  Layers, Wrench, X, Users, Lock,
-  Server, BadgeCheck,
-} from 'lucide-react'
+import { X, Users, Lock, Server, BadgeCheck } from 'lucide-react'
+import { type NodeId, type NodeDef, getNodes, LAYERS } from './ArchitectureSlide.data'
+import { CSS_KF, MONO, useIsLight, LayerConnector, LayerSlab } from './ArchitectureSlide.parts'
 
 interface ArchitectureSlideProps { lang: Language }
-type NodeId = 'certifai' | 'complai' | 'scanner' | 'litellm' | 'llm' | 'embeddings' | 'tools'
-
-interface NodeDef {
-  id: NodeId
-  icon: React.ElementType
-  title: string
-  subtitle: string
-  color: string
-  tech: string[]
-  services: { name: string; desc: string }[]
-  primary?: boolean
-  tier: 'product' | 'proxy' | 'inference'
-}
-
-function getNodes(de: boolean): NodeDef[] {
-  return [
-    {
-      id: 'certifai', icon: Brain,
-      title: 'CERTifAI',
-      subtitle: de ? 'GenAI Mandantenportal' : 'GenAI Tenant Portal',
-      color: '#c084fc', tier: 'product',
-      tech: ['Rust', 'Dioxus', 'MongoDB', 'Keycloak', 'SearXNG', 'LangGraph'],
-      services: [
-        { name: 'LiteLLM Dashboard', desc: de ? 'Modellverwaltung & Kostentracking' : 'Model mgmt & cost tracking' },
-        { name: 'LibreChat + SSO', desc: de ? 'Mandanten-Chat mit Keycloak' : 'Tenant chat with Keycloak' },
-        { name: 'LangGraph Agents', desc: de ? 'Agent-Orchestrierung' : 'Agent orchestration' },
-        { name: 'MCP Hub', desc: de ? 'Tool-Integration für KI-Clients' : 'Tool integration for AI clients' },
-      ],
-    },
-    {
-      id: 'complai', icon: Shield,
-      title: 'COMPLAI',
-      subtitle: de ? 'Compliance & Audit' : 'Compliance & Audit',
-      color: '#818cf8', tier: 'product',
-      tech: ['Next.js 15', 'FastAPI', 'Go/Gin', 'PostgreSQL', 'Qdrant', 'Valkey'],
-      services: [
-        { name: de ? 'DSGVO / AI Act / NIS2' : 'GDPR / AI Act / NIS2', desc: de ? '70k+ auditierbare Controls' : '70k+ auditable controls' },
-        { name: 'RAG Pipeline', desc: de ? '75+ Rechtsquellen, semantische Suche' : '75+ legal sources, semantic search' },
-        { name: 'Control Pipeline', desc: de ? 'Gesetzestextanalyse via LLM' : 'Legal text analysis via LLM' },
-        { name: 'MCP Client', desc: de ? 'Echtzeit-Findings vom Scanner' : 'Real-time findings from Scanner' },
-      ],
-    },
-    {
-      id: 'scanner', icon: ScanLine,
-      title: 'Compliance Scanner',
-      subtitle: de ? 'Code-Sicherheit' : 'Code Security',
-      color: '#34d399', tier: 'product',
-      tech: ['Rust', 'Axum', 'MongoDB', 'Semgrep', 'Gitleaks', 'Syft'],
-      services: [
-        { name: 'SAST / SBOM / CVE', desc: de ? 'Vollautomatische Pipeline' : 'Fully automated pipeline' },
-        { name: de ? 'KI-Triage' : 'AI Triage', desc: de ? 'LLM filtert False Positives' : 'LLM filters false positives' },
-        { name: de ? 'KI-Pentest' : 'AI Pentest', desc: de ? 'Autonome Angriffsketten' : 'Autonomous attack chains' },
-        { name: 'MCP Server', desc: de ? 'Live-Findings für COMPLAI' : 'Live findings for COMPLAI' },
-      ],
-    },
-    {
-      id: 'litellm', icon: Zap,
-      title: 'LiteLLM Proxy',
-      subtitle: de ? 'KI-Gateway & Guardrails' : 'AI Gateway & Guardrails',
-      color: '#fbbf24', tier: 'proxy', primary: true,
-      tech: ['OpenAI-kompatible API', 'Bearer Auth', 'Rate Limiting', 'PII-Filter', 'Spend Tracking'],
-      services: [
-        { name: de ? 'Token-Budget' : 'Token Budget', desc: de ? 'Pro-Mandant Kontingente & Abrechnung' : 'Per-tenant quotas & billing' },
-        { name: 'PII Guardrails', desc: de ? 'Datenschutz-Filter für alle Anfragen' : 'Privacy filter on all requests' },
-        { name: de ? 'Web-Suche (anonym)' : 'Web Search (anon)', desc: de ? 'SearXNG-Proxy, kein US-Anbieter' : 'SearXNG proxy, no US providers' },
-        { name: de ? 'Namespace-Isolierung' : 'Namespace Isolation', desc: de ? 'Mandantentrennung per API-Key' : 'Tenant isolation per API key' },
-        { name: de ? 'Failover-Routing' : 'Failover Routing', desc: de ? 'Automatisches Fallback' : 'Automatic fallback between models' },
-      ],
-    },
-    {
-      id: 'llm', icon: Cpu,
-      title: de ? 'LLM Inferenz' : 'LLM Inference',
-      subtitle: de ? 'Lokale Sprachmodelle' : 'Local Language Models',
-      color: '#60a5fa', tier: 'inference',
-      tech: ['Qwen3-32B', 'Qwen3-Coder-30B', 'DeepSeek-R1-8B', 'Ollama'],
-      services: [
-        { name: de ? 'Vollständig lokal' : 'Fully local', desc: de ? 'Daten verlassen nie den Server' : 'Data never leaves the server' },
-        { name: de ? 'Air-Gap fähig' : 'Air-Gap Capable', desc: de ? 'Kein Internet erforderlich' : 'No internet required' },
-        { name: de ? 'GPU-optimiert' : 'GPU-optimized', desc: de ? 'Dedizierte Inferenz-Hardware' : 'Dedicated inference hardware' },
-      ],
-    },
-    {
-      id: 'embeddings', icon: Layers,
-      title: 'Embeddings',
-      subtitle: de ? 'Semantische Suche' : 'Semantic Search',
-      color: '#a78bfa', tier: 'inference',
-      tech: ['bge-m3', 'Qdrant Vector DB', 'Sentence-Transformers'],
-      services: [
-        { name: 'RAG Pipeline', desc: de ? '75+ Rechtsquellen indexiert' : '75+ legal sources indexed' },
-        { name: de ? 'Semantische Suche' : 'Semantic Search', desc: de ? 'Multi-linguale Einbettungen' : 'Multi-lingual embeddings' },
-        { name: de ? 'Lokal' : 'Fully local', desc: de ? 'Keine externen APIs' : 'No external APIs' },
-      ],
-    },
-    {
-      id: 'tools', icon: Wrench,
-      title: de ? 'KI-Tools' : 'AI Tools',
-      subtitle: de ? 'Web-Suche & MCP' : 'Web Search & MCP',
-      color: '#2dd4bf', tier: 'inference',
-      tech: ['SearXNG', 'MCP Protocol', 'Semgrep API', 'Gitleaks API'],
-      services: [
-        { name: 'SearXNG', desc: de ? 'Anonymisierte EU-Websuche' : 'Anonymized EU web search' },
-        { name: 'MCP Tools', desc: de ? 'Auditdokumente & Code-Findings' : 'Audit docs & code findings' },
-        { name: de ? 'Kein US-Anbieter' : 'No US providers', desc: de ? '100% DSGVO-konform' : '100% GDPR-compliant' },
-      ],
-    },
-  ]
-}
-
-const LAYERS: { id: string; nodeIds: NodeId[]; tint: string; depth: number }[] = [
-  { id: 'product',   nodeIds: ['certifai', 'complai', 'scanner'], tint: '#a78bfa', depth: 24 },
-  { id: 'proxy',     nodeIds: ['litellm'],                         tint: '#fbbf24', depth: 12 },
-  { id: 'inference', nodeIds: ['llm', 'embeddings', 'tools'],      tint: '#8b5cf6', depth: 0  },
-]
-
-const CSS_KF = `
-  @keyframes v4FlowDown { from { stroke-dashoffset: 0 } to { stroke-dashoffset: -18px } }
-  @keyframes v4Pulse { 0%,100% { opacity:1;transform:scale(1) } 50% { opacity:.4;transform:scale(1.4) } }
-  @keyframes v4Caret { 0%,50% { opacity:1 } 51%,100% { opacity:0 } }
-  @keyframes v4DotFall {
-    0%   { transform: translateY(-5px); opacity: 0; }
-    12%  { opacity: 1; }
-    88%  { opacity: 1; }
-    100% { transform: translateY(38px); opacity: 0; }
-  }
-`
-
-const MONO: React.CSSProperties = {
-  fontFamily: '"JetBrains Mono","SF Mono",ui-monospace,monospace',
-  fontVariantNumeric: 'tabular-nums',
-}
-
-// ── Theme detection ───────────────────────────────────────────────────────────
-function useIsLight() {
-  const [isLight, setIsLight] = useState(false)
-  useEffect(() => {
-    const check = () => setIsLight(document.documentElement.classList.contains('theme-light'))
-    check()
-    const obs = new MutationObserver(check)
-    obs.observe(document.documentElement, { attributes: true, attributeFilter: ['class'] })
-    return () => obs.disconnect()
-  }, [])
-  return isLight
-}
-
-// ── Ticker primitives ─────────────────────────────────────────────────────────
-function useTicker(fn: () => void, min = 140, max = 360, skipChance = 0.1) {
-  const ref = useRef(fn)
-  ref.current = fn
-  useEffect(() => {
-    let tid: ReturnType<typeof setTimeout>
-    const loop = () => {
-      if (Math.random() > skipChance) ref.current()
-      tid = setTimeout(loop, min + Math.random() * (max - min))
-    }
-    loop()
-    return () => clearTimeout(tid)
-  }, [min, max, skipChance])
-}
-
-function TickerShell({ color, children, isLight }: { color: string; children: React.ReactNode; isLight: boolean }) {
-  return (
-    <div style={{
-      ...MONO,
-      marginTop: 7, padding: '5px 9px',
-      background: isLight ? '#f1f5f9' : 'rgba(0,0,0,.38)',
-      border: `1px solid ${color}${isLight ? '55' : '55'}`, borderRadius: 6,
-      fontSize: 10, color: isLight ? '#475569' : 'rgba(236,233,247,.88)',
-      display: 'flex', alignItems: 'center', gap: 6,
-      whiteSpace: 'nowrap', overflow: 'hidden', height: 22,
-    }}>{children}</div>
-  )
-}
-
-function Caret({ color }: { color: string }) {
-  return (
-    <span style={{
-      display: 'inline-block', width: 5, height: 9, marginLeft: -2,
-      background: color, animation: 'v4Caret 1s step-end infinite',
-    }} />
-  )
-}
-
-// ── Per-node tickers ──────────────────────────────────────────────────────────
-function TickCertifAI({ color, isLight }: { color: string; isLight: boolean }) {
-  const [n, setN] = useState(8421)
-  const [hash, setHash] = useState('9f3a…e10b')
-  const pool = 'abcdef0123456789'
-  const r = (k: number) => Array.from({ length: k }, () => pool[Math.floor(Math.random() * pool.length)]).join('')
-  useTicker(() => { setN(v => v + 1); setHash(`${r(4)}…${r(4)}`) }, 1000, 2000, 0.1)
-  return (
-    <TickerShell color={color} isLight={isLight}>
-      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>✓</span>
-      <span style={{ color, opacity: .85 }}>sig</span>
-      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{n.toLocaleString()}</span>
-      <span style={{ color: isLight ? '#94a3b8' : 'rgba(236,233,247,.55)' }}>{hash}</span>
-    </TickerShell>
-  )
-}
-
-function TickComplAI({ color, isLight }: { color: string; isLight: boolean }) {
-  const [evals, setEvals] = useState(1284)
-  const [rate, setRate] = useState(99.2)
-  useTicker(() => {
-    setEvals(v => v + 1 + Math.floor(Math.random() * 3))
-    setRate(r => Math.max(97, Math.min(99.9, r + (Math.random() - 0.5) * 0.4)))
-  }, 200, 500, 0.1)
-  return (
-    <TickerShell color={color} isLight={isLight}>
-      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
-      <span style={{ color, opacity: .85 }}>eval</span>
-      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{evals.toLocaleString()}</span>
-      <span style={{ color: isLight ? '#94a3b8' : 'rgba(236,233,247,.45)' }}>pass</span>
-      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>{rate.toFixed(1)}%</span>
-    </TickerShell>
-  )
-}
-
-function TickScanner({ color, isLight }: { color: string; isLight: boolean }) {
-  const lines = [
-    { k: 'PASS', c: '#16a34a', cd: '#4ade80', t: 'CWE-79 xss check' },
-    { k: 'WARN', c: '#d97706', cd: '#fbbf24', t: 'drift: model v2.1→2.2' },
-    { k: 'PASS', c: '#16a34a', cd: '#4ade80', t: 'bias: demographic parity' },
-    { k: 'FAIL', c: '#dc2626', cd: '#f87171', t: 'license: GPL-3 detected' },
-    { k: 'PASS', c: '#16a34a', cd: '#4ade80', t: 'prompt-inject: 214 vectors' },
-    { k: 'SCAN', c: '#7c3aed', cd: '#a78bfa', t: 'artifact model-card.json' },
-  ]
-  const [i, setI] = useState(0)
-  useTicker(() => setI(x => (x + 1) % lines.length), 700, 1200, 0.05)
-  const l = lines[i]
-  return (
-    <TickerShell color={color} isLight={isLight}>
-      <span style={{ color: isLight ? l.c : l.cd, fontWeight: 600, minWidth: 30 }}>{l.k}</span>
-      <span style={{ color: isLight ? '#334155' : 'rgba(236,233,247,.85)', overflow: 'hidden', textOverflow: 'ellipsis', flex: 1 }}>{l.t}</span>
-    </TickerShell>
-  )
-}
-
-function TickLiteLLM({ color, isLight }: { color: string; isLight: boolean }) {
-  const [rps, setRps] = useState(428)
-  const [p50, setP50] = useState(84)
-  useTicker(() => {
-    setRps(v => Math.max(200, Math.min(800, v + (Math.random() - 0.5) * 60)))
-    setP50(v => Math.max(40, Math.min(160, v + (Math.random() - 0.5) * 20)))
-  }, 250, 500, 0.05)
-  return (
-    <TickerShell color={color} isLight={isLight}>
-      <span style={{ color: '#d97706' }}>⚡</span>
-      <span style={{ color, opacity: .9 }}>req/s</span>
-      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{Math.round(rps)}</span>
-      <span style={{ color: isLight ? '#94a3b8' : 'rgba(236,233,247,.4)' }}>·</span>
-      <span style={{ color, opacity: .9 }}>p50</span>
-      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{Math.round(p50)}ms</span>
-      <Caret color={color} />
-    </TickerShell>
-  )
-}
-
-function TickLLM({ color, isLight }: { color: string; isLight: boolean }) {
-  const [tokens, setTokens] = useState(14832)
-  const [stream, setStream] = useState('t_a91f')
-  const pool = 'abcdef0123456789'
-  useTicker(() => {
-    setTokens(v => v + 1 + Math.floor(Math.random() * 5))
-    setStream('t_' + Array.from({ length: 4 }, () => pool[Math.floor(Math.random() * pool.length)]).join(''))
-  }, 120, 340, 0.15)
-  return (
-    <TickerShell color={color} isLight={isLight}>
-      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
-      <span style={{ color, opacity: .85 }}>tok</span>
-      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{tokens.toLocaleString()}</span>
-      <span style={{ color: isLight ? '#94a3b8' : 'rgba(236,233,247,.35)' }}>↑</span>
-      <span style={{ color }}>{stream}</span>
-      <Caret color={color} />
-    </TickerShell>
-  )
-}
-
-function TickEmbeddings({ color, isLight }: { color: string; isLight: boolean }) {
-  const [vecs, setVecs] = useState(284112)
-  useTicker(() => setVecs(v => v + 1 + Math.floor(Math.random() * 8)), 180, 420, 0.1)
-  return (
-    <TickerShell color={color} isLight={isLight}>
-      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
-      <span style={{ color, opacity: .85 }}>idx</span>
-      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{vecs.toLocaleString()}</span>
-      <span style={{ color: isLight ? '#94a3b8' : 'rgba(236,233,247,.4)' }}>· 1024d</span>
-      <Caret color={color} />
-    </TickerShell>
-  )
-}
-
-function TickTools({ color, isLight }: { color: string; isLight: boolean }) {
-  const ops = [
-    'search("BSI C5 controls")', 'fetch eur-lex.europa.eu',
-    'grep -r "DSGVO"', 'read docs/policy.md',
-    'mcp.call(filesystem)', 'search("vLLM 0.6 release")',
-  ]
-  const [i, setI] = useState(0)
-  useTicker(() => setI(x => (x + 1) % ops.length), 900, 1600, 0.05)
-  return (
-    <TickerShell color={color} isLight={isLight}>
-      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
-      <span style={{ color, opacity: .85 }}>call</span>
-      <span style={{ color: isLight ? '#334155' : '#f5f3fc', overflow: 'hidden', textOverflow: 'ellipsis', flex: 1 }}>{ops[i]}</span>
-    </TickerShell>
-  )
-}
-
-const NODE_TICKER: Record<NodeId, React.ComponentType<{ color: string; isLight: boolean }>> = {
-  certifai: TickCertifAI,
-  complai: TickComplAI,
-  scanner: TickScanner,
-  litellm: TickLiteLLM,
-  llm: TickLLM,
-  embeddings: TickEmbeddings,
-  tools: TickTools,
-}
-
-// ── Animated connector ────────────────────────────────────────────────────────
-function LayerConnector({ tint }: { tint: string }) {
-  const tracks = [
-    { x: '32%', primary: false },
-    { x: '50%', primary: true  },
-    { x: '68%', primary: false },
-  ]
-  return (
-    <div style={{ position: 'relative', height: 34, width: '100%', maxWidth: 960, margin: '0 auto' }}>
-      {tracks.map(({ x, primary }, ti) => {
-        const color = primary ? '#fbbf24' : tint
-        const dots = primary ? 4 : 3
-        const dur = primary ? 1.6 : 2.4
-        return (
-          <div key={ti} style={{ position: 'absolute', left: x, top: 0, bottom: 0, transform: 'translateX(-50%)' }}>
-            <div style={{
-              position: 'absolute', left: -0.75, top: 0, bottom: 0, width: 1.5,
-              background: `linear-gradient(180deg, ${color}00, ${color}55 40%, ${color}55 60%, ${color}00)`,
-            }} />
-            {Array.from({ length: dots }, (_, j) => (
-              <div key={j} style={{
-                position: 'absolute', top: 0, left: -3, width: 6, height: 6, borderRadius: '50%',
-                background: color, boxShadow: `0 0 7px ${color}`,
-                animation: `v4DotFall ${dur}s ${-(j / dots) * dur}s linear infinite`,
-              }} />
-            ))}
-          </div>
-        )
-      })}
-    </div>
-  )
-}
-
-// ── Node card ─────────────────────────────────────────────────────────────────
-function NodeCard({ node, selected, onClick, isLight }: {
-  node: NodeDef; selected: boolean; onClick: () => void; isLight: boolean
-}) {
-  const [hover, setHover] = useState(false)
-  const active = hover || selected
-  const c = node.color
-  const Ticker = NODE_TICKER[node.id]
-  const Icon = node.icon
-
-  return (
-    <button
-      onClick={onClick}
-      onMouseEnter={() => setHover(true)}
-      onMouseLeave={() => setHover(false)}
-      style={{
-        flex: 1,
-        background: active
-          ? `linear-gradient(180deg, ${c}${isLight ? '20' : '33'}, ${c}${isLight ? '0a' : '12'})`
-          : isLight
-            ? 'linear-gradient(180deg, #ffffff, #f8fafc)'
-            : 'linear-gradient(180deg, rgba(255,255,255,.055), rgba(255,255,255,.015))',
-        border: `1px solid ${active ? c : isLight ? 'rgba(0,0,0,.1)' : 'rgba(255,255,255,.14)'}`,
-        borderRadius: 12, padding: '12px 14px',
-        cursor: 'pointer', textAlign: 'left',
-        color: isLight ? '#1a1a2e' : '#ece9f7', fontFamily: 'inherit',
-        display: 'flex', flexDirection: 'column',
-        transition: 'all .2s ease',
-        transform: active ? 'translateY(-1px)' : 'none',
-        boxShadow: active
-          ? `0 8px 26px ${c}44, 0 0 0 4px ${c}14`
-          : isLight ? '0 1px 4px rgba(0,0,0,.06)' : '0 1px 0 rgba(255,255,255,.04)',
-        minWidth: 0, position: 'relative',
-      }}
-    >
-      <div style={{ display: 'flex', alignItems: 'center', gap: 10 }}>
-        <div style={{
-          width: 36, height: 36, borderRadius: 10, flexShrink: 0,
-          background: `linear-gradient(135deg, ${c}3a, ${c}10)`,
-          border: `1px solid ${c}66`,
-          display: 'flex', alignItems: 'center', justifyContent: 'center',
-          color: c,
-          boxShadow: node.primary ? `inset 0 0 14px ${c}40` : 'none',
-        }}>
-          <Icon style={{ width: 18, height: 18 }} />
-        </div>
-        <div style={{ flex: 1, minWidth: 0 }}>
-          <div style={{
-            fontSize: 13, fontWeight: 600,
-            color: isLight ? '#1a1a2e' : '#f7f5fc',
-            letterSpacing: -0.1, whiteSpace: 'nowrap', overflow: 'hidden', textOverflow: 'ellipsis',
-          }}>{node.title}</div>
-          <div style={{
-            fontSize: 10.5,
-            color: isLight ? '#64748b' : 'rgba(236,233,247,.65)',
-            marginTop: 1, whiteSpace: 'nowrap', overflow: 'hidden', textOverflow: 'ellipsis',
-          }}>{node.subtitle}</div>
-        </div>
-      </div>
-      <Ticker color={c} isLight={isLight} />
-      {node.primary && (
-        <div style={{
-          position: 'absolute', top: -1, right: -1,
-          width: 6, height: 6, borderRadius: '50%',
-          background: '#fbbf24', boxShadow: '0 0 8px #fbbf24',
-          animation: 'v4Pulse 1.6s ease-in-out infinite',
-        }} />
-      )}
-    </button>
-  )
-}
-
-// ── 3D slab ───────────────────────────────────────────────────────────────────
-function LayerSlab({ label, sublabel, nodes, tint, depth, selectedId, onSelect, isLight }: {
-  label: string; sublabel: string; nodes: NodeDef[]
-  tint: string; depth: number
-  selectedId: NodeId | null; onSelect: (id: NodeId) => void
-  isLight: boolean
-}) {
-  const isProxy = nodes.length === 1 && !!nodes[0].primary
-  return (
-    <div style={{
-      position: 'relative', margin: '0 auto',
-      padding: '14px 20px 18px', width: '100%', maxWidth: 960,
-      background: isLight
-        ? `linear-gradient(180deg, ${tint}18 0%, ${tint}08 60%, rgba(248,250,252,.98) 100%)`
-        : `linear-gradient(180deg, ${tint}26 0%, ${tint}12 60%, rgba(14,8,28,.85) 100%)`,
-      border: `1px solid ${tint}${isLight ? '44' : '66'}`,
-      borderRadius: 16,
-      boxShadow: isLight
-        ? `0 -2px 16px ${tint}18, 0 8px 30px rgba(0,0,0,.05), inset 0 1px 0 ${tint}44`
-        : `0 -6px 30px ${tint}22, 0 24px 60px rgba(0,0,0,.6), inset 0 1px 0 ${tint}55, inset 0 -1px 0 rgba(0,0,0,.4)`,
-      transform: `perspective(2000px) rotateX(12deg) translateZ(${depth}px)`,
-    }}>
-      <div style={{
-        position: 'absolute', top: 0, left: 20, right: 20, height: 1,
-        background: `linear-gradient(90deg, transparent, ${tint}${isLight ? 'aa' : 'cc'}, transparent)`,
-        pointerEvents: 'none',
-      }} />
-      <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 10 }}>
-        <div style={{
-          fontSize: 9.5, letterSpacing: 2, textTransform: 'uppercase' as const, fontWeight: 600,
-          color: tint,
-          background: isLight ? `${tint}18` : `${tint}20`,
-          padding: '3px 9px', borderRadius: 99,
-          border: `1px solid ${tint}${isLight ? '44' : '50'}`, whiteSpace: 'nowrap',
-        }}>{label}</div>
-        <div style={{
-          fontSize: 11,
-          color: isLight ? '#64748b' : 'rgba(236,233,247,.55)',
-          whiteSpace: 'nowrap',
-        }}>{sublabel}</div>
-      </div>
-      <div style={{ display: 'flex', gap: 10, justifyContent: isProxy ? 'center' : undefined }}>
-        {isProxy ? (
-          <div style={{ width: '42%', minWidth: 260, display: 'flex' }}>
-            <NodeCard node={nodes[0]} selected={selectedId === nodes[0].id} onClick={() => onSelect(nodes[0].id)} isLight={isLight} />
-          </div>
-        ) : (
-          nodes.map(n => (
-            <NodeCard key={n.id} node={n} selected={selectedId === n.id} onClick={() => onSelect(n.id)} isLight={isLight} />
-          ))
-        )}
-      </div>
-    </div>
-  )
-}
 
 // ── Main slide ────────────────────────────────────────────────────────────────
 export default function ArchitectureSlide({ lang }: ArchitectureSlideProps) {
diff --git a/pitch-deck/components/slides/CompetitionSlide.data.ts b/pitch-deck/components/slides/CompetitionSlide.data.ts
new file mode 100644
index 0000000..b3c87a1
--- /dev/null
+++ b/pitch-deck/components/slides/CompetitionSlide.data.ts
@@ -0,0 +1,289 @@
+// CompetitionSlide data — extracted from CompetitionSlide.tsx
+
+export type FeatureStatus = true | false | 'partial'
+
+export interface ExtendedCompetitor {
+  name: string
+  flag: string
+  hq: string
+  hqCountry: string
+  offices: string[]
+  founded: number
+  employees: number
+  revenue: string
+  revenueNum: number
+  customers: number
+  customerCountries: string
+  fundingTotal: string
+  fundingRound: string
+  investors: string[]
+  aiUsage: 'full' | 'partial' | 'none'
+  aiDetail: { de: string; en: string }
+  market: { de: string; en: string }
+  pricing: string
+  isInternational: boolean
+}
+
+export interface ComparisonFeature {
+  de: string
+  en: string
+  bp: FeatureStatus
+  vanta: FeatureStatus
+  drata: FeatureStatus
+  sprinto: FeatureStatus
+  proliance: FeatureStatus
+  dataguard: FeatureStatus
+  heydata: FeatureStatus
+  isDiff: boolean
+  isUSP: boolean
+  group?: string
+}
+
+export interface PricingTier {
+  name: { de: string; en: string }
+  price: string
+  annual: string
+  notes: { de: string; en: string }
+}
+
+export interface CompetitorPricing {
+  name: string
+  flag: string
+  model: string
+  publicPricing: boolean
+  tiers: PricingTier[]
+  setupFee: string
+  isBP?: boolean
+}
+
+export interface AppSecCompetitor {
+  name: string
+  flag: string
+  hq: string
+  founded: number
+  employees: number
+  revenue: string
+  revenueNum: number
+  customers: string
+  funding: string
+  pricing: string
+  focus: { de: string; en: string }
+}
+
+export interface AppSecFeature {
+  de: string
+  en: string
+  bp: FeatureStatus
+  snyk: FeatureStatus
+  veracode: FeatureStatus
+  checkmarx: FeatureStatus
+  sonar: FeatureStatus
+  semgrep: FeatureStatus
+  pentera: FeatureStatus
+  invicti: FeatureStatus
+  intruder: FeatureStatus
+  isUSP: boolean
+}
+
+export const EXTENDED_COMPETITORS: ExtendedCompetitor[] = [
+  {
+    name: 'Vanta', flag: '\u{1F1FA}\u{1F1F8}', hq: 'San Francisco, CA', hqCountry: 'USA',
+    offices: ['New York', 'Dublin', 'London', 'Sydney'], founded: 2018, employees: 1695,
+    revenue: '$220M ARR', revenueNum: 220_000_000, customers: 12000, customerCountries: '58 L\u00e4nder',
+    fundingTotal: '$504M', fundingRound: 'Series D ($150M, $4.15B val.)',
+    investors: ['Sequoia Capital', 'Wellington Mgmt', 'Craft Ventures', 'CrowdStrike', 'Goldman Sachs', 'Y Combinator'],
+    aiUsage: 'full',
+    aiDetail: { de: 'Vanta AI Agent: Agentic Compliance, Policy-Gen, VRM-Agent, ISO 42001', en: 'Vanta AI Agent: Agentic compliance, policy gen, VRM agent, ISO 42001' },
+    market: { de: 'Global \u2014 SOC 2, ISO 27001, HIPAA, PCI DSS', en: 'Global \u2014 SOC 2, ISO 27001, HIPAA, PCI DSS' },
+    pricing: '$10K\u201380K/yr', isInternational: true,
+  },
+  {
+    name: 'Drata', flag: '\u{1F1FA}\u{1F1F8}', hq: 'San Diego, CA', hqCountry: 'USA',
+    offices: ['San Diego'], founded: 2020, employees: 732,
+    revenue: '$100M ARR', revenueNum: 100_000_000, customers: 8000, customerCountries: '80+ L\u00e4nder',
+    fundingTotal: '$328M', fundingRound: 'Series C ($200M, $2B val.)',
+    investors: ['ICONIQ Growth', 'GGV Capital', 'Salesforce Ventures', 'SentinelOne'],
+    aiUsage: 'full',
+    aiDetail: { de: 'AI Agent: VRM, Doc-Review, Risiko-Scoring, SafeBase AIQA', en: 'AI Agent: VRM, doc review, risk scoring, SafeBase AIQA' },
+    market: { de: 'Global \u2014 SOC 2, ISO, HIPAA, GDPR (oberfl.)', en: 'Global \u2014 SOC 2, ISO, HIPAA, GDPR (shallow)' },
+    pricing: '$10K\u2013100K/yr', isInternational: true,
+  },
+  {
+    name: 'Sprinto', flag: '\u{1F1EE}\u{1F1F3}', hq: 'Bangalore', hqCountry: 'Indien',
+    offices: ['Bangalore'], founded: 2020, employees: 316,
+    revenue: '$38M ARR', revenueNum: 38_000_000, customers: 3000, customerCountries: '75+ L\u00e4nder',
+    fundingTotal: '$32M', fundingRound: 'Series B ($20M, 2024)',
+    investors: ['Accel', 'Elevation Capital', 'Blume Ventures'],
+    aiUsage: 'full',
+    aiDetail: { de: 'Autonomous Compliance Engine, No-Code AI Agent Builder', en: 'Autonomous compliance engine, no-code AI agent builder' },
+    market: { de: 'Global SMBs \u2014 SOC 2, ISO, GDPR', en: 'Global SMBs \u2014 SOC 2, ISO, GDPR' },
+    pricing: '$6K\u201325K/yr', isInternational: true,
+  },
+  {
+    name: 'Proliance', flag: '\u{1F1E9}\u{1F1EA}', hq: 'Muenchen', hqCountry: 'Deutschland',
+    offices: ['Muenchen'], founded: 2017, employees: 65,
+    revenue: '~\u20AC3.9M', revenueNum: 3_900_000, customers: 2000, customerCountries: 'DACH',
+    fundingTotal: 'Pre-Seed', fundingRound: 'Pre-Seed (Possible Ventures)',
+    investors: ['Possible Ventures'],
+    aiUsage: 'none',
+    aiDetail: { de: 'Basis-Risikoerkennung, keine LLM/Agenten', en: 'Basic risk detection, no LLM/agents' },
+    market: { de: 'DACH \u2014 DSGVO, ePrivacy, KMUs', en: 'DACH \u2014 GDPR, ePrivacy, SMBs' },
+    pricing: '\u20AC1.5K\u20135.7K/yr', isInternational: false,
+  },
+  {
+    name: 'DataGuard', flag: '\u{1F1E9}\u{1F1EA}', hq: 'Muenchen', hqCountry: 'Deutschland',
+    offices: ['Muenchen', 'Berlin', 'London', 'Wien', 'Stockholm'], founded: 2017, employees: 250,
+    revenue: '~\u20AC52M', revenueNum: 52_000_000, customers: 4000, customerCountries: '50+ L\u00e4nder',
+    fundingTotal: '\u20AC80M', fundingRound: 'Series B (\u20AC61M, \u20AC341M val.)',
+    investors: ['Morgan Stanley Expansion', 'One Peak Partners'],
+    aiUsage: 'partial',
+    aiDetail: { de: 'Marketing: 40% weniger Aufwand, keine Agenten/LLM', en: 'Marketing: 40% effort reduction, no agents/LLM' },
+    market: { de: 'DACH + UK \u2014 GDPR, ISO 27001, TISAX', en: 'DACH + UK \u2014 GDPR, ISO 27001, TISAX' },
+    pricing: '\u20AC6K\u201324K+/yr', isInternational: false,
+  },
+  {
+    name: 'heyData', flag: '\u{1F1E9}\u{1F1EA}', hq: 'Berlin', hqCountry: 'Deutschland',
+    offices: ['Berlin'], founded: 2020, employees: 58,
+    revenue: '~\u20AC15M', revenueNum: 15_000_000, customers: 2000, customerCountries: 'EU',
+    fundingTotal: '\u20AC18.3M', fundingRound: 'Series A ($16.5M, Jan 2026)',
+    investors: ['Riverside Acceleration Capital'],
+    aiUsage: 'partial',
+    aiDetail: { de: 'KI-Marketing, keine sichtbaren Agenten', en: 'AI marketing, no visible agents' },
+    market: { de: 'DACH + EU \u2014 DSGVO, Kleinunternehmen', en: 'DACH + EU \u2014 GDPR, small businesses' },
+    pricing: '\u20AC1K\u20133.8K/yr', isInternational: false,
+  },
+]
+
+export const ALL_FEATURES: ComparisonFeature[] = [
+  // Code Security & DevSecOps
+  { de: 'Code-Security & DevSecOps (6 Tools)', en: 'Code Security & DevSecOps (6 Tools)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
+  { de: 'SAST (Static Application Security Testing)', en: 'SAST (Static Application Security Testing)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
+  { de: 'DAST (Dynamic Application Security Testing)', en: 'DAST (Dynamic Application Security Testing)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
+  { de: 'SBOM-Generator (CycloneDX/SPDX)', en: 'SBOM Generator (CycloneDX/SPDX)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
+  { de: 'Container-Security Scanning (Trivy)', en: 'Container Security Scanning (Trivy)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
+  { de: 'Secret Detection (Gitleaks)', en: 'Secret Detection (Gitleaks)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
+  { de: 'LLM-Auto-Fix (automatische Code-Korrekturen)', en: 'LLM Auto-Fix (Automatic Code Corrections)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
+  { de: 'Firmware & Embedded-Security', en: 'Firmware & Embedded Security', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
+  // KI & Daten
+  { de: 'PII-Redaction LLM Gateway', en: 'PII Redaction LLM Gateway', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'ai-data' },
+  { de: 'RAG mit 25.000+ Sicherheitskontrollen', en: 'RAG with 25,000+ Security Controls', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'ai-data' },
+  { de: 'Autonomer KI-Support-Agent', en: 'Autonomous AI Support Agent', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'ai-data' },
+  { de: 'KI-gest\u00fctzte Analyse', en: 'AI-Powered Analysis', bp: true, vanta: true, drata: true, sprinto: 'partial', proliance: false, dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'ai-data' },
+  // Regulatory Frameworks
+  { de: 'DSGVO / GDPR', en: 'GDPR', bp: true, vanta: 'partial', drata: 'partial', sprinto: 'partial', proliance: true, dataguard: true, heydata: true, isDiff: false, isUSP: false, group: 'frameworks' },
+  { de: 'AI Act', en: 'AI Act', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'frameworks' },
+  { de: 'Cyber Resilience Act (CRA)', en: 'Cyber Resilience Act (CRA)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'frameworks' },
+  { de: 'NIS2-Richtlinie', en: 'NIS2 Directive', bp: true, vanta: false, drata: 'partial', sprinto: false, proliance: false, dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'frameworks' },
+  { de: 'SOC 2', en: 'SOC 2', bp: 'partial', vanta: true, drata: true, sprinto: true, proliance: false, dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'frameworks' },
+  { de: 'ISO 27001', en: 'ISO 27001', bp: true, vanta: true, drata: true, sprinto: true, proliance: false, dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'frameworks' },
+  { de: 'HIPAA', en: 'HIPAA', bp: false, vanta: true, drata: true, sprinto: true, proliance: false, dataguard: false, heydata: false, isDiff: false, isUSP: false, group: 'frameworks' },
+  { de: 'TISAX', en: 'TISAX', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'frameworks' },
+  { de: 'HinSchG (Whistleblower)', en: 'HinSchG (Whistleblower)', bp: true, vanta: false, drata: false, sprinto: false, proliance: 'partial', dataguard: false, heydata: false, isDiff: false, isUSP: false, group: 'frameworks' },
+  // Compliance Documentation
+  { de: 'VVT (Art. 30 DSGVO)', en: 'Records of Processing (Art. 30)', bp: true, vanta: false, drata: false, sprinto: false, proliance: true, dataguard: true, heydata: true, isDiff: false, isUSP: false, group: 'documentation' },
+  { de: 'TOM-Dokumentation', en: 'TOM Documentation', bp: true, vanta: false, drata: false, sprinto: false, proliance: true, dataguard: true, heydata: 'partial', isDiff: false, isUSP: false, group: 'documentation' },
+  { de: 'DSFA (Art. 35 DSGVO)', en: 'DPIA (Art. 35 GDPR)', bp: true, vanta: false, drata: false, sprinto: false, proliance: true, dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'documentation' },
+  { de: 'L\u00f6schkonzept / L\u00f6schfristen', en: 'Deletion Concept / Retention', bp: true, vanta: false, drata: false, sprinto: false, proliance: 'partial', dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'documentation' },
+  { de: 'Policy-Generator', en: 'Policy Generator', bp: true, vanta: true, drata: true, sprinto: 'partial', proliance: true, dataguard: true, heydata: 'partial', isDiff: false, isUSP: false, group: 'documentation' },
+  { de: 'Dokument-Generator (61 Vorlagen)', en: 'Document Generator (61 Templates)', bp: true, vanta: 'partial', drata: 'partial', sprinto: false, proliance: 'partial', dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'documentation' },
+  // Operative Compliance
+  { de: 'Audit-Management', en: 'Audit Management', bp: true, vanta: true, drata: true, sprinto: true, proliance: false, dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'operations' },
+  { de: 'Risikobewertung', en: 'Risk Assessment', bp: true, vanta: true, drata: true, sprinto: true, proliance: 'partial', dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'operations' },
+  { de: 'Incident Response', en: 'Incident Response', bp: true, vanta: true, drata: true, sprinto: true, proliance: false, dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'operations' },
+  { de: 'Consent Management', en: 'Consent Management', bp: true, vanta: false, drata: false, sprinto: false, proliance: 'partial', dataguard: false, heydata: 'partial', isDiff: false, isUSP: false, group: 'operations' },
+  { de: 'Betroffenenrechte (DSR)', en: 'Data Subject Requests', bp: true, vanta: false, drata: false, sprinto: false, proliance: true, dataguard: true, heydata: 'partial', isDiff: false, isUSP: false, group: 'operations' },
+  { de: 'Auftragsverarbeiter-Mgmt', en: 'Vendor/Processor Management', bp: true, vanta: true, drata: true, sprinto: 'partial', proliance: true, dataguard: true, heydata: 'partial', isDiff: false, isUSP: false, group: 'operations' },
+  { de: 'Schulungs-Management', en: 'Training Management', bp: true, vanta: 'partial', drata: 'partial', sprinto: 'partial', proliance: false, dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'operations' },
+  { de: 'Whistleblower-Portal', en: 'Whistleblower Portal', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'operations' },
+  // Technical Platform
+  { de: 'Continuous Monitoring', en: 'Continuous Monitoring', bp: true, vanta: true, drata: true, sprinto: true, proliance: false, dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'platform' },
+  { de: 'Automatische Evidence-Sammlung', en: 'Automatic Evidence Collection', bp: true, vanta: true, drata: true, sprinto: true, proliance: false, dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'platform' },
+  { de: 'API / SDK', en: 'API / SDK', bp: true, vanta: true, drata: true, sprinto: 'partial', proliance: false, dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'platform' },
+  { de: 'Integrations (Slack, Jira, etc.)', en: 'Integrations (Slack, Jira, etc.)', bp: 'partial', vanta: true, drata: true, sprinto: true, proliance: false, dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'platform' },
+  { de: 'Datensouveraenitaet (EU)', en: 'Data Sovereignty (EU)', bp: true, vanta: false, drata: false, sprinto: false, proliance: true, dataguard: true, heydata: true, isDiff: false, isUSP: false, group: 'platform' },
+  { de: 'Mehrmandantenf\u00e4hig', en: 'Multi-Tenancy', bp: true, vanta: true, drata: true, sprinto: true, proliance: 'partial', dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'platform' },
+  { de: 'Data Mapping / Datenfluss', en: 'Data Mapping / Data Flow', bp: true, vanta: 'partial', drata: 'partial', sprinto: false, proliance: false, dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'platform' },
+  { de: 'Cookie-Banner Generator', en: 'Cookie Banner Generator', bp: true, vanta: false, drata: false, sprinto: false, proliance: 'partial', dataguard: false, heydata: 'partial', isDiff: false, isUSP: false, group: 'platform' },
+  { de: 'IPFS/Blockchain (optional)', en: 'IPFS/Blockchain (optional)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'platform' },
+  // Industry
+  { de: 'Maschinenbau-Branchenfokus', en: 'Manufacturing Industry Focus', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'industry' },
+]
+
+export const DACH_NOTE = {
+  de: 'Weitere DACH-Anbieter: Secjur (Hamburg, KI-Compliance, ~\u20AC5.5M Seed), Usercentrics (nur CMP, $117M Rev), Caralegal (Privacy/Risk, M&A 2025), 2B Advice (Legacy, 20+ J.), OneTrust (US-Enterprise, $500M+ ARR). Keiner kombiniert DSGVO + Code-Security + Self-Hosted KI.',
+  en: 'Other DACH players: Secjur (Hamburg, AI compliance, ~\u20AC5.5M seed), Usercentrics (CMP only, $117M rev), Caralegal (privacy/risk, M&A 2025), 2B Advice (legacy, 20+ yrs), OneTrust (US enterprise, $500M+ ARR). None combines GDPR + code security + self-hosted AI.',
+}
+
+export const PRICING_COMPARISON: CompetitorPricing[] = [
+  { name: 'ComplAI', flag: '\u{1F1E9}\u{1F1EA}', model: 'Cloud (BSI DE)', publicPricing: true, tiers: [
+    { name: { de: 'Starter (<10 MA)', en: 'Starter (<10 emp.)' }, price: '\u20AC300/mo', annual: '\u20AC3.600/yr', notes: { de: '380+ Regularien, modular', en: '380+ regulations, modular' } },
+    { name: { de: 'Professional (10-250)', en: 'Professional (10-250)' }, price: '\u20AC1.250\u20133.333/mo', annual: '\u20AC15.000\u201340.000/yr', notes: { de: 'Alle Module, Priority Support', en: 'All modules, priority support' } },
+    { name: { de: 'Enterprise (250+)', en: 'Enterprise (250+)' }, price: 'ab \u20AC4.167/mo', annual: 'ab \u20AC50.000/yr', notes: { de: 'Dedicated, Custom, SLA', en: 'Dedicated, custom, SLA' } },
+  ], setupFee: '\u20AC0', isBP: true },
+  { name: 'Vanta', flag: '\u{1F1FA}\u{1F1F8}', model: 'SaaS', publicPricing: false, tiers: [
+    { name: { de: 'Startup', en: 'Startup' }, price: '~$500/mo', annual: '~$6K/yr', notes: { de: '1 Framework, <50 MA', en: '1 framework, <50 employees' } },
+    { name: { de: 'Business', en: 'Business' }, price: '~$2K/mo', annual: '~$25K/yr', notes: { de: 'Multi-Framework, VRM', en: 'Multi-framework, VRM' } },
+    { name: { de: 'Enterprise', en: 'Enterprise' }, price: '~$5-7K/mo', annual: '~$60-80K/yr', notes: { de: 'Custom, SSO, RBAC', en: 'Custom, SSO, RBAC' } },
+  ], setupFee: '~$5-15K' },
+  { name: 'Drata', flag: '\u{1F1FA}\u{1F1F8}', model: 'SaaS', publicPricing: false, tiers: [
+    { name: { de: 'Foundation', en: 'Foundation' }, price: '~$500/mo', annual: '~$5-8K/yr', notes: { de: '1 Framework, Basis', en: '1 framework, basic' } },
+    { name: { de: 'Business', en: 'Business' }, price: '~$1.5K/mo', annual: '~$18-20K/yr', notes: { de: 'Multi-Framework, API', en: 'Multi-framework, API' } },
+    { name: { de: 'Enterprise', en: 'Enterprise' }, price: '~$4-8K/mo', annual: '~$50-100K/yr', notes: { de: 'SafeBase, Custom', en: 'SafeBase, custom' } },
+  ], setupFee: '~$5-10K' },
+  { name: 'Sprinto', flag: '\u{1F1EE}\u{1F1F3}', model: 'SaaS', publicPricing: false, tiers: [
+    { name: { de: 'Growth', en: 'Growth' }, price: '~$350/mo', annual: '~$4K/yr', notes: { de: '1 Framework, KMU', en: '1 framework, SMB' } },
+    { name: { de: 'Business', en: 'Business' }, price: '~$1K/mo', annual: '~$12K/yr', notes: { de: 'Multi-Framework', en: 'Multi-framework' } },
+    { name: { de: 'Enterprise', en: 'Enterprise' }, price: '~$2K+/mo', annual: '~$25K+/yr', notes: { de: 'Custom Integrations', en: 'Custom integrations' } },
+  ], setupFee: '~$2-5K' },
+  { name: 'Proliance', flag: '\u{1F1E9}\u{1F1EA}', model: 'SaaS', publicPricing: true, tiers: [
+    { name: { de: 'Basis', en: 'Basic' }, price: '\u20AC99/mo', annual: '\u20AC1.188/yr', notes: { de: 'DSGVO-Grundlagen', en: 'GDPR basics' } },
+    { name: { de: 'Professional', en: 'Professional' }, price: '\u20AC249/mo', annual: '\u20AC2.988/yr', notes: { de: '+ Audit, VVT', en: '+ Audit, records' } },
+    { name: { de: 'Enterprise', en: 'Enterprise' }, price: '\u20AC499/mo', annual: '\u20AC5.988/yr', notes: { de: 'Multi-Standort, DSB', en: 'Multi-location, DPO' } },
+  ], setupFee: '\u20AC0' },
+  { name: 'DataGuard', flag: '\u{1F1E9}\u{1F1EA}', model: 'SaaS + Beratung', publicPricing: false, tiers: [
+    { name: { de: 'Starter', en: 'Starter' }, price: '~\u20AC250/mo', annual: '~\u20AC3K/yr', notes: { de: 'Nur Software', en: 'Software only' } },
+    { name: { de: 'Managed', en: 'Managed' }, price: '~\u20AC1K/mo', annual: '~\u20AC12K/yr', notes: { de: '+ Ext. DSB', en: '+ Ext. DPO' } },
+    { name: { de: 'Enterprise', en: 'Enterprise' }, price: '~\u20AC2K+/mo', annual: '~\u20AC24K+/yr', notes: { de: 'ISO 27001 + TISAX', en: 'ISO 27001 + TISAX' } },
+  ], setupFee: '~\u20AC2-5K' },
+  { name: 'heyData', flag: '\u{1F1E9}\u{1F1EA}', model: 'SaaS', publicPricing: true, tiers: [
+    { name: { de: 'Essential', en: 'Essential' }, price: '\u20AC83/mo', annual: '\u20AC996/yr', notes: { de: '1-19 MA, DSGVO', en: '1-19 empl., GDPR' } },
+    { name: { de: 'Pro', en: 'Pro' }, price: '\u20AC199/mo', annual: '\u20AC2.388/yr', notes: { de: '20-99 MA, DSB', en: '20-99 empl., DPO' } },
+    { name: { de: 'Premium', en: 'Premium' }, price: '\u20AC333/mo', annual: '\u20AC3.996/yr', notes: { de: '100+ MA, Audit', en: '100+ empl., audit' } },
+  ], setupFee: '\u20AC0' },
+]
+
+export const APPSEC_COMPETITORS: AppSecCompetitor[] = [
+  { name: 'Snyk', flag: '\u{1F1FA}\u{1F1F8}', hq: 'Boston', founded: 2015, employees: 1200, revenue: '~$300M ARR', revenueNum: 300_000_000, customers: '3.000+', funding: '$850M (Series G, $7.4B)', pricing: '$25K\u2013100K+/yr', focus: { de: 'SCA + SAST, Developer-First', en: 'SCA + SAST, developer-first' } },
+  { name: 'Veracode', flag: '\u{1F1FA}\u{1F1F8}', hq: 'Burlington, MA', founded: 2006, employees: 1300, revenue: '~$300M', revenueNum: 300_000_000, customers: '3.500+', funding: 'PE (Thoma Bravo, $2.5B)', pricing: '$50K\u2013500K+/yr', focus: { de: 'SAST + DAST + SCA, Enterprise', en: 'SAST + DAST + SCA, enterprise' } },
+  { name: 'Checkmarx', flag: '\u{1F1EE}\u{1F1F1}', hq: 'Tel Aviv', founded: 2006, employees: 1000, revenue: '~$250M', revenueNum: 250_000_000, customers: '1.800+', funding: 'PE (Hellman & Friedman)', pricing: '$40K\u2013300K+/yr', focus: { de: 'SAST + DAST + SCA + API', en: 'SAST + DAST + SCA + API' } },
+  { name: 'SonarSource', flag: '\u{1F1E8}\u{1F1ED}', hq: 'Genf', founded: 2008, employees: 500, revenue: '~$250M', revenueNum: 250_000_000, customers: '400K+ Devs', funding: '$412M (Series D)', pricing: '$15K\u2013150K+/yr', focus: { de: 'Code-Qualitaet + SAST', en: 'Code quality + SAST' } },
+  { name: 'Semgrep', flag: '\u{1F1FA}\u{1F1F8}', hq: 'San Francisco', founded: 2020, employees: 150, revenue: '~$30M ARR', revenueNum: 30_000_000, customers: '1.500+', funding: '$100M (Series C)', pricing: '$10K\u2013100K+/yr', focus: { de: 'Open-Source SAST, Supply Chain', en: 'Open-source SAST, supply chain' } },
+  { name: 'Pentera', flag: '\u{1F1EE}\u{1F1F1}', hq: 'Tel Aviv', founded: 2015, employees: 400, revenue: '~$100M', revenueNum: 100_000_000, customers: '900+', funding: '$189M (Series C)', pricing: '$50K\u2013250K+/yr', focus: { de: 'Automatisiertes Pentesting/BAS', en: 'Automated pentesting/BAS' } },
+  { name: 'Invicti', flag: '\u{1F1FA}\u{1F1F8}', hq: 'Austin, TX', founded: 2018, employees: 500, revenue: '~$100M', revenueNum: 100_000_000, customers: '3.000+', funding: 'PE (Turn/River)', pricing: '$15K\u2013100K+/yr', focus: { de: 'DAST (Acunetix + Netsparker)', en: 'DAST (Acunetix + Netsparker)' } },
+  { name: 'Intruder', flag: '\u{1F1EC}\u{1F1E7}', hq: 'London', founded: 2015, employees: 100, revenue: '~$10M', revenueNum: 10_000_000, customers: '2.500+', funding: '$15M (Series A)', pricing: '$1.5K\u201320K+/yr', focus: { de: 'Vulnerability Scanner, SMB', en: 'Vulnerability scanner, SMB' } },
+]
+
+export const APPSEC_FEATURES: AppSecFeature[] = [
+  { de: 'SAST (Static Analysis)', en: 'SAST (Static Analysis)', bp: true, snyk: true, veracode: true, checkmarx: true, sonar: true, semgrep: true, pentera: false, invicti: false, intruder: false, isUSP: false },
+  { de: 'DAST (Dynamic Analysis)', en: 'DAST (Dynamic Analysis)', bp: true, snyk: false, veracode: true, checkmarx: true, sonar: false, semgrep: false, pentera: true, invicti: true, intruder: true, isUSP: false },
+  { de: 'SCA (Software Composition)', en: 'SCA (Software Composition)', bp: true, snyk: true, veracode: true, checkmarx: true, sonar: 'partial', semgrep: 'partial', pentera: false, invicti: false, intruder: false, isUSP: false },
+  { de: 'LLM-basierte Auto-Fixes', en: 'LLM-Based Auto-Fixes', bp: true, snyk: 'partial', veracode: 'partial', checkmarx: 'partial', sonar: 'partial', semgrep: false, pentera: false, invicti: false, intruder: false, isUSP: false },
+  { de: 'SBOM-Generierung', en: 'SBOM Generation', bp: true, snyk: true, veracode: 'partial', checkmarx: 'partial', sonar: false, semgrep: false, pentera: false, invicti: false, intruder: false, isUSP: false },
+  { de: 'Container-Security', en: 'Container Security', bp: true, snyk: true, veracode: true, checkmarx: true, sonar: false, semgrep: 'partial', pentera: false, invicti: false, intruder: false, isUSP: false },
+  { de: 'Secret Detection', en: 'Secret Detection', bp: true, snyk: false, veracode: false, checkmarx: false, sonar: 'partial', semgrep: true, pentera: false, invicti: false, intruder: false, isUSP: false },
+  { de: 'IaC Scanning', en: 'IaC Scanning', bp: true, snyk: true, veracode: false, checkmarx: false, sonar: false, semgrep: true, pentera: false, invicti: false, intruder: false, isUSP: false },
+  { de: 'CI/CD-Integration', en: 'CI/CD Integration', bp: true, snyk: true, veracode: true, checkmarx: true, sonar: true, semgrep: true, pentera: 'partial', invicti: 'partial', intruder: 'partial', isUSP: false },
+  { de: 'API-Security Testing', en: 'API Security Testing', bp: true, snyk: false, veracode: 'partial', checkmarx: true, sonar: false, semgrep: false, pentera: 'partial', invicti: true, intruder: 'partial', isUSP: false },
+  { de: 'Automatisiertes Pentesting', en: 'Automated Pentesting', bp: true, snyk: false, veracode: false, checkmarx: false, sonar: false, semgrep: false, pentera: true, invicti: false, intruder: true, isUSP: false },
+  { de: 'Self-Hosted / On-Premise', en: 'Self-Hosted / On-Premise', bp: true, snyk: false, veracode: false, checkmarx: 'partial', sonar: true, semgrep: 'partial', pentera: 'partial', invicti: 'partial', intruder: false, isUSP: false },
+]
+
+export const GROUP_LABELS: Record<string, { de: string; en: string; color: string }> = {
+  'code-security': { de: 'Code Security & DevSecOps', en: 'Code Security & DevSecOps', color: 'text-red-400' },
+  'ai-data': { de: 'KI & Daten', en: 'AI & Data', color: 'text-purple-400' },
+  'frameworks': { de: 'Regulatorische Frameworks', en: 'Regulatory Frameworks', color: 'text-blue-400' },
+  'documentation': { de: 'Compliance-Dokumentation', en: 'Compliance Documentation', color: 'text-emerald-400' },
+  'operations': { de: 'Operative Compliance', en: 'Operative Compliance', color: 'text-amber-400' },
+  'platform': { de: 'Technische Plattform', en: 'Technical Platform', color: 'text-cyan-400' },
+  'industry': { de: 'Branche & Spezial', en: 'Industry & Specialty', color: 'text-orange-400' },
+}
diff --git a/pitch-deck/components/slides/CompetitionSlide.parts.tsx b/pitch-deck/components/slides/CompetitionSlide.parts.tsx
new file mode 100644
index 0000000..9cc291b
--- /dev/null
+++ b/pitch-deck/components/slides/CompetitionSlide.parts.tsx
@@ -0,0 +1,216 @@
+'use client'
+
+import { Language } from '@/lib/types'
+import { Users, DollarSign, Globe, Cpu, Star, Check, X, Minus } from 'lucide-react'
+import BrandName from '../ui/BrandName'
+import {
+  type FeatureStatus, type ExtendedCompetitor, type ComparisonFeature,
+  type AppSecCompetitor, type AppSecFeature, GROUP_LABELS,
+} from './CompetitionSlide.data'
+
+export function StatusIcon({ value }: { value: FeatureStatus }) {
+  if (value === true) return <Check className="w-3.5 h-3.5 text-green-400 mx-auto" />
+  if (value === 'partial') return <Minus className="w-3.5 h-3.5 text-yellow-400 mx-auto" />
+  return <X className="w-3.5 h-3.5 text-white/15 mx-auto" />
+}
+
+export function AiBadge({ level, lang }: { level: 'full' | 'partial' | 'none'; lang: Language }) {
+  const colors = { full: 'bg-green-500/15 text-green-400', partial: 'bg-yellow-500/15 text-yellow-400', none: 'bg-white/5 text-white/30' }
+  const labels = { full: { de: 'KI', en: 'AI' }, partial: { de: 'Basis', en: 'Basic' }, none: { de: 'Keine', en: 'None' } }
+  return (
+    <span className={`text-[10px] px-1.5 py-0.5 rounded-full font-medium ${colors[level]}`}>
+      <Cpu className="w-2.5 h-2.5 inline mr-0.5 -mt-px" />
+      {labels[level][lang]}
+    </span>
+  )
+}
+
+export function ratio(a: number, b: number): string {
+  if (b === 0) return '\u2014'
+  const r = a / b
+  if (r >= 1_000_000) return `${(r / 1_000_000).toFixed(1)}M`
+  if (r >= 1_000) return `${(r / 1_000).toFixed(0)}k`
+  return r.toFixed(0)
+}
+
+export function CompetitorCard({ competitor: c, lang }: { competitor: ExtendedCompetitor; lang: Language }) {
+  return (
+    <div className="bg-white/[0.04] border border-white/5 rounded-xl p-2.5 text-[11px]">
+      <div className="flex items-center justify-between mb-1">
+        <div className="flex items-center gap-1.5">
+          <span className="text-sm">{c.flag}</span>
+          <span className="font-semibold text-white/80 text-xs">{c.name}</span>
+        </div>
+        <AiBadge level={c.aiUsage} lang={lang} />
+      </div>
+      <div className="text-[10px] text-white/40 mb-1.5 truncate" title={`HQ: ${c.hq}, ${c.hqCountry}` + (c.offices.length > 1 ? ` | Offices: ${c.offices.join(', ')}` : '')}>
+        <span className="text-white/55">{c.hq}, {c.hqCountry}</span>
+        {c.offices.length > 1 && (
+          <span className="ml-1">+ {c.offices.join(', ')}</span>
+        )}
+      </div>
+      <div className="grid grid-cols-2 gap-x-3 gap-y-0.5 text-white/50">
+        <div className="flex items-center gap-1">
+          <span className="text-white/30">{lang === 'de' ? 'Gr.' : 'Est.'}</span>
+          <span className="text-white/70">{c.founded}</span>
+        </div>
+        <div className="flex items-center gap-1">
+          <Users className="w-2.5 h-2.5 text-white/30" />
+          <span className="text-white/70">{c.employees.toLocaleString()}</span>
+        </div>
+        <div className="flex items-center gap-1">
+          <DollarSign className="w-2.5 h-2.5 text-white/30" />
+          <span className="text-white/70">{c.revenue}</span>
+        </div>
+        <div className="flex items-center gap-1">
+          <Globe className="w-2.5 h-2.5 text-white/30" />
+          <span className="text-white/70">{c.customers.toLocaleString()} {lang === 'de' ? 'Kd.' : 'cust.'} ({c.customerCountries})</span>
+        </div>
+      </div>
+      <div className="mt-1.5 pt-1.5 border-t border-white/5">
+        <div className="text-white/40">
+          <span className="text-white/60 font-medium">{c.fundingTotal}</span>
+          <span className="ml-1 text-[10px]">{c.fundingRound}</span>
+        </div>
+        {c.investors.length > 0 && (
+          <div className="text-[10px] text-white/30 mt-0.5 truncate" title={c.investors.join(', ')}>
+            {c.investors.slice(0, 3).join(', ')}{c.investors.length > 3 ? ' +' + (c.investors.length - 3) : ''}
+          </div>
+        )}
+      </div>
+      <div className="mt-1 text-[10px] text-white/35 truncate" title={c.market[lang]}>
+        {c.market[lang]}
+      </div>
+    </div>
+  )
+}
+
+export function FeatureTable({
+  features, lang, cols, labels,
+}: {
+  features: ComparisonFeature[]
+  lang: Language
+  cols: readonly string[]
+  labels: string[]
+  highlight?: boolean
+}) {
+  const rowElements: React.ReactNode[] = []
+  let lastGroup = ''
+  features.forEach((f, i) => {
+    const grp = f.group || ''
+    if (grp && grp !== lastGroup) {
+      const gl = GROUP_LABELS[grp]
+      if (gl) {
+        rowElements.push(
+          <tr key={`grp-${grp}`} className="bg-white/[0.02]">
+            <td colSpan={cols.length + 1} className={`py-1.5 px-2 text-[10px] font-bold uppercase tracking-wider ${gl.color}`}>
+              {lang === 'de' ? gl.de : gl.en}
+            </td>
+          </tr>
+        )
+      }
+      lastGroup = grp
+    }
+    rowElements.push(
+      <tr key={i} className={`border-b border-white/5 ${f.isDiff ? 'bg-indigo-500/5' : ''}`}>
+        <td className="py-1.5 px-2 flex items-center gap-1.5">
+          {f.isDiff && <Star className="w-3 h-3 text-yellow-400 shrink-0" />}
+          <span className={f.isDiff ? 'text-white font-medium' : 'text-white/60'}>
+            {lang === 'de' ? f.de : f.en}
+          </span>
+        </td>
+        {cols.map(col => (
+          <td key={col} className="py-1.5 px-1.5 text-center">
+            <StatusIcon value={f[col as keyof ComparisonFeature] as FeatureStatus} />
+          </td>
+        ))}
+      </tr>
+    )
+  })
+
+  return (
+    <div className="overflow-x-auto mt-1 mb-1">
+      <table className="w-full text-[11px]">
+        <thead>
+          <tr className="border-b border-white/10">
+            <th className="text-left py-1.5 px-2 text-white/40 font-medium min-w-[180px]">Feature</th>
+            {labels.map((l, idx) => (
+              <th key={l} className={`py-1.5 px-1.5 font-medium text-center whitespace-nowrap ${idx === 0 ? 'text-indigo-400' : 'text-white/50'}`}>
+                {idx === 0 ? <BrandName className="text-[11px]" /> : l}
+              </th>
+            ))}
+          </tr>
+        </thead>
+        <tbody>{rowElements}</tbody>
+      </table>
+    </div>
+  )
+}
+
+export function AppSecCard({ competitor: c, lang }: { competitor: AppSecCompetitor; lang: Language }) {
+  return (
+    <div className="bg-white/[0.04] border border-white/5 rounded-xl p-2 text-[11px]">
+      <div className="flex items-center gap-1.5 mb-1">
+        <span className="text-sm">{c.flag}</span>
+        <span className="font-semibold text-white/80 text-xs">{c.name}</span>
+      </div>
+      <div className="text-[10px] text-white/40 mb-1 truncate">{c.hq} · {c.founded}</div>
+      <div className="grid grid-cols-2 gap-x-2 gap-y-0.5 text-white/50">
+        <div className="flex items-center gap-1">
+          <Users className="w-2.5 h-2.5 text-white/30" />
+          <span className="text-white/70">{c.employees.toLocaleString()}</span>
+        </div>
+        <div className="flex items-center gap-1">
+          <DollarSign className="w-2.5 h-2.5 text-white/30" />
+          <span className="text-white/70 truncate">{c.revenue}</span>
+        </div>
+      </div>
+      <div className="mt-1 pt-1 border-t border-white/5 text-[10px]">
+        <div className="text-white/40 truncate">{c.funding}</div>
+        <div className="text-white/50 mt-0.5">{c.pricing}</div>
+      </div>
+      <div className="mt-1 text-[10px] text-white/35 truncate" title={c.focus[lang]}>
+        {c.focus[lang]}
+      </div>
+    </div>
+  )
+}
+
+export function AppSecFeatureTable({ features, lang, highlight }: { features: AppSecFeature[]; lang: Language; highlight?: boolean }) {
+  const cols = ['bp', 'snyk', 'veracode', 'checkmarx', 'sonar', 'semgrep', 'pentera', 'invicti', 'intruder'] as const
+  const labels = ['ComplAI', 'Snyk', 'Veracode', 'Checkmarx', 'Sonar', 'Semgrep', 'Pentera', 'Invicti', 'Intruder']
+
+  return (
+    <div className="overflow-x-auto mt-1 mb-1">
+      <table className="w-full text-[11px]">
+        <thead>
+          <tr className="border-b border-white/10">
+            <th className="text-left py-1.5 px-2 text-white/40 font-medium min-w-[160px]">Feature</th>
+            {labels.map((l, idx) => (
+              <th key={l} className={`py-1.5 px-1 font-medium text-center whitespace-nowrap ${idx === 0 ? 'text-indigo-400' : 'text-white/50'}`}>
+                {idx === 0 ? <BrandName className="text-[11px]" /> : l}
+              </th>
+            ))}
+          </tr>
+        </thead>
+        <tbody>
+          {features.map((f, i) => (
+            <tr key={i} className={`border-b border-white/5 ${highlight && f.isUSP ? 'bg-indigo-500/5' : ''}`}>
+              <td className="py-1.5 px-2 flex items-center gap-1.5">
+                {f.isUSP && highlight && <Star className="w-3 h-3 text-yellow-400 shrink-0" />}
+                <span className={f.isUSP && highlight ? 'text-white font-medium' : 'text-white/60'}>
+                  {lang === 'de' ? f.de : f.en}
+                </span>
+              </td>
+              {cols.map(col => (
+                <td key={col} className="py-1.5 px-1 text-center">
+                  <StatusIcon value={f[col] as FeatureStatus} />
+                </td>
+              ))}
+            </tr>
+          ))}
+        </tbody>
+      </table>
+    </div>
+  )
+}
diff --git a/pitch-deck/components/slides/CompetitionSlide.tsx b/pitch-deck/components/slides/CompetitionSlide.tsx
index 5719bda..a8ec17c 100644
--- a/pitch-deck/components/slides/CompetitionSlide.tsx
+++ b/pitch-deck/components/slides/CompetitionSlide.tsx
@@ -5,12 +5,17 @@ import { Language, PitchFeature, PitchCompetitor } from '@/lib/types'
 import { t } from '@/lib/i18n'
 import {
   ChevronDown, ChevronRight, Globe, Building2, Users, TrendingUp,
-  DollarSign, Cpu, Star, Check, X, Minus, Shield, Tag,
+  DollarSign, Cpu, Star, Check, X, Minus, Shield,
 } from 'lucide-react'
 import GradientText from '../ui/GradientText'
 import FadeInView from '../ui/FadeInView'
 import GlassCard from '../ui/GlassCard'
 import BrandName from '../ui/BrandName'
+import {
+  type FeatureStatus, type ComparisonFeature,
+  EXTENDED_COMPETITORS, ALL_FEATURES, DACH_NOTE, PRICING_COMPARISON, APPSEC_COMPETITORS, APPSEC_FEATURES,
+} from './CompetitionSlide.data'
+import { StatusIcon, AiBadge, ratio, CompetitorCard, FeatureTable, AppSecCard, AppSecFeatureTable } from './CompetitionSlide.parts'
 
 interface CompetitionSlideProps {
   lang: Language
@@ -18,438 +23,8 @@ interface CompetitionSlideProps {
   competitors: PitchCompetitor[]
 }
 
-// ─── Extended Competitor Data ──────────────────────────────────────────────────
-
-interface ExtendedCompetitor {
-  name: string
-  flag: string
-  hq: string
-  hqCountry: string
-  offices: string[]
-  founded: number
-  employees: number
-  revenue: string
-  revenueNum: number
-  customers: number
-  customerCountries: string
-  fundingTotal: string
-  fundingRound: string
-  investors: string[]
-  aiUsage: 'full' | 'partial' | 'none'
-  aiDetail: { de: string; en: string }
-  market: { de: string; en: string }
-  pricing: string
-  isInternational: boolean
-}
-
-const EXTENDED_COMPETITORS: ExtendedCompetitor[] = [
-  {
-    name: 'Vanta',
-    flag: '🇺🇸',
-    hq: 'San Francisco, CA',
-    hqCountry: 'USA',
-    offices: ['New York', 'Dublin', 'London', 'Sydney'],
-    founded: 2018,
-    employees: 1695,
-    revenue: '$220M ARR',
-    revenueNum: 220_000_000,
-    customers: 12000,
-    customerCountries: '58 Länder',
-    fundingTotal: '$504M',
-    fundingRound: 'Series D ($150M, $4.15B val.)',
-    investors: ['Sequoia Capital', 'Wellington Mgmt', 'Craft Ventures', 'CrowdStrike', 'Goldman Sachs', 'Y Combinator'],
-    aiUsage: 'full',
-    aiDetail: { de: 'Vanta AI Agent: Agentic Compliance, Policy-Gen, VRM-Agent, ISO 42001', en: 'Vanta AI Agent: Agentic compliance, policy gen, VRM agent, ISO 42001' },
-    market: { de: 'Global — SOC 2, ISO 27001, HIPAA, PCI DSS', en: 'Global — SOC 2, ISO 27001, HIPAA, PCI DSS' },
-    pricing: '$10K–80K/yr',
-    isInternational: true,
-  },
-  {
-    name: 'Drata',
-    flag: '🇺🇸',
-    hq: 'San Diego, CA',
-    hqCountry: 'USA',
-    offices: ['San Diego'],
-    founded: 2020,
-    employees: 732,
-    revenue: '$100M ARR',
-    revenueNum: 100_000_000,
-    customers: 8000,
-    customerCountries: '80+ Länder',
-    fundingTotal: '$328M',
-    fundingRound: 'Series C ($200M, $2B val.)',
-    investors: ['ICONIQ Growth', 'GGV Capital', 'Salesforce Ventures', 'SentinelOne'],
-    aiUsage: 'full',
-    aiDetail: { de: 'AI Agent: VRM, Doc-Review, Risiko-Scoring, SafeBase AIQA', en: 'AI Agent: VRM, doc review, risk scoring, SafeBase AIQA' },
-    market: { de: 'Global — SOC 2, ISO, HIPAA, GDPR (oberfl.)', en: 'Global — SOC 2, ISO, HIPAA, GDPR (shallow)' },
-    pricing: '$10K–100K/yr',
-    isInternational: true,
-  },
-  {
-    name: 'Sprinto',
-    flag: '🇮🇳',
-    hq: 'Bangalore',
-    hqCountry: 'Indien',
-    offices: ['Bangalore'],
-    founded: 2020,
-    employees: 316,
-    revenue: '$38M ARR',
-    revenueNum: 38_000_000,
-    customers: 3000,
-    customerCountries: '75+ Länder',
-    fundingTotal: '$32M',
-    fundingRound: 'Series B ($20M, 2024)',
-    investors: ['Accel', 'Elevation Capital', 'Blume Ventures'],
-    aiUsage: 'full',
-    aiDetail: { de: 'Autonomous Compliance Engine, No-Code AI Agent Builder', en: 'Autonomous compliance engine, no-code AI agent builder' },
-    market: { de: 'Global SMBs — SOC 2, ISO, GDPR', en: 'Global SMBs — SOC 2, ISO, GDPR' },
-    pricing: '$6K–25K/yr',
-    isInternational: true,
-  },
-  {
-    name: 'Proliance',
-    flag: '🇩🇪',
-    hq: 'Muenchen',
-    hqCountry: 'Deutschland',
-    offices: ['Muenchen'],
-    founded: 2017,
-    employees: 65,
-    revenue: '~€3.9M',
-    revenueNum: 3_900_000,
-    customers: 2000,
-    customerCountries: 'DACH',
-    fundingTotal: 'Pre-Seed',
-    fundingRound: 'Pre-Seed (Possible Ventures)',
-    investors: ['Possible Ventures'],
-    aiUsage: 'none',
-    aiDetail: { de: 'Basis-Risikoerkennung, keine LLM/Agenten', en: 'Basic risk detection, no LLM/agents' },
-    market: { de: 'DACH — DSGVO, ePrivacy, KMUs', en: 'DACH — GDPR, ePrivacy, SMBs' },
-    pricing: '€1.5K–5.7K/yr',
-    isInternational: false,
-  },
-  {
-    name: 'DataGuard',
-    flag: '🇩🇪',
-    hq: 'Muenchen',
-    hqCountry: 'Deutschland',
-    offices: ['Muenchen', 'Berlin', 'London', 'Wien', 'Stockholm'],
-    founded: 2017,
-    employees: 250,
-    revenue: '~€52M',
-    revenueNum: 52_000_000,
-    customers: 4000,
-    customerCountries: '50+ Länder',
-    fundingTotal: '€80M',
-    fundingRound: 'Series B (€61M, €341M val.)',
-    investors: ['Morgan Stanley Expansion', 'One Peak Partners'],
-    aiUsage: 'partial',
-    aiDetail: { de: 'Marketing: 40% weniger Aufwand, keine Agenten/LLM', en: 'Marketing: 40% effort reduction, no agents/LLM' },
-    market: { de: 'DACH + UK — GDPR, ISO 27001, TISAX', en: 'DACH + UK — GDPR, ISO 27001, TISAX' },
-    pricing: '€6K–24K+/yr',
-    isInternational: false,
-  },
-  {
-    name: 'heyData',
-    flag: '🇩🇪',
-    hq: 'Berlin',
-    hqCountry: 'Deutschland',
-    offices: ['Berlin'],
-    founded: 2020,
-    employees: 58,
-    revenue: '~€15M',
-    revenueNum: 15_000_000,
-    customers: 2000,
-    customerCountries: 'EU',
-    fundingTotal: '€18.3M',
-    fundingRound: 'Series A ($16.5M, Jan 2026)',
-    investors: ['Riverside Acceleration Capital'],
-    aiUsage: 'partial',
-    aiDetail: { de: 'KI-Marketing, keine sichtbaren Agenten', en: 'AI marketing, no visible agents' },
-    market: { de: 'DACH + EU — DSGVO, Kleinunternehmen', en: 'DACH + EU — GDPR, small businesses' },
-    pricing: '€1K–3.8K/yr',
-    isInternational: false,
-  },
-]
-
-// ─── Feature Comparison Data ───────────────────────────────────────────────────
-
-type FeatureStatus = true | false | 'partial'
-
-interface ComparisonFeature {
-  de: string
-  en: string
-  bp: FeatureStatus
-  vanta: FeatureStatus
-  drata: FeatureStatus
-  sprinto: FeatureStatus
-  proliance: FeatureStatus
-  dataguard: FeatureStatus
-  heydata: FeatureStatus
-  isDiff: boolean
-  isUSP: boolean
-  group?: string
-}
-
-const ALL_FEATURES: ComparisonFeature[] = [
-  // ── Code Security & DevSecOps ──
-  { de: 'Code-Security & DevSecOps (6 Tools)', en: 'Code Security & DevSecOps (6 Tools)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
-  { de: 'SAST (Static Application Security Testing)', en: 'SAST (Static Application Security Testing)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
-  { de: 'DAST (Dynamic Application Security Testing)', en: 'DAST (Dynamic Application Security Testing)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
-  { de: 'SBOM-Generator (CycloneDX/SPDX)', en: 'SBOM Generator (CycloneDX/SPDX)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
-  { de: 'Container-Security Scanning (Trivy)', en: 'Container Security Scanning (Trivy)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
-  { de: 'Secret Detection (Gitleaks)', en: 'Secret Detection (Gitleaks)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
-  { de: 'LLM-Auto-Fix (automatische Code-Korrekturen)', en: 'LLM Auto-Fix (Automatic Code Corrections)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
-  { de: 'Firmware & Embedded-Security', en: 'Firmware & Embedded Security', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'code-security' },
-
-  // ── KI & Daten ──
-  { de: 'PII-Redaction LLM Gateway', en: 'PII Redaction LLM Gateway', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'ai-data' },
-  { de: 'RAG mit 25.000+ Sicherheitskontrollen', en: 'RAG with 25,000+ Security Controls', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'ai-data' },
-  { de: 'Autonomer KI-Support-Agent', en: 'Autonomous AI Support Agent', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'ai-data' },
-  { de: 'KI-gestützte Analyse', en: 'AI-Powered Analysis', bp: true, vanta: true, drata: true, sprinto: 'partial', proliance: false, dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'ai-data' },
-
-  // ── Regulatorische Frameworks ──
-  { de: 'DSGVO / GDPR', en: 'GDPR', bp: true, vanta: 'partial', drata: 'partial', sprinto: 'partial', proliance: true, dataguard: true, heydata: true, isDiff: false, isUSP: false, group: 'frameworks' },
-  { de: 'AI Act', en: 'AI Act', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'frameworks' },
-  { de: 'Cyber Resilience Act (CRA)', en: 'Cyber Resilience Act (CRA)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'frameworks' },
-  { de: 'NIS2-Richtlinie', en: 'NIS2 Directive', bp: true, vanta: false, drata: 'partial', sprinto: false, proliance: false, dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'frameworks' },
-  { de: 'SOC 2', en: 'SOC 2', bp: 'partial', vanta: true, drata: true, sprinto: true, proliance: false, dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'frameworks' },
-  { de: 'ISO 27001', en: 'ISO 27001', bp: true, vanta: true, drata: true, sprinto: true, proliance: false, dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'frameworks' },
-  { de: 'HIPAA', en: 'HIPAA', bp: false, vanta: true, drata: true, sprinto: true, proliance: false, dataguard: false, heydata: false, isDiff: false, isUSP: false, group: 'frameworks' },
-  { de: 'TISAX', en: 'TISAX', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'frameworks' },
-  { de: 'HinSchG (Whistleblower)', en: 'HinSchG (Whistleblower)', bp: true, vanta: false, drata: false, sprinto: false, proliance: 'partial', dataguard: false, heydata: false, isDiff: false, isUSP: false, group: 'frameworks' },
-
-  // ── Compliance-Dokumentation ──
-  { de: 'VVT (Art. 30 DSGVO)', en: 'Records of Processing (Art. 30)', bp: true, vanta: false, drata: false, sprinto: false, proliance: true, dataguard: true, heydata: true, isDiff: false, isUSP: false, group: 'documentation' },
-  { de: 'TOM-Dokumentation', en: 'TOM Documentation', bp: true, vanta: false, drata: false, sprinto: false, proliance: true, dataguard: true, heydata: 'partial', isDiff: false, isUSP: false, group: 'documentation' },
-  { de: 'DSFA (Art. 35 DSGVO)', en: 'DPIA (Art. 35 GDPR)', bp: true, vanta: false, drata: false, sprinto: false, proliance: true, dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'documentation' },
-  { de: 'Löschkonzept / Löschfristen', en: 'Deletion Concept / Retention', bp: true, vanta: false, drata: false, sprinto: false, proliance: 'partial', dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'documentation' },
-  { de: 'Policy-Generator', en: 'Policy Generator', bp: true, vanta: true, drata: true, sprinto: 'partial', proliance: true, dataguard: true, heydata: 'partial', isDiff: false, isUSP: false, group: 'documentation' },
-  { de: 'Dokument-Generator (61 Vorlagen)', en: 'Document Generator (61 Templates)', bp: true, vanta: 'partial', drata: 'partial', sprinto: false, proliance: 'partial', dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'documentation' },
-
-  // ── Operative Compliance ──
-  { de: 'Audit-Management', en: 'Audit Management', bp: true, vanta: true, drata: true, sprinto: true, proliance: false, dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'operations' },
-  { de: 'Risikobewertung', en: 'Risk Assessment', bp: true, vanta: true, drata: true, sprinto: true, proliance: 'partial', dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'operations' },
-  { de: 'Incident Response', en: 'Incident Response', bp: true, vanta: true, drata: true, sprinto: true, proliance: false, dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'operations' },
-  { de: 'Consent Management', en: 'Consent Management', bp: true, vanta: false, drata: false, sprinto: false, proliance: 'partial', dataguard: false, heydata: 'partial', isDiff: false, isUSP: false, group: 'operations' },
-  { de: 'Betroffenenrechte (DSR)', en: 'Data Subject Requests', bp: true, vanta: false, drata: false, sprinto: false, proliance: true, dataguard: true, heydata: 'partial', isDiff: false, isUSP: false, group: 'operations' },
-  { de: 'Auftragsverarbeiter-Mgmt', en: 'Vendor/Processor Management', bp: true, vanta: true, drata: true, sprinto: 'partial', proliance: true, dataguard: true, heydata: 'partial', isDiff: false, isUSP: false, group: 'operations' },
-  { de: 'Schulungs-Management', en: 'Training Management', bp: true, vanta: 'partial', drata: 'partial', sprinto: 'partial', proliance: false, dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'operations' },
-  { de: 'Whistleblower-Portal', en: 'Whistleblower Portal', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'operations' },
-
-  // ── Technische Plattform ──
-  { de: 'Continuous Monitoring', en: 'Continuous Monitoring', bp: true, vanta: true, drata: true, sprinto: true, proliance: false, dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'platform' },
-  { de: 'Automatische Evidence-Sammlung', en: 'Automatic Evidence Collection', bp: true, vanta: true, drata: true, sprinto: true, proliance: false, dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'platform' },
-  { de: 'API / SDK', en: 'API / SDK', bp: true, vanta: true, drata: true, sprinto: 'partial', proliance: false, dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'platform' },
-  { de: 'Integrations (Slack, Jira, etc.)', en: 'Integrations (Slack, Jira, etc.)', bp: 'partial', vanta: true, drata: true, sprinto: true, proliance: false, dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'platform' },
-  { de: 'Datensouveraenitaet (EU)', en: 'Data Sovereignty (EU)', bp: true, vanta: false, drata: false, sprinto: false, proliance: true, dataguard: true, heydata: true, isDiff: false, isUSP: false, group: 'platform' },
-  { de: 'Mehrmandantenfähig', en: 'Multi-Tenancy', bp: true, vanta: true, drata: true, sprinto: true, proliance: 'partial', dataguard: true, heydata: false, isDiff: false, isUSP: false, group: 'platform' },
-  { de: 'Data Mapping / Datenfluss', en: 'Data Mapping / Data Flow', bp: true, vanta: 'partial', drata: 'partial', sprinto: false, proliance: false, dataguard: 'partial', heydata: false, isDiff: false, isUSP: false, group: 'platform' },
-  { de: 'Cookie-Banner Generator', en: 'Cookie Banner Generator', bp: true, vanta: false, drata: false, sprinto: false, proliance: 'partial', dataguard: false, heydata: 'partial', isDiff: false, isUSP: false, group: 'platform' },
-  { de: 'IPFS/Blockchain (optional)', en: 'IPFS/Blockchain (optional)', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'platform' },
-
-  // ── Branche & Spezial ──
-  { de: 'Maschinenbau-Branchenfokus', en: 'Manufacturing Industry Focus', bp: true, vanta: false, drata: false, sprinto: false, proliance: false, dataguard: false, heydata: false, isDiff: true, isUSP: true, group: 'industry' },
-]
-
-// ─── DACH Landscape Note ───────────────────────────────────────────────────────
-
-const DACH_NOTE = {
-  de: 'Weitere DACH-Anbieter: Secjur (Hamburg, KI-Compliance, ~€5.5M Seed), Usercentrics (nur CMP, $117M Rev), Caralegal (Privacy/Risk, M&A 2025), 2B Advice (Legacy, 20+ J.), OneTrust (US-Enterprise, $500M+ ARR). Keiner kombiniert DSGVO + Code-Security + Self-Hosted KI.',
-  en: 'Other DACH players: Secjur (Hamburg, AI compliance, ~€5.5M seed), Usercentrics (CMP only, $117M rev), Caralegal (privacy/risk, M&A 2025), 2B Advice (legacy, 20+ yrs), OneTrust (US enterprise, $500M+ ARR). None combines GDPR + code security + self-hosted AI.',
-}
-
-// ─── Pricing Comparison Data ──────────────────────────────────────────────────
-
-interface PricingTier {
-  name: { de: string; en: string }
-  price: string
-  annual: string
-  notes: { de: string; en: string }
-}
-
-interface CompetitorPricing {
-  name: string
-  flag: string
-  model: string
-  publicPricing: boolean
-  tiers: PricingTier[]
-  setupFee: string
-  isBP?: boolean
-}
-
-const PRICING_COMPARISON: CompetitorPricing[] = [
-  {
-    name: 'ComplAI',
-    flag: '🇩🇪',
-    model: 'Cloud (BSI DE)',
-    publicPricing: true,
-    tiers: [
-      { name: { de: 'Starter (<10 MA)', en: 'Starter (<10 emp.)' }, price: '€300/mo', annual: '€3.600/yr', notes: { de: '380+ Regularien, modular', en: '380+ regulations, modular' } },
-      { name: { de: 'Professional (10-250)', en: 'Professional (10-250)' }, price: '€1.250–3.333/mo', annual: '€15.000–40.000/yr', notes: { de: 'Alle Module, Priority Support', en: 'All modules, priority support' } },
-      { name: { de: 'Enterprise (250+)', en: 'Enterprise (250+)' }, price: 'ab €4.167/mo', annual: 'ab €50.000/yr', notes: { de: 'Dedicated, Custom, SLA', en: 'Dedicated, custom, SLA' } },
-    ],
-    setupFee: '€0',
-    isBP: true,
-  },
-  {
-    name: 'Vanta',
-    flag: '🇺🇸',
-    model: 'SaaS',
-    publicPricing: false,
-    tiers: [
-      { name: { de: 'Startup', en: 'Startup' }, price: '~$500/mo', annual: '~$6K/yr', notes: { de: '1 Framework, <50 MA', en: '1 framework, <50 employees' } },
-      { name: { de: 'Business', en: 'Business' }, price: '~$2K/mo', annual: '~$25K/yr', notes: { de: 'Multi-Framework, VRM', en: 'Multi-framework, VRM' } },
-      { name: { de: 'Enterprise', en: 'Enterprise' }, price: '~$5-7K/mo', annual: '~$60-80K/yr', notes: { de: 'Custom, SSO, RBAC', en: 'Custom, SSO, RBAC' } },
-    ],
-    setupFee: '~$5-15K',
-  },
-  {
-    name: 'Drata',
-    flag: '🇺🇸',
-    model: 'SaaS',
-    publicPricing: false,
-    tiers: [
-      { name: { de: 'Foundation', en: 'Foundation' }, price: '~$500/mo', annual: '~$5-8K/yr', notes: { de: '1 Framework, Basis', en: '1 framework, basic' } },
-      { name: { de: 'Business', en: 'Business' }, price: '~$1.5K/mo', annual: '~$18-20K/yr', notes: { de: 'Multi-Framework, API', en: 'Multi-framework, API' } },
-      { name: { de: 'Enterprise', en: 'Enterprise' }, price: '~$4-8K/mo', annual: '~$50-100K/yr', notes: { de: 'SafeBase, Custom', en: 'SafeBase, custom' } },
-    ],
-    setupFee: '~$5-10K',
-  },
-  {
-    name: 'Sprinto',
-    flag: '🇮🇳',
-    model: 'SaaS',
-    publicPricing: false,
-    tiers: [
-      { name: { de: 'Growth', en: 'Growth' }, price: '~$350/mo', annual: '~$4K/yr', notes: { de: '1 Framework, KMU', en: '1 framework, SMB' } },
-      { name: { de: 'Business', en: 'Business' }, price: '~$1K/mo', annual: '~$12K/yr', notes: { de: 'Multi-Framework', en: 'Multi-framework' } },
-      { name: { de: 'Enterprise', en: 'Enterprise' }, price: '~$2K+/mo', annual: '~$25K+/yr', notes: { de: 'Custom Integrations', en: 'Custom integrations' } },
-    ],
-    setupFee: '~$2-5K',
-  },
-  {
-    name: 'Proliance',
-    flag: '🇩🇪',
-    model: 'SaaS',
-    publicPricing: true,
-    tiers: [
-      { name: { de: 'Basis', en: 'Basic' }, price: '€99/mo', annual: '€1.188/yr', notes: { de: 'DSGVO-Grundlagen', en: 'GDPR basics' } },
-      { name: { de: 'Professional', en: 'Professional' }, price: '€249/mo', annual: '€2.988/yr', notes: { de: '+ Audit, VVT', en: '+ Audit, records' } },
-      { name: { de: 'Enterprise', en: 'Enterprise' }, price: '€499/mo', annual: '€5.988/yr', notes: { de: 'Multi-Standort, DSB', en: 'Multi-location, DPO' } },
-    ],
-    setupFee: '€0',
-  },
-  {
-    name: 'DataGuard',
-    flag: '🇩🇪',
-    model: 'SaaS + Beratung',
-    publicPricing: false,
-    tiers: [
-      { name: { de: 'Starter', en: 'Starter' }, price: '~€250/mo', annual: '~€3K/yr', notes: { de: 'Nur Software', en: 'Software only' } },
-      { name: { de: 'Managed', en: 'Managed' }, price: '~€1K/mo', annual: '~€12K/yr', notes: { de: '+ Ext. DSB', en: '+ Ext. DPO' } },
-      { name: { de: 'Enterprise', en: 'Enterprise' }, price: '~€2K+/mo', annual: '~€24K+/yr', notes: { de: 'ISO 27001 + TISAX', en: 'ISO 27001 + TISAX' } },
-    ],
-    setupFee: '~€2-5K',
-  },
-  {
-    name: 'heyData',
-    flag: '🇩🇪',
-    model: 'SaaS',
-    publicPricing: true,
-    tiers: [
-      { name: { de: 'Essential', en: 'Essential' }, price: '€83/mo', annual: '€996/yr', notes: { de: '1-19 MA, DSGVO', en: '1-19 empl., GDPR' } },
-      { name: { de: 'Pro', en: 'Pro' }, price: '€199/mo', annual: '€2.388/yr', notes: { de: '20-99 MA, DSB', en: '20-99 empl., DPO' } },
-      { name: { de: 'Premium', en: 'Premium' }, price: '€333/mo', annual: '€3.996/yr', notes: { de: '100+ MA, Audit', en: '100+ empl., audit' } },
-    ],
-    setupFee: '€0',
-  },
-]
-
-// ─── AppSec / Pentesting Competitor Data ─────────────────────────────────────
-
-interface AppSecCompetitor {
-  name: string
-  flag: string
-  hq: string
-  founded: number
-  employees: number
-  revenue: string
-  revenueNum: number
-  customers: string
-  funding: string
-  pricing: string
-  focus: { de: string; en: string }
-}
-
-const APPSEC_COMPETITORS: AppSecCompetitor[] = [
-  { name: 'Snyk', flag: '🇺🇸', hq: 'Boston', founded: 2015, employees: 1200, revenue: '~$300M ARR', revenueNum: 300_000_000, customers: '3.000+', funding: '$850M (Series G, $7.4B)', pricing: '$25K–100K+/yr', focus: { de: 'SCA + SAST, Developer-First', en: 'SCA + SAST, developer-first' } },
-  { name: 'Veracode', flag: '🇺🇸', hq: 'Burlington, MA', founded: 2006, employees: 1300, revenue: '~$300M', revenueNum: 300_000_000, customers: '3.500+', funding: 'PE (Thoma Bravo, $2.5B)', pricing: '$50K–500K+/yr', focus: { de: 'SAST + DAST + SCA, Enterprise', en: 'SAST + DAST + SCA, enterprise' } },
-  { name: 'Checkmarx', flag: '🇮🇱', hq: 'Tel Aviv', founded: 2006, employees: 1000, revenue: '~$250M', revenueNum: 250_000_000, customers: '1.800+', funding: 'PE (Hellman & Friedman)', pricing: '$40K–300K+/yr', focus: { de: 'SAST + DAST + SCA + API', en: 'SAST + DAST + SCA + API' } },
-  { name: 'SonarSource', flag: '🇨🇭', hq: 'Genf', founded: 2008, employees: 500, revenue: '~$250M', revenueNum: 250_000_000, customers: '400K+ Devs', funding: '$412M (Series D)', pricing: '$15K–150K+/yr', focus: { de: 'Code-Qualitaet + SAST', en: 'Code quality + SAST' } },
-  { name: 'Semgrep', flag: '🇺🇸', hq: 'San Francisco', founded: 2020, employees: 150, revenue: '~$30M ARR', revenueNum: 30_000_000, customers: '1.500+', funding: '$100M (Series C)', pricing: '$10K–100K+/yr', focus: { de: 'Open-Source SAST, Supply Chain', en: 'Open-source SAST, supply chain' } },
-  { name: 'Pentera', flag: '🇮🇱', hq: 'Tel Aviv', founded: 2015, employees: 400, revenue: '~$100M', revenueNum: 100_000_000, customers: '900+', funding: '$189M (Series C)', pricing: '$50K–250K+/yr', focus: { de: 'Automatisiertes Pentesting/BAS', en: 'Automated pentesting/BAS' } },
-  { name: 'Invicti', flag: '🇺🇸', hq: 'Austin, TX', founded: 2018, employees: 500, revenue: '~$100M', revenueNum: 100_000_000, customers: '3.000+', funding: 'PE (Turn/River)', pricing: '$15K–100K+/yr', focus: { de: 'DAST (Acunetix + Netsparker)', en: 'DAST (Acunetix + Netsparker)' } },
-  { name: 'Intruder', flag: '🇬🇧', hq: 'London', founded: 2015, employees: 100, revenue: '~$10M', revenueNum: 10_000_000, customers: '2.500+', funding: '$15M (Series A)', pricing: '$1.5K–20K+/yr', focus: { de: 'Vulnerability Scanner, SMB', en: 'Vulnerability scanner, SMB' } },
-]
-
-interface AppSecFeature {
-  de: string
-  en: string
-  bp: FeatureStatus
-  snyk: FeatureStatus
-  veracode: FeatureStatus
-  checkmarx: FeatureStatus
-  sonar: FeatureStatus
-  semgrep: FeatureStatus
-  pentera: FeatureStatus
-  invicti: FeatureStatus
-  intruder: FeatureStatus
-  isUSP: boolean
-}
-
-const APPSEC_FEATURES: AppSecFeature[] = [
-  // Pure AppSec Features only (Compliance USPs removed — belong on Compliance tabs)
-  { de: 'SAST (Static Analysis)', en: 'SAST (Static Analysis)', bp: true, snyk: true, veracode: true, checkmarx: true, sonar: true, semgrep: true, pentera: false, invicti: false, intruder: false, isUSP: false },
-  { de: 'DAST (Dynamic Analysis)', en: 'DAST (Dynamic Analysis)', bp: true, snyk: false, veracode: true, checkmarx: true, sonar: false, semgrep: false, pentera: true, invicti: true, intruder: true, isUSP: false },
-  { de: 'SCA (Software Composition)', en: 'SCA (Software Composition)', bp: true, snyk: true, veracode: true, checkmarx: true, sonar: 'partial', semgrep: 'partial', pentera: false, invicti: false, intruder: false, isUSP: false },
-  { de: 'LLM-basierte Auto-Fixes', en: 'LLM-Based Auto-Fixes', bp: true, snyk: 'partial', veracode: 'partial', checkmarx: 'partial', sonar: 'partial', semgrep: false, pentera: false, invicti: false, intruder: false, isUSP: false },
-  { de: 'SBOM-Generierung', en: 'SBOM Generation', bp: true, snyk: true, veracode: 'partial', checkmarx: 'partial', sonar: false, semgrep: false, pentera: false, invicti: false, intruder: false, isUSP: false },
-  { de: 'Container-Security', en: 'Container Security', bp: true, snyk: true, veracode: true, checkmarx: true, sonar: false, semgrep: 'partial', pentera: false, invicti: false, intruder: false, isUSP: false },
-  { de: 'Secret Detection', en: 'Secret Detection', bp: true, snyk: false, veracode: false, checkmarx: false, sonar: 'partial', semgrep: true, pentera: false, invicti: false, intruder: false, isUSP: false },
-  { de: 'IaC Scanning', en: 'IaC Scanning', bp: true, snyk: true, veracode: false, checkmarx: false, sonar: false, semgrep: true, pentera: false, invicti: false, intruder: false, isUSP: false },
-  { de: 'CI/CD-Integration', en: 'CI/CD Integration', bp: true, snyk: true, veracode: true, checkmarx: true, sonar: true, semgrep: true, pentera: 'partial', invicti: 'partial', intruder: 'partial', isUSP: false },
-  { de: 'API-Security Testing', en: 'API Security Testing', bp: true, snyk: false, veracode: 'partial', checkmarx: true, sonar: false, semgrep: false, pentera: 'partial', invicti: true, intruder: 'partial', isUSP: false },
-  { de: 'Automatisiertes Pentesting', en: 'Automated Pentesting', bp: true, snyk: false, veracode: false, checkmarx: false, sonar: false, semgrep: false, pentera: true, invicti: false, intruder: true, isUSP: false },
-  { de: 'Self-Hosted / On-Premise', en: 'Self-Hosted / On-Premise', bp: true, snyk: false, veracode: false, checkmarx: 'partial', sonar: true, semgrep: 'partial', pentera: 'partial', invicti: 'partial', intruder: false, isUSP: false },
-]
-
 // ─── Helpers ───────────────────────────────────────────────────────────────────
 
-function StatusIcon({ value }: { value: FeatureStatus }) {
-  if (value === true) return <Check className="w-3.5 h-3.5 text-green-400 mx-auto" />
-  if (value === 'partial') return <Minus className="w-3.5 h-3.5 text-yellow-400 mx-auto" />
-  return <X className="w-3.5 h-3.5 text-white/15 mx-auto" />
-}
-
-function AiBadge({ level, lang }: { level: 'full' | 'partial' | 'none'; lang: Language }) {
-  const colors = { full: 'bg-green-500/15 text-green-400', partial: 'bg-yellow-500/15 text-yellow-400', none: 'bg-white/5 text-white/30' }
-  const labels = { full: { de: 'KI', en: 'AI' }, partial: { de: 'Basis', en: 'Basic' }, none: { de: 'Keine', en: 'None' } }
-  return (
-    <span className={`text-[10px] px-1.5 py-0.5 rounded-full font-medium ${colors[level]}`}>
-      <Cpu className="w-2.5 h-2.5 inline mr-0.5 -mt-px" />
-      {labels[level][lang]}
-    </span>
-  )
-}
-
-function ratio(a: number, b: number): string {
-  if (b === 0) return '—'
-  const r = a / b
-  if (r >= 1_000_000) return `${(r / 1_000_000).toFixed(1)}M`
-  if (r >= 1_000) return `${(r / 1_000).toFixed(0)}k`
-  return r.toFixed(0)
-}
-
 // ─── Section Accordion ─────────────────────────────────────────────────────────
 
 function SectionHeader({
@@ -844,205 +419,3 @@ export default function CompetitionSlide({ lang, features, competitors }: Compet
   )
 }
 
-// ─── Sub-Components ────────────────────────────────────────────────────────────
-
-function CompetitorCard({ competitor: c, lang }: { competitor: ExtendedCompetitor; lang: Language }) {
-  return (
-    <div className="bg-white/[0.04] border border-white/5 rounded-xl p-2.5 text-[11px]">
-      {/* Header */}
-      <div className="flex items-center justify-between mb-1">
-        <div className="flex items-center gap-1.5">
-          <span className="text-sm">{c.flag}</span>
-          <span className="font-semibold text-white/80 text-xs">{c.name}</span>
-        </div>
-        <AiBadge level={c.aiUsage} lang={lang} />
-      </div>
-      {/* HQ + Offices */}
-      <div className="text-[10px] text-white/40 mb-1.5 truncate" title={`HQ: ${c.hq}, ${c.hqCountry}` + (c.offices.length > 1 ? ` | Offices: ${c.offices.join(', ')}` : '')}>
-        <span className="text-white/55">{c.hq}, {c.hqCountry}</span>
-        {c.offices.length > 1 && (
-          <span className="ml-1">+ {c.offices.join(', ')}</span>
-        )}
-      </div>
-      {/* KPIs */}
-      <div className="grid grid-cols-2 gap-x-3 gap-y-0.5 text-white/50">
-        <div className="flex items-center gap-1">
-          <span className="text-white/30">{lang === 'de' ? 'Gr.' : 'Est.'}</span>
-          <span className="text-white/70">{c.founded}</span>
-        </div>
-        <div className="flex items-center gap-1">
-          <Users className="w-2.5 h-2.5 text-white/30" />
-          <span className="text-white/70">{c.employees.toLocaleString()}</span>
-        </div>
-        <div className="flex items-center gap-1">
-          <DollarSign className="w-2.5 h-2.5 text-white/30" />
-          <span className="text-white/70">{c.revenue}</span>
-        </div>
-        <div className="flex items-center gap-1">
-          <Globe className="w-2.5 h-2.5 text-white/30" />
-          <span className="text-white/70">{c.customers.toLocaleString()} {lang === 'de' ? 'Kd.' : 'cust.'} ({c.customerCountries})</span>
-        </div>
-      </div>
-      {/* Funding + Investors */}
-      <div className="mt-1.5 pt-1.5 border-t border-white/5">
-        <div className="text-white/40">
-          <span className="text-white/60 font-medium">{c.fundingTotal}</span>
-          <span className="ml-1 text-[10px]">{c.fundingRound}</span>
-        </div>
-        {c.investors.length > 0 && (
-          <div className="text-[10px] text-white/30 mt-0.5 truncate" title={c.investors.join(', ')}>
-            {c.investors.slice(0, 3).join(', ')}{c.investors.length > 3 ? ' +' + (c.investors.length - 3) : ''}
-          </div>
-        )}
-      </div>
-      {/* Market */}
-      <div className="mt-1 text-[10px] text-white/35 truncate" title={c.market[lang]}>
-        {c.market[lang]}
-      </div>
-    </div>
-  )
-}
-
-const GROUP_LABELS: Record<string, { de: string; en: string; color: string }> = {
-  'code-security': { de: 'Code Security & DevSecOps', en: 'Code Security & DevSecOps', color: 'text-red-400' },
-  'ai-data': { de: 'KI & Daten', en: 'AI & Data', color: 'text-purple-400' },
-  'frameworks': { de: 'Regulatorische Frameworks', en: 'Regulatory Frameworks', color: 'text-blue-400' },
-  'documentation': { de: 'Compliance-Dokumentation', en: 'Compliance Documentation', color: 'text-emerald-400' },
-  'operations': { de: 'Operative Compliance', en: 'Operative Compliance', color: 'text-amber-400' },
-  'platform': { de: 'Technische Plattform', en: 'Technical Platform', color: 'text-cyan-400' },
-  'industry': { de: 'Branche & Spezial', en: 'Industry & Specialty', color: 'text-orange-400' },
-}
-
-function FeatureTable({
-  features,
-  lang,
-  cols,
-  labels,
-}: {
-  features: ComparisonFeature[]
-  lang: Language
-  cols: readonly string[]
-  labels: string[]
-  highlight?: boolean
-}) {
-  // Build rows with group headers
-  const rowElements: React.ReactNode[] = []
-  let lastGroup = ''
-  features.forEach((f, i) => {
-    const grp = f.group || ''
-    if (grp && grp !== lastGroup) {
-      const gl = GROUP_LABELS[grp]
-      if (gl) {
-        rowElements.push(
-          <tr key={`grp-${grp}`} className="bg-white/[0.02]">
-            <td colSpan={cols.length + 1} className={`py-1.5 px-2 text-[10px] font-bold uppercase tracking-wider ${gl.color}`}>
-              {lang === 'de' ? gl.de : gl.en}
-            </td>
-          </tr>
-        )
-      }
-      lastGroup = grp
-    }
-    rowElements.push(
-      <tr key={i} className={`border-b border-white/5 ${f.isDiff ? 'bg-indigo-500/5' : ''}`}>
-        <td className="py-1.5 px-2 flex items-center gap-1.5">
-          {f.isDiff && <Star className="w-3 h-3 text-yellow-400 shrink-0" />}
-          <span className={f.isDiff ? 'text-white font-medium' : 'text-white/60'}>
-            {lang === 'de' ? f.de : f.en}
-          </span>
-        </td>
-        {cols.map(col => (
-          <td key={col} className="py-1.5 px-1.5 text-center">
-            <StatusIcon value={f[col as keyof ComparisonFeature] as FeatureStatus} />
-          </td>
-        ))}
-      </tr>
-    )
-  })
-
-  return (
-    <div className="overflow-x-auto mt-1 mb-1">
-      <table className="w-full text-[11px]">
-        <thead>
-          <tr className="border-b border-white/10">
-            <th className="text-left py-1.5 px-2 text-white/40 font-medium min-w-[180px]">Feature</th>
-            {labels.map((l, idx) => (
-              <th key={l} className={`py-1.5 px-1.5 font-medium text-center whitespace-nowrap ${idx === 0 ? 'text-indigo-400' : 'text-white/50'}`}>
-                {idx === 0 ? <BrandName className="text-[11px]" /> : l}
-              </th>
-            ))}
-          </tr>
-        </thead>
-        <tbody>{rowElements}</tbody>
-      </table>
-    </div>
-  )
-}
-
-function AppSecCard({ competitor: c, lang }: { competitor: AppSecCompetitor; lang: Language }) {
-  return (
-    <div className="bg-white/[0.04] border border-white/5 rounded-xl p-2 text-[11px]">
-      <div className="flex items-center gap-1.5 mb-1">
-        <span className="text-sm">{c.flag}</span>
-        <span className="font-semibold text-white/80 text-xs">{c.name}</span>
-      </div>
-      <div className="text-[10px] text-white/40 mb-1 truncate">{c.hq} · {c.founded}</div>
-      <div className="grid grid-cols-2 gap-x-2 gap-y-0.5 text-white/50">
-        <div className="flex items-center gap-1">
-          <Users className="w-2.5 h-2.5 text-white/30" />
-          <span className="text-white/70">{c.employees.toLocaleString()}</span>
-        </div>
-        <div className="flex items-center gap-1">
-          <DollarSign className="w-2.5 h-2.5 text-white/30" />
-          <span className="text-white/70 truncate">{c.revenue}</span>
-        </div>
-      </div>
-      <div className="mt-1 pt-1 border-t border-white/5 text-[10px]">
-        <div className="text-white/40 truncate">{c.funding}</div>
-        <div className="text-white/50 mt-0.5">{c.pricing}</div>
-      </div>
-      <div className="mt-1 text-[10px] text-white/35 truncate" title={c.focus[lang]}>
-        {c.focus[lang]}
-      </div>
-    </div>
-  )
-}
-
-function AppSecFeatureTable({ features, lang, highlight }: { features: AppSecFeature[]; lang: Language; highlight?: boolean }) {
-  const cols = ['bp', 'snyk', 'veracode', 'checkmarx', 'sonar', 'semgrep', 'pentera', 'invicti', 'intruder'] as const
-  const labels = ['ComplAI', 'Snyk', 'Veracode', 'Checkmarx', 'Sonar', 'Semgrep', 'Pentera', 'Invicti', 'Intruder']
-
-  return (
-    <div className="overflow-x-auto mt-1 mb-1">
-      <table className="w-full text-[11px]">
-        <thead>
-          <tr className="border-b border-white/10">
-            <th className="text-left py-1.5 px-2 text-white/40 font-medium min-w-[160px]">Feature</th>
-            {labels.map((l, idx) => (
-              <th key={l} className={`py-1.5 px-1 font-medium text-center whitespace-nowrap ${idx === 0 ? 'text-indigo-400' : 'text-white/50'}`}>
-                {idx === 0 ? <BrandName className="text-[11px]" /> : l}
-              </th>
-            ))}
-          </tr>
-        </thead>
-        <tbody>
-          {features.map((f, i) => (
-            <tr key={i} className={`border-b border-white/5 ${highlight && f.isUSP ? 'bg-indigo-500/5' : ''}`}>
-              <td className="py-1.5 px-2 flex items-center gap-1.5">
-                {f.isUSP && highlight && <Star className="w-3 h-3 text-yellow-400 shrink-0" />}
-                <span className={f.isUSP && highlight ? 'text-white font-medium' : 'text-white/60'}>
-                  {lang === 'de' ? f.de : f.en}
-                </span>
-              </td>
-              {cols.map(col => (
-                <td key={col} className="py-1.5 px-1 text-center">
-                  <StatusIcon value={f[col] as FeatureStatus} />
-                </td>
-              ))}
-            </tr>
-          ))}
-        </tbody>
-      </table>
-    </div>
-  )
-}
diff --git a/pitch-deck/components/slides/ExecutiveSummarySlide.pdf.ts b/pitch-deck/components/slides/ExecutiveSummarySlide.pdf.ts
new file mode 100644
index 0000000..c1e5c44
--- /dev/null
+++ b/pitch-deck/components/slides/ExecutiveSummarySlide.pdf.ts
@@ -0,0 +1,221 @@
+// ExecutiveSummarySlide PDF generation — extracted from ExecutiveSummarySlide.tsx
+
+import { Language, PitchData } from '@/lib/types'
+import { formatEur } from '@/lib/i18n'
+
+interface PdfParams {
+  lang: Language
+  data: PitchData
+  es: Record<string, string>
+  funding: PitchData['funding']
+  tam: { value_eur: number } | undefined
+  sam: { value_eur: number } | undefined
+  som: { value_eur: number } | undefined
+  amountLabel: string
+  de: boolean
+}
+
+export function generatePdfHtml({ lang, data, es, funding, tam, sam, som, amountLabel, de }: PdfParams): string {
+  const tamVal = tam ? formatEur(tam.value_eur, lang) : '\u2014'
+  const samVal = sam ? formatEur(sam.value_eur, lang) : '\u2014'
+  const somVal = som ? formatEur(som.value_eur, lang) : '\u2014'
+
+  const teamHtml = data.team?.map(m =>
+    `<div class="founder"><strong>${m.name}</strong><span>${de ? m.role_de : m.role_en}</span></div>`
+  ).join('') || ''
+
+  const useOfFundsHtml = funding?.use_of_funds?.map(f =>
+    `<div class="fund-row"><span>${de ? f.label_de : f.label_en}</span><strong>${f.percentage}%</strong></div>`
+  ).join('') || ''
+
+  return `<!DOCTYPE html>
+<html lang="${lang}">
+<head>
+<meta charset="utf-8">
+<title>BreakPilot ComplAI \u2014 Executive Summary</title>
+<link href="https://fonts.googleapis.com/css2?family=Plus+Jakarta+Sans:wght@300;400;500;600;700;800&display=swap" rel="stylesheet">
+<style>
+  @page { size: 297mm 680mm; margin: 30mm 12mm; }
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body {
+    font-family: 'Plus Jakarta Sans', -apple-system, sans-serif;
+    background: #fff; color: #1a1a2e;
+    width: 100%; max-width: 273mm;
+    position: relative; font-size: 10.5px; line-height: 1.45;
+  }
+  @media print { body { -webkit-print-color-adjust: exact; print-color-adjust: exact; } }
+
+  .top-bar { height: 6px; background: linear-gradient(90deg, #6366f1, #8b5cf6, #a78bfa, #06b6d4); }
+  .container { padding: 18px 30px 12px; }
+
+  .header { display: flex; justify-content: space-between; align-items: flex-start; margin-bottom: 10px; }
+  .header h1 { font-size: 28px; font-weight: 800; letter-spacing: -1px; color: #4f46e5; }
+  .header .tagline { font-size: 11px; color: #64748b; margin-top: 2px; }
+  .badge { background: #4f46e5; color: #fff; padding: 4px 14px; border-radius: 20px; font-size: 10px; font-weight: 700; }
+
+  .hero { background: linear-gradient(135deg, #eef2ff, #f0f9ff); border-radius: 10px; padding: 12px 18px; margin-bottom: 12px; border-left: 4px solid #6366f1; }
+  .hero p { font-size: 11.5px; line-height: 1.45; color: #334155; }
+  .hero strong { color: #4f46e5; font-weight: 700; }
+
+  .usp { background: linear-gradient(135deg, #4f46e5, #7c3aed); color: #fff; border-radius: 8px; padding: 10px 16px; margin-bottom: 12px; text-align: center; }
+  .usp strong { font-size: 11px; }
+
+  .grid2 { display: grid; grid-template-columns: 1fr 1fr; gap: 10px; margin-bottom: 10px; }
+  .grid3 { display: grid; grid-template-columns: 1fr 1fr 1fr; gap: 8px; margin-bottom: 10px; }
+  .grid4 { display: grid; grid-template-columns: repeat(4, 1fr); gap: 8px; margin-bottom: 10px; }
+  .grid6 { display: grid; grid-template-columns: repeat(6, 1fr); gap: 6px; margin-bottom: 10px; }
+
+  .section-title { font-size: 10px; font-weight: 700; color: #4f46e5; text-transform: uppercase; letter-spacing: 0.5px; margin-bottom: 5px; border-bottom: 1px solid #e5e7eb; padding-bottom: 3px; }
+  .card { background: #f8fafc; border: 1px solid #e2e8f0; border-radius: 8px; padding: 9px 11px; }
+  .card.highlight { border-left: 3px solid #6366f1; }
+  .card.cyan { border-left: 3px solid #06b6d4; }
+
+  .kpi { text-align: center; padding: 8px 4px; border-radius: 8px; background: #f8fafc; border: 1px solid #e2e8f0; }
+  .kpi .value { font-size: 18px; font-weight: 800; color: #4f46e5; }
+  .kpi .label { font-size: 7.5px; color: #64748b; margin-top: 1px; font-weight: 500; text-transform: uppercase; letter-spacing: 0.3px; }
+
+  .product-card { border: 1px solid #e2e8f0; border-radius: 10px; padding: 10px 13px; position: relative; overflow: hidden; }
+  .product-card::before { content: ''; position: absolute; top: 0; left: 0; right: 0; height: 3px; }
+  .product-card.scanner::before { background: linear-gradient(90deg, #6366f1, #8b5cf6); }
+  .product-card.platform::before { background: linear-gradient(90deg, #06b6d4, #0ea5e9); }
+  .product-card h3 { font-size: 12px; font-weight: 800; margin-bottom: 1px; }
+  .product-card.scanner h3 { color: #4f46e5; }
+  .product-card.platform h3 { color: #0891b2; }
+  .product-card .sub { font-size: 8px; color: #94a3b8; font-weight: 600; text-transform: uppercase; letter-spacing: 0.5px; margin-bottom: 5px; }
+  .product-card ul { list-style: none; }
+  .product-card li { font-size: 9px; line-height: 1.3; padding: 1.5px 0 1.5px 12px; position: relative; color: #475569; }
+  .product-card li::before { content: ''; position: absolute; left: 0; top: 6px; width: 5px; height: 5px; border-radius: 50%; }
+  .product-card.scanner li::before { background: #818cf8; }
+  .product-card.platform li::before { background: #22d3ee; }
+
+  .roadmap-item { padding: 7px 9px; border-radius: 7px; border: 1px dashed #c7d2fe; background: #fefce8; }
+  .roadmap-item .rm-title { font-size: 9px; font-weight: 700; color: #92400e; margin-bottom: 1px; }
+  .roadmap-item .rm-desc { font-size: 7.5px; color: #78716c; line-height: 1.25; }
+
+  .bottom-card ul { list-style: none; }
+  .bottom-card li { font-size: 9px; color: #475569; padding: 1.5px 0 1.5px 11px; position: relative; line-height: 1.3; }
+  .bottom-card li::before { content: '\\2192'; position: absolute; left: 0; color: #8b5cf6; font-weight: 700; }
+  .market-row { display: flex; justify-content: space-between; margin-bottom: 2px; font-size: 9.5px; }
+  .market-label { font-weight: 700; color: #4f46e5; min-width: 35px; }
+  .fund-row { display: flex; justify-content: space-between; font-size: 9px; margin-bottom: 1px; }
+  .founder { display: flex; justify-content: space-between; font-size: 9px; margin-bottom: 2px; }
+  .founder span { color: #64748b; }
+
+  .footer { padding: 8px 30px; background: #f8fafc; border-top: 1px solid #e2e8f0; display: flex; justify-content: space-between; font-size: 8px; color: #94a3b8; }
+</style>
+</head>
+<body>
+<div class="top-bar"></div>
+<div class="container">
+
+  <div class="header">
+    <div>
+      <h1>BreakPilot COMPL<span style="color:#4f46e5;">AI</span></h1>
+      <div class="tagline">Executive Summary</div>
+    </div>
+    <div class="badge">Pre-Seed ${funding?.target_date ? 'Q' + Math.ceil((new Date(funding.target_date).getMonth() + 1) / 3) + ' ' + new Date(funding.target_date).getFullYear() : 'Q4 2026'}</div>
+  </div>
+
+  <div class="hero">
+    <p>${de
+      ? 'BreakPilot COMPL<strong>AI</strong> ist eine <strong>DSGVO-konforme KI-Plattform</strong>, die kontinuierliches Sicherheitsscanning mit intelligenter Compliance-Automatisierung vereint. Wir helfen unseren Kunden, ihren <strong>Code abzusichern</strong>, <strong>Compliance skalierbar durchzusetzen</strong> und <strong>volle Datensouver\\u00e4nit\\u00e4t zu bewahren</strong> \\u2014 gest\\u00fctzt auf \\u00fcber 25.000 atomaren Sicherheitskontrollen f\\u00fcr einen l\\u00fcckenlosen Audit-Trail.'
+      : 'BreakPilot COMPL<strong>AI</strong> is a <strong>GDPR-compliant AI platform</strong> that combines continuous security scanning with intelligent compliance automation. We help our customers <strong>secure their code</strong>, <strong>enforce compliance at scale</strong> and <strong>maintain full data sovereignty</strong> \\u2014 powered by over 25,000 atomic audit aspects for a complete audit trail.'
+    }</p>
+  </div>
+
+  <div class="usp"><strong>${es.usp}:</strong> ${es.uspText}</div>
+
+  <div class="grid2">
+    <div class="card highlight"><div class="section-title">${es.problem}</div><div style="font-size:10px;">${es.problemText}</div></div>
+    <div class="card highlight"><div class="section-title">${es.solution}</div><div style="font-size:10px;">${es.solutionText}</div></div>
+  </div>
+
+  <div style="display:grid;grid-template-columns:repeat(5,1fr);gap:8px;margin-bottom:10px;">
+    <div class="kpi"><div class="value">25.000+</div><div class="label">${es.controls}</div></div>
+    <div class="kpi"><div class="value">380+</div><div class="label">${es.regulations}</div></div>
+    <div class="kpi"><div class="value">10</div><div class="label">${es.industries}</div></div>
+    <div class="kpi"><div class="value">500K+</div><div class="label">${es.linesOfCode}</div></div>
+    <div class="kpi"><div class="value">${amountLabel}</div><div class="label">${es.theAsk}</div></div>
+  </div>
+
+  <div class="grid2">
+    <div class="product-card scanner">
+      <h3>${de ? 'Compliance Scanner' : 'Compliance Scanner'}</h3>
+      <div class="sub">${de ? 'Kontinuierlicher KI-Sicherheitsagent' : 'Continuous AI Security Agent'}</div>
+      <ul>
+        <li><strong>SAST + DAST + SBOM</strong> ${de ? '\\u2014 Vollumf\\u00e4ngliche Sicherheitstests bei jeder Code-\\u00c4nderung' : '\\u2014 Full security testing on every code change'}</li>
+        <li><strong>${de ? 'KI-gest\\u00fctztes Pentesting' : 'AI-powered Pentesting'}</strong> ${de ? '\\u2014 Kontinuierlich statt einmal im Jahr' : '\\u2014 Continuous instead of once a year'}</li>
+        <li><strong>CE-Software-Risikobeurteilung</strong> ${de ? '\\u2014 F\\u00fcr Maschinenverordnung und Produktsicherheit' : '\\u2014 For Machinery Regulation and product safety'}</li>
+        <li><strong>Issue-Tracker-Integration</strong> ${de ? '\\u2014 Findings als Tickets mit Implementierungsvorschl\\u00e4gen' : '\\u2014 Findings as tickets with implementation suggestions'}</li>
+        <li><strong>Audit-Trail</strong> ${de ? '\\u2014 L\\u00fcckenloser Nachweis von Erkennung bis Behebung' : '\\u2014 Complete evidence from detection to remediation'}</li>
+      </ul>
+    </div>
+    <div class="product-card platform">
+      <h3>${de ? 'ComplAI Plattform' : 'ComplAI Platform'}</h3>
+      <div class="sub">${de ? 'Souver\\u00e4ne Compliance-Infrastruktur' : 'Sovereign Compliance Infrastructure'}</div>
+      <ul>
+        <li><strong>${de ? 'Compliance-Dokumente' : 'Compliance Documents'}</strong> ${de ? '\\u2014 VVT, TOMs, DSFA, L\\u00f6schfristen automatisch' : '\\u2014 RoPA, TOMs, DPIA, retention automatically'}</li>
+        <li><strong>Audit Manager</strong> ${de ? '\\u2014 Abweichungen End-to-End: Rollen, Stichtage, Eskalation' : '\\u2014 Deviations end-to-end: roles, deadlines, escalation'}</li>
+        <li><strong>Compliance LLM</strong> ${de ? '\\u2014 GPT f\\u00fcr Text und Audio, sicher in der EU gehostet' : '\\u2014 GPT for text and audio, securely hosted in EU'}</li>
+        <li><strong>Academy</strong> ${de ? '\\u2014 Online-Schulungen f\\u00fcr GF und Mitarbeiter' : '\\u2014 Online training for management and employees'}</li>
+        <li><strong>${de ? 'BSI-Cloud DE / FR' : 'BSI Cloud DE / FR'}</strong> ${de ? '\\u2014 Keine US-SaaS, Jitsi, Matrix, volle Integration' : '\\u2014 No US SaaS, Jitsi, Matrix, full integration'}</li>
+      </ul>
+    </div>
+  </div>
+
+  <div class="section-title">${de ? 'Roadmap' : 'Roadmap'}</div>
+  <div class="grid4">
+    <div class="roadmap-item"><div class="rm-title">${de ? 'Q4 2026: Launch' : 'Q4 2026: Launch'}</div><div class="rm-desc">${de ? 'Gr\\u00fcndung, erste Pilotkunden, Cloud-Plattform live' : 'Founding, first pilot customers, cloud platform live'}</div></div>
+    <div class="roadmap-item"><div class="rm-title">${de ? 'Q2 2027: Scale' : 'Q2 2027: Scale'}</div><div class="rm-desc">${de ? 'Vertriebsteam, Messen, Marketing-Offensive' : 'Sales team, trade fairs, marketing push'}</div></div>
+    <div class="roadmap-item"><div class="rm-title">${de ? 'Q4 2027: Enterprise' : 'Q4 2027: Enterprise'}</div><div class="rm-desc">${de ? 'Enterprise-Kunden, Distributor-Partnerschaften' : 'Enterprise customers, distributor partnerships'}</div></div>
+    <div class="roadmap-item"><div class="rm-title">${de ? 'Q3 2029: Break-Even' : 'Q3 2029: Break-Even'}</div><div class="rm-desc">${de ? 'Profitabilit\\u00e4t, Series A Vorbereitung' : 'Profitability, Series A preparation'}</div></div>
+  </div>
+
+  <div class="grid2" style="grid-template-columns: 1fr 1fr 1fr 1fr; gap: 10px;">
+    <div class="card bottom-card">
+      <div class="section-title">${de ? 'Gesch\\u00e4ftsmodell' : 'Business Model'}</div>
+      <ul>
+        <li><strong>SaaS Cloud</strong> ${de ? '\\u2014 BSI DE / FR, mitarbeiterbasiert' : '\\u2014 BSI DE / FR, employee-based'}</li>
+        <li><strong>${de ? 'Modular w\\u00e4hlbar' : 'Modular choice'}</strong> ${de ? '\\u2014 Einzelne Module oder Full Compliance' : '\\u2014 Single modules or full compliance'}</li>
+        <li><strong>${de ? 'ROI ab Tag 1' : 'ROI from day 1'}</strong> ${de ? '\\u2014 KMU spart 55.000 EUR/Jahr (3,7x ROI)' : '\\u2014 SME saves EUR 55,000/year (3.7x ROI)'}</li>
+      </ul>
+    </div>
+    <div class="card bottom-card">
+      <div class="section-title">${de ? 'Zielm\\u00e4rkte' : 'Target Markets'}</div>
+      <ul>
+        <li><strong>${de ? 'Maschinenbau KMU' : 'Manufacturing SMEs'}</strong> ${de ? '\\u2014 10-500 MA, Eigenentwicklung' : '\\u2014 10-500 emp., own development'}</li>
+        <li><strong>${de ? 'Regulierte Branchen' : 'Regulated Industries'}</strong> ${de ? '\\u2014 Gesundheit, Finanzen, KRITIS' : '\\u2014 Healthcare, finance, critical infra'}</li>
+        <li><strong>${de ? 'EU-Datensouver\\u00e4nit\\u00e4t' : 'EU Data Sovereignty'}</strong> ${de ? '\\u2014 Unternehmen die US-SaaS ablehnen' : '\\u2014 Companies rejecting US SaaS'}</li>
+      </ul>
+    </div>
+    <div class="card bottom-card">
+      <div class="section-title">${de ? 'Gr\\u00fcnder' : 'Founders'}</div>
+      ${teamHtml}
+    </div>
+    <div class="card bottom-card">
+      <div class="section-title">${es.theAsk} \\u2014 ${amountLabel}</div>
+      <div class="market-row"><span class="market-label">TAM</span><span>${tamVal}</span></div>
+      <div class="market-row"><span class="market-label">SAM</span><span>${samVal}</span></div>
+      <div class="market-row"><span class="market-label">SOM</span><span>${somVal}</span></div>
+      <div style="border-top:1px solid #e5e7eb;margin-top:4px;padding-top:4px;">
+        ${useOfFundsHtml}
+      </div>
+    </div>
+  </div>
+
+  <div style="background:#f8fafc;border:1px solid #e2e8f0;border-radius:6px;padding:8px 12px;margin-top:10px;">
+    <div style="font-size:8px;font-weight:700;color:#94a3b8;text-transform:uppercase;letter-spacing:0.5px;margin-bottom:3px;">${de ? 'Hinweis / Haftungsausschluss' : 'Disclaimer'}</div>
+    <div style="font-size:7px;color:#94a3b8;line-height:1.4;">${de
+      ? 'Dieses Dokument dient ausschlie\\u00dflich Informationszwecken und stellt weder ein Angebot zum Verkauf noch eine Aufforderung zum Kauf von Anteilen oder Wertpapieren dar. Die enthaltenen Informationen wurden vom Team Breakpilot (Gr\\u00fcnderteam, noch keine Gesellschaft gegr\\u00fcndet) nach bestem Wissen und Gewissen erstellt, k\\u00f6nnen jedoch unvollst\\u00e4ndig sein und jederzeit ohne vorherige Ank\\u00fcndigung ge\\u00e4ndert werden. Es wird keine ausdr\\u00fcckliche oder konkludente Gew\\u00e4hr f\\u00fcr die Richtigkeit, Vollst\\u00e4ndigkeit oder Aktualit\\u00e4t der Inhalte \\u00fcbernommen. Es besteht keine Verpflichtung zur Aktualisierung der enthaltenen Informationen. Dieses Dokument enth\\u00e4lt zukunftsgerichtete Aussagen, die auf aktuellen Annahmen und Erwartungen beruhen und mit erheblichen Risiken und Unsicherheiten verbunden sind. Die tats\\u00e4chlichen Ergebnisse k\\u00f6nnen wesentlich von den dargestellten abweichen. Eine Investitionsentscheidung sollte ausschlie\\u00dflich auf Grundlage weitergehender, rechtlich verbindlicher Unterlagen sowie unter Hinzuziehung eigener rechtlicher, steuerlicher und finanzieller Beratung getroffen werden. Soweit gesetzlich zul\\u00e4ssig, wird jede Haftung des Team Breakpilot sowie seiner Mitglieder f\\u00fcr etwaige Sch\\u00e4den, die direkt oder indirekt aus der Nutzung dieses Dokuments entstehen, ausgeschlossen. Dieses Dokument ist vertraulich und ausschlie\\u00dflich f\\u00fcr den vorgesehenen Empf\\u00e4nger bestimmt. Eine Weitergabe, Vervielf\\u00e4ltigung oder Ver\\u00f6ffentlichung ist ohne vorherige schriftliche Zustimmung nicht gestattet.'
+      : 'This document is for informational purposes only and does not constitute an offer to sell or a solicitation to purchase shares or securities. The information contained herein was prepared by Team Breakpilot (founding team, no company incorporated yet) to the best of their knowledge, but may be incomplete and subject to change without prior notice. No express or implied warranty is given for the accuracy, completeness or timeliness of the content. This document contains forward-looking statements based on current assumptions and expectations that involve significant risks and uncertainties. Actual results may differ materially. Any investment decision should be based solely on further legally binding documents and with the advice of independent legal, tax and financial counsel. To the extent permitted by law, all liability of Team Breakpilot and its members for any damages arising directly or indirectly from the use of this document is excluded. This document is confidential and intended solely for the designated recipient. Distribution, reproduction or publication without prior written consent is prohibited.'
+    }</div>
+  </div>
+
+</div>
+<div class="footer">
+  <span>${de ? 'Vertraulich \\u2014 Nur f\\u00fcr Investoren' : 'Confidential \\u2014 Investors only'}</span>
+  <span>${data.company?.website || 'breakpilot.ai'} \\u2014 ${data.company?.hq_city || ''}</span>
+  <span>BreakPilot ComplAI \\u2014 ${de ? 'M\\u00e4rz' : 'March'} 2026</span>
+</div>
+</body></html>`
+}
diff --git a/pitch-deck/components/slides/ExecutiveSummarySlide.tsx b/pitch-deck/components/slides/ExecutiveSummarySlide.tsx
index b265694..6b3fb99 100644
--- a/pitch-deck/components/slides/ExecutiveSummarySlide.tsx
+++ b/pitch-deck/components/slides/ExecutiveSummarySlide.tsx
@@ -4,6 +4,7 @@ import { useCallback, useEffect, useState } from 'react'
 import { Language, PitchData } from '@/lib/types'
 import { t, formatEur } from '@/lib/i18n'
 import { useFpKPIs } from '@/lib/hooks/useFpKPIs'
+import { generatePdfHtml } from './ExecutiveSummarySlide.pdf'
 import GradientText from '../ui/GradientText'
 import FadeInView from '../ui/FadeInView'
 import GlassCard from '../ui/GlassCard'
@@ -46,224 +47,8 @@ export default function ExecutiveSummarySlide({ lang, data, investorId, preferre
     const printWindow = window.open('', '_blank')
     if (!printWindow) return
 
-    const tamVal = tam ? formatEur(tam.value_eur, lang) : '—'
-    const samVal = sam ? formatEur(sam.value_eur, lang) : '—'
-    const somVal = som ? formatEur(som.value_eur, lang) : '—'
-
-    const teamHtml = data.team?.map(m =>
-      `<div class="founder"><strong>${m.name}</strong><span>${de ? m.role_de : m.role_en}</span></div>`
-    ).join('') || ''
-
-    const useOfFundsHtml = funding?.use_of_funds?.map(f =>
-      `<div class="fund-row"><span>${de ? f.label_de : f.label_en}</span><strong>${f.percentage}%</strong></div>`
-    ).join('') || ''
-
-    printWindow.document.write(`<!DOCTYPE html>
-<html lang="${lang}">
-<head>
-<meta charset="utf-8">
-<title>BreakPilot ComplAI — Executive Summary</title>
-<link href="https://fonts.googleapis.com/css2?family=Plus+Jakarta+Sans:wght@300;400;500;600;700;800&display=swap" rel="stylesheet">
-<style>
-  @page { size: 297mm 680mm; margin: 30mm 12mm; }
-  * { margin: 0; padding: 0; box-sizing: border-box; }
-  body {
-    font-family: 'Plus Jakarta Sans', -apple-system, sans-serif;
-    background: #fff; color: #1a1a2e;
-    width: 100%; max-width: 273mm;
-    position: relative; font-size: 10.5px; line-height: 1.45;
-  }
-  @media print { body { -webkit-print-color-adjust: exact; print-color-adjust: exact; } }
-
-  .top-bar { height: 6px; background: linear-gradient(90deg, #6366f1, #8b5cf6, #a78bfa, #06b6d4); }
-  .container { padding: 18px 30px 12px; }
-
-  /* Header */
-  .header { display: flex; justify-content: space-between; align-items: flex-start; margin-bottom: 10px; }
-  .header h1 { font-size: 28px; font-weight: 800; letter-spacing: -1px; color: #4f46e5; }
-  .header .tagline { font-size: 11px; color: #64748b; margin-top: 2px; }
-  .badge { background: #4f46e5; color: #fff; padding: 4px 14px; border-radius: 20px; font-size: 10px; font-weight: 700; }
-
-  /* Hero */
-  .hero { background: linear-gradient(135deg, #eef2ff, #f0f9ff); border-radius: 10px; padding: 12px 18px; margin-bottom: 12px; border-left: 4px solid #6366f1; }
-  .hero p { font-size: 11.5px; line-height: 1.45; color: #334155; }
-  .hero strong { color: #4f46e5; font-weight: 700; }
-
-  /* USP */
-  .usp { background: linear-gradient(135deg, #4f46e5, #7c3aed); color: #fff; border-radius: 8px; padding: 10px 16px; margin-bottom: 12px; text-align: center; }
-  .usp strong { font-size: 11px; }
-
-  /* Grid layouts */
-  .grid2 { display: grid; grid-template-columns: 1fr 1fr; gap: 10px; margin-bottom: 10px; }
-  .grid3 { display: grid; grid-template-columns: 1fr 1fr 1fr; gap: 8px; margin-bottom: 10px; }
-  .grid4 { display: grid; grid-template-columns: repeat(4, 1fr); gap: 8px; margin-bottom: 10px; }
-  .grid6 { display: grid; grid-template-columns: repeat(6, 1fr); gap: 6px; margin-bottom: 10px; }
-
-  /* Sections */
-  .section-title { font-size: 10px; font-weight: 700; color: #4f46e5; text-transform: uppercase; letter-spacing: 0.5px; margin-bottom: 5px; border-bottom: 1px solid #e5e7eb; padding-bottom: 3px; }
-  .card { background: #f8fafc; border: 1px solid #e2e8f0; border-radius: 8px; padding: 9px 11px; }
-  .card.highlight { border-left: 3px solid #6366f1; }
-  .card.cyan { border-left: 3px solid #06b6d4; }
-
-  /* KPIs */
-  .kpi { text-align: center; padding: 8px 4px; border-radius: 8px; background: #f8fafc; border: 1px solid #e2e8f0; }
-  .kpi .value { font-size: 18px; font-weight: 800; color: #4f46e5; }
-  .kpi .label { font-size: 7.5px; color: #64748b; margin-top: 1px; font-weight: 500; text-transform: uppercase; letter-spacing: 0.3px; }
-
-  /* Product cards */
-  .product-card { border: 1px solid #e2e8f0; border-radius: 10px; padding: 10px 13px; position: relative; overflow: hidden; }
-  .product-card::before { content: ''; position: absolute; top: 0; left: 0; right: 0; height: 3px; }
-  .product-card.scanner::before { background: linear-gradient(90deg, #6366f1, #8b5cf6); }
-  .product-card.platform::before { background: linear-gradient(90deg, #06b6d4, #0ea5e9); }
-  .product-card h3 { font-size: 12px; font-weight: 800; margin-bottom: 1px; }
-  .product-card.scanner h3 { color: #4f46e5; }
-  .product-card.platform h3 { color: #0891b2; }
-  .product-card .sub { font-size: 8px; color: #94a3b8; font-weight: 600; text-transform: uppercase; letter-spacing: 0.5px; margin-bottom: 5px; }
-  .product-card ul { list-style: none; }
-  .product-card li { font-size: 9px; line-height: 1.3; padding: 1.5px 0 1.5px 12px; position: relative; color: #475569; }
-  .product-card li::before { content: ''; position: absolute; left: 0; top: 6px; width: 5px; height: 5px; border-radius: 50%; }
-  .product-card.scanner li::before { background: #818cf8; }
-  .product-card.platform li::before { background: #22d3ee; }
-
-  /* Roadmap */
-  .roadmap-item { padding: 7px 9px; border-radius: 7px; border: 1px dashed #c7d2fe; background: #fefce8; }
-  .roadmap-item .rm-title { font-size: 9px; font-weight: 700; color: #92400e; margin-bottom: 1px; }
-  .roadmap-item .rm-desc { font-size: 7.5px; color: #78716c; line-height: 1.25; }
-
-  /* Bottom sections */
-  .bottom-card ul { list-style: none; }
-  .bottom-card li { font-size: 9px; color: #475569; padding: 1.5px 0 1.5px 11px; position: relative; line-height: 1.3; }
-  .bottom-card li::before { content: '\\2192'; position: absolute; left: 0; color: #8b5cf6; font-weight: 700; }
-  .market-row { display: flex; justify-content: space-between; margin-bottom: 2px; font-size: 9.5px; }
-  .market-label { font-weight: 700; color: #4f46e5; min-width: 35px; }
-  .fund-row { display: flex; justify-content: space-between; font-size: 9px; margin-bottom: 1px; }
-  .founder { display: flex; justify-content: space-between; font-size: 9px; margin-bottom: 2px; }
-  .founder span { color: #64748b; }
-
-  /* Footer */
-  .footer { padding: 8px 30px; background: #f8fafc; border-top: 1px solid #e2e8f0; display: flex; justify-content: space-between; font-size: 8px; color: #94a3b8; }
-</style>
-</head>
-<body>
-<div class="top-bar"></div>
-<div class="container">
-
-  <div class="header">
-    <div>
-      <h1>BreakPilot COMPL<span style="color:#4f46e5;">AI</span></h1>
-      <div class="tagline">Executive Summary</div>
-    </div>
-    <div class="badge">Pre-Seed ${funding?.target_date ? 'Q' + Math.ceil((new Date(funding.target_date).getMonth() + 1) / 3) + ' ' + new Date(funding.target_date).getFullYear() : 'Q4 2026'}</div>
-  </div>
-
-  <div class="hero">
-    <p>${de
-      ? 'BreakPilot COMPL<strong>AI</strong> ist eine <strong>DSGVO-konforme KI-Plattform</strong>, die kontinuierliches Sicherheitsscanning mit intelligenter Compliance-Automatisierung vereint. Wir helfen unseren Kunden, ihren <strong>Code abzusichern</strong>, <strong>Compliance skalierbar durchzusetzen</strong> und <strong>volle Datensouver\\u00e4nit\\u00e4t zu bewahren</strong> \\u2014 gest\\u00fctzt auf \\u00fcber 25.000 atomaren Sicherheitskontrollen f\\u00fcr einen l\\u00fcckenlosen Audit-Trail.'
-      : 'BreakPilot COMPL<strong>AI</strong> is a <strong>GDPR-compliant AI platform</strong> that combines continuous security scanning with intelligent compliance automation. We help our customers <strong>secure their code</strong>, <strong>enforce compliance at scale</strong> and <strong>maintain full data sovereignty</strong> \\u2014 powered by over 25,000 atomic audit aspects for a complete audit trail.'
-    }</p>
-  </div>
-
-  <div class="usp"><strong>${es.usp}:</strong> ${es.uspText}</div>
-
-  <div class="grid2">
-    <div class="card highlight">
-      <div class="section-title">${es.problem}</div>
-      <div style="font-size:10px;">${es.problemText}</div>
-    </div>
-    <div class="card highlight">
-      <div class="section-title">${es.solution}</div>
-      <div style="font-size:10px;">${es.solutionText}</div>
-    </div>
-  </div>
-
-  <div style="display:grid;grid-template-columns:repeat(5,1fr);gap:8px;margin-bottom:10px;">
-    <div class="kpi"><div class="value">25.000+</div><div class="label">${es.controls}</div></div>
-    <div class="kpi"><div class="value">380+</div><div class="label">${es.regulations}</div></div>
-    <div class="kpi"><div class="value">10</div><div class="label">${es.industries}</div></div>
-    <div class="kpi"><div class="value">500K+</div><div class="label">${es.linesOfCode}</div></div>
-    <div class="kpi"><div class="value">${amountLabel}</div><div class="label">${es.theAsk}</div></div>
-  </div>
-
-  <div class="grid2">
-    <div class="product-card scanner">
-      <h3>${de ? 'Compliance Scanner' : 'Compliance Scanner'}</h3>
-      <div class="sub">${de ? 'Kontinuierlicher KI-Sicherheitsagent' : 'Continuous AI Security Agent'}</div>
-      <ul>
-        <li><strong>SAST + DAST + SBOM</strong> ${de ? '\\u2014 Vollumf\\u00e4ngliche Sicherheitstests bei jeder Code-\\u00c4nderung' : '\\u2014 Full security testing on every code change'}</li>
-        <li><strong>${de ? 'KI-gest\\u00fctztes Pentesting' : 'AI-powered Pentesting'}</strong> ${de ? '\\u2014 Kontinuierlich statt einmal im Jahr' : '\\u2014 Continuous instead of once a year'}</li>
-        <li><strong>CE-Software-Risikobeurteilung</strong> ${de ? '\\u2014 F\\u00fcr Maschinenverordnung und Produktsicherheit' : '\\u2014 For Machinery Regulation and product safety'}</li>
-        <li><strong>Issue-Tracker-Integration</strong> ${de ? '\\u2014 Findings als Tickets mit Implementierungsvorschl\\u00e4gen' : '\\u2014 Findings as tickets with implementation suggestions'}</li>
-        <li><strong>Audit-Trail</strong> ${de ? '\\u2014 L\\u00fcckenloser Nachweis von Erkennung bis Behebung' : '\\u2014 Complete evidence from detection to remediation'}</li>
-      </ul>
-    </div>
-    <div class="product-card platform">
-      <h3>${de ? 'ComplAI Plattform' : 'ComplAI Platform'}</h3>
-      <div class="sub">${de ? 'Souver\\u00e4ne Compliance-Infrastruktur' : 'Sovereign Compliance Infrastructure'}</div>
-      <ul>
-        <li><strong>${de ? 'Compliance-Dokumente' : 'Compliance Documents'}</strong> ${de ? '\\u2014 VVT, TOMs, DSFA, L\\u00f6schfristen automatisch' : '\\u2014 RoPA, TOMs, DPIA, retention automatically'}</li>
-        <li><strong>Audit Manager</strong> ${de ? '\\u2014 Abweichungen End-to-End: Rollen, Stichtage, Eskalation' : '\\u2014 Deviations end-to-end: roles, deadlines, escalation'}</li>
-        <li><strong>Compliance LLM</strong> ${de ? '\\u2014 GPT f\\u00fcr Text und Audio, sicher in der EU gehostet' : '\\u2014 GPT for text and audio, securely hosted in EU'}</li>
-        <li><strong>Academy</strong> ${de ? '\\u2014 Online-Schulungen f\\u00fcr GF und Mitarbeiter' : '\\u2014 Online training for management and employees'}</li>
-        <li><strong>${de ? 'BSI-Cloud DE / FR' : 'BSI Cloud DE / FR'}</strong> ${de ? '\\u2014 Keine US-SaaS, Jitsi, Matrix, volle Integration' : '\\u2014 No US SaaS, Jitsi, Matrix, full integration'}</li>
-      </ul>
-    </div>
-  </div>
-
-  <div class="section-title">${de ? 'Roadmap' : 'Roadmap'}</div>
-  <div class="grid4">
-    <div class="roadmap-item"><div class="rm-title">${de ? 'Q4 2026: Launch' : 'Q4 2026: Launch'}</div><div class="rm-desc">${de ? 'Gr\\u00fcndung, erste Pilotkunden, Cloud-Plattform live' : 'Founding, first pilot customers, cloud platform live'}</div></div>
-    <div class="roadmap-item"><div class="rm-title">${de ? 'Q2 2027: Scale' : 'Q2 2027: Scale'}</div><div class="rm-desc">${de ? 'Vertriebsteam, Messen, Marketing-Offensive' : 'Sales team, trade fairs, marketing push'}</div></div>
-    <div class="roadmap-item"><div class="rm-title">${de ? 'Q4 2027: Enterprise' : 'Q4 2027: Enterprise'}</div><div class="rm-desc">${de ? 'Enterprise-Kunden, Distributor-Partnerschaften' : 'Enterprise customers, distributor partnerships'}</div></div>
-    <div class="roadmap-item"><div class="rm-title">${de ? 'Q3 2029: Break-Even' : 'Q3 2029: Break-Even'}</div><div class="rm-desc">${de ? 'Profitabilit\\u00e4t, Series A Vorbereitung' : 'Profitability, Series A preparation'}</div></div>
-  </div>
-
-  <div class="grid2" style="grid-template-columns: 1fr 1fr 1fr 1fr; gap: 10px;">
-    <div class="card bottom-card">
-      <div class="section-title">${de ? 'Gesch\\u00e4ftsmodell' : 'Business Model'}</div>
-      <ul>
-        <li><strong>SaaS Cloud</strong> ${de ? '\\u2014 BSI DE / FR, mitarbeiterbasiert' : '\\u2014 BSI DE / FR, employee-based'}</li>
-        <li><strong>${de ? 'Modular w\\u00e4hlbar' : 'Modular choice'}</strong> ${de ? '\\u2014 Einzelne Module oder Full Compliance' : '\\u2014 Single modules or full compliance'}</li>
-        <li><strong>${de ? 'ROI ab Tag 1' : 'ROI from day 1'}</strong> ${de ? '\\u2014 KMU spart 55.000 EUR/Jahr (3,7x ROI)' : '\\u2014 SME saves EUR 55,000/year (3.7x ROI)'}</li>
-      </ul>
-    </div>
-    <div class="card bottom-card">
-      <div class="section-title">${de ? 'Zielm\\u00e4rkte' : 'Target Markets'}</div>
-      <ul>
-        <li><strong>${de ? 'Maschinenbau KMU' : 'Manufacturing SMEs'}</strong> ${de ? '\\u2014 10-500 MA, Eigenentwicklung' : '\\u2014 10-500 emp., own development'}</li>
-        <li><strong>${de ? 'Regulierte Branchen' : 'Regulated Industries'}</strong> ${de ? '\\u2014 Gesundheit, Finanzen, KRITIS' : '\\u2014 Healthcare, finance, critical infra'}</li>
-        <li><strong>${de ? 'EU-Datensouver\\u00e4nit\\u00e4t' : 'EU Data Sovereignty'}</strong> ${de ? '\\u2014 Unternehmen die US-SaaS ablehnen' : '\\u2014 Companies rejecting US SaaS'}</li>
-      </ul>
-    </div>
-    <div class="card bottom-card">
-      <div class="section-title">${de ? 'Gr\\u00fcnder' : 'Founders'}</div>
-      ${teamHtml}
-    </div>
-    <div class="card bottom-card">
-      <div class="section-title">${es.theAsk} \\u2014 ${amountLabel}</div>
-      <div class="market-row"><span class="market-label">TAM</span><span>${tamVal}</span></div>
-      <div class="market-row"><span class="market-label">SAM</span><span>${samVal}</span></div>
-      <div class="market-row"><span class="market-label">SOM</span><span>${somVal}</span></div>
-      <div style="border-top:1px solid #e5e7eb;margin-top:4px;padding-top:4px;">
-        ${useOfFundsHtml}
-      </div>
-    </div>
-  </div>
-
-  <div style="background:#f8fafc;border:1px solid #e2e8f0;border-radius:6px;padding:8px 12px;margin-top:10px;">
-    <div style="font-size:8px;font-weight:700;color:#94a3b8;text-transform:uppercase;letter-spacing:0.5px;margin-bottom:3px;">${de ? 'Hinweis / Haftungsausschluss' : 'Disclaimer'}</div>
-    <div style="font-size:7px;color:#94a3b8;line-height:1.4;">${de
-      ? 'Dieses Dokument dient ausschlie\\u00dflich Informationszwecken und stellt weder ein Angebot zum Verkauf noch eine Aufforderung zum Kauf von Anteilen oder Wertpapieren dar. Die enthaltenen Informationen wurden vom Team Breakpilot (Gr\\u00fcnderteam, noch keine Gesellschaft gegr\\u00fcndet) nach bestem Wissen und Gewissen erstellt, k\\u00f6nnen jedoch unvollst\\u00e4ndig sein und jederzeit ohne vorherige Ank\\u00fcndigung ge\\u00e4ndert werden. Es wird keine ausdr\\u00fcckliche oder konkludente Gew\\u00e4hr f\\u00fcr die Richtigkeit, Vollst\\u00e4ndigkeit oder Aktualit\\u00e4t der Inhalte \\u00fcbernommen. Es besteht keine Verpflichtung zur Aktualisierung der enthaltenen Informationen. Dieses Dokument enth\\u00e4lt zukunftsgerichtete Aussagen, die auf aktuellen Annahmen und Erwartungen beruhen und mit erheblichen Risiken und Unsicherheiten verbunden sind. Die tats\\u00e4chlichen Ergebnisse k\\u00f6nnen wesentlich von den dargestellten abweichen. Eine Investitionsentscheidung sollte ausschlie\\u00dflich auf Grundlage weitergehender, rechtlich verbindlicher Unterlagen sowie unter Hinzuziehung eigener rechtlicher, steuerlicher und finanzieller Beratung getroffen werden. Soweit gesetzlich zul\\u00e4ssig, wird jede Haftung des Team Breakpilot sowie seiner Mitglieder f\\u00fcr etwaige Sch\\u00e4den, die direkt oder indirekt aus der Nutzung dieses Dokuments entstehen, ausgeschlossen. Dieses Dokument ist vertraulich und ausschlie\\u00dflich f\\u00fcr den vorgesehenen Empf\\u00e4nger bestimmt. Eine Weitergabe, Vervielf\\u00e4ltigung oder Ver\\u00f6ffentlichung ist ohne vorherige schriftliche Zustimmung nicht gestattet.'
-      : 'This document is for informational purposes only and does not constitute an offer to sell or a solicitation to purchase shares or securities. The information contained herein was prepared by Team Breakpilot (founding team, no company incorporated yet) to the best of their knowledge, but may be incomplete and subject to change without prior notice. No express or implied warranty is given for the accuracy, completeness or timeliness of the content. This document contains forward-looking statements based on current assumptions and expectations that involve significant risks and uncertainties. Actual results may differ materially. Any investment decision should be based solely on further legally binding documents and with the advice of independent legal, tax and financial counsel. To the extent permitted by law, all liability of Team Breakpilot and its members for any damages arising directly or indirectly from the use of this document is excluded. This document is confidential and intended solely for the designated recipient. Distribution, reproduction or publication without prior written consent is prohibited.'
-    }</div>
-  </div>
-
-</div>
-<div class="footer">
-  <span>${de ? 'Vertraulich \\u2014 Nur f\\u00fcr Investoren' : 'Confidential \\u2014 Investors only'}</span>
-  <span>${data.company?.website || 'breakpilot.ai'} \\u2014 ${data.company?.hq_city || ''}</span>
-  <span>BreakPilot ComplAI \\u2014 ${de ? 'M\\u00e4rz' : 'March'} 2026</span>
-</div>
-</body></html>`)
+    const html = generatePdfHtml({ lang, data, es, funding, tam, sam, som, amountLabel, de })
+    printWindow.document.write(html)
 
     printWindow.document.close()
     setTimeout(() => printWindow.print(), 300)
diff --git a/pitch-deck/components/slides/FinanzplanSlide.charts.tsx b/pitch-deck/components/slides/FinanzplanSlide.charts.tsx
new file mode 100644
index 0000000..68485a6
--- /dev/null
+++ b/pitch-deck/components/slides/FinanzplanSlide.charts.tsx
@@ -0,0 +1,289 @@
+'use client'
+
+import GlassCard from '../ui/GlassCard'
+import { formatCell } from './FinanzplanSlide.helpers'
+
+interface ChartsTabProps {
+  fpKPIs: Record<string, Record<string, number>>
+  de: boolean
+  chartDetail: string | null
+  setChartDetail: (v: string | null) => void
+}
+
+const YEARS = ['y2026', 'y2027', 'y2028', 'y2029', 'y2030']
+
+function fmtK(v: number) {
+  return Math.abs(v) >= 1000000 ? `${(v / 1000000).toFixed(1)}M` : `${Math.round(v / 1000)}k`
+}
+
+function fmtV(v: number) {
+  return v.toLocaleString('de-DE')
+}
+
+function getChartDetails(de: boolean): Record<string, { title: string; desc: string }> {
+  return {
+    mrr: { title: 'MRR (Monthly Recurring Revenue)', desc: de ? 'Monatlich wiederkehrender Umsatz im Dezember des jeweiligen Jahres — der wichtigste KPI für SaaS-Unternehmen. Zeigt den tatsächlichen monatlichen Run-Rate, nicht den Jahresdurchschnitt. ARR = MRR × 12.' : 'Monthly recurring revenue in December of each year — the most important SaaS KPI. Shows the actual monthly run rate, not the annual average. ARR = MRR × 12.' },
+    ebit: { title: 'EBIT (Earnings Before Interest & Taxes)', desc: de ? 'Operatives Ergebnis vor Zinsen und Steuern — zeigt die tatsächliche Profitabilität des Geschäftsbetriebs. Positiver EBIT = das Geschäftsmodell funktioniert.' : 'Operating profit before interest and taxes — shows actual profitability of operations. Positive EBIT = the business model works.' },
+    headcount: { title: de ? 'Personalaufbau' : 'Headcount', desc: de ? 'Geplanter Teamaufbau über 5 Jahre. Wir starten lean mit 2 Gründern und wachsen bedarfsorientiert. Jede Einstellung ist an einen konkreten Meilenstein geknüpft.' : 'Planned team growth over 5 years. We start lean with 2 founders and grow based on demand. Each hire is tied to a concrete milestone.' },
+    cash: { title: de ? 'Liquidität (Jahresende)' : 'Cash Position (Year-End)', desc: de ? 'Kontostand am Ende jedes Jahres. Zeigt ob genug Geld für den laufenden Betrieb vorhanden ist. Die Liquiditätskurve berücksichtigt alle Einnahmen, Ausgaben, Investitionen und Finanzierungen.' : 'Bank balance at end of each year. Shows if enough cash is available for operations. The liquidity curve accounts for all revenue, expenses, investments and financing.' },
+    revcost: { title: de ? 'Umsatz vs. Gesamtkosten' : 'Revenue vs. Total Costs', desc: de ? 'Vergleich zwischen Einnahmen und Ausgaben. Der Schnittpunkt zeigt den Break-Even — ab dann verdient das Unternehmen mehr als es ausgibt.' : 'Comparison between income and expenses. The intersection shows break-even — from then on, the company earns more than it spends.' },
+    acv: { title: 'ACV (Average Contract Value)', desc: de ? 'Durchschnittlicher Vertragswert pro Kunde und Jahr. Steigender ACV bedeutet: Kunden kaufen mehr Module oder wechseln in höhere Tiers.' : 'Average contract value per customer per year. Rising ACV means: customers buy more modules or upgrade to higher tiers.' },
+    grossMargin: { title: 'Gross Margin', desc: de ? 'Rohertragsmarge — wieviel Prozent vom Umsatz nach Abzug der direkten Kosten (Cloud-Infrastruktur, Lizenzen) übrig bleibt. Bei SaaS typisch 70-90%.' : 'How much revenue remains after direct costs (cloud infrastructure, licenses). Typical for SaaS: 70-90%.' },
+    nrr: { title: de ? 'Umsatzwachstum (YoY)' : 'Revenue Growth (YoY)', desc: de ? 'Jahresvergleich des Gesamtumsatzes — zeigt die Wachstumsgeschwindigkeit. In der Frühphase primär durch Neukundengewinnung getrieben, später zunehmend durch Expansion bestehender Kunden (Upselling in höhere Tiers).' : 'Year-over-year total revenue comparison — shows growth velocity. In early stages driven primarily by new customer acquisition, later increasingly by expansion of existing customers (upselling to higher tiers).' },
+    ebitMargin: { title: 'EBIT Margin', desc: de ? 'Operatives Ergebnis in Prozent vom Umsatz. Zeigt die Effizienz des Geschäftsmodells. Ziel für SaaS: 20-30% in der Reifephase.' : 'Operating result as percentage of revenue. Shows business model efficiency. Target for SaaS: 20-30% at maturity.' },
+  }
+}
+
+function ChartDetailOverlay({ chartDetail, fpKPIs, de, onClose }: {
+  chartDetail: string; fpKPIs: Record<string, Record<string, number>>; de: boolean; onClose: () => void
+}) {
+  const chartDetails = getChartDetails(de)
+  const detailInfo = chartDetails[chartDetail]
+  if (!detailInfo) return null
+
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center p-4" onClick={onClose}>
+      <div className="absolute inset-0 bg-black/60 backdrop-blur-sm" />
+      <div className="relative bg-slate-900/95 border border-white/10 rounded-2xl p-6 max-w-lg w-full" onClick={e => e.stopPropagation()}>
+        <button onClick={onClose} className="absolute top-4 right-4 text-white/40 hover:text-white/80 text-lg">✕</button>
+        <h3 className="text-xl font-bold text-white mb-3">{detailInfo.title}</h3>
+        <p className="text-sm text-white/60 leading-relaxed">{detailInfo.desc}</p>
+        {fpKPIs.y2026 && (
+          <div className="mt-4 pt-4 border-t border-white/10">
+            <div className="grid grid-cols-5 gap-2 text-center">
+              {[2026, 2027, 2028, 2029, 2030].map(y => {
+                const keyMap: Record<string, string> = { cash: 'liquiditaet', revcost: 'revenue', acv: 'arpu' }
+                const key = keyMap[chartDetail] || chartDetail
+                const v = fpKPIs[`y${y}`]?.[key as keyof typeof fpKPIs['y2026']] as number || 0
+                return (
+                  <div key={y}>
+                    <div className="text-[10px] text-white/40">{y}</div>
+                    <div className="text-sm font-bold text-white">{typeof v === 'number' && Math.abs(v) >= 1000 ? fmtK(v) : `${v}`}</div>
+                  </div>
+                )
+              })}
+            </div>
+          </div>
+        )}
+      </div>
+    </div>
+  )
+}
+
+export default function ChartsTab({ fpKPIs, de, chartDetail, setChartDetail }: ChartsTabProps) {
+  const detailInfo = chartDetail ? getChartDetails(de)[chartDetail] : null
+
+  return (
+    <div className="space-y-4">
+      {/* Detail overlay */}
+      {detailInfo && chartDetail && (
+        <ChartDetailOverlay chartDetail={chartDetail} fpKPIs={fpKPIs} de={de} onClose={() => setChartDetail(null)} />
+      )}
+
+      {/* MRR + Kunden Chart */}
+      <GlassCard hover={false} className="p-4 cursor-pointer" onClick={() => setChartDetail('mrr')}>
+        <div className="flex items-center justify-between mb-3">
+          <h3 className="text-xs font-bold text-indigo-400 uppercase tracking-wider">{de ? 'MRR & Kundenentwicklung' : 'MRR & Customer Growth'}</h3>
+          <span className="text-[9px] text-white/30">{de ? 'Klicken für Details' : 'Click for details'}</span>
+        </div>
+        <div className="flex">
+          <div className="flex flex-col justify-between h-40 pr-2 text-[9px] text-white/30 text-right" style={{ width: 45 }}>
+            {(() => { const m = Math.max(...YEARS.map(y => fpKPIs[y]?.mrr || 0), 1); return [m, Math.round(m / 2), 0].map((v, i) => <span key={i}>{fmtK(v)} €</span>) })()}
+          </div>
+          <div className="flex-1 grid grid-cols-5 gap-1 items-end h-40 border-l border-b border-white/10 pl-2 pb-1">
+            {YEARS.map((y, idx) => {
+              const d = { mrr: fpKPIs[y]?.mrr || 0, cust: fpKPIs[y]?.customers || 0 }
+              const maxMrr = Math.max(...YEARS.map(k => fpKPIs[k]?.mrr || 0), 1)
+              const maxCust = Math.max(...YEARS.map(k => fpKPIs[k]?.customers || 0), 1)
+              return (
+                <div key={idx} className="flex flex-col items-center gap-1">
+                  <div className="flex items-end gap-1 w-full justify-center" style={{ height: '130px' }}>
+                    <div className="w-8 bg-indigo-500/60 rounded-t transition-all" style={{ height: `${(d.mrr / maxMrr) * 120}px` }}>
+                      <div className="text-[10px] text-white/80 text-center -mt-3.5 whitespace-nowrap font-semibold">{fmtK(d.mrr)}</div>
+                    </div>
+                    <div className="w-8 bg-emerald-500/60 rounded-t transition-all" style={{ height: `${(d.cust / maxCust) * 120}px` }}>
+                      <div className="text-[10px] text-white/80 text-center -mt-3.5 whitespace-nowrap font-semibold">{d.cust}</div>
+                    </div>
+                  </div>
+                  <span className="text-[10px] text-white/50 font-medium">{y.slice(1)}</span>
+                </div>
+              )
+            })}
+          </div>
+        </div>
+        <div className="flex justify-center gap-6 mt-2 text-[10px]">
+          <span className="flex items-center gap-1.5"><span className="w-3 h-2 bg-indigo-500/60 rounded inline-block" /> MRR (€/Mon)</span>
+          <span className="flex items-center gap-1.5"><span className="w-3 h-2 bg-emerald-500/60 rounded inline-block" /> {de ? 'Bestandskunden (Dez)' : 'Customers (Dec)'}</span>
+        </div>
+      </GlassCard>
+
+      {/* EBIT + Headcount */}
+      <div className="grid md:grid-cols-2 gap-4">
+        <GlassCard hover={false} className="p-4 cursor-pointer" onClick={() => setChartDetail('ebit')}>
+          <div className="flex items-center justify-between mb-3">
+            <h3 className="text-xs font-bold text-purple-400 uppercase tracking-wider">EBIT</h3>
+            <span className="text-[9px] text-white/30">€/Jahr</span>
+          </div>
+          <div className="flex">
+            <div className="flex flex-col justify-between h-28 pr-2 text-[9px] text-white/30 text-right" style={{ width: 40 }}>
+              {(() => { const vals = YEARS.map(y => fpKPIs[y]?.ebit || 0); const mx = Math.max(...vals.map(Math.abs), 1); return [fmtK(mx), '0', fmtK(-mx)].map((v, i) => <span key={i}>{v}</span>) })()}
+            </div>
+            <div className="flex-1 grid grid-cols-5 gap-1 items-end h-28 border-l border-white/10 pl-2">
+              {YEARS.map((y, idx) => {
+                const v = fpKPIs[y]?.ebit || 0
+                const maxAbs = Math.max(...YEARS.map(k => Math.abs(fpKPIs[k]?.ebit || 0)), 1)
+                const h = Math.abs(v) / maxAbs * 90
+                return (
+                  <div key={idx} className="flex flex-col items-center">
+                    <div className="w-10 flex flex-col justify-end" style={{ height: '100px' }}>
+                      <div className={`${v >= 0 ? 'bg-emerald-500/60 rounded-t' : 'bg-red-500/60 rounded-b'} w-full`} style={{ height: `${h}px` }}>
+                        <div className={`text-[10px] ${v >= 0 ? 'text-emerald-300' : 'text-red-300'} text-center -mt-3.5 whitespace-nowrap font-semibold`}>{fmtK(v)}</div>
+                      </div>
+                    </div>
+                    <span className="text-[10px] text-white/50 mt-1 font-medium">{y.slice(1)}</span>
+                  </div>
+                )
+              })}
+            </div>
+          </div>
+        </GlassCard>
+
+        <GlassCard hover={false} className="p-4 cursor-pointer" onClick={() => setChartDetail('headcount')}>
+          <div className="flex items-center justify-between mb-3">
+            <h3 className="text-xs font-bold text-amber-400 uppercase tracking-wider">{de ? 'Personalaufbau' : 'Headcount'}</h3>
+            <span className="text-[9px] text-white/30">{de ? 'Mitarbeiter (Dez)' : 'Employees (Dec)'}</span>
+          </div>
+          <div className="flex">
+            <div className="flex flex-col justify-between h-28 pr-2 text-[9px] text-white/30 text-right" style={{ width: 25 }}>
+              {(() => { const m = Math.max(...YEARS.map(y => fpKPIs[y]?.headcount || 0), 1); return [m, Math.round(m / 2), 0].map((v, i) => <span key={i}>{v}</span>) })()}
+            </div>
+            <div className="flex-1 grid grid-cols-5 gap-1 items-end h-28 border-l border-b border-white/10 pl-2 pb-1">
+              {YEARS.map((y, idx) => {
+                const v = fpKPIs[y]?.headcount || 0
+                const mx = Math.max(...YEARS.map(k => fpKPIs[k]?.headcount || 0), 1)
+                return (
+                  <div key={idx} className="flex flex-col items-center">
+                    <div className="w-10 flex flex-col justify-end" style={{ height: '90px' }}>
+                      <div className="bg-amber-500/60 rounded-t w-full" style={{ height: `${(v / mx) * 80}px` }}>
+                        <div className="text-[11px] text-amber-300 text-center -mt-3.5 font-bold">{v}</div>
+                      </div>
+                    </div>
+                    <span className="text-[10px] text-white/50 mt-1 font-medium">{y.slice(1)}</span>
+                  </div>
+                )
+              })}
+            </div>
+          </div>
+        </GlassCard>
+      </div>
+
+      {/* Liquiditat + Revenue vs Costs */}
+      <div className="grid md:grid-cols-2 gap-4">
+        <GlassCard hover={false} className="p-4 cursor-pointer" onClick={() => setChartDetail('cash')}>
+          <div className="flex items-center justify-between mb-3">
+            <h3 className="text-xs font-bold text-cyan-400 uppercase tracking-wider">{de ? 'Liquidität' : 'Cash Position'}</h3>
+            <span className="text-[9px] text-white/30">{de ? 'Jahresende' : 'Year-End'}</span>
+          </div>
+          <div className="flex">
+            <div className="flex flex-col justify-between h-28 pr-2 text-[9px] text-white/30 text-right" style={{ width: 40 }}>
+              {(() => { const m = Math.max(...YEARS.map(y => Math.abs(fpKPIs[y]?.liquiditaet || 0)), 1); return [fmtK(m), fmtK(m / 2), '0'].map((v, i) => <span key={i}>{v}</span>) })()}
+            </div>
+            <div className="flex-1 grid grid-cols-5 gap-1 items-end h-28 border-l border-b border-white/10 pl-2 pb-1">
+              {YEARS.map((y, idx) => {
+                const v = fpKPIs[y]?.liquiditaet || 0
+                const mx = Math.max(...YEARS.map(k => Math.abs(fpKPIs[k]?.liquiditaet || 0)), 1)
+                const h = Math.abs(v) / mx * 90
+                return (
+                  <div key={idx} className="flex flex-col items-center">
+                    <div className="w-10 flex flex-col justify-end" style={{ height: '90px' }}>
+                      <div className={`${v >= 0 ? 'bg-cyan-500/60 rounded-t' : 'bg-red-500/60 rounded-b'} w-full`} style={{ height: `${Math.max(h, 4)}px` }}>
+                        <div className={`text-[10px] ${v >= 0 ? 'text-cyan-300' : 'text-red-300'} text-center -mt-3.5 whitespace-nowrap font-semibold`}>{fmtK(v)}</div>
+                      </div>
+                    </div>
+                    <span className="text-[10px] text-white/50 mt-1 font-medium">{y.slice(1)}</span>
+                  </div>
+                )
+              })}
+            </div>
+          </div>
+        </GlassCard>
+
+        <GlassCard hover={false} className="p-4 cursor-pointer" onClick={() => setChartDetail('revcost')}>
+          <div className="flex items-center justify-between mb-3">
+            <h3 className="text-xs font-bold text-indigo-400 uppercase tracking-wider">{de ? 'Umsatz vs. Kosten' : 'Revenue vs. Costs'}</h3>
+            <span className="text-[9px] text-white/30">€/Jahr</span>
+          </div>
+          <div className="flex">
+            <div className="flex flex-col justify-between h-28 pr-2 text-[9px] text-white/30 text-right" style={{ width: 40 }}>
+              {(() => {
+                const d = YEARS.map(y => ({ rev: fpKPIs[y]?.revenue || 0, costs: (fpKPIs[y]?.revenue || 0) - (fpKPIs[y]?.ebit || 0) }))
+                const mx = Math.max(...d.map(x => Math.max(x.rev, x.costs)), 1)
+                return [fmtK(mx), fmtK(mx / 2), '0'].map((v, i) => <span key={i}>{v}</span>)
+              })()}
+            </div>
+            <div className="flex-1 grid grid-cols-5 gap-1 items-end h-28 border-l border-b border-white/10 pl-2 pb-1">
+              {(() => {
+                const data = YEARS.map(y => ({ year: y.slice(1), rev: fpKPIs[y]?.revenue || 0, costs: (fpKPIs[y]?.revenue || 0) - (fpKPIs[y]?.ebit || 0) }))
+                const mx = Math.max(...data.map(d => Math.max(d.rev, d.costs)), 1)
+                return data.map((d, idx) => (
+                  <div key={idx} className="flex flex-col items-center gap-1">
+                    <div className="flex items-end gap-1 w-full justify-center" style={{ height: '90px' }}>
+                      <div className="w-6 bg-indigo-500/60 rounded-t" style={{ height: `${(d.rev / mx) * 80}px` }}>
+                        <div className="text-[9px] text-indigo-300 text-center -mt-3 whitespace-nowrap font-semibold">{fmtK(d.rev)}</div>
+                      </div>
+                      <div className="w-6 bg-red-500/40 rounded-t" style={{ height: `${(d.costs / mx) * 80}px` }}>
+                        <div className="text-[9px] text-red-300 text-center -mt-3 whitespace-nowrap font-semibold">{fmtK(d.costs)}</div>
+                      </div>
+                    </div>
+                    <span className="text-[10px] text-white/50 font-medium">{d.year}</span>
+                  </div>
+                ))
+              })()}
+            </div>
+          </div>
+          <div className="flex justify-center gap-4 mt-2 text-[9px]">
+            <span className="flex items-center gap-1"><span className="w-3 h-1.5 bg-indigo-500/60 rounded inline-block" /> {de ? 'Umsatz' : 'Revenue'}</span>
+            <span className="flex items-center gap-1"><span className="w-3 h-1.5 bg-red-500/40 rounded inline-block" /> {de ? 'Kosten' : 'Costs'}</span>
+          </div>
+        </GlassCard>
+      </div>
+
+      {/* Unit Economics */}
+      <GlassCard hover={false} className="p-4">
+        <h3 className="text-xs font-bold text-purple-400 uppercase tracking-wider mb-3">Unit Economics (2026–2030)</h3>
+        <div className="grid md:grid-cols-4 gap-3">
+          {[
+            { label: 'ACV', key: 'arpu', unit: '€', color: 'text-indigo-300', bg: 'bg-indigo-500/60', detail: 'acv' },
+            { label: 'Gross Margin', key: 'grossMargin', unit: '%', color: 'text-emerald-300', bg: 'bg-emerald-500/60', detail: 'grossMargin' },
+            { label: de ? 'Wachstum' : 'Growth', key: 'nrr', unit: '%', color: 'text-purple-300', bg: 'bg-purple-500/60', detail: 'nrr' },
+            { label: 'EBIT Margin', key: 'ebitMargin', unit: '%', color: 'text-amber-300', bg: 'bg-amber-500/60', detail: 'ebitMargin' },
+          ].map((metric, mIdx) => (
+            <div key={mIdx} className="text-center cursor-pointer hover:bg-white/[0.03] rounded-lg p-2 transition-colors" onClick={() => setChartDetail(metric.detail)}>
+              <p className={`text-[10px] font-bold ${metric.color} uppercase tracking-wider mb-2`}>{metric.label}</p>
+              <div className="flex items-end justify-center gap-1 h-16">
+                {[2026, 2027, 2028, 2029, 2030].map((y, idx) => {
+                  const val = fpKPIs[`y${y}`]?.[metric.key as keyof typeof fpKPIs['y2026']] as number || 0
+                  const maxVal = Math.max(...[2026, 2027, 2028, 2029, 2030].map(yr => Math.abs(fpKPIs[`y${yr}`]?.[metric.key as keyof typeof fpKPIs['y2026']] as number || 0)), 1)
+                  const h = Math.abs(val) / maxVal * 50
+                  return (
+                    <div key={idx} className="flex flex-col items-center">
+                      <div className={`w-4 ${val >= 0 ? metric.bg + ' rounded-t' : 'bg-red-500/60 rounded-b'}`} style={{ height: `${Math.max(h, 2)}px` }} />
+                      <span className="text-[8px] text-white/30 mt-0.5">{String(y).slice(2)}</span>
+                    </div>
+                  )
+                })}
+              </div>
+              <p className={`text-sm font-bold ${metric.color} mt-1`}>
+                {(() => {
+                  const v = fpKPIs.y2030?.[metric.key as keyof typeof fpKPIs['y2026']] as number || 0
+                  return metric.unit === '€' ? `${fmtV(v)}${metric.unit}` : `${v}${metric.unit}`
+                })()}
+              </p>
+              <p className="text-[8px] text-white/25">2030</p>
+            </div>
+          ))}
+        </div>
+      </GlassCard>
+    </div>
+  )
+}
diff --git a/pitch-deck/components/slides/FinanzplanSlide.datagrid.tsx b/pitch-deck/components/slides/FinanzplanSlide.datagrid.tsx
new file mode 100644
index 0000000..e7a2e0b
--- /dev/null
+++ b/pitch-deck/components/slides/FinanzplanSlide.datagrid.tsx
@@ -0,0 +1,348 @@
+'use client'
+
+import {
+  SheetRow, MONTH_LABELS, FORMULA_TOOLTIPS,
+  getLabel, getValues, formatCell,
+} from './FinanzplanSlide.helpers'
+
+/* ── Tooltip for formula-linked labels ── */
+
+function LabelWithTooltip({ label }: { label: string }) {
+  const tooltip = FORMULA_TOOLTIPS[label]
+  if (!tooltip) return <span>{label}</span>
+  return (
+    <span className="group relative cursor-help">
+      {label}
+      <span className="invisible group-hover:visible absolute left-0 top-full mt-1 z-50 bg-slate-800 border border-white/10 text-[9px] text-white/70 px-2 py-1 rounded shadow-lg whitespace-nowrap">
+        {tooltip}
+      </span>
+    </span>
+  )
+}
+
+/* ── GuV Annual Table (y2026-y2030) ── */
+
+interface GuvTableProps {
+  rows: SheetRow[]
+  de: boolean
+}
+
+export function GuvTable({ rows, de }: GuvTableProps) {
+  return (
+    <table className="w-full text-[10px]">
+      <thead>
+        <tr className="border-b border-white/10">
+          <th className="text-left py-1.5 px-2 text-white/60 font-medium sticky left-0 bg-slate-900/90 backdrop-blur min-w-[220px]">
+            {de ? 'GuV-Position' : 'P&L Item'}
+          </th>
+          {[2026, 2027, 2028, 2029, 2030].map(y => (
+            <th key={y} className="text-right py-1.5 px-3 text-white/60 font-medium min-w-[100px]">{y}</th>
+          ))}
+        </tr>
+      </thead>
+      <tbody>
+        {rows.map(row => {
+          const values = getValues(row)
+          const label = getLabel(row)
+          const isMajorSum = label === 'EBIT' || label.includes('Rohergebnis') || label.includes('Jahresüberschuss') || label.includes('Ergebnis nach Steuern')
+          const isMinorSum = row.is_sum_row || label.includes('Summe') || label.includes('Gesamtleistung') || label.includes('Steuern gesamt')
+          const isSumRow = isMajorSum || isMinorSum
+
+          return (
+            <tr key={row.id} className={`${isMajorSum ? 'border-t-2 border-t-white/20 border-b border-b-white/[0.05] bg-white/[0.05]' : isMinorSum ? 'border-t border-t-white/10 border-b border-b-white/[0.03] bg-white/[0.03]' : 'border-b border-white/[0.03]'} hover:bg-white/[0.02]`}>
+              <td className={`py-1.5 px-2 sticky left-0 bg-slate-900/90 backdrop-blur ${isMajorSum ? 'font-bold text-white text-xs' : isMinorSum ? 'font-semibold text-white/80' : 'text-white/60'}`}>
+                <LabelWithTooltip label={label} />
+              </td>
+              {[2026, 2027, 2028, 2029, 2030].map(y => {
+                const v = values[`y${y}`] || 0
+                return (
+                  <td key={y} className={`text-right py-1.5 px-3 ${v < 0 ? 'text-red-400' : v > 0 ? (isMajorSum ? 'text-white' : isSumRow ? 'text-white/80' : 'text-white/50') : 'text-white/15'} ${isMajorSum ? 'font-bold text-xs' : isSumRow ? 'font-semibold' : ''}`}>
+                    {v === 0 ? '—' : Math.round(v).toLocaleString('de-DE', { maximumFractionDigits: 0 })}
+                  </td>
+                )
+              })}
+            </tr>
+          )
+        })}
+      </tbody>
+    </table>
+  )
+}
+
+/* ── Monthly / Annual Grid (all sheets except GuV) ── */
+
+interface MonthlyGridProps {
+  rows: SheetRow[]
+  activeSheet: string
+  de: boolean
+  yearOffset: number
+  openCats: Set<string>
+  toggleCat: (cat: string) => void
+}
+
+export function MonthlyGrid({ rows, activeSheet, de, yearOffset, openCats, toggleCat }: MonthlyGridProps) {
+  const currentYear = 2026 + yearOffset
+  const monthStart = yearOffset * 12 + 1
+  const monthEnd = monthStart + 11
+
+  /* ── Compute sum rows from detail rows (like Excel formulas) ── */
+  const computeRows = (): SheetRow[] => {
+    const computedRows = rows.map(row => {
+      const label = getLabel(row)
+      const cat = row.category as string || ''
+      const isSumLabel = row.is_sum_row || label.includes('Summe') || label.includes('SUMME') || label.includes('ÜBERSCHUSS') || label.includes('UEBERSCHUSS')
+
+      if (!isSumLabel) return row
+
+      let sourceRows: SheetRow[] = []
+
+      // === Betriebliche Aufwendungen: category-based sums ===
+      if (cat && cat !== 'summe') {
+        sourceRows = rows.filter(r => (r.category as string) === cat && !r.is_sum_row && getLabel(r) !== label)
+      } else if (label.includes('Summe sonstige')) {
+        sourceRows = rows.filter(r => {
+          const rCat = r.category as string || ''
+          const rLabel = getLabel(r)
+          return !r.is_sum_row && rCat !== 'personal' && rCat !== 'abschreibungen' && rCat !== 'summe' &&
+            !rLabel.includes('Personalkosten') && !rLabel.includes('Abschreibungen') && !rLabel.includes('Summe') && !rLabel.includes('SUMME')
+        })
+      } else if (label.includes('SUMME Betriebliche')) {
+        sourceRows = rows.filter(r => {
+          const rCat = r.category as string || ''
+          const rLabel = getLabel(r)
+          if (rLabel === 'Personalkosten' || rLabel === 'Abschreibungen') return true
+          return !r.is_sum_row && rCat !== 'summe' && !rLabel.includes('Summe') && !rLabel.includes('SUMME')
+        })
+      }
+
+      // === Liquidität: keep DB values (engine computed) ===
+      else if (activeSheet === 'liquiditaet' && (
+        label.includes('Summe') || label.includes('ÜBERSCHUSS') || label.includes('UEBERSCHUSS') ||
+        label.includes('LIQUIDITÄT') || label.includes('LIQUIDITAET') || label.includes('Kontostand')
+      )) {
+        return row
+      }
+
+      // === Umsatzerlöse: GESAMTUMSATZ = sum of revenue rows only ===
+      else if (label.includes('GESAMTUMSATZ')) {
+        sourceRows = rows.filter(r => {
+          const sec = (r as Record<string, unknown>).section as string || ''
+          return sec === 'revenue' && !getLabel(r).includes('GESAMTUMSATZ')
+        })
+      }
+
+      // === Materialaufwand: SUMME = sum of cost rows only ===
+      else if (label.includes('SUMME Material') || (activeSheet === 'materialaufwand' && label === 'SUMME')) {
+        sourceRows = rows.filter(r => {
+          const sec = (r as Record<string, unknown>).section as string || ''
+          return sec === 'cost' && getLabel(r) !== 'SUMME'
+        })
+      }
+
+      // === Kunden GESAMT rows — trust DB values ===
+      else if (label.includes('GESAMT') || label.includes('Bestandskunden gesamt')) {
+        return row
+      }
+
+      if (sourceRows.length === 0) return row
+
+      const computed: Record<string, number> = {}
+      for (let m = 1; m <= 60; m++) {
+        const key = `m${m}`
+        computed[key] = Math.round(sourceRows.reduce((sum, r) => sum + (getValues(r)[key] || 0), 0))
+      }
+
+      return { ...row, values: computed, values_total: computed }
+    })
+
+    // For betriebliche: reorder so category header comes BEFORE detail rows
+    if (activeSheet === 'betriebliche') {
+      const grouped: SheetRow[] = []
+      const cats = new Map<string, { header: SheetRow | null; details: SheetRow[] }>()
+      for (const row of computedRows) {
+        const cat = row.category as string || ''
+        if (!cats.has(cat)) cats.set(cat, { header: null, details: [] })
+        const g = cats.get(cat)!
+        if (row.is_sum_row) g.header = row
+        else g.details.push(row)
+      }
+      for (const [cat, g] of cats) {
+        if (g.header) grouped.push(g.header)
+        if (openCats.has(cat) || cat === 'summe' || cat === 'personal' || cat === 'abschreibungen') {
+          grouped.push(...g.details)
+        }
+      }
+      return grouped
+    }
+    return computedRows
+  }
+
+  const displayRows = computeRows()
+
+  return (
+    <table className="w-full text-[10px]">
+      <thead>
+        <tr className="border-b border-white/10">
+          <th className="text-left py-1.5 px-2 text-white/60 font-medium sticky left-0 bg-slate-900/90 backdrop-blur min-w-[160px]">
+            {de ? 'Position' : 'Item'}
+          </th>
+          {yearOffset === -1 ? (
+            [2026, 2027, 2028, 2029, 2030].map(y => (
+              <th key={y} className="text-right py-1.5 px-3 text-white/60 font-medium min-w-[80px]">{y}</th>
+            ))
+          ) : (
+            <>
+              <th className="text-right py-1.5 px-2 text-white/60 font-medium min-w-[70px]">
+                {currentYear}
+              </th>
+              {MONTH_LABELS.map((label, idx) => (
+                <th key={idx} className="text-right py-1.5 px-1.5 text-white/50 font-normal min-w-[55px]">
+                  {label}
+                </th>
+              ))}
+            </>
+          )}
+        </tr>
+      </thead>
+      <tbody>
+        {displayRows.map(row => {
+          const values = getValues(row)
+          const label = getLabel(row)
+          const isSumRow = row.is_sum_row || label.includes('GESAMT') || label.includes('Summe') || label.includes('ÜBERSCHUSS') || label.includes('LIQUIDITÄT') || label.includes('UEBERSCHUSS') || label.includes('LIQUIDITAET')
+          const isTotalRow = label.includes('GESAMT') || label.includes('Bestandskunden gesamt') || label.includes('GESAMTUMSATZ') || label.includes('SUMME')
+          const isEditable = false // read-only for investors
+          const cat = row.category as string || ''
+          const isCatHeader = activeSheet === 'betriebliche' && row.is_sum_row && cat !== 'summe' && cat !== 'personal' && cat !== 'abschreibungen'
+          const isCatOpen = openCats.has(cat)
+          const section = (row as Record<string, unknown>).section as string || ''
+          const isBalanceRow = label.includes('Kontostand') || label === 'LIQUIDITÄT' || label === 'LIQUIDITAET'
+            || label.includes('Bestandskunden') || (activeSheet === 'kunden' && row.row_label === 'Bestandskunden')
+            || label.includes('Anzahl Kunden') || section === 'quantity'
+          const isUnitPrice = section === 'unit_cost' || section === 'einkauf' || label.includes('Einkaufspreis')
+            || section === 'price' || label.includes('Preis/Monat')
+
+          let annual = 0
+          if (isUnitPrice) {
+            annual = values[`m${monthEnd}`] || values[`m${monthStart}`] || 0
+          } else if (isBalanceRow) {
+            annual = values[`m${monthEnd}`] || 0
+          } else {
+            for (let m = monthStart; m <= monthEnd; m++) annual += values[`m${m}`] || 0
+          }
+
+          return (
+            <tr
+              key={row.id}
+              className={`${isTotalRow ? 'border-t-2 border-t-white/20 border-b border-b-white/[0.03]' : 'border-b border-white/[0.03]'} ${isSumRow ? 'bg-white/[0.03]' : ''} hover:bg-white/[0.02]`}
+            >
+              <td className={`py-1 px-2 sticky left-0 bg-slate-900/90 backdrop-blur ${isSumRow ? 'font-bold text-white/80' : 'text-white/60'} ${isCatHeader ? 'cursor-pointer select-none' : ''}`}
+                onClick={isCatHeader ? () => toggleCat(cat) : undefined}
+              >
+                <div className="flex items-center gap-1">
+                  {isCatHeader && <span className="text-[10px] text-indigo-400 w-3 shrink-0">{isCatOpen ? '▾' : '▸'}</span>}
+                  {isEditable && <span className="w-1 h-1 rounded-full bg-indigo-400 flex-shrink-0" />}
+                  <span className="truncate"><LabelWithTooltip label={label} /></span>
+                  {row.position && <span className="text-white/50 ml-1">({row.position})</span>}
+                </div>
+              </td>
+              {yearOffset === -1 ? (
+                [2026, 2027, 2028, 2029, 2030].map(y => {
+                  const yStart = (y - 2026) * 12 + 1
+                  const yEnd = yStart + 11
+                  let yVal = 0
+                  if (isUnitPrice) {
+                    yVal = values[`m${yEnd}`] || 0
+                  } else if (isBalanceRow) {
+                    yVal = values[`m${yEnd}`] || 0
+                  } else {
+                    for (let m = yStart; m <= yEnd; m++) yVal += values[`m${m}`] || 0
+                  }
+                  return (
+                    <td key={y} className={`text-right py-1 px-3 ${yVal < 0 ? 'text-red-400' : yVal > 0 ? (isSumRow ? 'text-white/80' : 'text-white/50') : 'text-white/15'} ${isSumRow ? 'font-bold' : ''}`}>
+                      {formatCell(Math.round(yVal))}
+                    </td>
+                  )
+                })
+              ) : (
+                <>
+                  <td className={`text-right py-1 px-2 font-medium ${annual < 0 ? 'text-red-400' : isSumRow ? 'text-white/80' : 'text-white/50'}`}>
+                    {formatCell(annual)}
+                  </td>
+                  {Array.from({ length: 12 }, (_, idx) => {
+                    const mKey = `m${monthStart + idx}`
+                    const v = values[mKey] || 0
+                    return (
+                      <td
+                        key={idx}
+                        className={`text-right py-1 px-1.5 ${
+                          v < 0 ? 'text-red-400/70' : v > 0 ? (isSumRow ? 'text-white/70' : 'text-white/50') : 'text-white/15'
+                        }`}
+                      >
+                        {formatCell(v)}
+                      </td>
+                    )
+                  })}
+                </>
+              )}
+            </tr>
+          )
+        })}
+      </tbody>
+      {/* Footer sum row for personalkosten, investitionen */}
+      {['personalkosten', 'investitionen'].includes(activeSheet) && rows.length > 0 && (() => {
+        const nonSumRows = rows.filter(r => {
+          const l = getLabel(r)
+          return !(r.is_sum_row || l.includes('GESAMT') || l.includes('Summe') || l.includes('Gesamtkosten') || l === 'SUMME')
+        })
+        return (
+          <tfoot>
+            <tr className="border-t-2 border-white/20 bg-white/[0.05]">
+              <td className="py-1.5 px-2 sticky left-0 bg-slate-900/90 backdrop-blur font-bold text-white/80 text-xs">
+                {de ? 'SUMME' : 'TOTAL'}
+              </td>
+              {yearOffset === -1 ? (
+                [2026, 2027, 2028, 2029, 2030].map(y => {
+                  const yStart = (y - 2026) * 12 + 1
+                  const yEnd = yStart + 11
+                  let yVal = 0
+                  for (let m = yStart; m <= yEnd; m++) {
+                    for (const row of nonSumRows) yVal += getValues(row)[`m${m}`] || 0
+                  }
+                  return (
+                    <td key={y} className={`text-right py-1.5 px-3 font-bold text-xs ${yVal < 0 ? 'text-red-400' : 'text-white/80'}`}>
+                      {formatCell(Math.round(yVal))}
+                    </td>
+                  )
+                })
+              ) : (
+                <>
+                  {(() => {
+                    let sumAnnual = 0
+                    for (let m = monthStart; m <= monthEnd; m++) {
+                      for (const row of nonSumRows) sumAnnual += getValues(row)[`m${m}`] || 0
+                    }
+                    return (
+                      <td className={`text-right py-1.5 px-2 font-bold text-xs ${sumAnnual < 0 ? 'text-red-400' : 'text-white/80'}`}>
+                        {formatCell(sumAnnual)}
+                      </td>
+                    )
+                  })()}
+                  {Array.from({ length: 12 }, (_, idx) => {
+                    const mKey = `m${monthStart + idx}`
+                    let v = 0
+                    for (const row of nonSumRows) v += getValues(row)[mKey] || 0
+                    return (
+                      <td key={idx} className={`text-right py-1.5 px-1.5 font-bold text-xs ${v < 0 ? 'text-red-400' : v > 0 ? 'text-white/70' : 'text-white/15'}`}>
+                        {formatCell(v)}
+                      </td>
+                    )
+                  })}
+                </>
+              )}
+            </tr>
+          </tfoot>
+        )
+      })()}
+    </table>
+  )
+}
diff --git a/pitch-deck/components/slides/FinanzplanSlide.helpers.ts b/pitch-deck/components/slides/FinanzplanSlide.helpers.ts
new file mode 100644
index 0000000..72e1383
--- /dev/null
+++ b/pitch-deck/components/slides/FinanzplanSlide.helpers.ts
@@ -0,0 +1,68 @@
+// FinanzplanSlide helpers — extracted from FinanzplanSlide.tsx
+
+export interface SheetMeta {
+  name: string
+  label_de: string
+  label_en: string
+  rows: number
+}
+
+export interface SheetRow {
+  id: number
+  row_label?: string
+  person_name?: string
+  item_name?: string
+  category?: string
+  section?: string
+  is_editable?: boolean
+  is_sum_row?: boolean
+  values?: Record<string, number>
+  values_total?: Record<string, number>
+  values_brutto?: Record<string, number>
+  brutto_monthly?: number
+  position?: string
+  start_date?: string
+  purchase_amount?: number
+  [key: string]: unknown
+}
+
+export interface FpScenario {
+  id: string
+  name: string
+  is_default: boolean
+}
+
+export const MONTH_LABELS = [
+  'Jan', 'Feb', 'Mrz', 'Apr', 'Mai', 'Jun',
+  'Jul', 'Aug', 'Sep', 'Okt', 'Nov', 'Dez',
+]
+
+export function getLabel(row: SheetRow): string {
+  return row.row_label || row.person_name || row.item_name || '—'
+}
+
+export const FORMULA_TOOLTIPS: Record<string, string> = {
+  'Fort-/Weiterbildungskosten (F)': 'Mitarbeiter (ohne Gründer) × 300 EUR/Mon',
+  'Fahrzeugkosten (F)': 'Mitarbeiter (ohne Gründer) × 200 EUR/Mon',
+  'KFZ-Steuern (F)': 'Mitarbeiter (ohne Gründer) × 25 EUR/Mon',
+  'KFZ-Versicherung (F)': 'Mitarbeiter (ohne Gründer) × 150 EUR/Mon',
+  'Reisekosten (F)': 'Headcount gesamt × 75 EUR/Mon',
+  'Bewirtungskosten (F)': 'Bestandskunden × 50 EUR/Mon',
+  'Internet/Mobilfunk (F)': 'Headcount gesamt × 50 EUR/Mon',
+  'Cloud-Hosting (SysEleven/Hetzner)': '1.500 EUR Basis + (Kunden - 10) × 100 EUR (erste 10 inkl.)',
+  'Berufsgenossenschaft (F)': '0,5% der Brutto-Lohnsumme (VBG IT/Büro)',
+  'Allgemeine Marketingkosten (F)': '8% vom Umsatz (2026-2028), 10% ab 2029',
+  'Gewerbesteuer (F)': '12,25% vom Gewinn (Messzahl 3,5% × Hebesatz 350%, nur bei Gewinn)',
+  'Personalkosten': 'Summe aus Tab Personalkosten',
+  'Abschreibungen': 'Summe AfA aus Tab Investitionen',
+}
+
+export function getValues(row: SheetRow): Record<string, number> {
+  return row.values || row.values_total || row.values_brutto || (row as Record<string, unknown>).values_invest as Record<string, number> || {}
+}
+
+export function formatCell(v: number | undefined): string {
+  if (v === undefined || v === null) return ''
+  if (v === 0) return '—'
+  return Math.round(v).toLocaleString('de-DE', { maximumFractionDigits: 0 })
+}
diff --git a/pitch-deck/components/slides/FinanzplanSlide.kpis.tsx b/pitch-deck/components/slides/FinanzplanSlide.kpis.tsx
new file mode 100644
index 0000000..28db603
--- /dev/null
+++ b/pitch-deck/components/slides/FinanzplanSlide.kpis.tsx
@@ -0,0 +1,68 @@
+'use client'
+
+import GlassCard from '../ui/GlassCard'
+import { formatCell } from './FinanzplanSlide.helpers'
+
+interface KPIsTabProps {
+  fpKPIs: Record<string, Record<string, number>>
+  de: boolean
+}
+
+export default function KPIsTab({ fpKPIs, de }: KPIsTabProps) {
+  const years = ['y2026', 'y2027', 'y2028', 'y2029', 'y2030']
+  const v = (yk: string, key: string) => fpKPIs[yk]?.[key] || 0
+
+  return (
+    <GlassCard hover={false} className="p-4">
+      <h3 className="text-sm font-bold text-emerald-400 uppercase tracking-wider mb-4">{de ? 'Wichtige Kennzahlen (pro Jahr)' : 'Key Metrics (per year)'}</h3>
+      <table className="w-full text-xs">
+        <thead>
+          <tr className="border-b border-white/10">
+            <th className="text-left py-2 px-2 text-white/60 font-medium">KPI</th>
+            {[2026, 2027, 2028, 2029, 2030].map(y => (
+              <th key={y} className="text-right py-2 px-3 text-white/60 font-medium">{y}</th>
+            ))}
+          </tr>
+        </thead>
+        <tbody>
+          {!fpKPIs['y2026'] ? (
+            <tr><td colSpan={6} className="text-center py-4 text-white/30">{de ? 'Finanzplan wird geladen...' : 'Loading financial plan...'}</td></tr>
+          ) : [
+            { label: 'MRR (Dez)', values: years.map(y => v(y, 'mrr')), unit: '\u20AC', bold: true },
+            { label: 'ARR (Dez \u00d7 12)', values: years.map(y => v(y, 'arr')), unit: '\u20AC', bold: true },
+            { label: de ? 'Kunden (Dez)' : 'Customers (Dec)', values: years.map(y => v(y, 'customers')), unit: '', bold: false },
+            { label: de ? 'ACV (Umsatz/Kunden)' : 'ACV (Revenue/Customers)', values: years.map(y => v(y, 'arpu')), unit: '\u20AC', bold: false },
+            { label: 'Gross Margin', values: years.map(y => v(y, 'grossMargin')), unit: '%', bold: false },
+            { label: de ? 'Umsatzwachstum (YoY)' : 'Revenue Growth (YoY)', values: years.map(y => v(y, 'nrr')), unit: '%', bold: false },
+            { label: de ? 'Mitarbeiter' : 'Employees', values: years.map(y => v(y, 'headcount')), unit: '', bold: false },
+            { label: de ? 'Umsatz/Mitarbeiter' : 'Revenue/Employee', values: years.map(y => v(y, 'revPerEmp')), unit: '\u20AC', bold: false },
+            { label: de ? 'Personalkosten' : 'Personnel Costs', values: years.map(y => v(y, 'personal')), unit: '\u20AC', bold: false },
+            { label: 'EBIT', values: years.map(y => v(y, 'ebit')), unit: '\u20AC', bold: true },
+            { label: de ? 'EBIT-Marge' : 'EBIT Margin', values: years.map(y => v(y, 'ebitMargin')), unit: '%', bold: false },
+            { label: de ? 'Steuern' : 'Taxes', values: years.map(y => v(y, 'steuern')), unit: '\u20AC', bold: false },
+            { label: de ? 'Jahres\u00fcberschuss' : 'Net Income', values: years.map(y => v(y, 'netIncome')), unit: '\u20AC', bold: true },
+            { label: de ? 'Liquidit\u00e4t (Dez)' : 'Cash (Dec)', values: years.map(y => v(y, 'liquiditaet')), unit: '\u20AC', bold: true },
+            { label: 'Burn Rate', values: years.map(y => v(y, 'burnRate')), unit: '\u20AC/Mo', bold: false },
+          ].map((row, idx) => (
+            <tr key={idx} className={`border-b border-white/[0.03] ${row.bold ? 'bg-white/[0.03]' : ''}`}>
+              <td className={`py-1.5 px-2 ${row.bold ? 'font-bold text-white/80' : 'text-white/60'}`}>{row.label}</td>
+              {row.values.map((val, i) => {
+                const num = typeof val === 'number' ? val : 0
+                const display = typeof val === 'string' ? val : (
+                  row.unit === '%' ? `${val}%` :
+                  row.unit === '\u20AC/Mo' ? formatCell(num) + '/Mo' :
+                  formatCell(num)
+                )
+                return (
+                  <td key={i} className={`text-right py-1.5 px-3 font-mono ${num < 0 ? 'text-red-400' : row.bold ? 'text-white/80 font-bold' : 'text-white/50'}`}>
+                    {display}
+                  </td>
+                )
+              })}
+            </tr>
+          ))}
+        </tbody>
+      </table>
+    </GlassCard>
+  )
+}
diff --git a/pitch-deck/components/slides/FinanzplanSlide.skr.tsx b/pitch-deck/components/slides/FinanzplanSlide.skr.tsx
new file mode 100644
index 0000000..c821b37
--- /dev/null
+++ b/pitch-deck/components/slides/FinanzplanSlide.skr.tsx
@@ -0,0 +1,139 @@
+'use client'
+
+import { useState } from 'react'
+import GlassCard from '../ui/GlassCard'
+
+interface SKRTabProps {
+  de: boolean
+}
+
+export default function SKRTab({ de }: SKRTabProps) {
+  const [openSKR, setOpenSKR] = useState<Set<string>>(new Set(['4', '6', '7']))
+  const toggleSKR = (k: string) => setOpenSKR(prev => { const n = new Set(prev); n.has(k) ? n.delete(k) : n.add(k); return n })
+
+  const skr04: { klasse: string; title: string; color: string; accounts: { nr: string; name: string; used?: boolean }[] }[] = [
+    { klasse: '0', title: de ? 'Anlagevermögen' : 'Fixed Assets', color: 'text-slate-400', accounts: [
+      { nr: '0200', name: de ? 'Technische Anlagen & Maschinen' : 'Technical Equipment', used: false },
+      { nr: '0400', name: de ? 'Betriebs- und Geschäftsausstattung' : 'Office & Business Equipment', used: true },
+      { nr: '0420', name: de ? 'EDV-Hardware' : 'IT Hardware', used: true },
+      { nr: '0440', name: de ? 'Geringwertige Wirtschaftsgüter (GWG)' : 'Low-Value Assets (GWG)', used: true },
+      { nr: '0480', name: de ? 'Immaterielle Vermögensgegenstände' : 'Intangible Assets', used: true },
+    ]},
+    { klasse: '1', title: de ? 'Umlaufvermögen' : 'Current Assets', color: 'text-blue-400', accounts: [
+      { nr: '1200', name: de ? 'Bank (Geschäftskonto)' : 'Bank (Business Account)', used: true },
+      { nr: '1210', name: de ? 'Bank (Festgeld/Rücklagen)' : 'Bank (Fixed Deposit)', used: false },
+      { nr: '1400', name: de ? 'Forderungen aus L&L' : 'Accounts Receivable', used: true },
+      { nr: '1590', name: de ? 'Durchlaufende Posten' : 'Transit Items', used: false },
+    ]},
+    { klasse: '2', title: de ? 'Eigenkapital & Verbindlichkeiten' : 'Equity & Liabilities', color: 'text-purple-400', accounts: [
+      { nr: '2000', name: de ? 'Gezeichnetes Kapital (Stammkapital)' : 'Share Capital', used: true },
+      { nr: '2010', name: de ? 'Kapitalrücklage (Wandeldarlehen)' : 'Capital Reserve (Convertible Loan)', used: true },
+      { nr: '2100', name: de ? 'Gewinnvortrag / Verlustvortrag' : 'Retained Earnings / Losses', used: true },
+      { nr: '2900', name: de ? 'Jahresüberschuss / -fehlbetrag' : 'Net Income / Loss', used: true },
+    ]},
+    { klasse: '3', title: de ? 'Rückstellungen & Verbindlichkeiten' : 'Provisions & Payables', color: 'text-indigo-400', accounts: [
+      { nr: '3070', name: de ? 'Verbindlichkeiten ggü. Kreditinstituten' : 'Bank Liabilities', used: true },
+      { nr: '3100', name: de ? 'Verbindlichkeiten aus L&L' : 'Accounts Payable', used: true },
+      { nr: '3150', name: de ? 'Darlehen (L-Bank Pre-Seed)' : 'Loan (L-Bank Pre-Seed)', used: true },
+      { nr: '3500', name: de ? 'Umsatzsteuer-Verbindlichkeit' : 'VAT Payable', used: true },
+      { nr: '3520', name: de ? 'Lohnsteuer-Verbindlichkeit' : 'Payroll Tax Payable', used: true },
+      { nr: '3550', name: de ? 'Sozialversicherungs-Verbindlichkeit' : 'Social Security Payable', used: true },
+      { nr: '3900', name: de ? 'Rückstellungen (Jahresabschluss etc.)' : 'Provisions (Closing etc.)', used: true },
+    ]},
+    { klasse: '4', title: de ? 'Betriebliche Erträge' : 'Operating Revenue', color: 'text-emerald-400', accounts: [
+      { nr: '4400', name: de ? 'Erlöse Software-Lizenzen (SaaS)' : 'Software License Revenue (SaaS)', used: true },
+      { nr: '4410', name: de ? 'Erlöse Beratung & Service' : 'Consulting & Service Revenue', used: true },
+      { nr: '4440', name: de ? 'Erlöse Hardware (Mac Mini/Studio)' : 'Hardware Revenue', used: false },
+      { nr: '4500', name: de ? 'Sonstige betriebliche Erträge' : 'Other Operating Revenue', used: true },
+      { nr: '4510', name: de ? 'Fördergelder / Grants' : 'Grants / Subsidies', used: true },
+      { nr: '4520', name: de ? 'Forschungszulage (§ 27a EStG)' : 'Research Tax Credit', used: true },
+    ]},
+    { klasse: '5', title: de ? 'Materialaufwand / COGS' : 'Material Costs / COGS', color: 'text-orange-400', accounts: [
+      { nr: '5400', name: de ? 'Cloud-Hosting (SysEleven/Hetzner)' : 'Cloud Hosting', used: true },
+      { nr: '5410', name: de ? 'LLM-Inferenzkosten' : 'LLM Inference Costs', used: true },
+      { nr: '5420', name: de ? '3rd Party API (Tavily etc.)' : '3rd Party API', used: true },
+      { nr: '5430', name: de ? 'Datenbank-Hosting (PostgreSQL/Qdrant)' : 'Database Hosting', used: true },
+      { nr: '5440', name: de ? 'CDN / Storage / Monitoring' : 'CDN / Storage / Monitoring', used: true },
+    ]},
+    { klasse: '6', title: de ? 'Personalaufwand' : 'Personnel Costs', color: 'text-cyan-400', accounts: [
+      { nr: '6000', name: de ? 'Löhne und Gehälter' : 'Wages and Salaries', used: true },
+      { nr: '6010', name: de ? 'Geschäftsführer-Gehälter' : 'Managing Director Salaries', used: true },
+      { nr: '6100', name: de ? 'Soziale Abgaben (AG-Anteil)' : 'Social Security (Employer)', used: true },
+      { nr: '6110', name: de ? 'Berufsgenossenschaft (VBG)' : 'Professional Association (VBG)', used: true },
+      { nr: '6130', name: de ? 'Vermögenswirksame Leistungen' : 'Capital-Forming Benefits', used: false },
+      { nr: '6170', name: de ? 'Freiwillige Sozialleistungen' : 'Voluntary Social Benefits', used: false },
+    ]},
+    { klasse: '7', title: de ? 'Sonstige betriebliche Aufwendungen' : 'Other Operating Expenses', color: 'text-amber-400', accounts: [
+      { nr: '7000', name: de ? 'Raumkosten / Miete' : 'Rent / Room Costs', used: true },
+      { nr: '7100', name: de ? 'Versicherungen (D&O, Cyber, Haftpflicht)' : 'Insurance (D&O, Cyber, Liability)', used: true },
+      { nr: '7200', name: de ? 'Fahrzeugkosten / KFZ' : 'Vehicle Costs', used: true },
+      { nr: '7300', name: de ? 'Werbe- und Marketingkosten' : 'Marketing Costs', used: true },
+      { nr: '7310', name: de ? 'Teilnahme an Messen' : 'Trade Fair Participation', used: true },
+      { nr: '7320', name: de ? 'Bewirtungskosten' : 'Entertainment Costs', used: true },
+      { nr: '7400', name: de ? 'Reisekosten' : 'Travel Costs', used: true },
+      { nr: '7500', name: de ? 'Internet / Mobilfunk' : 'Internet / Mobile', used: true },
+      { nr: '7510', name: de ? 'Serverkosten / Cloud (→ Klasse 5)' : 'Server / Cloud (→ Class 5)', used: false },
+      { nr: '7600', name: de ? 'Rechts-/Beratungskosten' : 'Legal / Advisory Costs', used: true },
+      { nr: '7610', name: de ? 'Buchführungskosten' : 'Bookkeeping Costs', used: true },
+      { nr: '7620', name: de ? 'Jahresabschlusskosten' : 'Annual Closing Costs', used: true },
+      { nr: '7630', name: de ? 'Ext. Datenschutzbeauftragter' : 'Ext. Data Protection Officer', used: true },
+      { nr: '7640', name: de ? 'Zertifizierung (ISO 27001 / BSI C5)' : 'Certification (ISO 27001 / BSI C5)', used: true },
+      { nr: '7650', name: de ? 'Recruiting / Stellenanzeigen' : 'Recruiting / Job Ads', used: true },
+      { nr: '7680', name: de ? 'IHK / Kammerbeiträge' : 'Chamber of Commerce Fees', used: true },
+      { nr: '7690', name: de ? 'Rundfunkbeitrag' : 'Broadcasting Fee', used: true },
+      { nr: '7700', name: de ? 'Abschreibungen (AfA)' : 'Depreciation', used: true },
+      { nr: '7750', name: de ? 'Fort- und Weiterbildung' : 'Training & Development', used: true },
+      { nr: '7800', name: de ? 'Bankgebühren / Nebenkosten Geldverkehr' : 'Bank Fees', used: true },
+      { nr: '7900', name: de ? 'Schutzrechte / Lizenzkosten' : 'IP Rights / License Costs', used: true },
+    ]},
+    { klasse: '8', title: de ? 'Finanzerträge & -aufwendungen' : 'Financial Income & Expenses', color: 'text-red-400', accounts: [
+      { nr: '8100', name: de ? 'Zinserträge' : 'Interest Income', used: false },
+      { nr: '8200', name: de ? 'Zinsaufwendungen' : 'Interest Expenses', used: true },
+      { nr: '8210', name: de ? 'Zinsen L-Bank Wandeldarlehen (8%)' : 'Interest L-Bank Convertible (8%)', used: true },
+    ]},
+    { klasse: '9', title: de ? 'Steuern & Jahresabschluss' : 'Taxes & Closing', color: 'text-rose-400', accounts: [
+      { nr: '9000', name: de ? 'Gewerbesteuer' : 'Trade Tax', used: true },
+      { nr: '9100', name: de ? 'Körperschaftsteuer + Soli' : 'Corporate Tax + Surcharge', used: true },
+      { nr: '9200', name: de ? 'Umsatzsteuer (Zahllast)' : 'VAT (Payable)', used: true },
+      { nr: '9300', name: de ? 'Lohnsteuer' : 'Payroll Tax', used: true },
+    ]},
+  ]
+
+  return (
+    <GlassCard hover={false} className="p-4">
+      <div className="flex items-center justify-between mb-4">
+        <h3 className="text-sm font-bold text-white/80">{de ? 'Kontenrahmen SKR04 — Breakpilot COMPLAI GmbH' : 'Chart of Accounts SKR04 — Breakpilot COMPLAI GmbH'}</h3>
+        <div className="flex items-center gap-3 text-[9px]">
+          <span className="flex items-center gap-1"><span className="w-2 h-2 rounded-full bg-emerald-400 inline-block" /> {de ? 'Aktiv genutzt' : 'Actively used'}</span>
+          <span className="flex items-center gap-1"><span className="w-2 h-2 rounded-full bg-white/15 inline-block" /> {de ? 'Geplant / nicht aktiv' : 'Planned / inactive'}</span>
+        </div>
+      </div>
+      <div className="space-y-1">
+        {skr04.map(k => (
+          <div key={k.klasse}>
+            <button onClick={() => toggleSKR(k.klasse)} className="w-full flex items-center gap-2 py-1.5 px-2 rounded hover:bg-white/[0.03] transition-colors text-left">
+              <span className="text-[10px] text-white/30 w-3">{openSKR.has(k.klasse) ? '▾' : '▸'}</span>
+              <span className={`text-xs font-bold ${k.color}`}>Klasse {k.klasse}</span>
+              <span className="text-xs text-white/60">— {k.title}</span>
+              <span className="text-[9px] text-white/25 ml-auto">{k.accounts.filter(a => a.used).length}/{k.accounts.length}</span>
+            </button>
+            {openSKR.has(k.klasse) && (
+              <div className="ml-7 mb-2 space-y-0.5">
+                {k.accounts.map(a => (
+                  <div key={a.nr} className={`flex items-center gap-2 py-0.5 px-2 rounded text-[11px] ${a.used ? 'text-white/70' : 'text-white/25'}`}>
+                    <span className={`w-1.5 h-1.5 rounded-full shrink-0 ${a.used ? 'bg-emerald-400' : 'bg-white/15'}`} />
+                    <span className="font-mono text-white/30 w-10">{a.nr}</span>
+                    <span>{a.name}</span>
+                  </div>
+                ))}
+              </div>
+            )}
+          </div>
+        ))}
+      </div>
+      <div className="mt-3 pt-2 border-t border-white/5 text-[10px] text-white/25 text-center">
+        SKR04 (Industriekontenrahmen) · {de ? 'Angepasst für SaaS/Tech GmbH' : 'Adapted for SaaS/Tech GmbH'} · {de ? '10 Klassen · 62 Konten' : '10 classes · 62 accounts'}
+      </div>
+    </GlassCard>
+  )
+}
diff --git a/pitch-deck/components/slides/FinanzplanSlide.tsx b/pitch-deck/components/slides/FinanzplanSlide.tsx
index 08973bf..7d68a9c 100644
--- a/pitch-deck/components/slides/FinanzplanSlide.tsx
+++ b/pitch-deck/components/slides/FinanzplanSlide.tsx
@@ -2,12 +2,18 @@
 
 import { useCallback, useEffect, useState } from 'react'
 import { Language } from '@/lib/types'
-import { t } from '@/lib/i18n'
 import ProjectionFooter from '../ui/ProjectionFooter'
 import GradientText from '../ui/GradientText'
 import FadeInView from '../ui/FadeInView'
 import GlassCard from '../ui/GlassCard'
-import { RefreshCw, Download, ChevronLeft, ChevronRight, BarChart3, Target } from 'lucide-react'
+import { BarChart3, Target } from 'lucide-react'
+import KPIsTab from './FinanzplanSlide.kpis'
+import ChartsTab from './FinanzplanSlide.charts'
+import SKRTab from './FinanzplanSlide.skr'
+import {
+  SheetMeta, SheetRow, FpScenario,
+} from './FinanzplanSlide.helpers'
+import { GuvTable, MonthlyGrid } from './FinanzplanSlide.datagrid'
 
 interface FinanzplanSlideProps {
   lang: Language
@@ -16,82 +22,6 @@ interface FinanzplanSlideProps {
   isWandeldarlehen?: boolean
 }
 
-interface SheetMeta {
-  name: string
-  label_de: string
-  label_en: string
-  rows: number
-}
-
-interface SheetRow {
-  id: number
-  row_label?: string
-  person_name?: string
-  item_name?: string
-  category?: string
-  section?: string
-  is_editable?: boolean
-  is_sum_row?: boolean
-  values?: Record<string, number>
-  values_total?: Record<string, number>
-  values_brutto?: Record<string, number>
-  brutto_monthly?: number
-  position?: string
-  start_date?: string
-  purchase_amount?: number
-  [key: string]: unknown
-}
-
-const MONTH_LABELS = [
-  'Jan', 'Feb', 'Mrz', 'Apr', 'Mai', 'Jun',
-  'Jul', 'Aug', 'Sep', 'Okt', 'Nov', 'Dez',
-]
-
-function getLabel(row: SheetRow): string {
-  return row.row_label || row.person_name || row.item_name || '—'
-}
-
-const FORMULA_TOOLTIPS: Record<string, string> = {
-  'Fort-/Weiterbildungskosten (F)': 'Mitarbeiter (ohne Gründer) × 300 EUR/Mon',
-  'Fahrzeugkosten (F)': 'Mitarbeiter (ohne Gründer) × 200 EUR/Mon',
-  'KFZ-Steuern (F)': 'Mitarbeiter (ohne Gründer) × 25 EUR/Mon',
-  'KFZ-Versicherung (F)': 'Mitarbeiter (ohne Gründer) × 150 EUR/Mon',
-  'Reisekosten (F)': 'Headcount gesamt × 75 EUR/Mon',
-  'Bewirtungskosten (F)': 'Bestandskunden × 50 EUR/Mon',
-  'Internet/Mobilfunk (F)': 'Headcount gesamt × 50 EUR/Mon',
-  'Cloud-Hosting (SysEleven/Hetzner)': '1.500 EUR Basis + (Kunden - 10) × 100 EUR (erste 10 inkl.)',
-  'Berufsgenossenschaft (F)': '0,5% der Brutto-Lohnsumme (VBG IT/Büro)',
-  'Allgemeine Marketingkosten (F)': '8% vom Umsatz (2026-2028), 10% ab 2029',
-  'Gewerbesteuer (F)': '12,25% vom Gewinn (Messzahl 3,5% × Hebesatz 350%, nur bei Gewinn)',
-  'Personalkosten': 'Summe aus Tab Personalkosten',
-  'Abschreibungen': 'Summe AfA aus Tab Investitionen',
-}
-
-function LabelWithTooltip({ label }: { label: string }) {
-  const tooltip = FORMULA_TOOLTIPS[label]
-  if (!tooltip) return <span>{label}</span>
-  return (
-    <span className="group relative cursor-help">
-      {label}
-      <span className="invisible group-hover:visible absolute left-0 top-full mt-1 z-50 bg-slate-800 border border-white/10 text-[9px] text-white/70 px-2 py-1 rounded shadow-lg whitespace-nowrap">
-        {tooltip}
-      </span>
-    </span>
-  )
-}
-
-function getValues(row: SheetRow): Record<string, number> {
-  return row.values || row.values_total || row.values_brutto || (row as Record<string, unknown>).values_invest as Record<string, number> || {}
-}
-
-function formatCell(v: number | undefined): string {
-  if (v === undefined || v === null) return ''
-  if (v === 0) return '—'
-  return Math.round(v).toLocaleString('de-DE', { maximumFractionDigits: 0 })
-}
-
-interface FpScenario { id: string; name: string; is_default: boolean }
-
 export default function FinanzplanSlide({ lang, investorId, preferredScenarioId, isWandeldarlehen }: FinanzplanSlideProps) {
   const [sheets, setSheets] = useState<SheetMeta[]>([])
   const [scenarios, setScenarios] = useState<FpScenario[]>([])
@@ -103,8 +33,6 @@ export default function FinanzplanSlide({ lang, investorId, preferredScenarioId,
   const [loading, setLoading] = useState(false)
   const [yearOffset, setYearOffset] = useState(0) // 0=2026, 1=2027, ...
   const [chartDetail, setChartDetail] = useState<string | null>(null)
-  const [openSKR, setOpenSKR] = useState<Set<string>>(new Set(['4', '6', '7']))
-  const toggleSKR = (k: string) => setOpenSKR(prev => { const n = new Set(prev); n.has(k) ? n.delete(k) : n.add(k); return n })
   const de = lang === 'de'
 
   // KPIs loaded directly from fp_* tables (source of truth)
@@ -207,10 +135,6 @@ export default function FinanzplanSlide({ lang, investorId, preferredScenarioId,
 
   useEffect(() => { loadSheet(activeSheet) }, [activeSheet, loadSheet])
 
-  const currentYear = 2026 + yearOffset
-  const monthStart = yearOffset * 12 + 1
-  const monthEnd = monthStart + 11
-
   return (
     <div className="max-w-[95vw] mx-auto">
       <FadeInView className="text-center mb-4">
@@ -259,453 +183,15 @@ export default function FinanzplanSlide({ lang, investorId, preferredScenarioId,
       </div>
 
       {/* === KPIs Tab === */}
-      {activeSheet === 'kpis' && (
-        <GlassCard hover={false} className="p-4">
-          <h3 className="text-sm font-bold text-emerald-400 uppercase tracking-wider mb-4">{de ? 'Wichtige Kennzahlen (pro Jahr)' : 'Key Metrics (per year)'}</h3>
-          <table className="w-full text-xs">
-            <thead>
-              <tr className="border-b border-white/10">
-                <th className="text-left py-2 px-2 text-white/60 font-medium">KPI</th>
-                {[2026, 2027, 2028, 2029, 2030].map(y => (
-                  <th key={y} className="text-right py-2 px-3 text-white/60 font-medium">{y}</th>
-                ))}
-              </tr>
-            </thead>
-            <tbody>
-              {(() => {
-                const years = ['y2026', 'y2027', 'y2028', 'y2029', 'y2030']
-                if (!fpKPIs['y2026']) return (
-                  <tr><td colSpan={6} className="text-center py-4 text-white/30">{de ? 'Finanzplan wird geladen...' : 'Loading financial plan...'}</td></tr>
-                )
-                const v = (yk: string, key: string) => fpKPIs[yk]?.[key] || 0
-                const kpiRows = [
-                  { label: 'MRR (Dez)', values: years.map(y => v(y, 'mrr')), unit: '€', bold: true },
-                  { label: 'ARR (Dez × 12)', values: years.map(y => v(y, 'arr')), unit: '€', bold: true },
-                  { label: de ? 'Kunden (Dez)' : 'Customers (Dec)', values: years.map(y => v(y, 'customers')), unit: '', bold: false },
-                  { label: de ? 'ACV (Umsatz/Kunden)' : 'ACV (Revenue/Customers)', values: years.map(y => v(y, 'arpu')), unit: '€', bold: false },
-                  { label: 'Gross Margin', values: years.map(y => v(y, 'grossMargin')), unit: '%', bold: false },
-                  { label: de ? 'Umsatzwachstum (YoY)' : 'Revenue Growth (YoY)', values: years.map(y => v(y, 'nrr')), unit: '%', bold: false },
-                  { label: de ? 'Mitarbeiter' : 'Employees', values: years.map(y => v(y, 'headcount')), unit: '', bold: false },
-                  { label: de ? 'Umsatz/Mitarbeiter' : 'Revenue/Employee', values: years.map(y => v(y, 'revPerEmp')), unit: '€', bold: false },
-                  { label: de ? 'Personalkosten' : 'Personnel Costs', values: years.map(y => v(y, 'personal')), unit: '��', bold: false },
-                  { label: 'EBIT', values: years.map(y => v(y, 'ebit')), unit: '€', bold: true },
-                  { label: de ? 'EBIT-Marge' : 'EBIT Margin', values: years.map(y => v(y, 'ebitMargin')), unit: '%', bold: false },
-                  { label: de ? 'Steuern' : 'Taxes', values: years.map(y => v(y, 'steuern')), unit: '€', bold: false },
-                  { label: de ? 'Jahresüberschuss' : 'Net Income', values: years.map(y => v(y, 'netIncome')), unit: '€', bold: true },
-                  { label: de ? 'Liquidität (Dez)' : 'Cash (Dec)', values: years.map(y => v(y, 'liquiditaet')), unit: '€', bold: true },
-                  { label: 'Burn Rate', values: years.map(y => v(y, 'burnRate')), unit: '€/Mo', bold: false },
-                ]
-                return kpiRows.map((row, idx) => (
-                  <tr key={idx} className={`border-b border-white/[0.03] ${row.bold ? 'bg-white/[0.03]' : ''}`}>
-                    <td className={`py-1.5 px-2 ${row.bold ? 'font-bold text-white/80' : 'text-white/60'}`}>{row.label}</td>
-                    {row.values.map((v, i) => {
-                      const num = typeof v === 'number' ? v : 0
-                      const display = typeof v === 'string' ? v : (
-                        row.unit === '%' ? `${v}%` :
-                        row.unit === '€/Mo' ? formatCell(num) + '/Mo' :
-                        formatCell(num)
-                      )
-                      return (
-                        <td key={i} className={`text-right py-1.5 px-3 font-mono ${num < 0 ? 'text-red-400' : row.bold ? 'text-white/80 font-bold' : 'text-white/50'}`}>
-                          {display}
-                        </td>
-                      )
-                    })}
-                  </tr>
-                ))
-              })()}
-            </tbody>
-          </table>
-        </GlassCard>
-      )}
+      {activeSheet === 'kpis' && <KPIsTab fpKPIs={fpKPIs} de={de} />}
 
       {/* === Charts Tab === */}
-      {activeSheet === 'charts' && (() => {
-        const years = ['y2026','y2027','y2028','y2029','y2030']
-        const fmtK = (v: number) => Math.abs(v) >= 1000000 ? `${(v/1000000).toFixed(1)}M` : `${Math.round(v/1000)}k`
-        const fmtV = (v: number) => v.toLocaleString('de-DE')
-
-        const chartDetails: Record<string, { title: string; desc: string }> = {
-          mrr: { title: 'MRR (Monthly Recurring Revenue)', desc: de ? 'Monatlich wiederkehrender Umsatz im Dezember des jeweiligen Jahres — der wichtigste KPI für SaaS-Unternehmen. Zeigt den tatsächlichen monatlichen Run-Rate, nicht den Jahresdurchschnitt. ARR = MRR × 12.' : 'Monthly recurring revenue in December of each year — the most important SaaS KPI. Shows the actual monthly run rate, not the annual average. ARR = MRR × 12.' },
-          ebit: { title: 'EBIT (Earnings Before Interest & Taxes)', desc: de ? 'Operatives Ergebnis vor Zinsen und Steuern — zeigt die tatsächliche Profitabilität des Geschäftsbetriebs. Positiver EBIT = das Geschäftsmodell funktioniert.' : 'Operating profit before interest and taxes — shows actual profitability of operations. Positive EBIT = the business model works.' },
-          headcount: { title: de ? 'Personalaufbau' : 'Headcount', desc: de ? 'Geplanter Teamaufbau über 5 Jahre. Wir starten lean mit 2 Gründern und wachsen bedarfsorientiert. Jede Einstellung ist an einen konkreten Meilenstein geknüpft.' : 'Planned team growth over 5 years. We start lean with 2 founders and grow based on demand. Each hire is tied to a concrete milestone.' },
-          cash: { title: de ? 'Liquidität (Jahresende)' : 'Cash Position (Year-End)', desc: de ? 'Kontostand am Ende jedes Jahres. Zeigt ob genug Geld für den laufenden Betrieb vorhanden ist. Die Liquiditätskurve berücksichtigt alle Einnahmen, Ausgaben, Investitionen und Finanzierungen.' : 'Bank balance at end of each year. Shows if enough cash is available for operations. The liquidity curve accounts for all revenue, expenses, investments and financing.' },
-          revcost: { title: de ? 'Umsatz vs. Gesamtkosten' : 'Revenue vs. Total Costs', desc: de ? 'Vergleich zwischen Einnahmen und Ausgaben. Der Schnittpunkt zeigt den Break-Even — ab dann verdient das Unternehmen mehr als es ausgibt.' : 'Comparison between income and expenses. The intersection shows break-even — from then on, the company earns more than it spends.' },
-          acv: { title: 'ACV (Average Contract Value)', desc: de ? 'Durchschnittlicher Vertragswert pro Kunde und Jahr. Steigender ACV bedeutet: Kunden kaufen mehr Module oder wechseln in höhere Tiers.' : 'Average contract value per customer per year. Rising ACV means: customers buy more modules or upgrade to higher tiers.' },
-          grossMargin: { title: 'Gross Margin', desc: de ? 'Rohertragsmarge — wieviel Prozent vom Umsatz nach Abzug der direkten Kosten (Cloud-Infrastruktur, Lizenzen) übrig bleibt. Bei SaaS typisch 70-90%.' : 'How much revenue remains after direct costs (cloud infrastructure, licenses). Typical for SaaS: 70-90%.' },
-          nrr: { title: de ? 'Umsatzwachstum (YoY)' : 'Revenue Growth (YoY)', desc: de ? 'Jahresvergleich des Gesamtumsatzes — zeigt die Wachstumsgeschwindigkeit. In der Frühphase primär durch Neukundengewinnung getrieben, später zunehmend durch Expansion bestehender Kunden (Upselling in höhere Tiers).' : 'Year-over-year total revenue comparison — shows growth velocity. In early stages driven primarily by new customer acquisition, later increasingly by expansion of existing customers (upselling to higher tiers).' },
-          ebitMargin: { title: 'EBIT Margin', desc: de ? 'Operatives Ergebnis in Prozent vom Umsatz. Zeigt die Effizienz des Geschäftsmodells. Ziel für SaaS: 20-30% in der Reifephase.' : 'Operating result as percentage of revenue. Shows business model efficiency. Target for SaaS: 20-30% at maturity.' },
-        }
-        const detailInfo = chartDetail ? chartDetails[chartDetail] : null
-
-        return (
-        <div className="space-y-4">
-          {/* Detail overlay */}
-          {detailInfo && (
-            <div className="fixed inset-0 z-50 flex items-center justify-center p-4" onClick={() => setChartDetail(null)}>
-              <div className="absolute inset-0 bg-black/60 backdrop-blur-sm" />
-              <div className="relative bg-slate-900/95 border border-white/10 rounded-2xl p-6 max-w-lg w-full" onClick={e => e.stopPropagation()}>
-                <button onClick={() => setChartDetail(null)} className="absolute top-4 right-4 text-white/40 hover:text-white/80 text-lg">✕</button>
-                <h3 className="text-xl font-bold text-white mb-3">{detailInfo.title}</h3>
-                <p className="text-sm text-white/60 leading-relaxed">{detailInfo.desc}</p>
-                {chartDetail && fpKPIs.y2026 && (
-                  <div className="mt-4 pt-4 border-t border-white/10">
-                    <div className="grid grid-cols-5 gap-2 text-center">
-                      {[2026,2027,2028,2029,2030].map(y => {
-                        const keyMap: Record<string, string> = { cash: 'liquiditaet', revcost: 'revenue', acv: 'arpu' }
-                        const key = keyMap[chartDetail!] || chartDetail
-                        const v = fpKPIs[`y${y}`]?.[key as keyof typeof fpKPIs['y2026']] as number || 0
-                        return (
-                          <div key={y}>
-                            <div className="text-[10px] text-white/40">{y}</div>
-                            <div className="text-sm font-bold text-white">{typeof v === 'number' && Math.abs(v) >= 1000 ? fmtK(v) : `${v}`}</div>
-                          </div>
-                        )
-                      })}
-                    </div>
-                  </div>
-                )}
-              </div>
-            </div>
-          )}
-
-          {/* MRR + Kunden Chart */}
-          <GlassCard hover={false} className="p-4 cursor-pointer" onClick={() => setChartDetail('mrr')}>
-            <div className="flex items-center justify-between mb-3">
-              <h3 className="text-xs font-bold text-indigo-400 uppercase tracking-wider">{de ? 'MRR & Kundenentwicklung' : 'MRR & Customer Growth'}</h3>
-              <span className="text-[9px] text-white/30">{de ? 'Klicken für Details' : 'Click for details'}</span>
-            </div>
-            <div className="flex">
-              {/* Y-axis labels */}
-              <div className="flex flex-col justify-between h-40 pr-2 text-[9px] text-white/30 text-right" style={{ width: 45 }}>
-                {(() => { const m = Math.max(...years.map(y => fpKPIs[y]?.mrr || 0), 1); return [m, Math.round(m/2), 0].map((v,i) => <span key={i}>{fmtK(v)} €</span>) })()}
-              </div>
-              <div className="flex-1 grid grid-cols-5 gap-1 items-end h-40 border-l border-b border-white/10 pl-2 pb-1">
-                {years.map((y, idx) => {
-                  const d = { mrr: fpKPIs[y]?.mrr || 0, cust: fpKPIs[y]?.customers || 0 }
-                  const maxMrr = Math.max(...years.map(k => fpKPIs[k]?.mrr || 0), 1)
-                  const maxCust = Math.max(...years.map(k => fpKPIs[k]?.customers || 0), 1)
-                  return (
-                    <div key={idx} className="flex flex-col items-center gap-1">
-                      <div className="flex items-end gap-1 w-full justify-center" style={{ height: '130px' }}>
-                        <div className="w-8 bg-indigo-500/60 rounded-t transition-all" style={{ height: `${(d.mrr / maxMrr) * 120}px` }}>
-                          <div className="text-[10px] text-white/80 text-center -mt-3.5 whitespace-nowrap font-semibold">{fmtK(d.mrr)}</div>
-                        </div>
-                        <div className="w-8 bg-emerald-500/60 rounded-t transition-all" style={{ height: `${(d.cust / maxCust) * 120}px` }}>
-                          <div className="text-[10px] text-white/80 text-center -mt-3.5 whitespace-nowrap font-semibold">{d.cust}</div>
-                        </div>
-                      </div>
-                      <span className="text-[10px] text-white/50 font-medium">{y.slice(1)}</span>
-                    </div>
-                  )
-                })}
-              </div>
-            </div>
-            <div className="flex justify-center gap-6 mt-2 text-[10px]">
-              <span className="flex items-center gap-1.5"><span className="w-3 h-2 bg-indigo-500/60 rounded inline-block" /> MRR (€/Mon)</span>
-              <span className="flex items-center gap-1.5"><span className="w-3 h-2 bg-emerald-500/60 rounded inline-block" /> {de ? 'Bestandskunden (Dez)' : 'Customers (Dec)'}</span>
-            </div>
-          </GlassCard>
-
-          {/* EBIT + Headcount */}
-          <div className="grid md:grid-cols-2 gap-4">
-            <GlassCard hover={false} className="p-4 cursor-pointer" onClick={() => setChartDetail('ebit')}>
-              <div className="flex items-center justify-between mb-3">
-                <h3 className="text-xs font-bold text-purple-400 uppercase tracking-wider">EBIT</h3>
-                <span className="text-[9px] text-white/30">€/Jahr</span>
-              </div>
-              <div className="flex">
-                <div className="flex flex-col justify-between h-28 pr-2 text-[9px] text-white/30 text-right" style={{ width: 40 }}>
-                  {(() => { const vals = years.map(y => fpKPIs[y]?.ebit || 0); const mx = Math.max(...vals.map(Math.abs), 1); return [fmtK(mx), '0', fmtK(-mx)].map((v,i) => <span key={i}>{v}</span>) })()}
-                </div>
-                <div className="flex-1 grid grid-cols-5 gap-1 items-end h-28 border-l border-white/10 pl-2">
-                  {years.map((y, idx) => {
-                    const v = fpKPIs[y]?.ebit || 0
-                    const maxAbs = Math.max(...years.map(k => Math.abs(fpKPIs[k]?.ebit || 0)), 1)
-                    const h = Math.abs(v) / maxAbs * 90
-                    return (
-                      <div key={idx} className="flex flex-col items-center">
-                        <div className="w-10 flex flex-col justify-end" style={{ height: '100px' }}>
-                          <div className={`${v >= 0 ? 'bg-emerald-500/60 rounded-t' : 'bg-red-500/60 rounded-b'} w-full`} style={{ height: `${h}px` }}>
-                            <div className={`text-[10px] ${v >= 0 ? 'text-emerald-300' : 'text-red-300'} text-center -mt-3.5 whitespace-nowrap font-semibold`}>{fmtK(v)}</div>
-                          </div>
-                        </div>
-                        <span className="text-[10px] text-white/50 mt-1 font-medium">{y.slice(1)}</span>
-                      </div>
-                    )
-                  })}
-                </div>
-              </div>
-            </GlassCard>
-
-            <GlassCard hover={false} className="p-4 cursor-pointer" onClick={() => setChartDetail('headcount')}>
-              <div className="flex items-center justify-between mb-3">
-                <h3 className="text-xs font-bold text-amber-400 uppercase tracking-wider">{de ? 'Personalaufbau' : 'Headcount'}</h3>
-                <span className="text-[9px] text-white/30">{de ? 'Mitarbeiter (Dez)' : 'Employees (Dec)'}</span>
-              </div>
-              <div className="flex">
-                <div className="flex flex-col justify-between h-28 pr-2 text-[9px] text-white/30 text-right" style={{ width: 25 }}>
-                  {(() => { const m = Math.max(...years.map(y => fpKPIs[y]?.headcount || 0), 1); return [m, Math.round(m/2), 0].map((v,i) => <span key={i}>{v}</span>) })()}
-                </div>
-                <div className="flex-1 grid grid-cols-5 gap-1 items-end h-28 border-l border-b border-white/10 pl-2 pb-1">
-                  {years.map((y, idx) => {
-                    const v = fpKPIs[y]?.headcount || 0
-                    const mx = Math.max(...years.map(k => fpKPIs[k]?.headcount || 0), 1)
-                    return (
-                      <div key={idx} className="flex flex-col items-center">
-                        <div className="w-10 flex flex-col justify-end" style={{ height: '90px' }}>
-                          <div className="bg-amber-500/60 rounded-t w-full" style={{ height: `${(v / mx) * 80}px` }}>
-                            <div className="text-[11px] text-amber-300 text-center -mt-3.5 font-bold">{v}</div>
-                          </div>
-                        </div>
-                        <span className="text-[10px] text-white/50 mt-1 font-medium">{y.slice(1)}</span>
-                      </div>
-                    )
-                  })}
-                </div>
-              </div>
-            </GlassCard>
-          </div>
-
-          {/* Liquidität + Revenue vs Costs */}
-          <div className="grid md:grid-cols-2 gap-4">
-            <GlassCard hover={false} className="p-4 cursor-pointer" onClick={() => setChartDetail('cash')}>
-              <div className="flex items-center justify-between mb-3">
-                <h3 className="text-xs font-bold text-cyan-400 uppercase tracking-wider">{de ? 'Liquidität' : 'Cash Position'}</h3>
-                <span className="text-[9px] text-white/30">{de ? 'Jahresende' : 'Year-End'}</span>
-              </div>
-              <div className="flex">
-                <div className="flex flex-col justify-between h-28 pr-2 text-[9px] text-white/30 text-right" style={{ width: 40 }}>
-                  {(() => { const m = Math.max(...years.map(y => Math.abs(fpKPIs[y]?.liquiditaet || 0)), 1); return [fmtK(m), fmtK(m/2), '0'].map((v,i) => <span key={i}>{v}</span>) })()}
-                </div>
-                <div className="flex-1 grid grid-cols-5 gap-1 items-end h-28 border-l border-b border-white/10 pl-2 pb-1">
-                  {years.map((y, idx) => {
-                    const v = fpKPIs[y]?.liquiditaet || 0
-                    const mx = Math.max(...years.map(k => Math.abs(fpKPIs[k]?.liquiditaet || 0)), 1)
-                    const h = Math.abs(v) / mx * 90
-                    return (
-                      <div key={idx} className="flex flex-col items-center">
-                        <div className="w-10 flex flex-col justify-end" style={{ height: '90px' }}>
-                          <div className={`${v >= 0 ? 'bg-cyan-500/60 rounded-t' : 'bg-red-500/60 rounded-b'} w-full`} style={{ height: `${Math.max(h, 4)}px` }}>
-                            <div className={`text-[10px] ${v >= 0 ? 'text-cyan-300' : 'text-red-300'} text-center -mt-3.5 whitespace-nowrap font-semibold`}>{fmtK(v)}</div>
-                          </div>
-                        </div>
-                        <span className="text-[10px] text-white/50 mt-1 font-medium">{y.slice(1)}</span>
-                      </div>
-                    )
-                  })}
-                </div>
-              </div>
-            </GlassCard>
-
-            <GlassCard hover={false} className="p-4 cursor-pointer" onClick={() => setChartDetail('revcost')}>
-              <div className="flex items-center justify-between mb-3">
-                <h3 className="text-xs font-bold text-indigo-400 uppercase tracking-wider">{de ? 'Umsatz vs. Kosten' : 'Revenue vs. Costs'}</h3>
-                <span className="text-[9px] text-white/30">€/Jahr</span>
-              </div>
-              <div className="flex">
-                <div className="flex flex-col justify-between h-28 pr-2 text-[9px] text-white/30 text-right" style={{ width: 40 }}>
-                  {(() => {
-                    const d = years.map(y => ({ rev: fpKPIs[y]?.revenue || 0, costs: (fpKPIs[y]?.revenue || 0) - (fpKPIs[y]?.ebit || 0) }))
-                    const mx = Math.max(...d.map(x => Math.max(x.rev, x.costs)), 1)
-                    return [fmtK(mx), fmtK(mx/2), '0'].map((v,i) => <span key={i}>{v}</span>)
-                  })()}
-                </div>
-                <div className="flex-1 grid grid-cols-5 gap-1 items-end h-28 border-l border-b border-white/10 pl-2 pb-1">
-                  {(() => {
-                    const data = years.map(y => ({ year: y.slice(1), rev: fpKPIs[y]?.revenue || 0, costs: (fpKPIs[y]?.revenue || 0) - (fpKPIs[y]?.ebit || 0) }))
-                    const mx = Math.max(...data.map(d => Math.max(d.rev, d.costs)), 1)
-                    return data.map((d, idx) => (
-                      <div key={idx} className="flex flex-col items-center gap-1">
-                        <div className="flex items-end gap-1 w-full justify-center" style={{ height: '90px' }}>
-                          <div className="w-6 bg-indigo-500/60 rounded-t" style={{ height: `${(d.rev / mx) * 80}px` }}>
-                            <div className="text-[9px] text-indigo-300 text-center -mt-3 whitespace-nowrap font-semibold">{fmtK(d.rev)}</div>
-                          </div>
-                          <div className="w-6 bg-red-500/40 rounded-t" style={{ height: `${(d.costs / mx) * 80}px` }}>
-                            <div className="text-[9px] text-red-300 text-center -mt-3 whitespace-nowrap font-semibold">{fmtK(d.costs)}</div>
-                          </div>
-                        </div>
-                        <span className="text-[10px] text-white/50 font-medium">{d.year}</span>
-                      </div>
-                    ))
-                  })()}
-                </div>
-              </div>
-              <div className="flex justify-center gap-4 mt-2 text-[9px]">
-                <span className="flex items-center gap-1"><span className="w-3 h-1.5 bg-indigo-500/60 rounded inline-block" /> {de ? 'Umsatz' : 'Revenue'}</span>
-                <span className="flex items-center gap-1"><span className="w-3 h-1.5 bg-red-500/40 rounded inline-block" /> {de ? 'Kosten' : 'Costs'}</span>
-              </div>
-            </GlassCard>
-          </div>
-
-          {/* Unit Economics — clickable cards */}
-          <GlassCard hover={false} className="p-4">
-            <h3 className="text-xs font-bold text-purple-400 uppercase tracking-wider mb-3">Unit Economics (2026–2030)</h3>
-            <div className="grid md:grid-cols-4 gap-3">
-              {[
-                { label: 'ACV', key: 'arpu', unit: '€', color: 'text-indigo-300', bg: 'bg-indigo-500/60', detail: 'acv' },
-                { label: 'Gross Margin', key: 'grossMargin', unit: '%', color: 'text-emerald-300', bg: 'bg-emerald-500/60', detail: 'grossMargin' },
-                { label: de ? 'Wachstum' : 'Growth', key: 'nrr', unit: '%', color: 'text-purple-300', bg: 'bg-purple-500/60', detail: 'nrr' },
-                { label: 'EBIT Margin', key: 'ebitMargin', unit: '%', color: 'text-amber-300', bg: 'bg-amber-500/60', detail: 'ebitMargin' },
-              ].map((metric, mIdx) => (
-                <div key={mIdx} className="text-center cursor-pointer hover:bg-white/[0.03] rounded-lg p-2 transition-colors" onClick={() => setChartDetail(metric.detail)}>
-                  <p className={`text-[10px] font-bold ${metric.color} uppercase tracking-wider mb-2`}>{metric.label}</p>
-                  <div className="flex items-end justify-center gap-1 h-16">
-                    {[2026,2027,2028,2029,2030].map((y, idx) => {
-                      const val = fpKPIs[`y${y}`]?.[metric.key as keyof typeof fpKPIs['y2026']] as number || 0
-                      const maxVal = Math.max(...[2026,2027,2028,2029,2030].map(yr => Math.abs(fpKPIs[`y${yr}`]?.[metric.key as keyof typeof fpKPIs['y2026']] as number || 0)), 1)
-                      const h = Math.abs(val) / maxVal * 50
-                      return (
-                        <div key={idx} className="flex flex-col items-center">
-                          <div className={`w-4 ${val >= 0 ? metric.bg + ' rounded-t' : 'bg-red-500/60 rounded-b'}`} style={{ height: `${Math.max(h, 2)}px` }} />
-                          <span className="text-[8px] text-white/30 mt-0.5">{String(y).slice(2)}</span>
-                        </div>
-                      )
-                    })}
-                  </div>
-                  <p className={`text-sm font-bold ${metric.color} mt-1`}>
-                    {(() => {
-                      const v = fpKPIs.y2030?.[metric.key as keyof typeof fpKPIs['y2026']] as number || 0
-                      return metric.unit === '€' ? `${fmtV(v)}${metric.unit}` : `${v}${metric.unit}`
-                    })()}
-                  </p>
-                  <p className="text-[8px] text-white/25">2030</p>
-                </div>
-              ))}
-            </div>
-          </GlassCard>
-        </div>
-        )
-      })()}
+      {activeSheet === 'charts' && (
+        <ChartsTab fpKPIs={fpKPIs} de={de} chartDetail={chartDetail} setChartDetail={setChartDetail} />
+      )}
 
       {/* === Kontenrahmen SKR04 === */}
-      {activeSheet === 'skr' && (() => {
-        const skr04: { klasse: string; title: string; color: string; accounts: { nr: string; name: string; used?: boolean }[] }[] = [
-          { klasse: '0', title: de ? 'Anlagevermögen' : 'Fixed Assets', color: 'text-slate-400', accounts: [
-            { nr: '0200', name: de ? 'Technische Anlagen & Maschinen' : 'Technical Equipment', used: false },
-            { nr: '0400', name: de ? 'Betriebs- und Geschäftsausstattung' : 'Office & Business Equipment', used: true },
-            { nr: '0420', name: de ? 'EDV-Hardware' : 'IT Hardware', used: true },
-            { nr: '0440', name: de ? 'Geringwertige Wirtschaftsgüter (GWG)' : 'Low-Value Assets (GWG)', used: true },
-            { nr: '0480', name: de ? 'Immaterielle Vermögensgegenstände' : 'Intangible Assets', used: true },
-          ]},
-          { klasse: '1', title: de ? 'Umlaufvermögen' : 'Current Assets', color: 'text-blue-400', accounts: [
-            { nr: '1200', name: de ? 'Bank (Geschäftskonto)' : 'Bank (Business Account)', used: true },
-            { nr: '1210', name: de ? 'Bank (Festgeld/Rücklagen)' : 'Bank (Fixed Deposit)', used: false },
-            { nr: '1400', name: de ? 'Forderungen aus L&L' : 'Accounts Receivable', used: true },
-            { nr: '1590', name: de ? 'Durchlaufende Posten' : 'Transit Items', used: false },
-          ]},
-          { klasse: '2', title: de ? 'Eigenkapital & Verbindlichkeiten' : 'Equity & Liabilities', color: 'text-purple-400', accounts: [
-            { nr: '2000', name: de ? 'Gezeichnetes Kapital (Stammkapital)' : 'Share Capital', used: true },
-            { nr: '2010', name: de ? 'Kapitalrücklage (Wandeldarlehen)' : 'Capital Reserve (Convertible Loan)', used: true },
-            { nr: '2100', name: de ? 'Gewinnvortrag / Verlustvortrag' : 'Retained Earnings / Losses', used: true },
-            { nr: '2900', name: de ? 'Jahresüberschuss / -fehlbetrag' : 'Net Income / Loss', used: true },
-          ]},
-          { klasse: '3', title: de ? 'Rückstellungen & Verbindlichkeiten' : 'Provisions & Payables', color: 'text-indigo-400', accounts: [
-            { nr: '3070', name: de ? 'Verbindlichkeiten ggü. Kreditinstituten' : 'Bank Liabilities', used: true },
-            { nr: '3100', name: de ? 'Verbindlichkeiten aus L&L' : 'Accounts Payable', used: true },
-            { nr: '3150', name: de ? 'Darlehen (L-Bank Pre-Seed)' : 'Loan (L-Bank Pre-Seed)', used: true },
-            { nr: '3500', name: de ? 'Umsatzsteuer-Verbindlichkeit' : 'VAT Payable', used: true },
-            { nr: '3520', name: de ? 'Lohnsteuer-Verbindlichkeit' : 'Payroll Tax Payable', used: true },
-            { nr: '3550', name: de ? 'Sozialversicherungs-Verbindlichkeit' : 'Social Security Payable', used: true },
-            { nr: '3900', name: de ? 'Rückstellungen (Jahresabschluss etc.)' : 'Provisions (Closing etc.)', used: true },
-          ]},
-          { klasse: '4', title: de ? 'Betriebliche Erträge' : 'Operating Revenue', color: 'text-emerald-400', accounts: [
-            { nr: '4400', name: de ? 'Erlöse Software-Lizenzen (SaaS)' : 'Software License Revenue (SaaS)', used: true },
-            { nr: '4410', name: de ? 'Erlöse Beratung & Service' : 'Consulting & Service Revenue', used: true },
-            { nr: '4440', name: de ? 'Erlöse Hardware (Mac Mini/Studio)' : 'Hardware Revenue', used: false },
-            { nr: '4500', name: de ? 'Sonstige betriebliche Erträge' : 'Other Operating Revenue', used: true },
-            { nr: '4510', name: de ? 'Fördergelder / Grants' : 'Grants / Subsidies', used: true },
-            { nr: '4520', name: de ? 'Forschungszulage (§ 27a EStG)' : 'Research Tax Credit', used: true },
-          ]},
-          { klasse: '5', title: de ? 'Materialaufwand / COGS' : 'Material Costs / COGS', color: 'text-orange-400', accounts: [
-            { nr: '5400', name: de ? 'Cloud-Hosting (SysEleven/Hetzner)' : 'Cloud Hosting', used: true },
-            { nr: '5410', name: de ? 'LLM-Inferenzkosten' : 'LLM Inference Costs', used: true },
-            { nr: '5420', name: de ? '3rd Party API (Tavily etc.)' : '3rd Party API', used: true },
-            { nr: '5430', name: de ? 'Datenbank-Hosting (PostgreSQL/Qdrant)' : 'Database Hosting', used: true },
-            { nr: '5440', name: de ? 'CDN / Storage / Monitoring' : 'CDN / Storage / Monitoring', used: true },
-          ]},
-          { klasse: '6', title: de ? 'Personalaufwand' : 'Personnel Costs', color: 'text-cyan-400', accounts: [
-            { nr: '6000', name: de ? 'Löhne und Gehälter' : 'Wages and Salaries', used: true },
-            { nr: '6010', name: de ? 'Geschäftsführer-Gehälter' : 'Managing Director Salaries', used: true },
-            { nr: '6100', name: de ? 'Soziale Abgaben (AG-Anteil)' : 'Social Security (Employer)', used: true },
-            { nr: '6110', name: de ? 'Berufsgenossenschaft (VBG)' : 'Professional Association (VBG)', used: true },
-            { nr: '6130', name: de ? 'Vermögenswirksame Leistungen' : 'Capital-Forming Benefits', used: false },
-            { nr: '6170', name: de ? 'Freiwillige Sozialleistungen' : 'Voluntary Social Benefits', used: false },
-          ]},
-          { klasse: '7', title: de ? 'Sonstige betriebliche Aufwendungen' : 'Other Operating Expenses', color: 'text-amber-400', accounts: [
-            { nr: '7000', name: de ? 'Raumkosten / Miete' : 'Rent / Room Costs', used: true },
-            { nr: '7100', name: de ? 'Versicherungen (D&O, Cyber, Haftpflicht)' : 'Insurance (D&O, Cyber, Liability)', used: true },
-            { nr: '7200', name: de ? 'Fahrzeugkosten / KFZ' : 'Vehicle Costs', used: true },
-            { nr: '7300', name: de ? 'Werbe- und Marketingkosten' : 'Marketing Costs', used: true },
-            { nr: '7310', name: de ? 'Teilnahme an Messen' : 'Trade Fair Participation', used: true },
-            { nr: '7320', name: de ? 'Bewirtungskosten' : 'Entertainment Costs', used: true },
-            { nr: '7400', name: de ? 'Reisekosten' : 'Travel Costs', used: true },
-            { nr: '7500', name: de ? 'Internet / Mobilfunk' : 'Internet / Mobile', used: true },
-            { nr: '7510', name: de ? 'Serverkosten / Cloud (→ Klasse 5)' : 'Server / Cloud (→ Class 5)', used: false },
-            { nr: '7600', name: de ? 'Rechts-/Beratungskosten' : 'Legal / Advisory Costs', used: true },
-            { nr: '7610', name: de ? 'Buchführungskosten' : 'Bookkeeping Costs', used: true },
-            { nr: '7620', name: de ? 'Jahresabschlusskosten' : 'Annual Closing Costs', used: true },
-            { nr: '7630', name: de ? 'Ext. Datenschutzbeauftragter' : 'Ext. Data Protection Officer', used: true },
-            { nr: '7640', name: de ? 'Zertifizierung (ISO 27001 / BSI C5)' : 'Certification (ISO 27001 / BSI C5)', used: true },
-            { nr: '7650', name: de ? 'Recruiting / Stellenanzeigen' : 'Recruiting / Job Ads', used: true },
-            { nr: '7680', name: de ? 'IHK / Kammerbeiträge' : 'Chamber of Commerce Fees', used: true },
-            { nr: '7690', name: de ? 'Rundfunkbeitrag' : 'Broadcasting Fee', used: true },
-            { nr: '7700', name: de ? 'Abschreibungen (AfA)' : 'Depreciation', used: true },
-            { nr: '7750', name: de ? 'Fort- und Weiterbildung' : 'Training & Development', used: true },
-            { nr: '7800', name: de ? 'Bankgebühren / Nebenkosten Geldverkehr' : 'Bank Fees', used: true },
-            { nr: '7900', name: de ? 'Schutzrechte / Lizenzkosten' : 'IP Rights / License Costs', used: true },
-          ]},
-          { klasse: '8', title: de ? 'Finanzerträge & -aufwendungen' : 'Financial Income & Expenses', color: 'text-red-400', accounts: [
-            { nr: '8100', name: de ? 'Zinserträge' : 'Interest Income', used: false },
-            { nr: '8200', name: de ? 'Zinsaufwendungen' : 'Interest Expenses', used: true },
-            { nr: '8210', name: de ? 'Zinsen L-Bank Wandeldarlehen (8%)' : 'Interest L-Bank Convertible (8%)', used: true },
-          ]},
-          { klasse: '9', title: de ? 'Steuern & Jahresabschluss' : 'Taxes & Closing', color: 'text-rose-400', accounts: [
-            { nr: '9000', name: de ? 'Gewerbesteuer' : 'Trade Tax', used: true },
-            { nr: '9100', name: de ? 'Körperschaftsteuer + Soli' : 'Corporate Tax + Surcharge', used: true },
-            { nr: '9200', name: de ? 'Umsatzsteuer (Zahllast)' : 'VAT (Payable)', used: true },
-            { nr: '9300', name: de ? 'Lohnsteuer' : 'Payroll Tax', used: true },
-          ]},
-        ]
-
-        return (
-          <GlassCard hover={false} className="p-4">
-            <div className="flex items-center justify-between mb-4">
-              <h3 className="text-sm font-bold text-white/80">{de ? 'Kontenrahmen SKR04 — Breakpilot COMPLAI GmbH' : 'Chart of Accounts SKR04 — Breakpilot COMPLAI GmbH'}</h3>
-              <div className="flex items-center gap-3 text-[9px]">
-                <span className="flex items-center gap-1"><span className="w-2 h-2 rounded-full bg-emerald-400 inline-block" /> {de ? 'Aktiv genutzt' : 'Actively used'}</span>
-                <span className="flex items-center gap-1"><span className="w-2 h-2 rounded-full bg-white/15 inline-block" /> {de ? 'Geplant / nicht aktiv' : 'Planned / inactive'}</span>
-              </div>
-            </div>
-            <div className="space-y-1">
-              {skr04.map(k => (
-                <div key={k.klasse}>
-                  <button onClick={() => toggleSKR(k.klasse)} className="w-full flex items-center gap-2 py-1.5 px-2 rounded hover:bg-white/[0.03] transition-colors text-left">
-                    <span className="text-[10px] text-white/30 w-3">{openSKR.has(k.klasse) ? '▾' : '▸'}</span>
-                    <span className={`text-xs font-bold ${k.color}`}>Klasse {k.klasse}</span>
-                    <span className="text-xs text-white/60">— {k.title}</span>
-                    <span className="text-[9px] text-white/25 ml-auto">{k.accounts.filter(a => a.used).length}/{k.accounts.length}</span>
-                  </button>
-                  {openSKR.has(k.klasse) && (
-                    <div className="ml-7 mb-2 space-y-0.5">
-                      {k.accounts.map(a => (
-                        <div key={a.nr} className={`flex items-center gap-2 py-0.5 px-2 rounded text-[11px] ${a.used ? 'text-white/70' : 'text-white/25'}`}>
-                          <span className={`w-1.5 h-1.5 rounded-full shrink-0 ${a.used ? 'bg-emerald-400' : 'bg-white/15'}`} />
-                          <span className="font-mono text-white/30 w-10">{a.nr}</span>
-                          <span>{a.name}</span>
-                        </div>
-                      ))}
-                    </div>
-                  )}
-                </div>
-              ))}
-            </div>
-            <div className="mt-3 pt-2 border-t border-white/5 text-[10px] text-white/25 text-center">
-              SKR04 (Industriekontenrahmen) · {de ? 'Angepasst für SaaS/Tech GmbH' : 'Adapted for SaaS/Tech GmbH'} · {de ? '10 Klassen · 62 Konten' : '10 classes · 62 accounts'}
-            </div>
-          </GlassCard>
-        )
-      })()}
+      {activeSheet === 'skr' && <SKRTab de={de} />}
 
       {/* Year Navigation — not for GuV, KPIs, Charts */}
       {!['guv', 'kpis', 'charts', 'skr'].includes(activeSheet) && (
@@ -734,318 +220,16 @@ export default function FinanzplanSlide({ lang, investorId, preferredScenarioId,
         {loading ? (
           <div className="text-center py-8 text-white/30 text-sm">{de ? 'Lade...' : 'Loading...'}</div>
         ) : activeSheet === 'guv' ? (
-          /* === GuV: Annual table (y2026-y2030) === */
-          <table className="w-full text-[10px]">
-            <thead>
-              <tr className="border-b border-white/10">
-                <th className="text-left py-1.5 px-2 text-white/60 font-medium sticky left-0 bg-slate-900/90 backdrop-blur min-w-[220px]">
-                  {de ? 'GuV-Position' : 'P&L Item'}
-                </th>
-                {[2026, 2027, 2028, 2029, 2030].map(y => (
-                  <th key={y} className="text-right py-1.5 px-3 text-white/60 font-medium min-w-[100px]">{y}</th>
-                ))}
-              </tr>
-            </thead>
-            <tbody>
-              {rows.map(row => {
-                const values = getValues(row)
-                const label = getLabel(row)
-                const isMajorSum = label === 'EBIT' || label.includes('Rohergebnis') || label.includes('Jahresüberschuss') || label.includes('Ergebnis nach Steuern')
-                const isMinorSum = row.is_sum_row || label.includes('Summe') || label.includes('Gesamtleistung') || label.includes('Steuern gesamt')
-                const isSumRow = isMajorSum || isMinorSum
-
-                return (
-                  <tr key={row.id} className={`${isMajorSum ? 'border-t-2 border-t-white/20 border-b border-b-white/[0.05] bg-white/[0.05]' : isMinorSum ? 'border-t border-t-white/10 border-b border-b-white/[0.03] bg-white/[0.03]' : 'border-b border-white/[0.03]'} hover:bg-white/[0.02]`}>
-                    <td className={`py-1.5 px-2 sticky left-0 bg-slate-900/90 backdrop-blur ${isMajorSum ? 'font-bold text-white text-xs' : isMinorSum ? 'font-semibold text-white/80' : 'text-white/60'}`}>
-                      <LabelWithTooltip label={label} />
-                    </td>
-                    {[2026, 2027, 2028, 2029, 2030].map(y => {
-                      const v = values[`y${y}`] || 0
-                      return (
-                        <td key={y} className={`text-right py-1.5 px-3 ${v < 0 ? 'text-red-400' : v > 0 ? (isMajorSum ? 'text-white' : isSumRow ? 'text-white/80' : 'text-white/50') : 'text-white/15'} ${isMajorSum ? 'font-bold text-xs' : isSumRow ? 'font-semibold' : ''}`}>
-                          {v === 0 ? '—' : Math.round(v).toLocaleString('de-DE', { maximumFractionDigits: 0 })}
-                        </td>
-                      )
-                    })}
-                  </tr>
-                )
-              })}
-            </tbody>
-          </table>
+          <GuvTable rows={rows} de={de} />
         ) : (
-          /* === Monthly/Annual Grid (all other sheets) === */
-          <table className="w-full text-[10px]">
-            <thead>
-              <tr className="border-b border-white/10">
-                <th className="text-left py-1.5 px-2 text-white/60 font-medium sticky left-0 bg-slate-900/90 backdrop-blur min-w-[160px]">
-                  {de ? 'Position' : 'Item'}
-                </th>
-                {yearOffset === -1 ? (
-                  // All years view
-                  [2026, 2027, 2028, 2029, 2030].map(y => (
-                    <th key={y} className="text-right py-1.5 px-3 text-white/60 font-medium min-w-[80px]">{y}</th>
-                  ))
-                ) : (
-                  <>
-                    <th className="text-right py-1.5 px-2 text-white/60 font-medium min-w-[70px]">
-                      {currentYear}
-                    </th>
-                    {MONTH_LABELS.map((label, idx) => (
-                      <th key={idx} className="text-right py-1.5 px-1.5 text-white/50 font-normal min-w-[55px]">
-                        {label}
-                      </th>
-                    ))}
-                  </>
-                )}
-              </tr>
-            </thead>
-            <tbody>
-              {(() => {
-                // Live-compute sum rows from detail rows (like Excel formulas)
-                const computedRows = rows.map(row => {
-                  const label = getLabel(row)
-                  const cat = row.category as string || ''
-                  const rowType = (row as Record<string, unknown>).row_type as string || ''
-                  const isSumLabel = row.is_sum_row || label.includes('Summe') || label.includes('SUMME') || label.includes('ÜBERSCHUSS') || label.includes('UEBERSCHUSS')
-
-                  if (!isSumLabel) return row
-
-                  let sourceRows: SheetRow[] = []
-
-                  // === Betriebliche Aufwendungen: category-based sums ===
-                  if (cat && cat !== 'summe') {
-                    sourceRows = rows.filter(r => (r.category as string) === cat && !r.is_sum_row && getLabel(r) !== label)
-                  } else if (label.includes('Summe sonstige')) {
-                    sourceRows = rows.filter(r => {
-                      const rCat = r.category as string || ''
-                      const rLabel = getLabel(r)
-                      return !r.is_sum_row && rCat !== 'personal' && rCat !== 'abschreibungen' && rCat !== 'summe' &&
-                        !rLabel.includes('Personalkosten') && !rLabel.includes('Abschreibungen') && !rLabel.includes('Summe') && !rLabel.includes('SUMME')
-                    })
-                  } else if (label.includes('SUMME Betriebliche')) {
-                    // Include ALL rows: personal + abschreibungen + all detail rows (but not other sum rows)
-                    sourceRows = rows.filter(r => {
-                      const rCat = r.category as string || ''
-                      const rLabel = getLabel(r)
-                      // Include Personalkosten and Abschreibungen (they have is_sum_row=true but are real data)
-                      if (rLabel === 'Personalkosten' || rLabel === 'Abschreibungen') return true
-                      // Exclude sum rows and category "summe"
-                      return !r.is_sum_row && rCat !== 'summe' && !rLabel.includes('Summe') && !rLabel.includes('SUMME')
-                    })
-                  }
-
-                  // === Liquidität: ALL sum/balance rows — keep DB values (engine computed) ===
-                  else if (activeSheet === 'liquiditaet' && (
-                    label.includes('Summe') || label.includes('ÜBERSCHUSS') || label.includes('UEBERSCHUSS') ||
-                    label.includes('LIQUIDITÄT') || label.includes('LIQUIDITAET') || label.includes('Kontostand')
-                  )) {
-                    return row
-                  }
-
-                  // === Umsatzerlöse: GESAMTUMSATZ = sum of revenue rows only ===
-                  else if (label.includes('GESAMTUMSATZ')) {
-                    sourceRows = rows.filter(r => {
-                      const sec = (r as Record<string, unknown>).section as string || ''
-                      return sec === 'revenue' && !getLabel(r).includes('GESAMTUMSATZ')
-                    })
-                  }
-
-                  // === Materialaufwand: SUMME = sum of cost rows only ===
-                  else if (label.includes('SUMME Material') || (activeSheet === 'materialaufwand' && label === 'SUMME')) {
-                    sourceRows = rows.filter(r => {
-                      const sec = (r as Record<string, unknown>).section as string || ''
-                      return sec === 'cost' && getLabel(r) !== 'SUMME'
-                    })
-                  }
-
-                  // === Kunden GESAMT rows — trust DB values (engine computed) ===
-                  else if (label.includes('GESAMT') || label.includes('Bestandskunden gesamt')) {
-                    return row
-                  }
-
-                  if (sourceRows.length === 0) return row
-
-                  const computed: Record<string, number> = {}
-                  for (let m = 1; m <= 60; m++) {
-                    const key = `m${m}`
-                    computed[key] = Math.round(sourceRows.reduce((sum, r) => sum + (getValues(r)[key] || 0), 0))
-                  }
-
-                  return { ...row, values: computed, values_total: computed }
-                })
-
-                // For betriebliche: reorder so category header (sum_row) comes BEFORE detail rows
-                if (activeSheet === 'betriebliche') {
-                  const grouped: SheetRow[] = []
-                  const cats = new Map<string, { header: SheetRow | null; details: SheetRow[] }>()
-                  // Collect by category
-                  for (const row of computedRows) {
-                    const cat = row.category as string || ''
-                    if (!cats.has(cat)) cats.set(cat, { header: null, details: [] })
-                    const g = cats.get(cat)!
-                    if (row.is_sum_row) g.header = row
-                    else g.details.push(row)
-                  }
-                  // Output: header first, then details (if open)
-                  for (const [cat, g] of cats) {
-                    if (g.header) grouped.push(g.header)
-                    if (openCats.has(cat) || cat === 'summe' || cat === 'personal' || cat === 'abschreibungen') {
-                      grouped.push(...g.details)
-                    }
-                  }
-                  return grouped
-                }
-                return computedRows
-              })().map(row => {
-                const values = getValues(row)
-                const label = getLabel(row)
-                const isSumRow = row.is_sum_row || label.includes('GESAMT') || label.includes('Summe') || label.includes('ÜBERSCHUSS') || label.includes('LIQUIDITÄT') || label.includes('UEBERSCHUSS') || label.includes('LIQUIDITAET')
-                const isTotalRow = label.includes('GESAMT') || label.includes('Bestandskunden gesamt') || label.includes('GESAMTUMSATZ') || label.includes('SUMME')
-                const isEditable = false // read-only for investors
-                const cat = row.category as string || ''
-                // Make category sum rows clickable (accordion)
-                const isCatHeader = activeSheet === 'betriebliche' && row.is_sum_row && cat !== 'summe' && cat !== 'personal' && cat !== 'abschreibungen'
-                const isCatOpen = openCats.has(cat)
-                // Balance rows show Dec value, flow rows show annual sum
-                const section = (row as Record<string, unknown>).section as string || ''
-                const isBalanceRow = label.includes('Kontostand') || label === 'LIQUIDITÄT' || label === 'LIQUIDITAET'
-                  || label.includes('Bestandskunden') || (activeSheet === 'kunden' && row.row_label === 'Bestandskunden')
-                  || label.includes('Anzahl Kunden') || section === 'quantity'
-                const isUnitPrice = section === 'unit_cost' || section === 'einkauf' || label.includes('Einkaufspreis')
-                  || section === 'price' || label.includes('Preis/Monat')
-
-                let annual = 0
-                if (isUnitPrice) {
-                  // Unit prices: show the price, not a sum
-                  annual = values[`m${monthEnd}`] || values[`m${monthStart}`] || 0
-                } else if (isBalanceRow) {
-                  // Point-in-time: show last month (December) value
-                  annual = values[`m${monthEnd}`] || 0
-                } else {
-                  // Flow: sum all 12 months
-                  for (let m = monthStart; m <= monthEnd; m++) annual += values[`m${m}`] || 0
-                }
-
-                return (
-                  <tr
-                    key={row.id}
-                    className={`${isTotalRow ? 'border-t-2 border-t-white/20 border-b border-b-white/[0.03]' : 'border-b border-white/[0.03]'} ${isSumRow ? 'bg-white/[0.03]' : ''} hover:bg-white/[0.02]`}
-                  >
-                    <td className={`py-1 px-2 sticky left-0 bg-slate-900/90 backdrop-blur ${isSumRow ? 'font-bold text-white/80' : 'text-white/60'} ${isCatHeader ? 'cursor-pointer select-none' : ''}`}
-                      onClick={isCatHeader ? () => toggleCat(cat) : undefined}
-                    >
-                      <div className="flex items-center gap-1">
-                        {isCatHeader && <span className="text-[10px] text-indigo-400 w-3 shrink-0">{isCatOpen ? '▾' : '▸'}</span>}
-                        {isEditable && <span className="w-1 h-1 rounded-full bg-indigo-400 flex-shrink-0" />}
-                        <span className="truncate"><LabelWithTooltip label={label} /></span>
-                        {row.position && <span className="text-white/50 ml-1">({row.position})</span>}
-                      </div>
-                    </td>
-                    {yearOffset === -1 ? (
-                      // All years view: show annual values per year
-                      [2026, 2027, 2028, 2029, 2030].map(y => {
-                        const yStart = (y - 2026) * 12 + 1
-                        const yEnd = yStart + 11
-                        let yVal = 0
-                        if (isUnitPrice) {
-                          yVal = values[`m${yEnd}`] || 0
-                        } else if (isBalanceRow) {
-                          yVal = values[`m${yEnd}`] || 0
-                        } else {
-                          for (let m = yStart; m <= yEnd; m++) yVal += values[`m${m}`] || 0
-                        }
-                        return (
-                          <td key={y} className={`text-right py-1 px-3 ${yVal < 0 ? 'text-red-400' : yVal > 0 ? (isSumRow ? 'text-white/80' : 'text-white/50') : 'text-white/15'} ${isSumRow ? 'font-bold' : ''}`}>
-                            {formatCell(Math.round(yVal))}
-                          </td>
-                        )
-                      })
-                    ) : (
-                      <>
-                        <td className={`text-right py-1 px-2 font-medium ${annual < 0 ? 'text-red-400' : isSumRow ? 'text-white/80' : 'text-white/50'}`}>
-                          {formatCell(annual)}
-                        </td>
-                        {Array.from({ length: 12 }, (_, idx) => {
-                          const mKey = `m${monthStart + idx}`
-                          const v = values[mKey] || 0
-                          return (
-                            <td
-                              key={idx}
-                              className={`text-right py-1 px-1.5 ${
-                                v < 0 ? 'text-red-400/70' : v > 0 ? (isSumRow ? 'text-white/70' : 'text-white/50') : 'text-white/15'
-                              } ${isEditable ? 'cursor-pointer hover:bg-indigo-500/10' : ''}`}
-                              onDoubleClick={() => {
-                                if (!isEditable) return
-                                const input = prompt(`${label} — ${MONTH_LABELS[idx]} ${currentYear}`, String(v))
-                                if (input !== null) handleCellEdit(row.id, mKey, input)
-                              }}
-                            >
-                              {formatCell(v)}
-                            </td>
-                          )
-                        })}
-                      </>
-                    )}
-                  </tr>
-                )
-              })}
-            </tbody>
-            {/* Summenzeile für relevante Sheets */}
-            {['personalkosten', 'investitionen'].includes(activeSheet) && rows.length > 0 && (() => {
-              const nonSumRows = rows.filter(r => {
-                const l = getLabel(r)
-                return !(r.is_sum_row || l.includes('GESAMT') || l.includes('Summe') || l.includes('Gesamtkosten') || l === 'SUMME')
-              })
-              return (
-                <tfoot>
-                  <tr className="border-t-2 border-white/20 bg-white/[0.05]">
-                    <td className="py-1.5 px-2 sticky left-0 bg-slate-900/90 backdrop-blur font-bold text-white/80 text-xs">
-                      {de ? 'SUMME' : 'TOTAL'}
-                    </td>
-                    {yearOffset === -1 ? (
-                      [2026, 2027, 2028, 2029, 2030].map(y => {
-                        const yStart = (y - 2026) * 12 + 1
-                        const yEnd = yStart + 11
-                        let yVal = 0
-                        for (let m = yStart; m <= yEnd; m++) {
-                          for (const row of nonSumRows) yVal += getValues(row)[`m${m}`] || 0
-                        }
-                        return (
-                          <td key={y} className={`text-right py-1.5 px-3 font-bold text-xs ${yVal < 0 ? 'text-red-400' : 'text-white/80'}`}>
-                            {formatCell(Math.round(yVal))}
-                          </td>
-                        )
-                      })
-                    ) : (
-                      <>
-                        {(() => {
-                          let sumAnnual = 0
-                          for (let m = monthStart; m <= monthEnd; m++) {
-                            for (const row of nonSumRows) sumAnnual += getValues(row)[`m${m}`] || 0
-                          }
-                          return (
-                            <td className={`text-right py-1.5 px-2 font-bold text-xs ${sumAnnual < 0 ? 'text-red-400' : 'text-white/80'}`}>
-                              {formatCell(sumAnnual)}
-                            </td>
-                          )
-                        })()}
-                        {Array.from({ length: 12 }, (_, idx) => {
-                          const mKey = `m${monthStart + idx}`
-                          let v = 0
-                          for (const row of nonSumRows) v += getValues(row)[mKey] || 0
-                          return (
-                            <td key={idx} className={`text-right py-1.5 px-1.5 font-bold text-xs ${v < 0 ? 'text-red-400' : v > 0 ? 'text-white/70' : 'text-white/15'}`}>
-                              {formatCell(v)}
-                            </td>
-                          )
-                        })}
-                      </>
-                    )}
-                  </tr>
-                </tfoot>
-              )
-            })()}
-          </table>
+          <MonthlyGrid
+            rows={rows}
+            activeSheet={activeSheet}
+            de={de}
+            yearOffset={yearOffset}
+            openCats={openCats}
+            toggleCat={toggleCat}
+          />
         )}
       </GlassCard>
       )}
diff --git a/pitch-deck/components/slides/MilestonesSlide.data.ts b/pitch-deck/components/slides/MilestonesSlide.data.ts
new file mode 100644
index 0000000..2468d07
--- /dev/null
+++ b/pitch-deck/components/slides/MilestonesSlide.data.ts
@@ -0,0 +1,155 @@
+// MilestonesSlide data — extracted from MilestonesSlide.tsx
+
+export const TODAY_POSITION = 0.56
+
+export interface Milestone {
+  id: string
+  when: string
+  tick: string
+  title: { de: string; en: string }
+  short: { de: string; en: string }
+  body: { de: string; en: string }
+  bullets: { de: string[]; en: string[] }
+  tint: string
+  done: boolean
+  next?: boolean
+}
+
+export interface StatItem { k: { de: string; en: string }; v: string; tint: string }
+
+export const MILESTONES: Milestone[] = [
+  {
+    id: 'ihk', when: 'Okt. 2025', tick: '10 \u00b7 25',
+    title: { de: 'Gr\u00fcnderzuschuss & IHK', en: 'Founder Grant & IHK' },
+    short: { de: 'Abstimmung mit Agentur f\u00fcr Arbeit und IHK Konstanz.', en: 'Coordination with Employment Agency and IHK Konstanz.' },
+    body: {
+      de: 'Seit Oktober 2025 Gr\u00fcnderzuschussantrag in Abstimmung mit der Agentur f\u00fcr Arbeit und der IHK Konstanz. Grundlage f\u00fcr die Unternehmensgr\u00fcndung.',
+      en: 'Since October 2025, founder grant application in coordination with the Employment Agency and IHK Konstanz. Foundation for company formation.',
+    },
+    bullets: {
+      de: ['Gr\u00fcnderzuschuss beantragt', 'Beratung IHK Konstanz', 'Businessplan finalisiert'],
+      en: ['Founder grant applied', 'IHK Konstanz advisory', 'Business plan finalized'],
+    },
+    tint: '#a78bfa', done: true,
+  },
+  {
+    id: 'brand', when: '11. Nov. 2025', tick: '11 \u00b7 25',
+    title: { de: 'Markenanmeldung & Domains', en: 'Trademark Filing & Domains' },
+    short: { de: 'DPMA-Anmeldung BreakPilot + Domain-Portfolio.', en: 'DPMA filing BreakPilot + domain portfolio.' },
+    body: {
+      de: 'Markenanmeldung BreakPilot beim DPMA am 11.11.2025. Domain-Kauf breakpilot.com, .de, .ai und brakepilot.com, .de, .ai am 21.11.2025.',
+      en: 'BreakPilot trademark filed with DPMA on 11.11.2025. Domain purchase breakpilot.com, .de, .ai and brakepilot.com, .de, .ai on 21.11.2025.',
+    },
+    bullets: {
+      de: ['DPMA-Markenanmeldung 11.11.2025', 'Domains .com .de .ai gesichert', 'Typo-Domains (.brakepilot) gesichert'],
+      en: ['DPMA trademark filed 11.11.2025', 'Domains .com .de .ai secured', 'Typo domains (.brakepilot) secured'],
+    },
+    tint: '#a78bfa', done: true,
+  },
+  {
+    id: 'dev', when: 'Jan. 2026', tick: '01 \u00b7 26',
+    title: { de: 'Plattform-Entwicklung gestartet', en: 'Platform Development Started' },
+    short: { de: '500.000+ Lines of Code, vollst\u00e4ndige Architektur.', en: '500,000+ lines of code, full architecture.' },
+    body: {
+      de: 'Start der Plattform-Entwicklung mit 500.000+ Lines of Code. Vollst\u00e4ndige Microservice-Architektur mit Go, Python und TypeScript.',
+      en: 'Platform development started with 500,000+ lines of code. Full microservice architecture with Go, Python and TypeScript.',
+    },
+    bullets: {
+      de: ['500K+ Lines of Code', 'Go + Python + TypeScript', 'Vollst\u00e4ndige Architektur'],
+      en: ['500K+ lines of code', 'Go + Python + TypeScript', 'Full architecture'],
+    },
+    tint: '#c084fc', done: true,
+  },
+  {
+    id: 'dpma', when: '27. M\u00e4r. 2026', tick: '03 \u00b7 26',
+    title: { de: 'Markeneintragung DPMA', en: 'DPMA Trademark Registration' },
+    short: { de: 'BreakPilot offiziell eingetragen.', en: 'BreakPilot officially registered.' },
+    body: {
+      de: 'Markeneintragung BreakPilot beim Deutschen Patent- und Markenamt (DPMA) am 27.03.2026.',
+      en: 'BreakPilot trademark registration at the German Patent and Trademark Office (DPMA) on 27.03.2026.',
+    },
+    bullets: {
+      de: ['DPMA-Eintragung 27.03.2026', 'Markenschutz Deutschland'],
+      en: ['DPMA registration 27.03.2026', 'Trademark protection Germany'],
+    },
+    tint: '#c084fc', done: true,
+  },
+  {
+    id: 'rag', when: 'Apr. 2026', tick: '04 \u00b7 26',
+    title: { de: 'RAG mit 375+ Dokumenten', en: 'RAG with 375+ Documents' },
+    short: { de: 'EU + DACH Regularien indexiert.', en: 'EU + DACH regulations indexed.' },
+    body: {
+      de: '375+ Gesetze, Verordnungen, Leitlinien und Urteile in die RAG-Pipeline ingestiert. 25.000+ Pr\u00fcfaspekte generiert.',
+      en: '375+ laws, regulations, guidelines and rulings ingested into the RAG pipeline. 25,000+ audit controls generated.',
+    },
+    bullets: {
+      de: ['375+ Dokumente im RAG', '25.000+ Pr\u00fcfaspekte', 'EU + DACH Abdeckung'],
+      en: ['375+ documents in RAG', '25,000+ audit controls', 'EU + DACH coverage'],
+    },
+    tint: '#c084fc', done: true,
+  },
+  {
+    id: 'euipo', when: '1. Mai 2026', tick: '05 \u00b7 26',
+    title: { de: 'Markenanmeldung EUIPO', en: 'EUIPO Trademark Filing' },
+    short: { de: 'EU-weiter Markenschutz beantragt.', en: 'EU-wide trademark protection filed.' },
+    body: {
+      de: 'Markenanmeldung BreakPilot beim EUIPO (Amt der Europ\u00e4ischen Union f\u00fcr geistiges Eigentum) am 01.05.2026 f\u00fcr EU-weiten Markenschutz.',
+      en: 'BreakPilot trademark filing with EUIPO (European Union Intellectual Property Office) on 01.05.2026 for EU-wide trademark protection.',
+    },
+    bullets: {
+      de: ['EUIPO-Anmeldung 01.05.2026', 'EU-weiter Markenschutz'],
+      en: ['EUIPO filing 01.05.2026', 'EU-wide trademark protection'],
+    },
+    tint: '#fbbf24', done: false, next: true,
+  },
+  {
+    id: 'gmbh', when: 'Aug. 2026', tick: '08 \u00b7 26',
+    title: { de: 'GmbH-Gr\u00fcndung', en: 'GmbH Incorporation' },
+    short: { de: 'Breakpilot COMPLAI GmbH gegr\u00fcndet.', en: 'Breakpilot COMPLAI GmbH incorporated.' },
+    body: {
+      de: 'Gr\u00fcndung der Breakpilot COMPLAI GmbH im August 2026. Notartermin, Handelsregistereintrag, operative Aufnahme.',
+      en: 'Incorporation of Breakpilot COMPLAI GmbH in August 2026. Notary appointment, commercial register entry, start of operations.',
+    },
+    bullets: {
+      de: ['GmbH-Gr\u00fcndung August 2026', 'Handelsregistereintrag', 'Operativer Start'],
+      en: ['GmbH incorporation August 2026', 'Commercial register entry', 'Start of operations'],
+    },
+    tint: '#fbbf24', done: false,
+  },
+  {
+    id: 'customers', when: 'Aug. 2026', tick: '08 \u00b7 26',
+    title: { de: '2 zahlende Kunden', en: '2 Paying Customers' },
+    short: { de: 'Erste Ums\u00e4tze ab Gr\u00fcndung.', en: 'First revenue from incorporation.' },
+    body: {
+      de: 'Zwei zahlende Kunden ab August 2026 \u2014 Validierung des Produkts im Maschinenbau-Umfeld mit echten Compliance-Anforderungen.',
+      en: 'Two paying customers from August 2026 \u2014 product validation in manufacturing with real compliance requirements.',
+    },
+    bullets: {
+      de: ['2 zahlende Kunden', 'Maschinenbau-Validierung', 'Erste Ums\u00e4tze'],
+      en: ['2 paying customers', 'Manufacturing validation', 'First revenue'],
+    },
+    tint: '#fbbf24', done: false,
+  },
+  {
+    id: 'beta', when: 'Q3 2026', tick: 'Q3 \u00b7 26',
+    title: { de: '\u00d6ffentliches Beta', en: 'Public Beta' },
+    short: { de: 'Beta-Launch mit ersten zahlenden Kunden.', en: 'Beta launch with first paying customers.' },
+    body: {
+      de: '\u00d6ffentliches Beta-Release der Plattform. Erste zahlende Kunden aus dem Pilotprogramm gehen live.',
+      en: 'Public beta release of the platform. First paying customers from the pilot program go live.',
+    },
+    bullets: {
+      de: ['Public Beta verf\u00fcgbar', 'Onboarding-Prozess live', 'Feedback-Loop etabliert'],
+      en: ['Public beta available', 'Onboarding process live', 'Feedback loop established'],
+    },
+    tint: '#f59e0b', done: false,
+  },
+]
+
+export const STATS: StatItem[] = [
+  { k: { de: 'Gesetze & Dokumente im RAG', en: 'Laws & Docs in RAG' }, v: '385',      tint: '#a78bfa' },
+  { k: { de: 'Atomare Controls',           en: 'Atomic Controls' },     v: '25.000+',  tint: '#c084fc' },
+  { k: { de: 'Compliance-Module',          en: 'Compliance Modules' },  v: '12',       tint: '#fbbf24' },
+  { k: { de: 'Pilotkunden',               en: 'Pilot Customers' },      v: '2',        tint: '#f59e0b' },
+  { k: { de: 'Lines of Code',             en: 'Lines of Code' },        v: '500.000+', tint: '#8b5cf6' },
+]
diff --git a/pitch-deck/components/slides/MilestonesSlide.parts.tsx b/pitch-deck/components/slides/MilestonesSlide.parts.tsx
new file mode 100644
index 0000000..7f795f3
--- /dev/null
+++ b/pitch-deck/components/slides/MilestonesSlide.parts.tsx
@@ -0,0 +1,362 @@
+'use client'
+
+import { useState, useEffect, useMemo } from 'react'
+import { type Milestone, type StatItem, MILESTONES, TODAY_POSITION } from './MilestonesSlide.data'
+import { type Theme } from './MilestonesSlide.themes'
+
+const MONO: React.CSSProperties = {
+  fontFamily: '"JetBrains Mono","SF Mono",ui-monospace,monospace',
+  fontVariantNumeric: 'tabular-nums',
+}
+
+// ── Star Field ────────────────────────────────────────────────────────────────
+export function StarField() {
+  const stars = useMemo(() => {
+    let s = 77
+    const r = () => { s = (s * 9301 + 49297) % 233280; return s / 233280 }
+    return Array.from({ length: 95 }, () => ({ x: r() * 100, y: r() * 100, size: r() * 1.4 + 0.3, op: r() * 0.5 + 0.15 }))
+  }, [])
+  return (
+    <div style={{ position: 'absolute', inset: 0, pointerEvents: 'none' }}>
+      {stars.map((st, i) => (
+        <div key={i} style={{
+          position: 'absolute', left: `${st.x}%`, top: `${st.y}%`,
+          width: st.size, height: st.size, borderRadius: '50%',
+          background: '#fff', opacity: st.op,
+          boxShadow: `0 0 ${st.size * 3}px rgba(180,160,255,.7)`,
+        }} />
+      ))}
+    </div>
+  )
+}
+
+export function SoftGrid({ t }: { t: Theme }) {
+  return (
+    <div style={{
+      position: 'absolute', inset: 0, pointerEvents: 'none',
+      backgroundImage: `radial-gradient(${t.accent20} 1px, transparent 1px)`,
+      backgroundSize: '28px 28px',
+      maskImage: 'radial-gradient(ellipse at center, #000 40%, transparent 85%)',
+      WebkitMaskImage: 'radial-gradient(ellipse at center, #000 40%, transparent 85%)',
+      opacity: 0.8,
+    }} />
+  )
+}
+
+// ── Timeline ──────────────────────────────────────────────────────────────────
+interface MilestoneWithPos extends Milestone { x: number; row: 'top' | 'bottom' }
+
+export function Timeline({ onSelect, selectedId, t, de }: {
+  onSelect: (m: Milestone) => void
+  selectedId: string | null
+  t: Theme
+  de: boolean
+}) {
+  const trackW = 1160
+  const innerPad = 120
+  const usableW = trackW - innerPad * 2
+  const positions = MILESTONES.map((_, i) => innerPad + (usableW * i) / (MILESTONES.length - 1))
+  const todayX = innerPad + usableW * TODAY_POSITION
+
+  const layout: MilestoneWithPos[] = MILESTONES.map((m, i) => ({
+    ...m, x: positions[i],
+    row: i % 2 === 0 ? 'top' : 'bottom',
+  }))
+
+  const railColor = t.key === 'dark' ? '#a78bfa' : '#7c3aed'
+
+  return (
+    <div style={{ position: 'relative', width: trackW, height: 360, margin: '0 auto' }}>
+      <svg viewBox={`0 0 ${trackW} 360`} preserveAspectRatio="none"
+        style={{ position: 'absolute', inset: 0, width: '100%', height: '100%' }}>
+        <defs>
+          <linearGradient id="msTrackBg" x1="0" x2="1">
+            <stop offset="0"  stopColor={railColor} stopOpacity={t.key === 'dark' ? .18 : .28} />
+            <stop offset=".5" stopColor={railColor} stopOpacity={t.key === 'dark' ? .28 : .38} />
+            <stop offset="1"  stopColor={railColor} stopOpacity={t.key === 'dark' ? .18 : .28} />
+          </linearGradient>
+          <filter id="msGlow" x="-50%" y="-50%" width="200%" height="200%">
+            <feGaussianBlur stdDeviation="3" result="b"/>
+            <feMerge><feMergeNode in="b"/><feMergeNode in="SourceGraphic"/></feMerge>
+          </filter>
+        </defs>
+
+        {/* rail background */}
+        <line x1={innerPad} y1={180} x2={trackW - innerPad} y2={180}
+          stroke="url(#msTrackBg)" strokeWidth="2.5" />
+        {/* past progress */}
+        <line x1={innerPad} y1={180} x2={todayX} y2={180}
+          stroke={t.done} strokeWidth="3" opacity={t.key === 'dark' ? .85 : .9} />
+        {/* future dashed */}
+        <line x1={todayX} y1={180} x2={trackW - innerPad} y2={180}
+          stroke="#f59e0b" strokeWidth="1.75" strokeDasharray="4 5"
+          opacity={t.key === 'dark' ? .6 : .75}
+          style={{ animation: 'msFlow 1.8s linear infinite' }} />
+
+        {/* connector stubs */}
+        {layout.map((m) => (
+          <line key={m.id}
+            x1={m.x} y1={180}
+            x2={m.x} y2={m.row === 'top' ? 154 : 200}
+            stroke={m.done ? t.done : m.tint}
+            strokeOpacity={t.key === 'dark' ? (m.done ? .6 : .55) : (m.done ? .7 : .65)}
+            strokeWidth="1"
+            strokeDasharray={m.done ? '0' : '3 3'} />
+        ))}
+
+        {/* HEUTE marker -- circles only; pill is HTML below */}
+        <g transform={`translate(${todayX} 180)`}>
+          <circle r="14" fill={t.accent} opacity=".15" />
+          <circle r="9" fill={t.accent} opacity=".4">
+            <animate attributeName="r" values="9;14;9" dur="2s" repeatCount="indefinite" />
+            <animate attributeName="opacity" values=".4;.05;.4" dur="2s" repeatCount="indefinite" />
+          </circle>
+          <circle r="6" fill={t.heuteCore} stroke={t.accent} strokeWidth="2" filter="url(#msGlow)" />
+        </g>
+      </svg>
+
+      {/* HEUTE pill -- HTML so it sits above milestone cards */}
+      <div style={{
+        position: 'absolute',
+        left: todayX - 30, top: 146,
+        width: 60, height: 18,
+        borderRadius: 9,
+        background: t.heutePillBg,
+        border: `1px solid ${t.accent}99`,
+        display: 'flex', alignItems: 'center', justifyContent: 'center',
+        zIndex: 10, pointerEvents: 'none',
+        ...MONO, fontSize: 9.5, letterSpacing: 2.5, fontWeight: 700,
+        color: t.heuteText,
+      }}>HEUTE</div>
+
+      {layout.map((m) => (
+        <MilestoneNode key={m.id} m={m} t={t} de={de}
+          onClick={() => onSelect(m)}
+          active={selectedId === m.id} />
+      ))}
+    </div>
+  )
+}
+
+function MilestoneNode({ m, onClick, active, t, de }: {
+  m: MilestoneWithPos; onClick: () => void; active: boolean; t: Theme; de: boolean
+}) {
+  const [hover, setHover] = useState(false)
+  const lit = hover || active
+  const isTop = m.row === 'top'
+  const cardY = isTop ? 4 : 200
+  const nodeColor = m.done ? t.done : m.tint
+
+  const bgTopA  = lit ? m.tint + t.cardTintTopH  : m.tint + t.cardTintTop
+  const bgMidA  = lit ? m.tint + t.cardTintMidH  : m.tint + t.cardTintMid
+  const cardBg  = `linear-gradient(180deg, ${bgTopA} 0%, ${bgMidA} 55%, ${t.cardBase}${lit ? t.cardBaseAH : t.cardBaseA})`
+  const badge   = m.done ? (de ? 'erledigt' : 'done') : (m.next ? (de ? 'als nächstes' : 'next') : (de ? 'geplant' : 'plan'))
+
+  return (
+    <>
+      {/* dot */}
+      <div
+        onClick={onClick}
+        onMouseEnter={() => setHover(true)}
+        onMouseLeave={() => setHover(false)}
+        style={{
+          position: 'absolute', left: m.x - 14, top: 180 - 14,
+          width: 28, height: 28, borderRadius: '50%',
+          background: m.done
+            ? `radial-gradient(circle at 35% 30%, ${t.doneBright}, ${t.doneSolid} 60%, ${t.doneDeep})`
+            : `radial-gradient(circle at 35% 30%, ${m.tint}dd, ${m.tint}66 60%, ${t.dotTodoDeep})`,
+          border: `2px solid ${lit ? '#fff' : nodeColor}`,
+          boxShadow: lit
+            ? `0 0 22px ${nodeColor}, 0 0 44px ${nodeColor}66, inset 0 1px 0 ${t.dotLitHi}`
+            : `0 0 10px ${nodeColor}88, inset 0 1px 0 ${t.dotSoftHi}`,
+          display: 'flex', alignItems: 'center', justifyContent: 'center',
+          color: '#fff', fontSize: 11, fontWeight: 700,
+          cursor: 'pointer', zIndex: 5,
+          transition: 'all .25s',
+          transform: lit ? 'scale(1.15)' : 'scale(1)',
+        }}>
+        {m.done ? '✓' : (m.next ? '◉' : '○')}
+      </div>
+
+      {/* card */}
+      <div
+        onClick={onClick}
+        onMouseEnter={() => setHover(true)}
+        onMouseLeave={() => setHover(false)}
+        style={{
+          position: 'absolute', left: m.x - 112, top: cardY,
+          width: 224, height: 150, padding: '12px 14px',
+          borderRadius: 12,
+          background: cardBg,
+          border: `1px solid ${lit ? m.tint : m.tint + '55'}`,
+          boxShadow: lit ? t.cardShadowLift(m.tint) : t.cardShadowSoft,
+          cursor: 'pointer', zIndex: 4,
+          transition: 'all .25s',
+          transform: lit ? `translateY(${isTop ? -2 : 2}px)` : 'translateY(0)',
+          display: 'flex', flexDirection: 'column', gap: 6,
+          backdropFilter: t.key === 'light' ? 'blur(6px)' : 'none',
+        }}>
+        <div style={{ display: 'flex', alignItems: 'center', gap: 8 }}>
+          <span style={{
+            ...MONO, fontSize: 10, letterSpacing: 1.5, fontWeight: 700,
+            color: m.done ? t.done : m.tint, textTransform: 'uppercase' as const,
+          }}>{m.tick}</span>
+          <span style={{ flex: 1, height: 1, background: `${m.tint}44` }} />
+          <span style={{
+            ...MONO, fontSize: 9, letterSpacing: 2, fontWeight: 700,
+            color: m.done ? t.done : m.tint, textTransform: 'uppercase' as const, opacity: .85,
+          }}>{badge}</span>
+        </div>
+        <div style={{ fontSize: 13, fontWeight: 700, color: t.fg, letterSpacing: -0.2, lineHeight: 1.25 }}>
+          {de ? m.title.de : m.title.en}
+        </div>
+        <div style={{ fontSize: 10.5, lineHeight: 1.45, color: lit ? t.fgSoft : t.fgMuted, transition: 'color .25s' }}>
+          {de ? m.short.de : m.short.en}
+        </div>
+        <div style={{
+          marginTop: 'auto',
+          display: 'flex', alignItems: 'center', justifyContent: 'space-between',
+          paddingTop: 6, borderTop: `1px dashed ${m.tint}44`,
+        }}>
+          <span style={{ fontSize: 10, color: t.fgFaint }}>{m.when}</span>
+          <span style={{
+            fontSize: 10, color: m.tint, fontWeight: 700,
+            opacity: lit ? 1 : 0.55,
+            transform: `translateX(${lit ? 0 : -4}px)`,
+            transition: 'all .25s',
+          }}>{de ? 'Details →' : 'Details →'}</span>
+        </div>
+      </div>
+    </>
+  )
+}
+
+// ── Stat Card ─────────────────────────────────────────────────────────────────
+export function StatCard({ item, t, de }: { item: StatItem; t: Theme; de: boolean }) {
+  const [hover, setHover] = useState(false)
+  const bgTop = hover ? item.tint + t.statTintTopH : item.tint + t.statTintTop
+  const bgMid = item.tint + t.statTintMid
+  return (
+    <div
+      onMouseEnter={() => setHover(true)}
+      onMouseLeave={() => setHover(false)}
+      style={{
+        position: 'relative', padding: '14px 18px', borderRadius: 12,
+        background: `linear-gradient(180deg, ${bgTop} 0%, ${bgMid} 60%, ${t.cardBase}${t.cardBaseA})`,
+        border: `1px solid ${hover ? item.tint : item.tint + '55'}`,
+        boxShadow: hover ? t.statShadowLift(item.tint) : t.statShadowSoft,
+        transform: hover ? 'translateY(-3px)' : 'translateY(0)',
+        transition: 'all .25s',
+        overflow: 'hidden',
+        backdropFilter: t.key === 'light' ? 'blur(6px)' : 'none',
+      }}>
+      <div style={{
+        position: 'absolute', right: 10, top: 10, width: 6, height: 6,
+        borderRadius: '50%', background: item.tint, opacity: .9,
+        boxShadow: `0 0 10px ${item.tint}`,
+      }} />
+      <div style={{ ...MONO, fontSize: 9.5, letterSpacing: 2, color: item.tint, textTransform: 'uppercase' as const, fontWeight: 700, marginBottom: 6 }}>
+        {de ? item.k.de : item.k.en}
+      </div>
+      <div style={{ fontSize: 32, fontWeight: 700, color: t.fg, letterSpacing: -0.8, lineHeight: 1 }}>
+        {item.v}
+      </div>
+      <svg viewBox="0 0 100 16" preserveAspectRatio="none"
+        style={{ width: '100%', height: 14, marginTop: 8, opacity: hover ? 1 : t.sparkOp, transition: 'opacity .25s' }}>
+        <defs>
+          <linearGradient id={`spark-${item.tint.replace('#', '')}`} x1="0" x2="1">
+            <stop offset="0"   stopColor={item.tint} stopOpacity="0" />
+            <stop offset=".5"  stopColor={item.tint} stopOpacity=".9" />
+            <stop offset="1"   stopColor={item.tint} stopOpacity="0" />
+          </linearGradient>
+        </defs>
+        <path d="M 0 10 L 15 8 L 30 11 L 48 6 L 62 9 L 78 4 L 100 2"
+          stroke={`url(#spark-${item.tint.replace('#', '')})`} strokeWidth="1.5" fill="none" />
+      </svg>
+    </div>
+  )
+}
+
+// ── Detail modal ──────────────────────────────────────────────────────────────
+export function DetailModal({ item, onClose, t, de }: {
+  item: Milestone | null; onClose: () => void; t: Theme; de: boolean
+}) {
+  useEffect(() => {
+    if (!item) return
+    const onKey = (e: KeyboardEvent) => { if (e.key === 'Escape') onClose() }
+    window.addEventListener('keydown', onKey)
+    return () => window.removeEventListener('keydown', onKey)
+  }, [item, onClose])
+
+  if (!item) return null
+  const tint = item.tint
+  const badge = item.done
+    ? (de ? 'ABGESCHLOSSEN' : 'COMPLETED')
+    : (item.next ? (de ? 'ALS NÄCHSTES' : 'NEXT UP') : (de ? 'GEPLANT' : 'PLANNED'))
+  const badgeColor = item.done ? t.done : tint
+
+  return (
+    <div onClick={onClose} style={{
+      position: 'absolute', inset: 0, zIndex: 50,
+      background: t.modalScrim, backdropFilter: 'blur(8px)',
+      display: 'flex', alignItems: 'center', justifyContent: 'center',
+      animation: 'msFadeIn .2s ease-out',
+    }}>
+      <div onClick={e => e.stopPropagation()} style={{
+        width: 580, maxWidth: '88%',
+        background: `linear-gradient(180deg, ${tint}22 0%, ${t.modalBgMid} 50%, ${t.modalBgLow} 100%)`,
+        border: `1px solid ${tint}77`,
+        borderRadius: 16,
+        boxShadow: t.modalShadow(tint),
+        padding: '24px 28px', color: t.fg,
+        animation: 'msScaleIn .22s ease-out',
+      }}>
+        <div style={{ display: 'flex', alignItems: 'center', gap: 12, marginBottom: 16 }}>
+          <div style={{
+            width: 42, height: 42, borderRadius: 11,
+            background: `linear-gradient(135deg, ${tint}66, ${tint}22)`,
+            border: `1px solid ${tint}`,
+            display: 'flex', alignItems: 'center', justifyContent: 'center',
+            color: t.key === 'light' ? tint : '#fff', fontSize: 17, fontWeight: 700,
+            boxShadow: `0 0 20px ${tint}66`,
+          }}>{item.done ? '✓' : (item.next ? '◉' : '○')}</div>
+          <div style={{ flex: 1 }}>
+            <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 4 }}>
+              <span style={{
+                ...MONO, fontSize: 9.5, letterSpacing: 2.5, color: badgeColor,
+                textTransform: 'uppercase' as const, fontWeight: 700,
+                padding: '2px 8px', borderRadius: 4,
+                background: `${badgeColor}22`, border: `1px solid ${badgeColor}66`,
+              }}>{badge}</span>
+              <span style={{ ...MONO, fontSize: 10, color: t.fgFaint }}>{item.when}</span>
+            </div>
+            <div style={{ fontSize: 20, fontWeight: 700, color: t.fg, letterSpacing: -0.3 }}>
+              {de ? item.title.de : item.title.en}
+            </div>
+          </div>
+          <button onClick={onClose} style={{
+            background: 'transparent', border: `1px solid ${tint}66`, color: t.fg,
+            width: 32, height: 32, borderRadius: 8, cursor: 'pointer', fontSize: 14,
+          }}>✕</button>
+        </div>
+        <div style={{ fontSize: 13, lineHeight: 1.6, color: t.fgSoft, marginBottom: 16 }}>
+          {de ? item.body.de : item.body.en}
+        </div>
+        <div style={{ display: 'flex', flexDirection: 'column', gap: 8 }}>
+          {(de ? item.bullets.de : item.bullets.en).map((b, i) => (
+            <div key={i} style={{
+              display: 'flex', alignItems: 'flex-start', gap: 10,
+              padding: '9px 13px', borderRadius: 8,
+              background: t.bulletBg, border: `1px solid ${tint}44`,
+            }}>
+              <span style={{ color: item.done ? t.done : tint, fontSize: 12, marginTop: 1 }}>
+                {item.done ? '✓' : '▸'}
+              </span>
+              <span style={{ fontSize: 12, lineHeight: 1.5, color: t.fgSoft }}>{b}</span>
+            </div>
+          ))}
+        </div>
+      </div>
+    </div>
+  )
+}
diff --git a/pitch-deck/components/slides/MilestonesSlide.themes.ts b/pitch-deck/components/slides/MilestonesSlide.themes.ts
new file mode 100644
index 0000000..17b5caf
--- /dev/null
+++ b/pitch-deck/components/slides/MilestonesSlide.themes.ts
@@ -0,0 +1,106 @@
+// MilestonesSlide themes — extracted from MilestonesSlide.tsx
+
+export const THEMES = {
+  dark: {
+    key: 'dark' as const,
+    bg: 'radial-gradient(ellipse at 50% 25%, #1a0f34 0%, #0e0720 55%, #050210 100%)',
+    ambient: 'radial-gradient(ellipse, rgba(167,139,250,.18), transparent 65%)',
+    stars: true,
+    fg: '#f7f5fc',
+    fgSoft: 'rgba(236,233,247,.82)',
+    fgMid: 'rgba(236,233,247,.72)',
+    fgMuted: 'rgba(236,233,247,.62)',
+    fgFaint: 'rgba(236,233,247,.55)',
+    fgGhost: 'rgba(236,233,247,.45)',
+    fgWhisper: 'rgba(236,233,247,.4)',
+    accent: '#a78bfa',
+    accent80: 'rgba(167,139,250,.8)',
+    accent70: 'rgba(167,139,250,.7)',
+    accent50: 'rgba(167,139,250,.5)',
+    accent40: 'rgba(167,139,250,.4)',
+    accent20: 'rgba(167,139,250,.2)',
+    headingGrad: 'linear-gradient(90deg, #e9e2ff, #a78bfa 50%, #e9e2ff)',
+    headingAnim: 'msHeadingDark 4s ease-in-out infinite',
+    heuteText: '#e4d4ff',
+    heutePillBg: 'rgba(14,8,28,.95)',
+    heuteCore: '#f0e9ff',
+    done: '#4ade80',
+    doneBright: '#86efac',
+    doneDeep: '#166534',
+    doneSolid: '#22c55e',
+    cardBase: 'rgba(14,8,28,',
+    cardBaseA: '.9',
+    cardBaseAH: '.95',
+    cardTintTop: '18', cardTintTopH: '2e',
+    cardTintMid: '08', cardTintMidH: '14',
+    cardShadowSoft: '0 10px 24px rgba(0,0,0,.45)',
+    cardShadowLift: (t: string) => `0 20px 44px ${t}33, 0 0 0 1px ${t}66, inset 0 1px 0 ${t}66`,
+    statTintTop: '18', statTintTopH: '2a',
+    statTintMid: '06',
+    statShadowSoft: '0 10px 24px rgba(0,0,0,.45)',
+    statShadowLift: (t: string) => `0 18px 40px ${t}33, 0 0 0 1px ${t}55, inset 0 1px 0 ${t}55`,
+    modalScrim: 'rgba(5,2,16,.75)',
+    modalBgMid: 'rgba(20,10,40,.97)',
+    modalBgLow: 'rgba(14,8,28,.98)',
+    modalShadow: (t: string) => `0 30px 80px rgba(0,0,0,.65), 0 0 60px ${t}33, inset 0 1px 0 ${t}55`,
+    bulletBg: 'rgba(0,0,0,.3)',
+    progressTrackBg: 'rgba(255,255,255,.08)',
+    progressTrackBorder: 'rgba(167,139,250,.2)',
+    dotTodoDeep: '#1a0f34',
+    dotLitHi: 'rgba(255,255,255,.5)',
+    dotSoftHi: 'rgba(255,255,255,.3)',
+    sparkOp: 0.45,
+  },
+  light: {
+    key: 'light' as const,
+    bg: 'radial-gradient(ellipse at 50% 12%, #ffffff 0%, #f5efff 55%, #ebdfff 100%)',
+    ambient: 'radial-gradient(ellipse, rgba(124,58,237,.14), transparent 65%)',
+    stars: false,
+    fg: '#1a0f34',
+    fgSoft: 'rgba(26,15,52,.85)',
+    fgMid: 'rgba(26,15,52,.72)',
+    fgMuted: 'rgba(26,15,52,.62)',
+    fgFaint: 'rgba(26,15,52,.50)',
+    fgGhost: 'rgba(26,15,52,.40)',
+    fgWhisper: 'rgba(26,15,52,.32)',
+    accent: '#7c3aed',
+    accent80: 'rgba(124,58,237,.8)',
+    accent70: 'rgba(124,58,237,.75)',
+    accent50: 'rgba(124,58,237,.55)',
+    accent40: 'rgba(124,58,237,.4)',
+    accent20: 'rgba(124,58,237,.18)',
+    headingGrad: 'linear-gradient(90deg, #3b0e7a, #7c3aed 50%, #3b0e7a)',
+    headingAnim: 'msHeadingLight 4s ease-in-out infinite',
+    heuteText: '#4c1d95',
+    heutePillBg: 'rgba(255,255,255,.98)',
+    heuteCore: '#7c3aed',
+    done: '#16a34a',
+    doneBright: '#4ade80',
+    doneDeep: '#14532d',
+    doneSolid: '#22c55e',
+    cardBase: 'rgba(255,255,255,',
+    cardBaseA: '.92',
+    cardBaseAH: '.98',
+    cardTintTop: '22', cardTintTopH: '3a',
+    cardTintMid: '10', cardTintMidH: '1c',
+    cardShadowSoft: '0 10px 24px rgba(59,26,122,.10), 0 2px 6px rgba(59,26,122,.06)',
+    cardShadowLift: (t: string) => `0 20px 44px ${t}38, 0 0 0 1px ${t}77, inset 0 1px 0 rgba(255,255,255,.9)`,
+    statTintTop: '1e', statTintTopH: '34',
+    statTintMid: '08',
+    statShadowSoft: '0 10px 24px rgba(59,26,122,.10), 0 2px 6px rgba(59,26,122,.06)',
+    statShadowLift: (t: string) => `0 18px 40px ${t}38, 0 0 0 1px ${t}77, inset 0 1px 0 rgba(255,255,255,.9)`,
+    modalScrim: 'rgba(40,20,80,.28)',
+    modalBgMid: 'rgba(255,255,255,.98)',
+    modalBgLow: 'rgba(250,247,255,.98)',
+    modalShadow: (t: string) => `0 30px 80px rgba(59,26,122,.25), 0 0 60px ${t}33, inset 0 1px 0 rgba(255,255,255,.9)`,
+    bulletBg: 'rgba(124,58,237,.06)',
+    progressTrackBg: 'rgba(124,58,237,.12)',
+    progressTrackBorder: 'rgba(124,58,237,.25)',
+    dotTodoDeep: '#faf5ff',
+    dotLitHi: 'rgba(255,255,255,.85)',
+    dotSoftHi: 'rgba(255,255,255,.55)',
+    sparkOp: 0.55,
+  },
+}
+
+export type Theme = typeof THEMES.dark
diff --git a/pitch-deck/components/slides/MilestonesSlide.tsx b/pitch-deck/components/slides/MilestonesSlide.tsx
index c167d38..d8bd61f 100644
--- a/pitch-deck/components/slides/MilestonesSlide.tsx
+++ b/pitch-deck/components/slides/MilestonesSlide.tsx
@@ -1,10 +1,14 @@
 'use client'
 
-import { useState, useEffect, useRef, useMemo, useCallback, Fragment } from 'react'
+import { useState, useEffect, useRef, useMemo, useCallback } from 'react'
 import { Language } from '@/lib/types'
 import GradientText from '../ui/GradientText'
 import FadeInView from '../ui/FadeInView'
 
+import { type Milestone, MILESTONES, STATS } from './MilestonesSlide.data'
+import { THEMES } from './MilestonesSlide.themes'
+import { StarField, SoftGrid, Timeline, StatCard, DetailModal } from './MilestonesSlide.parts'
+
 interface MilestonesSlideProps { lang: Language }
 
 const MONO: React.CSSProperties = {
@@ -43,631 +47,9 @@ function useIsLight() {
   return isLight
 }
 
-// ── Themes ────────────────────────────────────────────────────────────────────
-const THEMES = {
-  dark: {
-    key: 'dark' as const,
-    bg: 'radial-gradient(ellipse at 50% 25%, #1a0f34 0%, #0e0720 55%, #050210 100%)',
-    ambient: 'radial-gradient(ellipse, rgba(167,139,250,.18), transparent 65%)',
-    stars: true,
-    fg: '#f7f5fc',
-    fgSoft: 'rgba(236,233,247,.82)',
-    fgMid: 'rgba(236,233,247,.72)',
-    fgMuted: 'rgba(236,233,247,.62)',
-    fgFaint: 'rgba(236,233,247,.55)',
-    fgGhost: 'rgba(236,233,247,.45)',
-    fgWhisper: 'rgba(236,233,247,.4)',
-    accent: '#a78bfa',
-    accent80: 'rgba(167,139,250,.8)',
-    accent70: 'rgba(167,139,250,.7)',
-    accent50: 'rgba(167,139,250,.5)',
-    accent40: 'rgba(167,139,250,.4)',
-    accent20: 'rgba(167,139,250,.2)',
-    headingGrad: 'linear-gradient(90deg, #e9e2ff, #a78bfa 50%, #e9e2ff)',
-    headingAnim: 'msHeadingDark 4s ease-in-out infinite',
-    heuteText: '#e4d4ff',
-    heutePillBg: 'rgba(14,8,28,.95)',
-    heuteCore: '#f0e9ff',
-    done: '#4ade80',
-    doneBright: '#86efac',
-    doneDeep: '#166534',
-    doneSolid: '#22c55e',
-    cardBase: 'rgba(14,8,28,',
-    cardBaseA: '.9',
-    cardBaseAH: '.95',
-    cardTintTop: '18', cardTintTopH: '2e',
-    cardTintMid: '08', cardTintMidH: '14',
-    cardShadowSoft: '0 10px 24px rgba(0,0,0,.45)',
-    cardShadowLift: (t: string) => `0 20px 44px ${t}33, 0 0 0 1px ${t}66, inset 0 1px 0 ${t}66`,
-    statTintTop: '18', statTintTopH: '2a',
-    statTintMid: '06',
-    statShadowSoft: '0 10px 24px rgba(0,0,0,.45)',
-    statShadowLift: (t: string) => `0 18px 40px ${t}33, 0 0 0 1px ${t}55, inset 0 1px 0 ${t}55`,
-    modalScrim: 'rgba(5,2,16,.75)',
-    modalBgMid: 'rgba(20,10,40,.97)',
-    modalBgLow: 'rgba(14,8,28,.98)',
-    modalShadow: (t: string) => `0 30px 80px rgba(0,0,0,.65), 0 0 60px ${t}33, inset 0 1px 0 ${t}55`,
-    bulletBg: 'rgba(0,0,0,.3)',
-    progressTrackBg: 'rgba(255,255,255,.08)',
-    progressTrackBorder: 'rgba(167,139,250,.2)',
-    dotTodoDeep: '#1a0f34',
-    dotLitHi: 'rgba(255,255,255,.5)',
-    dotSoftHi: 'rgba(255,255,255,.3)',
-    sparkOp: 0.45,
-  },
-  light: {
-    key: 'light' as const,
-    bg: 'radial-gradient(ellipse at 50% 12%, #ffffff 0%, #f5efff 55%, #ebdfff 100%)',
-    ambient: 'radial-gradient(ellipse, rgba(124,58,237,.14), transparent 65%)',
-    stars: false,
-    fg: '#1a0f34',
-    fgSoft: 'rgba(26,15,52,.85)',
-    fgMid: 'rgba(26,15,52,.72)',
-    fgMuted: 'rgba(26,15,52,.62)',
-    fgFaint: 'rgba(26,15,52,.50)',
-    fgGhost: 'rgba(26,15,52,.40)',
-    fgWhisper: 'rgba(26,15,52,.32)',
-    accent: '#7c3aed',
-    accent80: 'rgba(124,58,237,.8)',
-    accent70: 'rgba(124,58,237,.75)',
-    accent50: 'rgba(124,58,237,.55)',
-    accent40: 'rgba(124,58,237,.4)',
-    accent20: 'rgba(124,58,237,.18)',
-    headingGrad: 'linear-gradient(90deg, #3b0e7a, #7c3aed 50%, #3b0e7a)',
-    headingAnim: 'msHeadingLight 4s ease-in-out infinite',
-    heuteText: '#4c1d95',
-    heutePillBg: 'rgba(255,255,255,.98)',
-    heuteCore: '#7c3aed',
-    done: '#16a34a',
-    doneBright: '#4ade80',
-    doneDeep: '#14532d',
-    doneSolid: '#22c55e',
-    cardBase: 'rgba(255,255,255,',
-    cardBaseA: '.92',
-    cardBaseAH: '.98',
-    cardTintTop: '22', cardTintTopH: '3a',
-    cardTintMid: '10', cardTintMidH: '1c',
-    cardShadowSoft: '0 10px 24px rgba(59,26,122,.10), 0 2px 6px rgba(59,26,122,.06)',
-    cardShadowLift: (t: string) => `0 20px 44px ${t}38, 0 0 0 1px ${t}77, inset 0 1px 0 rgba(255,255,255,.9)`,
-    statTintTop: '1e', statTintTopH: '34',
-    statTintMid: '08',
-    statShadowSoft: '0 10px 24px rgba(59,26,122,.10), 0 2px 6px rgba(59,26,122,.06)',
-    statShadowLift: (t: string) => `0 18px 40px ${t}38, 0 0 0 1px ${t}77, inset 0 1px 0 rgba(255,255,255,.9)`,
-    modalScrim: 'rgba(40,20,80,.28)',
-    modalBgMid: 'rgba(255,255,255,.98)',
-    modalBgLow: 'rgba(250,247,255,.98)',
-    modalShadow: (t: string) => `0 30px 80px rgba(59,26,122,.25), 0 0 60px ${t}33, inset 0 1px 0 rgba(255,255,255,.9)`,
-    bulletBg: 'rgba(124,58,237,.06)',
-    progressTrackBg: 'rgba(124,58,237,.12)',
-    progressTrackBorder: 'rgba(124,58,237,.25)',
-    dotTodoDeep: '#faf5ff',
-    dotLitHi: 'rgba(255,255,255,.85)',
-    dotSoftHi: 'rgba(255,255,255,.55)',
-    sparkOp: 0.55,
-  },
-}
-
-type Theme = typeof THEMES.dark
-
-// ── Data ──────────────────────────────────────────────────────────────────────
-const TODAY_POSITION = 0.56
-
-interface Milestone {
-  id: string
-  when: string
-  tick: string
-  title: { de: string; en: string }
-  short: { de: string; en: string }
-  body: { de: string; en: string }
-  bullets: { de: string[]; en: string[] }
-  tint: string
-  done: boolean
-  next?: boolean
-}
-
-const MILESTONES: Milestone[] = [
-  {
-    id: 'ihk',
-    when: 'Okt. 2025', tick: '10 · 25',
-    title: { de: 'Gründerzuschuss & IHK', en: 'Founder Grant & IHK' },
-    short: { de: 'Abstimmung mit Agentur für Arbeit und IHK Konstanz.', en: 'Coordination with Employment Agency and IHK Konstanz.' },
-    body: {
-      de: 'Seit Oktober 2025 Gründerzuschussantrag in Abstimmung mit der Agentur für Arbeit und der IHK Konstanz. Grundlage für die Unternehmensgründung.',
-      en: 'Since October 2025, founder grant application in coordination with the Employment Agency and IHK Konstanz. Foundation for company formation.',
-    },
-    bullets: {
-      de: ['Gründerzuschuss beantragt', 'Beratung IHK Konstanz', 'Businessplan finalisiert'],
-      en: ['Founder grant applied', 'IHK Konstanz advisory', 'Business plan finalized'],
-    },
-    tint: '#a78bfa', done: true,
-  },
-  {
-    id: 'brand',
-    when: '11. Nov. 2025', tick: '11 · 25',
-    title: { de: 'Markenanmeldung & Domains', en: 'Trademark Filing & Domains' },
-    short: { de: 'DPMA-Anmeldung BreakPilot + Domain-Portfolio.', en: 'DPMA filing BreakPilot + domain portfolio.' },
-    body: {
-      de: 'Markenanmeldung BreakPilot beim DPMA am 11.11.2025. Domain-Kauf breakpilot.com, .de, .ai und brakepilot.com, .de, .ai am 21.11.2025.',
-      en: 'BreakPilot trademark filed with DPMA on 11.11.2025. Domain purchase breakpilot.com, .de, .ai and brakepilot.com, .de, .ai on 21.11.2025.',
-    },
-    bullets: {
-      de: ['DPMA-Markenanmeldung 11.11.2025', 'Domains .com .de .ai gesichert', 'Typo-Domains (.brakepilot) gesichert'],
-      en: ['DPMA trademark filed 11.11.2025', 'Domains .com .de .ai secured', 'Typo domains (.brakepilot) secured'],
-    },
-    tint: '#a78bfa', done: true,
-  },
-  {
-    id: 'dev',
-    when: 'Jan. 2026', tick: '01 · 26',
-    title: { de: 'Plattform-Entwicklung gestartet', en: 'Platform Development Started' },
-    short: { de: '500.000+ Lines of Code, vollständige Architektur.', en: '500,000+ lines of code, full architecture.' },
-    body: {
-      de: 'Start der Plattform-Entwicklung mit 500.000+ Lines of Code. Vollständige Microservice-Architektur mit Go, Python und TypeScript.',
-      en: 'Platform development started with 500,000+ lines of code. Full microservice architecture with Go, Python and TypeScript.',
-    },
-    bullets: {
-      de: ['500K+ Lines of Code', 'Go + Python + TypeScript', 'Vollständige Architektur'],
-      en: ['500K+ lines of code', 'Go + Python + TypeScript', 'Full architecture'],
-    },
-    tint: '#c084fc', done: true,
-  },
-  {
-    id: 'dpma',
-    when: '27. Mär. 2026', tick: '03 · 26',
-    title: { de: 'Markeneintragung DPMA', en: 'DPMA Trademark Registration' },
-    short: { de: 'BreakPilot offiziell eingetragen.', en: 'BreakPilot officially registered.' },
-    body: {
-      de: 'Markeneintragung BreakPilot beim Deutschen Patent- und Markenamt (DPMA) am 27.03.2026.',
-      en: 'BreakPilot trademark registration at the German Patent and Trademark Office (DPMA) on 27.03.2026.',
-    },
-    bullets: {
-      de: ['DPMA-Eintragung 27.03.2026', 'Markenschutz Deutschland'],
-      en: ['DPMA registration 27.03.2026', 'Trademark protection Germany'],
-    },
-    tint: '#c084fc', done: true,
-  },
-  {
-    id: 'rag',
-    when: 'Apr. 2026', tick: '04 · 26',
-    title: { de: 'RAG mit 375+ Dokumenten', en: 'RAG with 375+ Documents' },
-    short: { de: 'EU + DACH Regularien indexiert.', en: 'EU + DACH regulations indexed.' },
-    body: {
-      de: '375+ Gesetze, Verordnungen, Leitlinien und Urteile in die RAG-Pipeline ingestiert. 25.000+ Prüfaspekte generiert.',
-      en: '375+ laws, regulations, guidelines and rulings ingested into the RAG pipeline. 25,000+ audit controls generated.',
-    },
-    bullets: {
-      de: ['375+ Dokumente im RAG', '25.000+ Prüfaspekte', 'EU + DACH Abdeckung'],
-      en: ['375+ documents in RAG', '25,000+ audit controls', 'EU + DACH coverage'],
-    },
-    tint: '#c084fc', done: true,
-  },
-  {
-    id: 'euipo',
-    when: '1. Mai 2026', tick: '05 · 26',
-    title: { de: 'Markenanmeldung EUIPO', en: 'EUIPO Trademark Filing' },
-    short: { de: 'EU-weiter Markenschutz beantragt.', en: 'EU-wide trademark protection filed.' },
-    body: {
-      de: 'Markenanmeldung BreakPilot beim EUIPO (Amt der Europäischen Union für geistiges Eigentum) am 01.05.2026 für EU-weiten Markenschutz.',
-      en: 'BreakPilot trademark filing with EUIPO (European Union Intellectual Property Office) on 01.05.2026 for EU-wide trademark protection.',
-    },
-    bullets: {
-      de: ['EUIPO-Anmeldung 01.05.2026', 'EU-weiter Markenschutz'],
-      en: ['EUIPO filing 01.05.2026', 'EU-wide trademark protection'],
-    },
-    tint: '#fbbf24', done: false, next: true,
-  },
-  {
-    id: 'gmbh',
-    when: 'Aug. 2026', tick: '08 · 26',
-    title: { de: 'GmbH-Gründung', en: 'GmbH Incorporation' },
-    short: { de: 'Breakpilot COMPLAI GmbH gegründet.', en: 'Breakpilot COMPLAI GmbH incorporated.' },
-    body: {
-      de: 'Gründung der Breakpilot COMPLAI GmbH im August 2026. Notartermin, Handelsregistereintrag, operative Aufnahme.',
-      en: 'Incorporation of Breakpilot COMPLAI GmbH in August 2026. Notary appointment, commercial register entry, start of operations.',
-    },
-    bullets: {
-      de: ['GmbH-Gründung August 2026', 'Handelsregistereintrag', 'Operativer Start'],
-      en: ['GmbH incorporation August 2026', 'Commercial register entry', 'Start of operations'],
-    },
-    tint: '#fbbf24', done: false,
-  },
-  {
-    id: 'customers',
-    when: 'Aug. 2026', tick: '08 · 26',
-    title: { de: '2 zahlende Kunden', en: '2 Paying Customers' },
-    short: { de: 'Erste Umsätze ab Gründung.', en: 'First revenue from incorporation.' },
-    body: {
-      de: 'Zwei zahlende Kunden ab August 2026 — Validierung des Produkts im Maschinenbau-Umfeld mit echten Compliance-Anforderungen.',
-      en: 'Two paying customers from August 2026 — product validation in manufacturing with real compliance requirements.',
-    },
-    bullets: {
-      de: ['2 zahlende Kunden', 'Maschinenbau-Validierung', 'Erste Umsätze'],
-      en: ['2 paying customers', 'Manufacturing validation', 'First revenue'],
-    },
-    tint: '#fbbf24', done: false,
-  },
-  {
-    id: 'beta',
-    when: 'Q3 2026', tick: 'Q3 · 26',
-    title: { de: 'Öffentliches Beta', en: 'Public Beta' },
-    short: { de: 'Beta-Launch mit ersten zahlenden Kunden.', en: 'Beta launch with first paying customers.' },
-    body: {
-      de: 'Öffentliches Beta-Release der Plattform. Erste zahlende Kunden aus dem Pilotprogramm gehen live.',
-      en: 'Public beta release of the platform. First paying customers from the pilot program go live.',
-    },
-    bullets: {
-      de: ['Public Beta verfügbar', 'Onboarding-Prozess live', 'Feedback-Loop etabliert'],
-      en: ['Public beta available', 'Onboarding process live', 'Feedback loop established'],
-    },
-    tint: '#f59e0b', done: false,
-  },
-]
-
-interface StatItem { k: { de: string; en: string }; v: string; tint: string }
-
-const STATS: StatItem[] = [
-  { k: { de: 'Gesetze & Dokumente im RAG', en: 'Laws & Docs in RAG' }, v: '385',      tint: '#a78bfa' },
-  { k: { de: 'Atomare Controls',           en: 'Atomic Controls' },     v: '25.000+',  tint: '#c084fc' },
-  { k: { de: 'Compliance-Module',          en: 'Compliance Modules' },  v: '12',       tint: '#fbbf24' },
-  { k: { de: 'Pilotkunden',               en: 'Pilot Customers' },      v: '2',        tint: '#f59e0b' },
-  { k: { de: 'Lines of Code',             en: 'Lines of Code' },        v: '500.000+', tint: '#8b5cf6' },
-]
-
-// ── Star Field ────────────────────────────────────────────────────────────────
-function StarField() {
-  const stars = useMemo(() => {
-    let s = 77
-    const r = () => { s = (s * 9301 + 49297) % 233280; return s / 233280 }
-    return Array.from({ length: 95 }, () => ({ x: r() * 100, y: r() * 100, size: r() * 1.4 + 0.3, op: r() * 0.5 + 0.15 }))
-  }, [])
-  return (
-    <div style={{ position: 'absolute', inset: 0, pointerEvents: 'none' }}>
-      {stars.map((st, i) => (
-        <div key={i} style={{
-          position: 'absolute', left: `${st.x}%`, top: `${st.y}%`,
-          width: st.size, height: st.size, borderRadius: '50%',
-          background: '#fff', opacity: st.op,
-          boxShadow: `0 0 ${st.size * 3}px rgba(180,160,255,.7)`,
-        }} />
-      ))}
-    </div>
-  )
-}
-
-function SoftGrid({ t }: { t: Theme }) {
-  return (
-    <div style={{
-      position: 'absolute', inset: 0, pointerEvents: 'none',
-      backgroundImage: `radial-gradient(${t.accent20} 1px, transparent 1px)`,
-      backgroundSize: '28px 28px',
-      maskImage: 'radial-gradient(ellipse at center, #000 40%, transparent 85%)',
-      WebkitMaskImage: 'radial-gradient(ellipse at center, #000 40%, transparent 85%)',
-      opacity: 0.8,
-    }} />
-  )
-}
-
-// ── Timeline ──────────────────────────────────────────────────────────────────
-interface MilestoneWithPos extends Milestone { x: number; row: 'top' | 'bottom' }
-
-function Timeline({ onSelect, selectedId, t, de }: {
-  onSelect: (m: Milestone) => void
-  selectedId: string | null
-  t: Theme
-  de: boolean
-}) {
-  const trackW = 1160
-  const innerPad = 120
-  const usableW = trackW - innerPad * 2
-  const positions = MILESTONES.map((_, i) => innerPad + (usableW * i) / (MILESTONES.length - 1))
-  const todayX = innerPad + usableW * TODAY_POSITION
-
-  const layout: MilestoneWithPos[] = MILESTONES.map((m, i) => ({
-    ...m, x: positions[i],
-    row: i % 2 === 0 ? 'top' : 'bottom',
-  }))
-
-  const railColor = t.key === 'dark' ? '#a78bfa' : '#7c3aed'
-
-  return (
-    <div style={{ position: 'relative', width: trackW, height: 360, margin: '0 auto' }}>
-      <svg viewBox={`0 0 ${trackW} 360`} preserveAspectRatio="none"
-        style={{ position: 'absolute', inset: 0, width: '100%', height: '100%' }}>
-        <defs>
-          <linearGradient id="msTrackBg" x1="0" x2="1">
-            <stop offset="0"  stopColor={railColor} stopOpacity={t.key === 'dark' ? .18 : .28} />
-            <stop offset=".5" stopColor={railColor} stopOpacity={t.key === 'dark' ? .28 : .38} />
-            <stop offset="1"  stopColor={railColor} stopOpacity={t.key === 'dark' ? .18 : .28} />
-          </linearGradient>
-          <filter id="msGlow" x="-50%" y="-50%" width="200%" height="200%">
-            <feGaussianBlur stdDeviation="3" result="b"/>
-            <feMerge><feMergeNode in="b"/><feMergeNode in="SourceGraphic"/></feMerge>
-          </filter>
-        </defs>
-
-        {/* rail background */}
-        <line x1={innerPad} y1={180} x2={trackW - innerPad} y2={180}
-          stroke="url(#msTrackBg)" strokeWidth="2.5" />
-        {/* past progress */}
-        <line x1={innerPad} y1={180} x2={todayX} y2={180}
-          stroke={t.done} strokeWidth="3" opacity={t.key === 'dark' ? .85 : .9} />
-        {/* future dashed */}
-        <line x1={todayX} y1={180} x2={trackW - innerPad} y2={180}
-          stroke="#f59e0b" strokeWidth="1.75" strokeDasharray="4 5"
-          opacity={t.key === 'dark' ? .6 : .75}
-          style={{ animation: 'msFlow 1.8s linear infinite' }} />
-
-        {/* connector stubs */}
-        {layout.map((m) => (
-          <line key={m.id}
-            x1={m.x} y1={180}
-            x2={m.x} y2={m.row === 'top' ? 154 : 200}
-            stroke={m.done ? t.done : m.tint}
-            strokeOpacity={t.key === 'dark' ? (m.done ? .6 : .55) : (m.done ? .7 : .65)}
-            strokeWidth="1"
-            strokeDasharray={m.done ? '0' : '3 3'} />
-        ))}
-
-        {/* HEUTE marker — circles only; pill is HTML below */}
-        <g transform={`translate(${todayX} 180)`}>
-          <circle r="14" fill={t.accent} opacity=".15" />
-          <circle r="9" fill={t.accent} opacity=".4">
-            <animate attributeName="r" values="9;14;9" dur="2s" repeatCount="indefinite" />
-            <animate attributeName="opacity" values=".4;.05;.4" dur="2s" repeatCount="indefinite" />
-          </circle>
-          <circle r="6" fill={t.heuteCore} stroke={t.accent} strokeWidth="2" filter="url(#msGlow)" />
-        </g>
-      </svg>
-
-      {/* HEUTE pill — HTML so it sits above milestone cards */}
-      <div style={{
-        position: 'absolute',
-        left: todayX - 30, top: 146,
-        width: 60, height: 18,
-        borderRadius: 9,
-        background: t.heutePillBg,
-        border: `1px solid ${t.accent}99`,
-        display: 'flex', alignItems: 'center', justifyContent: 'center',
-        zIndex: 10, pointerEvents: 'none',
-        ...MONO, fontSize: 9.5, letterSpacing: 2.5, fontWeight: 700,
-        color: t.heuteText,
-      }}>HEUTE</div>
-
-      {layout.map((m) => (
-        <MilestoneNode key={m.id} m={m} t={t} de={de}
-          onClick={() => onSelect(m)}
-          active={selectedId === m.id} />
-      ))}
-    </div>
-  )
-}
-
-function MilestoneNode({ m, onClick, active, t, de }: {
-  m: MilestoneWithPos; onClick: () => void; active: boolean; t: Theme; de: boolean
-}) {
-  const [hover, setHover] = useState(false)
-  const lit = hover || active
-  const isTop = m.row === 'top'
-  const cardY = isTop ? 4 : 200
-  const nodeColor = m.done ? t.done : m.tint
-
-  const bgTopA  = lit ? m.tint + t.cardTintTopH  : m.tint + t.cardTintTop
-  const bgMidA  = lit ? m.tint + t.cardTintMidH  : m.tint + t.cardTintMid
-  const cardBg  = `linear-gradient(180deg, ${bgTopA} 0%, ${bgMidA} 55%, ${t.cardBase}${lit ? t.cardBaseAH : t.cardBaseA})`
-  const badge   = m.done ? (de ? 'erledigt' : 'done') : (m.next ? (de ? 'als nächstes' : 'next') : (de ? 'geplant' : 'plan'))
-
-  return (
-    <>
-      {/* dot */}
-      <div
-        onClick={onClick}
-        onMouseEnter={() => setHover(true)}
-        onMouseLeave={() => setHover(false)}
-        style={{
-          position: 'absolute', left: m.x - 14, top: 180 - 14,
-          width: 28, height: 28, borderRadius: '50%',
-          background: m.done
-            ? `radial-gradient(circle at 35% 30%, ${t.doneBright}, ${t.doneSolid} 60%, ${t.doneDeep})`
-            : `radial-gradient(circle at 35% 30%, ${m.tint}dd, ${m.tint}66 60%, ${t.dotTodoDeep})`,
-          border: `2px solid ${lit ? '#fff' : nodeColor}`,
-          boxShadow: lit
-            ? `0 0 22px ${nodeColor}, 0 0 44px ${nodeColor}66, inset 0 1px 0 ${t.dotLitHi}`
-            : `0 0 10px ${nodeColor}88, inset 0 1px 0 ${t.dotSoftHi}`,
-          display: 'flex', alignItems: 'center', justifyContent: 'center',
-          color: '#fff', fontSize: 11, fontWeight: 700,
-          cursor: 'pointer', zIndex: 5,
-          transition: 'all .25s',
-          transform: lit ? 'scale(1.15)' : 'scale(1)',
-        }}>
-        {m.done ? '✓' : (m.next ? '◉' : '○')}
-      </div>
-
-      {/* card */}
-      <div
-        onClick={onClick}
-        onMouseEnter={() => setHover(true)}
-        onMouseLeave={() => setHover(false)}
-        style={{
-          position: 'absolute', left: m.x - 112, top: cardY,
-          width: 224, height: 150, padding: '12px 14px',
-          borderRadius: 12,
-          background: cardBg,
-          border: `1px solid ${lit ? m.tint : m.tint + '55'}`,
-          boxShadow: lit ? t.cardShadowLift(m.tint) : t.cardShadowSoft,
-          cursor: 'pointer', zIndex: 4,
-          transition: 'all .25s',
-          transform: lit ? `translateY(${isTop ? -2 : 2}px)` : 'translateY(0)',
-          display: 'flex', flexDirection: 'column', gap: 6,
-          backdropFilter: t.key === 'light' ? 'blur(6px)' : 'none',
-        }}>
-        <div style={{ display: 'flex', alignItems: 'center', gap: 8 }}>
-          <span style={{
-            ...MONO, fontSize: 10, letterSpacing: 1.5, fontWeight: 700,
-            color: m.done ? t.done : m.tint, textTransform: 'uppercase' as const,
-          }}>{m.tick}</span>
-          <span style={{ flex: 1, height: 1, background: `${m.tint}44` }} />
-          <span style={{
-            ...MONO, fontSize: 9, letterSpacing: 2, fontWeight: 700,
-            color: m.done ? t.done : m.tint, textTransform: 'uppercase' as const, opacity: .85,
-          }}>{badge}</span>
-        </div>
-        <div style={{ fontSize: 13, fontWeight: 700, color: t.fg, letterSpacing: -0.2, lineHeight: 1.25 }}>
-          {de ? m.title.de : m.title.en}
-        </div>
-        <div style={{ fontSize: 10.5, lineHeight: 1.45, color: lit ? t.fgSoft : t.fgMuted, transition: 'color .25s' }}>
-          {de ? m.short.de : m.short.en}
-        </div>
-        <div style={{
-          marginTop: 'auto',
-          display: 'flex', alignItems: 'center', justifyContent: 'space-between',
-          paddingTop: 6, borderTop: `1px dashed ${m.tint}44`,
-        }}>
-          <span style={{ fontSize: 10, color: t.fgFaint }}>{m.when}</span>
-          <span style={{
-            fontSize: 10, color: m.tint, fontWeight: 700,
-            opacity: lit ? 1 : 0.55,
-            transform: `translateX(${lit ? 0 : -4}px)`,
-            transition: 'all .25s',
-          }}>{de ? 'Details →' : 'Details →'}</span>
-        </div>
-      </div>
-    </>
-  )
-}
-
-// ── Stat Card ─────────────────────────────────────────────────────────────────
-function StatCard({ item, t, de }: { item: StatItem; t: Theme; de: boolean }) {
-  const [hover, setHover] = useState(false)
-  const bgTop = hover ? item.tint + t.statTintTopH : item.tint + t.statTintTop
-  const bgMid = item.tint + t.statTintMid
-  return (
-    <div
-      onMouseEnter={() => setHover(true)}
-      onMouseLeave={() => setHover(false)}
-      style={{
-        position: 'relative', padding: '14px 18px', borderRadius: 12,
-        background: `linear-gradient(180deg, ${bgTop} 0%, ${bgMid} 60%, ${t.cardBase}${t.cardBaseA})`,
-        border: `1px solid ${hover ? item.tint : item.tint + '55'}`,
-        boxShadow: hover ? t.statShadowLift(item.tint) : t.statShadowSoft,
-        transform: hover ? 'translateY(-3px)' : 'translateY(0)',
-        transition: 'all .25s',
-        overflow: 'hidden',
-        backdropFilter: t.key === 'light' ? 'blur(6px)' : 'none',
-      }}>
-      <div style={{
-        position: 'absolute', right: 10, top: 10, width: 6, height: 6,
-        borderRadius: '50%', background: item.tint, opacity: .9,
-        boxShadow: `0 0 10px ${item.tint}`,
-      }} />
-      <div style={{ ...MONO, fontSize: 9.5, letterSpacing: 2, color: item.tint, textTransform: 'uppercase' as const, fontWeight: 700, marginBottom: 6 }}>
-        {de ? item.k.de : item.k.en}
-      </div>
-      <div style={{ fontSize: 32, fontWeight: 700, color: t.fg, letterSpacing: -0.8, lineHeight: 1 }}>
-        {item.v}
-      </div>
-      <svg viewBox="0 0 100 16" preserveAspectRatio="none"
-        style={{ width: '100%', height: 14, marginTop: 8, opacity: hover ? 1 : t.sparkOp, transition: 'opacity .25s' }}>
-        <defs>
-          <linearGradient id={`spark-${item.tint.replace('#', '')}`} x1="0" x2="1">
-            <stop offset="0"   stopColor={item.tint} stopOpacity="0" />
-            <stop offset=".5"  stopColor={item.tint} stopOpacity=".9" />
-            <stop offset="1"   stopColor={item.tint} stopOpacity="0" />
-          </linearGradient>
-        </defs>
-        <path d="M 0 10 L 15 8 L 30 11 L 48 6 L 62 9 L 78 4 L 100 2"
-          stroke={`url(#spark-${item.tint.replace('#', '')})`} strokeWidth="1.5" fill="none" />
-      </svg>
-    </div>
-  )
-}
-
-// ── Detail modal ──────────────────────────────────────────────────────────────
-function DetailModal({ item, onClose, t, de }: {
-  item: Milestone | null; onClose: () => void; t: Theme; de: boolean
-}) {
-  useEffect(() => {
-    if (!item) return
-    const onKey = (e: KeyboardEvent) => { if (e.key === 'Escape') onClose() }
-    window.addEventListener('keydown', onKey)
-    return () => window.removeEventListener('keydown', onKey)
-  }, [item, onClose])
-
-  if (!item) return null
-  const tint = item.tint
-  const badge = item.done
-    ? (de ? 'ABGESCHLOSSEN' : 'COMPLETED')
-    : (item.next ? (de ? 'ALS NÄCHSTES' : 'NEXT UP') : (de ? 'GEPLANT' : 'PLANNED'))
-  const badgeColor = item.done ? t.done : tint
-
-  return (
-    <div onClick={onClose} style={{
-      position: 'absolute', inset: 0, zIndex: 50,
-      background: t.modalScrim, backdropFilter: 'blur(8px)',
-      display: 'flex', alignItems: 'center', justifyContent: 'center',
-      animation: 'msFadeIn .2s ease-out',
-    }}>
-      <div onClick={e => e.stopPropagation()} style={{
-        width: 580, maxWidth: '88%',
-        background: `linear-gradient(180deg, ${tint}22 0%, ${t.modalBgMid} 50%, ${t.modalBgLow} 100%)`,
-        border: `1px solid ${tint}77`,
-        borderRadius: 16,
-        boxShadow: t.modalShadow(tint),
-        padding: '24px 28px', color: t.fg,
-        animation: 'msScaleIn .22s ease-out',
-      }}>
-        <div style={{ display: 'flex', alignItems: 'center', gap: 12, marginBottom: 16 }}>
-          <div style={{
-            width: 42, height: 42, borderRadius: 11,
-            background: `linear-gradient(135deg, ${tint}66, ${tint}22)`,
-            border: `1px solid ${tint}`,
-            display: 'flex', alignItems: 'center', justifyContent: 'center',
-            color: t.key === 'light' ? tint : '#fff', fontSize: 17, fontWeight: 700,
-            boxShadow: `0 0 20px ${tint}66`,
-          }}>{item.done ? '✓' : (item.next ? '◉' : '○')}</div>
-          <div style={{ flex: 1 }}>
-            <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 4 }}>
-              <span style={{
-                ...MONO, fontSize: 9.5, letterSpacing: 2.5, color: badgeColor,
-                textTransform: 'uppercase' as const, fontWeight: 700,
-                padding: '2px 8px', borderRadius: 4,
-                background: `${badgeColor}22`, border: `1px solid ${badgeColor}66`,
-              }}>{badge}</span>
-              <span style={{ ...MONO, fontSize: 10, color: t.fgFaint }}>{item.when}</span>
-            </div>
-            <div style={{ fontSize: 20, fontWeight: 700, color: t.fg, letterSpacing: -0.3 }}>
-              {de ? item.title.de : item.title.en}
-            </div>
-          </div>
-          <button onClick={onClose} style={{
-            background: 'transparent', border: `1px solid ${tint}66`, color: t.fg,
-            width: 32, height: 32, borderRadius: 8, cursor: 'pointer', fontSize: 14,
-          }}>✕</button>
-        </div>
-        <div style={{ fontSize: 13, lineHeight: 1.6, color: t.fgSoft, marginBottom: 16 }}>
-          {de ? item.body.de : item.body.en}
-        </div>
-        <div style={{ display: 'flex', flexDirection: 'column', gap: 8 }}>
-          {(de ? item.bullets.de : item.bullets.en).map((b, i) => (
-            <div key={i} style={{
-              display: 'flex', alignItems: 'flex-start', gap: 10,
-              padding: '9px 13px', borderRadius: 8,
-              background: t.bulletBg, border: `1px solid ${tint}44`,
-            }}>
-              <span style={{ color: item.done ? t.done : tint, fontSize: 12, marginTop: 1 }}>
-                {item.done ? '✓' : '▸'}
-              </span>
-              <span style={{ fontSize: 12, lineHeight: 1.5, color: t.fgSoft }}>{b}</span>
-            </div>
-          ))}
-        </div>
-      </div>
-    </div>
-  )
-}
-
 // ── Inner slide (fixed 1280×680) ──────────────────────────────────────────────
 function MilestonesInner({ t, de, sel, setSel }: {
-  t: Theme; de: boolean
+  t: typeof THEMES.dark; de: boolean
   sel: Milestone | null
   setSel: (m: Milestone | null) => void
 }) {
diff --git a/pitch-deck/components/slides/USPSlide.data.ts b/pitch-deck/components/slides/USPSlide.data.ts
new file mode 100644
index 0000000..0e76f82
--- /dev/null
+++ b/pitch-deck/components/slides/USPSlide.data.ts
@@ -0,0 +1,119 @@
+// USPSlide data — extracted from USPSlide.tsx
+
+export interface DetailItem {
+  tint: string
+  icon: string
+  kicker: string
+  title: string
+  body: string
+  bullets?: string[]
+  stat?: { k: string; v: string }
+}
+
+export function getDetails(de: boolean): Record<string, DetailItem> {
+  return {
+    rfq: {
+      tint: '#a78bfa', icon: '\u21C4',
+      kicker: de ? 'S\u00e4ule \u00b7 Compliance' : 'Pillar \u00b7 Compliance',
+      title: de ? 'RFQ-Pr\u00fcfung' : 'RFQ Verification',
+      body: de
+        ? 'Kunden-Anforderungsdokumente werden automatisch gegen den aktuellen Source-Code gepr\u00fcft. Abweichungen werden erkannt, \u00c4nderungen vorgeschlagen und auf Wunsch direkt im Code umgesetzt \u2014 ohne manuelles Nacharbeiten.'
+        : 'Customer requirement documents are automatically verified against current source code. Deviations are detected, changes proposed and implemented directly in code on request \u2014 no manual rework needed.',
+      bullets: de
+        ? ['Klauseln automatisch gegen SBOM, SAST-Findings und Policy-Docs abgeglichen', 'L\u00fccken mit konkreten Implementierungsvorschl\u00e4gen markiert', 'RFQ-Antworten in Stunden statt Wochen']
+        : ['Auto-match clauses against SBOM, SAST findings and policy docs', 'Flag gaps with concrete implementation proposals', 'Win-ready RFQ replies in hours, not weeks'],
+      stat: { k: de ? '\u00d8 Antwortzeit' : 'avg response time', v: de ? '4,2h (war 12 Tage)' : '4.2h  (was 12 days)' },
+    },
+    process: {
+      tint: '#c084fc', icon: '\u27F2',
+      kicker: de ? 'S\u00e4ule \u00b7 Compliance' : 'Pillar \u00b7 Compliance',
+      title: de ? 'Prozess-Compliance' : 'Process Compliance',
+      body: de
+        ? 'Vom Audit-Finding \u00fcber das Ticket bis zur Code-\u00c4nderung l\u00e4uft der gesamte Prozess automatisiert durch. Rollen, Fristen und Eskalation werden End-to-End verwaltet. Nachweise werden automatisch generiert und archiviert.'
+        : 'From audit finding to ticket to code change, the entire process runs automatically. Roles, deadlines and escalation are managed end-to-end. Evidence is automatically generated and archived.',
+      bullets: de
+        ? ['Finding \u2192 Ticket \u2192 PR \u2192 Nachweis in einem Thread', 'SLA-Tracking pro Control mit Auto-Eskalation', 'Unver\u00e4nderliches Audit-Log, pro \u00c4nderung signiert']
+        : ['Finding \u2192 ticket \u2192 PR \u2192 evidence in one thread', 'SLA tracking per control with auto-escalation', 'Immutable audit log signed per change'],
+      stat: { k: de ? 'automatisierte Prozessschritte' : 'process steps automated', v: '87%' },
+    },
+    bidir: {
+      tint: '#fbbf24', icon: '\u27F7',
+      kicker: de ? 'S\u00e4ule \u00b7 Code' : 'Pillar \u00b7 Code',
+      title: de ? 'Bidirektional' : 'Bidirectional Sync',
+      body: de
+        ? 'Compliance-Anforderungen fliessen direkt in den Code. Umgekehrt aktualisieren Code-\u00c4nderungen automatisch die Compliance-Dokumentation. Beide Seiten sind immer synchron \u2014 kein Informationsverlust zwischen Audit und Entwicklung.'
+        : 'Compliance requirements flow directly into code. Conversely, code changes automatically update compliance documentation. Both sides always stay in sync \u2014 no information loss between audit and development.',
+      bullets: de
+        ? ['Policy \u2194 Code-Mapping via semantischem Diff', 'Git-nativ: jede \u00c4nderung als PR', 'Zero Drift zwischen Audit-Artefakten und Realit\u00e4t']
+        : ['Policy \u2194 code mapping via semantic diff', 'Git-native: every change shipped as a PR', 'Zero drift between audit artefacts and reality'],
+      stat: { k: de ? 'Drift-Vorf\u00e4lle' : 'drift incidents', v: de ? '0 seit M\u00e4rz 2024' : '0 since Mar-2024' },
+    },
+    cont: {
+      tint: '#f59e0b', icon: '\u25CE',
+      kicker: de ? 'S\u00e4ule \u00b7 Code' : 'Pillar \u00b7 Code',
+      title: de ? 'Kontinuierlich' : 'Continuous, Not Yearly',
+      body: de
+        ? 'Klassische Compliance pr\u00fcft einmal im Jahr und hofft auf das Beste. Unsere Plattform pr\u00fcft bei jeder Code-\u00c4nderung. Findings werden sofort zu Tickets mit konkreten Implementierungsvorschl\u00e4gen im Issue-Tracker der Wahl.'
+        : 'Traditional compliance checks once a year and hopes for the best. Our platform checks on every code change. Findings immediately become tickets with concrete implementation proposals in the issue tracker of choice.',
+      bullets: de
+        ? ['CI-integrierte Validierung bei jedem Push', 'Fix-Vorschl\u00e4ge generiert, nicht nur gemeldet', 'Compliance-Frische: Minuten statt Monate']
+        : ['CI-integrated validation on each push', 'Fix suggestions generated, not just reported', 'Compliance freshness: minutes, not months'],
+      stat: { k: de ? 'Validierungen / Tag' : 'validations / day', v: '~2.400 / repo' },
+    },
+    trace: {
+      tint: '#a78bfa', icon: '\u21C4',
+      kicker: de ? 'Under the Hood' : 'Under the Hood',
+      title: de ? 'End-to-End R\u00fcckverfolgbarkeit' : 'End-to-End Traceability',
+      body: de
+        ? 'Regulatorische Anforderungen (Gesetz \u2192 Obligation \u2192 Control) deterministisch mit realem Systemzustand und Code verkn\u00fcpft \u2014 inklusive revisionssicherem Evidence-Layer.'
+        : 'Regulatory requirements (law \u2192 obligation \u2192 control) deterministically linked to real system state and code \u2014 including audit-proof evidence layer.',
+      bullets: de
+        ? ['Versionierter Evidence-Chain, unver\u00e4nderlich gespeichert', 'Ein Klick von Klausel bis Codezeile', 'Signierte Attestierungen pro Build']
+        : ['Versioned evidence chain stored immutably', 'One-click drill from clause to line of code', 'Signed attestations per build'],
+    },
+    engine: {
+      tint: '#c084fc', icon: '\u25C9',
+      kicker: de ? 'Under the Hood' : 'Under the Hood',
+      title: de ? 'Continuous Compliance Engine' : 'Continuous Compliance Engine',
+      body: de
+        ? 'Statt punktueller Audits: Validierung bei jeder \u00c4nderung (Code, Infrastruktur, Prozesse) mit auditierbaren Nachweisen in Echtzeit.'
+        : 'Instead of point-in-time audits: validation on every change (code, infrastructure, processes) with auditable evidence in real time.',
+      bullets: de
+        ? ['Rule-Packs pro Framework (NIS-2, DORA, \u2026)', 'Verarbeitet Code, IaC und Prozess-Events', 'Findings automatisch ans richtige Team geroutet']
+        : ['Rule packs per framework (NIS-2, DORA, \u2026)', 'Handles code, infra-as-code, and process events', 'Findings routed to the right team automatically'],
+    },
+    opt: {
+      tint: '#fbbf24', icon: '\u2726',
+      kicker: de ? 'Under the Hood' : 'Under the Hood',
+      title: de ? 'Compliance Optimizer' : 'Compliance Optimizer',
+      body: de
+        ? 'Nicht nur \u201eerlaubt/verboten\u201c, sondern die maximal zul\u00e4ssige Ausgestaltung jedes KI-Use-Cases. Deterministische Constraint-Optimierung zeigt den Sweet Spot zwischen Regulierung und Innovation \u2014 ersetzt 20\u2013200k EUR Anwaltskosten.'
+        : 'Not just "allowed/forbidden" but the maximum permissible configuration of every AI use case. Deterministic constraint optimization shows the sweet spot between regulation and innovation \u2014 replaces EUR 20\u2013200k in legal fees.',
+      bullets: de
+        ? ['ROI-Ranking jedes offenen Findings', 'Abw\u00e4gung zwischen Liefergeschwindigkeit und Restrisiko', 'Low-Hanging-Wins zuerst']
+        : ['ROI-ranks every open finding', 'Balances speed of delivery with residual risk', 'Highlights low-hanging wins first'],
+    },
+    stack: {
+      tint: '#f59e0b', icon: '\u25CE',
+      kicker: de ? 'Under the Hood' : 'Under the Hood',
+      title: de ? 'EU-Trust & Governance Stack' : 'EU Trust & Governance Stack',
+      body: de
+        ? 'Souver\u00e4ne, DSGVO-/AI-Act-konforme Architektur (EU-Hosting, Isolation, Betriebsrat-F\u00e4higkeit) \u2014 Marktzugang, den US-L\u00f6sungen strukturell nicht erreichen.'
+        : 'Sovereign, GDPR/AI Act compliant architecture (EU hosting, isolation, works council capability) \u2014 market access that US solutions structurally cannot achieve.',
+      bullets: de
+        ? ['DSGVO \u00b7 NIS-2 \u00b7 DORA \u00b7 EU AI Act \u00b7 ISO 27001 \u00b7 BSI C5', 'EU-souver\u00e4nes Hosting und Key-Management', 'Eine Plattform, ein Audit, eine Rechnung']
+        : ['DSGVO \u00b7 NIS-2 \u00b7 DORA \u00b7 EU AI Act \u00b7 ISO 27001 \u00b7 BSI C5', 'EU-sovereign hosting and key-management', 'One platform, one audit, one bill'],
+    },
+    hub: {
+      tint: '#a78bfa', icon: '\u221E',
+      kicker: de ? 'Die Schleife' : 'The Loop',
+      title: de ? 'Compliance \u2194 Code \u00b7 Immer in Sync' : 'Compliance \u2194 Code \u00b7 Always in sync',
+      body: de
+        ? 'Die Plattform ist eine einzige geschlossene Schleife. Jede Policy-\u00c4nderung fliesst in den Code; jede Code-\u00c4nderung fliesst in die Policy zur\u00fcck.'
+        : 'The platform is a single closed loop. Every policy change ripples into code; every code change ripples back into policy. That\'s the USP in one diagram.',
+      bullets: de
+        ? ['Single Source of Truth, zwei Oberfl\u00e4chen', 'Echtzeit-Sync, kein Batch-Abgleich', 'Auditoren, Entwickler und Sales fragen denselben Graphen ab']
+        : ['Single source of truth, two surfaces', 'Real-time sync, not batch reconciliation', 'Auditors, engineers and sales all query the same graph'],
+    },
+  }
+}
diff --git a/pitch-deck/components/slides/USPSlide.parts.tsx b/pitch-deck/components/slides/USPSlide.parts.tsx
new file mode 100644
index 0000000..d2eb273
--- /dev/null
+++ b/pitch-deck/components/slides/USPSlide.parts.tsx
@@ -0,0 +1,370 @@
+'use client'
+
+import { useState, useEffect, useRef, useMemo } from 'react'
+import { motion, AnimatePresence } from 'framer-motion'
+import { X } from 'lucide-react'
+import { type DetailItem } from './USPSlide.data'
+
+const MONO: React.CSSProperties = {
+  fontFamily: '"JetBrains Mono","SF Mono",ui-monospace,monospace',
+  fontVariantNumeric: 'tabular-nums',
+}
+
+// ── Light mode hook
+export function useIsLight() {
+  const [isLight, setIsLight] = useState(false)
+  useEffect(() => {
+    const check = () => setIsLight(document.documentElement.classList.contains('theme-light'))
+    check()
+    const obs = new MutationObserver(check)
+    obs.observe(document.documentElement, { attributes: true, attributeFilter: ['class'] })
+    return () => obs.disconnect()
+  }, [])
+  return isLight
+}
+
+// ── Ticker
+function useTicker(fn: () => void, min = 180, max = 420, skip = 0.1) {
+  const ref = useRef(fn)
+  ref.current = fn
+  useEffect(() => {
+    let t: ReturnType<typeof setTimeout>
+    const loop = () => {
+      if (Math.random() > skip) ref.current()
+      t = setTimeout(loop, min + Math.random() * (max - min))
+    }
+    loop()
+    return () => clearTimeout(t)
+  }, [min, max, skip])
+}
+
+function TickerShell({ tint, isLight, children }: { tint: string; isLight: boolean; children: React.ReactNode }) {
+  return (
+    <div style={{
+      ...MONO, marginTop: 10, padding: '5px 9px',
+      background: isLight ? '#f1f5f9' : 'rgba(0,0,0,.38)',
+      border: `1px solid ${tint}55`,
+      borderRadius: 6, fontSize: 10.5,
+      color: isLight ? '#475569' : 'rgba(236,233,247,.88)',
+      display: 'flex', alignItems: 'center', gap: 7,
+      whiteSpace: 'nowrap', overflow: 'hidden', height: 22,
+    }}>{children}</div>
+  )
+}
+
+export function TickTrace({ tint, isLight }: { tint: string; isLight: boolean }) {
+  const [n, setN] = useState(12748)
+  useTicker(() => setN(v => v + 1 + Math.floor(Math.random() * 3)), 250, 500)
+  return (
+    <TickerShell tint={tint} isLight={isLight}>
+      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
+      <span style={{ color: tint, opacity: .85 }}>trace</span>
+      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{n.toLocaleString()}</span>
+      <span style={{ color: isLight ? '#94a3b8' : 'rgba(236,233,247,.45)' }}>evidence-chain</span>
+    </TickerShell>
+  )
+}
+
+export function TickEngine({ tint, isLight }: { tint: string; isLight: boolean }) {
+  const [v, setV] = useState(428)
+  const [rate, setRate] = useState(99.4)
+  useTicker(() => {
+    setV(x => x + 1 + Math.floor(Math.random() * 4))
+    setRate(r => Math.max(97, Math.min(99.9, r + (Math.random() - 0.5) * 0.3)))
+  }, 220, 420)
+  return (
+    <TickerShell tint={tint} isLight={isLight}>
+      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
+      <span style={{ color: tint, opacity: .85 }}>validate</span>
+      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{v.toLocaleString()}</span>
+      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>{rate.toFixed(1)}%</span>
+    </TickerShell>
+  )
+}
+
+export function TickOptimizer({ tint, isLight }: { tint: string; isLight: boolean }) {
+  const ops = ['ROI: 2.418 € / dev', 'gap → policy §4.2', 'dedup 128 tickets', 'sweet-spot: 22 KLOC', 'tradeoff: speed↔risk']
+  const [i, setI] = useState(0)
+  useTicker(() => setI(x => (x + 1) % ops.length), 900, 1600, 0.05)
+  return (
+    <TickerShell tint={tint} isLight={isLight}>
+      <span style={{ color: '#fbbf24' }}>✦</span>
+      <span style={{ color: tint, opacity: .85 }}>optimize</span>
+      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', overflow: 'hidden', textOverflow: 'ellipsis', flex: 1 }}>{ops[i]}</span>
+    </TickerShell>
+  )
+}
+
+export function TickStack({ tint, isLight }: { tint: string; isLight: boolean }) {
+  const regs = ['DSGVO', 'NIS-2', 'DORA', 'EU AI Act', 'ISO 27001', 'BSI C5']
+  const [i, setI] = useState(0)
+  const [c, setC] = useState(1208)
+  useTicker(() => { setI(x => (x + 1) % regs.length); setC(v => v + Math.floor(Math.random() * 3)) }, 800, 1400, 0.05)
+  return (
+    <TickerShell tint={tint} isLight={isLight}>
+      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
+      <span style={{ color: tint, opacity: .85 }}>check</span>
+      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{regs[i]}</span>
+      <span style={{ color: isLight ? '#94a3b8' : 'rgba(236,233,247,.4)' }}>·</span>
+      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc' }}>{c.toLocaleString()}</span>
+    </TickerShell>
+  )
+}
+
+// ── Pillar row
+export function PillarRow({ side, title, body, tint, onClick, active, isLight }: {
+  side: 'left' | 'right'; title: string; body: string; tint: string
+  onClick: () => void; active: boolean; isLight: boolean
+}) {
+  const [hover, setHover] = useState(false)
+  const lit = hover || active
+  const isLeft = side === 'left'
+  return (
+    <div onClick={onClick} onMouseEnter={() => setHover(true)} onMouseLeave={() => setHover(false)}
+      style={{
+        display: 'flex', alignItems: 'flex-start', gap: 12,
+        flexDirection: isLeft ? 'row-reverse' : 'row',
+        textAlign: isLeft ? 'right' : 'left',
+        padding: '10px 14px', borderRadius: 10, cursor: 'pointer',
+        transition: 'transform .25s, background .25s, box-shadow .25s',
+        background: lit ? `linear-gradient(${isLeft ? '270deg' : '90deg'}, ${tint}24 0%, ${tint}0a 70%, transparent 100%)` : 'transparent',
+        boxShadow: lit ? `0 10px 30px ${tint}26, inset 0 0 0 1px ${tint}44` : 'inset 0 0 0 1px transparent',
+        transform: lit ? (isLeft ? 'translateX(-3px)' : 'translateX(3px)') : 'translateX(0)',
+      }}>
+      <div style={{
+        flex: '0 0 30px', width: 30, height: 30, borderRadius: 9,
+        background: lit ? `${tint}3a` : `${tint}22`, border: `1px solid ${lit ? tint : tint + '66'}`,
+        display: 'flex', alignItems: 'center', justifyContent: 'center',
+        color: lit ? (isLight ? tint : '#fff') : tint, fontSize: 13, fontWeight: 700, marginTop: 2,
+        boxShadow: lit ? `0 0 14px ${tint}88, inset 0 1px 0 ${tint}80` : `inset 0 1px 0 ${tint}50`,
+        transition: 'all .25s',
+      }}>◆</div>
+      <div style={{ flex: 1, minWidth: 0 }}>
+        <div style={{
+          fontSize: 13, fontWeight: 700, color: isLight ? '#1a1a2e' : '#f7f5fc',
+          letterSpacing: -0.15, marginBottom: 3,
+          display: 'flex', alignItems: 'center', gap: 6,
+          justifyContent: isLeft ? 'flex-end' : 'flex-start',
+        }}>
+          <span>{title}</span>
+          <span style={{ fontSize: 10, color: tint, opacity: lit ? 1 : 0, transform: `translateX(${lit ? 0 : (isLeft ? 4 : -4)}px)`, transition: 'all .25s' }}>{isLeft ? '\u2039' : '\u203A'}</span>
+        </div>
+        <div style={{
+          fontSize: 11, lineHeight: 1.55,
+          color: isLight ? `rgba(71,85,105,${lit ? 1 : .78})` : `rgba(236,233,247,${lit ? .82 : .62})`,
+          transition: 'color .25s',
+        }}>{body}</div>
+      </div>
+    </div>
+  )
+}
+
+// ── Column header
+export function ColHeader({ side, label, color, icon, sub, isLight }: {
+  side: 'left' | 'right'; label: string; color: string; icon: string; sub: string; isLight: boolean
+}) {
+  const isLeft = side === 'left'
+  return (
+    <div style={{
+      display: 'flex', alignItems: 'center', gap: 10,
+      flexDirection: isLeft ? 'row-reverse' : 'row',
+      paddingBottom: 10, borderBottom: `1px solid ${color}35`,
+    }}>
+      <div style={{
+        width: 34, height: 34, borderRadius: 9,
+        background: `linear-gradient(135deg, ${color}55, ${color}20)`,
+        border: `1px solid ${color}88`,
+        display: 'flex', alignItems: 'center', justifyContent: 'center',
+        color: isLight ? color : '#fff', fontSize: 15, fontWeight: 700,
+        boxShadow: `0 0 18px ${color}55, inset 0 1px 0 ${color}aa`,
+      }}>{icon}</div>
+      <div>
+        <div style={{ fontSize: 18, fontWeight: 700, color: isLight ? '#1a1a2e' : '#f7f5fc', letterSpacing: -0.3, lineHeight: 1 }}>{label}</div>
+        <div style={{ ...MONO, fontSize: 9.5, letterSpacing: 2, color, opacity: .75, marginTop: 3, textTransform: 'uppercase' as const }}>{sub}</div>
+      </div>
+    </div>
+  )
+}
+
+// ── Central hub
+export function CentralHub({ caption, isLight }: { caption: string; isLight: boolean }) {
+  return (
+    <div style={{ position: 'relative', width: 260, height: 320, display: 'flex', alignItems: 'center', justifyContent: 'center' }}>
+      <div style={{
+        position: 'relative', width: 120, height: 120, borderRadius: '50%',
+        background: 'radial-gradient(circle at 32% 28%, #f0e9ff 0%, #c4aaff 26%, #7b5cd6 58%, #2a1560 100%)',
+        border: '1.5px solid rgba(216,202,255,.7)',
+        display: 'flex', alignItems: 'center', justifyContent: 'center',
+        boxShadow: isLight
+          ? '0 0 30px rgba(167,139,250,.4), 0 0 60px rgba(167,139,250,.15), inset 0 3px 0 rgba(255,255,255,.5), inset 0 -8px 14px rgba(0,0,0,.2)'
+          : '0 0 50px rgba(167,139,250,.65), 0 0 100px rgba(167,139,250,.25), inset 0 3px 0 rgba(255,255,255,.35), inset 0 -8px 14px rgba(0,0,0,.35)',
+        animation: isLight ? 'uspPulseLight 2.6s ease-in-out infinite' : 'uspPulse 2.6s ease-in-out infinite',
+        zIndex: 3,
+      }}>
+        <div style={{ position: 'absolute', inset: -14, borderRadius: '50%', border: `1px dashed ${isLight ? 'rgba(167,139,250,.5)' : 'rgba(216,202,255,.42)'}`, animation: 'uspSpin 14s linear infinite' }} />
+        <div style={{ position: 'absolute', inset: -30, borderRadius: '50%', border: `1px dashed ${isLight ? 'rgba(167,139,250,.3)' : 'rgba(216,202,255,.2)'}`, animation: 'uspSpin 22s linear infinite reverse' }} />
+        <svg width="54" height="26" viewBox="0 0 54 26" fill="none" stroke="#fff" strokeWidth="2.8" strokeLinecap="round" strokeLinejoin="round" style={{ filter: 'drop-shadow(0 1px 3px rgba(0,0,0,.5))' }}>
+          <path d="M 10 13 C 10 5, 22 5, 27 13 C 32 21, 44 21, 44 13 C 44 5, 32 5, 27 13 C 22 21, 10 21, 10 13 Z" />
+        </svg>
+      </div>
+      <div style={{
+        position: 'absolute', left: 0, right: 0, bottom: 24, textAlign: 'center',
+        ...MONO, fontSize: 9.5, letterSpacing: 2.5,
+        color: isLight ? 'rgba(109,77,194,.75)' : 'rgba(216,202,255,.75)',
+        textTransform: 'uppercase' as const, fontWeight: 600,
+      }}>{caption}</div>
+    </div>
+  )
+}
+
+// ─�� Bridge SVG connectors
+export function BridgeConnectors({ isLight }: { isLight: boolean }) {
+  const rfpY = 130; const sub2Y = 250; const hubCx = 500; const hubR = 72
+  return (
+    <svg viewBox="0 0 1000 400" preserveAspectRatio="none" style={{ position: 'absolute', inset: 0, width: '100%', height: '100%', pointerEvents: 'none', zIndex: 1 }}>
+      <defs>
+        <linearGradient id="uspFromL" x1="0" x2="1"><stop offset="0" stopColor="#a78bfa" stopOpacity="0" /><stop offset=".3" stopColor="#a78bfa" stopOpacity={isLight ? '.6' : '.85'} /><stop offset="1" stopColor="#c084fc" stopOpacity={isLight ? '.2' : '.3'} /></linearGradient>
+        <linearGradient id="uspToR" x1="0" x2="1"><stop offset="0" stopColor="#c084fc" stopOpacity={isLight ? '.2' : '.3'} /><stop offset=".7" stopColor="#fbbf24" stopOpacity={isLight ? '.6' : '.85'} /><stop offset="1" stopColor="#fbbf24" stopOpacity="0" /></linearGradient>
+      </defs>
+      <line x1="40" y1={rfpY} x2={hubCx - hubR} y2={rfpY} stroke="url(#uspFromL)" strokeWidth="2" strokeDasharray="4 5" style={{ animation: 'uspFlowR 1.6s linear infinite' }} />
+      <line x1={hubCx + hubR} y1={rfpY} x2="960" y2={rfpY} stroke="url(#uspToR)" strokeWidth="2" strokeDasharray="4 5" style={{ animation: 'uspFlowR 1.6s linear infinite' }} />
+      <line x1="40" y1={sub2Y} x2={hubCx - hubR} y2={sub2Y} stroke="url(#uspFromL)" strokeWidth="2" strokeDasharray="4 5" style={{ animation: 'uspFlowR 1.6s linear infinite' }} />
+      <line x1={hubCx + hubR} y1={sub2Y} x2="960" y2={sub2Y} stroke="url(#uspToR)" strokeWidth="2" strokeDasharray="4 5" style={{ animation: 'uspFlowR 1.6s linear infinite' }} />
+      {([rfpY, sub2Y] as number[]).map(y => (
+        <g key={y}>
+          <circle cx={hubCx - hubR} cy={y} r="4" fill={isLight ? '#eef2ff' : '#1a0f34'} stroke="#a78bfa" strokeWidth="1.2" />
+          <circle cx={hubCx - hubR} cy={y} r="1.5" fill="#a78bfa" />
+          <circle cx={hubCx + hubR} cy={y} r="4" fill={isLight ? '#eef2ff' : '#1a0f34'} stroke="#fbbf24" strokeWidth="1.2" />
+          <circle cx={hubCx + hubR} cy={y} r="1.5" fill="#fbbf24" />
+        </g>
+      ))}
+      <circle r="3" fill="#c4aaff" style={{ filter: 'drop-shadow(0 0 6px #a78bfa)' }}>
+        <animate attributeName="cx" from="40" to="960" dur="3.5s" repeatCount="indefinite" />
+        <animate attributeName="cy" values={`${rfpY};${rfpY}`} dur="3.5s" repeatCount="indefinite" />
+      </circle>
+      <circle r="3" fill="#fde68a" style={{ filter: 'drop-shadow(0 0 6px #fbbf24)' }}>
+        <animate attributeName="cx" from="960" to="40" dur="3.5s" repeatCount="indefinite" />
+        <animate attributeName="cy" values={`${sub2Y};${sub2Y}`} dur="3.5s" repeatCount="indefinite" />
+      </circle>
+    </svg>
+  )
+}
+
+// ── Feature card
+export function FeatureCard({ icon, title, body, tint, Ticker, onClick, active, isLight }: {
+  icon: string; title: string; body: string; tint: string
+  Ticker: React.ComponentType<{ tint: string; isLight: boolean }>
+  onClick: () => void; active: boolean; isLight: boolean
+}) {
+  const [hover, setHover] = useState(false)
+  const lit = hover || active
+  return (
+    <div onClick={onClick} onMouseEnter={() => setHover(true)} onMouseLeave={() => setHover(false)}
+      style={{
+        position: 'relative', padding: '13px 15px',
+        background: isLight
+          ? lit ? `linear-gradient(180deg, ${tint}18 0%, ${tint}08 55%, rgba(248,250,252,.95) 100%)` : 'linear-gradient(180deg, #ffffff, #f8fafc)'
+          : `linear-gradient(180deg, ${tint}${lit ? '2a' : '1a'} 0%, ${tint}07 55%, rgba(14,8,28,.85) 100%)`,
+        border: `1px solid ${lit ? tint : isLight ? 'rgba(0,0,0,.1)' : tint + '4a'}`,
+        borderRadius: 12,
+        boxShadow: lit ? `0 18px 40px ${tint}33, 0 0 0 1px ${tint}66, inset 0 1px 0 ${tint}60` : isLight ? '0 2px 8px rgba(0,0,0,.08), inset 0 1px 0 rgba(255,255,255,.8)' : `0 10px 24px rgba(0,0,0,.4), inset 0 1px 0 ${tint}35`,
+        minWidth: 0, cursor: 'pointer',
+        transform: lit ? 'translateY(-3px)' : 'translateY(0)',
+        transition: 'transform .25s, box-shadow .25s, background .25s, border-color .25s',
+      }}>
+      <div style={{ display: 'flex', alignItems: 'center', gap: 8, marginBottom: 6 }}>
+        <span style={{
+          width: 22, height: 22, borderRadius: 6,
+          background: lit ? `${tint}44` : `${tint}22`, border: `1px solid ${lit ? tint : tint + '66'}`,
+          display: 'inline-flex', alignItems: 'center', justifyContent: 'center',
+          color: lit ? (isLight ? tint : '#fff') : tint, fontSize: 12,
+          boxShadow: lit ? `0 0 12px ${tint}88` : 'none', transition: 'all .25s',
+        }}>{icon}</span>
+        <span style={{ fontSize: 12.5, fontWeight: 700, color: isLight ? '#1a1a2e' : '#f7f5fc', letterSpacing: -0.15, flex: 1 }}>{title}</span>
+        <span style={{ fontSize: 10, color: tint, opacity: lit ? 1 : 0.5, transform: `translateX(${lit ? 0 : -3}px)`, transition: 'all .25s' }}>↗</span>
+      </div>
+      <div style={{
+        fontSize: 11, lineHeight: 1.45,
+        color: isLight ? `rgba(71,85,105,${lit ? 1 : .78})` : `rgba(236,233,247,${lit ? .82 : .65})`,
+        transition: 'color .25s',
+      }}>{body}</div>
+      <Ticker tint={tint} isLight={isLight} />
+    </div>
+  )
+}
+
+// ── Detail modal
+export function DetailModal({ item, onClose, isLight }: { item: DetailItem | null; onClose: () => void; isLight: boolean }) {
+  useEffect(() => {
+    if (!item) return
+    const onKey = (e: KeyboardEvent) => { if (e.key === 'Escape') onClose() }
+    window.addEventListener('keydown', onKey)
+    return () => window.removeEventListener('keydown', onKey)
+  }, [item, onClose])
+
+  return (
+    <AnimatePresence>
+      {item && (
+        <motion.div initial={{ opacity: 0 }} animate={{ opacity: 1 }} exit={{ opacity: 0 }} transition={{ duration: 0.2 }}
+          onClick={onClose}
+          style={{ position: 'absolute', inset: 0, zIndex: 50, background: isLight ? 'rgba(240,244,255,.72)' : 'rgba(5,2,16,.72)', backdropFilter: 'blur(6px)', display: 'flex', alignItems: 'center', justifyContent: 'center' }}>
+          <motion.div initial={{ opacity: 0, scale: 0.94 }} animate={{ opacity: 1, scale: 1 }} exit={{ opacity: 0, scale: 0.94 }} transition={{ duration: 0.22 }}
+            onClick={e => e.stopPropagation()}
+            style={{
+              width: 560, maxWidth: '88%',
+              background: isLight ? `linear-gradient(180deg, ${item.tint}10 0%, rgba(255,255,255,.98) 50%, rgba(248,250,252,.99) 100%)` : `linear-gradient(180deg, ${item.tint}18 0%, rgba(20,10,40,.96) 50%, rgba(14,8,28,.98) 100%)`,
+              border: `1px solid ${item.tint}${isLight ? '44' : '66'}`, borderRadius: 16,
+              boxShadow: isLight ? `0 20px 60px rgba(0,0,0,.12), 0 0 40px ${item.tint}18, inset 0 1px 0 rgba(255,255,255,.9)` : `0 30px 80px rgba(0,0,0,.6), 0 0 60px ${item.tint}33, inset 0 1px 0 ${item.tint}55`,
+              padding: '22px 26px', color: isLight ? '#1a1a2e' : '#ece9f7',
+            }}>
+            <div style={{ display: 'flex', alignItems: 'center', gap: 12, marginBottom: 14 }}>
+              <div style={{ width: 38, height: 38, borderRadius: 10, background: `linear-gradient(135deg, ${item.tint}66, ${item.tint}22)`, border: `1px solid ${item.tint}`, display: 'flex', alignItems: 'center', justifyContent: 'center', color: isLight ? item.tint : '#fff', fontSize: 16, fontWeight: 700, boxShadow: `0 0 18px ${item.tint}66` }}>{item.icon}</div>
+              <div style={{ flex: 1 }}>
+                <div style={{ ...MONO, fontSize: 9.5, letterSpacing: 2.5, color: item.tint, textTransform: 'uppercase' as const, fontWeight: 600, marginBottom: 2 }}>{item.kicker}</div>
+                <div style={{ fontSize: 19, fontWeight: 700, color: isLight ? '#1a1a2e' : '#f7f5fc', letterSpacing: -0.3 }}>{item.title}</div>
+              </div>
+              <button onClick={onClose} style={{ background: 'transparent', border: `1px solid ${item.tint}55`, borderRadius: 8, cursor: 'pointer', width: 30, height: 30, display: 'flex', alignItems: 'center', justifyContent: 'center', color: isLight ? '#64748b' : 'rgba(236,233,247,.6)' }}>
+                <X style={{ width: 14, height: 14 }} />
+              </button>
+            </div>
+            <div style={{ fontSize: 13, lineHeight: 1.6, color: isLight ? '#475569' : 'rgba(236,233,247,.82)', marginBottom: 16 }}>{item.body}</div>
+            {item.bullets && (
+              <div style={{ display: 'flex', flexDirection: 'column', gap: 8, marginBottom: 14 }}>
+                {item.bullets.map((b, i) => (
+                  <div key={i} style={{ display: 'flex', alignItems: 'flex-start', gap: 10, padding: '8px 12px', borderRadius: 8, background: isLight ? 'rgba(0,0,0,.04)' : 'rgba(0,0,0,.3)', border: `1px solid ${item.tint}${isLight ? '22' : '33'}` }}>
+                    <span style={{ color: item.tint, fontSize: 12, marginTop: 1 }}>▸</span>
+                    <span style={{ fontSize: 12, lineHeight: 1.5, color: isLight ? '#475569' : 'rgba(236,233,247,.78)' }}>{b}</span>
+                  </div>
+                ))}
+              </div>
+            )}
+            {item.stat && (
+              <div style={{ ...MONO, padding: '10px 14px', borderRadius: 8, background: isLight ? 'rgba(0,0,0,.04)' : 'rgba(0,0,0,.45)', border: `1px solid ${item.tint}${isLight ? '33' : '55'}`, fontSize: 12, color: isLight ? '#475569' : 'rgba(236,233,247,.9)', display: 'flex', alignItems: 'center', gap: 10 }}>
+                <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
+                <span style={{ color: item.tint }}>{item.stat.k}</span>
+                <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{item.stat.v}</span>
+              </div>
+            )}
+          </motion.div>
+        </motion.div>
+      )}
+    </AnimatePresence>
+  )
+}
+
+// ── Star field
+export function StarField({ isLight }: { isLight: boolean }) {
+  const stars = useMemo(() => {
+    let s = 41
+    const r = () => { s = (s * 9301 + 49297) % 233280; return s / 233280 }
+    return Array.from({ length: 90 }, () => ({ x: r() * 100, y: r() * 100, size: r() * 1.4 + 0.3, op: r() * 0.5 + 0.15 }))
+  }, [])
+  if (isLight) return null
+  return (
+    <div style={{ position: 'absolute', inset: 0, pointerEvents: 'none' }}>
+      {stars.map((st, i) => (
+        <div key={i} style={{ position: 'absolute', left: `${st.x}%`, top: `${st.y}%`, width: st.size, height: st.size, borderRadius: '50%', background: '#fff', opacity: st.op, boxShadow: `0 0 ${st.size * 3}px rgba(180,160,255,.7)` }} />
+      ))}
+    </div>
+  )
+}
diff --git a/pitch-deck/components/slides/USPSlide.tsx b/pitch-deck/components/slides/USPSlide.tsx
index 1e1e6be..8e7ae49 100644
--- a/pitch-deck/components/slides/USPSlide.tsx
+++ b/pitch-deck/components/slides/USPSlide.tsx
@@ -1,11 +1,9 @@
 'use client'
 
-import { useState, useEffect, useRef, useMemo } from 'react'
-import { motion, AnimatePresence } from 'framer-motion'
+import { useState } from 'react'
 import { Language } from '@/lib/types'
 import GradientText from '../ui/GradientText'
 import FadeInView from '../ui/FadeInView'
-import { X } from 'lucide-react'
 
 interface USPSlideProps { lang: Language }
 
@@ -32,592 +30,6 @@ const CSS_KF = `
 `
 
 // ── Light mode hook ───────────────────────────────────────────────────────────
-function useIsLight() {
-  const [isLight, setIsLight] = useState(false)
-  useEffect(() => {
-    const check = () => setIsLight(document.documentElement.classList.contains('theme-light'))
-    check()
-    const obs = new MutationObserver(check)
-    obs.observe(document.documentElement, { attributes: true, attributeFilter: ['class'] })
-    return () => obs.disconnect()
-  }, [])
-  return isLight
-}
-
-// ── Ticker ────────────────────────────────────────────────────────────────────
-function useTicker(fn: () => void, min = 180, max = 420, skip = 0.1) {
-  const ref = useRef(fn)
-  ref.current = fn
-  useEffect(() => {
-    let t: ReturnType<typeof setTimeout>
-    const loop = () => {
-      if (Math.random() > skip) ref.current()
-      t = setTimeout(loop, min + Math.random() * (max - min))
-    }
-    loop()
-    return () => clearTimeout(t)
-  }, [min, max, skip])
-}
-
-function TickerShell({ tint, isLight, children }: { tint: string; isLight: boolean; children: React.ReactNode }) {
-  return (
-    <div style={{
-      ...MONO, marginTop: 10, padding: '5px 9px',
-      background: isLight ? '#f1f5f9' : 'rgba(0,0,0,.38)',
-      border: `1px solid ${tint}55`,
-      borderRadius: 6, fontSize: 10.5,
-      color: isLight ? '#475569' : 'rgba(236,233,247,.88)',
-      display: 'flex', alignItems: 'center', gap: 7,
-      whiteSpace: 'nowrap', overflow: 'hidden', height: 22,
-    }}>{children}</div>
-  )
-}
-
-function TickTrace({ tint, isLight }: { tint: string; isLight: boolean }) {
-  const [n, setN] = useState(12748)
-  useTicker(() => setN(v => v + 1 + Math.floor(Math.random() * 3)), 250, 500)
-  return (
-    <TickerShell tint={tint} isLight={isLight}>
-      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
-      <span style={{ color: tint, opacity: .85 }}>trace</span>
-      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{n.toLocaleString()}</span>
-      <span style={{ color: isLight ? '#94a3b8' : 'rgba(236,233,247,.45)' }}>evidence-chain</span>
-    </TickerShell>
-  )
-}
-
-function TickEngine({ tint, isLight }: { tint: string; isLight: boolean }) {
-  const [v, setV] = useState(428)
-  const [rate, setRate] = useState(99.4)
-  useTicker(() => {
-    setV(x => x + 1 + Math.floor(Math.random() * 4))
-    setRate(r => Math.max(97, Math.min(99.9, r + (Math.random() - 0.5) * 0.3)))
-  }, 220, 420)
-  return (
-    <TickerShell tint={tint} isLight={isLight}>
-      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
-      <span style={{ color: tint, opacity: .85 }}>validate</span>
-      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{v.toLocaleString()}</span>
-      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>{rate.toFixed(1)}%</span>
-    </TickerShell>
-  )
-}
-
-function TickOptimizer({ tint, isLight }: { tint: string; isLight: boolean }) {
-  const ops = ['ROI: 2.418 € / dev', 'gap → policy §4.2', 'dedup 128 tickets', 'sweet-spot: 22 KLOC', 'tradeoff: speed↔risk']
-  const [i, setI] = useState(0)
-  useTicker(() => setI(x => (x + 1) % ops.length), 900, 1600, 0.05)
-  return (
-    <TickerShell tint={tint} isLight={isLight}>
-      <span style={{ color: '#fbbf24' }}>✦</span>
-      <span style={{ color: tint, opacity: .85 }}>optimize</span>
-      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', overflow: 'hidden', textOverflow: 'ellipsis', flex: 1 }}>{ops[i]}</span>
-    </TickerShell>
-  )
-}
-
-function TickStack({ tint, isLight }: { tint: string; isLight: boolean }) {
-  const regs = ['DSGVO', 'NIS-2', 'DORA', 'EU AI Act', 'ISO 27001', 'BSI C5']
-  const [i, setI] = useState(0)
-  const [c, setC] = useState(1208)
-  useTicker(() => { setI(x => (x + 1) % regs.length); setC(v => v + Math.floor(Math.random() * 3)) }, 800, 1400, 0.05)
-  return (
-    <TickerShell tint={tint} isLight={isLight}>
-      <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
-      <span style={{ color: tint, opacity: .85 }}>check</span>
-      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{regs[i]}</span>
-      <span style={{ color: isLight ? '#94a3b8' : 'rgba(236,233,247,.4)' }}>·</span>
-      <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc' }}>{c.toLocaleString()}</span>
-    </TickerShell>
-  )
-}
-
-// ── Data ──────────────────────────────────────────────────────────────────────
-interface DetailItem {
-  tint: string
-  icon: string
-  kicker: string
-  title: string
-  body: string
-  bullets?: string[]
-  stat?: { k: string; v: string }
-}
-
-function getDetails(de: boolean): Record<string, DetailItem> {
-  return {
-    rfq: {
-      tint: '#a78bfa', icon: '⇄',
-      kicker: de ? 'Säule · Compliance' : 'Pillar · Compliance',
-      title: de ? 'RFQ-Prüfung' : 'RFQ Verification',
-      body: de
-        ? 'Kunden-Anforderungsdokumente werden automatisch gegen den aktuellen Source-Code geprüft. Abweichungen werden erkannt, Änderungen vorgeschlagen und auf Wunsch direkt im Code umgesetzt — ohne manuelles Nacharbeiten.'
-        : 'Customer requirement documents are automatically verified against current source code. Deviations are detected, changes proposed and implemented directly in code on request — no manual rework needed.',
-      bullets: de
-        ? ['Klauseln automatisch gegen SBOM, SAST-Findings und Policy-Docs abgeglichen', 'Lücken mit konkreten Implementierungsvorschlägen markiert', 'RFQ-Antworten in Stunden statt Wochen']
-        : ['Auto-match clauses against SBOM, SAST findings and policy docs', 'Flag gaps with concrete implementation proposals', 'Win-ready RFQ replies in hours, not weeks'],
-      stat: { k: de ? 'Ø Antwortzeit' : 'avg response time', v: de ? '4,2h (war 12 Tage)' : '4.2h  (was 12 days)' },
-    },
-    process: {
-      tint: '#c084fc', icon: '⟲',
-      kicker: de ? 'Säule · Compliance' : 'Pillar · Compliance',
-      title: de ? 'Prozess-Compliance' : 'Process Compliance',
-      body: de
-        ? 'Vom Audit-Finding über das Ticket bis zur Code-Änderung läuft der gesamte Prozess automatisiert durch. Rollen, Fristen und Eskalation werden End-to-End verwaltet. Nachweise werden automatisch generiert und archiviert.'
-        : 'From audit finding to ticket to code change, the entire process runs automatically. Roles, deadlines and escalation are managed end-to-end. Evidence is automatically generated and archived.',
-      bullets: de
-        ? ['Finding → Ticket → PR → Nachweis in einem Thread', 'SLA-Tracking pro Control mit Auto-Eskalation', 'Unveränderliches Audit-Log, pro Änderung signiert']
-        : ['Finding → ticket → PR → evidence in one thread', 'SLA tracking per control with auto-escalation', 'Immutable audit log signed per change'],
-      stat: { k: de ? 'automatisierte Prozessschritte' : 'process steps automated', v: '87%' },
-    },
-    bidir: {
-      tint: '#fbbf24', icon: '⟷',
-      kicker: de ? 'Säule · Code' : 'Pillar · Code',
-      title: de ? 'Bidirektional' : 'Bidirectional Sync',
-      body: de
-        ? 'Compliance-Anforderungen fliessen direkt in den Code. Umgekehrt aktualisieren Code-Änderungen automatisch die Compliance-Dokumentation. Beide Seiten sind immer synchron — kein Informationsverlust zwischen Audit und Entwicklung.'
-        : 'Compliance requirements flow directly into code. Conversely, code changes automatically update compliance documentation. Both sides always stay in sync — no information loss between audit and development.',
-      bullets: de
-        ? ['Policy ↔ Code-Mapping via semantischem Diff', 'Git-nativ: jede Änderung als PR', 'Zero Drift zwischen Audit-Artefakten und Realität']
-        : ['Policy ↔ code mapping via semantic diff', 'Git-native: every change shipped as a PR', 'Zero drift between audit artefacts and reality'],
-      stat: { k: de ? 'Drift-Vorfälle' : 'drift incidents', v: de ? '0 seit März 2024' : '0 since Mar-2024' },
-    },
-    cont: {
-      tint: '#f59e0b', icon: '◎',
-      kicker: de ? 'Säule · Code' : 'Pillar · Code',
-      title: de ? 'Kontinuierlich' : 'Continuous, Not Yearly',
-      body: de
-        ? 'Klassische Compliance prüft einmal im Jahr und hofft auf das Beste. Unsere Plattform prüft bei jeder Code-Änderung. Findings werden sofort zu Tickets mit konkreten Implementierungsvorschlägen im Issue-Tracker der Wahl.'
-        : 'Traditional compliance checks once a year and hopes for the best. Our platform checks on every code change. Findings immediately become tickets with concrete implementation proposals in the issue tracker of choice.',
-      bullets: de
-        ? ['CI-integrierte Validierung bei jedem Push', 'Fix-Vorschläge generiert, nicht nur gemeldet', 'Compliance-Frische: Minuten statt Monate']
-        : ['CI-integrated validation on each push', 'Fix suggestions generated, not just reported', 'Compliance freshness: minutes, not months'],
-      stat: { k: de ? 'Validierungen / Tag' : 'validations / day', v: '~2.400 / repo' },
-    },
-    trace: {
-      tint: '#a78bfa', icon: '⇄',
-      kicker: de ? 'Under the Hood' : 'Under the Hood',
-      title: de ? 'End-to-End Rückverfolgbarkeit' : 'End-to-End Traceability',
-      body: de
-        ? 'Regulatorische Anforderungen (Gesetz → Obligation → Control) deterministisch mit realem Systemzustand und Code verknüpft — inklusive revisionssicherem Evidence-Layer.'
-        : 'Regulatory requirements (law → obligation → control) deterministically linked to real system state and code — including audit-proof evidence layer.',
-      bullets: de
-        ? ['Versionierter Evidence-Chain, unveränderlich gespeichert', 'Ein Klick von Klausel bis Codezeile', 'Signierte Attestierungen pro Build']
-        : ['Versioned evidence chain stored immutably', 'One-click drill from clause to line of code', 'Signed attestations per build'],
-    },
-    engine: {
-      tint: '#c084fc', icon: '◉',
-      kicker: de ? 'Under the Hood' : 'Under the Hood',
-      title: de ? 'Continuous Compliance Engine' : 'Continuous Compliance Engine',
-      body: de
-        ? 'Statt punktueller Audits: Validierung bei jeder Änderung (Code, Infrastruktur, Prozesse) mit auditierbaren Nachweisen in Echtzeit.'
-        : 'Instead of point-in-time audits: validation on every change (code, infrastructure, processes) with auditable evidence in real time.',
-      bullets: de
-        ? ['Rule-Packs pro Framework (NIS-2, DORA, …)', 'Verarbeitet Code, IaC und Prozess-Events', 'Findings automatisch ans richtige Team geroutet']
-        : ['Rule packs per framework (NIS-2, DORA, …)', 'Handles code, infra-as-code, and process events', 'Findings routed to the right team automatically'],
-    },
-    opt: {
-      tint: '#fbbf24', icon: '✦',
-      kicker: de ? 'Under the Hood' : 'Under the Hood',
-      title: de ? 'Compliance Optimizer' : 'Compliance Optimizer',
-      body: de
-        ? 'Nicht nur „erlaubt/verboten", sondern die maximal zulässige Ausgestaltung jedes KI-Use-Cases. Deterministische Constraint-Optimierung zeigt den Sweet Spot zwischen Regulierung und Innovation — ersetzt 20–200k EUR Anwaltskosten.'
-        : 'Not just "allowed/forbidden" but the maximum permissible configuration of every AI use case. Deterministic constraint optimization shows the sweet spot between regulation and innovation — replaces EUR 20–200k in legal fees.',
-      bullets: de
-        ? ['ROI-Ranking jedes offenen Findings', 'Abwägung zwischen Liefergeschwindigkeit und Restrisiko', 'Low-Hanging-Wins zuerst']
-        : ['ROI-ranks every open finding', 'Balances speed of delivery with residual risk', 'Highlights low-hanging wins first'],
-    },
-    stack: {
-      tint: '#f59e0b', icon: '◎',
-      kicker: de ? 'Under the Hood' : 'Under the Hood',
-      title: de ? 'EU-Trust & Governance Stack' : 'EU Trust & Governance Stack',
-      body: de
-        ? 'Souveräne, DSGVO-/AI-Act-konforme Architektur (EU-Hosting, Isolation, Betriebsrat-Fähigkeit) — Marktzugang, den US-Lösungen strukturell nicht erreichen.'
-        : 'Sovereign, GDPR/AI Act compliant architecture (EU hosting, isolation, works council capability) — market access that US solutions structurally cannot achieve.',
-      bullets: de
-        ? ['DSGVO · NIS-2 · DORA · EU AI Act · ISO 27001 · BSI C5', 'EU-souveränes Hosting und Key-Management', 'Eine Plattform, ein Audit, eine Rechnung']
-        : ['DSGVO · NIS-2 · DORA · EU AI Act · ISO 27001 · BSI C5', 'EU-sovereign hosting and key-management', 'One platform, one audit, one bill'],
-    },
-    hub: {
-      tint: '#a78bfa', icon: '∞',
-      kicker: de ? 'Die Schleife' : 'The Loop',
-      title: de ? 'Compliance ↔ Code · Immer in Sync' : 'Compliance ↔ Code · Always in sync',
-      body: de
-        ? 'Die Plattform ist eine einzige geschlossene Schleife. Jede Policy-Änderung fliesst in den Code; jede Code-Änderung fliesst in die Policy zurück.'
-        : 'The platform is a single closed loop. Every policy change ripples into code; every code change ripples back into policy. That\'s the USP in one diagram.',
-      bullets: de
-        ? ['Single Source of Truth, zwei Oberflächen', 'Echtzeit-Sync, kein Batch-Abgleich', 'Auditoren, Entwickler und Sales fragen denselben Graphen ab']
-        : ['Single source of truth, two surfaces', 'Real-time sync, not batch reconciliation', 'Auditors, engineers and sales all query the same graph'],
-    },
-  }
-}
-
-// ── Pillar row ────────────────────────────────────────────────────────────────
-function PillarRow({ side, title, body, tint, onClick, active, isLight }: {
-  side: 'left' | 'right'
-  title: string; body: string; tint: string
-  onClick: () => void; active: boolean; isLight: boolean
-}) {
-  const [hover, setHover] = useState(false)
-  const lit = hover || active
-  const isLeft = side === 'left'
-  return (
-    <div
-      onClick={onClick}
-      onMouseEnter={() => setHover(true)}
-      onMouseLeave={() => setHover(false)}
-      style={{
-        display: 'flex', alignItems: 'flex-start', gap: 12,
-        flexDirection: isLeft ? 'row-reverse' : 'row',
-        textAlign: isLeft ? 'right' : 'left',
-        padding: '10px 14px', borderRadius: 10, cursor: 'pointer',
-        transition: 'transform .25s, background .25s, box-shadow .25s',
-        background: lit
-          ? `linear-gradient(${isLeft ? '270deg' : '90deg'}, ${tint}24 0%, ${tint}0a 70%, transparent 100%)`
-          : 'transparent',
-        boxShadow: lit
-          ? `0 10px 30px ${tint}26, inset 0 0 0 1px ${tint}44`
-          : 'inset 0 0 0 1px transparent',
-        transform: lit ? (isLeft ? 'translateX(-3px)' : 'translateX(3px)') : 'translateX(0)',
-      }}
-    >
-      <div style={{
-        flex: '0 0 30px', width: 30, height: 30, borderRadius: 9,
-        background: lit ? `${tint}3a` : `${tint}22`,
-        border: `1px solid ${lit ? tint : tint + '66'}`,
-        display: 'flex', alignItems: 'center', justifyContent: 'center',
-        color: lit ? (isLight ? tint : '#fff') : tint, fontSize: 13, fontWeight: 700, marginTop: 2,
-        boxShadow: lit ? `0 0 14px ${tint}88, inset 0 1px 0 ${tint}80` : `inset 0 1px 0 ${tint}50`,
-        transition: 'all .25s',
-      }}>◆</div>
-      <div style={{ flex: 1, minWidth: 0 }}>
-        <div style={{
-          fontSize: 13, fontWeight: 700,
-          color: isLight ? '#1a1a2e' : '#f7f5fc',
-          letterSpacing: -0.15, marginBottom: 3,
-          display: 'flex', alignItems: 'center', gap: 6,
-          justifyContent: isLeft ? 'flex-end' : 'flex-start',
-        }}>
-          <span>{title}</span>
-          <span style={{
-            fontSize: 10, color: tint, opacity: lit ? 1 : 0,
-            transform: `translateX(${lit ? 0 : (isLeft ? 4 : -4)}px)`,
-            transition: 'all .25s',
-          }}>{isLeft ? '‹' : '›'}</span>
-        </div>
-        <div style={{
-          fontSize: 11, lineHeight: 1.55,
-          color: isLight
-            ? `rgba(71,85,105,${lit ? 1 : .78})`
-            : `rgba(236,233,247,${lit ? .82 : .62})`,
-          transition: 'color .25s',
-        }}>{body}</div>
-      </div>
-    </div>
-  )
-}
-
-// ── Column header ─────────────────────────────────────────────────────────────
-function ColHeader({ side, label, color, icon, sub, isLight }: {
-  side: 'left' | 'right'; label: string; color: string; icon: string; sub: string; isLight: boolean
-}) {
-  const isLeft = side === 'left'
-  return (
-    <div style={{
-      display: 'flex', alignItems: 'center', gap: 10,
-      flexDirection: isLeft ? 'row-reverse' : 'row',
-      paddingBottom: 10, borderBottom: `1px solid ${color}35`,
-    }}>
-      <div style={{
-        width: 34, height: 34, borderRadius: 9,
-        background: `linear-gradient(135deg, ${color}55, ${color}20)`,
-        border: `1px solid ${color}88`,
-        display: 'flex', alignItems: 'center', justifyContent: 'center',
-        color: isLight ? color : '#fff', fontSize: 15, fontWeight: 700,
-        boxShadow: `0 0 18px ${color}55, inset 0 1px 0 ${color}aa`,
-      }}>{icon}</div>
-      <div>
-        <div style={{ fontSize: 18, fontWeight: 700, color: isLight ? '#1a1a2e' : '#f7f5fc', letterSpacing: -0.3, lineHeight: 1 }}>{label}</div>
-        <div style={{ ...MONO, fontSize: 9.5, letterSpacing: 2, color, opacity: .75, marginTop: 3, textTransform: 'uppercase' as const }}>{sub}</div>
-      </div>
-    </div>
-  )
-}
-
-// ── Central hub ───────────────────────────────────────────────────────────────
-function CentralHub({ caption, isLight }: { caption: string; isLight: boolean }) {
-  return (
-    <div style={{ position: 'relative', width: 260, height: 320, display: 'flex', alignItems: 'center', justifyContent: 'center' }}>
-      <div style={{
-        position: 'relative', width: 120, height: 120, borderRadius: '50%',
-        background: 'radial-gradient(circle at 32% 28%, #f0e9ff 0%, #c4aaff 26%, #7b5cd6 58%, #2a1560 100%)',
-        border: '1.5px solid rgba(216,202,255,.7)',
-        display: 'flex', alignItems: 'center', justifyContent: 'center',
-        boxShadow: isLight
-          ? '0 0 30px rgba(167,139,250,.4), 0 0 60px rgba(167,139,250,.15), inset 0 3px 0 rgba(255,255,255,.5), inset 0 -8px 14px rgba(0,0,0,.2)'
-          : '0 0 50px rgba(167,139,250,.65), 0 0 100px rgba(167,139,250,.25), inset 0 3px 0 rgba(255,255,255,.35), inset 0 -8px 14px rgba(0,0,0,.35)',
-        animation: isLight ? 'uspPulseLight 2.6s ease-in-out infinite' : 'uspPulse 2.6s ease-in-out infinite',
-        zIndex: 3,
-      }}>
-        <div style={{ position: 'absolute', inset: -14, borderRadius: '50%', border: `1px dashed ${isLight ? 'rgba(167,139,250,.5)' : 'rgba(216,202,255,.42)'}`, animation: 'uspSpin 14s linear infinite' }} />
-        <div style={{ position: 'absolute', inset: -30, borderRadius: '50%', border: `1px dashed ${isLight ? 'rgba(167,139,250,.3)' : 'rgba(216,202,255,.2)'}`, animation: 'uspSpin 22s linear infinite reverse' }} />
-        <svg width="54" height="26" viewBox="0 0 54 26" fill="none" stroke="#fff" strokeWidth="2.8" strokeLinecap="round" strokeLinejoin="round"
-          style={{ filter: 'drop-shadow(0 1px 3px rgba(0,0,0,.5))' }}>
-          <path d="M 10 13 C 10 5, 22 5, 27 13 C 32 21, 44 21, 44 13 C 44 5, 32 5, 27 13 C 22 21, 10 21, 10 13 Z" />
-        </svg>
-      </div>
-      <div style={{
-        position: 'absolute', left: 0, right: 0, bottom: 24, textAlign: 'center',
-        ...MONO, fontSize: 9.5, letterSpacing: 2.5,
-        color: isLight ? 'rgba(109,77,194,.75)' : 'rgba(216,202,255,.75)',
-        textTransform: 'uppercase' as const, fontWeight: 600,
-      }}>{caption}</div>
-    </div>
-  )
-}
-
-// ── Bridge SVG connectors ─────────────────────────────────────────────────────
-function BridgeConnectors({ isLight }: { isLight: boolean }) {
-  const rfpY = 130
-  const sub2Y = 250
-  const hubCx = 500
-  const hubR = 72
-  return (
-    <svg viewBox="0 0 1000 400" preserveAspectRatio="none"
-      style={{ position: 'absolute', inset: 0, width: '100%', height: '100%', pointerEvents: 'none', zIndex: 1 }}>
-      <defs>
-        <linearGradient id="uspFromL" x1="0" x2="1">
-          <stop offset="0" stopColor="#a78bfa" stopOpacity="0" />
-          <stop offset=".3" stopColor="#a78bfa" stopOpacity={isLight ? '.6' : '.85'} />
-          <stop offset="1" stopColor="#c084fc" stopOpacity={isLight ? '.2' : '.3'} />
-        </linearGradient>
-        <linearGradient id="uspToR" x1="0" x2="1">
-          <stop offset="0" stopColor="#c084fc" stopOpacity={isLight ? '.2' : '.3'} />
-          <stop offset=".7" stopColor="#fbbf24" stopOpacity={isLight ? '.6' : '.85'} />
-          <stop offset="1" stopColor="#fbbf24" stopOpacity="0" />
-        </linearGradient>
-      </defs>
-
-      <line x1="40" y1={rfpY} x2={hubCx - hubR} y2={rfpY}
-        stroke="url(#uspFromL)" strokeWidth="2" strokeDasharray="4 5"
-        style={{ animation: 'uspFlowR 1.6s linear infinite' }} />
-      <line x1={hubCx + hubR} y1={rfpY} x2="960" y2={rfpY}
-        stroke="url(#uspToR)" strokeWidth="2" strokeDasharray="4 5"
-        style={{ animation: 'uspFlowR 1.6s linear infinite' }} />
-      <line x1="40" y1={sub2Y} x2={hubCx - hubR} y2={sub2Y}
-        stroke="url(#uspFromL)" strokeWidth="2" strokeDasharray="4 5"
-        style={{ animation: 'uspFlowR 1.6s linear infinite' }} />
-      <line x1={hubCx + hubR} y1={sub2Y} x2="960" y2={sub2Y}
-        stroke="url(#uspToR)" strokeWidth="2" strokeDasharray="4 5"
-        style={{ animation: 'uspFlowR 1.6s linear infinite' }} />
-
-      {([rfpY, sub2Y] as number[]).map(y => (
-        <g key={y}>
-          <circle cx={hubCx - hubR} cy={y} r="4" fill={isLight ? '#eef2ff' : '#1a0f34'} stroke="#a78bfa" strokeWidth="1.2" />
-          <circle cx={hubCx - hubR} cy={y} r="1.5" fill="#a78bfa" />
-          <circle cx={hubCx + hubR} cy={y} r="4" fill={isLight ? '#eef2ff' : '#1a0f34'} stroke="#fbbf24" strokeWidth="1.2" />
-          <circle cx={hubCx + hubR} cy={y} r="1.5" fill="#fbbf24" />
-        </g>
-      ))}
-
-      <circle r="3" fill="#c4aaff" style={{ filter: 'drop-shadow(0 0 6px #a78bfa)' }}>
-        <animate attributeName="cx" from="40" to="960" dur="3.5s" repeatCount="indefinite" />
-        <animate attributeName="cy" values={`${rfpY};${rfpY}`} dur="3.5s" repeatCount="indefinite" />
-      </circle>
-      <circle r="3" fill="#fde68a" style={{ filter: 'drop-shadow(0 0 6px #fbbf24)' }}>
-        <animate attributeName="cx" from="960" to="40" dur="3.5s" repeatCount="indefinite" />
-        <animate attributeName="cy" values={`${sub2Y};${sub2Y}`} dur="3.5s" repeatCount="indefinite" />
-      </circle>
-    </svg>
-  )
-}
-
-// ── Under-the-hood feature card ───────────────────────────────────────────────
-function FeatureCard({ icon, title, body, tint, Ticker, onClick, active, isLight }: {
-  icon: string; title: string; body: string; tint: string
-  Ticker: React.ComponentType<{ tint: string; isLight: boolean }>
-  onClick: () => void; active: boolean; isLight: boolean
-}) {
-  const [hover, setHover] = useState(false)
-  const lit = hover || active
-  return (
-    <div
-      onClick={onClick}
-      onMouseEnter={() => setHover(true)}
-      onMouseLeave={() => setHover(false)}
-      style={{
-        position: 'relative', padding: '13px 15px',
-        background: isLight
-          ? lit
-            ? `linear-gradient(180deg, ${tint}18 0%, ${tint}08 55%, rgba(248,250,252,.95) 100%)`
-            : 'linear-gradient(180deg, #ffffff, #f8fafc)'
-          : `linear-gradient(180deg, ${tint}${lit ? '2a' : '1a'} 0%, ${tint}07 55%, rgba(14,8,28,.85) 100%)`,
-        border: `1px solid ${lit ? tint : isLight ? 'rgba(0,0,0,.1)' : tint + '4a'}`,
-        borderRadius: 12,
-        boxShadow: lit
-          ? `0 18px 40px ${tint}33, 0 0 0 1px ${tint}66, inset 0 1px 0 ${tint}60`
-          : isLight
-            ? '0 2px 8px rgba(0,0,0,.08), inset 0 1px 0 rgba(255,255,255,.8)'
-            : `0 10px 24px rgba(0,0,0,.4), inset 0 1px 0 ${tint}35`,
-        minWidth: 0, cursor: 'pointer',
-        transform: lit ? 'translateY(-3px)' : 'translateY(0)',
-        transition: 'transform .25s, box-shadow .25s, background .25s, border-color .25s',
-      }}
-    >
-      <div style={{ display: 'flex', alignItems: 'center', gap: 8, marginBottom: 6 }}>
-        <span style={{
-          width: 22, height: 22, borderRadius: 6,
-          background: lit ? `${tint}44` : `${tint}22`,
-          border: `1px solid ${lit ? tint : tint + '66'}`,
-          display: 'inline-flex', alignItems: 'center', justifyContent: 'center',
-          color: lit ? (isLight ? tint : '#fff') : tint, fontSize: 12,
-          boxShadow: lit ? `0 0 12px ${tint}88` : 'none',
-          transition: 'all .25s',
-        }}>{icon}</span>
-        <span style={{ fontSize: 12.5, fontWeight: 700, color: isLight ? '#1a1a2e' : '#f7f5fc', letterSpacing: -0.15, flex: 1 }}>{title}</span>
-        <span style={{ fontSize: 10, color: tint, opacity: lit ? 1 : 0.5, transform: `translateX(${lit ? 0 : -3}px)`, transition: 'all .25s' }}>↗</span>
-      </div>
-      <div style={{
-        fontSize: 11, lineHeight: 1.45,
-        color: isLight
-          ? `rgba(71,85,105,${lit ? 1 : .78})`
-          : `rgba(236,233,247,${lit ? .82 : .65})`,
-        transition: 'color .25s',
-      }}>{body}</div>
-      <Ticker tint={tint} isLight={isLight} />
-    </div>
-  )
-}
-
-// ── Detail modal ──────────────────────────────────────────────────────────────
-function DetailModal({ item, onClose, isLight }: { item: DetailItem | null; onClose: () => void; isLight: boolean }) {
-  useEffect(() => {
-    if (!item) return
-    const onKey = (e: KeyboardEvent) => { if (e.key === 'Escape') onClose() }
-    window.addEventListener('keydown', onKey)
-    return () => window.removeEventListener('keydown', onKey)
-  }, [item, onClose])
-
-  return (
-    <AnimatePresence>
-      {item && (
-        <motion.div
-          initial={{ opacity: 0 }}
-          animate={{ opacity: 1 }}
-          exit={{ opacity: 0 }}
-          transition={{ duration: 0.2 }}
-          onClick={onClose}
-          style={{
-            position: 'absolute', inset: 0, zIndex: 50,
-            background: isLight ? 'rgba(240,244,255,.72)' : 'rgba(5,2,16,.72)',
-            backdropFilter: 'blur(6px)',
-            display: 'flex', alignItems: 'center', justifyContent: 'center',
-          }}
-        >
-          <motion.div
-            initial={{ opacity: 0, scale: 0.94 }}
-            animate={{ opacity: 1, scale: 1 }}
-            exit={{ opacity: 0, scale: 0.94 }}
-            transition={{ duration: 0.22 }}
-            onClick={e => e.stopPropagation()}
-            style={{
-              width: 560, maxWidth: '88%',
-              background: isLight
-                ? `linear-gradient(180deg, ${item.tint}10 0%, rgba(255,255,255,.98) 50%, rgba(248,250,252,.99) 100%)`
-                : `linear-gradient(180deg, ${item.tint}18 0%, rgba(20,10,40,.96) 50%, rgba(14,8,28,.98) 100%)`,
-              border: `1px solid ${item.tint}${isLight ? '44' : '66'}`,
-              borderRadius: 16,
-              boxShadow: isLight
-                ? `0 20px 60px rgba(0,0,0,.12), 0 0 40px ${item.tint}18, inset 0 1px 0 rgba(255,255,255,.9)`
-                : `0 30px 80px rgba(0,0,0,.6), 0 0 60px ${item.tint}33, inset 0 1px 0 ${item.tint}55`,
-              padding: '22px 26px',
-              color: isLight ? '#1a1a2e' : '#ece9f7',
-            }}
-          >
-            <div style={{ display: 'flex', alignItems: 'center', gap: 12, marginBottom: 14 }}>
-              <div style={{
-                width: 38, height: 38, borderRadius: 10,
-                background: `linear-gradient(135deg, ${item.tint}66, ${item.tint}22)`,
-                border: `1px solid ${item.tint}`,
-                display: 'flex', alignItems: 'center', justifyContent: 'center',
-                color: isLight ? item.tint : '#fff', fontSize: 16, fontWeight: 700,
-                boxShadow: `0 0 18px ${item.tint}66`,
-              }}>{item.icon}</div>
-              <div style={{ flex: 1 }}>
-                <div style={{ ...MONO, fontSize: 9.5, letterSpacing: 2.5, color: item.tint, textTransform: 'uppercase' as const, fontWeight: 600, marginBottom: 2 }}>
-                  {item.kicker}
-                </div>
-                <div style={{ fontSize: 19, fontWeight: 700, color: isLight ? '#1a1a2e' : '#f7f5fc', letterSpacing: -0.3 }}>{item.title}</div>
-              </div>
-              <button onClick={onClose} style={{
-                background: 'transparent', border: `1px solid ${item.tint}55`,
-                borderRadius: 8, cursor: 'pointer', width: 30, height: 30,
-                display: 'flex', alignItems: 'center', justifyContent: 'center',
-                color: isLight ? '#64748b' : 'rgba(236,233,247,.6)',
-              }}>
-                <X style={{ width: 14, height: 14 }} />
-              </button>
-            </div>
-            <div style={{ fontSize: 13, lineHeight: 1.6, color: isLight ? '#475569' : 'rgba(236,233,247,.82)', marginBottom: 16 }}>
-              {item.body}
-            </div>
-            {item.bullets && (
-              <div style={{ display: 'flex', flexDirection: 'column', gap: 8, marginBottom: 14 }}>
-                {item.bullets.map((b, i) => (
-                  <div key={i} style={{
-                    display: 'flex', alignItems: 'flex-start', gap: 10,
-                    padding: '8px 12px', borderRadius: 8,
-                    background: isLight ? 'rgba(0,0,0,.04)' : 'rgba(0,0,0,.3)',
-                    border: `1px solid ${item.tint}${isLight ? '22' : '33'}`,
-                  }}>
-                    <span style={{ color: item.tint, fontSize: 12, marginTop: 1 }}>▸</span>
-                    <span style={{ fontSize: 12, lineHeight: 1.5, color: isLight ? '#475569' : 'rgba(236,233,247,.78)' }}>{b}</span>
-                  </div>
-                ))}
-              </div>
-            )}
-            {item.stat && (
-              <div style={{
-                ...MONO, padding: '10px 14px', borderRadius: 8,
-                background: isLight ? 'rgba(0,0,0,.04)' : 'rgba(0,0,0,.45)',
-                border: `1px solid ${item.tint}${isLight ? '33' : '55'}`,
-                fontSize: 12, color: isLight ? '#475569' : 'rgba(236,233,247,.9)',
-                display: 'flex', alignItems: 'center', gap: 10,
-              }}>
-                <span style={{ color: isLight ? '#16a34a' : '#4ade80' }}>●</span>
-                <span style={{ color: item.tint }}>{item.stat.k}</span>
-                <span style={{ color: isLight ? '#1a1a2e' : '#f5f3fc', fontWeight: 600 }}>{item.stat.v}</span>
-              </div>
-            )}
-          </motion.div>
-        </motion.div>
-      )}
-    </AnimatePresence>
-  )
-}
-
-// ── Star field ────────────────────────────────────────────────────────────────
-function StarField({ isLight }: { isLight: boolean }) {
-  const stars = useMemo(() => {
-    let s = 41
-    const r = () => { s = (s * 9301 + 49297) % 233280; return s / 233280 }
-    return Array.from({ length: 90 }, () => ({ x: r() * 100, y: r() * 100, size: r() * 1.4 + 0.3, op: r() * 0.5 + 0.15 }))
-  }, [])
-  if (isLight) return null
-  return (
-    <div style={{ position: 'absolute', inset: 0, pointerEvents: 'none' }}>
-      {stars.map((st, i) => (
-        <div key={i} style={{
-          position: 'absolute', left: `${st.x}%`, top: `${st.y}%`,
-          width: st.size, height: st.size, borderRadius: '50%',
-          background: '#fff', opacity: st.op,
-          boxShadow: `0 0 ${st.size * 3}px rgba(180,160,255,.7)`,
-        }} />
-      ))}
-    </div>
-  )
-}
-
-// ── Main slide ────────────────────────────────────────────────────────────────
 export default function USPSlide({ lang }: USPSlideProps) {
   const de = lang === 'de'
   const isLight = useIsLight()
diff --git a/pitch-deck/components/ui/AnnualPLTable.parts.tsx b/pitch-deck/components/ui/AnnualPLTable.parts.tsx
new file mode 100644
index 0000000..2222395
--- /dev/null
+++ b/pitch-deck/components/ui/AnnualPLTable.parts.tsx
@@ -0,0 +1,259 @@
+'use client'
+
+import { useEffect } from 'react'
+import { ChevronDown, ChevronRight, Minimize2 } from 'lucide-react'
+import {
+  AnnualRow,
+  MonthlyRow,
+  AccountingStandard,
+  fmt,
+  fmtMonth,
+  getLineItems,
+  MONTH_NAMES_DE,
+  MONTH_NAMES_EN,
+} from './AnnualPLTable.types'
+
+interface AnnualTableProps {
+  rows: AnnualRow[]
+  lang: 'de' | 'en'
+  expandedYear: number | null
+  onToggleYear: (year: number) => void
+  monthlyData: Map<number, MonthlyRow[]>
+  isFullscreen: boolean
+  standard: AccountingStandard
+}
+
+export function AnnualTable({
+  rows,
+  lang,
+  expandedYear,
+  onToggleYear,
+  monthlyData,
+  isFullscreen,
+  standard,
+}: AnnualTableProps) {
+  const de = lang === 'de'
+  const monthNames = de ? MONTH_NAMES_DE : MONTH_NAMES_EN
+  const lineItems = getLineItems(lang, standard)
+
+  const monthlyExtraItems: { label: string; key: keyof MonthlyRow; isBold?: boolean }[] = isFullscreen ? [
+    { label: 'MRR', key: 'mrr', isBold: true },
+    { label: de ? 'Cash-Bestand' : 'Cash Balance', key: 'cashBalance', isBold: true },
+  ] : []
+
+  const textSize = isFullscreen ? 'text-xs' : 'text-[11px]'
+  const minColWidth = isFullscreen ? 'min-w-[70px]' : 'min-w-[80px]'
+
+  return (
+    <table className={`w-full ${textSize}`}>
+      <thead>
+        <tr className="border-b border-white/10">
+          <th className={`text-left py-2 pr-4 text-white/40 font-medium ${isFullscreen ? 'min-w-[220px]' : 'min-w-[180px]'}`}>
+            {standard === 'hgb'
+              ? (de ? 'GuV-Position (HGB)' : 'P&L Line Item (HGB)')
+              : (de ? 'GuV-Position (US GAAP)' : 'P&L Line Item (US GAAP)')
+            }
+          </th>
+          {rows.map(r => (
+            <th
+              key={r.year}
+              className={`text-right py-2 px-2 text-white/50 font-semibold ${minColWidth} cursor-pointer hover:text-indigo-400 transition-colors`}
+              onClick={() => onToggleYear(r.year)}
+              title={de ? 'Klicken fuer Monatsdetails' : 'Click for monthly details'}
+            >
+              <span className="inline-flex items-center gap-1">
+                {expandedYear === r.year ? (
+                  <ChevronDown className="w-3 h-3" />
+                ) : (
+                  <ChevronRight className="w-3 h-3 opacity-30" />
+                )}
+                {r.year}
+              </span>
+            </th>
+          ))}
+        </tr>
+      </thead>
+      <tbody>
+        {lineItems.map((item) => (
+          <tr
+            key={item.key}
+            className={item.isSeparator ? 'border-t border-white/10' : ''}
+          >
+            <td className={`py-1.5 pr-4 ${item.isBold ? 'text-white font-semibold' : 'text-white/50'} ${item.isPercent ? 'italic text-white/30' : ''}`}>
+              {item.label}
+            </td>
+            {rows.map(r => {
+              const val = r[item.key] as number
+              return (
+                <td
+                  key={r.year}
+                  className={`text-right py-1.5 px-2 font-mono
+                    ${item.isBold ? 'font-semibold' : ''}
+                    ${item.isPercent ? 'text-white/30 italic' : ''}
+                    ${!item.isPercent && val < 0 ? 'text-red-400/80' : ''}
+                    ${!item.isPercent && val > 0 && item.key === 'ebitda' ? 'text-emerald-400' : ''}
+                    ${!item.isPercent && !item.isBold ? 'text-white/60' : 'text-white'}
+                  `}
+                >
+                  {item.isPercent
+                    ? `${val.toFixed(1)}%`
+                    : (item.isNegative && val > 0 ? '-' : '') + fmt(Math.abs(val))
+                  }
+                </td>
+              )
+            })}
+          </tr>
+        ))}
+      </tbody>
+
+      {/* Monthly Drill-Down */}
+      {expandedYear && monthlyData.has(expandedYear) && (
+        <tbody>
+          <tr>
+            <td colSpan={rows.length + 1} className="pt-4 pb-1">
+              <div className="border-t border-indigo-500/30 pt-3">
+                <p className="text-xs font-semibold text-indigo-400 mb-2">
+                  {de ? `Monatsdetails ${expandedYear}` : `Monthly Details ${expandedYear}`}
+                </p>
+              </div>
+            </td>
+          </tr>
+          <tr className="border-b border-white/10">
+            <td className="text-left py-1 pr-4 text-white/40 font-medium text-[10px]">
+              {de ? 'Monat' : 'Month'}
+            </td>
+            {monthlyData.get(expandedYear)!.map(m => (
+              <td key={m.monthInYear} className="text-right py-1 px-1 text-white/40 font-medium text-[10px]">
+                {monthNames[m.monthInYear - 1]}
+              </td>
+            ))}
+          </tr>
+          {lineItems.map((item) => {
+            const mKey = item.monthKey
+            if (!mKey) return null
+            return (
+              <tr key={`monthly-${item.key}`} className={item.isSeparator ? 'border-t border-white/5' : ''}>
+                <td className={`py-1 pr-4 text-[10px] ${item.isBold ? 'text-white/70 font-medium' : 'text-white/30'} ${item.isPercent ? 'italic' : ''}`}>
+                  {item.label}
+                </td>
+                {monthlyData.get(expandedYear)!.map(m => {
+                  const val = m[mKey] as number
+                  return (
+                    <td
+                      key={m.monthInYear}
+                      className={`text-right py-1 px-1 font-mono text-[10px]
+                        ${item.isPercent ? 'text-white/20 italic' : ''}
+                        ${!item.isPercent && val < 0 ? 'text-red-400/60' : ''}
+                        ${!item.isPercent && val > 0 && item.key === 'ebitda' ? 'text-emerald-400/70' : ''}
+                        ${!item.isPercent ? 'text-white/40' : ''}
+                      `}
+                    >
+                      {item.isPercent
+                        ? `${val.toFixed(0)}%`
+                        : (item.isNegative && val > 0 ? '-' : '') + fmtMonth(Math.abs(val))
+                      }
+                    </td>
+                  )
+                })}
+              </tr>
+            )
+          })}
+          {monthlyExtraItems.map((item) => (
+            <tr key={`monthly-extra-${item.key}`} className="border-t border-white/5">
+              <td className="py-1 pr-4 text-[10px] text-indigo-300/70 font-medium">{item.label}</td>
+              {monthlyData.get(expandedYear)!.map(m => {
+                const val = m[item.key] as number
+                return (
+                  <td key={m.monthInYear} className="text-right py-1 px-1 font-mono text-[10px] text-indigo-300/50">
+                    {fmtMonth(Math.round(val))}
+                  </td>
+                )
+              })}
+            </tr>
+          ))}
+        </tbody>
+      )}
+    </table>
+  )
+}
+
+interface FullscreenOverlayProps {
+  children: React.ReactNode
+  onClose: () => void
+  lang: 'de' | 'en'
+  standard: AccountingStandard
+  onStandardChange: (s: AccountingStandard) => void
+}
+
+export function FullscreenOverlay({
+  children,
+  onClose,
+  lang,
+  standard,
+  onStandardChange,
+}: FullscreenOverlayProps) {
+  const de = lang === 'de'
+
+  // ESC to close
+  useEffect(() => {
+    const handler = (e: KeyboardEvent) => {
+      if (e.key === 'Escape') onClose()
+    }
+    window.addEventListener('keydown', handler)
+    return () => window.removeEventListener('keydown', handler)
+  }, [onClose])
+
+  return (
+    <div className="fixed inset-0 z-[9999] bg-slate-950/98 backdrop-blur-xl overflow-auto p-6">
+      <div className="max-w-[1400px] mx-auto">
+        <div className="flex items-center justify-between mb-4">
+          <div>
+            <h2 className="text-xl font-bold text-white">
+              {de ? 'Gewinn- und Verlustrechnung' : 'Profit & Loss Statement'}
+            </h2>
+            <p className="text-xs text-white/40">
+              {de
+                ? 'Klicke auf ein Jahr um die Monatsdetails zu sehen · ESC zum Schliessen'
+                : 'Click on a year to see monthly details · ESC to close'}
+            </p>
+          </div>
+          <div className="flex items-center gap-3">
+            {/* HGB / US GAAP Toggle */}
+            <div className="flex items-center bg-white/[0.06] border border-white/10 rounded-xl overflow-hidden">
+              <button
+                onClick={() => onStandardChange('hgb')}
+                className={`px-3 py-1.5 text-xs font-medium transition-all ${
+                  standard === 'hgb'
+                    ? 'bg-indigo-500/20 text-indigo-300'
+                    : 'text-white/40 hover:text-white/60'
+                }`}
+              >
+                HGB
+              </button>
+              <button
+                onClick={() => onStandardChange('usgaap')}
+                className={`px-3 py-1.5 text-xs font-medium transition-all ${
+                  standard === 'usgaap'
+                    ? 'bg-indigo-500/20 text-indigo-300'
+                    : 'text-white/40 hover:text-white/60'
+                }`}
+              >
+                US GAAP
+              </button>
+            </div>
+            <button
+              onClick={onClose}
+              className="flex items-center gap-2 px-3 py-2 bg-white/[0.08] hover:bg-white/[0.12] border border-white/10 rounded-xl text-sm text-white/70 hover:text-white transition-all"
+            >
+              <Minimize2 className="w-4 h-4" />
+              {de ? 'Schliessen' : 'Close'}
+            </button>
+          </div>
+        </div>
+        <div className="bg-white/[0.03] border border-white/10 rounded-2xl p-6 overflow-x-auto">
+          {children}
+        </div>
+      </div>
+    </div>
+  )
+}
diff --git a/pitch-deck/components/ui/AnnualPLTable.tsx b/pitch-deck/components/ui/AnnualPLTable.tsx
index f7e782e..1d2bb8f 100644
--- a/pitch-deck/components/ui/AnnualPLTable.tsx
+++ b/pitch-deck/components/ui/AnnualPLTable.tsx
@@ -3,410 +3,15 @@
 import { useState, useEffect } from 'react'
 import { createPortal } from 'react-dom'
 import { motion } from 'framer-motion'
+import { Maximize2 } from 'lucide-react'
 import { FMResult } from '@/lib/types'
-import { Maximize2, Minimize2, ChevronDown, ChevronRight } from 'lucide-react'
-
-interface AnnualPLTableProps {
-  results: FMResult[]
-  lang: 'de' | 'en'
-}
-
-type AccountingStandard = 'hgb' | 'usgaap'
-
-interface AnnualRow {
-  year: number
-  revenue: number
-  cogs: number
-  grossProfit: number
-  grossMarginPct: number
-  personnel: number
-  marketing: number
-  infra: number
-  totalOpex: number
-  ebitda: number
-  ebitdaMarginPct: number
-  customers: number
-  employees: number
-}
-
-interface MonthlyRow {
-  month: number
-  monthInYear: number
-  revenue: number
-  cogs: number
-  grossProfit: number
-  grossMarginPct: number
-  personnel: number
-  marketing: number
-  infra: number
-  totalCosts: number
-  ebitda: number
-  ebitdaMarginPct: number
-  customers: number
-  employees: number
-  mrr: number
-  cashBalance: number
-}
-
-function fmt(v: number): string {
-  if (Math.abs(v) >= 1_000_000) return `${(v / 1_000_000).toFixed(1)}M`
-  if (Math.abs(v) >= 1_000) return `${(v / 1_000).toFixed(0)}k`
-  return Math.round(v).toLocaleString('de-DE')
-}
-
-function fmtMonth(v: number): string {
-  return Math.round(v).toLocaleString('de-DE')
-}
-
-const MONTH_NAMES_DE = ['Jan', 'Feb', 'Mär', 'Apr', 'Mai', 'Jun', 'Jul', 'Aug', 'Sep', 'Okt', 'Nov', 'Dez']
-const MONTH_NAMES_EN = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec']
-
-function getLineItems(lang: 'de' | 'en', standard: AccountingStandard) {
-  const de = lang === 'de'
-  const hgb = standard === 'hgb'
-
-  return [
-    {
-      label: hgb
-        ? (de ? 'Umsatzerloese' : 'Revenue (Umsatzerloese)')
-        : (de ? 'Revenue' : 'Revenue'),
-      key: 'revenue' as keyof AnnualRow,
-      monthKey: 'revenue' as keyof MonthlyRow,
-      isBold: true,
-    },
-    {
-      label: hgb
-        ? (de ? '- Herstellungskosten' : '- Cost of Production')
-        : (de ? '- COGS' : '- Cost of Goods Sold'),
-      key: 'cogs' as keyof AnnualRow,
-      monthKey: 'cogs' as keyof MonthlyRow,
-      isNegative: true,
-    },
-    {
-      label: hgb
-        ? (de ? '= Rohertrag' : '= Gross Profit')
-        : (de ? '= Gross Profit' : '= Gross Profit'),
-      key: 'grossProfit' as keyof AnnualRow,
-      monthKey: 'grossProfit' as keyof MonthlyRow,
-      isBold: true,
-      isSeparator: true,
-    },
-    {
-      label: hgb
-        ? (de ? '  Rohertragsmarge' : '  Gross Margin')
-        : (de ? '  Gross Margin' : '  Gross Margin'),
-      key: 'grossMarginPct' as keyof AnnualRow,
-      monthKey: 'grossMarginPct' as keyof MonthlyRow,
-      isPercent: true,
-    },
-    {
-      label: hgb
-        ? (de ? '- Personalaufwand' : '- Personnel Expenses')
-        : (de ? '- Personnel' : '- Personnel'),
-      key: 'personnel' as keyof AnnualRow,
-      monthKey: 'personnel' as keyof MonthlyRow,
-      isNegative: true,
-    },
-    {
-      label: hgb
-        ? (de ? '- Vertrieb & Marketing' : '- Sales & Marketing')
-        : (de ? '- Sales & Marketing' : '- Sales & Marketing'),
-      key: 'marketing' as keyof AnnualRow,
-      monthKey: 'marketing' as keyof MonthlyRow,
-      isNegative: true,
-    },
-    {
-      label: hgb
-        ? (de ? '- sonstige betriebl. Aufwendungen' : '- Other Operating Expenses')
-        : (de ? '- Infrastructure' : '- Infrastructure'),
-      key: 'infra' as keyof AnnualRow,
-      monthKey: 'infra' as keyof MonthlyRow,
-      isNegative: true,
-    },
-    {
-      label: hgb
-        ? (de ? '= Betriebsaufwand gesamt' : '= Total Operating Expenses')
-        : (de ? '= Total OpEx' : '= Total OpEx'),
-      key: 'totalOpex' as keyof AnnualRow,
-      monthKey: 'totalCosts' as keyof MonthlyRow,
-      isBold: true,
-      isSeparator: true,
-      isNegative: true,
-    },
-    {
-      label: hgb
-        ? (de ? 'Betriebsergebnis (EBITDA)' : 'Operating Result (EBITDA)')
-        : 'EBITDA',
-      key: 'ebitda' as keyof AnnualRow,
-      monthKey: 'ebitda' as keyof MonthlyRow,
-      isBold: true,
-      isSeparator: true,
-    },
-    {
-      label: hgb
-        ? (de ? '  EBITDA-Marge' : '  EBITDA Margin')
-        : (de ? '  EBITDA Margin' : '  EBITDA Margin'),
-      key: 'ebitdaMarginPct' as keyof AnnualRow,
-      monthKey: 'ebitdaMarginPct' as keyof MonthlyRow,
-      isPercent: true,
-    },
-    {
-      label: hgb
-        ? (de ? 'Kunden (Stichtag)' : 'Customers (Reporting Date)')
-        : (de ? 'Kunden (Jahresende)' : 'Customers (Year End)'),
-      key: 'customers' as keyof AnnualRow,
-      monthKey: 'customers' as keyof MonthlyRow,
-    },
-    {
-      label: hgb
-        ? (de ? 'Mitarbeiter (VZAe)' : 'Employees (FTE)')
-        : (de ? 'Mitarbeiter' : 'Employees'),
-      key: 'employees' as keyof AnnualRow,
-      monthKey: 'employees' as keyof MonthlyRow,
-    },
-  ]
-}
-
-function AnnualTable({
-  rows,
-  lang,
-  expandedYear,
-  onToggleYear,
-  monthlyData,
-  isFullscreen,
-  standard,
-}: {
-  rows: AnnualRow[]
-  lang: 'de' | 'en'
-  expandedYear: number | null
-  onToggleYear: (year: number) => void
-  monthlyData: Map<number, MonthlyRow[]>
-  isFullscreen: boolean
-  standard: AccountingStandard
-}) {
-  const de = lang === 'de'
-  const monthNames = de ? MONTH_NAMES_DE : MONTH_NAMES_EN
-  const lineItems = getLineItems(lang, standard)
-
-  const monthlyExtraItems: { label: string; key: keyof MonthlyRow; isBold?: boolean }[] = isFullscreen ? [
-    { label: 'MRR', key: 'mrr', isBold: true },
-    { label: de ? 'Cash-Bestand' : 'Cash Balance', key: 'cashBalance', isBold: true },
-  ] : []
-
-  const textSize = isFullscreen ? 'text-xs' : 'text-[11px]'
-  const minColWidth = isFullscreen ? 'min-w-[70px]' : 'min-w-[80px]'
-
-  return (
-    <table className={`w-full ${textSize}`}>
-      <thead>
-        <tr className="border-b border-white/10">
-          <th className={`text-left py-2 pr-4 text-white/40 font-medium ${isFullscreen ? 'min-w-[220px]' : 'min-w-[180px]'}`}>
-            {standard === 'hgb'
-              ? (de ? 'GuV-Position (HGB)' : 'P&L Line Item (HGB)')
-              : (de ? 'GuV-Position (US GAAP)' : 'P&L Line Item (US GAAP)')
-            }
-          </th>
-          {rows.map(r => (
-            <th
-              key={r.year}
-              className={`text-right py-2 px-2 text-white/50 font-semibold ${minColWidth} cursor-pointer hover:text-indigo-400 transition-colors`}
-              onClick={() => onToggleYear(r.year)}
-              title={de ? 'Klicken fuer Monatsdetails' : 'Click for monthly details'}
-            >
-              <span className="inline-flex items-center gap-1">
-                {expandedYear === r.year ? (
-                  <ChevronDown className="w-3 h-3" />
-                ) : (
-                  <ChevronRight className="w-3 h-3 opacity-30" />
-                )}
-                {r.year}
-              </span>
-            </th>
-          ))}
-        </tr>
-      </thead>
-      <tbody>
-        {lineItems.map((item) => (
-          <tr
-            key={item.key}
-            className={item.isSeparator ? 'border-t border-white/10' : ''}
-          >
-            <td className={`py-1.5 pr-4 ${item.isBold ? 'text-white font-semibold' : 'text-white/50'} ${item.isPercent ? 'italic text-white/30' : ''}`}>
-              {item.label}
-            </td>
-            {rows.map(r => {
-              const val = r[item.key] as number
-              return (
-                <td
-                  key={r.year}
-                  className={`text-right py-1.5 px-2 font-mono
-                    ${item.isBold ? 'font-semibold' : ''}
-                    ${item.isPercent ? 'text-white/30 italic' : ''}
-                    ${!item.isPercent && val < 0 ? 'text-red-400/80' : ''}
-                    ${!item.isPercent && val > 0 && item.key === 'ebitda' ? 'text-emerald-400' : ''}
-                    ${!item.isPercent && !item.isBold ? 'text-white/60' : 'text-white'}
-                  `}
-                >
-                  {item.isPercent
-                    ? `${val.toFixed(1)}%`
-                    : (item.isNegative && val > 0 ? '-' : '') + fmt(Math.abs(val))
-                  }
-                </td>
-              )
-            })}
-          </tr>
-        ))}
-      </tbody>
-
-      {/* Monthly Drill-Down */}
-      {expandedYear && monthlyData.has(expandedYear) && (
-        <tbody>
-          <tr>
-            <td colSpan={rows.length + 1} className="pt-4 pb-1">
-              <div className="border-t border-indigo-500/30 pt-3">
-                <p className="text-xs font-semibold text-indigo-400 mb-2">
-                  {de ? `Monatsdetails ${expandedYear}` : `Monthly Details ${expandedYear}`}
-                </p>
-              </div>
-            </td>
-          </tr>
-          <tr className="border-b border-white/10">
-            <td className="text-left py-1 pr-4 text-white/40 font-medium text-[10px]">
-              {de ? 'Monat' : 'Month'}
-            </td>
-            {monthlyData.get(expandedYear)!.map(m => (
-              <td key={m.monthInYear} className="text-right py-1 px-1 text-white/40 font-medium text-[10px]">
-                {monthNames[m.monthInYear - 1]}
-              </td>
-            ))}
-          </tr>
-          {lineItems.map((item) => {
-            const mKey = item.monthKey
-            if (!mKey) return null
-            return (
-              <tr key={`monthly-${item.key}`} className={item.isSeparator ? 'border-t border-white/5' : ''}>
-                <td className={`py-1 pr-4 text-[10px] ${item.isBold ? 'text-white/70 font-medium' : 'text-white/30'} ${item.isPercent ? 'italic' : ''}`}>
-                  {item.label}
-                </td>
-                {monthlyData.get(expandedYear)!.map(m => {
-                  const val = m[mKey] as number
-                  return (
-                    <td
-                      key={m.monthInYear}
-                      className={`text-right py-1 px-1 font-mono text-[10px]
-                        ${item.isPercent ? 'text-white/20 italic' : ''}
-                        ${!item.isPercent && val < 0 ? 'text-red-400/60' : ''}
-                        ${!item.isPercent && val > 0 && item.key === 'ebitda' ? 'text-emerald-400/70' : ''}
-                        ${!item.isPercent ? 'text-white/40' : ''}
-                      `}
-                    >
-                      {item.isPercent
-                        ? `${val.toFixed(0)}%`
-                        : (item.isNegative && val > 0 ? '-' : '') + fmtMonth(Math.abs(val))
-                      }
-                    </td>
-                  )
-                })}
-              </tr>
-            )
-          })}
-          {monthlyExtraItems.map((item) => (
-            <tr key={`monthly-extra-${item.key}`} className="border-t border-white/5">
-              <td className="py-1 pr-4 text-[10px] text-indigo-300/70 font-medium">{item.label}</td>
-              {monthlyData.get(expandedYear)!.map(m => {
-                const val = m[item.key] as number
-                return (
-                  <td key={m.monthInYear} className="text-right py-1 px-1 font-mono text-[10px] text-indigo-300/50">
-                    {fmtMonth(Math.round(val))}
-                  </td>
-                )
-              })}
-            </tr>
-          ))}
-        </tbody>
-      )}
-    </table>
-  )
-}
-
-function FullscreenOverlay({
-  children,
-  onClose,
-  lang,
-  standard,
-  onStandardChange,
-}: {
-  children: React.ReactNode
-  onClose: () => void
-  lang: 'de' | 'en'
-  standard: AccountingStandard
-  onStandardChange: (s: AccountingStandard) => void
-}) {
-  const de = lang === 'de'
-
-  // ESC to close
-  useEffect(() => {
-    const handler = (e: KeyboardEvent) => {
-      if (e.key === 'Escape') onClose()
-    }
-    window.addEventListener('keydown', handler)
-    return () => window.removeEventListener('keydown', handler)
-  }, [onClose])
-
-  return (
-    <div className="fixed inset-0 z-[9999] bg-slate-950/98 backdrop-blur-xl overflow-auto p-6">
-      <div className="max-w-[1400px] mx-auto">
-        <div className="flex items-center justify-between mb-4">
-          <div>
-            <h2 className="text-xl font-bold text-white">
-              {de ? 'Gewinn- und Verlustrechnung' : 'Profit & Loss Statement'}
-            </h2>
-            <p className="text-xs text-white/40">
-              {de
-                ? 'Klicke auf ein Jahr um die Monatsdetails zu sehen · ESC zum Schliessen'
-                : 'Click on a year to see monthly details · ESC to close'}
-            </p>
-          </div>
-          <div className="flex items-center gap-3">
-            {/* HGB / US GAAP Toggle */}
-            <div className="flex items-center bg-white/[0.06] border border-white/10 rounded-xl overflow-hidden">
-              <button
-                onClick={() => onStandardChange('hgb')}
-                className={`px-3 py-1.5 text-xs font-medium transition-all ${
-                  standard === 'hgb'
-                    ? 'bg-indigo-500/20 text-indigo-300'
-                    : 'text-white/40 hover:text-white/60'
-                }`}
-              >
-                HGB
-              </button>
-              <button
-                onClick={() => onStandardChange('usgaap')}
-                className={`px-3 py-1.5 text-xs font-medium transition-all ${
-                  standard === 'usgaap'
-                    ? 'bg-indigo-500/20 text-indigo-300'
-                    : 'text-white/40 hover:text-white/60'
-                }`}
-              >
-                US GAAP
-              </button>
-            </div>
-            <button
-              onClick={onClose}
-              className="flex items-center gap-2 px-3 py-2 bg-white/[0.08] hover:bg-white/[0.12] border border-white/10 rounded-xl text-sm text-white/70 hover:text-white transition-all"
-            >
-              <Minimize2 className="w-4 h-4" />
-              {de ? 'Schliessen' : 'Close'}
-            </button>
-          </div>
-        </div>
-        <div className="bg-white/[0.03] border border-white/10 rounded-2xl p-6 overflow-x-auto">
-          {children}
-        </div>
-      </div>
-    </div>
-  )
-}
+import {
+  AnnualPLTableProps,
+  AnnualRow,
+  MonthlyRow,
+  AccountingStandard,
+} from './AnnualPLTable.types'
+import { AnnualTable, FullscreenOverlay } from './AnnualPLTable.parts'
 
 export default function AnnualPLTable({ results, lang }: AnnualPLTableProps) {
   const [isFullscreen, setIsFullscreen] = useState(false)
diff --git a/pitch-deck/components/ui/AnnualPLTable.types.ts b/pitch-deck/components/ui/AnnualPLTable.types.ts
new file mode 100644
index 0000000..3f1099f
--- /dev/null
+++ b/pitch-deck/components/ui/AnnualPLTable.types.ts
@@ -0,0 +1,172 @@
+import { FMResult } from '@/lib/types'
+
+export interface AnnualPLTableProps {
+  results: FMResult[]
+  lang: 'de' | 'en'
+}
+
+export type AccountingStandard = 'hgb' | 'usgaap'
+
+export interface AnnualRow {
+  year: number
+  revenue: number
+  cogs: number
+  grossProfit: number
+  grossMarginPct: number
+  personnel: number
+  marketing: number
+  infra: number
+  totalOpex: number
+  ebitda: number
+  ebitdaMarginPct: number
+  customers: number
+  employees: number
+}
+
+export interface MonthlyRow {
+  month: number
+  monthInYear: number
+  revenue: number
+  cogs: number
+  grossProfit: number
+  grossMarginPct: number
+  personnel: number
+  marketing: number
+  infra: number
+  totalCosts: number
+  ebitda: number
+  ebitdaMarginPct: number
+  customers: number
+  employees: number
+  mrr: number
+  cashBalance: number
+}
+
+export interface LineItem {
+  label: string
+  key: keyof AnnualRow
+  monthKey: keyof MonthlyRow
+  isBold?: boolean
+  isNegative?: boolean
+  isSeparator?: boolean
+  isPercent?: boolean
+}
+
+export function fmt(v: number): string {
+  if (Math.abs(v) >= 1_000_000) return `${(v / 1_000_000).toFixed(1)}M`
+  if (Math.abs(v) >= 1_000) return `${(v / 1_000).toFixed(0)}k`
+  return Math.round(v).toLocaleString('de-DE')
+}
+
+export function fmtMonth(v: number): string {
+  return Math.round(v).toLocaleString('de-DE')
+}
+
+export const MONTH_NAMES_DE = ['Jan', 'Feb', 'Mär', 'Apr', 'Mai', 'Jun', 'Jul', 'Aug', 'Sep', 'Okt', 'Nov', 'Dez']
+export const MONTH_NAMES_EN = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec']
+
+export function getLineItems(lang: 'de' | 'en', standard: AccountingStandard): LineItem[] {
+  const de = lang === 'de'
+  const hgb = standard === 'hgb'
+
+  return [
+    {
+      label: hgb
+        ? (de ? 'Umsatzerloese' : 'Revenue (Umsatzerloese)')
+        : (de ? 'Revenue' : 'Revenue'),
+      key: 'revenue' as keyof AnnualRow,
+      monthKey: 'revenue' as keyof MonthlyRow,
+      isBold: true,
+    },
+    {
+      label: hgb
+        ? (de ? '- Herstellungskosten' : '- Cost of Production')
+        : (de ? '- COGS' : '- Cost of Goods Sold'),
+      key: 'cogs' as keyof AnnualRow,
+      monthKey: 'cogs' as keyof MonthlyRow,
+      isNegative: true,
+    },
+    {
+      label: hgb
+        ? (de ? '= Rohertrag' : '= Gross Profit')
+        : (de ? '= Gross Profit' : '= Gross Profit'),
+      key: 'grossProfit' as keyof AnnualRow,
+      monthKey: 'grossProfit' as keyof MonthlyRow,
+      isBold: true,
+      isSeparator: true,
+    },
+    {
+      label: hgb
+        ? (de ? '  Rohertragsmarge' : '  Gross Margin')
+        : (de ? '  Gross Margin' : '  Gross Margin'),
+      key: 'grossMarginPct' as keyof AnnualRow,
+      monthKey: 'grossMarginPct' as keyof MonthlyRow,
+      isPercent: true,
+    },
+    {
+      label: hgb
+        ? (de ? '- Personalaufwand' : '- Personnel Expenses')
+        : (de ? '- Personnel' : '- Personnel'),
+      key: 'personnel' as keyof AnnualRow,
+      monthKey: 'personnel' as keyof MonthlyRow,
+      isNegative: true,
+    },
+    {
+      label: hgb
+        ? (de ? '- Vertrieb & Marketing' : '- Sales & Marketing')
+        : (de ? '- Sales & Marketing' : '- Sales & Marketing'),
+      key: 'marketing' as keyof AnnualRow,
+      monthKey: 'marketing' as keyof MonthlyRow,
+      isNegative: true,
+    },
+    {
+      label: hgb
+        ? (de ? '- sonstige betriebl. Aufwendungen' : '- Other Operating Expenses')
+        : (de ? '- Infrastructure' : '- Infrastructure'),
+      key: 'infra' as keyof AnnualRow,
+      monthKey: 'infra' as keyof MonthlyRow,
+      isNegative: true,
+    },
+    {
+      label: hgb
+        ? (de ? '= Betriebsaufwand gesamt' : '= Total Operating Expenses')
+        : (de ? '= Total OpEx' : '= Total OpEx'),
+      key: 'totalOpex' as keyof AnnualRow,
+      monthKey: 'totalCosts' as keyof MonthlyRow,
+      isBold: true,
+      isSeparator: true,
+      isNegative: true,
+    },
+    {
+      label: hgb
+        ? (de ? 'Betriebsergebnis (EBITDA)' : 'Operating Result (EBITDA)')
+        : 'EBITDA',
+      key: 'ebitda' as keyof AnnualRow,
+      monthKey: 'ebitda' as keyof MonthlyRow,
+      isBold: true,
+      isSeparator: true,
+    },
+    {
+      label: hgb
+        ? (de ? '  EBITDA-Marge' : '  EBITDA Margin')
+        : (de ? '  EBITDA Margin' : '  EBITDA Margin'),
+      key: 'ebitdaMarginPct' as keyof AnnualRow,
+      monthKey: 'ebitdaMarginPct' as keyof MonthlyRow,
+      isPercent: true,
+    },
+    {
+      label: hgb
+        ? (de ? 'Kunden (Stichtag)' : 'Customers (Reporting Date)')
+        : (de ? 'Kunden (Jahresende)' : 'Customers (Year End)'),
+      key: 'customers' as keyof AnnualRow,
+      monthKey: 'customers' as keyof MonthlyRow,
+    },
+    {
+      label: hgb
+        ? (de ? 'Mitarbeiter (VZAe)' : 'Employees (FTE)')
+        : (de ? 'Mitarbeiter' : 'Employees'),
+      key: 'employees' as keyof AnnualRow,
+      monthKey: 'employees' as keyof MonthlyRow,
+    },
+  ]
+}
diff --git a/pitch-deck/lib/finanzplan/engine-betrieb.ts b/pitch-deck/lib/finanzplan/engine-betrieb.ts
new file mode 100644
index 0000000..8b51af8
--- /dev/null
+++ b/pitch-deck/lib/finanzplan/engine-betrieb.ts
@@ -0,0 +1,160 @@
+/**
+ * Betriebliche Aufwendungen — formula-based rows + category sums
+ *
+ * Computes formula-driven operating expenses (Fortbildung, Reisekosten, etc.),
+ * Gewerbesteuer, category sums, and Gesamtkosten.
+ */
+
+import { Pool } from 'pg'
+import {
+  MonthlyValues, MONTHS, FOUNDING_MONTH,
+  emptyMonthly,
+  FPBetrieblicheAufwendungen,
+} from './types'
+import { sumRows } from './engine-sheets'
+
+export interface BetriebContext {
+  totalBrutto: MonthlyValues
+  totalPersonal: MonthlyValues
+  totalAfa: MonthlyValues
+  totalRevenue: MonthlyValues
+  totalMaterial: MonthlyValues
+  headcount: MonthlyValues
+  totalBestandskunden: MonthlyValues
+}
+
+/**
+ * Compute all formula-based betriebliche aufwendungen rows and sums.
+ * Writes computed values back to DB.
+ */
+export async function computeBetrieblicheAufwendungen(
+  pool: Pool,
+  betrieb: FPBetrieblicheAufwendungen[],
+  ctx: BetriebContext,
+): Promise<{ totalSonstige: MonthlyValues; totalGesamt: MonthlyValues }> {
+  const NUM_FOUNDERS = 2
+  const hcWithoutFounders = emptyMonthly()
+  for (let m = 1; m <= MONTHS; m++) {
+    hcWithoutFounders[`m${m}`] = Math.max(0, ctx.headcount[`m${m}`] - NUM_FOUNDERS)
+  }
+
+  // Formula-based rows: derive from headcount (excl. founders) or customers
+  const formulaRows: { label: string; perUnit: number; source: MonthlyValues }[] = [
+    { label: 'Fort-/Weiterbildungskosten (F)', perUnit: 300, source: hcWithoutFounders },
+    { label: 'Reisekosten (F)', perUnit: 75, source: ctx.headcount },
+    { label: 'Bewirtungskosten (F)', perUnit: 50, source: ctx.totalBestandskunden },
+    { label: 'Internet/Mobilfunk (F)', perUnit: 50, source: ctx.headcount },
+  ]
+
+  for (const fr of formulaRows) {
+    const row = betrieb.find(r => r.row_label === fr.label)
+    if (row) {
+      const computed = emptyMonthly()
+      for (let m = FOUNDING_MONTH; m <= MONTHS; m++) {
+        computed[`m${m}`] = Math.round((fr.source[`m${m}`] || 0) * fr.perUnit)
+      }
+      await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(computed), row.id])
+      row.values = computed
+    }
+  }
+
+  // Berufsgenossenschaft (VBG IT/Büro): ~0.5% of total brutto payroll
+  const bgRow = betrieb.find(r => r.row_label.includes('Berufsgenossenschaft'))
+  if (bgRow) {
+    const computed = emptyMonthly()
+    for (let m = FOUNDING_MONTH; m <= MONTHS; m++) {
+      computed[`m${m}`] = Math.round((ctx.totalBrutto[`m${m}`] || 0) * 0.005)
+    }
+    await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(computed), bgRow.id])
+    bgRow.values = computed
+  }
+
+  // Allgemeine Marketingkosten: 8% of revenue (2026-2028), 10% from 2029
+  const marketingRow = betrieb.find(r => r.row_label.includes('Allgemeine Marketingkosten'))
+  if (marketingRow) {
+    const computed = emptyMonthly()
+    for (let m = FOUNDING_MONTH; m <= MONTHS; m++) {
+      const rate = m <= 36 ? 0.08 : 0.10 // m36 = Dec 2028
+      computed[`m${m}`] = Math.round((ctx.totalRevenue[`m${m}`] || 0) * rate)
+    }
+    await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(computed), marketingRow.id])
+    marketingRow.values = computed
+  }
+
+  // Update Personalkosten row
+  const persBetrieb = betrieb.find(r => r.row_label === 'Personalkosten')
+  if (persBetrieb) {
+    await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(ctx.totalPersonal), persBetrieb.id])
+    persBetrieb.values = ctx.totalPersonal
+  }
+  // Update Abschreibungen row
+  const abrBetrieb = betrieb.find(r => r.row_label === 'Abschreibungen')
+  if (abrBetrieb) {
+    await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(ctx.totalAfa), abrBetrieb.id])
+    abrBetrieb.values = ctx.totalAfa
+  }
+
+  // Gewerbesteuer (F): 12.25% of monthly profit (only when positive)
+  const gewStRow = betrieb.find(r => r.row_label.includes('Gewerbesteuer'))
+  if (gewStRow) {
+    const nonTaxOpex = betrieb.filter(r =>
+      r.category !== 'steuern' && r.category !== 'personal' && r.category !== 'abschreibungen' &&
+      !r.is_sum_row && !r.row_label.includes('Summe') && !r.row_label.includes('SUMME')
+    )
+    const computed = emptyMonthly()
+    for (let m = FOUNDING_MONTH; m <= MONTHS; m++) {
+      const rev = ctx.totalRevenue[`m${m}`] || 0
+      const mat = ctx.totalMaterial[`m${m}`] || 0
+      const pers = ctx.totalPersonal[`m${m}`] || 0
+      const afa = ctx.totalAfa[`m${m}`] || 0
+      let opex = 0
+      for (const r of nonTaxOpex) { opex += r.values[`m${m}`] || 0 }
+      const profit = rev - mat - pers - afa - opex
+      computed[`m${m}`] = profit > 0 ? Math.round(profit * 0.1225) : 0
+    }
+    await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(computed), gewStRow.id])
+    gewStRow.values = computed
+  }
+
+  // Compute category sums
+  const categories = ['steuern', 'versicherungen', 'besondere', 'marketing', 'sonstige']
+  for (const cat of categories) {
+    const sumRow = betrieb.find(r => r.category === cat && r.is_sum_row)
+    const detailRows = betrieb.filter(r => r.category === cat && !r.is_sum_row)
+    if (sumRow && detailRows.length > 0) {
+      const s = sumRows(detailRows)
+      await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(s), sumRow.id])
+      sumRow.values = s
+    }
+  }
+
+  // Summe sonstige (ohne Personal, Abschreibungen)
+  const sonstSumme = betrieb.find(r => r.row_label.includes('Summe sonstige'))
+  if (sonstSumme) {
+    const nonPersonNonAbr = betrieb.filter(r =>
+      r.row_label !== 'Personalkosten' && r.row_label !== 'Abschreibungen' &&
+      !r.row_label.includes('Summe sonstige') && !r.row_label.includes('Gesamtkosten') &&
+      !r.is_sum_row && r.category !== 'personal' && r.category !== 'abschreibungen'
+    )
+    const s = sumRows(nonPersonNonAbr)
+    await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(s), sonstSumme.id])
+    sonstSumme.values = s
+  }
+
+  // Gesamtkosten
+  const gesamtBetrieb = betrieb.find(r => r.row_label.includes('Gesamtkosten') || r.row_label.includes('SUMME Betriebliche'))
+  const totalSonstige = sonstSumme?.values || emptyMonthly()
+  if (gesamtBetrieb) {
+    const g = emptyMonthly()
+    for (let m = 1; m <= MONTHS; m++) {
+      g[`m${m}`] = (ctx.totalPersonal[`m${m}`] || 0) + (ctx.totalAfa[`m${m}`] || 0) + (totalSonstige[`m${m}`] || 0)
+    }
+    await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(g), gesamtBetrieb.id])
+    gesamtBetrieb.values = g
+  }
+
+  return {
+    totalSonstige,
+    totalGesamt: gesamtBetrieb?.values || emptyMonthly(),
+  }
+}
diff --git a/pitch-deck/lib/finanzplan/engine-guv.ts b/pitch-deck/lib/finanzplan/engine-guv.ts
new file mode 100644
index 0000000..4910636
--- /dev/null
+++ b/pitch-deck/lib/finanzplan/engine-guv.ts
@@ -0,0 +1,166 @@
+/**
+ * GuV (Gewinn- und Verlustrechnung) — annual P&L computation
+ *
+ * Computes annual sums, EBIT, taxes (Gewerbesteuer, Körperschaftsteuer)
+ * with Verlustvortrag, and writes tax amounts back to Liquidität.
+ */
+
+import { Pool } from 'pg'
+import {
+  MonthlyValues, AnnualValues, MONTHS,
+  emptyMonthly, annualSums,
+  FPLiquiditaet,
+} from './types'
+
+export interface GuvContext {
+  totalRevenue: MonthlyValues
+  totalMaterial: MonthlyValues
+  totalBrutto: MonthlyValues
+  totalSozial: MonthlyValues
+  totalPersonal: MonthlyValues
+  totalAfa: MonthlyValues
+  totalSonstige: MonthlyValues
+}
+
+/**
+ * Compute GuV annual values, taxes, and write tax values to Liquidität.
+ * Returns EBIT annual values.
+ */
+export async function computeGuV(
+  pool: Pool,
+  scenarioId: string,
+  liquid: FPLiquiditaet[],
+  ctx: GuvContext,
+): Promise<AnnualValues[]> {
+  const findLiq = (label: string) => liquid.find(r => r.row_label === label)
+
+  const umsatzAnnual = annualSums(ctx.totalRevenue)
+  const materialAnnual = annualSums(ctx.totalMaterial)
+  const personalBruttoAnnual = annualSums(ctx.totalBrutto)
+  const personalSozialAnnual = annualSums(ctx.totalSozial)
+  const personalAnnual = annualSums(ctx.totalPersonal)
+  const afaAnnual = annualSums(ctx.totalAfa)
+  const sonstigeAnnual = annualSums(ctx.totalSonstige)
+
+  // Rohergebnis = Gesamtleistung - Materialaufwand
+  const rohergebnis: AnnualValues = {}
+  for (let y = 2026; y <= 2030; y++) {
+    const k = `y${y}`
+    rohergebnis[k] = Math.round((umsatzAnnual[k] || 0) - (materialAnnual[k] || 0))
+  }
+
+  const guvUpdates: { label: string; values: AnnualValues }[] = [
+    { label: 'Umsatzerlöse', values: umsatzAnnual },
+    { label: 'Gesamtleistung', values: umsatzAnnual },
+    { label: 'Summe Materialaufwand', values: materialAnnual },
+    { label: 'Rohergebnis', values: rohergebnis },
+    { label: 'Löhne und Gehälter', values: personalBruttoAnnual },
+    { label: 'Soziale Abgaben', values: personalSozialAnnual },
+    { label: 'Summe Personalaufwand', values: personalAnnual },
+    { label: 'Abschreibungen', values: afaAnnual },
+    { label: 'Sonst. betriebl. Aufwendungen', values: sonstigeAnnual },
+  ]
+
+  for (const { label, values } of guvUpdates) {
+    await pool.query(
+      'UPDATE fp_guv SET values = $1 WHERE scenario_id = $2 AND row_label = $3',
+      [JSON.stringify(values), scenarioId, label]
+    )
+  }
+
+  // EBIT (Betriebsergebnis)
+  const ebit: AnnualValues = {}
+  for (let y = 2026; y <= 2030; y++) {
+    const k = `y${y}`
+    ebit[k] = Math.round((umsatzAnnual[k] || 0) - (materialAnnual[k] || 0) - (personalAnnual[k] || 0) - (afaAnnual[k] || 0) - (sonstigeAnnual[k] || 0))
+  }
+  await pool.query('UPDATE fp_guv SET values = $1 WHERE scenario_id = $2 AND row_label = $3', [JSON.stringify(ebit), scenarioId, 'EBIT'])
+
+  // Tax computation with Verlustvortrag
+  const { gewerbesteuer, koerperschaftsteuer, steuernGesamt, ergebnisNachSteuern } = computeTaxes(ebit)
+
+  await pool.query('UPDATE fp_guv SET values = $1 WHERE scenario_id = $2 AND row_label = $3', [JSON.stringify(gewerbesteuer), scenarioId, 'Gewerbesteuer'])
+  await pool.query('UPDATE fp_guv SET values = $1 WHERE scenario_id = $2 AND row_label = $3', [JSON.stringify(koerperschaftsteuer), scenarioId, 'Körperschaftssteuer'])
+  await pool.query('UPDATE fp_guv SET values = $1 WHERE scenario_id = $2 AND row_label = $3', [JSON.stringify(steuernGesamt), scenarioId, 'Steuern gesamt'])
+  await pool.query('UPDATE fp_guv SET values = $1 WHERE scenario_id = $2 AND row_label = $3', [JSON.stringify(ergebnisNachSteuern), scenarioId, 'Ergebnis nach Steuern'])
+  await pool.query('UPDATE fp_guv SET values = $1 WHERE scenario_id = $2 AND row_label = $3', [JSON.stringify(ergebnisNachSteuern), scenarioId, 'Jahresüberschuss'])
+
+  // Write taxes to Liquidität (monthly = 1/12 of annual amount)
+  await writeTaxToLiquiditaet(pool, findLiq('Gewerbesteuer'), gewerbesteuer)
+  await writeTaxToLiquiditaet(pool, findLiq('Körperschaftsteuer'), koerperschaftsteuer)
+
+  return [ebit]
+}
+
+// --- Tax helpers ---
+
+// Stockach 78333: Hebesatz 350%
+// Gewerbesteuer = 3,5% × 3,5 = 12,25%
+// Körperschaftsteuer = 15% + 5,5% Soli = 15,825%
+const GEWERBESTEUER_RATE = 0.035 * 3.5   // 12,25%
+const KOERPERSCHAFTSTEUER_RATE = 0.15 * 1.055  // 15,825% (inkl. Soli)
+
+function computeTaxes(ebit: AnnualValues) {
+  const gewerbesteuer: AnnualValues = {}
+  const koerperschaftsteuer: AnnualValues = {}
+  const steuernGesamt: AnnualValues = {}
+  const ergebnisNachSteuern: AnnualValues = {}
+  let verlustvortrag = 0
+
+  for (let y = 2026; y <= 2030; y++) {
+    const k = `y${y}`
+    const gewinn = ebit[k] || 0
+
+    if (gewinn <= 0) {
+      verlustvortrag += Math.abs(gewinn)
+      gewerbesteuer[k] = 0
+      koerperschaftsteuer[k] = 0
+      steuernGesamt[k] = 0
+      ergebnisNachSteuern[k] = Math.round(gewinn)
+    } else {
+      // Bis 1 Mio EUR: 100% verrechenbar
+      // Über 1 Mio EUR: nur 60% verrechenbar (Mindestbesteuerung)
+      let verrechenbar = 0
+      if (verlustvortrag > 0) {
+        if (gewinn <= 1000000) {
+          verrechenbar = Math.min(verlustvortrag, gewinn)
+        } else {
+          verrechenbar = Math.min(verlustvortrag, 1000000 + (gewinn - 1000000) * 0.6)
+        }
+        verlustvortrag -= verrechenbar
+      }
+
+      const zuVersteuern = Math.max(0, gewinn - verrechenbar)
+      const gst = Math.round(zuVersteuern * GEWERBESTEUER_RATE)
+      const kst = Math.round(zuVersteuern * KOERPERSCHAFTSTEUER_RATE)
+
+      gewerbesteuer[k] = gst
+      koerperschaftsteuer[k] = kst
+      steuernGesamt[k] = gst + kst
+      ergebnisNachSteuern[k] = Math.round(gewinn - gst - kst)
+    }
+  }
+
+  return { gewerbesteuer, koerperschaftsteuer, steuernGesamt, ergebnisNachSteuern }
+}
+
+async function writeTaxToLiquiditaet(
+  pool: Pool,
+  liqRow: FPLiquiditaet | undefined,
+  annualTax: AnnualValues,
+): Promise<void> {
+  if (!liqRow) return
+  const v = emptyMonthly()
+  for (let y = 2026; y <= 2030; y++) {
+    const jahresBetrag = annualTax[`y${y}`] || 0
+    if (jahresBetrag > 0) {
+      const monatlich = Math.round(jahresBetrag / 12)
+      const startM = (y - 2026) * 12 + 1
+      for (let m = startM; m <= startM + 11 && m <= MONTHS; m++) {
+        v[`m${m}`] = monatlich
+      }
+    }
+  }
+  await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(v), liqRow.id])
+  liqRow.values = v
+}
diff --git a/pitch-deck/lib/finanzplan/engine-liquiditaet.ts b/pitch-deck/lib/finanzplan/engine-liquiditaet.ts
new file mode 100644
index 0000000..0e23d95
--- /dev/null
+++ b/pitch-deck/lib/finanzplan/engine-liquiditaet.ts
@@ -0,0 +1,154 @@
+/**
+ * Liquiditaet — rolling cash balance computation
+ *
+ * Computes operative Einzahlungen/Auszahlungen sums,
+ * Überschuss vor Investitionen/Entnahmen, and rolling Kontostand.
+ */
+
+import { Pool } from 'pg'
+import {
+  MonthlyValues, MONTHS,
+  emptyMonthly,
+  FPLiquiditaet,
+} from './types'
+
+export interface LiquiditaetContext {
+  totalRevenue: MonthlyValues
+  totalMaterial: MonthlyValues
+  totalPersonal: MonthlyValues
+  totalSonstige: MonthlyValues
+  totalInvest: MonthlyValues
+}
+
+/**
+ * Compute all liquidity rows and rolling balance.
+ * Writes computed values back to DB.
+ */
+export async function computeLiquiditaet(
+  pool: Pool,
+  liquid: FPLiquiditaet[],
+  ctx: LiquiditaetContext,
+): Promise<{ endstand: MonthlyValues }> {
+  const findLiq = (label: string) => liquid.find(r => r.row_label === label)
+
+  // Computed rows — link to computed totals
+  const liqUmsatz = findLiq('Umsatzerlöse')
+  if (liqUmsatz) {
+    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(ctx.totalRevenue), liqUmsatz.id])
+    liqUmsatz.values = ctx.totalRevenue
+  }
+  const liqMaterial = findLiq('Materialaufwand')
+  if (liqMaterial) {
+    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(ctx.totalMaterial), liqMaterial.id])
+    liqMaterial.values = ctx.totalMaterial
+  }
+  const liqPersonal = findLiq('Personalkosten')
+  if (liqPersonal) {
+    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(ctx.totalPersonal), liqPersonal.id])
+    liqPersonal.values = ctx.totalPersonal
+  }
+  const liqSonstige = findLiq('Sonstige Kosten')
+  if (liqSonstige) {
+    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(ctx.totalSonstige), liqSonstige.id])
+    liqSonstige.values = ctx.totalSonstige
+  }
+  const liqInvest = findLiq('Investitionen')
+  if (liqInvest) {
+    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(ctx.totalInvest), liqInvest.id])
+    liqInvest.values = ctx.totalInvest
+  }
+
+  // Compute sums and rolling balance
+  const sumEin = findLiq('Summe EINZAHLUNGEN')
+  const sumAus = findLiq('Summe AUSZAHLUNGEN')
+  const uebVorInv = findLiq('ÜBERSCHUSS VOR INVESTITIONEN')
+  const uebVorEnt = findLiq('ÜBERSCHUSS VOR ENTNAHMEN')
+  const ueberschuss = findLiq('ÜBERSCHUSS')
+  const kontostand = findLiq('Kontostand zu Beginn des Monats')
+  const liquiditaet = findLiq('LIQUIDITÄT')
+
+  // Dynamically categorize rows by row_type
+  const einzahlungenOperativ = ['Umsatzerlöse', 'Sonst. betriebl. Erträge', 'Anzahlungen']
+  const finanzierungRows = liquid.filter(r =>
+    r.row_type === 'einzahlung' &&
+    !einzahlungenOperativ.includes(r.row_label) &&
+    !r.row_label.includes('Summe')
+  )
+  const auszahlungenOperativ = ['Materialaufwand', 'Personalkosten', 'Sonstige Kosten', 'Umsatzsteuer', 'Gewerbesteuer', 'Körperschaftsteuer']
+  const finanzAuszahlungRows = liquid.filter(r =>
+    r.row_type === 'auszahlung' &&
+    !auszahlungenOperativ.includes(r.row_label) &&
+    !r.row_label.includes('Summe')
+  )
+
+  // Summe EINZAHLUNGEN = nur operativ
+  if (sumEin) {
+    const s = emptyMonthly()
+    for (const label of einzahlungenOperativ) {
+      const row = findLiq(label)
+      if (row) for (let m = 1; m <= MONTHS; m++) s[`m${m}`] += Math.round(row.values[`m${m}`] || 0)
+    }
+    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(s), sumEin.id])
+    sumEin.values = s
+  }
+
+  // Summe AUSZAHLUNGEN = nur operativ
+  if (sumAus) {
+    const s = emptyMonthly()
+    for (const label of auszahlungenOperativ) {
+      const row = findLiq(label)
+      if (row) for (let m = 1; m <= MONTHS; m++) s[`m${m}`] += Math.round(row.values[`m${m}`] || 0)
+    }
+    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(s), sumAus.id])
+    sumAus.values = s
+  }
+
+  // OPERATIVER ÜBERSCHUSS VOR INVESTITIONEN
+  if (uebVorInv && sumEin && sumAus) {
+    const s = emptyMonthly()
+    for (let m = 1; m <= MONTHS; m++) s[`m${m}`] = Math.round((sumEin.values[`m${m}`] || 0) - (sumAus.values[`m${m}`] || 0))
+    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(s), uebVorInv.id])
+    uebVorInv.values = s
+  }
+
+  // ÜBERSCHUSS VOR ENTNAHMEN = Operativer Überschuss - Investitionen
+  if (uebVorEnt && uebVorInv && liqInvest) {
+    const s = emptyMonthly()
+    for (let m = 1; m <= MONTHS; m++) s[`m${m}`] = Math.round((uebVorInv.values[`m${m}`] || 0) - (liqInvest.values[`m${m}`] || 0))
+    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(s), uebVorEnt.id])
+    uebVorEnt.values = s
+  }
+
+  // ÜBERSCHUSS = Überschuss vor Entnahmen - Entnahmen
+  const entnahmen = findLiq('Kapitalentnahmen/Ausschüttungen')
+  if (ueberschuss && uebVorEnt && entnahmen) {
+    const s = emptyMonthly()
+    for (let m = 1; m <= MONTHS; m++) s[`m${m}`] = Math.round((uebVorEnt.values[`m${m}`] || 0) - (entnahmen.values[`m${m}`] || 0))
+    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(s), ueberschuss.id])
+    ueberschuss.values = s
+  }
+
+  // Rolling Kontostand: Vormonat + Operativer Überschuss + Finanzierung
+  if (kontostand && liquiditaet && ueberschuss) {
+    const finCF = emptyMonthly()
+    for (const row of finanzierungRows) {
+      for (let m = 1; m <= MONTHS; m++) finCF[`m${m}`] += Math.round(row.values[`m${m}`] || 0)
+    }
+    for (const row of finanzAuszahlungRows) {
+      for (let m = 1; m <= MONTHS; m++) finCF[`m${m}`] -= Math.round(row.values[`m${m}`] || 0)
+    }
+
+    const ks = emptyMonthly()
+    const lq = emptyMonthly()
+    for (let m = 1; m <= MONTHS; m++) {
+      ks[`m${m}`] = m === 1 ? 0 : Math.round(lq[`m${m - 1}`])
+      lq[`m${m}`] = Math.round(ks[`m${m}`] + (ueberschuss.values[`m${m}`] || 0) + (finCF[`m${m}`] || 0))
+    }
+    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(ks), kontostand.id])
+    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(lq), liquiditaet.id])
+    kontostand.values = ks
+    liquiditaet.values = lq
+  }
+
+  return { endstand: liquiditaet?.values || emptyMonthly() }
+}
diff --git a/pitch-deck/lib/finanzplan/engine-sheets.ts b/pitch-deck/lib/finanzplan/engine-sheets.ts
new file mode 100644
index 0000000..ea7ad01
--- /dev/null
+++ b/pitch-deck/lib/finanzplan/engine-sheets.ts
@@ -0,0 +1,106 @@
+/**
+ * Sheet Calculators — pure computation functions (no DB dependency)
+ *
+ * Used by the main engine to compute Personalkosten, Investitionen,
+ * and aggregate monthly values.
+ */
+
+import {
+  MonthlyValues, MONTHS, FOUNDING_MONTH,
+  emptyMonthly, dateToMonth, monthToDate,
+  FPPersonalkosten, FPInvestitionen,
+} from './types'
+
+export function computePersonalkosten(positions: FPPersonalkosten[]): FPPersonalkosten[] {
+  return positions.map(p => {
+    const brutto = emptyMonthly()
+    const sozial = emptyMonthly()
+    const total = emptyMonthly()
+
+    if (!p.start_date || !p.brutto_monthly) return { ...p, values_brutto: brutto, values_sozial: sozial, values_total: total }
+
+    const startDate = new Date(p.start_date)
+    const startM = dateToMonth(startDate.getFullYear(), startDate.getMonth() + 1)
+    const endM = p.end_date
+      ? dateToMonth(new Date(p.end_date).getFullYear(), new Date(p.end_date).getMonth() + 1)
+      : MONTHS
+
+    for (let m = Math.max(1, startM); m <= Math.min(MONTHS, endM); m++) {
+      const { year } = monthToDate(m)
+      const yearsFromStart = year - startDate.getFullYear()
+      const raise = Math.pow(1 + (p.annual_raise_pct || 0) / 100, yearsFromStart)
+      const monthlyBrutto = Math.round(p.brutto_monthly * raise)
+
+      brutto[`m${m}`] = monthlyBrutto
+      sozial[`m${m}`] = Math.round(monthlyBrutto * (p.ag_sozial_pct || 20.425) / 100)
+      total[`m${m}`] = brutto[`m${m}`] + sozial[`m${m}`]
+    }
+
+    return { ...p, values_brutto: brutto, values_sozial: sozial, values_total: total }
+  })
+}
+
+export function computeInvestitionen(items: FPInvestitionen[]): FPInvestitionen[] {
+  return items.map(item => {
+    const invest = emptyMonthly()
+    const afa = emptyMonthly()
+
+    if (!item.purchase_date || !item.purchase_amount) return { ...item, values_invest: invest, values_afa: afa }
+
+    const d = new Date(item.purchase_date)
+    const purchaseM = dateToMonth(d.getFullYear(), d.getMonth() + 1)
+
+    if (purchaseM >= 1 && purchaseM <= MONTHS) {
+      invest[`m${purchaseM}`] = item.purchase_amount
+    }
+
+    // AfA (linear depreciation)
+    if (item.afa_years && item.afa_years > 0) {
+      const afaMonths = item.afa_years * 12
+      const monthlyAfa = Math.round(item.purchase_amount / afaMonths)
+      for (let m = purchaseM; m < purchaseM + afaMonths && m <= MONTHS; m++) {
+        if (m >= 1) afa[`m${m}`] = monthlyAfa
+      }
+    } else {
+      // GWG: full depreciation in purchase month
+      if (purchaseM >= 1 && purchaseM <= MONTHS) {
+        afa[`m${purchaseM}`] = item.purchase_amount
+      }
+    }
+
+    return { ...item, values_invest: invest, values_afa: afa }
+  })
+}
+
+export function sumRows(rows: { values: MonthlyValues }[]): MonthlyValues {
+  const result = emptyMonthly()
+  for (const row of rows) {
+    for (let m = 1; m <= MONTHS; m++) {
+      result[`m${m}`] += row.values[`m${m}`] || 0
+    }
+  }
+  return result
+}
+
+export function sumField(rows: { [key: string]: MonthlyValues }[], field: string): MonthlyValues {
+  const result = emptyMonthly()
+  for (const row of rows) {
+    const v = row[field] as MonthlyValues
+    if (!v) continue
+    for (let m = 1; m <= MONTHS; m++) {
+      result[`m${m}`] += v[`m${m}`] || 0
+    }
+  }
+  return result
+}
+
+/**
+ * Compute headcount per month from personal positions.
+ */
+export function computeHeadcount(personal: FPPersonalkosten[]): MonthlyValues {
+  const headcount = emptyMonthly()
+  for (let m = 1; m <= MONTHS; m++) {
+    headcount[`m${m}`] = personal.filter(p => (p.values_total[`m${m}`] || 0) > 0).length
+  }
+  return headcount
+}
diff --git a/pitch-deck/lib/finanzplan/engine.ts b/pitch-deck/lib/finanzplan/engine.ts
index 721559b..7f530a2 100644
--- a/pitch-deck/lib/finanzplan/engine.ts
+++ b/pitch-deck/lib/finanzplan/engine.ts
@@ -1,5 +1,5 @@
 /**
- * Finanzplan Compute Engine
+ * Finanzplan Compute Engine — Orchestrator
  *
  * Dependency order:
  *   Personalkosten (independent inputs)
@@ -9,113 +9,43 @@
  *   Sonst. betr. Erträge (independent)
  *   Liquidität (aggregates all above)
  *   GuV (annual summary)
+ *
+ * Split into modules:
+ *   engine-sheets.ts    — pure calculators (no DB)
+ *   engine-betrieb.ts   — betriebliche aufwendungen
+ *   engine-liquiditaet.ts — liquidity / cash flow
+ *   engine-guv.ts       — GuV / P&L + taxes
  */
 
 import { Pool } from 'pg'
 import {
-  MonthlyValues, AnnualValues, MONTHS, FOUNDING_MONTH,
-  emptyMonthly, sumMonthly, annualSums, dateToMonth, monthToDate,
+  MonthlyValues, MONTHS, FOUNDING_MONTH,
+  emptyMonthly,
   FPPersonalkosten, FPInvestitionen, FPBetrieblicheAufwendungen,
-  FPLiquiditaet, FPComputeResult
+  FPLiquiditaet, FPComputeResult,
 } from './types'
+import {
+  computePersonalkosten, computeInvestitionen,
+  sumField, computeHeadcount,
+} from './engine-sheets'
+import { computeBetrieblicheAufwendungen } from './engine-betrieb'
+import { computeLiquiditaet } from './engine-liquiditaet'
+import { computeGuV } from './engine-guv'
 
-// --- Sheet Calculators ---
+// Re-export sheet calculators for direct consumers
+export { computePersonalkosten, computeInvestitionen } from './engine-sheets'
 
-export function computePersonalkosten(positions: FPPersonalkosten[]): FPPersonalkosten[] {
-  return positions.map(p => {
-    const brutto = emptyMonthly()
-    const sozial = emptyMonthly()
-    const total = emptyMonthly()
-
-    if (!p.start_date || !p.brutto_monthly) return { ...p, values_brutto: brutto, values_sozial: sozial, values_total: total }
-
-    const startDate = new Date(p.start_date)
-    const startM = dateToMonth(startDate.getFullYear(), startDate.getMonth() + 1)
-    const endM = p.end_date
-      ? dateToMonth(new Date(p.end_date).getFullYear(), new Date(p.end_date).getMonth() + 1)
-      : MONTHS
-
-    for (let m = Math.max(1, startM); m <= Math.min(MONTHS, endM); m++) {
-      const { year } = monthToDate(m)
-      const yearsFromStart = year - startDate.getFullYear()
-      const raise = Math.pow(1 + (p.annual_raise_pct || 0) / 100, yearsFromStart)
-      const monthlyBrutto = Math.round(p.brutto_monthly * raise)
-
-      brutto[`m${m}`] = monthlyBrutto
-      sozial[`m${m}`] = Math.round(monthlyBrutto * (p.ag_sozial_pct || 20.425) / 100)
-      total[`m${m}`] = brutto[`m${m}`] + sozial[`m${m}`]
-    }
-
-    return { ...p, values_brutto: brutto, values_sozial: sozial, values_total: total }
-  })
-}
-
-export function computeInvestitionen(items: FPInvestitionen[]): FPInvestitionen[] {
-  return items.map(item => {
-    const invest = emptyMonthly()
-    const afa = emptyMonthly()
-
-    if (!item.purchase_date || !item.purchase_amount) return { ...item, values_invest: invest, values_afa: afa }
-
-    const d = new Date(item.purchase_date)
-    const purchaseM = dateToMonth(d.getFullYear(), d.getMonth() + 1)
-
-    if (purchaseM >= 1 && purchaseM <= MONTHS) {
-      invest[`m${purchaseM}`] = item.purchase_amount
-    }
-
-    // AfA (linear depreciation)
-    if (item.afa_years && item.afa_years > 0) {
-      const afaMonths = item.afa_years * 12
-      const monthlyAfa = Math.round(item.purchase_amount / afaMonths)
-      for (let m = purchaseM; m < purchaseM + afaMonths && m <= MONTHS; m++) {
-        if (m >= 1) afa[`m${m}`] = monthlyAfa
-      }
-    } else {
-      // GWG: full depreciation in purchase month
-      if (purchaseM >= 1 && purchaseM <= MONTHS) {
-        afa[`m${purchaseM}`] = item.purchase_amount
-      }
-    }
-
-    return { ...item, values_invest: invest, values_afa: afa }
-  })
-}
-
-function sumRows(rows: { values: MonthlyValues }[]): MonthlyValues {
-  const result = emptyMonthly()
-  for (const row of rows) {
-    for (let m = 1; m <= MONTHS; m++) {
-      result[`m${m}`] += row.values[`m${m}`] || 0
-    }
-  }
-  return result
-}
-
-function sumField(rows: { [key: string]: MonthlyValues }[], field: string): MonthlyValues {
-  const result = emptyMonthly()
-  for (const row of rows) {
-    const v = row[field] as MonthlyValues
-    if (!v) continue
-    for (let m = 1; m <= MONTHS; m++) {
-      result[`m${m}`] += v[`m${m}`] || 0
-    }
-  }
-  return result
-}
+// Import types used inline
+type FPUmsatzerloese = import('./types').FPUmsatzerloese
+type FPMaterialaufwand = import('./types').FPMaterialaufwand
 
 // --- Main Engine ---
 
 export async function computeFinanzplan(pool: Pool, scenarioId: string): Promise<FPComputeResult> {
   // 1. Load all editable data from DB
   const [
-    personalRows,
-    investRows,
-    betriebRows,
-    liquidRows,
-    kundenSummary,
-    umsatzRows,
-    materialRows,
+    personalRows, investRows, betriebRows, liquidRows,
+    kundenSummary, umsatzRows, materialRows,
   ] = await Promise.all([
     pool.query('SELECT * FROM fp_personalkosten WHERE scenario_id = $1 ORDER BY sort_order', [scenarioId]),
     pool.query('SELECT * FROM fp_investitionen WHERE scenario_id = $1 ORDER BY sort_order', [scenarioId]),
@@ -131,12 +61,8 @@ export async function computeFinanzplan(pool: Pool, scenarioId: string): Promise
   const totalBrutto = sumField(personal as any, 'values_brutto')
   const totalSozial = sumField(personal as any, 'values_sozial')
   const totalPersonal = sumField(personal as any, 'values_total')
-  const headcount = emptyMonthly()
-  for (let m = 1; m <= MONTHS; m++) {
-    headcount[`m${m}`] = personal.filter(p => (p.values_total[`m${m}`] || 0) > 0).length
-  }
+  const headcount = computeHeadcount(personal)
 
-  // Write computed values back to DB
   for (const p of personal) {
     await pool.query(
       'UPDATE fp_personalkosten SET values_brutto = $1, values_sozial = $2, values_total = $3 WHERE id = $4',
@@ -156,16 +82,84 @@ export async function computeFinanzplan(pool: Pool, scenarioId: string): Promise
     )
   }
 
-  // 4. Umsatzerlöse (quantity × price)
-  const prices = (umsatzRows.rows as FPUmsatzerloese[]).filter(r => r.section === 'price')
-  const quantities = (umsatzRows.rows as FPUmsatzerloese[]).filter(r => r.section === 'quantity')
-  const revenueRows = (umsatzRows.rows as FPUmsatzerloese[]).filter(r => r.section === 'revenue')
+  // 4. Umsatzerlöse (quantity × price) + Materialaufwand
+  const { totalRevenue, totalMaterial } = await computeRevenueAndMaterial(
+    pool, umsatzRows.rows as FPUmsatzerloese[], materialRows.rows as FPMaterialaufwand[]
+  )
+
+  // 5. Bestandskunden (for formula-based costs)
+  const kundenRows = await pool.query(
+    "SELECT segment_name, row_label, values FROM fp_kunden WHERE scenario_id = $1 AND row_label LIKE 'Bestandskunden%' ORDER BY sort_order",
+    [scenarioId]
+  )
+  const totalBestandskunden = emptyMonthly()
+  for (const row of kundenRows.rows) {
+    const rl = (row as { row_label?: string }).row_label || ''
+    if (rl.includes('Bestandskunden') && !rl.includes('gesamt')) {
+      for (let m = 1; m <= MONTHS; m++) {
+        totalBestandskunden[`m${m}`] += row.values?.[`m${m}`] || 0
+      }
+    }
+  }
+
+  // Cloud-Hosting in Materialaufwand
+  const matRows = materialRows.rows as FPMaterialaufwand[]
+  const cloudRow = matRows.find(r => r.row_label.includes('Cloud-Hosting'))
+  if (cloudRow) {
+    const computed = emptyMonthly()
+    for (let m = FOUNDING_MONTH; m <= MONTHS; m++) {
+      const kunden = totalBestandskunden[`m${m}`] || 0
+      const extraKunden = Math.max(0, kunden - 10)
+      computed[`m${m}`] = Math.round(extraKunden * 100 + 1500)
+    }
+    await pool.query('UPDATE fp_materialaufwand SET values = $1 WHERE id = $2', [JSON.stringify(computed), cloudRow.id])
+    cloudRow.values = computed
+  }
+
+  // 6. Betriebliche Aufwendungen
+  const betrieb = betriebRows.rows as FPBetrieblicheAufwendungen[]
+  const { totalSonstige, totalGesamt } = await computeBetrieblicheAufwendungen(pool, betrieb, {
+    totalBrutto, totalPersonal, totalAfa, totalRevenue, totalMaterial,
+    headcount, totalBestandskunden,
+  })
+
+  // 7. Liquidität
+  const liquid = liquidRows.rows as FPLiquiditaet[]
+  const { endstand } = await computeLiquiditaet(pool, liquid, {
+    totalRevenue, totalMaterial, totalPersonal, totalSonstige, totalInvest,
+  })
+
+  // 8. GuV
+  const guv = await computeGuV(pool, scenarioId, liquid, {
+    totalRevenue, totalMaterial, totalBrutto, totalSozial,
+    totalPersonal, totalAfa, totalSonstige,
+  })
+
+  return {
+    personalkosten: { total_brutto: totalBrutto, total_sozial: totalSozial, total: totalPersonal, positions: personal, headcount },
+    investitionen: { total_invest: totalInvest, total_afa: totalAfa, items: invest },
+    umsatzerloese: { total: totalRevenue },
+    materialaufwand: { total: totalMaterial },
+    betriebliche: { total_sonstige: totalSonstige, total_gesamt: totalGesamt },
+    liquiditaet: { rows: liquid, endstand },
+    guv,
+  }
+}
+
+// --- Revenue & Material helpers (kept here to avoid circular deps) ---
+
+async function computeRevenueAndMaterial(
+  pool: Pool,
+  umsatzAllRows: FPUmsatzerloese[],
+  materialAllRows: FPMaterialaufwand[],
+): Promise<{ totalRevenue: MonthlyValues; totalMaterial: MonthlyValues }> {
+  const prices = umsatzAllRows.filter(r => r.section === 'price')
+  const quantities = umsatzAllRows.filter(r => r.section === 'quantity')
+  const revenueRows = umsatzAllRows.filter(r => r.section === 'revenue')
   const totalRevenue = emptyMonthly()
 
-  // Revenue = quantity × price for each module (if qty+price exist)
-  // Match by tier name extracted from parentheses, or exact label match
   const extractTier = (label: string) => { const m = label.match(/\(([^)]+)\)/); return m ? m[1] : label }
-  // Revenue rows WITHOUT matching qty/price are kept as-is (e.g. Beratung & Service)
+
   for (const rev of revenueRows) {
     if (rev.row_label === 'GESAMTUMSATZ') continue
     const tier = extractTier(rev.row_label)
@@ -178,20 +172,18 @@ export async function computeFinanzplan(pool: Pool, scenarioId: string): Promise
       }
       await pool.query('UPDATE fp_umsatzerloese SET values = $1 WHERE id = $2', [JSON.stringify(rev.values), rev.id])
     }
-    // Add ALL revenue rows to total (computed or manual)
     for (let m = 1; m <= MONTHS; m++) {
       totalRevenue[`m${m}`] += rev.values[`m${m}`] || 0
     }
   }
-  // Update GESAMTUMSATZ
   const gesamtUmsatz = revenueRows.find(r => r.row_label === 'GESAMTUMSATZ')
   if (gesamtUmsatz) {
     await pool.query('UPDATE fp_umsatzerloese SET values = $1 WHERE id = $2', [JSON.stringify(totalRevenue), gesamtUmsatz.id])
   }
 
-  // 5. Materialaufwand (quantity × unit_cost) — simplified
-  const matCosts = (materialRows.rows as FPMaterialaufwand[]).filter(r => r.section === 'cost')
-  const matUnitCosts = (materialRows.rows as FPMaterialaufwand[]).filter(r => r.section === 'unit_cost')
+  // Materialaufwand
+  const matCosts = materialAllRows.filter(r => r.section === 'cost')
+  const matUnitCosts = materialAllRows.filter(r => r.section === 'unit_cost')
   const totalMaterial = emptyMonthly()
 
   for (const cost of matCosts) {
@@ -205,7 +197,6 @@ export async function computeFinanzplan(pool: Pool, scenarioId: string): Promise
       }
       await pool.query('UPDATE fp_materialaufwand SET values = $1 WHERE id = $2', [JSON.stringify(cost.values), cost.id])
     }
-    // Add ALL cost rows to total (computed or manual)
     for (let m = 1; m <= MONTHS; m++) {
       totalMaterial[`m${m}`] += cost.values[`m${m}`] || 0
     }
@@ -215,450 +206,5 @@ export async function computeFinanzplan(pool: Pool, scenarioId: string): Promise
     await pool.query('UPDATE fp_materialaufwand SET values = $1 WHERE id = $2', [JSON.stringify(totalMaterial), matSumme.id])
   }
 
-  // 5b. Headcount without founders (for formula-based costs)
-  const NUM_FOUNDERS = 2
-  const hcWithoutFounders = emptyMonthly()
-  for (let m = 1; m <= MONTHS; m++) {
-    hcWithoutFounders[`m${m}`] = Math.max(0, headcount[`m${m}`] - NUM_FOUNDERS)
-  }
-
-  // 5c. Total Bestandskunden (for Bewirtungskosten — uses totalBestandskunden from Serverkosten above)
-  // Also load enterprise customers separately for legacy compatibility
-  const kundenRows = await pool.query(
-    "SELECT segment_name, row_label, values FROM fp_kunden WHERE scenario_id = $1 AND row_label LIKE 'Bestandskunden%' ORDER BY sort_order",
-    [scenarioId]
-  )
-  const enterpriseKunden = emptyMonthly()
-  for (const row of kundenRows.rows) {
-    if (row.segment_name?.toLowerCase().includes('enterprise')) {
-      for (let m = 1; m <= MONTHS; m++) {
-        enterpriseKunden[`m${m}`] = row.values?.[`m${m}`] || 0
-      }
-    }
-  }
-
-  // 6. Betriebliche Aufwendungen — compute formula-based rows + sum rows
-  const betrieb = betriebRows.rows as FPBetrieblicheAufwendungen[]
-
-  // Pre-compute total Bestandskunden (needed for Bewirtungskosten + Serverkosten)
-  const totalBestandskunden = emptyMonthly()
-  for (const row of kundenRows.rows) {
-    const rl = (row as { row_label?: string }).row_label || ''
-    if (rl.includes('Bestandskunden') && !rl.includes('gesamt')) {
-      for (let m = 1; m <= MONTHS; m++) {
-        totalBestandskunden[`m${m}`] += row.values?.[`m${m}`] || 0
-      }
-    }
-  }
-
-  // Formula-based rows: derive from headcount (excl. founders) or customers
-  const formulaRows: { label: string; perUnit: number; source: MonthlyValues }[] = [
-    { label: 'Fort-/Weiterbildungskosten (F)', perUnit: 300, source: hcWithoutFounders },
-    // KFZ costs are manual (from Jan 2028), not formula-based
-    { label: 'Reisekosten (F)', perUnit: 75, source: headcount },
-    { label: 'Bewirtungskosten (F)', perUnit: 50, source: totalBestandskunden },
-    { label: 'Internet/Mobilfunk (F)', perUnit: 50, source: headcount },
-  ]
-
-  for (const fr of formulaRows) {
-    const row = betrieb.find(r => r.row_label === fr.label)
-    if (row) {
-      const computed = emptyMonthly()
-      for (let m = FOUNDING_MONTH; m <= MONTHS; m++) {
-        computed[`m${m}`] = Math.round((fr.source[`m${m}`] || 0) * fr.perUnit)
-      }
-      await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(computed), row.id])
-      row.values = computed
-    }
-  }
-
-  // Berufsgenossenschaft (VBG IT/Büro): ~0.5% of total brutto payroll
-  const bgRow = betrieb.find(r => r.row_label.includes('Berufsgenossenschaft'))
-  if (bgRow) {
-    const computed = emptyMonthly()
-    for (let m = FOUNDING_MONTH; m <= MONTHS; m++) {
-      computed[`m${m}`] = Math.round((totalBrutto[`m${m}`] || 0) * 0.005)
-    }
-    await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(computed), bgRow.id])
-    bgRow.values = computed
-  }
-
-  // Allgemeine Marketingkosten: 8% of revenue (2026-2028), 10% from 2029
-  const marketingRow = betrieb.find(r => r.row_label.includes('Allgemeine Marketingkosten'))
-  if (marketingRow) {
-    const computed = emptyMonthly()
-    for (let m = FOUNDING_MONTH; m <= MONTHS; m++) {
-      const rate = m <= 36 ? 0.08 : 0.10 // m36 = Dec 2028
-      computed[`m${m}`] = Math.round((totalRevenue[`m${m}`] || 0) * rate)
-    }
-    await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(computed), marketingRow.id])
-    marketingRow.values = computed
-  }
-
-  // Serverkosten now in Materialaufwand — compute Cloud-Hosting formula there
-  const matRows = materialRows.rows as FPMaterialaufwand[]
-  const cloudRow = matRows.find(r => r.row_label.includes('Cloud-Hosting'))
-  if (cloudRow) {
-    const computed = emptyMonthly()
-    for (let m = FOUNDING_MONTH; m <= MONTHS; m++) {
-      const kunden = totalBestandskunden[`m${m}`] || 0
-      const extraKunden = Math.max(0, kunden - 10) // first 10 included in base
-      computed[`m${m}`] = Math.round(extraKunden * 100 + 1500)
-    }
-    await pool.query('UPDATE fp_materialaufwand SET values = $1 WHERE id = $2', [JSON.stringify(computed), cloudRow.id])
-    cloudRow.values = computed
-  }
-
-  // Update Personalkosten row
-  const persBetrieb = betrieb.find(r => r.row_label === 'Personalkosten')
-  if (persBetrieb) {
-    await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(totalPersonal), persBetrieb.id])
-    persBetrieb.values = totalPersonal
-  }
-  // Update Abschreibungen row
-  const abrBetrieb = betrieb.find(r => r.row_label === 'Abschreibungen')
-  if (abrBetrieb) {
-    await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(totalAfa), abrBetrieb.id])
-    abrBetrieb.values = totalAfa
-  }
-
-  // Gewerbesteuer (F): 12.25% of monthly profit (only when positive)
-  // Monthly profit = Revenue - Material - Personnel - AfA - other opex (excl. taxes)
-  const gewStRow = betrieb.find(r => r.row_label.includes('Gewerbesteuer'))
-  if (gewStRow) {
-    const nonTaxOpex = betrieb.filter(r =>
-      r.category !== 'steuern' && r.category !== 'personal' && r.category !== 'abschreibungen' &&
-      !r.is_sum_row && !r.row_label.includes('Summe') && !r.row_label.includes('SUMME')
-    )
-    const computed = emptyMonthly()
-    for (let m = FOUNDING_MONTH; m <= MONTHS; m++) {
-      const rev = totalRevenue[`m${m}`] || 0
-      const mat = totalMaterial[`m${m}`] || 0
-      const pers = totalPersonal[`m${m}`] || 0
-      const afa = totalAfa[`m${m}`] || 0
-      let opex = 0
-      for (const r of nonTaxOpex) { opex += r.values[`m${m}`] || 0 }
-      const profit = rev - mat - pers - afa - opex
-      computed[`m${m}`] = profit > 0 ? Math.round(profit * 0.1225) : 0
-    }
-    await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(computed), gewStRow.id])
-    gewStRow.values = computed
-  }
-
-  // Compute category sums
-  const categories = ['steuern', 'versicherungen', 'besondere', 'marketing', 'sonstige']
-  for (const cat of categories) {
-    const sumRow = betrieb.find(r => r.category === cat && r.is_sum_row)
-    const detailRows = betrieb.filter(r => r.category === cat && !r.is_sum_row)
-    if (sumRow && detailRows.length > 0) {
-      const s = sumRows(detailRows)
-      await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(s), sumRow.id])
-      sumRow.values = s
-    }
-  }
-
-  // Summe sonstige (ohne Personal, Abschreibungen)
-  const sonstSumme = betrieb.find(r => r.row_label.includes('Summe sonstige'))
-  if (sonstSumme) {
-    const nonPersonNonAbr = betrieb.filter(r =>
-      r.row_label !== 'Personalkosten' && r.row_label !== 'Abschreibungen' &&
-      !r.row_label.includes('Summe sonstige') && !r.row_label.includes('Gesamtkosten') &&
-      !r.is_sum_row && r.category !== 'personal' && r.category !== 'abschreibungen'
-    )
-    const s = sumRows(nonPersonNonAbr)
-    await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(s), sonstSumme.id])
-    sonstSumme.values = s
-  }
-
-  // Gesamtkosten
-  const gesamtBetrieb = betrieb.find(r => r.row_label.includes('Gesamtkosten') || r.row_label.includes('SUMME Betriebliche'))
-  const totalSonstige = sonstSumme?.values || emptyMonthly()
-  if (gesamtBetrieb) {
-    const g = emptyMonthly()
-    for (let m = 1; m <= MONTHS; m++) {
-      g[`m${m}`] = (totalPersonal[`m${m}`] || 0) + (totalAfa[`m${m}`] || 0) + (totalSonstige[`m${m}`] || 0)
-    }
-    await pool.query('UPDATE fp_betriebliche_aufwendungen SET values = $1 WHERE id = $2', [JSON.stringify(g), gesamtBetrieb.id])
-    gesamtBetrieb.values = g
-  }
-
-  // 7. Liquidität
-  const liquid = liquidRows.rows as FPLiquiditaet[]
-  const findLiq = (label: string) => liquid.find(r => r.row_label === label)
-
-  // Computed rows
-  const liqUmsatz = findLiq('Umsatzerlöse')
-  if (liqUmsatz) {
-    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(totalRevenue), liqUmsatz.id])
-    liqUmsatz.values = totalRevenue
-  }
-  const liqMaterial = findLiq('Materialaufwand')
-  if (liqMaterial) {
-    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(totalMaterial), liqMaterial.id])
-    liqMaterial.values = totalMaterial
-  }
-  const liqPersonal = findLiq('Personalkosten')
-  if (liqPersonal) {
-    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(totalPersonal), liqPersonal.id])
-    liqPersonal.values = totalPersonal
-  }
-  const liqSonstige = findLiq('Sonstige Kosten')
-  if (liqSonstige) {
-    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(totalSonstige), liqSonstige.id])
-    liqSonstige.values = totalSonstige
-  }
-  const liqInvest = findLiq('Investitionen')
-  if (liqInvest) {
-    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(totalInvest), liqInvest.id])
-    liqInvest.values = totalInvest
-  }
-
-  // Compute sums and rolling balance
-  // WICHTIG: Überschuss = nur operativer Cashflow (ohne Kapitaleinzahlungen)
-  const sumEin = findLiq('Summe EINZAHLUNGEN')
-  const sumAus = findLiq('Summe AUSZAHLUNGEN')
-  const uebVorInv = findLiq('ÜBERSCHUSS VOR INVESTITIONEN')
-  const uebVorEnt = findLiq('ÜBERSCHUSS VOR ENTNAHMEN')
-  const ueberschuss = findLiq('ÜBERSCHUSS')
-  const kontostand = findLiq('Kontostand zu Beginn des Monats')
-  const liquiditaet = findLiq('LIQUIDITÄT')
-
-  // Dynamically categorize rows by row_type instead of hardcoded labels
-  // Operative Einzahlungen (OHNE Eigenkapital, Fremdkapital, Stammkapital, Wandeldarlehen)
-  const einzahlungenOperativ = ['Umsatzerlöse', 'Sonst. betriebl. Erträge', 'Anzahlungen']
-  // Finanzierung: match any row with these keywords (handles renamed labels)
-  const finanzierungRows = liquid.filter(r =>
-    r.row_type === 'einzahlung' &&
-    !einzahlungenOperativ.includes(r.row_label) &&
-    !r.row_label.includes('Summe')
-  )
-  // Operative Auszahlungen
-  const auszahlungenOperativ = ['Materialaufwand', 'Personalkosten', 'Sonstige Kosten', 'Umsatzsteuer', 'Gewerbesteuer', 'Körperschaftsteuer']
-  // Finanz-Auszahlungen: any auszahlung not in operativ list
-  const finanzAuszahlungRows = liquid.filter(r =>
-    r.row_type === 'auszahlung' &&
-    !auszahlungenOperativ.includes(r.row_label) &&
-    !r.row_label.includes('Summe')
-  )
-
-  // Summe EINZAHLUNGEN = nur operativ (für die Zeile "Summe Einzahlungen")
-  if (sumEin) {
-    const s = emptyMonthly()
-    for (const label of einzahlungenOperativ) {
-      const row = findLiq(label)
-      if (row) for (let m = 1; m <= MONTHS; m++) s[`m${m}`] += Math.round(row.values[`m${m}`] || 0)
-    }
-    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(s), sumEin.id])
-    sumEin.values = s
-  }
-
-  // Summe AUSZAHLUNGEN = nur operativ
-  if (sumAus) {
-    const s = emptyMonthly()
-    for (const label of auszahlungenOperativ) {
-      const row = findLiq(label)
-      if (row) for (let m = 1; m <= MONTHS; m++) s[`m${m}`] += Math.round(row.values[`m${m}`] || 0)
-    }
-    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(s), sumAus.id])
-    sumAus.values = s
-  }
-
-  // OPERATIVER ÜBERSCHUSS VOR INVESTITIONEN = operative Einzahlungen - operative Auszahlungen
-  if (uebVorInv && sumEin && sumAus) {
-    const s = emptyMonthly()
-    for (let m = 1; m <= MONTHS; m++) s[`m${m}`] = Math.round((sumEin.values[`m${m}`] || 0) - (sumAus.values[`m${m}`] || 0))
-    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(s), uebVorInv.id])
-    uebVorInv.values = s
-  }
-
-  // ÜBERSCHUSS VOR ENTNAHMEN = Operativer Überschuss - Investitionen
-  if (uebVorEnt && uebVorInv && liqInvest) {
-    const s = emptyMonthly()
-    for (let m = 1; m <= MONTHS; m++) s[`m${m}`] = Math.round((uebVorInv.values[`m${m}`] || 0) - (liqInvest.values[`m${m}`] || 0))
-    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(s), uebVorEnt.id])
-    uebVorEnt.values = s
-  }
-
-  // ÜBERSCHUSS = Überschuss vor Entnahmen - Entnahmen (immer noch rein operativ)
-  const entnahmen = findLiq('Kapitalentnahmen/Ausschüttungen')
-  if (ueberschuss && uebVorEnt && entnahmen) {
-    const s = emptyMonthly()
-    for (let m = 1; m <= MONTHS; m++) s[`m${m}`] = Math.round((uebVorEnt.values[`m${m}`] || 0) - (entnahmen.values[`m${m}`] || 0))
-    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(s), ueberschuss.id])
-    ueberschuss.values = s
-  }
-
-  // Rolling Kontostand: Vormonat + Operativer Überschuss + Finanzierung
-  // Finanzierung = Eigenkapital + Fremdkapital - Kreditrückzahlungen
-  if (kontostand && liquiditaet && ueberschuss) {
-    // Berechne monatliche Finanzierungs-Cashflows
-    const finCF = emptyMonthly()
-    for (const row of finanzierungRows) {
-      for (let m = 1; m <= MONTHS; m++) finCF[`m${m}`] += Math.round(row.values[`m${m}`] || 0)
-    }
-    for (const row of finanzAuszahlungRows) {
-      for (let m = 1; m <= MONTHS; m++) finCF[`m${m}`] -= Math.round(row.values[`m${m}`] || 0)
-    }
-
-    const ks = emptyMonthly()
-    const lq = emptyMonthly()
-    for (let m = 1; m <= MONTHS; m++) {
-      ks[`m${m}`] = m === 1 ? 0 : Math.round(lq[`m${m - 1}`])
-      // LIQUIDITÄT = Kontostand + Operativer Überschuss + Finanzierung
-      lq[`m${m}`] = Math.round(ks[`m${m}`] + (ueberschuss.values[`m${m}`] || 0) + (finCF[`m${m}`] || 0))
-    }
-    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(ks), kontostand.id])
-    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(lq), liquiditaet.id])
-    kontostand.values = ks
-    liquiditaet.values = lq
-  }
-
-  // 8. GuV — compute annual values
-  const guv: AnnualValues[] = []
-  const umsatzAnnual = annualSums(totalRevenue)
-  const materialAnnual = annualSums(totalMaterial)
-  const personalBruttoAnnual = annualSums(totalBrutto)
-  const personalSozialAnnual = annualSums(totalSozial)
-  const personalAnnual = annualSums(totalPersonal)
-  const afaAnnual = annualSums(totalAfa)
-  const sonstigeAnnual = annualSums(totalSonstige)
-
-  // Write GuV rows
-  // Rohergebnis = Gesamtleistung - Materialaufwand
-  const rohergebnis: AnnualValues = {}
-  for (let y = 2026; y <= 2030; y++) {
-    const k = `y${y}`
-    rohergebnis[k] = Math.round((umsatzAnnual[k] || 0) - (materialAnnual[k] || 0))
-  }
-
-  const guvUpdates: { label: string; values: AnnualValues }[] = [
-    { label: 'Umsatzerlöse', values: umsatzAnnual },
-    { label: 'Gesamtleistung', values: umsatzAnnual },
-    { label: 'Summe Materialaufwand', values: materialAnnual },
-    { label: 'Rohergebnis', values: rohergebnis },
-    { label: 'Löhne und Gehälter', values: personalBruttoAnnual },
-    { label: 'Soziale Abgaben', values: personalSozialAnnual },
-    { label: 'Summe Personalaufwand', values: personalAnnual },
-    { label: 'Abschreibungen', values: afaAnnual },
-    { label: 'Sonst. betriebl. Aufwendungen', values: sonstigeAnnual },
-  ]
-
-  for (const { label, values } of guvUpdates) {
-    await pool.query(
-      'UPDATE fp_guv SET values = $1 WHERE scenario_id = $2 AND row_label = $3',
-      [JSON.stringify(values), scenarioId, label]
-    )
-  }
-
-  // EBIT (Betriebsergebnis)
-  const ebit: AnnualValues = {}
-  for (let y = 2026; y <= 2030; y++) {
-    const k = `y${y}`
-    ebit[k] = Math.round((umsatzAnnual[k] || 0) - (materialAnnual[k] || 0) - (personalAnnual[k] || 0) - (afaAnnual[k] || 0) - (sonstigeAnnual[k] || 0))
-  }
-  await pool.query('UPDATE fp_guv SET values = $1 WHERE scenario_id = $2 AND row_label = $3', [JSON.stringify(ebit), scenarioId, 'EBIT'])
-
-  // Steuerberechnung (nur auf Gewinne, mit Verlustvortrag)
-  // Stockach 78333: Hebesatz 350%
-  // Gewerbesteuer = 3,5% × 3,5 = 12,25%
-  // Körperschaftsteuer = 15% + 5,5% Soli = 15,825%
-  // Gesamt: ~28,075%
-  const GEWERBESTEUER_RATE = 0.035 * 3.5   // 12,25%
-  const KOERPERSCHAFTSTEUER_RATE = 0.15 * 1.055  // 15,825% (inkl. Soli)
-
-  const gewerbesteuer: AnnualValues = {}
-  const koerperschaftsteuer: AnnualValues = {}
-  const steuernGesamt: AnnualValues = {}
-  const ergebnisNachSteuern: AnnualValues = {}
-  let verlustvortrag = 0  // kumulierter Verlustvortrag
-
-  for (let y = 2026; y <= 2030; y++) {
-    const k = `y${y}`
-    const gewinn = ebit[k] || 0
-
-    if (gewinn <= 0) {
-      // Verlust: keine Steuern, Verlustvortrag aufbauen
-      verlustvortrag += Math.abs(gewinn)
-      gewerbesteuer[k] = 0
-      koerperschaftsteuer[k] = 0
-      steuernGesamt[k] = 0
-      ergebnisNachSteuern[k] = Math.round(gewinn)
-    } else {
-      // Gewinn: Verlustvortrag verrechnen
-      // Bis 1 Mio EUR: 100% verrechenbar
-      // Über 1 Mio EUR: nur 60% verrechenbar (Mindestbesteuerung)
-      let verrechenbar = 0
-      if (verlustvortrag > 0) {
-        if (gewinn <= 1000000) {
-          verrechenbar = Math.min(verlustvortrag, gewinn)
-        } else {
-          verrechenbar = Math.min(verlustvortrag, 1000000 + (gewinn - 1000000) * 0.6)
-        }
-        verlustvortrag -= verrechenbar
-      }
-
-      const zuVersteuern = Math.max(0, gewinn - verrechenbar)
-      const gst = Math.round(zuVersteuern * GEWERBESTEUER_RATE)
-      const kst = Math.round(zuVersteuern * KOERPERSCHAFTSTEUER_RATE)
-
-      gewerbesteuer[k] = gst
-      koerperschaftsteuer[k] = kst
-      steuernGesamt[k] = gst + kst
-      ergebnisNachSteuern[k] = Math.round(gewinn - gst - kst)
-    }
-  }
-
-  await pool.query('UPDATE fp_guv SET values = $1 WHERE scenario_id = $2 AND row_label = $3', [JSON.stringify(gewerbesteuer), scenarioId, 'Gewerbesteuer'])
-  await pool.query('UPDATE fp_guv SET values = $1 WHERE scenario_id = $2 AND row_label = $3', [JSON.stringify(koerperschaftsteuer), scenarioId, 'Körperschaftssteuer'])
-  await pool.query('UPDATE fp_guv SET values = $1 WHERE scenario_id = $2 AND row_label = $3', [JSON.stringify(steuernGesamt), scenarioId, 'Steuern gesamt'])
-  await pool.query('UPDATE fp_guv SET values = $1 WHERE scenario_id = $2 AND row_label = $3', [JSON.stringify(ergebnisNachSteuern), scenarioId, 'Ergebnis nach Steuern'])
-  await pool.query('UPDATE fp_guv SET values = $1 WHERE scenario_id = $2 AND row_label = $3', [JSON.stringify(ergebnisNachSteuern), scenarioId, 'Jahresüberschuss'])
-
-  // Steuern auch in Liquidität eintragen (monatlich = 1/12 des Jahresbetrags)
-  const liqGewSt = findLiq('Gewerbesteuer')
-  const liqKSt = findLiq('Körperschaftsteuer')
-  if (liqGewSt) {
-    const v = emptyMonthly()
-    for (let y = 2026; y <= 2030; y++) {
-      const jahresBetrag = gewerbesteuer[`y${y}`] || 0
-      if (jahresBetrag > 0) {
-        const monatlich = Math.round(jahresBetrag / 12)
-        const startM = (y - 2026) * 12 + 1
-        for (let m = startM; m <= startM + 11 && m <= MONTHS; m++) {
-          v[`m${m}`] = monatlich
-        }
-      }
-    }
-    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(v), liqGewSt.id])
-    liqGewSt.values = v
-  }
-  if (liqKSt) {
-    const v = emptyMonthly()
-    for (let y = 2026; y <= 2030; y++) {
-      const jahresBetrag = koerperschaftsteuer[`y${y}`] || 0
-      if (jahresBetrag > 0) {
-        const monatlich = Math.round(jahresBetrag / 12)
-        const startM = (y - 2026) * 12 + 1
-        for (let m = startM; m <= startM + 11 && m <= MONTHS; m++) {
-          v[`m${m}`] = monatlich
-        }
-      }
-    }
-    await pool.query('UPDATE fp_liquiditaet SET values = $1 WHERE id = $2', [JSON.stringify(v), liqKSt.id])
-    liqKSt.values = v
-  }
-
-  return {
-    personalkosten: { total_brutto: totalBrutto, total_sozial: totalSozial, total: totalPersonal, positions: personal, headcount },
-    investitionen: { total_invest: totalInvest, total_afa: totalAfa, items: invest },
-    umsatzerloese: { total: totalRevenue },
-    materialaufwand: { total: totalMaterial },
-    betriebliche: { total_sonstige: totalSonstige, total_gesamt: gesamtBetrieb?.values || emptyMonthly() },
-    liquiditaet: { rows: liquid, endstand: liquiditaet?.values || emptyMonthly() },
-    guv: [ebit],
-  }
+  return { totalRevenue, totalMaterial }
 }
-
-// Import to fix type errors
-type FPUmsatzerloese = import('./types').FPUmsatzerloese
-type FPMaterialaufwand = import('./types').FPMaterialaufwand
diff --git a/scripts/check-loc.sh b/scripts/check-loc.sh
new file mode 100755
index 0000000..17717c9
--- /dev/null
+++ b/scripts/check-loc.sh
@@ -0,0 +1,161 @@
+#!/usr/bin/env bash
+#
+# LOC Budget Checker — enforces the 500 LOC hard cap.
+#
+# Usage:
+#   bash scripts/check-loc.sh --changed   # only git-changed files (pre-commit)
+#   bash scripts/check-loc.sh --all       # all source files in repo
+#   bash scripts/check-loc.sh --staged    # only staged files (for pre-commit hook)
+#
+# Exit codes:
+#   0 — all files within budget
+#   1 — one or more violations found
+
+set -uo pipefail
+
+MAX_LOC="${MAX_LOC:-500}"
+ROOT_DIR="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
+EXCEPTIONS_FILE="${ROOT_DIR}/.claude/rules/loc-exceptions.txt"
+
+red()   { printf '\033[31m%s\033[0m\n' "$*"; }
+green() { printf '\033[32m%s\033[0m\n' "$*"; }
+yellow(){ printf '\033[33m%s\033[0m\n' "$*"; }
+
+# Check if a file matches any exception pattern in loc-exceptions.txt
+is_exempt() {
+  local file="$1"
+  [[ -f "$EXCEPTIONS_FILE" ]] || return 1
+
+  while IFS= read -r line; do
+    # Skip empty lines and comments
+    [[ -z "$line" ]] && continue
+    [[ "$line" =~ ^[[:space:]]*# ]] && continue
+
+    # Extract glob pattern (everything before first |)
+    local pattern="${line%%|*}"
+    pattern="$(echo "$pattern" | xargs)"  # trim whitespace
+    [[ -z "$pattern" ]] && continue
+
+    # Match against the file path (supports ** globs)
+    # shellcheck disable=SC2254
+    case "$file" in
+      $pattern) return 0 ;;
+    esac
+  done < "$EXCEPTIONS_FILE"
+  return 1
+}
+
+# Check if file is a source file we care about
+is_source_file() {
+  local file="$1"
+  case "$file" in
+    *.py|*.go|*.ts|*.tsx) return 0 ;;
+    *) return 1 ;;
+  esac
+}
+
+# Skip non-source directories
+should_skip_path() {
+  local file="$1"
+  case "$file" in
+    */node_modules/*|*/.next/*|*/__pycache__/*|*/venv/*|*/.git/*) return 0 ;;
+    *) return 1 ;;
+  esac
+}
+
+main() {
+  local mode="changed"
+  case "${1:-}" in
+    --changed) mode="changed" ;;
+    --staged)  mode="staged" ;;
+    --all)     mode="all" ;;
+  esac
+
+  cd "$ROOT_DIR"
+
+  # Collect files based on mode
+  local tmpfile
+  tmpfile=$(mktemp)
+  trap "rm -f '$tmpfile'" EXIT
+
+  case "$mode" in
+    staged)
+      git diff --name-only --cached > "$tmpfile"
+      ;;
+    changed)
+      { git diff --name-only --cached 2>/dev/null; git diff --name-only 2>/dev/null; git ls-files --others --exclude-standard 2>/dev/null; } | sort -u > "$tmpfile"
+      ;;
+    all)
+      # Use find + xargs wc for speed, then filter >500 LOC only
+      find . \( -name '*.py' -o -name '*.go' -o -name '*.ts' -o -name '*.tsx' \) \
+        -not -path '*/node_modules/*' \
+        -not -path '*/.next/*' \
+        -not -path '*/__pycache__/*' \
+        -not -path '*/venv/*' \
+        -not -path '*/.git/*' \
+        -exec wc -l {} + 2>/dev/null \
+        | awk -v max="$MAX_LOC" '$1 > max && !/total$/ { sub(/^[[:space:]]*[0-9]+[[:space:]]*\.\//, ""); print }' > "$tmpfile"
+      # For --all mode, we already have only the violating files
+      # Override the check loop to just check exemptions
+      local fast_violations=0
+      local fast_checked=0
+      local fast_exempted=0
+      while IFS= read -r file; do
+        [[ -z "$file" ]] && continue
+        [[ -f "$file" ]] || continue
+        if is_exempt "$file"; then
+          fast_exempted=$((fast_exempted + 1))
+          continue
+        fi
+        fast_checked=$((fast_checked + 1))
+        local loc
+        loc=$(wc -l < "$file" 2>/dev/null || echo 0)
+        red "VIOLATION: $file ($loc LOC > $MAX_LOC)"
+        fast_violations=$((fast_violations + 1))
+      done < "$tmpfile"
+      echo ""
+      if (( fast_violations > 0 )); then
+        red "$fast_violations file(s) exceed ${MAX_LOC} LOC budget. (violations: $fast_violations, exempted: $fast_exempted)"
+        exit 1
+      fi
+      green "LOC budget check passed. (exempted: $fast_exempted)"
+      exit 0
+      ;;
+  esac
+
+  local violations=0
+  local checked=0
+  local exempted=0
+
+  while IFS= read -r file; do
+    [[ -z "$file" ]] && continue
+    [[ -f "$file" ]] || continue
+    is_source_file "$file" || continue
+    should_skip_path "$file" && continue
+
+    if is_exempt "$file"; then
+      exempted=$((exempted + 1))
+      continue
+    fi
+
+    checked=$((checked + 1))
+    local loc
+    loc=$(wc -l < "$file" 2>/dev/null || echo 0)
+
+    if (( loc > MAX_LOC )); then
+      red "VIOLATION: $file ($loc LOC > $MAX_LOC)"
+      violations=$((violations + 1))
+    fi
+  done < "$tmpfile"
+
+  echo ""
+  if (( violations > 0 )); then
+    red "$violations file(s) exceed ${MAX_LOC} LOC budget. (checked: $checked, exempted: $exempted)"
+    exit 1
+  fi
+
+  green "LOC budget check passed. (checked: $checked, exempted: $exempted)"
+  exit 0
+}
+
+main "$@"
diff --git a/voice-service/services/enhanced_task_helpers.py b/voice-service/services/enhanced_task_helpers.py
new file mode 100644
index 0000000..e327078
--- /dev/null
+++ b/voice-service/services/enhanced_task_helpers.py
@@ -0,0 +1,285 @@
+"""
+Enhanced Task Orchestrator - Helper Mixin
+
+Provides routing, quality checks, memory storage, message handling,
+and session recovery logic for EnhancedTaskOrchestrator.
+
+Separated from enhanced_task_orchestrator.py for the 500 LOC budget.
+"""
+
+import structlog
+import asyncio
+from typing import Optional, Dict, Any
+from datetime import datetime
+
+from models.task import Task, TaskState
+
+from sessions.session_manager import AgentSession, SessionState
+from sessions.heartbeat import HeartbeatClient
+from orchestrator.message_bus import AgentMessage, MessagePriority
+from orchestrator.task_router import RoutingStrategy
+
+logger = structlog.get_logger(__name__)
+
+
+class EnhancedTaskHelpersMixin:
+    """
+    Mixin providing internal helper methods for EnhancedTaskOrchestrator.
+
+    This class should not be instantiated directly. It is mixed into
+    EnhancedTaskOrchestrator to provide:
+    - Agent routing (_route_to_agent, _needs_specialized_agent)
+    - Quality checks (_run_quality_check, _needs_quality_check)
+    - Memory storage (_store_task_result)
+    - Message handling (_handle_agent_message)
+    - Session recovery (recover_session, _recover_pending_tasks)
+    - System prompt (_get_system_prompt)
+
+    All attributes (message_bus, task_router, memory_store, heartbeat,
+    session_manager, _voice_sessions, _heartbeat_clients, _tasks) are
+    expected to be set by the main class __init__.
+    """
+
+    def _needs_specialized_agent(self, task: Task) -> bool:
+        """Check if task needs routing to a specialized agent"""
+        from models.task import TaskType
+
+        # Tasks that benefit from specialized agents
+        specialized_types = [
+            TaskType.PARENT_LETTER,      # Could use grader for tone
+            TaskType.FEEDBACK_SUGGEST,   # Quality judge for appropriateness
+        ]
+
+        return task.type in specialized_types
+
+    def _needs_quality_check(self, task: Task) -> bool:
+        """Check if task result needs quality validation"""
+        from models.task import TaskType
+
+        # Tasks that generate content should be checked
+        content_types = [
+            TaskType.PARENT_LETTER,
+            TaskType.CLASS_MESSAGE,
+            TaskType.FEEDBACK_SUGGEST,
+            TaskType.WORKSHEET_GENERATE,
+        ]
+
+        return task.type in content_types
+
+    async def _route_to_agent(
+        self,
+        task: Task,
+        session: Optional[AgentSession]
+    ) -> None:
+        """Routes a task to a specialized agent"""
+        # Determine target agent
+        intent = f"task_{task.type.value}"
+        routing_result = await self.task_router.route(
+            intent=intent,
+            context={"task": task.parameters},
+            strategy=RoutingStrategy.LEAST_LOADED
+        )
+
+        if not routing_result.success:
+            # Fall back to local processing
+            logger.warning(
+                "No agent available for task, using local processing",
+                task_id=task.id[:8],
+                reason=routing_result.reason
+            )
+            await super().process_task(task)
+            return
+
+        # Send to agent via message bus
+        try:
+            response = await self.message_bus.request(
+                AgentMessage(
+                    sender="voice-orchestrator",
+                    receiver=routing_result.agent_id,
+                    message_type=f"process_{task.type.value}",
+                    payload={
+                        "task_id": task.id,
+                        "task_type": task.type.value,
+                        "parameters": task.parameters,
+                        "session_id": session.session_id if session else None
+                    },
+                    priority=MessagePriority.NORMAL
+                ),
+                timeout=30.0
+            )
+
+            task.result_ref = response.get("result", "")
+            task.transition_to(TaskState.READY, "agent_processed")
+
+        except asyncio.TimeoutError:
+            logger.error(
+                "Agent timeout, falling back to local",
+                task_id=task.id[:8],
+                agent=routing_result.agent_id
+            )
+            await super().process_task(task)
+
+    async def _run_quality_check(
+        self,
+        task: Task,
+        session: Optional[AgentSession]
+    ) -> None:
+        """Runs quality check on task result via quality judge"""
+        try:
+            response = await self.message_bus.request(
+                AgentMessage(
+                    sender="voice-orchestrator",
+                    receiver="quality-judge",
+                    message_type="evaluate_response",
+                    payload={
+                        "task_id": task.id,
+                        "task_type": task.type.value,
+                        "response": task.result_ref,
+                        "context": task.parameters
+                    },
+                    priority=MessagePriority.NORMAL
+                ),
+                timeout=10.0
+            )
+
+            quality_score = response.get("composite_score", 0)
+
+            if quality_score < 60:
+                # Mark for review
+                task.error_message = f"Quality check failed: {quality_score}"
+                logger.warning(
+                    "Task failed quality check",
+                    task_id=task.id[:8],
+                    score=quality_score
+                )
+
+        except asyncio.TimeoutError:
+            # Quality check timeout is non-fatal
+            logger.warning(
+                "Quality check timeout",
+                task_id=task.id[:8]
+            )
+
+    async def _store_task_result(self, task: Task) -> None:
+        """Stores task result in memory for learning"""
+        await self.memory_store.remember(
+            key=f"task:{task.type.value}:{task.id}",
+            value={
+                "result": task.result_ref,
+                "parameters": task.parameters,
+                "completed_at": datetime.utcnow().isoformat()
+            },
+            agent_id="voice-orchestrator",
+            ttl_days=30
+        )
+
+    async def _handle_agent_message(
+        self,
+        message: AgentMessage
+    ) -> Optional[Dict[str, Any]]:
+        """Handles incoming messages from other agents"""
+        logger.debug(
+            "Received agent message",
+            sender=message.sender,
+            type=message.message_type
+        )
+
+        if message.message_type == "task_status_update":
+            # Handle task status updates
+            task_id = message.payload.get("task_id")
+            if task_id in self._tasks:
+                task = self._tasks[task_id]
+                new_state = message.payload.get("state")
+                if new_state:
+                    task.transition_to(TaskState(new_state), "agent_update")
+
+        return None
+
+    def _get_system_prompt(self) -> str:
+        """Returns the system prompt for the voice assistant"""
+        return """Du bist ein hilfreicher Assistent für Lehrer in der Breakpilot-App.
+
+Deine Aufgaben:
+- Hilf beim Erstellen von Arbeitsblättern
+- Unterstütze bei der Korrektur
+- Erstelle Elternbriefe und Klassennachrichten
+- Dokumentiere Beobachtungen und Erinnerungen
+
+Halte dich kurz und präzise. Nutze einfache, klare Sprache.
+Bei Unklarheiten frage nach."""
+
+    # Recovery methods
+
+    async def recover_session(
+        self,
+        voice_session_id: str,
+        session_id: str
+    ) -> Optional[AgentSession]:
+        """
+        Recovers a session from checkpoint.
+
+        Args:
+            voice_session_id: The voice session ID
+            session_id: The agent session ID to recover
+
+        Returns:
+            The recovered session or None
+        """
+        session = await self.session_manager.get_session(session_id)
+
+        if not session:
+            logger.warning(
+                "Session not found for recovery",
+                session_id=session_id
+            )
+            return None
+
+        if session.state != SessionState.ACTIVE:
+            logger.warning(
+                "Session not active for recovery",
+                session_id=session_id,
+                state=session.state.value
+            )
+            return None
+
+        # Resume session
+        session.resume()
+
+        # Restore heartbeat
+        heartbeat_client = HeartbeatClient(
+            session_id=session.session_id,
+            monitor=self.heartbeat,
+            interval_seconds=10
+        )
+        await heartbeat_client.start()
+        self.heartbeat.register(session.session_id, "voice-orchestrator")
+
+        # Store references
+        self._voice_sessions[voice_session_id] = session
+        self._heartbeat_clients[session.session_id] = heartbeat_client
+
+        # Recover pending tasks from checkpoints
+        await self._recover_pending_tasks(session)
+
+        logger.info(
+            "Recovered session",
+            session_id=session.session_id[:8],
+            checkpoints=len(session.checkpoints)
+        )
+
+        return session
+
+    async def _recover_pending_tasks(self, session: AgentSession) -> None:
+        """Recovers pending tasks from session checkpoints"""
+        for checkpoint in reversed(session.checkpoints):
+            if checkpoint.name == "task_queued":
+                task_id = checkpoint.data.get("task_id")
+                if task_id and task_id in self._tasks:
+                    task = self._tasks[task_id]
+                    if task.state == TaskState.QUEUED:
+                        # Re-process queued task
+                        await self.process_task(task)
+                        logger.info(
+                            "Recovered pending task",
+                            task_id=task_id[:8]
+                        )
diff --git a/voice-service/services/enhanced_task_orchestrator.py b/voice-service/services/enhanced_task_orchestrator.py
index 6a29992..967cd7e 100644
--- a/voice-service/services/enhanced_task_orchestrator.py
+++ b/voice-service/services/enhanced_task_orchestrator.py
@@ -6,31 +6,33 @@ Extends the existing TaskOrchestrator with Multi-Agent support:
 - Message bus integration for inter-agent communication
 - Quality judge integration via BQAS
 - Heartbeat-based liveness
+
+Helper methods (routing, quality checks, recovery) are in
+enhanced_task_helpers.py via EnhancedTaskHelpersMixin.
 """
 
 import structlog
-import asyncio
 from typing import Optional, Dict, Any
-from datetime import datetime
 
-from services.task_orchestrator import TaskOrchestrator, Intent
+from services.task_orchestrator import TaskOrchestrator
+from services.enhanced_task_helpers import EnhancedTaskHelpersMixin
 from models.task import Task, TaskState
 
 # Import agent-core components
 import sys
 sys.path.insert(0, '/Users/benjaminadmin/Projekte/breakpilot-pwa/agent-core')
 
-from sessions.session_manager import SessionManager, AgentSession, SessionState
+from sessions.session_manager import SessionManager, AgentSession
 from sessions.heartbeat import HeartbeatMonitor, HeartbeatClient
 from brain.memory_store import MemoryStore
-from brain.context_manager import ContextManager, MessageRole
-from orchestrator.message_bus import MessageBus, AgentMessage, MessagePriority
-from orchestrator.task_router import TaskRouter, RoutingStrategy
+from brain.context_manager import ContextManager
+from orchestrator.message_bus import MessageBus
+from orchestrator.task_router import TaskRouter
 
 logger = structlog.get_logger(__name__)
 
 
-class EnhancedTaskOrchestrator(TaskOrchestrator):
+class EnhancedTaskOrchestrator(EnhancedTaskHelpersMixin, TaskOrchestrator):
     """
     Enhanced TaskOrchestrator with Multi-Agent support.
 
@@ -39,6 +41,8 @@ class EnhancedTaskOrchestrator(TaskOrchestrator):
     - Message bus for inter-agent communication
     - Quality judge for response validation
     - Memory store for long-term learning
+
+    Internal helper methods are provided by EnhancedTaskHelpersMixin.
     """
 
     def __init__(
@@ -273,247 +277,3 @@ class EnhancedTaskOrchestrator(TaskOrchestrator):
                 "state": task.state.value
             })
             await self.session_manager.update_session(session)
-
-    def _needs_specialized_agent(self, task: Task) -> bool:
-        """Check if task needs routing to a specialized agent"""
-        from models.task import TaskType
-
-        # Tasks that benefit from specialized agents
-        specialized_types = [
-            TaskType.PARENT_LETTER,      # Could use grader for tone
-            TaskType.FEEDBACK_SUGGEST,   # Quality judge for appropriateness
-        ]
-
-        return task.type in specialized_types
-
-    def _needs_quality_check(self, task: Task) -> bool:
-        """Check if task result needs quality validation"""
-        from models.task import TaskType
-
-        # Tasks that generate content should be checked
-        content_types = [
-            TaskType.PARENT_LETTER,
-            TaskType.CLASS_MESSAGE,
-            TaskType.FEEDBACK_SUGGEST,
-            TaskType.WORKSHEET_GENERATE,
-        ]
-
-        return task.type in content_types
-
-    async def _route_to_agent(
-        self,
-        task: Task,
-        session: Optional[AgentSession]
-    ) -> None:
-        """Routes a task to a specialized agent"""
-        # Determine target agent
-        intent = f"task_{task.type.value}"
-        routing_result = await self.task_router.route(
-            intent=intent,
-            context={"task": task.parameters},
-            strategy=RoutingStrategy.LEAST_LOADED
-        )
-
-        if not routing_result.success:
-            # Fall back to local processing
-            logger.warning(
-                "No agent available for task, using local processing",
-                task_id=task.id[:8],
-                reason=routing_result.reason
-            )
-            await super().process_task(task)
-            return
-
-        # Send to agent via message bus
-        try:
-            response = await self.message_bus.request(
-                AgentMessage(
-                    sender="voice-orchestrator",
-                    receiver=routing_result.agent_id,
-                    message_type=f"process_{task.type.value}",
-                    payload={
-                        "task_id": task.id,
-                        "task_type": task.type.value,
-                        "parameters": task.parameters,
-                        "session_id": session.session_id if session else None
-                    },
-                    priority=MessagePriority.NORMAL
-                ),
-                timeout=30.0
-            )
-
-            task.result_ref = response.get("result", "")
-            task.transition_to(TaskState.READY, "agent_processed")
-
-        except asyncio.TimeoutError:
-            logger.error(
-                "Agent timeout, falling back to local",
-                task_id=task.id[:8],
-                agent=routing_result.agent_id
-            )
-            await super().process_task(task)
-
-    async def _run_quality_check(
-        self,
-        task: Task,
-        session: Optional[AgentSession]
-    ) -> None:
-        """Runs quality check on task result via quality judge"""
-        try:
-            response = await self.message_bus.request(
-                AgentMessage(
-                    sender="voice-orchestrator",
-                    receiver="quality-judge",
-                    message_type="evaluate_response",
-                    payload={
-                        "task_id": task.id,
-                        "task_type": task.type.value,
-                        "response": task.result_ref,
-                        "context": task.parameters
-                    },
-                    priority=MessagePriority.NORMAL
-                ),
-                timeout=10.0
-            )
-
-            quality_score = response.get("composite_score", 0)
-
-            if quality_score < 60:
-                # Mark for review
-                task.error_message = f"Quality check failed: {quality_score}"
-                logger.warning(
-                    "Task failed quality check",
-                    task_id=task.id[:8],
-                    score=quality_score
-                )
-
-        except asyncio.TimeoutError:
-            # Quality check timeout is non-fatal
-            logger.warning(
-                "Quality check timeout",
-                task_id=task.id[:8]
-            )
-
-    async def _store_task_result(self, task: Task) -> None:
-        """Stores task result in memory for learning"""
-        await self.memory_store.remember(
-            key=f"task:{task.type.value}:{task.id}",
-            value={
-                "result": task.result_ref,
-                "parameters": task.parameters,
-                "completed_at": datetime.utcnow().isoformat()
-            },
-            agent_id="voice-orchestrator",
-            ttl_days=30
-        )
-
-    async def _handle_agent_message(
-        self,
-        message: AgentMessage
-    ) -> Optional[Dict[str, Any]]:
-        """Handles incoming messages from other agents"""
-        logger.debug(
-            "Received agent message",
-            sender=message.sender,
-            type=message.message_type
-        )
-
-        if message.message_type == "task_status_update":
-            # Handle task status updates
-            task_id = message.payload.get("task_id")
-            if task_id in self._tasks:
-                task = self._tasks[task_id]
-                new_state = message.payload.get("state")
-                if new_state:
-                    task.transition_to(TaskState(new_state), "agent_update")
-
-        return None
-
-    def _get_system_prompt(self) -> str:
-        """Returns the system prompt for the voice assistant"""
-        return """Du bist ein hilfreicher Assistent für Lehrer in der Breakpilot-App.
-
-Deine Aufgaben:
-- Hilf beim Erstellen von Arbeitsblättern
-- Unterstütze bei der Korrektur
-- Erstelle Elternbriefe und Klassennachrichten
-- Dokumentiere Beobachtungen und Erinnerungen
-
-Halte dich kurz und präzise. Nutze einfache, klare Sprache.
-Bei Unklarheiten frage nach."""
-
-    # Recovery methods
-
-    async def recover_session(
-        self,
-        voice_session_id: str,
-        session_id: str
-    ) -> Optional[AgentSession]:
-        """
-        Recovers a session from checkpoint.
-
-        Args:
-            voice_session_id: The voice session ID
-            session_id: The agent session ID to recover
-
-        Returns:
-            The recovered session or None
-        """
-        session = await self.session_manager.get_session(session_id)
-
-        if not session:
-            logger.warning(
-                "Session not found for recovery",
-                session_id=session_id
-            )
-            return None
-
-        if session.state != SessionState.ACTIVE:
-            logger.warning(
-                "Session not active for recovery",
-                session_id=session_id,
-                state=session.state.value
-            )
-            return None
-
-        # Resume session
-        session.resume()
-
-        # Restore heartbeat
-        heartbeat_client = HeartbeatClient(
-            session_id=session.session_id,
-            monitor=self.heartbeat,
-            interval_seconds=10
-        )
-        await heartbeat_client.start()
-        self.heartbeat.register(session.session_id, "voice-orchestrator")
-
-        # Store references
-        self._voice_sessions[voice_session_id] = session
-        self._heartbeat_clients[session.session_id] = heartbeat_client
-
-        # Recover pending tasks from checkpoints
-        await self._recover_pending_tasks(session)
-
-        logger.info(
-            "Recovered session",
-            session_id=session.session_id[:8],
-            checkpoints=len(session.checkpoints)
-        )
-
-        return session
-
-    async def _recover_pending_tasks(self, session: AgentSession) -> None:
-        """Recovers pending tasks from session checkpoints"""
-        for checkpoint in reversed(session.checkpoints):
-            if checkpoint.name == "task_queued":
-                task_id = checkpoint.data.get("task_id")
-                if task_id and task_id in self._tasks:
-                    task = self._tasks[task_id]
-                    if task.state == TaskState.QUEUED:
-                        # Re-process queued task
-                        await self.process_task(task)
-                        logger.info(
-                            "Recovered pending task",
-                            task_id=task_id[:8]
-                        )