fix: Restore all files lost during destructive rebase

A previous `git pull --rebase origin main` dropped 177 local commits,
losing 3400+ files across admin-v2, backend, studio-v2, website,
klausur-service, and many other services. The partial restore attempt
(660295e2) only recovered some files.

This commit restores all missing files from pre-rebase ref 98933f5e
while preserving post-rebase additions (night-scheduler, night-mode UI,
NightModeWidget dashboard integration).

Restored features include:
- AI Module Sidebar (FAB), OCR Labeling, OCR Compare
- GPU Dashboard, RAG Pipeline, Magic Help
- Klausur-Korrektur (8 files), Abitur-Archiv (5+ files)
- Companion, Zeugnisse-Crawler, Screen Flow
- Full backend, studio-v2, website, klausur-service
- All compliance SDKs, agent-core, voice-service
- CI/CD configs, documentation, scripts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ai-compliance-sdk/internal/rbac/models.go

@@ -0,0 +1,197 @@
+package rbac
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// IsolationLevel defines namespace isolation strictness
+type IsolationLevel string
+
+const (
+	IsolationStrict IsolationLevel = "strict"
+	IsolationShared IsolationLevel = "shared"
+	IsolationPublic IsolationLevel = "public"
+)
+
+// DataClassification defines data sensitivity levels
+type DataClassification string
+
+const (
+	ClassificationPublic       DataClassification = "public"
+	ClassificationInternal     DataClassification = "internal"
+	ClassificationConfidential DataClassification = "confidential"
+	ClassificationRestricted   DataClassification = "restricted"
+)
+
+// TenantStatus defines tenant status
+type TenantStatus string
+
+const (
+	TenantStatusActive    TenantStatus = "active"
+	TenantStatusSuspended TenantStatus = "suspended"
+	TenantStatusInactive  TenantStatus = "inactive"
+)
+
+// PIIRedactionLevel defines PII redaction strictness
+type PIIRedactionLevel string
+
+const (
+	PIIRedactionStrict   PIIRedactionLevel = "strict"
+	PIIRedactionModerate PIIRedactionLevel = "moderate"
+	PIIRedactionMinimal  PIIRedactionLevel = "minimal"
+	PIIRedactionNone     PIIRedactionLevel = "none"
+)
+
+// Tenant represents a customer/organization (Mandant)
+type Tenant struct {
+	ID              uuid.UUID      `json:"id" db:"id"`
+	Name            string         `json:"name" db:"name"`
+	Slug            string         `json:"slug" db:"slug"`
+	Settings        map[string]any `json:"settings" db:"settings"`
+	MaxUsers        int            `json:"max_users" db:"max_users"`
+	LLMQuotaMonthly int            `json:"llm_quota_monthly" db:"llm_quota_monthly"`
+	Status          TenantStatus   `json:"status" db:"status"`
+	CreatedAt       time.Time      `json:"created_at" db:"created_at"`
+	UpdatedAt       time.Time      `json:"updated_at" db:"updated_at"`
+}
+
+// Namespace represents a department/division within a tenant (z.B. Finance, HR, IT)
+type Namespace struct {
+	ID                uuid.UUID          `json:"id" db:"id"`
+	TenantID          uuid.UUID          `json:"tenant_id" db:"tenant_id"`
+	Name              string             `json:"name" db:"name"`
+	Slug              string             `json:"slug" db:"slug"`
+	ParentNamespaceID *uuid.UUID         `json:"parent_namespace_id,omitempty" db:"parent_namespace_id"`
+	IsolationLevel    IsolationLevel     `json:"isolation_level" db:"isolation_level"`
+	DataClassification DataClassification `json:"data_classification" db:"data_classification"`
+	Metadata          map[string]any     `json:"metadata,omitempty" db:"metadata"`
+	CreatedAt         time.Time          `json:"created_at" db:"created_at"`
+	UpdatedAt         time.Time          `json:"updated_at" db:"updated_at"`
+}
+
+// Role defines a set of permissions
+type Role struct {
+	ID             uuid.UUID  `json:"id" db:"id"`
+	TenantID       *uuid.UUID `json:"tenant_id,omitempty" db:"tenant_id"` // nil for system roles
+	Name           string     `json:"name" db:"name"`
+	Description    string     `json:"description,omitempty" db:"description"`
+	Permissions    []string   `json:"permissions" db:"permissions"`
+	IsSystemRole   bool       `json:"is_system_role" db:"is_system_role"`
+	HierarchyLevel int        `json:"hierarchy_level" db:"hierarchy_level"`
+	CreatedAt      time.Time  `json:"created_at" db:"created_at"`
+	UpdatedAt      time.Time  `json:"updated_at" db:"updated_at"`
+}
+
+// UserRole represents a user's role assignment with optional namespace scope
+type UserRole struct {
+	ID          uuid.UUID  `json:"id" db:"id"`
+	UserID      uuid.UUID  `json:"user_id" db:"user_id"`
+	RoleID      uuid.UUID  `json:"role_id" db:"role_id"`
+	TenantID    uuid.UUID  `json:"tenant_id" db:"tenant_id"`
+	NamespaceID *uuid.UUID `json:"namespace_id,omitempty" db:"namespace_id"` // nil = tenant-wide
+	GrantedBy   uuid.UUID  `json:"granted_by" db:"granted_by"`
+	ExpiresAt   *time.Time `json:"expires_at,omitempty" db:"expires_at"`
+	CreatedAt   time.Time  `json:"created_at" db:"created_at"`
+
+	// Joined fields (populated by queries)
+	RoleName        string   `json:"role_name,omitempty" db:"role_name"`
+	RolePermissions []string `json:"role_permissions,omitempty" db:"role_permissions"`
+	NamespaceName   string   `json:"namespace_name,omitempty" db:"namespace_name"`
+}
+
+// LLMPolicy defines access controls for LLM operations
+type LLMPolicy struct {
+	ID                    uuid.UUID         `json:"id" db:"id"`
+	TenantID              uuid.UUID         `json:"tenant_id" db:"tenant_id"`
+	NamespaceID           *uuid.UUID        `json:"namespace_id,omitempty" db:"namespace_id"`
+	Name                  string            `json:"name" db:"name"`
+	Description           string            `json:"description,omitempty" db:"description"`
+	AllowedDataCategories []string          `json:"allowed_data_categories" db:"allowed_data_categories"`
+	BlockedDataCategories []string          `json:"blocked_data_categories" db:"blocked_data_categories"`
+	RequirePIIRedaction   bool              `json:"require_pii_redaction" db:"require_pii_redaction"`
+	PIIRedactionLevel     PIIRedactionLevel `json:"pii_redaction_level" db:"pii_redaction_level"`
+	AllowedModels         []string          `json:"allowed_models" db:"allowed_models"`
+	MaxTokensPerRequest   int               `json:"max_tokens_per_request" db:"max_tokens_per_request"`
+	MaxRequestsPerDay     int               `json:"max_requests_per_day" db:"max_requests_per_day"`
+	MaxRequestsPerHour    int               `json:"max_requests_per_hour" db:"max_requests_per_hour"`
+	IsActive              bool              `json:"is_active" db:"is_active"`
+	Priority              int               `json:"priority" db:"priority"`
+	CreatedAt             time.Time         `json:"created_at" db:"created_at"`
+	UpdatedAt             time.Time         `json:"updated_at" db:"updated_at"`
+}
+
+// APIKey represents an API key for SDK access
+type APIKey struct {
+	ID                   uuid.UUID   `json:"id" db:"id"`
+	TenantID             uuid.UUID   `json:"tenant_id" db:"tenant_id"`
+	Name                 string      `json:"name" db:"name"`
+	KeyHash              string      `json:"-" db:"key_hash"` // Never expose
+	KeyPrefix            string      `json:"key_prefix" db:"key_prefix"`
+	Permissions          []string    `json:"permissions" db:"permissions"`
+	NamespaceRestrictions []uuid.UUID `json:"namespace_restrictions,omitempty" db:"namespace_restrictions"`
+	RateLimitPerHour     int         `json:"rate_limit_per_hour" db:"rate_limit_per_hour"`
+	ExpiresAt            *time.Time  `json:"expires_at,omitempty" db:"expires_at"`
+	LastUsedAt           *time.Time  `json:"last_used_at,omitempty" db:"last_used_at"`
+	IsActive             bool        `json:"is_active" db:"is_active"`
+	CreatedBy            uuid.UUID   `json:"created_by" db:"created_by"`
+	CreatedAt            time.Time   `json:"created_at" db:"created_at"`
+}
+
+// EffectivePermissions represents a user's computed permissions
+type EffectivePermissions struct {
+	UserID      uuid.UUID            `json:"user_id"`
+	TenantID    uuid.UUID            `json:"tenant_id"`
+	NamespaceID *uuid.UUID           `json:"namespace_id,omitempty"`
+	Permissions []string             `json:"permissions"`
+	Roles       []string             `json:"roles"`
+	LLMPolicy   *LLMPolicy           `json:"llm_policy,omitempty"`
+	Namespaces  []NamespaceAccess    `json:"namespaces,omitempty"`
+}
+
+// NamespaceAccess represents a user's access to a namespace
+type NamespaceAccess struct {
+	NamespaceID        uuid.UUID          `json:"namespace_id"`
+	NamespaceName      string             `json:"namespace_name"`
+	NamespaceSlug      string             `json:"namespace_slug"`
+	DataClassification DataClassification `json:"data_classification"`
+	Roles              []string           `json:"roles"`
+	Permissions        []string           `json:"permissions"`
+}
+
+// System role names (predefined)
+const (
+	RoleComplianceExecutive      = "compliance_executive"
+	RoleComplianceOfficer        = "compliance_officer"
+	RoleDataProtectionOfficer    = "data_protection_officer"
+	RoleNamespaceAdmin           = "namespace_admin"
+	RoleAuditor                  = "auditor"
+	RoleComplianceUser           = "compliance_user"
+)
+
+// Common permission patterns
+const (
+	PermissionComplianceAll      = "compliance:*"
+	PermissionComplianceRead     = "compliance:read"
+	PermissionComplianceWrite    = "compliance:write"
+	PermissionComplianceOwnRead  = "compliance:own:read"
+	PermissionAuditAll           = "audit:*"
+	PermissionAuditRead          = "audit:read"
+	PermissionAuditLogRead       = "audit:log:read"
+	PermissionLLMAll             = "llm:*"
+	PermissionLLMQuery           = "llm:query:execute"
+	PermissionLLMOwnQuery        = "llm:own:query"
+	PermissionNamespaceRead      = "namespace:read"
+	PermissionNamespaceOwnAdmin  = "namespace:own:admin"
+)
+
+// Data categories for LLM access control
+const (
+	DataCategorySalary    = "salary"
+	DataCategoryHealth    = "health"
+	DataCategoryPersonal  = "personal"
+	DataCategoryFinancial = "financial"
+	DataCategoryLegal     = "legal"
+	DataCategoryHR        = "hr"
+)