2026-03-30 07:11:17 +00:00 · 2026-03-29 21:08:19 +00:00 · 2026-03-29 21:18:23 +00:00 · 2026-03-29 21:18:18 +00:00 · 2026-03-29 21:18:23 +00:00 · 2026-03-29 21:18:18 +00:00
8 changed files with 890 additions and 6 deletions
--- a/CERTifAI_Investor_OnePager_DE.pdf
+++ b/CERTifAI_Investor_OnePager_DE.pdf
--- a/CERTifAI_Investor_OnePager_EN.pdf
+++ b/CERTifAI_Investor_OnePager_EN.pdf
--- a/compliance-agent/src/llm/fixes.rs
+++ b/compliance-agent/src/llm/fixes.rs
@@ -11,9 +11,18 @@ Rules:
 - The fix must be a drop-in replacement for the vulnerable code
 - Preserve the original code's style, indentation, and naming conventions
 - Add at most one brief inline comment on the changed line explaining the security fix
- If the fix requires importing a new module, include the import statement on a separate line prefixed with "// Add import: "
+- If the fix requires importing a new module, include the import on a separate line prefixed with the language's comment syntax + "Add import: "
 - Do not refactor, rename variables, or "improve" unrelated code
- If the vulnerability is a false positive and the code is actually safe, return the original code unchanged with a comment "// No fix needed: <reason>""#;
+- If the vulnerability is a false positive and the code is actually safe, return the original code unchanged with a comment explaining why no fix is needed
+
+Language-specific fix guidance:
+- Rust: use `?` for error propagation, prefer `SecretString` for secrets, use parameterized queries with `sqlx`/`diesel`
+- Python: use parameterized queries (never f-strings in SQL), use `secrets` module not `random`, use `subprocess.run([...])` list form, use `markupsafe.escape()` for HTML
+- Go: use `sql.Query` with `$1`/`?` placeholders, use `crypto/rand` not `math/rand`, use `html/template` not `text/template`, return errors don't panic
+- Java/Kotlin: use `PreparedStatement` with `?` params, use `SecureRandom`, use `Jsoup.clean()` for HTML sanitization, use `@Valid` for input validation
+- Ruby: use ActiveRecord parameterized finders, use `SecureRandom`, use `ERB::Util.html_escape`, use `strong_parameters`
+- PHP: use PDO prepared statements with `:param` or `?`, use `random_bytes()`/`random_int()`, use `htmlspecialchars()` with `ENT_QUOTES`, use `password_hash(PASSWORD_BCRYPT)`
+- C/C++: use `snprintf` not `sprintf`, use bounds-checked APIs, free resources in reverse allocation order, use `memset_s` for secret cleanup"#;

 pub async fn suggest_fix(llm: &Arc<LlmClient>, finding: &Finding) -> Result<String, AgentError> {
    let user_prompt = format!(
--- a/compliance-agent/src/llm/review_prompts.rs
+++ b/compliance-agent/src/llm/review_prompts.rs
@@ -15,9 +15,17 @@ Do NOT report:
 - Style, naming, formatting, documentation, or code organization preferences
 - Theoretical issues without a concrete triggering scenario
 - "Potential" problems that require assumptions not supported by the visible code
- Language-idiomatic patterns (e.g. Rust's `||` short-circuit evaluation, variable shadowing, `impl` patterns)
 - Complexity or function length — that's a separate review pass

+Language-idiomatic patterns that are NOT bugs (do not flag these):
+- Rust: `||`/`&&` short-circuit evaluation, variable shadowing, `let` rebinding, `clone()`, `impl` blocks, `match` arms with guards, `?` operator chaining, `unsafe` blocks with safety comments
+- Python: duck typing, EAFP pattern (try/except vs check-first), `*args`/`**kwargs`, walrus operator `:=`, truthiness checks on containers, bare `except:` in top-level handlers
+- Go: multiple return values for errors, `if err != nil` patterns, goroutine + channel patterns, blank identifier `_`, named returns, `defer` for cleanup, `init()` functions
+- Java/Kotlin: checked exception patterns, method overloading, `Optional` vs null checks, Kotlin `?.` safe calls, `!!` non-null assertions in tests, `when` exhaustive matching, companion objects, `lateinit`
+- Ruby: monkey patching in libraries, method_missing, blocks/procs/lambdas, `rescue => e` patterns, `send`/`respond_to?` metaprogramming, `nil` checks via `&.` safe navigation
+- PHP: loose comparisons with `==` (only flag if `===` was clearly intended), `@` error suppression in legacy code, `isset()`/`empty()` patterns, magic methods (`__get`, `__call`), array functions as callbacks
+- C/C++: RAII patterns, move semantics, `const_cast`/`static_cast` in appropriate contexts, macro usage for platform compat, pointer arithmetic in low-level code, `goto` for cleanup in C
+
 Severity guide:
 - high: Will cause incorrect behavior in normal usage
 - medium: Will cause incorrect behavior in edge cases
@@ -47,9 +55,18 @@ Do NOT report:
 - Logging of non-sensitive operational data (finding titles, counts, performance metrics)
 - "Information disclosure" for data that is already public or user-facing
 - Code style, performance, or general quality issues
- Missing validation on internal function parameters (trust the caller within the same crate)
+- Missing validation on internal function parameters (trust the caller within the same module/crate/package)
 - Theoretical attacks that require preconditions not present in the code

+Language-specific patterns that are NOT vulnerabilities (do not flag these):
+- Python: `pickle` used on trusted internal data, `eval()`/`exec()` on hardcoded strings, `subprocess` with hardcoded commands, Django `mark_safe()` on static content, `assert` in non-security contexts
+- Go: `crypto/rand` is secure (don't confuse with `math/rand`), `sql.DB` with parameterized queries is safe, `http.ListenAndServe` without TLS in dev/internal, error strings in responses (Go convention)
+- Java/Kotlin: Spring Security annotations are sufficient auth checks, `@Transactional` provides atomicity, JPA parameterized queries are safe, Kotlin `require()`/`check()` are assertion patterns not vulnerabilities
+- Ruby: Rails `params.permit()` is input validation, `render html:` with `html_safe` on generated content, ActiveRecord parameterized finders are safe, Devise/Warden patterns for auth
+- PHP: PDO prepared statements are safe, Laravel Eloquent is parameterized, `htmlspecialchars()` is XSS mitigation, Symfony security voters are auth checks, `password_hash()`/`password_verify()` are correct bcrypt usage
+- C/C++: `strncpy`/`snprintf` are bounds-checked (vs `strcpy`/`sprintf`), smart pointers manage memory, RAII handles cleanup, `static_assert` is compile-time only, OpenSSL with proper context setup
+- Rust: `sha2`/`blake3` for fingerprinting is not "weak crypto", `unsafe` with documented invariants, `secrecy::SecretString` properly handles secrets
+
 Severity guide:
 - critical: Remote code execution, auth bypass, or data breach with no preconditions
 - high: Exploitable vulnerability requiring minimal preconditions
@@ -73,9 +90,17 @@ Do NOT report:
 - Style preferences, formatting, naming conventions, or documentation
 - Code organization suggestions ("this function should be split")
 - Patterns that are valid in the language even if you'd write them differently
- Rust-specific: variable shadowing, `||`/`&&` short-circuit, `let` rebinding, builder patterns, `clone()` usage
 - "Missing type annotations" unless the code literally won't compile or causes a type inference bug

+Language-specific patterns that are conventional (do not flag these):
+- Rust: variable shadowing, `||`/`&&` short-circuit, `let` rebinding, builder patterns, `clone()`, `From`/`Into` impl chains, `#[allow(...)]` attributes
+- Python: `**kwargs` forwarding, `@property` setters, `__dunder__` methods, list comprehensions with conditions, `if TYPE_CHECKING` imports, `noqa` comments
+- Go: stuttering names (`http.HTTPClient`) discouraged but not a bug, `context.Context` as first param, init() functions, `//nolint` directives, returning concrete types vs interfaces in internal code
+- Java/Kotlin: builder pattern boilerplate, Lombok annotations (`@Data`, `@Builder`), Kotlin data classes, `companion object` factories, `@Suppress` annotations, checked exception wrapping
+- Ruby: `attr_accessor` usage, `Enumerable` mixin patterns, `module_function`, `class << self` syntax, DSL blocks (Rake, RSpec, Sinatra routes)
+- PHP: `__construct` with property promotion, Laravel facades, static factory methods, nullable types with `?`, attribute syntax `#[...]`
+- C/C++: header guards vs `#pragma once`, forward declarations, `const` correctness patterns, template specialization, `auto` type deduction
+
 Severity guide:
 - medium: Convention violation that will likely cause a bug or maintenance problem
 - low: Convention violation that is a minor concern
--- a/compliance-agent/src/llm/triage.rs
+++ b/compliance-agent/src/llm/triage.rs
@@ -17,13 +17,23 @@ Actions:
 - "dismiss": False positive, not exploitable, or not actionable. Remove it.

 Dismiss when:
- The scanner flagged a language idiom as a bug (e.g. Rust short-circuit `||`, variable shadowing, `clone()`)
+- The scanner flagged a language idiom as a bug (see examples below)
 - The finding is in test/example/generated/vendored code
 - The "vulnerability" requires preconditions that don't exist in the code
 - The finding is about code style, complexity, or theoretical concerns rather than actual bugs
 - A hash function is used for non-security purposes (dedup, caching, content addressing)
 - Internal logging of non-sensitive operational data is flagged as "information disclosure"
 - The finding duplicates another finding already in the list
+- Framework-provided security is already in place (e.g. ORM parameterized queries, CSRF middleware, auth decorators)
+
+Common false positive patterns by language (dismiss these):
+- Rust: short-circuit `||`/`&&`, variable shadowing, `clone()`, `unsafe` with safety docs, `sha2` for fingerprinting
+- Python: EAFP try/except, `subprocess` with hardcoded args, `pickle` on trusted data, Django `mark_safe` on static content
+- Go: `if err != nil` is not "swallowed error", `crypto/rand` is secure, returning errors is not "information disclosure"
+- Java/Kotlin: Spring Security annotations are valid auth, JPA parameterized queries are safe, Kotlin `!!` in tests is fine
+- Ruby: Rails `params.permit` is validation, ActiveRecord finders are parameterized, `html_safe` on generated content
+- PHP: PDO prepared statements are safe, Laravel Eloquent is parameterized, `htmlspecialchars` is XSS mitigation
+- C/C++: `strncpy`/`snprintf` are bounds-checked, smart pointers manage memory, RAII handles cleanup

 Confirm only when:
 - You can describe a concrete scenario where the bug manifests or the vulnerability is exploitable
--- a/onepager_de.html
+++ b/onepager_de.html
@@ -0,0 +1,419 @@
+<!DOCTYPE html>
+<html lang="de">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>CERTifAI — Investor One-Pager</title>
+<link href="https://fonts.googleapis.com/css2?family=Plus+Jakarta+Sans:wght@300;400;500;600;700;800&display=swap" rel="stylesheet">
+<style>
+  @page { size: A4; margin: 0; }
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body {
+    font-family: 'Plus Jakarta Sans', -apple-system, sans-serif;
+    background: #fff;
+    color: #1a1a2e;
+    width: 210mm;
+    height: 297mm;
+    overflow: hidden;
+    position: relative;
+  }
+
+  .top-bar {
+    height: 6px;
+    background: linear-gradient(90deg, #6366f1, #8b5cf6, #a78bfa, #06b6d4);
+  }
+
+  .container { padding: 16px 34px 10px; }
+
+  .header {
+    display: flex;
+    justify-content: space-between;
+    align-items: flex-start;
+    margin-bottom: 10px;
+  }
+  .logo-area h1 {
+    font-size: 26px;
+    font-weight: 800;
+    letter-spacing: -1px;
+    color: #4f46e5;
+  }
+  .logo-area .tagline {
+    font-size: 11px;
+    color: #64748b;
+    margin-top: 1px;
+  }
+  .contact-info {
+    text-align: right;
+    font-size: 9px;
+    color: #94a3b8;
+    line-height: 1.5;
+  }
+
+  .hero {
+    background: linear-gradient(135deg, #eef2ff, #f0f9ff);
+    border-radius: 10px;
+    padding: 10px 16px;
+    margin-bottom: 10px;
+    border-left: 4px solid #6366f1;
+  }
+  .hero p {
+    font-size: 11px;
+    line-height: 1.4;
+    color: #334155;
+  }
+  .hero strong { color: #4f46e5; font-weight: 700; }
+
+  .columns {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 12px;
+    margin-bottom: 9px;
+  }
+
+  .product-card {
+    border: 1px solid #e2e8f0;
+    border-radius: 10px;
+    padding: 10px 13px;
+    position: relative;
+    overflow: hidden;
+  }
+  .product-card::before {
+    content: '';
+    position: absolute;
+    top: 0; left: 0; right: 0;
+    height: 3px;
+  }
+  .product-card.scanner::before { background: linear-gradient(90deg, #6366f1, #8b5cf6); }
+  .product-card.platform::before { background: linear-gradient(90deg, #06b6d4, #0ea5e9); }
+  .product-card h2 {
+    font-size: 13px;
+    font-weight: 800;
+    margin-bottom: 1px;
+  }
+  .product-card.scanner h2 { color: #4f46e5; }
+  .product-card.platform h2 { color: #0891b2; }
+  .product-card .subtitle {
+    font-size: 9px;
+    color: #94a3b8;
+    margin-bottom: 6px;
+    font-weight: 600;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  }
+  .product-card ul { list-style: none; padding: 0; }
+  .product-card li {
+    font-size: 9.5px;
+    line-height: 1.25;
+    padding: 1.8px 0;
+    padding-left: 13px;
+    position: relative;
+    color: #475569;
+  }
+  .product-card li::before {
+    content: '';
+    position: absolute;
+    left: 0;
+    top: 6.5px;
+    width: 5px;
+    height: 5px;
+    border-radius: 50%;
+  }
+  .product-card.scanner li::before { background: #818cf8; }
+  .product-card.platform li::before { background: #22d3ee; }
+
+  .metrics {
+    display: grid;
+    grid-template-columns: repeat(5, 1fr);
+    gap: 8px;
+    margin-bottom: 9px;
+  }
+  .metric {
+    text-align: center;
+    padding: 8px 4px;
+    border-radius: 8px;
+    background: #f8fafc;
+    border: 1px solid #e2e8f0;
+  }
+  .metric .number {
+    font-size: 17px;
+    font-weight: 800;
+    color: #4f46e5;
+  }
+  .metric .label {
+    font-size: 8px;
+    color: #64748b;
+    margin-top: 1px;
+    font-weight: 500;
+    text-transform: uppercase;
+    letter-spacing: 0.3px;
+  }
+
+  .diff-section { margin-bottom: 9px; }
+  .section-title {
+    font-size: 10.5px;
+    font-weight: 700;
+    color: #1e293b;
+    margin-bottom: 5px;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  }
+  .diff-grid {
+    display: grid;
+    grid-template-columns: repeat(3, 1fr);
+    gap: 6px;
+  }
+  .diff-item {
+    padding: 7px 9px;
+    border-radius: 7px;
+    background: linear-gradient(135deg, #faf5ff, #f0f9ff);
+    border: 1px solid #e0e7ff;
+  }
+  .diff-item .diff-title {
+    font-size: 9px;
+    font-weight: 700;
+    color: #4f46e5;
+    margin-bottom: 1px;
+  }
+  .diff-item .diff-desc {
+    font-size: 8px;
+    color: #64748b;
+    line-height: 1.25;
+  }
+
+  .roadmap { margin-bottom: 9px; }
+  .roadmap-grid {
+    display: grid;
+    grid-template-columns: repeat(4, 1fr);
+    gap: 6px;
+  }
+  .roadmap-item {
+    padding: 6px 9px;
+    border-radius: 7px;
+    border: 1px dashed #c7d2fe;
+    background: #fefce8;
+  }
+  .roadmap-item .rm-title {
+    font-size: 9px;
+    font-weight: 700;
+    color: #92400e;
+    margin-bottom: 1px;
+  }
+  .roadmap-item .rm-desc {
+    font-size: 7.5px;
+    color: #78716c;
+    line-height: 1.25;
+  }
+
+  .bottom-row {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 12px;
+    margin-bottom: 6px;
+  }
+  .bottom-section .section-title { margin-bottom: 4px; }
+  .bottom-section ul { list-style: none; padding: 0; }
+  .bottom-section li {
+    font-size: 9px;
+    color: #475569;
+    padding: 1.5px 0;
+    padding-left: 11px;
+    position: relative;
+    line-height: 1.3;
+  }
+  .bottom-section li::before {
+    content: '→';
+    position: absolute;
+    left: 0;
+    color: #8b5cf6;
+    font-weight: 700;
+  }
+
+  .footer {
+    position: absolute;
+    bottom: 0;
+    left: 0;
+    right: 0;
+    padding: 9px 34px;
+    background: #f8fafc;
+    border-top: 1px solid #e2e8f0;
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+  }
+  .footer .conf {
+    font-size: 8px;
+    color: #94a3b8;
+    font-weight: 500;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  }
+  .footer .date {
+    font-size: 8px;
+    color: #94a3b8;
+  }
+</style>
+</head>
+<body>
+<div class="top-bar"></div>
+<div class="container">
+
+  <div class="header">
+    <div class="logo-area">
+      <h1>CERTifAI</h1>
+      <div class="tagline">KI-native Sicherheits- & Compliance-Plattform</div>
+    </div>
+    <div class="contact-info">
+      Vertraulich — Nur für Investoren<br>
+      März 2026
+    </div>
+  </div>
+
+  <div class="hero">
+    <p>
+      CERTifAI ist eine <strong>DSGVO-konforme, datensouveräne KI-Plattform</strong>, die autonomes
+      Sicherheitsscanning mit intelligenter Compliance-Automatisierung vereint. Wir helfen Unternehmen,
+      ihren <strong>Code abzusichern</strong>, <strong>Compliance skalierbar durchzusetzen</strong> und
+      <strong>volle Datensouveränität zu bewahren</strong> — gestützt auf über 200 atomare Sicherheitskontrollen,
+      KI-gesteuerte Triage und einen lückenlosen Audit-Trail für jeden Befund.
+    </p>
+  </div>
+
+  <div class="columns">
+    <div class="product-card scanner">
+      <h2>Compliance Scanner</h2>
+      <div class="subtitle">Autonomer KI-Sicherheitsagent</div>
+      <ul>
+        <li><strong>200+ atomare Kontrollen</strong> — Feingranulare Sicherheitsprüfungen mit vollständiger Herkunftsverfolgung</li>
+        <li><strong>SAST + DAST + SBOM</strong> — Vollumfängliche Sicherheitstests mit Schwachstellenverfolgung</li>
+        <li><strong>KI-gesteuerte Pentests</strong> — Autonome, LLM-orchestrierte Penetrationstests mit verschlüsselten Berichten</li>
+        <li><strong>Automatische PR-Reviews</strong> — Sicherheitsbewusste Code-Review-Kommentare bei jedem Pull Request</li>
+        <li><strong>Audit-Trail</strong> — Unveränderliche Befund-Nachverfolgung von Erkennung bis Behebung</li>
+        <li><strong>LLM-basierte Triage</strong> — Intelligente False-Positive-Filterung mit Konfidenz-Scoring</li>
+        <li><strong>Code-Wissensgraph</strong> — Architekturvisualisierung mit Auswirkungs- & Datenflussanalyse</li>
+        <li><strong>Multi-Tracker-Sync</strong> — Automatische Issues in GitHub, GitLab, Jira, Gitea</li>
+        <li><strong>MCP-Server</strong> — Live-Sicherheitsdaten in Claude, Cursor & anderen KI-Tools</li>
+      </ul>
+    </div>
+
+    <div class="product-card platform">
+      <h2>CERTifAI Plattform</h2>
+      <div class="subtitle">Souveräne GenAI-Infrastruktur</div>
+      <ul>
+        <li><strong>Multi-Provider LLM-Verwaltung</strong> — Einheitliche Schnittstelle für LiteLLM, OpenAI, HuggingFace, Anthropic</li>
+        <li><strong>KI-Agenten-Orchestrierung</strong> — LangGraph-Integration mit Live-Monitoring & Agenten-Registry</li>
+        <li><strong>Enterprise SSO</strong> — Keycloak-basiertes OAuth2/PKCE, LDAP, Multi-Realm-Authentifizierung</li>
+        <li><strong>Nutzungs- & Abrechnungsanalyse</strong> — Token-Tracking, modellbasierte Aufschlüsselung</li>
+        <li><strong>News-Intelligence</strong> — KI-gestützte Nachrichtenzusammenfassung, Trendanalyse, Follow-up-Chat</li>
+        <li><strong>Entwickler-Toolchain</strong> — LangFlow, Langfuse, LangChain sofort einsatzbereit</li>
+        <li><strong>RBAC & Feature Flags</strong> — Rollenbasierter Zugriff mit kontrolliertem GenAI-Rollout pro Org</li>
+        <li><strong>Mehrsprachigkeit</strong> — Vollständige i18n-Unterstützung (DE, FR, ES, PT)</li>
+        <li><strong>RAG-basierter Chat</strong> — Natürlichsprachliche Q&A auf Basis Ihrer Codebasis</li>
+      </ul>
+    </div>
+  </div>
+
+  <div class="metrics">
+    <div class="metric">
+      <div class="number">15 Mrd.+</div>
+      <div class="label">AppSec TAM bis 2027</div>
+    </div>
+    <div class="metric">
+      <div class="number">200+</div>
+      <div class="label">Atomare Sicherheits-<br>kontrollen</div>
+    </div>
+    <div class="metric">
+      <div class="number">80%</div>
+      <div class="label">Zeitersparnis bei<br>Compliance-Prüfungen</div>
+    </div>
+    <div class="metric">
+      <div class="number">10x</div>
+      <div class="label">Günstiger als<br>manuelle Pentests</div>
+    </div>
+    <div class="metric">
+      <div class="number">100%</div>
+      <div class="label">Datensouveränität<br>garantiert</div>
+    </div>
+  </div>
+
+  <div class="diff-section">
+    <div class="section-title">Warum CERTifAI gewinnt</div>
+    <div class="diff-grid">
+      <div class="diff-item">
+        <div class="diff-title">KI-native Sicherheit</div>
+        <div class="diff-desc">LLM-gesteuerte Pentests & Triage ersetzen manuelle Audits (5.000–50.000 €). Kein Wettbewerber bietet autonome KI-Pentests.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Volle Provenienz</div>
+        <div class="diff-desc">Jeder Befund rückverfolgbar zu Kontrolle, Regel und Quelle. Lückenloser Audit-Trail von Erkennung bis Behebung.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Datensouveränität</div>
+        <div class="diff-desc">Keine Daten verlassen Ihre Infrastruktur. DSGVO-konform durch Architektur. EU-Hosting-Optionen verfügbar.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Shift-Left PR-Reviews</div>
+        <div class="diff-desc">Sicherheitsbefunde erscheinen als PR-Kommentare vor dem Merge. Entwickler beheben Probleme direkt am Code.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Entwickelt in Rust</div>
+        <div class="diff-desc">Speichersicherer, hochperformanter Stack. Fullstack-WASM + SSR mit Dioxus. Enterprise-taugliche Zuverlässigkeit.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Einheitliche Steuerung</div>
+        <div class="diff-desc">Sicherheit + KI-Infrastruktur in einem Dashboard. Wettbewerber benötigen 5+ separate Tools.</div>
+      </div>
+    </div>
+  </div>
+
+  <div class="roadmap">
+    <div class="section-title">Roadmap — In Kürze verfügbar</div>
+    <div class="roadmap-grid">
+      <div class="roadmap-item">
+        <div class="rm-title">SOC2 & ISO 27001</div>
+        <div class="rm-desc">Vorgefertigte Kontroll-Mappings für Zertifizierungsreife</div>
+      </div>
+      <div class="roadmap-item">
+        <div class="rm-title">Policy-as-Code</div>
+        <div class="rm-desc">Eigene Compliance-Regeln via deklarative YAML-Policies</div>
+      </div>
+      <div class="roadmap-item">
+        <div class="rm-title">CI/CD-Gates</div>
+        <div class="rm-desc">Deployments bei kritischen Befunden blockieren</div>
+      </div>
+      <div class="roadmap-item">
+        <div class="rm-title">Executive Reports</div>
+        <div class="rm-desc">Auto-generierte Compliance-Berichte für die Geschäftsführung</div>
+      </div>
+    </div>
+  </div>
+
+  <div class="bottom-row">
+    <div class="bottom-section">
+      <div class="section-title">Geschäftsmodell</div>
+      <ul>
+        <li><strong>SaaS Cloud</strong> — Verwaltete Multi-Tenant-Plattform für KMUs</li>
+        <li><strong>Enterprise-Lizenz</strong> — Dedizierte Bereitstellung mit Support & Integrationen</li>
+        <li><strong>Professional Services</strong> — Individuelle Regeln, Pentest-Berichte, Compliance-Audits</li>
+        <li><strong>API-Stufen</strong> — Kostenlose Community-Stufe, kostenpflichtiger Enterprise-Zugang</li>
+      </ul>
+    </div>
+    <div class="bottom-section">
+      <div class="section-title">Zielmärkte</div>
+      <ul>
+        <li><strong>Regulierte Branchen</strong> — Finanzen, Gesundheitswesen, Behörden (DSGVO, HIPAA, SOC2)</li>
+        <li><strong>Enterprise DevSecOps</strong> — Shift-Left-Security für Entwicklungsteams</li>
+        <li><strong>EU-Datensouveränität</strong> — Unternehmen mit souveräner KI-Infrastruktur</li>
+        <li><strong>Sicherheitsberatungen</strong> — Automatisierte Pentests & Berichtserstellung</li>
+      </ul>
+    </div>
+  </div>
+
+</div>
+
+<div class="footer">
+  <div class="conf">Vertraulich — Nicht zur Weitergabe bestimmt</div>
+  <div class="date">CERTifAI — März 2026</div>
+</div>
+
+</body>
+</html>
--- a/onepager_en.html
+++ b/onepager_en.html
@@ -0,0 +1,421 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>CERTifAI — Investor One-Pager</title>
+<link href="https://fonts.googleapis.com/css2?family=Plus+Jakarta+Sans:wght@300;400;500;600;700;800&display=swap" rel="stylesheet">
+<style>
+  @page { size: A4; margin: 0; }
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body {
+    font-family: 'Plus Jakarta Sans', -apple-system, sans-serif;
+    background: #fff;
+    color: #1a1a2e;
+    width: 210mm;
+    height: 297mm;
+    overflow: hidden;
+    position: relative;
+  }
+
+  .top-bar {
+    height: 6px;
+    background: linear-gradient(90deg, #6366f1, #8b5cf6, #a78bfa, #06b6d4);
+  }
+
+  .container { padding: 18px 34px 12px; }
+
+  .header {
+    display: flex;
+    justify-content: space-between;
+    align-items: flex-start;
+    margin-bottom: 12px;
+  }
+  .logo-area h1 {
+    font-size: 28px;
+    font-weight: 800;
+    letter-spacing: -1px;
+    color: #4f46e5;
+  }
+  .logo-area .tagline {
+    font-size: 12px;
+    color: #64748b;
+    margin-top: 1px;
+  }
+  .contact-info {
+    text-align: right;
+    font-size: 9.5px;
+    color: #94a3b8;
+    line-height: 1.5;
+  }
+
+  .hero {
+    background: linear-gradient(135deg, #eef2ff, #f0f9ff);
+    border-radius: 10px;
+    padding: 11px 18px;
+    margin-bottom: 11px;
+    border-left: 4px solid #6366f1;
+  }
+  .hero p {
+    font-size: 11.5px;
+    line-height: 1.45;
+    color: #334155;
+  }
+  .hero strong { color: #4f46e5; font-weight: 700; }
+
+  .columns {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 14px;
+    margin-bottom: 10px;
+  }
+
+  .product-card {
+    border: 1px solid #e2e8f0;
+    border-radius: 10px;
+    padding: 12px 14px;
+    position: relative;
+    overflow: hidden;
+  }
+  .product-card::before {
+    content: '';
+    position: absolute;
+    top: 0; left: 0; right: 0;
+    height: 3px;
+  }
+  .product-card.scanner::before { background: linear-gradient(90deg, #6366f1, #8b5cf6); }
+  .product-card.platform::before { background: linear-gradient(90deg, #06b6d4, #0ea5e9); }
+  .product-card h2 {
+    font-size: 13.5px;
+    font-weight: 800;
+    margin-bottom: 2px;
+  }
+  .product-card.scanner h2 { color: #4f46e5; }
+  .product-card.platform h2 { color: #0891b2; }
+  .product-card .subtitle {
+    font-size: 9.5px;
+    color: #94a3b8;
+    margin-bottom: 7px;
+    font-weight: 600;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  }
+  .product-card ul { list-style: none; padding: 0; }
+  .product-card li {
+    font-size: 10px;
+    line-height: 1.3;
+    padding: 2px 0;
+    padding-left: 14px;
+    position: relative;
+    color: #475569;
+  }
+  .product-card li::before {
+    content: '';
+    position: absolute;
+    left: 0;
+    top: 7px;
+    width: 5px;
+    height: 5px;
+    border-radius: 50%;
+  }
+  .product-card.scanner li::before { background: #818cf8; }
+  .product-card.platform li::before { background: #22d3ee; }
+
+  .metrics {
+    display: grid;
+    grid-template-columns: repeat(5, 1fr);
+    gap: 9px;
+    margin-bottom: 10px;
+  }
+  .metric {
+    text-align: center;
+    padding: 9px 5px;
+    border-radius: 8px;
+    background: #f8fafc;
+    border: 1px solid #e2e8f0;
+  }
+  .metric .number {
+    font-size: 18px;
+    font-weight: 800;
+    color: #4f46e5;
+  }
+  .metric .label {
+    font-size: 8.5px;
+    color: #64748b;
+    margin-top: 1px;
+    font-weight: 500;
+    text-transform: uppercase;
+    letter-spacing: 0.3px;
+  }
+
+  .diff-section { margin-bottom: 10px; }
+  .section-title {
+    font-size: 11px;
+    font-weight: 700;
+    color: #1e293b;
+    margin-bottom: 6px;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  }
+  .diff-grid {
+    display: grid;
+    grid-template-columns: repeat(3, 1fr);
+    gap: 7px;
+  }
+  .diff-item {
+    padding: 8px 10px;
+    border-radius: 7px;
+    background: linear-gradient(135deg, #faf5ff, #f0f9ff);
+    border: 1px solid #e0e7ff;
+  }
+  .diff-item .diff-title {
+    font-size: 9.5px;
+    font-weight: 700;
+    color: #4f46e5;
+    margin-bottom: 2px;
+  }
+  .diff-item .diff-desc {
+    font-size: 8.5px;
+    color: #64748b;
+    line-height: 1.3;
+  }
+
+  /* Roadmap */
+  .roadmap {
+    margin-bottom: 10px;
+  }
+  .roadmap-grid {
+    display: grid;
+    grid-template-columns: repeat(4, 1fr);
+    gap: 7px;
+  }
+  .roadmap-item {
+    padding: 7px 10px;
+    border-radius: 7px;
+    border: 1px dashed #c7d2fe;
+    background: #fefce8;
+  }
+  .roadmap-item .rm-title {
+    font-size: 9.5px;
+    font-weight: 700;
+    color: #92400e;
+    margin-bottom: 1px;
+  }
+  .roadmap-item .rm-desc {
+    font-size: 8px;
+    color: #78716c;
+    line-height: 1.3;
+  }
+
+  .bottom-row {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 14px;
+    margin-bottom: 8px;
+  }
+  .bottom-section .section-title { margin-bottom: 5px; }
+  .bottom-section ul { list-style: none; padding: 0; }
+  .bottom-section li {
+    font-size: 9.5px;
+    color: #475569;
+    padding: 2px 0;
+    padding-left: 12px;
+    position: relative;
+    line-height: 1.35;
+  }
+  .bottom-section li::before {
+    content: '→';
+    position: absolute;
+    left: 0;
+    color: #8b5cf6;
+    font-weight: 700;
+  }
+
+  .footer {
+    position: absolute;
+    bottom: 0;
+    left: 0;
+    right: 0;
+    padding: 10px 34px;
+    background: #f8fafc;
+    border-top: 1px solid #e2e8f0;
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+  }
+  .footer .conf {
+    font-size: 8.5px;
+    color: #94a3b8;
+    font-weight: 500;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  }
+  .footer .date {
+    font-size: 8.5px;
+    color: #94a3b8;
+  }
+</style>
+</head>
+<body>
+<div class="top-bar"></div>
+<div class="container">
+
+  <div class="header">
+    <div class="logo-area">
+      <h1>CERTifAI</h1>
+      <div class="tagline">AI-Native Security & Compliance Platform</div>
+    </div>
+    <div class="contact-info">
+      Confidential — For Investor Review<br>
+      March 2026
+    </div>
+  </div>
+
+  <div class="hero">
+    <p>
+      CERTifAI is a <strong>GDPR-compliant, data-sovereign AI platform</strong> combining autonomous security scanning
+      with intelligent compliance automation. We help enterprises <strong>secure their code</strong>,
+      <strong>enforce compliance at scale</strong>, and <strong>maintain full data sovereignty</strong> — powered by
+      200+ atomic security controls, AI-driven triage, and a complete audit trail for every finding.
+    </p>
+  </div>
+
+  <div class="columns">
+    <div class="product-card scanner">
+      <h2>Compliance Scanner</h2>
+      <div class="subtitle">Autonomous AI Security Agent</div>
+      <ul>
+        <li><strong>200+ Atomic Controls</strong> — Fine-grained security checks with full provenance tracking per finding</li>
+        <li><strong>SAST + DAST + SBOM</strong> — Full-spectrum security testing with dependency vulnerability tracking</li>
+        <li><strong>AI-Driven Pentesting</strong> — Autonomous LLM-orchestrated penetration testing with encrypted reports</li>
+        <li><strong>Automated PR Reviews</strong> — Security-aware code review comments on every pull request</li>
+        <li><strong>Audit Trail</strong> — Immutable finding lifecycle tracking from detection to remediation</li>
+        <li><strong>LLM-Powered Triage</strong> — Intelligent false-positive filtering with confidence scoring</li>
+        <li><strong>Code Knowledge Graph</strong> — Architecture visualization with impact & data-flow analysis</li>
+        <li><strong>Multi-Tracker Sync</strong> — Auto-creates issues in GitHub, GitLab, Jira, Gitea</li>
+        <li><strong>MCP Server</strong> — Live security data in Claude, Cursor & other AI dev tools</li>
+      </ul>
+    </div>
+
+    <div class="product-card platform">
+      <h2>CERTifAI Platform</h2>
+      <div class="subtitle">Sovereign GenAI Infrastructure</div>
+      <ul>
+        <li><strong>Multi-Provider LLM Management</strong> — Unified interface for LiteLLM, OpenAI, HuggingFace, Anthropic</li>
+        <li><strong>AI Agent Orchestration</strong> — LangGraph integration with live monitoring & agent registry</li>
+        <li><strong>Enterprise SSO</strong> — Keycloak-based OAuth2/PKCE, LDAP, multi-realm authentication</li>
+        <li><strong>Usage & Billing Analytics</strong> — Token tracking, per-model breakdown, seat management</li>
+        <li><strong>News Intelligence</strong> — AI-powered news summarization, trend analysis, follow-up chat</li>
+        <li><strong>Developer Toolchain</strong> — LangFlow, Langfuse, LangChain integrations out of the box</li>
+        <li><strong>RBAC & Feature Flags</strong> — Role-based access with controlled GenAI rollout per org</li>
+        <li><strong>Full i18n</strong> — Multi-language support (DE, FR, ES, PT) for global teams</li>
+        <li><strong>RAG-Powered Chat</strong> — Natural language Q&A grounded in your codebase</li>
+      </ul>
+    </div>
+  </div>
+
+  <div class="metrics">
+    <div class="metric">
+      <div class="number">$15B+</div>
+      <div class="label">AppSec TAM by 2027</div>
+    </div>
+    <div class="metric">
+      <div class="number">200+</div>
+      <div class="label">Atomic Security<br>Controls</div>
+    </div>
+    <div class="metric">
+      <div class="number">80%</div>
+      <div class="label">Compliance Review<br>Time Saved</div>
+    </div>
+    <div class="metric">
+      <div class="number">10x</div>
+      <div class="label">Cheaper than<br>Manual Pentests</div>
+    </div>
+    <div class="metric">
+      <div class="number">100%</div>
+      <div class="label">Data Sovereignty<br>Guaranteed</div>
+    </div>
+  </div>
+
+  <div class="diff-section">
+    <div class="section-title">Why CERTifAI Wins</div>
+    <div class="diff-grid">
+      <div class="diff-item">
+        <div class="diff-title">AI-Native Security</div>
+        <div class="diff-desc">LLM-driven pentesting & triage replace $5K–$50K manual engagements. No competitor offers autonomous AI pentests.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Full Provenance</div>
+        <div class="diff-desc">Every finding traces back to its control, rule, and source. Complete audit trail from detection through remediation.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Data Sovereignty</div>
+        <div class="diff-desc">Zero data leaves your infrastructure. GDPR-compliant by architecture. EU-hosted deployment options.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Shift-Left PR Reviews</div>
+        <div class="diff-desc">Security findings surface as PR comments before code merges. Developers fix issues at the source, not in production.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Built in Rust</div>
+        <div class="diff-desc">Memory-safe, high-performance stack. Fullstack WASM + SSR with Dioxus. Enterprise-grade reliability.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Unified Control Plane</div>
+        <div class="diff-desc">Security + AI infrastructure in one dashboard. Competitors require 5+ separate tools to match.</div>
+      </div>
+    </div>
+  </div>
+
+  <div class="roadmap">
+    <div class="section-title">Roadmap — Coming Soon</div>
+    <div class="roadmap-grid">
+      <div class="roadmap-item">
+        <div class="rm-title">SOC2 & ISO 27001</div>
+        <div class="rm-desc">Pre-built control mappings for certification readiness</div>
+      </div>
+      <div class="roadmap-item">
+        <div class="rm-title">Policy-as-Code</div>
+        <div class="rm-desc">Custom compliance rules via declarative YAML policies</div>
+      </div>
+      <div class="roadmap-item">
+        <div class="rm-title">CI/CD Gates</div>
+        <div class="rm-desc">Block deploys on critical findings with pipeline integration</div>
+      </div>
+      <div class="roadmap-item">
+        <div class="rm-title">Executive Reports</div>
+        <div class="rm-desc">Auto-generated compliance posture reports for leadership</div>
+      </div>
+    </div>
+  </div>
+
+  <div class="bottom-row">
+    <div class="bottom-section">
+      <div class="section-title">Business Model</div>
+      <ul>
+        <li><strong>SaaS Cloud</strong> — Managed multi-tenant platform for SMBs</li>
+        <li><strong>Enterprise License</strong> — Dedicated deployment with support & custom integrations</li>
+        <li><strong>Professional Services</strong> — Custom rules, pentest reports, compliance audits</li>
+        <li><strong>API Tiers</strong> — Free community tier, paid enterprise API access</li>
+      </ul>
+    </div>
+    <div class="bottom-section">
+      <div class="section-title">Target Markets</div>
+      <ul>
+        <li><strong>Regulated Industries</strong> — Finance, healthcare, government (GDPR, HIPAA, SOC2)</li>
+        <li><strong>Enterprise DevSecOps</strong> — Shift-left security for engineering teams</li>
+        <li><strong>EU Data Sovereignty</strong> — Companies requiring sovereign AI infrastructure</li>
+        <li><strong>Security Consultancies</strong> — Automated pentesting & report generation</li>
+      </ul>
+    </div>
+  </div>
+
+</div>
+
+<div class="footer">
+  <div class="conf">Confidential — Do Not Distribute</div>
+  <div class="date">CERTifAI — March 2026</div>
+</div>
+
+</body>
+</html>
--- a/onepager_en_preview.png
+++ b/onepager_en_preview.png