KI-AGENT: Matrix-Raumdaten nach Tenant-Import zurücksetzen

Dokumentiert Matrix-Kommunikation, Telekom-Telefonie und den VPS-Asterisk-Entwicklungsbetrieb.

.env.example

@@ -0,0 +1,166 @@
+# FEDEO Selfhosting
+DOMAIN=app.example.com
+CONTACT_EMAIL=admin@deine-domain.de
+
+DB_NAME=fedeo
+DB_USER=fedeo
+DB_PASSWORD=change-this-db-password
+DATABASE_URL=postgres://fedeo:change-this-db-password@db:5432/fedeo
+
+MINIO_ROOT_USER=fedeo-minio
+MINIO_ROOT_PASSWORD=change-this-minio-password
+MINIO_BUCKET=fedeo
+
+HOST=0.0.0.0
+PORT=3100
+FEDEO_RUN_MIGRATIONS=true
+COOKIE_SECRET=change-this-cookie-secret
+JWT_SECRET=change-this-jwt-secret
+ENCRYPTION_KEY=change-this-encryption-key
+
+MAILER_SMTP_HOST=smtp.example.com
+MAILER_SMTP_PORT=587
+MAILER_SMTP_SSL=false
+MAILER_SMTP_USER=mailer@example.com
+MAILER_SMTP_PASS=change-this-mail-password
+MAILER_FROM=FEDEO <no-reply@example.com>
+
+# Desktop Push per Web Push. Schlüssel können mit
+# `npx web-push generate-vapid-keys` erzeugt werden.
+WEB_PUSH_PUBLIC_KEY=replace-this-web-push-public-key
+WEB_PUSH_PRIVATE_KEY=replace-this-web-push-private-key
+WEB_PUSH_SUBJECT=mailto:admin@example.com
+
+S3_ENDPOINT=http://minio:9000
+S3_REGION=eu-central-1
+S3_ACCESS_KEY=fedeo-minio
+S3_SECRET_KEY=change-this-minio-password
+S3_BUCKET=fedeo
+
+# Datei-Backend. S3 bleibt aktuell der Standard; Seafile kann als externer
+# Dateidienst angebunden werden, sobald der Backend-Umbau aktiviert ist.
+FEDEO_FILE_BACKEND=s3
+
+# Externer Seafile-Dienst, nicht Teil des Standard-Compose-Stacks.
+SEAFILE_BASE_URL=https://files.example.com
+SEAFILE_INTERNAL_URL=https://files.example.com
+SEAFILE_ADMIN_EMAIL=admin@example.com
+SEAFILE_ADMIN_PASSWORD=change-this-seafile-admin-password
+
+M2M_API_KEY=change-this-m2m-key
+API_BASE_URL=https://app.example.com/backend
+GOCARDLESS_BASE_URL=https://api.gocardless.com
+GOCARDLESS_SECRET_ID=replace-this
+GOCARDLESS_SECRET_KEY=replace-this
+
+DOKUBOX_IMAP_HOST=imap.example.com
+DOKUBOX_IMAP_PORT=993
+DOKUBOX_IMAP_SECURE=true
+DOKUBOX_IMAP_USER=dokubox@example.com
+DOKUBOX_IMAP_PASSWORD=change-this-imap-password
+
+OPENAI_API_KEY=replace-this
+STIRLING_API_KEY=replace-this
+NUXT_PUBLIC_PDF_LICENSE=replace-with-your-pdf-license
+
+# Interner Prometheus Node Exporter für die Admin-Systemstatusseite.
+NODE_EXPORTER_URL=http://node-exporter:9100
+
+# Lokaler Asterisk-Test für SIP/Voice. Aktivieren, wenn das Compose-Profil
+# `telephony-dev` genutzt wird.
+TELEPHONY_ENABLED=false
+ASTERISK_IMAGE=andrius/asterisk:20
+TELEPHONY_ASTERISK_HTTP_URL=http://asterisk-dev:8088/ws
+TELEPHONY_ASTERISK_WS_URL=ws://localhost:8088/ws
+TELEPHONY_ASTERISK_GENERATED_DIR=/var/lib/fedeo/asterisk/generated
+TELEPHONY_ASTERISK_AMI_HOST=asterisk-dev
+TELEPHONY_ASTERISK_AMI_PORT=5038
+TELEPHONY_ASTERISK_AMI_USER=fedeo
+TELEPHONY_ASTERISK_AMI_PASSWORD=fedeo-ami-dev
+TELEPHONY_SIP_DOMAIN=localhost
+TELEPHONY_TEST_EXTENSION=1001
+TELEPHONY_TEST_PASSWORD=fedeo-test-1001
+TELEPHONY_TEST_EXTENSION_2=1002
+TELEPHONY_TEST_PASSWORD_2=fedeo-test-1002
+TELEPHONY_ECHO_EXTENSION=600
+TELEPHONY_DEV_WS_PORT=8088
+TELEPHONY_DEV_AMI_PORT=5038
+TELEPHONY_DEV_SIP_PORT=5060
+TELEPHONY_DEV_RTP_MIN_PORT=10000
+TELEPHONY_DEV_RTP_MAX_PORT=10100
+TELEPHONY_ASTERISK_EXTERNAL_SIGNALING_ADDRESS=
+TELEPHONY_ASTERISK_EXTERNAL_MEDIA_ADDRESS=
+
+# Externe Telefonie über Telekom/tel.t-online.de. Keine echten Zugangsdaten
+# einchecken. SIP-ID ist in der Regel die Rufnummer mit Vorwahl ohne Leerzeichen
+# und ohne Sonderzeichen, z. B. 0301234567. Wenn dein Anschluss noch die
+# Internet-Zugangsdaten als Auth-User nutzt, kann TELEPHONY_TELEKOM_AUTH_USER
+# aus Anschlusskennung + Zugangsnummer + # + Mitbenutzernummer + @t-online.de
+# gebildet werden.
+TELEPHONY_EXTERNAL_PROVIDER=
+TELEPHONY_EXTERNAL_ENABLED=false
+TELEPHONY_EXTERNAL_INBOUND_EXTENSION=1001
+TELEPHONY_TELEKOM_ENABLED=false
+TELEPHONY_TELEKOM_REGISTRAR=tel.t-online.de
+TELEPHONY_TELEKOM_SIP_USER=
+TELEPHONY_TELEKOM_AUTH_USER=
+TELEPHONY_TELEKOM_PASSWORD=
+TELEPHONY_TELEKOM_CALLER_ID=
+TELEPHONY_TELEKOM_INBOUND_EXTENSION=1001
+TELEPHONY_TELEKOM_OUTBOUND_PREFIX=0
+
+# Optionaler Erststart-Bootstrap. Wenn gesetzt, werden Admin, Mandant,
+# Admin-Rolle und Grunddaten beim Backend-Start idempotent angelegt.
+FEDEO_BOOTSTRAP_ADMIN_EMAIL=admin@example.com
+FEDEO_BOOTSTRAP_ADMIN_PASSWORD=change-this-admin-password
+FEDEO_BOOTSTRAP_ADMIN_FIRST_NAME=Admin
+FEDEO_BOOTSTRAP_ADMIN_LAST_NAME=Benutzer
+FEDEO_BOOTSTRAP_TENANT_NAME=Mein Unternehmen
+FEDEO_BOOTSTRAP_TENANT_SHORT=MEIN
+FEDEO_BOOTSTRAP_MATRIX=true
+
+# FEDEO Matrix-Kommunikation
+#
+# Diese Werte werden von docker-compose.selfhost.yml für den integrierten
+# Matrix-Stack gelesen. Für produktive Systeme müssen alle Geheimnisse ersetzt
+# werden.
+
+MATRIX_SERVER_NAME=app.example.com
+
+MATRIX_POSTGRES_DB=synapse
+MATRIX_POSTGRES_USER=synapse
+MATRIX_POSTGRES_PASSWORD=change-this-matrix-db-password
+
+MATRIX_TURN_SHARED_SECRET=change-this-turn-secret
+
+LIVEKIT_KEY=fedeo-livekit
+LIVEKIT_SECRET=change-this-livekit-secret-please-replace
+
+# Backend-Integration im Selfhost-Stack
+MATRIX_HOMESERVER_URL=http://matrix-synapse:8008
+MATRIX_RTC_HOST=app.example.com
+MATRIX_RTC_JWT_URL=https://app.example.com/livekit/jwt
+MATRIX_LIVEKIT_URL=wss://app.example.com/livekit/sfu
+MATRIX_REGISTRATION_SHARED_SECRET=change-this-matrix-registration-secret
+MATRIX_SERVICE_USER_LOCALPART=fedeo_service
+NUXT_PUBLIC_MATRIX_ELEMENT_URL=https://app.example.com/element
+
+# Lokale Matrix-Entwicklung
+MATRIX_DEV_SYNAPSE_PORT=8008
+MATRIX_DEV_ELEMENT_PORT=8080
+MATRIX_DEV_RTC_JWT_PORT=8081
+MATRIX_DEV_LIVEKIT_PORT=7880
+MATRIX_DEV_LIVEKIT_TCP_PORT=7881
+MATRIX_DEV_LIVEKIT_RTC_MIN_PORT=50000
+MATRIX_DEV_LIVEKIT_RTC_MAX_PORT=50100
+MATRIX_DEV_LIVEKIT_NODE_IP=127.0.0.1
+MATRIX_DEV_TURN_PORT=3478
+MATRIX_DEV_TURN_MIN_PORT=49160
+MATRIX_DEV_TURN_MAX_PORT=49200
+
+# Lokale Backend-Integration gegen den Matrix-Entwicklungsstack
+# MATRIX_HOMESERVER_URL=http://localhost:8008
+# MATRIX_RTC_JWT_URL=http://localhost:8081
+# MATRIX_LIVEKIT_URL=ws://localhost:7880
+# MATRIX_REGISTRATION_SHARED_SECRET=copy-from-matrix-dev-synapse-homeserver-yaml
+# NUXT_PUBLIC_MATRIX_ELEMENT_URL=http://localhost:8080

.gitea/workflows/build-push.yaml

@@ -1,5 +1,5 @@
 name: Build and Push Docker Images
-run-name: Build Backend, Frontend & Docs by @${{ github.actor }}
+run-name: Build Backend, Frontend, Website & Docs by @${{ github.actor }}
 
 on: [push]
 
@@ -135,3 +135,35 @@ jobs:
           push: true
           tags: ${{ steps.meta-docs.outputs.tags }}
           labels: ${{ steps.meta-docs.outputs.labels }}
+
+  build-website:
+    #needs: verify-docs-sync
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+
+      - name: Log in to Docker Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY_HOST }}
+          username: ${{ env.ACTOR }}
+          password: ${{ vars.CI_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Website
+        id: meta-website
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY_HOST }}/${{ env.IMAGE_NAME }}/website
+          tags: |
+            type=ref,event=branch
+            type=ref,event=tag
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+
+      - name: Build and push Website
+        uses: docker/build-push-action@v4
+        with:
+          context: ./website
+          push: true
+          tags: ${{ steps.meta-website.outputs.tags }}
+          labels: ${{ steps.meta-website.outputs.labels }}

.gitignore

@@ -0,0 +1,10 @@
+.env
+node_modules/
+.nuxt/
+.output/
+
+# Lokale Runtime-Daten und generierte Konfigurationen
+matrix/postgres/
+matrix/synapse/
+matrix/dev/postgres/
+matrix/dev/synapse/

README.md

@@ -89,13 +89,16 @@ Wenn du MinIO verwendest, setze zusatzlich:
 
 ## Deploy-Struktur
 
-Deploye den Stack direkt aus einem geklonten Checkout dieses Repositories, weil die Compose-Datei die lokalen Build-Kontexte `./frontend` und `./backend` verwendet.
+Deploye den Stack in einem eigenen Betriebsverzeichnis. Der Selfhost-Installer lädt dafür nur die benötigten Betriebsdateien und klont nicht das komplette Repository.
 
-Beispiel:
+Beispiel für die manuelle Vorbereitung:
 
 ```bash
-git clone <DEIN-REPO-URL> /opt/fedeo
-cd /opt/fedeo
+mkdir -p /opt/fedeo/scripts
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/docker-compose.selfhost.yml -o /opt/fedeo/docker-compose.yml
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/.env.example -o /opt/fedeo/.env.example
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/scripts/selfhost-setup.sh -o /opt/fedeo/scripts/selfhost-setup.sh
+chmod +x /opt/fedeo/scripts/selfhost-setup.sh
 ```
 
 Die Verzeichnisstruktur sollte dann mindestens so aussehen:
@@ -104,8 +107,7 @@ Die Verzeichnisstruktur sollte dann mindestens so aussehen:
 /opt/fedeo/
   docker-compose.yml
   .env
-  backend/
-  frontend/
+  scripts/
   traefik/
     letsencrypt/
     logs/
@@ -124,13 +126,55 @@ touch /opt/fedeo/traefik/letsencrypt/acme.json
 chmod 600 /opt/fedeo/traefik/letsencrypt/acme.json
 ```
 
+Als Startpunkt kannst du die Beispielumgebung kopieren:
+
+```bash
+cp .env.example .env
+```
+
+Ersetze anschließend alle Platzhalter und passe mindestens `DOMAIN`, `CONTACT_EMAIL`, Datenbank-, Secret-, SMTP- und S3-Werte an. Seafile ist kein Teil des Standard-Stacks; wenn FEDEO später Seafile als File-Backend nutzen soll, zeigst du die Seafile-Variablen auf einen externen Seafile-Dienst.
+
+Alternativ kannst du die Konfiguration geführt erzeugen lassen:
+
+```bash
+bash scripts/selfhost-setup.sh
+```
+
+Auf einem frischen Server kannst du die Betriebsdateien und die Konfiguration direkt per One-Liner vorbereiten:
+
+```bash
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/scripts/selfhost-install.sh | bash
+```
+
+Der schnelle One-Liner mit direktem Stack-Start:
+
+```bash
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/scripts/selfhost-install.sh | bash -s -- --simple --start
+```
+
+Der Installer prüft Basispakete, installiert Docker auf Wunsch über das offizielle Docker-Installationsscript, lädt nur die Selfhost-Dateien nach `/opt/fedeo` und startet anschließend den geführten Setup-Assistenten.
+
+Für den schnellen Standardpfad:
+
+```bash
+bash scripts/selfhost-setup.sh --simple
+```
+
+Für mehr Rückfragen zu SMTP, API-Schlüsseln und optionalen Diensten:
+
+```bash
+bash scripts/selfhost-setup.sh --advanced
+```
+
+Der Assistent erklärt zuerst die Selfhost-Verzeichnisstruktur, schreibt anschließend `.env`, legt persistente Verzeichnisse inklusive `traefik/letsencrypt/acme.json` an und kann den Stack optional direkt starten.
+
 ## Beispiel `.env`
 
 Diese Datei liegt neben der `docker-compose.yml`:
 
 ```env
 DOMAIN=app.example.com
-CONTACT_EMAIL=admin@example.com
+CONTACT_EMAIL=admin@deine-domain.de
 
 DB_NAME=fedeo
 DB_USER=fedeo
@@ -160,6 +204,12 @@ S3_ACCESS_KEY=fedeo-minio
 S3_SECRET_KEY=change-this-minio-password
 S3_BUCKET=fedeo
 
+FEDEO_FILE_BACKEND=s3
+SEAFILE_BASE_URL=https://files.example.com
+SEAFILE_INTERNAL_URL=https://files.example.com
+SEAFILE_ADMIN_EMAIL=admin@example.com
+SEAFILE_ADMIN_PASSWORD=change-this-seafile-admin-password
+
 M2M_API_KEY=change-this-m2m-key
 API_BASE_URL=https://app.example.com/backend
 GOCARDLESS_BASE_URL=https://api.gocardless.com
@@ -176,11 +226,41 @@ OPENAI_API_KEY=replace-this
 STIRLING_API_KEY=replace-this
 
 NUXT_PUBLIC_PDF_LICENSE=replace-with-your-pdf-license
+
+FEDEO_BOOTSTRAP_ADMIN_EMAIL=admin@example.com
+FEDEO_BOOTSTRAP_ADMIN_PASSWORD=change-this-admin-password
+FEDEO_BOOTSTRAP_ADMIN_FIRST_NAME=Admin
+FEDEO_BOOTSTRAP_ADMIN_LAST_NAME=Benutzer
+FEDEO_BOOTSTRAP_TENANT_NAME=Mein Unternehmen
+FEDEO_BOOTSTRAP_TENANT_SHORT=MEIN
+
+MATRIX_SERVER_NAME=app.example.com
+MATRIX_POSTGRES_DB=synapse
+MATRIX_POSTGRES_USER=synapse
+MATRIX_POSTGRES_PASSWORD=change-this-matrix-db-password
+MATRIX_TURN_SHARED_SECRET=change-this-turn-secret
+MATRIX_HOMESERVER_URL=http://matrix-synapse:8008
+MATRIX_RTC_HOST=app.example.com
+MATRIX_RTC_JWT_URL=https://app.example.com/livekit/jwt
+MATRIX_LIVEKIT_URL=wss://app.example.com/livekit/sfu
+MATRIX_REGISTRATION_SHARED_SECRET=change-this-matrix-registration-secret
+MATRIX_SERVICE_USER_LOCALPART=fedeo_service
+LIVEKIT_KEY=fedeo-livekit
+LIVEKIT_SECRET=change-this-livekit-secret-please-replace
+NUXT_PUBLIC_MATRIX_ELEMENT_URL=https://app.example.com/element
 ```
 
-## Vollstandiges Docker Compose mit optionaler S3-MinIO-Option
+Die `FEDEO_BOOTSTRAP_*`-Werte sind für den ersten Start gedacht. Wenn `FEDEO_BOOTSTRAP_ADMIN_EMAIL` und `FEDEO_BOOTSTRAP_ADMIN_PASSWORD` gesetzt sind, legt das Backend idempotent einen Admin-Benutzer, einen ersten Mandanten, eine Administrator-Rolle und grundlegende Stammdaten an. Nach erfolgreichem Erstzugriff solltest du das Bootstrap-Passwort aus der `.env` entfernen oder ändern.
 
-Hinweis: Der Stack unten startet MinIO standardmassig mit. Wenn du stattdessen AWS S3, Hetzner Object Storage, Backblaze B2 S3 oder einen anderen externen S3-Dienst nutzen willst, kannst du die Services `minio` und `createbuckets` entfernen und nur die entsprechenden S3-Umgebungsvariablen auf den externen Anbieter zeigen lassen.
+## Docker Compose mit optionalem S3 und Matrix
+
+Die Selfhost-Konfiguration wird im Betriebsverzeichnis als `docker-compose.yml` abgelegt. Sie startet MinIO standardmäßig mit. Wenn du stattdessen AWS S3, Hetzner Object Storage, Backblaze B2 S3 oder einen anderen externen S3-Dienst nutzen willst, kannst du die Services `minio` und `createbuckets` entfernen und nur die entsprechenden S3-Umgebungsvariablen auf den externen Anbieter zeigen lassen.
+
+Seafile wird bewusst nicht im Standard-Compose-Stack gestartet. FEDEO kann später gegen einen extern betriebenen Seafile-Dienst sprechen; dafür bleiben `SEAFILE_BASE_URL`, `SEAFILE_INTERNAL_URL`, `SEAFILE_ADMIN_EMAIL` und `SEAFILE_ADMIN_PASSWORD` als generische Anbindungswerte vorgesehen. `FEDEO_FILE_BACKEND=s3` bleibt der Standard, bis die Backend-Integration für Seafile vollständig umgesetzt ist.
+
+Der Matrix-Stack ist im Selfhost-Compose direkt enthalten. Er umfasst Synapse, eine eigene PostgreSQL-Datenbank für Synapse, Redis, `.well-known/matrix`, coturn, LiveKit, den LiveKit-JWT-Service und Element Web. Das einfache Selfhost-Setup nutzt nur `DOMAIN`: Synapse läuft unter `https://DOMAIN/_matrix`, Matrix-Well-Known unter `https://DOMAIN/.well-known/matrix`, LiveKit unter `https://DOMAIN/livekit/sfu`, der JWT-Service unter `https://DOMAIN/livekit/jwt` und Element Web unter `https://DOMAIN/element`.
+
+Das Backend führt beim Containerstart standardmäßig `npm run migrate` aus. Setze `FEDEO_RUN_MIGRATIONS=false`, wenn du Migrationen bewusst manuell ausführen möchtest.
 
 ```yaml
 services:
@@ -266,8 +346,7 @@ services:
       - internal
 
   backend:
-    build:
-      context: ./backend
+    image: git.federspiel.tech/flfeders/fedeo/backend:dev
     container_name: fedeo-backend
     restart: unless-stopped
     depends_on:
@@ -316,13 +395,13 @@ services:
       - traefik.http.middlewares.fedeo-backend-strip.stripprefix.prefixes=/backend
       - traefik.http.routers.fedeo-backend.middlewares=fedeo-backend-strip
       - traefik.http.services.fedeo-backend.loadbalancer.server.port=3100
+      - traefik.docker.network=fedeo_web
     networks:
       - web
       - internal
 
   frontend:
-    build:
-      context: ./frontend
+    image: git.federspiel.tech/flfeders/fedeo/frontend:dev
     container_name: fedeo-frontend
     restart: unless-stopped
     depends_on:
@@ -337,13 +416,16 @@ services:
       - traefik.http.routers.fedeo-frontend.entrypoints=websecure
       - traefik.http.routers.fedeo-frontend.tls.certresolver=letsencrypt
       - traefik.http.services.fedeo-frontend.loadbalancer.server.port=3000
+      - traefik.docker.network=fedeo_web
     networks:
       - web
 
 networks:
   web:
+    name: fedeo_web
     driver: bridge
   internal:
+    name: fedeo_internal
     driver: bridge
 ```
 
@@ -372,16 +454,23 @@ Hinweis: Das Backend nutzt `forcePathStyle: true`. Das funktioniert sauber mit M
 Im Deploy-Verzeichnis:
 
 ```bash
-docker compose build
-docker compose up -d
+docker compose --env-file /opt/fedeo/.env -f /opt/fedeo/docker-compose.yml up -d
 ```
 
+Synapse erzeugt `matrix/synapse/homeserver.yaml` beim ersten Start automatisch und aktualisiert die für FEDEO relevanten Werte aus der `.env`. `MATRIX_REGISTRATION_SHARED_SECRET` muss in der `.env` gesetzt und geheim bleiben, weil FEDEO damit Matrix-Nutzer provisioniert.
+
 Danach Status prufen:
 
 ```bash
-docker compose ps
-docker compose logs -f traefik
-docker compose logs -f backend
+docker compose --env-file /opt/fedeo/.env -f /opt/fedeo/docker-compose.yml ps
+docker compose --env-file /opt/fedeo/.env -f /opt/fedeo/docker-compose.yml logs -f traefik
+docker compose --env-file /opt/fedeo/.env -f /opt/fedeo/docker-compose.yml logs -f backend
+```
+
+Wenn du Migrationen manuell ausführen möchtest:
+
+```bash
+docker compose --env-file /opt/fedeo/.env -f /opt/fedeo/docker-compose.yml run --rm backend npm run migrate
 ```
 
 ## Funktionsprufung
@@ -398,17 +487,23 @@ Erwartung:
 - Frontend liefert `200` oder `302`
 - Backend liefert JSON wie `{"status":"ok"}`
 
+Wenn der Bootstrap aktiviert ist, kannst du dich danach mit `FEDEO_BOOTSTRAP_ADMIN_EMAIL` und `FEDEO_BOOTSTRAP_ADMIN_PASSWORD` anmelden. Die Mandantensperre wird über `locked` gesteuert; `hasActiveLicense` wird nicht mehr für den Selfhost-Zugriff ausgewertet.
+
 ## Updates
 
 Bei neuen Versionen:
 
 ```bash
-git pull
-docker compose build
-docker compose up -d
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/docker-compose.selfhost.yml -o /opt/fedeo/docker-compose.yml
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/.env.example -o /opt/fedeo/.env.example
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/scripts/selfhost-setup.sh -o /opt/fedeo/scripts/selfhost-setup.sh
+chmod +x /opt/fedeo/scripts/selfhost-setup.sh
+docker compose --env-file /opt/fedeo/.env -f /opt/fedeo/docker-compose.yml up -d
 ```
 
-Falls du statt lokaler Builds vorgebaute Images verwenden willst, kannst du in der Compose-Datei `build:` durch passende `image:`-Eintrage ersetzen. Erst dann ist ein vorgelagertes `docker compose pull` sinnvoll.
+Der Backend-Container wendet Datenbankmigrationen beim Start automatisch an. Bei kritischen Updates sollte vorher ein Backup von `./postgres` und `./minio` erstellt werden.
+
+Die Selfhost-Compose-Datei nutzt vorgebaute Images. Dadurch braucht der Server keinen Repository-Checkout und keine lokalen Build-Kontexte.
 
 ## Backup-Empfehlung
 
@@ -416,6 +511,8 @@ Regelmassig sichern:
 
 - `./postgres`
 - `./minio` falls MinIO lokal genutzt wird
+- `./matrix/postgres` falls Matrix lokal betrieben wird
+- `./matrix/synapse` falls Matrix lokal betrieben wird
 - `./traefik/letsencrypt/acme.json`
 - deine `.env`
 - deine dokumentierten Secret-Werte aus der `.env` oder deinem Secret-Management

agents/fedeo-device-agent/.dockerignore

@@ -0,0 +1,6 @@
+node_modules
+dist
+.venv-opencv
+.env
+*.log
+*.tmp

agents/fedeo-device-agent/.env.example

@@ -0,0 +1,14 @@
+FEDEO_URL=https://fedeo.example.com
+FEDEO_AGENT_TOKEN=fedeo_agent_REPLACE_ME
+FEDEO_POLL_SECONDS=5
+FEDEO_WORK_DIR=/tmp/fedeo-device-agent
+FEDEO_SCANNER_NAME=
+FEDEO_PRINTER_NAME=
+FEDEO_SCAN_FORMAT=pdf
+FEDEO_SCAN_RESOLUTION=300
+FEDEO_SCAN_MODE=Color
+FEDEO_SCAN_SOURCE=
+FEDEO_SCAN_POSTPROCESS=false
+FEDEO_SCAN_POSTPROCESS_PROFILE=document
+FEDEO_SCAN_POSTPROCESS_PYTHON=
+FEDEO_SCAN_POSTPROCESS_STRICT=false

agents/fedeo-device-agent/.gitignore

@@ -0,0 +1,6 @@
+dist
+node_modules
+.venv-opencv
+.env
+*.log
+*.tmp

agents/fedeo-device-agent/Dockerfile

@@ -0,0 +1,45 @@
+FROM node:20-bookworm-slim AS build
+
+WORKDIR /app
+
+COPY package.json tsconfig.json ./
+RUN npm install
+
+COPY src ./src
+RUN npm run build
+
+FROM node:20-bookworm-slim AS runtime
+
+ENV NODE_ENV=production
+ENV FEDEO_WORK_DIR=/work
+ENV FEDEO_SCAN_POSTPROCESS=true
+ENV FEDEO_SCAN_POSTPROCESS_PROFILE=receipt
+ENV FEDEO_SCAN_POSTPROCESS_PYTHON=/opt/fedeo-device-agent/.venv-opencv/bin/python
+ENV FEDEO_SCAN_POSTPROCESS_STRICT=false
+
+WORKDIR /opt/fedeo-device-agent
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        ca-certificates \
+        cups-client \
+        libgomp1 \
+        python3 \
+        python3-pip \
+        python3-venv \
+        sane-utils \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY requirements-opencv.txt ./
+RUN python3 -m venv .venv-opencv \
+    && .venv-opencv/bin/python -m pip install --no-cache-dir --upgrade pip \
+    && .venv-opencv/bin/python -m pip install --no-cache-dir -r requirements-opencv.txt \
+    && .venv-opencv/bin/python -c "import cv2, PIL, numpy"
+
+COPY --from=build /app/dist ./dist
+COPY scripts ./scripts
+COPY package.json ./
+
+RUN mkdir -p /work
+
+CMD ["node", "dist/main.js"]

agents/fedeo-device-agent/README.md

@@ -0,0 +1,133 @@
+# FEDEO Geräte-Agent
+
+Der FEDEO Geräte-Agent läuft lokal auf macOS, Linux oder Raspberry Pi OS. Er holt instanzweite Scan-Aufträge von FEDEO ab, führt sie auf einem lokal angeschlossenen Scanner aus und lädt das Ergebnis wieder in FEDEO hoch.
+
+Der Agent ist nicht an einen Mandanten gebunden. Jeder Auftrag enthält seinen Tenant selbst.
+
+## Voraussetzungen
+
+### macOS
+
+```bash
+brew install node sane-backends
+scanimage -L
+```
+
+Drucken nutzt später das macOS-Drucksystem/CUPS:
+
+```bash
+lpstat -p
+```
+
+### Linux und Raspberry Pi OS
+
+```bash
+sudo apt update
+sudo apt install -y nodejs npm sane-utils cups
+scanimage -L
+lpstat -p
+```
+
+## Konfiguration
+
+```bash
+cp .env.example .env
+nano .env
+```
+
+Wichtige Werte:
+
+```env
+FEDEO_URL=https://deine-fedeo-instanz
+FEDEO_AGENT_TOKEN=fedeo_agent_...
+FEDEO_SCANNER_NAME=
+FEDEO_POLL_SECONDS=5
+```
+
+Wenn `FEDEO_SCANNER_NAME` leer bleibt, verwendet `scanimage` den Standard-Scanner.
+
+## Entwicklung
+
+```bash
+npm install
+npm run dev
+```
+
+## OpenCV-Nachbearbeitung
+
+Für automatischen Zuschnitt, leichte Entzerrung, Rotation und Kontrastkorrektur kann die OpenCV-Pipeline aktiviert werden.
+
+```bash
+npm run setup:opencv
+```
+
+Konfiguration:
+
+```env
+FEDEO_SCAN_POSTPROCESS=true
+FEDEO_SCAN_POSTPROCESS_PROFILE=receipt
+FEDEO_SCAN_POSTPROCESS_PYTHON=/pfad/zum/agent/.venv-opencv/bin/python
+FEDEO_SCAN_POSTPROCESS_STRICT=false
+```
+
+Wenn `FEDEO_SCAN_POSTPROCESS_PYTHON` leer bleibt, verwendet der Agent automatisch `.venv-opencv/bin/python`, sofern diese Umgebung existiert. Falls OpenCV nicht installiert ist und `FEDEO_SCAN_POSTPROCESS_STRICT=false` gesetzt ist, lädt der Agent den Rohscan hoch, statt den Auftrag komplett fehlschlagen zu lassen.
+
+Profile:
+
+- `receipt`: Bons und schmale Belege werden bevorzugt hochkant zugeschnitten und kontrastiert.
+- `document`: allgemeine Dokumente mit Farberhalt und moderater Verbesserung.
+- `raw`: Zuschnitt/Entzerrung ohne starke Kontrastkorrektur.
+
+## Container-Betrieb
+
+Auf Linux und Raspberry Pi OS kann der Agent komplett im Container laufen. Dadurch bleiben Node.js, Python, OpenCV und SANE im Image. Auf dem Host werden dann nur Docker und Zugriff auf den USB-Scanner benötigt.
+
+```bash
+cp .env.example .env
+nano .env
+docker compose -f docker-compose.example.yml up --build
+```
+
+Wenn FEDEO lokal auf dem Docker-Host läuft, verwende im Container nicht `localhost`, sondern:
+
+```env
+FEDEO_URL=http://host.docker.internal:3100
+```
+
+Scanner im Container prüfen:
+
+```bash
+docker compose -f docker-compose.example.yml run --rm fedeo-device-agent scanimage -L
+```
+
+Wenn der Scanner nicht sichtbar ist, hilft je nach Gerät/Host manchmal `privileged: true` im Compose-Beispiel. Auf macOS ist Docker dafür nur eingeschränkt geeignet, weil Docker Desktop USB-Scanner normalerweise nicht direkt an Linux-Container durchreichen kann. Für macOS bleibt deshalb der native Agent oder später eine signierte App der bessere Weg.
+
+## Build
+
+```bash
+npm run build
+npm start
+```
+
+## FEDEO-Endpunkte
+
+Der Agent nutzt:
+
+- `POST /instance-agent/heartbeat`
+- `GET /instance-agent/scan-jobs/next`
+- `POST /instance-agent/scan-jobs/:id/status`
+- `POST /instance-agent/scan-jobs/:id/upload`
+
+## macOS Autostart
+
+Die Vorlage liegt unter `system/macos/com.fedeo.device-agent.plist`. Nach Anpassung der Pfade kann sie als LaunchAgent installiert werden:
+
+```bash
+mkdir -p ~/Library/LaunchAgents
+cp system/macos/com.fedeo.device-agent.plist ~/Library/LaunchAgents/
+launchctl load ~/Library/LaunchAgents/com.fedeo.device-agent.plist
+```
+
+## Linux Autostart
+
+Die Vorlage liegt unter `system/linux/fedeo-device-agent.service`.

agents/fedeo-device-agent/docker-compose.example.yml

@@ -0,0 +1,28 @@
+services:
+  fedeo-device-agent:
+    build:
+      context: .
+    image: fedeo-device-agent:local
+    container_name: fedeo-device-agent
+    restart: unless-stopped
+    env_file:
+      - .env
+    environment:
+      FEDEO_WORK_DIR: /work
+      FEDEO_SCAN_POSTPROCESS: "true"
+      FEDEO_SCAN_POSTPROCESS_PROFILE: receipt
+      FEDEO_SCAN_POSTPROCESS_PYTHON: /opt/fedeo-device-agent/.venv-opencv/bin/python
+      FEDEO_SCAN_POSTPROCESS_STRICT: "false"
+    volumes:
+      - fedeo-device-agent-work:/work
+      # Optional fuer CUPS-Druck ueber den Host:
+      # - /var/run/cups/cups.sock:/var/run/cups/cups.sock
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    devices:
+      - /dev/bus/usb:/dev/bus/usb
+    # Falls SANE den Scanner trotz devices-Mapping nicht sieht, testweise aktivieren:
+    # privileged: true
+
+volumes:
+  fedeo-device-agent-work:

agents/fedeo-device-agent/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "@fedeo/device-agent",
+  "version": "0.1.0",
+  "private": true,
+  "description": "Lokaler FEDEO Druck- und Scan-Agent für macOS, Linux und Raspberry Pi OS.",
+  "type": "module",
+  "main": "dist/main.js",
+  "bin": {
+    "fedeo-device-agent": "dist/main.js"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "dev": "tsx src/main.ts",
+    "start": "node dist/main.js",
+    "setup:opencv": "sh scripts/setup-opencv.sh"
+  },
+  "dependencies": {},
+  "devDependencies": {
+    "@types/node": "^24.3.0",
+    "tsx": "^4.20.5",
+    "typescript": "^5.9.2"
+  },
+  "engines": {
+    "node": ">=20"
+  }
+}

agents/fedeo-device-agent/requirements-opencv.txt

@@ -0,0 +1,3 @@
+opencv-python-headless>=4.9
+Pillow>=10.0
+numpy>=1.26

agents/fedeo-device-agent/scripts/opencv_postprocess.py

@@ -0,0 +1,219 @@
+#!/usr/bin/env python3
+import argparse
+import math
+from pathlib import Path
+
+import cv2
+import numpy as np
+from PIL import Image
+
+
+def order_points(points):
+    rect = np.zeros((4, 2), dtype="float32")
+    point_sum = points.sum(axis=1)
+    point_diff = np.diff(points, axis=1)
+
+    rect[0] = points[np.argmin(point_sum)]
+    rect[2] = points[np.argmax(point_sum)]
+    rect[1] = points[np.argmin(point_diff)]
+    rect[3] = points[np.argmax(point_diff)]
+    return rect
+
+
+def four_point_transform(image, points):
+    rect = order_points(points)
+    top_left, top_right, bottom_right, bottom_left = rect
+
+    width_a = np.linalg.norm(bottom_right - bottom_left)
+    width_b = np.linalg.norm(top_right - top_left)
+    max_width = int(max(width_a, width_b))
+
+    height_a = np.linalg.norm(top_right - bottom_right)
+    height_b = np.linalg.norm(top_left - bottom_left)
+    max_height = int(max(height_a, height_b))
+
+    destination = np.array([
+        [0, 0],
+        [max_width - 1, 0],
+        [max_width - 1, max_height - 1],
+        [0, max_height - 1],
+    ], dtype="float32")
+
+    matrix = cv2.getPerspectiveTransform(rect, destination)
+    return cv2.warpPerspective(image, matrix, (max_width, max_height), borderValue=(255, 255, 255))
+
+
+def rotate_bound(image, angle):
+    height, width = image.shape[:2]
+    center = (width / 2, height / 2)
+    matrix = cv2.getRotationMatrix2D(center, angle, 1.0)
+    cos = abs(matrix[0, 0])
+    sin = abs(matrix[0, 1])
+
+    new_width = int((height * sin) + (width * cos))
+    new_height = int((height * cos) + (width * sin))
+
+    matrix[0, 2] += (new_width / 2) - center[0]
+    matrix[1, 2] += (new_height / 2) - center[1]
+
+    return cv2.warpAffine(image, matrix, (new_width, new_height), borderValue=(255, 255, 255))
+
+
+def deskew_by_text_angle(image):
+    gray = cv2.cvtColor(image, cv2.COLOR_BGR2GRAY)
+    inverted = cv2.bitwise_not(gray)
+    threshold = cv2.threshold(inverted, 0, 255, cv2.THRESH_BINARY | cv2.THRESH_OTSU)[1]
+    coordinates = np.column_stack(np.where(threshold > 0))
+
+    if len(coordinates) < 500:
+        return image
+
+    angle = cv2.minAreaRect(coordinates)[-1]
+    if angle < -45:
+        angle = -(90 + angle)
+    else:
+        angle = -angle
+
+    if abs(angle) < 0.2 or abs(angle) > 8:
+        return image
+
+    return rotate_bound(image, angle)
+
+
+def find_document_contour(image, profile):
+    ratio = image.shape[0] / 900.0
+    resized = cv2.resize(image, (int(image.shape[1] / ratio), 900))
+    gray = cv2.cvtColor(resized, cv2.COLOR_BGR2GRAY)
+    gray = cv2.GaussianBlur(gray, (5, 5), 0)
+
+    edges = cv2.Canny(gray, 45, 140)
+    kernel = cv2.getStructuringElement(cv2.MORPH_RECT, (7, 7))
+    edges = cv2.morphologyEx(edges, cv2.MORPH_CLOSE, kernel)
+
+    contours, _ = cv2.findContours(edges, cv2.RETR_EXTERNAL, cv2.CHAIN_APPROX_SIMPLE)
+    contours = sorted(contours, key=cv2.contourArea, reverse=True)[:8]
+
+    min_area = resized.shape[0] * resized.shape[1] * (0.03 if profile == "receipt" else 0.12)
+
+    for contour in contours:
+        if cv2.contourArea(contour) < min_area:
+            continue
+
+        perimeter = cv2.arcLength(contour, True)
+        approx = cv2.approxPolyDP(contour, 0.025 * perimeter, True)
+        if len(approx) == 4:
+            return approx.reshape(4, 2) * ratio
+
+    return None
+
+
+def trim_light_border(image):
+    gray = cv2.cvtColor(image, cv2.COLOR_BGR2GRAY)
+    mask = cv2.threshold(gray, 245, 255, cv2.THRESH_BINARY_INV)[1]
+    kernel = cv2.getStructuringElement(cv2.MORPH_RECT, (9, 9))
+    mask = cv2.morphologyEx(mask, cv2.MORPH_CLOSE, kernel)
+
+    contours, _ = cv2.findContours(mask, cv2.RETR_EXTERNAL, cv2.CHAIN_APPROX_SIMPLE)
+    if not contours:
+        return image
+
+    contour = max(contours, key=cv2.contourArea)
+    if cv2.contourArea(contour) < image.shape[0] * image.shape[1] * 0.02:
+        return image
+
+    x, y, width, height = cv2.boundingRect(contour)
+    padding = max(12, int(min(width, height) * 0.025))
+    x = max(0, x - padding)
+    y = max(0, y - padding)
+    width = min(image.shape[1] - x, width + padding * 2)
+    height = min(image.shape[0] - y, height + padding * 2)
+    return image[y:y + height, x:x + width]
+
+
+def enhance_receipt(image):
+    gray = cv2.cvtColor(image, cv2.COLOR_BGR2GRAY)
+    clahe = cv2.createCLAHE(clipLimit=2.0, tileGridSize=(8, 8))
+    gray = clahe.apply(gray)
+    gray = cv2.fastNlMeansDenoising(gray, None, 8, 7, 21)
+    gray = cv2.normalize(gray, None, 0, 255, cv2.NORM_MINMAX)
+    return cv2.cvtColor(gray, cv2.COLOR_GRAY2BGR)
+
+
+def enhance_document(image):
+    lab = cv2.cvtColor(image, cv2.COLOR_BGR2LAB)
+    l_channel, a_channel, b_channel = cv2.split(lab)
+    clahe = cv2.createCLAHE(clipLimit=1.6, tileGridSize=(8, 8))
+    l_channel = clahe.apply(l_channel)
+    return cv2.cvtColor(cv2.merge((l_channel, a_channel, b_channel)), cv2.COLOR_LAB2BGR)
+
+
+def auto_rotate_profile(image, profile):
+    height, width = image.shape[:2]
+
+    if profile == "receipt" and width > height:
+        return cv2.rotate(image, cv2.ROTATE_90_CLOCKWISE)
+
+    return image
+
+
+def postprocess(input_path, output_path, profile):
+    image = cv2.imread(str(input_path), cv2.IMREAD_COLOR)
+    if image is None:
+        raise RuntimeError(f"OpenCV konnte {input_path} nicht lesen")
+
+    contour = find_document_contour(image, profile)
+    if contour is not None:
+        processed = four_point_transform(image, contour.astype("float32"))
+    else:
+        processed = trim_light_border(image)
+
+    processed = deskew_by_text_angle(processed)
+    processed = trim_light_border(processed)
+    processed = auto_rotate_profile(processed, profile)
+
+    if profile == "receipt":
+        processed = enhance_receipt(processed)
+    elif profile != "raw":
+        processed = enhance_document(processed)
+
+    save_output(processed, output_path)
+
+
+def save_output(image, output_path):
+    suffix = output_path.suffix.lower()
+
+    if suffix == ".pdf":
+        rgb = cv2.cvtColor(image, cv2.COLOR_BGR2RGB)
+        pil_image = Image.fromarray(rgb)
+        if pil_image.mode != "RGB":
+            pil_image = pil_image.convert("RGB")
+        pil_image.save(output_path, "PDF", resolution=300.0)
+        return
+
+    if suffix in {".jpg", ".jpeg"}:
+        cv2.imwrite(str(output_path), image, [cv2.IMWRITE_JPEG_QUALITY, 92])
+        return
+
+    if suffix == ".png":
+        cv2.imwrite(str(output_path), image, [cv2.IMWRITE_PNG_COMPRESSION, 3])
+        return
+
+    if suffix in {".tif", ".tiff"}:
+        cv2.imwrite(str(output_path), image)
+        return
+
+    raise RuntimeError(f"Nicht unterstütztes Ausgabeformat: {suffix}")
+
+
+def main():
+    parser = argparse.ArgumentParser(description="FEDEO Scan-Nachbearbeitung mit OpenCV")
+    parser.add_argument("--input", required=True)
+    parser.add_argument("--output", required=True)
+    parser.add_argument("--profile", default="document", choices=["document", "receipt", "raw"])
+    args = parser.parse_args()
+
+    postprocess(Path(args.input), Path(args.output), args.profile)
+
+
+if __name__ == "__main__":
+    main()

agents/fedeo-device-agent/scripts/setup-opencv.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env sh
+set -eu
+
+SCRIPT_DIR="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+AGENT_DIR="$(CDPATH= cd -- "$SCRIPT_DIR/.." && pwd)"
+VENV_DIR="${FEDEO_SCAN_POSTPROCESS_VENV:-$AGENT_DIR/.venv-opencv}"
+PYTHON_BIN="${PYTHON:-python3}"
+
+echo "FEDEO OpenCV-Umgebung wird vorbereitet"
+echo "Agent: $AGENT_DIR"
+echo "Venv:  $VENV_DIR"
+
+if ! command -v "$PYTHON_BIN" >/dev/null 2>&1; then
+  echo "Fehler: $PYTHON_BIN wurde nicht gefunden." >&2
+  exit 1
+fi
+
+"$PYTHON_BIN" -m venv "$VENV_DIR"
+"$VENV_DIR/bin/python" -m pip install --upgrade pip
+"$VENV_DIR/bin/python" -m pip install -r "$AGENT_DIR/requirements-opencv.txt"
+"$VENV_DIR/bin/python" -c "import cv2, PIL, numpy; print('OpenCV OK')"
+
+echo
+echo "Fertig. Verwende in .env:"
+echo "FEDEO_SCAN_POSTPROCESS=true"
+echo "FEDEO_SCAN_POSTPROCESS_PYTHON=$VENV_DIR/bin/python"

agents/fedeo-device-agent/src/api.ts

@@ -0,0 +1,67 @@
+import { readFile } from "node:fs/promises"
+import { basename } from "node:path"
+import { AgentConfig, AgentHeartbeat, NextScanJobResponse, ScanResult } from "./types.js"
+
+export class FedeoApi {
+    constructor(private readonly config: AgentConfig) {}
+
+    private url(path: string) {
+        return `${this.config.fedeoUrl}${path}`
+    }
+
+    private headers(extra?: HeadersInit): HeadersInit {
+        return {
+            "X-Agent-Token": this.config.agentToken,
+            ...extra,
+        }
+    }
+
+    private async request<T>(path: string, init: RequestInit = {}): Promise<T> {
+        const response = await fetch(this.url(path), {
+            ...init,
+            headers: this.headers(init.headers),
+        })
+
+        if (!response.ok) {
+            const body = await response.text().catch(() => "")
+            throw new Error(`${init.method || "GET"} ${path} fehlgeschlagen: ${response.status} ${body}`)
+        }
+
+        return await response.json() as T
+    }
+
+    heartbeat(payload: AgentHeartbeat) {
+        return this.request<{ status: string; pendingScanJobs: number }>("/instance-agent/heartbeat", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(payload),
+        })
+    }
+
+    nextScanJob() {
+        return this.request<NextScanJobResponse>("/instance-agent/scan-jobs/next")
+    }
+
+    updateScanJobStatus(jobId: string, status: "running" | "failed" | "canceled", message?: string) {
+        return this.request(`/instance-agent/scan-jobs/${jobId}/status`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ status, message }),
+        })
+    }
+
+    async uploadScan(jobId: string, result: ScanResult) {
+        const form = new FormData()
+        const fileBuffer = await readFile(result.path)
+        const file = new File([fileBuffer], result.filename || basename(result.path), {
+            type: result.mimeType,
+        })
+
+        form.append("file", file)
+
+        return this.request(`/instance-agent/scan-jobs/${jobId}/upload`, {
+            method: "POST",
+            body: form,
+        })
+    }
+}

agents/fedeo-device-agent/src/commands.ts

@@ -0,0 +1,48 @@
+import { spawn } from "node:child_process"
+
+export type CommandResult = {
+    stdout: string
+    stderr: string
+    code: number
+}
+
+export const commandExists = (command: string) =>
+    new Promise<boolean>((resolve) => {
+        const child = spawn("sh", ["-lc", `command -v ${command}`])
+        child.on("error", () => resolve(false))
+        child.on("close", (code) => resolve(code === 0))
+    })
+
+export const runCommand = (
+    command: string,
+    args: string[],
+    options: { timeoutMs?: number } = {}
+) =>
+    new Promise<CommandResult>((resolve, reject) => {
+        const child = spawn(command, args, {
+            stdio: ["ignore", "pipe", "pipe"],
+        })
+
+        const stdout: Buffer[] = []
+        const stderr: Buffer[] = []
+
+        const timeout = options.timeoutMs
+            ? setTimeout(() => {
+                child.kill("SIGTERM")
+                reject(new Error(`${command} wurde nach ${options.timeoutMs} ms beendet`))
+            }, options.timeoutMs)
+            : null
+
+        child.stdout.on("data", (chunk) => stdout.push(Buffer.from(chunk)))
+        child.stderr.on("data", (chunk) => stderr.push(Buffer.from(chunk)))
+        child.on("error", reject)
+        child.on("close", (code) => {
+            if (timeout) clearTimeout(timeout)
+
+            resolve({
+                stdout: Buffer.concat(stdout).toString("utf8"),
+                stderr: Buffer.concat(stderr).toString("utf8"),
+                code: code ?? 0,
+            })
+        })
+    })

agents/fedeo-device-agent/src/config.ts

@@ -0,0 +1,68 @@
+import path from "node:path"
+import os from "node:os"
+import { existsSync } from "node:fs"
+import { fileURLToPath } from "node:url"
+import { AgentConfig } from "./types.js"
+import { loadDotEnv } from "./env.js"
+
+const currentFile = fileURLToPath(import.meta.url)
+const agentRoot = path.resolve(path.dirname(currentFile), "..")
+
+const optional = (value: string | undefined) => {
+    const trimmed = value?.trim()
+    return trimmed ? trimmed : undefined
+}
+
+const numberFromEnv = (value: string | undefined, fallback: number) => {
+    if (!value) return fallback
+
+    const parsed = Number(value)
+    return Number.isFinite(parsed) && parsed > 0 ? parsed : fallback
+}
+
+const scanFormatFromEnv = (value: string | undefined): AgentConfig["scanFormat"] => {
+    if (value === "png" || value === "tiff" || value === "pdf") return value
+    return "pdf"
+}
+
+const booleanFromEnv = (value: string | undefined, fallback: boolean) => {
+    if (!value) return fallback
+    return ["1", "true", "yes", "ja", "on"].includes(value.trim().toLowerCase())
+}
+
+const postprocessProfileFromEnv = (value: string | undefined): AgentConfig["postprocessProfile"] => {
+    if (value === "document" || value === "receipt" || value === "raw") return value
+    return "document"
+}
+
+const defaultPostprocessPython = () => {
+    const localVenvPython = path.join(agentRoot, ".venv-opencv", "bin", "python")
+    return existsSync(localVenvPython) ? localVenvPython : "python3"
+}
+
+export const loadConfig = (): AgentConfig => {
+    loadDotEnv(process.env.FEDEO_AGENT_ENV || ".env")
+
+    const fedeoUrl = optional(process.env.FEDEO_URL)
+    const agentToken = optional(process.env.FEDEO_AGENT_TOKEN)
+
+    if (!fedeoUrl) throw new Error("FEDEO_URL fehlt")
+    if (!agentToken) throw new Error("FEDEO_AGENT_TOKEN fehlt")
+
+    return {
+        fedeoUrl: fedeoUrl.replace(/\/+$/, ""),
+        agentToken,
+        pollSeconds: numberFromEnv(process.env.FEDEO_POLL_SECONDS, 5),
+        workDir: optional(process.env.FEDEO_WORK_DIR) || path.join(os.tmpdir(), "fedeo-device-agent"),
+        scannerName: optional(process.env.FEDEO_SCANNER_NAME),
+        printerName: optional(process.env.FEDEO_PRINTER_NAME),
+        scanFormat: scanFormatFromEnv(process.env.FEDEO_SCAN_FORMAT),
+        scanResolution: numberFromEnv(process.env.FEDEO_SCAN_RESOLUTION, 300),
+        scanMode: optional(process.env.FEDEO_SCAN_MODE) || "Color",
+        scanSource: optional(process.env.FEDEO_SCAN_SOURCE),
+        scanPostprocess: booleanFromEnv(process.env.FEDEO_SCAN_POSTPROCESS, false),
+        postprocessProfile: postprocessProfileFromEnv(process.env.FEDEO_SCAN_POSTPROCESS_PROFILE),
+        postprocessPython: optional(process.env.FEDEO_SCAN_POSTPROCESS_PYTHON) || defaultPostprocessPython(),
+        postprocessStrict: booleanFromEnv(process.env.FEDEO_SCAN_POSTPROCESS_STRICT, false),
+    }
+}

agents/fedeo-device-agent/src/env.ts

@@ -0,0 +1,32 @@
+import { readFileSync, existsSync } from "node:fs"
+
+const parseEnvLine = (line: string) => {
+    const trimmed = line.trim()
+    if (!trimmed || trimmed.startsWith("#")) return null
+
+    const separator = trimmed.indexOf("=")
+    if (separator === -1) return null
+
+    const key = trimmed.slice(0, separator).trim()
+    let value = trimmed.slice(separator + 1).trim()
+
+    if (
+        (value.startsWith("\"") && value.endsWith("\"")) ||
+        (value.startsWith("'") && value.endsWith("'"))
+    ) {
+        value = value.slice(1, -1)
+    }
+
+    return { key, value }
+}
+
+export const loadDotEnv = (path = ".env") => {
+    if (!existsSync(path)) return
+
+    const content = readFileSync(path, "utf8")
+    for (const line of content.split(/\r?\n/)) {
+        const parsed = parseEnvLine(line)
+        if (!parsed) continue
+        if (process.env[parsed.key] === undefined) process.env[parsed.key] = parsed.value
+    }
+}

agents/fedeo-device-agent/src/logger.ts

@@ -0,0 +1,30 @@
+const timestamp = () => new Date().toISOString()
+
+export const log = {
+    info(message: string, meta?: unknown) {
+        if (meta === undefined) {
+            console.log(`[${timestamp()}] INFO ${message}`)
+            return
+        }
+
+        console.log(`[${timestamp()}] INFO ${message}`, meta)
+    },
+
+    warn(message: string, meta?: unknown) {
+        if (meta === undefined) {
+            console.warn(`[${timestamp()}] WARN ${message}`)
+            return
+        }
+
+        console.warn(`[${timestamp()}] WARN ${message}`, meta)
+    },
+
+    error(message: string, meta?: unknown) {
+        if (meta === undefined) {
+            console.error(`[${timestamp()}] ERROR ${message}`)
+            return
+        }
+
+        console.error(`[${timestamp()}] ERROR ${message}`, meta)
+    },
+}

agents/fedeo-device-agent/src/main.ts

@@ -0,0 +1,93 @@
+#!/usr/bin/env node
+import os from "node:os"
+import { FedeoApi } from "./api.js"
+import { loadConfig } from "./config.js"
+import { log } from "./logger.js"
+import { listPrinters } from "./print/cups.js"
+import { hasSane, listScanners, runScan } from "./scan/sane.js"
+
+const sleep = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms))
+
+const stringifyError = (error: unknown) => {
+    if (error instanceof Error) return error.message
+    return String(error)
+}
+
+const main = async () => {
+    const config = loadConfig()
+    const api = new FedeoApi(config)
+
+    log.info("FEDEO Geräte-Agent startet", {
+        platform: process.platform,
+        workDir: config.workDir,
+        pollSeconds: config.pollSeconds,
+    })
+
+    while (true) {
+        try {
+            const scannerNames = await listScanners()
+            const printerNames = await listPrinters()
+            const scanAvailable = await hasSane()
+
+            const heartbeat = await api.heartbeat({
+                capabilities: {
+                    scan: scanAvailable,
+                    print: printerNames.length > 0,
+                    platform: process.platform,
+                },
+                scannerNames,
+                printerNames,
+                debugInfo: {
+                    hostname: os.hostname(),
+                    release: os.release(),
+                    arch: os.arch(),
+                    node: process.version,
+                    uptimeSeconds: Math.round(os.uptime()),
+                },
+            })
+
+            if (heartbeat.pendingScanJobs > 0) {
+                log.info(`${heartbeat.pendingScanJobs} Scan-Auftrag/Aufträge warten`)
+            }
+
+            const next = await api.nextScanJob()
+            if (!next.job) {
+                await sleep(config.pollSeconds * 1000)
+                continue
+            }
+
+            log.info("Scan-Auftrag wird ausgeführt", {
+                jobId: next.job.id,
+                tenantId: next.job.tenantId,
+                scannerName: next.job.scannerName || config.scannerName || "default",
+            })
+
+            try {
+                await api.updateScanJobStatus(next.job.id, "running")
+                const scanResult = await runScan(config, next.job)
+                await api.uploadScan(next.job.id, scanResult)
+
+                log.info("Scan-Auftrag abgeschlossen", {
+                    jobId: next.job.id,
+                    file: scanResult.filename,
+                })
+            } catch (error) {
+                const message = stringifyError(error)
+                log.error("Scan-Auftrag fehlgeschlagen", {
+                    jobId: next.job.id,
+                    message,
+                })
+
+                await api.updateScanJobStatus(next.job.id, "failed", message)
+            }
+        } catch (error) {
+            log.error("Agent-Schleife fehlgeschlagen", stringifyError(error))
+            await sleep(config.pollSeconds * 1000)
+        }
+    }
+}
+
+main().catch((error) => {
+    log.error("Agent konnte nicht gestartet werden", stringifyError(error))
+    process.exit(1)
+})

agents/fedeo-device-agent/src/print/cups.ts

@@ -0,0 +1,15 @@
+import { commandExists, runCommand } from "../commands.js"
+
+export const hasCups = () => commandExists("lpstat")
+
+export const listPrinters = async () => {
+    if (!await hasCups()) return []
+
+    const result = await runCommand("lpstat", ["-p"], { timeoutMs: 10_000 })
+    if (result.code !== 0) return []
+
+    return result.stdout
+        .split(/\r?\n/)
+        .map((line) => line.match(/^printer\s+(\S+)/)?.[1])
+        .filter((printer): printer is string => Boolean(printer))
+}

agents/fedeo-device-agent/src/scan/postprocess.ts

@@ -0,0 +1,66 @@
+import path from "node:path"
+import { fileURLToPath } from "node:url"
+import { AgentConfig, ScanResult } from "../types.js"
+import { commandExists, runCommand } from "../commands.js"
+
+const currentFile = fileURLToPath(import.meta.url)
+const agentRoot = path.resolve(path.dirname(currentFile), "../..")
+const postprocessScript = path.join(agentRoot, "scripts/opencv_postprocess.py")
+
+const extensionMimeTypes: Record<string, string> = {
+    ".pdf": "application/pdf",
+    ".png": "image/png",
+    ".tif": "image/tiff",
+    ".tiff": "image/tiff",
+    ".jpg": "image/jpeg",
+    ".jpeg": "image/jpeg",
+}
+
+const ensureOutputExtension = (filename: string, format: AgentConfig["scanFormat"]) => {
+    const ext = path.extname(filename)
+    if (ext) return filename
+    return `${filename}.${format}`
+}
+
+export const hasOpenCvPostprocessRuntime = async (config: AgentConfig) => {
+    if (!await commandExists(config.postprocessPython)) return false
+
+    const result = await runCommand(config.postprocessPython, [
+        "-c",
+        "import cv2, PIL, numpy",
+    ], { timeoutMs: 10_000 })
+
+    return result.code === 0
+}
+
+export const postprocessScan = async (
+    config: AgentConfig,
+    inputPath: string,
+    outputFilename: string,
+    outputFormat: AgentConfig["scanFormat"],
+    profile: AgentConfig["postprocessProfile"]
+): Promise<ScanResult> => {
+    const filename = ensureOutputExtension(outputFilename, outputFormat)
+    const outputPath = path.join(config.workDir, filename)
+
+    const result = await runCommand(config.postprocessPython, [
+        postprocessScript,
+        "--input",
+        inputPath,
+        "--output",
+        outputPath,
+        "--profile",
+        profile,
+    ], { timeoutMs: 5 * 60 * 1000 })
+
+    if (result.code !== 0) {
+        throw new Error(result.stderr || `OpenCV-Nachbearbeitung wurde mit Code ${result.code} beendet`)
+    }
+
+    const extension = path.extname(outputPath).toLowerCase()
+    return {
+        path: outputPath,
+        filename,
+        mimeType: extensionMimeTypes[extension] || "application/octet-stream",
+    }
+}

agents/fedeo-device-agent/src/scan/sane.ts

@@ -0,0 +1,149 @@
+import { mkdirSync } from "node:fs"
+import path from "node:path"
+import { AgentConfig, ScanJob, ScanResult } from "../types.js"
+import { commandExists, runCommand } from "../commands.js"
+import { hasOpenCvPostprocessRuntime, postprocessScan } from "./postprocess.js"
+import { log } from "../logger.js"
+
+const mimeTypes = {
+    pdf: "application/pdf",
+    png: "image/png",
+    tiff: "image/tiff",
+}
+
+const stringSetting = (settings: Record<string, unknown> | undefined, key: string) => {
+    const value = settings?.[key]
+    return typeof value === "string" && value.trim() ? value.trim() : undefined
+}
+
+const numberSetting = (settings: Record<string, unknown> | undefined, key: string) => {
+    const value = settings?.[key]
+    if (typeof value === "number" && Number.isFinite(value)) return value
+    if (typeof value === "string" && value.trim()) {
+        const parsed = Number(value)
+        if (Number.isFinite(parsed)) return parsed
+    }
+
+    return undefined
+}
+
+const booleanSetting = (settings: Record<string, unknown> | undefined, key: string, fallback: boolean) => {
+    const value = settings?.[key]
+    if (typeof value === "boolean") return value
+    if (typeof value === "string") return ["1", "true", "yes", "ja", "on"].includes(value.trim().toLowerCase())
+    return fallback
+}
+
+const profileSetting = (
+    settings: Record<string, unknown> | undefined,
+    fallback: AgentConfig["postprocessProfile"]
+): AgentConfig["postprocessProfile"] => {
+    const value = settings?.postprocessProfile
+    if (value === "document" || value === "receipt" || value === "raw") return value
+    return fallback
+}
+
+const ensureFilenameExtension = (filename: string, format: AgentConfig["scanFormat"]) => {
+    const ext = path.extname(filename)
+    if (!ext) return `${filename}.${format}`
+
+    const expectedExt = `.${format}`
+    if (ext.toLowerCase() === expectedExt) return filename
+    return `${filename.slice(0, -ext.length)}${expectedExt}`
+}
+
+const fallbackRawResult = (scanOutputPath: string, jobId: string): ScanResult => ({
+    path: scanOutputPath,
+    filename: `${jobId}.raw.png`,
+    mimeType: "image/png",
+})
+
+export const hasSane = () => commandExists("scanimage")
+
+export const listScanners = async () => {
+    if (!await hasSane()) return []
+
+    const result = await runCommand("scanimage", ["-L"], { timeoutMs: 10_000 })
+    if (result.code !== 0) return []
+
+    return result.stdout
+        .split(/\r?\n/)
+        .map((line) => line.trim())
+        .filter((line) => line.startsWith("device `"))
+        .map((line) => line.match(/device `([^']+)'/)?.[1])
+        .filter((device): device is string => Boolean(device))
+}
+
+export const runScan = async (config: AgentConfig, job: ScanJob): Promise<ScanResult> => {
+    if (!await hasSane()) {
+        throw new Error("scanimage ist nicht installiert oder nicht im PATH")
+    }
+
+    mkdirSync(config.workDir, { recursive: true })
+
+    const settings = job.settings || {}
+    const format = stringSetting(settings, "format") as AgentConfig["scanFormat"] | undefined || config.scanFormat
+    const resolution = numberSetting(settings, "resolution") || config.scanResolution
+    const mode = stringSetting(settings, "mode") || config.scanMode
+    const source = stringSetting(settings, "source") || config.scanSource
+    const scannerName = job.scannerName || config.scannerName
+    const filename = ensureFilenameExtension(job.requestedFilename || `${job.id}.${format}`, format)
+    const outputPath = path.join(config.workDir, filename)
+    const shouldPostprocess = booleanSetting(settings, "postprocess", config.scanPostprocess)
+    const postprocessProfile = profileSetting(settings, config.postprocessProfile)
+    const scanFormat = shouldPostprocess ? "png" : format
+    const scanOutputPath = shouldPostprocess
+        ? path.join(config.workDir, `${job.id}.raw.png`)
+        : outputPath
+
+    const args = [
+        "--format",
+        scanFormat,
+        "--resolution",
+        String(resolution),
+        "--mode",
+        mode,
+        "--output-file",
+        scanOutputPath,
+    ]
+
+    if (source) args.push("--source", source)
+    if (scannerName) args.push("--device-name", scannerName)
+
+    const result = await runCommand("scanimage", args, { timeoutMs: 5 * 60 * 1000 })
+
+    if (result.code !== 0) {
+        throw new Error(result.stderr || `scanimage wurde mit Code ${result.code} beendet`)
+    }
+
+    if (shouldPostprocess) {
+        if (!await hasOpenCvPostprocessRuntime(config)) {
+            const message = "OpenCV-Nachbearbeitung ist aktiviert, aber python3 mit cv2, Pillow und numpy ist nicht verfügbar"
+            if (config.postprocessStrict) throw new Error(message)
+
+            log.warn(`${message}. Rohscan wird ohne Korrektur hochgeladen.`, {
+                jobId: job.id,
+                python: config.postprocessPython,
+            })
+            return fallbackRawResult(scanOutputPath, job.id)
+        }
+
+        try {
+            return await postprocessScan(config, scanOutputPath, filename, format, postprocessProfile)
+        } catch (error) {
+            if (config.postprocessStrict) throw error
+
+            log.warn("OpenCV-Nachbearbeitung fehlgeschlagen. Rohscan wird ohne Korrektur hochgeladen.", {
+                jobId: job.id,
+                error: error instanceof Error ? error.message : String(error),
+            })
+            return fallbackRawResult(scanOutputPath, job.id)
+        }
+    }
+
+    return {
+        path: outputPath,
+        filename,
+        mimeType: mimeTypes[format] || "application/octet-stream",
+    }
+}

agents/fedeo-device-agent/src/types.ts

@@ -0,0 +1,48 @@
+export type AgentConfig = {
+    fedeoUrl: string
+    agentToken: string
+    pollSeconds: number
+    workDir: string
+    scannerName?: string
+    printerName?: string
+    scanFormat: "pdf" | "png" | "tiff"
+    scanResolution: number
+    scanMode: string
+    scanSource?: string
+    scanPostprocess: boolean
+    postprocessProfile: "document" | "receipt" | "raw"
+    postprocessPython: string
+    postprocessStrict: boolean
+}
+
+export type AgentHeartbeat = {
+    capabilities: {
+        scan: boolean
+        print: boolean
+        platform: NodeJS.Platform
+    }
+    scannerNames: string[]
+    printerNames: string[]
+    debugInfo: Record<string, unknown>
+}
+
+export type ScanJob = {
+    id: string
+    tenantId: number
+    agentId: string
+    status: string
+    scannerName?: string | null
+    requestedFilename?: string | null
+    settings?: Record<string, unknown>
+    target?: Record<string, unknown>
+}
+
+export type NextScanJobResponse = {
+    job: ScanJob | null
+}
+
+export type ScanResult = {
+    path: string
+    filename: string
+    mimeType: string
+}

agents/fedeo-device-agent/system/linux/fedeo-device-agent.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=FEDEO Geräte-Agent
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+EnvironmentFile=/etc/fedeo-device-agent/config.env
+WorkingDirectory=/opt/fedeo-device-agent
+ExecStart=/usr/bin/node /opt/fedeo-device-agent/dist/main.js
+Restart=always
+RestartSec=5
+User=fedeo-agent
+
+[Install]
+WantedBy=multi-user.target

agents/fedeo-device-agent/system/macos/com.fedeo.device-agent.plist

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>com.fedeo.device-agent</string>
+
+  <key>ProgramArguments</key>
+  <array>
+    <string>/usr/local/bin/node</string>
+    <string>/opt/fedeo-device-agent/dist/main.js</string>
+  </array>
+
+  <key>EnvironmentVariables</key>
+  <dict>
+    <key>FEDEO_AGENT_ENV</key>
+    <string>/opt/fedeo-device-agent/.env</string>
+  </dict>
+
+  <key>RunAtLoad</key>
+  <true/>
+
+  <key>KeepAlive</key>
+  <true/>
+
+  <key>StandardOutPath</key>
+  <string>/tmp/fedeo-device-agent.log</string>
+
+  <key>StandardErrorPath</key>
+  <string>/tmp/fedeo-device-agent.err.log</string>
+</dict>
+</plist>

agents/fedeo-device-agent/tsconfig.json

@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "lib": ["ES2022", "DOM"],
+    "types": ["node"],
+    "typeRoots": ["../../backend/node_modules/@types"],
+    "rootDir": "src",
+    "outDir": "dist",
+    "strict": true,
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "skipLibCheck": true
+  },
+  "include": ["src/**/*.ts"]
+}

backend/Dockerfile

@@ -12,8 +12,10 @@ RUN apt-get update \
 # Package-Dateien
 COPY package*.json ./
 
-# Dev + Prod Dependencies (für TS-Build nötig)
-RUN npm install
+# Dev + Prod Dependencies (für TS-Build nötig).
+# Sharp benötigt im Linux-Container native optionale Pakete, auch wenn das Lockfile auf macOS erzeugt wurde.
+RUN npm install --include=optional \
+    && npm install --include=optional --os=linux --cpu=x64 sharp
 
 # Restlicher Sourcecode
 COPY . .
@@ -24,5 +26,5 @@ RUN npm run build
 # Port freigeben
 EXPOSE 3100
 
-# Start der App
-CMD ["node", "dist/src/index.js"]
+# Migrationen ausführen und App starten
+CMD ["sh", "./docker-entrypoint.sh"]

backend/db/migrations/0005_green_shinobi_shaw.sql

@@ -14,26 +14,6 @@ CREATE TABLE "m2m_api_keys" (
 	CONSTRAINT "m2m_api_keys_key_hash_unique" UNIQUE("key_hash")
 );
 --> statement-breakpoint
-CREATE TABLE "staff_time_events" (
-	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
-	"tenant_id" bigint NOT NULL,
-	"user_id" uuid NOT NULL,
-	"actor_type" text NOT NULL,
-	"actor_user_id" uuid,
-	"event_time" timestamp with time zone NOT NULL,
-	"event_type" text NOT NULL,
-	"source" text NOT NULL,
-	"invalidates_event_id" uuid,
-	"related_event_id" uuid,
-	"metadata" jsonb,
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
-	CONSTRAINT "time_events_actor_user_check" CHECK (
-        (actor_type = 'system' AND actor_user_id IS NULL)
-        OR
-        (actor_type = 'user' AND actor_user_id IS NOT NULL)
-      )
-);
---> statement-breakpoint
 CREATE TABLE "serialtypes" (
 	"id" bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY (sequence name "serialtypes_id_seq" INCREMENT BY 1 MINVALUE 1 MAXVALUE 9223372036854775807 START WITH 1 CACHE 1),
 	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
@@ -89,20 +69,15 @@ CREATE TABLE "wiki_pages" (
 	"updated_by" uuid
 );
 --> statement-breakpoint
-ALTER TABLE "time_events" DISABLE ROW LEVEL SECURITY;--> statement-breakpoint
-DROP TABLE "time_events" CASCADE;--> statement-breakpoint
 ALTER TABLE "projects" ALTER COLUMN "active_phase" SET DEFAULT 'Erstkontakt';--> statement-breakpoint
 ALTER TABLE "createddocuments" ADD COLUMN "serialexecution" uuid;--> statement-breakpoint
 ALTER TABLE "devices" ADD COLUMN "last_seen" timestamp with time zone;--> statement-breakpoint
 ALTER TABLE "devices" ADD COLUMN "last_debug_info" jsonb;--> statement-breakpoint
 ALTER TABLE "files" ADD COLUMN "size" bigint;--> statement-breakpoint
+ALTER TABLE "staff_time_events" ADD COLUMN "related_event_id" uuid;--> statement-breakpoint
 ALTER TABLE "m2m_api_keys" ADD CONSTRAINT "m2m_api_keys_tenant_id_tenants_id_fk" FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "m2m_api_keys" ADD CONSTRAINT "m2m_api_keys_user_id_auth_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."auth_users"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "m2m_api_keys" ADD CONSTRAINT "m2m_api_keys_created_by_auth_users_id_fk" FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id") ON DELETE set null ON UPDATE cascade;--> statement-breakpoint
-ALTER TABLE "staff_time_events" ADD CONSTRAINT "staff_time_events_tenant_id_tenants_id_fk" FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "staff_time_events" ADD CONSTRAINT "staff_time_events_user_id_auth_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "staff_time_events" ADD CONSTRAINT "staff_time_events_actor_user_id_auth_users_id_fk" FOREIGN KEY ("actor_user_id") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "staff_time_events" ADD CONSTRAINT "staff_time_events_invalidates_event_id_staff_time_events_id_fk" FOREIGN KEY ("invalidates_event_id") REFERENCES "public"."staff_time_events"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "staff_time_events" ADD CONSTRAINT "staff_time_events_related_event_id_staff_time_events_id_fk" FOREIGN KEY ("related_event_id") REFERENCES "public"."staff_time_events"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "serialtypes" ADD CONSTRAINT "serialtypes_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "serialtypes" ADD CONSTRAINT "serialtypes_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
@@ -113,11 +88,8 @@ ALTER TABLE "wiki_pages" ADD CONSTRAINT "wiki_pages_tenant_id_tenants_id_fk" FOR
 ALTER TABLE "wiki_pages" ADD CONSTRAINT "wiki_pages_parent_id_wiki_pages_id_fk" FOREIGN KEY ("parent_id") REFERENCES "public"."wiki_pages"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "wiki_pages" ADD CONSTRAINT "wiki_pages_created_by_auth_users_id_fk" FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "wiki_pages" ADD CONSTRAINT "wiki_pages_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-CREATE INDEX "idx_time_events_tenant_user_time" ON "staff_time_events" USING btree ("tenant_id","user_id","event_time");--> statement-breakpoint
-CREATE INDEX "idx_time_events_created_at" ON "staff_time_events" USING btree ("created_at");--> statement-breakpoint
-CREATE INDEX "idx_time_events_invalidates" ON "staff_time_events" USING btree ("invalidates_event_id");--> statement-breakpoint
 CREATE INDEX "wiki_pages_tenant_idx" ON "wiki_pages" USING btree ("tenant_id");--> statement-breakpoint
 CREATE INDEX "wiki_pages_parent_idx" ON "wiki_pages" USING btree ("parent_id");--> statement-breakpoint
 CREATE INDEX "wiki_pages_entity_int_idx" ON "wiki_pages" USING btree ("tenant_id","entity_type","entity_id");--> statement-breakpoint
 CREATE INDEX "wiki_pages_entity_uuid_idx" ON "wiki_pages" USING btree ("tenant_id","entity_type","entity_uuid");--> statement-breakpoint
-ALTER TABLE "createddocuments" ADD CONSTRAINT "createddocuments_serialexecution_serial_executions_id_fk" FOREIGN KEY ("serialexecution") REFERENCES "public"."serial_executions"("id") ON DELETE no action ON UPDATE no action;
+ALTER TABLE "createddocuments" ADD CONSTRAINT "createddocuments_serialexecution_serial_executions_id_fk" FOREIGN KEY ("serialexecution") REFERENCES "public"."serial_executions"("id") ON DELETE no action ON UPDATE no action;

backend/db/migrations/0017_slow_the_hood.sql

@@ -1,108 +1 @@
-CREATE TABLE "contracttypes" (
-	"id" bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY (sequence name "contracttypes_id_seq" INCREMENT BY 1 MINVALUE 1 MAXVALUE 9223372036854775807 START WITH 1 CACHE 1),
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
-	"tenant" bigint NOT NULL,
-	"name" text NOT NULL,
-	"description" text,
-	"paymentType" text,
-	"recurring" boolean DEFAULT false NOT NULL,
-	"billingInterval" text,
-	"archived" boolean DEFAULT false NOT NULL,
-	"updated_at" timestamp with time zone,
-	"updated_by" uuid
-);
---> statement-breakpoint
-CREATE TABLE "customerinventoryitems" (
-	"id" bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY (sequence name "customerinventoryitems_id_seq" INCREMENT BY 1 MINVALUE 1 MAXVALUE 9223372036854775807 START WITH 1 CACHE 1),
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
-	"name" text NOT NULL,
-	"description" text,
-	"tenant" bigint NOT NULL,
-	"customer" bigint NOT NULL,
-	"customerspace" bigint,
-	"customerInventoryId" text NOT NULL,
-	"serialNumber" text,
-	"quantity" bigint DEFAULT 0 NOT NULL,
-	"manufacturer" text,
-	"manufacturerNumber" text,
-	"purchaseDate" date,
-	"purchasePrice" double precision DEFAULT 0,
-	"currentValue" double precision,
-	"product" bigint,
-	"vendor" bigint,
-	"archived" boolean DEFAULT false NOT NULL,
-	"updated_at" timestamp with time zone,
-	"updated_by" uuid
-);
---> statement-breakpoint
-CREATE TABLE "customerspaces" (
-	"id" bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY (sequence name "customerspaces_id_seq" INCREMENT BY 1 MINVALUE 1 MAXVALUE 9223372036854775807 START WITH 1 CACHE 1),
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
-	"name" text NOT NULL,
-	"type" text NOT NULL,
-	"tenant" bigint NOT NULL,
-	"customer" bigint NOT NULL,
-	"spaceNumber" text NOT NULL,
-	"parentSpace" bigint,
-	"infoData" jsonb DEFAULT '{"zip":"","city":"","streetNumber":""}'::jsonb NOT NULL,
-	"description" text,
-	"archived" boolean DEFAULT false NOT NULL,
-	"updated_at" timestamp with time zone,
-	"updated_by" uuid
-);
---> statement-breakpoint
-CREATE TABLE "entitybankaccounts" (
-	"id" bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY (sequence name "entitybankaccounts_id_seq" INCREMENT BY 1 MINVALUE 1 MAXVALUE 9223372036854775807 START WITH 1 CACHE 1),
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
-	"tenant" bigint NOT NULL,
-	"iban_encrypted" jsonb NOT NULL,
-	"bic_encrypted" jsonb NOT NULL,
-	"bank_name_encrypted" jsonb NOT NULL,
-	"description" text,
-	"updated_at" timestamp with time zone,
-	"updated_by" uuid,
-	"archived" boolean DEFAULT false NOT NULL
-);
---> statement-breakpoint
-CREATE TABLE "memberrelations" (
-	"id" bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY (sequence name "memberrelations_id_seq" INCREMENT BY 1 MINVALUE 1 MAXVALUE 9223372036854775807 START WITH 1 CACHE 1),
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
-	"tenant" bigint NOT NULL,
-	"type" text NOT NULL,
-	"billingInterval" text NOT NULL,
-	"billingAmount" double precision DEFAULT 0 NOT NULL,
-	"archived" boolean DEFAULT false NOT NULL,
-	"updated_at" timestamp with time zone,
-	"updated_by" uuid
-);
---> statement-breakpoint
-ALTER TABLE "tenants" ALTER COLUMN "numberRanges" SET DEFAULT '{"vendors":{"prefix":"","suffix":"","nextNumber":10000},"customers":{"prefix":"","suffix":"","nextNumber":10000},"products":{"prefix":"AT-","suffix":"","nextNumber":1000},"quotes":{"prefix":"AN-","suffix":"","nextNumber":1000},"confirmationOrders":{"prefix":"AB-","suffix":"","nextNumber":1000},"invoices":{"prefix":"RE-","suffix":"","nextNumber":1000},"spaces":{"prefix":"LP-","suffix":"","nextNumber":1000},"customerspaces":{"prefix":"KLP-","suffix":"","nextNumber":1000},"inventoryitems":{"prefix":"IA-","suffix":"","nextNumber":1000},"customerinventoryitems":{"prefix":"KIA-","suffix":"","nextNumber":1000},"projects":{"prefix":"PRJ-","suffix":"","nextNumber":1000},"costcentres":{"prefix":"KST-","suffix":"","nextNumber":1000}}'::jsonb;--> statement-breakpoint
-ALTER TABLE "contracts" ADD COLUMN "contracttype" bigint;--> statement-breakpoint
-ALTER TABLE "contracts" ADD COLUMN "billingInterval" text;--> statement-breakpoint
-ALTER TABLE "customers" ADD COLUMN "customTaxType" text;--> statement-breakpoint
-ALTER TABLE "customers" ADD COLUMN "memberrelation" bigint;--> statement-breakpoint
-ALTER TABLE "historyitems" ADD COLUMN "customerspace" bigint;--> statement-breakpoint
-ALTER TABLE "historyitems" ADD COLUMN "customerinventoryitem" bigint;--> statement-breakpoint
-ALTER TABLE "historyitems" ADD COLUMN "memberrelation" bigint;--> statement-breakpoint
-ALTER TABLE "services" ADD COLUMN "priceUpdateLocked" boolean DEFAULT false NOT NULL;--> statement-breakpoint
-ALTER TABLE "contracttypes" ADD CONSTRAINT "contracttypes_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "contracttypes" ADD CONSTRAINT "contracttypes_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerinventoryitems" ADD CONSTRAINT "customerinventoryitems_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerinventoryitems" ADD CONSTRAINT "customerinventoryitems_customer_customers_id_fk" FOREIGN KEY ("customer") REFERENCES "public"."customers"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerinventoryitems" ADD CONSTRAINT "customerinventoryitems_customerspace_customerspaces_id_fk" FOREIGN KEY ("customerspace") REFERENCES "public"."customerspaces"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerinventoryitems" ADD CONSTRAINT "customerinventoryitems_product_products_id_fk" FOREIGN KEY ("product") REFERENCES "public"."products"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerinventoryitems" ADD CONSTRAINT "customerinventoryitems_vendor_vendors_id_fk" FOREIGN KEY ("vendor") REFERENCES "public"."vendors"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerinventoryitems" ADD CONSTRAINT "customerinventoryitems_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerspaces" ADD CONSTRAINT "customerspaces_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerspaces" ADD CONSTRAINT "customerspaces_customer_customers_id_fk" FOREIGN KEY ("customer") REFERENCES "public"."customers"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerspaces" ADD CONSTRAINT "customerspaces_parentSpace_customerspaces_id_fk" FOREIGN KEY ("parentSpace") REFERENCES "public"."customerspaces"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerspaces" ADD CONSTRAINT "customerspaces_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "entitybankaccounts" ADD CONSTRAINT "entitybankaccounts_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "entitybankaccounts" ADD CONSTRAINT "entitybankaccounts_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "memberrelations" ADD CONSTRAINT "memberrelations_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "memberrelations" ADD CONSTRAINT "memberrelations_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "contracts" ADD CONSTRAINT "contracts_contracttype_contracttypes_id_fk" FOREIGN KEY ("contracttype") REFERENCES "public"."contracttypes"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customers" ADD CONSTRAINT "customers_memberrelation_memberrelations_id_fk" FOREIGN KEY ("memberrelation") REFERENCES "public"."memberrelations"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "historyitems" ADD CONSTRAINT "historyitems_customerspace_customerspaces_id_fk" FOREIGN KEY ("customerspace") REFERENCES "public"."customerspaces"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "historyitems" ADD CONSTRAINT "historyitems_customerinventoryitem_customerinventoryitems_id_fk" FOREIGN KEY ("customerinventoryitem") REFERENCES "public"."customerinventoryitems"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "historyitems" ADD CONSTRAINT "historyitems_memberrelation_memberrelations_id_fk" FOREIGN KEY ("memberrelation") REFERENCES "public"."memberrelations"("id") ON DELETE no action ON UPDATE no action;
+-- Absichtlich leer: Die Objekte aus dieser generierten Migration existieren bereits in früheren Migrationen.

backend/db/migrations/0034_events_color.sql

@@ -0,0 +1,8 @@
+ALTER TABLE "events" ADD COLUMN "color" text;
+
+UPDATE "events" AS e
+SET "color" = COALESCE(t."calendarConfig"->'quickEntry'->>'color', '#2563eb')
+FROM "tenants" AS t
+WHERE e."tenant" = t."id"
+  AND e."quick" = true
+  AND e."color" IS NULL;

backend/db/migrations/0034_profile_availability_note.sql

@@ -1,2 +1,2 @@
 ALTER TABLE "auth_profiles"
-ADD COLUMN "availability_note" text;
+ADD COLUMN IF NOT EXISTS "availability_note" text;

backend/db/migrations/0037_outgoing_sepa_mandates.sql

@@ -0,0 +1,53 @@
+CREATE TABLE "outgoingsepamandates" (
+	"id" bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY (sequence name "outgoingsepamandates_id_seq" INCREMENT BY 1 MINVALUE 1 MAXVALUE 9223372036854775807 START WITH 1 CACHE 1),
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"tenant" bigint NOT NULL,
+	"customer" bigint NOT NULL,
+	"bankaccount" bigint NOT NULL,
+	"reference" text NOT NULL,
+	"status" text DEFAULT 'Entwurf' NOT NULL,
+	"mandate_type" text DEFAULT 'CORE' NOT NULL,
+	"sequence_type" text DEFAULT 'RCUR' NOT NULL,
+	"signed_at" timestamp with time zone,
+	"valid_from" timestamp with time zone,
+	"valid_until" timestamp with time zone,
+	"default_mandate" boolean DEFAULT false NOT NULL,
+	"notes" text,
+	"archived" boolean DEFAULT false NOT NULL,
+	"updated_at" timestamp with time zone,
+	"updated_by" uuid
+);
+--> statement-breakpoint
+ALTER TABLE "outgoingsepamandates" ADD CONSTRAINT "outgoingsepamandates_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "outgoingsepamandates" ADD CONSTRAINT "outgoingsepamandates_customer_customers_id_fk" FOREIGN KEY ("customer") REFERENCES "public"."customers"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "outgoingsepamandates" ADD CONSTRAINT "outgoingsepamandates_bankaccount_entitybankaccounts_id_fk" FOREIGN KEY ("bankaccount") REFERENCES "public"."entitybankaccounts"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "outgoingsepamandates" ADD CONSTRAINT "outgoingsepamandates_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "contracts" ADD COLUMN "outgoingsepamandate" bigint;
+--> statement-breakpoint
+ALTER TABLE "contracts" ADD CONSTRAINT "contracts_outgoingsepamandate_outgoingsepamandates_id_fk" FOREIGN KEY ("outgoingsepamandate") REFERENCES "public"."outgoingsepamandates"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "createddocuments" ADD COLUMN "outgoingsepamandate" bigint;
+--> statement-breakpoint
+ALTER TABLE "createddocuments" ADD CONSTRAINT "createddocuments_outgoingsepamandate_outgoingsepamandates_id_fk" FOREIGN KEY ("outgoingsepamandate") REFERENCES "public"."outgoingsepamandates"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "historyitems" ADD COLUMN "outgoingsepamandate" bigint;
+--> statement-breakpoint
+ALTER TABLE "historyitems" ADD CONSTRAINT "historyitems_outgoingsepamandate_outgoingsepamandates_id_fk" FOREIGN KEY ("outgoingsepamandate") REFERENCES "public"."outgoingsepamandates"("id") ON DELETE cascade ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "tenants" ALTER COLUMN "numberRanges" SET DEFAULT '{"vendors":{"prefix":"","suffix":"","nextNumber":10000},"customers":{"prefix":"","suffix":"","nextNumber":10000},"products":{"prefix":"AT-","suffix":"","nextNumber":1000},"quotes":{"prefix":"AN-","suffix":"","nextNumber":1000},"costEstimates":{"prefix":"KS-","suffix":"","nextNumber":1000},"confirmationOrders":{"prefix":"AB-","suffix":"","nextNumber":1000},"invoices":{"prefix":"RE-","suffix":"","nextNumber":1000},"deliveryNotes":{"prefix":"LS-","suffix":"","nextNumber":1000},"packingSlips":{"prefix":"PS-","suffix":"","nextNumber":1000},"spaces":{"prefix":"LP-","suffix":"","nextNumber":1000},"customerspaces":{"prefix":"KLP-","suffix":"","nextNumber":1000},"inventoryitems":{"prefix":"IA-","suffix":"","nextNumber":1000},"customerinventoryitems":{"prefix":"KIA-","suffix":"","nextNumber":1000},"projects":{"prefix":"PRJ-","suffix":"","nextNumber":1000},"costcentres":{"prefix":"KST-","suffix":"","nextNumber":1000},"outgoingsepamandates":{"prefix":"SEPA-","suffix":"","nextNumber":1000}}'::jsonb;
+--> statement-breakpoint
+UPDATE "tenants"
+SET "numberRanges" = COALESCE("numberRanges", '{}'::jsonb) || jsonb_build_object(
+    'outgoingsepamandates',
+    COALESCE("numberRanges"->'outgoingsepamandates', '{"prefix":"SEPA-","suffix":"","nextNumber":1000}'::jsonb)
+);
+--> statement-breakpoint
+UPDATE "tenants"
+SET "features" = COALESCE("features", '{}'::jsonb) || jsonb_build_object(
+    'outgoingsepamandates',
+    COALESCE("features"->'outgoingsepamandates', 'true'::jsonb)
+);

backend/db/migrations/0038_communication_rooms.sql

@@ -0,0 +1,43 @@
+CREATE TABLE "communication_rooms" (
+    "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+    "tenant_id" bigint NOT NULL,
+    "key" text NOT NULL,
+    "name" text NOT NULL,
+    "topic" text,
+    "type" text DEFAULT 'room' NOT NULL,
+    "entity_type" text,
+    "entity_id" bigint,
+    "entity_uuid" uuid,
+    "matrix_room_id" text,
+    "matrix_alias" text,
+    "parent_space_room_id" text,
+    "archived" boolean DEFAULT false NOT NULL,
+    "created_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "updated_at" timestamp with time zone,
+    "created_by" uuid,
+    "updated_by" uuid
+);
+
+ALTER TABLE "communication_rooms"
+    ADD CONSTRAINT "communication_rooms_tenant_id_tenants_id_fk"
+    FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id")
+    ON DELETE cascade ON UPDATE no action;
+
+ALTER TABLE "communication_rooms"
+    ADD CONSTRAINT "communication_rooms_created_by_auth_users_id_fk"
+    FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id")
+    ON DELETE no action ON UPDATE no action;
+
+ALTER TABLE "communication_rooms"
+    ADD CONSTRAINT "communication_rooms_updated_by_auth_users_id_fk"
+    FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id")
+    ON DELETE no action ON UPDATE no action;
+
+CREATE UNIQUE INDEX "communication_rooms_tenant_key_idx"
+    ON "communication_rooms" USING btree ("tenant_id", "key");
+
+CREATE INDEX "communication_rooms_tenant_idx"
+    ON "communication_rooms" USING btree ("tenant_id");
+
+CREATE INDEX "communication_rooms_entity_idx"
+    ON "communication_rooms" USING btree ("tenant_id", "entity_type", "entity_id", "entity_uuid");

backend/db/migrations/0038_events_state.sql

@@ -0,0 +1,5 @@
+ALTER TABLE "events" ADD COLUMN "state" text DEFAULT 'Final' NOT NULL;
+
+UPDATE "events"
+SET "state" = 'Final'
+WHERE "state" IS NULL;

backend/db/migrations/0039_events_repeat_interval.sql

@@ -0,0 +1 @@
+ALTER TABLE "events" ADD COLUMN "repeatInterval" text DEFAULT 'Keine Wiederholung' NOT NULL;

backend/db/migrations/0039_notification_push_subscriptions.sql

@@ -0,0 +1,46 @@
+CREATE TABLE "notification_push_subscriptions" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"tenant_id" bigint NOT NULL,
+	"user_id" uuid NOT NULL,
+	"endpoint" text NOT NULL,
+	"p256dh" text NOT NULL,
+	"auth" text NOT NULL,
+	"user_agent" text,
+	"device_label" text,
+	"meta" jsonb,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"last_seen_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"disabled_at" timestamp with time zone,
+	CONSTRAINT "notification_push_subscriptions_endpoint_key" UNIQUE("endpoint")
+);
+
+ALTER TABLE "notification_push_subscriptions"
+	ADD CONSTRAINT "notification_push_subscriptions_tenant_id_tenants_id_fk"
+	FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id")
+	ON DELETE cascade ON UPDATE cascade;
+
+ALTER TABLE "notification_push_subscriptions"
+	ADD CONSTRAINT "notification_push_subscriptions_user_id_auth_users_id_fk"
+	FOREIGN KEY ("user_id") REFERENCES "public"."auth_users"("id")
+	ON DELETE cascade ON UPDATE cascade;
+
+INSERT INTO "notifications_event_types" (
+	"event_key",
+	"display_name",
+	"description",
+	"category",
+	"severity",
+	"allowed_channels"
+) VALUES
+	('system.test_push', 'Test-Push', 'Testet Desktop-Benachrichtigungen für den angemeldeten Nutzer.', 'system', 'info', '["inapp", "push"]'::jsonb),
+	('communication.message.new', 'Neue Chatnachricht', 'Benachrichtigt über relevante neue Chatnachrichten.', 'communication', 'info', '["inapp", "push"]'::jsonb),
+	('communication.call.started', 'Besprechung gestartet', 'Benachrichtigt Raumteilnehmer über gestartete Audio- oder Videoanrufe.', 'communication', 'info', '["inapp", "push"]'::jsonb),
+	('communication.call.missed', 'Verpasster Anruf', 'Benachrichtigt über verpasste Besprechungen.', 'communication', 'warning', '["inapp", "push"]'::jsonb),
+	('communication.room.invited', 'Raumeinladung', 'Benachrichtigt über Einladungen in Kommunikationsräume.', 'communication', 'info', '["inapp", "push"]'::jsonb)
+ON CONFLICT ("event_key") DO UPDATE SET
+	"display_name" = EXCLUDED."display_name",
+	"description" = EXCLUDED."description",
+	"category" = EXCLUDED."category",
+	"severity" = EXCLUDED."severity",
+	"allowed_channels" = EXCLUDED."allowed_channels",
+	"is_active" = true;

backend/db/migrations/0040_filetag_system_types.sql

@@ -0,0 +1,6 @@
+ALTER TABLE "filetags" ADD COLUMN "isSystemUsed" boolean DEFAULT false NOT NULL;
+
+UPDATE "filetags"
+SET "isSystemUsed" = true
+WHERE COALESCE("createddocumenttype", '') <> ''
+   OR COALESCE("incomingDocumentType", '') <> '';

backend/db/migrations/0041_profile_calendar_subscription.sql

@@ -0,0 +1,2 @@
+ALTER TABLE "auth_profiles"
+ADD COLUMN "calendar_subscription_token" text;

backend/db/migrations/0042_profile_availability_note.sql

@@ -0,0 +1,2 @@
+ALTER TABLE "auth_profiles"
+ADD COLUMN IF NOT EXISTS "availability_note" text;

backend/db/migrations/0043_communication_rooms.sql

@@ -0,0 +1,58 @@
+CREATE TABLE IF NOT EXISTS "communication_rooms" (
+    "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+    "tenant_id" bigint NOT NULL,
+    "key" text NOT NULL,
+    "name" text NOT NULL,
+    "topic" text,
+    "type" text DEFAULT 'room' NOT NULL,
+    "entity_type" text,
+    "entity_id" bigint,
+    "entity_uuid" uuid,
+    "matrix_room_id" text,
+    "matrix_alias" text,
+    "parent_space_room_id" text,
+    "archived" boolean DEFAULT false NOT NULL,
+    "created_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "updated_at" timestamp with time zone,
+    "created_by" uuid,
+    "updated_by" uuid
+);
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'communication_rooms_tenant_id_tenants_id_fk'
+    ) THEN
+        ALTER TABLE "communication_rooms"
+            ADD CONSTRAINT "communication_rooms_tenant_id_tenants_id_fk"
+            FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id")
+            ON DELETE cascade ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'communication_rooms_created_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "communication_rooms"
+            ADD CONSTRAINT "communication_rooms_created_by_auth_users_id_fk"
+            FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'communication_rooms_updated_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "communication_rooms"
+            ADD CONSTRAINT "communication_rooms_updated_by_auth_users_id_fk"
+            FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+END $$;
+
+CREATE UNIQUE INDEX IF NOT EXISTS "communication_rooms_tenant_key_idx"
+    ON "communication_rooms" USING btree ("tenant_id", "key");
+
+CREATE INDEX IF NOT EXISTS "communication_rooms_tenant_idx"
+    ON "communication_rooms" USING btree ("tenant_id");
+
+CREATE INDEX IF NOT EXISTS "communication_rooms_entity_idx"
+    ON "communication_rooms" USING btree ("tenant_id", "entity_type", "entity_id", "entity_uuid");

backend/db/migrations/0044_telephony_calls.sql

@@ -0,0 +1,57 @@
+CREATE TABLE IF NOT EXISTS "telephony_calls" (
+    "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+    "tenant_id" bigint NOT NULL,
+    "direction" text NOT NULL,
+    "status" text DEFAULT 'ringing' NOT NULL,
+    "local_extension" text,
+    "remote_number" text,
+    "remote_display_name" text,
+    "sip_call_id" text,
+    "started_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "answered_at" timestamp with time zone,
+    "ended_at" timestamp with time zone,
+    "duration_seconds" integer,
+    "created_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "updated_at" timestamp with time zone,
+    "created_by" uuid,
+    "updated_by" uuid
+);
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_calls_tenant_id_tenants_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_calls"
+            ADD CONSTRAINT "telephony_calls_tenant_id_tenants_id_fk"
+            FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id")
+            ON DELETE cascade ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_calls_created_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_calls"
+            ADD CONSTRAINT "telephony_calls_created_by_auth_users_id_fk"
+            FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_calls_updated_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_calls"
+            ADD CONSTRAINT "telephony_calls_updated_by_auth_users_id_fk"
+            FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+END $$;
+
+CREATE INDEX IF NOT EXISTS "telephony_calls_tenant_started_idx"
+    ON "telephony_calls" USING btree ("tenant_id", "started_at");
+
+CREATE INDEX IF NOT EXISTS "telephony_calls_created_by_idx"
+    ON "telephony_calls" USING btree ("tenant_id", "created_by");
+
+CREATE INDEX IF NOT EXISTS "telephony_calls_sip_call_idx"
+    ON "telephony_calls" USING btree ("tenant_id", "sip_call_id");

backend/db/migrations/0045_telephony_trunks.sql

@@ -0,0 +1,50 @@
+CREATE TABLE IF NOT EXISTS "telephony_trunks" (
+    "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+    "tenant_id" bigint NOT NULL,
+    "provider" text DEFAULT 'telekom' NOT NULL,
+    "enabled" boolean DEFAULT false NOT NULL,
+    "registrar" text DEFAULT 'tel.t-online.de' NOT NULL,
+    "sip_user" text,
+    "auth_user" text,
+    "password" text,
+    "caller_id" text,
+    "inbound_extension" text DEFAULT '1001' NOT NULL,
+    "outbound_prefix" text DEFAULT '0' NOT NULL,
+    "created_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "updated_at" timestamp with time zone,
+    "created_by" uuid,
+    "updated_by" uuid
+);
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_trunks_tenant_id_tenants_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_trunks"
+            ADD CONSTRAINT "telephony_trunks_tenant_id_tenants_id_fk"
+            FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id")
+            ON DELETE cascade ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_trunks_created_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_trunks"
+            ADD CONSTRAINT "telephony_trunks_created_by_auth_users_id_fk"
+            FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_trunks_updated_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_trunks"
+            ADD CONSTRAINT "telephony_trunks_updated_by_auth_users_id_fk"
+            FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+END $$;
+
+CREATE UNIQUE INDEX IF NOT EXISTS "telephony_trunks_tenant_provider_idx"
+    ON "telephony_trunks" USING btree ("tenant_id", "provider");

backend/db/migrations/0046_telephony_trunk_nat.sql

@@ -0,0 +1,3 @@
+ALTER TABLE "telephony_trunks" ADD COLUMN IF NOT EXISTS "external_signaling_address" text;
+ALTER TABLE "telephony_trunks" ADD COLUMN IF NOT EXISTS "external_media_address" text;
+ALTER TABLE "telephony_trunks" ADD COLUMN IF NOT EXISTS "local_networks" text;

backend/db/migrations/0047_telephony_extensions.sql

@@ -0,0 +1,92 @@
+CREATE TABLE IF NOT EXISTS "telephony_extensions" (
+    "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+    "tenant_id" bigint NOT NULL,
+    "target_type" text NOT NULL,
+    "target_user_id" uuid,
+    "target_team_id" bigint,
+    "target_branch_id" bigint,
+    "extension" text NOT NULL,
+    "display_name" text,
+    "sip_username" text,
+    "sip_password" text,
+    "enabled" boolean DEFAULT true NOT NULL,
+    "created_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "updated_at" timestamp with time zone,
+    "created_by" uuid,
+    "updated_by" uuid
+);
+
+ALTER TABLE "telephony_trunks"
+    ADD COLUMN IF NOT EXISTS "default_route_extension_id" uuid;
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_extensions_tenant_id_tenants_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_extensions"
+            ADD CONSTRAINT "telephony_extensions_tenant_id_tenants_id_fk"
+            FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id")
+            ON DELETE cascade ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_extensions_target_user_id_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_extensions"
+            ADD CONSTRAINT "telephony_extensions_target_user_id_auth_users_id_fk"
+            FOREIGN KEY ("target_user_id") REFERENCES "public"."auth_users"("id")
+            ON DELETE cascade ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_extensions_target_team_id_teams_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_extensions"
+            ADD CONSTRAINT "telephony_extensions_target_team_id_teams_id_fk"
+            FOREIGN KEY ("target_team_id") REFERENCES "public"."teams"("id")
+            ON DELETE cascade ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_extensions_target_branch_id_branches_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_extensions"
+            ADD CONSTRAINT "telephony_extensions_target_branch_id_branches_id_fk"
+            FOREIGN KEY ("target_branch_id") REFERENCES "public"."branches"("id")
+            ON DELETE cascade ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_extensions_created_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_extensions"
+            ADD CONSTRAINT "telephony_extensions_created_by_auth_users_id_fk"
+            FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_extensions_updated_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_extensions"
+            ADD CONSTRAINT "telephony_extensions_updated_by_auth_users_id_fk"
+            FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_trunks_default_route_extension_id_telephony_extensions_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_trunks"
+            ADD CONSTRAINT "telephony_trunks_default_route_extension_id_telephony_extensions_id_fk"
+            FOREIGN KEY ("default_route_extension_id") REFERENCES "public"."telephony_extensions"("id")
+            ON DELETE set null ON UPDATE no action;
+    END IF;
+END $$;
+
+CREATE UNIQUE INDEX IF NOT EXISTS "telephony_extensions_tenant_extension_idx"
+    ON "telephony_extensions" USING btree ("tenant_id", "extension");
+
+CREATE INDEX IF NOT EXISTS "telephony_extensions_tenant_target_idx"
+    ON "telephony_extensions" USING btree ("tenant_id", "target_type");

backend/db/migrations/0048_mobile_push_devices.sql

@@ -0,0 +1,19 @@
+CREATE TABLE "notification_mobile_push_devices" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"tenant_id" bigint NOT NULL,
+	"user_id" uuid NOT NULL,
+	"local_device_id" text NOT NULL,
+	"central_device_id" text NOT NULL,
+	"platform" text NOT NULL,
+	"provider_token_preview" text,
+	"device_label" text,
+	"meta" jsonb,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"last_seen_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"disabled_at" timestamp with time zone
+);
+--> statement-breakpoint
+ALTER TABLE "notification_mobile_push_devices" ADD CONSTRAINT "notification_mobile_push_devices_tenant_id_tenants_id_fk" FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "notification_mobile_push_devices" ADD CONSTRAINT "notification_mobile_push_devices_user_id_auth_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."auth_users"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+CREATE UNIQUE INDEX "notification_mobile_push_devices_user_device_key" ON "notification_mobile_push_devices" USING btree ("tenant_id","user_id","local_device_id");--> statement-breakpoint
+CREATE UNIQUE INDEX "notification_mobile_push_devices_central_device_key" ON "notification_mobile_push_devices" USING btree ("central_device_id");

backend/db/migrations/0049_email_cache.sql

@@ -0,0 +1,106 @@
+CREATE TABLE "email_mailboxes" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"tenant_id" bigint NOT NULL,
+	"user_id" uuid NOT NULL,
+	"account_id" uuid NOT NULL,
+	"path" text NOT NULL,
+	"delimiter" text,
+	"name" text NOT NULL,
+	"special_use" text,
+	"flags" jsonb,
+	"exists" integer DEFAULT 0 NOT NULL,
+	"unseen" integer DEFAULT 0 NOT NULL,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone
+);
+--> statement-breakpoint
+CREATE TABLE "email_messages" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"tenant_id" bigint NOT NULL,
+	"user_id" uuid NOT NULL,
+	"account_id" uuid NOT NULL,
+	"mailbox_id" uuid NOT NULL,
+	"mailbox_path" text NOT NULL,
+	"uid" bigint NOT NULL,
+	"email_id" text,
+	"message_id" text,
+	"in_reply_to" text,
+	"thread_id" text,
+	"subject" text,
+	"from" jsonb,
+	"to" jsonb,
+	"cc" jsonb,
+	"bcc" jsonb,
+	"reply_to" jsonb,
+	"preview" text,
+	"flags" jsonb,
+	"seen" boolean DEFAULT false NOT NULL,
+	"flagged" boolean DEFAULT false NOT NULL,
+	"has_attachments" boolean DEFAULT false NOT NULL,
+	"size" bigint,
+	"sent_at" timestamp with time zone,
+	"received_at" timestamp with time zone,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone
+);
+--> statement-breakpoint
+CREATE TABLE "email_message_bodies" (
+	"message_id" uuid PRIMARY KEY NOT NULL,
+	"text" text,
+	"html" text,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone
+);
+--> statement-breakpoint
+CREATE TABLE "email_attachments" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"message_id" uuid NOT NULL,
+	"filename" text,
+	"content_type" text,
+	"content_id" text,
+	"disposition" text,
+	"size" bigint,
+	"checksum" text,
+	"storage_key" text,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE "email_sync_state" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"tenant_id" bigint NOT NULL,
+	"user_id" uuid NOT NULL,
+	"account_id" uuid NOT NULL,
+	"mailbox_id" uuid NOT NULL,
+	"mailbox_path" text NOT NULL,
+	"uid_validity" bigint,
+	"highest_uid" bigint DEFAULT 0 NOT NULL,
+	"mod_seq" text,
+	"last_synced_at" timestamp with time zone,
+	"sync_error" text,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone
+);
+--> statement-breakpoint
+ALTER TABLE "email_mailboxes" ADD CONSTRAINT "email_mailboxes_tenant_id_tenants_id_fk" FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_mailboxes" ADD CONSTRAINT "email_mailboxes_user_id_auth_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."auth_users"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_mailboxes" ADD CONSTRAINT "email_mailboxes_account_id_user_credentials_id_fk" FOREIGN KEY ("account_id") REFERENCES "public"."user_credentials"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_messages" ADD CONSTRAINT "email_messages_tenant_id_tenants_id_fk" FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_messages" ADD CONSTRAINT "email_messages_user_id_auth_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."auth_users"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_messages" ADD CONSTRAINT "email_messages_account_id_user_credentials_id_fk" FOREIGN KEY ("account_id") REFERENCES "public"."user_credentials"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_messages" ADD CONSTRAINT "email_messages_mailbox_id_email_mailboxes_id_fk" FOREIGN KEY ("mailbox_id") REFERENCES "public"."email_mailboxes"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_message_bodies" ADD CONSTRAINT "email_message_bodies_message_id_email_messages_id_fk" FOREIGN KEY ("message_id") REFERENCES "public"."email_messages"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_attachments" ADD CONSTRAINT "email_attachments_message_id_email_messages_id_fk" FOREIGN KEY ("message_id") REFERENCES "public"."email_messages"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_sync_state" ADD CONSTRAINT "email_sync_state_tenant_id_tenants_id_fk" FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_sync_state" ADD CONSTRAINT "email_sync_state_user_id_auth_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."auth_users"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_sync_state" ADD CONSTRAINT "email_sync_state_account_id_user_credentials_id_fk" FOREIGN KEY ("account_id") REFERENCES "public"."user_credentials"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_sync_state" ADD CONSTRAINT "email_sync_state_mailbox_id_email_mailboxes_id_fk" FOREIGN KEY ("mailbox_id") REFERENCES "public"."email_mailboxes"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+CREATE UNIQUE INDEX "email_mailboxes_account_path_key" ON "email_mailboxes" USING btree ("account_id","path");--> statement-breakpoint
+CREATE INDEX "email_mailboxes_tenant_account_idx" ON "email_mailboxes" USING btree ("tenant_id","account_id");--> statement-breakpoint
+CREATE UNIQUE INDEX "email_messages_mailbox_uid_key" ON "email_messages" USING btree ("mailbox_id","uid");--> statement-breakpoint
+CREATE INDEX "email_messages_account_mailbox_idx" ON "email_messages" USING btree ("account_id","mailbox_path");--> statement-breakpoint
+CREATE INDEX "email_messages_received_idx" ON "email_messages" USING btree ("received_at");--> statement-breakpoint
+CREATE INDEX "email_messages_message_id_idx" ON "email_messages" USING btree ("message_id");--> statement-breakpoint
+CREATE INDEX "email_messages_thread_idx" ON "email_messages" USING btree ("thread_id");--> statement-breakpoint
+CREATE INDEX "email_attachments_message_idx" ON "email_attachments" USING btree ("message_id");--> statement-breakpoint
+CREATE UNIQUE INDEX "email_sync_state_mailbox_key" ON "email_sync_state" USING btree ("account_id","mailbox_path");--> statement-breakpoint
+CREATE INDEX "email_sync_state_tenant_account_idx" ON "email_sync_state" USING btree ("tenant_id","account_id");

backend/db/migrations/0050_outgoing_document_costcentres.sql

@@ -0,0 +1,7 @@
+ALTER TABLE "createddocuments" ADD COLUMN "costcentre" uuid;
+--> statement-breakpoint
+ALTER TABLE "services" ADD COLUMN "costcentre" uuid;
+--> statement-breakpoint
+ALTER TABLE "createddocuments" ADD CONSTRAINT "createddocuments_costcentre_costcentres_id_fk" FOREIGN KEY ("costcentre") REFERENCES "public"."costcentres"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "services" ADD CONSTRAINT "services_costcentre_costcentres_id_fk" FOREIGN KEY ("costcentre") REFERENCES "public"."costcentres"("id") ON DELETE no action ON UPDATE no action;

backend/db/migrations/0051_instance_scan_agents.sql

@@ -0,0 +1,43 @@
+CREATE TABLE "instance_agents" (
+    "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+    "created_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "updated_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "name" text NOT NULL,
+    "description" text,
+    "token_prefix" text NOT NULL,
+    "token_hash" text NOT NULL,
+    "active" boolean DEFAULT true NOT NULL,
+    "capabilities" jsonb DEFAULT '{"scan":true,"print":false}'::jsonb NOT NULL,
+    "scanner_names" jsonb DEFAULT '[]'::jsonb NOT NULL,
+    "printer_names" jsonb DEFAULT '[]'::jsonb NOT NULL,
+    "last_seen_at" timestamp with time zone,
+    "last_debug_info" jsonb,
+    CONSTRAINT "instance_agents_token_hash_unique" UNIQUE("token_hash")
+);
+--> statement-breakpoint
+CREATE TABLE "instance_agent_scan_jobs" (
+    "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+    "created_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "updated_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "tenant_id" bigint NOT NULL,
+    "agent_id" uuid NOT NULL,
+    "requested_by" uuid,
+    "status" text DEFAULT 'pending' NOT NULL,
+    "scanner_name" text,
+    "requested_filename" text,
+    "settings" jsonb DEFAULT '{}'::jsonb NOT NULL,
+    "target" jsonb DEFAULT '{}'::jsonb NOT NULL,
+    "agent_message" text,
+    "attempts" integer DEFAULT 0 NOT NULL,
+    "claimed_at" timestamp with time zone,
+    "finished_at" timestamp with time zone,
+    "file_id" uuid,
+    CONSTRAINT "instance_agent_scan_jobs_tenant_id_tenants_id_fk" FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id") ON DELETE cascade ON UPDATE cascade,
+    CONSTRAINT "instance_agent_scan_jobs_agent_id_instance_agents_id_fk" FOREIGN KEY ("agent_id") REFERENCES "public"."instance_agents"("id") ON DELETE cascade ON UPDATE cascade,
+    CONSTRAINT "instance_agent_scan_jobs_requested_by_auth_users_id_fk" FOREIGN KEY ("requested_by") REFERENCES "public"."auth_users"("id") ON DELETE set null ON UPDATE cascade,
+    CONSTRAINT "instance_agent_scan_jobs_file_id_files_id_fk" FOREIGN KEY ("file_id") REFERENCES "public"."files"("id") ON DELETE set null ON UPDATE cascade
+);
+--> statement-breakpoint
+CREATE INDEX "instance_agent_scan_jobs_agent_status_idx" ON "instance_agent_scan_jobs" USING btree ("agent_id","status","created_at");
+--> statement-breakpoint
+CREATE INDEX "instance_agent_scan_jobs_tenant_idx" ON "instance_agent_scan_jobs" USING btree ("tenant_id","created_at");

backend/db/migrations/0052_instance_agent_scan_defaults.sql

@@ -0,0 +1,3 @@
+ALTER TABLE "instance_agents" ADD COLUMN "preferred_scanner_name" text;
+--> statement-breakpoint
+ALTER TABLE "instance_agents" ADD COLUMN "scan_defaults" jsonb DEFAULT '{"format":"pdf","resolution":300,"mode":"Color","source":null}'::jsonb NOT NULL;

backend/db/migrations/0053_instance_agent_postprocess_defaults.sql

@@ -0,0 +1 @@
+ALTER TABLE "instance_agents" ALTER COLUMN "scan_defaults" SET DEFAULT '{"format":"pdf","resolution":300,"mode":"Color","source":null,"postprocess":false,"postprocessProfile":"document"}'::jsonb;

backend/db/migrations/meta/_journal.json

@@ -243,16 +243,121 @@
     {
       "idx": 34,
       "version": "7",
-      "when": 1778191200000,
-      "tag": "0035_contract_history",
+      "when": 1777420800000,
+      "tag": "0034_events_color",
       "breakpoints": true
     },
     {
       "idx": 35,
       "version": "7",
+      "when": 1778191200000,
+      "tag": "0035_contract_history",
+      "breakpoints": true
+    },
+    {
+      "idx": 36,
+      "version": "7",
       "when": 1778194800000,
       "tag": "0036_allowed_contracttypes",
       "breakpoints": true
+    },
+    {
+      "idx": 37,
+      "version": "7",
+      "when": 1778840100000,
+      "tag": "0037_outgoing_sepa_mandates",
+      "breakpoints": true
+    },
+    {
+      "idx": 38,
+      "version": "7",
+      "when": 1779158400000,
+      "tag": "0038_events_state",
+      "breakpoints": true
+    },
+    {
+      "idx": 39,
+      "version": "7",
+      "when": 1779840000000,
+      "tag": "0039_events_repeat_interval",
+      "breakpoints": true
+    },
+    {
+      "idx": 40,
+      "version": "7",
+      "when": 1779141600000,
+      "tag": "0040_filetag_system_types",
+      "breakpoints": true
+    },
+    {
+      "idx": 41,
+      "version": "7",
+      "when": 1780149600000,
+      "tag": "0041_profile_calendar_subscription",
+      "breakpoints": true
+    },
+    {
+      "idx": 42,
+      "version": "7",
+      "when": 1780153200000,
+      "tag": "0042_profile_availability_note",
+      "breakpoints": true
+    },
+    {
+      "idx": 43,
+      "version": "7",
+      "when": 1780156800000,
+      "tag": "0043_communication_rooms",
+      "breakpoints": true
+    },
+    {
+      "idx": 44,
+      "version": "7",
+      "when": 1780160400000,
+      "tag": "0044_telephony_calls",
+      "breakpoints": true
+    },
+    {
+      "idx": 45,
+      "version": "7",
+      "when": 1780164000000,
+      "tag": "0045_telephony_trunks",
+      "breakpoints": true
+    },
+    {
+      "idx": 46,
+      "version": "7",
+      "when": 1780167600000,
+      "tag": "0046_telephony_trunk_nat",
+      "breakpoints": true
+    },
+    {
+      "idx": 47,
+      "version": "7",
+      "when": 1780171200000,
+      "tag": "0047_telephony_extensions",
+      "breakpoints": true
+    },
+    {
+      "idx": 48,
+      "version": "7",
+      "when": 1780174800000,
+      "tag": "0048_mobile_push_devices",
+      "breakpoints": true
+    },
+    {
+      "idx": 49,
+      "version": "7",
+      "when": 1780178400000,
+      "tag": "0049_email_cache",
+      "breakpoints": true
+    },
+    {
+      "idx": 50,
+      "version": "7",
+      "when": 1780261200000,
+      "tag": "0050_outgoing_document_costcentres",
+      "breakpoints": true
     }
   ]
 }

backend/db/schema/auth_profiles.ts

@@ -63,6 +63,7 @@ export const authProfiles = pgTable("auth_profiles", {
 
     email: text("email"),
     token_id: text("token_id"),
+    calendar_subscription_token: text("calendar_subscription_token"),
 
     weekly_working_days: doublePrecision("weekly_working_days"),
 

backend/db/schema/communication_rooms.ts

@@ -0,0 +1,57 @@
+import {
+    pgTable,
+    uuid,
+    bigint,
+    text,
+    timestamp,
+    boolean,
+    uniqueIndex,
+    index,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+
+export const communicationRooms = pgTable(
+    "communication_rooms",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade" }),
+
+        key: text("key").notNull(),
+        name: text("name").notNull(),
+        topic: text("topic"),
+        type: text("type").notNull().default("room"),
+
+        entityType: text("entity_type"),
+        entityId: bigint("entity_id", { mode: "number" }),
+        entityUuid: uuid("entity_uuid"),
+
+        matrixRoomId: text("matrix_room_id"),
+        matrixAlias: text("matrix_alias"),
+        parentSpaceRoomId: text("parent_space_room_id"),
+
+        archived: boolean("archived").notNull().default(false),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        updatedAt: timestamp("updated_at", { withTimezone: true }),
+        createdBy: uuid("created_by").references(() => authUsers.id),
+        updatedBy: uuid("updated_by").references(() => authUsers.id),
+    },
+    (table) => ({
+        tenantKeyIdx: uniqueIndex("communication_rooms_tenant_key_idx")
+            .on(table.tenantId, table.key),
+        tenantIdx: index("communication_rooms_tenant_idx")
+            .on(table.tenantId),
+        entityIdx: index("communication_rooms_entity_idx")
+            .on(table.tenantId, table.entityType, table.entityId, table.entityUuid),
+    })
+)
+
+export type CommunicationRoom = typeof communicationRooms.$inferSelect
+export type NewCommunicationRoom = typeof communicationRooms.$inferInsert

backend/db/schema/contracts.ts

@@ -13,6 +13,7 @@ import { customers } from "./customers"
 import { contacts } from "./contacts"
 import { contracttypes } from "./contracttypes"
 import { authUsers } from "./auth_users"
+import { outgoingsepamandates } from "./outgoingsepamandates"
 
 export const contracts = pgTable(
     "contracts",
@@ -60,6 +61,9 @@ export const contracts = pgTable(
         bankingOwner: text("bankingOwner"),
         sepaRef: text("sepaRef"),
         sepaDate: timestamp("sepaDate", { withTimezone: true }),
+        outgoingsepamandate: bigint("outgoingsepamandate", { mode: "number" }).references(
+            () => outgoingsepamandates.id
+        ),
 
         paymentType: text("paymentType"),
         billingInterval: text("billingInterval"),

backend/db/schema/createddocuments.ts

@@ -19,6 +19,8 @@ import { projects } from "./projects"
 import { plants } from "./plants"
 import { authUsers } from "./auth_users"
 import {serialExecutions} from "./serialexecutions";
+import { outgoingsepamandates } from "./outgoingsepamandates"
+import { costcentres } from "./costcentres"
 
 export const createddocuments = pgTable("createddocuments", {
     id: bigint("id", { mode: "number" })
@@ -48,6 +50,8 @@ export const createddocuments = pgTable("createddocuments", {
         () => projects.id
     ),
 
+    costcentre: uuid("costcentre").references(() => costcentres.id),
+
     documentNumber: text("documentNumber"),
     documentDate: text("documentDate"),
 
@@ -118,6 +122,10 @@ export const createddocuments = pgTable("createddocuments", {
         () => contracts.id
     ),
 
+    outgoingsepamandate: bigint("outgoingsepamandate", { mode: "number" }).references(
+        () => outgoingsepamandates.id
+    ),
+
     serialexecution: uuid("serialexecution").references(() => serialExecutions.id)
 })
 

backend/db/schema/emails.ts

@@ -0,0 +1,208 @@
+import {
+    bigint,
+    boolean,
+    index,
+    integer,
+    jsonb,
+    pgTable,
+    text,
+    timestamp,
+    uniqueIndex,
+    uuid,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+import { userCredentials } from "./user_credentials"
+
+export const emailMailboxes = pgTable(
+    "email_mailboxes",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        userId: uuid("user_id")
+            .notNull()
+            .references(() => authUsers.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        accountId: uuid("account_id")
+            .notNull()
+            .references(() => userCredentials.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        path: text("path").notNull(),
+        delimiter: text("delimiter"),
+        name: text("name").notNull(),
+        specialUse: text("special_use"),
+        flags: jsonb("flags").$type<string[]>(),
+        exists: integer("exists").notNull().default(0),
+        unseen: integer("unseen").notNull().default(0),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        updatedAt: timestamp("updated_at", { withTimezone: true }),
+    },
+    (table) => ({
+        accountPathKey: uniqueIndex("email_mailboxes_account_path_key")
+            .on(table.accountId, table.path),
+        tenantAccountIdx: index("email_mailboxes_tenant_account_idx")
+            .on(table.tenantId, table.accountId),
+    }),
+)
+
+export const emailMessages = pgTable(
+    "email_messages",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        userId: uuid("user_id")
+            .notNull()
+            .references(() => authUsers.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        accountId: uuid("account_id")
+            .notNull()
+            .references(() => userCredentials.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        mailboxId: uuid("mailbox_id")
+            .notNull()
+            .references(() => emailMailboxes.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        mailboxPath: text("mailbox_path").notNull(),
+        uid: bigint("uid", { mode: "number" }).notNull(),
+        emailId: text("email_id"),
+        messageId: text("message_id"),
+        inReplyTo: text("in_reply_to"),
+        threadId: text("thread_id"),
+        subject: text("subject"),
+        from: jsonb("from").$type<Array<{ name?: string | null; address?: string | null }>>(),
+        to: jsonb("to").$type<Array<{ name?: string | null; address?: string | null }>>(),
+        cc: jsonb("cc").$type<Array<{ name?: string | null; address?: string | null }>>(),
+        bcc: jsonb("bcc").$type<Array<{ name?: string | null; address?: string | null }>>(),
+        replyTo: jsonb("reply_to").$type<Array<{ name?: string | null; address?: string | null }>>(),
+        preview: text("preview"),
+        flags: jsonb("flags").$type<string[]>(),
+        seen: boolean("seen").notNull().default(false),
+        flagged: boolean("flagged").notNull().default(false),
+        hasAttachments: boolean("has_attachments").notNull().default(false),
+        size: bigint("size", { mode: "number" }),
+        sentAt: timestamp("sent_at", { withTimezone: true }),
+        receivedAt: timestamp("received_at", { withTimezone: true }),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        updatedAt: timestamp("updated_at", { withTimezone: true }),
+    },
+    (table) => ({
+        mailboxUidKey: uniqueIndex("email_messages_mailbox_uid_key")
+            .on(table.mailboxId, table.uid),
+        accountMailboxIdx: index("email_messages_account_mailbox_idx")
+            .on(table.accountId, table.mailboxPath),
+        receivedIdx: index("email_messages_received_idx")
+            .on(table.receivedAt),
+        messageIdIdx: index("email_messages_message_id_idx")
+            .on(table.messageId),
+        threadIdx: index("email_messages_thread_idx")
+            .on(table.threadId),
+    }),
+)
+
+export const emailMessageBodies = pgTable("email_message_bodies", {
+    messageId: uuid("message_id")
+        .primaryKey()
+        .references(() => emailMessages.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+    text: text("text"),
+    html: text("html"),
+
+    createdAt: timestamp("created_at", { withTimezone: true })
+        .notNull()
+        .defaultNow(),
+    updatedAt: timestamp("updated_at", { withTimezone: true }),
+})
+
+export const emailAttachments = pgTable(
+    "email_attachments",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        messageId: uuid("message_id")
+            .notNull()
+            .references(() => emailMessages.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        filename: text("filename"),
+        contentType: text("content_type"),
+        contentId: text("content_id"),
+        disposition: text("disposition"),
+        size: bigint("size", { mode: "number" }),
+        checksum: text("checksum"),
+        storageKey: text("storage_key"),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+    },
+    (table) => ({
+        messageIdx: index("email_attachments_message_idx")
+            .on(table.messageId),
+    }),
+)
+
+export const emailSyncState = pgTable(
+    "email_sync_state",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        userId: uuid("user_id")
+            .notNull()
+            .references(() => authUsers.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        accountId: uuid("account_id")
+            .notNull()
+            .references(() => userCredentials.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        mailboxId: uuid("mailbox_id")
+            .notNull()
+            .references(() => emailMailboxes.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        mailboxPath: text("mailbox_path").notNull(),
+        uidValidity: bigint("uid_validity", { mode: "number" }),
+        highestUid: bigint("highest_uid", { mode: "number" }).notNull().default(0),
+        modSeq: text("mod_seq"),
+        lastSyncedAt: timestamp("last_synced_at", { withTimezone: true }),
+        syncError: text("sync_error"),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        updatedAt: timestamp("updated_at", { withTimezone: true }),
+    },
+    (table) => ({
+        mailboxKey: uniqueIndex("email_sync_state_mailbox_key")
+            .on(table.accountId, table.mailboxPath),
+        tenantAccountIdx: index("email_sync_state_tenant_account_idx")
+            .on(table.tenantId, table.accountId),
+    }),
+)
+
+export type EmailMailbox = typeof emailMailboxes.$inferSelect
+export type NewEmailMailbox = typeof emailMailboxes.$inferInsert
+export type EmailMessage = typeof emailMessages.$inferSelect
+export type NewEmailMessage = typeof emailMessages.$inferInsert
+export type EmailMessageBody = typeof emailMessageBodies.$inferSelect
+export type NewEmailMessageBody = typeof emailMessageBodies.$inferInsert
+export type EmailAttachment = typeof emailAttachments.$inferSelect
+export type NewEmailAttachment = typeof emailAttachments.$inferInsert
+export type EmailSyncState = typeof emailSyncState.$inferSelect
+export type NewEmailSyncState = typeof emailSyncState.$inferInsert

backend/db/schema/events.ts

@@ -32,6 +32,9 @@ export const events = pgTable(
 
         eventtype: text("eventtype").default("Umsetzung"),
         quick: boolean("quick").notNull().default(false),
+        state: text("state").notNull().default("Final"),
+        color: text("color"),
+        repeatInterval: text("repeatInterval").notNull().default("Keine Wiederholung"),
 
         project: bigint("project", { mode: "number" }), // FK follows when projects.ts exists
 

backend/db/schema/filetags.ts

@@ -26,6 +26,8 @@ export const filetags = pgTable("filetags", {
     createdDocumentType: text("createddocumenttype").default(""),
     incomingDocumentType: text("incomingDocumentType"),
 
+    isSystemUsed: boolean("isSystemUsed").notNull().default(false),
+
     archived: boolean("archived").notNull().default(false),
 })
 

backend/db/schema/historyitems.ts

@@ -36,6 +36,7 @@ import { authUsers } from "./auth_users"
 import {files} from "./files";
 import { memberrelations } from "./memberrelations";
 import { contracts } from "./contracts";
+import { outgoingsepamandates } from "./outgoingsepamandates";
 
 export const historyitems = pgTable("historyitems", {
     id: bigint("id", { mode: "number" })
@@ -114,6 +115,11 @@ export const historyitems = pgTable("historyitems", {
 
     memberrelation: bigint("memberrelation", { mode: "number" }).references(() => memberrelations.id),
 
+    outgoingsepamandate: bigint("outgoingsepamandate", { mode: "number" }).references(
+        () => outgoingsepamandates.id,
+        { onDelete: "cascade" }
+    ),
+
     config: jsonb("config"),
 
     projecttype: bigint("projecttype", { mode: "number" }).references(

backend/db/schema/index.ts

@@ -14,6 +14,7 @@ export * from "./branches"
 export * from "./checkexecutions"
 export * from "./checks"
 export * from "./citys"
+export * from "./communication_rooms"
 export * from "./contacts"
 export * from "./contracts"
 export * from "./contracttypes"
@@ -26,6 +27,7 @@ export * from "./customerspaces"
 export * from "./customerinventoryitems"
 export * from "./devices"
 export * from "./documentboxes"
+export * from "./emails"
 export * from "./enums"
 export * from "./events"
 export * from "./entitybankaccounts"
@@ -46,6 +48,8 @@ export * from "./historyitems"
 export * from "./holidays"
 export * from "./hourrates"
 export * from "./incominginvoices"
+export * from "./instance_agents"
+export * from "./instance_agent_scan_jobs"
 export * from "./inventoryitemgroups"
 export * from "./inventoryitems"
 export * from "./letterheads"
@@ -54,9 +58,12 @@ export * from "./movements"
 export * from "./m2m_api_keys"
 export * from "./notifications_event_types"
 export * from "./notifications_items"
+export * from "./notification_mobile_push_devices"
 export * from "./notifications_preferences"
 export * from "./notifications_preferences_defaults"
+export * from "./notification_push_subscriptions"
 export * from "./ownaccounts"
+export * from "./outgoingsepamandates"
 export * from "./plants"
 export * from "./productcategories"
 export * from "./products"
@@ -72,6 +79,9 @@ export * from "./statementallocations"
 export * from "./tasks"
 export * from "./teams"
 export * from "./taxtypes"
+export * from "./telephony_calls"
+export * from "./telephony_extensions"
+export * from "./telephony_trunks"
 export * from "./tenants"
 export * from "./texttemplates"
 export * from "./units"

backend/db/schema/instance_agent_scan_jobs.ts

@@ -0,0 +1,59 @@
+import {
+    pgTable,
+    uuid,
+    timestamp,
+    text,
+    bigint,
+    jsonb,
+    integer,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+import { files } from "./files"
+import { instanceAgents } from "./instance_agents"
+
+export const instanceAgentScanJobs = pgTable("instance_agent_scan_jobs", {
+    id: uuid("id").primaryKey().defaultRandom(),
+
+    createdAt: timestamp("created_at", { withTimezone: true })
+        .notNull()
+        .defaultNow(),
+
+    updatedAt: timestamp("updated_at", { withTimezone: true })
+        .notNull()
+        .defaultNow(),
+
+    tenantId: bigint("tenant_id", { mode: "number" })
+        .notNull()
+        .references(() => tenants.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+    agentId: uuid("agent_id")
+        .notNull()
+        .references(() => instanceAgents.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+    requestedBy: uuid("requested_by").references(() => authUsers.id, {
+        onDelete: "set null",
+        onUpdate: "cascade",
+    }),
+
+    status: text("status").notNull().default("pending"),
+    scannerName: text("scanner_name"),
+    requestedFilename: text("requested_filename"),
+
+    settings: jsonb("settings").notNull().default({}),
+    target: jsonb("target").notNull().default({}),
+    agentMessage: text("agent_message"),
+
+    attempts: integer("attempts").notNull().default(0),
+    claimedAt: timestamp("claimed_at", { withTimezone: true }),
+    finishedAt: timestamp("finished_at", { withTimezone: true }),
+
+    fileId: uuid("file_id").references(() => files.id, {
+        onDelete: "set null",
+        onUpdate: "cascade",
+    }),
+})
+
+export type InstanceAgentScanJob = typeof instanceAgentScanJobs.$inferSelect
+export type NewInstanceAgentScanJob = typeof instanceAgentScanJobs.$inferInsert

backend/db/schema/instance_agents.ts

@@ -0,0 +1,47 @@
+import {
+    pgTable,
+    uuid,
+    timestamp,
+    text,
+    boolean,
+    jsonb,
+} from "drizzle-orm/pg-core"
+
+export const instanceAgents = pgTable("instance_agents", {
+    id: uuid("id").primaryKey().defaultRandom(),
+
+    createdAt: timestamp("created_at", { withTimezone: true })
+        .notNull()
+        .defaultNow(),
+
+    updatedAt: timestamp("updated_at", { withTimezone: true })
+        .notNull()
+        .defaultNow(),
+
+    name: text("name").notNull(),
+    description: text("description"),
+
+    tokenPrefix: text("token_prefix").notNull(),
+    tokenHash: text("token_hash").notNull().unique(),
+
+    active: boolean("active").notNull().default(true),
+
+    capabilities: jsonb("capabilities").notNull().default({ scan: true, print: false }),
+    scannerNames: jsonb("scanner_names").notNull().default([]),
+    printerNames: jsonb("printer_names").notNull().default([]),
+    preferredScannerName: text("preferred_scanner_name"),
+    scanDefaults: jsonb("scan_defaults").notNull().default({
+        format: "pdf",
+        resolution: 300,
+        mode: "Color",
+        source: null,
+        postprocess: false,
+        postprocessProfile: "document",
+    }),
+
+    lastSeenAt: timestamp("last_seen_at", { withTimezone: true }),
+    lastDebugInfo: jsonb("last_debug_info"),
+})
+
+export type InstanceAgent = typeof instanceAgents.$inferSelect
+export type NewInstanceAgent = typeof instanceAgents.$inferInsert

backend/db/schema/notification_mobile_push_devices.ts

@@ -0,0 +1,53 @@
+import {
+    pgTable,
+    uuid,
+    bigint,
+    text,
+    jsonb,
+    timestamp,
+    uniqueIndex,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+
+export const notificationMobilePushDevices = pgTable(
+    "notification_mobile_push_devices",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        userId: uuid("user_id")
+            .notNull()
+            .references(() => authUsers.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        localDeviceId: text("local_device_id").notNull(),
+        centralDeviceId: text("central_device_id").notNull(),
+        platform: text("platform").notNull(),
+        providerTokenPreview: text("provider_token_preview"),
+        deviceLabel: text("device_label"),
+        meta: jsonb("meta"),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        lastSeenAt: timestamp("last_seen_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        disabledAt: timestamp("disabled_at", { withTimezone: true }),
+    },
+    (table) => ({
+        uniqueUserDevice: uniqueIndex("notification_mobile_push_devices_user_device_key")
+            .on(table.tenantId, table.userId, table.localDeviceId),
+        uniqueCentralDevice: uniqueIndex("notification_mobile_push_devices_central_device_key")
+            .on(table.centralDeviceId),
+    }),
+)
+
+export type NotificationMobilePushDevice =
+    typeof notificationMobilePushDevices.$inferSelect
+export type NewNotificationMobilePushDevice =
+    typeof notificationMobilePushDevices.$inferInsert

backend/db/schema/notification_push_subscriptions.ts

@@ -0,0 +1,50 @@
+import {
+    pgTable,
+    uuid,
+    bigint,
+    text,
+    jsonb,
+    timestamp,
+    uniqueIndex,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+
+export const notificationPushSubscriptions = pgTable(
+    "notification_push_subscriptions",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        userId: uuid("user_id")
+            .notNull()
+            .references(() => authUsers.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        endpoint: text("endpoint").notNull(),
+        p256dh: text("p256dh").notNull(),
+        auth: text("auth").notNull(),
+        userAgent: text("user_agent"),
+        deviceLabel: text("device_label"),
+        meta: jsonb("meta"),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        lastSeenAt: timestamp("last_seen_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        disabledAt: timestamp("disabled_at", { withTimezone: true }),
+    },
+    (table) => ({
+        uniqueEndpoint: uniqueIndex("notification_push_subscriptions_endpoint_key").on(table.endpoint),
+    }),
+)
+
+export type NotificationPushSubscription =
+    typeof notificationPushSubscriptions.$inferSelect
+export type NewNotificationPushSubscription =
+    typeof notificationPushSubscriptions.$inferInsert

backend/db/schema/outgoingsepamandates.ts

@@ -0,0 +1,61 @@
+import {
+    pgTable,
+    bigint,
+    text,
+    timestamp,
+    boolean,
+    uuid,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { customers } from "./customers"
+import { entitybankaccounts } from "./entitybankaccounts"
+import { authUsers } from "./auth_users"
+
+export const outgoingsepamandates = pgTable("outgoingsepamandates", {
+    id: bigint("id", { mode: "number" })
+        .primaryKey()
+        .generatedByDefaultAsIdentity(),
+
+    createdAt: timestamp("created_at", { withTimezone: true })
+        .notNull()
+        .defaultNow(),
+
+    tenant: bigint("tenant", { mode: "number" })
+        .notNull()
+        .references(() => tenants.id),
+
+    customer: bigint("customer", { mode: "number" })
+        .notNull()
+        .references(() => customers.id),
+
+    bankaccount: bigint("bankaccount", { mode: "number" })
+        .notNull()
+        .references(() => entitybankaccounts.id),
+
+    reference: text("reference").notNull(),
+
+    status: text("status").notNull().default("Entwurf"),
+
+    mandateType: text("mandate_type").notNull().default("CORE"),
+
+    sequenceType: text("sequence_type").notNull().default("RCUR"),
+
+    signedAt: timestamp("signed_at", { withTimezone: true }),
+
+    validFrom: timestamp("valid_from", { withTimezone: true }),
+
+    validUntil: timestamp("valid_until", { withTimezone: true }),
+
+    defaultMandate: boolean("default_mandate").notNull().default(false),
+
+    notes: text("notes"),
+
+    archived: boolean("archived").notNull().default(false),
+
+    updatedAt: timestamp("updated_at", { withTimezone: true }),
+    updatedBy: uuid("updated_by").references(() => authUsers.id),
+})
+
+export type OutgoingSepaMandate = typeof outgoingsepamandates.$inferSelect
+export type NewOutgoingSepaMandate = typeof outgoingsepamandates.$inferInsert

backend/db/schema/services.ts

@@ -13,6 +13,7 @@ import {
 import { tenants } from "./tenants"
 import { units } from "./units"
 import { authUsers } from "./auth_users"
+import { costcentres } from "./costcentres"
 
 export const services = pgTable("services", {
     id: bigint("id", { mode: "number" })
@@ -35,6 +36,8 @@ export const services = pgTable("services", {
 
     unit: bigint("unit", { mode: "number" }).references(() => units.id),
 
+    costcentre: uuid("costcentre").references(() => costcentres.id),
+
     serviceNumber: bigint("serviceNumber", { mode: "number" }),
 
     tags: jsonb("tags").default([]),

backend/db/schema/telephony_calls.ts

@@ -0,0 +1,56 @@
+import {
+    pgTable,
+    uuid,
+    bigint,
+    text,
+    timestamp,
+    integer,
+    index,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+
+export const telephonyCalls = pgTable(
+    "telephony_calls",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade" }),
+
+        direction: text("direction").notNull(),
+        status: text("status").notNull().default("ringing"),
+
+        localExtension: text("local_extension"),
+        remoteNumber: text("remote_number"),
+        remoteDisplayName: text("remote_display_name"),
+        sipCallId: text("sip_call_id"),
+
+        startedAt: timestamp("started_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        answeredAt: timestamp("answered_at", { withTimezone: true }),
+        endedAt: timestamp("ended_at", { withTimezone: true }),
+        durationSeconds: integer("duration_seconds"),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        updatedAt: timestamp("updated_at", { withTimezone: true }),
+        createdBy: uuid("created_by").references(() => authUsers.id),
+        updatedBy: uuid("updated_by").references(() => authUsers.id),
+    },
+    (table) => ({
+        tenantStartedIdx: index("telephony_calls_tenant_started_idx")
+            .on(table.tenantId, table.startedAt),
+        createdByIdx: index("telephony_calls_created_by_idx")
+            .on(table.tenantId, table.createdBy),
+        sipCallIdx: index("telephony_calls_sip_call_idx")
+            .on(table.tenantId, table.sipCallId),
+    })
+)
+
+export type TelephonyCall = typeof telephonyCalls.$inferSelect
+export type NewTelephonyCall = typeof telephonyCalls.$inferInsert

backend/db/schema/telephony_extensions.ts

@@ -0,0 +1,53 @@
+import {
+    pgTable,
+    uuid,
+    bigint,
+    text,
+    timestamp,
+    boolean,
+    index,
+    uniqueIndex,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+import { teams } from "./teams"
+import { branches } from "./branches"
+
+export const telephonyExtensions = pgTable(
+    "telephony_extensions",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade" }),
+
+        targetType: text("target_type").notNull(),
+        targetUserId: uuid("target_user_id").references(() => authUsers.id, { onDelete: "cascade" }),
+        targetTeamId: bigint("target_team_id", { mode: "number" }).references(() => teams.id, { onDelete: "cascade" }),
+        targetBranchId: bigint("target_branch_id", { mode: "number" }).references(() => branches.id, { onDelete: "cascade" }),
+
+        extension: text("extension").notNull(),
+        displayName: text("display_name"),
+        sipUsername: text("sip_username"),
+        sipPassword: text("sip_password"),
+        enabled: boolean("enabled").notNull().default(true),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        updatedAt: timestamp("updated_at", { withTimezone: true }),
+        createdBy: uuid("created_by").references(() => authUsers.id),
+        updatedBy: uuid("updated_by").references(() => authUsers.id),
+    },
+    (table) => ({
+        tenantExtensionIdx: uniqueIndex("telephony_extensions_tenant_extension_idx")
+            .on(table.tenantId, table.extension),
+        tenantTargetIdx: index("telephony_extensions_tenant_target_idx")
+            .on(table.tenantId, table.targetType),
+    })
+)
+
+export type TelephonyExtension = typeof telephonyExtensions.$inferSelect
+export type NewTelephonyExtension = typeof telephonyExtensions.$inferInsert

backend/db/schema/telephony_trunks.ts

@@ -0,0 +1,53 @@
+import {
+    pgTable,
+    uuid,
+    bigint,
+    text,
+    timestamp,
+    boolean,
+    uniqueIndex,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+import { telephonyExtensions } from "./telephony_extensions"
+
+export const telephonyTrunks = pgTable(
+    "telephony_trunks",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade" }),
+
+        provider: text("provider").notNull().default("telekom"),
+        enabled: boolean("enabled").notNull().default(false),
+        registrar: text("registrar").notNull().default("tel.t-online.de"),
+
+        sipUser: text("sip_user"),
+        authUser: text("auth_user"),
+        password: text("password"),
+        callerId: text("caller_id"),
+        inboundExtension: text("inbound_extension").notNull().default("1001"),
+        defaultRouteExtensionId: uuid("default_route_extension_id").references(() => telephonyExtensions.id, { onDelete: "set null" }),
+        outboundPrefix: text("outbound_prefix").notNull().default("0"),
+        externalSignalingAddress: text("external_signaling_address"),
+        externalMediaAddress: text("external_media_address"),
+        localNetworks: text("local_networks"),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        updatedAt: timestamp("updated_at", { withTimezone: true }),
+        createdBy: uuid("created_by").references(() => authUsers.id),
+        updatedBy: uuid("updated_by").references(() => authUsers.id),
+    },
+    (table) => ({
+        tenantProviderIdx: uniqueIndex("telephony_trunks_tenant_provider_idx")
+            .on(table.tenantId, table.provider),
+    })
+)
+
+export type TelephonyTrunk = typeof telephonyTrunks.$inferSelect
+export type NewTelephonyTrunk = typeof telephonyTrunks.$inferInsert

backend/db/schema/tenants.ts

@@ -91,6 +91,7 @@ export const tenants = pgTable(
             createDocument: true,
             serialInvoice: true,
             incomingInvoices: true,
+            outgoingsepamandates: true,
             costcentres: true,
             branches: true,
             teams: true,
@@ -140,6 +141,7 @@ export const tenants = pgTable(
                 customerinventoryitems: { prefix: "KIA-", suffix: "", nextNumber: 1000 },
                 projects: { prefix: "PRJ-", suffix: "", nextNumber: 1000 },
                 costcentres: { prefix: "KST-", suffix: "", nextNumber: 1000 },
+                outgoingsepamandates: { prefix: "SEPA-", suffix: "", nextNumber: 1000 },
             }),
         accountChart: text("accountChart").notNull().default("skr03"),
 

backend/docker-entrypoint.sh

@@ -0,0 +1,7 @@
+set -e
+
+if [ "${FEDEO_RUN_MIGRATIONS:-true}" = "true" ]; then
+  npm run migrate
+fi
+
+exec node dist/src/index.js

backend/package.json

@@ -54,6 +54,7 @@
     "pg": "^8.16.3",
     "pngjs": "^7.0.0",
     "sharp": "^0.34.5",
+    "web-push": "^3.6.7",
     "webdav-server": "^2.6.2",
     "xmlbuilder": "^15.1.1",
     "zpl-image": "^0.2.0",
@@ -63,6 +64,7 @@
     "@types/bcrypt": "^6.0.0",
     "@types/jsonwebtoken": "^9.0.10",
     "@types/node": "^24.3.0",
+    "@types/web-push": "^3.6.4",
     "drizzle-kit": "^0.31.8",
     "prisma": "^6.15.0",
     "tsx": "^4.20.5",

backend/src/index.ts

@@ -30,6 +30,11 @@ import userRoutes from "./routes/auth/user";
 import publiclinksAuthenticatedRoutes from "./routes/publiclinks/publiclinks-authenticated";
 import wikiRoutes from "./routes/wiki";
 import portalContractRoutes from "./routes/portal/contracts";
+import mcpRoutes from "./routes/mcp";
+import communicationRoutes from "./routes/communication";
+import telephonyRoutes from "./routes/telephony";
+import instanceAgentRoutes from "./routes/instanceAgents";
+import instanceAgentGatewayRoutes from "./routes/instanceAgentGateway";
 
 //Public Links
 import publiclinksNonAuthenticatedRoutes from "./routes/publiclinks/publiclinks-non-authenticated";
@@ -54,6 +59,8 @@ import {sendMail} from "./utils/mailer";
 import {loadSecrets, secrets} from "./utils/secrets";
 import {initMailer} from "./utils/mailer"
 import {initS3} from "./utils/s3";
+import { runBootstrap } from "./modules/bootstrap.service";
+import { startMatrixPushWorker } from "./modules/matrix-push-worker.service";
 
 
 //Services
@@ -78,6 +85,8 @@ async function main() {
     await app.register(dayjsPlugin);
     await app.register(dbPlugin);
     await app.register(servicesPlugin);
+    await runBootstrap(app);
+    startMatrixPushWorker(app);
 
     app.addHook('preHandler', (req, reply, done) => {
         console.log(req.method)
@@ -121,6 +130,10 @@ async function main() {
         await devicesApp.register(devicesManagementRoutes)
     },{prefix: "/devices"})
 
+    await app.register(async (agentApp) => {
+        await agentApp.register(instanceAgentGatewayRoutes)
+    },{prefix: "/instance-agent"})
+
     await app.register(corsPlugin);
 
     //Geschützte Routes
@@ -148,6 +161,10 @@ async function main() {
         await subApp.register(resourceRoutes);
         await subApp.register(wikiRoutes);
         await subApp.register(portalContractRoutes);
+        await subApp.register(mcpRoutes);
+        await subApp.register(communicationRoutes);
+        await subApp.register(telephonyRoutes);
+        await subApp.register(instanceAgentRoutes);
 
     },{prefix: "/api"})
 

backend/src/mcp/authz.ts

@@ -0,0 +1,88 @@
+import { FastifyInstance, FastifyRequest } from "fastify"
+import { and, eq, or, isNull, inArray } from "drizzle-orm"
+import {
+    authRoles,
+    authRolePermissions,
+    authUserRoles,
+} from "../../db/schema"
+import { McpContext, McpTool } from "./types"
+
+export async function loadTenantPermissions(
+    server: FastifyInstance,
+    userId: string,
+    tenantId: number
+) {
+    const roleRows = await server.db
+        .select({
+            roleId: authUserRoles.role_id,
+        })
+        .from(authUserRoles)
+        .innerJoin(
+            authRoles,
+            and(
+                eq(authRoles.id, authUserRoles.role_id),
+                or(isNull(authRoles.tenant_id), eq(authRoles.tenant_id, tenantId))
+            )
+        )
+        .where(
+            and(
+                eq(authUserRoles.user_id, userId),
+                eq(authUserRoles.tenant_id, tenantId)
+            )
+        )
+
+    const roleIds = Array.from(new Set(roleRows.map((row) => row.roleId)))
+
+    if (roleIds.length === 0) return []
+
+    const permissionRows = await server.db
+        .select({
+            permission: authRolePermissions.permission,
+        })
+        .from(authRolePermissions)
+        .where(inArray(authRolePermissions.role_id, roleIds))
+
+    return Array.from(new Set(permissionRows.map((row) => row.permission)))
+}
+
+export async function createMcpContext(
+    server: FastifyInstance,
+    request: FastifyRequest
+): Promise<McpContext> {
+    const user = request.user
+
+    if (!user?.user_id) {
+        throw Object.assign(new Error("Authentication required"), { statusCode: 401 })
+    }
+
+    if (!user.tenant_id) {
+        throw Object.assign(new Error("MCP benötigt einen aktiven Mandanten"), { statusCode: 403 })
+    }
+
+    const permissions = await loadTenantPermissions(server, user.user_id, user.tenant_id)
+
+    return {
+        server,
+        request,
+        tenantId: user.tenant_id,
+        userId: user.user_id,
+        isAdmin: Boolean(user.is_admin),
+        permissions,
+    }
+}
+
+export function assertToolPermission(context: McpContext, tool: McpTool) {
+    if (context.isAdmin) return
+
+    const allowed = tool.requiredPermissions.every((permission) =>
+        context.permissions.includes(permission)
+    )
+
+    if (!allowed) {
+        throw Object.assign(
+            new Error(`Fehlende Berechtigung für ${tool.name}: ${tool.requiredPermissions.join(", ")}`),
+            { statusCode: 403 }
+        )
+    }
+}
+

backend/src/mcp/registry.ts

@@ -0,0 +1,11 @@
+import { accountingTools } from "./tools/accounting"
+import { masterdataTools } from "./tools/masterdata"
+import { organisationTools } from "./tools/organisation"
+
+export const mcpTools = [
+    ...accountingTools,
+    ...masterdataTools,
+    ...organisationTools,
+]
+
+export const mcpToolMap = new Map(mcpTools.map((tool) => [tool.name, tool]))

backend/src/mcp/result.ts

@@ -0,0 +1,36 @@
+import { McpToolResult } from "./types"
+
+export function asToolResult(payload: unknown): McpToolResult {
+    const structuredContent =
+        payload && typeof payload === "object" && !Array.isArray(payload)
+            ? payload as Record<string, unknown>
+            : { result: payload }
+
+    return {
+        content: [
+            {
+                type: "text",
+                text: JSON.stringify(payload, null, 2),
+            },
+        ],
+        structuredContent,
+    }
+}
+
+export function asToolError(error: unknown): McpToolResult {
+    const message = error instanceof Error ? error.message : "Unbekannter Fehler"
+
+    return {
+        content: [
+            {
+                type: "text",
+                text: message,
+            },
+        ],
+        isError: true,
+        structuredContent: {
+            error: message,
+        },
+    }
+}
+

backend/src/mcp/tools/masterdata.ts

@@ -0,0 +1,571 @@
+import { and, desc, eq, ilike, or } from "drizzle-orm"
+import {
+    branches,
+    contacts,
+    costcentres,
+    customers,
+    inventoryitems,
+    products,
+    services,
+    teams,
+    units,
+    vehicles,
+    vendors,
+} from "../../../db/schema"
+import { McpTool } from "../types"
+
+const limitFromArgs = (args: Record<string, unknown>, fallback = 25) => {
+    const raw = Number(args.limit ?? fallback)
+    if (!Number.isFinite(raw)) return fallback
+    return Math.min(Math.max(Math.trunc(raw), 1), 100)
+}
+
+const stringArg = (args: Record<string, unknown>, key: string) => {
+    const value = args[key]
+    return typeof value === "string" && value.trim() ? value.trim() : null
+}
+
+const numberArg = (args: Record<string, unknown>, key: string) => {
+    const value = Number(args[key])
+    return Number.isFinite(value) ? value : null
+}
+
+const uuidArg = (args: Record<string, unknown>, key: string) => {
+    const value = stringArg(args, key)
+    return value && /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(value)
+        ? value
+        : null
+}
+
+export const masterdataTools: McpTool[] = [
+    {
+        name: "masterdata.customers.get",
+        title: "Kunde laden",
+        description: "Lädt einen Kunden des aktiven Mandanten anhand seiner ID.",
+        requiredPermissions: ["masterdata.customers.read"],
+        inputSchema: {
+            type: "object",
+            required: ["id"],
+            properties: { id: { type: "number" } },
+        },
+        async handler(context, args) {
+            const id = numberArg(args, "id")
+            if (!id) throw new Error("id ist erforderlich")
+
+            const rows = await context.server.db
+                .select()
+                .from(customers)
+                .where(and(eq(customers.id, id), eq(customers.tenant, context.tenantId)))
+                .limit(1)
+
+            if (!rows[0]) throw new Error("Kunde nicht gefunden")
+            return { customer: rows[0] }
+        },
+    },
+    {
+        name: "masterdata.vendors.search",
+        title: "Lieferanten suchen",
+        description: "Sucht Lieferanten des aktiven Mandanten.",
+        requiredPermissions: ["masterdata.vendors.read"],
+        inputSchema: {
+            type: "object",
+            properties: {
+                query: { type: "string", description: "Suchtext für Name, Lieferantennummer oder Notizen." },
+                includeArchived: { type: "boolean", default: false },
+                limit: { type: "number", minimum: 1, maximum: 100 },
+            },
+        },
+        async handler(context, args) {
+            const conditions = [eq(vendors.tenant, context.tenantId)]
+            const query = stringArg(args, "query")
+
+            if (query) {
+                conditions.push(or(
+                    ilike(vendors.name, `%${query}%`),
+                    ilike(vendors.vendorNumber, `%${query}%`),
+                    ilike(vendors.notes, `%${query}%`)
+                ))
+            }
+            if (args.includeArchived !== true) conditions.push(eq(vendors.archived, false))
+
+            const rows = await context.server.db
+                .select()
+                .from(vendors)
+                .where(and(...conditions))
+                .orderBy(vendors.name)
+                .limit(limitFromArgs(args))
+
+            return { rows }
+        },
+    },
+    {
+        name: "masterdata.vendors.get",
+        title: "Lieferant laden",
+        description: "Lädt einen Lieferanten des aktiven Mandanten anhand seiner ID.",
+        requiredPermissions: ["masterdata.vendors.read"],
+        inputSchema: {
+            type: "object",
+            required: ["id"],
+            properties: { id: { type: "number" } },
+        },
+        async handler(context, args) {
+            const id = numberArg(args, "id")
+            if (!id) throw new Error("id ist erforderlich")
+
+            const rows = await context.server.db
+                .select()
+                .from(vendors)
+                .where(and(eq(vendors.id, id), eq(vendors.tenant, context.tenantId)))
+                .limit(1)
+
+            if (!rows[0]) throw new Error("Lieferant nicht gefunden")
+            return { vendor: rows[0] }
+        },
+    },
+    {
+        name: "masterdata.contacts.search",
+        title: "Kontakte suchen",
+        description: "Sucht Kontakte des aktiven Mandanten, optional zu Kunde oder Lieferant.",
+        requiredPermissions: ["masterdata.contacts.read"],
+        inputSchema: {
+            type: "object",
+            properties: {
+                query: { type: "string", description: "Suchtext für Name, E-Mail, Telefon, Rolle oder Notizen." },
+                customer: { type: "number" },
+                vendor: { type: "number" },
+                includeArchived: { type: "boolean", default: false },
+                limit: { type: "number", minimum: 1, maximum: 100 },
+            },
+        },
+        async handler(context, args) {
+            const conditions = [eq(contacts.tenant, context.tenantId)]
+            const query = stringArg(args, "query")
+            const customer = numberArg(args, "customer")
+            const vendor = numberArg(args, "vendor")
+
+            if (query) {
+                conditions.push(or(
+                    ilike(contacts.fullName, `%${query}%`),
+                    ilike(contacts.firstName, `%${query}%`),
+                    ilike(contacts.lastName, `%${query}%`),
+                    ilike(contacts.email, `%${query}%`),
+                    ilike(contacts.phoneMobile, `%${query}%`),
+                    ilike(contacts.phoneHome, `%${query}%`),
+                    ilike(contacts.role, `%${query}%`),
+                    ilike(contacts.notes, `%${query}%`)
+                ))
+            }
+            if (customer) conditions.push(eq(contacts.customer, customer))
+            if (vendor) conditions.push(eq(contacts.vendor, vendor))
+            if (args.includeArchived !== true) conditions.push(eq(contacts.archived, false))
+
+            const rows = await context.server.db
+                .select()
+                .from(contacts)
+                .where(and(...conditions))
+                .orderBy(contacts.fullName)
+                .limit(limitFromArgs(args))
+
+            return { rows }
+        },
+    },
+    {
+        name: "masterdata.products.search",
+        title: "Artikel suchen",
+        description: "Sucht Artikel und Materialstammdaten des aktiven Mandanten.",
+        requiredPermissions: ["masterdata.products.read"],
+        inputSchema: {
+            type: "object",
+            properties: {
+                query: { type: "string", description: "Suchtext für Name, Artikelnummer, Hersteller, EAN, Barcode oder Beschreibung." },
+                includeArchived: { type: "boolean", default: false },
+                limit: { type: "number", minimum: 1, maximum: 100 },
+            },
+        },
+        async handler(context, args) {
+            const conditions = [eq(products.tenant, context.tenantId)]
+            const query = stringArg(args, "query")
+
+            if (query) {
+                conditions.push(or(
+                    ilike(products.name, `%${query}%`),
+                    ilike(products.article_number, `%${query}%`),
+                    ilike(products.manufacturer, `%${query}%`),
+                    ilike(products.manufacturer_number, `%${query}%`),
+                    ilike(products.ean, `%${query}%`),
+                    ilike(products.barcode, `%${query}%`),
+                    ilike(products.description, `%${query}%`)
+                ))
+            }
+            if (args.includeArchived !== true) conditions.push(eq(products.archived, false))
+
+            const rows = await context.server.db
+                .select()
+                .from(products)
+                .where(and(...conditions))
+                .orderBy(products.name)
+                .limit(limitFromArgs(args))
+
+            return { rows }
+        },
+    },
+    {
+        name: "masterdata.products.get",
+        title: "Artikel laden",
+        description: "Lädt einen Artikel des aktiven Mandanten anhand seiner ID.",
+        requiredPermissions: ["masterdata.products.read"],
+        inputSchema: {
+            type: "object",
+            required: ["id"],
+            properties: { id: { type: "number" } },
+        },
+        async handler(context, args) {
+            const id = numberArg(args, "id")
+            if (!id) throw new Error("id ist erforderlich")
+
+            const rows = await context.server.db
+                .select()
+                .from(products)
+                .where(and(eq(products.id, id), eq(products.tenant, context.tenantId)))
+                .limit(1)
+
+            if (!rows[0]) throw new Error("Artikel nicht gefunden")
+            return { product: rows[0] }
+        },
+    },
+    {
+        name: "masterdata.services.search",
+        title: "Leistungen suchen",
+        description: "Sucht Leistungsstammdaten des aktiven Mandanten.",
+        requiredPermissions: ["masterdata.services.read"],
+        inputSchema: {
+            type: "object",
+            properties: {
+                query: { type: "string", description: "Suchtext für Name, Leistungsnummer oder Beschreibung." },
+                includeArchived: { type: "boolean", default: false },
+                limit: { type: "number", minimum: 1, maximum: 100 },
+            },
+        },
+        async handler(context, args) {
+            const conditions = [eq(services.tenant, context.tenantId)]
+            const query = stringArg(args, "query")
+
+            if (query) {
+                conditions.push(or(
+                    ilike(services.name, `%${query}%`),
+                    ilike(services.description, `%${query}%`)
+                ))
+            }
+            if (args.includeArchived !== true) conditions.push(eq(services.archived, false))
+
+            const rows = await context.server.db
+                .select()
+                .from(services)
+                .where(and(...conditions))
+                .orderBy(services.name)
+                .limit(limitFromArgs(args))
+
+            return { rows }
+        },
+    },
+    {
+        name: "masterdata.services.get",
+        title: "Leistung laden",
+        description: "Lädt eine Leistung des aktiven Mandanten anhand ihrer ID.",
+        requiredPermissions: ["masterdata.services.read"],
+        inputSchema: {
+            type: "object",
+            required: ["id"],
+            properties: { id: { type: "number" } },
+        },
+        async handler(context, args) {
+            const id = numberArg(args, "id")
+            if (!id) throw new Error("id ist erforderlich")
+
+            const rows = await context.server.db
+                .select()
+                .from(services)
+                .where(and(eq(services.id, id), eq(services.tenant, context.tenantId)))
+                .limit(1)
+
+            if (!rows[0]) throw new Error("Leistung nicht gefunden")
+            return { service: rows[0] }
+        },
+    },
+    {
+        name: "masterdata.cost_centres.list",
+        title: "Kostenstellen auflisten",
+        description: "Listet Kostenstellen des aktiven Mandanten.",
+        requiredPermissions: ["masterdata.cost_centres.read"],
+        inputSchema: {
+            type: "object",
+            properties: {
+                query: { type: "string", description: "Suchtext für Nummer, Name oder Beschreibung." },
+                branch: { type: "number" },
+                project: { type: "number" },
+                includeArchived: { type: "boolean", default: false },
+                limit: { type: "number", minimum: 1, maximum: 100 },
+            },
+        },
+        async handler(context, args) {
+            const conditions = [eq(costcentres.tenant, context.tenantId)]
+            const query = stringArg(args, "query")
+            const branch = numberArg(args, "branch")
+            const project = numberArg(args, "project")
+
+            if (query) {
+                conditions.push(or(
+                    ilike(costcentres.number, `%${query}%`),
+                    ilike(costcentres.name, `%${query}%`),
+                    ilike(costcentres.description, `%${query}%`)
+                ))
+            }
+            if (branch) conditions.push(eq(costcentres.branch, branch))
+            if (project) conditions.push(eq(costcentres.project, project))
+            if (args.includeArchived !== true) conditions.push(eq(costcentres.archived, false))
+
+            const rows = await context.server.db
+                .select()
+                .from(costcentres)
+                .where(and(...conditions))
+                .orderBy(costcentres.number)
+                .limit(limitFromArgs(args))
+
+            return { rows }
+        },
+    },
+    {
+        name: "masterdata.cost_centres.get",
+        title: "Kostenstelle laden",
+        description: "Lädt eine Kostenstelle des aktiven Mandanten anhand ihrer UUID.",
+        requiredPermissions: ["masterdata.cost_centres.read"],
+        inputSchema: {
+            type: "object",
+            required: ["id"],
+            properties: { id: { type: "string" } },
+        },
+        async handler(context, args) {
+            const id = uuidArg(args, "id")
+            if (!id) throw new Error("gültige id ist erforderlich")
+
+            const rows = await context.server.db
+                .select()
+                .from(costcentres)
+                .where(and(eq(costcentres.id, id), eq(costcentres.tenant, context.tenantId)))
+                .limit(1)
+
+            if (!rows[0]) throw new Error("Kostenstelle nicht gefunden")
+            return { costCentre: rows[0] }
+        },
+    },
+    {
+        name: "masterdata.branches.list",
+        title: "Niederlassungen auflisten",
+        description: "Listet Niederlassungen des aktiven Mandanten.",
+        requiredPermissions: ["masterdata.branches.read"],
+        inputSchema: {
+            type: "object",
+            properties: {
+                query: { type: "string", description: "Suchtext für Nummer, Name oder Beschreibung." },
+                includeArchived: { type: "boolean", default: false },
+                limit: { type: "number", minimum: 1, maximum: 100 },
+            },
+        },
+        async handler(context, args) {
+            const conditions = [eq(branches.tenant, context.tenantId)]
+            const query = stringArg(args, "query")
+
+            if (query) {
+                conditions.push(or(
+                    ilike(branches.number, `%${query}%`),
+                    ilike(branches.name, `%${query}%`),
+                    ilike(branches.description, `%${query}%`)
+                ))
+            }
+            if (args.includeArchived !== true) conditions.push(eq(branches.archived, false))
+
+            const rows = await context.server.db
+                .select()
+                .from(branches)
+                .where(and(...conditions))
+                .orderBy(branches.name)
+                .limit(limitFromArgs(args))
+
+            return { rows }
+        },
+    },
+    {
+        name: "masterdata.teams.list",
+        title: "Teams auflisten",
+        description: "Listet Teams des aktiven Mandanten.",
+        requiredPermissions: ["masterdata.teams.read"],
+        inputSchema: {
+            type: "object",
+            properties: {
+                query: { type: "string", description: "Suchtext für Name oder Beschreibung." },
+                branch: { type: "number" },
+                includeArchived: { type: "boolean", default: false },
+                limit: { type: "number", minimum: 1, maximum: 100 },
+            },
+        },
+        async handler(context, args) {
+            const conditions = [eq(teams.tenant, context.tenantId)]
+            const query = stringArg(args, "query")
+            const branch = numberArg(args, "branch")
+
+            if (query) {
+                conditions.push(or(
+                    ilike(teams.name, `%${query}%`),
+                    ilike(teams.description, `%${query}%`)
+                ))
+            }
+            if (branch) conditions.push(eq(teams.branch, branch))
+            if (args.includeArchived !== true) conditions.push(eq(teams.archived, false))
+
+            const rows = await context.server.db
+                .select()
+                .from(teams)
+                .where(and(...conditions))
+                .orderBy(teams.name)
+                .limit(limitFromArgs(args))
+
+            return { rows }
+        },
+    },
+    {
+        name: "masterdata.vehicles.list",
+        title: "Fahrzeuge auflisten",
+        description: "Listet Fahrzeuge des aktiven Mandanten.",
+        requiredPermissions: ["masterdata.vehicles.read"],
+        inputSchema: {
+            type: "object",
+            properties: {
+                query: { type: "string", description: "Suchtext für Name, Kennzeichen, FIN oder Farbe." },
+                includeArchived: { type: "boolean", default: false },
+                limit: { type: "number", minimum: 1, maximum: 100 },
+            },
+        },
+        async handler(context, args) {
+            const conditions = [eq(vehicles.tenant, context.tenantId)]
+            const query = stringArg(args, "query")
+
+            if (query) {
+                conditions.push(or(
+                    ilike(vehicles.name, `%${query}%`),
+                    ilike(vehicles.license_plate, `%${query}%`),
+                    ilike(vehicles.vin, `%${query}%`),
+                    ilike(vehicles.color, `%${query}%`)
+                ))
+            }
+            if (args.includeArchived !== true) conditions.push(eq(vehicles.archived, false))
+
+            const rows = await context.server.db
+                .select()
+                .from(vehicles)
+                .where(and(...conditions))
+                .orderBy(vehicles.name)
+                .limit(limitFromArgs(args))
+
+            return { rows }
+        },
+    },
+    {
+        name: "masterdata.inventory_items.search",
+        title: "Inventar suchen",
+        description: "Sucht Inventar- und Geräte-Stammdaten des aktiven Mandanten.",
+        requiredPermissions: ["masterdata.inventory_items.read"],
+        inputSchema: {
+            type: "object",
+            properties: {
+                query: { type: "string", description: "Suchtext für Name, Artikelnummer, Seriennummer, Hersteller oder Beschreibung." },
+                vendor: { type: "number" },
+                includeArchived: { type: "boolean", default: false },
+                limit: { type: "number", minimum: 1, maximum: 100 },
+            },
+        },
+        async handler(context, args) {
+            const conditions = [eq(inventoryitems.tenant, context.tenantId)]
+            const query = stringArg(args, "query")
+            const vendor = numberArg(args, "vendor")
+
+            if (query) {
+                conditions.push(or(
+                    ilike(inventoryitems.name, `%${query}%`),
+                    ilike(inventoryitems.articleNumber, `%${query}%`),
+                    ilike(inventoryitems.serialNumber, `%${query}%`),
+                    ilike(inventoryitems.manufacturer, `%${query}%`),
+                    ilike(inventoryitems.manufacturerNumber, `%${query}%`),
+                    ilike(inventoryitems.description, `%${query}%`)
+                ))
+            }
+            if (vendor) conditions.push(eq(inventoryitems.vendor, vendor))
+            if (args.includeArchived !== true) conditions.push(eq(inventoryitems.archived, false))
+
+            const rows = await context.server.db
+                .select()
+                .from(inventoryitems)
+                .where(and(...conditions))
+                .orderBy(inventoryitems.name)
+                .limit(limitFromArgs(args))
+
+            return { rows }
+        },
+    },
+    {
+        name: "masterdata.inventory_items.get",
+        title: "Inventar laden",
+        description: "Lädt einen Inventar- oder Geräte-Stammdatensatz anhand seiner ID.",
+        requiredPermissions: ["masterdata.inventory_items.read"],
+        inputSchema: {
+            type: "object",
+            required: ["id"],
+            properties: { id: { type: "number" } },
+        },
+        async handler(context, args) {
+            const id = numberArg(args, "id")
+            if (!id) throw new Error("id ist erforderlich")
+
+            const rows = await context.server.db
+                .select()
+                .from(inventoryitems)
+                .where(and(eq(inventoryitems.id, id), eq(inventoryitems.tenant, context.tenantId)))
+                .limit(1)
+
+            if (!rows[0]) throw new Error("Inventar nicht gefunden")
+            return { inventoryItem: rows[0] }
+        },
+    },
+    {
+        name: "masterdata.units.list",
+        title: "Einheiten auflisten",
+        description: "Listet globale Mengeneinheiten.",
+        requiredPermissions: ["masterdata.units.read"],
+        inputSchema: {
+            type: "object",
+            properties: {
+                query: { type: "string", description: "Suchtext für Name, Singular, Plural oder Kürzel." },
+                limit: { type: "number", minimum: 1, maximum: 100 },
+            },
+        },
+        async handler(context, args) {
+            const query = stringArg(args, "query")
+
+            const rows = await context.server.db
+                .select()
+                .from(units)
+                .where(query
+                    ? or(
+                        ilike(units.name, `%${query}%`),
+                        ilike(units.single, `%${query}%`),
+                        ilike(units.multiple, `%${query}%`),
+                        ilike(units.short, `%${query}%`)
+                    )
+                    : undefined)
+                .orderBy(units.name)
+                .limit(limitFromArgs(args))
+
+            return { rows }
+        },
+    },
+]
+

backend/src/mcp/tools/organisation.ts

@@ -0,0 +1,407 @@
+import { and, desc, eq, ilike, or } from "drizzle-orm"
+import { customers, events, plants, projects, tasks } from "../../../db/schema"
+import { McpTool } from "../types"
+
+const limitFromArgs = (args: Record<string, unknown>, fallback = 25) => {
+    const raw = Number(args.limit ?? fallback)
+    if (!Number.isFinite(raw)) return fallback
+    return Math.min(Math.max(Math.trunc(raw), 1), 100)
+}
+
+const stringArg = (args: Record<string, unknown>, key: string) => {
+    const value = args[key]
+    return typeof value === "string" && value.trim() ? value.trim() : null
+}
+
+const numberArg = (args: Record<string, unknown>, key: string) => {
+    const value = Number(args[key])
+    return Number.isFinite(value) ? value : null
+}
+
+export const organisationTools: McpTool[] = [
+    {
+        name: "organisation.customers.search",
+        title: "Kunden suchen",
+        description: "Sucht aktive Kunden des aktiven Mandanten.",
+        requiredPermissions: ["organisation.customers.read"],
+        inputSchema: {
+            type: "object",
+            properties: {
+                query: { type: "string", description: "Suchtext für Name, Kundennummer, Vorname, Nachname oder Notizen." },
+                includeArchived: { type: "boolean", default: false },
+                limit: { type: "number", minimum: 1, maximum: 100 },
+            },
+        },
+        async handler(context, args) {
+            const conditions = [eq(customers.tenant, context.tenantId)]
+            const query = stringArg(args, "query")
+
+            if (query) {
+                conditions.push(or(
+                    ilike(customers.name, `%${query}%`),
+                    ilike(customers.customerNumber, `%${query}%`),
+                    ilike(customers.firstname, `%${query}%`),
+                    ilike(customers.lastname, `%${query}%`),
+                    ilike(customers.notes, `%${query}%`)
+                ))
+            }
+            if (args.includeArchived !== true) conditions.push(eq(customers.archived, false))
+
+            const rows = await context.server.db
+                .select({
+                    id: customers.id,
+                    customerNumber: customers.customerNumber,
+                    name: customers.name,
+                    firstname: customers.firstname,
+                    lastname: customers.lastname,
+                    type: customers.type,
+                    isCompany: customers.isCompany,
+                    active: customers.active,
+                    archived: customers.archived,
+                })
+                .from(customers)
+                .where(and(...conditions))
+                .orderBy(customers.name)
+                .limit(limitFromArgs(args))
+
+            return { rows }
+        },
+    },
+    {
+        name: "organisation.projects.list",
+        title: "Projekte auflisten",
+        description: "Listet Projekte des aktiven Mandanten mit optionalen Filtern.",
+        requiredPermissions: ["organisation.projects.read"],
+        inputSchema: {
+            type: "object",
+            properties: {
+                query: { type: "string", description: "Suchtext für Name, Projektnummer, Kundenreferenz oder Notizen." },
+                customer: { type: "number" },
+                activePhase: { type: "string" },
+                includeArchived: { type: "boolean", default: false },
+                limit: { type: "number", minimum: 1, maximum: 100 },
+            },
+        },
+        async handler(context, args) {
+            const conditions = [eq(projects.tenant, context.tenantId)]
+            const query = stringArg(args, "query")
+            const customer = numberArg(args, "customer")
+            const activePhase = stringArg(args, "activePhase")
+
+            if (query) {
+                conditions.push(or(
+                    ilike(projects.name, `%${query}%`),
+                    ilike(projects.projectNumber, `%${query}%`),
+                    ilike(projects.customerRef, `%${query}%`),
+                    ilike(projects.notes, `%${query}%`)
+                ))
+            }
+            if (customer) conditions.push(eq(projects.customer, customer))
+            if (activePhase) conditions.push(eq(projects.active_phase, activePhase))
+            if (args.includeArchived !== true) conditions.push(eq(projects.archived, false))
+
+            const rows = await context.server.db
+                .select()
+                .from(projects)
+                .where(and(...conditions))
+                .orderBy(desc(projects.createdAt))
+                .limit(limitFromArgs(args))
+
+            return { rows }
+        },
+    },
+    {
+        name: "organisation.projects.get",
+        title: "Projekt laden",
+        description: "Lädt ein Projekt des aktiven Mandanten anhand seiner ID.",
+        requiredPermissions: ["organisation.projects.read"],
+        inputSchema: {
+            type: "object",
+            required: ["id"],
+            properties: {
+                id: { type: "number" },
+            },
+        },
+        async handler(context, args) {
+            const id = numberArg(args, "id")
+            if (!id) throw new Error("id ist erforderlich")
+
+            const rows = await context.server.db
+                .select()
+                .from(projects)
+                .where(and(eq(projects.id, id), eq(projects.tenant, context.tenantId)))
+                .limit(1)
+
+            if (!rows[0]) throw new Error("Projekt nicht gefunden")
+            return { project: rows[0] }
+        },
+    },
+    {
+        name: "organisation.plants.list",
+        title: "Anlagen auflisten",
+        description: "Listet Anlagen des aktiven Mandanten mit optionalem Kundenfilter.",
+        requiredPermissions: ["organisation.plants.read"],
+        inputSchema: {
+            type: "object",
+            properties: {
+                query: { type: "string", description: "Suchtext für Name." },
+                customer: { type: "number" },
+                includeArchived: { type: "boolean", default: false },
+                limit: { type: "number", minimum: 1, maximum: 100 },
+            },
+        },
+        async handler(context, args) {
+            const conditions = [eq(plants.tenant, context.tenantId)]
+            const query = stringArg(args, "query")
+            const customer = numberArg(args, "customer")
+
+            if (query) conditions.push(ilike(plants.name, `%${query}%`))
+            if (customer) conditions.push(eq(plants.customer, customer))
+            if (args.includeArchived !== true) conditions.push(eq(plants.archived, false))
+
+            const rows = await context.server.db
+                .select()
+                .from(plants)
+                .where(and(...conditions))
+                .orderBy(plants.name)
+                .limit(limitFromArgs(args))
+
+            return { rows }
+        },
+    },
+    {
+        name: "organisation.events.list",
+        title: "Termine auflisten",
+        description: "Listet Termine des aktiven Mandanten mit optionalen Projekt- oder Kundenfiltern.",
+        requiredPermissions: ["organisation.events.read"],
+        inputSchema: {
+            type: "object",
+            properties: {
+                query: { type: "string", description: "Suchtext für Name, Notizen oder Link." },
+                project: { type: "number" },
+                customer: { type: "number" },
+                eventtype: { type: "string" },
+                includeArchived: { type: "boolean", default: false },
+                limit: { type: "number", minimum: 1, maximum: 100 },
+            },
+        },
+        async handler(context, args) {
+            const conditions = [eq(events.tenant, context.tenantId)]
+            const query = stringArg(args, "query")
+            const project = numberArg(args, "project")
+            const customer = numberArg(args, "customer")
+            const eventtype = stringArg(args, "eventtype")
+
+            if (query) {
+                conditions.push(or(
+                    ilike(events.name, `%${query}%`),
+                    ilike(events.notes, `%${query}%`),
+                    ilike(events.link, `%${query}%`)
+                ))
+            }
+            if (project) conditions.push(eq(events.project, project))
+            if (customer) conditions.push(eq(events.customer, customer))
+            if (eventtype) conditions.push(eq(events.eventtype, eventtype))
+            if (args.includeArchived !== true) conditions.push(eq(events.archived, false))
+
+            const rows = await context.server.db
+                .select()
+                .from(events)
+                .where(and(...conditions))
+                .orderBy(desc(events.startDate))
+                .limit(limitFromArgs(args))
+
+            return { rows }
+        },
+    },
+    {
+        name: "organisation.tasks.list",
+        title: "Aufgaben auflisten",
+        description: "Listet Aufgaben des aktiven Mandanten mit optionalen Filtern.",
+        requiredPermissions: ["organisation.tasks.read"],
+        inputSchema: {
+            type: "object",
+            properties: {
+                query: { type: "string", description: "Suchtext für Name, Beschreibung oder Kategorie." },
+                project: { type: "number" },
+                customer: { type: "number" },
+                includeArchived: { type: "boolean", default: false },
+                limit: { type: "number", minimum: 1, maximum: 100 },
+            },
+        },
+        async handler(context, args) {
+            const conditions = [eq(tasks.tenant, context.tenantId)]
+            const query = stringArg(args, "query")
+            const project = numberArg(args, "project")
+            const customer = numberArg(args, "customer")
+
+            if (query) {
+                conditions.push(or(
+                    ilike(tasks.name, `%${query}%`),
+                    ilike(tasks.description, `%${query}%`),
+                    ilike(tasks.categorie, `%${query}%`)
+                ))
+            }
+            if (project) conditions.push(eq(tasks.project, project))
+            if (customer) conditions.push(eq(tasks.customer, customer))
+            if (args.includeArchived !== true) conditions.push(eq(tasks.archived, false))
+
+            const rows = await context.server.db
+                .select()
+                .from(tasks)
+                .where(and(...conditions))
+                .orderBy(desc(tasks.createdAt))
+                .limit(limitFromArgs(args))
+
+            return { rows }
+        },
+    },
+    {
+        name: "organisation.tasks.get",
+        title: "Aufgabe laden",
+        description: "Lädt eine Aufgabe des aktiven Mandanten anhand ihrer ID.",
+        requiredPermissions: ["organisation.tasks.read"],
+        inputSchema: {
+            type: "object",
+            required: ["id"],
+            properties: {
+                id: { type: "number" },
+            },
+        },
+        async handler(context, args) {
+            const id = numberArg(args, "id")
+            if (!id) throw new Error("id ist erforderlich")
+
+            const rows = await context.server.db
+                .select()
+                .from(tasks)
+                .where(and(eq(tasks.id, id), eq(tasks.tenant, context.tenantId)))
+                .limit(1)
+
+            if (!rows[0]) throw new Error("Aufgabe nicht gefunden")
+            return { task: rows[0] }
+        },
+    },
+    {
+        name: "organisation.tasks.create",
+        title: "Aufgabe erstellen",
+        description: "Erstellt eine neue Aufgabe im aktiven Mandanten.",
+        requiredPermissions: ["organisation.tasks.write"],
+        inputSchema: {
+            type: "object",
+            required: ["name"],
+            properties: {
+                name: { type: "string" },
+                description: { type: "string" },
+                categorie: { type: "string" },
+                project: { type: "number" },
+                plant: { type: "number" },
+                customer: { type: "number" },
+                userId: { type: "string" },
+                profiles: { type: "array", items: { type: "string" } },
+            },
+        },
+        async handler(context, args) {
+            const name = stringArg(args, "name")
+            if (!name) throw new Error("name ist erforderlich")
+
+            const [created] = await context.server.db
+                .insert(tasks)
+                .values({
+                    name,
+                    description: stringArg(args, "description"),
+                    categorie: stringArg(args, "categorie"),
+                    tenant: context.tenantId,
+                    userId: stringArg(args, "userId") || context.userId,
+                    project: numberArg(args, "project"),
+                    plant: numberArg(args, "plant"),
+                    customer: numberArg(args, "customer"),
+                    profiles: Array.isArray(args.profiles) ? args.profiles : [],
+                    updatedAt: new Date(),
+                    updatedBy: context.userId,
+                })
+                .returning()
+
+            return { task: created }
+        },
+    },
+    {
+        name: "organisation.tasks.update",
+        title: "Aufgabe aktualisieren",
+        description: "Aktualisiert Felder einer Aufgabe im aktiven Mandanten.",
+        requiredPermissions: ["organisation.tasks.write"],
+        inputSchema: {
+            type: "object",
+            required: ["id"],
+            properties: {
+                id: { type: "number" },
+                name: { type: "string" },
+                description: { type: "string" },
+                categorie: { type: "string" },
+                project: { type: "number" },
+                plant: { type: "number" },
+                customer: { type: "number" },
+                userId: { type: "string" },
+                profiles: { type: "array", items: { type: "string" } },
+                archived: { type: "boolean" },
+            },
+        },
+        async handler(context, args) {
+            const id = numberArg(args, "id")
+            if (!id) throw new Error("id ist erforderlich")
+
+            const update: Record<string, unknown> = {
+                updatedAt: new Date(),
+                updatedBy: context.userId,
+            }
+
+            for (const key of ["name", "description", "categorie", "userId"] as const) {
+                if (args[key] !== undefined) update[key] = stringArg(args, key)
+            }
+            for (const key of ["project", "plant", "customer"] as const) {
+                if (args[key] !== undefined) update[key] = numberArg(args, key)
+            }
+            if (Array.isArray(args.profiles)) update.profiles = args.profiles
+            if (typeof args.archived === "boolean") update.archived = args.archived
+
+            const [updated] = await context.server.db
+                .update(tasks)
+                .set(update)
+                .where(and(eq(tasks.id, id), eq(tasks.tenant, context.tenantId)))
+                .returning()
+
+            if (!updated) throw new Error("Aufgabe nicht gefunden")
+            return { task: updated }
+        },
+    },
+    {
+        name: "organisation.tasks.archive",
+        title: "Aufgabe archivieren",
+        description: "Archiviert eine Aufgabe im aktiven Mandanten.",
+        requiredPermissions: ["organisation.tasks.write"],
+        inputSchema: {
+            type: "object",
+            required: ["id"],
+            properties: {
+                id: { type: "number" },
+            },
+        },
+        async handler(context, args) {
+            const id = numberArg(args, "id")
+            if (!id) throw new Error("id ist erforderlich")
+
+            const [updated] = await context.server.db
+                .update(tasks)
+                .set({
+                    archived: true,
+                    updatedAt: new Date(),
+                    updatedBy: context.userId,
+                })
+                .where(and(eq(tasks.id, id), eq(tasks.tenant, context.tenantId)))
+                .returning()
+
+            if (!updated) throw new Error("Aufgabe nicht gefunden")
+            return { task: updated }
+        },
+    },
+]

backend/src/mcp/types.ts

@@ -0,0 +1,36 @@
+import { FastifyInstance, FastifyRequest } from "fastify"
+
+export type McpContext = {
+    server: FastifyInstance
+    request: FastifyRequest
+    tenantId: number
+    userId: string
+    isAdmin: boolean
+    permissions: string[]
+}
+
+export type McpToolResult = {
+    content: Array<{
+        type: "text"
+        text: string
+    }>
+    structuredContent?: Record<string, unknown>
+    isError?: boolean
+}
+
+export type McpTool = {
+    name: string
+    title: string
+    description: string
+    requiredPermissions: string[]
+    inputSchema: Record<string, unknown>
+    handler: (context: McpContext, args: Record<string, unknown>) => Promise<unknown>
+}
+
+export type JsonRpcRequest = {
+    jsonrpc?: string
+    id?: string | number | null
+    method?: string
+    params?: any
+}
+

backend/src/modules/bootstrap.service.ts

@@ -0,0 +1,506 @@
+import { FastifyInstance } from "fastify"
+import { and, eq } from "drizzle-orm"
+import bcrypt from "bcrypt"
+
+import {
+    accounts,
+    authProfiles,
+    authRoles,
+    authRolePermissions,
+    authTenantUsers,
+    authUserRoles,
+    authUsers,
+    branches,
+    filetags,
+    folders,
+    productcategories,
+    servicecategories,
+    taxTypes,
+    teams,
+    tenants,
+    texttemplates,
+    units,
+} from "../../db/schema"
+import { matrixService } from "./matrix.service"
+
+const adminPermissions = [
+    "mcp.tokens.write",
+    "staff.time.read_all",
+    "masterdata.customers.read",
+    "masterdata.vendors.read",
+    "masterdata.contacts.read",
+    "masterdata.products.read",
+    "masterdata.services.read",
+    "masterdata.cost_centres.read",
+    "masterdata.branches.read",
+    "masterdata.teams.read",
+    "masterdata.vehicles.read",
+    "masterdata.inventory_items.read",
+    "masterdata.units.read",
+    "accounting.outgoing_documents.read",
+    "accounting.outgoing_documents.write",
+    "accounting.accounts.read",
+    "accounting.incoming_invoices.read",
+    "accounting.incoming_invoices.write",
+    "accounting.bank.read",
+    "accounting.statement_allocations.read",
+    "organisation.customers.read",
+    "organisation.projects.read",
+    "organisation.plants.read",
+    "organisation.events.read",
+    "organisation.tasks.read",
+    "organisation.tasks.write",
+]
+
+const defaultUnits = [
+    { name: "Stück", single: "Stück", multiple: "Stück", short: "Stk.", step: "1" },
+    { name: "Stunde", single: "Stunde", multiple: "Stunden", short: "Std.", step: "0.25" },
+    { name: "Pauschale", single: "Pauschale", multiple: "Pauschalen", short: "Psch.", step: "1" },
+    { name: "Meter", single: "Meter", multiple: "Meter", short: "m", step: "0.1" },
+]
+
+const defaultTaxTypes = [
+    { label: "Umsatzsteuer 19%", percentage: 19 },
+    { label: "Umsatzsteuer 7%", percentage: 7 },
+    { label: "Steuerfrei", percentage: 0 },
+]
+
+const defaultAccounts = [
+    { number: "8400", label: "Erlöse 19% USt", accountChart: "skr03" },
+    { number: "8300", label: "Erlöse 7% USt", accountChart: "skr03" },
+    { number: "1200", label: "Bank", accountChart: "skr03" },
+    { number: "1000", label: "Kasse", accountChart: "skr03" },
+    { number: "1400", label: "Forderungen aus Lieferungen und Leistungen", accountChart: "skr03" },
+    { number: "1600", label: "Verbindlichkeiten aus Lieferungen und Leistungen", accountChart: "skr03" },
+]
+
+async function ensureGlobalDefaults(server: FastifyInstance, userId: string) {
+    for (const unit of defaultUnits) {
+        const existing = await server.db.select({ id: units.id }).from(units).where(eq(units.name, unit.name)).limit(1)
+        if (!existing.length) await server.db.insert(units).values(unit)
+    }
+
+    for (const taxType of defaultTaxTypes) {
+        const existing = await server.db
+            .select({ id: taxTypes.id })
+            .from(taxTypes)
+            .where(eq(taxTypes.percentage, taxType.percentage))
+            .limit(1)
+
+        if (!existing.length) {
+            await server.db.insert(taxTypes).values({
+                ...taxType,
+                updatedAt: new Date(),
+                updatedBy: userId,
+            })
+        }
+    }
+
+    for (const account of defaultAccounts) {
+        const existing = await server.db
+            .select({ id: accounts.id })
+            .from(accounts)
+            .where(and(eq(accounts.accountChart, account.accountChart), eq(accounts.number, account.number)))
+            .limit(1)
+
+        if (!existing.length) {
+            await server.db.insert(accounts).values({
+                ...account,
+                description: "FEDEO Standardkonto",
+            })
+        }
+    }
+}
+
+async function ensureTenantFileDefaults(server: FastifyInstance, tenantId: number, userId: string) {
+    const currentYear = new Date().getFullYear()
+    const timestamp = new Date()
+
+    const tagDefaults = [
+        { name: "Rechnungen", color: "#16a34a", createdDocumentType: "invoices", isSystemUsed: true },
+        { name: "Angebote", color: "#2563eb", createdDocumentType: "quotes", isSystemUsed: true },
+        { name: "Auftragsbestätigungen", color: "#7c3aed", createdDocumentType: "confirmationOrders", isSystemUsed: true },
+        { name: "Lieferscheine", color: "#ea580c", createdDocumentType: "deliveryNotes", isSystemUsed: true },
+        { name: "Eingangsrechnungen", color: "#dc2626", incomingDocumentType: "invoices", isSystemUsed: true },
+        { name: "Mahnungen", color: "#b91c1c", incomingDocumentType: "reminders", isSystemUsed: true },
+    ]
+
+    for (const tag of tagDefaults) {
+        const existing = await server.db
+            .select({ id: filetags.id })
+            .from(filetags)
+            .where(and(eq(filetags.tenant, tenantId), eq(filetags.name, tag.name)))
+            .limit(1)
+
+        if (!existing.length) {
+            await server.db.insert(filetags).values({
+                tenant: tenantId,
+                ...tag,
+            })
+        }
+    }
+
+    const allTags = await server.db.select().from(filetags).where(eq(filetags.tenant, tenantId))
+    const tagByCreatedType = new Map(allTags.map((tag) => [tag.createdDocumentType, tag.id]))
+    const tagByIncomingType = new Map(allTags.map((tag) => [tag.incomingDocumentType, tag.id]))
+
+    const rootFolders = [
+        { name: "Ausgangsrechnungen", function: "yearSubCategory" as const, icon: "i-heroicons-document-text" },
+        { name: "Angebote", function: "yearSubCategory" as const, icon: "i-heroicons-document-duplicate" },
+        { name: "Auftragsbestätigungen", function: "yearSubCategory" as const, icon: "i-heroicons-clipboard-document-check" },
+        { name: "Lieferscheine", function: "yearSubCategory" as const, icon: "i-heroicons-truck" },
+        { name: "Eingangsrechnungen", function: "yearSubCategory" as const, icon: "i-heroicons-inbox-arrow-down" },
+        { name: "Belege Bankeinzahlung", function: "yearSubCategory" as const, icon: "i-heroicons-banknotes" },
+    ]
+
+    for (const folder of rootFolders) {
+        const existing = await server.db
+            .select({ id: folders.id })
+            .from(folders)
+            .where(and(eq(folders.tenant, tenantId), eq(folders.name, folder.name)))
+            .limit(1)
+
+        if (!existing.length) {
+            await server.db.insert(folders).values({
+                tenant: tenantId,
+                name: folder.name,
+                function: folder.function,
+                icon: folder.icon,
+                isSystemUsed: true,
+                updatedAt: timestamp,
+                updatedBy: userId,
+            })
+        }
+    }
+
+    const allFolders = await server.db.select().from(folders).where(eq(folders.tenant, tenantId))
+    const rootFolderByName = new Map(allFolders.filter((folder) => !folder.parent).map((folder) => [folder.name, folder.id]))
+
+    const yearFolders = [
+        {
+            parentName: "Ausgangsrechnungen",
+            function: "invoices" as const,
+            icon: "i-heroicons-document-text",
+            standardFiletype: tagByCreatedType.get("invoices"),
+        },
+        {
+            parentName: "Angebote",
+            function: "quotes" as const,
+            icon: "i-heroicons-document-duplicate",
+            standardFiletype: tagByCreatedType.get("quotes"),
+        },
+        {
+            parentName: "Auftragsbestätigungen",
+            function: "confirmationOrders" as const,
+            icon: "i-heroicons-clipboard-document-check",
+            standardFiletype: tagByCreatedType.get("confirmationOrders"),
+        },
+        {
+            parentName: "Lieferscheine",
+            function: "deliveryNotes" as const,
+            icon: "i-heroicons-truck",
+            standardFiletype: tagByCreatedType.get("deliveryNotes"),
+        },
+        {
+            parentName: "Eingangsrechnungen",
+            function: "incomingInvoices" as const,
+            icon: "i-heroicons-inbox-arrow-down",
+            standardFiletype: tagByIncomingType.get("invoices"),
+        },
+        {
+            parentName: "Belege Bankeinzahlung",
+            function: "deposit" as const,
+            icon: "i-heroicons-banknotes",
+        },
+    ]
+
+    for (const folder of yearFolders) {
+        const parent = rootFolderByName.get(folder.parentName)
+        if (!parent) continue
+
+        const existing = await server.db
+            .select({ id: folders.id })
+            .from(folders)
+            .where(and(eq(folders.tenant, tenantId), eq(folders.parent, parent), eq(folders.year, currentYear)))
+            .limit(1)
+
+        if (!existing.length) {
+            await server.db.insert(folders).values({
+                tenant: tenantId,
+                name: String(currentYear),
+                parent,
+                function: folder.function,
+                year: currentYear,
+                icon: folder.icon,
+                standardFiletype: folder.standardFiletype,
+                standardFiletypeIsOptional: false,
+                isSystemUsed: true,
+                updatedAt: timestamp,
+                updatedBy: userId,
+            })
+        }
+    }
+}
+
+export async function ensureTenantBaseData(server: FastifyInstance, tenantId: number, adminUserId: string) {
+    await ensureGlobalDefaults(server, adminUserId)
+    await ensureTenantFileDefaults(server, tenantId, adminUserId)
+
+    const [adminRole] = await server.db
+        .select({ id: authRoles.id })
+        .from(authRoles)
+        .where(and(eq(authRoles.tenant_id, tenantId), eq(authRoles.name, "Administrator")))
+        .limit(1)
+
+    let adminRoleId = adminRole?.id
+    if (!adminRoleId) {
+        const [createdRole] = await server.db
+            .insert(authRoles)
+            .values({
+                name: "Administrator",
+                description: "Vollzugriff für die Administration dieses Mandanten",
+                tenant_id: tenantId,
+                created_by: adminUserId,
+            })
+            .returning({ id: authRoles.id })
+
+        adminRoleId = createdRole.id
+    }
+
+    for (const permission of adminPermissions) {
+        const existing = await server.db
+            .select()
+            .from(authRolePermissions)
+            .where(and(eq(authRolePermissions.role_id, adminRoleId), eq(authRolePermissions.permission, permission)))
+            .limit(1)
+
+        if (!existing.length) {
+            await server.db.insert(authRolePermissions).values({
+                role_id: adminRoleId,
+                permission,
+            })
+        }
+    }
+
+    const membership = await server.db
+        .select()
+        .from(authTenantUsers)
+        .where(and(eq(authTenantUsers.tenant_id, tenantId), eq(authTenantUsers.user_id, adminUserId)))
+        .limit(1)
+
+    if (!membership.length) {
+        await server.db.insert(authTenantUsers).values({
+            tenant_id: tenantId,
+            user_id: adminUserId,
+            created_by: adminUserId,
+        })
+    }
+
+    const roleAssignment = await server.db
+        .select()
+        .from(authUserRoles)
+        .where(and(
+            eq(authUserRoles.tenant_id, tenantId),
+            eq(authUserRoles.user_id, adminUserId),
+            eq(authUserRoles.role_id, adminRoleId),
+        ))
+        .limit(1)
+
+    if (!roleAssignment.length) {
+        await server.db.insert(authUserRoles).values({
+            tenant_id: tenantId,
+            user_id: adminUserId,
+            role_id: adminRoleId,
+            created_by: adminUserId,
+        })
+    }
+
+    const profile = await server.db
+        .select()
+        .from(authProfiles)
+        .where(and(eq(authProfiles.tenant_id, tenantId), eq(authProfiles.user_id, adminUserId)))
+        .limit(1)
+
+    if (!profile.length) {
+        await server.db.insert(authProfiles).values({
+            tenant_id: tenantId,
+            user_id: adminUserId,
+            first_name: process.env.FEDEO_BOOTSTRAP_ADMIN_FIRST_NAME || "Admin",
+            last_name: process.env.FEDEO_BOOTSTRAP_ADMIN_LAST_NAME || "Benutzer",
+            email: process.env.FEDEO_BOOTSTRAP_ADMIN_EMAIL?.trim().toLowerCase(),
+            active: true,
+        })
+    }
+
+    const branch = await server.db
+        .select({ id: branches.id })
+        .from(branches)
+        .where(and(eq(branches.tenant, tenantId), eq(branches.name, "Hauptstandort")))
+        .limit(1)
+
+    let branchId = branch[0]?.id
+    if (!branchId) {
+        const [createdBranch] = await server.db.insert(branches).values({
+            tenant: tenantId,
+            name: "Hauptstandort",
+            number: "001",
+            description: "Standardstandort",
+            updatedAt: new Date(),
+            updatedBy: adminUserId,
+        }).returning({ id: branches.id })
+        branchId = createdBranch.id
+    }
+
+    const team = await server.db
+        .select({ id: teams.id })
+        .from(teams)
+        .where(and(eq(teams.tenant, tenantId), eq(teams.name, "Standardteam")))
+        .limit(1)
+
+    if (!team.length) {
+        await server.db.insert(teams).values({
+            tenant: tenantId,
+            name: "Standardteam",
+            description: "Automatisch angelegtes Standardteam",
+            branch: branchId,
+            updatedAt: new Date(),
+            updatedBy: adminUserId,
+        })
+    }
+
+    const defaultProductCategory = await server.db
+        .select({ id: productcategories.id })
+        .from(productcategories)
+        .where(and(eq(productcategories.tenant, tenantId), eq(productcategories.name, "Standard")))
+        .limit(1)
+
+    if (!defaultProductCategory.length) {
+        await server.db.insert(productcategories).values({
+            tenant: tenantId,
+            name: "Standard",
+            description: "Standardkategorie",
+            updatedAt: new Date(),
+            updatedBy: adminUserId,
+        })
+    }
+
+    const defaultServiceCategory = await server.db
+        .select({ id: servicecategories.id })
+        .from(servicecategories)
+        .where(and(eq(servicecategories.tenant, tenantId), eq(servicecategories.name, "Standard")))
+        .limit(1)
+
+    if (!defaultServiceCategory.length) {
+        await server.db.insert(servicecategories).values({
+            tenant: tenantId,
+            name: "Standard",
+            description: "Standardkategorie",
+            updated_at: new Date(),
+            updated_by: adminUserId,
+        })
+    }
+
+    const templateDefaults = [
+        { name: "Standard Einleitung", pos: "startText" as const, text: "<p>vielen Dank für Ihre Anfrage.</p>" },
+        { name: "Standard Schluss", pos: "endText" as const, text: "<p>Mit freundlichen Grüßen</p>" },
+    ]
+
+    for (const template of templateDefaults) {
+        const existing = await server.db
+            .select({ id: texttemplates.id })
+            .from(texttemplates)
+            .where(and(eq(texttemplates.tenant, tenantId), eq(texttemplates.name, template.name)))
+            .limit(1)
+
+        if (!existing.length) {
+            await server.db.insert(texttemplates).values({
+                tenant: tenantId,
+                name: template.name,
+                text: template.text,
+                pos: template.pos,
+                default: true,
+                updatedAt: new Date(),
+                updatedBy: adminUserId,
+            })
+        }
+    }
+}
+
+export async function runBootstrap(server: FastifyInstance) {
+    const email = process.env.FEDEO_BOOTSTRAP_ADMIN_EMAIL?.trim().toLowerCase()
+    const password = process.env.FEDEO_BOOTSTRAP_ADMIN_PASSWORD
+
+    if (!email && !password) return
+    if (!email || !password) {
+        throw new Error("FEDEO_BOOTSTRAP_ADMIN_EMAIL und FEDEO_BOOTSTRAP_ADMIN_PASSWORD müssen gemeinsam gesetzt sein")
+    }
+
+    const [existingUser] = await server.db
+        .select()
+        .from(authUsers)
+        .where(eq(authUsers.email, email))
+        .limit(1)
+
+    let adminUser = existingUser
+    if (!adminUser) {
+        const [createdUser] = await server.db.insert(authUsers).values({
+            email,
+            passwordHash: await bcrypt.hash(password, 10),
+            is_admin: true,
+            multiTenant: true,
+            must_change_password: false,
+            updatedAt: new Date(),
+        }).returning()
+
+        adminUser = createdUser
+        console.log(`✅ Bootstrap-Admin angelegt: ${email}`)
+    } else if (!adminUser.is_admin) {
+        const [updatedUser] = await server.db.update(authUsers).set({
+            is_admin: true,
+            updatedAt: new Date(),
+        }).where(eq(authUsers.id, adminUser.id)).returning()
+
+        adminUser = updatedUser
+        console.log(`✅ Bootstrap-Adminrechte gesetzt: ${email}`)
+    }
+
+    const tenantName = process.env.FEDEO_BOOTSTRAP_TENANT_NAME?.trim() || "FEDEO"
+    const tenantShort = process.env.FEDEO_BOOTSTRAP_TENANT_SHORT?.trim() || "FEDEO"
+
+    const [existingTenant] = await server.db
+        .select()
+        .from(tenants)
+        .where(eq(tenants.short, tenantShort))
+        .limit(1)
+
+    let tenant = existingTenant
+    if (!tenant) {
+        const [createdTenant] = await server.db.insert(tenants).values({
+            name: tenantName,
+            short: tenantShort,
+            updatedAt: new Date(),
+            updatedBy: adminUser.id,
+        }).returning()
+
+        tenant = createdTenant
+        console.log(`✅ Bootstrap-Mandant angelegt: ${tenant.name}`)
+    }
+
+    await ensureTenantBaseData(server, tenant.id, adminUser.id)
+    console.log("✅ Bootstrap-Grunddaten geprüft")
+
+    if (process.env.FEDEO_BOOTSTRAP_MATRIX === "true") {
+        try {
+            const matrix = matrixService(server)
+            await matrix.provisionTenantRoom(adminUser.id, tenant.id, {
+                key: "allgemein",
+                name: "Allgemeiner Chat",
+                type: "general",
+            })
+            console.log("✅ Bootstrap-Matrix-Kommunikation geprüft")
+        } catch (err) {
+            console.error("❌ Bootstrap-Matrix-Kommunikation fehlgeschlagen:", err)
+            throw err
+        }
+    }
+}

backend/src/modules/email/email.sync.service.ts

@@ -0,0 +1,864 @@
+import { FastifyInstance } from "fastify"
+import { and, asc, desc, eq } from "drizzle-orm"
+import { ImapFlow } from "imapflow"
+import { simpleParser } from "mailparser"
+
+import {
+    emailAttachments,
+    emailMailboxes,
+    emailMessageBodies,
+    emailMessages,
+    emailSyncState,
+    userCredentials,
+} from "../../../db/schema"
+import { decrypt } from "../../utils/crypt"
+
+type EmailAddress = {
+    name?: string | null
+    address?: string | null
+}
+
+type SyncOptions = {
+    mailbox?: string
+    limit?: number
+}
+
+type MailAccountConnection = {
+    id: string
+    tenantId: number
+    userId: string
+    email: string
+    password: string
+    imapHost: string
+    imapPort: number
+    imapSsl: boolean
+}
+
+const decryptValue = (value: unknown) => value ? decrypt(value as any) : ""
+
+const normalizeAddressList = (addresses: any): EmailAddress[] => {
+    const value = Array.isArray(addresses?.value) ? addresses.value : []
+    return value.map((item: any) => ({
+        name: item.name || null,
+        address: item.address || null,
+    }))
+}
+
+const previewText = (text?: string | false | null) => {
+    if (!text) return null
+    return text.replace(/\s+/g, " ").trim().slice(0, 240) || null
+}
+
+const attachmentFilename = (node: any) =>
+    node?.dispositionParameters?.filename
+    || node?.parameters?.name
+    || null
+
+const normalizeContentId = (value?: string | null) =>
+    value ? value.replace(/^<|>$/g, "") : null
+
+const collectAttachmentParts = (node: any, parts: any[] = []) => {
+    if (!node) return parts
+
+    if (node.part && !node.childNodes?.length) {
+        const filename = attachmentFilename(node)
+        const disposition = String(node.disposition || "").toLowerCase()
+
+        if (filename || node.id || ["attachment", "inline"].includes(disposition)) {
+            parts.push(node)
+        }
+    }
+
+    for (const child of node.childNodes || []) {
+        collectAttachmentParts(child, parts)
+    }
+
+    return parts
+}
+
+const findAttachmentPart = (bodyStructure: any, attachment: any) => {
+    const parts = collectAttachmentParts(bodyStructure)
+    if (!parts.length) return null
+
+    const scored = parts
+        .map((part) => {
+            let score = 0
+            if (attachmentFilename(part) && attachmentFilename(part) === attachment.filename) score += 4
+            if (part.type && part.type === attachment.contentType) score += 3
+            if (Number(part.size || 0) === Number(attachment.size || 0)) score += 2
+            if (
+                normalizeContentId(part.id)
+                && normalizeContentId(part.id) === normalizeContentId(attachment.contentId)
+            ) {
+                score += 3
+            }
+            return { part, score }
+        })
+        .sort((a, b) => b.score - a.score)
+
+    if (scored[0]?.score > 0) return scored[0].part
+    return parts.length === 1 ? parts[0] : null
+}
+
+const streamToBuffer = async (stream: any, timeoutMs = 45_000) => {
+    const chunks: Buffer[] = []
+    let timeout: NodeJS.Timeout | null = null
+
+    try {
+        await Promise.race([
+            (async () => {
+                for await (const chunk of stream) {
+                    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk))
+                }
+            })(),
+            new Promise((_, reject) => {
+                timeout = setTimeout(() => {
+                    if (typeof stream.destroy === "function") {
+                        stream.destroy()
+                    }
+                    reject(new Error("Anhang-Download hat zu lange gedauert"))
+                }, timeoutMs)
+            }),
+        ])
+    } finally {
+        if (timeout) clearTimeout(timeout)
+    }
+
+    return Buffer.concat(chunks)
+}
+
+const flagsFromMessage = (flags: Set<string> | string[] | undefined) => {
+    if (!flags) return []
+    return Array.isArray(flags) ? flags : Array.from(flags)
+}
+
+const mailboxDisplayName = (path: string) => {
+    const parts = path.split(/[/.]/).filter(Boolean)
+    return parts[parts.length - 1] || path
+}
+
+export function emailSyncService(server: FastifyInstance) {
+    const getAccount = async (
+        tenantId: number,
+        userId: string,
+        accountId: string,
+    ): Promise<MailAccountConnection | null> => {
+        const rows = await server.db
+            .select()
+            .from(userCredentials)
+            .where(and(
+                eq(userCredentials.id, accountId),
+                eq(userCredentials.tenantId, tenantId),
+                eq(userCredentials.userId, userId),
+                eq(userCredentials.type, "mail"),
+            ))
+            .limit(1)
+
+        const row = rows[0]
+        if (!row) return null
+
+        return {
+            id: row.id,
+            tenantId: row.tenantId,
+            userId: row.userId,
+            email: decryptValue(row.emailEncrypted),
+            password: decryptValue(row.passwordEncrypted),
+            imapHost: decryptValue(row.imapHostEncrypted),
+            imapPort: Number(row.imapPort || 993),
+            imapSsl: row.imapSsl !== false,
+        }
+    }
+
+    const createClient = (account: MailAccountConnection) => new ImapFlow({
+        host: account.imapHost,
+        port: account.imapPort,
+        secure: account.imapSsl,
+        auth: {
+            user: account.email,
+            pass: account.password,
+        },
+        logger: false,
+    })
+
+    const upsertMailbox = async (
+        account: MailAccountConnection,
+        mailbox: any,
+        status?: { exists?: number; unseen?: number },
+    ) => {
+        const path = mailbox.path || mailbox.name
+        const [saved] = await server.db
+            .insert(emailMailboxes)
+            .values({
+                tenantId: account.tenantId,
+                userId: account.userId,
+                accountId: account.id,
+                path,
+                delimiter: mailbox.delimiter || null,
+                name: mailbox.name || mailboxDisplayName(path),
+                specialUse: mailbox.specialUse || null,
+                flags: flagsFromMessage(mailbox.flags),
+                exists: status?.exists || 0,
+                unseen: status?.unseen || 0,
+                updatedAt: new Date(),
+            })
+            .onConflictDoUpdate({
+                target: [emailMailboxes.accountId, emailMailboxes.path],
+                set: {
+                    delimiter: mailbox.delimiter || null,
+                    name: mailbox.name || mailboxDisplayName(path),
+                    specialUse: mailbox.specialUse || null,
+                    flags: flagsFromMessage(mailbox.flags),
+                    exists: status?.exists || 0,
+                    unseen: status?.unseen || 0,
+                    updatedAt: new Date(),
+                },
+            })
+            .returning()
+
+        return saved
+    }
+
+    const syncMailboxes = async (account: MailAccountConnection, client: ImapFlow) => {
+        const savedMailboxes = []
+
+        for await (const mailbox of await client.list()) {
+            savedMailboxes.push(await upsertMailbox(account, mailbox))
+        }
+
+        return savedMailboxes
+    }
+
+    const loadSyncState = async (account: MailAccountConnection, mailbox: any) => {
+        const rows = await server.db
+            .select()
+            .from(emailSyncState)
+            .where(and(
+                eq(emailSyncState.accountId, account.id),
+                eq(emailSyncState.mailboxPath, mailbox.path),
+            ))
+            .limit(1)
+
+        return rows[0] || null
+    }
+
+    const saveSyncState = async (
+        account: MailAccountConnection,
+        mailbox: any,
+        highestUid: number,
+        uidValidity?: number | null,
+        syncError?: string | null,
+    ) => {
+        await server.db
+            .insert(emailSyncState)
+            .values({
+                tenantId: account.tenantId,
+                userId: account.userId,
+                accountId: account.id,
+                mailboxId: mailbox.id,
+                mailboxPath: mailbox.path,
+                uidValidity: uidValidity || null,
+                highestUid,
+                lastSyncedAt: new Date(),
+                syncError: syncError || null,
+                updatedAt: new Date(),
+            })
+            .onConflictDoUpdate({
+                target: [emailSyncState.accountId, emailSyncState.mailboxPath],
+                set: {
+                    mailboxId: mailbox.id,
+                    uidValidity: uidValidity || null,
+                    highestUid,
+                    lastSyncedAt: new Date(),
+                    syncError: syncError || null,
+                    updatedAt: new Date(),
+                },
+            })
+    }
+
+    const storeMessage = async (
+        account: MailAccountConnection,
+        mailbox: any,
+        message: any,
+    ) => {
+        if (!message.source) return null
+
+        const parsed = await simpleParser(message.source)
+        const flags = flagsFromMessage(message.flags)
+        const receivedAt = parsed.date || message.envelope?.date || new Date()
+        const threadId = parsed.inReplyTo || parsed.references?.[0] || parsed.messageId || message.emailId || null
+
+        const [saved] = await server.db
+            .insert(emailMessages)
+            .values({
+                tenantId: account.tenantId,
+                userId: account.userId,
+                accountId: account.id,
+                mailboxId: mailbox.id,
+                mailboxPath: mailbox.path,
+                uid: Number(message.uid),
+                emailId: message.emailId || null,
+                messageId: parsed.messageId || null,
+                inReplyTo: parsed.inReplyTo || null,
+                threadId,
+                subject: parsed.subject || "(kein Betreff)",
+                from: normalizeAddressList(parsed.from),
+                to: normalizeAddressList(parsed.to),
+                cc: normalizeAddressList(parsed.cc),
+                bcc: normalizeAddressList(parsed.bcc),
+                replyTo: normalizeAddressList(parsed.replyTo),
+                preview: previewText(parsed.text),
+                flags,
+                seen: flags.includes("\\Seen"),
+                flagged: flags.includes("\\Flagged"),
+                hasAttachments: Boolean(parsed.attachments?.length),
+                size: message.size || null,
+                sentAt: parsed.date || null,
+                receivedAt,
+                updatedAt: new Date(),
+            })
+            .onConflictDoUpdate({
+                target: [emailMessages.mailboxId, emailMessages.uid],
+                set: {
+                    emailId: message.emailId || null,
+                    messageId: parsed.messageId || null,
+                    inReplyTo: parsed.inReplyTo || null,
+                    threadId,
+                    subject: parsed.subject || "(kein Betreff)",
+                    from: normalizeAddressList(parsed.from),
+                    to: normalizeAddressList(parsed.to),
+                    cc: normalizeAddressList(parsed.cc),
+                    bcc: normalizeAddressList(parsed.bcc),
+                    replyTo: normalizeAddressList(parsed.replyTo),
+                    preview: previewText(parsed.text),
+                    flags,
+                    seen: flags.includes("\\Seen"),
+                    flagged: flags.includes("\\Flagged"),
+                    hasAttachments: Boolean(parsed.attachments?.length),
+                    size: message.size || null,
+                    sentAt: parsed.date || null,
+                    receivedAt,
+                    updatedAt: new Date(),
+                },
+            })
+            .returning()
+
+        await server.db
+            .insert(emailMessageBodies)
+            .values({
+                messageId: saved.id,
+                text: parsed.text || null,
+                html: parsed.html || null,
+                updatedAt: new Date(),
+            })
+            .onConflictDoUpdate({
+                target: emailMessageBodies.messageId,
+                set: {
+                    text: parsed.text || null,
+                    html: parsed.html || null,
+                    updatedAt: new Date(),
+                },
+            })
+
+        if (parsed.attachments?.length) {
+            for (const attachment of parsed.attachments) {
+                await server.db
+                    .insert(emailAttachments)
+                    .values({
+                        messageId: saved.id,
+                        filename: attachment.filename || null,
+                        contentType: attachment.contentType || null,
+                        contentId: attachment.contentId || null,
+                        disposition: attachment.contentDisposition || null,
+                        size: attachment.size || null,
+                        checksum: attachment.checksum || null,
+                    })
+                    .onConflictDoNothing()
+            }
+        }
+
+        return saved
+    }
+
+    const updateCachedMessageFlags = async (
+        mailboxId: string,
+        uid: number,
+        flags: string[],
+    ) => {
+        await server.db
+            .update(emailMessages)
+            .set({
+                flags,
+                seen: flags.includes("\\Seen"),
+                flagged: flags.includes("\\Flagged"),
+                updatedAt: new Date(),
+            })
+            .where(and(
+                eq(emailMessages.mailboxId, mailboxId),
+                eq(emailMessages.uid, uid),
+            ))
+    }
+
+    const syncMailboxMessages = async (
+        account: MailAccountConnection,
+        client: ImapFlow,
+        mailbox: any,
+        limit: number,
+    ) => {
+        const lock = await client.getMailboxLock(mailbox.path)
+        let highestUid = 0
+
+        try {
+            const opened: any = await client.mailboxOpen(mailbox.path)
+            await upsertMailbox(account, mailbox, {
+                exists: opened.exists || 0,
+                unseen: opened.unseen || 0,
+            })
+
+            const state = await loadSyncState(account, mailbox)
+            const searchResult = await client.search({ all: true }, { uid: true })
+            const allUids = Array.isArray(searchResult) ? searchResult : []
+            const newUids = allUids
+                .filter((uid: number) => !state?.highestUid || uid > state.highestUid)
+                .slice(-limit)
+            const flagSyncUids = allUids.slice(-limit)
+
+            highestUid = Math.max(state?.highestUid || 0, ...newUids, 0)
+
+            if (flagSyncUids.length) {
+                for await (const message of client.fetch(flagSyncUids, {
+                    uid: true,
+                    flags: true,
+                }, { uid: true })) {
+                    await updateCachedMessageFlags(
+                        mailbox.id,
+                        Number(message.uid),
+                        flagsFromMessage(message.flags),
+                    )
+                }
+            }
+
+            if (newUids.length) {
+                for await (const message of client.fetch(newUids, {
+                    uid: true,
+                    envelope: true,
+                    flags: true,
+                    source: true,
+                    size: true,
+                }, { uid: true })) {
+                    await storeMessage(account, mailbox, message)
+                }
+            }
+
+            await saveSyncState(account, mailbox, highestUid, Number(opened.uidValidity || 0))
+            return { path: mailbox.path, fetched: newUids.length, highestUid }
+        } catch (err: any) {
+            await saveSyncState(account, mailbox, highestUid, null, err.message || "Sync fehlgeschlagen")
+            throw err
+        } finally {
+            lock.release()
+        }
+    }
+
+    const syncAccount = async (
+        tenantId: number,
+        userId: string,
+        accountId: string,
+        options: SyncOptions = {},
+    ) => {
+        const account = await getAccount(tenantId, userId, accountId)
+        if (!account) {
+            throw new Error("E-Mail Konto nicht gefunden")
+        }
+
+        const client = createClient(account)
+        const limit = Math.min(Math.max(Number(options.limit || 50), 1), 200)
+
+        await client.connect()
+
+        try {
+            const mailboxes = await syncMailboxes(account, client)
+            const syncTargets = options.mailbox
+                ? mailboxes.filter((mailbox) => mailbox.path === options.mailbox)
+                : mailboxes.filter((mailbox) => mailbox.specialUse === "\\Inbox" || mailbox.path.toUpperCase() === "INBOX")
+
+            const synced = []
+            for (const mailbox of syncTargets.length ? syncTargets : mailboxes.slice(0, 1)) {
+                synced.push(await syncMailboxMessages(account, client, mailbox, limit))
+            }
+
+            return {
+                accountId,
+                mailboxes: mailboxes.length,
+                synced,
+            }
+        } finally {
+            await client.logout().catch(() => client.close())
+        }
+    }
+
+    const setMessageSeen = async (
+        tenantId: number,
+        userId: string,
+        messageId: string,
+        seen: boolean,
+    ) => {
+        const rows = await server.db
+            .select()
+            .from(emailMessages)
+            .where(and(
+                eq(emailMessages.tenantId, tenantId),
+                eq(emailMessages.userId, userId),
+                eq(emailMessages.id, messageId),
+            ))
+            .limit(1)
+
+        const message = rows[0]
+        if (!message) return null
+
+        const account = await getAccount(tenantId, userId, message.accountId)
+        if (!account) {
+            throw new Error("E-Mail Konto nicht gefunden")
+        }
+
+        const client = createClient(account)
+        await client.connect()
+
+        try {
+            const lock = await client.getMailboxLock(message.mailboxPath)
+            try {
+                await client.mailboxOpen(message.mailboxPath)
+                if (seen) {
+                    await client.messageFlagsAdd(message.uid, ["\\Seen"], { uid: true })
+                } else {
+                    await client.messageFlagsRemove(message.uid, ["\\Seen"], { uid: true })
+                }
+            } finally {
+                lock.release()
+            }
+        } finally {
+            await client.logout().catch(() => client.close())
+        }
+
+        const currentFlags = Array.isArray(message.flags) ? message.flags : []
+        const nextFlags = seen
+            ? Array.from(new Set([...currentFlags, "\\Seen"]))
+            : currentFlags.filter((flag) => flag !== "\\Seen")
+
+        const [updated] = await server.db
+            .update(emailMessages)
+            .set({
+                flags: nextFlags,
+                seen,
+                updatedAt: new Date(),
+            })
+            .where(eq(emailMessages.id, messageId))
+            .returning()
+
+        return updated
+    }
+
+    const loadMessageForAction = async (tenantId: number, userId: string, messageId: string) => {
+        const rows = await server.db
+            .select()
+            .from(emailMessages)
+            .where(and(
+                eq(emailMessages.tenantId, tenantId),
+                eq(emailMessages.userId, userId),
+                eq(emailMessages.id, messageId),
+            ))
+            .limit(1)
+
+        return rows[0] || null
+    }
+
+    const deleteCachedMessage = async (messageId: string) => {
+        await server.db
+            .delete(emailMessages)
+            .where(eq(emailMessages.id, messageId))
+    }
+
+    const moveMessage = async (
+        tenantId: number,
+        userId: string,
+        messageId: string,
+        destinationMailboxPath: string,
+    ) => {
+        const message = await loadMessageForAction(tenantId, userId, messageId)
+        if (!message) return null
+
+        if (message.mailboxPath === destinationMailboxPath) {
+            return message
+        }
+
+        const account = await getAccount(tenantId, userId, message.accountId)
+        if (!account) {
+            throw new Error("E-Mail Konto nicht gefunden")
+        }
+
+        const targetRows = await server.db
+            .select({ path: emailMailboxes.path })
+            .from(emailMailboxes)
+            .where(and(
+                eq(emailMailboxes.tenantId, tenantId),
+                eq(emailMailboxes.userId, userId),
+                eq(emailMailboxes.accountId, message.accountId),
+                eq(emailMailboxes.path, destinationMailboxPath),
+            ))
+            .limit(1)
+
+        if (!targetRows[0]) {
+            throw new Error("Zielordner nicht gefunden")
+        }
+
+        const client = createClient(account)
+        await client.connect()
+
+        try {
+            const lock = await client.getMailboxLock(message.mailboxPath)
+            try {
+                await client.mailboxOpen(message.mailboxPath)
+                await client.messageMove(message.uid, destinationMailboxPath, { uid: true })
+            } finally {
+                lock.release()
+            }
+        } finally {
+            await client.logout().catch(() => client.close())
+        }
+
+        await deleteCachedMessage(messageId)
+        return { success: true, destinationMailboxPath }
+    }
+
+    const archiveMessage = async (tenantId: number, userId: string, messageId: string) => {
+        const message = await loadMessageForAction(tenantId, userId, messageId)
+        if (!message) return null
+
+        const mailboxes = await server.db
+            .select()
+            .from(emailMailboxes)
+            .where(and(
+                eq(emailMailboxes.tenantId, tenantId),
+                eq(emailMailboxes.userId, userId),
+                eq(emailMailboxes.accountId, message.accountId),
+            ))
+
+        const archiveMailbox = mailboxes.find((mailbox) => mailbox.specialUse === "\\Archive")
+            || mailboxes.find((mailbox) => ["archive", "archiv"].includes(mailbox.name.toLowerCase()))
+            || mailboxes.find((mailbox) => ["archive", "archiv"].includes(mailbox.path.toLowerCase()))
+
+        if (!archiveMailbox) {
+            throw new Error("Kein Archivordner gefunden")
+        }
+
+        return await moveMessage(tenantId, userId, messageId, archiveMailbox.path)
+    }
+
+    const deleteMessage = async (tenantId: number, userId: string, messageId: string) => {
+        const message = await loadMessageForAction(tenantId, userId, messageId)
+        if (!message) return null
+
+        const account = await getAccount(tenantId, userId, message.accountId)
+        if (!account) {
+            throw new Error("E-Mail Konto nicht gefunden")
+        }
+
+        const client = createClient(account)
+        await client.connect()
+
+        try {
+            const lock = await client.getMailboxLock(message.mailboxPath)
+            try {
+                await client.mailboxOpen(message.mailboxPath)
+                await client.messageDelete(message.uid, { uid: true })
+            } finally {
+                lock.release()
+            }
+        } finally {
+            await client.logout().catch(() => client.close())
+        }
+
+        await deleteCachedMessage(messageId)
+        return { success: true }
+    }
+
+    const getAttachmentContent = async (
+        tenantId: number,
+        userId: string,
+        attachmentId: string,
+    ) => {
+        const rows = await server.db
+            .select({
+                attachment: emailAttachments,
+                message: emailMessages,
+            })
+            .from(emailAttachments)
+            .innerJoin(emailMessages, eq(emailMessages.id, emailAttachments.messageId))
+            .where(and(
+                eq(emailAttachments.id, attachmentId),
+                eq(emailMessages.tenantId, tenantId),
+                eq(emailMessages.userId, userId),
+            ))
+            .limit(1)
+
+        const row = rows[0]
+        if (!row) return null
+
+        const messageAttachments = await server.db
+            .select()
+            .from(emailAttachments)
+            .where(eq(emailAttachments.messageId, row.message.id))
+            .orderBy(asc(emailAttachments.createdAt), asc(emailAttachments.id))
+        const attachmentIndex = messageAttachments.findIndex((attachment) => attachment.id === attachmentId)
+
+        const account = await getAccount(tenantId, userId, row.message.accountId)
+        if (!account) {
+            throw new Error("E-Mail Konto nicht gefunden")
+        }
+
+        const client = createClient(account)
+        await client.connect()
+
+        try {
+            const lock = await client.getMailboxLock(row.message.mailboxPath)
+            try {
+                await client.mailboxOpen(row.message.mailboxPath)
+
+                const structureMessage = await client.fetchOne(String(row.message.uid), {
+                    uid: true,
+                    bodyStructure: true,
+                }, { uid: true })
+                const attachmentPart = structureMessage
+                    ? findAttachmentPart(structureMessage.bodyStructure, row.attachment)
+                    : null
+
+                if (attachmentPart?.part) {
+                    const downloaded = await client.download(String(row.message.uid), attachmentPart.part, { uid: true })
+                    const content = await streamToBuffer(downloaded.content)
+
+                    if (content.length) {
+                        return {
+                            filename: downloaded.meta?.filename
+                                || attachmentFilename(attachmentPart)
+                                || row.attachment.filename
+                                || "anhang",
+                            contentType: downloaded.meta?.contentType
+                                || attachmentPart.type
+                                || row.attachment.contentType
+                                || "application/octet-stream",
+                            content,
+                        }
+                    }
+                }
+
+                const fetched = await client.fetchOne(String(row.message.uid), {
+                    source: true,
+                }, { uid: true })
+                if (!fetched || !fetched.source) return null
+
+                const parsed = await simpleParser(fetched.source)
+                const matchedAttachment = parsed.attachments.find((item) =>
+                    (row.attachment.checksum && item.checksum === row.attachment.checksum)
+                    || (
+                        item.filename === row.attachment.filename
+                        && item.contentType === row.attachment.contentType
+                        && Number(item.size || 0) === Number(row.attachment.size || 0)
+                    )
+                )
+                const attachment = matchedAttachment
+                    || parsed.attachments[attachmentIndex]
+                    || (parsed.attachments.length === 1 ? parsed.attachments[0] : null)
+
+                if (!attachment) {
+                    return null
+                }
+
+                return {
+                    filename: attachment.filename || row.attachment.filename || "anhang",
+                    contentType: attachment.contentType || row.attachment.contentType || "application/octet-stream",
+                    content: Buffer.isBuffer(attachment.content)
+                        ? attachment.content
+                        : Buffer.from(attachment.content),
+                }
+            } finally {
+                lock.release()
+            }
+        } finally {
+            await client.logout().catch(() => client.close())
+        }
+
+        return null
+    }
+
+    const listMailboxes = async (tenantId: number, userId: string, accountId: string) => {
+        return await server.db
+            .select()
+            .from(emailMailboxes)
+            .where(and(
+                eq(emailMailboxes.tenantId, tenantId),
+                eq(emailMailboxes.userId, userId),
+                eq(emailMailboxes.accountId, accountId),
+            ))
+            .orderBy(emailMailboxes.specialUse, emailMailboxes.name)
+    }
+
+    const listMessages = async (
+        tenantId: number,
+        userId: string,
+        accountId: string,
+        mailboxPath = "INBOX",
+        limit = 50,
+    ) => {
+        return await server.db
+            .select()
+            .from(emailMessages)
+            .where(and(
+                eq(emailMessages.tenantId, tenantId),
+                eq(emailMessages.userId, userId),
+                eq(emailMessages.accountId, accountId),
+                eq(emailMessages.mailboxPath, mailboxPath),
+            ))
+            .orderBy(desc(emailMessages.receivedAt))
+            .limit(Math.min(Math.max(Number(limit), 1), 200))
+    }
+
+    const getMessage = async (tenantId: number, userId: string, messageId: string) => {
+        const rows = await server.db
+            .select({
+                message: emailMessages,
+                body: emailMessageBodies,
+            })
+            .from(emailMessages)
+            .leftJoin(emailMessageBodies, eq(emailMessageBodies.messageId, emailMessages.id))
+            .where(and(
+                eq(emailMessages.tenantId, tenantId),
+                eq(emailMessages.userId, userId),
+                eq(emailMessages.id, messageId),
+            ))
+            .limit(1)
+
+        if (!rows[0]) return null
+
+        const attachments = await server.db
+            .select()
+            .from(emailAttachments)
+            .where(eq(emailAttachments.messageId, messageId))
+
+        return {
+            ...rows[0].message,
+            body: rows[0].body,
+            attachments,
+        }
+    }
+
+    return {
+        syncAccount,
+        listMailboxes,
+        listMessages,
+        getMessage,
+        setMessageSeen,
+        moveMessage,
+        archiveMessage,
+        deleteMessage,
+        getAttachmentContent,
+    }
+}

backend/src/modules/matrix-push-worker.service.ts

@@ -0,0 +1,377 @@
+import { createHash } from "node:crypto"
+import type { FastifyInstance } from "fastify"
+import { and, desc, eq, inArray, isNotNull, ne } from "drizzle-orm"
+import { authProfiles, authTenantUsers, authUsers, communicationRooms, notificationsItems } from "../../db/schema"
+import { matrixService } from "./matrix.service"
+import { NotificationService, UserDirectory } from "./notification.service"
+
+type ChatRecipient = {
+    userId: string
+    email?: string | null
+    firstName?: string | null
+    lastName?: string | null
+    fullName?: string | null
+    matrixUserId?: string
+}
+
+type MatrixPushWorkerEvent = {
+    at: string
+    type: string
+    roomKey?: string
+    roomId?: string | null
+    messageId?: string
+    sender?: string
+    targets?: number
+    created?: number
+    delivered?: number
+    failed?: number
+    error?: string
+}
+
+const matrixPushWorkerState = {
+    enabled: false,
+    startedAt: null as string | null,
+    lastRunAt: null as string | null,
+    lastJoinAt: null as string | null,
+    lastJoinTotal: 0,
+    lastJoinJoined: 0,
+    lastJoinFailed: 0,
+    hasSyncToken: false,
+    lastSyncRooms: 0,
+    lastSyncMessages: 0,
+    lastMatchedRooms: 0,
+    lastNotificationsCreated: 0,
+    lastNotificationsDelivered: 0,
+    lastNotificationsFailed: 0,
+    lastError: null as string | null,
+    events: [] as MatrixPushWorkerEvent[],
+}
+
+const rememberWorkerEvent = (event: MatrixPushWorkerEvent) => {
+    matrixPushWorkerState.events = [
+        {
+            at: new Date().toISOString(),
+            ...event,
+        },
+        ...matrixPushWorkerState.events,
+    ].slice(0, 25)
+}
+
+export const getMatrixPushWorkerState = () => ({
+    ...matrixPushWorkerState,
+    events: [...matrixPushWorkerState.events],
+})
+
+const getUserDirectory: UserDirectory = async (server: FastifyInstance, userId) => {
+    const rows = await server.db
+        .select({ email: authUsers.email })
+        .from(authUsers)
+        .where(eq(authUsers.id, userId))
+        .limit(1)
+
+    return rows[0] || null
+}
+
+const displayUserName = (user: { fullName?: string | null; firstName?: string | null; lastName?: string | null; email?: string | null }) => {
+    const name = user.fullName || [user.firstName, user.lastName].filter(Boolean).join(" ")
+    return name || user.email || "Benutzer"
+}
+
+const directRoomKey = (firstUserId: string, secondUserId: string) => {
+    const hash = createHash("sha256")
+        .update([firstUserId, secondUserId].sort().join(":"))
+        .digest("hex")
+        .slice(0, 16)
+
+    return `direct_${hash}`
+}
+
+const mentionAliasesForUser = (user: ChatRecipient) => {
+    const name = displayUserName(user)
+    return Array.from(new Set([
+        name,
+        user.fullName,
+        [user.firstName, user.lastName].filter(Boolean).join(" "),
+        user.firstName,
+        user.email,
+    ].filter(Boolean).map((value) => String(value).toLowerCase())))
+}
+
+const mentionedRecipientIds = (text: string, recipients: ChatRecipient[]) => {
+    const normalizedText = text.toLowerCase()
+
+    return recipients
+        .filter((recipient) => mentionAliasesForUser(recipient).some((alias) =>
+            normalizedText.includes(`@${alias}`)
+        ))
+        .map((recipient) => recipient.userId)
+}
+
+export function startMatrixPushWorker(server: FastifyInstance) {
+    if (process.env.MATRIX_PUSH_WORKER_DISABLED === "1") {
+        server.log.info("Matrix-Push-Worker ist deaktiviert")
+        return
+    }
+
+    matrixPushWorkerState.enabled = true
+    matrixPushWorkerState.startedAt = new Date().toISOString()
+    rememberWorkerEvent({ at: new Date().toISOString(), type: "started" })
+
+    const matrix = matrixService(server)
+    const notifications = new NotificationService(server, getUserDirectory)
+    const intervalMs = Math.max(Number(process.env.MATRIX_PUSH_WORKER_INTERVAL_MS || 3000), 1000)
+    let since: string | undefined
+    let running = false
+    let stopped = false
+    let timer: ReturnType<typeof setTimeout> | undefined
+    let lastServiceJoinSyncAt = 0
+    let errorBackoffMs = 0
+
+    const getTenantRecipients = async (tenantId: number) => {
+        const rows = await server.db
+            .select({
+                userId: authTenantUsers.user_id,
+                email: authUsers.email,
+                firstName: authProfiles.first_name,
+                lastName: authProfiles.last_name,
+                fullName: authProfiles.full_name,
+            })
+            .from(authTenantUsers)
+            .innerJoin(authUsers, eq(authUsers.id, authTenantUsers.user_id))
+            .leftJoin(authProfiles, and(
+                eq(authProfiles.user_id, authTenantUsers.user_id),
+                eq(authProfiles.tenant_id, tenantId)
+            ))
+            .where(eq(authTenantUsers.tenant_id, tenantId))
+
+        return await Promise.all(rows.map(async (row) => ({
+            ...row,
+            matrixUserId: await matrix.matrixUserIdForUser(row.userId, tenantId),
+        })))
+    }
+
+    const hasChatNotificationForMessage = async (tenantId: number, userId: string, messageId: string) => {
+        const rows = await server.db
+            .select({
+                payload: notificationsItems.payload,
+            })
+            .from(notificationsItems)
+            .where(and(
+                eq(notificationsItems.tenantId, tenantId),
+                eq(notificationsItems.userId, userId),
+                eq(notificationsItems.eventType, "communication.message.new")
+            ))
+            .orderBy(desc(notificationsItems.createdAt))
+            .limit(200)
+
+        return rows.some((row) => (row.payload as any)?.messageId === messageId)
+    }
+
+    const recipientsForMessage = (
+        room: typeof communicationRooms.$inferSelect,
+        recipients: ChatRecipient[],
+        senderUserId: string | null,
+        text: string
+    ) => {
+        const candidates = senderUserId
+            ? recipients.filter((recipient) => recipient.userId !== senderUserId)
+            : recipients
+        const mentioned = new Set(mentionedRecipientIds(text, candidates))
+        const directRecipients = new Set<string>()
+
+        if (room.type === "direct" && room.entityUuid && room.entityUuid !== senderUserId) {
+            directRecipients.add(room.entityUuid)
+        } else if (room.type === "direct" && senderUserId) {
+            candidates
+                .filter((recipient) => directRoomKey(senderUserId, recipient.userId) === room.key)
+                .forEach((recipient) => directRecipients.add(recipient.userId))
+        }
+
+        return candidates
+            .filter((recipient) => directRecipients.has(recipient.userId) || mentioned.has(recipient.userId))
+            .map((recipient) => ({
+                ...recipient,
+                mentioned: mentioned.has(recipient.userId),
+                direct: directRecipients.has(recipient.userId),
+            }))
+    }
+
+    const deliverMessageNotification = async (
+        room: typeof communicationRooms.$inferSelect,
+        message: any,
+        recipients: ChatRecipient[]
+    ) => {
+        if (!message.id || message.own) return
+
+        const sender = recipients.find((recipient) => recipient.matrixUserId === message.sender) || null
+        const text = message.body || message.attachment?.fileName || "Neue Nachricht"
+        const targets = recipientsForMessage(room, recipients, sender?.userId || null, text)
+        rememberWorkerEvent({
+            at: new Date().toISOString(),
+            type: "message_seen",
+            roomKey: room.key,
+            roomId: room.matrixRoomId,
+            messageId: message.id,
+            sender: message.sender,
+            targets: targets.length,
+        })
+        if (!targets.length) return
+
+        const senderName = sender ? displayUserName(sender) : message.senderDisplayName || message.sender || "Matrix"
+        const preview = text.length > 160 ? `${text.slice(0, 157)}...` : text
+
+        for (const target of targets) {
+            if (await hasChatNotificationForMessage(room.tenantId, target.userId, message.id)) {
+                rememberWorkerEvent({
+                    at: new Date().toISOString(),
+                    type: "notification_skipped_duplicate",
+                    roomKey: room.key,
+                    roomId: room.matrixRoomId,
+                    messageId: message.id,
+                    sender: message.sender,
+                    targets: 1,
+                })
+                continue
+            }
+
+            const result = await notifications.trigger({
+                tenantId: room.tenantId,
+                userId: target.userId,
+                eventType: "communication.message.new",
+                title: target.mentioned ? `${senderName} hat dich erwähnt` : `Neue Direktnachricht von ${senderName}`,
+                message: preview,
+                payload: {
+                    link: `/communication/chat?room=${encodeURIComponent(room.key)}`,
+                    roomKey: room.key,
+                    roomName: room.name,
+                    roomType: room.type,
+                    messageId: message.id,
+                    matrixSender: message.sender,
+                    mentioned: target.mentioned,
+                    direct: target.direct,
+                },
+                channels: ["inapp", "push"],
+            })
+            matrixPushWorkerState.lastNotificationsCreated += result.created || 0
+            matrixPushWorkerState.lastNotificationsDelivered += result.delivered || 0
+            matrixPushWorkerState.lastNotificationsFailed += result.failed || 0
+            rememberWorkerEvent({
+                at: new Date().toISOString(),
+                type: "notification_triggered",
+                roomKey: room.key,
+                roomId: room.matrixRoomId,
+                messageId: message.id,
+                sender: message.sender,
+                targets: 1,
+                created: result.created || 0,
+                delivered: result.delivered || 0,
+                failed: result.failed || 0,
+            })
+        }
+    }
+
+    const runOnce = async () => {
+        if (running || stopped) return
+        running = true
+
+        try {
+            matrixPushWorkerState.lastRunAt = new Date().toISOString()
+            matrixPushWorkerState.lastError = null
+            matrixPushWorkerState.lastSyncRooms = 0
+            matrixPushWorkerState.lastSyncMessages = 0
+            matrixPushWorkerState.lastMatchedRooms = 0
+            matrixPushWorkerState.lastNotificationsCreated = 0
+            matrixPushWorkerState.lastNotificationsDelivered = 0
+            matrixPushWorkerState.lastNotificationsFailed = 0
+
+            if (!lastServiceJoinSyncAt || Date.now() - lastServiceJoinSyncAt > 60_000) {
+                const joinResult = await matrix.syncServiceJoinedTenantRooms()
+                lastServiceJoinSyncAt = Date.now()
+                matrixPushWorkerState.lastJoinAt = new Date().toISOString()
+                matrixPushWorkerState.lastJoinTotal = joinResult.total
+                matrixPushWorkerState.lastJoinJoined = joinResult.joined
+                matrixPushWorkerState.lastJoinFailed = joinResult.failed
+                rememberWorkerEvent({
+                    at: new Date().toISOString(),
+                    type: "service_join_sync",
+                    targets: joinResult.total,
+                    delivered: joinResult.joined,
+                    failed: joinResult.failed,
+                })
+                if (joinResult.failed) {
+                    console.warn("Matrix-Push-Worker: Service-User konnte nicht alle Räume joinen", {
+                        total: joinResult.total,
+                        joined: joinResult.joined,
+                        failed: joinResult.failed,
+                    })
+                }
+            }
+
+            const initial = !since
+            const sync = await matrix.syncServiceRoomEvents(since, initial)
+            since = sync.nextBatch || since
+            matrixPushWorkerState.hasSyncToken = Boolean(since)
+            matrixPushWorkerState.lastSyncRooms = sync.rooms?.length || 0
+            matrixPushWorkerState.lastSyncMessages = (sync.rooms || [])
+                .reduce((sum: number, room: any) => sum + (room.messages?.length || 0), 0)
+
+            if (!initial && sync.rooms?.length) {
+                const roomIds = sync.rooms.map((room: any) => room.roomId).filter(Boolean)
+                const rooms = roomIds.length
+                    ? await server.db
+                        .select()
+                        .from(communicationRooms)
+                        .where(and(
+                            inArray(communicationRooms.matrixRoomId, roomIds),
+                            ne(communicationRooms.archived, true),
+                            isNotNull(communicationRooms.matrixRoomId)
+                        ))
+                    : []
+                const roomsByMatrixId = new Map(rooms.map((room) => [room.matrixRoomId, room]))
+                matrixPushWorkerState.lastMatchedRooms = rooms.length
+                const recipientsByTenant = new Map<number, ChatRecipient[]>()
+
+                for (const syncedRoom of sync.rooms) {
+                    const room = roomsByMatrixId.get(syncedRoom.roomId)
+                    if (!room || !syncedRoom.messages?.length) continue
+
+                    if (!recipientsByTenant.has(room.tenantId)) {
+                        recipientsByTenant.set(room.tenantId, await getTenantRecipients(room.tenantId))
+                    }
+
+                    const recipients = recipientsByTenant.get(room.tenantId) || []
+                    for (const message of syncedRoom.messages) {
+                        await deliverMessageNotification(room, message, recipients)
+                    }
+                }
+            }
+            errorBackoffMs = 0
+        } catch (err) {
+            matrixPushWorkerState.lastError = err instanceof Error ? err.message : String(err)
+            const retryAfterMs = Number((err as any)?.retryAfterMs || (err as any)?.body?.retry_after_ms || 0)
+            errorBackoffMs = Math.min(
+                Math.max(retryAfterMs || (errorBackoffMs ? errorBackoffMs * 2 : 30_000), 30_000),
+                5 * 60_000
+            )
+            rememberWorkerEvent({
+                at: new Date().toISOString(),
+                type: "error",
+                error: matrixPushWorkerState.lastError,
+            })
+            console.error("Matrix-Push-Worker konnte Matrix-Events nicht verarbeiten", err)
+            server.log.error({ err }, "Matrix-Push-Worker konnte Matrix-Events nicht verarbeiten")
+        } finally {
+            running = false
+            if (!stopped) {
+                const nextDelay = errorBackoffMs || (since ? 0 : intervalMs)
+                timer = setTimeout(() => void runOnce(), nextDelay)
+            }
+        }
+    }
+
+    timer = setTimeout(() => void runOnce(), intervalMs)
+    server.addHook("onClose", async () => {
+        stopped = true
+        if (timer) clearTimeout(timer)
+    })
+}

backend/src/modules/notification.service.ts

@@ -1,25 +1,53 @@
-// services/notification.service.ts
-import type { FastifyInstance } from 'fastify';
-import {secrets} from "../utils/secrets";
-import { eq } from "drizzle-orm";
-import { notificationsEventTypes, notificationsItems } from "../../db/schema";
+import type { FastifyInstance } from "fastify"
+import webPush from "web-push"
+import { and, desc, eq, inArray, isNull, sql } from "drizzle-orm"
+import {
+    authUsers,
+    notificationMobilePushDevices,
+    notificationPushSubscriptions,
+    notificationsEventTypes,
+    notificationsItems,
+    notificationsPreferences,
+    notificationsPreferencesDefaults,
+} from "../../db/schema"
+import { secrets } from "../utils/secrets"
+import { pushServerClient } from "./push-server.client"
 
-export type NotificationStatus = 'queued' | 'sent' | 'failed';
+export type NotificationChannel = "inapp" | "email" | "push" | "webhook" | "sms"
+export type NotificationStatus = "queued" | "sent" | "failed" | "read"
 
 export interface TriggerInput {
-    tenantId: number;
-    userId: string;                 // muss auf public.auth_users.id zeigen
-    eventType: string;              // muss in notifications_event_types existieren
-    title: string;                  // Betreff/Title
-    message: string;                // Klartext-Inhalt
-    payload?: Record<string, unknown>;
+    tenantId: number
+    userId?: string
+    userIds?: string[]
+    eventType: string
+    title: string
+    message: string
+    payload?: Record<string, unknown>
+    channels?: NotificationChannel[]
+}
+
+export interface PushSubscriptionInput {
+    endpoint: string
+    keys: {
+        p256dh: string
+        auth: string
+    }
+    deviceLabel?: string
+    meta?: Record<string, unknown>
 }
 
 export interface UserDirectoryInfo {
-    email?: string;
+    email?: string
 }
 
-export type UserDirectory = (server: FastifyInstance, userId: string, tenantId: number) => Promise<UserDirectoryInfo | null>;
+export type UserDirectory = (
+    server: FastifyInstance,
+    userId: string,
+    tenantId: number
+) => Promise<UserDirectoryInfo | null>
+
+const DEFAULT_CHANNELS: NotificationChannel[] = ["inapp"]
 
 export class NotificationService {
     constructor(
@@ -27,99 +55,386 @@ export class NotificationService {
         private getUser: UserDirectory
     ) {}
 
-    /**
-     * Löst eine E-Mail-Benachrichtigung aus:
-     *  - Validiert den Event-Typ
-     *  - Legt einen Datensatz in notifications_items an (status: queued)
-     *  - Versendet E-Mail (FEDEO Branding)
-     *  - Aktualisiert status/sent_at bzw. error
-     */
     async trigger(input: TriggerInput) {
-        const { tenantId, userId, eventType, title, message, payload } = input;
+        const tenantId = input.tenantId
+        const userIds = Array.from(new Set([...(input.userIds || []), input.userId].filter(Boolean))) as string[]
 
-        // 1) Event-Typ prüfen (aktiv?)
-        const eventTypeRows = await this.server.db
+        if (!tenantId) throw new Error("tenantId fehlt")
+        if (!userIds.length) throw new Error("Keine Empfänger angegeben")
+
+        const eventType = await this.getActiveEventType(input.eventType)
+        const allowedChannels = this.normalizeChannels(eventType.allowedChannels)
+        const requestedChannels = input.channels?.length ? input.channels : allowedChannels
+        const channels = requestedChannels.filter((channel) => allowedChannels.includes(channel))
+
+        if (!channels.length) {
+            return { success: true, created: 0, delivered: 0, skipped: userIds.length }
+        }
+
+        const results = []
+
+        for (const userId of userIds) {
+            const enabledChannels = await this.resolveEnabledChannels({
+                tenantId,
+                userId,
+                eventType: input.eventType,
+                channels,
+            })
+
+            for (const channel of enabledChannels) {
+                const itemRows = await this.server.db
+                    .insert(notificationsItems)
+                    .values({
+                        tenantId,
+                        userId,
+                        eventType: input.eventType,
+                        title: input.title,
+                        message: input.message,
+                        payload: input.payload ?? null,
+                        channel,
+                        status: "queued",
+                    })
+                    .returning()
+
+                const item = itemRows[0]
+                if (!item) continue
+
+                results.push(await this.deliver(item))
+            }
+        }
+
+        return {
+            success: results.every((result) => result.success),
+            created: results.length,
+            delivered: results.filter((result) => result.success).length,
+            failed: results.filter((result) => !result.success).length,
+        }
+    }
+
+    async listForUser(tenantId: number, userId: string, limit = 50) {
+        return await this.server.db
+            .select()
+            .from(notificationsItems)
+            .where(and(
+                eq(notificationsItems.tenantId, tenantId),
+                eq(notificationsItems.userId, userId),
+                eq(notificationsItems.channel, "inapp")
+            ))
+            .orderBy(desc(notificationsItems.createdAt))
+            .limit(Math.min(Math.max(limit, 1), 100))
+    }
+
+    async markRead(tenantId: number, userId: string, notificationId: string) {
+        const rows = await this.server.db
+            .update(notificationsItems)
+            .set({ readAt: new Date(), status: "read" })
+            .where(and(
+                eq(notificationsItems.id, notificationId),
+                eq(notificationsItems.tenantId, tenantId),
+                eq(notificationsItems.userId, userId)
+            ))
+            .returning()
+
+        return rows[0] || null
+    }
+
+    async registerPushSubscription(
+        tenantId: number,
+        userId: string,
+        subscription: PushSubscriptionInput,
+        userAgent?: string
+    ) {
+        if (!subscription.endpoint || !subscription.keys?.p256dh || !subscription.keys?.auth) {
+            throw new Error("Push-Subscription ist unvollständig")
+        }
+
+        const rows = await this.server.db
+            .insert(notificationPushSubscriptions)
+            .values({
+                tenantId,
+                userId,
+                endpoint: subscription.endpoint,
+                p256dh: subscription.keys.p256dh,
+                auth: subscription.keys.auth,
+                userAgent,
+                deviceLabel: subscription.deviceLabel,
+                meta: subscription.meta ?? null,
+                lastSeenAt: new Date(),
+                disabledAt: null,
+            })
+            .onConflictDoUpdate({
+                target: notificationPushSubscriptions.endpoint,
+                set: {
+                    tenantId,
+                    userId,
+                    p256dh: subscription.keys.p256dh,
+                    auth: subscription.keys.auth,
+                    userAgent,
+                    deviceLabel: subscription.deviceLabel,
+                    meta: subscription.meta ?? null,
+                    lastSeenAt: new Date(),
+                    disabledAt: null,
+                },
+            })
+            .returning()
+
+        return rows[0]
+    }
+
+    async disablePushSubscription(tenantId: number, userId: string, endpoint: string) {
+        await this.server.db
+            .update(notificationPushSubscriptions)
+            .set({ disabledAt: new Date() })
+            .where(and(
+                eq(notificationPushSubscriptions.tenantId, tenantId),
+                eq(notificationPushSubscriptions.userId, userId),
+                eq(notificationPushSubscriptions.endpoint, endpoint)
+            ))
+
+        return { success: true }
+    }
+
+    getPublicPushConfig() {
+        return {
+            configured: Boolean(secrets.WEB_PUSH_PUBLIC_KEY && secrets.WEB_PUSH_PRIVATE_KEY),
+            publicKey: secrets.WEB_PUSH_PUBLIC_KEY || "",
+        }
+    }
+
+    private async getActiveEventType(eventType: string) {
+        const rows = await this.server.db
             .select()
             .from(notificationsEventTypes)
             .where(eq(notificationsEventTypes.eventKey, eventType))
             .limit(1)
-        const eventTypeRow = eventTypeRows[0]
 
-        if (!eventTypeRow || eventTypeRow.isActive !== true) {
-            throw new Error(`Unbekannter oder inaktiver Event-Typ: ${eventType}`);
+        const row = rows[0]
+        if (!row || row.isActive !== true) {
+            throw new Error(`Unbekannter oder inaktiver Event-Typ: ${eventType}`)
         }
 
-        // 2) Zieladresse beschaffen
-        const user = await this.getUser(this.server, userId, tenantId);
-        if (!user?.email) {
-            throw new Error(`Nutzer ${userId} hat keine E-Mail-Adresse`);
+        return row
+    }
+
+    private normalizeChannels(value: unknown): NotificationChannel[] {
+        if (!Array.isArray(value)) return DEFAULT_CHANNELS
+
+        const valid = new Set(["inapp", "email", "push", "webhook", "sms"])
+        const channels = value.filter((channel): channel is NotificationChannel =>
+            typeof channel === "string" && valid.has(channel)
+        )
+
+        return channels.length ? channels : DEFAULT_CHANNELS
+    }
+
+    private async resolveEnabledChannels(input: {
+        tenantId: number
+        userId: string
+        eventType: string
+        channels: NotificationChannel[]
+    }) {
+        const prefs = await this.server.db
+            .select()
+            .from(notificationsPreferences)
+            .where(and(
+                eq(notificationsPreferences.tenantId, input.tenantId),
+                eq(notificationsPreferences.userId, input.userId),
+                eq(notificationsPreferences.eventType, input.eventType),
+                inArray(notificationsPreferences.channel, input.channels)
+            ))
+
+        const defaults = await this.server.db
+            .select()
+            .from(notificationsPreferencesDefaults)
+            .where(and(
+                eq(notificationsPreferencesDefaults.tenantId, input.tenantId),
+                eq(notificationsPreferencesDefaults.eventKey, input.eventType),
+                inArray(notificationsPreferencesDefaults.channel, input.channels)
+            ))
+
+        return input.channels.filter((channel) => {
+            const userPref = prefs.find((pref) => pref.channel === channel)
+            if (userPref) return userPref.enabled
+
+            const defaultPref = defaults.find((pref) => pref.channel === channel)
+            if (defaultPref) return defaultPref.enabled
+
+            return true
+        })
+    }
+
+    private async deliver(item: typeof notificationsItems.$inferSelect) {
+        if (item.channel === "inapp") {
+            await this.markSent(item.id)
+            return { success: true, id: item.id, channel: item.channel }
         }
 
-        // 3) Notification anlegen (status: queued)
-        const insertedRows = await this.server.db
-            .insert(notificationsItems)
-            .values({
-                tenantId,
-                userId,
-                eventType,
-                title,
-                message,
-                payload: payload ?? null,
-                channel: 'email',
-                status: 'queued'
-            })
-            .returning({ id: notificationsItems.id })
-        const inserted = insertedRows[0]
-
-        if (!inserted) {
-            throw new Error("Fehler beim Einfügen der Notification");
+        if (item.channel === "push") {
+            return await this.deliverPush(item)
         }
 
-        // 4) E-Mail versenden
+        if (item.channel === "email") {
+            return await this.deliverEmail(item)
+        }
+
+        await this.markFailed(item.id, `Kein Zusteller für Kanal ${item.channel}`)
+        return { success: false, id: item.id, channel: item.channel }
+    }
+
+    private async deliverPush(item: typeof notificationsItems.$inferSelect) {
+        const subscriptions = secrets.WEB_PUSH_PUBLIC_KEY && secrets.WEB_PUSH_PRIVATE_KEY
+            ? await this.server.db
+            .select()
+            .from(notificationPushSubscriptions)
+            .where(and(
+                eq(notificationPushSubscriptions.tenantId, item.tenantId),
+                eq(notificationPushSubscriptions.userId, item.userId),
+                isNull(notificationPushSubscriptions.disabledAt)
+            ))
+            : []
+
+        const mobileDevices = await this.server.db
+            .select({ centralDeviceId: notificationMobilePushDevices.centralDeviceId })
+            .from(notificationMobilePushDevices)
+            .where(and(
+                eq(notificationMobilePushDevices.tenantId, item.tenantId),
+                eq(notificationMobilePushDevices.userId, item.userId),
+                isNull(notificationMobilePushDevices.disabledAt)
+            ))
+
+        if (!subscriptions.length && !mobileDevices.length) {
+            await this.markFailed(item.id, "Keine aktive Push-Subscription")
+            return { success: false, id: item.id, channel: item.channel }
+        }
+
+        const payload = JSON.stringify({
+            id: item.id,
+            title: item.title,
+            message: item.message,
+            payload: item.payload || {},
+        })
+
+        let delivered = 0
+        const errors: string[] = []
+
+        if (mobileDevices.length) {
+            try {
+                const result = await pushServerClient.sendPush({
+                    idempotencyKey: `notification:${item.id}`,
+                    devices: mobileDevices.map((device) => device.centralDeviceId),
+                    priority: "high",
+                    ttlSeconds: 3600,
+                    notification: {
+                        title: item.title,
+                        body: item.message,
+                    },
+                    data: {
+                        notificationId: item.id,
+                        ...(typeof item.payload === "object" && item.payload !== null ? item.payload as Record<string, unknown> : {}),
+                    },
+                })
+                delivered += result.accepted
+                if (result.rejected) errors.push(`${result.rejected} mobile Geräte vom Push-Server abgelehnt`)
+            } catch (error: any) {
+                errors.push(error?.message || String(error))
+            }
+        }
+
+        if (subscriptions.length) {
+            webPush.setVapidDetails(
+                secrets.WEB_PUSH_SUBJECT || "mailto:admin@example.com",
+                secrets.WEB_PUSH_PUBLIC_KEY!,
+                secrets.WEB_PUSH_PRIVATE_KEY!
+            )
+        }
+
+        for (const subscription of subscriptions) {
+            try {
+                await webPush.sendNotification({
+                    endpoint: subscription.endpoint,
+                    keys: {
+                        p256dh: subscription.p256dh,
+                        auth: subscription.auth,
+                    },
+                }, payload)
+
+                delivered++
+                await this.server.db
+                    .update(notificationPushSubscriptions)
+                    .set({ lastSeenAt: new Date() })
+                    .where(eq(notificationPushSubscriptions.id, subscription.id))
+            } catch (error: any) {
+                errors.push(error?.message || String(error))
+
+                if (error?.statusCode === 404 || error?.statusCode === 410) {
+                    await this.server.db
+                        .update(notificationPushSubscriptions)
+                        .set({ disabledAt: new Date() })
+                        .where(eq(notificationPushSubscriptions.id, subscription.id))
+                }
+            }
+        }
+
+        if (delivered > 0) {
+            await this.markSent(item.id)
+            return { success: true, id: item.id, channel: item.channel, delivered }
+        }
+
+        await this.markFailed(item.id, errors.join("; ") || "Push konnte nicht zugestellt werden")
+        return { success: false, id: item.id, channel: item.channel }
+    }
+
+    private async deliverEmail(item: typeof notificationsItems.$inferSelect) {
         try {
-            await this.sendEmail(user.email, title, message);
+            const user = await this.getUser(this.server, item.userId, item.tenantId)
+            if (!user?.email) throw new Error(`Nutzer ${item.userId} hat keine E-Mail-Adresse`)
 
-            await this.server.db
-                .update(notificationsItems)
-                .set({ status: 'sent', sentAt: new Date() })
-                .where(eq(notificationsItems.id, inserted.id));
-
-            return { success: true, id: inserted.id };
-        } catch (err: any) {
-            await this.server.db
-                .update(notificationsItems)
-                .set({ status: 'failed', error: String(err?.message || err) })
-                .where(eq(notificationsItems.id, inserted.id));
-
-            this.server.log.error({ err, notificationId: inserted.id }, 'E-Mail Versand fehlgeschlagen');
-            return { success: false, error: err?.message || 'E-Mail Versand fehlgeschlagen' };
+            await this.sendEmail(user.email, item.title, item.message)
+            await this.markSent(item.id)
+            return { success: true, id: item.id, channel: item.channel }
+        } catch (error: any) {
+            await this.markFailed(item.id, error?.message || "E-Mail Versand fehlgeschlagen")
+            this.server.log.error({ err: error, notificationId: item.id }, "E-Mail Versand fehlgeschlagen")
+            return { success: false, id: item.id, channel: item.channel }
         }
     }
 
-    // ---- private helpers ------------------------------------------------------
+    private async markSent(id: string) {
+        await this.server.db
+            .update(notificationsItems)
+            .set({ status: "sent", sentAt: new Date() })
+            .where(eq(notificationsItems.id, id))
+    }
+
+    private async markFailed(id: string, error: string) {
+        await this.server.db
+            .update(notificationsItems)
+            .set({ status: "failed", error })
+            .where(eq(notificationsItems.id, id))
+    }
 
     private async sendEmail(to: string, subject: string, message: string) {
-        const nodemailer = await import('nodemailer');
+        const nodemailer = await import("nodemailer")
 
         const transporter = nodemailer.createTransport({
             host: secrets.MAILER_SMTP_HOST,
             port: Number(secrets.MAILER_SMTP_PORT),
-            secure: secrets.MAILER_SMTP_SSL === 'true',
+            secure: secrets.MAILER_SMTP_SSL === "true",
             auth: {
                 user: secrets.MAILER_SMTP_USER,
-                pass: secrets.MAILER_SMTP_PASS
-            }
-        });
+                pass: secrets.MAILER_SMTP_PASS,
+            },
+        })
 
-        const html = this.renderFedeoHtml(subject, message);
+        const html = this.renderFedeoHtml(subject, message)
 
         await transporter.sendMail({
             from: secrets.MAILER_FROM,
             to,
             subject,
             text: message,
-            html
-        });
+            html,
+        })
     }
 
     private renderFedeoHtml(title: string, message: string) {
@@ -133,18 +448,17 @@ export class NotificationService {
           <p style="font-size:12px;color:#666">Automatisch generiert von FEDEO</p>
         </div>
       </body></html>
-    `;
+    `
     }
 
-    // simple escaping (ausreichend für unser Template)
     private escapeHtml(s: string) {
         return s
-            .replace(/&/g, '&amp;')
-            .replace(/</g, '&lt;')
-            .replace(/>/g, '&gt;');
+            .replace(/&/g, "&amp;")
+            .replace(/</g, "&lt;")
+            .replace(/>/g, "&gt;")
     }
 
     private nl2br(s: string) {
-        return s.replace(/\n/g, '<br/>');
+        return s.replace(/\n/g, "<br/>")
     }
 }

backend/src/modules/push-server.client.ts

@@ -0,0 +1,101 @@
+import { createHash, createHmac } from "node:crypto"
+
+import { secrets } from "../utils/secrets"
+
+type PushServerDevicePlatform = "web" | "ios" | "android"
+
+export type RegisterPushServerDeviceInput = {
+    localDeviceId: string
+    platform: PushServerDevicePlatform
+    providerToken?: string
+    subscription?: Record<string, unknown>
+    meta?: Record<string, unknown>
+}
+
+export type RegisterPushServerDeviceResult = {
+    centralDeviceId: string
+    status: string
+}
+
+export type SendPushServerMessageInput = {
+    idempotencyKey: string
+    devices: string[]
+    priority?: "normal" | "high"
+    ttlSeconds?: number
+    collapseKey?: string
+    notification?: {
+        title?: string
+        body?: string
+    }
+    data?: Record<string, unknown>
+}
+
+function configured() {
+    return Boolean(secrets.PUSH_SERVER_URL && secrets.PUSH_SERVER_INSTANCE_ID && secrets.PUSH_SERVER_SECRET)
+}
+
+function normalizeBaseUrl() {
+    return String(secrets.PUSH_SERVER_URL || "").replace(/\/+$/, "")
+}
+
+function bodyHash(body: string) {
+    return createHash("sha256").update(body).digest("hex")
+}
+
+function signature(method: string, path: string, timestamp: string, body: string) {
+    const canonical = [
+        method.toUpperCase(),
+        path,
+        timestamp,
+        bodyHash(body),
+        secrets.PUSH_SERVER_INSTANCE_ID,
+    ].join("\n")
+
+    return createHmac("sha256", secrets.PUSH_SERVER_SECRET).update(canonical).digest("hex")
+}
+
+async function requestPushServer<T>(method: "POST" | "DELETE", path: string, payload?: unknown): Promise<T> {
+    if (!configured()) {
+        throw new Error("Zentraler Push-Server ist nicht konfiguriert")
+    }
+
+    const body = payload === undefined ? "" : JSON.stringify(payload)
+    const timestamp = new Date().toISOString()
+    const response = await fetch(`${normalizeBaseUrl()}${path}`, {
+        method,
+        headers: {
+            Accept: "application/json",
+            "Content-Type": "application/json",
+            "X-Fedeo-Instance-Id": secrets.PUSH_SERVER_INSTANCE_ID,
+            "X-Fedeo-Timestamp": timestamp,
+            "X-Fedeo-Signature": signature(method, path, timestamp, body),
+        },
+        body: body || undefined,
+    })
+
+    const text = await response.text()
+    const data = text ? JSON.parse(text) : null
+
+    if (!response.ok) {
+        const message = data?.message || data?.error || `Push-Server Anfrage fehlgeschlagen (${response.status})`
+        throw new Error(message)
+    }
+
+    return data as T
+}
+
+export const pushServerClient = {
+    configured,
+
+    registerDevice(input: RegisterPushServerDeviceInput) {
+        return requestPushServer<RegisterPushServerDeviceResult>("POST", "/v1/devices", input)
+    },
+
+    sendPush(input: SendPushServerMessageInput) {
+        return requestPushServer<{ accepted: number; rejected: number; deliveryJobId: string }>("POST", "/v1/push", {
+            priority: "normal",
+            ttlSeconds: 3600,
+            ...input,
+        })
+    },
+}

backend/src/modules/serialexecution.service.ts

@@ -378,6 +378,7 @@ async function getSaveData(item: any, tenant: any, firstDate: string, lastDate:
         contract: item.contract,
         address: item.address,
         project: item.project,
+        costcentre: item.costcentre,
         documentDate: executionDate,
         deliveryDate: firstDate,
         deliveryDateEnd: lastDate,

backend/src/modules/system-status.service.ts

@@ -0,0 +1,174 @@
+import { FastifyInstance } from "fastify"
+import { matrixService } from "./matrix.service"
+
+type MetricSample = {
+    labels: Record<string, string>
+    value: number
+}
+
+const metricLinePattern = /^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{([^}]*)\})?\s+(-?(?:\d+(?:\.\d+)?|\.\d+)(?:e[+-]?\d+)?|-?Inf|NaN)$/i
+
+const nodeExporterUrl = () =>
+    (process.env.NODE_EXPORTER_URL || "http://node-exporter:9100").replace(/\/+$/, "")
+
+const s3EndpointUrl = () =>
+    (process.env.S3_ENDPOINT || "").replace(/\/+$/, "")
+
+const parseLabels = (value = "") => {
+    const labels: Record<string, string> = {}
+    const labelPattern = /(\w+)="((?:\\"|[^"])*)"/g
+    let match: RegExpExecArray | null
+
+    while ((match = labelPattern.exec(value))) {
+        labels[match[1]] = match[2].replace(/\\"/g, "\"")
+    }
+
+    return labels
+}
+
+const parsePrometheusMetrics = (text: string) => {
+    const metrics = new Map<string, MetricSample[]>()
+
+    for (const line of text.split("\n")) {
+        if (!line || line.startsWith("#")) continue
+
+        const match = line.match(metricLinePattern)
+        if (!match) continue
+
+        const value = Number(match[3])
+        if (!Number.isFinite(value)) continue
+
+        const samples = metrics.get(match[1]) || []
+        samples.push({
+            labels: parseLabels(match[2]),
+            value,
+        })
+        metrics.set(match[1], samples)
+    }
+
+    return metrics
+}
+
+const firstMetricValue = (metrics: Map<string, MetricSample[]>, name: string) =>
+    metrics.get(name)?.[0]?.value ?? null
+
+const findMetricValue = (
+    metrics: Map<string, MetricSample[]>,
+    name: string,
+    predicate: (sample: MetricSample) => boolean
+) => metrics.get(name)?.find(predicate)?.value ?? null
+
+const serviceState = (ok: boolean, detail?: Record<string, any>) => ({
+    ok,
+    status: ok ? "ok" : "error",
+    ...detail,
+})
+
+const checkHttp = async (url: string, timeoutMs = 3000) => {
+    const controller = new AbortController()
+    const timeout = setTimeout(() => controller.abort(), timeoutMs)
+
+    try {
+        const response = await fetch(url, { signal: controller.signal })
+        return serviceState(response.ok, {
+            httpStatus: response.status,
+            url,
+        })
+    } catch (err: any) {
+        return serviceState(false, {
+            url,
+            error: err?.message || "HTTP-Abfrage fehlgeschlagen",
+        })
+    } finally {
+        clearTimeout(timeout)
+    }
+}
+
+export const buildSystemStatus = async (server: FastifyInstance) => {
+    const checkedAt = new Date()
+    const nodeExporterMetricsUrl = `${nodeExporterUrl()}/metrics`
+    let nodeMetrics: Map<string, MetricSample[]> | null = null
+    let nodeExporterError: string | null = null
+
+    try {
+        const response = await fetch(nodeExporterMetricsUrl)
+        if (!response.ok) {
+            throw new Error(`Node Exporter antwortet mit ${response.status}`)
+        }
+        nodeMetrics = parsePrometheusMetrics(await response.text())
+    } catch (err: any) {
+        nodeExporterError = err?.message || "Node Exporter nicht erreichbar"
+    }
+
+    const memoryTotal = nodeMetrics ? firstMetricValue(nodeMetrics, "node_memory_MemTotal_bytes") : null
+    const memoryAvailable = nodeMetrics ? firstMetricValue(nodeMetrics, "node_memory_MemAvailable_bytes") : null
+    const rootSize = nodeMetrics
+        ? findMetricValue(nodeMetrics, "node_filesystem_size_bytes", (sample) => sample.labels.mountpoint === "/")
+        : null
+    const rootAvailable = nodeMetrics
+        ? findMetricValue(nodeMetrics, "node_filesystem_avail_bytes", (sample) => sample.labels.mountpoint === "/")
+        : null
+    const bootTime = nodeMetrics ? firstMetricValue(nodeMetrics, "node_boot_time_seconds") : null
+    const cpuCount = nodeMetrics
+        ? new Set((nodeMetrics.get("node_cpu_seconds_total") || [])
+            .filter((sample) => sample.labels.mode === "idle")
+            .map((sample) => sample.labels.cpu)).size
+        : null
+    const uname = nodeMetrics?.get("node_uname_info")?.[0]?.labels || null
+
+    const databaseCheck = await server.db.execute("SELECT NOW() as now")
+    const matrixStatus = await matrixService(server).getStatus().catch((err: any) => ({
+        reachable: false,
+        error: err?.message || "Matrix-Status nicht verfügbar",
+    }))
+    const minioUrl = s3EndpointUrl()
+
+    return {
+        checkedAt: checkedAt.toISOString(),
+        backend: {
+            status: "ok",
+            uptimeSeconds: Math.round(process.uptime()),
+            nodeVersion: process.version,
+            environment: process.env.NODE_ENV || "development",
+        },
+        server: {
+            status: nodeMetrics ? "ok" : "unavailable",
+            nodeExporterUrl: nodeExporterMetricsUrl,
+            error: nodeExporterError,
+            hostname: uname?.nodename || null,
+            kernel: uname?.release || null,
+            cpuCount,
+            load: {
+                one: nodeMetrics ? firstMetricValue(nodeMetrics, "node_load1") : null,
+                five: nodeMetrics ? firstMetricValue(nodeMetrics, "node_load5") : null,
+                fifteen: nodeMetrics ? firstMetricValue(nodeMetrics, "node_load15") : null,
+            },
+            memory: {
+                totalBytes: memoryTotal,
+                availableBytes: memoryAvailable,
+                usedBytes: memoryTotal !== null && memoryAvailable !== null ? memoryTotal - memoryAvailable : null,
+                usedPercent: memoryTotal ? Math.round(((memoryTotal - (memoryAvailable || 0)) / memoryTotal) * 1000) / 10 : null,
+            },
+            disk: {
+                rootTotalBytes: rootSize,
+                rootAvailableBytes: rootAvailable,
+                rootUsedBytes: rootSize !== null && rootAvailable !== null ? rootSize - rootAvailable : null,
+                rootUsedPercent: rootSize ? Math.round(((rootSize - (rootAvailable || 0)) / rootSize) * 1000) / 10 : null,
+            },
+            uptimeSeconds: bootTime ? Math.max(0, Math.round(Date.now() / 1000 - bootTime)) : null,
+        },
+        services: {
+            database: serviceState(true, {
+                checkedAt: String(databaseCheck.rows?.[0]?.now || checkedAt.toISOString()),
+            }),
+            nodeExporter: serviceState(Boolean(nodeMetrics), {
+                url: nodeExporterMetricsUrl,
+                error: nodeExporterError,
+            }),
+            matrix: serviceState(Boolean((matrixStatus as any).reachable), matrixStatus as Record<string, any>),
+            minio: minioUrl ? await checkHttp(`${minioUrl}/minio/health/live`) : serviceState(false, {
+                error: "S3_ENDPOINT ist nicht gesetzt",
+            }),
+        },
+    }
+}

backend/src/plugins/auth.ts

@@ -2,17 +2,81 @@ import { FastifyInstance } from "fastify"
 import fp from "fastify-plugin"
 import jwt from "jsonwebtoken"
 import { secrets } from "../utils/secrets"
+import { createHash } from "node:crypto"
 
 import {
     authUserRoles,
     authRolePermissions,
     authUsers,
+    m2mApiKeys,
 } from "../../db/schema"
 
-import { eq, and } from "drizzle-orm"
+import { eq, and, inArray } from "drizzle-orm"
 
 export default fp(async (server: FastifyInstance) => {
+    const hashApiKey = (apiKey: string) =>
+        createHash("sha256").update(apiKey, "utf8").digest("hex")
+
+    const isMcpRoute = (url: string) =>
+        url === "/mcp" ||
+        url.startsWith("/mcp/") ||
+        url === "/api/mcp" ||
+        url.startsWith("/api/mcp/")
+
+    const authenticateMcpApiKey = async (apiKey: string) => {
+        if (!apiKey.startsWith("fedeo_mcp_")) return false
+
+        const keyHash = hashApiKey(apiKey)
+
+        const rows = await server.db
+            .select({
+                id: m2mApiKeys.id,
+                tenantId: m2mApiKeys.tenantId,
+                userId: m2mApiKeys.userId,
+                active: m2mApiKeys.active,
+                expiresAt: m2mApiKeys.expiresAt,
+                userEmail: authUsers.email,
+                isAdmin: authUsers.is_admin,
+            })
+            .from(m2mApiKeys)
+            .innerJoin(authUsers, eq(authUsers.id, m2mApiKeys.userId))
+            .where(and(
+                eq(m2mApiKeys.keyHash, keyHash),
+                eq(m2mApiKeys.active, true)
+            ))
+            .limit(1)
+
+        const key = rows[0]
+        if (!key) return false
+        if (key.expiresAt && new Date(key.expiresAt).getTime() < Date.now()) return false
+
+        await server.db
+            .update(m2mApiKeys)
+            .set({ lastUsedAt: new Date(), updatedAt: new Date() })
+            .where(eq(m2mApiKeys.id, key.id))
+
+        return {
+            user_id: key.userId,
+            email: key.userEmail,
+            tenant_id: key.tenantId,
+            is_admin: Boolean(key.isAdmin),
+        }
+    }
+
     server.addHook("preHandler", async (req, reply) => {
+        if (req.method === "OPTIONS") {
+            return
+        }
+
+        const urlPath = req.url.split("?")[0]
+        const queryToken = (req.query as any)?.downloadToken
+        const downloadToken =
+            typeof queryToken === "string"
+            && urlPath.startsWith("/api/email/attachments/")
+            && urlPath.endsWith("/download")
+                ? queryToken
+                : null
+
         // 1️⃣ Token aus Header oder Cookie lesen
         const cookieToken = req.cookies?.token
         const authHeader = req.headers.authorization
@@ -23,18 +87,38 @@ export default fp(async (server: FastifyInstance) => {
         const token =
             headerToken && headerToken.length > 10
                 ? headerToken
-                : cookieToken || null
+                : cookieToken || downloadToken || null
 
         if (!token) {
             return reply.code(401).send({ error: "Authentication required" })
         }
 
         try {
-            // 2️⃣ JWT verifizieren
-            const payload = jwt.verify(token, secrets.JWT_SECRET!) as {
+            // 2️⃣ JWT verifizieren oder für MCP dauerhaften Token akzeptieren
+            let payload: {
                 user_id: string
                 email: string
                 tenant_id: number | null
+                is_admin?: boolean
+            }
+
+            try {
+                payload = jwt.verify(token, secrets.JWT_SECRET!) as {
+                    user_id: string
+                    email: string
+                    tenant_id: number | null
+                }
+            } catch (jwtError) {
+                const mcpPayload = isMcpRoute(req.url)
+                    ? await authenticateMcpApiKey(token)
+                    : false
+
+                if (!mcpPayload) {
+                    throw jwtError
+                }
+
+                payload = mcpPayload
+                ;(req as any).mcpTokenAuth = true
             }
 
             if (!payload?.user_id) {
@@ -44,15 +128,19 @@ export default fp(async (server: FastifyInstance) => {
             // Payload an Request hängen
             req.user = payload
 
-            const [currentUser] = await server.db
-                .select({
-                    is_admin: authUsers.is_admin,
-                })
-                .from(authUsers)
-                .where(eq(authUsers.id, payload.user_id))
-                .limit(1)
+            if (typeof payload.is_admin === "boolean") {
+                req.user.is_admin = payload.is_admin
+            } else {
+                const [currentUser] = await server.db
+                    .select({
+                        is_admin: authUsers.is_admin,
+                    })
+                    .from(authUsers)
+                    .where(eq(authUsers.id, payload.user_id))
+                    .limit(1)
 
-            req.user.is_admin = Boolean(currentUser?.is_admin)
+                req.user.is_admin = Boolean(currentUser?.is_admin)
+            }
 
             // Multi-Tenant Modus ohne ausgewählten Tenant → keine Rollenprüfung
             if (!req.user.tenant_id) {
@@ -63,10 +151,12 @@ export default fp(async (server: FastifyInstance) => {
             const userId = req.user.user_id
 
             // --------------------------------------------------------
-            // 3️⃣ Rolle des Nutzers im Tenant holen
+            // 3️⃣ Rollen des Nutzers im Tenant holen
             // --------------------------------------------------------
             const roleRows = await server.db
-                .select()
+                .select({
+                    role_id: authUserRoles.role_id,
+                })
                 .from(authUserRoles)
                 .where(
                     and(
@@ -74,7 +164,6 @@ export default fp(async (server: FastifyInstance) => {
                         eq(authUserRoles.tenant_id, tenantId)
                     )
                 )
-                .limit(1)
 
             if (roleRows.length === 0) {
                 if (req.user.is_admin) {
@@ -89,22 +178,22 @@ export default fp(async (server: FastifyInstance) => {
                     .send({ error: "No role assigned for this tenant" })
             }
 
-            const roleId = roleRows[0].role_id
+            const roleIds = Array.from(new Set(roleRows.map((role) => role.role_id)))
 
             // --------------------------------------------------------
-            // 4️⃣ Berechtigungen der Rolle laden
+            // 4️⃣ Berechtigungen der Rollen laden
             // --------------------------------------------------------
             const permissionRows = await server.db
                 .select()
                 .from(authRolePermissions)
-                .where(eq(authRolePermissions.role_id, roleId))
+                .where(inArray(authRolePermissions.role_id, roleIds))
 
-            const permissions = permissionRows.map((p) => p.permission)
+            const permissions = Array.from(new Set(permissionRows.map((p) => p.permission)))
 
             // --------------------------------------------------------
             // 5️⃣ An Request hängen für spätere Nutzung
             // --------------------------------------------------------
-            req.role = roleId
+            req.role = roleIds[0]
             req.permissions = permissions
             req.hasPermission = (perm: string) => permissions.includes(perm)
 

backend/src/routes/admin.ts

@@ -14,6 +14,11 @@ import {
 } from "../../db/schema";
 import { generateRandomPassword, hashPassword } from "../utils/password";
 import { sendMail } from "../utils/mailer";
+import { ensureTenantBaseData } from "../modules/bootstrap.service";
+import { buildTenantFullExport, importTenantFullExport } from "../utils/tenantFullExport";
+import type { TenantFullExport } from "../utils/tenantFullExport";
+import { buildSystemStatus } from "../modules/system-status.service";
+import { matrixService } from "../modules/matrix.service";
 
 export default async function adminRoutes(server: FastifyInstance) {
     const deriveNameFromEmail = (email: string) => {
@@ -42,36 +47,42 @@ export default async function adminRoutes(server: FastifyInstance) {
                     name: "Rechnungen",
                     color: "#16a34a",
                     createdDocumentType: "invoices",
+                    isSystemUsed: true,
                 },
                 {
                     tenant: tenantId,
                     name: "Angebote",
                     color: "#2563eb",
                     createdDocumentType: "quotes",
+                    isSystemUsed: true,
                 },
                 {
                     tenant: tenantId,
                     name: "Auftragsbestätigungen",
                     color: "#7c3aed",
                     createdDocumentType: "confirmationOrders",
+                    isSystemUsed: true,
                 },
                 {
                     tenant: tenantId,
                     name: "Lieferscheine",
                     color: "#ea580c",
                     createdDocumentType: "deliveryNotes",
+                    isSystemUsed: true,
                 },
                 {
                     tenant: tenantId,
                     name: "Eingangsrechnungen",
                     color: "#dc2626",
                     incomingDocumentType: "invoices",
+                    isSystemUsed: true,
                 },
                 {
                     tenant: tenantId,
                     name: "Mahnungen",
                     color: "#b91c1c",
                     incomingDocumentType: "reminders",
+                    isSystemUsed: true,
                 },
             ])
             .returning({
@@ -243,6 +254,7 @@ export default async function adminRoutes(server: FastifyInstance) {
         const [currentUser] = await server.db
             .select({
                 id: authUsers.id,
+                email: authUsers.email,
                 is_admin: authUsers.is_admin,
             })
             .from(authUsers)
@@ -383,6 +395,21 @@ export default async function adminRoutes(server: FastifyInstance) {
         }
     });
 
+    // -------------------------------------------------------------
+    // GET /admin/system-status
+    // -------------------------------------------------------------
+    server.get("/admin/system-status", async (req, reply) => {
+        try {
+            const currentUser = await requireAdmin(req, reply);
+            if (!currentUser) return;
+
+            return await buildSystemStatus(server);
+        } catch (err) {
+            console.error("ERROR /admin/system-status:", err);
+            return reply.code(500).send({ error: "Internal Server Error" });
+        }
+    });
+
     // -------------------------------------------------------------
     // POST /admin/users
     // -------------------------------------------------------------
@@ -825,6 +852,7 @@ export default async function adminRoutes(server: FastifyInstance) {
                 });
 
             await createTenantSeeds(createdTenant.id, currentUser.id);
+            await ensureTenantBaseData(server, createdTenant.id, currentUser.id);
 
             return { tenant: createdTenant };
         } catch (err) {
@@ -927,6 +955,115 @@ export default async function adminRoutes(server: FastifyInstance) {
         }
     });
 
+    // -------------------------------------------------------------
+    // GET /admin/tenants/:tenant_id/export
+    // -------------------------------------------------------------
+    server.get("/admin/tenants/:tenant_id/export", async (req, reply) => {
+        try {
+            const currentUser = await requireAdmin(req, reply);
+            if (!currentUser) return;
+
+            const { tenant_id } = req.params as { tenant_id: string };
+            const tenantId = Number(tenant_id);
+            if (!tenantId) {
+                return reply.code(400).send({ error: "tenant_id required" });
+            }
+
+            const exportData = await buildTenantFullExport(server, tenantId);
+            const safeTenantName = String(exportData.tables.tenants?.[0]?.short || exportData.tables.tenants?.[0]?.name || tenantId)
+                .replace(/[^a-z0-9_-]+/gi, "-")
+                .replace(/^-+|-+$/g, "")
+                .toLowerCase();
+            const filename = `fedeo-tenant-${safeTenantName || tenantId}-${new Date().toISOString().slice(0, 10)}.json`;
+
+            reply.header("Content-Type", "application/json");
+            reply.header("Content-Disposition", `attachment; filename="${filename}"`);
+            return reply.send(exportData);
+        } catch (err) {
+            console.error("ERROR /admin/tenants/:tenant_id/export:", err);
+            return reply.code(500).send({ error: "Internal Server Error" });
+        }
+    });
+
+    // -------------------------------------------------------------
+    // POST /admin/tenant-imports
+    // -------------------------------------------------------------
+    server.post("/admin/tenant-imports", { bodyLimit: 1024 * 1024 * 1024 }, async (req, reply) => {
+        try {
+            const currentUser = await requireAdmin(req, reply);
+            if (!currentUser) return;
+
+            const body = req.body as TenantFullExport | { exportData?: TenantFullExport; targetTenantId?: number };
+            const exportData = "format" in body ? body : body.exportData;
+            const targetTenantId = "format" in body ? null : Number(body.targetTenantId || 0) || null;
+
+            if (!exportData) {
+                return reply.code(400).send({ error: "exportData required" });
+            }
+
+            const result = await importTenantFullExport(server, exportData, { targetTenantId });
+            const fallbackName = deriveNameFromEmail(currentUser.email);
+
+            await server.db
+                .insert(authTenantUsers)
+                .values({
+                    tenant_id: result.tenantId,
+                    user_id: currentUser.id,
+                    created_by: currentUser.id,
+                })
+                .onConflictDoNothing();
+
+            const [existingAdminProfile] = await server.db
+                .select({ id: authProfiles.id })
+                .from(authProfiles)
+                .where(and(
+                    eq(authProfiles.tenant_id, result.tenantId),
+                    eq(authProfiles.user_id, currentUser.id)
+                ))
+                .limit(1);
+
+            if (!existingAdminProfile) {
+                await server.db
+                    .insert(authProfiles)
+                    .values({
+                        tenant_id: result.tenantId,
+                        user_id: currentUser.id,
+                        first_name: fallbackName.first_name,
+                        last_name: fallbackName.last_name,
+                        email: currentUser.email,
+                        active: true,
+                    });
+            }
+
+            let matrixProvisioned = false;
+            let matrixProvisioningError: string | null = null;
+            if (process.env.MATRIX_REGISTRATION_SHARED_SECRET) {
+                try {
+                    const matrix = matrixService(server);
+                    await matrix.provisionTenantRoom(currentUser.id, result.tenantId, {
+                        key: "allgemein",
+                        name: "Allgemeiner Chat",
+                        type: "general",
+                    });
+                    matrixProvisioned = true;
+                } catch (err: any) {
+                    matrixProvisioningError = err?.message || String(err);
+                    req.log.warn({ err }, "Matrix-Räume konnten nach Tenant-Import nicht neu provisioniert werden");
+                }
+            }
+
+            return {
+                success: true,
+                matrixProvisioned,
+                matrixProvisioningError,
+                ...result,
+            };
+        } catch (err: any) {
+            console.error("ERROR /admin/tenant-imports:", err);
+            return reply.code(500).send({ error: err?.message || "Internal Server Error" });
+        }
+    });
+
     // -------------------------------------------------------------
     // PUT /admin/users/:user_id/access
     // -------------------------------------------------------------

backend/src/routes/auth/me.ts

@@ -52,6 +52,7 @@ export default async function meRoutes(server: FastifyInstance) {
                     id: tenants.id,
                     name: tenants.name,
                     short: tenants.short,
+                    calendarConfig: tenants.calendarConfig,
                     hasActiveLicense: tenants.hasActiveLicense,
                     locked: tenants.locked,
                     features: tenants.features,

backend/src/routes/banking.ts

@@ -10,6 +10,7 @@ import { DE_BANK_CODE_TO_BIC } from "../utils/deBankBics"
 
 import {
     bankrequisitions,
+    bankaccounts,
     bankstatements,
     accounts,
     createddocuments,
@@ -26,10 +27,12 @@ import {
     and,
     isNull,
     aliasedTable,
+    desc,
 } from "drizzle-orm"
 
 
 export default async function bankingRoutes(server: FastifyInstance) {
+    const CASHBOOK_BANK_ID = "fedeo-cashbook"
     const ContraAccounts = aliasedTable(accounts, "contra_accounts")
     const ContraCustomers = aliasedTable(customers, "contra_customers")
     const ContraVendors = aliasedTable(vendors, "contra_vendors")
@@ -40,6 +43,24 @@ export default async function bankingRoutes(server: FastifyInstance) {
     const normalizeManualSide = (payload: any, keys: string[]) =>
         keys.filter((key) => payload[key] !== null && payload[key] !== undefined && payload[key] !== "")
 
+    const cashbookAccountFilter = (tenantId: number) => and(
+        eq(bankaccounts.tenant, tenantId),
+        eq(bankaccounts.bankId, CASHBOOK_BANK_ID),
+        eq(bankaccounts.archived, false)
+    )
+
+    const buildCashbookCounterPayload = (type: string, id: any) => {
+        const numericId = type === "ownaccount" ? id : Number(id)
+        if (!id || (type !== "ownaccount" && !Number.isFinite(numericId))) return null
+
+        if (type === "account") return { account: numericId }
+        if (type === "customer") return { customer: numericId }
+        if (type === "vendor") return { vendor: numericId }
+        if (type === "ownaccount") return { ownaccount: numericId }
+        if (type === "incominginvoice") return { incominginvoice: numericId }
+        return null
+    }
+
     const prepareStatementAllocationPayload = (payload: any) => {
         const next = { ...payload }
         const isManualBooking = !next.bankstatement
@@ -89,6 +110,276 @@ export default async function bankingRoutes(server: FastifyInstance) {
         return { data: next }
     }
 
+    server.get("/banking/cashbooks", async (req, reply) => {
+        try {
+            if (!req.user) return reply.code(401).send({ error: "Unauthorized" })
+
+            const rows = await server.db
+                .select()
+                .from(bankaccounts)
+                .where(cashbookAccountFilter(req.user.tenant_id))
+                .orderBy(bankaccounts.name)
+
+            return reply.send(rows)
+        } catch (err) {
+            server.log.error(err)
+            return reply.code(500).send({ error: "Failed to load cashbooks" })
+        }
+    })
+
+    server.post("/banking/cashbooks", async (req, reply) => {
+        try {
+            if (!req.user) return reply.code(401).send({ error: "Unauthorized" })
+
+            const body = req.body as {
+                name?: string
+                datevNumber?: string
+                openingBalance?: number
+            }
+
+            const name = String(body.name || "").trim()
+            const datevNumber = String(body.datevNumber || "").trim()
+            const openingBalance = Number(body.openingBalance || 0)
+
+            if (!name) return reply.code(400).send({ error: "Bitte eine Bezeichnung für die Kasse angeben." })
+            if (!datevNumber) return reply.code(400).send({ error: "Bitte eine Kontennummer für die Kasse angeben." })
+            if (!Number.isFinite(openingBalance)) return reply.code(400).send({ error: "Der Anfangsbestand ist ungültig." })
+
+            const uniquePart = `${req.user.tenant_id}-${Date.now()}`
+            const inserted = await server.db.insert(bankaccounts).values({
+                name,
+                iban: `CASH-${uniquePart}`,
+                tenant: req.user.tenant_id,
+                bankId: CASHBOOK_BANK_ID,
+                ownerName: name,
+                accountId: `cashbook-${uniquePart}`,
+                balance: openingBalance,
+                datevNumber,
+                updatedBy: req.user.user_id,
+            }).returning()
+
+            const createdRecord = inserted[0]
+            return reply.send(createdRecord)
+        } catch (err) {
+            server.log.error(err)
+            return reply.code(500).send({ error: "Failed to create cashbook" })
+        }
+    })
+
+    server.patch("/banking/cashbooks/:id/archive", async (req, reply) => {
+        try {
+            if (!req.user) return reply.code(401).send({ error: "Unauthorized" })
+
+            const { id } = req.params as { id: string }
+            const updated = await server.db.update(bankaccounts)
+                .set({
+                    archived: true,
+                    updatedAt: new Date(),
+                    updatedBy: req.user.user_id,
+                })
+                .where(and(
+                    eq(bankaccounts.id, Number(id)),
+                    eq(bankaccounts.tenant, req.user.tenant_id),
+                    eq(bankaccounts.bankId, CASHBOOK_BANK_ID)
+                ))
+                .returning()
+
+            if (!updated[0]) return reply.code(404).send({ error: "Cashbook not found" })
+            return reply.send(updated[0])
+        } catch (err) {
+            server.log.error(err)
+            return reply.code(500).send({ error: "Failed to archive cashbook" })
+        }
+    })
+
+    server.get("/banking/cashbooks/:id/bookings", async (req, reply) => {
+        try {
+            if (!req.user) return reply.code(401).send({ error: "Unauthorized" })
+
+            const { id } = req.params as { id: string }
+            const cashbookId = Number(id)
+            if (!Number.isFinite(cashbookId)) return reply.code(400).send({ error: "Ungültige Kasse." })
+
+            const rows = await server.db.select({
+                statement: bankstatements,
+                allocation: statementallocations,
+                account: accounts,
+                customer: customers,
+                vendor: vendors,
+                ownaccount: ownaccounts,
+                incominginvoice: ManualInvoices,
+                incominginvoiceVendor: ManualInvoiceVendors,
+            })
+                .from(bankstatements)
+                .leftJoin(statementallocations, eq(statementallocations.bankstatement, bankstatements.id))
+                .leftJoin(accounts, eq(statementallocations.account, accounts.id))
+                .leftJoin(customers, eq(statementallocations.customer, customers.id))
+                .leftJoin(vendors, eq(statementallocations.vendor, vendors.id))
+                .leftJoin(ownaccounts, eq(statementallocations.ownaccount, ownaccounts.id))
+                .leftJoin(ManualInvoices, eq(statementallocations.incominginvoice, ManualInvoices.id))
+                .leftJoin(ManualInvoiceVendors, eq(ManualInvoices.vendor, ManualInvoiceVendors.id))
+                .where(and(
+                    eq(bankstatements.tenant, req.user.tenant_id),
+                    eq(bankstatements.account, cashbookId),
+                    eq(bankstatements.archived, false)
+                ))
+                .orderBy(desc(bankstatements.date), desc(bankstatements.createdAt))
+
+            return reply.send(rows.map((row) => ({
+                ...row.statement,
+                allocation: row.allocation,
+                account: row.account,
+                customer: row.customer,
+                vendor: row.vendor,
+                ownaccount: row.ownaccount,
+                incominginvoice: row.incominginvoice ? {
+                    ...row.incominginvoice,
+                    vendor: row.incominginvoiceVendor,
+                } : null,
+            })))
+        } catch (err) {
+            server.log.error(err)
+            return reply.code(500).send({ error: "Failed to load cashbook bookings" })
+        }
+    })
+
+    server.post("/banking/cashbooks/:id/bookings", async (req, reply) => {
+        try {
+            if (!req.user) return reply.code(401).send({ error: "Unauthorized" })
+
+            const { id } = req.params as { id: string }
+            const cashbookId = Number(id)
+            const body = req.body as {
+                date?: string
+                amount?: number
+                direction?: "income" | "expense"
+                counterType?: string
+                counterId?: string | number
+                description?: string
+                datevTaxKey?: string | null
+            }
+
+            if (!Number.isFinite(cashbookId)) return reply.code(400).send({ error: "Ungültige Kasse." })
+            const bookingDate = body.date && dayjs(body.date).isValid() ? dayjs(body.date) : dayjs()
+            if (!Number.isFinite(Number(body.amount)) || Number(body.amount) <= 0) return reply.code(400).send({ error: "Der Betrag muss größer als 0 sein." })
+            if (body.direction !== "income" && body.direction !== "expense") return reply.code(400).send({ error: "Bitte Einnahme oder Ausgabe auswählen." })
+
+            const cashbook = await server.db.select().from(bankaccounts).where(and(
+                eq(bankaccounts.id, cashbookId),
+                eq(bankaccounts.tenant, req.user.tenant_id),
+                eq(bankaccounts.bankId, CASHBOOK_BANK_ID),
+                eq(bankaccounts.archived, false)
+            )).limit(1)
+
+            if (!cashbook[0]) return reply.code(404).send({ error: "Kasse nicht gefunden." })
+
+            const hasCounterInput = Boolean(body.counterType || body.counterId)
+            const counterPayload = hasCounterInput
+                ? buildCashbookCounterPayload(String(body.counterType || ""), body.counterId)
+                : null
+            if (hasCounterInput && !counterPayload) return reply.code(400).send({ error: "Bitte ein gültiges Gegenkonto auswählen." })
+
+            const signedAmount = body.direction === "income"
+                ? Math.abs(Number(body.amount))
+                : -Math.abs(Number(body.amount))
+            const description = String(body.description || "").trim() || (body.direction === "income" ? "Bareinnahme" : "Barausgabe")
+
+            const created = await server.db.transaction(async (tx) => {
+                const insertedStatements = await tx.insert(bankstatements).values({
+                    account: cashbookId,
+                    date: bookingDate.format("YYYY-MM-DD"),
+                    valueDate: bookingDate.format("YYYY-MM-DD"),
+                    amount: signedAmount,
+                    tenant: req.user.tenant_id,
+                    text: description,
+                    currency: "EUR",
+                    credName: body.direction === "income" ? cashbook[0].name : description,
+                    debName: body.direction === "expense" ? cashbook[0].name : description,
+                    updatedBy: req.user.user_id,
+                }).returning()
+
+                const statement = insertedStatements[0]
+                const insertedAllocations = counterPayload
+                    ? await tx.insert(statementallocations).values({
+                        bankstatement: statement.id,
+                        amount: signedAmount,
+                        tenant: req.user.tenant_id,
+                        description,
+                        datevTaxKey: body.datevTaxKey ? String(body.datevTaxKey).trim() : null,
+                        ...counterPayload,
+                    }).returning()
+                    : []
+
+                return {
+                    statement,
+                    allocation: insertedAllocations[0] || null,
+                }
+            })
+
+            await insertHistoryItem(server, {
+                entity: "bankstatements",
+                entityId: Number(created.statement.id),
+                action: "created",
+                created_by: req.user.user_id,
+                tenant_id: req.user.tenant_id,
+                oldVal: null,
+                newVal: created,
+                text: "Kassenbuchung erstellt",
+            })
+
+            return reply.send(created)
+        } catch (err) {
+            server.log.error(err)
+            return reply.code(500).send({ error: "Failed to create cashbook booking" })
+        }
+    })
+
+    server.delete("/banking/cashbook-bookings/:id", async (req, reply) => {
+        try {
+            if (!req.user) return reply.code(401).send({ error: "Unauthorized" })
+
+            const { id } = req.params as { id: string }
+            const statementId = Number(id)
+            if (!Number.isFinite(statementId)) return reply.code(400).send({ error: "Ungültige Buchung." })
+
+            const records = await server.db.select({
+                statement: bankstatements,
+                cashbook: bankaccounts,
+            })
+                .from(bankstatements)
+                .innerJoin(bankaccounts, eq(bankstatements.account, bankaccounts.id))
+                .where(and(
+                    eq(bankstatements.id, statementId),
+                    eq(bankstatements.tenant, req.user.tenant_id),
+                    eq(bankaccounts.bankId, CASHBOOK_BANK_ID)
+                ))
+                .limit(1)
+
+            if (!records[0]) return reply.code(404).send({ error: "Kassenbuchung nicht gefunden." })
+
+            await server.db.transaction(async (tx) => {
+                await tx.delete(statementallocations).where(eq(statementallocations.bankstatement, statementId))
+                await tx.delete(bankstatements).where(eq(bankstatements.id, statementId))
+            })
+
+            await insertHistoryItem(server, {
+                entity: "bankstatements",
+                entityId: statementId,
+                action: "deleted",
+                created_by: req.user.user_id,
+                tenant_id: req.user.tenant_id,
+                oldVal: records[0].statement,
+                newVal: null,
+                text: "Kassenbuchung gelöscht",
+            })
+
+            return reply.send({ success: true })
+        } catch (err) {
+            server.log.error(err)
+            return reply.code(500).send({ error: "Failed to delete cashbook booking" })
+        }
+    })
+
     const normalizeIban = (value?: string | null) =>
         String(value || "").replace(/\s+/g, "").toUpperCase()
 
@@ -402,7 +693,7 @@ export default async function bankingRoutes(server: FastifyInstance) {
 
                     if (matchesBankAccountId && matchesIban) {
                         score = 100
-                        reason = "IBAN und hinterlegte Bankverbindung stimmen ueberein"
+                        reason = "IBAN und hinterlegte Bankverbindung stimmen überein"
                     } else if (matchesBankAccountId) {
                         score = 95
                         reason = "Hinterlegte Bankverbindung passt zur IBAN"
@@ -414,7 +705,7 @@ export default async function bankingRoutes(server: FastifyInstance) {
                         reason = "Name passt exakt zur Buchung"
                     } else if (partialNameMatch) {
                         score = 45
-                        reason = "Name aehnelt der Buchung"
+                        reason = "Name ähnelt der Buchung"
                     }
 
                     if (!score) continue
@@ -458,7 +749,7 @@ export default async function bankingRoutes(server: FastifyInstance) {
 
                     if (matchesBankAccountId && matchesIban) {
                         score = 100
-                        reason = "IBAN und hinterlegte Bankverbindung stimmen ueberein"
+                        reason = "IBAN und hinterlegte Bankverbindung stimmen überein"
                     } else if (matchesBankAccountId) {
                         score = 95
                         reason = "Hinterlegte Bankverbindung passt zur IBAN"
@@ -470,7 +761,7 @@ export default async function bankingRoutes(server: FastifyInstance) {
                         reason = "Name passt exakt zur Buchung"
                     } else if (partialNameMatch) {
                         score = 45
-                        reason = "Name aehnelt der Buchung"
+                        reason = "Name ähnelt der Buchung"
                     }
 
                     if (!score) continue

backend/src/routes/emailAsUser.ts

@@ -1,17 +1,72 @@
 import nodemailer from "nodemailer"
 import { FastifyInstance } from "fastify"
-import { eq } from "drizzle-orm"
+import { and, eq } from "drizzle-orm"
 
-import { sendMailAsUser } from "../utils/emailengine"
 import { encrypt, decrypt } from "../utils/crypt"
 import { userCredentials } from "../../db/schema"
-// Pfad ggf. anpassen
+import { emailSyncService } from "../modules/email/email.sync.service"
 
 // @ts-ignore
 import MailComposer from "nodemailer/lib/mail-composer/index.js"
 import { ImapFlow } from "imapflow"
 
 export default async function emailAsUserRoutes(server: FastifyInstance) {
+    const emailSync = emailSyncService(server)
+
+    const encryptedValue = (value: unknown) => value ? decrypt(value as any) : null
+
+    const accountResponse = (row: any) => ({
+        id: row.id,
+        createdAt: row.createdAt,
+        updatedAt: row.updatedAt,
+        userId: row.userId,
+        tenantId: row.tenantId,
+        type: row.type,
+        email: encryptedValue(row.emailEncrypted),
+        smtpHost: encryptedValue(row.smtpHostEncrypted),
+        smtpPort: row.smtpPort ? Number(row.smtpPort) : null,
+        smtpSsl: row.smtpSsl,
+        imapHost: encryptedValue(row.imapHostEncrypted),
+        imapPort: row.imapPort ? Number(row.imapPort) : null,
+        imapSsl: row.imapSsl,
+        hasPassword: Boolean(row.passwordEncrypted),
+    })
+
+    const accountCredentials = (row: any) => ({
+        ...accountResponse(row),
+        password: encryptedValue(row.passwordEncrypted),
+    })
+
+    const bodyValue = (body: any, camelKey: string, snakeKey: string) => body[camelKey] ?? body[snakeKey]
+
+    const applyDownloadCorsHeaders = (req: any, reply: any) => {
+        const origin = req.headers.origin
+        if (
+            origin
+            && (
+                /^http:\/\/(localhost|127\.0\.0\.1):\d+$/.test(origin)
+                || origin === "https://beta.fedeo.de"
+                || origin === "https://app.fedeo.de"
+                || origin === "capacitor://localhost"
+            )
+        ) {
+            reply.header("Access-Control-Allow-Origin", origin)
+            reply.header("Access-Control-Allow-Credentials", "true")
+            reply.header("Vary", "Origin")
+        }
+
+        reply.header("Access-Control-Expose-Headers", "Authorization, Content-Disposition, Content-Type, Content-Length")
+    }
+
+    const accountWhere = (tenantId: number, userId: string, id?: string) => {
+        const conditions = [
+            eq(userCredentials.tenantId, tenantId),
+            eq(userCredentials.userId, userId),
+            eq(userCredentials.type, "mail"),
+        ]
+        if (id) conditions.push(eq(userCredentials.id, id))
+        return and(...conditions)
+    }
 
 
     // ======================================================================
@@ -28,34 +83,49 @@ export default async function emailAsUserRoutes(server: FastifyInstance) {
             const body = req.body as {
                 email: string
                 password: string
-                smtp_host: string
-                smtp_port: number
-                smtp_ssl: boolean
-                imap_host: string
-                imap_port: number
-                imap_ssl: boolean
+                smtpHost?: string
+                smtpPort?: number
+                smtpSsl?: boolean
+                imapHost?: string
+                imapPort?: number
+                imapSsl?: boolean
+                smtp_host?: string
+                smtp_port?: number
+                smtp_ssl?: boolean
+                imap_host?: string
+                imap_port?: number
+                imap_ssl?: boolean
             }
 
             // -----------------------------
             // UPDATE EXISTING
             // -----------------------------
             if (id) {
+                const rows = await server.db
+                    .select({ id: userCredentials.id })
+                    .from(userCredentials)
+                    .where(accountWhere(req.user.tenant_id, req.user.user_id, id))
+                    .limit(1)
+
+                if (!rows[0]) return reply.code(404).send({ error: "Account not found" })
+
                 const saveData = {
                     emailEncrypted: body.email ? encrypt(body.email) : undefined,
                     passwordEncrypted: body.password ? encrypt(body.password) : undefined,
-                    smtpHostEncrypted: body.smtp_host ? encrypt(body.smtp_host) : undefined,
-                    smtpPort: body.smtp_port,
-                    smtpSsl: body.smtp_ssl,
-                    imapHostEncrypted: body.imap_host ? encrypt(body.imap_host) : undefined,
-                    imapPort: body.imap_port,
-                    imapSsl: body.imap_ssl,
+                    smtpHostEncrypted: bodyValue(body, "smtpHost", "smtp_host") ? encrypt(bodyValue(body, "smtpHost", "smtp_host")) : undefined,
+                    smtpPort: bodyValue(body, "smtpPort", "smtp_port"),
+                    smtpSsl: bodyValue(body, "smtpSsl", "smtp_ssl"),
+                    imapHostEncrypted: bodyValue(body, "imapHost", "imap_host") ? encrypt(bodyValue(body, "imapHost", "imap_host")) : undefined,
+                    imapPort: bodyValue(body, "imapPort", "imap_port"),
+                    imapSsl: bodyValue(body, "imapSsl", "imap_ssl"),
+                    updatedAt: new Date(),
                 }
 
                 await server.db
                     .update(userCredentials)
                     //@ts-ignore
                     .set(saveData)
-                    .where(eq(userCredentials.id, id))
+                    .where(accountWhere(req.user.tenant_id, req.user.user_id, id))
 
                 return reply.send({ success: true })
             }
@@ -71,13 +141,13 @@ export default async function emailAsUserRoutes(server: FastifyInstance) {
                 emailEncrypted: encrypt(body.email),
                 passwordEncrypted: encrypt(body.password),
 
-                smtpHostEncrypted: encrypt(body.smtp_host),
-                smtpPort: body.smtp_port,
-                smtpSsl: body.smtp_ssl,
+                smtpHostEncrypted: encrypt(bodyValue(body, "smtpHost", "smtp_host")),
+                smtpPort: bodyValue(body, "smtpPort", "smtp_port"),
+                smtpSsl: bodyValue(body, "smtpSsl", "smtp_ssl"),
 
-                imapHostEncrypted: encrypt(body.imap_host),
-                imapPort: body.imap_port,
-                imapSsl: body.imap_ssl,
+                imapHostEncrypted: encrypt(bodyValue(body, "imapHost", "imap_host")),
+                imapPort: bodyValue(body, "imapPort", "imap_port"),
+                imapSsl: bodyValue(body, "imapSsl", "imap_ssl"),
             }
 
             //@ts-ignore
@@ -110,24 +180,13 @@ export default async function emailAsUserRoutes(server: FastifyInstance) {
                 const rows = await server.db
                     .select()
                     .from(userCredentials)
-                    .where(eq(userCredentials.id, id))
+                    .where(accountWhere(req.user.tenant_id, req.user.user_id, id))
+                    .limit(1)
 
                 const row = rows[0]
                 if (!row) return reply.code(404).send({ error: "Not found" })
 
-                const returnData: any = {}
-
-                Object.entries(row).forEach(([key, val]) => {
-                    if (key.endsWith("Encrypted")) {
-                        const cleanKey = key.replace("Encrypted", "")
-                        // @ts-ignore
-                        returnData[cleanKey] = decrypt(val as string)
-                    } else {
-                        returnData[key] = val
-                    }
-                })
-
-                return reply.send(returnData)
+                return reply.send(accountResponse(row))
             }
 
             // ============================================================
@@ -136,24 +195,9 @@ export default async function emailAsUserRoutes(server: FastifyInstance) {
             const rows = await server.db
                 .select()
                 .from(userCredentials)
-                .where(eq(userCredentials.tenantId, req.user.tenant_id))
+                .where(accountWhere(req.user.tenant_id, req.user.user_id))
 
-            const accounts = rows.map(row => {
-                const temp: any = {}
-                console.log(row)
-                Object.entries(row).forEach(([key, val]) => {
-                    console.log(key,val)
-                    if (key.endsWith("Encrypted") && val) {
-                        // @ts-ignore
-                        temp[key.replace("Encrypted", "")] = decrypt(val)
-                    } else {
-                        temp[key] = val
-                    }
-                })
-                return temp
-            })
-
-            return reply.send(accounts)
+            return reply.send(rows.map(accountResponse))
 
         } catch (err) {
             console.error("GET /email/accounts error:", err)
@@ -183,21 +227,13 @@ export default async function emailAsUserRoutes(server: FastifyInstance) {
             const rows = await server.db
                 .select()
                 .from(userCredentials)
-                .where(eq(userCredentials.id, body.account))
+                .where(accountWhere(req.user.tenant_id, req.user.user_id, body.account))
+                .limit(1)
 
             const row = rows[0]
             if (!row) return reply.code(404).send({ error: "Account not found" })
 
-            const accountData: any = {}
-
-            Object.entries(row).forEach(([key, val]) => {
-                if (key.endsWith("Encrypted") && val) {
-                    // @ts-ignore
-                    accountData[key.replace("Encrypted", "")] = decrypt(val as string)
-                } else {
-                    accountData[key] = val
-                }
-            })
+            const accountData = accountCredentials(row)
 
             // -------------------------
             // SEND EMAIL VIA SMTP
@@ -243,14 +279,31 @@ export default async function emailAsUserRoutes(server: FastifyInstance) {
             const mail = new MailComposer(message)
             const raw = await mail.compile().build()
 
+            let savedToSent = false
             for await (const mailbox of await imap.list()) {
                 if (mailbox.specialUse === "\\Sent") {
                     await imap.mailboxOpen(mailbox.path)
                     await imap.append(mailbox.path, raw, ["\\Seen"])
-                    await imap.logout()
+                    savedToSent = true
+                    break
                 }
             }
 
+            if (!savedToSent) {
+                const sentFallbacks = ["Sent", "Gesendet", "INBOX.Sent"]
+                for (const path of sentFallbacks) {
+                    try {
+                        await imap.append(path, raw, ["\\Seen"])
+                        savedToSent = true
+                        break
+                    } catch (err) {
+                        // Fallback wird nur genutzt, wenn der Ordner existiert.
+                    }
+                }
+            }
+
+            await imap.logout()
+
             return reply.send({ success: true })
 
         } catch (err) {
@@ -259,4 +312,195 @@ export default async function emailAsUserRoutes(server: FastifyInstance) {
         }
     })
 
+    server.post("/email/accounts/:id/sync", async (req, reply) => {
+        try {
+            if (!req.user?.tenant_id) {
+                return reply.code(400).send({ error: "No tenant selected" })
+            }
+
+            const { id } = req.params as { id: string }
+            const body = (req.body || {}) as { mailbox?: string; limit?: number }
+
+            const result = await emailSync.syncAccount(
+                req.user.tenant_id,
+                req.user.user_id,
+                id,
+                body,
+            )
+
+            return reply.send({ success: true, ...result })
+        } catch (err: any) {
+            req.log.error(err)
+            return reply.code(500).send({ error: err.message || "E-Mail Sync fehlgeschlagen" })
+        }
+    })
+
+    server.get("/email/accounts/:id/mailboxes", async (req, reply) => {
+        try {
+            if (!req.user?.tenant_id) {
+                return reply.code(400).send({ error: "No tenant selected" })
+            }
+
+            const { id } = req.params as { id: string }
+            return reply.send(await emailSync.listMailboxes(req.user.tenant_id, req.user.user_id, id))
+        } catch (err: any) {
+            req.log.error(err)
+            return reply.code(500).send({ error: err.message || "Postfächer konnten nicht geladen werden" })
+        }
+    })
+
+    server.get("/email/accounts/:id/messages", async (req, reply) => {
+        try {
+            if (!req.user?.tenant_id) {
+                return reply.code(400).send({ error: "No tenant selected" })
+            }
+
+            const { id } = req.params as { id: string }
+            const query = req.query as { mailbox?: string; limit?: string }
+
+            return reply.send(await emailSync.listMessages(
+                req.user.tenant_id,
+                req.user.user_id,
+                id,
+                query.mailbox || "INBOX",
+                Number(query.limit || 50),
+            ))
+        } catch (err: any) {
+            req.log.error(err)
+            return reply.code(500).send({ error: err.message || "E-Mails konnten nicht geladen werden" })
+        }
+    })
+
+    server.get("/email/messages/:id", async (req, reply) => {
+        try {
+            if (!req.user?.tenant_id) {
+                return reply.code(400).send({ error: "No tenant selected" })
+            }
+
+            const { id } = req.params as { id: string }
+            const message = await emailSync.getMessage(req.user.tenant_id, req.user.user_id, id)
+            if (!message) return reply.code(404).send({ error: "E-Mail nicht gefunden" })
+
+            return reply.send(message)
+        } catch (err: any) {
+            req.log.error(err)
+            return reply.code(500).send({ error: err.message || "E-Mail konnte nicht geladen werden" })
+        }
+    })
+
+    server.post("/email/messages/:id/read", async (req, reply) => {
+        try {
+            if (!req.user?.tenant_id) {
+                return reply.code(400).send({ error: "No tenant selected" })
+            }
+
+            const { id } = req.params as { id: string }
+            const body = (req.body || {}) as { seen?: boolean }
+            const message = await emailSync.setMessageSeen(
+                req.user.tenant_id,
+                req.user.user_id,
+                id,
+                body.seen !== false,
+            )
+
+            if (!message) return reply.code(404).send({ error: "E-Mail nicht gefunden" })
+
+            return reply.send({ success: true, message })
+        } catch (err: any) {
+            req.log.error(err)
+            return reply.code(500).send({ error: err.message || "Lesestatus konnte nicht synchronisiert werden" })
+        }
+    })
+
+    server.post("/email/messages/:id/move", async (req, reply) => {
+        try {
+            if (!req.user?.tenant_id) {
+                return reply.code(400).send({ error: "No tenant selected" })
+            }
+
+            const { id } = req.params as { id: string }
+            const body = (req.body || {}) as { mailbox?: string }
+
+            if (!body.mailbox) {
+                return reply.code(400).send({ error: "Zielordner fehlt" })
+            }
+
+            const result = await emailSync.moveMessage(
+                req.user.tenant_id,
+                req.user.user_id,
+                id,
+                body.mailbox,
+            )
+
+            if (!result) return reply.code(404).send({ error: "E-Mail nicht gefunden" })
+            return reply.send({ success: true, ...result })
+        } catch (err: any) {
+            req.log.error(err)
+            return reply.code(500).send({ error: err.message || "E-Mail konnte nicht verschoben werden" })
+        }
+    })
+
+    server.post("/email/messages/:id/archive", async (req, reply) => {
+        try {
+            if (!req.user?.tenant_id) {
+                return reply.code(400).send({ error: "No tenant selected" })
+            }
+
+            const { id } = req.params as { id: string }
+            const result = await emailSync.archiveMessage(req.user.tenant_id, req.user.user_id, id)
+
+            if (!result) return reply.code(404).send({ error: "E-Mail nicht gefunden" })
+            return reply.send({ success: true, ...result })
+        } catch (err: any) {
+            req.log.error(err)
+            return reply.code(500).send({ error: err.message || "E-Mail konnte nicht archiviert werden" })
+        }
+    })
+
+    server.delete("/email/messages/:id", async (req, reply) => {
+        try {
+            if (!req.user?.tenant_id) {
+                return reply.code(400).send({ error: "No tenant selected" })
+            }
+
+            const { id } = req.params as { id: string }
+            const result = await emailSync.deleteMessage(req.user.tenant_id, req.user.user_id, id)
+
+            if (!result) return reply.code(404).send({ error: "E-Mail nicht gefunden" })
+            return reply.send({ success: true })
+        } catch (err: any) {
+            req.log.error(err)
+            return reply.code(500).send({ error: err.message || "E-Mail konnte nicht gelöscht werden" })
+        }
+    })
+
+    server.get("/email/attachments/:id/download", async (req, reply) => {
+        applyDownloadCorsHeaders(req, reply)
+
+        try {
+            if (!req.user?.tenant_id) {
+                return reply.code(400).send({ error: "No tenant selected" })
+            }
+
+            const { id } = req.params as { id: string }
+            const attachment = await emailSync.getAttachmentContent(req.user.tenant_id, req.user.user_id, id)
+
+            if (!attachment) return reply.code(404).send({ error: "Anhang nicht gefunden" })
+
+            const buffer = Buffer.isBuffer(attachment.content)
+                ? attachment.content
+                : Buffer.from(attachment.content)
+            const filename = attachment.filename.replace(/["\r\n]/g, "")
+
+            reply.header("Content-Type", attachment.contentType || "application/octet-stream")
+            reply.header("Content-Length", buffer.length)
+            reply.header("Cache-Control", "no-store")
+            reply.header("Content-Disposition", `attachment; filename="${filename}"`)
+            return reply.send(buffer)
+        } catch (err: any) {
+            req.log.error(err)
+            return reply.code(500).send({ error: err.message || "Anhang konnte nicht geladen werden" })
+        }
+    })
+
 }

backend/src/routes/exports.ts

@@ -67,6 +67,45 @@ const createDatevExport = async (server:FastifyInstance,req:any,startDate,endDat
 
 }
 
+const createSepaExport = async (server: FastifyInstance, req: any, idsToExport: number[], creditorBankaccountId: number) => {
+    const exportData = await createSEPAExport(server, idsToExport, req.user.tenant_id, creditorBankaccountId)
+
+    const fileKey = `${req.user.tenant_id}/exports/SEPA_${dayjs().format("YYYY-MM-DD")}_${randomUUID()}.xml`
+
+    await s3.send(
+        new PutObjectCommand({
+            Bucket: secrets.S3_BUCKET,
+            Key: fileKey,
+            Body: exportData.buffer,
+            ContentType: "application/xml",
+        })
+    )
+
+    const url = await getSignedUrl(
+        s3,
+        new GetObjectCommand({
+            Bucket: secrets.S3_BUCKET,
+            Key: fileKey,
+        }),
+        { expiresIn: 60 * 60 * 24 }
+    )
+
+    const inserted = await server.db
+        .insert(generatedexports)
+        .values({
+            tenantId: req.user.tenant_id,
+            startDate: exportData.startDate,
+            endDate: exportData.endDate,
+            validUntil: dayjs().add(24, "hours").toDate(),
+            filePath: fileKey,
+            url,
+            type: "sepa",
+        })
+        .returning()
+
+    console.log(inserted[0])
+}
+
 
 export default async function exportRoutes(server: FastifyInstance) {
     //Export DATEV
@@ -94,17 +133,24 @@ export default async function exportRoutes(server: FastifyInstance) {
     })
 
     server.post("/exports/sepa", async (req, reply) => {
-        const { idsToExport } = req.body as {
+        const { idsToExport, creditorBankaccountId } = req.body as {
             idsToExport: Array<number>
+            creditorBankaccountId: number
         }
 
+        if (!idsToExport?.length || !creditorBankaccountId) {
+            return reply.send({
+                success: false,
+                message: "Belege und Gläubigerkonto sind Pflichtfelder."
+            })
+        }
 
 
         reply.send({success:true})
 
         setImmediate(async () => {
             try {
-                await createSEPAExport(server, idsToExport, req.user.tenant_id)
+                await createSepaExport(server, req, idsToExport, creditorBankaccountId)
                 console.log("Job done ✅")
             } catch (err) {
                 console.error("Job failed ❌", err)

backend/src/routes/history.ts

@@ -27,6 +27,7 @@ const columnMap: Record<string, any> = {
     customerspaces: historyitems.customerspace,
     customerinventoryitems: historyitems.customerinventoryitem,
     memberrelations: historyitems.memberrelation,
+    outgoingsepamandates: historyitems.outgoingsepamandate,
 };
 
 const insertFieldMap: Record<string, string> = {
@@ -53,6 +54,7 @@ const insertFieldMap: Record<string, string> = {
     customerspaces: "customerspace",
     customerinventoryitems: "customerinventoryitem",
     memberrelations: "memberrelation",
+    outgoingsepamandates: "outgoingsepamandate",
 }
 
 const parseId = (value: string) => {

backend/src/routes/instanceAgentGateway.ts

@@ -0,0 +1,249 @@
+import { FastifyInstance, FastifyRequest } from "fastify"
+import multipart from "@fastify/multipart"
+import { createHash } from "node:crypto"
+import { and, asc, eq, sql } from "drizzle-orm"
+import { instanceAgentScanJobs, instanceAgents } from "../../db/schema"
+import { saveFile } from "../utils/files"
+
+const hashToken = (token: string) =>
+    createHash("sha256").update(token, "utf8").digest("hex")
+
+const readAgentToken = (req: FastifyRequest) => {
+    const headerToken = req.headers["x-agent-token"]
+    if (typeof headerToken === "string" && headerToken.length > 0) return headerToken
+
+    const authHeader = req.headers.authorization
+    if (authHeader?.startsWith("Bearer ")) return authHeader.slice(7)
+
+    return null
+}
+
+const pickFileTargets = (target: unknown) => {
+    if (!target || typeof target !== "object" || Array.isArray(target)) return {}
+
+    const allowedFields = [
+        "project",
+        "customer",
+        "contract",
+        "vendor",
+        "incominginvoice",
+        "plant",
+        "createddocument",
+        "vehicle",
+        "product",
+        "check",
+        "inventoryitem",
+        "space",
+        "documentbox",
+        "authProfile",
+    ]
+
+    return Object.fromEntries(
+        Object.entries(target as Record<string, any>)
+            .filter(([key, value]) => allowedFields.includes(key) && value !== undefined && value !== null)
+    )
+}
+
+const readFileFolder = (target: unknown) => {
+    if (!target || typeof target !== "object" || Array.isArray(target)) return null
+
+    const folder = (target as Record<string, any>).folder
+    return typeof folder === "string" && folder.trim() ? folder.trim() : null
+}
+
+const readFileType = (target: unknown) => {
+    if (!target || typeof target !== "object" || Array.isArray(target)) return null
+
+    const type = (target as Record<string, any>).type
+    return typeof type === "string" && type.trim() ? type.trim() : null
+}
+
+export default async function instanceAgentGatewayRoutes(server: FastifyInstance) {
+    await server.register(multipart, {
+        limits: { fileSize: 100 * 1024 * 1024 },
+    })
+
+    const authenticateAgent = async (req: FastifyRequest, reply: any) => {
+        const token = readAgentToken(req)
+        if (!token) {
+            reply.code(401).send({ error: "Agent token required" })
+            return null
+        }
+
+        const [agent] = await server.db
+            .select()
+            .from(instanceAgents)
+            .where(and(
+                eq(instanceAgents.tokenHash, hashToken(token)),
+                eq(instanceAgents.active, true)
+            ))
+            .limit(1)
+
+        if (!agent) {
+            reply.code(401).send({ error: "Invalid agent token" })
+            return null
+        }
+
+        return agent
+    }
+
+    server.post("/heartbeat", async (req, reply) => {
+        const agent = await authenticateAgent(req, reply)
+        if (!agent) return
+
+        const body = (req.body || {}) as {
+            capabilities?: Record<string, any>
+            scannerNames?: string[]
+            printerNames?: string[]
+            debugInfo?: Record<string, any>
+        }
+
+        await server.db
+            .update(instanceAgents)
+            .set({
+                capabilities: body.capabilities || agent.capabilities,
+                scannerNames: body.scannerNames || agent.scannerNames,
+                printerNames: body.printerNames || agent.printerNames,
+                lastDebugInfo: body.debugInfo || null,
+                lastSeenAt: new Date(),
+                updatedAt: new Date(),
+            })
+            .where(eq(instanceAgents.id, agent.id))
+
+        const [pending] = await server.db
+            .select({ count: sql<number>`count(*)::int` })
+            .from(instanceAgentScanJobs)
+            .where(and(
+                eq(instanceAgentScanJobs.agentId, agent.id),
+                eq(instanceAgentScanJobs.status, "pending")
+            ))
+
+        return {
+            status: "ok",
+            pendingScanJobs: pending?.count || 0,
+        }
+    })
+
+    server.get("/scan-jobs/next", async (req, reply) => {
+        const agent = await authenticateAgent(req, reply)
+        if (!agent) return
+
+        const [pendingJob] = await server.db
+            .select()
+            .from(instanceAgentScanJobs)
+            .where(and(
+                eq(instanceAgentScanJobs.agentId, agent.id),
+                eq(instanceAgentScanJobs.status, "pending")
+            ))
+            .orderBy(asc(instanceAgentScanJobs.createdAt))
+            .limit(1)
+
+        if (!pendingJob) return { job: null }
+
+        const [claimedJob] = await server.db
+            .update(instanceAgentScanJobs)
+            .set({
+                status: "running",
+                claimedAt: new Date(),
+                updatedAt: new Date(),
+                attempts: pendingJob.attempts + 1,
+            })
+            .where(and(
+                eq(instanceAgentScanJobs.id, pendingJob.id),
+                eq(instanceAgentScanJobs.status, "pending")
+            ))
+            .returning()
+
+        return { job: claimedJob || null }
+    })
+
+    server.post<{ Params: { id: string } }>("/scan-jobs/:id/status", async (req, reply) => {
+        const agent = await authenticateAgent(req, reply)
+        if (!agent) return
+
+        const body = (req.body || {}) as { status?: string; message?: string }
+        const allowedStatuses = ["running", "failed", "canceled"]
+
+        if (!body.status || !allowedStatuses.includes(body.status)) {
+            return reply.code(400).send({ error: "Invalid status" })
+        }
+
+        const [job] = await server.db
+            .update(instanceAgentScanJobs)
+            .set({
+                status: body.status,
+                agentMessage: body.message,
+                finishedAt: ["failed", "canceled"].includes(body.status) ? new Date() : undefined,
+                updatedAt: new Date(),
+            })
+            .where(and(
+                eq(instanceAgentScanJobs.id, req.params.id),
+                eq(instanceAgentScanJobs.agentId, agent.id)
+            ))
+            .returning()
+
+        if (!job) return reply.code(404).send({ error: "Scan job not found" })
+
+        return { job }
+    })
+
+    server.post<{ Params: { id: string } }>("/scan-jobs/:id/upload", async (req, reply) => {
+        const agent = await authenticateAgent(req, reply)
+        if (!agent) return
+
+        const [job] = await server.db
+            .select()
+            .from(instanceAgentScanJobs)
+            .where(and(
+                eq(instanceAgentScanJobs.id, req.params.id),
+                eq(instanceAgentScanJobs.agentId, agent.id)
+            ))
+            .limit(1)
+
+        if (!job) return reply.code(404).send({ error: "Scan job not found" })
+        if (!["running", "pending"].includes(job.status)) {
+            return reply.code(409).send({ error: "Scan job is not uploadable" })
+        }
+
+        const data: any = await req.file()
+        if (!data?.file) return reply.code(400).send({ error: "No file uploaded" })
+
+        const fileBuffer = await data.toBuffer()
+        const filename = job.requestedFilename || data.filename || `${job.id}.pdf`
+
+        const createdFile = await saveFile(
+            server,
+            job.tenantId,
+            null,
+            {
+                filename,
+                content: fileBuffer,
+                contentType: data.mimetype || "application/pdf",
+            },
+            readFileFolder(job.target),
+            readFileType(job.target),
+            {
+                ...pickFileTargets(job.target),
+                createdBy: job.requestedBy,
+            }
+        )
+
+        if (!createdFile) return reply.code(500).send({ error: "Could not save scan file" })
+
+        const [updatedJob] = await server.db
+            .update(instanceAgentScanJobs)
+            .set({
+                status: "completed",
+                fileId: createdFile.id,
+                finishedAt: new Date(),
+                updatedAt: new Date(),
+            })
+            .where(eq(instanceAgentScanJobs.id, job.id))
+            .returning()
+
+        return {
+            job: updatedJob,
+            file: createdFile,
+        }
+    })
+}

backend/src/routes/instanceAgents.ts

@@ -0,0 +1,209 @@
+import { FastifyInstance } from "fastify"
+import { createHash, randomBytes } from "node:crypto"
+import { and, desc, eq } from "drizzle-orm"
+import { z } from "zod"
+import { instanceAgentScanJobs, instanceAgents } from "../../db/schema"
+
+const createAgentSchema = z.object({
+    name: z.string().min(1),
+    description: z.string().optional().nullable(),
+})
+
+const updateAgentSchema = z.object({
+    name: z.string().min(1).optional(),
+    description: z.string().optional().nullable(),
+    active: z.boolean().optional(),
+    preferredScannerName: z.string().optional().nullable(),
+    scanDefaults: z.record(z.string(), z.any()).optional(),
+})
+
+const createScanJobSchema = z.object({
+    agentId: z.string().uuid(),
+    tenantId: z.number().int().positive().optional(),
+    scannerName: z.string().optional().nullable(),
+    requestedFilename: z.string().optional().nullable(),
+    settings: z.record(z.string(), z.any()).optional(),
+    target: z.record(z.string(), z.any()).optional(),
+})
+
+const hashToken = (token: string) =>
+    createHash("sha256").update(token, "utf8").digest("hex")
+
+const createAgentToken = () => `fedeo_agent_${randomBytes(32).toString("hex")}`
+
+const requireAdmin = (req: any, reply: any) => {
+    if (!req.user?.is_admin) {
+        reply.code(403).send({ error: "Admin required" })
+        return false
+    }
+
+    return true
+}
+
+export default async function instanceAgentRoutes(server: FastifyInstance) {
+    server.get("/instance-agents", async () => {
+        const rows = await server.db
+            .select({
+                id: instanceAgents.id,
+                createdAt: instanceAgents.createdAt,
+                updatedAt: instanceAgents.updatedAt,
+                name: instanceAgents.name,
+                description: instanceAgents.description,
+                tokenPrefix: instanceAgents.tokenPrefix,
+                active: instanceAgents.active,
+                capabilities: instanceAgents.capabilities,
+                scannerNames: instanceAgents.scannerNames,
+                printerNames: instanceAgents.printerNames,
+                preferredScannerName: instanceAgents.preferredScannerName,
+                scanDefaults: instanceAgents.scanDefaults,
+                lastSeenAt: instanceAgents.lastSeenAt,
+                lastDebugInfo: instanceAgents.lastDebugInfo,
+            })
+            .from(instanceAgents)
+            .orderBy(desc(instanceAgents.createdAt))
+
+        return { agents: rows }
+    })
+
+    server.post("/instance-agents", async (req, reply) => {
+        if (!requireAdmin(req, reply)) return
+
+        const body = createAgentSchema.parse(req.body)
+        const token = createAgentToken()
+
+        const [agent] = await server.db
+            .insert(instanceAgents)
+            .values({
+                name: body.name,
+                description: body.description,
+                tokenPrefix: token.slice(0, 24),
+                tokenHash: hashToken(token),
+            })
+            .returning({
+                id: instanceAgents.id,
+                name: instanceAgents.name,
+                description: instanceAgents.description,
+                tokenPrefix: instanceAgents.tokenPrefix,
+                active: instanceAgents.active,
+                preferredScannerName: instanceAgents.preferredScannerName,
+                scanDefaults: instanceAgents.scanDefaults,
+                createdAt: instanceAgents.createdAt,
+            })
+
+        return {
+            agent,
+            token,
+        }
+    })
+
+    server.patch<{ Params: { id: string } }>("/instance-agents/:id", async (req, reply) => {
+        if (!requireAdmin(req, reply)) return
+
+        const body = updateAgentSchema.parse(req.body)
+        const [agent] = await server.db
+            .update(instanceAgents)
+            .set({
+                ...body,
+                updatedAt: new Date(),
+            })
+            .where(eq(instanceAgents.id, req.params.id))
+            .returning({
+                id: instanceAgents.id,
+                name: instanceAgents.name,
+                description: instanceAgents.description,
+                active: instanceAgents.active,
+                preferredScannerName: instanceAgents.preferredScannerName,
+                scanDefaults: instanceAgents.scanDefaults,
+                updatedAt: instanceAgents.updatedAt,
+            })
+
+        if (!agent) return reply.code(404).send({ error: "Agent not found" })
+
+        return { agent }
+    })
+
+    server.post("/scan-jobs", async (req, reply) => {
+        const body = createScanJobSchema.parse(req.body)
+        const requestedTenantId = body.tenantId || req.user?.tenant_id
+
+        if (!requestedTenantId) {
+            return reply.code(400).send({ error: "tenantId required" })
+        }
+
+        if (body.tenantId && body.tenantId !== req.user?.tenant_id && !req.user?.is_admin) {
+            return reply.code(403).send({ error: "Cannot create scan job for another tenant" })
+        }
+
+        const [agent] = await server.db
+            .select({
+                id: instanceAgents.id,
+                active: instanceAgents.active,
+                preferredScannerName: instanceAgents.preferredScannerName,
+                scanDefaults: instanceAgents.scanDefaults,
+            })
+            .from(instanceAgents)
+            .where(eq(instanceAgents.id, body.agentId))
+            .limit(1)
+
+        if (!agent || !agent.active) {
+            return reply.code(404).send({ error: "Active agent not found" })
+        }
+
+        const [job] = await server.db
+            .insert(instanceAgentScanJobs)
+            .values({
+                tenantId: requestedTenantId,
+                agentId: body.agentId,
+                requestedBy: req.user?.user_id,
+                scannerName: body.scannerName || agent.preferredScannerName,
+                requestedFilename: body.requestedFilename,
+                settings: {
+                    ...((agent.scanDefaults || {}) as Record<string, any>),
+                    ...(body.settings || {}),
+                },
+                target: body.target || {},
+            })
+            .returning()
+
+        return { job }
+    })
+
+    server.get("/scan-jobs", async (req) => {
+        const query = req.query as { tenantId?: string }
+        const tenantId = req.user?.is_admin && query.tenantId
+            ? Number(query.tenantId)
+            : req.user?.tenant_id
+
+        const rows = tenantId
+            ? await server.db
+                .select()
+                .from(instanceAgentScanJobs)
+                .where(eq(instanceAgentScanJobs.tenantId, tenantId))
+                .orderBy(desc(instanceAgentScanJobs.createdAt))
+            : await server.db
+                .select()
+                .from(instanceAgentScanJobs)
+                .orderBy(desc(instanceAgentScanJobs.createdAt))
+
+        return { jobs: rows }
+    })
+
+    server.get<{ Params: { id: string } }>("/scan-jobs/:id", async (req, reply) => {
+        const conditions = [eq(instanceAgentScanJobs.id, req.params.id)]
+
+        if (!req.user?.is_admin) {
+            if (!req.user?.tenant_id) return reply.code(400).send({ error: "tenant required" })
+            conditions.push(eq(instanceAgentScanJobs.tenantId, req.user.tenant_id))
+        }
+
+        const [job] = await server.db
+            .select()
+            .from(instanceAgentScanJobs)
+            .where(and(...conditions))
+            .limit(1)
+
+        if (!job) return reply.code(404).send({ error: "Scan job not found" })
+
+        return { job }
+    })
+}