KI-AGENT: Selfhost-Setup nutzt passende Compose-Datei

Dokumentiert Matrix-Kommunikation, Telekom-Telefonie und den VPS-Asterisk-Entwicklungsbetrieb.

.env.example

@@ -0,0 +1,165 @@
+# FEDEO Selfhosting
+DOMAIN=app.example.com
+CONTACT_EMAIL=admin@deine-domain.de
+
+DB_NAME=fedeo
+DB_USER=fedeo
+DB_PASSWORD=change-this-db-password
+DATABASE_URL=postgres://fedeo:change-this-db-password@db:5432/fedeo
+
+MINIO_ROOT_USER=fedeo-minio
+MINIO_ROOT_PASSWORD=change-this-minio-password
+MINIO_BUCKET=fedeo
+
+HOST=0.0.0.0
+PORT=3100
+FEDEO_RUN_MIGRATIONS=true
+COOKIE_SECRET=change-this-cookie-secret
+JWT_SECRET=change-this-jwt-secret
+ENCRYPTION_KEY=change-this-encryption-key
+
+MAILER_SMTP_HOST=smtp.example.com
+MAILER_SMTP_PORT=587
+MAILER_SMTP_SSL=false
+MAILER_SMTP_USER=mailer@example.com
+MAILER_SMTP_PASS=change-this-mail-password
+MAILER_FROM=FEDEO <no-reply@example.com>
+
+# Desktop Push per Web Push. Schlüssel können mit
+# `npx web-push generate-vapid-keys` erzeugt werden.
+WEB_PUSH_PUBLIC_KEY=replace-this-web-push-public-key
+WEB_PUSH_PRIVATE_KEY=replace-this-web-push-private-key
+WEB_PUSH_SUBJECT=mailto:admin@example.com
+
+S3_ENDPOINT=http://minio:9000
+S3_REGION=eu-central-1
+S3_ACCESS_KEY=fedeo-minio
+S3_SECRET_KEY=change-this-minio-password
+S3_BUCKET=fedeo
+
+# Datei-Backend. S3 bleibt aktuell der Standard; Seafile kann als externer
+# Dateidienst angebunden werden, sobald der Backend-Umbau aktiviert ist.
+FEDEO_FILE_BACKEND=s3
+
+# Externer Seafile-Dienst, nicht Teil des Standard-Compose-Stacks.
+SEAFILE_BASE_URL=https://files.example.com
+SEAFILE_INTERNAL_URL=https://files.example.com
+SEAFILE_ADMIN_EMAIL=admin@example.com
+SEAFILE_ADMIN_PASSWORD=change-this-seafile-admin-password
+
+M2M_API_KEY=change-this-m2m-key
+API_BASE_URL=https://app.example.com/backend
+GOCARDLESS_BASE_URL=https://api.gocardless.com
+GOCARDLESS_SECRET_ID=replace-this
+GOCARDLESS_SECRET_KEY=replace-this
+
+DOKUBOX_IMAP_HOST=imap.example.com
+DOKUBOX_IMAP_PORT=993
+DOKUBOX_IMAP_SECURE=true
+DOKUBOX_IMAP_USER=dokubox@example.com
+DOKUBOX_IMAP_PASSWORD=change-this-imap-password
+
+OPENAI_API_KEY=replace-this
+STIRLING_API_KEY=replace-this
+NUXT_PUBLIC_PDF_LICENSE=replace-with-your-pdf-license
+
+# Interner Prometheus Node Exporter für die Admin-Systemstatusseite.
+NODE_EXPORTER_URL=http://node-exporter:9100
+
+# Lokaler Asterisk-Test für SIP/Voice. Aktivieren, wenn das Compose-Profil
+# `telephony-dev` genutzt wird.
+TELEPHONY_ENABLED=false
+ASTERISK_IMAGE=andrius/asterisk:20
+TELEPHONY_ASTERISK_HTTP_URL=http://asterisk-dev:8088/ws
+TELEPHONY_ASTERISK_WS_URL=ws://localhost:8088/ws
+TELEPHONY_ASTERISK_GENERATED_DIR=/var/lib/fedeo/asterisk/generated
+TELEPHONY_ASTERISK_AMI_HOST=asterisk-dev
+TELEPHONY_ASTERISK_AMI_PORT=5038
+TELEPHONY_ASTERISK_AMI_USER=fedeo
+TELEPHONY_ASTERISK_AMI_PASSWORD=fedeo-ami-dev
+TELEPHONY_SIP_DOMAIN=localhost
+TELEPHONY_TEST_EXTENSION=1001
+TELEPHONY_TEST_PASSWORD=fedeo-test-1001
+TELEPHONY_TEST_EXTENSION_2=1002
+TELEPHONY_TEST_PASSWORD_2=fedeo-test-1002
+TELEPHONY_ECHO_EXTENSION=600
+TELEPHONY_DEV_WS_PORT=8088
+TELEPHONY_DEV_AMI_PORT=5038
+TELEPHONY_DEV_SIP_PORT=5060
+TELEPHONY_DEV_RTP_MIN_PORT=10000
+TELEPHONY_DEV_RTP_MAX_PORT=10100
+TELEPHONY_ASTERISK_EXTERNAL_SIGNALING_ADDRESS=
+TELEPHONY_ASTERISK_EXTERNAL_MEDIA_ADDRESS=
+
+# Externe Telefonie über Telekom/tel.t-online.de. Keine echten Zugangsdaten
+# einchecken. SIP-ID ist in der Regel die Rufnummer mit Vorwahl ohne Leerzeichen
+# und ohne Sonderzeichen, z. B. 0301234567. Wenn dein Anschluss noch die
+# Internet-Zugangsdaten als Auth-User nutzt, kann TELEPHONY_TELEKOM_AUTH_USER
+# aus Anschlusskennung + Zugangsnummer + # + Mitbenutzernummer + @t-online.de
+# gebildet werden.
+TELEPHONY_EXTERNAL_PROVIDER=
+TELEPHONY_EXTERNAL_ENABLED=false
+TELEPHONY_EXTERNAL_INBOUND_EXTENSION=1001
+TELEPHONY_TELEKOM_ENABLED=false
+TELEPHONY_TELEKOM_REGISTRAR=tel.t-online.de
+TELEPHONY_TELEKOM_SIP_USER=
+TELEPHONY_TELEKOM_AUTH_USER=
+TELEPHONY_TELEKOM_PASSWORD=
+TELEPHONY_TELEKOM_CALLER_ID=
+TELEPHONY_TELEKOM_INBOUND_EXTENSION=1001
+TELEPHONY_TELEKOM_OUTBOUND_PREFIX=0
+
+# Optionaler Erststart-Bootstrap. Wenn gesetzt, werden Admin, Mandant,
+# Admin-Rolle und Grunddaten beim Backend-Start idempotent angelegt.
+FEDEO_BOOTSTRAP_ADMIN_EMAIL=admin@example.com
+FEDEO_BOOTSTRAP_ADMIN_PASSWORD=change-this-admin-password
+FEDEO_BOOTSTRAP_ADMIN_FIRST_NAME=Admin
+FEDEO_BOOTSTRAP_ADMIN_LAST_NAME=Benutzer
+FEDEO_BOOTSTRAP_TENANT_NAME=Mein Unternehmen
+FEDEO_BOOTSTRAP_TENANT_SHORT=MEIN
+
+# FEDEO Matrix-Kommunikation
+#
+# Diese Werte werden von docker-compose.selfhost.yml für den integrierten
+# Matrix-Stack gelesen. Für produktive Systeme müssen alle Geheimnisse ersetzt
+# werden.
+
+MATRIX_SERVER_NAME=app.example.com
+
+MATRIX_POSTGRES_DB=synapse
+MATRIX_POSTGRES_USER=synapse
+MATRIX_POSTGRES_PASSWORD=change-this-matrix-db-password
+
+MATRIX_TURN_SHARED_SECRET=change-this-turn-secret
+
+LIVEKIT_KEY=fedeo-livekit
+LIVEKIT_SECRET=change-this-livekit-secret-please-replace
+
+# Backend-Integration im Selfhost-Stack
+MATRIX_HOMESERVER_URL=http://matrix-synapse:8008
+MATRIX_RTC_HOST=app.example.com
+MATRIX_RTC_JWT_URL=https://app.example.com/livekit/jwt
+MATRIX_LIVEKIT_URL=wss://app.example.com/livekit/sfu
+MATRIX_REGISTRATION_SHARED_SECRET=change-this-matrix-registration-secret
+MATRIX_SERVICE_USER_LOCALPART=fedeo_service
+NUXT_PUBLIC_MATRIX_ELEMENT_URL=https://app.example.com/element
+
+# Lokale Matrix-Entwicklung
+MATRIX_DEV_SYNAPSE_PORT=8008
+MATRIX_DEV_ELEMENT_PORT=8080
+MATRIX_DEV_RTC_JWT_PORT=8081
+MATRIX_DEV_LIVEKIT_PORT=7880
+MATRIX_DEV_LIVEKIT_TCP_PORT=7881
+MATRIX_DEV_LIVEKIT_RTC_MIN_PORT=50000
+MATRIX_DEV_LIVEKIT_RTC_MAX_PORT=50100
+MATRIX_DEV_LIVEKIT_NODE_IP=127.0.0.1
+MATRIX_DEV_TURN_PORT=3478
+MATRIX_DEV_TURN_MIN_PORT=49160
+MATRIX_DEV_TURN_MAX_PORT=49200
+
+# Lokale Backend-Integration gegen den Matrix-Entwicklungsstack
+# MATRIX_HOMESERVER_URL=http://localhost:8008
+# MATRIX_RTC_JWT_URL=http://localhost:8081
+# MATRIX_LIVEKIT_URL=ws://localhost:7880
+# MATRIX_REGISTRATION_SHARED_SECRET=copy-from-matrix-dev-synapse-homeserver-yaml
+# NUXT_PUBLIC_MATRIX_ELEMENT_URL=http://localhost:8080

.gitea/workflows/build-push.yaml

@@ -1,5 +1,5 @@
 name: Build and Push Docker Images
-run-name: Build Backend & Frontend by @${{ github.actor }}
+run-name: Build Backend, Frontend, Website & Docs by @${{ github.actor }}
 
 on: [push]
 
@@ -8,12 +8,38 @@ env:
   # Wenn du die Gitea-interne Registry nutzt, ist es meist einfach der Hostname deiner Gitea-Instanz.
   # Beispiel: gitea.deine-domain.de
   REGISTRY_HOST: git.federspiel.tech
-  # Der Name des Repos (z.B. user/repo)
-  IMAGE_NAME: ${{ github.repository }}
+  # Der Name des Repos (z.B. user/repo).
+  # Explizit in lowercase gesetzt, damit es exakt zu den Compose-Imagepfaden passt.
+  IMAGE_NAME: flfeders/fedeo
   ACTOR: flfeders
 
 jobs:
+#  verify-docs-sync:
+#    runs-on: ubuntu-latest
+#    steps:
+#      - name: Check out repository code
+#        uses: actions/checkout@v3
+#
+#      - name: Prüfe Node-Version
+#        uses: actions/setup-node@v4
+#        with:
+#          node-version: 20
+#
+#      - name: Synchronisiere Funktionsdokumentation
+#        run: node docs/scripts/sync-funktionsdoku.mjs
+#
+#      - name: Breche ab, wenn Doku nicht aktuell committed ist
+#        run: |
+#          if [ -n "$(git status --porcelain docs/)" ]; then
+#            echo "Die generierte Dokumentation ist nicht aktuell."
+#            echo "Bitte lokal ausführen: node docs/scripts/sync-funktionsdoku.mjs"
+#            echo "Danach die Änderungen committen."
+#            git status --short docs/
+#            exit 1
+#          fi
+
   build-backend:
+    #needs: verify-docs-sync
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository code
@@ -46,6 +72,7 @@ jobs:
           labels: ${{ steps.meta-backend.outputs.labels }}
 
   build-frontend:
+    #needs: verify-docs-sync
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository code
@@ -74,4 +101,69 @@ jobs:
           context: ./frontend # Hier wird der Ordner gewechselt (wie 'cd frontend')
           push: true
           tags: ${{ steps.meta-frontend.outputs.tags }}
-          labels: ${{ steps.meta-frontend.outputs.labels }}
+          labels: ${{ steps.meta-frontend.outputs.labels }}
+
+  build-docs:
+    needs: verify-docs-sync
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+
+      - name: Log in to Docker Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY_HOST }}
+          username: ${{ env.ACTOR }}
+          password: ${{ vars.CI_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docs
+        id: meta-docs
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY_HOST }}/${{ env.IMAGE_NAME }}/docs
+          tags: |
+            type=ref,event=branch
+            type=ref,event=tag
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+
+      - name: Build and push Docs
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: ./docs-site/Dockerfile
+          push: true
+          tags: ${{ steps.meta-docs.outputs.tags }}
+          labels: ${{ steps.meta-docs.outputs.labels }}
+
+  build-website:
+    #needs: verify-docs-sync
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+
+      - name: Log in to Docker Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY_HOST }}
+          username: ${{ env.ACTOR }}
+          password: ${{ vars.CI_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Website
+        id: meta-website
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY_HOST }}/${{ env.IMAGE_NAME }}/website
+          tags: |
+            type=ref,event=branch
+            type=ref,event=tag
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+
+      - name: Build and push Website
+        uses: docker/build-push-action@v4
+        with:
+          context: ./website
+          push: true
+          tags: ${{ steps.meta-website.outputs.tags }}
+          labels: ${{ steps.meta-website.outputs.labels }}

.gitignore

@@ -0,0 +1,10 @@
+.env
+node_modules/
+.nuxt/
+.output/
+
+# Lokale Runtime-Daten und generierte Konfigurationen
+matrix/postgres/
+matrix/synapse/
+matrix/dev/postgres/
+matrix/dev/synapse/

README.md

@@ -89,13 +89,16 @@ Wenn du MinIO verwendest, setze zusatzlich:
 
 ## Deploy-Struktur
 
-Deploye den Stack direkt aus einem geklonten Checkout dieses Repositories, weil die Compose-Datei die lokalen Build-Kontexte `./frontend` und `./backend` verwendet.
+Deploye den Stack in einem eigenen Betriebsverzeichnis. Der Selfhost-Installer lädt dafür nur die benötigten Betriebsdateien und klont nicht das komplette Repository.
 
-Beispiel:
+Beispiel für die manuelle Vorbereitung:
 
 ```bash
-git clone <DEIN-REPO-URL> /opt/fedeo
-cd /opt/fedeo
+mkdir -p /opt/fedeo/scripts
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/docker-compose.selfhost.yml -o /opt/fedeo/docker-compose.yml
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/.env.example -o /opt/fedeo/.env.example
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/scripts/selfhost-setup.sh -o /opt/fedeo/scripts/selfhost-setup.sh
+chmod +x /opt/fedeo/scripts/selfhost-setup.sh
 ```
 
 Die Verzeichnisstruktur sollte dann mindestens so aussehen:
@@ -104,8 +107,7 @@ Die Verzeichnisstruktur sollte dann mindestens so aussehen:
 /opt/fedeo/
   docker-compose.yml
   .env
-  backend/
-  frontend/
+  scripts/
   traefik/
     letsencrypt/
     logs/
@@ -124,13 +126,55 @@ touch /opt/fedeo/traefik/letsencrypt/acme.json
 chmod 600 /opt/fedeo/traefik/letsencrypt/acme.json
 ```
 
+Als Startpunkt kannst du die Beispielumgebung kopieren:
+
+```bash
+cp .env.example .env
+```
+
+Ersetze anschließend alle Platzhalter und passe mindestens `DOMAIN`, `CONTACT_EMAIL`, Datenbank-, Secret-, SMTP- und S3-Werte an. Seafile ist kein Teil des Standard-Stacks; wenn FEDEO später Seafile als File-Backend nutzen soll, zeigst du die Seafile-Variablen auf einen externen Seafile-Dienst.
+
+Alternativ kannst du die Konfiguration geführt erzeugen lassen:
+
+```bash
+bash scripts/selfhost-setup.sh
+```
+
+Auf einem frischen Server kannst du die Betriebsdateien und die Konfiguration direkt per One-Liner vorbereiten:
+
+```bash
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/scripts/selfhost-install.sh | bash
+```
+
+Der schnelle One-Liner mit direktem Stack-Start:
+
+```bash
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/scripts/selfhost-install.sh | bash -s -- --simple --start
+```
+
+Der Installer prüft Basispakete, installiert Docker auf Wunsch über das offizielle Docker-Installationsscript, lädt nur die Selfhost-Dateien nach `/opt/fedeo` und startet anschließend den geführten Setup-Assistenten.
+
+Für den schnellen Standardpfad:
+
+```bash
+bash scripts/selfhost-setup.sh --simple
+```
+
+Für mehr Rückfragen zu SMTP, API-Schlüsseln und optionalen Diensten:
+
+```bash
+bash scripts/selfhost-setup.sh --advanced
+```
+
+Der Assistent erklärt zuerst die Selfhost-Verzeichnisstruktur, schreibt anschließend `.env`, legt persistente Verzeichnisse inklusive `traefik/letsencrypt/acme.json` an und kann den Stack optional direkt starten.
+
 ## Beispiel `.env`
 
 Diese Datei liegt neben der `docker-compose.yml`:
 
 ```env
 DOMAIN=app.example.com
-CONTACT_EMAIL=admin@example.com
+CONTACT_EMAIL=admin@deine-domain.de
 
 DB_NAME=fedeo
 DB_USER=fedeo
@@ -160,6 +204,12 @@ S3_ACCESS_KEY=fedeo-minio
 S3_SECRET_KEY=change-this-minio-password
 S3_BUCKET=fedeo
 
+FEDEO_FILE_BACKEND=s3
+SEAFILE_BASE_URL=https://files.example.com
+SEAFILE_INTERNAL_URL=https://files.example.com
+SEAFILE_ADMIN_EMAIL=admin@example.com
+SEAFILE_ADMIN_PASSWORD=change-this-seafile-admin-password
+
 M2M_API_KEY=change-this-m2m-key
 API_BASE_URL=https://app.example.com/backend
 GOCARDLESS_BASE_URL=https://api.gocardless.com
@@ -176,11 +226,41 @@ OPENAI_API_KEY=replace-this
 STIRLING_API_KEY=replace-this
 
 NUXT_PUBLIC_PDF_LICENSE=replace-with-your-pdf-license
+
+FEDEO_BOOTSTRAP_ADMIN_EMAIL=admin@example.com
+FEDEO_BOOTSTRAP_ADMIN_PASSWORD=change-this-admin-password
+FEDEO_BOOTSTRAP_ADMIN_FIRST_NAME=Admin
+FEDEO_BOOTSTRAP_ADMIN_LAST_NAME=Benutzer
+FEDEO_BOOTSTRAP_TENANT_NAME=Mein Unternehmen
+FEDEO_BOOTSTRAP_TENANT_SHORT=MEIN
+
+MATRIX_SERVER_NAME=app.example.com
+MATRIX_POSTGRES_DB=synapse
+MATRIX_POSTGRES_USER=synapse
+MATRIX_POSTGRES_PASSWORD=change-this-matrix-db-password
+MATRIX_TURN_SHARED_SECRET=change-this-turn-secret
+MATRIX_HOMESERVER_URL=http://matrix-synapse:8008
+MATRIX_RTC_HOST=app.example.com
+MATRIX_RTC_JWT_URL=https://app.example.com/livekit/jwt
+MATRIX_LIVEKIT_URL=wss://app.example.com/livekit/sfu
+MATRIX_REGISTRATION_SHARED_SECRET=change-this-matrix-registration-secret
+MATRIX_SERVICE_USER_LOCALPART=fedeo_service
+LIVEKIT_KEY=fedeo-livekit
+LIVEKIT_SECRET=change-this-livekit-secret-please-replace
+NUXT_PUBLIC_MATRIX_ELEMENT_URL=https://app.example.com/element
 ```
 
-## Vollstandiges Docker Compose mit optionaler S3-MinIO-Option
+Die `FEDEO_BOOTSTRAP_*`-Werte sind für den ersten Start gedacht. Wenn `FEDEO_BOOTSTRAP_ADMIN_EMAIL` und `FEDEO_BOOTSTRAP_ADMIN_PASSWORD` gesetzt sind, legt das Backend idempotent einen Admin-Benutzer, einen ersten Mandanten, eine Administrator-Rolle und grundlegende Stammdaten an. Nach erfolgreichem Erstzugriff solltest du das Bootstrap-Passwort aus der `.env` entfernen oder ändern.
 
-Hinweis: Der Stack unten startet MinIO standardmassig mit. Wenn du stattdessen AWS S3, Hetzner Object Storage, Backblaze B2 S3 oder einen anderen externen S3-Dienst nutzen willst, kannst du die Services `minio` und `createbuckets` entfernen und nur die entsprechenden S3-Umgebungsvariablen auf den externen Anbieter zeigen lassen.
+## Docker Compose mit optionalem S3 und Matrix
+
+Die Selfhost-Konfiguration wird im Betriebsverzeichnis als `docker-compose.yml` abgelegt. Sie startet MinIO standardmäßig mit. Wenn du stattdessen AWS S3, Hetzner Object Storage, Backblaze B2 S3 oder einen anderen externen S3-Dienst nutzen willst, kannst du die Services `minio` und `createbuckets` entfernen und nur die entsprechenden S3-Umgebungsvariablen auf den externen Anbieter zeigen lassen.
+
+Seafile wird bewusst nicht im Standard-Compose-Stack gestartet. FEDEO kann später gegen einen extern betriebenen Seafile-Dienst sprechen; dafür bleiben `SEAFILE_BASE_URL`, `SEAFILE_INTERNAL_URL`, `SEAFILE_ADMIN_EMAIL` und `SEAFILE_ADMIN_PASSWORD` als generische Anbindungswerte vorgesehen. `FEDEO_FILE_BACKEND=s3` bleibt der Standard, bis die Backend-Integration für Seafile vollständig umgesetzt ist.
+
+Der Matrix-Stack ist im Selfhost-Compose direkt enthalten. Er umfasst Synapse, eine eigene PostgreSQL-Datenbank für Synapse, Redis, `.well-known/matrix`, coturn, LiveKit, den LiveKit-JWT-Service und Element Web. Das einfache Selfhost-Setup nutzt nur `DOMAIN`: Synapse läuft unter `https://DOMAIN/_matrix`, Matrix-Well-Known unter `https://DOMAIN/.well-known/matrix`, LiveKit unter `https://DOMAIN/livekit/sfu`, der JWT-Service unter `https://DOMAIN/livekit/jwt` und Element Web unter `https://DOMAIN/element`.
+
+Das Backend führt beim Containerstart standardmäßig `npm run migrate` aus. Setze `FEDEO_RUN_MIGRATIONS=false`, wenn du Migrationen bewusst manuell ausführen möchtest.
 
 ```yaml
 services:
@@ -266,8 +346,7 @@ services:
       - internal
 
   backend:
-    build:
-      context: ./backend
+    image: git.federspiel.tech/flfeders/fedeo/backend:dev
     container_name: fedeo-backend
     restart: unless-stopped
     depends_on:
@@ -316,13 +395,13 @@ services:
       - traefik.http.middlewares.fedeo-backend-strip.stripprefix.prefixes=/backend
       - traefik.http.routers.fedeo-backend.middlewares=fedeo-backend-strip
       - traefik.http.services.fedeo-backend.loadbalancer.server.port=3100
+      - traefik.docker.network=fedeo_web
     networks:
       - web
       - internal
 
   frontend:
-    build:
-      context: ./frontend
+    image: git.federspiel.tech/flfeders/fedeo/frontend:dev
     container_name: fedeo-frontend
     restart: unless-stopped
     depends_on:
@@ -337,13 +416,16 @@ services:
       - traefik.http.routers.fedeo-frontend.entrypoints=websecure
       - traefik.http.routers.fedeo-frontend.tls.certresolver=letsencrypt
       - traefik.http.services.fedeo-frontend.loadbalancer.server.port=3000
+      - traefik.docker.network=fedeo_web
     networks:
       - web
 
 networks:
   web:
+    name: fedeo_web
     driver: bridge
   internal:
+    name: fedeo_internal
     driver: bridge
 ```
 
@@ -372,16 +454,23 @@ Hinweis: Das Backend nutzt `forcePathStyle: true`. Das funktioniert sauber mit M
 Im Deploy-Verzeichnis:
 
 ```bash
-docker compose build
-docker compose up -d
+docker compose --env-file /opt/fedeo/.env -f /opt/fedeo/docker-compose.yml up -d
 ```
 
+Synapse erzeugt `matrix/synapse/homeserver.yaml` beim ersten Start automatisch und aktualisiert die für FEDEO relevanten Werte aus der `.env`. `MATRIX_REGISTRATION_SHARED_SECRET` muss in der `.env` gesetzt und geheim bleiben, weil FEDEO damit Matrix-Nutzer provisioniert.
+
 Danach Status prufen:
 
 ```bash
-docker compose ps
-docker compose logs -f traefik
-docker compose logs -f backend
+docker compose --env-file /opt/fedeo/.env -f /opt/fedeo/docker-compose.yml ps
+docker compose --env-file /opt/fedeo/.env -f /opt/fedeo/docker-compose.yml logs -f traefik
+docker compose --env-file /opt/fedeo/.env -f /opt/fedeo/docker-compose.yml logs -f backend
+```
+
+Wenn du Migrationen manuell ausführen möchtest:
+
+```bash
+docker compose --env-file /opt/fedeo/.env -f /opt/fedeo/docker-compose.yml run --rm backend npm run migrate
 ```
 
 ## Funktionsprufung
@@ -398,17 +487,23 @@ Erwartung:
 - Frontend liefert `200` oder `302`
 - Backend liefert JSON wie `{"status":"ok"}`
 
+Wenn der Bootstrap aktiviert ist, kannst du dich danach mit `FEDEO_BOOTSTRAP_ADMIN_EMAIL` und `FEDEO_BOOTSTRAP_ADMIN_PASSWORD` anmelden. Die Mandantensperre wird über `locked` gesteuert; `hasActiveLicense` wird nicht mehr für den Selfhost-Zugriff ausgewertet.
+
 ## Updates
 
 Bei neuen Versionen:
 
 ```bash
-git pull
-docker compose build
-docker compose up -d
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/docker-compose.selfhost.yml -o /opt/fedeo/docker-compose.yml
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/.env.example -o /opt/fedeo/.env.example
+curl -fsSL https://git.federspiel.tech/flfeders/FEDEO/raw/branch/dev/scripts/selfhost-setup.sh -o /opt/fedeo/scripts/selfhost-setup.sh
+chmod +x /opt/fedeo/scripts/selfhost-setup.sh
+docker compose --env-file /opt/fedeo/.env -f /opt/fedeo/docker-compose.yml up -d
 ```
 
-Falls du statt lokaler Builds vorgebaute Images verwenden willst, kannst du in der Compose-Datei `build:` durch passende `image:`-Eintrage ersetzen. Erst dann ist ein vorgelagertes `docker compose pull` sinnvoll.
+Der Backend-Container wendet Datenbankmigrationen beim Start automatisch an. Bei kritischen Updates sollte vorher ein Backup von `./postgres` und `./minio` erstellt werden.
+
+Die Selfhost-Compose-Datei nutzt vorgebaute Images. Dadurch braucht der Server keinen Repository-Checkout und keine lokalen Build-Kontexte.
 
 ## Backup-Empfehlung
 
@@ -416,6 +511,8 @@ Regelmassig sichern:
 
 - `./postgres`
 - `./minio` falls MinIO lokal genutzt wird
+- `./matrix/postgres` falls Matrix lokal betrieben wird
+- `./matrix/synapse` falls Matrix lokal betrieben wird
 - `./traefik/letsencrypt/acme.json`
 - deine `.env`
 - deine dokumentierten Secret-Werte aus der `.env` oder deinem Secret-Management

agents/fedeo-device-agent/.dockerignore

@@ -0,0 +1,6 @@
+node_modules
+dist
+.venv-opencv
+.env
+*.log
+*.tmp

agents/fedeo-device-agent/.env.example

@@ -0,0 +1,14 @@
+FEDEO_URL=https://fedeo.example.com
+FEDEO_AGENT_TOKEN=fedeo_agent_REPLACE_ME
+FEDEO_POLL_SECONDS=5
+FEDEO_WORK_DIR=/tmp/fedeo-device-agent
+FEDEO_SCANNER_NAME=
+FEDEO_PRINTER_NAME=
+FEDEO_SCAN_FORMAT=pdf
+FEDEO_SCAN_RESOLUTION=300
+FEDEO_SCAN_MODE=Color
+FEDEO_SCAN_SOURCE=
+FEDEO_SCAN_POSTPROCESS=false
+FEDEO_SCAN_POSTPROCESS_PROFILE=document
+FEDEO_SCAN_POSTPROCESS_PYTHON=
+FEDEO_SCAN_POSTPROCESS_STRICT=false

agents/fedeo-device-agent/.gitignore

@@ -0,0 +1,6 @@
+dist
+node_modules
+.venv-opencv
+.env
+*.log
+*.tmp

agents/fedeo-device-agent/Dockerfile

@@ -0,0 +1,45 @@
+FROM node:20-bookworm-slim AS build
+
+WORKDIR /app
+
+COPY package.json tsconfig.json ./
+RUN npm install
+
+COPY src ./src
+RUN npm run build
+
+FROM node:20-bookworm-slim AS runtime
+
+ENV NODE_ENV=production
+ENV FEDEO_WORK_DIR=/work
+ENV FEDEO_SCAN_POSTPROCESS=true
+ENV FEDEO_SCAN_POSTPROCESS_PROFILE=receipt
+ENV FEDEO_SCAN_POSTPROCESS_PYTHON=/opt/fedeo-device-agent/.venv-opencv/bin/python
+ENV FEDEO_SCAN_POSTPROCESS_STRICT=false
+
+WORKDIR /opt/fedeo-device-agent
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        ca-certificates \
+        cups-client \
+        libgomp1 \
+        python3 \
+        python3-pip \
+        python3-venv \
+        sane-utils \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY requirements-opencv.txt ./
+RUN python3 -m venv .venv-opencv \
+    && .venv-opencv/bin/python -m pip install --no-cache-dir --upgrade pip \
+    && .venv-opencv/bin/python -m pip install --no-cache-dir -r requirements-opencv.txt \
+    && .venv-opencv/bin/python -c "import cv2, PIL, numpy"
+
+COPY --from=build /app/dist ./dist
+COPY scripts ./scripts
+COPY package.json ./
+
+RUN mkdir -p /work
+
+CMD ["node", "dist/main.js"]

agents/fedeo-device-agent/README.md

@@ -0,0 +1,133 @@
+# FEDEO Geräte-Agent
+
+Der FEDEO Geräte-Agent läuft lokal auf macOS, Linux oder Raspberry Pi OS. Er holt instanzweite Scan-Aufträge von FEDEO ab, führt sie auf einem lokal angeschlossenen Scanner aus und lädt das Ergebnis wieder in FEDEO hoch.
+
+Der Agent ist nicht an einen Mandanten gebunden. Jeder Auftrag enthält seinen Tenant selbst.
+
+## Voraussetzungen
+
+### macOS
+
+```bash
+brew install node sane-backends
+scanimage -L
+```
+
+Drucken nutzt später das macOS-Drucksystem/CUPS:
+
+```bash
+lpstat -p
+```
+
+### Linux und Raspberry Pi OS
+
+```bash
+sudo apt update
+sudo apt install -y nodejs npm sane-utils cups
+scanimage -L
+lpstat -p
+```
+
+## Konfiguration
+
+```bash
+cp .env.example .env
+nano .env
+```
+
+Wichtige Werte:
+
+```env
+FEDEO_URL=https://deine-fedeo-instanz
+FEDEO_AGENT_TOKEN=fedeo_agent_...
+FEDEO_SCANNER_NAME=
+FEDEO_POLL_SECONDS=5
+```
+
+Wenn `FEDEO_SCANNER_NAME` leer bleibt, verwendet `scanimage` den Standard-Scanner.
+
+## Entwicklung
+
+```bash
+npm install
+npm run dev
+```
+
+## OpenCV-Nachbearbeitung
+
+Für automatischen Zuschnitt, leichte Entzerrung, Rotation und Kontrastkorrektur kann die OpenCV-Pipeline aktiviert werden.
+
+```bash
+npm run setup:opencv
+```
+
+Konfiguration:
+
+```env
+FEDEO_SCAN_POSTPROCESS=true
+FEDEO_SCAN_POSTPROCESS_PROFILE=receipt
+FEDEO_SCAN_POSTPROCESS_PYTHON=/pfad/zum/agent/.venv-opencv/bin/python
+FEDEO_SCAN_POSTPROCESS_STRICT=false
+```
+
+Wenn `FEDEO_SCAN_POSTPROCESS_PYTHON` leer bleibt, verwendet der Agent automatisch `.venv-opencv/bin/python`, sofern diese Umgebung existiert. Falls OpenCV nicht installiert ist und `FEDEO_SCAN_POSTPROCESS_STRICT=false` gesetzt ist, lädt der Agent den Rohscan hoch, statt den Auftrag komplett fehlschlagen zu lassen.
+
+Profile:
+
+- `receipt`: Bons und schmale Belege werden bevorzugt hochkant zugeschnitten und kontrastiert.
+- `document`: allgemeine Dokumente mit Farberhalt und moderater Verbesserung.
+- `raw`: Zuschnitt/Entzerrung ohne starke Kontrastkorrektur.
+
+## Container-Betrieb
+
+Auf Linux und Raspberry Pi OS kann der Agent komplett im Container laufen. Dadurch bleiben Node.js, Python, OpenCV und SANE im Image. Auf dem Host werden dann nur Docker und Zugriff auf den USB-Scanner benötigt.
+
+```bash
+cp .env.example .env
+nano .env
+docker compose -f docker-compose.example.yml up --build
+```
+
+Wenn FEDEO lokal auf dem Docker-Host läuft, verwende im Container nicht `localhost`, sondern:
+
+```env
+FEDEO_URL=http://host.docker.internal:3100
+```
+
+Scanner im Container prüfen:
+
+```bash
+docker compose -f docker-compose.example.yml run --rm fedeo-device-agent scanimage -L
+```
+
+Wenn der Scanner nicht sichtbar ist, hilft je nach Gerät/Host manchmal `privileged: true` im Compose-Beispiel. Auf macOS ist Docker dafür nur eingeschränkt geeignet, weil Docker Desktop USB-Scanner normalerweise nicht direkt an Linux-Container durchreichen kann. Für macOS bleibt deshalb der native Agent oder später eine signierte App der bessere Weg.
+
+## Build
+
+```bash
+npm run build
+npm start
+```
+
+## FEDEO-Endpunkte
+
+Der Agent nutzt:
+
+- `POST /instance-agent/heartbeat`
+- `GET /instance-agent/scan-jobs/next`
+- `POST /instance-agent/scan-jobs/:id/status`
+- `POST /instance-agent/scan-jobs/:id/upload`
+
+## macOS Autostart
+
+Die Vorlage liegt unter `system/macos/com.fedeo.device-agent.plist`. Nach Anpassung der Pfade kann sie als LaunchAgent installiert werden:
+
+```bash
+mkdir -p ~/Library/LaunchAgents
+cp system/macos/com.fedeo.device-agent.plist ~/Library/LaunchAgents/
+launchctl load ~/Library/LaunchAgents/com.fedeo.device-agent.plist
+```
+
+## Linux Autostart
+
+Die Vorlage liegt unter `system/linux/fedeo-device-agent.service`.

agents/fedeo-device-agent/docker-compose.example.yml

@@ -0,0 +1,28 @@
+services:
+  fedeo-device-agent:
+    build:
+      context: .
+    image: fedeo-device-agent:local
+    container_name: fedeo-device-agent
+    restart: unless-stopped
+    env_file:
+      - .env
+    environment:
+      FEDEO_WORK_DIR: /work
+      FEDEO_SCAN_POSTPROCESS: "true"
+      FEDEO_SCAN_POSTPROCESS_PROFILE: receipt
+      FEDEO_SCAN_POSTPROCESS_PYTHON: /opt/fedeo-device-agent/.venv-opencv/bin/python
+      FEDEO_SCAN_POSTPROCESS_STRICT: "false"
+    volumes:
+      - fedeo-device-agent-work:/work
+      # Optional fuer CUPS-Druck ueber den Host:
+      # - /var/run/cups/cups.sock:/var/run/cups/cups.sock
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    devices:
+      - /dev/bus/usb:/dev/bus/usb
+    # Falls SANE den Scanner trotz devices-Mapping nicht sieht, testweise aktivieren:
+    # privileged: true
+
+volumes:
+  fedeo-device-agent-work:

agents/fedeo-device-agent/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "@fedeo/device-agent",
+  "version": "0.1.0",
+  "private": true,
+  "description": "Lokaler FEDEO Druck- und Scan-Agent für macOS, Linux und Raspberry Pi OS.",
+  "type": "module",
+  "main": "dist/main.js",
+  "bin": {
+    "fedeo-device-agent": "dist/main.js"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "dev": "tsx src/main.ts",
+    "start": "node dist/main.js",
+    "setup:opencv": "sh scripts/setup-opencv.sh"
+  },
+  "dependencies": {},
+  "devDependencies": {
+    "@types/node": "^24.3.0",
+    "tsx": "^4.20.5",
+    "typescript": "^5.9.2"
+  },
+  "engines": {
+    "node": ">=20"
+  }
+}

agents/fedeo-device-agent/requirements-opencv.txt

@@ -0,0 +1,3 @@
+opencv-python-headless>=4.9
+Pillow>=10.0
+numpy>=1.26

agents/fedeo-device-agent/scripts/opencv_postprocess.py

@@ -0,0 +1,219 @@
+#!/usr/bin/env python3
+import argparse
+import math
+from pathlib import Path
+
+import cv2
+import numpy as np
+from PIL import Image
+
+
+def order_points(points):
+    rect = np.zeros((4, 2), dtype="float32")
+    point_sum = points.sum(axis=1)
+    point_diff = np.diff(points, axis=1)
+
+    rect[0] = points[np.argmin(point_sum)]
+    rect[2] = points[np.argmax(point_sum)]
+    rect[1] = points[np.argmin(point_diff)]
+    rect[3] = points[np.argmax(point_diff)]
+    return rect
+
+
+def four_point_transform(image, points):
+    rect = order_points(points)
+    top_left, top_right, bottom_right, bottom_left = rect
+
+    width_a = np.linalg.norm(bottom_right - bottom_left)
+    width_b = np.linalg.norm(top_right - top_left)
+    max_width = int(max(width_a, width_b))
+
+    height_a = np.linalg.norm(top_right - bottom_right)
+    height_b = np.linalg.norm(top_left - bottom_left)
+    max_height = int(max(height_a, height_b))
+
+    destination = np.array([
+        [0, 0],
+        [max_width - 1, 0],
+        [max_width - 1, max_height - 1],
+        [0, max_height - 1],
+    ], dtype="float32")
+
+    matrix = cv2.getPerspectiveTransform(rect, destination)
+    return cv2.warpPerspective(image, matrix, (max_width, max_height), borderValue=(255, 255, 255))
+
+
+def rotate_bound(image, angle):
+    height, width = image.shape[:2]
+    center = (width / 2, height / 2)
+    matrix = cv2.getRotationMatrix2D(center, angle, 1.0)
+    cos = abs(matrix[0, 0])
+    sin = abs(matrix[0, 1])
+
+    new_width = int((height * sin) + (width * cos))
+    new_height = int((height * cos) + (width * sin))
+
+    matrix[0, 2] += (new_width / 2) - center[0]
+    matrix[1, 2] += (new_height / 2) - center[1]
+
+    return cv2.warpAffine(image, matrix, (new_width, new_height), borderValue=(255, 255, 255))
+
+
+def deskew_by_text_angle(image):
+    gray = cv2.cvtColor(image, cv2.COLOR_BGR2GRAY)
+    inverted = cv2.bitwise_not(gray)
+    threshold = cv2.threshold(inverted, 0, 255, cv2.THRESH_BINARY | cv2.THRESH_OTSU)[1]
+    coordinates = np.column_stack(np.where(threshold > 0))
+
+    if len(coordinates) < 500:
+        return image
+
+    angle = cv2.minAreaRect(coordinates)[-1]
+    if angle < -45:
+        angle = -(90 + angle)
+    else:
+        angle = -angle
+
+    if abs(angle) < 0.2 or abs(angle) > 8:
+        return image
+
+    return rotate_bound(image, angle)
+
+
+def find_document_contour(image, profile):
+    ratio = image.shape[0] / 900.0
+    resized = cv2.resize(image, (int(image.shape[1] / ratio), 900))
+    gray = cv2.cvtColor(resized, cv2.COLOR_BGR2GRAY)
+    gray = cv2.GaussianBlur(gray, (5, 5), 0)
+
+    edges = cv2.Canny(gray, 45, 140)
+    kernel = cv2.getStructuringElement(cv2.MORPH_RECT, (7, 7))
+    edges = cv2.morphologyEx(edges, cv2.MORPH_CLOSE, kernel)
+
+    contours, _ = cv2.findContours(edges, cv2.RETR_EXTERNAL, cv2.CHAIN_APPROX_SIMPLE)
+    contours = sorted(contours, key=cv2.contourArea, reverse=True)[:8]
+
+    min_area = resized.shape[0] * resized.shape[1] * (0.03 if profile == "receipt" else 0.12)
+
+    for contour in contours:
+        if cv2.contourArea(contour) < min_area:
+            continue
+
+        perimeter = cv2.arcLength(contour, True)
+        approx = cv2.approxPolyDP(contour, 0.025 * perimeter, True)
+        if len(approx) == 4:
+            return approx.reshape(4, 2) * ratio
+
+    return None
+
+
+def trim_light_border(image):
+    gray = cv2.cvtColor(image, cv2.COLOR_BGR2GRAY)
+    mask = cv2.threshold(gray, 245, 255, cv2.THRESH_BINARY_INV)[1]
+    kernel = cv2.getStructuringElement(cv2.MORPH_RECT, (9, 9))
+    mask = cv2.morphologyEx(mask, cv2.MORPH_CLOSE, kernel)
+
+    contours, _ = cv2.findContours(mask, cv2.RETR_EXTERNAL, cv2.CHAIN_APPROX_SIMPLE)
+    if not contours:
+        return image
+
+    contour = max(contours, key=cv2.contourArea)
+    if cv2.contourArea(contour) < image.shape[0] * image.shape[1] * 0.02:
+        return image
+
+    x, y, width, height = cv2.boundingRect(contour)
+    padding = max(12, int(min(width, height) * 0.025))
+    x = max(0, x - padding)
+    y = max(0, y - padding)
+    width = min(image.shape[1] - x, width + padding * 2)
+    height = min(image.shape[0] - y, height + padding * 2)
+    return image[y:y + height, x:x + width]
+
+
+def enhance_receipt(image):
+    gray = cv2.cvtColor(image, cv2.COLOR_BGR2GRAY)
+    clahe = cv2.createCLAHE(clipLimit=2.0, tileGridSize=(8, 8))
+    gray = clahe.apply(gray)
+    gray = cv2.fastNlMeansDenoising(gray, None, 8, 7, 21)
+    gray = cv2.normalize(gray, None, 0, 255, cv2.NORM_MINMAX)
+    return cv2.cvtColor(gray, cv2.COLOR_GRAY2BGR)
+
+
+def enhance_document(image):
+    lab = cv2.cvtColor(image, cv2.COLOR_BGR2LAB)
+    l_channel, a_channel, b_channel = cv2.split(lab)
+    clahe = cv2.createCLAHE(clipLimit=1.6, tileGridSize=(8, 8))
+    l_channel = clahe.apply(l_channel)
+    return cv2.cvtColor(cv2.merge((l_channel, a_channel, b_channel)), cv2.COLOR_LAB2BGR)
+
+
+def auto_rotate_profile(image, profile):
+    height, width = image.shape[:2]
+
+    if profile == "receipt" and width > height:
+        return cv2.rotate(image, cv2.ROTATE_90_CLOCKWISE)
+
+    return image
+
+
+def postprocess(input_path, output_path, profile):
+    image = cv2.imread(str(input_path), cv2.IMREAD_COLOR)
+    if image is None:
+        raise RuntimeError(f"OpenCV konnte {input_path} nicht lesen")
+
+    contour = find_document_contour(image, profile)
+    if contour is not None:
+        processed = four_point_transform(image, contour.astype("float32"))
+    else:
+        processed = trim_light_border(image)
+
+    processed = deskew_by_text_angle(processed)
+    processed = trim_light_border(processed)
+    processed = auto_rotate_profile(processed, profile)
+
+    if profile == "receipt":
+        processed = enhance_receipt(processed)
+    elif profile != "raw":
+        processed = enhance_document(processed)
+
+    save_output(processed, output_path)
+
+
+def save_output(image, output_path):
+    suffix = output_path.suffix.lower()
+
+    if suffix == ".pdf":
+        rgb = cv2.cvtColor(image, cv2.COLOR_BGR2RGB)
+        pil_image = Image.fromarray(rgb)
+        if pil_image.mode != "RGB":
+            pil_image = pil_image.convert("RGB")
+        pil_image.save(output_path, "PDF", resolution=300.0)
+        return
+
+    if suffix in {".jpg", ".jpeg"}:
+        cv2.imwrite(str(output_path), image, [cv2.IMWRITE_JPEG_QUALITY, 92])
+        return
+
+    if suffix == ".png":
+        cv2.imwrite(str(output_path), image, [cv2.IMWRITE_PNG_COMPRESSION, 3])
+        return
+
+    if suffix in {".tif", ".tiff"}:
+        cv2.imwrite(str(output_path), image)
+        return
+
+    raise RuntimeError(f"Nicht unterstütztes Ausgabeformat: {suffix}")
+
+
+def main():
+    parser = argparse.ArgumentParser(description="FEDEO Scan-Nachbearbeitung mit OpenCV")
+    parser.add_argument("--input", required=True)
+    parser.add_argument("--output", required=True)
+    parser.add_argument("--profile", default="document", choices=["document", "receipt", "raw"])
+    args = parser.parse_args()
+
+    postprocess(Path(args.input), Path(args.output), args.profile)
+
+
+if __name__ == "__main__":
+    main()

agents/fedeo-device-agent/scripts/setup-opencv.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env sh
+set -eu
+
+SCRIPT_DIR="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+AGENT_DIR="$(CDPATH= cd -- "$SCRIPT_DIR/.." && pwd)"
+VENV_DIR="${FEDEO_SCAN_POSTPROCESS_VENV:-$AGENT_DIR/.venv-opencv}"
+PYTHON_BIN="${PYTHON:-python3}"
+
+echo "FEDEO OpenCV-Umgebung wird vorbereitet"
+echo "Agent: $AGENT_DIR"
+echo "Venv:  $VENV_DIR"
+
+if ! command -v "$PYTHON_BIN" >/dev/null 2>&1; then
+  echo "Fehler: $PYTHON_BIN wurde nicht gefunden." >&2
+  exit 1
+fi
+
+"$PYTHON_BIN" -m venv "$VENV_DIR"
+"$VENV_DIR/bin/python" -m pip install --upgrade pip
+"$VENV_DIR/bin/python" -m pip install -r "$AGENT_DIR/requirements-opencv.txt"
+"$VENV_DIR/bin/python" -c "import cv2, PIL, numpy; print('OpenCV OK')"
+
+echo
+echo "Fertig. Verwende in .env:"
+echo "FEDEO_SCAN_POSTPROCESS=true"
+echo "FEDEO_SCAN_POSTPROCESS_PYTHON=$VENV_DIR/bin/python"

agents/fedeo-device-agent/src/api.ts

@@ -0,0 +1,67 @@
+import { readFile } from "node:fs/promises"
+import { basename } from "node:path"
+import { AgentConfig, AgentHeartbeat, NextScanJobResponse, ScanResult } from "./types.js"
+
+export class FedeoApi {
+    constructor(private readonly config: AgentConfig) {}
+
+    private url(path: string) {
+        return `${this.config.fedeoUrl}${path}`
+    }
+
+    private headers(extra?: HeadersInit): HeadersInit {
+        return {
+            "X-Agent-Token": this.config.agentToken,
+            ...extra,
+        }
+    }
+
+    private async request<T>(path: string, init: RequestInit = {}): Promise<T> {
+        const response = await fetch(this.url(path), {
+            ...init,
+            headers: this.headers(init.headers),
+        })
+
+        if (!response.ok) {
+            const body = await response.text().catch(() => "")
+            throw new Error(`${init.method || "GET"} ${path} fehlgeschlagen: ${response.status} ${body}`)
+        }
+
+        return await response.json() as T
+    }
+
+    heartbeat(payload: AgentHeartbeat) {
+        return this.request<{ status: string; pendingScanJobs: number }>("/instance-agent/heartbeat", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(payload),
+        })
+    }
+
+    nextScanJob() {
+        return this.request<NextScanJobResponse>("/instance-agent/scan-jobs/next")
+    }
+
+    updateScanJobStatus(jobId: string, status: "running" | "failed" | "canceled", message?: string) {
+        return this.request(`/instance-agent/scan-jobs/${jobId}/status`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ status, message }),
+        })
+    }
+
+    async uploadScan(jobId: string, result: ScanResult) {
+        const form = new FormData()
+        const fileBuffer = await readFile(result.path)
+        const file = new File([fileBuffer], result.filename || basename(result.path), {
+            type: result.mimeType,
+        })
+
+        form.append("file", file)
+
+        return this.request(`/instance-agent/scan-jobs/${jobId}/upload`, {
+            method: "POST",
+            body: form,
+        })
+    }
+}

agents/fedeo-device-agent/src/commands.ts

@@ -0,0 +1,48 @@
+import { spawn } from "node:child_process"
+
+export type CommandResult = {
+    stdout: string
+    stderr: string
+    code: number
+}
+
+export const commandExists = (command: string) =>
+    new Promise<boolean>((resolve) => {
+        const child = spawn("sh", ["-lc", `command -v ${command}`])
+        child.on("error", () => resolve(false))
+        child.on("close", (code) => resolve(code === 0))
+    })
+
+export const runCommand = (
+    command: string,
+    args: string[],
+    options: { timeoutMs?: number } = {}
+) =>
+    new Promise<CommandResult>((resolve, reject) => {
+        const child = spawn(command, args, {
+            stdio: ["ignore", "pipe", "pipe"],
+        })
+
+        const stdout: Buffer[] = []
+        const stderr: Buffer[] = []
+
+        const timeout = options.timeoutMs
+            ? setTimeout(() => {
+                child.kill("SIGTERM")
+                reject(new Error(`${command} wurde nach ${options.timeoutMs} ms beendet`))
+            }, options.timeoutMs)
+            : null
+
+        child.stdout.on("data", (chunk) => stdout.push(Buffer.from(chunk)))
+        child.stderr.on("data", (chunk) => stderr.push(Buffer.from(chunk)))
+        child.on("error", reject)
+        child.on("close", (code) => {
+            if (timeout) clearTimeout(timeout)
+
+            resolve({
+                stdout: Buffer.concat(stdout).toString("utf8"),
+                stderr: Buffer.concat(stderr).toString("utf8"),
+                code: code ?? 0,
+            })
+        })
+    })

agents/fedeo-device-agent/src/config.ts

@@ -0,0 +1,68 @@
+import path from "node:path"
+import os from "node:os"
+import { existsSync } from "node:fs"
+import { fileURLToPath } from "node:url"
+import { AgentConfig } from "./types.js"
+import { loadDotEnv } from "./env.js"
+
+const currentFile = fileURLToPath(import.meta.url)
+const agentRoot = path.resolve(path.dirname(currentFile), "..")
+
+const optional = (value: string | undefined) => {
+    const trimmed = value?.trim()
+    return trimmed ? trimmed : undefined
+}
+
+const numberFromEnv = (value: string | undefined, fallback: number) => {
+    if (!value) return fallback
+
+    const parsed = Number(value)
+    return Number.isFinite(parsed) && parsed > 0 ? parsed : fallback
+}
+
+const scanFormatFromEnv = (value: string | undefined): AgentConfig["scanFormat"] => {
+    if (value === "png" || value === "tiff" || value === "pdf") return value
+    return "pdf"
+}
+
+const booleanFromEnv = (value: string | undefined, fallback: boolean) => {
+    if (!value) return fallback
+    return ["1", "true", "yes", "ja", "on"].includes(value.trim().toLowerCase())
+}
+
+const postprocessProfileFromEnv = (value: string | undefined): AgentConfig["postprocessProfile"] => {
+    if (value === "document" || value === "receipt" || value === "raw") return value
+    return "document"
+}
+
+const defaultPostprocessPython = () => {
+    const localVenvPython = path.join(agentRoot, ".venv-opencv", "bin", "python")
+    return existsSync(localVenvPython) ? localVenvPython : "python3"
+}
+
+export const loadConfig = (): AgentConfig => {
+    loadDotEnv(process.env.FEDEO_AGENT_ENV || ".env")
+
+    const fedeoUrl = optional(process.env.FEDEO_URL)
+    const agentToken = optional(process.env.FEDEO_AGENT_TOKEN)
+
+    if (!fedeoUrl) throw new Error("FEDEO_URL fehlt")
+    if (!agentToken) throw new Error("FEDEO_AGENT_TOKEN fehlt")
+
+    return {
+        fedeoUrl: fedeoUrl.replace(/\/+$/, ""),
+        agentToken,
+        pollSeconds: numberFromEnv(process.env.FEDEO_POLL_SECONDS, 5),
+        workDir: optional(process.env.FEDEO_WORK_DIR) || path.join(os.tmpdir(), "fedeo-device-agent"),
+        scannerName: optional(process.env.FEDEO_SCANNER_NAME),
+        printerName: optional(process.env.FEDEO_PRINTER_NAME),
+        scanFormat: scanFormatFromEnv(process.env.FEDEO_SCAN_FORMAT),
+        scanResolution: numberFromEnv(process.env.FEDEO_SCAN_RESOLUTION, 300),
+        scanMode: optional(process.env.FEDEO_SCAN_MODE) || "Color",
+        scanSource: optional(process.env.FEDEO_SCAN_SOURCE),
+        scanPostprocess: booleanFromEnv(process.env.FEDEO_SCAN_POSTPROCESS, false),
+        postprocessProfile: postprocessProfileFromEnv(process.env.FEDEO_SCAN_POSTPROCESS_PROFILE),
+        postprocessPython: optional(process.env.FEDEO_SCAN_POSTPROCESS_PYTHON) || defaultPostprocessPython(),
+        postprocessStrict: booleanFromEnv(process.env.FEDEO_SCAN_POSTPROCESS_STRICT, false),
+    }
+}

agents/fedeo-device-agent/src/env.ts

@@ -0,0 +1,32 @@
+import { readFileSync, existsSync } from "node:fs"
+
+const parseEnvLine = (line: string) => {
+    const trimmed = line.trim()
+    if (!trimmed || trimmed.startsWith("#")) return null
+
+    const separator = trimmed.indexOf("=")
+    if (separator === -1) return null
+
+    const key = trimmed.slice(0, separator).trim()
+    let value = trimmed.slice(separator + 1).trim()
+
+    if (
+        (value.startsWith("\"") && value.endsWith("\"")) ||
+        (value.startsWith("'") && value.endsWith("'"))
+    ) {
+        value = value.slice(1, -1)
+    }
+
+    return { key, value }
+}
+
+export const loadDotEnv = (path = ".env") => {
+    if (!existsSync(path)) return
+
+    const content = readFileSync(path, "utf8")
+    for (const line of content.split(/\r?\n/)) {
+        const parsed = parseEnvLine(line)
+        if (!parsed) continue
+        if (process.env[parsed.key] === undefined) process.env[parsed.key] = parsed.value
+    }
+}

agents/fedeo-device-agent/src/logger.ts

@@ -0,0 +1,30 @@
+const timestamp = () => new Date().toISOString()
+
+export const log = {
+    info(message: string, meta?: unknown) {
+        if (meta === undefined) {
+            console.log(`[${timestamp()}] INFO ${message}`)
+            return
+        }
+
+        console.log(`[${timestamp()}] INFO ${message}`, meta)
+    },
+
+    warn(message: string, meta?: unknown) {
+        if (meta === undefined) {
+            console.warn(`[${timestamp()}] WARN ${message}`)
+            return
+        }
+
+        console.warn(`[${timestamp()}] WARN ${message}`, meta)
+    },
+
+    error(message: string, meta?: unknown) {
+        if (meta === undefined) {
+            console.error(`[${timestamp()}] ERROR ${message}`)
+            return
+        }
+
+        console.error(`[${timestamp()}] ERROR ${message}`, meta)
+    },
+}

agents/fedeo-device-agent/src/main.ts

@@ -0,0 +1,93 @@
+#!/usr/bin/env node
+import os from "node:os"
+import { FedeoApi } from "./api.js"
+import { loadConfig } from "./config.js"
+import { log } from "./logger.js"
+import { listPrinters } from "./print/cups.js"
+import { hasSane, listScanners, runScan } from "./scan/sane.js"
+
+const sleep = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms))
+
+const stringifyError = (error: unknown) => {
+    if (error instanceof Error) return error.message
+    return String(error)
+}
+
+const main = async () => {
+    const config = loadConfig()
+    const api = new FedeoApi(config)
+
+    log.info("FEDEO Geräte-Agent startet", {
+        platform: process.platform,
+        workDir: config.workDir,
+        pollSeconds: config.pollSeconds,
+    })
+
+    while (true) {
+        try {
+            const scannerNames = await listScanners()
+            const printerNames = await listPrinters()
+            const scanAvailable = await hasSane()
+
+            const heartbeat = await api.heartbeat({
+                capabilities: {
+                    scan: scanAvailable,
+                    print: printerNames.length > 0,
+                    platform: process.platform,
+                },
+                scannerNames,
+                printerNames,
+                debugInfo: {
+                    hostname: os.hostname(),
+                    release: os.release(),
+                    arch: os.arch(),
+                    node: process.version,
+                    uptimeSeconds: Math.round(os.uptime()),
+                },
+            })
+
+            if (heartbeat.pendingScanJobs > 0) {
+                log.info(`${heartbeat.pendingScanJobs} Scan-Auftrag/Aufträge warten`)
+            }
+
+            const next = await api.nextScanJob()
+            if (!next.job) {
+                await sleep(config.pollSeconds * 1000)
+                continue
+            }
+
+            log.info("Scan-Auftrag wird ausgeführt", {
+                jobId: next.job.id,
+                tenantId: next.job.tenantId,
+                scannerName: next.job.scannerName || config.scannerName || "default",
+            })
+
+            try {
+                await api.updateScanJobStatus(next.job.id, "running")
+                const scanResult = await runScan(config, next.job)
+                await api.uploadScan(next.job.id, scanResult)
+
+                log.info("Scan-Auftrag abgeschlossen", {
+                    jobId: next.job.id,
+                    file: scanResult.filename,
+                })
+            } catch (error) {
+                const message = stringifyError(error)
+                log.error("Scan-Auftrag fehlgeschlagen", {
+                    jobId: next.job.id,
+                    message,
+                })
+
+                await api.updateScanJobStatus(next.job.id, "failed", message)
+            }
+        } catch (error) {
+            log.error("Agent-Schleife fehlgeschlagen", stringifyError(error))
+            await sleep(config.pollSeconds * 1000)
+        }
+    }
+}
+
+main().catch((error) => {
+    log.error("Agent konnte nicht gestartet werden", stringifyError(error))
+    process.exit(1)
+})

agents/fedeo-device-agent/src/print/cups.ts

@@ -0,0 +1,15 @@
+import { commandExists, runCommand } from "../commands.js"
+
+export const hasCups = () => commandExists("lpstat")
+
+export const listPrinters = async () => {
+    if (!await hasCups()) return []
+
+    const result = await runCommand("lpstat", ["-p"], { timeoutMs: 10_000 })
+    if (result.code !== 0) return []
+
+    return result.stdout
+        .split(/\r?\n/)
+        .map((line) => line.match(/^printer\s+(\S+)/)?.[1])
+        .filter((printer): printer is string => Boolean(printer))
+}

agents/fedeo-device-agent/src/scan/postprocess.ts

@@ -0,0 +1,66 @@
+import path from "node:path"
+import { fileURLToPath } from "node:url"
+import { AgentConfig, ScanResult } from "../types.js"
+import { commandExists, runCommand } from "../commands.js"
+
+const currentFile = fileURLToPath(import.meta.url)
+const agentRoot = path.resolve(path.dirname(currentFile), "../..")
+const postprocessScript = path.join(agentRoot, "scripts/opencv_postprocess.py")
+
+const extensionMimeTypes: Record<string, string> = {
+    ".pdf": "application/pdf",
+    ".png": "image/png",
+    ".tif": "image/tiff",
+    ".tiff": "image/tiff",
+    ".jpg": "image/jpeg",
+    ".jpeg": "image/jpeg",
+}
+
+const ensureOutputExtension = (filename: string, format: AgentConfig["scanFormat"]) => {
+    const ext = path.extname(filename)
+    if (ext) return filename
+    return `${filename}.${format}`
+}
+
+export const hasOpenCvPostprocessRuntime = async (config: AgentConfig) => {
+    if (!await commandExists(config.postprocessPython)) return false
+
+    const result = await runCommand(config.postprocessPython, [
+        "-c",
+        "import cv2, PIL, numpy",
+    ], { timeoutMs: 10_000 })
+
+    return result.code === 0
+}
+
+export const postprocessScan = async (
+    config: AgentConfig,
+    inputPath: string,
+    outputFilename: string,
+    outputFormat: AgentConfig["scanFormat"],
+    profile: AgentConfig["postprocessProfile"]
+): Promise<ScanResult> => {
+    const filename = ensureOutputExtension(outputFilename, outputFormat)
+    const outputPath = path.join(config.workDir, filename)
+
+    const result = await runCommand(config.postprocessPython, [
+        postprocessScript,
+        "--input",
+        inputPath,
+        "--output",
+        outputPath,
+        "--profile",
+        profile,
+    ], { timeoutMs: 5 * 60 * 1000 })
+
+    if (result.code !== 0) {
+        throw new Error(result.stderr || `OpenCV-Nachbearbeitung wurde mit Code ${result.code} beendet`)
+    }
+
+    const extension = path.extname(outputPath).toLowerCase()
+    return {
+        path: outputPath,
+        filename,
+        mimeType: extensionMimeTypes[extension] || "application/octet-stream",
+    }
+}

agents/fedeo-device-agent/src/scan/sane.ts

@@ -0,0 +1,149 @@
+import { mkdirSync } from "node:fs"
+import path from "node:path"
+import { AgentConfig, ScanJob, ScanResult } from "../types.js"
+import { commandExists, runCommand } from "../commands.js"
+import { hasOpenCvPostprocessRuntime, postprocessScan } from "./postprocess.js"
+import { log } from "../logger.js"
+
+const mimeTypes = {
+    pdf: "application/pdf",
+    png: "image/png",
+    tiff: "image/tiff",
+}
+
+const stringSetting = (settings: Record<string, unknown> | undefined, key: string) => {
+    const value = settings?.[key]
+    return typeof value === "string" && value.trim() ? value.trim() : undefined
+}
+
+const numberSetting = (settings: Record<string, unknown> | undefined, key: string) => {
+    const value = settings?.[key]
+    if (typeof value === "number" && Number.isFinite(value)) return value
+    if (typeof value === "string" && value.trim()) {
+        const parsed = Number(value)
+        if (Number.isFinite(parsed)) return parsed
+    }
+
+    return undefined
+}
+
+const booleanSetting = (settings: Record<string, unknown> | undefined, key: string, fallback: boolean) => {
+    const value = settings?.[key]
+    if (typeof value === "boolean") return value
+    if (typeof value === "string") return ["1", "true", "yes", "ja", "on"].includes(value.trim().toLowerCase())
+    return fallback
+}
+
+const profileSetting = (
+    settings: Record<string, unknown> | undefined,
+    fallback: AgentConfig["postprocessProfile"]
+): AgentConfig["postprocessProfile"] => {
+    const value = settings?.postprocessProfile
+    if (value === "document" || value === "receipt" || value === "raw") return value
+    return fallback
+}
+
+const ensureFilenameExtension = (filename: string, format: AgentConfig["scanFormat"]) => {
+    const ext = path.extname(filename)
+    if (!ext) return `${filename}.${format}`
+
+    const expectedExt = `.${format}`
+    if (ext.toLowerCase() === expectedExt) return filename
+    return `${filename.slice(0, -ext.length)}${expectedExt}`
+}
+
+const fallbackRawResult = (scanOutputPath: string, jobId: string): ScanResult => ({
+    path: scanOutputPath,
+    filename: `${jobId}.raw.png`,
+    mimeType: "image/png",
+})
+
+export const hasSane = () => commandExists("scanimage")
+
+export const listScanners = async () => {
+    if (!await hasSane()) return []
+
+    const result = await runCommand("scanimage", ["-L"], { timeoutMs: 10_000 })
+    if (result.code !== 0) return []
+
+    return result.stdout
+        .split(/\r?\n/)
+        .map((line) => line.trim())
+        .filter((line) => line.startsWith("device `"))
+        .map((line) => line.match(/device `([^']+)'/)?.[1])
+        .filter((device): device is string => Boolean(device))
+}
+
+export const runScan = async (config: AgentConfig, job: ScanJob): Promise<ScanResult> => {
+    if (!await hasSane()) {
+        throw new Error("scanimage ist nicht installiert oder nicht im PATH")
+    }
+
+    mkdirSync(config.workDir, { recursive: true })
+
+    const settings = job.settings || {}
+    const format = stringSetting(settings, "format") as AgentConfig["scanFormat"] | undefined || config.scanFormat
+    const resolution = numberSetting(settings, "resolution") || config.scanResolution
+    const mode = stringSetting(settings, "mode") || config.scanMode
+    const source = stringSetting(settings, "source") || config.scanSource
+    const scannerName = job.scannerName || config.scannerName
+    const filename = ensureFilenameExtension(job.requestedFilename || `${job.id}.${format}`, format)
+    const outputPath = path.join(config.workDir, filename)
+    const shouldPostprocess = booleanSetting(settings, "postprocess", config.scanPostprocess)
+    const postprocessProfile = profileSetting(settings, config.postprocessProfile)
+    const scanFormat = shouldPostprocess ? "png" : format
+    const scanOutputPath = shouldPostprocess
+        ? path.join(config.workDir, `${job.id}.raw.png`)
+        : outputPath
+
+    const args = [
+        "--format",
+        scanFormat,
+        "--resolution",
+        String(resolution),
+        "--mode",
+        mode,
+        "--output-file",
+        scanOutputPath,
+    ]
+
+    if (source) args.push("--source", source)
+    if (scannerName) args.push("--device-name", scannerName)
+
+    const result = await runCommand("scanimage", args, { timeoutMs: 5 * 60 * 1000 })
+
+    if (result.code !== 0) {
+        throw new Error(result.stderr || `scanimage wurde mit Code ${result.code} beendet`)
+    }
+
+    if (shouldPostprocess) {
+        if (!await hasOpenCvPostprocessRuntime(config)) {
+            const message = "OpenCV-Nachbearbeitung ist aktiviert, aber python3 mit cv2, Pillow und numpy ist nicht verfügbar"
+            if (config.postprocessStrict) throw new Error(message)
+
+            log.warn(`${message}. Rohscan wird ohne Korrektur hochgeladen.`, {
+                jobId: job.id,
+                python: config.postprocessPython,
+            })
+            return fallbackRawResult(scanOutputPath, job.id)
+        }
+
+        try {
+            return await postprocessScan(config, scanOutputPath, filename, format, postprocessProfile)
+        } catch (error) {
+            if (config.postprocessStrict) throw error
+
+            log.warn("OpenCV-Nachbearbeitung fehlgeschlagen. Rohscan wird ohne Korrektur hochgeladen.", {
+                jobId: job.id,
+                error: error instanceof Error ? error.message : String(error),
+            })
+            return fallbackRawResult(scanOutputPath, job.id)
+        }
+    }
+
+    return {
+        path: outputPath,
+        filename,
+        mimeType: mimeTypes[format] || "application/octet-stream",
+    }
+}

agents/fedeo-device-agent/src/types.ts

@@ -0,0 +1,48 @@
+export type AgentConfig = {
+    fedeoUrl: string
+    agentToken: string
+    pollSeconds: number
+    workDir: string
+    scannerName?: string
+    printerName?: string
+    scanFormat: "pdf" | "png" | "tiff"
+    scanResolution: number
+    scanMode: string
+    scanSource?: string
+    scanPostprocess: boolean
+    postprocessProfile: "document" | "receipt" | "raw"
+    postprocessPython: string
+    postprocessStrict: boolean
+}
+
+export type AgentHeartbeat = {
+    capabilities: {
+        scan: boolean
+        print: boolean
+        platform: NodeJS.Platform
+    }
+    scannerNames: string[]
+    printerNames: string[]
+    debugInfo: Record<string, unknown>
+}
+
+export type ScanJob = {
+    id: string
+    tenantId: number
+    agentId: string
+    status: string
+    scannerName?: string | null
+    requestedFilename?: string | null
+    settings?: Record<string, unknown>
+    target?: Record<string, unknown>
+}
+
+export type NextScanJobResponse = {
+    job: ScanJob | null
+}
+
+export type ScanResult = {
+    path: string
+    filename: string
+    mimeType: string
+}

agents/fedeo-device-agent/system/linux/fedeo-device-agent.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=FEDEO Geräte-Agent
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+EnvironmentFile=/etc/fedeo-device-agent/config.env
+WorkingDirectory=/opt/fedeo-device-agent
+ExecStart=/usr/bin/node /opt/fedeo-device-agent/dist/main.js
+Restart=always
+RestartSec=5
+User=fedeo-agent
+
+[Install]
+WantedBy=multi-user.target

agents/fedeo-device-agent/system/macos/com.fedeo.device-agent.plist

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>com.fedeo.device-agent</string>
+
+  <key>ProgramArguments</key>
+  <array>
+    <string>/usr/local/bin/node</string>
+    <string>/opt/fedeo-device-agent/dist/main.js</string>
+  </array>
+
+  <key>EnvironmentVariables</key>
+  <dict>
+    <key>FEDEO_AGENT_ENV</key>
+    <string>/opt/fedeo-device-agent/.env</string>
+  </dict>
+
+  <key>RunAtLoad</key>
+  <true/>
+
+  <key>KeepAlive</key>
+  <true/>
+
+  <key>StandardOutPath</key>
+  <string>/tmp/fedeo-device-agent.log</string>
+
+  <key>StandardErrorPath</key>
+  <string>/tmp/fedeo-device-agent.err.log</string>
+</dict>
+</plist>

agents/fedeo-device-agent/tsconfig.json

@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "lib": ["ES2022", "DOM"],
+    "types": ["node"],
+    "typeRoots": ["../../backend/node_modules/@types"],
+    "rootDir": "src",
+    "outDir": "dist",
+    "strict": true,
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "skipLibCheck": true
+  },
+  "include": ["src/**/*.ts"]
+}

backend/Dockerfile

@@ -12,8 +12,10 @@ RUN apt-get update \
 # Package-Dateien
 COPY package*.json ./
 
-# Dev + Prod Dependencies (für TS-Build nötig)
-RUN npm install
+# Dev + Prod Dependencies (für TS-Build nötig).
+# Sharp benötigt im Linux-Container native optionale Pakete, auch wenn das Lockfile auf macOS erzeugt wurde.
+RUN npm install --include=optional \
+    && npm install --include=optional --os=linux --cpu=x64 sharp
 
 # Restlicher Sourcecode
 COPY . .
@@ -24,5 +26,5 @@ RUN npm run build
 # Port freigeben
 EXPOSE 3100
 
-# Start der App
-CMD ["node", "dist/src/index.js"]
+# Migrationen ausführen und App starten
+CMD ["sh", "./docker-entrypoint.sh"]

backend/db/index.ts

@@ -6,10 +6,16 @@ import {secrets} from "../src/utils/secrets";
 
 console.log("[DB INIT] 1. Suche Connection String...");
 
+const fallbackConnectionString = "postgres://postgres:wJw7aNpEBJdcxgoct6GXNpvY4Cn6ECqu@fedeo-db-001.vpn.internal:5432/fedeo"
+
 // Checken woher die URL kommt
-let connectionString = process.env.DATABASE_URL || secrets.DATABASE_URL;
-if (connectionString) {
+let connectionString = process.env.DATABASE_URL || secrets.DATABASE_URL || fallbackConnectionString;
+if (process.env.DATABASE_URL) {
     console.log("[DB INIT] -> Gefunden in process.env.DATABASE_URL");
+} else if (secrets.DATABASE_URL) {
+    console.log("[DB INIT] -> Gefunden in secrets.DATABASE_URL");
+} else if (connectionString) {
+    console.log("[DB INIT] -> Nutze Fallback aus dem Projekt");
 } else {
     console.error("[DB INIT] ❌ KEIN CONNECTION STRING GEFUNDEN! .env nicht geladen?");
 }
@@ -24,4 +30,4 @@ pool.query('SELECT NOW()')
     .then(res => console.log(`[DB INIT] ✅ VERBINDUNG ERFOLGREICH! Zeit auf DB: ${res.rows[0].now}`))
     .catch(err => console.error(`[DB INIT] ❌ VERBINDUNGSFEHLER:`, err.message));
 
-export const db = drizzle(pool, { schema });
+export const db = drizzle(pool, { schema });

backend/db/migrations/0005_green_shinobi_shaw.sql

@@ -14,26 +14,6 @@ CREATE TABLE "m2m_api_keys" (
 	CONSTRAINT "m2m_api_keys_key_hash_unique" UNIQUE("key_hash")
 );
 --> statement-breakpoint
-CREATE TABLE "staff_time_events" (
-	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
-	"tenant_id" bigint NOT NULL,
-	"user_id" uuid NOT NULL,
-	"actor_type" text NOT NULL,
-	"actor_user_id" uuid,
-	"event_time" timestamp with time zone NOT NULL,
-	"event_type" text NOT NULL,
-	"source" text NOT NULL,
-	"invalidates_event_id" uuid,
-	"related_event_id" uuid,
-	"metadata" jsonb,
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
-	CONSTRAINT "time_events_actor_user_check" CHECK (
-        (actor_type = 'system' AND actor_user_id IS NULL)
-        OR
-        (actor_type = 'user' AND actor_user_id IS NOT NULL)
-      )
-);
---> statement-breakpoint
 CREATE TABLE "serialtypes" (
 	"id" bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY (sequence name "serialtypes_id_seq" INCREMENT BY 1 MINVALUE 1 MAXVALUE 9223372036854775807 START WITH 1 CACHE 1),
 	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
@@ -89,20 +69,15 @@ CREATE TABLE "wiki_pages" (
 	"updated_by" uuid
 );
 --> statement-breakpoint
-ALTER TABLE "time_events" DISABLE ROW LEVEL SECURITY;--> statement-breakpoint
-DROP TABLE "time_events" CASCADE;--> statement-breakpoint
 ALTER TABLE "projects" ALTER COLUMN "active_phase" SET DEFAULT 'Erstkontakt';--> statement-breakpoint
 ALTER TABLE "createddocuments" ADD COLUMN "serialexecution" uuid;--> statement-breakpoint
 ALTER TABLE "devices" ADD COLUMN "last_seen" timestamp with time zone;--> statement-breakpoint
 ALTER TABLE "devices" ADD COLUMN "last_debug_info" jsonb;--> statement-breakpoint
 ALTER TABLE "files" ADD COLUMN "size" bigint;--> statement-breakpoint
+ALTER TABLE "staff_time_events" ADD COLUMN "related_event_id" uuid;--> statement-breakpoint
 ALTER TABLE "m2m_api_keys" ADD CONSTRAINT "m2m_api_keys_tenant_id_tenants_id_fk" FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "m2m_api_keys" ADD CONSTRAINT "m2m_api_keys_user_id_auth_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."auth_users"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "m2m_api_keys" ADD CONSTRAINT "m2m_api_keys_created_by_auth_users_id_fk" FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id") ON DELETE set null ON UPDATE cascade;--> statement-breakpoint
-ALTER TABLE "staff_time_events" ADD CONSTRAINT "staff_time_events_tenant_id_tenants_id_fk" FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "staff_time_events" ADD CONSTRAINT "staff_time_events_user_id_auth_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "staff_time_events" ADD CONSTRAINT "staff_time_events_actor_user_id_auth_users_id_fk" FOREIGN KEY ("actor_user_id") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "staff_time_events" ADD CONSTRAINT "staff_time_events_invalidates_event_id_staff_time_events_id_fk" FOREIGN KEY ("invalidates_event_id") REFERENCES "public"."staff_time_events"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "staff_time_events" ADD CONSTRAINT "staff_time_events_related_event_id_staff_time_events_id_fk" FOREIGN KEY ("related_event_id") REFERENCES "public"."staff_time_events"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "serialtypes" ADD CONSTRAINT "serialtypes_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "serialtypes" ADD CONSTRAINT "serialtypes_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
@@ -113,11 +88,8 @@ ALTER TABLE "wiki_pages" ADD CONSTRAINT "wiki_pages_tenant_id_tenants_id_fk" FOR
 ALTER TABLE "wiki_pages" ADD CONSTRAINT "wiki_pages_parent_id_wiki_pages_id_fk" FOREIGN KEY ("parent_id") REFERENCES "public"."wiki_pages"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "wiki_pages" ADD CONSTRAINT "wiki_pages_created_by_auth_users_id_fk" FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "wiki_pages" ADD CONSTRAINT "wiki_pages_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-CREATE INDEX "idx_time_events_tenant_user_time" ON "staff_time_events" USING btree ("tenant_id","user_id","event_time");--> statement-breakpoint
-CREATE INDEX "idx_time_events_created_at" ON "staff_time_events" USING btree ("created_at");--> statement-breakpoint
-CREATE INDEX "idx_time_events_invalidates" ON "staff_time_events" USING btree ("invalidates_event_id");--> statement-breakpoint
 CREATE INDEX "wiki_pages_tenant_idx" ON "wiki_pages" USING btree ("tenant_id");--> statement-breakpoint
 CREATE INDEX "wiki_pages_parent_idx" ON "wiki_pages" USING btree ("parent_id");--> statement-breakpoint
 CREATE INDEX "wiki_pages_entity_int_idx" ON "wiki_pages" USING btree ("tenant_id","entity_type","entity_id");--> statement-breakpoint
 CREATE INDEX "wiki_pages_entity_uuid_idx" ON "wiki_pages" USING btree ("tenant_id","entity_type","entity_uuid");--> statement-breakpoint
-ALTER TABLE "createddocuments" ADD CONSTRAINT "createddocuments_serialexecution_serial_executions_id_fk" FOREIGN KEY ("serialexecution") REFERENCES "public"."serial_executions"("id") ON DELETE no action ON UPDATE no action;
+ALTER TABLE "createddocuments" ADD CONSTRAINT "createddocuments_serialexecution_serial_executions_id_fk" FOREIGN KEY ("serialexecution") REFERENCES "public"."serial_executions"("id") ON DELETE no action ON UPDATE no action;

backend/db/migrations/0017_slow_the_hood.sql

@@ -1,108 +1 @@
-CREATE TABLE "contracttypes" (
-	"id" bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY (sequence name "contracttypes_id_seq" INCREMENT BY 1 MINVALUE 1 MAXVALUE 9223372036854775807 START WITH 1 CACHE 1),
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
-	"tenant" bigint NOT NULL,
-	"name" text NOT NULL,
-	"description" text,
-	"paymentType" text,
-	"recurring" boolean DEFAULT false NOT NULL,
-	"billingInterval" text,
-	"archived" boolean DEFAULT false NOT NULL,
-	"updated_at" timestamp with time zone,
-	"updated_by" uuid
-);
---> statement-breakpoint
-CREATE TABLE "customerinventoryitems" (
-	"id" bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY (sequence name "customerinventoryitems_id_seq" INCREMENT BY 1 MINVALUE 1 MAXVALUE 9223372036854775807 START WITH 1 CACHE 1),
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
-	"name" text NOT NULL,
-	"description" text,
-	"tenant" bigint NOT NULL,
-	"customer" bigint NOT NULL,
-	"customerspace" bigint,
-	"customerInventoryId" text NOT NULL,
-	"serialNumber" text,
-	"quantity" bigint DEFAULT 0 NOT NULL,
-	"manufacturer" text,
-	"manufacturerNumber" text,
-	"purchaseDate" date,
-	"purchasePrice" double precision DEFAULT 0,
-	"currentValue" double precision,
-	"product" bigint,
-	"vendor" bigint,
-	"archived" boolean DEFAULT false NOT NULL,
-	"updated_at" timestamp with time zone,
-	"updated_by" uuid
-);
---> statement-breakpoint
-CREATE TABLE "customerspaces" (
-	"id" bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY (sequence name "customerspaces_id_seq" INCREMENT BY 1 MINVALUE 1 MAXVALUE 9223372036854775807 START WITH 1 CACHE 1),
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
-	"name" text NOT NULL,
-	"type" text NOT NULL,
-	"tenant" bigint NOT NULL,
-	"customer" bigint NOT NULL,
-	"spaceNumber" text NOT NULL,
-	"parentSpace" bigint,
-	"infoData" jsonb DEFAULT '{"zip":"","city":"","streetNumber":""}'::jsonb NOT NULL,
-	"description" text,
-	"archived" boolean DEFAULT false NOT NULL,
-	"updated_at" timestamp with time zone,
-	"updated_by" uuid
-);
---> statement-breakpoint
-CREATE TABLE "entitybankaccounts" (
-	"id" bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY (sequence name "entitybankaccounts_id_seq" INCREMENT BY 1 MINVALUE 1 MAXVALUE 9223372036854775807 START WITH 1 CACHE 1),
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
-	"tenant" bigint NOT NULL,
-	"iban_encrypted" jsonb NOT NULL,
-	"bic_encrypted" jsonb NOT NULL,
-	"bank_name_encrypted" jsonb NOT NULL,
-	"description" text,
-	"updated_at" timestamp with time zone,
-	"updated_by" uuid,
-	"archived" boolean DEFAULT false NOT NULL
-);
---> statement-breakpoint
-CREATE TABLE "memberrelations" (
-	"id" bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY (sequence name "memberrelations_id_seq" INCREMENT BY 1 MINVALUE 1 MAXVALUE 9223372036854775807 START WITH 1 CACHE 1),
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
-	"tenant" bigint NOT NULL,
-	"type" text NOT NULL,
-	"billingInterval" text NOT NULL,
-	"billingAmount" double precision DEFAULT 0 NOT NULL,
-	"archived" boolean DEFAULT false NOT NULL,
-	"updated_at" timestamp with time zone,
-	"updated_by" uuid
-);
---> statement-breakpoint
-ALTER TABLE "tenants" ALTER COLUMN "numberRanges" SET DEFAULT '{"vendors":{"prefix":"","suffix":"","nextNumber":10000},"customers":{"prefix":"","suffix":"","nextNumber":10000},"products":{"prefix":"AT-","suffix":"","nextNumber":1000},"quotes":{"prefix":"AN-","suffix":"","nextNumber":1000},"confirmationOrders":{"prefix":"AB-","suffix":"","nextNumber":1000},"invoices":{"prefix":"RE-","suffix":"","nextNumber":1000},"spaces":{"prefix":"LP-","suffix":"","nextNumber":1000},"customerspaces":{"prefix":"KLP-","suffix":"","nextNumber":1000},"inventoryitems":{"prefix":"IA-","suffix":"","nextNumber":1000},"customerinventoryitems":{"prefix":"KIA-","suffix":"","nextNumber":1000},"projects":{"prefix":"PRJ-","suffix":"","nextNumber":1000},"costcentres":{"prefix":"KST-","suffix":"","nextNumber":1000}}'::jsonb;--> statement-breakpoint
-ALTER TABLE "contracts" ADD COLUMN "contracttype" bigint;--> statement-breakpoint
-ALTER TABLE "contracts" ADD COLUMN "billingInterval" text;--> statement-breakpoint
-ALTER TABLE "customers" ADD COLUMN "customTaxType" text;--> statement-breakpoint
-ALTER TABLE "customers" ADD COLUMN "memberrelation" bigint;--> statement-breakpoint
-ALTER TABLE "historyitems" ADD COLUMN "customerspace" bigint;--> statement-breakpoint
-ALTER TABLE "historyitems" ADD COLUMN "customerinventoryitem" bigint;--> statement-breakpoint
-ALTER TABLE "historyitems" ADD COLUMN "memberrelation" bigint;--> statement-breakpoint
-ALTER TABLE "services" ADD COLUMN "priceUpdateLocked" boolean DEFAULT false NOT NULL;--> statement-breakpoint
-ALTER TABLE "contracttypes" ADD CONSTRAINT "contracttypes_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "contracttypes" ADD CONSTRAINT "contracttypes_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerinventoryitems" ADD CONSTRAINT "customerinventoryitems_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerinventoryitems" ADD CONSTRAINT "customerinventoryitems_customer_customers_id_fk" FOREIGN KEY ("customer") REFERENCES "public"."customers"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerinventoryitems" ADD CONSTRAINT "customerinventoryitems_customerspace_customerspaces_id_fk" FOREIGN KEY ("customerspace") REFERENCES "public"."customerspaces"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerinventoryitems" ADD CONSTRAINT "customerinventoryitems_product_products_id_fk" FOREIGN KEY ("product") REFERENCES "public"."products"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerinventoryitems" ADD CONSTRAINT "customerinventoryitems_vendor_vendors_id_fk" FOREIGN KEY ("vendor") REFERENCES "public"."vendors"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerinventoryitems" ADD CONSTRAINT "customerinventoryitems_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerspaces" ADD CONSTRAINT "customerspaces_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerspaces" ADD CONSTRAINT "customerspaces_customer_customers_id_fk" FOREIGN KEY ("customer") REFERENCES "public"."customers"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerspaces" ADD CONSTRAINT "customerspaces_parentSpace_customerspaces_id_fk" FOREIGN KEY ("parentSpace") REFERENCES "public"."customerspaces"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customerspaces" ADD CONSTRAINT "customerspaces_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "entitybankaccounts" ADD CONSTRAINT "entitybankaccounts_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "entitybankaccounts" ADD CONSTRAINT "entitybankaccounts_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "memberrelations" ADD CONSTRAINT "memberrelations_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "memberrelations" ADD CONSTRAINT "memberrelations_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "contracts" ADD CONSTRAINT "contracts_contracttype_contracttypes_id_fk" FOREIGN KEY ("contracttype") REFERENCES "public"."contracttypes"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "customers" ADD CONSTRAINT "customers_memberrelation_memberrelations_id_fk" FOREIGN KEY ("memberrelation") REFERENCES "public"."memberrelations"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "historyitems" ADD CONSTRAINT "historyitems_customerspace_customerspaces_id_fk" FOREIGN KEY ("customerspace") REFERENCES "public"."customerspaces"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "historyitems" ADD CONSTRAINT "historyitems_customerinventoryitem_customerinventoryitems_id_fk" FOREIGN KEY ("customerinventoryitem") REFERENCES "public"."customerinventoryitems"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "historyitems" ADD CONSTRAINT "historyitems_memberrelation_memberrelations_id_fk" FOREIGN KEY ("memberrelation") REFERENCES "public"."memberrelations"("id") ON DELETE no action ON UPDATE no action;
+-- Absichtlich leer: Die Objekte aus dieser generierten Migration existieren bereits in früheren Migrationen.

backend/db/migrations/0024_tenant_branches.sql

@@ -0,0 +1,37 @@
+CREATE TABLE "branches" (
+	"id" bigint GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY NOT NULL,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"tenant" bigint NOT NULL,
+	"name" text NOT NULL,
+	"number" text,
+	"description" text,
+	"archived" boolean DEFAULT false NOT NULL,
+	"updated_at" timestamp with time zone,
+	"updated_by" uuid
+);
+--> statement-breakpoint
+ALTER TABLE "branches" ADD CONSTRAINT "branches_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "branches" ADD CONSTRAINT "branches_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "costcentres" ADD COLUMN "branch" bigint;
+--> statement-breakpoint
+ALTER TABLE "costcentres" ADD CONSTRAINT "costcentres_branch_branches_id_fk" FOREIGN KEY ("branch") REFERENCES "public"."branches"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "auth_profiles" ADD COLUMN "branch_id" bigint;
+--> statement-breakpoint
+ALTER TABLE "auth_profiles" ADD CONSTRAINT "auth_profiles_branch_id_branches_id_fk" FOREIGN KEY ("branch_id") REFERENCES "public"."branches"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+CREATE TABLE "auth_profile_branches" (
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"profile_id" uuid NOT NULL,
+	"branch_id" bigint NOT NULL,
+	"created_by" uuid,
+	CONSTRAINT "auth_profile_branches_profile_id_branch_id_pk" PRIMARY KEY("profile_id","branch_id")
+);
+--> statement-breakpoint
+ALTER TABLE "auth_profile_branches" ADD CONSTRAINT "auth_profile_branches_profile_id_auth_profiles_id_fk" FOREIGN KEY ("profile_id") REFERENCES "public"."auth_profiles"("id") ON DELETE cascade ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "auth_profile_branches" ADD CONSTRAINT "auth_profile_branches_branch_id_branches_id_fk" FOREIGN KEY ("branch_id") REFERENCES "public"."branches"("id") ON DELETE cascade ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "auth_profile_branches" ADD CONSTRAINT "auth_profile_branches_created_by_auth_users_id_fk" FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;

backend/db/migrations/0025_statementallocation_depreciation.sql

@@ -0,0 +1,6 @@
+ALTER TABLE "statementallocations"
+ADD COLUMN "booking_mode" text DEFAULT 'expense' NOT NULL,
+ADD COLUMN "depreciation_months" integer,
+ADD COLUMN "depreciation_start_date" text,
+ADD COLUMN "depreciation_label" text,
+ADD COLUMN "depreciation_group" text;

backend/db/migrations/0026_statementallocation_depreciation_method.sql

@@ -0,0 +1,3 @@
+ALTER TABLE "statementallocations"
+ADD COLUMN "depreciation_method" text,
+ADD COLUMN "residual_value" double precision;

backend/db/migrations/0027_product_supplier_link.sql

@@ -0,0 +1,2 @@
+ALTER TABLE "products"
+ADD COLUMN "supplierLink" text;

backend/db/migrations/0028_teams.sql

@@ -0,0 +1,31 @@
+CREATE TABLE "teams" (
+	"id" bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY (sequence name "teams_id_seq" INCREMENT BY 1 MINVALUE 1 MAXVALUE 9223372036854775807 START WITH 1 CACHE 1),
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"tenant" bigint NOT NULL,
+	"name" text NOT NULL,
+	"description" text,
+	"branch" bigint,
+	"archived" boolean DEFAULT false NOT NULL,
+	"updated_at" timestamp with time zone,
+	"updated_by" uuid
+);
+--> statement-breakpoint
+CREATE TABLE "auth_profile_teams" (
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"profile_id" uuid NOT NULL,
+	"team_id" bigint NOT NULL,
+	"created_by" uuid,
+	CONSTRAINT "auth_profile_teams_profile_id_team_id_pk" PRIMARY KEY("profile_id","team_id")
+);
+--> statement-breakpoint
+ALTER TABLE "teams" ADD CONSTRAINT "teams_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "teams" ADD CONSTRAINT "teams_branch_branches_id_fk" FOREIGN KEY ("branch") REFERENCES "public"."branches"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "teams" ADD CONSTRAINT "teams_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "auth_profile_teams" ADD CONSTRAINT "auth_profile_teams_profile_id_auth_profiles_id_fk" FOREIGN KEY ("profile_id") REFERENCES "public"."auth_profiles"("id") ON DELETE cascade ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "auth_profile_teams" ADD CONSTRAINT "auth_profile_teams_team_id_teams_id_fk" FOREIGN KEY ("team_id") REFERENCES "public"."teams"("id") ON DELETE cascade ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "auth_profile_teams" ADD CONSTRAINT "auth_profile_teams_created_by_auth_users_id_fk" FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;

backend/db/migrations/0029_events_quick.sql

@@ -0,0 +1 @@
+ALTER TABLE "events" ADD COLUMN "quick" boolean DEFAULT false NOT NULL;

backend/db/migrations/0030_manual_statementallocations.sql

@@ -0,0 +1,10 @@
+ALTER TABLE "statementallocations" ALTER COLUMN "bs_id" DROP NOT NULL;
+ALTER TABLE "statementallocations" ADD COLUMN "manual_booking_date" text;
+ALTER TABLE "statementallocations" ADD COLUMN "contra_account" bigint;
+ALTER TABLE "statementallocations" ADD COLUMN "contra_ownaccount" uuid;
+ALTER TABLE "statementallocations" ADD COLUMN "contra_customer" bigint;
+ALTER TABLE "statementallocations" ADD COLUMN "contra_vendor" bigint;
+ALTER TABLE "statementallocations" ADD CONSTRAINT "statementallocations_contra_account_accounts_id_fk" FOREIGN KEY ("contra_account") REFERENCES "public"."accounts"("id") ON DELETE no action ON UPDATE no action;
+ALTER TABLE "statementallocations" ADD CONSTRAINT "statementallocations_contra_ownaccount_ownaccounts_id_fk" FOREIGN KEY ("contra_ownaccount") REFERENCES "public"."ownaccounts"("id") ON DELETE no action ON UPDATE no action;
+ALTER TABLE "statementallocations" ADD CONSTRAINT "statementallocations_contra_customer_customers_id_fk" FOREIGN KEY ("contra_customer") REFERENCES "public"."customers"("id") ON DELETE no action ON UPDATE no action;
+ALTER TABLE "statementallocations" ADD CONSTRAINT "statementallocations_contra_vendor_vendors_id_fk" FOREIGN KEY ("contra_vendor") REFERENCES "public"."vendors"("id") ON DELETE no action ON UPDATE no action;

backend/db/migrations/0031_manual_statementallocations_tax_key.sql

@@ -0,0 +1 @@
+ALTER TABLE "statementallocations" ADD COLUMN "datev_tax_key" text;

backend/db/migrations/0032_manual_statementallocations_invoice_side.sql

@@ -0,0 +1 @@
+ALTER TABLE "statementallocations" ADD COLUMN "manual_invoice_side" text;

backend/db/migrations/0033_costcentres_parent.sql

@@ -0,0 +1,2 @@
+ALTER TABLE "costcentres" ADD COLUMN "parent_costcentre" uuid;
+ALTER TABLE "costcentres" ADD CONSTRAINT "costcentres_parent_costcentre_costcentres_id_fk" FOREIGN KEY ("parent_costcentre") REFERENCES "public"."costcentres"("id") ON DELETE no action ON UPDATE no action;

backend/db/migrations/0034_events_color.sql

@@ -0,0 +1,8 @@
+ALTER TABLE "events" ADD COLUMN "color" text;
+
+UPDATE "events" AS e
+SET "color" = COALESCE(t."calendarConfig"->'quickEntry'->>'color', '#2563eb')
+FROM "tenants" AS t
+WHERE e."tenant" = t."id"
+  AND e."quick" = true
+  AND e."color" IS NULL;

backend/db/migrations/0034_profile_availability_note.sql

@@ -0,0 +1,2 @@
+ALTER TABLE "auth_profiles"
+ADD COLUMN IF NOT EXISTS "availability_note" text;

backend/db/migrations/0035_contract_history.sql

@@ -0,0 +1,3 @@
+ALTER TABLE "historyitems" ADD COLUMN "contract" bigint;
+--> statement-breakpoint
+ALTER TABLE "historyitems" ADD CONSTRAINT "historyitems_contract_contracts_id_fk" FOREIGN KEY ("contract") REFERENCES "public"."contracts"("id") ON DELETE cascade ON UPDATE no action;

backend/db/migrations/0036_allowed_contracttypes.sql

@@ -0,0 +1 @@
+ALTER TABLE "contracts" ADD COLUMN "allowedContracttypes" jsonb DEFAULT '[]'::jsonb NOT NULL;

backend/db/migrations/0037_outgoing_sepa_mandates.sql

@@ -0,0 +1,53 @@
+CREATE TABLE "outgoingsepamandates" (
+	"id" bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY (sequence name "outgoingsepamandates_id_seq" INCREMENT BY 1 MINVALUE 1 MAXVALUE 9223372036854775807 START WITH 1 CACHE 1),
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"tenant" bigint NOT NULL,
+	"customer" bigint NOT NULL,
+	"bankaccount" bigint NOT NULL,
+	"reference" text NOT NULL,
+	"status" text DEFAULT 'Entwurf' NOT NULL,
+	"mandate_type" text DEFAULT 'CORE' NOT NULL,
+	"sequence_type" text DEFAULT 'RCUR' NOT NULL,
+	"signed_at" timestamp with time zone,
+	"valid_from" timestamp with time zone,
+	"valid_until" timestamp with time zone,
+	"default_mandate" boolean DEFAULT false NOT NULL,
+	"notes" text,
+	"archived" boolean DEFAULT false NOT NULL,
+	"updated_at" timestamp with time zone,
+	"updated_by" uuid
+);
+--> statement-breakpoint
+ALTER TABLE "outgoingsepamandates" ADD CONSTRAINT "outgoingsepamandates_tenant_tenants_id_fk" FOREIGN KEY ("tenant") REFERENCES "public"."tenants"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "outgoingsepamandates" ADD CONSTRAINT "outgoingsepamandates_customer_customers_id_fk" FOREIGN KEY ("customer") REFERENCES "public"."customers"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "outgoingsepamandates" ADD CONSTRAINT "outgoingsepamandates_bankaccount_entitybankaccounts_id_fk" FOREIGN KEY ("bankaccount") REFERENCES "public"."entitybankaccounts"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "outgoingsepamandates" ADD CONSTRAINT "outgoingsepamandates_updated_by_auth_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "contracts" ADD COLUMN "outgoingsepamandate" bigint;
+--> statement-breakpoint
+ALTER TABLE "contracts" ADD CONSTRAINT "contracts_outgoingsepamandate_outgoingsepamandates_id_fk" FOREIGN KEY ("outgoingsepamandate") REFERENCES "public"."outgoingsepamandates"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "createddocuments" ADD COLUMN "outgoingsepamandate" bigint;
+--> statement-breakpoint
+ALTER TABLE "createddocuments" ADD CONSTRAINT "createddocuments_outgoingsepamandate_outgoingsepamandates_id_fk" FOREIGN KEY ("outgoingsepamandate") REFERENCES "public"."outgoingsepamandates"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "historyitems" ADD COLUMN "outgoingsepamandate" bigint;
+--> statement-breakpoint
+ALTER TABLE "historyitems" ADD CONSTRAINT "historyitems_outgoingsepamandate_outgoingsepamandates_id_fk" FOREIGN KEY ("outgoingsepamandate") REFERENCES "public"."outgoingsepamandates"("id") ON DELETE cascade ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "tenants" ALTER COLUMN "numberRanges" SET DEFAULT '{"vendors":{"prefix":"","suffix":"","nextNumber":10000},"customers":{"prefix":"","suffix":"","nextNumber":10000},"products":{"prefix":"AT-","suffix":"","nextNumber":1000},"quotes":{"prefix":"AN-","suffix":"","nextNumber":1000},"costEstimates":{"prefix":"KS-","suffix":"","nextNumber":1000},"confirmationOrders":{"prefix":"AB-","suffix":"","nextNumber":1000},"invoices":{"prefix":"RE-","suffix":"","nextNumber":1000},"deliveryNotes":{"prefix":"LS-","suffix":"","nextNumber":1000},"packingSlips":{"prefix":"PS-","suffix":"","nextNumber":1000},"spaces":{"prefix":"LP-","suffix":"","nextNumber":1000},"customerspaces":{"prefix":"KLP-","suffix":"","nextNumber":1000},"inventoryitems":{"prefix":"IA-","suffix":"","nextNumber":1000},"customerinventoryitems":{"prefix":"KIA-","suffix":"","nextNumber":1000},"projects":{"prefix":"PRJ-","suffix":"","nextNumber":1000},"costcentres":{"prefix":"KST-","suffix":"","nextNumber":1000},"outgoingsepamandates":{"prefix":"SEPA-","suffix":"","nextNumber":1000}}'::jsonb;
+--> statement-breakpoint
+UPDATE "tenants"
+SET "numberRanges" = COALESCE("numberRanges", '{}'::jsonb) || jsonb_build_object(
+    'outgoingsepamandates',
+    COALESCE("numberRanges"->'outgoingsepamandates', '{"prefix":"SEPA-","suffix":"","nextNumber":1000}'::jsonb)
+);
+--> statement-breakpoint
+UPDATE "tenants"
+SET "features" = COALESCE("features", '{}'::jsonb) || jsonb_build_object(
+    'outgoingsepamandates',
+    COALESCE("features"->'outgoingsepamandates', 'true'::jsonb)
+);

backend/db/migrations/0038_communication_rooms.sql

@@ -0,0 +1,43 @@
+CREATE TABLE "communication_rooms" (
+    "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+    "tenant_id" bigint NOT NULL,
+    "key" text NOT NULL,
+    "name" text NOT NULL,
+    "topic" text,
+    "type" text DEFAULT 'room' NOT NULL,
+    "entity_type" text,
+    "entity_id" bigint,
+    "entity_uuid" uuid,
+    "matrix_room_id" text,
+    "matrix_alias" text,
+    "parent_space_room_id" text,
+    "archived" boolean DEFAULT false NOT NULL,
+    "created_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "updated_at" timestamp with time zone,
+    "created_by" uuid,
+    "updated_by" uuid
+);
+
+ALTER TABLE "communication_rooms"
+    ADD CONSTRAINT "communication_rooms_tenant_id_tenants_id_fk"
+    FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id")
+    ON DELETE cascade ON UPDATE no action;
+
+ALTER TABLE "communication_rooms"
+    ADD CONSTRAINT "communication_rooms_created_by_auth_users_id_fk"
+    FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id")
+    ON DELETE no action ON UPDATE no action;
+
+ALTER TABLE "communication_rooms"
+    ADD CONSTRAINT "communication_rooms_updated_by_auth_users_id_fk"
+    FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id")
+    ON DELETE no action ON UPDATE no action;
+
+CREATE UNIQUE INDEX "communication_rooms_tenant_key_idx"
+    ON "communication_rooms" USING btree ("tenant_id", "key");
+
+CREATE INDEX "communication_rooms_tenant_idx"
+    ON "communication_rooms" USING btree ("tenant_id");
+
+CREATE INDEX "communication_rooms_entity_idx"
+    ON "communication_rooms" USING btree ("tenant_id", "entity_type", "entity_id", "entity_uuid");

backend/db/migrations/0038_events_state.sql

@@ -0,0 +1,5 @@
+ALTER TABLE "events" ADD COLUMN "state" text DEFAULT 'Final' NOT NULL;
+
+UPDATE "events"
+SET "state" = 'Final'
+WHERE "state" IS NULL;

backend/db/migrations/0039_events_repeat_interval.sql

@@ -0,0 +1 @@
+ALTER TABLE "events" ADD COLUMN "repeatInterval" text DEFAULT 'Keine Wiederholung' NOT NULL;

backend/db/migrations/0039_notification_push_subscriptions.sql

@@ -0,0 +1,46 @@
+CREATE TABLE "notification_push_subscriptions" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"tenant_id" bigint NOT NULL,
+	"user_id" uuid NOT NULL,
+	"endpoint" text NOT NULL,
+	"p256dh" text NOT NULL,
+	"auth" text NOT NULL,
+	"user_agent" text,
+	"device_label" text,
+	"meta" jsonb,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"last_seen_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"disabled_at" timestamp with time zone,
+	CONSTRAINT "notification_push_subscriptions_endpoint_key" UNIQUE("endpoint")
+);
+
+ALTER TABLE "notification_push_subscriptions"
+	ADD CONSTRAINT "notification_push_subscriptions_tenant_id_tenants_id_fk"
+	FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id")
+	ON DELETE cascade ON UPDATE cascade;
+
+ALTER TABLE "notification_push_subscriptions"
+	ADD CONSTRAINT "notification_push_subscriptions_user_id_auth_users_id_fk"
+	FOREIGN KEY ("user_id") REFERENCES "public"."auth_users"("id")
+	ON DELETE cascade ON UPDATE cascade;
+
+INSERT INTO "notifications_event_types" (
+	"event_key",
+	"display_name",
+	"description",
+	"category",
+	"severity",
+	"allowed_channels"
+) VALUES
+	('system.test_push', 'Test-Push', 'Testet Desktop-Benachrichtigungen für den angemeldeten Nutzer.', 'system', 'info', '["inapp", "push"]'::jsonb),
+	('communication.message.new', 'Neue Chatnachricht', 'Benachrichtigt über relevante neue Chatnachrichten.', 'communication', 'info', '["inapp", "push"]'::jsonb),
+	('communication.call.started', 'Besprechung gestartet', 'Benachrichtigt Raumteilnehmer über gestartete Audio- oder Videoanrufe.', 'communication', 'info', '["inapp", "push"]'::jsonb),
+	('communication.call.missed', 'Verpasster Anruf', 'Benachrichtigt über verpasste Besprechungen.', 'communication', 'warning', '["inapp", "push"]'::jsonb),
+	('communication.room.invited', 'Raumeinladung', 'Benachrichtigt über Einladungen in Kommunikationsräume.', 'communication', 'info', '["inapp", "push"]'::jsonb)
+ON CONFLICT ("event_key") DO UPDATE SET
+	"display_name" = EXCLUDED."display_name",
+	"description" = EXCLUDED."description",
+	"category" = EXCLUDED."category",
+	"severity" = EXCLUDED."severity",
+	"allowed_channels" = EXCLUDED."allowed_channels",
+	"is_active" = true;

backend/db/migrations/0040_filetag_system_types.sql

@@ -0,0 +1,6 @@
+ALTER TABLE "filetags" ADD COLUMN "isSystemUsed" boolean DEFAULT false NOT NULL;
+
+UPDATE "filetags"
+SET "isSystemUsed" = true
+WHERE COALESCE("createddocumenttype", '') <> ''
+   OR COALESCE("incomingDocumentType", '') <> '';

backend/db/migrations/0041_profile_calendar_subscription.sql

@@ -0,0 +1,2 @@
+ALTER TABLE "auth_profiles"
+ADD COLUMN "calendar_subscription_token" text;

backend/db/migrations/0042_profile_availability_note.sql

@@ -0,0 +1,2 @@
+ALTER TABLE "auth_profiles"
+ADD COLUMN IF NOT EXISTS "availability_note" text;

backend/db/migrations/0043_communication_rooms.sql

@@ -0,0 +1,58 @@
+CREATE TABLE IF NOT EXISTS "communication_rooms" (
+    "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+    "tenant_id" bigint NOT NULL,
+    "key" text NOT NULL,
+    "name" text NOT NULL,
+    "topic" text,
+    "type" text DEFAULT 'room' NOT NULL,
+    "entity_type" text,
+    "entity_id" bigint,
+    "entity_uuid" uuid,
+    "matrix_room_id" text,
+    "matrix_alias" text,
+    "parent_space_room_id" text,
+    "archived" boolean DEFAULT false NOT NULL,
+    "created_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "updated_at" timestamp with time zone,
+    "created_by" uuid,
+    "updated_by" uuid
+);
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'communication_rooms_tenant_id_tenants_id_fk'
+    ) THEN
+        ALTER TABLE "communication_rooms"
+            ADD CONSTRAINT "communication_rooms_tenant_id_tenants_id_fk"
+            FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id")
+            ON DELETE cascade ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'communication_rooms_created_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "communication_rooms"
+            ADD CONSTRAINT "communication_rooms_created_by_auth_users_id_fk"
+            FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'communication_rooms_updated_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "communication_rooms"
+            ADD CONSTRAINT "communication_rooms_updated_by_auth_users_id_fk"
+            FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+END $$;
+
+CREATE UNIQUE INDEX IF NOT EXISTS "communication_rooms_tenant_key_idx"
+    ON "communication_rooms" USING btree ("tenant_id", "key");
+
+CREATE INDEX IF NOT EXISTS "communication_rooms_tenant_idx"
+    ON "communication_rooms" USING btree ("tenant_id");
+
+CREATE INDEX IF NOT EXISTS "communication_rooms_entity_idx"
+    ON "communication_rooms" USING btree ("tenant_id", "entity_type", "entity_id", "entity_uuid");

backend/db/migrations/0044_telephony_calls.sql

@@ -0,0 +1,57 @@
+CREATE TABLE IF NOT EXISTS "telephony_calls" (
+    "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+    "tenant_id" bigint NOT NULL,
+    "direction" text NOT NULL,
+    "status" text DEFAULT 'ringing' NOT NULL,
+    "local_extension" text,
+    "remote_number" text,
+    "remote_display_name" text,
+    "sip_call_id" text,
+    "started_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "answered_at" timestamp with time zone,
+    "ended_at" timestamp with time zone,
+    "duration_seconds" integer,
+    "created_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "updated_at" timestamp with time zone,
+    "created_by" uuid,
+    "updated_by" uuid
+);
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_calls_tenant_id_tenants_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_calls"
+            ADD CONSTRAINT "telephony_calls_tenant_id_tenants_id_fk"
+            FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id")
+            ON DELETE cascade ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_calls_created_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_calls"
+            ADD CONSTRAINT "telephony_calls_created_by_auth_users_id_fk"
+            FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_calls_updated_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_calls"
+            ADD CONSTRAINT "telephony_calls_updated_by_auth_users_id_fk"
+            FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+END $$;
+
+CREATE INDEX IF NOT EXISTS "telephony_calls_tenant_started_idx"
+    ON "telephony_calls" USING btree ("tenant_id", "started_at");
+
+CREATE INDEX IF NOT EXISTS "telephony_calls_created_by_idx"
+    ON "telephony_calls" USING btree ("tenant_id", "created_by");
+
+CREATE INDEX IF NOT EXISTS "telephony_calls_sip_call_idx"
+    ON "telephony_calls" USING btree ("tenant_id", "sip_call_id");

backend/db/migrations/0045_telephony_trunks.sql

@@ -0,0 +1,50 @@
+CREATE TABLE IF NOT EXISTS "telephony_trunks" (
+    "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+    "tenant_id" bigint NOT NULL,
+    "provider" text DEFAULT 'telekom' NOT NULL,
+    "enabled" boolean DEFAULT false NOT NULL,
+    "registrar" text DEFAULT 'tel.t-online.de' NOT NULL,
+    "sip_user" text,
+    "auth_user" text,
+    "password" text,
+    "caller_id" text,
+    "inbound_extension" text DEFAULT '1001' NOT NULL,
+    "outbound_prefix" text DEFAULT '0' NOT NULL,
+    "created_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "updated_at" timestamp with time zone,
+    "created_by" uuid,
+    "updated_by" uuid
+);
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_trunks_tenant_id_tenants_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_trunks"
+            ADD CONSTRAINT "telephony_trunks_tenant_id_tenants_id_fk"
+            FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id")
+            ON DELETE cascade ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_trunks_created_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_trunks"
+            ADD CONSTRAINT "telephony_trunks_created_by_auth_users_id_fk"
+            FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_trunks_updated_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_trunks"
+            ADD CONSTRAINT "telephony_trunks_updated_by_auth_users_id_fk"
+            FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+END $$;
+
+CREATE UNIQUE INDEX IF NOT EXISTS "telephony_trunks_tenant_provider_idx"
+    ON "telephony_trunks" USING btree ("tenant_id", "provider");

backend/db/migrations/0046_telephony_trunk_nat.sql

@@ -0,0 +1,3 @@
+ALTER TABLE "telephony_trunks" ADD COLUMN IF NOT EXISTS "external_signaling_address" text;
+ALTER TABLE "telephony_trunks" ADD COLUMN IF NOT EXISTS "external_media_address" text;
+ALTER TABLE "telephony_trunks" ADD COLUMN IF NOT EXISTS "local_networks" text;

backend/db/migrations/0047_telephony_extensions.sql

@@ -0,0 +1,92 @@
+CREATE TABLE IF NOT EXISTS "telephony_extensions" (
+    "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+    "tenant_id" bigint NOT NULL,
+    "target_type" text NOT NULL,
+    "target_user_id" uuid,
+    "target_team_id" bigint,
+    "target_branch_id" bigint,
+    "extension" text NOT NULL,
+    "display_name" text,
+    "sip_username" text,
+    "sip_password" text,
+    "enabled" boolean DEFAULT true NOT NULL,
+    "created_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "updated_at" timestamp with time zone,
+    "created_by" uuid,
+    "updated_by" uuid
+);
+
+ALTER TABLE "telephony_trunks"
+    ADD COLUMN IF NOT EXISTS "default_route_extension_id" uuid;
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_extensions_tenant_id_tenants_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_extensions"
+            ADD CONSTRAINT "telephony_extensions_tenant_id_tenants_id_fk"
+            FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id")
+            ON DELETE cascade ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_extensions_target_user_id_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_extensions"
+            ADD CONSTRAINT "telephony_extensions_target_user_id_auth_users_id_fk"
+            FOREIGN KEY ("target_user_id") REFERENCES "public"."auth_users"("id")
+            ON DELETE cascade ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_extensions_target_team_id_teams_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_extensions"
+            ADD CONSTRAINT "telephony_extensions_target_team_id_teams_id_fk"
+            FOREIGN KEY ("target_team_id") REFERENCES "public"."teams"("id")
+            ON DELETE cascade ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_extensions_target_branch_id_branches_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_extensions"
+            ADD CONSTRAINT "telephony_extensions_target_branch_id_branches_id_fk"
+            FOREIGN KEY ("target_branch_id") REFERENCES "public"."branches"("id")
+            ON DELETE cascade ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_extensions_created_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_extensions"
+            ADD CONSTRAINT "telephony_extensions_created_by_auth_users_id_fk"
+            FOREIGN KEY ("created_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_extensions_updated_by_auth_users_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_extensions"
+            ADD CONSTRAINT "telephony_extensions_updated_by_auth_users_id_fk"
+            FOREIGN KEY ("updated_by") REFERENCES "public"."auth_users"("id")
+            ON DELETE no action ON UPDATE no action;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'telephony_trunks_default_route_extension_id_telephony_extensions_id_fk'
+    ) THEN
+        ALTER TABLE "telephony_trunks"
+            ADD CONSTRAINT "telephony_trunks_default_route_extension_id_telephony_extensions_id_fk"
+            FOREIGN KEY ("default_route_extension_id") REFERENCES "public"."telephony_extensions"("id")
+            ON DELETE set null ON UPDATE no action;
+    END IF;
+END $$;
+
+CREATE UNIQUE INDEX IF NOT EXISTS "telephony_extensions_tenant_extension_idx"
+    ON "telephony_extensions" USING btree ("tenant_id", "extension");
+
+CREATE INDEX IF NOT EXISTS "telephony_extensions_tenant_target_idx"
+    ON "telephony_extensions" USING btree ("tenant_id", "target_type");

backend/db/migrations/0048_mobile_push_devices.sql

@@ -0,0 +1,19 @@
+CREATE TABLE "notification_mobile_push_devices" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"tenant_id" bigint NOT NULL,
+	"user_id" uuid NOT NULL,
+	"local_device_id" text NOT NULL,
+	"central_device_id" text NOT NULL,
+	"platform" text NOT NULL,
+	"provider_token_preview" text,
+	"device_label" text,
+	"meta" jsonb,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"last_seen_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"disabled_at" timestamp with time zone
+);
+--> statement-breakpoint
+ALTER TABLE "notification_mobile_push_devices" ADD CONSTRAINT "notification_mobile_push_devices_tenant_id_tenants_id_fk" FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "notification_mobile_push_devices" ADD CONSTRAINT "notification_mobile_push_devices_user_id_auth_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."auth_users"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+CREATE UNIQUE INDEX "notification_mobile_push_devices_user_device_key" ON "notification_mobile_push_devices" USING btree ("tenant_id","user_id","local_device_id");--> statement-breakpoint
+CREATE UNIQUE INDEX "notification_mobile_push_devices_central_device_key" ON "notification_mobile_push_devices" USING btree ("central_device_id");

backend/db/migrations/0049_email_cache.sql

@@ -0,0 +1,106 @@
+CREATE TABLE "email_mailboxes" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"tenant_id" bigint NOT NULL,
+	"user_id" uuid NOT NULL,
+	"account_id" uuid NOT NULL,
+	"path" text NOT NULL,
+	"delimiter" text,
+	"name" text NOT NULL,
+	"special_use" text,
+	"flags" jsonb,
+	"exists" integer DEFAULT 0 NOT NULL,
+	"unseen" integer DEFAULT 0 NOT NULL,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone
+);
+--> statement-breakpoint
+CREATE TABLE "email_messages" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"tenant_id" bigint NOT NULL,
+	"user_id" uuid NOT NULL,
+	"account_id" uuid NOT NULL,
+	"mailbox_id" uuid NOT NULL,
+	"mailbox_path" text NOT NULL,
+	"uid" bigint NOT NULL,
+	"email_id" text,
+	"message_id" text,
+	"in_reply_to" text,
+	"thread_id" text,
+	"subject" text,
+	"from" jsonb,
+	"to" jsonb,
+	"cc" jsonb,
+	"bcc" jsonb,
+	"reply_to" jsonb,
+	"preview" text,
+	"flags" jsonb,
+	"seen" boolean DEFAULT false NOT NULL,
+	"flagged" boolean DEFAULT false NOT NULL,
+	"has_attachments" boolean DEFAULT false NOT NULL,
+	"size" bigint,
+	"sent_at" timestamp with time zone,
+	"received_at" timestamp with time zone,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone
+);
+--> statement-breakpoint
+CREATE TABLE "email_message_bodies" (
+	"message_id" uuid PRIMARY KEY NOT NULL,
+	"text" text,
+	"html" text,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone
+);
+--> statement-breakpoint
+CREATE TABLE "email_attachments" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"message_id" uuid NOT NULL,
+	"filename" text,
+	"content_type" text,
+	"content_id" text,
+	"disposition" text,
+	"size" bigint,
+	"checksum" text,
+	"storage_key" text,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE "email_sync_state" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"tenant_id" bigint NOT NULL,
+	"user_id" uuid NOT NULL,
+	"account_id" uuid NOT NULL,
+	"mailbox_id" uuid NOT NULL,
+	"mailbox_path" text NOT NULL,
+	"uid_validity" bigint,
+	"highest_uid" bigint DEFAULT 0 NOT NULL,
+	"mod_seq" text,
+	"last_synced_at" timestamp with time zone,
+	"sync_error" text,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone
+);
+--> statement-breakpoint
+ALTER TABLE "email_mailboxes" ADD CONSTRAINT "email_mailboxes_tenant_id_tenants_id_fk" FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_mailboxes" ADD CONSTRAINT "email_mailboxes_user_id_auth_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."auth_users"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_mailboxes" ADD CONSTRAINT "email_mailboxes_account_id_user_credentials_id_fk" FOREIGN KEY ("account_id") REFERENCES "public"."user_credentials"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_messages" ADD CONSTRAINT "email_messages_tenant_id_tenants_id_fk" FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_messages" ADD CONSTRAINT "email_messages_user_id_auth_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."auth_users"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_messages" ADD CONSTRAINT "email_messages_account_id_user_credentials_id_fk" FOREIGN KEY ("account_id") REFERENCES "public"."user_credentials"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_messages" ADD CONSTRAINT "email_messages_mailbox_id_email_mailboxes_id_fk" FOREIGN KEY ("mailbox_id") REFERENCES "public"."email_mailboxes"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_message_bodies" ADD CONSTRAINT "email_message_bodies_message_id_email_messages_id_fk" FOREIGN KEY ("message_id") REFERENCES "public"."email_messages"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_attachments" ADD CONSTRAINT "email_attachments_message_id_email_messages_id_fk" FOREIGN KEY ("message_id") REFERENCES "public"."email_messages"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_sync_state" ADD CONSTRAINT "email_sync_state_tenant_id_tenants_id_fk" FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_sync_state" ADD CONSTRAINT "email_sync_state_user_id_auth_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."auth_users"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_sync_state" ADD CONSTRAINT "email_sync_state_account_id_user_credentials_id_fk" FOREIGN KEY ("account_id") REFERENCES "public"."user_credentials"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+ALTER TABLE "email_sync_state" ADD CONSTRAINT "email_sync_state_mailbox_id_email_mailboxes_id_fk" FOREIGN KEY ("mailbox_id") REFERENCES "public"."email_mailboxes"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
+CREATE UNIQUE INDEX "email_mailboxes_account_path_key" ON "email_mailboxes" USING btree ("account_id","path");--> statement-breakpoint
+CREATE INDEX "email_mailboxes_tenant_account_idx" ON "email_mailboxes" USING btree ("tenant_id","account_id");--> statement-breakpoint
+CREATE UNIQUE INDEX "email_messages_mailbox_uid_key" ON "email_messages" USING btree ("mailbox_id","uid");--> statement-breakpoint
+CREATE INDEX "email_messages_account_mailbox_idx" ON "email_messages" USING btree ("account_id","mailbox_path");--> statement-breakpoint
+CREATE INDEX "email_messages_received_idx" ON "email_messages" USING btree ("received_at");--> statement-breakpoint
+CREATE INDEX "email_messages_message_id_idx" ON "email_messages" USING btree ("message_id");--> statement-breakpoint
+CREATE INDEX "email_messages_thread_idx" ON "email_messages" USING btree ("thread_id");--> statement-breakpoint
+CREATE INDEX "email_attachments_message_idx" ON "email_attachments" USING btree ("message_id");--> statement-breakpoint
+CREATE UNIQUE INDEX "email_sync_state_mailbox_key" ON "email_sync_state" USING btree ("account_id","mailbox_path");--> statement-breakpoint
+CREATE INDEX "email_sync_state_tenant_account_idx" ON "email_sync_state" USING btree ("tenant_id","account_id");

backend/db/migrations/0050_outgoing_document_costcentres.sql

@@ -0,0 +1,7 @@
+ALTER TABLE "createddocuments" ADD COLUMN "costcentre" uuid;
+--> statement-breakpoint
+ALTER TABLE "services" ADD COLUMN "costcentre" uuid;
+--> statement-breakpoint
+ALTER TABLE "createddocuments" ADD CONSTRAINT "createddocuments_costcentre_costcentres_id_fk" FOREIGN KEY ("costcentre") REFERENCES "public"."costcentres"("id") ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "services" ADD CONSTRAINT "services_costcentre_costcentres_id_fk" FOREIGN KEY ("costcentre") REFERENCES "public"."costcentres"("id") ON DELETE no action ON UPDATE no action;

backend/db/migrations/0051_instance_scan_agents.sql

@@ -0,0 +1,43 @@
+CREATE TABLE "instance_agents" (
+    "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+    "created_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "updated_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "name" text NOT NULL,
+    "description" text,
+    "token_prefix" text NOT NULL,
+    "token_hash" text NOT NULL,
+    "active" boolean DEFAULT true NOT NULL,
+    "capabilities" jsonb DEFAULT '{"scan":true,"print":false}'::jsonb NOT NULL,
+    "scanner_names" jsonb DEFAULT '[]'::jsonb NOT NULL,
+    "printer_names" jsonb DEFAULT '[]'::jsonb NOT NULL,
+    "last_seen_at" timestamp with time zone,
+    "last_debug_info" jsonb,
+    CONSTRAINT "instance_agents_token_hash_unique" UNIQUE("token_hash")
+);
+--> statement-breakpoint
+CREATE TABLE "instance_agent_scan_jobs" (
+    "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+    "created_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "updated_at" timestamp with time zone DEFAULT now() NOT NULL,
+    "tenant_id" bigint NOT NULL,
+    "agent_id" uuid NOT NULL,
+    "requested_by" uuid,
+    "status" text DEFAULT 'pending' NOT NULL,
+    "scanner_name" text,
+    "requested_filename" text,
+    "settings" jsonb DEFAULT '{}'::jsonb NOT NULL,
+    "target" jsonb DEFAULT '{}'::jsonb NOT NULL,
+    "agent_message" text,
+    "attempts" integer DEFAULT 0 NOT NULL,
+    "claimed_at" timestamp with time zone,
+    "finished_at" timestamp with time zone,
+    "file_id" uuid,
+    CONSTRAINT "instance_agent_scan_jobs_tenant_id_tenants_id_fk" FOREIGN KEY ("tenant_id") REFERENCES "public"."tenants"("id") ON DELETE cascade ON UPDATE cascade,
+    CONSTRAINT "instance_agent_scan_jobs_agent_id_instance_agents_id_fk" FOREIGN KEY ("agent_id") REFERENCES "public"."instance_agents"("id") ON DELETE cascade ON UPDATE cascade,
+    CONSTRAINT "instance_agent_scan_jobs_requested_by_auth_users_id_fk" FOREIGN KEY ("requested_by") REFERENCES "public"."auth_users"("id") ON DELETE set null ON UPDATE cascade,
+    CONSTRAINT "instance_agent_scan_jobs_file_id_files_id_fk" FOREIGN KEY ("file_id") REFERENCES "public"."files"("id") ON DELETE set null ON UPDATE cascade
+);
+--> statement-breakpoint
+CREATE INDEX "instance_agent_scan_jobs_agent_status_idx" ON "instance_agent_scan_jobs" USING btree ("agent_id","status","created_at");
+--> statement-breakpoint
+CREATE INDEX "instance_agent_scan_jobs_tenant_idx" ON "instance_agent_scan_jobs" USING btree ("tenant_id","created_at");

backend/db/migrations/0052_instance_agent_scan_defaults.sql

@@ -0,0 +1,3 @@
+ALTER TABLE "instance_agents" ADD COLUMN "preferred_scanner_name" text;
+--> statement-breakpoint
+ALTER TABLE "instance_agents" ADD COLUMN "scan_defaults" jsonb DEFAULT '{"format":"pdf","resolution":300,"mode":"Color","source":null}'::jsonb NOT NULL;

backend/db/migrations/0053_instance_agent_postprocess_defaults.sql

@@ -0,0 +1 @@
+ALTER TABLE "instance_agents" ALTER COLUMN "scan_defaults" SET DEFAULT '{"format":"pdf","resolution":300,"mode":"Color","source":null,"postprocess":false,"postprocessProfile":"document"}'::jsonb;

backend/db/migrations/meta/_journal.json

@@ -138,30 +138,226 @@
     {
       "idx": 19,
       "version": "7",
+      "when": 1773489600000,
+      "tag": "0019_custom_surcharge_percentage_decimal",
+      "breakpoints": true
+    },
+    {
+      "idx": 20,
+      "version": "7",
       "when": 1773572400000,
       "tag": "0020_file_extracted_text",
       "breakpoints": true
     },
     {
-      "idx": 20,
+      "idx": 21,
       "version": "7",
       "when": 1773835200000,
       "tag": "0021_admin_user_flag",
       "breakpoints": true
     },
     {
-      "idx": 21,
+      "idx": 22,
       "version": "7",
       "when": 1773925200000,
       "tag": "0022_task_dependencies",
       "breakpoints": true
     },
     {
-      "idx": 22,
+      "idx": 23,
       "version": "7",
       "when": 1774080000000,
       "tag": "0023_tax_evaluation_period",
       "breakpoints": true
+    },
+    {
+      "idx": 24,
+      "version": "7",
+      "when": 1774393200000,
+      "tag": "0024_tenant_branches",
+      "breakpoints": true
+    },
+    {
+      "idx": 25,
+      "version": "7",
+      "when": 1774393201000,
+      "tag": "0025_statementallocation_depreciation",
+      "breakpoints": true
+    },
+    {
+      "idx": 26,
+      "version": "7",
+      "when": 1774393202000,
+      "tag": "0026_statementallocation_depreciation_method",
+      "breakpoints": true
+    },
+    {
+      "idx": 27,
+      "version": "7",
+      "when": 1774602000000,
+      "tag": "0027_product_supplier_link",
+      "breakpoints": true
+    },
+    {
+      "idx": 28,
+      "version": "7",
+      "when": 1776124800000,
+      "tag": "0028_teams",
+      "breakpoints": true
+    },
+    {
+      "idx": 29,
+      "version": "7",
+      "when": 1776211200000,
+      "tag": "0029_events_quick",
+      "breakpoints": true
+    },
+    {
+      "idx": 30,
+      "version": "7",
+      "when": 1776297600000,
+      "tag": "0030_manual_statementallocations",
+      "breakpoints": true
+    },
+    {
+      "idx": 31,
+      "version": "7",
+      "when": 1776298200000,
+      "tag": "0031_manual_statementallocations_tax_key",
+      "breakpoints": true
+    },
+    {
+      "idx": 32,
+      "version": "7",
+      "when": 1776298800000,
+      "tag": "0032_manual_statementallocations_invoice_side",
+      "breakpoints": true
+    },
+    {
+      "idx": 33,
+      "version": "7",
+      "when": 1777003200000,
+      "tag": "0033_costcentres_parent",
+      "breakpoints": true
+    },
+    {
+      "idx": 34,
+      "version": "7",
+      "when": 1777420800000,
+      "tag": "0034_events_color",
+      "breakpoints": true
+    },
+    {
+      "idx": 35,
+      "version": "7",
+      "when": 1778191200000,
+      "tag": "0035_contract_history",
+      "breakpoints": true
+    },
+    {
+      "idx": 36,
+      "version": "7",
+      "when": 1778194800000,
+      "tag": "0036_allowed_contracttypes",
+      "breakpoints": true
+    },
+    {
+      "idx": 37,
+      "version": "7",
+      "when": 1778840100000,
+      "tag": "0037_outgoing_sepa_mandates",
+      "breakpoints": true
+    },
+    {
+      "idx": 38,
+      "version": "7",
+      "when": 1779158400000,
+      "tag": "0038_events_state",
+      "breakpoints": true
+    },
+    {
+      "idx": 39,
+      "version": "7",
+      "when": 1779840000000,
+      "tag": "0039_events_repeat_interval",
+      "breakpoints": true
+    },
+    {
+      "idx": 40,
+      "version": "7",
+      "when": 1779141600000,
+      "tag": "0040_filetag_system_types",
+      "breakpoints": true
+    },
+    {
+      "idx": 41,
+      "version": "7",
+      "when": 1780149600000,
+      "tag": "0041_profile_calendar_subscription",
+      "breakpoints": true
+    },
+    {
+      "idx": 42,
+      "version": "7",
+      "when": 1780153200000,
+      "tag": "0042_profile_availability_note",
+      "breakpoints": true
+    },
+    {
+      "idx": 43,
+      "version": "7",
+      "when": 1780156800000,
+      "tag": "0043_communication_rooms",
+      "breakpoints": true
+    },
+    {
+      "idx": 44,
+      "version": "7",
+      "when": 1780160400000,
+      "tag": "0044_telephony_calls",
+      "breakpoints": true
+    },
+    {
+      "idx": 45,
+      "version": "7",
+      "when": 1780164000000,
+      "tag": "0045_telephony_trunks",
+      "breakpoints": true
+    },
+    {
+      "idx": 46,
+      "version": "7",
+      "when": 1780167600000,
+      "tag": "0046_telephony_trunk_nat",
+      "breakpoints": true
+    },
+    {
+      "idx": 47,
+      "version": "7",
+      "when": 1780171200000,
+      "tag": "0047_telephony_extensions",
+      "breakpoints": true
+    },
+    {
+      "idx": 48,
+      "version": "7",
+      "when": 1780174800000,
+      "tag": "0048_mobile_push_devices",
+      "breakpoints": true
+    },
+    {
+      "idx": 49,
+      "version": "7",
+      "when": 1780178400000,
+      "tag": "0049_email_cache",
+      "breakpoints": true
+    },
+    {
+      "idx": 50,
+      "version": "7",
+      "when": 1780261200000,
+      "tag": "0050_outgoing_document_costcentres",
+      "breakpoints": true
     }
   ]
 }

backend/db/schema/auth_profile_branches.ts

@@ -0,0 +1,30 @@
+import { pgTable, uuid, bigint, timestamp } from "drizzle-orm/pg-core"
+
+import { authProfiles } from "./auth_profiles"
+import { branches } from "./branches"
+import { authUsers } from "./auth_users"
+
+export const authProfileBranches = pgTable(
+    "auth_profile_branches",
+    {
+        created_at: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+
+        profile_id: uuid("profile_id")
+            .notNull()
+            .references(() => authProfiles.id, { onDelete: "cascade" }),
+
+        branch_id: bigint("branch_id", { mode: "number" })
+            .notNull()
+            .references(() => branches.id, { onDelete: "cascade" }),
+
+        created_by: uuid("created_by").references(() => authUsers.id),
+    },
+    (table) => ({
+        primaryKey: [table.profile_id, table.branch_id],
+    })
+)
+
+export type AuthProfileBranch = typeof authProfileBranches.$inferSelect
+export type NewAuthProfileBranch = typeof authProfileBranches.$inferInsert

backend/db/schema/auth_profile_teams.ts

@@ -0,0 +1,30 @@
+import { pgTable, uuid, bigint, timestamp } from "drizzle-orm/pg-core"
+
+import { authProfiles } from "./auth_profiles"
+import { teams } from "./teams"
+import { authUsers } from "./auth_users"
+
+export const authProfileTeams = pgTable(
+    "auth_profile_teams",
+    {
+        created_at: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+
+        profile_id: uuid("profile_id")
+            .notNull()
+            .references(() => authProfiles.id, { onDelete: "cascade" }),
+
+        team_id: bigint("team_id", { mode: "number" })
+            .notNull()
+            .references(() => teams.id, { onDelete: "cascade" }),
+
+        created_by: uuid("created_by").references(() => authUsers.id),
+    },
+    (table) => ({
+        primaryKey: [table.profile_id, table.team_id],
+    })
+)
+
+export type AuthProfileTeam = typeof authProfileTeams.$inferSelect
+export type NewAuthProfileTeam = typeof authProfileTeams.$inferInsert

backend/db/schema/auth_profiles.ts

@@ -10,6 +10,7 @@ import {
     jsonb,
 } from "drizzle-orm/pg-core"
 import { authUsers } from "./auth_users"
+import { branches } from "./branches"
 
 export const authProfiles = pgTable("auth_profiles", {
     id: uuid("id").primaryKey().defaultRandom(),
@@ -18,6 +19,8 @@ export const authProfiles = pgTable("auth_profiles", {
 
     tenant_id: bigint("tenant_id", { mode: "number" }).notNull(),
 
+    branch_id: bigint("branch_id", { mode: "number" }).references(() => branches.id),
+
     created_at: timestamp("created_at", { withTimezone: true })
         .notNull()
         .defaultNow(),
@@ -60,6 +63,7 @@ export const authProfiles = pgTable("auth_profiles", {
 
     email: text("email"),
     token_id: text("token_id"),
+    calendar_subscription_token: text("calendar_subscription_token"),
 
     weekly_working_days: doublePrecision("weekly_working_days"),
 
@@ -71,6 +75,7 @@ export const authProfiles = pgTable("auth_profiles", {
     contract_type: text("contract_type"),
     position: text("position"),
     qualification: text("qualification"),
+    availability_note: text("availability_note"),
 
     address_street: text("address_street"),
     address_zip: text("address_zip"),

backend/db/schema/branches.ts

@@ -0,0 +1,37 @@
+import {
+    pgTable,
+    bigint,
+    timestamp,
+    text,
+    boolean,
+    uuid,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+
+export const branches = pgTable("branches", {
+    id: bigint("id", { mode: "number" })
+        .primaryKey()
+        .generatedByDefaultAsIdentity(),
+
+    createdAt: timestamp("created_at", { withTimezone: true })
+        .notNull()
+        .defaultNow(),
+
+    tenant: bigint("tenant", { mode: "number" })
+        .notNull()
+        .references(() => tenants.id),
+
+    name: text("name").notNull(),
+    number: text("number"),
+    description: text("description"),
+
+    archived: boolean("archived").notNull().default(false),
+
+    updatedAt: timestamp("updated_at", { withTimezone: true }),
+    updatedBy: uuid("updated_by").references(() => authUsers.id),
+})
+
+export type Branch = typeof branches.$inferSelect
+export type NewBranch = typeof branches.$inferInsert

backend/db/schema/communication_rooms.ts

@@ -0,0 +1,57 @@
+import {
+    pgTable,
+    uuid,
+    bigint,
+    text,
+    timestamp,
+    boolean,
+    uniqueIndex,
+    index,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+
+export const communicationRooms = pgTable(
+    "communication_rooms",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade" }),
+
+        key: text("key").notNull(),
+        name: text("name").notNull(),
+        topic: text("topic"),
+        type: text("type").notNull().default("room"),
+
+        entityType: text("entity_type"),
+        entityId: bigint("entity_id", { mode: "number" }),
+        entityUuid: uuid("entity_uuid"),
+
+        matrixRoomId: text("matrix_room_id"),
+        matrixAlias: text("matrix_alias"),
+        parentSpaceRoomId: text("parent_space_room_id"),
+
+        archived: boolean("archived").notNull().default(false),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        updatedAt: timestamp("updated_at", { withTimezone: true }),
+        createdBy: uuid("created_by").references(() => authUsers.id),
+        updatedBy: uuid("updated_by").references(() => authUsers.id),
+    },
+    (table) => ({
+        tenantKeyIdx: uniqueIndex("communication_rooms_tenant_key_idx")
+            .on(table.tenantId, table.key),
+        tenantIdx: index("communication_rooms_tenant_idx")
+            .on(table.tenantId),
+        entityIdx: index("communication_rooms_entity_idx")
+            .on(table.tenantId, table.entityType, table.entityId, table.entityUuid),
+    })
+)
+
+export type CommunicationRoom = typeof communicationRooms.$inferSelect
+export type NewCommunicationRoom = typeof communicationRooms.$inferInsert

backend/db/schema/contracts.ts

@@ -13,6 +13,7 @@ import { customers } from "./customers"
 import { contacts } from "./contacts"
 import { contracttypes } from "./contracttypes"
 import { authUsers } from "./auth_users"
+import { outgoingsepamandates } from "./outgoingsepamandates"
 
 export const contracts = pgTable(
     "contracts",
@@ -52,6 +53,7 @@ export const contracts = pgTable(
         contracttype: bigint("contracttype", { mode: "number" }).references(
             () => contracttypes.id
         ),
+        allowedContracttypes: jsonb("allowedContracttypes").notNull().default([]),
 
         bankingIban: text("bankingIban"),
         bankingBIC: text("bankingBIC"),
@@ -59,6 +61,9 @@ export const contracts = pgTable(
         bankingOwner: text("bankingOwner"),
         sepaRef: text("sepaRef"),
         sepaDate: timestamp("sepaDate", { withTimezone: true }),
+        outgoingsepamandate: bigint("outgoingsepamandate", { mode: "number" }).references(
+            () => outgoingsepamandates.id
+        ),
 
         paymentType: text("paymentType"),
         billingInterval: text("billingInterval"),

backend/db/schema/costcentres.ts

@@ -13,6 +13,7 @@ import { inventoryitems } from "./inventoryitems"
 import { projects } from "./projects"
 import { vehicles } from "./vehicles"
 import { authUsers } from "./auth_users"
+import { branches } from "./branches"
 
 export const costcentres = pgTable("costcentres", {
     id: uuid("id").primaryKey().defaultRandom(),
@@ -28,10 +29,14 @@ export const costcentres = pgTable("costcentres", {
     number: text("number").notNull(),
     name: text("name").notNull(),
 
+    parentCostcentre: uuid("parent_costcentre").references(() => costcentres.id),
+
     vehicle: bigint("vehicle", { mode: "number" }).references(() => vehicles.id),
 
     project: bigint("project", { mode: "number" }).references(() => projects.id),
 
+    branch: bigint("branch", { mode: "number" }).references(() => branches.id),
+
     inventoryitem: bigint("inventoryitem", { mode: "number" }).references(
         () => inventoryitems.id
     ),

backend/db/schema/createddocuments.ts

@@ -19,6 +19,8 @@ import { projects } from "./projects"
 import { plants } from "./plants"
 import { authUsers } from "./auth_users"
 import {serialExecutions} from "./serialexecutions";
+import { outgoingsepamandates } from "./outgoingsepamandates"
+import { costcentres } from "./costcentres"
 
 export const createddocuments = pgTable("createddocuments", {
     id: bigint("id", { mode: "number" })
@@ -48,6 +50,8 @@ export const createddocuments = pgTable("createddocuments", {
         () => projects.id
     ),
 
+    costcentre: uuid("costcentre").references(() => costcentres.id),
+
     documentNumber: text("documentNumber"),
     documentDate: text("documentDate"),
 
@@ -118,6 +122,10 @@ export const createddocuments = pgTable("createddocuments", {
         () => contracts.id
     ),
 
+    outgoingsepamandate: bigint("outgoingsepamandate", { mode: "number" }).references(
+        () => outgoingsepamandates.id
+    ),
+
     serialexecution: uuid("serialexecution").references(() => serialExecutions.id)
 })
 

backend/db/schema/emails.ts

@@ -0,0 +1,208 @@
+import {
+    bigint,
+    boolean,
+    index,
+    integer,
+    jsonb,
+    pgTable,
+    text,
+    timestamp,
+    uniqueIndex,
+    uuid,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+import { userCredentials } from "./user_credentials"
+
+export const emailMailboxes = pgTable(
+    "email_mailboxes",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        userId: uuid("user_id")
+            .notNull()
+            .references(() => authUsers.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        accountId: uuid("account_id")
+            .notNull()
+            .references(() => userCredentials.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        path: text("path").notNull(),
+        delimiter: text("delimiter"),
+        name: text("name").notNull(),
+        specialUse: text("special_use"),
+        flags: jsonb("flags").$type<string[]>(),
+        exists: integer("exists").notNull().default(0),
+        unseen: integer("unseen").notNull().default(0),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        updatedAt: timestamp("updated_at", { withTimezone: true }),
+    },
+    (table) => ({
+        accountPathKey: uniqueIndex("email_mailboxes_account_path_key")
+            .on(table.accountId, table.path),
+        tenantAccountIdx: index("email_mailboxes_tenant_account_idx")
+            .on(table.tenantId, table.accountId),
+    }),
+)
+
+export const emailMessages = pgTable(
+    "email_messages",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        userId: uuid("user_id")
+            .notNull()
+            .references(() => authUsers.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        accountId: uuid("account_id")
+            .notNull()
+            .references(() => userCredentials.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        mailboxId: uuid("mailbox_id")
+            .notNull()
+            .references(() => emailMailboxes.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        mailboxPath: text("mailbox_path").notNull(),
+        uid: bigint("uid", { mode: "number" }).notNull(),
+        emailId: text("email_id"),
+        messageId: text("message_id"),
+        inReplyTo: text("in_reply_to"),
+        threadId: text("thread_id"),
+        subject: text("subject"),
+        from: jsonb("from").$type<Array<{ name?: string | null; address?: string | null }>>(),
+        to: jsonb("to").$type<Array<{ name?: string | null; address?: string | null }>>(),
+        cc: jsonb("cc").$type<Array<{ name?: string | null; address?: string | null }>>(),
+        bcc: jsonb("bcc").$type<Array<{ name?: string | null; address?: string | null }>>(),
+        replyTo: jsonb("reply_to").$type<Array<{ name?: string | null; address?: string | null }>>(),
+        preview: text("preview"),
+        flags: jsonb("flags").$type<string[]>(),
+        seen: boolean("seen").notNull().default(false),
+        flagged: boolean("flagged").notNull().default(false),
+        hasAttachments: boolean("has_attachments").notNull().default(false),
+        size: bigint("size", { mode: "number" }),
+        sentAt: timestamp("sent_at", { withTimezone: true }),
+        receivedAt: timestamp("received_at", { withTimezone: true }),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        updatedAt: timestamp("updated_at", { withTimezone: true }),
+    },
+    (table) => ({
+        mailboxUidKey: uniqueIndex("email_messages_mailbox_uid_key")
+            .on(table.mailboxId, table.uid),
+        accountMailboxIdx: index("email_messages_account_mailbox_idx")
+            .on(table.accountId, table.mailboxPath),
+        receivedIdx: index("email_messages_received_idx")
+            .on(table.receivedAt),
+        messageIdIdx: index("email_messages_message_id_idx")
+            .on(table.messageId),
+        threadIdx: index("email_messages_thread_idx")
+            .on(table.threadId),
+    }),
+)
+
+export const emailMessageBodies = pgTable("email_message_bodies", {
+    messageId: uuid("message_id")
+        .primaryKey()
+        .references(() => emailMessages.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+    text: text("text"),
+    html: text("html"),
+
+    createdAt: timestamp("created_at", { withTimezone: true })
+        .notNull()
+        .defaultNow(),
+    updatedAt: timestamp("updated_at", { withTimezone: true }),
+})
+
+export const emailAttachments = pgTable(
+    "email_attachments",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        messageId: uuid("message_id")
+            .notNull()
+            .references(() => emailMessages.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        filename: text("filename"),
+        contentType: text("content_type"),
+        contentId: text("content_id"),
+        disposition: text("disposition"),
+        size: bigint("size", { mode: "number" }),
+        checksum: text("checksum"),
+        storageKey: text("storage_key"),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+    },
+    (table) => ({
+        messageIdx: index("email_attachments_message_idx")
+            .on(table.messageId),
+    }),
+)
+
+export const emailSyncState = pgTable(
+    "email_sync_state",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        userId: uuid("user_id")
+            .notNull()
+            .references(() => authUsers.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        accountId: uuid("account_id")
+            .notNull()
+            .references(() => userCredentials.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        mailboxId: uuid("mailbox_id")
+            .notNull()
+            .references(() => emailMailboxes.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        mailboxPath: text("mailbox_path").notNull(),
+        uidValidity: bigint("uid_validity", { mode: "number" }),
+        highestUid: bigint("highest_uid", { mode: "number" }).notNull().default(0),
+        modSeq: text("mod_seq"),
+        lastSyncedAt: timestamp("last_synced_at", { withTimezone: true }),
+        syncError: text("sync_error"),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        updatedAt: timestamp("updated_at", { withTimezone: true }),
+    },
+    (table) => ({
+        mailboxKey: uniqueIndex("email_sync_state_mailbox_key")
+            .on(table.accountId, table.mailboxPath),
+        tenantAccountIdx: index("email_sync_state_tenant_account_idx")
+            .on(table.tenantId, table.accountId),
+    }),
+)
+
+export type EmailMailbox = typeof emailMailboxes.$inferSelect
+export type NewEmailMailbox = typeof emailMailboxes.$inferInsert
+export type EmailMessage = typeof emailMessages.$inferSelect
+export type NewEmailMessage = typeof emailMessages.$inferInsert
+export type EmailMessageBody = typeof emailMessageBodies.$inferSelect
+export type NewEmailMessageBody = typeof emailMessageBodies.$inferInsert
+export type EmailAttachment = typeof emailAttachments.$inferSelect
+export type NewEmailAttachment = typeof emailAttachments.$inferInsert
+export type EmailSyncState = typeof emailSyncState.$inferSelect
+export type NewEmailSyncState = typeof emailSyncState.$inferInsert

backend/db/schema/events.ts

@@ -31,6 +31,10 @@ export const events = pgTable(
         endDate: timestamp("endDate", { withTimezone: true }),
 
         eventtype: text("eventtype").default("Umsetzung"),
+        quick: boolean("quick").notNull().default(false),
+        state: text("state").notNull().default("Final"),
+        color: text("color"),
+        repeatInterval: text("repeatInterval").notNull().default("Keine Wiederholung"),
 
         project: bigint("project", { mode: "number" }), // FK follows when projects.ts exists
 

backend/db/schema/filetags.ts

@@ -26,6 +26,8 @@ export const filetags = pgTable("filetags", {
     createdDocumentType: text("createddocumenttype").default(""),
     incomingDocumentType: text("incomingDocumentType"),
 
+    isSystemUsed: boolean("isSystemUsed").notNull().default(false),
+
     archived: boolean("archived").notNull().default(false),
 })
 

backend/db/schema/historyitems.ts

@@ -35,6 +35,8 @@ import { inventoryitemgroups } from "./inventoryitemgroups"
 import { authUsers } from "./auth_users"
 import {files} from "./files";
 import { memberrelations } from "./memberrelations";
+import { contracts } from "./contracts";
+import { outgoingsepamandates } from "./outgoingsepamandates";
 
 export const historyitems = pgTable("historyitems", {
     id: bigint("id", { mode: "number" })
@@ -52,6 +54,11 @@ export const historyitems = pgTable("historyitems", {
         { onDelete: "cascade" }
     ),
 
+    contract: bigint("contract", { mode: "number" }).references(
+        () => contracts.id,
+        { onDelete: "cascade" }
+    ),
+
     tenant: bigint("tenant", { mode: "number" })
         .notNull()
         .references(() => tenants.id),
@@ -108,6 +115,11 @@ export const historyitems = pgTable("historyitems", {
 
     memberrelation: bigint("memberrelation", { mode: "number" }).references(() => memberrelations.id),
 
+    outgoingsepamandate: bigint("outgoingsepamandate", { mode: "number" }).references(
+        () => outgoingsepamandates.id,
+        { onDelete: "cascade" }
+    ),
+
     config: jsonb("config"),
 
     projecttype: bigint("projecttype", { mode: "number" }).references(

backend/db/schema/index.ts

@@ -1,5 +1,7 @@
 export * from "./accounts"
 export * from "./auth_profiles"
+export * from "./auth_profile_branches"
+export * from "./auth_profile_teams"
 export * from "./auth_role_permisssions"
 export * from "./auth_roles"
 export * from "./auth_tenant_users"
@@ -8,9 +10,11 @@ export * from "./auth_users"
 export * from "./bankaccounts"
 export * from "./bankrequisitions"
 export * from "./bankstatements"
+export * from "./branches"
 export * from "./checkexecutions"
 export * from "./checks"
 export * from "./citys"
+export * from "./communication_rooms"
 export * from "./contacts"
 export * from "./contracts"
 export * from "./contracttypes"
@@ -23,6 +27,7 @@ export * from "./customerspaces"
 export * from "./customerinventoryitems"
 export * from "./devices"
 export * from "./documentboxes"
+export * from "./emails"
 export * from "./enums"
 export * from "./events"
 export * from "./entitybankaccounts"
@@ -43,6 +48,8 @@ export * from "./historyitems"
 export * from "./holidays"
 export * from "./hourrates"
 export * from "./incominginvoices"
+export * from "./instance_agents"
+export * from "./instance_agent_scan_jobs"
 export * from "./inventoryitemgroups"
 export * from "./inventoryitems"
 export * from "./letterheads"
@@ -51,9 +58,12 @@ export * from "./movements"
 export * from "./m2m_api_keys"
 export * from "./notifications_event_types"
 export * from "./notifications_items"
+export * from "./notification_mobile_push_devices"
 export * from "./notifications_preferences"
 export * from "./notifications_preferences_defaults"
+export * from "./notification_push_subscriptions"
 export * from "./ownaccounts"
+export * from "./outgoingsepamandates"
 export * from "./plants"
 export * from "./productcategories"
 export * from "./products"
@@ -67,7 +77,11 @@ export * from "./staff_time_entry_connects"
 export * from "./staff_zeitstromtimestamps"
 export * from "./statementallocations"
 export * from "./tasks"
+export * from "./teams"
 export * from "./taxtypes"
+export * from "./telephony_calls"
+export * from "./telephony_extensions"
+export * from "./telephony_trunks"
 export * from "./tenants"
 export * from "./texttemplates"
 export * from "./units"

backend/db/schema/instance_agent_scan_jobs.ts

@@ -0,0 +1,59 @@
+import {
+    pgTable,
+    uuid,
+    timestamp,
+    text,
+    bigint,
+    jsonb,
+    integer,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+import { files } from "./files"
+import { instanceAgents } from "./instance_agents"
+
+export const instanceAgentScanJobs = pgTable("instance_agent_scan_jobs", {
+    id: uuid("id").primaryKey().defaultRandom(),
+
+    createdAt: timestamp("created_at", { withTimezone: true })
+        .notNull()
+        .defaultNow(),
+
+    updatedAt: timestamp("updated_at", { withTimezone: true })
+        .notNull()
+        .defaultNow(),
+
+    tenantId: bigint("tenant_id", { mode: "number" })
+        .notNull()
+        .references(() => tenants.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+    agentId: uuid("agent_id")
+        .notNull()
+        .references(() => instanceAgents.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+    requestedBy: uuid("requested_by").references(() => authUsers.id, {
+        onDelete: "set null",
+        onUpdate: "cascade",
+    }),
+
+    status: text("status").notNull().default("pending"),
+    scannerName: text("scanner_name"),
+    requestedFilename: text("requested_filename"),
+
+    settings: jsonb("settings").notNull().default({}),
+    target: jsonb("target").notNull().default({}),
+    agentMessage: text("agent_message"),
+
+    attempts: integer("attempts").notNull().default(0),
+    claimedAt: timestamp("claimed_at", { withTimezone: true }),
+    finishedAt: timestamp("finished_at", { withTimezone: true }),
+
+    fileId: uuid("file_id").references(() => files.id, {
+        onDelete: "set null",
+        onUpdate: "cascade",
+    }),
+})
+
+export type InstanceAgentScanJob = typeof instanceAgentScanJobs.$inferSelect
+export type NewInstanceAgentScanJob = typeof instanceAgentScanJobs.$inferInsert

backend/db/schema/instance_agents.ts

@@ -0,0 +1,47 @@
+import {
+    pgTable,
+    uuid,
+    timestamp,
+    text,
+    boolean,
+    jsonb,
+} from "drizzle-orm/pg-core"
+
+export const instanceAgents = pgTable("instance_agents", {
+    id: uuid("id").primaryKey().defaultRandom(),
+
+    createdAt: timestamp("created_at", { withTimezone: true })
+        .notNull()
+        .defaultNow(),
+
+    updatedAt: timestamp("updated_at", { withTimezone: true })
+        .notNull()
+        .defaultNow(),
+
+    name: text("name").notNull(),
+    description: text("description"),
+
+    tokenPrefix: text("token_prefix").notNull(),
+    tokenHash: text("token_hash").notNull().unique(),
+
+    active: boolean("active").notNull().default(true),
+
+    capabilities: jsonb("capabilities").notNull().default({ scan: true, print: false }),
+    scannerNames: jsonb("scanner_names").notNull().default([]),
+    printerNames: jsonb("printer_names").notNull().default([]),
+    preferredScannerName: text("preferred_scanner_name"),
+    scanDefaults: jsonb("scan_defaults").notNull().default({
+        format: "pdf",
+        resolution: 300,
+        mode: "Color",
+        source: null,
+        postprocess: false,
+        postprocessProfile: "document",
+    }),
+
+    lastSeenAt: timestamp("last_seen_at", { withTimezone: true }),
+    lastDebugInfo: jsonb("last_debug_info"),
+})
+
+export type InstanceAgent = typeof instanceAgents.$inferSelect
+export type NewInstanceAgent = typeof instanceAgents.$inferInsert

backend/db/schema/notification_mobile_push_devices.ts

@@ -0,0 +1,53 @@
+import {
+    pgTable,
+    uuid,
+    bigint,
+    text,
+    jsonb,
+    timestamp,
+    uniqueIndex,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+
+export const notificationMobilePushDevices = pgTable(
+    "notification_mobile_push_devices",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        userId: uuid("user_id")
+            .notNull()
+            .references(() => authUsers.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        localDeviceId: text("local_device_id").notNull(),
+        centralDeviceId: text("central_device_id").notNull(),
+        platform: text("platform").notNull(),
+        providerTokenPreview: text("provider_token_preview"),
+        deviceLabel: text("device_label"),
+        meta: jsonb("meta"),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        lastSeenAt: timestamp("last_seen_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        disabledAt: timestamp("disabled_at", { withTimezone: true }),
+    },
+    (table) => ({
+        uniqueUserDevice: uniqueIndex("notification_mobile_push_devices_user_device_key")
+            .on(table.tenantId, table.userId, table.localDeviceId),
+        uniqueCentralDevice: uniqueIndex("notification_mobile_push_devices_central_device_key")
+            .on(table.centralDeviceId),
+    }),
+)
+
+export type NotificationMobilePushDevice =
+    typeof notificationMobilePushDevices.$inferSelect
+export type NewNotificationMobilePushDevice =
+    typeof notificationMobilePushDevices.$inferInsert

backend/db/schema/notification_push_subscriptions.ts

@@ -0,0 +1,50 @@
+import {
+    pgTable,
+    uuid,
+    bigint,
+    text,
+    jsonb,
+    timestamp,
+    uniqueIndex,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+
+export const notificationPushSubscriptions = pgTable(
+    "notification_push_subscriptions",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        userId: uuid("user_id")
+            .notNull()
+            .references(() => authUsers.id, { onDelete: "cascade", onUpdate: "cascade" }),
+
+        endpoint: text("endpoint").notNull(),
+        p256dh: text("p256dh").notNull(),
+        auth: text("auth").notNull(),
+        userAgent: text("user_agent"),
+        deviceLabel: text("device_label"),
+        meta: jsonb("meta"),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        lastSeenAt: timestamp("last_seen_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        disabledAt: timestamp("disabled_at", { withTimezone: true }),
+    },
+    (table) => ({
+        uniqueEndpoint: uniqueIndex("notification_push_subscriptions_endpoint_key").on(table.endpoint),
+    }),
+)
+
+export type NotificationPushSubscription =
+    typeof notificationPushSubscriptions.$inferSelect
+export type NewNotificationPushSubscription =
+    typeof notificationPushSubscriptions.$inferInsert

backend/db/schema/outgoingsepamandates.ts

@@ -0,0 +1,61 @@
+import {
+    pgTable,
+    bigint,
+    text,
+    timestamp,
+    boolean,
+    uuid,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { customers } from "./customers"
+import { entitybankaccounts } from "./entitybankaccounts"
+import { authUsers } from "./auth_users"
+
+export const outgoingsepamandates = pgTable("outgoingsepamandates", {
+    id: bigint("id", { mode: "number" })
+        .primaryKey()
+        .generatedByDefaultAsIdentity(),
+
+    createdAt: timestamp("created_at", { withTimezone: true })
+        .notNull()
+        .defaultNow(),
+
+    tenant: bigint("tenant", { mode: "number" })
+        .notNull()
+        .references(() => tenants.id),
+
+    customer: bigint("customer", { mode: "number" })
+        .notNull()
+        .references(() => customers.id),
+
+    bankaccount: bigint("bankaccount", { mode: "number" })
+        .notNull()
+        .references(() => entitybankaccounts.id),
+
+    reference: text("reference").notNull(),
+
+    status: text("status").notNull().default("Entwurf"),
+
+    mandateType: text("mandate_type").notNull().default("CORE"),
+
+    sequenceType: text("sequence_type").notNull().default("RCUR"),
+
+    signedAt: timestamp("signed_at", { withTimezone: true }),
+
+    validFrom: timestamp("valid_from", { withTimezone: true }),
+
+    validUntil: timestamp("valid_until", { withTimezone: true }),
+
+    defaultMandate: boolean("default_mandate").notNull().default(false),
+
+    notes: text("notes"),
+
+    archived: boolean("archived").notNull().default(false),
+
+    updatedAt: timestamp("updated_at", { withTimezone: true }),
+    updatedBy: uuid("updated_by").references(() => authUsers.id),
+})
+
+export type OutgoingSepaMandate = typeof outgoingsepamandates.$inferSelect
+export type NewOutgoingSepaMandate = typeof outgoingsepamandates.$inferInsert

backend/db/schema/products.ts

@@ -50,6 +50,7 @@ export const products = pgTable("products", {
     vendor_allocation: jsonb("vendorAllocation").default([]),
 
     article_number: text("articleNumber"),
+    supplier_link: text("supplierLink"),
 
     barcodes: text("barcodes").array().notNull().default([]),
 

backend/db/schema/services.ts

@@ -13,6 +13,7 @@ import {
 import { tenants } from "./tenants"
 import { units } from "./units"
 import { authUsers } from "./auth_users"
+import { costcentres } from "./costcentres"
 
 export const services = pgTable("services", {
     id: bigint("id", { mode: "number" })
@@ -35,6 +36,8 @@ export const services = pgTable("services", {
 
     unit: bigint("unit", { mode: "number" }).references(() => units.id),
 
+    costcentre: uuid("costcentre").references(() => costcentres.id),
+
     serviceNumber: bigint("serviceNumber", { mode: "number" }),
 
     tags: jsonb("tags").default([]),

backend/db/schema/statementallocations.ts

@@ -23,9 +23,7 @@ export const statementallocations = pgTable("statementallocations", {
     id: uuid("id").primaryKey().defaultRandom(),
 
     // foreign keys
-    bankstatement: integer("bs_id")
-        .notNull()
-        .references(() => bankstatements.id),
+    bankstatement: integer("bs_id").references(() => bankstatements.id),
 
     createddocument: integer("cd_id").references(() => createddocuments.id),
 
@@ -34,6 +32,7 @@ export const statementallocations = pgTable("statementallocations", {
     incominginvoice: bigint("ii_id", { mode: "number" }).references(
         () => incominginvoices.id
     ),
+    manualInvoiceSide: text("manual_invoice_side"),
 
     tenant: bigint("tenant", { mode: "number" })
         .notNull()
@@ -43,20 +42,43 @@ export const statementallocations = pgTable("statementallocations", {
         () => accounts.id
     ),
 
+    contraAccount: bigint("contra_account", { mode: "number" }).references(
+        () => accounts.id
+    ),
+
     created_at: timestamp("created_at", {
         withTimezone: false,
     }).defaultNow(),
 
     ownaccount: uuid("ownaccount").references(() => ownaccounts.id),
 
+    contraOwnaccount: uuid("contra_ownaccount").references(() => ownaccounts.id),
+
     description: text("description"),
 
+    manualBookingDate: text("manual_booking_date"),
+    datevTaxKey: text("datev_tax_key"),
+
+    bookingMode: text("booking_mode").notNull().default("expense"),
+    depreciationMonths: integer("depreciation_months"),
+    depreciationStartDate: text("depreciation_start_date"),
+    depreciationMethod: text("depreciation_method"),
+    depreciationLabel: text("depreciation_label"),
+    depreciationGroup: text("depreciation_group"),
+    residualValue: doublePrecision("residual_value"),
+
     customer: bigint("customer", { mode: "number" }).references(
         () => customers.id
     ),
 
     vendor: bigint("vendor", { mode: "number" }).references(() => vendors.id),
 
+    contraCustomer: bigint("contra_customer", { mode: "number" }).references(
+        () => customers.id
+    ),
+
+    contraVendor: bigint("contra_vendor", { mode: "number" }).references(() => vendors.id),
+
     updated_at: timestamp("updated_at", { withTimezone: true }),
 
     updated_by: uuid("updated_by").references(() => authUsers.id),

backend/db/schema/teams.ts

@@ -0,0 +1,40 @@
+import {
+    pgTable,
+    bigint,
+    timestamp,
+    text,
+    boolean,
+    uuid,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+import { branches } from "./branches"
+
+export const teams = pgTable("teams", {
+    id: bigint("id", { mode: "number" })
+        .primaryKey()
+        .generatedByDefaultAsIdentity(),
+
+    createdAt: timestamp("created_at", { withTimezone: true })
+        .notNull()
+        .defaultNow(),
+
+    tenant: bigint("tenant", { mode: "number" })
+        .notNull()
+        .references(() => tenants.id),
+
+    name: text("name").notNull(),
+    description: text("description"),
+
+    branch: bigint("branch", { mode: "number" })
+        .references(() => branches.id),
+
+    archived: boolean("archived").notNull().default(false),
+
+    updatedAt: timestamp("updated_at", { withTimezone: true }),
+    updatedBy: uuid("updated_by").references(() => authUsers.id),
+})
+
+export type Team = typeof teams.$inferSelect
+export type NewTeam = typeof teams.$inferInsert

backend/db/schema/telephony_calls.ts

@@ -0,0 +1,56 @@
+import {
+    pgTable,
+    uuid,
+    bigint,
+    text,
+    timestamp,
+    integer,
+    index,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+
+export const telephonyCalls = pgTable(
+    "telephony_calls",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade" }),
+
+        direction: text("direction").notNull(),
+        status: text("status").notNull().default("ringing"),
+
+        localExtension: text("local_extension"),
+        remoteNumber: text("remote_number"),
+        remoteDisplayName: text("remote_display_name"),
+        sipCallId: text("sip_call_id"),
+
+        startedAt: timestamp("started_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        answeredAt: timestamp("answered_at", { withTimezone: true }),
+        endedAt: timestamp("ended_at", { withTimezone: true }),
+        durationSeconds: integer("duration_seconds"),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        updatedAt: timestamp("updated_at", { withTimezone: true }),
+        createdBy: uuid("created_by").references(() => authUsers.id),
+        updatedBy: uuid("updated_by").references(() => authUsers.id),
+    },
+    (table) => ({
+        tenantStartedIdx: index("telephony_calls_tenant_started_idx")
+            .on(table.tenantId, table.startedAt),
+        createdByIdx: index("telephony_calls_created_by_idx")
+            .on(table.tenantId, table.createdBy),
+        sipCallIdx: index("telephony_calls_sip_call_idx")
+            .on(table.tenantId, table.sipCallId),
+    })
+)
+
+export type TelephonyCall = typeof telephonyCalls.$inferSelect
+export type NewTelephonyCall = typeof telephonyCalls.$inferInsert

backend/db/schema/telephony_extensions.ts

@@ -0,0 +1,53 @@
+import {
+    pgTable,
+    uuid,
+    bigint,
+    text,
+    timestamp,
+    boolean,
+    index,
+    uniqueIndex,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+import { teams } from "./teams"
+import { branches } from "./branches"
+
+export const telephonyExtensions = pgTable(
+    "telephony_extensions",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade" }),
+
+        targetType: text("target_type").notNull(),
+        targetUserId: uuid("target_user_id").references(() => authUsers.id, { onDelete: "cascade" }),
+        targetTeamId: bigint("target_team_id", { mode: "number" }).references(() => teams.id, { onDelete: "cascade" }),
+        targetBranchId: bigint("target_branch_id", { mode: "number" }).references(() => branches.id, { onDelete: "cascade" }),
+
+        extension: text("extension").notNull(),
+        displayName: text("display_name"),
+        sipUsername: text("sip_username"),
+        sipPassword: text("sip_password"),
+        enabled: boolean("enabled").notNull().default(true),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        updatedAt: timestamp("updated_at", { withTimezone: true }),
+        createdBy: uuid("created_by").references(() => authUsers.id),
+        updatedBy: uuid("updated_by").references(() => authUsers.id),
+    },
+    (table) => ({
+        tenantExtensionIdx: uniqueIndex("telephony_extensions_tenant_extension_idx")
+            .on(table.tenantId, table.extension),
+        tenantTargetIdx: index("telephony_extensions_tenant_target_idx")
+            .on(table.tenantId, table.targetType),
+    })
+)
+
+export type TelephonyExtension = typeof telephonyExtensions.$inferSelect
+export type NewTelephonyExtension = typeof telephonyExtensions.$inferInsert

backend/db/schema/telephony_trunks.ts

@@ -0,0 +1,53 @@
+import {
+    pgTable,
+    uuid,
+    bigint,
+    text,
+    timestamp,
+    boolean,
+    uniqueIndex,
+} from "drizzle-orm/pg-core"
+
+import { tenants } from "./tenants"
+import { authUsers } from "./auth_users"
+import { telephonyExtensions } from "./telephony_extensions"
+
+export const telephonyTrunks = pgTable(
+    "telephony_trunks",
+    {
+        id: uuid("id").primaryKey().defaultRandom(),
+
+        tenantId: bigint("tenant_id", { mode: "number" })
+            .notNull()
+            .references(() => tenants.id, { onDelete: "cascade" }),
+
+        provider: text("provider").notNull().default("telekom"),
+        enabled: boolean("enabled").notNull().default(false),
+        registrar: text("registrar").notNull().default("tel.t-online.de"),
+
+        sipUser: text("sip_user"),
+        authUser: text("auth_user"),
+        password: text("password"),
+        callerId: text("caller_id"),
+        inboundExtension: text("inbound_extension").notNull().default("1001"),
+        defaultRouteExtensionId: uuid("default_route_extension_id").references(() => telephonyExtensions.id, { onDelete: "set null" }),
+        outboundPrefix: text("outbound_prefix").notNull().default("0"),
+        externalSignalingAddress: text("external_signaling_address"),
+        externalMediaAddress: text("external_media_address"),
+        localNetworks: text("local_networks"),
+
+        createdAt: timestamp("created_at", { withTimezone: true })
+            .notNull()
+            .defaultNow(),
+        updatedAt: timestamp("updated_at", { withTimezone: true }),
+        createdBy: uuid("created_by").references(() => authUsers.id),
+        updatedBy: uuid("updated_by").references(() => authUsers.id),
+    },
+    (table) => ({
+        tenantProviderIdx: uniqueIndex("telephony_trunks_tenant_provider_idx")
+            .on(table.tenantId, table.provider),
+    })
+)
+
+export type TelephonyTrunk = typeof telephonyTrunks.$inferSelect
+export type NewTelephonyTrunk = typeof telephonyTrunks.$inferInsert

backend/db/schema/tenants.ts

@@ -91,7 +91,10 @@ export const tenants = pgTable(
             createDocument: true,
             serialInvoice: true,
             incomingInvoices: true,
+            outgoingsepamandates: true,
             costcentres: true,
+            branches: true,
+            teams: true,
             accounts: true,
             ownaccounts: true,
             banking: true,
@@ -127,14 +130,18 @@ export const tenants = pgTable(
                 customers: { prefix: "", suffix: "", nextNumber: 10000 },
                 products: { prefix: "AT-", suffix: "", nextNumber: 1000 },
                 quotes: { prefix: "AN-", suffix: "", nextNumber: 1000 },
+                costEstimates: { prefix: "KS-", suffix: "", nextNumber: 1000 },
                 confirmationOrders: { prefix: "AB-", suffix: "", nextNumber: 1000 },
                 invoices: { prefix: "RE-", suffix: "", nextNumber: 1000 },
+                deliveryNotes: { prefix: "LS-", suffix: "", nextNumber: 1000 },
+                packingSlips: { prefix: "PS-", suffix: "", nextNumber: 1000 },
                 spaces: { prefix: "LP-", suffix: "", nextNumber: 1000 },
                 customerspaces: { prefix: "KLP-", suffix: "", nextNumber: 1000 },
                 inventoryitems: { prefix: "IA-", suffix: "", nextNumber: 1000 },
                 customerinventoryitems: { prefix: "KIA-", suffix: "", nextNumber: 1000 },
                 projects: { prefix: "PRJ-", suffix: "", nextNumber: 1000 },
                 costcentres: { prefix: "KST-", suffix: "", nextNumber: 1000 },
+                outgoingsepamandates: { prefix: "SEPA-", suffix: "", nextNumber: 1000 },
             }),
         accountChart: text("accountChart").notNull().default("skr03"),
 

backend/docker-entrypoint.sh

@@ -0,0 +1,7 @@
+set -e
+
+if [ "${FEDEO_RUN_MIGRATIONS:-true}" = "true" ]; then
+  npm run migrate
+fi
+
+exec node dist/src/index.js

backend/drizzle.config.ts

@@ -1,11 +1,14 @@
+import "dotenv/config"
 import { defineConfig } from "drizzle-kit"
-import {secrets} from "./src/utils/secrets";
+
+const fallbackDatabaseUrl = "postgres://postgres:wJw7aNpEBJdcxgoct6GXNpvY4Cn6ECqu@fedeo-db-001.vpn.internal:5432/fedeo"
+const databaseUrl = process.env.DATABASE_URL || fallbackDatabaseUrl
 
 export default defineConfig({
     dialect: "postgresql",
     schema: "./db/schema",
     out: "./db/migrations",
     dbCredentials: {
-        url: secrets.DATABASE_URL || "postgres://postgres:wJw7aNpEBJdcxgoct6GXNpvY4Cn6ECqu@fedeo-db-001.vpn.internal:5432/fedeo",
+        url: databaseUrl,
     },
-})
+})

backend/package.json

@@ -5,6 +5,7 @@
   "main": "index.js",
   "scripts": {
     "dev": "tsx watch src/index.ts",
+    "migrate": "tsx scripts/migrate.ts",
     "fill": "ts-node src/webdav/fill-file-sizes.ts",
     "dev:dav": "tsx watch src/webdav/server.ts",
     "build": "tsc",
@@ -12,6 +13,7 @@
     "schema:index": "ts-node scripts/generate-schema-index.ts",
     "bankcodes:update": "tsx scripts/generate-de-bank-codes.ts",
     "members:import:csv": "tsx scripts/import-members-csv.ts",
+    "profiles:import:mitarbeiterliste": "tsx scripts/import-mitarbeiterliste.ts",
     "accounts:import:skr42": "ts-node scripts/import-skr42-accounts.ts"
   },
   "repository": {
@@ -52,6 +54,7 @@
     "pg": "^8.16.3",
     "pngjs": "^7.0.0",
     "sharp": "^0.34.5",
+    "web-push": "^3.6.7",
     "webdav-server": "^2.6.2",
     "xmlbuilder": "^15.1.1",
     "zpl-image": "^0.2.0",
@@ -61,6 +64,7 @@
     "@types/bcrypt": "^6.0.0",
     "@types/jsonwebtoken": "^9.0.10",
     "@types/node": "^24.3.0",
+    "@types/web-push": "^3.6.4",
     "drizzle-kit": "^0.31.8",
     "prisma": "^6.15.0",
     "tsx": "^4.20.5",

backend/scripts/import-mitarbeiterliste.ts

@@ -0,0 +1,589 @@
+import * as fs from "node:fs"
+import * as path from "node:path"
+import { execFileSync } from "node:child_process"
+import { and, eq } from "drizzle-orm"
+
+import {
+    authProfileBranches,
+    authProfiles,
+    authProfileTeams,
+    branches,
+    teams,
+    tenants,
+} from "../db/schema"
+
+type ImportRow = {
+    rowNumber: number
+    mitarbeiter: string
+    betrieb: string
+    anstellung: string
+    position: string
+    bereich: string
+    stundenMonat: number | null
+    urlaub: number | null
+}
+
+type CliOptions = {
+    workbookPath: string
+    tenantId: number
+    dryRun: boolean
+    defaultBranchId: number | null
+    branchMap: Record<string, number>
+}
+
+type ImportAction = "create" | "update"
+
+function printHelp() {
+    console.log(`
+Importiert die Excel-Datei "Mitarbeiterliste.xlsm" in auth_profiles.
+
+Verwendung:
+  npm run profiles:import:mitarbeiterliste -- --tenant-id=12 --branch-map-file=./branch-map.json /pfad/zur/Mitarbeiterliste.xlsm
+
+Optionen:
+  --tenant-id=ID                Pflicht. Tenant-ID für den Import.
+  --branch-map='{"Name":1}'     Optional. JSON-Mapping Betrieb -> branchId.
+  --branch-map-file=DATEI       Optional. JSON-Datei mit Betrieb -> branchId.
+  --default-branch-id=ID        Optional. Fallback-Branch-ID für nicht gemappte Betriebe.
+  --dry-run                     Führt keine Schreiboperationen aus.
+  --help                        Zeigt diese Hilfe an.
+
+Beispiel branch-map.json:
+{
+  "Strandcafé": 10,
+  "1848 Pütt": 11,
+  "Oceans11": 12,
+  "Winnys": 13
+}
+`.trim())
+}
+
+function parseArgs(argv: string[]): CliOptions | null {
+    const options: CliOptions = {
+        workbookPath: "/Users/florianfederspiel/Downloads/Mitarbeiterliste.xlsm",
+        tenantId: Number.NaN,
+        dryRun: false,
+        defaultBranchId: null,
+        branchMap: {},
+    }
+
+    for (const arg of argv) {
+        if (arg === "--help" || arg === "-h") {
+            return null
+        }
+
+        if (arg === "--dry-run") {
+            options.dryRun = true
+            continue
+        }
+
+        if (arg.startsWith("--tenant-id=")) {
+            options.tenantId = Number(arg.slice("--tenant-id=".length))
+            continue
+        }
+
+        if (arg.startsWith("--default-branch-id=")) {
+            options.defaultBranchId = Number(arg.slice("--default-branch-id=".length))
+            continue
+        }
+
+        if (arg.startsWith("--branch-map=")) {
+            options.branchMap = parseBranchMap(arg.slice("--branch-map=".length), "CLI")
+            continue
+        }
+
+        if (arg.startsWith("--branch-map-file=")) {
+            const branchMapPath = path.resolve(arg.slice("--branch-map-file=".length))
+            options.branchMap = parseBranchMap(fs.readFileSync(branchMapPath, "utf8"), branchMapPath)
+            continue
+        }
+
+        if (!arg.startsWith("--")) {
+            options.workbookPath = path.resolve(arg)
+            continue
+        }
+
+        throw new Error(`Unbekanntes Argument: ${arg}`)
+    }
+
+    if (!Number.isFinite(options.tenantId)) {
+        throw new Error("Bitte --tenant-id=... angeben.")
+    }
+
+    if (options.defaultBranchId != null && !Number.isFinite(options.defaultBranchId)) {
+        throw new Error("--default-branch-id muss numerisch sein.")
+    }
+
+    return options
+}
+
+function parseBranchMap(raw: string, sourceLabel: string): Record<string, number> {
+    let parsed: unknown
+    try {
+        parsed = JSON.parse(raw)
+    } catch (error) {
+        throw new Error(`Branch-Mapping aus ${sourceLabel} konnte nicht gelesen werden: ${(error as Error).message}`)
+    }
+
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error(`Branch-Mapping aus ${sourceLabel} muss ein JSON-Objekt sein.`)
+    }
+
+    const normalizedEntries = Object.entries(parsed).map(([key, value]) => {
+        const branchId = Number(value)
+        if (!Number.isFinite(branchId)) {
+            throw new Error(`Ungültige Branch-ID für "${key}" in ${sourceLabel}.`)
+        }
+        return [normalizeKey(key), branchId] as const
+    })
+
+    return Object.fromEntries(normalizedEntries)
+}
+
+function normalizeKey(value: string) {
+    return String(value || "")
+        .trim()
+        .replace(/\s+/g, " ")
+        .toLocaleLowerCase("de-DE")
+}
+
+function decodeXmlText(value: string) {
+    return value
+        .replace(/&amp;/g, "&")
+        .replace(/&lt;/g, "<")
+        .replace(/&gt;/g, ">")
+        .replace(/&quot;/g, "\"")
+        .replace(/&apos;/g, "'")
+        .replace(/&#(\d+);/g, (_, code) => String.fromCharCode(Number(code)))
+}
+
+function getWorkbookXml(workbookPath: string, innerPath: string) {
+    return execFileSync("unzip", ["-p", workbookPath, innerPath], {
+        encoding: "utf8",
+        stdio: ["ignore", "pipe", "pipe"],
+    })
+}
+
+function readSharedStrings(workbookPath: string) {
+    const xml = getWorkbookXml(workbookPath, "xl/sharedStrings.xml")
+    return [...xml.matchAll(/<si\b[^>]*>([\s\S]*?)<\/si>/g)].map((match) => {
+        const parts = [...match[1].matchAll(/<t\b[^>]*>([\s\S]*?)<\/t>/g)].map((part) => decodeXmlText(part[1]))
+        return parts.join("")
+    })
+}
+
+function readSheetRows(workbookPath: string, sharedStrings: string[]) {
+    const sheetXml = getWorkbookXml(workbookPath, "xl/worksheets/sheet1.xml")
+    const rows: Record<string, string>[] = []
+
+    for (const rowMatch of sheetXml.matchAll(/<row\b[^>]*r="(\d+)"[^>]*>([\s\S]*?)<\/row>/g)) {
+        const cellMap: Record<string, string> = {}
+        const rowXml = rowMatch[2]
+
+        for (const cellMatch of rowXml.matchAll(/<c\b([^>]*)>([\s\S]*?)<\/c>/g)) {
+            const attrs = cellMatch[1]
+            const cellXml = cellMatch[2]
+            const refMatch = attrs.match(/r="([A-Z]+)\d+"/)
+            if (!refMatch) continue
+
+            const column = refMatch[1]
+            const typeMatch = attrs.match(/t="([^"]+)"/)
+            const type = typeMatch?.[1] || ""
+            const valueMatch = cellXml.match(/<v>([\s\S]*?)<\/v>/)
+            const inlineTextMatch = cellXml.match(/<t\b[^>]*>([\s\S]*?)<\/t>/)
+
+            let value = ""
+            if (type === "s" && valueMatch) {
+                value = sharedStrings[Number(valueMatch[1])] || ""
+            } else if (inlineTextMatch) {
+                value = decodeXmlText(inlineTextMatch[1])
+            } else if (valueMatch) {
+                value = decodeXmlText(valueMatch[1])
+            }
+
+            cellMap[column] = value.trim()
+        }
+
+        rows.push(cellMap)
+    }
+
+    return rows
+}
+
+function parseNumber(value: string) {
+    const normalized = String(value || "").trim().replace(",", ".")
+    if (!normalized) return null
+
+    const parsed = Number(normalized)
+    return Number.isFinite(parsed) ? parsed : null
+}
+
+function parseWorkbook(workbookPath: string): ImportRow[] {
+    const sharedStrings = readSharedStrings(workbookPath)
+    const rows = readSheetRows(workbookPath, sharedStrings)
+
+    if (!rows.length) {
+        throw new Error("Die Arbeitsmappe enthält keine Zeilen.")
+    }
+
+    const header = rows[0]
+    if (header.A !== "Mitarbeiter" || header.B !== "Betrieb") {
+        throw new Error("Unerwartetes Format der Excel-Datei. Erwartet wurden die Spalten 'Mitarbeiter' und 'Betrieb'.")
+    }
+
+    return rows
+        .slice(1)
+        .map((row, index) => ({
+            rowNumber: index + 2,
+            mitarbeiter: row.A || "",
+            betrieb: row.B || "",
+            anstellung: row.C || "",
+            position: row.D || "",
+            bereich: row.E || "",
+            stundenMonat: parseNumber(row.F || ""),
+            urlaub: parseNumber(row.G || ""),
+        }))
+        .filter((row) => row.mitarbeiter)
+}
+
+function splitFullName(fullName: string) {
+    const parts = fullName.trim().split(/\s+/).filter(Boolean)
+    if (parts.length <= 1) {
+        return {
+            firstName: fullName.trim(),
+            lastName: "Unbekannt",
+        }
+    }
+
+    return {
+        firstName: parts.slice(0, -1).join(" "),
+        lastName: parts[parts.length - 1],
+    }
+}
+
+function toWeeklyHours(monthlyHours: number | null) {
+    if (monthlyHours == null) return null
+    return Math.round(((monthlyHours * 12) / 52) * 100) / 100
+}
+
+function formatValue(value: unknown) {
+    if (value == null) return "-"
+    if (typeof value === "object") return JSON.stringify(value)
+    return String(value)
+}
+
+function mapEmploymentCategory(value: string) {
+    const normalized = normalizeKey(value)
+    if (normalized === "aushilfe") return "Aushilfen"
+    if (normalized === "teilzeit" || normalized === "vollzeit") return "Festangestellte"
+    return null
+}
+
+function buildTeamName(bereich: string, anstellung: string) {
+    const employmentCategory = mapEmploymentCategory(anstellung)
+    const normalizedBereich = String(bereich || "").trim()
+    if (!normalizedBereich || !employmentCategory) return null
+    return `${normalizedBereich} ${employmentCategory}`
+}
+
+function collectFieldChanges(existing: any, nextPayload: Record<string, unknown>) {
+    if (!existing) return []
+
+    const changes: string[] = []
+    for (const [field, nextValue] of Object.entries(nextPayload)) {
+        const currentValue = existing[field]
+        const currentFormatted = formatValue(currentValue)
+        const nextFormatted = formatValue(nextValue)
+
+        if (currentFormatted !== nextFormatted) {
+            changes.push(`${field}: ${currentFormatted} -> ${nextFormatted}`)
+        }
+    }
+
+    return changes
+}
+
+async function validateTenantAndBranches(
+    db: any,
+    tenantId: number,
+    branchIds: number[]
+) {
+    const [tenant] = await db
+        .select({ id: tenants.id, name: tenants.name })
+        .from(tenants)
+        .where(eq(tenants.id, tenantId))
+        .limit(1)
+
+    if (!tenant) {
+        throw new Error(`Tenant ${tenantId} wurde nicht gefunden.`)
+    }
+
+    const branchRows = await db
+        .select({ id: branches.id, name: branches.name })
+        .from(branches)
+        .where(eq(branches.tenant, tenantId))
+
+    const validBranchIds = new Set(branchRows.map((branch: any) => Number(branch.id)))
+    for (const branchId of branchIds) {
+        if (!validBranchIds.has(branchId)) {
+            throw new Error(`Branch-ID ${branchId} gehört nicht zum Tenant ${tenantId}.`)
+        }
+    }
+
+    return {
+        tenant,
+        branchRows,
+    }
+}
+
+async function loadTenantTeams(db: any, tenantId: number) {
+    const teamRows = await db
+        .select({
+            id: teams.id,
+            name: teams.name,
+            branch: teams.branch,
+            archived: teams.archived,
+        })
+        .from(teams)
+        .where(eq(teams.tenant, tenantId))
+
+    return new Map(
+        teamRows
+            .filter((team: any) => !team.archived)
+            .map((team: any) => [`${team.branch}::${normalizeKey(team.name)}`, team])
+    )
+}
+
+async function main() {
+    const options = parseArgs(process.argv.slice(2))
+    if (!options) {
+        printHelp()
+        return
+    }
+
+    if (!fs.existsSync(options.workbookPath)) {
+        throw new Error(`Excel-Datei nicht gefunden: ${options.workbookPath}`)
+    }
+
+    const rows = parseWorkbook(options.workbookPath)
+    if (!rows.length) {
+        throw new Error("Keine importierbaren Mitarbeiter gefunden.")
+    }
+
+    const mappedBranchIds = [
+        ...new Set(
+            Object.values(options.branchMap)
+                .concat(options.defaultBranchId != null ? [options.defaultBranchId] : [])
+        ),
+    ]
+
+    const { db, pool } = await import("../db")
+
+    try {
+        const { tenant } = await validateTenantAndBranches(db, options.tenantId, mappedBranchIds)
+        const teamByBranchAndName = await loadTenantTeams(db, options.tenantId)
+
+        const existingProfiles = await db
+            .select()
+            .from(authProfiles)
+            .where(eq(authProfiles.tenant_id, options.tenantId))
+
+        const existingByName = new Map<string, any>()
+        for (const profile of existingProfiles) {
+            const key = normalizeKey(`${profile.first_name} ${profile.last_name}`)
+            if (existingByName.has(key)) {
+                throw new Error(`Mehrdeutiger bestehender Mitarbeiter: ${profile.first_name} ${profile.last_name}`)
+            }
+            existingByName.set(key, profile)
+        }
+
+        const duplicateImportNames = new Set<string>()
+        const seenImportNames = new Set<string>()
+        for (const row of rows) {
+            const key = normalizeKey(row.mitarbeiter)
+            if (seenImportNames.has(key)) duplicateImportNames.add(row.mitarbeiter)
+            seenImportNames.add(key)
+        }
+
+        if (duplicateImportNames.size) {
+            throw new Error(`Die Excel-Datei enthält doppelte Mitarbeiternamen: ${[...duplicateImportNames].join(", ")}`)
+        }
+
+        const missingBranchMappings = new Set<string>()
+        const missingTeams = new Set<string>()
+        const preparedRows = rows.map((row) => {
+            const branchKey = normalizeKey(row.betrieb)
+            const branchId = options.branchMap[branchKey] ?? options.defaultBranchId ?? null
+            if (!branchId) {
+                missingBranchMappings.add(row.betrieb || `(Zeile ${row.rowNumber})`)
+            }
+
+            const teamName = buildTeamName(row.bereich, row.anstellung)
+            const team = branchId && teamName
+                ? (teamByBranchAndName.get(`${branchId}::${normalizeKey(teamName)}`) as any) || null
+                : null
+
+            if (branchId && teamName && !team) {
+                missingTeams.add(`${row.betrieb} | ${teamName}`)
+            }
+
+            return {
+                ...row,
+                branchId,
+                teamId: team?.id ?? null,
+                teamName,
+                weeklyHours: toWeeklyHours(row.stundenMonat),
+            }
+        })
+
+        if (missingBranchMappings.size) {
+            throw new Error(
+                `Für folgende Betriebe fehlt eine Branch-ID: ${[...missingBranchMappings].join(", ")}`
+            )
+        }
+
+        if (missingTeams.size) {
+            throw new Error(
+                `Für folgende Niederlassung-/Bereich-Kombinationen fehlen Teams: ${[...missingTeams].join(", ")}`
+            )
+        }
+
+        let createdProfiles = 0
+        let updatedProfiles = 0
+        const actionLogs: string[] = []
+
+        for (const row of preparedRows) {
+            const nameParts = splitFullName(row.mitarbeiter)
+            const nameKey = normalizeKey(row.mitarbeiter)
+            const existing = existingByName.get(nameKey)
+
+            const tempConfig = {
+                ...((existing?.temp_config && typeof existing.temp_config === "object") ? existing.temp_config : {}),
+                mitarbeiterImport: {
+                    betrieb: row.betrieb,
+                    bereich: row.bereich,
+                    stundenMonat: row.stundenMonat,
+                    urlaub: row.urlaub,
+                    quelle: path.basename(options.workbookPath),
+                    importiertAm: new Date().toISOString(),
+                },
+            }
+
+            const payload = {
+                tenant_id: options.tenantId,
+                branch_id: row.branchId,
+                first_name: nameParts.firstName,
+                last_name: nameParts.lastName,
+                contract_type: row.anstellung || null,
+                position: row.position || null,
+                qualification: row.bereich || null,
+                weekly_working_hours: row.weeklyHours ?? existing?.weekly_working_hours ?? 0,
+                annual_paid_leave_days: row.urlaub != null ? Math.round(row.urlaub) : existing?.annual_paid_leave_days ?? null,
+                temp_config: tempConfig,
+                active: existing?.active ?? true,
+            }
+
+            const action: ImportAction = existing ? "update" : "create"
+            const fieldChanges = existing ? collectFieldChanges(existing, payload) : []
+            const actionPrefix = action === "create" ? "ERSTELLEN" : "AKTUALISIEREN"
+            const branchLabel = `${row.betrieb} -> ${row.branchId}`
+            const teamLabel = row.teamName ? `${row.teamName} -> ${row.teamId}` : "-"
+
+            if (action === "create") {
+                actionLogs.push(
+                    `[${actionPrefix}] ${row.mitarbeiter} | Branch ${branchLabel} | Team ${teamLabel} | Vertrag ${row.anstellung || "-"} | Position ${row.position || "-"}`
+                )
+            } else {
+                actionLogs.push(
+                    `[${actionPrefix}] ${row.mitarbeiter} | Branch ${branchLabel} | Team ${teamLabel} | Änderungen: ${fieldChanges.length ? fieldChanges.join("; ") : "keine"}`
+                )
+            }
+
+            if (!existing) {
+                if (!options.dryRun) {
+                    const [created] = await db
+                        .insert(authProfiles)
+                        .values(payload)
+                        .returning()
+
+                    if (!created) {
+                        throw new Error(`Profil für "${row.mitarbeiter}" konnte nicht erstellt werden.`)
+                    }
+
+                    await db.insert(authProfileBranches).values({
+                        profile_id: created.id,
+                        branch_id: row.branchId,
+                    })
+
+                    if (row.teamId) {
+                        await db.insert(authProfileTeams).values({
+                            profile_id: created.id,
+                            team_id: row.teamId,
+                        })
+                    }
+
+                    existingByName.set(nameKey, created)
+                }
+
+                createdProfiles += 1
+                continue
+            }
+
+            if (!options.dryRun) {
+                await db
+                    .update(authProfiles)
+                    .set(payload)
+                    .where(
+                        and(
+                            eq(authProfiles.id, existing.id),
+                            eq(authProfiles.tenant_id, options.tenantId)
+                        )
+                    )
+
+                await db
+                    .delete(authProfileBranches)
+                    .where(eq(authProfileBranches.profile_id, existing.id))
+
+                await db.insert(authProfileBranches).values({
+                    profile_id: existing.id,
+                    branch_id: row.branchId,
+                })
+
+                await db
+                    .delete(authProfileTeams)
+                    .where(eq(authProfileTeams.profile_id, existing.id))
+
+                if (row.teamId) {
+                    await db.insert(authProfileTeams).values({
+                        profile_id: existing.id,
+                        team_id: row.teamId,
+                    })
+                }
+            }
+
+            updatedProfiles += 1
+        }
+
+        console.log("")
+        console.log(`[IMPORT MITARBEITER] Tenant: ${tenant.id} (${tenant.name})`)
+        console.log(`[IMPORT MITARBEITER] Datei: ${options.workbookPath}`)
+        console.log(`[IMPORT MITARBEITER] Dry-Run: ${options.dryRun ? "JA" : "NEIN"}`)
+        console.log(`[IMPORT MITARBEITER] Zeilen gelesen: ${rows.length}`)
+        console.log(`[IMPORT MITARBEITER] Profile erstellt: ${createdProfiles}`)
+        console.log(`[IMPORT MITARBEITER] Profile aktualisiert: ${updatedProfiles}`)
+        if (actionLogs.length) {
+            console.log("[IMPORT MITARBEITER] Details:")
+            for (const logLine of actionLogs) {
+                console.log(`  ${logLine}`)
+            }
+        }
+        console.log("")
+    } finally {
+        await pool.end()
+    }
+}
+
+main().catch((error) => {
+    console.error("[IMPORT MITARBEITER] Fehler:", error)
+    process.exitCode = 1
+})

backend/scripts/migrate.ts

@@ -0,0 +1,47 @@
+import "dotenv/config"
+import path from "node:path"
+import { fileURLToPath } from "node:url"
+import { drizzle } from "drizzle-orm/node-postgres"
+import { migrate } from "drizzle-orm/node-postgres/migrator"
+import { Pool } from "pg"
+
+import { loadSecrets, secrets } from "../src/utils/secrets"
+
+const __filename = fileURLToPath(import.meta.url)
+const __dirname = path.dirname(__filename)
+
+async function run() {
+    let connectionString = process.env.DATABASE_URL
+
+    if (!connectionString) {
+        await loadSecrets()
+        connectionString = secrets.DATABASE_URL
+    }
+
+    if (!connectionString) {
+        throw new Error("DATABASE_URL not configured")
+    }
+
+    const pool = new Pool({
+        connectionString,
+        max: 1,
+    })
+
+    try {
+        const db = drizzle(pool)
+
+        await migrate(db, {
+            migrationsFolder: path.resolve(__dirname, "../db/migrations"),
+        })
+
+        console.log("✅ Drizzle-Migrationen erfolgreich angewendet")
+    } finally {
+        await pool.end()
+    }
+}
+
+run().catch((err) => {
+    console.error("❌ Migration fehlgeschlagen")
+    console.error(err)
+    process.exit(1)
+})

backend/scripts/mitarbeiterliste-tenant-41-branches.json

@@ -0,0 +1,7 @@
+{
+  "1848 Pütt": 1,
+  "Strandcafé": 3,
+  "Oceans11": 4,
+  "Oceans 11": 4,
+  "Winnys": 5
+}

backend/src/index.ts

@@ -29,6 +29,12 @@ import staffTimeConnectRoutes from "./routes/staff/timeconnects";
 import userRoutes from "./routes/auth/user";
 import publiclinksAuthenticatedRoutes from "./routes/publiclinks/publiclinks-authenticated";
 import wikiRoutes from "./routes/wiki";
+import portalContractRoutes from "./routes/portal/contracts";
+import mcpRoutes from "./routes/mcp";
+import communicationRoutes from "./routes/communication";
+import telephonyRoutes from "./routes/telephony";
+import instanceAgentRoutes from "./routes/instanceAgents";
+import instanceAgentGatewayRoutes from "./routes/instanceAgentGateway";
 
 //Public Links
 import publiclinksNonAuthenticatedRoutes from "./routes/publiclinks/publiclinks-non-authenticated";
@@ -53,6 +59,8 @@ import {sendMail} from "./utils/mailer";
 import {loadSecrets, secrets} from "./utils/secrets";
 import {initMailer} from "./utils/mailer"
 import {initS3} from "./utils/s3";
+import { runBootstrap } from "./modules/bootstrap.service";
+import { startMatrixPushWorker } from "./modules/matrix-push-worker.service";
 
 
 //Services
@@ -77,6 +85,8 @@ async function main() {
     await app.register(dayjsPlugin);
     await app.register(dbPlugin);
     await app.register(servicesPlugin);
+    await runBootstrap(app);
+    startMatrixPushWorker(app);
 
     app.addHook('preHandler', (req, reply, done) => {
         console.log(req.method)
@@ -120,6 +130,10 @@ async function main() {
         await devicesApp.register(devicesManagementRoutes)
     },{prefix: "/devices"})
 
+    await app.register(async (agentApp) => {
+        await agentApp.register(instanceAgentGatewayRoutes)
+    },{prefix: "/instance-agent"})
+
     await app.register(corsPlugin);
 
     //Geschützte Routes
@@ -146,6 +160,11 @@ async function main() {
         await subApp.register(publiclinksAuthenticatedRoutes);
         await subApp.register(resourceRoutes);
         await subApp.register(wikiRoutes);
+        await subApp.register(portalContractRoutes);
+        await subApp.register(mcpRoutes);
+        await subApp.register(communicationRoutes);
+        await subApp.register(telephonyRoutes);
+        await subApp.register(instanceAgentRoutes);
 
     },{prefix: "/api"})