feat: time tracking + billing — hourly rates, time entries, invoices (P1)

Database: time_entries, billing_rates, invoices tables with RLS.
Backend: CRUD services+handlers for time entries, billing rates, invoices.
  - Time entries: list/create/update/delete, summary by case/user/month
  - Billing rates: upsert with auto-close previous, current rate lookup
  - Invoices: create with auto-number (RE-YYYY-NNN), status transitions
    (draft->sent->paid, cancellation), link time entries on invoice create
API: 11 new endpoints under /api/time-entries, /api/billing-rates, /api/invoices
Frontend: Zeiterfassung tab on case detail, /abrechnung overview with filters,
  /abrechnung/rechnungen list+detail with status actions, billing rates settings
Also: resolved merge conflicts between audit-trail and role-based branches,
  added missing types (Notification, AuditLogResponse, NotificationPreferences)

backend/internal/handlers/billing_rates.go

@@ -0,0 +1,66 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+)
+
+type BillingRateHandler struct {
+	svc *services.BillingRateService
+}
+
+func NewBillingRateHandler(svc *services.BillingRateService) *BillingRateHandler {
+	return &BillingRateHandler{svc: svc}
+}
+
+// List handles GET /api/billing-rates
+func (h *BillingRateHandler) List(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	rates, err := h.svc.List(r.Context(), tenantID)
+	if err != nil {
+		internalError(w, "failed to list billing rates", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{"billing_rates": rates})
+}
+
+// Upsert handles PUT /api/billing-rates
+func (h *BillingRateHandler) Upsert(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	var input services.UpsertBillingRateInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+
+	if input.Rate < 0 {
+		writeError(w, http.StatusBadRequest, "rate must be non-negative")
+		return
+	}
+	if input.ValidFrom == "" {
+		writeError(w, http.StatusBadRequest, "valid_from is required")
+		return
+	}
+
+	rate, err := h.svc.Upsert(r.Context(), tenantID, input)
+	if err != nil {
+		internalError(w, "failed to upsert billing rate", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, rate)
+}

backend/internal/handlers/deadlines.go

@@ -198,18 +198,9 @@ func (h *DeadlineHandlers) Delete(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-<<<<<<< HEAD
-	if err := h.deadlines.Delete(tenantID, deadlineID); err != nil {
-		writeError(w, http.StatusNotFound, "deadline not found")
-||||||| 82878df
-	err = h.deadlines.Delete(tenantID, deadlineID)
-	if err != nil {
-		writeError(w, http.StatusNotFound, err.Error())
-=======
 	err = h.deadlines.Delete(r.Context(), tenantID, deadlineID)
 	if err != nil {
 		writeError(w, http.StatusNotFound, err.Error())
->>>>>>> mai/knuth/p0-audit-trail-append
 		return
 	}
 

backend/internal/handlers/invoices.go

@@ -0,0 +1,170 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+
+	"github.com/google/uuid"
+)
+
+type InvoiceHandler struct {
+	svc *services.InvoiceService
+}
+
+func NewInvoiceHandler(svc *services.InvoiceService) *InvoiceHandler {
+	return &InvoiceHandler{svc: svc}
+}
+
+// List handles GET /api/invoices?case_id=&status=
+func (h *InvoiceHandler) List(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	var caseID *uuid.UUID
+	if caseStr := r.URL.Query().Get("case_id"); caseStr != "" {
+		parsed, err := uuid.Parse(caseStr)
+		if err != nil {
+			writeError(w, http.StatusBadRequest, "invalid case_id")
+			return
+		}
+		caseID = &parsed
+	}
+
+	invoices, err := h.svc.List(r.Context(), tenantID, caseID, r.URL.Query().Get("status"))
+	if err != nil {
+		internalError(w, "failed to list invoices", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{"invoices": invoices})
+}
+
+// Get handles GET /api/invoices/{id}
+func (h *InvoiceHandler) Get(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	invoiceID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid invoice ID")
+		return
+	}
+
+	inv, err := h.svc.GetByID(r.Context(), tenantID, invoiceID)
+	if err != nil {
+		internalError(w, "failed to get invoice", err)
+		return
+	}
+	if inv == nil {
+		writeError(w, http.StatusNotFound, "invoice not found")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, inv)
+}
+
+// Create handles POST /api/invoices
+func (h *InvoiceHandler) Create(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+	userID, _ := auth.UserFromContext(r.Context())
+
+	var input services.CreateInvoiceInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+
+	if input.ClientName == "" {
+		writeError(w, http.StatusBadRequest, "client_name is required")
+		return
+	}
+	if input.CaseID == uuid.Nil {
+		writeError(w, http.StatusBadRequest, "case_id is required")
+		return
+	}
+
+	inv, err := h.svc.Create(r.Context(), tenantID, userID, input)
+	if err != nil {
+		internalError(w, "failed to create invoice", err)
+		return
+	}
+
+	writeJSON(w, http.StatusCreated, inv)
+}
+
+// Update handles PUT /api/invoices/{id}
+func (h *InvoiceHandler) Update(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	invoiceID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid invoice ID")
+		return
+	}
+
+	var input services.UpdateInvoiceInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+
+	inv, err := h.svc.Update(r.Context(), tenantID, invoiceID, input)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, inv)
+}
+
+// UpdateStatus handles PATCH /api/invoices/{id}/status
+func (h *InvoiceHandler) UpdateStatus(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	invoiceID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid invoice ID")
+		return
+	}
+
+	var body struct {
+		Status string `json:"status"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+	if body.Status == "" {
+		writeError(w, http.StatusBadRequest, "status is required")
+		return
+	}
+
+	inv, err := h.svc.UpdateStatus(r.Context(), tenantID, invoiceID, body.Status)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, inv)
+}

backend/internal/handlers/time_entries.go

@@ -0,0 +1,209 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+
+	"github.com/google/uuid"
+)
+
+type TimeEntryHandler struct {
+	svc *services.TimeEntryService
+}
+
+func NewTimeEntryHandler(svc *services.TimeEntryService) *TimeEntryHandler {
+	return &TimeEntryHandler{svc: svc}
+}
+
+// ListForCase handles GET /api/cases/{id}/time-entries
+func (h *TimeEntryHandler) ListForCase(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	caseID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid case ID")
+		return
+	}
+
+	entries, err := h.svc.ListForCase(r.Context(), tenantID, caseID)
+	if err != nil {
+		internalError(w, "failed to list time entries", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{"time_entries": entries})
+}
+
+// List handles GET /api/time-entries?case_id=&user_id=&from=&to=
+func (h *TimeEntryHandler) List(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
+	offset, _ := strconv.Atoi(r.URL.Query().Get("offset"))
+	limit, offset = clampPagination(limit, offset)
+
+	filter := services.TimeEntryFilter{
+		From:   r.URL.Query().Get("from"),
+		To:     r.URL.Query().Get("to"),
+		Limit:  limit,
+		Offset: offset,
+	}
+
+	if caseStr := r.URL.Query().Get("case_id"); caseStr != "" {
+		caseID, err := uuid.Parse(caseStr)
+		if err != nil {
+			writeError(w, http.StatusBadRequest, "invalid case_id")
+			return
+		}
+		filter.CaseID = &caseID
+	}
+	if userStr := r.URL.Query().Get("user_id"); userStr != "" {
+		userID, err := uuid.Parse(userStr)
+		if err != nil {
+			writeError(w, http.StatusBadRequest, "invalid user_id")
+			return
+		}
+		filter.UserID = &userID
+	}
+
+	entries, total, err := h.svc.List(r.Context(), tenantID, filter)
+	if err != nil {
+		internalError(w, "failed to list time entries", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{
+		"time_entries": entries,
+		"total":        total,
+	})
+}
+
+// Create handles POST /api/cases/{id}/time-entries
+func (h *TimeEntryHandler) Create(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+	userID, _ := auth.UserFromContext(r.Context())
+
+	caseID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid case ID")
+		return
+	}
+
+	var input services.CreateTimeEntryInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+	input.CaseID = caseID
+
+	if input.Description == "" {
+		writeError(w, http.StatusBadRequest, "description is required")
+		return
+	}
+	if input.DurationMinutes <= 0 {
+		writeError(w, http.StatusBadRequest, "duration_minutes must be positive")
+		return
+	}
+	if input.Date == "" {
+		writeError(w, http.StatusBadRequest, "date is required")
+		return
+	}
+
+	entry, err := h.svc.Create(r.Context(), tenantID, userID, input)
+	if err != nil {
+		internalError(w, "failed to create time entry", err)
+		return
+	}
+
+	writeJSON(w, http.StatusCreated, entry)
+}
+
+// Update handles PUT /api/time-entries/{id}
+func (h *TimeEntryHandler) Update(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	entryID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid time entry ID")
+		return
+	}
+
+	var input services.UpdateTimeEntryInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+
+	entry, err := h.svc.Update(r.Context(), tenantID, entryID, input)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, entry)
+}
+
+// Delete handles DELETE /api/time-entries/{id}
+func (h *TimeEntryHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	entryID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid time entry ID")
+		return
+	}
+
+	if err := h.svc.Delete(r.Context(), tenantID, entryID); err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]string{"status": "deleted"})
+}
+
+// Summary handles GET /api/time-entries/summary?group_by=case|user|month&from=&to=
+func (h *TimeEntryHandler) Summary(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	groupBy := r.URL.Query().Get("group_by")
+	if groupBy == "" {
+		groupBy = "case"
+	}
+
+	summaries, err := h.svc.Summary(r.Context(), tenantID, groupBy,
+		r.URL.Query().Get("from"), r.URL.Query().Get("to"))
+	if err != nil {
+		internalError(w, "failed to get summary", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{"summary": summaries})
+}