test: comprehensive E2E and API test suite for full KanzlAI stack

Backend (Go):
- Expanded integration_test.go: health, auth middleware (expired/invalid/wrong-secret JWT),
  tenant CRUD, case CRUD (create/list/get/update/delete + filters + validation),
  deadline CRUD (create/list/update/complete/delete), appointment CRUD,
  dashboard (verifies all sections), deadline calculator (valid/invalid/unknown type),
  proceeding types & rules, document endpoints, AI extraction (no-key path),
  and full critical path E2E (auth -> case -> deadline -> appointment -> dashboard -> complete)
- New handler unit tests: case (10), appointment (11), dashboard (1), calculate (5),
  document (10), AI (4) — all testing validation, auth guards, and error paths without DB
- Total: ~80 backend tests (unit + integration)

Frontend (TypeScript/Vitest):
- Installed vitest 2.x, @testing-library/react, @testing-library/jest-dom, jsdom 24, msw
- vitest.config.ts with jsdom env, esbuild JSX automatic, path aliases
- API client tests (13): URL construction, no double /api/, auth header, tenant header,
  POST/PUT/PATCH/DELETE methods, error handling, 204 responses
- DeadlineTrafficLights tests (5): renders cards, correct counts, zero state, onFilter callback
- CaseOverviewGrid tests (4): renders categories, counts, header, zero state
- LoginPage tests (8): form rendering, mode toggle, password login, redirect, error display,
  magic link, registration link
- Total: 30 frontend tests

Makefile: test-frontend target now runs vitest instead of placeholder echo.

backend/internal/handlers/case_handler_test.go

@@ -0,0 +1,177 @@
+package handlers
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/google/uuid"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+)
+
+func TestCaseCreate_NoAuth(t *testing.T) {
+	h := &CaseHandler{}
+	r := httptest.NewRequest("POST", "/api/cases", bytes.NewBufferString(`{}`))
+	w := httptest.NewRecorder()
+
+	h.Create(w, r)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d", w.Code)
+	}
+}
+
+func TestCaseCreate_MissingFields(t *testing.T) {
+	h := &CaseHandler{}
+	body := `{"case_number":"","title":""}`
+	r := httptest.NewRequest("POST", "/api/cases", bytes.NewBufferString(body))
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Create(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+	var resp map[string]string
+	json.NewDecoder(w.Body).Decode(&resp)
+	if resp["error"] != "case_number and title are required" {
+		t.Errorf("unexpected error: %s", resp["error"])
+	}
+}
+
+func TestCaseCreate_InvalidJSON(t *testing.T) {
+	h := &CaseHandler{}
+	r := httptest.NewRequest("POST", "/api/cases", bytes.NewBufferString(`not-json`))
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Create(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestCaseGet_InvalidID(t *testing.T) {
+	h := &CaseHandler{}
+	r := httptest.NewRequest("GET", "/api/cases/not-a-uuid", nil)
+	r.SetPathValue("id", "not-a-uuid")
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Get(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestCaseGet_NoTenant(t *testing.T) {
+	h := &CaseHandler{}
+	r := httptest.NewRequest("GET", "/api/cases/"+uuid.New().String(), nil)
+	r.SetPathValue("id", uuid.New().String())
+	w := httptest.NewRecorder()
+
+	h.Get(w, r)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d", w.Code)
+	}
+}
+
+func TestCaseList_NoTenant(t *testing.T) {
+	h := &CaseHandler{}
+	r := httptest.NewRequest("GET", "/api/cases", nil)
+	w := httptest.NewRecorder()
+
+	h.List(w, r)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d", w.Code)
+	}
+}
+
+func TestCaseUpdate_InvalidID(t *testing.T) {
+	h := &CaseHandler{}
+	body := `{"title":"Updated"}`
+	r := httptest.NewRequest("PUT", "/api/cases/bad-id", bytes.NewBufferString(body))
+	r.SetPathValue("id", "bad-id")
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Update(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestCaseUpdate_InvalidJSON(t *testing.T) {
+	h := &CaseHandler{}
+	caseID := uuid.New().String()
+	r := httptest.NewRequest("PUT", "/api/cases/"+caseID, bytes.NewBufferString(`{bad`))
+	r.SetPathValue("id", caseID)
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Update(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestCaseDelete_NoTenant(t *testing.T) {
+	h := &CaseHandler{}
+	r := httptest.NewRequest("DELETE", "/api/cases/"+uuid.New().String(), nil)
+	r.SetPathValue("id", uuid.New().String())
+	w := httptest.NewRecorder()
+
+	h.Delete(w, r)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d", w.Code)
+	}
+}
+
+func TestCaseDelete_InvalidID(t *testing.T) {
+	h := &CaseHandler{}
+	r := httptest.NewRequest("DELETE", "/api/cases/bad-id", nil)
+	r.SetPathValue("id", "bad-id")
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Delete(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}