feat: HL tenant + email domain auto-assignment

backend/internal/auth/middleware.go

@@ -43,7 +43,7 @@ func (m *Middleware) RequireAuth(next http.Handler) http.Handler {
 		}
 		ctx = ContextWithRequestInfo(ctx, ip, r.UserAgent())
 
-		// Tenant resolution is handled by TenantResolver middleware for scoped routes.
+		// Tenant/role resolution is handled by TenantResolver middleware for scoped routes.
 		// Tenant management routes handle their own access control.
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})

backend/internal/auth/tenant_resolver.go

@@ -12,7 +12,6 @@ import (
 // Defined as an interface to avoid circular dependency with services.
 type TenantLookup interface {
 	FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error)
-	VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error)
 	GetUserRole(ctx context.Context, userID, tenantID uuid.UUID) (string, error)
 }
 
@@ -42,7 +41,6 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
 				http.Error(w, `{"error":"invalid X-Tenant-ID"}`, http.StatusBadRequest)
 				return
 			}
-
 			// Verify user has access and get their role
 			role, err := tr.lookup.GetUserRole(r.Context(), userID, parsed)
 			if err != nil {
@@ -58,7 +56,7 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
 			tenantID = parsed
 			r = r.WithContext(ContextWithUserRole(r.Context(), role))
 		} else {
-			// Default to user's first tenant (role already set by middleware)
+			// Default to user's first tenant
 			first, err := tr.lookup.FirstTenantForUser(r.Context(), userID)
 			if err != nil {
 				slog.Error("failed to resolve default tenant", "error", err, "user_id", userID)
@@ -70,6 +68,15 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
 				return
 			}
 			tenantID = *first
+
+			// Resolve role for default tenant
+			role, err := tr.lookup.GetUserRole(r.Context(), userID, tenantID)
+			if err != nil {
+				slog.Error("failed to resolve role for default tenant", "error", err)
+				http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
+				return
+			}
+			r = r.WithContext(ContextWithUserRole(r.Context(), role))
 		}
 
 		ctx := ContextWithTenantID(r.Context(), tenantID)

backend/internal/auth/tenant_resolver_test.go

@@ -10,27 +10,18 @@ import (
 )
 
 type mockTenantLookup struct {
-	tenantID  *uuid.UUID
+	tenantID *uuid.UUID
-	err       error
+	role     string
-	hasAccess bool
+	roleSet  bool // true means role was explicitly set (even if empty)
-	accessErr error
+	err      error
-	role      string
-	noAccess  bool // when true, GetUserRole returns ""
 }
 
 func (m *mockTenantLookup) FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error) {
 	return m.tenantID, m.err
 }
 
-func (m *mockTenantLookup) VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error) {
-	return m.hasAccess, m.accessErr
-}
-
 func (m *mockTenantLookup) GetUserRole(ctx context.Context, userID, tenantID uuid.UUID) (string, error) {
-	if m.noAccess {
+	if m.roleSet {
-		return "", m.err
-	}
-	if m.role != "" {
 		return m.role, m.err
 	}
 	return "associate", m.err
@@ -38,7 +29,7 @@ func (m *mockTenantLookup) GetUserRole(ctx context.Context, userID, tenantID uui
 
 func TestTenantResolver_FromHeader(t *testing.T) {
 	tenantID := uuid.New()
-	tr := NewTenantResolver(&mockTenantLookup{role: "partner", hasAccess: true})
+	tr := NewTenantResolver(&mockTenantLookup{role: "partner"})
 
 	var gotTenantID uuid.UUID
 	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -67,7 +58,7 @@ func TestTenantResolver_FromHeader(t *testing.T) {
 
 func TestTenantResolver_FromHeader_NoAccess(t *testing.T) {
 	tenantID := uuid.New()
-	tr := NewTenantResolver(&mockTenantLookup{noAccess: true})
+	tr := NewTenantResolver(&mockTenantLookup{role: "", roleSet: true})
 
 	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		t.Fatal("next should not be called")
@@ -87,7 +78,7 @@ func TestTenantResolver_FromHeader_NoAccess(t *testing.T) {
 
 func TestTenantResolver_DefaultsToFirst(t *testing.T) {
 	tenantID := uuid.New()
-	tr := NewTenantResolver(&mockTenantLookup{tenantID: &tenantID})
+	tr := NewTenantResolver(&mockTenantLookup{tenantID: &tenantID, role: "owner"})
 
 	var gotTenantID uuid.UUID
 	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

backend/internal/handlers/tenant_handler.go

@@ -356,6 +356,71 @@ func (h *TenantHandler) UpdateMemberRole(w http.ResponseWriter, r *http.Request)
 	jsonResponse(w, map[string]string{"status": "updated"}, http.StatusOK)
 }
 
+// AutoAssign handles POST /api/tenants/auto-assign — checks if the user's email domain
+// matches any tenant's auto_assign_domains and assigns them if so.
+func (h *TenantHandler) AutoAssign(w http.ResponseWriter, r *http.Request) {
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	var req struct {
+		Email string `json:"email"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		jsonError(w, "invalid request body", http.StatusBadRequest)
+		return
+	}
+	if req.Email == "" {
+		jsonError(w, "email is required", http.StatusBadRequest)
+		return
+	}
+
+	// Extract domain from email
+	parts := splitEmail(req.Email)
+	if parts == "" {
+		jsonError(w, "invalid email format", http.StatusBadRequest)
+		return
+	}
+
+	result, err := h.svc.AutoAssignByDomain(r.Context(), userID, parts)
+	if err != nil {
+		slog.Error("auto-assign failed", "error", err)
+		jsonError(w, "internal error", http.StatusInternalServerError)
+		return
+	}
+
+	if result == nil {
+		jsonResponse(w, map[string]any{"assigned": false}, http.StatusOK)
+		return
+	}
+
+	jsonResponse(w, map[string]any{
+		"assigned":  true,
+		"tenant_id": result.ID,
+		"name":      result.Name,
+		"slug":      result.Slug,
+		"role":      result.Role,
+		"settings":  result.Settings,
+	}, http.StatusOK)
+}
+
+// splitEmail extracts the domain part from an email address.
+func splitEmail(email string) string {
+	at := -1
+	for i, c := range email {
+		if c == '@' {
+			at = i
+			break
+		}
+	}
+	if at < 0 || at >= len(email)-1 {
+		return ""
+	}
+	return email[at+1:]
+}
+
 // GetMe handles GET /api/me — returns the current user's ID and role in the active tenant.
 func (h *TenantHandler) GetMe(w http.ResponseWriter, r *http.Request) {
 	userID, ok := auth.UserFromContext(r.Context())
@@ -370,11 +435,26 @@ func (h *TenantHandler) GetMe(w http.ResponseWriter, r *http.Request) {
 	// Get user's permissions for frontend UI
 	perms := auth.GetRolePermissions(role)
 
+	// Check if tenant is in demo mode
+	isDemo := false
+	if tenant, err := h.svc.GetByID(r.Context(), tenantID); err == nil && tenant != nil {
+		var settings map[string]json.RawMessage
+		if json.Unmarshal(tenant.Settings, &settings) == nil {
+			if demoRaw, ok := settings["demo"]; ok {
+				var demo bool
+				if json.Unmarshal(demoRaw, &demo) == nil {
+					isDemo = demo
+				}
+			}
+		}
+	}
+
 	jsonResponse(w, map[string]any{
 		"user_id":     userID,
 		"tenant_id":   tenantID,
 		"role":        role,
 		"permissions": perms,
+		"is_demo":     isDemo,
 	}, http.StatusOK)
 }
 

backend/internal/router/router.go

@@ -77,6 +77,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	api := http.NewServeMux()
 
 	// Tenant management (no tenant resolver — these operate across tenants)
+	api.HandleFunc("POST /api/tenants/auto-assign", tenantH.AutoAssign)
 	api.HandleFunc("POST /api/tenants", tenantH.CreateTenant)
 	api.HandleFunc("GET /api/tenants", tenantH.ListTenants)
 	api.HandleFunc("GET /api/tenants/{id}", tenantH.GetTenant)
@@ -161,7 +162,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	scoped.HandleFunc("GET /api/dashboard", dashboardH.Get)
 
 	// Audit log
-	scoped.HandleFunc("GET /api/audit-log", auditH.List)
+	scoped.HandleFunc("GET /api/audit-log", perm(auth.PermViewAuditLog, auditH.List))
 
 	// Documents — all can upload, delete checked in handler (own vs all)
 	scoped.HandleFunc("GET /api/cases/{id}/documents", docH.ListByCase)

backend/internal/services/tenant_service.go

@@ -240,6 +240,54 @@ func (s *TenantService) UpdateMemberRole(ctx context.Context, tenantID, userID u
 	return nil
 }
 
+// AutoAssignByDomain finds a tenant with a matching auto_assign_domains setting
+// and adds the user as a member. Returns the tenant and role, or nil if no match.
+func (s *TenantService) AutoAssignByDomain(ctx context.Context, userID uuid.UUID, emailDomain string) (*models.TenantWithRole, error) {
+	// Find tenant where settings.auto_assign_domains contains this domain
+	var tenant models.Tenant
+	err := s.db.GetContext(ctx, &tenant,
+		`SELECT id, name, slug, settings, created_at, updated_at
+		 FROM tenants
+		 WHERE settings->'auto_assign_domains' ? $1
+		 LIMIT 1`,
+		emailDomain,
+	)
+	if err != nil {
+		return nil, nil // no match — not an error
+	}
+
+	// Check if already a member
+	var exists bool
+	err = s.db.GetContext(ctx, &exists,
+		`SELECT EXISTS(SELECT 1 FROM user_tenants WHERE user_id = $1 AND tenant_id = $2)`,
+		userID, tenant.ID,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("check membership: %w", err)
+	}
+	if exists {
+		// Already a member — return the existing membership
+		role, err := s.GetUserRole(ctx, userID, tenant.ID)
+		if err != nil {
+			return nil, fmt.Errorf("get existing role: %w", err)
+		}
+		return &models.TenantWithRole{Tenant: tenant, Role: role}, nil
+	}
+
+	// Add as member (associate by default for auto-assigned users)
+	role := "associate"
+	_, err = s.db.ExecContext(ctx,
+		`INSERT INTO user_tenants (user_id, tenant_id, role) VALUES ($1, $2, $3)`,
+		userID, tenant.ID, role,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("auto-assign user: %w", err)
+	}
+
+	s.audit.Log(ctx, "create", "auto_membership", &tenant.ID, map[string]any{"domain": emailDomain}, map[string]any{"user_id": userID, "role": role})
+	return &models.TenantWithRole{Tenant: tenant, Role: role}, nil
+}
+
 // RemoveMember removes a user from a tenant. Cannot remove the last owner.
 func (s *TenantService) RemoveMember(ctx context.Context, tenantID, userID uuid.UUID) error {
 	// Check if the user being removed is an owner

frontend/src/app/(app)/layout.tsx

@@ -1,5 +1,6 @@
 import { Sidebar } from "@/components/layout/Sidebar";
 import { Header } from "@/components/layout/Header";
+import { DemoBanner } from "@/components/layout/DemoBanner";
 
 export const dynamic = "force-dynamic";
 
@@ -12,6 +13,7 @@ export default function AppLayout({
     <div className="flex h-screen overflow-hidden bg-neutral-50">
       <Sidebar />
       <div className="flex flex-1 flex-col overflow-hidden">
+        <DemoBanner />
         <Header />
         <main className="flex-1 overflow-y-auto p-4 sm:p-6">{children}</main>
       </div>

frontend/src/app/(auth)/register/page.tsx

@@ -5,12 +5,22 @@ import { api } from "@/lib/api";
 import { useRouter } from "next/navigation";
 import { useState } from "react";
 
+interface AutoAssignResponse {
+  assigned: boolean;
+  tenant_id?: string;
+  name?: string;
+  slug?: string;
+  role?: string;
+  settings?: Record<string, unknown>;
+}
+
 export default function RegisterPage() {
   const [email, setEmail] = useState("");
   const [password, setPassword] = useState("");
   const [firmName, setFirmName] = useState("");
   const [loading, setLoading] = useState(false);
   const [error, setError] = useState<string | null>(null);
+  const [showFirmName, setShowFirmName] = useState(true);
   const router = useRouter();
   const supabase = createClient();
 
@@ -34,8 +44,30 @@ export default function RegisterPage() {
       return;
     }
 
-    // 2. Create tenant via backend (the backend adds the user as owner)
     if (data.session) {
+      // 2. Check if email domain matches an existing tenant for auto-assignment
+      try {
+        const result = await api.post<AutoAssignResponse>("/tenants/auto-assign", { email });
+        if (result.assigned && result.tenant_id) {
+          // Auto-assigned — store tenant and go to dashboard
+          localStorage.setItem("kanzlai_tenant_id", result.tenant_id);
+          router.push("/");
+          router.refresh();
+          return;
+        }
+      } catch {
+        // Auto-assign failed — fall through to manual tenant creation
+      }
+
+      // 3. No auto-assignment — create tenant manually
+      if (!firmName) {
+        // Show firm name field if not yet visible
+        setShowFirmName(true);
+        setError("Bitte geben Sie einen Kanzleinamen ein");
+        setLoading(false);
+        return;
+      }
+
       try {
         await api.post("/tenants", { name: firmName });
       } catch (err: unknown) {
@@ -68,23 +100,27 @@ export default function RegisterPage() {
         </div>
 
         <form onSubmit={handleRegister} className="space-y-4">
-          <div>
+          {showFirmName && (
-            <label
+            <div>
-              htmlFor="firm"
+              <label
-              className="block text-sm font-medium text-neutral-700"
+                htmlFor="firm"
-            >
+                className="block text-sm font-medium text-neutral-700"
-              Kanzleiname
+              >
-            </label>
+                Kanzleiname
-            <input
+              </label>
-              id="firm"
+              <input
-              type="text"
+                id="firm"
-              value={firmName}
+                type="text"
-              onChange={(e) => setFirmName(e.target.value)}
+                value={firmName}
-              required
+                onChange={(e) => setFirmName(e.target.value)}
-              className="mt-1 block w-full rounded-md border border-neutral-300 px-3 py-2 text-sm placeholder-neutral-400 focus:border-neutral-900 focus:outline-none focus:ring-1 focus:ring-neutral-900"
+                className="mt-1 block w-full rounded-md border border-neutral-300 px-3 py-2 text-sm placeholder-neutral-400 focus:border-neutral-900 focus:outline-none focus:ring-1 focus:ring-neutral-900"
-              placeholder="Muster & Partner Rechtsanwaelte"
+                placeholder="Muster & Partner Rechtsanwaelte"
-            />
+              />
-          </div>
+              <p className="mt-1 text-xs text-neutral-400">
+                Leer lassen, falls Sie zu einer bestehenden Kanzlei eingeladen wurden
+              </p>
+            </div>
+          )}
 
           <div>
             <label

frontend/src/components/layout/DemoBanner.tsx

@@ -0,0 +1,17 @@
+"use client";
+
+import { usePermissions } from "@/lib/hooks/usePermissions";
+
+export function DemoBanner() {
+  const { isDemo, isLoading } = usePermissions();
+
+  if (isLoading || !isDemo) return null;
+
+  return (
+    <div className="flex items-center justify-center gap-2 bg-amber-50 border-b border-amber-200 px-4 py-2 text-sm text-amber-800">
+      <span className="font-medium">Demo-Modus</span>
+      <span className="text-amber-600">&mdash;</span>
+      <span>Keine echten Mandantendaten eingeben</span>
+    </div>
+  );
+}

frontend/src/lib/hooks/usePermissions.ts

@@ -25,5 +25,6 @@ export function usePermissions() {
     isLoading,
     userId: data?.user_id ?? null,
     tenantId: data?.tenant_id ?? null,
+    isDemo: data?.is_demo ?? false,
   };
 }

frontend/src/lib/types.ts

@@ -202,6 +202,7 @@ export interface UserInfo {
   tenant_id: string;
   role: UserRole;
   permissions: string[];
+  is_demo: boolean;
 }
 
 export type UserRole = "owner" | "partner" | "associate" | "paralegal" | "secretary";