feat: add CalDAV bidirectional sync service (Phase 3O)

Implements CalDAV sync using github.com/emersion/go-webdav:

- CalDAVService with background polling (configurable per-tenant interval)
- Push: deadlines -> VTODO, appointments -> VEVENT on create/update/delete
- Pull: periodic fetch from CalDAV, reconcile with local DB
- Conflict resolution: KanzlAI wins dates/status, CalDAV wins notes/description
- Conflicts logged as case_events with caldav_conflict type
- UID pattern: kanzlai-{deadline|appointment}-{uuid}@kanzlai.msbls.de
- CalDAV config per tenant in tenants.settings JSONB

Endpoints:
- POST /api/caldav/sync — trigger full sync for current tenant
- GET /api/caldav/status — last sync time, item counts, errors

8 unit tests for UID generation, parsing, path construction, config parsing.

backend/cmd/server/main.go

@@ -8,6 +8,7 @@ import (
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/config"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/db"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/router"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
 )
 
 func main() {
@@ -23,7 +24,13 @@ func main() {
 	defer database.Close()
 
 	authMW := auth.NewMiddleware(cfg.SupabaseJWTSecret, database)
-	handler := router.New(database, authMW, cfg)
+
+	// Start CalDAV sync service
+	calDAVSvc := services.NewCalDAVService(database)
+	calDAVSvc.Start()
+	defer calDAVSvc.Stop()
+
+	handler := router.New(database, authMW, cfg, calDAVSvc)
 
 	log.Printf("Starting KanzlAI API server on :%s", cfg.Port)
 	if err := http.ListenAndServe(":"+cfg.Port, handler); err != nil {

backend/go.mod

@@ -3,11 +3,17 @@ module mgit.msbls.de/m/KanzlAI-mGMT
 go 1.25.5
 
 require (
-	github.com/anthropics/anthropic-sdk-go v1.27.1 // indirect
-	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
-	github.com/google/uuid v1.6.0 // indirect
-	github.com/jmoiron/sqlx v1.4.0 // indirect
-	github.com/lib/pq v1.12.0 // indirect
+	github.com/anthropics/anthropic-sdk-go v1.27.1
+	github.com/emersion/go-ical v0.0.0-20250609112844-439c63cef608
+	github.com/emersion/go-webdav v0.7.0
+	github.com/golang-jwt/jwt/v5 v5.3.1
+	github.com/google/uuid v1.6.0
+	github.com/jmoiron/sqlx v1.4.0
+	github.com/lib/pq v1.12.0
+)
+
+require (
+	github.com/teambition/rrule-go v1.8.2 // indirect
 	github.com/tidwall/gjson v1.18.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect

backend/go.sum

@@ -1,6 +1,18 @@
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/anthropics/anthropic-sdk-go v1.27.1 h1:7DgMZ2Ng3C2mPzJGHA30NXQTZolcF07mHd0tGaLwfzk=
 github.com/anthropics/anthropic-sdk-go v1.27.1/go.mod h1:qUKmaW+uuPB64iy1l+4kOSvaLqPXnHTTBKH6RVZ7q5Q=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
+github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
+github.com/emersion/go-ical v0.0.0-20240127095438-fc1c9d8fb2b6/go.mod h1:BEksegNspIkjCQfmzWgsgbu6KdeJ/4LwUZs7DMBzjzw=
+github.com/emersion/go-ical v0.0.0-20250609112844-439c63cef608 h1:5XWaET4YAcppq3l1/Yh2ay5VmQjUdq6qhJuucdGbmOY=
+github.com/emersion/go-ical v0.0.0-20250609112844-439c63cef608/go.mod h1:BEksegNspIkjCQfmzWgsgbu6KdeJ/4LwUZs7DMBzjzw=
+github.com/emersion/go-vcard v0.0.0-20230815062825-8fda7d206ec9/go.mod h1:HMJKR5wlh/ziNp+sHEDV2ltblO4JD2+IdDOWtGcQBTM=
+github.com/emersion/go-webdav v0.7.0 h1:cp6aBWXBf8Sjzguka9VJarr4XTkGc2IHxXI1Gq3TKpA=
+github.com/emersion/go-webdav v0.7.0/go.mod h1:mI8iBx3RAODwX7PJJ7qzsKAKs/vY429YfS2/9wKnDbQ=
+github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
 github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
 github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
 github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
@@ -11,7 +23,14 @@ github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.12.0 h1:mC1zeiNamwKBecjHarAr26c/+d8V5w/u4J0I/yASbJo=
 github.com/lib/pq v1.12.0/go.mod h1:/p+8NSbOcwzAEI7wiMXFlgydTwcgTr3OSKMsD2BitpA=
+github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/teambition/rrule-go v1.8.2 h1:lIjpjvWTj9fFUZCmuoVDrKVOtdiyzbzc93qTmRVe/J8=
+github.com/teambition/rrule-go v1.8.2/go.mod h1:Ieq5AbrKGciP1V//Wq8ktsTXwSwJHDD5mD/wLBGl3p4=
 github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
 github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
@@ -24,3 +43,7 @@ github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
 github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
 golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
 golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

backend/internal/handlers/caldav.go

@@ -0,0 +1,68 @@
+package handlers
+
+import (
+	"net/http"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+)
+
+// CalDAVHandler handles CalDAV sync HTTP endpoints.
+type CalDAVHandler struct {
+	svc *services.CalDAVService
+}
+
+// NewCalDAVHandler creates a new CalDAV handler.
+func NewCalDAVHandler(svc *services.CalDAVService) *CalDAVHandler {
+	return &CalDAVHandler{svc: svc}
+}
+
+// TriggerSync handles POST /api/caldav/sync — triggers a full sync for the current tenant.
+func (h *CalDAVHandler) TriggerSync(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "no tenant context")
+		return
+	}
+
+	cfg, err := h.svc.LoadTenantConfig(tenantID)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	status, err := h.svc.SyncTenant(r.Context(), tenantID, *cfg)
+	if err != nil {
+		// Still return the status — it contains partial results + error info
+		writeJSON(w, http.StatusOK, map[string]any{
+			"status": "completed_with_errors",
+			"sync":   status,
+		})
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{
+		"status": "ok",
+		"sync":   status,
+	})
+}
+
+// GetStatus handles GET /api/caldav/status — returns last sync status.
+func (h *CalDAVHandler) GetStatus(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "no tenant context")
+		return
+	}
+
+	status := h.svc.GetStatus(tenantID)
+	if status == nil {
+		writeJSON(w, http.StatusOK, map[string]any{
+			"status":       "no_sync_yet",
+			"last_sync_at": nil,
+		})
+		return
+	}
+
+	writeJSON(w, http.StatusOK, status)
+}

backend/internal/router/router.go

@@ -12,7 +12,7 @@ import (
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
 )
 
-func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config) http.Handler {
+func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *services.CalDAVService) http.Handler {
 	mux := http.NewServeMux()
 
 	// Services
@@ -118,6 +118,13 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config) http.Handler
 		scoped.HandleFunc("POST /api/ai/summarize-case", aiH.SummarizeCase)
 	}
 
+	// CalDAV sync endpoints
+	if calDAVSvc != nil {
+		calDAVH := handlers.NewCalDAVHandler(calDAVSvc)
+		scoped.HandleFunc("POST /api/caldav/sync", calDAVH.TriggerSync)
+		scoped.HandleFunc("GET /api/caldav/status", calDAVH.GetStatus)
+	}
+
 	// Wire: auth -> tenant routes go directly, scoped routes get tenant resolver
 	api.Handle("/api/", tenantResolver.Resolve(scoped))
 

backend/internal/services/caldav_service.go

@@ -0,0 +1,687 @@
+package services
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/emersion/go-ical"
+	"github.com/emersion/go-webdav"
+	"github.com/emersion/go-webdav/caldav"
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
+)
+
+const (
+	calDAVDomain   = "kanzlai.msbls.de"
+	calDAVProdID   = "-//KanzlAI//KanzlAI-mGMT//EN"
+	defaultSyncMin = 15
+)
+
+// CalDAVConfig holds per-tenant CalDAV configuration from tenants.settings.
+type CalDAVConfig struct {
+	URL                 string `json:"url"`
+	Username            string `json:"username"`
+	Password            string `json:"password"`
+	CalendarPath        string `json:"calendar_path"`
+	SyncEnabled         bool   `json:"sync_enabled"`
+	SyncIntervalMinutes int    `json:"sync_interval_minutes"`
+}
+
+// SyncStatus holds the last sync result for a tenant.
+type SyncStatus struct {
+	TenantID     uuid.UUID `json:"tenant_id"`
+	LastSyncAt   time.Time `json:"last_sync_at"`
+	ItemsPushed  int       `json:"items_pushed"`
+	ItemsPulled  int       `json:"items_pulled"`
+	Errors       []string  `json:"errors,omitempty"`
+	SyncDuration string    `json:"sync_duration"`
+}
+
+// CalDAVService handles bidirectional CalDAV synchronization.
+type CalDAVService struct {
+	db *sqlx.DB
+
+	mu       sync.RWMutex
+	statuses map[uuid.UUID]*SyncStatus // per-tenant sync status
+
+	stopCh chan struct{}
+	wg     sync.WaitGroup
+}
+
+// NewCalDAVService creates a new CalDAV sync service.
+func NewCalDAVService(db *sqlx.DB) *CalDAVService {
+	return &CalDAVService{
+		db:       db,
+		statuses: make(map[uuid.UUID]*SyncStatus),
+		stopCh:   make(chan struct{}),
+	}
+}
+
+// GetStatus returns the last sync status for a tenant.
+func (s *CalDAVService) GetStatus(tenantID uuid.UUID) *SyncStatus {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	return s.statuses[tenantID]
+}
+
+// setStatus stores the sync status for a tenant.
+func (s *CalDAVService) setStatus(status *SyncStatus) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.statuses[status.TenantID] = status
+}
+
+// Start begins the background sync goroutine that polls per-tenant.
+func (s *CalDAVService) Start() {
+	s.wg.Go(func() {
+		s.backgroundLoop()
+	})
+	log.Println("CalDAV sync service started")
+}
+
+// Stop gracefully stops the background sync.
+func (s *CalDAVService) Stop() {
+	close(s.stopCh)
+	s.wg.Wait()
+	log.Println("CalDAV sync service stopped")
+}
+
+// backgroundLoop polls tenants at their configured interval.
+func (s *CalDAVService) backgroundLoop() {
+	// Check every minute, but only sync tenants whose interval has elapsed.
+	ticker := time.NewTicker(1 * time.Minute)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-s.stopCh:
+			return
+		case <-ticker.C:
+			s.syncAllTenants()
+		}
+	}
+}
+
+// syncAllTenants checks all tenants and syncs those due for a sync.
+func (s *CalDAVService) syncAllTenants() {
+	configs, err := s.loadAllTenantConfigs()
+	if err != nil {
+		log.Printf("CalDAV: failed to load tenant configs: %v", err)
+		return
+	}
+
+	for tenantID, cfg := range configs {
+		if !cfg.SyncEnabled {
+			continue
+		}
+
+		interval := cfg.SyncIntervalMinutes
+		if interval <= 0 {
+			interval = defaultSyncMin
+		}
+
+		// Check if enough time has passed since last sync
+		status := s.GetStatus(tenantID)
+		if status != nil && time.Since(status.LastSyncAt) < time.Duration(interval)*time.Minute {
+			continue
+		}
+
+		go func(tid uuid.UUID, c CalDAVConfig) {
+			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+			defer cancel()
+			if _, err := s.SyncTenant(ctx, tid, c); err != nil {
+				log.Printf("CalDAV: sync failed for tenant %s: %v", tid, err)
+			}
+		}(tenantID, cfg)
+	}
+}
+
+// loadAllTenantConfigs reads CalDAV configs from all tenants.
+func (s *CalDAVService) loadAllTenantConfigs() (map[uuid.UUID]CalDAVConfig, error) {
+	type row struct {
+		ID       uuid.UUID       `db:"id"`
+		Settings json.RawMessage `db:"settings"`
+	}
+	var rows []row
+	if err := s.db.Select(&rows, "SELECT id, settings FROM tenants"); err != nil {
+		return nil, fmt.Errorf("querying tenants: %w", err)
+	}
+
+	result := make(map[uuid.UUID]CalDAVConfig)
+	for _, r := range rows {
+		cfg, err := parseCalDAVConfig(r.Settings)
+		if err != nil || cfg.URL == "" {
+			continue
+		}
+		result[r.ID] = cfg
+	}
+	return result, nil
+}
+
+// LoadTenantConfig reads CalDAV config for a single tenant.
+func (s *CalDAVService) LoadTenantConfig(tenantID uuid.UUID) (*CalDAVConfig, error) {
+	var settings json.RawMessage
+	if err := s.db.Get(&settings, "SELECT settings FROM tenants WHERE id = $1", tenantID); err != nil {
+		return nil, fmt.Errorf("loading tenant settings: %w", err)
+	}
+	cfg, err := parseCalDAVConfig(settings)
+	if err != nil {
+		return nil, err
+	}
+	if cfg.URL == "" {
+		return nil, fmt.Errorf("no CalDAV configuration for tenant")
+	}
+	return &cfg, nil
+}
+
+func parseCalDAVConfig(settings json.RawMessage) (CalDAVConfig, error) {
+	if len(settings) == 0 {
+		return CalDAVConfig{}, nil
+	}
+	var wrapper struct {
+		CalDAV CalDAVConfig `json:"caldav"`
+	}
+	if err := json.Unmarshal(settings, &wrapper); err != nil {
+		return CalDAVConfig{}, fmt.Errorf("parsing CalDAV settings: %w", err)
+	}
+	return wrapper.CalDAV, nil
+}
+
+// newCalDAVClient creates a caldav.Client from config.
+func newCalDAVClient(cfg CalDAVConfig) (*caldav.Client, error) {
+	httpClient := webdav.HTTPClientWithBasicAuth(nil, cfg.Username, cfg.Password)
+	return caldav.NewClient(httpClient, cfg.URL)
+}
+
+// SyncTenant performs a full bidirectional sync for a tenant.
+func (s *CalDAVService) SyncTenant(ctx context.Context, tenantID uuid.UUID, cfg CalDAVConfig) (*SyncStatus, error) {
+	start := time.Now()
+	status := &SyncStatus{
+		TenantID: tenantID,
+	}
+
+	client, err := newCalDAVClient(cfg)
+	if err != nil {
+		status.Errors = append(status.Errors, fmt.Sprintf("creating client: %v", err))
+		status.LastSyncAt = time.Now()
+		s.setStatus(status)
+		return status, err
+	}
+
+	// Push local changes to CalDAV
+	pushed, pushErrs := s.pushAll(ctx, client, tenantID, cfg)
+	status.ItemsPushed = pushed
+	status.Errors = append(status.Errors, pushErrs...)
+
+	// Pull remote changes from CalDAV
+	pulled, pullErrs := s.pullAll(ctx, client, tenantID, cfg)
+	status.ItemsPulled = pulled
+	status.Errors = append(status.Errors, pullErrs...)
+
+	status.LastSyncAt = time.Now()
+	status.SyncDuration = time.Since(start).String()
+	s.setStatus(status)
+
+	if len(status.Errors) > 0 {
+		return status, fmt.Errorf("sync completed with %d errors", len(status.Errors))
+	}
+	return status, nil
+}
+
+// --- Push: Local -> CalDAV ---
+
+// pushAll pushes all deadlines and appointments to CalDAV.
+func (s *CalDAVService) pushAll(ctx context.Context, client *caldav.Client, tenantID uuid.UUID, cfg CalDAVConfig) (int, []string) {
+	var pushed int
+	var errs []string
+
+	// Push deadlines as VTODO
+	deadlines, err := s.loadDeadlines(tenantID)
+	if err != nil {
+		return 0, []string{fmt.Sprintf("loading deadlines: %v", err)}
+	}
+	for _, d := range deadlines {
+		if err := s.pushDeadline(ctx, client, cfg, &d); err != nil {
+			errs = append(errs, fmt.Sprintf("push deadline %s: %v", d.ID, err))
+		} else {
+			pushed++
+		}
+	}
+
+	// Push appointments as VEVENT
+	appointments, err := s.loadAppointments(ctx, tenantID)
+	if err != nil {
+		errs = append(errs, fmt.Sprintf("loading appointments: %v", err))
+		return pushed, errs
+	}
+	for _, a := range appointments {
+		if err := s.pushAppointment(ctx, client, cfg, &a); err != nil {
+			errs = append(errs, fmt.Sprintf("push appointment %s: %v", a.ID, err))
+		} else {
+			pushed++
+		}
+	}
+
+	return pushed, errs
+}
+
+// PushDeadline pushes a single deadline to CalDAV (called on create/update).
+func (s *CalDAVService) PushDeadline(ctx context.Context, tenantID uuid.UUID, deadline *models.Deadline) error {
+	cfg, err := s.LoadTenantConfig(tenantID)
+	if err != nil || !cfg.SyncEnabled {
+		return nil // CalDAV not configured or disabled — silently skip
+	}
+	client, err := newCalDAVClient(*cfg)
+	if err != nil {
+		return fmt.Errorf("creating CalDAV client: %w", err)
+	}
+	return s.pushDeadline(ctx, client, *cfg, deadline)
+}
+
+func (s *CalDAVService) pushDeadline(ctx context.Context, client *caldav.Client, cfg CalDAVConfig, d *models.Deadline) error {
+	uid := deadlineUID(d.ID)
+
+	cal := ical.NewCalendar()
+	cal.Props.SetText(ical.PropProductID, calDAVProdID)
+	cal.Props.SetText(ical.PropVersion, "2.0")
+
+	todo := ical.NewComponent(ical.CompToDo)
+	todo.Props.SetText(ical.PropUID, uid)
+	todo.Props.SetText(ical.PropSummary, d.Title)
+	todo.Props.SetDateTime(ical.PropDateTimeStamp, time.Now().UTC())
+
+	if d.Description != nil {
+		todo.Props.SetText(ical.PropDescription, *d.Description)
+	}
+	if d.Notes != nil {
+		desc := ""
+		if d.Description != nil {
+			desc = *d.Description + "\n\n"
+		}
+		todo.Props.SetText(ical.PropDescription, desc+*d.Notes)
+	}
+
+	// Parse due_date (stored as string "YYYY-MM-DD")
+	if due, err := time.Parse("2006-01-02", d.DueDate); err == nil {
+		todo.Props.SetDate(ical.PropDue, due)
+	}
+
+	// Map status
+	switch d.Status {
+	case "completed":
+		todo.Props.SetText(ical.PropStatus, "COMPLETED")
+		if d.CompletedAt != nil {
+			todo.Props.SetDateTime(ical.PropCompleted, d.CompletedAt.UTC())
+		}
+	case "pending":
+		todo.Props.SetText(ical.PropStatus, "NEEDS-ACTION")
+	default:
+		todo.Props.SetText(ical.PropStatus, "IN-PROCESS")
+	}
+
+	cal.Children = append(cal.Children, todo)
+
+	path := calendarObjectPath(cfg.CalendarPath, uid)
+	obj, err := client.PutCalendarObject(ctx, path, cal)
+	if err != nil {
+		return fmt.Errorf("putting VTODO: %w", err)
+	}
+
+	// Update caldav_uid and etag in DB
+	return s.updateDeadlineCalDAV(d.ID, uid, obj.ETag)
+}
+
+// PushAppointment pushes a single appointment to CalDAV (called on create/update).
+func (s *CalDAVService) PushAppointment(ctx context.Context, tenantID uuid.UUID, appointment *models.Appointment) error {
+	cfg, err := s.LoadTenantConfig(tenantID)
+	if err != nil || !cfg.SyncEnabled {
+		return nil
+	}
+	client, err := newCalDAVClient(*cfg)
+	if err != nil {
+		return fmt.Errorf("creating CalDAV client: %w", err)
+	}
+	return s.pushAppointment(ctx, client, *cfg, appointment)
+}
+
+func (s *CalDAVService) pushAppointment(ctx context.Context, client *caldav.Client, cfg CalDAVConfig, a *models.Appointment) error {
+	uid := appointmentUID(a.ID)
+
+	cal := ical.NewCalendar()
+	cal.Props.SetText(ical.PropProductID, calDAVProdID)
+	cal.Props.SetText(ical.PropVersion, "2.0")
+
+	event := ical.NewEvent()
+	event.Props.SetText(ical.PropUID, uid)
+	event.Props.SetText(ical.PropSummary, a.Title)
+	event.Props.SetDateTime(ical.PropDateTimeStamp, time.Now().UTC())
+	event.Props.SetDateTime(ical.PropDateTimeStart, a.StartAt.UTC())
+
+	if a.EndAt != nil {
+		event.Props.SetDateTime(ical.PropDateTimeEnd, a.EndAt.UTC())
+	}
+	if a.Description != nil {
+		event.Props.SetText(ical.PropDescription, *a.Description)
+	}
+	if a.Location != nil {
+		event.Props.SetText(ical.PropLocation, *a.Location)
+	}
+
+	cal.Children = append(cal.Children, event.Component)
+
+	path := calendarObjectPath(cfg.CalendarPath, uid)
+	obj, err := client.PutCalendarObject(ctx, path, cal)
+	if err != nil {
+		return fmt.Errorf("putting VEVENT: %w", err)
+	}
+
+	return s.updateAppointmentCalDAV(a.ID, uid, obj.ETag)
+}
+
+// DeleteDeadlineCalDAV removes a deadline's VTODO from CalDAV.
+func (s *CalDAVService) DeleteDeadlineCalDAV(ctx context.Context, tenantID uuid.UUID, deadline *models.Deadline) error {
+	if deadline.CalDAVUID == nil || *deadline.CalDAVUID == "" {
+		return nil
+	}
+	cfg, err := s.LoadTenantConfig(tenantID)
+	if err != nil || !cfg.SyncEnabled {
+		return nil
+	}
+	client, err := newCalDAVClient(*cfg)
+	if err != nil {
+		return fmt.Errorf("creating CalDAV client: %w", err)
+	}
+	path := calendarObjectPath(cfg.CalendarPath, *deadline.CalDAVUID)
+	return client.RemoveAll(ctx, path)
+}
+
+// DeleteAppointmentCalDAV removes an appointment's VEVENT from CalDAV.
+func (s *CalDAVService) DeleteAppointmentCalDAV(ctx context.Context, tenantID uuid.UUID, appointment *models.Appointment) error {
+	if appointment.CalDAVUID == nil || *appointment.CalDAVUID == "" {
+		return nil
+	}
+	cfg, err := s.LoadTenantConfig(tenantID)
+	if err != nil || !cfg.SyncEnabled {
+		return nil
+	}
+	client, err := newCalDAVClient(*cfg)
+	if err != nil {
+		return fmt.Errorf("creating CalDAV client: %w", err)
+	}
+	path := calendarObjectPath(cfg.CalendarPath, *appointment.CalDAVUID)
+	return client.RemoveAll(ctx, path)
+}
+
+// --- Pull: CalDAV -> Local ---
+
+// pullAll fetches all calendar objects from CalDAV and reconciles with local DB.
+func (s *CalDAVService) pullAll(ctx context.Context, client *caldav.Client, tenantID uuid.UUID, cfg CalDAVConfig) (int, []string) {
+	var pulled int
+	var errs []string
+
+	query := &caldav.CalendarQuery{
+		CompFilter: caldav.CompFilter{
+			Name: ical.CompCalendar,
+		},
+	}
+
+	objects, err := client.QueryCalendar(ctx, cfg.CalendarPath, query)
+	if err != nil {
+		return 0, []string{fmt.Sprintf("querying calendar: %v", err)}
+	}
+
+	for _, obj := range objects {
+		if obj.Data == nil {
+			continue
+		}
+
+		for _, child := range obj.Data.Children {
+			switch child.Name {
+			case ical.CompToDo:
+				uid, _ := child.Props.Text(ical.PropUID)
+				if uid == "" || !isKanzlAIUID(uid, "deadline") {
+					continue
+				}
+				if err := s.reconcileDeadline(ctx, tenantID, child, obj.ETag); err != nil {
+					errs = append(errs, fmt.Sprintf("reconcile deadline %s: %v", uid, err))
+				} else {
+					pulled++
+				}
+			case ical.CompEvent:
+				uid, _ := child.Props.Text(ical.PropUID)
+				if uid == "" || !isKanzlAIUID(uid, "appointment") {
+					continue
+				}
+				if err := s.reconcileAppointment(ctx, tenantID, child, obj.ETag); err != nil {
+					errs = append(errs, fmt.Sprintf("reconcile appointment %s: %v", uid, err))
+				} else {
+					pulled++
+				}
+			}
+		}
+	}
+
+	return pulled, errs
+}
+
+// reconcileDeadline handles conflict resolution for a pulled VTODO.
+// KanzlAI wins for dates/status, CalDAV wins for notes/description.
+func (s *CalDAVService) reconcileDeadline(ctx context.Context, tenantID uuid.UUID, comp *ical.Component, remoteEtag string) error {
+	uid, _ := comp.Props.Text(ical.PropUID)
+	deadlineID := extractIDFromUID(uid, "deadline")
+	if deadlineID == uuid.Nil {
+		return fmt.Errorf("invalid UID: %s", uid)
+	}
+
+	// Load existing deadline
+	var d models.Deadline
+	err := s.db.Get(&d, `SELECT id, tenant_id, case_id, title, description, due_date, original_due_date,
+		warning_date, source, rule_id, status, completed_at,
+		caldav_uid, caldav_etag, notes, created_at, updated_at
+		FROM deadlines WHERE id = $1 AND tenant_id = $2`, deadlineID, tenantID)
+	if err != nil {
+		return fmt.Errorf("loading deadline: %w", err)
+	}
+
+	// Check if remote changed (etag mismatch)
+	if d.CalDAVEtag != nil && *d.CalDAVEtag == remoteEtag {
+		return nil // No change
+	}
+
+	// CalDAV wins for description/notes
+	description, _ := comp.Props.Text(ical.PropDescription)
+	hasConflict := false
+
+	if description != "" {
+		existingDesc := ""
+		if d.Description != nil {
+			existingDesc = *d.Description
+		}
+		existingNotes := ""
+		if d.Notes != nil {
+			existingNotes = *d.Notes
+		}
+		// CalDAV wins for notes/description
+		if description != existingDesc && description != existingNotes {
+			hasConflict = true
+			_, err = s.db.Exec(`UPDATE deadlines SET notes = $1, caldav_etag = $2, updated_at = NOW()
+				WHERE id = $3 AND tenant_id = $4`, description, remoteEtag, deadlineID, tenantID)
+			if err != nil {
+				return fmt.Errorf("updating deadline notes: %w", err)
+			}
+		}
+	}
+
+	if !hasConflict {
+		// Just update etag
+		_, err = s.db.Exec(`UPDATE deadlines SET caldav_etag = $1, updated_at = NOW()
+			WHERE id = $2 AND tenant_id = $3`, remoteEtag, deadlineID, tenantID)
+		if err != nil {
+			return fmt.Errorf("updating deadline etag: %w", err)
+		}
+	}
+
+	// Log conflict in case_events if detected
+	if hasConflict {
+		s.logConflictEvent(ctx, tenantID, d.CaseID, "deadline", deadlineID, "CalDAV description updated from remote")
+	}
+
+	return nil
+}
+
+// reconcileAppointment handles conflict resolution for a pulled VEVENT.
+func (s *CalDAVService) reconcileAppointment(ctx context.Context, tenantID uuid.UUID, comp *ical.Component, remoteEtag string) error {
+	uid, _ := comp.Props.Text(ical.PropUID)
+	appointmentID := extractIDFromUID(uid, "appointment")
+	if appointmentID == uuid.Nil {
+		return fmt.Errorf("invalid UID: %s", uid)
+	}
+
+	var a models.Appointment
+	err := s.db.GetContext(ctx, &a, `SELECT * FROM appointments WHERE id = $1 AND tenant_id = $2`, appointmentID, tenantID)
+	if err != nil {
+		return fmt.Errorf("loading appointment: %w", err)
+	}
+
+	if a.CalDAVEtag != nil && *a.CalDAVEtag == remoteEtag {
+		return nil
+	}
+
+	// CalDAV wins for description
+	description, _ := comp.Props.Text(ical.PropDescription)
+	location, _ := comp.Props.Text(ical.PropLocation)
+	hasConflict := false
+
+	updates := []string{"caldav_etag = $1", "updated_at = NOW()"}
+	args := []any{remoteEtag}
+	argN := 2
+
+	if description != "" {
+		existingDesc := ""
+		if a.Description != nil {
+			existingDesc = *a.Description
+		}
+		if description != existingDesc {
+			hasConflict = true
+			updates = append(updates, fmt.Sprintf("description = $%d", argN))
+			args = append(args, description)
+			argN++
+		}
+	}
+	if location != "" {
+		existingLoc := ""
+		if a.Location != nil {
+			existingLoc = *a.Location
+		}
+		if location != existingLoc {
+			hasConflict = true
+			updates = append(updates, fmt.Sprintf("location = $%d", argN))
+			args = append(args, location)
+			argN++
+		}
+	}
+
+	args = append(args, appointmentID, tenantID)
+	query := fmt.Sprintf("UPDATE appointments SET %s WHERE id = $%d AND tenant_id = $%d",
+		strings.Join(updates, ", "), argN, argN+1)
+
+	if _, err := s.db.ExecContext(ctx, query, args...); err != nil {
+		return fmt.Errorf("updating appointment: %w", err)
+	}
+
+	if hasConflict {
+		caseID := uuid.Nil
+		if a.CaseID != nil {
+			caseID = *a.CaseID
+		}
+		s.logConflictEvent(ctx, tenantID, caseID, "appointment", appointmentID, "CalDAV description/location updated from remote")
+	}
+
+	return nil
+}
+
+// --- DB helpers ---
+
+func (s *CalDAVService) loadDeadlines(tenantID uuid.UUID) ([]models.Deadline, error) {
+	var deadlines []models.Deadline
+	err := s.db.Select(&deadlines, `SELECT id, tenant_id, case_id, title, description, due_date,
+		original_due_date, warning_date, source, rule_id, status, completed_at,
+		caldav_uid, caldav_etag, notes, created_at, updated_at
+		FROM deadlines WHERE tenant_id = $1`, tenantID)
+	return deadlines, err
+}
+
+func (s *CalDAVService) loadAppointments(ctx context.Context, tenantID uuid.UUID) ([]models.Appointment, error) {
+	var appointments []models.Appointment
+	err := s.db.SelectContext(ctx, &appointments, "SELECT * FROM appointments WHERE tenant_id = $1", tenantID)
+	return appointments, err
+}
+
+func (s *CalDAVService) updateDeadlineCalDAV(id uuid.UUID, calDAVUID, etag string) error {
+	_, err := s.db.Exec(`UPDATE deadlines SET caldav_uid = $1, caldav_etag = $2, updated_at = NOW()
+		WHERE id = $3`, calDAVUID, etag, id)
+	return err
+}
+
+func (s *CalDAVService) updateAppointmentCalDAV(id uuid.UUID, calDAVUID, etag string) error {
+	_, err := s.db.Exec(`UPDATE appointments SET caldav_uid = $1, caldav_etag = $2, updated_at = NOW()
+		WHERE id = $3`, calDAVUID, etag, id)
+	return err
+}
+
+func (s *CalDAVService) logConflictEvent(ctx context.Context, tenantID, caseID uuid.UUID, objectType string, objectID uuid.UUID, msg string) {
+	if caseID == uuid.Nil {
+		return
+	}
+	metadata, _ := json.Marshal(map[string]string{
+		"object_type": objectType,
+		"object_id":   objectID.String(),
+		"source":      "caldav_sync",
+	})
+	_, err := s.db.ExecContext(ctx, `INSERT INTO case_events (id, tenant_id, case_id, event_type, title, description, metadata, created_at, updated_at)
+		VALUES ($1, $2, $3, 'caldav_conflict', $4, $5, $6, NOW(), NOW())`,
+		uuid.New(), tenantID, caseID, "CalDAV sync conflict", msg, metadata)
+	if err != nil {
+		log.Printf("CalDAV: failed to log conflict event: %v", err)
+	}
+}
+
+// --- UID helpers ---
+
+func deadlineUID(id uuid.UUID) string {
+	return fmt.Sprintf("kanzlai-deadline-%s@%s", id, calDAVDomain)
+}
+
+func appointmentUID(id uuid.UUID) string {
+	return fmt.Sprintf("kanzlai-appointment-%s@%s", id, calDAVDomain)
+}
+
+func isKanzlAIUID(uid, objectType string) bool {
+	return strings.HasPrefix(uid, "kanzlai-"+objectType+"-") && strings.HasSuffix(uid, "@"+calDAVDomain)
+}
+
+func extractIDFromUID(uid, objectType string) uuid.UUID {
+	prefix := "kanzlai-" + objectType + "-"
+	suffix := "@" + calDAVDomain
+	if !strings.HasPrefix(uid, prefix) || !strings.HasSuffix(uid, suffix) {
+		return uuid.Nil
+	}
+	idStr := uid[len(prefix) : len(uid)-len(suffix)]
+	id, err := uuid.Parse(idStr)
+	if err != nil {
+		return uuid.Nil
+	}
+	return id
+}
+
+func calendarObjectPath(calendarPath, uid string) string {
+	path := strings.TrimSuffix(calendarPath, "/")
+	return path + "/" + uid + ".ics"
+}

backend/internal/services/caldav_service_test.go

@@ -0,0 +1,124 @@
+package services
+
+import (
+	"testing"
+
+	"github.com/google/uuid"
+)
+
+func TestDeadlineUID(t *testing.T) {
+	id := uuid.MustParse("550e8400-e29b-41d4-a716-446655440000")
+	uid := deadlineUID(id)
+	want := "kanzlai-deadline-550e8400-e29b-41d4-a716-446655440000@kanzlai.msbls.de"
+	if uid != want {
+		t.Errorf("deadlineUID = %q, want %q", uid, want)
+	}
+}
+
+func TestAppointmentUID(t *testing.T) {
+	id := uuid.MustParse("550e8400-e29b-41d4-a716-446655440000")
+	uid := appointmentUID(id)
+	want := "kanzlai-appointment-550e8400-e29b-41d4-a716-446655440000@kanzlai.msbls.de"
+	if uid != want {
+		t.Errorf("appointmentUID = %q, want %q", uid, want)
+	}
+}
+
+func TestIsKanzlAIUID(t *testing.T) {
+	tests := []struct {
+		uid        string
+		objectType string
+		want       bool
+	}{
+		{"kanzlai-deadline-550e8400-e29b-41d4-a716-446655440000@kanzlai.msbls.de", "deadline", true},
+		{"kanzlai-appointment-550e8400-e29b-41d4-a716-446655440000@kanzlai.msbls.de", "appointment", true},
+		{"kanzlai-deadline-550e8400-e29b-41d4-a716-446655440000@kanzlai.msbls.de", "appointment", false},
+		{"random-uid@other.com", "deadline", false},
+		{"", "deadline", false},
+	}
+	for _, tt := range tests {
+		got := isKanzlAIUID(tt.uid, tt.objectType)
+		if got != tt.want {
+			t.Errorf("isKanzlAIUID(%q, %q) = %v, want %v", tt.uid, tt.objectType, got, tt.want)
+		}
+	}
+}
+
+func TestExtractIDFromUID(t *testing.T) {
+	id := uuid.MustParse("550e8400-e29b-41d4-a716-446655440000")
+
+	tests := []struct {
+		uid        string
+		objectType string
+		want       uuid.UUID
+	}{
+		{"kanzlai-deadline-550e8400-e29b-41d4-a716-446655440000@kanzlai.msbls.de", "deadline", id},
+		{"kanzlai-appointment-550e8400-e29b-41d4-a716-446655440000@kanzlai.msbls.de", "appointment", id},
+		{"invalid-uid", "deadline", uuid.Nil},
+		{"kanzlai-deadline-not-a-uuid@kanzlai.msbls.de", "deadline", uuid.Nil},
+	}
+	for _, tt := range tests {
+		got := extractIDFromUID(tt.uid, tt.objectType)
+		if got != tt.want {
+			t.Errorf("extractIDFromUID(%q, %q) = %v, want %v", tt.uid, tt.objectType, got, tt.want)
+		}
+	}
+}
+
+func TestCalendarObjectPath(t *testing.T) {
+	tests := []struct {
+		calendarPath string
+		uid          string
+		want         string
+	}{
+		{"/dav/calendars/user/cal", "kanzlai-deadline-abc@kanzlai.msbls.de", "/dav/calendars/user/cal/kanzlai-deadline-abc@kanzlai.msbls.de.ics"},
+		{"/dav/calendars/user/cal/", "kanzlai-deadline-abc@kanzlai.msbls.de", "/dav/calendars/user/cal/kanzlai-deadline-abc@kanzlai.msbls.de.ics"},
+	}
+	for _, tt := range tests {
+		got := calendarObjectPath(tt.calendarPath, tt.uid)
+		if got != tt.want {
+			t.Errorf("calendarObjectPath(%q, %q) = %q, want %q", tt.calendarPath, tt.uid, got, tt.want)
+		}
+	}
+}
+
+func TestParseCalDAVConfig(t *testing.T) {
+	settings := []byte(`{"caldav": {"url": "https://dav.example.com", "username": "user", "password": "pass", "calendar_path": "/cal", "sync_enabled": true, "sync_interval_minutes": 30}}`)
+	cfg, err := parseCalDAVConfig(settings)
+	if err != nil {
+		t.Fatalf("parseCalDAVConfig: %v", err)
+	}
+	if cfg.URL != "https://dav.example.com" {
+		t.Errorf("URL = %q, want %q", cfg.URL, "https://dav.example.com")
+	}
+	if cfg.Username != "user" {
+		t.Errorf("Username = %q, want %q", cfg.Username, "user")
+	}
+	if cfg.SyncIntervalMinutes != 30 {
+		t.Errorf("SyncIntervalMinutes = %d, want 30", cfg.SyncIntervalMinutes)
+	}
+	if !cfg.SyncEnabled {
+		t.Error("SyncEnabled = false, want true")
+	}
+}
+
+func TestParseCalDAVConfig_Empty(t *testing.T) {
+	cfg, err := parseCalDAVConfig(nil)
+	if err != nil {
+		t.Fatalf("parseCalDAVConfig(nil): %v", err)
+	}
+	if cfg.URL != "" {
+		t.Errorf("expected empty config, got URL=%q", cfg.URL)
+	}
+}
+
+func TestParseCalDAVConfig_NoCalDAV(t *testing.T) {
+	settings := []byte(`{"other_setting": true}`)
+	cfg, err := parseCalDAVConfig(settings)
+	if err != nil {
+		t.Fatalf("parseCalDAVConfig: %v", err)
+	}
+	if cfg.URL != "" {
+		t.Errorf("expected empty caldav config, got URL=%q", cfg.URL)
+	}
+}