feat: UPC deadline determination — event-driven model with proceeding timeline

Full event-driven deadline determination system ported from youpc.org:

Backend:
- DetermineService: walks proceeding event tree, calculates cascading
  dates with holiday adjustment and conditional logic
- GET /api/proceeding-types/{code}/timeline — full event tree structure
- POST /api/deadlines/determine — calculate timeline with conditions
- POST /api/cases/{caseID}/deadlines/batch — batch-create deadlines
- DeadlineRule model: added is_spawn, spawn_label fields
- GetFullTimeline: recursive CTE following cross-type spawn branches
- Conditional deadlines: condition_rule_id toggles alt_duration/rule_code
  (e.g. Reply changes from RoP.029b to RoP.029a when CCR is filed)
- Seed SQL with full UPC event trees (INF, REV, CCR, APM, APP, AMD)

Frontend:
- DeadlineWizard: interactive proceeding timeline with step-by-step flow
  1. Select proceeding type (visual cards)
  2. Enter trigger event date
  3. Toggle conditional branches (CCR, Appeal, Amend)
  4. See full calculated timeline with color-coded urgency
  5. Batch-create all deadlines on a selected case
- Visual timeline tree with party icons, rule codes, duration badges
- Kept existing DeadlineCalculator as "Schnell" quick mode

Also resolved merge conflicts across 6 files (auth, router, handlers)
merging role-based permissions + audit trail features.

backend/internal/router/router.go

@@ -28,15 +28,10 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	deadlineSvc := services.NewDeadlineService(db, auditSvc)
 	deadlineRuleSvc := services.NewDeadlineRuleService(db)
 	calculator := services.NewDeadlineCalculator(holidaySvc)
+	determineSvc := services.NewDetermineService(db, calculator)
 	storageCli := services.NewStorageClient(cfg.SupabaseURL, cfg.SupabaseServiceKey)
-<<<<<<< HEAD
 	documentSvc := services.NewDocumentService(db, storageCli, auditSvc)
-||||||| 82878df
-	documentSvc := services.NewDocumentService(db, storageCli)
-=======
-	documentSvc := services.NewDocumentService(db, storageCli)
 	assignmentSvc := services.NewCaseAssignmentService(db)
->>>>>>> mai/pike/p0-role-based
 
 	// AI service (optional — only if API key is configured)
 	var aiH *handlers.AIHandler
@@ -66,6 +61,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	deadlineH := handlers.NewDeadlineHandlers(deadlineSvc)
 	ruleH := handlers.NewDeadlineRuleHandlers(deadlineRuleSvc)
 	calcH := handlers.NewCalculateHandlers(calculator, deadlineRuleSvc)
+	determineH := handlers.NewDetermineHandlers(determineSvc, deadlineSvc)
 	dashboardH := handlers.NewDashboardHandler(dashboardSvc)
 	noteH := handlers.NewNoteHandler(noteSvc)
 	eventH := handlers.NewCaseEventHandler(db)
@@ -112,7 +108,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	scoped.HandleFunc("GET /api/cases", caseH.List)
 	scoped.HandleFunc("POST /api/cases", perm(auth.PermCreateCase, caseH.Create))
 	scoped.HandleFunc("GET /api/cases/{id}", caseH.Get)
-	scoped.HandleFunc("PUT /api/cases/{id}", caseH.Update)    // case-level access checked in handler
+	scoped.HandleFunc("PUT /api/cases/{id}", caseH.Update)
 	scoped.HandleFunc("DELETE /api/cases/{id}", perm(auth.PermCreateCase, caseH.Delete))
 
 	// Parties — same access as case editing
@@ -138,6 +134,11 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	// Deadline calculator — all can use
 	scoped.HandleFunc("POST /api/deadlines/calculate", calcH.Calculate)
 
+	// Deadline determination — full timeline calculation with conditions
+	scoped.HandleFunc("GET /api/proceeding-types/{code}/timeline", determineH.GetTimeline)
+	scoped.HandleFunc("POST /api/deadlines/determine", determineH.Determine)
+	scoped.HandleFunc("POST /api/cases/{caseID}/deadlines/batch", perm(auth.PermManageDeadlines, determineH.BatchCreate))
+
 	// Appointments — all can manage (PermManageAppointments granted to all)
 	scoped.HandleFunc("GET /api/appointments/{id}", apptH.Get)
 	scoped.HandleFunc("GET /api/appointments", apptH.List)
@@ -162,21 +163,15 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	// Dashboard — all can view
 	scoped.HandleFunc("GET /api/dashboard", dashboardH.Get)
 
-<<<<<<< HEAD
 	// Audit log
 	scoped.HandleFunc("GET /api/audit-log", auditH.List)
 
-	// Documents
-||||||| 82878df
-	// Documents
-=======
 	// Documents — all can upload, delete checked in handler (own vs all)
->>>>>>> mai/pike/p0-role-based
 	scoped.HandleFunc("GET /api/cases/{id}/documents", docH.ListByCase)
 	scoped.HandleFunc("POST /api/cases/{id}/documents", perm(auth.PermUploadDocuments, docH.Upload))
 	scoped.HandleFunc("GET /api/documents/{docId}", docH.Download)
 	scoped.HandleFunc("GET /api/documents/{docId}/meta", docH.GetMeta)
-	scoped.HandleFunc("DELETE /api/documents/{docId}", docH.Delete) // permission check inside handler
+	scoped.HandleFunc("DELETE /api/documents/{docId}", docH.Delete)
 
 	// AI endpoints (rate limited: 5 req/min burst 10 per IP)
 	if aiH != nil {
@@ -185,7 +180,6 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 		scoped.HandleFunc("POST /api/ai/summarize-case", perm(auth.PermAIExtraction, aiLimiter.LimitFunc(aiH.SummarizeCase)))
 	}
 
-<<<<<<< HEAD
 	// Notifications
 	if notifH != nil {
 		scoped.HandleFunc("GET /api/notifications", notifH.List)
@@ -196,12 +190,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 		scoped.HandleFunc("PUT /api/notification-preferences", notifH.UpdatePreferences)
 	}
 
-	// CalDAV sync endpoints
-||||||| 82878df
-	// CalDAV sync endpoints
-=======
 	// CalDAV sync endpoints — settings permission required
->>>>>>> mai/pike/p0-role-based
 	if calDAVSvc != nil {
 		calDAVH := handlers.NewCalDAVHandler(calDAVSvc)
 		scoped.HandleFunc("POST /api/caldav/sync", perm(auth.PermManageSettings, calDAVH.TriggerSync))