fix: resolve merge conflicts from P0 role-based + audit trail branches

Combine role-based permissions (VerifyAccess/GetUserRole) with audit trail
(IP/user-agent context capture) in auth middleware and tenant resolver.

backend/internal/router/router.go

@@ -15,7 +15,7 @@ import (
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
 )
 
-func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *services.CalDAVService, notifSvc *services.NotificationService) http.Handler {
+func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *services.CalDAVService, notifSvc *services.NotificationService, youpcDB ...*sqlx.DB) http.Handler {
 	mux := http.NewServeMux()
 
 	// Services
@@ -29,19 +29,17 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	deadlineRuleSvc := services.NewDeadlineRuleService(db)
 	calculator := services.NewDeadlineCalculator(holidaySvc)
 	storageCli := services.NewStorageClient(cfg.SupabaseURL, cfg.SupabaseServiceKey)
-<<<<<<< HEAD
 	documentSvc := services.NewDocumentService(db, storageCli, auditSvc)
-||||||| 82878df
-	documentSvc := services.NewDocumentService(db, storageCli)
-=======
-	documentSvc := services.NewDocumentService(db, storageCli)
 	assignmentSvc := services.NewCaseAssignmentService(db)
->>>>>>> mai/pike/p0-role-based
 
 	// AI service (optional — only if API key is configured)
 	var aiH *handlers.AIHandler
 	if cfg.AnthropicAPIKey != "" {
-		aiSvc := services.NewAIService(cfg.AnthropicAPIKey, db)
+		var ydb *sqlx.DB
+		if len(youpcDB) > 0 {
+			ydb = youpcDB[0]
+		}
+		aiSvc := services.NewAIService(cfg.AnthropicAPIKey, db, ydb)
 		aiH = handlers.NewAIHandler(aiSvc)
 	}
 
@@ -162,16 +160,10 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	// Dashboard — all can view
 	scoped.HandleFunc("GET /api/dashboard", dashboardH.Get)
 
-<<<<<<< HEAD
 	// Audit log
 	scoped.HandleFunc("GET /api/audit-log", auditH.List)
 
-	// Documents
-||||||| 82878df
-	// Documents
-=======
 	// Documents — all can upload, delete checked in handler (own vs all)
->>>>>>> mai/pike/p0-role-based
 	scoped.HandleFunc("GET /api/cases/{id}/documents", docH.ListByCase)
 	scoped.HandleFunc("POST /api/cases/{id}/documents", perm(auth.PermUploadDocuments, docH.Upload))
 	scoped.HandleFunc("GET /api/documents/{docId}", docH.Download)
@@ -183,9 +175,11 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 		aiLimiter := middleware.NewTokenBucket(5.0/60.0, 10)
 		scoped.HandleFunc("POST /api/ai/extract-deadlines", perm(auth.PermAIExtraction, aiLimiter.LimitFunc(aiH.ExtractDeadlines)))
 		scoped.HandleFunc("POST /api/ai/summarize-case", perm(auth.PermAIExtraction, aiLimiter.LimitFunc(aiH.SummarizeCase)))
+		scoped.HandleFunc("POST /api/ai/draft-document", perm(auth.PermAIExtraction, aiLimiter.LimitFunc(aiH.DraftDocument)))
+		scoped.HandleFunc("POST /api/ai/case-strategy", perm(auth.PermAIExtraction, aiLimiter.LimitFunc(aiH.CaseStrategy)))
+		scoped.HandleFunc("POST /api/ai/similar-cases", perm(auth.PermAIExtraction, aiLimiter.LimitFunc(aiH.SimilarCases)))
 	}
 
-<<<<<<< HEAD
 	// Notifications
 	if notifH != nil {
 		scoped.HandleFunc("GET /api/notifications", notifH.List)
@@ -196,12 +190,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 		scoped.HandleFunc("PUT /api/notification-preferences", notifH.UpdatePreferences)
 	}
 
-	// CalDAV sync endpoints
-||||||| 82878df
-	// CalDAV sync endpoints
-=======
 	// CalDAV sync endpoints — settings permission required
->>>>>>> mai/pike/p0-role-based
 	if calDAVSvc != nil {
 		calDAVH := handlers.NewCalDAVHandler(calDAVSvc)
 		scoped.HandleFunc("POST /api/caldav/sync", perm(auth.PermManageSettings, calDAVH.TriggerSync))