feat: reporting dashboard — case stats, deadline compliance, workload, billing (P1)

Backend: - ReportingService with aggregation queries (CTEs, FILTER clauses) - 4 API endpoints: /api/reports/{cases,deadlines,workload,billing} - Date range filtering via ?from=&to= query params Frontend: - /berichte page with 4 tabs: Akten, Fristen, Auslastung, Abrechnung - recharts: bar/pie/line charts for all report types - Date range picker, CSV export, print-friendly view - Sidebar nav entry with BarChart3 icon Also resolves merge conflicts between role-based, notification, and audit trail branches, and adds missing TS types (AuditLogResponse, Notification, NotificationPreferences).
2026-03-30 11:24:45 +02:00
parent 8e65463130
commit fdef5af32e
17 changed files with 1812 additions and 124 deletions
--- a/backend/internal/auth/context.go
+++ b/backend/internal/auth/context.go
@@ -9,19 +9,11 @@ import (
 type contextKey string

 const (
-<<<<<<< HEAD
 	userIDKey    contextKey = "user_id"
 	tenantIDKey  contextKey = "tenant_id"
+	userRoleKey  contextKey = "user_role"
 	ipKey        contextKey = "ip_address"
 	userAgentKey contextKey = "user_agent"
-||||||| 82878df
-	userIDKey   contextKey = "user_id"
-	tenantIDKey contextKey = "tenant_id"
-=======
-	userIDKey   contextKey = "user_id"
-	tenantIDKey contextKey = "tenant_id"
-	userRoleKey contextKey = "user_role"
->>>>>>> mai/pike/p0-role-based
 )

 func ContextWithUserID(ctx context.Context, userID uuid.UUID) context.Context {
@@ -41,7 +33,15 @@ func TenantFromContext(ctx context.Context) (uuid.UUID, bool) {
 	id, ok := ctx.Value(tenantIDKey).(uuid.UUID)
 	return id, ok
 }
-<<<<<<< HEAD
+
+func ContextWithUserRole(ctx context.Context, role string) context.Context {
+	return context.WithValue(ctx, userRoleKey, role)
+}
+
+func UserRoleFromContext(ctx context.Context) string {
+	role, _ := ctx.Value(userRoleKey).(string)
+	return role
+}

 func ContextWithRequestInfo(ctx context.Context, ip, userAgent string) context.Context {
 	ctx = context.WithValue(ctx, ipKey, ip)
@@ -62,15 +62,3 @@ func UserAgentFromContext(ctx context.Context) *string {
 	}
 	return nil
 }
-||||||| 82878df
-=======
-
-func ContextWithUserRole(ctx context.Context, role string) context.Context {
-	return context.WithValue(ctx, userRoleKey, role)
-}
-
-func UserRoleFromContext(ctx context.Context) string {
-	role, _ := ctx.Value(userRoleKey).(string)
-	return role
-}
->>>>>>> mai/pike/p0-role-based
--- a/backend/internal/auth/middleware.go
+++ b/backend/internal/auth/middleware.go
@@ -35,36 +35,8 @@ func (m *Middleware) RequireAuth(next http.Handler) http.Handler {
 		}

 		ctx := ContextWithUserID(r.Context(), userID)
-<<<<<<< HEAD
 		// Tenant resolution is handled by TenantResolver middleware for scoped routes.
 		// Tenant management routes handle their own access control.
-||||||| 82878df
-
-		// Resolve tenant and role from user_tenants
-		var membership struct {
-			TenantID uuid.UUID `db:"tenant_id"`
-			Role     string    `db:"role"`
-		}
-		err = m.db.GetContext(r.Context(), &membership,
-			"SELECT tenant_id, role FROM user_tenants WHERE user_id = $1 LIMIT 1", userID)
-		if err != nil {
-			http.Error(w, "no tenant found for user", http.StatusForbidden)
-			return
-		}
-		ctx = ContextWithTenantID(ctx, membership.TenantID)
-		ctx = ContextWithUserRole(ctx, membership.Role)
-
-=======
-
-		// Resolve tenant from user_tenants
-		var tenantID uuid.UUID
-		err = m.db.GetContext(r.Context(), &tenantID,
-			"SELECT tenant_id FROM user_tenants WHERE user_id = $1 LIMIT 1", userID)
-		if err != nil {
-			http.Error(w, "no tenant found for user", http.StatusForbidden)
-			return
-		}
-		ctx = ContextWithTenantID(ctx, tenantID)

 		// Capture IP and user-agent for audit logging
 		ip := r.Header.Get("X-Forwarded-For")
@@ -73,7 +45,6 @@ func (m *Middleware) RequireAuth(next http.Handler) http.Handler {
 		}
 		ctx = ContextWithRequestInfo(ctx, ip, r.UserAgent())

->>>>>>> mai/knuth/p0-audit-trail-append
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }
--- a/backend/internal/auth/tenant_resolver.go
+++ b/backend/internal/auth/tenant_resolver.go
@@ -12,12 +12,8 @@ import (
 // Defined as an interface to avoid circular dependency with services.
 type TenantLookup interface {
 	FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error)
-<<<<<<< HEAD
 	VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error)
-||||||| 82878df
-=======
 	GetUserRole(ctx context.Context, userID, tenantID uuid.UUID) (string, error)
->>>>>>> mai/pike/p0-role-based
 }

 // TenantResolver is middleware that resolves the tenant from X-Tenant-ID header
@@ -46,33 +42,19 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
 				http.Error(w, `{"error":"invalid X-Tenant-ID"}`, http.StatusBadRequest)
 				return
 			}
-<<<<<<< HEAD

-			// Verify user has access to this tenant
-			hasAccess, err := tr.lookup.VerifyAccess(r.Context(), userID, parsed)
+			// Verify user has access and get their role
+			role, err := tr.lookup.GetUserRole(r.Context(), userID, parsed)
 			if err != nil {
 				slog.Error("tenant access check failed", "error", err, "user_id", userID, "tenant_id", parsed)
 				http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
 				return
 			}
-			if !hasAccess {
+			if role == "" {
 				http.Error(w, `{"error":"no access to tenant"}`, http.StatusForbidden)
 				return
 			}

-||||||| 82878df
-=======
-			// Verify user has access and get their role
-			role, err := tr.lookup.GetUserRole(r.Context(), userID, parsed)
-			if err != nil {
-				http.Error(w, "error checking tenant access", http.StatusInternalServerError)
-				return
-			}
-			if role == "" {
-				http.Error(w, "no access to this tenant", http.StatusForbidden)
-				return
-			}
->>>>>>> mai/pike/p0-role-based
 			tenantID = parsed
 			// Override the role from middleware with the correct one for this tenant
 			r = r.WithContext(ContextWithUserRole(r.Context(), role))
--- a/backend/internal/auth/tenant_resolver_test.go
+++ b/backend/internal/auth/tenant_resolver_test.go
@@ -10,49 +10,34 @@ import (
 )

 type mockTenantLookup struct {
-<<<<<<< HEAD
 	tenantID  *uuid.UUID
 	err       error
 	hasAccess bool
 	accessErr error
-||||||| 82878df
-	tenantID *uuid.UUID
-	err      error
-=======
-	tenantID *uuid.UUID
-	role     string
-	err      error
->>>>>>> mai/pike/p0-role-based
+	role      string
 }

 func (m *mockTenantLookup) FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error) {
 	return m.tenantID, m.err
 }

-<<<<<<< HEAD
 func (m *mockTenantLookup) VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error) {
 	return m.hasAccess, m.accessErr
 }

-||||||| 82878df
-=======
 func (m *mockTenantLookup) GetUserRole(ctx context.Context, userID, tenantID uuid.UUID) (string, error) {
 	if m.role != "" {
 		return m.role, m.err
 	}
-	return "associate", m.err
+	if m.hasAccess {
+		return "associate", m.err
+	}
+	return "", m.err
 }

->>>>>>> mai/pike/p0-role-based
 func TestTenantResolver_FromHeader(t *testing.T) {
 	tenantID := uuid.New()
-<<<<<<< HEAD
-	tr := NewTenantResolver(&mockTenantLookup{hasAccess: true})
-||||||| 82878df
-	tr := NewTenantResolver(&mockTenantLookup{})
-=======
-	tr := NewTenantResolver(&mockTenantLookup{role: "partner"})
->>>>>>> mai/pike/p0-role-based
+	tr := NewTenantResolver(&mockTenantLookup{hasAccess: true, role: "partner"})

 	var gotTenantID uuid.UUID
 	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
--- a/backend/internal/handlers/deadlines.go
+++ b/backend/internal/handlers/deadlines.go
@@ -198,18 +198,8 @@ func (h *DeadlineHandlers) Delete(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-<<<<<<< HEAD
-	if err := h.deadlines.Delete(tenantID, deadlineID); err != nil {
+	if err := h.deadlines.Delete(r.Context(), tenantID, deadlineID); err != nil {
 		writeError(w, http.StatusNotFound, "deadline not found")
-||||||| 82878df
-	err = h.deadlines.Delete(tenantID, deadlineID)
-	if err != nil {
-		writeError(w, http.StatusNotFound, err.Error())
-=======
-	err = h.deadlines.Delete(r.Context(), tenantID, deadlineID)
-	if err != nil {
-		writeError(w, http.StatusNotFound, err.Error())
->>>>>>> mai/knuth/p0-audit-trail-append
 		return
 	}

--- a/backend/internal/handlers/reports.go
+++ b/backend/internal/handlers/reports.go
@@ -0,0 +1,109 @@
+package handlers
+
+import (
+	"net/http"
+	"time"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+)
+
+type ReportHandler struct {
+	svc *services.ReportingService
+}
+
+func NewReportHandler(svc *services.ReportingService) *ReportHandler {
+	return &ReportHandler{svc: svc}
+}
+
+// parseDateRange extracts from/to query params, defaulting to last 12 months.
+func parseDateRange(r *http.Request) (time.Time, time.Time) {
+	now := time.Now()
+	from := time.Date(now.Year()-1, now.Month(), 1, 0, 0, 0, 0, time.UTC)
+	to := time.Date(now.Year(), now.Month(), now.Day(), 23, 59, 59, 0, time.UTC)
+
+	if v := r.URL.Query().Get("from"); v != "" {
+		if t, err := time.Parse("2006-01-02", v); err == nil {
+			from = t
+		}
+	}
+	if v := r.URL.Query().Get("to"); v != "" {
+		if t, err := time.Parse("2006-01-02", v); err == nil {
+			to = time.Date(t.Year(), t.Month(), t.Day(), 23, 59, 59, 0, time.UTC)
+		}
+	}
+
+	return from, to
+}
+
+func (h *ReportHandler) Cases(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	from, to := parseDateRange(r)
+
+	data, err := h.svc.CaseReport(r.Context(), tenantID, from, to)
+	if err != nil {
+		internalError(w, "failed to generate case report", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, data)
+}
+
+func (h *ReportHandler) Deadlines(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	from, to := parseDateRange(r)
+
+	data, err := h.svc.DeadlineReport(r.Context(), tenantID, from, to)
+	if err != nil {
+		internalError(w, "failed to generate deadline report", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, data)
+}
+
+func (h *ReportHandler) Workload(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	from, to := parseDateRange(r)
+
+	data, err := h.svc.WorkloadReport(r.Context(), tenantID, from, to)
+	if err != nil {
+		internalError(w, "failed to generate workload report", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, data)
+}
+
+func (h *ReportHandler) Billing(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	from, to := parseDateRange(r)
+
+	data, err := h.svc.BillingReport(r.Context(), tenantID, from, to)
+	if err != nil {
+		internalError(w, "failed to generate billing report", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, data)
+}
--- a/backend/internal/router/router.go
+++ b/backend/internal/router/router.go
@@ -29,14 +29,8 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	deadlineRuleSvc := services.NewDeadlineRuleService(db)
 	calculator := services.NewDeadlineCalculator(holidaySvc)
 	storageCli := services.NewStorageClient(cfg.SupabaseURL, cfg.SupabaseServiceKey)
-<<<<<<< HEAD
 	documentSvc := services.NewDocumentService(db, storageCli, auditSvc)
-||||||| 82878df
-	documentSvc := services.NewDocumentService(db, storageCli)
-=======
-	documentSvc := services.NewDocumentService(db, storageCli)
 	assignmentSvc := services.NewCaseAssignmentService(db)
->>>>>>> mai/pike/p0-role-based

 	// AI service (optional — only if API key is configured)
 	var aiH *handlers.AIHandler
@@ -50,6 +44,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se

 	noteSvc := services.NewNoteService(db, auditSvc)
 	dashboardSvc := services.NewDashboardService(db)
+	reportingSvc := services.NewReportingService(db)

 	// Notification handler (optional — nil in tests)
 	var notifH *handlers.NotificationHandler
@@ -67,6 +62,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	ruleH := handlers.NewDeadlineRuleHandlers(deadlineRuleSvc)
 	calcH := handlers.NewCalculateHandlers(calculator, deadlineRuleSvc)
 	dashboardH := handlers.NewDashboardHandler(dashboardSvc)
+	reportH := handlers.NewReportHandler(reportingSvc)
 	noteH := handlers.NewNoteHandler(noteSvc)
 	eventH := handlers.NewCaseEventHandler(db)
 	docH := handlers.NewDocumentHandler(documentSvc)
@@ -162,16 +158,16 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	// Dashboard — all can view
 	scoped.HandleFunc("GET /api/dashboard", dashboardH.Get)

-<<<<<<< HEAD
+	// Reports — all can view
+	scoped.HandleFunc("GET /api/reports/cases", reportH.Cases)
+	scoped.HandleFunc("GET /api/reports/deadlines", reportH.Deadlines)
+	scoped.HandleFunc("GET /api/reports/workload", reportH.Workload)
+	scoped.HandleFunc("GET /api/reports/billing", reportH.Billing)
+
 	// Audit log
 	scoped.HandleFunc("GET /api/audit-log", auditH.List)

-	// Documents
-||||||| 82878df
-	// Documents
-=======
 	// Documents — all can upload, delete checked in handler (own vs all)
->>>>>>> mai/pike/p0-role-based
 	scoped.HandleFunc("GET /api/cases/{id}/documents", docH.ListByCase)
 	scoped.HandleFunc("POST /api/cases/{id}/documents", perm(auth.PermUploadDocuments, docH.Upload))
 	scoped.HandleFunc("GET /api/documents/{docId}", docH.Download)
@@ -185,7 +181,6 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 		scoped.HandleFunc("POST /api/ai/summarize-case", perm(auth.PermAIExtraction, aiLimiter.LimitFunc(aiH.SummarizeCase)))
 	}

-<<<<<<< HEAD
 	// Notifications
 	if notifH != nil {
 		scoped.HandleFunc("GET /api/notifications", notifH.List)
@@ -196,12 +191,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 		scoped.HandleFunc("PUT /api/notification-preferences", notifH.UpdatePreferences)
 	}

-	// CalDAV sync endpoints
-||||||| 82878df
-	// CalDAV sync endpoints
-=======
 	// CalDAV sync endpoints — settings permission required
->>>>>>> mai/pike/p0-role-based
 	if calDAVSvc != nil {
 		calDAVH := handlers.NewCalDAVHandler(calDAVSvc)
 		scoped.HandleFunc("POST /api/caldav/sync", perm(auth.PermManageSettings, calDAVH.TriggerSync))
--- a/backend/internal/services/reporting_service.go
+++ b/backend/internal/services/reporting_service.go
@@ -0,0 +1,329 @@
+package services
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+)
+
+type ReportingService struct {
+	db *sqlx.DB
+}
+
+func NewReportingService(db *sqlx.DB) *ReportingService {
+	return &ReportingService{db: db}
+}
+
+// --- Case Statistics ---
+
+type CaseStats struct {
+	Period     string `json:"period" db:"period"`
+	Opened     int    `json:"opened" db:"opened"`
+	Closed     int    `json:"closed" db:"closed"`
+	Active     int    `json:"active" db:"active"`
+}
+
+type CasesByType struct {
+	CaseType string `json:"case_type" db:"case_type"`
+	Count    int    `json:"count" db:"count"`
+}
+
+type CasesByCourt struct {
+	Court string `json:"court" db:"court"`
+	Count int    `json:"count" db:"count"`
+}
+
+type CaseReport struct {
+	Monthly  []CaseStats    `json:"monthly"`
+	ByType   []CasesByType  `json:"by_type"`
+	ByCourt  []CasesByCourt `json:"by_court"`
+	Total    CaseReportTotals `json:"total"`
+}
+
+type CaseReportTotals struct {
+	Opened int `json:"opened"`
+	Closed int `json:"closed"`
+	Active int `json:"active"`
+}
+
+func (s *ReportingService) CaseReport(ctx context.Context, tenantID uuid.UUID, from, to time.Time) (*CaseReport, error) {
+	report := &CaseReport{}
+
+	// Monthly breakdown
+	monthlyQuery := `
+		SELECT
+			TO_CHAR(DATE_TRUNC('month', created_at), 'YYYY-MM') AS period,
+			COUNT(*) AS opened,
+			COUNT(*) FILTER (WHERE status IN ('closed', 'archived')) AS closed,
+			COUNT(*) FILTER (WHERE status = 'active') AS active
+		FROM cases
+		WHERE tenant_id = $1 AND created_at >= $2 AND created_at <= $3
+		GROUP BY DATE_TRUNC('month', created_at)
+		ORDER BY DATE_TRUNC('month', created_at)`
+
+	report.Monthly = []CaseStats{}
+	if err := s.db.SelectContext(ctx, &report.Monthly, monthlyQuery, tenantID, from, to); err != nil {
+		return nil, fmt.Errorf("case report monthly: %w", err)
+	}
+
+	// By type
+	typeQuery := `
+		SELECT COALESCE(case_type, 'Sonstiges') AS case_type, COUNT(*) AS count
+		FROM cases
+		WHERE tenant_id = $1 AND created_at >= $2 AND created_at <= $3
+		GROUP BY case_type
+		ORDER BY count DESC`
+
+	report.ByType = []CasesByType{}
+	if err := s.db.SelectContext(ctx, &report.ByType, typeQuery, tenantID, from, to); err != nil {
+		return nil, fmt.Errorf("case report by type: %w", err)
+	}
+
+	// By court
+	courtQuery := `
+		SELECT COALESCE(court, 'Ohne Gericht') AS court, COUNT(*) AS count
+		FROM cases
+		WHERE tenant_id = $1 AND created_at >= $2 AND created_at <= $3
+		GROUP BY court
+		ORDER BY count DESC`
+
+	report.ByCourt = []CasesByCourt{}
+	if err := s.db.SelectContext(ctx, &report.ByCourt, courtQuery, tenantID, from, to); err != nil {
+		return nil, fmt.Errorf("case report by court: %w", err)
+	}
+
+	// Totals
+	totalsQuery := `
+		SELECT
+			COUNT(*) AS opened,
+			COUNT(*) FILTER (WHERE status IN ('closed', 'archived')) AS closed,
+			COUNT(*) FILTER (WHERE status = 'active') AS active
+		FROM cases
+		WHERE tenant_id = $1 AND created_at >= $2 AND created_at <= $3`
+
+	if err := s.db.GetContext(ctx, &report.Total, totalsQuery, tenantID, from, to); err != nil {
+		return nil, fmt.Errorf("case report totals: %w", err)
+	}
+
+	return report, nil
+}
+
+// --- Deadline Compliance ---
+
+type DeadlineCompliance struct {
+	Period       string  `json:"period" db:"period"`
+	Total        int     `json:"total" db:"total"`
+	Met          int     `json:"met" db:"met"`
+	Missed       int     `json:"missed" db:"missed"`
+	Pending      int     `json:"pending" db:"pending"`
+	ComplianceRate float64 `json:"compliance_rate"`
+}
+
+type MissedDeadline struct {
+	ID         uuid.UUID `json:"id" db:"id"`
+	Title      string    `json:"title" db:"title"`
+	DueDate    string    `json:"due_date" db:"due_date"`
+	CaseID     uuid.UUID `json:"case_id" db:"case_id"`
+	CaseNumber string    `json:"case_number" db:"case_number"`
+	CaseTitle  string    `json:"case_title" db:"case_title"`
+	DaysOverdue int      `json:"days_overdue" db:"days_overdue"`
+}
+
+type DeadlineReport struct {
+	Monthly []DeadlineCompliance `json:"monthly"`
+	Missed  []MissedDeadline     `json:"missed"`
+	Total   DeadlineReportTotals `json:"total"`
+}
+
+type DeadlineReportTotals struct {
+	Total          int     `json:"total"`
+	Met            int     `json:"met"`
+	Missed         int     `json:"missed"`
+	Pending        int     `json:"pending"`
+	ComplianceRate float64 `json:"compliance_rate"`
+}
+
+func (s *ReportingService) DeadlineReport(ctx context.Context, tenantID uuid.UUID, from, to time.Time) (*DeadlineReport, error) {
+	report := &DeadlineReport{}
+
+	// Monthly compliance
+	monthlyQuery := `
+		SELECT
+			TO_CHAR(DATE_TRUNC('month', due_date), 'YYYY-MM') AS period,
+			COUNT(*) AS total,
+			COUNT(*) FILTER (WHERE status = 'completed' AND (completed_at IS NULL OR completed_at::date <= due_date)) AS met,
+			COUNT(*) FILTER (WHERE (status = 'completed' AND completed_at::date > due_date) OR (status = 'pending' AND due_date < CURRENT_DATE)) AS missed,
+			COUNT(*) FILTER (WHERE status = 'pending' AND due_date >= CURRENT_DATE) AS pending
+		FROM deadlines
+		WHERE tenant_id = $1 AND due_date >= $2 AND due_date <= $3
+		GROUP BY DATE_TRUNC('month', due_date)
+		ORDER BY DATE_TRUNC('month', due_date)`
+
+	report.Monthly = []DeadlineCompliance{}
+	if err := s.db.SelectContext(ctx, &report.Monthly, monthlyQuery, tenantID, from, to); err != nil {
+		return nil, fmt.Errorf("deadline report monthly: %w", err)
+	}
+
+	// Calculate compliance rates
+	for i := range report.Monthly {
+		completed := report.Monthly[i].Met + report.Monthly[i].Missed
+		if completed > 0 {
+			report.Monthly[i].ComplianceRate = float64(report.Monthly[i].Met) / float64(completed) * 100
+		}
+	}
+
+	// Missed deadlines list
+	missedQuery := `
+		SELECT d.id, d.title, d.due_date, d.case_id, c.case_number, c.title AS case_title,
+			(CURRENT_DATE - d.due_date::date) AS days_overdue
+		FROM deadlines d
+		JOIN cases c ON c.id = d.case_id AND c.tenant_id = d.tenant_id
+		WHERE d.tenant_id = $1 AND d.due_date >= $2 AND d.due_date <= $3
+			AND ((d.status = 'pending' AND d.due_date < CURRENT_DATE)
+				OR (d.status = 'completed' AND d.completed_at::date > d.due_date))
+		ORDER BY d.due_date ASC
+		LIMIT 50`
+
+	report.Missed = []MissedDeadline{}
+	if err := s.db.SelectContext(ctx, &report.Missed, missedQuery, tenantID, from, to); err != nil {
+		return nil, fmt.Errorf("deadline report missed: %w", err)
+	}
+
+	// Totals
+	totalsQuery := `
+		SELECT
+			COUNT(*) AS total,
+			COUNT(*) FILTER (WHERE status = 'completed' AND (completed_at IS NULL OR completed_at::date <= due_date)) AS met,
+			COUNT(*) FILTER (WHERE (status = 'completed' AND completed_at::date > due_date) OR (status = 'pending' AND due_date < CURRENT_DATE)) AS missed,
+			COUNT(*) FILTER (WHERE status = 'pending' AND due_date >= CURRENT_DATE) AS pending
+		FROM deadlines
+		WHERE tenant_id = $1 AND due_date >= $2 AND due_date <= $3`
+
+	if err := s.db.GetContext(ctx, &report.Total, totalsQuery, tenantID, from, to); err != nil {
+		return nil, fmt.Errorf("deadline report totals: %w", err)
+	}
+
+	completed := report.Total.Met + report.Total.Missed
+	if completed > 0 {
+		report.Total.ComplianceRate = float64(report.Total.Met) / float64(completed) * 100
+	}
+
+	return report, nil
+}
+
+// --- Workload ---
+
+type UserWorkload struct {
+	UserID      uuid.UUID `json:"user_id" db:"user_id"`
+	ActiveCases int       `json:"active_cases" db:"active_cases"`
+	Deadlines   int       `json:"deadlines" db:"deadlines"`
+	Overdue     int       `json:"overdue" db:"overdue"`
+	Completed   int       `json:"completed" db:"completed"`
+}
+
+type WorkloadReport struct {
+	Users []UserWorkload `json:"users"`
+}
+
+func (s *ReportingService) WorkloadReport(ctx context.Context, tenantID uuid.UUID, from, to time.Time) (*WorkloadReport, error) {
+	report := &WorkloadReport{}
+
+	query := `
+		WITH user_cases AS (
+			SELECT ca.user_id, COUNT(DISTINCT ca.case_id) AS active_cases
+			FROM case_assignments ca
+			JOIN cases c ON c.id = ca.case_id AND c.tenant_id = $1
+			WHERE c.status = 'active'
+			GROUP BY ca.user_id
+		),
+		user_deadlines AS (
+			SELECT ca.user_id,
+				COUNT(*) AS deadlines,
+				COUNT(*) FILTER (WHERE d.status = 'pending' AND d.due_date < CURRENT_DATE) AS overdue,
+				COUNT(*) FILTER (WHERE d.status = 'completed' AND d.completed_at >= $2 AND d.completed_at <= $3) AS completed
+			FROM case_assignments ca
+			JOIN deadlines d ON d.case_id = ca.case_id AND d.tenant_id = $1
+			WHERE d.due_date >= $2 AND d.due_date <= $3
+			GROUP BY ca.user_id
+		)
+		SELECT
+			COALESCE(uc.user_id, ud.user_id) AS user_id,
+			COALESCE(uc.active_cases, 0) AS active_cases,
+			COALESCE(ud.deadlines, 0) AS deadlines,
+			COALESCE(ud.overdue, 0) AS overdue,
+			COALESCE(ud.completed, 0) AS completed
+		FROM user_cases uc
+		FULL OUTER JOIN user_deadlines ud ON uc.user_id = ud.user_id
+		ORDER BY active_cases DESC`
+
+	report.Users = []UserWorkload{}
+	if err := s.db.SelectContext(ctx, &report.Users, query, tenantID, from, to); err != nil {
+		return nil, fmt.Errorf("workload report: %w", err)
+	}
+
+	return report, nil
+}
+
+// --- Billing (summary from case data) ---
+
+type BillingByMonth struct {
+	Period      string `json:"period" db:"period"`
+	CasesActive int    `json:"cases_active" db:"cases_active"`
+	CasesClosed int    `json:"cases_closed" db:"cases_closed"`
+	CasesNew    int    `json:"cases_new" db:"cases_new"`
+}
+
+type BillingByType struct {
+	CaseType string `json:"case_type" db:"case_type"`
+	Active   int    `json:"active" db:"active"`
+	Closed   int    `json:"closed" db:"closed"`
+	Total    int    `json:"total" db:"total"`
+}
+
+type BillingReport struct {
+	Monthly []BillingByMonth `json:"monthly"`
+	ByType  []BillingByType  `json:"by_type"`
+}
+
+func (s *ReportingService) BillingReport(ctx context.Context, tenantID uuid.UUID, from, to time.Time) (*BillingReport, error) {
+	report := &BillingReport{}
+
+	// Monthly activity for billing overview
+	monthlyQuery := `
+		SELECT
+			TO_CHAR(DATE_TRUNC('month', created_at), 'YYYY-MM') AS period,
+			COUNT(*) FILTER (WHERE status = 'active') AS cases_active,
+			COUNT(*) FILTER (WHERE status IN ('closed', 'archived')) AS cases_closed,
+			COUNT(*) AS cases_new
+		FROM cases
+		WHERE tenant_id = $1 AND created_at >= $2 AND created_at <= $3
+		GROUP BY DATE_TRUNC('month', created_at)
+		ORDER BY DATE_TRUNC('month', created_at)`
+
+	report.Monthly = []BillingByMonth{}
+	if err := s.db.SelectContext(ctx, &report.Monthly, monthlyQuery, tenantID, from, to); err != nil {
+		return nil, fmt.Errorf("billing report monthly: %w", err)
+	}
+
+	// By case type
+	typeQuery := `
+		SELECT
+			COALESCE(case_type, 'Sonstiges') AS case_type,
+			COUNT(*) FILTER (WHERE status = 'active') AS active,
+			COUNT(*) FILTER (WHERE status IN ('closed', 'archived')) AS closed,
+			COUNT(*) AS total
+		FROM cases
+		WHERE tenant_id = $1 AND created_at >= $2 AND created_at <= $3
+		GROUP BY case_type
+		ORDER BY total DESC`
+
+	report.ByType = []BillingByType{}
+	if err := s.db.SelectContext(ctx, &report.ByType, typeQuery, tenantID, from, to); err != nil {
+		return nil, fmt.Errorf("billing report by type: %w", err)
+	}
+
+	return report, nil
+}