feat: add CalDAV settings UI and team management pages (Phase 3P)

Backend: PUT /api/tenants/{id}/settings endpoint for updating tenant
settings (JSONB merge). Frontend: /einstellungen page with CalDAV
config (URL, credentials, calendar path, sync toggle, interval),
manual sync button, live sync status display. /einstellungen/team
page with member list, invite-by-email, role management.

backend/internal/handlers/tenant_handler.go

@@ -196,6 +196,46 @@ func (h *TenantHandler) RemoveMember(w http.ResponseWriter, r *http.Request) {
 	jsonResponse(w, map[string]string{"status": "removed"}, http.StatusOK)
 }
 
+// UpdateSettings handles PUT /api/tenants/{id}/settings
+func (h *TenantHandler) UpdateSettings(w http.ResponseWriter, r *http.Request) {
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	tenantID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		jsonError(w, "invalid tenant ID", http.StatusBadRequest)
+		return
+	}
+
+	// Only owners and admins can update settings
+	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
+	if err != nil {
+		jsonError(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	if role != "owner" && role != "admin" {
+		jsonError(w, "only owners and admins can update settings", http.StatusForbidden)
+		return
+	}
+
+	var settings json.RawMessage
+	if err := json.NewDecoder(r.Body).Decode(&settings); err != nil {
+		jsonError(w, "invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	tenant, err := h.svc.UpdateSettings(r.Context(), tenantID, settings)
+	if err != nil {
+		jsonError(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	jsonResponse(w, tenant, http.StatusOK)
+}
+
 // ListMembers handles GET /api/tenants/{id}/members
 func (h *TenantHandler) ListMembers(w http.ResponseWriter, r *http.Request) {
 	userID, ok := auth.UserFromContext(r.Context())

backend/internal/router/router.go

@@ -60,6 +60,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	api.HandleFunc("POST /api/tenants", tenantH.CreateTenant)
 	api.HandleFunc("GET /api/tenants", tenantH.ListTenants)
 	api.HandleFunc("GET /api/tenants/{id}", tenantH.GetTenant)
+	api.HandleFunc("PUT /api/tenants/{id}/settings", tenantH.UpdateSettings)
 	api.HandleFunc("POST /api/tenants/{id}/invite", tenantH.InviteUser)
 	api.HandleFunc("DELETE /api/tenants/{id}/members/{uid}", tenantH.RemoveMember)
 	api.HandleFunc("GET /api/tenants/{id}/members", tenantH.ListMembers)

backend/internal/services/tenant_service.go

@@ -3,6 +3,7 @@ package services
 import (
 	"context"
 	"database/sql"
+	"encoding/json"
 	"fmt"
 
 	"github.com/google/uuid"
@@ -173,6 +174,21 @@ func (s *TenantService) InviteByEmail(ctx context.Context, tenantID uuid.UUID, e
 	return &ut, nil
 }
 
+// UpdateSettings merges new settings into the tenant's existing settings JSONB.
+func (s *TenantService) UpdateSettings(ctx context.Context, tenantID uuid.UUID, settings json.RawMessage) (*models.Tenant, error) {
+	var tenant models.Tenant
+	err := s.db.QueryRowxContext(ctx,
+		`UPDATE tenants SET settings = COALESCE(settings, '{}'::jsonb) || $1::jsonb, updated_at = NOW()
+		 WHERE id = $2
+		 RETURNING id, name, slug, settings, created_at, updated_at`,
+		settings, tenantID,
+	).StructScan(&tenant)
+	if err != nil {
+		return nil, fmt.Errorf("update settings: %w", err)
+	}
+	return &tenant, nil
+}
+
 // RemoveMember removes a user from a tenant. Cannot remove the last owner.
 func (s *TenantService) RemoveMember(ctx context.Context, tenantID, userID uuid.UUID) error {
 	// Check if the user being removed is an owner