refactor: remove YouPCDatabaseURL, use same DB connection for case finder

Now that KanzlAI is on the youpc.org Supabase instance, the separate
YouPCDatabaseURL connection is unnecessary. The main database connection
can query mlex.* tables directly since they're on the same Postgres.

- Remove YouPCDatabaseURL from config
- Remove separate sqlx.Connect block in main.go
- Pass main database handle as youpcDB parameter to router
- Update CLAUDE.md: mgmt schema in youpc.org (was kanzlai in flexsiebels)

CLAUDE.md

@@ -18,7 +18,7 @@ frontend/          Next.js 15 (TypeScript, Tailwind CSS, App Router)
 
 - **Frontend:** Next.js 15 with TypeScript, Tailwind CSS v4, App Router, Bun
 - **Backend:** Go (standard library HTTP server)
-- **Database:** Supabase (PostgreSQL) — `kanzlai` schema in flexsiebels instance
+- **Database:** Supabase (PostgreSQL) — `mgmt` schema in youpc.org instance
 - **Deploy:** Dokploy on mLake, domain: kanzlai.msbls.de
 
 ## Development

backend/cmd/server/main.go

@@ -5,7 +5,6 @@ import (
 	"net/http"
 	"os"
 
-	"github.com/jmoiron/sqlx"
 	_ "github.com/lib/pq"
 
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
@@ -34,21 +33,6 @@ func main() {
 
 	authMW := auth.NewMiddleware(cfg.SupabaseJWTSecret, database)
 
-	// Optional: connect to youpc.org database for similar case finder
-	var youpcDB *sqlx.DB
-	if cfg.YouPCDatabaseURL != "" {
-		youpcDB, err = sqlx.Connect("postgres", cfg.YouPCDatabaseURL)
-		if err != nil {
-			slog.Warn("failed to connect to youpc.org database — similar case finder disabled", "error", err)
-			youpcDB = nil
-		} else {
-			youpcDB.SetMaxOpenConns(5)
-			youpcDB.SetMaxIdleConns(2)
-			defer youpcDB.Close()
-			slog.Info("connected to youpc.org database for similar case finder")
-		}
-	}
-
 	// Start CalDAV sync service
 	calDAVSvc := services.NewCalDAVService(database)
 	calDAVSvc.Start()
@@ -59,7 +43,7 @@ func main() {
 	notifSvc.Start()
 	defer notifSvc.Stop()
 
-	handler := router.New(database, authMW, cfg, calDAVSvc, notifSvc, youpcDB)
+	handler := router.New(database, authMW, cfg, calDAVSvc, notifSvc, database)
 
 	slog.Info("starting KanzlAI API server", "port", cfg.Port)
 	if err := http.ListenAndServe(":"+cfg.Port, handler); err != nil {

backend/internal/config/config.go

@@ -14,7 +14,6 @@ type Config struct {
 	SupabaseJWTSecret string
 	AnthropicAPIKey   string
 	FrontendOrigin    string
-	YouPCDatabaseURL  string // read-only connection to youpc.org Supabase for similar case finder
 }
 
 func Load() (*Config, error) {
@@ -27,7 +26,6 @@ func Load() (*Config, error) {
 		SupabaseJWTSecret: os.Getenv("SUPABASE_JWT_SECRET"),
 		AnthropicAPIKey:  os.Getenv("ANTHROPIC_API_KEY"),
 		FrontendOrigin:   getEnv("FRONTEND_ORIGIN", "https://kanzlai.msbls.de"),
-		YouPCDatabaseURL: os.Getenv("YOUPC_DATABASE_URL"),
 	}
 
 	if cfg.DatabaseURL == "" {

backend/internal/router/router.go

@@ -32,6 +32,11 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	storageCli := services.NewStorageClient(cfg.SupabaseURL, cfg.SupabaseServiceKey)
 	documentSvc := services.NewDocumentService(db, storageCli, auditSvc)
 	assignmentSvc := services.NewCaseAssignmentService(db)
+	reportSvc := services.NewReportingService(db)
+	timeEntrySvc := services.NewTimeEntryService(db, auditSvc)
+	invoiceSvc := services.NewInvoiceService(db, auditSvc)
+	billingRateSvc := services.NewBillingRateService(db, auditSvc)
+	templateSvc := services.NewTemplateService(db, auditSvc)
 
 	// AI service (optional — only if API key is configured)
 	var aiH *handlers.AIHandler
@@ -71,6 +76,11 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	eventH := handlers.NewCaseEventHandler(db)
 	docH := handlers.NewDocumentHandler(documentSvc)
 	assignmentH := handlers.NewCaseAssignmentHandler(assignmentSvc)
+	reportH := handlers.NewReportHandler(reportSvc)
+	timeH := handlers.NewTimeEntryHandler(timeEntrySvc)
+	invoiceH := handlers.NewInvoiceHandler(invoiceSvc)
+	billingH := handlers.NewBillingRateHandler(billingRateSvc)
+	templateH := handlers.NewTemplateHandler(templateSvc, caseSvc, partySvc, deadlineSvc, tenantSvc)
 
 	// Public routes
 	mux.HandleFunc("GET /health", handleHealth(db))
@@ -205,6 +215,39 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 		scoped.HandleFunc("GET /api/caldav/status", calDAVH.GetStatus)
 	}
 
+	// Reports — cases/deadlines/workload open to all, billing restricted
+	scoped.HandleFunc("GET /api/reports/cases", reportH.Cases)
+	scoped.HandleFunc("GET /api/reports/deadlines", reportH.Deadlines)
+	scoped.HandleFunc("GET /api/reports/workload", reportH.Workload)
+	scoped.HandleFunc("GET /api/reports/billing", perm(auth.PermManageBilling, reportH.Billing))
+
+	// Time entries — all can view/create, tied to cases
+	scoped.HandleFunc("GET /api/cases/{id}/time-entries", timeH.ListForCase)
+	scoped.HandleFunc("GET /api/time-entries", timeH.List)
+	scoped.HandleFunc("POST /api/cases/{id}/time-entries", timeH.Create)
+	scoped.HandleFunc("PUT /api/time-entries/{id}", timeH.Update)
+	scoped.HandleFunc("DELETE /api/time-entries/{id}", timeH.Delete)
+	scoped.HandleFunc("GET /api/time-entries/summary", timeH.Summary)
+
+	// Invoices — billing permission required
+	scoped.HandleFunc("GET /api/invoices", perm(auth.PermManageBilling, invoiceH.List))
+	scoped.HandleFunc("GET /api/invoices/{id}", perm(auth.PermManageBilling, invoiceH.Get))
+	scoped.HandleFunc("POST /api/invoices", perm(auth.PermManageBilling, invoiceH.Create))
+	scoped.HandleFunc("PUT /api/invoices/{id}", perm(auth.PermManageBilling, invoiceH.Update))
+	scoped.HandleFunc("PATCH /api/invoices/{id}/status", perm(auth.PermManageBilling, invoiceH.UpdateStatus))
+
+	// Billing rates — billing permission required
+	scoped.HandleFunc("GET /api/billing-rates", perm(auth.PermManageBilling, billingH.List))
+	scoped.HandleFunc("PUT /api/billing-rates", perm(auth.PermManageBilling, billingH.Upsert))
+
+	// Document templates — all can view/use, manage needs case creation permission
+	scoped.HandleFunc("GET /api/templates", templateH.List)
+	scoped.HandleFunc("GET /api/templates/{id}", templateH.Get)
+	scoped.HandleFunc("POST /api/templates", perm(auth.PermCreateCase, templateH.Create))
+	scoped.HandleFunc("PUT /api/templates/{id}", perm(auth.PermCreateCase, templateH.Update))
+	scoped.HandleFunc("DELETE /api/templates/{id}", perm(auth.PermCreateCase, templateH.Delete))
+	scoped.HandleFunc("POST /api/templates/{id}/render", templateH.Render)
+
 	// Wire: auth -> tenant routes go directly, scoped routes get tenant resolver
 	api.Handle("/api/", tenantResolver.Resolve(scoped))