feat: time tracking + billing — hourly rates, time entries, invoices (P1)

Database: time_entries, billing_rates, invoices tables with RLS.
Backend: CRUD services+handlers for time entries, billing rates, invoices.
  - Time entries: list/create/update/delete, summary by case/user/month
  - Billing rates: upsert with auto-close previous, current rate lookup
  - Invoices: create with auto-number (RE-YYYY-NNN), status transitions
    (draft->sent->paid, cancellation), link time entries on invoice create
API: 11 new endpoints under /api/time-entries, /api/billing-rates, /api/invoices
Frontend: Zeiterfassung tab on case detail, /abrechnung overview with filters,
  /abrechnung/rechnungen list+detail with status actions, billing rates settings
Also: resolved merge conflicts between audit-trail and role-based branches,
  added missing types (Notification, AuditLogResponse, NotificationPreferences)

backend/cmd/server/main.go

@@ -36,7 +36,12 @@ func main() {
 	calDAVSvc.Start()
 	defer calDAVSvc.Stop()
 
-	handler := router.New(database, authMW, cfg, calDAVSvc)
+	// Start notification reminder service
+	notifSvc := services.NewNotificationService(database)
+	notifSvc.Start()
+	defer notifSvc.Stop()
+
+	handler := router.New(database, authMW, cfg, calDAVSvc, notifSvc)
 
 	slog.Info("starting KanzlAI API server", "port", cfg.Port)
 	if err := http.ListenAndServe(":"+cfg.Port, handler); err != nil {

backend/internal/auth/context.go

@@ -9,8 +9,11 @@ import (
 type contextKey string
 
 const (
-	userIDKey   contextKey = "user_id"
+	userIDKey    contextKey = "user_id"
-	tenantIDKey contextKey = "tenant_id"
+	tenantIDKey  contextKey = "tenant_id"
+	userRoleKey  contextKey = "user_role"
+	ipKey        contextKey = "ip_address"
+	userAgentKey contextKey = "user_agent"
 )
 
 func ContextWithUserID(ctx context.Context, userID uuid.UUID) context.Context {
@@ -30,3 +33,32 @@ func TenantFromContext(ctx context.Context) (uuid.UUID, bool) {
 	id, ok := ctx.Value(tenantIDKey).(uuid.UUID)
 	return id, ok
 }
+
+func ContextWithUserRole(ctx context.Context, role string) context.Context {
+	return context.WithValue(ctx, userRoleKey, role)
+}
+
+func UserRoleFromContext(ctx context.Context) string {
+	role, _ := ctx.Value(userRoleKey).(string)
+	return role
+}
+
+func ContextWithRequestInfo(ctx context.Context, ip, userAgent string) context.Context {
+	ctx = context.WithValue(ctx, ipKey, ip)
+	ctx = context.WithValue(ctx, userAgentKey, userAgent)
+	return ctx
+}
+
+func IPFromContext(ctx context.Context) *string {
+	if v, ok := ctx.Value(ipKey).(string); ok && v != "" {
+		return &v
+	}
+	return nil
+}
+
+func UserAgentFromContext(ctx context.Context) *string {
+	if v, ok := ctx.Value(userAgentKey).(string); ok && v != "" {
+		return &v
+	}
+	return nil
+}

backend/internal/auth/middleware.go

@@ -35,8 +35,17 @@ func (m *Middleware) RequireAuth(next http.Handler) http.Handler {
 		}
 
 		ctx := ContextWithUserID(r.Context(), userID)
+
+		// Capture IP and user-agent for audit logging
+		ip := r.Header.Get("X-Forwarded-For")
+		if ip == "" {
+			ip = r.RemoteAddr
+		}
+		ctx = ContextWithRequestInfo(ctx, ip, r.UserAgent())
+
 		// Tenant resolution is handled by TenantResolver middleware for scoped routes.
 		// Tenant management routes handle their own access control.
+
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }

backend/internal/auth/permissions.go

@@ -0,0 +1,213 @@
+package auth
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+)
+
+// Valid roles ordered by privilege level (highest first).
+var ValidRoles = []string{"owner", "partner", "associate", "paralegal", "secretary"}
+
+// IsValidRole checks if a role string is one of the defined roles.
+func IsValidRole(role string) bool {
+	for _, r := range ValidRoles {
+		if r == role {
+			return true
+		}
+	}
+	return false
+}
+
+// Permission represents an action that can be checked against roles.
+type Permission int
+
+const (
+	PermManageTeam Permission = iota
+	PermManageBilling
+	PermCreateCase
+	PermEditAllCases
+	PermEditAssignedCase
+	PermViewAllCases
+	PermManageDeadlines
+	PermManageAppointments
+	PermUploadDocuments
+	PermDeleteDocuments
+	PermDeleteOwnDocuments
+	PermViewAuditLog
+	PermManageSettings
+	PermAIExtraction
+)
+
+// rolePermissions maps each role to its set of permissions.
+var rolePermissions = map[string]map[Permission]bool{
+	"owner": {
+		PermManageTeam:         true,
+		PermManageBilling:      true,
+		PermCreateCase:         true,
+		PermEditAllCases:       true,
+		PermEditAssignedCase:   true,
+		PermViewAllCases:       true,
+		PermManageDeadlines:    true,
+		PermManageAppointments: true,
+		PermUploadDocuments:    true,
+		PermDeleteDocuments:    true,
+		PermDeleteOwnDocuments: true,
+		PermViewAuditLog:       true,
+		PermManageSettings:     true,
+		PermAIExtraction:       true,
+	},
+	"partner": {
+		PermManageTeam:         true,
+		PermManageBilling:      true,
+		PermCreateCase:         true,
+		PermEditAllCases:       true,
+		PermEditAssignedCase:   true,
+		PermViewAllCases:       true,
+		PermManageDeadlines:    true,
+		PermManageAppointments: true,
+		PermUploadDocuments:    true,
+		PermDeleteDocuments:    true,
+		PermDeleteOwnDocuments: true,
+		PermViewAuditLog:       true,
+		PermManageSettings:     true,
+		PermAIExtraction:       true,
+	},
+	"associate": {
+		PermCreateCase:         true,
+		PermEditAssignedCase:   true,
+		PermViewAllCases:       true,
+		PermManageDeadlines:    true,
+		PermManageAppointments: true,
+		PermUploadDocuments:    true,
+		PermDeleteOwnDocuments: true,
+		PermAIExtraction:       true,
+	},
+	"paralegal": {
+		PermEditAssignedCase:   true,
+		PermViewAllCases:       true,
+		PermManageDeadlines:    true,
+		PermManageAppointments: true,
+		PermUploadDocuments:    true,
+	},
+	"secretary": {
+		PermViewAllCases:       true,
+		PermManageAppointments: true,
+		PermUploadDocuments:    true,
+	},
+}
+
+// HasPermission checks if the given role has the specified permission.
+func HasPermission(role string, perm Permission) bool {
+	perms, ok := rolePermissions[role]
+	if !ok {
+		return false
+	}
+	return perms[perm]
+}
+
+// RequirePermission returns middleware that checks if the user's role has the given permission.
+func RequirePermission(perm Permission) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			role := UserRoleFromContext(r.Context())
+			if role == "" || !HasPermission(role, perm) {
+				writeJSONError(w, "insufficient permissions", http.StatusForbidden)
+				return
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+// RequireRole returns middleware that checks if the user has one of the specified roles.
+func RequireRole(roles ...string) func(http.Handler) http.Handler {
+	allowed := make(map[string]bool, len(roles))
+	for _, r := range roles {
+		allowed[r] = true
+	}
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			role := UserRoleFromContext(r.Context())
+			if !allowed[role] {
+				writeJSONError(w, "insufficient permissions", http.StatusForbidden)
+				return
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+// IsAssignedToCase checks if a user is assigned to a specific case.
+func IsAssignedToCase(ctx context.Context, db *sqlx.DB, userID, caseID uuid.UUID) (bool, error) {
+	var exists bool
+	err := db.GetContext(ctx, &exists,
+		`SELECT EXISTS(SELECT 1 FROM case_assignments WHERE user_id = $1 AND case_id = $2)`,
+		userID, caseID)
+	return exists, err
+}
+
+// CanEditCase checks if a user can edit a specific case based on role and assignment.
+func CanEditCase(ctx context.Context, db *sqlx.DB, userID, caseID uuid.UUID, role string) (bool, error) {
+	// Owner and partner can edit all cases
+	if HasPermission(role, PermEditAllCases) {
+		return true, nil
+	}
+	// Others need to be assigned
+	if !HasPermission(role, PermEditAssignedCase) {
+		return false, nil
+	}
+	return IsAssignedToCase(ctx, db, userID, caseID)
+}
+
+// CanDeleteDocument checks if a user can delete a specific document.
+func CanDeleteDocument(role string, docUploaderID, userID uuid.UUID) bool {
+	if HasPermission(role, PermDeleteDocuments) {
+		return true
+	}
+	if HasPermission(role, PermDeleteOwnDocuments) {
+		return docUploaderID == userID
+	}
+	return false
+}
+
+// permissionNames maps Permission constants to their string names for frontend use.
+var permissionNames = map[Permission]string{
+	PermManageTeam:         "manage_team",
+	PermManageBilling:      "manage_billing",
+	PermCreateCase:         "create_case",
+	PermEditAllCases:       "edit_all_cases",
+	PermEditAssignedCase:   "edit_assigned_case",
+	PermViewAllCases:       "view_all_cases",
+	PermManageDeadlines:    "manage_deadlines",
+	PermManageAppointments: "manage_appointments",
+	PermUploadDocuments:    "upload_documents",
+	PermDeleteDocuments:    "delete_documents",
+	PermDeleteOwnDocuments: "delete_own_documents",
+	PermViewAuditLog:       "view_audit_log",
+	PermManageSettings:     "manage_settings",
+	PermAIExtraction:       "ai_extraction",
+}
+
+// GetRolePermissions returns a list of permission name strings for the given role.
+func GetRolePermissions(role string) []string {
+	perms, ok := rolePermissions[role]
+	if !ok {
+		return nil
+	}
+	var names []string
+	for p := range perms {
+		if name, ok := permissionNames[p]; ok {
+			names = append(names, name)
+		}
+	}
+	return names
+}
+
+func writeJSONError(w http.ResponseWriter, msg string, status int) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	w.Write([]byte(`{"error":"` + msg + `"}`))
+}

backend/internal/auth/tenant_resolver.go

@@ -13,6 +13,7 @@ import (
 type TenantLookup interface {
 	FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error)
 	VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error)
+	GetUserRole(ctx context.Context, userID, tenantID uuid.UUID) (string, error)
 }
 
 // TenantResolver is middleware that resolves the tenant from X-Tenant-ID header
@@ -42,19 +43,20 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
 				return
 			}
 
-			// Verify user has access to this tenant
+			// Verify user has access and get their role
-			hasAccess, err := tr.lookup.VerifyAccess(r.Context(), userID, parsed)
+			role, err := tr.lookup.GetUserRole(r.Context(), userID, parsed)
 			if err != nil {
 				slog.Error("tenant access check failed", "error", err, "user_id", userID, "tenant_id", parsed)
 				http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
 				return
 			}
-			if !hasAccess {
+			if role == "" {
 				http.Error(w, `{"error":"no access to tenant"}`, http.StatusForbidden)
 				return
 			}
 
 			tenantID = parsed
+			r = r.WithContext(ContextWithUserRole(r.Context(), role))
 		} else {
 			// Default to user's first tenant
 			first, err := tr.lookup.FirstTenantForUser(r.Context(), userID)
@@ -68,6 +70,15 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
 				return
 			}
 			tenantID = *first
+
+			// Also resolve role for default tenant
+			role, err := tr.lookup.GetUserRole(r.Context(), userID, tenantID)
+			if err != nil {
+				slog.Error("failed to get role for default tenant", "error", err, "user_id", userID, "tenant_id", tenantID)
+				http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
+				return
+			}
+			r = r.WithContext(ContextWithUserRole(r.Context(), role))
 		}
 
 		ctx := ContextWithTenantID(r.Context(), tenantID)

backend/internal/auth/tenant_resolver_test.go

@@ -14,6 +14,7 @@ type mockTenantLookup struct {
 	err       error
 	hasAccess bool
 	accessErr error
+	role      string
 }
 
 func (m *mockTenantLookup) FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error) {
@@ -24,9 +25,19 @@ func (m *mockTenantLookup) VerifyAccess(ctx context.Context, userID, tenantID uu
 	return m.hasAccess, m.accessErr
 }
 
+func (m *mockTenantLookup) GetUserRole(ctx context.Context, userID, tenantID uuid.UUID) (string, error) {
+	if m.role != "" {
+		return m.role, m.err
+	}
+	if m.hasAccess {
+		return "associate", m.err
+	}
+	return "", m.err
+}
+
 func TestTenantResolver_FromHeader(t *testing.T) {
 	tenantID := uuid.New()
-	tr := NewTenantResolver(&mockTenantLookup{hasAccess: true})
+	tr := NewTenantResolver(&mockTenantLookup{hasAccess: true, role: "partner"})
 
 	var gotTenantID uuid.UUID
 	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -75,7 +86,7 @@ func TestTenantResolver_FromHeader_NoAccess(t *testing.T) {
 
 func TestTenantResolver_DefaultsToFirst(t *testing.T) {
 	tenantID := uuid.New()
-	tr := NewTenantResolver(&mockTenantLookup{tenantID: &tenantID})
+	tr := NewTenantResolver(&mockTenantLookup{tenantID: &tenantID, role: "owner"})
 
 	var gotTenantID uuid.UUID
 	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

backend/internal/handlers/audit_log.go

@@ -0,0 +1,63 @@
+package handlers
+
+import (
+	"net/http"
+	"strconv"
+
+	"github.com/google/uuid"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+)
+
+type AuditLogHandler struct {
+	svc *services.AuditService
+}
+
+func NewAuditLogHandler(svc *services.AuditService) *AuditLogHandler {
+	return &AuditLogHandler{svc: svc}
+}
+
+func (h *AuditLogHandler) List(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	q := r.URL.Query()
+	page, _ := strconv.Atoi(q.Get("page"))
+	limit, _ := strconv.Atoi(q.Get("limit"))
+
+	filter := services.AuditFilter{
+		EntityType: q.Get("entity_type"),
+		From:       q.Get("from"),
+		To:         q.Get("to"),
+		Page:       page,
+		Limit:      limit,
+	}
+
+	if idStr := q.Get("entity_id"); idStr != "" {
+		if id, err := uuid.Parse(idStr); err == nil {
+			filter.EntityID = &id
+		}
+	}
+	if idStr := q.Get("user_id"); idStr != "" {
+		if id, err := uuid.Parse(idStr); err == nil {
+			filter.UserID = &id
+		}
+	}
+
+	entries, total, err := h.svc.List(r.Context(), tenantID, filter)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to fetch audit log")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{
+		"entries": entries,
+		"total":   total,
+		"page":    filter.Page,
+		"limit":   filter.Limit,
+	})
+}

backend/internal/handlers/billing_rates.go

@@ -0,0 +1,66 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+)
+
+type BillingRateHandler struct {
+	svc *services.BillingRateService
+}
+
+func NewBillingRateHandler(svc *services.BillingRateService) *BillingRateHandler {
+	return &BillingRateHandler{svc: svc}
+}
+
+// List handles GET /api/billing-rates
+func (h *BillingRateHandler) List(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	rates, err := h.svc.List(r.Context(), tenantID)
+	if err != nil {
+		internalError(w, "failed to list billing rates", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{"billing_rates": rates})
+}
+
+// Upsert handles PUT /api/billing-rates
+func (h *BillingRateHandler) Upsert(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	var input services.UpsertBillingRateInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+
+	if input.Rate < 0 {
+		writeError(w, http.StatusBadRequest, "rate must be non-negative")
+		return
+	}
+	if input.ValidFrom == "" {
+		writeError(w, http.StatusBadRequest, "valid_from is required")
+		return
+	}
+
+	rate, err := h.svc.Upsert(r.Context(), tenantID, input)
+	if err != nil {
+		internalError(w, "failed to upsert billing rate", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, rate)
+}

backend/internal/handlers/case_assignments.go

@@ -0,0 +1,119 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/google/uuid"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+)
+
+type CaseAssignmentHandler struct {
+	svc *services.CaseAssignmentService
+}
+
+func NewCaseAssignmentHandler(svc *services.CaseAssignmentService) *CaseAssignmentHandler {
+	return &CaseAssignmentHandler{svc: svc}
+}
+
+// List handles GET /api/cases/{id}/assignments
+func (h *CaseAssignmentHandler) List(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	caseID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid case ID")
+		return
+	}
+
+	assignments, err := h.svc.ListByCase(r.Context(), tenantID, caseID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{
+		"assignments": assignments,
+		"total":       len(assignments),
+	})
+}
+
+// Assign handles POST /api/cases/{id}/assignments
+func (h *CaseAssignmentHandler) Assign(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	caseID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid case ID")
+		return
+	}
+
+	var req struct {
+		UserID string `json:"user_id"`
+		Role   string `json:"role"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid request body")
+		return
+	}
+
+	userID, err := uuid.Parse(req.UserID)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid user_id")
+		return
+	}
+
+	if req.Role == "" {
+		req.Role = "team"
+	}
+	if req.Role != "lead" && req.Role != "team" && req.Role != "viewer" {
+		writeError(w, http.StatusBadRequest, "role must be lead, team, or viewer")
+		return
+	}
+
+	assignment, err := h.svc.Assign(r.Context(), tenantID, caseID, userID, req.Role)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusCreated, assignment)
+}
+
+// Unassign handles DELETE /api/cases/{id}/assignments/{uid}
+func (h *CaseAssignmentHandler) Unassign(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	caseID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid case ID")
+		return
+	}
+
+	userID, err := uuid.Parse(r.PathValue("uid"))
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid user ID")
+		return
+	}
+
+	if err := h.svc.Unassign(r.Context(), tenantID, caseID, userID); err != nil {
+		writeError(w, http.StatusNotFound, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]string{"status": "removed"})
+}

backend/internal/handlers/deadlines.go

@@ -115,7 +115,7 @@ func (h *DeadlineHandlers) Create(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	deadline, err := h.deadlines.Create(tenantID, input)
+	deadline, err := h.deadlines.Create(r.Context(), tenantID, input)
 	if err != nil {
 		internalError(w, "failed to create deadline", err)
 		return
@@ -144,7 +144,7 @@ func (h *DeadlineHandlers) Update(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	deadline, err := h.deadlines.Update(tenantID, deadlineID, input)
+	deadline, err := h.deadlines.Update(r.Context(), tenantID, deadlineID, input)
 	if err != nil {
 		internalError(w, "failed to update deadline", err)
 		return
@@ -171,7 +171,7 @@ func (h *DeadlineHandlers) Complete(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	deadline, err := h.deadlines.Complete(tenantID, deadlineID)
+	deadline, err := h.deadlines.Complete(r.Context(), tenantID, deadlineID)
 	if err != nil {
 		internalError(w, "failed to complete deadline", err)
 		return
@@ -198,8 +198,9 @@ func (h *DeadlineHandlers) Delete(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := h.deadlines.Delete(tenantID, deadlineID); err != nil {
+	err = h.deadlines.Delete(r.Context(), tenantID, deadlineID)
-		writeError(w, http.StatusNotFound, "deadline not found")
+	if err != nil {
+		writeError(w, http.StatusNotFound, err.Error())
 		return
 	}
 

backend/internal/handlers/documents.go

@@ -167,6 +167,7 @@ func (h *DocumentHandler) Delete(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	userID, _ := auth.UserFromContext(r.Context())
+	role := auth.UserRoleFromContext(r.Context())
 
 	docID, err := uuid.Parse(r.PathValue("docId"))
 	if err != nil {
@@ -174,6 +175,26 @@ func (h *DocumentHandler) Delete(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Check permission: owner/partner can delete any, associate can delete own
+	doc, err := h.svc.GetByID(r.Context(), tenantID, docID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	if doc == nil {
+		writeError(w, http.StatusNotFound, "document not found")
+		return
+	}
+
+	uploaderID := uuid.Nil
+	if doc.UploadedBy != nil {
+		uploaderID = *doc.UploadedBy
+	}
+	if !auth.CanDeleteDocument(role, uploaderID, userID) {
+		writeError(w, http.StatusForbidden, "insufficient permissions to delete this document")
+		return
+	}
+
 	if err := h.svc.Delete(r.Context(), tenantID, docID, userID); err != nil {
 		writeError(w, http.StatusNotFound, "document not found")
 		return

backend/internal/handlers/invoices.go

@@ -0,0 +1,170 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+
+	"github.com/google/uuid"
+)
+
+type InvoiceHandler struct {
+	svc *services.InvoiceService
+}
+
+func NewInvoiceHandler(svc *services.InvoiceService) *InvoiceHandler {
+	return &InvoiceHandler{svc: svc}
+}
+
+// List handles GET /api/invoices?case_id=&status=
+func (h *InvoiceHandler) List(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	var caseID *uuid.UUID
+	if caseStr := r.URL.Query().Get("case_id"); caseStr != "" {
+		parsed, err := uuid.Parse(caseStr)
+		if err != nil {
+			writeError(w, http.StatusBadRequest, "invalid case_id")
+			return
+		}
+		caseID = &parsed
+	}
+
+	invoices, err := h.svc.List(r.Context(), tenantID, caseID, r.URL.Query().Get("status"))
+	if err != nil {
+		internalError(w, "failed to list invoices", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{"invoices": invoices})
+}
+
+// Get handles GET /api/invoices/{id}
+func (h *InvoiceHandler) Get(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	invoiceID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid invoice ID")
+		return
+	}
+
+	inv, err := h.svc.GetByID(r.Context(), tenantID, invoiceID)
+	if err != nil {
+		internalError(w, "failed to get invoice", err)
+		return
+	}
+	if inv == nil {
+		writeError(w, http.StatusNotFound, "invoice not found")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, inv)
+}
+
+// Create handles POST /api/invoices
+func (h *InvoiceHandler) Create(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+	userID, _ := auth.UserFromContext(r.Context())
+
+	var input services.CreateInvoiceInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+
+	if input.ClientName == "" {
+		writeError(w, http.StatusBadRequest, "client_name is required")
+		return
+	}
+	if input.CaseID == uuid.Nil {
+		writeError(w, http.StatusBadRequest, "case_id is required")
+		return
+	}
+
+	inv, err := h.svc.Create(r.Context(), tenantID, userID, input)
+	if err != nil {
+		internalError(w, "failed to create invoice", err)
+		return
+	}
+
+	writeJSON(w, http.StatusCreated, inv)
+}
+
+// Update handles PUT /api/invoices/{id}
+func (h *InvoiceHandler) Update(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	invoiceID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid invoice ID")
+		return
+	}
+
+	var input services.UpdateInvoiceInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+
+	inv, err := h.svc.Update(r.Context(), tenantID, invoiceID, input)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, inv)
+}
+
+// UpdateStatus handles PATCH /api/invoices/{id}/status
+func (h *InvoiceHandler) UpdateStatus(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	invoiceID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid invoice ID")
+		return
+	}
+
+	var body struct {
+		Status string `json:"status"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+	if body.Status == "" {
+		writeError(w, http.StatusBadRequest, "status is required")
+		return
+	}
+
+	inv, err := h.svc.UpdateStatus(r.Context(), tenantID, invoiceID, body.Status)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, inv)
+}

backend/internal/handlers/notifications.go

@@ -0,0 +1,171 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+
+	"github.com/jmoiron/sqlx"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+)
+
+// NotificationHandler handles notification API endpoints.
+type NotificationHandler struct {
+	svc *services.NotificationService
+	db  *sqlx.DB
+}
+
+// NewNotificationHandler creates a new notification handler.
+func NewNotificationHandler(svc *services.NotificationService, db *sqlx.DB) *NotificationHandler {
+	return &NotificationHandler{svc: svc, db: db}
+}
+
+// List returns paginated notifications for the authenticated user.
+func (h *NotificationHandler) List(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
+	offset, _ := strconv.Atoi(r.URL.Query().Get("offset"))
+
+	notifications, total, err := h.svc.ListForUser(r.Context(), tenantID, userID, limit, offset)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to list notifications")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{
+		"data":  notifications,
+		"total": total,
+	})
+}
+
+// UnreadCount returns the count of unread notifications.
+func (h *NotificationHandler) UnreadCount(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	count, err := h.svc.UnreadCount(r.Context(), tenantID, userID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to count notifications")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]int{"unread_count": count})
+}
+
+// MarkRead marks a single notification as read.
+func (h *NotificationHandler) MarkRead(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	notifID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid notification ID")
+		return
+	}
+
+	if err := h.svc.MarkRead(r.Context(), tenantID, userID, notifID); err != nil {
+		writeError(w, http.StatusNotFound, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
+}
+
+// MarkAllRead marks all notifications as read.
+func (h *NotificationHandler) MarkAllRead(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	if err := h.svc.MarkAllRead(r.Context(), tenantID, userID); err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to mark all read")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
+}
+
+// GetPreferences returns notification preferences for the authenticated user.
+func (h *NotificationHandler) GetPreferences(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	pref, err := h.svc.GetPreferences(r.Context(), tenantID, userID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to get preferences")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, pref)
+}
+
+// UpdatePreferences updates notification preferences for the authenticated user.
+func (h *NotificationHandler) UpdatePreferences(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	var input services.UpdatePreferencesInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid request body")
+		return
+	}
+
+	pref, err := h.svc.UpdatePreferences(r.Context(), tenantID, userID, input)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to update preferences")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, pref)
+}

backend/internal/handlers/tenant_handler.go

@@ -130,15 +130,15 @@ func (h *TenantHandler) InviteUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Only owners and admins can invite
+	// Only owners and partners can invite
 	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
 	if err != nil {
 		slog.Error("failed to get user role", "error", err)
 		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
-	if role != "owner" && role != "admin" {
+	if role != "owner" && role != "partner" {
-		jsonError(w, "only owners and admins can invite users", http.StatusForbidden)
+		jsonError(w, "only owners and partners can invite users", http.StatusForbidden)
 		return
 	}
 
@@ -155,10 +155,15 @@ func (h *TenantHandler) InviteUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if req.Role == "" {
-		req.Role = "member"
+		req.Role = "associate"
 	}
-	if req.Role != "member" && req.Role != "admin" {
+	if !auth.IsValidRole(req.Role) {
-		jsonError(w, "role must be member or admin", http.StatusBadRequest)
+		jsonError(w, "invalid role", http.StatusBadRequest)
+		return
+	}
+	// Non-owners cannot invite as owner
+	if role != "owner" && req.Role == "owner" {
+		jsonError(w, "only owners can invite as owner", http.StatusForbidden)
 		return
 	}
 
@@ -192,14 +197,14 @@ func (h *TenantHandler) RemoveMember(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Only owners and admins can remove members (or user removing themselves)
+	// Only owners and partners can remove members (or user removing themselves)
 	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
 	if err != nil {
 		slog.Error("failed to get user role", "error", err)
 		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
-	if role != "owner" && role != "admin" && userID != memberID {
+	if role != "owner" && role != "partner" && userID != memberID {
 		jsonError(w, "insufficient permissions", http.StatusForbidden)
 		return
 	}
@@ -227,15 +232,15 @@ func (h *TenantHandler) UpdateSettings(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Only owners and admins can update settings
+	// Only owners and partners can update settings
 	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
 	if err != nil {
 		slog.Error("failed to get user role", "error", err)
 		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
-	if role != "owner" && role != "admin" {
+	if role != "owner" && role != "partner" {
-		jsonError(w, "only owners and admins can update settings", http.StatusForbidden)
+		jsonError(w, "only owners and partners can update settings", http.StatusForbidden)
 		return
 	}
 
@@ -294,6 +299,85 @@ func (h *TenantHandler) ListMembers(w http.ResponseWriter, r *http.Request) {
 	jsonResponse(w, members, http.StatusOK)
 }
 
+// UpdateMemberRole handles PUT /api/tenants/{id}/members/{uid}/role
+func (h *TenantHandler) UpdateMemberRole(w http.ResponseWriter, r *http.Request) {
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	tenantID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		jsonError(w, "invalid tenant ID", http.StatusBadRequest)
+		return
+	}
+
+	memberID, err := uuid.Parse(r.PathValue("uid"))
+	if err != nil {
+		jsonError(w, "invalid member ID", http.StatusBadRequest)
+		return
+	}
+
+	// Only owners and partners can change roles
+	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
+	if err != nil {
+		jsonError(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	if role != "owner" && role != "partner" {
+		jsonError(w, "only owners and partners can change roles", http.StatusForbidden)
+		return
+	}
+
+	var req struct {
+		Role string `json:"role"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		jsonError(w, "invalid request body", http.StatusBadRequest)
+		return
+	}
+	if !auth.IsValidRole(req.Role) {
+		jsonError(w, "invalid role", http.StatusBadRequest)
+		return
+	}
+
+	// Non-owners cannot promote to owner
+	if role != "owner" && req.Role == "owner" {
+		jsonError(w, "only owners can promote to owner", http.StatusForbidden)
+		return
+	}
+
+	if err := h.svc.UpdateMemberRole(r.Context(), tenantID, memberID, req.Role); err != nil {
+		jsonError(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	jsonResponse(w, map[string]string{"status": "updated"}, http.StatusOK)
+}
+
+// GetMe handles GET /api/me — returns the current user's ID and role in the active tenant.
+func (h *TenantHandler) GetMe(w http.ResponseWriter, r *http.Request) {
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	role := auth.UserRoleFromContext(r.Context())
+	tenantID, _ := auth.TenantFromContext(r.Context())
+
+	// Get user's permissions for frontend UI
+	perms := auth.GetRolePermissions(role)
+
+	jsonResponse(w, map[string]any{
+		"user_id":     userID,
+		"tenant_id":   tenantID,
+		"role":        role,
+		"permissions": perms,
+	}, http.StatusOK)
+}
+
 func jsonResponse(w http.ResponseWriter, data interface{}, status int) {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(status)

backend/internal/handlers/time_entries.go

@@ -0,0 +1,209 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+
+	"github.com/google/uuid"
+)
+
+type TimeEntryHandler struct {
+	svc *services.TimeEntryService
+}
+
+func NewTimeEntryHandler(svc *services.TimeEntryService) *TimeEntryHandler {
+	return &TimeEntryHandler{svc: svc}
+}
+
+// ListForCase handles GET /api/cases/{id}/time-entries
+func (h *TimeEntryHandler) ListForCase(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	caseID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid case ID")
+		return
+	}
+
+	entries, err := h.svc.ListForCase(r.Context(), tenantID, caseID)
+	if err != nil {
+		internalError(w, "failed to list time entries", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{"time_entries": entries})
+}
+
+// List handles GET /api/time-entries?case_id=&user_id=&from=&to=
+func (h *TimeEntryHandler) List(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
+	offset, _ := strconv.Atoi(r.URL.Query().Get("offset"))
+	limit, offset = clampPagination(limit, offset)
+
+	filter := services.TimeEntryFilter{
+		From:   r.URL.Query().Get("from"),
+		To:     r.URL.Query().Get("to"),
+		Limit:  limit,
+		Offset: offset,
+	}
+
+	if caseStr := r.URL.Query().Get("case_id"); caseStr != "" {
+		caseID, err := uuid.Parse(caseStr)
+		if err != nil {
+			writeError(w, http.StatusBadRequest, "invalid case_id")
+			return
+		}
+		filter.CaseID = &caseID
+	}
+	if userStr := r.URL.Query().Get("user_id"); userStr != "" {
+		userID, err := uuid.Parse(userStr)
+		if err != nil {
+			writeError(w, http.StatusBadRequest, "invalid user_id")
+			return
+		}
+		filter.UserID = &userID
+	}
+
+	entries, total, err := h.svc.List(r.Context(), tenantID, filter)
+	if err != nil {
+		internalError(w, "failed to list time entries", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{
+		"time_entries": entries,
+		"total":        total,
+	})
+}
+
+// Create handles POST /api/cases/{id}/time-entries
+func (h *TimeEntryHandler) Create(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+	userID, _ := auth.UserFromContext(r.Context())
+
+	caseID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid case ID")
+		return
+	}
+
+	var input services.CreateTimeEntryInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+	input.CaseID = caseID
+
+	if input.Description == "" {
+		writeError(w, http.StatusBadRequest, "description is required")
+		return
+	}
+	if input.DurationMinutes <= 0 {
+		writeError(w, http.StatusBadRequest, "duration_minutes must be positive")
+		return
+	}
+	if input.Date == "" {
+		writeError(w, http.StatusBadRequest, "date is required")
+		return
+	}
+
+	entry, err := h.svc.Create(r.Context(), tenantID, userID, input)
+	if err != nil {
+		internalError(w, "failed to create time entry", err)
+		return
+	}
+
+	writeJSON(w, http.StatusCreated, entry)
+}
+
+// Update handles PUT /api/time-entries/{id}
+func (h *TimeEntryHandler) Update(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	entryID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid time entry ID")
+		return
+	}
+
+	var input services.UpdateTimeEntryInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+
+	entry, err := h.svc.Update(r.Context(), tenantID, entryID, input)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, entry)
+}
+
+// Delete handles DELETE /api/time-entries/{id}
+func (h *TimeEntryHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	entryID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid time entry ID")
+		return
+	}
+
+	if err := h.svc.Delete(r.Context(), tenantID, entryID); err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]string{"status": "deleted"})
+}
+
+// Summary handles GET /api/time-entries/summary?group_by=case|user|month&from=&to=
+func (h *TimeEntryHandler) Summary(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	groupBy := r.URL.Query().Get("group_by")
+	if groupBy == "" {
+		groupBy = "case"
+	}
+
+	summaries, err := h.svc.Summary(r.Context(), tenantID, groupBy,
+		r.URL.Query().Get("from"), r.URL.Query().Get("to"))
+	if err != nil {
+		internalError(w, "failed to get summary", err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{"summary": summaries})
+}

backend/internal/integration_test.go

@@ -46,7 +46,7 @@ func testServer(t *testing.T) (http.Handler, func()) {
 	}
 
 	authMW := auth.NewMiddleware(jwtSecret, database)
-	handler := router.New(database, authMW, cfg, nil)
+	handler := router.New(database, authMW, cfg, nil, nil)
 
 	return handler, func() { database.Close() }
 }

backend/internal/models/audit_log.go

@@ -0,0 +1,22 @@
+package models
+
+import (
+	"encoding/json"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type AuditLog struct {
+	ID         int64            `db:"id" json:"id"`
+	TenantID   uuid.UUID        `db:"tenant_id" json:"tenant_id"`
+	UserID     *uuid.UUID       `db:"user_id" json:"user_id,omitempty"`
+	Action     string           `db:"action" json:"action"`
+	EntityType string           `db:"entity_type" json:"entity_type"`
+	EntityID   *uuid.UUID       `db:"entity_id" json:"entity_id,omitempty"`
+	OldValues  *json.RawMessage `db:"old_values" json:"old_values,omitempty"`
+	NewValues  *json.RawMessage `db:"new_values" json:"new_values,omitempty"`
+	IPAddress  *string          `db:"ip_address" json:"ip_address,omitempty"`
+	UserAgent  *string          `db:"user_agent" json:"user_agent,omitempty"`
+	CreatedAt  time.Time        `db:"created_at" json:"created_at"`
+}

backend/internal/models/billing_rate.go

@@ -0,0 +1,18 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type BillingRate struct {
+	ID        uuid.UUID  `db:"id" json:"id"`
+	TenantID  uuid.UUID  `db:"tenant_id" json:"tenant_id"`
+	UserID    *uuid.UUID `db:"user_id" json:"user_id,omitempty"`
+	Rate      float64    `db:"rate" json:"rate"`
+	Currency  string     `db:"currency" json:"currency"`
+	ValidFrom string     `db:"valid_from" json:"valid_from"`
+	ValidTo   *string    `db:"valid_to" json:"valid_to,omitempty"`
+	CreatedAt time.Time  `db:"created_at" json:"created_at"`
+}

backend/internal/models/case_assignment.go

@@ -0,0 +1,15 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type CaseAssignment struct {
+	ID         uuid.UUID `db:"id" json:"id"`
+	CaseID     uuid.UUID `db:"case_id" json:"case_id"`
+	UserID     uuid.UUID `db:"user_id" json:"user_id"`
+	Role       string    `db:"role" json:"role"`
+	AssignedAt time.Time `db:"assigned_at" json:"assigned_at"`
+}

backend/internal/models/invoice.go

@@ -0,0 +1,38 @@
+package models
+
+import (
+	"encoding/json"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type Invoice struct {
+	ID            uuid.UUID       `db:"id" json:"id"`
+	TenantID      uuid.UUID       `db:"tenant_id" json:"tenant_id"`
+	CaseID        uuid.UUID       `db:"case_id" json:"case_id"`
+	InvoiceNumber string          `db:"invoice_number" json:"invoice_number"`
+	ClientName    string          `db:"client_name" json:"client_name"`
+	ClientAddress *string         `db:"client_address" json:"client_address,omitempty"`
+	Items         json.RawMessage `db:"items" json:"items"`
+	Subtotal      float64         `db:"subtotal" json:"subtotal"`
+	TaxRate       float64         `db:"tax_rate" json:"tax_rate"`
+	TaxAmount     float64         `db:"tax_amount" json:"tax_amount"`
+	Total         float64         `db:"total" json:"total"`
+	Status        string          `db:"status" json:"status"`
+	IssuedAt      *string         `db:"issued_at" json:"issued_at,omitempty"`
+	DueAt         *string         `db:"due_at" json:"due_at,omitempty"`
+	PaidAt        *time.Time      `db:"paid_at" json:"paid_at,omitempty"`
+	Notes         *string         `db:"notes" json:"notes,omitempty"`
+	CreatedBy     uuid.UUID       `db:"created_by" json:"created_by"`
+	CreatedAt     time.Time       `db:"created_at" json:"created_at"`
+	UpdatedAt     time.Time       `db:"updated_at" json:"updated_at"`
+}
+
+type InvoiceItem struct {
+	Description     string  `json:"description"`
+	DurationMinutes int     `json:"duration_minutes,omitempty"`
+	HourlyRate      float64 `json:"hourly_rate,omitempty"`
+	Amount          float64 `json:"amount"`
+	TimeEntryID     *string `json:"time_entry_id,omitempty"`
+}

backend/internal/models/notification.go

@@ -0,0 +1,32 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/lib/pq"
+)
+
+type Notification struct {
+	ID         uuid.UUID  `db:"id" json:"id"`
+	TenantID   uuid.UUID  `db:"tenant_id" json:"tenant_id"`
+	UserID     uuid.UUID  `db:"user_id" json:"user_id"`
+	Type       string     `db:"type" json:"type"`
+	EntityType *string    `db:"entity_type" json:"entity_type,omitempty"`
+	EntityID   *uuid.UUID `db:"entity_id" json:"entity_id,omitempty"`
+	Title      string     `db:"title" json:"title"`
+	Body       *string    `db:"body" json:"body,omitempty"`
+	SentAt     *time.Time `db:"sent_at" json:"sent_at,omitempty"`
+	ReadAt     *time.Time `db:"read_at" json:"read_at,omitempty"`
+	CreatedAt  time.Time  `db:"created_at" json:"created_at"`
+}
+
+type NotificationPreferences struct {
+	UserID              uuid.UUID     `db:"user_id" json:"user_id"`
+	TenantID            uuid.UUID     `db:"tenant_id" json:"tenant_id"`
+	DeadlineReminderDays pq.Int64Array `db:"deadline_reminder_days" json:"deadline_reminder_days"`
+	EmailEnabled        bool          `db:"email_enabled" json:"email_enabled"`
+	DailyDigest         bool          `db:"daily_digest" json:"daily_digest"`
+	CreatedAt           time.Time     `db:"created_at" json:"created_at"`
+	UpdatedAt           time.Time     `db:"updated_at" json:"updated_at"`
+}

backend/internal/models/time_entry.go

@@ -0,0 +1,24 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type TimeEntry struct {
+	ID              uuid.UUID  `db:"id" json:"id"`
+	TenantID        uuid.UUID  `db:"tenant_id" json:"tenant_id"`
+	CaseID          uuid.UUID  `db:"case_id" json:"case_id"`
+	UserID          uuid.UUID  `db:"user_id" json:"user_id"`
+	Date            string     `db:"date" json:"date"`
+	DurationMinutes int        `db:"duration_minutes" json:"duration_minutes"`
+	Description     string     `db:"description" json:"description"`
+	Activity        *string    `db:"activity" json:"activity,omitempty"`
+	Billable        bool       `db:"billable" json:"billable"`
+	Billed          bool       `db:"billed" json:"billed"`
+	InvoiceID       *uuid.UUID `db:"invoice_id" json:"invoice_id,omitempty"`
+	HourlyRate      *float64   `db:"hourly_rate" json:"hourly_rate,omitempty"`
+	CreatedAt       time.Time  `db:"created_at" json:"created_at"`
+	UpdatedAt       time.Time  `db:"updated_at" json:"updated_at"`
+}

backend/internal/router/router.go

@@ -15,20 +15,25 @@ import (
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
 )
 
-func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *services.CalDAVService) http.Handler {
+func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *services.CalDAVService, notifSvc *services.NotificationService) http.Handler {
 	mux := http.NewServeMux()
 
 	// Services
-	tenantSvc := services.NewTenantService(db)
+	auditSvc := services.NewAuditService(db)
-	caseSvc := services.NewCaseService(db)
+	tenantSvc := services.NewTenantService(db, auditSvc)
-	partySvc := services.NewPartyService(db)
+	caseSvc := services.NewCaseService(db, auditSvc)
-	appointmentSvc := services.NewAppointmentService(db)
+	partySvc := services.NewPartyService(db, auditSvc)
+	appointmentSvc := services.NewAppointmentService(db, auditSvc)
 	holidaySvc := services.NewHolidayService(db)
-	deadlineSvc := services.NewDeadlineService(db)
+	deadlineSvc := services.NewDeadlineService(db, auditSvc)
 	deadlineRuleSvc := services.NewDeadlineRuleService(db)
 	calculator := services.NewDeadlineCalculator(holidaySvc)
 	storageCli := services.NewStorageClient(cfg.SupabaseURL, cfg.SupabaseServiceKey)
-	documentSvc := services.NewDocumentService(db, storageCli)
+	documentSvc := services.NewDocumentService(db, storageCli, auditSvc)
+	assignmentSvc := services.NewCaseAssignmentService(db)
+	timeEntrySvc := services.NewTimeEntryService(db, auditSvc)
+	billingRateSvc := services.NewBillingRateService(db, auditSvc)
+	invoiceSvc := services.NewInvoiceService(db, auditSvc)
 
 	// AI service (optional — only if API key is configured)
 	var aiH *handlers.AIHandler
@@ -40,10 +45,17 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	// Middleware
 	tenantResolver := auth.NewTenantResolver(tenantSvc)
 
-	noteSvc := services.NewNoteService(db)
+	noteSvc := services.NewNoteService(db, auditSvc)
 	dashboardSvc := services.NewDashboardService(db)
 
+	// Notification handler (optional — nil in tests)
+	var notifH *handlers.NotificationHandler
+	if notifSvc != nil {
+		notifH = handlers.NewNotificationHandler(notifSvc, db)
+	}
+
 	// Handlers
+	auditH := handlers.NewAuditLogHandler(auditSvc)
 	tenantH := handlers.NewTenantHandler(tenantSvc)
 	caseH := handlers.NewCaseHandler(caseSvc)
 	partyH := handlers.NewPartyHandler(partySvc)
@@ -55,6 +67,10 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	noteH := handlers.NewNoteHandler(noteSvc)
 	eventH := handlers.NewCaseEventHandler(db)
 	docH := handlers.NewDocumentHandler(documentSvc)
+	assignmentH := handlers.NewCaseAssignmentHandler(assignmentSvc)
+	timeEntryH := handlers.NewTimeEntryHandler(timeEntrySvc)
+	billingRateH := handlers.NewBillingRateHandler(billingRateSvc)
+	invoiceH := handlers.NewInvoiceHandler(invoiceSvc)
 
 	// Public routes
 	mux.HandleFunc("GET /health", handleHealth(db))
@@ -70,62 +86,88 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	api.HandleFunc("POST /api/tenants/{id}/invite", tenantH.InviteUser)
 	api.HandleFunc("DELETE /api/tenants/{id}/members/{uid}", tenantH.RemoveMember)
 	api.HandleFunc("GET /api/tenants/{id}/members", tenantH.ListMembers)
+	api.HandleFunc("PUT /api/tenants/{id}/members/{uid}/role", tenantH.UpdateMemberRole)
+
+	// Permission-wrapping helper: wraps a HandlerFunc with a permission check
+	perm := func(p auth.Permission, fn http.HandlerFunc) http.HandlerFunc {
+		return func(w http.ResponseWriter, r *http.Request) {
+			role := auth.UserRoleFromContext(r.Context())
+			if !auth.HasPermission(role, p) {
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusForbidden)
+				w.Write([]byte(`{"error":"insufficient permissions"}`))
+				return
+			}
+			fn(w, r)
+		}
+	}
 
 	// Tenant-scoped routes (require tenant context)
 	scoped := http.NewServeMux()
 
-	// Cases
+	// Current user info (role, permissions) — all authenticated users
+	scoped.HandleFunc("GET /api/me", tenantH.GetMe)
+
+	// Cases — all can view, create needs PermCreateCase, archive needs PermCreateCase
 	scoped.HandleFunc("GET /api/cases", caseH.List)
-	scoped.HandleFunc("POST /api/cases", caseH.Create)
+	scoped.HandleFunc("POST /api/cases", perm(auth.PermCreateCase, caseH.Create))
 	scoped.HandleFunc("GET /api/cases/{id}", caseH.Get)
 	scoped.HandleFunc("PUT /api/cases/{id}", caseH.Update)
-	scoped.HandleFunc("DELETE /api/cases/{id}", caseH.Delete)
+	scoped.HandleFunc("DELETE /api/cases/{id}", perm(auth.PermCreateCase, caseH.Delete))
 
-	// Parties
+	// Parties — same access as case editing
 	scoped.HandleFunc("GET /api/cases/{id}/parties", partyH.List)
 	scoped.HandleFunc("POST /api/cases/{id}/parties", partyH.Create)
 	scoped.HandleFunc("PUT /api/parties/{partyId}", partyH.Update)
 	scoped.HandleFunc("DELETE /api/parties/{partyId}", partyH.Delete)
 
-	// Deadlines
+	// Deadlines — manage needs PermManageDeadlines, view is open
 	scoped.HandleFunc("GET /api/deadlines/{deadlineID}", deadlineH.Get)
 	scoped.HandleFunc("GET /api/deadlines", deadlineH.ListAll)
 	scoped.HandleFunc("GET /api/cases/{caseID}/deadlines", deadlineH.ListForCase)
-	scoped.HandleFunc("POST /api/cases/{caseID}/deadlines", deadlineH.Create)
+	scoped.HandleFunc("POST /api/cases/{caseID}/deadlines", perm(auth.PermManageDeadlines, deadlineH.Create))
-	scoped.HandleFunc("PUT /api/deadlines/{deadlineID}", deadlineH.Update)
+	scoped.HandleFunc("PUT /api/deadlines/{deadlineID}", perm(auth.PermManageDeadlines, deadlineH.Update))
-	scoped.HandleFunc("PATCH /api/deadlines/{deadlineID}/complete", deadlineH.Complete)
+	scoped.HandleFunc("PATCH /api/deadlines/{deadlineID}/complete", perm(auth.PermManageDeadlines, deadlineH.Complete))
-	scoped.HandleFunc("DELETE /api/deadlines/{deadlineID}", deadlineH.Delete)
+	scoped.HandleFunc("DELETE /api/deadlines/{deadlineID}", perm(auth.PermManageDeadlines, deadlineH.Delete))
 
-	// Deadline rules (reference data)
+	// Deadline rules (reference data) — all can read
 	scoped.HandleFunc("GET /api/deadline-rules", ruleH.List)
 	scoped.HandleFunc("GET /api/deadline-rules/{type}", ruleH.GetRuleTree)
 	scoped.HandleFunc("GET /api/proceeding-types", ruleH.ListProceedingTypes)
 
-	// Deadline calculator
+	// Deadline calculator — all can use
 	scoped.HandleFunc("POST /api/deadlines/calculate", calcH.Calculate)
 
-	// Appointments
+	// Appointments — all can manage (PermManageAppointments granted to all)
 	scoped.HandleFunc("GET /api/appointments/{id}", apptH.Get)
 	scoped.HandleFunc("GET /api/appointments", apptH.List)
-	scoped.HandleFunc("POST /api/appointments", apptH.Create)
+	scoped.HandleFunc("POST /api/appointments", perm(auth.PermManageAppointments, apptH.Create))
-	scoped.HandleFunc("PUT /api/appointments/{id}", apptH.Update)
+	scoped.HandleFunc("PUT /api/appointments/{id}", perm(auth.PermManageAppointments, apptH.Update))
-	scoped.HandleFunc("DELETE /api/appointments/{id}", apptH.Delete)
+	scoped.HandleFunc("DELETE /api/appointments/{id}", perm(auth.PermManageAppointments, apptH.Delete))
 
-	// Case events
+	// Case assignments — manage team required for assign/unassign
+	scoped.HandleFunc("GET /api/cases/{id}/assignments", assignmentH.List)
+	scoped.HandleFunc("POST /api/cases/{id}/assignments", perm(auth.PermManageTeam, assignmentH.Assign))
+	scoped.HandleFunc("DELETE /api/cases/{id}/assignments/{uid}", perm(auth.PermManageTeam, assignmentH.Unassign))
+
+	// Case events — all can view
 	scoped.HandleFunc("GET /api/case-events/{id}", eventH.Get)
 
-	// Notes
+	// Notes — all can manage
 	scoped.HandleFunc("GET /api/notes", noteH.List)
 	scoped.HandleFunc("POST /api/notes", noteH.Create)
 	scoped.HandleFunc("PUT /api/notes/{id}", noteH.Update)
 	scoped.HandleFunc("DELETE /api/notes/{id}", noteH.Delete)
 
-	// Dashboard
+	// Dashboard — all can view
 	scoped.HandleFunc("GET /api/dashboard", dashboardH.Get)
 
-	// Documents
+	// Audit log — view requires PermViewAuditLog
+	scoped.HandleFunc("GET /api/audit-log", perm(auth.PermViewAuditLog, auditH.List))
+
+	// Documents — all can upload, delete checked in handler (own vs all)
 	scoped.HandleFunc("GET /api/cases/{id}/documents", docH.ListByCase)
-	scoped.HandleFunc("POST /api/cases/{id}/documents", docH.Upload)
+	scoped.HandleFunc("POST /api/cases/{id}/documents", perm(auth.PermUploadDocuments, docH.Upload))
 	scoped.HandleFunc("GET /api/documents/{docId}", docH.Download)
 	scoped.HandleFunc("GET /api/documents/{docId}/meta", docH.GetMeta)
 	scoped.HandleFunc("DELETE /api/documents/{docId}", docH.Delete)
@@ -133,17 +175,46 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	// AI endpoints (rate limited: 5 req/min burst 10 per IP)
 	if aiH != nil {
 		aiLimiter := middleware.NewTokenBucket(5.0/60.0, 10)
-		scoped.HandleFunc("POST /api/ai/extract-deadlines", aiLimiter.LimitFunc(aiH.ExtractDeadlines))
+		scoped.HandleFunc("POST /api/ai/extract-deadlines", perm(auth.PermAIExtraction, aiLimiter.LimitFunc(aiH.ExtractDeadlines)))
-		scoped.HandleFunc("POST /api/ai/summarize-case", aiLimiter.LimitFunc(aiH.SummarizeCase))
+		scoped.HandleFunc("POST /api/ai/summarize-case", perm(auth.PermAIExtraction, aiLimiter.LimitFunc(aiH.SummarizeCase)))
 	}
 
-	// CalDAV sync endpoints
+	// Notifications
+	if notifH != nil {
+		scoped.HandleFunc("GET /api/notifications", notifH.List)
+		scoped.HandleFunc("GET /api/notifications/unread-count", notifH.UnreadCount)
+		scoped.HandleFunc("PATCH /api/notifications/{id}/read", notifH.MarkRead)
+		scoped.HandleFunc("PATCH /api/notifications/read-all", notifH.MarkAllRead)
+		scoped.HandleFunc("GET /api/notification-preferences", notifH.GetPreferences)
+		scoped.HandleFunc("PUT /api/notification-preferences", notifH.UpdatePreferences)
+	}
+
+	// CalDAV sync endpoints — settings permission required
 	if calDAVSvc != nil {
 		calDAVH := handlers.NewCalDAVHandler(calDAVSvc)
-		scoped.HandleFunc("POST /api/caldav/sync", calDAVH.TriggerSync)
+		scoped.HandleFunc("POST /api/caldav/sync", perm(auth.PermManageSettings, calDAVH.TriggerSync))
 		scoped.HandleFunc("GET /api/caldav/status", calDAVH.GetStatus)
 	}
 
+	// Time entries — billing permission for create/update/delete
+	scoped.HandleFunc("GET /api/cases/{id}/time-entries", timeEntryH.ListForCase)
+	scoped.HandleFunc("POST /api/cases/{id}/time-entries", perm(auth.PermManageBilling, timeEntryH.Create))
+	scoped.HandleFunc("GET /api/time-entries", timeEntryH.List)
+	scoped.HandleFunc("GET /api/time-entries/summary", perm(auth.PermManageBilling, timeEntryH.Summary))
+	scoped.HandleFunc("PUT /api/time-entries/{id}", perm(auth.PermManageBilling, timeEntryH.Update))
+	scoped.HandleFunc("DELETE /api/time-entries/{id}", perm(auth.PermManageBilling, timeEntryH.Delete))
+
+	// Billing rates — billing permission required
+	scoped.HandleFunc("GET /api/billing-rates", perm(auth.PermManageBilling, billingRateH.List))
+	scoped.HandleFunc("PUT /api/billing-rates", perm(auth.PermManageBilling, billingRateH.Upsert))
+
+	// Invoices — billing permission required
+	scoped.HandleFunc("GET /api/invoices", perm(auth.PermManageBilling, invoiceH.List))
+	scoped.HandleFunc("POST /api/invoices", perm(auth.PermManageBilling, invoiceH.Create))
+	scoped.HandleFunc("GET /api/invoices/{id}", perm(auth.PermManageBilling, invoiceH.Get))
+	scoped.HandleFunc("PUT /api/invoices/{id}", perm(auth.PermManageBilling, invoiceH.Update))
+	scoped.HandleFunc("PATCH /api/invoices/{id}/status", perm(auth.PermManageBilling, invoiceH.UpdateStatus))
+
 	// Wire: auth -> tenant routes go directly, scoped routes get tenant resolver
 	api.Handle("/api/", tenantResolver.Resolve(scoped))
 

backend/internal/services/appointment_service.go

@@ -12,11 +12,12 @@ import (
 )
 
 type AppointmentService struct {
-	db *sqlx.DB
+	db    *sqlx.DB
+	audit *AuditService
 }
 
-func NewAppointmentService(db *sqlx.DB) *AppointmentService {
+func NewAppointmentService(db *sqlx.DB, audit *AuditService) *AppointmentService {
-	return &AppointmentService{db: db}
+	return &AppointmentService{db: db, audit: audit}
 }
 
 type AppointmentFilter struct {
@@ -86,6 +87,7 @@ func (s *AppointmentService) Create(ctx context.Context, a *models.Appointment)
 	if err != nil {
 		return fmt.Errorf("creating appointment: %w", err)
 	}
+	s.audit.Log(ctx, "create", "appointment", &a.ID, nil, a)
 	return nil
 }
 
@@ -116,6 +118,7 @@ func (s *AppointmentService) Update(ctx context.Context, a *models.Appointment)
 	if rows == 0 {
 		return fmt.Errorf("appointment not found")
 	}
+	s.audit.Log(ctx, "update", "appointment", &a.ID, nil, a)
 	return nil
 }
 
@@ -131,5 +134,6 @@ func (s *AppointmentService) Delete(ctx context.Context, tenantID, id uuid.UUID)
 	if rows == 0 {
 		return fmt.Errorf("appointment not found")
 	}
+	s.audit.Log(ctx, "delete", "appointment", &id, nil, nil)
 	return nil
 }

backend/internal/services/audit_service.go

@@ -0,0 +1,141 @@
+package services
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
+)
+
+type AuditService struct {
+	db *sqlx.DB
+}
+
+func NewAuditService(db *sqlx.DB) *AuditService {
+	return &AuditService{db: db}
+}
+
+// Log records an audit entry. It extracts tenant, user, IP, and user-agent from context.
+// Errors are logged but not returned — audit logging must not break business operations.
+func (s *AuditService) Log(ctx context.Context, action, entityType string, entityID *uuid.UUID, oldValues, newValues any) {
+	tenantID, ok := auth.TenantFromContext(ctx)
+	if !ok {
+		slog.Warn("audit: missing tenant_id in context", "action", action, "entity_type", entityType)
+		return
+	}
+
+	var userID *uuid.UUID
+	if uid, ok := auth.UserFromContext(ctx); ok {
+		userID = &uid
+	}
+
+	var oldJSON, newJSON *json.RawMessage
+	if oldValues != nil {
+		if b, err := json.Marshal(oldValues); err == nil {
+			raw := json.RawMessage(b)
+			oldJSON = &raw
+		}
+	}
+	if newValues != nil {
+		if b, err := json.Marshal(newValues); err == nil {
+			raw := json.RawMessage(b)
+			newJSON = &raw
+		}
+	}
+
+	ip := auth.IPFromContext(ctx)
+	ua := auth.UserAgentFromContext(ctx)
+
+	_, err := s.db.ExecContext(ctx,
+		`INSERT INTO audit_log (tenant_id, user_id, action, entity_type, entity_id, old_values, new_values, ip_address, user_agent)
+		 VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)`,
+		tenantID, userID, action, entityType, entityID, oldJSON, newJSON, ip, ua)
+	if err != nil {
+		slog.Error("audit: failed to write log entry",
+			"error", err,
+			"action", action,
+			"entity_type", entityType,
+			"entity_id", entityID,
+		)
+	}
+}
+
+// AuditFilter holds query parameters for listing audit log entries.
+type AuditFilter struct {
+	EntityType string
+	EntityID   *uuid.UUID
+	UserID     *uuid.UUID
+	From       string // RFC3339 date
+	To         string // RFC3339 date
+	Page       int
+	Limit      int
+}
+
+// List returns paginated audit log entries for a tenant.
+func (s *AuditService) List(ctx context.Context, tenantID uuid.UUID, filter AuditFilter) ([]models.AuditLog, int, error) {
+	if filter.Limit <= 0 {
+		filter.Limit = 50
+	}
+	if filter.Limit > 200 {
+		filter.Limit = 200
+	}
+	if filter.Page <= 0 {
+		filter.Page = 1
+	}
+	offset := (filter.Page - 1) * filter.Limit
+
+	where := "WHERE tenant_id = $1"
+	args := []any{tenantID}
+	argIdx := 2
+
+	if filter.EntityType != "" {
+		where += fmt.Sprintf(" AND entity_type = $%d", argIdx)
+		args = append(args, filter.EntityType)
+		argIdx++
+	}
+	if filter.EntityID != nil {
+		where += fmt.Sprintf(" AND entity_id = $%d", argIdx)
+		args = append(args, *filter.EntityID)
+		argIdx++
+	}
+	if filter.UserID != nil {
+		where += fmt.Sprintf(" AND user_id = $%d", argIdx)
+		args = append(args, *filter.UserID)
+		argIdx++
+	}
+	if filter.From != "" {
+		where += fmt.Sprintf(" AND created_at >= $%d", argIdx)
+		args = append(args, filter.From)
+		argIdx++
+	}
+	if filter.To != "" {
+		where += fmt.Sprintf(" AND created_at <= $%d", argIdx)
+		args = append(args, filter.To)
+		argIdx++
+	}
+
+	var total int
+	if err := s.db.GetContext(ctx, &total, "SELECT COUNT(*) FROM audit_log "+where, args...); err != nil {
+		return nil, 0, fmt.Errorf("counting audit entries: %w", err)
+	}
+
+	query := fmt.Sprintf("SELECT * FROM audit_log %s ORDER BY created_at DESC LIMIT $%d OFFSET $%d",
+		where, argIdx, argIdx+1)
+	args = append(args, filter.Limit, offset)
+
+	var entries []models.AuditLog
+	if err := s.db.SelectContext(ctx, &entries, query, args...); err != nil {
+		return nil, 0, fmt.Errorf("listing audit entries: %w", err)
+	}
+	if entries == nil {
+		entries = []models.AuditLog{}
+	}
+
+	return entries, total, nil
+}

backend/internal/services/billing_rate_service.go

@@ -0,0 +1,88 @@
+package services
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
+)
+
+type BillingRateService struct {
+	db    *sqlx.DB
+	audit *AuditService
+}
+
+func NewBillingRateService(db *sqlx.DB, audit *AuditService) *BillingRateService {
+	return &BillingRateService{db: db, audit: audit}
+}
+
+type UpsertBillingRateInput struct {
+	UserID    *uuid.UUID `json:"user_id,omitempty"`
+	Rate      float64    `json:"rate"`
+	Currency  string     `json:"currency"`
+	ValidFrom string     `json:"valid_from"`
+	ValidTo   *string    `json:"valid_to,omitempty"`
+}
+
+func (s *BillingRateService) List(ctx context.Context, tenantID uuid.UUID) ([]models.BillingRate, error) {
+	var rates []models.BillingRate
+	err := s.db.SelectContext(ctx, &rates,
+		`SELECT id, tenant_id, user_id, rate, currency, valid_from, valid_to, created_at
+		 FROM billing_rates
+		 WHERE tenant_id = $1
+		 ORDER BY valid_from DESC, user_id NULLS LAST`,
+		tenantID)
+	if err != nil {
+		return nil, fmt.Errorf("list billing rates: %w", err)
+	}
+	return rates, nil
+}
+
+func (s *BillingRateService) Upsert(ctx context.Context, tenantID uuid.UUID, input UpsertBillingRateInput) (*models.BillingRate, error) {
+	if input.Currency == "" {
+		input.Currency = "EUR"
+	}
+
+	// Close any existing open-ended rate for this user
+	_, err := s.db.ExecContext(ctx,
+		`UPDATE billing_rates SET valid_to = $3
+		 WHERE tenant_id = $1
+		 AND (($2::uuid IS NULL AND user_id IS NULL) OR user_id = $2)
+		 AND valid_to IS NULL
+		 AND valid_from < $3`,
+		tenantID, input.UserID, input.ValidFrom)
+	if err != nil {
+		return nil, fmt.Errorf("close existing rate: %w", err)
+	}
+
+	var rate models.BillingRate
+	err = s.db.QueryRowxContext(ctx,
+		`INSERT INTO billing_rates (tenant_id, user_id, rate, currency, valid_from, valid_to)
+		 VALUES ($1, $2, $3, $4, $5, $6)
+		 RETURNING id, tenant_id, user_id, rate, currency, valid_from, valid_to, created_at`,
+		tenantID, input.UserID, input.Rate, input.Currency, input.ValidFrom, input.ValidTo,
+	).StructScan(&rate)
+	if err != nil {
+		return nil, fmt.Errorf("upsert billing rate: %w", err)
+	}
+
+	s.audit.Log(ctx, "create", "billing_rate", &rate.ID, nil, rate)
+	return &rate, nil
+}
+
+func (s *BillingRateService) GetCurrentRate(ctx context.Context, tenantID uuid.UUID, userID uuid.UUID, date string) (*float64, error) {
+	var rate float64
+	err := s.db.GetContext(ctx, &rate,
+		`SELECT rate FROM billing_rates
+		 WHERE tenant_id = $1 AND (user_id = $2 OR user_id IS NULL)
+		 AND valid_from <= $3 AND (valid_to IS NULL OR valid_to >= $3)
+		 ORDER BY user_id NULLS LAST LIMIT 1`,
+		tenantID, userID, date)
+	if err != nil {
+		return nil, err
+	}
+	return &rate, nil
+}

backend/internal/services/case_assignment_service.go

@@ -0,0 +1,92 @@
+package services
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
+)
+
+type CaseAssignmentService struct {
+	db *sqlx.DB
+}
+
+func NewCaseAssignmentService(db *sqlx.DB) *CaseAssignmentService {
+	return &CaseAssignmentService{db: db}
+}
+
+// ListByCase returns all assignments for a case.
+func (s *CaseAssignmentService) ListByCase(ctx context.Context, tenantID, caseID uuid.UUID) ([]models.CaseAssignment, error) {
+	var assignments []models.CaseAssignment
+	err := s.db.SelectContext(ctx, &assignments,
+		`SELECT ca.id, ca.case_id, ca.user_id, ca.role, ca.assigned_at
+		 FROM case_assignments ca
+		 JOIN cases c ON c.id = ca.case_id
+		 WHERE ca.case_id = $1 AND c.tenant_id = $2
+		 ORDER BY ca.assigned_at`,
+		caseID, tenantID)
+	if err != nil {
+		return nil, fmt.Errorf("list case assignments: %w", err)
+	}
+	return assignments, nil
+}
+
+// Assign adds a user to a case with the given role.
+func (s *CaseAssignmentService) Assign(ctx context.Context, tenantID, caseID, userID uuid.UUID, role string) (*models.CaseAssignment, error) {
+	// Verify user is a member of this tenant
+	var memberExists bool
+	err := s.db.GetContext(ctx, &memberExists,
+		`SELECT EXISTS(SELECT 1 FROM user_tenants WHERE user_id = $1 AND tenant_id = $2)`,
+		userID, tenantID)
+	if err != nil {
+		return nil, fmt.Errorf("check membership: %w", err)
+	}
+	if !memberExists {
+		return nil, fmt.Errorf("user is not a member of this tenant")
+	}
+
+	// Verify case belongs to tenant
+	var caseExists bool
+	err = s.db.GetContext(ctx, &caseExists,
+		`SELECT EXISTS(SELECT 1 FROM cases WHERE id = $1 AND tenant_id = $2)`,
+		caseID, tenantID)
+	if err != nil {
+		return nil, fmt.Errorf("check case: %w", err)
+	}
+	if !caseExists {
+		return nil, fmt.Errorf("case not found")
+	}
+
+	var assignment models.CaseAssignment
+	err = s.db.QueryRowxContext(ctx,
+		`INSERT INTO case_assignments (case_id, user_id, role)
+		 VALUES ($1, $2, $3)
+		 ON CONFLICT (case_id, user_id) DO UPDATE SET role = EXCLUDED.role
+		 RETURNING id, case_id, user_id, role, assigned_at`,
+		caseID, userID, role,
+	).StructScan(&assignment)
+	if err != nil {
+		return nil, fmt.Errorf("assign user to case: %w", err)
+	}
+	return &assignment, nil
+}
+
+// Unassign removes a user from a case.
+func (s *CaseAssignmentService) Unassign(ctx context.Context, tenantID, caseID, userID uuid.UUID) error {
+	result, err := s.db.ExecContext(ctx,
+		`DELETE FROM case_assignments ca
+		 USING cases c
+		 WHERE ca.case_id = c.id AND ca.case_id = $1 AND ca.user_id = $2 AND c.tenant_id = $3`,
+		caseID, userID, tenantID)
+	if err != nil {
+		return fmt.Errorf("unassign: %w", err)
+	}
+	rows, _ := result.RowsAffected()
+	if rows == 0 {
+		return fmt.Errorf("assignment not found")
+	}
+	return nil
+}

backend/internal/services/case_service.go

@@ -13,11 +13,12 @@ import (
 )
 
 type CaseService struct {
-	db *sqlx.DB
+	db    *sqlx.DB
+	audit *AuditService
 }
 
-func NewCaseService(db *sqlx.DB) *CaseService {
+func NewCaseService(db *sqlx.DB, audit *AuditService) *CaseService {
-	return &CaseService{db: db}
+	return &CaseService{db: db, audit: audit}
 }
 
 type CaseFilter struct {
@@ -162,6 +163,9 @@ func (s *CaseService) Create(ctx context.Context, tenantID uuid.UUID, userID uui
 	if err := s.db.GetContext(ctx, &c, "SELECT * FROM cases WHERE id = $1", id); err != nil {
 		return nil, fmt.Errorf("fetching created case: %w", err)
 	}
+
+	s.audit.Log(ctx, "create", "case", &id, nil, c)
+
 	return &c, nil
 }
 
@@ -239,6 +243,9 @@ func (s *CaseService) Update(ctx context.Context, tenantID, caseID uuid.UUID, us
 	if err := s.db.GetContext(ctx, &updated, "SELECT * FROM cases WHERE id = $1", caseID); err != nil {
 		return nil, fmt.Errorf("fetching updated case: %w", err)
 	}
+
+	s.audit.Log(ctx, "update", "case", &caseID, current, updated)
+
 	return &updated, nil
 }
 
@@ -254,6 +261,7 @@ func (s *CaseService) Delete(ctx context.Context, tenantID, caseID uuid.UUID, us
 		return sql.ErrNoRows
 	}
 	createEvent(ctx, s.db, tenantID, caseID, userID, "case_archived", "Case archived", nil)
+	s.audit.Log(ctx, "delete", "case", &caseID, map[string]string{"status": "active"}, map[string]string{"status": "archived"})
 	return nil
 }
 

backend/internal/services/deadline_service.go

@@ -1,6 +1,7 @@
 package services
 
 import (
+	"context"
 	"database/sql"
 	"fmt"
 	"time"
@@ -13,12 +14,13 @@ import (
 
 // DeadlineService handles CRUD operations for case deadlines
 type DeadlineService struct {
-	db *sqlx.DB
+	db    *sqlx.DB
+	audit *AuditService
 }
 
 // NewDeadlineService creates a new deadline service
-func NewDeadlineService(db *sqlx.DB) *DeadlineService {
+func NewDeadlineService(db *sqlx.DB, audit *AuditService) *DeadlineService {
-	return &DeadlineService{db: db}
+	return &DeadlineService{db: db, audit: audit}
 }
 
 // ListAll returns all deadlines for a tenant, ordered by due_date
@@ -87,7 +89,7 @@ type CreateDeadlineInput struct {
 }
 
 // Create inserts a new deadline
-func (s *DeadlineService) Create(tenantID uuid.UUID, input CreateDeadlineInput) (*models.Deadline, error) {
+func (s *DeadlineService) Create(ctx context.Context, tenantID uuid.UUID, input CreateDeadlineInput) (*models.Deadline, error) {
 	id := uuid.New()
 	source := input.Source
 	if source == "" {
@@ -108,6 +110,7 @@ func (s *DeadlineService) Create(tenantID uuid.UUID, input CreateDeadlineInput)
 	if err != nil {
 		return nil, fmt.Errorf("creating deadline: %w", err)
 	}
+	s.audit.Log(ctx, "create", "deadline", &id, nil, d)
 	return &d, nil
 }
 
@@ -123,7 +126,7 @@ type UpdateDeadlineInput struct {
 }
 
 // Update modifies an existing deadline
-func (s *DeadlineService) Update(tenantID, deadlineID uuid.UUID, input UpdateDeadlineInput) (*models.Deadline, error) {
+func (s *DeadlineService) Update(ctx context.Context, tenantID, deadlineID uuid.UUID, input UpdateDeadlineInput) (*models.Deadline, error) {
 	// First check it exists and belongs to tenant
 	existing, err := s.GetByID(tenantID, deadlineID)
 	if err != nil {
@@ -154,11 +157,12 @@ func (s *DeadlineService) Update(tenantID, deadlineID uuid.UUID, input UpdateDea
 	if err != nil {
 		return nil, fmt.Errorf("updating deadline: %w", err)
 	}
+	s.audit.Log(ctx, "update", "deadline", &deadlineID, existing, d)
 	return &d, nil
 }
 
 // Complete marks a deadline as completed
-func (s *DeadlineService) Complete(tenantID, deadlineID uuid.UUID) (*models.Deadline, error) {
+func (s *DeadlineService) Complete(ctx context.Context, tenantID, deadlineID uuid.UUID) (*models.Deadline, error) {
 	query := `UPDATE deadlines SET
 	            status = 'completed',
 	            completed_at = $1,
@@ -176,11 +180,12 @@ func (s *DeadlineService) Complete(tenantID, deadlineID uuid.UUID) (*models.Dead
 		}
 		return nil, fmt.Errorf("completing deadline: %w", err)
 	}
+	s.audit.Log(ctx, "update", "deadline", &deadlineID, map[string]string{"status": "pending"}, map[string]string{"status": "completed"})
 	return &d, nil
 }
 
 // Delete removes a deadline
-func (s *DeadlineService) Delete(tenantID, deadlineID uuid.UUID) error {
+func (s *DeadlineService) Delete(ctx context.Context, tenantID, deadlineID uuid.UUID) error {
 	query := `DELETE FROM deadlines WHERE id = $1 AND tenant_id = $2`
 	result, err := s.db.Exec(query, deadlineID, tenantID)
 	if err != nil {
@@ -193,5 +198,6 @@ func (s *DeadlineService) Delete(tenantID, deadlineID uuid.UUID) error {
 	if rows == 0 {
 		return fmt.Errorf("deadline not found")
 	}
+	s.audit.Log(ctx, "delete", "deadline", &deadlineID, nil, nil)
 	return nil
 }

backend/internal/services/document_service.go

@@ -18,10 +18,11 @@ const documentBucket = "kanzlai-documents"
 type DocumentService struct {
 	db      *sqlx.DB
 	storage *StorageClient
+	audit   *AuditService
 }
 
-func NewDocumentService(db *sqlx.DB, storage *StorageClient) *DocumentService {
+func NewDocumentService(db *sqlx.DB, storage *StorageClient, audit *AuditService) *DocumentService {
-	return &DocumentService{db: db, storage: storage}
+	return &DocumentService{db: db, storage: storage, audit: audit}
 }
 
 type CreateDocumentInput struct {
@@ -97,6 +98,7 @@ func (s *DocumentService) Create(ctx context.Context, tenantID, caseID, userID u
 	if err := s.db.GetContext(ctx, &doc, "SELECT * FROM documents WHERE id = $1", id); err != nil {
 		return nil, fmt.Errorf("fetching created document: %w", err)
 	}
+	s.audit.Log(ctx, "create", "document", &id, nil, doc)
 	return &doc, nil
 }
 
@@ -151,6 +153,7 @@ func (s *DocumentService) Delete(ctx context.Context, tenantID, docID, userID uu
 	// Log case event
 	createEvent(ctx, s.db, tenantID, doc.CaseID, userID, "document_deleted",
 		fmt.Sprintf("Document deleted: %s", doc.Title), nil)
+	s.audit.Log(ctx, "delete", "document", &docID, doc, nil)
 
 	return nil
 }

backend/internal/services/invoice_service.go

@@ -0,0 +1,292 @@
+package services
+
+import (
+	"context"
+	"database/sql"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
+)
+
+type InvoiceService struct {
+	db    *sqlx.DB
+	audit *AuditService
+}
+
+func NewInvoiceService(db *sqlx.DB, audit *AuditService) *InvoiceService {
+	return &InvoiceService{db: db, audit: audit}
+}
+
+type CreateInvoiceInput struct {
+	CaseID        uuid.UUID             `json:"case_id"`
+	ClientName    string                `json:"client_name"`
+	ClientAddress *string               `json:"client_address,omitempty"`
+	Items         []models.InvoiceItem  `json:"items"`
+	TaxRate       *float64              `json:"tax_rate,omitempty"`
+	IssuedAt      *string               `json:"issued_at,omitempty"`
+	DueAt         *string               `json:"due_at,omitempty"`
+	Notes         *string               `json:"notes,omitempty"`
+	TimeEntryIDs  []uuid.UUID           `json:"time_entry_ids,omitempty"`
+}
+
+type UpdateInvoiceInput struct {
+	ClientName    *string               `json:"client_name,omitempty"`
+	ClientAddress *string               `json:"client_address,omitempty"`
+	Items         []models.InvoiceItem  `json:"items,omitempty"`
+	TaxRate       *float64              `json:"tax_rate,omitempty"`
+	IssuedAt      *string               `json:"issued_at,omitempty"`
+	DueAt         *string               `json:"due_at,omitempty"`
+	Notes         *string               `json:"notes,omitempty"`
+}
+
+const invoiceCols = `id, tenant_id, case_id, invoice_number, client_name, client_address,
+	items, subtotal, tax_rate, tax_amount, total, status, issued_at, due_at, paid_at, notes,
+	created_by, created_at, updated_at`
+
+func (s *InvoiceService) List(ctx context.Context, tenantID uuid.UUID, caseID *uuid.UUID, status string) ([]models.Invoice, error) {
+	where := "WHERE tenant_id = $1"
+	args := []any{tenantID}
+	argIdx := 2
+
+	if caseID != nil {
+		where += fmt.Sprintf(" AND case_id = $%d", argIdx)
+		args = append(args, *caseID)
+		argIdx++
+	}
+	if status != "" {
+		where += fmt.Sprintf(" AND status = $%d", argIdx)
+		args = append(args, status)
+		argIdx++
+	}
+
+	var invoices []models.Invoice
+	err := s.db.SelectContext(ctx, &invoices,
+		fmt.Sprintf("SELECT %s FROM invoices %s ORDER BY created_at DESC", invoiceCols, where),
+		args...)
+	if err != nil {
+		return nil, fmt.Errorf("list invoices: %w", err)
+	}
+	return invoices, nil
+}
+
+func (s *InvoiceService) GetByID(ctx context.Context, tenantID, invoiceID uuid.UUID) (*models.Invoice, error) {
+	var inv models.Invoice
+	err := s.db.GetContext(ctx, &inv,
+		`SELECT `+invoiceCols+` FROM invoices WHERE tenant_id = $1 AND id = $2`,
+		tenantID, invoiceID)
+	if err == sql.ErrNoRows {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, fmt.Errorf("get invoice: %w", err)
+	}
+	return &inv, nil
+}
+
+func (s *InvoiceService) Create(ctx context.Context, tenantID, userID uuid.UUID, input CreateInvoiceInput) (*models.Invoice, error) {
+	tx, err := s.db.BeginTxx(ctx, nil)
+	if err != nil {
+		return nil, fmt.Errorf("begin tx: %w", err)
+	}
+	defer tx.Rollback()
+
+	// Generate invoice number: RE-YYYY-NNN
+	year := time.Now().Year()
+	var seq int
+	err = tx.GetContext(ctx, &seq,
+		`SELECT COUNT(*) + 1 FROM invoices WHERE tenant_id = $1 AND invoice_number LIKE $2`,
+		tenantID, fmt.Sprintf("RE-%d-%%", year))
+	if err != nil {
+		return nil, fmt.Errorf("generate invoice number: %w", err)
+	}
+	invoiceNumber := fmt.Sprintf("RE-%d-%03d", year, seq)
+
+	// Calculate totals
+	taxRate := 19.00
+	if input.TaxRate != nil {
+		taxRate = *input.TaxRate
+	}
+
+	var subtotal float64
+	for _, item := range input.Items {
+		subtotal += item.Amount
+	}
+	taxAmount := subtotal * taxRate / 100
+	total := subtotal + taxAmount
+
+	itemsJSON, err := json.Marshal(input.Items)
+	if err != nil {
+		return nil, fmt.Errorf("marshal items: %w", err)
+	}
+
+	var inv models.Invoice
+	err = tx.QueryRowxContext(ctx,
+		`INSERT INTO invoices (tenant_id, case_id, invoice_number, client_name, client_address,
+			items, subtotal, tax_rate, tax_amount, total, issued_at, due_at, notes, created_by)
+		 VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14)
+		 RETURNING `+invoiceCols,
+		tenantID, input.CaseID, invoiceNumber, input.ClientName, input.ClientAddress,
+		itemsJSON, subtotal, taxRate, taxAmount, total, input.IssuedAt, input.DueAt, input.Notes, userID,
+	).StructScan(&inv)
+	if err != nil {
+		return nil, fmt.Errorf("create invoice: %w", err)
+	}
+
+	// Mark linked time entries as billed
+	if len(input.TimeEntryIDs) > 0 {
+		query, args, err := sqlx.In(
+			`UPDATE time_entries SET billed = true, invoice_id = ? WHERE tenant_id = ? AND id IN (?)`,
+			inv.ID, tenantID, input.TimeEntryIDs)
+		if err != nil {
+			return nil, fmt.Errorf("build time entry update: %w", err)
+		}
+		query = tx.Rebind(query)
+		_, err = tx.ExecContext(ctx, query, args...)
+		if err != nil {
+			return nil, fmt.Errorf("mark time entries billed: %w", err)
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return nil, fmt.Errorf("commit: %w", err)
+	}
+
+	s.audit.Log(ctx, "create", "invoice", &inv.ID, nil, inv)
+	return &inv, nil
+}
+
+func (s *InvoiceService) Update(ctx context.Context, tenantID, invoiceID uuid.UUID, input UpdateInvoiceInput) (*models.Invoice, error) {
+	old, err := s.GetByID(ctx, tenantID, invoiceID)
+	if err != nil {
+		return nil, err
+	}
+	if old == nil {
+		return nil, fmt.Errorf("invoice not found")
+	}
+	if old.Status != "draft" {
+		return nil, fmt.Errorf("can only update draft invoices")
+	}
+
+	// Recalculate totals if items changed
+	var itemsJSON json.RawMessage
+	var subtotal float64
+	taxRate := old.TaxRate
+
+	if input.Items != nil {
+		for _, item := range input.Items {
+			subtotal += item.Amount
+		}
+		itemsJSON, _ = json.Marshal(input.Items)
+	}
+	if input.TaxRate != nil {
+		taxRate = *input.TaxRate
+	}
+
+	if input.Items != nil {
+		taxAmount := subtotal * taxRate / 100
+		total := subtotal + taxAmount
+
+		var inv models.Invoice
+		err = s.db.QueryRowxContext(ctx,
+			`UPDATE invoices SET
+				client_name = COALESCE($3, client_name),
+				client_address = COALESCE($4, client_address),
+				items = $5,
+				subtotal = $6,
+				tax_rate = $7,
+				tax_amount = $8,
+				total = $9,
+				issued_at = COALESCE($10, issued_at),
+				due_at = COALESCE($11, due_at),
+				notes = COALESCE($12, notes),
+				updated_at = now()
+			 WHERE tenant_id = $1 AND id = $2
+			 RETURNING `+invoiceCols,
+			tenantID, invoiceID, input.ClientName, input.ClientAddress,
+			itemsJSON, subtotal, taxRate, subtotal*taxRate/100, total,
+			input.IssuedAt, input.DueAt, input.Notes,
+		).StructScan(&inv)
+		if err != nil {
+			return nil, fmt.Errorf("update invoice: %w", err)
+		}
+		s.audit.Log(ctx, "update", "invoice", &inv.ID, old, inv)
+		return &inv, nil
+	}
+
+	// Update without changing items
+	var inv models.Invoice
+	err = s.db.QueryRowxContext(ctx,
+		`UPDATE invoices SET
+			client_name = COALESCE($3, client_name),
+			client_address = COALESCE($4, client_address),
+			tax_rate = COALESCE($5, tax_rate),
+			issued_at = COALESCE($6, issued_at),
+			due_at = COALESCE($7, due_at),
+			notes = COALESCE($8, notes),
+			updated_at = now()
+		 WHERE tenant_id = $1 AND id = $2
+		 RETURNING `+invoiceCols,
+		tenantID, invoiceID, input.ClientName, input.ClientAddress,
+		input.TaxRate, input.IssuedAt, input.DueAt, input.Notes,
+	).StructScan(&inv)
+	if err != nil {
+		return nil, fmt.Errorf("update invoice: %w", err)
+	}
+
+	s.audit.Log(ctx, "update", "invoice", &inv.ID, old, inv)
+	return &inv, nil
+}
+
+func (s *InvoiceService) UpdateStatus(ctx context.Context, tenantID, invoiceID uuid.UUID, newStatus string) (*models.Invoice, error) {
+	old, err := s.GetByID(ctx, tenantID, invoiceID)
+	if err != nil {
+		return nil, err
+	}
+	if old == nil {
+		return nil, fmt.Errorf("invoice not found")
+	}
+
+	// Validate transitions
+	validTransitions := map[string][]string{
+		"draft":     {"sent", "cancelled"},
+		"sent":      {"paid", "cancelled"},
+		"paid":      {},
+		"cancelled": {},
+	}
+	allowed := validTransitions[old.Status]
+	valid := false
+	for _, s := range allowed {
+		if s == newStatus {
+			valid = true
+			break
+		}
+	}
+	if !valid {
+		return nil, fmt.Errorf("invalid status transition from %s to %s", old.Status, newStatus)
+	}
+
+	var paidAt *time.Time
+	if newStatus == "paid" {
+		now := time.Now()
+		paidAt = &now
+	}
+
+	var inv models.Invoice
+	err = s.db.QueryRowxContext(ctx,
+		`UPDATE invoices SET status = $3, paid_at = COALESCE($4, paid_at), updated_at = now()
+		 WHERE tenant_id = $1 AND id = $2
+		 RETURNING `+invoiceCols,
+		tenantID, invoiceID, newStatus, paidAt,
+	).StructScan(&inv)
+	if err != nil {
+		return nil, fmt.Errorf("update invoice status: %w", err)
+	}
+
+	s.audit.Log(ctx, "update", "invoice", &inv.ID, old, inv)
+	return &inv, nil
+}

backend/internal/services/note_service.go

@@ -13,11 +13,12 @@ import (
 )
 
 type NoteService struct {
-	db *sqlx.DB
+	db    *sqlx.DB
+	audit *AuditService
 }
 
-func NewNoteService(db *sqlx.DB) *NoteService {
+func NewNoteService(db *sqlx.DB, audit *AuditService) *NoteService {
-	return &NoteService{db: db}
+	return &NoteService{db: db, audit: audit}
 }
 
 // ListByParent returns all notes for a given parent entity, scoped to tenant.
@@ -68,6 +69,7 @@ func (s *NoteService) Create(ctx context.Context, tenantID uuid.UUID, createdBy
 	if err != nil {
 		return nil, fmt.Errorf("creating note: %w", err)
 	}
+	s.audit.Log(ctx, "create", "note", &id, nil, n)
 	return &n, nil
 }
 
@@ -85,6 +87,7 @@ func (s *NoteService) Update(ctx context.Context, tenantID, noteID uuid.UUID, co
 		}
 		return nil, fmt.Errorf("updating note: %w", err)
 	}
+	s.audit.Log(ctx, "update", "note", &noteID, nil, n)
 	return &n, nil
 }
 
@@ -101,6 +104,7 @@ func (s *NoteService) Delete(ctx context.Context, tenantID, noteID uuid.UUID) er
 	if rows == 0 {
 		return fmt.Errorf("note not found")
 	}
+	s.audit.Log(ctx, "delete", "note", &noteID, nil, nil)
 	return nil
 }
 

backend/internal/services/notification_service.go

@@ -0,0 +1,501 @@
+package services
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os/exec"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+	"github.com/lib/pq"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
+)
+
+// NotificationService handles notification CRUD, deadline reminders, and email sending.
+type NotificationService struct {
+	db     *sqlx.DB
+	stopCh chan struct{}
+	wg     sync.WaitGroup
+}
+
+// NewNotificationService creates a new notification service.
+func NewNotificationService(db *sqlx.DB) *NotificationService {
+	return &NotificationService{
+		db:     db,
+		stopCh: make(chan struct{}),
+	}
+}
+
+// Start launches the background reminder checker (every hour) and daily digest (8am).
+func (s *NotificationService) Start() {
+	s.wg.Add(1)
+	go s.backgroundLoop()
+}
+
+// Stop gracefully shuts down background workers.
+func (s *NotificationService) Stop() {
+	close(s.stopCh)
+	s.wg.Wait()
+}
+
+func (s *NotificationService) backgroundLoop() {
+	defer s.wg.Done()
+
+	// Check reminders on startup
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+	s.CheckDeadlineReminders(ctx)
+	cancel()
+
+	reminderTicker := time.NewTicker(1 * time.Hour)
+	defer reminderTicker.Stop()
+
+	// Digest ticker: check every 15 minutes, send at 8am
+	digestTicker := time.NewTicker(15 * time.Minute)
+	defer digestTicker.Stop()
+
+	var lastDigestDate string
+
+	for {
+		select {
+		case <-s.stopCh:
+			return
+		case <-reminderTicker.C:
+			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+			s.CheckDeadlineReminders(ctx)
+			cancel()
+		case now := <-digestTicker.C:
+			today := now.Format("2006-01-02")
+			hour := now.Hour()
+			if hour >= 8 && lastDigestDate != today {
+				lastDigestDate = today
+				ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
+				s.SendDailyDigests(ctx)
+				cancel()
+			}
+		}
+	}
+}
+
+// CheckDeadlineReminders finds deadlines due in N days matching user preferences and creates notifications.
+func (s *NotificationService) CheckDeadlineReminders(ctx context.Context) {
+	slog.Info("checking deadline reminders")
+
+	// Get all user preferences with email enabled
+	var prefs []models.NotificationPreferences
+	err := s.db.SelectContext(ctx, &prefs,
+		`SELECT user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at
+		 FROM notification_preferences`)
+	if err != nil {
+		slog.Error("failed to load notification preferences", "error", err)
+		return
+	}
+
+	if len(prefs) == 0 {
+		return
+	}
+
+	// Collect all unique reminder day values across all users
+	daySet := make(map[int64]bool)
+	for _, p := range prefs {
+		for _, d := range p.DeadlineReminderDays {
+			daySet[d] = true
+		}
+	}
+	if len(daySet) == 0 {
+		return
+	}
+
+	// Build array of target dates
+	today := time.Now().Truncate(24 * time.Hour)
+	var targetDates []string
+	dayToDate := make(map[string]int64)
+	for d := range daySet {
+		target := today.AddDate(0, 0, int(d))
+		dateStr := target.Format("2006-01-02")
+		targetDates = append(targetDates, dateStr)
+		dayToDate[dateStr] = d
+	}
+
+	// Also check overdue deadlines
+	todayStr := today.Format("2006-01-02")
+
+	// Find pending deadlines matching target dates
+	type deadlineRow struct {
+		models.Deadline
+		CaseTitle  string `db:"case_title"`
+		CaseNumber string `db:"case_number"`
+	}
+
+	// Reminder deadlines (due in N days)
+	var reminderDeadlines []deadlineRow
+	query, args, err := sqlx.In(
+		`SELECT d.*, c.title AS case_title, c.case_number
+		 FROM deadlines d
+		 JOIN cases c ON c.id = d.case_id
+		 WHERE d.status = 'pending' AND d.due_date IN (?)`,
+		targetDates)
+	if err == nil {
+		query = s.db.Rebind(query)
+		err = s.db.SelectContext(ctx, &reminderDeadlines, query, args...)
+	}
+	if err != nil {
+		slog.Error("failed to query reminder deadlines", "error", err)
+	}
+
+	// Overdue deadlines
+	var overdueDeadlines []deadlineRow
+	err = s.db.SelectContext(ctx, &overdueDeadlines,
+		`SELECT d.*, c.title AS case_title, c.case_number
+		 FROM deadlines d
+		 JOIN cases c ON c.id = d.case_id
+		 WHERE d.status = 'pending' AND d.due_date < $1`, todayStr)
+	if err != nil {
+		slog.Error("failed to query overdue deadlines", "error", err)
+	}
+
+	// Create notifications for each user based on their tenant and preferences
+	for _, pref := range prefs {
+		// Reminder notifications
+		for _, dl := range reminderDeadlines {
+			if dl.TenantID != pref.TenantID {
+				continue
+			}
+			daysUntil := dayToDate[dl.DueDate]
+			// Check if this user cares about this many days
+			if !containsDay(pref.DeadlineReminderDays, daysUntil) {
+				continue
+			}
+
+			title := fmt.Sprintf("Frist in %d Tagen: %s", daysUntil, dl.Title)
+			body := fmt.Sprintf("Akte %s — %s\nFällig am %s", dl.CaseNumber, dl.CaseTitle, dl.DueDate)
+			entityType := "deadline"
+
+			s.CreateNotification(ctx, CreateNotificationInput{
+				TenantID:   pref.TenantID,
+				UserID:     pref.UserID,
+				Type:       "deadline_reminder",
+				EntityType: &entityType,
+				EntityID:   &dl.ID,
+				Title:      title,
+				Body:       &body,
+				SendEmail:  pref.EmailEnabled && !pref.DailyDigest,
+			})
+		}
+
+		// Overdue notifications
+		for _, dl := range overdueDeadlines {
+			if dl.TenantID != pref.TenantID {
+				continue
+			}
+
+			title := fmt.Sprintf("Frist überfällig: %s", dl.Title)
+			body := fmt.Sprintf("Akte %s — %s\nFällig seit %s", dl.CaseNumber, dl.CaseTitle, dl.DueDate)
+			entityType := "deadline"
+
+			s.CreateNotification(ctx, CreateNotificationInput{
+				TenantID:   pref.TenantID,
+				UserID:     pref.UserID,
+				Type:       "deadline_overdue",
+				EntityType: &entityType,
+				EntityID:   &dl.ID,
+				Title:      title,
+				Body:       &body,
+				SendEmail:  pref.EmailEnabled && !pref.DailyDigest,
+			})
+		}
+	}
+}
+
+// SendDailyDigests compiles pending notifications into one email per user.
+func (s *NotificationService) SendDailyDigests(ctx context.Context) {
+	slog.Info("sending daily digests")
+
+	// Find users with daily_digest enabled
+	var prefs []models.NotificationPreferences
+	err := s.db.SelectContext(ctx, &prefs,
+		`SELECT user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at
+		 FROM notification_preferences
+		 WHERE daily_digest = true AND email_enabled = true`)
+	if err != nil {
+		slog.Error("failed to load digest preferences", "error", err)
+		return
+	}
+
+	for _, pref := range prefs {
+		// Get unsent notifications for this user from the last 24 hours
+		var notifications []models.Notification
+		err := s.db.SelectContext(ctx, &notifications,
+			`SELECT id, tenant_id, user_id, type, entity_type, entity_id, title, body, sent_at, read_at, created_at
+			 FROM notifications
+			 WHERE user_id = $1 AND tenant_id = $2 AND sent_at IS NULL
+			   AND created_at > now() - interval '24 hours'
+			 ORDER BY created_at DESC`,
+			pref.UserID, pref.TenantID)
+		if err != nil {
+			slog.Error("failed to load unsent notifications", "error", err, "user_id", pref.UserID)
+			continue
+		}
+
+		if len(notifications) == 0 {
+			continue
+		}
+
+		// Get user email
+		email := s.getUserEmail(ctx, pref.UserID)
+		if email == "" {
+			continue
+		}
+
+		// Build digest
+		var lines []string
+		lines = append(lines, fmt.Sprintf("Guten Morgen! Hier ist Ihre Tagesübersicht mit %d Benachrichtigungen:\n", len(notifications)))
+		for _, n := range notifications {
+			body := ""
+			if n.Body != nil {
+				body = " — " + *n.Body
+			}
+			lines = append(lines, fmt.Sprintf("• %s%s", n.Title, body))
+		}
+		lines = append(lines, "\n---\nKanzlAI Kanzleimanagement")
+
+		subject := fmt.Sprintf("KanzlAI Tagesübersicht — %d Benachrichtigungen", len(notifications))
+		bodyText := strings.Join(lines, "\n")
+
+		if err := SendEmail(email, subject, bodyText); err != nil {
+			slog.Error("failed to send digest email", "error", err, "user_id", pref.UserID)
+			continue
+		}
+
+		// Mark all as sent
+		ids := make([]uuid.UUID, len(notifications))
+		for i, n := range notifications {
+			ids[i] = n.ID
+		}
+		query, args, err := sqlx.In(
+			`UPDATE notifications SET sent_at = now() WHERE id IN (?)`, ids)
+		if err == nil {
+			query = s.db.Rebind(query)
+			_, err = s.db.ExecContext(ctx, query, args...)
+		}
+		if err != nil {
+			slog.Error("failed to mark digest notifications sent", "error", err)
+		}
+
+		slog.Info("sent daily digest", "user_id", pref.UserID, "count", len(notifications))
+	}
+}
+
+// CreateNotificationInput holds the data for creating a notification.
+type CreateNotificationInput struct {
+	TenantID   uuid.UUID
+	UserID     uuid.UUID
+	Type       string
+	EntityType *string
+	EntityID   *uuid.UUID
+	Title      string
+	Body       *string
+	SendEmail  bool
+}
+
+// CreateNotification stores a notification in the DB and optionally sends an email.
+func (s *NotificationService) CreateNotification(ctx context.Context, input CreateNotificationInput) (*models.Notification, error) {
+	// Dedup: check if we already sent this notification today
+	if input.EntityID != nil {
+		var count int
+		err := s.db.GetContext(ctx, &count,
+			`SELECT COUNT(*) FROM notifications
+			 WHERE user_id = $1 AND entity_id = $2 AND type = $3
+			   AND created_at::date = CURRENT_DATE`,
+			input.UserID, input.EntityID, input.Type)
+		if err == nil && count > 0 {
+			return nil, nil // Already notified today
+		}
+	}
+
+	var n models.Notification
+	err := s.db.QueryRowxContext(ctx,
+		`INSERT INTO notifications (tenant_id, user_id, type, entity_type, entity_id, title, body)
+		 VALUES ($1, $2, $3, $4, $5, $6, $7)
+		 RETURNING id, tenant_id, user_id, type, entity_type, entity_id, title, body, sent_at, read_at, created_at`,
+		input.TenantID, input.UserID, input.Type, input.EntityType, input.EntityID,
+		input.Title, input.Body).StructScan(&n)
+	if err != nil {
+		slog.Error("failed to create notification", "error", err)
+		return nil, fmt.Errorf("create notification: %w", err)
+	}
+
+	// Send email immediately if requested (non-digest users)
+	if input.SendEmail {
+		email := s.getUserEmail(ctx, input.UserID)
+		if email != "" {
+			go func() {
+				if err := SendEmail(email, input.Title, derefStr(input.Body)); err != nil {
+					slog.Error("failed to send notification email", "error", err, "user_id", input.UserID)
+				} else {
+					// Mark as sent
+					_, _ = s.db.Exec(`UPDATE notifications SET sent_at = now() WHERE id = $1`, n.ID)
+				}
+			}()
+		}
+	}
+
+	return &n, nil
+}
+
+// ListForUser returns notifications for a user in a tenant, paginated.
+func (s *NotificationService) ListForUser(ctx context.Context, tenantID, userID uuid.UUID, limit, offset int) ([]models.Notification, int, error) {
+	if limit <= 0 {
+		limit = 50
+	}
+	if limit > 200 {
+		limit = 200
+	}
+
+	var total int
+	err := s.db.GetContext(ctx, &total,
+		`SELECT COUNT(*) FROM notifications WHERE user_id = $1 AND tenant_id = $2`,
+		userID, tenantID)
+	if err != nil {
+		return nil, 0, fmt.Errorf("count notifications: %w", err)
+	}
+
+	var notifications []models.Notification
+	err = s.db.SelectContext(ctx, &notifications,
+		`SELECT id, tenant_id, user_id, type, entity_type, entity_id, title, body, sent_at, read_at, created_at
+		 FROM notifications
+		 WHERE user_id = $1 AND tenant_id = $2
+		 ORDER BY created_at DESC
+		 LIMIT $3 OFFSET $4`,
+		userID, tenantID, limit, offset)
+	if err != nil {
+		return nil, 0, fmt.Errorf("list notifications: %w", err)
+	}
+
+	return notifications, total, nil
+}
+
+// UnreadCount returns the number of unread notifications for a user.
+func (s *NotificationService) UnreadCount(ctx context.Context, tenantID, userID uuid.UUID) (int, error) {
+	var count int
+	err := s.db.GetContext(ctx, &count,
+		`SELECT COUNT(*) FROM notifications WHERE user_id = $1 AND tenant_id = $2 AND read_at IS NULL`,
+		userID, tenantID)
+	return count, err
+}
+
+// MarkRead marks a single notification as read.
+func (s *NotificationService) MarkRead(ctx context.Context, tenantID, userID, notificationID uuid.UUID) error {
+	result, err := s.db.ExecContext(ctx,
+		`UPDATE notifications SET read_at = now()
+		 WHERE id = $1 AND user_id = $2 AND tenant_id = $3 AND read_at IS NULL`,
+		notificationID, userID, tenantID)
+	if err != nil {
+		return fmt.Errorf("mark notification read: %w", err)
+	}
+	rows, _ := result.RowsAffected()
+	if rows == 0 {
+		return fmt.Errorf("notification not found or already read")
+	}
+	return nil
+}
+
+// MarkAllRead marks all notifications as read for a user.
+func (s *NotificationService) MarkAllRead(ctx context.Context, tenantID, userID uuid.UUID) error {
+	_, err := s.db.ExecContext(ctx,
+		`UPDATE notifications SET read_at = now()
+		 WHERE user_id = $1 AND tenant_id = $2 AND read_at IS NULL`,
+		userID, tenantID)
+	return err
+}
+
+// GetPreferences returns notification preferences for a user, creating defaults if needed.
+func (s *NotificationService) GetPreferences(ctx context.Context, tenantID, userID uuid.UUID) (*models.NotificationPreferences, error) {
+	var pref models.NotificationPreferences
+	err := s.db.GetContext(ctx, &pref,
+		`SELECT user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at
+		 FROM notification_preferences
+		 WHERE user_id = $1 AND tenant_id = $2`,
+		userID, tenantID)
+	if err != nil {
+		// Return defaults if no preferences set
+		return &models.NotificationPreferences{
+			UserID:               userID,
+			TenantID:             tenantID,
+			DeadlineReminderDays: pq.Int64Array{7, 3, 1},
+			EmailEnabled:         true,
+			DailyDigest:          false,
+		}, nil
+	}
+	return &pref, nil
+}
+
+// UpdatePreferences upserts notification preferences for a user.
+func (s *NotificationService) UpdatePreferences(ctx context.Context, tenantID, userID uuid.UUID, input UpdatePreferencesInput) (*models.NotificationPreferences, error) {
+	var pref models.NotificationPreferences
+	err := s.db.QueryRowxContext(ctx,
+		`INSERT INTO notification_preferences (user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest)
+		 VALUES ($1, $2, $3, $4, $5)
+		 ON CONFLICT (user_id, tenant_id)
+		 DO UPDATE SET deadline_reminder_days = $3, email_enabled = $4, daily_digest = $5, updated_at = now()
+		 RETURNING user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at`,
+		userID, tenantID, pq.Int64Array(input.DeadlineReminderDays), input.EmailEnabled, input.DailyDigest).StructScan(&pref)
+	if err != nil {
+		return nil, fmt.Errorf("update preferences: %w", err)
+	}
+	return &pref, nil
+}
+
+// UpdatePreferencesInput holds the data for updating notification preferences.
+type UpdatePreferencesInput struct {
+	DeadlineReminderDays []int64 `json:"deadline_reminder_days"`
+	EmailEnabled         bool    `json:"email_enabled"`
+	DailyDigest          bool    `json:"daily_digest"`
+}
+
+// SendEmail sends an email using the `m mail send` CLI command.
+func SendEmail(to, subject, body string) error {
+	cmd := exec.Command("m", "mail", "send",
+		"--to", to,
+		"--subject", subject,
+		"--body", body,
+		"--yes")
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("m mail send failed: %w (output: %s)", err, string(output))
+	}
+	slog.Info("email sent", "to", to, "subject", subject)
+	return nil
+}
+
+// getUserEmail looks up the email for a user from Supabase auth.users.
+func (s *NotificationService) getUserEmail(ctx context.Context, userID uuid.UUID) string {
+	var email string
+	err := s.db.GetContext(ctx, &email,
+		`SELECT email FROM auth.users WHERE id = $1`, userID)
+	if err != nil {
+		slog.Error("failed to get user email", "error", err, "user_id", userID)
+		return ""
+	}
+	return email
+}
+
+func containsDay(arr pq.Int64Array, day int64) bool {
+	for _, d := range arr {
+		if d == day {
+			return true
+		}
+	}
+	return false
+}
+
+func derefStr(s *string) string {
+	if s == nil {
+		return ""
+	}
+	return *s
+}

backend/internal/services/party_service.go

@@ -13,11 +13,12 @@ import (
 )
 
 type PartyService struct {
-	db *sqlx.DB
+	db    *sqlx.DB
+	audit *AuditService
 }
 
-func NewPartyService(db *sqlx.DB) *PartyService {
+func NewPartyService(db *sqlx.DB, audit *AuditService) *PartyService {
-	return &PartyService{db: db}
+	return &PartyService{db: db, audit: audit}
 }
 
 type CreatePartyInput struct {
@@ -79,6 +80,7 @@ func (s *PartyService) Create(ctx context.Context, tenantID, caseID uuid.UUID, u
 	if err := s.db.GetContext(ctx, &party, "SELECT * FROM parties WHERE id = $1", id); err != nil {
 		return nil, fmt.Errorf("fetching created party: %w", err)
 	}
+	s.audit.Log(ctx, "create", "party", &id, nil, party)
 	return &party, nil
 }
 
@@ -135,6 +137,7 @@ func (s *PartyService) Update(ctx context.Context, tenantID, partyID uuid.UUID,
 	if err := s.db.GetContext(ctx, &updated, "SELECT * FROM parties WHERE id = $1", partyID); err != nil {
 		return nil, fmt.Errorf("fetching updated party: %w", err)
 	}
+	s.audit.Log(ctx, "update", "party", &partyID, current, updated)
 	return &updated, nil
 }
 
@@ -148,5 +151,6 @@ func (s *PartyService) Delete(ctx context.Context, tenantID, partyID uuid.UUID)
 	if rows == 0 {
 		return sql.ErrNoRows
 	}
+	s.audit.Log(ctx, "delete", "party", &partyID, nil, nil)
 	return nil
 }

backend/internal/services/tenant_service.go

@@ -13,11 +13,12 @@ import (
 )
 
 type TenantService struct {
-	db *sqlx.DB
+	db    *sqlx.DB
+	audit *AuditService
 }
 
-func NewTenantService(db *sqlx.DB) *TenantService {
+func NewTenantService(db *sqlx.DB, audit *AuditService) *TenantService {
-	return &TenantService{db: db}
+	return &TenantService{db: db, audit: audit}
 }
 
 // Create creates a new tenant and assigns the creator as owner.
@@ -49,6 +50,7 @@ func (s *TenantService) Create(ctx context.Context, userID uuid.UUID, name, slug
 		return nil, fmt.Errorf("commit: %w", err)
 	}
 
+	s.audit.Log(ctx, "create", "tenant", &tenant.ID, nil, tenant)
 	return &tenant, nil
 }
 
@@ -184,6 +186,7 @@ func (s *TenantService) InviteByEmail(ctx context.Context, tenantID uuid.UUID, e
 		return nil, fmt.Errorf("invite user: %w", err)
 	}
 
+	s.audit.Log(ctx, "create", "membership", &tenantID, nil, ut)
 	return &ut, nil
 }
 
@@ -199,9 +202,44 @@ func (s *TenantService) UpdateSettings(ctx context.Context, tenantID uuid.UUID,
 	if err != nil {
 		return nil, fmt.Errorf("update settings: %w", err)
 	}
+	s.audit.Log(ctx, "update", "settings", &tenantID, nil, settings)
 	return &tenant, nil
 }
 
+// UpdateMemberRole changes a member's role in a tenant.
+func (s *TenantService) UpdateMemberRole(ctx context.Context, tenantID, userID uuid.UUID, newRole string) error {
+	// Get current role
+	currentRole, err := s.GetUserRole(ctx, userID, tenantID)
+	if err != nil {
+		return fmt.Errorf("get current role: %w", err)
+	}
+	if currentRole == "" {
+		return fmt.Errorf("user is not a member of this tenant")
+	}
+
+	// If demoting the last owner, block it
+	if currentRole == "owner" && newRole != "owner" {
+		var ownerCount int
+		err := s.db.GetContext(ctx, &ownerCount,
+			`SELECT COUNT(*) FROM user_tenants WHERE tenant_id = $1 AND role = 'owner'`,
+			tenantID)
+		if err != nil {
+			return fmt.Errorf("count owners: %w", err)
+		}
+		if ownerCount <= 1 {
+			return fmt.Errorf("cannot demote the last owner")
+		}
+	}
+
+	_, err = s.db.ExecContext(ctx,
+		`UPDATE user_tenants SET role = $1 WHERE user_id = $2 AND tenant_id = $3`,
+		newRole, userID, tenantID)
+	if err != nil {
+		return fmt.Errorf("update role: %w", err)
+	}
+	return nil
+}
+
 // RemoveMember removes a user from a tenant. Cannot remove the last owner.
 func (s *TenantService) RemoveMember(ctx context.Context, tenantID, userID uuid.UUID) error {
 	// Check if the user being removed is an owner
@@ -236,5 +274,6 @@ func (s *TenantService) RemoveMember(ctx context.Context, tenantID, userID uuid.
 		return fmt.Errorf("remove member: %w", err)
 	}
 
+	s.audit.Log(ctx, "delete", "membership", &tenantID, map[string]any{"user_id": userID, "role": role}, nil)
 	return nil
 }

backend/internal/services/time_entry_service.go

@@ -0,0 +1,276 @@
+package services
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
+)
+
+type TimeEntryService struct {
+	db    *sqlx.DB
+	audit *AuditService
+}
+
+func NewTimeEntryService(db *sqlx.DB, audit *AuditService) *TimeEntryService {
+	return &TimeEntryService{db: db, audit: audit}
+}
+
+type CreateTimeEntryInput struct {
+	CaseID          uuid.UUID `json:"case_id"`
+	Date            string    `json:"date"`
+	DurationMinutes int       `json:"duration_minutes"`
+	Description     string    `json:"description"`
+	Activity        *string   `json:"activity,omitempty"`
+	Billable        *bool     `json:"billable,omitempty"`
+	HourlyRate      *float64  `json:"hourly_rate,omitempty"`
+}
+
+type UpdateTimeEntryInput struct {
+	Date            *string  `json:"date,omitempty"`
+	DurationMinutes *int     `json:"duration_minutes,omitempty"`
+	Description     *string  `json:"description,omitempty"`
+	Activity        *string  `json:"activity,omitempty"`
+	Billable        *bool    `json:"billable,omitempty"`
+	HourlyRate      *float64 `json:"hourly_rate,omitempty"`
+}
+
+type TimeEntryFilter struct {
+	CaseID *uuid.UUID
+	UserID *uuid.UUID
+	From   string
+	To     string
+	Limit  int
+	Offset int
+}
+
+type TimeEntrySummary struct {
+	GroupKey       string  `db:"group_key" json:"group_key"`
+	TotalMinutes   int     `db:"total_minutes" json:"total_minutes"`
+	BillableMinutes int   `db:"billable_minutes" json:"billable_minutes"`
+	TotalAmount    float64 `db:"total_amount" json:"total_amount"`
+	EntryCount     int     `db:"entry_count" json:"entry_count"`
+}
+
+const timeEntryCols = `id, tenant_id, case_id, user_id, date, duration_minutes, description,
+	activity, billable, billed, invoice_id, hourly_rate, created_at, updated_at`
+
+func (s *TimeEntryService) ListForCase(ctx context.Context, tenantID, caseID uuid.UUID) ([]models.TimeEntry, error) {
+	var entries []models.TimeEntry
+	err := s.db.SelectContext(ctx, &entries,
+		`SELECT `+timeEntryCols+` FROM time_entries
+		 WHERE tenant_id = $1 AND case_id = $2
+		 ORDER BY date DESC, created_at DESC`,
+		tenantID, caseID)
+	if err != nil {
+		return nil, fmt.Errorf("list time entries for case: %w", err)
+	}
+	return entries, nil
+}
+
+func (s *TimeEntryService) List(ctx context.Context, tenantID uuid.UUID, filter TimeEntryFilter) ([]models.TimeEntry, int, error) {
+	if filter.Limit <= 0 {
+		filter.Limit = 20
+	}
+	if filter.Limit > 100 {
+		filter.Limit = 100
+	}
+
+	where := "WHERE tenant_id = $1"
+	args := []any{tenantID}
+	argIdx := 2
+
+	if filter.CaseID != nil {
+		where += fmt.Sprintf(" AND case_id = $%d", argIdx)
+		args = append(args, *filter.CaseID)
+		argIdx++
+	}
+	if filter.UserID != nil {
+		where += fmt.Sprintf(" AND user_id = $%d", argIdx)
+		args = append(args, *filter.UserID)
+		argIdx++
+	}
+	if filter.From != "" {
+		where += fmt.Sprintf(" AND date >= $%d", argIdx)
+		args = append(args, filter.From)
+		argIdx++
+	}
+	if filter.To != "" {
+		where += fmt.Sprintf(" AND date <= $%d", argIdx)
+		args = append(args, filter.To)
+		argIdx++
+	}
+
+	var total int
+	err := s.db.GetContext(ctx, &total,
+		"SELECT COUNT(*) FROM time_entries "+where, args...)
+	if err != nil {
+		return nil, 0, fmt.Errorf("count time entries: %w", err)
+	}
+
+	query := fmt.Sprintf("SELECT %s FROM time_entries %s ORDER BY date DESC, created_at DESC LIMIT $%d OFFSET $%d",
+		timeEntryCols, where, argIdx, argIdx+1)
+	args = append(args, filter.Limit, filter.Offset)
+
+	var entries []models.TimeEntry
+	err = s.db.SelectContext(ctx, &entries, query, args...)
+	if err != nil {
+		return nil, 0, fmt.Errorf("list time entries: %w", err)
+	}
+	return entries, total, nil
+}
+
+func (s *TimeEntryService) GetByID(ctx context.Context, tenantID, entryID uuid.UUID) (*models.TimeEntry, error) {
+	var entry models.TimeEntry
+	err := s.db.GetContext(ctx, &entry,
+		`SELECT `+timeEntryCols+` FROM time_entries WHERE tenant_id = $1 AND id = $2`,
+		tenantID, entryID)
+	if err == sql.ErrNoRows {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, fmt.Errorf("get time entry: %w", err)
+	}
+	return &entry, nil
+}
+
+func (s *TimeEntryService) Create(ctx context.Context, tenantID, userID uuid.UUID, input CreateTimeEntryInput) (*models.TimeEntry, error) {
+	billable := true
+	if input.Billable != nil {
+		billable = *input.Billable
+	}
+
+	// If no hourly rate provided, look up the current billing rate
+	hourlyRate := input.HourlyRate
+	if hourlyRate == nil {
+		var rate float64
+		err := s.db.GetContext(ctx, &rate,
+			`SELECT rate FROM billing_rates
+			 WHERE tenant_id = $1 AND (user_id = $2 OR user_id IS NULL)
+			 AND valid_from <= $3 AND (valid_to IS NULL OR valid_to >= $3)
+			 ORDER BY user_id NULLS LAST LIMIT 1`,
+			tenantID, userID, input.Date)
+		if err == nil {
+			hourlyRate = &rate
+		}
+	}
+
+	var entry models.TimeEntry
+	err := s.db.QueryRowxContext(ctx,
+		`INSERT INTO time_entries (tenant_id, case_id, user_id, date, duration_minutes, description, activity, billable, hourly_rate)
+		 VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
+		 RETURNING `+timeEntryCols,
+		tenantID, input.CaseID, userID, input.Date, input.DurationMinutes, input.Description, input.Activity, billable, hourlyRate,
+	).StructScan(&entry)
+	if err != nil {
+		return nil, fmt.Errorf("create time entry: %w", err)
+	}
+
+	s.audit.Log(ctx, "create", "time_entry", &entry.ID, nil, entry)
+	return &entry, nil
+}
+
+func (s *TimeEntryService) Update(ctx context.Context, tenantID, entryID uuid.UUID, input UpdateTimeEntryInput) (*models.TimeEntry, error) {
+	old, err := s.GetByID(ctx, tenantID, entryID)
+	if err != nil {
+		return nil, err
+	}
+	if old == nil {
+		return nil, fmt.Errorf("time entry not found")
+	}
+	if old.Billed {
+		return nil, fmt.Errorf("cannot update a billed time entry")
+	}
+
+	var entry models.TimeEntry
+	err = s.db.QueryRowxContext(ctx,
+		`UPDATE time_entries SET
+			date = COALESCE($3, date),
+			duration_minutes = COALESCE($4, duration_minutes),
+			description = COALESCE($5, description),
+			activity = COALESCE($6, activity),
+			billable = COALESCE($7, billable),
+			hourly_rate = COALESCE($8, hourly_rate),
+			updated_at = now()
+		 WHERE tenant_id = $1 AND id = $2
+		 RETURNING `+timeEntryCols,
+		tenantID, entryID, input.Date, input.DurationMinutes, input.Description, input.Activity, input.Billable, input.HourlyRate,
+	).StructScan(&entry)
+	if err != nil {
+		return nil, fmt.Errorf("update time entry: %w", err)
+	}
+
+	s.audit.Log(ctx, "update", "time_entry", &entry.ID, old, entry)
+	return &entry, nil
+}
+
+func (s *TimeEntryService) Delete(ctx context.Context, tenantID, entryID uuid.UUID) error {
+	old, err := s.GetByID(ctx, tenantID, entryID)
+	if err != nil {
+		return err
+	}
+	if old == nil {
+		return fmt.Errorf("time entry not found")
+	}
+	if old.Billed {
+		return fmt.Errorf("cannot delete a billed time entry")
+	}
+
+	_, err = s.db.ExecContext(ctx,
+		`DELETE FROM time_entries WHERE tenant_id = $1 AND id = $2`,
+		tenantID, entryID)
+	if err != nil {
+		return fmt.Errorf("delete time entry: %w", err)
+	}
+
+	s.audit.Log(ctx, "delete", "time_entry", &entryID, old, nil)
+	return nil
+}
+
+func (s *TimeEntryService) Summary(ctx context.Context, tenantID uuid.UUID, groupBy string, from, to string) ([]TimeEntrySummary, error) {
+	var groupExpr string
+	switch groupBy {
+	case "user":
+		groupExpr = "user_id::text"
+	case "month":
+		groupExpr = "to_char(date, 'YYYY-MM')"
+	default:
+		groupExpr = "case_id::text"
+	}
+
+	where := "WHERE tenant_id = $1"
+	args := []any{tenantID}
+	argIdx := 2
+
+	if from != "" {
+		where += fmt.Sprintf(" AND date >= $%d", argIdx)
+		args = append(args, from)
+		argIdx++
+	}
+	if to != "" {
+		where += fmt.Sprintf(" AND date <= $%d", argIdx)
+		args = append(args, to)
+		argIdx++
+	}
+
+	query := fmt.Sprintf(`SELECT %s AS group_key,
+		SUM(duration_minutes) AS total_minutes,
+		SUM(CASE WHEN billable THEN duration_minutes ELSE 0 END) AS billable_minutes,
+		SUM(CASE WHEN billable AND hourly_rate IS NOT NULL THEN duration_minutes * hourly_rate / 60.0 ELSE 0 END) AS total_amount,
+		COUNT(*) AS entry_count
+		FROM time_entries %s
+		GROUP BY %s
+		ORDER BY %s`,
+		groupExpr, where, groupExpr, groupExpr)
+
+	var summaries []TimeEntrySummary
+	err := s.db.SelectContext(ctx, &summaries, query, args...)
+	if err != nil {
+		return nil, fmt.Errorf("time entry summary: %w", err)
+	}
+	return summaries, nil
+}

frontend/src/app/(app)/abrechnung/page.tsx

@@ -0,0 +1,164 @@
+"use client";
+
+import { useQuery } from "@tanstack/react-query";
+import { api } from "@/lib/api";
+import type { TimeEntry } from "@/lib/types";
+import { format } from "date-fns";
+import { de } from "date-fns/locale";
+import { Timer, Loader2 } from "lucide-react";
+import { useState } from "react";
+import Link from "next/link";
+import { Breadcrumb } from "@/components/layout/Breadcrumb";
+
+function formatDuration(minutes: number): string {
+  const h = Math.floor(minutes / 60);
+  const m = minutes % 60;
+  if (h === 0) return `${m}min`;
+  if (m === 0) return `${h}h`;
+  return `${h}h ${m}min`;
+}
+
+export default function AbrechnungPage() {
+  const [from, setFrom] = useState(() => {
+    const d = new Date();
+    d.setDate(1);
+    return format(d, "yyyy-MM-dd");
+  });
+  const [to, setTo] = useState(() => format(new Date(), "yyyy-MM-dd"));
+
+  const { data, isLoading } = useQuery({
+    queryKey: ["time-entries", from, to],
+    queryFn: () =>
+      api.get<{ time_entries: TimeEntry[]; total: number }>(
+        `/time-entries?from=${from}&to=${to}&limit=100`,
+      ),
+  });
+
+  const entries = data?.time_entries ?? [];
+  const totalMinutes = entries.reduce((s, e) => s + e.duration_minutes, 0);
+  const billableMinutes = entries
+    .filter((e) => e.billable)
+    .reduce((s, e) => s + e.duration_minutes, 0);
+  const totalAmount = entries
+    .filter((e) => e.billable && e.hourly_rate)
+    .reduce((s, e) => s + (e.duration_minutes / 60) * (e.hourly_rate ?? 0), 0);
+
+  return (
+    <div className="animate-fade-in">
+      <Breadcrumb
+        items={[
+          { label: "Dashboard", href: "/dashboard" },
+          { label: "Abrechnung" },
+        ]}
+      />
+
+      <div className="mt-4 flex flex-col gap-3 sm:flex-row sm:items-center sm:justify-between">
+        <h1 className="text-lg font-semibold text-neutral-900">
+          Zeiterfassung
+        </h1>
+        <Link
+          href="/abrechnung/rechnungen"
+          className="text-sm text-neutral-500 transition-colors hover:text-neutral-700"
+        >
+          Rechnungen ansehen &rarr;
+        </Link>
+      </div>
+
+      {/* Filters */}
+      <div className="mt-4 flex flex-wrap items-center gap-3">
+        <div className="flex items-center gap-2">
+          <label className="text-xs text-neutral-500">Von</label>
+          <input
+            type="date"
+            value={from}
+            onChange={(e) => setFrom(e.target.value)}
+            className="rounded-md border border-neutral-300 px-2 py-1 text-sm focus:border-neutral-500 focus:outline-none"
+          />
+        </div>
+        <div className="flex items-center gap-2">
+          <label className="text-xs text-neutral-500">Bis</label>
+          <input
+            type="date"
+            value={to}
+            onChange={(e) => setTo(e.target.value)}
+            className="rounded-md border border-neutral-300 px-2 py-1 text-sm focus:border-neutral-500 focus:outline-none"
+          />
+        </div>
+      </div>
+
+      {/* Summary cards */}
+      <div className="mt-4 grid grid-cols-1 gap-3 sm:grid-cols-3">
+        <div className="rounded-md border border-neutral-200 bg-white p-4">
+          <p className="text-xs text-neutral-500">Gesamt</p>
+          <p className="mt-1 text-xl font-semibold text-neutral-900">
+            {formatDuration(totalMinutes)}
+          </p>
+        </div>
+        <div className="rounded-md border border-neutral-200 bg-white p-4">
+          <p className="text-xs text-neutral-500">Abrechenbar</p>
+          <p className="mt-1 text-xl font-semibold text-neutral-900">
+            {formatDuration(billableMinutes)}
+          </p>
+        </div>
+        <div className="rounded-md border border-neutral-200 bg-white p-4">
+          <p className="text-xs text-neutral-500">Betrag</p>
+          <p className="mt-1 text-xl font-semibold text-neutral-900">
+            {totalAmount.toFixed(2)} EUR
+          </p>
+        </div>
+      </div>
+
+      {/* Entries */}
+      {isLoading ? (
+        <div className="flex items-center justify-center py-8">
+          <Loader2 className="h-5 w-5 animate-spin text-neutral-400" />
+        </div>
+      ) : entries.length === 0 ? (
+        <div className="flex flex-col items-center py-12 text-center">
+          <div className="rounded-xl bg-neutral-100 p-3">
+            <Timer className="h-5 w-5 text-neutral-400" />
+          </div>
+          <p className="mt-2 text-sm text-neutral-500">
+            Keine Zeiteintraege im gewaehlten Zeitraum.
+          </p>
+        </div>
+      ) : (
+        <div className="mt-4 space-y-2">
+          {entries.map((entry) => (
+            <div
+              key={entry.id}
+              className="flex items-center justify-between rounded-md border border-neutral-200 bg-white px-4 py-3"
+            >
+              <div className="min-w-0 flex-1">
+                <p className="text-sm font-medium text-neutral-900 truncate">
+                  {entry.description}
+                </p>
+                <div className="mt-0.5 flex gap-3 text-xs text-neutral-500">
+                  <span>
+                    {format(new Date(entry.date), "d. MMM yyyy", { locale: de })}
+                  </span>
+                  <Link
+                    href={`/cases/${entry.case_id}/zeiterfassung`}
+                    className="hover:text-neutral-700"
+                  >
+                    Akte ansehen
+                  </Link>
+                </div>
+              </div>
+              <div className="flex items-center gap-4 ml-4 text-sm">
+                {entry.billable ? (
+                  <span className="text-emerald-600">abrechenbar</span>
+                ) : (
+                  <span className="text-neutral-400">intern</span>
+                )}
+                <span className="font-medium text-neutral-900 whitespace-nowrap">
+                  {formatDuration(entry.duration_minutes)}
+                </span>
+              </div>
+            </div>
+          ))}
+        </div>
+      )}
+    </div>
+  );
+}

frontend/src/app/(app)/abrechnung/rechnungen/[id]/page.tsx

@@ -0,0 +1,225 @@
+"use client";
+
+import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
+import { useParams } from "next/navigation";
+import { api } from "@/lib/api";
+import type { Invoice } from "@/lib/types";
+import { format } from "date-fns";
+import { de } from "date-fns/locale";
+import { Loader2, AlertTriangle } from "lucide-react";
+import { Breadcrumb } from "@/components/layout/Breadcrumb";
+
+const STATUS_BADGE: Record<string, string> = {
+  draft: "bg-neutral-100 text-neutral-600",
+  sent: "bg-blue-50 text-blue-700",
+  paid: "bg-emerald-50 text-emerald-700",
+  cancelled: "bg-red-50 text-red-600",
+};
+
+const STATUS_LABEL: Record<string, string> = {
+  draft: "Entwurf",
+  sent: "Versendet",
+  paid: "Bezahlt",
+  cancelled: "Storniert",
+};
+
+const TRANSITIONS: Record<string, { label: string; next: string }[]> = {
+  draft: [
+    { label: "Als versendet markieren", next: "sent" },
+    { label: "Stornieren", next: "cancelled" },
+  ],
+  sent: [
+    { label: "Als bezahlt markieren", next: "paid" },
+    { label: "Stornieren", next: "cancelled" },
+  ],
+  paid: [],
+  cancelled: [],
+};
+
+export default function InvoiceDetailPage() {
+  const { id } = useParams<{ id: string }>();
+  const queryClient = useQueryClient();
+
+  const { data: invoice, isLoading, error } = useQuery({
+    queryKey: ["invoice", id],
+    queryFn: () => api.get<Invoice>(`/invoices/${id}`),
+  });
+
+  const statusMutation = useMutation({
+    mutationFn: (status: string) =>
+      api.patch<Invoice>(`/invoices/${id}/status`, { status }),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["invoice", id] });
+      queryClient.invalidateQueries({ queryKey: ["invoices"] });
+    },
+  });
+
+  if (isLoading) {
+    return (
+      <div className="flex items-center justify-center py-12">
+        <Loader2 className="h-5 w-5 animate-spin text-neutral-400" />
+      </div>
+    );
+  }
+
+  if (error || !invoice) {
+    return (
+      <div className="py-12 text-center">
+        <AlertTriangle className="mx-auto h-6 w-6 text-red-500" />
+        <p className="mt-2 text-sm text-neutral-500">
+          Rechnung nicht gefunden.
+        </p>
+      </div>
+    );
+  }
+
+  const items = Array.isArray(invoice.items) ? invoice.items : [];
+  const actions = TRANSITIONS[invoice.status] ?? [];
+
+  return (
+    <div className="animate-fade-in">
+      <Breadcrumb
+        items={[
+          { label: "Dashboard", href: "/dashboard" },
+          { label: "Abrechnung", href: "/abrechnung" },
+          { label: "Rechnungen", href: "/abrechnung/rechnungen" },
+          { label: invoice.invoice_number },
+        ]}
+      />
+
+      <div className="mt-4 flex flex-col gap-3 sm:flex-row sm:items-start sm:justify-between">
+        <div>
+          <div className="flex items-center gap-3">
+            <h1 className="text-lg font-semibold text-neutral-900">
+              {invoice.invoice_number}
+            </h1>
+            <span
+              className={`rounded-full px-2 py-0.5 text-xs font-medium ${STATUS_BADGE[invoice.status]}`}
+            >
+              {STATUS_LABEL[invoice.status]}
+            </span>
+          </div>
+          <p className="mt-1 text-sm text-neutral-500">
+            {invoice.client_name}
+          </p>
+        </div>
+        <div className="flex gap-2">
+          {actions.map((action) => (
+            <button
+              key={action.next}
+              onClick={() => statusMutation.mutate(action.next)}
+              disabled={statusMutation.isPending}
+              className="rounded-md bg-neutral-900 px-3 py-1.5 text-sm font-medium text-white transition-colors hover:bg-neutral-800 disabled:opacity-50"
+            >
+              {action.label}
+            </button>
+          ))}
+        </div>
+      </div>
+
+      {/* Invoice details */}
+      <div className="mt-6 rounded-md border border-neutral-200 bg-white">
+        {/* Client info */}
+        <div className="border-b border-neutral-100 p-4">
+          <p className="text-xs text-neutral-500">Empfaenger</p>
+          <p className="mt-1 text-sm font-medium text-neutral-900">
+            {invoice.client_name}
+          </p>
+          {invoice.client_address && (
+            <p className="mt-0.5 text-sm text-neutral-500 whitespace-pre-line">
+              {invoice.client_address}
+            </p>
+          )}
+        </div>
+
+        {/* Dates */}
+        <div className="flex flex-wrap gap-6 border-b border-neutral-100 p-4">
+          {invoice.issued_at && (
+            <div>
+              <p className="text-xs text-neutral-500">Rechnungsdatum</p>
+              <p className="mt-0.5 text-sm text-neutral-900">
+                {format(new Date(invoice.issued_at), "d. MMMM yyyy", { locale: de })}
+              </p>
+            </div>
+          )}
+          {invoice.due_at && (
+            <div>
+              <p className="text-xs text-neutral-500">Faellig am</p>
+              <p className="mt-0.5 text-sm text-neutral-900">
+                {format(new Date(invoice.due_at), "d. MMMM yyyy", { locale: de })}
+              </p>
+            </div>
+          )}
+          {invoice.paid_at && (
+            <div>
+              <p className="text-xs text-neutral-500">Bezahlt am</p>
+              <p className="mt-0.5 text-sm text-neutral-900">
+                {format(new Date(invoice.paid_at), "d. MMMM yyyy", { locale: de })}
+              </p>
+            </div>
+          )}
+        </div>
+
+        {/* Line items */}
+        <div className="p-4">
+          <table className="w-full text-sm">
+            <thead>
+              <tr className="border-b border-neutral-100 text-left text-xs text-neutral-500">
+                <th className="pb-2 font-medium">Beschreibung</th>
+                <th className="pb-2 font-medium text-right">Betrag</th>
+              </tr>
+            </thead>
+            <tbody>
+              {items.map((item, i) => (
+                <tr key={i} className="border-b border-neutral-50">
+                  <td className="py-2 text-neutral-900">
+                    {item.description}
+                    {item.duration_minutes && item.hourly_rate && (
+                      <span className="ml-2 text-xs text-neutral-400">
+                        ({Math.floor(item.duration_minutes / 60)}h{" "}
+                        {item.duration_minutes % 60}min x {item.hourly_rate} EUR/h)
+                      </span>
+                    )}
+                  </td>
+                  <td className="py-2 text-right text-neutral-900">
+                    {item.amount.toFixed(2)} EUR
+                  </td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+
+        {/* Totals */}
+        <div className="border-t border-neutral-200 p-4">
+          <div className="flex justify-end">
+            <div className="w-48 space-y-1">
+              <div className="flex justify-between text-sm">
+                <span className="text-neutral-500">Netto</span>
+                <span>{invoice.subtotal.toFixed(2)} EUR</span>
+              </div>
+              <div className="flex justify-between text-sm">
+                <span className="text-neutral-500">
+                  USt. {invoice.tax_rate}%
+                </span>
+                <span>{invoice.tax_amount.toFixed(2)} EUR</span>
+              </div>
+              <div className="flex justify-between border-t border-neutral-200 pt-1 text-sm font-semibold">
+                <span>Gesamt</span>
+                <span>{invoice.total.toFixed(2)} EUR</span>
+              </div>
+            </div>
+          </div>
+        </div>
+
+        {/* Notes */}
+        {invoice.notes && (
+          <div className="border-t border-neutral-100 p-4">
+            <p className="text-xs text-neutral-500">Anmerkungen</p>
+            <p className="mt-1 text-sm text-neutral-700">{invoice.notes}</p>
+          </div>
+        )}
+      </div>
+    </div>
+  );
+}

frontend/src/app/(app)/abrechnung/rechnungen/page.tsx

@@ -0,0 +1,118 @@
+"use client";
+
+import { useQuery } from "@tanstack/react-query";
+import { api } from "@/lib/api";
+import type { Invoice } from "@/lib/types";
+import { format } from "date-fns";
+import { de } from "date-fns/locale";
+import { Receipt, Loader2 } from "lucide-react";
+import Link from "next/link";
+import { useState } from "react";
+import { Breadcrumb } from "@/components/layout/Breadcrumb";
+
+const STATUS_BADGE: Record<string, string> = {
+  draft: "bg-neutral-100 text-neutral-600",
+  sent: "bg-blue-50 text-blue-700",
+  paid: "bg-emerald-50 text-emerald-700",
+  cancelled: "bg-red-50 text-red-600",
+};
+
+const STATUS_LABEL: Record<string, string> = {
+  draft: "Entwurf",
+  sent: "Versendet",
+  paid: "Bezahlt",
+  cancelled: "Storniert",
+};
+
+export default function RechnungenPage() {
+  const [statusFilter, setStatusFilter] = useState("");
+
+  const { data, isLoading } = useQuery({
+    queryKey: ["invoices", statusFilter],
+    queryFn: () => {
+      const params = statusFilter ? `?status=${statusFilter}` : "";
+      return api.get<{ invoices: Invoice[] }>(`/invoices${params}`);
+    },
+  });
+
+  const invoices = data?.invoices ?? [];
+
+  return (
+    <div className="animate-fade-in">
+      <Breadcrumb
+        items={[
+          { label: "Dashboard", href: "/dashboard" },
+          { label: "Abrechnung", href: "/abrechnung" },
+          { label: "Rechnungen" },
+        ]}
+      />
+
+      <div className="mt-4 flex items-center justify-between">
+        <h1 className="text-lg font-semibold text-neutral-900">Rechnungen</h1>
+      </div>
+
+      {/* Filters */}
+      <div className="mt-4 flex gap-2">
+        {["", "draft", "sent", "paid", "cancelled"].map((s) => (
+          <button
+            key={s}
+            onClick={() => setStatusFilter(s)}
+            className={`rounded-md px-2.5 py-1 text-xs font-medium transition-colors ${
+              statusFilter === s
+                ? "bg-neutral-900 text-white"
+                : "bg-neutral-100 text-neutral-600 hover:bg-neutral-200"
+            }`}
+          >
+            {s === "" ? "Alle" : STATUS_LABEL[s]}
+          </button>
+        ))}
+      </div>
+
+      {isLoading ? (
+        <div className="flex items-center justify-center py-8">
+          <Loader2 className="h-5 w-5 animate-spin text-neutral-400" />
+        </div>
+      ) : invoices.length === 0 ? (
+        <div className="flex flex-col items-center py-12 text-center">
+          <div className="rounded-xl bg-neutral-100 p-3">
+            <Receipt className="h-5 w-5 text-neutral-400" />
+          </div>
+          <p className="mt-2 text-sm text-neutral-500">
+            Keine Rechnungen vorhanden.
+          </p>
+        </div>
+      ) : (
+        <div className="mt-4 space-y-2">
+          {invoices.map((inv) => (
+            <Link
+              key={inv.id}
+              href={`/abrechnung/rechnungen/${inv.id}`}
+              className="flex items-center justify-between rounded-md border border-neutral-200 bg-white px-4 py-3 transition-colors hover:bg-neutral-50"
+            >
+              <div>
+                <div className="flex items-center gap-2">
+                  <p className="text-sm font-medium text-neutral-900">
+                    {inv.invoice_number}
+                  </p>
+                  <span
+                    className={`rounded-full px-2 py-0.5 text-xs font-medium ${STATUS_BADGE[inv.status]}`}
+                  >
+                    {STATUS_LABEL[inv.status]}
+                  </span>
+                </div>
+                <p className="mt-0.5 text-xs text-neutral-500">
+                  {inv.client_name}
+                  {inv.issued_at &&
+                    ` — ${format(new Date(inv.issued_at), "d. MMM yyyy", { locale: de })}`}
+                </p>
+              </div>
+              <p className="text-sm font-semibold text-neutral-900">
+                {inv.total.toFixed(2)} EUR
+              </p>
+            </Link>
+          ))}
+        </div>
+      )}
+    </div>
+  );
+}

frontend/src/app/(app)/cases/[id]/layout.tsx

@@ -13,8 +13,11 @@ import {
   Clock,
   FileText,
   Users,
+  UserCheck,
   StickyNote,
   AlertTriangle,
+  ScrollText,
+  Timer,
 } from "lucide-react";
 import { format } from "date-fns";
 import { de } from "date-fns/locale";
@@ -43,7 +46,10 @@ const TABS = [
   { segment: "fristen", label: "Fristen", icon: Clock },
   { segment: "dokumente", label: "Dokumente", icon: FileText },
   { segment: "parteien", label: "Parteien", icon: Users },
+  { segment: "mitarbeiter", label: "Mitarbeiter", icon: UserCheck },
+  { segment: "zeiterfassung", label: "Zeiterfassung", icon: Timer },
   { segment: "notizen", label: "Notizen", icon: StickyNote },
+  { segment: "protokoll", label: "Protokoll", icon: ScrollText },
 ] as const;
 
 const TAB_LABELS: Record<string, string> = {
@@ -51,7 +57,10 @@ const TAB_LABELS: Record<string, string> = {
   fristen: "Fristen",
   dokumente: "Dokumente",
   parteien: "Parteien",
+  mitarbeiter: "Mitarbeiter",
+  zeiterfassung: "Zeiterfassung",
   notizen: "Notizen",
+  protokoll: "Protokoll",
 };
 
 function CaseDetailSkeleton() {

frontend/src/app/(app)/cases/[id]/mitarbeiter/page.tsx

@@ -0,0 +1,9 @@
+"use client";
+
+import { useParams } from "next/navigation";
+import { CaseAssignments } from "@/components/cases/CaseAssignments";
+
+export default function CaseMitarbeiterPage() {
+  const { id } = useParams<{ id: string }>();
+  return <CaseAssignments caseId={id} />;
+}

frontend/src/app/(app)/cases/[id]/protokoll/page.tsx

@@ -0,0 +1,178 @@
+"use client";
+
+import { useQuery } from "@tanstack/react-query";
+import { useParams, useSearchParams } from "next/navigation";
+import { api } from "@/lib/api";
+import type { AuditLogResponse } from "@/lib/types";
+import { format } from "date-fns";
+import { de } from "date-fns/locale";
+import { Loader2, ChevronLeft, ChevronRight } from "lucide-react";
+
+const ACTION_LABELS: Record<string, string> = {
+  create: "Erstellt",
+  update: "Aktualisiert",
+  delete: "Geloescht",
+};
+
+const ACTION_COLORS: Record<string, string> = {
+  create: "bg-emerald-50 text-emerald-700",
+  update: "bg-blue-50 text-blue-700",
+  delete: "bg-red-50 text-red-700",
+};
+
+const ENTITY_LABELS: Record<string, string> = {
+  case: "Akte",
+  deadline: "Frist",
+  appointment: "Termin",
+  document: "Dokument",
+  party: "Partei",
+  note: "Notiz",
+  settings: "Einstellungen",
+  membership: "Mitgliedschaft",
+};
+
+function DiffPreview({
+  oldValues,
+  newValues,
+}: {
+  oldValues?: Record<string, unknown>;
+  newValues?: Record<string, unknown>;
+}) {
+  if (!oldValues && !newValues) return null;
+
+  const allKeys = new Set([
+    ...Object.keys(oldValues ?? {}),
+    ...Object.keys(newValues ?? {}),
+  ]);
+
+  const changes: { key: string; from?: unknown; to?: unknown }[] = [];
+  for (const key of allKeys) {
+    const oldVal = oldValues?.[key];
+    const newVal = newValues?.[key];
+    if (JSON.stringify(oldVal) !== JSON.stringify(newVal)) {
+      changes.push({ key, from: oldVal, to: newVal });
+    }
+  }
+
+  if (changes.length === 0) return null;
+
+  return (
+    <div className="mt-2 space-y-1">
+      {changes.slice(0, 5).map((c) => (
+        <div key={c.key} className="flex items-baseline gap-2 text-xs">
+          <span className="font-medium text-neutral-500">{c.key}:</span>
+          {c.from !== undefined && (
+            <span className="rounded bg-red-50 px-1 text-red-600 line-through">
+              {String(c.from)}
+            </span>
+          )}
+          {c.to !== undefined && (
+            <span className="rounded bg-emerald-50 px-1 text-emerald-600">
+              {String(c.to)}
+            </span>
+          )}
+        </div>
+      ))}
+      {changes.length > 5 && (
+        <span className="text-xs text-neutral-400">
+          +{changes.length - 5} weitere Aenderungen
+        </span>
+      )}
+    </div>
+  );
+}
+
+export default function ProtokollPage() {
+  const { id } = useParams<{ id: string }>();
+  const searchParams = useSearchParams();
+  const page = Number(searchParams.get("page")) || 1;
+
+  const { data, isLoading } = useQuery({
+    queryKey: ["audit-log", id, page],
+    queryFn: () =>
+      api.get<AuditLogResponse>(
+        `/audit-log?entity_id=${id}&page=${page}&limit=50`,
+      ),
+  });
+
+  if (isLoading) {
+    return (
+      <div className="flex items-center justify-center py-8">
+        <Loader2 className="h-5 w-5 animate-spin text-neutral-400" />
+      </div>
+    );
+  }
+
+  const entries = data?.entries ?? [];
+  const total = data?.total ?? 0;
+  const totalPages = Math.ceil(total / 50);
+
+  if (entries.length === 0) {
+    return (
+      <div className="py-8 text-center text-sm text-neutral-400">
+        Keine Protokolleintraege vorhanden.
+      </div>
+    );
+  }
+
+  return (
+    <div>
+      <div className="space-y-3">
+        {entries.map((entry) => (
+          <div
+            key={entry.id}
+            className="rounded-md border border-neutral-100 bg-white px-4 py-3"
+          >
+            <div className="flex items-start justify-between gap-3">
+              <div className="flex items-center gap-2">
+                <span
+                  className={`inline-block rounded-full px-2 py-0.5 text-xs font-medium ${ACTION_COLORS[entry.action] ?? "bg-neutral-100 text-neutral-600"}`}
+                >
+                  {ACTION_LABELS[entry.action] ?? entry.action}
+                </span>
+                <span className="text-sm font-medium text-neutral-700">
+                  {ENTITY_LABELS[entry.entity_type] ?? entry.entity_type}
+                </span>
+              </div>
+              <span className="shrink-0 text-xs text-neutral-400">
+                {format(new Date(entry.created_at), "d. MMM yyyy, HH:mm", {
+                  locale: de,
+                })}
+              </span>
+            </div>
+            <DiffPreview
+              oldValues={entry.old_values}
+              newValues={entry.new_values}
+            />
+          </div>
+        ))}
+      </div>
+
+      {totalPages > 1 && (
+        <div className="mt-4 flex items-center justify-between">
+          <span className="text-xs text-neutral-400">
+            {total} Eintraege, Seite {page} von {totalPages}
+          </span>
+          <div className="flex gap-1">
+            {page > 1 && (
+              <a
+                href={`?page=${page - 1}`}
+                className="inline-flex items-center gap-1 rounded-md border border-neutral-200 px-2 py-1 text-xs text-neutral-600 hover:bg-neutral-50"
+              >
+                <ChevronLeft className="h-3 w-3" /> Zurueck
+              </a>
+            )}
+            {page < totalPages && (
+              <a
+                href={`?page=${page + 1}`}
+                className="inline-flex items-center gap-1 rounded-md border border-neutral-200 px-2 py-1 text-xs text-neutral-600 hover:bg-neutral-50"
+              >
+                Weiter <ChevronRight className="h-3 w-3" />
+              </a>
+            )}
+          </div>
+        </div>
+      )}
+    </div>
+  );
+}

frontend/src/app/(app)/cases/[id]/zeiterfassung/page.tsx

@@ -0,0 +1,306 @@
+"use client";
+
+import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
+import { useParams } from "next/navigation";
+import { api } from "@/lib/api";
+import type { TimeEntry } from "@/lib/types";
+import { format } from "date-fns";
+import { de } from "date-fns/locale";
+import { Timer, Loader2, Plus, Trash2 } from "lucide-react";
+import { useState } from "react";
+
+function formatDuration(minutes: number): string {
+  const h = Math.floor(minutes / 60);
+  const m = minutes % 60;
+  if (h === 0) return `${m}min`;
+  if (m === 0) return `${h}h`;
+  return `${h}h ${m}min`;
+}
+
+function formatAmount(minutes: number, rate?: number): string {
+  if (!rate) return "-";
+  return `${((minutes / 60) * rate).toFixed(2)} EUR`;
+}
+
+const ACTIVITIES = [
+  { value: "", label: "Keine Kategorie" },
+  { value: "research", label: "Recherche" },
+  { value: "drafting", label: "Entwurf" },
+  { value: "hearing", label: "Verhandlung" },
+  { value: "call", label: "Telefonat" },
+  { value: "review", label: "Prüfung" },
+  { value: "travel", label: "Reise" },
+  { value: "meeting", label: "Besprechung" },
+];
+
+export default function ZeiterfassungPage() {
+  const { id } = useParams<{ id: string }>();
+  const queryClient = useQueryClient();
+  const [showForm, setShowForm] = useState(false);
+  const [desc, setDesc] = useState("");
+  const [hours, setHours] = useState("");
+  const [minutes, setMinutes] = useState("");
+  const [date, setDate] = useState(format(new Date(), "yyyy-MM-dd"));
+  const [activity, setActivity] = useState("");
+  const [billable, setBillable] = useState(true);
+
+  const { data, isLoading } = useQuery({
+    queryKey: ["case-time-entries", id],
+    queryFn: () =>
+      api.get<{ time_entries: TimeEntry[] }>(`/cases/${id}/time-entries`),
+  });
+
+  const createMutation = useMutation({
+    mutationFn: (input: {
+      description: string;
+      duration_minutes: number;
+      date: string;
+      activity?: string;
+      billable: boolean;
+    }) => api.post<TimeEntry>(`/cases/${id}/time-entries`, input),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["case-time-entries", id] });
+      setShowForm(false);
+      setDesc("");
+      setHours("");
+      setMinutes("");
+      setActivity("");
+      setBillable(true);
+    },
+  });
+
+  const deleteMutation = useMutation({
+    mutationFn: (entryId: string) =>
+      api.delete(`/time-entries/${entryId}`),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["case-time-entries", id] });
+    },
+  });
+
+  function handleSubmit(e: React.FormEvent) {
+    e.preventDefault();
+    const totalMinutes = (parseInt(hours || "0") * 60) + parseInt(minutes || "0");
+    if (totalMinutes <= 0 || !desc.trim()) return;
+    createMutation.mutate({
+      description: desc.trim(),
+      duration_minutes: totalMinutes,
+      date,
+      activity: activity || undefined,
+      billable,
+    });
+  }
+
+  if (isLoading) {
+    return (
+      <div className="flex items-center justify-center py-8">
+        <Loader2 className="h-5 w-5 animate-spin text-neutral-400" />
+      </div>
+    );
+  }
+
+  const entries = data?.time_entries ?? [];
+  const totalMinutes = entries.reduce((s, e) => s + e.duration_minutes, 0);
+  const billableMinutes = entries
+    .filter((e) => e.billable)
+    .reduce((s, e) => s + e.duration_minutes, 0);
+
+  return (
+    <div className="space-y-4">
+      {/* Summary bar */}
+      <div className="flex flex-wrap items-center justify-between gap-3">
+        <div className="flex gap-6 text-sm text-neutral-500">
+          <span>
+            Gesamt: <span className="font-medium text-neutral-900">{formatDuration(totalMinutes)}</span>
+          </span>
+          <span>
+            Abrechenbar: <span className="font-medium text-neutral-900">{formatDuration(billableMinutes)}</span>
+          </span>
+        </div>
+        <button
+          onClick={() => setShowForm(!showForm)}
+          className="inline-flex items-center gap-1.5 rounded-md bg-neutral-900 px-3 py-1.5 text-sm font-medium text-white transition-colors hover:bg-neutral-800"
+        >
+          <Plus className="h-3.5 w-3.5" />
+          Eintrag
+        </button>
+      </div>
+
+      {/* Quick add form */}
+      {showForm && (
+        <form
+          onSubmit={handleSubmit}
+          className="rounded-md border border-neutral-200 bg-neutral-50 p-4 space-y-3"
+        >
+          <div>
+            <label className="block text-xs font-medium text-neutral-600 mb-1">
+              Beschreibung
+            </label>
+            <input
+              type="text"
+              value={desc}
+              onChange={(e) => setDesc(e.target.value)}
+              placeholder="Was wurde getan?"
+              className="w-full rounded-md border border-neutral-300 px-3 py-1.5 text-sm focus:border-neutral-500 focus:outline-none"
+              required
+            />
+          </div>
+          <div className="flex flex-wrap gap-3">
+            <div className="flex-1 min-w-[120px]">
+              <label className="block text-xs font-medium text-neutral-600 mb-1">
+                Dauer
+              </label>
+              <div className="flex gap-2">
+                <div className="flex items-center gap-1">
+                  <input
+                    type="number"
+                    min="0"
+                    value={hours}
+                    onChange={(e) => setHours(e.target.value)}
+                    placeholder="0"
+                    className="w-16 rounded-md border border-neutral-300 px-2 py-1.5 text-sm focus:border-neutral-500 focus:outline-none"
+                  />
+                  <span className="text-xs text-neutral-500">h</span>
+                </div>
+                <div className="flex items-center gap-1">
+                  <input
+                    type="number"
+                    min="0"
+                    max="59"
+                    value={minutes}
+                    onChange={(e) => setMinutes(e.target.value)}
+                    placeholder="0"
+                    className="w-16 rounded-md border border-neutral-300 px-2 py-1.5 text-sm focus:border-neutral-500 focus:outline-none"
+                  />
+                  <span className="text-xs text-neutral-500">min</span>
+                </div>
+              </div>
+            </div>
+            <div className="flex-1 min-w-[120px]">
+              <label className="block text-xs font-medium text-neutral-600 mb-1">
+                Datum
+              </label>
+              <input
+                type="date"
+                value={date}
+                onChange={(e) => setDate(e.target.value)}
+                className="w-full rounded-md border border-neutral-300 px-3 py-1.5 text-sm focus:border-neutral-500 focus:outline-none"
+              />
+            </div>
+            <div className="flex-1 min-w-[120px]">
+              <label className="block text-xs font-medium text-neutral-600 mb-1">
+                Kategorie
+              </label>
+              <select
+                value={activity}
+                onChange={(e) => setActivity(e.target.value)}
+                className="w-full rounded-md border border-neutral-300 px-3 py-1.5 text-sm focus:border-neutral-500 focus:outline-none"
+              >
+                {ACTIVITIES.map((a) => (
+                  <option key={a.value} value={a.value}>
+                    {a.label}
+                  </option>
+                ))}
+              </select>
+            </div>
+          </div>
+          <div className="flex items-center justify-between">
+            <label className="flex items-center gap-2 text-sm text-neutral-600">
+              <input
+                type="checkbox"
+                checked={billable}
+                onChange={(e) => setBillable(e.target.checked)}
+                className="rounded border-neutral-300"
+              />
+              Abrechenbar
+            </label>
+            <div className="flex gap-2">
+              <button
+                type="button"
+                onClick={() => setShowForm(false)}
+                className="rounded-md px-3 py-1.5 text-sm text-neutral-600 transition-colors hover:bg-neutral-100"
+              >
+                Abbrechen
+              </button>
+              <button
+                type="submit"
+                disabled={createMutation.isPending}
+                className="rounded-md bg-neutral-900 px-3 py-1.5 text-sm font-medium text-white transition-colors hover:bg-neutral-800 disabled:opacity-50"
+              >
+                {createMutation.isPending ? "Speichern..." : "Speichern"}
+              </button>
+            </div>
+          </div>
+          {createMutation.isError && (
+            <p className="text-sm text-red-600">Fehler beim Speichern.</p>
+          )}
+        </form>
+      )}
+
+      {/* Entries list */}
+      {entries.length === 0 ? (
+        <div className="flex flex-col items-center py-8 text-center">
+          <div className="rounded-xl bg-neutral-100 p-3">
+            <Timer className="h-5 w-5 text-neutral-400" />
+          </div>
+          <p className="mt-2 text-sm text-neutral-500">
+            Keine Zeiteintraege vorhanden.
+          </p>
+        </div>
+      ) : (
+        <div className="space-y-2">
+          {entries.map((entry) => (
+            <div
+              key={entry.id}
+              className="flex items-center justify-between rounded-md border border-neutral-200 bg-white px-4 py-3"
+            >
+              <div className="min-w-0 flex-1">
+                <div className="flex items-center gap-2">
+                  <p className="text-sm font-medium text-neutral-900 truncate">
+                    {entry.description}
+                  </p>
+                  {entry.activity && (
+                    <span className="shrink-0 rounded-full bg-neutral-100 px-2 py-0.5 text-xs text-neutral-500">
+                      {ACTIVITIES.find((a) => a.value === entry.activity)?.label ?? entry.activity}
+                    </span>
+                  )}
+                  {!entry.billable && (
+                    <span className="shrink-0 rounded-full bg-neutral-100 px-2 py-0.5 text-xs text-neutral-400">
+                      nicht abrechenbar
+                    </span>
+                  )}
+                  {entry.billed && (
+                    <span className="shrink-0 rounded-full bg-emerald-50 px-2 py-0.5 text-xs text-emerald-700">
+                      abgerechnet
+                    </span>
+                  )}
+                </div>
+                <div className="mt-0.5 flex gap-4 text-xs text-neutral-500">
+                  <span>
+                    {format(new Date(entry.date), "d. MMM yyyy", { locale: de })}
+                  </span>
+                  {entry.hourly_rate && (
+                    <span>{formatAmount(entry.duration_minutes, entry.hourly_rate)}</span>
+                  )}
+                </div>
+              </div>
+              <div className="flex items-center gap-3 ml-4">
+                <span className="text-sm font-medium text-neutral-900 whitespace-nowrap">
+                  {formatDuration(entry.duration_minutes)}
+                </span>
+                {!entry.billed && (
+                  <button
+                    onClick={() => deleteMutation.mutate(entry.id)}
+                    className="rounded-md p-1 text-neutral-400 transition-colors hover:bg-red-50 hover:text-red-600"
+                    title="Loeschen"
+                  >
+                    <Trash2 className="h-3.5 w-3.5" />
+                  </button>
+                )}
+              </div>
+            </div>
+          ))}
+        </div>
+      )}
+    </div>
+  );
+}

frontend/src/app/(app)/cases/page.tsx

@@ -10,6 +10,7 @@ import { Plus, Search, FolderOpen } from "lucide-react";
 import { useState } from "react";
 import { SkeletonTable } from "@/components/ui/Skeleton";
 import { EmptyState } from "@/components/ui/EmptyState";
+import { usePermissions } from "@/lib/hooks/usePermissions";
 
 const STATUS_OPTIONS = [
   { value: "", label: "Alle Status" },
@@ -49,6 +50,8 @@ const inputClass =
 export default function CasesPage() {
   const router = useRouter();
   const searchParams = useSearchParams();
+  const { can } = usePermissions();
+  const canCreateCase = can("create_case");
 
   const [search, setSearch] = useState(searchParams.get("search") ?? "");
   const [status, setStatus] = useState(searchParams.get("status") ?? "");
@@ -86,13 +89,15 @@ export default function CasesPage() {
             {data ? `${data.total} Akten` : "\u00A0"}
           </p>
         </div>
-        <Link
+        {canCreateCase && (
-          href="/cases/new"
+          <Link
-          className="inline-flex w-fit items-center gap-1.5 rounded-md bg-neutral-900 px-3 py-1.5 text-sm font-medium text-white transition-colors hover:bg-neutral-800"
+            href="/cases/new"
-        >
+            className="inline-flex w-fit items-center gap-1.5 rounded-md bg-neutral-900 px-3 py-1.5 text-sm font-medium text-white transition-colors hover:bg-neutral-800"
-          <Plus className="h-4 w-4" />
+          >
-          Neue Akte
+            <Plus className="h-4 w-4" />
-        </Link>
+            Neue Akte
+          </Link>
+        )}
       </div>
 
       <div className="mt-4 flex flex-col gap-3 sm:flex-row sm:items-center">
@@ -145,7 +150,7 @@ export default function CasesPage() {
                 : "Erstellen Sie Ihre erste Akte, um loszulegen."
             }
             action={
-              !search && !status && !type ? (
+              !search && !status && !type && canCreateCase ? (
                 <Link
                   href="/cases/new"
                   className="inline-flex items-center gap-1.5 rounded-md bg-neutral-900 px-3 py-1.5 text-sm font-medium text-white transition-colors hover:bg-neutral-800"

frontend/src/app/(app)/einstellungen/abrechnung/page.tsx

@@ -0,0 +1,166 @@
+"use client";
+
+import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
+import { api } from "@/lib/api";
+import type { BillingRate } from "@/lib/types";
+import { format } from "date-fns";
+import { de } from "date-fns/locale";
+import { Loader2, Plus } from "lucide-react";
+import { useState } from "react";
+import { Breadcrumb } from "@/components/layout/Breadcrumb";
+
+export default function BillingRatesPage() {
+  const queryClient = useQueryClient();
+  const [showForm, setShowForm] = useState(false);
+  const [rate, setRate] = useState("");
+  const [validFrom, setValidFrom] = useState(format(new Date(), "yyyy-MM-dd"));
+
+  const { data, isLoading } = useQuery({
+    queryKey: ["billing-rates"],
+    queryFn: () =>
+      api.get<{ billing_rates: BillingRate[] }>("/billing-rates"),
+  });
+
+  const upsertMutation = useMutation({
+    mutationFn: (input: { rate: number; valid_from: string; currency: string }) =>
+      api.put<BillingRate>("/billing-rates", input),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["billing-rates"] });
+      setShowForm(false);
+      setRate("");
+    },
+  });
+
+  function handleSubmit(e: React.FormEvent) {
+    e.preventDefault();
+    const rateNum = parseFloat(rate);
+    if (isNaN(rateNum) || rateNum < 0) return;
+    upsertMutation.mutate({
+      rate: rateNum,
+      valid_from: validFrom,
+      currency: "EUR",
+    });
+  }
+
+  const rates = data?.billing_rates ?? [];
+
+  return (
+    <div className="animate-fade-in">
+      <Breadcrumb
+        items={[
+          { label: "Dashboard", href: "/dashboard" },
+          { label: "Einstellungen", href: "/einstellungen" },
+          { label: "Stundensaetze" },
+        ]}
+      />
+
+      <div className="mt-4 flex items-center justify-between">
+        <h1 className="text-lg font-semibold text-neutral-900">
+          Stundensaetze
+        </h1>
+        <button
+          onClick={() => setShowForm(!showForm)}
+          className="inline-flex items-center gap-1.5 rounded-md bg-neutral-900 px-3 py-1.5 text-sm font-medium text-white transition-colors hover:bg-neutral-800"
+        >
+          <Plus className="h-3.5 w-3.5" />
+          Neuer Satz
+        </button>
+      </div>
+
+      {showForm && (
+        <form
+          onSubmit={handleSubmit}
+          className="mt-4 rounded-md border border-neutral-200 bg-neutral-50 p-4 space-y-3"
+        >
+          <div className="flex flex-wrap gap-3">
+            <div className="flex-1 min-w-[150px]">
+              <label className="block text-xs font-medium text-neutral-600 mb-1">
+                Stundensatz (EUR)
+              </label>
+              <input
+                type="number"
+                min="0"
+                step="0.01"
+                value={rate}
+                onChange={(e) => setRate(e.target.value)}
+                placeholder="z.B. 350.00"
+                className="w-full rounded-md border border-neutral-300 px-3 py-1.5 text-sm focus:border-neutral-500 focus:outline-none"
+                required
+              />
+            </div>
+            <div className="flex-1 min-w-[150px]">
+              <label className="block text-xs font-medium text-neutral-600 mb-1">
+                Gueltig ab
+              </label>
+              <input
+                type="date"
+                value={validFrom}
+                onChange={(e) => setValidFrom(e.target.value)}
+                className="w-full rounded-md border border-neutral-300 px-3 py-1.5 text-sm focus:border-neutral-500 focus:outline-none"
+                required
+              />
+            </div>
+          </div>
+          <div className="flex justify-end gap-2">
+            <button
+              type="button"
+              onClick={() => setShowForm(false)}
+              className="rounded-md px-3 py-1.5 text-sm text-neutral-600 hover:bg-neutral-100"
+            >
+              Abbrechen
+            </button>
+            <button
+              type="submit"
+              disabled={upsertMutation.isPending}
+              className="rounded-md bg-neutral-900 px-3 py-1.5 text-sm font-medium text-white hover:bg-neutral-800 disabled:opacity-50"
+            >
+              Speichern
+            </button>
+          </div>
+        </form>
+      )}
+
+      {isLoading ? (
+        <div className="flex items-center justify-center py-8">
+          <Loader2 className="h-5 w-5 animate-spin text-neutral-400" />
+        </div>
+      ) : rates.length === 0 ? (
+        <div className="mt-8 text-center">
+          <p className="text-sm text-neutral-500">
+            Noch keine Stundensaetze definiert.
+          </p>
+        </div>
+      ) : (
+        <div className="mt-4 space-y-2">
+          {rates.map((r) => (
+            <div
+              key={r.id}
+              className="flex items-center justify-between rounded-md border border-neutral-200 bg-white px-4 py-3"
+            >
+              <div>
+                <p className="text-sm font-medium text-neutral-900">
+                  {r.rate.toFixed(2)} {r.currency}/h
+                </p>
+                <p className="mt-0.5 text-xs text-neutral-500">
+                  {r.user_id ? `Benutzer: ${r.user_id.slice(0, 8)}...` : "Standard (alle Benutzer)"}
+                </p>
+              </div>
+              <div className="text-right text-xs text-neutral-500">
+                <p>
+                  Ab{" "}
+                  {format(new Date(r.valid_from), "d. MMM yyyy", { locale: de })}
+                </p>
+                {r.valid_to && (
+                  <p>
+                    Bis{" "}
+                    {format(new Date(r.valid_to), "d. MMM yyyy", { locale: de })}
+                  </p>
+                )}
+              </div>
+            </div>
+          ))}
+        </div>
+      )}
+    </div>
+  );
+}

frontend/src/app/(app)/einstellungen/page.tsx

@@ -1,11 +1,12 @@
 "use client";
 
 import { useQuery } from "@tanstack/react-query";
-import { Settings, Calendar, Users } from "lucide-react";
+import { Settings, Calendar, Users, Bell } from "lucide-react";
 import Link from "next/link";
 import { api } from "@/lib/api";
 import type { Tenant } from "@/lib/types";
 import { CalDAVSettings } from "@/components/settings/CalDAVSettings";
+import { NotificationSettings } from "@/components/settings/NotificationSettings";
 import { SkeletonCard } from "@/components/ui/Skeleton";
 import { EmptyState } from "@/components/ui/EmptyState";
 
@@ -97,6 +98,19 @@ export default function EinstellungenPage() {
             </div>
           </section>
 
+          {/* Notification Settings */}
+          <section className="rounded-xl border border-neutral-200 bg-white p-5">
+            <div className="flex items-center gap-2.5 border-b border-neutral-100 pb-3">
+              <Bell className="h-4 w-4 text-neutral-500" />
+              <h2 className="text-sm font-semibold text-neutral-900">
+                Benachrichtigungen
+              </h2>
+            </div>
+            <div className="mt-4">
+              <NotificationSettings />
+            </div>
+          </section>
+
           {/* CalDAV Settings */}
           <section className="rounded-xl border border-neutral-200 bg-white p-5">
             <div className="flex items-center gap-2.5 border-b border-neutral-100 pb-3">

frontend/src/components/cases/CaseAssignments.tsx

@@ -0,0 +1,180 @@
+"use client";
+
+import { useState } from "react";
+import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
+import { toast } from "sonner";
+import { UserPlus, Trash2, Users } from "lucide-react";
+import { api } from "@/lib/api";
+import type { CaseAssignment, UserTenant } from "@/lib/types";
+import { CASE_ASSIGNMENT_ROLE_LABELS } from "@/lib/types";
+import type { CaseAssignmentRole } from "@/lib/types";
+import { Skeleton } from "@/components/ui/Skeleton";
+import { EmptyState } from "@/components/ui/EmptyState";
+import { usePermissions } from "@/lib/hooks/usePermissions";
+
+export function CaseAssignments({ caseId }: { caseId: string }) {
+  const queryClient = useQueryClient();
+  const { can } = usePermissions();
+  const canManage = can("manage_team");
+
+  const tenantId =
+    typeof window !== "undefined"
+      ? localStorage.getItem("kanzlai_tenant_id")
+      : null;
+
+  const [selectedUser, setSelectedUser] = useState("");
+  const [assignRole, setAssignRole] = useState<CaseAssignmentRole>("team");
+
+  const { data, isLoading } = useQuery({
+    queryKey: ["case-assignments", caseId],
+    queryFn: () =>
+      api.get<{ assignments: CaseAssignment[]; total: number }>(
+        `/cases/${caseId}/assignments`,
+      ),
+  });
+
+  const { data: members } = useQuery({
+    queryKey: ["tenant-members", tenantId],
+    queryFn: () =>
+      api.get<UserTenant[]>(`/tenants/${tenantId}/members`),
+    enabled: !!tenantId && canManage,
+  });
+
+  const assignMutation = useMutation({
+    mutationFn: (input: { user_id: string; role: string }) =>
+      api.post(`/cases/${caseId}/assignments`, input),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["case-assignments", caseId] });
+      setSelectedUser("");
+      toast.success("Mitarbeiter zugewiesen");
+    },
+    onError: (err: { error?: string }) => {
+      toast.error(err.error || "Fehler beim Zuweisen");
+    },
+  });
+
+  const unassignMutation = useMutation({
+    mutationFn: (userId: string) =>
+      api.delete(`/cases/${caseId}/assignments/${userId}`),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["case-assignments", caseId] });
+      toast.success("Zuweisung entfernt");
+    },
+    onError: (err: { error?: string }) => {
+      toast.error(err.error || "Fehler beim Entfernen");
+    },
+  });
+
+  const assignments = data?.assignments ?? [];
+  const assignedUserIds = new Set(assignments.map((a) => a.user_id));
+  const availableMembers = (members ?? []).filter(
+    (m) => !assignedUserIds.has(m.user_id),
+  );
+
+  const handleAssign = (e: React.FormEvent) => {
+    e.preventDefault();
+    if (!selectedUser) return;
+    assignMutation.mutate({ user_id: selectedUser, role: assignRole });
+  };
+
+  if (isLoading) {
+    return (
+      <div className="space-y-3">
+        <Skeleton className="h-10 w-full" />
+        <Skeleton className="h-10 w-full" />
+      </div>
+    );
+  }
+
+  return (
+    <div className="space-y-4">
+      <h3 className="text-sm font-semibold text-neutral-900">
+        Zugewiesene Mitarbeiter
+      </h3>
+
+      {/* Assign form — only for owners/partners */}
+      {canManage && availableMembers.length > 0 && (
+        <form onSubmit={handleAssign} className="flex flex-col gap-2 sm:flex-row">
+          <select
+            value={selectedUser}
+            onChange={(e) => setSelectedUser(e.target.value)}
+            className="flex-1 rounded-md border border-neutral-200 px-2 py-1.5 text-sm outline-none focus:border-neutral-400 focus:ring-1 focus:ring-neutral-400"
+          >
+            <option value="">Mitarbeiter auswählen...</option>
+            {availableMembers.map((m) => (
+              <option key={m.user_id} value={m.user_id}>
+                {m.user_id.slice(0, 8)}... ({m.role})
+              </option>
+            ))}
+          </select>
+          <select
+            value={assignRole}
+            onChange={(e) => setAssignRole(e.target.value as CaseAssignmentRole)}
+            className="rounded-md border border-neutral-200 px-2 py-1.5 text-sm outline-none focus:border-neutral-400 focus:ring-1 focus:ring-neutral-400"
+          >
+            {(Object.keys(CASE_ASSIGNMENT_ROLE_LABELS) as CaseAssignmentRole[]).map(
+              (r) => (
+                <option key={r} value={r}>
+                  {CASE_ASSIGNMENT_ROLE_LABELS[r]}
+                </option>
+              ),
+            )}
+          </select>
+          <button
+            type="submit"
+            disabled={assignMutation.isPending || !selectedUser}
+            className="inline-flex items-center gap-1.5 rounded-md bg-neutral-900 px-3 py-1.5 text-sm font-medium text-white hover:bg-neutral-800 disabled:opacity-50"
+          >
+            <UserPlus className="h-3.5 w-3.5" />
+            Zuweisen
+          </button>
+        </form>
+      )}
+
+      {/* Assignments list */}
+      {assignments.length > 0 ? (
+        <div className="overflow-hidden rounded-md border border-neutral-200">
+          {assignments.map((a, i) => (
+            <div
+              key={a.id}
+              className={`flex items-center justify-between px-4 py-2.5 ${
+                i < assignments.length - 1 ? "border-b border-neutral-100" : ""
+              }`}
+            >
+              <div className="flex items-center gap-3">
+                <div className="flex h-7 w-7 items-center justify-center rounded-full bg-neutral-100">
+                  <Users className="h-3.5 w-3.5 text-neutral-500" />
+                </div>
+                <div>
+                  <p className="text-sm text-neutral-900">
+                    {a.user_id.slice(0, 8)}...
+                  </p>
+                  <p className="text-xs text-neutral-500">
+                    {CASE_ASSIGNMENT_ROLE_LABELS[a.role as CaseAssignmentRole] ??
+                      a.role}
+                  </p>
+                </div>
+              </div>
+              {canManage && (
+                <button
+                  onClick={() => unassignMutation.mutate(a.user_id)}
+                  disabled={unassignMutation.isPending}
+                  className="rounded-md p-1 text-neutral-400 hover:bg-red-50 hover:text-red-600 disabled:opacity-50"
+                  title="Zuweisung entfernen"
+                >
+                  <Trash2 className="h-3.5 w-3.5" />
+                </button>
+              )}
+            </div>
+          ))}
+        </div>
+      ) : (
+        <EmptyState
+          icon={Users}
+          title="Keine Zuweisungen"
+          description="Noch keine Mitarbeiter zugewiesen."
+        />
+      )}
+    </div>
+  );
+}

frontend/src/components/layout/Header.tsx

@@ -2,6 +2,7 @@
 
 import { createClient } from "@/lib/supabase/client";
 import { TenantSwitcher } from "./TenantSwitcher";
+import { NotificationBell } from "@/components/notifications/NotificationBell";
 import { LogOut } from "lucide-react";
 import { useRouter } from "next/navigation";
 import { useEffect, useState } from "react";
@@ -29,6 +30,7 @@ export function Header() {
       <div className="w-8 lg:w-0" />
       <div className="flex items-center gap-2 sm:gap-3">
         <TenantSwitcher />
+        <NotificationBell />
         {email && (
           <span className="hidden text-sm text-neutral-500 sm:inline">
             {email}

frontend/src/components/layout/Sidebar.tsx

@@ -11,21 +11,36 @@ import {
   Settings,
   Menu,
   X,
+  Receipt,
 } from "lucide-react";
 import { useState, useEffect } from "react";
+import { usePermissions } from "@/lib/hooks/usePermissions";
 
-const navigation = [
+interface NavItem {
+  name: string;
+  href: string;
+  icon: typeof LayoutDashboard;
+  permission?: string;
+}
+
+const allNavigation: NavItem[] = [
   { name: "Dashboard", href: "/dashboard", icon: LayoutDashboard },
   { name: "Akten", href: "/cases", icon: FolderOpen },
   { name: "Fristen", href: "/fristen", icon: Clock },
   { name: "Termine", href: "/termine", icon: Calendar },
-  { name: "AI Analyse", href: "/ai/extract", icon: Brain },
+  { name: "Abrechnung", href: "/abrechnung", icon: Receipt, permission: "manage_billing" },
-  { name: "Einstellungen", href: "/einstellungen", icon: Settings },
+  { name: "AI Analyse", href: "/ai/extract", icon: Brain, permission: "ai_extraction" },
+  { name: "Einstellungen", href: "/einstellungen", icon: Settings, permission: "manage_settings" },
 ];
 
 export function Sidebar() {
   const pathname = usePathname();
   const [mobileOpen, setMobileOpen] = useState(false);
+  const { can, isLoading: permLoading } = usePermissions();
+
+  const navigation = allNavigation.filter(
+    (item) => !item.permission || permLoading || can(item.permission),
+  );
 
   // Close on route change
   useEffect(() => {

frontend/src/components/notifications/NotificationBell.tsx

@@ -0,0 +1,205 @@
+"use client";
+
+import { useEffect, useRef, useState } from "react";
+import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
+import { Bell, Check, CheckCheck, ExternalLink } from "lucide-react";
+import { api } from "@/lib/api";
+import type { Notification, NotificationListResponse } from "@/lib/types";
+
+function getEntityLink(n: Notification): string | null {
+  if (!n.entity_type || !n.entity_id) return null;
+  switch (n.entity_type) {
+    case "deadline":
+      return `/fristen/${n.entity_id}`;
+    case "appointment":
+      return `/termine/${n.entity_id}`;
+    case "case":
+      return `/akten/${n.entity_id}`;
+    default:
+      return null;
+  }
+}
+
+function getTypeColor(type: Notification["type"]): string {
+  switch (type) {
+    case "deadline_overdue":
+      return "bg-red-500";
+    case "deadline_reminder":
+      return "bg-amber-500";
+    case "case_update":
+      return "bg-blue-500";
+    case "assignment":
+      return "bg-violet-500";
+    default:
+      return "bg-neutral-500";
+  }
+}
+
+function timeAgo(dateStr: string): string {
+  const now = new Date();
+  const date = new Date(dateStr);
+  const diffMs = now.getTime() - date.getTime();
+  const diffMin = Math.floor(diffMs / 60000);
+  if (diffMin < 1) return "gerade eben";
+  if (diffMin < 60) return `vor ${diffMin} Min.`;
+  const diffHours = Math.floor(diffMin / 60);
+  if (diffHours < 24) return `vor ${diffHours} Std.`;
+  const diffDays = Math.floor(diffHours / 24);
+  if (diffDays === 1) return "gestern";
+  return `vor ${diffDays} Tagen`;
+}
+
+export function NotificationBell() {
+  const [open, setOpen] = useState(false);
+  const panelRef = useRef<HTMLDivElement>(null);
+  const queryClient = useQueryClient();
+
+  const { data: unreadData } = useQuery({
+    queryKey: ["notifications-unread-count"],
+    queryFn: () =>
+      api.get<{ unread_count: number }>("/api/notifications/unread-count"),
+    refetchInterval: 30_000,
+  });
+
+  const { data: notifData } = useQuery({
+    queryKey: ["notifications"],
+    queryFn: () =>
+      api.get<NotificationListResponse>("/api/notifications?limit=20"),
+    enabled: open,
+  });
+
+  const markRead = useMutation({
+    mutationFn: (id: string) =>
+      api.patch(`/api/notifications/${id}/read`),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["notifications"] });
+      queryClient.invalidateQueries({
+        queryKey: ["notifications-unread-count"],
+      });
+    },
+  });
+
+  const markAllRead = useMutation({
+    mutationFn: () => api.patch("/api/notifications/read-all"),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["notifications"] });
+      queryClient.invalidateQueries({
+        queryKey: ["notifications-unread-count"],
+      });
+    },
+  });
+
+  // Close on click outside
+  useEffect(() => {
+    function handleClickOutside(e: MouseEvent) {
+      if (panelRef.current && !panelRef.current.contains(e.target as Node)) {
+        setOpen(false);
+      }
+    }
+    if (open) {
+      document.addEventListener("mousedown", handleClickOutside);
+    }
+    return () => document.removeEventListener("mousedown", handleClickOutside);
+  }, [open]);
+
+  const unreadCount = unreadData?.unread_count ?? 0;
+  const notifications = notifData?.data ?? [];
+
+  return (
+    <div className="relative" ref={panelRef}>
+      <button
+        onClick={() => setOpen(!open)}
+        className="relative rounded-md p-1.5 text-neutral-400 transition-colors hover:bg-neutral-100 hover:text-neutral-600"
+        title="Benachrichtigungen"
+      >
+        <Bell className="h-4 w-4" />
+        {unreadCount > 0 && (
+          <span className="absolute -right-0.5 -top-0.5 flex h-4 min-w-4 items-center justify-center rounded-full bg-red-500 px-1 text-[10px] font-bold text-white">
+            {unreadCount > 99 ? "99+" : unreadCount}
+          </span>
+        )}
+      </button>
+
+      {open && (
+        <div className="absolute right-0 top-full z-50 mt-2 w-80 rounded-xl border border-neutral-200 bg-white shadow-lg sm:w-96">
+          {/* Header */}
+          <div className="flex items-center justify-between border-b border-neutral-100 px-4 py-3">
+            <h3 className="text-sm font-semibold text-neutral-900">
+              Benachrichtigungen
+            </h3>
+            {unreadCount > 0 && (
+              <button
+                onClick={() => markAllRead.mutate()}
+                className="flex items-center gap-1 text-xs text-neutral-500 hover:text-neutral-700"
+              >
+                <CheckCheck className="h-3 w-3" />
+                Alle gelesen
+              </button>
+            )}
+          </div>
+
+          {/* Notification list */}
+          <div className="max-h-96 overflow-y-auto">
+            {notifications.length === 0 ? (
+              <div className="p-6 text-center text-sm text-neutral-400">
+                Keine Benachrichtigungen
+              </div>
+            ) : (
+              notifications.map((n) => {
+                const link = getEntityLink(n);
+                return (
+                  <div
+                    key={n.id}
+                    className={`flex items-start gap-3 border-b border-neutral-50 px-4 py-3 transition-colors last:border-0 ${
+                      n.read_at
+                        ? "bg-white"
+                        : "bg-blue-50/50"
+                    }`}
+                  >
+                    <div
+                      className={`mt-1.5 h-2 w-2 flex-shrink-0 rounded-full ${getTypeColor(n.type)}`}
+                    />
+                    <div className="min-w-0 flex-1">
+                      <p className="text-sm font-medium text-neutral-900 leading-snug">
+                        {n.title}
+                      </p>
+                      {n.body && (
+                        <p className="mt-0.5 text-xs text-neutral-500 line-clamp-2">
+                          {n.body}
+                        </p>
+                      )}
+                      <div className="mt-1.5 flex items-center gap-2">
+                        <span className="text-[11px] text-neutral-400">
+                          {timeAgo(n.created_at)}
+                        </span>
+                        {link && (
+                          <a
+                            href={link}
+                            onClick={() => setOpen(false)}
+                            className="flex items-center gap-0.5 text-[11px] text-blue-600 hover:text-blue-700"
+                          >
+                            <ExternalLink className="h-2.5 w-2.5" />
+                            Anzeigen
+                          </a>
+                        )}
+                      </div>
+                    </div>
+                    {!n.read_at && (
+                      <button
+                        onClick={() => markRead.mutate(n.id)}
+                        className="flex-shrink-0 rounded p-1 text-neutral-400 hover:bg-neutral-100 hover:text-neutral-600"
+                        title="Als gelesen markieren"
+                      >
+                        <Check className="h-3 w-3" />
+                      </button>
+                    )}
+                  </div>
+                );
+              })
+            )}
+          </div>
+        </div>
+      )}
+    </div>
+  );
+}

frontend/src/components/settings/NotificationSettings.tsx

@@ -0,0 +1,167 @@
+"use client";
+
+import { useState } from "react";
+import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
+import { api } from "@/lib/api";
+import type { NotificationPreferences } from "@/lib/types";
+
+const REMINDER_OPTIONS = [
+  { value: 14, label: "14 Tage" },
+  { value: 7, label: "7 Tage" },
+  { value: 3, label: "3 Tage" },
+  { value: 1, label: "1 Tag" },
+];
+
+export function NotificationSettings() {
+  const queryClient = useQueryClient();
+  const [saved, setSaved] = useState(false);
+
+  const { data: prefs, isLoading } = useQuery({
+    queryKey: ["notification-preferences"],
+    queryFn: () =>
+      api.get<NotificationPreferences>("/api/notification-preferences"),
+  });
+
+  const [reminderDays, setReminderDays] = useState<number[]>([]);
+  const [emailEnabled, setEmailEnabled] = useState(true);
+  const [dailyDigest, setDailyDigest] = useState(false);
+  const [initialized, setInitialized] = useState(false);
+
+  // Sync state from server once loaded
+  if (prefs && !initialized) {
+    setReminderDays(prefs.deadline_reminder_days);
+    setEmailEnabled(prefs.email_enabled);
+    setDailyDigest(prefs.daily_digest);
+    setInitialized(true);
+  }
+
+  const update = useMutation({
+    mutationFn: (input: {
+      deadline_reminder_days: number[];
+      email_enabled: boolean;
+      daily_digest: boolean;
+    }) => api.put<NotificationPreferences>("/api/notification-preferences", input),
+    onSuccess: () => {
+      queryClient.invalidateQueries({
+        queryKey: ["notification-preferences"],
+      });
+      setSaved(true);
+      setTimeout(() => setSaved(false), 2000);
+    },
+  });
+
+  function toggleDay(day: number) {
+    setReminderDays((prev) =>
+      prev.includes(day) ? prev.filter((d) => d !== day) : [...prev, day].sort((a, b) => b - a),
+    );
+  }
+
+  function handleSave() {
+    update.mutate({
+      deadline_reminder_days: reminderDays,
+      email_enabled: emailEnabled,
+      daily_digest: dailyDigest,
+    });
+  }
+
+  if (isLoading) {
+    return (
+      <div className="animate-pulse space-y-3">
+        <div className="h-4 w-48 rounded bg-neutral-200" />
+        <div className="h-8 w-full rounded bg-neutral-100" />
+        <div className="h-8 w-full rounded bg-neutral-100" />
+      </div>
+    );
+  }
+
+  return (
+    <div className="space-y-5">
+      {/* Reminder days */}
+      <div>
+        <p className="text-sm font-medium text-neutral-700">
+          Fristen-Erinnerungen
+        </p>
+        <p className="mt-0.5 text-xs text-neutral-500">
+          Erinnern Sie mich vor Fristablauf:
+        </p>
+        <div className="mt-2 flex flex-wrap gap-2">
+          {REMINDER_OPTIONS.map((opt) => (
+            <button
+              key={opt.value}
+              onClick={() => toggleDay(opt.value)}
+              className={`rounded-lg border px-3 py-1.5 text-sm transition-colors ${
+                reminderDays.includes(opt.value)
+                  ? "border-blue-500 bg-blue-50 text-blue-700"
+                  : "border-neutral-200 bg-white text-neutral-600 hover:border-neutral-300"
+              }`}
+            >
+              {opt.label}
+            </button>
+          ))}
+        </div>
+      </div>
+
+      {/* Email toggle */}
+      <label className="flex items-center justify-between">
+        <div>
+          <p className="text-sm font-medium text-neutral-700">
+            E-Mail-Benachrichtigungen
+          </p>
+          <p className="text-xs text-neutral-500">
+            Erinnerungen per E-Mail erhalten
+          </p>
+        </div>
+        <button
+          onClick={() => setEmailEnabled(!emailEnabled)}
+          className={`relative h-6 w-11 rounded-full transition-colors ${
+            emailEnabled ? "bg-blue-500" : "bg-neutral-300"
+          }`}
+        >
+          <span
+            className={`absolute left-0.5 top-0.5 h-5 w-5 rounded-full bg-white shadow transition-transform ${
+              emailEnabled ? "translate-x-5" : "translate-x-0"
+            }`}
+          />
+        </button>
+      </label>
+
+      {/* Daily digest toggle */}
+      <label className="flex items-center justify-between">
+        <div>
+          <p className="text-sm font-medium text-neutral-700">
+            Tagesübersicht
+          </p>
+          <p className="text-xs text-neutral-500">
+            Alle Benachrichtigungen gesammelt um 8:00 Uhr per E-Mail
+          </p>
+        </div>
+        <button
+          onClick={() => setDailyDigest(!dailyDigest)}
+          className={`relative h-6 w-11 rounded-full transition-colors ${
+            dailyDigest ? "bg-blue-500" : "bg-neutral-300"
+          }`}
+        >
+          <span
+            className={`absolute left-0.5 top-0.5 h-5 w-5 rounded-full bg-white shadow transition-transform ${
+              dailyDigest ? "translate-x-5" : "translate-x-0"
+            }`}
+          />
+        </button>
+      </label>
+
+      {/* Save */}
+      <div className="flex items-center gap-3 pt-2">
+        <button
+          onClick={handleSave}
+          disabled={update.isPending}
+          className="rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white hover:bg-neutral-800 disabled:opacity-50"
+        >
+          {update.isPending ? "Speichern..." : "Speichern"}
+        </button>
+        {saved && (
+          <span className="text-sm text-green-600">Gespeichert</span>
+        )}
+      </div>
+    </div>
+  );
+}

frontend/src/components/settings/TeamSettings.tsx

@@ -3,27 +3,36 @@
 import { useState } from "react";
 import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
 import { toast } from "sonner";
-import { UserPlus, Trash2, Shield, Crown, User } from "lucide-react";
+import { UserPlus, Trash2, Crown, Scale, Briefcase, FileText, Phone } from "lucide-react";
 import { api } from "@/lib/api";
-import type { UserTenant } from "@/lib/types";
+import type { UserTenant, UserRole } from "@/lib/types";
+import { ROLE_LABELS } from "@/lib/types";
 import { Skeleton } from "@/components/ui/Skeleton";
 import { EmptyState } from "@/components/ui/EmptyState";
+import { usePermissions } from "@/lib/hooks/usePermissions";
 
-const ROLE_LABELS: Record<string, { label: string; icon: typeof Crown }> = {
+const ROLE_CONFIG: Record<UserRole, { label: string; icon: typeof Crown }> = {
-  owner: { label: "Eigentümer", icon: Crown },
+  owner: { label: ROLE_LABELS.owner, icon: Crown },
-  admin: { label: "Administrator", icon: Shield },
+  partner: { label: ROLE_LABELS.partner, icon: Scale },
-  member: { label: "Mitglied", icon: User },
+  associate: { label: ROLE_LABELS.associate, icon: Briefcase },
+  paralegal: { label: ROLE_LABELS.paralegal, icon: FileText },
+  secretary: { label: ROLE_LABELS.secretary, icon: Phone },
 };
 
+const INVITE_ROLES: UserRole[] = ["partner", "associate", "paralegal", "secretary"];
+
 export function TeamSettings() {
   const queryClient = useQueryClient();
+  const { can, role: myRole } = usePermissions();
   const tenantId =
     typeof window !== "undefined"
       ? localStorage.getItem("kanzlai_tenant_id")
       : null;
 
   const [email, setEmail] = useState("");
-  const [role, setRole] = useState("member");
+  const [role, setRole] = useState<string>("associate");
+
+  const canManageTeam = can("manage_team");
 
   const {
     data: members,
@@ -42,7 +51,7 @@ export function TeamSettings() {
     onSuccess: () => {
       queryClient.invalidateQueries({ queryKey: ["tenant-members"] });
       setEmail("");
-      setRole("member");
+      setRole("associate");
       toast.success("Benutzer eingeladen");
     },
     onError: (err: { error?: string }) => {
@@ -62,6 +71,19 @@ export function TeamSettings() {
     },
   });
 
+  const updateRoleMutation = useMutation({
+    mutationFn: ({ userId, newRole }: { userId: string; newRole: string }) =>
+      api.put(`/tenants/${tenantId}/members/${userId}/role`, { role: newRole }),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["tenant-members"] });
+      queryClient.invalidateQueries({ queryKey: ["me"] });
+      toast.success("Rolle aktualisiert");
+    },
+    onError: (err: { error?: string }) => {
+      toast.error(err.error || "Fehler beim Aktualisieren der Rolle");
+    },
+  });
+
   const handleInvite = (e: React.FormEvent) => {
     e.preventDefault();
     if (!email.trim()) return;
@@ -81,7 +103,7 @@ export function TeamSettings() {
   if (error) {
     return (
       <EmptyState
-        icon={User}
+        icon={Briefcase}
         title="Fehler beim Laden"
         description="Team-Mitglieder konnten nicht geladen werden."
       />
@@ -90,38 +112,44 @@ export function TeamSettings() {
 
   return (
     <div className="space-y-6">
-      {/* Invite Form */}
+      {/* Invite Form — only for owners/partners */}
-      <form onSubmit={handleInvite} className="flex flex-col gap-3 sm:flex-row">
+      {canManageTeam && (
-        <input
+        <form onSubmit={handleInvite} className="flex flex-col gap-3 sm:flex-row">
-          type="email"
+          <input
-          value={email}
+            type="email"
-          onChange={(e) => setEmail(e.target.value)}
+            value={email}
-          placeholder="name@example.com"
+            onChange={(e) => setEmail(e.target.value)}
-          className="flex-1 rounded-md border border-neutral-200 px-3 py-1.5 text-sm outline-none focus:border-neutral-400 focus:ring-1 focus:ring-neutral-400"
+            placeholder="name@example.com"
-        />
+            className="flex-1 rounded-md border border-neutral-200 px-3 py-1.5 text-sm outline-none focus:border-neutral-400 focus:ring-1 focus:ring-neutral-400"
-        <select
+          />
-          value={role}
+          <select
-          onChange={(e) => setRole(e.target.value)}
+            value={role}
-          className="rounded-md border border-neutral-200 px-2 py-1.5 text-sm outline-none focus:border-neutral-400 focus:ring-1 focus:ring-neutral-400"
+            onChange={(e) => setRole(e.target.value)}
-        >
+            className="rounded-md border border-neutral-200 px-2 py-1.5 text-sm outline-none focus:border-neutral-400 focus:ring-1 focus:ring-neutral-400"
-          <option value="member">Mitglied</option>
+          >
-          <option value="admin">Administrator</option>
+            {INVITE_ROLES.map((r) => (
-        </select>
+              <option key={r} value={r}>
-        <button
+                {ROLE_LABELS[r]}
-          type="submit"
+              </option>
-          disabled={inviteMutation.isPending || !email.trim()}
+            ))}
-          className="inline-flex items-center gap-1.5 rounded-md bg-neutral-900 px-4 py-1.5 text-sm font-medium text-white hover:bg-neutral-800 disabled:opacity-50"
+          </select>
-        >
+          <button
-          <UserPlus className="h-3.5 w-3.5" />
+            type="submit"
-          {inviteMutation.isPending ? "Einladen..." : "Einladen"}
+            disabled={inviteMutation.isPending || !email.trim()}
-        </button>
+            className="inline-flex items-center gap-1.5 rounded-md bg-neutral-900 px-4 py-1.5 text-sm font-medium text-white hover:bg-neutral-800 disabled:opacity-50"
-      </form>
+          >
+            <UserPlus className="h-3.5 w-3.5" />
+            {inviteMutation.isPending ? "Einladen..." : "Einladen"}
+          </button>
+        </form>
+      )}
 
       {/* Members List */}
       {Array.isArray(members) && members.length > 0 ? (
         <div className="overflow-hidden rounded-md border border-neutral-200">
           {members.map((member, i) => {
-            const roleInfo = ROLE_LABELS[member.role] || ROLE_LABELS.member;
+            const roleKey = (member.role as UserRole) || "associate";
+            const roleInfo = ROLE_CONFIG[roleKey] || ROLE_CONFIG.associate;
             const RoleIcon = roleInfo.icon;
             return (
               <div
@@ -141,23 +169,48 @@ export function TeamSettings() {
                     <p className="text-xs text-neutral-500">{roleInfo.label}</p>
                   </div>
                 </div>
-                {member.role !== "owner" && (
+                <div className="flex items-center gap-2">
-                  <button
+                  {/* Role dropdown — only for owners/partners, not for the member's own row if they are owner */}
-                    onClick={() => removeMutation.mutate(member.user_id)}
+                  {canManageTeam && member.role !== "owner" && (
-                    disabled={removeMutation.isPending}
+                    <select
-                    className="rounded-md p-1.5 text-neutral-400 hover:bg-red-50 hover:text-red-600 disabled:opacity-50"
+                      value={member.role}
-                    title="Mitglied entfernen"
+                      onChange={(e) =>
-                  >
+                        updateRoleMutation.mutate({
-                    <Trash2 className="h-4 w-4" />
+                          userId: member.user_id,
-                  </button>
+                          newRole: e.target.value,
-                )}
+                        })
+                      }
+                      disabled={updateRoleMutation.isPending}
+                      className="rounded-md border border-neutral-200 px-2 py-1 text-xs outline-none focus:border-neutral-400 focus:ring-1 focus:ring-neutral-400"
+                    >
+                      {myRole === "owner" && (
+                        <option value="owner">{ROLE_LABELS.owner}</option>
+                      )}
+                      {INVITE_ROLES.map((r) => (
+                        <option key={r} value={r}>
+                          {ROLE_LABELS[r]}
+                        </option>
+                      ))}
+                    </select>
+                  )}
+                  {canManageTeam && member.role !== "owner" && (
+                    <button
+                      onClick={() => removeMutation.mutate(member.user_id)}
+                      disabled={removeMutation.isPending}
+                      className="rounded-md p-1.5 text-neutral-400 hover:bg-red-50 hover:text-red-600 disabled:opacity-50"
+                      title="Mitglied entfernen"
+                    >
+                      <Trash2 className="h-4 w-4" />
+                    </button>
+                  )}
+                </div>
               </div>
             );
           })}
         </div>
       ) : (
         <EmptyState
-          icon={User}
+          icon={Briefcase}
           title="Noch keine Mitglieder"
           description="Laden Sie Teammitglieder per E-Mail ein."
         />

frontend/src/lib/hooks/usePermissions.ts

@@ -0,0 +1,29 @@
+"use client";
+
+import { useQuery } from "@tanstack/react-query";
+import { api } from "@/lib/api";
+import type { UserInfo } from "@/lib/types";
+
+export function usePermissions() {
+  const { data, isLoading } = useQuery({
+    queryKey: ["me"],
+    queryFn: () => api.get<UserInfo>("/me"),
+    staleTime: 60 * 1000,
+  });
+
+  const role = data?.role ?? null;
+  const permissions = data?.permissions ?? [];
+
+  function can(permission: string): boolean {
+    return permissions.includes(permission);
+  }
+
+  return {
+    role,
+    permissions,
+    can,
+    isLoading,
+    userId: data?.user_id ?? null,
+    tenantId: data?.tenant_id ?? null,
+  };
+}

frontend/src/lib/types.ts

@@ -189,6 +189,159 @@ export interface Note {
   updated_at: string;
 }
 
+export interface CaseAssignment {
+  id: string;
+  case_id: string;
+  user_id: string;
+  role: string;
+  assigned_at: string;
+}
+
+export interface UserInfo {
+  user_id: string;
+  tenant_id: string;
+  role: UserRole;
+  permissions: string[];
+}
+
+export type UserRole = "owner" | "partner" | "associate" | "paralegal" | "secretary";
+
+export const ROLE_LABELS: Record<UserRole, string> = {
+  owner: "Inhaber",
+  partner: "Partner",
+  associate: "Anwalt",
+  paralegal: "Paralegal",
+  secretary: "Sekretariat",
+};
+
+export const CASE_ASSIGNMENT_ROLES = ["lead", "team", "viewer"] as const;
+export type CaseAssignmentRole = (typeof CASE_ASSIGNMENT_ROLES)[number];
+
+export const CASE_ASSIGNMENT_ROLE_LABELS: Record<CaseAssignmentRole, string> = {
+  lead: "Federführend",
+  team: "Team",
+  viewer: "Einsicht",
+};
+
+// Time tracking & billing
+
+export interface TimeEntry {
+  id: string;
+  tenant_id: string;
+  case_id: string;
+  user_id: string;
+  date: string;
+  duration_minutes: number;
+  description: string;
+  activity?: string;
+  billable: boolean;
+  billed: boolean;
+  invoice_id?: string;
+  hourly_rate?: number;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface BillingRate {
+  id: string;
+  tenant_id: string;
+  user_id?: string;
+  rate: number;
+  currency: string;
+  valid_from: string;
+  valid_to?: string;
+  created_at: string;
+}
+
+export interface InvoiceItem {
+  description: string;
+  duration_minutes?: number;
+  hourly_rate?: number;
+  amount: number;
+  time_entry_id?: string;
+}
+
+export interface Invoice {
+  id: string;
+  tenant_id: string;
+  case_id: string;
+  invoice_number: string;
+  client_name: string;
+  client_address?: string;
+  items: InvoiceItem[];
+  subtotal: number;
+  tax_rate: number;
+  tax_amount: number;
+  total: number;
+  status: "draft" | "sent" | "paid" | "cancelled";
+  issued_at?: string;
+  due_at?: string;
+  paid_at?: string;
+  notes?: string;
+  created_by: string;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface TimeEntrySummary {
+  group_key: string;
+  total_minutes: number;
+  billable_minutes: number;
+  total_amount: number;
+  entry_count: number;
+}
+
+// Notifications
+export interface Notification {
+  id: string;
+  tenant_id: string;
+  user_id: string;
+  type: string;
+  title: string;
+  body?: string;
+  entity_type?: string;
+  entity_id?: string;
+  sent_at?: string;
+  read_at?: string;
+  created_at: string;
+}
+
+export interface NotificationPreferences {
+  user_id: string;
+  tenant_id: string;
+  deadline_reminder_days: number[];
+  email_enabled: boolean;
+  daily_digest: boolean;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface NotificationListResponse {
+  notifications: Notification[];
+  data: Notification[];
+  total: number;
+}
+
+// Audit log
+export interface AuditLogEntry {
+  id: number;
+  tenant_id: string;
+  user_id?: string;
+  action: string;
+  entity_type: string;
+  entity_id?: string;
+  old_values?: Record<string, unknown>;
+  new_values?: Record<string, unknown>;
+  ip_address?: string;
+  user_agent?: string;
+  created_at: string;
+}
+
+export interface AuditLogResponse {
+  entries: AuditLogEntry[];
+  total: number;
+}
+
 export interface ApiError {
   error: string;
   status: number;