feat: email notifications + deadline reminder system

Database: - notification_preferences table (user_id, tenant_id, reminder days, email/digest toggles) - notifications table (type, entity link, read/sent tracking, dedup index) Backend: - NotificationService with background goroutine checking reminders hourly - CheckDeadlineReminders: finds deadlines due in N days per user prefs, creates notifications - Overdue deadline detection and notification - Daily digest at 8am: compiles pending notifications into one email - SendEmail via `m mail send` CLI command - Deduplication: same notification type + entity + day = skip - API: GET/PATCH notifications, unread count, mark read/all-read - API: GET/PUT notification-preferences with upsert Frontend: - NotificationBell in header with unread count badge (polls every 30s) - Dropdown panel with notification list, type-colored dots, time-ago, entity links - Mark individual/all as read - NotificationSettings in Einstellungen page: reminder day toggles, email toggle, digest toggle
2026-03-30 11:03:17 +02:00
29 changed files with 1315 additions and 365 deletions
--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -36,7 +36,12 @@ func main() {
 	calDAVSvc.Start()
 	defer calDAVSvc.Stop()

-	handler := router.New(database, authMW, cfg, calDAVSvc)
+	// Start notification reminder service
+	notifSvc := services.NewNotificationService(database)
+	notifSvc.Start()
+	defer notifSvc.Stop()
+
+	handler := router.New(database, authMW, cfg, calDAVSvc, notifSvc)

 	slog.Info("starting KanzlAI API server", "port", cfg.Port)
 	if err := http.ListenAndServe(":"+cfg.Port, handler); err != nil {
--- a/backend/internal/auth/middleware.go
+++ b/backend/internal/auth/middleware.go
@@ -24,19 +24,28 @@ func (m *Middleware) RequireAuth(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		token := extractBearerToken(r)
 		if token == "" {
-			http.Error(w, `{"error":"missing authorization token"}`, http.StatusUnauthorized)
+			http.Error(w, "missing authorization token", http.StatusUnauthorized)
 			return
 		}

 		userID, err := m.verifyJWT(token)
 		if err != nil {
-			http.Error(w, `{"error":"invalid token"}`, http.StatusUnauthorized)
+			http.Error(w, fmt.Sprintf("invalid token: %v", err), http.StatusUnauthorized)
 			return
 		}

 		ctx := ContextWithUserID(r.Context(), userID)
-		// Tenant resolution is handled by TenantResolver middleware for scoped routes.
-		// Tenant management routes handle their own access control.
+
+		// Resolve tenant from user_tenants
+		var tenantID uuid.UUID
+		err = m.db.GetContext(r.Context(), &tenantID,
+			"SELECT tenant_id FROM user_tenants WHERE user_id = $1 LIMIT 1", userID)
+		if err != nil {
+			http.Error(w, "no tenant found for user", http.StatusForbidden)
+			return
+		}
+		ctx = ContextWithTenantID(ctx, tenantID)
+
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }
--- a/backend/internal/auth/tenant_resolver.go
+++ b/backend/internal/auth/tenant_resolver.go
@@ -2,21 +2,20 @@ package auth

 import (
 	"context"
-	"log/slog"
+	"fmt"
 	"net/http"

 	"github.com/google/uuid"
 )

-// TenantLookup resolves and verifies tenant access for a user.
+// TenantLookup resolves the default tenant for a user.
 // Defined as an interface to avoid circular dependency with services.
 type TenantLookup interface {
 	FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error)
-	VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error)
 }

 // TenantResolver is middleware that resolves the tenant from X-Tenant-ID header
-// or defaults to the user's first tenant. Always verifies user has access.
+// or defaults to the user's first tenant.
 type TenantResolver struct {
 	lookup TenantLookup
 }
@@ -29,7 +28,7 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		userID, ok := UserFromContext(r.Context())
 		if !ok {
-			http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
+			http.Error(w, "unauthorized", http.StatusUnauthorized)
 			return
 		}

@@ -38,33 +37,19 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
 		if header := r.Header.Get("X-Tenant-ID"); header != "" {
 			parsed, err := uuid.Parse(header)
 			if err != nil {
-				http.Error(w, `{"error":"invalid X-Tenant-ID"}`, http.StatusBadRequest)
+				http.Error(w, fmt.Sprintf("invalid X-Tenant-ID: %v", err), http.StatusBadRequest)
 				return
 			}
-
-			// Verify user has access to this tenant
-			hasAccess, err := tr.lookup.VerifyAccess(r.Context(), userID, parsed)
-			if err != nil {
-				slog.Error("tenant access check failed", "error", err, "user_id", userID, "tenant_id", parsed)
-				http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
-				return
-			}
-			if !hasAccess {
-				http.Error(w, `{"error":"no access to tenant"}`, http.StatusForbidden)
-				return
-			}
-
 			tenantID = parsed
 		} else {
 			// Default to user's first tenant
 			first, err := tr.lookup.FirstTenantForUser(r.Context(), userID)
 			if err != nil {
-				slog.Error("failed to resolve default tenant", "error", err, "user_id", userID)
-				http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
+				http.Error(w, fmt.Sprintf("resolving tenant: %v", err), http.StatusInternalServerError)
 				return
 			}
 			if first == nil {
-				http.Error(w, `{"error":"no tenant found for user"}`, http.StatusBadRequest)
+				http.Error(w, "no tenant found for user", http.StatusBadRequest)
 				return
 			}
 			tenantID = *first
--- a/backend/internal/auth/tenant_resolver_test.go
+++ b/backend/internal/auth/tenant_resolver_test.go
@@ -10,23 +10,17 @@ import (
 )

 type mockTenantLookup struct {
-	tenantID  *uuid.UUID
-	err       error
-	hasAccess bool
-	accessErr error
+	tenantID *uuid.UUID
+	err      error
 }

 func (m *mockTenantLookup) FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error) {
 	return m.tenantID, m.err
 }

-func (m *mockTenantLookup) VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error) {
-	return m.hasAccess, m.accessErr
-}
-
 func TestTenantResolver_FromHeader(t *testing.T) {
 	tenantID := uuid.New()
-	tr := NewTenantResolver(&mockTenantLookup{hasAccess: true})
+	tr := NewTenantResolver(&mockTenantLookup{})

 	var gotTenantID uuid.UUID
 	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -53,26 +47,6 @@ func TestTenantResolver_FromHeader(t *testing.T) {
 	}
 }

-func TestTenantResolver_FromHeader_NoAccess(t *testing.T) {
-	tenantID := uuid.New()
-	tr := NewTenantResolver(&mockTenantLookup{hasAccess: false})
-
-	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		t.Fatal("next should not be called")
-	})
-
-	r := httptest.NewRequest("GET", "/api/cases", nil)
-	r.Header.Set("X-Tenant-ID", tenantID.String())
-	r = r.WithContext(ContextWithUserID(r.Context(), uuid.New()))
-	w := httptest.NewRecorder()
-
-	tr.Resolve(next).ServeHTTP(w, r)
-
-	if w.Code != http.StatusForbidden {
-		t.Errorf("expected 403, got %d", w.Code)
-	}
-}
-
 func TestTenantResolver_DefaultsToFirst(t *testing.T) {
 	tenantID := uuid.New()
 	tr := NewTenantResolver(&mockTenantLookup{tenantID: &tenantID})
--- a/backend/internal/config/config.go
+++ b/backend/internal/config/config.go
@@ -13,7 +13,6 @@ type Config struct {
 	SupabaseServiceKey string
 	SupabaseJWTSecret string
 	AnthropicAPIKey   string
-	FrontendOrigin    string
 }

 func Load() (*Config, error) {
@@ -25,7 +24,6 @@ func Load() (*Config, error) {
 		SupabaseServiceKey: os.Getenv("SUPABASE_SERVICE_KEY"),
 		SupabaseJWTSecret: os.Getenv("SUPABASE_JWT_SECRET"),
 		AnthropicAPIKey:  os.Getenv("ANTHROPIC_API_KEY"),
-		FrontendOrigin:   getEnv("FRONTEND_ORIGIN", "https://kanzlai.msbls.de"),
 	}

 	if cfg.DatabaseURL == "" {
--- a/backend/internal/handlers/ai.go
+++ b/backend/internal/handlers/ai.go
@@ -5,16 +5,18 @@ import (
 	"io"
 	"net/http"

-	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"github.com/jmoiron/sqlx"
+
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
 )

 type AIHandler struct {
 	ai *services.AIService
+	db *sqlx.DB
 }

-func NewAIHandler(ai *services.AIService) *AIHandler {
-	return &AIHandler{ai: ai}
+func NewAIHandler(ai *services.AIService, db *sqlx.DB) *AIHandler {
+	return &AIHandler{ai: ai, db: db}
 }

 // ExtractDeadlines handles POST /api/ai/extract-deadlines
@@ -59,14 +61,10 @@ func (h *AIHandler) ExtractDeadlines(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "provide either a PDF file or text")
 		return
 	}
-	if len(text) > maxDescriptionLen {
-		writeError(w, http.StatusBadRequest, "text exceeds maximum length")
-		return
-	}

 	deadlines, err := h.ai.ExtractDeadlines(r.Context(), pdfData, text)
 	if err != nil {
-		internalError(w, "AI deadline extraction failed", err)
+		writeError(w, http.StatusInternalServerError, "AI extraction failed: "+err.Error())
 		return
 	}

@@ -79,9 +77,9 @@ func (h *AIHandler) ExtractDeadlines(w http.ResponseWriter, r *http.Request) {
 // SummarizeCase handles POST /api/ai/summarize-case
 // Accepts JSON {"case_id": "uuid"}.
 func (h *AIHandler) SummarizeCase(w http.ResponseWriter, r *http.Request) {
-	tenantID, ok := auth.TenantFromContext(r.Context())
-	if !ok {
-		writeError(w, http.StatusForbidden, "missing tenant")
+	tenantID, err := resolveTenant(r, h.db)
+	if err != nil {
+		handleTenantError(w, err)
 		return
 	}

@@ -106,7 +104,7 @@ func (h *AIHandler) SummarizeCase(w http.ResponseWriter, r *http.Request) {

 	summary, err := h.ai.SummarizeCase(r.Context(), tenantID, caseID)
 	if err != nil {
-		internalError(w, "AI case summarization failed", err)
+		writeError(w, http.StatusInternalServerError, "AI summarization failed: "+err.Error())
 		return
 	}

--- a/backend/internal/handlers/ai_handler_test.go
+++ b/backend/internal/handlers/ai_handler_test.go
@@ -42,7 +42,7 @@ func TestAIExtractDeadlines_InvalidJSON(t *testing.T) {
 	}
 }

-func TestAISummarizeCase_MissingTenant(t *testing.T) {
+func TestAISummarizeCase_MissingCaseID(t *testing.T) {
 	h := &AIHandler{}

 	body := `{"case_id":""}`
@@ -52,9 +52,9 @@ func TestAISummarizeCase_MissingTenant(t *testing.T) {

 	h.SummarizeCase(w, r)

-	// Without tenant context, TenantFromContext returns !ok → 403
-	if w.Code != http.StatusForbidden {
-		t.Errorf("expected 403, got %d", w.Code)
+	// Without auth context, the resolveTenant will fail first
+	if w.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", w.Code)
 	}
 }

@@ -67,8 +67,8 @@ func TestAISummarizeCase_InvalidJSON(t *testing.T) {

 	h.SummarizeCase(w, r)

-	// Without tenant context, TenantFromContext returns !ok → 403
-	if w.Code != http.StatusForbidden {
-		t.Errorf("expected 403, got %d", w.Code)
+	// Without auth context, the resolveTenant will fail first
+	if w.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", w.Code)
 	}
 }
--- a/backend/internal/handlers/appointments.go
+++ b/backend/internal/handlers/appointments.go
@@ -121,10 +121,6 @@ func (h *AppointmentHandler) Create(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "title is required")
 		return
 	}
-	if msg := validateStringLength("title", req.Title, maxTitleLen); msg != "" {
-		writeError(w, http.StatusBadRequest, msg)
-		return
-	}
 	if req.StartAt.IsZero() {
 		writeError(w, http.StatusBadRequest, "start_at is required")
 		return
@@ -192,10 +188,6 @@ func (h *AppointmentHandler) Update(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "title is required")
 		return
 	}
-	if msg := validateStringLength("title", req.Title, maxTitleLen); msg != "" {
-		writeError(w, http.StatusBadRequest, msg)
-		return
-	}
 	if req.StartAt.IsZero() {
 		writeError(w, http.StatusBadRequest, "start_at is required")
 		return
--- a/backend/internal/handlers/caldav.go
+++ b/backend/internal/handlers/caldav.go
@@ -27,7 +27,7 @@ func (h *CalDAVHandler) TriggerSync(w http.ResponseWriter, r *http.Request) {

 	cfg, err := h.svc.LoadTenantConfig(tenantID)
 	if err != nil {
-		writeError(w, http.StatusBadRequest, "CalDAV not configured for this tenant")
+		writeError(w, http.StatusBadRequest, err.Error())
 		return
 	}

--- a/backend/internal/handlers/cases.go
+++ b/backend/internal/handlers/cases.go
@@ -28,25 +28,18 @@ func (h *CaseHandler) List(w http.ResponseWriter, r *http.Request) {

 	limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
 	offset, _ := strconv.Atoi(r.URL.Query().Get("offset"))
-	limit, offset = clampPagination(limit, offset)
-
-	search := r.URL.Query().Get("search")
-	if msg := validateStringLength("search", search, maxSearchLen); msg != "" {
-		writeError(w, http.StatusBadRequest, msg)
-		return
-	}

 	filter := services.CaseFilter{
 		Status: r.URL.Query().Get("status"),
 		Type:   r.URL.Query().Get("type"),
-		Search: search,
+		Search: r.URL.Query().Get("search"),
 		Limit:  limit,
 		Offset: offset,
 	}

 	cases, total, err := h.svc.List(r.Context(), tenantID, filter)
 	if err != nil {
-		internalError(w, "failed to list cases", err)
+		writeError(w, http.StatusInternalServerError, err.Error())
 		return
 	}

@@ -73,18 +66,10 @@ func (h *CaseHandler) Create(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "case_number and title are required")
 		return
 	}
-	if msg := validateStringLength("case_number", input.CaseNumber, maxCaseNumberLen); msg != "" {
-		writeError(w, http.StatusBadRequest, msg)
-		return
-	}
-	if msg := validateStringLength("title", input.Title, maxTitleLen); msg != "" {
-		writeError(w, http.StatusBadRequest, msg)
-		return
-	}

 	c, err := h.svc.Create(r.Context(), tenantID, userID, input)
 	if err != nil {
-		internalError(w, "failed to create case", err)
+		writeError(w, http.StatusInternalServerError, err.Error())
 		return
 	}

@@ -106,7 +91,7 @@ func (h *CaseHandler) Get(w http.ResponseWriter, r *http.Request) {

 	detail, err := h.svc.GetByID(r.Context(), tenantID, caseID)
 	if err != nil {
-		internalError(w, "failed to get case", err)
+		writeError(w, http.StatusInternalServerError, err.Error())
 		return
 	}
 	if detail == nil {
@@ -136,22 +121,10 @@ func (h *CaseHandler) Update(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "invalid JSON body")
 		return
 	}
-	if input.Title != nil {
-		if msg := validateStringLength("title", *input.Title, maxTitleLen); msg != "" {
-			writeError(w, http.StatusBadRequest, msg)
-			return
-		}
-	}
-	if input.CaseNumber != nil {
-		if msg := validateStringLength("case_number", *input.CaseNumber, maxCaseNumberLen); msg != "" {
-			writeError(w, http.StatusBadRequest, msg)
-			return
-		}
-	}

 	updated, err := h.svc.Update(r.Context(), tenantID, caseID, userID, input)
 	if err != nil {
-		internalError(w, "failed to update case", err)
+		writeError(w, http.StatusInternalServerError, err.Error())
 		return
 	}
 	if updated == nil {
--- a/backend/internal/handlers/dashboard.go
+++ b/backend/internal/handlers/dashboard.go
@@ -24,7 +24,7 @@ func (h *DashboardHandler) Get(w http.ResponseWriter, r *http.Request) {

 	data, err := h.svc.Get(r.Context(), tenantID)
 	if err != nil {
-		internalError(w, "failed to load dashboard", err)
+		writeError(w, http.StatusInternalServerError, err.Error())
 		return
 	}

--- a/backend/internal/handlers/deadlines.go
+++ b/backend/internal/handlers/deadlines.go
@@ -4,25 +4,27 @@ import (
 	"encoding/json"
 	"net/http"

-	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"github.com/jmoiron/sqlx"
+
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
 )

 // DeadlineHandlers holds handlers for deadline CRUD endpoints
 type DeadlineHandlers struct {
 	deadlines *services.DeadlineService
+	db        *sqlx.DB
 }

 // NewDeadlineHandlers creates deadline handlers
-func NewDeadlineHandlers(ds *services.DeadlineService) *DeadlineHandlers {
-	return &DeadlineHandlers{deadlines: ds}
+func NewDeadlineHandlers(ds *services.DeadlineService, db *sqlx.DB) *DeadlineHandlers {
+	return &DeadlineHandlers{deadlines: ds, db: db}
 }

 // Get handles GET /api/deadlines/{deadlineID}
 func (h *DeadlineHandlers) Get(w http.ResponseWriter, r *http.Request) {
-	tenantID, ok := auth.TenantFromContext(r.Context())
-	if !ok {
-		writeError(w, http.StatusForbidden, "missing tenant")
+	tenantID, err := resolveTenant(r, h.db)
+	if err != nil {
+		handleTenantError(w, err)
 		return
 	}

@@ -34,7 +36,7 @@ func (h *DeadlineHandlers) Get(w http.ResponseWriter, r *http.Request) {

 	deadline, err := h.deadlines.GetByID(tenantID, deadlineID)
 	if err != nil {
-		internalError(w, "failed to fetch deadline", err)
+		writeError(w, http.StatusInternalServerError, "failed to fetch deadline")
 		return
 	}
 	if deadline == nil {
@@ -47,15 +49,15 @@ func (h *DeadlineHandlers) Get(w http.ResponseWriter, r *http.Request) {

 // ListAll handles GET /api/deadlines
 func (h *DeadlineHandlers) ListAll(w http.ResponseWriter, r *http.Request) {
-	tenantID, ok := auth.TenantFromContext(r.Context())
-	if !ok {
-		writeError(w, http.StatusForbidden, "missing tenant")
+	tenantID, err := resolveTenant(r, h.db)
+	if err != nil {
+		handleTenantError(w, err)
 		return
 	}

 	deadlines, err := h.deadlines.ListAll(tenantID)
 	if err != nil {
-		internalError(w, "failed to list deadlines", err)
+		writeError(w, http.StatusInternalServerError, "failed to list deadlines")
 		return
 	}

@@ -64,9 +66,9 @@ func (h *DeadlineHandlers) ListAll(w http.ResponseWriter, r *http.Request) {

 // ListForCase handles GET /api/cases/{caseID}/deadlines
 func (h *DeadlineHandlers) ListForCase(w http.ResponseWriter, r *http.Request) {
-	tenantID, ok := auth.TenantFromContext(r.Context())
-	if !ok {
-		writeError(w, http.StatusForbidden, "missing tenant")
+	tenantID, err := resolveTenant(r, h.db)
+	if err != nil {
+		handleTenantError(w, err)
 		return
 	}

@@ -78,7 +80,7 @@ func (h *DeadlineHandlers) ListForCase(w http.ResponseWriter, r *http.Request) {

 	deadlines, err := h.deadlines.ListForCase(tenantID, caseID)
 	if err != nil {
-		internalError(w, "failed to list deadlines for case", err)
+		writeError(w, http.StatusInternalServerError, "failed to list deadlines")
 		return
 	}

@@ -87,9 +89,9 @@ func (h *DeadlineHandlers) ListForCase(w http.ResponseWriter, r *http.Request) {

 // Create handles POST /api/cases/{caseID}/deadlines
 func (h *DeadlineHandlers) Create(w http.ResponseWriter, r *http.Request) {
-	tenantID, ok := auth.TenantFromContext(r.Context())
-	if !ok {
-		writeError(w, http.StatusForbidden, "missing tenant")
+	tenantID, err := resolveTenant(r, h.db)
+	if err != nil {
+		handleTenantError(w, err)
 		return
 	}

@@ -110,14 +112,10 @@ func (h *DeadlineHandlers) Create(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "title and due_date are required")
 		return
 	}
-	if msg := validateStringLength("title", input.Title, maxTitleLen); msg != "" {
-		writeError(w, http.StatusBadRequest, msg)
-		return
-	}

 	deadline, err := h.deadlines.Create(tenantID, input)
 	if err != nil {
-		internalError(w, "failed to create deadline", err)
+		writeError(w, http.StatusInternalServerError, "failed to create deadline")
 		return
 	}

@@ -126,9 +124,9 @@ func (h *DeadlineHandlers) Create(w http.ResponseWriter, r *http.Request) {

 // Update handles PUT /api/deadlines/{deadlineID}
 func (h *DeadlineHandlers) Update(w http.ResponseWriter, r *http.Request) {
-	tenantID, ok := auth.TenantFromContext(r.Context())
-	if !ok {
-		writeError(w, http.StatusForbidden, "missing tenant")
+	tenantID, err := resolveTenant(r, h.db)
+	if err != nil {
+		handleTenantError(w, err)
 		return
 	}

@@ -146,7 +144,7 @@ func (h *DeadlineHandlers) Update(w http.ResponseWriter, r *http.Request) {

 	deadline, err := h.deadlines.Update(tenantID, deadlineID, input)
 	if err != nil {
-		internalError(w, "failed to update deadline", err)
+		writeError(w, http.StatusInternalServerError, "failed to update deadline")
 		return
 	}
 	if deadline == nil {
@@ -159,9 +157,9 @@ func (h *DeadlineHandlers) Update(w http.ResponseWriter, r *http.Request) {

 // Complete handles PATCH /api/deadlines/{deadlineID}/complete
 func (h *DeadlineHandlers) Complete(w http.ResponseWriter, r *http.Request) {
-	tenantID, ok := auth.TenantFromContext(r.Context())
-	if !ok {
-		writeError(w, http.StatusForbidden, "missing tenant")
+	tenantID, err := resolveTenant(r, h.db)
+	if err != nil {
+		handleTenantError(w, err)
 		return
 	}

@@ -173,7 +171,7 @@ func (h *DeadlineHandlers) Complete(w http.ResponseWriter, r *http.Request) {

 	deadline, err := h.deadlines.Complete(tenantID, deadlineID)
 	if err != nil {
-		internalError(w, "failed to complete deadline", err)
+		writeError(w, http.StatusInternalServerError, "failed to complete deadline")
 		return
 	}
 	if deadline == nil {
@@ -186,9 +184,9 @@ func (h *DeadlineHandlers) Complete(w http.ResponseWriter, r *http.Request) {

 // Delete handles DELETE /api/deadlines/{deadlineID}
 func (h *DeadlineHandlers) Delete(w http.ResponseWriter, r *http.Request) {
-	tenantID, ok := auth.TenantFromContext(r.Context())
-	if !ok {
-		writeError(w, http.StatusForbidden, "missing tenant")
+	tenantID, err := resolveTenant(r, h.db)
+	if err != nil {
+		handleTenantError(w, err)
 		return
 	}

@@ -198,8 +196,9 @@ func (h *DeadlineHandlers) Delete(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if err := h.deadlines.Delete(tenantID, deadlineID); err != nil {
-		writeError(w, http.StatusNotFound, "deadline not found")
+	err = h.deadlines.Delete(tenantID, deadlineID)
+	if err != nil {
+		writeError(w, http.StatusNotFound, err.Error())
 		return
 	}

--- a/backend/internal/handlers/documents.go
+++ b/backend/internal/handlers/documents.go
@@ -36,7 +36,7 @@ func (h *DocumentHandler) ListByCase(w http.ResponseWriter, r *http.Request) {

 	docs, err := h.svc.ListByCase(r.Context(), tenantID, caseID)
 	if err != nil {
-		internalError(w, "failed to list documents", err)
+		writeError(w, http.StatusInternalServerError, err.Error())
 		return
 	}

@@ -98,7 +98,7 @@ func (h *DocumentHandler) Upload(w http.ResponseWriter, r *http.Request) {
 			writeError(w, http.StatusNotFound, "case not found")
 			return
 		}
-		internalError(w, "failed to upload document", err)
+		writeError(w, http.StatusInternalServerError, err.Error())
 		return
 	}

@@ -121,16 +121,16 @@ func (h *DocumentHandler) Download(w http.ResponseWriter, r *http.Request) {
 	body, contentType, title, err := h.svc.Download(r.Context(), tenantID, docID)
 	if err != nil {
 		if err.Error() == "document not found" || err.Error() == "document has no file" {
-			writeError(w, http.StatusNotFound, "document not found")
+			writeError(w, http.StatusNotFound, err.Error())
 			return
 		}
-		internalError(w, "failed to download document", err)
+		writeError(w, http.StatusInternalServerError, err.Error())
 		return
 	}
 	defer body.Close()

 	w.Header().Set("Content-Type", contentType)
-	w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, sanitizeFilename(title)))
+	w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, title))
 	io.Copy(w, body)
 }

@@ -149,7 +149,7 @@ func (h *DocumentHandler) GetMeta(w http.ResponseWriter, r *http.Request) {

 	doc, err := h.svc.GetByID(r.Context(), tenantID, docID)
 	if err != nil {
-		internalError(w, "failed to get document metadata", err)
+		writeError(w, http.StatusInternalServerError, err.Error())
 		return
 	}
 	if doc == nil {
--- a/backend/internal/handlers/helpers.go
+++ b/backend/internal/handlers/helpers.go
@@ -2,12 +2,12 @@ package handlers

 import (
 	"encoding/json"
-	"log/slog"
 	"net/http"
-	"strings"
-	"unicode/utf8"

 	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
 )

 func writeJSON(w http.ResponseWriter, status int, v any) {
@@ -20,9 +20,62 @@ func writeError(w http.ResponseWriter, status int, msg string) {
 	writeJSON(w, status, map[string]string{"error": msg})
 }

-// internalError logs the real error and returns a generic message to the client.
-func internalError(w http.ResponseWriter, msg string, err error) {
-	slog.Error(msg, "error", err)
+// resolveTenant gets the tenant ID for the authenticated user.
+// Checks X-Tenant-ID header first, then falls back to user's first tenant.
+func resolveTenant(r *http.Request, db *sqlx.DB) (uuid.UUID, error) {
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		return uuid.Nil, errUnauthorized
+	}
+
+	// Check header first
+	if headerVal := r.Header.Get("X-Tenant-ID"); headerVal != "" {
+		tenantID, err := uuid.Parse(headerVal)
+		if err != nil {
+			return uuid.Nil, errInvalidTenant
+		}
+		// Verify user has access to this tenant
+		var count int
+		err = db.Get(&count,
+			`SELECT COUNT(*) FROM user_tenants WHERE user_id = $1 AND tenant_id = $2`,
+			userID, tenantID)
+		if err != nil || count == 0 {
+			return uuid.Nil, errTenantAccess
+		}
+		return tenantID, nil
+	}
+
+	// Fall back to user's first tenant
+	var tenantID uuid.UUID
+	err := db.Get(&tenantID,
+		`SELECT tenant_id FROM user_tenants WHERE user_id = $1 ORDER BY created_at LIMIT 1`,
+		userID)
+	if err != nil {
+		return uuid.Nil, errNoTenant
+	}
+	return tenantID, nil
+}
+
+type apiError struct {
+	msg    string
+	status int
+}
+
+func (e *apiError) Error() string { return e.msg }
+
+var (
+	errUnauthorized = &apiError{msg: "unauthorized", status: http.StatusUnauthorized}
+	errInvalidTenant = &apiError{msg: "invalid tenant ID", status: http.StatusBadRequest}
+	errTenantAccess  = &apiError{msg: "no access to tenant", status: http.StatusForbidden}
+	errNoTenant      = &apiError{msg: "no tenant found for user", status: http.StatusBadRequest}
+)
+
+// handleTenantError writes the appropriate error response for tenant resolution errors
+func handleTenantError(w http.ResponseWriter, err error) {
+	if ae, ok := err.(*apiError); ok {
+		writeError(w, ae.status, ae.msg)
+		return
+	}
 	writeError(w, http.StatusInternalServerError, "internal error")
 }

@@ -35,74 +88,3 @@ func parsePathUUID(r *http.Request, key string) (uuid.UUID, error) {
 func parseUUID(s string) (uuid.UUID, error) {
 	return uuid.Parse(s)
 }
-
-// --- Input validation helpers ---
-
-const (
-	maxTitleLen       = 500
-	maxDescriptionLen = 10000
-	maxCaseNumberLen  = 100
-	maxSearchLen      = 200
-	maxPaginationLimit = 100
-)
-
-// validateStringLength checks if a string exceeds the given max length.
-func validateStringLength(field, value string, maxLen int) string {
-	if utf8.RuneCountInString(value) > maxLen {
-		return field + " exceeds maximum length"
-	}
-	return ""
-}
-
-// clampPagination enforces sane pagination defaults and limits.
-func clampPagination(limit, offset int) (int, int) {
-	if limit <= 0 {
-		limit = 20
-	}
-	if limit > maxPaginationLimit {
-		limit = maxPaginationLimit
-	}
-	if offset < 0 {
-		offset = 0
-	}
-	return limit, offset
-}
-
-// sanitizeFilename removes characters unsafe for Content-Disposition headers.
-func sanitizeFilename(name string) string {
-	// Remove control characters, quotes, and backslashes
-	var b strings.Builder
-	for _, r := range name {
-		if r < 32 || r == '"' || r == '\\' || r == '/' {
-			b.WriteRune('_')
-		} else {
-			b.WriteRune(r)
-		}
-	}
-	return b.String()
-}
-
-// maskSettingsPassword masks the CalDAV password in tenant settings JSON before returning to clients.
-func maskSettingsPassword(settings json.RawMessage) json.RawMessage {
-	if len(settings) == 0 {
-		return settings
-	}
-	var m map[string]json.RawMessage
-	if err := json.Unmarshal(settings, &m); err != nil {
-		return settings
-	}
-	caldavRaw, ok := m["caldav"]
-	if !ok {
-		return settings
-	}
-	var caldav map[string]json.RawMessage
-	if err := json.Unmarshal(caldavRaw, &caldav); err != nil {
-		return settings
-	}
-	if _, ok := caldav["password"]; ok {
-		caldav["password"], _ = json.Marshal("********")
-	}
-	m["caldav"], _ = json.Marshal(caldav)
-	result, _ := json.Marshal(m)
-	return result
-}
--- a/backend/internal/handlers/notes.go
+++ b/backend/internal/handlers/notes.go
@@ -60,10 +60,6 @@ func (h *NoteHandler) Create(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "content is required")
 		return
 	}
-	if msg := validateStringLength("content", input.Content, maxDescriptionLen); msg != "" {
-		writeError(w, http.StatusBadRequest, msg)
-		return
-	}

 	var createdBy *uuid.UUID
 	if userID != uuid.Nil {
@@ -104,10 +100,6 @@ func (h *NoteHandler) Update(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "content is required")
 		return
 	}
-	if msg := validateStringLength("content", req.Content, maxDescriptionLen); msg != "" {
-		writeError(w, http.StatusBadRequest, msg)
-		return
-	}

 	note, err := h.svc.Update(r.Context(), tenantID, noteID, req.Content)
 	if err != nil {
--- a/backend/internal/handlers/notifications.go
+++ b/backend/internal/handlers/notifications.go
@@ -0,0 +1,171 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+
+	"github.com/jmoiron/sqlx"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+)
+
+// NotificationHandler handles notification API endpoints.
+type NotificationHandler struct {
+	svc *services.NotificationService
+	db  *sqlx.DB
+}
+
+// NewNotificationHandler creates a new notification handler.
+func NewNotificationHandler(svc *services.NotificationService, db *sqlx.DB) *NotificationHandler {
+	return &NotificationHandler{svc: svc, db: db}
+}
+
+// List returns paginated notifications for the authenticated user.
+func (h *NotificationHandler) List(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
+	offset, _ := strconv.Atoi(r.URL.Query().Get("offset"))
+
+	notifications, total, err := h.svc.ListForUser(r.Context(), tenantID, userID, limit, offset)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to list notifications")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{
+		"data":  notifications,
+		"total": total,
+	})
+}
+
+// UnreadCount returns the count of unread notifications.
+func (h *NotificationHandler) UnreadCount(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	count, err := h.svc.UnreadCount(r.Context(), tenantID, userID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to count notifications")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]int{"unread_count": count})
+}
+
+// MarkRead marks a single notification as read.
+func (h *NotificationHandler) MarkRead(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	notifID, err := parsePathUUID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid notification ID")
+		return
+	}
+
+	if err := h.svc.MarkRead(r.Context(), tenantID, userID, notifID); err != nil {
+		writeError(w, http.StatusNotFound, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
+}
+
+// MarkAllRead marks all notifications as read.
+func (h *NotificationHandler) MarkAllRead(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	if err := h.svc.MarkAllRead(r.Context(), tenantID, userID); err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to mark all read")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
+}
+
+// GetPreferences returns notification preferences for the authenticated user.
+func (h *NotificationHandler) GetPreferences(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	pref, err := h.svc.GetPreferences(r.Context(), tenantID, userID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to get preferences")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, pref)
+}
+
+// UpdatePreferences updates notification preferences for the authenticated user.
+func (h *NotificationHandler) UpdatePreferences(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	var input services.UpdatePreferencesInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid request body")
+		return
+	}
+
+	pref, err := h.svc.UpdatePreferences(r.Context(), tenantID, userID, input)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to update preferences")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, pref)
+}
--- a/backend/internal/handlers/parties.go
+++ b/backend/internal/handlers/parties.go
@@ -34,7 +34,7 @@ func (h *PartyHandler) List(w http.ResponseWriter, r *http.Request) {

 	parties, err := h.svc.ListByCase(r.Context(), tenantID, caseID)
 	if err != nil {
-		internalError(w, "failed to list parties", err)
+		writeError(w, http.StatusInternalServerError, err.Error())
 		return
 	}

@@ -67,18 +67,13 @@ func (h *PartyHandler) Create(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if msg := validateStringLength("name", input.Name, maxTitleLen); msg != "" {
-		writeError(w, http.StatusBadRequest, msg)
-		return
-	}
-
 	party, err := h.svc.Create(r.Context(), tenantID, caseID, userID, input)
 	if err != nil {
 		if err == sql.ErrNoRows {
 			writeError(w, http.StatusNotFound, "case not found")
 			return
 		}
-		internalError(w, "failed to create party", err)
+		writeError(w, http.StatusInternalServerError, err.Error())
 		return
 	}

@@ -106,7 +101,7 @@ func (h *PartyHandler) Update(w http.ResponseWriter, r *http.Request) {

 	updated, err := h.svc.Update(r.Context(), tenantID, partyID, input)
 	if err != nil {
-		internalError(w, "failed to update party", err)
+		writeError(w, http.StatusInternalServerError, err.Error())
 		return
 	}
 	if updated == nil {
--- a/backend/internal/handlers/tenant_handler.go
+++ b/backend/internal/handlers/tenant_handler.go
@@ -2,7 +2,6 @@ package handlers

 import (
 	"encoding/json"
-	"log/slog"
 	"net/http"

 	"github.com/google/uuid"
@@ -42,8 +41,7 @@ func (h *TenantHandler) CreateTenant(w http.ResponseWriter, r *http.Request) {

 	tenant, err := h.svc.Create(r.Context(), userID, req.Name, req.Slug)
 	if err != nil {
-		slog.Error("failed to create tenant", "error", err)
-		jsonError(w, "internal error", http.StatusInternalServerError)
+		jsonError(w, err.Error(), http.StatusInternalServerError)
 		return
 	}

@@ -60,16 +58,10 @@ func (h *TenantHandler) ListTenants(w http.ResponseWriter, r *http.Request) {

 	tenants, err := h.svc.ListForUser(r.Context(), userID)
 	if err != nil {
-		slog.Error("failed to list tenants", "error", err)
-		jsonError(w, "internal error", http.StatusInternalServerError)
+		jsonError(w, err.Error(), http.StatusInternalServerError)
 		return
 	}

-	// Mask CalDAV passwords in tenant settings
-	for i := range tenants {
-		tenants[i].Settings = maskSettingsPassword(tenants[i].Settings)
-	}
-
 	jsonResponse(w, tenants, http.StatusOK)
 }

@@ -90,8 +82,7 @@ func (h *TenantHandler) GetTenant(w http.ResponseWriter, r *http.Request) {
 	// Verify user has access to this tenant
 	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
 	if err != nil {
-		slog.Error("failed to get user role", "error", err)
-		jsonError(w, "internal error", http.StatusInternalServerError)
+		jsonError(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	if role == "" {
@@ -101,8 +92,7 @@ func (h *TenantHandler) GetTenant(w http.ResponseWriter, r *http.Request) {

 	tenant, err := h.svc.GetByID(r.Context(), tenantID)
 	if err != nil {
-		slog.Error("failed to get tenant", "error", err)
-		jsonError(w, "internal error", http.StatusInternalServerError)
+		jsonError(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	if tenant == nil {
@@ -110,9 +100,6 @@ func (h *TenantHandler) GetTenant(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	// Mask CalDAV password before returning
-	tenant.Settings = maskSettingsPassword(tenant.Settings)
-
 	jsonResponse(w, tenant, http.StatusOK)
 }

@@ -133,8 +120,7 @@ func (h *TenantHandler) InviteUser(w http.ResponseWriter, r *http.Request) {
 	// Only owners and admins can invite
 	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
 	if err != nil {
-		slog.Error("failed to get user role", "error", err)
-		jsonError(w, "internal error", http.StatusInternalServerError)
+		jsonError(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	if role != "owner" && role != "admin" {
@@ -164,8 +150,7 @@ func (h *TenantHandler) InviteUser(w http.ResponseWriter, r *http.Request) {

 	ut, err := h.svc.InviteByEmail(r.Context(), tenantID, req.Email, req.Role)
 	if err != nil {
-		// These are user-facing validation errors (user not found, already member)
-		jsonError(w, "failed to invite user", http.StatusBadRequest)
+		jsonError(w, err.Error(), http.StatusBadRequest)
 		return
 	}

@@ -195,8 +180,7 @@ func (h *TenantHandler) RemoveMember(w http.ResponseWriter, r *http.Request) {
 	// Only owners and admins can remove members (or user removing themselves)
 	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
 	if err != nil {
-		slog.Error("failed to get user role", "error", err)
-		jsonError(w, "internal error", http.StatusInternalServerError)
+		jsonError(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	if role != "owner" && role != "admin" && userID != memberID {
@@ -205,8 +189,7 @@ func (h *TenantHandler) RemoveMember(w http.ResponseWriter, r *http.Request) {
 	}

 	if err := h.svc.RemoveMember(r.Context(), tenantID, memberID); err != nil {
-		// These are user-facing validation errors (not a member, last owner, etc.)
-		jsonError(w, "failed to remove member", http.StatusBadRequest)
+		jsonError(w, err.Error(), http.StatusBadRequest)
 		return
 	}

@@ -230,8 +213,7 @@ func (h *TenantHandler) UpdateSettings(w http.ResponseWriter, r *http.Request) {
 	// Only owners and admins can update settings
 	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
 	if err != nil {
-		slog.Error("failed to get user role", "error", err)
-		jsonError(w, "internal error", http.StatusInternalServerError)
+		jsonError(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	if role != "owner" && role != "admin" {
@@ -247,14 +229,10 @@ func (h *TenantHandler) UpdateSettings(w http.ResponseWriter, r *http.Request) {

 	tenant, err := h.svc.UpdateSettings(r.Context(), tenantID, settings)
 	if err != nil {
-		slog.Error("failed to update settings", "error", err)
-		jsonError(w, "internal error", http.StatusInternalServerError)
+		jsonError(w, err.Error(), http.StatusInternalServerError)
 		return
 	}

-	// Mask CalDAV password before returning
-	tenant.Settings = maskSettingsPassword(tenant.Settings)
-
 	jsonResponse(w, tenant, http.StatusOK)
 }

@@ -275,8 +253,7 @@ func (h *TenantHandler) ListMembers(w http.ResponseWriter, r *http.Request) {
 	// Verify user has access
 	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
 	if err != nil {
-		slog.Error("failed to get user role", "error", err)
-		jsonError(w, "internal error", http.StatusInternalServerError)
+		jsonError(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	if role == "" {
@@ -286,8 +263,7 @@ func (h *TenantHandler) ListMembers(w http.ResponseWriter, r *http.Request) {

 	members, err := h.svc.ListMembers(r.Context(), tenantID)
 	if err != nil {
-		slog.Error("failed to list members", "error", err)
-		jsonError(w, "internal error", http.StatusInternalServerError)
+		jsonError(w, err.Error(), http.StatusInternalServerError)
 		return
 	}

--- a/backend/internal/integration_test.go
+++ b/backend/internal/integration_test.go
@@ -46,7 +46,7 @@ func testServer(t *testing.T) (http.Handler, func()) {
 	}

 	authMW := auth.NewMiddleware(jwtSecret, database)
-	handler := router.New(database, authMW, cfg, nil)
+	handler := router.New(database, authMW, cfg, nil, nil)

 	return handler, func() { database.Close() }
 }
--- a/backend/internal/middleware/security.go
+++ b/backend/internal/middleware/security.go
@@ -1,49 +0,0 @@
-package middleware
-
-import (
-	"net/http"
-	"strings"
-)
-
-// SecurityHeaders adds standard security headers to all responses.
-func SecurityHeaders(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("X-Frame-Options", "DENY")
-		w.Header().Set("X-Content-Type-Options", "nosniff")
-		w.Header().Set("X-XSS-Protection", "1; mode=block")
-		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
-		w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
-		next.ServeHTTP(w, r)
-	})
-}
-
-// CORS returns middleware that restricts cross-origin requests to the given origin.
-// If allowedOrigin is empty, CORS headers are not set (same-origin only).
-func CORS(allowedOrigin string) func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			origin := r.Header.Get("Origin")
-
-			if allowedOrigin != "" && origin != "" && matchOrigin(origin, allowedOrigin) {
-				w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
-				w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
-				w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Tenant-ID")
-				w.Header().Set("Access-Control-Max-Age", "86400")
-				w.Header().Set("Vary", "Origin")
-			}
-
-			// Handle preflight
-			if r.Method == http.MethodOptions {
-				w.WriteHeader(http.StatusNoContent)
-				return
-			}
-
-			next.ServeHTTP(w, r)
-		})
-	}
-}
-
-// matchOrigin checks if the request origin matches the allowed origin.
-func matchOrigin(origin, allowed string) bool {
-	return strings.EqualFold(strings.TrimRight(origin, "/"), strings.TrimRight(allowed, "/"))
-}
--- a/backend/internal/models/notification.go
+++ b/backend/internal/models/notification.go
@@ -0,0 +1,32 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/lib/pq"
+)
+
+type Notification struct {
+	ID         uuid.UUID  `db:"id" json:"id"`
+	TenantID   uuid.UUID  `db:"tenant_id" json:"tenant_id"`
+	UserID     uuid.UUID  `db:"user_id" json:"user_id"`
+	Type       string     `db:"type" json:"type"`
+	EntityType *string    `db:"entity_type" json:"entity_type,omitempty"`
+	EntityID   *uuid.UUID `db:"entity_id" json:"entity_id,omitempty"`
+	Title      string     `db:"title" json:"title"`
+	Body       *string    `db:"body" json:"body,omitempty"`
+	SentAt     *time.Time `db:"sent_at" json:"sent_at,omitempty"`
+	ReadAt     *time.Time `db:"read_at" json:"read_at,omitempty"`
+	CreatedAt  time.Time  `db:"created_at" json:"created_at"`
+}
+
+type NotificationPreferences struct {
+	UserID              uuid.UUID     `db:"user_id" json:"user_id"`
+	TenantID            uuid.UUID     `db:"tenant_id" json:"tenant_id"`
+	DeadlineReminderDays pq.Int64Array `db:"deadline_reminder_days" json:"deadline_reminder_days"`
+	EmailEnabled        bool          `db:"email_enabled" json:"email_enabled"`
+	DailyDigest         bool          `db:"daily_digest" json:"daily_digest"`
+	CreatedAt           time.Time     `db:"created_at" json:"created_at"`
+	UpdatedAt           time.Time     `db:"updated_at" json:"updated_at"`
+}
--- a/backend/internal/router/router.go
+++ b/backend/internal/router/router.go
@@ -15,7 +15,7 @@ import (
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
 )

-func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *services.CalDAVService) http.Handler {
+func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *services.CalDAVService, notifSvc *services.NotificationService) http.Handler {
 	mux := http.NewServeMux()

 	// Services
@@ -34,7 +34,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	var aiH *handlers.AIHandler
 	if cfg.AnthropicAPIKey != "" {
 		aiSvc := services.NewAIService(cfg.AnthropicAPIKey, db)
-		aiH = handlers.NewAIHandler(aiSvc)
+		aiH = handlers.NewAIHandler(aiSvc, db)
 	}

 	// Middleware
@@ -43,12 +43,18 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	noteSvc := services.NewNoteService(db)
 	dashboardSvc := services.NewDashboardService(db)

+	// Notification handler (optional — nil in tests)
+	var notifH *handlers.NotificationHandler
+	if notifSvc != nil {
+		notifH = handlers.NewNotificationHandler(notifSvc, db)
+	}
+
 	// Handlers
 	tenantH := handlers.NewTenantHandler(tenantSvc)
 	caseH := handlers.NewCaseHandler(caseSvc)
 	partyH := handlers.NewPartyHandler(partySvc)
 	apptH := handlers.NewAppointmentHandler(appointmentSvc)
-	deadlineH := handlers.NewDeadlineHandlers(deadlineSvc)
+	deadlineH := handlers.NewDeadlineHandlers(deadlineSvc, db)
 	ruleH := handlers.NewDeadlineRuleHandlers(deadlineRuleSvc)
 	calcH := handlers.NewCalculateHandlers(calculator, deadlineRuleSvc)
 	dashboardH := handlers.NewDashboardHandler(dashboardSvc)
@@ -137,6 +143,16 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 		scoped.HandleFunc("POST /api/ai/summarize-case", aiLimiter.LimitFunc(aiH.SummarizeCase))
 	}

+	// Notifications
+	if notifH != nil {
+		scoped.HandleFunc("GET /api/notifications", notifH.List)
+		scoped.HandleFunc("GET /api/notifications/unread-count", notifH.UnreadCount)
+		scoped.HandleFunc("PATCH /api/notifications/{id}/read", notifH.MarkRead)
+		scoped.HandleFunc("PATCH /api/notifications/read-all", notifH.MarkAllRead)
+		scoped.HandleFunc("GET /api/notification-preferences", notifH.GetPreferences)
+		scoped.HandleFunc("PUT /api/notification-preferences", notifH.UpdatePreferences)
+	}
+
 	// CalDAV sync endpoints
 	if calDAVSvc != nil {
 		calDAVH := handlers.NewCalDAVHandler(calDAVSvc)
@@ -149,20 +165,14 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se

 	mux.Handle("/api/", authMW.RequireAuth(api))

-	// Apply security middleware stack: CORS -> Security Headers -> Request Logger -> Routes
-	var handler http.Handler = mux
-	handler = requestLogger(handler)
-	handler = middleware.SecurityHeaders(handler)
-	handler = middleware.CORS(cfg.FrontendOrigin)(handler)
-
-	return handler
+	return requestLogger(mux)
 }

 func handleHealth(db *sqlx.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if err := db.Ping(); err != nil {
 			w.WriteHeader(http.StatusServiceUnavailable)
-			json.NewEncoder(w).Encode(map[string]string{"status": "error"})
+			json.NewEncoder(w).Encode(map[string]string{"status": "error", "error": err.Error()})
 			return
 		}
 		w.Header().Set("Content-Type", "application/json")
@@ -200,3 +210,4 @@ func requestLogger(next http.Handler) http.Handler {
 		)
 	})
 }
+
--- a/backend/internal/services/notification_service.go
+++ b/backend/internal/services/notification_service.go
@@ -0,0 +1,501 @@
+package services
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os/exec"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+	"github.com/lib/pq"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
+)
+
+// NotificationService handles notification CRUD, deadline reminders, and email sending.
+type NotificationService struct {
+	db     *sqlx.DB
+	stopCh chan struct{}
+	wg     sync.WaitGroup
+}
+
+// NewNotificationService creates a new notification service.
+func NewNotificationService(db *sqlx.DB) *NotificationService {
+	return &NotificationService{
+		db:     db,
+		stopCh: make(chan struct{}),
+	}
+}
+
+// Start launches the background reminder checker (every hour) and daily digest (8am).
+func (s *NotificationService) Start() {
+	s.wg.Add(1)
+	go s.backgroundLoop()
+}
+
+// Stop gracefully shuts down background workers.
+func (s *NotificationService) Stop() {
+	close(s.stopCh)
+	s.wg.Wait()
+}
+
+func (s *NotificationService) backgroundLoop() {
+	defer s.wg.Done()
+
+	// Check reminders on startup
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+	s.CheckDeadlineReminders(ctx)
+	cancel()
+
+	reminderTicker := time.NewTicker(1 * time.Hour)
+	defer reminderTicker.Stop()
+
+	// Digest ticker: check every 15 minutes, send at 8am
+	digestTicker := time.NewTicker(15 * time.Minute)
+	defer digestTicker.Stop()
+
+	var lastDigestDate string
+
+	for {
+		select {
+		case <-s.stopCh:
+			return
+		case <-reminderTicker.C:
+			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+			s.CheckDeadlineReminders(ctx)
+			cancel()
+		case now := <-digestTicker.C:
+			today := now.Format("2006-01-02")
+			hour := now.Hour()
+			if hour >= 8 && lastDigestDate != today {
+				lastDigestDate = today
+				ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
+				s.SendDailyDigests(ctx)
+				cancel()
+			}
+		}
+	}
+}
+
+// CheckDeadlineReminders finds deadlines due in N days matching user preferences and creates notifications.
+func (s *NotificationService) CheckDeadlineReminders(ctx context.Context) {
+	slog.Info("checking deadline reminders")
+
+	// Get all user preferences with email enabled
+	var prefs []models.NotificationPreferences
+	err := s.db.SelectContext(ctx, &prefs,
+		`SELECT user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at
+		 FROM notification_preferences`)
+	if err != nil {
+		slog.Error("failed to load notification preferences", "error", err)
+		return
+	}
+
+	if len(prefs) == 0 {
+		return
+	}
+
+	// Collect all unique reminder day values across all users
+	daySet := make(map[int64]bool)
+	for _, p := range prefs {
+		for _, d := range p.DeadlineReminderDays {
+			daySet[d] = true
+		}
+	}
+	if len(daySet) == 0 {
+		return
+	}
+
+	// Build array of target dates
+	today := time.Now().Truncate(24 * time.Hour)
+	var targetDates []string
+	dayToDate := make(map[string]int64)
+	for d := range daySet {
+		target := today.AddDate(0, 0, int(d))
+		dateStr := target.Format("2006-01-02")
+		targetDates = append(targetDates, dateStr)
+		dayToDate[dateStr] = d
+	}
+
+	// Also check overdue deadlines
+	todayStr := today.Format("2006-01-02")
+
+	// Find pending deadlines matching target dates
+	type deadlineRow struct {
+		models.Deadline
+		CaseTitle  string `db:"case_title"`
+		CaseNumber string `db:"case_number"`
+	}
+
+	// Reminder deadlines (due in N days)
+	var reminderDeadlines []deadlineRow
+	query, args, err := sqlx.In(
+		`SELECT d.*, c.title AS case_title, c.case_number
+		 FROM deadlines d
+		 JOIN cases c ON c.id = d.case_id
+		 WHERE d.status = 'pending' AND d.due_date IN (?)`,
+		targetDates)
+	if err == nil {
+		query = s.db.Rebind(query)
+		err = s.db.SelectContext(ctx, &reminderDeadlines, query, args...)
+	}
+	if err != nil {
+		slog.Error("failed to query reminder deadlines", "error", err)
+	}
+
+	// Overdue deadlines
+	var overdueDeadlines []deadlineRow
+	err = s.db.SelectContext(ctx, &overdueDeadlines,
+		`SELECT d.*, c.title AS case_title, c.case_number
+		 FROM deadlines d
+		 JOIN cases c ON c.id = d.case_id
+		 WHERE d.status = 'pending' AND d.due_date < $1`, todayStr)
+	if err != nil {
+		slog.Error("failed to query overdue deadlines", "error", err)
+	}
+
+	// Create notifications for each user based on their tenant and preferences
+	for _, pref := range prefs {
+		// Reminder notifications
+		for _, dl := range reminderDeadlines {
+			if dl.TenantID != pref.TenantID {
+				continue
+			}
+			daysUntil := dayToDate[dl.DueDate]
+			// Check if this user cares about this many days
+			if !containsDay(pref.DeadlineReminderDays, daysUntil) {
+				continue
+			}
+
+			title := fmt.Sprintf("Frist in %d Tagen: %s", daysUntil, dl.Title)
+			body := fmt.Sprintf("Akte %s — %s\nFällig am %s", dl.CaseNumber, dl.CaseTitle, dl.DueDate)
+			entityType := "deadline"
+
+			s.CreateNotification(ctx, CreateNotificationInput{
+				TenantID:   pref.TenantID,
+				UserID:     pref.UserID,
+				Type:       "deadline_reminder",
+				EntityType: &entityType,
+				EntityID:   &dl.ID,
+				Title:      title,
+				Body:       &body,
+				SendEmail:  pref.EmailEnabled && !pref.DailyDigest,
+			})
+		}
+
+		// Overdue notifications
+		for _, dl := range overdueDeadlines {
+			if dl.TenantID != pref.TenantID {
+				continue
+			}
+
+			title := fmt.Sprintf("Frist überfällig: %s", dl.Title)
+			body := fmt.Sprintf("Akte %s — %s\nFällig seit %s", dl.CaseNumber, dl.CaseTitle, dl.DueDate)
+			entityType := "deadline"
+
+			s.CreateNotification(ctx, CreateNotificationInput{
+				TenantID:   pref.TenantID,
+				UserID:     pref.UserID,
+				Type:       "deadline_overdue",
+				EntityType: &entityType,
+				EntityID:   &dl.ID,
+				Title:      title,
+				Body:       &body,
+				SendEmail:  pref.EmailEnabled && !pref.DailyDigest,
+			})
+		}
+	}
+}
+
+// SendDailyDigests compiles pending notifications into one email per user.
+func (s *NotificationService) SendDailyDigests(ctx context.Context) {
+	slog.Info("sending daily digests")
+
+	// Find users with daily_digest enabled
+	var prefs []models.NotificationPreferences
+	err := s.db.SelectContext(ctx, &prefs,
+		`SELECT user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at
+		 FROM notification_preferences
+		 WHERE daily_digest = true AND email_enabled = true`)
+	if err != nil {
+		slog.Error("failed to load digest preferences", "error", err)
+		return
+	}
+
+	for _, pref := range prefs {
+		// Get unsent notifications for this user from the last 24 hours
+		var notifications []models.Notification
+		err := s.db.SelectContext(ctx, &notifications,
+			`SELECT id, tenant_id, user_id, type, entity_type, entity_id, title, body, sent_at, read_at, created_at
+			 FROM notifications
+			 WHERE user_id = $1 AND tenant_id = $2 AND sent_at IS NULL
+			   AND created_at > now() - interval '24 hours'
+			 ORDER BY created_at DESC`,
+			pref.UserID, pref.TenantID)
+		if err != nil {
+			slog.Error("failed to load unsent notifications", "error", err, "user_id", pref.UserID)
+			continue
+		}
+
+		if len(notifications) == 0 {
+			continue
+		}
+
+		// Get user email
+		email := s.getUserEmail(ctx, pref.UserID)
+		if email == "" {
+			continue
+		}
+
+		// Build digest
+		var lines []string
+		lines = append(lines, fmt.Sprintf("Guten Morgen! Hier ist Ihre Tagesübersicht mit %d Benachrichtigungen:\n", len(notifications)))
+		for _, n := range notifications {
+			body := ""
+			if n.Body != nil {
+				body = " — " + *n.Body
+			}
+			lines = append(lines, fmt.Sprintf("• %s%s", n.Title, body))
+		}
+		lines = append(lines, "\n---\nKanzlAI Kanzleimanagement")
+
+		subject := fmt.Sprintf("KanzlAI Tagesübersicht — %d Benachrichtigungen", len(notifications))
+		bodyText := strings.Join(lines, "\n")
+
+		if err := SendEmail(email, subject, bodyText); err != nil {
+			slog.Error("failed to send digest email", "error", err, "user_id", pref.UserID)
+			continue
+		}
+
+		// Mark all as sent
+		ids := make([]uuid.UUID, len(notifications))
+		for i, n := range notifications {
+			ids[i] = n.ID
+		}
+		query, args, err := sqlx.In(
+			`UPDATE notifications SET sent_at = now() WHERE id IN (?)`, ids)
+		if err == nil {
+			query = s.db.Rebind(query)
+			_, err = s.db.ExecContext(ctx, query, args...)
+		}
+		if err != nil {
+			slog.Error("failed to mark digest notifications sent", "error", err)
+		}
+
+		slog.Info("sent daily digest", "user_id", pref.UserID, "count", len(notifications))
+	}
+}
+
+// CreateNotificationInput holds the data for creating a notification.
+type CreateNotificationInput struct {
+	TenantID   uuid.UUID
+	UserID     uuid.UUID
+	Type       string
+	EntityType *string
+	EntityID   *uuid.UUID
+	Title      string
+	Body       *string
+	SendEmail  bool
+}
+
+// CreateNotification stores a notification in the DB and optionally sends an email.
+func (s *NotificationService) CreateNotification(ctx context.Context, input CreateNotificationInput) (*models.Notification, error) {
+	// Dedup: check if we already sent this notification today
+	if input.EntityID != nil {
+		var count int
+		err := s.db.GetContext(ctx, &count,
+			`SELECT COUNT(*) FROM notifications
+			 WHERE user_id = $1 AND entity_id = $2 AND type = $3
+			   AND created_at::date = CURRENT_DATE`,
+			input.UserID, input.EntityID, input.Type)
+		if err == nil && count > 0 {
+			return nil, nil // Already notified today
+		}
+	}
+
+	var n models.Notification
+	err := s.db.QueryRowxContext(ctx,
+		`INSERT INTO notifications (tenant_id, user_id, type, entity_type, entity_id, title, body)
+		 VALUES ($1, $2, $3, $4, $5, $6, $7)
+		 RETURNING id, tenant_id, user_id, type, entity_type, entity_id, title, body, sent_at, read_at, created_at`,
+		input.TenantID, input.UserID, input.Type, input.EntityType, input.EntityID,
+		input.Title, input.Body).StructScan(&n)
+	if err != nil {
+		slog.Error("failed to create notification", "error", err)
+		return nil, fmt.Errorf("create notification: %w", err)
+	}
+
+	// Send email immediately if requested (non-digest users)
+	if input.SendEmail {
+		email := s.getUserEmail(ctx, input.UserID)
+		if email != "" {
+			go func() {
+				if err := SendEmail(email, input.Title, derefStr(input.Body)); err != nil {
+					slog.Error("failed to send notification email", "error", err, "user_id", input.UserID)
+				} else {
+					// Mark as sent
+					_, _ = s.db.Exec(`UPDATE notifications SET sent_at = now() WHERE id = $1`, n.ID)
+				}
+			}()
+		}
+	}
+
+	return &n, nil
+}
+
+// ListForUser returns notifications for a user in a tenant, paginated.
+func (s *NotificationService) ListForUser(ctx context.Context, tenantID, userID uuid.UUID, limit, offset int) ([]models.Notification, int, error) {
+	if limit <= 0 {
+		limit = 50
+	}
+	if limit > 200 {
+		limit = 200
+	}
+
+	var total int
+	err := s.db.GetContext(ctx, &total,
+		`SELECT COUNT(*) FROM notifications WHERE user_id = $1 AND tenant_id = $2`,
+		userID, tenantID)
+	if err != nil {
+		return nil, 0, fmt.Errorf("count notifications: %w", err)
+	}
+
+	var notifications []models.Notification
+	err = s.db.SelectContext(ctx, &notifications,
+		`SELECT id, tenant_id, user_id, type, entity_type, entity_id, title, body, sent_at, read_at, created_at
+		 FROM notifications
+		 WHERE user_id = $1 AND tenant_id = $2
+		 ORDER BY created_at DESC
+		 LIMIT $3 OFFSET $4`,
+		userID, tenantID, limit, offset)
+	if err != nil {
+		return nil, 0, fmt.Errorf("list notifications: %w", err)
+	}
+
+	return notifications, total, nil
+}
+
+// UnreadCount returns the number of unread notifications for a user.
+func (s *NotificationService) UnreadCount(ctx context.Context, tenantID, userID uuid.UUID) (int, error) {
+	var count int
+	err := s.db.GetContext(ctx, &count,
+		`SELECT COUNT(*) FROM notifications WHERE user_id = $1 AND tenant_id = $2 AND read_at IS NULL`,
+		userID, tenantID)
+	return count, err
+}
+
+// MarkRead marks a single notification as read.
+func (s *NotificationService) MarkRead(ctx context.Context, tenantID, userID, notificationID uuid.UUID) error {
+	result, err := s.db.ExecContext(ctx,
+		`UPDATE notifications SET read_at = now()
+		 WHERE id = $1 AND user_id = $2 AND tenant_id = $3 AND read_at IS NULL`,
+		notificationID, userID, tenantID)
+	if err != nil {
+		return fmt.Errorf("mark notification read: %w", err)
+	}
+	rows, _ := result.RowsAffected()
+	if rows == 0 {
+		return fmt.Errorf("notification not found or already read")
+	}
+	return nil
+}
+
+// MarkAllRead marks all notifications as read for a user.
+func (s *NotificationService) MarkAllRead(ctx context.Context, tenantID, userID uuid.UUID) error {
+	_, err := s.db.ExecContext(ctx,
+		`UPDATE notifications SET read_at = now()
+		 WHERE user_id = $1 AND tenant_id = $2 AND read_at IS NULL`,
+		userID, tenantID)
+	return err
+}
+
+// GetPreferences returns notification preferences for a user, creating defaults if needed.
+func (s *NotificationService) GetPreferences(ctx context.Context, tenantID, userID uuid.UUID) (*models.NotificationPreferences, error) {
+	var pref models.NotificationPreferences
+	err := s.db.GetContext(ctx, &pref,
+		`SELECT user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at
+		 FROM notification_preferences
+		 WHERE user_id = $1 AND tenant_id = $2`,
+		userID, tenantID)
+	if err != nil {
+		// Return defaults if no preferences set
+		return &models.NotificationPreferences{
+			UserID:               userID,
+			TenantID:             tenantID,
+			DeadlineReminderDays: pq.Int64Array{7, 3, 1},
+			EmailEnabled:         true,
+			DailyDigest:          false,
+		}, nil
+	}
+	return &pref, nil
+}
+
+// UpdatePreferences upserts notification preferences for a user.
+func (s *NotificationService) UpdatePreferences(ctx context.Context, tenantID, userID uuid.UUID, input UpdatePreferencesInput) (*models.NotificationPreferences, error) {
+	var pref models.NotificationPreferences
+	err := s.db.QueryRowxContext(ctx,
+		`INSERT INTO notification_preferences (user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest)
+		 VALUES ($1, $2, $3, $4, $5)
+		 ON CONFLICT (user_id, tenant_id)
+		 DO UPDATE SET deadline_reminder_days = $3, email_enabled = $4, daily_digest = $5, updated_at = now()
+		 RETURNING user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at`,
+		userID, tenantID, pq.Int64Array(input.DeadlineReminderDays), input.EmailEnabled, input.DailyDigest).StructScan(&pref)
+	if err != nil {
+		return nil, fmt.Errorf("update preferences: %w", err)
+	}
+	return &pref, nil
+}
+
+// UpdatePreferencesInput holds the data for updating notification preferences.
+type UpdatePreferencesInput struct {
+	DeadlineReminderDays []int64 `json:"deadline_reminder_days"`
+	EmailEnabled         bool    `json:"email_enabled"`
+	DailyDigest          bool    `json:"daily_digest"`
+}
+
+// SendEmail sends an email using the `m mail send` CLI command.
+func SendEmail(to, subject, body string) error {
+	cmd := exec.Command("m", "mail", "send",
+		"--to", to,
+		"--subject", subject,
+		"--body", body,
+		"--yes")
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("m mail send failed: %w (output: %s)", err, string(output))
+	}
+	slog.Info("email sent", "to", to, "subject", subject)
+	return nil
+}
+
+// getUserEmail looks up the email for a user from Supabase auth.users.
+func (s *NotificationService) getUserEmail(ctx context.Context, userID uuid.UUID) string {
+	var email string
+	err := s.db.GetContext(ctx, &email,
+		`SELECT email FROM auth.users WHERE id = $1`, userID)
+	if err != nil {
+		slog.Error("failed to get user email", "error", err, "user_id", userID)
+		return ""
+	}
+	return email
+}
+
+func containsDay(arr pq.Int64Array, day int64) bool {
+	for _, d := range arr {
+		if d == day {
+			return true
+		}
+	}
+	return false
+}
+
+func derefStr(s *string) string {
+	if s == nil {
+		return ""
+	}
+	return *s
+}
--- a/backend/internal/services/tenant_service.go
+++ b/backend/internal/services/tenant_service.go
@@ -101,19 +101,6 @@ func (s *TenantService) GetUserRole(ctx context.Context, userID, tenantID uuid.U
 	return role, nil
 }

-// VerifyAccess checks if a user has access to a given tenant.
-func (s *TenantService) VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error) {
-	var exists bool
-	err := s.db.GetContext(ctx, &exists,
-		`SELECT EXISTS(SELECT 1 FROM user_tenants WHERE user_id = $1 AND tenant_id = $2)`,
-		userID, tenantID,
-	)
-	if err != nil {
-		return false, fmt.Errorf("verify tenant access: %w", err)
-	}
-	return exists, nil
-}
-
 // FirstTenantForUser returns the user's first tenant (by name), used as default.
 func (s *TenantService) FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error) {
 	var tenantID uuid.UUID
--- a/frontend/src/app/(app)/einstellungen/page.tsx
+++ b/frontend/src/app/(app)/einstellungen/page.tsx
@@ -1,11 +1,12 @@
 "use client";

 import { useQuery } from "@tanstack/react-query";
-import { Settings, Calendar, Users } from "lucide-react";
+import { Settings, Calendar, Users, Bell } from "lucide-react";
 import Link from "next/link";
 import { api } from "@/lib/api";
 import type { Tenant } from "@/lib/types";
 import { CalDAVSettings } from "@/components/settings/CalDAVSettings";
+import { NotificationSettings } from "@/components/settings/NotificationSettings";
 import { SkeletonCard } from "@/components/ui/Skeleton";
 import { EmptyState } from "@/components/ui/EmptyState";

@@ -97,6 +98,19 @@ export default function EinstellungenPage() {
            </div>
          </section>

+          {/* Notification Settings */}
+          <section className="rounded-xl border border-neutral-200 bg-white p-5">
+            <div className="flex items-center gap-2.5 border-b border-neutral-100 pb-3">
+              <Bell className="h-4 w-4 text-neutral-500" />
+              <h2 className="text-sm font-semibold text-neutral-900">
+                Benachrichtigungen
+              </h2>
+            </div>
+            <div className="mt-4">
+              <NotificationSettings />
+            </div>
+          </section>
+
          {/* CalDAV Settings */}
          <section className="rounded-xl border border-neutral-200 bg-white p-5">
            <div className="flex items-center gap-2.5 border-b border-neutral-100 pb-3">
--- a/frontend/src/components/layout/Header.tsx
+++ b/frontend/src/components/layout/Header.tsx
@@ -2,6 +2,7 @@

 import { createClient } from "@/lib/supabase/client";
 import { TenantSwitcher } from "./TenantSwitcher";
+import { NotificationBell } from "@/components/notifications/NotificationBell";
 import { LogOut } from "lucide-react";
 import { useRouter } from "next/navigation";
 import { useEffect, useState } from "react";
@@ -29,6 +30,7 @@ export function Header() {
      <div className="w-8 lg:w-0" />
      <div className="flex items-center gap-2 sm:gap-3">
        <TenantSwitcher />
+        <NotificationBell />
        {email && (
          <span className="hidden text-sm text-neutral-500 sm:inline">
            {email}
--- a/frontend/src/components/notifications/NotificationBell.tsx
+++ b/frontend/src/components/notifications/NotificationBell.tsx
@@ -0,0 +1,205 @@
+"use client";
+
+import { useEffect, useRef, useState } from "react";
+import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
+import { Bell, Check, CheckCheck, ExternalLink } from "lucide-react";
+import { api } from "@/lib/api";
+import type { Notification, NotificationListResponse } from "@/lib/types";
+
+function getEntityLink(n: Notification): string | null {
+  if (!n.entity_type || !n.entity_id) return null;
+  switch (n.entity_type) {
+    case "deadline":
+      return `/fristen/${n.entity_id}`;
+    case "appointment":
+      return `/termine/${n.entity_id}`;
+    case "case":
+      return `/akten/${n.entity_id}`;
+    default:
+      return null;
+  }
+}
+
+function getTypeColor(type: Notification["type"]): string {
+  switch (type) {
+    case "deadline_overdue":
+      return "bg-red-500";
+    case "deadline_reminder":
+      return "bg-amber-500";
+    case "case_update":
+      return "bg-blue-500";
+    case "assignment":
+      return "bg-violet-500";
+    default:
+      return "bg-neutral-500";
+  }
+}
+
+function timeAgo(dateStr: string): string {
+  const now = new Date();
+  const date = new Date(dateStr);
+  const diffMs = now.getTime() - date.getTime();
+  const diffMin = Math.floor(diffMs / 60000);
+  if (diffMin < 1) return "gerade eben";
+  if (diffMin < 60) return `vor ${diffMin} Min.`;
+  const diffHours = Math.floor(diffMin / 60);
+  if (diffHours < 24) return `vor ${diffHours} Std.`;
+  const diffDays = Math.floor(diffHours / 24);
+  if (diffDays === 1) return "gestern";
+  return `vor ${diffDays} Tagen`;
+}
+
+export function NotificationBell() {
+  const [open, setOpen] = useState(false);
+  const panelRef = useRef<HTMLDivElement>(null);
+  const queryClient = useQueryClient();
+
+  const { data: unreadData } = useQuery({
+    queryKey: ["notifications-unread-count"],
+    queryFn: () =>
+      api.get<{ unread_count: number }>("/api/notifications/unread-count"),
+    refetchInterval: 30_000,
+  });
+
+  const { data: notifData } = useQuery({
+    queryKey: ["notifications"],
+    queryFn: () =>
+      api.get<NotificationListResponse>("/api/notifications?limit=20"),
+    enabled: open,
+  });
+
+  const markRead = useMutation({
+    mutationFn: (id: string) =>
+      api.patch(`/api/notifications/${id}/read`),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["notifications"] });
+      queryClient.invalidateQueries({
+        queryKey: ["notifications-unread-count"],
+      });
+    },
+  });
+
+  const markAllRead = useMutation({
+    mutationFn: () => api.patch("/api/notifications/read-all"),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["notifications"] });
+      queryClient.invalidateQueries({
+        queryKey: ["notifications-unread-count"],
+      });
+    },
+  });
+
+  // Close on click outside
+  useEffect(() => {
+    function handleClickOutside(e: MouseEvent) {
+      if (panelRef.current && !panelRef.current.contains(e.target as Node)) {
+        setOpen(false);
+      }
+    }
+    if (open) {
+      document.addEventListener("mousedown", handleClickOutside);
+    }
+    return () => document.removeEventListener("mousedown", handleClickOutside);
+  }, [open]);
+
+  const unreadCount = unreadData?.unread_count ?? 0;
+  const notifications = notifData?.data ?? [];
+
+  return (
+    <div className="relative" ref={panelRef}>
+      <button
+        onClick={() => setOpen(!open)}
+        className="relative rounded-md p-1.5 text-neutral-400 transition-colors hover:bg-neutral-100 hover:text-neutral-600"
+        title="Benachrichtigungen"
+      >
+        <Bell className="h-4 w-4" />
+        {unreadCount > 0 && (
+          <span className="absolute -right-0.5 -top-0.5 flex h-4 min-w-4 items-center justify-center rounded-full bg-red-500 px-1 text-[10px] font-bold text-white">
+            {unreadCount > 99 ? "99+" : unreadCount}
+          </span>
+        )}
+      </button>
+
+      {open && (
+        <div className="absolute right-0 top-full z-50 mt-2 w-80 rounded-xl border border-neutral-200 bg-white shadow-lg sm:w-96">
+          {/* Header */}
+          <div className="flex items-center justify-between border-b border-neutral-100 px-4 py-3">
+            <h3 className="text-sm font-semibold text-neutral-900">
+              Benachrichtigungen
+            </h3>
+            {unreadCount > 0 && (
+              <button
+                onClick={() => markAllRead.mutate()}
+                className="flex items-center gap-1 text-xs text-neutral-500 hover:text-neutral-700"
+              >
+                <CheckCheck className="h-3 w-3" />
+                Alle gelesen
+              </button>
+            )}
+          </div>
+
+          {/* Notification list */}
+          <div className="max-h-96 overflow-y-auto">
+            {notifications.length === 0 ? (
+              <div className="p-6 text-center text-sm text-neutral-400">
+                Keine Benachrichtigungen
+              </div>
+            ) : (
+              notifications.map((n) => {
+                const link = getEntityLink(n);
+                return (
+                  <div
+                    key={n.id}
+                    className={`flex items-start gap-3 border-b border-neutral-50 px-4 py-3 transition-colors last:border-0 ${
+                      n.read_at
+                        ? "bg-white"
+                        : "bg-blue-50/50"
+                    }`}
+                  >
+                    <div
+                      className={`mt-1.5 h-2 w-2 flex-shrink-0 rounded-full ${getTypeColor(n.type)}`}
+                    />
+                    <div className="min-w-0 flex-1">
+                      <p className="text-sm font-medium text-neutral-900 leading-snug">
+                        {n.title}
+                      </p>
+                      {n.body && (
+                        <p className="mt-0.5 text-xs text-neutral-500 line-clamp-2">
+                          {n.body}
+                        </p>
+                      )}
+                      <div className="mt-1.5 flex items-center gap-2">
+                        <span className="text-[11px] text-neutral-400">
+                          {timeAgo(n.created_at)}
+                        </span>
+                        {link && (
+                          <a
+                            href={link}
+                            onClick={() => setOpen(false)}
+                            className="flex items-center gap-0.5 text-[11px] text-blue-600 hover:text-blue-700"
+                          >
+                            <ExternalLink className="h-2.5 w-2.5" />
+                            Anzeigen
+                          </a>
+                        )}
+                      </div>
+                    </div>
+                    {!n.read_at && (
+                      <button
+                        onClick={() => markRead.mutate(n.id)}
+                        className="flex-shrink-0 rounded p-1 text-neutral-400 hover:bg-neutral-100 hover:text-neutral-600"
+                        title="Als gelesen markieren"
+                      >
+                        <Check className="h-3 w-3" />
+                      </button>
+                    )}
+                  </div>
+                );
+              })
+            )}
+          </div>
+        </div>
+      )}
+    </div>
+  );
+}
--- a/frontend/src/components/settings/NotificationSettings.tsx
+++ b/frontend/src/components/settings/NotificationSettings.tsx
@@ -0,0 +1,167 @@
+"use client";
+
+import { useState } from "react";
+import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
+import { api } from "@/lib/api";
+import type { NotificationPreferences } from "@/lib/types";
+
+const REMINDER_OPTIONS = [
+  { value: 14, label: "14 Tage" },
+  { value: 7, label: "7 Tage" },
+  { value: 3, label: "3 Tage" },
+  { value: 1, label: "1 Tag" },
+];
+
+export function NotificationSettings() {
+  const queryClient = useQueryClient();
+  const [saved, setSaved] = useState(false);
+
+  const { data: prefs, isLoading } = useQuery({
+    queryKey: ["notification-preferences"],
+    queryFn: () =>
+      api.get<NotificationPreferences>("/api/notification-preferences"),
+  });
+
+  const [reminderDays, setReminderDays] = useState<number[]>([]);
+  const [emailEnabled, setEmailEnabled] = useState(true);
+  const [dailyDigest, setDailyDigest] = useState(false);
+  const [initialized, setInitialized] = useState(false);
+
+  // Sync state from server once loaded
+  if (prefs && !initialized) {
+    setReminderDays(prefs.deadline_reminder_days);
+    setEmailEnabled(prefs.email_enabled);
+    setDailyDigest(prefs.daily_digest);
+    setInitialized(true);
+  }
+
+  const update = useMutation({
+    mutationFn: (input: {
+      deadline_reminder_days: number[];
+      email_enabled: boolean;
+      daily_digest: boolean;
+    }) => api.put<NotificationPreferences>("/api/notification-preferences", input),
+    onSuccess: () => {
+      queryClient.invalidateQueries({
+        queryKey: ["notification-preferences"],
+      });
+      setSaved(true);
+      setTimeout(() => setSaved(false), 2000);
+    },
+  });
+
+  function toggleDay(day: number) {
+    setReminderDays((prev) =>
+      prev.includes(day) ? prev.filter((d) => d !== day) : [...prev, day].sort((a, b) => b - a),
+    );
+  }
+
+  function handleSave() {
+    update.mutate({
+      deadline_reminder_days: reminderDays,
+      email_enabled: emailEnabled,
+      daily_digest: dailyDigest,
+    });
+  }
+
+  if (isLoading) {
+    return (
+      <div className="animate-pulse space-y-3">
+        <div className="h-4 w-48 rounded bg-neutral-200" />
+        <div className="h-8 w-full rounded bg-neutral-100" />
+        <div className="h-8 w-full rounded bg-neutral-100" />
+      </div>
+    );
+  }
+
+  return (
+    <div className="space-y-5">
+      {/* Reminder days */}
+      <div>
+        <p className="text-sm font-medium text-neutral-700">
+          Fristen-Erinnerungen
+        </p>
+        <p className="mt-0.5 text-xs text-neutral-500">
+          Erinnern Sie mich vor Fristablauf:
+        </p>
+        <div className="mt-2 flex flex-wrap gap-2">
+          {REMINDER_OPTIONS.map((opt) => (
+            <button
+              key={opt.value}
+              onClick={() => toggleDay(opt.value)}
+              className={`rounded-lg border px-3 py-1.5 text-sm transition-colors ${
+                reminderDays.includes(opt.value)
+                  ? "border-blue-500 bg-blue-50 text-blue-700"
+                  : "border-neutral-200 bg-white text-neutral-600 hover:border-neutral-300"
+              }`}
+            >
+              {opt.label}
+            </button>
+          ))}
+        </div>
+      </div>
+
+      {/* Email toggle */}
+      <label className="flex items-center justify-between">
+        <div>
+          <p className="text-sm font-medium text-neutral-700">
+            E-Mail-Benachrichtigungen
+          </p>
+          <p className="text-xs text-neutral-500">
+            Erinnerungen per E-Mail erhalten
+          </p>
+        </div>
+        <button
+          onClick={() => setEmailEnabled(!emailEnabled)}
+          className={`relative h-6 w-11 rounded-full transition-colors ${
+            emailEnabled ? "bg-blue-500" : "bg-neutral-300"
+          }`}
+        >
+          <span
+            className={`absolute left-0.5 top-0.5 h-5 w-5 rounded-full bg-white shadow transition-transform ${
+              emailEnabled ? "translate-x-5" : "translate-x-0"
+            }`}
+          />
+        </button>
+      </label>
+
+      {/* Daily digest toggle */}
+      <label className="flex items-center justify-between">
+        <div>
+          <p className="text-sm font-medium text-neutral-700">
+            Tagesübersicht
+          </p>
+          <p className="text-xs text-neutral-500">
+            Alle Benachrichtigungen gesammelt um 8:00 Uhr per E-Mail
+          </p>
+        </div>
+        <button
+          onClick={() => setDailyDigest(!dailyDigest)}
+          className={`relative h-6 w-11 rounded-full transition-colors ${
+            dailyDigest ? "bg-blue-500" : "bg-neutral-300"
+          }`}
+        >
+          <span
+            className={`absolute left-0.5 top-0.5 h-5 w-5 rounded-full bg-white shadow transition-transform ${
+              dailyDigest ? "translate-x-5" : "translate-x-0"
+            }`}
+          />
+        </button>
+      </label>
+
+      {/* Save */}
+      <div className="flex items-center gap-3 pt-2">
+        <button
+          onClick={handleSave}
+          disabled={update.isPending}
+          className="rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white hover:bg-neutral-800 disabled:opacity-50"
+        >
+          {update.isPending ? "Speichern..." : "Speichern"}
+        </button>
+        {saved && (
+          <span className="text-sm text-green-600">Gespeichert</span>
+        )}
+      </div>
+    </div>
+  );
+}
--- a/frontend/src/lib/types.ts
+++ b/frontend/src/lib/types.ts
@@ -189,6 +189,37 @@ export interface Note {
  updated_at: string;
 }

+// Notifications
+
+export interface Notification {
+  id: string;
+  tenant_id: string;
+  user_id: string;
+  type: "deadline_reminder" | "deadline_overdue" | "case_update" | "assignment";
+  entity_type?: "deadline" | "appointment" | "case";
+  entity_id?: string;
+  title: string;
+  body?: string;
+  sent_at?: string;
+  read_at?: string;
+  created_at: string;
+}
+
+export interface NotificationPreferences {
+  user_id: string;
+  tenant_id: string;
+  deadline_reminder_days: number[];
+  email_enabled: boolean;
+  daily_digest: boolean;
+  created_at?: string;
+  updated_at?: string;
+}
+
+export interface NotificationListResponse {
+  data: Notification[];
+  total: number;
+}
+
 export interface ApiError {
  error: string;
  status: number;