fix: remove /api/ double-prefix from all frontend API calls

Frontend api.ts baseUrl is already "/api", so paths like
"/api/cases" produced "/api/api/cases". Stripped the redundant
prefix from all component calls. Rewrite destination correctly
adds /api/ back for the Go backend.

.env.example

@@ -3,11 +3,16 @@
 
 # Backend
 PORT=8080
+DATABASE_URL=postgresql://user:pass@host:5432/dbname
 
-# Supabase (required for database access)
+# Supabase (required for database + auth)
-SUPABASE_URL=
+SUPABASE_URL=https://your-project.supabase.co
 SUPABASE_ANON_KEY=
 SUPABASE_SERVICE_KEY=
+SUPABASE_JWT_SECRET=
 
 # Claude API (required for AI features)
 ANTHROPIC_API_KEY=
+
+# CalDAV (configured per-tenant in tenant settings, not env vars)
+# See tenant.settings.caldav JSON field

backend/cmd/server/main.go

@@ -1,25 +1,31 @@
 package main
 
 import (
-	"log"
+	"log/slog"
 	"net/http"
+	"os"
 
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/config"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/db"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/logging"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/router"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
 )
 
 func main() {
+	logging.Setup()
+
 	cfg, err := config.Load()
 	if err != nil {
-		log.Fatalf("Failed to load config: %v", err)
+		slog.Error("failed to load config", "error", err)
+		os.Exit(1)
 	}
 
 	database, err := db.Connect(cfg.DatabaseURL)
 	if err != nil {
-		log.Fatalf("Failed to connect to database: %v", err)
+		slog.Error("failed to connect to database", "error", err)
+		os.Exit(1)
 	}
 	defer database.Close()
 
@@ -32,8 +38,9 @@ func main() {
 
 	handler := router.New(database, authMW, cfg, calDAVSvc)
 
-	log.Printf("Starting KanzlAI API server on :%s", cfg.Port)
+	slog.Info("starting KanzlAI API server", "port", cfg.Port)
 	if err := http.ListenAndServe(":"+cfg.Port, handler); err != nil {
-		log.Fatal(err)
+		slog.Error("server failed", "error", err)
+		os.Exit(1)
 	}
 }

backend/internal/integration_test.go

@@ -0,0 +1,273 @@
+package internal_test
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+	"time"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/config"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/db"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/router"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
+)
+
+// testServer sets up the full router with a real DB connection.
+// Requires DATABASE_URL and SUPABASE_JWT_SECRET env vars.
+func testServer(t *testing.T) (http.Handler, func()) {
+	t.Helper()
+
+	dbURL := os.Getenv("DATABASE_URL")
+	if dbURL == "" {
+		t.Skip("DATABASE_URL not set, skipping integration test")
+	}
+	jwtSecret := os.Getenv("SUPABASE_JWT_SECRET")
+	if jwtSecret == "" {
+		jwtSecret = "test-jwt-secret-for-integration-tests"
+		os.Setenv("SUPABASE_JWT_SECRET", jwtSecret)
+	}
+
+	database, err := db.Connect(dbURL)
+	if err != nil {
+		t.Fatalf("connecting to database: %v", err)
+	}
+
+	cfg := &config.Config{
+		Port:              "0",
+		DatabaseURL:       dbURL,
+		SupabaseJWTSecret: jwtSecret,
+	}
+
+	authMW := auth.NewMiddleware(jwtSecret, database)
+	handler := router.New(database, authMW, cfg, nil)
+
+	return handler, func() { database.Close() }
+}
+
+// createTestJWT creates a JWT for the given user ID, signed with the test secret.
+func createTestJWT(t *testing.T, userID uuid.UUID) string {
+	t.Helper()
+	secret := os.Getenv("SUPABASE_JWT_SECRET")
+	if secret == "" {
+		secret = "test-jwt-secret-for-integration-tests"
+	}
+
+	claims := jwt.MapClaims{
+		"sub": userID.String(),
+		"aud": "authenticated",
+		"exp": time.Now().Add(1 * time.Hour).Unix(),
+		"iat": time.Now().Unix(),
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	signed, err := token.SignedString([]byte(secret))
+	if err != nil {
+		t.Fatalf("signing JWT: %v", err)
+	}
+	return signed
+}
+
+// setupTestTenant creates a temporary tenant and user_tenant for testing.
+// Returns tenantID and userID. Cleans up on test completion.
+func setupTestTenant(t *testing.T, handler http.Handler) (tenantID, userID uuid.UUID) {
+	t.Helper()
+
+	dbURL := os.Getenv("DATABASE_URL")
+	database, err := db.Connect(dbURL)
+	if err != nil {
+		t.Fatalf("connecting to database for setup: %v", err)
+	}
+	defer database.Close()
+
+	tenantID = uuid.New()
+	userID = uuid.New()
+
+	_, err = database.Exec(`INSERT INTO tenants (id, name, slug) VALUES ($1, $2, $3)`,
+		tenantID, "Integration Test Kanzlei "+tenantID.String()[:8], "test-"+tenantID.String()[:8])
+	if err != nil {
+		t.Fatalf("creating test tenant: %v", err)
+	}
+
+	// Create a user in auth.users so JWT auth works
+	_, err = database.Exec(`INSERT INTO auth.users (id, instance_id, role, aud, email, encrypted_password, email_confirmed_at, created_at, updated_at, confirmation_token, recovery_token)
+		VALUES ($1, '00000000-0000-0000-0000-000000000000', 'authenticated', 'authenticated', $2, '', NOW(), NOW(), NOW(), '', '')`,
+		userID, fmt.Sprintf("test-%s@kanzlai.test", userID.String()[:8]))
+	if err != nil {
+		t.Fatalf("creating test user: %v", err)
+	}
+
+	_, err = database.Exec(`INSERT INTO user_tenants (user_id, tenant_id, role) VALUES ($1, $2, 'owner')`,
+		userID, tenantID)
+	if err != nil {
+		t.Fatalf("creating user_tenant: %v", err)
+	}
+
+	t.Cleanup(func() {
+		cleanupDB, _ := db.Connect(dbURL)
+		if cleanupDB != nil {
+			cleanupDB.Exec(`DELETE FROM case_events WHERE tenant_id = $1`, tenantID)
+			cleanupDB.Exec(`DELETE FROM deadlines WHERE tenant_id = $1`, tenantID)
+			cleanupDB.Exec(`DELETE FROM appointments WHERE tenant_id = $1`, tenantID)
+			cleanupDB.Exec(`DELETE FROM parties WHERE tenant_id = $1`, tenantID)
+			cleanupDB.Exec(`DELETE FROM documents WHERE tenant_id = $1`, tenantID)
+			cleanupDB.Exec(`DELETE FROM cases WHERE tenant_id = $1`, tenantID)
+			cleanupDB.Exec(`DELETE FROM user_tenants WHERE tenant_id = $1`, tenantID)
+			cleanupDB.Exec(`DELETE FROM tenants WHERE id = $1`, tenantID)
+			cleanupDB.Exec(`DELETE FROM auth.users WHERE id = $1`, userID)
+			cleanupDB.Close()
+		}
+	})
+
+	return tenantID, userID
+}
+
+func TestHealthEndpoint(t *testing.T) {
+	handler, cleanup := testServer(t)
+	defer cleanup()
+
+	req := httptest.NewRequest("GET", "/health", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+
+	var resp map[string]string
+	json.Unmarshal(w.Body.Bytes(), &resp)
+	if resp["status"] != "ok" {
+		t.Fatalf("expected status ok, got %v", resp)
+	}
+}
+
+func TestCriticalPath_CreateCase_AddDeadline_Dashboard(t *testing.T) {
+	handler, cleanup := testServer(t)
+	defer cleanup()
+
+	_, userID := setupTestTenant(t, handler)
+	token := createTestJWT(t, userID)
+
+	// Step 1: Create a case
+	caseBody := `{"case_number":"TEST/001","title":"Integration Test — Patentverletzung","case_type":"patent","court":"UPC München"}`
+	req := httptest.NewRequest("POST", "/api/cases", bytes.NewBufferString(caseBody))
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", "Bearer "+token)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusCreated {
+		t.Fatalf("create case: expected 201, got %d: %s", w.Code, w.Body.String())
+	}
+
+	var createdCase map[string]interface{}
+	json.Unmarshal(w.Body.Bytes(), &createdCase)
+	caseID, ok := createdCase["id"].(string)
+	if !ok || caseID == "" {
+		t.Fatalf("create case: missing ID in response: %v", createdCase)
+	}
+	t.Logf("Created case: %s", caseID)
+
+	// Step 2: List cases — verify our case is there
+	req = httptest.NewRequest("GET", "/api/cases", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	w = httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("list cases: expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+
+	var caseList map[string]interface{}
+	json.Unmarshal(w.Body.Bytes(), &caseList)
+	total := caseList["total"].(float64)
+	if total < 1 {
+		t.Fatalf("list cases: expected at least 1 case, got %.0f", total)
+	}
+
+	// Step 3: Add a deadline to the case
+	dueDate := time.Now().AddDate(0, 0, 14).Format("2006-01-02")
+	warnDate := time.Now().AddDate(0, 0, 10).Format("2006-01-02")
+	deadlineBody := fmt.Sprintf(`{"title":"Klageerwiderung einreichen","due_date":"%s","warning_date":"%s","source":"manual"}`, dueDate, warnDate)
+	req = httptest.NewRequest("POST", "/api/cases/"+caseID+"/deadlines", bytes.NewBufferString(deadlineBody))
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", "Bearer "+token)
+	w = httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusCreated {
+		t.Fatalf("create deadline: expected 201, got %d: %s", w.Code, w.Body.String())
+	}
+
+	var createdDeadline map[string]interface{}
+	json.Unmarshal(w.Body.Bytes(), &createdDeadline)
+	deadlineID, ok := createdDeadline["id"].(string)
+	if !ok || deadlineID == "" {
+		t.Fatalf("create deadline: missing ID in response: %v", createdDeadline)
+	}
+	t.Logf("Created deadline: %s", deadlineID)
+
+	// Step 4: Verify deadline appears in case deadlines
+	req = httptest.NewRequest("GET", "/api/cases/"+caseID+"/deadlines", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	w = httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("list deadlines: expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+
+	var deadlines []interface{}
+	json.Unmarshal(w.Body.Bytes(), &deadlines)
+	if len(deadlines) < 1 {
+		t.Fatalf("list deadlines: expected at least 1, got %d", len(deadlines))
+	}
+
+	// Step 5: Fetch dashboard — should include our case and deadline
+	req = httptest.NewRequest("GET", "/api/dashboard", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	w = httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("dashboard: expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+
+	var dashboard map[string]interface{}
+	json.Unmarshal(w.Body.Bytes(), &dashboard)
+
+	// Verify dashboard has expected sections
+	for _, key := range []string{"deadline_summary", "case_summary", "upcoming_deadlines"} {
+		if _, exists := dashboard[key]; !exists {
+			t.Errorf("dashboard: missing key %q in response", key)
+		}
+	}
+
+	// Verify case_summary shows at least 1 active case
+	if cs, ok := dashboard["case_summary"].(map[string]interface{}); ok {
+		if active, ok := cs["active"].(float64); ok && active < 1 {
+			t.Errorf("dashboard: expected at least 1 active case, got %.0f", active)
+		}
+	}
+
+	t.Logf("Full critical path passed: auth -> create case -> add deadline -> dashboard")
+}
+
+func TestUnauthenticatedAccess(t *testing.T) {
+	handler, cleanup := testServer(t)
+	defer cleanup()
+
+	// Accessing API without token should return 401
+	req := httptest.NewRequest("GET", "/api/cases", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Fatalf("expected 401, got %d: %s", w.Code, w.Body.String())
+	}
+}

backend/internal/logging/logging.go

@@ -0,0 +1,14 @@
+package logging
+
+import (
+	"log/slog"
+	"os"
+)
+
+// Setup initializes the global slog logger with JSON output for production.
+func Setup() {
+	handler := slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{
+		Level: slog.LevelInfo,
+	})
+	slog.SetDefault(slog.New(handler))
+}

backend/internal/middleware/ratelimit.go

@@ -0,0 +1,98 @@
+package middleware
+
+import (
+	"log/slog"
+	"net/http"
+	"sync"
+	"time"
+)
+
+// TokenBucket implements a simple per-IP token bucket rate limiter.
+type TokenBucket struct {
+	mu      sync.Mutex
+	buckets map[string]*bucket
+	rate    float64 // tokens per second
+	burst   int     // max tokens
+}
+
+type bucket struct {
+	tokens   float64
+	lastTime time.Time
+}
+
+// NewTokenBucket creates a rate limiter allowing rate requests per second with burst capacity.
+func NewTokenBucket(rate float64, burst int) *TokenBucket {
+	tb := &TokenBucket{
+		buckets: make(map[string]*bucket),
+		rate:    rate,
+		burst:   burst,
+	}
+	// Periodically clean up stale buckets
+	go tb.cleanup()
+	return tb
+}
+
+func (tb *TokenBucket) allow(key string) bool {
+	tb.mu.Lock()
+	defer tb.mu.Unlock()
+
+	b, ok := tb.buckets[key]
+	if !ok {
+		b = &bucket{tokens: float64(tb.burst), lastTime: time.Now()}
+		tb.buckets[key] = b
+	}
+
+	now := time.Now()
+	elapsed := now.Sub(b.lastTime).Seconds()
+	b.tokens += elapsed * tb.rate
+	if b.tokens > float64(tb.burst) {
+		b.tokens = float64(tb.burst)
+	}
+	b.lastTime = now
+
+	if b.tokens < 1 {
+		return false
+	}
+	b.tokens--
+	return true
+}
+
+func (tb *TokenBucket) cleanup() {
+	ticker := time.NewTicker(5 * time.Minute)
+	defer ticker.Stop()
+	for range ticker.C {
+		tb.mu.Lock()
+		cutoff := time.Now().Add(-10 * time.Minute)
+		for key, b := range tb.buckets {
+			if b.lastTime.Before(cutoff) {
+				delete(tb.buckets, key)
+			}
+		}
+		tb.mu.Unlock()
+	}
+}
+
+// Limit wraps an http.Handler with rate limiting.
+func (tb *TokenBucket) Limit(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ip := r.Header.Get("X-Forwarded-For")
+		if ip == "" {
+			ip = r.RemoteAddr
+		}
+		if !tb.allow(ip) {
+			slog.Warn("rate limit exceeded", "ip", ip, "path", r.URL.Path)
+			w.Header().Set("Content-Type", "application/json")
+			w.Header().Set("Retry-After", "10")
+			w.WriteHeader(http.StatusTooManyRequests)
+			w.Write([]byte(`{"error":"rate limit exceeded, try again later"}`))
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+// LimitFunc wraps an http.HandlerFunc with rate limiting.
+func (tb *TokenBucket) LimitFunc(next http.HandlerFunc) http.HandlerFunc {
+	limited := tb.Limit(http.HandlerFunc(next))
+	return limited.ServeHTTP
+}

backend/internal/middleware/ratelimit_test.go

@@ -0,0 +1,70 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestTokenBucket_AllowsBurst(t *testing.T) {
+	tb := NewTokenBucket(1.0, 5) // 1/sec, burst 5
+
+	handler := tb.LimitFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	// Should allow burst of 5 requests
+	for i := 0; i < 5; i++ {
+		req := httptest.NewRequest("GET", "/test", nil)
+		w := httptest.NewRecorder()
+		handler.ServeHTTP(w, req)
+		if w.Code != http.StatusOK {
+			t.Fatalf("request %d: expected 200, got %d", i+1, w.Code)
+		}
+	}
+
+	// 6th request should be rate limited
+	req := httptest.NewRequest("GET", "/test", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+	if w.Code != http.StatusTooManyRequests {
+		t.Fatalf("request 6: expected 429, got %d", w.Code)
+	}
+}
+
+func TestTokenBucket_DifferentIPs(t *testing.T) {
+	tb := NewTokenBucket(1.0, 2) // 1/sec, burst 2
+
+	handler := tb.LimitFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	// Exhaust IP1's bucket
+	for i := 0; i < 2; i++ {
+		req := httptest.NewRequest("GET", "/test", nil)
+		req.Header.Set("X-Forwarded-For", "1.2.3.4")
+		w := httptest.NewRecorder()
+		handler.ServeHTTP(w, req)
+		if w.Code != http.StatusOK {
+			t.Fatalf("ip1 request %d: expected 200, got %d", i+1, w.Code)
+		}
+	}
+
+	// IP1 should now be limited
+	req := httptest.NewRequest("GET", "/test", nil)
+	req.Header.Set("X-Forwarded-For", "1.2.3.4")
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+	if w.Code != http.StatusTooManyRequests {
+		t.Fatalf("ip1 request 3: expected 429, got %d", w.Code)
+	}
+
+	// IP2 should still work
+	req = httptest.NewRequest("GET", "/test", nil)
+	req.Header.Set("X-Forwarded-For", "5.6.7.8")
+	w = httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+	if w.Code != http.StatusOK {
+		t.Fatalf("ip2 request 1: expected 200, got %d", w.Code)
+	}
+}

backend/internal/router/router.go

@@ -2,13 +2,16 @@ package router
 
 import (
 	"encoding/json"
+	"log/slog"
 	"net/http"
+	"time"
 
 	"github.com/jmoiron/sqlx"
 
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/config"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/handlers"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/middleware"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
 )
 
@@ -113,10 +116,11 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	scoped.HandleFunc("GET /api/documents/{docId}/meta", docH.GetMeta)
 	scoped.HandleFunc("DELETE /api/documents/{docId}", docH.Delete)
 
-	// AI endpoints
+	// AI endpoints (rate limited: 5 req/min burst 10 per IP)
 	if aiH != nil {
-		scoped.HandleFunc("POST /api/ai/extract-deadlines", aiH.ExtractDeadlines)
+		aiLimiter := middleware.NewTokenBucket(5.0/60.0, 10)
-		scoped.HandleFunc("POST /api/ai/summarize-case", aiH.SummarizeCase)
+		scoped.HandleFunc("POST /api/ai/extract-deadlines", aiLimiter.LimitFunc(aiH.ExtractDeadlines))
+		scoped.HandleFunc("POST /api/ai/summarize-case", aiLimiter.LimitFunc(aiH.SummarizeCase))
 	}
 
 	// CalDAV sync endpoints
@@ -131,7 +135,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 
 	mux.Handle("/api/", authMW.RequireAuth(api))
 
-	return mux
+	return requestLogger(mux)
 }
 
 func handleHealth(db *sqlx.DB) http.HandlerFunc {
@@ -146,3 +150,34 @@ func handleHealth(db *sqlx.DB) http.HandlerFunc {
 	}
 }
 
+type statusWriter struct {
+	http.ResponseWriter
+	status int
+}
+
+func (w *statusWriter) WriteHeader(code int) {
+	w.status = code
+	w.ResponseWriter.WriteHeader(code)
+}
+
+func requestLogger(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Skip health checks to reduce noise
+		if r.URL.Path == "/health" {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		sw := &statusWriter{ResponseWriter: w, status: http.StatusOK}
+		start := time.Now()
+		next.ServeHTTP(sw, r)
+
+		slog.Info("request",
+			"method", r.Method,
+			"path", r.URL.Path,
+			"status", sw.status,
+			"duration_ms", time.Since(start).Milliseconds(),
+		)
+	})
+}
+

backend/internal/services/caldav_service.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"log"
+	"log/slog"
 	"strings"
 	"sync"
 	"time"
@@ -83,14 +83,14 @@ func (s *CalDAVService) Start() {
 	s.wg.Go(func() {
 		s.backgroundLoop()
 	})
-	log.Println("CalDAV sync service started")
+	slog.Info("CalDAV sync service started")
 }
 
 // Stop gracefully stops the background sync.
 func (s *CalDAVService) Stop() {
 	close(s.stopCh)
 	s.wg.Wait()
-	log.Println("CalDAV sync service stopped")
+	slog.Info("CalDAV sync service stopped")
 }
 
 // backgroundLoop polls tenants at their configured interval.
@@ -113,7 +113,7 @@ func (s *CalDAVService) backgroundLoop() {
 func (s *CalDAVService) syncAllTenants() {
 	configs, err := s.loadAllTenantConfigs()
 	if err != nil {
-		log.Printf("CalDAV: failed to load tenant configs: %v", err)
+		slog.Error("CalDAV: failed to load tenant configs", "error", err)
 		return
 	}
 
@@ -137,7 +137,7 @@ func (s *CalDAVService) syncAllTenants() {
 			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
 			defer cancel()
 			if _, err := s.SyncTenant(ctx, tid, c); err != nil {
-				log.Printf("CalDAV: sync failed for tenant %s: %v", tid, err)
+				slog.Error("CalDAV: sync failed", "tenant_id", tid, "error", err)
 			}
 		}(tenantID, cfg)
 	}
@@ -649,7 +649,7 @@ func (s *CalDAVService) logConflictEvent(ctx context.Context, tenantID, caseID u
 		VALUES ($1, $2, $3, 'caldav_conflict', $4, $5, $6, NOW(), NOW())`,
 		uuid.New(), tenantID, caseID, "CalDAV sync conflict", msg, metadata)
 	if err != nil {
-		log.Printf("CalDAV: failed to log conflict event: %v", err)
+		slog.Error("CalDAV: failed to log conflict event", "error", err)
 	}
 }
 

backend/seed/demo_data.sql

@@ -0,0 +1,167 @@
+-- KanzlAI Demo Data
+-- Creates 1 test tenant, 5 cases with deadlines and appointments
+-- Run with: psql $DATABASE_URL -f demo_data.sql
+
+SET search_path TO kanzlai, public;
+
+-- Demo tenant
+INSERT INTO tenants (id, name, slug, settings) VALUES
+  ('a0000000-0000-0000-0000-000000000001', 'Kanzlei Siebels & Partner', 'siebels-partner', '{}')
+ON CONFLICT (id) DO NOTHING;
+
+-- Link both users to the demo tenant
+INSERT INTO user_tenants (user_id, tenant_id, role) VALUES
+  ('1da9374d-a8a6-49fc-a2ec-5ddfa91d522d', 'a0000000-0000-0000-0000-000000000001', 'owner'),
+  ('ac6c9501-3757-4a6d-8b97-2cff4288382b', 'a0000000-0000-0000-0000-000000000001', 'member')
+ON CONFLICT DO NOTHING;
+
+-- ============================================================
+-- Case 1: Patentverletzung (patent infringement) — active
+-- ============================================================
+INSERT INTO cases (id, tenant_id, case_number, title, case_type, court, court_ref, status) VALUES
+  ('c0000000-0000-0000-0000-000000000001',
+   'a0000000-0000-0000-0000-000000000001',
+   '2026/001', 'TechCorp GmbH ./. InnovatAG — Patentverletzung EP 1234567',
+   'patent', 'UPC München (Lokalkammer)', 'UPC_CFI-123/2026',
+   'active');
+
+INSERT INTO parties (id, tenant_id, case_id, name, role, representative) VALUES
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000001',
+   'TechCorp GmbH', 'claimant', 'RA Dr. Siebels'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000001',
+   'InnovatAG', 'defendant', 'RA Müller');
+
+INSERT INTO deadlines (id, tenant_id, case_id, title, due_date, warning_date, status, source) VALUES
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000001',
+   'Klageerwiderung einreichen', CURRENT_DATE + INTERVAL '3 days', CURRENT_DATE + INTERVAL '1 day', 'pending', 'manual'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000001',
+   'Beweisangebote nachreichen', CURRENT_DATE + INTERVAL '14 days', CURRENT_DATE + INTERVAL '10 days', 'pending', 'manual'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000001',
+   'Schriftsatz Anspruch 3', CURRENT_DATE - INTERVAL '2 days', CURRENT_DATE - INTERVAL '5 days', 'pending', 'manual');
+
+INSERT INTO appointments (id, tenant_id, case_id, title, start_at, end_at, location, appointment_type) VALUES
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000001',
+   'Mündliche Verhandlung', CURRENT_DATE + INTERVAL '21 days' + TIME '10:00', CURRENT_DATE + INTERVAL '21 days' + TIME '12:00',
+   'UPC München, Saal 4', 'hearing');
+
+-- ============================================================
+-- Case 2: Markenrecht (trademark) — active
+-- ============================================================
+INSERT INTO cases (id, tenant_id, case_number, title, case_type, court, court_ref, status) VALUES
+  ('c0000000-0000-0000-0000-000000000002',
+   'a0000000-0000-0000-0000-000000000001',
+   '2026/002', 'BrandHouse ./. CopyShop UG — Markenverletzung DE 30201234',
+   'trademark', 'LG Hamburg', '315 O 78/26',
+   'active');
+
+INSERT INTO parties (id, tenant_id, case_id, name, role, representative) VALUES
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000002',
+   'BrandHouse SE', 'claimant', 'RA Dr. Siebels'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000002',
+   'CopyShop UG', 'defendant', 'RA Weber');
+
+INSERT INTO deadlines (id, tenant_id, case_id, title, due_date, warning_date, status, source) VALUES
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000002',
+   'Antrag einstweilige Verfügung', CURRENT_DATE + INTERVAL '5 days', CURRENT_DATE + INTERVAL '2 days', 'pending', 'manual'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000002',
+   'Abmahnung Fristablauf', CURRENT_DATE + INTERVAL '30 days', CURRENT_DATE + INTERVAL '25 days', 'pending', 'manual');
+
+INSERT INTO appointments (id, tenant_id, case_id, title, start_at, end_at, location, appointment_type) VALUES
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000002',
+   'Mandantenbesprechung BrandHouse', CURRENT_DATE + INTERVAL '2 days' + TIME '14:00', CURRENT_DATE + INTERVAL '2 days' + TIME '15:30',
+   'Kanzlei, Besprechungsraum 1', 'consultation');
+
+-- ============================================================
+-- Case 3: Arbeitsgericht (labor law) — active
+-- ============================================================
+INSERT INTO cases (id, tenant_id, case_number, title, case_type, court, court_ref, status) VALUES
+  ('c0000000-0000-0000-0000-000000000003',
+   'a0000000-0000-0000-0000-000000000001',
+   '2026/003', 'Schmidt ./. AutoWerk Bayern GmbH — Kündigungsschutz',
+   'labor', 'ArbG München', '12 Ca 456/26',
+   'active');
+
+INSERT INTO parties (id, tenant_id, case_id, name, role, representative) VALUES
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000003',
+   'Klaus Schmidt', 'claimant', 'RA Dr. Siebels'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000003',
+   'AutoWerk Bayern GmbH', 'defendant', 'RA Fischer');
+
+INSERT INTO deadlines (id, tenant_id, case_id, title, due_date, warning_date, status, source) VALUES
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000003',
+   'Kündigungsschutzklage einreichen (3-Wochen-Frist)', CURRENT_DATE + INTERVAL '7 days', CURRENT_DATE + INTERVAL '4 days', 'pending', 'manual'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000003',
+   'Stellungnahme Arbeitgeber', CURRENT_DATE + INTERVAL '28 days', CURRENT_DATE + INTERVAL '21 days', 'pending', 'manual');
+
+INSERT INTO appointments (id, tenant_id, case_id, title, start_at, end_at, location, appointment_type) VALUES
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000003',
+   'Güteverhandlung', CURRENT_DATE + INTERVAL '35 days' + TIME '09:00', CURRENT_DATE + INTERVAL '35 days' + TIME '10:00',
+   'ArbG München, Saal 12', 'hearing');
+
+-- ============================================================
+-- Case 4: Mietrecht (tenancy) — active
+-- ============================================================
+INSERT INTO cases (id, tenant_id, case_number, title, case_type, court, court_ref, status) VALUES
+  ('c0000000-0000-0000-0000-000000000004',
+   'a0000000-0000-0000-0000-000000000001',
+   '2026/004', 'Hausverwaltung Zentral ./. Meier — Mietrückstand',
+   'civil', 'AG München', '432 C 1234/26',
+   'active');
+
+INSERT INTO parties (id, tenant_id, case_id, name, role, representative) VALUES
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000004',
+   'Hausverwaltung Zentral GmbH', 'claimant', 'RA Dr. Siebels'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000004',
+   'Thomas Meier', 'defendant', NULL);
+
+INSERT INTO deadlines (id, tenant_id, case_id, title, due_date, warning_date, status, source) VALUES
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000004',
+   'Mahnbescheid beantragen', CURRENT_DATE + INTERVAL '10 days', CURRENT_DATE + INTERVAL '7 days', 'pending', 'manual'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000004',
+   'Räumungsfrist prüfen', CURRENT_DATE + INTERVAL '60 days', CURRENT_DATE + INTERVAL '50 days', 'pending', 'manual');
+
+INSERT INTO appointments (id, tenant_id, case_id, title, start_at, end_at, location, appointment_type) VALUES
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000004',
+   'Besprechung Hausverwaltung', CURRENT_DATE + INTERVAL '4 days' + TIME '11:00', CURRENT_DATE + INTERVAL '4 days' + TIME '12:00',
+   'Kanzlei, Besprechungsraum 2', 'meeting');
+
+-- ============================================================
+-- Case 5: Erbrecht (inheritance) — closed
+-- ============================================================
+INSERT INTO cases (id, tenant_id, case_number, title, case_type, court, court_ref, status) VALUES
+  ('c0000000-0000-0000-0000-000000000005',
+   'a0000000-0000-0000-0000-000000000001',
+   '2025/042', 'Nachlass Wagner — Erbauseinandersetzung',
+   'civil', 'AG Starnberg', '3 VI 891/25',
+   'closed');
+
+INSERT INTO parties (id, tenant_id, case_id, name, role, representative) VALUES
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000005',
+   'Maria Wagner', 'claimant', 'RA Dr. Siebels'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000005',
+   'Peter Wagner', 'defendant', 'RA Braun');
+
+INSERT INTO deadlines (id, tenant_id, case_id, title, due_date, warning_date, status, source, completed_at) VALUES
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000005',
+   'Erbscheinsantrag einreichen', CURRENT_DATE - INTERVAL '30 days', CURRENT_DATE - INTERVAL '37 days', 'completed', 'manual', CURRENT_DATE - INTERVAL '32 days');
+
+-- ============================================================
+-- Case events for realistic activity feed
+-- ============================================================
+INSERT INTO case_events (id, tenant_id, case_id, event_type, title, description, created_at, updated_at) VALUES
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000001',
+   'case_created', 'Akte angelegt', 'Patentverletzungsklage TechCorp ./. InnovatAG eröffnet', NOW() - INTERVAL '10 days', NOW() - INTERVAL '10 days'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000001',
+   'party_added', 'Partei hinzugefügt', 'TechCorp GmbH als Kläger eingetragen', NOW() - INTERVAL '10 days', NOW() - INTERVAL '10 days'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000002',
+   'case_created', 'Akte angelegt', 'Markenrechtsstreit BrandHouse ./. CopyShop eröffnet', NOW() - INTERVAL '7 days', NOW() - INTERVAL '7 days'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000003',
+   'case_created', 'Akte angelegt', 'Kündigungsschutzklage Schmidt eröffnet', NOW() - INTERVAL '5 days', NOW() - INTERVAL '5 days'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000004',
+   'case_created', 'Akte angelegt', 'Mietrückstand Hausverwaltung ./. Meier eröffnet', NOW() - INTERVAL '3 days', NOW() - INTERVAL '3 days'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000001',
+   'status_changed', 'Fristablauf überschritten', 'Schriftsatz Anspruch 3 ist überfällig', NOW() - INTERVAL '1 day', NOW() - INTERVAL '1 day'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000005',
+   'case_created', 'Akte angelegt', 'Erbauseinandersetzung Wagner eröffnet', NOW() - INTERVAL '60 days', NOW() - INTERVAL '60 days'),
+  (gen_random_uuid(), 'a0000000-0000-0000-0000-000000000001', 'c0000000-0000-0000-0000-000000000005',
+   'status_changed', 'Akte geschlossen', 'Erbscheinsverfahren abgeschlossen', NOW() - INTERVAL '20 days', NOW() - INTERVAL '20 days');

docker-compose.yml

@@ -6,6 +6,12 @@ services:
       - "8080"
     environment:
       - PORT=8080
+      - DATABASE_URL=${DATABASE_URL}
+      - SUPABASE_URL=${SUPABASE_URL}
+      - SUPABASE_ANON_KEY=${SUPABASE_ANON_KEY}
+      - SUPABASE_SERVICE_KEY=${SUPABASE_SERVICE_KEY}
+      - SUPABASE_JWT_SECRET=${SUPABASE_JWT_SECRET}
+      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
     healthcheck:
       test: ["CMD", "wget", "--spider", "-q", "http://localhost:8080/health"]
       interval: 30s
@@ -16,6 +22,9 @@ services:
   frontend:
     build:
       context: ./frontend
+      args:
+        NEXT_PUBLIC_SUPABASE_URL: ${SUPABASE_URL}
+        NEXT_PUBLIC_SUPABASE_ANON_KEY: ${SUPABASE_ANON_KEY}
     expose:
       - "3000"
     depends_on:
@@ -23,6 +32,8 @@ services:
         condition: service_healthy
     environment:
       - API_URL=http://backend:8080
+      - NEXT_PUBLIC_SUPABASE_URL=${SUPABASE_URL}
+      - NEXT_PUBLIC_SUPABASE_ANON_KEY=${SUPABASE_ANON_KEY}
     healthcheck:
       test: ["CMD", "node", "-e", "fetch('http://localhost:3000').then(r=>{if(!r.ok)throw r.status;process.exit(0)}).catch(()=>process.exit(1))"]
       interval: 30s

frontend/Dockerfile

@@ -10,6 +10,10 @@ WORKDIR /app
 COPY --from=deps /app/node_modules ./node_modules
 COPY . .
 ENV API_URL=http://backend:8080
+ARG NEXT_PUBLIC_SUPABASE_URL
+ARG NEXT_PUBLIC_SUPABASE_ANON_KEY
+ENV NEXT_PUBLIC_SUPABASE_URL=$NEXT_PUBLIC_SUPABASE_URL
+ENV NEXT_PUBLIC_SUPABASE_ANON_KEY=$NEXT_PUBLIC_SUPABASE_ANON_KEY
 RUN mkdir -p public
 RUN bun run build
 

frontend/next.config.ts

@@ -5,7 +5,7 @@ const nextConfig: NextConfig = {
   rewrites: async () => [
     {
       source: "/api/:path*",
-      destination: `${process.env.API_URL || "http://localhost:8080"}/:path*`,
+      destination: `${process.env.API_URL || "http://localhost:8080"}/api/:path*`,
     },
   ],
 };

frontend/src/app/(app)/ai/extract/page.tsx

@@ -24,7 +24,7 @@ export default function AIExtractPage() {
 
   const { data: casesData } = useQuery({
     queryKey: ["cases"],
-    queryFn: () => api.get<PaginatedResponse<Case>>("/api/cases"),
+    queryFn: () => api.get<PaginatedResponse<Case>>("/cases"),
   });
 
   const cases = casesData?.data ?? [];
@@ -40,12 +40,12 @@ export default function AIExtractPage() {
         const formData = new FormData();
         formData.append("file", file);
         response = await api.postFormData<ExtractionResponse>(
-          "/api/ai/extract-deadlines",
+          "/ai/extract-deadlines",
           formData,
         );
       } else {
         response = await api.post<ExtractionResponse>(
-          "/api/ai/extract-deadlines",
+          "/ai/extract-deadlines",
           { text },
         );
       }
@@ -74,7 +74,7 @@ export default function AIExtractPage() {
 
     try {
       const promises = deadlines.map((d) =>
-        api.post(`/api/cases/${selectedCaseId}/deadlines`, {
+        api.post(`/cases/${selectedCaseId}/deadlines`, {
           title: d.title,
           due_date: d.due_date ?? "",
           source: "ai_extraction",

frontend/src/app/(app)/fristen/page.tsx

@@ -16,7 +16,7 @@ export default function FristenPage() {
 
   const { data: deadlines } = useQuery({
     queryKey: ["deadlines"],
-    queryFn: () => api.get<Deadline[]>("/api/deadlines"),
+    queryFn: () => api.get<Deadline[]>("/deadlines"),
   });
 
   return (

frontend/src/app/(app)/termine/page.tsx

@@ -18,7 +18,7 @@ export default function TerminePage() {
 
   const { data: appointments } = useQuery({
     queryKey: ["appointments"],
-    queryFn: () => api.get<Appointment[]>("/api/appointments"),
+    queryFn: () => api.get<Appointment[]>("/appointments"),
   });
 
   function handleEdit(appointment: Appointment) {

frontend/src/components/appointments/AppointmentList.tsx

@@ -54,16 +54,16 @@ export function AppointmentList({ onEdit }: AppointmentListProps) {
 
   const { data: appointments, isLoading } = useQuery({
     queryKey: ["appointments"],
-    queryFn: () => api.get<Appointment[]>("/api/appointments"),
+    queryFn: () => api.get<Appointment[]>("/appointments"),
   });
 
   const { data: cases } = useQuery({
     queryKey: ["cases"],
-    queryFn: () => api.get<{ cases: Case[]; total: number }>("/api/cases"),
+    queryFn: () => api.get<{ cases: Case[]; total: number }>("/cases"),
   });
 
   const deleteMutation = useMutation({
-    mutationFn: (id: string) => api.delete(`/api/appointments/${id}`),
+    mutationFn: (id: string) => api.delete(`/appointments/${id}`),
     onSuccess: () => {
       queryClient.invalidateQueries({ queryKey: ["appointments"] });
       toast.success("Termin geloscht");

frontend/src/components/appointments/AppointmentModal.tsx

@@ -41,7 +41,7 @@ export function AppointmentModal({ open, onClose, appointment }: AppointmentModa
 
   const { data: cases } = useQuery({
     queryKey: ["cases"],
-    queryFn: () => api.get<{ cases: Case[]; total: number }>("/api/cases"),
+    queryFn: () => api.get<{ cases: Case[]; total: number }>("/cases"),
   });
 
   useEffect(() => {
@@ -66,7 +66,7 @@ export function AppointmentModal({ open, onClose, appointment }: AppointmentModa
 
   const createMutation = useMutation({
     mutationFn: (body: Record<string, unknown>) =>
-      api.post<Appointment>("/api/appointments", body),
+      api.post<Appointment>("/appointments", body),
     onSuccess: () => {
       queryClient.invalidateQueries({ queryKey: ["appointments"] });
       queryClient.invalidateQueries({ queryKey: ["dashboard"] });
@@ -89,7 +89,7 @@ export function AppointmentModal({ open, onClose, appointment }: AppointmentModa
   });
 
   const deleteMutation = useMutation({
-    mutationFn: () => api.delete(`/api/appointments/${appointment!.id}`),
+    mutationFn: () => api.delete(`/appointments/${appointment!.id}`),
     onSuccess: () => {
       queryClient.invalidateQueries({ queryKey: ["appointments"] });
       queryClient.invalidateQueries({ queryKey: ["dashboard"] });

frontend/src/components/deadlines/DeadlineCalculator.tsx

@@ -39,14 +39,14 @@ export function DeadlineCalculator() {
 
   const { data: proceedingTypes, isLoading: typesLoading } = useQuery({
     queryKey: ["proceeding-types"],
-    queryFn: () => api.get<ProceedingType[]>("/api/proceeding-types"),
+    queryFn: () => api.get<ProceedingType[]>("/proceeding-types"),
   });
 
   const calculateMutation = useMutation({
     mutationFn: (params: {
       proceeding_type: string;
       trigger_event_date: string;
-    }) => api.post<CalculateResponse>("/api/deadlines/calculate", params),
+    }) => api.post<CalculateResponse>("/deadlines/calculate", params),
   });
 
   function handleCalculate(e: React.FormEvent) {

frontend/src/components/deadlines/DeadlineList.tsx

@@ -54,12 +54,12 @@ export function DeadlineList() {
 
   const { data: deadlines, isLoading } = useQuery({
     queryKey: ["deadlines"],
-    queryFn: () => api.get<Deadline[]>("/api/deadlines"),
+    queryFn: () => api.get<Deadline[]>("/deadlines"),
   });
 
   const { data: cases } = useQuery({
     queryKey: ["cases"],
-    queryFn: () => api.get<Case[]>("/api/cases"),
+    queryFn: () => api.get<Case[]>("/cases"),
   });
 
   const completeMutation = useMutation({

frontend/src/components/settings/CalDAVSettings.tsx

@@ -57,7 +57,7 @@ export function CalDAVSettings({ tenant }: { tenant: Tenant }) {
   // Fetch sync status
   const { data: syncStatus } = useQuery({
     queryKey: ["caldav-status"],
-    queryFn: () => api.get<CalDAVSyncResponse>("/api/caldav/status"),
+    queryFn: () => api.get<CalDAVSyncResponse>("/caldav/status"),
     refetchInterval: 30_000,
   });
 
@@ -83,7 +83,7 @@ export function CalDAVSettings({ tenant }: { tenant: Tenant }) {
 
   // Trigger sync
   const syncMutation = useMutation({
-    mutationFn: () => api.post<CalDAVSyncResponse>("/api/caldav/sync"),
+    mutationFn: () => api.post<CalDAVSyncResponse>("/caldav/sync"),
     onSuccess: (result) => {
       queryClient.invalidateQueries({ queryKey: ["caldav-status"] });
       if (result.status === "ok") {

frontend/src/middleware.ts

@@ -55,6 +55,6 @@ export async function middleware(request: NextRequest) {
 
 export const config = {
   matcher: [
-    "/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
+    "/((?!api/|_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
   ],
 };