feat: add frontend auth pages, app layout, and Supabase integration (Phase 1E)

- Auth pages: login (password + magic link), register (with firm name), callback
- Supabase client setup: browser client, server client, middleware for session refresh
- App layout: sidebar (Dashboard, Akten, Fristen, Termine, AI Analyse, Einstellungen),
  header with user info and tenant switcher
- Shared: API client with auth headers, TypeScript types matching Go models,
  QueryClientProvider + Toaster providers
- Dependencies: @supabase/supabase-js, @supabase/ssr, @tanstack/react-query,
  lucide-react, date-fns, sonner

.claude/agents/coder.md

@@ -0,0 +1,14 @@
+# Coder Agent
+
+Implementation-focused agent for writing and refactoring code.
+
+## Instructions
+
+- Follow existing patterns in the codebase
+- Write minimal, focused code
+- Run tests after changes
+- Commit incrementally with descriptive messages
+
+## Tools
+
+All tools available.

.claude/agents/researcher.md

@@ -0,0 +1,14 @@
+# Researcher Agent
+
+Exploration and information gathering agent.
+
+## Instructions
+
+- Search broadly, then narrow down
+- Document findings in structured format
+- Cite sources and file paths
+- Summarize key insights, don't dump raw data
+
+## Tools
+
+Read-only tools preferred. Use Bash only for non-destructive commands.

.claude/agents/reviewer.md

@@ -0,0 +1,14 @@
+# Reviewer Agent
+
+Code review agent for checking quality and correctness.
+
+## Instructions
+
+- Check for bugs, security issues, and style violations
+- Verify test coverage for changes
+- Suggest improvements concisely
+- Focus on correctness over style preferences
+
+## Tools
+
+Read-only tools. No file modifications.

.claude/skills/mai-clone

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-clone

.claude/skills/mai-coder

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-coder

.claude/skills/mai-commit

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-commit

.claude/skills/mai-consultant

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-consultant

.claude/skills/mai-daily

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-daily

.claude/skills/mai-debrief

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-debrief

.claude/skills/mai-enemy

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-enemy

.claude/skills/mai-excalidraw

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-excalidraw

.claude/skills/mai-fixer

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-fixer

.claude/skills/mai-gitster

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-gitster

.claude/skills/mai-head

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-head

.claude/skills/mai-init

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-init

.claude/skills/mai-inventor

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-inventor

.claude/skills/mai-lead

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-lead

.claude/skills/mai-maister

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-maister

.claude/skills/mai-member

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-member

.claude/skills/mai-researcher

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-researcher

.claude/skills/mai-think

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-think

.claude/skills/mai-web

@@ -0,0 +1 @@
+/home/m/.mai/skills/mai-web

.gitignore

@@ -45,3 +45,4 @@ tmp/
 
 # TypeScript
 *.tsbuildinfo
+.worktrees/

.m/.gitignore

@@ -0,0 +1,4 @@
+workers.json
+spawn.lock
+session.yaml
+config.reference.yaml

.m/config.yaml

@@ -0,0 +1,168 @@
+provider: claude
+providers:
+    claude:
+        api_key: ""
+        model: claude-sonnet-4-20250514
+        base_url: https://api.anthropic.com/v1
+    ollama:
+        host: http://localhost:11434
+        model: llama3.2
+memory:
+    enabled: true
+    backend: ""
+    path: ""
+    url: postgres://mai_memory.your-tenant-id:maiMem6034supa@100.99.98.201:6543/postgres?sslmode=disable
+    group_id: ""
+    cache_ttl: 5m0s
+    auto_load: true
+    embedding_url: ""
+    embedding_model: ""
+gitea:
+    url: https://mgit.msbls.de
+    repo: m/KanzlAI
+    token: ""
+    sync:
+        enabled: false
+        interval: 0s
+        repos: []
+        auto_queue: false
+api:
+    api_key: ""
+    basic_auth:
+        username: ""
+        password: ""
+    public_endpoints:
+        - /api/health
+ui:
+    theme: default
+    show_sidebar: true
+    animation: true
+    persona: true
+    avatar_pack: ""
+worker:
+    names: []
+    name_scheme: role
+    default_level: standard
+    auto_discard: false
+    max_workers: 5
+    persistent: true
+head:
+    name: ingeborg
+    max_loops: 50
+    infinity_mode: false
+capacity:
+    global:
+        max_workers: 5
+        max_heads: 3
+    per_worker:
+        max_tasks_lifetime: 0
+        max_concurrent: 1
+        max_context_tokens: 0
+    per_head:
+        max_workers: 10
+    resources:
+        max_memory_mb: 0
+        max_cpu_percent: 0
+    queue:
+        max_pending: 100
+        stale_task_days: 30
+workforce:
+    timeouts:
+        task_default: 0s
+        task_max: 0s
+        idle_before_warn: 10m0s
+        idle_before_kill: 30m0s
+        quality_check: 2m0s
+    context:
+        max_tokens_per_worker: 0
+        max_tokens_global: 0
+        warn_threshold: 0.8
+        truncate_strategy: oldest
+    delegation:
+        strategy: skill_match
+        preferred_role: coder
+        auto_delegate: false
+        max_depth: 3
+        allowed_roles:
+            - coder
+            - researcher
+            - fixer
+    peppy:
+        enabled: false
+        style: calm
+        interval: 5m0s
+        emoji: false
+        nudges: true
+        nudge_main: false
+        custom_prompt: ""
+        stall_threshold: 0s
+        restart_enabled: false
+        max_shifts: 0
+quality_gates:
+    enabled: true
+    checks: []
+preflight:
+    enabled: false
+    type: ""
+    root: ""
+    checks: []
+guardrails:
+    enabled: false
+    use_defaults: true
+    output:
+        coder_checks: []
+        researcher_checks: []
+        fixer_checks: []
+        custom_checks: {}
+        global_checks: []
+    tools:
+        role_rules: {}
+        deny_patterns: []
+        allow_patterns: []
+    schemas:
+        report_schemas: {}
+        deliverable_schemas: {}
+modes:
+    yolo: false
+    self_improvement: false
+    autonomous: false
+    verbose: false
+    improve_interval: 0s
+    predict_interval: 0s
+layouts:
+    head: ""
+    worker: ""
+    roles: {}
+dog:
+    name: buddy
+supabase:
+    url: ""
+    role_key: ""
+    anon_key: ""
+    schema: mai
+storage:
+    backend: ""
+    postgres:
+        url: ""
+        max_conns: 0
+        min_conns: 0
+        max_conn_lifetime: 0s
+idle:
+    behavior: wait
+    auto_hire: false
+    prompt: ""
+git:
+    worktrees:
+        enabled: true
+        delete_branch: false
+        dir: .worktrees
+phase:
+    enabled: false
+    current: ""
+    allowed_roles: {}
+goal: ""
+skills: {}
+editor: nvim
+log_level: info
+project_detection: true
+tone: professional

.mcp.json

@@ -0,0 +1,22 @@
+{
+  "mcpServers": {
+    "mai": {
+      "type": "http",
+      "url": "http://100.99.98.201:8000/mcp",
+      "headers": {
+        "Authorization": "Basic ${SUPABASE_AUTH}"
+      }
+    },
+    "mai-memory": {
+      "command": "mai",
+      "args": [
+        "mcp",
+        "memory"
+      ],
+      "env": {
+        "MAI_MEMORY_EMBEDDING_MODEL": "nomic-embed-text",
+        "MAI_MEMORY_EMBEDDING_URL": "https://llm.x.msbls.de"
+      }
+    }
+  }
+}

AGENTS.md

@@ -0,0 +1 @@
+.claude/CLAUDE.md

backend/cmd/server/main.go

@@ -22,7 +22,7 @@ func main() {
 	}
 	defer database.Close()
 
-	authMW := auth.NewMiddleware(cfg.SupabaseJWTSecret)
+	authMW := auth.NewMiddleware(cfg.SupabaseJWTSecret, database)
 	handler := router.New(database, authMW)
 
 	log.Printf("Starting KanzlAI API server on :%s", cfg.Port)

backend/internal/auth/middleware.go

@@ -8,14 +8,16 @@ import (
 
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
 )
 
 type Middleware struct {
 	jwtSecret []byte
+	db        *sqlx.DB
 }
 
-func NewMiddleware(jwtSecret string) *Middleware {
-	return &Middleware{jwtSecret: []byte(jwtSecret)}
+func NewMiddleware(jwtSecret string, db *sqlx.DB) *Middleware {
+	return &Middleware{jwtSecret: []byte(jwtSecret), db: db}
 }
 
 func (m *Middleware) RequireAuth(next http.Handler) http.Handler {
@@ -33,6 +35,17 @@ func (m *Middleware) RequireAuth(next http.Handler) http.Handler {
 		}
 
 		ctx := ContextWithUserID(r.Context(), userID)
+
+		// Resolve tenant from user_tenants
+		var tenantID uuid.UUID
+		err = m.db.GetContext(r.Context(), &tenantID,
+			"SELECT tenant_id FROM user_tenants WHERE user_id = $1 LIMIT 1", userID)
+		if err != nil {
+			http.Error(w, "no tenant found for user", http.StatusForbidden)
+			return
+		}
+		ctx = ContextWithTenantID(ctx, tenantID)
+
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }

backend/internal/auth/tenant_resolver.go

@@ -0,0 +1,61 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/google/uuid"
+)
+
+// TenantLookup resolves the default tenant for a user.
+// Defined as an interface to avoid circular dependency with services.
+type TenantLookup interface {
+	FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error)
+}
+
+// TenantResolver is middleware that resolves the tenant from X-Tenant-ID header
+// or defaults to the user's first tenant.
+type TenantResolver struct {
+	lookup TenantLookup
+}
+
+func NewTenantResolver(lookup TenantLookup) *TenantResolver {
+	return &TenantResolver{lookup: lookup}
+}
+
+func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		userID, ok := UserFromContext(r.Context())
+		if !ok {
+			http.Error(w, "unauthorized", http.StatusUnauthorized)
+			return
+		}
+
+		var tenantID uuid.UUID
+
+		if header := r.Header.Get("X-Tenant-ID"); header != "" {
+			parsed, err := uuid.Parse(header)
+			if err != nil {
+				http.Error(w, fmt.Sprintf("invalid X-Tenant-ID: %v", err), http.StatusBadRequest)
+				return
+			}
+			tenantID = parsed
+		} else {
+			// Default to user's first tenant
+			first, err := tr.lookup.FirstTenantForUser(r.Context(), userID)
+			if err != nil {
+				http.Error(w, fmt.Sprintf("resolving tenant: %v", err), http.StatusInternalServerError)
+				return
+			}
+			if first == nil {
+				http.Error(w, "no tenant found for user", http.StatusBadRequest)
+				return
+			}
+			tenantID = *first
+		}
+
+		ctx := ContextWithTenantID(r.Context(), tenantID)
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}

backend/internal/auth/tenant_resolver_test.go

@@ -0,0 +1,124 @@
+package auth
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/google/uuid"
+)
+
+type mockTenantLookup struct {
+	tenantID *uuid.UUID
+	err      error
+}
+
+func (m *mockTenantLookup) FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error) {
+	return m.tenantID, m.err
+}
+
+func TestTenantResolver_FromHeader(t *testing.T) {
+	tenantID := uuid.New()
+	tr := NewTenantResolver(&mockTenantLookup{})
+
+	var gotTenantID uuid.UUID
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		id, ok := TenantFromContext(r.Context())
+		if !ok {
+			t.Fatal("tenant ID not in context")
+		}
+		gotTenantID = id
+		w.WriteHeader(http.StatusOK)
+	})
+
+	r := httptest.NewRequest("GET", "/api/cases", nil)
+	r.Header.Set("X-Tenant-ID", tenantID.String())
+	r = r.WithContext(ContextWithUserID(r.Context(), uuid.New()))
+	w := httptest.NewRecorder()
+
+	tr.Resolve(next).ServeHTTP(w, r)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+	if gotTenantID != tenantID {
+		t.Errorf("expected tenant %s, got %s", tenantID, gotTenantID)
+	}
+}
+
+func TestTenantResolver_DefaultsToFirst(t *testing.T) {
+	tenantID := uuid.New()
+	tr := NewTenantResolver(&mockTenantLookup{tenantID: &tenantID})
+
+	var gotTenantID uuid.UUID
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		id, _ := TenantFromContext(r.Context())
+		gotTenantID = id
+		w.WriteHeader(http.StatusOK)
+	})
+
+	r := httptest.NewRequest("GET", "/api/cases", nil)
+	r = r.WithContext(ContextWithUserID(r.Context(), uuid.New()))
+	w := httptest.NewRecorder()
+
+	tr.Resolve(next).ServeHTTP(w, r)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+	if gotTenantID != tenantID {
+		t.Errorf("expected tenant %s, got %s", tenantID, gotTenantID)
+	}
+}
+
+func TestTenantResolver_NoUser(t *testing.T) {
+	tr := NewTenantResolver(&mockTenantLookup{})
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("next should not be called")
+	})
+
+	r := httptest.NewRequest("GET", "/api/cases", nil)
+	w := httptest.NewRecorder()
+
+	tr.Resolve(next).ServeHTTP(w, r)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", w.Code)
+	}
+}
+
+func TestTenantResolver_InvalidHeader(t *testing.T) {
+	tr := NewTenantResolver(&mockTenantLookup{})
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("next should not be called")
+	})
+
+	r := httptest.NewRequest("GET", "/api/cases", nil)
+	r.Header.Set("X-Tenant-ID", "not-a-uuid")
+	r = r.WithContext(ContextWithUserID(r.Context(), uuid.New()))
+	w := httptest.NewRecorder()
+
+	tr.Resolve(next).ServeHTTP(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestTenantResolver_NoTenantForUser(t *testing.T) {
+	tr := NewTenantResolver(&mockTenantLookup{tenantID: nil})
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("next should not be called")
+	})
+
+	r := httptest.NewRequest("GET", "/api/cases", nil)
+	r = r.WithContext(ContextWithUserID(r.Context(), uuid.New()))
+	w := httptest.NewRecorder()
+
+	tr.Resolve(next).ServeHTTP(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}

backend/internal/handlers/appointments.go

@@ -0,0 +1,216 @@
+package handlers
+
+import (
+	"database/sql"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"time"
+
+	"github.com/google/uuid"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+)
+
+type AppointmentHandler struct {
+	svc *services.AppointmentService
+}
+
+func NewAppointmentHandler(svc *services.AppointmentService) *AppointmentHandler {
+	return &AppointmentHandler{svc: svc}
+}
+
+func (h *AppointmentHandler) List(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "missing tenant")
+		return
+	}
+
+	filter := services.AppointmentFilter{}
+
+	if v := r.URL.Query().Get("case_id"); v != "" {
+		id, err := uuid.Parse(v)
+		if err != nil {
+			writeError(w, http.StatusBadRequest, "invalid case_id")
+			return
+		}
+		filter.CaseID = &id
+	}
+	if v := r.URL.Query().Get("type"); v != "" {
+		filter.Type = &v
+	}
+	if v := r.URL.Query().Get("start_from"); v != "" {
+		t, err := time.Parse(time.RFC3339, v)
+		if err != nil {
+			writeError(w, http.StatusBadRequest, "invalid start_from (use RFC3339)")
+			return
+		}
+		filter.StartFrom = &t
+	}
+	if v := r.URL.Query().Get("start_to"); v != "" {
+		t, err := time.Parse(time.RFC3339, v)
+		if err != nil {
+			writeError(w, http.StatusBadRequest, "invalid start_to (use RFC3339)")
+			return
+		}
+		filter.StartTo = &t
+	}
+
+	appointments, err := h.svc.List(r.Context(), tenantID, filter)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to list appointments")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, appointments)
+}
+
+type createAppointmentRequest struct {
+	CaseID          *uuid.UUID `json:"case_id"`
+	Title           string     `json:"title"`
+	Description     *string    `json:"description"`
+	StartAt         time.Time  `json:"start_at"`
+	EndAt           *time.Time `json:"end_at"`
+	Location        *string    `json:"location"`
+	AppointmentType *string    `json:"appointment_type"`
+}
+
+func (h *AppointmentHandler) Create(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "missing tenant")
+		return
+	}
+
+	var req createAppointmentRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid request body")
+		return
+	}
+	if req.Title == "" {
+		writeError(w, http.StatusBadRequest, "title is required")
+		return
+	}
+	if req.StartAt.IsZero() {
+		writeError(w, http.StatusBadRequest, "start_at is required")
+		return
+	}
+
+	appt := &models.Appointment{
+		TenantID:        tenantID,
+		CaseID:          req.CaseID,
+		Title:           req.Title,
+		Description:     req.Description,
+		StartAt:         req.StartAt,
+		EndAt:           req.EndAt,
+		Location:        req.Location,
+		AppointmentType: req.AppointmentType,
+	}
+
+	if err := h.svc.Create(r.Context(), appt); err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to create appointment")
+		return
+	}
+
+	writeJSON(w, http.StatusCreated, appt)
+}
+
+type updateAppointmentRequest struct {
+	CaseID          *uuid.UUID `json:"case_id"`
+	Title           string     `json:"title"`
+	Description     *string    `json:"description"`
+	StartAt         time.Time  `json:"start_at"`
+	EndAt           *time.Time `json:"end_at"`
+	Location        *string    `json:"location"`
+	AppointmentType *string    `json:"appointment_type"`
+}
+
+func (h *AppointmentHandler) Update(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "missing tenant")
+		return
+	}
+
+	id, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid appointment id")
+		return
+	}
+
+	// Fetch existing to verify ownership
+	existing, err := h.svc.GetByID(r.Context(), tenantID, id)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			writeError(w, http.StatusNotFound, "appointment not found")
+			return
+		}
+		writeError(w, http.StatusInternalServerError, "failed to fetch appointment")
+		return
+	}
+
+	var req updateAppointmentRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid request body")
+		return
+	}
+	if req.Title == "" {
+		writeError(w, http.StatusBadRequest, "title is required")
+		return
+	}
+	if req.StartAt.IsZero() {
+		writeError(w, http.StatusBadRequest, "start_at is required")
+		return
+	}
+
+	existing.CaseID = req.CaseID
+	existing.Title = req.Title
+	existing.Description = req.Description
+	existing.StartAt = req.StartAt
+	existing.EndAt = req.EndAt
+	existing.Location = req.Location
+	existing.AppointmentType = req.AppointmentType
+
+	if err := h.svc.Update(r.Context(), existing); err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to update appointment")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, existing)
+}
+
+func (h *AppointmentHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusUnauthorized, "missing tenant")
+		return
+	}
+
+	id, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid appointment id")
+		return
+	}
+
+	if err := h.svc.Delete(r.Context(), tenantID, id); err != nil {
+		writeError(w, http.StatusNotFound, "appointment not found")
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+func writeJSON(w http.ResponseWriter, status int, v any) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	json.NewEncoder(w).Encode(v)
+}
+
+func writeError(w http.ResponseWriter, status int, msg string) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	json.NewEncoder(w).Encode(map[string]string{"error": msg})
+}

backend/internal/handlers/cases.go

@@ -0,0 +1,158 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+
+	"github.com/google/uuid"
+)
+
+type CaseHandler struct {
+	svc *services.CaseService
+}
+
+func NewCaseHandler(svc *services.CaseService) *CaseHandler {
+	return &CaseHandler{svc: svc}
+}
+
+func (h *CaseHandler) List(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
+	offset, _ := strconv.Atoi(r.URL.Query().Get("offset"))
+
+	filter := services.CaseFilter{
+		Status: r.URL.Query().Get("status"),
+		Type:   r.URL.Query().Get("type"),
+		Search: r.URL.Query().Get("search"),
+		Limit:  limit,
+		Offset: offset,
+	}
+
+	cases, total, err := h.svc.List(r.Context(), tenantID, filter)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]interface{}{
+		"cases": cases,
+		"total": total,
+	})
+}
+
+func (h *CaseHandler) Create(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+	userID, _ := auth.UserFromContext(r.Context())
+
+	var input services.CreateCaseInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+	if input.CaseNumber == "" || input.Title == "" {
+		writeError(w, http.StatusBadRequest, "case_number and title are required")
+		return
+	}
+
+	c, err := h.svc.Create(r.Context(), tenantID, userID, input)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusCreated, c)
+}
+
+func (h *CaseHandler) Get(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	caseID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid case ID")
+		return
+	}
+
+	detail, err := h.svc.GetByID(r.Context(), tenantID, caseID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	if detail == nil {
+		writeError(w, http.StatusNotFound, "case not found")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, detail)
+}
+
+func (h *CaseHandler) Update(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+	userID, _ := auth.UserFromContext(r.Context())
+
+	caseID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid case ID")
+		return
+	}
+
+	var input services.UpdateCaseInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+
+	updated, err := h.svc.Update(r.Context(), tenantID, caseID, userID, input)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	if updated == nil {
+		writeError(w, http.StatusNotFound, "case not found")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, updated)
+}
+
+func (h *CaseHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+	userID, _ := auth.UserFromContext(r.Context())
+
+	caseID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid case ID")
+		return
+	}
+
+	if err := h.svc.Delete(r.Context(), tenantID, caseID, userID); err != nil {
+		writeError(w, http.StatusNotFound, "case not found")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]string{"status": "archived"})
+}

backend/internal/handlers/parties.go

@@ -0,0 +1,134 @@
+package handlers
+
+import (
+	"database/sql"
+	"encoding/json"
+	"net/http"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+
+	"github.com/google/uuid"
+)
+
+type PartyHandler struct {
+	svc *services.PartyService
+}
+
+func NewPartyHandler(svc *services.PartyService) *PartyHandler {
+	return &PartyHandler{svc: svc}
+}
+
+func (h *PartyHandler) List(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	caseID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid case ID")
+		return
+	}
+
+	parties, err := h.svc.ListByCase(r.Context(), tenantID, caseID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]interface{}{
+		"parties": parties,
+	})
+}
+
+func (h *PartyHandler) Create(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+	userID, _ := auth.UserFromContext(r.Context())
+
+	caseID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid case ID")
+		return
+	}
+
+	var input services.CreatePartyInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+	if input.Name == "" {
+		writeError(w, http.StatusBadRequest, "name is required")
+		return
+	}
+
+	party, err := h.svc.Create(r.Context(), tenantID, caseID, userID, input)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			writeError(w, http.StatusNotFound, "case not found")
+			return
+		}
+		writeError(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusCreated, party)
+}
+
+func (h *PartyHandler) Update(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	partyID, err := uuid.Parse(r.PathValue("partyId"))
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid party ID")
+		return
+	}
+
+	var input services.UpdatePartyInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+
+	updated, err := h.svc.Update(r.Context(), tenantID, partyID, input)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	if updated == nil {
+		writeError(w, http.StatusNotFound, "party not found")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, updated)
+}
+
+func (h *PartyHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	tenantID, ok := auth.TenantFromContext(r.Context())
+	if !ok {
+		writeError(w, http.StatusForbidden, "missing tenant")
+		return
+	}
+
+	partyID, err := uuid.Parse(r.PathValue("partyId"))
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid party ID")
+		return
+	}
+
+	if err := h.svc.Delete(r.Context(), tenantID, partyID); err != nil {
+		writeError(w, http.StatusNotFound, "party not found")
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}

backend/internal/handlers/tenant_handler.go

@@ -0,0 +1,243 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/google/uuid"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
+)
+
+type TenantHandler struct {
+	svc *services.TenantService
+}
+
+func NewTenantHandler(svc *services.TenantService) *TenantHandler {
+	return &TenantHandler{svc: svc}
+}
+
+// CreateTenant handles POST /api/tenants
+func (h *TenantHandler) CreateTenant(w http.ResponseWriter, r *http.Request) {
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	var req struct {
+		Name string `json:"name"`
+		Slug string `json:"slug"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		jsonError(w, "invalid request body", http.StatusBadRequest)
+		return
+	}
+	if req.Name == "" || req.Slug == "" {
+		jsonError(w, "name and slug are required", http.StatusBadRequest)
+		return
+	}
+
+	tenant, err := h.svc.Create(r.Context(), userID, req.Name, req.Slug)
+	if err != nil {
+		jsonError(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	jsonResponse(w, tenant, http.StatusCreated)
+}
+
+// ListTenants handles GET /api/tenants
+func (h *TenantHandler) ListTenants(w http.ResponseWriter, r *http.Request) {
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	tenants, err := h.svc.ListForUser(r.Context(), userID)
+	if err != nil {
+		jsonError(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	jsonResponse(w, tenants, http.StatusOK)
+}
+
+// GetTenant handles GET /api/tenants/{id}
+func (h *TenantHandler) GetTenant(w http.ResponseWriter, r *http.Request) {
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	tenantID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		jsonError(w, "invalid tenant ID", http.StatusBadRequest)
+		return
+	}
+
+	// Verify user has access to this tenant
+	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
+	if err != nil {
+		jsonError(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	if role == "" {
+		jsonError(w, "not found", http.StatusNotFound)
+		return
+	}
+
+	tenant, err := h.svc.GetByID(r.Context(), tenantID)
+	if err != nil {
+		jsonError(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	if tenant == nil {
+		jsonError(w, "not found", http.StatusNotFound)
+		return
+	}
+
+	jsonResponse(w, tenant, http.StatusOK)
+}
+
+// InviteUser handles POST /api/tenants/{id}/invite
+func (h *TenantHandler) InviteUser(w http.ResponseWriter, r *http.Request) {
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	tenantID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		jsonError(w, "invalid tenant ID", http.StatusBadRequest)
+		return
+	}
+
+	// Only owners and admins can invite
+	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
+	if err != nil {
+		jsonError(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	if role != "owner" && role != "admin" {
+		jsonError(w, "only owners and admins can invite users", http.StatusForbidden)
+		return
+	}
+
+	var req struct {
+		Email string `json:"email"`
+		Role  string `json:"role"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		jsonError(w, "invalid request body", http.StatusBadRequest)
+		return
+	}
+	if req.Email == "" {
+		jsonError(w, "email is required", http.StatusBadRequest)
+		return
+	}
+	if req.Role == "" {
+		req.Role = "member"
+	}
+	if req.Role != "member" && req.Role != "admin" {
+		jsonError(w, "role must be member or admin", http.StatusBadRequest)
+		return
+	}
+
+	ut, err := h.svc.InviteByEmail(r.Context(), tenantID, req.Email, req.Role)
+	if err != nil {
+		jsonError(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	jsonResponse(w, ut, http.StatusCreated)
+}
+
+// RemoveMember handles DELETE /api/tenants/{id}/members/{uid}
+func (h *TenantHandler) RemoveMember(w http.ResponseWriter, r *http.Request) {
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	tenantID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		jsonError(w, "invalid tenant ID", http.StatusBadRequest)
+		return
+	}
+
+	memberID, err := uuid.Parse(r.PathValue("uid"))
+	if err != nil {
+		jsonError(w, "invalid member ID", http.StatusBadRequest)
+		return
+	}
+
+	// Only owners and admins can remove members (or user removing themselves)
+	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
+	if err != nil {
+		jsonError(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	if role != "owner" && role != "admin" && userID != memberID {
+		jsonError(w, "insufficient permissions", http.StatusForbidden)
+		return
+	}
+
+	if err := h.svc.RemoveMember(r.Context(), tenantID, memberID); err != nil {
+		jsonError(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	jsonResponse(w, map[string]string{"status": "removed"}, http.StatusOK)
+}
+
+// ListMembers handles GET /api/tenants/{id}/members
+func (h *TenantHandler) ListMembers(w http.ResponseWriter, r *http.Request) {
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	tenantID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		jsonError(w, "invalid tenant ID", http.StatusBadRequest)
+		return
+	}
+
+	// Verify user has access
+	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
+	if err != nil {
+		jsonError(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	if role == "" {
+		jsonError(w, "not found", http.StatusNotFound)
+		return
+	}
+
+	members, err := h.svc.ListMembers(r.Context(), tenantID)
+	if err != nil {
+		jsonError(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	jsonResponse(w, members, http.StatusOK)
+}
+
+func jsonResponse(w http.ResponseWriter, data interface{}, status int) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	json.NewEncoder(w).Encode(data)
+}
+
+func jsonError(w http.ResponseWriter, msg string, status int) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	json.NewEncoder(w).Encode(map[string]string{"error": msg})
+}

backend/internal/handlers/tenant_handler_test.go

@@ -0,0 +1,132 @@
+package handlers
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/google/uuid"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+)
+
+func TestCreateTenant_MissingFields(t *testing.T) {
+	h := &TenantHandler{} // no service needed for validation
+
+	// Build request with auth context
+	body := `{"name":"","slug":""}`
+	r := httptest.NewRequest("POST", "/api/tenants", bytes.NewBufferString(body))
+	r = r.WithContext(auth.ContextWithUserID(r.Context(), uuid.New()))
+	w := httptest.NewRecorder()
+
+	h.CreateTenant(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+
+	var resp map[string]string
+	json.NewDecoder(w.Body).Decode(&resp)
+	if resp["error"] != "name and slug are required" {
+		t.Errorf("unexpected error: %s", resp["error"])
+	}
+}
+
+func TestCreateTenant_NoAuth(t *testing.T) {
+	h := &TenantHandler{}
+	r := httptest.NewRequest("POST", "/api/tenants", bytes.NewBufferString(`{}`))
+	w := httptest.NewRecorder()
+
+	h.CreateTenant(w, r)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", w.Code)
+	}
+}
+
+func TestGetTenant_InvalidID(t *testing.T) {
+	h := &TenantHandler{}
+	r := httptest.NewRequest("GET", "/api/tenants/not-a-uuid", nil)
+	r.SetPathValue("id", "not-a-uuid")
+	r = r.WithContext(auth.ContextWithUserID(r.Context(), uuid.New()))
+	w := httptest.NewRecorder()
+
+	h.GetTenant(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestInviteUser_InvalidTenantID(t *testing.T) {
+	h := &TenantHandler{}
+	body := `{"email":"test@example.com","role":"member"}`
+	r := httptest.NewRequest("POST", "/api/tenants/bad/invite", bytes.NewBufferString(body))
+	r.SetPathValue("id", "bad")
+	r = r.WithContext(auth.ContextWithUserID(r.Context(), uuid.New()))
+	w := httptest.NewRecorder()
+
+	h.InviteUser(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestInviteUser_NoAuth(t *testing.T) {
+	h := &TenantHandler{}
+	body := `{"email":"test@example.com"}`
+	r := httptest.NewRequest("POST", "/api/tenants/"+uuid.New().String()+"/invite", bytes.NewBufferString(body))
+	r.SetPathValue("id", uuid.New().String())
+	w := httptest.NewRecorder()
+
+	h.InviteUser(w, r)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", w.Code)
+	}
+}
+
+func TestRemoveMember_InvalidIDs(t *testing.T) {
+	h := &TenantHandler{}
+	r := httptest.NewRequest("DELETE", "/api/tenants/bad/members/bad", nil)
+	r.SetPathValue("id", "bad")
+	r.SetPathValue("uid", "bad")
+	r = r.WithContext(auth.ContextWithUserID(r.Context(), uuid.New()))
+	w := httptest.NewRecorder()
+
+	h.RemoveMember(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestJsonResponse(t *testing.T) {
+	w := httptest.NewRecorder()
+	jsonResponse(w, map[string]string{"key": "value"}, http.StatusOK)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", w.Code)
+	}
+	if ct := w.Header().Get("Content-Type"); ct != "application/json" {
+		t.Errorf("expected application/json, got %s", ct)
+	}
+}
+
+func TestJsonError(t *testing.T) {
+	w := httptest.NewRecorder()
+	jsonError(w, "something went wrong", http.StatusBadRequest)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+
+	var resp map[string]string
+	json.NewDecoder(w.Body).Decode(&resp)
+	if resp["error"] != "something went wrong" {
+		t.Errorf("unexpected error: %s", resp["error"])
+	}
+}

backend/internal/models/tenant.go

@@ -22,3 +22,9 @@ type UserTenant struct {
 	Role      string    `db:"role" json:"role"`
 	CreatedAt time.Time `db:"created_at" json:"created_at"`
 }
+
+// TenantWithRole is a Tenant joined with the user's role in that tenant.
+type TenantWithRole struct {
+	Tenant
+	Role string `db:"role" json:"role"`
+}

backend/internal/router/router.go

@@ -12,43 +12,85 @@ import (
 )
 
 func New(db *sqlx.DB, authMW *auth.Middleware) http.Handler {
+	mux := http.NewServeMux()
+
 	// Services
+	tenantSvc := services.NewTenantService(db)
+	caseSvc := services.NewCaseService(db)
+	partySvc := services.NewPartyService(db)
+	appointmentSvc := services.NewAppointmentService(db)
 	holidaySvc := services.NewHolidayService(db)
 	deadlineSvc := services.NewDeadlineService(db)
 	deadlineRuleSvc := services.NewDeadlineRuleService(db)
 	calculator := services.NewDeadlineCalculator(holidaySvc)
 
+	// Middleware
+	tenantResolver := auth.NewTenantResolver(tenantSvc)
+
 	// Handlers
+	tenantH := handlers.NewTenantHandler(tenantSvc)
+	caseH := handlers.NewCaseHandler(caseSvc)
+	partyH := handlers.NewPartyHandler(partySvc)
+	apptH := handlers.NewAppointmentHandler(appointmentSvc)
 	deadlineH := handlers.NewDeadlineHandlers(deadlineSvc, db)
 	ruleH := handlers.NewDeadlineRuleHandlers(deadlineRuleSvc)
 	calcH := handlers.NewCalculateHandlers(calculator, deadlineRuleSvc)
 
-	mux := http.NewServeMux()
-
 	// Public routes
 	mux.HandleFunc("GET /health", handleHealth(db))
 
 	// Authenticated API routes
 	api := http.NewServeMux()
 
-	// Deadline CRUD (case-scoped)
-	api.HandleFunc("GET /api/cases/{caseID}/deadlines", deadlineH.ListForCase)
-	api.HandleFunc("POST /api/cases/{caseID}/deadlines", deadlineH.Create)
-	api.HandleFunc("PUT /api/deadlines/{deadlineID}", deadlineH.Update)
-	api.HandleFunc("PATCH /api/deadlines/{deadlineID}/complete", deadlineH.Complete)
-	api.HandleFunc("DELETE /api/deadlines/{deadlineID}", deadlineH.Delete)
+	// Tenant management (no tenant resolver — these operate across tenants)
+	api.HandleFunc("POST /api/tenants", tenantH.CreateTenant)
+	api.HandleFunc("GET /api/tenants", tenantH.ListTenants)
+	api.HandleFunc("GET /api/tenants/{id}", tenantH.GetTenant)
+	api.HandleFunc("POST /api/tenants/{id}/invite", tenantH.InviteUser)
+	api.HandleFunc("DELETE /api/tenants/{id}/members/{uid}", tenantH.RemoveMember)
+	api.HandleFunc("GET /api/tenants/{id}/members", tenantH.ListMembers)
 
-	// Deadline rules (public reference data, but behind auth)
-	api.HandleFunc("GET /api/deadline-rules", ruleH.List)
-	api.HandleFunc("GET /api/deadline-rules/{type}", ruleH.GetRuleTree)
+	// Tenant-scoped routes (require tenant context)
+	scoped := http.NewServeMux()
+
+	// Cases
+	scoped.HandleFunc("GET /api/cases", caseH.List)
+	scoped.HandleFunc("POST /api/cases", caseH.Create)
+	scoped.HandleFunc("GET /api/cases/{id}", caseH.Get)
+	scoped.HandleFunc("PUT /api/cases/{id}", caseH.Update)
+	scoped.HandleFunc("DELETE /api/cases/{id}", caseH.Delete)
+
+	// Parties
+	scoped.HandleFunc("GET /api/cases/{id}/parties", partyH.List)
+	scoped.HandleFunc("POST /api/cases/{id}/parties", partyH.Create)
+	scoped.HandleFunc("PUT /api/parties/{partyId}", partyH.Update)
+	scoped.HandleFunc("DELETE /api/parties/{partyId}", partyH.Delete)
+
+	// Deadlines
+	scoped.HandleFunc("GET /api/cases/{caseID}/deadlines", deadlineH.ListForCase)
+	scoped.HandleFunc("POST /api/cases/{caseID}/deadlines", deadlineH.Create)
+	scoped.HandleFunc("PUT /api/deadlines/{deadlineID}", deadlineH.Update)
+	scoped.HandleFunc("PATCH /api/deadlines/{deadlineID}/complete", deadlineH.Complete)
+	scoped.HandleFunc("DELETE /api/deadlines/{deadlineID}", deadlineH.Delete)
+
+	// Deadline rules (reference data)
+	scoped.HandleFunc("GET /api/deadline-rules", ruleH.List)
+	scoped.HandleFunc("GET /api/deadline-rules/{type}", ruleH.GetRuleTree)
 
 	// Deadline calculator
-	api.HandleFunc("POST /api/deadlines/calculate", calcH.Calculate)
+	scoped.HandleFunc("POST /api/deadlines/calculate", calcH.Calculate)
 
-	// Placeholder routes (not yet implemented)
-	api.HandleFunc("GET /api/cases", placeholder("cases"))
-	api.HandleFunc("GET /api/appointments", placeholder("appointments"))
-	api.HandleFunc("GET /api/documents", placeholder("documents"))
+	// Appointments
+	scoped.HandleFunc("GET /api/appointments", apptH.List)
+	scoped.HandleFunc("POST /api/appointments", apptH.Create)
+	scoped.HandleFunc("PUT /api/appointments/{id}", apptH.Update)
+	scoped.HandleFunc("DELETE /api/appointments/{id}", apptH.Delete)
+
+	// Placeholder routes for future phases
+	scoped.HandleFunc("GET /api/documents", placeholder("documents"))
+
+	// Wire: auth -> tenant routes go directly, scoped routes get tenant resolver
+	api.Handle("/api/", tenantResolver.Resolve(scoped))
 
 	mux.Handle("/api/", authMW.RequireAuth(api))
 

backend/internal/services/appointment_service.go

@@ -0,0 +1,135 @@
+package services
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
+)
+
+type AppointmentService struct {
+	db *sqlx.DB
+}
+
+func NewAppointmentService(db *sqlx.DB) *AppointmentService {
+	return &AppointmentService{db: db}
+}
+
+type AppointmentFilter struct {
+	CaseID    *uuid.UUID
+	Type      *string
+	StartFrom *time.Time
+	StartTo   *time.Time
+}
+
+func (s *AppointmentService) List(ctx context.Context, tenantID uuid.UUID, filter AppointmentFilter) ([]models.Appointment, error) {
+	query := "SELECT * FROM appointments WHERE tenant_id = $1"
+	args := []any{tenantID}
+	argN := 2
+
+	if filter.CaseID != nil {
+		query += fmt.Sprintf(" AND case_id = $%d", argN)
+		args = append(args, *filter.CaseID)
+		argN++
+	}
+	if filter.Type != nil {
+		query += fmt.Sprintf(" AND appointment_type = $%d", argN)
+		args = append(args, *filter.Type)
+		argN++
+	}
+	if filter.StartFrom != nil {
+		query += fmt.Sprintf(" AND start_at >= $%d", argN)
+		args = append(args, *filter.StartFrom)
+		argN++
+	}
+	if filter.StartTo != nil {
+		query += fmt.Sprintf(" AND start_at <= $%d", argN)
+		args = append(args, *filter.StartTo)
+		argN++
+	}
+
+	query += " ORDER BY start_at ASC"
+
+	var appointments []models.Appointment
+	if err := s.db.SelectContext(ctx, &appointments, query, args...); err != nil {
+		return nil, fmt.Errorf("listing appointments: %w", err)
+	}
+	if appointments == nil {
+		appointments = []models.Appointment{}
+	}
+	return appointments, nil
+}
+
+func (s *AppointmentService) GetByID(ctx context.Context, tenantID, id uuid.UUID) (*models.Appointment, error) {
+	var a models.Appointment
+	err := s.db.GetContext(ctx, &a, "SELECT * FROM appointments WHERE id = $1 AND tenant_id = $2", id, tenantID)
+	if err != nil {
+		return nil, fmt.Errorf("getting appointment: %w", err)
+	}
+	return &a, nil
+}
+
+func (s *AppointmentService) Create(ctx context.Context, a *models.Appointment) error {
+	a.ID = uuid.New()
+	now := time.Now().UTC()
+	a.CreatedAt = now
+	a.UpdatedAt = now
+
+	_, err := s.db.NamedExecContext(ctx, `
+		INSERT INTO appointments (id, tenant_id, case_id, title, description, start_at, end_at, location, appointment_type, caldav_uid, caldav_etag, created_at, updated_at)
+		VALUES (:id, :tenant_id, :case_id, :title, :description, :start_at, :end_at, :location, :appointment_type, :caldav_uid, :caldav_etag, :created_at, :updated_at)
+	`, a)
+	if err != nil {
+		return fmt.Errorf("creating appointment: %w", err)
+	}
+	return nil
+}
+
+func (s *AppointmentService) Update(ctx context.Context, a *models.Appointment) error {
+	a.UpdatedAt = time.Now().UTC()
+
+	result, err := s.db.NamedExecContext(ctx, `
+		UPDATE appointments SET
+			case_id = :case_id,
+			title = :title,
+			description = :description,
+			start_at = :start_at,
+			end_at = :end_at,
+			location = :location,
+			appointment_type = :appointment_type,
+			caldav_uid = :caldav_uid,
+			caldav_etag = :caldav_etag,
+			updated_at = :updated_at
+		WHERE id = :id AND tenant_id = :tenant_id
+	`, a)
+	if err != nil {
+		return fmt.Errorf("updating appointment: %w", err)
+	}
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("checking rows affected: %w", err)
+	}
+	if rows == 0 {
+		return fmt.Errorf("appointment not found")
+	}
+	return nil
+}
+
+func (s *AppointmentService) Delete(ctx context.Context, tenantID, id uuid.UUID) error {
+	result, err := s.db.ExecContext(ctx, "DELETE FROM appointments WHERE id = $1 AND tenant_id = $2", id, tenantID)
+	if err != nil {
+		return fmt.Errorf("deleting appointment: %w", err)
+	}
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("checking rows affected: %w", err)
+	}
+	if rows == 0 {
+		return fmt.Errorf("appointment not found")
+	}
+	return nil
+}

backend/internal/services/case_service.go

@@ -0,0 +1,277 @@
+package services
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"time"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+)
+
+type CaseService struct {
+	db *sqlx.DB
+}
+
+func NewCaseService(db *sqlx.DB) *CaseService {
+	return &CaseService{db: db}
+}
+
+type CaseFilter struct {
+	Status string
+	Type   string
+	Search string
+	Limit  int
+	Offset int
+}
+
+type CaseDetail struct {
+	models.Case
+	Parties        []models.Party     `json:"parties"`
+	RecentEvents   []models.CaseEvent `json:"recent_events"`
+	DeadlinesCount int                `json:"deadlines_count"`
+}
+
+type CreateCaseInput struct {
+	CaseNumber string  `json:"case_number"`
+	Title      string  `json:"title"`
+	CaseType   *string `json:"case_type,omitempty"`
+	Court      *string `json:"court,omitempty"`
+	CourtRef   *string `json:"court_ref,omitempty"`
+	Status     string  `json:"status"`
+}
+
+type UpdateCaseInput struct {
+	CaseNumber *string `json:"case_number,omitempty"`
+	Title      *string `json:"title,omitempty"`
+	CaseType   *string `json:"case_type,omitempty"`
+	Court      *string `json:"court,omitempty"`
+	CourtRef   *string `json:"court_ref,omitempty"`
+	Status     *string `json:"status,omitempty"`
+}
+
+func (s *CaseService) List(ctx context.Context, tenantID uuid.UUID, filter CaseFilter) ([]models.Case, int, error) {
+	if filter.Limit <= 0 {
+		filter.Limit = 20
+	}
+	if filter.Limit > 100 {
+		filter.Limit = 100
+	}
+
+	// Build WHERE clause
+	where := "WHERE tenant_id = $1"
+	args := []interface{}{tenantID}
+	argIdx := 2
+
+	if filter.Status != "" {
+		where += fmt.Sprintf(" AND status = $%d", argIdx)
+		args = append(args, filter.Status)
+		argIdx++
+	}
+	if filter.Type != "" {
+		where += fmt.Sprintf(" AND case_type = $%d", argIdx)
+		args = append(args, filter.Type)
+		argIdx++
+	}
+	if filter.Search != "" {
+		where += fmt.Sprintf(" AND (title ILIKE $%d OR case_number ILIKE $%d)", argIdx, argIdx)
+		args = append(args, "%"+filter.Search+"%")
+		argIdx++
+	}
+
+	// Count total
+	var total int
+	countQuery := "SELECT COUNT(*) FROM cases " + where
+	if err := s.db.GetContext(ctx, &total, countQuery, args...); err != nil {
+		return nil, 0, fmt.Errorf("counting cases: %w", err)
+	}
+
+	// Fetch page
+	query := fmt.Sprintf("SELECT * FROM cases %s ORDER BY updated_at DESC LIMIT $%d OFFSET $%d",
+		where, argIdx, argIdx+1)
+	args = append(args, filter.Limit, filter.Offset)
+
+	var cases []models.Case
+	if err := s.db.SelectContext(ctx, &cases, query, args...); err != nil {
+		return nil, 0, fmt.Errorf("listing cases: %w", err)
+	}
+
+	return cases, total, nil
+}
+
+func (s *CaseService) GetByID(ctx context.Context, tenantID, caseID uuid.UUID) (*CaseDetail, error) {
+	var c models.Case
+	err := s.db.GetContext(ctx, &c,
+		"SELECT * FROM cases WHERE id = $1 AND tenant_id = $2", caseID, tenantID)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("getting case: %w", err)
+	}
+
+	detail := &CaseDetail{Case: c}
+
+	// Parties
+	if err := s.db.SelectContext(ctx, &detail.Parties,
+		"SELECT * FROM parties WHERE case_id = $1 AND tenant_id = $2 ORDER BY name",
+		caseID, tenantID); err != nil {
+		return nil, fmt.Errorf("getting parties: %w", err)
+	}
+
+	// Recent events (last 20)
+	if err := s.db.SelectContext(ctx, &detail.RecentEvents,
+		"SELECT * FROM case_events WHERE case_id = $1 AND tenant_id = $2 ORDER BY created_at DESC LIMIT 20",
+		caseID, tenantID); err != nil {
+		return nil, fmt.Errorf("getting events: %w", err)
+	}
+
+	// Deadlines count
+	if err := s.db.GetContext(ctx, &detail.DeadlinesCount,
+		"SELECT COUNT(*) FROM deadlines WHERE case_id = $1 AND tenant_id = $2",
+		caseID, tenantID); err != nil {
+		return nil, fmt.Errorf("counting deadlines: %w", err)
+	}
+
+	return detail, nil
+}
+
+func (s *CaseService) Create(ctx context.Context, tenantID uuid.UUID, userID uuid.UUID, input CreateCaseInput) (*models.Case, error) {
+	if input.Status == "" {
+		input.Status = "active"
+	}
+
+	id := uuid.New()
+	now := time.Now()
+
+	_, err := s.db.ExecContext(ctx,
+		`INSERT INTO cases (id, tenant_id, case_number, title, case_type, court, court_ref, status, metadata, created_at, updated_at)
+		 VALUES ($1, $2, $3, $4, $5, $6, $7, $8, '{}', $9, $9)`,
+		id, tenantID, input.CaseNumber, input.Title, input.CaseType, input.Court, input.CourtRef, input.Status, now)
+	if err != nil {
+		return nil, fmt.Errorf("creating case: %w", err)
+	}
+
+	// Create case_created event
+	createEvent(ctx, s.db, tenantID, id, userID, "case_created", "Case created", nil)
+
+	var c models.Case
+	if err := s.db.GetContext(ctx, &c, "SELECT * FROM cases WHERE id = $1", id); err != nil {
+		return nil, fmt.Errorf("fetching created case: %w", err)
+	}
+	return &c, nil
+}
+
+func (s *CaseService) Update(ctx context.Context, tenantID, caseID uuid.UUID, userID uuid.UUID, input UpdateCaseInput) (*models.Case, error) {
+	// Fetch current to detect status change
+	var current models.Case
+	err := s.db.GetContext(ctx, &current,
+		"SELECT * FROM cases WHERE id = $1 AND tenant_id = $2", caseID, tenantID)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("fetching case for update: %w", err)
+	}
+
+	// Build SET clause dynamically
+	sets := []string{}
+	args := []interface{}{}
+	argIdx := 1
+
+	if input.CaseNumber != nil {
+		sets = append(sets, fmt.Sprintf("case_number = $%d", argIdx))
+		args = append(args, *input.CaseNumber)
+		argIdx++
+	}
+	if input.Title != nil {
+		sets = append(sets, fmt.Sprintf("title = $%d", argIdx))
+		args = append(args, *input.Title)
+		argIdx++
+	}
+	if input.CaseType != nil {
+		sets = append(sets, fmt.Sprintf("case_type = $%d", argIdx))
+		args = append(args, *input.CaseType)
+		argIdx++
+	}
+	if input.Court != nil {
+		sets = append(sets, fmt.Sprintf("court = $%d", argIdx))
+		args = append(args, *input.Court)
+		argIdx++
+	}
+	if input.CourtRef != nil {
+		sets = append(sets, fmt.Sprintf("court_ref = $%d", argIdx))
+		args = append(args, *input.CourtRef)
+		argIdx++
+	}
+	if input.Status != nil {
+		sets = append(sets, fmt.Sprintf("status = $%d", argIdx))
+		args = append(args, *input.Status)
+		argIdx++
+	}
+
+	if len(sets) == 0 {
+		return &current, nil
+	}
+
+	sets = append(sets, fmt.Sprintf("updated_at = $%d", argIdx))
+	args = append(args, time.Now())
+	argIdx++
+
+	query := fmt.Sprintf("UPDATE cases SET %s WHERE id = $%d AND tenant_id = $%d",
+		joinStrings(sets, ", "), argIdx, argIdx+1)
+	args = append(args, caseID, tenantID)
+
+	if _, err := s.db.ExecContext(ctx, query, args...); err != nil {
+		return nil, fmt.Errorf("updating case: %w", err)
+	}
+
+	// Log status change event
+	if input.Status != nil && *input.Status != current.Status {
+		desc := fmt.Sprintf("Status changed from %s to %s", current.Status, *input.Status)
+		createEvent(ctx, s.db, tenantID, caseID, userID, "status_changed", desc, nil)
+	}
+
+	var updated models.Case
+	if err := s.db.GetContext(ctx, &updated, "SELECT * FROM cases WHERE id = $1", caseID); err != nil {
+		return nil, fmt.Errorf("fetching updated case: %w", err)
+	}
+	return &updated, nil
+}
+
+func (s *CaseService) Delete(ctx context.Context, tenantID, caseID uuid.UUID, userID uuid.UUID) error {
+	result, err := s.db.ExecContext(ctx,
+		"UPDATE cases SET status = 'archived', updated_at = $1 WHERE id = $2 AND tenant_id = $3 AND status != 'archived'",
+		time.Now(), caseID, tenantID)
+	if err != nil {
+		return fmt.Errorf("archiving case: %w", err)
+	}
+	rows, _ := result.RowsAffected()
+	if rows == 0 {
+		return sql.ErrNoRows
+	}
+	createEvent(ctx, s.db, tenantID, caseID, userID, "case_archived", "Case archived", nil)
+	return nil
+}
+
+func createEvent(ctx context.Context, db *sqlx.DB, tenantID, caseID uuid.UUID, userID uuid.UUID, eventType, title string, description *string) {
+	now := time.Now()
+	db.ExecContext(ctx,
+		`INSERT INTO case_events (id, tenant_id, case_id, event_type, title, description, event_date, created_by, metadata, created_at, updated_at)
+		 VALUES ($1, $2, $3, $4, $5, $6, $7, $8, '{}', $7, $7)`,
+		uuid.New(), tenantID, caseID, eventType, title, description, now, userID)
+}
+
+func joinStrings(strs []string, sep string) string {
+	result := ""
+	for i, s := range strs {
+		if i > 0 {
+			result += sep
+		}
+		result += s
+	}
+	return result
+}

backend/internal/services/party_service.go

@@ -0,0 +1,152 @@
+package services
+
+import (
+	"context"
+	"database/sql"
+	"encoding/json"
+	"fmt"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+)
+
+type PartyService struct {
+	db *sqlx.DB
+}
+
+func NewPartyService(db *sqlx.DB) *PartyService {
+	return &PartyService{db: db}
+}
+
+type CreatePartyInput struct {
+	Name           string          `json:"name"`
+	Role           *string         `json:"role,omitempty"`
+	Representative *string         `json:"representative,omitempty"`
+	ContactInfo    json.RawMessage `json:"contact_info,omitempty"`
+}
+
+type UpdatePartyInput struct {
+	Name           *string         `json:"name,omitempty"`
+	Role           *string         `json:"role,omitempty"`
+	Representative *string         `json:"representative,omitempty"`
+	ContactInfo    json.RawMessage `json:"contact_info,omitempty"`
+}
+
+func (s *PartyService) ListByCase(ctx context.Context, tenantID, caseID uuid.UUID) ([]models.Party, error) {
+	var parties []models.Party
+	err := s.db.SelectContext(ctx, &parties,
+		"SELECT * FROM parties WHERE case_id = $1 AND tenant_id = $2 ORDER BY name",
+		caseID, tenantID)
+	if err != nil {
+		return nil, fmt.Errorf("listing parties: %w", err)
+	}
+	return parties, nil
+}
+
+func (s *PartyService) Create(ctx context.Context, tenantID, caseID uuid.UUID, userID uuid.UUID, input CreatePartyInput) (*models.Party, error) {
+	// Verify case exists and belongs to tenant
+	var exists bool
+	err := s.db.GetContext(ctx, &exists,
+		"SELECT EXISTS(SELECT 1 FROM cases WHERE id = $1 AND tenant_id = $2)", caseID, tenantID)
+	if err != nil {
+		return nil, fmt.Errorf("checking case: %w", err)
+	}
+	if !exists {
+		return nil, sql.ErrNoRows
+	}
+
+	id := uuid.New()
+	contactInfo := input.ContactInfo
+	if contactInfo == nil {
+		contactInfo = json.RawMessage("{}")
+	}
+
+	_, err = s.db.ExecContext(ctx,
+		`INSERT INTO parties (id, tenant_id, case_id, name, role, representative, contact_info)
+		 VALUES ($1, $2, $3, $4, $5, $6, $7)`,
+		id, tenantID, caseID, input.Name, input.Role, input.Representative, contactInfo)
+	if err != nil {
+		return nil, fmt.Errorf("creating party: %w", err)
+	}
+
+	// Log event
+	desc := fmt.Sprintf("Party added: %s", input.Name)
+	createEvent(ctx, s.db, tenantID, caseID, userID, "party_added", desc, nil)
+
+	var party models.Party
+	if err := s.db.GetContext(ctx, &party, "SELECT * FROM parties WHERE id = $1", id); err != nil {
+		return nil, fmt.Errorf("fetching created party: %w", err)
+	}
+	return &party, nil
+}
+
+func (s *PartyService) Update(ctx context.Context, tenantID, partyID uuid.UUID, input UpdatePartyInput) (*models.Party, error) {
+	// Verify party exists and belongs to tenant
+	var current models.Party
+	err := s.db.GetContext(ctx, &current,
+		"SELECT * FROM parties WHERE id = $1 AND tenant_id = $2", partyID, tenantID)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("fetching party: %w", err)
+	}
+
+	sets := []string{}
+	args := []interface{}{}
+	argIdx := 1
+
+	if input.Name != nil {
+		sets = append(sets, fmt.Sprintf("name = $%d", argIdx))
+		args = append(args, *input.Name)
+		argIdx++
+	}
+	if input.Role != nil {
+		sets = append(sets, fmt.Sprintf("role = $%d", argIdx))
+		args = append(args, *input.Role)
+		argIdx++
+	}
+	if input.Representative != nil {
+		sets = append(sets, fmt.Sprintf("representative = $%d", argIdx))
+		args = append(args, *input.Representative)
+		argIdx++
+	}
+	if input.ContactInfo != nil {
+		sets = append(sets, fmt.Sprintf("contact_info = $%d", argIdx))
+		args = append(args, input.ContactInfo)
+		argIdx++
+	}
+
+	if len(sets) == 0 {
+		return &current, nil
+	}
+
+	query := fmt.Sprintf("UPDATE parties SET %s WHERE id = $%d AND tenant_id = $%d",
+		joinStrings(sets, ", "), argIdx, argIdx+1)
+	args = append(args, partyID, tenantID)
+
+	if _, err := s.db.ExecContext(ctx, query, args...); err != nil {
+		return nil, fmt.Errorf("updating party: %w", err)
+	}
+
+	var updated models.Party
+	if err := s.db.GetContext(ctx, &updated, "SELECT * FROM parties WHERE id = $1", partyID); err != nil {
+		return nil, fmt.Errorf("fetching updated party: %w", err)
+	}
+	return &updated, nil
+}
+
+func (s *PartyService) Delete(ctx context.Context, tenantID, partyID uuid.UUID) error {
+	result, err := s.db.ExecContext(ctx,
+		"DELETE FROM parties WHERE id = $1 AND tenant_id = $2", partyID, tenantID)
+	if err != nil {
+		return fmt.Errorf("deleting party: %w", err)
+	}
+	rows, _ := result.RowsAffected()
+	if rows == 0 {
+		return sql.ErrNoRows
+	}
+	return nil
+}

backend/internal/services/tenant_service.go

@@ -0,0 +1,211 @@
+package services
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
+)
+
+type TenantService struct {
+	db *sqlx.DB
+}
+
+func NewTenantService(db *sqlx.DB) *TenantService {
+	return &TenantService{db: db}
+}
+
+// Create creates a new tenant and assigns the creator as owner.
+func (s *TenantService) Create(ctx context.Context, userID uuid.UUID, name, slug string) (*models.Tenant, error) {
+	tx, err := s.db.BeginTxx(ctx, nil)
+	if err != nil {
+		return nil, fmt.Errorf("begin transaction: %w", err)
+	}
+	defer tx.Rollback()
+
+	var tenant models.Tenant
+	err = tx.QueryRowxContext(ctx,
+		`INSERT INTO tenants (name, slug) VALUES ($1, $2) RETURNING id, name, slug, settings, created_at, updated_at`,
+		name, slug,
+	).StructScan(&tenant)
+	if err != nil {
+		return nil, fmt.Errorf("insert tenant: %w", err)
+	}
+
+	_, err = tx.ExecContext(ctx,
+		`INSERT INTO user_tenants (user_id, tenant_id, role) VALUES ($1, $2, 'owner')`,
+		userID, tenant.ID,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("assign owner: %w", err)
+	}
+
+	if err := tx.Commit(); err != nil {
+		return nil, fmt.Errorf("commit: %w", err)
+	}
+
+	return &tenant, nil
+}
+
+// ListForUser returns all tenants the user belongs to.
+func (s *TenantService) ListForUser(ctx context.Context, userID uuid.UUID) ([]models.TenantWithRole, error) {
+	var tenants []models.TenantWithRole
+	err := s.db.SelectContext(ctx, &tenants,
+		`SELECT t.id, t.name, t.slug, t.settings, t.created_at, t.updated_at, ut.role
+		 FROM tenants t
+		 JOIN user_tenants ut ON ut.tenant_id = t.id
+		 WHERE ut.user_id = $1
+		 ORDER BY t.name`,
+		userID,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("list tenants: %w", err)
+	}
+	return tenants, nil
+}
+
+// GetByID returns a single tenant. The caller must verify the user has access.
+func (s *TenantService) GetByID(ctx context.Context, tenantID uuid.UUID) (*models.Tenant, error) {
+	var tenant models.Tenant
+	err := s.db.GetContext(ctx, &tenant,
+		`SELECT id, name, slug, settings, created_at, updated_at FROM tenants WHERE id = $1`,
+		tenantID,
+	)
+	if err == sql.ErrNoRows {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, fmt.Errorf("get tenant: %w", err)
+	}
+	return &tenant, nil
+}
+
+// GetUserRole returns the user's role in a tenant, or empty string if not a member.
+func (s *TenantService) GetUserRole(ctx context.Context, userID, tenantID uuid.UUID) (string, error) {
+	var role string
+	err := s.db.GetContext(ctx, &role,
+		`SELECT role FROM user_tenants WHERE user_id = $1 AND tenant_id = $2`,
+		userID, tenantID,
+	)
+	if err == sql.ErrNoRows {
+		return "", nil
+	}
+	if err != nil {
+		return "", fmt.Errorf("get user role: %w", err)
+	}
+	return role, nil
+}
+
+// FirstTenantForUser returns the user's first tenant (by name), used as default.
+func (s *TenantService) FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error) {
+	var tenantID uuid.UUID
+	err := s.db.GetContext(ctx, &tenantID,
+		`SELECT t.id FROM tenants t
+		 JOIN user_tenants ut ON ut.tenant_id = t.id
+		 WHERE ut.user_id = $1
+		 ORDER BY t.name LIMIT 1`,
+		userID,
+	)
+	if err == sql.ErrNoRows {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, fmt.Errorf("first tenant: %w", err)
+	}
+	return &tenantID, nil
+}
+
+// ListMembers returns all members of a tenant.
+func (s *TenantService) ListMembers(ctx context.Context, tenantID uuid.UUID) ([]models.UserTenant, error) {
+	var members []models.UserTenant
+	err := s.db.SelectContext(ctx, &members,
+		`SELECT user_id, tenant_id, role, created_at FROM user_tenants WHERE tenant_id = $1 ORDER BY created_at`,
+		tenantID,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("list members: %w", err)
+	}
+	return members, nil
+}
+
+// InviteByEmail looks up a user by email in auth.users and adds them to the tenant.
+func (s *TenantService) InviteByEmail(ctx context.Context, tenantID uuid.UUID, email, role string) (*models.UserTenant, error) {
+	// Look up user in Supabase auth.users
+	var userID uuid.UUID
+	err := s.db.GetContext(ctx, &userID,
+		`SELECT id FROM auth.users WHERE email = $1`,
+		email,
+	)
+	if err == sql.ErrNoRows {
+		return nil, fmt.Errorf("no user found with email %s", email)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("lookup user: %w", err)
+	}
+
+	// Check if already a member
+	var exists bool
+	err = s.db.GetContext(ctx, &exists,
+		`SELECT EXISTS(SELECT 1 FROM user_tenants WHERE user_id = $1 AND tenant_id = $2)`,
+		userID, tenantID,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("check membership: %w", err)
+	}
+	if exists {
+		return nil, fmt.Errorf("user is already a member of this tenant")
+	}
+
+	var ut models.UserTenant
+	err = s.db.QueryRowxContext(ctx,
+		`INSERT INTO user_tenants (user_id, tenant_id, role) VALUES ($1, $2, $3)
+		 RETURNING user_id, tenant_id, role, created_at`,
+		userID, tenantID, role,
+	).StructScan(&ut)
+	if err != nil {
+		return nil, fmt.Errorf("invite user: %w", err)
+	}
+
+	return &ut, nil
+}
+
+// RemoveMember removes a user from a tenant. Cannot remove the last owner.
+func (s *TenantService) RemoveMember(ctx context.Context, tenantID, userID uuid.UUID) error {
+	// Check if the user being removed is an owner
+	role, err := s.GetUserRole(ctx, userID, tenantID)
+	if err != nil {
+		return fmt.Errorf("check role: %w", err)
+	}
+	if role == "" {
+		return fmt.Errorf("user is not a member of this tenant")
+	}
+
+	if role == "owner" {
+		// Count owners — prevent removing the last one
+		var ownerCount int
+		err := s.db.GetContext(ctx, &ownerCount,
+			`SELECT COUNT(*) FROM user_tenants WHERE tenant_id = $1 AND role = 'owner'`,
+			tenantID,
+		)
+		if err != nil {
+			return fmt.Errorf("count owners: %w", err)
+		}
+		if ownerCount <= 1 {
+			return fmt.Errorf("cannot remove the last owner of a tenant")
+		}
+	}
+
+	_, err = s.db.ExecContext(ctx,
+		`DELETE FROM user_tenants WHERE user_id = $1 AND tenant_id = $2`,
+		userID, tenantID,
+	)
+	if err != nil {
+		return fmt.Errorf("remove member: %w", err)
+	}
+
+	return nil
+}

frontend/bun.lock

@@ -5,9 +5,15 @@
     "": {
       "name": "frontend",
       "dependencies": {
+        "@supabase/ssr": "^0.9.0",
+        "@supabase/supabase-js": "^2.100.0",
+        "@tanstack/react-query": "^5.95.2",
+        "date-fns": "^4.1.0",
+        "lucide-react": "^1.6.0",
         "next": "15.5.14",
         "react": "19.1.0",
         "react-dom": "19.1.0",
+        "sonner": "^2.0.7",
       },
       "devDependencies": {
         "@eslint/eslintrc": "^3",
@@ -151,6 +157,22 @@
 
     "@rushstack/eslint-patch": ["@rushstack/eslint-patch@1.16.1", "", {}, "sha512-TvZbIpeKqGQQ7X0zSCvPH9riMSFQFSggnfBjFZ1mEoILW+UuXCKwOoPcgjMwiUtRqFZ8jWhPJc4um14vC6I4ag=="],
 
+    "@supabase/auth-js": ["@supabase/auth-js@2.100.0", "", { "dependencies": { "tslib": "2.8.1" } }, "sha512-pdT3ye3UVRN1Cg0wom6BmyY+XTtp5DiJaYnPi6j8ht5i8Lq8kfqxJMJz9GI9YDKk3w1nhGOPnh6Qz5qpyYm+1w=="],
+
+    "@supabase/functions-js": ["@supabase/functions-js@2.100.0", "", { "dependencies": { "tslib": "2.8.1" } }, "sha512-keLg79RPwP+uiwHuxFPTFgDRxPV46LM4j/swjyR2GKJgWniTVSsgiBHfbIBDcrQwehLepy09b/9QSHUywtKRWQ=="],
+
+    "@supabase/phoenix": ["@supabase/phoenix@0.4.0", "", {}, "sha512-RHSx8bHS02xwfHdAbX5Lpbo6PXbgyf7lTaXTlwtFDPwOIw64NnVRwFAXGojHhjtVYI+PEPNSWwkL90f4agN3bw=="],
+
+    "@supabase/postgrest-js": ["@supabase/postgrest-js@2.100.0", "", { "dependencies": { "tslib": "2.8.1" } }, "sha512-xYNvNbBJaXOGcrZ44wxwp5830uo1okMHGS8h8dm3u4f0xcZ39yzbryUsubTJW41MG2gbL/6U57cA4Pi6YMZ9pA=="],
+
+    "@supabase/realtime-js": ["@supabase/realtime-js@2.100.0", "", { "dependencies": { "@supabase/phoenix": "^0.4.0", "@types/ws": "^8.18.1", "tslib": "2.8.1", "ws": "^8.18.2" } }, "sha512-2AZs00zzEF0HuCKY8grz5eCYlwEfVi5HONLZFoNR6aDfxQivl8zdQYNjyFoqN2MZiVhQHD7u6XV/xHwM8mCEHw=="],
+
+    "@supabase/ssr": ["@supabase/ssr@0.9.0", "", { "dependencies": { "cookie": "^1.0.2" }, "peerDependencies": { "@supabase/supabase-js": "^2.97.0" } }, "sha512-UFY6otYV3yqCgV+AyHj80vNkTvbf1Gas2LW4dpbQ4ap6p6v3eB2oaDfcI99jsuJzwVBCFU4BJI+oDYyhNk1z0Q=="],
+
+    "@supabase/storage-js": ["@supabase/storage-js@2.100.0", "", { "dependencies": { "iceberg-js": "^0.8.1", "tslib": "2.8.1" } }, "sha512-d4EeuK6RNIgYNA2MU9kj8lQrLm5AzZ+WwpWjGkii6SADQNIGTC/uiaTRu02XJ5AmFALQfo8fLl9xuCkO6Xw+iQ=="],
+
+    "@supabase/supabase-js": ["@supabase/supabase-js@2.100.0", "", { "dependencies": { "@supabase/auth-js": "2.100.0", "@supabase/functions-js": "2.100.0", "@supabase/postgrest-js": "2.100.0", "@supabase/realtime-js": "2.100.0", "@supabase/storage-js": "2.100.0" } }, "sha512-r0tlcukejJXJ1m/2eG/Ya5eYs4W8AC7oZfShpG3+SIo/eIU9uIt76ZeYI1SoUwUmcmzlAbgch+HDZDR/toVQPQ=="],
+
     "@swc/helpers": ["@swc/helpers@0.5.15", "", { "dependencies": { "tslib": "^2.8.0" } }, "sha512-JQ5TuMi45Owi4/BIMAJBoSQoOJu12oOk/gADqlcUL9JEdHB8vyjUSsxqeNXnmXHjYKMi2WcYtezGEEhqUI/E2g=="],
 
     "@tailwindcss/node": ["@tailwindcss/node@4.2.2", "", { "dependencies": { "@jridgewell/remapping": "^2.3.5", "enhanced-resolve": "^5.19.0", "jiti": "^2.6.1", "lightningcss": "1.32.0", "magic-string": "^0.30.21", "source-map-js": "^1.2.1", "tailwindcss": "4.2.2" } }, "sha512-pXS+wJ2gZpVXqFaUEjojq7jzMpTGf8rU6ipJz5ovJV6PUGmlJ+jvIwGrzdHdQ80Sg+wmQxUFuoW1UAAwHNEdFA=="],
@@ -183,6 +205,10 @@
 
     "@tailwindcss/postcss": ["@tailwindcss/postcss@4.2.2", "", { "dependencies": { "@alloc/quick-lru": "^5.2.0", "@tailwindcss/node": "4.2.2", "@tailwindcss/oxide": "4.2.2", "postcss": "^8.5.6", "tailwindcss": "4.2.2" } }, "sha512-n4goKQbW8RVXIbNKRB/45LzyUqN451deQK0nzIeauVEqjlI49slUlgKYJM2QyUzap/PcpnS7kzSUmPb1sCRvYQ=="],
 
+    "@tanstack/query-core": ["@tanstack/query-core@5.95.2", "", {}, "sha512-o4T8vZHZET4Bib3jZ/tCW9/7080urD4c+0/AUaYVpIqOsr7y0reBc1oX3ttNaSW5mYyvZHctiQ/UOP2PfdmFEQ=="],
+
+    "@tanstack/react-query": ["@tanstack/react-query@5.95.2", "", { "dependencies": { "@tanstack/query-core": "5.95.2" }, "peerDependencies": { "react": "^18 || ^19" } }, "sha512-/wGkvLj/st5Ud1Q76KF1uFxScV7WeqN1slQx5280ycwAyYkIPGaRZAEgHxe3bjirSd5Zpwkj6zNcR4cqYni/ZA=="],
+
     "@tybys/wasm-util": ["@tybys/wasm-util@0.10.1", "", { "dependencies": { "tslib": "^2.4.0" } }, "sha512-9tTaPJLSiejZKx+Bmog4uSubteqTvFrVrURwkmHixBo0G4seD0zUxp98E1DzUBJxLQ3NPwXrGKDiVjwx/DpPsg=="],
 
     "@types/estree": ["@types/estree@1.0.8", "", {}, "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w=="],
@@ -197,6 +223,8 @@
 
     "@types/react-dom": ["@types/react-dom@19.2.3", "", { "peerDependencies": { "@types/react": "^19.2.0" } }, "sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ=="],
 
+    "@types/ws": ["@types/ws@8.18.1", "", { "dependencies": { "@types/node": "*" } }, "sha512-ThVF6DCVhA8kUGy+aazFQ4kXQ7E1Ty7A3ypFOe0IcJV8O/M511G99AW24irKrW56Wt44yG9+ij8FaqoBGkuBXg=="],
+
     "@typescript-eslint/eslint-plugin": ["@typescript-eslint/eslint-plugin@8.57.2", "", { "dependencies": { "@eslint-community/regexpp": "^4.12.2", "@typescript-eslint/scope-manager": "8.57.2", "@typescript-eslint/type-utils": "8.57.2", "@typescript-eslint/utils": "8.57.2", "@typescript-eslint/visitor-keys": "8.57.2", "ignore": "^7.0.5", "natural-compare": "^1.4.0", "ts-api-utils": "^2.4.0" }, "peerDependencies": { "@typescript-eslint/parser": "^8.57.2", "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0", "typescript": ">=4.8.4 <6.0.0" } }, "sha512-NZZgp0Fm2IkD+La5PR81sd+g+8oS6JwJje+aRWsDocxHkjyRw0J5L5ZTlN3LI1LlOcGL7ph3eaIUmTXMIjLk0w=="],
 
     "@typescript-eslint/parser": ["@typescript-eslint/parser@8.57.2", "", { "dependencies": { "@typescript-eslint/scope-manager": "8.57.2", "@typescript-eslint/types": "8.57.2", "@typescript-eslint/typescript-estree": "8.57.2", "@typescript-eslint/visitor-keys": "8.57.2", "debug": "^4.4.3" }, "peerDependencies": { "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0", "typescript": ">=4.8.4 <6.0.0" } }, "sha512-30ScMRHIAD33JJQkgfGW1t8CURZtjc2JpTrq5n2HFhOefbAhb7ucc7xJwdWcrEtqUIYJ73Nybpsggii6GtAHjA=="],
@@ -319,6 +347,8 @@
 
     "concat-map": ["concat-map@0.0.1", "", {}, "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg=="],
 
+    "cookie": ["cookie@1.1.1", "", {}, "sha512-ei8Aos7ja0weRpFzJnEA9UHJ/7XQmqglbRwnf2ATjcB9Wq874VKH9kfjjirM6UhU2/E5fFYadylyhFldcqSidQ=="],
+
     "cross-spawn": ["cross-spawn@7.0.6", "", { "dependencies": { "path-key": "^3.1.0", "shebang-command": "^2.0.0", "which": "^2.0.1" } }, "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA=="],
 
     "csstype": ["csstype@3.2.3", "", {}, "sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ=="],
@@ -331,6 +361,8 @@
 
     "data-view-byte-offset": ["data-view-byte-offset@1.0.1", "", { "dependencies": { "call-bound": "^1.0.2", "es-errors": "^1.3.0", "is-data-view": "^1.0.1" } }, "sha512-BS8PfmtDGnrgYdOonGZQdLZslWIeCGFP9tpan0hi1Co2Zr2NKADsvGYA8XxuG/4UWgJ6Cjtv+YJnB6MM69QGlQ=="],
 
+    "date-fns": ["date-fns@4.1.0", "", {}, "sha512-Ukq0owbQXxa/U3EGtsdVBkR1w7KOQ5gIBqdH2hkvknzZPYvBxb/aa6E8L7tmjFtkwZBu3UXBbjIgPo/Ez4xaNg=="],
+
     "debug": ["debug@4.4.3", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA=="],
 
     "deep-is": ["deep-is@0.1.4", "", {}, "sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ=="],
@@ -463,6 +495,8 @@
 
     "hasown": ["hasown@2.0.2", "", { "dependencies": { "function-bind": "^1.1.2" } }, "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ=="],
 
+    "iceberg-js": ["iceberg-js@0.8.1", "", {}, "sha512-1dhVQZXhcHje7798IVM+xoo/1ZdVfzOMIc8/rgVSijRK38EDqOJoGula9N/8ZI5RD8QTxNQtK/Gozpr+qUqRRA=="],
+
     "ignore": ["ignore@5.3.2", "", {}, "sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g=="],
 
     "import-fresh": ["import-fresh@3.3.1", "", { "dependencies": { "parent-module": "^1.0.0", "resolve-from": "^4.0.0" } }, "sha512-TR3KfrTZTYLPB6jUjfx6MF9WcWrHL9su5TObK4ZkYgBdWKPOFoSoQIdEuTuR82pmtxH2spWG9h6etwfr1pLBqQ=="],
@@ -583,6 +617,8 @@
 
     "loose-envify": ["loose-envify@1.4.0", "", { "dependencies": { "js-tokens": "^3.0.0 || ^4.0.0" }, "bin": { "loose-envify": "cli.js" } }, "sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q=="],
 
+    "lucide-react": ["lucide-react@1.6.0", "", { "peerDependencies": { "react": "^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0" } }, "sha512-YxLKVCOF5ZDI1AhKQE5IBYMY9y/Nr4NT15+7QEWpsTSVCdn4vmZhww+6BP76jWYjQx8rSz1Z+gGme1f+UycWEw=="],
+
     "magic-string": ["magic-string@0.30.21", "", { "dependencies": { "@jridgewell/sourcemap-codec": "^1.5.5" } }, "sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ=="],
 
     "math-intrinsics": ["math-intrinsics@1.1.0", "", {}, "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g=="],
@@ -705,6 +741,8 @@
 
     "side-channel-weakmap": ["side-channel-weakmap@1.0.2", "", { "dependencies": { "call-bound": "^1.0.2", "es-errors": "^1.3.0", "get-intrinsic": "^1.2.5", "object-inspect": "^1.13.3", "side-channel-map": "^1.0.1" } }, "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A=="],
 
+    "sonner": ["sonner@2.0.7", "", { "peerDependencies": { "react": "^18.0.0 || ^19.0.0 || ^19.0.0-rc", "react-dom": "^18.0.0 || ^19.0.0 || ^19.0.0-rc" } }, "sha512-W6ZN4p58k8aDKA4XPcx2hpIQXBRAgyiWVkYhT7CvK6D3iAu7xjvVyhQHg2/iaKJZ1XVJ4r7XuwGL+WGEK37i9w=="],
+
     "source-map-js": ["source-map-js@1.2.1", "", {}, "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA=="],
 
     "stable-hash": ["stable-hash@0.0.5", "", {}, "sha512-+L3ccpzibovGXFK+Ap/f8LOS0ahMrHTf3xu7mMLSpEGU0EO9ucaysSylKo9eRDFNhWve/y275iPmIZ4z39a9iA=="],
@@ -779,6 +817,8 @@
 
     "word-wrap": ["word-wrap@1.2.5", "", {}, "sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA=="],
 
+    "ws": ["ws@8.20.0", "", { "peerDependencies": { "bufferutil": "^4.0.1", "utf-8-validate": ">=5.0.2" }, "optionalPeers": ["bufferutil", "utf-8-validate"] }, "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA=="],
+
     "yocto-queue": ["yocto-queue@0.1.0", "", {}, "sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q=="],
 
     "@eslint-community/eslint-utils/eslint-visitor-keys": ["eslint-visitor-keys@3.4.3", "", {}, "sha512-wpc+LXeiyiisxPlEkUzU6svyS1frIO3Mgxj1fdy7Pm8Ygzguax2N3Fa/D/ag1WqbOprdI+uY6wMUl8/a2G+iag=="],

frontend/next-env.d.ts

@@ -0,0 +1,6 @@
+/// <reference types="next" />
+/// <reference types="next/image-types/global" />
+/// <reference path="./.next/types/routes.d.ts" />
+
+// NOTE: This file should not be edited
+// see https://nextjs.org/docs/app/api-reference/config/typescript for more information.

frontend/package.json

@@ -9,9 +9,15 @@
     "lint": "eslint"
   },
   "dependencies": {
+    "@supabase/ssr": "^0.9.0",
+    "@supabase/supabase-js": "^2.100.0",
+    "@tanstack/react-query": "^5.95.2",
+    "date-fns": "^4.1.0",
+    "lucide-react": "^1.6.0",
+    "next": "15.5.14",
     "react": "19.1.0",
     "react-dom": "19.1.0",
-    "next": "15.5.14"
+    "sonner": "^2.0.7"
   },
   "devDependencies": {
     "typescript": "^5",

frontend/src/app/(app)/layout.tsx

@@ -0,0 +1,20 @@
+import { Sidebar } from "@/components/layout/Sidebar";
+import { Header } from "@/components/layout/Header";
+
+export const dynamic = "force-dynamic";
+
+export default function AppLayout({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
+  return (
+    <div className="flex h-screen overflow-hidden bg-neutral-50">
+      <Sidebar />
+      <div className="flex flex-1 flex-col overflow-hidden">
+        <Header />
+        <main className="flex-1 overflow-y-auto p-6">{children}</main>
+      </div>
+    </div>
+  );
+}

frontend/src/app/(app)/page.tsx

@@ -0,0 +1,10 @@
+export default function DashboardPage() {
+  return (
+    <div>
+      <h1 className="text-lg font-semibold text-neutral-900">Dashboard</h1>
+      <p className="mt-1 text-sm text-neutral-500">
+        Willkommen bei KanzlAI
+      </p>
+    </div>
+  );
+}

frontend/src/app/(auth)/callback/page.tsx

@@ -0,0 +1,25 @@
+"use client";
+
+import { createClient } from "@/lib/supabase/client";
+import { useRouter } from "next/navigation";
+import { useEffect } from "react";
+
+export default function CallbackPage() {
+  const router = useRouter();
+  const supabase = createClient();
+
+  useEffect(() => {
+    supabase.auth.onAuthStateChange((event) => {
+      if (event === "SIGNED_IN") {
+        router.push("/");
+        router.refresh();
+      }
+    });
+  }, [router, supabase.auth]);
+
+  return (
+    <div className="flex min-h-screen items-center justify-center bg-neutral-50">
+      <p className="text-sm text-neutral-500">Authentifizierung...</p>
+    </div>
+  );
+}

frontend/src/app/(auth)/layout.tsx

@@ -0,0 +1,9 @@
+export const dynamic = "force-dynamic";
+
+export default function AuthLayout({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
+  return <>{children}</>;
+}

frontend/src/app/(auth)/login/page.tsx

@@ -0,0 +1,189 @@
+"use client";
+
+import { createClient } from "@/lib/supabase/client";
+import { useRouter } from "next/navigation";
+import { useState } from "react";
+
+export default function LoginPage() {
+  const [email, setEmail] = useState("");
+  const [password, setPassword] = useState("");
+  const [mode, setMode] = useState<"password" | "magic">("password");
+  const [loading, setLoading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const [magicSent, setMagicSent] = useState(false);
+  const router = useRouter();
+  const supabase = createClient();
+
+  async function handlePasswordLogin(e: React.FormEvent) {
+    e.preventDefault();
+    setLoading(true);
+    setError(null);
+
+    const { error } = await supabase.auth.signInWithPassword({
+      email,
+      password,
+    });
+
+    if (error) {
+      setError(error.message);
+      setLoading(false);
+      return;
+    }
+
+    router.push("/");
+    router.refresh();
+  }
+
+  async function handleMagicLink(e: React.FormEvent) {
+    e.preventDefault();
+    setLoading(true);
+    setError(null);
+
+    const { error } = await supabase.auth.signInWithOtp({
+      email,
+      options: {
+        emailRedirectTo: `${window.location.origin}/callback`,
+      },
+    });
+
+    if (error) {
+      setError(error.message);
+      setLoading(false);
+      return;
+    }
+
+    setMagicSent(true);
+    setLoading(false);
+  }
+
+  if (magicSent) {
+    return (
+      <div className="flex min-h-screen items-center justify-center bg-neutral-50">
+        <div className="w-full max-w-sm space-y-6 rounded-lg border border-neutral-200 bg-white p-8">
+          <div className="text-center">
+            <h1 className="text-lg font-semibold text-neutral-900">
+              Link gesendet
+            </h1>
+            <p className="mt-2 text-sm text-neutral-500">
+              Wir haben einen Login-Link an{" "}
+              <span className="font-medium text-neutral-700">{email}</span>{" "}
+              gesendet. Bitte pruefen Sie Ihren Posteingang.
+            </p>
+          </div>
+          <button
+            onClick={() => setMagicSent(false)}
+            className="w-full text-center text-sm text-neutral-500 hover:text-neutral-700"
+          >
+            Zurueck zum Login
+          </button>
+        </div>
+      </div>
+    );
+  }
+
+  return (
+    <div className="flex min-h-screen items-center justify-center bg-neutral-50">
+      <div className="w-full max-w-sm space-y-6 rounded-lg border border-neutral-200 bg-white p-8">
+        <div className="text-center">
+          <h1 className="text-lg font-semibold text-neutral-900">
+            KanzlAI
+          </h1>
+          <p className="mt-1 text-sm text-neutral-500">
+            Melden Sie sich an
+          </p>
+        </div>
+
+        <div className="flex rounded-md border border-neutral-200 bg-neutral-50 p-0.5">
+          <button
+            onClick={() => setMode("password")}
+            className={`flex-1 rounded-md px-3 py-1.5 text-sm font-medium transition-colors ${
+              mode === "password"
+                ? "bg-white text-neutral-900 shadow-sm"
+                : "text-neutral-500 hover:text-neutral-700"
+            }`}
+          >
+            Passwort
+          </button>
+          <button
+            onClick={() => setMode("magic")}
+            className={`flex-1 rounded-md px-3 py-1.5 text-sm font-medium transition-colors ${
+              mode === "magic"
+                ? "bg-white text-neutral-900 shadow-sm"
+                : "text-neutral-500 hover:text-neutral-700"
+            }`}
+          >
+            Magic Link
+          </button>
+        </div>
+
+        <form
+          onSubmit={mode === "password" ? handlePasswordLogin : handleMagicLink}
+          className="space-y-4"
+        >
+          <div>
+            <label
+              htmlFor="email"
+              className="block text-sm font-medium text-neutral-700"
+            >
+              E-Mail
+            </label>
+            <input
+              id="email"
+              type="email"
+              value={email}
+              onChange={(e) => setEmail(e.target.value)}
+              required
+              className="mt-1 block w-full rounded-md border border-neutral-300 px-3 py-2 text-sm placeholder-neutral-400 focus:border-neutral-900 focus:outline-none focus:ring-1 focus:ring-neutral-900"
+              placeholder="anwalt@kanzlei.de"
+            />
+          </div>
+
+          {mode === "password" && (
+            <div>
+              <label
+                htmlFor="password"
+                className="block text-sm font-medium text-neutral-700"
+              >
+                Passwort
+              </label>
+              <input
+                id="password"
+                type="password"
+                value={password}
+                onChange={(e) => setPassword(e.target.value)}
+                required
+                className="mt-1 block w-full rounded-md border border-neutral-300 px-3 py-2 text-sm placeholder-neutral-400 focus:border-neutral-900 focus:outline-none focus:ring-1 focus:ring-neutral-900"
+              />
+            </div>
+          )}
+
+          {error && (
+            <p className="text-sm text-red-600">{error}</p>
+          )}
+
+          <button
+            type="submit"
+            disabled={loading}
+            className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white hover:bg-neutral-800 focus:outline-none focus:ring-2 focus:ring-neutral-900 focus:ring-offset-2 disabled:opacity-50"
+          >
+            {loading
+              ? "..."
+              : mode === "password"
+                ? "Anmelden"
+                : "Link senden"}
+          </button>
+        </form>
+
+        <p className="text-center text-sm text-neutral-500">
+          Noch kein Konto?{" "}
+          <a
+            href="/register"
+            className="font-medium text-neutral-900 hover:underline"
+          >
+            Registrieren
+          </a>
+        </p>
+      </div>
+    </div>
+  );
+}

frontend/src/app/(auth)/register/page.tsx

@@ -0,0 +1,151 @@
+"use client";
+
+import { createClient } from "@/lib/supabase/client";
+import { api } from "@/lib/api";
+import { useRouter } from "next/navigation";
+import { useState } from "react";
+
+export default function RegisterPage() {
+  const [email, setEmail] = useState("");
+  const [password, setPassword] = useState("");
+  const [firmName, setFirmName] = useState("");
+  const [loading, setLoading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const router = useRouter();
+  const supabase = createClient();
+
+  async function handleRegister(e: React.FormEvent) {
+    e.preventDefault();
+    setLoading(true);
+    setError(null);
+
+    // 1. Create auth user
+    const { data, error: authError } = await supabase.auth.signUp({
+      email,
+      password,
+      options: {
+        emailRedirectTo: `${window.location.origin}/callback`,
+      },
+    });
+
+    if (authError) {
+      setError(authError.message);
+      setLoading(false);
+      return;
+    }
+
+    // 2. Create tenant via backend (the backend adds the user as owner)
+    if (data.session) {
+      try {
+        await api.post("/tenants", { name: firmName });
+      } catch (err: unknown) {
+        const apiErr = err as { error?: string };
+        setError(apiErr.error || "Kanzlei konnte nicht erstellt werden");
+        setLoading(false);
+        return;
+      }
+
+      router.push("/");
+      router.refresh();
+    } else {
+      // Email confirmation required
+      router.push("/login");
+    }
+
+    setLoading(false);
+  }
+
+  return (
+    <div className="flex min-h-screen items-center justify-center bg-neutral-50">
+      <div className="w-full max-w-sm space-y-6 rounded-lg border border-neutral-200 bg-white p-8">
+        <div className="text-center">
+          <h1 className="text-lg font-semibold text-neutral-900">
+            KanzlAI
+          </h1>
+          <p className="mt-1 text-sm text-neutral-500">
+            Erstellen Sie Ihr Konto
+          </p>
+        </div>
+
+        <form onSubmit={handleRegister} className="space-y-4">
+          <div>
+            <label
+              htmlFor="firm"
+              className="block text-sm font-medium text-neutral-700"
+            >
+              Kanzleiname
+            </label>
+            <input
+              id="firm"
+              type="text"
+              value={firmName}
+              onChange={(e) => setFirmName(e.target.value)}
+              required
+              className="mt-1 block w-full rounded-md border border-neutral-300 px-3 py-2 text-sm placeholder-neutral-400 focus:border-neutral-900 focus:outline-none focus:ring-1 focus:ring-neutral-900"
+              placeholder="Muster & Partner Rechtsanwaelte"
+            />
+          </div>
+
+          <div>
+            <label
+              htmlFor="email"
+              className="block text-sm font-medium text-neutral-700"
+            >
+              E-Mail
+            </label>
+            <input
+              id="email"
+              type="email"
+              value={email}
+              onChange={(e) => setEmail(e.target.value)}
+              required
+              className="mt-1 block w-full rounded-md border border-neutral-300 px-3 py-2 text-sm placeholder-neutral-400 focus:border-neutral-900 focus:outline-none focus:ring-1 focus:ring-neutral-900"
+              placeholder="anwalt@kanzlei.de"
+            />
+          </div>
+
+          <div>
+            <label
+              htmlFor="password"
+              className="block text-sm font-medium text-neutral-700"
+            >
+              Passwort
+            </label>
+            <input
+              id="password"
+              type="password"
+              value={password}
+              onChange={(e) => setPassword(e.target.value)}
+              required
+              minLength={8}
+              className="mt-1 block w-full rounded-md border border-neutral-300 px-3 py-2 text-sm placeholder-neutral-400 focus:border-neutral-900 focus:outline-none focus:ring-1 focus:ring-neutral-900"
+            />
+            <p className="mt-1 text-xs text-neutral-400">Mindestens 8 Zeichen</p>
+          </div>
+
+          {error && (
+            <p className="text-sm text-red-600">{error}</p>
+          )}
+
+          <button
+            type="submit"
+            disabled={loading}
+            className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white hover:bg-neutral-800 focus:outline-none focus:ring-2 focus:ring-neutral-900 focus:ring-offset-2 disabled:opacity-50"
+          >
+            {loading ? "..." : "Konto erstellen"}
+          </button>
+        </form>
+
+        <p className="text-center text-sm text-neutral-500">
+          Bereits registriert?{" "}
+          <a
+            href="/login"
+            className="font-medium text-neutral-900 hover:underline"
+          >
+            Anmelden
+          </a>
+        </p>
+      </div>
+    </div>
+  );
+}

frontend/src/app/globals.css

@@ -1,26 +1,11 @@
 @import "tailwindcss";
 
-:root {
-  --background: #ffffff;
-  --foreground: #171717;
-}
-
 @theme inline {
-  --color-background: var(--background);
-  --color-foreground: var(--foreground);
   --font-sans: var(--font-geist-sans);
   --font-mono: var(--font-geist-mono);
 }
 
-@media (prefers-color-scheme: dark) {
-  :root {
-    --background: #0a0a0a;
-    --foreground: #ededed;
-  }
-}
-
 body {
-  background: var(--background);
-  color: var(--foreground);
-  font-family: Arial, Helvetica, sans-serif;
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
 }

frontend/src/app/layout.tsx

@@ -1,5 +1,6 @@
 import type { Metadata } from "next";
 import { Geist, Geist_Mono } from "next/font/google";
+import { Providers } from "@/components/Providers";
 import "./globals.css";
 
 const geistSans = Geist({
@@ -13,7 +14,7 @@ const geistMono = Geist_Mono({
 });
 
 export const metadata: Metadata = {
-  title: "KanzlAI-mGMT",
+  title: "KanzlAI",
   description: "Kanzleimanagement online",
 };
 
@@ -23,11 +24,11 @@ export default function RootLayout({
   children: React.ReactNode;
 }>) {
   return (
-    <html lang="en">
+    <html lang="de">
       <body
-        className={`${geistSans.variable} ${geistMono.variable} antialiased`}
+        className={`${geistSans.variable} ${geistMono.variable} font-sans antialiased`}
       >
-        {children}
+        <Providers>{children}</Providers>
       </body>
     </html>
   );

frontend/src/app/page.tsx

@@ -1,7 +0,0 @@
-export default function Home() {
-  return (
-    <main className="flex min-h-screen items-center justify-center">
-      <h1 className="text-4xl font-bold">KanzlAI-mGMT</h1>
-    </main>
-  );
-}

frontend/src/components/Providers.tsx

@@ -0,0 +1,26 @@
+"use client";
+
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { Toaster } from "sonner";
+import { useState } from "react";
+
+export function Providers({ children }: { children: React.ReactNode }) {
+  const [queryClient] = useState(
+    () =>
+      new QueryClient({
+        defaultOptions: {
+          queries: {
+            staleTime: 30 * 1000,
+            retry: 1,
+          },
+        },
+      }),
+  );
+
+  return (
+    <QueryClientProvider client={queryClient}>
+      {children}
+      <Toaster position="bottom-right" richColors />
+    </QueryClientProvider>
+  );
+}

frontend/src/components/layout/Header.tsx

@@ -0,0 +1,44 @@
+"use client";
+
+import { createClient } from "@/lib/supabase/client";
+import { TenantSwitcher } from "./TenantSwitcher";
+import { LogOut } from "lucide-react";
+import { useRouter } from "next/navigation";
+import { useEffect, useState } from "react";
+
+export function Header() {
+  const [email, setEmail] = useState<string | null>(null);
+  const router = useRouter();
+  const supabase = createClient();
+
+  useEffect(() => {
+    supabase.auth.getUser().then(({ data: { user } }) => {
+      setEmail(user?.email ?? null);
+    });
+  }, [supabase.auth]);
+
+  async function handleLogout() {
+    await supabase.auth.signOut();
+    router.push("/login");
+    router.refresh();
+  }
+
+  return (
+    <header className="flex h-14 items-center justify-between border-b border-neutral-200 bg-white px-4">
+      <div />
+      <div className="flex items-center gap-3">
+        <TenantSwitcher />
+        {email && (
+          <span className="text-sm text-neutral-500">{email}</span>
+        )}
+        <button
+          onClick={handleLogout}
+          title="Abmelden"
+          className="rounded-md p-1.5 text-neutral-400 hover:bg-neutral-100 hover:text-neutral-600"
+        >
+          <LogOut className="h-4 w-4" />
+        </button>
+      </div>
+    </header>
+  );
+}

frontend/src/components/layout/Sidebar.tsx

@@ -0,0 +1,55 @@
+"use client";
+
+import Link from "next/link";
+import { usePathname } from "next/navigation";
+import {
+  LayoutDashboard,
+  FolderOpen,
+  Clock,
+  Calendar,
+  Brain,
+  Settings,
+} from "lucide-react";
+
+const navigation = [
+  { name: "Dashboard", href: "/", icon: LayoutDashboard },
+  { name: "Akten", href: "/akten", icon: FolderOpen },
+  { name: "Fristen", href: "/fristen", icon: Clock },
+  { name: "Termine", href: "/termine", icon: Calendar },
+  { name: "AI Analyse", href: "/ai", icon: Brain },
+  { name: "Einstellungen", href: "/einstellungen", icon: Settings },
+];
+
+export function Sidebar() {
+  const pathname = usePathname();
+
+  return (
+    <aside className="flex h-full w-56 flex-col border-r border-neutral-200 bg-white">
+      <div className="flex h-14 items-center border-b border-neutral-200 px-4">
+        <span className="text-sm font-semibold text-neutral-900">KanzlAI</span>
+      </div>
+      <nav className="flex-1 space-y-0.5 p-2">
+        {navigation.map((item) => {
+          const isActive =
+            item.href === "/"
+              ? pathname === "/"
+              : pathname.startsWith(item.href);
+          return (
+            <Link
+              key={item.href}
+              href={item.href}
+              className={`flex items-center gap-2.5 rounded-md px-2.5 py-1.5 text-sm transition-colors ${
+                isActive
+                  ? "bg-neutral-100 font-medium text-neutral-900"
+                  : "text-neutral-600 hover:bg-neutral-50 hover:text-neutral-900"
+              }`}
+            >
+              <item.icon className="h-4 w-4 shrink-0" />
+              {item.name}
+            </Link>
+          );
+        })}
+      </nav>
+    </aside>
+  );
+}

frontend/src/components/layout/TenantSwitcher.tsx

@@ -0,0 +1,79 @@
+"use client";
+
+import { api } from "@/lib/api";
+import type { TenantWithRole } from "@/lib/types";
+import { ChevronsUpDown } from "lucide-react";
+import { useEffect, useRef, useState } from "react";
+
+export function TenantSwitcher() {
+  const [tenants, setTenants] = useState<TenantWithRole[]>([]);
+  const [current, setCurrent] = useState<TenantWithRole | null>(null);
+  const [open, setOpen] = useState(false);
+  const ref = useRef<HTMLDivElement>(null);
+
+  useEffect(() => {
+    api.get<TenantWithRole[]>("/tenants").then((data) => {
+      setTenants(data);
+      const savedId = localStorage.getItem("kanzlai_tenant_id");
+      const match = data.find((t) => t.id === savedId) || data[0];
+      if (match) {
+        setCurrent(match);
+        localStorage.setItem("kanzlai_tenant_id", match.id);
+      }
+    }).catch(() => {
+      // Not authenticated or no tenants
+    });
+  }, []);
+
+  useEffect(() => {
+    function handleClick(e: MouseEvent) {
+      if (ref.current && !ref.current.contains(e.target as Node)) {
+        setOpen(false);
+      }
+    }
+    document.addEventListener("mousedown", handleClick);
+    return () => document.removeEventListener("mousedown", handleClick);
+  }, []);
+
+  function switchTenant(tenant: TenantWithRole) {
+    setCurrent(tenant);
+    localStorage.setItem("kanzlai_tenant_id", tenant.id);
+    setOpen(false);
+    window.location.reload();
+  }
+
+  if (!current) return null;
+
+  return (
+    <div ref={ref} className="relative">
+      <button
+        onClick={() => setOpen(!open)}
+        className="flex items-center gap-1.5 rounded-md border border-neutral-200 bg-white px-2.5 py-1.5 text-sm text-neutral-700 hover:bg-neutral-50"
+      >
+        <span className="max-w-[160px] truncate">{current.name}</span>
+        <ChevronsUpDown className="h-3.5 w-3.5 text-neutral-400" />
+      </button>
+
+      {open && tenants.length > 1 && (
+        <div className="absolute right-0 top-full z-50 mt-1 w-56 rounded-md border border-neutral-200 bg-white py-1 shadow-lg">
+          {tenants.map((tenant) => (
+            <button
+              key={tenant.id}
+              onClick={() => switchTenant(tenant)}
+              className={`flex w-full items-center px-3 py-1.5 text-left text-sm transition-colors ${
+                tenant.id === current.id
+                  ? "bg-neutral-50 font-medium text-neutral-900"
+                  : "text-neutral-600 hover:bg-neutral-50"
+              }`}
+            >
+              <span className="truncate">{tenant.name}</span>
+              <span className="ml-auto text-xs text-neutral-400">
+                {tenant.role}
+              </span>
+            </button>
+          ))}
+        </div>
+      )}
+    </div>
+  );
+}

frontend/src/lib/api.ts

@@ -0,0 +1,77 @@
+import { createClient } from "@/lib/supabase/client";
+import type { ApiError } from "@/lib/types";
+
+class ApiClient {
+  private baseUrl = "/api";
+
+  private async getHeaders(): Promise<HeadersInit> {
+    const supabase = createClient();
+    const {
+      data: { session },
+    } = await supabase.auth.getSession();
+
+    const headers: HeadersInit = {
+      "Content-Type": "application/json",
+    };
+
+    if (session?.access_token) {
+      headers["Authorization"] = `Bearer ${session.access_token}`;
+    }
+
+    const tenantId = typeof window !== "undefined"
+      ? localStorage.getItem("kanzlai_tenant_id")
+      : null;
+    if (tenantId) {
+      headers["X-Tenant-ID"] = tenantId;
+    }
+
+    return headers;
+  }
+
+  private async request<T>(
+    path: string,
+    options: RequestInit = {},
+  ): Promise<T> {
+    const headers = await this.getHeaders();
+    const res = await fetch(`${this.baseUrl}${path}`, {
+      ...options,
+      headers: { ...headers, ...options.headers },
+    });
+
+    if (!res.ok) {
+      const body = await res.json().catch(() => ({}));
+      const err: ApiError = {
+        error: body.error || res.statusText,
+        status: res.status,
+      };
+      throw err;
+    }
+
+    if (res.status === 204) return undefined as T;
+    return res.json();
+  }
+
+  get<T>(path: string) {
+    return this.request<T>(path, { method: "GET" });
+  }
+
+  post<T>(path: string, body?: unknown) {
+    return this.request<T>(path, {
+      method: "POST",
+      body: body ? JSON.stringify(body) : undefined,
+    });
+  }
+
+  put<T>(path: string, body?: unknown) {
+    return this.request<T>(path, {
+      method: "PUT",
+      body: body ? JSON.stringify(body) : undefined,
+    });
+  }
+
+  delete<T>(path: string) {
+    return this.request<T>(path, { method: "DELETE" });
+  }
+}
+
+export const api = new ApiClient();

frontend/src/lib/supabase/client.ts

@@ -0,0 +1,8 @@
+import { createBrowserClient } from "@supabase/ssr";
+
+export function createClient() {
+  return createBrowserClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+  );
+}

frontend/src/lib/supabase/server.ts

@@ -0,0 +1,29 @@
+import { createServerClient } from "@supabase/ssr";
+import { cookies } from "next/headers";
+
+export async function createClient() {
+  const cookieStore = await cookies();
+
+  return createServerClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+    {
+      cookies: {
+        getAll() {
+          return cookieStore.getAll();
+        },
+        setAll(cookiesToSet) {
+          try {
+            cookiesToSet.forEach(({ name, value, options }) =>
+              cookieStore.set(name, value, options),
+            );
+          } catch {
+            // setAll is called from Server Components where cookies
+            // cannot be set. This is safe to ignore when middleware
+            // handles the session refresh.
+          }
+        },
+      },
+    },
+  );
+}

frontend/src/lib/types.ts

@@ -0,0 +1,117 @@
+export interface Tenant {
+  id: string;
+  name: string;
+  slug: string;
+  settings: Record<string, unknown>;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface TenantWithRole extends Tenant {
+  role: string;
+}
+
+export interface UserTenant {
+  user_id: string;
+  tenant_id: string;
+  role: string;
+  created_at: string;
+}
+
+export interface Case {
+  id: string;
+  tenant_id: string;
+  case_number: string;
+  title: string;
+  case_type?: string;
+  court?: string;
+  court_ref?: string;
+  status: string;
+  ai_summary?: string;
+  metadata: Record<string, unknown>;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface Party {
+  id: string;
+  tenant_id: string;
+  case_id: string;
+  name: string;
+  role?: string;
+  representative?: string;
+  contact_info: Record<string, unknown>;
+}
+
+export interface Deadline {
+  id: string;
+  tenant_id: string;
+  case_id: string;
+  title: string;
+  description?: string;
+  due_date: string;
+  original_due_date?: string;
+  warning_date?: string;
+  source: string;
+  rule_id?: string;
+  status: string;
+  completed_at?: string;
+  notes?: string;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface Appointment {
+  id: string;
+  tenant_id: string;
+  case_id?: string;
+  title: string;
+  description?: string;
+  start_at: string;
+  end_at?: string;
+  location?: string;
+  appointment_type?: string;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface CaseEvent {
+  id: string;
+  tenant_id: string;
+  case_id: string;
+  event_type?: string;
+  title: string;
+  description?: string;
+  event_date?: string;
+  created_by?: string;
+  metadata: Record<string, unknown>;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface Document {
+  id: string;
+  tenant_id: string;
+  case_id: string;
+  title: string;
+  doc_type?: string;
+  file_path?: string;
+  file_size?: number;
+  mime_type?: string;
+  ai_extracted?: Record<string, unknown>;
+  uploaded_by?: string;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface ApiError {
+  error: string;
+  status: number;
+}
+
+export interface PaginatedResponse<T> {
+  data: T[];
+  total: number;
+  page: number;
+  per_page: number;
+}

frontend/src/middleware.ts

@@ -0,0 +1,60 @@
+import { createServerClient } from "@supabase/ssr";
+import { NextResponse, type NextRequest } from "next/server";
+
+export async function middleware(request: NextRequest) {
+  let supabaseResponse = NextResponse.next({ request });
+
+  const supabase = createServerClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+    {
+      cookies: {
+        getAll() {
+          return request.cookies.getAll();
+        },
+        setAll(cookiesToSet) {
+          cookiesToSet.forEach(({ name, value }) =>
+            request.cookies.set(name, value),
+          );
+          supabaseResponse = NextResponse.next({ request });
+          cookiesToSet.forEach(({ name, value, options }) =>
+            supabaseResponse.cookies.set(name, value, options),
+          );
+        },
+      },
+    },
+  );
+
+  const {
+    data: { user },
+  } = await supabase.auth.getUser();
+
+  const { pathname } = request.nextUrl;
+
+  // Auth pages — redirect to app if already logged in
+  if (user && (pathname === "/login" || pathname === "/register")) {
+    const url = request.nextUrl.clone();
+    url.pathname = "/";
+    return NextResponse.redirect(url);
+  }
+
+  // Protected routes — redirect to login if not authenticated
+  if (
+    !user &&
+    !pathname.startsWith("/login") &&
+    !pathname.startsWith("/register") &&
+    !pathname.startsWith("/callback")
+  ) {
+    const url = request.nextUrl.clone();
+    url.pathname = "/login";
+    return NextResponse.redirect(url);
+  }
+
+  return supabaseResponse;
+}
+
+export const config = {
+  matcher: [
+    "/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
+  ],
+};