fix: critical security hardening — tenant isolation, CORS, error leaking, input validation

1. Tenant isolation bypass (CRITICAL): TenantResolver now verifies user has access to X-Tenant-ID via user_tenants lookup before setting context. Added VerifyAccess method to TenantLookup interface and TenantService. 2. Consolidated tenant resolution: Removed duplicate resolveTenant() from helpers.go and tenant resolution from auth middleware. TenantResolver is now the single source of truth. Deadlines and AI handlers use auth.TenantFromContext() instead of direct DB queries. 3. CalDAV credential masking: tenant settings responses now mask CalDAV passwords with "********" via maskSettingsPassword helper. Applied to GetTenant, ListTenants, and UpdateSettings responses. 4. CORS + security headers: New middleware/security.go with CORS (restricted to FRONTEND_ORIGIN) and security headers (X-Frame-Options, X-Content-Type-Options, HSTS, Referrer-Policy, X-XSS-Protection). 5. Internal error leaking: All writeError(w, 500, err.Error()) replaced with internalError() that logs via slog and returns generic "internal error" to client. Same for jsonError in tenant handler. 6. Input validation: Max length on title (500), description (10000), case_number (100), search (200). Pagination clamped to max 100. Content-Disposition filename sanitized against header injection. Regression test added for tenant access denial (403 on unauthorized X-Tenant-ID). All existing tests pass, go vet clean.
2026-03-30 11:01:14 +02:00
29 changed files with 365 additions and 1315 deletions
--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -36,12 +36,7 @@ func main() {
 	calDAVSvc.Start()
 	defer calDAVSvc.Stop()
-	// Start notification reminder service
+	handler := router.New(database, authMW, cfg, calDAVSvc)
 	notifSvc := services.NewNotificationService(database)
 	notifSvc.Start()
 	defer notifSvc.Stop()
 	handler := router.New(database, authMW, cfg, calDAVSvc, notifSvc)
 	slog.Info("starting KanzlAI API server", "port", cfg.Port)
 	if err := http.ListenAndServe(":"+cfg.Port, handler); err != nil {
--- a/backend/internal/auth/middleware.go
+++ b/backend/internal/auth/middleware.go
@@ -24,28 +24,19 @@ func (m *Middleware) RequireAuth(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		token := extractBearerToken(r)
 		if token == "" {
-			http.Error(w, "missing authorization token", http.StatusUnauthorized)
+			http.Error(w, `{"error":"missing authorization token"}`, http.StatusUnauthorized)
 			return
 		}
 		userID, err := m.verifyJWT(token)
 		if err != nil {
-			http.Error(w, fmt.Sprintf("invalid token: %v", err), http.StatusUnauthorized)
+			http.Error(w, `{"error":"invalid token"}`, http.StatusUnauthorized)
 			return
 		}
 		ctx := ContextWithUserID(r.Context(), userID)
-
+		// Tenant resolution is handled by TenantResolver middleware for scoped routes.
-		// Resolve tenant from user_tenants
+		// Tenant management routes handle their own access control.
 		var tenantID uuid.UUID
 		err = m.db.GetContext(r.Context(), &tenantID,
 			"SELECT tenant_id FROM user_tenants WHERE user_id = $1 LIMIT 1", userID)
 		if err != nil {
 			http.Error(w, "no tenant found for user", http.StatusForbidden)
 			return
 		}
 		ctx = ContextWithTenantID(ctx, tenantID)
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }
--- a/backend/internal/auth/tenant_resolver.go
+++ b/backend/internal/auth/tenant_resolver.go
@@ -2,20 +2,21 @@ package auth
 import (
 	"context"
-	"fmt"
+	"log/slog"
 	"net/http"
 	"github.com/google/uuid"
 )
-// TenantLookup resolves the default tenant for a user.
+// TenantLookup resolves and verifies tenant access for a user.
 // Defined as an interface to avoid circular dependency with services.
 type TenantLookup interface {
 	FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error)
 	VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error)
 }
 // TenantResolver is middleware that resolves the tenant from X-Tenant-ID header
-// or defaults to the user's first tenant.
+// or defaults to the user's first tenant. Always verifies user has access.
 type TenantResolver struct {
 	lookup TenantLookup
 }
@@ -28,7 +29,7 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		userID, ok := UserFromContext(r.Context())
 		if !ok {
-			http.Error(w, "unauthorized", http.StatusUnauthorized)
+			http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
 			return
 		}
@@ -37,19 +38,33 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
 		if header := r.Header.Get("X-Tenant-ID"); header != "" {
 			parsed, err := uuid.Parse(header)
 			if err != nil {
-				http.Error(w, fmt.Sprintf("invalid X-Tenant-ID: %v", err), http.StatusBadRequest)
+				http.Error(w, `{"error":"invalid X-Tenant-ID"}`, http.StatusBadRequest)
 				return
 			}
 			// Verify user has access to this tenant
 			hasAccess, err := tr.lookup.VerifyAccess(r.Context(), userID, parsed)
 			if err != nil {
 				slog.Error("tenant access check failed", "error", err, "user_id", userID, "tenant_id", parsed)
 				http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
 				return
 			}
 			if !hasAccess {
 				http.Error(w, `{"error":"no access to tenant"}`, http.StatusForbidden)
 				return
 			}
 			tenantID = parsed
 		} else {
 			// Default to user's first tenant
 			first, err := tr.lookup.FirstTenantForUser(r.Context(), userID)
 			if err != nil {
-				http.Error(w, fmt.Sprintf("resolving tenant: %v", err), http.StatusInternalServerError)
+				slog.Error("failed to resolve default tenant", "error", err, "user_id", userID)
 				http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
 				return
 			}
 			if first == nil {
-				http.Error(w, "no tenant found for user", http.StatusBadRequest)
+				http.Error(w, `{"error":"no tenant found for user"}`, http.StatusBadRequest)
 				return
 			}
 			tenantID = *first
--- a/backend/internal/auth/tenant_resolver_test.go
+++ b/backend/internal/auth/tenant_resolver_test.go
@@ -10,17 +10,23 @@ import (
 )
 type mockTenantLookup struct {
-	tenantID *uuid.UUID
+	tenantID  *uuid.UUID
-	err      error
+	err       error
 	hasAccess bool
 	accessErr error
 }
 func (m *mockTenantLookup) FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error) {
 	return m.tenantID, m.err
 }
 func (m *mockTenantLookup) VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error) {
 	return m.hasAccess, m.accessErr
 }
 func TestTenantResolver_FromHeader(t *testing.T) {
 	tenantID := uuid.New()
-	tr := NewTenantResolver(&mockTenantLookup{})
+	tr := NewTenantResolver(&mockTenantLookup{hasAccess: true})
 	var gotTenantID uuid.UUID
 	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -47,6 +53,26 @@ func TestTenantResolver_FromHeader(t *testing.T) {
 	}
 }
 func TestTenantResolver_FromHeader_NoAccess(t *testing.T) {
 	tenantID := uuid.New()
 	tr := NewTenantResolver(&mockTenantLookup{hasAccess: false})
 	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		t.Fatal("next should not be called")
 	})
 	r := httptest.NewRequest("GET", "/api/cases", nil)
 	r.Header.Set("X-Tenant-ID", tenantID.String())
 	r = r.WithContext(ContextWithUserID(r.Context(), uuid.New()))
 	w := httptest.NewRecorder()
 	tr.Resolve(next).ServeHTTP(w, r)
 	if w.Code != http.StatusForbidden {
 		t.Errorf("expected 403, got %d", w.Code)
 	}
 }
 func TestTenantResolver_DefaultsToFirst(t *testing.T) {
 	tenantID := uuid.New()
 	tr := NewTenantResolver(&mockTenantLookup{tenantID: &tenantID})
--- a/backend/internal/config/config.go
+++ b/backend/internal/config/config.go
@@ -13,6 +13,7 @@ type Config struct {
 	SupabaseServiceKey string
 	SupabaseJWTSecret string
 	AnthropicAPIKey   string
 	FrontendOrigin    string
 }
 func Load() (*Config, error) {
@@ -24,6 +25,7 @@ func Load() (*Config, error) {
 		SupabaseServiceKey: os.Getenv("SUPABASE_SERVICE_KEY"),
 		SupabaseJWTSecret: os.Getenv("SUPABASE_JWT_SECRET"),
 		AnthropicAPIKey:  os.Getenv("ANTHROPIC_API_KEY"),
 		FrontendOrigin:   getEnv("FRONTEND_ORIGIN", "https://kanzlai.msbls.de"),
 	}
 	if cfg.DatabaseURL == "" {
--- a/backend/internal/handlers/ai.go
+++ b/backend/internal/handlers/ai.go
@@ -5,18 +5,16 @@ import (
 	"io"
 	"net/http"
-	"github.com/jmoiron/sqlx"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
 )
 type AIHandler struct {
 	ai *services.AIService
 	db *sqlx.DB
 }
-func NewAIHandler(ai *services.AIService, db *sqlx.DB) *AIHandler {
+func NewAIHandler(ai *services.AIService) *AIHandler {
-	return &AIHandler{ai: ai, db: db}
+	return &AIHandler{ai: ai}
 }
 // ExtractDeadlines handles POST /api/ai/extract-deadlines
@@ -61,10 +59,14 @@ func (h *AIHandler) ExtractDeadlines(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "provide either a PDF file or text")
 		return
 	}
 	if len(text) > maxDescriptionLen {
 		writeError(w, http.StatusBadRequest, "text exceeds maximum length")
 		return
 	}
 	deadlines, err := h.ai.ExtractDeadlines(r.Context(), pdfData, text)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, "AI extraction failed: "+err.Error())
+		internalError(w, "AI deadline extraction failed", err)
 		return
 	}
@@ -77,9 +79,9 @@ func (h *AIHandler) ExtractDeadlines(w http.ResponseWriter, r *http.Request) {
 // SummarizeCase handles POST /api/ai/summarize-case
 // Accepts JSON {"case_id": "uuid"}.
 func (h *AIHandler) SummarizeCase(w http.ResponseWriter, r *http.Request) {
-	tenantID, err := resolveTenant(r, h.db)
+	tenantID, ok := auth.TenantFromContext(r.Context())
-	if err != nil {
+	if !ok {
-		handleTenantError(w, err)
+		writeError(w, http.StatusForbidden, "missing tenant")
 		return
 	}
@@ -104,7 +106,7 @@ func (h *AIHandler) SummarizeCase(w http.ResponseWriter, r *http.Request) {
 	summary, err := h.ai.SummarizeCase(r.Context(), tenantID, caseID)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, "AI summarization failed: "+err.Error())
+		internalError(w, "AI case summarization failed", err)
 		return
 	}
--- a/backend/internal/handlers/ai_handler_test.go
+++ b/backend/internal/handlers/ai_handler_test.go
@@ -42,7 +42,7 @@ func TestAIExtractDeadlines_InvalidJSON(t *testing.T) {
 	}
 }
-func TestAISummarizeCase_MissingCaseID(t *testing.T) {
+func TestAISummarizeCase_MissingTenant(t *testing.T) {
 	h := &AIHandler{}
 	body := `{"case_id":""}`
@@ -52,9 +52,9 @@ func TestAISummarizeCase_MissingCaseID(t *testing.T) {
 	h.SummarizeCase(w, r)
-	// Without auth context, the resolveTenant will fail first
+	// Without tenant context, TenantFromContext returns !ok → 403
-	if w.Code != http.StatusUnauthorized {
+	if w.Code != http.StatusForbidden {
-		t.Errorf("expected 401, got %d", w.Code)
+		t.Errorf("expected 403, got %d", w.Code)
 	}
 }
@@ -67,8 +67,8 @@ func TestAISummarizeCase_InvalidJSON(t *testing.T) {
 	h.SummarizeCase(w, r)
-	// Without auth context, the resolveTenant will fail first
+	// Without tenant context, TenantFromContext returns !ok → 403
-	if w.Code != http.StatusUnauthorized {
+	if w.Code != http.StatusForbidden {
-		t.Errorf("expected 401, got %d", w.Code)
+		t.Errorf("expected 403, got %d", w.Code)
 	}
 }
--- a/backend/internal/handlers/appointments.go
+++ b/backend/internal/handlers/appointments.go
@@ -121,6 +121,10 @@ func (h *AppointmentHandler) Create(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "title is required")
 		return
 	}
 	if msg := validateStringLength("title", req.Title, maxTitleLen); msg != "" {
 		writeError(w, http.StatusBadRequest, msg)
 		return
 	}
 	if req.StartAt.IsZero() {
 		writeError(w, http.StatusBadRequest, "start_at is required")
 		return
@@ -188,6 +192,10 @@ func (h *AppointmentHandler) Update(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "title is required")
 		return
 	}
 	if msg := validateStringLength("title", req.Title, maxTitleLen); msg != "" {
 		writeError(w, http.StatusBadRequest, msg)
 		return
 	}
 	if req.StartAt.IsZero() {
 		writeError(w, http.StatusBadRequest, "start_at is required")
 		return
--- a/backend/internal/handlers/caldav.go
+++ b/backend/internal/handlers/caldav.go
@@ -27,7 +27,7 @@ func (h *CalDAVHandler) TriggerSync(w http.ResponseWriter, r *http.Request) {
 	cfg, err := h.svc.LoadTenantConfig(tenantID)
 	if err != nil {
-		writeError(w, http.StatusBadRequest, err.Error())
+		writeError(w, http.StatusBadRequest, "CalDAV not configured for this tenant")
 		return
 	}
--- a/backend/internal/handlers/cases.go
+++ b/backend/internal/handlers/cases.go
@@ -28,18 +28,25 @@ func (h *CaseHandler) List(w http.ResponseWriter, r *http.Request) {
 	limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
 	offset, _ := strconv.Atoi(r.URL.Query().Get("offset"))
 	limit, offset = clampPagination(limit, offset)
 	search := r.URL.Query().Get("search")
 	if msg := validateStringLength("search", search, maxSearchLen); msg != "" {
 		writeError(w, http.StatusBadRequest, msg)
 		return
 	}
 	filter := services.CaseFilter{
 		Status: r.URL.Query().Get("status"),
 		Type:   r.URL.Query().Get("type"),
-		Search: r.URL.Query().Get("search"),
+		Search: search,
 		Limit:  limit,
 		Offset: offset,
 	}
 	cases, total, err := h.svc.List(r.Context(), tenantID, filter)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, err.Error())
+		internalError(w, "failed to list cases", err)
 		return
 	}
@@ -66,10 +73,18 @@ func (h *CaseHandler) Create(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "case_number and title are required")
 		return
 	}
 	if msg := validateStringLength("case_number", input.CaseNumber, maxCaseNumberLen); msg != "" {
 		writeError(w, http.StatusBadRequest, msg)
 		return
 	}
 	if msg := validateStringLength("title", input.Title, maxTitleLen); msg != "" {
 		writeError(w, http.StatusBadRequest, msg)
 		return
 	}
 	c, err := h.svc.Create(r.Context(), tenantID, userID, input)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, err.Error())
+		internalError(w, "failed to create case", err)
 		return
 	}
@@ -91,7 +106,7 @@ func (h *CaseHandler) Get(w http.ResponseWriter, r *http.Request) {
 	detail, err := h.svc.GetByID(r.Context(), tenantID, caseID)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, err.Error())
+		internalError(w, "failed to get case", err)
 		return
 	}
 	if detail == nil {
@@ -121,10 +136,22 @@ func (h *CaseHandler) Update(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "invalid JSON body")
 		return
 	}
 	if input.Title != nil {
 		if msg := validateStringLength("title", *input.Title, maxTitleLen); msg != "" {
 			writeError(w, http.StatusBadRequest, msg)
 			return
 		}
 	}
 	if input.CaseNumber != nil {
 		if msg := validateStringLength("case_number", *input.CaseNumber, maxCaseNumberLen); msg != "" {
 			writeError(w, http.StatusBadRequest, msg)
 			return
 		}
 	}
 	updated, err := h.svc.Update(r.Context(), tenantID, caseID, userID, input)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, err.Error())
+		internalError(w, "failed to update case", err)
 		return
 	}
 	if updated == nil {
--- a/backend/internal/handlers/dashboard.go
+++ b/backend/internal/handlers/dashboard.go
@@ -24,7 +24,7 @@ func (h *DashboardHandler) Get(w http.ResponseWriter, r *http.Request) {
 	data, err := h.svc.Get(r.Context(), tenantID)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, err.Error())
+		internalError(w, "failed to load dashboard", err)
 		return
 	}
--- a/backend/internal/handlers/deadlines.go
+++ b/backend/internal/handlers/deadlines.go
@@ -4,27 +4,25 @@ import (
 	"encoding/json"
 	"net/http"
-	"github.com/jmoiron/sqlx"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
 )
 // DeadlineHandlers holds handlers for deadline CRUD endpoints
 type DeadlineHandlers struct {
 	deadlines *services.DeadlineService
 	db        *sqlx.DB
 }
 // NewDeadlineHandlers creates deadline handlers
-func NewDeadlineHandlers(ds *services.DeadlineService, db *sqlx.DB) *DeadlineHandlers {
+func NewDeadlineHandlers(ds *services.DeadlineService) *DeadlineHandlers {
-	return &DeadlineHandlers{deadlines: ds, db: db}
+	return &DeadlineHandlers{deadlines: ds}
 }
 // Get handles GET /api/deadlines/{deadlineID}
 func (h *DeadlineHandlers) Get(w http.ResponseWriter, r *http.Request) {
-	tenantID, err := resolveTenant(r, h.db)
+	tenantID, ok := auth.TenantFromContext(r.Context())
-	if err != nil {
+	if !ok {
-		handleTenantError(w, err)
+		writeError(w, http.StatusForbidden, "missing tenant")
 		return
 	}
@@ -36,7 +34,7 @@ func (h *DeadlineHandlers) Get(w http.ResponseWriter, r *http.Request) {
 	deadline, err := h.deadlines.GetByID(tenantID, deadlineID)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, "failed to fetch deadline")
+		internalError(w, "failed to fetch deadline", err)
 		return
 	}
 	if deadline == nil {
@@ -49,15 +47,15 @@ func (h *DeadlineHandlers) Get(w http.ResponseWriter, r *http.Request) {
 // ListAll handles GET /api/deadlines
 func (h *DeadlineHandlers) ListAll(w http.ResponseWriter, r *http.Request) {
-	tenantID, err := resolveTenant(r, h.db)
+	tenantID, ok := auth.TenantFromContext(r.Context())
-	if err != nil {
+	if !ok {
-		handleTenantError(w, err)
+		writeError(w, http.StatusForbidden, "missing tenant")
 		return
 	}
 	deadlines, err := h.deadlines.ListAll(tenantID)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, "failed to list deadlines")
+		internalError(w, "failed to list deadlines", err)
 		return
 	}
@@ -66,9 +64,9 @@ func (h *DeadlineHandlers) ListAll(w http.ResponseWriter, r *http.Request) {
 // ListForCase handles GET /api/cases/{caseID}/deadlines
 func (h *DeadlineHandlers) ListForCase(w http.ResponseWriter, r *http.Request) {
-	tenantID, err := resolveTenant(r, h.db)
+	tenantID, ok := auth.TenantFromContext(r.Context())
-	if err != nil {
+	if !ok {
-		handleTenantError(w, err)
+		writeError(w, http.StatusForbidden, "missing tenant")
 		return
 	}
@@ -80,7 +78,7 @@ func (h *DeadlineHandlers) ListForCase(w http.ResponseWriter, r *http.Request) {
 	deadlines, err := h.deadlines.ListForCase(tenantID, caseID)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, "failed to list deadlines")
+		internalError(w, "failed to list deadlines for case", err)
 		return
 	}
@@ -89,9 +87,9 @@ func (h *DeadlineHandlers) ListForCase(w http.ResponseWriter, r *http.Request) {
 // Create handles POST /api/cases/{caseID}/deadlines
 func (h *DeadlineHandlers) Create(w http.ResponseWriter, r *http.Request) {
-	tenantID, err := resolveTenant(r, h.db)
+	tenantID, ok := auth.TenantFromContext(r.Context())
-	if err != nil {
+	if !ok {
-		handleTenantError(w, err)
+		writeError(w, http.StatusForbidden, "missing tenant")
 		return
 	}
@@ -112,10 +110,14 @@ func (h *DeadlineHandlers) Create(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "title and due_date are required")
 		return
 	}
 	if msg := validateStringLength("title", input.Title, maxTitleLen); msg != "" {
 		writeError(w, http.StatusBadRequest, msg)
 		return
 	}
 	deadline, err := h.deadlines.Create(tenantID, input)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, "failed to create deadline")
+		internalError(w, "failed to create deadline", err)
 		return
 	}
@@ -124,9 +126,9 @@ func (h *DeadlineHandlers) Create(w http.ResponseWriter, r *http.Request) {
 // Update handles PUT /api/deadlines/{deadlineID}
 func (h *DeadlineHandlers) Update(w http.ResponseWriter, r *http.Request) {
-	tenantID, err := resolveTenant(r, h.db)
+	tenantID, ok := auth.TenantFromContext(r.Context())
-	if err != nil {
+	if !ok {
-		handleTenantError(w, err)
+		writeError(w, http.StatusForbidden, "missing tenant")
 		return
 	}
@@ -144,7 +146,7 @@ func (h *DeadlineHandlers) Update(w http.ResponseWriter, r *http.Request) {
 	deadline, err := h.deadlines.Update(tenantID, deadlineID, input)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, "failed to update deadline")
+		internalError(w, "failed to update deadline", err)
 		return
 	}
 	if deadline == nil {
@@ -157,9 +159,9 @@ func (h *DeadlineHandlers) Update(w http.ResponseWriter, r *http.Request) {
 // Complete handles PATCH /api/deadlines/{deadlineID}/complete
 func (h *DeadlineHandlers) Complete(w http.ResponseWriter, r *http.Request) {
-	tenantID, err := resolveTenant(r, h.db)
+	tenantID, ok := auth.TenantFromContext(r.Context())
-	if err != nil {
+	if !ok {
-		handleTenantError(w, err)
+		writeError(w, http.StatusForbidden, "missing tenant")
 		return
 	}
@@ -171,7 +173,7 @@ func (h *DeadlineHandlers) Complete(w http.ResponseWriter, r *http.Request) {
 	deadline, err := h.deadlines.Complete(tenantID, deadlineID)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, "failed to complete deadline")
+		internalError(w, "failed to complete deadline", err)
 		return
 	}
 	if deadline == nil {
@@ -184,9 +186,9 @@ func (h *DeadlineHandlers) Complete(w http.ResponseWriter, r *http.Request) {
 // Delete handles DELETE /api/deadlines/{deadlineID}
 func (h *DeadlineHandlers) Delete(w http.ResponseWriter, r *http.Request) {
-	tenantID, err := resolveTenant(r, h.db)
+	tenantID, ok := auth.TenantFromContext(r.Context())
-	if err != nil {
+	if !ok {
-		handleTenantError(w, err)
+		writeError(w, http.StatusForbidden, "missing tenant")
 		return
 	}
@@ -196,9 +198,8 @@ func (h *DeadlineHandlers) Delete(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	err = h.deadlines.Delete(tenantID, deadlineID)
+	if err := h.deadlines.Delete(tenantID, deadlineID); err != nil {
-	if err != nil {
+		writeError(w, http.StatusNotFound, "deadline not found")
 		writeError(w, http.StatusNotFound, err.Error())
 		return
 	}
--- a/backend/internal/handlers/documents.go
+++ b/backend/internal/handlers/documents.go
@@ -36,7 +36,7 @@ func (h *DocumentHandler) ListByCase(w http.ResponseWriter, r *http.Request) {
 	docs, err := h.svc.ListByCase(r.Context(), tenantID, caseID)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, err.Error())
+		internalError(w, "failed to list documents", err)
 		return
 	}
@@ -98,7 +98,7 @@ func (h *DocumentHandler) Upload(w http.ResponseWriter, r *http.Request) {
 			writeError(w, http.StatusNotFound, "case not found")
 			return
 		}
-		writeError(w, http.StatusInternalServerError, err.Error())
+		internalError(w, "failed to upload document", err)
 		return
 	}
@@ -121,16 +121,16 @@ func (h *DocumentHandler) Download(w http.ResponseWriter, r *http.Request) {
 	body, contentType, title, err := h.svc.Download(r.Context(), tenantID, docID)
 	if err != nil {
 		if err.Error() == "document not found" || err.Error() == "document has no file" {
-			writeError(w, http.StatusNotFound, err.Error())
+			writeError(w, http.StatusNotFound, "document not found")
 			return
 		}
-		writeError(w, http.StatusInternalServerError, err.Error())
+		internalError(w, "failed to download document", err)
 		return
 	}
 	defer body.Close()
 	w.Header().Set("Content-Type", contentType)
-	w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, title))
+	w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, sanitizeFilename(title)))
 	io.Copy(w, body)
 }
@@ -149,7 +149,7 @@ func (h *DocumentHandler) GetMeta(w http.ResponseWriter, r *http.Request) {
 	doc, err := h.svc.GetByID(r.Context(), tenantID, docID)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, err.Error())
+		internalError(w, "failed to get document metadata", err)
 		return
 	}
 	if doc == nil {
--- a/backend/internal/handlers/helpers.go
+++ b/backend/internal/handlers/helpers.go
@@ -2,12 +2,12 @@ package handlers
 import (
 	"encoding/json"
 	"log/slog"
 	"net/http"
 	"strings"
 	"unicode/utf8"
 	"github.com/google/uuid"
 	"github.com/jmoiron/sqlx"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
 )
 func writeJSON(w http.ResponseWriter, status int, v any) {
@@ -20,62 +20,9 @@ func writeError(w http.ResponseWriter, status int, msg string) {
 	writeJSON(w, status, map[string]string{"error": msg})
 }
-// resolveTenant gets the tenant ID for the authenticated user.
+// internalError logs the real error and returns a generic message to the client.
-// Checks X-Tenant-ID header first, then falls back to user's first tenant.
+func internalError(w http.ResponseWriter, msg string, err error) {
-func resolveTenant(r *http.Request, db *sqlx.DB) (uuid.UUID, error) {
+	slog.Error(msg, "error", err)
 	userID, ok := auth.UserFromContext(r.Context())
 	if !ok {
 		return uuid.Nil, errUnauthorized
 	}
 	// Check header first
 	if headerVal := r.Header.Get("X-Tenant-ID"); headerVal != "" {
 		tenantID, err := uuid.Parse(headerVal)
 		if err != nil {
 			return uuid.Nil, errInvalidTenant
 		}
 		// Verify user has access to this tenant
 		var count int
 		err = db.Get(&count,
 			`SELECT COUNT(*) FROM user_tenants WHERE user_id = $1 AND tenant_id = $2`,
 			userID, tenantID)
 		if err != nil || count == 0 {
 			return uuid.Nil, errTenantAccess
 		}
 		return tenantID, nil
 	}
 	// Fall back to user's first tenant
 	var tenantID uuid.UUID
 	err := db.Get(&tenantID,
 		`SELECT tenant_id FROM user_tenants WHERE user_id = $1 ORDER BY created_at LIMIT 1`,
 		userID)
 	if err != nil {
 		return uuid.Nil, errNoTenant
 	}
 	return tenantID, nil
 }
 type apiError struct {
 	msg    string
 	status int
 }
 func (e *apiError) Error() string { return e.msg }
 var (
 	errUnauthorized = &apiError{msg: "unauthorized", status: http.StatusUnauthorized}
 	errInvalidTenant = &apiError{msg: "invalid tenant ID", status: http.StatusBadRequest}
 	errTenantAccess  = &apiError{msg: "no access to tenant", status: http.StatusForbidden}
 	errNoTenant      = &apiError{msg: "no tenant found for user", status: http.StatusBadRequest}
 )
 // handleTenantError writes the appropriate error response for tenant resolution errors
 func handleTenantError(w http.ResponseWriter, err error) {
 	if ae, ok := err.(*apiError); ok {
 		writeError(w, ae.status, ae.msg)
 		return
 	}
 	writeError(w, http.StatusInternalServerError, "internal error")
 }
@@ -88,3 +35,74 @@ func parsePathUUID(r *http.Request, key string) (uuid.UUID, error) {
 func parseUUID(s string) (uuid.UUID, error) {
 	return uuid.Parse(s)
 }
 // --- Input validation helpers ---
 const (
 	maxTitleLen       = 500
 	maxDescriptionLen = 10000
 	maxCaseNumberLen  = 100
 	maxSearchLen      = 200
 	maxPaginationLimit = 100
 )
 // validateStringLength checks if a string exceeds the given max length.
 func validateStringLength(field, value string, maxLen int) string {
 	if utf8.RuneCountInString(value) > maxLen {
 		return field + " exceeds maximum length"
 	}
 	return ""
 }
 // clampPagination enforces sane pagination defaults and limits.
 func clampPagination(limit, offset int) (int, int) {
 	if limit <= 0 {
 		limit = 20
 	}
 	if limit > maxPaginationLimit {
 		limit = maxPaginationLimit
 	}
 	if offset < 0 {
 		offset = 0
 	}
 	return limit, offset
 }
 // sanitizeFilename removes characters unsafe for Content-Disposition headers.
 func sanitizeFilename(name string) string {
 	// Remove control characters, quotes, and backslashes
 	var b strings.Builder
 	for _, r := range name {
 		if r < 32 || r == '"' || r == '\\' || r == '/' {
 			b.WriteRune('_')
 		} else {
 			b.WriteRune(r)
 		}
 	}
 	return b.String()
 }
 // maskSettingsPassword masks the CalDAV password in tenant settings JSON before returning to clients.
 func maskSettingsPassword(settings json.RawMessage) json.RawMessage {
 	if len(settings) == 0 {
 		return settings
 	}
 	var m map[string]json.RawMessage
 	if err := json.Unmarshal(settings, &m); err != nil {
 		return settings
 	}
 	caldavRaw, ok := m["caldav"]
 	if !ok {
 		return settings
 	}
 	var caldav map[string]json.RawMessage
 	if err := json.Unmarshal(caldavRaw, &caldav); err != nil {
 		return settings
 	}
 	if _, ok := caldav["password"]; ok {
 		caldav["password"], _ = json.Marshal("********")
 	}
 	m["caldav"], _ = json.Marshal(caldav)
 	result, _ := json.Marshal(m)
 	return result
 }
--- a/backend/internal/handlers/notes.go
+++ b/backend/internal/handlers/notes.go
@@ -60,6 +60,10 @@ func (h *NoteHandler) Create(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "content is required")
 		return
 	}
 	if msg := validateStringLength("content", input.Content, maxDescriptionLen); msg != "" {
 		writeError(w, http.StatusBadRequest, msg)
 		return
 	}
 	var createdBy *uuid.UUID
 	if userID != uuid.Nil {
@@ -100,6 +104,10 @@ func (h *NoteHandler) Update(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "content is required")
 		return
 	}
 	if msg := validateStringLength("content", req.Content, maxDescriptionLen); msg != "" {
 		writeError(w, http.StatusBadRequest, msg)
 		return
 	}
 	note, err := h.svc.Update(r.Context(), tenantID, noteID, req.Content)
 	if err != nil {
--- a/backend/internal/handlers/notifications.go
+++ b/backend/internal/handlers/notifications.go
@@ -1,171 +0,0 @@
 package handlers
 import (
 	"encoding/json"
 	"net/http"
 	"strconv"
 	"github.com/jmoiron/sqlx"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
 )
 // NotificationHandler handles notification API endpoints.
 type NotificationHandler struct {
 	svc *services.NotificationService
 	db  *sqlx.DB
 }
 // NewNotificationHandler creates a new notification handler.
 func NewNotificationHandler(svc *services.NotificationService, db *sqlx.DB) *NotificationHandler {
 	return &NotificationHandler{svc: svc, db: db}
 }
 // List returns paginated notifications for the authenticated user.
 func (h *NotificationHandler) List(w http.ResponseWriter, r *http.Request) {
 	tenantID, ok := auth.TenantFromContext(r.Context())
 	if !ok {
 		writeError(w, http.StatusUnauthorized, "unauthorized")
 		return
 	}
 	userID, ok := auth.UserFromContext(r.Context())
 	if !ok {
 		writeError(w, http.StatusUnauthorized, "unauthorized")
 		return
 	}
 	limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
 	offset, _ := strconv.Atoi(r.URL.Query().Get("offset"))
 	notifications, total, err := h.svc.ListForUser(r.Context(), tenantID, userID, limit, offset)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "failed to list notifications")
 		return
 	}
 	writeJSON(w, http.StatusOK, map[string]any{
 		"data":  notifications,
 		"total": total,
 	})
 }
 // UnreadCount returns the count of unread notifications.
 func (h *NotificationHandler) UnreadCount(w http.ResponseWriter, r *http.Request) {
 	tenantID, ok := auth.TenantFromContext(r.Context())
 	if !ok {
 		writeError(w, http.StatusUnauthorized, "unauthorized")
 		return
 	}
 	userID, ok := auth.UserFromContext(r.Context())
 	if !ok {
 		writeError(w, http.StatusUnauthorized, "unauthorized")
 		return
 	}
 	count, err := h.svc.UnreadCount(r.Context(), tenantID, userID)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "failed to count notifications")
 		return
 	}
 	writeJSON(w, http.StatusOK, map[string]int{"unread_count": count})
 }
 // MarkRead marks a single notification as read.
 func (h *NotificationHandler) MarkRead(w http.ResponseWriter, r *http.Request) {
 	tenantID, ok := auth.TenantFromContext(r.Context())
 	if !ok {
 		writeError(w, http.StatusUnauthorized, "unauthorized")
 		return
 	}
 	userID, ok := auth.UserFromContext(r.Context())
 	if !ok {
 		writeError(w, http.StatusUnauthorized, "unauthorized")
 		return
 	}
 	notifID, err := parsePathUUID(r, "id")
 	if err != nil {
 		writeError(w, http.StatusBadRequest, "invalid notification ID")
 		return
 	}
 	if err := h.svc.MarkRead(r.Context(), tenantID, userID, notifID); err != nil {
 		writeError(w, http.StatusNotFound, err.Error())
 		return
 	}
 	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
 }
 // MarkAllRead marks all notifications as read.
 func (h *NotificationHandler) MarkAllRead(w http.ResponseWriter, r *http.Request) {
 	tenantID, ok := auth.TenantFromContext(r.Context())
 	if !ok {
 		writeError(w, http.StatusUnauthorized, "unauthorized")
 		return
 	}
 	userID, ok := auth.UserFromContext(r.Context())
 	if !ok {
 		writeError(w, http.StatusUnauthorized, "unauthorized")
 		return
 	}
 	if err := h.svc.MarkAllRead(r.Context(), tenantID, userID); err != nil {
 		writeError(w, http.StatusInternalServerError, "failed to mark all read")
 		return
 	}
 	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
 }
 // GetPreferences returns notification preferences for the authenticated user.
 func (h *NotificationHandler) GetPreferences(w http.ResponseWriter, r *http.Request) {
 	tenantID, ok := auth.TenantFromContext(r.Context())
 	if !ok {
 		writeError(w, http.StatusUnauthorized, "unauthorized")
 		return
 	}
 	userID, ok := auth.UserFromContext(r.Context())
 	if !ok {
 		writeError(w, http.StatusUnauthorized, "unauthorized")
 		return
 	}
 	pref, err := h.svc.GetPreferences(r.Context(), tenantID, userID)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "failed to get preferences")
 		return
 	}
 	writeJSON(w, http.StatusOK, pref)
 }
 // UpdatePreferences updates notification preferences for the authenticated user.
 func (h *NotificationHandler) UpdatePreferences(w http.ResponseWriter, r *http.Request) {
 	tenantID, ok := auth.TenantFromContext(r.Context())
 	if !ok {
 		writeError(w, http.StatusUnauthorized, "unauthorized")
 		return
 	}
 	userID, ok := auth.UserFromContext(r.Context())
 	if !ok {
 		writeError(w, http.StatusUnauthorized, "unauthorized")
 		return
 	}
 	var input services.UpdatePreferencesInput
 	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
 		writeError(w, http.StatusBadRequest, "invalid request body")
 		return
 	}
 	pref, err := h.svc.UpdatePreferences(r.Context(), tenantID, userID, input)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "failed to update preferences")
 		return
 	}
 	writeJSON(w, http.StatusOK, pref)
 }
--- a/backend/internal/handlers/parties.go
+++ b/backend/internal/handlers/parties.go
@@ -34,7 +34,7 @@ func (h *PartyHandler) List(w http.ResponseWriter, r *http.Request) {
 	parties, err := h.svc.ListByCase(r.Context(), tenantID, caseID)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, err.Error())
+		internalError(w, "failed to list parties", err)
 		return
 	}
@@ -67,13 +67,18 @@ func (h *PartyHandler) Create(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if msg := validateStringLength("name", input.Name, maxTitleLen); msg != "" {
 		writeError(w, http.StatusBadRequest, msg)
 		return
 	}
 	party, err := h.svc.Create(r.Context(), tenantID, caseID, userID, input)
 	if err != nil {
 		if err == sql.ErrNoRows {
 			writeError(w, http.StatusNotFound, "case not found")
 			return
 		}
-		writeError(w, http.StatusInternalServerError, err.Error())
+		internalError(w, "failed to create party", err)
 		return
 	}
@@ -101,7 +106,7 @@ func (h *PartyHandler) Update(w http.ResponseWriter, r *http.Request) {
 	updated, err := h.svc.Update(r.Context(), tenantID, partyID, input)
 	if err != nil {
-		writeError(w, http.StatusInternalServerError, err.Error())
+		internalError(w, "failed to update party", err)
 		return
 	}
 	if updated == nil {
--- a/backend/internal/handlers/tenant_handler.go
+++ b/backend/internal/handlers/tenant_handler.go
@@ -2,6 +2,7 @@ package handlers
 import (
 	"encoding/json"
 	"log/slog"
 	"net/http"
 	"github.com/google/uuid"
@@ -41,7 +42,8 @@ func (h *TenantHandler) CreateTenant(w http.ResponseWriter, r *http.Request) {
 	tenant, err := h.svc.Create(r.Context(), userID, req.Name, req.Slug)
 	if err != nil {
-		jsonError(w, err.Error(), http.StatusInternalServerError)
+		slog.Error("failed to create tenant", "error", err)
 		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
@@ -58,10 +60,16 @@ func (h *TenantHandler) ListTenants(w http.ResponseWriter, r *http.Request) {
 	tenants, err := h.svc.ListForUser(r.Context(), userID)
 	if err != nil {
-		jsonError(w, err.Error(), http.StatusInternalServerError)
+		slog.Error("failed to list tenants", "error", err)
 		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 	// Mask CalDAV passwords in tenant settings
 	for i := range tenants {
 		tenants[i].Settings = maskSettingsPassword(tenants[i].Settings)
 	}
 	jsonResponse(w, tenants, http.StatusOK)
 }
@@ -82,7 +90,8 @@ func (h *TenantHandler) GetTenant(w http.ResponseWriter, r *http.Request) {
 	// Verify user has access to this tenant
 	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
 	if err != nil {
-		jsonError(w, err.Error(), http.StatusInternalServerError)
+		slog.Error("failed to get user role", "error", err)
 		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 	if role == "" {
@@ -92,7 +101,8 @@ func (h *TenantHandler) GetTenant(w http.ResponseWriter, r *http.Request) {
 	tenant, err := h.svc.GetByID(r.Context(), tenantID)
 	if err != nil {
-		jsonError(w, err.Error(), http.StatusInternalServerError)
+		slog.Error("failed to get tenant", "error", err)
 		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 	if tenant == nil {
@@ -100,6 +110,9 @@ func (h *TenantHandler) GetTenant(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	// Mask CalDAV password before returning
 	tenant.Settings = maskSettingsPassword(tenant.Settings)
 	jsonResponse(w, tenant, http.StatusOK)
 }
@@ -120,7 +133,8 @@ func (h *TenantHandler) InviteUser(w http.ResponseWriter, r *http.Request) {
 	// Only owners and admins can invite
 	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
 	if err != nil {
-		jsonError(w, err.Error(), http.StatusInternalServerError)
+		slog.Error("failed to get user role", "error", err)
 		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 	if role != "owner" && role != "admin" {
@@ -150,7 +164,8 @@ func (h *TenantHandler) InviteUser(w http.ResponseWriter, r *http.Request) {
 	ut, err := h.svc.InviteByEmail(r.Context(), tenantID, req.Email, req.Role)
 	if err != nil {
-		jsonError(w, err.Error(), http.StatusBadRequest)
+		// These are user-facing validation errors (user not found, already member)
 		jsonError(w, "failed to invite user", http.StatusBadRequest)
 		return
 	}
@@ -180,7 +195,8 @@ func (h *TenantHandler) RemoveMember(w http.ResponseWriter, r *http.Request) {
 	// Only owners and admins can remove members (or user removing themselves)
 	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
 	if err != nil {
-		jsonError(w, err.Error(), http.StatusInternalServerError)
+		slog.Error("failed to get user role", "error", err)
 		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 	if role != "owner" && role != "admin" && userID != memberID {
@@ -189,7 +205,8 @@ func (h *TenantHandler) RemoveMember(w http.ResponseWriter, r *http.Request) {
 	}
 	if err := h.svc.RemoveMember(r.Context(), tenantID, memberID); err != nil {
-		jsonError(w, err.Error(), http.StatusBadRequest)
+		// These are user-facing validation errors (not a member, last owner, etc.)
 		jsonError(w, "failed to remove member", http.StatusBadRequest)
 		return
 	}
@@ -213,7 +230,8 @@ func (h *TenantHandler) UpdateSettings(w http.ResponseWriter, r *http.Request) {
 	// Only owners and admins can update settings
 	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
 	if err != nil {
-		jsonError(w, err.Error(), http.StatusInternalServerError)
+		slog.Error("failed to get user role", "error", err)
 		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 	if role != "owner" && role != "admin" {
@@ -229,10 +247,14 @@ func (h *TenantHandler) UpdateSettings(w http.ResponseWriter, r *http.Request) {
 	tenant, err := h.svc.UpdateSettings(r.Context(), tenantID, settings)
 	if err != nil {
-		jsonError(w, err.Error(), http.StatusInternalServerError)
+		slog.Error("failed to update settings", "error", err)
 		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 	// Mask CalDAV password before returning
 	tenant.Settings = maskSettingsPassword(tenant.Settings)
 	jsonResponse(w, tenant, http.StatusOK)
 }
@@ -253,7 +275,8 @@ func (h *TenantHandler) ListMembers(w http.ResponseWriter, r *http.Request) {
 	// Verify user has access
 	role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
 	if err != nil {
-		jsonError(w, err.Error(), http.StatusInternalServerError)
+		slog.Error("failed to get user role", "error", err)
 		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 	if role == "" {
@@ -263,7 +286,8 @@ func (h *TenantHandler) ListMembers(w http.ResponseWriter, r *http.Request) {
 	members, err := h.svc.ListMembers(r.Context(), tenantID)
 	if err != nil {
-		jsonError(w, err.Error(), http.StatusInternalServerError)
+		slog.Error("failed to list members", "error", err)
 		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
--- a/backend/internal/integration_test.go
+++ b/backend/internal/integration_test.go
@@ -46,7 +46,7 @@ func testServer(t *testing.T) (http.Handler, func()) {
 	}
 	authMW := auth.NewMiddleware(jwtSecret, database)
-	handler := router.New(database, authMW, cfg, nil, nil)
+	handler := router.New(database, authMW, cfg, nil)
 	return handler, func() { database.Close() }
 }
--- a/backend/internal/middleware/security.go
+++ b/backend/internal/middleware/security.go
@@ -0,0 +1,49 @@
 package middleware
 import (
 	"net/http"
 	"strings"
 )
 // SecurityHeaders adds standard security headers to all responses.
 func SecurityHeaders(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("X-Frame-Options", "DENY")
 		w.Header().Set("X-Content-Type-Options", "nosniff")
 		w.Header().Set("X-XSS-Protection", "1; mode=block")
 		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
 		w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
 		next.ServeHTTP(w, r)
 	})
 }
 // CORS returns middleware that restricts cross-origin requests to the given origin.
 // If allowedOrigin is empty, CORS headers are not set (same-origin only).
 func CORS(allowedOrigin string) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			origin := r.Header.Get("Origin")
 			if allowedOrigin != "" && origin != "" && matchOrigin(origin, allowedOrigin) {
 				w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
 				w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
 				w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Tenant-ID")
 				w.Header().Set("Access-Control-Max-Age", "86400")
 				w.Header().Set("Vary", "Origin")
 			}
 			// Handle preflight
 			if r.Method == http.MethodOptions {
 				w.WriteHeader(http.StatusNoContent)
 				return
 			}
 			next.ServeHTTP(w, r)
 		})
 	}
 }
 // matchOrigin checks if the request origin matches the allowed origin.
 func matchOrigin(origin, allowed string) bool {
 	return strings.EqualFold(strings.TrimRight(origin, "/"), strings.TrimRight(allowed, "/"))
 }
--- a/backend/internal/models/notification.go
+++ b/backend/internal/models/notification.go
@@ -1,32 +0,0 @@
 package models
 import (
 	"time"
 	"github.com/google/uuid"
 	"github.com/lib/pq"
 )
 type Notification struct {
 	ID         uuid.UUID  `db:"id" json:"id"`
 	TenantID   uuid.UUID  `db:"tenant_id" json:"tenant_id"`
 	UserID     uuid.UUID  `db:"user_id" json:"user_id"`
 	Type       string     `db:"type" json:"type"`
 	EntityType *string    `db:"entity_type" json:"entity_type,omitempty"`
 	EntityID   *uuid.UUID `db:"entity_id" json:"entity_id,omitempty"`
 	Title      string     `db:"title" json:"title"`
 	Body       *string    `db:"body" json:"body,omitempty"`
 	SentAt     *time.Time `db:"sent_at" json:"sent_at,omitempty"`
 	ReadAt     *time.Time `db:"read_at" json:"read_at,omitempty"`
 	CreatedAt  time.Time  `db:"created_at" json:"created_at"`
 }
 type NotificationPreferences struct {
 	UserID              uuid.UUID     `db:"user_id" json:"user_id"`
 	TenantID            uuid.UUID     `db:"tenant_id" json:"tenant_id"`
 	DeadlineReminderDays pq.Int64Array `db:"deadline_reminder_days" json:"deadline_reminder_days"`
 	EmailEnabled        bool          `db:"email_enabled" json:"email_enabled"`
 	DailyDigest         bool          `db:"daily_digest" json:"daily_digest"`
 	CreatedAt           time.Time     `db:"created_at" json:"created_at"`
 	UpdatedAt           time.Time     `db:"updated_at" json:"updated_at"`
 }
--- a/backend/internal/router/router.go
+++ b/backend/internal/router/router.go
@@ -15,7 +15,7 @@ import (
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
 )
-func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *services.CalDAVService, notifSvc *services.NotificationService) http.Handler {
+func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *services.CalDAVService) http.Handler {
 	mux := http.NewServeMux()
 	// Services
@@ -34,7 +34,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	var aiH *handlers.AIHandler
 	if cfg.AnthropicAPIKey != "" {
 		aiSvc := services.NewAIService(cfg.AnthropicAPIKey, db)
-		aiH = handlers.NewAIHandler(aiSvc, db)
+		aiH = handlers.NewAIHandler(aiSvc)
 	}
 	// Middleware
@@ -43,18 +43,12 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	noteSvc := services.NewNoteService(db)
 	dashboardSvc := services.NewDashboardService(db)
 	// Notification handler (optional — nil in tests)
 	var notifH *handlers.NotificationHandler
 	if notifSvc != nil {
 		notifH = handlers.NewNotificationHandler(notifSvc, db)
 	}
 	// Handlers
 	tenantH := handlers.NewTenantHandler(tenantSvc)
 	caseH := handlers.NewCaseHandler(caseSvc)
 	partyH := handlers.NewPartyHandler(partySvc)
 	apptH := handlers.NewAppointmentHandler(appointmentSvc)
-	deadlineH := handlers.NewDeadlineHandlers(deadlineSvc, db)
+	deadlineH := handlers.NewDeadlineHandlers(deadlineSvc)
 	ruleH := handlers.NewDeadlineRuleHandlers(deadlineRuleSvc)
 	calcH := handlers.NewCalculateHandlers(calculator, deadlineRuleSvc)
 	dashboardH := handlers.NewDashboardHandler(dashboardSvc)
@@ -143,16 +137,6 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 		scoped.HandleFunc("POST /api/ai/summarize-case", aiLimiter.LimitFunc(aiH.SummarizeCase))
 	}
 	// Notifications
 	if notifH != nil {
 		scoped.HandleFunc("GET /api/notifications", notifH.List)
 		scoped.HandleFunc("GET /api/notifications/unread-count", notifH.UnreadCount)
 		scoped.HandleFunc("PATCH /api/notifications/{id}/read", notifH.MarkRead)
 		scoped.HandleFunc("PATCH /api/notifications/read-all", notifH.MarkAllRead)
 		scoped.HandleFunc("GET /api/notification-preferences", notifH.GetPreferences)
 		scoped.HandleFunc("PUT /api/notification-preferences", notifH.UpdatePreferences)
 	}
 	// CalDAV sync endpoints
 	if calDAVSvc != nil {
 		calDAVH := handlers.NewCalDAVHandler(calDAVSvc)
@@ -165,14 +149,20 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	mux.Handle("/api/", authMW.RequireAuth(api))
-	return requestLogger(mux)
+	// Apply security middleware stack: CORS -> Security Headers -> Request Logger -> Routes
 	var handler http.Handler = mux
 	handler = requestLogger(handler)
 	handler = middleware.SecurityHeaders(handler)
 	handler = middleware.CORS(cfg.FrontendOrigin)(handler)
 	return handler
 }
 func handleHealth(db *sqlx.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if err := db.Ping(); err != nil {
 			w.WriteHeader(http.StatusServiceUnavailable)
-			json.NewEncoder(w).Encode(map[string]string{"status": "error", "error": err.Error()})
+			json.NewEncoder(w).Encode(map[string]string{"status": "error"})
 			return
 		}
 		w.Header().Set("Content-Type", "application/json")
@@ -210,4 +200,3 @@ func requestLogger(next http.Handler) http.Handler {
 		)
 	})
 }
--- a/backend/internal/services/notification_service.go
+++ b/backend/internal/services/notification_service.go
@@ -1,501 +0,0 @@
 package services
 import (
 	"context"
 	"fmt"
 	"log/slog"
 	"os/exec"
 	"strings"
 	"sync"
 	"time"
 	"github.com/google/uuid"
 	"github.com/jmoiron/sqlx"
 	"github.com/lib/pq"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
 )
 // NotificationService handles notification CRUD, deadline reminders, and email sending.
 type NotificationService struct {
 	db     *sqlx.DB
 	stopCh chan struct{}
 	wg     sync.WaitGroup
 }
 // NewNotificationService creates a new notification service.
 func NewNotificationService(db *sqlx.DB) *NotificationService {
 	return &NotificationService{
 		db:     db,
 		stopCh: make(chan struct{}),
 	}
 }
 // Start launches the background reminder checker (every hour) and daily digest (8am).
 func (s *NotificationService) Start() {
 	s.wg.Add(1)
 	go s.backgroundLoop()
 }
 // Stop gracefully shuts down background workers.
 func (s *NotificationService) Stop() {
 	close(s.stopCh)
 	s.wg.Wait()
 }
 func (s *NotificationService) backgroundLoop() {
 	defer s.wg.Done()
 	// Check reminders on startup
 	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
 	s.CheckDeadlineReminders(ctx)
 	cancel()
 	reminderTicker := time.NewTicker(1 * time.Hour)
 	defer reminderTicker.Stop()
 	// Digest ticker: check every 15 minutes, send at 8am
 	digestTicker := time.NewTicker(15 * time.Minute)
 	defer digestTicker.Stop()
 	var lastDigestDate string
 	for {
 		select {
 		case <-s.stopCh:
 			return
 		case <-reminderTicker.C:
 			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
 			s.CheckDeadlineReminders(ctx)
 			cancel()
 		case now := <-digestTicker.C:
 			today := now.Format("2006-01-02")
 			hour := now.Hour()
 			if hour >= 8 && lastDigestDate != today {
 				lastDigestDate = today
 				ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 				s.SendDailyDigests(ctx)
 				cancel()
 			}
 		}
 	}
 }
 // CheckDeadlineReminders finds deadlines due in N days matching user preferences and creates notifications.
 func (s *NotificationService) CheckDeadlineReminders(ctx context.Context) {
 	slog.Info("checking deadline reminders")
 	// Get all user preferences with email enabled
 	var prefs []models.NotificationPreferences
 	err := s.db.SelectContext(ctx, &prefs,
 		`SELECT user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at
 		 FROM notification_preferences`)
 	if err != nil {
 		slog.Error("failed to load notification preferences", "error", err)
 		return
 	}
 	if len(prefs) == 0 {
 		return
 	}
 	// Collect all unique reminder day values across all users
 	daySet := make(map[int64]bool)
 	for _, p := range prefs {
 		for _, d := range p.DeadlineReminderDays {
 			daySet[d] = true
 		}
 	}
 	if len(daySet) == 0 {
 		return
 	}
 	// Build array of target dates
 	today := time.Now().Truncate(24 * time.Hour)
 	var targetDates []string
 	dayToDate := make(map[string]int64)
 	for d := range daySet {
 		target := today.AddDate(0, 0, int(d))
 		dateStr := target.Format("2006-01-02")
 		targetDates = append(targetDates, dateStr)
 		dayToDate[dateStr] = d
 	}
 	// Also check overdue deadlines
 	todayStr := today.Format("2006-01-02")
 	// Find pending deadlines matching target dates
 	type deadlineRow struct {
 		models.Deadline
 		CaseTitle  string `db:"case_title"`
 		CaseNumber string `db:"case_number"`
 	}
 	// Reminder deadlines (due in N days)
 	var reminderDeadlines []deadlineRow
 	query, args, err := sqlx.In(
 		`SELECT d.*, c.title AS case_title, c.case_number
 		 FROM deadlines d
 		 JOIN cases c ON c.id = d.case_id
 		 WHERE d.status = 'pending' AND d.due_date IN (?)`,
 		targetDates)
 	if err == nil {
 		query = s.db.Rebind(query)
 		err = s.db.SelectContext(ctx, &reminderDeadlines, query, args...)
 	}
 	if err != nil {
 		slog.Error("failed to query reminder deadlines", "error", err)
 	}
 	// Overdue deadlines
 	var overdueDeadlines []deadlineRow
 	err = s.db.SelectContext(ctx, &overdueDeadlines,
 		`SELECT d.*, c.title AS case_title, c.case_number
 		 FROM deadlines d
 		 JOIN cases c ON c.id = d.case_id
 		 WHERE d.status = 'pending' AND d.due_date < $1`, todayStr)
 	if err != nil {
 		slog.Error("failed to query overdue deadlines", "error", err)
 	}
 	// Create notifications for each user based on their tenant and preferences
 	for _, pref := range prefs {
 		// Reminder notifications
 		for _, dl := range reminderDeadlines {
 			if dl.TenantID != pref.TenantID {
 				continue
 			}
 			daysUntil := dayToDate[dl.DueDate]
 			// Check if this user cares about this many days
 			if !containsDay(pref.DeadlineReminderDays, daysUntil) {
 				continue
 			}
 			title := fmt.Sprintf("Frist in %d Tagen: %s", daysUntil, dl.Title)
 			body := fmt.Sprintf("Akte %s — %s\nFällig am %s", dl.CaseNumber, dl.CaseTitle, dl.DueDate)
 			entityType := "deadline"
 			s.CreateNotification(ctx, CreateNotificationInput{
 				TenantID:   pref.TenantID,
 				UserID:     pref.UserID,
 				Type:       "deadline_reminder",
 				EntityType: &entityType,
 				EntityID:   &dl.ID,
 				Title:      title,
 				Body:       &body,
 				SendEmail:  pref.EmailEnabled && !pref.DailyDigest,
 			})
 		}
 		// Overdue notifications
 		for _, dl := range overdueDeadlines {
 			if dl.TenantID != pref.TenantID {
 				continue
 			}
 			title := fmt.Sprintf("Frist überfällig: %s", dl.Title)
 			body := fmt.Sprintf("Akte %s — %s\nFällig seit %s", dl.CaseNumber, dl.CaseTitle, dl.DueDate)
 			entityType := "deadline"
 			s.CreateNotification(ctx, CreateNotificationInput{
 				TenantID:   pref.TenantID,
 				UserID:     pref.UserID,
 				Type:       "deadline_overdue",
 				EntityType: &entityType,
 				EntityID:   &dl.ID,
 				Title:      title,
 				Body:       &body,
 				SendEmail:  pref.EmailEnabled && !pref.DailyDigest,
 			})
 		}
 	}
 }
 // SendDailyDigests compiles pending notifications into one email per user.
 func (s *NotificationService) SendDailyDigests(ctx context.Context) {
 	slog.Info("sending daily digests")
 	// Find users with daily_digest enabled
 	var prefs []models.NotificationPreferences
 	err := s.db.SelectContext(ctx, &prefs,
 		`SELECT user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at
 		 FROM notification_preferences
 		 WHERE daily_digest = true AND email_enabled = true`)
 	if err != nil {
 		slog.Error("failed to load digest preferences", "error", err)
 		return
 	}
 	for _, pref := range prefs {
 		// Get unsent notifications for this user from the last 24 hours
 		var notifications []models.Notification
 		err := s.db.SelectContext(ctx, &notifications,
 			`SELECT id, tenant_id, user_id, type, entity_type, entity_id, title, body, sent_at, read_at, created_at
 			 FROM notifications
 			 WHERE user_id = $1 AND tenant_id = $2 AND sent_at IS NULL
 			   AND created_at > now() - interval '24 hours'
 			 ORDER BY created_at DESC`,
 			pref.UserID, pref.TenantID)
 		if err != nil {
 			slog.Error("failed to load unsent notifications", "error", err, "user_id", pref.UserID)
 			continue
 		}
 		if len(notifications) == 0 {
 			continue
 		}
 		// Get user email
 		email := s.getUserEmail(ctx, pref.UserID)
 		if email == "" {
 			continue
 		}
 		// Build digest
 		var lines []string
 		lines = append(lines, fmt.Sprintf("Guten Morgen! Hier ist Ihre Tagesübersicht mit %d Benachrichtigungen:\n", len(notifications)))
 		for _, n := range notifications {
 			body := ""
 			if n.Body != nil {
 				body = " — " + *n.Body
 			}
 			lines = append(lines, fmt.Sprintf("• %s%s", n.Title, body))
 		}
 		lines = append(lines, "\n---\nKanzlAI Kanzleimanagement")
 		subject := fmt.Sprintf("KanzlAI Tagesübersicht — %d Benachrichtigungen", len(notifications))
 		bodyText := strings.Join(lines, "\n")
 		if err := SendEmail(email, subject, bodyText); err != nil {
 			slog.Error("failed to send digest email", "error", err, "user_id", pref.UserID)
 			continue
 		}
 		// Mark all as sent
 		ids := make([]uuid.UUID, len(notifications))
 		for i, n := range notifications {
 			ids[i] = n.ID
 		}
 		query, args, err := sqlx.In(
 			`UPDATE notifications SET sent_at = now() WHERE id IN (?)`, ids)
 		if err == nil {
 			query = s.db.Rebind(query)
 			_, err = s.db.ExecContext(ctx, query, args...)
 		}
 		if err != nil {
 			slog.Error("failed to mark digest notifications sent", "error", err)
 		}
 		slog.Info("sent daily digest", "user_id", pref.UserID, "count", len(notifications))
 	}
 }
 // CreateNotificationInput holds the data for creating a notification.
 type CreateNotificationInput struct {
 	TenantID   uuid.UUID
 	UserID     uuid.UUID
 	Type       string
 	EntityType *string
 	EntityID   *uuid.UUID
 	Title      string
 	Body       *string
 	SendEmail  bool
 }
 // CreateNotification stores a notification in the DB and optionally sends an email.
 func (s *NotificationService) CreateNotification(ctx context.Context, input CreateNotificationInput) (*models.Notification, error) {
 	// Dedup: check if we already sent this notification today
 	if input.EntityID != nil {
 		var count int
 		err := s.db.GetContext(ctx, &count,
 			`SELECT COUNT(*) FROM notifications
 			 WHERE user_id = $1 AND entity_id = $2 AND type = $3
 			   AND created_at::date = CURRENT_DATE`,
 			input.UserID, input.EntityID, input.Type)
 		if err == nil && count > 0 {
 			return nil, nil // Already notified today
 		}
 	}
 	var n models.Notification
 	err := s.db.QueryRowxContext(ctx,
 		`INSERT INTO notifications (tenant_id, user_id, type, entity_type, entity_id, title, body)
 		 VALUES ($1, $2, $3, $4, $5, $6, $7)
 		 RETURNING id, tenant_id, user_id, type, entity_type, entity_id, title, body, sent_at, read_at, created_at`,
 		input.TenantID, input.UserID, input.Type, input.EntityType, input.EntityID,
 		input.Title, input.Body).StructScan(&n)
 	if err != nil {
 		slog.Error("failed to create notification", "error", err)
 		return nil, fmt.Errorf("create notification: %w", err)
 	}
 	// Send email immediately if requested (non-digest users)
 	if input.SendEmail {
 		email := s.getUserEmail(ctx, input.UserID)
 		if email != "" {
 			go func() {
 				if err := SendEmail(email, input.Title, derefStr(input.Body)); err != nil {
 					slog.Error("failed to send notification email", "error", err, "user_id", input.UserID)
 				} else {
 					// Mark as sent
 					_, _ = s.db.Exec(`UPDATE notifications SET sent_at = now() WHERE id = $1`, n.ID)
 				}
 			}()
 		}
 	}
 	return &n, nil
 }
 // ListForUser returns notifications for a user in a tenant, paginated.
 func (s *NotificationService) ListForUser(ctx context.Context, tenantID, userID uuid.UUID, limit, offset int) ([]models.Notification, int, error) {
 	if limit <= 0 {
 		limit = 50
 	}
 	if limit > 200 {
 		limit = 200
 	}
 	var total int
 	err := s.db.GetContext(ctx, &total,
 		`SELECT COUNT(*) FROM notifications WHERE user_id = $1 AND tenant_id = $2`,
 		userID, tenantID)
 	if err != nil {
 		return nil, 0, fmt.Errorf("count notifications: %w", err)
 	}
 	var notifications []models.Notification
 	err = s.db.SelectContext(ctx, &notifications,
 		`SELECT id, tenant_id, user_id, type, entity_type, entity_id, title, body, sent_at, read_at, created_at
 		 FROM notifications
 		 WHERE user_id = $1 AND tenant_id = $2
 		 ORDER BY created_at DESC
 		 LIMIT $3 OFFSET $4`,
 		userID, tenantID, limit, offset)
 	if err != nil {
 		return nil, 0, fmt.Errorf("list notifications: %w", err)
 	}
 	return notifications, total, nil
 }
 // UnreadCount returns the number of unread notifications for a user.
 func (s *NotificationService) UnreadCount(ctx context.Context, tenantID, userID uuid.UUID) (int, error) {
 	var count int
 	err := s.db.GetContext(ctx, &count,
 		`SELECT COUNT(*) FROM notifications WHERE user_id = $1 AND tenant_id = $2 AND read_at IS NULL`,
 		userID, tenantID)
 	return count, err
 }
 // MarkRead marks a single notification as read.
 func (s *NotificationService) MarkRead(ctx context.Context, tenantID, userID, notificationID uuid.UUID) error {
 	result, err := s.db.ExecContext(ctx,
 		`UPDATE notifications SET read_at = now()
 		 WHERE id = $1 AND user_id = $2 AND tenant_id = $3 AND read_at IS NULL`,
 		notificationID, userID, tenantID)
 	if err != nil {
 		return fmt.Errorf("mark notification read: %w", err)
 	}
 	rows, _ := result.RowsAffected()
 	if rows == 0 {
 		return fmt.Errorf("notification not found or already read")
 	}
 	return nil
 }
 // MarkAllRead marks all notifications as read for a user.
 func (s *NotificationService) MarkAllRead(ctx context.Context, tenantID, userID uuid.UUID) error {
 	_, err := s.db.ExecContext(ctx,
 		`UPDATE notifications SET read_at = now()
 		 WHERE user_id = $1 AND tenant_id = $2 AND read_at IS NULL`,
 		userID, tenantID)
 	return err
 }
 // GetPreferences returns notification preferences for a user, creating defaults if needed.
 func (s *NotificationService) GetPreferences(ctx context.Context, tenantID, userID uuid.UUID) (*models.NotificationPreferences, error) {
 	var pref models.NotificationPreferences
 	err := s.db.GetContext(ctx, &pref,
 		`SELECT user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at
 		 FROM notification_preferences
 		 WHERE user_id = $1 AND tenant_id = $2`,
 		userID, tenantID)
 	if err != nil {
 		// Return defaults if no preferences set
 		return &models.NotificationPreferences{
 			UserID:               userID,
 			TenantID:             tenantID,
 			DeadlineReminderDays: pq.Int64Array{7, 3, 1},
 			EmailEnabled:         true,
 			DailyDigest:          false,
 		}, nil
 	}
 	return &pref, nil
 }
 // UpdatePreferences upserts notification preferences for a user.
 func (s *NotificationService) UpdatePreferences(ctx context.Context, tenantID, userID uuid.UUID, input UpdatePreferencesInput) (*models.NotificationPreferences, error) {
 	var pref models.NotificationPreferences
 	err := s.db.QueryRowxContext(ctx,
 		`INSERT INTO notification_preferences (user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest)
 		 VALUES ($1, $2, $3, $4, $5)
 		 ON CONFLICT (user_id, tenant_id)
 		 DO UPDATE SET deadline_reminder_days = $3, email_enabled = $4, daily_digest = $5, updated_at = now()
 		 RETURNING user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at`,
 		userID, tenantID, pq.Int64Array(input.DeadlineReminderDays), input.EmailEnabled, input.DailyDigest).StructScan(&pref)
 	if err != nil {
 		return nil, fmt.Errorf("update preferences: %w", err)
 	}
 	return &pref, nil
 }
 // UpdatePreferencesInput holds the data for updating notification preferences.
 type UpdatePreferencesInput struct {
 	DeadlineReminderDays []int64 `json:"deadline_reminder_days"`
 	EmailEnabled         bool    `json:"email_enabled"`
 	DailyDigest          bool    `json:"daily_digest"`
 }
 // SendEmail sends an email using the `m mail send` CLI command.
 func SendEmail(to, subject, body string) error {
 	cmd := exec.Command("m", "mail", "send",
 		"--to", to,
 		"--subject", subject,
 		"--body", body,
 		"--yes")
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("m mail send failed: %w (output: %s)", err, string(output))
 	}
 	slog.Info("email sent", "to", to, "subject", subject)
 	return nil
 }
 // getUserEmail looks up the email for a user from Supabase auth.users.
 func (s *NotificationService) getUserEmail(ctx context.Context, userID uuid.UUID) string {
 	var email string
 	err := s.db.GetContext(ctx, &email,
 		`SELECT email FROM auth.users WHERE id = $1`, userID)
 	if err != nil {
 		slog.Error("failed to get user email", "error", err, "user_id", userID)
 		return ""
 	}
 	return email
 }
 func containsDay(arr pq.Int64Array, day int64) bool {
 	for _, d := range arr {
 		if d == day {
 			return true
 		}
 	}
 	return false
 }
 func derefStr(s *string) string {
 	if s == nil {
 		return ""
 	}
 	return *s
 }
--- a/backend/internal/services/tenant_service.go
+++ b/backend/internal/services/tenant_service.go
@@ -101,6 +101,19 @@ func (s *TenantService) GetUserRole(ctx context.Context, userID, tenantID uuid.U
 	return role, nil
 }
 // VerifyAccess checks if a user has access to a given tenant.
 func (s *TenantService) VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error) {
 	var exists bool
 	err := s.db.GetContext(ctx, &exists,
 		`SELECT EXISTS(SELECT 1 FROM user_tenants WHERE user_id = $1 AND tenant_id = $2)`,
 		userID, tenantID,
 	)
 	if err != nil {
 		return false, fmt.Errorf("verify tenant access: %w", err)
 	}
 	return exists, nil
 }
 // FirstTenantForUser returns the user's first tenant (by name), used as default.
 func (s *TenantService) FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error) {
 	var tenantID uuid.UUID
--- a/frontend/src/app/(app)/einstellungen/page.tsx
+++ b/frontend/src/app/(app)/einstellungen/page.tsx
@@ -1,12 +1,11 @@
 "use client";
 import { useQuery } from "@tanstack/react-query";
-import { Settings, Calendar, Users, Bell } from "lucide-react";
+import { Settings, Calendar, Users } from "lucide-react";
 import Link from "next/link";
 import { api } from "@/lib/api";
 import type { Tenant } from "@/lib/types";
 import { CalDAVSettings } from "@/components/settings/CalDAVSettings";
 import { NotificationSettings } from "@/components/settings/NotificationSettings";
 import { SkeletonCard } from "@/components/ui/Skeleton";
 import { EmptyState } from "@/components/ui/EmptyState";
@@ -98,19 +97,6 @@ export default function EinstellungenPage() {
            </div>
          </section>
          {/* Notification Settings */}
          <section className="rounded-xl border border-neutral-200 bg-white p-5">
            <div className="flex items-center gap-2.5 border-b border-neutral-100 pb-3">
              <Bell className="h-4 w-4 text-neutral-500" />
              <h2 className="text-sm font-semibold text-neutral-900">
                Benachrichtigungen
              </h2>
            </div>
            <div className="mt-4">
              <NotificationSettings />
            </div>
          </section>
          {/* CalDAV Settings */}
          <section className="rounded-xl border border-neutral-200 bg-white p-5">
            <div className="flex items-center gap-2.5 border-b border-neutral-100 pb-3">
--- a/frontend/src/components/layout/Header.tsx
+++ b/frontend/src/components/layout/Header.tsx
@@ -2,7 +2,6 @@
 import { createClient } from "@/lib/supabase/client";
 import { TenantSwitcher } from "./TenantSwitcher";
 import { NotificationBell } from "@/components/notifications/NotificationBell";
 import { LogOut } from "lucide-react";
 import { useRouter } from "next/navigation";
 import { useEffect, useState } from "react";
@@ -30,7 +29,6 @@ export function Header() {
      <div className="w-8 lg:w-0" />
      <div className="flex items-center gap-2 sm:gap-3">
        <TenantSwitcher />
        <NotificationBell />
        {email && (
          <span className="hidden text-sm text-neutral-500 sm:inline">
            {email}
--- a/frontend/src/components/notifications/NotificationBell.tsx
+++ b/frontend/src/components/notifications/NotificationBell.tsx
@@ -1,205 +0,0 @@
 "use client";
 import { useEffect, useRef, useState } from "react";
 import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
 import { Bell, Check, CheckCheck, ExternalLink } from "lucide-react";
 import { api } from "@/lib/api";
 import type { Notification, NotificationListResponse } from "@/lib/types";
 function getEntityLink(n: Notification): string | null {
  if (!n.entity_type || !n.entity_id) return null;
  switch (n.entity_type) {
    case "deadline":
      return `/fristen/${n.entity_id}`;
    case "appointment":
      return `/termine/${n.entity_id}`;
    case "case":
      return `/akten/${n.entity_id}`;
    default:
      return null;
  }
 }
 function getTypeColor(type: Notification["type"]): string {
  switch (type) {
    case "deadline_overdue":
      return "bg-red-500";
    case "deadline_reminder":
      return "bg-amber-500";
    case "case_update":
      return "bg-blue-500";
    case "assignment":
      return "bg-violet-500";
    default:
      return "bg-neutral-500";
  }
 }
 function timeAgo(dateStr: string): string {
  const now = new Date();
  const date = new Date(dateStr);
  const diffMs = now.getTime() - date.getTime();
  const diffMin = Math.floor(diffMs / 60000);
  if (diffMin < 1) return "gerade eben";
  if (diffMin < 60) return `vor ${diffMin} Min.`;
  const diffHours = Math.floor(diffMin / 60);
  if (diffHours < 24) return `vor ${diffHours} Std.`;
  const diffDays = Math.floor(diffHours / 24);
  if (diffDays === 1) return "gestern";
  return `vor ${diffDays} Tagen`;
 }
 export function NotificationBell() {
  const [open, setOpen] = useState(false);
  const panelRef = useRef<HTMLDivElement>(null);
  const queryClient = useQueryClient();
  const { data: unreadData } = useQuery({
    queryKey: ["notifications-unread-count"],
    queryFn: () =>
      api.get<{ unread_count: number }>("/api/notifications/unread-count"),
    refetchInterval: 30_000,
  });
  const { data: notifData } = useQuery({
    queryKey: ["notifications"],
    queryFn: () =>
      api.get<NotificationListResponse>("/api/notifications?limit=20"),
    enabled: open,
  });
  const markRead = useMutation({
    mutationFn: (id: string) =>
      api.patch(`/api/notifications/${id}/read`),
    onSuccess: () => {
      queryClient.invalidateQueries({ queryKey: ["notifications"] });
      queryClient.invalidateQueries({
        queryKey: ["notifications-unread-count"],
      });
    },
  });
  const markAllRead = useMutation({
    mutationFn: () => api.patch("/api/notifications/read-all"),
    onSuccess: () => {
      queryClient.invalidateQueries({ queryKey: ["notifications"] });
      queryClient.invalidateQueries({
        queryKey: ["notifications-unread-count"],
      });
    },
  });
  // Close on click outside
  useEffect(() => {
    function handleClickOutside(e: MouseEvent) {
      if (panelRef.current && !panelRef.current.contains(e.target as Node)) {
        setOpen(false);
      }
    }
    if (open) {
      document.addEventListener("mousedown", handleClickOutside);
    }
    return () => document.removeEventListener("mousedown", handleClickOutside);
  }, [open]);
  const unreadCount = unreadData?.unread_count ?? 0;
  const notifications = notifData?.data ?? [];
  return (
    <div className="relative" ref={panelRef}>
      <button
        onClick={() => setOpen(!open)}
        className="relative rounded-md p-1.5 text-neutral-400 transition-colors hover:bg-neutral-100 hover:text-neutral-600"
        title="Benachrichtigungen"
      >
        <Bell className="h-4 w-4" />
        {unreadCount > 0 && (
          <span className="absolute -right-0.5 -top-0.5 flex h-4 min-w-4 items-center justify-center rounded-full bg-red-500 px-1 text-[10px] font-bold text-white">
            {unreadCount > 99 ? "99+" : unreadCount}
          </span>
        )}
      </button>
      {open && (
        <div className="absolute right-0 top-full z-50 mt-2 w-80 rounded-xl border border-neutral-200 bg-white shadow-lg sm:w-96">
          {/* Header */}
          <div className="flex items-center justify-between border-b border-neutral-100 px-4 py-3">
            <h3 className="text-sm font-semibold text-neutral-900">
              Benachrichtigungen
            </h3>
            {unreadCount > 0 && (
              <button
                onClick={() => markAllRead.mutate()}
                className="flex items-center gap-1 text-xs text-neutral-500 hover:text-neutral-700"
              >
                <CheckCheck className="h-3 w-3" />
                Alle gelesen
              </button>
            )}
          </div>
          {/* Notification list */}
          <div className="max-h-96 overflow-y-auto">
            {notifications.length === 0 ? (
              <div className="p-6 text-center text-sm text-neutral-400">
                Keine Benachrichtigungen
              </div>
            ) : (
              notifications.map((n) => {
                const link = getEntityLink(n);
                return (
                  <div
                    key={n.id}
                    className={`flex items-start gap-3 border-b border-neutral-50 px-4 py-3 transition-colors last:border-0 ${
                      n.read_at
                        ? "bg-white"
                        : "bg-blue-50/50"
                    }`}
                  >
                    <div
                      className={`mt-1.5 h-2 w-2 flex-shrink-0 rounded-full ${getTypeColor(n.type)}`}
                    />
                    <div className="min-w-0 flex-1">
                      <p className="text-sm font-medium text-neutral-900 leading-snug">
                        {n.title}
                      </p>
                      {n.body && (
                        <p className="mt-0.5 text-xs text-neutral-500 line-clamp-2">
                          {n.body}
                        </p>
                      )}
                      <div className="mt-1.5 flex items-center gap-2">
                        <span className="text-[11px] text-neutral-400">
                          {timeAgo(n.created_at)}
                        </span>
                        {link && (
                          <a
                            href={link}
                            onClick={() => setOpen(false)}
                            className="flex items-center gap-0.5 text-[11px] text-blue-600 hover:text-blue-700"
                          >
                            <ExternalLink className="h-2.5 w-2.5" />
                            Anzeigen
                          </a>
                        )}
                      </div>
                    </div>
                    {!n.read_at && (
                      <button
                        onClick={() => markRead.mutate(n.id)}
                        className="flex-shrink-0 rounded p-1 text-neutral-400 hover:bg-neutral-100 hover:text-neutral-600"
                        title="Als gelesen markieren"
                      >
                        <Check className="h-3 w-3" />
                      </button>
                    )}
                  </div>
                );
              })
            )}
          </div>
        </div>
      )}
    </div>
  );
 }
--- a/frontend/src/components/settings/NotificationSettings.tsx
+++ b/frontend/src/components/settings/NotificationSettings.tsx
@@ -1,167 +0,0 @@
 "use client";
 import { useState } from "react";
 import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
 import { api } from "@/lib/api";
 import type { NotificationPreferences } from "@/lib/types";
 const REMINDER_OPTIONS = [
  { value: 14, label: "14 Tage" },
  { value: 7, label: "7 Tage" },
  { value: 3, label: "3 Tage" },
  { value: 1, label: "1 Tag" },
 ];
 export function NotificationSettings() {
  const queryClient = useQueryClient();
  const [saved, setSaved] = useState(false);
  const { data: prefs, isLoading } = useQuery({
    queryKey: ["notification-preferences"],
    queryFn: () =>
      api.get<NotificationPreferences>("/api/notification-preferences"),
  });
  const [reminderDays, setReminderDays] = useState<number[]>([]);
  const [emailEnabled, setEmailEnabled] = useState(true);
  const [dailyDigest, setDailyDigest] = useState(false);
  const [initialized, setInitialized] = useState(false);
  // Sync state from server once loaded
  if (prefs && !initialized) {
    setReminderDays(prefs.deadline_reminder_days);
    setEmailEnabled(prefs.email_enabled);
    setDailyDigest(prefs.daily_digest);
    setInitialized(true);
  }
  const update = useMutation({
    mutationFn: (input: {
      deadline_reminder_days: number[];
      email_enabled: boolean;
      daily_digest: boolean;
    }) => api.put<NotificationPreferences>("/api/notification-preferences", input),
    onSuccess: () => {
      queryClient.invalidateQueries({
        queryKey: ["notification-preferences"],
      });
      setSaved(true);
      setTimeout(() => setSaved(false), 2000);
    },
  });
  function toggleDay(day: number) {
    setReminderDays((prev) =>
      prev.includes(day) ? prev.filter((d) => d !== day) : [...prev, day].sort((a, b) => b - a),
    );
  }
  function handleSave() {
    update.mutate({
      deadline_reminder_days: reminderDays,
      email_enabled: emailEnabled,
      daily_digest: dailyDigest,
    });
  }
  if (isLoading) {
    return (
      <div className="animate-pulse space-y-3">
        <div className="h-4 w-48 rounded bg-neutral-200" />
        <div className="h-8 w-full rounded bg-neutral-100" />
        <div className="h-8 w-full rounded bg-neutral-100" />
      </div>
    );
  }
  return (
    <div className="space-y-5">
      {/* Reminder days */}
      <div>
        <p className="text-sm font-medium text-neutral-700">
          Fristen-Erinnerungen
        </p>
        <p className="mt-0.5 text-xs text-neutral-500">
          Erinnern Sie mich vor Fristablauf:
        </p>
        <div className="mt-2 flex flex-wrap gap-2">
          {REMINDER_OPTIONS.map((opt) => (
            <button
              key={opt.value}
              onClick={() => toggleDay(opt.value)}
              className={`rounded-lg border px-3 py-1.5 text-sm transition-colors ${
                reminderDays.includes(opt.value)
                  ? "border-blue-500 bg-blue-50 text-blue-700"
                  : "border-neutral-200 bg-white text-neutral-600 hover:border-neutral-300"
              }`}
            >
              {opt.label}
            </button>
          ))}
        </div>
      </div>
      {/* Email toggle */}
      <label className="flex items-center justify-between">
        <div>
          <p className="text-sm font-medium text-neutral-700">
            E-Mail-Benachrichtigungen
          </p>
          <p className="text-xs text-neutral-500">
            Erinnerungen per E-Mail erhalten
          </p>
        </div>
        <button
          onClick={() => setEmailEnabled(!emailEnabled)}
          className={`relative h-6 w-11 rounded-full transition-colors ${
            emailEnabled ? "bg-blue-500" : "bg-neutral-300"
          }`}
        >
          <span
            className={`absolute left-0.5 top-0.5 h-5 w-5 rounded-full bg-white shadow transition-transform ${
              emailEnabled ? "translate-x-5" : "translate-x-0"
            }`}
          />
        </button>
      </label>
      {/* Daily digest toggle */}
      <label className="flex items-center justify-between">
        <div>
          <p className="text-sm font-medium text-neutral-700">
            Tagesübersicht
          </p>
          <p className="text-xs text-neutral-500">
            Alle Benachrichtigungen gesammelt um 8:00 Uhr per E-Mail
          </p>
        </div>
        <button
          onClick={() => setDailyDigest(!dailyDigest)}
          className={`relative h-6 w-11 rounded-full transition-colors ${
            dailyDigest ? "bg-blue-500" : "bg-neutral-300"
          }`}
        >
          <span
            className={`absolute left-0.5 top-0.5 h-5 w-5 rounded-full bg-white shadow transition-transform ${
              dailyDigest ? "translate-x-5" : "translate-x-0"
            }`}
          />
        </button>
      </label>
      {/* Save */}
      <div className="flex items-center gap-3 pt-2">
        <button
          onClick={handleSave}
          disabled={update.isPending}
          className="rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white hover:bg-neutral-800 disabled:opacity-50"
        >
          {update.isPending ? "Speichern..." : "Speichern"}
        </button>
        {saved && (
          <span className="text-sm text-green-600">Gespeichert</span>
        )}
      </div>
    </div>
  );
 }
--- a/frontend/src/lib/types.ts
+++ b/frontend/src/lib/types.ts
@@ -189,37 +189,6 @@ export interface Note {
  updated_at: string;
 }
 // Notifications
 export interface Notification {
  id: string;
  tenant_id: string;
  user_id: string;
  type: "deadline_reminder" | "deadline_overdue" | "case_update" | "assignment";
  entity_type?: "deadline" | "appointment" | "case";
  entity_id?: string;
  title: string;
  body?: string;
  sent_at?: string;
  read_at?: string;
  created_at: string;
 }
 export interface NotificationPreferences {
  user_id: string;
  tenant_id: string;
  deadline_reminder_days: number[];
  email_enabled: boolean;
  daily_digest: boolean;
  created_at?: string;
  updated_at?: string;
 }
 export interface NotificationListResponse {
  data: Notification[];
  total: number;
 }
 export interface ApiError {
  error: string;
  status: number;