feat(submissions): Composer Slice C — building blocks library (m/paliad#141)

Per the design at docs/design-submission-generator-v2-2026-05-26.md §8
and the Q2 / Q9 ratifications:

- Q2 (m, 2026-05-26): building blocks are plain text paste sources.
  No building_block_id reference is stored on submission_sections.
- Q9 (m, 2026-05-26): four visibility tiers — private / team / firm
  / global.

Schema (mig 149):

- paliad.submission_building_blocks — library catalog. Columns: slug,
  firm (NULL = cross-firm), section_key (binds to one section kind),
  proceeding_family (NULL = any), title_de/_en + description_de/_en
  + content_md_de/_en, author_id, visibility (CHECK in 4-tier set),
  is_published, created_at, updated_at, deleted_at (soft delete).
  RLS: coarse-grained SELECT — every authenticated user sees
  non-deleted non-private rows + own private rows. Tier-specific
  predicate (private/team/firm/global) applied in Go-layer service so
  semantics evolve without RLS migrations. Mutations admin-only (no
  RLS write paths).

- paliad.submission_building_block_admin_versions — append-only
  history per block, retention=20. Admin-side only; NOT referenced
  from submission_sections (per Q2's plain-text-paste model). Exists
  so accidental delete / overwrite are recoverable.

Backend:

- internal/services/submission_building_block_service.go (~510 LoC):
  BuildingBlockService. ListVisible applies tier predicate at query
  time (private = author_id match; firm = firm column NULL OR matches
  branding.Name; team = author shares a project_team with caller via
  paliad.project_teams self-join; global = open). ListAllForAdmin
  drops the predicate. Create + Update + SoftDelete + RestoreVersion
  all transactional; appendVersionTx writes one audit row +
  GC-deletes anything past the retention=20 horizon in the same tx.
  InsertIntoSection (the paste mechanic) clones content_md_<lang>
  into the section row with a "\n\n" separator if section already has
  content. NO building_block_id stamped per Q2.

- internal/handlers/submission_building_blocks.go (~480 LoC): nine
  handlers split between the lawyer-facing picker (list, insert) and
  the admin editor (list, get, create, update, delete, list-versions,
  restore-version, page). buildingBlockUpdateInput uses presence-
  tracking UnmarshalJSON for the four nullable fields (firm,
  proceeding_family, description_de/_en) so PATCH can distinguish
  "no change" from "set to null".

- Routes registered: lawyer-facing under /api/submission-building-blocks,
  admin-gated under /api/admin/submission-building-blocks/* and
  /admin/submission-building-blocks (page).

- Wiring: handlers.Services + dbServices + cmd/server/main.go all
  gain SubmissionBuildingBlock. NewBuildingBlockService takes the
  branding.Name firm hint for the visibility predicate.

Frontend:

- frontend/src/admin-submission-building-blocks.tsx (~85 LoC):
  three-pane admin shell (list / editor / version log) registered
  in build.ts.

- frontend/src/client/admin-submission-building-blocks.ts (~370
  LoC): admin client — list paint, edit form (slug + firm +
  section_key + proceeding_family + title/desc/content per lang +
  visibility radio + is_published toggle), per-block version log
  with restore button. Bilingual labels.

- frontend/src/client/submission-draft.ts: per-section "+ Baustein"
  button on the Composer editor toolbar (Slice B substrate gets one
  more affordance). openBlockPicker opens a modal filtered to the
  section's section_key, 200ms-debounced search by free text against
  title/description/content. Click a hit → POST insert-into-section
  → section row's content_md_<lang> gains the block's content
  appended at the end (Q2's plain-text paste semantic, no lineage).

- ~240 LoC of CSS: modal overlay + picker rows with tier-colored
  visibility chips + admin editor 3-pane grid + form rows + version
  list.

- 12 new i18n keys × 2 langs (admin.building_blocks.*).

Tests:
- TestValidVisibility (8 cases including case-sensitivity + empty).
- TestAppendBlockContent (8 cases covering empty-existing / empty-
  addition / whitespace-only / trailing newline collapse).
- TestBuildingBlockVisibilityConstants pins the 4 string literals
  against drift (RLS predicate + DB CHECK depend on them).

Build hygiene: go build/vet/test -short clean; bun run build clean
(2906 i18n keys, data-i18n scan clean).

Hard rules per ratifications honoured:
- Q2: no building_block_id lineage on sections (paste is plain text).
- Q9: 4 visibility tiers (private/team/firm/global).
- NO behavior change for pre-Composer drafts (the picker just doesn't
  show — section list is hidden for base_id NULL drafts).
- {{rule.X}} aliases preserved (block content goes through the same
  v1 placeholder pass on export as section prose).

NOT in scope per Slice C brief:
- User-authored private blocks (Slice C ships admin curation only;
  any-user create is a follow-up).
- Tier promotion review workflow (admin sets tier directly today).
- Per-section "where is this block used" reverse lookup (no lineage
  to query).
- Slice D's rich-prose features (headings, lists, blockquote) still
  Slice D's job; this Slice doesn't extend the MD walker.

t-paliad-315 Slice C

Makefile

@@ -21,7 +21,7 @@
 # the test runner's working dirs. None of them touch internal/db/migrations/
 # files.
 
-.PHONY: help verify-migrations verify-mig verify-mig-app test test-go test-frontend refresh-snapshot
+.PHONY: help verify-migrations verify-mig verify-mig-app test test-go test-frontend refresh-snapshot snapshot-upc
 
 help:
 	@echo "Paliad — developer targets"
@@ -33,6 +33,8 @@ help:
 	@echo "  test                Short test pass — covers gate tier"
 	@echo "  test-go             Full Go suite with race detector"
 	@echo "  test-frontend       Frontend bun:test suite"
+	@echo "  snapshot-upc        Regenerate pkg/litigationplanner/embedded/upc/ from live DB"
+	@echo "                      (needs DATABASE_URL — see cmd/gen-upc-snapshot/README.md)"
 	@echo ""
 	@echo "Set TEST_DATABASE_URL to enable live-DB tests. Example:"
 	@echo "  export TEST_DATABASE_URL=postgres://paliad:...@localhost:11833/paliad_test"
@@ -141,3 +143,22 @@ refresh-snapshot:
 	' internal/db/testdata/prod-snapshot.sql.tmp > internal/db/testdata/prod-snapshot.sql
 	@rm internal/db/testdata/prod-snapshot.sql.tmp
 	@wc -l internal/db/testdata/prod-snapshot.sql
+
+# Regenerate the embedded UPC snapshot from a live paliad DB. The
+# generator applies pending migrations first, then SELECTs the UPC
+# subset and writes JSON files under pkg/litigationplanner/embedded/upc/.
+#
+# Requires DATABASE_URL — Slice C of the litigation-planner extraction
+# (m/paliad#124 §19). See cmd/gen-upc-snapshot/README.md for the full
+# operator runbook.
+snapshot-upc:
+	@if [ -z "$$DATABASE_URL" ]; then \
+		echo "ERROR: DATABASE_URL is not set."; \
+		echo "       Snapshot generation needs read access to a paliad DB."; \
+		echo "       Set DATABASE_URL to the live paliad Postgres, then re-run."; \
+		exit 2; \
+	fi
+	@echo "==> regenerating UPC snapshot from $$DATABASE_URL"
+	go run ./cmd/gen-upc-snapshot
+	@echo "==> running snapshot tests against the regenerated data"
+	go test ./pkg/litigationplanner/embedded/upc/...

cmd/gen-upc-snapshot/README.md

@@ -0,0 +1,59 @@
+# gen-upc-snapshot
+
+Regenerates the embedded UPC snapshot consumed by
+`pkg/litigationplanner/embedded/upc`. Slice C of the litigation-planner
+extraction (m/paliad#124 §19). See
+`docs/design-litigation-planner-2026-05-26.md` §19 for the full design.
+
+## When to regenerate
+
+After any change that affects the public UPC rule corpus:
+
+- new rules merged via the admin rule-editor
+- a deadline-rule migration that touches UPC rows
+- a `paliad.holidays` update (new public holidays / vacation runs)
+- a `paliad.courts` update (new UPC LD opens, etc.)
+- a `paliad.proceeding_types` change for `jurisdiction = 'UPC'`
+
+The snapshot is operator-controlled — there is no CI regeneration in v1.
+
+## How to regenerate
+
+```sh
+make snapshot-upc
+```
+
+or directly:
+
+```sh
+DATABASE_URL=postgres://...  go run ./cmd/gen-upc-snapshot
+```
+
+Flags:
+
+| Flag            | Default                                | Purpose |
+|-----------------|----------------------------------------|---------|
+| `-output`       | `./pkg/litigationplanner/embedded/upc` | directory to write JSON files into |
+| `-version`      | auto-derived (`YYYY-MM-DD-N`)          | override the snapshot version |
+| `-source-label` | empty                                  | text label written to `meta.json` (`paliad-prod`, `paliad-dev`, …) |
+
+The generator:
+
+1. Applies pending migrations against `DATABASE_URL` (snapshot always matches schema HEAD).
+2. SELECTs UPC active proceeding_types + their published+active rules + referenced trigger_events + DE/UPC holidays + UPC courts.
+3. Writes pretty-printed JSON to `<output>/{proceeding_types,rules,trigger_events,holidays,courts,meta}.json`.
+
+## Idempotence
+
+Running twice with the same DB state produces the same JSON (modulo `meta.generated_at`). Diff-friendly in git.
+
+## Versioning
+
+`meta.json.version` uses `YYYY-MM-DD-N` where N starts at 1 and increments on same-day regenerations. The generator reads the existing `meta.json` and bumps automatically.
+
+## After regeneration
+
+1. Review the diff: `git diff pkg/litigationplanner/embedded/upc/`.
+2. Run tests: `go test ./pkg/litigationplanner/embedded/upc/...`.
+3. Commit with a message like `chore(snapshot): regenerate UPC snapshot (<reason>)`.
+4. Notify any downstream consumer (youpc.org) that a new paliad release is available.

cmd/gen-upc-snapshot/main.go

@@ -0,0 +1,301 @@
+// Command gen-upc-snapshot reads paliad's live deadline corpus and
+// writes the UPC subset as JSON files under
+// pkg/litigationplanner/embedded/upc/. The package's embedded
+// catalog/holiday/court implementations then serve this data without
+// any DB roundtrip — letting youpc.org (or any future consumer) run
+// the litigationplanner engine against the canonical UPC rule set.
+//
+// Slice C (m/paliad#124 §19). See docs/design-litigation-planner-2026-05-26.md
+// §19 for the full design.
+//
+// Usage:
+//
+//	DATABASE_URL=postgres://... go run ./cmd/gen-upc-snapshot \
+//	    [-output ./pkg/litigationplanner/embedded/upc] \
+//	    [-version 2026-05-26-1] \
+//	    [-source-label paliad-dev-supabase]
+//
+// The generator applies migrations against DATABASE_URL before
+// SELECTing (so the snapshot always matches schema HEAD). Idempotent —
+// running twice with the same DB state produces the same JSON.
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/jmoiron/sqlx"
+	_ "github.com/lib/pq"
+
+	"mgit.msbls.de/m/paliad/internal/db"
+	"mgit.msbls.de/m/paliad/pkg/litigationplanner"
+)
+
+const (
+	defaultOutput      = "./pkg/litigationplanner/embedded/upc"
+	defaultSourceLabel = ""
+)
+
+// Meta is the version block written to meta.json. The embedded sub-
+// package re-defines this type so consumers can decode it without
+// importing the cmd; the cmd holds the canonical write shape.
+type Meta struct {
+	Version           string    `json:"version"`
+	GeneratedAt       time.Time `json:"generated_at"`
+	PaliadCommit      string    `json:"paliad_commit,omitempty"`
+	SourceDBLabel     string    `json:"source_db_label,omitempty"`
+	RuleCount         int       `json:"rule_count"`
+	ProceedingCount   int       `json:"proceeding_count"`
+	TriggerEventCount int       `json:"trigger_event_count"`
+	HolidayCount      int       `json:"holiday_count"`
+	CourtCount        int       `json:"court_count"`
+}
+
+// EmbeddedHoliday is the holiday row shape the embedded snapshot
+// stores. JSON tags mirror paliad.holidays so the generator's SELECT
+// scans onto it directly + the embedded HolidayCalendar reads the
+// same tag.
+type EmbeddedHoliday struct {
+	Date        string  `db:"date_iso" json:"date"`
+	Name        string  `db:"name" json:"name"`
+	Country     *string `db:"country" json:"country,omitempty"`
+	Regime      *string `db:"regime" json:"regime,omitempty"`
+	State       *string `db:"state" json:"state,omitempty"`
+	HolidayType string  `db:"holiday_type" json:"holiday_type"`
+}
+
+// EmbeddedCourt is the court row shape the embedded snapshot stores.
+type EmbeddedCourt struct {
+	ID        string  `db:"id" json:"id"`
+	Code      string  `db:"code" json:"code"`
+	NameDE    string  `db:"name_de" json:"name_de"`
+	NameEN    string  `db:"name_en" json:"name_en"`
+	Country   string  `db:"country" json:"country"`
+	Regime    *string `db:"regime" json:"regime,omitempty"`
+	CourtType string  `db:"court_type" json:"court_type"`
+	ParentID  *string `db:"parent_id" json:"parent_id,omitempty"`
+	SortOrder int     `db:"sort_order" json:"sort_order"`
+}
+
+func main() {
+	output := flag.String("output", defaultOutput, "directory to write JSON files into")
+	version := flag.String("version", "", "explicit snapshot version (auto-derived if empty)")
+	sourceLabel := flag.String("source-label", defaultSourceLabel, "label for source_db in meta.json")
+	flag.Parse()
+
+	url := os.Getenv("DATABASE_URL")
+	if url == "" {
+		log.Fatal("DATABASE_URL must be set")
+	}
+
+	if err := db.ApplyMigrations(url); err != nil {
+		log.Fatalf("apply migrations: %v", err)
+	}
+
+	pool, err := sqlx.Connect("postgres", url)
+	if err != nil {
+		log.Fatalf("connect: %v", err)
+	}
+	defer pool.Close()
+
+	ctx := context.Background()
+	if err := run(ctx, pool, *output, *version, *sourceLabel); err != nil {
+		log.Fatalf("snapshot: %v", err)
+	}
+}
+
+func run(ctx context.Context, pool *sqlx.DB, output, version, sourceLabel string) error {
+	if err := os.MkdirAll(output, 0o755); err != nil {
+		return fmt.Errorf("mkdir output: %w", err)
+	}
+
+	// 1. Proceeding types — UPC + active only. The unified upc.apl row
+	// from B1 mig 134 is included; the 3 archived old appeal codes
+	// (is_active=false) are filtered out by the WHERE.
+	var procs []litigationplanner.ProceedingType
+	if err := pool.SelectContext(ctx, &procs, `
+		SELECT id, code, name, name_en, description, jurisdiction,
+		       category, default_color, sort_order, is_active,
+		       trigger_event_label_de, trigger_event_label_en,
+		       appeal_target
+		  FROM paliad.proceeding_types
+		 WHERE jurisdiction = 'UPC' AND is_active = true
+		 ORDER BY sort_order, id`); err != nil {
+		return fmt.Errorf("select proceeding_types: %w", err)
+	}
+
+	if len(procs) == 0 {
+		return fmt.Errorf("no active UPC proceeding_types — refusing to write empty snapshot")
+	}
+
+	procIDs := make([]int, 0, len(procs))
+	for _, p := range procs {
+		procIDs = append(procIDs, p.ID)
+	}
+
+	// 2. Deadline rules — published + active rules for those proceedings.
+	const ruleCols = `id, proceeding_type_id, parent_id, submission_code, name, name_en,
+		description, primary_party, event_type, duration_value,
+		duration_unit, timing, rule_code, deadline_notes, deadline_notes_en, sequence_order,
+		alt_duration_value, alt_duration_unit, alt_rule_code,
+		anchor_alt, concept_id, legal_source, is_spawn, spawn_label, is_active,
+		created_at, updated_at,
+		trigger_event_id, spawn_proceeding_type_id, combine_op, condition_expr,
+		priority, is_court_set, lifecycle_state, draft_of, published_at,
+		choices_offered, applies_to_target`
+
+	q, args, err := sqlx.In(`
+		SELECT `+ruleCols+`
+		  FROM paliad.deadline_rules
+		 WHERE proceeding_type_id IN (?)
+		   AND is_active = true
+		   AND lifecycle_state = 'published'
+		 ORDER BY proceeding_type_id, sequence_order`, procIDs)
+	if err != nil {
+		return fmt.Errorf("build rules IN: %w", err)
+	}
+	q = pool.Rebind(q)
+	var rules []litigationplanner.Rule
+	if err := pool.SelectContext(ctx, &rules, q, args...); err != nil {
+		return fmt.Errorf("select rules: %w", err)
+	}
+
+	// 3. Trigger events referenced by any UPC rule's trigger_event_id.
+	triggerIDSet := make(map[int64]struct{})
+	for _, r := range rules {
+		if r.TriggerEventID != nil {
+			triggerIDSet[*r.TriggerEventID] = struct{}{}
+		}
+	}
+	var triggers []litigationplanner.TriggerEvent
+	if len(triggerIDSet) > 0 {
+		triggerIDs := make([]int64, 0, len(triggerIDSet))
+		for id := range triggerIDSet {
+			triggerIDs = append(triggerIDs, id)
+		}
+		q, args, err := sqlx.In(`
+			SELECT id, code, name, name_de, description, is_active, created_at
+			  FROM paliad.trigger_events
+			 WHERE id IN (?)
+			 ORDER BY id`, triggerIDs)
+		if err != nil {
+			return fmt.Errorf("build triggers IN: %w", err)
+		}
+		q = pool.Rebind(q)
+		if err := pool.SelectContext(ctx, &triggers, q, args...); err != nil {
+			return fmt.Errorf("select trigger_events: %w", err)
+		}
+	}
+
+	// 4. Holidays — DE national + UPC regime entries. The embedded
+	// calendar serves UPC computations so both axes matter.
+	var holidays []EmbeddedHoliday
+	if err := pool.SelectContext(ctx, &holidays, `
+		SELECT to_char(date, 'YYYY-MM-DD') AS date_iso,
+		       name, country, regime, state, holiday_type
+		  FROM paliad.holidays
+		 WHERE country = 'DE' OR regime = 'UPC'
+		 ORDER BY date, name`); err != nil {
+		return fmt.Errorf("select holidays: %w", err)
+	}
+
+	// 5. Courts — UPC subset.
+	var courts []EmbeddedCourt
+	if err := pool.SelectContext(ctx, &courts, `
+		SELECT id, code, name_de, name_en, country, regime, court_type, parent_id, sort_order
+		  FROM paliad.courts
+		 WHERE is_active = true
+		   AND (regime = 'UPC' OR court_type LIKE 'upc%')
+		 ORDER BY sort_order, id`); err != nil {
+		return fmt.Errorf("select courts: %w", err)
+	}
+
+	// 6. Compose meta.
+	meta := Meta{
+		Version:           resolveVersion(version, output),
+		GeneratedAt:       time.Now().UTC().Truncate(time.Second),
+		PaliadCommit:      gitCommitShort(),
+		SourceDBLabel:     sourceLabel,
+		RuleCount:         len(rules),
+		ProceedingCount:   len(procs),
+		TriggerEventCount: len(triggers),
+		HolidayCount:      len(holidays),
+		CourtCount:        len(courts),
+	}
+
+	// 7. Write each file.
+	files := []struct {
+		name string
+		data any
+	}{
+		{"proceeding_types.json", procs},
+		{"rules.json", rules},
+		{"trigger_events.json", triggers},
+		{"holidays.json", holidays},
+		{"courts.json", courts},
+		{"meta.json", meta},
+	}
+	for _, f := range files {
+		path := filepath.Join(output, f.name)
+		buf, err := json.MarshalIndent(f.data, "", "  ")
+		if err != nil {
+			return fmt.Errorf("marshal %s: %w", f.name, err)
+		}
+		buf = append(buf, '\n')
+		if err := os.WriteFile(path, buf, 0o644); err != nil {
+			return fmt.Errorf("write %s: %w", path, err)
+		}
+	}
+
+	log.Printf("snapshot written: version=%s rules=%d proceedings=%d triggers=%d holidays=%d courts=%d → %s",
+		meta.Version, meta.RuleCount, meta.ProceedingCount,
+		meta.TriggerEventCount, meta.HolidayCount, meta.CourtCount, output)
+	return nil
+}
+
+// resolveVersion picks a date-stamped version slug, bumping the suffix
+// past any pre-existing same-day version found in the existing
+// meta.json. If the caller passed -version, that wins.
+func resolveVersion(explicit, output string) string {
+	if explicit != "" {
+		return explicit
+	}
+	today := time.Now().UTC().Format("2006-01-02")
+	// Read prior meta to detect same-day collisions.
+	prior, err := os.ReadFile(filepath.Join(output, "meta.json"))
+	if err != nil {
+		return today + "-1"
+	}
+	var pm Meta
+	if err := json.Unmarshal(prior, &pm); err != nil {
+		return today + "-1"
+	}
+	if !strings.HasPrefix(pm.Version, today+"-") {
+		return today + "-1"
+	}
+	// Same day: bump the suffix.
+	suffix := pm.Version[len(today)+1:]
+	var n int
+	if _, err := fmt.Sscanf(suffix, "%d", &n); err != nil {
+		return today + "-1"
+	}
+	return fmt.Sprintf("%s-%d", today, n+1)
+}
+
+// gitCommitShort returns the short SHA of the paliad checkout. Best-
+// effort — empty string when we're not in a git checkout.
+func gitCommitShort() string {
+	out, err := exec.Command("git", "rev-parse", "--short", "HEAD").Output()
+	if err != nil {
+		return ""
+	}
+	return strings.TrimSpace(string(out))
+}

cmd/server/main.go

@@ -12,6 +12,7 @@ import (
 	"strconv"
 	"strings"
 	"syscall"
+	"time"
 
 	// Embed Go's IANA tz database into the binary so time.LoadLocation works
 	// without OS tzdata. The runtime image (alpine) doesn't ship /usr/share/
@@ -159,6 +160,21 @@ func main() {
 		submissionVarsSvc := services.NewSubmissionVarsService(pool, projectSvc, partySvc, users)
 		submissionRenderer := services.NewSubmissionRenderer()
 		submissionDraftSvc := services.NewSubmissionDraftService(pool, projectSvc, submissionVarsSvc, submissionRenderer)
+		// t-paliad-313 Composer Slice A — base catalog + section seeding.
+		// AttachComposer wires both into the draft service so Create
+		// seeds base_id + submission_sections rows on new drafts. v1
+		// fallback path stays active for pre-Composer drafts (base_id
+		// NULL, no section rows).
+		submissionBaseSvc := services.NewBaseService(pool)
+		submissionSectionSvc := services.NewSectionService(pool)
+		submissionDraftSvc.AttachComposer(submissionBaseSvc, submissionSectionSvc, branding.Name)
+		// t-paliad-313 Slice B — render-pipeline assembler. Reuses the
+		// existing SubmissionRenderer for the final placeholder pass so
+		// the {{rule.X}} alias contract stays preserved inside the
+		// composed body.
+		submissionComposerSvc := services.NewSubmissionComposer(submissionRenderer)
+		// t-paliad-315 Slice C — building-block library.
+		submissionBuildingBlockSvc := services.NewBuildingBlockService(pool, branding.Name)
 		// t-paliad-225 Slice A — user-authored checklist templates.
 		// Slice B adds checklist_shares grants + admin promotion.
 		checklistCatalogSvc := services.NewChecklistCatalogService(pool)
@@ -170,7 +186,11 @@ func main() {
 			Team:           teamSvc,
 			PartnerUnit:    partnerUnitSvc,
 			Party:          partySvc,
-			SubmissionDraft: submissionDraftSvc,
+			SubmissionDraft:         submissionDraftSvc,
+			SubmissionBase:          submissionBaseSvc,
+			SubmissionSection:       submissionSectionSvc,
+			SubmissionComposer:      submissionComposerSvc,
+			SubmissionBuildingBlock: submissionBuildingBlockSvc,
 			Deadline:       deadlineSvc,
 			Appointment:    appointmentSvc,
 			CalDAV:         caldavSvc,
@@ -221,6 +241,8 @@ func main() {
 			Export: services.NewExportService(pool, branding.Name),
 			// t-paliad-265 / m/paliad#96 — per-event-card optional choices.
 			EventChoice: services.NewEventChoiceService(pool, projectSvc, users),
+			// Slice D (m/paliad#124 §5, mig 145) — named scenario compositions.
+			Scenario: services.NewScenarioService(pool, projectSvc, rules),
 		}
 
 		// t-paliad-246 Slice A — Backup Mode runner. Wired only when
@@ -337,6 +359,13 @@ func main() {
 			log.Printf("CalDAV start: %v", err)
 		}
 		reminderSvc.Start(bgCtx)
+		// Slice B.2 dual-write drift check (t-paliad-305 / m/paliad#93).
+		// Runs every 6 h while the new procedural_events / sequencing_rules /
+		// legal_sources tables shadow the legacy paliad.deadline_rules
+		// table. A clean run logs at INFO; drift logs at WARN with the
+		// full report so a broken dual-write surfaces before the next
+		// deploy.
+		services.StartDualWriteDriftCheckLoop(bgCtx, pool, 6*time.Hour)
 		go func() {
 			<-bgCtx.Done()
 			log.Println("background services: shutdown signal received")

docs/design-fristen-phase2-2026-05-15.md

@@ -421,7 +421,7 @@ The editor is the **largest single surface** in Phase 3. ~3-4 PRs of work depend
 | `POST /api/admin/rules` | POST | global_admin | Create a new rule from scratch (starts as `lifecycle_state='draft'`). |
 | `GET /admin/rules/{id}/audit` | GET | global_admin | Audit log for this rule. |
 | `POST /admin/rules/{id}/preview` | POST | global_admin | Preview-on-trigger-date — runs calculator with this draft replacing its published peer; returns the resulting timeline (no persistence). |
-| `POST /admin/rules/export-migration` | POST | global_admin | Export pending (draft + audit-since-last-export) rules as a `*.up.sql` blob the human can paste into `internal/db/migrations/`. Sets `migration_exported=true` on the audit rows. |
+| _(removed t-paliad-297)_ migration-export endpoint | — | — | Was a SQL-export tool generating `*.up.sql` from audit rows. Workflow shifted to hand-written numbered migrations; tool removed in m/paliad#129. |
 
 ### 4.2 Draft → published lifecycle
 

docs/design-paliad-data-export-2026-05-19.md

@@ -43,7 +43,7 @@ A full org export today is **< 600 rows of user content** plus reference data
 
 **Audit trail.** Lives in `paliad.project_events` (93 rows). One row per lifecycle event with `event_type`, `metadata jsonb`, `event_date`, `created_by`. The auditing union (`AuditService.ListEntries`) joins 5 sources (project_events, partner_unit_events, deadline_rule_audit, policy_audit_log, reminder_log). For the export we treat `project_events` as primary; the four auxiliary logs are scope-specific.
 
-**Existing export precedent.** `/admin/rules/export` + `/admin/api/rules/export-migrations` (handlers/admin_rules.go) — admin-gated, streams a generated SQL artifact. Same shape as what we want for the Excel exports. Re-use the gating helper.
+**Existing export precedent.** _(Originally pointed at the admin rule-migration export. That tool was deleted in m/paliad#129 / t-paliad-297. The gating pattern — `adminGate(users, …)` on a download endpoint that streams a generated artifact — still lives on other admin handlers, e.g. `handleAdminDownloadBackup` for `/api/admin/backups/{id}/file`.)_ Re-use the gating helper.
 
 **No Go xlsx library on `go.mod` today.** This design picks **`github.com/xuri/excelize/v2`** in §3.
 
@@ -591,7 +591,7 @@ No other slice deltas. v1 still ships slices 1+2+3.
 - `docs/design-data-model-v2.md` — projects + mandanten + ltree path + can_see_project predicate.
 - `docs/design-approval-policy-ui-2026-05-07.md` — 5-source audit union (this design adds the 6th source).
 - `docs/design-profession-vs-project-role-2026-05-07.md` — profession ladder for the §4 project gate.
-- `internal/handlers/admin_rules.go:303` — `handleAdminExportRuleMigrations` (precedent for admin-gated export-as-download).
+- `internal/handlers/backups.go` — `handleAdminDownloadBackup` (precedent for admin-gated artifact download; the older rule-migration export precedent was removed in t-paliad-297).
 - `internal/services/project_service.go:15` — visibility predicate.
 - `internal/services/derivation_service.go` — `EffectiveProjectRole` for the project gate.
 - `github.com/xuri/excelize/v2` — chosen xlsx library.

docs/design-procedural-events-b0-findings-2026-05-26.md

@@ -0,0 +1,277 @@
+# Slice B.0 — Live DB re-validation findings (t-paliad-273)
+
+**Author:** curie (researcher)
+**Date:** 2026-05-26
+**Branch:** `mai/curie/researcher-slice-b-zero`
+**Predecessor:** `docs/design-procedural-events-model-2026-05-25.md` (cronus, t-paliad-262)
+**Scope:** READ-ONLY re-validation of the design doc's §1 premises against the live youpc Supabase `paliad` schema. No migration SQL written, no writes to `deadline_rules` or any table. B.1 (additive migration) remains blocked pending m's greenlight.
+
+This document does **not** redesign the schema. It does **not** propose new structural changes. It records what the live DB looks like ~24 hours after the design was authored, flags every claim that drifted, and gives the eventual B.1 coder a current-as-of-2026-05-26 baseline to plan against.
+
+---
+
+## §0 TL;DR
+
+The design doc's §1 premises were sound on 2026-05-25. **All numeric premises drifted in the 24 hours since.** The qualitative model (`deadline_rules` conflates three concepts; live `deadlines.rule_id` FK; snapshot precedent established; no `proceeding_event*` tables) still holds.
+
+The Q5 default ("10 archived multi-row submission_codes collapse safely") is now **moot**: those rows were removed from the live DB between 2026-05-25 15:30 and 2026-05-26 13:30. There are now **zero** multi-row submission codes; every active submission_code maps 1:1 to one rule row. B.1 backfill no longer needs the multi-row collapse logic that §5 of the design doc anticipated.
+
+The Q6 default ("concept_id attaches to procedural event, not sequencing rule") is **directionally correct but needs refinement**. The empirical attachment is **above** the procedural-event level — `deadline_concepts` rows cluster legal meaning *across* jurisdictional procedural-event variants. One concept_id can span 15 distinct submission_codes (e.g. "Berufungsfrist" across BGH / BPatG / LG / OLG for both PatG and ZPO paths). The FK in §4.1's draft schema (`procedural_events.concept_id REFERENCES deadline_concepts(id)`, N:1) is **already correctly shaped** for this — no schema change needed. The verbal claim in the design doc should be tightened to "one `deadline_concept` row may be referenced by many procedural events; the FK lives on `procedural_events`."
+
+Migration tracker drift: the design's "next available mig = 124" is stale; live head is 133 (`upc_dmgs_pi_court_followup`, 2026-05-25 15:27 — applied **after** the design was written). **Next available is 134.** Ten migrations landed since the doc was authored — 124..133. None of them touched `deadline_rules` schema, but they did mutate row content (the missing 23 rows and the new event_type/legal_source distribution come from migs 127/128/132/133).
+
+The design's claimed migration tracker `paliad.paliad_schema_migrations` is the legacy golang-migrate v1 native counter (stuck at v106). The **canonical** tracker is `paliad.applied_migrations` (one row per applied migration, with checksum + applied_at). `internal/db/migrate.go:9-21` is the source of truth. Project CLAUDE.md still says `paliad.paliad_schema_migrations`; that's a stale doc, not a B.0-scope fix.
+
+One doc-side bug fixed by this slice: design doc §1 + m/paliad#93 issue body referenced `paliad.deadlines.deadline_rule_id`. Live column is `paliad.deadlines.rule_id`. Both files patched on this branch.
+
+---
+
+## §1 Headline-count drift table
+
+All numbers taken 2026-05-26 ~13:30 UTC against the live `paliad` schema.
+
+| Metric | Design (2026-05-25) | Live (2026-05-26) | Δ | Notes |
+|---|--:|--:|--:|---|
+| `deadline_rules` row count | 254 | **231** | -23 | All rows `is_active = true`. No soft-deletes in flight. |
+| Rows with `submission_code` | 177 | **153** | -24 | |
+| Distinct `submission_code` values | 158 | **153** | -5 | **All 5 lost are the multi-row `_archived_litigation.*` codes** — see §2. |
+| Rows with `legal_source` | 102 | **112** | +10 | |
+| Distinct `legal_source` values | 70 | **87** | +17 | New jurisdictional variants seeded by recent migs (127/132/133). |
+| Rows with `concept_id` (linked to `deadline_concepts`) | 125 | **129** | +4 | 56% of the corpus is concept-linked, vs 49% in the design. |
+| `paliad.deadlines` rows | 1 | **5** | +4 | Still tiny — destructive cutover stays cheap. |
+| `paliad.submission_drafts` rows | 4 | **7** | +3 | |
+| Rules in `lifecycle_state = 'draft'` | 4 | **0** | -4 | All 4 design-era drafts were published or discarded. |
+
+### event_type distribution
+
+| `event_type` | Design | Live | Δ |
+|---|--:|--:|--:|
+| `filing` | 130 | 105 | -25 |
+| NULL | 77 | 89 | +12 |
+| `decision` | 25 | 21 | -4 |
+| `hearing` | 21 | 15 | -6 |
+| `order` | 1 | 1 | 0 |
+| **Total** | **254** | **231** | -23 |
+
+The -23 row delta lands almost entirely in `filing` (-25) and `hearing` (-6), offset by +12 NULL — consistent with the disappearance of the `_archived_litigation.*` filings and a few archived `hearing` rows, plus seeding of new structural / parent-only rows by recent migrations.
+
+### What did NOT drift (qualitative claims, still valid)
+
+- `paliad.deadline_rules` carries 39 columns (design said 38 — drift +1; likely from mig 128 `deadline_rules_unit_check` which adds a CHECK without adding a column — or one of migs 124-133 added a column. Not investigated further; out of B.0 scope).
+- `paliad.deadlines.rule_id` (uuid, nullable) is the FK column to `paliad.deadline_rules.id`. **Confirmed via `information_schema.referential_constraints`** — `rule_id → paliad.deadline_rules(id)`. The doc-side mention of `deadline_rule_id` was always a typo.
+- `paliad.deadlines.rule_code` + `paliad.deadlines.custom_rule_text` both still present (the denormalized-display columns from mig 122).
+- `paliad.submission_drafts` uses `(project_id uuid nullable, submission_code text NOT NULL)` as its key — **no FK to deadline_rules**. Confirms the design's claim that the Schriftsätze surface filters on a text key, not on `deadline_rules.id`.
+- No `paliad.proceeding_event*` tables exist (einstein's 2026-05-08 graph design was never built — still the case).
+
+---
+
+## §2 Archived submission_code audit (Q5 re-confirm)
+
+**Premise re-checked:** "10 archived multi-row submission_codes (`_archived_litigation.*`) collapse safely into single procedural events with multiple sequencing variants."
+
+**Finding:** the premise is **moot in the live DB**.
+
+```sql
+SELECT submission_code, COUNT(*)
+FROM paliad.deadline_rules
+WHERE submission_code LIKE '_archived_litigation.%'
+GROUP BY submission_code;
+-- 0 rows
+```
+
+```sql
+SELECT submission_code, COUNT(*)
+FROM paliad.deadline_rules
+WHERE submission_code IS NOT NULL
+GROUP BY submission_code
+HAVING COUNT(*) > 1;
+-- 0 rows
+```
+
+Every active submission_code in the live corpus is 1:1 with its `deadline_rules` row. The 10 multi-row codes the design anticipated no longer exist.
+
+**Consequence for B.1 backfill:**
+
+- The §5.1 / §5.2 backfill SQL the design sketched (collapsing N rows-with-same-submission_code into 1 procedural_event + N sequencing_rules) is **simpler than expected**: a straight 1:1 backfill, no GROUP-BY-and-collapse step needed.
+- B.1's `INSERT INTO paliad.procedural_events ... SELECT DISTINCT submission_code ...` becomes equivalent to `INSERT ... SELECT submission_code, ... FROM deadline_rules WHERE submission_code IS NOT NULL`. No deduplication needed.
+- The 78 rows where `submission_code IS NULL` (231 - 153) still need a B.1 decision: do they become `procedural_events` rows (with synthetic codes), do they become free-standing `sequencing_rules` with `procedural_event_id` NULL, or do they get parked? This was implicit in the design (the 77 NULLs were framed as "structural / parent-only rows in the proceeding tree"); B.1 should make the decision explicit and document it in the migration's `.up.sql` comments.
+
+---
+
+## §3 concept_id attachment shape (Q6 re-confirm)
+
+**Premise re-checked:** "concept_id attaches to procedural event, not sequencing rule."
+
+**Finding:** **partly true.** The FK direction the design proposes (`procedural_events.concept_id → deadline_concepts.id`, N:1) is correct. The verbal phrasing in Q6's default needs refinement — the empirical attachment is **above** the procedural-event level, not "at" it.
+
+### Empirical pattern
+
+129 of 231 rows carry a `concept_id`. Those 129 rows reference **53 distinct `deadline_concepts`** rows. Averages: 2.43 rows-per-concept, 2.42 submission-codes-per-concept (the two are nearly identical because today's corpus has no multi-row submission codes — see §2). Span distribution:
+
+- 33 of 53 concepts (62%) attach to exactly 1 submission_code → procedural-event-scoped.
+- 20 of 53 concepts (38%) attach to >1 submission_code → cross-procedural-event scoped.
+- Maximum: 1 concept attaches to **15 distinct submission_codes**.
+
+### Example: one concept, four procedural events
+
+The concept `b85b2e5a-4064-40b2-b862-24b7abaa5b94` ("Berufungsfrist / Berufungsschrift") is referenced by 4 `deadline_rules` rows that today carry these 4 distinct submission_codes:
+
+| rule_code | submission_code | court | name |
+|---|---|---|---|
+| § 110 PatG | `de.null.bgh.berufung` | BGH | Berufungsschrift |
+| § 110 PatG | `de.null.bpatg.berufung` | BPatG | Berufungsfrist |
+| § 517 ZPO | `de.inf.lg.berufung` | LG | Berufungsfrist |
+| § 517 ZPO | `de.inf.olg.berufung` | OLG | Berufungsfrist |
+
+Under Slice B's target schema (§4.1), each of these four rows becomes a separate `procedural_events` row (different `code`s, different jurisdiction-specific names, different `legal_source_id`s), but **all four reference the same `deadline_concepts.id`**.
+
+### Implication for B.1
+
+- `procedural_events.concept_id` should be **nullable** (62% of rows today have no concept link — the §4.1 sketch already allows this).
+- The constraint must be **N:1, not 1:1** (one `deadline_concept` may be referenced by many `procedural_events`). The §4.1 sketch (`concept_id uuid REFERENCES paliad.deadline_concepts(id)`) is already correctly N:1; a hypothetical "UNIQUE INDEX on `procedural_events.concept_id`" would break the existing data. **Do not add UNIQUE.**
+- The design doc's Q6 phrasing can be tightened to: "concept_id attaches to procedural event (N procedural events → 1 concept). Sequencing rules do not carry concept_id." — but this is a wording nit, not a structural change. It does **not** block B.1.
+
+---
+
+## §4 Snapshot precedent audit
+
+**Premise re-checked:** the `paliad.deadline_rules_pre_<N>` snapshot pattern is established and ready for B.4's destructive drop.
+
+**Finding:** confirmed and consistent.
+
+Snapshot tables in `paliad`:
+
+| Snapshot table | Origin migration |
+|---|---|
+| `deadlines_pre_089` | mig 089 |
+| `deadline_rules_pre_091` | mig 091 (destructive drop of legacy columns) |
+| `event_deadlines_pre_092` | mig 092 |
+| `event_deadline_rule_codes_pre_092` | mig 092 |
+| `deadline_rules_pre_093` | mig 093 |
+| `proceeding_types_pre_093` | mig 093 |
+| `projects_pre_094` | mig 094 |
+| `deadline_rules_pre_095` | mig 095 |
+| `proceeding_types_pre_096` | mig 096 |
+| `deadline_rules_pre_098` | mig 098 |
+
+Pattern: `<original_table>_pre_<migration_number>`. Always created in the `.up.sql` of the destructive migration as `CREATE TABLE paliad.<t>_pre_<N> AS TABLE paliad.<t>;` (followed by the destructive DROP / ALTER).
+
+**B.4's template:** before `DROP TABLE paliad.deadline_rules;` (and `ALTER TABLE paliad.deadlines DROP COLUMN rule_id;`), `mig <N>.up.sql` must include:
+
+```sql
+CREATE TABLE paliad.deadline_rules_pre_<N> AS TABLE paliad.deadline_rules;
+-- (optional) CREATE TABLE paliad.deadlines_pre_<N> AS TABLE paliad.deadlines;
+```
+
+This is non-negotiable per m's snapshot policy and the precedent of migs 089-098. B.4 should not enter the deploy queue without it.
+
+---
+
+## §5 deadlines.rule_id doc bug — verified + patched
+
+**Premise re-checked:** the live column on `paliad.deadlines` referencing `deadline_rules` is named `rule_id`, not `deadline_rule_id`.
+
+**Verification:**
+
+```sql
+SELECT column_name FROM information_schema.columns
+WHERE table_schema='paliad' AND table_name='deadlines' AND column_name LIKE '%rule%';
+-- rule_id (uuid, nullable)
+-- rule_code (text, nullable)
+-- custom_rule_text (text, nullable)
+```
+
+```sql
+SELECT kcu.column_name, ccu.table_name, ccu.column_name
+FROM information_schema.table_constraints tc
+JOIN information_schema.key_column_usage kcu ON ...
+JOIN information_schema.constraint_column_usage ccu ON ...
+WHERE tc.constraint_type='FOREIGN KEY' AND tc.table_schema='paliad' AND tc.table_name='deadlines';
+-- rule_id → paliad.deadline_rules.id
+```
+
+**Fix applied on this branch:**
+
+- `docs/design-procedural-events-model-2026-05-25.md` — §1 row 51 already says "the column is `rule_id` (issue body called it `deadlines.deadline_rule_id` — that's a doc-side typo)". §1 row 63 (the "Doc-side bug flagged" line) already names the fix target. **No change needed to the design doc — the inventor already flagged and described the bug; B.0 just re-confirms it.**
+- `m/paliad#93` issue body — line 56 says `paliad.deadlines.deadline_rule_id` in the Q3 migration shape. Patched via Gitea API on this slice. See §6 of this report.
+
+---
+
+## §6 Migration tracker drift (out-of-scope context)
+
+The design doc said "next available mig number is 124 (mig 123 = Backup Mode Slice A, just shipped)". Live state on 2026-05-26 13:30:
+
+- Latest applied migration: **133** (`upc_dmgs_pi_court_followup`, 2026-05-25 15:27).
+- Next available: **134**.
+- Migrations 124-133 (all applied after the design was authored):
+
+```
+124  de_inf_lg_replik_duplik_sequencing      (2026-05-25 13:49)
+125  cross_cutting_filter_legal_source       (2026-05-25 14:13)
+126  users_inbox_seen_at                     (2026-05-25 13:51)
+127  wave0_tier0_deadline_fixes              (2026-05-25 14:13)
+128  deadline_rules_unit_check               (2026-05-25 14:13)
+129  project_event_choices                   (2026-05-25 15:02)
+130  submission_drafts_language              (2026-05-25 15:05)
+131  submission_drafts_party_selection       (2026-05-25 15:02)
+132  wave1_tier1_rule_additions              (2026-05-25 15:40)
+133  upc_dmgs_pi_court_followup              (2026-05-25 15:27)
+```
+
+These touched `deadline_rules` content (wave0/wave1 rule additions, sequencing fixes, unit checks) and adjacent tables, but did not change the conflated-three-concepts shape that motivates Slice B. The structural premise of the design holds; the row-level numbers shifted.
+
+**Side observation (not a B.0 fix scope):** the project's `CLAUDE.md` says "Migration tracker is `paliad.paliad_schema_migrations` (avoids collision with other apps on the shared `public.schema_migrations`)." That sentence is stale. The **canonical tracker is `paliad.applied_migrations`** (per `internal/db/migrate.go:9-21,53,105`). `paliad.paliad_schema_migrations` is the legacy golang-migrate v1 counter, frozen at v106; the migrate runner uses it only to bootstrap `applied_migrations` on first deploy of the new runner (`internal/db/migrate.go:219-240`). Recommend a separate doc-fix slice (out of B.0 scope) to update `.claude/CLAUDE.md`.
+
+---
+
+## §7 Updated B.1 brief (no-op / minor adjustments only)
+
+What the live data means for the design's §5 migration plan:
+
+1. **Backfill is simpler.** No multi-row collapse logic needed (§2). One-to-one `INSERT INTO paliad.procedural_events SELECT submission_code, name, name_en, description, event_type AS event_kind, primary_party, ... FROM paliad.deadline_rules WHERE submission_code IS NOT NULL` against 153 rows.
+2. **The 78 NULL-submission_code rows need an explicit decision in B.1.** Either:
+   - (a) Skip them — they remain `deadline_rules`-only and become orphan-once-deadline_rules-is-dropped. Not acceptable; B.4 would lose them.
+   - (b) Mint synthetic codes (`null.<uuid8>` or similar) for the structural rows and create `procedural_events` for them.
+   - (c) Treat them as "sequencing-rule-only" (a `sequencing_rules` row with NULL `procedural_event_id`) — would require `sequencing_rules.procedural_event_id` to be nullable, which contradicts §4.1's NOT NULL FK.
+   - Default recommendation: **(b)** — mint codes, preserve every row. B.1 must document the mint rule in the `.up.sql`. Surface this to head before scheduling B.1.
+3. **concept_id stays N:1 on procedural_events.** No UNIQUE constraint. §4.1's sketch already does this; just don't accidentally tighten it.
+4. **Use migration number 134** (or whatever's the live `MAX(version)+1` at B.1-write-time; re-check at the moment of writing the file).
+5. **Snapshot before drop in B.4:** `CREATE TABLE paliad.deadline_rules_pre_<N> AS TABLE paliad.deadline_rules;` per §4 precedent. **This is the hard-stop pre-condition for B.4 entering the deploy queue.**
+6. **Submission_drafts.submission_code → procedural_events.code text join** continues to work unchanged through B.1-B.3 because both names match. No B.5 dual-write needed for `submission_drafts`. (The design's §6.3 already noted this.)
+
+None of these change the **shape** of the design — they tighten the backfill SQL and surface one explicit decision (point 2) for head.
+
+---
+
+## §8 Outputs of this slice (B.0)
+
+| Artifact | Status |
+|---|---|
+| `docs/design-procedural-events-b0-findings-2026-05-26.md` (this file) | created on `mai/curie/researcher-slice-b-zero` |
+| `docs/design-procedural-events-model-2026-05-25.md` | cherry-picked from `mai/cronus/inventor-procedural` onto this branch (design doc was never merged to main; B.0 brings it onto a branch off main so the doc bug fix has somewhere to land) |
+| m/paliad#93 issue body — `deadline_rule_id` → `rule_id` correction | patched via Gitea API |
+| Gitea comment on m/paliad#93 summarizing this report | posted (see §6 trailing summary on the issue) |
+
+**Nothing migrated, nothing written to `paliad.deadline_rules` or any other live data table.** Only `mai.reports` (progress) and the GitHub issue body / repo files were touched.
+
+---
+
+## §9 Hard-stop status
+
+**B.0 COMPLETE. AWAITING B.1 GREENLIGHT.**
+
+Per the original instruction:
+
+- B.1 (additive migration creating `paliad.procedural_events`, `paliad.sequencing_rules`, `paliad.legal_sources` + backfill) requires explicit m approval before any new tables get created.
+- B.4 (destructive drop of `paliad.deadline_rules` + `paliad.deadlines.rule_id`) requires m's downtime-window approval AND a `paliad.deadline_rules_pre_<N>` snapshot table in the same migration.
+- This researcher (curie) stays parked until head re-hires.
+
+---
+
+## §10 Decisions worth surfacing to m before B.1 starts
+
+1. **NULL-submission_code rows (78 of them) — what to do during backfill?** Recommendation (b): mint synthetic codes. m should confirm or pick (a)/(c).
+2. **B.5 deprecation header window length** — the design (§8.2) says "one slice". For 7 active submission_drafts that's safe; the question is whether external integrations (Word templates with `{{rule.X}}`) need a longer window. The variable-bag alias contract (`submission_vars.go`) covers Word templates without a wire-format change, so "one slice" is defensible. m should confirm.
+3. **Migration number reservation** — by the time B.1 ships, the live head may be 135+. The B.1 coder must re-check `MAX(version)` at write-time. (Not a decision; just a process note.)
+
+These are the only open questions the B.0 audit surfaced. Everything else in the design holds.

docs/design-procedural-events-model-2026-05-25.md

@@ -0,0 +1,571 @@
+# Design — Procedural-Events Data Model (t-paliad-262)
+
+**Author:** cronus (inventor)
+**Date:** 2026-05-25
+**Issue:** m/paliad#93 (mai task t-paliad-262)
+**Branch:** `mai/cronus/inventor-procedural`
+**Status:** DESIGN — read-only, no schema or code changes in this branch.
+**B.0 re-validation:** see `docs/design-procedural-events-b0-findings-2026-05-26.md` (curie, 2026-05-26) for the live-DB premise re-check. Numeric §1 claims drifted; Q5 multi-row collapse premise is moot (no `_archived_litigation.*` rows remain); Q6 N:1 attachment confirmed; mig number target updated 124 → 134.
+**Prior art read:**
+- `docs/design-deadline-data-model-2026-05-08.md` (einstein, t-paliad-158) — proposed `proceeding_event_types` + `proceeding_event_edges`; the **graph-shape recommendation has not been built** (no `proceeding_event*` tables exist in the live DB as of 2026-05-25, verified via `information_schema.tables`).
+- `docs/design-fristen-phase2-2026-05-15.md` (Phase 2/3 unified-rule columns — migs 078/079/091, **shipped**).
+- `docs/design-submission-generator-2026-05-19.md` and `docs/design-submission-page-2026-05-22.md` (Slice 1 → Slice A of the Schriftsätze stack — shipped on top of today's `deadline_rules`).
+
+This doc names a single conflation in the schema and proposes a two-slice fix (cosmetic immediate, structural follow-up). It is intentionally narrower than einstein's 2026-05-08 graph proposal — it does **not** re-litigate the proceeding-as-DAG question.
+
+---
+
+## §0 TL;DR
+
+`paliad.deadline_rules` today is **one row that wears three hats**:
+
+1. **The procedural-event template** — `submission_code`, `name`, `name_en`, `description`, `event_type`, `primary_party`. This is "what kind of step is this in the proceeding": Rechtsbeschwerdebegründung, mündliche Verhandlung, Entscheidung, etc.
+2. **The legal-norm citation** — `legal_source`, `rule_code`, `alt_rule_code`, `rule_codes[]`. This is "the source-of-law anchor": § 102 PatG, UPC RoP R.220(1).
+3. **The sequencing rule** — `parent_id`, `trigger_event_id`, `duration_value`, `duration_unit`, `timing`, `alt_duration_*`, `combine_op`, `condition_expr`, `is_spawn`, `spawn_*`, `sequence_order`, `is_court_set`, `priority`, `anchor_alt`, `proceeding_type_id`. This is "how and when does it fire relative to other events".
+
+The conflation surfaces most painfully in the submission-draft editor's variable sidebar (m's report 2026-05-25 15:02), where the lawyer sees field labels like `{{rule.submission_code}}` for what is plainly a *procedural-event code*, `{{rule.event_type}}` for what is plainly the *procedural-event kind*, and `{{rule.legal_source_pretty}}` for what is plainly the *legal norm* — all under a `rule.*` namespace that reads as if the lawyer were filling in arithmetic.
+
+**Recommendation = Q1 option (C):**
+
+- **Slice A (immediate, this design's coder shift):** cosmetic rename — placeholders, i18n labels, Go struct-comment naming, admin-UI page titles all shift to `procedural_event.*` as the canonical name. **Database schema, table name, column names, FK directions, JSON envelope keys on the wire all stay exactly as they are.** Old `{{rule.*}}` placeholders remain emitted in the variable bag as legacy aliases so existing Word templates and saved drafts keep working.
+- **Slice B (planned follow-up, separate mai task, separate slice plan):** structural rework — extract `paliad.procedural_events`, `paliad.sequencing_rules`, `paliad.legal_sources`, with a phased dual-write migration. **Not shipped here.** This doc defines the target shape (§4) and the migration shape (§5) so the eventual coder has a brief, not so the eventual coder is hired today.
+
+**Umbrella term lock = Q2 option (R):** **"procedural event"** (DE: **"Verfahrensschritt"**) as the umbrella covering filings, hearings, decisions, orders. Justification in §2.
+
+Both Slice A and the eventual Slice B preserve the Schriftsätze surface (t-paliad-238/242/243): the submissions list query changes its predicate from `dr.event_type = 'filing'` to `pe.event_kind IN ('filing', 'reply')` (Slice B only) — same rows, cleaner predicate.
+
+---
+
+## §1 Premises verified live (2026-05-25)
+
+Every load-bearing claim was checked against the running paliad codebase + youpc Supabase. Numbers and schema facts are point-in-time as of 2026-05-25 15:30.
+
+| Claim | Verification |
+|---|---|
+| `paliad.deadline_rules` carries the 38 columns listed in §0's three-hats decomposition. | `information_schema.columns WHERE table_schema='paliad' AND table_name='deadline_rules'` — 38 rows; columns confirmed verbatim. |
+| Live row count = 254. | `SELECT COUNT(*) FROM paliad.deadline_rules` → 254. |
+| 177 rows carry a `submission_code` (procedural-event identity); 158 distinct values. | `COUNT(*) FILTER (WHERE submission_code IS NOT NULL)` → 177; `COUNT(DISTINCT submission_code)` → 158. |
+| 102 rows carry a `legal_source`; 70 distinct citations. | Same query, `legal_source` column. |
+| 125 rows are linked to a `deadline_concepts` row via `concept_id`. | `COUNT(*) FILTER (WHERE concept_id IS NOT NULL)` → 125 (49 % of the corpus). |
+| `event_type` distribution: 130 `filing` · 77 NULL · 25 `decision` · 21 `hearing` · 1 `order`. | `SELECT event_type, count(*) GROUP BY event_type` — confirmed; the 77 NULL rows are structural / parent-only rows in the proceeding tree. |
+| 10 `submission_code` values appear on more than one row (jurisdictional / bilateral variants). | All 10 today are `_archived_litigation.*` codes (claimant/defendant splits + multi-stage hearing rows). Live non-archived codes are 1:1 with rows in the current corpus. |
+| `paliad.deadlines` joins to `deadline_rules` via column `rule_id` (uuid, FK). The text `rule_code` and free-text `custom_rule_text` (mig 122, t-paliad-258) are denormalized for display when the rule row is deleted. | `internal/services/deadline_service.go:69-127`; live column list confirms `rule_id`, `rule_code`, `custom_rule_text` — there is **no** `deadline_rule_id` column on deadlines (issue body called it `deadlines.deadline_rule_id` — that's a doc-side typo; the column is `rule_id`). |
+| `paliad.submission_drafts` keys to a procedural event via `submission_code` text — **no FK** to `deadline_rules`. | `information_schema.columns` for `submission_drafts`: `submission_code text` plus `(project_id, submission_code)` as the joint identifier. Confirms the Schriftsätze surface filters on the *text key*, not on `deadline_rules.id`. |
+| The Schriftsätze list (t-paliad-238) filters `deadline_rules` by `event_type='filing'` and `submission_code IS NOT NULL`. | `internal/handlers/submissions.go:193-211` — verbatim. |
+| The variable bag emits exactly 8 `rule.*` placeholders. | `internal/services/submission_vars.go:349-364` — `rule.submission_code`, `rule.name`, `rule.name_de`, `rule.name_en`, `rule.legal_source`, `rule.legal_source_pretty`, `rule.primary_party`, `rule.event_type`. Frontend i18n labels at `frontend/src/client/submission-draft.ts:158-185`. |
+| Admin rule-edit form binds the same `rule.X` fields. | `frontend/src/admin-rules-edit.tsx:74-110` + `frontend/src/client/admin-rules-edit.ts:253-278` — same eight columns surfaced as form inputs. |
+| The Fristenrechner client surface refers to `calc.rule.nameDE` / `calc.rule.nameEN`. | `frontend/src/client/fristenrechner.ts:1592,1655`. |
+| einstein's 2026-05-08 `proceeding_event_types` + `proceeding_event_edges` are **not** in the DB. | `SELECT table_name FROM information_schema.tables WHERE table_schema='paliad' AND table_name LIKE '%proceeding_event%'` → 0 rows. The graph-shape proposal was never built. |
+| `paliad.deadline_concepts` (57 rows in the original einstein audit; live count not directly queried this shift) still exists and is referenced via `deadline_rules.concept_id`. | `information_schema.tables` confirms `deadline_concepts`, `deadline_concept_event_types`, `deadline_event_types`, `event_types`, `trigger_events`, `event_categories` all still present — the deadline-knowledge graph from the einstein design lives on alongside the unified rule columns. |
+| Phase 2/3 columns (`priority`, `condition_expr`, `is_court_set`, `lifecycle_state`, `draft_of`, `published_at`, `rule_codes[]`) are live and load-bearing. | `internal/models/models.go:622-684` + mig 091. Slice B's structural rework must preserve every one of these on the new `sequencing_rules` table — they are not legacy. |
+| Live `paliad.deadlines` references to rules are sparse (1 row in prod). | `SELECT COUNT(*) FROM paliad.deadlines` → 1. The 4 `submission_drafts` rows reference a procedural event by `submission_code` text only. Tiny live FK surface → migrations can be aggressive without losing user data. |
+| Migration tracker is `paliad.paliad_schema_migrations`; next available number is 124 (mig 123 = Backup Mode Slice A, just shipped). | `internal/db/migrations/` directory listing; latest applied = 123. |
+
+**Doc-side bug flagged for this issue's body:** the deliverable spec writes `paliad.deadlines.deadline_rule_id` in §3 (Q3 migration shape). The live column is `paliad.deadlines.rule_id`. Slice B's rename target is therefore `paliad.deadlines.procedural_event_id`, renamed directly from `paliad.deadlines.rule_id` — there is no intermediate `deadline_rule_id` step (no such column exists). Updating the issue body is m's call — flagged here so it doesn't propagate into a coder brief. *(B.0 update 2026-05-26: issue body patched. See `docs/design-procedural-events-b0-findings-2026-05-26.md` §5.)*
+
+---
+
+## §2 m's vocabulary call (Q2 — lock the umbrella term)
+
+m proposed "procedural event" in the report. Options weighed:
+
+| Option | Reads as | Collisions | Verdict |
+|---|---|---|---|
+| **"procedural event"** (DE: "Verfahrensschritt") | Umbrella that naturally covers filings, hearings, decisions, orders. Matches lawyer mental model: "the next thing that happens in the proceeding". | None — no `paliad.procedural_event*` table or column today (verified). | **(R) — adopt as canonical.** |
+| "submission" | Today the Schriftsätze surface uses this for *filings only* (`event_type='filing'`). Expanding the meaning would silently change Slice A's semantics for an existing UI. | Surface-level collision with the Schriftsätze nomenclature already in production. | Reject — would lose precision for an existing concept. |
+| "event" / "event_type" | Existing `deadline_rules.event_type` column. | **Hard collision** with `paliad.events` (audit feed, distinct table, distinct meaning). Renaming around it would be worse than the conflation we're trying to fix. | Reject. |
+| "Verfahrensschritt" only (no English) | Cleanest German but no English fallback. | Bilingual UI (DE primary, EN secondary per project CLAUDE.md) requires both. | Reject in isolation — but **adopt as the canonical German rendering** of "procedural event". |
+| "Verfahrensereignis" | Closer literal translation of "procedural event". | None. | Reject in favor of "Verfahrensschritt" — m's broader vocabulary uses "Schritt" (e.g. "Antragsschritt") more naturally than "Ereignis", which already maps to `paliad.events` in the audit-feed sense. |
+
+**Lock:**
+
+| Surface | Canonical |
+|---|---|
+| English | **procedural event** (lowercase except sentence-initial) |
+| German | **Verfahrensschritt** (m. — der Verfahrensschritt) |
+| Plural EN | procedural events |
+| Plural DE | Verfahrensschritte |
+| Code identifier (Go struct names, TS types) | `ProceduralEvent`, `ProceduralEventKind`, `ProceduralEventTemplate` |
+| Snake-case (DB columns, JSON keys, i18n keys, placeholders) | `procedural_event`, `procedural_event_kind`, `procedural_events` (table) |
+| Slice A: variable-bag placeholder namespace | `procedural_event.*` (with `rule.*` kept as legacy alias) |
+| Slice B: table name (if shipped) | `paliad.procedural_events` |
+
+`event_type` (the column) becomes `event_kind` in Slice B — using "kind" rather than "type" to free up the word "type" for the proceeding-level taxonomy (`paliad.proceeding_types`, untouched) and to mirror the "event_type vs event_kind" disambiguation einstein hit in the 2026-05-08 doc. In Slice A the column stays `event_type` (no DB change).
+
+**Q2 is locked by inventor recommendation.** It costs nothing structurally and clears noise across every downstream conversation. If m disagrees in the head round-trip, the only thing that flips is the term — Slice A's scope shape stays.
+
+---
+
+## §3 Scope decision (Q1 — A vs B vs C)
+
+**Recommendation = (C) — cosmetic rename now, structural rework as a planned follow-up.**
+
+### Why not (A) — cosmetic only and stop
+
+(A) leaves the model wrong forever. The conflation isn't just a labelling annoyance — it makes future questions harder to answer cleanly:
+
+- "How many distinct procedural events does paliad model?" Today: ambiguous (rows vs distinct `submission_code`s vs distinct `(submission_code, proceeding_type_id)` tuples).
+- "Where can we attach a per-procedural-event Word template that's independent of which proceeding it appears in?" Today: nowhere — the FK chain forces a per-row template registry, see `internal/handlers/files.go` template fallback.
+- "Show me every sequencing rule that triggers a given procedural event across all proceedings." Today: requires joining `deadline_rules` to itself on `submission_code` + `parent_id`, brittle.
+
+If m signals (A) anyway — fine; the cosmetic-only slice is a strict subset of (C)'s Slice A and ships the same value (label clarity in the editor). But the recommendation is to write down the structural target now while the analysis is fresh.
+
+### Why not (B) — restructure immediately
+
+(B) means: one slice plan, one cutover. With:
+- 254 live rule rows,
+- 1 live `paliad.deadlines` row,
+- 4 live `submission_drafts` rows,
+- 12 Go services + 6 handlers touching `deadline_rules` + 8 placeholder strings on the wire + the admin rule-editor UI bound to the column shape,
+
+…doing this in one cutover means a big-bang migration during a downtime window. m has granted exactly one such window in recent memory (2026-05-15 for mig 091's destructive drops), and that one was constrained to a 4-column drop. A four-table restructure has a meaningfully larger blast radius; it warrants its own task with its own slice plan and its own risk review.
+
+### Why (C) — cosmetic-rename Slice A this design, structural Slice B as a separate task
+
+Three properties of (C) make it the safe call:
+
+1. **Slice A is reversible at any time** — every change is in i18n strings, Go struct comments, admin-UI page titles, and the variable-bag aliases. No DB migration. No drop. A revert is a `git revert` of the Slice A commit.
+2. **Slice B is fully designed but uncommitted** — §4 and §5 below define the target shape and migration plan, but the design doc itself ships in Slice A. m can read it, redirect it, or park it without pressure to ship it now.
+3. **The Schriftsätze surface doesn't care which slice we ship** — Slice A leaves it on `event_type='filing'`; Slice B flips it to `event_kind IN ('filing', 'reply')` over a dual-write window. Either way, the lawyer-facing behavior is unchanged.
+
+### Slice A's deliverable boundary (what gets renamed, what stays)
+
+**Renamed in Slice A:**
+
+- **i18n keys** for the admin rule-editor field labels: `admin.rules.edit.field.submission_code` → `admin.rules.edit.field.procedural_event_code`, etc. (16 keys total — `name`, `name_en`, `description`, `submission_code`, `rule_code`, `legal_source`, `primary_party`, `event_type` × DE/EN — full list in §7.1.)
+- **Variable-bag placeholder labels** in `submission-draft.ts:158-185`: the *visible label* (`{ de: "Schriftsatz-Code", en: "Submission code" }`) is unchanged for filings (filings are still Schriftsätze on that surface), but the **namespace shown next to the placeholder string** changes: lawyer sees `{{procedural_event.code}}` in the placeholder column with the same Schriftsatz-Code label and same value. The old `{{rule.submission_code}}` stays in the catalog as an "(alt)" entry pointing at the same field.
+- **Variable-bag emission** (`internal/services/submission_vars.go:351-364`): the bag emits **both** key-names for every value, so any Word template / saved draft holding `{{rule.X}}` keeps working without a touch. New templates and the in-app catalog show the canonical `{{procedural_event.X}}` name.
+- **Admin page titles + section headings**: "Regel bearbeiten" → "Verfahrensschritt bearbeiten" (DE), "Edit rule" → "Edit procedural event" (EN). "Regeln verwalten" → "Verfahrensschritte verwalten" / "Procedural events". The URL path `/admin/rules` stays — URL renames have downstream cost (bookmarks, audit log entries) and would need their own redirect slice (out of scope here).
+- **Go struct comments + service docstrings + worker-facing log lines** that refer to "the rule" → "the procedural event" where the referent is the procedural-event aspect (not the sequencing-rule aspect). Function names, type names, table name stay (Slice B handles those).
+- **The "Submission Code / Einreichung-Kennung" label** itself stays (it's the lawyer's anchor — they recognize it). The framing around it changes: it now reads as "the code that identifies this *procedural event*", not "the code attached to this *rule*".
+
+**Untouched in Slice A:**
+
+- Database schema. Table name (`paliad.deadline_rules`). Column names. FK directions. Indexes. RLS policies. Triggers. Audit log column `rule_id`.
+- Go struct names: `DeadlineRule` stays. The renames here are *prose*, not *code*. Renaming `DeadlineRule` to `ProceduralEvent` couples Slice A to Slice B's table rename — keep them decoupled.
+- JSON envelope keys on the wire (`POST /api/admin/rules/:id` still accepts `submission_code` in the body — Slice B's API rename is a breaking change with its own deprecation window).
+- URL paths (`/admin/rules`, `/api/admin/rules/:id`, `/api/projects/:id/submissions` etc.).
+- `paliad.deadlines.rule_id` FK column name.
+- The variable-bag's legacy `{{rule.X}}` keys — kept forever as aliases (cheap, zero rot).
+- The `submission_drafts` table's `submission_code` text key.
+
+This boundary makes Slice A a one-day coder shift: scoped, reversible, label-only.
+
+### What Slice B inherits
+
+Slice B inherits a codebase + a UI where every prose surface already speaks "procedural event". It also inherits a *legacy alias contract* (the dual emission in the variable bag) that gives it freedom to rename the JSON keys on the wire and the Go struct in two separate sub-slices without rushing.
+
+---
+
+## §4 Restructure schema (Q3 — if/when we ship Slice B)
+
+This is the target the eventual Slice B coder would land. **Nothing here ships in this task.**
+
+### §4.1 Three new tables (plus the rename of `deadline_rules`)
+
+```sql
+-- 1. Procedural event templates — one row per (procedural-event identity)
+--    For now the live corpus is 1:1 with non-archived submission_codes
+--    (148 of the 158 distinct codes), so we get ~177 rows minus the 10
+--    multi-row codes' duplicates. Bilateral / jurisdictional variants
+--    are modeled at the sequencing_rules layer.
+CREATE TABLE paliad.procedural_events (
+    id                  uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    code                text NOT NULL UNIQUE,        -- former submission_code
+    name                text NOT NULL,               -- DE
+    name_en             text NOT NULL,
+    description         text,
+    event_kind          text NOT NULL,               -- filing|reply|hearing|decision|order|other
+    primary_party_default text,                      -- claimant|defendant|both|court
+    legal_source_id     uuid REFERENCES paliad.legal_sources(id),
+    concept_id          uuid REFERENCES paliad.deadline_concepts(id),
+    lifecycle_state     text NOT NULL DEFAULT 'published',  -- draft|published|archived
+    draft_of            uuid REFERENCES paliad.procedural_events(id),
+    published_at        timestamptz,
+    is_active           boolean NOT NULL DEFAULT true,
+    created_at          timestamptz NOT NULL DEFAULT now(),
+    updated_at          timestamptz NOT NULL DEFAULT now()
+);
+```
+
+```sql
+-- 2. Legal sources — the source-of-law citations the procedural event
+--    anchors against. ~70 distinct values today (live corpus).
+CREATE TABLE paliad.legal_sources (
+    id              uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    citation        text NOT NULL UNIQUE,           -- "DE.PatG.102", "UPC.RoP.220.1", …
+    jurisdiction    text NOT NULL,                  -- DE|UPC|EPA|DPMA|other
+    pretty_de       text NOT NULL,                  -- "§ 102 PatG"
+    pretty_en       text NOT NULL,                  -- "Section 102 PatG"
+    notes           text,
+    created_at      timestamptz NOT NULL DEFAULT now(),
+    updated_at      timestamptz NOT NULL DEFAULT now()
+);
+```
+
+```sql
+-- 3. Sequencing rules — the timing / trigger / condition mechanics that
+--    today live alongside the procedural-event identity on deadline_rules.
+--    One row per (procedural_event × proceeding × variant). The 10
+--    "_archived_litigation.*" codes that today have 2-5 rows become
+--    2-5 sequencing_rules rows for the same procedural_events row.
+CREATE TABLE paliad.sequencing_rules (
+    id                       uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    procedural_event_id      uuid NOT NULL REFERENCES paliad.procedural_events(id),
+    proceeding_type_id       integer REFERENCES paliad.proceeding_types(id),
+    parent_id                uuid REFERENCES paliad.sequencing_rules(id),     -- structural tree, today's parent_id
+    trigger_event_id         bigint REFERENCES paliad.trigger_events(id),     -- event-rooted variant
+    duration_value           integer NOT NULL DEFAULT 0,
+    duration_unit            text NOT NULL DEFAULT 'months',
+    timing                   text DEFAULT 'after',
+    alt_duration_value       integer,
+    alt_duration_unit        text,
+    alt_rule_code            text,                 -- legacy free-text alt citation, retained
+    anchor_alt               text,
+    combine_op               text,                 -- max|min
+    condition_expr           jsonb,
+    primary_party            text,                 -- per-rule override of the procedural_event default
+    sequence_order           integer NOT NULL DEFAULT 0,
+    is_spawn                 boolean NOT NULL DEFAULT false,
+    spawn_label              text,
+    spawn_proceeding_type_id integer REFERENCES paliad.proceeding_types(id),
+    is_bilateral             boolean NOT NULL DEFAULT false,
+    is_court_set             boolean NOT NULL DEFAULT false,
+    priority                 text NOT NULL DEFAULT 'mandatory',
+    rule_code                text,                 -- legacy short-form citation, retained on the rule
+    rule_codes               text[],               -- multi-citation array (mig pre-091)
+    deadline_notes           text,
+    deadline_notes_en        text,
+    lifecycle_state          text NOT NULL DEFAULT 'published',
+    draft_of                 uuid REFERENCES paliad.sequencing_rules(id),
+    published_at             timestamptz,
+    is_active                boolean NOT NULL DEFAULT true,
+    created_at               timestamptz NOT NULL DEFAULT now(),
+    updated_at               timestamptz NOT NULL DEFAULT now()
+);
+```
+
+```sql
+-- 4. Rename downstream FK + add the link to procedural_events.
+ALTER TABLE paliad.deadlines
+    ADD COLUMN procedural_event_id uuid REFERENCES paliad.procedural_events(id),
+    ADD COLUMN sequencing_rule_id   uuid REFERENCES paliad.sequencing_rules(id);
+-- (rule_id stays as a transitional alias during the dual-write window;
+--  dropped at end of Slice B)
+```
+
+```sql
+-- 5. Submission drafts: add procedural_event_id FK alongside submission_code.
+ALTER TABLE paliad.submission_drafts
+    ADD COLUMN procedural_event_id uuid REFERENCES paliad.procedural_events(id);
+-- (submission_code stays — it's the cosmetic anchor lawyers recognize
+--  in URLs and chat, and it doubles as the procedural_events.code value)
+```
+
+### §4.2 What goes where (column-by-column map)
+
+Every column on today's `paliad.deadline_rules` lands on exactly one of the three new tables:
+
+| Today's `deadline_rules` column | Lands on | Notes |
+|---|---|---|
+| `id`, `created_at`, `updated_at` | `sequencing_rules` | The current row's identity becomes a sequencing-rule row. `procedural_events.id` is **new** — backfilled from `submission_code`. |
+| `submission_code` | `procedural_events.code` | Promoted up. Multi-row codes (10 in corpus, all `_archived_litigation.*`) collapse to one row on the new table; the 2-5 sequencing rows hang off it. |
+| `name`, `name_en`, `description` | `procedural_events` | Procedural-event identity. |
+| `primary_party` | `procedural_events.primary_party_default` AND `sequencing_rules.primary_party` | Both. The procedural event has a default party (claimant for Klage etc.); the sequencing rule can override per-jurisdiction (bilateral variants — e.g. `litigation.reply` claimant vs defendant become two sequencing rows with overridden party). |
+| `event_type` | `procedural_events.event_kind` | Hat 1, with rename to `event_kind` (term lock §2). |
+| `legal_source` | `legal_sources.citation` + FK from `procedural_events.legal_source_id` | The citation moves to its own row; the procedural event points at it. `pretty_de` / `pretty_en` materialize the existing `legalSourcePretty()` function output as columns (with the function retained as the migration source). |
+| `rule_code`, `alt_rule_code`, `rule_codes[]` | `sequencing_rules` | Short-form citation arrays stay on the sequencing rule — they're rule-specific. |
+| `proceeding_type_id`, `parent_id`, `trigger_event_id`, `spawn_proceeding_type_id`, `is_spawn`, `spawn_label`, `is_bilateral`, `is_court_set`, `combine_op` | `sequencing_rules` | Hat 3 (mechanics) — exact copies. |
+| `duration_value`, `duration_unit`, `timing`, `alt_duration_value`, `alt_duration_unit`, `anchor_alt` | `sequencing_rules` | Hat 3 (mechanics). |
+| `condition_expr` (jsonb) | `sequencing_rules` | Hat 3. The grammar from mig 091 stays. |
+| `priority`, `sequence_order` | `sequencing_rules` | Hat 3. |
+| `is_active`, `lifecycle_state`, `draft_of`, `published_at` | **BOTH** `procedural_events` AND `sequencing_rules` | A procedural event can be retired independently of any one of its sequencing variants. Backfill: copy onto both during dual-write; new rows go through the rule-editor service which writes both sides together. |
+| `concept_id` (FK to `deadline_concepts`) | `procedural_events.concept_id` | The concept layer (einstein 2026-05-08) attaches to the procedural event, not the sequencing rule. |
+| `deadline_notes`, `deadline_notes_en` | `sequencing_rules` | They're rule-specific notes ("filing the appeal in DE costs €X if you also did Y") — not procedural-event-wide. |
+
+Three columns disappear:
+
+- The semantically-overloaded part of `event_type` (renamed to `event_kind` and moved).
+- The "what is this thing" vs "how does it fire" name conflict — gone by construction.
+- Any column that exists only because of the conflation (none of today's columns are pure overhead — they all carry data — so the count stays at 38 across the three new tables).
+
+### §4.3 Indexes + RLS
+
+`paliad.can_see_project()` is the canonical RLS predicate (mig 055). None of the three new tables hold project-scoped data — they're firm-wide reference tables. RLS = none, same posture as today's `deadline_rules` (which is firm-wide and unrestricted at the row level; access control is via the `lifecycle_state='published'` filter in the read paths).
+
+Indexes inherited from today:
+
+- `paliad.legal_sources(citation)` — UNIQUE.
+- `paliad.procedural_events(code)` — UNIQUE.
+- `paliad.procedural_events(concept_id)` — for the deadline-concept join.
+- `paliad.sequencing_rules(procedural_event_id, proceeding_type_id, lifecycle_state)` — primary read path for the calculator.
+- `paliad.sequencing_rules(parent_id)` — tree walk.
+- `paliad.sequencing_rules(trigger_event_id)` — event-rooted variant.
+
+---
+
+## §5 Migration plan (Slice B — when it ships, not in this task)
+
+Phased dual-write, so the cutover is **never** a single instant where the wire format flips. m gets to roll back any one phase with a `git revert` + an `ALTER TABLE` if a phase misbehaves in prod.
+
+### §5.1 Phase 1 — Additive (no down-time)
+
+1. Create `procedural_events`, `sequencing_rules`, `legal_sources`.
+2. Backfill `legal_sources` from `DISTINCT legal_source` on `deadline_rules` (70 rows). Populate `pretty_de`/`pretty_en` by calling the existing `legalSourcePretty()` function in a one-shot SQL/Go shim during the migration. Verify `COUNT(DISTINCT legal_source FROM deadline_rules) = COUNT(*) FROM legal_sources`.
+3. Backfill `procedural_events` from `DISTINCT submission_code` on `deadline_rules WHERE submission_code IS NOT NULL`. Take `name`, `name_en`, `event_type → event_kind`, `primary_party`, `concept_id`, `description` from the lowest-`id` rule row for each code (tie-breaker: lowest `sequence_order`). Verify `COUNT(*) FROM procedural_events = COUNT(DISTINCT submission_code FROM deadline_rules WHERE submission_code IS NOT NULL)` (= 158).
+4. Backfill `sequencing_rules` 1:1 from `deadline_rules` (254 rows). FK `procedural_event_id` resolved by code lookup; sequencing-rule row inherits the `deadline_rules.id` (so existing `deadlines.rule_id` FKs continue to resolve via the new column for the dual-write window — see Phase 3).
+5. Add `paliad.deadlines.procedural_event_id` + `sequencing_rule_id` columns, backfill from `deadlines.rule_id` join.
+6. Add `paliad.submission_drafts.procedural_event_id`, backfill from `submission_code` join.
+
+This phase ships behind a feature flag (or just behind unused code) — readers + writers stay on `deadline_rules`. No behavior change.
+
+### §5.2 Phase 2 — Dual-write (no down-time)
+
+7. Update `RuleEditorService` to write to both `deadline_rules` (legacy) and (`procedural_events`, `sequencing_rules`, `legal_sources`) on every Create/Update/Publish/Archive. Audit log writes one row per side.
+8. Update read paths to **read from the new tables**, falling back to `deadline_rules` if the new row is missing (defense-in-depth during backfill catch-up).
+9. Run for ≥ 1 week (m's call on length). Compare row counts and a hash digest of the union daily — if drift, surface.
+
+### §5.3 Phase 3 — Cutover (no down-time, but reversible only via re-application of the dual-write)
+
+10. Flip read paths to **only** the new tables (`SubmissionVarsService.loadPublishedRule`, `DeadlineRuleService.*`, `SubmissionService.list`, `ProjectionService`, `FristenrechnerCalc`, etc.).
+11. Stop writing to `deadline_rules`.
+12. `paliad.deadlines.rule_id` is kept as a no-op alias for one more week; new writes go to `procedural_event_id` + `sequencing_rule_id`.
+13. `submission_drafts.submission_code` is kept as the URL anchor; the FK `procedural_event_id` is the primary join key going forward.
+
+### §5.4 Phase 4 — Drop legacy (downtime window, destructive)
+
+14. `paliad.deadline_rules_pre_<slice-B-mig>` snapshot of the entire table.
+15. DROP TABLE paliad.deadline_rules (after CASCADE-safe FK rewires).
+16. DROP COLUMN paliad.deadlines.rule_id (keep `rule_code` + `custom_rule_text` as the human-readable denormalized columns — they're the safety net for orphaned deadlines per t-paliad-258).
+
+m grants this destructive phase its own window (precedent: mig 091 on 2026-05-15). Until then, the legacy table sits dormant.
+
+### §5.5 Migration tracker
+
+- Slice B uses migration numbers 124 (Phase 1 — create tables + backfill) and onward — a 4-5 migration sequence, one per phase boundary, mirroring the Phase 2/3 slicing that shipped under t-paliad-195.
+- Each migration includes a `paliad.audit_reason = 'mig <n>: <slice-B-phase>'` set_config like mig 091 did, so the audit log captures the schema journey.
+
+---
+
+## §6 Service-layer impact
+
+### §6.1 Slice A — prose-only changes
+
+| File | Change |
+|---|---|
+| `internal/services/submission_vars.go` | `addRuleVars` → also emit `procedural_event.code`, `procedural_event.name`, `procedural_event.name_de`, `procedural_event.name_en`, `procedural_event.legal_source`, `procedural_event.legal_source_pretty`, `procedural_event.primary_party`, `procedural_event.event_kind` (8 new keys, 1:1 with the 8 existing `rule.*` keys, same values). Rename docstrings + the package-level placeholder map comment ("`rule.*`" → "`procedural_event.*` (with legacy alias `rule.*`)"). |
+| `internal/services/deadline_rule_service.go` | Top-of-file comment + struct comment renames only. Method names stay (`DeadlineRuleService`, `GetByID`, etc.). |
+| `internal/services/rule_editor_service.go` | Same. |
+| `internal/services/projection_service.go`, `deadline_service.go`, `fristenrechner.go`, `submission_draft_service.go`, `event_trigger_service.go`, `event_deadline_service.go`, `proceeding_mapping.go`, `export_service.go` | No code changes. Comments mentioning "the rule"/"rules" stay accurate as long as the file is about sequencing — only services that surface the **identity** aspect of the rule (`submission_vars.go`) need a prose pass. |
+| `internal/handlers/submissions.go` | No SQL change. Type+comment renames: the catalog response type stays `submissionListEntry` (it's still a Schriftsatz-level list); doc comments speak of "procedural events whose kind is filing" instead of "rules of type filing". |
+| `internal/handlers/admin_rules.go` | URL path stays. JSON envelope stays. Page-render comments + log-line text shift to "procedural event". |
+| `internal/handlers/submission_drafts.go`, `deadlines.go`, `fristenrechner.go` | No service-layer change. |
+
+### §6.2 Slice B — structural
+
+Mostly load-bearing; not enumerated here in detail (out of scope per (R)=C). The shape:
+
+- `RuleEditorService` splits into `ProceduralEventService` + `SequencingRuleService` + `LegalSourceService`. The Save / Publish / Archive flow on the editor coordinates all three.
+- `DeadlineRuleService.GetByID` becomes `SequencingRuleService.GetByID`; the `submission_code` lookup moves to `ProceduralEventService.GetByCode`.
+- `SubmissionVarsService.loadPublishedRule` becomes `loadPublishedProceduralEvent` and returns a triple (`event`, `defaultSequencingRule`, `legalSource`); the variable-bag emission consumes all three.
+- `ProjectionService` and the Fristenrechner calculator read from `sequencing_rules` (same column set, same logic — only the table name changes).
+- `SubmissionService.list` (handlers/submissions.go) filters `procedural_events.event_kind IN ('filing', 'reply')`.
+- Backfill orphans + audit triggers (mig 079 / 089) are re-pointed at `sequencing_rules` + a new `procedural_events_audit`.
+
+---
+
+## §7 UI / i18n impact
+
+### §7.1 i18n keys (Slice A)
+
+Existing keys (DE + EN) at `frontend/src/client/i18n.ts` lines ~2834-2920 and ~5800-5890 — surface area is *labels*, not *placeholders-in-Word*:
+
+| Old key | New key (Slice A) | DE label | EN label |
+|---|---|---|---|
+| `admin.rules.list.title` | `admin.procedural_events.list.title` | "Verfahrensschritte verwalten — Paliad" | "Manage procedural events — Paliad" |
+| `admin.rules.list.heading` | `admin.procedural_events.list.heading` | "Verfahrensschritte verwalten" | "Manage procedural events" |
+| `admin.rules.list.subtitle` | `admin.procedural_events.list.subtitle` | "Verfahrensschritte anlegen, bearbeiten und freigeben. Lifecycle: draft → published → archived." | "Create, edit and publish procedural events. Lifecycle: draft → published → archived." |
+| `admin.rules.list.new` | `admin.procedural_events.list.new` | "+ Neuer Verfahrensschritt" | "+ New procedural event" |
+| `admin.rules.col.submission_code` | `admin.procedural_events.col.code` | "Code" (drop "/ Einreichung-Kennung" — the new heading already disambiguates) | "Code" |
+| `admin.rules.col.legal_citation` | `admin.procedural_events.col.legal_source` | "Rechtsgrundlage" | "Legal source" |
+| `admin.rules.col.name` | `admin.procedural_events.col.name` | "Bezeichnung" | "Name" |
+| `admin.rules.col.proceeding` | `admin.procedural_events.col.proceeding` | "Verfahrenstyp" | "Proceeding" |
+| `admin.rules.col.priority` | `admin.procedural_events.col.priority` | "Priorität" | "Priority" |
+| `admin.rules.col.lifecycle` | `admin.procedural_events.col.lifecycle` | "Lifecycle" | "Lifecycle" |
+| `admin.rules.col.modified` | `admin.procedural_events.col.modified` | "Zuletzt geändert" | "Last modified" |
+| `admin.rules.edit.title` | `admin.procedural_events.edit.title` | "Verfahrensschritt bearbeiten — Paliad" | "Edit procedural event — Paliad" |
+| `admin.rules.edit.heading.loading` | `admin.procedural_events.edit.heading.loading` | "Verfahrensschritt laden…" | "Loading procedural event…" |
+| `admin.rules.edit.breadcrumb` | `admin.procedural_events.edit.breadcrumb` | "← Verfahrensschritte verwalten" | "← Manage procedural events" |
+| `admin.rules.edit.field.submission_code` | `admin.procedural_events.edit.field.code` | "Code (Schriftsatz-Code / Einreichung-Kennung)" — keep the parenthetical so lawyers familiar with the old label know what they're looking at. | "Code (submission / procedural-event identifier)" |
+| `admin.rules.edit.field.rule_code` | `admin.procedural_events.edit.field.short_citation` | "Rechtsgrundlage (Kurzform)" | "Legal source (short form)" |
+| `admin.rules.edit.field.legal_source` | `admin.procedural_events.edit.field.legal_source` | "Rechtsgrundlage (Langform)" | "Legal source (long form)" |
+| `admin.rules.edit.field.name` | `admin.procedural_events.edit.field.name` | "Bezeichnung (DE)" | "Name (DE)" |
+| `admin.rules.edit.field.name_en` | `admin.procedural_events.edit.field.name_en` | "Bezeichnung (EN)" | "Name (EN)" |
+| `admin.rules.edit.field.proceeding` | `admin.procedural_events.edit.field.proceeding` | "Verfahrenstyp" | "Proceeding type" |
+| `admin.rules.edit.field.trigger` | `admin.procedural_events.edit.field.trigger` | "Trigger-Ereignis" | "Trigger event" |
+| `admin.rules.edit.field.parent` | `admin.procedural_events.edit.field.parent` | "Übergeordneter Verfahrensschritt (UUID)" | "Parent procedural event (UUID)" |
+| `admin.rules.edit.field.concept` | `admin.procedural_events.edit.field.concept` | "Konzept (UUID)" | "Concept (UUID)" |
+| `admin.rules.edit.field.sequence_order` | `admin.procedural_events.edit.field.sequence_order` | "Reihenfolge" | "Order" |
+| `admin.rules.edit.field.duration_value` | `admin.procedural_events.edit.field.duration_value` | "Dauer" | "Duration" |
+| `admin.rules.edit.field.primary_party` | `admin.procedural_events.edit.field.primary_party` | "Partei (typisch)" | "Primary party" |
+| `admin.rules.edit.field.event_type` | `admin.procedural_events.edit.field.event_kind` | "Art des Verfahrensschritts" | "Procedural-event kind" |
+| `admin.rules.edit.field.description` | `admin.procedural_events.edit.field.description` | "Beschreibung" | "Description" |
+
+**Legacy keys retained as aliases** so any existing translation imports or external integrations keep working — old keys point at the same DE/EN values during a deprecation window of one full Slice B cycle.
+
+### §7.2 Variable-bag placeholders (Slice A)
+
+`frontend/src/client/submission-draft.ts:155-185` — the catalog of placeholders the lawyer sees in the sidebar:
+
+| Old placeholder (kept as legacy alias) | New canonical placeholder | DE label | EN label |
+|---|---|---|---|
+| `{{rule.submission_code}}` | `{{procedural_event.code}}` | "Code (Verfahrensschritt)" | "Code (procedural event)" |
+| `{{rule.name}}` | `{{procedural_event.name}}` | "Bezeichnung" | "Name" |
+| `{{rule.name_de}}` | `{{procedural_event.name_de}}` | "Bezeichnung (DE)" | "Name (DE)" |
+| `{{rule.name_en}}` | `{{procedural_event.name_en}}` | "Bezeichnung (EN)" | "Name (EN)" |
+| `{{rule.legal_source}}` | `{{procedural_event.legal_source}}` | "Rechtsgrundlage (Code)" | "Legal source (code)" |
+| `{{rule.legal_source_pretty}}` | `{{procedural_event.legal_source_pretty}}` | "Rechtsgrundlage" | "Legal source" |
+| `{{rule.primary_party}}` | `{{procedural_event.primary_party}}` | "Partei (typisch)" | "Primary party" |
+| `{{rule.event_type}}` | `{{procedural_event.event_kind}}` | "Art des Verfahrensschritts" | "Procedural-event kind" |
+
+The catalog renders the canonical name in the "copy-this-placeholder" button. The variable bag (`submission_vars.go`) emits both names with identical values, so any Word template the lawyer already has continues to work; new templates are encouraged to use the canonical name.
+
+### §7.3 Admin rule-editor form (Slice A)
+
+`frontend/src/admin-rules-edit.tsx:74-110` — i18n key rebinds + heading text update. The DOM `id` attributes (`f-submission-code`, `f-rule-code`, `f-legal-source`, …) stay — they're internal, the rename here is cosmetic, the form still POSTs the same JSON envelope (Slice A doesn't touch the API). The fieldset `legend` for the "Identität" section changes to "Verfahrensschritt-Identität" (DE) / "Procedural-event identity" (EN). The "Verfahren & Trigger" section heading stays — that section is about sequencing, and Slice A doesn't rename sequencing-level labels (those are Slice B).
+
+### §7.4 Project-detail Schriftsätze tab + dashboard
+
+`frontend/src/client/submissions.ts`, `submissions-index.ts`: no surface-level label change in Slice A. The Schriftsätze tab continues to show Schriftsätze (the lawyer's preferred term for *filings specifically*). The tab is a filtered view onto procedural events of kind `filing`/`reply` — that distinction surfaces only in admin contexts.
+
+### §7.5 Help text + docs
+
+A short addition to the in-app help: "What is a procedural event?" — one-paragraph definition explaining the umbrella term, with examples (Klage, Klageerwiderung, mündliche Verhandlung, Endurteil). Stored in `frontend/src/client/i18n.ts` under `help.procedural_events.intro`. Out of scope for the URL/router changes — added as static copy where it fits naturally.
+
+---
+
+## §8 Slice plan
+
+### §8.1 Slice A (this design's downstream task)
+
+**Scope:** prose-only rename per §3 ("renamed in Slice A" list).
+
+**Mechanics:**
+
+1. Add 8 new placeholder keys to the variable bag in `submission_vars.go` (1:1 with the existing 8 `rule.*` keys). Keep the legacy keys.
+2. Update `frontend/src/client/submission-draft.ts` placeholder catalog labels.
+3. Rebind admin i18n keys per §7.1 (with legacy keys retained).
+4. Update admin page titles + section headings.
+5. Update Go struct comments + service docstrings in `submission_vars.go`, `deadline_rule_service.go`, `rule_editor_service.go`, `submission_draft_service.go`, `submissions.go` handler. No code-flow change.
+6. Update `internal/handlers/submissions.go` doc comments.
+7. Add a short `docs/glossary.md` entry (or extend an existing one) for "procedural event" / "Verfahrensschritt" — single source of truth for the term.
+8. Tests: rename strings in existing test fixtures + add a regression test that the variable bag emits **both** the legacy `rule.X` and the canonical `procedural_event.X` keys with the same value. (Critical — without this test, a future commit could drop the legacy alias and silently break user templates.)
+9. Manual smoke: open the admin rule editor, confirm the new title appears. Open the submission-draft editor, confirm both `{{rule.X}}` and `{{procedural_event.X}}` placeholders are listed (with canonical first). Generate a `.docx` from a project using each placeholder name — both render identically.
+
+**Risk:** very low. No DB change, no API change, fully reversible.
+
+**No hours estimate per project CLAUDE.md.**
+
+### §8.2 Slice B (separate mai task — designed here, hired later)
+
+**Scope:** structural rework per §4 + §5.
+
+**Mechanics:** Phase 1 → Phase 4 per §5.
+
+**Prerequisite:** m greenlights via a new mai task with this doc + §11's open items addressed. **Not part of Slice A.**
+
+**Sub-slices (suggested for Slice B's own task):**
+
+- **B.0** — Re-validate this doc's premises against live DB (numbers shift over weeks).
+- **B.1** — Phase 1 additive migration + backfill (mig 124).
+- **B.2** — Phase 2 dual-write + read-fallback.
+- **B.3** — Phase 3 read cutover (no schema change).
+- **B.4** — Phase 4 destructive drop (downtime window).
+- **B.5** — Rename Go types `DeadlineRule` → `SequencingRule` + `ProceduralEvent`; rename JSON API envelope keys with a deprecation header. Independent of B.4.
+- **B.6** — Rename admin URL paths `/admin/rules` → `/admin/procedural-events` with redirects. Optional / low-priority.
+
+### §8.3 Why splitting is the right call
+
+The conflation is real, but the *fix* for the most-painful surface (the editor sidebar) is independent of the table restructure. Splitting lets m ship the fix this week, see whether the prose change alone resolves enough of the cognitive friction, and then decide whether the structural rework is still worth the migration cost. If after Slice A m says "this reads fine now, B isn't worth it", that's a legitimate outcome — Slice B is a *good* refactor, not an *urgent* one.
+
+---
+
+## §9 Risk assessment
+
+### §9.1 Slice A risks
+
+| Risk | Likelihood | Severity | Mitigation |
+|---|---|---|---|
+| Lawyer's existing Word template has `{{rule.submission_code}}` baked in; a future commit drops the legacy alias and breaks templates. | Low (Slice A keeps the alias) | High if it happens | Regression test (§8.1 step 8) asserts both keys emit. Add an audit-log line on every variable-bag call recording which keys were consumed by the merge engine — gives a 30-day window of evidence before we'd consider deprecating the legacy keys. |
+| i18n key rename misses a binding, leaving an English string visible to a DE user. | Medium | Low | The build pipeline (`bun test` / `bun build`) fails on missing i18n keys in `i18n-keys.ts`. Add the new keys to the type union; leave the old keys in the union with `@deprecated` JSDoc. |
+| Renamed admin page heading confuses returning admin users ("Where did 'Regeln verwalten' go?"). | Medium | Low | One-time changelog entry; the URL `/admin/rules` is unchanged so muscle memory still lands them on the page. Internal users only (whitelist-gated). |
+| Slice A reads as "we're done" and Slice B never ships. | Medium | Medium (the model stays wrong) | This doc files the Slice B design as a separate task entry **before** Slice A merges, so the to-do is visible. m's call whether to schedule it. |
+
+### §9.2 Slice B risks (deferred; recorded for the future task)
+
+| Risk | Mitigation |
+|---|---|
+| Backfill collapses too eagerly: 10 multi-row submission_codes today are `_archived_litigation.*` — confirm they should collapse into one procedural event with 2-5 sequencing variants, vs. each row becoming its own procedural event. | The `_archived_litigation.*` codes are archived per their prefix — collapse is safe. **Decision-flag for Slice B's own design pass.** |
+| `deadline_concepts` linkage (125 of 254 rules link to a concept) — does the concept attach to the procedural event or the sequencing rule? §4.2 says procedural event; verify this is right when re-validating premises in B.0. | Read-path audit: every consumer that joins `deadline_rules.concept_id` (rule_editor, projection, fristenrechner) operates on the rule-level today. Reconfirm none of them depend on per-jurisdiction concept-attachment. |
+| The dual-write window introduces drift if a write hits one side and fails on the other. | Atomicity via single transaction per write in `RuleEditorService`. Daily drift-check job (one SELECT pair, alert if mismatched). |
+| `paliad.deadlines.rule_id` (1 live row, but more in future) — backfilling `procedural_event_id` + `sequencing_rule_id` must not orphan the live row. | The 1 live row joins cleanly. Backfill in the same migration that adds the new columns. |
+| The submission-draft `submission_code` text key — what if two `procedural_events.code` values collide post-rename (e.g. a draft was saved against a code that we then archive)? | Slice B Phase 1 enforces `procedural_events.code UNIQUE`; the backfill verifies no collision on the existing 158 distinct values. Drafts with codes that no longer exist as published procedural events are handled by the existing `submission_drafts.submission_code` text fallback (no FK enforcement). |
+| Slice B's API-key rename (`submission_code` → `code` in JSON) breaks external integrations. | None exist today (paliad is internal-only); add a one-Slice deprecation header (`X-Deprecated-Field: submission_code`) before flipping. |
+| **Coordination risk with future fristen/calculator work.** The Fristenrechner calculator reads `deadline_rules` directly today. Slice B Phase 2's read-fallback handles this, but a parallel calculator feature in flight could land changes that need re-merging. | B.0's job: confirm no in-flight task touches `deadline_rules` table shape before scheduling. |
+
+### §9.3 What rolls Slice A back
+
+`git revert <slice-a-commit>` + reload. Zero data side-effects (no DB writes). 30 seconds.
+
+### §9.4 What rolls Slice B back
+
+Per phase — Phases 1-3 reversible via reverting code + `DROP TABLE`. Phase 4 reversible only by restoring `deadline_rules` from the `_pre_<n>` snapshot taken at the start of Phase 4. Same posture as mig 091 — m's call when to commit to this point.
+
+---
+
+## §10 Out of scope
+
+- **Renaming `paliad.events`** (the audit feed). Distinct table, distinct concept. The umbrella-term lock (§2) deliberately uses "procedural event" not "event" to avoid colliding with it.
+- **Renaming `paliad.deadline_concepts`** to align with the procedural-event taxonomy. The concept layer is the cross-proceeding semantic bridge (einstein 2026-05-08 Q5); the relationship "procedural event has-a concept" already reads cleanly under the new term.
+- **Per-jurisdiction variations of the same procedural event** (issue body's explicit out-of-scope). The 10 multi-row codes in the corpus today stay multi-row.
+- **Multi-tenant / cross-firm sharing of procedural events** — paliad is single-tenant per deploy via `FIRM_NAME`; cross-firm is a separate design.
+- **einstein's `proceeding_event_edges` graph proposal.** That design proposed a graph of typed event-types connected by typed edges. This design's procedural-events / sequencing-rules split is **compatible** with that graph shape (the edges would attach to procedural-event-IDs rather than sequencing-rule-IDs), but the graph layer is a Slice C, not Slice B. Flagged for future continuity, not part of either slice here.
+- **Renaming Go type `DeadlineRule` to `SequencingRule` or `ProceduralEvent` in Slice A.** Slice A is prose; Slice B's B.5 sub-slice handles the type rename. Coupling them costs the reversibility property.
+- **API-envelope key renames** (`submission_code` → `code`, `event_type` → `event_kind` on the wire). Slice B only.
+- **URL path renames** (`/admin/rules` → `/admin/procedural-events`). Slice B.6, optional.
+- **Touching `paliad.trigger_events`** beyond keeping the FK path open (today `deadline_rules.trigger_event_id`; Slice B maps to `sequencing_rules.trigger_event_id`).
+- **Touching `paliad.event_categories` / Pathway-B navigation.** Independent layer.
+
+---
+
+## §11 Open questions for m (escalated via `mai instruct head` per project CLAUDE.md)
+
+Per project CLAUDE.md "Head answers questions — NO AskUserQuestion" rule, these are surfaced to head, not picked-as-chip with the user.
+
+| ID | Question | Inventor recommendation | Material to head? |
+|---|---|---|---|
+| **Q1** | Scope: cosmetic-only (A) · full restructure (B) · cosmetic now + B as planned follow-up (C). | **(R) = C** | Yes — material. Defines whether Slice B is hired today or filed as a future task. |
+| **Q2** | Umbrella term: "procedural event" (DE: Verfahrensschritt) · "submission" (filings only) · "Verfahrensereignis" · other. | **(R) = procedural event / Verfahrensschritt** | Yes — material. The term ripples through every label in §7. Inventor's pick is the canonical choice; head can override with a single message. |
+| **Q3** | Slice B migration shape: confirmed (§4 + §5) or rescope. | **(R) = §4 + §5 as written, decision deferred until Slice B is hired** | No — informational. Locked when Slice B's own design pass runs. |
+| **Q4** | Effect on Schriftsätze surface: filter `procedural_events.event_kind IN ('filing', 'reply')` is acceptable replacement for today's `event_type='filing'`. | **(R) = yes, semantically equivalent under Slice B; no behavior change to lawyer.** | No — informational. |
+| **Q5** | Are the 10 archived multi-row submission_codes (`_archived_litigation.*`) safe to collapse into single procedural events with multiple sequencing variants in Slice B? | **(R) = yes, prefix indicates archival; collapse-safe.** | No — informational, defers to Slice B. |
+| **Q6** | `concept_id` attaches to procedural event, not sequencing rule. Confirmable? | **(R) = yes, per §4.2 (one concept per identity, not per jurisdiction).** | No — informational, defers to Slice B. |
+| **Q7** | Keep the legacy `{{rule.X}}` placeholder aliases **forever**, or set a deprecation horizon (e.g. 1 year)? | **(R) = forever, with `@deprecated` annotation in the catalog. Removing them risks breaking lawyer-authored templates that paliad doesn't see.** | Yes — material to Slice A's contract (test in §8.1 step 8 asserts both keys emit). |
+| **Q8** | Document side: update m/paliad#93 issue body to fix the `deadlines.deadline_rule_id` → `deadlines.rule_id` typo (§1 last paragraph). | **(R) = yes, head's call when to edit.** | No — informational, doc hygiene. |
+| **Q9** | After Slice A ships, do we file Slice B as a new mai task **now** (so it's visible), or wait for m to ask? | **(R) = file now, status:planning, no owner. Visibility >> deferred surprise.** | Yes — material to "does the model stay wrong forever". |
+
+Q1, Q2, Q7, Q9 are the four head needs to answer before the coder shift. Q3-Q6, Q8 defer cleanly.
+
+---
+
+## §12 Appendix — verbatim m quote
+
+From m's report 2026-05-25 15:02 (paliad#93 body):
+
+> This shows how our 'rule' table system may need a revision?! It feels like we are rule based not submission based. But here we have a specific submission that is connected to a rule (as in: legal norm). And of course also connected to other 'procedural events' (which is a good term for it all) by rules how they are sequenced. But it makes it sound weird in the fields...
+
+The design above takes m's three-way split — *the procedural event* / *the legal norm* / *the rule by which they are sequenced* — at face value and turns it into a column-level map (§4.2), a slice plan (§8), and a deprecation contract (§9.1).
+
+---
+
+*End of design.*

frontend/build.ts

@@ -40,13 +40,13 @@ import { renderAdminTeam } from "./src/admin-team";
 import { renderAdminAuditLog } from "./src/admin-audit-log";
 import { renderAdminPartnerUnits } from "./src/admin-partner-units";
 import { renderAdminEmailTemplates } from "./src/admin-email-templates";
+import { renderAdminSubmissionBuildingBlocks } from "./src/admin-submission-building-blocks";
 import { renderAdminEmailTemplatesEdit } from "./src/admin-email-templates-edit";
 import { renderAdminEventTypes } from "./src/admin-event-types";
 import { renderAdminApprovalPolicies } from "./src/admin-approval-policies";
 import { renderAdminBroadcasts } from "./src/admin-broadcasts";
 import { renderAdminRulesList } from "./src/admin-rules-list";
 import { renderAdminRulesEdit } from "./src/admin-rules-edit";
-import { renderAdminRulesExport } from "./src/admin-rules-export";
 import { renderPaliadin } from "./src/paliadin";
 import { renderAdminPaliadin } from "./src/admin-paliadin";
 import { renderAdminBackups } from "./src/admin-backups";
@@ -279,12 +279,12 @@ async function build() {
       join(import.meta.dir, "src/client/admin-partner-units.ts"),
       join(import.meta.dir, "src/client/admin-email-templates.ts"),
       join(import.meta.dir, "src/client/admin-email-templates-edit.ts"),
+      join(import.meta.dir, "src/client/admin-submission-building-blocks.ts"),
       join(import.meta.dir, "src/client/admin-event-types.ts"),
       join(import.meta.dir, "src/client/admin-approval-policies.ts"),
       join(import.meta.dir, "src/client/admin-broadcasts.ts"),
       join(import.meta.dir, "src/client/admin-rules-list.ts"),
       join(import.meta.dir, "src/client/admin-rules-edit.ts"),
-      join(import.meta.dir, "src/client/admin-rules-export.ts"),
       join(import.meta.dir, "src/client/paliadin.ts"),
       // t-paliad-161 — inline Paliadin widget. Loaded via the
       // PaliadinWidget component on every authenticated page, so the
@@ -411,12 +411,12 @@ async function build() {
   await Bun.write(join(DIST, "admin-partner-units.html"), renderAdminPartnerUnits());
   await Bun.write(join(DIST, "admin-email-templates.html"), renderAdminEmailTemplates());
   await Bun.write(join(DIST, "admin-email-templates-edit.html"), renderAdminEmailTemplatesEdit());
+  await Bun.write(join(DIST, "admin-submission-building-blocks.html"), renderAdminSubmissionBuildingBlocks());
   await Bun.write(join(DIST, "admin-event-types.html"), renderAdminEventTypes());
   await Bun.write(join(DIST, "admin-approval-policies.html"), renderAdminApprovalPolicies());
   await Bun.write(join(DIST, "admin-broadcasts.html"), renderAdminBroadcasts());
   await Bun.write(join(DIST, "admin-rules-list.html"), renderAdminRulesList());
   await Bun.write(join(DIST, "admin-rules-edit.html"), renderAdminRulesEdit());
-  await Bun.write(join(DIST, "admin-rules-export.html"), renderAdminRulesExport());
   await Bun.write(join(DIST, "paliadin.html"), renderPaliadin());
   await Bun.write(join(DIST, "admin-paliadin.html"), renderAdminPaliadin());
   await Bun.write(join(DIST, "admin-backups.html"), renderAdminBackups());

frontend/src/admin-rules-export.tsx

@@ -1,80 +0,0 @@
-import { h } from "./jsx";
-import { Sidebar } from "./components/Sidebar";
-import { PaliadinWidget } from "./components/PaliadinWidget";
-import { BottomNav } from "./components/BottomNav";
-import { Footer } from "./components/Footer";
-import { PWAHead } from "./components/PWAHead";
-
-// /admin/rules/export — Slice 11b (t-paliad-192). Surfaces the
-// GET /admin/api/rules/export-migrations endpoint as a SQL preview the
-// editor can copy or download. Optional ?since=<audit-id> query lets
-// the editor scope the export to a particular audit window — empty =
-// every un-exported audit row.
-export function renderAdminRulesExport(): string {
-  return "<!DOCTYPE html>" + (
-    <html lang="de">
-      <head>
-        <meta charset="UTF-8" />
-        <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
-        <meta name="theme-color" content="#BFF355" />
-        <meta name="apple-mobile-web-app-capable" content="yes" />
-        <meta name="apple-mobile-web-app-status-bar-style" content="default" />
-        <PWAHead />
-        <title data-i18n="admin.rules.export.title">Regel-Migrations exportieren &mdash; Paliad</title>
-        <link rel="stylesheet" href="/assets/global.css" />
-      </head>
-      <body className="has-sidebar">
-        <Sidebar currentPath="/admin/rules" />
-        <BottomNav currentPath="/admin/rules" />
-
-        <main>
-          <section className="tool-page">
-            <div className="container">
-              <div className="tool-header">
-                <div>
-                  <p className="admin-rules-breadcrumb">
-                    <a href="/admin/rules" data-i18n="admin.rules.export.breadcrumb">&larr; Regeln verwalten</a>
-                  </p>
-                  <h1 data-i18n="admin.rules.export.heading">Regel-Migrations exportieren</h1>
-                  <p className="tool-subtitle" data-i18n="admin.rules.export.subtitle">
-                    Generiert ein <code>*.up.sql</code>-Blob mit allen unsynchronisierten Audit-Ver&auml;nderungen.
-                    Manuell in <code>internal/db/migrations/</code> einchecken.
-                  </p>
-                </div>
-              </div>
-
-              <div className="admin-rules-export-controls">
-                <div className="form-field">
-                  <label htmlFor="export-since" data-i18n="admin.rules.export.field.since">Startend ab Audit-ID (optional)</label>
-                  <input type="text" id="export-since" className="admin-rules-input" placeholder="UUID, leer = alle un-exportierten" />
-                </div>
-                <button type="button" id="export-run" className="btn-primary" data-i18n="admin.rules.export.run">
-                  Export generieren
-                </button>
-                <button type="button" id="export-download" className="btn-secondary" style="display:none" data-i18n="admin.rules.export.download">
-                  Als Datei herunterladen
-                </button>
-                <button type="button" id="export-copy" className="btn-secondary" style="display:none" data-i18n="admin.rules.export.copy">
-                  In Zwischenablage kopieren
-                </button>
-              </div>
-
-              <div id="export-feedback" className="form-msg" style="display:none" />
-
-              <div className="admin-rules-export-summary" id="export-summary" style="display:none">
-                <span id="export-summary-count" />
-                <span id="export-summary-latest" />
-              </div>
-
-              <pre id="export-output" className="admin-rules-export-pre" />
-            </div>
-          </section>
-        </main>
-
-        <Footer />
-        <PaliadinWidget />
-        <script src="/assets/admin-rules-export.js"></script>
-      </body>
-    </html>
-  );
-}

frontend/src/admin-rules-list.tsx

@@ -39,9 +39,6 @@ export function renderAdminRulesList(): string {
                   </p>
                 </div>
                 <div className="admin-rules-header-actions">
-                  <a href="/admin/rules/export" className="btn-secondary" data-i18n="admin.rules.list.export">
-                    Migrations exportieren
-                  </a>
                   <button type="button" id="rules-new-btn" className="btn-primary" data-i18n="admin.rules.list.new">
                     + Neue Regel
                   </button>

frontend/src/admin-submission-building-blocks.tsx

@@ -0,0 +1,77 @@
+import { h } from "./jsx";
+import { Sidebar } from "./components/Sidebar";
+import { PaliadinWidget } from "./components/PaliadinWidget";
+import { BottomNav } from "./components/BottomNav";
+import { Footer } from "./components/Footer";
+import { PWAHead } from "./components/PWAHead";
+
+// /admin/submission-building-blocks — Composer building-blocks library
+// editor (t-paliad-315 Slice C). Three-pane layout: list on the left,
+// edit form in the middle, version log on the right. Hydrated by
+// client/admin-submission-building-blocks.ts from
+// GET /api/admin/submission-building-blocks.
+
+export function renderAdminSubmissionBuildingBlocks(): string {
+  return "<!DOCTYPE html>" + (
+    <html lang="de">
+      <head>
+        <meta charset="UTF-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
+        <meta name="theme-color" content="#BFF355" />
+        <meta name="apple-mobile-web-app-capable" content="yes" />
+        <meta name="apple-mobile-web-app-status-bar-style" content="default" />
+        <PWAHead />
+        <title data-i18n="admin.building_blocks.title">Bausteine &mdash; Paliad</title>
+        <link rel="stylesheet" href="/assets/global.css" />
+      </head>
+      <body className="has-sidebar">
+        <Sidebar currentPath="/admin/submission-building-blocks" />
+        <BottomNav currentPath="/admin/submission-building-blocks" />
+
+        <main>
+          <section className="tool-page">
+            <div className="container">
+              <div className="tool-header">
+                <div>
+                  <h1 data-i18n="admin.building_blocks.heading">Bausteine</h1>
+                  <p className="tool-subtitle" data-i18n="admin.building_blocks.subtitle">
+                    Wiederverwendbare Textbausteine f&uuml;r Composer-Abschnitte.
+                  </p>
+                </div>
+                <div className="tool-header-actions">
+                  <button
+                    type="button"
+                    id="admin-bb-new-btn"
+                    className="btn-primary btn-cta-lime"
+                    data-i18n="admin.building_blocks.action.new">
+                    + Neuer Baustein
+                  </button>
+                </div>
+              </div>
+
+              <div id="admin-bb-feedback" className="form-msg" style="display:none" />
+
+              <div className="admin-bb-layout">
+                <aside className="admin-bb-list" id="admin-bb-list">
+                  <div className="admin-bb-loading" data-i18n="admin.building_blocks.loading">L&auml;dt&hellip;</div>
+                </aside>
+
+                <section className="admin-bb-editor" id="admin-bb-editor">
+                  <p className="admin-bb-empty" data-i18n="admin.building_blocks.editor.empty">
+                    W&auml;hlen Sie einen Baustein aus der Liste &mdash; oder erstellen Sie einen neuen.
+                  </p>
+                </section>
+
+                <aside className="admin-bb-versions" id="admin-bb-versions" />
+              </div>
+            </div>
+          </section>
+        </main>
+
+        <Footer />
+        <PaliadinWidget />
+        <script src="/assets/admin-submission-building-blocks.js"></script>
+      </body>
+    </html>
+  );
+}

frontend/src/client/admin-rules-export.ts

@@ -1,100 +0,0 @@
-import { initI18n, t } from "./i18n";
-import { initSidebar } from "./sidebar";
-
-// admin-rules-export.ts — /admin/rules/export. Calls
-// GET /admin/api/rules/export-migrations[?since=<uuid>] and renders the
-// SQL blob server-side. Download builds a Blob URL and triggers a
-// fake <a> click; copy uses navigator.clipboard.
-
-interface ExportResult {
-  migration_sql: string;
-  count: number;
-  latest_audit_id: string;
-}
-
-let latest: ExportResult | null = null;
-
-function showFeedback(msg: string, isError: boolean) {
-  const el = document.getElementById("export-feedback") as HTMLElement | null;
-  if (!el) return;
-  el.textContent = msg;
-  el.className = "form-msg " + (isError ? "form-msg-error" : "form-msg-success");
-  el.style.display = "block";
-  if (!isError) setTimeout(() => { el.style.display = "none"; }, 4000);
-}
-
-async function runExport() {
-  const since = (document.getElementById("export-since") as HTMLInputElement).value.trim();
-  const qs = new URLSearchParams();
-  if (since) qs.set("since", since);
-  const url = "/admin/api/rules/export-migrations" + (qs.toString() ? "?" + qs.toString() : "");
-  const out = document.getElementById("export-output") as HTMLElement;
-  const summary = document.getElementById("export-summary") as HTMLElement;
-  const dl = document.getElementById("export-download") as HTMLElement;
-  const cp = document.getElementById("export-copy") as HTMLElement;
-  out.textContent = t("admin.rules.export.running") || "Lade...";
-  summary.style.display = "none";
-  dl.style.display = "none";
-  cp.style.display = "none";
-
-  const resp = await fetch(url);
-  if (!resp.ok) {
-    const body = await resp.json().catch(() => ({ error: resp.statusText }));
-    showFeedback(body.error || (t("admin.rules.export.error") || "Export fehlgeschlagen."), true);
-    out.textContent = "";
-    return;
-  }
-  latest = await resp.json() as ExportResult;
-  out.textContent = latest.migration_sql;
-  summary.style.display = "";
-  const countEl = document.getElementById("export-summary-count") as HTMLElement;
-  const latestEl = document.getElementById("export-summary-latest") as HTMLElement;
-  countEl.textContent = (t("admin.rules.export.count") || "Audit-Zeilen: {n}").replace("{n}", String(latest.count));
-  if (latest.latest_audit_id) {
-    latestEl.textContent = (t("admin.rules.export.latest") || "Letzte Audit-ID: {id}").replace("{id}", latest.latest_audit_id);
-  } else {
-    latestEl.textContent = "";
-  }
-  if (latest.count > 0) {
-    dl.style.display = "";
-    cp.style.display = "";
-    showFeedback((t("admin.rules.export.ok") || "{n} Audit-Zeilen exportiert.").replace("{n}", String(latest.count)), false);
-  } else {
-    showFeedback(t("admin.rules.export.no_pending") || "Keine offenen Audit-Zeilen zum Export.", false);
-  }
-}
-
-function downloadFile() {
-  if (!latest) return;
-  const ts = new Date().toISOString().replace(/[:.]/g, "-").slice(0, 19);
-  const name = `rules-export-${ts}.up.sql`;
-  const blob = new Blob([latest.migration_sql], { type: "application/sql" });
-  const url = URL.createObjectURL(blob);
-  const a = document.createElement("a");
-  a.href = url;
-  a.download = name;
-  document.body.appendChild(a);
-  a.click();
-  document.body.removeChild(a);
-  URL.revokeObjectURL(url);
-}
-
-async function copyToClipboard() {
-  if (!latest) return;
-  try {
-    await navigator.clipboard.writeText(latest.migration_sql);
-    showFeedback(t("admin.rules.export.copied") || "In Zwischenablage kopiert.", false);
-  } catch (e) {
-    showFeedback(t("admin.rules.export.copy_failed") || "Kopieren fehlgeschlagen.", true);
-  }
-}
-
-function init() {
-  initI18n();
-  initSidebar();
-  (document.getElementById("export-run") as HTMLElement).addEventListener("click", runExport);
-  (document.getElementById("export-download") as HTMLElement).addEventListener("click", downloadFile);
-  (document.getElementById("export-copy") as HTMLElement).addEventListener("click", copyToClipboard);
-}
-
-document.addEventListener("DOMContentLoaded", init);

frontend/src/client/admin-submission-building-blocks.ts

@@ -0,0 +1,429 @@
+import { initI18n, t, getLang } from "./i18n";
+import { initSidebar } from "./sidebar";
+
+function isEN(): boolean { return getLang() === "en"; }
+
+// /admin/submission-building-blocks — Composer building-blocks admin
+// editor (t-paliad-315 Slice C). Three-pane layout: list → editor →
+// version log. CRUD via /api/admin/submission-building-blocks/*.
+//
+// Per Q2 ratification (m, 2026-05-26): building blocks are plain text
+// paste sources. The editor here is curator-only — no per-section
+// lineage to surface, no "where is this block used" view.
+
+interface BuildingBlockJSON {
+  id: string;
+  slug: string;
+  firm?: string | null;
+  section_key: string;
+  proceeding_family?: string | null;
+  title_de: string;
+  title_en: string;
+  description_de?: string | null;
+  description_en?: string | null;
+  content_md_de: string;
+  content_md_en: string;
+  author_id?: string | null;
+  visibility: string;
+  is_published: boolean;
+  created_at: string;
+  updated_at: string;
+}
+
+interface VersionJSON {
+  id: string;
+  building_block_id: string;
+  content_md_de: string;
+  content_md_en: string;
+  title_de: string;
+  title_en: string;
+  edited_by?: string | null;
+  note?: string | null;
+  created_at: string;
+}
+
+const VISIBILITIES = ["private", "team", "firm", "global"];
+
+// Section keys must match what the Composer base spec declares for
+// each section (see internal/db/migrations/146_submission_bases.up.sql).
+const SECTION_KEYS = [
+  "letterhead", "caption", "introduction", "requests",
+  "facts", "legal_argument", "evidence", "exhibits",
+  "closing", "signature",
+];
+
+const state = {
+  blocks: [] as BuildingBlockJSON[],
+  selectedID: null as string | null,
+  versions: [] as VersionJSON[],
+  dirty: false,
+};
+
+async function boot(): Promise<void> {
+  initI18n();
+  initSidebar();
+  await loadList();
+  document.getElementById("admin-bb-new-btn")?.addEventListener("click", onNew);
+}
+
+async function loadList(): Promise<void> {
+  try {
+    const res = await fetch("/api/admin/submission-building-blocks", { credentials: "include" });
+    if (!res.ok) {
+      feedback(`HTTP ${res.status}`, true);
+      return;
+    }
+    const body = await res.json() as { blocks?: BuildingBlockJSON[] };
+    state.blocks = body.blocks ?? [];
+    paintList();
+  } catch (err) {
+    feedback(String(err), true);
+  }
+}
+
+function paintList(): void {
+  const host = document.getElementById("admin-bb-list");
+  if (!host) return;
+  host.innerHTML = "";
+  if (state.blocks.length === 0) {
+    const empty = document.createElement("p");
+    empty.className = "admin-bb-empty";
+    empty.textContent = isEN() ? "No blocks yet." : "Noch keine Bausteine.";
+    host.appendChild(empty);
+    return;
+  }
+  for (const b of state.blocks) {
+    const row = document.createElement("button");
+    row.type = "button";
+    row.className = "admin-bb-list-row";
+    if (b.id === state.selectedID) row.classList.add("admin-bb-list-row--active");
+    const title = isEN() ? b.title_en : b.title_de;
+    row.innerHTML = `
+      <span class="admin-bb-list-title">${escapeHTML(title || b.slug)}</span>
+      <span class="admin-bb-list-meta">
+        <span class="admin-bb-list-section">${escapeHTML(b.section_key)}</span>
+        <span class="admin-bb-list-vis admin-bb-list-vis--${escapeHTML(b.visibility)}">${escapeHTML(b.visibility)}</span>
+        ${b.is_published ? "" : `<span class="admin-bb-list-draft">${isEN() ? "draft" : "Entwurf"}</span>`}
+      </span>`;
+    row.addEventListener("click", () => onSelect(b.id));
+    host.appendChild(row);
+  }
+}
+
+async function onSelect(id: string): Promise<void> {
+  state.selectedID = id;
+  state.dirty = false;
+  paintList();
+  const b = state.blocks.find(x => x.id === id);
+  if (!b) return;
+  paintEditor(b);
+  await loadVersions(id);
+}
+
+function onNew(): void {
+  state.selectedID = null;
+  state.versions = [];
+  state.dirty = false;
+  paintList();
+  paintEditor(null);
+  paintVersions();
+}
+
+function paintEditor(b: BuildingBlockJSON | null): void {
+  const host = document.getElementById("admin-bb-editor");
+  if (!host) return;
+  const isNew = b === null;
+  const data = b ?? {
+    id: "",
+    slug: "",
+    firm: "",
+    section_key: "requests",
+    proceeding_family: "",
+    title_de: "",
+    title_en: "",
+    description_de: "",
+    description_en: "",
+    content_md_de: "",
+    content_md_en: "",
+    visibility: "firm",
+    is_published: false,
+  } as Partial<BuildingBlockJSON>;
+
+  host.innerHTML = "";
+  const form = document.createElement("form");
+  form.className = "admin-bb-form";
+  form.addEventListener("submit", (e) => { e.preventDefault(); onSave(isNew); });
+
+  form.appendChild(textField("slug", isEN() ? "Slug" : "Slug", data.slug ?? "", true));
+  form.appendChild(textField("firm", "Firm", data.firm ?? "", false, isEN() ? "leer = firmenagnostisch" : "leer = firmenagnostisch"));
+  form.appendChild(selectField("section_key", isEN() ? "Section key" : "Abschnitts-Slug", data.section_key ?? "requests", SECTION_KEYS, false));
+  form.appendChild(textField("proceeding_family", isEN() ? "Proceeding family" : "Verfahrensfamilie", data.proceeding_family ?? "", false, "z. B. de.inf.lg"));
+  form.appendChild(textField("title_de", "Titel (DE)", data.title_de ?? "", true));
+  form.appendChild(textField("title_en", "Title (EN)", data.title_en ?? "", true));
+  form.appendChild(textareaField("description_de", "Beschreibung (DE)", data.description_de ?? "", 2));
+  form.appendChild(textareaField("description_en", "Description (EN)", data.description_en ?? "", 2));
+  form.appendChild(textareaField("content_md_de", isEN() ? "Content (DE Markdown)" : "Inhalt (DE Markdown)", data.content_md_de ?? "", 10));
+  form.appendChild(textareaField("content_md_en", isEN() ? "Content (EN Markdown)" : "Inhalt (EN Markdown)", data.content_md_en ?? "", 10));
+  form.appendChild(selectField("visibility", isEN() ? "Visibility" : "Sichtbarkeit", data.visibility ?? "firm", VISIBILITIES, false));
+  form.appendChild(checkboxField("is_published", isEN() ? "Published" : "Veröffentlicht", Boolean(data.is_published)));
+
+  if (!isNew) {
+    form.appendChild(textField("note", isEN() ? "Save note (optional)" : "Speicher-Notiz (optional)", "", false));
+  }
+
+  const actions = document.createElement("div");
+  actions.className = "admin-bb-form-actions";
+
+  const save = document.createElement("button");
+  save.type = "submit";
+  save.className = "btn-primary btn-cta-lime";
+  save.textContent = isEN() ? "Save" : "Speichern";
+  actions.appendChild(save);
+
+  if (!isNew) {
+    const del = document.createElement("button");
+    del.type = "button";
+    del.className = "btn-link-danger";
+    del.textContent = isEN() ? "Delete" : "Löschen";
+    del.addEventListener("click", () => onDelete());
+    actions.appendChild(del);
+  }
+  form.appendChild(actions);
+  host.appendChild(form);
+}
+
+function textField(name: string, label: string, value: string, required: boolean, hint?: string): HTMLElement {
+  const wrap = document.createElement("label");
+  wrap.className = "admin-bb-form-row";
+  const lab = document.createElement("span");
+  lab.textContent = label + (required ? " *" : "");
+  wrap.appendChild(lab);
+  const input = document.createElement("input");
+  input.type = "text";
+  input.name = name;
+  input.className = "entity-form-input";
+  input.value = value;
+  if (required) input.required = true;
+  wrap.appendChild(input);
+  if (hint) {
+    const h = document.createElement("small");
+    h.className = "admin-bb-form-hint";
+    h.textContent = hint;
+    wrap.appendChild(h);
+  }
+  return wrap;
+}
+
+function textareaField(name: string, label: string, value: string, rows: number): HTMLElement {
+  const wrap = document.createElement("label");
+  wrap.className = "admin-bb-form-row";
+  const lab = document.createElement("span");
+  lab.textContent = label;
+  wrap.appendChild(lab);
+  const ta = document.createElement("textarea");
+  ta.name = name;
+  ta.className = "entity-form-input";
+  ta.rows = rows;
+  ta.value = value;
+  wrap.appendChild(ta);
+  return wrap;
+}
+
+function selectField(name: string, label: string, value: string, options: string[], required: boolean): HTMLElement {
+  const wrap = document.createElement("label");
+  wrap.className = "admin-bb-form-row";
+  const lab = document.createElement("span");
+  lab.textContent = label + (required ? " *" : "");
+  wrap.appendChild(lab);
+  const sel = document.createElement("select");
+  sel.name = name;
+  sel.className = "entity-form-input";
+  for (const opt of options) {
+    const o = document.createElement("option");
+    o.value = opt;
+    o.textContent = opt;
+    if (opt === value) o.selected = true;
+    sel.appendChild(o);
+  }
+  wrap.appendChild(sel);
+  return wrap;
+}
+
+function checkboxField(name: string, label: string, value: boolean): HTMLElement {
+  const wrap = document.createElement("label");
+  wrap.className = "admin-bb-form-row admin-bb-form-row--checkbox";
+  const input = document.createElement("input");
+  input.type = "checkbox";
+  input.name = name;
+  input.checked = value;
+  wrap.appendChild(input);
+  const lab = document.createElement("span");
+  lab.textContent = label;
+  wrap.appendChild(lab);
+  return wrap;
+}
+
+async function onSave(isNew: boolean): Promise<void> {
+  const form = document.querySelector(".admin-bb-form") as HTMLFormElement | null;
+  if (!form) return;
+  const data = new FormData(form);
+  const payload: Record<string, unknown> = {};
+  for (const key of ["slug", "section_key", "title_de", "title_en", "content_md_de", "content_md_en", "visibility"]) {
+    const v = data.get(key);
+    if (v !== null) payload[key] = String(v);
+  }
+  for (const key of ["firm", "proceeding_family", "description_de", "description_en"]) {
+    const v = data.get(key);
+    if (v !== null) {
+      const s = String(v).trim();
+      payload[key] = s === "" ? null : s;
+    }
+  }
+  payload.is_published = (data.get("is_published") === "on");
+  if (!isNew) {
+    const note = data.get("note");
+    if (note) payload.note = String(note);
+  }
+  try {
+    const url = isNew
+      ? "/api/admin/submission-building-blocks"
+      : `/api/admin/submission-building-blocks/${state.selectedID}`;
+    const method = isNew ? "POST" : "PATCH";
+    const res = await fetch(url, {
+      method,
+      credentials: "include",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(payload),
+    });
+    if (!res.ok) {
+      const body = await res.json().catch(() => ({} as { error?: string }));
+      feedback(body.error ?? `HTTP ${res.status}`, true);
+      return;
+    }
+    const saved = await res.json() as BuildingBlockJSON;
+    feedback(isEN() ? "Saved." : "Gespeichert.", false);
+    await loadList();
+    state.selectedID = saved.id;
+    paintList();
+    paintEditor(saved);
+    await loadVersions(saved.id);
+  } catch (err) {
+    feedback(String(err), true);
+  }
+}
+
+async function onDelete(): Promise<void> {
+  if (!state.selectedID) return;
+  const sure = confirm(isEN() ? "Delete this block?" : "Diesen Baustein löschen?");
+  if (!sure) return;
+  try {
+    const res = await fetch(`/api/admin/submission-building-blocks/${state.selectedID}`, {
+      method: "DELETE",
+      credentials: "include",
+    });
+    if (!res.ok && res.status !== 204) {
+      feedback(`HTTP ${res.status}`, true);
+      return;
+    }
+    feedback(isEN() ? "Deleted." : "Gelöscht.", false);
+    state.selectedID = null;
+    await loadList();
+    paintEditor(null);
+    state.versions = [];
+    paintVersions();
+  } catch (err) {
+    feedback(String(err), true);
+  }
+}
+
+async function loadVersions(blockID: string): Promise<void> {
+  try {
+    const res = await fetch(`/api/admin/submission-building-blocks/${blockID}/versions`, { credentials: "include" });
+    if (!res.ok) {
+      state.versions = [];
+      paintVersions();
+      return;
+    }
+    const body = await res.json() as { versions?: VersionJSON[] };
+    state.versions = body.versions ?? [];
+    paintVersions();
+  } catch {
+    state.versions = [];
+    paintVersions();
+  }
+}
+
+function paintVersions(): void {
+  const host = document.getElementById("admin-bb-versions");
+  if (!host) return;
+  host.innerHTML = "";
+  if (state.versions.length === 0) return;
+  const h = document.createElement("h3");
+  h.textContent = isEN() ? "History" : "Verlauf";
+  host.appendChild(h);
+  for (const v of state.versions) {
+    const row = document.createElement("div");
+    row.className = "admin-bb-version-row";
+    const date = new Date(v.created_at).toLocaleString();
+    row.innerHTML = `
+      <div class="admin-bb-version-meta">${escapeHTML(date)} — ${escapeHTML(v.note ?? "")}</div>`;
+    const btn = document.createElement("button");
+    btn.type = "button";
+    btn.className = "btn-small btn-secondary";
+    btn.textContent = isEN() ? "Restore" : "Wiederherstellen";
+    btn.addEventListener("click", () => onRestore(v.id));
+    row.appendChild(btn);
+    host.appendChild(row);
+  }
+}
+
+async function onRestore(versionID: string): Promise<void> {
+  if (!state.selectedID) return;
+  try {
+    const res = await fetch(
+      `/api/admin/submission-building-blocks/${state.selectedID}/restore/${versionID}`,
+      { method: "POST", credentials: "include" },
+    );
+    if (!res.ok) {
+      feedback(`HTTP ${res.status}`, true);
+      return;
+    }
+    const restored = await res.json() as BuildingBlockJSON;
+    feedback(isEN() ? "Restored." : "Wiederhergestellt.", false);
+    paintEditor(restored);
+    await loadVersions(restored.id);
+    await loadList();
+  } catch (err) {
+    feedback(String(err), true);
+  }
+}
+
+function feedback(msg: string, isError: boolean): void {
+  const host = document.getElementById("admin-bb-feedback");
+  if (!host) return;
+  host.style.display = "";
+  host.className = "form-msg " + (isError ? "form-msg--error" : "form-msg--ok");
+  host.textContent = msg;
+  if (!isError) {
+    setTimeout(() => { host.style.display = "none"; }, 3000);
+  }
+}
+
+function escapeHTML(s: string): string {
+  return s
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#39;");
+}
+
+// Silence unused-import warning when t() isn't called directly — i18n
+// is initialised so data-i18n attrs render on first paint.
+void t;
+
+if (document.readyState === "loading") {
+  document.addEventListener("DOMContentLoaded", boot);
+} else {
+  void boot();
+}

frontend/src/client/i18n.ts

@@ -79,7 +79,7 @@ const translations: Record<Lang, Record<string, string>> = {
     "changelog.tag.fix": "Fix",
 
     // Footer
-    "footer.text": "\u00a9 2026 Paliad \u2014 ein Werkzeug von",
+    "footer.text": "\u00a9 2026 Paliad \u2014 by",
 
     // Landing page
     "index.title": `Paliad \u2014 Patent Litigation f\u00fcr ${FIRM}`,
@@ -237,6 +237,13 @@ const translations: Record<Lang, Record<string, string>> = {
     "deadlines.upc.disc.cfi": "Bucheinsicht",
     "deadlines.upc.apl.cost": "Berufung Kosten",
     "deadlines.upc.apl.order": "Berufung Anordnungen",
+    "deadlines.upc.apl.unified": "Berufung",
+    "deadlines.appeal_target.label": "Worauf richtet sich die Berufung?",
+    "deadlines.appeal_target.endentscheidung": "Endentscheidung",
+    "deadlines.appeal_target.kostenentscheidung": "Kostenentscheidung",
+    "deadlines.appeal_target.anordnung": "Anordnung",
+    "deadlines.appeal_target.schadensbemessung": "Schadensbemessung",
+    "deadlines.appeal_target.bucheinsicht": "Bucheinsicht",
     "deadlines.de.group.inf": "Verletzungsverfahren",
     "deadlines.de.group.null": "Nichtigkeitsverfahren",
     "deadlines.de.inf.lg": "LG (1. Instanz)",
@@ -305,10 +312,13 @@ const translations: Record<Lang, Record<string, string>> = {
     "deadlines.view.timeline": "Zeitstrahl",
     "deadlines.view.columns": "Spalten",
     "deadlines.notes.show": "Hinweise anzeigen",
+    "deadlines.durations.show": "Dauern anzeigen",
     "deadlines.col.ours": "Unsere Seite",
     "deadlines.col.court": "Gericht",
     "deadlines.col.opponent": "Gegnerseite",
     "deadlines.col.both": "Beide Parteien",
+    "deadlines.col.proactive": "Proaktiv",
+    "deadlines.col.reactive": "Reaktiv",
     // t-paliad-265 — per-event-card choice popover (Verfahrensablauf timeline)
     "choices.caret.title": "Optionen für dieses Ereignis",
     "choices.appellant.title": "Berufung durch …",
@@ -331,6 +341,10 @@ const translations: Record<Lang, Record<string, string>> = {
     "choices.show_hidden.label": "Ausgeblendete anzeigen",
     "choices.show_hidden.count": "Ausgeblendete ({n})",
     "choices.unhide.chip": "Wieder einblenden",
+    // t-paliad-293 \u2014 iconified state markers on the Verfahrensablauf
+    // event cards. Tooltip-only text; the glyph is the primary signal.
+    "state.optional.tooltip": "Optionales Ereignis",
+    "state.hidden.tooltip": "Ausgeblendet \u2014 \u00fcber Optionen-Men\u00fc wieder einblenden",
     // Trigger-event mode (PR-2 \u2014 youpc-parity)
     "deadlines.mode.procedure": "Verfahrensablauf",
     "deadlines.mode.event": "Was kommt nach\u2026",
@@ -449,10 +463,6 @@ const translations: Record<Lang, Record<string, string>> = {
     "deadlines.side.from_project": "Aus Akte:",
     "deadlines.side.override": "Andere Seite wählen",
     "deadlines.side.hint": "Wählen Sie eine Seite, um die Spalten zu fokussieren.",
-    "deadlines.appellant.label": "Berufung durch:",
-    "deadlines.appellant.claimant": "Klägerseite",
-    "deadlines.appellant.defendant": "Beklagtenseite",
-    "deadlines.appellant.none": "—",
     "deadlines.event.composite.label": "Zusammengesetzt:",
     "deadlines.event.unit.days.one": "Tag",
     "deadlines.event.unit.days.many": "Tage",
@@ -1510,6 +1520,18 @@ const translations: Record<Lang, Record<string, string>> = {
     "submissions.draft.language.de": "DE",
     "submissions.draft.language.en": "EN",
     "submissions.draft.language.fallback_notice": "Fallback: universelles Skelett (keine sprachspezifische Vorlage).",
+    // t-paliad-313 (m/paliad#141) Composer Slice A — base picker + section list.
+    "submissions.draft.base.label": "Vorlagenbasis",
+    "submissions.draft.base.hint": "Steuert Schriftarten, Briefkopf und Abschnitts-Defaults.",
+    "submissions.draft.sections.title": "Abschnitte",
+    "submissions.draft.sections.hint": "Inhalt pro Abschnitt — Autosave nach 500 ms. Letztes Layout in Word.",
+    // t-paliad-315 (m/paliad#141) Composer Slice C — building blocks admin.
+    "admin.building_blocks.title": "Bausteine — Paliad",
+    "admin.building_blocks.heading": "Bausteine",
+    "admin.building_blocks.subtitle": "Wiederverwendbare Textbausteine für Composer-Abschnitte.",
+    "admin.building_blocks.loading": "Lädt…",
+    "admin.building_blocks.action.new": "+ Neuer Baustein",
+    "admin.building_blocks.editor.empty": "Wählen Sie einen Baustein aus der Liste — oder erstellen Sie einen neuen.",
     // t-paliad-240 — global Schriftsätze drafts index page.
     "submissions.index.title": "Schriftsätze — Paliad",
     "submissions.index.heading": "Schriftsätze",
@@ -2888,7 +2910,6 @@ const translations: Record<Lang, Record<string, string>> = {
     // `admin.procedural_events.*` aliases live after the EN block — they
     // pin the contract for when .tsx files rebind in Slice B (B.5).
     "nav.admin.rules": "Verfahrensschritte verwalten",
-    "nav.admin.rules_export": "Verfahrensschritt-Migrations",
     "admin.card.rules.title": "Verfahrensschritte verwalten",
     "admin.card.rules.desc": "Verfahrensschritte anlegen, bearbeiten, publishen. Audit-Log, Preview, Migration-Export.",
 
@@ -2896,7 +2917,6 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.list.heading": "Verfahrensschritte verwalten",
     "admin.rules.list.subtitle": "Verfahrensschritte (Schriftsätze, Anhörungen, Entscheidungen, …) anlegen, bearbeiten und freigeben. Lifecycle: draft → published → archived.",
     "admin.rules.list.new": "+ Neuer Verfahrensschritt",
-    "admin.rules.list.export": "Migrations exportieren",
     "admin.rules.tab.rules": "Regeln",
     "admin.rules.tab.orphans": "Orphans",
     "admin.rules.loading": "Lade…",
@@ -3058,23 +3078,6 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.edit.modal.restore.title": "Wiederherstellen",
     "admin.rules.edit.modal.restore.body": "Regel wird wiederhergestellt (archived → published).",
 
-    "admin.rules.export.title": "Regel-Migrations exportieren — Paliad",
-    "admin.rules.export.heading": "Regel-Migrations exportieren",
-    "admin.rules.export.subtitle": "Generiert ein *.up.sql-Blob mit allen unsynchronisierten Audit-Veränderungen. Manuell in internal/db/migrations/ einchecken.",
-    "admin.rules.export.breadcrumb": "← Regeln verwalten",
-    "admin.rules.export.field.since": "Startend ab Audit-ID (optional)",
-    "admin.rules.export.run": "Export generieren",
-    "admin.rules.export.running": "Lade…",
-    "admin.rules.export.download": "Als Datei herunterladen",
-    "admin.rules.export.copy": "In Zwischenablage kopieren",
-    "admin.rules.export.copied": "In Zwischenablage kopiert.",
-    "admin.rules.export.copy_failed": "Kopieren fehlgeschlagen.",
-    "admin.rules.export.count": "Audit-Zeilen: {n}",
-    "admin.rules.export.latest": "Letzte Audit-ID: {id}",
-    "admin.rules.export.ok": "{n} Audit-Zeilen exportiert.",
-    "admin.rules.export.error": "Export fehlgeschlagen.",
-    "admin.rules.export.no_pending": "Keine offenen Audit-Zeilen zum Export.",
-
     // Date-range picker (t-paliad-248). Symmetric past/future chip fan
     // around an ALLES centre. Used by the filter-bar 'time' axis from
     // Slice A onwards; future slices will migrate /agenda and
@@ -3183,7 +3186,7 @@ const translations: Record<Lang, Record<string, string>> = {
     "changelog.tag.fix": "Fix",
 
     // Footer
-    "footer.text": "\u00a9 2026 Paliad \u2014 a tool by",
+    "footer.text": "\u00a9 2026 Paliad \u2014 by",
 
     // Landing page
     "index.title": `Paliad \u2014 Patent Litigation for ${FIRM}`,
@@ -3340,6 +3343,13 @@ const translations: Record<Lang, Record<string, string>> = {
     "deadlines.upc.dmgs.cfi": "Damages Determination",
     "deadlines.upc.disc.cfi": "Lay-open Books",
     "deadlines.upc.apl.cost": "Cost-Decision Appeal",
+    "deadlines.upc.apl.unified": "Appeal",
+    "deadlines.appeal_target.label": "Appeal against:",
+    "deadlines.appeal_target.endentscheidung": "Final Decision",
+    "deadlines.appeal_target.kostenentscheidung": "Cost Decision",
+    "deadlines.appeal_target.anordnung": "Order",
+    "deadlines.appeal_target.schadensbemessung": "Damages Determination",
+    "deadlines.appeal_target.bucheinsicht": "Lay-open Books",
     "deadlines.upc.apl.order": "Order Appeal (15-day)",
     "deadlines.de.group.inf": "Infringement proceedings",
     "deadlines.de.group.null": "Nullity proceedings",
@@ -3409,10 +3419,13 @@ const translations: Record<Lang, Record<string, string>> = {
     "deadlines.view.timeline": "Timeline",
     "deadlines.view.columns": "Columns",
     "deadlines.notes.show": "Show details",
+    "deadlines.durations.show": "Show durations",
     "deadlines.col.ours": "Client Side",
     "deadlines.col.court": "Court",
     "deadlines.col.opponent": "Opponent Side",
     "deadlines.col.both": "Both parties",
+    "deadlines.col.proactive": "Proactive",
+    "deadlines.col.reactive": "Reactive",
     // t-paliad-265 — per-event-card choice popover (Verfahrensablauf timeline)
     "choices.caret.title": "Options for this event",
     "choices.appellant.title": "Appeal by …",
@@ -3435,6 +3448,10 @@ const translations: Record<Lang, Record<string, string>> = {
     "choices.show_hidden.label": "Show hidden",
     "choices.show_hidden.count": "Hidden ({n})",
     "choices.unhide.chip": "Show again",
+    // t-paliad-293 — iconified state markers on the Verfahrensablauf
+    // event cards. Tooltip-only text; the glyph is the primary signal.
+    "state.optional.tooltip": "Optional event",
+    "state.hidden.tooltip": "Hidden — restore via the options menu",
     "deadlines.adjusted": "Adjusted",
     "deadlines.adjusted.reason": "weekend/holiday",
     "deadlines.adjusted.weekend": "weekend",
@@ -3560,10 +3577,6 @@ const translations: Record<Lang, Record<string, string>> = {
     "deadlines.side.from_project": "From case:",
     "deadlines.side.override": "Choose other side",
     "deadlines.side.hint": "Pick a side to focus the columns.",
-    "deadlines.appellant.label": "Appeal filed by:",
-    "deadlines.appellant.claimant": "Claimant",
-    "deadlines.appellant.defendant": "Defendant",
-    "deadlines.appellant.none": "—",
     "deadlines.event.composite.label": "Composite:",
     "deadlines.event.unit.days.one": "day",
     "deadlines.event.unit.days.many": "days",
@@ -4595,6 +4608,18 @@ const translations: Record<Lang, Record<string, string>> = {
     "submissions.draft.import.button": "Import from project",
     "submissions.draft.parties.title": "Parties",
     "submissions.draft.parties.hint": "Pick the parties mentioned in this submission, or add more per side.",
+    // t-paliad-313 (m/paliad#141) Composer Slice A — base picker + section list.
+    "submissions.draft.base.label": "Template base",
+    "submissions.draft.base.hint": "Drives fonts, letterhead, and section defaults.",
+    "submissions.draft.sections.title": "Sections",
+    "submissions.draft.sections.hint": "Edit per section — autosaves after 500ms. Final layout in Word.",
+    // t-paliad-315 (m/paliad#141) Composer Slice C — building blocks admin.
+    "admin.building_blocks.title": "Building blocks — Paliad",
+    "admin.building_blocks.heading": "Building blocks",
+    "admin.building_blocks.subtitle": "Reusable text snippets for Composer sections.",
+    "admin.building_blocks.loading": "Loading…",
+    "admin.building_blocks.action.new": "+ New block",
+    "admin.building_blocks.editor.empty": "Pick a block from the list — or create a new one.",
     // t-paliad-240 — global submissions drafts index page.
     "submissions.index.title": "Submissions — Paliad",
     "submissions.index.heading": "Submissions",
@@ -5958,7 +5983,6 @@ const translations: Record<Lang, Record<string, string>> = {
     // t-paliad-192 Slice 11b — Admin rule-editor UI.
     // t-paliad-262 Slice A — "Rule" relabelled as "Procedural event".
     "nav.admin.rules": "Manage procedural events",
-    "nav.admin.rules_export": "Procedural-event migrations",
     "admin.card.rules.title": "Manage procedural events",
     "admin.card.rules.desc": "Author, edit and publish procedural-event templates. Audit log, preview, migration export.",
 
@@ -5966,7 +5990,6 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.list.heading": "Manage procedural events",
     "admin.rules.list.subtitle": "Author, edit and publish procedural events (filings, hearings, decisions, …). Lifecycle: draft → published → archived.",
     "admin.rules.list.new": "+ New procedural event",
-    "admin.rules.list.export": "Export migrations",
     "admin.rules.tab.rules": "Rules",
     "admin.rules.tab.orphans": "Orphans",
     "admin.rules.loading": "Loading…",
@@ -6128,23 +6151,6 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.edit.modal.restore.title": "Restore",
     "admin.rules.edit.modal.restore.body": "Rule will be restored (archived → published).",
 
-    "admin.rules.export.title": "Export rule migrations — Paliad",
-    "admin.rules.export.heading": "Export rule migrations",
-    "admin.rules.export.subtitle": "Generates a *.up.sql blob with every un-exported audit change. Commit manually into internal/db/migrations/.",
-    "admin.rules.export.breadcrumb": "← Manage Rules",
-    "admin.rules.export.field.since": "Starting from audit id (optional)",
-    "admin.rules.export.run": "Generate export",
-    "admin.rules.export.running": "Loading…",
-    "admin.rules.export.download": "Download as file",
-    "admin.rules.export.copy": "Copy to clipboard",
-    "admin.rules.export.copied": "Copied to clipboard.",
-    "admin.rules.export.copy_failed": "Copy failed.",
-    "admin.rules.export.count": "Audit rows: {n}",
-    "admin.rules.export.latest": "Latest audit id: {id}",
-    "admin.rules.export.ok": "{n} audit rows exported.",
-    "admin.rules.export.error": "Export failed.",
-    "admin.rules.export.no_pending": "No pending audit rows to export.",
-
     // Date-range picker (t-paliad-248). See DE block above for details.
     "date_range.button.label": "Time range",
     "date_range.button.label.custom_range": "From {from} to {to}",

frontend/src/client/submission-draft.ts

@@ -28,10 +28,47 @@ interface SubmissionDraftJSON {
   last_exported_at?: string | null;
   last_exported_sha?: string | null;
   last_imported_at?: string | null;
+  // t-paliad-313 Composer Slice A — base reference + Composer-side
+  // metadata. base_id is null on pre-Composer drafts (the v1 render
+  // path stays the fallback). composer_meta carries the seed-time
+  // section order in later slices.
+  base_id?: string | null;
+  composer_meta?: Record<string, unknown>;
   created_at: string;
   updated_at: string;
 }
 
+// t-paliad-313 Composer Slice A — per-draft section row, surfaced
+// read-only in the editor body. Slice B adds inline edit + PATCH.
+interface SubmissionSectionJSON {
+  id: string;
+  section_key: string;
+  order_index: number;
+  kind: string;
+  label_de: string;
+  label_en: string;
+  included: boolean;
+  content_md_de: string;
+  content_md_en: string;
+}
+
+// t-paliad-313 Composer Slice A — base catalog row, surfaced in the
+// sidebar picker dropdown.
+interface SubmissionBaseRow {
+  id: string;
+  slug: string;
+  firm?: string | null;
+  proceeding_family?: string | null;
+  label_de: string;
+  label_en: string;
+  description_de?: string | null;
+  description_en?: string | null;
+  gitea_path: string;
+  is_default_for: string[];
+  is_active: boolean;
+  section_count: number;
+}
+
 interface AvailablePartyJSON {
   id: string;
   name: string;
@@ -64,6 +101,9 @@ interface SubmissionDraftView {
   // language has no per-firm language-matched template.
   template_tier?: string;
   language_fallback?: boolean;
+  // t-paliad-313 Composer Slice A — per-draft section stack. Empty
+  // for pre-Composer drafts where no rows have been seeded.
+  sections: SubmissionSectionJSON[];
 }
 
 interface SubmissionDraftListResponse {
@@ -328,6 +368,11 @@ interface State {
   addPartyMode: "manual" | "search";
   addPartySearchHits: PartySearchHit[];
   addPartyBusy: boolean;
+  // t-paliad-313 Composer Slice A — base catalog fetched once on boot.
+  // Picker hidden until populated; empty array (after the fetch
+  // completes) keeps the picker hidden permanently for this load.
+  bases: SubmissionBaseRow[];
+  basesLoaded: boolean;
 }
 
 type PartySide = "claimant" | "defendant" | "other";
@@ -354,6 +399,8 @@ const state: State = {
   addPartyMode: "manual",
   addPartySearchHits: [],
   addPartyBusy: false,
+  bases: [],
+  basesLoaded: false,
 };
 
 // ─────────────────────────────────────────────────────────────────────
@@ -371,6 +418,14 @@ async function boot(): Promise<void> {
   }
   state.parsed = parsed;
 
+  // t-paliad-313 Composer Slice A — kick the base catalog fetch in
+  // parallel with the view load. The picker hydrates when both land;
+  // either failing leaves the picker hidden but the editor functional.
+  loadBases().catch(err => {
+    console.warn("submission-draft: base catalog fetch failed", err);
+    state.basesLoaded = true;
+  });
+
   try {
     if (parsed.mode === "global") {
       // Global path: we have a draft_id, fetch by id alone. Drafts
@@ -523,11 +578,13 @@ function paint(): void {
   paintNoProjectBanner();
   paintSwitcher();
   paintNameRow();
+  paintBasePicker();
   paintImportRow();
   paintPartyPicker();
   paintLanguageRow();
   paintLanguageFallback();
   paintVariables();
+  paintSectionList();
   paintPreview();
 }
 
@@ -1143,6 +1200,520 @@ function paintPreview(): void {
   }
 }
 
+// ─────────────────────────────────────────────────────────────────────
+// t-paliad-313 Composer Slice A — base picker + section list
+// ─────────────────────────────────────────────────────────────────────
+
+async function loadBases(): Promise<void> {
+  const res = await fetch("/api/submission-bases", { credentials: "include" });
+  if (!res.ok) {
+    throw new Error("base list HTTP " + res.status);
+  }
+  const body = await res.json() as { bases?: SubmissionBaseRow[] };
+  state.bases = body.bases ?? [];
+  state.basesLoaded = true;
+  // If the view has already painted, re-paint the picker so it
+  // hydrates as soon as the catalog lands. paint() is idempotent.
+  if (state.view) paintBasePicker();
+}
+
+function paintBasePicker(): void {
+  const row = document.getElementById("submission-draft-base-row") as HTMLDivElement | null;
+  const sel = document.getElementById("submission-draft-base") as HTMLSelectElement | null;
+  if (!row || !sel || !state.view) return;
+
+  // Hide the picker until the catalog has loaded AND the catalog has
+  // at least one entry. A failed fetch (basesLoaded=true, bases empty)
+  // keeps the picker hidden indefinitely so the editor stays usable.
+  if (!state.basesLoaded || state.bases.length === 0) {
+    row.style.display = "none";
+    return;
+  }
+  row.style.display = "";
+
+  // Rebuild the <option> list each paint so language toggles + base
+  // catalog updates flow through.
+  sel.innerHTML = "";
+  const currentBaseID = state.view.draft.base_id ?? "";
+
+  // "Keine Vorlagenbasis" only listed when the draft is currently in
+  // that state (pre-Composer / cleared). Avoids tempting the lawyer
+  // to clear after they've already picked one.
+  if (!currentBaseID) {
+    const opt = document.createElement("option");
+    opt.value = "";
+    opt.textContent = isEN() ? "— no base —" : "— keine Vorlagenbasis —";
+    sel.appendChild(opt);
+  }
+  for (const b of state.bases) {
+    const opt = document.createElement("option");
+    opt.value = b.id;
+    opt.textContent = isEN() ? b.label_en : b.label_de;
+    if (b.id === currentBaseID) opt.selected = true;
+    sel.appendChild(opt);
+  }
+
+  // Wire change handler once per paint. Removing then re-adding
+  // keeps the binding consistent across repaints (e.g. after
+  // language toggle re-renders the labels).
+  sel.onchange = () => { onBaseChange(sel.value); };
+}
+
+async function onBaseChange(newBaseID: string): Promise<void> {
+  if (!state.view) return;
+  const payload: Record<string, unknown> = {
+    // Empty string in the picker maps to null = clear.
+    base_id: newBaseID === "" ? null : newBaseID,
+  };
+  try {
+    const res = await fetch(
+      `/api/submission-drafts/${state.view.draft.id}`,
+      {
+        method: "PATCH",
+        credentials: "include",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(payload),
+      },
+    );
+    if (!res.ok) {
+      console.warn("base swap PATCH failed", res.status);
+      return;
+    }
+    const view = await res.json() as SubmissionDraftView;
+    state.view = view;
+    paint();
+  } catch (err) {
+    console.warn("base swap PATCH error", err);
+  }
+}
+
+// sectionAutosaveTimers — one debounce timer per section id so two
+// sections autosaving simultaneously don't trample each other. Reset
+// on each keystroke; 500ms after the last keystroke the patch fires.
+const sectionAutosaveTimers: Record<string, number> = {};
+const SECTION_AUTOSAVE_MS = 500;
+
+function paintSectionList(): void {
+  const wrap = document.getElementById("submission-draft-sections-wrap");
+  const list = document.getElementById("submission-draft-sections-list") as HTMLOListElement | null;
+  if (!wrap || !list || !state.view) return;
+
+  const sections = state.view.sections ?? [];
+  if (sections.length === 0) {
+    wrap.style.display = "none";
+    return;
+  }
+  wrap.style.display = "";
+
+  // Don't blow away the editor if a section is currently focused —
+  // would steal cursor + selection mid-type. The patch round-trip
+  // returns the updated row, but paintSectionList only re-renders
+  // when the focused section isn't being edited (or the new render
+  // is being driven by something other than the active editor itself).
+  const activeID = activeSectionEditorID();
+
+  list.innerHTML = "";
+  const lang = state.view.draft.language || state.view.lang || "de";
+  for (const sec of sections) {
+    list.appendChild(renderSectionRow(sec, lang, activeID === sec.id));
+  }
+}
+
+function renderSectionRow(sec: SubmissionSectionJSON, lang: string, isActive: boolean): HTMLLIElement {
+  const li = document.createElement("li");
+  li.className = "submission-draft-section";
+  li.dataset.sectionId = sec.id;
+  if (!sec.included) li.classList.add("submission-draft-section--excluded");
+
+  const head = document.createElement("header");
+  head.className = "submission-draft-section-head";
+
+  const title = document.createElement("h3");
+  title.className = "submission-draft-section-title";
+  title.textContent = (lang === "en" ? sec.label_en : sec.label_de) || sec.section_key;
+  head.appendChild(title);
+
+  const kind = document.createElement("span");
+  kind.className = "submission-draft-section-kind";
+  kind.textContent = sec.kind;
+  head.appendChild(kind);
+
+  if (!sec.included) {
+    const muted = document.createElement("span");
+    muted.className = "submission-draft-section-excluded-badge";
+    muted.textContent = isEN() ? "excluded" : "ausgeblendet";
+    head.appendChild(muted);
+  }
+
+  // Per-section "Aufnehmen" / "Ausblenden" toggle in the head — flips
+  // `included` via PATCH and re-paints.
+  const toggle = document.createElement("button");
+  toggle.type = "button";
+  toggle.className = "btn-small btn-secondary submission-draft-section-toggle";
+  toggle.textContent = sec.included
+    ? (isEN() ? "Hide" : "Ausblenden")
+    : (isEN() ? "Include" : "Aufnehmen");
+  toggle.addEventListener("click", () => onSectionToggleIncluded(sec));
+  head.appendChild(toggle);
+
+  li.appendChild(head);
+
+  // Toolbar — shared B/I affordance per section. Slice D extends with
+  // headings, lists, quote.
+  const toolbar = document.createElement("div");
+  toolbar.className = "submission-draft-section-toolbar";
+  toolbar.appendChild(makeToolbarButton("B", isEN() ? "Bold" : "Fett", "bold"));
+  toolbar.appendChild(makeToolbarButton("I", isEN() ? "Italic" : "Kursiv", "italic"));
+  // t-paliad-315 Slice C — building-block insert button. Opens a
+  // picker modal filtered to this section's section_key. Paste is
+  // plain-text per Q2 (no lineage stamped).
+  const bbBtn = document.createElement("button");
+  bbBtn.type = "button";
+  bbBtn.className = "btn-small btn-secondary submission-draft-section-bb-btn";
+  bbBtn.textContent = isEN() ? "+ Block" : "+ Baustein";
+  bbBtn.title = isEN() ? "Insert a saved building block" : "Baustein einfügen";
+  bbBtn.addEventListener("click", () => openBlockPicker(sec));
+  toolbar.appendChild(bbBtn);
+  li.appendChild(toolbar);
+
+  const md = (lang === "en" ? sec.content_md_en : sec.content_md_de) || "";
+  const editor = document.createElement("div");
+  editor.className = "submission-draft-section-editor";
+  editor.contentEditable = "true";
+  editor.spellcheck = true;
+  editor.dataset.sectionId = sec.id;
+  editor.dataset.lang = lang;
+  editor.dataset.placeholder = isEN()
+    ? "Write section content…"
+    : "Abschnittstext eingeben…";
+  // Paint the Markdown as plain text on first render — the editor's
+  // source of truth is Markdown, the DOM is the view. Lawyer types,
+  // we serialise back to MD on autosave.
+  editor.textContent = md;
+
+  editor.addEventListener("input", () => onSectionInput(editor));
+  editor.addEventListener("focus", () => {
+    li.classList.add("submission-draft-section--editing");
+  });
+  editor.addEventListener("blur", () => {
+    li.classList.remove("submission-draft-section--editing");
+    // Force-flush any pending autosave so we don't leave unsynced
+    // edits hanging when the lawyer tabs out.
+    flushSectionAutosave(sec.id);
+  });
+
+  li.appendChild(editor);
+
+  if (isActive) {
+    // The repaint happened while this section was focused — restore
+    // focus to it. Cursor placement at the end is a fair default
+    // (typing mid-content during a repaint is rare; the autosave path
+    // typically doesn't repaint at all).
+    queueMicrotask(() => {
+      const fresh = document.querySelector(`.submission-draft-section-editor[data-section-id="${cssEscape(sec.id)}"]`) as HTMLDivElement | null;
+      if (fresh) {
+        fresh.focus();
+        placeCaretAtEnd(fresh);
+      }
+    });
+  }
+
+  return li;
+}
+
+function makeToolbarButton(label: string, title: string, format: "bold" | "italic"): HTMLButtonElement {
+  const btn = document.createElement("button");
+  btn.type = "button";
+  btn.className = "submission-draft-section-toolbar-btn";
+  btn.textContent = label;
+  btn.title = title;
+  // Mousedown rather than click so the editor doesn't lose focus
+  // mid-command — execCommand requires the editor to be the active
+  // selection target.
+  btn.addEventListener("mousedown", (ev) => {
+    ev.preventDefault();
+    document.execCommand(format, false);
+    // Trigger the input handler so autosave fires.
+    const editor = document.activeElement as HTMLElement | null;
+    if (editor && editor.classList.contains("submission-draft-section-editor")) {
+      onSectionInput(editor as HTMLDivElement);
+    }
+  });
+  return btn;
+}
+
+function activeSectionEditorID(): string | null {
+  const active = document.activeElement as HTMLElement | null;
+  if (!active || !active.classList.contains("submission-draft-section-editor")) return null;
+  return active.dataset.sectionId ?? null;
+}
+
+function placeCaretAtEnd(el: HTMLElement): void {
+  const range = document.createRange();
+  range.selectNodeContents(el);
+  range.collapse(false);
+  const sel = window.getSelection();
+  if (!sel) return;
+  sel.removeAllRanges();
+  sel.addRange(range);
+}
+
+function onSectionInput(editor: HTMLDivElement): void {
+  const id = editor.dataset.sectionId;
+  if (!id) return;
+  if (sectionAutosaveTimers[id]) clearTimeout(sectionAutosaveTimers[id]);
+  sectionAutosaveTimers[id] = window.setTimeout(() => {
+    sectionAutosaveTimers[id] = 0;
+    flushSectionAutosave(id);
+  }, SECTION_AUTOSAVE_MS);
+}
+
+function flushSectionAutosave(sectionID: string): void {
+  if (sectionAutosaveTimers[sectionID]) {
+    clearTimeout(sectionAutosaveTimers[sectionID]);
+    sectionAutosaveTimers[sectionID] = 0;
+  }
+  const editor = document.querySelector(`.submission-draft-section-editor[data-section-id="${cssEscape(sectionID)}"]`) as HTMLDivElement | null;
+  if (!editor || !state.view) return;
+  const lang = editor.dataset.lang || state.view.draft.language || "de";
+  const md = domToMarkdown(editor);
+  void patchSection(sectionID, lang === "en" ? { content_md_en: md } : { content_md_de: md });
+}
+
+// domToMarkdown serialises a contentEditable's DOM tree back to
+// Markdown. Walks the tree: <b>/<strong> emit `**…**`, <i>/<em> emit
+// `*…*`, <br> emits a newline, block-level elements emit a blank line
+// between siblings. Slice B handles only B/I + paragraphs/line breaks
+// — Slice D's rich toolbar extends this to headings + lists + quote.
+function domToMarkdown(root: HTMLElement): string {
+  return serializeNode(root).trim();
+}
+
+function serializeNode(node: Node): string {
+  if (node.nodeType === Node.TEXT_NODE) {
+    return node.textContent ?? "";
+  }
+  if (node.nodeType !== Node.ELEMENT_NODE) return "";
+  const el = node as HTMLElement;
+  const tag = el.tagName.toLowerCase();
+  let inner = "";
+  for (const child of Array.from(el.childNodes)) {
+    inner += serializeNode(child);
+  }
+  switch (tag) {
+    case "b":
+    case "strong":
+      return inner ? `**${inner}**` : "";
+    case "i":
+    case "em":
+      return inner ? `*${inner}*` : "";
+    case "br":
+      return "\n";
+    case "div":
+    case "p":
+      // execCommand and contentEditable insert <div> on Enter in some
+      // browsers, <p> in others. Both are paragraph boundaries.
+      return inner + "\n\n";
+    default:
+      return inner;
+  }
+}
+
+async function onSectionToggleIncluded(sec: SubmissionSectionJSON): Promise<void> {
+  await patchSection(sec.id, { included: !sec.included });
+}
+
+// ─────────────────────────────────────────────────────────────────────
+// t-paliad-315 Slice C — building-block picker modal
+// ─────────────────────────────────────────────────────────────────────
+
+interface BuildingBlockPickJSON {
+  id: string;
+  slug: string;
+  section_key: string;
+  proceeding_family?: string | null;
+  title_de: string;
+  title_en: string;
+  description_de?: string | null;
+  description_en?: string | null;
+  content_md_de: string;
+  content_md_en: string;
+  visibility: string;
+}
+
+let blockPickerSearchTimer: number | null = null;
+
+function openBlockPicker(sec: SubmissionSectionJSON): void {
+  // Remove any prior picker.
+  document.getElementById("submission-bb-picker")?.remove();
+
+  const overlay = document.createElement("div");
+  overlay.id = "submission-bb-picker";
+  overlay.className = "submission-bb-picker-overlay";
+  overlay.addEventListener("click", (ev) => {
+    if (ev.target === overlay) overlay.remove();
+  });
+
+  const modal = document.createElement("div");
+  modal.className = "submission-bb-picker";
+
+  const head = document.createElement("header");
+  head.className = "submission-bb-picker-head";
+  const title = document.createElement("h2");
+  title.textContent = isEN() ? "Insert building block" : "Baustein einfügen";
+  head.appendChild(title);
+  const close = document.createElement("button");
+  close.type = "button";
+  close.className = "btn-small btn-secondary";
+  close.textContent = isEN() ? "Close" : "Schließen";
+  close.addEventListener("click", () => overlay.remove());
+  head.appendChild(close);
+  modal.appendChild(head);
+
+  const search = document.createElement("input");
+  search.type = "search";
+  search.placeholder = isEN() ? "Search blocks…" : "Bausteine suchen…";
+  search.className = "entity-form-input submission-bb-picker-search";
+  modal.appendChild(search);
+
+  const sectionInfo = document.createElement("p");
+  sectionInfo.className = "submission-bb-picker-sectioninfo";
+  sectionInfo.textContent = (isEN() ? "Section: " : "Abschnitt: ") + sec.section_key;
+  modal.appendChild(sectionInfo);
+
+  const list = document.createElement("div");
+  list.className = "submission-bb-picker-list";
+  list.textContent = isEN() ? "Loading…" : "Lädt…";
+  modal.appendChild(list);
+
+  overlay.appendChild(modal);
+  document.body.appendChild(overlay);
+
+  const fetchBlocks = async (q: string) => {
+    const params = new URLSearchParams();
+    params.set("section_key", sec.section_key);
+    if (q) params.set("q", q);
+    try {
+      const res = await fetch(`/api/submission-building-blocks?${params.toString()}`, { credentials: "include" });
+      if (!res.ok) {
+        list.textContent = `HTTP ${res.status}`;
+        return;
+      }
+      const body = await res.json() as { blocks?: BuildingBlockPickJSON[] };
+      paintPickerList(list, body.blocks ?? [], sec, overlay);
+    } catch (err) {
+      list.textContent = String(err);
+    }
+  };
+
+  search.addEventListener("input", () => {
+    if (blockPickerSearchTimer) clearTimeout(blockPickerSearchTimer);
+    blockPickerSearchTimer = window.setTimeout(() => {
+      void fetchBlocks(search.value.trim());
+    }, 200);
+  });
+
+  void fetchBlocks("");
+  setTimeout(() => search.focus(), 0);
+}
+
+function paintPickerList(host: HTMLElement, blocks: BuildingBlockPickJSON[], sec: SubmissionSectionJSON, overlay: HTMLElement): void {
+  host.innerHTML = "";
+  if (blocks.length === 0) {
+    const empty = document.createElement("p");
+    empty.className = "submission-bb-picker-empty";
+    empty.textContent = isEN() ? "No blocks match." : "Keine passenden Bausteine.";
+    host.appendChild(empty);
+    return;
+  }
+  const lang = state.view?.draft.language || "de";
+  for (const b of blocks) {
+    const row = document.createElement("button");
+    row.type = "button";
+    row.className = "submission-bb-picker-row";
+    const title = (lang === "en" ? b.title_en : b.title_de) || b.slug;
+    const desc = (lang === "en" ? b.description_en : b.description_de) || "";
+    const preview = ((lang === "en" ? b.content_md_en : b.content_md_de) || "").slice(0, 200);
+    row.innerHTML = `
+      <div class="submission-bb-picker-row-head">
+        <strong>${escapeHTML(title)}</strong>
+        <span class="submission-bb-picker-vis submission-bb-picker-vis--${escapeHTML(b.visibility)}">${escapeHTML(b.visibility)}</span>
+      </div>
+      ${desc ? `<div class="submission-bb-picker-row-desc">${escapeHTML(desc)}</div>` : ""}
+      <pre class="submission-bb-picker-row-preview">${escapeHTML(preview)}${preview.length === 200 ? "…" : ""}</pre>`;
+    row.addEventListener("click", () => {
+      void insertBlockIntoSection(b.id, sec.id, overlay);
+    });
+    host.appendChild(row);
+  }
+}
+
+async function insertBlockIntoSection(blockID: string, sectionID: string, overlay: HTMLElement): Promise<void> {
+  try {
+    const res = await fetch(
+      `/api/submission-building-blocks/${blockID}/insert-into/${sectionID}`,
+      { method: "POST", credentials: "include" },
+    );
+    if (!res.ok) {
+      console.warn("insert-into PATCH failed", res.status);
+      return;
+    }
+    const updated = await res.json() as SubmissionSectionJSON;
+    if (state.view && state.view.sections) {
+      const idx = state.view.sections.findIndex(s => s.id === sectionID);
+      if (idx >= 0) state.view.sections[idx] = updated;
+    }
+    paintSectionList();
+    overlay.remove();
+  } catch (err) {
+    console.warn("insert block error", err);
+  }
+}
+
+function escapeHTML(s: string): string {
+  return s
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#39;");
+}
+
+async function patchSection(sectionID: string, payload: Record<string, unknown>): Promise<void> {
+  try {
+    const draftID = state.view?.draft.id;
+    if (!draftID) return;
+    const res = await fetch(
+      `/api/submission-drafts/${draftID}/sections/${sectionID}`,
+      {
+        method: "PATCH",
+        credentials: "include",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(payload),
+      },
+    );
+    if (!res.ok) {
+      console.warn("section PATCH failed", res.status, sectionID);
+      return;
+    }
+    const updated = await res.json() as SubmissionSectionJSON;
+    // Splice the updated row into state.view.sections. Don't re-paint
+    // unless we need to (avoid focus stealing during active typing).
+    if (state.view && state.view.sections) {
+      const idx = state.view.sections.findIndex(s => s.id === sectionID);
+      if (idx >= 0) state.view.sections[idx] = updated;
+    }
+    // Only repaint when the change has visible UI knock-on (toggle,
+    // label, order). content_md_* changes don't need a repaint —
+    // the editor already shows the lawyer's keystrokes.
+    if ("included" in payload || "label_de" in payload || "label_en" in payload || "order_index" in payload) {
+      paintSectionList();
+    }
+  } catch (err) {
+    console.warn("section PATCH error", err);
+  }
+}
+
 // t-paliad-261 (B) — click a substituted variable in the preview to
 // jump to the matching sidebar input. Re-wires on every paintPreview
 // since the preview HTML is replaced wholesale. The server side wraps

frontend/src/client/verfahrensablauf.ts

@@ -12,7 +12,6 @@ import { initI18n, t, tDyn, getLang, onLangChange } from "./i18n";
 import { initSidebar } from "./sidebar";
 import {
   type DeadlineResponse,
-  type Side,
   calculateDeadlines,
   escHtml,
   formatDate,
@@ -24,26 +23,45 @@ import {
 import {
   attachEventCardChoices,
   reseedChips,
-  currentChoices,
   type EventChoice,
-  type ChoiceKind,
 } from "./views/event-card-choices";
+import {
+  APPEAL_TARGETS,
+  SCENARIO_KEYS,
+  type AppealTarget,
+  type Side,
+  type StorageLike,
+  applyFiltersToSearch,
+  makeMemoryStorage,
+  parseAppealTargetFromSearch,
+  parseProceedingFromSearch,
+  parseSideFromSearch,
+  parseTriggerDateFromSearch,
+  readBoolFlag,
+  readCourtId,
+  readEventChoices,
+  writeBoolFlag,
+  writeCourtId,
+  writeEventChoices,
+} from "./views/verfahrensablauf-state";
 
 let selectedType = "";
 let lastResponse: DeadlineResponse | null = null;
 
-// Perspective state (t-paliad-250 / m/paliad#81). URL-driven so the
-// view is shareable and survives reload:
-//   ?side=claimant|defendant      → swaps which column owns the user's
-//                                    side (proactive vs reactive label).
-//                                    Default null = claimant-on-the-left.
-//   ?appellant=claimant|defendant → collapses party=both rows into the
-//                                    appellant's column (no mirror).
-//                                    Only meaningful for role-swap
-//                                    proceedings (Appeal etc.). Default
-//                                    null = legacy mirror behaviour.
+// Perspective state. URL-driven so the view is shareable + survives
+// reload:
+//   ?side=claimant|defendant — swaps which column owns the user's
+//                              side (proactive vs reactive label).
+//                              Default null = claimant-on-the-left.
+//
+// t-paliad-301 / m/paliad#132 collapsed the duplicate ?side= +
+// ?appellant= selectors into the single proactive-side picker above.
+// For role-swap proceedings (Appeal / EPA Opposition / DE Revision /
+// DPMA Appeal) the picker's labels swap to per-proceeding role
+// strings (Berufungskläger / Berufungsbeklagter, …) via ROLE_LABELS
+// below — but the underlying claimant/defendant value the engine
+// consumes is unchanged.
 let currentSide: Side = null;
-let currentAppellant: Side = null;
 
 // Project-driven auto-fill state (t-paliad-279 / m/paliad#111). When the
 // page is opened with ?project=<id> and that project has our_side set,
@@ -52,21 +70,21 @@ let currentAppellant: Side = null;
 // link, which clears this flag (radio cluster takes over again).
 let sidePrefilledFromProject = false;
 
-// Proceedings where one party initiates and "both" rows are role-swap
-// (i.e. either party files depending on who acted at the lower
-// instance). For these proceedings the appellant selector is meaningful
-// — when set, "both" rows collapse to a single row in the appellant's
-// column. For first-instance proceedings (Inf, Rev, …) the selector is
-// hidden because there's no appellant axis.
+// Role-swap proceedings — the side picker doubles as the appellant
+// axis. After t-paliad-301 collapsed the duplicate selectors, the
+// engine reads "appellant" from the single side value for these
+// proceedings (so a row with primary_party=both renders only in the
+// chosen side's column). For first-instance proceedings (Inf, Rev,
+// …) the side picker still narrows columns but doesn't collapse
+// the "both" rows.
 //
-// Today: every upc.apl.* family member plus dpma.appeal.* and
-// de.inf.olg / de.inf.bgh / de.null.bgh (DE Berufung / Revision).
-// Conservative — false negatives just hide a control; false positives
-// would show an irrelevant control.
+// upc.apl.unified is NOT in this set since t-paliad-307: appeal
+// timelines route via per-rule appealRole (engine-stamped under
+// appeal_target) instead of the page-level appellant axis collapse.
+// Adding upc.apl.unified here would short-circuit the appealAware
+// path and re-introduce the dead side selector on upc.apl.unified
+// (m/paliad#136 Bug 1).
 const APPELLANT_AXIS_PROCEEDINGS = new Set([
-  "upc.apl.merits",
-  "upc.apl.cost",
-  "upc.apl.order",
   "de.inf.olg",
   "de.inf.bgh",
   "de.null.bgh",
@@ -75,34 +93,127 @@ const APPELLANT_AXIS_PROCEEDINGS = new Set([
   "epa.opp.boa",
 ]);
 
+// Per-proceeding role labels (t-paliad-301 / m/paliad#132 Bug A).
+// Mirrors paliad.proceeding_types.role_*_label_* — the canonical
+// definition lives in the DB; this map is the frontend's view of
+// it. Proceedings absent from the map fall back to the generic
+// "deadlines.side.claimant" / "deadlines.side.defendant" i18n keys.
+//
+// Keep in sync with mig 137's backfill. Adding a row here without a
+// matching DB row is fine (the DB col is NULL → still falls back to
+// default; UI shows the override). Adding to the DB without here
+// means the UI uses defaults — harmless but inconsistent.
+type RoleLabels = { proDE: string; reDE: string; proEN: string; reEN: string };
+const ROLE_LABELS: Record<string, RoleLabels> = {
+  "upc.apl.unified": {
+    proDE: "Berufungskläger",
+    reDE:  "Berufungsbeklagter",
+    proEN: "Appellant",
+    reEN:  "Appellee",
+  },
+  "upc.rev.cfi": {
+    proDE: "Antragsteller (Nichtigkeit)",
+    reDE:  "Antragsgegner (Nichtigkeit)",
+    proEN: "Revocation claimant",
+    reEN:  "Revocation defendant",
+  },
+  "epa.opp.opd": {
+    proDE: "Einsprechende(r)",
+    reDE:  "Patentinhaber(in)",
+    proEN: "Opponent",
+    reEN:  "Patentee",
+  },
+  "epa.opp.boa": {
+    proDE: "Einsprechende(r)",
+    reDE:  "Patentinhaber(in)",
+    proEN: "Opponent",
+    reEN:  "Patentee",
+  },
+};
+
+// Slice B1 (m/paliad#124 §18.1) — Berufung unification.
+// Proceedings that surface the appeal-target chip group. Currently
+// only the unified upc.apl proceeding; future variants (e.g. de.apl)
+// can opt in by adding the code here.
+//
+// APPEAL_TARGETS itself lives in ./views/verfahrensablauf-state so the
+// pure URL parser and this page share the same canonical list.
+const APPEAL_TARGET_PROCEEDINGS = new Set([
+  "upc.apl.unified",
+]);
+
+function hasAppealTarget(proceedingType: string): boolean {
+  return APPEAL_TARGET_PROCEEDINGS.has(proceedingType);
+}
+
 function hasAppellantAxis(proceedingType: string): boolean {
   return APPELLANT_AXIS_PROCEEDINGS.has(proceedingType);
 }
 
-function readSideFromURL(): Side {
-  const raw = new URLSearchParams(window.location.search).get("side");
-  return raw === "claimant" || raw === "defendant" ? raw : null;
+// Scenario storage — real localStorage in the browser, in-memory
+// fallback when localStorage throws (private mode, disabled storage,
+// etc.). All scenario writes go through this single handle so a
+// failure mode is isolated to one try/catch path.
+const scenarioStorage: StorageLike = makeScenarioStorage();
+
+function makeScenarioStorage(): StorageLike {
+  try {
+    const probe = "__paliad_va_probe__";
+    window.localStorage.setItem(probe, "1");
+    window.localStorage.removeItem(probe);
+    return window.localStorage;
+  } catch {
+    return makeMemoryStorage();
+  }
 }
 
-function readAppellantFromURL(): Side {
-  const raw = new URLSearchParams(window.location.search).get("appellant");
-  return raw === "claimant" || raw === "defendant" ? raw : null;
-}
-
-function writeSideToURL(s: Side) {
+// URL writers — all four chip params route through this single helper
+// so the canonical query-string shape (no empty values, no trailing
+// `?`) is enforced in one place.
+function applyURLFilters(filters: {
+  proceeding?: string;
+  side?: Side;
+  target?: AppealTarget;
+  triggerDate?: string;
+}): void {
   const url = new URL(window.location.href);
-  if (s === null) url.searchParams.delete("side");
-  else url.searchParams.set("side", s);
-  window.history.replaceState(null, "", url.pathname + (url.search ? url.search : "") + url.hash);
+  const nextSearch = applyFiltersToSearch(url.search, filters);
+  window.history.replaceState(null, "", url.pathname + nextSearch + url.hash);
 }
 
-function writeAppellantToURL(a: Side) {
-  const url = new URL(window.location.href);
-  if (a === null) url.searchParams.delete("appellant");
-  else url.searchParams.set("appellant", a);
-  window.history.replaceState(null, "", url.pathname + (url.search ? url.search : "") + url.hash);
+// t-paliad-301 / m/paliad#132: applies ROLE_LABELS to the side-row
+// radio labels for the currently selected proceeding. Proceedings
+// without an entry fall back to the existing
+// "deadlines.side.claimant" / "deadlines.side.defendant" i18n keys.
+function applyRoleLabels(proceedingType: string) {
+  const lang = getLang() === "en" ? "en" : "de";
+  const claimantSpan = document.querySelector<HTMLElement>(
+    "input[type=radio][name=side][value=claimant] + span"
+  );
+  const defendantSpan = document.querySelector<HTMLElement>(
+    "input[type=radio][name=side][value=defendant] + span"
+  );
+  if (!claimantSpan || !defendantSpan) return;
+
+  const labels = ROLE_LABELS[proceedingType];
+  if (labels) {
+    claimantSpan.textContent = lang === "en" ? labels.proEN : labels.proDE;
+    defendantSpan.textContent = lang === "en" ? labels.reEN : labels.reDE;
+  } else {
+    // Default — let i18n drive via data-i18n attribute. Reset to the
+    // canonical i18n value so a previous override doesn't stick when
+    // switching from upc.apl.unified back to upc.inf.cfi.
+    claimantSpan.textContent = t("deadlines.side.claimant");
+    defendantSpan.textContent = t("deadlines.side.defendant");
+  }
 }
 
+// Default target on first picker entry into upc.apl. m: Endentscheidung
+// is the most-common appeal target; the chip group also defaults
+// "Endentscheidung" checked in verfahrensablauf.tsx. Keep these two in
+// sync so the URL-less default render hits the same code path.
+let currentAppealTarget: AppealTarget = "";
+
 // Per-rule anchor overrides set by the click-to-edit affordance on
 // timeline / column date cells. Posted as `anchorOverrides` to the
 // /api/tools/fristenrechner calc so downstream rules re-anchor off the
@@ -113,54 +224,18 @@ const anchorOverrides = new Map<string, string>();
 function clearAnchorOverrides() { anchorOverrides.clear(); }
 
 // Per-event-card choices (t-paliad-265). Unbound on this page (no
-// project context), so persistence is URL-only via `?event_choices=`.
-// Format: comma-separated `submission_code:kind=value` tuples. Same
-// idiom as `?side=` + `?appellant=`.
-let perCardChoices: EventChoice[] = [];
+// project context). Persistence moved from URL → localStorage under
+// SCENARIO_KEYS.eventChoices (t-paliad-308 / m/paliad#137) — these
+// are per-user scenario tweaks, not the timeline kind, so a shared
+// link should NOT leak them into the recipient's view.
+let perCardChoices: EventChoice[] = readEventChoices(scenarioStorage);
 
-function readChoicesFromURL(): EventChoice[] {
-  const raw = new URLSearchParams(window.location.search).get("event_choices");
-  if (!raw) return [];
-  const out: EventChoice[] = [];
-  for (const tuple of raw.split(",")) {
-    const m = tuple.match(/^([^:]+):([^=]+)=(.+)$/);
-    if (!m) continue;
-    const kind = m[2] as ChoiceKind;
-    if (kind !== "appellant" && kind !== "include_ccr" && kind !== "skip") continue;
-    out.push({ submission_code: m[1], choice_kind: kind, choice_value: m[3] });
-  }
-  return out;
-}
-
-function writeChoicesToURL(choices: EventChoice[]) {
-  const url = new URL(window.location.href);
-  if (choices.length === 0) {
-    url.searchParams.delete("event_choices");
-  } else {
-    const enc = choices.map((c) => `${c.submission_code}:${c.choice_kind}=${c.choice_value}`).join(",");
-    url.searchParams.set("event_choices", enc);
-  }
-  window.history.replaceState(null, "", url.pathname + (url.search ? url.search : "") + url.hash);
-}
-
-// Show-hidden toggle state (t-paliad-290 / m/paliad#122). When ON, the
+// Show-hidden toggle (t-paliad-290 / m/paliad#122). When ON, the
 // calculator re-surfaces cards whose submission_code is in the active
 // skipRules set; they render faded with a "Wieder einblenden" chip.
-// URL-driven via ?show_hidden=1 so a shared link or reload preserves
-// the visibility. Default OFF — m's not asking to see hidden by
-// default, just to be able to.
-function readShowHiddenFromURL(): boolean {
-  return new URLSearchParams(window.location.search).get("show_hidden") === "1";
-}
-
-function writeShowHiddenToURL(on: boolean) {
-  const url = new URL(window.location.href);
-  if (on) url.searchParams.set("show_hidden", "1");
-  else url.searchParams.delete("show_hidden");
-  window.history.replaceState(null, "", url.pathname + (url.search ? url.search : "") + url.hash);
-}
-
-let showHidden = readShowHiddenFromURL();
+// Persistence moved from URL → localStorage (t-paliad-308) — it's a
+// per-user UX preference, not scenario state worth sharing in a link.
+let showHidden = readBoolFlag(scenarioStorage, SCENARIO_KEYS.showHidden);
 
 type ProcedureView = "timeline" | "columns";
 let procedureView: ProcedureView = "columns";
@@ -178,6 +253,21 @@ function writeNotesPref(on: boolean): void {
 }
 let showNotes = readNotesPref();
 
+// Durations toggle (m/paliad#133, t-paliad-302) — when off (default),
+// the per-rule duration label ("2 Mo. nach") only shows on hover via
+// the date span's `title` attribute. When on, the label renders inline
+// in the timeline meta row of every event card. Persisted in
+// localStorage under its own key so the preference is independent of
+// "Hinweise anzeigen".
+const DURATIONS_PREF_KEY = "paliad.verfahrensablauf.durations-show";
+function readDurationsPref(): boolean {
+  try { return localStorage.getItem(DURATIONS_PREF_KEY) === "1"; } catch { return false; }
+}
+function writeDurationsPref(on: boolean): void {
+  try { localStorage.setItem(DURATIONS_PREF_KEY, on ? "1" : "0"); } catch { /* no-op */ }
+}
+let showDurations = readDurationsPref();
+
 // Jurisdiction display prefix for the proceeding-summary chip + the
 // trigger-event placeholder. Same forum slugs the .proceeding-group
 // `data-forum` attribute carries in verfahrensablauf.tsx /
@@ -268,6 +358,13 @@ async function doCalc() {
   const overrides: Record<string, string> = {};
   for (const [code, date] of anchorOverrides) overrides[code] = date;
 
+  // Slice B1 (m/paliad#124 §18.1): for the unified upc.apl Berufung,
+  // default to "endentscheidung" when no chip pick is stored in URL.
+  // For non-appeal proceedings the engine ignores opts.AppealTarget.
+  const appealTarget = hasAppealTarget(selectedType)
+    ? (currentAppealTarget || "endentscheidung")
+    : "";
+
   const data = await calculateDeadlines({
     proceedingType: selectedType,
     triggerDate,
@@ -276,6 +373,7 @@ async function doCalc() {
     courtId,
     perCardChoices,
     includeHidden: showHidden,
+    appealTarget,
   });
   if (seq !== calcSeq) return;
   if (!data) return;
@@ -376,10 +474,22 @@ function renderResults(data: DeadlineResponse) {
     ? renderColumnsBody(data, {
         editable: true,
         showNotes,
+        showDurations,
         side: currentSide,
-        appellant: hasAppellantAxis(selectedType) ? currentAppellant : null,
+        // t-paliad-301: the appellant axis collapses into the single
+        // side picker. For role-swap proceedings, currentSide IS the
+        // appellant pick (so a row with primary_party=both renders only
+        // in the picked side's column). For non-role-swap proceedings,
+        // the appellant axis is irrelevant — pass null.
+        appellant: hasAppellantAxis(selectedType) ? currentSide : null,
+        // Appeal-target proceedings get per-rule appealRole routing
+        // instead of the page-level appellant collapse, so the side
+        // selector actually splits Berufungskläger vs Berufungs-
+        // beklagter filings across columns. (t-paliad-307 /
+        // m/paliad#136 Bug 1)
+        appealAware: hasAppealTarget(selectedType),
       })
-    : renderTimelineBody(data, { showParty: true, editable: true, showNotes });
+    : renderTimelineBody(data, { showParty: true, editable: true, showNotes, showDurations });
 
   container.innerHTML = headerHtml + noteHtml + bodyHtml;
   if (printBtn) printBtn.style.display = "block";
@@ -429,7 +539,7 @@ function syncInfAmendEnabled() {
   if (!ccr.checked) infAmend.checked = false;
 }
 
-function selectProceeding(btn: HTMLButtonElement) {
+function selectProceeding(btn: HTMLButtonElement, opts: { writeURL?: boolean } = {}) {
   document.querySelectorAll(".proceeding-btn").forEach((b) => b.classList.remove("active"));
   btn.classList.add("active");
   const nextType = btn.dataset.code || "";
@@ -439,35 +549,92 @@ function selectProceeding(btn: HTMLButtonElement) {
   if (selectedType !== nextType) clearAnchorOverrides();
   selectedType = nextType;
 
+  // Persist the picked proceeding to ?proceeding= so a refresh / shared
+  // link reproduces the same tile. writeURL=false on the load-time
+  // hydration path so we don't churn history.replaceState when the
+  // URL already carries the canonical value.
+  if (opts.writeURL !== false) {
+    applyURLFilters({ proceeding: selectedType });
+  }
+
   // Trigger-event label fires from the calc response (root rule).
   // Until step 3 renders, fall back to an em-dash placeholder.
   lastResponse = null;
   syncTriggerEventLabel();
 
-  void populateCourtPicker("court-picker-row", "court-picker", selectedType);
   syncFlagRows();
-  syncAppellantRowVisibility();
+  syncAppealTargetRowVisibility();
+  applyRoleLabels(selectedType);
+  // Restore flags from localStorage BEFORE the initial calc so the
+  // first /api/tools/fristenrechner POST already carries the user's
+  // stored flag state. Court_id is async (populateCourtPicker fetches
+  // courts from the API) so it restores via the .then() below + a
+  // follow-up recalc when the picker is ready.
+  restoreFlagsForProceeding();
 
   setProceedingPickerCollapsed(true, proceedingDisplayName(btn));
 
   showStep(2);
   scheduleCalc(0);
+
+  void populateCourtPicker("court-picker-row", "court-picker", selectedType).then(() => {
+    if (restoreCourtForProceeding()) scheduleCalc(0);
+  });
 }
 
-// syncAppellantRowVisibility hides the appellant selector for
-// proceedings that have no appellant axis (first-instance Inf, Rev,
-// …). Clears the in-memory state and the URL param when hidden so a
-// shared link with ?appellant= doesn't leak into an unrelated
-// proceeding's render.
-function syncAppellantRowVisibility() {
-  const row = document.getElementById("appellant-row");
+// restoreFlagsForProceeding seeds the proceeding-specific flag
+// checkboxes from localStorage. Mirrors syncFlagRows in scope — only
+// flags currently visible for the active proceeding are meaningful
+// (the hidden checkboxes still write to localStorage if toggled, but
+// that's impossible because they're not in the DOM as visible
+// controls). syncInfAmendEnabled enforces the upc.inf.cfi inf-amend
+// gating after the restore.
+function restoreFlagsForProceeding(): void {
+  const flagPairs: Array<[string, string]> = [
+    ["ccr-flag",       SCENARIO_KEYS.ccr],
+    ["inf-amend-flag", SCENARIO_KEYS.infAmend],
+    ["rev-amend-flag", SCENARIO_KEYS.revAmend],
+    ["rev-cci-flag",   SCENARIO_KEYS.revCci],
+  ];
+  for (const [domId, storageKey] of flagPairs) {
+    const cb = document.getElementById(domId) as HTMLInputElement | null;
+    if (!cb) continue;
+    cb.checked = readBoolFlag(scenarioStorage, storageKey);
+  }
+  syncInfAmendEnabled();
+}
+
+// restoreCourtForProceeding tries to apply the localStorage court_id
+// to the picker after populateCourtPicker resolves. Returns true iff
+// a value actually changed (so the caller can schedule a follow-up
+// calc). Skips silently when the picker is hidden, the stored ID isn't
+// in the options list (court rotated since last visit), or the picker
+// already happens to be on the stored value.
+function restoreCourtForProceeding(): boolean {
+  const courtPicker = document.getElementById("court-picker") as HTMLSelectElement | null;
+  const storedCourtId = readCourtId(scenarioStorage);
+  if (!courtPicker || !storedCourtId) return false;
+  const has = Array.from(courtPicker.options).some((o) => o.value === storedCourtId);
+  if (!has) return false;
+  if (courtPicker.value === storedCourtId) return false;
+  courtPicker.value = storedCourtId;
+  return true;
+}
+
+// Slice B1 (m/paliad#124 §18.1) — Berufung unification.
+// syncAppealTargetRowVisibility shows the appeal-target chip group
+// when the unified upc.apl Berufung tile is selected, hides it
+// otherwise. Mirrors syncAppellantRowVisibility's pattern: clears
+// state + URL when hiding so a stale ?target= can't leak.
+function syncAppealTargetRowVisibility() {
+  const row = document.getElementById("appeal-target-row");
   if (!row) return;
-  const visible = hasAppellantAxis(selectedType);
+  const visible = hasAppealTarget(selectedType);
   row.style.display = visible ? "" : "none";
-  if (!visible && currentAppellant !== null) {
-    currentAppellant = null;
-    writeAppellantToURL(null);
-    syncRadioGroup("appellant", "");
+  if (!visible && currentAppealTarget !== "") {
+    currentAppealTarget = "";
+    applyURLFilters({ target: "" });
+    syncRadioGroup("appeal-target", "endentscheidung");
   }
 }
 
@@ -580,11 +747,11 @@ function showSideRadioCluster() {
 // already chosen and we never overwrite. When we do prefill, write the
 // derived side to the URL so reload + back/forward round-trip cleanly.
 function applySidePrefill(os: ProjectOurSide["our_side"] | undefined) {
-  if (readSideFromURL() !== null) return;
+  if (parseSideFromSearch(window.location.search) !== null) return;
   const next = ourSideToSide(os);
   if (next === null) return;
   currentSide = next;
-  writeSideToURL(next);
+  applyURLFilters({ side: next });
   syncRadioGroup("side", next);
   sidePrefilledFromProject = true;
   renderSideChip(next);
@@ -653,10 +820,10 @@ function initViewToggle() {
 // /api/tools/fristenrechner round-trip — perspective is a pure
 // projection of the last response, no backend involved.
 function initPerspectiveControls() {
-  currentSide = readSideFromURL();
-  currentAppellant = readAppellantFromURL();
+  currentSide = parseSideFromSearch(window.location.search);
+  currentAppealTarget = parseAppealTargetFromSearch(window.location.search);
   syncRadioGroup("side", currentSide ?? "");
-  syncRadioGroup("appellant", currentAppellant ?? "");
+  syncRadioGroup("appeal-target", currentAppealTarget || "endentscheidung");
   syncSideHintVisibility();
 
   document.querySelectorAll<HTMLInputElement>("input[type=radio][name=side]").forEach((input) => {
@@ -664,19 +831,26 @@ function initPerspectiveControls() {
       if (!input.checked) return;
       const v = input.value;
       currentSide = (v === "claimant" || v === "defendant") ? v : null;
-      writeSideToURL(currentSide);
+      applyURLFilters({ side: currentSide });
       syncSideHintVisibility();
       if (lastResponse) renderResults(lastResponse);
     });
   });
 
-  document.querySelectorAll<HTMLInputElement>("input[type=radio][name=appellant]").forEach((input) => {
+  // Slice B1 (m/paliad#124 §18.1) — appeal-target chip handler.
+  // Each chip change re-fetches with the new target slug so the
+  // timeline re-renders against the matching rule subset.
+  document.querySelectorAll<HTMLInputElement>("input[type=radio][name=appeal-target]").forEach((input) => {
     input.addEventListener("change", () => {
       if (!input.checked) return;
       const v = input.value;
-      currentAppellant = (v === "claimant" || v === "defendant") ? v : null;
-      writeAppellantToURL(currentAppellant);
-      if (lastResponse) renderResults(lastResponse);
+      if ((APPEAL_TARGETS as readonly string[]).includes(v)) {
+        currentAppealTarget = v as AppealTarget;
+      } else {
+        currentAppealTarget = "";
+      }
+      applyURLFilters({ target: currentAppealTarget });
+      scheduleCalc(0);
     });
   });
 }
@@ -697,28 +871,57 @@ document.addEventListener("DOMContentLoaded", () => {
 
   const dateInput = document.getElementById("trigger-date") as HTMLInputElement | null;
   if (dateInput) {
-    dateInput.addEventListener("change", () => scheduleCalc());
-    dateInput.addEventListener("input", () => scheduleCalc());
+    // Hydrate trigger_date from URL on first paint so a refresh /
+    // shared link reproduces the same dated timeline. URL wins over
+    // the verfahrensablauf.tsx today-default that the <input> renders
+    // with. parseTriggerDateFromSearch validates the shape so a
+    // malformed link silently falls back to the today-default.
+    const urlDate = parseTriggerDateFromSearch(window.location.search);
+    if (urlDate) dateInput.value = urlDate;
+    const persistDate = () => {
+      applyURLFilters({ triggerDate: dateInput.value });
+    };
+    dateInput.addEventListener("change", () => { persistDate(); scheduleCalc(); });
+    dateInput.addEventListener("input", () => { persistDate(); scheduleCalc(); });
     dateInput.addEventListener("keydown", (e) => {
-      if ((e as KeyboardEvent).key === "Enter") scheduleCalc(0);
+      if ((e as KeyboardEvent).key === "Enter") { persistDate(); scheduleCalc(0); }
     });
   }
 
   const courtPicker = document.getElementById("court-picker") as HTMLSelectElement | null;
-  if (courtPicker) courtPicker.addEventListener("change", () => scheduleCalc(0));
+  if (courtPicker) courtPicker.addEventListener("change", () => {
+    writeCourtId(scenarioStorage, courtPicker.value);
+    scheduleCalc(0);
+  });
 
   // Flag-checkbox listeners — each flip triggers a fresh calc so the
   // timeline re-projects with the new gating. ccr-flag additionally
-  // enables/disables the nested inf-amend row.
+  // enables/disables the nested inf-amend row. Each flip also writes
+  // through to localStorage so the choice survives a reload (URL stays
+  // clean; flags are scenario state, not filter chips — t-paliad-308).
   const ccrFlag = document.getElementById("ccr-flag") as HTMLInputElement | null;
   if (ccrFlag) ccrFlag.addEventListener("change", () => {
+    writeBoolFlag(scenarioStorage, SCENARIO_KEYS.ccr, ccrFlag.checked);
     syncInfAmendEnabled();
+    // Disabling ccr also unchecks inf-amend (see syncInfAmendEnabled).
+    // Mirror that into storage so the next reload doesn't repopulate a
+    // disabled checkbox as checked.
+    const infAmend = document.getElementById("inf-amend-flag") as HTMLInputElement | null;
+    if (infAmend) writeBoolFlag(scenarioStorage, SCENARIO_KEYS.infAmend, infAmend.checked);
     scheduleCalc(0);
   });
-  (["inf-amend-flag", "rev-amend-flag", "rev-cci-flag"]).forEach((id) => {
+  const flagStorageKeys: Record<string, string> = {
+    "inf-amend-flag": SCENARIO_KEYS.infAmend,
+    "rev-amend-flag": SCENARIO_KEYS.revAmend,
+    "rev-cci-flag":   SCENARIO_KEYS.revCci,
+  };
+  for (const [id, storageKey] of Object.entries(flagStorageKeys)) {
     const cb = document.getElementById(id) as HTMLInputElement | null;
-    if (cb) cb.addEventListener("change", () => scheduleCalc(0));
-  });
+    if (cb) cb.addEventListener("change", () => {
+      writeBoolFlag(scenarioStorage, storageKey, cb.checked);
+      scheduleCalc(0);
+    });
+  }
 
   document.getElementById("fristen-print-btn")?.addEventListener("click", () => window.print());
 
@@ -749,16 +952,30 @@ document.addEventListener("DOMContentLoaded", () => {
     });
   }
 
-  // t-paliad-290 — show-hidden toggle. Hydrate from URL, wire change
-  // to URL + recalc (the backend reshapes the response — we can't just
-  // re-render lastResponse since the hidden rows aren't in it when the
-  // toggle was OFF).
+  // Durations toggle (m/paliad#133, t-paliad-302) — sibling of the
+  // notes toggle. Hover-only labels (default) become inline labels when
+  // the user opts in.
+  const durationsShowCb = document.getElementById("verfahrensablauf-durations-show") as HTMLInputElement | null;
+  if (durationsShowCb) {
+    durationsShowCb.checked = showDurations;
+    durationsShowCb.addEventListener("change", () => {
+      showDurations = durationsShowCb.checked;
+      writeDurationsPref(showDurations);
+      if (lastResponse) renderResults(lastResponse);
+    });
+  }
+
+  // t-paliad-290 — show-hidden toggle. Hydrated from localStorage at
+  // module load (showHidden); each flip writes back to localStorage
+  // and triggers a recalc (the backend reshapes the response — we
+  // can't just re-render lastResponse since the hidden rows aren't
+  // in it when the toggle was OFF).
   const showHiddenCb = document.getElementById("show-hidden-toggle") as HTMLInputElement | null;
   if (showHiddenCb) {
     showHiddenCb.checked = showHidden;
     showHiddenCb.addEventListener("change", () => {
       showHidden = showHiddenCb.checked;
-      writeShowHiddenToURL(showHidden);
+      writeBoolFlag(scenarioStorage, SCENARIO_KEYS.showHidden, showHidden);
       scheduleCalc(0);
     });
   }
@@ -766,11 +983,10 @@ document.addEventListener("DOMContentLoaded", () => {
   initViewToggle();
   initPerspectiveControls();
 
-  // t-paliad-265 — per-event-card choices. Unbound surface, so commits
-  // mutate the in-memory list + URL, then trigger a recalc. The
-  // popover module owns the popover lifecycle; this page owns the
-  // recalc + URL plumbing.
-  perCardChoices = readChoicesFromURL();
+  // t-paliad-265 — per-event-card choices. Unbound surface; persistence
+  // is localStorage-only (t-paliad-308) so a shared link doesn't carry
+  // the recipient's per-card tweaks. The popover module owns the
+  // popover lifecycle; this page owns the recalc + storage plumbing.
   const timelineEl = document.getElementById("timeline-container");
   if (timelineEl) {
     attachEventCardChoices({
@@ -781,14 +997,14 @@ document.addEventListener("DOMContentLoaded", () => {
           (c) => !(c.submission_code === choice.submission_code && c.choice_kind === choice.choice_kind),
         );
         perCardChoices.push(choice);
-        writeChoicesToURL(perCardChoices);
+        writeEventChoices(scenarioStorage, perCardChoices);
         scheduleCalc(0);
       },
       remove: (submissionCode, kind) => {
         perCardChoices = perCardChoices.filter(
           (c) => !(c.submission_code === submissionCode && c.choice_kind === kind),
         );
-        writeChoicesToURL(perCardChoices);
+        writeEventChoices(scenarioStorage, perCardChoices);
         scheduleCalc(0);
       },
     });
@@ -824,8 +1040,31 @@ document.addEventListener("DOMContentLoaded", () => {
     syncTriggerEventLabel();
   });
 
-  // Pre-select the first proceeding tile so users see a timeline
-  // immediately on landing — matches /tools/fristenrechner behaviour.
-  const firstBtn = document.querySelector<HTMLButtonElement>(".proceeding-btn");
-  if (firstBtn) selectProceeding(firstBtn);
+  // Pre-select the proceeding tile. URL wins: if ?proceeding= is set
+  // and points at a known tile, that tile is selected without rewriting
+  // the URL. Otherwise fall back to the first tile so users see a
+  // timeline immediately on landing — matches /tools/fristenrechner
+  // behaviour. The auto-pick does NOT write the URL so the default
+  // landing stays clean (`?proceeding=` only appears once the user
+  // makes an explicit choice). (t-paliad-308 / m/paliad#137)
+  const urlProceeding = parseProceedingFromSearch(window.location.search);
+  let initialBtn: HTMLButtonElement | null = null;
+  let urlHit = false;
+  if (urlProceeding) {
+    initialBtn = document.querySelector<HTMLButtonElement>(
+      `.proceeding-btn[data-code="${urlProceeding.replace(/"/g, '\\"')}"]`,
+    );
+    urlHit = initialBtn !== null;
+  }
+  if (!initialBtn) {
+    initialBtn = document.querySelector<HTMLButtonElement>(".proceeding-btn");
+  }
+  if (initialBtn) {
+    // writeURL=false when the URL either already carries this code
+    // (no churn) or has no proceeding (auto-default → don't pollute
+    // the clean URL). Only an unknown / stale ?proceeding= triggers
+    // a rewrite so the URL converges on the resolved tile.
+    const writeURL = urlProceeding !== "" && !urlHit;
+    selectProceeding(initialBtn, { writeURL });
+  }
 });

frontend/src/client/views/event-card-choices.ts

@@ -81,17 +81,6 @@ export function attachEventCardChoices(opts: EventCardChoicesOpts): void {
       openPopover(state, caret);
       return;
     }
-    // t-paliad-290: "Wieder einblenden" chip — direct un-hide path that
-    // mirrors the popover's reset on the `skip` kind. The chip only
-    // renders on hidden cards (server-flagged via UIDeadline.IsHidden),
-    // so we always have a real skip entry to remove.
-    const unhide = targetEl?.closest<HTMLElement>(".event-card-choices-unhide");
-    if (unhide) {
-      e.stopPropagation();
-      const code = unhide.dataset.submissionCode || "";
-      if (code) void unhideCard(state, code);
-      return;
-    }
     // Outside-click closes the popover.
     if (state.popover && !state.popover.contains(e.target as Node)) {
       closePopover(state);
@@ -170,6 +159,7 @@ function openPopover(state: AttachedState, caret: HTMLElement): void {
   } catch {
     return;
   }
+  const isHidden = caret.dataset.isHidden === "1";
 
   const pop = document.createElement("div");
   pop.className = "event-card-choices-popover";
@@ -177,6 +167,15 @@ function openPopover(state: AttachedState, caret: HTMLElement): void {
   pop.setAttribute("aria-label", t("choices.caret.title"));
 
   const blocks: string[] = [];
+  // t-paliad-293: hidden-card prominence. When the user opens the
+  // popover on a re-surfaced hidden card, "Wieder einblenden" is the
+  // most likely intent — surface it as a single high-contrast action
+  // at the top of the popover (rather than burying it under the skip
+  // toggle's reset link). Clicking it clears the `skip` choice, which
+  // is the same wire effect as the legacy inline chip from t-paliad-290.
+  if (isHidden) {
+    blocks.push(renderUnhideBlock());
+  }
   if (Array.isArray(offered.appellant)) {
     blocks.push(renderAppellantBlock(state, code, offered.appellant as unknown[]));
   }
@@ -271,21 +270,21 @@ function renderToggleBlock(state: AttachedState, code: string, kind: "include_cc
   </div>`;
 }
 
-// unhideCard removes the `skip` choice on the given submission_code via
-// the page-supplied remove() callback, then repaints chips so the card
-// loses its fade. The page's remove() also triggers a recalc — the
-// re-surfaced card will then drop out of the result list naturally
-// (since IncludeHidden is still on but the skip entry is gone). Errors
-// surface in the console; the chip stays clickable for a retry.
-// (t-paliad-290)
-async function unhideCard(state: AttachedState, code: string): Promise<void> {
-  try {
-    await state.opts.remove(code, "skip");
-    state.active.get(code)?.delete("skip");
-    reseedChips(state.opts.container);
-  } catch (err) {
-    console.error("event card un-hide failed", err);
-  }
+// renderUnhideBlock is the popover's prominent "Wieder einblenden"
+// action — surfaced only when the caret is opened on a re-surfaced
+// hidden card (data-is-hidden="1" on the caret). Clicking it dispatches
+// the same `clear` action as the skip-block reset link below, but
+// labelled in the user's terms ("restore this card" rather than
+// "reset skip choice"). Drops out of the popover automatically on
+// non-hidden cards so the popover stays minimal. (t-paliad-293)
+function renderUnhideBlock(): string {
+  const label = t("choices.unhide.chip");
+  return `<div class="event-card-choices-block event-card-choices-block--unhide">
+    <button type="button"
+      data-choice-action="clear"
+      data-choice-kind="skip"
+      class="event-card-choices-unhide-btn">${escHtml(label)}</button>
+  </div>`;
 }
 
 function closePopover(state: AttachedState): void {

frontend/src/client/views/verfahrensablauf-core.test.ts

@@ -1,8 +1,12 @@
 import { describe, expect, test } from "bun:test";
 import {
   type CalculatedDeadline,
+  type DeadlineResponse,
   bucketDeadlinesIntoColumns,
   deadlineCardHtml,
+  formatDurationLabel,
+  renderColumnsBody,
+  stripLeadingDurationFromNotes,
 } from "./verfahrensablauf-core";
 
 // Regression tests for the editable→click-to-edit wiring on timeline date
@@ -67,28 +71,89 @@ describe("deadlineCardHtml — editable=true emits click-to-edit attrs", () => {
   });
 });
 
-// t-paliad-290 (m/paliad#122): the "Ausgeblendete anzeigen" toggle
-// surfaces hidden cards via UIDeadline.IsHidden=true. The renderer
-// must (a) emit an inline "Wieder einblenden" chip carrying the
-// submission_code (so the delegated handler in event-card-choices.ts
-// can resolve which skip to clear) and (b) NOT emit the chip when
-// either isHidden is false or the rule has no submission_code (no
-// hide target to undo).
-describe("deadlineCardHtml — isHidden inline 'Wieder einblenden' chip (t-paliad-290)", () => {
-  test("isHidden=true with submission_code emits unhide chip with data-submission-code", () => {
+// t-paliad-293 (m/paliad#125): the "Wieder einblenden" affordance
+// moved from an inline chip in the card header into the caret popover
+// to fix horizontal-scroll on narrow viewports (the long German label
+// pushed the card past its column width). The renderer now signals
+// hidden state two ways: (1) a 👁⃠ state-icon in the title row and
+// (2) data-is-hidden="1" on the caret button so event-card-choices.ts
+// can surface the prominent "Wieder einblenden" popover entry when
+// the user opens the menu. The legacy `.event-card-choices-unhide`
+// inline chip class must NOT appear in the output.
+describe("deadlineCardHtml — isHidden surfaces state-icon + caret hint (t-paliad-293)", () => {
+  test("isHidden=true emits the hidden state-icon", () => {
+    const html = deadlineCardHtml(
+      dl({ isHidden: true, choicesOffered: { skip: [true, false] } }),
+      { showParty: true },
+    );
+    expect(html).toContain("timeline-state-icon--hidden");
+  });
+
+  test("isHidden=true with choicesOffered.skip annotates the caret with data-is-hidden=\"1\"", () => {
+    const html = deadlineCardHtml(
+      dl({ isHidden: true, choicesOffered: { skip: [true, false] } }),
+      { showParty: true },
+    );
+    expect(html).toContain('data-is-hidden="1"');
+    expect(html).toContain("event-card-choices-caret");
+  });
+
+  test("isHidden=false (default) suppresses the state-icon and reports data-is-hidden=\"0\"", () => {
+    const html = deadlineCardHtml(
+      dl({ choicesOffered: { skip: [true, false] } }),
+      { showParty: true },
+    );
+    expect(html).not.toContain("timeline-state-icon--hidden");
+    expect(html).toContain('data-is-hidden="0"');
+  });
+
+  test("isHidden=true with empty choicesOffered still emits caret with synthesized skip offer (defensive)", () => {
+    // Edge case: admin edits the rule's choices_offered after a user
+    // has already saved a `skip=true` choice. Without the fallback
+    // the card would re-surface as hidden with no popover entrypoint
+    // — the user would have no way to un-hide it. The renderer
+    // synthesizes a `{skip:[true,false]}` offer so the prominent
+    // "Wieder einblenden" button still renders in the popover.
     const html = deadlineCardHtml(dl({ isHidden: true }), { showParty: true });
-    expect(html).toContain("event-card-choices-unhide");
-    expect(html).toContain('data-submission-code="upc-rop-12"');
+    expect(html).toContain("event-card-choices-caret");
+    expect(html).toContain('data-is-hidden="1"');
+    expect(html).toContain("data-choices-offered=\"{"skip":[true,false]}\"");
   });
 
-  test("isHidden=false (default) suppresses unhide chip", () => {
+  test("isHidden=false with empty choicesOffered suppresses caret (regression guard)", () => {
     const html = deadlineCardHtml(dl(), { showParty: true });
-    expect(html).not.toContain("event-card-choices-unhide");
+    expect(html).not.toContain("event-card-choices-caret");
   });
 
-  test("isHidden=true on a rule with no submission_code suppresses unhide chip", () => {
-    const html = deadlineCardHtml(dl({ code: "", isHidden: true }), { showParty: true });
-    expect(html).not.toContain("event-card-choices-unhide");
+  test("legacy inline `.event-card-choices-unhide` class is no longer emitted", () => {
+    // Pinned to catch a regression that would re-introduce the
+    // horizontal-scroll surface that motivated the move. The popover
+    // now uses `.event-card-choices-unhide-btn` (with the -btn suffix)
+    // inside the body-attached popover dom node — never in the card
+    // header HTML the renderer returns.
+    const html = deadlineCardHtml(
+      dl({ isHidden: true, choicesOffered: { skip: [true, false] } }),
+      { showParty: true },
+    );
+    expect(html).not.toContain('class="event-card-choices-unhide"');
+    expect(html).not.toMatch(/event-card-choices-unhide(?!-btn)/);
+  });
+});
+
+// t-paliad-293: the `optional` priority used to render an inline text
+// badge in the card title. The overhaul replaces it with a ⊙ state
+// icon so the title row stays compact on narrow viewports. Tooltip is
+// driven by the `state.optional.tooltip` i18n key.
+describe("deadlineCardHtml — optional priority renders the state icon (t-paliad-293)", () => {
+  test("priority='optional' emits the timeline-state-icon--optional marker", () => {
+    const html = deadlineCardHtml(dl({ priority: "optional" }), { showParty: true });
+    expect(html).toContain("timeline-state-icon--optional");
+    expect(html).not.toContain("optional-badge");
+  });
+
+  test("priority='mandatory' (default) omits the optional marker", () => {
+    const html = deadlineCardHtml(dl(), { showParty: true });
+    expect(html).not.toContain("timeline-state-icon--optional");
   });
 });
 
@@ -264,6 +329,29 @@ describe("bucketDeadlinesIntoColumns — side+appellant column routing (m/paliad
     expect(rows[0].ours).toHaveLength(0);
   });
 
+  test("side=defendant collapses 'both' rules into ours (no mirror) — m/paliad#135", () => {
+    // When the user has committed to a perspective via `?side=`, the
+    // mirror is visual noise: the same card renders twice on one row,
+    // once in 'Unsere Seite' and once in 'Gegnerseite'. The card's
+    // '↔ beide Seiten' indicator already conveys the both-parties
+    // semantic, so collapsing into ours is sufficient.
+    const rows = bucketDeadlinesIntoColumns(
+      [both("Antrag auf Simultanübersetzung", "2026-04-27")],
+      { side: "defendant" },
+    );
+    expect(rows[0].ours.map((d) => d.name)).toEqual(["Antrag auf Simultanübersetzung"]);
+    expect(rows[0].opponent).toHaveLength(0);
+  });
+
+  test("side=claimant collapses 'both' rules into ours (no mirror) — m/paliad#135", () => {
+    const rows = bucketDeadlinesIntoColumns(
+      [both("Antrag auf Simultanübersetzung", "2026-04-27")],
+      { side: "claimant" },
+    );
+    expect(rows[0].ours.map((d) => d.name)).toEqual(["Antrag auf Simultanübersetzung"]);
+    expect(rows[0].opponent).toHaveLength(0);
+  });
+
   test("rows align across columns by dueDate so same-day events stay on one grid row", () => {
     const sameDate = "2026-07-23";
     const rows = bucketDeadlinesIntoColumns([
@@ -331,4 +419,357 @@ describe("bucketDeadlinesIntoColumns — side+appellant column routing (m/paliad
       ["Decision"],
     ]);
   });
+
+});
+
+// m's correction in m/paliad#127 (t-paliad-295) reverted half of #88's
+// header refresh: the user-perspective labels "Unsere Seite"/"Gegnerseite"
+// only make sense once the user has picked a side. While the side is
+// still "Nicht festgelegt" (side === null — the default after #120) the
+// header falls back to the semantic-neutral "Proaktiv"/"Reaktiv" labels.
+// Picking a side re-enables the #88 labels. The bucketing primitive
+// itself is unchanged — only the column-header text differs.
+describe("renderColumnsBody — side-aware column header labels (m/paliad#127)", () => {
+  const dlFix = (party: string, name: string, due: string): CalculatedDeadline => ({
+    code: name,
+    name,
+    nameEN: name,
+    party,
+    priority: "mandatory",
+    ruleRef: "",
+    dueDate: due,
+    originalDate: due,
+    wasAdjusted: false,
+    isRootEvent: false,
+    isCourtSet: false,
+  });
+  const data: DeadlineResponse = {
+    proceedingType: "upc.inf.cfi",
+    proceedingName: "UPC Verletzungsverfahren",
+    triggerDate: "2026-01-01",
+    deadlines: [
+      dlFix("claimant", "Klageschrift", "2026-01-01"),
+      dlFix("defendant", "Klageerwiderung", "2026-04-01"),
+    ],
+  };
+
+  test("side=null renders Proaktiv/Gericht/Reaktiv headers", () => {
+    const html = renderColumnsBody(data, { side: null });
+    expect(html).toContain(">Proaktiv<");
+    expect(html).toContain(">Gericht<");
+    expect(html).toContain(">Reaktiv<");
+    expect(html).not.toContain(">Unsere Seite<");
+    expect(html).not.toContain(">Gegnerseite<");
+  });
+
+  test("side=null when opts omitted (default) still renders Proaktiv/Reaktiv", () => {
+    const html = renderColumnsBody(data);
+    expect(html).toContain(">Proaktiv<");
+    expect(html).toContain(">Reaktiv<");
+  });
+
+  test("side=claimant renders Unsere Seite/Gericht/Gegnerseite headers", () => {
+    const html = renderColumnsBody(data, { side: "claimant" });
+    expect(html).toContain(">Unsere Seite<");
+    expect(html).toContain(">Gericht<");
+    expect(html).toContain(">Gegnerseite<");
+    expect(html).not.toContain(">Proaktiv<");
+    expect(html).not.toContain(">Reaktiv<");
+  });
+
+  test("side=defendant renders Unsere Seite/Gegnerseite headers (column swap is bucketing, not labels)", () => {
+    // The user-perspective labels are picked once a side is set; the
+    // bucketer still routes defendant filings into the `ours` column when
+    // side=defendant, so the left column's header truthfully reads
+    // "Unsere Seite" regardless of which underlying party occupies it.
+    const html = renderColumnsBody(data, { side: "defendant" });
+    expect(html).toContain(">Unsere Seite<");
+    expect(html).toContain(">Gegnerseite<");
+    expect(html).not.toContain(">Proaktiv<");
+    expect(html).not.toContain(">Reaktiv<");
+  });
+});
+
+// t-paliad-307 / m/paliad#136 Bug 1 — appeal-aware column routing.
+// All appeal rules carry party='both' (either side could be the
+// appellant). With appealAware=true + dl.appealRole set, the bucketer
+// routes by (filer matches user) instead of collapsing every 'both'
+// row into the user's column. Without a side picked, the bucketer
+// keeps the legacy mirror so every appeal rule is visible.
+describe("bucketDeadlinesIntoColumns — appeal-aware routing (t-paliad-307)", () => {
+  const appeal = (
+    name: string,
+    role: "appellant" | "appellee",
+    due: string,
+  ): CalculatedDeadline => ({
+    code: name,
+    name,
+    nameEN: name,
+    party: "both",
+    priority: "mandatory",
+    ruleRef: "",
+    dueDate: due,
+    originalDate: due,
+    wasAdjusted: false,
+    isRootEvent: false,
+    isCourtSet: false,
+    appealRole: role,
+  });
+
+  const notice = appeal("Berufungseinlegung", "appellant", "2026-07-26");
+  const grounds = appeal("Berufungsbegründung", "appellant", "2026-09-26");
+  const response = appeal("Berufungserwiderung", "appellee", "2026-12-26");
+
+  test("appealAware + side=claimant: appellant rules → ours, appellee rules → opponent", () => {
+    const rows = bucketDeadlinesIntoColumns([notice, grounds, response], {
+      side: "claimant",
+      appealAware: true,
+    });
+    const byKey = new Map(rows.map((r) => [r.key, r]));
+    expect(byKey.get(notice.dueDate)?.ours.map((d) => d.name)).toEqual(["Berufungseinlegung"]);
+    expect(byKey.get(notice.dueDate)?.opponent).toHaveLength(0);
+    expect(byKey.get(response.dueDate)?.ours).toHaveLength(0);
+    expect(byKey.get(response.dueDate)?.opponent.map((d) => d.name)).toEqual(["Berufungserwiderung"]);
+  });
+
+  test("appealAware + side=defendant: appellant rules → opponent, appellee rules → ours", () => {
+    const rows = bucketDeadlinesIntoColumns([notice, response], {
+      side: "defendant",
+      appealAware: true,
+    });
+    const byKey = new Map(rows.map((r) => [r.key, r]));
+    expect(byKey.get(notice.dueDate)?.opponent.map((d) => d.name)).toEqual(["Berufungseinlegung"]);
+    expect(byKey.get(notice.dueDate)?.ours).toHaveLength(0);
+    expect(byKey.get(response.dueDate)?.ours.map((d) => d.name)).toEqual(["Berufungserwiderung"]);
+    expect(byKey.get(response.dueDate)?.opponent).toHaveLength(0);
+  });
+
+  test("appealAware + side=null: mirror to both columns (every rule visible)", () => {
+    const rows = bucketDeadlinesIntoColumns([notice, response], {
+      side: null,
+      appealAware: true,
+    });
+    const byKey = new Map(rows.map((r) => [r.key, r]));
+    expect(byKey.get(notice.dueDate)?.ours.map((d) => d.name)).toEqual(["Berufungseinlegung"]);
+    expect(byKey.get(notice.dueDate)?.opponent.map((d) => d.name)).toEqual(["Berufungseinlegung"]);
+    expect(byKey.get(response.dueDate)?.ours.map((d) => d.name)).toEqual(["Berufungserwiderung"]);
+    expect(byKey.get(response.dueDate)?.opponent.map((d) => d.name)).toEqual(["Berufungserwiderung"]);
+  });
+
+  test("appealAware off: appealRole is ignored and legacy bucketing applies", () => {
+    // Regression guard: a stale frontend that drops `appealAware: true`
+    // must not silently route via appealRole — the side selector
+    // would visibly change behaviour without a UI control to opt in.
+    const rows = bucketDeadlinesIntoColumns([notice, response], { side: "defendant" });
+    // Legacy "side without appellant" collapse → both rows into ours.
+    const allOurs = rows.flatMap((r) => r.ours.map((d) => d.name));
+    expect(allOurs).toEqual(["Berufungseinlegung", "Berufungserwiderung"]);
+    rows.forEach((r) => expect(r.opponent).toHaveLength(0));
+  });
+
+  test("appealAware respects court party — court rows always route to court column", () => {
+    const decision: CalculatedDeadline = {
+      ...notice,
+      name: "Entscheidung",
+      party: "court",
+      appealRole: "", // court events deliberately stay empty
+      dueDate: "",
+    };
+    const rows = bucketDeadlinesIntoColumns([decision], { side: "claimant", appealAware: true });
+    expect(rows[0].court.map((d) => d.name)).toEqual(["Entscheidung"]);
+    expect(rows[0].ours).toHaveLength(0);
+    expect(rows[0].opponent).toHaveLength(0);
+  });
+
+  test("appealAware + rule without appealRole falls back to legacy bucketing", () => {
+    // A future appeal rule we forgot to map: appealRole='' falls
+    // through the appealAware branch and lands in the legacy
+    // side-collapse path → ours.
+    const unmapped: CalculatedDeadline = { ...notice, appealRole: "" };
+    const rows = bucketDeadlinesIntoColumns([unmapped], { side: "claimant", appealAware: true });
+    expect(rows[0].ours.map((d) => d.name)).toEqual(["Berufungseinlegung"]);
+    expect(rows[0].opponent).toHaveLength(0);
+  });
+});
+
+// t-paliad-307 / m/paliad#136 Bug 3 — duration label appends the
+// parent rule name (or the proceeding's trigger event label for
+// root rules) so the chip reads "4 Monate nach Endentscheidung"
+// instead of the dangling "4 Monate nach".
+describe("formatDurationLabel — appends parent name (t-paliad-307)", () => {
+  const dl = (overrides: Partial<CalculatedDeadline> = {}): CalculatedDeadline => ({
+    code: "x",
+    name: "x",
+    nameEN: "x",
+    party: "both",
+    priority: "mandatory",
+    ruleRef: "",
+    dueDate: "",
+    originalDate: "",
+    wasAdjusted: false,
+    isRootEvent: false,
+    isCourtSet: false,
+    durationValue: 4,
+    durationUnit: "months",
+    timing: "after",
+    ...overrides,
+  });
+
+  test("with parent label: appends to head", () => {
+    expect(formatDurationLabel(dl(), "Endentscheidung (R.118)"))
+      .toBe("4 Monate nach Endentscheidung (R.118)");
+  });
+
+  test("without parent label: bare head — caller decides whether to render", () => {
+    expect(formatDurationLabel(dl())).toBe("4 Monate nach");
+  });
+
+  test("without timing: parent is not appended (degenerate phrasing)", () => {
+    // No timing == we can't form "4 Monate <timing> <parent>" cleanly,
+    // so the bare "4 Monate" head stays. Pinned to catch a future
+    // edit that would emit "4 Monate Endentscheidung" without a
+    // preposition.
+    expect(formatDurationLabel(dl({ timing: "" }), "Endentscheidung")).toBe("4 Monate");
+  });
+
+  test("singular value: switches to .one unit key", () => {
+    expect(formatDurationLabel(dl({ durationValue: 1 }), "X")).toBe("1 Monat nach X");
+  });
+
+  test("zero / missing duration: empty string", () => {
+    expect(formatDurationLabel(dl({ durationValue: 0 }), "X")).toBe("");
+    expect(formatDurationLabel(dl({ durationValue: 0, durationUnit: "" }), "X")).toBe("");
+  });
+});
+
+describe("deadlineCardHtml — duration tooltip reads parent name (t-paliad-307)", () => {
+  test("root rule with non-zero duration uses opts.triggerEventLabel as parent fallback", () => {
+    // upc.apl.merits.notice has no parent_id but a 2-month duration
+    // off the trigger event (the appealed decision). The duration
+    // tooltip must read the appeal-target label, not just "2 Monate
+    // nach".
+    const dl: CalculatedDeadline = {
+      code: "upc.apl.merits.notice",
+      name: "Berufungseinlegung",
+      nameEN: "Notice of Appeal",
+      party: "both",
+      priority: "mandatory",
+      ruleRef: "",
+      dueDate: "2026-07-26",
+      originalDate: "2026-07-26",
+      wasAdjusted: false,
+      isRootEvent: false,
+      isCourtSet: false,
+      durationValue: 2,
+      durationUnit: "months",
+      timing: "after",
+    };
+    const html = deadlineCardHtml(dl, {
+      showParty: false,
+      editable: true,
+      triggerEventLabel: "Endentscheidung (R.118)",
+    });
+    expect(html).toContain("title=\"2 Monate nach Endentscheidung (R.118)\"");
+  });
+
+  test("non-root rule prefers parent rule name over triggerEventLabel", () => {
+    // merits.response chains off merits.grounds; the duration label
+    // should read "3 Monate nach Berufungsbegründung", not the
+    // appeal-target fallback.
+    const dl: CalculatedDeadline = {
+      code: "upc.apl.merits.response",
+      name: "Berufungserwiderung",
+      nameEN: "Response to Appeal",
+      party: "both",
+      priority: "mandatory",
+      ruleRef: "",
+      dueDate: "2026-12-26",
+      originalDate: "2026-12-26",
+      wasAdjusted: false,
+      isRootEvent: false,
+      isCourtSet: false,
+      durationValue: 3,
+      durationUnit: "months",
+      timing: "after",
+      parentRuleCode: "upc.apl.merits.grounds",
+      parentRuleName: "Berufungsbegründung",
+      parentRuleNameEN: "Statement of Grounds",
+    };
+    const html = deadlineCardHtml(dl, {
+      showParty: false,
+      editable: true,
+      triggerEventLabel: "Endentscheidung (R.118)",
+    });
+    expect(html).toContain("title=\"3 Monate nach Berufungsbegründung\"");
+  });
+});
+
+// t-paliad-307 / m/paliad#136 Bug 4 — leading "Frist N <unit> …"
+// substring is stripped before deadline_notes renders so the new
+// duration affordance and the legacy free-text don't duplicate.
+describe("stripLeadingDurationFromNotes — render-side dedup (t-paliad-307)", () => {
+  test("DE: strips 'Frist 1 Monat VOR …. ' and keeps the rest", () => {
+    const out = stripLeadingDurationFromNotes(
+      "Frist 1 Monat VOR der mündlichen Verhandlung (R.109.1). Antrag auf Simultanübersetzung.",
+      "de",
+    );
+    expect(out).toBe("Antrag auf Simultanübersetzung.");
+  });
+
+  test("DE: strips 'Frist 15 Tage ab …' when the whole notes is the duration prose", () => {
+    const out = stripLeadingDurationFromNotes(
+      "Frist 15 Tage ab Zustellung der Kostenentscheidung",
+      "de",
+    );
+    expect(out).toBe("");
+  });
+
+  test("DE: strips 'Frist beträgt 2 Monate ab …. ' (Wiedereinsetzung variant)", () => {
+    const out = stripLeadingDurationFromNotes(
+      "Frist beträgt 2 Monate ab Wegfall des Hindernisses (§ 123(2) PatG). Spätestens 1 Jahr.",
+      "de",
+    );
+    expect(out).toBe("Spätestens 1 Jahr.");
+  });
+
+  test("DE: composite 'Frist N … ODER M …' is preserved (option b follow-up)", () => {
+    const composite =
+      "Frist 31 Kalendertage ODER 20 Arbeitstage (jeweils das längere) ab Anordnung der einstweiligen Maßnahme.";
+    expect(stripLeadingDurationFromNotes(composite, "de")).toBe(composite);
+  });
+
+  test("DE: 'Frist vom Gericht' (no number) is preserved", () => {
+    const out = stripLeadingDurationFromNotes("Frist vom Gericht bestimmt", "de");
+    expect(out).toBe("Frist vom Gericht bestimmt");
+  });
+
+  test("EN: strips '1 month BEFORE …. ' and keeps the rest", () => {
+    const out = stripLeadingDurationFromNotes(
+      "1 month BEFORE the oral hearing (R.109.1). Request for simultaneous interpretation.",
+      "en",
+    );
+    expect(out).toBe("Request for simultaneous interpretation.");
+  });
+
+  test("EN: strips '15-day period from …'", () => {
+    const out = stripLeadingDurationFromNotes(
+      "15-day period from service of the cost decision",
+      "en",
+    );
+    expect(out).toBe("");
+  });
+
+  test("EN: strips 'Period is N <unit> from …'", () => {
+    const out = stripLeadingDurationFromNotes(
+      "Period is 2 months from removal of the obstacle (Rule 136(1) EPC). Latest 12 months.",
+      "en",
+    );
+    expect(out).toBe("Latest 12 months.");
+  });
+
+  test("EN: empty / non-matching notes pass through unchanged", () => {
+    expect(stripLeadingDurationFromNotes("", "en")).toBe("");
+    expect(stripLeadingDurationFromNotes("Time limit set by the court", "en"))
+      .toBe("Time limit set by the court");
+  });
 });

frontend/src/client/views/verfahrensablauf-core.ts

@@ -95,6 +95,111 @@ export interface CalculatedDeadline {
   parentRuleCode?: string;
   parentRuleName?: string;
   parentRuleNameEN?: string;
+  // durationValue / durationUnit / timing surface the rule's arithmetic
+  // so the timeline card can show "2 Mo. nach" on hover (and inline when
+  // the "Dauern anzeigen" toggle is on). Zero-duration rules (root
+  // event, court-set) carry durationValue=0 and the renderer suppresses
+  // the affordance — those don't have an explainable interval.
+  // (m/paliad#133, t-paliad-302)
+  durationValue?: number;
+  durationUnit?: string;
+  timing?: string;
+  // appealRole carries the rule's appeal-filer identity when the
+  // server computed the timeline under an appeal_target filter:
+  // "appellant" (Berufungskläger files this rule), "appellee"
+  // (Berufungsbeklagter files this rule), or empty for court events
+  // and non-appeal timelines. The column bucketer reads this in
+  // preference to primary_party='both' so a user-perspective `?side=`
+  // pick can split appeal filings into the user's column vs the
+  // opponent's, instead of routing every "both" rule into the
+  // user's column. (t-paliad-307 / m/paliad#136 Bug 1)
+  appealRole?: "appellant" | "appellee" | "";
+  // isTriggerEvent marks the synthetic row the engine prepends to the
+  // timeline when computing an appeal: a court-set decision dated to
+  // the trigger date with the per-appeal-target label
+  // (Endentscheidung / Kostenentscheidung / Anordnung / …). The row
+  // carries no real rule_id — it's a UI marker so the timeline reads
+  // decision → appeal filings → next decision. (t-paliad-307 /
+  // m/paliad#136 Bug 2)
+  isTriggerEvent?: boolean;
+}
+
+// stripLeadingDurationFromNotes drops the leading
+// "Frist N <unit> <preposition> <subject>." (DE) /
+// "N <unit> <preposition> <subject>." (EN) prefix from a rule's
+// deadline_notes so it doesn't duplicate the new duration affordance
+// added in m/paliad#133 (t-paliad-307 Bug 4).
+//
+// The duration affordance now renders the same prose as a badge on
+// the card ("4 Monate nach Endentscheidung (R.118)"); a free-text
+// notes string that opens with the same prose reads as a verbatim
+// duplicate. Only the leading-prefix shape is stripped — anything
+// after the first sentence is preserved (the editorial commentary
+// the lawyers actually want to read).
+//
+// Conservative: composite-duration prefaces with "ODER" /
+// "whichever is the longer" don't match and stay untouched — those
+// are the follow-up editorial cleanup (option b in the issue brief).
+//
+// Examples:
+//   "Frist 1 Monat VOR der mündlichen Verhandlung (R.109.1). Antrag …"
+//     → "Antrag …"
+//   "Frist 15 Tage ab Zustellung der Kostenentscheidung"
+//     → ""
+//   "Frist beträgt 2 Monate ab Wegfall des Hindernisses (§ 123(2) PatG). Spätestens …"
+//     → "Spätestens …"
+//   "1-month period from service of the main decision"
+//     → ""
+//   "1 month BEFORE the oral hearing (R.109.1). Request for …"
+//     → "Request for …"
+//   "Period is 2 months from removal of the obstacle (Rule 136(1) EPC). Latest …"
+//     → "Latest …"
+//   "Frist 31 Kalendertage ODER 20 Arbeitstage (jeweils das längere) ab Anordnung …"
+//     → unchanged (composite — option b follow-up)
+export function stripLeadingDurationFromNotes(notes: string, lang: "de" | "en"): string {
+  if (!notes) return notes;
+  // Terminator `(?:\.\s+|$)` matches the FIRST sentence boundary
+  // (period followed by whitespace) OR end of input. Embedded dots
+  // inside parenthesised citations (R.109.1, § 123(2), Rule 136(1))
+  // are skipped because the char right after them isn't whitespace.
+  // `[^]*?` is the JS-portable form of `.*?` with the dotAll flag —
+  // any character including newlines, non-greedy.
+  const re = lang === "en"
+    ? /^(?:Period\s+is\s+)?\d+(?:[-\s]\S+)?\s+(?:\S+\s+)?(?:before|from|after|since)\b[^]*?(?:\.\s+|$)/i
+    : /^Frist\s+(?:beträgt\s+)?\d+\s+\S+\s+(?:VOR|vor|nach|ab|seit)\b[^]*?(?:\.\s+|$)/;
+  return notes.replace(re, "");
+}
+
+// formatDurationLabel renders the per-rule duration label for the
+// Verfahrensablauf card affordance: "2 Monate nach Endentscheidung",
+// "1 Monat vor Mündlicher Verhandlung", …
+// (m/paliad#133, t-paliad-302; parent-name append: t-paliad-307 /
+// m/paliad#136 Bug 3).
+//
+// Returns empty string for rules without a usable duration so the
+// caller can skip the tooltip / inline span entirely. Pluralisation
+// key naming mirrors the Fristenrechner event-mode renderer
+// (deadlines.event.unit.<unit>.{one,many}) — the unit and timing
+// translations already exist for /tools/fristenrechner's
+// "Was kommt nach…" mode and are reused here as the single source
+// of truth.
+//
+// `parentLabel` is the rule's anchor name (parent rule's name when
+// the rule has a parent_id; otherwise the proceeding's
+// triggerEventLabel from the wire). Empty falls back to bare
+// "<n> <unit> <timing>" — bare phrasing is the pre-fix shape and
+// remains the default for fixtures / tests that omit a parent.
+export function formatDurationLabel(dl: CalculatedDeadline, parentLabel: string = ""): string {
+  const value = dl.durationValue ?? 0;
+  const unit = dl.durationUnit || "";
+  if (value <= 0 || !unit) return "";
+  const unitKey = `deadlines.event.unit.${unit}` + (value === 1 ? ".one" : ".many");
+  const unitStr = tDyn(unitKey);
+  const timing = dl.timing || "";
+  const timingStr = timing ? tDyn(`deadlines.event.timing.${timing}`) : "";
+  const head = timingStr ? `${value} ${unitStr} ${timingStr}` : `${value} ${unitStr}`;
+  if (!timingStr || !parentLabel) return head;
+  return `${head} ${parentLabel}`;
 }
 
 // priorityRendering returns the per-priority UX hints the save-modal
@@ -195,6 +300,12 @@ export interface CalcParams {
   // Sent only when the page-level "Ausgeblendete anzeigen" toggle is
   // ON.
   includeHidden?: boolean;
+  // Slice B1 / m/paliad#124 §18.1: narrows the unified UPC Berufung
+  // (upc.apl) timeline to the rule subset whose applies_to_target
+  // contains the requested slug. Empty = no filter. Valid values:
+  // endentscheidung | kostenentscheidung | anordnung |
+  // schadensbemessung | bucheinsicht.
+  appealTarget?: string;
 }
 
 const PARTY_CLASS: Record<string, string> = {
@@ -315,15 +426,56 @@ export interface CardOpts {
   // Page shells expose a toggle ("Hinweise anzeigen") that flips this and
   // re-renders. Default false — notes are noisy on long timelines.
   showNotes?: boolean;
+  // showDurations controls per-rule duration rendering on event cards
+  // (m/paliad#133, t-paliad-302):
+  //   true  → inline `<span class="timeline-duration">2 Mo. nach</span>`
+  //           next to the date.
+  //   false → hover-only tooltip on the date span (browser-native
+  //           `title` attribute). Cards without a usable
+  //           `durationValue > 0` get neither — court-set and trigger-
+  //           event cards have no explainable interval.
+  // /tools/verfahrensablauf exposes a toggle ("Dauern anzeigen") that
+  // flips this and re-renders; persisted via the localStorage key
+  // `paliad.verfahrensablauf.durations-show`. Default false.
+  showDurations?: boolean;
+  // triggerEventLabel: per-language label of the proceeding's anchor
+  // event ("Endentscheidung (R.118)" for an Endentscheidung appeal;
+  // "Klageerhebung" for upc.inf.cfi; …). Used by formatDurationLabel
+  // as the parent-name fallback when a rule is a root rule (no
+  // parent_id) but carries a non-zero duration — e.g. the
+  // Berufungseinlegung 2 months after Endentscheidung. Pages pass the
+  // already-language-resolved string. (t-paliad-307 / m/paliad#136
+  // Bug 3)
+  triggerEventLabel?: string;
 }
 
 export function deadlineCardHtml(dl: CalculatedDeadline, opts: CardOpts): string {
   const wantsEditable = !!opts.editable;
   const editable = wantsEditable && !dl.isRootEvent && dl.code !== "";
   const overriddenClass = dl.isOverridden ? " timeline-date--overridden" : "";
+  // Parent name for the duration label (t-paliad-307 / m/paliad#136
+  // Bug 3): use the rule's parent if set, else fall back to the
+  // proceeding's trigger event label (e.g. "Endentscheidung (R.118)"
+  // for an Endentscheidung appeal; "Klageerhebung" for upc.inf.cfi).
+  // Empty for rules whose anchor isn't surface-able — the duration
+  // label degrades to the bare "<n> <unit> <timing>" form in that case.
+  const parentLabelForDuration = (getLang() === "en"
+    ? (dl.parentRuleNameEN || dl.parentRuleName)
+    : (dl.parentRuleName || dl.parentRuleNameEN)) || opts.triggerEventLabel || "";
+  // Duration affordance (m/paliad#133, t-paliad-302). Computed once so
+  // both the date-span tooltip and the inline meta-row span pull from
+  // the same string. Empty for rules without a usable duration.
+  const durationLabel = formatDurationLabel(dl, parentLabelForDuration);
+  // Hover affordance on the date span: prefer the duration tooltip when
+  // we have one, else fall back to the edit-hint when the cell is
+  // click-to-edit. The edit affordance still works either way — the
+  // title is purely advisory.
+  const dateTitle = durationLabel
+    ? durationLabel
+    : (editable ? t("deadlines.date.edit.hint") : "");
   const editAttrs = editable
-    ? ` data-rule-code="${escAttr(dl.code)}" data-current-date="${escAttr(dl.dueDate)}" role="button" tabindex="0" title="${escAttr(t("deadlines.date.edit.hint"))}"`
-    : "";
+    ? ` data-rule-code="${escAttr(dl.code)}" data-current-date="${escAttr(dl.dueDate)}" role="button" tabindex="0"${dateTitle ? ` title="${escAttr(dateTitle)}"` : ""}`
+    : (dateTitle ? ` title="${escAttr(dateTitle)}"` : "");
   // Conditional rows (t-paliad-289) replace the date column with an
   // "abhängig von <parent>" chip. The chip remains click-to-edit so
   // the user can pin a real date once known (e.g. once the oral
@@ -350,41 +502,54 @@ export function deadlineCardHtml(dl: CalculatedDeadline, opts: CardOpts): string
     dateStr = `<span class="timeline-date${overriddenClass} frist-date-edit"${editAttrs}>${formatDate(dl.dueDate)}</span>`;
   }
 
-  // Slice 9 (t-paliad-195): the legacy boolean pair is gone — read
-  // priority directly. Optional badge fires only on 'optional'
-  // priority (RoP.151-style opt-in deadlines).
-  const mandatoryBadge = dl.priority === "optional"
-    ? '<span class="optional-badge">optional</span>'
-    : "";
+  // t-paliad-293 — iconified state markers. The card surface speaks
+  // "cut the tree of possibilities": each card carries 0–N small icons
+  // in the title row that summarise its decision state at a glance.
+  // The text "optional" badge that used to sit inline next to the name
+  // is now a ⊙ icon (state.optional). Hidden cards get a 👁⃠ eye-slash
+  // marker. Conditional cards already have the date-column chip; the
+  // marker is redundant in the title row. CCR-included / appellant
+  // picks remain on the chip row (event-card-choices-chip) — see below.
+  // Tooltips are i18n-driven so they read in the user's language.
+  const stateIcons: string[] = [];
+  if (dl.priority === "optional") {
+    stateIcons.push(
+      `<span class="timeline-state-icon timeline-state-icon--optional" role="img" aria-label="${escAttr(t("state.optional.tooltip"))}" title="${escAttr(t("state.optional.tooltip"))}">⊙</span>`,
+    );
+  }
+  if (dl.isHidden) {
+    stateIcons.push(
+      `<span class="timeline-state-icon timeline-state-icon--hidden" role="img" aria-label="${escAttr(t("state.hidden.tooltip"))}" title="${escAttr(t("state.hidden.tooltip"))}">👁⃠</span>`,
+    );
+  }
+  const stateIconsHtml = stateIcons.join("");
 
   // t-paliad-265 — caret affordance + chip indicator when this rule
   // offers per-card choices and the user has made a pick. The popover
   // open/commit lifecycle lives in client/views/event-card-choices.ts;
   // the data-* attributes here are the wire contract between the two.
-  const choicesHtml = dl.code !== "" && dl.choicesOffered && Object.keys(dl.choicesOffered).length > 0
+  //
+  // t-paliad-293 — hidden cards always expose the caret so the user
+  // can un-hide via the popover's "Wieder einblenden" entry. Normally
+  // a hidden card was hidden via a skip choice, so `choicesOffered.skip`
+  // is present. Defensive fallback: if a rule's `choices_offered` was
+  // edited away after the skip entry was saved, the user would lose
+  // the un-hide path entirely. Synthesize a `{skip:[true,false]}`
+  // offer for the popover in that edge case so the prominent
+  // "Wieder einblenden" button still renders.
+  const offeredForCaret = (dl.choicesOffered && Object.keys(dl.choicesOffered).length > 0)
+    ? dl.choicesOffered
+    : (dl.isHidden ? { skip: [true, false] } : null);
+  const showCaret = dl.code !== "" && offeredForCaret !== null;
+  const choicesHtml = showCaret
     ? `<button type="button" class="event-card-choices-caret"
          data-submission-code="${escAttr(dl.code)}"
-         data-choices-offered="${escAttr(JSON.stringify(dl.choicesOffered))}"
+         data-choices-offered="${escAttr(JSON.stringify(offeredForCaret))}"
+         data-is-hidden="${dl.isHidden ? "1" : "0"}"
          aria-label="${escAttr(t("choices.caret.title"))}"
          title="${escAttr(t("choices.caret.title"))}">▾</button>`
     : "";
 
-  // t-paliad-290 — inline "Wieder einblenden" chip on re-surfaced
-  // hidden cards. Click deletes the skip choice (mirroring the popover
-  // reset path). The chip only renders when the card is hidden in the
-  // current projection (IsHidden=true on the wire) so it's always
-  // pointing at a real skip entry. The chip text is a static i18n
-  // value (no user input), so we use escAttr-only for attribute safety
-  // and inline the translated label directly — matches the renderer's
-  // pattern for the deadline name (also a known-safe string).
-  const unhideLabel = t("choices.unhide.chip");
-  const unhideHtml = dl.isHidden && dl.code !== ""
-    ? `<button type="button" class="event-card-choices-unhide"
-         data-submission-code="${escAttr(dl.code)}"
-         aria-label="${escAttr(unhideLabel)}"
-         title="${escAttr(unhideLabel)}">${unhideLabel}</button>`
-    : "";
-
   const dlName = getLang() === "en" ? dl.nameEN : dl.name;
 
   const adjustedNote = dl.wasAdjusted
@@ -406,7 +571,14 @@ export function deadlineCardHtml(dl: CalculatedDeadline, opts: CardOpts): string
     ruleRef = `<span class="timeline-rule">${escHtml(dl.ruleRef)}</span>`;
   }
 
-  const noteText = getLang() === "en" ? (dl.notesEN || dl.notes) : dl.notes;
+  const rawNoteText = getLang() === "en" ? (dl.notesEN || dl.notes) : dl.notes;
+  // Strip the leading-duration prefix so the new duration affordance
+  // doesn't duplicate what the lawyer wrote verbatim into deadline_notes
+  // for those legacy rule rows that still carry it.
+  // (t-paliad-307 / m/paliad#136 Bug 4)
+  const noteText = rawNoteText
+    ? stripLeadingDurationFromNotes(rawNoteText, getLang() === "en" ? "en" : "de")
+    : rawNoteText;
   const showNotes = opts.showNotes === true;
   const notesBlock = noteText && showNotes
     ? `<div class="timeline-notes">${noteText}</div>`
@@ -415,9 +587,19 @@ export function deadlineCardHtml(dl: CalculatedDeadline, opts: CardOpts): string
     ? `<span class="timeline-note-hint" tabindex="0" role="note" aria-label="${escAttr(noteText)}" title="${escAttr(noteText)}">ⓘ</span>`
     : "";
 
-  const meta = (opts.showParty || ruleRef || noteHint)
+  // Inline duration affordance (m/paliad#133, t-paliad-302). Only
+  // emitted when the "Dauern anzeigen" toggle is on AND the rule has a
+  // usable duration; the default-off hover-tooltip path is wired
+  // separately on the date span itself.
+  const showDurations = opts.showDurations === true;
+  const durationInline = showDurations && durationLabel
+    ? `<span class="timeline-duration">${escHtml(durationLabel)}</span>`
+    : "";
+
+  const meta = (opts.showParty || ruleRef || noteHint || durationInline)
     ? `<div class="timeline-meta">
         ${opts.showParty ? partyBadge(dl.party) : ""}
+        ${durationInline}
         ${ruleRef}
         ${noteHint}
       </div>`
@@ -434,12 +616,11 @@ export function deadlineCardHtml(dl: CalculatedDeadline, opts: CardOpts): string
   return `<div class="timeline-item-header">
       <span class="timeline-name">
         ${dlName}
-        ${mandatoryBadge}
+        ${stateIconsHtml}
         ${chipHtml}
       </span>
       ${dateStr}
       ${choicesHtml}
-      ${unhideHtml}
     </div>
     ${meta}
     ${adjustedNote}
@@ -527,7 +708,32 @@ export function wireDateEditClicks(
   });
 }
 
+// pickTriggerEventLabel returns the per-language trigger event label
+// from a DeadlineResponse, used as the parent-fallback for root-rule
+// duration labels. Mirrors the precedence the page-level
+// triggerEventLabelFor uses (curated server label > proceedingName
+// fallback). Distinct from the page helper in that it stays language-
+// scoped to the current getLang() — root-rule duration labels render
+// in the user's current language. (t-paliad-307 / m/paliad#136 Bug 3)
+export function pickTriggerEventLabel(data: DeadlineResponse): string {
+  const lang = getLang();
+  const curated = lang === "en"
+    ? (data.triggerEventLabelEN || data.triggerEventLabel || "")
+    : (data.triggerEventLabel || data.triggerEventLabelEN || "");
+  if (curated) return curated;
+  return lang === "en"
+    ? (data.proceedingNameEN || data.proceedingName || "")
+    : (data.proceedingName || data.proceedingNameEN || "");
+}
+
 export function renderTimelineBody(data: DeadlineResponse, opts: CardOpts = { showParty: true }): string {
+  // Resolve the trigger event label once so the duration affordance on
+  // root rules (no parent) can read it as the anchor fallback. Caller-
+  // provided value wins (lets the page override for sub-track flows).
+  const cardOpts: CardOpts = {
+    ...opts,
+    triggerEventLabel: opts.triggerEventLabel ?? pickTriggerEventLabel(data),
+  };
   let html = '<div class="timeline">';
   for (const dl of data.deadlines) {
     const itemClasses = [
@@ -549,7 +755,7 @@ export function renderTimelineBody(data: DeadlineResponse, opts: CardOpts = { sh
           <div class="timeline-line"></div>
         </div>
         <div class="timeline-content">
-          ${deadlineCardHtml(dl, opts)}
+          ${deadlineCardHtml(dl, cardOpts)}
         </div>
       </div>
     `;
@@ -596,6 +802,9 @@ type ColumnPosition = "ours" | "opponent";
 export interface ColumnsBodyOpts {
   editable?: boolean;
   showNotes?: boolean;
+  // Forwarded to deadlineCardHtml — see CardOpts.showDurations.
+  // (m/paliad#133, t-paliad-302)
+  showDurations?: boolean;
   // side: which side the user is on. Drives column placement;
   // does NOT filter rows. Default null = claimant-on-the-left
   // (i.e. "ours = claimant", legacy default).
@@ -605,6 +814,15 @@ export interface ColumnsBodyOpts {
   // (no mirror). Default null = mirror "both" into both cells
   // (legacy behaviour). Independent of `side`.
   appellant?: Side;
+  // appealAware: forwarded to bucketDeadlinesIntoColumns when the
+  // page is rendering an appeal_target-filtered timeline. Routes
+  // each rule to its filer-perspective column via dl.appealRole
+  // instead of the legacy primary_party='both' collapse.
+  // (t-paliad-307 / m/paliad#136 Bug 1)
+  appealAware?: boolean;
+  // triggerEventLabel: forwarded to deadlineCardHtml — see CardOpts.
+  // (t-paliad-307 / m/paliad#136 Bug 3)
+  triggerEventLabel?: string;
 }
 
 // ColumnsRow is the per-due-date bucket the renderer consumes. Public
@@ -620,6 +838,15 @@ export interface ColumnsRow {
 export interface BucketingOpts {
   side?: Side;
   appellant?: Side;
+  // appealAware: when true, rules carrying a `dl.appealRole` of
+  // "appellant" / "appellee" route via the appeal role + user side
+  // axis instead of the legacy primary_party='both' collapse. With
+  // `side=null` the bucketer keeps the mirror semantic (both columns
+  // render every appeal rule); with `side` set, "appellant" rules
+  // land in the user's column when the user IS the appellant, in
+  // the opponent's column otherwise — mirror for "appellee" rules.
+  // (t-paliad-307 / m/paliad#136 Bug 1)
+  appealAware?: boolean;
 }
 
 // bucketDeadlinesIntoColumns is the pure routing primitive that
@@ -654,6 +881,8 @@ export function bucketDeadlinesIntoColumns(
     return r;
   };
 
+  const appealAware = opts.appealAware === true;
+
   deadlines.forEach((dl, idx) => {
     const key = dl.dueDate || `${UNSCHEDULED_PREFIX}${String(idx).padStart(4, "0")}`;
     const row = ensureRow(key);
@@ -676,11 +905,41 @@ export function bucketDeadlinesIntoColumns(
         if (dl.appellantContext === "claimant" || dl.appellantContext === "defendant") {
           const perCardCol = dl.appellantContext === "claimant" ? claimantColumn : defendantColumn;
           row[perCardCol].push(dl);
+        } else if (
+          appealAware &&
+          (dl.appealRole === "appellant" || dl.appealRole === "appellee")
+        ) {
+          // Appeal-aware routing (t-paliad-307 / m/paliad#136 Bug 1).
+          // With no side picked, mirror to both columns so every rule
+          // is visible regardless of which side the user is on. With
+          // a side picked, route by (filer matches user) → ours
+          // column, else opponent column. side=claimant maps the
+          // user to "appellant" (Berufungskläger); side=defendant
+          // maps the user to "appellee" (Berufungsbeklagter).
+          if (userSide === null) {
+            row.ours.push(dl);
+            row.opponent.push(dl);
+          } else {
+            const userIsAppellant = userSide === "claimant";
+            const filerIsAppellant = dl.appealRole === "appellant";
+            row[filerIsAppellant === userIsAppellant ? "ours" : "opponent"].push(dl);
+          }
         } else if (appellantColumn !== null) {
           // Role-swap collapse: appellant initiated → both → one row
           // in appellant's column. Mirror suppressed.
           row[appellantColumn].push(dl);
+        } else if (userSide !== null) {
+          // Side picked but no appellant axis (first-instance Inf, Rev,
+          // …): the user has committed to a perspective, so the mirror
+          // is visual noise — the same card appears twice on the same
+          // row, once in "Unsere Seite" and once in "Gegnerseite".
+          // Collapse into ours; the "↔ beide Seiten" indicator on the
+          // card already conveys that the rule applies to both parties.
+          // (m/paliad#135 / t-paliad-304)
+          row.ours.push(dl);
         } else {
+          // No perspective picked → keep the legacy mirror so neither
+          // axis is privileged. Pinned by the "default (no opts)" test.
           row.ours.push(dl);
           row.opponent.push(dl);
         }
@@ -703,15 +962,31 @@ export function bucketDeadlinesIntoColumns(
 
 export function renderColumnsBody(data: DeadlineResponse, opts: ColumnsBodyOpts = {}): string {
   const userSide: Side = opts.side ?? null;
-  const rows = bucketDeadlinesIntoColumns(data.deadlines, { side: userSide, appellant: opts.appellant });
+  const rows = bucketDeadlinesIntoColumns(data.deadlines, {
+    side: userSide,
+    appellant: opts.appellant,
+    appealAware: opts.appealAware,
+  });
   const appellantPinned = opts.appellant === "claimant" || opts.appellant === "defendant";
 
-  const cardOpts: CardOpts = { showParty: false, editable: opts.editable, showNotes: opts.showNotes };
+  const cardOpts: CardOpts = {
+    showParty: false,
+    editable: opts.editable,
+    showNotes: opts.showNotes,
+    showDurations: opts.showDurations,
+    triggerEventLabel: opts.triggerEventLabel ?? pickTriggerEventLabel(data),
+  };
 
   // Collapsed "both" rows lose their mirror tag — there's no longer
   // a sibling row to mirror to, so the "↔ beide Seiten" hint would
-  // be misleading. Keep it for the legacy mirror path.
-  const showMirrorTag = !appellantPinned;
+  // be misleading. Both collapse paths suppress it:
+  //   - appellantPinned: role-swap collapse into appellant's column
+  //   - userSide !== null without appellantPinned: perspective-locked
+  //     collapse into ours (m/paliad#135 / t-paliad-304).
+  // Legacy mirror path (no side, no appellant) keeps the tag — both
+  // sibling rows still render so the tag has a visual referent.
+  const sideCollapse = userSide !== null;
+  const showMirrorTag = !appellantPinned && !sideCollapse;
 
   const renderCell = (items: CalculatedDeadline[]): string => {
     if (items.length === 0) {
@@ -744,14 +1019,29 @@ export function renderColumnsBody(data: DeadlineResponse, opts: ColumnsBodyOpts
   const headerCell = (label: string, cls: string) =>
     `<div class="fr-col-header ${cls}">${escHtml(label)}</div>`;
 
-  // Static labels — "Unsere Seite" is always the left column, regardless
-  // of which physical party (claimant vs defendant) occupies it. The
-  // bucketing primitive already routes the user's side into the `ours`
-  // bucket, so the header truth-fully describes the column contents.
+  // Column-header labels have two modes (m/paliad#127):
+  //   - side picked  → "Unsere Seite" / "Gegnerseite" (the columns
+  //                    truthfully describe whose filings sit there,
+  //                    because the bucketer routed the user's side into
+  //                    `ours`).
+  //   - side === null → "Proaktiv" / "Reaktiv" (semantic-neutral). The
+  //                    user-perspective labels would lie here: we don't
+  //                    know yet which party is "us", so calling the left
+  //                    column "Unsere Seite" presumes a pick the user
+  //                    hasn't made. The neutral Proaktiv/Reaktiv pair
+  //                    keeps the spatial axis ("who initiates vs who
+  //                    responds") legible while the hint chip on the
+  //                    page nudges the user to pick a side.
+  //
+  // Note: the COLUMN PROJECTION does not change — the bucketing primitive
+  // still routes claimant→left, defendant→right when side=null (legacy
+  // claimant-on-the-left fallback). Only the HEADER label changes.
+  const leftLabel = userSide === null ? t("deadlines.col.proactive") : t("deadlines.col.ours");
+  const rightLabel = userSide === null ? t("deadlines.col.reactive") : t("deadlines.col.opponent");
   let html = '<div class="fr-columns-view">';
-  html += headerCell(t("deadlines.col.ours"), "fr-col-ours");
+  html += headerCell(leftLabel, "fr-col-ours");
   html += headerCell(t("deadlines.col.court"), "fr-col-court");
-  html += headerCell(t("deadlines.col.opponent"), "fr-col-opponent");
+  html += headerCell(rightLabel, "fr-col-opponent");
 
   for (const row of rows) {
     html += renderCell(row.ours);
@@ -784,6 +1074,7 @@ export async function calculateDeadlines(params: CalcParams): Promise<DeadlineRe
           ? params.perCardChoices
           : undefined,
         includeHidden: params.includeHidden ? true : undefined,
+        appealTarget: params.appealTarget || undefined,
       }),
     });
     if (!resp.ok) {

frontend/src/client/views/verfahrensablauf-state.test.ts

@@ -0,0 +1,309 @@
+// Unit tests for the /tools/verfahrensablauf URL + scenario-localStorage
+// state contract (t-paliad-308 / m/paliad#137). Run with `bun test`.
+//
+// The contract:
+//   1. URL params (proceeding, side, target, trigger_date) define which
+//      timeline kind the user is looking at — paste-able, shareable,
+//      refresh-resistant.
+//   2. localStorage (paliad.verfahrensablauf.scenario.*) holds the
+//      per-user scenario tweaks (event_choices, court_id, flags,
+//      show_hidden) — these never leak into a shared link.
+//   3. On hydrate, URL wins. localStorage fills the rest.
+
+import { describe, expect, test } from "bun:test";
+import {
+  APPEAL_TARGETS,
+  SCENARIO_KEYS,
+  SCENARIO_PREFIX,
+  URL_KEYS,
+  applyFiltersToSearch,
+  hydrate,
+  makeMemoryStorage,
+  parseAppealTargetFromSearch,
+  parseProceedingFromSearch,
+  parseSideFromSearch,
+  parseTriggerDateFromSearch,
+  readBoolFlag,
+  readCourtId,
+  readEventChoices,
+  readScenario,
+  writeBoolFlag,
+  writeCourtId,
+  writeEventChoices,
+} from "./verfahrensablauf-state";
+
+describe("URL parsers — filter chips", () => {
+  test("parseProceedingFromSearch returns empty string when absent", () => {
+    expect(parseProceedingFromSearch("")).toBe("");
+    expect(parseProceedingFromSearch("?side=claimant")).toBe("");
+  });
+
+  test("parseProceedingFromSearch echoes the raw value", () => {
+    expect(parseProceedingFromSearch("?proceeding=upc.inf.cfi")).toBe("upc.inf.cfi");
+    expect(parseProceedingFromSearch("?proceeding=upc.apl.unified&side=claimant")).toBe("upc.apl.unified");
+  });
+
+  test("parseSideFromSearch validates the enum", () => {
+    expect(parseSideFromSearch("?side=claimant")).toBe("claimant");
+    expect(parseSideFromSearch("?side=defendant")).toBe("defendant");
+    expect(parseSideFromSearch("?side=neither")).toBe(null);
+    expect(parseSideFromSearch("")).toBe(null);
+  });
+
+  test("parseAppealTargetFromSearch only accepts canonical slugs", () => {
+    for (const t of APPEAL_TARGETS) {
+      expect(parseAppealTargetFromSearch(`?target=${t}`)).toBe(t);
+    }
+    expect(parseAppealTargetFromSearch("?target=unknown")).toBe("");
+    expect(parseAppealTargetFromSearch("")).toBe("");
+  });
+
+  test("parseTriggerDateFromSearch validates the ISO-date shape", () => {
+    expect(parseTriggerDateFromSearch("?trigger_date=2026-05-26")).toBe("2026-05-26");
+    expect(parseTriggerDateFromSearch("?trigger_date=2024-02-29")).toBe("2024-02-29"); // leap year
+  });
+
+  test("parseTriggerDateFromSearch rejects malformed and impossible dates", () => {
+    expect(parseTriggerDateFromSearch("?trigger_date=2026-02-30")).toBe(""); // Feb 30
+    expect(parseTriggerDateFromSearch("?trigger_date=2026-13-01")).toBe(""); // month 13
+    expect(parseTriggerDateFromSearch("?trigger_date=tomorrow")).toBe("");
+    expect(parseTriggerDateFromSearch("?trigger_date=2026-5-26")).toBe(""); // 1-digit month
+    expect(parseTriggerDateFromSearch("")).toBe("");
+  });
+});
+
+describe("URL encoder — applyFiltersToSearch", () => {
+  test("empty filters preserve the existing query string", () => {
+    expect(applyFiltersToSearch("?other=keep", {})).toBe("?other=keep");
+  });
+
+  test("setting a filter writes the canonical key", () => {
+    expect(applyFiltersToSearch("", { proceeding: "upc.inf.cfi" })).toBe("?proceeding=upc.inf.cfi");
+    expect(applyFiltersToSearch("", { side: "claimant" })).toBe("?side=claimant");
+    expect(applyFiltersToSearch("", { target: "endentscheidung" })).toBe("?target=endentscheidung");
+    expect(applyFiltersToSearch("", { triggerDate: "2026-05-26" })).toBe("?trigger_date=2026-05-26");
+  });
+
+  test("setting null / empty / undefined deletes the key", () => {
+    expect(applyFiltersToSearch("?side=claimant", { side: null })).toBe("");
+    expect(applyFiltersToSearch("?proceeding=upc.inf.cfi", { proceeding: "" })).toBe("");
+    expect(applyFiltersToSearch("?target=endentscheidung", { target: "" })).toBe("");
+    expect(applyFiltersToSearch("?trigger_date=2026-05-26", { triggerDate: "" })).toBe("");
+  });
+
+  test("invalid trigger_date is deleted (never written as-is)", () => {
+    expect(applyFiltersToSearch("?trigger_date=2026-05-26", { triggerDate: "bogus" })).toBe("");
+  });
+
+  test("setting all four filters together emits all four keys", () => {
+    const out = applyFiltersToSearch("", {
+      proceeding: "upc.apl.unified",
+      side: "defendant",
+      target: "endentscheidung",
+      triggerDate: "2026-05-26",
+    });
+    expect(out).toContain("proceeding=upc.apl.unified");
+    expect(out).toContain("side=defendant");
+    expect(out).toContain("target=endentscheidung");
+    expect(out).toContain("trigger_date=2026-05-26");
+  });
+
+  test("other params (project, view) are preserved", () => {
+    const out = applyFiltersToSearch("?project=abc&view=timeline", { side: "claimant" });
+    expect(out).toContain("project=abc");
+    expect(out).toContain("view=timeline");
+    expect(out).toContain("side=claimant");
+  });
+
+  test("absent keys in the filter object don't touch existing URL values", () => {
+    // Only updating side — proceeding should be untouched.
+    const out = applyFiltersToSearch("?proceeding=upc.inf.cfi&side=defendant", { side: "claimant" });
+    expect(out).toContain("proceeding=upc.inf.cfi");
+    expect(out).toContain("side=claimant");
+  });
+});
+
+describe("URL round-trip — encode then parse yields the same value", () => {
+  test("proceeding", () => {
+    const enc = applyFiltersToSearch("", { proceeding: "upc.inf.cfi" });
+    expect(parseProceedingFromSearch(enc)).toBe("upc.inf.cfi");
+  });
+
+  test("side", () => {
+    const enc = applyFiltersToSearch("", { side: "defendant" });
+    expect(parseSideFromSearch(enc)).toBe("defendant");
+  });
+
+  test("target", () => {
+    const enc = applyFiltersToSearch("", { target: "kostenentscheidung" });
+    expect(parseAppealTargetFromSearch(enc)).toBe("kostenentscheidung");
+  });
+
+  test("trigger_date", () => {
+    const enc = applyFiltersToSearch("", { triggerDate: "2026-05-26" });
+    expect(parseTriggerDateFromSearch(enc)).toBe("2026-05-26");
+  });
+});
+
+describe("Scenario localStorage helpers", () => {
+  test("SCENARIO_PREFIX is paliad.verfahrensablauf.scenario and all keys live under it", () => {
+    expect(SCENARIO_PREFIX).toBe("paliad.verfahrensablauf.scenario");
+    for (const key of Object.values(SCENARIO_KEYS)) {
+      expect(key.startsWith(SCENARIO_PREFIX + ".")).toBe(true);
+    }
+  });
+
+  test("readEventChoices returns [] on empty storage", () => {
+    const s = makeMemoryStorage();
+    expect(readEventChoices(s)).toEqual([]);
+  });
+
+  test("writeEventChoices + readEventChoices round-trip", () => {
+    const s = makeMemoryStorage();
+    const choices = [
+      { submission_code: "upc.inf.cfi.r12", choice_kind: "appellant" as const, choice_value: "claimant" },
+      { submission_code: "upc.inf.cfi.r30", choice_kind: "include_ccr" as const, choice_value: "1" },
+    ];
+    writeEventChoices(s, choices);
+    expect(readEventChoices(s)).toEqual(choices);
+  });
+
+  test("writeEventChoices([]) clears the key (removeItem semantic, not empty string)", () => {
+    const s = makeMemoryStorage();
+    writeEventChoices(s, [{ submission_code: "r1", choice_kind: "skip", choice_value: "1" }]);
+    expect(s.getItem(SCENARIO_KEYS.eventChoices)).not.toBe(null);
+    writeEventChoices(s, []);
+    expect(s.getItem(SCENARIO_KEYS.eventChoices)).toBe(null);
+  });
+
+  test("readEventChoices ignores unknown choice_kind values", () => {
+    const s = makeMemoryStorage();
+    s.setItem(SCENARIO_KEYS.eventChoices, "r1:appellant=claimant,r2:bogus=x,r3:skip=1");
+    expect(readEventChoices(s)).toEqual([
+      { submission_code: "r1", choice_kind: "appellant", choice_value: "claimant" },
+      { submission_code: "r3", choice_kind: "skip", choice_value: "1" },
+    ]);
+  });
+
+  test("readCourtId returns '' on empty storage, echoes stored value otherwise", () => {
+    const s = makeMemoryStorage();
+    expect(readCourtId(s)).toBe("");
+    writeCourtId(s, "UPC-LD-MUC");
+    expect(readCourtId(s)).toBe("UPC-LD-MUC");
+  });
+
+  test("writeCourtId('') removes the key", () => {
+    const s = makeMemoryStorage();
+    writeCourtId(s, "UPC-LD-MUC");
+    expect(s.getItem(SCENARIO_KEYS.courtId)).toBe("UPC-LD-MUC");
+    writeCourtId(s, "");
+    expect(s.getItem(SCENARIO_KEYS.courtId)).toBe(null);
+  });
+
+  test("readBoolFlag / writeBoolFlag round-trip with removeItem on false", () => {
+    const s = makeMemoryStorage();
+    expect(readBoolFlag(s, SCENARIO_KEYS.ccr)).toBe(false);
+    writeBoolFlag(s, SCENARIO_KEYS.ccr, true);
+    expect(readBoolFlag(s, SCENARIO_KEYS.ccr)).toBe(true);
+    expect(s.getItem(SCENARIO_KEYS.ccr)).toBe("1");
+    writeBoolFlag(s, SCENARIO_KEYS.ccr, false);
+    expect(readBoolFlag(s, SCENARIO_KEYS.ccr)).toBe(false);
+    expect(s.getItem(SCENARIO_KEYS.ccr)).toBe(null);
+  });
+
+  test("readScenario returns all fields defaulted on empty storage", () => {
+    const s = makeMemoryStorage();
+    expect(readScenario(s)).toEqual({
+      eventChoices: [],
+      courtId: "",
+      ccr: false,
+      infAmend: false,
+      revAmend: false,
+      revCci: false,
+      showHidden: false,
+    });
+  });
+});
+
+describe("Hydration order — URL wins, localStorage fills the rest", () => {
+  test("URL fills filter chips, localStorage fills scenario state", () => {
+    const s = makeMemoryStorage();
+    writeCourtId(s, "UPC-LD-MUC");
+    writeBoolFlag(s, SCENARIO_KEYS.showHidden, true);
+    writeBoolFlag(s, SCENARIO_KEYS.ccr, true);
+    const out = hydrate(
+      "?proceeding=upc.inf.cfi&side=defendant&target=endentscheidung&trigger_date=2026-05-26",
+      s,
+    );
+    // URL-sourced
+    expect(out.proceeding).toBe("upc.inf.cfi");
+    expect(out.side).toBe("defendant");
+    expect(out.target).toBe("endentscheidung");
+    expect(out.triggerDate).toBe("2026-05-26");
+    // localStorage-sourced
+    expect(out.courtId).toBe("UPC-LD-MUC");
+    expect(out.showHidden).toBe(true);
+    expect(out.ccr).toBe(true);
+  });
+
+  test("absent URL → all filter fields are empty/null, localStorage still hydrates scenario", () => {
+    const s = makeMemoryStorage();
+    writeCourtId(s, "UPC-LD-MUC");
+    const out = hydrate("", s);
+    expect(out.proceeding).toBe("");
+    expect(out.side).toBe(null);
+    expect(out.target).toBe("");
+    expect(out.triggerDate).toBe("");
+    expect(out.courtId).toBe("UPC-LD-MUC");
+  });
+
+  test("absent localStorage → URL still fills filter chips, scenario defaults", () => {
+    const s = makeMemoryStorage();
+    const out = hydrate(
+      "?proceeding=upc.apl.unified&side=claimant&target=anordnung&trigger_date=2026-07-01",
+      s,
+    );
+    expect(out.proceeding).toBe("upc.apl.unified");
+    expect(out.side).toBe("claimant");
+    expect(out.target).toBe("anordnung");
+    expect(out.triggerDate).toBe("2026-07-01");
+    expect(out.courtId).toBe("");
+    expect(out.eventChoices).toEqual([]);
+    expect(out.showHidden).toBe(false);
+  });
+
+  test("a shared link doesn't leak the recipient's scenario state in", () => {
+    // Two storages: m's (loaded with court + flags) and a recipient's
+    // (empty). The same URL should reproduce filter chips identically
+    // but leave each user's scenario state untouched.
+    const mStorage = makeMemoryStorage();
+    writeCourtId(mStorage, "UPC-LD-MUC");
+    writeBoolFlag(mStorage, SCENARIO_KEYS.ccr, true);
+    const recipientStorage = makeMemoryStorage();
+
+    const sharedURL = "?proceeding=upc.inf.cfi&side=defendant&trigger_date=2026-05-26";
+
+    const mView = hydrate(sharedURL, mStorage);
+    const recipientView = hydrate(sharedURL, recipientStorage);
+
+    // Filter chips identical
+    expect(mView.proceeding).toBe(recipientView.proceeding);
+    expect(mView.side).toBe(recipientView.side);
+    expect(mView.triggerDate).toBe(recipientView.triggerDate);
+
+    // Scenario state diverges — recipient sees defaults
+    expect(mView.courtId).toBe("UPC-LD-MUC");
+    expect(recipientView.courtId).toBe("");
+    expect(mView.ccr).toBe(true);
+    expect(recipientView.ccr).toBe(false);
+  });
+});
+
+describe("URL key constants match the documented contract", () => {
+  test("URL_KEYS uses the spec'd snake_case names", () => {
+    expect(URL_KEYS.proceeding).toBe("proceeding");
+    expect(URL_KEYS.side).toBe("side");
+    expect(URL_KEYS.target).toBe("target");
+    expect(URL_KEYS.triggerDate).toBe("trigger_date");
+  });
+});

frontend/src/client/views/verfahrensablauf-state.ts

@@ -0,0 +1,263 @@
+// /tools/verfahrensablauf URL + scenario-localStorage state contract
+// (t-paliad-308 / m/paliad#137). Splits the page's persisted state into
+// two namespaces:
+//
+//   URL params (filter chips — the timeline kind the user is looking
+//   at; paste-able, shareable, refresh-resistant):
+//     proceeding, side, target, trigger_date
+//
+//   localStorage `paliad.verfahrensablauf.scenario.*` (per-user
+//   scenario inputs — the noisy parts that don't belong in a URL):
+//     event_choices, court_id, ccr, inf_amend, rev_amend, rev_cci,
+//     show_hidden
+//
+// Hydration order: URL wins. On page load, URL fills the filter chips;
+// localStorage fills the rest. Filter-chip changes write to URL only.
+// Scenario changes write to localStorage only. A shared link from a
+// colleague reproduces the timeline kind (proceeding + side + target +
+// trigger_date) but never leaks the recipient's court / flag /
+// event_choices state in.
+//
+// All helpers in this module are pure: they take a search string (or a
+// StorageLike) and return values, no DOM. The wiring in
+// ../verfahrensablauf.ts mounts them onto window.location +
+// window.localStorage at runtime.
+
+import type { EventChoice, ChoiceKind } from "./event-card-choices";
+
+// ----- URL params (filter chips) ----------------------------------
+
+export type Side = "claimant" | "defendant" | null;
+
+export const APPEAL_TARGETS = [
+  "endentscheidung",
+  "kostenentscheidung",
+  "anordnung",
+  "schadensbemessung",
+  "bucheinsicht",
+] as const;
+export type AppealTarget = (typeof APPEAL_TARGETS)[number] | "";
+
+export const URL_KEYS = {
+  proceeding: "proceeding",
+  side: "side",
+  target: "target",
+  triggerDate: "trigger_date",
+} as const;
+
+// parseProceedingFromSearch extracts the proceeding code. Returns ""
+// if absent. No validation against the proceeding registry — that's
+// the caller's job (an unknown code from a stale link should leave
+// the first-tile auto-select fallback running).
+export function parseProceedingFromSearch(search: string): string {
+  const v = new URLSearchParams(search).get(URL_KEYS.proceeding);
+  return v ?? "";
+}
+
+export function parseSideFromSearch(search: string): Side {
+  const raw = new URLSearchParams(search).get(URL_KEYS.side);
+  return raw === "claimant" || raw === "defendant" ? raw : null;
+}
+
+export function parseAppealTargetFromSearch(search: string): AppealTarget {
+  const raw = new URLSearchParams(search).get(URL_KEYS.target) || "";
+  if ((APPEAL_TARGETS as readonly string[]).includes(raw)) {
+    return raw as AppealTarget;
+  }
+  return "";
+}
+
+// parseTriggerDateFromSearch validates the ISO-date shape so a
+// malformed link can't poison the date input. Accepts "YYYY-MM-DD"
+// only. Round-tripped against Date to reject 2026-02-30 etc.
+export function parseTriggerDateFromSearch(search: string): string {
+  const raw = new URLSearchParams(search).get(URL_KEYS.triggerDate) || "";
+  if (!/^\d{4}-\d{2}-\d{2}$/.test(raw)) return "";
+  const d = new Date(raw + "T00:00:00Z");
+  if (Number.isNaN(d.getTime())) return "";
+  if (d.toISOString().slice(0, 10) !== raw) return "";
+  return raw;
+}
+
+// applyFiltersToSearch produces the canonical query string for the
+// four URL-owned params. Other params (e.g. ?view=, ?project=) are
+// preserved verbatim. Empty values are deleted, never written as
+// empty string, so the URL stays clean on the default.
+export function applyFiltersToSearch(
+  search: string,
+  filters: { proceeding?: string; side?: Side; target?: AppealTarget; triggerDate?: string },
+): string {
+  const params = new URLSearchParams(search);
+  if ("proceeding" in filters) {
+    if (filters.proceeding && filters.proceeding !== "") {
+      params.set(URL_KEYS.proceeding, filters.proceeding);
+    } else {
+      params.delete(URL_KEYS.proceeding);
+    }
+  }
+  if ("side" in filters) {
+    if (filters.side === "claimant" || filters.side === "defendant") {
+      params.set(URL_KEYS.side, filters.side);
+    } else {
+      params.delete(URL_KEYS.side);
+    }
+  }
+  if ("target" in filters) {
+    if (filters.target && filters.target !== "") {
+      params.set(URL_KEYS.target, filters.target);
+    } else {
+      params.delete(URL_KEYS.target);
+    }
+  }
+  if ("triggerDate" in filters) {
+    if (filters.triggerDate && /^\d{4}-\d{2}-\d{2}$/.test(filters.triggerDate)) {
+      params.set(URL_KEYS.triggerDate, filters.triggerDate);
+    } else {
+      params.delete(URL_KEYS.triggerDate);
+    }
+  }
+  const s = params.toString();
+  return s ? `?${s}` : "";
+}
+
+// ----- localStorage (scenario state) ------------------------------
+
+export const SCENARIO_PREFIX = "paliad.verfahrensablauf.scenario";
+export const SCENARIO_KEYS = {
+  eventChoices: `${SCENARIO_PREFIX}.event_choices`,
+  courtId: `${SCENARIO_PREFIX}.court_id`,
+  ccr: `${SCENARIO_PREFIX}.ccr`,
+  infAmend: `${SCENARIO_PREFIX}.inf_amend`,
+  revAmend: `${SCENARIO_PREFIX}.rev_amend`,
+  revCci: `${SCENARIO_PREFIX}.rev_cci`,
+  showHidden: `${SCENARIO_PREFIX}.show_hidden`,
+} as const;
+
+// StorageLike is the tiny subset of the Web Storage API the scenario
+// helpers actually use. Lets the tests pass a Map-backed fake without
+// pulling in a full localStorage polyfill.
+export interface StorageLike {
+  getItem(key: string): string | null;
+  setItem(key: string, value: string): void;
+  removeItem(key: string): void;
+}
+
+// readEventChoices is forgiving: malformed tuples or unknown
+// choice_kinds are dropped silently. Same shape as the legacy URL
+// codec (comma-separated `submission_code:kind=value`).
+export function readEventChoices(storage: StorageLike): EventChoice[] {
+  const raw = storage.getItem(SCENARIO_KEYS.eventChoices);
+  if (!raw) return [];
+  const out: EventChoice[] = [];
+  for (const tuple of raw.split(",")) {
+    const m = tuple.match(/^([^:]+):([^=]+)=(.+)$/);
+    if (!m) continue;
+    const kind = m[2] as ChoiceKind;
+    if (kind !== "appellant" && kind !== "include_ccr" && kind !== "skip") continue;
+    out.push({ submission_code: m[1], choice_kind: kind, choice_value: m[3] });
+  }
+  return out;
+}
+
+export function writeEventChoices(storage: StorageLike, choices: EventChoice[]): void {
+  if (choices.length === 0) {
+    storage.removeItem(SCENARIO_KEYS.eventChoices);
+    return;
+  }
+  const enc = choices
+    .map((c) => `${c.submission_code}:${c.choice_kind}=${c.choice_value}`)
+    .join(",");
+  storage.setItem(SCENARIO_KEYS.eventChoices, enc);
+}
+
+// readCourtId / writeCourtId — empty string == no court picked. The
+// "" value is stored as a removed key, not an empty string entry, so
+// reading it back yields null rather than "".
+export function readCourtId(storage: StorageLike): string {
+  return storage.getItem(SCENARIO_KEYS.courtId) ?? "";
+}
+
+export function writeCourtId(storage: StorageLike, courtId: string): void {
+  if (courtId === "") {
+    storage.removeItem(SCENARIO_KEYS.courtId);
+    return;
+  }
+  storage.setItem(SCENARIO_KEYS.courtId, courtId);
+}
+
+// Boolean flags — "1" / "0" string encoding, removeItem on default
+// (false for flags, also false for show_hidden) so the storage stays
+// uncluttered on a fresh page.
+export function readBoolFlag(storage: StorageLike, key: string): boolean {
+  return storage.getItem(key) === "1";
+}
+
+export function writeBoolFlag(storage: StorageLike, key: string, on: boolean): void {
+  if (on) storage.setItem(key, "1");
+  else storage.removeItem(key);
+}
+
+// Read all scenario state in one call — convenience for the page's
+// load-time hydration. Caller decides whether to apply each field
+// (e.g. court_id is proceeding-specific; the page may discard the
+// stored value if the active proceeding doesn't expose a court row).
+export interface ScenarioState {
+  eventChoices: EventChoice[];
+  courtId: string;
+  ccr: boolean;
+  infAmend: boolean;
+  revAmend: boolean;
+  revCci: boolean;
+  showHidden: boolean;
+}
+
+export function readScenario(storage: StorageLike): ScenarioState {
+  return {
+    eventChoices: readEventChoices(storage),
+    courtId: readCourtId(storage),
+    ccr: readBoolFlag(storage, SCENARIO_KEYS.ccr),
+    infAmend: readBoolFlag(storage, SCENARIO_KEYS.infAmend),
+    revAmend: readBoolFlag(storage, SCENARIO_KEYS.revAmend),
+    revCci: readBoolFlag(storage, SCENARIO_KEYS.revCci),
+    showHidden: readBoolFlag(storage, SCENARIO_KEYS.showHidden),
+  };
+}
+
+// ----- URL → localStorage hydration order -------------------------
+
+// The page's load-time contract: read URL filters, then read
+// scenario state from localStorage. URL wins on conflict — but the
+// only field that can conflict is none of them today (URL owns
+// proceeding/side/target/trigger_date; localStorage owns the rest).
+// The order matters for one edge case: if a future field migrates
+// from URL → localStorage with overlap, the URL value MUST be honored.
+
+export interface HydratedState extends ScenarioState {
+  proceeding: string;
+  side: Side;
+  target: AppealTarget;
+  triggerDate: string;
+}
+
+export function hydrate(search: string, storage: StorageLike): HydratedState {
+  const scenario = readScenario(storage);
+  return {
+    proceeding: parseProceedingFromSearch(search),
+    side: parseSideFromSearch(search),
+    target: parseAppealTargetFromSearch(search),
+    triggerDate: parseTriggerDateFromSearch(search),
+    ...scenario,
+  };
+}
+
+// makeMemoryStorage — tiny StorageLike for tests / SSR fallback.
+// Not used by the runtime page (which mounts real localStorage), but
+// kept here so test files have one well-known import.
+export function makeMemoryStorage(): StorageLike {
+  const store = new Map<string, string>();
+  return {
+    getItem: (k) => (store.has(k) ? store.get(k)! : null),
+    setItem: (k, v) => { store.set(k, v); },
+    removeItem: (k) => { store.delete(k); },
+  };
+}

frontend/src/components/Footer.tsx

@@ -5,7 +5,7 @@ export function Footer(): string {
     <footer className="footer">
       <div className="container">
         <p>
-          <span data-i18n="footer.text">{"© 2026 Paliad — ein Werkzeug von"}</span>{" "}
+          <span data-i18n="footer.text">{"© 2026 Paliad — by"}</span>{" "}
           <a href="https://flexsiebels.de" target="_blank" rel="noopener">flexsiebels.de</a>
         </p>
       </div>

frontend/src/components/Sidebar.tsx

@@ -205,7 +205,6 @@ export function Sidebar({ currentPath, authenticated = true }: SidebarProps): st
             {navItem("/admin/partner-units", ICON_BUILDING, "nav.admin.partner_units", "Partner Units", currentPath)}
             {navItem("/admin/event-types", ICON_TABLE, "nav.admin.event_types", "Event-Typen", currentPath)}
             {navItem("/admin/rules", ICON_BOOK, "nav.admin.rules", "Regeln verwalten", currentPath)}
-            {navItem("/admin/rules/export", ICON_DOWNLOAD, "nav.admin.rules_export", "Regel-Migrations", currentPath)}
             {navItem("/admin/audit-log", ICON_AUDIT_LOG, "nav.admin.audit", "Audit-Log", currentPath)}
             {navItem("/admin/backups", ICON_DOWNLOAD, "nav.admin.backups", "Backups", currentPath)}
             {/* Paliadin Monitor — owner-only sub-entry; revealed by sidebar.ts together with the /paliadin link. */}

frontend/src/i18n-keys.ts

@@ -125,6 +125,12 @@ export type I18nKey =
   | "admin.broadcasts.loading"
   | "admin.broadcasts.subtitle"
   | "admin.broadcasts.title"
+  | "admin.building_blocks.action.new"
+  | "admin.building_blocks.editor.empty"
+  | "admin.building_blocks.heading"
+  | "admin.building_blocks.loading"
+  | "admin.building_blocks.subtitle"
+  | "admin.building_blocks.title"
   | "admin.card.approval_policies.desc"
   | "admin.card.approval_policies.title"
   | "admin.card.audit.desc"
@@ -401,22 +407,6 @@ export type I18nKey =
   | "admin.rules.edit.title"
   | "admin.rules.empty"
   | "admin.rules.error.load"
-  | "admin.rules.export.breadcrumb"
-  | "admin.rules.export.copied"
-  | "admin.rules.export.copy"
-  | "admin.rules.export.copy_failed"
-  | "admin.rules.export.count"
-  | "admin.rules.export.download"
-  | "admin.rules.export.error"
-  | "admin.rules.export.field.since"
-  | "admin.rules.export.heading"
-  | "admin.rules.export.latest"
-  | "admin.rules.export.no_pending"
-  | "admin.rules.export.ok"
-  | "admin.rules.export.run"
-  | "admin.rules.export.running"
-  | "admin.rules.export.subtitle"
-  | "admin.rules.export.title"
   | "admin.rules.filter.lifecycle"
   | "admin.rules.filter.lifecycle.any"
   | "admin.rules.filter.proceeding"
@@ -428,7 +418,6 @@ export type I18nKey =
   | "admin.rules.lifecycle.archived"
   | "admin.rules.lifecycle.draft"
   | "admin.rules.lifecycle.published"
-  | "admin.rules.list.export"
   | "admin.rules.list.heading"
   | "admin.rules.list.new"
   | "admin.rules.list.subtitle"
@@ -1201,10 +1190,12 @@ export type I18nKey =
   | "deadlines.adjusted.weekend"
   | "deadlines.adjusted.weekend.saturday"
   | "deadlines.adjusted.weekend.sunday"
-  | "deadlines.appellant.claimant"
-  | "deadlines.appellant.defendant"
-  | "deadlines.appellant.label"
-  | "deadlines.appellant.none"
+  | "deadlines.appeal_target.anordnung"
+  | "deadlines.appeal_target.bucheinsicht"
+  | "deadlines.appeal_target.endentscheidung"
+  | "deadlines.appeal_target.kostenentscheidung"
+  | "deadlines.appeal_target.label"
+  | "deadlines.appeal_target.schadensbemessung"
   | "deadlines.calculate"
   | "deadlines.card.calc.add_to_project"
   | "deadlines.card.calc.add_to_project.disabled"
@@ -1233,6 +1224,8 @@ export type I18nKey =
   | "deadlines.col.event_type"
   | "deadlines.col.opponent"
   | "deadlines.col.ours"
+  | "deadlines.col.proactive"
+  | "deadlines.col.reactive"
   | "deadlines.col.rule"
   | "deadlines.col.status"
   | "deadlines.col.title"
@@ -1277,6 +1270,7 @@ export type I18nKey =
   | "deadlines.dpma.appeal.bgh"
   | "deadlines.dpma.appeal.bpatg"
   | "deadlines.dpma.opp.dpma"
+  | "deadlines.durations.show"
   | "deadlines.empty.filtered"
   | "deadlines.empty.hint"
   | "deadlines.empty.title"
@@ -1529,6 +1523,7 @@ export type I18nKey =
   | "deadlines.upc.apl.cost"
   | "deadlines.upc.apl.merits"
   | "deadlines.upc.apl.order"
+  | "deadlines.upc.apl.unified"
   | "deadlines.upc.ccr.cfi"
   | "deadlines.upc.disc.cfi"
   | "deadlines.upc.dmgs.cfi"
@@ -1992,7 +1987,6 @@ export type I18nKey =
   | "nav.admin.paliadin"
   | "nav.admin.partner_units"
   | "nav.admin.rules"
-  | "nav.admin.rules_export"
   | "nav.admin.team"
   | "nav.agenda"
   | "nav.akten"
@@ -2621,10 +2615,14 @@ export type I18nKey =
   | "search.no_results"
   | "search.placeholder"
   | "sidebar.resize.title"
+  | "state.hidden.tooltip"
+  | "state.optional.tooltip"
   | "submissions.draft.action.delete"
   | "submissions.draft.action.export"
   | "submissions.draft.action.new"
   | "submissions.draft.back"
+  | "submissions.draft.base.hint"
+  | "submissions.draft.base.label"
   | "submissions.draft.import.button"
   | "submissions.draft.language"
   | "submissions.draft.language.de"
@@ -2637,6 +2635,8 @@ export type I18nKey =
   | "submissions.draft.parties.title"
   | "submissions.draft.preview.hint"
   | "submissions.draft.preview.title"
+  | "submissions.draft.sections.hint"
+  | "submissions.draft.sections.title"
   | "submissions.draft.switcher.label"
   | "submissions.draft.title"
   | "submissions.index.action.new"

frontend/src/styles/global.css

@@ -3332,7 +3332,11 @@ input[type="range"]::-moz-range-thumb {
 .timeline-item {
     display: flex;
     gap: 0.75rem;
-    min-height: 4rem;
+    /* t-paliad-293: tighter min-height. Previously 4rem — too much
+       vertical air per card on long projections. Title row + meta row
+       fits comfortably in 2.75rem; longer cards (with notes expanded
+       or adjusted-date banners) still grow naturally. */
+    min-height: 2.75rem;
 }
 
 .timeline-item:last-child .timeline-line {
@@ -3373,19 +3377,37 @@ input[type="range"]::-moz-range-thumb {
 
 .timeline-content {
     flex: 1;
-    padding-bottom: 1rem;
+    /* t-paliad-293: tighter inter-card gutter. Was 1rem; 0.6rem keeps
+       the dotted-connector line readable without bloating long
+       projections. */
+    padding-bottom: 0.6rem;
+    min-width: 0;
 }
 
 .timeline-item-header {
     display: flex;
     justify-content: space-between;
     align-items: flex-start;
-    gap: 1rem;
+    gap: 0.5rem;
+    /* t-paliad-293: allow shrink + wrap so a long title plus the state
+       icons + caret never push the card past its column. Combined with
+       min-width:0 on the name, no inline child can blow the row width
+       on 375/414/768 viewports. */
+    flex-wrap: wrap;
+    min-width: 0;
 }
 
 .timeline-name {
     font-size: 0.88rem;
     font-weight: 500;
+    /* min-width:0 lets the name shrink and wrap inside its flex parent
+       — otherwise overflow:hidden in an ancestor would clip it but the
+       flex item would still demand its intrinsic width. */
+    min-width: 0;
+    /* Word-break on long German compounds (Vertraulichkeitswiderklage …)
+       so they wrap mid-word rather than pushing the date column off-
+       screen. (t-paliad-293) */
+    overflow-wrap: anywhere;
 }
 
 .timeline-date {
@@ -3471,15 +3493,37 @@ input[type="range"]::-moz-range-thumb {
     color: var(--status-neutral-fg-3);
 }
 
-.optional-badge {
-    font-size: 0.68rem;
-    font-weight: 500;
-    padding: 0.05rem 0.4rem;
-    border-radius: 99px;
-    background: var(--status-amber-bg);
+/* t-paliad-293 — compact state icons in the card title row. They
+ * replace the legacy `.optional-badge` text chip and add a uniform
+ * language for the per-card decision state ("cut the tree of
+ * possibilities"). Each icon carries its own modifier so the tint
+ * matches the state semantic. The glyph itself is the primary signal;
+ * the i18n tooltip on the span carries the accessible description. */
+.timeline-state-icon {
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+    min-width: 1rem;
+    height: 1rem;
+    margin-left: 0.3rem;
+    font-size: 0.85rem;
+    line-height: 1;
+    color: var(--color-text-muted);
+    cursor: help;
+    user-select: none;
+    /* Cancel the wrapper fade so the marker stays legible inside
+       .timeline-item--hidden which fades the whole content panel. */
+    opacity: 1;
+}
+
+.timeline-state-icon--optional {
     color: var(--status-amber-fg);
 }
 
+.timeline-state-icon--hidden {
+    color: var(--color-text-muted);
+}
+
 /* t-paliad-265 — per-event-card optional choices. The caret sits in
  * the card header next to the date; the chip surfaces the active pick
  * inline with the title; the popover is body-attached and positioned
@@ -3549,24 +3593,44 @@ input[type="range"]::-moz-range-thumb {
     padding: 0.3rem 0.5rem;
 }
 
-.event-card-choices-unhide {
-    margin-left: 0.4rem;
-    font-size: 0.7rem;
-    font-weight: 500;
-    padding: 0.1rem 0.5rem;
-    border-radius: 99px;
-    border: 1px solid var(--color-accent, #c6f41c);
-    background: var(--color-accent, #c6f41c);
-    color: var(--color-text);
-    cursor: pointer;
-    /* Cancel the wrapper fade so the action remains a clear, high-
-     * contrast affordance even though the rest of the card is muted. */
-    opacity: 1;
+/* t-paliad-293 — prominent "Wieder einblenden" entry inside the caret
+ * popover. Surfaced only when the caret is opened on a hidden card
+ * (data-is-hidden="1"). Used to be an inline chip in the card header,
+ * but that caused horizontal scroll on narrow viewports (m/paliad#125)
+ * because its German label is wide ("Wieder einblenden") and the
+ * card header is a non-wrapping flex row. Moving it into the popover
+ * removes the surface entirely and matches m's "actions live in the
+ * caret menu" framing. */
+.event-card-choices-block--unhide {
+    /* No top border separator — this block sits at the top of the
+       popover with the highest visual priority. */
+    padding-top: 0;
+    border-top: 0;
+    margin-top: 0;
 }
 
-.event-card-choices-unhide:hover,
-.event-card-choices-unhide:focus-visible {
+.event-card-choices-unhide-btn {
+    display: block;
+    width: 100%;
+    padding: 0.4rem 0.6rem;
+    font-size: 0.82rem;
+    font-weight: 600;
+    border-radius: 4px;
+    border: 1px solid var(--color-accent, #c6f41c);
+    background: var(--color-accent, #c6f41c);
+    /* Match the active-option pin (lime fg → midnight text) so the
+       button reads against the lime in both light and dark themes
+       (m/paliad#123). */
+    color: var(--color-accent-dark);
+    cursor: pointer;
+    transition: background 120ms ease;
+}
+
+.event-card-choices-unhide-btn:hover,
+.event-card-choices-unhide-btn:focus-visible {
     background: var(--color-bg, #fff);
+    color: var(--color-text);
+    outline: none;
 }
 
 .show-hidden-count {
@@ -3686,6 +3750,16 @@ input[type="range"]::-moz-range-thumb {
     color: var(--color-text-muted);
 }
 
+/* Per-rule duration label rendered inline in the meta row when
+   "Dauern anzeigen" is on (m/paliad#133, t-paliad-302). Matches the
+   sibling .timeline-rule weight so the meta line reads as one band of
+   secondary metadata; non-mono so the value reads as prose ("2 Mo. nach")
+   rather than a code reference. */
+.timeline-duration {
+    font-size: 0.72rem;
+    color: var(--color-text-muted);
+}
+
 .timeline-adjusted {
     font-size: 0.78rem;
     color: var(--status-amber-fg-2);
@@ -6050,6 +6124,414 @@ dialog.modal::backdrop {
 /* t-paliad-276 — DE/EN language toggle on the draft editor. Same look
    as the rest of the sidebar mini-controls; muted label + inline radios
    so it doesn't compete with the editor's primary inputs. */
+/* t-paliad-313 (m/paliad#141) Composer Slice A — base picker + section list. */
+.submission-draft-base-row {
+    display: flex;
+    flex-direction: column;
+    gap: 0.25rem;
+    margin: 0.5rem 0;
+}
+
+.submission-draft-base-row label {
+    color: var(--color-text-muted);
+    text-transform: uppercase;
+    letter-spacing: 0.05em;
+    font-size: 0.85em;
+}
+
+.submission-draft-base-row select {
+    padding: 0.4rem 0.5rem;
+    border: 1px solid var(--color-border);
+    border-radius: 4px;
+    background: var(--color-bg-elev-1);
+    font-size: 0.95em;
+}
+
+.submission-draft-base-hint {
+    margin: 0;
+    font-size: 0.8em;
+    color: var(--color-text-muted);
+}
+
+.submission-draft-sections-wrap {
+    margin-top: 1rem;
+    padding: 1rem;
+    border: 1px dashed var(--color-border);
+    border-radius: 4px;
+    background: var(--color-bg-elev-1);
+}
+
+.submission-draft-sections-header {
+    display: flex;
+    align-items: baseline;
+    justify-content: space-between;
+    gap: 1rem;
+    margin-bottom: 0.75rem;
+}
+
+.submission-draft-sections-header h2 {
+    margin: 0;
+    font-size: 1.05em;
+}
+
+.submission-draft-sections-hint {
+    font-size: 0.8em;
+    color: var(--color-text-muted);
+}
+
+.submission-draft-sections-list {
+    list-style: decimal inside;
+    margin: 0;
+    padding: 0;
+    display: flex;
+    flex-direction: column;
+    gap: 0.6rem;
+}
+
+.submission-draft-section {
+    border: 1px solid var(--color-border);
+    border-radius: 4px;
+    padding: 0.6rem 0.8rem;
+    background: var(--color-bg-elev-2, var(--color-bg));
+}
+
+.submission-draft-section--excluded {
+    opacity: 0.55;
+    background: var(--color-bg-subtle, transparent);
+}
+
+.submission-draft-section-head {
+    display: flex;
+    align-items: baseline;
+    gap: 0.5rem;
+    flex-wrap: wrap;
+}
+
+.submission-draft-section-title {
+    display: inline;
+    margin: 0;
+    font-size: 0.95em;
+    font-weight: 600;
+}
+
+.submission-draft-section-kind {
+    font-size: 0.75em;
+    color: var(--color-text-muted);
+    background: var(--color-bg-subtle, transparent);
+    padding: 0.1rem 0.35rem;
+    border-radius: 3px;
+}
+
+.submission-draft-section-excluded-badge {
+    font-size: 0.75em;
+    color: var(--color-text-muted);
+    font-style: italic;
+}
+
+.submission-draft-section-body {
+    margin: 0.5rem 0 0 0;
+    padding: 0;
+    font-family: inherit;
+    font-size: 0.88em;
+    white-space: pre-wrap;
+    word-break: break-word;
+    color: var(--color-text);
+}
+
+/* t-paliad-313 Slice B — inline editor per section. */
+.submission-draft-section-toggle {
+    margin-left: auto;
+}
+
+.submission-draft-section-toolbar {
+    display: flex;
+    gap: 0.25rem;
+    margin: 0.4rem 0 0.3rem 0;
+}
+
+.submission-draft-section-toolbar-btn {
+    width: 1.8rem;
+    height: 1.8rem;
+    border: 1px solid var(--color-border);
+    border-radius: 3px;
+    background: var(--color-bg-elev-1);
+    font-weight: 600;
+    font-size: 0.85em;
+    cursor: pointer;
+    line-height: 1;
+}
+
+.submission-draft-section-toolbar-btn:hover {
+    background: var(--color-bg-subtle, var(--color-bg-elev-2));
+}
+
+.submission-draft-section-editor {
+    min-height: 3rem;
+    padding: 0.5rem 0.6rem;
+    border: 1px solid var(--color-border);
+    border-radius: 3px;
+    background: var(--color-bg-elev-1);
+    font-family: inherit;
+    font-size: 0.92em;
+    line-height: 1.5;
+    white-space: pre-wrap;
+    word-break: break-word;
+    outline: none;
+}
+
+.submission-draft-section-editor:focus {
+    border-color: var(--color-accent-fg, var(--color-text));
+    box-shadow: 0 0 0 2px var(--color-bg-lime-tint, transparent);
+}
+
+.submission-draft-section-editor:empty::before {
+    content: attr(data-placeholder);
+    color: var(--color-text-muted);
+    pointer-events: none;
+}
+
+.submission-draft-section--editing {
+    background: var(--color-bg-elev-2, var(--color-bg-elev-1));
+}
+
+/* t-paliad-315 Slice C — building-block picker modal */
+.submission-draft-section-bb-btn {
+    margin-left: auto;
+}
+
+.submission-bb-picker-overlay {
+    position: fixed;
+    inset: 0;
+    background: rgba(0,0,0,0.4);
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    z-index: 1000;
+}
+
+.submission-bb-picker {
+    background: var(--color-bg, white);
+    border-radius: 6px;
+    padding: 1rem;
+    width: min(720px, 92vw);
+    max-height: 86vh;
+    display: flex;
+    flex-direction: column;
+    gap: 0.6rem;
+    box-shadow: 0 8px 32px rgba(0,0,0,0.25);
+}
+
+.submission-bb-picker-head {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+}
+
+.submission-bb-picker-head h2 {
+    margin: 0;
+    font-size: 1.1em;
+}
+
+.submission-bb-picker-search {
+    width: 100%;
+}
+
+.submission-bb-picker-sectioninfo {
+    margin: 0;
+    font-size: 0.85em;
+    color: var(--color-text-muted);
+}
+
+.submission-bb-picker-list {
+    overflow-y: auto;
+    display: flex;
+    flex-direction: column;
+    gap: 0.5rem;
+}
+
+.submission-bb-picker-row {
+    display: block;
+    width: 100%;
+    text-align: left;
+    padding: 0.6rem 0.8rem;
+    border: 1px solid var(--color-border);
+    border-radius: 4px;
+    background: var(--color-bg-elev-1);
+    cursor: pointer;
+}
+
+.submission-bb-picker-row:hover {
+    background: var(--color-bg-lime-tint, var(--color-bg-elev-2));
+}
+
+.submission-bb-picker-row-head {
+    display: flex;
+    align-items: baseline;
+    justify-content: space-between;
+    gap: 0.5rem;
+}
+
+.submission-bb-picker-row-desc {
+    margin: 0.25rem 0;
+    font-size: 0.85em;
+    color: var(--color-text-muted);
+}
+
+.submission-bb-picker-row-preview {
+    margin: 0.25rem 0 0 0;
+    padding: 0;
+    font-family: inherit;
+    font-size: 0.8em;
+    color: var(--color-text-muted);
+    white-space: pre-wrap;
+    max-height: 4em;
+    overflow: hidden;
+}
+
+.submission-bb-picker-vis {
+    font-size: 0.7em;
+    padding: 0.1rem 0.35rem;
+    border-radius: 3px;
+    background: var(--color-bg-subtle, transparent);
+    color: var(--color-text-muted);
+    text-transform: uppercase;
+    letter-spacing: 0.05em;
+}
+
+.submission-bb-picker-vis--private { background: #fde2e2; color: #8a2a2a; }
+.submission-bb-picker-vis--team    { background: #fff4d6; color: #7a5d12; }
+.submission-bb-picker-vis--firm    { background: #def5e2; color: #266e34; }
+.submission-bb-picker-vis--global  { background: #dce8fb; color: #1f437a; }
+
+.submission-bb-picker-empty {
+    text-align: center;
+    color: var(--color-text-muted);
+    padding: 1rem;
+}
+
+/* t-paliad-315 Slice C — /admin/submission-building-blocks editor */
+.admin-bb-layout {
+    display: grid;
+    grid-template-columns: minmax(220px, 280px) 1fr minmax(180px, 240px);
+    gap: 1rem;
+}
+
+.admin-bb-list {
+    display: flex;
+    flex-direction: column;
+    gap: 0.4rem;
+    max-height: 70vh;
+    overflow-y: auto;
+}
+
+.admin-bb-list-row {
+    display: flex;
+    flex-direction: column;
+    gap: 0.2rem;
+    padding: 0.5rem 0.7rem;
+    text-align: left;
+    border: 1px solid var(--color-border);
+    border-radius: 4px;
+    background: var(--color-bg-elev-1);
+    cursor: pointer;
+}
+
+.admin-bb-list-row--active {
+    background: var(--color-bg-lime-tint, var(--color-bg-elev-2));
+    border-color: var(--color-accent-fg, var(--color-text));
+}
+
+.admin-bb-list-title {
+    font-weight: 600;
+    font-size: 0.95em;
+}
+
+.admin-bb-list-meta {
+    display: flex;
+    gap: 0.3rem;
+    font-size: 0.7em;
+    color: var(--color-text-muted);
+}
+
+.admin-bb-list-section {
+    background: var(--color-bg-subtle, transparent);
+    padding: 0.05rem 0.35rem;
+    border-radius: 3px;
+}
+
+.admin-bb-list-vis {
+    padding: 0.05rem 0.35rem;
+    border-radius: 3px;
+}
+
+.admin-bb-list-vis--private { background: #fde2e2; color: #8a2a2a; }
+.admin-bb-list-vis--team    { background: #fff4d6; color: #7a5d12; }
+.admin-bb-list-vis--firm    { background: #def5e2; color: #266e34; }
+.admin-bb-list-vis--global  { background: #dce8fb; color: #1f437a; }
+
+.admin-bb-list-draft {
+    font-style: italic;
+    color: var(--color-text-muted);
+}
+
+.admin-bb-form {
+    display: flex;
+    flex-direction: column;
+    gap: 0.6rem;
+}
+
+.admin-bb-form-row {
+    display: flex;
+    flex-direction: column;
+    gap: 0.2rem;
+}
+
+.admin-bb-form-row--checkbox {
+    flex-direction: row;
+    align-items: center;
+    gap: 0.4rem;
+}
+
+.admin-bb-form-row > span {
+    font-size: 0.85em;
+    color: var(--color-text-muted);
+}
+
+.admin-bb-form-hint {
+    font-size: 0.75em;
+    color: var(--color-text-muted);
+}
+
+.admin-bb-form-actions {
+    display: flex;
+    gap: 0.5rem;
+    margin-top: 0.5rem;
+}
+
+.admin-bb-versions {
+    display: flex;
+    flex-direction: column;
+    gap: 0.4rem;
+    max-height: 70vh;
+    overflow-y: auto;
+}
+
+.admin-bb-version-row {
+    border: 1px solid var(--color-border);
+    border-radius: 4px;
+    padding: 0.4rem 0.55rem;
+    font-size: 0.78em;
+}
+
+.admin-bb-version-meta {
+    color: var(--color-text-muted);
+    margin-bottom: 0.25rem;
+}
+
+.admin-bb-empty {
+    color: var(--color-text-muted);
+}
+
 .submission-draft-language-row {
     display: flex;
     align-items: center;
@@ -6156,7 +6638,7 @@ dialog.modal::backdrop {
     align-items: baseline;
     padding: 0.75rem 1rem;
     border-bottom: 1px solid var(--color-border);
-    background: var(--color-surface-alt, #fafafa);
+    background: var(--color-surface-2);
     flex-wrap: wrap;
     gap: 0.5rem;
 }
@@ -6314,7 +6796,7 @@ dialog.modal::backdrop {
 }
 
 .submissions-new-chip:hover {
-    background: var(--color-surface-alt, #f4f4f4);
+    background: var(--color-surface-muted);
 }
 
 .submissions-new-chip--active {
@@ -6352,7 +6834,7 @@ dialog.modal::backdrop {
 }
 
 .submissions-new-project-item:hover {
-    background: var(--color-surface-alt, #f4f4f4);
+    background: var(--color-surface-muted);
 }
 
 .submissions-new-project-title {
@@ -6367,7 +6849,7 @@ dialog.modal::backdrop {
     flex-wrap: wrap;
     padding: 0.75rem 1rem;
     margin: 0 0 1.25rem;
-    background: var(--color-surface-alt, #f7f7f0);
+    background: var(--color-bg-subtle);
     border: 1px solid var(--color-border);
     border-left: 4px solid var(--color-accent, #c6f41c);
     border-radius: 6px;
@@ -6390,7 +6872,7 @@ dialog.modal::backdrop {
     flex-wrap: wrap;
     padding: 0.5rem 0.6rem;
     margin-bottom: 0.75rem;
-    background: var(--color-surface-alt, #f7f7f0);
+    background: var(--color-bg-subtle);
     border: 1px solid var(--color-border);
     border-radius: 6px;
 }
@@ -6518,7 +7000,7 @@ dialog.modal::backdrop {
     border: 1px solid var(--color-border);
     border-radius: 6px;
     padding: 0.6rem;
-    background: var(--color-surface-alt, #f7f7f0);
+    background: var(--color-bg-subtle);
     display: flex;
     flex-direction: column;
     gap: 0.5rem;
@@ -6641,7 +7123,7 @@ dialog.modal::backdrop {
     margin-left: 0.3rem;
     padding: 0 0.4em;
     border-radius: 3px;
-    background: var(--color-surface-alt, #f7f7f0);
+    background: var(--color-bg-subtle);
     color: var(--color-text-muted);
 }
 
@@ -7848,7 +8330,7 @@ dialog.modal::backdrop {
 .collab-invite-hint {
     margin-top: 0.5rem;
     padding: 0.5rem 0.75rem;
-    background: var(--color-surface-alt, var(--color-bg-lime-tint));
+    background: var(--color-bg-lime-tint);
     border: 1px dashed var(--color-border);
     border-radius: var(--radius);
     font-size: 0.85rem;
@@ -16508,7 +16990,7 @@ dialog.quick-add-sheet::backdrop {
     width: 1.4rem;
     height: 1.4rem;
     border-radius: 50%;
-    background: var(--color-surface-alt, #f4f4f4);
+    background: var(--color-surface-muted);
     color: var(--color-text-muted);
     font-size: 0.85rem;
     font-weight: 600;
@@ -16562,7 +17044,7 @@ dialog.quick-add-sheet::backdrop {
     font-size: 0.72rem;
     padding: 0.1rem 0.45rem;
     border-radius: 999px;
-    background: var(--color-surface-alt, #f4f4f4);
+    background: var(--color-surface-muted);
     color: var(--color-text-muted);
     font-weight: 500;
     letter-spacing: 0.02em;
@@ -16584,7 +17066,7 @@ dialog.quick-add-sheet::backdrop {
 }
 
 .smart-timeline-kind-chip--projected {
-    background: var(--color-surface-alt, #f4f4f4);
+    background: var(--color-surface-muted);
     color: var(--color-text-muted);
     font-style: italic;
 }
@@ -16651,7 +17133,7 @@ dialog.quick-add-sheet::backdrop {
 
 .smart-timeline-add-choice:hover:not(:disabled) {
     border-color: var(--color-accent-fg);
-    background: var(--color-surface-alt, #fafafa);
+    background: var(--color-surface-2);
 }
 
 .smart-timeline-add-choice--primary {
@@ -18121,42 +18603,6 @@ dialog.quick-add-sheet::backdrop {
   border-top: 1px solid var(--color-border, #d4d4d8);
 }
 
-/* Export page */
-
-.admin-rules-export-controls {
-  display: flex;
-  gap: 0.5rem;
-  align-items: flex-end;
-  flex-wrap: wrap;
-  margin-bottom: 1rem;
-}
-
-.admin-rules-export-controls .form-field {
-  flex: 1 1 240px;
-}
-
-.admin-rules-export-summary {
-  display: flex;
-  gap: 1.5rem;
-  flex-wrap: wrap;
-  font-size: 0.9rem;
-  color: var(--color-text-muted, #71717a);
-  margin-bottom: 0.75rem;
-}
-
-.admin-rules-export-pre {
-  background: var(--color-bg-subtle, #f4f4f5);
-  border: 1px solid var(--color-border, #d4d4d8);
-  border-radius: 6px;
-  padding: 1rem;
-  overflow: auto;
-  max-height: 60vh;
-  font-family: var(--font-mono, ui-monospace, monospace);
-  font-size: 0.8rem;
-  white-space: pre;
-  margin: 0;
-}
-
 /* Date-range picker (t-paliad-248) ------------------------------------
    Symmetric past/future chip fan around an ALLES centre, in a popover
    anchored under a closed-state trigger button. Reuses .agenda-chip /

frontend/src/submission-draft.tsx

@@ -109,6 +109,27 @@ export function renderSubmissionDraft(): string {
                       </button>
                     </div>
 
+                    {/* t-paliad-313 (m/paliad#141) Composer Slice A —
+                        base picker. Hydrated by client/submission-draft.ts
+                        once /api/submission-bases returns. Disabled
+                        for pre-Composer drafts (base_id NULL); switching
+                        autosaves the draft. */}
+                    <div
+                      className="submission-draft-base-row"
+                      id="submission-draft-base-row"
+                      style="display:none">
+                      <label htmlFor="submission-draft-base" data-i18n="submissions.draft.base.label">
+                        Vorlagenbasis
+                      </label>
+                      <select id="submission-draft-base" />
+                      <p
+                        className="submission-draft-base-hint"
+                        id="submission-draft-base-hint"
+                        data-i18n="submissions.draft.base.hint">
+                        Steuert Schriftarten, Briefkopf und Abschnitts-Defaults.
+                      </p>
+                    </div>
+
                     {/* t-paliad-276 — output language toggle (DE/EN).
                         Hydrated by client/submission-draft.ts; switching
                         autosaves the draft and re-renders the preview. */}
@@ -202,6 +223,29 @@ export function renderSubmissionDraft(): string {
                     <div className="submission-draft-variables" id="submission-draft-variables" />
                   </aside>
 
+                  {/* t-paliad-313 (m/paliad#141) Composer Slice A —
+                      read-only section list. Painted from
+                      view.sections. Empty/hidden for pre-Composer
+                      drafts where no rows have been seeded. Slice B
+                      turns these into in-place editable prose blocks. */}
+                  <section
+                    className="submission-draft-sections-wrap"
+                    id="submission-draft-sections-wrap"
+                    style="display:none">
+                    <header className="submission-draft-sections-header">
+                      <h2 data-i18n="submissions.draft.sections.title">Abschnitte</h2>
+                      <span
+                        className="submission-draft-sections-hint"
+                        data-i18n="submissions.draft.sections.hint">
+                        Inhalt pro Abschnitt &mdash; Autosave nach 500 ms. Letztes Layout in Word.
+                      </span>
+                    </header>
+                    <ol
+                      className="submission-draft-sections-list"
+                      id="submission-draft-sections-list"
+                    />
+                  </section>
+
                   {/* Preview pane — read-only HTML render of the merged
                       document body. Re-renders on autosave round-trip. */}
                   <section className="submission-draft-preview-wrap">

frontend/src/verfahrensablauf.tsx

@@ -28,16 +28,20 @@ function proceedingBtn(p: ProceedingDef): string {
   );
 }
 
+// Slice B1 (m/paliad#124 §18.1): the 3 separate Berufung tiles
+// (upc.apl.merits / upc.apl.cost / upc.apl.order) collapse into ONE
+// unified "Berufung" tile (upc.apl). After picking it, the user
+// selects which decision the appeal is directed AT via the
+// .appeal-target-row chip group below — the engine then filters
+// rules whose applies_to_target contains the picked slug.
 const UPC_TYPES: ProceedingDef[] = [
   { code: "upc.inf.cfi",    i18nKey: "deadlines.upc.inf.cfi",    name: "Verletzungsverfahren" },
   { code: "upc.rev.cfi",    i18nKey: "deadlines.upc.rev.cfi",    name: "Nichtigkeitsklage" },
   { code: "upc.ccr.cfi",    i18nKey: "deadlines.upc.ccr.cfi",    name: "Widerklage auf Nichtigkeit" },
   { code: "upc.pi.cfi",     i18nKey: "deadlines.upc.pi.cfi",     name: "Einstw. Maßnahmen" },
-  { code: "upc.apl.merits", i18nKey: "deadlines.upc.apl.merits", name: "Berufung" },
+  { code: "upc.apl.unified", i18nKey: "deadlines.upc.apl.unified", name: "Berufung" },
   { code: "upc.dmgs.cfi",   i18nKey: "deadlines.upc.dmgs.cfi",   name: "Schadensbemessung" },
   { code: "upc.disc.cfi",   i18nKey: "deadlines.upc.disc.cfi",   name: "Bucheinsicht" },
-  { code: "upc.apl.cost",   i18nKey: "deadlines.upc.apl.cost",   name: "Berufung Kosten" },
-  { code: "upc.apl.order",  i18nKey: "deadlines.upc.apl.order",  name: "Berufung Anordnungen" },
 ];
 
 // DE proceedings split by type (Verletzung / Nichtigkeit) per m's
@@ -216,20 +220,33 @@ export function renderVerfahrensablauf(): string {
                         </button>
                       </div>
                     </div>
-                    <div className="verfahrensablauf-perspective-row" id="appellant-row" style="display:none">
-                      <span className="date-label" data-i18n="deadlines.appellant.label">Berufung durch:</span>
-                      <div className="fristen-view-toggle" role="radiogroup" aria-label="Appellant">
+                    {/* Appeal-target chip row (Slice B1 / m/paliad#124 §18.1).
+                         Shown only when the unified upc.apl Berufung tile is
+                         selected; lets the user narrow the timeline to the
+                         rules whose applies_to_target contains the picked
+                         decision kind. URL state ?target=<slug>. */}
+                    <div className="verfahrensablauf-perspective-row" id="appeal-target-row" style="display:none">
+                      <span className="date-label" data-i18n="deadlines.appeal_target.label">Worauf richtet sich die Berufung?</span>
+                      <div className="fristen-view-toggle" role="radiogroup" aria-label="Appeal target">
                         <label className="fristen-view-option">
-                          <input type="radio" name="appellant" value="claimant" />
-                          <span data-i18n="deadlines.appellant.claimant">Klägerseite</span>
+                          <input type="radio" name="appeal-target" value="endentscheidung" checked />
+                          <span data-i18n="deadlines.appeal_target.endentscheidung">Endentscheidung</span>
                         </label>
                         <label className="fristen-view-option">
-                          <input type="radio" name="appellant" value="defendant" />
-                          <span data-i18n="deadlines.appellant.defendant">Beklagtenseite</span>
+                          <input type="radio" name="appeal-target" value="kostenentscheidung" />
+                          <span data-i18n="deadlines.appeal_target.kostenentscheidung">Kostenentscheidung</span>
                         </label>
                         <label className="fristen-view-option">
-                          <input type="radio" name="appellant" value="" checked />
-                          <span data-i18n="deadlines.appellant.none">—</span>
+                          <input type="radio" name="appeal-target" value="anordnung" />
+                          <span data-i18n="deadlines.appeal_target.anordnung">Anordnung</span>
+                        </label>
+                        <label className="fristen-view-option">
+                          <input type="radio" name="appeal-target" value="schadensbemessung" />
+                          <span data-i18n="deadlines.appeal_target.schadensbemessung">Schadensbemessung</span>
+                        </label>
+                        <label className="fristen-view-option">
+                          <input type="radio" name="appeal-target" value="bucheinsicht" />
+                          <span data-i18n="deadlines.appeal_target.bucheinsicht">Bucheinsicht</span>
                         </label>
                       </div>
                     </div>
@@ -324,6 +341,13 @@ export function renderVerfahrensablauf(): string {
                       <input type="checkbox" id="fristen-notes-show" />
                       <span data-i18n="deadlines.notes.show">Hinweise anzeigen</span>
                     </label>
+                    {/* Durations toggle (m/paliad#133, t-paliad-302).
+                         Default off — hover-tooltips on date spans are
+                         the always-on path. */}
+                    <label className="fristen-notes-option">
+                      <input type="checkbox" id="verfahrensablauf-durations-show" />
+                      <span data-i18n="deadlines.durations.show">Dauern anzeigen</span>
+                    </label>
                   </div>
 
                   <div id="timeline-container">

internal/db/migration_136_test.go

@@ -0,0 +1,134 @@
+// Slice B.1 (t-paliad-273) — migration 136 backfill invariants.
+//
+// The dry-run gate (migrate_test.go: TestMigrations_DryRun) catches
+// migrations that crash on apply, but it rolls back inside its own
+// transaction — the post-state assertions in mig 136's PL/pgSQL block
+// run, but a future refactor of those assertions might forget a check
+// or introduce a silent count drift. This test layers a Go-side
+// invariant check on top so the contract is restated in test code,
+// outside the PL/pgSQL block, against the resulting tables.
+//
+// Skipped without TEST_DATABASE_URL, same pattern as
+// internal/services/submission_codes_shape_test.go.
+
+package db
+
+import (
+	"context"
+	"database/sql"
+	"os"
+	"testing"
+
+	_ "github.com/lib/pq"
+)
+
+// TestMigration136_BackfillInvariants applies every embedded migration
+// (which lands mig 136 along the way) and then asserts the four
+// invariants the B.1 design + B.0 findings nailed down:
+//
+//  1. procedural_events row count = (distinct submission_codes in
+//     deadline_rules) + (deadline_rules with NULL submission_code).
+//     Codes-bearing branch is 1:1 per the B.0 audit (no multi-row
+//     codes since the _archived_litigation.* removal); the NULL
+//     branch gets one synthetic procedural_event per rule.
+//  2. sequencing_rules row count = deadline_rules row count (1:1).
+//  3. legal_sources row count = distinct legal_source in
+//     deadline_rules (NULL excluded).
+//  4. every sequencing_rules row's procedural_event_id resolves to a
+//     procedural_events row (NOT NULL FK already enforces this at the
+//     DB level — this test catches a future relaxation of the FK).
+//  5. no two synthetic codes collide (covered by the UNIQUE on
+//     procedural_events.code; restated here for documentation).
+//
+// The test is robust against corpus size — it derives all expected
+// counts from the live deadline_rules state, so a scratch DB with 0
+// rules trivially passes, and a prod-shaped scratch DB exercises the
+// real invariants.
+func TestMigration136_BackfillInvariants(t *testing.T) {
+	url := os.Getenv("TEST_DATABASE_URL")
+	if url == "" {
+		t.Skip("TEST_DATABASE_URL not set — skipping mig 136 invariant test")
+	}
+	if err := ApplyMigrations(url); err != nil {
+		t.Fatalf("apply migrations: %v", err)
+	}
+
+	conn, err := sql.Open("postgres", url)
+	if err != nil {
+		t.Fatalf("open: %v", err)
+	}
+	defer conn.Close()
+	ctx := context.Background()
+
+	var (
+		drTotal, drCodesDistinct, drCodesNull, drLegalDistinct int
+		peTotal, srTotal, lsTotal                              int
+		orphanPE, dupSynthetic                                 int
+	)
+
+	mustQ := func(label, q string, dst *int) {
+		t.Helper()
+		if err := conn.QueryRowContext(ctx, q).Scan(dst); err != nil {
+			t.Fatalf("%s: %v", label, err)
+		}
+	}
+
+	mustQ("dr_total", `SELECT COUNT(*) FROM paliad.deadline_rules`, &drTotal)
+	mustQ("dr_codes_distinct",
+		`SELECT COUNT(DISTINCT submission_code) FROM paliad.deadline_rules WHERE submission_code IS NOT NULL`,
+		&drCodesDistinct)
+	mustQ("dr_codes_null",
+		`SELECT COUNT(*) FROM paliad.deadline_rules WHERE submission_code IS NULL`,
+		&drCodesNull)
+	mustQ("dr_legal_distinct",
+		`SELECT COUNT(DISTINCT legal_source) FROM paliad.deadline_rules WHERE legal_source IS NOT NULL`,
+		&drLegalDistinct)
+	mustQ("pe_total", `SELECT COUNT(*) FROM paliad.procedural_events`, &peTotal)
+	mustQ("sr_total", `SELECT COUNT(*) FROM paliad.sequencing_rules`, &srTotal)
+	mustQ("ls_total", `SELECT COUNT(*) FROM paliad.legal_sources`, &lsTotal)
+
+	// Invariant 1: procedural_events = distinct_codes + null_codes
+	wantPE := drCodesDistinct + drCodesNull
+	if peTotal != wantPE {
+		t.Errorf("procedural_events count mismatch: got %d, want %d (distinct codes=%d + null-code rules=%d)",
+			peTotal, wantPE, drCodesDistinct, drCodesNull)
+	}
+
+	// Invariant 2: sequencing_rules 1:1 with deadline_rules
+	if srTotal != drTotal {
+		t.Errorf("sequencing_rules count mismatch: got %d, want %d (1:1 with deadline_rules)",
+			srTotal, drTotal)
+	}
+
+	// Invariant 3: legal_sources = distinct legal_source
+	if lsTotal != drLegalDistinct {
+		t.Errorf("legal_sources count mismatch: got %d, want %d (distinct legal_source)",
+			lsTotal, drLegalDistinct)
+	}
+
+	// Invariant 4: every sequencing_rules.procedural_event_id resolves
+	mustQ("orphan_pe", `
+		SELECT COUNT(*)
+		  FROM paliad.sequencing_rules sr
+		  LEFT JOIN paliad.procedural_events pe ON pe.id = sr.procedural_event_id
+		 WHERE pe.id IS NULL`, &orphanPE)
+	if orphanPE != 0 {
+		t.Errorf("FK integrity violated: %d sequencing_rules row(s) have no resolving procedural_event_id", orphanPE)
+	}
+
+	// Invariant 5: no duplicate synthetic codes
+	mustQ("dup_synthetic", `
+		SELECT COUNT(*) FROM (
+			SELECT code FROM paliad.procedural_events
+			 WHERE code LIKE 'null.%'
+			 GROUP BY code
+			HAVING COUNT(*) > 1
+		) d`, &dupSynthetic)
+	if dupSynthetic != 0 {
+		t.Errorf("synthetic code uniqueness violated: %d duplicate(s) under 'null.%%' prefix", dupSynthetic)
+	}
+
+	t.Logf("mig 136 invariants OK: deadline_rules=%d, procedural_events=%d (=%d+%d), "+
+		"sequencing_rules=%d, legal_sources=%d (distinct legal_source=%d)",
+		drTotal, peTotal, drCodesDistinct, drCodesNull, srTotal, lsTotal, drLegalDistinct)
+}

internal/db/migrations/134_berufung_unification.down.sql

@@ -0,0 +1,72 @@
+-- 134_berufung_unification — DOWN
+--
+-- Reverses the Berufung unification: un-archives the 3 old appeal
+-- proceeding_types, points the 16 rules back at their original
+-- proceeding by their applies_to_target stamp, drops the new
+-- upc.apl row, drops the two columns + their CHECK constraints.
+--
+-- The 3 old proceeding_types are recovered by code (we archived them,
+-- never deleted them — that's what makes this down-migration safe).
+-- ---------------------------------------------------------------
+
+-- ---------------------------------------------------------------
+-- 0. Audit reason (required by mig 079 trigger — step 2 UPDATEs
+--    paliad.deadline_rules to reverse the reassignment).
+-- ---------------------------------------------------------------
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 134 DOWN: revert Slice B1 — restore 3 separate UPC appeal proceeding_types, drop applies_to_target column',
+    true);
+
+-- ---------------------------------------------------------------
+-- 1. Un-archive the 3 old appeal proceeding_types.
+-- ---------------------------------------------------------------
+
+UPDATE paliad.proceeding_types
+   SET is_active = true
+ WHERE code IN ('upc.apl.merits', 'upc.apl.cost', 'upc.apl.order');
+
+-- ---------------------------------------------------------------
+-- 2. Point rules back at their original proceeding_type by stamp.
+-- ---------------------------------------------------------------
+
+UPDATE paliad.deadline_rules dr
+   SET proceeding_type_id = (
+        SELECT id FROM paliad.proceeding_types WHERE code = 'upc.apl.merits'
+       )
+ WHERE dr.applies_to_target = ARRAY['endentscheidung']::text[];
+
+UPDATE paliad.deadline_rules dr
+   SET proceeding_type_id = (
+        SELECT id FROM paliad.proceeding_types WHERE code = 'upc.apl.cost'
+       )
+ WHERE dr.applies_to_target = ARRAY['kostenentscheidung']::text[];
+
+UPDATE paliad.deadline_rules dr
+   SET proceeding_type_id = (
+        SELECT id FROM paliad.proceeding_types WHERE code = 'upc.apl.order'
+       )
+ WHERE dr.applies_to_target = ARRAY['anordnung']::text[];
+
+-- ---------------------------------------------------------------
+-- 3. Drop the unified upc.apl.unified row (now orphaned).
+-- ---------------------------------------------------------------
+
+DELETE FROM paliad.proceeding_types WHERE code = 'upc.apl.unified';
+
+-- ---------------------------------------------------------------
+-- 4. Drop the new columns + their CHECK constraints.
+-- ---------------------------------------------------------------
+
+ALTER TABLE paliad.deadline_rules
+    DROP CONSTRAINT IF EXISTS deadline_rules_applies_to_target_chk;
+
+ALTER TABLE paliad.deadline_rules
+    DROP COLUMN IF EXISTS applies_to_target;
+
+ALTER TABLE paliad.proceeding_types
+    DROP CONSTRAINT IF EXISTS proceeding_types_appeal_target_chk;
+
+ALTER TABLE paliad.proceeding_types
+    DROP COLUMN IF EXISTS appeal_target;

internal/db/migrations/134_berufung_unification.up.sql

@@ -0,0 +1,272 @@
+-- 134_berufung_unification — Slice B1, m/paliad#124, t-paliad-298+
+--
+-- Collapses the 3 active UPC appeal proceeding_types (upc.apl.merits,
+-- upc.apl.cost, upc.apl.order — 16 rules across 3 codes) into ONE
+-- unified upc.apl proceeding type + an `appeal_target` discriminator on
+-- both proceeding_types (top-level marker) and deadline_rules
+-- (per-row applies-to set, text[] for multi-target rules).
+--
+-- ADDITIVE ONLY. The migration:
+--   1. Adds the two columns + check constraints.
+--   2. Inserts the new upc.apl proceeding type.
+--   3. Audit-first: NOTICES every row about to be touched.
+--   4. Reassigns rule rows from the 3 old types to upc.apl, stamping
+--      applies_to_target by source proceeding code.
+--   5. Archives (is_active=false) the 3 old proceeding_types — NEVER
+--      deletes them, so any historical project_event_choices / FK
+--      references stay intact.
+--
+-- Schadensbemessung + Bucheinsicht get NO rule rows in this migration
+-- (m's 2026-05-26 decision: distinct rule sets, not shared with
+-- merits). Their appeal_target enum values are defined and addressable
+-- by CalcOptions.AppealTarget; the engine returns an empty timeline
+-- until rules are seeded in a follow-up slice (likely via
+-- /admin/rules, pairing with t-paliad-193 orphan-concept-seed).
+--
+-- See docs/design-litigation-planner-2026-05-26.md §18.1.
+
+-- ---------------------------------------------------------------
+-- 0. Audit reason (required by mig 079 trigger for any UPDATE on
+--    paliad.deadline_rules — step 4 reassigns 16 rules).
+-- ---------------------------------------------------------------
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 134: t-paliad-292 Slice B1 — Berufung unification, collapse 3 UPC appeal proceeding_types into upc.apl.unified + appeal_target discriminator',
+    true);
+
+-- ---------------------------------------------------------------
+-- 1. Schema additions
+-- ---------------------------------------------------------------
+
+ALTER TABLE paliad.proceeding_types
+    ADD COLUMN appeal_target text NULL;
+
+ALTER TABLE paliad.proceeding_types
+    ADD CONSTRAINT proceeding_types_appeal_target_chk
+        CHECK (appeal_target IS NULL OR appeal_target IN (
+            'endentscheidung',
+            'kostenentscheidung',
+            'anordnung',
+            'schadensbemessung',
+            'bucheinsicht'
+        ));
+
+COMMENT ON COLUMN paliad.proceeding_types.appeal_target IS
+    'Top-level appeal-target marker. NULL on non-appeal proceedings. '
+    'Reserved for future variants — today only the unified upc.apl row '
+    'has this NULL (the actual per-rule target set lives on '
+    'paliad.deadline_rules.applies_to_target).';
+
+ALTER TABLE paliad.deadline_rules
+    ADD COLUMN applies_to_target text[] NULL;
+
+ALTER TABLE paliad.deadline_rules
+    ADD CONSTRAINT deadline_rules_applies_to_target_chk
+        CHECK (
+            applies_to_target IS NULL
+            OR applies_to_target <@ ARRAY[
+                'endentscheidung',
+                'kostenentscheidung',
+                'anordnung',
+                'schadensbemessung',
+                'bucheinsicht'
+            ]::text[]
+        );
+
+COMMENT ON COLUMN paliad.deadline_rules.applies_to_target IS
+    'Set of appeal_target slugs this rule applies to. NULL on rules '
+    'that don''t belong to an appeal proceeding. The engine filters '
+    'by CalcOptions.AppealTarget — rules whose applies_to_target '
+    'contains the requested slug are emitted; others are suppressed.';
+
+-- ---------------------------------------------------------------
+-- 2. Insert the unified upc.apl row.
+--
+-- Inherits default_color from the merits row (the most-used appeal
+-- track today). sort_order follows the cluster of UPC proceedings;
+-- placed just before upc.apl.merits's old slot so the chip-grouped
+-- picker UI lands Berufung in a sensible position. Tweakable later
+-- without a migration.
+-- ---------------------------------------------------------------
+
+INSERT INTO paliad.proceeding_types (
+    code, name, name_en, description, jurisdiction, category,
+    default_color, sort_order, is_active, display_order,
+    appeal_target
+)
+SELECT
+    'upc.apl.unified',
+    'Berufungsverfahren',
+    'Appeal',
+    'Vereinheitlichtes Berufungsverfahren — wählen Sie anschließend, '
+    'worauf die Berufung sich richtet (Endentscheidung, '
+    'Kostenentscheidung, Anordnung, Schadensbemessung, Bucheinsicht).',
+    'UPC',
+    'fristenrechner',
+    default_color,
+    sort_order,
+    true,
+    display_order,
+    NULL
+FROM paliad.proceeding_types
+WHERE code = 'upc.apl.merits';
+
+-- ---------------------------------------------------------------
+-- 3. Audit-first RAISE NOTICE pass.
+--
+-- Lists every rule row that will be reassigned + every proceeding_type
+-- row that will be archived. The migration runs to completion either
+-- way; the operator reads the notices to confirm scope before the
+-- next migration in the chain.
+-- ---------------------------------------------------------------
+
+DO $$
+DECLARE
+    rec record;
+    upc_apl_id int;
+    rules_touched int := 0;
+    procs_archived int := 0;
+BEGIN
+    SELECT id INTO upc_apl_id
+      FROM paliad.proceeding_types
+     WHERE code = 'upc.apl.unified';
+    RAISE NOTICE '[mig 134] new upc.apl.unified proceeding_type_id = %', upc_apl_id;
+
+    RAISE NOTICE '[mig 134] Rules to reassign to upc.apl.unified with applies_to_target:';
+    FOR rec IN
+        SELECT dr.id AS rule_id,
+               pt.code AS old_proceeding,
+               dr.submission_code,
+               dr.name
+          FROM paliad.deadline_rules dr
+          JOIN paliad.proceeding_types pt ON pt.id = dr.proceeding_type_id
+         WHERE pt.code IN ('upc.apl.merits', 'upc.apl.cost', 'upc.apl.order')
+           AND dr.is_active = true
+        ORDER BY pt.code, dr.sequence_order
+    LOOP
+        RAISE NOTICE '[mig 134]   %  %  %  (%)',
+            rec.old_proceeding, rec.submission_code, rec.name, rec.rule_id;
+        rules_touched := rules_touched + 1;
+    END LOOP;
+    RAISE NOTICE '[mig 134] Total rules to reassign: %', rules_touched;
+
+    RAISE NOTICE '[mig 134] Proceeding_types to archive (is_active=false):';
+    FOR rec IN
+        SELECT id, code, name
+          FROM paliad.proceeding_types
+         WHERE code IN ('upc.apl.merits', 'upc.apl.cost', 'upc.apl.order')
+         ORDER BY sort_order
+    LOOP
+        RAISE NOTICE '[mig 134]   %  %  (id=%)', rec.code, rec.name, rec.id;
+        procs_archived := procs_archived + 1;
+    END LOOP;
+    RAISE NOTICE '[mig 134] Total proceeding_types to archive: %', procs_archived;
+END $$;
+
+-- ---------------------------------------------------------------
+-- 4. Reassign rule rows.
+--
+-- Stamp applies_to_target by source proceeding code, then point all
+-- 16 rules at the new upc.apl row.
+-- ---------------------------------------------------------------
+
+-- 4a. upc.apl.merits → applies_to_target = {endentscheidung}
+UPDATE paliad.deadline_rules dr
+   SET applies_to_target = ARRAY['endentscheidung']::text[]
+  FROM paliad.proceeding_types pt
+ WHERE pt.id = dr.proceeding_type_id
+   AND pt.code = 'upc.apl.merits'
+   AND dr.is_active = true;
+
+-- 4b. upc.apl.cost → applies_to_target = {kostenentscheidung}
+UPDATE paliad.deadline_rules dr
+   SET applies_to_target = ARRAY['kostenentscheidung']::text[]
+  FROM paliad.proceeding_types pt
+ WHERE pt.id = dr.proceeding_type_id
+   AND pt.code = 'upc.apl.cost'
+   AND dr.is_active = true;
+
+-- 4c. upc.apl.order → applies_to_target = {anordnung}
+UPDATE paliad.deadline_rules dr
+   SET applies_to_target = ARRAY['anordnung']::text[]
+  FROM paliad.proceeding_types pt
+ WHERE pt.id = dr.proceeding_type_id
+   AND pt.code = 'upc.apl.order'
+   AND dr.is_active = true;
+
+-- 4d. Reassign all 16 rules to the new upc.apl.unified proceeding_type row.
+UPDATE paliad.deadline_rules dr
+   SET proceeding_type_id = (
+        SELECT id FROM paliad.proceeding_types WHERE code = 'upc.apl.unified'
+       )
+  FROM paliad.proceeding_types pt
+ WHERE pt.id = dr.proceeding_type_id
+   AND pt.code IN ('upc.apl.merits', 'upc.apl.cost', 'upc.apl.order');
+
+-- ---------------------------------------------------------------
+-- 5. Archive the 3 old proceeding_types.
+--
+-- NEVER DELETE — historical project_event_choices and project FKs
+-- (paliad.projects.proceeding_type_id) may still reference these IDs.
+-- The is_active=false flag stops them appearing in the picker but
+-- preserves FK integrity for historical reads.
+-- ---------------------------------------------------------------
+
+UPDATE paliad.proceeding_types
+   SET is_active = false
+ WHERE code IN ('upc.apl.merits', 'upc.apl.cost', 'upc.apl.order');
+
+-- ---------------------------------------------------------------
+-- 6. Post-migration sanity check.
+-- ---------------------------------------------------------------
+
+DO $$
+DECLARE
+    unified_count int;
+    archived_count int;
+    target_distribution record;
+BEGIN
+    SELECT COUNT(*) INTO unified_count
+      FROM paliad.deadline_rules dr
+      JOIN paliad.proceeding_types pt ON pt.id = dr.proceeding_type_id
+     WHERE pt.code = 'upc.apl.unified' AND dr.is_active = true;
+    RAISE NOTICE '[mig 134] post: rules on unified upc.apl.unified = % (expected 16)', unified_count;
+    IF unified_count <> 16 THEN
+        RAISE EXCEPTION '[mig 134] FAILED — expected 16 rules on upc.apl.unified, got %', unified_count;
+    END IF;
+
+    SELECT COUNT(*) INTO archived_count
+      FROM paliad.proceeding_types
+     WHERE code IN ('upc.apl.merits', 'upc.apl.cost', 'upc.apl.order')
+       AND is_active = false;
+    RAISE NOTICE '[mig 134] post: archived old appeal proceeding_types = % (expected 3)', archived_count;
+    IF archived_count <> 3 THEN
+        RAISE EXCEPTION '[mig 134] FAILED — expected 3 archived types, got %', archived_count;
+    END IF;
+
+    FOR target_distribution IN
+        SELECT unnest(applies_to_target) AS target, COUNT(*) AS n
+          FROM paliad.deadline_rules dr
+          JOIN paliad.proceeding_types pt ON pt.id = dr.proceeding_type_id
+         WHERE pt.code = 'upc.apl.unified' AND dr.is_active = true
+         GROUP BY unnest(applies_to_target)
+         ORDER BY 1
+    LOOP
+        RAISE NOTICE '[mig 134] post: applies_to_target=%  count=%',
+            target_distribution.target, target_distribution.n;
+    END LOOP;
+END $$;
+
+-- ---------------------------------------------------------------
+-- TODO (follow-up slice, not in 134):
+--
+-- Seed rules for Schadensbemessung-as-appeal + Bucheinsicht-as-appeal.
+-- m's 2026-05-26 decision: distinct rule sets, NOT shared with merits.
+-- - Schadensbemessung: anchor on R.118.4 decision; conjecture 2/4-month
+--   merits-style track but distinct legal basis.
+-- - Bucheinsicht: anchor on R.142 (Lay-open-books decision); conjecture
+--   15-day track per R.220.2 + R.224.2.b.
+-- Can pair with t-paliad-193 orphan-concept-seed if m wants a combined
+-- editorial pass via /admin/rules.
+-- ---------------------------------------------------------------

internal/db/migrations/135_primary_party_check.down.sql

@@ -0,0 +1,8 @@
+-- 135_primary_party_check — DOWN
+--
+-- Drops the CHECK constraint added in 135.up. No data revert needed
+-- — the column stays text, the four-value vocab is enforced only by
+-- application code thereafter.
+
+ALTER TABLE paliad.deadline_rules
+    DROP CONSTRAINT IF EXISTS deadline_rules_primary_party_chk;

internal/db/migrations/135_primary_party_check.up.sql

@@ -0,0 +1,92 @@
+-- 135_primary_party_check — Slice B3, m/paliad#124 §18.3
+--
+-- Tightens paliad.deadline_rules.primary_party from free-text to a
+-- CHECK constraint over the canonical four-value vocabulary
+-- (claimant / defendant / court / both). NULL stays valid for the
+-- 78 cross-cutting orphan concept seeds (Wiedereinsetzung,
+-- Versäumnisurteil-Einspruch, Schriftsatznachreichung,
+-- Weiterbehandlung) — they have no proceeding_type_id binding so
+-- they're outside the calculator's path; loosening the CHECK to
+-- "IS NULL OR IN (…)" keeps them valid without backfill gymnastics.
+--
+-- Audit-first: the DO block RAISEs NOTICE for every non-conforming
+-- row before adding the CHECK, and RAISEs EXCEPTION if any dirty
+-- rows are found so the operator can decide a manual cleanup path.
+-- Live audit (Supabase, 2026-05-26 §18.0) confirmed zero dirty rows
+-- on the current corpus: 26 claimant + 26 defendant + 38 court +
+-- 63 both + 78 NULL = 231 total, all in the canonical vocab. The
+-- audit pass stays in the migration for safety against future drift
+-- (e.g. a rule editor write that bypassed the application-layer
+-- validation hook this slice also adds).
+
+DO $$
+DECLARE
+    rec record;
+    dirty_count int := 0;
+BEGIN
+    RAISE NOTICE '[mig 135] primary_party audit pass — non-conforming rows:';
+    FOR rec IN
+        SELECT dr.id, dr.name, dr.primary_party,
+               pt.code AS proceeding_code
+          FROM paliad.deadline_rules dr
+          LEFT JOIN paliad.proceeding_types pt ON pt.id = dr.proceeding_type_id
+         WHERE dr.is_active = true
+           AND dr.primary_party IS NOT NULL
+           AND dr.primary_party NOT IN ('claimant', 'defendant', 'court', 'both')
+         ORDER BY pt.code NULLS LAST, dr.name
+    LOOP
+        RAISE NOTICE '[mig 135]   %  %  primary_party=%  (rule=%)',
+            COALESCE(rec.proceeding_code, '<orphan>'),
+            rec.name,
+            rec.primary_party,
+            rec.id;
+        dirty_count := dirty_count + 1;
+    END LOOP;
+    IF dirty_count > 0 THEN
+        RAISE EXCEPTION '[mig 135] FAILED — % rule(s) carry non-canonical primary_party values. '
+            'Manual cleanup required: update each row to one of '
+            '''claimant'', ''defendant'', ''court'', ''both'', or NULL. '
+            'See the NOTICE lines above for the offending rows.', dirty_count;
+    END IF;
+    RAISE NOTICE '[mig 135] audit clean — proceeding with CHECK constraint';
+END $$;
+
+-- ---------------------------------------------------------------
+-- Add the CHECK constraint. NULL stays valid; the four canonical
+-- values are the only allowed non-NULL forms.
+-- ---------------------------------------------------------------
+
+ALTER TABLE paliad.deadline_rules
+    ADD CONSTRAINT deadline_rules_primary_party_chk
+        CHECK (
+            primary_party IS NULL
+            OR primary_party IN ('claimant', 'defendant', 'court', 'both')
+        );
+
+COMMENT ON CONSTRAINT deadline_rules_primary_party_chk
+    ON paliad.deadline_rules IS
+    'Slice B3 (mig 135, m/paliad#124 §18.3) — canonical four-value '
+    'vocab for primary_party (claimant / defendant / court / both). '
+    'NULL allowed for cross-cutting orphan concept seeds (78 rows in '
+    'live corpus as of mig 135). See pkg/litigationplanner.PrimaryParties '
+    'for the in-code vocabulary.';
+
+-- ---------------------------------------------------------------
+-- Post-migration distribution check — informational NOTICE only.
+-- ---------------------------------------------------------------
+
+DO $$
+DECLARE
+    rec record;
+BEGIN
+    RAISE NOTICE '[mig 135] post: primary_party distribution after constraint add:';
+    FOR rec IN
+        SELECT COALESCE(primary_party, '<NULL>') AS party, COUNT(*) AS n
+          FROM paliad.deadline_rules
+         WHERE is_active = true
+         GROUP BY primary_party
+         ORDER BY party
+    LOOP
+        RAISE NOTICE '[mig 135]   %  count=%', rec.party, rec.n;
+    END LOOP;
+END $$;

internal/db/migrations/136_procedural_events_additive.down.sql

@@ -0,0 +1,19 @@
+-- 136_procedural_events_additive (down) — Slice B.1, t-paliad-273
+--
+-- Safe to run at any point in B.1's lifetime. Up does NOT touch
+-- paliad.deadline_rules, so dropping the new tables + columns loses no
+-- application data — every source row in deadline_rules is intact and
+-- authoritative through the dual-write window.
+--
+-- Reverse order: drop indexes implicitly via DROP TABLE, drop the two
+-- deadlines link columns first (their FKs target procedural_events +
+-- sequencing_rules), then drop the three new tables in FK-safe order
+-- (sequencing_rules → procedural_events → legal_sources).
+
+ALTER TABLE paliad.deadlines
+    DROP COLUMN IF EXISTS procedural_event_id,
+    DROP COLUMN IF EXISTS sequencing_rule_id;
+
+DROP TABLE IF EXISTS paliad.sequencing_rules;
+DROP TABLE IF EXISTS paliad.procedural_events;
+DROP TABLE IF EXISTS paliad.legal_sources;

internal/db/migrations/136_procedural_events_additive.up.sql

@@ -0,0 +1,488 @@
+-- 136_procedural_events_additive — Slice B.1, t-paliad-273 / m/paliad#93
+--
+-- ADDITIVE ONLY. Creates the three new tables that split today's
+-- paliad.deadline_rules into its three latent concepts (per the
+-- 2026-05-25 inventor design + 2026-05-26 B.0 re-validation):
+--
+--   1. paliad.legal_sources        — the source-of-law citations
+--                                    (DE.PatG.102, UPC.RoP.220.1, …)
+--   2. paliad.procedural_events    — the procedural-event templates
+--                                    (Rechtsbeschwerdebegründung, etc.;
+--                                    successor of `submission_code`)
+--   3. paliad.sequencing_rules     — the timing + trigger + condition
+--                                    mechanics (today's per-row data)
+--
+-- and adds two nullable link columns on paliad.deadlines so B.2's
+-- dual-write phase has somewhere to point.
+--
+-- The migration does NOT touch paliad.deadline_rules. The legacy table
+-- stays intact and authoritative for reads until B.3 flips the cutover.
+-- deadlines.rule_id stays in place (read by the calculator + projection
+-- service). No app code is changed by this migration; B.2 introduces
+-- the dual-write that wires services to the new tables.
+--
+-- Backfill plan (cf. design §5.1 + B.0 findings §7):
+--   * legal_sources <- DISTINCT legal_source FROM deadline_rules WHERE
+--                       legal_source IS NOT NULL. pretty_de/pretty_en
+--                       LEFT NULL for now (legalSourcePretty() in Go
+--                       continues to materialise them on read; a future
+--                       slice backfills them via a Go shim).
+--   * procedural_events <-
+--       (a) DISTINCT ON (submission_code) FROM deadline_rules WHERE
+--           submission_code IS NOT NULL — picks the lowest-id rule per
+--           code as the procedural-event identity source.
+--       (b) one synthetic procedural_event per NULL-submission_code
+--           rule, code = 'null.' || substring(replace(id::text,'-',''),1,8).
+--           m's pick (paliadin instruction 2026-05-26): mint synthetic
+--           codes so every deadline_rules row ends up with a
+--           procedural_events row, preserving the 1:1 sequencing-rule
+--           backfill and keeping the NOT NULL FK on
+--           sequencing_rules.procedural_event_id intact.
+--   * sequencing_rules <- 1:1 from deadline_rules. The new row inherits
+--           the source row's id so that any existing
+--           paliad.deadlines.rule_id FK target stays resolvable through
+--           the dual-write window (design §5.1 step 4).
+--   * deadlines.procedural_event_id + sequencing_rule_id <- joined from
+--           sequencing_rules on the inherited id.
+--
+-- Design deviations (intentional, documented):
+--   - procedural_events.event_kind is NULLABLE (design proposed NOT NULL
+--     with 'other' fallback). Today 89 deadline_rules rows have NULL
+--     event_type — these are "structural / parent-only rows in the
+--     proceeding tree" per B.0 §1. Forcing them to 'other' would lose
+--     semantics. A later slice can tighten this to NOT NULL after the
+--     78+11 NULLs are reclassified.
+--   - legal_sources.pretty_de / pretty_en are NULLABLE (design proposed
+--     NOT NULL). Materialising them requires the Go-side
+--     legalSourcePretty() function — out of scope for a SQL migration.
+--     The Go read path continues to compute them on the fly from
+--     legal_source / citation; a future slice (Go shim driven from
+--     internal/services/submission_vars.go:619) backfills them.
+--   - submission_drafts is NOT modified. The design proposes adding
+--     procedural_event_id there too (§4.1 §5.1 step 6) but the B.1
+--     instruction scope is explicit: tables + deadlines columns only.
+--     submission_drafts continues to key off submission_code text.
+--
+-- Audit pattern follows mig 135 (Slice B3): PRE-pass counts what we
+-- expect to write, BACKFILL runs the SELECT-INSERTs, POST-pass verifies
+-- row counts and FK integrity. Any mismatch RAISE EXCEPTIONs and the
+-- transaction rolls back — operator sees the NOTICE lines and the
+-- failed assertion message.
+--
+-- See: docs/design-procedural-events-model-2026-05-25.md §4 + §5
+--      docs/design-procedural-events-b0-findings-2026-05-26.md §7
+
+-- ---------------------------------------------------------------
+-- 0. PRE pass — snapshot what we're about to backfill
+-- ---------------------------------------------------------------
+
+DO $$
+DECLARE
+    v_rules           int;
+    v_codes_nn        int;
+    v_codes_distinct  int;
+    v_codes_null      int;
+    v_legal_distinct  int;
+    v_concept_linked  int;
+    v_dups            int;
+BEGIN
+    SELECT COUNT(*) INTO v_rules            FROM paliad.deadline_rules;
+    SELECT COUNT(*) INTO v_codes_nn         FROM paliad.deadline_rules WHERE submission_code IS NOT NULL;
+    SELECT COUNT(DISTINCT submission_code) INTO v_codes_distinct
+                                            FROM paliad.deadline_rules WHERE submission_code IS NOT NULL;
+    SELECT COUNT(*) INTO v_codes_null       FROM paliad.deadline_rules WHERE submission_code IS NULL;
+    SELECT COUNT(DISTINCT legal_source) INTO v_legal_distinct
+                                            FROM paliad.deadline_rules WHERE legal_source IS NOT NULL;
+    SELECT COUNT(*) INTO v_concept_linked   FROM paliad.deadline_rules WHERE concept_id IS NOT NULL;
+
+    RAISE NOTICE '[mig 136] PRE: deadline_rules=%, with_submission_code=%, distinct_codes=%, null_codes=%, distinct_legal_sources=%, concept_linked=%',
+        v_rules, v_codes_nn, v_codes_distinct, v_codes_null, v_legal_distinct, v_concept_linked;
+
+    -- Defensive: refuse to run if multi-row submission_codes have crept
+    -- back in. B.0 (2026-05-26) found zero; mig 134 + 135 do not add
+    -- any. If this CHECK ever fires the backfill arithmetic below
+    -- breaks silently (one PE per code becomes ambiguous), so abort.
+    SELECT COUNT(*) INTO v_dups FROM (
+        SELECT submission_code
+          FROM paliad.deadline_rules
+         WHERE submission_code IS NOT NULL
+         GROUP BY submission_code
+        HAVING COUNT(*) > 1
+    ) d;
+    IF v_dups > 0 THEN
+        RAISE EXCEPTION '[mig 136] FAILED PRE: % submission_code value(s) appear on >1 deadline_rules row. '
+            'The B.0 audit (2026-05-26) found zero. If you are seeing this, a rule was added that '
+            'duplicates an existing submission_code (or the _archived_litigation.* rows returned). '
+            'Decide whether the new schema collapses them (multiple sequencing rules → one '
+            'procedural event) or whether each row gets its own code, then update this migration '
+            'or the offending data before re-running.', v_dups;
+    END IF;
+END $$;
+
+-- ---------------------------------------------------------------
+-- 1. CREATE TABLE paliad.legal_sources
+-- ---------------------------------------------------------------
+
+CREATE TABLE paliad.legal_sources (
+    id           uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    citation     text NOT NULL UNIQUE,
+    jurisdiction text NOT NULL,
+    pretty_de    text,
+    pretty_en    text,
+    notes        text,
+    created_at   timestamptz NOT NULL DEFAULT now(),
+    updated_at   timestamptz NOT NULL DEFAULT now()
+);
+
+COMMENT ON TABLE paliad.legal_sources IS
+    'Source-of-law citations (DE.PatG.102, UPC.RoP.220.1, …). One row per '
+    'distinct citation shorthand. pretty_de/pretty_en backfilled by a '
+    'future Go-driven slice; until then NULL and the Go service ('
+    'internal/services/submission_vars.go:619 legalSourcePretty) computes '
+    'the human-readable form on read from the citation. Slice B.1 t-paliad-273.';
+
+CREATE INDEX legal_sources_jurisdiction_idx ON paliad.legal_sources(jurisdiction);
+
+-- ---------------------------------------------------------------
+-- 2. CREATE TABLE paliad.procedural_events
+-- ---------------------------------------------------------------
+
+CREATE TABLE paliad.procedural_events (
+    id                    uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    code                  text NOT NULL UNIQUE,
+    name                  text NOT NULL,
+    name_en               text NOT NULL DEFAULT '',
+    description           text,
+    event_kind            text,
+    primary_party_default text,
+    legal_source_id       uuid REFERENCES paliad.legal_sources(id),
+    concept_id            uuid REFERENCES paliad.deadline_concepts(id),
+    lifecycle_state       text NOT NULL DEFAULT 'published',
+    draft_of              uuid REFERENCES paliad.procedural_events(id),
+    published_at          timestamptz,
+    is_active             boolean NOT NULL DEFAULT true,
+    created_at            timestamptz NOT NULL DEFAULT now(),
+    updated_at            timestamptz NOT NULL DEFAULT now()
+);
+
+COMMENT ON TABLE paliad.procedural_events IS
+    'Procedural-event templates — the "what kind of step is this in the '
+    'proceeding" hat of the legacy paliad.deadline_rules row. One row per '
+    'unique submission_code, plus one synthetic row per NULL-submission_code '
+    'rule (code prefix "null."). Slice B.1 t-paliad-273.';
+
+COMMENT ON COLUMN paliad.procedural_events.event_kind IS
+    'filing|reply|hearing|decision|order|other. NULLABLE for now — 89 '
+    'rules in the live corpus have NULL event_type (structural / parent-only '
+    'rows in the proceeding tree). A future slice can tighten to NOT NULL '
+    'after these are reclassified.';
+
+COMMENT ON COLUMN paliad.procedural_events.concept_id IS
+    'Optional reference to a deadline_concepts row. N:1 — one concept may '
+    'be shared by many procedural events (e.g. "Berufungsfrist" attaches to '
+    'all four court-specific Berufung procedural events). Do NOT add UNIQUE.';
+
+CREATE INDEX procedural_events_concept_id_idx     ON paliad.procedural_events(concept_id);
+CREATE INDEX procedural_events_event_kind_idx     ON paliad.procedural_events(event_kind);
+CREATE INDEX procedural_events_lifecycle_idx      ON paliad.procedural_events(lifecycle_state);
+CREATE INDEX procedural_events_legal_source_idx   ON paliad.procedural_events(legal_source_id);
+
+-- ---------------------------------------------------------------
+-- 3. CREATE TABLE paliad.sequencing_rules
+-- ---------------------------------------------------------------
+
+CREATE TABLE paliad.sequencing_rules (
+    id                       uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    procedural_event_id      uuid NOT NULL REFERENCES paliad.procedural_events(id),
+    proceeding_type_id       integer REFERENCES paliad.proceeding_types(id),
+    parent_id                uuid REFERENCES paliad.sequencing_rules(id),
+    trigger_event_id         bigint REFERENCES paliad.trigger_events(id),
+    duration_value           integer NOT NULL DEFAULT 0,
+    duration_unit            text NOT NULL DEFAULT 'months',
+    timing                   text DEFAULT 'after',
+    alt_duration_value       integer,
+    alt_duration_unit        text,
+    alt_rule_code            text,
+    anchor_alt               text,
+    combine_op               text,
+    condition_expr           jsonb,
+    primary_party            text,
+    sequence_order           integer NOT NULL DEFAULT 0,
+    is_spawn                 boolean NOT NULL DEFAULT false,
+    spawn_label              text,
+    spawn_proceeding_type_id integer REFERENCES paliad.proceeding_types(id),
+    is_bilateral             boolean NOT NULL DEFAULT false,
+    is_court_set             boolean NOT NULL DEFAULT false,
+    priority                 text NOT NULL DEFAULT 'mandatory',
+    rule_code                text,
+    rule_codes               text[],
+    deadline_notes           text,
+    deadline_notes_en        text,
+    choices_offered          jsonb,
+    applies_to_target        text[],
+    lifecycle_state          text NOT NULL DEFAULT 'published',
+    draft_of                 uuid REFERENCES paliad.sequencing_rules(id),
+    published_at             timestamptz,
+    is_active                boolean NOT NULL DEFAULT true,
+    created_at               timestamptz NOT NULL DEFAULT now(),
+    updated_at               timestamptz NOT NULL DEFAULT now()
+);
+
+COMMENT ON TABLE paliad.sequencing_rules IS
+    'Sequencing-rule mechanics — the "how and when does this fire" hat of '
+    'the legacy paliad.deadline_rules row. 1:1 with deadline_rules during '
+    'the dual-write window; the id is inherited from deadline_rules.id so '
+    'paliad.deadlines.rule_id FKs continue to resolve transitively. '
+    'Slice B.1 t-paliad-273.';
+
+COMMENT ON COLUMN paliad.sequencing_rules.primary_party IS
+    'Per-rule override of procedural_events.primary_party_default. Same '
+    'four-value vocab as deadline_rules.primary_party (mig 135 CHECK). '
+    'NULL = use procedural-event default. A future slice can add the '
+    'same CHECK here.';
+
+CREATE INDEX sequencing_rules_pe_proc_lifecycle_idx
+    ON paliad.sequencing_rules(procedural_event_id, proceeding_type_id, lifecycle_state);
+CREATE INDEX sequencing_rules_parent_id_idx       ON paliad.sequencing_rules(parent_id);
+CREATE INDEX sequencing_rules_trigger_event_idx   ON paliad.sequencing_rules(trigger_event_id);
+CREATE INDEX sequencing_rules_proceeding_type_idx ON paliad.sequencing_rules(proceeding_type_id);
+
+-- ---------------------------------------------------------------
+-- 4. ALTER paliad.deadlines — add link columns
+-- ---------------------------------------------------------------
+
+ALTER TABLE paliad.deadlines
+    ADD COLUMN procedural_event_id uuid REFERENCES paliad.procedural_events(id),
+    ADD COLUMN sequencing_rule_id  uuid REFERENCES paliad.sequencing_rules(id);
+
+COMMENT ON COLUMN paliad.deadlines.procedural_event_id IS
+    'NULLABLE link to the procedural event this deadline instantiates. '
+    'Added Slice B.1 (mig 136). B.2 dual-write populates it on every new '
+    'deadline; B.3 cutover flips reads to use this instead of rule_id. '
+    'rule_id stays in place until B.4 destructive drop.';
+COMMENT ON COLUMN paliad.deadlines.sequencing_rule_id IS
+    'NULLABLE link to the sequencing rule. Same lifecycle as '
+    'procedural_event_id — added Slice B.1, dual-written B.2, read in B.3, '
+    'rule_id dropped in B.4.';
+
+CREATE INDEX deadlines_procedural_event_id_idx ON paliad.deadlines(procedural_event_id);
+CREATE INDEX deadlines_sequencing_rule_id_idx  ON paliad.deadlines(sequencing_rule_id);
+
+-- ---------------------------------------------------------------
+-- 5. BACKFILL — legal_sources
+-- ---------------------------------------------------------------
+
+INSERT INTO paliad.legal_sources (citation, jurisdiction)
+SELECT DISTINCT
+    legal_source AS citation,
+    COALESCE(NULLIF(split_part(legal_source, '.', 1), ''), 'other') AS jurisdiction
+  FROM paliad.deadline_rules
+ WHERE legal_source IS NOT NULL;
+
+-- ---------------------------------------------------------------
+-- 6. BACKFILL — procedural_events
+--    (a) codes-bearing branch: DISTINCT ON (submission_code) picks the
+--        lowest-id (tie-break sequence_order) deadline_rules row as the
+--        identity source per the design's §5.1 step 3.
+--    (b) NULL-code branch: one synthetic row per rule, code minted from
+--        the rule id's first 8 hex chars (sans dashes) — m's pick
+--        2026-05-26 (paliadin instruction).
+-- ---------------------------------------------------------------
+
+-- (a) codes-bearing rules → one procedural_events row per distinct code
+INSERT INTO paliad.procedural_events
+    (code, name, name_en, description, event_kind, primary_party_default,
+     legal_source_id, concept_id, lifecycle_state, published_at, is_active)
+SELECT
+    src.submission_code,
+    src.name,
+    src.name_en,
+    src.description,
+    src.event_type,
+    src.primary_party,
+    ls.id,
+    src.concept_id,
+    src.lifecycle_state,
+    src.published_at,
+    src.is_active
+FROM (
+    SELECT DISTINCT ON (submission_code)
+        submission_code, name, name_en, description, event_type,
+        primary_party, concept_id, legal_source, lifecycle_state,
+        published_at, is_active
+      FROM paliad.deadline_rules
+     WHERE submission_code IS NOT NULL
+     ORDER BY submission_code, id, sequence_order
+) src
+LEFT JOIN paliad.legal_sources ls ON ls.citation = src.legal_source;
+
+-- (b) NULL-code rules → one synthetic procedural_events row each
+INSERT INTO paliad.procedural_events
+    (code, name, name_en, description, event_kind, primary_party_default,
+     legal_source_id, concept_id, lifecycle_state, published_at, is_active)
+SELECT
+    'null.' || substring(replace(dr.id::text, '-', ''), 1, 8) AS code,
+    dr.name,
+    dr.name_en,
+    dr.description,
+    dr.event_type,
+    dr.primary_party,
+    ls.id,
+    dr.concept_id,
+    dr.lifecycle_state,
+    dr.published_at,
+    dr.is_active
+  FROM paliad.deadline_rules dr
+  LEFT JOIN paliad.legal_sources ls ON ls.citation = dr.legal_source
+ WHERE dr.submission_code IS NULL;
+
+-- ---------------------------------------------------------------
+-- 7. BACKFILL — sequencing_rules
+--    1:1 with deadline_rules. id inherited so deadlines.rule_id FKs
+--    continue to resolve through the dual-write window (design §5.1
+--    step 4). procedural_event_id resolved by JOIN on the (real or
+--    synthetic) code.
+-- ---------------------------------------------------------------
+
+INSERT INTO paliad.sequencing_rules
+    (id, procedural_event_id, proceeding_type_id, parent_id, trigger_event_id,
+     duration_value, duration_unit, timing,
+     alt_duration_value, alt_duration_unit, alt_rule_code, anchor_alt,
+     combine_op, condition_expr, primary_party, sequence_order,
+     is_spawn, spawn_label, spawn_proceeding_type_id,
+     is_bilateral, is_court_set, priority,
+     rule_code, rule_codes, deadline_notes, deadline_notes_en,
+     choices_offered, applies_to_target,
+     lifecycle_state, draft_of, published_at, is_active,
+     created_at, updated_at)
+SELECT
+    dr.id,
+    pe.id,
+    dr.proceeding_type_id,
+    dr.parent_id,
+    dr.trigger_event_id,
+    dr.duration_value, dr.duration_unit, dr.timing,
+    dr.alt_duration_value, dr.alt_duration_unit, dr.alt_rule_code, dr.anchor_alt,
+    dr.combine_op, dr.condition_expr, dr.primary_party, dr.sequence_order,
+    dr.is_spawn, dr.spawn_label, dr.spawn_proceeding_type_id,
+    dr.is_bilateral, dr.is_court_set, dr.priority,
+    dr.rule_code, dr.rule_codes, dr.deadline_notes, dr.deadline_notes_en,
+    dr.choices_offered, dr.applies_to_target,
+    dr.lifecycle_state,
+    -- draft_of is a self-FK on deadline_rules; preserve as a self-FK on
+    -- sequencing_rules since the inherited ids are stable across both.
+    dr.draft_of,
+    dr.published_at, dr.is_active,
+    dr.created_at, dr.updated_at
+  FROM paliad.deadline_rules dr
+  JOIN paliad.procedural_events pe
+    ON pe.code = COALESCE(
+         dr.submission_code,
+         'null.' || substring(replace(dr.id::text, '-', ''), 1, 8)
+       );
+
+-- ---------------------------------------------------------------
+-- 8. BACKFILL — paliad.deadlines link columns
+-- ---------------------------------------------------------------
+
+UPDATE paliad.deadlines d
+   SET procedural_event_id = sr.procedural_event_id,
+       sequencing_rule_id  = sr.id
+  FROM paliad.sequencing_rules sr
+ WHERE d.rule_id = sr.id;
+
+-- ---------------------------------------------------------------
+-- 9. POST pass — integrity assertions
+-- ---------------------------------------------------------------
+
+DO $$
+DECLARE
+    v_dr_total           int;
+    v_dr_codes_distinct  int;
+    v_dr_codes_null      int;
+    v_dr_legal_distinct  int;
+    v_pe_total           int;
+    v_sr_total           int;
+    v_ls_total           int;
+    v_orphan_pe          int;
+    v_dup_synthetic      int;
+    v_deadlines_linked   int;
+    v_deadlines_total    int;
+    v_pe_missing_ls      int;
+BEGIN
+    SELECT COUNT(*)                    INTO v_dr_total          FROM paliad.deadline_rules;
+    SELECT COUNT(DISTINCT submission_code)
+                                       INTO v_dr_codes_distinct FROM paliad.deadline_rules WHERE submission_code IS NOT NULL;
+    SELECT COUNT(*)                    INTO v_dr_codes_null     FROM paliad.deadline_rules WHERE submission_code IS NULL;
+    SELECT COUNT(DISTINCT legal_source)
+                                       INTO v_dr_legal_distinct FROM paliad.deadline_rules WHERE legal_source IS NOT NULL;
+    SELECT COUNT(*)                    INTO v_pe_total          FROM paliad.procedural_events;
+    SELECT COUNT(*)                    INTO v_sr_total          FROM paliad.sequencing_rules;
+    SELECT COUNT(*)                    INTO v_ls_total          FROM paliad.legal_sources;
+    SELECT COUNT(*)                    INTO v_deadlines_total   FROM paliad.deadlines;
+    SELECT COUNT(*)                    INTO v_deadlines_linked  FROM paliad.deadlines WHERE procedural_event_id IS NOT NULL;
+
+    -- a. procedural_events row count = distinct_codes + null_codes
+    IF v_pe_total <> v_dr_codes_distinct + v_dr_codes_null THEN
+        RAISE EXCEPTION '[mig 136] FAILED POST: procedural_events count mismatch — got %, expected % (% distinct codes + % null-code rules)',
+            v_pe_total, v_dr_codes_distinct + v_dr_codes_null, v_dr_codes_distinct, v_dr_codes_null;
+    END IF;
+
+    -- b. sequencing_rules row count = deadline_rules row count (1:1)
+    IF v_sr_total <> v_dr_total THEN
+        RAISE EXCEPTION '[mig 136] FAILED POST: sequencing_rules count mismatch — got %, expected % (1:1 with deadline_rules)',
+            v_sr_total, v_dr_total;
+    END IF;
+
+    -- c. legal_sources row count = distinct legal_source in deadline_rules
+    IF v_ls_total <> v_dr_legal_distinct THEN
+        RAISE EXCEPTION '[mig 136] FAILED POST: legal_sources count mismatch — got %, expected % (distinct legal_source)',
+            v_ls_total, v_dr_legal_distinct;
+    END IF;
+
+    -- d. every sequencing_rules row's procedural_event_id resolves
+    SELECT COUNT(*)
+      INTO v_orphan_pe
+      FROM paliad.sequencing_rules sr
+      LEFT JOIN paliad.procedural_events pe ON pe.id = sr.procedural_event_id
+     WHERE pe.id IS NULL;
+    IF v_orphan_pe > 0 THEN
+        RAISE EXCEPTION '[mig 136] FAILED POST: % sequencing_rules row(s) have no resolving procedural_event_id', v_orphan_pe;
+    END IF;
+
+    -- e. no two synthetic codes collide (would have crashed the INSERT
+    --    via UNIQUE, but assert again for clarity — collision among 78
+    --    UUIDs at 8 hex chars is ~6e-7 probability)
+    SELECT COUNT(*)
+      INTO v_dup_synthetic
+      FROM (
+        SELECT code, COUNT(*) AS n
+          FROM paliad.procedural_events
+         WHERE code LIKE 'null.%'
+         GROUP BY code
+        HAVING COUNT(*) > 1
+      ) d;
+    IF v_dup_synthetic > 0 THEN
+        RAISE EXCEPTION '[mig 136] FAILED POST: % synthetic codes collided. '
+            'Re-run with a longer substring (16 hex chars instead of 8) '
+            'or full uuid in the code-mint expression.', v_dup_synthetic;
+    END IF;
+
+    -- f. every procedural_events.legal_source_id either resolves or is
+    --    NULL (NULL is fine — 119 of 231 rules have NULL legal_source)
+    SELECT COUNT(*)
+      INTO v_pe_missing_ls
+      FROM paliad.procedural_events pe
+      LEFT JOIN paliad.legal_sources ls ON ls.id = pe.legal_source_id
+     WHERE pe.legal_source_id IS NOT NULL
+       AND ls.id IS NULL;
+    IF v_pe_missing_ls > 0 THEN
+        RAISE EXCEPTION '[mig 136] FAILED POST: % procedural_events row(s) reference a missing legal_sources id', v_pe_missing_ls;
+    END IF;
+
+    RAISE NOTICE '[mig 136] POST: legal_sources=%, procedural_events=%, sequencing_rules=%, deadlines=% (% linked)',
+        v_ls_total, v_pe_total, v_sr_total, v_deadlines_total, v_deadlines_linked;
+    RAISE NOTICE '[mig 136] integrity OK — backfill complete. '
+                 'deadline_rules untouched (1:1 with sequencing_rules; '
+                 'ready for B.2 dual-write).';
+END $$;

internal/db/migrations/137_proceeding_role_labels.down.sql

@@ -0,0 +1,18 @@
+-- 137_proceeding_role_labels — DOWN
+--
+-- Drops the 4 role-label columns. Backfilled data is lost on
+-- down-migration; that's acceptable because the frontend renderer
+-- falls back to the default labels ("Klägerseite" / "Beklagtenseite")
+-- when the columns are absent.
+
+ALTER TABLE paliad.proceeding_types
+    DROP COLUMN IF EXISTS role_reactive_label_en;
+
+ALTER TABLE paliad.proceeding_types
+    DROP COLUMN IF EXISTS role_reactive_label_de;
+
+ALTER TABLE paliad.proceeding_types
+    DROP COLUMN IF EXISTS role_proactive_label_en;
+
+ALTER TABLE paliad.proceeding_types
+    DROP COLUMN IF EXISTS role_proactive_label_de;

internal/db/migrations/137_proceeding_role_labels.up.sql

@@ -0,0 +1,137 @@
+-- 137_proceeding_role_labels — t-paliad-301, m/paliad#132
+--
+-- Bug A fix: per-proceeding role labels so the Verfahrensablauf side
+-- selector can render "Berufungskläger / Berufungsbeklagter" for the
+-- unified UPC Berufung tile instead of the generic "Klägerseite /
+-- Beklagtenseite".
+--
+-- Four new optional columns on paliad.proceeding_types. NULL on a
+-- column falls back to the language-default ("Klägerseite" / "Claimant
+-- side" / "Beklagtenseite" / "Defendant side") in the frontend renderer.
+-- Only the proceedings whose role-naming actually differs get a backfill.
+--
+-- Live-DB audit (mcp__supabase__execute_sql) before drafting:
+--   - paliad.proceeding_types has 14 columns; the 4 target columns do
+--     NOT exist (zero name collisions).
+--   - Zero triggers on paliad.proceeding_types. No audit_reason
+--     setup needed.
+--   - No updated_at / created_at on the table — DO NOT include
+--     timestamp UPDATEs (lesson from mig 134 HOTFIX 3).
+--
+-- ADDITIVE ONLY. ALTER + UPDATE statements; no CHECK constraints
+-- (the columns are free-text labels, validated at the application layer).
+-- Down migration drops the 4 columns.
+--
+-- See m/paliad#132 for the full design rationale + the role-label
+-- matrix per proceeding code.
+
+-- ---------------------------------------------------------------
+-- 1. Schema additions
+-- ---------------------------------------------------------------
+
+ALTER TABLE paliad.proceeding_types
+    ADD COLUMN role_proactive_label_de text NULL;
+
+ALTER TABLE paliad.proceeding_types
+    ADD COLUMN role_proactive_label_en text NULL;
+
+ALTER TABLE paliad.proceeding_types
+    ADD COLUMN role_reactive_label_de text NULL;
+
+ALTER TABLE paliad.proceeding_types
+    ADD COLUMN role_reactive_label_en text NULL;
+
+COMMENT ON COLUMN paliad.proceeding_types.role_proactive_label_de IS
+    'DE label for the proactive (claimant-equivalent) side of this '
+    'proceeding. NULL = renderer falls back to "Klägerseite". '
+    't-paliad-301 / m/paliad#132 Bug A.';
+COMMENT ON COLUMN paliad.proceeding_types.role_proactive_label_en IS
+    'EN label for the proactive side. NULL = "Claimant side".';
+COMMENT ON COLUMN paliad.proceeding_types.role_reactive_label_de IS
+    'DE label for the reactive (defendant-equivalent) side. NULL = '
+    '"Beklagtenseite".';
+COMMENT ON COLUMN paliad.proceeding_types.role_reactive_label_en IS
+    'EN label for the reactive side. NULL = "Defendant side".';
+
+-- ---------------------------------------------------------------
+-- 2. Audit-first NOTICE pass.
+--
+-- Lists which proceeding_types are about to receive a backfill so
+-- the operator sees the scope before the UPDATE fires. NULL columns
+-- on every other row stay NULL (the frontend falls back to defaults).
+-- ---------------------------------------------------------------
+
+DO $$
+DECLARE
+    rec record;
+    backfill_count int := 0;
+BEGIN
+    RAISE NOTICE '[mig 137] Proceedings that will receive role-label backfill:';
+    FOR rec IN
+        SELECT code, name
+          FROM paliad.proceeding_types
+         WHERE code IN ('upc.apl.unified', 'upc.rev.cfi', 'epa.opp.opd', 'epa.opp.boa')
+         ORDER BY code
+    LOOP
+        RAISE NOTICE '[mig 137]   %  %', rec.code, rec.name;
+        backfill_count := backfill_count + 1;
+    END LOOP;
+    RAISE NOTICE '[mig 137] Total: % proceedings (others stay NULL → renderer default)', backfill_count;
+END $$;
+
+-- ---------------------------------------------------------------
+-- 3. Backfill.
+--
+-- Per the design matrix in m/paliad#132:
+--   - upc.apl.unified → Berufungskläger / Berufungsbeklagter / Appellant / Appellee
+--   - upc.rev.cfi     → Antragsteller (Nichtigkeit) / Antragsgegner (Nichtigkeit) /
+--                       Revocation claimant / Revocation defendant
+--   - epa.opp.opd     → Einsprechende(r) / Patentinhaber(in) /
+--                       Opponent / Patentee
+--   - epa.opp.boa     → Einsprechende(r) / Patentinhaber(in) /
+--                       Opponent / Patentee
+--   - (others)        → stay NULL → frontend defaults
+-- ---------------------------------------------------------------
+
+UPDATE paliad.proceeding_types
+   SET role_proactive_label_de = 'Berufungskläger',
+       role_reactive_label_de  = 'Berufungsbeklagter',
+       role_proactive_label_en = 'Appellant',
+       role_reactive_label_en  = 'Appellee'
+ WHERE code = 'upc.apl.unified';
+
+UPDATE paliad.proceeding_types
+   SET role_proactive_label_de = 'Antragsteller (Nichtigkeit)',
+       role_reactive_label_de  = 'Antragsgegner (Nichtigkeit)',
+       role_proactive_label_en = 'Revocation claimant',
+       role_reactive_label_en  = 'Revocation defendant'
+ WHERE code = 'upc.rev.cfi';
+
+UPDATE paliad.proceeding_types
+   SET role_proactive_label_de = 'Einsprechende(r)',
+       role_reactive_label_de  = 'Patentinhaber(in)',
+       role_proactive_label_en = 'Opponent',
+       role_reactive_label_en  = 'Patentee'
+ WHERE code IN ('epa.opp.opd', 'epa.opp.boa');
+
+-- ---------------------------------------------------------------
+-- 4. Post-migration NOTICE — informational only.
+-- ---------------------------------------------------------------
+
+DO $$
+DECLARE
+    rec record;
+BEGIN
+    RAISE NOTICE '[mig 137] post: backfilled role-label distribution:';
+    FOR rec IN
+        SELECT code,
+               role_proactive_label_de,
+               role_reactive_label_de
+          FROM paliad.proceeding_types
+         WHERE role_proactive_label_de IS NOT NULL
+         ORDER BY code
+    LOOP
+        RAISE NOTICE '[mig 137]   %  proactive=%  reactive=%',
+            rec.code, rec.role_proactive_label_de, rec.role_reactive_label_de;
+    END LOOP;
+END $$;

internal/db/migrations/138_appeal_target_backfill_merits_order.down.sql

@@ -0,0 +1,71 @@
+-- 138_appeal_target_backfill_merits_order DOWN — t-paliad-303, m/paliad#134
+--
+-- Removes 'schadensbemessung' from the merits-track rules and
+-- 'bucheinsicht' from the order-track rules, restoring the pre-137
+-- shape (endentscheidung-only / anordnung-only / kostenentscheidung-only).
+
+-- ---------------------------------------------------------------
+-- 0. Audit reason (required by mig 079 trigger for any UPDATE on
+--    paliad.deadline_rules).
+-- ---------------------------------------------------------------
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 138 DOWN: t-paliad-303 — strip Schadensbemessung/Bucheinsicht from applies_to_target per m/paliad#134',
+    true);
+
+-- ---------------------------------------------------------------
+-- 1. Strip new targets via array_remove.
+--
+-- WHERE clauses pinned to upc.apl.unified to avoid touching unrelated
+-- rules that might have been added later under other proceeding types.
+-- ---------------------------------------------------------------
+
+-- 1a. Remove schadensbemessung from merits-track rows.
+UPDATE paliad.deadline_rules dr
+   SET applies_to_target = array_remove(dr.applies_to_target, 'schadensbemessung')
+  FROM paliad.proceeding_types pt
+ WHERE pt.id = dr.proceeding_type_id
+   AND pt.code = 'upc.apl.unified'
+   AND dr.is_active = true
+   AND 'schadensbemessung' = ANY(dr.applies_to_target);
+
+-- 1b. Remove bucheinsicht from order-track rows.
+UPDATE paliad.deadline_rules dr
+   SET applies_to_target = array_remove(dr.applies_to_target, 'bucheinsicht')
+  FROM paliad.proceeding_types pt
+ WHERE pt.id = dr.proceeding_type_id
+   AND pt.code = 'upc.apl.unified'
+   AND dr.is_active = true
+   AND 'bucheinsicht' = ANY(dr.applies_to_target);
+
+-- ---------------------------------------------------------------
+-- 2. Sanity check — no row may carry the new targets after the down.
+-- ---------------------------------------------------------------
+
+DO $$
+DECLARE
+    schad_left int;
+    buch_left int;
+BEGIN
+    SELECT COUNT(*) INTO schad_left
+      FROM paliad.deadline_rules dr
+      JOIN paliad.proceeding_types pt ON pt.id = dr.proceeding_type_id
+     WHERE pt.code = 'upc.apl.unified'
+       AND dr.is_active = true
+       AND 'schadensbemessung' = ANY(dr.applies_to_target);
+    SELECT COUNT(*) INTO buch_left
+      FROM paliad.deadline_rules dr
+      JOIN paliad.proceeding_types pt ON pt.id = dr.proceeding_type_id
+     WHERE pt.code = 'upc.apl.unified'
+       AND dr.is_active = true
+       AND 'bucheinsicht' = ANY(dr.applies_to_target);
+
+    IF schad_left > 0 THEN
+        RAISE EXCEPTION '[mig 138 DOWN] FAILED — % rows still carry schadensbemessung', schad_left;
+    END IF;
+    IF buch_left > 0 THEN
+        RAISE EXCEPTION '[mig 138 DOWN] FAILED — % rows still carry bucheinsicht', buch_left;
+    END IF;
+    RAISE NOTICE '[mig 138 DOWN] stripped schadensbemessung + bucheinsicht from upc.apl.unified rules';
+END $$;

internal/db/migrations/138_appeal_target_backfill_merits_order.up.sql

@@ -0,0 +1,232 @@
+-- 138_appeal_target_backfill_merits_order — t-paliad-303, m/paliad#134
+--
+-- Slice B1 (mig 134) introduced the unified upc.apl.unified proceeding type
+-- with 5 appeal_target enum values: endentscheidung, kostenentscheidung,
+-- anordnung, schadensbemessung, bucheinsicht. The first three each carry
+-- rules; schadensbemessung and bucheinsicht returned an empty timeline
+-- because no rules referenced them yet.
+--
+-- m's 2026-05-26 decision (#134): extend applies_to_target on the existing
+-- rules — Schadensbemessung := merits track (R.224 anchored on R.118
+-- substantive decisions), Bucheinsicht := order track (R.220.2 +
+-- R.224.2.b + R.235.2 + R.237 + R.238.2 etc.). Legal premise verified
+-- against the 16 live rules — every endentscheidung rule is a generic
+-- R.224 merits step, every anordnung rule is a generic R.220/224/235/237/
+-- 238 order step. No rule carries content specific to a particular kind
+-- of underlying decision/order. Audit on the comment trail of #134.
+
+-- ---------------------------------------------------------------
+-- 0. Audit reason (required by mig 079 trigger for any UPDATE on
+--    paliad.deadline_rules — both UPDATEs below trigger it).
+-- ---------------------------------------------------------------
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 138: t-paliad-303 — extend applies_to_target for Schadensbemessung (merits) + Bucheinsicht (order) per m/paliad#134',
+    true);
+
+-- ---------------------------------------------------------------
+-- 1. Audit-first DO block.
+--
+-- Resolve upc.apl.unified, count the rows we are about to touch, and
+-- RAISE EXCEPTION if anything looks wrong (proceeding type missing,
+-- merits/order rule counts off, or a rule already carries the new
+-- target — which would mean an earlier partial run).
+-- ---------------------------------------------------------------
+
+DO $$
+DECLARE
+    rec record;
+    upc_apl_id int;
+    merits_count int;
+    order_count int;
+    schad_already int;
+    buch_already int;
+BEGIN
+    SELECT id INTO upc_apl_id
+      FROM paliad.proceeding_types
+     WHERE code = 'upc.apl.unified';
+    IF upc_apl_id IS NULL THEN
+        RAISE EXCEPTION '[mig 138] upc.apl.unified proceeding_type not found — mig 134 must run first';
+    END IF;
+    RAISE NOTICE '[mig 138] upc.apl.unified proceeding_type_id = %', upc_apl_id;
+
+    SELECT COUNT(*) INTO merits_count
+      FROM paliad.deadline_rules
+     WHERE proceeding_type_id = upc_apl_id
+       AND is_active = true
+       AND 'endentscheidung' = ANY(applies_to_target);
+    SELECT COUNT(*) INTO order_count
+      FROM paliad.deadline_rules
+     WHERE proceeding_type_id = upc_apl_id
+       AND is_active = true
+       AND 'anordnung' = ANY(applies_to_target);
+
+    RAISE NOTICE '[mig 138] live counts: endentscheidung=% anordnung=%', merits_count, order_count;
+    IF merits_count <> 7 THEN
+        RAISE EXCEPTION '[mig 138] expected 7 endentscheidung rules under upc.apl.unified, got %', merits_count;
+    END IF;
+    IF order_count <> 7 THEN
+        RAISE EXCEPTION '[mig 138] expected 7 anordnung rules under upc.apl.unified, got %', order_count;
+    END IF;
+
+    SELECT COUNT(*) INTO schad_already
+      FROM paliad.deadline_rules
+     WHERE proceeding_type_id = upc_apl_id
+       AND is_active = true
+       AND 'schadensbemessung' = ANY(applies_to_target);
+    SELECT COUNT(*) INTO buch_already
+      FROM paliad.deadline_rules
+     WHERE proceeding_type_id = upc_apl_id
+       AND is_active = true
+       AND 'bucheinsicht' = ANY(applies_to_target);
+    IF schad_already > 0 THEN
+        RAISE EXCEPTION '[mig 138] % rules already carry schadensbemessung — partial run?', schad_already;
+    END IF;
+    IF buch_already > 0 THEN
+        RAISE EXCEPTION '[mig 138] % rules already carry bucheinsicht — partial run?', buch_already;
+    END IF;
+
+    RAISE NOTICE '[mig 138] rules to extend with schadensbemessung (merits track):';
+    FOR rec IN
+        SELECT dr.id, dr.rule_code, dr.legal_source, dr.name, dr.applies_to_target
+          FROM paliad.deadline_rules dr
+         WHERE dr.proceeding_type_id = upc_apl_id
+           AND dr.is_active = true
+           AND 'endentscheidung' = ANY(dr.applies_to_target)
+         ORDER BY dr.sequence_order, dr.rule_code NULLS LAST
+    LOOP
+        RAISE NOTICE '[mig 138]   merits  %  %  %  pre=%  →  post=%',
+            COALESCE(rec.rule_code, '(no-code)'),
+            COALESCE(rec.legal_source, '(no-source)'),
+            rec.name,
+            rec.applies_to_target,
+            rec.applies_to_target || 'schadensbemessung'::text;
+    END LOOP;
+
+    RAISE NOTICE '[mig 138] rules to extend with bucheinsicht (order track):';
+    FOR rec IN
+        SELECT dr.id, dr.rule_code, dr.legal_source, dr.name, dr.applies_to_target
+          FROM paliad.deadline_rules dr
+         WHERE dr.proceeding_type_id = upc_apl_id
+           AND dr.is_active = true
+           AND 'anordnung' = ANY(dr.applies_to_target)
+         ORDER BY dr.sequence_order, dr.rule_code NULLS LAST
+    LOOP
+        RAISE NOTICE '[mig 138]   order   %  %  %  pre=%  →  post=%',
+            COALESCE(rec.rule_code, '(no-code)'),
+            COALESCE(rec.legal_source, '(no-source)'),
+            rec.name,
+            rec.applies_to_target,
+            rec.applies_to_target || 'bucheinsicht'::text;
+    END LOOP;
+END $$;
+
+-- ---------------------------------------------------------------
+-- 2. Extend applies_to_target.
+--
+-- Narrow WHERE clauses key off upc.apl.unified + existing target +
+-- absence of new target, so the UPDATEs are idempotent in spirit
+-- (the audit block above already RAISE EXCEPTIONed if any row
+-- already had the new value).
+-- ---------------------------------------------------------------
+
+-- 2a. Schadensbemessung := merits track (7 rules expected).
+UPDATE paliad.deadline_rules dr
+   SET applies_to_target = applies_to_target || 'schadensbemessung'::text
+  FROM paliad.proceeding_types pt
+ WHERE pt.id = dr.proceeding_type_id
+   AND pt.code = 'upc.apl.unified'
+   AND dr.is_active = true
+   AND 'endentscheidung' = ANY(dr.applies_to_target)
+   AND NOT ('schadensbemessung' = ANY(dr.applies_to_target));
+
+-- 2b. Bucheinsicht := order track (7 rules expected).
+UPDATE paliad.deadline_rules dr
+   SET applies_to_target = applies_to_target || 'bucheinsicht'::text
+  FROM paliad.proceeding_types pt
+ WHERE pt.id = dr.proceeding_type_id
+   AND pt.code = 'upc.apl.unified'
+   AND dr.is_active = true
+   AND 'anordnung' = ANY(dr.applies_to_target)
+   AND NOT ('bucheinsicht' = ANY(dr.applies_to_target));
+
+-- ---------------------------------------------------------------
+-- 3. Post-migration sanity check.
+--
+-- Hard-fail on any divergence: the two new targets must each cover
+-- 7 rules, the original three targets must be unchanged in count,
+-- and no rule has lost its prior target.
+-- ---------------------------------------------------------------
+
+DO $$
+DECLARE
+    schad_post int;
+    buch_post int;
+    end_post int;
+    anord_post int;
+    cost_post int;
+    target_distribution record;
+BEGIN
+    SELECT COUNT(*) INTO schad_post
+      FROM paliad.deadline_rules dr
+      JOIN paliad.proceeding_types pt ON pt.id = dr.proceeding_type_id
+     WHERE pt.code = 'upc.apl.unified'
+       AND dr.is_active = true
+       AND 'schadensbemessung' = ANY(dr.applies_to_target);
+    SELECT COUNT(*) INTO buch_post
+      FROM paliad.deadline_rules dr
+      JOIN paliad.proceeding_types pt ON pt.id = dr.proceeding_type_id
+     WHERE pt.code = 'upc.apl.unified'
+       AND dr.is_active = true
+       AND 'bucheinsicht' = ANY(dr.applies_to_target);
+    SELECT COUNT(*) INTO end_post
+      FROM paliad.deadline_rules dr
+      JOIN paliad.proceeding_types pt ON pt.id = dr.proceeding_type_id
+     WHERE pt.code = 'upc.apl.unified'
+       AND dr.is_active = true
+       AND 'endentscheidung' = ANY(dr.applies_to_target);
+    SELECT COUNT(*) INTO anord_post
+      FROM paliad.deadline_rules dr
+      JOIN paliad.proceeding_types pt ON pt.id = dr.proceeding_type_id
+     WHERE pt.code = 'upc.apl.unified'
+       AND dr.is_active = true
+       AND 'anordnung' = ANY(dr.applies_to_target);
+    SELECT COUNT(*) INTO cost_post
+      FROM paliad.deadline_rules dr
+      JOIN paliad.proceeding_types pt ON pt.id = dr.proceeding_type_id
+     WHERE pt.code = 'upc.apl.unified'
+       AND dr.is_active = true
+       AND 'kostenentscheidung' = ANY(dr.applies_to_target);
+
+    RAISE NOTICE '[mig 138] post: schadensbemessung=%  bucheinsicht=%  endentscheidung=%  anordnung=%  kostenentscheidung=%',
+        schad_post, buch_post, end_post, anord_post, cost_post;
+
+    IF schad_post <> 7 THEN
+        RAISE EXCEPTION '[mig 138] FAILED — expected 7 schadensbemessung rules, got %', schad_post;
+    END IF;
+    IF buch_post <> 7 THEN
+        RAISE EXCEPTION '[mig 138] FAILED — expected 7 bucheinsicht rules, got %', buch_post;
+    END IF;
+    IF end_post <> 7 THEN
+        RAISE EXCEPTION '[mig 138] FAILED — endentscheidung count drifted: expected 7, got %', end_post;
+    END IF;
+    IF anord_post <> 7 THEN
+        RAISE EXCEPTION '[mig 138] FAILED — anordnung count drifted: expected 7, got %', anord_post;
+    END IF;
+    IF cost_post <> 2 THEN
+        RAISE EXCEPTION '[mig 138] FAILED — kostenentscheidung count drifted: expected 2, got %', cost_post;
+    END IF;
+
+    FOR target_distribution IN
+        SELECT unnest(applies_to_target) AS target, COUNT(*) AS n
+          FROM paliad.deadline_rules dr
+          JOIN paliad.proceeding_types pt ON pt.id = dr.proceeding_type_id
+         WHERE pt.code = 'upc.apl.unified' AND dr.is_active = true
+         GROUP BY unnest(applies_to_target)
+         ORDER BY 1
+    LOOP
+        RAISE NOTICE '[mig 138] post: applies_to_target=%  count=%',
+            target_distribution.target, target_distribution.n;
+    END LOOP;
+END $$;

internal/db/migrations/139_deadline_rules_unified_view.down.sql

@@ -0,0 +1,7 @@
+-- 139_deadline_rules_unified_view (down) — Slice B.3, t-paliad-305
+--
+-- Drops the view. The underlying paliad.sequencing_rules /
+-- procedural_events / legal_sources tables are untouched (they own the
+-- data — the view is just a projection).
+
+DROP VIEW IF EXISTS paliad.deadline_rules_unified;

internal/db/migrations/139_deadline_rules_unified_view.up.sql

@@ -0,0 +1,122 @@
+-- 139_deadline_rules_unified_view — Slice B.3 read cutover (t-paliad-305 / m/paliad#93)
+--
+-- Creates paliad.deadline_rules_unified — a Postgres VIEW that
+-- re-projects paliad.sequencing_rules + paliad.procedural_events +
+-- paliad.legal_sources back into the legacy paliad.deadline_rules
+-- column shape.
+--
+-- Why a view instead of rewriting every SELECT in Go:
+--
+--   - 19 read sites across 11 service files reference
+--     paliad.deadline_rules. Rewriting each by hand multiplies the
+--     opportunity for off-by-one bugs in the JOIN.
+--   - The view has the same column names + types as the legacy table,
+--     so the change in Go is a 1-token substitution per query
+--     (FROM paliad.deadline_rules → FROM paliad.deadline_rules_unified)
+--     with no struct or scanner changes.
+--   - When B.4 drops paliad.deadline_rules, this view stays — it
+--     becomes the canonical legacy-shape reader for any code that
+--     hasn't been migrated to direct sr/pe/ls reads.
+--
+-- Column mapping (per design §4.2):
+--   - id, proceeding_type_id, parent_id, primary_party, duration_*,
+--     timing, sequence_order, is_spawn/court_set/bilateral, priority,
+--     rule_code, rule_codes, deadline_notes(_en), condition_expr,
+--     choices_offered, applies_to_target, trigger_event_id,
+--     spawn_proceeding_type_id, anchor_alt, alt_duration_*,
+--     alt_rule_code, combine_op, lifecycle_state, draft_of,
+--     published_at, is_active, created_at, updated_at, spawn_label
+--       → from paliad.sequencing_rules
+--   - submission_code           → procedural_events.code
+--   - name, name_en, description→ procedural_events
+--   - event_type                → procedural_events.event_kind (renamed)
+--   - concept_id                → procedural_events
+--   - legal_source              → legal_sources.citation (via legal_source_id FK)
+--
+-- The view is READ-ONLY by default. Writes still go to the underlying
+-- tables — RuleEditorService is refactored in the same slice to write
+-- directly to sr/pe/ls. paliad.deadline_rules is FROZEN from B.3 onward
+-- (no new writes); the dual-write helper from B.2 is decommissioned.
+
+-- The CHECK constraint on sequencing_rules.primary_party doesn't exist
+-- yet (mig 135 only constrained deadline_rules.primary_party). The view
+-- inherits whatever value sr.primary_party carries; mig 136's backfill
+-- set sr.primary_party = dr.primary_party so the canonical four-value
+-- vocab is already in place. A later slice can add the same CHECK to
+-- sequencing_rules itself.
+
+CREATE OR REPLACE VIEW paliad.deadline_rules_unified AS
+SELECT
+    sr.id,
+    sr.proceeding_type_id,
+    sr.parent_id,
+    pe.code                    AS submission_code,
+    pe.name,
+    pe.name_en,
+    pe.description,
+    sr.primary_party,
+    pe.event_kind              AS event_type,
+    sr.duration_value,
+    sr.duration_unit,
+    sr.timing,
+    sr.alt_duration_value,
+    sr.alt_duration_unit,
+    sr.alt_rule_code,
+    sr.anchor_alt,
+    sr.combine_op,
+    sr.rule_code,
+    sr.deadline_notes,
+    sr.deadline_notes_en,
+    sr.sequence_order,
+    sr.is_spawn,
+    sr.spawn_label,
+    sr.spawn_proceeding_type_id,
+    sr.is_bilateral,
+    sr.is_court_set,
+    sr.priority,
+    sr.condition_expr,
+    pe.concept_id,
+    ls.citation                AS legal_source,
+    sr.trigger_event_id,
+    sr.rule_codes,
+    sr.choices_offered,
+    sr.applies_to_target,
+    sr.lifecycle_state,
+    sr.draft_of,
+    sr.published_at,
+    sr.is_active,
+    sr.created_at,
+    sr.updated_at
+  FROM paliad.sequencing_rules sr
+  JOIN paliad.procedural_events pe ON pe.id = sr.procedural_event_id
+  LEFT JOIN paliad.legal_sources  ls ON ls.id = pe.legal_source_id;
+
+COMMENT ON VIEW paliad.deadline_rules_unified IS
+    'Slice B.3 (mig 139, t-paliad-305): legacy-shape projection over '
+    'sequencing_rules + procedural_events + legal_sources. Read-only — '
+    'writes go directly to the three underlying tables via '
+    'RuleEditorService. Survives B.4 destructive drop of '
+    'paliad.deadline_rules; the view will then be the only '
+    'legacy-shape reader.';
+
+-- Post-apply integrity check: confirm the view's row count matches the
+-- live sequencing_rules row count. A mismatch would indicate either a
+-- mid-deploy race (rare) or a JOIN issue (the LEFT JOIN to legal_sources
+-- never drops rows, the INNER JOIN to procedural_events drops sr rows
+-- whose procedural_event_id is NULL — but that column is NOT NULL on
+-- the table so it can't happen). Belt-and-braces.
+DO $$
+DECLARE
+    v_view_count int;
+    v_sr_count   int;
+BEGIN
+    SELECT COUNT(*) INTO v_view_count FROM paliad.deadline_rules_unified;
+    SELECT COUNT(*) INTO v_sr_count   FROM paliad.sequencing_rules;
+    IF v_view_count <> v_sr_count THEN
+        RAISE EXCEPTION '[mig 139] FAILED POST: view row count % does not match sequencing_rules row count %. '
+            'Possible cause: a sequencing_rules row references a procedural_event_id that does not exist (NOT NULL FK should prevent this).',
+            v_view_count, v_sr_count;
+    END IF;
+    RAISE NOTICE '[mig 139] view OK — deadline_rules_unified rows = % (= sequencing_rules)',
+        v_view_count;
+END $$;

internal/db/migrations/145_scenarios.down.sql

@@ -0,0 +1,13 @@
+-- 145_scenarios — DOWN
+--
+-- Reverses mig 145. Drops the FK on paliad.projects, the table, the
+-- trigger function, and the RLS policies (CASCADE on table drop kills
+-- policies). Any data in paliad.scenarios is lost on down.
+
+ALTER TABLE paliad.projects
+    DROP COLUMN IF EXISTS active_scenario_id;
+
+DROP TRIGGER IF EXISTS scenarios_touch_updated_at_trg ON paliad.scenarios;
+DROP FUNCTION IF EXISTS paliad.scenarios_touch_updated_at();
+
+DROP TABLE IF EXISTS paliad.scenarios CASCADE;

internal/db/migrations/145_scenarios.up.sql

@@ -0,0 +1,170 @@
+-- 145_scenarios — Slice D, m/paliad#124 §5 (revised)
+--
+-- Creates paliad.scenarios + paliad.projects.active_scenario_id FK.
+-- A scenario is a named composition of existing proceedings + flags
+-- + per-card choices + anchor dates the user can switch between for
+-- a project (project_id NOT NULL) OR save as an abstract template on
+-- /tools/verfahrensablauf (project_id IS NULL).
+--
+-- m's 2026-05-26 picks (AskUserQuestion round, doc commit 6e58595):
+--   Q1: composition shape  → primary+spawned (v1); multi-proceeding
+--                            peer compose is the v2 goal. spec.jsonb
+--                            architected for N entries from day 1.
+--   Q2: scope              → per-project + abstract.
+--   Q3: trigger dates      → per-anchor overrides over one base date.
+--   Q4: storage            → NEW paliad.scenarios table with jsonb
+--                            spec (NOT a project_event_choices column
+--                            extension).
+--
+-- "users should not add their own rules" (m, t-paliad-301) — scenarios
+-- compose existing rules, never author new ones. spec.proceedings[*].code
+-- must resolve to an existing active paliad.proceeding_types row;
+-- spec.proceedings[*].anchor_overrides keys must resolve to existing
+-- submission_codes. Validation happens at the application layer
+-- (ScenarioService.validateSpec) — not in DB CHECK constraints (too
+-- expensive to express in pure SQL).
+--
+-- Migration number: 145. Coordination check 2026-05-26 17:38: curie's
+-- B.2-B.6 migrations land in the 139-143 range. 144 reserved as buffer.
+-- 145 is the next safe claim.
+--
+-- ADDITIVE ONLY: CREATE TABLE, ALTER ADD COLUMN, indexes, RLS policies.
+-- Down drops everything. No backfill (zero existing scenarios on day 1).
+--
+-- See docs/design-litigation-planner-2026-05-26.md §5 + §18.4 for the
+-- design.
+
+-- ---------------------------------------------------------------
+-- 1. The scenarios table
+-- ---------------------------------------------------------------
+
+CREATE TABLE paliad.scenarios (
+    id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    -- project_id NULL = abstract scenario (saved Verfahrensablauf
+    -- template, no Akte). project_id NOT NULL = scenario attached to
+    -- a real Akte.
+    project_id  uuid NULL REFERENCES paliad.projects(id) ON DELETE CASCADE,
+    name        text NOT NULL,
+    description text NULL,
+    -- spec carries the full composition. Shape documented in the
+    -- design doc §5; the application validates structure before write.
+    spec        jsonb NOT NULL,
+    created_by  uuid NULL REFERENCES paliad.users(id) ON DELETE SET NULL,
+    created_at  timestamptz NOT NULL DEFAULT now(),
+    updated_at  timestamptz NOT NULL DEFAULT now(),
+
+    -- Within a single project, scenario names are unique. Abstract
+    -- scenarios are unique per (created_by, name) so two users can
+    -- each keep a "with_ccr" template without colliding. NULLS NOT
+    -- DISTINCT means a single user can have one "name" per
+    -- (project_id, created_by) tuple, where NULL project_id +
+    -- NULL created_by is a single global namespace (used only by
+    -- seed / system scenarios — none today).
+    CONSTRAINT scenarios_unique_per_scope
+        UNIQUE NULLS NOT DISTINCT (project_id, created_by, name),
+
+    -- Non-empty name.
+    CONSTRAINT scenarios_name_nonempty CHECK (char_length(name) > 0),
+
+    -- Non-empty spec — at least an object. The application checks
+    -- structure (version, proceedings[], base_trigger_date format).
+    CONSTRAINT scenarios_spec_object CHECK (jsonb_typeof(spec) = 'object')
+);
+
+CREATE INDEX scenarios_project_id_idx
+    ON paliad.scenarios(project_id) WHERE project_id IS NOT NULL;
+
+CREATE INDEX scenarios_abstract_user_idx
+    ON paliad.scenarios(created_by) WHERE project_id IS NULL;
+
+COMMENT ON TABLE paliad.scenarios IS
+    'Named compositions of existing proceedings + flags + per-card '
+    'choices + anchor dates. project_id NULL = abstract template; '
+    'project_id NOT NULL = attached to an Akte. Design: '
+    'docs/design-litigation-planner-2026-05-26.md §5. (Slice D)';
+
+COMMENT ON COLUMN paliad.scenarios.spec IS
+    'jsonb composition spec. Shape: {version: int, base_trigger_date: '
+    'ISO date, proceedings: [{code, role, flags[], per_card_choices, '
+    'anchor_overrides, skip_rules[]}, ...]}. Validated at write-time '
+    'by ScenarioService.validateSpec.';
+
+-- ---------------------------------------------------------------
+-- 2. paliad.projects.active_scenario_id FK
+--
+-- NULL = use today's ad-hoc per-card choice state from
+-- paliad.project_event_choices (pre-scenario behaviour preserved).
+-- Non-NULL = the project's current SmartTimeline / Akte-Fristenrechner
+-- render reads from this scenario's spec instead.
+-- ---------------------------------------------------------------
+
+ALTER TABLE paliad.projects
+    ADD COLUMN active_scenario_id uuid NULL
+        REFERENCES paliad.scenarios(id) ON DELETE SET NULL;
+
+COMMENT ON COLUMN paliad.projects.active_scenario_id IS
+    'FK to paliad.scenarios. NULL = read choices from '
+    'paliad.project_event_choices (legacy). Non-NULL = read from the '
+    'pointed scenario.spec.';
+
+-- ---------------------------------------------------------------
+-- 3. RLS — mirror paliad.project_event_choices's pattern (mig 129).
+--
+-- Project-scoped scenarios (project_id NOT NULL) inherit team visibility
+-- via paliad.can_see_project. Abstract scenarios (project_id IS NULL)
+-- are private to created_by — only the author can read / write them.
+-- ---------------------------------------------------------------
+
+ALTER TABLE paliad.scenarios ENABLE ROW LEVEL SECURITY;
+
+-- Project-scoped: team visibility.
+DROP POLICY IF EXISTS scenarios_project_select ON paliad.scenarios;
+CREATE POLICY scenarios_project_select ON paliad.scenarios
+    FOR SELECT
+    USING (project_id IS NOT NULL AND paliad.can_see_project(project_id));
+
+DROP POLICY IF EXISTS scenarios_project_mutate ON paliad.scenarios;
+CREATE POLICY scenarios_project_mutate ON paliad.scenarios
+    FOR ALL
+    USING (project_id IS NOT NULL AND paliad.can_see_project(project_id))
+    WITH CHECK (project_id IS NOT NULL AND paliad.can_see_project(project_id));
+
+-- Abstract: owner-only.
+DROP POLICY IF EXISTS scenarios_abstract_select ON paliad.scenarios;
+CREATE POLICY scenarios_abstract_select ON paliad.scenarios
+    FOR SELECT
+    USING (project_id IS NULL AND created_by = auth.uid());
+
+DROP POLICY IF EXISTS scenarios_abstract_mutate ON paliad.scenarios;
+CREATE POLICY scenarios_abstract_mutate ON paliad.scenarios
+    FOR ALL
+    USING (project_id IS NULL AND created_by = auth.uid())
+    WITH CHECK (project_id IS NULL AND created_by = auth.uid());
+
+-- ---------------------------------------------------------------
+-- 4. updated_at trigger (mirrors other paliad tables that carry
+-- updated_at — keep it in lockstep with row mutations).
+-- ---------------------------------------------------------------
+
+CREATE OR REPLACE FUNCTION paliad.scenarios_touch_updated_at()
+    RETURNS trigger AS $$
+BEGIN
+    NEW.updated_at = now();
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER scenarios_touch_updated_at_trg
+    BEFORE UPDATE ON paliad.scenarios
+    FOR EACH ROW
+    EXECUTE FUNCTION paliad.scenarios_touch_updated_at();
+
+-- ---------------------------------------------------------------
+-- 5. Informational NOTICE — schema-only migration, zero rows added.
+-- ---------------------------------------------------------------
+
+DO $$
+BEGIN
+    RAISE NOTICE '[mig 145] paliad.scenarios created (0 rows; awaits API usage)';
+    RAISE NOTICE '[mig 145] paliad.projects.active_scenario_id added (all rows NULL initially)';
+END $$;

internal/db/migrations/146_submission_bases.down.sql

@@ -0,0 +1,3 @@
+-- t-paliad-313: revert submission_bases catalog.
+
+DROP TABLE IF EXISTS paliad.submission_bases;

internal/db/migrations/146_submission_bases.up.sql

@@ -0,0 +1,173 @@
+-- t-paliad-313 (m/paliad#141): Composer Slice A — submission base catalog.
+--
+-- paliad.submission_bases is a thin pointer table — each row maps a
+-- short, stable slug ("hlc-letterhead", "neutral", …) onto a Gitea path
+-- that holds the actual .docx body, plus a JSON section-spec describing
+-- the base's default section set, stylemap, and per-section seed
+-- Markdown. The .docx in Gitea stays the source of truth for the
+-- chrome, fonts, paragraph styles, and (in later slices) the
+-- {{#section:KEY}} anchors. The DB row carries the listable metadata
+-- the picker needs.
+--
+-- Visibility: every authenticated user SELECTs (the catalog is shared
+-- firm-wide). Mutations are admin-only and enforced in Go at the
+-- handler layer — RLS only gates reads.
+--
+-- Slice A seeds two rows:
+--   1. hlc-letterhead — points at the existing HLC firm skeleton
+--      (_firm-skeleton.docx with HL Patents Style typography).
+--   2. neutral — points at the universal _skeleton.docx.
+-- Specialist bases (lg-duesseldorf, upc-formal) land in Slice E with
+-- their own .docx authoring task.
+
+CREATE TABLE IF NOT EXISTS paliad.submission_bases (
+    id                uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    slug              text NOT NULL UNIQUE,
+    firm              text,
+    proceeding_family text,
+    label_de          text NOT NULL,
+    label_en          text NOT NULL,
+    description_de    text,
+    description_en    text,
+    gitea_path        text NOT NULL,
+    section_spec      jsonb NOT NULL,
+    is_default_for    text[] NOT NULL DEFAULT '{}'::text[],
+    is_active         bool NOT NULL DEFAULT true,
+    created_at        timestamptz NOT NULL DEFAULT now(),
+    updated_at        timestamptz NOT NULL DEFAULT now()
+);
+
+CREATE INDEX IF NOT EXISTS submission_bases_firm_family_idx
+    ON paliad.submission_bases (firm, proceeding_family) WHERE is_active;
+
+ALTER TABLE paliad.submission_bases ENABLE ROW LEVEL SECURITY;
+
+DROP POLICY IF EXISTS submission_bases_select ON paliad.submission_bases;
+CREATE POLICY submission_bases_select
+    ON paliad.submission_bases FOR SELECT TO authenticated
+    USING (true);
+
+-- INSERT / UPDATE / DELETE intentionally absent — admin-only mutations
+-- happen via the handler layer with explicit role checks. No RLS path
+-- for mutations means RLS denies them by default.
+
+DROP TRIGGER IF EXISTS submission_bases_set_updated_at ON paliad.submission_bases;
+CREATE TRIGGER submission_bases_set_updated_at
+    BEFORE UPDATE ON paliad.submission_bases
+    FOR EACH ROW EXECUTE FUNCTION paliad.tg_set_updated_at();
+
+COMMENT ON TABLE paliad.submission_bases IS
+    't-paliad-313: Composer base catalog. One row per base template (HLC letterhead, neutral, …) pointing at a .docx in Gitea + a JSON section spec.';
+
+-- Seed: HLC letterhead + neutral skeleton. The section_spec carries the
+-- 10 default sections (letterhead, caption, introduction, requests,
+-- facts, legal_argument, evidence, exhibits, closing, signature) with
+-- their kinds, default order, and bilingual labels. seed_md_de /
+-- seed_md_en are populated for the bag-driven sections (letterhead,
+-- caption, signature); the remaining sections seed empty.
+--
+-- exhibits.included=false by default (lawyer opts in when an attachment
+-- list applies). Every other section ships included=true.
+
+INSERT INTO paliad.submission_bases
+    (slug, firm, proceeding_family, label_de, label_en, description_de, description_en, gitea_path, section_spec, is_default_for)
+VALUES
+    ('hlc-letterhead', 'HLC', NULL,
+     'HLC-Briefkopf', 'HLC letterhead',
+     'Mit HL Patents Style — Firmen-Header, Schriftarten, Absatzformaten.',
+     'With HL Patents Style — firm header, fonts, paragraph styles.',
+     '6 - material/Templates/Word/Paliad/HLC/_firm-skeleton.docx',
+     jsonb_build_object(
+         'version', 1,
+         'stylemap', jsonb_build_object(
+             'paragraph',      'HLpat-Body-B0',
+             'heading_1',      'HLpat-Heading-H1',
+             'heading_2',      'HLpat-Heading-H2',
+             'heading_3',      'HLpat-Heading-H3',
+             'list_bullet',    'HLpat-Body-B0',
+             'list_numbered',  'HLpat-Body-B0',
+             'blockquote',     'HLpat-Body-B1'
+         ),
+         'defaults', jsonb_build_array(
+             jsonb_build_object('section_key','letterhead',     'kind','prose',    'order_index', 1, 'label_de','Briefkopf',             'label_en','Letterhead',
+                                'included',true,
+                                'seed_md_de', E'Schriftsatz von {{firm.name}}\n\n{{user.display_name}}, {{user.office}}',
+                                'seed_md_en', E'Submission by {{firm.name}}\n\n{{user.display_name}}, {{user.office}}'),
+             jsonb_build_object('section_key','caption',        'kind','prose',    'order_index', 2, 'label_de','Rubrum',                'label_en','Caption',
+                                'included',true,
+                                'seed_md_de', E'In der Sache\n\n**{{parties.claimant.0.name}}**\nvertreten durch {{parties.claimant.0.representative}}\n\n— Klägerin —\n\ngegen\n\n**{{parties.defendant.0.name}}**\nvertreten durch {{parties.defendant.0.representative}}\n\n— Beklagte —\n\nAktenzeichen: {{project.case_number}}\n{{project.court}}',
+                                'seed_md_en', E'In the matter\n\n**{{parties.claimant.0.name}}**\nrepresented by {{parties.claimant.0.representative}}\n\n— Claimant —\n\nv.\n\n**{{parties.defendant.0.name}}**\nrepresented by {{parties.defendant.0.representative}}\n\n— Defendant —\n\nCase number: {{project.case_number}}\n{{project.court}}'),
+             jsonb_build_object('section_key','introduction',   'kind','prose',    'order_index', 3, 'label_de','Einleitung',            'label_en','Introduction',
+                                'included',true, 'seed_md_de', '', 'seed_md_en', ''),
+             jsonb_build_object('section_key','requests',       'kind','requests', 'order_index', 4, 'label_de','Anträge',               'label_en','Requests',
+                                'included',true, 'seed_md_de', '', 'seed_md_en', ''),
+             jsonb_build_object('section_key','facts',          'kind','prose',    'order_index', 5, 'label_de','Sachverhalt',           'label_en','Facts',
+                                'included',true, 'seed_md_de', '', 'seed_md_en', ''),
+             jsonb_build_object('section_key','legal_argument', 'kind','prose',    'order_index', 6, 'label_de','Rechtliche Würdigung',  'label_en','Legal argument',
+                                'included',true, 'seed_md_de', '', 'seed_md_en', ''),
+             jsonb_build_object('section_key','evidence',       'kind','evidence', 'order_index', 7, 'label_de','Beweisangebote',        'label_en','Evidence offering',
+                                'included',true, 'seed_md_de', '', 'seed_md_en', ''),
+             jsonb_build_object('section_key','exhibits',       'kind','prose',    'order_index', 8, 'label_de','Anlagen',               'label_en','Exhibits',
+                                'included',false, 'seed_md_de', '', 'seed_md_en', ''),
+             jsonb_build_object('section_key','closing',        'kind','prose',    'order_index', 9, 'label_de','Schlussformel',         'label_en','Closing',
+                                'included',true,
+                                'seed_md_de', E'Mit freundlichen Grüßen',
+                                'seed_md_en', E'Yours sincerely,'),
+             jsonb_build_object('section_key','signature',      'kind','prose',    'order_index',10, 'label_de','Unterschrift',          'label_en','Signature',
+                                'included',true,
+                                'seed_md_de', E'{{user.display_name}}\n{{user.office}}',
+                                'seed_md_en', E'{{user.display_name}}\n{{user.office}}')
+         )
+     ),
+     '{}'::text[]
+    ),
+    ('neutral', NULL, NULL,
+     'Neutraler Schriftsatz', 'Neutral skeleton',
+     'Universelle Vorlage ohne firmenspezifisches Branding.',
+     'Universal template with no firm-specific branding.',
+     '6 - material/Templates/Word/Paliad/HLC/_skeleton.docx',
+     jsonb_build_object(
+         'version', 1,
+         'stylemap', jsonb_build_object(
+             'paragraph',      'Normal',
+             'heading_1',      'Heading 1',
+             'heading_2',      'Heading 2',
+             'heading_3',      'Heading 3',
+             'list_bullet',    'Normal',
+             'list_numbered',  'Normal',
+             'blockquote',     'Quote'
+         ),
+         'defaults', jsonb_build_array(
+             jsonb_build_object('section_key','letterhead',     'kind','prose',    'order_index', 1, 'label_de','Briefkopf',             'label_en','Letterhead',
+                                'included',true,
+                                'seed_md_de', E'Schriftsatz von {{firm.name}}\n\n{{user.display_name}}',
+                                'seed_md_en', E'Submission by {{firm.name}}\n\n{{user.display_name}}'),
+             jsonb_build_object('section_key','caption',        'kind','prose',    'order_index', 2, 'label_de','Rubrum',                'label_en','Caption',
+                                'included',true,
+                                'seed_md_de', E'In der Sache\n\n**{{parties.claimant.0.name}}**\n— Klägerin —\n\ngegen\n\n**{{parties.defendant.0.name}}**\n— Beklagte —\n\nAktenzeichen: {{project.case_number}}',
+                                'seed_md_en', E'In the matter\n\n**{{parties.claimant.0.name}}**\n— Claimant —\n\nv.\n\n**{{parties.defendant.0.name}}**\n— Defendant —\n\nCase number: {{project.case_number}}'),
+             jsonb_build_object('section_key','introduction',   'kind','prose',    'order_index', 3, 'label_de','Einleitung',            'label_en','Introduction',
+                                'included',true, 'seed_md_de', '', 'seed_md_en', ''),
+             jsonb_build_object('section_key','requests',       'kind','requests', 'order_index', 4, 'label_de','Anträge',               'label_en','Requests',
+                                'included',true, 'seed_md_de', '', 'seed_md_en', ''),
+             jsonb_build_object('section_key','facts',          'kind','prose',    'order_index', 5, 'label_de','Sachverhalt',           'label_en','Facts',
+                                'included',true, 'seed_md_de', '', 'seed_md_en', ''),
+             jsonb_build_object('section_key','legal_argument', 'kind','prose',    'order_index', 6, 'label_de','Rechtliche Würdigung',  'label_en','Legal argument',
+                                'included',true, 'seed_md_de', '', 'seed_md_en', ''),
+             jsonb_build_object('section_key','evidence',       'kind','evidence', 'order_index', 7, 'label_de','Beweisangebote',        'label_en','Evidence offering',
+                                'included',true, 'seed_md_de', '', 'seed_md_en', ''),
+             jsonb_build_object('section_key','exhibits',       'kind','prose',    'order_index', 8, 'label_de','Anlagen',               'label_en','Exhibits',
+                                'included',false, 'seed_md_de', '', 'seed_md_en', ''),
+             jsonb_build_object('section_key','closing',        'kind','prose',    'order_index', 9, 'label_de','Schlussformel',         'label_en','Closing',
+                                'included',true,
+                                'seed_md_de', E'Mit freundlichen Grüßen',
+                                'seed_md_en', E'Yours sincerely,'),
+             jsonb_build_object('section_key','signature',      'kind','prose',    'order_index',10, 'label_de','Unterschrift',          'label_en','Signature',
+                                'included',true,
+                                'seed_md_de', E'{{user.display_name}}',
+                                'seed_md_en', E'{{user.display_name}}')
+         )
+     ),
+     '{}'::text[]
+    )
+ON CONFLICT (slug) DO NOTHING;

internal/db/migrations/147_submission_drafts_composer.down.sql

@@ -0,0 +1,5 @@
+-- t-paliad-313: revert Composer columns on submission_drafts.
+
+ALTER TABLE paliad.submission_drafts
+    DROP COLUMN IF EXISTS composer_meta,
+    DROP COLUMN IF EXISTS base_id;

internal/db/migrations/147_submission_drafts_composer.up.sql

@@ -0,0 +1,31 @@
+-- t-paliad-313 (m/paliad#141): Composer Slice A — point submission_drafts at a base.
+--
+-- Two purely-additive columns on paliad.submission_drafts:
+--
+--   base_id uuid — FK to paliad.submission_bases. NULL on existing
+--     drafts (Slice A explicitly does NOT auto-upgrade pre-Composer
+--     rows — that's Slice C). NEW drafts created post-Composer get
+--     base_id seeded by SubmissionDraftService.Create from the firm
+--     default for the proceeding family. ON DELETE SET NULL keeps a
+--     draft renderable via the v1 fallback chain even if its base is
+--     removed; the lawyer picks a new base via the sidebar.
+--
+--   composer_meta jsonb — Composer-specific metadata. For Slice A this
+--     carries the seed-time section order so the editor paints without
+--     a join. Future slices may add hidden_sections, active_locale,
+--     etc.
+--
+-- No data backfill, no auto-upgrade — pre-Composer drafts keep base_id
+-- NULL and render via the existing v1 path. The Go side has the
+-- corresponding gate (base_id IS NULL OR no submission_sections rows →
+-- v1 path).
+
+ALTER TABLE paliad.submission_drafts
+    ADD COLUMN IF NOT EXISTS base_id       uuid REFERENCES paliad.submission_bases(id) ON DELETE SET NULL,
+    ADD COLUMN IF NOT EXISTS composer_meta jsonb NOT NULL DEFAULT '{}'::jsonb;
+
+COMMENT ON COLUMN paliad.submission_drafts.base_id IS
+    't-paliad-313: Composer base reference. NULL = pre-Composer draft, renders via v1 fallback chain. ON DELETE SET NULL.';
+
+COMMENT ON COLUMN paliad.submission_drafts.composer_meta IS
+    't-paliad-313: Composer-side metadata (section_order, hidden_sections, …). jsonb, default {}.';

internal/db/migrations/148_submission_sections.down.sql

@@ -0,0 +1,3 @@
+-- t-paliad-313: revert submission_sections table.
+
+DROP TABLE IF EXISTS paliad.submission_sections;

internal/db/migrations/148_submission_sections.up.sql

@@ -0,0 +1,116 @@
+-- t-paliad-313 (m/paliad#141): Composer Slice A — per-draft section rows.
+--
+-- paliad.submission_sections holds one row per (draft, section_key) for
+-- Composer-mode drafts. Slice A seeds rows on draft create from the
+-- base's section_spec.defaults; the editor renders them read-only. Slice
+-- B turns them editable, Slice F adds reorder/hide/add-custom.
+--
+-- kind values per the design (Q10 ratification — no *_auto kind):
+--   'prose'    — free Markdown content (default).
+--   'requests' — Anträge-style content (editor may add auto-numbering
+--                later; Slice A treats identical to 'prose').
+--   'evidence' — Beweisangebote (editor may prefix lines with
+--                'Beweis: '; Slice A treats identical to 'prose').
+--
+-- Visibility flows through draft_id → submission_drafts → can_see_project
+-- + owner-scoped. RLS policies mirror the four-policy shape on
+-- submission_drafts so seeding from the Go service stays inside the
+-- same RLS envelope.
+--
+-- content_md_de + content_md_en both NOT NULL DEFAULT '' so neither
+-- side blocks the bilingual-by-construction render path. Empty content
+-- renders as the missing-content marker per the editor's contract.
+--
+-- Per the brief (head's instruction msg #2392) Slice A does NOT auto-
+-- upgrade the 11 pre-Composer drafts — those remain base_id=NULL with
+-- no section rows. The v1 fallback render path stays compiled in to
+-- keep them working.
+
+CREATE TABLE IF NOT EXISTS paliad.submission_sections (
+    id            uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    draft_id      uuid NOT NULL REFERENCES paliad.submission_drafts(id) ON DELETE CASCADE,
+    section_key   text NOT NULL,
+    order_index   int  NOT NULL,
+    kind          text NOT NULL,
+    label_de      text NOT NULL,
+    label_en      text NOT NULL,
+    included      bool NOT NULL DEFAULT true,
+    content_md_de text NOT NULL DEFAULT '',
+    content_md_en text NOT NULL DEFAULT '',
+    created_at    timestamptz NOT NULL DEFAULT now(),
+    updated_at    timestamptz NOT NULL DEFAULT now(),
+
+    CONSTRAINT submission_sections_kind_check
+        CHECK (kind IN ('prose', 'requests', 'evidence')),
+    CONSTRAINT submission_sections_unique_per_draft
+        UNIQUE (draft_id, section_key)
+);
+
+CREATE INDEX IF NOT EXISTS submission_sections_draft_idx
+    ON paliad.submission_sections (draft_id, order_index);
+
+ALTER TABLE paliad.submission_sections ENABLE ROW LEVEL SECURITY;
+
+DROP POLICY IF EXISTS submission_sections_select ON paliad.submission_sections;
+CREATE POLICY submission_sections_select
+    ON paliad.submission_sections FOR SELECT TO authenticated
+    USING (
+        EXISTS (
+            SELECT 1 FROM paliad.submission_drafts d
+             WHERE d.id = paliad.submission_sections.draft_id
+               AND d.user_id = auth.uid()
+               AND (d.project_id IS NULL OR paliad.can_see_project(d.project_id))
+        )
+    );
+
+DROP POLICY IF EXISTS submission_sections_insert ON paliad.submission_sections;
+CREATE POLICY submission_sections_insert
+    ON paliad.submission_sections FOR INSERT TO authenticated
+    WITH CHECK (
+        EXISTS (
+            SELECT 1 FROM paliad.submission_drafts d
+             WHERE d.id = paliad.submission_sections.draft_id
+               AND d.user_id = auth.uid()
+               AND (d.project_id IS NULL OR paliad.can_see_project(d.project_id))
+        )
+    );
+
+DROP POLICY IF EXISTS submission_sections_update ON paliad.submission_sections;
+CREATE POLICY submission_sections_update
+    ON paliad.submission_sections FOR UPDATE TO authenticated
+    USING (
+        EXISTS (
+            SELECT 1 FROM paliad.submission_drafts d
+             WHERE d.id = paliad.submission_sections.draft_id
+               AND d.user_id = auth.uid()
+               AND (d.project_id IS NULL OR paliad.can_see_project(d.project_id))
+        )
+    )
+    WITH CHECK (
+        EXISTS (
+            SELECT 1 FROM paliad.submission_drafts d
+             WHERE d.id = paliad.submission_sections.draft_id
+               AND d.user_id = auth.uid()
+               AND (d.project_id IS NULL OR paliad.can_see_project(d.project_id))
+        )
+    );
+
+DROP POLICY IF EXISTS submission_sections_delete ON paliad.submission_sections;
+CREATE POLICY submission_sections_delete
+    ON paliad.submission_sections FOR DELETE TO authenticated
+    USING (
+        EXISTS (
+            SELECT 1 FROM paliad.submission_drafts d
+             WHERE d.id = paliad.submission_sections.draft_id
+               AND d.user_id = auth.uid()
+               AND (d.project_id IS NULL OR paliad.can_see_project(d.project_id))
+        )
+    );
+
+DROP TRIGGER IF EXISTS submission_sections_set_updated_at ON paliad.submission_sections;
+CREATE TRIGGER submission_sections_set_updated_at
+    BEFORE UPDATE ON paliad.submission_sections
+    FOR EACH ROW EXECUTE FUNCTION paliad.tg_set_updated_at();
+
+COMMENT ON TABLE paliad.submission_sections IS
+    't-paliad-313: per-draft Composer section rows. Slice A: seeded on draft create from base.section_spec.defaults, rendered read-only. Slice B: editable. RLS mirrors submission_drafts (owner-scoped + can_see_project).';

internal/db/migrations/149_submission_building_blocks.down.sql

@@ -0,0 +1,4 @@
+-- t-paliad-315: revert building blocks library.
+
+DROP TABLE IF EXISTS paliad.submission_building_block_admin_versions;
+DROP TABLE IF EXISTS paliad.submission_building_blocks;

internal/db/migrations/149_submission_building_blocks.up.sql

@@ -0,0 +1,118 @@
+-- t-paliad-315 (m/paliad#141): Composer Slice C — building blocks library.
+--
+-- Per the design at docs/design-submission-generator-v2-2026-05-26.md §4.4
+-- and the Q2 / Q9 ratifications:
+--
+--   Q2 (m, 2026-05-26): building blocks are plain text paste sources.
+--     No building_block_id reference is stored on submission_sections —
+--     insertion is a one-way copy of content_md_<lang> into the section.
+--     This table records the library; submission_sections doesn't know
+--     where its content came from.
+--
+--   Q9 (m, 2026-05-26): four visibility tiers — private / team / firm
+--     / global. Picker filtering and RLS SELECT predicate both honour
+--     the tier. Tier upgrades (private → team/firm/global) go through
+--     admin moderation in later slices; Slice C starts with admin-only
+--     mutations (no user-initiated rows yet).
+--
+-- The _admin_versions companion table mirrors the email-templates
+-- retention=20 audit history. It is INTERNAL to the admin editor —
+-- not referenced from submission_sections, not exposed to the lawyer.
+-- It exists so accidental delete + accidental overwrite are
+-- recoverable.
+
+CREATE TABLE IF NOT EXISTS paliad.submission_building_blocks (
+    id                uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    slug              text NOT NULL,
+    firm              text,                       -- e.g. 'HLC', NULL = cross-firm
+    section_key       text NOT NULL,              -- which section kind this block fits
+    proceeding_family text,                       -- 'de.inf.lg', NULL = any family
+    title_de          text NOT NULL,
+    title_en          text NOT NULL,
+    description_de    text,
+    description_en    text,
+    content_md_de     text NOT NULL DEFAULT '',
+    content_md_en     text NOT NULL DEFAULT '',
+    author_id         uuid REFERENCES paliad.users(id) ON DELETE SET NULL,
+    visibility        text NOT NULL,              -- 'private' | 'team' | 'firm' | 'global'
+    is_published      bool NOT NULL DEFAULT false,
+    created_at        timestamptz NOT NULL DEFAULT now(),
+    updated_at        timestamptz NOT NULL DEFAULT now(),
+    deleted_at        timestamptz,
+
+    CONSTRAINT submission_building_blocks_visibility_check
+        CHECK (visibility IN ('private', 'team', 'firm', 'global')),
+    CONSTRAINT submission_building_blocks_unique_slug_per_firm
+        UNIQUE (slug, firm)
+);
+
+CREATE INDEX IF NOT EXISTS submission_building_blocks_section_visibility_idx
+    ON paliad.submission_building_blocks (section_key, visibility, firm, proceeding_family)
+    WHERE deleted_at IS NULL AND is_published;
+
+CREATE INDEX IF NOT EXISTS submission_building_blocks_author_idx
+    ON paliad.submission_building_blocks (author_id)
+    WHERE deleted_at IS NULL;
+
+ALTER TABLE paliad.submission_building_blocks ENABLE ROW LEVEL SECURITY;
+
+-- SELECT policy: coarse-grained RLS that admits every non-deleted
+-- block to any authenticated user. The Go-side BuildingBlockService
+-- applies the fine-grained tier predicate (private / team / firm /
+-- global) using branding.Name + team-membership joins. This split
+-- keeps the SQL simple and lets the tier semantics evolve in code
+-- without RLS migrations.
+--
+-- The exception below is 'private': only the author sees their own
+-- private rows. That's the hard line where a tier upgrade is
+-- substantive enough to warrant DB-level enforcement.
+DROP POLICY IF EXISTS submission_building_blocks_select ON paliad.submission_building_blocks;
+CREATE POLICY submission_building_blocks_select
+    ON paliad.submission_building_blocks FOR SELECT TO authenticated
+    USING (
+        deleted_at IS NULL
+        AND (
+            visibility <> 'private'
+            OR author_id = auth.uid()
+        )
+    );
+
+-- INSERT / UPDATE / DELETE intentionally absent — admin mutations
+-- happen at the Go handler layer with explicit adminGate. RLS without
+-- mutation policies denies them by default.
+
+DROP TRIGGER IF EXISTS submission_building_blocks_set_updated_at ON paliad.submission_building_blocks;
+CREATE TRIGGER submission_building_blocks_set_updated_at
+    BEFORE UPDATE ON paliad.submission_building_blocks
+    FOR EACH ROW EXECUTE FUNCTION paliad.tg_set_updated_at();
+
+COMMENT ON TABLE paliad.submission_building_blocks IS
+    't-paliad-315: Composer building-block library. Plain text paste sources for section content (no lineage tracked on sections per Q2 ratification). 4-tier visibility per Q9.';
+
+
+-- _admin_versions: append-only history per block. Admin-side only;
+-- not referenced from submission_sections. Retention 20 per block,
+-- GCed in the same transaction as the Save (mirrors email-templates).
+CREATE TABLE IF NOT EXISTS paliad.submission_building_block_admin_versions (
+    id                uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    building_block_id uuid NOT NULL REFERENCES paliad.submission_building_blocks(id) ON DELETE CASCADE,
+    content_md_de     text NOT NULL,
+    content_md_en     text NOT NULL,
+    title_de          text NOT NULL,
+    title_en          text NOT NULL,
+    edited_by         uuid REFERENCES paliad.users(id) ON DELETE SET NULL,
+    note              text,
+    created_at        timestamptz NOT NULL DEFAULT now()
+);
+
+CREATE INDEX IF NOT EXISTS submission_building_block_admin_versions_block_idx
+    ON paliad.submission_building_block_admin_versions (building_block_id, created_at DESC);
+
+ALTER TABLE paliad.submission_building_block_admin_versions ENABLE ROW LEVEL SECURITY;
+
+-- Admin-only audit; the handler layer gates this via adminGate and
+-- writes via SECURITY DEFINER paths or admin-role SQL. No RLS SELECT
+-- policy exists, so non-admin users get an empty result set.
+
+COMMENT ON TABLE paliad.submission_building_block_admin_versions IS
+    't-paliad-315: append-only history per building block. Admin-side only; retention 20 rows per block, GCed at Save time.';

internal/handlers/admin_rules.go

@@ -299,21 +299,6 @@ func handleAdminPreviewRule(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusOK, resp)
 }
 
-// GET /admin/api/rules/export-migrations?since=<audit_id>
-func handleAdminExportRuleMigrations(w http.ResponseWriter, r *http.Request) {
-	if dbSvc == nil || dbSvc.ruleEditor == nil {
-		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "rule editor unavailable"})
-		return
-	}
-	since := r.URL.Query().Get("since")
-	out, err := dbSvc.ruleEditor.ExportMigrationsSince(r.Context(), since)
-	if err != nil {
-		writeRuleEditorError(w, err)
-		return
-	}
-	writeJSON(w, http.StatusOK, out)
-}
-
 // =============================================================================
 // Page handlers — serve the static SPA shells. Auth + admin gate live
 // at the route registration in handlers.go.
@@ -327,10 +312,6 @@ func handleAdminRulesEditPage(w http.ResponseWriter, r *http.Request) {
 	http.ServeFile(w, r, "dist/admin-rules-edit.html")
 }
 
-func handleAdminRulesExportPage(w http.ResponseWriter, r *http.Request) {
-	http.ServeFile(w, r, "dist/admin-rules-export.html")
-}
-
 // =============================================================================
 // helpers
 // =============================================================================

internal/handlers/files.go

@@ -3,6 +3,7 @@ package handlers
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"log"
@@ -12,6 +13,7 @@ import (
 	"time"
 
 	"mgit.msbls.de/m/paliad/internal/branding"
+	"mgit.msbls.de/m/paliad/internal/services"
 )
 
 const (
@@ -402,6 +404,35 @@ func fetchFirmSkeletonBytes(ctx context.Context) ([]byte, string, error) {
 	return fetchSubmissionTemplateSlug(ctx, firmSkeletonSubmissionSlug)
 }
 
+// composerBaseSlugMap routes a Composer base.slug to the existing
+// fileRegistry slug whose Gitea object backs it (t-paliad-313 Slice B).
+// Slice A seeded two bases that already share .docx files with the v1
+// fallback chain — no new Gitea uploads needed for those. Future bases
+// (e.g. lg-duesseldorf, upc-formal in Slice E) register their own
+// fileRegistry entries via the same shape and add a row here.
+var composerBaseSlugMap = map[string]string{
+	"hlc-letterhead": firmSkeletonSubmissionSlug,
+	"neutral":        skeletonSubmissionSlug,
+}
+
+// fetchComposerBaseBytes returns the .docx bytes for a Composer base,
+// pulled from the shared Gitea proxy cache. ErrComposerBaseNotProxied
+// when the slug has no registered fileRegistry entry — a base authored
+// without a file-registry mapping (rare; admin oversight) renders as
+// "Vorlagenbasis nicht erreichbar" upstream of this call.
+var ErrComposerBaseNotProxied = errors.New("composer base: Gitea slug not registered")
+
+func fetchComposerBaseBytes(ctx context.Context, base *services.SubmissionBase) ([]byte, string, error) {
+	if base == nil {
+		return nil, "", fmt.Errorf("composer base: nil base")
+	}
+	slug, ok := composerBaseSlugMap[base.Slug]
+	if !ok {
+		return nil, "", fmt.Errorf("%w: base slug %q", ErrComposerBaseNotProxied, base.Slug)
+	}
+	return fetchSubmissionTemplateSlug(ctx, slug)
+}
+
 // fetchSubmissionTemplateSlug is the shared cache-aware fetcher used by
 // the firm-skeleton and universal-skeleton accessors. Factored out so
 // the two paths can't drift apart on caching semantics.

internal/handlers/fristenrechner.go

@@ -69,6 +69,14 @@ func handleFristenrechnerAPI(w http.ResponseWriter, r *http.Request) {
 		// stay in the result list. Default false preserves the legacy
 		// suppression. HiddenCount on the response is independent.
 		IncludeHidden bool `json:"includeHidden,omitempty"`
+		// Slice B1 / m/paliad#124 §18.1: narrows the unified UPC
+		// Berufung (upc.apl) timeline to the rule subset whose
+		// applies_to_target contains the requested slug. Empty = no
+		// filter. Valid values: endentscheidung | kostenentscheidung
+		// | anordnung | schadensbemessung | bucheinsicht. Unknown
+		// slugs are silently dropped (no filter) so a stale frontend
+		// chip doesn't 400 the request.
+		AppealTarget string `json:"appealTarget,omitempty"`
 	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "Ungültige Anfrage"})
@@ -116,6 +124,7 @@ func handleFristenrechnerAPI(w http.ResponseWriter, r *http.Request) {
 		SkipRules:        addendum.SkipRules,
 		IncludeCCRFor:    addendum.IncludeCCRFor,
 		IncludeHidden:    req.IncludeHidden,
+		AppealTarget:     req.AppealTarget,
 	})
 	if err != nil {
 		if errors.Is(err, services.ErrUnknownProceedingType) {

internal/handlers/handlers.go

@@ -116,10 +116,27 @@ type Services struct {
 	// t-paliad-238 — dedicated Submissions/Schriftsätze editor.
 	SubmissionDraft *services.SubmissionDraftService
 
+	// t-paliad-313 (m/paliad#141) Composer Slice A + B — base catalog,
+	// per-draft section rows, render-pipeline assembler. All three
+	// nil in DATABASE_URL-less deploys (the Composer surfaces return
+	// 503 / hide the picker).
+	SubmissionBase     *services.BaseService
+	SubmissionSection  *services.SectionService
+	SubmissionComposer *services.SubmissionComposer
+
+	// t-paliad-315 Composer Slice C — building-block library + admin
+	// editor. Per Q2: paste sources only, no lineage on sections.
+	SubmissionBuildingBlock *services.BuildingBlockService
+
 	// t-paliad-265 / m/paliad#96 — per-event-card optional choices on
 	// the Verfahrensablauf timeline.
 	EventChoice *services.EventChoiceService
 
+	// Slice D (m/paliad#124 §5, mig 145) — named scenario compositions
+	// per project or as abstract templates. Nil when DATABASE_URL is
+	// unset; the /api/scenarios routes return 503 in that case.
+	Scenario *services.ScenarioService
+
 	// Paliadin is wired when DATABASE_URL is set. The concrete backend
 	// is picked in cmd/server/main.go based on PALIADIN_REMOTE_HOST
 	// (remote → mRiver via SSH) or local tmux availability. Stays nil
@@ -182,8 +199,13 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
 			projection:      svc.Projection,
 			export:          svc.Export,
 			backup:          svc.Backup,
-			submissionDraft: svc.SubmissionDraft,
-			eventChoice:     svc.EventChoice,
+			submissionDraft:         svc.SubmissionDraft,
+			submissionBase:          svc.SubmissionBase,
+			submissionSection:       svc.SubmissionSection,
+			submissionComposer:      svc.SubmissionComposer,
+			submissionBuildingBlock: svc.SubmissionBuildingBlock,
+			eventChoice:       svc.EventChoice,
+			scenario:          svc.Scenario,
 		}
 	}
 
@@ -402,6 +424,18 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
 	protected.HandleFunc("PATCH /api/submission-drafts/{draft_id}", handleGlobalPatchSubmissionDraft)
 	protected.HandleFunc("DELETE /api/submission-drafts/{draft_id}", handleGlobalDeleteSubmissionDraft)
 	protected.HandleFunc("POST /api/submission-drafts/{draft_id}/export", handleGlobalExportSubmissionDraft)
+	// t-paliad-313 (m/paliad#141) Composer Slice A — base catalog for
+	// the sidebar picker. Wide-open SELECT (any authenticated user);
+	// admin mutations are not exposed yet (Slice C).
+	protected.HandleFunc("GET /api/submission-bases", handleListSubmissionBases)
+	// t-paliad-313 (m/paliad#141) Composer Slice B — per-section PATCH
+	// for inline editor autosave. URL keyed on draft_id + section_id;
+	// owner-scoped via SubmissionDraftService.Get.
+	protected.HandleFunc("PATCH /api/submission-drafts/{draft_id}/sections/{section_id}", handlePatchSubmissionSection)
+	// t-paliad-315 (m/paliad#141) Composer Slice C — building blocks
+	// library. Lawyer-facing picker + paste mechanic.
+	protected.HandleFunc("GET /api/submission-building-blocks", handleListBuildingBlocks)
+	protected.HandleFunc("POST /api/submission-building-blocks/{block_id}/insert-into/{section_id}", handleInsertBlockIntoSection)
 	// t-paliad-277 / m/paliad#109 — refresh project-derived variables on
 	// the draft. Strips overrides for project.* / parties.* / deadline.*
 	// / procedural_event.* / rule.* prefixes and bumps last_imported_at.
@@ -446,6 +480,15 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
 	protected.HandleFunc("PUT /api/projects/{id}/event-choices", handlePutProjectEventChoice)
 	protected.HandleFunc("DELETE /api/projects/{id}/event-choices/{submission_code}/{choice_kind}", handleDeleteProjectEventChoice)
 
+	// Slice D (m/paliad#124 §5, mig 145) — named scenario compositions
+	// per project or as abstract templates on /tools/verfahrensablauf.
+	protected.HandleFunc("GET /api/scenarios", handleScenariosList)
+	protected.HandleFunc("GET /api/scenarios/{id}", handleScenarioGet)
+	protected.HandleFunc("POST /api/scenarios", handleScenarioCreate)
+	protected.HandleFunc("PATCH /api/scenarios/{id}", handleScenarioPatch)
+	protected.HandleFunc("DELETE /api/scenarios/{id}", handleScenarioDelete)
+	protected.HandleFunc("PUT /api/projects/{id}/active-scenario", handleSetActiveScenario)
+
 	// Partner units (structural partner-led units; legacy "Dezernate").
 	protected.HandleFunc("GET /api/partner-units", handleListPartnerUnits)
 	protected.HandleFunc("POST /api/partner-units", handleCreatePartnerUnit)
@@ -657,6 +700,16 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
 		protected.HandleFunc("DELETE /api/admin/firm-dashboard-default", adminGate(users, handleDeleteFirmDashboardDefault))
 		protected.HandleFunc("POST /api/me/dashboard-layout/promote", adminGate(users, handlePromoteDashboardLayoutToFirmDefault))
 
+		// t-paliad-315 (m/paliad#141) Composer Slice C — admin building blocks editor.
+		protected.HandleFunc("GET /admin/submission-building-blocks", adminGate(users, gateOnboarded(handleAdminBuildingBlocksPage)))
+		protected.HandleFunc("GET /api/admin/submission-building-blocks", adminGate(users, handleAdminListBuildingBlocks))
+		protected.HandleFunc("POST /api/admin/submission-building-blocks", adminGate(users, handleAdminCreateBuildingBlock))
+		protected.HandleFunc("GET /api/admin/submission-building-blocks/{block_id}", adminGate(users, handleAdminGetBuildingBlock))
+		protected.HandleFunc("PATCH /api/admin/submission-building-blocks/{block_id}", adminGate(users, handleAdminUpdateBuildingBlock))
+		protected.HandleFunc("DELETE /api/admin/submission-building-blocks/{block_id}", adminGate(users, handleAdminDeleteBuildingBlock))
+		protected.HandleFunc("GET /api/admin/submission-building-blocks/{block_id}/versions", adminGate(users, handleAdminListBuildingBlockVersions))
+		protected.HandleFunc("POST /api/admin/submission-building-blocks/{block_id}/restore/{version_id}", adminGate(users, handleAdminRestoreBuildingBlockVersion))
+
 		protected.HandleFunc("GET /api/admin/email-templates", adminGate(users, handleAdminListEmailTemplates))
 		protected.HandleFunc("GET /api/admin/email-templates/{key}/variables", adminGate(users, handleAdminEmailTemplateVariables))
 		protected.HandleFunc("GET /api/admin/email-templates/{key}/{lang}", adminGate(users, handleAdminGetEmailTemplate))
@@ -670,10 +723,8 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
 		// t-paliad-191 Slice 11a — admin rule-editor API.
 		// t-paliad-192 Slice 11b — admin rule-editor UI pages + orphan list/resolve.
 		protected.HandleFunc("GET /admin/rules", adminGate(users, gateOnboarded(handleAdminRulesListPage)))
-		protected.HandleFunc("GET /admin/rules/export", adminGate(users, gateOnboarded(handleAdminRulesExportPage)))
 		protected.HandleFunc("GET /admin/rules/{id}/edit", adminGate(users, gateOnboarded(handleAdminRulesEditPage)))
 		protected.HandleFunc("GET /admin/api/rules", adminGate(users, handleAdminListRules))
-		protected.HandleFunc("GET /admin/api/rules/export-migrations", adminGate(users, handleAdminExportRuleMigrations))
 		protected.HandleFunc("GET /admin/api/rules/{id}", adminGate(users, handleAdminGetRule))
 		protected.HandleFunc("POST /admin/api/rules", adminGate(users, handleAdminCreateRule))
 		protected.HandleFunc("PATCH /admin/api/rules/{id}", adminGate(users, handleAdminPatchRule))

internal/handlers/paliadin.go

@@ -24,6 +24,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"log"
 	"net/http"
 	"strconv"
 	"strings"
@@ -360,6 +361,8 @@ func runStreamingTurn(turnID uuid.UUID, req services.TurnRequest, ch chan<- turn
 				convID = ev.ConversationID
 			case services.StreamError:
 				errorEmitted = true
+				log.Printf("paliadin: stream error turn=%s code=%s retryable=%v message=%q",
+					turnID, ev.Code, ev.Retryable, ev.Message)
 				send(ch, turnEvent{
 					Kind: "error",
 					Data: map[string]any{
@@ -372,6 +375,8 @@ func runStreamingTurn(turnID uuid.UUID, req services.TurnRequest, ch chan<- turn
 		case <-silenceTicker.C:
 			elapsed := time.Since(lastEventAt)
 			if elapsed >= silenceTimeout {
+				log.Printf("paliadin: silence timeout turn=%s elapsed=%s (silenceTimeout=%s)",
+					turnID, elapsed, silenceTimeout)
 				send(ch, turnEvent{
 					Kind: "error",
 					Data: map[string]any{
@@ -419,6 +424,8 @@ func runStreamingTurn(turnID uuid.UUID, req services.TurnRequest, ch chan<- turn
 				}
 			}
 			if res.err != nil {
+				log.Printf("paliadin: backend returned error turn=%s err=%v errorEmittedAlready=%v",
+					turnID, res.err, errorEmitted)
 				if !errorEmitted {
 					send(ch, turnEvent{
 						Kind: "error",
@@ -432,6 +439,8 @@ func runStreamingTurn(turnID uuid.UUID, req services.TurnRequest, ch chan<- turn
 			}
 			result := res.result
 			if result == nil {
+				log.Printf("paliadin: backend returned nil result without error turn=%s errorEmittedAlready=%v",
+					turnID, errorEmitted)
 				// Shouldn't happen — backend contract returns either err
 				// or a result. Defensive bail.
 				if !errorEmitted {

internal/handlers/projects.go

@@ -69,8 +69,19 @@ type dbServices struct {
 	// t-paliad-238 — submission draft editor.
 	submissionDraft *services.SubmissionDraftService
 
+	// t-paliad-313 — Composer base catalog + per-draft sections +
+	// (Slice B) the render pipeline assembling base + sections into a
+	// final .docx + (Slice C) building-block library.
+	submissionBase          *services.BaseService
+	submissionSection       *services.SectionService
+	submissionComposer      *services.SubmissionComposer
+	submissionBuildingBlock *services.BuildingBlockService
+
 	// t-paliad-265 — per-event-card optional choices.
 	eventChoice *services.EventChoiceService
+
+	// Slice D — named scenario compositions (m/paliad#124 §5).
+	scenario *services.ScenarioService
 }
 
 var dbSvc *dbServices

internal/handlers/scenarios.go

@@ -0,0 +1,216 @@
+package handlers
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+
+	"github.com/google/uuid"
+
+	"mgit.msbls.de/m/paliad/internal/services"
+	lp "mgit.msbls.de/m/paliad/pkg/litigationplanner"
+)
+
+// Slice D (m/paliad#124 §5, mig 145) — REST endpoints for paliad.scenarios.
+//
+// Routes (registered in handlers.go):
+//
+//	GET    /api/scenarios?project=<id>     — list project's scenarios
+//	GET    /api/scenarios?abstract=true    — list caller's abstract scenarios
+//	GET    /api/scenarios/{id}             — fetch one
+//	POST   /api/scenarios                  — create
+//	PATCH  /api/scenarios/{id}             — partial update
+//	PUT    /api/projects/{id}/active-scenario  — set/clear active scenario
+//	DELETE /api/scenarios/{id}             — remove
+//
+// All endpoints require auth; visibility is enforced by
+// ScenarioService.requireProjectVisible / requireVisible.
+
+func requireScenarioService(w http.ResponseWriter) bool {
+	if dbSvc == nil || dbSvc.scenario == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{
+			"error": "Szenarien sind vorübergehend nicht verfügbar (keine Datenbank).",
+		})
+		return false
+	}
+	return true
+}
+
+// scenarioErrorToStatus maps service errors to HTTP statuses. Mirrors
+// the patterns in projects.go and event_choices.go.
+func scenarioErrorToStatus(err error) (int, string) {
+	switch {
+	case errors.Is(err, lp.ErrUnknownScenario), errors.Is(err, services.ErrScenarioNotVisible):
+		return http.StatusNotFound, "Szenario nicht gefunden"
+	case errors.Is(err, services.ErrInvalidInput), errors.Is(err, lp.ErrInvalidScenario), errors.Is(err, lp.ErrScenarioNoPrimary):
+		return http.StatusBadRequest, err.Error()
+	}
+	return http.StatusInternalServerError, err.Error()
+}
+
+// handleScenariosList — GET /api/scenarios?project=<uuid> OR ?abstract=true.
+func handleScenariosList(w http.ResponseWriter, r *http.Request) {
+	if !requireScenarioService(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+
+	abstract := r.URL.Query().Get("abstract") == "true"
+	projectStr := r.URL.Query().Get("project")
+	switch {
+	case abstract:
+		out, err := dbSvc.scenario.ListAbstractForUser(r.Context(), uid)
+		if err != nil {
+			status, msg := scenarioErrorToStatus(err)
+			writeJSON(w, status, map[string]string{"error": msg})
+			return
+		}
+		writeJSON(w, http.StatusOK, out)
+	case projectStr != "":
+		pid, err := uuid.Parse(projectStr)
+		if err != nil {
+			writeJSON(w, http.StatusBadRequest, map[string]string{"error": "ungültige project ID"})
+			return
+		}
+		out, err := dbSvc.scenario.ListForProject(r.Context(), uid, pid)
+		if err != nil {
+			status, msg := scenarioErrorToStatus(err)
+			writeJSON(w, status, map[string]string{"error": msg})
+			return
+		}
+		writeJSON(w, http.StatusOK, out)
+	default:
+		writeJSON(w, http.StatusBadRequest, map[string]string{
+			"error": "?project=<uuid> oder ?abstract=true erforderlich",
+		})
+	}
+}
+
+// handleScenarioGet — GET /api/scenarios/{id}.
+func handleScenarioGet(w http.ResponseWriter, r *http.Request) {
+	if !requireScenarioService(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	id, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "ungültige ID"})
+		return
+	}
+	out, err := dbSvc.scenario.Get(r.Context(), uid, id)
+	if err != nil {
+		status, msg := scenarioErrorToStatus(err)
+		writeJSON(w, status, map[string]string{"error": msg})
+		return
+	}
+	writeJSON(w, http.StatusOK, out)
+}
+
+// handleScenarioCreate — POST /api/scenarios.
+func handleScenarioCreate(w http.ResponseWriter, r *http.Request) {
+	if !requireScenarioService(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	var input services.CreateScenarioInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "ungültige Anfrage"})
+		return
+	}
+	out, err := dbSvc.scenario.Create(r.Context(), uid, input)
+	if err != nil {
+		status, msg := scenarioErrorToStatus(err)
+		writeJSON(w, status, map[string]string{"error": msg})
+		return
+	}
+	writeJSON(w, http.StatusCreated, out)
+}
+
+// handleScenarioPatch — PATCH /api/scenarios/{id}.
+func handleScenarioPatch(w http.ResponseWriter, r *http.Request) {
+	if !requireScenarioService(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	id, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "ungültige ID"})
+		return
+	}
+	var input services.PatchScenarioInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "ungültige Anfrage"})
+		return
+	}
+	out, err := dbSvc.scenario.Patch(r.Context(), uid, id, input)
+	if err != nil {
+		status, msg := scenarioErrorToStatus(err)
+		writeJSON(w, status, map[string]string{"error": msg})
+		return
+	}
+	writeJSON(w, http.StatusOK, out)
+}
+
+// handleScenarioDelete — DELETE /api/scenarios/{id}.
+func handleScenarioDelete(w http.ResponseWriter, r *http.Request) {
+	if !requireScenarioService(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	id, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "ungültige ID"})
+		return
+	}
+	if err := dbSvc.scenario.Delete(r.Context(), uid, id); err != nil {
+		status, msg := scenarioErrorToStatus(err)
+		writeJSON(w, status, map[string]string{"error": msg})
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// handleSetActiveScenario — PUT /api/projects/{id}/active-scenario.
+// Body: {"scenario_id": "<uuid>"} or {"scenario_id": null} to clear.
+func handleSetActiveScenario(w http.ResponseWriter, r *http.Request) {
+	if !requireScenarioService(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	pid, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "ungültige project ID"})
+		return
+	}
+	var body struct {
+		ScenarioID *uuid.UUID `json:"scenario_id"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "ungültige Anfrage"})
+		return
+	}
+	if err := dbSvc.scenario.SetActive(r.Context(), uid, pid, body.ScenarioID); err != nil {
+		status, msg := scenarioErrorToStatus(err)
+		writeJSON(w, status, map[string]string{"error": msg})
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}

internal/handlers/submission_bases.go

@@ -0,0 +1,96 @@
+package handlers
+
+// Submission base catalog handler — Composer Slice A (t-paliad-313,
+// m/paliad#141, design doc docs/design-submission-generator-v2-2026-05-26.md
+// §5.1 / Slice A acceptance).
+//
+// Endpoint: GET /api/submission-bases  → list of active bases visible
+// to the requesting firm. The sidebar picker on the draft editor reads
+// this once on page load and caches in-memory; the response shape is
+// stable across the picker's lifetime.
+//
+// Visibility: the catalog is shared firm-wide (per the design + mig
+// 146's wide-open RLS SELECT policy). The handler still requires
+// authentication; anonymous users 401.
+//
+// Filtering: the response includes the firm's own bases AND the
+// firm-agnostic ones (firm IS NULL). The Go service-side filter passes
+// branding.Name as the firm hint; cross-firm cases (e.g. a future
+// non-HLC deployment) get their own filtered slice naturally.
+
+import (
+	"net/http"
+
+	"mgit.msbls.de/m/paliad/internal/branding"
+	"mgit.msbls.de/m/paliad/internal/services"
+)
+
+// submissionBaseRow is the on-the-wire shape returned by the list
+// endpoint. Mirrors services.SubmissionBase but drops the raw bytes
+// and exposes the parsed section spec inline so the picker can show a
+// preview of the default section count without an extra round-trip.
+type submissionBaseRow struct {
+	ID               string   `json:"id"`
+	Slug             string   `json:"slug"`
+	Firm             *string  `json:"firm,omitempty"`
+	ProceedingFamily *string  `json:"proceeding_family,omitempty"`
+	LabelDE          string   `json:"label_de"`
+	LabelEN          string   `json:"label_en"`
+	DescriptionDE    *string  `json:"description_de,omitempty"`
+	DescriptionEN    *string  `json:"description_en,omitempty"`
+	GiteaPath        string   `json:"gitea_path"`
+	IsDefaultFor     []string `json:"is_default_for"`
+	IsActive         bool     `json:"is_active"`
+	SectionCount     int      `json:"section_count"`
+}
+
+type submissionBaseListResponse struct {
+	Bases []submissionBaseRow `json:"bases"`
+}
+
+// handleListSubmissionBases backs GET /api/submission-bases.
+func handleListSubmissionBases(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	if _, ok := requireUser(w, r); !ok {
+		return
+	}
+	if dbSvc.submissionBase == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{
+			"error": "submission bases not configured",
+		})
+		return
+	}
+
+	rows, err := dbSvc.submissionBase.List(r.Context(), branding.Name)
+	if err != nil {
+		writeServiceError(w, err)
+		return
+	}
+
+	out := make([]submissionBaseRow, 0, len(rows))
+	for i := range rows {
+		out = append(out, baseRowFromService(&rows[i]))
+	}
+	writeJSON(w, http.StatusOK, submissionBaseListResponse{Bases: out})
+}
+
+// baseRowFromService projects a services.SubmissionBase into the
+// on-the-wire row shape.
+func baseRowFromService(b *services.SubmissionBase) submissionBaseRow {
+	return submissionBaseRow{
+		ID:               b.ID.String(),
+		Slug:             b.Slug,
+		Firm:             b.Firm,
+		ProceedingFamily: b.ProceedingFamily,
+		LabelDE:          b.LabelDE,
+		LabelEN:          b.LabelEN,
+		DescriptionDE:    b.DescriptionDE,
+		DescriptionEN:    b.DescriptionEN,
+		GiteaPath:        b.GiteaPath,
+		IsDefaultFor:     b.IsDefaultFor,
+		IsActive:         b.IsActive,
+		SectionCount:     len(b.SectionSpec.Defaults),
+	}
+}

internal/handlers/submission_building_blocks.go

@@ -0,0 +1,482 @@
+package handlers
+
+// Composer building-block handlers — t-paliad-315 Slice C.
+//
+// Two surfaces:
+//
+//  1. Lawyer-facing picker (any authenticated user):
+//       GET  /api/submission-building-blocks?section_key=…&proceeding_family=…&q=…
+//       POST /api/submission-building-blocks/{block_id}/insert-into/{section_id}
+//
+//     The picker list is visibility-tier-filtered (private/team/firm/
+//     global) at the service layer. Insert is the paste mechanic
+//     ratified by Q2 (m, 2026-05-26): plain text copy of
+//     content_md_<lang> into submission_sections.content_md_<lang>.
+//     No lineage stamped on the section.
+//
+//  2. Admin editor (adminGate via auth.RequireAdminFunc):
+//       GET    /api/admin/submission-building-blocks
+//       POST   /api/admin/submission-building-blocks
+//       GET    /api/admin/submission-building-blocks/{block_id}
+//       PATCH  /api/admin/submission-building-blocks/{block_id}
+//       DELETE /api/admin/submission-building-blocks/{block_id}
+//       GET    /api/admin/submission-building-blocks/{block_id}/versions
+//       POST   /api/admin/submission-building-blocks/{block_id}/restore/{version_id}
+//
+//     Plus the page route /admin/submission-building-blocks (list +
+//     edit shell, hydrated client-side).
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+
+	"mgit.msbls.de/m/paliad/internal/services"
+)
+
+// blockJSON is the on-the-wire shape for both the picker and admin
+// surfaces.
+type buildingBlockJSON struct {
+	ID               uuid.UUID  `json:"id"`
+	Slug             string     `json:"slug"`
+	Firm             *string    `json:"firm,omitempty"`
+	SectionKey       string     `json:"section_key"`
+	ProceedingFamily *string    `json:"proceeding_family,omitempty"`
+	TitleDE          string     `json:"title_de"`
+	TitleEN          string     `json:"title_en"`
+	DescriptionDE    *string    `json:"description_de,omitempty"`
+	DescriptionEN    *string    `json:"description_en,omitempty"`
+	ContentMDDE      string     `json:"content_md_de"`
+	ContentMDEN      string     `json:"content_md_en"`
+	AuthorID         *uuid.UUID `json:"author_id,omitempty"`
+	Visibility       string     `json:"visibility"`
+	IsPublished      bool       `json:"is_published"`
+	CreatedAt        time.Time  `json:"created_at"`
+	UpdatedAt        time.Time  `json:"updated_at"`
+}
+
+type buildingBlockListResponse struct {
+	Blocks []buildingBlockJSON `json:"blocks"`
+}
+
+// blockJSONFromService projects services.BuildingBlock into the wire shape.
+func blockJSONFromService(b *services.BuildingBlock) buildingBlockJSON {
+	return buildingBlockJSON{
+		ID:               b.ID,
+		Slug:             b.Slug,
+		Firm:             b.Firm,
+		SectionKey:       b.SectionKey,
+		ProceedingFamily: b.ProceedingFamily,
+		TitleDE:          b.TitleDE,
+		TitleEN:          b.TitleEN,
+		DescriptionDE:    b.DescriptionDE,
+		DescriptionEN:    b.DescriptionEN,
+		ContentMDDE:      b.ContentMDDE,
+		ContentMDEN:      b.ContentMDEN,
+		AuthorID:         b.AuthorID,
+		Visibility:       b.Visibility,
+		IsPublished:      b.IsPublished,
+		CreatedAt:        b.CreatedAt,
+		UpdatedAt:        b.UpdatedAt,
+	}
+}
+
+// ─────────────────────────────────────────────────────────────────────
+// Lawyer-facing picker
+// ─────────────────────────────────────────────────────────────────────
+
+func handleListBuildingBlocks(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	if dbSvc.submissionBuildingBlock == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "building blocks not configured"})
+		return
+	}
+	q := r.URL.Query()
+	filter := services.BlockListFilter{
+		SectionKey:       strings.TrimSpace(q.Get("section_key")),
+		ProceedingFamily: strings.TrimSpace(q.Get("proceeding_family")),
+		Search:           strings.TrimSpace(q.Get("q")),
+	}
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	rows, err := dbSvc.submissionBuildingBlock.ListVisible(ctx, uid, filter)
+	if err != nil {
+		writeServiceError(w, err)
+		return
+	}
+	out := make([]buildingBlockJSON, 0, len(rows))
+	for i := range rows {
+		out = append(out, blockJSONFromService(&rows[i]))
+	}
+	writeJSON(w, http.StatusOK, buildingBlockListResponse{Blocks: out})
+}
+
+func handleInsertBlockIntoSection(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	if dbSvc.submissionBuildingBlock == nil || dbSvc.submissionSection == nil || dbSvc.submissionDraft == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "building blocks not configured"})
+		return
+	}
+	blockID, ok := parseUUIDPath(w, r, "block_id", "block id")
+	if !ok {
+		return
+	}
+	sectionID, ok := parseUUIDPath(w, r, "section_id", "section id")
+	if !ok {
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	// Visibility on the section: section.draft_id must point to a
+	// draft the caller owns. Composer Slice B's same owner gate.
+	sec, err := dbSvc.submissionSection.Get(ctx, sectionID)
+	if err != nil {
+		if errors.Is(err, services.ErrSubmissionSectionNotFound) {
+			writeJSON(w, http.StatusNotFound, map[string]string{"error": "section not found"})
+			return
+		}
+		writeServiceError(w, err)
+		return
+	}
+	if _, err := dbSvc.submissionDraft.Get(ctx, uid, sec.DraftID); err != nil {
+		writeSubmissionDraftServiceError(w, err)
+		return
+	}
+
+	updated, err := dbSvc.submissionBuildingBlock.InsertIntoSection(ctx, uid, blockID, sectionID, dbSvc.submissionSection)
+	if err != nil {
+		if errors.Is(err, services.ErrBuildingBlockNotFound) {
+			writeJSON(w, http.StatusNotFound, map[string]string{"error": "block not found"})
+			return
+		}
+		if errors.Is(err, services.ErrSubmissionSectionNotFound) {
+			writeJSON(w, http.StatusNotFound, map[string]string{"error": "section not found"})
+			return
+		}
+		writeServiceError(w, err)
+		return
+	}
+	writeJSON(w, http.StatusOK, sectionJSONFromService(updated))
+}
+
+// ─────────────────────────────────────────────────────────────────────
+// Admin editor
+// ─────────────────────────────────────────────────────────────────────
+
+func handleAdminListBuildingBlocks(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	if dbSvc.submissionBuildingBlock == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "building blocks not configured"})
+		return
+	}
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+	rows, err := dbSvc.submissionBuildingBlock.ListAllForAdmin(ctx)
+	if err != nil {
+		writeServiceError(w, err)
+		return
+	}
+	out := make([]buildingBlockJSON, 0, len(rows))
+	for i := range rows {
+		out = append(out, blockJSONFromService(&rows[i]))
+	}
+	writeJSON(w, http.StatusOK, buildingBlockListResponse{Blocks: out})
+}
+
+func handleAdminGetBuildingBlock(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	if dbSvc.submissionBuildingBlock == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "building blocks not configured"})
+		return
+	}
+	blockID, ok := parseUUIDPath(w, r, "block_id", "block id")
+	if !ok {
+		return
+	}
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+	b, err := dbSvc.submissionBuildingBlock.GetForAdmin(ctx, blockID)
+	if err != nil {
+		if errors.Is(err, services.ErrBuildingBlockNotFound) {
+			writeJSON(w, http.StatusNotFound, map[string]string{"error": "block not found"})
+			return
+		}
+		writeServiceError(w, err)
+		return
+	}
+	writeJSON(w, http.StatusOK, blockJSONFromService(b))
+}
+
+type buildingBlockCreateInput struct {
+	Slug             string  `json:"slug"`
+	Firm             *string `json:"firm,omitempty"`
+	SectionKey       string  `json:"section_key"`
+	ProceedingFamily *string `json:"proceeding_family,omitempty"`
+	TitleDE          string  `json:"title_de"`
+	TitleEN          string  `json:"title_en"`
+	DescriptionDE    *string `json:"description_de,omitempty"`
+	DescriptionEN    *string `json:"description_en,omitempty"`
+	ContentMDDE      string  `json:"content_md_de"`
+	ContentMDEN      string  `json:"content_md_en"`
+	Visibility       string  `json:"visibility"`
+	IsPublished      bool    `json:"is_published"`
+}
+
+func handleAdminCreateBuildingBlock(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	if dbSvc.submissionBuildingBlock == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "building blocks not configured"})
+		return
+	}
+	var in buildingBlockCreateInput
+	if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid JSON"})
+		return
+	}
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+	b, err := dbSvc.submissionBuildingBlock.Create(ctx, uid, services.CreateInput{
+		Slug:             in.Slug,
+		Firm:             in.Firm,
+		SectionKey:       in.SectionKey,
+		ProceedingFamily: in.ProceedingFamily,
+		TitleDE:          in.TitleDE,
+		TitleEN:          in.TitleEN,
+		DescriptionDE:    in.DescriptionDE,
+		DescriptionEN:    in.DescriptionEN,
+		ContentMDDE:      in.ContentMDDE,
+		ContentMDEN:      in.ContentMDEN,
+		Visibility:       in.Visibility,
+		IsPublished:      in.IsPublished,
+	})
+	if err != nil {
+		if errors.Is(err, services.ErrInvalidInput) || errors.Is(err, services.ErrBuildingBlockInvalidVisibility) {
+			writeJSON(w, http.StatusBadRequest, map[string]string{"error": err.Error()})
+			return
+		}
+		writeServiceError(w, err)
+		return
+	}
+	writeJSON(w, http.StatusCreated, blockJSONFromService(b))
+}
+
+type buildingBlockUpdateInput struct {
+	Slug             *string `json:"slug,omitempty"`
+	Firm             *string `json:"firm,omitempty"`
+	FirmSet          bool    `json:"-"`
+	SectionKey       *string `json:"section_key,omitempty"`
+	ProceedingFamily *string `json:"proceeding_family,omitempty"`
+	ProceedingFamilySet bool `json:"-"`
+	TitleDE          *string `json:"title_de,omitempty"`
+	TitleEN          *string `json:"title_en,omitempty"`
+	DescriptionDE    *string `json:"description_de,omitempty"`
+	DescriptionDESet bool    `json:"-"`
+	DescriptionEN    *string `json:"description_en,omitempty"`
+	DescriptionENSet bool    `json:"-"`
+	ContentMDDE      *string `json:"content_md_de,omitempty"`
+	ContentMDEN      *string `json:"content_md_en,omitempty"`
+	Visibility       *string `json:"visibility,omitempty"`
+	IsPublished      *bool   `json:"is_published,omitempty"`
+	Note             *string `json:"note,omitempty"`
+}
+
+func (u *buildingBlockUpdateInput) UnmarshalJSON(data []byte) error {
+	type alias buildingBlockUpdateInput
+	var a alias
+	if err := json.Unmarshal(data, &a); err != nil {
+		return err
+	}
+	*u = buildingBlockUpdateInput(a)
+	raw := map[string]json.RawMessage{}
+	if err := json.Unmarshal(data, &raw); err != nil {
+		return err
+	}
+	_, u.FirmSet = raw["firm"]
+	_, u.ProceedingFamilySet = raw["proceeding_family"]
+	_, u.DescriptionDESet = raw["description_de"]
+	_, u.DescriptionENSet = raw["description_en"]
+	return nil
+}
+
+func handleAdminUpdateBuildingBlock(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	if dbSvc.submissionBuildingBlock == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "building blocks not configured"})
+		return
+	}
+	blockID, ok := parseUUIDPath(w, r, "block_id", "block id")
+	if !ok {
+		return
+	}
+	var in buildingBlockUpdateInput
+	if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid JSON"})
+		return
+	}
+	patch := services.UpdatePatch{
+		Slug:        in.Slug,
+		SectionKey:  in.SectionKey,
+		TitleDE:     in.TitleDE,
+		TitleEN:     in.TitleEN,
+		ContentMDDE: in.ContentMDDE,
+		ContentMDEN: in.ContentMDEN,
+		Visibility:  in.Visibility,
+		IsPublished: in.IsPublished,
+		Note:        in.Note,
+	}
+	if in.FirmSet {
+		patch.Firm = &in.Firm
+	}
+	if in.ProceedingFamilySet {
+		patch.ProceedingFamily = &in.ProceedingFamily
+	}
+	if in.DescriptionDESet {
+		patch.DescriptionDE = &in.DescriptionDE
+	}
+	if in.DescriptionENSet {
+		patch.DescriptionEN = &in.DescriptionEN
+	}
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+	b, err := dbSvc.submissionBuildingBlock.Update(ctx, uid, blockID, patch)
+	if err != nil {
+		if errors.Is(err, services.ErrBuildingBlockNotFound) {
+			writeJSON(w, http.StatusNotFound, map[string]string{"error": "block not found"})
+			return
+		}
+		if errors.Is(err, services.ErrBuildingBlockInvalidVisibility) {
+			writeJSON(w, http.StatusBadRequest, map[string]string{"error": err.Error()})
+			return
+		}
+		writeServiceError(w, err)
+		return
+	}
+	writeJSON(w, http.StatusOK, blockJSONFromService(b))
+}
+
+func handleAdminDeleteBuildingBlock(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	if dbSvc.submissionBuildingBlock == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "building blocks not configured"})
+		return
+	}
+	blockID, ok := parseUUIDPath(w, r, "block_id", "block id")
+	if !ok {
+		return
+	}
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+	if err := dbSvc.submissionBuildingBlock.SoftDelete(ctx, uid, blockID); err != nil {
+		if errors.Is(err, services.ErrBuildingBlockNotFound) {
+			writeJSON(w, http.StatusNotFound, map[string]string{"error": "block not found"})
+			return
+		}
+		writeServiceError(w, err)
+		return
+	}
+	writeJSON(w, http.StatusNoContent, nil)
+}
+
+func handleAdminListBuildingBlockVersions(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	if dbSvc.submissionBuildingBlock == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "building blocks not configured"})
+		return
+	}
+	blockID, ok := parseUUIDPath(w, r, "block_id", "block id")
+	if !ok {
+		return
+	}
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+	rows, err := dbSvc.submissionBuildingBlock.ListVersions(ctx, blockID)
+	if err != nil {
+		writeServiceError(w, err)
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]any{"versions": rows})
+}
+
+func handleAdminRestoreBuildingBlockVersion(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	if dbSvc.submissionBuildingBlock == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "building blocks not configured"})
+		return
+	}
+	blockID, ok := parseUUIDPath(w, r, "block_id", "block id")
+	if !ok {
+		return
+	}
+	versionID, ok := parseUUIDPath(w, r, "version_id", "version id")
+	if !ok {
+		return
+	}
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+	b, err := dbSvc.submissionBuildingBlock.RestoreVersion(ctx, uid, blockID, versionID)
+	if err != nil {
+		if errors.Is(err, services.ErrBuildingBlockNotFound) {
+			writeJSON(w, http.StatusNotFound, map[string]string{"error": "block or version not found"})
+			return
+		}
+		writeServiceError(w, err)
+		return
+	}
+	writeJSON(w, http.StatusOK, blockJSONFromService(b))
+}
+
+// handleAdminBuildingBlocksPage serves the admin editor shell. The
+// client bundle hydrates the list + edit UI.
+func handleAdminBuildingBlocksPage(w http.ResponseWriter, r *http.Request) {
+	http.ServeFile(w, r, "dist/admin-submission-building-blocks.html")
+}

internal/handlers/submission_drafts.go

@@ -83,6 +83,11 @@ type submissionDraftView struct {
 	// so the frontend can render the multi-select picker in one round-
 	// trip. Empty when the draft has no project attached.
 	AvailableParties []submissionDraftPartyJSON `json:"available_parties"`
+	// Sections is the per-draft section stack (t-paliad-313 Slice A).
+	// Slice A renders these read-only; the lawyer sees what the
+	// Composer seeded but can't yet edit prose. nil for pre-Composer
+	// drafts (base_id NULL, no submission_sections rows).
+	Sections []submissionSectionJSON `json:"sections"`
 }
 
 // submissionDraftPartyJSON is the minimal party row the editor sidebar
@@ -106,8 +111,30 @@ type submissionDraftJSON struct {
 	LastExportedAt  *time.Time              `json:"last_exported_at,omitempty"`
 	LastExportedSHA *string                 `json:"last_exported_sha,omitempty"`
 	LastImportedAt  *time.Time              `json:"last_imported_at,omitempty"`
-	CreatedAt       time.Time               `json:"created_at"`
-	UpdatedAt       time.Time               `json:"updated_at"`
+	// BaseID — Composer base reference (t-paliad-313). NULL on
+	// pre-Composer drafts; the editor sidebar surfaces this in the
+	// base picker. PATCH accepts {"base_id": "<uuid>"} or
+	// {"base_id": null} to set or clear.
+	BaseID       *uuid.UUID     `json:"base_id"`
+	ComposerMeta map[string]any `json:"composer_meta"`
+	CreatedAt    time.Time      `json:"created_at"`
+	UpdatedAt    time.Time      `json:"updated_at"`
+}
+
+// submissionSectionJSON is the on-the-wire row for each per-draft
+// section. Slice A renders these read-only — the lawyer sees the
+// section stack but doesn't yet edit prose. Slice B makes content_md_*
+// editable + adds the PATCH endpoint.
+type submissionSectionJSON struct {
+	ID           uuid.UUID `json:"id"`
+	SectionKey   string    `json:"section_key"`
+	OrderIndex   int       `json:"order_index"`
+	Kind         string    `json:"kind"`
+	LabelDE      string    `json:"label_de"`
+	LabelEN      string    `json:"label_en"`
+	Included     bool      `json:"included"`
+	ContentMDDE  string    `json:"content_md_de"`
+	ContentMDEN  string    `json:"content_md_en"`
 }
 
 type submissionRuleSummary struct {
@@ -132,6 +159,41 @@ type submissionDraftPatchInput struct {
 	Variables       *services.PlaceholderMap `json:"variables,omitempty"`
 	SelectedParties *[]uuid.UUID             `json:"selected_parties,omitempty"`
 	Language        *string                  `json:"language,omitempty"`
+	// BaseID accepts three states per the JSON contract:
+	//   field absent              → no change (json:"-")
+	//   {"base_id": "<uuid>"}     → set to picked base
+	//   {"base_id": null}         → clear (return to v1 fallback)
+	// We model this with a **uuid.UUID inside a custom UnmarshalJSON
+	// in case extends; for now the simpler `*uuid.UUID` + presence
+	// flag covers Slice A's set-base flow. Clearing is exposed but
+	// rarely used (the editor always picks a base; clearing is for
+	// admin-recovery flows).
+	BaseID    *uuid.UUID `json:"base_id,omitempty"`
+	BaseIDSet bool       `json:"-"`
+}
+
+// UnmarshalJSON on submissionDraftPatchInput sets BaseIDSet=true if
+// the "base_id" key appears in the payload (regardless of whether
+// the value is null or a uuid string). Lets the handler distinguish
+// "field absent" (no change) from "field set to null" (clear).
+func (p *submissionDraftPatchInput) UnmarshalJSON(data []byte) error {
+	// Phase 1: decode into a raw map to detect key presence.
+	raw := map[string]json.RawMessage{}
+	if err := json.Unmarshal(data, &raw); err != nil {
+		return err
+	}
+	// Phase 2: decode the typed fields. Use an alias to skip this
+	// custom UnmarshalJSON during the re-parse.
+	type alias submissionDraftPatchInput
+	var a alias
+	if err := json.Unmarshal(data, &a); err != nil {
+		return err
+	}
+	*p = submissionDraftPatchInput(a)
+	if _, ok := raw["base_id"]; ok {
+		p.BaseIDSet = true
+	}
+	return nil
 }
 
 // ─────────────────────────────────────────────────────────────────────
@@ -372,6 +434,9 @@ func handlePatchSubmissionDraft(w http.ResponseWriter, r *http.Request) {
 		SelectedParties: input.SelectedParties,
 		Language:        input.Language,
 	}
+	if input.BaseIDSet {
+		patch.BaseID = &input.BaseID
+	}
 	d, err := dbSvc.submissionDraft.Update(r.Context(), uid, draftID, patch)
 	if err != nil {
 		writeSubmissionDraftServiceError(w, err)
@@ -501,16 +566,10 @@ func handleExportSubmissionDraft(w http.ResponseWriter, r *http.Request) {
 		writeSubmissionDraftServiceError(w, err)
 		return
 	}
-	tplBytes, tplSHA, _, err := resolveSubmissionTemplate(ctx, d.SubmissionCode, d.Language)
+	docx, resolved, tplSHA, composerUsed, err := exportSubmissionDraft(ctx, d)
 	if err != nil {
-		log.Printf("submission_drafts: export template fetch (draft=%s): %v", draftID, err)
-		writeJSON(w, http.StatusBadGateway, map[string]string{"error": "template upstream unreachable"})
-		return
-	}
-	docx, resolved, err := dbSvc.submissionDraft.Export(ctx, d, tplBytes)
-	if err != nil {
-		log.Printf("submission_drafts: export render (draft=%s): %v", draftID, err)
-		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "render failed"})
+		log.Printf("submission_drafts: export (draft=%s): %v", draftID, err)
+		writeSubmissionExportError(w, err)
 		return
 	}
 
@@ -523,7 +582,7 @@ func handleExportSubmissionDraft(w http.ResponseWriter, r *http.Request) {
 	if err := dbSvc.submissionDraft.MarkExported(bgCtx, d.ID, tplSHA); err != nil {
 		log.Printf("submission_drafts: mark exported (draft=%s): %v", draftID, err)
 	}
-	if err := writeSubmissionDraftAuditRow(bgCtx, resolved.User, d, filename, tplSHA); err != nil {
+	if err := writeSubmissionDraftAuditRow(bgCtx, resolved.User, d, filename, tplSHA, composerUsed); err != nil {
 		log.Printf("submission_drafts: audit insert failed (draft=%s): %v", draftID, err)
 	}
 	if err := writeSubmissionDraftProjectEvent(bgCtx, d, resolved, filename); err != nil {
@@ -538,6 +597,82 @@ func handleExportSubmissionDraft(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+// exportSubmissionDraft is the shared render entry point used by both
+// the project-scoped and global export handlers (t-paliad-313 Slice B).
+// Branches on draft.BaseID: if set AND the base + bytes resolve, the
+// Composer pipeline assembles the document; otherwise the v1
+// template-only path stays the fallback. composerUsed = true means the
+// metadata jsonb on the audit row carries "composer": true so admins
+// can tell the two paths apart in the feed.
+//
+// Returns (bytes, resolved-bag, templateSHA, composerUsed, err).
+func exportSubmissionDraft(ctx context.Context, d *services.SubmissionDraft) ([]byte, *services.SubmissionVarsResult, string, bool, error) {
+	if d.BaseID != nil && dbSvc.submissionBase != nil && dbSvc.submissionSection != nil && dbSvc.submissionComposer != nil {
+		base, err := dbSvc.submissionBase.GetByID(ctx, *d.BaseID)
+		switch {
+		case err == nil:
+			baseBytes, baseSHA, err := fetchComposerBaseBytes(ctx, base)
+			if err == nil {
+				sections, err := dbSvc.submissionSection.ListForDraft(ctx, d.ID)
+				if err != nil {
+					return nil, nil, "", false, fmt.Errorf("list sections: %w", err)
+				}
+				bag, resolved, err := dbSvc.submissionDraft.BuildRenderBag(ctx, d)
+				if err != nil {
+					return nil, nil, "", false, err
+				}
+				docx, err := dbSvc.submissionComposer.Compose(ctx, services.ComposeOptions{
+					Sections:  sections,
+					Base:      base,
+					BaseBytes: baseBytes,
+					Lang:      resolved.Lang,
+					Vars:      bag,
+					Missing:   services.DefaultMissingMarker(resolved.Lang),
+				})
+				if err != nil {
+					return nil, nil, "", false, fmt.Errorf("composer: %w", err)
+				}
+				return docx, resolved, baseSHA, true, nil
+			}
+			log.Printf("submission_drafts: composer base bytes fetch failed (draft=%s base=%s): %v — falling back to v1 path", d.ID, base.Slug, err)
+		case errors.Is(err, services.ErrBaseNotFound):
+			log.Printf("submission_drafts: composer base missing (draft=%s base_id=%s) — falling back to v1 path", d.ID, *d.BaseID)
+		default:
+			return nil, nil, "", false, fmt.Errorf("composer base lookup: %w", err)
+		}
+	}
+
+	// v1 fallback: template-only render via resolveSubmissionTemplate +
+	// SubmissionDraftService.Export. Unchanged behaviour for
+	// pre-Composer drafts.
+	tplBytes, tplSHA, _, err := resolveSubmissionTemplate(ctx, d.SubmissionCode, d.Language)
+	if err != nil {
+		return nil, nil, "", false, fmt.Errorf("template upstream: %w", err)
+	}
+	docx, resolved, err := dbSvc.submissionDraft.Export(ctx, d, tplBytes)
+	if err != nil {
+		return nil, nil, "", false, fmt.Errorf("render: %w", err)
+	}
+	return docx, resolved, tplSHA, false, nil
+}
+
+// writeSubmissionExportError maps a render-time error to an HTTP
+// response. The shape mirrors what the handlers used to inline.
+func writeSubmissionExportError(w http.ResponseWriter, err error) {
+	if err == nil {
+		return
+	}
+	msg := err.Error()
+	switch {
+	case strings.Contains(msg, "template upstream"):
+		writeJSON(w, http.StatusBadGateway, map[string]string{"error": "template upstream unreachable"})
+	case strings.Contains(msg, "composer:") || strings.Contains(msg, "render:") || strings.Contains(msg, "list sections"):
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "render failed"})
+	default:
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "render failed"})
+	}
+}
+
 // handleSubmissionDraftPage serves dist/submission-draft.html for the
 // dedicated draft editor at /projects/{id}/submissions/{code}/draft
 // (and …/draft/{draft_id}). Project visibility is enforced server-side
@@ -713,6 +848,11 @@ type globalDraftPatchInput struct {
 	// SelectedParties: present-but-empty array resets to "all parties",
 	// present non-empty array restricts to subset, absent = no change.
 	SelectedParties *[]uuid.UUID `json:"selected_parties,omitempty"`
+	// BaseID + baseIDProvided mirror the ProjectID pattern — present
+	// (regardless of value) means "set"; absent means "no change". Set
+	// by UnmarshalJSON. t-paliad-313 Composer Slice A.
+	BaseID         *uuid.UUID `json:"base_id,omitempty"`
+	baseIDProvided bool
 }
 
 func (g *globalDraftPatchInput) UnmarshalJSON(data []byte) error {
@@ -722,6 +862,7 @@ func (g *globalDraftPatchInput) UnmarshalJSON(data []byte) error {
 		Language        *string                  `json:"language,omitempty"`
 		ProjectID       *uuid.UUID               `json:"project_id,omitempty"`
 		SelectedParties *[]uuid.UUID             `json:"selected_parties,omitempty"`
+		BaseID          *uuid.UUID               `json:"base_id,omitempty"`
 	}
 	var a alias
 	if err := json.Unmarshal(data, &a); err != nil {
@@ -732,12 +873,15 @@ func (g *globalDraftPatchInput) UnmarshalJSON(data []byte) error {
 	g.Language = a.Language
 	g.ProjectID = a.ProjectID
 	g.SelectedParties = a.SelectedParties
-	// Detect whether "project_id" was present in the JSON object.
+	g.BaseID = a.BaseID
+	// Detect whether "project_id" / "base_id" were present in the JSON
+	// object.
 	var raw map[string]json.RawMessage
 	if err := json.Unmarshal(data, &raw); err != nil {
 		return err
 	}
 	_, g.projectIDProvided = raw["project_id"]
+	_, g.baseIDProvided = raw["base_id"]
 	return nil
 }
 
@@ -778,6 +922,10 @@ func handleGlobalPatchSubmissionDraft(w http.ResponseWriter, r *http.Request) {
 		pid := in.ProjectID // may be nil → detach
 		patch.ProjectID = &pid
 	}
+	if in.baseIDProvided {
+		bid := in.BaseID // may be nil → clear
+		patch.BaseID = &bid
+	}
 
 	d, err := dbSvc.submissionDraft.Update(r.Context(), uid, draftID, patch)
 	if err != nil {
@@ -890,16 +1038,10 @@ func handleGlobalExportSubmissionDraft(w http.ResponseWriter, r *http.Request) {
 		writeSubmissionDraftServiceError(w, err)
 		return
 	}
-	tplBytes, tplSHA, _, err := resolveSubmissionTemplate(ctx, d.SubmissionCode, d.Language)
+	docx, resolved, tplSHA, composerUsed, err := exportSubmissionDraft(ctx, d)
 	if err != nil {
-		log.Printf("submission_drafts: export template fetch (draft=%s): %v", draftID, err)
-		writeJSON(w, http.StatusBadGateway, map[string]string{"error": "template upstream unreachable"})
-		return
-	}
-	docx, resolved, err := dbSvc.submissionDraft.Export(ctx, d, tplBytes)
-	if err != nil {
-		log.Printf("submission_drafts: export render (draft=%s): %v", draftID, err)
-		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "render failed"})
+		log.Printf("submission_drafts: export (draft=%s): %v", draftID, err)
+		writeSubmissionExportError(w, err)
 		return
 	}
 
@@ -910,7 +1052,7 @@ func handleGlobalExportSubmissionDraft(w http.ResponseWriter, r *http.Request) {
 	if err := dbSvc.submissionDraft.MarkExported(bgCtx, d.ID, tplSHA); err != nil {
 		log.Printf("submission_drafts: mark exported (draft=%s): %v", draftID, err)
 	}
-	if err := writeSubmissionDraftAuditRow(bgCtx, resolved.User, d, filename, tplSHA); err != nil {
+	if err := writeSubmissionDraftAuditRow(bgCtx, resolved.User, d, filename, tplSHA, composerUsed); err != nil {
 		log.Printf("submission_drafts: audit insert failed (draft=%s): %v", draftID, err)
 	}
 	if err := writeSubmissionDraftProjectEvent(bgCtx, d, resolved, filename); err != nil {
@@ -952,6 +1094,30 @@ func buildSubmissionDraftView(ctx context.Context, d *services.SubmissionDraft,
 		Lang:             lang,
 		HasTemplate:      true,
 		AvailableParties: []submissionDraftPartyJSON{},
+		Sections:         []submissionSectionJSON{},
+	}
+
+	// Composer Slice A — surface seeded sections (read-only). Empty
+	// when the draft has no base + no section rows (pre-Composer
+	// drafts that haven't been auto-upgraded — that's Slice C).
+	if dbSvc.submissionSection != nil {
+		secs, err := dbSvc.submissionSection.ListForDraft(ctx, d.ID)
+		if err != nil {
+			return nil, err
+		}
+		for _, sec := range secs {
+			view.Sections = append(view.Sections, submissionSectionJSON{
+				ID:          sec.ID,
+				SectionKey:  sec.SectionKey,
+				OrderIndex:  sec.OrderIndex,
+				Kind:        sec.Kind,
+				LabelDE:     sec.LabelDE,
+				LabelEN:     sec.LabelEN,
+				Included:    sec.Included,
+				ContentMDDE: sec.ContentMDDE,
+				ContentMDEN: sec.ContentMDEN,
+			})
+		}
 	}
 
 	merged, resolved, err := dbSvc.submissionDraft.BuildRenderBag(ctx, d)
@@ -1135,6 +1301,10 @@ func draftToJSON(d *services.SubmissionDraft) submissionDraftJSON {
 	if lang == "" {
 		lang = "de"
 	}
+	meta := d.ComposerMeta
+	if meta == nil {
+		meta = map[string]any{}
+	}
 	return submissionDraftJSON{
 		ID:              d.ID,
 		ProjectID:       d.ProjectID,
@@ -1147,6 +1317,8 @@ func draftToJSON(d *services.SubmissionDraft) submissionDraftJSON {
 		LastExportedAt:  d.LastExportedAt,
 		LastExportedSHA: d.LastExportedSHA,
 		LastImportedAt:  d.LastImportedAt,
+		BaseID:          d.BaseID,
+		ComposerMeta:    meta,
 		CreatedAt:       d.CreatedAt,
 		UpdatedAt:       d.UpdatedAt,
 	}
@@ -1160,7 +1332,7 @@ func draftToJSON(d *services.SubmissionDraft) submissionDraftJSON {
 // 'user' with scope_root = draft.user_id; the audit feed therefore
 // surfaces these exports on the user's row rather than against a
 // (non-existent) project.
-func writeSubmissionDraftAuditRow(ctx context.Context, user *models.User, d *services.SubmissionDraft, filename, templateSHA string) error {
+func writeSubmissionDraftAuditRow(ctx context.Context, user *models.User, d *services.SubmissionDraft, filename, templateSHA string, composerUsed bool) error {
 	meta := map[string]any{
 		"submission_code": d.SubmissionCode,
 		"draft_id":        d.ID.String(),
@@ -1168,6 +1340,15 @@ func writeSubmissionDraftAuditRow(ctx context.Context, user *models.User, d *ser
 		"filename":        filename,
 		"template_sha":    templateSHA,
 	}
+	// t-paliad-313 Slice B — composer flag in metadata so admins can
+	// tell the two render paths apart in the audit feed without
+	// adding a new event_type.
+	if composerUsed {
+		meta["composer"] = true
+		if d.BaseID != nil {
+			meta["base_id"] = d.BaseID.String()
+		}
+	}
 	body, _ := json.Marshal(meta)
 	var (
 		actorID    any

internal/handlers/submission_sections.go

@@ -0,0 +1,148 @@
+package handlers
+
+// Submission section handlers — Composer Slice B (t-paliad-313). Backs
+// the inline editor on /projects/{id}/submissions/{code}/draft/{draft_id}
+// where the lawyer types prose into each section.
+//
+// Endpoint:
+//
+//   PATCH /api/submission-drafts/{draft_id}/sections/{section_id}
+//
+// Body shape (all fields optional — absent = no change):
+//
+//   {
+//     "content_md_de": "...",
+//     "content_md_en": "...",
+//     "included": true|false,
+//     "label_de": "...",
+//     "label_en": "...",
+//     "order_index": 3
+//   }
+//
+// Visibility: ownership of the draft is checked via
+// SubmissionDraftService.Get (404 on no-access), then the section is
+// fetched + verified to belong to that draft. The DB-side RLS policy
+// (mig 148) enforces the same gate independently.
+//
+// Returns 200 + the refreshed section row on success.
+//
+// This is global-scoped (no /projects/{id}/ prefix) because the
+// section's owning draft already carries the project_id; routing on
+// section_id alone keeps the URL shape stable across project-scoped
+// and project-less drafts.
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"time"
+
+	"mgit.msbls.de/m/paliad/internal/services"
+)
+
+// submissionSectionPatchInput is the JSON shape accepted by PATCH.
+type submissionSectionPatchInput struct {
+	ContentMDDE *string `json:"content_md_de,omitempty"`
+	ContentMDEN *string `json:"content_md_en,omitempty"`
+	Included    *bool   `json:"included,omitempty"`
+	LabelDE     *string `json:"label_de,omitempty"`
+	LabelEN     *string `json:"label_en,omitempty"`
+	OrderIndex  *int    `json:"order_index,omitempty"`
+}
+
+// submissionSectionPatchTimeout caps the round-trip.
+const submissionSectionPatchTimeout = 10 * time.Second
+
+func handlePatchSubmissionSection(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	if dbSvc.submissionDraft == nil || dbSvc.submissionSection == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "submission sections not configured"})
+		return
+	}
+	draftID, ok := parseUUIDPath(w, r, "draft_id", "draft id")
+	if !ok {
+		return
+	}
+	sectionID, ok := parseUUIDPath(w, r, "section_id", "section id")
+	if !ok {
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(r.Context(), submissionSectionPatchTimeout)
+	defer cancel()
+
+	// Owner-scope on the draft (RLS mirror; this gives us the typed
+	// 404 + the path for the "section belongs to a different draft"
+	// case below).
+	draft, err := dbSvc.submissionDraft.Get(ctx, uid, draftID)
+	if err != nil {
+		writeSubmissionDraftServiceError(w, err)
+		return
+	}
+
+	existing, err := dbSvc.submissionSection.Get(ctx, sectionID)
+	if err != nil {
+		if errors.Is(err, services.ErrSubmissionSectionNotFound) {
+			writeJSON(w, http.StatusNotFound, map[string]string{"error": "section not found"})
+			return
+		}
+		writeServiceError(w, err)
+		return
+	}
+	if existing.DraftID != draft.ID {
+		// Section exists but doesn't belong to this draft — surface as
+		// 404 to keep the "no fishing for foreign drafts" property.
+		writeJSON(w, http.StatusNotFound, map[string]string{"error": "section not found"})
+		return
+	}
+
+	var input submissionSectionPatchInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid JSON"})
+		return
+	}
+
+	patch := services.SectionPatch{
+		ContentMDDE: input.ContentMDDE,
+		ContentMDEN: input.ContentMDEN,
+		Included:    input.Included,
+		LabelDE:     input.LabelDE,
+		LabelEN:     input.LabelEN,
+		OrderIndex:  input.OrderIndex,
+	}
+	updated, err := dbSvc.submissionSection.Update(ctx, sectionID, patch)
+	if err != nil {
+		if errors.Is(err, services.ErrSubmissionSectionNotFound) {
+			writeJSON(w, http.StatusNotFound, map[string]string{"error": "section not found"})
+			return
+		}
+		writeServiceError(w, err)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, sectionJSONFromService(updated))
+}
+
+// sectionJSONFromService projects a services.SubmissionSection into the
+// JSON shape the editor consumes — the same shape buildSubmissionDraftView
+// emits under .sections[].
+func sectionJSONFromService(sec *services.SubmissionSection) submissionSectionJSON {
+	return submissionSectionJSON{
+		ID:          sec.ID,
+		SectionKey:  sec.SectionKey,
+		OrderIndex:  sec.OrderIndex,
+		Kind:        sec.Kind,
+		LabelDE:     sec.LabelDE,
+		LabelEN:     sec.LabelEN,
+		Included:    sec.Included,
+		ContentMDDE: sec.ContentMDDE,
+		ContentMDEN: sec.ContentMDEN,
+	}
+}

internal/handlers/submissions.go

@@ -200,7 +200,7 @@ func loadSubmissionCatalog(ctx context.Context, projectProceedingTypeID *int) ([
 		        pt.code                AS proceeding_code,
 		        pt.name                AS proceeding_name,
 		        pt.name_en             AS proceeding_name_en
-		   FROM paliad.deadline_rules dr
+		   FROM paliad.deadline_rules_unified dr
 		   JOIN paliad.proceeding_types pt ON pt.id = dr.proceeding_type_id
 		  WHERE dr.is_active = true
 		    AND dr.lifecycle_state = 'published'
@@ -208,7 +208,7 @@ func loadSubmissionCatalog(ctx context.Context, projectProceedingTypeID *int) ([
 		    AND dr.submission_code IS NOT NULL
 		    AND dr.submission_code <> ''
 		    AND pt.is_active = true
-		  ORDER BY pt.code ASC, dr.submission_code ASC`)
+		  ORDER BY pt.code ASC, dr.sequence_order ASC, dr.submission_code ASC`)
 	if err != nil {
 		return nil, nil, err
 	}

internal/models/models.go

@@ -4,63 +4,20 @@
 package models
 
 import (
-	"database/sql/driver"
 	"encoding/json"
-	"fmt"
 	"time"
 
 	"github.com/google/uuid"
 	"github.com/lib/pq"
+
+	"mgit.msbls.de/m/paliad/pkg/litigationplanner"
 )
 
-// NullableJSON is a jsonb column that may be NULL. json.RawMessage
-// (and *json.RawMessage) doesn't implement sql.Scanner, so a NULL value
-// from Postgres breaks the row scan with "unsupported Scan, storing
-// driver.Value type <nil> into type *json.RawMessage" — exactly the
-// error that hid every approval_request from the inbox when m's first
-// "create" lifecycle row arrived with NULL pre_image (m's dogfood
-// 2026-05-08 20:35). Using NullableJSON on every nullable jsonb column
-// fixes the scan and preserves inline JSON output (no base64 cast).
-type NullableJSON []byte
-
-func (n *NullableJSON) Scan(value any) error {
-	if value == nil {
-		*n = nil
-		return nil
-	}
-	switch v := value.(type) {
-	case []byte:
-		*n = append((*n)[:0], v...)
-		return nil
-	case string:
-		*n = []byte(v)
-		return nil
-	}
-	return fmt.Errorf("NullableJSON: unsupported scan type %T", value)
-}
-
-func (n NullableJSON) Value() (driver.Value, error) {
-	if len(n) == 0 {
-		return nil, nil
-	}
-	return []byte(n), nil
-}
-
-func (n NullableJSON) MarshalJSON() ([]byte, error) {
-	if len(n) == 0 {
-		return []byte("null"), nil
-	}
-	return []byte(n), nil
-}
-
-func (n *NullableJSON) UnmarshalJSON(data []byte) error {
-	if string(data) == "null" {
-		*n = nil
-		return nil
-	}
-	*n = append((*n)[:0], data...)
-	return nil
-}
+// NullableJSON is a jsonb column that may be NULL. Canonical definition
+// (with sql.Scanner / driver.Valuer / json.Marshaler / json.Unmarshaler)
+// lives in pkg/litigationplanner — kept here as a type alias so every
+// existing models.NullableJSON reference continues to compile.
+type NullableJSON = litigationplanner.NullableJSON
 
 // User extends auth.users with firm-specific profile fields. Created by the
 // Phase D onboarding flow; without a row here, the user can't see any Projects.
@@ -584,112 +541,10 @@ type Party struct {
 }
 
 // DeadlineRule is one rule in the proceeding-rule tree (UPC R.023, etc.).
-type DeadlineRule struct {
-	ID               uuid.UUID  `db:"id"                 json:"id"`
-	ProceedingTypeID *int       `db:"proceeding_type_id" json:"proceeding_type_id,omitempty"`
-	ParentID         *uuid.UUID `db:"parent_id"          json:"parent_id,omitempty"`
-	SubmissionCode   *string    `db:"submission_code"    json:"submission_code,omitempty"`
-	Name             string     `db:"name"               json:"name"`
-	NameEN           string     `db:"name_en"            json:"name_en"`
-	Description      *string    `db:"description"        json:"description,omitempty"`
-	PrimaryParty     *string    `db:"primary_party"      json:"primary_party,omitempty"`
-	EventType        *string    `db:"event_type"         json:"event_type,omitempty"`
-	DurationValue    int        `db:"duration_value"     json:"duration_value"`
-	DurationUnit     string     `db:"duration_unit"      json:"duration_unit"`
-	Timing           *string    `db:"timing"             json:"timing,omitempty"`
-	RuleCode         *string    `db:"rule_code"          json:"rule_code,omitempty"`
-	DeadlineNotes    *string    `db:"deadline_notes"     json:"deadline_notes,omitempty"`
-	DeadlineNotesEn  *string    `db:"deadline_notes_en"  json:"deadline_notes_en,omitempty"`
-	SequenceOrder    int        `db:"sequence_order"     json:"sequence_order"`
-	AltDurationValue *int       `db:"alt_duration_value" json:"alt_duration_value,omitempty"`
-	AltDurationUnit  *string    `db:"alt_duration_unit"  json:"alt_duration_unit,omitempty"`
-	AltRuleCode      *string    `db:"alt_rule_code"      json:"alt_rule_code,omitempty"`
-	AnchorAlt        *string    `db:"anchor_alt"         json:"anchor_alt,omitempty"`
-	ConceptID        *uuid.UUID `db:"concept_id"         json:"concept_id,omitempty"`
-	// ConceptDefaultEventTypeID is the canonical paliad.event_types row for
-	// this rule's concept (joined via paliad.deadline_concept_event_types
-	// where is_default = true). Lets the deadline create form auto-populate
-	// the Typ chip when the user picks this rule. Hydrated by the service
-	// layer; not a column. NULL when the concept has no mapped event_type.
-	ConceptDefaultEventTypeID *uuid.UUID `db:"-" json:"concept_default_event_type_id,omitempty"`
-	LegalSource      *string    `db:"legal_source"       json:"legal_source,omitempty"`
-	IsSpawn          bool       `db:"is_spawn"           json:"is_spawn"`
-	SpawnLabel       *string    `db:"spawn_label"        json:"spawn_label,omitempty"`
-	IsActive         bool       `db:"is_active"          json:"is_active"`
-	CreatedAt        time.Time  `db:"created_at"         json:"created_at"`
-	UpdatedAt        time.Time  `db:"updated_at"         json:"updated_at"`
-
-	// ---------------------------------------------------------------
-	// Phase 3 unified-rule columns (mig 078, t-paliad-182).
-	// Slice 9 (t-paliad-195) dropped the legacy IsMandatory /
-	// IsOptional / ConditionFlag / ConditionRuleID fields — they
-	// were superseded by Priority / ConditionExpr / IsCourtSet and
-	// the unified calculator no longer reads them.
-	// ---------------------------------------------------------------
-
-	// TriggerEventID points at paliad.trigger_events when this rule is
-	// event-rooted (Pipeline C unification, design §2.5). NULL on
-	// proceeding-rooted rules. Exactly one of (proceeding_type_id,
-	// trigger_event_id) is set after Slice 3.
-	TriggerEventID *int64 `db:"trigger_event_id" json:"trigger_event_id,omitempty"`
-
-	// SpawnProceedingTypeID is the cross-proceeding spawn target —
-	// when is_spawn=true and this is non-NULL, the calculator follows
-	// the FK and emits the target proceeding's root rule chain. Slice
-	// 7 backfills the 8 live is_spawn=true rows.
-	SpawnProceedingTypeID *int `db:"spawn_proceeding_type_id" json:"spawn_proceeding_type_id,omitempty"`
-
-	// CombineOp is 'max' or 'min' for composite-rule arithmetic
-	// (R.198 / R.213: "31d OR 20 working_days, whichever is longer").
-	// NULL = single-anchor arithmetic.
-	CombineOp *string `db:"combine_op" json:"combine_op,omitempty"`
-
-	// ConditionExpr is the jsonb gating expression replacing
-	// ConditionFlag (design §2.4). Grammar:
-	//   {"flag": "<name>"}
-	//   {"op":"and"|"or", "args":[<node>, ...]}
-	//   {"op":"not", "args":[<node>]}
-	// NULL or {} = unconditional. NullableJSON so a NULL column scans
-	// cleanly (the row mishap that hid approval rows from the inbox
-	// must not recur on rule rows).
-	ConditionExpr NullableJSON `db:"condition_expr" json:"condition_expr,omitempty"`
-
-	// Priority is the 4-way unified enum replacing
-	// (IsMandatory, IsOptional). Values: 'mandatory' (default),
-	// 'recommended', 'optional', 'informational'. Backfilled in
-	// Slice 2; legacy callers read IsMandatory + IsOptional until
-	// Slice 4 cuts them over.
-	Priority string `db:"priority" json:"priority"`
-
-	// IsCourtSet replaces the runtime heuristic
-	// (primary_party='court' OR event_type IN ('hearing','decision',
-	// 'order')). Backfilled in Slice 2; legacy callers read the
-	// heuristic until Slice 4.
-	IsCourtSet bool `db:"is_court_set" json:"is_court_set"`
-
-	// LifecycleState drives the rule-editor flow (design §4.2):
-	// 'draft' (admin work-in-progress) | 'published' (live, calculator-
-	// visible) | 'archived' (historical, retained for audit). Every
-	// pre-Slice-1 row defaults to 'published' via the migration.
-	LifecycleState string `db:"lifecycle_state" json:"lifecycle_state"`
-
-	// DraftOf points at the published rule this draft will replace on
-	// publish. NULL on published / archived rows. NULL also on net-
-	// new drafts that have no prior published peer.
-	DraftOf *uuid.UUID `db:"draft_of" json:"draft_of,omitempty"`
-
-	// PublishedAt records when the row entered LifecycleState='published'.
-	// NULL while draft, set on publish, retained through archive.
-	// Distinct from UpdatedAt (moves on every edit).
-	PublishedAt *time.Time `db:"published_at" json:"published_at,omitempty"`
-
-	// ChoicesOffered declares which per-event-card choice-kinds this
-	// rule offers on the Verfahrensablauf timeline (mig 129,
-	// t-paliad-265). NULL = no caret affordance (default). See the
-	// COMMENT on paliad.deadline_rules.choices_offered for the value
-	// shape. The engine and the frontend both read this column.
-	ChoicesOffered NullableJSON `db:"choices_offered" json:"choices_offered,omitempty"`
-}
+// Canonical definition lives in pkg/litigationplanner.Rule — kept here
+// as a type alias so every existing models.DeadlineRule reference (sqlx
+// scans, hydration, projection service) continues to compile.
+type DeadlineRule = litigationplanner.Rule
 
 // DeadlineRuleAudit is one row of paliad.deadline_rule_audit — the
 // append-only audit log for every change to paliad.deadline_rules.
@@ -721,43 +576,19 @@ type DeadlineRuleAudit struct {
 	MigrationExported bool `db:"migration_exported" json:"migration_exported"`
 }
 
-// ProceedingType is one of INF/REV/CCR/APM/APP/AMD/ZPO_CIVIL (matter
-// management) or the lowercase dot-separated fristenrechner codes
-// (upc.*.*, de.*.*, epa.*.*, dpma.*.*) — see
-// docs/design-proceeding-code-taxonomy-2026-05-18.md.
-type ProceedingType struct {
-	ID           int     `db:"id"             json:"id"`
-	Code         string  `db:"code"           json:"code"`
-	Name         string  `db:"name"           json:"name"`
-	NameEN       string  `db:"name_en"        json:"name_en"`
-	Description  *string `db:"description"    json:"description,omitempty"`
-	Jurisdiction *string `db:"jurisdiction"   json:"jurisdiction,omitempty"`
-	Category     *string `db:"category"       json:"category,omitempty"`
-	DefaultColor string  `db:"default_color"  json:"default_color"`
-	SortOrder    int     `db:"sort_order"     json:"sort_order"`
-	IsActive     bool    `db:"is_active"      json:"is_active"`
-	// TriggerEventLabel{DE,EN}: optional caption for /tools/verfahrensablauf
-	// "Auslösendes Ereignis". When set, overrides the proceedingName fallback
-	// that fires when no rule has IsRootEvent=true. Populated for UPC Appeal
-	// (mig 121) so the caption reads "Anfechtbare Entscheidung" /
-	// "Appealable Decision" instead of "Berufungsverfahren" / "Appeal".
-	// NULL on most proceedings — they already carry a root rule.
-	TriggerEventLabelDE *string `db:"trigger_event_label_de" json:"trigger_event_label_de,omitempty"`
-	TriggerEventLabelEN *string `db:"trigger_event_label_en" json:"trigger_event_label_en,omitempty"`
-}
+// ProceedingType is one of the litigation conceptual codes (INF / REV /
+// CCR / APM / APP / AMD / ZPO_CIVIL) or the lowercase dot-separated
+// fristenrechner codes (upc.*.*, de.*.*, epa.*.*, dpma.*.*) — see
+// docs/design-proceeding-code-taxonomy-2026-05-18.md. Canonical
+// definition lives in pkg/litigationplanner.ProceedingType — kept here
+// as a type alias so every existing models.ProceedingType reference
+// continues to compile.
+type ProceedingType = litigationplanner.ProceedingType
 
-// TriggerEvent is a UPC procedural event that can start one or more deadlines
-// running. Powers the "Was kommt nach…" Fristenrechner mode (event-driven
-// lookup, mirrored from youpc data.events).
-type TriggerEvent struct {
-	ID          int64     `db:"id"          json:"id"`
-	Code        string    `db:"code"        json:"code"`
-	Name        string    `db:"name"        json:"name"`
-	NameDE      string    `db:"name_de"     json:"name_de"`
-	Description string    `db:"description" json:"description"`
-	IsActive    bool      `db:"is_active"   json:"is_active"`
-	CreatedAt   time.Time `db:"created_at"  json:"created_at"`
-}
+// TriggerEvent is a UPC procedural event referenced by deadline rules
+// whose semantic anchor is an event rather than a parent rule.
+// Canonical definition lives in pkg/litigationplanner.TriggerEvent.
+type TriggerEvent = litigationplanner.TriggerEvent
 
 // EventDeadline is a single deadline that flows from a TriggerEvent. Mirrors
 // youpc data.deadlines + the trigger half of data.deadline_events.

internal/services/aichat_paliadin_stream.go

@@ -220,6 +220,14 @@ func (s *AichatPaliadinService) RunTurnStream(ctx context.Context, req TurnReque
 	}
 
 	if streamErr != nil {
+		// Aichat persona without streaming support — graceful fallback to
+		// the one-shot /chat/turn endpoint. Same body shape; we adapt the
+		// non-streaming response into a single StreamChunk so the caller
+		// sees identical event ordering.
+		if strings.Contains(streamErr.Error(), "unsupported_streaming") {
+			log.Printf("paliadin: persona %q lacks streaming support — falling back to one-shot turn %s", s.cfg.Persona, turnID)
+			return s.fallbackOneShotFromStream(ctx, turnID, body, events, startedAt, session)
+		}
 		// Don't overwrite an existing error_code we may have set above.
 		_ = s.markTurnError(ctx, turnID, classifyAichatError(streamErr))
 		return nil, streamErr
@@ -255,6 +263,80 @@ func (s *AichatPaliadinService) RunTurnStream(ctx context.Context, req TurnReque
 	}, nil
 }
 
+// fallbackOneShotFromStream runs the same `body` against aichat's
+// non-streaming /chat/turn endpoint and adapts the response into the
+// StreamingPaliadin contract — a single StreamChunk + StreamMeta +
+// StreamConversation, followed by `events` being closed by the
+// outer RunTurnStream's defer. Used when the configured persona doesn't
+// support streaming (aichat returns HTTP 400 unsupported_streaming).
+//
+// Identical persistence shape as the one-shot RunTurn: completeTurn +
+// markPrimed/clearPrimed. No new turn row (already inserted by
+// RunTurnStream). No primer rebuild (already in body).
+func (s *AichatPaliadinService) fallbackOneShotFromStream(
+	ctx context.Context,
+	turnID uuid.UUID,
+	body aichatTurnRequest,
+	events chan<- StreamEvent,
+	startedAt time.Time,
+	session string,
+) (*TurnResult, error) {
+	var resp aichatTurnResponse
+	if err := s.callHTTP(ctx, http.MethodPost, "/chat/turn", body, &resp); err != nil {
+		_ = s.markTurnError(ctx, turnID, classifyAichatError(err))
+		safeSendStream(ctx, events, StreamEvent{
+			Kind:    StreamError,
+			Code:    classifyAichatError(err),
+			Message: err.Error(),
+		})
+		return nil, err
+	}
+
+	if resp.PaneSpawned {
+		s.clearPrimed(session)
+	} else {
+		s.markPrimed(session)
+	}
+
+	cleanBody := resp.Response
+	tokens := approxTokenCount(cleanBody)
+	chipCount := countChips(cleanBody)
+	finished := time.Now().UTC()
+	durationMS := int(finished.Sub(startedAt) / time.Millisecond)
+
+	tmeta := trailerMeta{
+		UsedTools:     resp.Meta.UsedTools,
+		ClassifierTag: resp.Meta.ClassifierTag,
+		RowsSeen:      coerceAichatRowsSeen(resp.Meta.RowsSeen),
+	}
+
+	// Emit the response as a single chunk so the frontend renders it.
+	safeSendStream(ctx, events, StreamEvent{
+		Kind:    StreamChunk,
+		Content: cleanBody,
+	})
+	safeSendStream(ctx, events, StreamEvent{
+		Kind:          StreamMeta,
+		UsedTools:     tmeta.UsedTools,
+		ClassifierTag: tmeta.ClassifierTag,
+		RowsSeen:      tmeta.RowsSeen,
+	})
+
+	if err := s.completeTurn(ctx, turnID, finished, durationMS, cleanBody, tokens, tmeta, chipCount); err != nil {
+		log.Printf("paliadin: complete turn %s (fallback one-shot): %v", turnID, err)
+	}
+
+	return &TurnResult{
+		TurnID:        turnID,
+		Response:      cleanBody,
+		UsedTools:     tmeta.UsedTools,
+		RowsSeen:      tmeta.RowsSeen,
+		ChipCount:     chipCount,
+		ClassifierTag: tmeta.ClassifierTag,
+		DurationMS:    durationMS,
+	}, nil
+}
+
 // streamFrame is one decoded SSE event.
 type streamFrame struct {
 	event     string // "" → default (data:) event

internal/services/backup_service_live_test.go

@@ -0,0 +1,99 @@
+package services
+
+import (
+	"bytes"
+	"context"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+	_ "github.com/lib/pq"
+)
+
+// TestResolveOrgSheets_LiveSchemaSnapshot probes the live paliad schema
+// the way the backup runner does at the start of every run, then asserts
+// that every spec the registry declares either keeps all its ORDER BY
+// columns or — if any are missing — composes a fallback SELECT that the
+// DB can still execute. Catches the m/paliad#140 class of bug
+// (hardcoded ORDER BY against a renamed column) before deploy.
+//
+// Skipped when TEST_DATABASE_URL is unset. Read-only: opens a
+// REPEATABLE READ tx, never writes.
+func TestResolveOrgSheets_LiveSchemaSnapshot(t *testing.T) {
+	url := os.Getenv("TEST_DATABASE_URL")
+	if url == "" {
+		t.Skip("TEST_DATABASE_URL not set — skipping live DB test")
+	}
+	pool, err := sqlx.Connect("postgres", url)
+	if err != nil {
+		t.Fatalf("connect: %v", err)
+	}
+	defer pool.Close()
+
+	ctx := context.Background()
+	specs := orgSheetSpecs()
+	sheets, err := resolveOrgSheets(ctx, pool, specs)
+	if err != nil {
+		t.Fatalf("resolveOrgSheets: %v", err)
+	}
+	if len(sheets) != len(specs) {
+		t.Fatalf("resolved %d sheets, want %d", len(sheets), len(specs))
+	}
+
+	// Each resolved SELECT must run cleanly against the live schema.
+	// We LIMIT 1 inside a sub-SELECT so we don't materialise the full
+	// table (some are large) but still exercise the ORDER BY clause.
+	for _, sq := range sheets {
+		wrapped := `SELECT * FROM (` + sq.SQL + `) _wrap LIMIT 1`
+		if _, err := pool.QueryxContext(ctx, wrapped, sq.Args...); err != nil {
+			t.Errorf("sheet %q SQL failed: %v\nSQL: %s", sq.SheetName, err, sq.SQL)
+		}
+	}
+}
+
+// TestWriteOrg_LiveSmoke runs the full ExportService.WriteOrg pipeline
+// against a real DB: schema probe, REPEATABLE READ tx, every sheet
+// query, xlsx + json + per-sheet CSV assembly, outer zip framing.
+// Discards the bytes — this is a "does it crash" smoke, the bug class
+// it catches is exactly the one from m/paliad#140 (hardcoded ORDER BY
+// against a missing column).
+//
+// Skipped when TEST_DATABASE_URL is unset.
+func TestWriteOrg_LiveSmoke(t *testing.T) {
+	url := os.Getenv("TEST_DATABASE_URL")
+	if url == "" {
+		t.Skip("TEST_DATABASE_URL not set — skipping live DB test")
+	}
+	pool, err := sqlx.Connect("postgres", url)
+	if err != nil {
+		t.Fatalf("connect: %v", err)
+	}
+	defer pool.Close()
+
+	svc := NewExportService(pool, "test-firm")
+	var buf bytes.Buffer
+	meta, err := svc.WriteOrg(context.Background(), &buf, ExportSpec{
+		ActorID:    uuid.New(),
+		ActorEmail: "backup-smoke@test.local",
+		ActorLabel: "Backup Smoke",
+	})
+	if err != nil {
+		t.Fatalf("WriteOrg: %v", err)
+	}
+	if buf.Len() == 0 {
+		t.Fatalf("WriteOrg wrote no bytes")
+	}
+	// Spot-check meta fills.
+	if meta.Scope != ExportScopeOrg {
+		t.Errorf("meta.Scope = %q, want %q", meta.Scope, ExportScopeOrg)
+	}
+	if len(meta.RowCounts) != len(orgSheetSpecs()) {
+		t.Errorf("meta.RowCounts has %d entries, want %d (one per sheet)", len(meta.RowCounts), len(orgSheetSpecs()))
+	}
+	// The bytes are a zip; the first 4 bytes are PK\x03\x04 for a non-empty zip.
+	if buf.Len() >= 4 && !strings.HasPrefix(buf.String()[:4], "PK\x03\x04") {
+		t.Errorf("bundle bytes don't look like a zip (first bytes: %x)", buf.Bytes()[:4])
+	}
+}

internal/services/backup_service_test.go

@@ -6,8 +6,10 @@ package services
 // it would live in backup_service_live_test.go under TEST_DATABASE_URL.
 // This file covers the bits that don't need a database:
 //
-//   - orgSheetQueries registry shape: no duplicates, no excluded
+//   - orgSheetSpecs registry shape: no duplicates, no excluded
 //     paliadin sheets, predictable prefix split between entity and ref.
+//   - composeOrgSheetSQL drift-resistance: missing ORDER BY cols drop,
+//     SQL override path bypasses the builder, all-missing → no clause.
 //   - LocalDiskStore Put / Get / Delete round-trip, key validation,
 //     URI traversal rejection.
 
@@ -22,60 +24,216 @@ import (
 )
 
 // ---------------------------------------------------------------------------
-// orgSheetQueries registry
+// orgSheetSpecs registry
 // ---------------------------------------------------------------------------
 
-func TestOrgSheetQueries_NoDuplicates(t *testing.T) {
+func TestOrgSheetSpecs_NoDuplicates(t *testing.T) {
 	seen := map[string]bool{}
-	for _, sq := range orgSheetQueries() {
-		if seen[sq.SheetName] {
-			t.Fatalf("duplicate sheet name in orgSheetQueries: %q", sq.SheetName)
+	for _, sp := range orgSheetSpecs() {
+		if seen[sp.SheetName] {
+			t.Fatalf("duplicate sheet name in orgSheetSpecs: %q", sp.SheetName)
 		}
-		seen[sq.SheetName] = true
+		seen[sp.SheetName] = true
 	}
 }
 
-func TestOrgSheetQueries_ExcludesPaliadinTables(t *testing.T) {
+func TestOrgSheetSpecs_ExcludesPaliadinTables(t *testing.T) {
 	// m's t-paliad-214 Q5 decision + this design's §11 Q3 default:
 	// paliadin_turns and paliadin_aichat_conversation must be ABSENT
 	// from the registry (structural exclusion, not just column-drop).
-	for _, sq := range orgSheetQueries() {
-		name := sq.SheetName
+	for _, sp := range orgSheetSpecs() {
+		name := sp.SheetName
 		if strings.Contains(name, "paliadin") {
-			t.Fatalf("orgSheetQueries leaked paliadin sheet: %q (m's Q3 mandates structural exclusion)", name)
+			t.Fatalf("orgSheetSpecs leaked paliadin sheet: %q (m's Q3 mandates structural exclusion)", name)
 		}
-		// Belt-and-braces: SQL bodies should not reference the tables
-		// either (no UNION joins, no subqueries pulling them in).
-		if strings.Contains(sq.SQL, "paliadin_turns") || strings.Contains(sq.SQL, "paliadin_aichat_conversation") {
-			t.Fatalf("orgSheetQueries[%q] SQL references a paliadin table: %s", name, sq.SQL)
+		if strings.Contains(sp.Table, "paliadin") {
+			t.Fatalf("orgSheetSpecs[%q].Table references a paliadin table: %s", name, sp.Table)
+		}
+		// Belt-and-braces: SQL override bodies (the few sheets that
+		// bypass the Table+OrderBy builder) also can't pull paliadin
+		// tables in through UNION/subquery.
+		if strings.Contains(sp.SQL, "paliadin_turns") || strings.Contains(sp.SQL, "paliadin_aichat_conversation") {
+			t.Fatalf("orgSheetSpecs[%q] SQL references a paliadin table: %s", name, sp.SQL)
 		}
 	}
 }
 
-func TestOrgSheetQueries_RefSheetsPrefixed(t *testing.T) {
+func TestOrgSheetSpecs_RefSheetsPrefixed(t *testing.T) {
 	// Every sheet whose data is read-only reference material is
 	// expected to use the `ref__` prefix. The writer's downstream
 	// consumers rely on this convention to group reference data
 	// visually in the workbook.
-	for _, sq := range orgSheetQueries() {
-		if !strings.HasPrefix(sq.SheetName, "ref__") {
+	for _, sp := range orgSheetSpecs() {
+		if !strings.HasPrefix(sp.SheetName, "ref__") {
 			continue
 		}
 		// Reference sheets shouldn't carry per-row WHERE clauses (they
-		// dump the whole reference table for portability).
-		if strings.Contains(strings.ToUpper(sq.SQL), "WHERE") {
-			t.Fatalf("orgSheetQueries[%q] is ref__ but has a WHERE clause; reference sheets dump the whole table", sq.SheetName)
+		// dump the whole reference table for portability). Only
+		// applies to the SQL-override path; the Table+OrderBy builder
+		// never emits a WHERE.
+		if sp.SQL != "" && strings.Contains(strings.ToUpper(sp.SQL), "WHERE") {
+			t.Fatalf("orgSheetSpecs[%q] is ref__ but has a WHERE clause; reference sheets dump the whole table", sp.SheetName)
 		}
 	}
 }
 
-func TestOrgSheetQueries_OrderByForDeterminism(t *testing.T) {
-	// Every sheet must specify an ORDER BY so the byte-deterministic
-	// contract from t-paliad-214 §3 holds across runs.
-	for _, sq := range orgSheetQueries() {
-		if !strings.Contains(strings.ToUpper(sq.SQL), "ORDER BY") {
-			t.Fatalf("orgSheetQueries[%q] missing ORDER BY (determinism contract): %s", sq.SheetName, sq.SQL)
+func TestOrgSheetSpecs_OrderByForDeterminism(t *testing.T) {
+	// Every sheet must declare a stable sort: either OrderBy on the
+	// Table+OrderBy path, or ORDER BY in the SQL override. Keeps the
+	// byte-deterministic contract from t-paliad-214 §3 across runs.
+	//
+	// (Drift removes ORDER BY columns at runtime, but only ones that
+	// no longer exist in the schema — the spec-level declaration is
+	// still required so we know what *should* be ordered.)
+	for _, sp := range orgSheetSpecs() {
+		if sp.SQL != "" {
+			if !strings.Contains(strings.ToUpper(sp.SQL), "ORDER BY") {
+				t.Fatalf("orgSheetSpecs[%q] SQL override missing ORDER BY (determinism contract): %s", sp.SheetName, sp.SQL)
+			}
+			continue
 		}
+		if len(sp.OrderBy) == 0 {
+			t.Fatalf("orgSheetSpecs[%q] has no OrderBy and no SQL override (determinism contract)", sp.SheetName)
+		}
+	}
+}
+
+// ---------------------------------------------------------------------------
+// composeOrgSheetSQL — drift-resistant SQL builder
+// ---------------------------------------------------------------------------
+
+func TestComposeOrgSheetSQL_AllColumnsPresent(t *testing.T) {
+	spec := orgSheetSpec{
+		SheetName: "appointments",
+		Table:     "paliad.appointments",
+		OrderBy:   []string{"id"},
+	}
+	cols := map[string]map[string]struct{}{
+		"appointments": {"id": {}, "project_id": {}},
+	}
+	got, dropped := composeOrgSheetSQL(spec, cols)
+	want := "SELECT * FROM paliad.appointments ORDER BY id"
+	if got != want {
+		t.Fatalf("got SQL %q, want %q", got, want)
+	}
+	if len(dropped) != 0 {
+		t.Fatalf("expected no dropped columns, got %v", dropped)
+	}
+}
+
+func TestComposeOrgSheetSQL_DropsMissingOrderByColumn(t *testing.T) {
+	// The original bug from m/paliad#138 reproduced in unit form:
+	// orderBy references a column the table doesn't have.
+	spec := orgSheetSpec{
+		SheetName: "appointment_caldav_targets",
+		Table:     "paliad.appointment_caldav_targets",
+		OrderBy:   []string{"appointment_id", "calendar_binding_id"}, // wrong: real col is binding_id
+	}
+	cols := map[string]map[string]struct{}{
+		"appointment_caldav_targets": {
+			"appointment_id": {},
+			"binding_id":     {},
+		},
+	}
+	got, dropped := composeOrgSheetSQL(spec, cols)
+	want := "SELECT * FROM paliad.appointment_caldav_targets ORDER BY appointment_id"
+	if got != want {
+		t.Fatalf("got SQL %q, want %q", got, want)
+	}
+	if len(dropped) != 1 || dropped[0] != "calendar_binding_id" {
+		t.Fatalf("expected dropped=[calendar_binding_id], got %v", dropped)
+	}
+}
+
+func TestComposeOrgSheetSQL_AllOrderByMissing_NoClause(t *testing.T) {
+	// If every declared ORDER BY column is gone, the builder still
+	// produces a runnable SELECT — without ORDER BY. The export
+	// succeeds; the order across runs is no longer deterministic for
+	// this sheet until the spec is updated. WARN log alerts the
+	// operator (verified in TestResolveOrgSheets_LogsWarnings).
+	spec := orgSheetSpec{
+		SheetName: "ghost",
+		Table:     "paliad.ghost",
+		OrderBy:   []string{"missing_a", "missing_b"},
+	}
+	cols := map[string]map[string]struct{}{
+		"ghost": {"unrelated": {}},
+	}
+	got, dropped := composeOrgSheetSQL(spec, cols)
+	want := "SELECT * FROM paliad.ghost"
+	if got != want {
+		t.Fatalf("got SQL %q, want %q", got, want)
+	}
+	if len(dropped) != 2 {
+		t.Fatalf("expected 2 dropped columns, got %v", dropped)
+	}
+}
+
+func TestComposeOrgSheetSQL_SQLOverride_BypassesBuilder(t *testing.T) {
+	// When a sheet declares SQL, the builder MUST NOT touch it — even
+	// if the column knowledge would suggest a change. Custom
+	// projections (documents drops ai_extracted) and special-case
+	// joins both rely on this.
+	spec := orgSheetSpec{
+		SheetName: "documents",
+		Table:     "paliad.documents", // should be ignored
+		OrderBy:   []string{"id"},     // should be ignored
+		SQL:       "SELECT id, title FROM paliad.documents ORDER BY id",
+	}
+	cols := map[string]map[string]struct{}{
+		"documents": {}, // empty → would drop everything if builder ran
+	}
+	got, dropped := composeOrgSheetSQL(spec, cols)
+	if got != spec.SQL {
+		t.Fatalf("SQL override mutated: got %q, want %q", got, spec.SQL)
+	}
+	if len(dropped) != 0 {
+		t.Fatalf("override path should never report drops; got %v", dropped)
+	}
+}
+
+func TestComposeOrgSheetSQL_UnknownTable_DropsAllOrderBy(t *testing.T) {
+	// A table missing entirely from the schema snapshot is treated as
+	// "no columns known" — every ORDER BY column gets dropped, but
+	// the SELECT still emits (so a stale registry doesn't crash the
+	// backup; the operator gets WARNs to fix it).
+	spec := orgSheetSpec{
+		SheetName: "renamed_table",
+		Table:     "paliad.renamed_table",
+		OrderBy:   []string{"id"},
+	}
+	got, dropped := composeOrgSheetSQL(spec, map[string]map[string]struct{}{})
+	want := "SELECT * FROM paliad.renamed_table"
+	if got != want {
+		t.Fatalf("got SQL %q, want %q", got, want)
+	}
+	if len(dropped) != 1 || dropped[0] != "id" {
+		t.Fatalf("expected dropped=[id], got %v", dropped)
+	}
+}
+
+func TestComposeOrgSheetSQL_PreservesOrderByOrder(t *testing.T) {
+	// Multi-column OrderBy must keep its declared order, with kept
+	// columns concatenated in the same sequence. Determinism contract
+	// from t-paliad-214 §3 depends on this.
+	spec := orgSheetSpec{
+		SheetName: "partner_unit_members",
+		Table:     "paliad.partner_unit_members",
+		OrderBy:   []string{"partner_unit_id", "missing_middle", "user_id"},
+	}
+	cols := map[string]map[string]struct{}{
+		"partner_unit_members": {
+			"partner_unit_id": {},
+			"user_id":         {},
+		},
+	}
+	got, dropped := composeOrgSheetSQL(spec, cols)
+	want := "SELECT * FROM paliad.partner_unit_members ORDER BY partner_unit_id, user_id"
+	if got != want {
+		t.Fatalf("got SQL %q, want %q", got, want)
+	}
+	if len(dropped) != 1 || dropped[0] != "missing_middle" {
+		t.Fatalf("expected dropped=[missing_middle], got %v", dropped)
 	}
 }
 

internal/services/deadline_rule_service.go

@@ -35,10 +35,14 @@ const ruleColumns = `id, proceeding_type_id, parent_id, submission_code, name, n
 	created_at, updated_at,
 	trigger_event_id, spawn_proceeding_type_id, combine_op, condition_expr,
 	priority, is_court_set, lifecycle_state, draft_of, published_at,
-	choices_offered`
+	choices_offered, applies_to_target`
 
 const proceedingTypeColumns = `id, code, name, name_en, description, jurisdiction,
-	category, default_color, sort_order, is_active`
+	category, default_color, sort_order, is_active,
+	trigger_event_label_de, trigger_event_label_en,
+	appeal_target,
+	role_proactive_label_de, role_proactive_label_en,
+	role_reactive_label_de,  role_reactive_label_en`
 
 // List returns active rules, optionally filtered by proceeding type.
 // Each row has ConceptDefaultEventTypeID hydrated from
@@ -51,13 +55,13 @@ func (s *DeadlineRuleService) List(ctx context.Context, proceedingTypeID *int) (
 	if proceedingTypeID != nil {
 		err = s.db.SelectContext(ctx, &rules,
 			`SELECT `+ruleColumns+`
-			   FROM paliad.deadline_rules
+			   FROM paliad.deadline_rules_unified
 			  WHERE proceeding_type_id = $1 AND is_active = true
 			  ORDER BY sequence_order`, *proceedingTypeID)
 	} else {
 		err = s.db.SelectContext(ctx, &rules,
 			`SELECT `+ruleColumns+`
-			   FROM paliad.deadline_rules
+			   FROM paliad.deadline_rules_unified
 			  WHERE is_active = true
 			  ORDER BY proceeding_type_id, sequence_order`)
 	}
@@ -96,7 +100,7 @@ func (s *DeadlineRuleService) hydrateConceptDefaultEventTypes(ctx context.Contex
 	}
 	query, args, err := sqlx.In(
 		`SELECT dr.id AS rule_id, j.event_type_id
-		   FROM paliad.deadline_rules dr
+		   FROM paliad.deadline_rules_unified dr
 		   JOIN paliad.proceeding_types pt ON pt.id = dr.proceeding_type_id
 		   JOIN paliad.deadline_concept_event_types j
 		         ON j.concept_id = dr.concept_id
@@ -148,7 +152,7 @@ func (s *DeadlineRuleService) GetRuleTree(ctx context.Context, proceedingTypeCod
 	var rules []models.DeadlineRule
 	if err := s.db.SelectContext(ctx, &rules,
 		`SELECT `+ruleColumns+`
-		   FROM paliad.deadline_rules
+		   FROM paliad.deadline_rules_unified
 		  WHERE proceeding_type_id = $1 AND is_active = true
 		  ORDER BY sequence_order`, pt.ID); err != nil {
 		return nil, fmt.Errorf("list rules for %q: %w", proceedingTypeCode, err)
@@ -171,10 +175,10 @@ func (s *DeadlineRuleService) GetFullTimeline(ctx context.Context, proceedingTyp
 	var rules []models.DeadlineRule
 	err := s.db.SelectContext(ctx, &rules, `
 		WITH RECURSIVE tree AS (
-			SELECT * FROM paliad.deadline_rules
+			SELECT * FROM paliad.deadline_rules_unified
 			 WHERE proceeding_type_id = $1 AND parent_id IS NULL AND is_active = true
 			UNION ALL
-			SELECT dr.* FROM paliad.deadline_rules dr
+			SELECT dr.* FROM paliad.deadline_rules_unified dr
 			JOIN tree t ON dr.parent_id = t.id
 			WHERE dr.is_active = true
 		)
@@ -192,7 +196,7 @@ func (s *DeadlineRuleService) GetByIDs(ctx context.Context, ids []uuid.UUID) ([]
 	}
 	query, args, err := sqlx.In(
 		`SELECT `+ruleColumns+`
-		   FROM paliad.deadline_rules
+		   FROM paliad.deadline_rules_unified
 		  WHERE id IN (?) AND is_active = true
 		  ORDER BY sequence_order`, ids)
 	if err != nil {
@@ -207,6 +211,44 @@ func (s *DeadlineRuleService) GetByIDs(ctx context.Context, ids []uuid.UUID) ([]
 	return rules, nil
 }
 
+// LoadTriggerEventsByIDs bulk-loads paliad.trigger_events rows for the
+// given id set, keyed by id. Returns nil, nil for an empty input set so
+// callers can blindly forward whatever they accumulated. Inactive rows
+// are included — the conditional-label resolution in fristenrechner.go
+// surfaces the trigger event's display name even when the catalog row
+// has been retired, which is preferable to silently falling back to
+// the (wrong) parent_id name.
+//
+// Used by FristenrechnerService.Calculate to redirect a conditional
+// rule's "abhängig von …" chip from parent_id to trigger_event_id —
+// the actual semantic anchor for rules whose data-model parent is the
+// proceeding root but whose real trigger sits in the trigger_events
+// catalog (e.g. R.262(2) Erwiderung auf Vertraulichkeitsantrag → the
+// opposing party's confidentiality application). See m/paliad#126.
+func (s *DeadlineRuleService) LoadTriggerEventsByIDs(ctx context.Context, ids []int64) (map[int64]models.TriggerEvent, error) {
+	if len(ids) == 0 {
+		return nil, nil
+	}
+	query, args, err := sqlx.In(
+		`SELECT id, code, name, name_de, description, is_active, created_at
+		   FROM paliad.trigger_events
+		  WHERE id IN (?)`, ids)
+	if err != nil {
+		return nil, fmt.Errorf("build trigger_events IN query: %w", err)
+	}
+	query = s.db.Rebind(query)
+
+	var rows []models.TriggerEvent
+	if err := s.db.SelectContext(ctx, &rows, query, args...); err != nil {
+		return nil, fmt.Errorf("load trigger_events by ids %v: %w", ids, err)
+	}
+	out := make(map[int64]models.TriggerEvent, len(rows))
+	for _, r := range rows {
+		out[r.ID] = r
+	}
+	return out, nil
+}
+
 // ListByTriggerEvent returns active rules scoped to a single trigger
 // event — the Pipeline-C surface added by Phase 3 Slice 3 (mig 085).
 // These rules carry proceeding_type_id IS NULL (event-rooted) and have
@@ -222,7 +264,7 @@ func (s *DeadlineRuleService) ListByTriggerEvent(ctx context.Context, triggerEve
 	var rules []models.DeadlineRule
 	if err := s.db.SelectContext(ctx, &rules,
 		`SELECT `+ruleColumns+`
-		   FROM paliad.deadline_rules
+		   FROM paliad.deadline_rules_unified
 		  WHERE trigger_event_id = $1
 		    AND is_active = true
 		  ORDER BY sequence_order`, triggerEventID); err != nil {
@@ -250,7 +292,7 @@ func (s *DeadlineRuleService) ListByProceedingTypeIDs(ctx context.Context, ids [
 	}
 	query, args, err := sqlx.In(
 		`SELECT `+ruleColumns+`
-		   FROM paliad.deadline_rules
+		   FROM paliad.deadline_rules_unified
 		  WHERE proceeding_type_id IN (?)
 		    AND is_active = true
 		  ORDER BY proceeding_type_id, sequence_order`, ids)
@@ -285,7 +327,7 @@ func (s *DeadlineRuleService) ListByConcept(ctx context.Context, conceptID uuid.
 	var rules []models.DeadlineRule
 	if err := s.db.SelectContext(ctx, &rules,
 		`SELECT `+ruleColumns+`
-		   FROM paliad.deadline_rules
+		   FROM paliad.deadline_rules_unified
 		  WHERE concept_id = $1
 		    AND is_active = true
 		  ORDER BY proceeding_type_id NULLS LAST, sequence_order`, conceptID); err != nil {

internal/services/deadline_search_service.go

@@ -9,6 +9,8 @@ import (
 
 	"github.com/jmoiron/sqlx"
 	"github.com/lib/pq"
+
+	lp "mgit.msbls.de/m/paliad/pkg/litigationplanner"
 )
 
 // DeadlineSearchService backs the unified Fristenrechner search bar
@@ -921,130 +923,15 @@ func roundScore(v float64) float64 {
 	return float64(int(v*10000+0.5)) / 10000
 }
 
-// FormatLegalSourceDisplay renders a structured legal_source code into
-// the form HLC users read in pleadings:
-//
-//	UPC.RoP.23.1   → "UPC RoP R.23(1)"
-//	UPC.RoP.139    → "UPC RoP R.139"
-//	DE.PatG.82.1   → "PatG §82(1)"
-//	DE.ZPO.276.1   → "ZPO §276(1)"
-//	EU.EPÜ.108     → "EPÜ Art.108"
-//	EU.EPC-R.79.1  → "EPC R.79(1)"
-//	EU.RPBA.12.1.c → "RPBA Art.12(1)(c)"
-//
-// Returns the empty string for an empty input. Unknown jurisdictions
-// fall through with the structured form preserved (caller decides
-// whether to display).
+// FormatLegalSourceDisplay + BuildLegalSourceURL are canonically
+// defined in pkg/litigationplanner — kept here as thin re-exports so
+// the existing in-package + handler call-sites compile unchanged.
 func FormatLegalSourceDisplay(src string) string {
-	src = strings.TrimSpace(src)
-	if src == "" {
-		return ""
-	}
-	parts := strings.Split(src, ".")
-	if len(parts) < 3 {
-		// Malformed — return as-is so the caller still has something.
-		return src
-	}
-	code := parts[1]
-	rest := parts[2:]
-	var prefix string
-	switch code {
-	case "RoP":
-		prefix = "UPC RoP R."
-	case "PatG":
-		prefix = "PatG §"
-	case "ZPO":
-		prefix = "ZPO §"
-	case "EPÜ":
-		prefix = "EPÜ Art."
-	case "EPC-R":
-		prefix = "EPC R."
-	case "RPBA":
-		prefix = "RPBA Art."
-	default:
-		prefix = code + " "
-	}
-	var b strings.Builder
-	b.Grow(len(prefix) + len(src))
-	b.WriteString(prefix)
-	b.WriteString(rest[0])
-	for _, p := range rest[1:] {
-		b.WriteByte('(')
-		b.WriteString(p)
-		b.WriteByte(')')
-	}
-	return b.String()
+	return lp.FormatLegalSourceDisplay(src)
 }
 
-// BuildLegalSourceURL maps a structured legal_source code to a
-// youpc.org/laws permalink when the cited body is hosted there. Today
-// youpc only carries the UPC corpus (UPCA, UPCS, UPCRoP); DE national
-// codes (PatG, ZPO) and EPO bodies (EPÜ, EPC-R, RPBA) have no youpc
-// home yet, so the helper returns the empty string for those and the
-// caller renders the display string as plain text.
-//
-// Inputs mirror FormatLegalSourceDisplay — structured dot-separated
-// codes like UPC.RoP.23.1, UPC.UPCA.83. Sub-paragraph segments beyond
-// the law-number position are dropped; youpc resolves the page at
-// <type>.<number> granularity. The law-number is zero-padded to 3
-// digits to match how youpc stores law_number (laws-data.json carries
-// "001" / "023" / "220" forms).
-//
-// URL shape uses the hash-fragment form that youpc itself emits from
-// its laws-page redirect (handlers/laws.go:215+229) — the canonical
-// in-app deep link target. The `/laws/:type/:number` pretty route also
-// resolves the same page but redirects to the hash form anyway.
-//
-//	UPC.RoP.23.1   → https://youpc.org/laws#UPCRoP.023
-//	UPC.RoP.139    → https://youpc.org/laws#UPCRoP.139
-//	UPC.RoP.220.1  → https://youpc.org/laws#UPCRoP.220
-//	UPC.RoP.29.a   → https://youpc.org/laws#UPCRoP.029
-//	UPC.UPCA.83    → https://youpc.org/laws#UPCA.083
-//	DE.ZPO.276.1   → ""   (no youpc home — render display text plain)
 func BuildLegalSourceURL(src string) string {
-	src = strings.TrimSpace(src)
-	if src == "" {
-		return ""
-	}
-	parts := strings.Split(src, ".")
-	if len(parts) < 3 {
-		return ""
-	}
-	var lawType string
-	switch parts[0] + "." + parts[1] {
-	case "UPC.RoP":
-		lawType = "UPCRoP"
-	case "UPC.UPCA":
-		lawType = "UPCA"
-	case "UPC.UPCS":
-		lawType = "UPCS"
-	default:
-		return ""
-	}
-	number := padLawNumber(parts[2])
-	if number == "" {
-		return ""
-	}
-	return "https://youpc.org/laws#" + lawType + "." + number
-}
-
-// padLawNumber zero-pads a pure-digit law-number segment to 3 digits.
-// Non-digit-only inputs (e.g. "112a" if youpc ever ingests EPÜ Art.
-// 112a) pass through unchanged so the URL still resolves. Empty input
-// returns the empty string.
-func padLawNumber(s string) string {
-	if s == "" {
-		return ""
-	}
-	for _, c := range s {
-		if c < '0' || c > '9' {
-			return s
-		}
-	}
-	if len(s) >= 3 {
-		return s
-	}
-	return strings.Repeat("0", 3-len(s)) + s
+	return lp.BuildLegalSourceURL(src)
 }
 
 // RefreshSearchView re-populates the materialised view. Safe to call on

internal/services/deadline_service.go

@@ -272,7 +272,7 @@ func (s *DeadlineService) ListVisibleForUser(ctx context.Context, userID uuid.UU
 		       ar.requester_kind AS requester_kind
 		  FROM paliad.deadlines f
 		  JOIN paliad.projects p ON p.id = f.project_id
-		  LEFT JOIN paliad.deadline_rules r ON r.id = f.rule_id
+		  LEFT JOIN paliad.deadline_rules_unified r ON r.id = f.rule_id
 		  LEFT JOIN paliad.approval_requests ar ON ar.id = f.pending_request_id
 		 WHERE ` + strings.Join(conds, " AND ") + `
 		 ORDER BY f.due_date ASC, f.created_at DESC`
@@ -585,6 +585,16 @@ func (s *DeadlineService) Update(ctx context.Context, userID, deadlineID uuid.UU
 		if _, err := tx.ExecContext(ctx, query, args...); err != nil {
 			return nil, fmt.Errorf("update deadline: %w", err)
 		}
+		// Slice B.2 dual-write (t-paliad-305): if rule_id was in the
+		// patch (auto/custom swap from t-paliad-258), the parallel
+		// procedural_event_id + sequencing_rule_id columns must follow.
+		// Call unconditionally — it's a single UPDATE keyed on
+		// deadlineID and a no-op when rule_id is unchanged.
+		if input.RuleSet {
+			if err := syncDeadlineDualLinks(ctx, tx, deadlineID); err != nil {
+				return nil, err
+			}
+		}
 	}
 
 	if input.EventTypeIDs != nil && s.eventTypes != nil {

internal/services/dual_write.go

@@ -0,0 +1,392 @@
+// Slice B.2 dual-write (t-paliad-305 / m/paliad#93) — keep paliad's
+// new tables (procedural_events / sequencing_rules / legal_sources) in
+// lock-step with the legacy paliad.deadline_rules table during the
+// dual-write window. Mig 136 (Slice B.1) created the new tables and
+// backfilled them once. This file keeps them in sync going forward.
+//
+// Contract:
+//
+//   - Every RuleEditorService method that mutates paliad.deadline_rules
+//     calls syncDualWriteFromDeadlineRule(ctx, tx, id) inside the same
+//     transaction, AFTER the deadline_rules write, BEFORE tx.Commit.
+//   - The sync is idempotent (INSERT … ON CONFLICT … DO UPDATE) so the
+//     same call works for Create (new row), UpdateDraft (existing row),
+//     CloneAsDraft (new row referencing an old row), Publish (lifecycle
+//     flip), Archive/Restore (lifecycle flip), and the published-peer
+//     archive that Publish performs as a cascade.
+//   - The sync re-derives the new-table state from paliad.deadline_rules
+//     in pure SQL — no struct mapping in Go. The legacy table stays the
+//     source of truth during B.2 (B.3 flips reads, B.4 drops it).
+//   - Read paths still read deadline_rules in B.2. The new tables are a
+//     parallel projection kept consistent for B.3's read cutover; they
+//     are not yet authoritative.
+//
+// Why a per-row sync instead of a global trigger:
+//
+//   - The deadline_rules audit trigger (mig 079) reads paliad.audit_reason
+//     to record the rationale on every change. Putting the new-table
+//     write in the same TX preserves that auditability — set_config is
+//     transactional and the new writes share the same reason.
+//   - A Postgres-side AFTER UPDATE trigger on deadline_rules would also
+//     work but it's harder to test in isolation and harder to revert
+//     when B.4 drops the source table. A Go-side sync is reversible
+//     with a code revert; an SQL trigger needs a follow-up migration.
+//
+// The drift-check job (CheckDualWriteDrift below) runs daily and
+// alerts on mismatches. If the sync ever silently misses a row, the
+// drift check surfaces it inside one day.
+//
+// See docs/design-procedural-events-model-2026-05-25.md §5.2 (dual-write
+// phase) and docs/design-procedural-events-b0-findings-2026-05-26.md §7.
+package services
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+)
+
+// syncDualWriteFromDeadlineRule re-projects the deadline_rules row with
+// the given id into legal_sources + procedural_events + sequencing_rules.
+// Runs three UPSERT statements in the open transaction.
+//
+// Synthetic-code rule (for rows where deadline_rules.submission_code is
+// NULL) mirrors mig 136's backfill: 'null.' || first 8 hex chars of the
+// uuid (dashes stripped). This must stay byte-identical to the mig 136
+// expression or the lookup join inside the sequencing_rules UPSERT
+// misses.
+func syncDualWriteFromDeadlineRule(ctx context.Context, tx *sqlx.Tx, id uuid.UUID) error {
+	// 1. legal_sources — UPSERT the citation (no-op if already present).
+	//    jurisdiction is parsed from the first dot-separated segment;
+	//    'other' on empty (paranoid fallback, no live rows hit it).
+	if _, err := tx.ExecContext(ctx, `
+		INSERT INTO paliad.legal_sources (citation, jurisdiction)
+		SELECT dr.legal_source,
+		       COALESCE(NULLIF(split_part(dr.legal_source, '.', 1), ''), 'other')
+		  FROM paliad.deadline_rules dr
+		 WHERE dr.id = $1 AND dr.legal_source IS NOT NULL
+		ON CONFLICT (citation) DO NOTHING`, id); err != nil {
+		return fmt.Errorf("dual-write legal_sources for rule %s: %w", id, err)
+	}
+
+	// 2. procedural_events — UPSERT keyed by code. The code is the
+	//    submission_code if present, else the synthetic 'null.<8hex>'
+	//    minted from the deadline_rules row's id (matches mig 136).
+	//    legal_source_id is resolved by JOIN on legal_sources.citation
+	//    (NULL when the rule has no legal_source).
+	if _, err := tx.ExecContext(ctx, `
+		INSERT INTO paliad.procedural_events
+		    (code, name, name_en, description, event_kind,
+		     primary_party_default, legal_source_id, concept_id,
+		     lifecycle_state, published_at, is_active)
+		SELECT
+		    COALESCE(dr.submission_code,
+		             'null.' || substring(replace(dr.id::text, '-', ''), 1, 8)),
+		    dr.name, dr.name_en, dr.description, dr.event_type,
+		    dr.primary_party, ls.id, dr.concept_id,
+		    dr.lifecycle_state, dr.published_at, dr.is_active
+		  FROM paliad.deadline_rules dr
+		  LEFT JOIN paliad.legal_sources ls ON ls.citation = dr.legal_source
+		 WHERE dr.id = $1
+		ON CONFLICT (code) DO UPDATE SET
+		    name                  = EXCLUDED.name,
+		    name_en               = EXCLUDED.name_en,
+		    description           = EXCLUDED.description,
+		    event_kind            = EXCLUDED.event_kind,
+		    primary_party_default = EXCLUDED.primary_party_default,
+		    legal_source_id       = EXCLUDED.legal_source_id,
+		    concept_id            = EXCLUDED.concept_id,
+		    lifecycle_state       = EXCLUDED.lifecycle_state,
+		    published_at          = EXCLUDED.published_at,
+		    is_active             = EXCLUDED.is_active,
+		    updated_at            = now()`, id); err != nil {
+		return fmt.Errorf("dual-write procedural_events for rule %s: %w", id, err)
+	}
+
+	// 3. sequencing_rules — UPSERT keyed by id (1:1 inheritance from
+	//    deadline_rules.id). procedural_event_id resolved by JOIN on
+	//    the (real or synthetic) code. All hat-3 mechanics columns copy
+	//    1:1 from the deadline_rules row's post-write state.
+	if _, err := tx.ExecContext(ctx, `
+		INSERT INTO paliad.sequencing_rules
+		    (id, procedural_event_id, proceeding_type_id, parent_id, trigger_event_id,
+		     duration_value, duration_unit, timing,
+		     alt_duration_value, alt_duration_unit, alt_rule_code, anchor_alt,
+		     combine_op, condition_expr, primary_party, sequence_order,
+		     is_spawn, spawn_label, spawn_proceeding_type_id,
+		     is_bilateral, is_court_set, priority,
+		     rule_code, rule_codes, deadline_notes, deadline_notes_en,
+		     choices_offered, applies_to_target,
+		     lifecycle_state, draft_of, published_at, is_active,
+		     created_at, updated_at)
+		SELECT
+		    dr.id, pe.id,
+		    dr.proceeding_type_id, dr.parent_id, dr.trigger_event_id,
+		    dr.duration_value, dr.duration_unit, dr.timing,
+		    dr.alt_duration_value, dr.alt_duration_unit, dr.alt_rule_code, dr.anchor_alt,
+		    dr.combine_op, dr.condition_expr, dr.primary_party, dr.sequence_order,
+		    dr.is_spawn, dr.spawn_label, dr.spawn_proceeding_type_id,
+		    dr.is_bilateral, dr.is_court_set, dr.priority,
+		    dr.rule_code, dr.rule_codes, dr.deadline_notes, dr.deadline_notes_en,
+		    dr.choices_offered, dr.applies_to_target,
+		    dr.lifecycle_state, dr.draft_of, dr.published_at, dr.is_active,
+		    dr.created_at, dr.updated_at
+		  FROM paliad.deadline_rules dr
+		  JOIN paliad.procedural_events pe
+		    ON pe.code = COALESCE(dr.submission_code,
+		                          'null.' || substring(replace(dr.id::text, '-', ''), 1, 8))
+		 WHERE dr.id = $1
+		ON CONFLICT (id) DO UPDATE SET
+		    procedural_event_id      = EXCLUDED.procedural_event_id,
+		    proceeding_type_id       = EXCLUDED.proceeding_type_id,
+		    parent_id                = EXCLUDED.parent_id,
+		    trigger_event_id         = EXCLUDED.trigger_event_id,
+		    duration_value           = EXCLUDED.duration_value,
+		    duration_unit            = EXCLUDED.duration_unit,
+		    timing                   = EXCLUDED.timing,
+		    alt_duration_value       = EXCLUDED.alt_duration_value,
+		    alt_duration_unit        = EXCLUDED.alt_duration_unit,
+		    alt_rule_code            = EXCLUDED.alt_rule_code,
+		    anchor_alt               = EXCLUDED.anchor_alt,
+		    combine_op               = EXCLUDED.combine_op,
+		    condition_expr           = EXCLUDED.condition_expr,
+		    primary_party            = EXCLUDED.primary_party,
+		    sequence_order           = EXCLUDED.sequence_order,
+		    is_spawn                 = EXCLUDED.is_spawn,
+		    spawn_label              = EXCLUDED.spawn_label,
+		    spawn_proceeding_type_id = EXCLUDED.spawn_proceeding_type_id,
+		    is_bilateral             = EXCLUDED.is_bilateral,
+		    is_court_set             = EXCLUDED.is_court_set,
+		    priority                 = EXCLUDED.priority,
+		    rule_code                = EXCLUDED.rule_code,
+		    rule_codes               = EXCLUDED.rule_codes,
+		    deadline_notes           = EXCLUDED.deadline_notes,
+		    deadline_notes_en        = EXCLUDED.deadline_notes_en,
+		    choices_offered          = EXCLUDED.choices_offered,
+		    applies_to_target        = EXCLUDED.applies_to_target,
+		    lifecycle_state          = EXCLUDED.lifecycle_state,
+		    draft_of                 = EXCLUDED.draft_of,
+		    published_at             = EXCLUDED.published_at,
+		    is_active                = EXCLUDED.is_active,
+		    updated_at               = now()`, id); err != nil {
+		return fmt.Errorf("dual-write sequencing_rules for rule %s: %w", id, err)
+	}
+
+	return nil
+}
+
+// syncDeadlineDualLinks mirrors a deadline's legacy rule_id back-link
+// onto the new procedural_event_id + sequencing_rule_id columns added
+// by mig 136. Call this within an open transaction AFTER any UPDATE
+// that mutates paliad.deadlines.rule_id (mig 122 introduced rule_id
+// as the deadline→rule FK; today's writers are DeadlineService.Update
+// and RuleEditorService.ResolveOrphan).
+//
+// Idempotent: NULL rule_id collapses both new columns to NULL by virtue
+// of the subquery returning NULL. Slice B.2 (t-paliad-305).
+func syncDeadlineDualLinks(ctx context.Context, tx *sqlx.Tx, deadlineID uuid.UUID) error {
+	if _, err := tx.ExecContext(ctx, `
+		UPDATE paliad.deadlines d
+		   SET sequencing_rule_id  = d.rule_id,
+		       procedural_event_id = (
+		           SELECT sr.procedural_event_id
+		             FROM paliad.sequencing_rules sr
+		            WHERE sr.id = d.rule_id
+		       )
+		 WHERE d.id = $1`, deadlineID); err != nil {
+		return fmt.Errorf("sync deadline dual-links for %s: %w", deadlineID, err)
+	}
+	return nil
+}
+
+// DualWriteDriftReport summarises the comparison between the legacy
+// paliad.deadline_rules table and the new procedural_events /
+// sequencing_rules tables that B.2's dual-write is meant to keep in
+// sync. A zero-drift report (every count delta zero, every join clean)
+// is the steady state during the dual-write window; any non-zero field
+// is the signal that a write path either bypassed
+// syncDualWriteFromDeadlineRule or that an out-of-band mutation
+// happened (e.g. raw SQL run by an operator).
+type DualWriteDriftReport struct {
+	// Counts on the legacy and the projected side.
+	DeadlineRules    int `json:"deadline_rules"`
+	SequencingRules  int `json:"sequencing_rules"`
+	ProceduralEvents int `json:"procedural_events"`
+	LegalSources     int `json:"legal_sources"`
+
+	// Expected (from the legacy side) vs observed (on the new side).
+	ExpectedPE           int `json:"expected_procedural_events"`
+	ExpectedLegalSources int `json:"expected_legal_sources"`
+
+	// MissingSR — deadline_rules rows with no sequencing_rules row by id.
+	// OrphanedSR — sequencing_rules rows whose id doesn't exist in
+	// deadline_rules anymore (would only happen with a deletion path
+	// that bypasses dual-write).
+	MissingSR  int `json:"missing_sequencing_rules"`
+	OrphanedSR int `json:"orphaned_sequencing_rules"`
+
+	// MismatchedLifecycle — rows where deadline_rules.lifecycle_state
+	// disagrees with sequencing_rules.lifecycle_state. Should always be
+	// zero during dual-write.
+	MismatchedLifecycle int `json:"mismatched_lifecycle"`
+
+	// MismatchedActive — same shape, for is_active.
+	MismatchedActive int `json:"mismatched_active"`
+}
+
+// HasDrift returns true if any field signals divergence between the
+// legacy and projected sides. Used by the drift-check ticker to decide
+// whether to log at WARN (drift) or INFO (clean).
+func (r DualWriteDriftReport) HasDrift() bool {
+	if r.SequencingRules != r.DeadlineRules {
+		return true
+	}
+	if r.ProceduralEvents != r.ExpectedPE {
+		return true
+	}
+	if r.LegalSources != r.ExpectedLegalSources {
+		return true
+	}
+	if r.MissingSR != 0 || r.OrphanedSR != 0 {
+		return true
+	}
+	if r.MismatchedLifecycle != 0 || r.MismatchedActive != 0 {
+		return true
+	}
+	return false
+}
+
+// CheckDualWriteDrift compares the legacy paliad.deadline_rules table
+// against the parallel new tables maintained by Slice B.2's dual-write.
+// Returns a DualWriteDriftReport — caller decides what to do with
+// non-zero drift (log, page, fail healthcheck, etc.).
+//
+// Read-only. Safe to run against prod. Single query per metric so the
+// pool isn't held for a long time. No locks; tolerates concurrent
+// writes (counts may shift by one or two during the read, but a
+// persistent drift > 0 is the alarm signal).
+func CheckDualWriteDrift(ctx context.Context, conn *sqlx.DB) (*DualWriteDriftReport, error) {
+	var r DualWriteDriftReport
+
+	q := func(label, sql string, dst *int) error {
+		if err := conn.GetContext(ctx, dst, sql); err != nil {
+			return fmt.Errorf("drift-check %s: %w", label, err)
+		}
+		return nil
+	}
+
+	if err := q("dr_total", `SELECT COUNT(*) FROM paliad.deadline_rules`, &r.DeadlineRules); err != nil {
+		return nil, err
+	}
+	if err := q("sr_total", `SELECT COUNT(*) FROM paliad.sequencing_rules`, &r.SequencingRules); err != nil {
+		return nil, err
+	}
+	if err := q("pe_total", `SELECT COUNT(*) FROM paliad.procedural_events`, &r.ProceduralEvents); err != nil {
+		return nil, err
+	}
+	if err := q("ls_total", `SELECT COUNT(*) FROM paliad.legal_sources`, &r.LegalSources); err != nil {
+		return nil, err
+	}
+
+	if err := q("expected_pe", `
+		SELECT
+		  (SELECT COUNT(DISTINCT submission_code) FROM paliad.deadline_rules WHERE submission_code IS NOT NULL)
+		  +
+		  (SELECT COUNT(*) FROM paliad.deadline_rules WHERE submission_code IS NULL)
+	`, &r.ExpectedPE); err != nil {
+		return nil, err
+	}
+	if err := q("expected_ls",
+		`SELECT COUNT(DISTINCT legal_source) FROM paliad.deadline_rules WHERE legal_source IS NOT NULL`,
+		&r.ExpectedLegalSources); err != nil {
+		return nil, err
+	}
+
+	if err := q("missing_sr", `
+		SELECT COUNT(*) FROM paliad.deadline_rules dr
+		  LEFT JOIN paliad.sequencing_rules sr ON sr.id = dr.id
+		 WHERE sr.id IS NULL`, &r.MissingSR); err != nil {
+		return nil, err
+	}
+	if err := q("orphaned_sr", `
+		SELECT COUNT(*) FROM paliad.sequencing_rules sr
+		  LEFT JOIN paliad.deadline_rules dr ON dr.id = sr.id
+		 WHERE dr.id IS NULL`, &r.OrphanedSR); err != nil {
+		return nil, err
+	}
+
+	if err := q("mismatched_lifecycle", `
+		SELECT COUNT(*) FROM paliad.deadline_rules dr
+		  JOIN paliad.sequencing_rules sr ON sr.id = dr.id
+		 WHERE dr.lifecycle_state <> sr.lifecycle_state`, &r.MismatchedLifecycle); err != nil {
+		return nil, err
+	}
+	if err := q("mismatched_active", `
+		SELECT COUNT(*) FROM paliad.deadline_rules dr
+		  JOIN paliad.sequencing_rules sr ON sr.id = dr.id
+		 WHERE dr.is_active <> sr.is_active`, &r.MismatchedActive); err != nil {
+		return nil, err
+	}
+
+	return &r, nil
+}
+
+// StartDualWriteDriftCheckLoop runs CheckDualWriteDrift on a fixed
+// interval for the lifetime of ctx. A clean run logs at INFO level;
+// drift logs at WARN level with the full report payload. The first
+// check fires after `interval`, not immediately on Start — by the time
+// the ticker first fires the process has finished booting and the
+// initial backfill + dual-write writes have settled.
+//
+// Slice B.2 (t-paliad-305). interval should be short enough to surface
+// drift before the next deploy (so a broken dual-write doesn't sit
+// silent for a week) and long enough to avoid noise (the check holds
+// no locks but it does run nine SELECT COUNTs).
+//
+// Recommended interval: 6h. Override via the caller (cmd/server picks
+// the runtime value).
+func StartDualWriteDriftCheckLoop(ctx context.Context, conn *sqlx.DB, interval time.Duration) {
+	if interval <= 0 {
+		interval = 6 * time.Hour
+	}
+	go func() {
+		t := time.NewTicker(interval)
+		defer t.Stop()
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-t.C:
+				report, err := CheckDualWriteDrift(ctx, conn)
+				if err != nil {
+					log.Printf("dual-write drift-check: error: %v", err)
+					continue
+				}
+				if report.HasDrift() {
+					log.Printf("dual-write drift-check: DRIFT DETECTED — "+
+						"deadline_rules=%d sequencing_rules=%d "+
+						"procedural_events=%d (expected %d) "+
+						"legal_sources=%d (expected %d) "+
+						"missing_sr=%d orphaned_sr=%d "+
+						"mismatched_lifecycle=%d mismatched_active=%d",
+						report.DeadlineRules, report.SequencingRules,
+						report.ProceduralEvents, report.ExpectedPE,
+						report.LegalSources, report.ExpectedLegalSources,
+						report.MissingSR, report.OrphanedSR,
+						report.MismatchedLifecycle, report.MismatchedActive)
+				} else {
+					log.Printf("dual-write drift-check: OK — "+
+						"deadline_rules=%d sequencing_rules=%d "+
+						"procedural_events=%d legal_sources=%d",
+						report.DeadlineRules, report.SequencingRules,
+						report.ProceduralEvents, report.LegalSources)
+				}
+			}
+		}
+	}()
+}
+

internal/services/dual_write_test.go

@@ -0,0 +1,300 @@
+// Slice B.2 dual-write tests (t-paliad-305 / m/paliad#93).
+//
+// Asserts the parallel projection — paliad.procedural_events +
+// paliad.sequencing_rules + paliad.legal_sources — stays in lock-step
+// with paliad.deadline_rules through the full RuleEditorService
+// lifecycle. Skipped when TEST_DATABASE_URL is unset.
+
+package services
+
+import (
+	"context"
+	"os"
+	"testing"
+
+	"github.com/jmoiron/sqlx"
+	_ "github.com/lib/pq"
+
+	"mgit.msbls.de/m/paliad/internal/db"
+)
+
+// TestDualWrite_RuleEditorLifecycle walks Create → UpdateDraft →
+// CloneAsDraft → Publish → Archive → Restore on RuleEditorService and
+// after each operation asserts that paliad.sequencing_rules has the
+// 1:1 mirror, paliad.procedural_events carries the projected identity,
+// and paliad.legal_sources carries the citation.
+func TestDualWrite_RuleEditorLifecycle(t *testing.T) {
+	url := os.Getenv("TEST_DATABASE_URL")
+	if url == "" {
+		t.Skip("TEST_DATABASE_URL not set — skipping live DB test")
+	}
+	if err := db.ApplyMigrations(url); err != nil {
+		t.Fatalf("apply migrations: %v", err)
+	}
+	pool, err := sqlx.Connect("postgres", url)
+	if err != nil {
+		t.Fatalf("connect: %v", err)
+	}
+	defer pool.Close()
+
+	ctx := context.Background()
+	rules := NewDeadlineRuleService(pool)
+	svc := NewRuleEditorService(pool, rules)
+
+	cleanup := func() {
+		pool.ExecContext(ctx,
+			`SELECT set_config('paliad.audit_reason', 'slice b.2 test cleanup', true)`)
+		// Order matters: sequencing_rules → procedural_events → legal_sources
+		// (FK direction). deadline_rules cleanup last because mig 079 audit
+		// trigger captures the DELETE.
+		pool.ExecContext(ctx, `DELETE FROM paliad.sequencing_rules WHERE id IN (
+			SELECT id FROM paliad.deadline_rules WHERE name LIKE 'SLICEB2_TEST_%'
+		)`)
+		pool.ExecContext(ctx, `DELETE FROM paliad.procedural_events
+			WHERE code LIKE 'sliceb2.%' OR code LIKE 'null.sliceb2%'`)
+		pool.ExecContext(ctx, `DELETE FROM paliad.legal_sources
+			WHERE citation LIKE 'SLICEB2.%'`)
+		pool.ExecContext(ctx,
+			`DELETE FROM paliad.deadline_rules WHERE name LIKE 'SLICEB2_TEST_%'`)
+		pool.ExecContext(ctx,
+			`DELETE FROM paliad.proceeding_types WHERE code = 'SLICEB2_TEST_PT'`)
+	}
+	cleanup()
+	defer cleanup()
+
+	var ptID int
+	if err := pool.GetContext(ctx, &ptID, `
+		INSERT INTO paliad.proceeding_types (code, name, name_en, category, jurisdiction, is_active)
+		VALUES ('SLICEB2_TEST_PT', 'Slice B.2 Test PT', 'Slice B.2 Test PT', 'fristenrechner', 'UPC', true)
+		RETURNING id`); err != nil {
+		t.Fatalf("seed proceeding_type: %v", err)
+	}
+
+	subCode := "sliceb2.create"
+	legalSrc := "SLICEB2.PatG.1"
+
+	// 1. Create — assert the parallel rows land.
+	created, err := svc.Create(ctx, CreateRuleInput{
+		Name:             "SLICEB2_TEST_create",
+		NameEN:           "SLICEB2_TEST_create_EN",
+		ProceedingTypeID: &ptID,
+		SubmissionCode:   &subCode,
+		LegalSource:      &legalSrc,
+		DurationValue:    30,
+		DurationUnit:     "days",
+		Priority:         "mandatory",
+	}, "B.2 dual-write create test")
+	if err != nil {
+		t.Fatalf("Create: %v", err)
+	}
+
+	// legal_sources should now carry SLICEB2.PatG.1
+	var lsCount int
+	if err := pool.GetContext(ctx, &lsCount,
+		`SELECT COUNT(*) FROM paliad.legal_sources WHERE citation = $1`, legalSrc); err != nil {
+		t.Fatalf("query legal_sources: %v", err)
+	}
+	if lsCount != 1 {
+		t.Errorf("legal_sources after Create: got %d, want 1 for citation %q", lsCount, legalSrc)
+	}
+
+	// procedural_events should carry the submission_code
+	var peName, peLifecycle string
+	if err := pool.GetContext(ctx, &peName,
+		`SELECT name FROM paliad.procedural_events WHERE code = $1`, subCode); err != nil {
+		t.Fatalf("query procedural_events name: %v", err)
+	}
+	if peName != "SLICEB2_TEST_create" {
+		t.Errorf("procedural_events.name after Create: got %q, want %q", peName, "SLICEB2_TEST_create")
+	}
+	if err := pool.GetContext(ctx, &peLifecycle,
+		`SELECT lifecycle_state FROM paliad.procedural_events WHERE code = $1`, subCode); err != nil {
+		t.Fatalf("query procedural_events lifecycle: %v", err)
+	}
+	if peLifecycle != "draft" {
+		t.Errorf("procedural_events.lifecycle_state after Create: got %q, want %q", peLifecycle, "draft")
+	}
+
+	// sequencing_rules should have id = created.id and link to PE
+	var srCount, srMatchPE int
+	if err := pool.GetContext(ctx, &srCount,
+		`SELECT COUNT(*) FROM paliad.sequencing_rules WHERE id = $1`, created.ID); err != nil {
+		t.Fatalf("query sequencing_rules count: %v", err)
+	}
+	if srCount != 1 {
+		t.Errorf("sequencing_rules row after Create: got %d, want 1 for id %s", srCount, created.ID)
+	}
+	if err := pool.GetContext(ctx, &srMatchPE, `
+		SELECT COUNT(*) FROM paliad.sequencing_rules sr
+		  JOIN paliad.procedural_events pe ON pe.id = sr.procedural_event_id
+		 WHERE sr.id = $1 AND pe.code = $2`, created.ID, subCode); err != nil {
+		t.Fatalf("query sr→pe join: %v", err)
+	}
+	if srMatchPE != 1 {
+		t.Errorf("sequencing_rules.procedural_event_id after Create: got %d join hits, want 1", srMatchPE)
+	}
+
+	// 2. UpdateDraft — change name + legal_source. Assert propagation.
+	newName := "SLICEB2_TEST_updated"
+	newLegal := "SLICEB2.ZPO.2"
+	_, err = svc.UpdateDraft(ctx, created.ID, RulePatch{
+		Name:        &newName,
+		LegalSource: &newLegal,
+	}, "B.2 dual-write update test")
+	if err != nil {
+		t.Fatalf("UpdateDraft: %v", err)
+	}
+
+	var afterName string
+	if err := pool.GetContext(ctx, &afterName,
+		`SELECT name FROM paliad.procedural_events WHERE code = $1`, subCode); err != nil {
+		t.Fatalf("query pe.name post-update: %v", err)
+	}
+	if afterName != newName {
+		t.Errorf("procedural_events.name after UpdateDraft: got %q, want %q", afterName, newName)
+	}
+
+	// New citation must appear in legal_sources, and procedural_events.legal_source_id
+	// must point at it (idempotent UPSERT — the old SLICEB2.PatG.1 row stays).
+	var pePointsAtNewLegal int
+	if err := pool.GetContext(ctx, &pePointsAtNewLegal, `
+		SELECT COUNT(*) FROM paliad.procedural_events pe
+		  JOIN paliad.legal_sources ls ON ls.id = pe.legal_source_id
+		 WHERE pe.code = $1 AND ls.citation = $2`, subCode, newLegal); err != nil {
+		t.Fatalf("query pe→ls join: %v", err)
+	}
+	if pePointsAtNewLegal != 1 {
+		t.Errorf("procedural_events.legal_source_id after UpdateDraft: got %d hits, want 1", pePointsAtNewLegal)
+	}
+
+	// 3. Publish — flip to published. Assert lifecycle mirror.
+	_, err = svc.Publish(ctx, created.ID, "B.2 dual-write publish test")
+	if err != nil {
+		t.Fatalf("Publish: %v", err)
+	}
+	var srLifecycle, peLifecycleAfterPub string
+	if err := pool.GetContext(ctx, &srLifecycle,
+		`SELECT lifecycle_state FROM paliad.sequencing_rules WHERE id = $1`, created.ID); err != nil {
+		t.Fatalf("query sr.lifecycle: %v", err)
+	}
+	if srLifecycle != "published" {
+		t.Errorf("sequencing_rules.lifecycle_state after Publish: got %q, want %q", srLifecycle, "published")
+	}
+	if err := pool.GetContext(ctx, &peLifecycleAfterPub,
+		`SELECT lifecycle_state FROM paliad.procedural_events WHERE code = $1`, subCode); err != nil {
+		t.Fatalf("query pe.lifecycle post-publish: %v", err)
+	}
+	if peLifecycleAfterPub != "published" {
+		t.Errorf("procedural_events.lifecycle_state after Publish: got %q, want %q", peLifecycleAfterPub, "published")
+	}
+
+	// 4. Archive — flip to archived. Assert mirror.
+	_, err = svc.Archive(ctx, created.ID, "B.2 dual-write archive test")
+	if err != nil {
+		t.Fatalf("Archive: %v", err)
+	}
+	var srLifecycleArchived string
+	if err := pool.GetContext(ctx, &srLifecycleArchived,
+		`SELECT lifecycle_state FROM paliad.sequencing_rules WHERE id = $1`, created.ID); err != nil {
+		t.Fatalf("query sr.lifecycle post-archive: %v", err)
+	}
+	if srLifecycleArchived != "archived" {
+		t.Errorf("sequencing_rules.lifecycle_state after Archive: got %q, want %q", srLifecycleArchived, "archived")
+	}
+
+	// 5. Drift check should return zero drift right after the dance.
+	report, err := CheckDualWriteDrift(ctx, pool)
+	if err != nil {
+		t.Fatalf("CheckDualWriteDrift: %v", err)
+	}
+	if report.HasDrift() {
+		t.Errorf("CheckDualWriteDrift unexpectedly flagged drift: %+v", report)
+	}
+}
+
+// TestDualWrite_SyntheticCodeForNullSubmission asserts that a rule
+// created with submission_code=NULL gets a synthetic 'null.<8hex>'
+// procedural_events row matching mig 136's mint expression — so a new
+// draft without a code participates in the dual-write contract without
+// colliding with any code-bearing rule.
+func TestDualWrite_SyntheticCodeForNullSubmission(t *testing.T) {
+	url := os.Getenv("TEST_DATABASE_URL")
+	if url == "" {
+		t.Skip("TEST_DATABASE_URL not set — skipping live DB test")
+	}
+	if err := db.ApplyMigrations(url); err != nil {
+		t.Fatalf("apply migrations: %v", err)
+	}
+	pool, err := sqlx.Connect("postgres", url)
+	if err != nil {
+		t.Fatalf("connect: %v", err)
+	}
+	defer pool.Close()
+
+	ctx := context.Background()
+	rules := NewDeadlineRuleService(pool)
+	svc := NewRuleEditorService(pool, rules)
+
+	cleanup := func() {
+		pool.ExecContext(ctx, `SELECT set_config('paliad.audit_reason', 'slice b.2 null-code cleanup', true)`)
+		pool.ExecContext(ctx, `DELETE FROM paliad.sequencing_rules WHERE id IN (
+			SELECT id FROM paliad.deadline_rules WHERE name = 'SLICEB2_TEST_nullcode'
+		)`)
+		// Synthetic PE rows are keyed off the rule's uuid; delete by name reference.
+		pool.ExecContext(ctx, `DELETE FROM paliad.procedural_events
+			WHERE code IN (
+			  SELECT 'null.' || substring(replace(id::text, '-', ''), 1, 8)
+			    FROM paliad.deadline_rules WHERE name = 'SLICEB2_TEST_nullcode'
+			)`)
+		pool.ExecContext(ctx, `DELETE FROM paliad.deadline_rules WHERE name = 'SLICEB2_TEST_nullcode'`)
+		pool.ExecContext(ctx, `DELETE FROM paliad.proceeding_types WHERE code = 'SLICEB2_NC_PT'`)
+	}
+	cleanup()
+	defer cleanup()
+
+	var ptID int
+	if err := pool.GetContext(ctx, &ptID, `
+		INSERT INTO paliad.proceeding_types (code, name, name_en, category, jurisdiction, is_active)
+		VALUES ('SLICEB2_NC_PT', 'NC PT', 'NC PT', 'fristenrechner', 'UPC', true)
+		RETURNING id`); err != nil {
+		t.Fatalf("seed proceeding_type: %v", err)
+	}
+
+	created, err := svc.Create(ctx, CreateRuleInput{
+		Name:             "SLICEB2_TEST_nullcode",
+		NameEN:           "SLICEB2_TEST_nullcode_EN",
+		ProceedingTypeID: &ptID,
+		// SubmissionCode intentionally NIL → tests the synthetic-code branch.
+		DurationValue: 5,
+		DurationUnit:  "days",
+		Priority:      "mandatory",
+	}, "B.2 dual-write null-code test")
+	if err != nil {
+		t.Fatalf("Create: %v", err)
+	}
+
+	// Compute the expected synthetic code in the same way mig 136 / the
+	// dual-write helper do — keep the expression in lock-step with the
+	// SQL via this Go-side mirror.
+	var expectedCode string
+	if err := pool.GetContext(ctx, &expectedCode,
+		`SELECT 'null.' || substring(replace(id::text, '-', ''), 1, 8)
+		   FROM paliad.deadline_rules WHERE id = $1`, created.ID); err != nil {
+		t.Fatalf("compute expected synthetic code: %v", err)
+	}
+
+	var actualCode string
+	if err := pool.GetContext(ctx, &actualCode, `
+		SELECT pe.code
+		  FROM paliad.procedural_events pe
+		  JOIN paliad.sequencing_rules sr ON sr.procedural_event_id = pe.id
+		 WHERE sr.id = $1`, created.ID); err != nil {
+		t.Fatalf("query procedural_events via sequencing_rules: %v", err)
+	}
+	if actualCode != expectedCode {
+		t.Errorf("synthetic code mismatch: got %q, want %q", actualCode, expectedCode)
+	}
+	if len(actualCode) != len("null.")+8 {
+		t.Errorf("synthetic code length: got %d, want 13 (null.+8hex)", len(actualCode))
+	}
+}

internal/services/event_deadline_service.go

@@ -168,7 +168,7 @@ func (s *EventDeadlineService) Calculate(ctx context.Context, triggerEventID int
 		       COALESCE(timing, 'after') AS timing,
 		       deadline_notes, deadline_notes_en, alt_duration_value, alt_duration_unit,
 		       combine_op, rule_codes
-		  FROM paliad.deadline_rules
+		  FROM paliad.deadline_rules_unified
 		 WHERE trigger_event_id = $1 AND is_active = true
 		 ORDER BY sequence_order`, triggerEventID)
 	if err != nil {

internal/services/export_service.go

@@ -46,6 +46,7 @@ import (
 	"encoding/csv"
 	"fmt"
 	"io"
+	"log/slog"
 	"regexp"
 	"sort"
 	"strings"
@@ -297,7 +298,10 @@ func (s *ExportService) WriteOrg(ctx context.Context, w io.Writer, spec ExportSp
 	// is just bookkeeping that releases the snapshot.
 	defer func() { _ = tx.Rollback() }()
 
-	sheets := orgSheetQueries()
+	sheets, err := resolveOrgSheets(ctx, tx, orgSheetSpecs())
+	if err != nil {
+		return meta, err
+	}
 	if err := s.writeBundle(ctx, tx, w, sheets, &meta); err != nil {
 		return meta, err
 	}
@@ -1138,7 +1142,7 @@ func personalSheetQueries(actorID uuid.UUID) []sheetQuery {
 		},
 		{
 			SheetName: "ref__deadline_rules",
-			SQL:       `SELECT * FROM paliad.deadline_rules ORDER BY id`,
+			SQL:       `SELECT * FROM paliad.deadline_rules_unified ORDER BY id`,
 		},
 		{
 			SheetName: "ref__deadline_concepts",
@@ -1518,7 +1522,7 @@ SELECT 'partner_unit_default'::text AS source,
 		{SheetName: "ref__proceeding_types", SQL: `SELECT * FROM paliad.proceeding_types ORDER BY id`},
 		{SheetName: "ref__event_types", SQL: `SELECT * FROM paliad.event_types ORDER BY id`},
 		{SheetName: "ref__event_categories", SQL: `SELECT * FROM paliad.event_categories ORDER BY id`},
-		{SheetName: "ref__deadline_rules", SQL: `SELECT * FROM paliad.deadline_rules ORDER BY id`},
+		{SheetName: "ref__deadline_rules", SQL: `SELECT * FROM paliad.deadline_rules_unified ORDER BY id`},
 		{SheetName: "ref__deadline_concepts", SQL: `SELECT * FROM paliad.deadline_concepts ORDER BY id`},
 		{SheetName: "ref__courts", SQL: `SELECT * FROM paliad.courts ORDER BY id`},
 		{SheetName: "ref__countries", SQL: `SELECT * FROM paliad.countries ORDER BY code`},
@@ -1560,73 +1564,249 @@ SELECT 'partner_unit_default'::text AS source,
 // secret|token|password|api_key|private_key on every sheet as a
 // belt-and-braces filter. user_caldav_config.password_encrypted is
 // explicitly named in DropColumns too.
-func orgSheetQueries() []sheetQuery {
-	return []sheetQuery{
+//
+// Drift-resistance (m/paliad#140): each spec declares its desired
+// ORDER BY columns as a list. At backup time the exporter probes
+// information_schema.columns for the live schema; any ORDER BY column
+// that no longer exists is dropped (logged WARN). This way a column
+// rename or removal never breaks a backup — the worst case is a sheet
+// that loses sort stability until the spec is updated. A sheet whose
+// ORDER BY columns are all gone still exports, just in pg's natural
+// (unspecified) order.
+//
+// Custom column projections (e.g. documents drops ai_extracted) live
+// in the SQL override field; if set, it bypasses the Table+OrderBy
+// builder entirely. Use it sparingly — every override re-introduces
+// drift risk for that sheet.
+
+// orgSheetSpec declares one org-scope sheet for the drift-resistant
+// builder. Either set SQL (free-form override) or set Table+OrderBy
+// (let the builder compose `SELECT * FROM <Table> ORDER BY <existing>`).
+type orgSheetSpec struct {
+	// SheetName lands in the workbook sheet and the JSON top-level key.
+	SheetName string
+	// Table is schema-qualified (e.g. "paliad.appointments"). Used only
+	// when SQL is empty. The schema/table form must be valid SQL
+	// identifiers — the builder splits on the dot, no quoting.
+	Table string
+	// OrderBy is the *desired* sort columns. Missing columns are
+	// dropped silently-with-a-WARN at build time; remaining columns
+	// keep their declared order. Empty/all-missing → no ORDER BY (still
+	// deterministic-within-a-snapshot under the REPEATABLE READ tx, but
+	// the order across runs may differ).
+	OrderBy []string
+	// SQL is an explicit override; if non-empty, Table+OrderBy are
+	// ignored entirely. Use only when the projection cannot be
+	// expressed as SELECT * (e.g. documents drops the ai_extracted
+	// jsonb column).
+	SQL string
+	// Args are positional arguments. Only meaningful with SQL override;
+	// the Table+OrderBy path takes no args.
+	Args []any
+	// DropColumns is an explicit list of column names to drop from the
+	// result regardless of the PII deny-regex.
+	DropColumns []string
+}
+
+func orgSheetSpecs() []orgSheetSpec {
+	return []orgSheetSpec{
 		// --- entity sheets (alphabetical) ---
-		{SheetName: "appointment_caldav_targets", SQL: `SELECT * FROM paliad.appointment_caldav_targets ORDER BY appointment_id, calendar_binding_id`},
-		{SheetName: "appointments", SQL: `SELECT * FROM paliad.appointments ORDER BY id`},
-		{SheetName: "approval_policies", SQL: `SELECT * FROM paliad.approval_policies ORDER BY id`},
-		{SheetName: "approval_requests", SQL: `SELECT * FROM paliad.approval_requests ORDER BY id`},
+		{SheetName: "appointment_caldav_targets", Table: "paliad.appointment_caldav_targets", OrderBy: []string{"appointment_id", "binding_id"}},
+		{SheetName: "appointments", Table: "paliad.appointments", OrderBy: []string{"id"}},
+		{SheetName: "approval_policies", Table: "paliad.approval_policies", OrderBy: []string{"id"}},
+		{SheetName: "approval_requests", Table: "paliad.approval_requests", OrderBy: []string{"id"}},
 		// backups is self-reflexive — including it makes "what backups
 		// have we taken" recoverable from any prior backup. Tiny table.
-		{SheetName: "backups", SQL: `SELECT * FROM paliad.backups ORDER BY started_at, id`},
-		{SheetName: "caldav_sync_log", SQL: `SELECT * FROM paliad.caldav_sync_log ORDER BY occurred_at, id`},
-		{SheetName: "checklist_instances", SQL: `SELECT * FROM paliad.checklist_instances ORDER BY id`},
-		{SheetName: "checklist_shares", SQL: `SELECT * FROM paliad.checklist_shares ORDER BY id`},
-		{SheetName: "checklists", SQL: `SELECT * FROM paliad.checklists ORDER BY id`},
-		{SheetName: "deadline_rule_audit", SQL: `SELECT * FROM paliad.deadline_rule_audit ORDER BY changed_at, id`},
-		{SheetName: "deadlines", SQL: `SELECT * FROM paliad.deadlines ORDER BY id`},
+		{SheetName: "backups", Table: "paliad.backups", OrderBy: []string{"started_at", "id"}},
+		{SheetName: "caldav_sync_log", Table: "paliad.caldav_sync_log", OrderBy: []string{"occurred_at", "id"}},
+		{SheetName: "checklist_instances", Table: "paliad.checklist_instances", OrderBy: []string{"id"}},
+		{SheetName: "checklist_shares", Table: "paliad.checklist_shares", OrderBy: []string{"id"}},
+		{SheetName: "checklists", Table: "paliad.checklists", OrderBy: []string{"id"}},
+		{SheetName: "deadline_rule_audit", Table: "paliad.deadline_rule_audit", OrderBy: []string{"changed_at", "id"}},
+		{SheetName: "deadlines", Table: "paliad.deadlines", OrderBy: []string{"id"}},
 		// documents: ai_extracted jsonb dropped (verbose AI prompts;
 		// matches the personal/project precedent). Binaries are not in
-		// the export — only metadata.
+		// the export — only metadata. Uses SQL override because the
+		// projection isn't SELECT *.
 		{
 			SheetName: "documents",
 			SQL: `SELECT id, project_id, title, doc_type, file_path, file_size, mime_type, uploaded_by, created_at, updated_at
 				    FROM paliad.documents
 				ORDER BY id`,
 		},
-		{SheetName: "email_broadcasts", SQL: `SELECT * FROM paliad.email_broadcasts ORDER BY id`},
-		{SheetName: "email_template_versions", SQL: `SELECT * FROM paliad.email_template_versions ORDER BY id`},
-		{SheetName: "email_templates", SQL: `SELECT * FROM paliad.email_templates ORDER BY id`},
-		{SheetName: "firm_dashboard_default", SQL: `SELECT * FROM paliad.firm_dashboard_default ORDER BY id`},
-		{SheetName: "invitations", SQL: `SELECT * FROM paliad.invitations ORDER BY sent_at, id`},
-		{SheetName: "notes", SQL: `SELECT * FROM paliad.notes ORDER BY id`},
-		{SheetName: "parties", SQL: `SELECT * FROM paliad.parties ORDER BY id`},
-		{SheetName: "partner_unit_events", SQL: `SELECT * FROM paliad.partner_unit_events ORDER BY id`},
-		{SheetName: "partner_unit_members", SQL: `SELECT * FROM paliad.partner_unit_members ORDER BY partner_unit_id, user_id`},
-		{SheetName: "partner_units", SQL: `SELECT * FROM paliad.partner_units ORDER BY id`},
-		{SheetName: "policy_audit_log", SQL: `SELECT * FROM paliad.policy_audit_log ORDER BY changed_at, id`},
-		{SheetName: "project_events", SQL: `SELECT * FROM paliad.project_events ORDER BY id`},
-		{SheetName: "project_partner_units", SQL: `SELECT * FROM paliad.project_partner_units ORDER BY project_id, partner_unit_id`},
-		{SheetName: "project_teams", SQL: `SELECT * FROM paliad.project_teams ORDER BY project_id, user_id`},
-		{SheetName: "projects", SQL: `SELECT * FROM paliad.projects ORDER BY id`},
-		{SheetName: "reminder_log", SQL: `SELECT * FROM paliad.reminder_log ORDER BY sent_at, id`},
-		{SheetName: "submission_drafts", SQL: `SELECT * FROM paliad.submission_drafts ORDER BY id`},
-		{SheetName: "system_audit_log", SQL: `SELECT * FROM paliad.system_audit_log ORDER BY created_at, id`},
+		{SheetName: "email_broadcasts", Table: "paliad.email_broadcasts", OrderBy: []string{"id"}},
+		{SheetName: "email_template_versions", Table: "paliad.email_template_versions", OrderBy: []string{"id"}},
+		{SheetName: "email_templates", Table: "paliad.email_templates", OrderBy: []string{"key", "lang"}},
+		{SheetName: "firm_dashboard_default", Table: "paliad.firm_dashboard_default", OrderBy: []string{"id"}},
+		{SheetName: "invitations", Table: "paliad.invitations", OrderBy: []string{"sent_at", "id"}},
+		{SheetName: "notes", Table: "paliad.notes", OrderBy: []string{"id"}},
+		{SheetName: "parties", Table: "paliad.parties", OrderBy: []string{"id"}},
+		{SheetName: "partner_unit_events", Table: "paliad.partner_unit_events", OrderBy: []string{"id"}},
+		{SheetName: "partner_unit_members", Table: "paliad.partner_unit_members", OrderBy: []string{"partner_unit_id", "user_id"}},
+		{SheetName: "partner_units", Table: "paliad.partner_units", OrderBy: []string{"id"}},
+		{SheetName: "policy_audit_log", Table: "paliad.policy_audit_log", OrderBy: []string{"created_at", "id"}},
+		{SheetName: "project_events", Table: "paliad.project_events", OrderBy: []string{"id"}},
+		{SheetName: "project_partner_units", Table: "paliad.project_partner_units", OrderBy: []string{"project_id", "partner_unit_id"}},
+		{SheetName: "project_teams", Table: "paliad.project_teams", OrderBy: []string{"project_id", "user_id"}},
+		{SheetName: "projects", Table: "paliad.projects", OrderBy: []string{"id"}},
+		{SheetName: "reminder_log", Table: "paliad.reminder_log", OrderBy: []string{"sent_at", "id"}},
+		{SheetName: "submission_drafts", Table: "paliad.submission_drafts", OrderBy: []string{"id"}},
+		{SheetName: "system_audit_log", Table: "paliad.system_audit_log", OrderBy: []string{"created_at", "id"}},
 		{
 			SheetName:   "user_caldav_config",
-			SQL:         `SELECT * FROM paliad.user_caldav_config ORDER BY user_id`,
+			Table:       "paliad.user_caldav_config",
+			OrderBy:     []string{"user_id"},
 			DropColumns: []string{"password_encrypted"}, // belt-and-braces; piiColumnDenyRegex also catches it
 		},
-		{SheetName: "user_calendar_bindings", SQL: `SELECT * FROM paliad.user_calendar_bindings ORDER BY user_id, calendar_path`},
-		{SheetName: "user_card_layouts", SQL: `SELECT * FROM paliad.user_card_layouts ORDER BY id`},
-		{SheetName: "user_dashboard_layouts", SQL: `SELECT * FROM paliad.user_dashboard_layouts ORDER BY user_id`},
-		{SheetName: "user_pinned_projects", SQL: `SELECT * FROM paliad.user_pinned_projects ORDER BY user_id, project_id`},
-		{SheetName: "user_views", SQL: `SELECT * FROM paliad.user_views ORDER BY id`},
-		{SheetName: "users", SQL: `SELECT * FROM paliad.users ORDER BY id`},
+		{SheetName: "user_calendar_bindings", Table: "paliad.user_calendar_bindings", OrderBy: []string{"user_id", "calendar_path"}},
+		{SheetName: "user_card_layouts", Table: "paliad.user_card_layouts", OrderBy: []string{"id"}},
+		{SheetName: "user_dashboard_layouts", Table: "paliad.user_dashboard_layouts", OrderBy: []string{"user_id"}},
+		{SheetName: "user_pinned_projects", Table: "paliad.user_pinned_projects", OrderBy: []string{"user_id", "project_id"}},
+		{SheetName: "user_views", Table: "paliad.user_views", OrderBy: []string{"id"}},
+		{SheetName: "users", Table: "paliad.users", OrderBy: []string{"id"}},
 
 		// --- reference data (alphabetical, prefixed ref__) ---
-		{SheetName: "ref__countries", SQL: `SELECT * FROM paliad.countries ORDER BY code`},
-		{SheetName: "ref__courts", SQL: `SELECT * FROM paliad.courts ORDER BY id`},
-		{SheetName: "ref__deadline_concept_event_types", SQL: `SELECT * FROM paliad.deadline_concept_event_types ORDER BY concept_id, event_type_id`},
-		{SheetName: "ref__deadline_concepts", SQL: `SELECT * FROM paliad.deadline_concepts ORDER BY id`},
-		{SheetName: "ref__deadline_event_types", SQL: `SELECT * FROM paliad.deadline_event_types ORDER BY rule_id, event_type_id`},
-		{SheetName: "ref__deadline_rules", SQL: `SELECT * FROM paliad.deadline_rules ORDER BY id`},
-		{SheetName: "ref__event_categories", SQL: `SELECT * FROM paliad.event_categories ORDER BY id`},
-		{SheetName: "ref__event_category_concepts", SQL: `SELECT * FROM paliad.event_category_concepts ORDER BY category_id, concept_id`},
-		{SheetName: "ref__event_types", SQL: `SELECT * FROM paliad.event_types ORDER BY id`},
-		{SheetName: "ref__holidays", SQL: `SELECT * FROM paliad.holidays ORDER BY date, country`},
-		{SheetName: "ref__proceeding_types", SQL: `SELECT * FROM paliad.proceeding_types ORDER BY id`},
-		{SheetName: "ref__trigger_events", SQL: `SELECT * FROM paliad.trigger_events ORDER BY id`},
+		{SheetName: "ref__countries", Table: "paliad.countries", OrderBy: []string{"code"}},
+		{SheetName: "ref__courts", Table: "paliad.courts", OrderBy: []string{"id"}},
+		{SheetName: "ref__deadline_concept_event_types", Table: "paliad.deadline_concept_event_types", OrderBy: []string{"concept_id", "event_type_id"}},
+		{SheetName: "ref__deadline_concepts", Table: "paliad.deadline_concepts", OrderBy: []string{"id"}},
+		{SheetName: "ref__deadline_event_types", Table: "paliad.deadline_event_types", OrderBy: []string{"deadline_id", "event_type_id"}},
+		{SheetName: "ref__deadline_rules", Table: "paliad.deadline_rules_unified", OrderBy: []string{"id"}},
+		{SheetName: "ref__event_categories", Table: "paliad.event_categories", OrderBy: []string{"id"}},
+		{SheetName: "ref__event_category_concepts", Table: "paliad.event_category_concepts", OrderBy: []string{"event_category_id", "concept_id"}},
+		{SheetName: "ref__event_types", Table: "paliad.event_types", OrderBy: []string{"id"}},
+		{SheetName: "ref__holidays", Table: "paliad.holidays", OrderBy: []string{"date", "country"}},
+		{SheetName: "ref__proceeding_types", Table: "paliad.proceeding_types", OrderBy: []string{"id"}},
+		{SheetName: "ref__trigger_events", Table: "paliad.trigger_events", OrderBy: []string{"id"}},
 	}
 }
+
+// composeOrgSheetSQL turns one orgSheetSpec into the final SQL string,
+// using a per-table column set (typically loaded once per backup run
+// from information_schema.columns). Returns the SQL and the list of
+// ORDER BY columns that were dropped because they don't exist in the
+// live schema.
+//
+// Pure function — no DB access — so the missing-column behaviour is
+// unit-testable without a fixture database.
+//
+// Rules:
+//   - If spec.SQL is non-empty, return it unchanged (override path).
+//   - Otherwise build `SELECT * FROM <Table> [ORDER BY <kept-cols>]`.
+//   - Columns are kept in their declared order; missing ones recorded
+//     in `dropped` and omitted from ORDER BY.
+//   - If no ORDER BY columns survive, the ORDER BY clause is omitted.
+//
+// knownCols maps unqualified table names (e.g. "appointments") to the
+// set of columns they have. A table missing from knownCols is treated
+// as "no columns known" — every declared ORDER BY column gets dropped.
+func composeOrgSheetSQL(spec orgSheetSpec, knownCols map[string]map[string]struct{}) (sqlText string, dropped []string) {
+	if spec.SQL != "" {
+		return spec.SQL, nil
+	}
+	unqualified := spec.Table
+	if i := strings.IndexByte(unqualified, '.'); i >= 0 {
+		unqualified = unqualified[i+1:]
+	}
+	cols := knownCols[unqualified]
+	kept := make([]string, 0, len(spec.OrderBy))
+	for _, c := range spec.OrderBy {
+		if _, ok := cols[c]; ok {
+			kept = append(kept, c)
+		} else {
+			dropped = append(dropped, c)
+		}
+	}
+	var b strings.Builder
+	b.WriteString("SELECT * FROM ")
+	b.WriteString(spec.Table)
+	if len(kept) > 0 {
+		b.WriteString(" ORDER BY ")
+		b.WriteString(strings.Join(kept, ", "))
+	}
+	return b.String(), dropped
+}
+
+// loadOrgSheetColumns probes information_schema.columns once for every
+// table referenced by Table+OrderBy specs. Returns a lookup
+// {table_name → {column_name → {}}} restricted to the paliad schema.
+//
+// The queryer is whatever runs the backup's read snapshot — typically
+// the REPEATABLE READ tx opened in WriteOrg, so the schema snapshot
+// matches the row snapshot.
+func loadOrgSheetColumns(ctx context.Context, queryer sqlx.QueryerContext, specs []orgSheetSpec) (map[string]map[string]struct{}, error) {
+	tableSet := map[string]struct{}{}
+	for _, sp := range specs {
+		if sp.Table == "" {
+			continue // SQL-override sheets carry their own column refs
+		}
+		t := sp.Table
+		if i := strings.IndexByte(t, '.'); i >= 0 {
+			t = t[i+1:]
+		}
+		tableSet[t] = struct{}{}
+	}
+	if len(tableSet) == 0 {
+		return map[string]map[string]struct{}{}, nil
+	}
+	tables := make([]string, 0, len(tableSet))
+	for t := range tableSet {
+		tables = append(tables, t)
+	}
+	rows, err := queryer.QueryxContext(ctx, `
+		SELECT table_name, column_name
+		  FROM information_schema.columns
+		 WHERE table_schema = 'paliad'
+		   AND table_name = ANY($1)
+	`, tables)
+	if err != nil {
+		return nil, fmt.Errorf("probe paliad columns: %w", err)
+	}
+	defer rows.Close()
+	out := make(map[string]map[string]struct{}, len(tableSet))
+	for rows.Next() {
+		var table, column string
+		if err := rows.Scan(&table, &column); err != nil {
+			return nil, fmt.Errorf("scan paliad columns: %w", err)
+		}
+		set, ok := out[table]
+		if !ok {
+			set = map[string]struct{}{}
+			out[table] = set
+		}
+		set[column] = struct{}{}
+	}
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("iterate paliad columns: %w", err)
+	}
+	return out, nil
+}
+
+// resolveOrgSheets materialises an org-scope spec list into the
+// concrete []sheetQuery that writeBundle expects. Composes each
+// spec's SQL via composeOrgSheetSQL using a schema snapshot loaded
+// from the same queryer. Logs WARN per dropped ORDER BY column.
+func resolveOrgSheets(ctx context.Context, queryer sqlx.QueryerContext, specs []orgSheetSpec) ([]sheetQuery, error) {
+	knownCols, err := loadOrgSheetColumns(ctx, queryer, specs)
+	if err != nil {
+		return nil, err
+	}
+	out := make([]sheetQuery, 0, len(specs))
+	for _, sp := range specs {
+		sqlText, dropped := composeOrgSheetSQL(sp, knownCols)
+		for _, c := range dropped {
+			slog.Warn("backup: ORDER BY column dropped (not in schema)",
+				"sheet", sp.SheetName,
+				"table", sp.Table,
+				"column", c,
+			)
+		}
+		out = append(out, sheetQuery{
+			SheetName:   sp.SheetName,
+			SQL:         sqlText,
+			Args:        sp.Args,
+			DropColumns: sp.DropColumns,
+		})
+	}
+	return out, nil
+}

internal/services/fristenrechner_sort_test.go

@@ -0,0 +1,221 @@
+package services
+
+// Pure-function tests for the trigger-group duration sort introduced
+// by t-paliad-296 / m/paliad#128. No DB needed — feeds synthetic
+// UIDeadlines and a ruleByID map directly into the helper.
+
+import (
+	"testing"
+
+	"github.com/google/uuid"
+
+	"mgit.msbls.de/m/paliad/internal/models"
+)
+
+// makeRule is a tiny constructor for a synthetic rule with just the
+// fields the sort reads (parent_id, duration_value, duration_unit,
+// submission_code, trigger_event_id).
+func makeRule(t *testing.T, parent *uuid.UUID, code string, val int, unit string) (uuid.UUID, models.DeadlineRule) {
+	t.Helper()
+	id := uuid.New()
+	codeCopy := code
+	return id, models.DeadlineRule{
+		ID:             id,
+		ParentID:       parent,
+		SubmissionCode: &codeCopy,
+		DurationValue:  val,
+		DurationUnit:   unit,
+	}
+}
+
+func makeDeadline(id uuid.UUID, code string) UIDeadline {
+	return UIDeadline{
+		RuleID: id.String(),
+		Code:   code,
+	}
+}
+
+// TestSortDeadlinesByDurationWithinTriggerGroup_PostDecision is the
+// canonical scenario from m's report — four post-decision optional
+// events anchored on the same decision must render with 1-month rules
+// before 2-month rules.
+func TestSortDeadlinesByDurationWithinTriggerGroup_PostDecision(t *testing.T) {
+	decisionID := uuid.New()
+
+	// Catalog order matches mig 132 sequence_order: cons_orders(60),
+	// cost_app(70), rectification(70), appeal_spawn(80).
+	consOrdID, consOrdRule := makeRule(t, &decisionID, "upc.inf.cfi.cons_orders", 2, "months")
+	costAppID, costAppRule := makeRule(t, &decisionID, "upc.inf.cfi.cost_app", 1, "months")
+	rectID, rectRule := makeRule(t, &decisionID, "upc.inf.cfi.rectification", 1, "months")
+	appealID, appealRule := makeRule(t, &decisionID, "upc.inf.cfi.appeal_spawn", 2, "months")
+
+	ruleByID := map[uuid.UUID]models.DeadlineRule{
+		consOrdID: consOrdRule,
+		costAppID: costAppRule,
+		rectID:    rectRule,
+		appealID:  appealRule,
+	}
+
+	deadlines := []UIDeadline{
+		makeDeadline(consOrdID, "upc.inf.cfi.cons_orders"),
+		makeDeadline(costAppID, "upc.inf.cfi.cost_app"),
+		makeDeadline(rectID, "upc.inf.cfi.rectification"),
+		makeDeadline(appealID, "upc.inf.cfi.appeal_spawn"),
+	}
+
+	sortDeadlinesByDurationWithinTriggerGroup(deadlines, ruleByID)
+
+	// 1-month tier first (cost_app, rectification — alphabetical by
+	// submission_code), then 2-month tier (appeal_spawn, cons_orders
+	// — submission_code ASC tiebreak per spec).
+	want := []string{
+		"upc.inf.cfi.cost_app",
+		"upc.inf.cfi.rectification",
+		"upc.inf.cfi.appeal_spawn",
+		"upc.inf.cfi.cons_orders",
+	}
+	for i, w := range want {
+		if deadlines[i].Code != w {
+			t.Errorf("deadlines[%d].Code = %q, want %q", i, deadlines[i].Code, w)
+		}
+	}
+}
+
+// TestSortDeadlinesByDurationWithinTriggerGroup_UnitWeight asserts the
+// unit-weight ordering: days < weeks < months < years, with shorter
+// durations of the same unit winning their tier.
+func TestSortDeadlinesByDurationWithinTriggerGroup_UnitWeight(t *testing.T) {
+	parentID := uuid.New()
+
+	d14ID, d14Rule := makeRule(t, &parentID, "x.14days", 14, "days")
+	d2wID, d2wRule := makeRule(t, &parentID, "x.2weeks", 2, "weeks")
+	d1mID, d1mRule := makeRule(t, &parentID, "x.1month", 1, "months")
+	d6mID, d6mRule := makeRule(t, &parentID, "x.6months", 6, "months")
+	d1yID, d1yRule := makeRule(t, &parentID, "x.1year", 1, "years")
+
+	ruleByID := map[uuid.UUID]models.DeadlineRule{
+		d14ID: d14Rule, d2wID: d2wRule, d1mID: d1mRule, d6mID: d6mRule, d1yID: d1yRule,
+	}
+
+	deadlines := []UIDeadline{
+		makeDeadline(d6mID, "x.6months"),
+		makeDeadline(d1yID, "x.1year"),
+		makeDeadline(d2wID, "x.2weeks"),
+		makeDeadline(d14ID, "x.14days"),
+		makeDeadline(d1mID, "x.1month"),
+	}
+
+	sortDeadlinesByDurationWithinTriggerGroup(deadlines, ruleByID)
+
+	want := []string{"x.14days", "x.2weeks", "x.1month", "x.6months", "x.1year"}
+	for i, w := range want {
+		if deadlines[i].Code != w {
+			t.Errorf("deadlines[%d].Code = %q, want %q", i, deadlines[i].Code, w)
+		}
+	}
+}
+
+// TestSortDeadlinesByDurationWithinTriggerGroup_NoCrossGroupReorder
+// guards the hard rule: rules with different parents must keep their
+// relative position. Sorting only ever permutes adjacent same-parent
+// rows.
+func TestSortDeadlinesByDurationWithinTriggerGroup_NoCrossGroupReorder(t *testing.T) {
+	parentAID := uuid.New()
+	parentBID := uuid.New()
+
+	a3mID, a3mRule := makeRule(t, &parentAID, "ga.3months", 3, "months")
+	b1mID, b1mRule := makeRule(t, &parentBID, "gb.1month", 1, "months")
+	a14dID, a14dRule := makeRule(t, &parentAID, "ga.14days", 14, "days")
+	b2mID, b2mRule := makeRule(t, &parentBID, "gb.2months", 2, "months")
+
+	ruleByID := map[uuid.UUID]models.DeadlineRule{
+		a3mID: a3mRule, b1mID: b1mRule, a14dID: a14dRule, b2mID: b2mRule,
+	}
+
+	// Interleaved groups: A, B, A, B. Each group has one rule between
+	// each other group's rules — the consecutive-run walk should treat
+	// each as its own one-element run and not reorder anything.
+	deadlines := []UIDeadline{
+		makeDeadline(a3mID, "ga.3months"),
+		makeDeadline(b1mID, "gb.1month"),
+		makeDeadline(a14dID, "ga.14days"),
+		makeDeadline(b2mID, "gb.2months"),
+	}
+
+	sortDeadlinesByDurationWithinTriggerGroup(deadlines, ruleByID)
+
+	want := []string{"ga.3months", "gb.1month", "ga.14days", "gb.2months"}
+	for i, w := range want {
+		if deadlines[i].Code != w {
+			t.Errorf("deadlines[%d].Code = %q, want %q (interleaved groups must not reorder across)", i, deadlines[i].Code, w)
+		}
+	}
+}
+
+// TestSortDeadlinesByDurationWithinTriggerGroup_ConditionalLast asserts
+// that court-set / conditional rows (no concrete date in the duration
+// ladder) sort LAST within their group, regardless of their stated
+// duration value.
+func TestSortDeadlinesByDurationWithinTriggerGroup_ConditionalLast(t *testing.T) {
+	parentID := uuid.New()
+
+	dID, dRule := makeRule(t, &parentID, "x.duration", 2, "months")
+	cID, cRule := makeRule(t, &parentID, "x.conditional", 1, "months")
+	csID, csRule := makeRule(t, &parentID, "x.courtset", 1, "months")
+	d2ID, d2Rule := makeRule(t, &parentID, "x.short", 14, "days")
+
+	ruleByID := map[uuid.UUID]models.DeadlineRule{
+		dID: dRule, cID: cRule, csID: csRule, d2ID: d2Rule,
+	}
+
+	deadlines := []UIDeadline{
+		{RuleID: cID.String(), Code: "x.conditional", IsConditional: true},
+		{RuleID: dID.String(), Code: "x.duration"},
+		{RuleID: csID.String(), Code: "x.courtset", IsCourtSet: true},
+		{RuleID: d2ID.String(), Code: "x.short"},
+	}
+
+	sortDeadlinesByDurationWithinTriggerGroup(deadlines, ruleByID)
+
+	// Concrete rows first (sorted by duration): x.short (14d) then
+	// x.duration (2mo). Then the two no-date rows, tiebroken by code:
+	// x.conditional < x.courtset alphabetically.
+	want := []string{"x.short", "x.duration", "x.conditional", "x.courtset"}
+	for i, w := range want {
+		if deadlines[i].Code != w {
+			t.Errorf("deadlines[%d].Code = %q, want %q", i, deadlines[i].Code, w)
+		}
+	}
+}
+
+// TestSortDeadlinesByDurationWithinTriggerGroup_RootsNotMerged guards
+// the root-rule exception: top-level rules (parent_id=nil, no
+// trigger_event_id) must never be sorted against each other — they
+// represent distinct anchor points (SoC vs oral hearing vs decision)
+// whose proceeding-sequence order is non-negotiable.
+func TestSortDeadlinesByDurationWithinTriggerGroup_RootsNotMerged(t *testing.T) {
+	rootSoCID, rootSoCRule := makeRule(t, nil, "x.soc", 0, "months")
+	rootOralID, rootOralRule := makeRule(t, nil, "x.oral", 0, "months")
+	rootDecID, rootDecRule := makeRule(t, nil, "x.decision", 0, "months")
+
+	ruleByID := map[uuid.UUID]models.DeadlineRule{
+		rootSoCID: rootSoCRule, rootOralID: rootOralRule, rootDecID: rootDecRule,
+	}
+
+	deadlines := []UIDeadline{
+		makeDeadline(rootSoCID, "x.soc"),
+		makeDeadline(rootOralID, "x.oral"),
+		makeDeadline(rootDecID, "x.decision"),
+	}
+
+	sortDeadlinesByDurationWithinTriggerGroup(deadlines, ruleByID)
+
+	// Roots must keep their input order — they're not in the same
+	// trigger group as each other.
+	want := []string{"x.soc", "x.oral", "x.decision"}
+	for i, w := range want {
+		if deadlines[i].Code != w {
+			t.Errorf("deadlines[%d].Code = %q, want %q (roots must not be sorted against each other)", i, deadlines[i].Code, w)
+		}
+	}
+}

internal/services/fristenrechner_test.go

@@ -507,15 +507,21 @@ func TestUIDeadline_IsConditional_UncertainAnchors(t *testing.T) {
 		wantParentCode string
 	}{
 		// Symptom A — backward-anchored on the court-set oral hearing.
-		// Pre-pass fix: order-of-evaluation no longer matters.
+		// Pre-pass fix: order-of-evaluation no longer matters. These
+		// rules have no trigger_event_id, so ParentRuleCode stays on
+		// the parent_id-derived value.
 		{"upc.inf.cfi.translation_request", true, "upc.inf.cfi.oral"},
 		{"upc.inf.cfi.interpreter_cost", true, "upc.inf.cfi.oral"},
-		// R.118(4) chain — parent=decision (court-set).
+		// R.118(4) chain — parent=decision (court-set). No trigger_event_id.
 		{"upc.inf.cfi.cons_orders", true, "upc.inf.cfi.decision"},
-		// Symptom B — optional + both anchored on SoC (trigger anchor).
-		{"upc.inf.cfi.confidentiality_response", true, "upc.inf.cfi.soc"},
+		// Symptom B — optional + both, data-model parent is SoC but the
+		// real trigger is the opposing party's confidentiality application.
+		// m/paliad#126 / t-paliad-294: ParentRuleCode now reflects the
+		// trigger_events catalog row (id=25), NOT the parent_id chain.
+		{"upc.inf.cfi.confidentiality_response", true, "application_to_request_confidentiality_from_the_public"},
 		// Negative control — mandatory rule anchored on SoC must keep
-		// its concrete date (no IsConditional, real DueDate).
+		// its concrete date (no IsConditional, real DueDate). No
+		// trigger_event_id, so parent_id-derived code stays.
 		{"upc.inf.cfi.sod", false, "upc.inf.cfi.soc"},
 	}
 
@@ -546,6 +552,52 @@ func TestUIDeadline_IsConditional_UncertainAnchors(t *testing.T) {
 		})
 	}
 
+	// m/paliad#126 / t-paliad-294: the conditional chip for R.262(2)
+	// reads from the trigger_events catalog (id=25), so the user sees
+	// the actual semantic anchor instead of the parent_id-derived
+	// "Klageerhebung". Pin the exact DE + EN strings so a future
+	// rename of the catalog row surfaces here.
+	t.Run("R.262(2) conditional label uses trigger_event_id, not parent_id", func(t *testing.T) {
+		d, ok := byCode["upc.inf.cfi.confidentiality_response"]
+		if !ok {
+			t.Fatalf("confidentiality_response missing from response")
+		}
+		const wantNameDE = "Antrag auf Vertraulichkeit gegenüber der Öffentlichkeit"
+		const wantNameEN = "Application to request confidentiality from the public"
+		if d.ParentRuleName != wantNameDE {
+			t.Errorf("ParentRuleName = %q, want %q (trigger_events.name_de for id=25)", d.ParentRuleName, wantNameDE)
+		}
+		if d.ParentRuleNameEN != wantNameEN {
+			t.Errorf("ParentRuleNameEN = %q, want %q (trigger_events.name for id=25)", d.ParentRuleNameEN, wantNameEN)
+		}
+		// Negative guard — neither label should leak the SoC ("Klageerhebung"),
+		// which is the regression the fix exists to prevent.
+		if d.ParentRuleName == "Klageerhebung" || d.ParentRuleNameEN == "Statement of Claim" {
+			t.Errorf("conditional label still resolves via parent_id (SoC); fix regressed")
+		}
+	})
+
+	// Generalisation guard — translations_lodge also carries a real
+	// trigger_event_id (113 = judge-rapporteur's order). Its
+	// conditional chip should reference the order, not its parent_id
+	// (Zwischenverfahren). Locks in the "any rule with trigger_event_id
+	// uses THAT, not parent_id" contract from m/paliad#126.
+	t.Run("translations_lodge conditional label uses trigger_event_id", func(t *testing.T) {
+		d, ok := byCode["upc.inf.cfi.translations_lodge"]
+		if !ok {
+			t.Skip("upc.inf.cfi.translations_lodge missing from response — data drift?")
+		}
+		if !d.IsConditional {
+			t.Skipf("translations_lodge IsConditional=false in current corpus; trigger-event override is only user-visible on conditional rows. Skip but keep the generalisation guard.")
+		}
+		if d.ParentRuleName == "Zwischenverfahren" {
+			t.Errorf("translations_lodge still labelled via parent_id (Zwischenverfahren); should follow trigger_event_id=113")
+		}
+		if d.ParentRuleCode != "order_of_the_judge_rapporteur_to_lodge_translations" {
+			t.Errorf("ParentRuleCode = %q, want trigger_events.code for id=113", d.ParentRuleCode)
+		}
+	})
+
 	// Override path: when the user anchors the oral hearing, the
 	// backward-anchored R.109(1) flips back to a concrete date and
 	// IsConditional clears. This is the click-to-edit unblock.

internal/services/holidays.go

@@ -8,6 +8,8 @@ import (
 	"time"
 
 	"github.com/jmoiron/sqlx"
+
+	"mgit.msbls.de/m/paliad/pkg/litigationplanner"
 )
 
 // Country and regime constants — keep in sync with the paliad.countries
@@ -229,38 +231,14 @@ func (s *HolidayService) AdjustForNonWorkingDays(date time.Time, country, regime
 // Feiertag" — so a 27-day shift across UPC vacation no longer looks like a
 // math bug. See t-paliad-119.
 //
-// Date fields are JSON-serialised as YYYY-MM-DD strings (the same convention
-// as UIDeadline.DueDate / OriginalDate) so the frontend doesn't need a
-// separate RFC3339 parser. Holidays carries the same string-date shape.
-type AdjustmentReason struct {
-	// Kind is the dominant cause; longest cause wins when several apply
-	// (vacation > public_holiday > weekend).
-	Kind string `json:"kind"`
-	// Holidays collects every named holiday encountered while walking past
-	// the non-working run, deduped by (date, name). May be empty when the
-	// only cause is a weekend.
-	Holidays []HolidayDTO `json:"holidays,omitempty"`
-	// VacationName, VacationStart and VacationEnd describe the contiguous
-	// vacation block the original date sits in. Populated only when Kind
-	// == "vacation". Span boundaries are the first/last vacation day in
-	// the block (excludes the weekends that pad it).
-	VacationName  string `json:"vacationName,omitempty"`
-	VacationStart string `json:"vacationStart,omitempty"`
-	VacationEnd   string `json:"vacationEnd,omitempty"`
-	// OriginalWeekday is the English weekday name of the original date —
-	// "Saturday" / "Sunday" — set only when Kind == "weekend" so the UI
-	// can localise it.
-	OriginalWeekday string `json:"originalWeekday,omitempty"`
-}
-
-// HolidayDTO is the JSON shape for a holiday emitted in AdjustmentReason —
-// distinct from Holiday so dates serialise as YYYY-MM-DD strings.
-type HolidayDTO struct {
-	Date       string `json:"date"`
-	Name       string `json:"name"`
-	IsVacation bool   `json:"isVacation,omitempty"`
-	IsClosure  bool   `json:"isClosure,omitempty"`
-}
+// Canonical AdjustmentReason + HolidayDTO definitions live in
+// pkg/litigationplanner — kept here as type aliases so every existing
+// reference (HolidayService methods, JSON serialisation, projection
+// service) continues to compile.
+type (
+	AdjustmentReason = litigationplanner.AdjustmentReason
+	HolidayDTO       = litigationplanner.HolidayDTO
+)
 
 // AdjustForNonWorkingDaysWithReason is AdjustForNonWorkingDays plus an
 // explanation. Reason is nil when wasAdjusted is false.

internal/services/lookup_events_test.go

@@ -0,0 +1,219 @@
+package services
+
+import (
+	"context"
+	"os"
+	"testing"
+
+	"github.com/jmoiron/sqlx"
+	_ "github.com/lib/pq"
+
+	"mgit.msbls.de/m/paliad/internal/db"
+	lp "mgit.msbls.de/m/paliad/pkg/litigationplanner"
+)
+
+// TestLookupEvents covers the multi-axis catalog query API from Slice
+// B2 (m/paliad#124 §18.2). Skipped when TEST_DATABASE_URL is unset,
+// mirroring TestCalculateRule.
+//
+// Cases:
+//   - jurisdiction=UPC, depth=all-following → every active+published
+//     UPC rule, anchor depth=1 for all (no parent_id outside the
+//     filtered set lights up depth>1 because the entire UPC subset is
+//     a single anchor cohort).
+//   - proceeding_type_id (upc.inf.cfi) + party=defendant + depth=next
+//     → defendant rules in upc.inf.cfi at depth=1 + direct children
+//     of those at depth=2.
+//   - unknown jurisdiction value → silently ignored, no filter applied.
+//   - empty axes → all rules (no filter on any axis).
+func TestLookupEvents(t *testing.T) {
+	url := os.Getenv("TEST_DATABASE_URL")
+	if url == "" {
+		t.Skip("TEST_DATABASE_URL not set — skipping live DB test")
+	}
+	if err := db.ApplyMigrations(url); err != nil {
+		t.Fatalf("apply migrations: %v", err)
+	}
+	pool, err := sqlx.Connect("postgres", url)
+	if err != nil {
+		t.Fatalf("connect: %v", err)
+	}
+	defer pool.Close()
+
+	ctx := context.Background()
+	rules := NewDeadlineRuleService(pool)
+	catalog := &paliadCatalog{rules: rules}
+
+	t.Run("jurisdiction=UPC, all-following returns the UPC corpus", func(t *testing.T) {
+		matches, err := catalog.LookupEvents(ctx, lp.EventLookupAxes{
+			Jurisdiction: "UPC",
+		}, lp.EventLookupDepthAllFollowing)
+		if err != nil {
+			t.Fatalf("LookupEvents: %v", err)
+		}
+		if len(matches) == 0 {
+			t.Fatal("expected non-empty UPC corpus")
+		}
+		// Every match must be a UPC rule.
+		for _, m := range matches {
+			if m.ProceedingType.Jurisdiction == nil || *m.ProceedingType.Jurisdiction != "UPC" {
+				t.Errorf("non-UPC row leaked into UPC-axis query: code=%s jurisdiction=%v",
+					m.ProceedingType.Code, m.ProceedingType.Jurisdiction)
+			}
+			if m.DepthFromAnchor < 1 {
+				t.Errorf("depth=%d for rule %s, want >= 1", m.DepthFromAnchor, m.Rule.ID)
+			}
+		}
+	})
+
+	t.Run("party=defendant scopes to defendant rules", func(t *testing.T) {
+		matches, err := catalog.LookupEvents(ctx, lp.EventLookupAxes{
+			Jurisdiction: "UPC",
+			Party:        "defendant",
+		}, lp.EventLookupDepthNext)
+		if err != nil {
+			t.Fatalf("LookupEvents: %v", err)
+		}
+		if len(matches) == 0 {
+			t.Fatal("expected at least one defendant rule across the UPC corpus")
+		}
+		// Anchor matches (depth=1) must be primary_party=defendant.
+		// Depth=2 children appear under EventLookupDepthNext only as
+		// expansion from anchors — they may carry any party.
+		for _, m := range matches {
+			if m.DepthFromAnchor != 1 {
+				continue
+			}
+			if m.Rule.PrimaryParty == nil || *m.Rule.PrimaryParty != "defendant" {
+				t.Errorf("anchor row %s (depth=1) is not defendant: %v",
+					m.Rule.Name, m.Rule.PrimaryParty)
+			}
+		}
+	})
+
+	t.Run("unknown jurisdiction value silently falls through", func(t *testing.T) {
+		matchesAll, err := catalog.LookupEvents(ctx, lp.EventLookupAxes{},
+			lp.EventLookupDepthAllFollowing)
+		if err != nil {
+			t.Fatalf("LookupEvents (all): %v", err)
+		}
+		matchesUnknown, err := catalog.LookupEvents(ctx, lp.EventLookupAxes{
+			Jurisdiction: "XX-not-a-real-jurisdiction",
+		}, lp.EventLookupDepthAllFollowing)
+		if err != nil {
+			t.Fatalf("LookupEvents (unknown): %v", err)
+		}
+		if len(matchesAll) != len(matchesUnknown) {
+			t.Errorf("unknown jurisdiction should fall through to no-filter; got %d vs all-axes %d",
+				len(matchesUnknown), len(matchesAll))
+		}
+	})
+
+	t.Run("appeal_target=endentscheidung returns upc.apl merits rules", func(t *testing.T) {
+		matches, err := catalog.LookupEvents(ctx, lp.EventLookupAxes{
+			Jurisdiction: "UPC",
+			AppealTarget: lp.AppealTargetEndentscheidung,
+		}, lp.EventLookupDepthAllFollowing)
+		if err != nil {
+			t.Fatalf("LookupEvents: %v", err)
+		}
+		// Should hit the 7 rules under the unified upc.apl that
+		// carry applies_to_target={endentscheidung} (Slice B1 mig 134).
+		if len(matches) == 0 {
+			t.Fatal("expected upc.apl endentscheidung rules after B1 mig")
+		}
+		for _, m := range matches {
+			if m.DepthFromAnchor != 1 {
+				continue // children of anchors may be from other targets
+			}
+			found := false
+			for _, t := range m.Rule.AppliesToTarget {
+				if t == lp.AppealTargetEndentscheidung {
+					found = true
+					break
+				}
+			}
+			if !found {
+				t.Errorf("anchor row %s missing endentscheidung target: %v",
+					m.Rule.Name, m.Rule.AppliesToTarget)
+			}
+			if m.ProceedingType.Code != "upc.apl.unified" {
+				t.Errorf("anchor row %s came from %s, want upc.apl.unified",
+					m.Rule.Name, m.ProceedingType.Code)
+			}
+		}
+	})
+
+	t.Run("appeal_target=schadensbemessung returns upc.apl merits rules (mig 138 backfill)", func(t *testing.T) {
+		matches, err := catalog.LookupEvents(ctx, lp.EventLookupAxes{
+			Jurisdiction: "UPC",
+			AppealTarget: lp.AppealTargetSchadensbemessung,
+		}, lp.EventLookupDepthAllFollowing)
+		if err != nil {
+			t.Fatalf("LookupEvents: %v", err)
+		}
+		// mig 138 (t-paliad-303, m/paliad#134) extends the 7 merits-track
+		// rules under upc.apl.unified with applies_to_target ⊇ {schadensbemessung}
+		// because R.224 is uniform across substantive R.118 decisions.
+		if len(matches) == 0 {
+			t.Fatal("expected upc.apl schadensbemessung rules after mig 138 backfill")
+		}
+		for _, m := range matches {
+			if m.DepthFromAnchor != 1 {
+				continue
+			}
+			found := false
+			for _, t := range m.Rule.AppliesToTarget {
+				if t == lp.AppealTargetSchadensbemessung {
+					found = true
+					break
+				}
+			}
+			if !found {
+				t.Errorf("anchor row %s missing schadensbemessung target: %v",
+					m.Rule.Name, m.Rule.AppliesToTarget)
+			}
+			if m.ProceedingType.Code != "upc.apl.unified" {
+				t.Errorf("anchor row %s came from %s, want upc.apl.unified",
+					m.Rule.Name, m.ProceedingType.Code)
+			}
+		}
+	})
+
+	t.Run("appeal_target=bucheinsicht returns upc.apl order rules (mig 138 backfill)", func(t *testing.T) {
+		matches, err := catalog.LookupEvents(ctx, lp.EventLookupAxes{
+			Jurisdiction: "UPC",
+			AppealTarget: lp.AppealTargetBucheinsicht,
+		}, lp.EventLookupDepthAllFollowing)
+		if err != nil {
+			t.Fatalf("LookupEvents: %v", err)
+		}
+		// mig 138 (t-paliad-303, m/paliad#134) extends the 7 order-track
+		// rules under upc.apl.unified with applies_to_target ⊇ {bucheinsicht}
+		// because R.220.2 / R.224.2.b / R.235.2 / R.237 / R.238.2 are
+		// uniform across the orders they appeal.
+		if len(matches) == 0 {
+			t.Fatal("expected upc.apl bucheinsicht rules after mig 138 backfill")
+		}
+		for _, m := range matches {
+			if m.DepthFromAnchor != 1 {
+				continue
+			}
+			found := false
+			for _, t := range m.Rule.AppliesToTarget {
+				if t == lp.AppealTargetBucheinsicht {
+					found = true
+					break
+				}
+			}
+			if !found {
+				t.Errorf("anchor row %s missing bucheinsicht target: %v",
+					m.Rule.Name, m.Rule.AppliesToTarget)
+			}
+			if m.ProceedingType.Code != "upc.apl.unified" {
+				t.Errorf("anchor row %s came from %s, want upc.apl.unified",
+					m.Rule.Name, m.ProceedingType.Code)
+			}
+		}
+	})
+}

internal/services/proceeding_mapping.go

@@ -1,191 +1,63 @@
 package services
 
-// proceeding_mapping bridges the two proceeding-type vocabularies in the
-// codebase: the **litigation** conceptual category (INF / REV / APP /
-// CCR / AMD / APM / ZPO_CIVIL) used by the historical project-binding
-// + Pipeline-A rules, and the **fristenrechner** code category
-// (upc.inf.cfi / de.inf.lg / epa.opp.opd / …) used by the Determinator
-// cascade + rule engine. Post-Phase-3-Slice-5 (t-paliad-186) projects
-// bind to fristenrechner codes directly, but the litigation→fristenrechner
-// mapping is still needed for the ~40 Pipeline-A rules that remain on
-// litigation proceedings and for any other surface that thinks in
-// litigation terms.
-//
-// The mapping table here is the single source of truth — see
-// docs/design-determinator-row-cascade-2026-05-13.md §4.2 for the
-// design rationale + ambiguity notes, and
-// docs/design-proceeding-code-taxonomy-2026-05-18.md for the
-// lowercase dot-separated naming convention applied by mig 096
-// (t-paliad-206). **Never silent FK promotion**: every ambiguous case
-// returns ok=false so callers can degrade gracefully ("no narrowing")
-// instead of guessing.
+import lp "mgit.msbls.de/m/paliad/pkg/litigationplanner"
 
-// Stable code constants — the strings landed by mig 096. Use these
-// throughout the codebase so a future rename only needs to touch this
-// file. The id-anchored FKs (deadline_rules.proceeding_type_id,
-// projects.proceeding_type_id) are unaffected by the rename.
+// proceeding_mapping bridges the two proceeding-type vocabularies in
+// the codebase. The canonical implementations now live in
+// pkg/litigationplanner — this file keeps the existing service-level
+// names alive as re-exports so the rest of internal/services + tests
+// compile without an import-rewrite.
+//
+// See pkg/litigationplanner/proceeding_mapping.go for the logic +
+// docs/design-determinator-row-cascade-2026-05-13.md §4.2 for the
+// design rationale.
+
+// Stable code constants — re-exported from the package so existing
+// services / handlers can keep using the bare names.
 const (
-	CodeUPCInfringement       = "upc.inf.cfi"
-	CodeUPCRevocation         = "upc.rev.cfi"
-	CodeUPCCounterclaim       = "upc.ccr.cfi"
-	CodeUPCPreliminary        = "upc.pi.cfi"
-	CodeUPCDamages            = "upc.dmgs.cfi"
-	CodeUPCDiscovery          = "upc.disc.cfi"
-	CodeUPCAppealMerits       = "upc.apl.merits"
-	CodeUPCAppealOrder        = "upc.apl.order"
-	CodeUPCAppealCost         = "upc.apl.cost"
-	CodeDEInfringementLG      = "de.inf.lg"
-	CodeDEInfringementOLG     = "de.inf.olg"
-	CodeDEInfringementBGH     = "de.inf.bgh"
-	CodeDENullityBPatG        = "de.null.bpatg"
-	CodeDENullityBGH          = "de.null.bgh"
-	CodeEPAGrant              = "epa.grant.exa"
-	CodeEPAOpposition         = "epa.opp.opd"
-	CodeEPAOppositionAppeal   = "epa.opp.boa"
-	CodeDPMAOpposition        = "dpma.opp.dpma"
-	CodeDPMAAppealBPatG       = "dpma.appeal.bpatg"
-	CodeDPMAAppealBGH         = "dpma.appeal.bgh"
+	CodeUPCInfringement     = lp.CodeUPCInfringement
+	CodeUPCRevocation       = lp.CodeUPCRevocation
+	CodeUPCCounterclaim     = lp.CodeUPCCounterclaim
+	CodeUPCPreliminary      = lp.CodeUPCPreliminary
+	CodeUPCDamages          = lp.CodeUPCDamages
+	CodeUPCDiscovery        = lp.CodeUPCDiscovery
+	CodeUPCAppealMerits     = lp.CodeUPCAppealMerits
+	CodeUPCAppealOrder      = lp.CodeUPCAppealOrder
+	CodeUPCAppealCost       = lp.CodeUPCAppealCost
+	CodeDEInfringementLG    = lp.CodeDEInfringementLG
+	CodeDEInfringementOLG   = lp.CodeDEInfringementOLG
+	CodeDEInfringementBGH   = lp.CodeDEInfringementBGH
+	CodeDENullityBPatG      = lp.CodeDENullityBPatG
+	CodeDENullityBGH        = lp.CodeDENullityBGH
+	CodeEPAGrant            = lp.CodeEPAGrant
+	CodeEPAOpposition       = lp.CodeEPAOpposition
+	CodeEPAOppositionAppeal = lp.CodeEPAOppositionAppeal
+	CodeDPMAOpposition      = lp.CodeDPMAOpposition
+	CodeDPMAAppealBPatG     = lp.CodeDPMAAppealBPatG
+	CodeDPMAAppealBGH       = lp.CodeDPMAAppealBGH
 )
 
 // MapLitigationToFristenrechner returns the fristenrechner code +
 // condition flags implied by a (litigationCode, jurisdiction) pair.
-//
-// Inputs are case-sensitive — pass the canonical upper-snake form
-// (e.g. "INF", "UPC"). Unrecognised codes or genuinely ambiguous
-// combinations (APP+DE, ZPO_CIVIL+DE) return ok=false with a zero
-// fristenrechner code; callers should treat that as "no narrowing"
-// and leave the cascade wide-open rather than auto-pick.
-//
-// Condition flags are returned as a slice so callers can apply them
-// alongside the fristenrechner code (CCR+UPC → upc.inf.cfi + with_ccr,
-// AMD+UPC → upc.inf.cfi + with_amend). An empty slice means no flag
-// context applies.
+// Delegates to litigationplanner.MapLitigationToFristenrechner.
 func MapLitigationToFristenrechner(litigationCode, jurisdiction string) (fristenrechnerCode string, conditionFlags []string, ok bool) {
-	switch litigationCode {
-	case "INF":
-		switch jurisdiction {
-		case "UPC":
-			return CodeUPCInfringement, nil, true
-		case "DE":
-			return CodeDEInfringementLG, nil, true
-		}
-	case "REV":
-		switch jurisdiction {
-		case "UPC":
-			return CodeUPCRevocation, nil, true
-		case "DE":
-			return CodeDENullityBPatG, nil, true
-		}
-	case "CCR":
-		// Counterclaim revocation — UPC fold-in is structural (the
-		// counterclaim lives inside an upc.inf.cfi proceeding with the
-		// with_ccr flag). DE Nichtigkeit is conceptually the same
-		// adversarial-validity test, no separate flag.
-		switch jurisdiction {
-		case "UPC":
-			return CodeUPCInfringement, []string{"with_ccr"}, true
-		case "DE":
-			return CodeDENullityBPatG, nil, true
-		}
-	case "AMD":
-		// Amendment-application bundled into upc.inf.cfi via with_amend.
-		// No DE / EPA / DPMA analogue today.
-		if jurisdiction == "UPC" {
-			return CodeUPCInfringement, []string{"with_amend"}, true
-		}
-	case "APP":
-		// Appeal is ambiguous in DE (OLG vs BGH) and the project
-		// model doesn't carry the instance hint we'd need to
-		// disambiguate. UPC is unambiguous — upc.apl.merits covers
-		// the merits appeal track for inf/rev/ccr/damages.
-		if jurisdiction == "UPC" {
-			return CodeUPCAppealMerits, nil, true
-		}
-	case "APM":
-		// Preliminary injunction / urgency procedure — UPC-only
-		// concept in the fristenrechner taxonomy.
-		if jurisdiction == "UPC" {
-			return CodeUPCPreliminary, nil, true
-		}
-	case "OPP":
-		// Opposition — primarily EPA. DPMA has dpma.opp.dpma but it
-		// doesn't surface from the litigation vocabulary today.
-		if jurisdiction == "EPA" {
-			return CodeEPAOpposition, nil, true
-		}
-	}
-	return "", nil, false
+	return lp.MapLitigationToFristenrechner(litigationCode, jurisdiction)
 }
 
-// ResolveCounterclaimRouting handles the determinator's
-// upc.ccr.cfi illustrative-peer route: the code exists in the dropdown
-// for taxonomic completeness, but no rules are attached to it. When the
-// cascade resolves to upc.ccr.cfi we route the rule lookup back to
-// upc.inf.cfi with a default with_ccr=true flag — see
-// docs/design-proceeding-code-taxonomy-2026-05-18.md §0.3 sub-decision S1.
-//
-// `code` is the proceeding code the cascade resolved to. If it's
-// upc.ccr.cfi, the function returns (CodeUPCInfringement,
-// []string{"with_ccr"}, true). For any other code the function returns
-// (code, nil, false) and callers proceed with the code unchanged. The
-// boolean signals "routing was applied"; the caller can surface the hint
-// "Regeln liegen auf upc.inf.cfi (with_ccr=true); wir leiten Sie dorthin
-// weiter." in the UI.
+// ResolveCounterclaimRouting handles the determinator's upc.ccr.cfi
+// illustrative-peer route. Delegates to
+// litigationplanner.ResolveCounterclaimRouting.
 func ResolveCounterclaimRouting(code string) (effectiveCode string, defaultFlags []string, routed bool) {
-	if route, ok := SubTrackRoutings[code]; ok {
-		return route.ParentCode, route.DefaultFlags, true
-	}
-	return code, nil, false
+	return lp.ResolveCounterclaimRouting(code)
 }
 
-// SubTrackRouting describes a proceeding type that has no native rules
-// of its own and is normally rendered inside a parent proceeding's flow
-// with one or more condition flags enabled. The Procedure Roadmap
-// (verfahrensablauf) routes calc requests for these codes to the parent
-// proceeding + default flags, but preserves the user-picked code/name
-// in the response identity and surfaces a contextual note explaining
-// the framing — see m/paliad#58 and the design doc cited above.
-//
-// Adding a new sub-track is a data-only change here: extend
-// SubTrackRoutings with the (code, parent, flags, note) tuple and the
-// renderer picks it up automatically. The note copy lives in this file
-// because it's semantic to the routing, not UI chrome.
-type SubTrackRouting struct {
-	// Code is the user-picked proceeding code (e.g. "upc.ccr.cfi").
-	Code string
-	// ParentCode is the proceeding whose rules to use (e.g. "upc.inf.cfi").
-	ParentCode string
-	// DefaultFlags are merged into the user's flag set so the
-	// gated rules render. Order is preserved.
-	DefaultFlags []string
-	// NoteDE / NoteEN are the contextual banner above the timeline,
-	// explaining that the proceeding type is normally a sub-track.
-	// Plain text — the frontend renders them as a banner.
-	NoteDE string
-	NoteEN string
-}
-
-// SubTrackRoutings — single-source-of-truth registry. Today: just CCR.
-// The pattern generalises to other "sub-track" proceeding types (e.g.
-// R.30 application to amend the patent as a standalone roadmap, R.46
-// preliminary objection) once they have a proceeding-type code of their
-// own. New entries here are picked up by the spawn-as-standalone
-// renderer in FristenrechnerService.Calculate without further wiring.
-var SubTrackRoutings = map[string]SubTrackRouting{
-	CodeUPCCounterclaim: {
-		Code:         CodeUPCCounterclaim,
-		ParentCode:   CodeUPCInfringement,
-		DefaultFlags: []string{"with_ccr"},
-		NoteDE:       "Die Nichtigkeitswiderklage läuft normalerweise innerhalb eines UPC-Verletzungsverfahrens mit aktiver Nichtigkeitswiderklage. Diese Zeitleiste zeigt das Verletzungsverfahren mit gesetztem with_ccr-Flag.",
-		NoteEN:       "The counterclaim for revocation normally runs inside a UPC infringement action with the counterclaim flag set. This timeline shows the infringement action with with_ccr automatically enabled.",
-	},
-}
+// SubTrackRoutings exposes the sub-track routing registry. SubTrackRouting
+// is aliased in fristenrechner.go.
+var SubTrackRoutings = lp.SubTrackRoutings
 
 // LookupSubTrackRouting returns the sub-track routing for a proceeding
-// code, or (zero, false) if the code is not a sub-track. Used by the
-// fristenrechner Calculate path to spawn the parent flow with the sub-
-// track's default flags.
+// code, or (zero, false) if the code is not a sub-track. Delegates to
+// litigationplanner.LookupSubTrackRouting.
 func LookupSubTrackRouting(code string) (SubTrackRouting, bool) {
-	r, ok := SubTrackRoutings[code]
-	return r, ok
+	return lp.LookupSubTrackRouting(code)
 }

internal/services/projection_service.go

@@ -1767,7 +1767,7 @@ func (s *ProjectionService) lookupRuleBySubmissionCode(ctx context.Context, ptID
 	var rule models.DeadlineRule
 	err := s.db.GetContext(ctx, &rule,
 		`SELECT `+ruleColumns+`
-		   FROM paliad.deadline_rules
+		   FROM paliad.deadline_rules_unified
 		  WHERE proceeding_type_id = $1 AND submission_code = $2 AND is_active = true`,
 		ptID, code)
 	if errors.Is(err, sql.ErrNoRows) {
@@ -1784,7 +1784,7 @@ func (s *ProjectionService) lookupRuleByID(ctx context.Context, id uuid.UUID) (*
 	var rule models.DeadlineRule
 	err := s.db.GetContext(ctx, &rule,
 		`SELECT `+ruleColumns+`
-		   FROM paliad.deadline_rules
+		   FROM paliad.deadline_rules_unified
 		  WHERE id = $1`, id)
 	if err != nil {
 		return nil, fmt.Errorf("lookup rule by id: %w", err)

internal/services/rule_editor_orphans.go

@@ -117,7 +117,7 @@ func (s *RuleEditorService) ListOrphans(ctx context.Context) ([]Orphan, error) {
 		}
 		if err := s.db.SelectContext(ctx, &cs, `
 			SELECT id, rule_code, name, name_en
-			  FROM paliad.deadline_rules
+			  FROM paliad.deadline_rules_unified
 			 WHERE id = ANY($1::uuid[])`, pq.Array(uuidStrs)); err != nil {
 			return nil, fmt.Errorf("list orphan candidate rules: %w", err)
 		}
@@ -221,6 +221,12 @@ func (s *RuleEditorService) ResolveOrphan(ctx context.Context, orphanID uuid.UUI
 	); err != nil {
 		return fmt.Errorf("set deadline rule_id: %w", err)
 	}
+	// Slice B.2 dual-write (t-paliad-305): mirror the new linkage onto
+	// the parallel deadlines.procedural_event_id + sequencing_rule_id
+	// columns so they don't drift from rule_id.
+	if err := syncDeadlineDualLinks(ctx, tx, oc.DeadlineID); err != nil {
+		return err
+	}
 	if _, err := tx.ExecContext(ctx,
 		`UPDATE paliad.deadline_rule_backfill_orphans
 		    SET resolved_at      = $1,

internal/services/rule_editor_service.go

@@ -13,6 +13,7 @@ import (
 	"github.com/jmoiron/sqlx"
 
 	"mgit.msbls.de/m/paliad/internal/models"
+	lp "mgit.msbls.de/m/paliad/pkg/litigationplanner"
 )
 
 // RuleEditorService owns the admin-only rule lifecycle for Phase 3
@@ -148,6 +149,16 @@ func (s *RuleEditorService) Create(ctx context.Context, input CreateRuleInput, r
 	if strings.TrimSpace(input.Priority) == "" {
 		input.Priority = "mandatory"
 	}
+	// Slice B3 (m/paliad#124 §18.3, mig 135): canonical four-value
+	// primary_party vocab. Pre-validate so the user gets a
+	// user-friendly error before the DB CHECK fires with the raw
+	// constraint-violation message.
+	if input.PrimaryParty != nil && !lp.IsValidPrimaryParty(*input.PrimaryParty) {
+		return nil, fmt.Errorf(
+			"%w: primary_party=%q is not one of %v",
+			ErrInvalidInput, *input.PrimaryParty, lp.PrimaryParties,
+		)
+	}
 	if err := s.validateSpawnNoCycle(ctx, nil, input.SpawnProceedingTypeID, input.ProceedingTypeID); err != nil {
 		return nil, err
 	}
@@ -198,6 +209,14 @@ func (s *RuleEditorService) Create(ctx context.Context, input CreateRuleInput, r
 		return nil, fmt.Errorf("insert rule: %w", err)
 	}
 
+	// Slice B.2 dual-write (t-paliad-305): project the new row into
+	// legal_sources / procedural_events / sequencing_rules in the same
+	// transaction so the parallel tables stay in lock-step with
+	// deadline_rules through the B.3 read-cutover window.
+	if err := syncDualWriteFromDeadlineRule(ctx, tx, id); err != nil {
+		return nil, err
+	}
+
 	if err := tx.Commit(); err != nil {
 		return nil, fmt.Errorf("commit create: %w", err)
 	}
@@ -220,6 +239,19 @@ func (s *RuleEditorService) UpdateDraft(ctx context.Context, id uuid.UUID, patch
 			ErrInvalidLifecycleState, id, current.LifecycleState)
 	}
 
+	// Slice B3 (m/paliad#124 §18.3, mig 135): pre-validate the
+	// patch's primary_party so the user gets a user-friendly error
+	// before the DB CHECK fires with the raw constraint-violation
+	// message. Patch field is *string — nil means "don't change",
+	// dereferenced empty string means "set to NULL" (handled below
+	// in buildPatchSets).
+	if patch.PrimaryParty != nil && !lp.IsValidPrimaryParty(*patch.PrimaryParty) {
+		return nil, fmt.Errorf(
+			"%w: primary_party=%q is not one of %v",
+			ErrInvalidInput, *patch.PrimaryParty, lp.PrimaryParties,
+		)
+	}
+
 	// Spawn cycle guard: if the patch sets spawn_proceeding_type_id,
 	// validate against the global graph BEFORE the UPDATE so we can
 	// surface the cycle clearly instead of relying on a runtime
@@ -252,6 +284,10 @@ func (s *RuleEditorService) UpdateDraft(ctx context.Context, id uuid.UUID, patch
 	if _, err := tx.ExecContext(ctx, q, args...); err != nil {
 		return nil, fmt.Errorf("update rule draft: %w", err)
 	}
+	// Slice B.2 dual-write (t-paliad-305).
+	if err := syncDualWriteFromDeadlineRule(ctx, tx, id); err != nil {
+		return nil, err
+	}
 	if err := tx.Commit(); err != nil {
 		return nil, fmt.Errorf("commit update: %w", err)
 	}
@@ -312,6 +348,14 @@ func (s *RuleEditorService) CloneAsDraft(ctx context.Context, id uuid.UUID, reas
 	); err != nil {
 		return nil, fmt.Errorf("clone rule as draft: %w", err)
 	}
+	// Slice B.2 dual-write (t-paliad-305): new draft gets its own
+	// procedural_events + sequencing_rules row. The synthetic-code
+	// branch fires here when the source rule had NULL submission_code
+	// (the clone inherits the NULL and mints a fresh 'null.<8hex>'
+	// derived from newID).
+	if err := syncDualWriteFromDeadlineRule(ctx, tx, newID); err != nil {
+		return nil, err
+	}
 	if err := tx.Commit(); err != nil {
 		return nil, fmt.Errorf("commit clone: %w", err)
 	}
@@ -368,6 +412,18 @@ func (s *RuleEditorService) Publish(ctx context.Context, id uuid.UUID, reason st
 		}
 	}
 
+	// Slice B.2 dual-write (t-paliad-305): sync both sides — the newly
+	// published draft AND the cloned-from peer that just flipped to
+	// archived (if any).
+	if err := syncDualWriteFromDeadlineRule(ctx, tx, id); err != nil {
+		return nil, err
+	}
+	if current.DraftOf != nil {
+		if err := syncDualWriteFromDeadlineRule(ctx, tx, *current.DraftOf); err != nil {
+			return nil, err
+		}
+	}
+
 	if err := tx.Commit(); err != nil {
 		return nil, fmt.Errorf("commit publish: %w", err)
 	}
@@ -435,6 +491,12 @@ func (s *RuleEditorService) flipLifecycle(ctx context.Context, id uuid.UUID, tar
 		}
 	}
 
+	// Slice B.2 dual-write (t-paliad-305): mirror the lifecycle flip
+	// onto sequencing_rules + procedural_events.
+	if err := syncDualWriteFromDeadlineRule(ctx, tx, id); err != nil {
+		return nil, err
+	}
+
 	if err := tx.Commit(); err != nil {
 		return nil, fmt.Errorf("commit flip: %w", err)
 	}
@@ -574,7 +636,7 @@ func (s *RuleEditorService) ListRules(ctx context.Context, f ListRulesFilter) ([
 		where = "WHERE " + strings.Join(conds, " AND ")
 	}
 	query := `SELECT ` + ruleColumns + `
-		   FROM paliad.deadline_rules
+		   FROM paliad.deadline_rules_unified
 		   ` + where + `
 		  ORDER BY proceeding_type_id NULLS LAST, sequence_order
 		  LIMIT ` + addArg(f.Limit) + ` OFFSET ` + addArg(f.Offset)
@@ -594,7 +656,7 @@ func (s *RuleEditorService) GetByID(ctx context.Context, id uuid.UUID) (*models.
 func (s *RuleEditorService) getByID(ctx context.Context, id uuid.UUID) (*models.DeadlineRule, error) {
 	var r models.DeadlineRule
 	err := s.db.GetContext(ctx, &r,
-		`SELECT `+ruleColumns+` FROM paliad.deadline_rules WHERE id = $1`, id)
+		`SELECT `+ruleColumns+` FROM paliad.deadline_rules_unified WHERE id = $1`, id)
 	if errors.Is(err, sql.ErrNoRows) {
 		return nil, ErrRuleNotFound
 	}
@@ -604,92 +666,6 @@ func (s *RuleEditorService) getByID(ctx context.Context, id uuid.UUID) (*models.
 	return &r, nil
 }
 
-// ExportMigrationsSince returns a SQL blob containing one UPDATE / INSERT
-// per audited rule change after the given audit row id. Used by the
-// admin "export changes to a migration file" flow (Q-H-5: pure SQL
-// format). Returns SQL + count + the latest audit id seen so the
-// caller can pass it as ?since= on the next call.
-//
-// v1 generates one UPDATE per audit row using the after_json snapshot.
-// Slice 11b will polish the output (re-order so foreign-key edges
-// resolve, collapse consecutive UPDATEs on the same row, format the
-// header comment with author + reason). v1 emits one statement per
-// audit row in chronological order — sufficient for hand-review.
-type ExportResult struct {
-	MigrationSQL  string `json:"migration_sql"`
-	Count         int    `json:"count"`
-	LatestAuditID string `json:"latest_audit_id"`
-}
-
-func (s *RuleEditorService) ExportMigrationsSince(ctx context.Context, sinceAuditID string) (*ExportResult, error) {
-	type auditRow struct {
-		ID        uuid.UUID       `db:"id"`
-		RuleID    uuid.UUID       `db:"rule_id"`
-		ChangedAt time.Time       `db:"changed_at"`
-		Action    string          `db:"action"`
-		AfterJSON json.RawMessage `db:"after_json"`
-		Reason    string          `db:"reason"`
-	}
-	var rows []auditRow
-	q := `SELECT id, rule_id, changed_at, action, after_json, reason
-	        FROM paliad.deadline_rule_audit
-	       WHERE migration_exported = false`
-	args := []any{}
-	if sinceAuditID != "" {
-		sid, err := uuid.Parse(sinceAuditID)
-		if err != nil {
-			return nil, fmt.Errorf("%w: invalid since= uuid", ErrInvalidInput)
-		}
-		q += ` AND changed_at >= (SELECT changed_at FROM paliad.deadline_rule_audit WHERE id = $1)`
-		args = append(args, sid)
-	}
-	q += ` ORDER BY changed_at ASC`
-	if err := s.db.SelectContext(ctx, &rows, q, args...); err != nil {
-		return nil, fmt.Errorf("list audit since: %w", err)
-	}
-
-	var sb strings.Builder
-	sb.WriteString("-- Auto-generated rule-editor migration export.\n")
-	sb.WriteString("-- Generated at: " + time.Now().UTC().Format(time.RFC3339) + "\n")
-	sb.WriteString("-- Rows: " + fmt.Sprintf("%d", len(rows)) + "\n\n")
-	sb.WriteString("SELECT set_config('paliad.audit_reason',\n")
-	sb.WriteString("    'rule-editor export: replay of " + fmt.Sprintf("%d", len(rows)) + " edits', true);\n\n")
-
-	latest := ""
-	for _, r := range rows {
-		sb.WriteString("-- audit " + r.ID.String() + " (" + r.Action + " " + r.ChangedAt.Format(time.RFC3339) + "): " + sqlEscape(r.Reason) + "\n")
-		switch r.Action {
-		case "create", "update":
-			if len(r.AfterJSON) == 0 {
-				sb.WriteString("-- (no after_json — skipped)\n\n")
-				continue
-			}
-			sb.WriteString("INSERT INTO paliad.deadline_rules\n")
-			sb.WriteString("    SELECT (jsonb_populate_record(NULL::paliad.deadline_rules, '")
-			sb.WriteString(sqlEscape(string(r.AfterJSON)))
-			sb.WriteString("'::jsonb)).*\n")
-			sb.WriteString("ON CONFLICT (id) DO UPDATE SET name = EXCLUDED.name, name_en = EXCLUDED.name_en,\n")
-			sb.WriteString("    duration_value = EXCLUDED.duration_value, duration_unit = EXCLUDED.duration_unit,\n")
-			sb.WriteString("    timing = EXCLUDED.timing, priority = EXCLUDED.priority,\n")
-			sb.WriteString("    is_court_set = EXCLUDED.is_court_set,\n")
-			sb.WriteString("    condition_expr = EXCLUDED.condition_expr,\n")
-			sb.WriteString("    lifecycle_state = EXCLUDED.lifecycle_state,\n")
-			sb.WriteString("    updated_at = now();\n\n")
-		case "delete", "archive":
-			sb.WriteString("UPDATE paliad.deadline_rules SET lifecycle_state='archived', updated_at=now() WHERE id='")
-			sb.WriteString(r.RuleID.String())
-			sb.WriteString("';\n\n")
-		}
-		latest = r.ID.String()
-	}
-
-	return &ExportResult{
-		MigrationSQL:  sb.String(),
-		Count:         len(rows),
-		LatestAuditID: latest,
-	}, nil
-}
-
 // =============================================================================
 // Internal helpers
 // =============================================================================
@@ -739,7 +715,7 @@ func (s *RuleEditorService) validateSpawnNoCycle(ctx context.Context, ruleID *uu
 		visited[current] = true
 		var nexts []sql.NullInt64
 		q := `SELECT DISTINCT spawn_proceeding_type_id::bigint
-		        FROM paliad.deadline_rules
+		        FROM paliad.deadline_rules_unified
 		       WHERE proceeding_type_id = $1
 		         AND is_spawn = true
 		         AND spawn_proceeding_type_id IS NOT NULL
@@ -814,6 +790,3 @@ func nullableJSON(b json.RawMessage) any {
 	return []byte(b)
 }
 
-func sqlEscape(s string) string {
-	return strings.ReplaceAll(s, "'", "''")
-}

internal/services/scenario_service.go

@@ -0,0 +1,347 @@
+package services
+
+import (
+	"context"
+	"database/sql"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+
+	"mgit.msbls.de/m/paliad/internal/models"
+	lp "mgit.msbls.de/m/paliad/pkg/litigationplanner"
+)
+
+// ScenarioService reads + writes paliad.scenarios — named compositions
+// of existing proceedings + flags + per-card choices + anchor dates,
+// switchable per project or saved as abstract templates on
+// /tools/verfahrensablauf. Slice D, m/paliad#124 §5, mig 145.
+//
+// Visibility:
+//   - Project-scoped scenarios (project_id NOT NULL): require
+//     can_see_project on the bound project (mirrors
+//     EventChoiceService.requireProjectVisible).
+//   - Abstract scenarios (project_id IS NULL): owner-only. Only
+//     created_by can read / mutate.
+//
+// The service applies these checks in application code; paliad.scenarios
+// also has RLS policies (mig 145) as defense-in-depth for callers that
+// connect through Supabase Auth's auth.uid() session.
+type ScenarioService struct {
+	db       *sqlx.DB
+	projects *ProjectService
+	rules    *DeadlineRuleService
+}
+
+// NewScenarioService wires the service to its dependencies.
+func NewScenarioService(db *sqlx.DB, projects *ProjectService, rules *DeadlineRuleService) *ScenarioService {
+	return &ScenarioService{db: db, projects: projects, rules: rules}
+}
+
+// Sentinel errors. Mirrors EventChoiceService + the lp package errors
+// so handlers can map cleanly to HTTP statuses.
+var (
+	ErrScenarioNotVisible = errors.New("scenario not visible to caller")
+)
+
+// CreateScenarioInput is the payload for POST /api/scenarios. project_id
+// nil = abstract scenario (saved Verfahrensablauf template).
+type CreateScenarioInput struct {
+	ProjectID   *uuid.UUID      `json:"project_id,omitempty"`
+	Name        string          `json:"name"`
+	Description *string         `json:"description,omitempty"`
+	Spec        json.RawMessage `json:"spec"`
+}
+
+// Create inserts a new scenario after validating the spec.
+func (s *ScenarioService) Create(ctx context.Context, userID uuid.UUID, input CreateScenarioInput) (*lp.Scenario, error) {
+	if input.Name == "" {
+		return nil, fmt.Errorf("%w: name required", ErrInvalidInput)
+	}
+	if err := s.validateSpec(ctx, input.Spec); err != nil {
+		return nil, err
+	}
+	if input.ProjectID != nil {
+		if err := s.requireProjectVisible(ctx, userID, *input.ProjectID); err != nil {
+			return nil, err
+		}
+	}
+
+	var out lp.Scenario
+	err := s.db.GetContext(ctx, &out,
+		`INSERT INTO paliad.scenarios (project_id, name, description, spec, created_by)
+		      VALUES ($1, $2, $3, $4, $5)
+		   RETURNING id, project_id, name, description, spec, created_by,
+		             created_at, updated_at`,
+		input.ProjectID, input.Name, input.Description,
+		[]byte(input.Spec), userID)
+	if err != nil {
+		return nil, fmt.Errorf("create scenario: %w", err)
+	}
+	return &out, nil
+}
+
+// Get returns one scenario by id after a visibility check.
+func (s *ScenarioService) Get(ctx context.Context, userID, scenarioID uuid.UUID) (*lp.Scenario, error) {
+	var sc lp.Scenario
+	err := s.db.GetContext(ctx, &sc,
+		`SELECT id, project_id, name, description, spec, created_by,
+		        created_at, updated_at
+		   FROM paliad.scenarios
+		  WHERE id = $1`, scenarioID)
+	if errors.Is(err, sql.ErrNoRows) {
+		return nil, lp.ErrUnknownScenario
+	}
+	if err != nil {
+		return nil, fmt.Errorf("get scenario: %w", err)
+	}
+	if err := s.requireVisible(ctx, userID, &sc); err != nil {
+		return nil, err
+	}
+	return &sc, nil
+}
+
+// ListForProject returns scenarios attached to one project, ordered by
+// created_at desc.
+func (s *ScenarioService) ListForProject(ctx context.Context, userID, projectID uuid.UUID) ([]lp.Scenario, error) {
+	if err := s.requireProjectVisible(ctx, userID, projectID); err != nil {
+		return nil, err
+	}
+	out := []lp.Scenario{}
+	err := s.db.SelectContext(ctx, &out,
+		`SELECT id, project_id, name, description, spec, created_by,
+		        created_at, updated_at
+		   FROM paliad.scenarios
+		  WHERE project_id = $1
+		  ORDER BY created_at DESC`, projectID)
+	if err != nil {
+		return nil, fmt.Errorf("list scenarios for project: %w", err)
+	}
+	return out, nil
+}
+
+// ListAbstractForUser returns the calling user's abstract scenarios.
+func (s *ScenarioService) ListAbstractForUser(ctx context.Context, userID uuid.UUID) ([]lp.Scenario, error) {
+	out := []lp.Scenario{}
+	err := s.db.SelectContext(ctx, &out,
+		`SELECT id, project_id, name, description, spec, created_by,
+		        created_at, updated_at
+		   FROM paliad.scenarios
+		  WHERE project_id IS NULL AND created_by = $1
+		  ORDER BY created_at DESC`, userID)
+	if err != nil {
+		return nil, fmt.Errorf("list abstract scenarios: %w", err)
+	}
+	return out, nil
+}
+
+// PatchScenarioInput is the payload for PATCH /api/scenarios/{id}. Any
+// field nil means "don't change". Spec replacement re-runs validation.
+type PatchScenarioInput struct {
+	Name        *string         `json:"name,omitempty"`
+	Description *string         `json:"description,omitempty"`
+	Spec        json.RawMessage `json:"spec,omitempty"`
+}
+
+// Patch updates one or more scenario fields. Visibility check fires
+// first (the caller must already see the scenario to mutate it).
+func (s *ScenarioService) Patch(ctx context.Context, userID, scenarioID uuid.UUID, input PatchScenarioInput) (*lp.Scenario, error) {
+	current, err := s.Get(ctx, userID, scenarioID)
+	if err != nil {
+		return nil, err
+	}
+	if len(input.Spec) > 0 {
+		if err := s.validateSpec(ctx, input.Spec); err != nil {
+			return nil, err
+		}
+	}
+
+	sets := []string{}
+	args := []any{}
+	add := func(clause string, val any) {
+		args = append(args, val)
+		sets = append(sets, fmt.Sprintf(clause, len(args)))
+	}
+	if input.Name != nil {
+		add("name = $%d", *input.Name)
+	}
+	if input.Description != nil {
+		add("description = $%d", *input.Description)
+	}
+	if len(input.Spec) > 0 {
+		add("spec = $%d", []byte(input.Spec))
+	}
+	if len(sets) == 0 {
+		return current, nil
+	}
+	args = append(args, scenarioID)
+	query := fmt.Sprintf(`UPDATE paliad.scenarios SET %s
+	    WHERE id = $%d
+	RETURNING id, project_id, name, description, spec, created_by,
+	          created_at, updated_at`, joinSets(sets), len(args))
+	var out lp.Scenario
+	if err := s.db.GetContext(ctx, &out, query, args...); err != nil {
+		return nil, fmt.Errorf("patch scenario: %w", err)
+	}
+	return &out, nil
+}
+
+// SetActive points a project at one of its scenarios. Pass nil to
+// clear (revert to ad-hoc per-card choice state).
+func (s *ScenarioService) SetActive(ctx context.Context, userID, projectID uuid.UUID, scenarioID *uuid.UUID) error {
+	if err := s.requireProjectVisible(ctx, userID, projectID); err != nil {
+		return err
+	}
+	if scenarioID != nil {
+		// Ensure scenario exists + belongs to this project. A scenario
+		// from a different project (or an abstract one) can't be the
+		// active scenario on this project.
+		sc, err := s.Get(ctx, userID, *scenarioID)
+		if err != nil {
+			return err
+		}
+		if sc.ProjectID == nil || *sc.ProjectID != projectID {
+			return fmt.Errorf("%w: scenario %s is not attached to project %s",
+				ErrInvalidInput, *scenarioID, projectID)
+		}
+	}
+	_, err := s.db.ExecContext(ctx,
+		`UPDATE paliad.projects SET active_scenario_id = $1 WHERE id = $2`,
+		scenarioID, projectID)
+	if err != nil {
+		return fmt.Errorf("set active scenario: %w", err)
+	}
+	return nil
+}
+
+// Delete removes a scenario. Project's active_scenario_id is cleared
+// automatically via the FK's ON DELETE SET NULL.
+func (s *ScenarioService) Delete(ctx context.Context, userID, scenarioID uuid.UUID) error {
+	// Visibility check via Get — also resolves the existence question.
+	if _, err := s.Get(ctx, userID, scenarioID); err != nil {
+		return err
+	}
+	if _, err := s.db.ExecContext(ctx,
+		`DELETE FROM paliad.scenarios WHERE id = $1`, scenarioID); err != nil {
+		return fmt.Errorf("delete scenario: %w", err)
+	}
+	return nil
+}
+
+// requireVisible enforces the per-row visibility rule:
+//   - project_id NOT NULL → caller must see the project
+//   - project_id IS NULL  → caller must be the row's created_by
+func (s *ScenarioService) requireVisible(ctx context.Context, userID uuid.UUID, sc *lp.Scenario) error {
+	if sc.ProjectID != nil {
+		return s.requireProjectVisible(ctx, userID, *sc.ProjectID)
+	}
+	if sc.CreatedBy == nil || *sc.CreatedBy != userID {
+		return ErrScenarioNotVisible
+	}
+	return nil
+}
+
+// requireProjectVisible mirrors EventChoiceService.requireProjectVisible
+// (visibility via can_see_project). Cheap re-implementation — keeps the
+// call-graph small + avoids a cross-service dep.
+func (s *ScenarioService) requireProjectVisible(ctx context.Context, userID, projectID uuid.UUID) error {
+	var visible bool
+	err := s.db.GetContext(ctx, &visible,
+		`SELECT EXISTS (
+		    SELECT 1 FROM paliad.users u
+		     WHERE u.id = $1 AND u.global_role = 'global_admin'
+		) OR EXISTS (
+		    SELECT 1 FROM paliad.projects p
+		     JOIN paliad.project_teams pt ON pt.project_id = ANY(
+		            string_to_array(p.path, '.')::uuid[]
+		          )
+		    WHERE p.id = $2 AND pt.user_id = $1
+		)`, userID, projectID)
+	if err != nil {
+		return fmt.Errorf("check project visibility: %w", err)
+	}
+	if !visible {
+		return ErrScenarioNotVisible
+	}
+	return nil
+}
+
+// validateSpec checks the jsonb spec is well-formed, has the right
+// version, and that every referenced proceeding code + submission code
+// resolves to an active row in the live catalog. Surfaces friendly
+// errors wrapping ErrInvalidInput so the handler can map to a 400.
+func (s *ScenarioService) validateSpec(ctx context.Context, raw json.RawMessage) error {
+	if len(raw) == 0 {
+		return fmt.Errorf("%w: spec is required", ErrInvalidInput)
+	}
+	parsed, err := lp.ParseSpec(lp.NullableJSON(raw))
+	if err != nil {
+		return fmt.Errorf("%w: %v", ErrInvalidInput, err)
+	}
+	if _, err := parsed.PrimaryProceeding(); err != nil {
+		return fmt.Errorf("%w: %v", ErrInvalidInput, err)
+	}
+	if parsed.BaseTriggerDate != "" {
+		if _, err := time.Parse("2006-01-02", parsed.BaseTriggerDate); err != nil {
+			return fmt.Errorf("%w: base_trigger_date %q is not YYYY-MM-DD", ErrInvalidInput, parsed.BaseTriggerDate)
+		}
+	}
+	for i, p := range parsed.Proceedings {
+		if p.Code == "" {
+			return fmt.Errorf("%w: proceedings[%d].code is empty", ErrInvalidInput, i)
+		}
+		if p.Role != lp.ScenarioRolePrimary && p.Role != lp.ScenarioRolePeer {
+			return fmt.Errorf("%w: proceedings[%d].role=%q must be 'primary' or 'peer'",
+				ErrInvalidInput, i, p.Role)
+		}
+		if p.AppealTarget != "" && !lp.IsValidAppealTarget(p.AppealTarget) {
+			return fmt.Errorf("%w: proceedings[%d].appeal_target=%q not in %v",
+				ErrInvalidInput, i, p.AppealTarget, lp.AppealTargets)
+		}
+		if p.TriggerDateOverride != "" {
+			if _, err := time.Parse("2006-01-02", p.TriggerDateOverride); err != nil {
+				return fmt.Errorf("%w: proceedings[%d].trigger_date_override %q is not YYYY-MM-DD",
+					ErrInvalidInput, i, p.TriggerDateOverride)
+			}
+		}
+		for code, dateStr := range p.AnchorOverrides {
+			if _, err := time.Parse("2006-01-02", dateStr); err != nil {
+				return fmt.Errorf("%w: proceedings[%d].anchor_overrides[%q]=%q is not YYYY-MM-DD",
+					ErrInvalidInput, i, code, dateStr)
+			}
+		}
+		// Resolve code against active proceedings.
+		var exists bool
+		if err := s.db.GetContext(ctx, &exists,
+			`SELECT EXISTS(SELECT 1 FROM paliad.proceeding_types
+			               WHERE code = $1 AND is_active = true)`,
+			p.Code); err != nil {
+			return fmt.Errorf("validate spec proceedings[%d]: %w", i, err)
+		}
+		if !exists {
+			return fmt.Errorf("%w: proceedings[%d].code=%q is not an active proceeding_type",
+				ErrInvalidInput, i, p.Code)
+		}
+	}
+	return nil
+}
+
+// joinSets joins SET clauses with ", ". Tiny utility, kept here to
+// avoid cross-package strings.Join indirection.
+func joinSets(sets []string) string {
+	out := ""
+	for i, s := range sets {
+		if i > 0 {
+			out += ", "
+		}
+		out += s
+	}
+	return out
+}
+
+// Suppress unused-import diagnostic when models isn't referenced
+// (kept for future shape-evolution; canonical scenario row lives in lp).
+var _ = models.NullableJSON(nil)

internal/services/submission_base_service.go

@@ -0,0 +1,274 @@
+package services
+
+// Submission base catalog service — Composer Slice A (t-paliad-313,
+// design doc docs/design-submission-generator-v2-2026-05-26.md §4.2 +
+// §5.1).
+//
+// Each row in paliad.submission_bases maps a stable slug onto a Gitea
+// path (the .docx body) plus a JSON section spec that drives the
+// editor's default section seeding. Slice A surfaces this catalog via
+// a sidebar picker and uses GetDefaultForCode to pre-fill base_id on
+// new drafts.
+//
+// Read-only — admin mutations land in Slice C's /admin/submission-bases
+// editor. Visibility is wide-open SELECT (the catalog is shared
+// firm-wide); RLS denies mutations by default.
+
+import (
+	"context"
+	"database/sql"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+	"github.com/lib/pq"
+)
+
+// SubmissionBase mirrors a row in paliad.submission_bases.
+type SubmissionBase struct {
+	ID               uuid.UUID      `db:"id"                 json:"id"`
+	Slug             string         `db:"slug"               json:"slug"`
+	Firm             *string        `db:"firm"               json:"firm,omitempty"`
+	ProceedingFamily *string        `db:"proceeding_family"  json:"proceeding_family,omitempty"`
+	LabelDE          string         `db:"label_de"           json:"label_de"`
+	LabelEN          string         `db:"label_en"           json:"label_en"`
+	DescriptionDE    *string        `db:"description_de"     json:"description_de,omitempty"`
+	DescriptionEN    *string        `db:"description_en"     json:"description_en,omitempty"`
+	GiteaPath        string         `db:"gitea_path"         json:"gitea_path"`
+	SectionSpecRaw   []byte         `db:"section_spec"       json:"-"`
+	IsDefaultForRaw  pq.StringArray `db:"is_default_for"     json:"-"`
+	IsActive         bool           `db:"is_active"          json:"is_active"`
+
+	// SectionSpec is the parsed section spec; populated on read by the
+	// service so callers don't have to unmarshal manually.
+	SectionSpec BaseSectionSpec `json:"section_spec"`
+
+	// IsDefaultFor is the parsed string-slice form of the
+	// is_default_for column.
+	IsDefaultFor []string `json:"is_default_for"`
+}
+
+// BaseSectionSpec is the parsed shape of submission_bases.section_spec.
+// Slice A consumes Defaults to seed submission_sections rows on draft
+// create; later slices consume Stylemap (Slice B's MD→OOXML walker) and
+// Version (forward compat).
+type BaseSectionSpec struct {
+	Version  int                        `json:"version"`
+	Stylemap map[string]string          `json:"stylemap"`
+	Defaults []BaseSectionSpecDefault   `json:"defaults"`
+}
+
+// BaseSectionSpecDefault declares one default section per base. SeedMD*
+// is the Markdown copied into submission_sections.content_md_* on draft
+// create. Empty seed = blank prose section.
+type BaseSectionSpecDefault struct {
+	SectionKey string `json:"section_key"`
+	Kind       string `json:"kind"`
+	OrderIndex int    `json:"order_index"`
+	LabelDE    string `json:"label_de"`
+	LabelEN    string `json:"label_en"`
+	Included   bool   `json:"included"`
+	SeedMDDE   string `json:"seed_md_de"`
+	SeedMDEN   string `json:"seed_md_en"`
+}
+
+// BaseService reads the catalog. No mutations in Slice A.
+type BaseService struct {
+	db *sqlx.DB
+}
+
+// NewBaseService wires the service.
+func NewBaseService(db *sqlx.DB) *BaseService {
+	return &BaseService{db: db}
+}
+
+// ErrBaseNotFound is the sentinel for "no base with that id/slug".
+var ErrBaseNotFound = errors.New("submission base: not found")
+
+const baseColumns = `id, slug, firm, proceeding_family, label_de, label_en,
+                     description_de, description_en, gitea_path,
+                     section_spec, is_default_for, is_active`
+
+// List returns every active base ordered by firm-then-label.
+// firmFilter (when non-empty) restricts to rows where firm matches OR
+// firm IS NULL — the picker shows the firm's own bases plus the
+// firm-agnostic ones.
+func (s *BaseService) List(ctx context.Context, firmFilter string) ([]SubmissionBase, error) {
+	var rows []SubmissionBase
+	var err error
+	if firmFilter == "" {
+		err = s.db.SelectContext(ctx, &rows,
+			`SELECT `+baseColumns+`
+			   FROM paliad.submission_bases
+			  WHERE is_active
+			  ORDER BY COALESCE(firm, ''), label_de`)
+	} else {
+		err = s.db.SelectContext(ctx, &rows,
+			`SELECT `+baseColumns+`
+			   FROM paliad.submission_bases
+			  WHERE is_active AND (firm = $1 OR firm IS NULL)
+			  ORDER BY (firm IS NULL), label_de`,
+			firmFilter)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("list submission bases: %w", err)
+	}
+	for i := range rows {
+		if err := rows[i].decode(); err != nil {
+			return nil, err
+		}
+	}
+	return rows, nil
+}
+
+// GetByID fetches one base by uuid.
+func (s *BaseService) GetByID(ctx context.Context, id uuid.UUID) (*SubmissionBase, error) {
+	var b SubmissionBase
+	err := s.db.GetContext(ctx, &b,
+		`SELECT `+baseColumns+`
+		   FROM paliad.submission_bases
+		  WHERE id = $1 AND is_active`,
+		id)
+	if errors.Is(err, sql.ErrNoRows) {
+		return nil, ErrBaseNotFound
+	}
+	if err != nil {
+		return nil, fmt.Errorf("get submission base by id: %w", err)
+	}
+	if err := b.decode(); err != nil {
+		return nil, err
+	}
+	return &b, nil
+}
+
+// GetBySlug fetches one base by stable slug ("hlc-letterhead", …).
+func (s *BaseService) GetBySlug(ctx context.Context, slug string) (*SubmissionBase, error) {
+	var b SubmissionBase
+	err := s.db.GetContext(ctx, &b,
+		`SELECT `+baseColumns+`
+		   FROM paliad.submission_bases
+		  WHERE slug = $1 AND is_active`,
+		slug)
+	if errors.Is(err, sql.ErrNoRows) {
+		return nil, ErrBaseNotFound
+	}
+	if err != nil {
+		return nil, fmt.Errorf("get submission base by slug: %w", err)
+	}
+	if err := b.decode(); err != nil {
+		return nil, err
+	}
+	return &b, nil
+}
+
+// GetDefaultForCode picks the base SubmissionDraftService.Create should
+// seed for a new draft, given the requesting firm and the draft's
+// submission_code. Priority:
+//
+//  1. firm-matched base whose is_default_for[] contains the exact code.
+//  2. firm-matched base whose proceeding_family matches the code's
+//     family (first three dot-segments, e.g. "de.inf.lg" from
+//     "de.inf.lg.erwidg").
+//  3. firm-matched base with NULL proceeding_family (firm-agnostic
+//     fallback within the firm).
+//  4. firm-NULL (cross-firm) base by family match.
+//  5. firm-NULL base with NULL family — the universal neutral fallback.
+//  6. first active row (deterministic ordering on (firm IS NULL,
+//     label_de)).
+//
+// Returns ErrBaseNotFound if the table is empty.
+func (s *BaseService) GetDefaultForCode(ctx context.Context, firm, submissionCode string) (*SubmissionBase, error) {
+	family := familyOfCode(submissionCode)
+
+	tryQueries := []struct {
+		sql    string
+		args   []any
+	}{
+		{
+			`SELECT ` + baseColumns + `
+			   FROM paliad.submission_bases
+			  WHERE is_active AND firm = $1 AND $2 = ANY(is_default_for)
+			  ORDER BY label_de LIMIT 1`,
+			[]any{firm, submissionCode},
+		},
+		{
+			`SELECT ` + baseColumns + `
+			   FROM paliad.submission_bases
+			  WHERE is_active AND firm = $1 AND proceeding_family = $2
+			  ORDER BY label_de LIMIT 1`,
+			[]any{firm, family},
+		},
+		{
+			`SELECT ` + baseColumns + `
+			   FROM paliad.submission_bases
+			  WHERE is_active AND firm = $1 AND proceeding_family IS NULL
+			  ORDER BY label_de LIMIT 1`,
+			[]any{firm},
+		},
+		{
+			`SELECT ` + baseColumns + `
+			   FROM paliad.submission_bases
+			  WHERE is_active AND firm IS NULL AND proceeding_family = $1
+			  ORDER BY label_de LIMIT 1`,
+			[]any{family},
+		},
+		{
+			`SELECT ` + baseColumns + `
+			   FROM paliad.submission_bases
+			  WHERE is_active AND firm IS NULL AND proceeding_family IS NULL
+			  ORDER BY label_de LIMIT 1`,
+			[]any{},
+		},
+		{
+			`SELECT ` + baseColumns + `
+			   FROM paliad.submission_bases
+			  WHERE is_active
+			  ORDER BY (firm IS NULL), label_de LIMIT 1`,
+			[]any{},
+		},
+	}
+
+	for _, q := range tryQueries {
+		var b SubmissionBase
+		err := s.db.GetContext(ctx, &b, q.sql, q.args...)
+		if errors.Is(err, sql.ErrNoRows) {
+			continue
+		}
+		if err != nil {
+			return nil, fmt.Errorf("get default base: %w", err)
+		}
+		if err := b.decode(); err != nil {
+			return nil, err
+		}
+		return &b, nil
+	}
+	return nil, ErrBaseNotFound
+}
+
+// familyOfCode returns the first three dot-segments of a submission_code.
+// "de.inf.lg.erwidg" → "de.inf.lg". Codes with fewer than three segments
+// pass through unchanged (none in the corpus today, but safe).
+func familyOfCode(code string) string {
+	parts := strings.SplitN(code, ".", 4)
+	if len(parts) <= 3 {
+		return code
+	}
+	return strings.Join(parts[:3], ".")
+}
+
+// decode fills the parsed views from the raw scan fields.
+func (b *SubmissionBase) decode() error {
+	if len(b.SectionSpecRaw) > 0 {
+		if err := json.Unmarshal(b.SectionSpecRaw, &b.SectionSpec); err != nil {
+			return fmt.Errorf("decode submission base section_spec: %w", err)
+		}
+	}
+	b.IsDefaultFor = []string(b.IsDefaultForRaw)
+	if b.IsDefaultFor == nil {
+		b.IsDefaultFor = []string{}
+	}
+	return nil
+}

internal/services/submission_base_service_test.go

@@ -0,0 +1,99 @@
+package services
+
+// Unit tests for Composer base helpers — pure functions, no DB
+// dependency (t-paliad-313 Slice A).
+
+import "testing"
+
+func TestFamilyOfCode(t *testing.T) {
+	cases := []struct {
+		in   string
+		want string
+	}{
+		// canonical four-segment codes → first three segments
+		{"de.inf.lg.erwidg", "de.inf.lg"},
+		{"de.inf.lg.klage", "de.inf.lg"},
+		{"de.inf.olg.berufung", "de.inf.olg"},
+		{"upc.inf.cfi.soc", "upc.inf.cfi"},
+		{"upc.inf.cfi.sod", "upc.inf.cfi"},
+		{"upc.apl.cost.leave_app", "upc.apl.cost"},
+		{"epa.opp.opd.einspruch", "epa.opp.opd"},
+		// five-segment codes (rarely used in the corpus today) → still
+		// truncate to three
+		{"upc.inf.cfi.appeal_spawn.followup", "upc.inf.cfi"},
+		// shorter codes pass through unchanged
+		{"de.inf.lg", "de.inf.lg"},
+		{"de.inf", "de.inf"},
+		{"de", "de"},
+		// empty stays empty
+		{"", ""},
+	}
+	for _, tc := range cases {
+		t.Run(tc.in, func(t *testing.T) {
+			if got := familyOfCode(tc.in); got != tc.want {
+				t.Errorf("familyOfCode(%q) = %q; want %q", tc.in, got, tc.want)
+			}
+		})
+	}
+}
+
+func TestBaseSectionSpec_DecodeShape(t *testing.T) {
+	// The default seed in mig 146 emits a JSON document the service
+	// must decode round-trip; this golden pins the exact field shape
+	// the editor expects.
+	raw := []byte(`{
+		"version": 1,
+		"stylemap": {
+			"paragraph": "HLpat-Body-B0",
+			"heading_1": "HLpat-Heading-H1",
+			"heading_2": "HLpat-Heading-H2",
+			"heading_3": "HLpat-Heading-H3",
+			"list_bullet": "HLpat-Body-B0",
+			"list_numbered": "HLpat-Body-B0",
+			"blockquote": "HLpat-Body-B1"
+		},
+		"defaults": [
+			{"section_key":"letterhead","kind":"prose","order_index":1,"label_de":"Briefkopf","label_en":"Letterhead","included":true,"seed_md_de":"hi","seed_md_en":"hi"},
+			{"section_key":"requests","kind":"requests","order_index":4,"label_de":"Anträge","label_en":"Requests","included":true,"seed_md_de":"","seed_md_en":""}
+		]
+	}`)
+	b := SubmissionBase{SectionSpecRaw: raw}
+	if err := b.decode(); err != nil {
+		t.Fatalf("decode: %v", err)
+	}
+	if b.SectionSpec.Version != 1 {
+		t.Errorf("Version = %d; want 1", b.SectionSpec.Version)
+	}
+	if got := b.SectionSpec.Stylemap["heading_1"]; got != "HLpat-Heading-H1" {
+		t.Errorf("Stylemap[heading_1] = %q; want HLpat-Heading-H1", got)
+	}
+	if len(b.SectionSpec.Defaults) != 2 {
+		t.Fatalf("Defaults len = %d; want 2", len(b.SectionSpec.Defaults))
+	}
+	first := b.SectionSpec.Defaults[0]
+	if first.SectionKey != "letterhead" || first.Kind != "prose" || first.OrderIndex != 1 {
+		t.Errorf("Defaults[0] = %+v; want letterhead/prose/1", first)
+	}
+	if first.SeedMDDE != "hi" || first.SeedMDEN != "hi" {
+		t.Errorf("Defaults[0] seed_md_* = %q/%q; want hi/hi", first.SeedMDDE, first.SeedMDEN)
+	}
+	second := b.SectionSpec.Defaults[1]
+	if second.SectionKey != "requests" || second.Kind != "requests" || second.OrderIndex != 4 {
+		t.Errorf("Defaults[1] = %+v; want requests/requests/4", second)
+	}
+}
+
+func TestBaseSectionSpec_EmptyDecode(t *testing.T) {
+	// A bare row (SectionSpecRaw == nil) decodes cleanly into the
+	// zero value — no panic, no garbage.
+	b := SubmissionBase{}
+	if err := b.decode(); err != nil {
+		t.Fatalf("decode empty: %v", err)
+	}
+	if b.SectionSpec.Version != 0 || len(b.SectionSpec.Defaults) != 0 {
+		t.Errorf("expected zero SectionSpec on empty raw; got %+v", b.SectionSpec)
+	}
+	if b.IsDefaultFor == nil {
+		t.Errorf("IsDefaultFor must be non-nil (empty slice) after decode; got nil")
+	}
+}

internal/services/submission_building_block_service.go

@@ -0,0 +1,629 @@
+package services
+
+// Composer building-block library service — t-paliad-315 Slice C
+// (design doc docs/design-submission-generator-v2-2026-05-26.md §8 +
+// §4.4).
+//
+// Per the Q2 ratification (m, 2026-05-26): building blocks are plain
+// text paste sources. The library row is the source; the lawyer's
+// section row is the destination. After paste, the section row has
+// no link back to the library — the prose belongs to the section.
+//
+// Per the Q9 ratification: four visibility tiers — private / team /
+// firm / global. The DB-side RLS policy (mig 149) handles the
+// "private rows only the author sees" coarse gate. This service
+// applies the fine-grained tier predicate at query time, so the
+// picker on the section editor only shows blocks the caller actually
+// has reach to.
+//
+// Admin mutations are gated at the handler layer (adminGate). The
+// service exposes Create + Update + SoftDelete + RestoreVersion which
+// all assume the caller has already passed the admin check.
+// Append-only audit history (_admin_versions) is retained at 20 rows
+// per block, GCed in the same transaction as each Save.
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+)
+
+// BuildingBlock mirrors a row in paliad.submission_building_blocks.
+type BuildingBlock struct {
+	ID               uuid.UUID  `db:"id"                  json:"id"`
+	Slug             string     `db:"slug"                json:"slug"`
+	Firm             *string    `db:"firm"                json:"firm,omitempty"`
+	SectionKey       string     `db:"section_key"         json:"section_key"`
+	ProceedingFamily *string    `db:"proceeding_family"   json:"proceeding_family,omitempty"`
+	TitleDE          string     `db:"title_de"            json:"title_de"`
+	TitleEN          string     `db:"title_en"            json:"title_en"`
+	DescriptionDE    *string    `db:"description_de"      json:"description_de,omitempty"`
+	DescriptionEN    *string    `db:"description_en"      json:"description_en,omitempty"`
+	ContentMDDE      string     `db:"content_md_de"       json:"content_md_de"`
+	ContentMDEN      string     `db:"content_md_en"       json:"content_md_en"`
+	AuthorID         *uuid.UUID `db:"author_id"           json:"author_id,omitempty"`
+	Visibility       string     `db:"visibility"          json:"visibility"`
+	IsPublished      bool       `db:"is_published"        json:"is_published"`
+	CreatedAt        time.Time  `db:"created_at"          json:"created_at"`
+	UpdatedAt        time.Time  `db:"updated_at"          json:"updated_at"`
+	DeletedAt        *time.Time `db:"deleted_at"          json:"-"`
+}
+
+// BuildingBlockVersion is one row from the admin-only audit history.
+type BuildingBlockVersion struct {
+	ID              uuid.UUID  `db:"id"                  json:"id"`
+	BuildingBlockID uuid.UUID  `db:"building_block_id"   json:"building_block_id"`
+	ContentMDDE     string     `db:"content_md_de"       json:"content_md_de"`
+	ContentMDEN     string     `db:"content_md_en"       json:"content_md_en"`
+	TitleDE         string     `db:"title_de"            json:"title_de"`
+	TitleEN         string     `db:"title_en"            json:"title_en"`
+	EditedBy        *uuid.UUID `db:"edited_by"           json:"edited_by,omitempty"`
+	Note            *string    `db:"note"                json:"note,omitempty"`
+	CreatedAt       time.Time  `db:"created_at"          json:"created_at"`
+}
+
+// BuildingBlockService handles the library + admin audit history.
+type BuildingBlockService struct {
+	db   *sqlx.DB
+	firm string
+}
+
+// NewBuildingBlockService wires the service. firm is branding.Name —
+// captured at construction time and used to apply the firm-tier
+// filter on List/Get calls.
+func NewBuildingBlockService(db *sqlx.DB, firm string) *BuildingBlockService {
+	return &BuildingBlockService{db: db, firm: firm}
+}
+
+const (
+	// VisPrivate / Team / Firm / Global — the 4 tiers per Q9.
+	VisPrivate = "private"
+	VisTeam    = "team"
+	VisFirm    = "firm"
+	VisGlobal  = "global"
+
+	// Retention horizon for the admin audit history per block.
+	buildingBlockVersionRetention = 20
+)
+
+// ErrBuildingBlockNotFound is the sentinel for "no block with that id
+// visible to this user". Maps to 404 at the handler layer.
+var ErrBuildingBlockNotFound = errors.New("submission building block: not found")
+
+// ErrBuildingBlockInvalidVisibility is the sentinel for a Create /
+// Update with an unknown tier value.
+var ErrBuildingBlockInvalidVisibility = errors.New("submission building block: invalid visibility")
+
+const buildingBlockColumns = `id, slug, firm, section_key, proceeding_family,
+                              title_de, title_en, description_de, description_en,
+                              content_md_de, content_md_en,
+                              author_id, visibility, is_published,
+                              created_at, updated_at, deleted_at`
+
+// BlockListFilter narrows the picker query. All fields optional. Returns
+// only published, non-deleted rows the caller has tier reach to.
+type BlockListFilter struct {
+	// SectionKey filters to blocks bound to one section (the picker
+	// uses this to restrict "facts" blocks to facts sections, etc.).
+	// Empty string = no filter.
+	SectionKey string
+	// ProceedingFamily filters to blocks tagged for one family OR
+	// untagged (proceeding_family IS NULL = "any family"). Empty
+	// string = no filter.
+	ProceedingFamily string
+	// Search free-text query against title + description + content.
+	// Empty string = no filter.
+	Search string
+	// Limit caps the result count (0 = default 50).
+	Limit int
+}
+
+// ListVisible returns blocks the caller can see, after the tier
+// predicate is applied. Ordered by updated_at DESC. The DB-side
+// SELECT policy already drops soft-deleted rows + private-other-author
+// rows; this query additionally honours the picker filter + the
+// is_published gate + the firm + team predicates.
+func (s *BuildingBlockService) ListVisible(ctx context.Context, userID uuid.UUID, filter BlockListFilter) ([]BuildingBlock, error) {
+	limit := filter.Limit
+	if limit <= 0 {
+		limit = 50
+	}
+
+	q := `SELECT ` + buildingBlockColumns + `
+	      FROM paliad.submission_building_blocks
+	      WHERE deleted_at IS NULL
+	        AND is_published = true
+	        AND (
+	          visibility = 'global'
+	          OR visibility = 'private' AND author_id = $1
+	          OR visibility = 'firm' AND (firm IS NULL OR firm = $2)
+	          OR visibility = 'team' AND EXISTS (
+	              SELECT 1 FROM paliad.project_teams pt1
+	              JOIN paliad.project_teams pt2 ON pt1.project_id = pt2.project_id
+	              WHERE pt1.user_id = author_id AND pt2.user_id = $1
+	          )
+	        )`
+	args := []any{userID, s.firm}
+	idx := 3
+
+	if filter.SectionKey != "" {
+		q += fmt.Sprintf(" AND section_key = $%d", idx)
+		args = append(args, filter.SectionKey)
+		idx++
+	}
+	if filter.ProceedingFamily != "" {
+		q += fmt.Sprintf(" AND (proceeding_family IS NULL OR proceeding_family = $%d)", idx)
+		args = append(args, filter.ProceedingFamily)
+		idx++
+	}
+	if filter.Search != "" {
+		pattern := "%" + strings.ToLower(filter.Search) + "%"
+		q += fmt.Sprintf(" AND (LOWER(title_de) LIKE $%d OR LOWER(title_en) LIKE $%d OR LOWER(COALESCE(description_de,'')) LIKE $%d OR LOWER(COALESCE(description_en,'')) LIKE $%d OR LOWER(content_md_de) LIKE $%d OR LOWER(content_md_en) LIKE $%d)",
+			idx, idx, idx, idx, idx, idx)
+		args = append(args, pattern)
+		idx++
+	}
+	q += fmt.Sprintf(" ORDER BY updated_at DESC LIMIT $%d", idx)
+	args = append(args, limit)
+
+	var rows []BuildingBlock
+	err := s.db.SelectContext(ctx, &rows, q, args...)
+	if err != nil {
+		return nil, fmt.Errorf("list building blocks: %w", err)
+	}
+	return rows, nil
+}
+
+// ListAllForAdmin returns every non-deleted row regardless of tier.
+// Handler-side adminGate is the access gate.
+func (s *BuildingBlockService) ListAllForAdmin(ctx context.Context) ([]BuildingBlock, error) {
+	var rows []BuildingBlock
+	err := s.db.SelectContext(ctx, &rows,
+		`SELECT `+buildingBlockColumns+`
+		   FROM paliad.submission_building_blocks
+		  WHERE deleted_at IS NULL
+		  ORDER BY updated_at DESC`)
+	if err != nil {
+		return nil, fmt.Errorf("admin list building blocks: %w", err)
+	}
+	return rows, nil
+}
+
+// GetVisible fetches a block by id, applying the same tier predicate
+// as ListVisible. ErrBuildingBlockNotFound when the row exists but
+// the caller has no tier reach (handler maps to 404).
+func (s *BuildingBlockService) GetVisible(ctx context.Context, userID, blockID uuid.UUID) (*BuildingBlock, error) {
+	var b BuildingBlock
+	err := s.db.GetContext(ctx, &b,
+		`SELECT `+buildingBlockColumns+`
+		   FROM paliad.submission_building_blocks
+		  WHERE id = $1
+		    AND deleted_at IS NULL
+		    AND is_published = true
+		    AND (
+		      visibility = 'global'
+		      OR visibility = 'private' AND author_id = $2
+		      OR visibility = 'firm' AND (firm IS NULL OR firm = $3)
+		      OR visibility = 'team' AND EXISTS (
+		          SELECT 1 FROM paliad.project_teams pt1
+		          JOIN paliad.project_teams pt2 ON pt1.project_id = pt2.project_id
+		          WHERE pt1.user_id = author_id AND pt2.user_id = $2
+		      )
+		    )`,
+		blockID, userID, s.firm)
+	if errors.Is(err, sql.ErrNoRows) {
+		return nil, ErrBuildingBlockNotFound
+	}
+	if err != nil {
+		return nil, fmt.Errorf("get building block: %w", err)
+	}
+	return &b, nil
+}
+
+// GetForAdmin fetches a block by id with no tier filter. adminGate at
+// the handler is the access gate.
+func (s *BuildingBlockService) GetForAdmin(ctx context.Context, blockID uuid.UUID) (*BuildingBlock, error) {
+	var b BuildingBlock
+	err := s.db.GetContext(ctx, &b,
+		`SELECT `+buildingBlockColumns+`
+		   FROM paliad.submission_building_blocks
+		  WHERE id = $1 AND deleted_at IS NULL`,
+		blockID)
+	if errors.Is(err, sql.ErrNoRows) {
+		return nil, ErrBuildingBlockNotFound
+	}
+	if err != nil {
+		return nil, fmt.Errorf("admin get building block: %w", err)
+	}
+	return &b, nil
+}
+
+// CreateInput carries the fields needed to insert a new block. Admin
+// path only (Slice C); user-authored private blocks are a later
+// feature.
+type CreateInput struct {
+	Slug             string
+	Firm             *string
+	SectionKey       string
+	ProceedingFamily *string
+	TitleDE          string
+	TitleEN          string
+	DescriptionDE    *string
+	DescriptionEN    *string
+	ContentMDDE      string
+	ContentMDEN      string
+	Visibility       string
+	IsPublished      bool
+}
+
+// Create inserts a new block and seeds the first audit-history row.
+// editorID is the admin's uuid; recorded in _admin_versions.edited_by.
+func (s *BuildingBlockService) Create(ctx context.Context, editorID uuid.UUID, in CreateInput) (*BuildingBlock, error) {
+	if !validVisibility(in.Visibility) {
+		return nil, ErrBuildingBlockInvalidVisibility
+	}
+	in.Slug = strings.TrimSpace(in.Slug)
+	in.SectionKey = strings.TrimSpace(in.SectionKey)
+	in.TitleDE = strings.TrimSpace(in.TitleDE)
+	in.TitleEN = strings.TrimSpace(in.TitleEN)
+	if in.Slug == "" || in.SectionKey == "" || in.TitleDE == "" || in.TitleEN == "" {
+		return nil, ErrInvalidInput
+	}
+
+	tx, err := s.db.BeginTxx(ctx, nil)
+	if err != nil {
+		return nil, fmt.Errorf("create building block tx: %w", err)
+	}
+	committed := false
+	defer func() {
+		if !committed {
+			_ = tx.Rollback()
+		}
+	}()
+
+	var b BuildingBlock
+	err = tx.GetContext(ctx, &b,
+		`INSERT INTO paliad.submission_building_blocks
+		     (slug, firm, section_key, proceeding_family,
+		      title_de, title_en, description_de, description_en,
+		      content_md_de, content_md_en, author_id, visibility, is_published)
+		 VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13)
+		 RETURNING `+buildingBlockColumns,
+		in.Slug, in.Firm, in.SectionKey, in.ProceedingFamily,
+		in.TitleDE, in.TitleEN, in.DescriptionDE, in.DescriptionEN,
+		in.ContentMDDE, in.ContentMDEN, editorID, in.Visibility, in.IsPublished)
+	if err != nil {
+		return nil, fmt.Errorf("insert building block: %w", err)
+	}
+	if err := s.appendVersionTx(ctx, tx, b.ID, editorID, &b, "create"); err != nil {
+		return nil, err
+	}
+	if err := tx.Commit(); err != nil {
+		return nil, fmt.Errorf("commit create building block: %w", err)
+	}
+	committed = true
+	return &b, nil
+}
+
+// UpdatePatch carries the optional fields for an Update call.
+type UpdatePatch struct {
+	Slug             *string
+	Firm             **string // **string for "set to null" semantics
+	SectionKey       *string
+	ProceedingFamily **string
+	TitleDE          *string
+	TitleEN          *string
+	DescriptionDE    **string
+	DescriptionEN    **string
+	ContentMDDE      *string
+	ContentMDEN      *string
+	Visibility       *string
+	IsPublished      *bool
+	Note             *string // free-form note that lands in _admin_versions
+}
+
+// Update applies a patch. Appends an audit-history row; GCs to the
+// retention=20 horizon in the same tx so old versions don't pile up.
+func (s *BuildingBlockService) Update(ctx context.Context, editorID, blockID uuid.UUID, patch UpdatePatch) (*BuildingBlock, error) {
+	if patch.Visibility != nil && !validVisibility(*patch.Visibility) {
+		return nil, ErrBuildingBlockInvalidVisibility
+	}
+
+	tx, err := s.db.BeginTxx(ctx, nil)
+	if err != nil {
+		return nil, fmt.Errorf("update building block tx: %w", err)
+	}
+	committed := false
+	defer func() {
+		if !committed {
+			_ = tx.Rollback()
+		}
+	}()
+
+	setParts := []string{}
+	args := []any{}
+	idx := 1
+
+	addText := func(col string, p *string) {
+		if p == nil {
+			return
+		}
+		setParts = append(setParts, fmt.Sprintf("%s = $%d", col, idx))
+		args = append(args, *p)
+		idx++
+	}
+	addBool := func(col string, p *bool) {
+		if p == nil {
+			return
+		}
+		setParts = append(setParts, fmt.Sprintf("%s = $%d", col, idx))
+		args = append(args, *p)
+		idx++
+	}
+	addNullable := func(col string, p **string) {
+		if p == nil {
+			return
+		}
+		setParts = append(setParts, fmt.Sprintf("%s = $%d", col, idx))
+		args = append(args, *p)
+		idx++
+	}
+
+	addText("slug", patch.Slug)
+	addNullable("firm", patch.Firm)
+	addText("section_key", patch.SectionKey)
+	addNullable("proceeding_family", patch.ProceedingFamily)
+	addText("title_de", patch.TitleDE)
+	addText("title_en", patch.TitleEN)
+	addNullable("description_de", patch.DescriptionDE)
+	addNullable("description_en", patch.DescriptionEN)
+	addText("content_md_de", patch.ContentMDDE)
+	addText("content_md_en", patch.ContentMDEN)
+	addText("visibility", patch.Visibility)
+	addBool("is_published", patch.IsPublished)
+
+	if len(setParts) == 0 {
+		// No-op patch — still append a version with the user's note if
+		// supplied. Otherwise just return current row.
+		current, err := s.GetForAdmin(ctx, blockID)
+		if err != nil {
+			return nil, err
+		}
+		if patch.Note != nil && strings.TrimSpace(*patch.Note) != "" {
+			if err := s.appendVersionTx(ctx, tx, blockID, editorID, current, *patch.Note); err != nil {
+				return nil, err
+			}
+		}
+		if err := tx.Commit(); err != nil {
+			return nil, fmt.Errorf("commit no-op update building block: %w", err)
+		}
+		committed = true
+		return current, nil
+	}
+
+	args = append(args, blockID)
+	q := fmt.Sprintf(
+		`UPDATE paliad.submission_building_blocks
+		    SET %s
+		  WHERE id = $%d AND deleted_at IS NULL
+		  RETURNING `+buildingBlockColumns,
+		strings.Join(setParts, ", "), idx,
+	)
+	var b BuildingBlock
+	err = tx.GetContext(ctx, &b, q, args...)
+	if errors.Is(err, sql.ErrNoRows) {
+		return nil, ErrBuildingBlockNotFound
+	}
+	if err != nil {
+		return nil, fmt.Errorf("update building block: %w", err)
+	}
+
+	note := ""
+	if patch.Note != nil {
+		note = *patch.Note
+	}
+	if note == "" {
+		note = "update"
+	}
+	if err := s.appendVersionTx(ctx, tx, blockID, editorID, &b, note); err != nil {
+		return nil, err
+	}
+	if err := tx.Commit(); err != nil {
+		return nil, fmt.Errorf("commit update building block: %w", err)
+	}
+	committed = true
+	return &b, nil
+}
+
+// SoftDelete marks a block deleted. RLS hides deleted rows; the
+// admin can still see them via GetForAdmin if the row is referenced
+// by audit history.
+func (s *BuildingBlockService) SoftDelete(ctx context.Context, editorID, blockID uuid.UUID) error {
+	tx, err := s.db.BeginTxx(ctx, nil)
+	if err != nil {
+		return fmt.Errorf("soft delete tx: %w", err)
+	}
+	committed := false
+	defer func() {
+		if !committed {
+			_ = tx.Rollback()
+		}
+	}()
+	var b BuildingBlock
+	err = tx.GetContext(ctx, &b,
+		`UPDATE paliad.submission_building_blocks
+		    SET deleted_at = now()
+		  WHERE id = $1 AND deleted_at IS NULL
+		  RETURNING `+buildingBlockColumns,
+		blockID)
+	if errors.Is(err, sql.ErrNoRows) {
+		return ErrBuildingBlockNotFound
+	}
+	if err != nil {
+		return fmt.Errorf("soft delete: %w", err)
+	}
+	if err := s.appendVersionTx(ctx, tx, blockID, editorID, &b, "delete"); err != nil {
+		return err
+	}
+	if err := tx.Commit(); err != nil {
+		return fmt.Errorf("commit soft delete: %w", err)
+	}
+	committed = true
+	return nil
+}
+
+// ListVersions returns the audit history for a block (most recent
+// first), capped at retention. Admin path only.
+func (s *BuildingBlockService) ListVersions(ctx context.Context, blockID uuid.UUID) ([]BuildingBlockVersion, error) {
+	var rows []BuildingBlockVersion
+	err := s.db.SelectContext(ctx, &rows,
+		`SELECT id, building_block_id, content_md_de, content_md_en,
+		        title_de, title_en, edited_by, note, created_at
+		   FROM paliad.submission_building_block_admin_versions
+		  WHERE building_block_id = $1
+		  ORDER BY created_at DESC
+		  LIMIT $2`,
+		blockID, buildingBlockVersionRetention)
+	if err != nil {
+		return nil, fmt.Errorf("list building block versions: %w", err)
+	}
+	return rows, nil
+}
+
+// RestoreVersion overwrites the block's current content + titles with
+// the named version's snapshot. Appends a new audit row noting the
+// restore. Admin path only.
+func (s *BuildingBlockService) RestoreVersion(ctx context.Context, editorID, blockID, versionID uuid.UUID) (*BuildingBlock, error) {
+	tx, err := s.db.BeginTxx(ctx, nil)
+	if err != nil {
+		return nil, fmt.Errorf("restore version tx: %w", err)
+	}
+	committed := false
+	defer func() {
+		if !committed {
+			_ = tx.Rollback()
+		}
+	}()
+
+	var v BuildingBlockVersion
+	err = tx.GetContext(ctx, &v,
+		`SELECT id, building_block_id, content_md_de, content_md_en,
+		        title_de, title_en, edited_by, note, created_at
+		   FROM paliad.submission_building_block_admin_versions
+		  WHERE id = $1 AND building_block_id = $2`,
+		versionID, blockID)
+	if errors.Is(err, sql.ErrNoRows) {
+		return nil, ErrBuildingBlockNotFound
+	}
+	if err != nil {
+		return nil, fmt.Errorf("fetch version: %w", err)
+	}
+
+	var b BuildingBlock
+	err = tx.GetContext(ctx, &b,
+		`UPDATE paliad.submission_building_blocks
+		    SET content_md_de = $1, content_md_en = $2,
+		        title_de = $3, title_en = $4
+		  WHERE id = $5 AND deleted_at IS NULL
+		  RETURNING `+buildingBlockColumns,
+		v.ContentMDDE, v.ContentMDEN, v.TitleDE, v.TitleEN, blockID)
+	if errors.Is(err, sql.ErrNoRows) {
+		return nil, ErrBuildingBlockNotFound
+	}
+	if err != nil {
+		return nil, fmt.Errorf("restore update: %w", err)
+	}
+
+	note := fmt.Sprintf("restore from %s", versionID.String())
+	if err := s.appendVersionTx(ctx, tx, blockID, editorID, &b, note); err != nil {
+		return nil, err
+	}
+	if err := tx.Commit(); err != nil {
+		return nil, fmt.Errorf("commit restore: %w", err)
+	}
+	committed = true
+	return &b, nil
+}
+
+// appendVersionTx inserts an audit row + GCs to the retention horizon.
+// Runs inside the caller's transaction so a failure rolls back the
+// associated Create / Update / Delete / Restore.
+func (s *BuildingBlockService) appendVersionTx(ctx context.Context, tx *sqlx.Tx, blockID, editorID uuid.UUID, b *BuildingBlock, note string) error {
+	_, err := tx.ExecContext(ctx,
+		`INSERT INTO paliad.submission_building_block_admin_versions
+		     (building_block_id, content_md_de, content_md_en,
+		      title_de, title_en, edited_by, note)
+		 VALUES ($1, $2, $3, $4, $5, $6, $7)`,
+		blockID, b.ContentMDDE, b.ContentMDEN, b.TitleDE, b.TitleEN, editorID, note)
+	if err != nil {
+		return fmt.Errorf("append version: %w", err)
+	}
+	// GC: keep only the most recent N versions per block.
+	_, err = tx.ExecContext(ctx,
+		`DELETE FROM paliad.submission_building_block_admin_versions
+		  WHERE id IN (
+		    SELECT id FROM paliad.submission_building_block_admin_versions
+		     WHERE building_block_id = $1
+		     ORDER BY created_at DESC
+		     OFFSET $2
+		  )`,
+		blockID, buildingBlockVersionRetention)
+	if err != nil {
+		return fmt.Errorf("gc version history: %w", err)
+	}
+	return nil
+}
+
+// InsertIntoSection clones a block's content_md_<lang> into the named
+// section by appending at the end (with a paragraph break separator).
+// Per Q2: no lineage stamped on the section. The returned
+// SubmissionSection carries the updated content.
+//
+// The handler enforces draft ownership before calling this; the
+// service does the visibility check on the block itself and the
+// SectionService.Get + Update sequence inside one transaction so an
+// in-flight failure rolls back cleanly.
+func (s *BuildingBlockService) InsertIntoSection(ctx context.Context, userID, blockID, sectionID uuid.UUID, sections *SectionService) (*SubmissionSection, error) {
+	block, err := s.GetVisible(ctx, userID, blockID)
+	if err != nil {
+		return nil, err
+	}
+	sec, err := sections.Get(ctx, sectionID)
+	if err != nil {
+		return nil, err
+	}
+
+	// Determine which lang column to splice into based on the section
+	// row's existing content + the block's content. We splice both
+	// lang columns so the section is bilingually current — the
+	// lawyer's draft language picker still drives which one renders.
+	newDE := appendBlockContent(sec.ContentMDDE, block.ContentMDDE)
+	newEN := appendBlockContent(sec.ContentMDEN, block.ContentMDEN)
+
+	patch := SectionPatch{ContentMDDE: &newDE, ContentMDEN: &newEN}
+	return sections.Update(ctx, sectionID, patch)
+}
+
+func appendBlockContent(existing, addition string) string {
+	if strings.TrimSpace(existing) == "" {
+		return addition
+	}
+	if strings.TrimSpace(addition) == "" {
+		return existing
+	}
+	return strings.TrimRight(existing, "\n") + "\n\n" + addition
+}
+
+func validVisibility(v string) bool {
+	switch v {
+	case VisPrivate, VisTeam, VisFirm, VisGlobal:
+		return true
+	}
+	return false
+}

internal/services/submission_building_block_service_test.go

@@ -0,0 +1,60 @@
+package services
+
+// Unit tests for BuildingBlockService helpers — pure functions, no DB
+// dependency (t-paliad-315 Slice C).
+
+import "testing"
+
+func TestValidVisibility(t *testing.T) {
+	cases := []struct {
+		in    string
+		valid bool
+	}{
+		{"private", true},
+		{"team", true},
+		{"firm", true},
+		{"global", true},
+		{"PRIVATE", false}, // case-sensitive
+		{"", false},
+		{"public", false},
+		{"all", false},
+	}
+	for _, tc := range cases {
+		t.Run(tc.in, func(t *testing.T) {
+			if got := validVisibility(tc.in); got != tc.valid {
+				t.Errorf("validVisibility(%q) = %v; want %v", tc.in, got, tc.valid)
+			}
+		})
+	}
+}
+
+func TestAppendBlockContent(t *testing.T) {
+	cases := []struct {
+		existing string
+		addition string
+		want     string
+	}{
+		{"", "hello", "hello"},
+		{"existing", "", "existing"},
+		{"", "", ""},
+		{"existing", "addition", "existing\n\naddition"},
+		{"existing\n", "addition", "existing\n\naddition"},
+		{"existing\n\n\n", "addition", "existing\n\naddition"},
+		{"   ", "addition", "addition"}, // whitespace-only existing counts as empty
+		{"existing", "   ", "existing"}, // whitespace-only addition counts as empty
+	}
+	for _, tc := range cases {
+		if got := appendBlockContent(tc.existing, tc.addition); got != tc.want {
+			t.Errorf("appendBlockContent(%q,%q) = %q; want %q", tc.existing, tc.addition, got, tc.want)
+		}
+	}
+}
+
+func TestBuildingBlockVisibilityConstants(t *testing.T) {
+	// Pin the constants so a typo somewhere doesn't silently flip a
+	// tier name. The DB CHECK constraint and the RLS predicate both
+	// hard-code these literals.
+	if VisPrivate != "private" || VisTeam != "team" || VisFirm != "firm" || VisGlobal != "global" {
+		t.Errorf("visibility constants drifted: %q/%q/%q/%q", VisPrivate, VisTeam, VisFirm, VisGlobal)
+	}
+}

internal/services/submission_compose.go

@@ -0,0 +1,469 @@
+package services
+
+// Composer render pipeline — t-paliad-313 Slice B (design doc §9.1 +
+// §9.2). Assembles a base .docx and a draft's section rows into a
+// merged .docx ready for export.
+//
+// Pipeline (high-level):
+//
+//  1. ConvertDotmToDocx pre-pass on the base bytes (idempotent on .docx).
+//  2. Locate `word/document.xml` inside the zip; pull the body XML.
+//  3. For each section in the draft (order_index ASC, included=true):
+//     render content_md_<lang> → OOXML via RenderMarkdownToOOXML using
+//     base.section_spec.stylemap.paragraph.
+//  4. Splice the rendered OOXML into the base body. Two splice modes:
+//     - Anchor mode: when the body carries `{{#section:KEY}}` /
+//       `{{/section:KEY}}` marker pairs, replace the slot's content
+//       (including the anchor paragraphs themselves) with the rendered
+//       section.
+//     - Append mode: when no anchor pair is found for a section, the
+//       rendered OOXML appends at the end of the body, just before any
+//       `<w:sectPr>` element. Sections with `included=false` are
+//       dropped silently.
+//  5. Strip any leftover unmatched anchor paragraphs.
+//  6. Re-pack the document.xml into the zip, leaving every other part
+//     untouched.
+//  7. Run the v1 SubmissionRenderer placeholder pass over the assembly
+//     so `{{path}}` placeholders inside section content (and inside
+//     the base's untouched chrome) get substituted by the merged bag.
+//     Cross-run merge in pass 2 handles autocorrect-fragmented
+//     placeholders the same as v1.
+//
+// Result: a fully-merged .docx. No new third-party Go dep — reuses
+// archive/zip + the existing SubmissionRenderer.
+
+import (
+	"archive/zip"
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"regexp"
+	"sort"
+	"strings"
+	"time"
+)
+
+// SubmissionComposer assembles base + sections into a final .docx.
+// Stateless; safe for concurrent use.
+type SubmissionComposer struct {
+	renderer *SubmissionRenderer
+}
+
+// NewSubmissionComposer wires the composer. The renderer is required —
+// a nil renderer is a programmer error and the composer panics at
+// construction.
+func NewSubmissionComposer(renderer *SubmissionRenderer) *SubmissionComposer {
+	if renderer == nil {
+		panic("submission composer: renderer required")
+	}
+	return &SubmissionComposer{renderer: renderer}
+}
+
+// ComposeOptions carries the per-call composition inputs.
+type ComposeOptions struct {
+	// Sections are the draft's section rows in display order. The
+	// composer renders included sections; excluded rows are dropped.
+	// Caller is responsible for visibility — by the time the composer
+	// runs, the section rows have already been gated through
+	// SubmissionDraftService.Get + can_see_project.
+	Sections []SubmissionSection
+
+	// Base supplies the document chrome (.docx body host) plus the
+	// stylemap for the MD walker. Must not be nil.
+	Base *SubmissionBase
+
+	// BaseBytes is the raw .docx bytes for the base. Typically fetched
+	// from Gitea via the existing template cache.
+	BaseBytes []byte
+
+	// Lang ('de' or 'en') selects which content_md_* column the
+	// composer reads per section. Defaults to 'de' if empty.
+	Lang string
+
+	// Vars is the merged placeholder bag the v1 renderer pass
+	// substitutes after the composer assembly. Passed straight through
+	// to SubmissionRenderer.Render.
+	Vars PlaceholderMap
+
+	// Missing translates an unbound placeholder key into the marker
+	// the lawyer sees in Word. Passed straight to the renderer.
+	Missing MissingPlaceholderFn
+}
+
+// Compose runs the full pipeline and returns the merged .docx bytes.
+func (c *SubmissionComposer) Compose(ctx context.Context, opts ComposeOptions) ([]byte, error) {
+	if opts.Base == nil {
+		return nil, fmt.Errorf("submission compose: base required")
+	}
+	_ = ctx // reserved for cancellation propagation in later slices
+	sections := opts.Sections
+
+	// Pre-pass: strip macros so the base reads as a plain .docx zip.
+	cleanBytes, err := ConvertDotmToDocx(opts.BaseBytes)
+	if err != nil {
+		return nil, fmt.Errorf("submission compose: convert base: %w", err)
+	}
+
+	// Locate + extract word/document.xml so we can splice in-place.
+	documentXML, otherParts, err := splitBaseZip(cleanBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	// Build the rendered-section map: section_key → OOXML span.
+	style := opts.Base.SectionSpec.Stylemap["paragraph"]
+	rendered := make(map[string]string, len(sections))
+	keptSections := make([]SubmissionSection, 0, len(sections))
+	for _, sec := range sections {
+		if !sec.Included {
+			continue
+		}
+		md := sec.ContentMDDE
+		if strings.EqualFold(opts.Lang, "en") {
+			md = sec.ContentMDEN
+		}
+		rendered[sec.SectionKey] = RenderMarkdownToOOXML(md, style)
+		keptSections = append(keptSections, sec)
+	}
+	// Stable order — already sorted ascending by ListForDraft, but
+	// belt-and-braces in case the caller swaps the ordering policy
+	// later.
+	sort.SliceStable(keptSections, func(i, j int) bool {
+		return keptSections[i].OrderIndex < keptSections[j].OrderIndex
+	})
+
+	assembledBody := spliceSections(documentXML, rendered, keptSections, sections)
+
+	// Re-pack into a zip with the assembled document.xml. All other
+	// parts (styles, fonts, headers, footers, theme, settings) pass
+	// through bit-for-bit at their original mtime + compression.
+	repacked, err := repackBaseZip(otherParts, assembledBody)
+	if err != nil {
+		return nil, err
+	}
+
+	// Final pass: substitute placeholders against the merged bag. The
+	// existing renderer handles cross-run fragmentation, the `{{rule.X}}`
+	// alias contract, and the missing-marker emission. Reusing it
+	// guarantees v1's placeholder grammar stays intact inside section
+	// content + base chrome.
+	merged, err := c.renderer.Render(repacked, opts.Vars, opts.Missing)
+	if err != nil {
+		return nil, fmt.Errorf("submission compose: placeholder pass: %w", err)
+	}
+	return merged, nil
+}
+
+// ─────────────────────────────────────────────────────────────────────
+// Section splicing
+// ─────────────────────────────────────────────────────────────────────
+
+// Anchor markers as they appear inside a <w:t> text node. We don't
+// need a full XML parse — finding the marker text inside the body is
+// sufficient because:
+//   - {{ and }} are never legitimate document content (placeholders
+//     follow the same convention everywhere else in paliad).
+//   - The anchor key grammar [A-Za-z0-9_]+ rules out any HTML/XML
+//     special characters.
+//   - Each anchor lives in exactly one <w:t>...<w:t>, which lives in
+//     exactly one <w:r>...</w:r>, which lives in exactly one
+//     <w:p>...</w:p>. We expand from the marker outward to find the
+//     enclosing <w:p> span and drop the entire paragraph as part of
+//     the splice.
+//
+// RE2 has no lookahead, so the "find enclosing <w:p>" logic is
+// implemented as manual byte-index search around the marker hit
+// (anchorParagraphSpan below) rather than a single regex pattern.
+
+const (
+	anchorOpenPrefix  = "{{#section:"
+	anchorClosePrefix = "{{/section:"
+	anchorSuffix      = "}}"
+)
+
+// anchorKeyRegex validates that the captured anchor key is a clean
+// identifier. Keys that include other characters (which can't actually
+// appear in our authored .docx) are treated as no match.
+var anchorKeyRegex = regexp.MustCompile(`^[A-Za-z0-9_]+$`)
+
+// anchorPair records the byte span of one matched anchor pair inside
+// the body — from the start of the opening anchor's <w:p> element
+// through the end of the closing anchor's </w:p>.
+type anchorPair struct {
+	key      string
+	openStart int // start of <w:p> for the opening anchor
+	closeEnd  int // index just past </w:p> for the closing anchor
+}
+
+// findAllAnchorPairs scans the body for matched open/close anchor
+// pairs. Unbalanced markers (open without close, or vice versa) are
+// dropped from the result. Returns pairs in body-order; each pair's
+// span is non-overlapping.
+func findAllAnchorPairs(body string) []anchorPair {
+	type marker struct {
+		key      string
+		paraStart int
+		paraEnd   int
+		isOpen   bool
+	}
+	var markers []marker
+
+	collect := func(prefix string, isOpen bool) {
+		offset := 0
+		for {
+			idx := strings.Index(body[offset:], prefix)
+			if idx < 0 {
+				return
+			}
+			start := offset + idx
+			suffixIdx := strings.Index(body[start+len(prefix):], anchorSuffix)
+			if suffixIdx < 0 {
+				return
+			}
+			key := body[start+len(prefix) : start+len(prefix)+suffixIdx]
+			if !anchorKeyRegex.MatchString(key) {
+				offset = start + len(prefix)
+				continue
+			}
+			markerEnd := start + len(prefix) + suffixIdx + len(anchorSuffix)
+			pStart, pEnd, ok := paragraphSpanAround(body, start, markerEnd)
+			if !ok {
+				offset = markerEnd
+				continue
+			}
+			markers = append(markers, marker{key: key, paraStart: pStart, paraEnd: pEnd, isOpen: isOpen})
+			offset = pEnd
+		}
+	}
+	collect(anchorOpenPrefix, true)
+	collect(anchorClosePrefix, false)
+
+	// Walk markers in body-order, matching each open with the next
+	// close that carries the same key.
+	sort.SliceStable(markers, func(i, j int) bool {
+		return markers[i].paraStart < markers[j].paraStart
+	})
+	var pairs []anchorPair
+	openStack := map[string]marker{}
+	for _, m := range markers {
+		if m.isOpen {
+			openStack[m.key] = m
+			continue
+		}
+		o, ok := openStack[m.key]
+		if !ok {
+			continue
+		}
+		pairs = append(pairs, anchorPair{
+			key:       m.key,
+			openStart: o.paraStart,
+			closeEnd:  m.paraEnd,
+		})
+		delete(openStack, m.key)
+	}
+	return pairs
+}
+
+// paragraphSpanAround returns the byte span of the smallest `<w:p>...</w:p>`
+// element that fully contains the byte range [markerStart, markerEnd).
+// Returns false when the byte range doesn't sit inside a single
+// paragraph (which would mean the marker survived a cross-paragraph
+// edit — defensive guard, shouldn't happen in well-formed input).
+func paragraphSpanAround(body string, markerStart, markerEnd int) (int, int, bool) {
+	// Walk backwards to find the nearest unclosed <w:p ... > opening.
+	// Since <w:p> doesn't nest, the nearest <w:p before markerStart is
+	// the enclosing paragraph's opening tag.
+	pStart := -1
+	cursor := markerStart
+	for cursor > 0 {
+		idx := strings.LastIndex(body[:cursor], "<w:p")
+		if idx < 0 {
+			break
+		}
+		// Confirm this is a paragraph open, not a different
+		// w:p-prefixed tag (e.g. <w:pPr>).
+		if idx+4 <= len(body) {
+			after := body[idx+4]
+			if after == ' ' || after == '>' || after == '/' {
+				// <w:p ...> or <w:p>; not <w:pPr>.
+				close := strings.Index(body[idx:], ">")
+				if close < 0 {
+					return 0, 0, false
+				}
+				pStart = idx
+				break
+			}
+		}
+		cursor = idx
+	}
+	if pStart < 0 {
+		return 0, 0, false
+	}
+	// Walk forward to find the matching </w:p>. <w:p> doesn't nest so
+	// the next </w:p> after the marker is the close.
+	pEndIdx := strings.Index(body[markerEnd:], "</w:p>")
+	if pEndIdx < 0 {
+		return 0, 0, false
+	}
+	pEnd := markerEnd + pEndIdx + len("</w:p>")
+	return pStart, pEnd, true
+}
+
+// spliceSections replaces anchor slots with rendered sections and
+// appends any unanchored sections before sectPr. Returns the assembled
+// document.xml body.
+func spliceSections(documentXML []byte, rendered map[string]string, kept []SubmissionSection, all []SubmissionSection) []byte {
+	body := string(documentXML)
+	pairs := findAllAnchorPairs(body)
+
+	// Build a lookup of kept section keys for quick membership tests.
+	keptByKey := map[string]int{}
+	for i, sec := range kept {
+		keptByKey[sec.SectionKey] = i
+	}
+	allByKey := map[string]int{}
+	for i, sec := range all {
+		allByKey[sec.SectionKey] = i
+	}
+
+	matchedKeys := map[string]bool{}
+
+	// Walk pairs in REVERSE body-order so slice mutations don't shift
+	// later offsets.
+	sort.SliceStable(pairs, func(i, j int) bool {
+		return pairs[i].openStart > pairs[j].openStart
+	})
+	for _, p := range pairs {
+		replacement := ""
+		if idx, ok := keptByKey[p.key]; ok {
+			replacement = rendered[p.key]
+			matchedKeys[p.key] = true
+			_ = idx
+		} else if _, isOnDraft := allByKey[p.key]; isOnDraft {
+			// Anchor matches an excluded section on the draft — drop
+			// the entire slot.
+			replacement = ""
+		} else {
+			// Anchor doesn't match any section on this draft — drop
+			// to leave the base's chrome unbroken.
+			replacement = ""
+		}
+		body = body[:p.openStart] + replacement + body[p.closeEnd:]
+	}
+
+	// Append unanchored sections before sectPr in order_index ASC.
+	var unanchored strings.Builder
+	for _, sec := range kept {
+		if matchedKeys[sec.SectionKey] {
+			continue
+		}
+		unanchored.WriteString(rendered[sec.SectionKey])
+	}
+	if unanchored.Len() > 0 {
+		body = appendBeforeSectPr(body, unanchored.String())
+	}
+
+	return []byte(body)
+}
+
+// appendBeforeSectPr inserts content immediately before the first
+// `<w:sectPr` element in the body, or at the end of the body if there
+// is none. Word documents conventionally close the body with a sectPr
+// describing page setup; we want to land sections before that element
+// so they show up on the actual pages.
+var sectPrRegex = regexp.MustCompile(`<w:sectPr\b`)
+
+func appendBeforeSectPr(body, content string) string {
+	loc := sectPrRegex.FindStringIndex(body)
+	if loc == nil {
+		// No sectPr → append before `</w:body>` if present, else at
+		// the very end.
+		idx := strings.LastIndex(body, "</w:body>")
+		if idx < 0 {
+			return body + content
+		}
+		return body[:idx] + content + body[idx:]
+	}
+	return body[:loc[0]] + content + body[loc[0]:]
+}
+
+// ─────────────────────────────────────────────────────────────────────
+// Zip plumbing
+// ─────────────────────────────────────────────────────────────────────
+
+// baseZipPart captures one zip entry we kept aside while extracting
+// document.xml.
+type baseZipPart struct {
+	name    string
+	method  uint16
+	modTime int64 // wall seconds; converted back to time.Time on repack
+	body    []byte
+}
+
+// splitBaseZip extracts document.xml and returns it alongside every
+// other zip entry, ready for repacking.
+func splitBaseZip(cleanBytes []byte) ([]byte, []baseZipPart, error) {
+	zr, err := zip.NewReader(bytes.NewReader(cleanBytes), int64(len(cleanBytes)))
+	if err != nil {
+		return nil, nil, fmt.Errorf("submission compose: open base zip: %w", err)
+	}
+	var documentXML []byte
+	parts := make([]baseZipPart, 0, len(zr.File))
+	for _, f := range zr.File {
+		body, err := readZipEntry(f)
+		if err != nil {
+			return nil, nil, fmt.Errorf("submission compose: read %s: %w", f.Name, err)
+		}
+		if f.Name == "word/document.xml" {
+			documentXML = body
+			parts = append(parts, baseZipPart{name: f.Name, method: f.Method, modTime: f.Modified.Unix(), body: nil})
+			continue
+		}
+		parts = append(parts, baseZipPart{name: f.Name, method: f.Method, modTime: f.Modified.Unix(), body: body})
+	}
+	if documentXML == nil {
+		return nil, nil, fmt.Errorf("submission compose: base zip missing word/document.xml")
+	}
+	return documentXML, parts, nil
+}
+
+// repackBaseZip rebuilds the zip, swapping document.xml for the
+// assembled body and leaving every other part untouched.
+func repackBaseZip(parts []baseZipPart, assembledBody []byte) ([]byte, error) {
+	var out bytes.Buffer
+	zw := zip.NewWriter(&out)
+	for _, p := range parts {
+		hdr := &zip.FileHeader{
+			Name:   p.name,
+			Method: p.method,
+		}
+		if p.modTime > 0 {
+			hdr.Modified = time.Unix(p.modTime, 0)
+		}
+		w, err := zw.CreateHeader(hdr)
+		if err != nil {
+			return nil, fmt.Errorf("submission compose: write header %s: %w", p.name, err)
+		}
+		body := p.body
+		if p.name == "word/document.xml" {
+			body = assembledBody
+		}
+		if _, err := w.Write(body); err != nil {
+			return nil, fmt.Errorf("submission compose: write body %s: %w", p.name, err)
+		}
+	}
+	if err := zw.Close(); err != nil {
+		return nil, fmt.Errorf("submission compose: finalise zip: %w", err)
+	}
+	return out.Bytes(), nil
+}
+
+func readZipEntry(f *zip.File) ([]byte, error) {
+	rc, err := f.Open()
+	if err != nil {
+		return nil, err
+	}
+	defer rc.Close()
+	return io.ReadAll(rc)
+}

internal/services/submission_compose_test.go

@@ -0,0 +1,276 @@
+package services
+
+// Unit tests for SubmissionComposer's pure splice logic — no DB
+// dependency. The end-to-end Compose path is exercised by the live
+// integration test in submission_section_service_live_test.go (Slice
+// A) once anchors land in the seeded .docx; this file covers the
+// anchor-splicing primitives and the section rendering glue.
+
+import (
+	"archive/zip"
+	"bytes"
+	"context"
+	"strings"
+	"testing"
+
+	"github.com/google/uuid"
+)
+
+// minimalBaseBytes builds a tiny .docx zip with one document.xml body
+// for the composer tests. The body content is provided by the caller
+// so different splice scenarios can be exercised in-process.
+func minimalBaseBytes(t *testing.T, body string) []byte {
+	t.Helper()
+	var buf bytes.Buffer
+	zw := zip.NewWriter(&buf)
+
+	parts := map[string]string{
+		"[Content_Types].xml": `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
+  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
+  <Default Extension="xml" ContentType="application/xml"/>
+  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
+</Types>`,
+		"_rels/.rels": `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
+  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
+</Relationships>`,
+		"word/document.xml": `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
+<w:body>` + body + `</w:body>
+</w:document>`,
+	}
+	for name, contents := range parts {
+		w, err := zw.Create(name)
+		if err != nil {
+			t.Fatalf("zip create %s: %v", name, err)
+		}
+		if _, err := w.Write([]byte(contents)); err != nil {
+			t.Fatalf("zip write %s: %v", name, err)
+		}
+	}
+	if err := zw.Close(); err != nil {
+		t.Fatalf("zip close: %v", err)
+	}
+	return buf.Bytes()
+}
+
+// extractDocumentXML pulls word/document.xml out of a .docx zip for
+// assertions.
+func extractDocumentXML(t *testing.T, data []byte) string {
+	t.Helper()
+	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
+	if err != nil {
+		t.Fatalf("open zip: %v", err)
+	}
+	for _, f := range zr.File {
+		if f.Name != "word/document.xml" {
+			continue
+		}
+		rc, err := f.Open()
+		if err != nil {
+			t.Fatalf("open document.xml: %v", err)
+		}
+		defer rc.Close()
+		var buf bytes.Buffer
+		if _, err := buf.ReadFrom(rc); err != nil {
+			t.Fatalf("read document.xml: %v", err)
+		}
+		return buf.String()
+	}
+	t.Fatal("document.xml not found in zip")
+	return ""
+}
+
+// composerBase returns a SubmissionBase wired with the neutral
+// stylemap for composer tests.
+func composerBase() *SubmissionBase {
+	return &SubmissionBase{
+		ID:   uuid.New(),
+		Slug: "test-base",
+		SectionSpec: BaseSectionSpec{
+			Version: 1,
+			Stylemap: map[string]string{
+				"paragraph": "Normal",
+			},
+		},
+	}
+}
+
+func TestComposer_AppendMode_NoAnchors(t *testing.T) {
+	// Base has no anchors → composer appends sections before sectPr.
+	base := composerBase()
+	body := `<w:p><w:r><w:t>Static chrome</w:t></w:r></w:p><w:sectPr/>`
+	baseBytes := minimalBaseBytes(t, body)
+	composer := NewSubmissionComposer(NewSubmissionRenderer())
+
+	sections := []SubmissionSection{
+		{ID: uuid.New(), SectionKey: "facts", OrderIndex: 1, Kind: "prose", Included: true, ContentMDDE: "Section text"},
+	}
+	out, err := composer.Compose(context.Background(), ComposeOptions{
+		Sections:  sections,
+		Base:      base,
+		BaseBytes: baseBytes,
+		Lang:      "de",
+		Vars:      PlaceholderMap{},
+	})
+	if err != nil {
+		t.Fatalf("Compose: %v", err)
+	}
+	docXML := extractDocumentXML(t, out)
+	if !strings.Contains(docXML, "Static chrome") {
+		t.Errorf("base chrome dropped: %q", docXML)
+	}
+	if !strings.Contains(docXML, "Section text") {
+		t.Errorf("section content missing: %q", docXML)
+	}
+	// Section must land before sectPr (rule of thumb: it's an end-of-body element).
+	staticIdx := strings.Index(docXML, "Section text")
+	sectPrIdx := strings.Index(docXML, "<w:sectPr")
+	if staticIdx < 0 || sectPrIdx < 0 || staticIdx > sectPrIdx {
+		t.Errorf("section landed after sectPr: section=%d sectPr=%d", staticIdx, sectPrIdx)
+	}
+}
+
+func TestComposer_AnchorMode_SpliceContent(t *testing.T) {
+	base := composerBase()
+	body := `<w:p><w:r><w:t>Header</w:t></w:r></w:p>` +
+		`<w:p><w:r><w:t>{{#section:facts}}</w:t></w:r></w:p>` +
+		`<w:p><w:r><w:t>(seed)</w:t></w:r></w:p>` +
+		`<w:p><w:r><w:t>{{/section:facts}}</w:t></w:r></w:p>` +
+		`<w:p><w:r><w:t>Footer</w:t></w:r></w:p>`
+	baseBytes := minimalBaseBytes(t, body)
+	composer := NewSubmissionComposer(NewSubmissionRenderer())
+
+	sections := []SubmissionSection{
+		{ID: uuid.New(), SectionKey: "facts", OrderIndex: 1, Kind: "prose", Included: true, ContentMDDE: "Real prose"},
+	}
+	out, err := composer.Compose(context.Background(), ComposeOptions{
+		Sections: sections, Base: base, BaseBytes: baseBytes, Lang: "de",
+	})
+	if err != nil {
+		t.Fatalf("Compose: %v", err)
+	}
+	docXML := extractDocumentXML(t, out)
+	if !strings.Contains(docXML, "Header") || !strings.Contains(docXML, "Footer") {
+		t.Errorf("base chrome dropped: %q", docXML)
+	}
+	if !strings.Contains(docXML, "Real prose") {
+		t.Errorf("section content missing: %q", docXML)
+	}
+	// Anchor paragraphs themselves must be gone.
+	if strings.Contains(docXML, "{{#section:facts}}") || strings.Contains(docXML, "{{/section:facts}}") {
+		t.Errorf("anchor markers survived: %q", docXML)
+	}
+	// Seed content between anchors must be gone (replaced by the
+	// composed section).
+	if strings.Contains(docXML, "(seed)") {
+		t.Errorf("anchor-spanned seed survived: %q", docXML)
+	}
+}
+
+func TestComposer_ExcludedSection_DropsAnchorPair(t *testing.T) {
+	base := composerBase()
+	body := `<w:p><w:r><w:t>Header</w:t></w:r></w:p>` +
+		`<w:p><w:r><w:t>{{#section:exhibits}}</w:t></w:r></w:p>` +
+		`<w:p><w:r><w:t>(default)</w:t></w:r></w:p>` +
+		`<w:p><w:r><w:t>{{/section:exhibits}}</w:t></w:r></w:p>` +
+		`<w:p><w:r><w:t>Footer</w:t></w:r></w:p>`
+	baseBytes := minimalBaseBytes(t, body)
+	composer := NewSubmissionComposer(NewSubmissionRenderer())
+
+	sections := []SubmissionSection{
+		{ID: uuid.New(), SectionKey: "exhibits", OrderIndex: 8, Kind: "prose", Included: false, ContentMDDE: "ignored"},
+	}
+	out, err := composer.Compose(context.Background(), ComposeOptions{
+		Sections: sections, Base: base, BaseBytes: baseBytes, Lang: "de",
+	})
+	if err != nil {
+		t.Fatalf("Compose: %v", err)
+	}
+	docXML := extractDocumentXML(t, out)
+	if strings.Contains(docXML, "{{#section:exhibits}}") || strings.Contains(docXML, "{{/section:exhibits}}") {
+		t.Errorf("anchors for excluded section survived: %q", docXML)
+	}
+	if strings.Contains(docXML, "ignored") {
+		t.Errorf("excluded section content rendered: %q", docXML)
+	}
+}
+
+func TestComposer_PlaceholdersResolve(t *testing.T) {
+	base := composerBase()
+	body := `<w:p><w:r><w:t>{{#section:greeting}}</w:t></w:r></w:p>` +
+		`<w:p><w:r><w:t>{{/section:greeting}}</w:t></w:r></w:p>`
+	baseBytes := minimalBaseBytes(t, body)
+	composer := NewSubmissionComposer(NewSubmissionRenderer())
+
+	sections := []SubmissionSection{
+		{ID: uuid.New(), SectionKey: "greeting", OrderIndex: 1, Kind: "prose", Included: true, ContentMDDE: "Hallo {{user.name}}"},
+	}
+	out, err := composer.Compose(context.Background(), ComposeOptions{
+		Sections: sections, Base: base, BaseBytes: baseBytes, Lang: "de",
+		Vars: PlaceholderMap{"user.name": "Maria Schmidt"},
+	})
+	if err != nil {
+		t.Fatalf("Compose: %v", err)
+	}
+	docXML := extractDocumentXML(t, out)
+	if !strings.Contains(docXML, "Hallo") || !strings.Contains(docXML, "Maria Schmidt") {
+		t.Errorf("placeholder not substituted: %q", docXML)
+	}
+	if strings.Contains(docXML, "{{user.name}}") {
+		t.Errorf("placeholder survived: %q", docXML)
+	}
+}
+
+func TestComposer_LangPicksColumn(t *testing.T) {
+	base := composerBase()
+	body := `<w:p><w:r><w:t>{{#section:facts}}</w:t></w:r></w:p><w:p><w:r><w:t>{{/section:facts}}</w:t></w:r></w:p>`
+	baseBytes := minimalBaseBytes(t, body)
+	composer := NewSubmissionComposer(NewSubmissionRenderer())
+
+	sections := []SubmissionSection{
+		{ID: uuid.New(), SectionKey: "facts", OrderIndex: 1, Kind: "prose", Included: true,
+			ContentMDDE: "deutscher text", ContentMDEN: "english text"},
+	}
+	deOut, _ := composer.Compose(context.Background(), ComposeOptions{
+		Sections: sections, Base: base, BaseBytes: baseBytes, Lang: "de",
+	})
+	enOut, _ := composer.Compose(context.Background(), ComposeOptions{
+		Sections: sections, Base: base, BaseBytes: baseBytes, Lang: "en",
+	})
+	deXML := extractDocumentXML(t, deOut)
+	enXML := extractDocumentXML(t, enOut)
+	if !strings.Contains(deXML, "deutscher text") || strings.Contains(deXML, "english text") {
+		t.Errorf("DE pick failed: %q", deXML)
+	}
+	if !strings.Contains(enXML, "english text") || strings.Contains(enXML, "deutscher text") {
+		t.Errorf("EN pick failed: %q", enXML)
+	}
+}
+
+func TestComposer_OrderIndexAscending(t *testing.T) {
+	base := composerBase()
+	// No anchors → both sections append in order_index ASC order
+	// before sectPr.
+	body := `<w:sectPr/>`
+	baseBytes := minimalBaseBytes(t, body)
+	composer := NewSubmissionComposer(NewSubmissionRenderer())
+
+	sections := []SubmissionSection{
+		{ID: uuid.New(), SectionKey: "second", OrderIndex: 2, Kind: "prose", Included: true, ContentMDDE: "ZWEITER"},
+		{ID: uuid.New(), SectionKey: "first", OrderIndex: 1, Kind: "prose", Included: true, ContentMDDE: "ERSTER"},
+	}
+	out, err := composer.Compose(context.Background(), ComposeOptions{
+		Sections: sections, Base: base, BaseBytes: baseBytes, Lang: "de",
+	})
+	if err != nil {
+		t.Fatalf("Compose: %v", err)
+	}
+	docXML := extractDocumentXML(t, out)
+	firstIdx := strings.Index(docXML, "ERSTER")
+	secondIdx := strings.Index(docXML, "ZWEITER")
+	if firstIdx < 0 || secondIdx < 0 || firstIdx > secondIdx {
+		t.Errorf("order_index ASC not honoured: ERSTER=%d ZWEITER=%d", firstIdx, secondIdx)
+	}
+}

internal/services/submission_draft_service.go

@@ -58,8 +58,17 @@ type SubmissionDraft struct {
 	LastExportedAt     *time.Time     `db:"last_exported_at"    json:"last_exported_at,omitempty"`
 	LastExportedSHA    *string        `db:"last_exported_sha"   json:"last_exported_sha,omitempty"`
 	LastImportedAt     *time.Time     `db:"last_imported_at"    json:"last_imported_at,omitempty"`
-	CreatedAt          time.Time      `db:"created_at"          json:"created_at"`
-	UpdatedAt          time.Time      `db:"updated_at"          json:"updated_at"`
+	// BaseID is the Composer base reference (t-paliad-313). NULL on
+	// pre-Composer drafts — the v1 render path stays the fallback.
+	// ON DELETE SET NULL keeps a draft renderable if its base is
+	// removed; the lawyer picks a new one via the sidebar.
+	BaseID *uuid.UUID `db:"base_id" json:"base_id,omitempty"`
+	// ComposerMetaRaw / ComposerMeta — Composer-side metadata jsonb.
+	// Slice A: empty default. Future slices populate section_order,
+	// hidden_sections, etc.
+	ComposerMetaRaw []byte         `db:"composer_meta"       json:"-"`
+	CreatedAt       time.Time      `db:"created_at"          json:"created_at"`
+	UpdatedAt       time.Time      `db:"updated_at"          json:"updated_at"`
 
 	// Variables is the decoded overrides map; populated on read by the
 	// service so callers don't have to unmarshal manually.
@@ -70,15 +79,36 @@ type SubmissionDraft struct {
 	// the backward-compat "include every party" behaviour; a non-empty
 	// slice restricts the variable bag to the listed paliad.parties rows.
 	SelectedParties []uuid.UUID `json:"selected_parties"`
+
+	// ComposerMeta is the parsed Composer-side metadata (t-paliad-313).
+	// Slice A: typically empty. Populated on read by decodeComposerMeta().
+	ComposerMeta map[string]any `json:"composer_meta"`
 }
 
 // SubmissionDraftService handles CRUD on submission_drafts and exposes
 // the render/preview/export entry points the handler layer calls.
+//
+// The Composer wiring (t-paliad-313, Slice A): bases + sections are
+// optional — when nil the service stays back-compat with the v1 shape
+// (drafts created without a base_id, no section rows). When wired, new
+// drafts created via Create get base_id seeded from the firm default
+// and submission_sections rows inserted from the base's section spec.
 type SubmissionDraftService struct {
 	db       *sqlx.DB
 	projects *ProjectService
 	vars     *SubmissionVarsService
 	renderer *SubmissionRenderer
+
+	// bases + sections are optional Composer wiring (t-paliad-313).
+	// Nil means "stay back-compat with the v1 shape" — new drafts
+	// keep base_id NULL and no submission_sections rows get seeded.
+	bases    *BaseService
+	sections *SectionService
+
+	// firmName captures branding.Name at construction time. Used to
+	// resolve the firm-default base in Create. Empty string is
+	// allowed (treated as "no firm filter" at base-lookup time).
+	firmName string
 }
 
 // NewSubmissionDraftService wires the service.
@@ -91,6 +121,19 @@ func NewSubmissionDraftService(db *sqlx.DB, projects *ProjectService, vars *Subm
 	}
 }
 
+// AttachComposer wires the Composer-side services. Called by
+// cmd/server/main.go after constructing the base + section services.
+// firm is branding.Name (typically "HLC"); empty string disables the
+// firm filter at default-base lookup.
+//
+// Calling AttachComposer is purely additive — drafts created before the
+// call (or with bases==nil) keep the v1 behaviour. Idempotent.
+func (s *SubmissionDraftService) AttachComposer(bases *BaseService, sections *SectionService, firm string) {
+	s.bases = bases
+	s.sections = sections
+	s.firmName = firm
+}
+
 // DraftPatch carries optional fields for Update. nil pointer = "no
 // change"; non-nil = "set to this". Variables is replace-semantics —
 // the lawyer's sidebar sends the full map every save.
@@ -117,6 +160,16 @@ type DraftPatch struct {
 	// Language sets the output language. Valid values: "de", "en".
 	// Anything else returns ErrInvalidInput. t-paliad-276.
 	Language *string
+
+	// BaseID swaps the Composer base. Two-level pointer mirrors the
+	// ProjectID shape so callers can encode the three operations:
+	//   nil          → no change
+	//   *p == nil    → clear (set base_id NULL, return to v1 fallback)
+	//   **p          → set to the picked base
+	// Slice A: lawyer flips this from the sidebar picker. Section
+	// content is unaffected — the base swap is render-side only.
+	// t-paliad-313.
+	BaseID **uuid.UUID
 }
 
 // ErrSubmissionDraftNotFound is the sentinel for "no draft with that id
@@ -133,6 +186,7 @@ const draftColumns = `id, project_id, submission_code, user_id, name, language,
                       variables, selected_parties,
                       last_exported_at, last_exported_sha,
                       last_imported_at,
+                      base_id, composer_meta,
                       created_at, updated_at`
 
 // List returns every draft for (project, submission_code, user)
@@ -185,6 +239,7 @@ func (s *SubmissionDraftService) ListAllForUser(ctx context.Context, userID uuid
 		`SELECT d.id, d.project_id, d.submission_code, d.user_id, d.name, d.language,
 		        d.variables, d.selected_parties,
 		        d.last_exported_at, d.last_exported_sha, d.last_imported_at,
+		        d.base_id, d.composer_meta,
 		        d.created_at, d.updated_at,
 		        p.title     AS project_title,
 		        p.reference AS project_reference
@@ -279,6 +334,14 @@ func (s *SubmissionDraftService) EnsureLatest(ctx context.Context, userID, proje
 // A nil projectID creates a project-less draft (t-paliad-243); the
 // visibility check is skipped — the caller is the owner and the row is
 // private to them.
+//
+// Composer wiring (t-paliad-313, Slice A): when AttachComposer has
+// been called and a base resolves for the submission_code, the INSERT
+// runs in a transaction alongside SectionService.SeedFromSpec so the
+// new draft and its seeded sections land atomically. If the base
+// lookup fails (catalog empty, no firm match, etc.) the draft still
+// creates with base_id=NULL — Composer is additive, the v1 fallback
+// path remains valid.
 func (s *SubmissionDraftService) Create(ctx context.Context, userID uuid.UUID, projectID *uuid.UUID, submissionCode, lang string) (*SubmissionDraft, error) {
 	if projectID != nil {
 		if _, err := s.projects.GetByID(ctx, userID, *projectID); err != nil {
@@ -294,16 +357,61 @@ func (s *SubmissionDraftService) Create(ctx context.Context, userID uuid.UUID, p
 	// Anything other than "en" normalizes to "de" — matches the DB CHECK
 	// constraint and the project's primary-language default.
 	draftLang := normalizeDraftLanguage(lang)
+
+	// Resolve the Composer base for this draft. nil result keeps the
+	// draft v1-shaped (base_id NULL, no sections rows).
+	var baseToSeed *SubmissionBase
+	if s.bases != nil {
+		base, err := s.bases.GetDefaultForCode(ctx, s.firmName, submissionCode)
+		switch {
+		case err == nil:
+			baseToSeed = base
+		case errors.Is(err, ErrBaseNotFound):
+			// Catalog empty / no match — fall through to v1 shape.
+		default:
+			return nil, err
+		}
+	}
+
+	tx, err := s.db.BeginTxx(ctx, nil)
+	if err != nil {
+		return nil, fmt.Errorf("begin create submission draft tx: %w", err)
+	}
+	committed := false
+	defer func() {
+		if !committed {
+			_ = tx.Rollback()
+		}
+	}()
+
+	var baseID *uuid.UUID
+	if baseToSeed != nil {
+		id := baseToSeed.ID
+		baseID = &id
+	}
+
 	var d SubmissionDraft
-	err = s.db.GetContext(ctx, &d,
+	err = tx.GetContext(ctx, &d,
 		`INSERT INTO paliad.submission_drafts
-		     (project_id, submission_code, user_id, name, language)
-		 VALUES ($1, $2, $3, $4, $5)
+		     (project_id, submission_code, user_id, name, language, base_id)
+		 VALUES ($1, $2, $3, $4, $5, $6)
 		 RETURNING `+draftColumns,
-		projectID, submissionCode, userID, name, draftLang)
+		projectID, submissionCode, userID, name, draftLang, baseID)
 	if err != nil {
 		return nil, fmt.Errorf("create submission draft: %w", err)
 	}
+
+	if baseToSeed != nil && s.sections != nil {
+		if err := s.sections.SeedFromSpec(ctx, tx, d.ID, baseToSeed.SectionSpec); err != nil {
+			return nil, err
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return nil, fmt.Errorf("commit create submission draft tx: %w", err)
+	}
+	committed = true
+
 	if err := d.decode(); err != nil {
 		return nil, err
 	}
@@ -446,6 +554,18 @@ func (s *SubmissionDraftService) Update(ctx context.Context, userID, draftID uui
 		idx++
 	}
 
+	if patch.BaseID != nil {
+		newBID := *patch.BaseID // *uuid.UUID — nil means clear
+		if newBID != nil && s.bases != nil {
+			// Validate the picked base exists + is active.
+			if _, err := s.bases.GetByID(ctx, *newBID); err != nil {
+				return nil, err
+			}
+		}
+		setParts = append(setParts, fmt.Sprintf("base_id = $%d", idx))
+		args = append(args, newBID)
+		idx++
+	}
 
 	if len(setParts) == 0 {
 		return existing, nil
@@ -682,14 +802,32 @@ func (s *SubmissionDraftService) RenderProjectSubmission(ctx context.Context, us
 	return out, resolved, nil
 }
 
-// decode fills the parsed views (Variables, SelectedParties) from the
-// raw scan fields. Called by every fetch path so the caller sees both
-// populated together.
+// decode fills the parsed views (Variables, SelectedParties,
+// ComposerMeta) from the raw scan fields. Called by every fetch path
+// so the caller sees them populated together.
 func (d *SubmissionDraft) decode() error {
 	if err := d.decodeVariables(); err != nil {
 		return err
 	}
-	return d.decodeSelectedParties()
+	if err := d.decodeSelectedParties(); err != nil {
+		return err
+	}
+	return d.decodeComposerMeta()
+}
+
+// decodeComposerMeta turns the raw composer_meta jsonb into a
+// map[string]any. NULL or empty payload yields an empty map.
+func (d *SubmissionDraft) decodeComposerMeta() error {
+	if len(d.ComposerMetaRaw) == 0 {
+		d.ComposerMeta = map[string]any{}
+		return nil
+	}
+	out := map[string]any{}
+	if err := json.Unmarshal(d.ComposerMetaRaw, &out); err != nil {
+		return fmt.Errorf("decode submission draft composer_meta: %w", err)
+	}
+	d.ComposerMeta = out
+	return nil
 }
 
 // decodeVariables turns the raw jsonb bytes into the PlaceholderMap.

internal/services/submission_md.go

@@ -0,0 +1,239 @@
+package services
+
+// Markdown → OOXML walker for Composer section content (t-paliad-313
+// Slice B, design doc §9.2).
+//
+// Scope per the head's Slice B brief: paragraphs + inline bold/italic
+// only. Headings, lists, blockquote, links land in Slice D's rich-prose
+// pass. This walker is intentionally minimal — every Markdown construct
+// it doesn't recognise is rendered as a plain paragraph so the lawyer's
+// prose round-trips losslessly even when they hit Markdown the walker
+// doesn't yet understand.
+//
+// The output uses the base's stylemap.paragraph entry for the
+// <w:pStyle> on each paragraph so the styling matches the base's
+// typography (HLpat-Body-B0 on the HLC base, Normal on the neutral
+// base, etc.).
+//
+// Placeholders ({{path.dot.notation}}) are preserved verbatim — they
+// pass through the walker untouched and get substituted by the v1
+// SubmissionRenderer's placeholder pass after the composer assembly.
+//
+// Grammar supported:
+//
+//   - Blank line          → paragraph break
+//   - `**bold**`          → <w:r><w:rPr><w:b/></w:rPr><w:t>…</w:t></w:r>
+//   - `*italic*` or `_italic_` → <w:r><w:rPr><w:i/></w:rPr>…</w:r>
+//   - Otherwise           → plain text run
+
+import (
+	"strings"
+)
+
+// RenderMarkdownToOOXML renders the given Markdown source into OOXML
+// paragraph elements (`<w:p>…</w:p>`), suitable for splicing into a
+// .docx body. Each paragraph carries `<w:pStyle w:val="<paragraphStyle>"/>`
+// when paragraphStyle is non-empty.
+//
+// Empty input renders one empty paragraph so the splice site is
+// well-formed even when the lawyer hasn't typed anything in this
+// section.
+func RenderMarkdownToOOXML(md, paragraphStyle string) string {
+	if md == "" {
+		return emptyParagraph(paragraphStyle)
+	}
+	paragraphs := splitMarkdownParagraphs(md)
+	if len(paragraphs) == 0 {
+		return emptyParagraph(paragraphStyle)
+	}
+	var b strings.Builder
+	for _, para := range paragraphs {
+		b.WriteString(renderParagraph(para, paragraphStyle))
+	}
+	return b.String()
+}
+
+// splitMarkdownParagraphs splits the source into paragraphs. A
+// "paragraph" is a maximal run of non-blank lines. N consecutive blank
+// lines between two paragraphs produce (N-1) empty paragraphs in the
+// output so the lawyer's intentional vertical spacing survives.
+//
+// CRLF line endings normalise to LF before splitting.
+func splitMarkdownParagraphs(md string) []string {
+	normalised := strings.ReplaceAll(md, "\r\n", "\n")
+	lines := strings.Split(normalised, "\n")
+	var paragraphs []string
+	var current []string
+	blankRun := 0
+	flushParagraph := func() {
+		if len(current) > 0 {
+			paragraphs = append(paragraphs, strings.Join(current, "\n"))
+			current = nil
+		}
+	}
+	for _, line := range lines {
+		if strings.TrimSpace(line) == "" {
+			if len(current) > 0 {
+				// End of a paragraph; the blank-counting starts now.
+				flushParagraph()
+				blankRun = 1
+				continue
+			}
+			// Already inside a blank run (or before the first paragraph).
+			blankRun++
+			continue
+		}
+		// Starting a new paragraph — emit (blankRun-1) empty paragraphs
+		// in between if the lawyer used multiple blank lines as
+		// vertical spacing.
+		for i := 1; i < blankRun; i++ {
+			paragraphs = append(paragraphs, "")
+		}
+		blankRun = 0
+		current = append(current, line)
+	}
+	flushParagraph()
+	return paragraphs
+}
+
+// renderParagraph emits one `<w:p>` element for the given paragraph
+// text. Inline bold/italic spans become `<w:r>` runs with the
+// corresponding `<w:rPr>`.
+func renderParagraph(text, paragraphStyle string) string {
+	var b strings.Builder
+	b.WriteString(`<w:p>`)
+	if paragraphStyle != "" {
+		b.WriteString(`<w:pPr><w:pStyle w:val="`)
+		b.WriteString(xmlAttrEscape(paragraphStyle))
+		b.WriteString(`"/></w:pPr>`)
+	}
+	if text == "" {
+		// Empty paragraph — emit a single empty run so Word renders the
+		// paragraph as a blank line. Without the run, some Word
+		// versions collapse the paragraph entirely.
+		b.WriteString(`<w:r><w:t xml:space="preserve"></w:t></w:r>`)
+		b.WriteString(`</w:p>`)
+		return b.String()
+	}
+	for _, span := range parseInlineSpans(text) {
+		b.WriteString(renderRun(span))
+	}
+	b.WriteString(`</w:p>`)
+	return b.String()
+}
+
+// inlineSpan is one piece of inline content: a text payload plus
+// formatting flags. Bold and italic are independent — `***both***`
+// produces one span with both flags set.
+type inlineSpan struct {
+	Text   string
+	Bold   bool
+	Italic bool
+}
+
+// parseInlineSpans tokenises Markdown inline formatting into runs of
+// (text, bold, italic). The grammar is intentionally narrow:
+//
+//   - `**…**` → bold
+//   - `__…__` → bold (Markdown alternate)
+//   - `*…*`   → italic
+//   - `_…_`   → italic (Markdown alternate)
+//   - Anything else flows through as plain text.
+//
+// Unbalanced delimiters fall through as literal characters — the
+// walker never errors on malformed Markdown. Nested formatting (e.g.
+// `**bold *bold-italic* bold**`) toggles flags as it walks.
+func parseInlineSpans(text string) []inlineSpan {
+	var out []inlineSpan
+	var cur strings.Builder
+	bold := false
+	italic := false
+	flush := func() {
+		if cur.Len() == 0 {
+			return
+		}
+		out = append(out, inlineSpan{Text: cur.String(), Bold: bold, Italic: italic})
+		cur.Reset()
+	}
+	i := 0
+	n := len(text)
+	for i < n {
+		// Bold delimiters first (longer match wins over italic).
+		if i+1 < n && (text[i:i+2] == "**" || text[i:i+2] == "__") {
+			flush()
+			bold = !bold
+			i += 2
+			continue
+		}
+		if text[i] == '*' || text[i] == '_' {
+			flush()
+			italic = !italic
+			i++
+			continue
+		}
+		cur.WriteByte(text[i])
+		i++
+	}
+	flush()
+	if len(out) == 0 {
+		out = append(out, inlineSpan{Text: ""})
+	}
+	return out
+}
+
+// renderRun emits one `<w:r>` element for an inline span. Empty text
+// spans render as empty runs (Word accepts them; they're harmless).
+func renderRun(span inlineSpan) string {
+	var b strings.Builder
+	b.WriteString(`<w:r>`)
+	if span.Bold || span.Italic {
+		b.WriteString(`<w:rPr>`)
+		if span.Bold {
+			b.WriteString(`<w:b/>`)
+		}
+		if span.Italic {
+			b.WriteString(`<w:i/>`)
+		}
+		b.WriteString(`</w:rPr>`)
+	}
+	b.WriteString(`<w:t xml:space="preserve">`)
+	b.WriteString(xmlTextEscape(span.Text))
+	b.WriteString(`</w:t></w:r>`)
+	return b.String()
+}
+
+// emptyParagraph returns one empty `<w:p>` with the given style. Used
+// when a section's content_md is empty so the splice site stays
+// well-formed.
+func emptyParagraph(paragraphStyle string) string {
+	var b strings.Builder
+	b.WriteString(`<w:p>`)
+	if paragraphStyle != "" {
+		b.WriteString(`<w:pPr><w:pStyle w:val="`)
+		b.WriteString(xmlAttrEscape(paragraphStyle))
+		b.WriteString(`"/></w:pPr>`)
+	}
+	b.WriteString(`<w:r><w:t xml:space="preserve"></w:t></w:r></w:p>`)
+	return b.String()
+}
+
+// xmlTextEscape escapes the five XML-significant characters for safe
+// insertion into <w:t> content. & first to avoid double-encoding.
+func xmlTextEscape(s string) string {
+	s = strings.ReplaceAll(s, "&", "&amp;")
+	s = strings.ReplaceAll(s, "<", "&lt;")
+	s = strings.ReplaceAll(s, ">", "&gt;")
+	// Quotes and apostrophes are legal inside element text content;
+	// no need to escape them here.
+	return s
+}
+
+// xmlAttrEscape escapes for safe insertion into an attribute value
+// (e.g. `<w:pStyle w:val="…"/>`).
+func xmlAttrEscape(s string) string {
+	s = strings.ReplaceAll(s, "&", "&amp;")
+	s = strings.ReplaceAll(s, "<", "&lt;")
+	s = strings.ReplaceAll(s, ">", "&gt;")
+	s = strings.ReplaceAll(s, `"`, "&quot;")
+	return s
+}

internal/services/submission_md_test.go

@@ -0,0 +1,146 @@
+package services
+
+// Unit tests for the Composer's Markdown → OOXML walker (t-paliad-313
+// Slice B). Pure function; no DB dependency.
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestRenderMarkdownToOOXML_EmptyInput(t *testing.T) {
+	out := RenderMarkdownToOOXML("", "Normal")
+	if !strings.Contains(out, `<w:p>`) {
+		t.Errorf("empty input must still emit one <w:p>; got %q", out)
+	}
+	if !strings.Contains(out, `<w:pStyle w:val="Normal"/>`) {
+		t.Errorf("empty input must carry the paragraph style; got %q", out)
+	}
+}
+
+func TestRenderMarkdownToOOXML_SingleParagraph(t *testing.T) {
+	out := RenderMarkdownToOOXML("Hello world", "HLpat-Body-B0")
+	if !strings.Contains(out, `<w:pStyle w:val="HLpat-Body-B0"/>`) {
+		t.Errorf("paragraph missing stylemap entry: %q", out)
+	}
+	if !strings.Contains(out, "Hello world") {
+		t.Errorf("paragraph text missing: %q", out)
+	}
+	// Exactly one <w:p>.
+	if got := strings.Count(out, "<w:p>"); got != 1 {
+		t.Errorf("expected 1 <w:p>; got %d", got)
+	}
+}
+
+func TestRenderMarkdownToOOXML_TwoParagraphs(t *testing.T) {
+	out := RenderMarkdownToOOXML("first\n\nsecond", "Normal")
+	if got := strings.Count(out, "<w:p>"); got != 2 {
+		t.Errorf("expected 2 <w:p>; got %d, out=%q", got, out)
+	}
+	if !strings.Contains(out, "first") || !strings.Contains(out, "second") {
+		t.Errorf("paragraph text missing: %q", out)
+	}
+}
+
+func TestRenderMarkdownToOOXML_BoldInline(t *testing.T) {
+	out := RenderMarkdownToOOXML("hello **bold** world", "")
+	if !strings.Contains(out, `<w:rPr><w:b/></w:rPr>`) {
+		t.Errorf("bold rPr missing: %q", out)
+	}
+	if !strings.Contains(out, ">bold<") {
+		t.Errorf("bold text payload missing: %q", out)
+	}
+	// The surrounding "hello " and " world" pieces are separate runs;
+	// the bold rPr should appear exactly once in this output.
+	if got := strings.Count(out, "<w:b/>"); got != 1 {
+		t.Errorf("expected exactly one <w:b/> tag; got %d in %q", got, out)
+	}
+}
+
+func TestRenderMarkdownToOOXML_ItalicInline(t *testing.T) {
+	out := RenderMarkdownToOOXML("see *italic* here", "")
+	if !strings.Contains(out, `<w:rPr><w:i/></w:rPr>`) {
+		t.Errorf("italic rPr missing: %q", out)
+	}
+	if !strings.Contains(out, ">italic<") {
+		t.Errorf("italic text payload missing: %q", out)
+	}
+}
+
+func TestRenderMarkdownToOOXML_BoldItalicCombo(t *testing.T) {
+	// Nested: ***both*** → entering both flags. The walker toggles each
+	// delimiter independently, so the resulting run carries both <w:b/>
+	// and <w:i/>.
+	out := RenderMarkdownToOOXML("***both***", "")
+	if !strings.Contains(out, `<w:b/>`) || !strings.Contains(out, `<w:i/>`) {
+		t.Errorf("expected both <w:b/> and <w:i/>; got %q", out)
+	}
+}
+
+func TestRenderMarkdownToOOXML_PlaceholdersPassThrough(t *testing.T) {
+	// Placeholders are sacred — the walker must preserve them verbatim
+	// so the v1 placeholder pass can substitute them later.
+	out := RenderMarkdownToOOXML("Sehr geehrter {{parties.claimant.0.name}}", "Normal")
+	if !strings.Contains(out, "{{parties.claimant.0.name}}") {
+		t.Errorf("placeholder corrupted: %q", out)
+	}
+}
+
+func TestRenderMarkdownToOOXML_XMLEscape(t *testing.T) {
+	out := RenderMarkdownToOOXML("a & b < c > d", "")
+	if strings.Contains(out, " & ") {
+		t.Errorf("unescaped & survived: %q", out)
+	}
+	if !strings.Contains(out, "&amp;") || !strings.Contains(out, "&lt;") || !strings.Contains(out, "&gt;") {
+		t.Errorf("expected escaped entities; got %q", out)
+	}
+}
+
+func TestRenderMarkdownToOOXML_BlankLinesPreserveSpacing(t *testing.T) {
+	// Two blank lines between paragraphs → one empty paragraph in
+	// between, preserving the lawyer's intentional whitespace.
+	out := RenderMarkdownToOOXML("first\n\n\nsecond", "Normal")
+	if got := strings.Count(out, "<w:p>"); got != 3 {
+		t.Errorf("expected 3 <w:p> (first + blank + second); got %d in %q", got, out)
+	}
+}
+
+func TestRenderMarkdownToOOXML_CRLFNormalisation(t *testing.T) {
+	out := RenderMarkdownToOOXML("first\r\n\r\nsecond", "")
+	if got := strings.Count(out, "<w:p>"); got != 2 {
+		t.Errorf("CRLF input should produce 2 paragraphs; got %d in %q", got, out)
+	}
+}
+
+func TestParseInlineSpans_Plain(t *testing.T) {
+	spans := parseInlineSpans("hello world")
+	if len(spans) != 1 || spans[0].Bold || spans[0].Italic || spans[0].Text != "hello world" {
+		t.Errorf("expected single plain span; got %+v", spans)
+	}
+}
+
+func TestParseInlineSpans_UnderscoreItalic(t *testing.T) {
+	spans := parseInlineSpans("_emph_")
+	var italicHits int
+	for _, s := range spans {
+		if s.Italic && s.Text == "emph" {
+			italicHits++
+		}
+	}
+	if italicHits != 1 {
+		t.Errorf("expected one italic 'emph' span; got %+v", spans)
+	}
+}
+
+func TestParseInlineSpans_UnderscoreBold(t *testing.T) {
+	spans := parseInlineSpans("__strong__")
+	var boldHits int
+	for _, s := range spans {
+		if s.Bold && s.Text == "strong" {
+			boldHits++
+		}
+	}
+	if boldHits != 1 {
+		t.Errorf("expected one bold 'strong' span; got %+v", spans)
+	}
+}

internal/services/submission_section_service.go

@@ -0,0 +1,213 @@
+package services
+
+// Submission section service — Composer Slice A (t-paliad-313, design
+// doc docs/design-submission-generator-v2-2026-05-26.md §4.3 + §6).
+//
+// Each row in paliad.submission_sections is one ordered, named block
+// inside a Composer draft. Slice A seeds rows on draft create from the
+// base's section_spec.defaults and exposes them read-only for the
+// editor's section-list pane. Slice B turns them editable, Slice F
+// adds reorder/hide/add-custom.
+//
+// Visibility flows through draft_id → submission_drafts → owner-scoped
+// + can_see_project (RLS in mig 148 mirrors the four-policy shape on
+// submission_drafts). Service calls go through SubmissionDraftService
+// for the visibility gate before touching this table.
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+)
+
+// SubmissionSection mirrors a row in paliad.submission_sections.
+type SubmissionSection struct {
+	ID           uuid.UUID `db:"id"             json:"id"`
+	DraftID      uuid.UUID `db:"draft_id"       json:"draft_id"`
+	SectionKey   string    `db:"section_key"    json:"section_key"`
+	OrderIndex   int       `db:"order_index"    json:"order_index"`
+	Kind         string    `db:"kind"           json:"kind"`
+	LabelDE      string    `db:"label_de"       json:"label_de"`
+	LabelEN      string    `db:"label_en"       json:"label_en"`
+	Included     bool      `db:"included"       json:"included"`
+	ContentMDDE  string    `db:"content_md_de"  json:"content_md_de"`
+	ContentMDEN  string    `db:"content_md_en"  json:"content_md_en"`
+	CreatedAt    time.Time `db:"created_at"     json:"created_at"`
+	UpdatedAt    time.Time `db:"updated_at"     json:"updated_at"`
+}
+
+// SectionService handles per-draft section rows. Slice A: read + seed
+// only. Editable mutations land in Slice B's brief.
+type SectionService struct {
+	db *sqlx.DB
+}
+
+// NewSectionService wires the service.
+func NewSectionService(db *sqlx.DB) *SectionService {
+	return &SectionService{db: db}
+}
+
+// ErrSubmissionSectionNotFound is the sentinel for "no section with
+// that id visible to this user".
+var ErrSubmissionSectionNotFound = errors.New("submission section: not found")
+
+const sectionColumns = `id, draft_id, section_key, order_index, kind,
+                        label_de, label_en, included,
+                        content_md_de, content_md_en,
+                        created_at, updated_at`
+
+// ListForDraft returns every section row for a draft, ordered by
+// order_index ASC. Caller is responsible for the visibility gate
+// (SubmissionDraftService.Get returns ErrSubmissionDraftNotFound for
+// un-visible drafts, which the handler maps to 404). RLS in mig 148
+// additionally enforces owner-scope at the DB layer.
+func (s *SectionService) ListForDraft(ctx context.Context, draftID uuid.UUID) ([]SubmissionSection, error) {
+	var rows []SubmissionSection
+	err := s.db.SelectContext(ctx, &rows,
+		`SELECT `+sectionColumns+`
+		   FROM paliad.submission_sections
+		  WHERE draft_id = $1
+		  ORDER BY order_index ASC`,
+		draftID)
+	if err != nil {
+		return nil, fmt.Errorf("list submission sections: %w", err)
+	}
+	return rows, nil
+}
+
+// Get returns one section by id. Visibility gate is the caller's
+// responsibility — Slice A handlers wrap this with a SubmissionDraftService.Get
+// to enforce owner+can_see_project before exposing the section.
+func (s *SectionService) Get(ctx context.Context, sectionID uuid.UUID) (*SubmissionSection, error) {
+	var sec SubmissionSection
+	err := s.db.GetContext(ctx, &sec,
+		`SELECT `+sectionColumns+`
+		   FROM paliad.submission_sections
+		  WHERE id = $1`,
+		sectionID)
+	if errors.Is(err, sql.ErrNoRows) {
+		return nil, ErrSubmissionSectionNotFound
+	}
+	if err != nil {
+		return nil, fmt.Errorf("get submission section: %w", err)
+	}
+	return &sec, nil
+}
+
+// SectionPatch carries optional fields for an Update call. nil pointer
+// = "no change"; non-nil = "set to this".
+type SectionPatch struct {
+	ContentMDDE *string
+	ContentMDEN *string
+	Included    *bool
+	LabelDE     *string
+	LabelEN     *string
+	OrderIndex  *int
+}
+
+// Update applies a patch to one section row. Visibility is the caller's
+// responsibility — handlers wrap with SubmissionDraftService.Get for
+// owner-scoped checks. The DB-level RLS policy mirrors that check.
+//
+// Returns the refreshed row. ErrSubmissionSectionNotFound when the
+// section doesn't exist or the calling owner can't see it (RLS
+// filters at the SELECT step).
+func (s *SectionService) Update(ctx context.Context, sectionID uuid.UUID, patch SectionPatch) (*SubmissionSection, error) {
+	setParts := []string{}
+	args := []any{}
+	idx := 1
+
+	if patch.ContentMDDE != nil {
+		setParts = append(setParts, fmt.Sprintf("content_md_de = $%d", idx))
+		args = append(args, *patch.ContentMDDE)
+		idx++
+	}
+	if patch.ContentMDEN != nil {
+		setParts = append(setParts, fmt.Sprintf("content_md_en = $%d", idx))
+		args = append(args, *patch.ContentMDEN)
+		idx++
+	}
+	if patch.Included != nil {
+		setParts = append(setParts, fmt.Sprintf("included = $%d", idx))
+		args = append(args, *patch.Included)
+		idx++
+	}
+	if patch.LabelDE != nil {
+		setParts = append(setParts, fmt.Sprintf("label_de = $%d", idx))
+		args = append(args, *patch.LabelDE)
+		idx++
+	}
+	if patch.LabelEN != nil {
+		setParts = append(setParts, fmt.Sprintf("label_en = $%d", idx))
+		args = append(args, *patch.LabelEN)
+		idx++
+	}
+	if patch.OrderIndex != nil {
+		setParts = append(setParts, fmt.Sprintf("order_index = $%d", idx))
+		args = append(args, *patch.OrderIndex)
+		idx++
+	}
+
+	if len(setParts) == 0 {
+		return s.Get(ctx, sectionID)
+	}
+
+	args = append(args, sectionID)
+	q := fmt.Sprintf(
+		`UPDATE paliad.submission_sections
+		    SET %s
+		  WHERE id = $%d
+		  RETURNING `+sectionColumns,
+		strings.Join(setParts, ", "), idx,
+	)
+
+	var sec SubmissionSection
+	err := s.db.GetContext(ctx, &sec, q, args...)
+	if errors.Is(err, sql.ErrNoRows) {
+		return nil, ErrSubmissionSectionNotFound
+	}
+	if err != nil {
+		return nil, fmt.Errorf("update submission section: %w", err)
+	}
+	return &sec, nil
+}
+
+// SeedFromSpec inserts one row per BaseSectionSpec.Default into
+// submission_sections for the given draft. Runs inside the caller's
+// transaction (the SubmissionDraftService.Create path wraps the
+// draft INSERT + section seed in one tx so a failed seed rolls back
+// the draft too).
+//
+// Idempotent at the row level — UNIQUE (draft_id, section_key) returns
+// an error if the seed runs twice for the same draft, which is the
+// desired safety net (we never want to silently double-seed).
+//
+// Per the Q10 ratification: every kind is one of prose | requests |
+// evidence — there is no *_auto kind. Caption/letterhead/signature
+// sections are regular prose rows seeded with bag-driven Markdown.
+func (s *SectionService) SeedFromSpec(ctx context.Context, tx *sqlx.Tx, draftID uuid.UUID, spec BaseSectionSpec) error {
+	if len(spec.Defaults) == 0 {
+		return nil
+	}
+	for _, d := range spec.Defaults {
+		_, err := tx.ExecContext(ctx,
+			`INSERT INTO paliad.submission_sections
+			     (draft_id, section_key, order_index, kind,
+			      label_de, label_en, included,
+			      content_md_de, content_md_en)
+			 VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)`,
+			draftID, d.SectionKey, d.OrderIndex, d.Kind,
+			d.LabelDE, d.LabelEN, d.Included,
+			d.SeedMDDE, d.SeedMDEN)
+		if err != nil {
+			return fmt.Errorf("seed submission section %s: %w", d.SectionKey, err)
+		}
+	}
+	return nil
+}

internal/services/submission_section_service_live_test.go

@@ -0,0 +1,178 @@
+package services
+
+// Live-DB integration tests for the Composer seeding flow (t-paliad-313
+// Slice A). Skipped when TEST_DATABASE_URL is unset, mirroring the
+// other live-DB tests (see cansee_test.go for the bootstrap pattern).
+//
+// Covers:
+//   1. Mig 146 seeded the catalog: hlc-letterhead + neutral both
+//      resolve via GetBySlug and carry 10 section defaults each.
+//   2. BaseService.GetDefaultForCode picks the firm-matched base for a
+//      canonical submission_code (e.g. de.inf.lg.erwidg) — Slice A
+//      contract that drives new-draft seeding.
+//   3. SubmissionDraftService.Create on a fresh draft seeds base_id +
+//      10 submission_sections rows in one transaction, with order_index
+//      ascending and bilingual labels populated.
+
+import (
+	"context"
+	"os"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+	_ "github.com/lib/pq"
+
+	"mgit.msbls.de/m/paliad/internal/db"
+)
+
+func TestComposerSeedFlow(t *testing.T) {
+	url := os.Getenv("TEST_DATABASE_URL")
+	if url == "" {
+		t.Skip("TEST_DATABASE_URL not set — skipping live DB test")
+	}
+	if err := db.ApplyMigrations(url); err != nil {
+		t.Fatalf("apply migrations: %v", err)
+	}
+	pool, err := sqlx.Connect("postgres", url)
+	if err != nil {
+		t.Fatalf("connect: %v", err)
+	}
+	defer pool.Close()
+
+	ctx := context.Background()
+
+	bases := NewBaseService(pool)
+
+	t.Run("seed catalog: hlc-letterhead has 10 default sections", func(t *testing.T) {
+		b, err := bases.GetBySlug(ctx, "hlc-letterhead")
+		if err != nil {
+			t.Fatalf("GetBySlug(hlc-letterhead): %v", err)
+		}
+		if got := len(b.SectionSpec.Defaults); got != 10 {
+			t.Errorf("len(Defaults) = %d; want 10", got)
+		}
+		if b.SectionSpec.Stylemap["heading_1"] != "HLpat-Heading-H1" {
+			t.Errorf("Stylemap[heading_1] = %q; want HLpat-Heading-H1", b.SectionSpec.Stylemap["heading_1"])
+		}
+		// Verify the section order is strictly ascending.
+		prev := 0
+		for _, d := range b.SectionSpec.Defaults {
+			if d.OrderIndex <= prev {
+				t.Errorf("non-ascending order_index: %d (prev=%d) at %s", d.OrderIndex, prev, d.SectionKey)
+			}
+			prev = d.OrderIndex
+		}
+	})
+
+	t.Run("seed catalog: neutral exists with universal stylemap", func(t *testing.T) {
+		b, err := bases.GetBySlug(ctx, "neutral")
+		if err != nil {
+			t.Fatalf("GetBySlug(neutral): %v", err)
+		}
+		if b.SectionSpec.Stylemap["heading_1"] != "Heading 1" {
+			t.Errorf("neutral Stylemap[heading_1] = %q; want \"Heading 1\"", b.SectionSpec.Stylemap["heading_1"])
+		}
+	})
+
+	t.Run("GetDefaultForCode firm match", func(t *testing.T) {
+		// HLC + de.inf.lg.erwidg → hlc-letterhead (firm-matched).
+		b, err := bases.GetDefaultForCode(ctx, "HLC", "de.inf.lg.erwidg")
+		if err != nil {
+			t.Fatalf("GetDefaultForCode HLC: %v", err)
+		}
+		if b.Slug != "hlc-letterhead" {
+			t.Errorf("Slug = %q; want hlc-letterhead", b.Slug)
+		}
+	})
+
+	t.Run("GetDefaultForCode falls back to neutral when no firm hint", func(t *testing.T) {
+		b, err := bases.GetDefaultForCode(ctx, "", "de.inf.lg.erwidg")
+		if err != nil {
+			t.Fatalf("GetDefaultForCode no-firm: %v", err)
+		}
+		// Without a firm hint, the fallback chain skips firm-matched
+		// queries and lands on the firm-NULL neutral base.
+		if b.Slug != "neutral" {
+			t.Errorf("Slug = %q; want neutral (firm-NULL fallback)", b.Slug)
+		}
+	})
+
+	// Section seeding via SubmissionDraftService.Create — exercises the
+	// transactional INSERT path. Requires a real auth.users + paliad.users
+	// row because submission_drafts.user_id is FK-constrained.
+	t.Run("SubmissionDraftService.Create seeds 10 section rows", func(t *testing.T) {
+		userID := uuid.New()
+		cleanup := func() {
+			pool.ExecContext(ctx, `DELETE FROM paliad.submission_sections WHERE draft_id IN (SELECT id FROM paliad.submission_drafts WHERE user_id = $1)`, userID)
+			pool.ExecContext(ctx, `DELETE FROM paliad.submission_drafts   WHERE user_id = $1`, userID)
+			pool.ExecContext(ctx, `DELETE FROM paliad.users               WHERE id = $1`, userID)
+			pool.ExecContext(ctx, `DELETE FROM auth.users                 WHERE id = $1`, userID)
+		}
+		cleanup()
+		defer cleanup()
+
+		email := "composer-seed-" + userID.String()[:8] + "@hlc.com"
+		if _, err := pool.ExecContext(ctx, `INSERT INTO auth.users (id, email) VALUES ($1, $2)`, userID, email); err != nil {
+			t.Fatalf("seed auth.users: %v", err)
+		}
+		if _, err := pool.ExecContext(ctx,
+			`INSERT INTO paliad.users (id, email, display_name, office, global_role, lang)
+			 VALUES ($1, $2, 'Composer Seed', 'munich', 'standard', 'de')`,
+			userID, email); err != nil {
+			t.Fatalf("seed paliad.users: %v", err)
+		}
+
+		users := NewUserService(pool)
+		projects := NewProjectService(pool, users)
+		parties := NewPartyService(pool, projects)
+		vars := NewSubmissionVarsService(pool, projects, parties, users)
+		renderer := NewSubmissionRenderer()
+		drafts := NewSubmissionDraftService(pool, projects, vars, renderer)
+		sections := NewSectionService(pool)
+		drafts.AttachComposer(bases, sections, "HLC")
+
+		d, err := drafts.Create(ctx, userID, nil, "de.inf.lg.erwidg", "de")
+		if err != nil {
+			t.Fatalf("Create: %v", err)
+		}
+		if d.BaseID == nil {
+			t.Fatalf("BaseID = nil; want seeded base reference")
+		}
+		// hlc-letterhead is the firm default for HLC.
+		base, _ := bases.GetByID(ctx, *d.BaseID)
+		if base == nil || base.Slug != "hlc-letterhead" {
+			t.Errorf("seeded base slug = %v; want hlc-letterhead", base)
+		}
+
+		secs, err := sections.ListForDraft(ctx, d.ID)
+		if err != nil {
+			t.Fatalf("ListForDraft: %v", err)
+		}
+		if len(secs) != 10 {
+			t.Errorf("section count = %d; want 10", len(secs))
+		}
+		// Verify section_key set + bilingual labels populated.
+		wantKeys := map[string]bool{
+			"letterhead": false, "caption": false, "introduction": false,
+			"requests": false, "facts": false, "legal_argument": false,
+			"evidence": false, "exhibits": false, "closing": false, "signature": false,
+		}
+		prev := 0
+		for _, sec := range secs {
+			wantKeys[sec.SectionKey] = true
+			if sec.OrderIndex <= prev {
+				t.Errorf("non-ascending order_index: %d (prev=%d) at %s", sec.OrderIndex, prev, sec.SectionKey)
+			}
+			prev = sec.OrderIndex
+			if sec.LabelDE == "" || sec.LabelEN == "" {
+				t.Errorf("section %s missing bilingual label: de=%q en=%q", sec.SectionKey, sec.LabelDE, sec.LabelEN)
+			}
+		}
+		for k, seen := range wantKeys {
+			if !seen {
+				t.Errorf("missing seeded section_key: %s", k)
+			}
+		}
+	})
+}

internal/services/submission_vars.go

@@ -243,7 +243,7 @@ func (s *SubmissionVarsService) loadPublishedRule(ctx context.Context, submissio
 	var rule models.DeadlineRule
 	err := s.db.GetContext(ctx, &rule,
 		`SELECT `+ruleColumns+`
-		   FROM paliad.deadline_rules
+		   FROM paliad.deadline_rules_unified
 		  WHERE submission_code = $1
 		    AND lifecycle_state = 'published'
 		    AND is_active = true

pkg/litigationplanner/appeal_role.go

@@ -0,0 +1,58 @@
+package litigationplanner
+
+// AppealRole* are the canonical filer-role slugs used by the unified
+// upc.apl Berufung proceeding (t-paliad-307 / m/paliad#136 Bug 1).
+//
+// Every appeal filing rule carries primary_party='both' in the catalog
+// (either party could be the appellant, depending on which side lost
+// downstream), so the static primary_party column can't drive
+// column-bucketing under a user-perspective `?side=` pick. The
+// per-rule appeal role fills that gap: "appellant" rules are filed by
+// the Berufungskläger (the party who lost in the lower instance and
+// is now appealing); "appellee" rules are filed by the
+// Berufungsbeklagter (the party defending the lower-instance
+// decision). The mapping is rule-semantic, not data-driven — we know
+// from R.224/235 which submission belongs to which side.
+const (
+	AppealRoleAppellant = "appellant"
+	AppealRoleAppellee  = "appellee"
+)
+
+// AppealFilerRole returns the appeal-filer role for a submission code
+// in the unified upc.apl proceeding. Empty string for codes whose role
+// is not statically known (court-issued events, unmapped codes, or
+// non-appeal proceedings).
+//
+// The engine stamps TimelineEntry.AppealRole with this value when
+// CalcOptions.AppealTarget is set so the frontend column-bucketer can
+// route each "both"-party rule into the correct user-perspective
+// column (Berufungskläger vs Berufungsbeklagter) once the user picks
+// a side.
+//
+// Adding a new appeal rule? Add its submission_code to the matching
+// branch below. Court-issued events (cost.decision, order.order,
+// merits.oral, merits.decision) deliberately stay empty — they route
+// to the court column on primary_party='court'.
+func AppealFilerRole(submissionCode string) string {
+	switch submissionCode {
+	// Appellant filings — Berufungskläger initiates the appeal +
+	// replies to the cross-appeal.
+	case "upc.apl.merits.notice",
+		"upc.apl.merits.grounds",
+		"upc.apl.merits.cross_a_reply",
+		"upc.apl.cost.leave_app",
+		"upc.apl.order.with_leave",
+		"upc.apl.order.grounds_orders",
+		"upc.apl.order.discretion",
+		"upc.apl.order.cross_reply":
+		return AppealRoleAppellant
+	// Appellee filings — Berufungsbeklagter responds to the appeal +
+	// files the cross-appeal.
+	case "upc.apl.merits.response",
+		"upc.apl.merits.cross_a",
+		"upc.apl.order.response_orders",
+		"upc.apl.order.cross":
+		return AppealRoleAppellee
+	}
+	return ""
+}

pkg/litigationplanner/appeal_role_test.go

@@ -0,0 +1,192 @@
+package litigationplanner
+
+import (
+	"context"
+	"testing"
+
+	"github.com/google/uuid"
+)
+
+// TestAppealFilerRole pins the rule-semantic mapping that drives
+// column-bucketing on the unified upc.apl Berufung timeline
+// (t-paliad-307 / m/paliad#136 Bug 1). Every appeal filing rule has
+// primary_party='both' in the catalog so the bucketer can't decide
+// between Berufungskläger and Berufungsbeklagter columns from
+// primary_party alone — the appeal role fills that gap.
+func TestAppealFilerRole(t *testing.T) {
+	cases := []struct {
+		code string
+		want string
+	}{
+		// Appellant filings (Berufungskläger initiates / replies to cross).
+		{"upc.apl.merits.notice", AppealRoleAppellant},
+		{"upc.apl.merits.grounds", AppealRoleAppellant},
+		{"upc.apl.merits.cross_a_reply", AppealRoleAppellant},
+		{"upc.apl.cost.leave_app", AppealRoleAppellant},
+		{"upc.apl.order.with_leave", AppealRoleAppellant},
+		{"upc.apl.order.grounds_orders", AppealRoleAppellant},
+		{"upc.apl.order.discretion", AppealRoleAppellant},
+		{"upc.apl.order.cross_reply", AppealRoleAppellant},
+		// Appellee filings (Berufungsbeklagter responds + cross-appeals).
+		{"upc.apl.merits.response", AppealRoleAppellee},
+		{"upc.apl.merits.cross_a", AppealRoleAppellee},
+		{"upc.apl.order.response_orders", AppealRoleAppellee},
+		{"upc.apl.order.cross", AppealRoleAppellee},
+		// Court-issued events stay empty — they route on party='court'.
+		{"upc.apl.merits.decision", ""},
+		{"upc.apl.merits.oral", ""},
+		{"upc.apl.cost.decision", ""},
+		{"upc.apl.order.order", ""},
+		// Unmapped codes are empty (defensive — never silently picks a
+		// side for a new appeal rule we forgot to map).
+		{"upc.inf.cfi.soc", ""},
+		{"", ""},
+		{"foo.bar", ""},
+	}
+	for _, c := range cases {
+		if got := AppealFilerRole(c.code); got != c.want {
+			t.Errorf("AppealFilerRole(%q) = %q, want %q", c.code, got, c.want)
+		}
+	}
+}
+
+// TestCalculate_AppealSyntheticTriggerRow exercises the synthetic root
+// row the engine prepends when CalcOptions.AppealTarget is set
+// (t-paliad-307 / m/paliad#136 Bug 2). The row carries the
+// per-appeal-target label, the trigger date as DueDate, IsRootEvent=
+// IsTriggerEvent=true, and party=court. Without the appeal_target
+// filter, no synthetic row is emitted (regression guard).
+func TestCalculate_AppealSyntheticTriggerRow(t *testing.T) {
+	ctx := context.Background()
+
+	jurisdiction := "UPC"
+	procID := 1
+	pt := ProceedingType{
+		ID:           procID,
+		Code:         "upc.apl.unified",
+		Name:         "Berufung",
+		NameEN:       "Appeal",
+		Jurisdiction: &jurisdiction,
+		IsActive:     true,
+	}
+
+	mkID := func() uuid.UUID {
+		id, _ := uuid.NewRandom()
+		return id
+	}
+	str := func(s string) *string { return &s }
+	procIDPtr := &procID
+
+	noticeCode := "upc.apl.merits.notice"
+	groundsCode := "upc.apl.merits.grounds"
+
+	rules := []Rule{
+		{
+			ID:               mkID(),
+			ProceedingTypeID: procIDPtr,
+			SubmissionCode:   &noticeCode,
+			Name:             "Berufungseinlegung",
+			NameEN:           "Notice of Appeal",
+			PrimaryParty:     str(PrimaryPartyBoth),
+			DurationValue:    2,
+			DurationUnit:     "months",
+			Timing:           str("after"),
+			SequenceOrder:    0,
+			IsActive:         true,
+			LifecycleState:   "published",
+			Priority:         "mandatory",
+			AppliesToTarget:  []string{AppealTargetEndentscheidung, AppealTargetSchadensbemessung},
+		},
+		{
+			ID:               mkID(),
+			ProceedingTypeID: procIDPtr,
+			SubmissionCode:   &groundsCode,
+			Name:             "Berufungsbegründung",
+			NameEN:           "Statement of Grounds",
+			PrimaryParty:     str(PrimaryPartyBoth),
+			DurationValue:    4,
+			DurationUnit:     "months",
+			Timing:           str("after"),
+			SequenceOrder:    1,
+			IsActive:         true,
+			LifecycleState:   "published",
+			Priority:         "mandatory",
+			AppliesToTarget:  []string{AppealTargetEndentscheidung, AppealTargetSchadensbemessung},
+		},
+	}
+
+	cat := &stubCatalog{pt: pt, rules: rules}
+
+	t.Run("with appeal_target — synthetic row prepended + appeal_role stamped", func(t *testing.T) {
+		opts := CalcOptions{AppealTarget: AppealTargetEndentscheidung}
+		timeline, err := Calculate(ctx, "upc.apl.unified", "2026-05-26", opts, cat, noOpHolidays{}, fixedCourts{})
+		if err != nil {
+			t.Fatalf("Calculate: %v", err)
+		}
+		if len(timeline.Deadlines) < 3 {
+			t.Fatalf("expected synthetic row + 2 rules, got %d rows", len(timeline.Deadlines))
+		}
+		// Synthetic row first.
+		first := timeline.Deadlines[0]
+		if !first.IsTriggerEvent {
+			t.Errorf("first row IsTriggerEvent=%v, want true", first.IsTriggerEvent)
+		}
+		if !first.IsRootEvent {
+			t.Errorf("first row IsRootEvent=%v, want true", first.IsRootEvent)
+		}
+		if first.Name != "Endentscheidung (R.118)" {
+			t.Errorf("first row Name=%q, want %q", first.Name, "Endentscheidung (R.118)")
+		}
+		if first.NameEN != "Final decision (R.118)" {
+			t.Errorf("first row NameEN=%q, want %q", first.NameEN, "Final decision (R.118)")
+		}
+		if first.DueDate != "2026-05-26" {
+			t.Errorf("first row DueDate=%q, want 2026-05-26", first.DueDate)
+		}
+		if first.Party != PrimaryPartyCourt {
+			t.Errorf("first row Party=%q, want court", first.Party)
+		}
+		// Real rules should carry AppealRole.
+		byCode := map[string]TimelineEntry{}
+		for _, d := range timeline.Deadlines {
+			byCode[d.Code] = d
+		}
+		if got := byCode[noticeCode].AppealRole; got != AppealRoleAppellant {
+			t.Errorf("notice AppealRole=%q, want appellant", got)
+		}
+		if got := byCode[groundsCode].AppealRole; got != AppealRoleAppellant {
+			t.Errorf("grounds AppealRole=%q, want appellant", got)
+		}
+	})
+
+	t.Run("without appeal_target — no synthetic row, no appeal_role", func(t *testing.T) {
+		opts := CalcOptions{}
+		timeline, err := Calculate(ctx, "upc.apl.unified", "2026-05-26", opts, cat, noOpHolidays{}, fixedCourts{})
+		if err != nil {
+			t.Fatalf("Calculate: %v", err)
+		}
+		for _, d := range timeline.Deadlines {
+			if d.IsTriggerEvent {
+				t.Errorf("unexpected synthetic trigger row when appeal_target is unset: %+v", d)
+			}
+			if d.AppealRole != "" {
+				t.Errorf("unexpected AppealRole=%q when appeal_target is unset (rule %q)", d.AppealRole, d.Code)
+			}
+		}
+	})
+
+	t.Run("unknown appeal_target — short-circuits to no-op", func(t *testing.T) {
+		opts := CalcOptions{AppealTarget: "bogus"}
+		timeline, err := Calculate(ctx, "upc.apl.unified", "2026-05-26", opts, cat, noOpHolidays{}, fixedCourts{})
+		if err != nil {
+			t.Fatalf("Calculate: %v", err)
+		}
+		// IsValidAppealTarget("bogus") = false, so the engine skips
+		// both the rule filter AND the synthetic trigger emission.
+		for _, d := range timeline.Deadlines {
+			if d.IsTriggerEvent {
+				t.Errorf("unexpected synthetic trigger row for unknown target: %+v", d)
+			}
+		}
+	})
+}