m/paliad
1
0
Fork 0
Code Issues 146 Pull Requests 8 Actions 3 Packages Projects Releases Wiki Activity

Compare commits

base: m:mai/fermi/interactive-session
Branches Tags
m:main m:mai/galileo/docforge-draft-editor m:mai/bohr/coder-apply-m-s-caption m:mai/faraday/coder-generated-document m:mai/planck/coder-b5-b6-train-share m:mai/archimedes/fixer-port-engine m:mai/maxwell/coder-b4-akte-mode m:mai/lorenz/coder-b3-event-triggered m:mai/euler/fixer-builder-add m:mai/brunel/fixer-prod-500s-after-b1 m:mai/galileo/coder-b1-b2-mvp-train m:mai/pasteur/fixer-pkg-litigationplann m:mai/newton/coder-b0-scenario-db m:mai/edison/inventor-prd-columnar m:mai/knuth/coder-workflow-tracker m:mai/atlas/inventor-extend-tools m:mai/cronus/inventor-unified m:mai/atlas/inventor-deadline-system m:mai/atlas/inventor-followup-rules m:mai/athena/consultant-deadline m:mai/brunel/fixer-dark-mode-support m:mai/knuth/coder-cronus-fristenrechn m:mai/ritchie/coder-mig-153-proceeding m:mai/atlas/inventor-proceeding m:mai/cronus/inventor-fristenrechner m:mai/curie/coder-mig152-clone-dedupe m:mai/darwin/researcher-lexy-draft m:mai/knuth/coder-dedupe-null m:mai/cronus/coder-composer-slice-f m:mai/cronus/coder-composer-slice-e m:mai/cronus/coder-composer-slice-d m:mai/curie/coder-slice-b6-url-rename m:mai/curie/coder-slice-b5-go-rename m:mai/cronus/coder-composer-slice-c m:mai/curie/coder-slice-b4-destructive-drop m:mai/cronus/coder-composer-slice-b m:mai/cronus/coder-composer-slice-a m:mai/cronus/inventor-prd-for m:mai/knuth/coder-verfahrensablauf m:mai/ritchie/coder-make-backup m:mai/diesel/fixer-dark-mode-css m:mai/curie/coder-slice-b3-read-cutover m:mai/diesel/fixer-verfahrensablauf m:mai/curie/coder-slice-b2-dual-write m:mai/cronus/coder-slice-d-scenarios m:mai/knuth/coder-backfill-applies m:mai/hermes/gitster-verfahrensablauf m:mai/cronus/coder-berufung-labels-refactor m:mai/diesel/hotfix-2-mig-134-missing m:mai/curie/coder-slice-b1-procedural-events m:mai/cronus/coder-slice-c-upc-snapshot m:mai/brunel/hotfix-rename-upc-apl m:mai/cronus/coder-slice-b3-primary-party m:mai/cronus/coder-slice-b2-catalog-query m:mai/cronus/inventor-litigation-slice-b m:mai/curie/researcher-slice-b-zero m:mai/cronus/inventor-litigation m:mai/artemis/gitster-remove-admin m:mai/ritchie/coder-sort-post-trigger m:mai/knuth/coder-conditional-label m:mai/hermes/coder-verfahrensablauf m:mai/brunel/rebase-121-conditional m:mai/knuth/coder-conditional-rule m:mai/hermes/gitster-dark-mode-fix m:mai/ritchie/coder-submission-form m:mai/artemis/gitster-re-surface m:mai/brunel/fixer-views-any-filters m:mai/cronus/coder-cicd-slice-a m:mai/knuth/coder-wave-1-tier-1-rule m:mai/ritchie/coder-upc-damages-add m:mai/cronus/inventor-ci-cd-pre m:mai/brunel/rebase-108-language m:mai/hermes/gitster-admin-rules-list m:mai/artemis/gitster-submission m:mai/icarus/gitster-verfahrensablauf m:mai/orpheus/gitster-search-input m:mai/atlas/coder-event-card-choices-slice-ab m:mai/hermes/gitster-date-range m:mai/demeter/gitster-submission m:mai/knuth/coder-hl-patents-style m:mai/hermes/gitster-draft-editor m:mai/atlas/inventor-per-event-card m:mai/knuth/coder-deadline-rule-tier m:mai/cronus/coder-procedural-events-slice-a m:mai/hermes/gitster-deadline-form m:mai/artemis/gitster-add-missing-i18n m:mai/demeter/gitster-paliadin-chat m:mai/brunel/wave0-tier0-deadline-fixes m:mai/artemis/coder-docker-compose-yml m:mai/icarus/coder-inbox-overhaul-slice-a m:mai/atlas/coder-date-range-picker-slice-a m:mai/brunel/fixer-de-inf-lg-cfi m:mai/cronus/inventor-procedural m:mai/hermes/gitster-event-type-modal m:mai/cronus/coder-backup-mode m:mai/curie/researcher-bulletproof m:mai/hermes/gitster-draft-editor-focus-jump m:mai/cronus/inventor-backup-mode m:mai/hermes/gitster-submissions m:mai/artemis/gitster-deadline-form m:mai/brunel/fixer-submission-preview m:mai/brunel/fixer-test-data-reset m:mai/artemis/gitster-approval-withdraw m:mai/demeter/gitster-events m:mai/hermes/gitster-sidebar-loses m:mai/hermes/gitster-browse-a m:mai/brunel/fixer-submissions-demo m:mai/icarus/inventor-inbox-overhaul m:mai/atlas/inventor-symmetric-date m:mai/artemis/gitster-demote-daten m:mai/hermes/gitster-team-view-mailto m:mai/knuth/coder-global-schriftsatze m:mai/knuth/coder-schriftsatze m:mai/ritchie/coder-author-demo-docx m:mai/knuth/coder-add-schriftsatze m:mai/knuth/coder-add-checklist m:mai/knuth/coder-anchor-lookup-must m:mai/tesla/dashboard-resize-clamp m:mai/knuth/coder-demote-projekt m:mai/knuth/coder-paliadin-chat m:mai/knuth/coder-print-views m:mai/knuth/coder-add-proceeding m:mai/knuth/coder-submission m:mai/ritchie/coder-extend-team-email m:mai/knuth/coder-changelog-catch-up m:mai/tesla/dashboard-overlap m:mai/pasteur/fixercoder-dashboard m:mai/newton/inventor-configurable m:mai/dirac/inventorcoder-user m:mai/gauss/inventorcoder-team-admin m:mai/kepler/inventorcoder-project m:mai/darwin/roadmap-ccr-en m:mai/euler/coder-small-ux-polish m:mai/darwin/fristenrechner-cleanup m:mai/darwin/fixercoder-priority-bug m:mai/leibniz/inventor-caldav-multi m:mai/hertz/inventor-unified-modal m:mai/archimedes/inventor-excel-data m:mai/boltzmann/inventor-gap-tolerant m:mai/copernicus/submission-slice-1 m:mai/fermi/interactive-session m:mai/hertz/inventor-suggest-changes m:mai/copernicus/inventor-submission m:mai/mendel/test-strategy-slice-1 m:mai/mendel/inventor-test-strategy m:mai/ampere/custom-views-improvements m:mai/joule/mig-097-apply-huygens-s m:mai/ohm/workstream-b-rename m:mai/huygens/workstream-a-backfill m:mai/kelvin/t-204-phase-2-proceeding m:mai/bohr/ingest-t-paliad-203-rule m:mai/curie/fristenrechner-gap m:mai/maxwell/inbox-grey-out m:mai/rutherford/slice-9-follow-up-b-re m:mai/dirac/slice-9-follow-up-a m:mai/bose/determinator-cascade-slice-3 m:mai/bose/determinator-cascade-slice-2 m:mai/bose/determinator-row-cascade m:mai/lorenz/fristen-phase-3-slice-9 m:mai/curie/fristen-phase-3-slice-12 m:mai/planck/aichat-phase-b-paliad m:mai/young/fristen-phase-3-slice-11b m:mai/lorenz/fristen-phase-3-slice-11a m:mai/lorenz/fristen-phase-3-slice-10 m:mai/lorenz/fristen-phase-3-slice-8 m:mai/lorenz/fristen-phase-3-slice-7 m:mai/lorenz/fristen-phase-3-slice-6 m:mai/lorenz/fristen-phase-3-slice-5 m:mai/lorenz/fristen-phase-3-slice-4 m:mai/lorenz/fristen-phase-3-slice-3 m:mai/lorenz/fristen-phase-3-slice-2 m:mai/lorenz/fristen-phase-3-slice-1 m:mai/pauli/fristen-phase2-design m:mai/tesla/project-timeline-chart m:mai/pauli/fristen-logic-audit m:mai/pauli/determinator-b1-row-by m:mai/noether/tools-cleanup-slice-1 m:mai/kelvin/inventor-tools-surface m:mai/planck/paliadin-per-user-rls m:mai/maxwell/bug-bundle-filterbar m:mai/faraday/project-timeline-chart m:mai/schroedinger/smarttimeline-slice-4 m:mai/bohr/smarttimeline-slice-3 m:mai/gauss/smarttimeline-slice-2 m:mai/riemann/filterbar-phase-2-slice m:mai/lagrange/smarttimeline-design-the m:mai/curie/researcher-determinator m:mai/noether/collapse-regel-typ-on m:mai/riemann/inventor-universal m:mai/minkowski/project-level-our-side m:mai/dirac/inventor-inline-paliadin m:mai/feynman/fristenrechner m:mai/minkowski/navbar-dashboard-reorg m:mai/shannon/approval-rework m:mai/einstein/consultant-deadline-data m:mai/curie/researcher-upc-rop-audit m:mai/noether/paliadin-real-claude m:mai/noether/inventor-paliadin m:mai/hilbert/inventor-approval-policy m:mai/shannon/bug-frist-due-date m:mai/fritz/bug-fristen-termine m:mai/godel/inventor-projects-page m:mai/fritz/bug-paliadin-chat m:mai/kepler/inventor-profession-vs m:mai/noether/inventor-paliadin-in-app m:mai/fritz/bulk-team-email-send-to m:mai/noether/inventor-local-chat-for m:mai/noether/inventor-data-display m:mai/fritz/bug-derived-team-members m:mai/fritz/bug-sidebar-visibly m:mai/noether/inventor-project m:mai/shannon/bug-project-team-add m:mai/cronus/inventor-dual-control m:mai/fritz/bug-edit-mode-on m:mai/cronus/inventor-holidays-per m:mai/ritchie/phase-h-ai-deadline
..
compare: m:mai/copernicus/inventor-submission
Branches Tags
m:main m:mai/galileo/docforge-draft-editor m:mai/bohr/coder-apply-m-s-caption m:mai/faraday/coder-generated-document m:mai/planck/coder-b5-b6-train-share m:mai/archimedes/fixer-port-engine m:mai/maxwell/coder-b4-akte-mode m:mai/lorenz/coder-b3-event-triggered m:mai/euler/fixer-builder-add m:mai/brunel/fixer-prod-500s-after-b1 m:mai/galileo/coder-b1-b2-mvp-train m:mai/pasteur/fixer-pkg-litigationplann m:mai/newton/coder-b0-scenario-db m:mai/edison/inventor-prd-columnar m:mai/knuth/coder-workflow-tracker m:mai/atlas/inventor-extend-tools m:mai/cronus/inventor-unified m:mai/atlas/inventor-deadline-system m:mai/atlas/inventor-followup-rules m:mai/athena/consultant-deadline m:mai/brunel/fixer-dark-mode-support m:mai/knuth/coder-cronus-fristenrechn m:mai/ritchie/coder-mig-153-proceeding m:mai/atlas/inventor-proceeding m:mai/cronus/inventor-fristenrechner m:mai/curie/coder-mig152-clone-dedupe m:mai/darwin/researcher-lexy-draft m:mai/knuth/coder-dedupe-null m:mai/cronus/coder-composer-slice-f m:mai/cronus/coder-composer-slice-e m:mai/cronus/coder-composer-slice-d m:mai/curie/coder-slice-b6-url-rename m:mai/curie/coder-slice-b5-go-rename m:mai/cronus/coder-composer-slice-c m:mai/curie/coder-slice-b4-destructive-drop m:mai/cronus/coder-composer-slice-b m:mai/cronus/coder-composer-slice-a m:mai/cronus/inventor-prd-for m:mai/knuth/coder-verfahrensablauf m:mai/ritchie/coder-make-backup m:mai/diesel/fixer-dark-mode-css m:mai/curie/coder-slice-b3-read-cutover m:mai/diesel/fixer-verfahrensablauf m:mai/curie/coder-slice-b2-dual-write m:mai/cronus/coder-slice-d-scenarios m:mai/knuth/coder-backfill-applies m:mai/hermes/gitster-verfahrensablauf m:mai/cronus/coder-berufung-labels-refactor m:mai/diesel/hotfix-2-mig-134-missing m:mai/curie/coder-slice-b1-procedural-events m:mai/cronus/coder-slice-c-upc-snapshot m:mai/brunel/hotfix-rename-upc-apl m:mai/cronus/coder-slice-b3-primary-party m:mai/cronus/coder-slice-b2-catalog-query m:mai/cronus/inventor-litigation-slice-b m:mai/curie/researcher-slice-b-zero m:mai/cronus/inventor-litigation m:mai/artemis/gitster-remove-admin m:mai/ritchie/coder-sort-post-trigger m:mai/knuth/coder-conditional-label m:mai/hermes/coder-verfahrensablauf m:mai/brunel/rebase-121-conditional m:mai/knuth/coder-conditional-rule m:mai/hermes/gitster-dark-mode-fix m:mai/ritchie/coder-submission-form m:mai/artemis/gitster-re-surface m:mai/brunel/fixer-views-any-filters m:mai/cronus/coder-cicd-slice-a m:mai/knuth/coder-wave-1-tier-1-rule m:mai/ritchie/coder-upc-damages-add m:mai/cronus/inventor-ci-cd-pre m:mai/brunel/rebase-108-language m:mai/hermes/gitster-admin-rules-list m:mai/artemis/gitster-submission m:mai/icarus/gitster-verfahrensablauf m:mai/orpheus/gitster-search-input m:mai/atlas/coder-event-card-choices-slice-ab m:mai/hermes/gitster-date-range m:mai/demeter/gitster-submission m:mai/knuth/coder-hl-patents-style m:mai/hermes/gitster-draft-editor m:mai/atlas/inventor-per-event-card m:mai/knuth/coder-deadline-rule-tier m:mai/cronus/coder-procedural-events-slice-a m:mai/hermes/gitster-deadline-form m:mai/artemis/gitster-add-missing-i18n m:mai/demeter/gitster-paliadin-chat m:mai/brunel/wave0-tier0-deadline-fixes m:mai/artemis/coder-docker-compose-yml m:mai/icarus/coder-inbox-overhaul-slice-a m:mai/atlas/coder-date-range-picker-slice-a m:mai/brunel/fixer-de-inf-lg-cfi m:mai/cronus/inventor-procedural m:mai/hermes/gitster-event-type-modal m:mai/cronus/coder-backup-mode m:mai/curie/researcher-bulletproof m:mai/hermes/gitster-draft-editor-focus-jump m:mai/cronus/inventor-backup-mode m:mai/hermes/gitster-submissions m:mai/artemis/gitster-deadline-form m:mai/brunel/fixer-submission-preview m:mai/brunel/fixer-test-data-reset m:mai/artemis/gitster-approval-withdraw m:mai/demeter/gitster-events m:mai/hermes/gitster-sidebar-loses m:mai/hermes/gitster-browse-a m:mai/brunel/fixer-submissions-demo m:mai/icarus/inventor-inbox-overhaul m:mai/atlas/inventor-symmetric-date m:mai/artemis/gitster-demote-daten m:mai/hermes/gitster-team-view-mailto m:mai/knuth/coder-global-schriftsatze m:mai/knuth/coder-schriftsatze m:mai/ritchie/coder-author-demo-docx m:mai/knuth/coder-add-schriftsatze m:mai/knuth/coder-add-checklist m:mai/knuth/coder-anchor-lookup-must m:mai/tesla/dashboard-resize-clamp m:mai/knuth/coder-demote-projekt m:mai/knuth/coder-paliadin-chat m:mai/knuth/coder-print-views m:mai/knuth/coder-add-proceeding m:mai/knuth/coder-submission m:mai/ritchie/coder-extend-team-email m:mai/knuth/coder-changelog-catch-up m:mai/tesla/dashboard-overlap m:mai/pasteur/fixercoder-dashboard m:mai/newton/inventor-configurable m:mai/dirac/inventorcoder-user m:mai/gauss/inventorcoder-team-admin m:mai/kepler/inventorcoder-project m:mai/darwin/roadmap-ccr-en m:mai/euler/coder-small-ux-polish m:mai/darwin/fristenrechner-cleanup m:mai/darwin/fixercoder-priority-bug m:mai/leibniz/inventor-caldav-multi m:mai/hertz/inventor-unified-modal m:mai/archimedes/inventor-excel-data m:mai/boltzmann/inventor-gap-tolerant m:mai/copernicus/submission-slice-1 m:mai/fermi/interactive-session m:mai/hertz/inventor-suggest-changes m:mai/copernicus/inventor-submission m:mai/mendel/test-strategy-slice-1 m:mai/mendel/inventor-test-strategy m:mai/ampere/custom-views-improvements m:mai/joule/mig-097-apply-huygens-s m:mai/ohm/workstream-b-rename m:mai/huygens/workstream-a-backfill m:mai/kelvin/t-204-phase-2-proceeding m:mai/bohr/ingest-t-paliad-203-rule m:mai/curie/fristenrechner-gap m:mai/maxwell/inbox-grey-out m:mai/rutherford/slice-9-follow-up-b-re m:mai/dirac/slice-9-follow-up-a m:mai/bose/determinator-cascade-slice-3 m:mai/bose/determinator-cascade-slice-2 m:mai/bose/determinator-row-cascade m:mai/lorenz/fristen-phase-3-slice-9 m:mai/curie/fristen-phase-3-slice-12 m:mai/planck/aichat-phase-b-paliad m:mai/young/fristen-phase-3-slice-11b m:mai/lorenz/fristen-phase-3-slice-11a m:mai/lorenz/fristen-phase-3-slice-10 m:mai/lorenz/fristen-phase-3-slice-8 m:mai/lorenz/fristen-phase-3-slice-7 m:mai/lorenz/fristen-phase-3-slice-6 m:mai/lorenz/fristen-phase-3-slice-5 m:mai/lorenz/fristen-phase-3-slice-4 m:mai/lorenz/fristen-phase-3-slice-3 m:mai/lorenz/fristen-phase-3-slice-2 m:mai/lorenz/fristen-phase-3-slice-1 m:mai/pauli/fristen-phase2-design m:mai/tesla/project-timeline-chart m:mai/pauli/fristen-logic-audit m:mai/pauli/determinator-b1-row-by m:mai/noether/tools-cleanup-slice-1 m:mai/kelvin/inventor-tools-surface m:mai/planck/paliadin-per-user-rls m:mai/maxwell/bug-bundle-filterbar m:mai/faraday/project-timeline-chart m:mai/schroedinger/smarttimeline-slice-4 m:mai/bohr/smarttimeline-slice-3 m:mai/gauss/smarttimeline-slice-2 m:mai/riemann/filterbar-phase-2-slice m:mai/lagrange/smarttimeline-design-the m:mai/curie/researcher-determinator m:mai/noether/collapse-regel-typ-on m:mai/riemann/inventor-universal m:mai/minkowski/project-level-our-side m:mai/dirac/inventor-inline-paliadin m:mai/feynman/fristenrechner m:mai/minkowski/navbar-dashboard-reorg m:mai/shannon/approval-rework m:mai/einstein/consultant-deadline-data m:mai/curie/researcher-upc-rop-audit m:mai/noether/paliadin-real-claude m:mai/noether/inventor-paliadin m:mai/hilbert/inventor-approval-policy m:mai/shannon/bug-frist-due-date m:mai/fritz/bug-fristen-termine m:mai/godel/inventor-projects-page m:mai/fritz/bug-paliadin-chat m:mai/kepler/inventor-profession-vs m:mai/noether/inventor-paliadin-in-app m:mai/fritz/bulk-team-email-send-to m:mai/noether/inventor-local-chat-for m:mai/noether/inventor-data-display m:mai/fritz/bug-derived-team-members m:mai/fritz/bug-sidebar-visibly m:mai/noether/inventor-project m:mai/shannon/bug-project-team-add m:mai/cronus/inventor-dual-control m:mai/fritz/bug-edit-mode-on m:mai/cronus/inventor-holidays-per m:mai/ritchie/phase-h-ai-deadline

24 Commits
mai/fermi/ ... mai/copern

Author SHA1 Message Date
mAi
d6caa490dc docs(submission-generator): t-paliad-215 inventor design 
DESIGN READY FOR REVIEW — copernicus inventor pass on the submission
generator (t-paliad-215). 5 questions answered with m's picks captured
in §2; awaiting head's go/no-go on coder shift.

Locked decisions:
- Scope: template-render to .docx (no LLM in v1)
- Template registry: Gitea (mWorkRepo proxy, same pattern as
  HL Patents Style)
- Output: direct download, no server-side binary persistence
- Mapping: fallback chain (firm → base/code → base/family → skeleton)
- Slice 1: one template end-to-end on one project
  (de.inf.lg.erwidg / Klageerwiderung)

No code, no migrations, no schema additions. Read-only design phase
per inventor SKILL.md.
 2026-05-19 13:20:10 +02:00
mAi
bf31935767 Merge: t-paliad-214 — archimedes Excel-export Slice 1 (mig 102 system_audit_log + personal /api/me/export + xlsx/json/csv writer + Datenexport tab on /settings) 2026-05-19 12:52:25 +02:00
mAi
aee177a303 feat(export): t-paliad-214 Slice 1 frontend — Datenexport tab on /settings 
Adds a 4th tab "Datenexport" to /settings (after Profil /
Benachrichtigungen / CalDAV) with a single-button card that triggers
GET /api/me/export. Browser handles the download via
Content-Disposition: attachment.

i18n: 12 new keys under einstellungen.export.* (DE primary, EN
secondary) — subtitle, bullets per format, scope notice, audit
notice, button label, post-click hint.

The tab is loaded lazily (idempotent loadExportTab) like every other
settings tab, and the runExport handler swaps in a transient <a download>
to use the browser's normal download pipeline.
 2026-05-19 12:51:52 +02:00
mAi
28c7215458 feat(export): t-paliad-214 Slice 1 backend — personal sync export endpoint + xlsx/json/csv writer 
Adds GET /api/me/export streaming a deterministic .zip bundle of the
caller's RLS-visible projection (per design §2.3): projects, deadlines,
appointments, parties, notes, documents (metadata), audit events,
approval requests, checklist instances + personal sidecars (me row,
caldav config without ciphertext, views, pins, card layouts, paliadin
turns) + reference data (proceeding_types, event_types, deadline_rules,
courts, countries, holidays …) + restricted users_referenced sheet.

Bundle shape: paliad-export.xlsx + paliad-export.json + per-sheet
CSVs (UTF-8 BOM, RFC 4180) + README.txt + __meta.json. Outer zip is
byte-deterministic — sorted file list, fixed Modified time on every
entry, sorted JSON keys. Two runs at same row-state → identical bytes.

ExportService.WritePersonal owns the SQL recipe + column discovery
+ PII deny-regex (?i)secret|token|password|api[_-]?key|private[_-]?key
+ per-sheet DropColumns belt-and-braces (e.g. user_caldav_config
.password_encrypted explicitly dropped on top of the regex). Audit row
written to paliad.system_audit_log before the run, patched with
row_counts + file_size_bytes after.

Migration 102 creates paliad.system_audit_log (generic event_type +
actor_id/email + scope + scope_root + metadata jsonb). Idempotent
CREATE TABLE IF NOT EXISTS + indexes; RLS enabled with self-read +
admin-read policies. AuditService.ListEntries gains a 6th UNION branch
so the new table surfaces on /admin/audit-log.

excelize/v2 added to go.mod for xlsx generation.

Pure-function tests pin formatCellValue value-coercion, PII regex,
CSV quoting + BOM + umlaut survival, JSON shape, meta key order
stability, filename slugify, and byte-determinism of the bundle
assembly.

Design: docs/design-paliad-data-export-2026-05-19.md §7 Slice 1.
 2026-05-19 12:51:52 +02:00
mAi
9aebe5780b Merge: t-paliad-212 — leibniz CalDAV Slice 1 (mig 101 user_calendar_bindings + appointment_caldav_targets + backfill, RLS, idempotent) 2026-05-19 12:45:50 +02:00
mAi
8a43aed100 feat(caldav): mig 101 — multi-calendar binding schema + backfill (t-paliad-212 Slice 1) 
Schema-only landing for Slice 1 of the CalDAV multi-calendar design
(docs/design-caldav-multi-calendar-2026-05-19.md). Sync engine NOT
touched — Slice 2 wires the per-binding fan-out. After this migration:

- paliad.user_calendar_bindings — N bindings per user with scope_kind
  ∈ {all_visible, personal_only, project, client, litigation, patent,
  case}. Hierarchy scopes anchor scope_id at paliad.projects(id).
  Partial unique indexes enforce one binding per (user, scope_kind,
  scope_id) for hierarchical scopes and one per (user, scope_kind)
  for the scope-less roots. RLS mirrors user_caldav_config.
- paliad.appointment_caldav_targets — per-(appointment, binding) join
  carrying caldav_uid + caldav_etag. UID stays canonical per
  appointment so the same event in N cals shares one UID.
- Backfill — one all_visible binding per existing user_caldav_config
  row, one target row per appointment already pushed. Maps target to
  the creator's binding, matching today's Phase F semantics where the
  creator's goroutine owns the etag.

Legacy paliad.appointments.caldav_uid / caldav_etag columns are
untouched (kept as denormalised pointers through Slice 1+2; dropped
in Slice 4 after telemetry).

Dry-run verified against live Supabase (PG 15.8): synthetic config +
appointment backfill creates exactly 1 binding + 1 target; re-run is a
no-op; all CHECK + unique-index constraints enforce as designed; final
assertions pass with 0 missing rows.

Prod impact at landing: 0 rows in user_caldav_config and 0 appointments
with caldav_uid — backfill is a true no-op. Slice 1 ships invisible.
 2026-05-19 12:44:27 +02:00
mAi
52b3feb9d2 Merge: t-paliad-213 — mendel test-strategy Slice 1 (Make targets, migration dry-run gate, boot smoke, /healthz) 2026-05-19 12:41:33 +02:00
mAi
586ba29b86 feat(test): migration dry-run gate + boot smoke (Slice 1) 
Slice 1 of docs/design-paliad-test-strategy-2026-05-19.md — the test
infrastructure that would have caught mig 098 (digit-regex) and mig 099
(missing audit_reason) before the deploy hit prod.

Three new files + one route addition:

- Makefile: `make verify-migrations` (alias `verify-mig`) runs the
  per-migration dry-run + boot smoke against TEST_DATABASE_URL. Fails
  fast with a clear error if TEST_DATABASE_URL is unset so CI can't
  silently pass a missing env var. `make test` and `make test-go`
  cover the rest of the short / full Go suites.

- internal/db/migrate_test.go (TestMigrations_DryRun): walks every
  pending *.up.sql in numeric order, applies each inside its own
  BEGIN..ROLLBACK transaction, fails on the first SQL error with the
  file name + Postgres error. "Pending" = greater than the scratch
  DB's current tracker version, so fresh-DB CI runs verify everything
  while developer scratch DBs only re-verify the new pending migration.
  Always non-destructive — the rollback runs even on success.

- cmd/server/main_smoke_test.go (TestBootSmoke): boots the apply path
  end-to-end, asserts (a) db.ApplyMigrations returns nil, (b) the
  tracker advanced to the highest *.up.sql version on disk with
  dirty=false, (c) GET /healthz on the registered mux returns 200.
  The dry-run catches per-migration syntax errors; this catches the
  apply+bind path the container actually runs.

- internal/handlers/handlers.go: adds a GET /healthz public route — a
  no-auth, no-DB liveness probe. Used by the boot smoke; also safe
  for any future orchestrator or uptime check.

Both live-DB tests gate on TEST_DATABASE_URL and skip cleanly without
it, matching the rest of paliad's live-DB test pattern.

Verification: go build ./... clean, go vet ./... clean,
go test -short ./internal/... ./cmd/... clean (all packages pass,
live-DB tests skip), bun run build clean (2436 i18n keys unchanged).

Per CLAUDE.md inventor → coder gate, NOT self-merged.
 2026-05-19 12:41:15 +02:00
mAi
0b57ec5257 Merge: t-paliad-214 — archimedes Excel-export decisions addendum (9 Qs answered) 2026-05-19 12:37:08 +02:00
mAi
2007ad39bb docs(export): §12 addendum — m's decisions on the 9 §11 questions 
t-paliad-214. m walked all 9 questions live; deviated on Q2 (project-scope
floor = any team member, not associate), Q3 (retention 90d, not 7d), Q5
(paliadin_turns hard-excluded from org scope, not opt-in). Other 6
matched inventor picks. Net slice-plan deltas captured in §12.
 2026-05-19 12:36:49 +02:00
mAi
b7c4de9ac9 Merge: t-paliad-212 — leibniz CalDAV decisions addendum (6 Qs answered) 2026-05-19 10:43:37 +02:00
mAi
8e0e4c9dcc docs(caldav): fold m's decisions on the 6 open Qs into the design (t-paliad-212) 
Addendum after §10 captures m's picks (2026-05-19, via AskUserQuestion):
§8.1 bidirectional default: YES; §8.2 personal_only: KEEP first-class;
§8.3 MKCALENDAR: Slice 2 with Google-degrade; §8.4 soft caps: NONE in
v1 (add later if telemetry warrants); §8.5 admin view: don't ship;
§8.6 approval-flow remote-edit gap: separate task under t-138.

Net effect: drops the 20-warn/80-block UI guards from §6 and the
`read_only` flag from §3; Slice 2 gains MKCALENDAR + binding-count
telemetry; §8.6 fix filed separately so multi-cal slices stay clean.
 2026-05-19 10:43:20 +02:00
mAi
023f32d4f2 Merge: t-paliad-213 — mendel test-strategy decisions addendum (all 6 Qs answered, picks match inventor recs) 2026-05-19 10:31:03 +02:00
mAi
621fe35d79 docs(test-strategy): fold m's §10 decisions addendum 
m's 2026-05-19 picks via AskUserQuestion interview:
- Q1 budget: 60–90s gate, 3–4min full (inventor's call — m deferred)
- Q2 CI: Gitea Actions, gate tier only
- Q3 test DB: YouPC for devs + ephemeral docker for CI
- Q4 coverage: critical-path only, no % gate
- Q5 floor: Slices 1+4+5 before new feature work
- Q6 ownership: head decides + rotate per profile

All six matched inventor's recommendation. Slice 1 (migration
dry-run + boot smoke) starts first; Slices 4+5 in parallel after.
 2026-05-19 10:30:25 +02:00
mAi
139c4a6406 Merge: t-paliad-214 — archimedes Excel data-export design doc 2026-05-19 10:12:24 +02:00
mAi
6e8e2e7653 Merge: t-paliad-213 — mendel test-strategy design doc 2026-05-19 10:11:26 +02:00
mAi
de20356cec docs(export): inventor design for scoped Excel data export (org / project-subtree / personal) 
t-paliad-214. Covers scope definitions, format choices (xlsx + JSON + CSV
in one zip, deterministic, schema_version 1), authorization model
(global_admin / project-team-with-associate-floor / authenticated-self),
trigger model (sync personal+project, async org), storage on
PALIAD_EXPORT_DIR with 7-day retention, PII/GDPR posture, 3-slice plan,
and 9 open questions for m. No code touches — design only.
 2026-05-19 10:10:59 +02:00
mAi
8414aa4c14 docs(test-strategy): inventor design for production-grade test pyramid 
t-paliad-213 — six-layer pyramid (migration dry-run, Go/frontend unit,
frontend DOM, service live-DB, handler integration, Playwright E2E),
audit of current coverage (323 test funcs, 24 untested services, 53
untested handlers, 4/90 frontend modules), eight-slice tracer-bullet
roll-out, six open questions for m.

Read-only design phase per CLAUDE.md inventor gate — no test files,
make targets or CI configs touched. Awaiting m go/no-go on §5 slice
plan + §6 open questions before any coder shift.
 2026-05-19 10:10:23 +02:00
mAi
1e1c84b0f6 Merge: t-paliad-212 — leibniz CalDAV multi-calendar design doc 2026-05-19 10:07:40 +02:00
mAi
e1b91a9481 docs(caldav): design for multi-calendar binding model (t-paliad-212) 
Inventor design for letting users connect Paliad's CalDAV sync to N
external calendars per user, with scope filters (master / personal /
per-project / per-client / per-litigation / per-patent / per-case)
rather than today's single-target push. Splits credentials (per user,
unchanged) from bindings (new join table). Adds a per-target join for
push state so the same Appointment can live in multiple calendars at
once. Includes per-provider limit research (iCloud 100, Google ~100,
Fastmail no cap, Nextcloud 30 default), a 4-slice rollout plan, and 6
open questions for m. READ-ONLY design — no schema or code changes.
 2026-05-19 10:06:58 +02:00
mAi
92780cf726 fix(events): default Termine filter to 'upcoming' so past events don't show by default 
m's call 2026-05-19: opening /events with type=appointment was
defaulting status='all' which surfaces every past appointment in
the corpus. The default should hide past events; 'Alle (auch
vergangene)' is opt-in for the one user who actually wants the
historical view.

Replaces the default with the existing DeadlineFilterUpcoming bucket
(already implemented backend-side at internal/services/deadline_service.go:132
as 'today + future'). New status option 'upcoming' at the top of the
appointment list; existing 'all' moves to the bottom with a clearer
label that calls out 'incl. past'.

Deadlines unaffected — they still default to 'pending'.

i18n keys added in both DE + EN slots (events.filter.status.upcoming
'Ab heute' / 'From today'; .all reframed as 'Alle (auch vergangene)'
/ 'All (incl. past)').
 2026-05-19 09:56:05 +02:00
mAi
a0082d2b0d fix(index): drop Downloads section from anon landing — the dotm card was the only visible affordance for unauth visitors 
m's call 2026-05-19: the /files/hl-patents-style.dotm link on the
anonymous frontpage shouldn't tempt visitors to try downloading. The
/files/{filename} route IS already auth-gated (302 to /login on
anon click), and the macro-update endpoint at /patentstyle/* stays
public for the in-Word update logic per m's note ('with knowledge
of the direct source link it needs to be available').

Authenticated users never see this page anyway — handleRootPage 302s
them to /dashboard. So removing the section costs them nothing and
removes the obvious affordance for anon visitors. ICON_DOWNLOAD
const dropped along with it.

The Downloads page itself (/downloads + Sidebar nav entry) stays —
that's auth-gated and works for logged-in users.

Leftover surface: /patentstyle/HL-Patents-Style.dotm is still anon-
downloadable (necessary for the Word macro's auto-update poll).
That's m's stated requirement — flagged as the known leak path for
anyone who knows the URL.
 2026-05-19 09:05:36 +02:00
mAi
c921925c68 Merge: hlpat /patentstyle/ endpoint 2026-05-18 21:00:46 +02:00
mAi
22cfdb909f feat(handlers): serve /patentstyle/ for HL Patents Style auto-update 
Hosts the manifest + .dotm that the Word ribbon's Check-for-Updates button polls. paliad.msbls.de is the primary endpoint; hihlc.msbls.de mirrors it (hihlc/main b871ded). Files live in frontend/public/patentstyle/, copied into dist/ by the frontend build. Cache-Control: no-cache via noCacheAssets so version.json never serves stale after a release.
 2026-05-18 21:00:46 +02:00
39 changed files with 5232 additions and 579 deletions
Expand all files Collapse all files

73
Makefile Normal file
View File

@@ -0,0 +1,73 @@
# Paliad — developer entrypoints.
#
# Targets here are the gate tier from the test-strategy design
# (docs/design-paliad-test-strategy-2026-05-19.md). Slice 1 lands:
#
# make verify-migrations — dry-run every pending migration (BEGIN..ROLLBACK)
# plus the full boot smoke (apply + tracker
# advances + /healthz returns 200).
# make verify-mig — alias for verify-migrations.
# make test — short test pass: go test ./internal/... -short
# plus the cmd/server package. Includes the
# live-DB tests when TEST_DATABASE_URL is set,
# skips them otherwise.
# make test-go — go test ./... -race (full Go suite).
#
# Future slices will extend this with:
# make test-frontend — bun test (Slice 3 / Slice 6)
# make e2e — Playwright golden-path suite (Slice 4)
#
# All targets are idempotent. None of them write to the filesystem outside
# the test runner's working dirs. None of them touch internal/db/migrations/
# files.
.PHONY: help verify-migrations verify-mig test test-go
help:
@echo "Paliad — developer targets"
@echo ""
@echo " verify-migrations Dry-run pending migrations + boot smoke (needs TEST_DATABASE_URL)"
@echo " verify-mig Alias for verify-migrations"
@echo " test Short test pass — covers gate tier"
@echo " test-go Full Go suite with race detector"
@echo ""
@echo "Set TEST_DATABASE_URL to enable live-DB tests. Example:"
@echo " export TEST_DATABASE_URL=postgres://paliad:...@localhost:11833/paliad_test"
# Gate target — the test that would have caught mig 098 / mig 099 before
# deploy. Combines:
# - TestMigrations_DryRun (internal/db): per-migration BEGIN..ROLLBACK
# - TestBootSmoke (cmd/server): apply-end-to-end + tracker advances
# + /healthz 200
#
# Requires TEST_DATABASE_URL. Without it, both tests skip and the target
# is effectively a no-op — guard against that explicitly so CI doesn't
# silently green a missing env var.
verify-migrations:
@if [ -z "$$TEST_DATABASE_URL" ]; then \
echo "ERROR: TEST_DATABASE_URL is not set."; \
echo " The migration gate cannot run without a scratch DB."; \
echo " Set TEST_DATABASE_URL to a Postgres URL the test can"; \
echo " open transactions against, e.g."; \
echo " export TEST_DATABASE_URL=postgres://paliad:PW@localhost:11833/paliad_test"; \
exit 2; \
fi
@echo "==> migration dry-run (per-mig BEGIN..ROLLBACK)"
go test -count=1 -run TestMigrations_DryRun ./internal/db/
@echo "==> boot smoke (apply + tracker + /healthz)"
go test -count=1 -run TestBootSmoke ./cmd/server/
verify-mig: verify-migrations
# Gate-tier test pass. -short skips the slow live-DB tests when the
# author opts out via `if testing.Short() { t.Skip(...) }`; today most of
# paliad's live-DB tests gate on TEST_DATABASE_URL instead, so -short is
# forward-compatible rather than load-bearing.
test:
go test -short ./internal/... ./cmd/...
# Full Go suite with race detection. Slower but catches concurrent-map
# regressions that -short would skip; intended for the merge-to-main gate
# (full suite, not per-PR).
test-go:
go test -race ./...

4
cmd/server/main.go
View File

@@ -177,6 +177,10 @@ func main() {
Pin: services.NewPinService(pool, projectSvc),
CardLayout: services.NewCardLayoutService(pool),
Projection: services.NewProjectionService(pool, projectSvc, deadlineSvc, appointmentSvc, services.NewFristenrechnerService(rules, holidays, courts), rules),
// t-paliad-214 Slice 1 — personal-scope data export. firm name
// is captured into __meta of every export and printed in the
// embedded README.
Export: services.NewExportService(pool, branding.Name),
}
// Paliadin backend selection.

170
cmd/server/main_smoke_test.go Normal file
View File

@@ -0,0 +1,170 @@
// Boot smoke test — assert paliad reaches a serving state.
//
// Three checks against TEST_DATABASE_URL:
//
// 1. db.ApplyMigrations does not panic and returns nil.
// 2. The migration tracker (public.paliad_schema_migrations) advances to
// the highest *.up.sql version on disk — no migrations were silently
// skipped, no "dirty=true" stragglers left behind.
// 3. The handler mux (with /healthz mounted) responds 200 to GET /healthz.
//
// This is the lightweight cousin of the migration dry-run gate
// (internal/db/migrate_test.go): the dry-run catches per-migration syntax
// errors before merge; this smoke confirms the apply+bind path the
// container actually runs at boot. Together they cover the mig-098 /
// mig-099 class of crash-loops end-to-end.
//
// Skipped without TEST_DATABASE_URL — matches the rest of the live-DB tests.
//
// Design: docs/design-paliad-test-strategy-2026-05-19.md §5 Slice 1.
package main
import (
"database/sql"
"net/http"
"net/http/httptest"
"os"
"path/filepath"
"sort"
"strconv"
"strings"
"testing"
_ "github.com/lib/pq"
"mgit.msbls.de/m/paliad/internal/auth"
"mgit.msbls.de/m/paliad/internal/db"
"mgit.msbls.de/m/paliad/internal/handlers"
)
func TestBootSmoke(t *testing.T) {
url := os.Getenv("TEST_DATABASE_URL")
if url == "" {
t.Skip("TEST_DATABASE_URL not set — skipping boot smoke")
}
// (1) Apply migrations end-to-end. The same code path the prod
// container runs at boot before `http.ListenAndServe`. A regression
// like mig-098's digit-regex would surface here as a non-nil error.
if err := db.ApplyMigrations(url); err != nil {
t.Fatalf("db.ApplyMigrations: %v", err)
}
// (2) Assert the tracker advanced to the highest *.up.sql version we
// embed. If a migration was silently skipped or the tracker is dirty,
// the prod container would crash-loop — this turns that into a test
// failure with a precise reason.
expected := highestEmbeddedMigrationVersion(t)
got, dirty := readTrackerVersion(t, url)
if dirty {
t.Errorf("tracker reports dirty=true at version %d — investigate before deploying", got)
}
if got != expected {
t.Errorf("tracker at version %d; expected %d (highest *.up.sql on disk). "+
"A migration was skipped or applied out of order.",
got, expected)
}
// (3) Mount the public handlers (the same Register call main() makes,
// minus the DB-backed Services bundle which the /healthz route doesn't
// need) and assert /healthz returns 200. This is the bind-and-serve
// half of the smoke: catches a regression that would make /healthz
// 404 or break the mux registration order.
//
// We deliberately do not boot the full main() — that would require
// SUPABASE_URL, SUPABASE_ANON_KEY, SUPABASE_JWT_SECRET, an open
// listening socket and a real auth client. The /healthz handler is
// auth-independent by design, and Register registers it on the outer
// mux before any DB-backed route, so this minimal setup exercises the
// exact code path main() takes.
mux := http.NewServeMux()
authClient := auth.NewClient("https://test.invalid", "anon-key", []byte("test-secret"))
handlers.Register(mux, authClient, "", nil)
rec := httptest.NewRecorder()
req := httptest.NewRequest(http.MethodGet, "/healthz", nil)
mux.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Errorf("GET /healthz: status=%d, body=%q; want 200 OK", rec.Code, rec.Body.String())
}
if body := strings.TrimSpace(rec.Body.String()); body != "ok" {
t.Errorf("GET /healthz: body=%q; want \"ok\"", body)
}
}
// highestEmbeddedMigrationVersion finds max(N) over every NNN_*.up.sql
// file in internal/db/migrations/ on disk. Used as the expected tracker
// version after a clean apply. We read from disk (not the embed.FS in
// the db package — it's unexported) since the test runs from the repo.
func highestEmbeddedMigrationVersion(t *testing.T) int {
t.Helper()
root, err := repoRoot()
if err != nil {
t.Fatalf("locate repo root: %v", err)
}
dir := filepath.Join(root, "internal", "db", "migrations")
entries, err := os.ReadDir(dir)
if err != nil {
t.Fatalf("read migrations dir %s: %v", dir, err)
}
var versions []int
for _, e := range entries {
name := e.Name()
if !strings.HasSuffix(name, ".up.sql") {
continue
}
base := strings.TrimSuffix(name, ".up.sql")
underscore := strings.IndexByte(base, '_')
if underscore <= 0 {
continue
}
v, err := strconv.Atoi(base[:underscore])
if err != nil {
continue
}
versions = append(versions, v)
}
if len(versions) == 0 {
t.Fatalf("no *.up.sql files found in %s", dir)
}
sort.Ints(versions)
return versions[len(versions)-1]
}
// readTrackerVersion fetches the lone row from the tracker. golang-migrate
// keeps exactly one row; if we ever see zero or more, that's the dirty-state
// the test is designed to flag.
func readTrackerVersion(t *testing.T, url string) (version int, dirty bool) {
t.Helper()
conn, err := sql.Open("postgres", url)
if err != nil {
t.Fatalf("open: %v", err)
}
defer conn.Close()
row := conn.QueryRow(`SELECT version, dirty FROM public.paliad_schema_migrations LIMIT 1`)
if err := row.Scan(&version, &dirty); err != nil {
t.Fatalf("read tracker: %v", err)
}
return version, dirty
}
// repoRoot walks upward from the test binary's working directory until it
// finds a go.mod. `go test` runs in the package dir, so we typically have
// to climb a couple of levels.
func repoRoot() (string, error) {
dir, err := os.Getwd()
if err != nil {
return "", err
}
for {
if _, err := os.Stat(filepath.Join(dir, "go.mod")); err == nil {
return dir, nil
}
parent := filepath.Dir(dir)
if parent == dir {
return "", os.ErrNotExist
}
dir = parent
}
}

597
docs/design-caldav-multi-calendar-2026-05-19.md Normal file
View File

@@ -0,0 +1,597 @@
# CalDAV multi-calendar sync — design
**Task:** t-paliad-212
**Inventor:** leibniz (2026-05-19)
**Branch:** mai/leibniz/inventor-caldav-multi
**Status:** READY FOR REVIEW — m's decisions on the §8 open questions captured in the addendum below (2026-05-19).
---
## §0 — One-paragraph summary
Paliad's CalDAV sync today is a single-target push: every user has one
`paliad.user_caldav_config` row, and every Appointment they can see gets
PUT into that one calendar. m wants users to pick their own organization —
one cal with everything, one cal per project (or per client / litigation /
patent / case), or any hybrid. This design splits the model in two:
**credentials stay per user** (one CalDAV server, one auth blob) and
**bindings become first-class rows** (a join table `paliad.user_calendar_bindings`
that points an Appointment-filter scope at a specific `calendar_path`).
Push/pull state migrates from scalar `appointments.caldav_uid`/`caldav_etag`
columns to a per-(appointment, binding) join table
`paliad.appointment_caldav_targets`, so the same Appointment can live in
N external calendars at once. The 60-second per-user sync goroutine survives
unchanged in shape; inside it the inner loop iterates bindings instead of
hard-coding `cfg.CalendarPath`. Sliced for safe rollout: Slice 1 introduces
the new tables behind a backfill that auto-creates one binding per
existing config row (zero behaviour change); Slice 2 ships the
binding-picker UI; Slice 3 wires scope-aware filtering (one cal per project).
Bidirectional sync stays exactly as it works today (last-write-wins on ETag,
Paliad-owned UIDs only) — multi-calendar does not change the conflict
model.
---
## §1 — What's already built (verified live, 2026-05-19)
Verified against the codebase, not the project's CLAUDE.md.
- **Schema** — `paliad.user_caldav_config` is one row per user with
`(user_id PK, url, username, password_encrypted bytea, calendar_path,
enabled, last_sync_at, last_sync_error, created_at, updated_at)`. The
scalar `calendar_path` is the only handle on which external calendar
receives events. Per direct `information_schema` query.
- **Appointment binding** — `paliad.appointments` carries scalar
`caldav_uid text` and `caldav_etag text` (nullable). Set once after a
successful PUT via `AppointmentService.SetCalDAVMeta`. This is the
single-target assumption baked into the row itself.
- **Sync engine** — `internal/services/caldav_service.go:298502`. One
goroutine per enabled user, 60s ticker, `runSyncOnce``syncOnce`
`pushAll` (`AppointmentService.AllForUser` × `cli.PutEvent`) +
`pullAll` (`cli.PropfindCalendar``cli.GetEvent` → reconcile by UID).
`AllForUser` returns *every* personal-or-visible-project appointment
for the user; today they all funnel into the single `calendar_path`.
- **UID convention** — `paliad-appointment-<uuid>@paliad.de`
(`caldav_ical.go:3134`). Foreign UIDs are intentionally skipped on
pull (`caldav_service.go:436442`).
- **Hooks** — `OnAppointmentCreated/Updated/Deleted` push directly to
the configured `cfg.CalendarPath` on a 30s-timeout background goroutine
so user requests don't block (`caldav_service.go:510558`).
- **Approval flow (t-138)** — project-attached appointments may be
`approval_status = 'pending'`. CalDAV push already runs after approval
in `AppointmentService.Update` paths; `ApplyRemoteUpdate` from a remote
edit currently bypasses the approval gate. That's a pre-existing hole
flagged here only because multi-calendar makes "which calendar's edit
wins" more visible — fix belongs in t-138 follow-ups, not in this
design.
- **CalDAV verbs supported** — PUT / DELETE / GET / PROPFIND (depth 0
and 1). No MKCALENDAR, no REPORT, no calendar-multiget. Tested
against Nextcloud, Radicale, Baikal, mailcow SOGo per
`caldav_client.go:2224`.
**What is _not_ baked in and is therefore free to extend:**
- The 60s ticker is per-*user*, not per-*calendar*. Adding bindings does
not multiply tickers.
- `cfg.CalendarPath` is referenced in exactly two places (`pushAll`,
`pullAll`) plus the three hooks. Replacing it with a binding loop is
a contained edit.
- Credentials are server-scoped, not calendar-scoped — every binding
for the same user shares the existing decrypted credential, so the
encryption layer (`caldav_crypto.go`) is untouched.
---
## §2 — Per-provider calendar-count limits (verified 2026-05-19)
Real numbers, from current docs, so the design knows its envelope.
| Provider | Per-account / per-user limit | Source |
|---|---|---|
| **iCloud** | **100** calendars + reminder-lists combined | [Apple Support 103188](https://support.apple.com/en-us/103188) |
| **Google Calendar** | **~100 owned** (soft recommendation, post-Nov-2025 ownership model) | [Workspace Updates 2026-01](https://workspaceupdates.googleblog.com/2026/01/automatic-addition-owned-secondary-calendars.html), [usecarly.com summary](https://www.usecarly.com/blog/how-many-calendars-google-account/) |
| **Fastmail** | **No documented cap on calendars.** 100 000 events/user. | [Fastmail account-limits page](https://www.fastmail.help/hc/en-us/articles/1500000277382-Account-limits) |
| **Nextcloud** | **30 per user** default; admin-configurable, `-1` = unlimited. Rate limit: 10 calendar-creations/hour. | [Nextcloud admin manual — Calendar](https://docs.nextcloud.com/server/stable/admin_manual/groupware/calendar.html) |
| **Radicale / Baikal / mailcow SOGo** | No published per-account cap (file-system / DB bound). | server defaults |
**Implications for the design:**
- "One calendar per project" is comfortably within all providers'
envelopes for typical HLC caseloads. A senior PA who tracks 40
litigations would land 40+ calendars, still inside iCloud's 100 and
Nextcloud's default 30 (would need an admin bump on Nextcloud — flag
in onboarding).
- "One calendar per case" can blow past Nextcloud's default 30 fast and
is a real risk on iCloud at the 60+ mark when combined with the
user's existing personal calendars + reminder lists. We should
**soft-cap** scope choices at the UI layer (warn at 20 bindings, hard
block at 80) rather than discover the limit by 5xx on PUT.
- Google Calendar's CalDAV endpoint does **not** support `MKCALENDAR`
reliably — calendars must be pre-created in the Google UI. iCloud,
Fastmail, Nextcloud, Radicale, Baikal, SOGo all accept `MKCALENDAR`.
So the "auto-create a calendar per project" affordance is provider-
dependent and must degrade gracefully ("we couldn't create it for
you — please make `Project X` in your calendar app and paste its
URL").
---
## §3 — Proposed data model
Three schema changes, no destructive migrations. The scalar
`appointments.caldav_uid` / `caldav_etag` columns survive as a
denormalised "default-binding" pointer through Slice 1 and 2; Slice 4
drops them after telemetry confirms no path still reads them.
### §3.1 New table: `paliad.user_calendar_bindings`
```sql
CREATE TABLE paliad.user_calendar_bindings (
id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
user_id uuid NOT NULL REFERENCES paliad.users(id) ON DELETE CASCADE,
calendar_path text NOT NULL, -- absolute URL or path under user_caldav_config.url
display_name text NOT NULL DEFAULT '', -- the label discovered via PROPFIND <displayname/>; what we show in the UI
scope_kind text NOT NULL, -- 'all_visible' | 'personal_only' | 'project' | 'client' | 'litigation' | 'patent' | 'case'
scope_id uuid REFERENCES paliad.projects(id) ON DELETE CASCADE, -- NULL for 'all_visible' / 'personal_only'
include_personal boolean NOT NULL DEFAULT false, -- only meaningful when scope_kind <> 'all_visible'/'personal_only'
enabled boolean NOT NULL DEFAULT true,
last_sync_at timestamptz,
last_sync_error text,
created_at timestamptz NOT NULL DEFAULT now(),
updated_at timestamptz NOT NULL DEFAULT now(),
UNIQUE (user_id, calendar_path), -- can't bind one calendar twice for the same user
UNIQUE (user_id, scope_kind, scope_id), -- one binding per scope per user — but a project can also be covered by 'all_visible'
CHECK ((scope_kind IN ('all_visible','personal_only') AND scope_id IS NULL)
OR (scope_kind NOT IN ('all_visible','personal_only') AND scope_id IS NOT NULL))
);
CREATE INDEX user_calendar_bindings_user_idx ON paliad.user_calendar_bindings(user_id) WHERE enabled;
-- RLS: row visible/writable only when auth.uid() = user_id (mirrors user_caldav_config).
```
**Why per-scope unique but not per-appointment unique:** an Appointment in
project P is allowed to land in both the user's `all_visible` calendar
AND their `project=P` calendar — that's the explicit "master + per-project"
hybrid m asked about. What we forbid is two different `project=P` bindings
for the same user, which would have no useful semantics.
**`scope_kind = 'personal_only'`** is a separate scope from `'all_visible'`
because the existing pushAll already covers both personal and visible-project
appointments; users may want a "personal only" calendar that does *not*
get the noisy team events. Without this, every binding either includes
personal events or doesn't, and there's no way to say "the master
calendar = everything except personal".
### §3.2 New table: `paliad.appointment_caldav_targets`
```sql
CREATE TABLE paliad.appointment_caldav_targets (
appointment_id uuid NOT NULL REFERENCES paliad.appointments(id) ON DELETE CASCADE,
binding_id uuid NOT NULL REFERENCES paliad.user_calendar_bindings(id) ON DELETE CASCADE,
caldav_uid text NOT NULL, -- still 'paliad-appointment-<uuid>@paliad.de' — same for all bindings of one appointment
caldav_etag text NOT NULL,
last_pushed_at timestamptz NOT NULL DEFAULT now(),
PRIMARY KEY (appointment_id, binding_id)
);
CREATE INDEX appointment_caldav_targets_binding_idx ON paliad.appointment_caldav_targets(binding_id);
-- RLS: visible/writable when the underlying binding's user_id = auth.uid().
```
**UID stays per-appointment, not per-binding.** That keeps the iCal UID
canonical (still `paliad-appointment-<uuid>@paliad.de`), so when a user
removes a binding and re-adds it later, the same UID rebinds without
spurious duplicates. The `.ics` filename in the calendar — `<uid>.ics`
— is also identical across bindings, which means the same UUID
shows up in different calendars on the same server but never collides
because they're under different `calendar_path` collections.
### §3.3 Row examples for the four common organisations
| Organisation | Rows in `user_calendar_bindings` |
|---|---|
| **A — one cal, everything** | 1 row: `scope_kind='all_visible'`, `calendar_path='/cal/work'` |
| **B — one cal per project** | N rows, all `scope_kind='project'`, distinct `(scope_id, calendar_path)` |
| **C — master + per-project hybrid** | 1 row `scope_kind='all_visible'` + N rows `scope_kind='project'`. Each project event appears in both. |
| **D — personal split from work** | 1 row `scope_kind='personal_only'``/cal/personal` + 1 row `scope_kind='all_visible'` (which will include the same personal events, so the user will more commonly pair `personal_only` with a `scope_kind='client'` per-client work view instead). |
### §3.4 What stays unchanged
- `paliad.user_caldav_config` — still holds the server URL, username,
encrypted password, and a per-user `enabled` flag. The existing
`calendar_path` column becomes a hint for the **default binding** we
auto-create on migration and is no longer read by sync logic after
Slice 1 ships. We keep it nullable-on-read for forwards-compat then
drop in Slice 4.
- `paliad.caldav_sync_log` — still per-user; sync entries gain a
`binding_id` column (nullable for legacy rows) so the UI can show
per-calendar last-sync state.
- iCal serialisation (`caldav_ical.go`) — unchanged. Same VEVENT
formatter feeds every binding.
- AES-GCM credential encryption (`caldav_crypto.go`) — unchanged.
---
## §4 — Sync engine implications
The shape of the per-user goroutine stays. The body of `syncOnce`
moves from "push to one path / pull from one path" to "for each
enabled binding, push the scope-filtered slice / pull from that path".
### §4.1 Push fan-out
```go
// pseudocode for the new pushAll body
bindings := s.bindings.ListEnabled(ctx, userID) // 1..N rows
for _, b := range bindings {
appts := s.appointments.ForBinding(ctx, userID, b) // scope-filtered
for _, a := range appts {
body := formatAppointment(&a)
etag, err := cli.PutEvent(ctx, b.CalendarPath, terminUID(a.ID), body)
if err != nil { continue } // best-effort, per-binding error
s.targets.Upsert(ctx, a.ID, b.ID, terminUID(a.ID), etag)
}
// Remove events from this calendar that no longer belong to the scope.
for _, stale := range s.targets.DanglingForBinding(ctx, b.ID, currentIDs(appts)) {
cli.DeleteEvent(ctx, b.CalendarPath, stale.CalDAVUID)
s.targets.Delete(ctx, stale.AppointmentID, b.ID)
}
}
```
`ForBinding(userID, b)` is the scope filter:
- `all_visible` → existing `AllForUser(userID)`
- `personal_only` → appointments with `project_id IS NULL AND created_by = userID`
- `project` → appointments where `project_id = scope_id` AND visible to user
- `client` / `litigation` / `patent` / `case` → appointments where the
ancestor at the relevant hierarchy level = `scope_id` AND visible to user
- when `include_personal = true`, union with personal events on top of the above (only for non-`all_visible`/`personal_only` scopes)
This reuses the existing `can_see_project()` predicate (per project
CLAUDE.md, team-based RLS), so visibility shrinkage on a project unshare
falls out naturally: next push sees the appointment is no longer in
`ForBinding(...)`, sees a dangling target row, issues `DeleteEvent`.
### §4.2 Pull reconciliation
Each binding has its own pull pass against `b.CalendarPath`. The
matching key is still `caldav_uid` — same UID across all bindings, so
`appointments.FindByCalDAVUID(uid)` resolves the local row. The
**ETag check is per-target row** now, not per-appointment: a remote
edit in calendar X bumps the etag in `appointment_caldav_targets` for
binding X only. The local Appointment is updated once (last-write-wins
on Appointment.updated_at), the next push tick re-syncs the other
bindings with the new payload (they see their stored etag is older
than the appointment's `updated_at` and re-PUT).
**One subtle change:** the foreign-UID skip (`extractAppointmentID == ""`)
still applies per-binding pull. That preserves the v1 "Paliad owns its
UIDs" property — multi-calendar does not open the door to importing
events the user creates in their calendar app. (If/when that becomes
in-scope, it's a separate t-paliad-* design.)
### §4.3 Hooks (instant push)
`OnAppointmentCreated/Updated/Deleted` fan out across all the user's
enabled bindings that match the appointment's scope. Same 30s-timeout
background goroutine. The user-facing request still returns
immediately; the failure mode is identical (best-effort per binding,
logged on `slog.Warn`).
### §4.4 Bandwidth & rate limits
- Per user per tick: **N bindings × 1 PROPFIND + per-event GETs**.
The pull GET is the dominant cost; a 50-binding user with 20 events
per calendar is ~1 000 GETs/min, which is fine over HTTP/1.1 to a
decent CalDAV server but **does** put us inside iCloud's
~throttle-friendly band and risks Google's quota model.
- Mitigation: switch pull to **`REPORT` `calendar-multiget`** so each
binding's events come back in one round-trip. That's a single
iteration on `caldav_client.go` (the same multistatus parser
already handles the body) and pays for itself the moment a user
has >10 events per binding. We deliberately deferred this in
Phase F (one calendar, low volume) — multi-calendar makes it
table-stakes. Plan to land it in **Slice 2** alongside the picker.
- Rate limiting on the Paliad side: keep the 60s ticker, but stagger
per-binding pulls so we never fire N concurrent PROPFINDs against
the same provider. Sequential per binding is fine; we already do
this implicitly with the per-user goroutine.
### §4.5 Server-side cleanup on binding delete
User deletes a binding → service:
1. Lists every (appointment, binding) target row for that binding.
2. Issues `DELETE` per `.ics` on the remote calendar (best effort).
3. Deletes the target rows.
4. Deletes the binding row (or relies on `ON DELETE CASCADE` from
target FK — cleaner to delete remotely first, then drop the row,
so a half-failed cleanup leaves rows we can retry on next tick).
A "leave events behind in the external calendar" toggle is a real
ask (users sometimes archive bindings without wanting their calendar
app to suddenly empty). Plumb it as `binding.cleanup_on_delete bool`
in Slice 2 if there's demand; default `true` (delete).
---
## §5 — Bidirectional vs one-way
**Recommendation: stay bidirectional, identical to today's semantics,
per-binding.** Reasons:
1. **m's stated workflow expects round-trip.** Drag a deadline in
Outlook → Paliad sees the new date → approval flow triggers
(t-138). One-way push breaks that. Multi-calendar doesn't change
this expectation; if anything, it strengthens it (the user picked
the project-cal binding *because* they intend to edit there).
2. **The conflict model is already in place.** Last-write-wins on
ETag, foreign-UID skip, `LogConflict` audit append. Multi-calendar
adds one new question: "if the user edits the same event in two
different bindings between ticks, which wins?" Answer: the one
that lands first in our pull pass. Bindings are iterated in
`created_at` order so the behaviour is deterministic, and the
second edit gets overwritten on the next tick when we re-push the
resolved appointment to it. Acceptable trade-off; would only show
up if a user actually edits the same event in two of their own
calendars within 60s, which is vanishingly rare.
3. **Approval-flow integration is unchanged.** Pending-approval
events have the `[PENDING APPROVAL]` marker baked into the iCal
summary by `caldav_ical.go:76+`. That marker survives multi-binding
fan-out untouched; an external edit on a pending event still has
the pre-existing bypass-the-gate hole (flagged §1, not in scope).
**Tee-up for m's call:** if multi-calendar is the wrong moment to
keep bidirectional (e.g. because per-project calendars are about
**read-only visibility for partners**, not editing), we'd add a
`binding.read_only bool` column and skip the pull pass for that
binding. Cheap to add now or later. **I recommend defaulting
`read_only = false` (bidirectional like today) and only making it
optional if m's first session with the UI surfaces the need.**
---
## §6 — User-facing config model
Surface on `/einstellungen/caldav` (already exists for Phase F creds).
Two sections, in this order:
1. **Server** (existing) — URL, username, password, "test connection".
Unchanged.
2. **Calendars** (new) — list of bindings as cards / rows. For each:
`display_name`, `calendar_path`, `scope_kind` chip (master /
personal / project / …), `enabled` toggle, last-sync status, action
buttons "Edit scope" / "Remove".
3. **Add a calendar** — flow:
- **a)** click "Add". Modal opens. We do a `PROPFIND
<calendar-home-set>` against the user's server to discover their
existing calendars; show as a picker. (RFC 6638 / 4791 calendar
home set discovery — supported by iCloud, Fastmail, Nextcloud,
Radicale, Baikal, SOGo. Google CalDAV does not expose this
reliably; for Google users we degrade to a manual path entry box.)
- **b)** user picks an existing calendar, or chooses "Create new
calendar". Create-new attempts `MKCALENDAR` (works on iCloud,
Fastmail, Nextcloud, Radicale, Baikal, SOGo; fails on Google →
friendly error with copy-paste instruction).
- **c)** user picks the **scope**: a radio between "Everything I can
see", "Personal only", "One project", and (later) "One client /
litigation / patent / case". Project picker uses the existing
`/api/projects?…` autocomplete.
- **d)** "Save" → POST `/api/caldav-bindings`. The next 60s tick
starts pushing into the new calendar; the UI shows "Initial
sync running…" with a live last-sync indicator (already polled
by the existing `caldav-config` page).
4. **Quick-add affordances** (Slice 3 polish, not v1):
- On a project's `/projects/<id>` page: "Open in calendar app" link
if a binding already exists for that project, "Pin to a new
calendar" if none does (deep-links to the Add-a-calendar modal
pre-filled).
- Bulk action "Create one calendar per active litigation" on
`/einstellungen/caldav` (requires `MKCALENDAR` support; gated
behind a server-capability probe at first PROPFIND).
5. **Soft limits in the UI:**
- At **20 bindings**: yellow info banner "Most users keep ≤ 20
calendars; review your list before adding more."
- At **80 bindings**: red error, block adding new (we don't know
the user's provider for sure; 80 is a safe ceiling for iCloud
and Nextcloud-default).
- Provider hint surfaced under the Server form: parsed from the
URL host, with a "your provider's documented limit" line —
pure courtesy, not enforced.
### §6.1 What the API contract looks like
| Verb + Path | Body / Returns | Notes |
|---|---|---|
| `GET /api/caldav-bindings` | array of binding rows + sync status | replaces having to interpret `user_caldav_config.calendar_path` |
| `POST /api/caldav-bindings` | `{calendar_path, display_name, scope_kind, scope_id?, include_personal?}` → created binding | triggers immediate sync goroutine wake-up |
| `PATCH /api/caldav-bindings/{id}` | partial; toggle `enabled` or change `scope_*` | re-runs `pushAll` for this binding |
| `DELETE /api/caldav-bindings/{id}` | — | deletes external events first, then row |
| `GET /api/caldav-discover` | array of `{href, displayname}` from server `<calendar-home-set>` | populates the picker; cached 5 min |
| `POST /api/caldav-mkcalendar` | `{display_name, color?}` → `{calendar_path}` | issues `MKCALENDAR`; returns 501 on Google |
`GET /api/caldav-config` still works (back-compat for the server-creds
section); its `calendar_path` field is documented as "deprecated, see
/api/caldav-bindings".
---
## §7 — Slice plan
Tracer-bullet slices so each is independently shippable, safe to
revert, and gives the user something they can see.
**Slice 1 — Schema + backfill (no UI change).**
- Migration: create `user_calendar_bindings`, `appointment_caldav_targets`.
- Backfill: for every existing `user_caldav_config` row, insert one
`bindings` row `(user_id, calendar_path, display_name='', scope_kind='all_visible', enabled)`.
For every Appointment with non-null `caldav_uid`, insert one
`appointment_caldav_targets` row pointing at the user's new default
binding.
- Refactor `CalDAVService.syncOnce` / `pushAll` / `pullAll` to drive
off bindings (loop of length 1 per existing user). Behaviour
observably identical: same calendars, same events, same logs.
- `appointments.caldav_uid` / `caldav_etag` columns still exist and
are written for compatibility (treat them as denormalised pointers
to the default binding's target row). UI unchanged.
- **Exit criterion:** existing users see no change in their calendar;
`caldav_sync_log.binding_id` is populated for all new rows; manually
inserted second binding via SQL syncs correctly end-to-end on a
staging account.
**Slice 2 — Binding-picker UI + multi-binding support.**
- `/api/caldav-bindings` CRUD + `/api/caldav-discover` (PROPFIND
`calendar-home-set`) + `/api/caldav-mkcalendar`.
- New "Calendars" section on `/einstellungen/caldav` with the modal
flow from §6.
- **Land `REPORT calendar-multiget` pull** alongside (per §4.4).
Required, not optional, for the bandwidth profile multi-binding
introduces.
- Scope kinds enabled in v1: `all_visible`, `personal_only`, `project`.
Hierarchy scopes (`client`, `litigation`, `patent`, `case`) parked
for Slice 3.
- **Exit criterion:** m can pin a second calendar via the UI on
staging; events for project X appear only in the X-bound calendar
if his master binding is disabled, and in both if it's enabled.
**Slice 3 — Hierarchy scopes + project-page quick-adds.**
- Enable `scope_kind ∈ {client, litigation, patent, case}` — pure
filter-predicate change in `ForBinding(...)` using the existing
project-tree walker.
- "Pin to a new calendar" button on `/projects/<id>` and on the
/einstellungen page.
- Bulk "calendar-per-active-litigation" provisioner (with
`MKCALENDAR` capability probe).
- **Exit criterion:** real HLC PA can set up "one cal per
litigation" in <5 min on first try without inventor help.
**Slice 4 — Polish + cleanup.**
- Drop `appointments.caldav_uid` / `caldav_etag` after instrumentation
shows zero readers outside `CalDAVService` (`grep` + a one-week
query-log audit on the read replica).
- Soft-limit banners (20 / 80).
- `binding.read_only` and `binding.cleanup_on_delete` toggles if
asked for by then.
- **Exit criterion:** schema is final; no legacy paths remain in
`caldav_service.go`.
**(Out of scope across all four slices:** foreign-UID import, custom
event types per binding, per-binding colour mapping, MKCALENDAR for
Google. These are easy to add later if the data says so.)
---
## §8 — Open questions for m
1. **Bidirectional default for new bindings: yes/no?** I recommend
**yes** (matches today's single-cal behaviour and the round-trip
workflow expectation). A `read_only` per-binding flag is cheap to
add later if a real use case shows up. Decide now → Slice 1; decide
later → Slice 4.
2. **`personal_only` scope — keep or drop?** It's useful for users
who want a "noisy team master + clean personal" split, but it's
redundant for users who only use the master calendar. I'd keep
it; trivial to remove if m disagrees.
3. **`MKCALENDAR` (auto-create calendar) — ship in Slice 2 or defer
to Slice 3?** Shipping it in Slice 2 means we need the
capability-probe + Google-degrade UX up-front. Deferring means
Slice 2 users have to pre-create the calendar in their app and
paste the URL — workable but clunky. Default plan: **Slice 2,
with a clean Google-degrade message**.
4. **Soft cap numbers (20 / 80) — sensible?** Picked from §2
provider limits + "most paliad users will pick 15". m may
want different numbers — easy to tune.
5. **`/admin/caldav-bindings` view for support debugging?** Not in
the slice plan; useful if a user calls confused about which
calendar holds which event. Add if m wants it.
6. **Approval-flow + remote-edit gap (§1, the bypass) — fix scope?**
Pre-existing in single-cal Phase F. Multi-cal makes it more
visible. Should this be a follow-up under t-138, or folded into
Slice 3? I'd file as a separate task.
---
## §9 — Why this is the right shape
- **Single CalDAV server per user, N bindings.** Matches every real
provider's auth model (one auth blob covers all the user's
calendars) and keeps `caldav_crypto.go` and `user_caldav_config`
untouched.
- **Binding scope is a row, not a static config.** Users compose
the organisation they want without us guessing; defaults (one
master binding on migration) preserve current behaviour.
- **UID stays per-appointment.** Means an event re-binding (move
from project-cal to master-cal) is just shuffling target rows,
not minting new UIDs. Re-importing into the same calendar later
rebinds cleanly.
- **Sync engine shape is unchanged.** Same per-user goroutine, same
60s tick, same hooks. The blast radius of multi-binding is one
inner loop, gated behind a feature that backfills to a no-op for
every existing user.
- **Slices give m a vertical demo at each step.** Slice 1 is
invisible-but-shippable; Slice 2 is the first user-facing change
("you can pin a second calendar"); Slice 3 is "now organise by
project tree"; Slice 4 is cleanup.
- **No new external dependencies.** Same hand-rolled CalDAV client.
Adds one new verb (`MKCALENDAR`) and one new report
(`calendar-multiget`) — both small, both already half-tested
against `caldav_client.go`'s patterns.
---
## §10 — Sources
- [Apple Support — Limits for iCloud Contacts, Calendars, Reminders, Bookmarks, and Maps](https://support.apple.com/en-us/103188) — iCloud 100 combined calendars + reminder lists.
- [Google Workspace Updates — Automatic addition of owned secondary calendars, Jan 2026](https://workspaceupdates.googleblog.com/2026/01/automatic-addition-owned-secondary-calendars.html) — Google ~100 owned recommendation.
- [Fastmail — Account limits](https://www.fastmail.help/hc/en-us/articles/1500000277382-Account-limits) — 100k events/user, no documented calendar count cap.
- [Nextcloud admin manual — Calendar / CalDAV](https://docs.nextcloud.com/server/stable/admin_manual/groupware/calendar.html) — default 30, configurable, 10/hr rate limit.
- Live verification against `internal/services/caldav_*.go` and `paliad.user_caldav_config` / `paliad.appointments` schema on the youpc Supabase instance.
---
## Addendum — m's decisions (2026-05-19)
Walked through §8.1§8.6 with m via AskUserQuestion. Decisions are
locked in for the coder shift; revisit only on Slice-3 feedback.
| Q | Decision | Implication for the slice plan |
|---|---|---|
| **§8.1 — Bidirectional default** | **Yes — bidirectional by default** | No `read_only` flag in Slice 13. Multi-cal inherits Phase F's last-write-wins / foreign-UID-skip semantics unchanged. Per-binding `read_only` only added later if a real use case shows up. |
| **§8.2 — `personal_only` scope** | **Keep — first-class scope** | Ships in Slice 2 as one of the picker's radio options (`Everything I can see` / `Personal only` / `One project`). One enum value, one `ForBinding()` branch. |
| **§8.3 — MKCALENDAR timing** | **Slice 2 with Google-degrade UX** | Slice 2 includes `POST /api/caldav-mkcalendar` + capability probe. Google users get a friendly "create the calendar in your Google UI, paste the URL" fallback. iCloud / Fastmail / Nextcloud / Radicale / Baikal / SOGo get one-click "Create new calendar". |
| **§8.4 — Soft caps** | **No caps in v1, add later if data warrants** | Drop the 20-warn / 80-block UI guards from §6. Instrument `count(*)` on `user_calendar_bindings` per user as a Slice 2 telemetry add. Revisit if/when real distributions land. |
| **§8.5 — `/admin/caldav-bindings` view** | **Don't ship in v1** | Stays out of the slice plan. Support debugging goes via Supabase SQL until a real ticket lands. Frees Slice 4 polish for the legacy-column drop only. |
| **§8.6 — Approval-flow remote-edit gap** | **Separate task under t-138** | Out of scope for all four multi-cal slices. File the gap as a new `t-paliad-*` follow-up under t-138 so multi-cal stays clean and reverter-friendly. Pre-existing hole, surfaced not fixed. |
### Net effect on §7 slice plan
- **Slice 1** unchanged — schema + backfill, behaviour-equivalent.
- **Slice 2** = picker UI + `REPORT calendar-multiget` + **MKCALENDAR
with capability probe + Google-degrade message** + binding-count
telemetry. No `read_only` flag, no soft caps, no admin view.
Scopes enabled: `all_visible`, `personal_only`, `project`.
- **Slice 3** = hierarchy scopes (`client` / `litigation` / `patent` / `case`)
+ per-project quick-adds. **No** approval-gap fix folded in.
- **Slice 4** = drop legacy `appointments.caldav_uid` / `caldav_etag`.
Soft-cap banners only if Slice 2 telemetry says we need them.
### Net effect on §3 schema
No change. `user_calendar_bindings` still ships with the full
`scope_kind` enum (including `personal_only`). `appointment_caldav_targets`
unchanged. No `read_only` column in v1.
### Follow-ups to file as separate tasks
1. **`t-paliad-*` (under t-138):** approval-flow + CalDAV remote-edit
gap. `ApplyRemoteUpdate` bypasses the approval gate when an external
client edits a pending-approval event. Pre-existing in single-cal
Phase F. Owner: t-138 maintainer.
2. **(maybe) `t-paliad-*`:** soft-cap UI if Slice 2 telemetry shows
any user near the iCloud-100 / Nextcloud-30 envelope. Not pre-filed
— only opens if data warrants.

603
docs/design-paliad-data-export-2026-05-19.md Normal file
View File

@@ -0,0 +1,603 @@
# Paliad data export — Excel-first, scoped (org / project-subtree / personal)
Design: archimedes (inventor), 2026-05-19.
Task: **t-paliad-214**.
Branch: `mai/archimedes/inventor-excel-data`.
Status: READY FOR REVIEW — no code yet, awaiting m go/no-go on §11 open questions.
---
## 0. Premise check (live state, 2026-05-19)
Verified directly against the youpc Postgres `paliad` schema rather than against memory or older design docs.
**Migration tracker.** Latest applied is `100_ccr_visible_rule`; next is **101**.
**Row counts (org-wide today):**
| table | rows |
|------------------------|-----:|
| users | 47 |
| projects | 11 |
| deadlines | 26 |
| appointments | 5 |
| parties | 0 |
| notes | 4 |
| documents | 0 |
| project_events (audit) | 93 |
| project_teams | 3 |
| approval_requests | 8 |
| approval_policies | 160 |
| checklist_instances | 4 |
| deadline_rules | 254 |
| user_views | 2 |
| partner_units | 11 |
A full org export today is **< 600 rows of user content** plus reference data synchronous streamed download is plausible for every scope. We design for an order-of-magnitude head-room.
**Auth.** Passwords live in Supabase Auth (separate `auth` schema, not `paliad`). The `paliad.users` table has **no `password_hash` column** so the "don't export credentials" rule from the brief is enforced by absence, not by a column-deny list. Good.
**Visibility.** Row-level via `paliad.can_see_project(project_id)` (subtree-aware through ltree path). Already used as the predicate that gates every list endpoint. We reuse it for the **personal** and **project** scopes; the **org** scope bypasses it under `global_admin`.
**Documents.** Table exists, 0 rows. Phase H (AI Frist-Extraktion) is deferred per m's 2026-04-16 call. No `ANTHROPIC_API_KEY` on Dokploy. Therefore **this design does not concern itself with binary attachments** only with the metadata row when documents start landing.
**Audit trail.** Lives in `paliad.project_events` (93 rows). One row per lifecycle event with `event_type`, `metadata jsonb`, `event_date`, `created_by`. The auditing union (`AuditService.ListEntries`) joins 5 sources (project_events, partner_unit_events, deadline_rule_audit, policy_audit_log, reminder_log). For the export we treat `project_events` as primary; the four auxiliary logs are scope-specific.
**Existing export precedent.** `/admin/rules/export` + `/admin/api/rules/export-migrations` (handlers/admin_rules.go) admin-gated, streams a generated SQL artifact. Same shape as what we want for the Excel exports. Re-use the gating helper.
**No Go xlsx library on `go.mod` today.** This design picks **`github.com/xuri/excelize/v2`** in §3.
---
## 1. Why this exists
Two motivations, both load-bearing:
1. **Safety / backup.** A workbook on disk is a portable artifact independent of the running app. If paliad.de is down, a partner needs the matter file. If the Dokploy compose corrupts, IT needs a recent dump. If a deadline gets accidentally deleted, we want a recoverable snapshot.
2. **No lock-in.** A team or an entire org choosing to leave paliad must be able to walk away with their entire dataset in a format anyone can open. We promise this in writing as a trust signal exactly because the alternative (silently locking customers in) is what we built paliad to *not* be.
The export is therefore not a "nice analytics feature" it is **a contractual guarantee that the data is yours**. That framing shapes the design: completeness > convenience, portability > polish, every export auditable.
---
## 2. Scope definitions (precise)
Three scopes. The boundary is **what the caller is allowed to see**, joined with **what makes the artifact interpretable standalone**.
### 2.1 `org` scope
**Caller:** `global_role='global_admin'` only. There is no firm-admin role distinct from global_admin in paliad today (see §4).
**Content:** literally everything in the `paliad` schema that is user content or reference data the workbook needs to be readable. Specifically:
| sheet | source table(s) | notes |
|------------------------|-------------------------------------------------------------------|-------|
| `projects` | `paliad.projects` (all rows) | Full project tree including soft-deleted (status='deleted' / 'closed' if any). |
| `project_teams` | `paliad.project_teams` | profession + responsibility (post-t-148). |
| `project_partner_units`| `paliad.project_partner_units` | Derivation grants. |
| `deadlines` | `paliad.deadlines` | Including completed, cancelled. |
| `appointments` | `paliad.appointments` | Including completed. |
| `parties` | `paliad.parties` | All client / opposing-party data. |
| `notes` | `paliad.notes` | All four polymorphic targets resolved into the `target_kind`/`target_id` columns. |
| `documents` | `paliad.documents` metadata (file_path, file_size, mime_type, ai_extracted) | Binaries excluded (open Q1). |
| `audit_events` | `paliad.project_events` | Full audit trail per project. |
| `approval_requests` | `paliad.approval_requests` | Including completed / rejected, with `requester_kind` + `agent_turn_id`. |
| `approval_policies` | `paliad.approval_policies` | Both project-scoped and partner-unit-defaults. |
| `policy_audit_log` | `paliad.policy_audit_log` | Source #5 of the audit union. |
| `partner_units` | `paliad.partner_units` | Org chart. |
| `partner_unit_members` | `paliad.partner_unit_members` | Including unit_role. |
| `partner_unit_events` | `paliad.partner_unit_events` | Org-chart audit. |
| `checklist_instances` | `paliad.checklist_instances` | Per-project completion state. |
| `invitations` | `paliad.invitations` (status, role, expires_at) | Without raw tokens (open Q7). |
| `users` | `paliad.users` (id, email, display_name, office, profession, …) | Excludes `email_preferences` jsonb only if it carries channel secrets — none do today, but checked at export time. |
| `user_views` | `paliad.user_views` | Saved filters / custom layouts. |
| `user_card_layouts` | `paliad.user_card_layouts` | Project-card layouts. |
| `user_pinned_projects` | `paliad.user_pinned_projects` | Per-user pins. |
| `user_caldav_config` | `paliad.user_caldav_config` **without** the ciphertext column | URL + calendar IDs + last_sync; passwords NEVER exported. |
| `reminder_log` | `paliad.reminder_log` | Outbound digest history. |
| `caldav_sync_log` | `paliad.caldav_sync_log` | Per-user sync runs. |
| `paliadin_turns` | `paliad.paliadin_turns` | **Excluded by default** in org export (privacy — see §6) — admins opt in per Q5. |
| `email_broadcasts` | `paliad.email_broadcasts` | Outbound broadcast history. |
| `email_templates` + `_versions` | both | Custom firm templates. |
| **reference (read-only):** | `proceeding_types`, `event_types`, `event_categories`, `deadline_rules`, `deadline_concepts`, `deadline_concept_event_types`, `deadline_event_types`, `event_category_concepts`, `trigger_events`, `holidays`, `courts`, `countries` | One sheet per table, prefixed `ref__`. Embedded so the workbook is interpretable without paliad context. |
| **deferred audit (admin opt-in):** | `deadline_rule_audit`, `policy_audit_log`, `partner_unit_events`, `caldav_sync_log`, `paliadin_turns` | Behaviour per Q5/Q6. |
**Excluded unconditionally:**
- `auth.*` (Supabase Auth schema — not ours; the user can request their auth record from Supabase directly).
- `paliad_schema_migrations` (operational, no business meaning).
- `*_pre_NNN` shadow / pre-migration backup tables (rows are duplicates; the live table is canonical).
- Any future `*_secret` / `*_token` columns (see §6 deny-list mechanism).
**Edge cases:**
- **Soft-deleted rows:** paliad currently has no soft-delete columns (`deleted_at` etc.). When that lands, the org export includes them by default with a `deleted_at` column populated. Until then, this is a no-op.
- **Archived projects:** `projects.status` can be `'closed'` or future `'archived'` — export includes them (the whole point of backup is recoverability of closed matters).
- **Counterclaims:** `projects.counterclaim_of` is a self-FK. Export carries the column as-is; the relationship is reconstructable via the `id` column.
### 2.2 `project` scope
**Caller:** any team member of the project who passes the §4 profession-tier gate.
**Content:** one project + **all descendants** along the ltree path. The descendant walk is `WHERE path <@ root.path` (subtree-inclusive of root). Every entity gets filtered through `WHERE project_id IN (subtree_ids)`.
Per-sheet inclusion:
- `projects` (root + descendants, one row each)
- `project_teams` (membership for those projects)
- `project_partner_units` (derivation attachments)
- `deadlines`, `appointments`, `parties`, `notes`, `documents` (metadata), `audit_events`, `approval_requests`, `checklist_instances` — all scoped to subtree
- **users sheet — restricted columns:** only `id, email, display_name, office, profession` for users referenced by any FK in the export (created_by, assigned, etc.). Don't dump all 47 users when you only need 4. (Avoids accidental org-chart leak in a project-scope export shared externally.)
- **reference data:** `ref__proceeding_types`, `ref__event_types`, `ref__deadline_rules`, `ref__deadline_concepts`, `ref__courts`, `ref__countries`, `ref__holidays`. Same as org but a smaller universe is acceptable too — the v1 ships the full reference tables for simplicity (every row count is ≤ 300; size is moot).
- **Cross-project references** (e.g., a party referenced by a project outside the subtree): out of scope by the predicate. The export carries the foreign UUID so a re-import or merge could re-link, but the foreign row itself is not in the workbook. Edge case is rare — `counterclaim_of` is the only known cross-project pointer today.
**Edge cases:**
- **Partner-unit data:** `partner_units` is org-wide; project export carries only the unit ids attached via `project_partner_units`. The unit name + membership are loaded into the workbook on `partner_units` and `partner_unit_members` sheets (filtered to the attached units only).
- **Policies:** `approval_policies` rows include both project-scoped (the project + ancestors) **and** partner-unit-defaults attached to this project. Same MAX-of-sources logic as runtime.
- **Audit:** `project_events` for the subtree + (admin opt-in only) `deadline_rule_audit` rows whose rule was used by any deadline in the subtree. Default off — these are firm-wide curation logs and don't belong in a per-project handoff.
### 2.3 `personal` scope
**Semantics:** "everything I can see right now in paliad, framed as my data."
That definition resolves the ambiguity in the brief: personal scope is **not** "rows where I am `created_by`" — that misses everything I see by being on a team. It is **the RLS-visible projection of the schema for caller=me**, plus a handful of explicitly-personal sidecars (caldav config, my pins, my views).
Per-sheet inclusion:
| sheet | rows |
|---|---|
| `projects` | `WHERE paliad.can_see_project(id)` for the caller. |
| `project_teams` | Rows where `user_id = me` OR the row's project is in my visible set. |
| `deadlines` | Same project-visibility filter. |
| `appointments` | Same. |
| `parties`, `notes`, `documents` metadata, `audit_events`, `checklist_instances` | Same. |
| `approval_requests` | Rows where `requested_by = me` OR `decided_by = me` OR project ∈ visible set. |
| `me` (single-row sheet) | Caller's `users` row (id, email, display_name, office, profession, reminder_*, lang, escalation_contact_id). |
| `my_caldav_config` | The caller's `user_caldav_config` row **without** the encrypted password column — sync URL, calendar IDs, last_sync_at. |
| `my_views` | Caller's `user_views` rows. |
| `my_pinned_projects` | Caller's `user_pinned_projects` rows. |
| `my_card_layouts` | Caller's `user_card_layouts` rows. |
| `my_paliadin_turns` | Caller's `paliadin_turns` rows (currently restricted to `PaliadinOwnerEmail` = m, so this sheet is empty for everyone else). Sensitive: AI prompts + responses. **Default on for personal scope** — it's literally the caller's data. |
| `users_referenced` | Restricted: id + display_name + email for users referenced as FKs in the export. |
| reference tables | Same set as project scope. |
**Edge cases:**
- **Caller leaves a team:** the export reflects the moment-in-time visibility. A `generated_at` timestamp in the workbook header (`__meta` sheet) anchors this.
- **Caller is a global_admin:** their personal export is the entire org (because their visible set = all projects). This is by design — but we surface a banner ("Sie sehen alles, weil Sie global_admin sind. Ein org-scope-Export wäre identisch.") so they don't get confused thinking the personal-scope endpoint is broken.
- **Caller has no team memberships:** export contains the empty workbook + the `me` row + their caldav config + views/pins. Still useful — they can save their preferences.
### 2.4 Common columns across all scopes
Every export workbook contains a `__meta` sheet:
```
schema_version: 1
firm_name: HLC # from internal/branding.Name
scope: org | project | personal
scope_root_id: uuid or NULL # the project id for project-scope, NULL otherwise
generated_at: 2026-05-19T14:23:00Z
generated_by_user: <uuid> <email> # the caller
generated_by_label: archimedes / m / ... # display_name
row_counts: JSON {"projects": 11, ...}
paliad_version: <git sha at server build>
notes: free-form, e.g., "documents binaries excluded by design"
```
This pins provenance + reproducibility + diffability.
---
## 3. Format choices
### 3.1 xlsx as the primary format
**Library: `github.com/xuri/excelize/v2`.** De-facto Go xlsx library, pure-Go (no cgo, no external libreoffice), MIT, streaming writer for large workbooks, broad format-feature support (number formats, freeze panes, hyperlinks, sheet hide). The streaming writer (`NewStreamWriter`) is what we use — it writes rows one at a time without holding the whole sheet in memory. At 11-projects scale this is unnecessary; at 11k-projects scale it's essential, so we set the pattern now.
**Why not the alternatives:**
- `tealeg/xlsx` — older, unmaintained, no streaming.
- `qax-os/excelize` — same project as xuri/excelize (the github org renamed); xuri is the upstream.
- `360EntSecGroup-Skylar/excelize` — defunct fork.
**Workbook structure:** one **sheet per entity type**, *never* a mixed-type sheet with conditional columns. Reasons:
- Excel users sort + filter by column; a column that means "deadline due_date" on row 4 and "appointment start_at" on row 12 is unusable.
- The "self-describing" promise (no-lock-in) is satisfied by a workbook where every sheet is a flat table with stable column headers, not by a polymorphic blob.
- Cross-sheet relationships are represented by **UUIDs in foreign-key columns** + a `__lookup` sheet pairing UUID → display label (project title, user email) for the workbook's lifetime. This makes the workbook self-joining in Power Query / pivot tables.
**Sheet conventions:**
- Sheet names use `snake_case` matching SQL table names (`deadlines`, not `Fristen`). Reference tables prefixed `ref__`. Personal sidecars prefixed `my_`. Meta sheet `__meta`. The `__lookup` sheet sits last.
- Row 1 = column headers; frozen.
- Column 1 of every entity sheet is `id` (uuid).
- Dates: ISO 8601 UTC for timestamptz; `YYYY-MM-DD` for `date`. Always as Excel strings (not Excel date types) — Excel-date interpretation differs by locale (DE: `Tag.Monat.Jahr`, EN: `Month/Day/Year`) and silently corrupts on round-trip. A pinned ISO string is unambiguous and re-importable. Open Q4 covers whether to *also* mirror to native Excel dates for human convenience.
- Booleans: literal `TRUE` / `FALSE` strings, same reason.
- `jsonb` columns: serialised as compact JSON one-liners in the cell. Cell type = string. Power Query can `Json.Document` them.
- Arrays (e.g., `additional_offices text[]`): semicolon-joined string. Excel's CSV-array convention is the comma but our office codes use commas; semicolon avoids the collision.
- `text[uuid[]]` paths (the projects.path ltree): exported as the canonical dotted-uuid string.
**Encoding:** UTF-8 always. Excelize handles the xlsx packaging which is unicode-native. Umlaute round-trip correctly (verified pattern with tesla's CSV export in t-paliad-177).
### 3.2 CSV + JSON siblings
Per the no-lock-in promise, **xlsx is not enough on its own** — Excel is a proprietary format owned by Microsoft, and a workbook is opaque without a tool that understands it. For genuine portability we also produce:
- **CSV:** one file per entity sheet (no reference sheets — those go as JSON), UTF-8 with BOM (`\xEF\xBB\xBF`) for Excel-DE compat, RFC 4180 quoting, headers row 1. Identical column shape to the xlsx sheet.
- **JSON:** a single `paliad-export.json` per scope, top-level `{"meta": {...}, "tables": {"projects": [...], "deadlines": [...], ...}}`. Easiest for programmatic re-ingest. Reference tables included.
**Delivery shape:** all three formats live inside one `.zip` per export:
```
paliad-export-<scope>-<timestamp>.zip
├── README.txt # human-readable: what this is, how to read it
├── paliad-export.xlsx # canonical workbook
├── paliad-export.json # JSON twin (machine-readable)
├── csv/
│ ├── projects.csv
│ ├── deadlines.csv
│ ├── ...
│ └── ref/
│ ├── proceeding_types.csv
│ └── ...
└── __meta.json # standalone meta (same content as __meta sheet)
```
The `.zip` is the artifact users download. Default content is "all three" — there's no UI knob to pick (open Q1: should there be? Inventor pick = no, zip-only).
**Filename convention:**
```
paliad-export-{scope}-{timestamp}.zip
scope = org | project-<root-short> | personal
timestamp = YYYY-MM-DDTHHMMZ # UTC, no colons (Windows-safe)
```
Examples: `paliad-export-org-2026-05-19T1423Z.zip`, `paliad-export-project-Siemens-AG-2026-05-19T1423Z.zip`, `paliad-export-personal-2026-05-19T1423Z.zip`. The project-short is `slugify(root.title)` capped 40 chars.
**Determinism (Q6 question).** Two exports of the same scope at the same row state must produce **byte-identical** workbooks. xlsx is internally a zip of XML — file order in the zip is significant; excelize's default zip writer is non-deterministic. We can make this deterministic by sorting the file list before writing. JSON: keys sorted alphabetically. CSV: rows ordered by `id ASC` (stable). The only inherently non-deterministic field is `generated_at`; we externalise it to the filename and the `__meta` sheet, but the rest of the workbook is byte-stable. **Inventor pick: yes, deterministic.** Lets users diff exports and prove "nothing changed between Tuesday and Thursday."
### 3.3 Future-proofing — schema_version
`__meta.schema_version = 1`. When we add columns (e.g., projects.archived_at lands), we bump to 2 and note the additions in a `docs/export-schema-changelog.md`. Importers (us in the future, or a re-importer at a different firm) read schema_version first.
---
## 4. Authorization model
**Tightly mirrored to existing paliad role surfaces.** No new roles introduced.
| Scope | Required auth |
|---|---|
| `org` | `paliad.users.global_role = 'global_admin'`. Same gate as `/admin/*` pages (`auth.RequireAdminFunc` in `handlers.go:417`). |
| `project` | Caller must (a) pass `can_see_project(root_id)`, AND (b) have effective project profession ≥ **associate** on the root. The associate floor mirrors the conservative seed in `approval_policies` (t-154); paralegals + PA can see data but not extract it. m-tunable per Q2. |
| `personal` | Any authenticated user. No additional gate. |
**Profession ladder check** for project scope uses the existing `DerivationService.EffectiveProjectRole` (t-139 phase 2) — direct membership > ancestor > derived via partner-unit. Same surface that gates approvals; same surface gates extracts.
**Audit row written on every export run.** A new event_type into `paliad.project_events` for project-scope (so it appears on the project's Verlauf), `partner_unit_events` for org-scope (so it appears on the partner-unit audit log of the firm-admin's home unit), and `policy_audit_log` is too narrow — we likely want a **new** audit table for org-wide actions, OR we widen `project_events` to allow `project_id = NULL` org-wide rows. **Inventor pick: new table `paliad.system_audit_log`** — clean separation, integrates into the existing 5-source AuditService union as source #6. Migration 101 adds it.
`system_audit_log` columns:
```sql
id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
event_type text NOT NULL, -- 'data_export'
actor_id uuid REFERENCES paliad.users(id),
actor_email text NOT NULL, -- captured at write time, survives user deletion
scope text NOT NULL, -- 'org' | 'project' | 'personal'
scope_root uuid, -- project_id for project scope, NULL otherwise
metadata jsonb NOT NULL DEFAULT '{}'::jsonb, -- {"formats":["xlsx","json","csv"], "row_counts":{...}, "file_size_bytes":12345, "filename":"..."}
created_at timestamptz NOT NULL DEFAULT now()
```
The audit row is written **before** the export runs (so failed exports are still recorded) and **updated** with `file_size_bytes` + final `row_counts` on success. Failure case: separate `event_type='data_export_failed'` row with the error string in metadata. **The audit chain is the trust signal** — m sees who exfiltrated what, when, and how much.
**Headers on the response:**
- `Content-Disposition: attachment; filename="paliad-export-<scope>-<ts>.zip"`
- `X-Paliad-Export-Audit-Id: <system_audit_log.id>` — so an automated client can reference the audit row.
---
## 5. Trigger model
Three trigger surfaces:
### 5.1 On-demand button
- **Personal:** `/settings` → "Daten exportieren" card → button. POST `/api/me/export` → 200 with `Content-Type: application/zip`. Synchronous.
- **Project:** `/projects/{id}` → settings/cog menu → "Daten dieses Projekts exportieren". POST `/api/projects/{id}/export` → 200 zip. Synchronous. Includes a "Inkl. Unterprojekte" toggle hint (it's always subtree-inclusive — the toggle is purely informational, no off switch).
- **Org:** `/admin/data-export` (new page, card on `/admin`) → "Org-Export erstellen" button. POST `/api/admin/export/org`**async** by default (see §6.1). Returns 202 + `job_id`. UI polls `/api/admin/export/org/jobs/{id}` for status.
**Why org is async even at today's scale:** the principle isn't "is it slow now" — it's "the trigger model should not change as the firm grows." If the partner with the firm-wide button gets a different UX from the associate with the project button, we'd retrofit later. Sync at 600 rows works fine; the wrapping is `goroutine + channel + Server-Sent Events for live progress`, no new infra needed. See §6.1.
### 5.2 Scheduled exports
**Inventor pick — defer to slice 4.** Out of v1 scope. The reasoning: scheduling sits on storage + delivery + retention, all of which are *also* deferred to slice 3+. Building the scheduler before we know how + where the artifact lives is premature.
When it lands (slice 4), the model is:
- A new `paliad.scheduled_exports` table: `(id, scope, scope_root_id, owner_user_id, cadence, last_run_at, next_run_at, delivery)` where `delivery` is `{kind: 'email-link' | 'caldav-style-webdav', config: jsonb}`.
- A daily cron (mai cron or a `time.Ticker` goroutine) checks `next_run_at < now()`, runs the export, posts the link via the configured delivery channel.
- Cadence: weekly + monthly + on-status-change (e.g., "export when project closes" — a webhook from `projects.status` triggers).
For now (slice 1-2), users can right-click the on-demand button and bookmark the URL — that's the **only** scheduled-export-y thing we offer, and it's intentional: get the manual flow rock-solid before adding cadence.
### 5.3 API endpoint
Same endpoints as §5.1, callable directly with the standard cookie / bearer auth. We don't add a separate "API key" surface in v1 — paliad doesn't have personal access tokens today. If a user wants to script their personal export weekly, they can use cookie auth from `m/paliad` automation; that's enough until power-user volume justifies a real PAT surface.
For machine ergonomics: the `/api/...export` endpoints accept `?format=zip` (default), `?format=xlsx`, `?format=json`, `?format=csv-zip` query params. Only `zip` is documented; the others are internal but reachable for automation.
---
## 6. Storage + delivery
### 6.1 Synchronous vs async — per-scope picks
**Personal, project:** **Synchronous, streamed.** The handler holds the HTTP connection open, writes the zip directly to `http.ResponseWriter`. For 1MB-class exports (today's reality at every scale up to thousands of rows per entity) this is the right call — no persistence, nothing to garbage-collect, nothing leaking onto disk. Excelize's `NewStreamWriter` flushes rows as they're written so RAM stays bounded.
**Org:** **Asynchronous, in-process queue, on-disk artifact.**
- Submit (`POST /api/admin/export/org`) writes a `system_audit_log` row with status `pending` and dispatches a goroutine.
- The goroutine writes the zip to `/var/lib/paliad/exports/{audit_id}.zip` (configurable via `PALIAD_EXPORT_DIR`; on Dokploy this is a mounted volume).
- The goroutine updates the audit row's metadata with progress, then status `done` with `file_size_bytes` on success.
- The user polls `GET /api/admin/export/org/jobs/{audit_id}` (SSE or simple JSON) — when ready, a download link `GET /api/admin/export/org/jobs/{audit_id}/download` serves the file.
- Download deletes the file by default (one-shot link), or keeps it per Q3.
**Why not S3-style bucket?** Paliad already has a `documents` table that *will* need a binary store, eventually. Coupling export storage to that future store is right — but the future store doesn't exist yet, and we don't want to provision MinIO on mlake purely for exports. **Inventor pick: local disk in `PALIAD_EXPORT_DIR`** until/unless we provision a real object store; at that point the export storage moves there transparently.
### 6.2 Retention (Q3)
**Inventor pick: 7 days, then auto-delete.** Justifications:
1. Exports contain sensitive client data — minimising the retention window minimises blast radius if the Dokploy host is compromised.
2. 7 days covers a holiday-week round-trip ("I exported Friday, want to look at it Monday next week, missed the day-1 link").
3. The audit row in `system_audit_log` persists forever — you can always tell that an export happened, even after the artifact is deleted.
A cleanup goroutine runs daily, lists `system_audit_log` rows older than 7 days with non-NULL `file_path`, deletes the file, sets `metadata.deleted_at`. Audit row stays.
The `PALIAD_EXPORT_RETENTION_DAYS` env var is the knob (default `7`). m-tunable per firm.
### 6.3 PII / GDPR
This is where the design gets serious.
**At-rest encryption.** Files in `PALIAD_EXPORT_DIR` are plaintext on the Dokploy volume. The volume itself is encrypted at the host layer (Hostinger VPS disk encryption). We **do not** layer additional file-level encryption on the artifact — that would require a per-user key, key escrow, key rotation, all of which is over-engineered for a 7-day-retention exfil where the link is single-use behind cookie auth. The disk encryption + 7-day TTL + audit log is the trust boundary.
**In-transit encryption.** TLS via Dokploy + Traefik — paliad.de is Let's Encrypt-served. No raw HTTP path.
**Download authentication.** The download link `/api/admin/export/org/jobs/{audit_id}/download` requires the same cookie auth as the submit. No public signed URLs in v1 (deferred per Q8). When we add scheduled exports + email delivery (slice 4), we'll need expiring signed URLs — that design is captured then, not now.
**Data-subject requests.** A user invoking `/api/me/export` is, in effect, performing a self-serve GDPR Art. 15 data-portability request. Audit row records the request. If the firm receives a *third-party* DSR ("export the data my client Mr. Müller asked for"), a global_admin can run a project-scope export filtered to projects involving that client; this is a manual workflow we don't automate in v1 (open Q9).
**Right-to-erasure.** Out of scope. Erasure is a write path; export is read-only. They share no code.
**External sharing of export files.** A user who downloads an export and emails it to an external party has done so on their own authority and outside paliad's protection. We don't watermark the file (debated and rejected: watermarking introduces non-determinism, breaks diffability, and gives false security — anyone reading the zip can strip metadata). What we *do* document in the embedded `README.txt`:
> Diese Datei enthält möglicherweise vertrauliche Mandantsdaten. Sie wurde
> erzeugt am {generated_at} durch {actor_email} aus Paliad ({firm_name}).
> Die Weitergabe an Dritte erfolgt in eigener Verantwortung des Empfängers.
A simple "you broke the seal" notice is what we offer. It's a contract, not a control.
**PII column deny-list.** Hard-coded in `internal/services/export_service.go`:
- `paliad.users.password_hash` — doesn't exist, but the deny-list is the safety net if it ever does.
- `paliad.user_caldav_config.encrypted_password` — explicit drop.
- Any column whose name matches `(?i)secret|token|password|api[_-]?key|private[_-]?key` — caught at column-discovery time, errors loudly into `system_audit_log.metadata.warnings`.
- `paliadin_turns.assistant_response` — present in personal export of caller's own data; **off** in org export by default (m's call per Q5).
### 6.4 GDPR-completeness note
The export of one user's personal scope is **a partial Art. 15 disclosure** — it contains what's *in paliad's* control. Other systems (Supabase Auth row, mlake logs, CalDAV provider) are out of paliad's scope and not in the export. The embedded README states this explicitly so the user knows the workbook is the paliad-side answer, not a complete personal-data dump from "the firm."
---
## 7. Slice plan
Tracer-bullet shipping. Each slice is independently shippable and reviewable. The first slice closes the no-lock-in promise for the smallest, lowest-risk scope; later slices widen.
### Slice 1 — personal export, synchronous, xlsx + JSON
- Adds `excelize/v2` to `go.mod`.
- New `internal/services/export_service.go` with the column-discovery + writer plumbing for xlsx + JSON.
- New `internal/handlers/export.go` with `POST /api/me/export`.
- New `/settings` UI: "Daten exportieren" card + button.
- Migration 101: `paliad.system_audit_log` + `AuditService.ListEntries` 6th union branch.
- i18n keys (`settings.export.*`, `__meta.*`).
- Tests: `export_service_test.go` covers xlsx structure (one row each kind), JSON shape, PII deny-list.
Ships the no-lock-in promise for every user immediately. ~600-800 LoC + ~25 i18n keys.
### Slice 2 — project export, synchronous, xlsx + JSON + CSV-zip
- Generalises the export_service to scope-aware queries (the visibility predicate gets injected per scope).
- New `POST /api/projects/{id}/export`, gated by §4.
- Adds CSV writer alongside xlsx + JSON; bundles all three into `.zip`.
- Project-detail UI gets the export menu entry.
- README.txt template embedded.
- Tests + e2e (Playwright) on the project page button.
~800-1000 LoC. The CSV path generalises the xlsx column-discovery so the marginal cost is low. After this slice, two of three scopes are shipped and synchronous serves both.
### Slice 3 — org export, async with job tracking
- Adds the goroutine + on-disk artifact path + `PALIAD_EXPORT_DIR` env.
- `POST /api/admin/export/org` + job status + download endpoints.
- New `/admin/data-export` page (card on `/admin/`).
- Cleanup goroutine (daily, deletes artifacts > `PALIAD_EXPORT_RETENTION_DAYS`).
- Refactor: extract the now-common "writeExportToWriter" core from the synchronous path so async re-uses it.
~600-800 LoC. After this slice, all three scopes ship + audit trail is complete.
### Slice 4 — scheduled exports (deferred, not v1)
Designed in §5.2; building deferred until at least 2 firms ask. The contract surface is the `scheduled_exports` table + cadence + delivery channel.
### Slice 5 — API ergonomics (deferred)
Personal Access Tokens (the "I want to cron my own export" surface). Until there's a customer, we don't build the PAT issuer + revocation + audit.
### Slice 6 — GDPR DSR helpers (deferred)
A `/admin/data-subject-request` workflow to assemble a per-natural-person export across projects. Built on Slice 1-3 primitives; not blocked by them.
### Slice 7 — document binary inclusion (deferred until documents have rows)
When the `documents` table starts holding real files, the export adds a `documents/` subdir in the zip with the actual files, keyed by filename = `{document_id}.{ext}`. The metadata sheet links by id. Adds ~150 LoC + an env var for the file backend.
**Critical-path slices for v1: 1 + 2 + 3.** Everything after is layered, optional, m-prioritised when there's a real customer pull.
---
## 8. Trade-offs flagged
1. **xlsx-first means we own the `excelize` dependency forever.** Mitigation: excelize is the canonical Go xlsx — replacing it would be a multi-thousand-LoC migration, but the upstream is healthy (MIT, 17k+ stars, monthly releases). Acceptable lock-in.
2. **Determinism (sorted file order, sorted JSON keys, row-id-ordered CSV) is implementation discipline, not a library default.** Test that breaks if any future change introduces non-determinism is essential (helps reviewers + prevents regressions).
3. **Synchronous personal + project means a runaway export can block a request goroutine for seconds.** At today's data shape this is sub-second. Watchdog: a 30s context deadline on synchronous exports; over that, return 503 with "export too large — contact admin for async." Triggers slice 3 → slice 4 of the user's mental model.
4. **Per-scope endpoints triplicate similar code paths.** Mitigated by the shared `ExportSpec` struct + scope-aware predicate injection. Read carefully in code review — this is the place subtle scope leaks creep in.
5. **JSON twin is genuinely redundant for human users.** It's there for the no-lock-in promise (a Python script can re-ingest without Excel). The cost is one extra file in the zip + one extra serialisation pass. Acceptable.
6. **No diff tooling — yet.** Determinism enables `diff -r` between two extracted zips, but no in-app surface. Slice 4+ may layer "show me what changed between Monday's and Friday's export" once exports are scheduled and stored.
7. **`paliadin_turns` privacy default.** Currently restricted to `PaliadinOwnerEmail` so the table is empty for every other user. Personal export carries them by default ("your AI history"); org export by default does NOT (admin opt-in via `?include=paliadin_turns`). When Paliadin opens past owner-only (post-API cutover), revisit.
8. **Reference-data inclusion bloats every export.** 254 deadline_rules + 102 trigger_events + 56 concepts + … = ~1000 reference rows in every workbook regardless of scope. At zip-compressed sizes this is < 100KB and worth the standalone-interpretability. If the workbook gets too large later, ship reference data as a separate "paliad-reference-snapshot.zip" once + reference it from each export's README.
9. **Org export volume at firm-scale.** A 10k-project firm has ~50k deadlines and ~200k audit events. Even at 200 bytes/row average that's < 100MB comfortable for the async path with 4GB Dokploy RAM. Threshold concerns kick in at 1M+ rows, which is firm-class-of-100-attorneys territory. Designed for, not blocked on.
10. **Audit-log explosion.** A nightly cron + 47 users self-exporting = 50 audit rows / day. At a year that's 18k rows. Still trivial. No retention on the audit chain (the artifact retention does NOT touch audit-log retention the audit chain is the trust signal, see §4).
---
## 9. Recommended implementer
**Single PR, layered slices 1 → 2 → 3 as separate commits.** No DB-heavy migrations; the only schema add is `system_audit_log` (one table, one trigger if any). The hard work is in the writer abstraction.
- **Slice 1:** pattern-fluent Sonnet coder. ~600-800 LoC, mostly bookkeeping. Tests pin the shape.
- **Slice 2:** same hands as slice 1 (continuity matters here the writer abstraction is set in slice 1 and the project scope generalises it).
- **Slice 3:** same hands again. The async path is its own subsystem but the writer is unchanged.
**NOT cronus** per memory directive 2026-05-06 (retired from paliad).
**NOT m** this is a coder task end-to-end.
---
## 10. Inventor → coder transition (GATED per project CLAUDE.md)
Per `.claude/CLAUDE.md`: design phase ends here. No code touches the tree from inventor. Head's `mai-head` skill gates the coder shift after m's go on §11 open questions.
When approved, the coder shift opens on `mai/<coder-name>/data-export-slice-1` (fresh branch off main, NOT off the design branch design doc commit is the only artifact this branch carries forward via cherry-pick).
---
## 11. Open questions for m
The brief lists 8 candidate questions. After live-state verification I've collapsed + sharpened to 9, each with an inventor pick + reasoning. Will be asked sequentially via AskUserQuestion (paliad dogma no `## §X.Y` markdown dump on m, per t-paliad-154 lesson).
### Q1 — Bundle xlsx + CSV + JSON in one zip, or let user pick format?
**Inventor pick: bundle all three in one zip, no UI knob.**
Reasoning: the no-lock-in promise *requires* the JSON twin (Excel-independent re-ingest); the xlsx is the human-readable default; CSV is the universal lingua franca. Picking only one breaks the promise for some user. Bundle size at today's scale is < 1MB; even at firm-scale it's well under the email-attachment limit. The cost of a checkbox UI is more than the cost of three extra files.
Alternative: offer `?format=xlsx-only|json-only|csv-only` query params for the API surface, default to bundle. Documented in README only. We do this in v1 anyway since multi-format is what generates the zip in the first place.
### Q2 — Project-scope profession floor: associate (inventor pick) or member?
**Inventor pick: associate floor.**
A project export carries party names, addresses, decision-history, draft strategy notes. That's "I can write a paper for the partner" data, not "I can see the deadline calendar" data. Member is the bare-visibility tier (you got added to the team). Export is exfiltration needs the next tier up.
Alternative: gate by `responsibility ∈ {lead, member}` (no profession floor, only the project-team responsibility check). Cleaner architecturally separates the "can see" axis from the "can extract" axis using the same fields. Less restrictive in practice.
Worth choosing now because the gate text in the audit row mentions the tier.
### Q3 — Org-export artifact retention: 7 days (pick) or 30 / 90?
**Inventor pick: 7 days.**
Default conservative. m-tunable per firm via env var.
### Q4 — Excel dates: ISO strings only (pick) or also a mirrored native-Excel-date column?
**Inventor pick: ISO strings only.**
Native Excel dates are locale-poisoned (DE vs EN epoch interpretation flips, round-trip corruption when re-saved). ISO is the universal answer. Power users who want a sortable native-date column can derive it once in their workbook but the canonical export stays unambiguous.
### Q5 — `paliadin_turns` in org export: opt-in only (pick), or include by default?
**Inventor pick: opt-in via `?include=paliadin_turns` query.**
Today it's m-only data (`PaliadinOwnerEmail` gate), so the privacy stakes are low but the *moment* Paliadin opens beyond owner-only, the AI conversation history per user is the most sensitive personal data we carry. Setting the off-by-default precedent now means we don't accidentally start dumping it later.
### Q6 — Deterministic byte-for-byte exports: yes (pick) or accept timestamp drift in zip metadata?
**Inventor pick: yes, deterministic.**
Lets users diff exports across time. Cost: ~50 lines of `sort.Strings` + a custom zip writer with stable ordering. Worth it.
### Q7 — Invitation tokens in org export: drop them entirely (pick) or include as hash?
**Inventor pick: drop entirely.**
Tokens grant signup access. Including them in a backup creates a vulnerability surface an exfiltrated backup could be used to sign up as someone-else with their pending invite. Hashing doesn't help because the hash is what the URL contains. The invitation **row** (recipient, role, expiry, sent_at) is in the export; the token is not. If you need to re-issue, you do so from paliad's invite UI.
### Q8 — Public signed-URL downloads (for scheduled/email delivery): yes / not in v1 (pick)?
**Inventor pick: not in v1.**
Defer to slice 4. v1's download is cookie-authenticated only. Signed URLs are useful when the recipient is asynchronously notified (email link), which is the scheduled-export model and that whole subsystem ships later.
### Q9 — GDPR Art. 15 DSR helper UI: not in v1 (pick)?
**Inventor pick: not in v1.**
A global_admin can already assemble a DSR manually using project-scope exports filtered by client. v1 ships the primitives; v2 ships the workflow.
### Closing question for m: implementer
> Recommend pattern-fluent Sonnet for all three slices, same hands across (continuity matters for the writer abstraction). Specific name = your call.
---
## 12. m's decisions (addendum, 2026-05-19)
m walked the §11 questions live via AskUserQuestion. Results below these supersede the inventor picks where they differ.
- **Q1 Bundle format:** Bundle xlsx + JSON + CSV in one `.zip` per export. matches pick.
- **Q2 Project-scope floor:** **Any team member** (`responsibility ∈ {lead, member}`). **Deviation** from associate-floor pick m chose the looser axis-split gate. **Implementation update for §4:** project-scope auth becomes `(a) can_see_project(root_id) AND (b) caller is on project_teams for the root with responsibility ∈ {lead, member}`. The DerivationService profession check is dropped from the export gate; observers + externals + derived-only members still cannot extract. `system_audit_log.metadata` records the responsibility value the caller held at export time.
- **Q3 Org-export retention:** **90 days**. **Deviation** from 7-day pick. **Implementation update for §6.2:** `PALIAD_EXPORT_RETENTION_DAYS` default flips from `7` to `90`. The cleanup goroutine still runs daily; the threshold is just longer. Audit row unaffected (still persists forever).
- **Q4 Date format:** ISO 8601 strings only. matches pick.
- **Q5 paliadin_turns in org export:** **Never include in org export.** **Tighter** than opt-in pick. **Implementation update for §2.1 + §6.3:** the `paliadin_turns` row drops from the org-scope sheet table entirely no `?include=paliadin_turns` query param. Personal scope still carries the caller's own paliadin_turns (it's literally their data). The hard exclusion is enforced in `export_service.go`'s scope-aware sheet registry, not just in column-discovery, so a future schema addition can't accidentally re-include it.
- **Q6 Deterministic exports:** Yes. matches pick. (m answered freeform "1" alongside the batching request first option = deterministic.)
- **Q7 Invitation tokens:** Drop entirely. matches pick.
- **Q8 Signed URLs in v1:** Not in v1. matches pick.
- **Q9 GDPR DSR helper UI in v1:** Not in v1. matches pick.
**Net effect on slice plan:** unchanged shape, three modifications:
- Slice 2 gate logic uses `project_teams.responsibility` only (no profession lookup).
- Slice 3 default retention is 90 days (one env-var value change).
- Slice 1 + 3 sheet registry omits `paliadin_turns` from org scope entirely.
No other slice deltas. v1 still ships slices 1+2+3.
**Coder shift gating:** head still gates the implementation handoff; m's decisions here close §11 but don't auto-trigger coder work.
---
## 13. Adjacent / out-of-scope
- **Import path** explicitly out per brief. A round-trip "export then re-import" is appealing but is its own design (rebinding UUIDs, conflict resolution, schema_version migrations). Don't conflate.
- **Postgres replacement** the Excel workbook is a *backup* + *portability artifact*, not a data-model alternative. Postgres stays canonical.
- **t-paliad-212 (leibniz, CalDAV multi-calendar):** personal export already carries the caller's caldav config (minus ciphertext). When leibniz designs multi-calendar, the personal export's `my_caldav_config` sheet becomes a list rather than a single row handled by column-discovery automatically. No design conflict; flagged for confirmation when leibniz's design lands.
- **t-paliad-213 (mendel, test strategy):** export service warrants pure-function tests for column discovery, deny-list, scope predicate, plus one e2e (Playwright) per scope endpoint. Slice tests pin the contract; mendel's overall strategy decides framework choice.
---
## 14. References
- `docs/design-data-model-v2.md` projects + mandanten + ltree path + can_see_project predicate.
- `docs/design-approval-policy-ui-2026-05-07.md` 5-source audit union (this design adds the 6th source).
- `docs/design-profession-vs-project-role-2026-05-07.md` profession ladder for the §4 project gate.
- `internal/handlers/admin_rules.go:303` `handleAdminExportRuleMigrations` (precedent for admin-gated export-as-download).
- `internal/services/project_service.go:15` visibility predicate.
- `internal/services/derivation_service.go` `EffectiveProjectRole` for the project gate.
- `github.com/xuri/excelize/v2` chosen xlsx library.
---
**END OF DESIGN. Status: READY FOR REVIEW.**
Inventor parks until m's go/no-go on §11. No code touches the tree from this branch.

582
docs/design-paliad-test-strategy-2026-05-19.md Normal file
View File

@@ -0,0 +1,582 @@
# Design — Paliad Test Strategy (production-grade)
**Author:** mendel (inventor)
**Date:** 2026-05-19
**Task:** t-paliad-213
**Branch:** `mai/mendel/inventor-test-strategy`
**Status:** DESIGN READY FOR REVIEW. No test files / Make targets / CI configs touched. Awaiting m go/no-go on §5 slice plan + §6 open questions before any coder shift.
---
## 0. TL;DR
Paliad has accidental test discipline today: 59 `_test.go` files / 323 test functions in Go (≈45 % of services tested, ≈12 % of handlers tested) and 4 frontend test files for 90+ client modules (≈4 %). There is no committed end-to-end suite and no CI — every smoke pass is human-driven via the manual reports in `tests/`. The `mig 098` prod crash-loop, the `t-paliad-036` triple-bug after the German→English rename, and a long tail of UX regressions (deadline-done modal, calendar column drift) would all have been caught by a 10-test boot-and-click smoke pass.
This design proposes a six-layer test pyramid with a concrete tool per layer (stdlib `testing` + bun's built-in `bun:test` + `playwright` for E2E — nothing third-party we don't already use). It pins three lessons paliad has paid for in commits:
1. **No mocks at the service↔DB boundary.** Live-DB tests against a per-developer Postgres are the floor; in-memory mocks for `paliad.*` would have hidden every rename-after-DROP-CASCADE bug. Project preference is already in this direction (27/44 service tests are live-DB-gated); we double down rather than reverse.
2. **Migrations must dry-run before they merge.** Every recent prod-down (mig 098, mig 020-after-rename, mig 099 audit_reason gap) was a migration that compiled, passed `go test ./...` (which skips without `TEST_DATABASE_URL`), and broke on first apply against the real schema. A `make verify-migrations` target that does BEGIN/apply/ROLLBACK in CI fixes the entire failure mode.
3. **Browser-shaped bugs need a browser.** The fristenrechner cascade, shape-timeline render, calendar grid, inline paliadin widget — these are JS state machines. Bun's stdlib `bun:test` covers the pure parser/codec code; Playwright covers the auth-gated DOM. Don't try to substitute one for the other.
Six slices roll the strategy out as tracer-bullet PRs, each independently shippable. Slice 1 (migration dry-run harness) and Slice 4 (Playwright golden-path smoke) buy the most outage-prevention per LoC; the rest is widening proven patterns.
Six open questions for m at §6. Most surface a coverage-vs-cost trade-off — the picks that need m's call before any code lands are CI infrastructure choice (Q2), per-PR run-time budget (Q1), and live-DB-vs-dockerised Postgres (Q3).
---
## 1. Audit — what exists today
Counts taken on `mai/mendel/inventor-test-strategy` @ HEAD (2026-05-19, 100 migrations applied).
### 1.1 Go test inventory
| Package | Source files | Test files | Test functions | Notes |
|---|---|---|---|---|
| `internal/services` | 56 | 44 | ~200 | 26 live-DB-gated (`TEST_DATABASE_URL`), 18 pure-Go. 24 services have **no test file at all** — see §1.4. |
| `internal/handlers` | 59 | 7 | ~30 | Only auth-domain check, search, audit-parse, approval-error-mapping, redirects, verfahrensablauf-redirect, chart-404 covered. **53 handlers have no test file.** |
| `internal/auth` | small | 2 | ~10 | Session middleware + require-admin. |
| `internal/branding` | small | 1 | small | Firm-name override. |
| `internal/offices` | small | 1 | small | Office enum. |
| `internal/changelog` | small | 1 | small | Pure parser. |
| `internal/calc` | small | 1 | small | Fees / fee tables. |
| `cmd/server` | 1 | 1 | small | `main_paliadin_backend_test.go` covers env-gate selection. |
| **Total** | **133** | **58** | **323** | |
`go test ./...` runs all 58 files. Without `TEST_DATABASE_URL` set, 27 of them silently skip their live-DB cases — the suite still passes, but coverage of mutation paths drops to near zero.
### 1.2 Frontend test inventory
| Path | Test files | Tested |
|---|---|---|
| `frontend/src/client/filter-bar/url-codec.test.ts` | 1 | FilterBar URL codec round-trip. |
| `frontend/src/client/views/format.test.ts` | 1 | Date/time formatters (regression for t-paliad-153). |
| `frontend/src/client/views/shape-timeline-chart.test.ts` | 1 | Chart layout pure function. |
| `frontend/src/client/views/shape-timeline-cv.test.ts` | 1 | Continuous-view shape layout. |
| **Total** | **4** | Out of ~90 client modules (`frontend/src/client/*.ts`). |
All four use bun's built-in `bun:test` (no extra dep). No DOM/jsdom tests. No Playwright. No `bun test` script in `package.json` (`bun run build` is the only script).
### 1.3 End-to-end / smoke
- `tests/smoke-2026-04-25.md`, `tests/smoke-auth-2026-04-25.md`, `tests/smoke-auth-2026-04-26-cleanup.md` — human-written reports with screenshots committed under `tests/screenshots-*`. No code. No re-runnable script.
- `mai-tester` skill uses Playwright for ad-hoc runs; nothing committed.
- No `e2e/`, no `.gitea/workflows/`, no `.github/workflows/`, no `Makefile`.
### 1.4 Critical service paths with no test file
These are `internal/services/*.go` for which no `*_test.go` sibling exists:
| Service | Risk class | Why it matters |
|---|---|---|
| `caldav_service.go`, `caldav_client.go`, `caldav_crypto.go`, `caldav_ical.go` | High | Per-user push/pull goroutines + AES-GCM at rest. One pure parser test (`caldav_ical_timeline_test.go`) exists but the service + crypto + WebDAV client are blind. |
| `agenda_service.go` | High | Dashboard agenda query; reused by `/agenda` page. Exercised transitively by visibility tests but no direct test. |
| `dashboard_service.go` | High | Traffic-light + summary counts. Same story — transitively covered via visibility, no direct test. |
| `derivation_service.go` | Medium | Project-tree derivation (the new t-paliad-194-era subtree machinery). |
| `team_service.go` | Medium | Team membership / inheritance. |
| `partner_unit_service.go` | Medium | Dezernat replacement (t-paliad-070). |
| `party_service.go`, `note_service.go`, `link_service.go`, `checklist_instance_service.go` | Medium | All do project-scoped CRUD with the same RLS+audit pattern that `t-paliad-036` proved easy to break. |
| `appointment_service.go` | High | Hot — every calendar mutation. Exercised through approval tests but has no own test file. |
| `view_service.go` | Medium | Powers the substrate (`/views/*`). |
| `paliadin_jwt.go` | Medium | Per-turn JWT mint for the aichat path (`t-paliad-194`). No call sites in tests today. |
| `markdown.go` | Low | Glossary + checklist content render. |
### 1.5 Handlers with no test file
53 of 59. Notably: **`auth.go` itself** (login / logout / session creation), **`projects.go`** (the most-mutated entity), **`deadlines.go` / `appointments.go`** (writes), **`paliadin.go` / `paliadin_suggest.go`** (m-only routes — never click-tested), **`fristenrechner.go` / `fristenrechner_search.go` / `fristenrechner_event_categories.go`** (the cascade users live in), **`dashboard.go` / `agenda.go`** (landing), **`onboarding.go` / `onboarding_gate.go`** (every new user's first three minutes), **`invite.go`** (rate-limited write path). The currently-tested handlers (search, audit-parse, approval error mapping, etc.) are the cheap pure-Go ones; every handler that touches the DB is untested at handler level.
### 1.6 Live-DB test scaffold — is it sound?
The pattern (read from `internal/services/visibility_test.go`):
```go
url := os.Getenv("TEST_DATABASE_URL")
if url == "" { t.Skip("TEST_DATABASE_URL not set — skipping live DB test") }
if err := db.ApplyMigrations(url); err != nil { t.Fatalf(...) }
pool, _ := sqlx.Connect("postgres", url)
defer pool.Close()
// per-test seed + cleanup via DELETE + defer cleanup()
```
Verdict: **sound, but has rough edges that need addressing before we widen.**
- ✅ Migrations apply at test startup against the test DB — catches every "you forgot to add a CHECK" / "you reference a column that doesn't exist" before a real-DB-touching test runs.
- ✅ Per-test cleanup via `DELETE FROM ... WHERE id IN ($1,...)` is explicit and idempotent.
- ✅ The `paliad.paliad_schema_migrations` tracker collision noted in memory `0b900afa…` is a pre-existing issue, not introduced by this design.
- ⚠️ Cleanup-via-DELETE is fragile: a test that creates a row referenced by FK from another table needs to remember to clean both. A few existing tests (see `audit_service_test.go`) already chain 5+ DELETEs.
- ⚠️ Tests can't run in parallel against the same `TEST_DATABASE_URL` because they share schema state. `go test ./...` defaults to `-parallel` per-package; same-package tests with overlapping cleanup IDs can interfere.
- ⚠️ No CI today actually exercises `TEST_DATABASE_URL` — so every live-DB test is effectively run only on the author's laptop or not at all. Half the value is paid-for but unbilled.
### 1.7 Migration tooling
- `internal/db/migrate.go` embeds `migrations/*.sql` and applies on server boot via `golang-migrate/v4` with the `paliad_schema_migrations` tracker in `public` schema.
- 100 migrations on disk (`001``100`).
- **No dry-run gate today.** A bad migration breaks `paliad.de` at boot (Dokploy crash-loops the container). Recent prod incidents: mig 098 (submission code rename), mig 099 (with_po flag drop missed audit_reason gap), mig 020 (function rename without body rewrite — see memory `49a05cfa…`).
- `down.sql` exists for every migration but no test ever exercises it.
### 1.8 CI / deploy loop
- No CI. Push-to-main → Gitea webhook → Dokploy auto-builds the Dockerfile and replaces the container. The Dockerfile runs `bun run build` then `go build`. **Neither `go test` nor `bun test` runs in the build pipeline.**
- Pre-commit hooks: none in repo. Each worker runs `go build / go vet / go test / bun run build` by convention (see memories — every shipped task report ends with "build hygiene held").
---
## 2. Test pyramid — recommended shape
```
┌─────────────────┐
│ E2E (Playwright)│ ~10 flows
│ L6 │
└─────────────────┘
┌─────────────────────────┐
│ Handler integration │ ~30 routes
│ L5 (httptest + real DB)│
└─────────────────────────┘
┌──────────────────────────────────┐
│ Service-layer (live DB) │ ~60 tests
│ L4 (BEGIN/ROLLBACK harness) │
└──────────────────────────────────┘
┌──────────────────────────────────────────┐
│ Frontend DOM / cascade (bun:test+jsdom) │ ~15 modules
│ L3 │
└──────────────────────────────────────────┘
┌──────────────────────────────────────────────────────┐
│ Frontend unit (bun:test pure TS) │ ~30 modules
│ L2 │
└──────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────┐
│ Go unit (stdlib testing, table-driven, pure functions) │ ~150 tests
│ L1 │
└──────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────┐
│ Migration dry-run (make verify-migrations) │ 100 mig
│ L0 — gate on every PR │
└──────────────────────────────────────────────────────────────┘
```
### Layer 0 — Migration dry-run
**What:** Every `*.up.sql` in `internal/db/migrations/` is applied inside a single `BEGIN ... ROLLBACK` transaction against a scratch Postgres, in numeric order. The harness asserts each statement succeeds *and* asserts no statement leaves the schema in a `paliad_schema_migrations.dirty=true` state. A second pass applies all up-migrations end-to-end (no rollback) and then re-applies the latest up-migration to assert idempotency (every paliad migration since `t-paliad-070` has been written to be idempotent — this enforces it).
**Tool:** stdlib `testing` package, no third-party. Pattern: `internal/db/migrate_test.go` with a `TestMigrations_DryRun` driven from `TEST_DATABASE_URL`. A `make verify-migrations` target wraps it.
**Why this layer matters most:** Every recent prod-down was a migration. Catching them on a CI run before merge is the highest-leverage test investment paliad can make. Cost: one ~100-line Go file + one Postgres in CI.
**Coverage target:** 100 % of `*.up.sql` files. Hard gate on PR — no exceptions.
### Layer 1 — Go unit (pure)
**What:** `go test ./...` against pure functions — formatters, parsers, validators, calculators, fee tables, deadline calculators, projection lookahead clamping, codec round-trips. No DB, no HTTP.
**Tool:** stdlib `testing`. Table-driven `cases := []struct{...}{...}` style is already the house pattern (see `auth_test.go` / `projection_anchor_test.go`). **Do not introduce testify or any matcher library** — the current code reads cleanly without one, and 323 existing test functions don't need a rename pass.
**What's already there:** 19 pure-Go test files (calculator, mapping, codec, holiday, fees, etc.). Density is good; targeted infill rather than re-architecture.
**Coverage target:** Every pure function in `internal/services/`, `internal/handlers/`, `internal/calc/`, `internal/changelog/`. Aim for "every branch in a decision table has at least one test row." Don't chase % — chase "the obvious edge that would burn a coworker".
### Layer 2 — Frontend unit (pure)
**What:** `bun test` against pure TS modules — URL codecs (`filter-bar/url-codec`), formatters, parsers, i18n key correctness (every `data-i18n` attribute used in TSX has a key in `i18n.ts`), view-spec parsers, projection-row mapping helpers.
**Tool:** `bun:test` (built into bun, no install). Already in use in 4 files — extend the same pattern. Add `bun test` to `package.json` `scripts`.
**What to add:**
- i18n key audit (every `t("foo.bar")` and `data-i18n="foo.bar"` resolves in both `de` and `en`).
- `filter-bar/` types + render helpers (paliad has shipped 4 FilterBar slices; coverage is one codec test).
- `paliadin-context.ts` route table + entity extraction (the `[ctx …]` envelope is a stable contract paliadin's SKILL.md depends on; any drift here is a silent failure).
- `paliadin-starters.ts` registry — every route maps to ≥1 starter; every starter is bilingual.
- View-spec parsers in `views/`.
**Coverage target:** Every pure TS module in `frontend/src/client/`. Pages (TSX renderers) are E2E concern, not unit concern.
### Layer 3 — Frontend DOM (cascade / jsdom)
**What:** `bun test` with jsdom global, exercising the interactive cascade modules — the fristenrechner cascade builder, the shape-timeline render, the FilterBar UI (chips, panels), the calendar grid, the inline Paliadin widget message stream, the inbox-row click handler, the dashboard activity item navigation.
These modules contain enough state that pure-function tests miss real bugs (e.g. the t-paliad-098 `.entity-table` row-cursor lie was a CSS+DOM bug; t-paliad-099's modal close was a DOM-event bug; t-paliad-103's `::before` overlay click-swallow was a DOM bug).
**Tool:** bun + `happy-dom` is the lighter choice; if it can't handle event ordering, fall back to `jsdom`. Both are ESM-clean and bun-friendly. **Pick one and stick with it — running both means twice the dependency surface.** Default pick: `happy-dom` (smaller, paliad doesn't need legacy IE semantics).
**Pattern:** import the cascade module, build a minimal DOM (`document.body.innerHTML = …`), dispatch synthetic events, assert resulting state. Reuses the production renderers — no test-only fakes.
**Coverage target:** ~15 modules. Specifically:
- `client/filter-bar/index.ts` chip render + active-state.
- `client/fristenrechner.ts` cascade — most complex JS in the codebase; depend chains light up every UPC bug we know.
- `client/shape-timeline.ts` lane mode + track mode (envelope wire shape brittle to refactor).
- `client/projects-detail.ts` row click + Verlauf render.
- `client/paliadin-widget.ts` + `paliadin-context.ts` interaction.
- `client/inbox.ts` row-action click routing.
- `client/dashboard.ts` activity-item nav.
- `client/deadlines-calendar.ts` / `appointments-calendar.ts` column layout (the calendar-column-drift bug class).
Not unit tests; not E2E. They are the missing middle.
### Layer 4 — Service-layer (live DB)
**What:** Go service methods against a real Postgres, using the existing `TEST_DATABASE_URL` pattern. Two improvements:
1. **Replace per-test DELETE cleanup with a per-test transaction harness** — open a transaction, run the test inside it, ROLLBACK. Faster, isolating, no cleanup forgotten. Already viable because the service layer accepts `*sqlx.DB`-or-tx-shaped interfaces in many places; needs a small `internal/services/internal/testdb` package that exposes `WithTx(t *testing.T, fn func(*sqlx.Tx))`. Migration is mechanical, can happen alongside infill.
*Caveat:* some service methods open their own transactions internally (`approval_service.submit` is one). Those keep DELETE cleanup; the tx harness is a default, not a mandate.
2. **Make `TEST_DATABASE_URL` mandatory in CI.** Today these tests are skipped on every machine that doesn't `export TEST_DATABASE_URL=…` — i.e. they don't run on autoatic pipelines because there's no pipeline. Once CI exists (§3.5), it becomes a required env var.
**Tool:** stdlib `testing` + `sqlx` (already in `go.mod`). **No mocks at the service↔DB boundary.** This is m's hardest line — see global CLAUDE.md memory pattern and `t-paliad-036` (the bug that masked two other bugs would have been caught instantly by a real-DB test).
**Where to invest first:** Approval (already heavy), Projection (already heavy), Fristenrechner (already heavy), DeadlineService Create/Update/Complete/Delete with `pending_request_id` interplay, AppointmentService same, ProjectService visibility predicate, CalDAV push (the four CalDAV `*.go` files have zero direct test).
**Coverage target:** Every service method that mutates the DB has at least one happy-path live-DB test. RLS predicate (`visibilityPredicatePositional`) has one test per role (global_admin, member, non-member).
### Layer 5 — Handler integration (httptest + real DB)
**What:** Spin a real `services.DBService`, mount the protected mux, drive `httptest.NewRequest` + `ServeHTTP` against it. Auth via a fake session cookie produced by a `testauth.Login(t, userID)` helper that mints the same Supabase JWT shape `auth.UserIDFromContext` expects.
**Why:** The 53 untested handlers are where the request shape ↔ service interaction lives. Examples that would have caught real bugs:
- `t-paliad-036`'s "`/projects/{id}` 404 while `/api/projects/{id}` 200" mismatch — a 5-line handler test would have failed before the migration ran.
- mig 020's three-stacked bug — a handler test that POSTs a deadline and asserts a 200 + read-back row would have failed at submit-time, not boot-time.
- The audit-log query timezone bug — handler test asserts the JSON contains the expected `event_date`.
**Tool:** stdlib `net/http/httptest`. **No new framework.** Pattern: handler tests live next to the handler file (`internal/handlers/deadlines_test.go` next to `deadlines.go`).
**Coverage target:** Every handler that gates a state-changing route — `POST/PATCH/DELETE` flavour. Plus `GET` handlers that compose a non-trivial query (dashboard, agenda, search, audit-log).
### Layer 6 — End-to-end (Playwright)
**What:** A small Playwright suite (~10 flows) committed at `e2e/` with a `bun run e2e` entry. Targets a local `./paliad` against a scratch Postgres (the same `TEST_DATABASE_URL`). Each test logs in, drives the UI through one user journey, asserts visible state.
**Why ~10 not 100:** Per-PR budget caps at ~2 min total (§6 Q1). Playwright tests are the most expensive minute-per-confidence in this stack; they pay for themselves on the *golden path* and nothing else. The deep-coverage layer is L5; E2E is *"is the app still alive end to end?"*.
**Tool:** `playwright` (npm; bun installs cleanly). No third-party test runner — Playwright ships its own. Tests live in `e2e/*.spec.ts`. **Not bun:test.** Playwright's runner is purpose-built for browser-driving and integrates with their tracing — don't fight it.
**Cap:** 10 flows. If a new test wants in, an existing one must drop out (or we have a real reason to widen). This is the cheapest discipline available: it forces the suite to remain a smoke pass, not a regression-test dumping ground.
**Coverage target:** See §4.
---
## 3. Tooling — concrete picks per layer
| Layer | Tool | Already in deps? | Install? |
|---|---|---|---|
| L0 — migration dry-run | stdlib `testing` + `migrate/v4` | yes | no |
| L1 — Go unit | stdlib `testing` | yes | no |
| L2 — Frontend unit | `bun:test` | yes (built into bun) | no |
| L3 — Frontend DOM | `bun:test` + `happy-dom` | bun yes, happy-dom **new** | `bun add -d happy-dom` (one dep, ~200 KB) |
| L4 — Service live-DB | stdlib + sqlx | yes | no |
| L5 — Handler integration | stdlib `net/http/httptest` + sqlx | yes | no |
| L6 — E2E | `@playwright/test` | **new** | `bun add -d @playwright/test` + `npx playwright install chromium` |
Net new deps: **2** (happy-dom + playwright). Both are mainstream, both have small surface area, both align with bun's ecosystem.
Explicit rejects:
-**testify** — current tests read cleanly with stdlib; adding it forces a rename pass nobody wants.
-**vitest** — bun's built-in test runner is faster and the tests are already in `bun:test` shape.
-**dockertest / testcontainers-go** — m's preference is real-DB tests against the existing Postgres; spinning ephemeral Docker Postgres per package run adds latency and surface area for marginal isolation gain. See Q3.
-**sqlmock / gomock for DB** — banned by §0 lesson 1.
-**cypress** — Playwright is the better tool today, and the team's existing skill (`/mai-tester`) already uses it.
### 3.1 Per-PR run-time budget
Target (subject to m's call in Q1): **≤ 90 s for the gating tier (L0+L1+L2+L4 subset+L5 happy-path)**, ≤ 4 min for the full suite (add L3+L4 full+L6). The gating tier blocks merge; the full suite blocks deploy.
Indicative times (estimated, validate when slice 1 lands):
| Tier | Layers | Est. time | Blocks |
|---|---|---|---|
| **Gate (every PR)** | L0 + L1 + L2 + L5 happy-path + L4 critical | 6090 s | merge |
| **Full (every merge to main)** | + L4 full + L3 + L6 | 34 min | deploy |
### 3.2 CI — proposal, not commitment
paliad has no CI today. Two routes:
- **Gitea Actions** (m's stack already runs `mgit.msbls.de`). Self-hosted; same auth model as the rest of mAi. Adds a `.gitea/workflows/test.yml`. Postgres comes from a service container.
- **Stay click-deploy.** No CI. Workers run tests locally; Dokploy auto-deploys on green-main convention.
Recommendation: **Gitea Actions for the gate tier only** (L0 + L1 + L2), driven by a single short workflow. The L3-L6 expansion can be a follow-up once the gate tier proves stable. Deferred to Q2 for m's call.
### 3.3 Test DB — live YouPC vs ephemeral
The `paliad` schema lives on the shared YouPC Postgres (port 11833). Three options:
| Option | Pros | Cons |
|---|---|---|
| **Per-developer separate DB on YouPC** (`TEST_DATABASE_URL` per laptop) | Closest to prod; existing pattern. | Cleanup discipline matters; cross-developer contention possible. |
| **Ephemeral docker postgres per CI run** | Full isolation; parallel-safe; reset for free. | New infra; ~5 s container startup per CI invocation. |
| **Dedicated test DB on a paliad-only Postgres** | Isolated; cheap. | New infra to maintain. |
Recommendation: **option 1 for developers (no-op change), option 2 for CI** (Gitea Actions postgres service container). Deferred to Q3 for m's call.
### 3.4 Coverage targets
Don't gate on percentage. Gate on critical-path coverage (§4). Add `go test -coverprofile=` output to CI for visibility, not as a merge gate. Coverage % gating produces tests-for-tests'-sake; we want the tests that catch the bugs we've shipped.
---
## 4. Critical journeys — what MUST be covered
These are the golden-path flows. Anything not on this list is L1-L5 territory, not L6. The list is intentionally short; if it grows beyond 10, we are doing E2E wrong.
| # | Flow | Why it's critical | Layer mix |
|---|---|---|---|
| 1 | **Login → dashboard renders → traffic-light counts match** | Every user does this every day; broken auth = paliad is offline. | L6 (Playwright) + L5 handler (auth.go) |
| 2 | **Create project (Client → Litigation → Patent → Case)** | Hierarchy with team inheritance — the data model's spine. | L6 + L5 + L4 (project_service) |
| 3 | **Submit deadline → routes to /inbox → approver approves → state flips** | The 4-eye flow (t-paliad-138). Most-mutated paliad surface. | L6 + L5 (deadlines, approvals) + L4 (approval_service) |
| 4 | **Fristenrechner: pick proceeding → cascade fires → result shows** | The platform's flagship interactive tool. JS cascade. | L6 + L3 (fristenrechner cascade) + L4 (fristenrechner) |
| 5 | **SmartTimeline: anchor a projected row → predecessor-missing-error handled** | Recent Slice-2 work (t-paliad-173 / #31). High-touch surface. | L6 + L3 (shape-timeline) + L4 (projection_service) |
| 6 | **CalDAV sync: PUT a Termin → external client sees it, edits there → pull reconciles** | Owned-event semantics + foreign-UID skip rule from Phase F. Untested today. | L4 (caldav_service push/pull) — gated on Q3 (live YouPC vs ephemeral) |
| 7 | **Paliadin chat: anon visit hits 404; m's session opens widget; turn renders** | Owner-gated `/paliadin` is the only m-only surface. Quiet failures here are silent. | L6 (smoke) + L5 (paliadin_suggest) + L4 (paliadin / aichat_paliadin) |
| 8 | **/admin/rules: filter → edit one rule → lifecycle transition → audit log row** | Rules drive the cascade; bad edits break every user's fristenrechner. | L6 + L5 (admin_rules) + L4 (rule_editor_service) |
| 9 | **Onboarding: new user with allowed email → onboarding form → first project membership** | The new-user funnel; gateOnboarded middleware traps. | L6 + L5 (onboarding, invite) |
| 10 | **Migration boot smoke: spin paliad against an empty DB → server binds 8080** | Catches every mig-N crash-loop. | L0 (migration dry-run) + L4 boot-smoke variant |
Picks 1, 3, 4 and 10 are the highest-value-per-cost — they cover the routes most regressions land on (auth, mutation, cascade, boot).
---
## 5. Slice plan — tracer-bullet roll-out
Each slice is a shippable PR with a concrete deliverable, in order of expected outage-prevention payoff. Sized for a single coder shift unless flagged. No slice depends on a later one being merged. Hour estimates intentionally omitted (per global CLAUDE.md).
### Slice 1 — Migration dry-run harness + boot smoke (highest leverage)
**Branch:** `mai/<coder>/test-strategy-slice-1-migrations`
**Deliverable:**
- `internal/db/migrate_test.go``TestMigrations_DryRun` (per-mig BEGIN/ROLLBACK), `TestMigrations_EndToEnd` (full apply, then re-apply latest to assert idempotency), `TestMigrations_Down` (apply N→0).
- `Makefile` with `make verify-migrations` (the gate target), `make test` (run everything), `make test-go`, `make test-frontend`.
- `cmd/server/main_paliadin_backend_test.go` already exists; extend with a `TestMain_BindsHTTPAfterMigrate` that boots the full server against `TEST_DATABASE_URL`, asserts `:8080` is listening, then shuts down. Catches the mig-098-class crash-loop in a single test.
- README section: how to set `TEST_DATABASE_URL` locally.
**Catches:** Every mig-98-class crash-loop; every drop-cascade-with-stale-policy-name regression (t-paliad-036).
### Slice 2 — Service-layer infill: critical mutators
**Branch:** `mai/<coder>/test-strategy-slice-2-services`
**Deliverable:**
- Test files for the three highest-impact untested services:
- `internal/services/agenda_service_test.go` (live-DB, dashboard agenda query)
- `internal/services/dashboard_service_test.go` (traffic-light counts)
- `internal/services/team_service_test.go` (membership + inheritance — RLS-load-bearing)
- Tighten existing `approval_service_test.go` + `deadline_service_test.go` coverage of the create/update/complete/delete × pending-request matrix where there are demonstrable gaps.
- Add `internal/services/internal/testdb/withtx.go` — the per-test tx harness (optional adoption; existing tests stay).
**Catches:** RLS regressions, approval interplay regressions, dashboard count drift after schema renames.
### Slice 3 — Frontend bun:test setup + L2 infill
**Branch:** `mai/<coder>/test-strategy-slice-3-frontend-unit`
**Deliverable:**
- `frontend/package.json` `scripts.test = "bun test"`.
- New tests under `frontend/src/client/`:
- `paliadin-context.test.ts` (route table, entity extraction, selection truncation).
- `paliadin-starters.test.ts` (every route ≥1 starter, every starter bilingual).
- `filter-bar/index.test.ts` (chip render + active state — pure DOM-less helpers).
- i18n key audit: `frontend/scripts/i18n-audit.test.ts` parses every `data-i18n="…"` from `dist/` HTML and every `t("…")` call from `src/`, asserts both `de` and `en` resolve. Runs as part of `bun test`.
- `make test-frontend` wires `cd frontend && bun test`.
**Catches:** i18n drift (untranslated key shipped to user), context-envelope contract drift (paliadin SKILL.md depends on it), starter-registry regressions.
### Slice 4 — Playwright golden-path smoke
**Branch:** `mai/<coder>/test-strategy-slice-4-e2e`
**Deliverable:**
- `e2e/` directory at repo root.
- `playwright.config.ts` pointing at `http://localhost:8080` (paliad started by the test, not assumed).
- Five Playwright `*.spec.ts` files covering critical journeys 1, 3, 4, 7, 9 from §4.
- `make e2e` target that:
1. starts paliad against `TEST_DATABASE_URL`,
2. waits for `:8080` to be live,
3. runs `npx playwright test`,
4. tears the server down.
- `bun add -d @playwright/test` + `npx playwright install chromium`.
**Catches:** Auth regressions, deadline-mutation regressions, fristenrechner cascade regressions, owner-gated /paliadin leaks, onboarding-gate misbehaviour.
### Slice 5 — Handler integration tests for the 5 most-touched routes
**Branch:** `mai/<coder>/test-strategy-slice-5-handlers`
**Deliverable:**
- `internal/handlers/auth_test.go` extended with `TestLogin_HappyPath` + `TestLogout_ClearsCookie` (real DB).
- `internal/handlers/projects_test.go``TestProjectsCreate` (POST 200, row inserted, audit emitted), `TestProjectsGetByID_RespectsVisibility` (404 for non-member).
- `internal/handlers/deadlines_test.go``TestDeadlinesCreate_TriggersApproval` (verifies pending pill).
- `internal/handlers/appointments_test.go` — same shape.
- `internal/handlers/paliadin_test.go``TestPaliadinPage_404ForNonOwner`, `TestPaliadinPage_200ForOwner`.
- Shared `internal/handlers/testauth/testauth.go` — mints a session cookie for `userID` so handler tests don't reinvent auth seeding.
**Catches:** Handler ↔ service wiring drift, visibility-predicate handler-side bugs (t-paliad-036 bug 2 was exactly this), owner-gate bypass.
### Slice 6 — Frontend L3 (DOM) cascade tests
**Branch:** `mai/<coder>/test-strategy-slice-6-frontend-dom`
**Deliverable:**
- `bun add -d happy-dom`.
- DOM-driven tests for the three most-touched cascades:
- `client/fristenrechner.test.ts` (cascade activate → row appears → date-set fires fetch).
- `client/shape-timeline.test.ts` (lane render, track render, projected-row click).
- `client/filter-bar/index.test.ts` (chip click toggles state, URL params update).
**Catches:** The whole class of "the function exists and is unit-tested but the cascade in the browser doesn't fire it" bugs. This is the layer that catches t-paliad-098 / 099 / 102 / 103.
### Slice 7 — CI wiring (deferred — Q2 dependent)
**Branch:** `mai/<coder>/test-strategy-slice-7-ci` (gated on m's Q2 pick)
**Deliverable:**
- `.gitea/workflows/test.yml` (or stay click-deploy if m picks that).
- Gate tier runs on every PR; full suite runs on merge to main.
- Postgres service container provides `TEST_DATABASE_URL`.
- Slack/Gotify ping on red main.
**Catches:** Drift between "tests pass on my laptop" and prod reality.
### Slice 8 — Coverage reporting + dashboard (lowest priority)
**Branch:** `mai/<coder>/test-strategy-slice-8-coverage`
**Deliverable:**
- `go test -coverprofile=` aggregated into a single `coverage.html`.
- Bun's coverage output similarly.
- A `docs/coverage.md` index updated by CI.
- **Not a merge gate.** Visibility only.
**Catches:** Slow drift; nice-to-have once the floor is in.
### Slice order rationale
1, 4, 5 are the highest outage-prevention per LoC: migration dry-run kills crash-loops, E2E kills regressions, handler tests kill wiring drift. 2, 3, 6 widen the floor; 7-8 are infrastructure.
---
## 6. Open questions for m
These need m's call before any coder shift starts (or before specific slices start, where noted).
### Q1 — Per-PR test-run budget
How long is acceptable to wait on the gate tier before merge?
- 30 s — only L0 + L1 (no L2+ on the gate).
- **6090 s (recommended)** — L0 + L1 + L2 + L5 happy-path + L4 critical.
- 2 min — add L3 + L4 full.
- 4+ min — add L6 (E2E on gate).
The pick determines whether E2E gates merge or only deploy.
### Q2 — CI infrastructure
- **Gitea Actions** (self-hosted, gate tier only, recommended) — minimal new infra; aligns with m's existing stack.
- **Stay click-deploy** — workers run tests locally; merge discipline enforced by convention. Today's reality; we keep it.
- **Both:** start with click-deploy, add Gitea Actions in Slice 7 once gate tier proves stable.
### Q3 — Live-DB vs ephemeral docker Postgres for tests
- **Per-developer YouPC DB (current pattern)** — closest to prod; existing tests work unchanged.
- **Ephemeral docker postgres in CI, YouPC for devs (recommended hybrid)** — keeps local-dev simple, gives CI deterministic isolation.
- **YouPC everywhere** — simplest, but parallel CI runs would contend.
### Q4 — Coverage targets — % or critical-path?
- **Critical-path only (recommended)** — §4's 10 flows + every state-mutating service method has a test. No % gate.
- **% gate** — set a floor (e.g. 60 % lines, 50 % branches) and refuse merges below it.
- **Both** — critical-path is mandatory, % is informational.
m's prior preference (memory pattern: "tests that catch real bugs > coverage theatre") points at critical-path-only. Confirming.
### Q5 — Which slices land before paliad is "production-grade"?
paliad is already live at `paliad.de` and being used by HLC colleagues. "Production-grade" here means "next time someone ships, we don't go down."
Picks:
- **Slices 1 + 4 + 5 are the production-grade floor (recommended).** Migration dry-run + golden-path E2E + handler integration tests cover the failure modes that hit prod since the rebrand.
- Add Slice 2 + 3 + 6 as widening passes, on their own cadence.
- Slice 7-8 are nice-to-haves.
Confirming the floor pick — and whether m wants all three to land before any new feature work, or whether they roll out alongside.
### Q6 — Who owns each slice?
Recommendation: rotate coder slots so the same person isn't on every slice. Suggested assignment (head can override):
| Slice | Profile fit |
|---|---|
| 1 — migrations | Backend-heavy coder (knuth, gauss, cronus). |
| 2 — service infill | Backend-heavy coder; whoever owns approval/projection. |
| 3 — frontend unit | Frontend-heavy coder. |
| 4 — Playwright E2E | Cross-stack coder; ideally one familiar with `/mai-tester`. |
| 5 — handler integration | Backend coder. |
| 6 — frontend DOM | Frontend coder (same person as 3 makes sense). |
Inventor does **not** decide assignments; head + m do.
---
## 7. Out of scope (explicit)
- **No rewrite of any existing test.** The 323 existing test functions stay. New tests use the new patterns; old tests are migrated only when their files are touched for unrelated reasons.
- **No third-party framework where stdlib + bun:test suffice** (testify, vitest, etc. — see §3).
- **No mocks at the service↔DB boundary.** This is the lock-in. Mocks lie; the live-DB tests we already have are paliad's most useful safety net.
- **No new feature work in this strategy.** The doc proposes infra; feature scope is unchanged.
- **No retirement of the `tests/smoke-*.md` human-written reports.** Those are great for one-shot regression hunts; they coexist with the automated suite.
---
## 8. Implementation notes for the eventual coder
(For whichever coder picks up a slice. Not exhaustive.)
- **Test-name collisions in Go's flat package namespace bite when a service grows N implementations.** Memory note from `t-paliad-194` already records this. Prefix tests with the service name (e.g. `TestAichatPaliadin_RunTurn_…` not `TestRunTurn_…`).
- **`httptest.NewRequest` does not URL-encode** — use `url.QueryEscape` for any `?q=…` argument. Memory note from `t-paliad-026`.
- **sqlx v1.4.0 `Named` parser strips one colon from `::uuid[]`** — known pitfall, repro lives at `internal/services/project_service.go`. Use `CAST(... AS uuid[])` in new query strings.
- **Live-DB cleanup must DELETE FKs first.** Order matters (auth.users last). Look at `audit_service_test.go` for the chain pattern.
- **`paliad.paliad_schema_migrations` tracker collision** is documented but unresolved. Slice 1 should add a `make reset-test-db` target that drops both `public.paliad_schema_migrations` *and* `paliad.paliad_schema_migrations` to keep developers unblocked.
- **`bun:test` matchers are Jest-compatible** — `expect().toEqual()`, `expect().toHaveBeenCalled()`, etc. No deps needed.
- **happy-dom does not implement** every DOM method (notably some `<dialog>` semantics). If a cascade test fails on something missing, jsdom is the escape hatch.
---
## 9. Decision summary — pick list for m
| # | Question | Inventor recommends |
|---|---|---|
| Q1 | Per-PR budget | 6090 s gate, 34 min full |
| Q2 | CI infra | Gitea Actions, gate tier only |
| Q3 | Test DB | YouPC for devs, ephemeral docker for CI |
| Q4 | Coverage target | Critical-path only, no % gate |
| Q5 | Production-grade floor | Slices 1 + 4 + 5 before new feature work |
| Q6 | Slice ownership | Rotate per profile; head decides |
If m's calls match inventor's, the implementer's brief writes itself: Slice 1 first, then 4 + 5 in parallel, then 2/3/6 as widening passes.
---
**Status:** DESIGN READY FOR REVIEW. Awaiting m go/no-go on §5 slice plan + §6 open questions before any coder shift starts.
---
## 10. m's decisions (2026-05-19, locked)
Walked through §6 with m via the AskUserQuestion interview (per head's 2026-05-19 workflow rule: inventor questions are resolved before parking, not after). Six picks locked, all matching inventor's recommendation.
| # | Question | m's answer | Effect on plan |
|---|---|---|---|
| Q1 | Per-PR test-run budget | **Inventor's call** (m deferred). Pick: **6090 s gate, 34 min full.** | Gate tier = L0 + L1 + L2 + L5 happy-path + L4 critical. L6 E2E gates deploy, not merge. |
| Q2 | CI infrastructure | **Gitea Actions, gate tier only.** | Slice 7 adds `.gitea/workflows/test.yml` running the gate tier; full suite stays on merge-to-main. |
| Q3 | Test DB topology | **YouPC for devs + ephemeral docker for CI.** | Local dev unchanged. Slice 7 wires Postgres service container in Gitea Actions. |
| Q4 | Coverage target | **Critical-path only, no % gate.** | §4's 10 flows + every state-mutating service method gets a test. Coverage % output is informational in Slice 8, never a merge gate. |
| Q5 | Production-grade floor | **Slices 1 + 4 + 5 before new feature work.** | These three land before any new paliad feature gets a coder shift. Slices 2, 3, 6 widen the floor on their own cadence. Slices 7-8 are nice-to-haves. |
| Q6 | Slice ownership | **Head decides + rotate per profile.** | Backend slices (1, 2, 5) → backend-heavy coder. Frontend slices (3, 6) → frontend-heavy coder. E2E (4) → cross-stack. Head picks at dispatch time. |
**Implementer brief (post-m-decisions):**
1. **Slice 1 starts first** — migration dry-run harness + `make verify-migrations` + boot-smoke variant of `cmd/server/main_paliadin_backend_test.go`. Backend-heavy coder.
2. **Slice 4 + Slice 5 in parallel** once Slice 1 is merged — Playwright golden-path (cross-stack coder, 5 specs) and handler integration (backend coder, auth/projects/deadlines/appointments/paliadin).
3. Slice 7 (Gitea Actions wiring) follows once Slice 1 gate tier is proven locally.
4. Slices 2, 3, 6 enter rotation alongside feature work — not blocking.
5. Slice 8 (coverage reporting) lowest priority.
**Status:** DESIGN APPROVED — awaiting head's dispatch of Slice 1 coder shift.

784
docs/design-submission-generator-2026-05-19.md Normal file
View File

@@ -0,0 +1,784 @@
# Design — Submission generator (t-paliad-215)
**Author:** copernicus (inventor)
**Date:** 2026-05-19
**Issue:** m/paliad (task t-paliad-215, no Gitea issue filed yet)
**Branch:** `mai/copernicus/inventor-submission`
**Status:** DESIGN READY FOR REVIEW
---
## §0 TL;DR
Each row in `paliad.deadline_rules` represents a SUBMISSION — a filing,
hearing, or decision inside a proceeding (`submission_code` shape
`de.inf.lg.erwidg`, `upc.inf.cfi.soc`, …). The submission generator
takes a project + a submission_code, pulls a `.docx` template from
Gitea, merges in project variables (party names, court, case number,
patent number, our_side, deadline date, legal_source citation, firm
header), and streams the result to the browser as a download.
- **Scope (locked by m):** template-render to `.docx`. No LLM in v1.
- **Template registry (locked):** Gitea — same proxy pattern as the
existing HL Patents Style `.dotm` in `internal/handlers/files.go`.
- **Output (locked):** direct download, NO server-side binary
persistence. One audit row per generation; the bytes themselves are
regenerable from inputs on demand.
- **Lookup (locked):** fallback chain — firm-specific override →
base for the exact `submission_code` → generic for the proceeding
family → ultra-generic skeleton.
- **Slice 1 (locked):** one template, end-to-end, on one project.
Pick `de.inf.lg.erwidg` (Klageerwiderung) as the proof template.
- **AI-drafted body:** explicitly OUT of scope for this task. Lives
in §11 as a follow-up sketch only.
This design is read-only. No code, no migrations, no schema
additions. Implementation gate is m's go/no-go on this doc.
---
## §1 Premises verified live (2026-05-19)
Anchored against the running paliad codebase + youpc Supabase, not
against CLAUDE.md or memory. Where a claim load-bears the design, it
was checked against the live system.
| Claim | Verification |
|---|---|
| Migration tracker at **102** (next is 103) | `ls internal/db/migrations/``102_system_audit_log` is the latest applied. |
| `paliad.documents` table exists, is empty, no code writes to it yet | `SELECT COUNT(*) FROM paliad.documents` → 0 rows. Columns: `id, title, doc_type, file_path NULLABLE, file_size, mime_type, ai_extracted jsonb, uploaded_by, created_at, updated_at, project_id NOT NULL`. `grep` shows only `export_service.go` (audit-export only) and a comment in `render_spec.go`. No `document_service.go`, no `/api/documents` handler. |
| `paliad.deadline_rules` carries the submission corpus | 254 total rows, 158 unique `submission_code`s, 214 `published`. Per-row fields used by the generator: `name`, `name_en`, `submission_code`, `primary_party` (claimant/defendant/court/both), `event_type` (filing/hearing/decision), `legal_source` (e.g. `DE.ZPO.276.1`, `UPC.RoP.23.1`), `is_bilateral`. |
| Slice 1 target row exists in published state | `SELECT … WHERE submission_code='de.inf.lg.erwidg'``{name:"Klageerwiderung", name_en:"Statement of Defence", primary_party:"defendant", legal_source:"DE.ZPO.276.1"}`. |
| Project rows carry all variables we need to merge | `paliad.projects` has `case_number, court, patent_number, filing_date, grant_date, our_side, instance_level, proceeding_type_id, title, reference, client_number, matter_number`. |
| Party rows carry party variables | `paliad.parties` has `name, role, representative, contact_info jsonb` and is project-scoped via `project_id`. |
| The HL Patents Style proxy pattern is reusable | `internal/handlers/files.go`: `fileRegistry` map → Gitea raw URL + SHA-based cache + 5-min refresh check + binary download response with `Content-Disposition`. Cache is in-process (`sync.Mutex` over a `map[string]*cacheEntry`). Single web replica today (`docker-compose.yml`), so in-process cache is fine. |
| Email templates already use `{{.VarName}}` placeholders + a "variable contract" sidebar pattern | `internal/services/email_template_variables.go``EmailTemplateVariable{Name, Type, Description, SampleDE, SampleEN}` rendered in `/admin/email-templates`. Submission generator can copy this contract pattern. |
| Audit infrastructure landed in mig 102 | `paliad.system_audit_log(id, event_type, actor_id, actor_email, scope, scope_root, metadata jsonb, created_at, updated_at)` — submission_generated events slot straight in. |
| Branding source is `internal/branding.Name` | Default `"HLC"`, overridable via `FIRM_NAME`. Inlined into client bundles by `frontend/build.ts`. Submission templates honour this via the `{{firm.name}}` placeholder. |
| `paliad.can_see_project(project_id)` is the canonical visibility predicate | mig 055; `internal/services/visibility.go` mirrors it. Generator gates on this; no new auth surface. |
| Paliadin runs on the aichat backend (mRiver) with persona system | `internal/services/aichat_paliadin.go` + `personas.yaml` in `m/mAi/internal/aichat/persona/`. Owner-gated to `PaliadinOwnerEmail = matthias.siebels@hoganlovells.com`. A future AI-drafted body would be a new persona, not a new Go service. |
**Doc-vs-live conflicts found:** none material for this design.
`docs/project-status.md` still lists "Phase H AI Frist-Extraktion
deferred" — this design does NOT revive Phase H (different surface;
this is template merge, not document understanding).
---
## §2 m's decisions (2026-05-19)
Locked via AskUserQuestion before drafting the rest of the design.
| # | Question | m's pick | Inventor recommended? |
|---|---|---|---|
| Q1 | Generator scope (template / AI-draft / brief / other) | **Template-render to `.docx`** | ✅ yes |
| Q2 | Template registry (Gitea / paliad DB / hybrid) | **Gitea** | ✅ yes |
| Q3 | Output flow (download-only / persist binary / attach to Frist) | **Direct download, no server-side binary** | ✅ yes |
| Q4 | Mapping (fallback chain / 1:1 / 1:N user picks) | **Fallback chain** | ✅ yes |
| Q5 | Slice 1 scope (1 template / 35 templates / full corpus / skeleton-only) | **One template, end-to-end on one project** (`de.inf.lg.erwidg` Klageerwiderung) | ✅ yes |
Inventor-defaulted (not asked because there's a clear right answer or
because the question is implementation-level, not architecture-level):
| # | Topic | Default | Reasoning |
|---|---|---|---|
| D1 | Variable engine | `{{path.dot.notation}}` placeholders in the .docx body, replaced via a Go library that handles run-fragmentation | Matches the existing email-template `{{.Var}}` shape lawyers already see in `/admin/email-templates`. See §6. |
| D2 | Authorization | Project-team visibility only (`paliad.can_see_project`) + audit row | Matches every other write surface in paliad. No profession floor (generation is read-only on source data and produces a draft, not a binding action). |
| D3 | Naming convention | `{rule.name}-{project.case_number}-{YYYY-MM-DD}.docx`, slashes → underscores, FIRM_NAME-aware | Mirrors how lawyers name files manually. See §7. |
| D4 | Missing-variable behaviour | Render `[KEIN WERT: {field}]` / `[NO VALUE: {field}]` marker inline | Lets the lawyer see the gap in Word, fix in paliad, regenerate. Better than 400ing. |
| D5 | Editor surface | Gitea-only for v1 (admin edits .docx in Word, commits to mWorkRepo) | A paliad uploader UI is Phase 2 affordance if Gitea round-trip is painful. |
| D6 | AI-drafted body | OUT of scope for this task | §11 sketches the natural follow-up shape (new aichat persona) but does not commit to it. |
---
## §3 Architecture overview
```
┌────────────────────────────────────────────────────────────────────────┐
│ Project detail page │
│ ├─ "Submissions" panel (or button row) │
│ │ [Generate Klageerwiderung] [Generate Klageerhebung] [...] │
│ │ Each button enabled iff a template exists for that │
│ │ submission_code AND user passes paliad.can_see_project. │
│ └─ Click → POST /api/projects/{id}/submissions/{code}/generate │
└──────────────────────────────────┬─────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────┐
│ handlers/submissions.go (NEW) │
│ 1. Auth: UserIDFromContext + can_see_project gate │
│ 2. Load deadline_rule by submission_code │
│ 3. Resolve template via fallback chain (TemplateRegistry) │
│ 4. Build variable bag (services/submission_vars.go) │
│ 5. Render via SubmissionRenderer (services/submission_render.go) │
│ 6. Write paliad.documents audit row (NO file_path) │
│ 7. Write paliad.system_audit_log entry (event_type= │
│ 'submission.generated') │
│ 8. Stream .docx bytes with Content-Disposition: attachment │
└──────────────────────────────────┬─────────────────────────────────────┘
│ (template fetch)
┌────────────────────────────────────────────────────────────────────────┐
│ TemplateRegistry (services/submission_templates.go) — NEW │
│ • In-process cache (same shape as handlers/files.go cacheEntry) │
│ • Lookup path: │
│ (1) templates/{FIRM_NAME}/{submission_code}.docx │
│ (2) templates/_base/{submission_code}.docx │
│ (3) templates/_base/{proceeding_family}.docx (e.g. upc.inf.cfi) │
│ (4) templates/_base/_skeleton.docx │
│ • Fetched from m/mWorkRepo via Gitea raw URL │
│ • 5-min SHA refresh check (identical pattern to files.go) │
└──────────────────────────────────┬─────────────────────────────────────┘
Gitea: m/mWorkRepo
templates/HLC/de.inf.lg.erwidg.docx
templates/_base/de.inf.lg.erwidg.docx
templates/_base/de.inf.lg.docx
templates/_base/_skeleton.docx
```
**No new tables.** `paliad.documents` already exists; we write audit
rows there but leave `file_path` NULL. The fallback chain uses
filesystem-style paths inside the existing Gitea repo; no
`submission_templates` table needed for Slice 1.
---
## §4 Slice 1 — what ships first
Locked by Q5: **one template, end-to-end, on one project.**
### 4.1 Target submission
**`de.inf.lg.erwidg`** — Klageerwiderung (DE Verletzungs-LG).
Reasoning:
- High-frequency submission in patent practice; lawyers draft these
often enough that the tool earns its keep on day 1.
- `primary_party='defendant'` — exercises the our_side variable.
- `legal_source='DE.ZPO.276.1'` — exercises citation injection.
- Pure-DE (no UPC complexity); easier first template for HLC's
Munich/Düsseldorf practice to author and review.
- Klageerhebung (`de.inf.lg.klage`) is an obvious alternative; either
works. m can flip the target in his decision review if Klageerhebung
is the better proof case.
### 4.2 Surfaces in Slice 1
- **Project detail page** — new "Submissions" panel listing every
submission_code from the project's `proceeding_type` (via existing
`DeadlineRuleService`) with a `[Generieren]` button per row. Button
is enabled iff a template resolves AND `event_type='filing'` (no
`[Generieren]` on hearings/decisions — those don't have submissions).
- **Project detail API** — `GET /api/projects/{id}/submissions` returns
the list of (submission_code, name, has_template) so the frontend
can render enabled/disabled state.
- **Generate endpoint** — `POST /api/projects/{id}/submissions/{code}/generate`
returns `application/vnd.openxmlformats-officedocument.wordprocessingml.document`
with `Content-Disposition: attachment; filename="..."`.
Slice 1 does NOT add:
- A `/admin/submission-templates` editor (Gitea is the editor).
- A Frist-detail "Generate" button (project-detail only in Slice 1;
Frist-level surface is a Slice 2 affordance).
- A "Submissions" tab as a dedicated page (project-detail panel only).
- Per-firm overrides beyond `templates/HLC/...` (the fallback chain is
WIRED but the only override directory exercised in Slice 1 is HLC).
- The variable-contract sidebar UI (mirrors email-template editor) —
the contract is documented in §6 as code constants, surfaced as a
Slice 2 admin affordance.
### 4.3 Slice 1 LoC estimate (informational, no time estimate)
| File | Approx |
|---|---|
| `internal/handlers/submissions.go` (NEW) | 180 |
| `internal/services/submission_templates.go` (NEW — registry + Gitea proxy, reuses files.go cache idea) | 200 |
| `internal/services/submission_vars.go` (NEW — variable bag builder) | 220 |
| `internal/services/submission_render.go` (NEW — docx merge engine wrapper) | 120 |
| `internal/services/submission_render_test.go` (placeholder coverage + missing-var marker) | 180 |
| `frontend/src/components/SubmissionsPanel.tsx` (NEW) | 80 |
| `frontend/src/client/submissions.ts` (NEW — fetch + download) | 60 |
| Wiring in `cmd/server/main.go` + `internal/handlers/handlers.go` | 30 |
| i18n keys (`submissions.*`) DE+EN | 20 |
| **Total** | **~1090 LoC** |
Plus: ONE `.docx` template authored by HLC at
`m/mWorkRepo/templates/HLC/de.inf.lg.erwidg.docx`, lawyer-reviewed
before Slice 1 closes.
---
## §5 Template registry (Gitea-backed)
### 5.1 Gitea layout
```
m/mWorkRepo (existing repo)
└── templates/
├── HLC/ # FIRM_NAME-keyed override dir
│ └── de.inf.lg.erwidg.docx # Slice 1 ships THIS file
├── _base/ # Cross-firm baseline
│ ├── de.inf.lg.erwidg.docx # (Phase 2+)
│ ├── de.inf.lg.docx # proceeding-family fallback
│ ├── upc.inf.cfi.docx # (Phase 2+)
│ └── _skeleton.docx # ultra-generic fallback
└── README.md # placeholder reference for authors
```
Naming convention is the submission_code with a `.docx` suffix.
Proceeding-family fallback is the submission_code's first two
dot-segments (`de.inf.lg` from `de.inf.lg.erwidg`).
### 5.2 Lookup algorithm
```go
// services/submission_templates.go
func (r *TemplateRegistry) Resolve(ctx context.Context, code string) (Template, error) {
firm := branding.Name // "HLC", or whatever FIRM_NAME is
family := familyOf(code) // "de.inf.lg" from "de.inf.lg.erwidg"
candidates := []string{
fmt.Sprintf("templates/%s/%s.docx", firm, code),
fmt.Sprintf("templates/_base/%s.docx", code),
fmt.Sprintf("templates/_base/%s.docx", family),
"templates/_base/_skeleton.docx",
}
for _, path := range candidates {
if tmpl, ok := r.fetch(ctx, path); ok {
return tmpl, nil
}
}
return Template{}, ErrNoTemplate
}
```
`fetch` does the same SHA-cache dance `handlers/files.go` already
does, scoped to the templates subtree.
### 5.3 Gitea auth
Reuses `GITEA_TOKEN` env var that already exists for the HL Patents
Style proxy. `m/mWorkRepo` is the same repo, same access token. No
new secret to configure.
### 5.4 What happens when no template resolves
The fallback chain ends at `_skeleton.docx`. The skeleton is an
intentionally bare-bones .docx (firm letterhead + party block + court
address + case number + signature stub) that ships as part of the
initial template set. In practice every Generate request resolves to
something — but if even the skeleton 404s (misconfigured repo), the
generator returns `503` with a clear error, the SubmissionsPanel
button surfaces "Vorlagen-Repository nicht erreichbar".
---
## §6 Variable interpolation
### 6.1 Engine
Plain text replacement of `{{path.dot.notation}}` placeholders in the
.docx body. Whitespace inside braces is trimmed
(`{{ project.case_number }}``{{project.case_number}}`).
Implementation: a Go library that handles Word's run-fragmentation
correctly (Word may split `{{project.case_number}}` across multiple
`<w:r>` runs during editing; naive find/replace breaks). Candidates:
- **`github.com/lukasjarosch/go-docx`** (~2k stars, MIT, pure Go,
maintained). Handles run-merging before replacement. **Inventor
recommendation.**
- `github.com/nguyenthenguyen/docx` — older, less active.
- Custom in-house implementation — ~200 LoC for a minimal robust
replacer that walks the document XML and merges runs that fall
inside a `{{…}}` span. Fallback if the library doesn't pan out.
Slice 1: try `lukasjarosch/go-docx` first; if it has dealbreaker bugs
(e.g. blows up on Word's autocorrect runs), fall back to the in-house
~200 LoC walker. The library choice is an implementation detail; the
placeholder syntax stays the same either way.
### 6.2 Variable contract (v1 placeholder set)
```
{{firm.name}} — HLC (or whatever FIRM_NAME is)
{{firm.signature_block}} — Phase 2; v1 renders empty string
{{today}} — 2026-05-19 (ISO)
{{today.long_de}} — "19. Mai 2026"
{{today.long_en}} — "19 May 2026"
{{user.display_name}} — "Maria Schmidt"
{{user.email}} — "maria.schmidt@hlc.com"
{{user.office}} — "Munich"
{{project.title}} — paliad.projects.title
{{project.reference}} — paliad.projects.reference
{{project.case_number}} — paliad.projects.case_number
{{project.court}} — paliad.projects.court
{{project.patent_number}} — paliad.projects.patent_number
{{project.filing_date}} — ISO date
{{project.grant_date}} — ISO date
{{project.our_side}} — "claimant" | "defendant"
{{project.our_side_de}} — "Klägerin" | "Beklagte"
{{project.instance_level}} — "lg" | "olg" | "bgh" | ...
{{project.proceeding.code}} — e.g. "de.inf.lg"
{{project.proceeding.name}} — Verletzungsklage am Landgericht
{{project.client_number}} — paliad.projects.client_number
{{project.matter_number}} — paliad.projects.matter_number
{{parties.claimant.name}} — first paliad.parties row with role='claimant'
{{parties.claimant.representative}} — paliad.parties.representative
{{parties.defendant.name}} — first row with role='defendant'
{{parties.defendant.representative}} — paliad.parties.representative
{{parties.other.name}} — first row with role NOT IN ('claimant','defendant') — court, intervener, etc.
{{rule.submission_code}} — "de.inf.lg.erwidg"
{{rule.name}} — "Klageerwiderung"
{{rule.name_en}} — "Statement of Defence"
{{rule.legal_source}} — "DE.ZPO.276.1"
{{rule.legal_source_pretty}} — "§ 276 Abs. 1 ZPO"
{{rule.primary_party}} — "defendant"
{{rule.event_type}} — "filing"
{{deadline.due_date}} — date of the next pending deadline for this rule on this project
{{deadline.due_date_long_de}} — "26. Juni 2026"
{{deadline.computed_from}} — anchor description (e.g. "Klageerhebung am 12.05.2026 +6 Wochen")
```
Per-firm extensions (e.g. `{{firm.signature_block}}` filled from a
table) are Phase 2.
### 6.3 Variable bag construction
`services/submission_vars.go` builds a flat `map[string]string`
keyed by the dotted-path placeholders above. One pass over:
1. `branding.Name` for `{{firm.*}}`
2. `time.Now()` (with `Europe/Berlin` locale for the long forms) for
`{{today.*}}`
3. `userService.GetByID()` for `{{user.*}}`
4. `projectService.GetByID()` for `{{project.*}}`
5. `partyService.ListByProject()` for `{{parties.*}}`
6. `deadlineRuleService.GetByCode()` for `{{rule.*}}`
7. `deadlineService.NextByRuleOnProject()` for `{{deadline.*}}`
Missing values render as `[KEIN WERT: {dotted.path}]` (DE) or
`[NO VALUE: {dotted.path}]` (EN) based on user locale. This is by
design — the lawyer sees the gap in Word, fixes it (either in Word
or in paliad and regenerates), rather than getting a 400 with a list
of missing fields they then have to chase.
### 6.4 Pretty-printing the legal_source
`legal_source` in the rule corpus is shorthand
(`DE.ZPO.276.1`, `UPC.RoP.23.1`). Lawyers don't want that in a brief;
they want `§ 276 Abs. 1 ZPO` or `Rule 23.1 RoP UPC`.
Slice 1 ships a small pretty-printer (`legalSourcePretty`) that knows
the families we currently use:
| Prefix | Pretty form (DE) | Pretty form (EN) |
|---|---|---|
| `DE.ZPO.<§>.<Abs>` | `§ <§> Abs. <Abs> ZPO` | `Section <§>(<Abs>) ZPO` |
| `DE.ZPO.<§>` | `§ <§> ZPO` | `Section <§> ZPO` |
| `UPC.RoP.<Rule>.<Sub>` | `Regel <Rule>.<Sub> VerfO UPC` | `Rule <Rule>.<Sub> RoP UPC` |
| `UPC.RoP.<Rule>` | `Regel <Rule> VerfO UPC` | `Rule <Rule> RoP UPC` |
| `DE.PatG.<§>` | `§ <§> PatG` | `Section <§> PatG` |
| `EPC.<Art>` | `Art. <Art> EPÜ` | `Art. <Art> EPC` |
| (unknown) | original string | original string |
Unrecognised prefixes pass through unchanged (better than an
incorrect prettification). The function is pure and unit-tested.
---
## §7 File naming
Generated file name:
```
{rule.name}-{project.case_number}-{YYYY-MM-DD}.docx
```
Concrete example for the Slice 1 happy path:
```
Klageerwiderung-2 O 123_25-2026-05-19.docx
```
Rules:
- `rule.name` honours user locale (`Klageerwiderung` for DE,
`Statement of Defence` for EN).
- `project.case_number` slash/backslash → underscore (Word file name
hygiene), other characters preserved.
- Date is ISO at server-local (`Europe/Berlin`) date.
- If `project.case_number` is empty → fall back to a short hash of
`project_id` (8 hex chars) so the file still has a stable identifier
the lawyer can rename without losing track.
---
## §8 Authorization
- **Visibility gate:** `paliad.can_see_project(project_id)` — anyone
who can see the project can generate. Matches every other write
surface on the project. The endpoint inlines the predicate;
unauthorised callers get 404 (not 403, to avoid project
enumeration).
- **No profession floor.** A paralegal can generate a draft of a
Klageerwiderung; the draft is a Word doc that needs the associate's
approval downstream (in Word, on the document itself). Adding an
approval gate on generation would slow the workflow without
preventing anything that paliad's existing approval system doesn't
already cover at the substantive-act layer.
- **Owner gate (Paliadin) does NOT apply.** This is the
submission-template engine, not Paliadin. All paliad users get the
feature once a template exists for the proceeding their project is
in.
---
## §9 Audit trail
Two records per generation:
### 9.1 `paliad.documents` row (audit-only, no binary)
```sql
INSERT INTO paliad.documents (id, title, doc_type, file_path, file_size,
mime_type, ai_extracted, uploaded_by,
project_id)
VALUES (gen_random_uuid(),
'{rule.name} (generiert {YYYY-MM-DD})',
'generated_submission', -- new doc_type value
NULL, -- no on-disk path
NULL, -- no file size (binary not persisted)
'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
jsonb_build_object(
'submission_code', $1,
'template_path', $2, -- the gitea path we resolved
'template_sha', $3, -- pinned SHA from the cache fetch
'firm', $4),
$user_id,
$project_id);
```
- `doc_type='generated_submission'` is a new value; no CHECK constraint
on doc_type today so this is additive.
- `file_path NULL` is the marker that says "regenerate from inputs on
demand". The /api/projects/{id}/documents listing UI (Phase 2) will
surface a `[Erneut generieren]` action for these rows.
- `ai_extracted` jsonb is repurposed for generation provenance
(template SHA, firm at time of generation). Naming is unfortunate
but the column shape fits; renaming the column is out of scope for
this task.
### 9.2 `paliad.system_audit_log` row
```sql
INSERT INTO paliad.system_audit_log (event_type, actor_id, actor_email,
scope, scope_root, metadata)
VALUES ('submission.generated',
$user_id,
$user_email,
'project',
$project_id::text,
jsonb_build_object(
'submission_code', $1,
'template_path', $2,
'template_sha', $3,
'document_id', $document_id,
'firm', $4));
```
Mirrors the existing `system_audit_log` event_type convention
(`*.created`, `*.updated`, etc., from t-paliad-214).
### 9.3 Verlauf entry (project event)
`paliad.project_events` gets a row with `event_type='submission_generated'`
and `timeline_kind='custom_milestone'` so the generation surfaces in
SmartTimeline's audit-log toggle and on the project's Verlauf list.
This is the user-visible footprint; the `system_audit_log` entry is
the admin-visible audit footprint.
---
## §10 Frontend surface
### 10.1 Slice 1 — SubmissionsPanel on project detail
A new panel below the existing Verlauf / Deadlines panels on
`/projects/{id}`:
```
┌─────────────────────────────────────────────────────────────────┐
│ Schriftsätze │
├─────────────────────────────────────────────────────────────────┤
│ Klageerhebung [— Vorlage fehlt] │
│ Klageerwiderung [Generieren ↓] │
│ Replik [— Vorlage fehlt] │
│ Duplik [— Vorlage fehlt] │
└─────────────────────────────────────────────────────────────────┘
```
- Filter: only `event_type='filing'` rules from the project's
`proceeding_type` are listed. Hearings and decisions don't have
submissions.
- Per-row state: `has_template` returned by
`GET /api/projects/{id}/submissions`. Disabled buttons show the
"Vorlage fehlt" hint (German default, English in EN locale).
- Click `[Generieren ↓]` → POST → browser triggers download.
- `aria-busy="true"` on the panel while a generation is in flight
(cheap, but lawyers feel slow networks).
### 10.2 Out of scope for Slice 1
- A standalone `/submissions` index page.
- A Frist-detail "Generate" button.
- A picker for template variants (1:N) — locked to fallback chain
(Q4), which is 1:1 from the user's perspective.
- An "edit project, then regenerate" loop on the same UI.
---
## §11 AI-drafted body (deferred — sketch only)
NOT in scope for t-paliad-215. Documented here so the next inventor
picking up the "AI Klageerwiderung body" task has a clear starting
shape.
The natural fit: a new aichat persona (e.g. `paliadin-draft`) on
mRiver, parallel to the existing `paliadin` persona.
```
{{ai.draft_body}} # placeholder in the template
→ generator detects {{ai.*}} placeholders in the template
→ POSTs to aichat with persona=paliadin-draft + context:
- project state (variables already built)
- relevant project notes (paliad.notes)
- the deadline_rule corpus (rule + family)
- HL Patents Style guide chunks (RAG, eventually)
→ aichat returns Markdown body
→ generator injects into the .docx as one or more <w:p> paragraphs
(Word-friendly Markdown → docx mapping needed; substantive
formatting question for that follow-up)
```
Open shape questions for that follow-up (NOT for this design):
- One persona per submission type, or one persona that branches on
`submission_code` in its system prompt?
- Owner gate (m only) like current paliadin, or open to all
authenticated users?
- Approval gate before the AI body lands in the .docx?
- Cost accounting per generation?
- Where does the prose context come from (notes / uploaded patent
spec / prior pleadings)?
Re-uses, when that task fires:
- This task's template engine, variable contract, fallback chain,
audit trail — all unchanged.
- Just a new placeholder family (`{{ai.*}}`) + a new aichat persona +
a new admin gate.
---
## §12 Slice plan beyond Slice 1
| Slice | Scope |
|---|---|
| 1 | One template (`de.inf.lg.erwidg`), engine + fallback chain + audit + SubmissionsPanel on project detail. THIS DESIGN. |
| 2 | 35 more templates (Klageerhebung, SoC `upc.inf.cfi.soc`, SoD `upc.inf.cfi.sod`, Berufungsbegründung `de.inf.olg.begruendung`). Template authoring effort, no new architecture. |
| 3 | Variable-contract sidebar in a new `/admin/submission-templates` page (mirrors `/admin/email-templates` shape). Shows what placeholders exist, with samples. Does NOT add an uploader UI — Gitea remains the editor. |
| 4 | Per-firm override directory exercised (first non-HLC firm onboarded). |
| 5 | Frist-detail "Generate" button + paliad.documents.deadline_id FK (mig 103+) for per-Frist draft history. |
| 6 | (Separate task) AI-drafted body via Paliadin persona — see §11. |
| 7 | (Future) Paliad UI uploader as alternative to Gitea, if the round-trip is friction. |
Slices 25 are roadmap markers, not commitments — m decides cadence.
---
## §13 Trade-offs flagged
1. **No binary persistence is a deliberate retention choice.** If a
lawyer regenerates after the project state changes (party renamed,
case_number corrected), the "regenerated" doc differs from the
"original generated" doc. This is a feature, not a bug — the source
of truth is paliad's project state, and the .docx is a derivative.
But the lawyer needs to be aware: there is no "what did I generate
last Thursday" recovery without re-saving locally. The
`paliad.documents` audit row records WHAT was generated (template
SHA + project state hash, optionally), but not the bytes.
2. **Gitea round-trip for template edits is friction.** Template
authors edit `.docx` in Word, save, drag to Gitea web UI (or push
from a local clone). The 5-min SHA cache means edits surface
within 5 minutes (or instantly via `POST /api/files/refresh`
already wired for the HL Patents Style template). If lawyers
complain, Phase 7 adds an in-paliad uploader. Until then, Gitea is
the editor.
3. **Variable contract changes are coordinated edits.** Adding a new
`{{project.*}}` placeholder needs both a code change (var bag) AND
template edits (templates won't auto-discover new placeholders).
The variable-contract sidebar (Slice 3) is the mitigation —
template authors see what's available without reading the Go code.
4. **`lukasjarosch/go-docx` library risk.** ~2k stars, MIT, maintained
— but it's a third-party dep we haven't used before. Fallback is
the in-house ~200-LoC walker. The placeholder syntax doesn't change
either way; Slice 1 can swap engines without touching templates or
callers.
5. **`paliad.documents.ai_extracted` is repurposed for generation
provenance.** Slightly ugly naming because the column was added for
Phase H (AI Frist-Extraktion), which never shipped. Renaming the
column to something like `metadata` is out of scope for this task
but should be folded into the migration that lands when Phase 5
adds `deadline_id`.
6. **`paliad.parties.role='claimant'`** — multiple claimants on a
project (multi-party suit) → Slice 1 picks the first row. v1
shortcut. Templates needing multi-claimant blocks become Phase 2
work (with a `{{#each parties.claimants}}` shape on top of
`lukasjarosch/go-docx`'s loop support).
7. **No Word-side `MERGEFIELD` support.** Lawyers who insert Word
merge fields (via Insert → Quick Parts → Field) instead of typing
`{{…}}` will get untouched MERGEFIELD codes in the rendered output.
Decision: standardise on `{{…}}` syntax (cheap to type, visible
in the template, predictable). Document this in the `templates/
README.md`.
8. **No template versioning UI.** Gitea provides git history; that's
the canonical version trail. Bumping to "use template X as of
commit Y" for an old project is a manual git-checkout-and-pin
exercise. Phase 2+ if anyone asks; not today.
---
## §14 Open follow-ups (NOT blocking)
These items are NOT m-decisions; they're follow-ups for the coder
shift or future inventor passes:
- **Template authoring effort.** Slice 1 needs HLC to author/review
the actual Klageerwiderung template. That's a legal-review task that
can run in parallel with the engine code (template uploaded last
before the slice ships). Coordinate with m on who reviews.
- **English version of `legalSourcePretty`.** Pretty-printer table in
§6.4 needs an EN column for every prefix — populated from existing
glossary entries where possible.
- **i18n key sweep.** `submissions.*` namespace; ~20 keys for Slice 1
(panel title, button labels, "Vorlage fehlt" hints, error messages
for 503/404/422).
- **README for template authors.** A `templates/README.md` in
m/mWorkRepo listing the available placeholders + naming convention
+ a screenshot of a working template. Coder ships this alongside
Slice 1.
- **CLAUDE.md update.** Add a "Submission templates" section
documenting the Gitea proxy, placeholder syntax, and the
`submission.generated` audit event_type.
- **Cleanup task for `ai_extracted` naming.** Issue + Phase 5 mig.
---
## §15 What this design does NOT do
To set the scope boundary cleanly:
- ❌ Generate PDFs.
- ❌ Generate emails or any non-.docx format.
- ❌ Edit `.docx` files inside paliad (no in-browser Word editor).
- ❌ Upload .docx to NetDocuments or any external DMS.
- ❌ Translate templates DE↔EN automatically.
- ❌ Validate the generated draft against any legal rule.
- ❌ Sign, certify, or notarise the output.
- ❌ Send the draft to court / e-filing.
- ❌ AI-draft any prose. (See §11.)
- ❌ Provide a paliad-UI template editor. (Gitea is the editor.)
- ❌ Persist generated .docx bytes server-side. (Audit row only.)
- ❌ Add a new database table. (`paliad.documents` is enough for v1.)
- ❌ Require a database migration. (Slice 1 is migration-free.)
Each of these is a defensible future-scope item; none belong in
Slice 1.
---
## §16 Recommended implementer
Pattern-fluent Sonnet coder. The substrate is well-trodden:
- Gitea proxy + cache: `internal/handlers/files.go` is the template
to lift.
- Variable contract pattern: `internal/services/email_template_variables.go`
is the template to mirror (different surface, identical shape).
- Visibility gate: `internal/services/visibility.go` +
`paliad.can_see_project()` — standard everywhere.
- Audit insert: `paliad.system_audit_log` (mig 102) + `paliad.documents`
(existing table, first writer).
- Frontend SubmissionsPanel: stock TSX + client/.ts pattern, same shape
as the existing CardLayout / EventsList panels.
The only novel piece is the docx merge library integration — that's a
~200 LoC isolated module the coder can prototype on a sample .docx
before wiring into the project flow.
NOT cronus per project memory directive.
---
## §17 Acceptance criteria for Slice 1
The coder considers Slice 1 done when:
1. Pushing a `.docx` to `m/mWorkRepo/templates/HLC/de.inf.lg.erwidg.docx`
and visiting any project with `proceeding_type=de.inf.lg` surfaces
a `[Generieren]` Klageerwiderung button.
2. Clicking it downloads a `.docx` named per §7 with all §6.2
placeholders resolved (or `[KEIN WERT: …]` markers for genuinely
missing project fields).
3. Opening the downloaded .docx in Word renders cleanly (no run
fragmentation artefacts, no broken styles).
4. A row appears in `paliad.documents` with `doc_type='generated_submission'`,
`file_path=NULL`, and `ai_extracted` jsonb carrying the template
path + SHA.
5. A row appears in `paliad.system_audit_log` with `event_type='submission.generated'`.
6. A row appears in `paliad.project_events` with
`event_type='submission_generated'` and shows up in the project's
Verlauf / SmartTimeline.
7. Calling the endpoint without project visibility returns 404.
8. Calling the endpoint with no template anywhere in the fallback
chain returns 503 with a clear error.
9. Unit tests cover: placeholder rendering happy path, missing-var
marker, fallback chain (all 4 levels), file naming, slash
sanitization, legalSourcePretty for every prefix in §6.4.
10. `go build ./... && go vet ./... && go test ./... && bun run build`
all clean.
11. Manual test on the live database (test admin
`tester@hlc.de` per memory) against a project with a real
`de.inf.lg` proceeding succeeds end-to-end.
---
## §18 Approval gate
Per inventor SKILL.md and project CLAUDE.md: this design needs m's
go/no-go before any coder is hired. After m approves:
- The head decides whether to hire the same worker as `/mai-coder`
with this design as the brief, or a fresh coder.
- A coder shift takes this doc as the spec, ships Slice 1, opens a
PR (no self-merge — maria's gate).
- Phase 11 (AI-drafted body) is a SEPARATE task — not auto-spawned.
Inventor parks here.

52
docs/t-paliad-207-followup-scope.md
View File

@@ -1,52 +0,0 @@
# t-paliad-207 follow-up scope — close-out assessment
**Author:** fermi (inventor)
**Date:** 2026-05-20
**Verdict:** **(A) DONE** — interactive session scope is shipped; remaining tail is filed-or-fileable as discrete issues, not a fresh fermi slice.
---
## 0. What shipped under t-paliad-207
Six substantive deliveries on `mai/fermi/interactive-session`, all merged to main as of 2026-05-20 morning:
1. **Verfahrensablauf + Fristenrechner polish** — jurisdiction prefix on the picked proceeding, trigger-event label derived from the root rule, flag rows lifted to `/tools/verfahrensablauf`, rule references rendered as `youpc.org/laws#…` links via new `BuildLegalSourceURL`, `Vorab-Einrede → Einspruch` rename (DE i18n).
2. **DE proceeding picker — sub-group headers** (`Verletzungsverfahren` / `Nichtigkeitsverfahren`) + parallel labels (`LG (1. Instanz)` / `OLG (Berufung)` / …).
3. **mig 099** — drop the `with_po` flag from the two RoP 19 rules (Einspruch is always-available, not flag-gated).
4. **mig 100**`upc.inf.cfi.ccr` visible rule (`Nichtigkeitswiderklage`) so the CCR filing event surfaces when `with_ccr` is set; later corrected to `priority='optional'` via mig 101.
5. **mig 101** — strip rule-cite brackets from the two Einspruch names + flip the CCR priority `informational → optional`.
6. **mig 102** — track-aware sequence reshuffle on `upc.inf.cfi` so at any tied date the order is infringement (Replik) → revocation (Erwiderung Nichtigkeitswiderklage) → amendment.
7. **Notes toggle**`Hinweise anzeigen` checkbox in the view-toggle bar; compact ⓘ hover hint when off (default), inline `timeline-notes` block when on. `localStorage` shared across both tool pages.
Filed two follow-up issues during the session:
- **m/paliad#39** — link DE + EPA + EU rule references to `youpc.org/laws` (depends on youpc.org ingesting the corpus).
- **m/paliad#41** — DE proceedings as one combined timeline per type (LG→OLG→BGH, BPatG→BGH) — corpus + spawn + de-duplication + multi-instance UI.
## 1. Why (A) DONE
Every concrete thing m surfaced in the session was addressed and merged. The two larger unaddressed asks — combined-timeline behaviour for DE proceedings, and DE/EPA rule-link coverage — are already captured in #39 and #41 with concrete scope notes. Neither belongs as a fermi "next slice" because:
- **#41** is a corpus + UI design pass of its own (3 new spawn rules, de-duplication of the existing `de.inf.lg.berufung ↔ de.inf.olg.berufung` pair, multi-court picker shape, instance markers in the timeline body). That's its own design ticket, not a fermi follow-up.
- **#39** is primarily a youpc.org-side ingest task; the paliad-side change is a 5-line `switch` extension once youpc serves the URLs. Wait for the dependency, then small.
Everything else I surfaced in the read-only audit is either pre-existing (not introduced by this session) or speculative (no user complaint behind it).
## 2. Optional tail — would file as discrete issues, not a fermi slice
Surfacing these for completeness; none are blocking, and most would be small enough to either roll into the existing tickets or land as one-off polish:
| # | Candidate | Size | Already covered? |
|---|---|---|---|
| 1 | **`legal_source` backfill on 47 unsourced active rules** — query: 4 of `upc.inf.cfi`, 4 of `upc.pi.cfi` (100% gap), 6 of `upc.rev.cfi`, others. Pre-condition for #39's links to bite. | Medium — corpus research per rule | Partially: huygens did the broader citation backfill in t-paliad-208 / mig 097. This is the remaining tail. |
| 2 | **`upc.pi.cfi` corpus completeness audit** — all 4 of its rules lack `legal_source`; likely also missing the analogous track-of-decision spawn rules to `upc.apl.merits`. | Small audit, medium fix | No — would be a fresh task. |
| 3 | **Touch-device fallback for the ⓘ hover hint**`title=` attribute degrades poorly on phones (no hover, no tap-to-show). Either a click-to-popover variant, or accept the gap. | Tiny | No, but no user complaint yet. |
| 4 | **R.46 mutatis-mutandis distinction in `upc.rev.cfi.prelim` description** — when mig 101 stripped the `(R. 19 i.V.m. R. 46)` cite, the legal nuance dropped from the user-visible name. Could be surfaced in the description text where it doesn't crowd the timeline cell. | Tiny (one row update) | No. |
| 5 | **Save-modal warning on SoD + CCR double-check** — with mig 100's new `upc.inf.cfi.ccr` rule, a user can save both `sod` and `ccr` from the same modal and get two `paliad.deadlines` rows on the same date. Today's pre-uncheck behaviour for optional priority mitigates accidental double-write but doesn't surface the duplication actively. | Small | No. |
| 6 | **Deferred slices from earlier design docs that touch this surface**: t-paliad-179 Slice 2-4 (variant chips, lane view, side-by-side compare on `/tools/verfahrensablauf`); t-paliad-169 "+ Eintrag" CTA on the SmartTimeline (project-bound) path. | Each a separate slice. | Yes — parked from their original tasks; would be revisited when m prioritises. |
None of these warrant a "next fermi slice" right now. They're polish + corpus tail, and best handled as individual issues that m can pick from.
## 3. Recommendation
Close t-paliad-207. Fire fermi. The remaining tail (items 16 above) is appropriate as a small "polish backlog" m can dip into when relevant, but not a coherent unit of work that needs a parked inventor.

BIN
frontend/public/patentstyle/HL-Patents-Style.dotm Normal file
View File

Binary file not shown.

5
frontend/public/patentstyle/version.json Normal file
View File

@@ -0,0 +1,5 @@
{
"version": "v0.260518",
"dotm_url": "https://paliad.msbls.de/patentstyle/HL-Patents-Style.dotm",
"sha256": "5CEA98A29D2FD6D9970B9A2499054DF52685A1116459E07F9290B0D0ADD521F4"
}

5
frontend/src/client/events.ts
View File

@@ -126,11 +126,12 @@ const STATUS_OPTIONS_DEADLINE: StatusOption[] = [
];
const STATUS_OPTIONS_APPOINTMENT: StatusOption[] = [
{ value: "all", key: "events.filter.status.all" },
{ value: "upcoming", key: "events.filter.status.upcoming" },
{ value: "today", key: "deadlines.filter.today" },
{ value: "this_week", key: "deadlines.filter.thisweek" },
{ value: "next_week", key: "deadlines.filter.nextweek" },
{ value: "later", key: "deadlines.filter.later" },
{ value: "all", key: "events.filter.status.all" },
];
function statusOptionsFor(type: EventTypeChoice): StatusOption[] {
@@ -139,7 +140,7 @@ function statusOptionsFor(type: EventTypeChoice): StatusOption[] {
}
function defaultStatusFor(type: EventTypeChoice): string {
return type === "appointment" ? "all" : "pending";
return type === "appointment" ? "upcoming" : "pending";
}
let currentType: EventTypeChoice = "deadline";

29
frontend/src/client/fristenrechner.ts
View File

@@ -57,19 +57,6 @@ type ProcedureView = "timeline" | "columns";
// HLC team than the single vertical line.
let procedureView: ProcedureView = "columns";
// Notes toggle — off by default; per-rule notes render as a compact
// ⓘ hover icon. Flipped on, they expand under each card. Choice is
// localStorage-persisted (paliad.fristen.notes-show key shared with
// /tools/verfahrensablauf so the preference carries across both).
const NOTES_PREF_KEY = "paliad.fristen.notes-show";
function readNotesPref(): boolean {
try { return localStorage.getItem(NOTES_PREF_KEY) === "1"; } catch { return false; }
}
function writeNotesPref(on: boolean): void {
try { localStorage.setItem(NOTES_PREF_KEY, on ? "1" : "0"); } catch { /* no-op */ }
}
let showNotes = readNotesPref();
onLangChange(() => {
if (lastResponse) renderProcedureResults(lastResponse);
// Update trigger event name if a proceeding is selected
@@ -404,8 +391,8 @@ function renderProcedureResults(data: DeadlineResponse) {
</div>`;
const bodyHtml = procedureView === "columns"
? renderColumnsBody(data, { editable: true, showNotes })
: renderTimelineBody(data, { showParty: true, editable: true, showNotes });
? renderColumnsBody(data, { editable: true })
: renderTimelineBody(data, { showParty: true, editable: true });
container.innerHTML = headerHtml + bodyHtml;
printBtn.style.display = "block";
@@ -674,18 +661,6 @@ document.addEventListener("DOMContentLoaded", () => {
const saveBtn = document.getElementById("fristen-save-cta");
if (saveBtn) saveBtn.addEventListener("click", openSaveModal);
// Notes toggle — restores last preference on load + re-renders when
// the user flips it. Lives in the same toggle bar as the view picker.
const notesShowCb = document.getElementById("fristen-notes-show") as HTMLInputElement | null;
if (notesShowCb) {
notesShowCb.checked = showNotes;
notesShowCb.addEventListener("change", () => {
showNotes = notesShowCb.checked;
writeNotesPref(showNotes);
if (lastResponse) renderProcedureResults(lastResponse);
});
}
// View toggle (timeline vs. columns layout) for procedure mode.
initViewToggle();

30
frontend/src/client/i18n.ts
View File

@@ -300,7 +300,6 @@ const translations: Record<Lang, Record<string, string>> = {
"deadlines.view.label": "Ansicht:",
"deadlines.view.timeline": "Zeitstrahl",
"deadlines.view.columns": "Spalten",
"deadlines.notes.show": "Hinweise anzeigen",
"deadlines.col.proactive": "Proaktiv",
"deadlines.col.court": "Gericht",
"deadlines.col.reactive": "Reaktiv",
@@ -1127,6 +1126,17 @@ const translations: Record<Lang, Record<string, string>> = {
"einstellungen.tab.profil": "Profil",
"einstellungen.tab.benachrichtigungen": "Benachrichtigungen",
"einstellungen.tab.caldav": "CalDAV",
"einstellungen.tab.export": "Datenexport",
"einstellungen.export.subtitle": "Laden Sie Ihre pers\u00f6nlichen Paliad-Daten als Excel- + JSON- + CSV-Paket herunter. Enthalten ist alles, was Sie aktuell sehen k\u00f6nnen \u2014 Ihre Projekte, Fristen, Termine, Notizen, Genehmigungen und Einstellungen.",
"einstellungen.export.heading": "Pers\u00f6nlicher Datenexport",
"einstellungen.export.what": "Das Paket enth\u00e4lt Ihre sichtbaren Daten in drei Formaten in einem .zip:",
"einstellungen.export.bullet.xlsx": "paliad-export.xlsx \u2014 eine Excel-Mappe pro Entit\u00e4t.",
"einstellungen.export.bullet.json": "paliad-export.json \u2014 maschinenlesbare Kopie f\u00fcr Skripte und Tools.",
"einstellungen.export.bullet.csv": "csv/<sheet>.csv \u2014 Tabellen einzeln als CSV (UTF-8 mit BOM).",
"einstellungen.export.scope": "Umfang: alles, was Sie aktuell in Paliad sehen k\u00f6nnen (Sichtbarkeit zum Zeitpunkt des Exports). Passw\u00f6rter, CalDAV-Zugangsdaten und andere Geheimnisse werden nie exportiert.",
"einstellungen.export.audit": "Jeder Export wird im Audit-Log protokolliert.",
"einstellungen.export.button": "Daten exportieren",
"einstellungen.export.started": "Download gestartet. Falls nichts passiert, pr\u00fcfen Sie Ihren Browser-Downloadordner.",
"projects.title": "Projekte \u2014 Paliad",
"projects.heading": "Projekte",
"projects.subtitle": "Mandanten, Streitsachen, Patente und Verfahren \u2014 hierarchisch organisiert.",
@@ -1606,7 +1616,8 @@ const translations: Record<Lang, Record<string, string>> = {
"events.toggle.deadline": "Fristen",
"events.toggle.appointment": "Termine",
"events.toggle.all": "Beides",
"events.filter.status.all": "Alle",
"events.filter.status.all": "Alle (auch vergangene)",
"events.filter.status.upcoming": "Ab heute",
"events.summary.later": "Sp\u00e4ter",
"events.col.date": "Datum",
"events.col.location": "Ort",
@@ -2888,7 +2899,6 @@ const translations: Record<Lang, Record<string, string>> = {
"deadlines.view.label": "View:",
"deadlines.view.timeline": "Timeline",
"deadlines.view.columns": "Columns",
"deadlines.notes.show": "Show details",
"deadlines.col.proactive": "Proactive",
"deadlines.col.court": "Court",
"deadlines.col.reactive": "Reactive",
@@ -3703,6 +3713,17 @@ const translations: Record<Lang, Record<string, string>> = {
"einstellungen.tab.profil": "Profile",
"einstellungen.tab.benachrichtigungen": "Notifications",
"einstellungen.tab.caldav": "CalDAV",
"einstellungen.tab.export": "Data export",
"einstellungen.export.subtitle": "Download your personal Paliad data as an Excel + JSON + CSV bundle. The package contains everything you can currently see \u2014 your projects, deadlines, appointments, notes, approvals and settings.",
"einstellungen.export.heading": "Personal data export",
"einstellungen.export.what": "The package contains your visible data in three formats in one .zip:",
"einstellungen.export.bullet.xlsx": "paliad-export.xlsx \u2014 one Excel sheet per entity.",
"einstellungen.export.bullet.json": "paliad-export.json \u2014 machine-readable copy for scripts and tools.",
"einstellungen.export.bullet.csv": "csv/<sheet>.csv \u2014 individual tables as CSV (UTF-8 with BOM).",
"einstellungen.export.scope": "Scope: everything you can currently see in Paliad (visibility at the moment of export). Passwords, CalDAV credentials and other secrets are never exported.",
"einstellungen.export.audit": "Every export is logged in the audit log.",
"einstellungen.export.button": "Export data",
"einstellungen.export.started": "Download started. If nothing happens, check your browser's downloads folder.",
"projects.title": "Projects \u2014 Paliad",
"projects.heading": "Projects",
"projects.subtitle": "Clients, litigations, patents and cases \u2014 organised hierarchically.",
@@ -4178,7 +4199,8 @@ const translations: Record<Lang, Record<string, string>> = {
"events.toggle.deadline": "Deadlines",
"events.toggle.appointment": "Appointments",
"events.toggle.all": "Both",
"events.filter.status.all": "All",
"events.filter.status.all": "All (incl. past)",
"events.filter.status.upcoming": "From today",
"events.summary.later": "Later",
"events.col.date": "Date",
"events.col.location": "Location",

49
frontend/src/client/settings.ts
View File

@@ -51,8 +51,8 @@ interface SyncLogEntry {
duration_ms?: number;
}
type TabName = "profil" | "benachrichtigungen" | "caldav";
const TABS: TabName[] = ["profil", "benachrichtigungen", "caldav"];
type TabName = "profil" | "benachrichtigungen" | "caldav" | "export";
const TABS: TabName[] = ["profil", "benachrichtigungen", "caldav", "export"];
const DEFAULT_TAB: TabName = "profil";
let me: Me | null = null;
@@ -115,6 +115,7 @@ function showTab(tab: TabName, pushHistory: boolean) {
if (tab === "profil") void loadProfilTab();
else if (tab === "benachrichtigungen") void loadPrefsTab();
else if (tab === "caldav") void loadCalDAVTab();
else if (tab === "export") void loadExportTab();
}
}
@@ -662,6 +663,48 @@ async function renderMyPartnerUnits(): Promise<void> {
}
}
// --- Export tab (t-paliad-214 Slice 1) -------------------------------------
// Personal data export. One button; on click hits GET /api/me/export and the
// browser handles the download via Content-Disposition. We use an anchor +
// hidden iframe pattern so any non-200 response can surface inline instead
// of silently triggering a save dialog with an error-html body.
async function loadExportTab(): Promise<void> {
// Nothing to fetch on render; the tab is static text + button. Wired in
// the DOMContentLoaded handler.
}
function runExport(): void {
const msg = document.getElementById("export-msg");
const btn = document.getElementById("export-btn") as HTMLButtonElement | null;
if (msg) msg.textContent = "";
if (btn) btn.disabled = true;
// Trigger a navigation to the endpoint. The server sets
// Content-Disposition: attachment which the browser respects.
// We use a transient <a download> so the click goes through the
// normal download path even on browsers that try to render text/json.
const a = document.createElement("a");
a.href = "/api/me/export";
// download="" tells the browser to keep the server-provided filename
// when one is set via Content-Disposition.
a.download = "";
document.body.appendChild(a);
a.click();
document.body.removeChild(a);
// Re-enable after a short timeout so users can re-trigger if needed.
// We don't try to detect download completion — there's no portable
// browser API for it.
if (btn) {
setTimeout(() => {
btn.disabled = false;
if (msg)
msg.textContent =
t("einstellungen.export.started") ||
"Download gestartet. Falls nichts passiert, prüfen Sie Ihren Browser-Downloadordner.";
}, 500);
}
}
// --- Init -------------------------------------------------------------------
document.addEventListener("DOMContentLoaded", () => {
@@ -674,6 +717,8 @@ document.addEventListener("DOMContentLoaded", () => {
document.getElementById("caldav-form")!.addEventListener("submit", saveCalDAV);
document.getElementById("caldav-test-btn")!.addEventListener("click", testCalDAVConnection);
document.getElementById("caldav-delete-btn")!.addEventListener("click", deleteCalDAVConfig);
const exportBtn = document.getElementById("export-btn");
if (exportBtn) exportBtn.addEventListener("click", runExport);
onLangChange(() => {
if (loadedTabs.has("profil")) renderOfficeOptions();

29
frontend/src/client/verfahrensablauf.ts
View File

@@ -25,19 +25,6 @@ let lastResponse: DeadlineResponse | null = null;
type ProcedureView = "timeline" | "columns";
let procedureView: ProcedureView = "columns";
// Notes toggle — when off (default), per-rule descriptive notes render
// as a compact ⓘ icon next to the meta line (hover for full text). When
// on, the full notes block expands under each card. Choice persists in
// localStorage so a reload or recalc keeps the user's preference.
const NOTES_PREF_KEY = "paliad.fristen.notes-show";
function readNotesPref(): boolean {
try { return localStorage.getItem(NOTES_PREF_KEY) === "1"; } catch { return false; }
}
function writeNotesPref(on: boolean): void {
try { localStorage.setItem(NOTES_PREF_KEY, on ? "1" : "0"); } catch { /* no-op */ }
}
let showNotes = readNotesPref();
// Jurisdiction display prefix for the proceeding-summary chip + the
// trigger-event placeholder. Same forum slugs the .proceeding-group
// `data-forum` attribute carries in verfahrensablauf.tsx /
@@ -180,8 +167,8 @@ function renderResults(data: DeadlineResponse) {
</div>`;
const bodyHtml = procedureView === "columns"
? renderColumnsBody(data, { showNotes })
: renderTimelineBody(data, { showParty: true, showNotes });
? renderColumnsBody(data)
: renderTimelineBody(data);
container.innerHTML = headerHtml + bodyHtml;
if (printBtn) printBtn.style.display = "block";
@@ -312,18 +299,6 @@ document.addEventListener("DOMContentLoaded", () => {
document.getElementById("fristen-print-btn")?.addEventListener("click", () => window.print());
// Notes toggle — restores last preference on load + re-renders when
// the user flips it. Lives in the same toggle bar as the view picker.
const notesShowCb = document.getElementById("fristen-notes-show") as HTMLInputElement | null;
if (notesShowCb) {
notesShowCb.checked = showNotes;
notesShowCb.addEventListener("change", () => {
showNotes = notesShowCb.checked;
writeNotesPref(showNotes);
if (lastResponse) renderResults(lastResponse);
});
}
initViewToggle();
onLangChange(() => {

20
frontend/src/client/views/verfahrensablauf-core.ts
View File

@@ -219,13 +219,6 @@ export interface CardOpts {
// verfahrensablauf abstract-browse surface keeps editable=false because
// there's no anchor-override state on that page in Slice 1.
editable?: boolean;
// showNotes controls how the per-rule descriptive notes render:
// true → expanded `<div class="timeline-notes">…</div>` below the card
// false → compact ⓘ icon next to the meta line, full text on hover
// (browser-native `title` attribute) and screen-reader-readable
// Page shells expose a toggle ("Hinweise anzeigen") that flips this and
// re-renders. Default false — notes are noisy on long timelines.
showNotes?: boolean;
}
export function deadlineCardHtml(dl: CalculatedDeadline, opts: CardOpts): string {
@@ -271,19 +264,14 @@ export function deadlineCardHtml(dl: CalculatedDeadline, opts: CardOpts): string
}
const noteText = getLang() === "en" ? (dl.notesEN || dl.notes) : dl.notes;
const showNotes = opts.showNotes === true;
const notesBlock = noteText && showNotes
const notes = noteText
? `<div class="timeline-notes">${noteText}</div>`
: "";
const noteHint = noteText && !showNotes
? `<span class="timeline-note-hint" tabindex="0" role="note" aria-label="${escAttr(noteText)}" title="${escAttr(noteText)}">ⓘ</span>`
: "";
const meta = (opts.showParty || ruleRef || noteHint)
const meta = (opts.showParty || ruleRef)
? `<div class="timeline-meta">
${opts.showParty ? partyBadge(dl.party) : ""}
${ruleRef}
${noteHint}
</div>`
: "";
@@ -296,7 +284,7 @@ export function deadlineCardHtml(dl: CalculatedDeadline, opts: CardOpts): string
</div>
${meta}
${adjustedNote}
${notesBlock}`;
${notes}`;
}
export function renderTimelineBody(data: DeadlineResponse, opts: CardOpts = { showParty: true }): string {
@@ -370,7 +358,7 @@ export function renderColumnsBody(data: DeadlineResponse, opts: Omit<CardOpts, "
unscheduledKeys.sort();
const keys = [...datedKeys, ...unscheduledKeys];
const cardOpts: CardOpts = { showParty: false, editable: opts.editable, showNotes: opts.showNotes };
const cardOpts: CardOpts = { showParty: false, editable: opts.editable };
const renderCell = (items: CalculatedDeadline[]): string => {
if (items.length === 0) {

4
frontend/src/fristenrechner.tsx
View File

@@ -546,10 +546,6 @@ export function renderFristenrechner(): string {
<input type="radio" name="fristen-view" value="timeline" />
<span data-i18n="deadlines.view.timeline">Zeitstrahl</span>
</label>
<label className="fristen-notes-option">
<input type="checkbox" id="fristen-notes-show" />
<span data-i18n="deadlines.notes.show">Hinweise anzeigen</span>
</label>
</div>
<div id="timeline-container">

13
frontend/src/i18n-keys.ts
View File

@@ -1069,7 +1069,6 @@ export type I18nKey =
| "deadlines.neu.submit"
| "deadlines.neu.subtitle"
| "deadlines.neu.title"
| "deadlines.notes.show"
| "deadlines.optional.badge"
| "deadlines.party.both"
| "deadlines.party.both.label"
@@ -1230,6 +1229,16 @@ export type I18nKey =
| "downloads.subtitle"
| "downloads.title"
| "einstellungen.error.generic"
| "einstellungen.export.audit"
| "einstellungen.export.bullet.csv"
| "einstellungen.export.bullet.json"
| "einstellungen.export.bullet.xlsx"
| "einstellungen.export.button"
| "einstellungen.export.heading"
| "einstellungen.export.scope"
| "einstellungen.export.started"
| "einstellungen.export.subtitle"
| "einstellungen.export.what"
| "einstellungen.heading"
| "einstellungen.loading"
| "einstellungen.optional"
@@ -1273,6 +1282,7 @@ export type I18nKey =
| "einstellungen.subtitle"
| "einstellungen.tab.benachrichtigungen"
| "einstellungen.tab.caldav"
| "einstellungen.tab.export"
| "einstellungen.tab.profil"
| "einstellungen.title"
| "event.description.appointment_approval_approved"
@@ -1377,6 +1387,7 @@ export type I18nKey =
| "events.empty.hint"
| "events.empty.title"
| "events.filter.status.all"
| "events.filter.status.upcoming"
| "events.row.type.appointment"
| "events.row.type.deadline"
| "events.summary.later"

14
frontend/src/index.tsx
View File

@@ -9,7 +9,6 @@ const ICON_FILE = '<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" st
const ICON_FOLDER = '<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"><path d="M22 19a2 2 0 0 1-2 2H4a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h5l2 3h9a2 2 0 0 1 2 2z"/></svg>';
const ICON_CALC = '<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"><rect x="4" y="2" width="16" height="20" rx="2"/><line x1="8" y1="6" x2="16" y2="6"/><line x1="8" y1="14" x2="8" y2="14.01"/><line x1="12" y1="14" x2="12" y2="14.01"/><line x1="16" y1="14" x2="16" y2="14.01"/><line x1="8" y1="18" x2="16" y2="18"/></svg>';
const ICON_CLOCK = '<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"/><polyline points="12 6 12 12 16 14"/></svg>';
const ICON_DOWNLOAD = '<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"><path d="M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4"/><polyline points="7 10 12 15 17 10"/><line x1="12" y1="15" x2="12" y2="3"/></svg>';
const ICON_GLOSSAR = '<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"><path d="M4 19.5A2.5 2.5 0 0 1 6.5 17H20"/><path d="M6.5 2H20v20H6.5A2.5 2.5 0 0 1 4 19.5v-15A2.5 2.5 0 0 1 6.5 2z"/></svg>';
const ICON_TABLE = '<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"><rect x="3" y="3" width="18" height="18" rx="2"/><line x1="3" y1="9" x2="21" y2="9"/><line x1="3" y1="15" x2="21" y2="15"/><line x1="9" y1="3" x2="9" y2="21"/></svg>';
const ICON_CHECK = '<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"><path d="M9 11l3 3L22 4"/><path d="M21 12v7a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h11"/></svg>';
@@ -108,19 +107,6 @@ export function renderIndex(): string {
</div>
</section>
<section className="sections">
<div className="container">
<h3 className="section-heading" data-i18n="index.downloads">Downloads</h3>
<div className="grid grid-2">
<a href="/files/hl-patents-style.dotm" className="card card-link">
<div className="card-icon" dangerouslySetInnerHTML={{ __html: ICON_DOWNLOAD }} />
<h2 data-i18n="index.style.title">{`${FIRM} Patents Style`}</h2>
<p data-i18n="index.style.desc">{`Word-Vorlage im ${FIRM} Patents Style. Formatierung, Schriftarten und Makros für standardisierte Schriftsätze.`}</p>
</a>
</div>
</div>
</section>
<section className="offices">
<div className="container">
<h3 data-i18n="index.offices">Standorte</h3>

44
frontend/src/settings.tsx
View File

@@ -40,6 +40,7 @@ export function renderSettings(): string {
<a className="entity-tab" data-tab="profil" href="?tab=profil" data-i18n="einstellungen.tab.profil">Profil</a>
<a className="entity-tab" data-tab="benachrichtigungen" href="?tab=benachrichtigungen" data-i18n="einstellungen.tab.benachrichtigungen">Benachrichtigungen</a>
<a className="entity-tab" data-tab="caldav" href="?tab=caldav" data-i18n="einstellungen.tab.caldav">CalDAV</a>
<a className="entity-tab" data-tab="export" href="?tab=export" data-i18n="einstellungen.tab.export">Datenexport</a>
</nav>
{/* --- Profil tab ---------------------------------------- */}
@@ -342,6 +343,49 @@ export function renderSettings(): string {
</div>
</section>
{/* --- Datenexport tab (t-paliad-214 Slice 1) ----------- */}
<section className="entity-tab-panel" id="tab-export" style="display:none">
<p className="tool-subtitle" data-i18n="einstellungen.export.subtitle">
Laden Sie Ihre pers&ouml;nlichen Paliad-Daten als Excel- + JSON- + CSV-Paket herunter.
Enthalten ist alles, was Sie aktuell sehen k&ouml;nnen &mdash; Ihre Projekte, Fristen, Termine, Notizen, Genehmigungen und Einstellungen.
</p>
<div className="caldav-info-card">
<h2 data-i18n="einstellungen.export.heading">Pers&ouml;nlicher Datenexport</h2>
<p data-i18n="einstellungen.export.what">
Das Paket enth&auml;lt Ihre sichtbaren Daten in drei Formaten in einem <code>.zip</code>:
</p>
<ul className="form-hint settings-export-list">
<li data-i18n="einstellungen.export.bullet.xlsx">
<strong>paliad-export.xlsx</strong> &mdash; eine Excel-Mappe pro Entit&auml;t.
</li>
<li data-i18n="einstellungen.export.bullet.json">
<strong>paliad-export.json</strong> &mdash; maschinenlesbare Kopie f&uuml;r Skripte und Tools.
</li>
<li data-i18n="einstellungen.export.bullet.csv">
<strong>csv/&lt;sheet&gt;.csv</strong> &mdash; Tabellen einzeln als CSV (UTF-8 mit BOM).
</li>
</ul>
<p className="form-hint" data-i18n="einstellungen.export.scope">
Umfang: alles, was Sie aktuell in Paliad sehen k&ouml;nnen (Sichtbarkeit zum Zeitpunkt des Exports).
Passw&ouml;rter, CalDAV-Zugangsdaten und andere Geheimnisse werden nie exportiert.
</p>
<p className="form-hint" data-i18n="einstellungen.export.audit">
Jeder Export wird im Audit-Log protokolliert.
</p>
<p className="form-msg" id="export-msg" />
<div className="form-actions">
<button type="button" id="export-btn" className="btn-primary btn-cta-lime" data-i18n="einstellungen.export.button">
Daten exportieren
</button>
</div>
</div>
</section>
</div>
</section>
</main>

43
frontend/src/styles/global.css
View File

@@ -3441,49 +3441,6 @@ input[type="range"]::-moz-range-thumb {
cursor: pointer;
}
/* Notes toggle — checkbox affordance in the view-toggle bar that flips
per-card descriptive notes between compact (ⓘ tooltip icon) and
expanded (timeline-notes block). Sits with a leading separator so it
reads as a distinct control from the radio view picker. */
.fristen-notes-option {
display: inline-flex;
align-items: center;
gap: 0.35rem;
cursor: pointer;
color: var(--color-text);
margin-left: auto;
padding-left: 0.75rem;
border-left: 1px solid var(--color-border);
}
.fristen-notes-option input[type=checkbox] {
margin: 0;
cursor: pointer;
}
/* Compact note hint — sits in the timeline-meta line when the notes
toggle is off. Native browser tooltip via title= attribute carries
the full text on hover; tabindex=0 + aria-label make it
keyboard / screen-reader accessible. */
.timeline-note-hint {
display: inline-flex;
align-items: center;
justify-content: center;
min-width: 1.1rem;
height: 1.1rem;
border-radius: 50%;
font-size: 0.85rem;
color: var(--color-text-muted);
cursor: help;
user-select: none;
}
.timeline-note-hint:hover,
.timeline-note-hint:focus-visible {
color: var(--color-text);
outline: none;
}
/* Fristenrechner — three-column lane view (Proactive | Court | Reactive).
Each lane is independently date-ordered; party=both rows render below
as full-width spans because they apply to all sides. */

4
frontend/src/verfahrensablauf.tsx
View File

@@ -225,10 +225,6 @@ export function renderVerfahrensablauf(): string {
<input type="radio" name="fristen-view" value="timeline" />
<span data-i18n="deadlines.view.timeline">Zeitstrahl</span>
</label>
<label className="fristen-notes-option">
<input type="checkbox" id="fristen-notes-show" />
<span data-i18n="deadlines.notes.show">Hinweise anzeigen</span>
</label>
</div>
<div id="timeline-container">

12
go.mod
View File

@@ -9,3 +9,15 @@ require (
github.com/jmoiron/sqlx v1.4.0
github.com/lib/pq v1.12.3
)
require (
github.com/richardlehane/mscfb v1.0.6 // indirect
github.com/richardlehane/msoleps v1.0.6 // indirect
github.com/tiendc/go-deepcopy v1.7.2 // indirect
github.com/xuri/efp v0.0.1 // indirect
github.com/xuri/excelize/v2 v2.10.1 // indirect
github.com/xuri/nfp v0.0.2-0.20250530014748-2ddeb826f9a9 // indirect
golang.org/x/crypto v0.48.0 // indirect
golang.org/x/net v0.50.0 // indirect
golang.org/x/text v0.34.0 // indirect
)

18
go.sum
View File

@@ -57,8 +57,20 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/richardlehane/mscfb v1.0.6 h1:eN3bvvZCp00bs7Zf52bxNwAx5lJDBK1tCuH19qq5aC8=
github.com/richardlehane/mscfb v1.0.6/go.mod h1:pe0+IUIc0AHh0+teNzBlJCtSyZdFOGgV4ZK9bsoV+Jo=
github.com/richardlehane/msoleps v1.0.6 h1:9BvkpjvD+iUBalUY4esMwv6uBkfOip/Lzvd93jvR9gg=
github.com/richardlehane/msoleps v1.0.6/go.mod h1:BWev5JBpU9Ko2WAgmZEuiz4/u3ZYTKbjLycmwiWUfWg=
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/tiendc/go-deepcopy v1.7.2 h1:Ut2yYR7W9tWjTQitganoIue4UGxZwCcJy3orjrrIj44=
github.com/tiendc/go-deepcopy v1.7.2/go.mod h1:4bKjNC2r7boYOkD2IOuZpYjmlDdzjbpTRyCx+goBCJQ=
github.com/xuri/efp v0.0.1 h1:fws5Rv3myXyYni8uwj2qKjVaRP30PdjeYe2Y6FDsCL8=
github.com/xuri/efp v0.0.1/go.mod h1:ybY/Jr0T0GTCnYjKqmdwxyxn2BQf2RcQIIvex5QldPI=
github.com/xuri/excelize/v2 v2.10.1 h1:V62UlqopMqha3kOpnlHy2CcRVw1V8E63jFoWUmMzxN0=
github.com/xuri/excelize/v2 v2.10.1/go.mod h1:iG5tARpgaEeIhTqt3/fgXCGoBRt4hNXgCp3tfXKoOIc=
github.com/xuri/nfp v0.0.2-0.20250530014748-2ddeb826f9a9 h1:+C0TIdyyYmzadGaL/HBLbf3WdLgC29pgyhTjAT/0nuE=
github.com/xuri/nfp v0.0.2-0.20250530014748-2ddeb826f9a9/go.mod h1:WwHg+CVyzlv/TX9xqBFXEZAuxOPxn2k1GNHwG41IIUQ=
go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
@@ -69,7 +81,13 @@ go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/Wgbsd
go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

198
internal/db/migrate_test.go Normal file
View File

@@ -0,0 +1,198 @@
// Package db tests — migration dry-run gate.
//
// This is the test that catches mig-N crash-loops before they reach prod.
// The convention since t-paliad-098/099 is that paliad migrations land in
// numeric order on a single trunk; the next deploy runs whichever ones are
// pending against the live `public.paliad_schema_migrations` tracker. A
// migration that compiles cleanly but fails on apply (typo, missing column,
// wrong CHECK shape) crashes the Dokploy container loop before paliad.de
// finishes binding :8080, and the only way to learn about it today is to
// watch the deploy log.
//
// TestMigrations_DryRun closes that gap: for every *.up.sql in this
// directory whose version is greater than the scratch DB's current tracker
// version, it opens a transaction, runs the SQL, and ROLLBACKs. Any error
// fails the test with the file name + Postgres error. Always non-destructive
// — the ROLLBACK runs even on success, so the scratch DB stays at its
// starting version.
//
// Requires TEST_DATABASE_URL (same pattern as the rest of the live-DB
// tests). Skipped without it.
//
// Design: docs/design-paliad-test-strategy-2026-05-19.md §5 Slice 1.
package db
import (
"database/sql"
"errors"
"fmt"
"os"
"sort"
"strconv"
"strings"
"testing"
_ "github.com/lib/pq"
)
// migration is one *.up.sql file from the embedded migrations FS.
type migration struct {
version int
name string
filename string
}
// TestMigrations_DryRun walks every pending *.up.sql in numeric order,
// applies each inside its own BEGIN/ROLLBACK against the scratch DB, and
// fails the test on the first SQL error. Reports per-file as a sub-test so
// `go test -v` shows which migration failed.
//
// What "pending" means: greater than the scratch DB's current tracker
// version (or 0 if the tracker doesn't exist yet). In CI against a fresh
// scratch DB, every migration is pending and gets verified. On a developer
// laptop whose scratch DB is already at HEAD, no migrations are pending and
// the test logs the start version and passes — the protection only kicks in
// the moment a new *.up.sql lands in the tree before the developer runs
// `db.ApplyMigrations` against the same scratch DB.
func TestMigrations_DryRun(t *testing.T) {
url := os.Getenv("TEST_DATABASE_URL")
if url == "" {
t.Skip("TEST_DATABASE_URL not set — skipping migration dry-run")
}
conn, err := sql.Open("postgres", url)
if err != nil {
t.Fatalf("open: %v", err)
}
defer conn.Close()
if err := conn.Ping(); err != nil {
t.Fatalf("ping: %v", err)
}
// The paliad schema must exist before migration 001 runs against it,
// mirroring the bootstrap step in ApplyMigrations. Without this, a
// fresh scratch DB would fail migration 001's CREATE TABLE paliad.*
// statements inside the BEGIN/ROLLBACK probe with "schema paliad does
// not exist" — a false negative that distracts from real errors.
if _, err := conn.Exec(`CREATE SCHEMA IF NOT EXISTS paliad`); err != nil {
t.Fatalf("ensure paliad schema: %v", err)
}
startVersion, dirty, err := currentTrackerVersion(conn)
if err != nil {
t.Fatalf("read tracker: %v", err)
}
if dirty {
t.Fatalf("tracker is dirty at version %d — fix that first (DROP the tracker row "+
"or restore from backup); the dry-run cannot trust a dirty starting state",
startVersion)
}
t.Logf("scratch DB tracker at version %d; walking pending migrations from %d upward",
startVersion, startVersion+1)
migs, err := loadPendingMigrations(startVersion)
if err != nil {
t.Fatalf("load migrations: %v", err)
}
if len(migs) == 0 {
t.Logf("no pending migrations — scratch DB is at HEAD (%d)", startVersion)
return
}
for _, m := range migs {
t.Run(fmt.Sprintf("%03d_%s", m.version, m.name), func(t *testing.T) {
body, err := migrationFS.ReadFile("migrations/" + m.filename)
if err != nil {
t.Fatalf("read %s: %v", m.filename, err)
}
tx, err := conn.Begin()
if err != nil {
t.Fatalf("begin: %v", err)
}
// Always rollback; the dry-run must not leave the scratch DB
// at a different version than where it started. Rollback is
// safe to call even after a failed Exec — Postgres aborts the
// transaction internally on the first error.
defer func() { _ = tx.Rollback() }()
if _, err := tx.Exec(string(body)); err != nil {
t.Fatalf("migration %s failed dry-run: %v", m.filename, err)
}
})
}
}
// currentTrackerVersion reads the latest version + dirty flag from the
// `public.paliad_schema_migrations` tracker. Returns (0, false, nil) when the
// tracker doesn't exist yet — that's the "fresh scratch DB" path.
//
// We don't use golang-migrate's API to read this because golang-migrate's
// driver locks the tracker row on read; a test runner that calls this while
// the developer has paliad running locally would race. A plain SELECT is
// race-safe and matches what `psql` would show.
func currentTrackerVersion(conn *sql.DB) (version int, dirty bool, err error) {
const q = `SELECT version, dirty FROM public.paliad_schema_migrations LIMIT 1`
row := conn.QueryRow(q)
if scanErr := row.Scan(&version, &dirty); scanErr != nil {
// Missing table → fresh DB → start at 0. lib/pq surfaces this
// as `pq.Error.Code = "42P01"` (undefined_table); the simpler
// sql.ErrNoRows fires if the table exists but is empty (also
// fresh-DB-shaped).
if errors.Is(scanErr, sql.ErrNoRows) {
return 0, false, nil
}
if strings.Contains(scanErr.Error(), "does not exist") {
return 0, false, nil
}
return 0, false, scanErr
}
return version, dirty, nil
}
// loadPendingMigrations returns every *.up.sql in the embedded FS whose
// version is greater than startVersion, sorted by version ascending. A
// filename like "098_submission_codes_prefix_and_rename.up.sql" yields
// version=98, name="submission_codes_prefix_and_rename".
func loadPendingMigrations(startVersion int) ([]migration, error) {
entries, err := migrationFS.ReadDir("migrations")
if err != nil {
return nil, fmt.Errorf("read migrations dir: %w", err)
}
var out []migration
for _, e := range entries {
name := e.Name()
if !strings.HasSuffix(name, ".up.sql") {
continue
}
v, n, ok := parseMigrationName(name)
if !ok {
return nil, fmt.Errorf("unparseable migration filename: %s "+
"(expected NNN_description.up.sql)", name)
}
if v <= startVersion {
continue
}
out = append(out, migration{version: v, name: n, filename: name})
}
sort.Slice(out, func(i, j int) bool { return out[i].version < out[j].version })
return out, nil
}
// parseMigrationName splits "NNN_description.up.sql" into (NNN, description).
// Returns ok=false on any deviation from that shape.
func parseMigrationName(filename string) (version int, name string, ok bool) {
base := strings.TrimSuffix(filename, ".up.sql")
if base == filename { // suffix wasn't present
return 0, "", false
}
underscore := strings.IndexByte(base, '_')
if underscore <= 0 {
return 0, "", false
}
v, err := strconv.Atoi(base[:underscore])
if err != nil {
return 0, "", false
}
return v, base[underscore+1:], true
}

13
internal/db/migrations/101_caldav_multi_calendar.down.sql Normal file
View File

@@ -0,0 +1,13 @@
-- Reverse of 101_caldav_multi_calendar.up.sql.
--
-- Drop the new join + binding tables. CASCADE on the FK references
-- isn't needed because we drop targets before bindings, and Postgres
-- handles RLS policies / indexes automatically on DROP TABLE.
--
-- The legacy paliad.appointments.caldav_uid / caldav_etag columns are
-- untouched by the up migration, so they're untouched here too —
-- rollback returns the system to the pre-Slice-1 state where those
-- scalars are the single source of CalDAV truth.
DROP TABLE IF EXISTS paliad.appointment_caldav_targets;
DROP TABLE IF EXISTS paliad.user_calendar_bindings;

350
internal/db/migrations/101_caldav_multi_calendar.up.sql Normal file
View File

@@ -0,0 +1,350 @@
-- t-paliad-212 — Slice 1 of the CalDAV multi-calendar design (see
-- docs/design-caldav-multi-calendar-2026-05-19.md). Pure schema +
-- backfill; the sync engine is NOT touched in this migration. Slice 2
-- wires the per-binding fan-out.
--
-- What we add:
-- 1. paliad.user_calendar_bindings — N bindings per user, each with
-- a scope_kind enum (all_visible / personal_only / project /
-- client / litigation / patent / case) and an optional scope_id
-- pointing at a paliad.projects row when the scope is hierarchy-
-- anchored. The same Appointment can be PUT into multiple of
-- these bindings (e.g. master cal + per-project cal).
-- 2. paliad.appointment_caldav_targets — (appointment_id, binding_id)
-- join carrying the per-target caldav_uid + caldav_etag. The
-- canonical UID is still per-appointment (paliad-appointment-
-- <uuid>@paliad.de) so the same event in N cals shares one UID.
-- 3. Backfill: one all_visible binding per existing
-- user_caldav_config row, plus one target row per Appointment
-- already pushed (caldav_uid IS NOT NULL). Backfill maps the
-- target's binding_id to the appointment creator's binding —
-- that matches today's Phase F semantics, where the creator's
-- sync goroutine owns the etag.
--
-- The scalar columns paliad.appointments.caldav_uid / caldav_etag
-- STAY in place through Slice 1 and Slice 2. Slice 1 keeps them as
-- read-once denormalised pointers to the default binding's target
-- row; Slice 4 drops them after telemetry confirms no path still
-- reads them.
--
-- Idempotent: every CREATE uses IF NOT EXISTS, both backfills are
-- guarded by NOT EXISTS. Safe to re-run.
--
-- audit_reason set_config required at the top because m's recent
-- migration friction had several mig failures from missing reasons.
-- The trigger raising 'audit reason required' is on
-- paliad.deadline_rules only — this migration doesn't touch that
-- table — but we set the reason for symmetry per paliadin's 2026-05-19
-- coder-shift brief.
SELECT set_config(
'paliad.audit_reason',
'mig 101: CalDAV multi-calendar schema + backfill (Slice 1 of t-paliad-212; design doc docs/design-caldav-multi-calendar-2026-05-19.md). No row mutations on existing trigger-guarded tables; this is a defensive symmetry set_config.',
true);
-- =========================================================================
-- 1. paliad.user_calendar_bindings
-- =========================================================================
CREATE TABLE IF NOT EXISTS paliad.user_calendar_bindings (
id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
user_id uuid NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
-- Full URL or path under user_caldav_config.url. The CalDAV client
-- resolves it against the user's server URL the same way it
-- resolves the legacy user_caldav_config.calendar_path today.
calendar_path text NOT NULL,
-- What the picker UI shows for this binding. Discovered via
-- PROPFIND <displayname/> at add-time and cached here so we don't
-- re-fetch every render. Default '' (Slice 1 backfill leaves it
-- empty; Slice 2 fills it during the picker flow).
display_name text NOT NULL DEFAULT '',
-- Which appointments push into this calendar. Slice 1 only really
-- needs 'all_visible' (that's all the backfill creates) but we
-- ship the full enum now so the schema is final and Slice 2/3
-- don't have to ALTER it.
scope_kind text NOT NULL,
scope_id uuid REFERENCES paliad.projects(id) ON DELETE CASCADE,
-- Only meaningful when scope_kind is hierarchy-anchored
-- (project / client / litigation / patent / case). When true,
-- the binding ALSO receives the user's personal (project_id IS
-- NULL AND created_by = user_id) appointments. Ignored for
-- 'all_visible' (already includes them) and 'personal_only'.
include_personal boolean NOT NULL DEFAULT false,
enabled boolean NOT NULL DEFAULT true,
last_sync_at timestamptz,
last_sync_error text,
created_at timestamptz NOT NULL DEFAULT now(),
updated_at timestamptz NOT NULL DEFAULT now(),
CONSTRAINT user_calendar_bindings_scope_kind_chk CHECK (
scope_kind IN ('all_visible','personal_only','project','client','litigation','patent','case')
),
CONSTRAINT user_calendar_bindings_scope_id_chk CHECK (
(scope_kind IN ('all_visible','personal_only') AND scope_id IS NULL)
OR
(scope_kind NOT IN ('all_visible','personal_only') AND scope_id IS NOT NULL)
)
);
-- One binding per (user, calendar) — can't bind the same external
-- calendar twice for the same user.
CREATE UNIQUE INDEX IF NOT EXISTS user_calendar_bindings_user_path_uniq
ON paliad.user_calendar_bindings (user_id, calendar_path);
-- One hierarchy binding per (user, scope_kind, scope_id) — a user
-- can't have two bindings for the same project, but CAN have a
-- 'project' binding for project X alongside an 'all_visible'
-- master binding (different scope_kind ⇒ different row).
CREATE UNIQUE INDEX IF NOT EXISTS user_calendar_bindings_scope_hier_uniq
ON paliad.user_calendar_bindings (user_id, scope_kind, scope_id)
WHERE scope_id IS NOT NULL;
-- One scope-less binding per (user, scope_kind) — at most one
-- 'all_visible' and one 'personal_only' per user.
CREATE UNIQUE INDEX IF NOT EXISTS user_calendar_bindings_scope_root_uniq
ON paliad.user_calendar_bindings (user_id, scope_kind)
WHERE scope_id IS NULL;
CREATE INDEX IF NOT EXISTS user_calendar_bindings_user_idx
ON paliad.user_calendar_bindings (user_id)
WHERE enabled;
-- No updated_at trigger — paliad.user_caldav_config also doesn't have
-- one. The Go service layer sets updated_at = NOW() explicitly on
-- every write (see SaveConfig in caldav_service.go); we follow the
-- same convention here so all CalDAV-related tables are consistent.
ALTER TABLE paliad.user_calendar_bindings ENABLE ROW LEVEL SECURITY;
-- Same shape as user_caldav_config policies: a user sees + mutates
-- only their own rows. auth.uid() returns the authenticated user's
-- id (mirrors auth.uid()).
DROP POLICY IF EXISTS user_calendar_bindings_self_select ON paliad.user_calendar_bindings;
CREATE POLICY user_calendar_bindings_self_select ON paliad.user_calendar_bindings
FOR SELECT TO authenticated
USING (user_id = auth.uid());
DROP POLICY IF EXISTS user_calendar_bindings_self_insert ON paliad.user_calendar_bindings;
CREATE POLICY user_calendar_bindings_self_insert ON paliad.user_calendar_bindings
FOR INSERT TO authenticated
WITH CHECK (user_id = auth.uid());
DROP POLICY IF EXISTS user_calendar_bindings_self_update ON paliad.user_calendar_bindings;
CREATE POLICY user_calendar_bindings_self_update ON paliad.user_calendar_bindings
FOR UPDATE TO authenticated
USING (user_id = auth.uid())
WITH CHECK (user_id = auth.uid());
DROP POLICY IF EXISTS user_calendar_bindings_self_delete ON paliad.user_calendar_bindings;
CREATE POLICY user_calendar_bindings_self_delete ON paliad.user_calendar_bindings
FOR DELETE TO authenticated
USING (user_id = auth.uid());
-- =========================================================================
-- 2. paliad.appointment_caldav_targets
-- =========================================================================
CREATE TABLE IF NOT EXISTS paliad.appointment_caldav_targets (
appointment_id uuid NOT NULL REFERENCES paliad.appointments(id) ON DELETE CASCADE,
binding_id uuid NOT NULL REFERENCES paliad.user_calendar_bindings(id) ON DELETE CASCADE,
-- 'paliad-appointment-<uuid>@paliad.de' — derived from
-- appointment_id, identical across all bindings of one appointment.
caldav_uid text NOT NULL,
-- ETag returned by the CalDAV server on the last successful PUT.
-- NULLABLE to match the legacy paliad.appointments.caldav_etag
-- column: some servers don't return ETag on PUT and we
-- re-PROPFIND lazily on next tick.
caldav_etag text,
last_pushed_at timestamptz NOT NULL DEFAULT now(),
PRIMARY KEY (appointment_id, binding_id)
);
CREATE INDEX IF NOT EXISTS appointment_caldav_targets_binding_idx
ON paliad.appointment_caldav_targets (binding_id);
CREATE INDEX IF NOT EXISTS appointment_caldav_targets_uid_idx
ON paliad.appointment_caldav_targets (caldav_uid);
ALTER TABLE paliad.appointment_caldav_targets ENABLE ROW LEVEL SECURITY;
-- A target row is visible/mutable to the user who owns the binding.
-- Appointment-side visibility is enforced separately by AppointmentService;
-- the target is a sync-state row, scoped per-user.
DROP POLICY IF EXISTS appointment_caldav_targets_self_select ON paliad.appointment_caldav_targets;
CREATE POLICY appointment_caldav_targets_self_select ON paliad.appointment_caldav_targets
FOR SELECT TO authenticated
USING (EXISTS (
SELECT 1 FROM paliad.user_calendar_bindings b
WHERE b.id = appointment_caldav_targets.binding_id
AND b.user_id = auth.uid()
));
DROP POLICY IF EXISTS appointment_caldav_targets_self_insert ON paliad.appointment_caldav_targets;
CREATE POLICY appointment_caldav_targets_self_insert ON paliad.appointment_caldav_targets
FOR INSERT TO authenticated
WITH CHECK (EXISTS (
SELECT 1 FROM paliad.user_calendar_bindings b
WHERE b.id = appointment_caldav_targets.binding_id
AND b.user_id = auth.uid()
));
DROP POLICY IF EXISTS appointment_caldav_targets_self_update ON paliad.appointment_caldav_targets;
CREATE POLICY appointment_caldav_targets_self_update ON paliad.appointment_caldav_targets
FOR UPDATE TO authenticated
USING (EXISTS (
SELECT 1 FROM paliad.user_calendar_bindings b
WHERE b.id = appointment_caldav_targets.binding_id
AND b.user_id = auth.uid()
))
WITH CHECK (EXISTS (
SELECT 1 FROM paliad.user_calendar_bindings b
WHERE b.id = appointment_caldav_targets.binding_id
AND b.user_id = auth.uid()
));
DROP POLICY IF EXISTS appointment_caldav_targets_self_delete ON paliad.appointment_caldav_targets;
CREATE POLICY appointment_caldav_targets_self_delete ON paliad.appointment_caldav_targets
FOR DELETE TO authenticated
USING (EXISTS (
SELECT 1 FROM paliad.user_calendar_bindings b
WHERE b.id = appointment_caldav_targets.binding_id
AND b.user_id = auth.uid()
));
-- =========================================================================
-- 3. Backfill — one all_visible binding per existing CalDAV-configured user
-- =========================================================================
-- For every paliad.user_caldav_config row, insert an 'all_visible'
-- binding that mirrors today's single-target Phase F push. The new
-- binding inherits the legacy `calendar_path` (or, when that's empty,
-- the server URL itself — same fallback the client uses today). The
-- enabled flag carries over.
--
-- Idempotent: skipped when this user already has an all_visible binding
-- (re-running the migration is a no-op).
INSERT INTO paliad.user_calendar_bindings
(user_id, calendar_path, display_name, scope_kind, scope_id, include_personal, enabled)
SELECT
c.user_id,
COALESCE(NULLIF(c.calendar_path, ''), c.url),
'',
'all_visible',
NULL,
false,
c.enabled
FROM paliad.user_caldav_config c
WHERE NOT EXISTS (
SELECT 1 FROM paliad.user_calendar_bindings b
WHERE b.user_id = c.user_id
AND b.scope_kind = 'all_visible'
);
-- =========================================================================
-- 4. Backfill — one target row per already-pushed appointment
-- =========================================================================
-- For every appointment with a non-null caldav_uid, insert one target
-- row pointing at the appointment creator's new all_visible binding.
-- That preserves the (appointment, calendar) sync state exactly as it
-- existed before this migration.
--
-- Why created_by, not "every visible user": today's Phase F
-- caldav_uid/caldav_etag scalars on appointments are populated by
-- whoever happened to push last; in practice the etag almost always
-- belongs to the creator's calendar because pull-side updates only
-- run when CreatedBy = userID (caldav_service.go:449). Mapping the
-- backfill target to the creator's binding keeps the etag pointing
-- where it actually came from. Other users' goroutines will create
-- their own target rows on their next sync tick after Slice 2 ships.
--
-- Idempotent: skipped when (appointment_id, binding_id) target already
-- exists.
INSERT INTO paliad.appointment_caldav_targets
(appointment_id, binding_id, caldav_uid, caldav_etag, last_pushed_at)
SELECT
a.id,
b.id,
a.caldav_uid,
a.caldav_etag,
a.updated_at
FROM paliad.appointments a
JOIN paliad.user_calendar_bindings b
ON b.user_id = a.created_by
AND b.scope_kind = 'all_visible'
WHERE a.caldav_uid IS NOT NULL
AND a.created_by IS NOT NULL
AND NOT EXISTS (
SELECT 1 FROM paliad.appointment_caldav_targets t
WHERE t.appointment_id = a.id
AND t.binding_id = b.id
);
-- =========================================================================
-- 5. Assertions — hard fail if the backfill didn't catch every row
-- =========================================================================
-- Every paliad.user_caldav_config row must have at least one
-- all_visible binding after this migration. If it doesn't, either a
-- row was inserted between the backfill and the assertion (race —
-- run is wrapped in a transaction by golang-migrate, so this can't
-- happen) or the backfill is buggy. Hard fail either way.
DO $$
DECLARE
missing_users int;
BEGIN
SELECT count(*) INTO missing_users
FROM paliad.user_caldav_config c
WHERE NOT EXISTS (
SELECT 1 FROM paliad.user_calendar_bindings b
WHERE b.user_id = c.user_id
AND b.scope_kind = 'all_visible'
);
IF missing_users > 0 THEN
RAISE EXCEPTION
'mig 101 assertion failed: % paliad.user_caldav_config row(s) without an all_visible binding',
missing_users;
END IF;
END $$;
-- Every appointment with a non-null caldav_uid AND a non-null
-- created_by must have a target row pointing at its creator's
-- all_visible binding. created_by can be NULL on legacy rows
-- (e.g. seed data) so we exclude those from the assertion.
DO $$
DECLARE
missing_targets int;
BEGIN
SELECT count(*) INTO missing_targets
FROM paliad.appointments a
WHERE a.caldav_uid IS NOT NULL
AND a.created_by IS NOT NULL
AND NOT EXISTS (
SELECT 1
FROM paliad.appointment_caldav_targets t
JOIN paliad.user_calendar_bindings b
ON b.id = t.binding_id
WHERE t.appointment_id = a.id
AND b.user_id = a.created_by
AND b.scope_kind = 'all_visible'
);
IF missing_targets > 0 THEN
RAISE EXCEPTION
'mig 101 assertion failed: % appointment(s) with caldav_uid but no all_visible target row',
missing_targets;
END IF;
END $$;

52
internal/db/migrations/101_einspruch_name_and_ccr_priority.down.sql
View File

@@ -1,52 +0,0 @@
-- Revert mig 101 — restore the bracket-bearing Einspruch names and
-- flip the CCR priority back to 'informational'.
SELECT set_config(
'paliad.audit_reason',
'mig 101 down: restore "Einspruch (R. 19 VerfO)" and "Einspruch (R. 19 i.V.m. R. 46 VerfO)" names + flip upc.inf.cfi.ccr priority back to informational',
true);
UPDATE paliad.deadline_rules dr
SET name_en = 'Preliminary Objection (RoP 19 in conjunction with RoP 46)'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.rev.cfi'
AND dr.submission_code = 'upc.rev.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name_en = 'Preliminary Objection';
UPDATE paliad.deadline_rules dr
SET name = 'Einspruch (R. 19 i.V.m. R. 46 VerfO)'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.rev.cfi'
AND dr.submission_code = 'upc.rev.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name = 'Einspruch';
UPDATE paliad.deadline_rules dr
SET name_en = 'Preliminary Objection (RoP 19)'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.inf.cfi'
AND dr.submission_code = 'upc.inf.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name_en = 'Preliminary Objection';
UPDATE paliad.deadline_rules dr
SET name = 'Einspruch (R. 19 VerfO)'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.inf.cfi'
AND dr.submission_code = 'upc.inf.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name = 'Einspruch';
UPDATE paliad.deadline_rules dr
SET priority = 'informational'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.inf.cfi'
AND dr.submission_code = 'upc.inf.cfi.ccr'
AND dr.lifecycle_state = 'published'
AND dr.priority = 'optional';

89
internal/db/migrations/101_einspruch_name_and_ccr_priority.up.sql
View File

@@ -1,89 +0,0 @@
-- t-paliad-207 (m's interactive session) — two label/priority polish
-- fixes on upc.inf.cfi / upc.rev.cfi:
--
-- 1. **CCR priority informational → optional.** m's correction
-- 2026-05-18 18:01: the Nichtigkeitswiderklage is a substantive
-- defensive choice the defendant makes — not just an informational
-- notice. priority='optional' renders it as an unchecked save row
-- the user can opt into. The fermi amend (commit e8d658a) flipping
-- this didn't land in main — paliadin's merge of mig 100 (commit
-- c10f8cf, merge 4ddcd28) picked up the pre-amend 'informational'
-- version. This is the recovery.
--
-- 2. **Strip rule citation from Einspruch names.** m's correction
-- 2026-05-18 18:08: every other rule name in the corpus carries
-- the act-name without a parenthetical rule cite (Klageerwiderung,
-- Antrag auf Patentänderung, Replik, etc.). The Einspruch rule
-- names are the outliers:
-- upc.inf.cfi.prelim "Einspruch (R. 19 VerfO)" → "Einspruch"
-- upc.rev.cfi.prelim "Einspruch (R. 19 i.V.m. R. 46 VerfO)" → "Einspruch"
-- and EN equivalents:
-- "Preliminary Objection (RoP 19)" → "Preliminary Objection"
-- "Preliminary Objection (RoP 19 in conjunction with RoP 46)"
-- → "Preliminary Objection"
-- The legal_source / rule_code columns already carry the citation
-- and render in the deadline card's meta line, so the name stays
-- clean. The R.46-i.V.m. distinction is preserved in the legal
-- source field (RoP.019.1 for both — m may want to further
-- differentiate; flagged in description text instead).
--
-- audit_reason set_config required at the top — the deadline_rules
-- audit trigger raises EXCEPTION 'audit reason required' on any
-- mutation without it (cf. mig 099 hotfix history).
--
-- Idempotency:
-- * Priority UPDATE guarded on the current 'informational' value.
-- * Name UPDATEs guarded on the current parenthetical-bearing names.
SELECT set_config(
'paliad.audit_reason',
'mig 101: flip upc.inf.cfi.ccr priority informational→optional + strip rule-cite brackets from R.19 Einspruch names on both upc.inf.cfi.prelim and upc.rev.cfi.prelim (m''s corrections 2026-05-18, t-paliad-207 interactive session)',
true);
-- 1) Flip CCR priority
UPDATE paliad.deadline_rules dr
SET priority = 'optional'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.inf.cfi'
AND dr.submission_code = 'upc.inf.cfi.ccr'
AND dr.lifecycle_state = 'published'
AND dr.priority = 'informational';
-- 2a) Strip "(R. 19 VerfO)" from upc.inf.cfi.prelim DE/EN names
UPDATE paliad.deadline_rules dr
SET name = 'Einspruch'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.inf.cfi'
AND dr.submission_code = 'upc.inf.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name = 'Einspruch (R. 19 VerfO)';
UPDATE paliad.deadline_rules dr
SET name_en = 'Preliminary Objection'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.inf.cfi'
AND dr.submission_code = 'upc.inf.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name_en = 'Preliminary Objection (RoP 19)';
-- 2b) Strip "(R. 19 i.V.m. R. 46 VerfO)" from upc.rev.cfi.prelim DE/EN names
UPDATE paliad.deadline_rules dr
SET name = 'Einspruch'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.rev.cfi'
AND dr.submission_code = 'upc.rev.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name = 'Einspruch (R. 19 i.V.m. R. 46 VerfO)';
UPDATE paliad.deadline_rules dr
SET name_en = 'Preliminary Objection'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.rev.cfi'
AND dr.submission_code = 'upc.rev.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name_en = 'Preliminary Objection (RoP 19 in conjunction with RoP 46)';

15
internal/db/migrations/102_system_audit_log.down.sql Normal file
View File

@@ -0,0 +1,15 @@
-- Revert mig 102 — drop paliad.system_audit_log and its indexes / policies.
-- audit_reason set_config required by the mig 079 trigger pattern.
SELECT set_config(
'paliad.audit_reason',
'mig 102 down: drop paliad.system_audit_log (t-paliad-214 Slice 1 revert)',
true);
DROP POLICY IF EXISTS system_audit_log_select_admin ON paliad.system_audit_log;
DROP POLICY IF EXISTS system_audit_log_select_self ON paliad.system_audit_log;
DROP INDEX IF EXISTS paliad.system_audit_log_event_type_created_at_idx;
DROP INDEX IF EXISTS paliad.system_audit_log_actor_id_created_at_idx;
DROP TABLE IF EXISTS paliad.system_audit_log;

79
internal/db/migrations/102_system_audit_log.up.sql Normal file
View File

@@ -0,0 +1,79 @@
-- t-paliad-214 Slice 1 — create paliad.system_audit_log as the 6th source
-- in the AuditService.ListEntries union. Captures org-wide / scope-spanning
-- actions that don't naturally belong on any single project_events row.
--
-- Design: docs/design-paliad-data-export-2026-05-19.md §4.
--
-- Initial use case is data-export auditing (every export run writes one row,
-- before the artifact is generated, then is patched with row_counts +
-- file_size_bytes on completion). The table is intentionally generic
-- (`event_type` + `metadata jsonb`) so future org-wide actions can land here
-- without a new table per concept.
--
-- Idempotent: CREATE TABLE IF NOT EXISTS + CREATE INDEX IF NOT EXISTS.
-- audit_reason set_config required by the mig 079 trigger pattern when
-- migrations touch the database — universal convention even for pure-DDL
-- migrations.
SELECT set_config(
'paliad.audit_reason',
'mig 102: add paliad.system_audit_log for org-wide / scope-spanning audit events (t-paliad-214 Slice 1 — data-export audit chain)',
true);
CREATE TABLE IF NOT EXISTS paliad.system_audit_log (
id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
event_type text NOT NULL,
actor_id uuid REFERENCES paliad.users(id) ON DELETE SET NULL,
-- actor_email is captured at write time so the audit row survives a
-- subsequent user-deletion (FK above sets NULL, but the historical
-- identity stays readable).
actor_email text NOT NULL,
scope text NOT NULL CHECK (scope IN ('org', 'project', 'personal')),
-- scope_root is the project_id for scope='project'; NULL otherwise.
-- Not a hard FK because we want the audit row to outlive a project
-- deletion. Resolution happens at read time.
scope_root uuid,
metadata jsonb NOT NULL DEFAULT '{}'::jsonb,
created_at timestamptz NOT NULL DEFAULT now(),
updated_at timestamptz NOT NULL DEFAULT now()
);
-- Indexes mirror the read patterns:
-- - actor lookup ("show me what I've exported"): actor_id + created_at desc
-- - scope rollup ("how much org-wide activity in the last 30 days"): event_type + created_at desc
CREATE INDEX IF NOT EXISTS system_audit_log_actor_id_created_at_idx
ON paliad.system_audit_log (actor_id, created_at DESC);
CREATE INDEX IF NOT EXISTS system_audit_log_event_type_created_at_idx
ON paliad.system_audit_log (event_type, created_at DESC);
-- RLS: every authenticated user can SELECT their own rows (actor_id = auth.uid());
-- global_admins see everything. INSERT / UPDATE happen via the Go service path
-- under the migration-runner role (no end-user write surface) so no INSERT
-- policy is needed for end users.
ALTER TABLE paliad.system_audit_log ENABLE ROW LEVEL SECURITY;
DROP POLICY IF EXISTS system_audit_log_select_self ON paliad.system_audit_log;
CREATE POLICY system_audit_log_select_self ON paliad.system_audit_log
FOR SELECT
USING (actor_id = auth.uid());
DROP POLICY IF EXISTS system_audit_log_select_admin ON paliad.system_audit_log;
CREATE POLICY system_audit_log_select_admin ON paliad.system_audit_log
FOR SELECT
USING (
EXISTS (
SELECT 1 FROM paliad.users u
WHERE u.id = auth.uid()
AND u.global_role = 'global_admin'
)
);
COMMENT ON TABLE paliad.system_audit_log IS
'Org-wide / scope-spanning audit events. 6th source of AuditService union. Generic event_type + metadata jsonb. Initial users: data-export audit chain (t-paliad-214). Audit rows persist forever; artifact retention is separate.';
COMMENT ON COLUMN paliad.system_audit_log.actor_email IS
'Captured at write time so the audit row survives user deletion (actor_id FK uses ON DELETE SET NULL).';
COMMENT ON COLUMN paliad.system_audit_log.scope_root IS
'project_id for scope=project; NULL otherwise. Not a hard FK so audit survives project deletion.';

31
internal/db/migrations/102_upc_inf_track_aware_sequence.down.sql
View File

@@ -1,31 +0,0 @@
-- Revert mig 102 — restore the pre-mig-102 sequence_order values
-- (post-mig-100 state). Same two-phase swap pattern.
SELECT set_config(
'paliad.audit_reason',
'mig 102 down: restore pre-track-aware sequence_order on upc.inf.cfi rules',
true);
-- Phase 1: park
UPDATE paliad.deadline_rules SET sequence_order = 1011 WHERE submission_code = 'upc.inf.cfi.ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 20;
UPDATE paliad.deadline_rules SET sequence_order = 1012 WHERE submission_code = 'upc.inf.cfi.def_to_ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 22;
UPDATE paliad.deadline_rules SET sequence_order = 1013 WHERE submission_code = 'upc.inf.cfi.app_to_amend' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 30;
UPDATE paliad.deadline_rules SET sequence_order = 1020 WHERE submission_code = 'upc.inf.cfi.reply' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 12;
UPDATE paliad.deadline_rules SET sequence_order = 1021 WHERE submission_code = 'upc.inf.cfi.def_to_amend' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 32;
UPDATE paliad.deadline_rules SET sequence_order = 1022 WHERE submission_code = 'upc.inf.cfi.reply_def_ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 24;
UPDATE paliad.deadline_rules SET sequence_order = 1030 WHERE submission_code = 'upc.inf.cfi.rejoin' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 14;
UPDATE paliad.deadline_rules SET sequence_order = 1031 WHERE submission_code = 'upc.inf.cfi.reply_def_amd' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 34;
UPDATE paliad.deadline_rules SET sequence_order = 1032 WHERE submission_code = 'upc.inf.cfi.rejoin_reply_ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 26;
UPDATE paliad.deadline_rules SET sequence_order = 1033 WHERE submission_code = 'upc.inf.cfi.rejoin_amd' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 36;
-- Phase 2: assign originals
UPDATE paliad.deadline_rules SET sequence_order = 11 WHERE submission_code = 'upc.inf.cfi.ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1011;
UPDATE paliad.deadline_rules SET sequence_order = 12 WHERE submission_code = 'upc.inf.cfi.def_to_ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1012;
UPDATE paliad.deadline_rules SET sequence_order = 13 WHERE submission_code = 'upc.inf.cfi.app_to_amend' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1013;
UPDATE paliad.deadline_rules SET sequence_order = 20 WHERE submission_code = 'upc.inf.cfi.reply' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1020;
UPDATE paliad.deadline_rules SET sequence_order = 21 WHERE submission_code = 'upc.inf.cfi.def_to_amend' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1021;
UPDATE paliad.deadline_rules SET sequence_order = 22 WHERE submission_code = 'upc.inf.cfi.reply_def_ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1022;
UPDATE paliad.deadline_rules SET sequence_order = 30 WHERE submission_code = 'upc.inf.cfi.rejoin' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1030;
UPDATE paliad.deadline_rules SET sequence_order = 31 WHERE submission_code = 'upc.inf.cfi.reply_def_amd' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1031;
UPDATE paliad.deadline_rules SET sequence_order = 32 WHERE submission_code = 'upc.inf.cfi.rejoin_reply_ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1032;
UPDATE paliad.deadline_rules SET sequence_order = 33 WHERE submission_code = 'upc.inf.cfi.rejoin_amd' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1033;

211
internal/db/migrations/102_upc_inf_track_aware_sequence.up.sql
View File

@@ -1,211 +0,0 @@
-- t-paliad-207 — re-sequence upc.inf.cfi rules so within any tied-date
-- group the infringement-track responses sit ABOVE the revocation-
-- track responses ABOVE the amendment-track responses. m's ask
-- 2026-05-18 18:08: "the infringement parts (like Replik) should show
-- above the part for the revocation (Erwiderung Nichtigkeitswider-
-- klage)".
--
-- Three tracks coexist on upc.inf.cfi once the with_ccr / with_amend
-- flags are set. They share calendar dates because R.29 / R.30 / R.32
-- all key off the SoD or its descendants. The current sequence_orders
-- (post-mig 100) interleave them; the user sees Erwiderung-zur-CCR
-- before Replik even though Replik is the infringement-side response
-- to the same triggering event.
--
-- New sequence_order assignment (preserves the soc=0, prelim=5,
-- sod=10, ccr=11 anchors at the head; phase markers interim/oral/
-- decision/cost_app/appeal_spawn keep their existing 40/50/60/70/80
-- slots at the tail):
--
-- Old → New submission_code track date
-- --- --- --------------- ----- ----
-- 0 0 upc.inf.cfi.soc — D+0
-- 5 5 upc.inf.cfi.prelim — D+1mo
-- 10 10 upc.inf.cfi.sod infringement D+3mo
-- 11 20 upc.inf.cfi.ccr revocation D+3mo
-- 20 12 upc.inf.cfi.reply infringement D+5mo ← MOVED UP
-- 12 22 upc.inf.cfi.def_to_ccr revocation D+5mo
-- 13 30 upc.inf.cfi.app_to_amend amendment D+5mo
-- 30 14 upc.inf.cfi.rejoin infringement D+6mo ← MOVED UP
-- 22 24 upc.inf.cfi.reply_def_ccr revocation D+7mo
-- 21 32 upc.inf.cfi.def_to_amend amendment D+7mo
-- 32 26 upc.inf.cfi.rejoin_reply_ccr revocation D+8mo
-- 31 34 upc.inf.cfi.reply_def_amd amendment D+8mo
-- 33 36 upc.inf.cfi.rejoin_amd amendment D+9mo
-- 40 40 upc.inf.cfi.interim phase later
-- 50 50 upc.inf.cfi.oral phase later
-- 60 60 upc.inf.cfi.decision phase later
-- 70 70 upc.inf.cfi.cost_app phase later
-- 80 80 upc.inf.cfi.appeal_spawn phase later
--
-- Order within each tied-date group after the reshuffle:
-- D+3mo: sod(10), ccr(20) — SoD then its CCR
-- D+5mo: reply(12), def_to_ccr(22), app_to_amend(30) — inf → rev → amd
-- D+7mo: reply_def_ccr(24), def_to_amend(32) — rev → amd
-- D+8mo: rejoin_reply_ccr(26), reply_def_amd(34) — rev → amd
--
-- (no infringement-track rule at +7mo or +8mo so revocation leads
-- those dates; rejoin sits alone at +6mo so it has no peers to order
-- against.)
--
-- audit_reason set_config required at the top — the deadline_rules
-- audit trigger raises EXCEPTION 'audit reason required' on any
-- mutation without it (cf. mig 099 hotfix history).
--
-- Idempotency: every UPDATE is guarded by both the submission_code
-- AND the SOURCE sequence_order, so re-apply is a no-op once the new
-- numbers are in place.
SELECT set_config(
'paliad.audit_reason',
'mig 102: re-sequence upc.inf.cfi rules track-aware (infringement → revocation → amendment within tied-date groups; m''s 2026-05-18 ask, t-paliad-207 interactive session)',
true);
-- Two-phase swap to avoid sequence collisions during the UPDATE
-- (otherwise two rules can briefly share a sequence_order if Postgres
-- evaluates them in parallel). Phase 1: move every reshuffled rule to
-- a high temporary number (1000+). Phase 2: assign final numbers.
-- ─── Phase 1: park reshuffled rules at 1000+ ────────────────────────
UPDATE paliad.deadline_rules
SET sequence_order = 1011
WHERE submission_code = 'upc.inf.cfi.ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 11;
UPDATE paliad.deadline_rules
SET sequence_order = 1012
WHERE submission_code = 'upc.inf.cfi.def_to_ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 12;
UPDATE paliad.deadline_rules
SET sequence_order = 1013
WHERE submission_code = 'upc.inf.cfi.app_to_amend'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 13;
UPDATE paliad.deadline_rules
SET sequence_order = 1020
WHERE submission_code = 'upc.inf.cfi.reply'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 20;
UPDATE paliad.deadline_rules
SET sequence_order = 1021
WHERE submission_code = 'upc.inf.cfi.def_to_amend'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 21;
UPDATE paliad.deadline_rules
SET sequence_order = 1022
WHERE submission_code = 'upc.inf.cfi.reply_def_ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 22;
UPDATE paliad.deadline_rules
SET sequence_order = 1030
WHERE submission_code = 'upc.inf.cfi.rejoin'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 30;
UPDATE paliad.deadline_rules
SET sequence_order = 1031
WHERE submission_code = 'upc.inf.cfi.reply_def_amd'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 31;
UPDATE paliad.deadline_rules
SET sequence_order = 1032
WHERE submission_code = 'upc.inf.cfi.rejoin_reply_ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 32;
UPDATE paliad.deadline_rules
SET sequence_order = 1033
WHERE submission_code = 'upc.inf.cfi.rejoin_amd'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 33;
-- ─── Phase 2: assign final track-aware numbers ──────────────────────
UPDATE paliad.deadline_rules
SET sequence_order = 12
WHERE submission_code = 'upc.inf.cfi.reply'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1020;
UPDATE paliad.deadline_rules
SET sequence_order = 14
WHERE submission_code = 'upc.inf.cfi.rejoin'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1030;
UPDATE paliad.deadline_rules
SET sequence_order = 20
WHERE submission_code = 'upc.inf.cfi.ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1011;
UPDATE paliad.deadline_rules
SET sequence_order = 22
WHERE submission_code = 'upc.inf.cfi.def_to_ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1012;
UPDATE paliad.deadline_rules
SET sequence_order = 24
WHERE submission_code = 'upc.inf.cfi.reply_def_ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1022;
UPDATE paliad.deadline_rules
SET sequence_order = 26
WHERE submission_code = 'upc.inf.cfi.rejoin_reply_ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1032;
UPDATE paliad.deadline_rules
SET sequence_order = 30
WHERE submission_code = 'upc.inf.cfi.app_to_amend'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1013;
UPDATE paliad.deadline_rules
SET sequence_order = 32
WHERE submission_code = 'upc.inf.cfi.def_to_amend'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1021;
UPDATE paliad.deadline_rules
SET sequence_order = 34
WHERE submission_code = 'upc.inf.cfi.reply_def_amd'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1031;
UPDATE paliad.deadline_rules
SET sequence_order = 36
WHERE submission_code = 'upc.inf.cfi.rejoin_amd'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1033;

125
internal/handlers/export.go Normal file
View File

@@ -0,0 +1,125 @@
package handlers
// Data-export handlers (t-paliad-214).
//
// Slice 1 ships the personal scope only:
//
// GET /api/me/export → streams a personal-scope export .zip
//
// Slices 2 + 3 (project + org) layer onto this file when they ship.
//
// Authentication: the existing protected mux middleware (auth.Middleware +
// auth.WithUserID) populates the user UUID in the context. We do not gate
// on global_role here — personal export is available to every authenticated
// user.
import (
"bytes"
"context"
"fmt"
"log"
"net/http"
"strconv"
"time"
"mgit.msbls.de/m/paliad/internal/services"
)
// exportRequestTimeout caps any single export request. Personal-scope
// exports at firm-scale data shape complete in well under this; the
// timeout is the watchdog that surfaces "too large for sync" loudly
// (the user gets a 503 and slice 3's async path becomes the answer).
const exportRequestTimeout = 30 * time.Second
// handleMeExport streams the caller's personal-scope export .zip.
//
// Order of operations:
//
// 1. Validate auth + db wiring.
// 2. Look up the caller's user row for actor_email / actor_label.
// 3. Write an audit row (event_type='data_export', scope='personal').
// 4. Run the export into an in-memory buffer (so we can patch the
// audit row with file_size_bytes before flushing to the client).
// 5. Set headers + flush.
// 6. Patch the audit row with success (row_counts + file_size).
// On any error after step 3, the audit row is patched as failed.
func handleMeExport(w http.ResponseWriter, r *http.Request) {
if !requireDB(w) {
return
}
uid, ok := requireUser(w, r)
if !ok {
return
}
if dbSvc.export == nil {
writeJSON(w, http.StatusServiceUnavailable, map[string]string{
"error": "export service not configured",
})
return
}
// Apply the per-request watchdog.
ctx, cancel := context.WithTimeout(r.Context(), exportRequestTimeout)
defer cancel()
user, err := dbSvc.users.GetByID(ctx, uid)
if err != nil || user == nil {
log.Printf("export: user lookup failed for %s: %v", uid, err)
writeJSON(w, http.StatusInternalServerError, map[string]string{
"error": "user lookup failed",
})
return
}
spec := services.ExportSpec{
Scope: services.ExportScopePersonal,
ActorID: uid,
ActorEmail: user.Email,
ActorLabel: user.DisplayName,
GeneratedAt: time.Now().UTC(),
}
auditID, err := dbSvc.export.WriteAuditRow(ctx, spec)
if err != nil {
log.Printf("export: audit insert failed for %s: %v", uid, err)
writeJSON(w, http.StatusInternalServerError, map[string]string{
"error": "audit write failed",
})
return
}
// Generate into a memory buffer so we can size + audit-patch BEFORE
// writing to the response (otherwise headers are committed and we
// can't return a 500 if anything fails). At personal scale this is a
// sub-megabyte buffer.
var buf bytes.Buffer
meta, err := dbSvc.export.WritePersonal(ctx, &buf, spec)
if err != nil {
dbSvc.export.PatchAuditRowFailure(context.Background(), auditID, err.Error())
log.Printf("export: WritePersonal failed for %s (audit=%s): %v", uid, auditID, err)
writeJSON(w, http.StatusInternalServerError, map[string]string{
"error": "export generation failed",
})
return
}
filename := services.ExportFilename(services.ExportScopePersonal, "", spec.GeneratedAt)
size := int64(buf.Len())
if err := dbSvc.export.PatchAuditRowSuccess(ctx, auditID, meta, size); err != nil {
// Audit-patch failure isn't fatal to the user — they still get
// their export. Log it; the data already left the system.
log.Printf("export: audit patch failed for %s (audit=%s): %v", uid, auditID, err)
}
w.Header().Set("Content-Type", "application/zip")
w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename=%q`, filename))
w.Header().Set("Content-Length", strconv.FormatInt(size, 10))
w.Header().Set("X-Paliad-Export-Audit-Id", auditID.String())
if _, err := w.Write(buf.Bytes()); err != nil {
// Connection dropped mid-flush — the user didn't get the file.
// We don't patch the audit row a second time; the success patch
// already recorded the row counts. A separate event would be
// noise (the failure is at the network layer, not in our path).
log.Printf("export: response write failed for %s (audit=%s): %v", uid, auditID, err)
}
}

24
internal/handlers/handlers.go
View File

@@ -71,6 +71,7 @@ type Services struct {
Pin *services.PinService
CardLayout *services.CardLayoutService
Projection *services.ProjectionService
Export *services.ExportService
// Paliadin is wired when DATABASE_URL is set. The concrete backend
// is picked in cmd/server/main.go based on PALIADIN_REMOTE_HOST
@@ -125,9 +126,21 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
pin: svc.Pin,
cardLayout: svc.CardLayout,
projection: svc.Projection,
export: svc.Export,
}
}
// Liveness probe. Public, no auth, no DB touch — just confirms the
// process bound the listener and the goroutine is alive. Used by the
// boot-smoke test (cmd/server/main_smoke_test.go) to assert the server
// reaches a serving state after migrations apply; also safe for any
// future container orchestrator or uptime check.
mux.HandleFunc("GET /healthz", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Cache-Control", "no-store")
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
_, _ = w.Write([]byte("ok\n"))
})
// API endpoints (JSON, public)
mux.HandleFunc("POST /api/login", handleAPILogin)
mux.HandleFunc("POST /api/register", handleAPIRegister)
@@ -159,6 +172,13 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
mux.Handle("GET /icons/", noCacheAssets(http.StripPrefix("/icons/", http.FileServer(http.Dir("dist/icons")))))
mux.HandleFunc("GET /sw.js", servePWAServiceWorker)
// HL Patents Style auto-update endpoint. version.json is the manifest
// the installed Word client polls; HL-Patents-Style.dotm is fetched on
// version mismatch. Source files live in frontend/public/patentstyle/
// (copied into dist/ at build time). noCacheAssets ensures the manifest
// is never stale after a release.
mux.Handle("GET /patentstyle/", noCacheAssets(http.StripPrefix("/patentstyle/", http.FileServer(http.Dir("dist/patentstyle")))))
// Protected routes
protected := http.NewServeMux()
protected.HandleFunc("GET /tools/kostenrechner", handleKostenrechnerPage)
@@ -333,6 +353,10 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
protected.HandleFunc("GET /api/me", handleGetMe)
protected.HandleFunc("PATCH /api/me", handleUpdateMe)
// t-paliad-214 Slice 1 — personal-scope data export. Bundles xlsx +
// JSON + per-sheet CSVs in one deterministic .zip; streams the result
// inline. Audit row written to paliad.system_audit_log.
protected.HandleFunc("GET /api/me/export", handleMeExport)
protected.HandleFunc("GET /api/users", handleListUsers)
protected.HandleFunc("GET /api/offices", handleListOffices)
protected.HandleFunc("GET /api/dashboard", handleDashboardAPI)

1
internal/handlers/projects.go
View File

@@ -52,6 +52,7 @@ type dbServices struct {
pin *services.PinService
cardLayout *services.CardLayoutService
projection *services.ProjectionService
export *services.ExportService
}
var dbSvc *dbServices

23
internal/services/audit_service.go
View File

@@ -9,6 +9,7 @@ package services
// - paliad.reminder_log — bundled-digest reminder sends
// - paliad.partner_unit_events — partner-unit CRUD + membership changes
// - paliad.policy_audit_log — approval-policy CRUD (t-paliad-154)
// - paliad.system_audit_log — org-wide / scope-spanning actions (t-paliad-214)
//
// The union happens in SQL (one round-trip, server-side ordering) and is
// keyset-paginated on (timestamp, id) DESC so the cursor stays stable across
@@ -37,6 +38,7 @@ const (
AuditSourceReminderLog = "reminder_log"
AuditSourcePartnerUnitEvents = "partner_unit_events"
AuditSourcePolicyAuditLog = "policy_audit_log"
AuditSourceSystemAuditLog = "system_audit_log"
)
// MaxAuditPageLimit caps a single ListEntries page.
@@ -216,6 +218,27 @@ WITH unioned AS (
WHERE ($1::text IS NULL OR $1 = '' OR $1 = 'policy_audit_log')
AND ($2::timestamptz IS NULL OR pal.created_at >= $2)
AND ($3::timestamptz IS NULL OR pal.created_at <= $3)
UNION ALL
-- t-paliad-214 — org-wide / scope-spanning actions. First user is the
-- data-export audit chain. scope_root is the project_id for
-- scope='project'; NULL otherwise. project_id forwarded so timeline
-- filtering by project surfaces project-scope exports too.
SELECT
'system_audit_log'::text AS source,
sal.id AS id,
sal.created_at AS ts,
sal.event_type AS event_type,
sal.actor_email AS actor,
COALESCE(sal.scope, 'system') AS subject,
sal.scope_root AS project_id,
NULL::text AS title,
sal.metadata::text AS description
FROM paliad.system_audit_log sal
WHERE ($1::text IS NULL OR $1 = '' OR $1 = 'system_audit_log')
AND ($2::timestamptz IS NULL OR sal.created_at >= $2)
AND ($3::timestamptz IS NULL OR sal.created_at <= $3)
)
SELECT source, id, ts, event_type, actor, subject, project_id, title, description
FROM unioned

956
internal/services/export_service.go Normal file
View File

@@ -0,0 +1,956 @@
package services
// ExportService streams a paliad data-export bundle to an io.Writer.
//
// One .zip per export, containing:
//
// - paliad-export.xlsx canonical workbook, one sheet per entity
// - paliad-export.json Excel-independent re-ingest twin
// - csv/<sheet>.csv per-sheet flat tables (RFC 4180 + UTF-8 BOM)
// - README.txt human-readable explainer
// - __meta.json standalone meta (same as the __meta sheet)
//
// Three scopes (per docs/design-paliad-data-export-2026-05-19.md):
//
// - personal — caller's RLS-visible projection + personal sidecars
// - project — one project + its ltree subtree (slice 2, not in this file yet)
// - org — full schema dump (slice 3, async path)
//
// Slice 1 ships personal only; the writer abstraction is scope-aware so
// slices 2 + 3 layer on without rewriting the core.
//
// Determinism: sheets emitted in a fixed canonical order; rows ordered by
// id ASC (or another stable tuple where no id exists); JSON object keys
// sorted alphabetically; the outer zip writes its file list in sorted
// order. Same row-state → identical bytes. The only non-deterministic
// field is __meta.generated_at, externalised to the filename.
//
// PII posture:
//
// - Column names matching (?i)secret|token|password|api[_-]?key|private[_-]?key
// are dropped at column-discovery time and recorded in __meta.warnings.
// - Specific column overrides (user_caldav_config.password_encrypted,
// invitations.token where it exists, etc.) live in the sheet definitions
// as explicit column-filter lists.
// - paliadin_turns is OFF in org scope and ON in personal scope (it's
// literally the caller's own data). Org-scope exclusion is structural
// (sheet absent from the registry), not just column-level.
import (
"archive/zip"
"context"
"crypto/rand"
"encoding/hex"
"encoding/json"
"encoding/csv"
"fmt"
"io"
"regexp"
"sort"
"strings"
"time"
"github.com/google/uuid"
"github.com/jmoiron/sqlx"
"github.com/xuri/excelize/v2"
)
// Export scope discriminators. Stable strings — exposed in the audit row
// and the __meta sheet.
const (
ExportScopePersonal = "personal"
ExportScopeProject = "project"
ExportScopeOrg = "org"
)
// ExportSchemaVersion is bumped whenever the on-disk shape changes in a
// way that requires importers to adapt. v1 is the slice-1/2/3 baseline.
const ExportSchemaVersion = 1
// PII column-name deny regex. Any column whose name matches is dropped
// during column discovery and recorded in __meta.warnings. The list of
// known column names (e.g. user_caldav_config.password_encrypted) is
// deliberately covered by the regex too — explicit + regex belt-and-braces.
var piiColumnDenyRegex = regexp.MustCompile(`(?i)secret|token|password|api[_-]?key|private[_-]?key`)
// ExportService writes a scoped export bundle. Stateless except for the
// DB handle + firm-name display string.
type ExportService struct {
db *sqlx.DB
firmName string
}
// NewExportService wires the service. firmName is read once at process
// start from internal/branding.Name and embedded in every export's __meta.
func NewExportService(db *sqlx.DB, firmName string) *ExportService {
return &ExportService{db: db, firmName: firmName}
}
// ExportMeta is the bundle metadata. Stored on the __meta sheet, in
// __meta.json, and as part of the audit row.
type ExportMeta struct {
SchemaVersion int `json:"schema_version"`
FirmName string `json:"firm_name"`
Scope string `json:"scope"`
ScopeRootID *uuid.UUID `json:"scope_root_id,omitempty"`
GeneratedAt time.Time `json:"generated_at"`
GeneratedByID uuid.UUID `json:"generated_by_user_id"`
GeneratedByEml string `json:"generated_by_user_email"`
GeneratedByLbl string `json:"generated_by_user_label"`
RowCounts map[string]int `json:"row_counts"`
Warnings []string `json:"warnings,omitempty"`
PaliadVersion string `json:"paliad_version,omitempty"`
Notes string `json:"notes,omitempty"`
}
// ExportSpec is the per-run inputs.
type ExportSpec struct {
Scope string
ScopeRoot *uuid.UUID // project_id when Scope==ExportScopeProject; nil otherwise
ActorID uuid.UUID
ActorEmail string
ActorLabel string // display_name for the audit + meta
GeneratedAt time.Time
}
// sheetQuery is one entity sheet's SQL recipe. Sheets emit in the order
// they appear in the registry, which is fixed (alphabetical inside each
// scope-prefix group). args are sqlx-positional.
type sheetQuery struct {
// SheetName lands in the workbook sheet, the JSON top-level key, and
// the CSV filename stem. snake_case, ≤31 chars (Excel's hard limit).
SheetName string
// SQL runs as-is; should select rows in a deterministic order (ORDER
// BY id ASC or a comparable stable tuple).
SQL string
// Args are sqlx-positional, bound 1:1 against the SQL's $1, $2, ….
Args []any
// DropColumns is an explicit list of column names to drop from the
// result regardless of the regex deny-list. Used for jsonb columns
// that contain credentials, or paliadin response bodies in org scope.
DropColumns []string
}
// WritePersonal streams the caller's personal-scope bundle into w. Returns
// the meta (incl. row_counts) for audit-row patching.
//
// Order of operations:
//
// 1. Build the sheet-query registry for the caller's visible set.
// 2. Execute each query, materialise rows + columns + types.
// 3. Run column-discovery + PII filter, collect warnings.
// 4. Write the xlsx (excelize streaming writer), JSON, and CSVs into a
// memory buffer (small at personal-scope sizes — ≪ 10MB is normal).
// 5. Bundle into the outer zip in deterministic file-list order.
//
// The handler is responsible for the audit-row INSERT before calling +
// the UPDATE after the call returns. We do not write the audit row here
// because the handler also needs to decide what to do on failure (the
// audit row gets a separate event_type='data_export_failed' UPDATE in
// that case).
func (s *ExportService) WritePersonal(ctx context.Context, w io.Writer, spec ExportSpec) (ExportMeta, error) {
if spec.Scope == "" {
spec.Scope = ExportScopePersonal
}
if spec.GeneratedAt.IsZero() {
spec.GeneratedAt = time.Now().UTC()
}
meta := ExportMeta{
SchemaVersion: ExportSchemaVersion,
FirmName: s.firmName,
Scope: spec.Scope,
GeneratedAt: spec.GeneratedAt,
GeneratedByID: spec.ActorID,
GeneratedByEml: spec.ActorEmail,
GeneratedByLbl: spec.ActorLabel,
RowCounts: map[string]int{},
}
sheets := personalSheetQueries(spec.ActorID)
if err := s.writeBundle(ctx, w, sheets, &meta); err != nil {
return meta, err
}
return meta, nil
}
// collectedSheet holds one sheet's data after column-discovery + row
// materialisation. Used to hand data from writeBundle to buildXLSX +
// buildJSON + buildCSV.
type collectedSheet struct {
name string
columns []string
rows [][]string // pre-stringified for cell writes
}
// writeBundle is the scope-agnostic core. Runs each query, writes one
// xlsx sheet + one JSON branch + one CSV per sheet, packs everything into
// the outer zip in sorted file-list order so two runs of the same row
// state produce byte-identical bundles.
func (s *ExportService) writeBundle(ctx context.Context, w io.Writer, sheets []sheetQuery, meta *ExportMeta) error {
collectedSheets := make([]collectedSheet, 0, len(sheets))
jsonTables := make(map[string][]map[string]string, len(sheets))
warnings := []string{}
for _, sq := range sheets {
cols, rowMatrix, dropped, err := s.runSheetQuery(ctx, sq)
if err != nil {
return fmt.Errorf("export sheet %q: %w", sq.SheetName, err)
}
for _, c := range dropped {
warnings = append(warnings, fmt.Sprintf("sheet=%s column=%s dropped (PII deny-list)", sq.SheetName, c))
}
collectedSheets = append(collectedSheets, collectedSheet{
name: sq.SheetName,
columns: cols,
rows: rowMatrix,
})
// JSON twin: one object per row, keyed by column name. We accept
// the value-as-string convention so JSON shape matches CSV shape
// 1:1 — anyone re-ingesting can re-parse with the same rules.
jsonRows := make([]map[string]string, 0, len(rowMatrix))
for _, r := range rowMatrix {
obj := make(map[string]string, len(cols))
for i, c := range cols {
if i < len(r) {
obj[c] = r[i]
}
}
jsonRows = append(jsonRows, obj)
}
jsonTables[sq.SheetName] = jsonRows
meta.RowCounts[sq.SheetName] = len(rowMatrix)
}
sort.Strings(warnings)
meta.Warnings = warnings
// --- build the xlsx in a memory buffer ---
xlsxBytes, err := buildXLSX(collectedSheets, *meta)
if err != nil {
return fmt.Errorf("export build xlsx: %w", err)
}
// --- build the JSON twin ---
jsonBytes, err := buildJSON(jsonTables, *meta)
if err != nil {
return fmt.Errorf("export build json: %w", err)
}
// --- build per-sheet CSVs (in-memory map, written in sorted order) ---
csvBlobs := map[string][]byte{}
for _, c := range collectedSheets {
b, err := buildCSV(c.columns, c.rows)
if err != nil {
return fmt.Errorf("export build csv %q: %w", c.name, err)
}
csvBlobs[c.name] = b
}
// --- build __meta.json + README.txt ---
metaJSON, err := json.MarshalIndent(*meta, "", " ")
if err != nil {
return fmt.Errorf("export marshal meta: %w", err)
}
readme := buildREADME(*meta)
// --- assemble outer zip in deterministic file order ---
type zipEntry struct {
name string
body []byte
}
entries := []zipEntry{
{"README.txt", []byte(readme)},
{"__meta.json", metaJSON},
{"paliad-export.json", jsonBytes},
{"paliad-export.xlsx", xlsxBytes},
}
csvNames := make([]string, 0, len(csvBlobs))
for name := range csvBlobs {
csvNames = append(csvNames, name)
}
sort.Strings(csvNames)
for _, name := range csvNames {
entries = append(entries, zipEntry{"csv/" + name + ".csv", csvBlobs[name]})
}
sort.Slice(entries, func(i, j int) bool { return entries[i].name < entries[j].name })
zw := zip.NewWriter(w)
// Force a fixed Modified time on every entry so the zip header bytes
// don't drift between runs. archive/zip otherwise stamps Modified
// with time.Now() which would defeat the deterministic guarantee.
fixedMod := time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)
for _, e := range entries {
hdr := &zip.FileHeader{
Name: e.name,
Method: zip.Deflate,
Modified: fixedMod,
}
fw, err := zw.CreateHeader(hdr)
if err != nil {
return fmt.Errorf("export zip header %q: %w", e.name, err)
}
if _, err := fw.Write(e.body); err != nil {
return fmt.Errorf("export zip write %q: %w", e.name, err)
}
}
if err := zw.Close(); err != nil {
return fmt.Errorf("export zip close: %w", err)
}
return nil
}
// runSheetQuery executes one sheetQuery and returns the kept columns,
// row matrix (pre-stringified per the design's value-as-string convention),
// and the list of columns that were dropped by the PII filter.
func (s *ExportService) runSheetQuery(ctx context.Context, sq sheetQuery) (cols []string, rows [][]string, dropped []string, err error) {
rs, err := s.db.QueryxContext(ctx, sq.SQL, sq.Args...)
if err != nil {
return nil, nil, nil, fmt.Errorf("query: %w", err)
}
defer rs.Close()
rawCols, err := rs.Columns()
if err != nil {
return nil, nil, nil, fmt.Errorf("columns: %w", err)
}
// Filter columns through the PII deny-list + the per-sheet drop set.
keepIdx := make([]int, 0, len(rawCols))
keepCols := make([]string, 0, len(rawCols))
drops := map[string]bool{}
for _, c := range sq.DropColumns {
drops[c] = true
}
for i, c := range rawCols {
if drops[c] || piiColumnDenyRegex.MatchString(c) {
dropped = append(dropped, c)
continue
}
keepIdx = append(keepIdx, i)
keepCols = append(keepCols, c)
}
for rs.Next() {
// Read raw values; Postgres returns text/numeric/etc as []byte,
// uuids as []byte, jsonb as []byte. The map-row helper picks the
// right Go type per column via reflection.
rawRow := make([]any, len(rawCols))
ptrs := make([]any, len(rawCols))
for i := range rawRow {
ptrs[i] = &rawRow[i]
}
if err := rs.Scan(ptrs...); err != nil {
return nil, nil, nil, fmt.Errorf("scan: %w", err)
}
out := make([]string, len(keepIdx))
for j, srcIdx := range keepIdx {
out[j] = formatCellValue(rawRow[srcIdx])
}
rows = append(rows, out)
}
if err := rs.Err(); err != nil {
return nil, nil, nil, fmt.Errorf("rows: %w", err)
}
return keepCols, rows, dropped, nil
}
// formatCellValue renders a Postgres-driver value as the canonical export
// string. Conventions per design §3.1:
//
// - timestamptz → RFC3339 UTC ("2026-05-19T14:23:00Z")
// - date → ISO 8601 ("2026-05-19")
// - booleans → "TRUE" / "FALSE"
// - []byte that is valid JSON → compact JSON string (jsonb columns)
// - []byte that looks like UUID/text → string
// - nil → "" (the empty cell)
// - arrays → semicolon-joined (Postgres returns text[] as "{a,b}" via lib/pq)
//
// Returning strings (vs typed Excel values) is intentional — see design
// §3.1 (Q4 = ISO strings only).
func formatCellValue(v any) string {
if v == nil {
return ""
}
switch x := v.(type) {
case bool:
if x {
return "TRUE"
}
return "FALSE"
case time.Time:
// Try date-only when the value is exactly midnight UTC (Postgres
// returns DATE columns as time.Time with H/M/S/N all zero).
if x.Hour() == 0 && x.Minute() == 0 && x.Second() == 0 && x.Nanosecond() == 0 && (x.Location() == time.UTC || x.Location() == time.Local) {
// Heuristic: if year < 2 it's likely the zero value
if x.Year() < 2 {
return ""
}
return x.UTC().Format("2006-01-02")
}
return x.UTC().Format(time.RFC3339)
case []byte:
// jsonb columns come back as []byte holding valid JSON. Pass them
// through verbatim (one-liner) so PowerQuery's Json.Document can
// re-parse. Non-JSON []byte is treated as a UTF-8 string.
s := string(x)
trim := strings.TrimSpace(s)
if strings.HasPrefix(trim, "{") || strings.HasPrefix(trim, "[") {
// Compactify so the cell has no embedded newlines.
var raw json.RawMessage = []byte(trim)
if b, err := json.Marshal(raw); err == nil {
return string(b)
}
return trim
}
return s
case string:
return x
case int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64, float32, float64:
return fmt.Sprintf("%v", x)
default:
return fmt.Sprintf("%v", x)
}
}
// buildXLSX assembles the workbook from the collected sheets + meta. Uses
// excelize's row-by-row writer; at personal/project scale the dataset
// fits comfortably in memory. Returns the xlsx-file bytes.
func buildXLSX(sheets []collectedSheet, meta ExportMeta) ([]byte, error) {
f := excelize.NewFile()
defer f.Close()
// excelize creates a default "Sheet1" we want to rename to __meta.
const metaName = "__meta"
first := f.GetSheetName(0)
if first != metaName {
if err := f.SetSheetName(first, metaName); err != nil {
return nil, err
}
}
// Write meta as key/value rows.
metaRows := metaToKeyValueRows(meta)
for i, kv := range metaRows {
cellA, _ := excelize.CoordinatesToCellName(1, i+1)
cellB, _ := excelize.CoordinatesToCellName(2, i+1)
if err := f.SetCellValue(metaName, cellA, kv[0]); err != nil {
return nil, err
}
if err := f.SetCellValue(metaName, cellB, kv[1]); err != nil {
return nil, err
}
}
// One sheet per entity, columns in column-discovery order (= SELECT
// order = stable across runs because the SQL is fixed).
for _, sh := range sheets {
// Excel sheet name limit is 31 chars; truncate defensively (none
// of our names hit it today, but the personal-scope users_referenced
// sheet is right at the edge).
sheetName := sh.name
if len(sheetName) > 31 {
sheetName = sheetName[:31]
}
if _, err := f.NewSheet(sheetName); err != nil {
return nil, err
}
// Stream rows via the row-by-row API (NewStreamWriter is faster
// but it forbids re-opening sheets and silently truncates writes
// past the streamer's offset — at our scale the simple API is
// safer and the perf cost is negligible).
// Header row
for ci, col := range sh.columns {
cell, _ := excelize.CoordinatesToCellName(ci+1, 1)
if err := f.SetCellValue(sheetName, cell, col); err != nil {
return nil, err
}
}
for ri, row := range sh.rows {
for ci, val := range row {
cell, _ := excelize.CoordinatesToCellName(ci+1, ri+2)
if err := f.SetCellValue(sheetName, cell, val); err != nil {
return nil, err
}
}
}
// Freeze the header row.
_ = f.SetPanes(sheetName, &excelize.Panes{
Freeze: true,
YSplit: 1,
})
}
// Write to buffer.
var buf strings.Builder
// excelize writes to an io.Writer via WriteTo
bw := &byteBuf{}
if _, err := f.WriteTo(bw); err != nil {
return nil, err
}
_ = buf // silence unused (kept for clarity that we considered a strings.Builder)
return bw.Bytes(), nil
}
// byteBuf is a tiny io.Writer that accumulates into a byte slice. We don't
// use bytes.Buffer because we need WriteTo to round-trip the result and
// bytes.Buffer's interface is wider than we need.
type byteBuf struct{ b []byte }
func (b *byteBuf) Write(p []byte) (int, error) {
b.b = append(b.b, p...)
return len(p), nil
}
func (b *byteBuf) Bytes() []byte { return b.b }
// metaToKeyValueRows flattens the meta into stable (key, value) tuples
// in a fixed key order for the __meta sheet.
func metaToKeyValueRows(m ExportMeta) [][2]string {
rows := [][2]string{
{"schema_version", fmt.Sprintf("%d", m.SchemaVersion)},
{"firm_name", m.FirmName},
{"scope", m.Scope},
}
if m.ScopeRootID != nil {
rows = append(rows, [2]string{"scope_root_id", m.ScopeRootID.String()})
} else {
rows = append(rows, [2]string{"scope_root_id", ""})
}
rows = append(rows,
[2]string{"generated_at", m.GeneratedAt.UTC().Format(time.RFC3339)},
[2]string{"generated_by_user_id", m.GeneratedByID.String()},
[2]string{"generated_by_user_email", m.GeneratedByEml},
[2]string{"generated_by_user_label", m.GeneratedByLbl},
[2]string{"paliad_version", m.PaliadVersion},
[2]string{"notes", m.Notes},
)
// Row counts as one row per sheet (sorted).
names := make([]string, 0, len(m.RowCounts))
for k := range m.RowCounts {
names = append(names, k)
}
sort.Strings(names)
for _, n := range names {
rows = append(rows, [2]string{"row_count." + n, fmt.Sprintf("%d", m.RowCounts[n])})
}
for _, w := range m.Warnings {
rows = append(rows, [2]string{"warning", w})
}
return rows
}
// buildJSON produces the JSON twin. Top-level shape:
//
// {
// "meta": { ... },
// "tables": { "<sheet>": [ {"<col>": "<val>", ...}, ... ] }
// }
//
// Keys in every map are alphabetically sorted (encoding/json does this by
// default for map[string]X, which is what we use everywhere).
func buildJSON(tables map[string][]map[string]string, meta ExportMeta) ([]byte, error) {
payload := map[string]any{
"meta": meta,
"tables": tables,
}
return json.MarshalIndent(payload, "", " ")
}
// buildCSV emits a UTF-8-BOM-prefixed CSV with RFC 4180 quoting. The BOM
// makes Excel-DE open the file with the correct encoding instead of
// guessing windows-1252 and corrupting umlauts.
func buildCSV(cols []string, rows [][]string) ([]byte, error) {
var buf byteBuf
// UTF-8 BOM
buf.Write([]byte{0xEF, 0xBB, 0xBF})
w := csv.NewWriter(&buf)
if err := w.Write(cols); err != nil {
return nil, err
}
for _, r := range rows {
if err := w.Write(r); err != nil {
return nil, err
}
}
w.Flush()
if err := w.Error(); err != nil {
return nil, err
}
return buf.Bytes(), nil
}
// buildREADME produces a short human-readable explainer embedded as the
// first file in the bundle. Bilingual (DE primary, EN secondary).
func buildREADME(m ExportMeta) string {
var b strings.Builder
fmt.Fprintf(&b, "Paliad Datenexport (%s)\n", m.FirmName)
fmt.Fprintf(&b, "============================\n\n")
fmt.Fprintf(&b, "Erstellt am : %s\n", m.GeneratedAt.UTC().Format(time.RFC3339))
fmt.Fprintf(&b, "Erstellt von : %s <%s>\n", m.GeneratedByLbl, m.GeneratedByEml)
fmt.Fprintf(&b, "Umfang : %s\n", m.Scope)
fmt.Fprintf(&b, "Schema-Version: %d\n", m.SchemaVersion)
fmt.Fprintf(&b, "\n")
fmt.Fprintf(&b, "Inhalt\n------\n")
fmt.Fprintf(&b, "- paliad-export.xlsx — kanonische Excel-Mappe (eine Tabelle pro Entität)\n")
fmt.Fprintf(&b, "- paliad-export.json — maschinenlesbare Kopie der gleichen Daten\n")
fmt.Fprintf(&b, "- csv/<sheet>.csv — Tabellen einzeln als CSV (UTF-8 mit BOM)\n")
fmt.Fprintf(&b, "- __meta.json — Metadaten dieses Exports (auch im __meta-Sheet)\n")
fmt.Fprintf(&b, "\n")
fmt.Fprintf(&b, "Zeilen pro Tabelle:\n")
names := make([]string, 0, len(m.RowCounts))
for k := range m.RowCounts {
names = append(names, k)
}
sort.Strings(names)
for _, n := range names {
fmt.Fprintf(&b, " %-32s %d\n", n, m.RowCounts[n])
}
fmt.Fprintf(&b, "\n")
fmt.Fprintf(&b, "Hinweise\n--------\n")
fmt.Fprintf(&b, "Diese Datei enthält möglicherweise vertrauliche Mandantsdaten.\n")
fmt.Fprintf(&b, "Sie wurde erzeugt am %s durch %s aus Paliad (%s).\n", m.GeneratedAt.UTC().Format(time.RFC3339), m.GeneratedByEml, m.FirmName)
fmt.Fprintf(&b, "Die Weitergabe an Dritte erfolgt in eigener Verantwortung des Empfängers.\n")
fmt.Fprintf(&b, "\n")
fmt.Fprintf(&b, "Passwörter, CalDAV-Zugangsdaten, Einladungstoken und andere Geheimnisse\n")
fmt.Fprintf(&b, "werden NIE exportiert (Spalten-Filter und allgemeine Deny-Regel).\n")
fmt.Fprintf(&b, "\n")
fmt.Fprintf(&b, "--- English ---\n\n")
fmt.Fprintf(&b, "This Paliad export bundle contains structured data of the scope above.\n")
fmt.Fprintf(&b, "Open paliad-export.xlsx in Excel/LibreOffice, or parse paliad-export.json\n")
fmt.Fprintf(&b, "with any JSON-capable tool. CSVs are RFC 4180 with a UTF-8 BOM.\n")
fmt.Fprintf(&b, "\n")
fmt.Fprintf(&b, "Dates are ISO 8601 strings; timestamps are RFC 3339 UTC. Booleans are\n")
fmt.Fprintf(&b, "the literal strings TRUE/FALSE. JSON-typed columns are stored as compact\n")
fmt.Fprintf(&b, "one-line JSON in each cell.\n")
fmt.Fprintf(&b, "\n")
fmt.Fprintf(&b, "This bundle is byte-deterministic: two exports of the same row state\n")
fmt.Fprintf(&b, "produce identical zip bytes (modulo the generated_at field stored on\n")
fmt.Fprintf(&b, "the __meta sheet and in __meta.json).\n")
return b.String()
}
// ExportFilename returns the canonical filename for a download. Slugify is
// minimal — only the project-scope variant has a free-text component to
// sanitise.
func ExportFilename(scope string, scopeLabel string, generatedAt time.Time) string {
ts := generatedAt.UTC().Format("2006-01-02T1504Z")
switch scope {
case ExportScopePersonal:
return fmt.Sprintf("paliad-export-personal-%s.zip", ts)
case ExportScopeOrg:
return fmt.Sprintf("paliad-export-org-%s.zip", ts)
case ExportScopeProject:
slug := slugifyFilename(scopeLabel)
if slug == "" {
slug = randomSlug()
}
return fmt.Sprintf("paliad-export-project-%s-%s.zip", slug, ts)
default:
return fmt.Sprintf("paliad-export-%s.zip", ts)
}
}
var filenameSafeRegex = regexp.MustCompile(`[^A-Za-z0-9-]+`)
func slugifyFilename(s string) string {
s = strings.TrimSpace(s)
s = filenameSafeRegex.ReplaceAllString(s, "-")
s = strings.Trim(s, "-")
if len(s) > 40 {
s = s[:40]
}
return s
}
func randomSlug() string {
var b [4]byte
_, _ = rand.Read(b[:])
return hex.EncodeToString(b[:])
}
// ---------------------------------------------------------------------------
// Personal-scope sheet registry.
// ---------------------------------------------------------------------------
//
// Per design §2.3, "personal scope" is the RLS-visible projection plus
// caller-personal sidecars. Every visible-projects query goes through
// visibilityPredicatePositional so the gate is the same as runtime list
// endpoints. The ?-positional binding takes the caller's user_id at $1.
//
// Ordering: every SELECT uses `ORDER BY id` (or the natural stable
// sort-tuple for tables without an id PK) to keep two-runs-same-state
// byte-deterministic.
func personalSheetQueries(actorID uuid.UUID) []sheetQuery {
uid := actorID
visiblePProj := visibilityPredicatePositional("p", 1)
// The visible-projects CTE is used by all entity sheets that scope by
// project_id. Building it inline keeps each sheet's SQL self-contained
// for readability + lets the query planner choose its own join order.
visibleProjectsSubquery := `(SELECT p.id FROM paliad.projects p WHERE ` + visiblePProj + `)`
return []sheetQuery{
// --- entity sheets (subtree-aware via visibility predicate) ---
{
SheetName: "projects",
SQL: `SELECT * FROM paliad.projects p
WHERE ` + visiblePProj + `
ORDER BY p.id`,
Args: []any{uid},
},
{
SheetName: "project_teams",
SQL: `SELECT * FROM paliad.project_teams
WHERE user_id = $1
OR project_id IN ` + visibleProjectsSubquery + `
ORDER BY project_id, user_id`,
Args: []any{uid},
},
{
SheetName: "deadlines",
SQL: `SELECT * FROM paliad.deadlines
WHERE project_id IN ` + visibleProjectsSubquery + `
ORDER BY id`,
Args: []any{uid},
},
{
SheetName: "appointments",
SQL: `SELECT * FROM paliad.appointments
WHERE project_id IN ` + visibleProjectsSubquery + `
ORDER BY id`,
Args: []any{uid},
},
{
SheetName: "parties",
SQL: `SELECT * FROM paliad.parties
WHERE project_id IN ` + visibleProjectsSubquery + `
ORDER BY id`,
Args: []any{uid},
},
{
SheetName: "notes",
SQL: `SELECT * FROM paliad.notes
WHERE COALESCE(project_id,
(SELECT d.project_id FROM paliad.deadlines d WHERE d.id = notes.deadline_id),
(SELECT a.project_id FROM paliad.appointments a WHERE a.id = notes.appointment_id),
(SELECT pe.project_id FROM paliad.project_events pe WHERE pe.id = notes.project_event_id)
) IN ` + visibleProjectsSubquery + `
ORDER BY id`,
Args: []any{uid},
},
{
SheetName: "documents",
SQL: `SELECT id, project_id, title, doc_type, file_path, file_size, mime_type, uploaded_by, created_at, updated_at
FROM paliad.documents
WHERE project_id IN ` + visibleProjectsSubquery + `
ORDER BY id`,
Args: []any{uid},
// ai_extracted jsonb is the only column omitted from the
// personal projection because it can carry verbose AI prompts.
},
{
SheetName: "project_events",
SQL: `SELECT * FROM paliad.project_events
WHERE project_id IN ` + visibleProjectsSubquery + `
ORDER BY id`,
Args: []any{uid},
},
{
SheetName: "approval_requests",
SQL: `SELECT * FROM paliad.approval_requests
WHERE requested_by = $1
OR decided_by = $1
OR project_id IN ` + visibleProjectsSubquery + `
ORDER BY id`,
Args: []any{uid},
},
{
SheetName: "checklist_instances",
SQL: `SELECT * FROM paliad.checklist_instances
WHERE project_id IN ` + visibleProjectsSubquery + `
ORDER BY id`,
Args: []any{uid},
},
// --- personal sidecars (my_*) ---
{
SheetName: "me",
SQL: `SELECT id, email, display_name, office, profession, job_title,
practice_group, lang, reminder_morning_time, reminder_evening_time,
reminder_timezone, reminder_warning_offset_days, escalation_contact_id,
email_preferences, additional_offices, global_role, forum_pref,
created_at, updated_at
FROM paliad.users
WHERE id = $1`,
Args: []any{uid},
},
{
SheetName: "my_caldav_config",
SQL: `SELECT user_id, url, username, calendar_path, enabled,
last_sync_at, last_sync_error, created_at, updated_at
FROM paliad.user_caldav_config
WHERE user_id = $1`,
Args: []any{uid},
DropColumns: []string{"password_encrypted"}, // belt-and-braces; the SELECT above already omits it
},
{
SheetName: "my_views",
SQL: `SELECT * FROM paliad.user_views
WHERE user_id = $1
ORDER BY id`,
Args: []any{uid},
},
{
SheetName: "my_pinned_projects",
SQL: `SELECT * FROM paliad.user_pinned_projects
WHERE user_id = $1
ORDER BY project_id`,
Args: []any{uid},
},
{
SheetName: "my_card_layouts",
SQL: `SELECT * FROM paliad.user_card_layouts
WHERE user_id = $1
ORDER BY id`,
Args: []any{uid},
},
{
SheetName: "my_paliadin_turns",
SQL: `SELECT * FROM paliad.paliadin_turns
WHERE user_id = $1
ORDER BY started_at`,
Args: []any{uid},
},
// --- restricted users-referenced sheet ---
// Surfaces only id/email/display_name/office/profession for users
// who appear as FKs anywhere in the export — avoids dumping all 47
// users on a personal-scope handoff.
{
SheetName: "users_referenced",
SQL: `SELECT id, email, display_name, office, profession
FROM paliad.users u
WHERE u.id IN (
SELECT created_by FROM paliad.projects WHERE id IN ` + visibleProjectsSubquery + `
UNION SELECT created_by FROM paliad.deadlines WHERE project_id IN ` + visibleProjectsSubquery + `
UNION SELECT created_by FROM paliad.appointments WHERE project_id IN ` + visibleProjectsSubquery + `
UNION SELECT created_by FROM paliad.project_events WHERE project_id IN ` + visibleProjectsSubquery + `
UNION SELECT user_id FROM paliad.project_teams WHERE project_id IN ` + visibleProjectsSubquery + `
UNION SELECT created_by FROM paliad.notes WHERE COALESCE(project_id,
(SELECT d.project_id FROM paliad.deadlines d WHERE d.id = notes.deadline_id),
(SELECT a.project_id FROM paliad.appointments a WHERE a.id = notes.appointment_id),
(SELECT pe.project_id FROM paliad.project_events pe WHERE pe.id = notes.project_event_id)
) IN ` + visibleProjectsSubquery + `
UNION SELECT $1::uuid
)
ORDER BY id`,
Args: []any{uid},
},
// --- reference data (read-only, prefixed ref__) ---
// Same set as project scope; included so the workbook is
// interpretable standalone without paliad context.
{
SheetName: "ref__proceeding_types",
SQL: `SELECT * FROM paliad.proceeding_types ORDER BY id`,
},
{
SheetName: "ref__event_types",
SQL: `SELECT * FROM paliad.event_types ORDER BY id`,
},
{
SheetName: "ref__event_categories",
SQL: `SELECT * FROM paliad.event_categories ORDER BY id`,
},
{
SheetName: "ref__deadline_rules",
SQL: `SELECT * FROM paliad.deadline_rules ORDER BY id`,
},
{
SheetName: "ref__deadline_concepts",
SQL: `SELECT * FROM paliad.deadline_concepts ORDER BY id`,
},
{
SheetName: "ref__courts",
SQL: `SELECT * FROM paliad.courts ORDER BY id`,
},
{
SheetName: "ref__countries",
SQL: `SELECT * FROM paliad.countries ORDER BY code`,
},
{
SheetName: "ref__holidays",
SQL: `SELECT * FROM paliad.holidays ORDER BY date, country`,
},
}
}
// ---------------------------------------------------------------------------
// Audit row helpers (used by the handler; here to keep all export-related
// SQL in one file).
// ---------------------------------------------------------------------------
// WriteAuditRow inserts a system_audit_log row before the export runs and
// returns the new row id. The handler PATCHes the row with file_size_bytes
// + final row_counts on success or marks it failed on error.
func (s *ExportService) WriteAuditRow(ctx context.Context, spec ExportSpec) (uuid.UUID, error) {
meta := map[string]any{
"requested_at": spec.GeneratedAt.UTC().Format(time.RFC3339),
}
mb, _ := json.Marshal(meta)
var id uuid.UUID
err := s.db.QueryRowContext(ctx,
`INSERT INTO paliad.system_audit_log
(event_type, actor_id, actor_email, scope, scope_root, metadata)
VALUES ('data_export', $1, $2, $3, $4, $5::jsonb)
RETURNING id`,
spec.ActorID, spec.ActorEmail, spec.Scope, spec.ScopeRoot, string(mb),
).Scan(&id)
if err != nil {
return uuid.Nil, fmt.Errorf("audit insert: %w", err)
}
return id, nil
}
// PatchAuditRowSuccess updates the audit row with final row counts and the
// generated artifact size.
func (s *ExportService) PatchAuditRowSuccess(ctx context.Context, id uuid.UUID, meta ExportMeta, fileSizeBytes int64) error {
payload := map[string]any{
"row_counts": meta.RowCounts,
"file_size_bytes": fileSizeBytes,
"warnings": meta.Warnings,
"completed_at": time.Now().UTC().Format(time.RFC3339),
}
mb, _ := json.Marshal(payload)
_, err := s.db.ExecContext(ctx,
`UPDATE paliad.system_audit_log
SET metadata = metadata || $2::jsonb,
updated_at = now()
WHERE id = $1`,
id, string(mb),
)
if err != nil {
return fmt.Errorf("audit patch success: %w", err)
}
return nil
}
// PatchAuditRowFailure marks the audit row as a failed export and stores
// the error string. Uses a separate event_type so dashboards can count
// failures distinctly.
func (s *ExportService) PatchAuditRowFailure(ctx context.Context, id uuid.UUID, errStr string) {
payload := map[string]any{
"error": errStr,
"failed_at": time.Now().UTC().Format(time.RFC3339),
}
mb, _ := json.Marshal(payload)
// Best-effort — never propagate audit-write errors back to the caller
// because the original export error is the real one to bubble.
_, _ = s.db.ExecContext(ctx,
`UPDATE paliad.system_audit_log
SET event_type = 'data_export_failed',
metadata = metadata || $2::jsonb,
updated_at = now()
WHERE id = $1`,
id, string(mb),
)
}

460
internal/services/export_service_test.go Normal file
View File

@@ -0,0 +1,460 @@
package services
// Pure-function tests for the ExportService writer plumbing.
//
// Live DB behaviour (the actual personal-scope query running against
// Postgres) is covered by the integration test in
// export_service_live_test.go (skipped without TEST_DATABASE_URL).
//
// What's pinned here:
//
// - formatCellValue value coercion (bool / time / []byte JSON / string / nil)
// - piiColumnDenyRegex catches the canonical credential-shaped names
// - buildCSV emits UTF-8 BOM + RFC 4180 quoting + survives umlauts
// - buildJSON has the expected top-level shape
// - metaToKeyValueRows keeps a stable key order (deterministic xlsx)
// - ExportFilename + slugifyFilename produce safe filenames
import (
"archive/zip"
"bytes"
"encoding/json"
"regexp"
"strings"
"testing"
"time"
"github.com/google/uuid"
)
func TestFormatCellValue_Booleans(t *testing.T) {
if got := formatCellValue(true); got != "TRUE" {
t.Fatalf("true → %q, want TRUE", got)
}
if got := formatCellValue(false); got != "FALSE" {
t.Fatalf("false → %q, want FALSE", got)
}
}
func TestFormatCellValue_NilEmpty(t *testing.T) {
if got := formatCellValue(nil); got != "" {
t.Fatalf("nil → %q, want empty string", got)
}
}
func TestFormatCellValue_Time_RFC3339UTC(t *testing.T) {
ts := time.Date(2026, 5, 19, 14, 23, 45, 0, time.UTC)
got := formatCellValue(ts)
if got != "2026-05-19T14:23:45Z" {
t.Fatalf("timestamp → %q, want RFC 3339 UTC", got)
}
}
func TestFormatCellValue_Time_DateOnly_MidnightUTC(t *testing.T) {
// A DATE column comes back as time.Time at midnight UTC.
ts := time.Date(2026, 5, 19, 0, 0, 0, 0, time.UTC)
got := formatCellValue(ts)
if got != "2026-05-19" {
t.Fatalf("date → %q, want ISO YYYY-MM-DD", got)
}
}
func TestFormatCellValue_Time_ZeroValue(t *testing.T) {
got := formatCellValue(time.Time{})
if got != "" {
t.Fatalf("zero time → %q, want empty", got)
}
}
func TestFormatCellValue_JSONBytes_CompactedOneLine(t *testing.T) {
// jsonb columns come back as []byte holding pretty JSON. The writer
// must compact it onto one line so cells don't wrap.
pretty := []byte("{\n \"a\": 1,\n \"b\": [\n 2,\n 3\n ]\n}")
got := formatCellValue(pretty)
if strings.ContainsRune(got, '\n') {
t.Fatalf("compacted JSON has newline: %q", got)
}
// Must still be valid JSON.
var m map[string]any
if err := json.Unmarshal([]byte(got), &m); err != nil {
t.Fatalf("compacted JSON is no longer valid: %v (input=%q)", err, got)
}
}
func TestFormatCellValue_PlainBytes_AsString(t *testing.T) {
// Postgres returns text/uuid columns as []byte. Non-JSON-shaped
// payload must be returned verbatim (preserves umlauts).
got := formatCellValue([]byte("Müller & Söhne"))
if got != "Müller & Söhne" {
t.Fatalf("bytes → %q, want UTF-8 string preserved", got)
}
}
func TestFormatCellValue_String(t *testing.T) {
if got := formatCellValue("Hügelmäßig"); got != "Hügelmäßig" {
t.Fatalf("string → %q, want passthrough", got)
}
}
func TestFormatCellValue_Numbers(t *testing.T) {
cases := []struct {
in any
want string
}{
{int(42), "42"},
{int64(-7), "-7"},
{uint32(99), "99"},
{float64(3.14), "3.14"},
}
for _, c := range cases {
if got := formatCellValue(c.in); got != c.want {
t.Errorf("%v → %q, want %q", c.in, got, c.want)
}
}
}
func TestPIIColumnDenyRegex_MatchesKnownSecrets(t *testing.T) {
must := []string{
"password",
"password_encrypted",
"PASSWORD_HASH",
"api_key",
"apiKey",
"api-key",
"private_key",
"some_secret",
"jwt_token",
"access_token",
}
for _, name := range must {
if !piiColumnDenyRegex.MatchString(name) {
t.Errorf("deny regex should match %q but did not", name)
}
}
}
func TestPIIColumnDenyRegex_DoesNotMatchInnocuousNames(t *testing.T) {
// Sanity: common business columns must NOT trip the deny regex.
innocuous := []string{
"id",
"title",
"created_at",
"event_type",
"project_id",
"email",
"display_name",
"office",
"profession",
}
for _, name := range innocuous {
if piiColumnDenyRegex.MatchString(name) {
t.Errorf("deny regex should NOT match %q but did", name)
}
}
}
func TestBuildCSV_BOM_AndUmlauts(t *testing.T) {
cols := []string{"id", "title"}
rows := [][]string{
{"1", "Mündliche Verhandlung"},
{"2", "Süßmäßig"},
}
got, err := buildCSV(cols, rows)
if err != nil {
t.Fatalf("buildCSV: %v", err)
}
// BOM
if len(got) < 3 || got[0] != 0xEF || got[1] != 0xBB || got[2] != 0xBF {
t.Fatalf("missing UTF-8 BOM: % x", got[:3])
}
// Body is valid UTF-8 with umlauts preserved
body := string(got[3:])
if !strings.Contains(body, "Mündliche Verhandlung") {
t.Errorf("umlaut text missing from CSV body: %q", body)
}
if !strings.Contains(body, "Süßmäßig") {
t.Errorf("ß / umlaut text missing from CSV body: %q", body)
}
// Header row first
lines := strings.SplitN(body, "\n", 3)
if !strings.HasPrefix(lines[0], "id,title") {
t.Errorf("first line should be CSV header, got %q", lines[0])
}
}
func TestBuildCSV_QuotingForCommaAndQuote(t *testing.T) {
cols := []string{"id", "label"}
rows := [][]string{
{"1", `Müller, Schulze "Krause" & Co`},
}
got, err := buildCSV(cols, rows)
if err != nil {
t.Fatalf("buildCSV: %v", err)
}
body := string(got[3:])
// RFC 4180: comma + double-quote in field → wrap in quotes, escape "
if !strings.Contains(body, `"Müller, Schulze ""Krause"" & Co"`) {
t.Errorf("RFC 4180 quoting wrong: %q", body)
}
}
func TestBuildJSON_TopLevelShape(t *testing.T) {
tables := map[string][]map[string]string{
"projects": {{"id": "u1", "title": "Acme"}},
}
meta := ExportMeta{
SchemaVersion: 1,
FirmName: "HLC",
Scope: ExportScopePersonal,
GeneratedAt: time.Date(2026, 5, 19, 0, 0, 0, 0, time.UTC),
RowCounts: map[string]int{"projects": 1},
}
got, err := buildJSON(tables, meta)
if err != nil {
t.Fatalf("buildJSON: %v", err)
}
var payload map[string]any
if err := json.Unmarshal(got, &payload); err != nil {
t.Fatalf("buildJSON not valid JSON: %v", err)
}
if _, ok := payload["meta"]; !ok {
t.Errorf("payload missing meta key")
}
if _, ok := payload["tables"]; !ok {
t.Errorf("payload missing tables key")
}
if !bytes.Contains(got, []byte(`"Acme"`)) {
t.Errorf("payload missing project title: %s", string(got))
}
}
func TestMetaToKeyValueRows_StableOrder(t *testing.T) {
m := ExportMeta{
SchemaVersion: 1,
FirmName: "HLC",
Scope: ExportScopePersonal,
GeneratedAt: time.Date(2026, 5, 19, 14, 23, 0, 0, time.UTC),
GeneratedByID: uuid.MustParse("00000000-0000-0000-0000-000000000001"),
GeneratedByEml: "m@hlc.de",
GeneratedByLbl: "m",
RowCounts: map[string]int{"projects": 11, "deadlines": 26, "appointments": 5},
Warnings: []string{"sheet=foo column=token dropped"},
}
rows1 := metaToKeyValueRows(m)
rows2 := metaToKeyValueRows(m)
if len(rows1) != len(rows2) {
t.Fatalf("row count differs between runs")
}
for i := range rows1 {
if rows1[i] != rows2[i] {
t.Fatalf("row %d differs between runs: %v vs %v", i, rows1[i], rows2[i])
}
}
// row_count rows must be sorted (deadlines < projects < appointments? no: alpha)
// → row_count.appointments < row_count.deadlines < row_count.projects
wantOrder := []string{"row_count.appointments", "row_count.deadlines", "row_count.projects"}
gotKeys := []string{}
for _, r := range rows1 {
if strings.HasPrefix(r[0], "row_count.") {
gotKeys = append(gotKeys, r[0])
}
}
for i, k := range wantOrder {
if i >= len(gotKeys) || gotKeys[i] != k {
t.Errorf("row_count order wrong at %d: got %v, want %v", i, gotKeys, wantOrder)
break
}
}
}
func TestExportFilename_PerScope(t *testing.T) {
ts := time.Date(2026, 5, 19, 14, 23, 0, 0, time.UTC)
cases := []struct {
scope, label, want string
}{
{ExportScopePersonal, "", "paliad-export-personal-2026-05-19T1423Z.zip"},
{ExportScopeOrg, "", "paliad-export-org-2026-05-19T1423Z.zip"},
{ExportScopeProject, "Siemens AG", "paliad-export-project-Siemens-AG-2026-05-19T1423Z.zip"},
{ExportScopeProject, "Hügel & Söhne", "paliad-export-project-H-gel-S-hne-2026-05-19T1423Z.zip"},
}
for _, c := range cases {
got := ExportFilename(c.scope, c.label, ts)
if got != c.want {
t.Errorf("ExportFilename(%q, %q) → %q, want %q", c.scope, c.label, got, c.want)
}
}
}
func TestSlugifyFilename_StripsUnsafe(t *testing.T) {
cases := []struct{ in, want string }{
{"Siemens AG", "Siemens-AG"},
{"Müller & Söhne", "M-ller-S-hne"},
{" /etc/passwd ", "etc-passwd"},
{"", ""},
{"this-is-already-fine", "this-is-already-fine"},
}
for _, c := range cases {
got := slugifyFilename(c.in)
if got != c.want {
t.Errorf("slugifyFilename(%q) → %q, want %q", c.in, got, c.want)
}
}
}
// TestZipDeterminism verifies that two bundle assemblies of the same
// sheet data + same meta produce byte-identical output. This is the core
// guarantee m signed off on (Q6=yes deterministic).
//
// We can't go through writeBundle here (it needs a DB), so we exercise
// the deterministic path at the layer where it matters: the outer zip's
// file order + each entry's deterministic content + fixed Modified time.
func TestZipDeterminism_TwoRunsSameBytes(t *testing.T) {
meta := ExportMeta{
SchemaVersion: 1,
FirmName: "HLC",
Scope: ExportScopePersonal,
GeneratedAt: time.Date(2026, 5, 19, 14, 23, 0, 0, time.UTC),
RowCounts: map[string]int{"projects": 1, "deadlines": 0},
}
sheets := []collectedSheet{
{name: "projects", columns: []string{"id", "title"}, rows: [][]string{{"u1", "Acme"}}},
{name: "deadlines", columns: []string{"id", "due_date"}, rows: nil},
}
first := assembleBundleForTest(t, sheets, meta)
second := assembleBundleForTest(t, sheets, meta)
if !bytes.Equal(first, second) {
t.Fatalf("two assemblies of same data produced different bytes (%d vs %d)", len(first), len(second))
}
// Sanity: the bundle is a valid zip and contains the expected files.
zr, err := zip.NewReader(bytes.NewReader(first), int64(len(first)))
if err != nil {
t.Fatalf("bundle is not a valid zip: %v", err)
}
wantFiles := []string{"README.txt", "__meta.json", "csv/deadlines.csv", "csv/projects.csv", "paliad-export.json", "paliad-export.xlsx"}
gotFiles := []string{}
for _, f := range zr.File {
gotFiles = append(gotFiles, f.Name)
}
for _, want := range wantFiles {
found := false
for _, got := range gotFiles {
if got == want {
found = true
break
}
}
if !found {
t.Errorf("missing %q in bundle (got %v)", want, gotFiles)
}
}
}
// assembleBundleForTest mirrors writeBundle's assembly step without
// hitting the DB. Exposed as a test helper here to keep production code
// strictly DB-coupled while still pinning the deterministic-zip contract.
func assembleBundleForTest(t *testing.T, sheets []collectedSheet, meta ExportMeta) []byte {
t.Helper()
xlsxBytes, err := buildXLSX(sheets, meta)
if err != nil {
t.Fatalf("buildXLSX: %v", err)
}
tables := map[string][]map[string]string{}
for _, sh := range sheets {
rs := make([]map[string]string, 0, len(sh.rows))
for _, r := range sh.rows {
obj := map[string]string{}
for i, c := range sh.columns {
if i < len(r) {
obj[c] = r[i]
}
}
rs = append(rs, obj)
}
tables[sh.name] = rs
}
jsonBytes, err := buildJSON(tables, meta)
if err != nil {
t.Fatalf("buildJSON: %v", err)
}
csvBlobs := map[string][]byte{}
for _, sh := range sheets {
b, err := buildCSV(sh.columns, sh.rows)
if err != nil {
t.Fatalf("buildCSV %q: %v", sh.name, err)
}
csvBlobs[sh.name] = b
}
metaJSON, err := json.MarshalIndent(meta, "", " ")
if err != nil {
t.Fatalf("meta marshal: %v", err)
}
readme := buildREADME(meta)
// Mirror writeBundle's zip-assembly: sort entries, fixed mod time.
type ent struct {
name string
body []byte
}
entries := []ent{
{"README.txt", []byte(readme)},
{"__meta.json", metaJSON},
{"paliad-export.json", jsonBytes},
{"paliad-export.xlsx", xlsxBytes},
}
// CSV names sorted.
for _, sh := range sheets {
entries = append(entries, ent{"csv/" + sh.name + ".csv", csvBlobs[sh.name]})
}
// Outer sort to mirror writeBundle.
for i := 1; i < len(entries); i++ {
for j := i; j > 0 && entries[j-1].name > entries[j].name; j-- {
entries[j-1], entries[j] = entries[j], entries[j-1]
}
}
var buf bytes.Buffer
zw := zip.NewWriter(&buf)
fixedMod := time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)
for _, e := range entries {
hdr := &zip.FileHeader{Name: e.name, Method: zip.Deflate, Modified: fixedMod}
fw, err := zw.CreateHeader(hdr)
if err != nil {
t.Fatalf("zip create %q: %v", e.name, err)
}
if _, err := fw.Write(e.body); err != nil {
t.Fatalf("zip write %q: %v", e.name, err)
}
}
if err := zw.Close(); err != nil {
t.Fatalf("zip close: %v", err)
}
return buf.Bytes()
}
// TestExportScopeConstants ensures the scope discriminator strings are
// the stable contract — the audit row, __meta sheet, and external
// importers depend on them not drifting.
func TestExportScopeConstants(t *testing.T) {
if ExportScopePersonal != "personal" {
t.Errorf("ExportScopePersonal drifted: %q", ExportScopePersonal)
}
if ExportScopeProject != "project" {
t.Errorf("ExportScopeProject drifted: %q", ExportScopeProject)
}
if ExportScopeOrg != "org" {
t.Errorf("ExportScopeOrg drifted: %q", ExportScopeOrg)
}
}
// TestPIIRegex_IsExported makes sure the deny regex stays a compiled
// regexp (catches accidental nil if someone refactors).
func TestPIIRegex_IsExported(t *testing.T) {
if piiColumnDenyRegex == nil {
t.Fatal("piiColumnDenyRegex is nil")
}
if _, ok := any(piiColumnDenyRegex).(*regexp.Regexp); !ok {
t.Fatal("piiColumnDenyRegex is not *regexp.Regexp")
}
}