PostgreSQL SET commands do not support parameterized queries ($1),
causing "syntax error at or near $1" on all tenant-scoped operations.
Replaced with set_config('app.tenant_id', $1, true) which supports
parameters safely. Also added BEGIN/COMMIT transaction wrapping since
set_config(..., true) requires a transaction for LOCAL scope.
Fixed SQL injection vulnerability in tenant.ts which used unescaped
string interpolation.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The static "new" segment was missing, so Next.js treated "new" as a
UUID parameter for [id]/page.tsx, causing a Postgres "invalid input
syntax for type uuid" error. Adding cases/new/page.tsx with a create
form resolves the server error.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- API routes: GET/POST /api/cases (list + create), GET/PATCH/DELETE /api/cases/[id]
- Cases list page with search, status filter, and pagination
- Case detail page showing linked analyses and proceedings
- Sidebar navigation: added "Fälle" link after Dashboard
- Tenant isolation via withTenantDb + requirePermission on all API routes
- Audit logging on all case operations
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add Ollama as a third AI provider option alongside Anthropic and OpenAI.
Uses the OpenAI-compatible API endpoint that Ollama exposes, configured
via OLLAMA_URL and OLLAMA_MODEL env vars. Provider selection is now
tenant-aware via DB settings, with env var fallback.
- New provider type 'ollama' in AIProvider union
- Tenant-aware getModelForTenant() reads AI config from tenant settings jsonb
- Admin settings UI on /einstellungen for provider/model selection
- API route GET/PATCH /api/settings/ai for tenant AI config
- Updated all AI call sites (analysis, structured-analysis, contracts)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- GET /api/decisions: Add requirePermission('decisions:read'), use
withTenantDb() for RLS enforcement, add application-level tenant
filter (own tenant OR published+anonymized)
- POST /api/decisions: Add requirePermission('decisions:write'), use
withTenantDb(), set tenantId from authenticated session context
instead of accepting it from request body (prevents tenant spoofing)
Addresses DSGVO Art. 32 (security of processing) and Art. 5(1)(f)
(integrity and confidentiality).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Implement § 61 NV Bühne non-renewal deadline calculation with tiered
protection (standard 31.10., extended 31.07. for 15+ years, special
protection for over-55), tariff-based compensation calculation with
Gagenklassen and Dienstalterszulage, and Spielzeit seasonal logic
(1.8.–31.7. with Probenzeit). Includes DB schema (contracts,
compensationRules, nonRenewalDeadlines), migration, and three API
endpoints under /api/nv-buehne/.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
