m/paliad
1
0
Fork 0
Code Issues 146 Pull Requests 8 Actions 3 Packages Projects Releases Wiki Activity

Compare commits

base: m:mai/darwin/fixercoder-priority-bug
Branches Tags
m:main m:mai/bohr/coder-apply-m-s-caption m:mai/faraday/coder-generated-document m:mai/planck/coder-b5-b6-train-share m:mai/archimedes/fixer-port-engine m:mai/maxwell/coder-b4-akte-mode m:mai/lorenz/coder-b3-event-triggered m:mai/euler/fixer-builder-add m:mai/brunel/fixer-prod-500s-after-b1 m:mai/galileo/coder-b1-b2-mvp-train m:mai/pasteur/fixer-pkg-litigationplann m:mai/newton/coder-b0-scenario-db m:mai/edison/inventor-prd-columnar m:mai/knuth/coder-workflow-tracker m:mai/atlas/inventor-extend-tools m:mai/cronus/inventor-unified m:mai/atlas/inventor-deadline-system m:mai/atlas/inventor-followup-rules m:mai/athena/consultant-deadline m:mai/brunel/fixer-dark-mode-support m:mai/knuth/coder-cronus-fristenrechn m:mai/ritchie/coder-mig-153-proceeding m:mai/atlas/inventor-proceeding m:mai/cronus/inventor-fristenrechner m:mai/curie/coder-mig152-clone-dedupe m:mai/darwin/researcher-lexy-draft m:mai/knuth/coder-dedupe-null m:mai/cronus/coder-composer-slice-f m:mai/cronus/coder-composer-slice-e m:mai/cronus/coder-composer-slice-d m:mai/curie/coder-slice-b6-url-rename m:mai/curie/coder-slice-b5-go-rename m:mai/cronus/coder-composer-slice-c m:mai/curie/coder-slice-b4-destructive-drop m:mai/cronus/coder-composer-slice-b m:mai/cronus/coder-composer-slice-a m:mai/cronus/inventor-prd-for m:mai/knuth/coder-verfahrensablauf m:mai/ritchie/coder-make-backup m:mai/diesel/fixer-dark-mode-css m:mai/curie/coder-slice-b3-read-cutover m:mai/diesel/fixer-verfahrensablauf m:mai/curie/coder-slice-b2-dual-write m:mai/cronus/coder-slice-d-scenarios m:mai/knuth/coder-backfill-applies m:mai/hermes/gitster-verfahrensablauf m:mai/cronus/coder-berufung-labels-refactor m:mai/diesel/hotfix-2-mig-134-missing m:mai/curie/coder-slice-b1-procedural-events m:mai/cronus/coder-slice-c-upc-snapshot m:mai/brunel/hotfix-rename-upc-apl m:mai/cronus/coder-slice-b3-primary-party m:mai/cronus/coder-slice-b2-catalog-query m:mai/cronus/inventor-litigation-slice-b m:mai/curie/researcher-slice-b-zero m:mai/cronus/inventor-litigation m:mai/artemis/gitster-remove-admin m:mai/ritchie/coder-sort-post-trigger m:mai/knuth/coder-conditional-label m:mai/hermes/coder-verfahrensablauf m:mai/brunel/rebase-121-conditional m:mai/knuth/coder-conditional-rule m:mai/hermes/gitster-dark-mode-fix m:mai/ritchie/coder-submission-form m:mai/artemis/gitster-re-surface m:mai/brunel/fixer-views-any-filters m:mai/cronus/coder-cicd-slice-a m:mai/knuth/coder-wave-1-tier-1-rule m:mai/ritchie/coder-upc-damages-add m:mai/cronus/inventor-ci-cd-pre m:mai/brunel/rebase-108-language m:mai/hermes/gitster-admin-rules-list m:mai/artemis/gitster-submission m:mai/icarus/gitster-verfahrensablauf m:mai/orpheus/gitster-search-input m:mai/atlas/coder-event-card-choices-slice-ab m:mai/hermes/gitster-date-range m:mai/demeter/gitster-submission m:mai/knuth/coder-hl-patents-style m:mai/hermes/gitster-draft-editor m:mai/atlas/inventor-per-event-card m:mai/knuth/coder-deadline-rule-tier m:mai/cronus/coder-procedural-events-slice-a m:mai/hermes/gitster-deadline-form m:mai/artemis/gitster-add-missing-i18n m:mai/demeter/gitster-paliadin-chat m:mai/brunel/wave0-tier0-deadline-fixes m:mai/artemis/coder-docker-compose-yml m:mai/icarus/coder-inbox-overhaul-slice-a m:mai/atlas/coder-date-range-picker-slice-a m:mai/brunel/fixer-de-inf-lg-cfi m:mai/cronus/inventor-procedural m:mai/hermes/gitster-event-type-modal m:mai/cronus/coder-backup-mode m:mai/curie/researcher-bulletproof m:mai/hermes/gitster-draft-editor-focus-jump m:mai/cronus/inventor-backup-mode m:mai/hermes/gitster-submissions m:mai/artemis/gitster-deadline-form m:mai/brunel/fixer-submission-preview m:mai/brunel/fixer-test-data-reset m:mai/artemis/gitster-approval-withdraw m:mai/demeter/gitster-events m:mai/hermes/gitster-sidebar-loses m:mai/hermes/gitster-browse-a m:mai/brunel/fixer-submissions-demo m:mai/icarus/inventor-inbox-overhaul m:mai/atlas/inventor-symmetric-date m:mai/artemis/gitster-demote-daten m:mai/hermes/gitster-team-view-mailto m:mai/knuth/coder-global-schriftsatze m:mai/knuth/coder-schriftsatze m:mai/ritchie/coder-author-demo-docx m:mai/knuth/coder-add-schriftsatze m:mai/knuth/coder-add-checklist m:mai/knuth/coder-anchor-lookup-must m:mai/tesla/dashboard-resize-clamp m:mai/knuth/coder-demote-projekt m:mai/knuth/coder-paliadin-chat m:mai/knuth/coder-print-views m:mai/knuth/coder-add-proceeding m:mai/knuth/coder-submission m:mai/ritchie/coder-extend-team-email m:mai/knuth/coder-changelog-catch-up m:mai/tesla/dashboard-overlap m:mai/pasteur/fixercoder-dashboard m:mai/newton/inventor-configurable m:mai/dirac/inventorcoder-user m:mai/gauss/inventorcoder-team-admin m:mai/kepler/inventorcoder-project m:mai/darwin/roadmap-ccr-en m:mai/euler/coder-small-ux-polish m:mai/darwin/fristenrechner-cleanup m:mai/darwin/fixercoder-priority-bug m:mai/leibniz/inventor-caldav-multi m:mai/hertz/inventor-unified-modal m:mai/archimedes/inventor-excel-data m:mai/boltzmann/inventor-gap-tolerant m:mai/copernicus/submission-slice-1 m:mai/fermi/interactive-session m:mai/hertz/inventor-suggest-changes m:mai/copernicus/inventor-submission m:mai/mendel/test-strategy-slice-1 m:mai/mendel/inventor-test-strategy m:mai/ampere/custom-views-improvements m:mai/joule/mig-097-apply-huygens-s m:mai/ohm/workstream-b-rename m:mai/huygens/workstream-a-backfill m:mai/kelvin/t-204-phase-2-proceeding m:mai/bohr/ingest-t-paliad-203-rule m:mai/curie/fristenrechner-gap m:mai/maxwell/inbox-grey-out m:mai/rutherford/slice-9-follow-up-b-re m:mai/dirac/slice-9-follow-up-a m:mai/bose/determinator-cascade-slice-3 m:mai/bose/determinator-cascade-slice-2 m:mai/bose/determinator-row-cascade m:mai/lorenz/fristen-phase-3-slice-9 m:mai/curie/fristen-phase-3-slice-12 m:mai/planck/aichat-phase-b-paliad m:mai/young/fristen-phase-3-slice-11b m:mai/lorenz/fristen-phase-3-slice-11a m:mai/lorenz/fristen-phase-3-slice-10 m:mai/lorenz/fristen-phase-3-slice-8 m:mai/lorenz/fristen-phase-3-slice-7 m:mai/lorenz/fristen-phase-3-slice-6 m:mai/lorenz/fristen-phase-3-slice-5 m:mai/lorenz/fristen-phase-3-slice-4 m:mai/lorenz/fristen-phase-3-slice-3 m:mai/lorenz/fristen-phase-3-slice-2 m:mai/lorenz/fristen-phase-3-slice-1 m:mai/pauli/fristen-phase2-design m:mai/tesla/project-timeline-chart m:mai/pauli/fristen-logic-audit m:mai/pauli/determinator-b1-row-by m:mai/noether/tools-cleanup-slice-1 m:mai/kelvin/inventor-tools-surface m:mai/planck/paliadin-per-user-rls m:mai/maxwell/bug-bundle-filterbar m:mai/faraday/project-timeline-chart m:mai/schroedinger/smarttimeline-slice-4 m:mai/bohr/smarttimeline-slice-3 m:mai/gauss/smarttimeline-slice-2 m:mai/riemann/filterbar-phase-2-slice m:mai/lagrange/smarttimeline-design-the m:mai/curie/researcher-determinator m:mai/noether/collapse-regel-typ-on m:mai/riemann/inventor-universal m:mai/minkowski/project-level-our-side m:mai/dirac/inventor-inline-paliadin m:mai/feynman/fristenrechner m:mai/minkowski/navbar-dashboard-reorg m:mai/shannon/approval-rework m:mai/einstein/consultant-deadline-data m:mai/curie/researcher-upc-rop-audit m:mai/noether/paliadin-real-claude m:mai/noether/inventor-paliadin m:mai/hilbert/inventor-approval-policy m:mai/shannon/bug-frist-due-date m:mai/fritz/bug-fristen-termine m:mai/godel/inventor-projects-page m:mai/fritz/bug-paliadin-chat m:mai/kepler/inventor-profession-vs m:mai/noether/inventor-paliadin-in-app m:mai/fritz/bulk-team-email-send-to m:mai/noether/inventor-local-chat-for m:mai/noether/inventor-data-display m:mai/fritz/bug-derived-team-members m:mai/fritz/bug-sidebar-visibly m:mai/noether/inventor-project m:mai/shannon/bug-project-team-add m:mai/cronus/inventor-dual-control m:mai/fritz/bug-edit-mode-on m:mai/cronus/inventor-holidays-per m:mai/ritchie/phase-h-ai-deadline
..
compare: m:mai/copernicus/inventor-submission
Branches Tags
m:main m:mai/bohr/coder-apply-m-s-caption m:mai/faraday/coder-generated-document m:mai/planck/coder-b5-b6-train-share m:mai/archimedes/fixer-port-engine m:mai/maxwell/coder-b4-akte-mode m:mai/lorenz/coder-b3-event-triggered m:mai/euler/fixer-builder-add m:mai/brunel/fixer-prod-500s-after-b1 m:mai/galileo/coder-b1-b2-mvp-train m:mai/pasteur/fixer-pkg-litigationplann m:mai/newton/coder-b0-scenario-db m:mai/edison/inventor-prd-columnar m:mai/knuth/coder-workflow-tracker m:mai/atlas/inventor-extend-tools m:mai/cronus/inventor-unified m:mai/atlas/inventor-deadline-system m:mai/atlas/inventor-followup-rules m:mai/athena/consultant-deadline m:mai/brunel/fixer-dark-mode-support m:mai/knuth/coder-cronus-fristenrechn m:mai/ritchie/coder-mig-153-proceeding m:mai/atlas/inventor-proceeding m:mai/cronus/inventor-fristenrechner m:mai/curie/coder-mig152-clone-dedupe m:mai/darwin/researcher-lexy-draft m:mai/knuth/coder-dedupe-null m:mai/cronus/coder-composer-slice-f m:mai/cronus/coder-composer-slice-e m:mai/cronus/coder-composer-slice-d m:mai/curie/coder-slice-b6-url-rename m:mai/curie/coder-slice-b5-go-rename m:mai/cronus/coder-composer-slice-c m:mai/curie/coder-slice-b4-destructive-drop m:mai/cronus/coder-composer-slice-b m:mai/cronus/coder-composer-slice-a m:mai/cronus/inventor-prd-for m:mai/knuth/coder-verfahrensablauf m:mai/ritchie/coder-make-backup m:mai/diesel/fixer-dark-mode-css m:mai/curie/coder-slice-b3-read-cutover m:mai/diesel/fixer-verfahrensablauf m:mai/curie/coder-slice-b2-dual-write m:mai/cronus/coder-slice-d-scenarios m:mai/knuth/coder-backfill-applies m:mai/hermes/gitster-verfahrensablauf m:mai/cronus/coder-berufung-labels-refactor m:mai/diesel/hotfix-2-mig-134-missing m:mai/curie/coder-slice-b1-procedural-events m:mai/cronus/coder-slice-c-upc-snapshot m:mai/brunel/hotfix-rename-upc-apl m:mai/cronus/coder-slice-b3-primary-party m:mai/cronus/coder-slice-b2-catalog-query m:mai/cronus/inventor-litigation-slice-b m:mai/curie/researcher-slice-b-zero m:mai/cronus/inventor-litigation m:mai/artemis/gitster-remove-admin m:mai/ritchie/coder-sort-post-trigger m:mai/knuth/coder-conditional-label m:mai/hermes/coder-verfahrensablauf m:mai/brunel/rebase-121-conditional m:mai/knuth/coder-conditional-rule m:mai/hermes/gitster-dark-mode-fix m:mai/ritchie/coder-submission-form m:mai/artemis/gitster-re-surface m:mai/brunel/fixer-views-any-filters m:mai/cronus/coder-cicd-slice-a m:mai/knuth/coder-wave-1-tier-1-rule m:mai/ritchie/coder-upc-damages-add m:mai/cronus/inventor-ci-cd-pre m:mai/brunel/rebase-108-language m:mai/hermes/gitster-admin-rules-list m:mai/artemis/gitster-submission m:mai/icarus/gitster-verfahrensablauf m:mai/orpheus/gitster-search-input m:mai/atlas/coder-event-card-choices-slice-ab m:mai/hermes/gitster-date-range m:mai/demeter/gitster-submission m:mai/knuth/coder-hl-patents-style m:mai/hermes/gitster-draft-editor m:mai/atlas/inventor-per-event-card m:mai/knuth/coder-deadline-rule-tier m:mai/cronus/coder-procedural-events-slice-a m:mai/hermes/gitster-deadline-form m:mai/artemis/gitster-add-missing-i18n m:mai/demeter/gitster-paliadin-chat m:mai/brunel/wave0-tier0-deadline-fixes m:mai/artemis/coder-docker-compose-yml m:mai/icarus/coder-inbox-overhaul-slice-a m:mai/atlas/coder-date-range-picker-slice-a m:mai/brunel/fixer-de-inf-lg-cfi m:mai/cronus/inventor-procedural m:mai/hermes/gitster-event-type-modal m:mai/cronus/coder-backup-mode m:mai/curie/researcher-bulletproof m:mai/hermes/gitster-draft-editor-focus-jump m:mai/cronus/inventor-backup-mode m:mai/hermes/gitster-submissions m:mai/artemis/gitster-deadline-form m:mai/brunel/fixer-submission-preview m:mai/brunel/fixer-test-data-reset m:mai/artemis/gitster-approval-withdraw m:mai/demeter/gitster-events m:mai/hermes/gitster-sidebar-loses m:mai/hermes/gitster-browse-a m:mai/brunel/fixer-submissions-demo m:mai/icarus/inventor-inbox-overhaul m:mai/atlas/inventor-symmetric-date m:mai/artemis/gitster-demote-daten m:mai/hermes/gitster-team-view-mailto m:mai/knuth/coder-global-schriftsatze m:mai/knuth/coder-schriftsatze m:mai/ritchie/coder-author-demo-docx m:mai/knuth/coder-add-schriftsatze m:mai/knuth/coder-add-checklist m:mai/knuth/coder-anchor-lookup-must m:mai/tesla/dashboard-resize-clamp m:mai/knuth/coder-demote-projekt m:mai/knuth/coder-paliadin-chat m:mai/knuth/coder-print-views m:mai/knuth/coder-add-proceeding m:mai/knuth/coder-submission m:mai/ritchie/coder-extend-team-email m:mai/knuth/coder-changelog-catch-up m:mai/tesla/dashboard-overlap m:mai/pasteur/fixercoder-dashboard m:mai/newton/inventor-configurable m:mai/dirac/inventorcoder-user m:mai/gauss/inventorcoder-team-admin m:mai/kepler/inventorcoder-project m:mai/darwin/roadmap-ccr-en m:mai/euler/coder-small-ux-polish m:mai/darwin/fristenrechner-cleanup m:mai/darwin/fixercoder-priority-bug m:mai/leibniz/inventor-caldav-multi m:mai/hertz/inventor-unified-modal m:mai/archimedes/inventor-excel-data m:mai/boltzmann/inventor-gap-tolerant m:mai/copernicus/submission-slice-1 m:mai/fermi/interactive-session m:mai/hertz/inventor-suggest-changes m:mai/copernicus/inventor-submission m:mai/mendel/test-strategy-slice-1 m:mai/mendel/inventor-test-strategy m:mai/ampere/custom-views-improvements m:mai/joule/mig-097-apply-huygens-s m:mai/ohm/workstream-b-rename m:mai/huygens/workstream-a-backfill m:mai/kelvin/t-204-phase-2-proceeding m:mai/bohr/ingest-t-paliad-203-rule m:mai/curie/fristenrechner-gap m:mai/maxwell/inbox-grey-out m:mai/rutherford/slice-9-follow-up-b-re m:mai/dirac/slice-9-follow-up-a m:mai/bose/determinator-cascade-slice-3 m:mai/bose/determinator-cascade-slice-2 m:mai/bose/determinator-row-cascade m:mai/lorenz/fristen-phase-3-slice-9 m:mai/curie/fristen-phase-3-slice-12 m:mai/planck/aichat-phase-b-paliad m:mai/young/fristen-phase-3-slice-11b m:mai/lorenz/fristen-phase-3-slice-11a m:mai/lorenz/fristen-phase-3-slice-10 m:mai/lorenz/fristen-phase-3-slice-8 m:mai/lorenz/fristen-phase-3-slice-7 m:mai/lorenz/fristen-phase-3-slice-6 m:mai/lorenz/fristen-phase-3-slice-5 m:mai/lorenz/fristen-phase-3-slice-4 m:mai/lorenz/fristen-phase-3-slice-3 m:mai/lorenz/fristen-phase-3-slice-2 m:mai/lorenz/fristen-phase-3-slice-1 m:mai/pauli/fristen-phase2-design m:mai/tesla/project-timeline-chart m:mai/pauli/fristen-logic-audit m:mai/pauli/determinator-b1-row-by m:mai/noether/tools-cleanup-slice-1 m:mai/kelvin/inventor-tools-surface m:mai/planck/paliadin-per-user-rls m:mai/maxwell/bug-bundle-filterbar m:mai/faraday/project-timeline-chart m:mai/schroedinger/smarttimeline-slice-4 m:mai/bohr/smarttimeline-slice-3 m:mai/gauss/smarttimeline-slice-2 m:mai/riemann/filterbar-phase-2-slice m:mai/lagrange/smarttimeline-design-the m:mai/curie/researcher-determinator m:mai/noether/collapse-regel-typ-on m:mai/riemann/inventor-universal m:mai/minkowski/project-level-our-side m:mai/dirac/inventor-inline-paliadin m:mai/feynman/fristenrechner m:mai/minkowski/navbar-dashboard-reorg m:mai/shannon/approval-rework m:mai/einstein/consultant-deadline-data m:mai/curie/researcher-upc-rop-audit m:mai/noether/paliadin-real-claude m:mai/noether/inventor-paliadin m:mai/hilbert/inventor-approval-policy m:mai/shannon/bug-frist-due-date m:mai/fritz/bug-fristen-termine m:mai/godel/inventor-projects-page m:mai/fritz/bug-paliadin-chat m:mai/kepler/inventor-profession-vs m:mai/noether/inventor-paliadin-in-app m:mai/fritz/bulk-team-email-send-to m:mai/noether/inventor-local-chat-for m:mai/noether/inventor-data-display m:mai/fritz/bug-derived-team-members m:mai/fritz/bug-sidebar-visibly m:mai/noether/inventor-project m:mai/shannon/bug-project-team-add m:mai/cronus/inventor-dual-control m:mai/fritz/bug-edit-mode-on m:mai/cronus/inventor-holidays-per m:mai/ritchie/phase-h-ai-deadline

1 Commits
mai/darwin ... mai/copern

Author SHA1 Message Date
mAi
d6caa490dc docs(submission-generator): t-paliad-215 inventor design 
DESIGN READY FOR REVIEW — copernicus inventor pass on the submission
generator (t-paliad-215). 5 questions answered with m's picks captured
in §2; awaiting head's go/no-go on coder shift.

Locked decisions:
- Scope: template-render to .docx (no LLM in v1)
- Template registry: Gitea (mWorkRepo proxy, same pattern as
  HL Patents Style)
- Output: direct download, no server-side binary persistence
- Mapping: fallback chain (firm → base/code → base/family → skeleton)
- Slice 1: one template end-to-end on one project
  (de.inf.lg.erwidg / Klageerwiderung)

No code, no migrations, no schema additions. Read-only design phase
per inventor SKILL.md.
 2026-05-19 13:20:10 +02:00
83 changed files with 765 additions and 12110 deletions
Expand all files Collapse all files

32
cmd/server/main.go
View File

@@ -117,9 +117,7 @@ func main() {
}
appointmentSvc := services.NewAppointmentService(pool, projectSvc)
bindingSvc := services.NewCalendarBindingService(pool)
targetSvc := services.NewAppointmentTargetService(pool)
caldavSvc = services.NewCalDAVService(pool, cipher, appointmentSvc, bindingSvc, targetSvc)
caldavSvc = services.NewCalDAVService(pool, cipher, appointmentSvc)
// Wire the push hook so user-driven mutations sync to the external
// calendar without waiting for the next 60-second tick.
appointmentSvc.SetCalDAVPusher(caldavSvc)
@@ -145,7 +143,6 @@ func main() {
Deadline: deadlineSvc,
Appointment: appointmentSvc,
CalDAV: caldavSvc,
CalDAVBindings: bindingSvc,
Rules: rules,
Calculator: services.NewDeadlineCalculator(holidays),
Users: users,
@@ -178,37 +175,14 @@ func main() {
UserView: services.NewUserViewService(pool),
Broadcast: services.NewBroadcastService(pool, mailSvc, users, teamSvc, emailTemplateSvc),
Pin: services.NewPinService(pool, projectSvc),
CardLayout: services.NewCardLayoutService(pool),
DashboardLayout: services.NewDashboardLayoutService(pool),
Projection: services.NewProjectionService(pool, projectSvc, deadlineSvc, appointmentSvc, services.NewFristenrechnerService(rules, holidays, courts), rules),
CardLayout: services.NewCardLayoutService(pool),
Projection: services.NewProjectionService(pool, projectSvc, deadlineSvc, appointmentSvc, services.NewFristenrechnerService(rules, holidays, courts), rules),
// t-paliad-214 Slice 1 — personal-scope data export. firm name
// is captured into __meta of every export and printed in the
// embedded README.
Export: services.NewExportService(pool, branding.Name),
}
// t-paliad-219 Slice A3 — stitch DashboardService → ApprovalService
// for the inbox-approvals widget. Done post-construction to avoid
// a circular constructor dependency (ApprovalService doesn't need
// the dashboard, and DashboardService can render its other widgets
// without approvals — so keeping this a setter keeps both
// constructors simple).
svcBundle.Dashboard.SetApprovalService(svcBundle.Approval)
// t-paliad-215 Slice 1 — submission generator. Three services
// stitched together by handlers/submissions.go: registry pulls
// templates from Gitea (reuses GITEA_TOKEN env), vars builds
// the placeholder map from project + parties + rule, renderer
// merges {{placeholder}} tokens into the .docx.
svcBundle.SubmissionRegistry = services.NewTemplateRegistry(giteaToken, branding.Name)
svcBundle.SubmissionVars = services.NewSubmissionVarsService(
pool,
svcBundle.Project,
svcBundle.Party,
svcBundle.Users,
)
svcBundle.SubmissionRenderer = services.NewSubmissionRenderer()
// Paliadin backend selection.
//
// PALIADIN_BACKEND (t-paliad-194 / m/paliad#38):

102
cmd/server/main_smoke_test.go
View File

@@ -3,23 +3,20 @@
// Three checks against TEST_DATABASE_URL:
//
// 1. db.ApplyMigrations does not panic and returns nil.
// 2. paliad.applied_migrations covers every on-disk *.up.sql — no
// migration was silently skipped, no version is missing. The set
// contract is stronger than the old single-counter check: applied
// set must EQUAL on-disk set, not just reach the max version.
// 2. The migration tracker (public.paliad_schema_migrations) advances to
// the highest *.up.sql version on disk — no migrations were silently
// skipped, no "dirty=true" stragglers left behind.
// 3. The handler mux (with /healthz mounted) responds 200 to GET /healthz.
//
// This is the lightweight cousin of the migration dry-run gate
// (internal/db/migrate_test.go): the dry-run catches per-migration syntax
// errors before merge; this smoke confirms the apply+bind path the
// container actually runs at boot. Together they cover the mig-098 /
// mig-099 class of crash-loops end-to-end, plus the mig-103 parallel-merge
// skip-hole that t-paliad-218 closed (m/paliad#44).
// mig-099 class of crash-loops end-to-end.
//
// Skipped without TEST_DATABASE_URL — matches the rest of the live-DB tests.
//
// Design: docs/design-paliad-test-strategy-2026-05-19.md §5 Slice 1 and
// docs/design-migration-runner-applied-set-2026-05-20.md §6.
// Design: docs/design-paliad-test-strategy-2026-05-19.md §5 Slice 1.
package main
@@ -54,23 +51,19 @@ func TestBootSmoke(t *testing.T) {
t.Fatalf("db.ApplyMigrations: %v", err)
}
// (2) Assert the applied set equals the on-disk set. The new runner
// tracks applied state per-migration; a silently-skipped version
// would surface as a row missing from paliad.applied_migrations even
// though max(version) matches. Comparing sets — not just max —
// catches the failure mode the t-paliad-218 post-mortem documented.
onDisk := embeddedMigrationVersions(t)
applied := appliedMigrationVersions(t, url)
if missing := setDiff(onDisk, applied); len(missing) > 0 {
t.Errorf("paliad.applied_migrations missing %d on-disk versions: %v "+
"(a migration was skipped — investigate before deploying)",
len(missing), missing)
// (2) Assert the tracker advanced to the highest *.up.sql version we
// embed. If a migration was silently skipped or the tracker is dirty,
// the prod container would crash-loop — this turns that into a test
// failure with a precise reason.
expected := highestEmbeddedMigrationVersion(t)
got, dirty := readTrackerVersion(t, url)
if dirty {
t.Errorf("tracker reports dirty=true at version %d — investigate before deploying", got)
}
if extra := setDiff(applied, onDisk); len(extra) > 0 {
t.Errorf("paliad.applied_migrations has %d versions with no on-disk file: %v "+
"(orphan rows — either restore the file or DELETE the row)",
len(extra), extra)
if got != expected {
t.Errorf("tracker at version %d; expected %d (highest *.up.sql on disk). "+
"A migration was skipped or applied out of order.",
got, expected)
}
// (3) Mount the public handlers (the same Register call main() makes,
@@ -100,16 +93,11 @@ func TestBootSmoke(t *testing.T) {
}
}
// embeddedMigrationVersions returns every N where N_*.up.sql exists in
// internal/db/migrations/ on disk. The boot smoke compares this set
// against paliad.applied_migrations to detect skipped or orphan
// migrations.
//
// Read from disk (not the embed.FS inside the db package — it's unexported)
// since the test runs from the repo. The two views must agree for the
// build to be self-consistent; if they diverge, the smoke test is the
// wrong place to learn about it (the build is). We trust them to match.
func embeddedMigrationVersions(t *testing.T) []int {
// highestEmbeddedMigrationVersion finds max(N) over every NNN_*.up.sql
// file in internal/db/migrations/ on disk. Used as the expected tracker
// version after a clean apply. We read from disk (not the embed.FS in
// the db package — it's unexported) since the test runs from the repo.
func highestEmbeddedMigrationVersion(t *testing.T) int {
t.Helper()
root, err := repoRoot()
if err != nil {
@@ -141,52 +129,24 @@ func embeddedMigrationVersions(t *testing.T) []int {
t.Fatalf("no *.up.sql files found in %s", dir)
}
sort.Ints(versions)
return versions
return versions[len(versions)-1]
}
// appliedMigrationVersions reads paliad.applied_migrations and returns
// the sorted list of versions. Fails the test if the table doesn't exist —
// db.ApplyMigrations is supposed to have created it by this point.
func appliedMigrationVersions(t *testing.T, url string) []int {
// readTrackerVersion fetches the lone row from the tracker. golang-migrate
// keeps exactly one row; if we ever see zero or more, that's the dirty-state
// the test is designed to flag.
func readTrackerVersion(t *testing.T, url string) (version int, dirty bool) {
t.Helper()
conn, err := sql.Open("postgres", url)
if err != nil {
t.Fatalf("open: %v", err)
}
defer conn.Close()
rows, err := conn.Query(`SELECT version FROM paliad.applied_migrations ORDER BY version`)
if err != nil {
t.Fatalf("read applied_migrations: %v", err)
row := conn.QueryRow(`SELECT version, dirty FROM public.paliad_schema_migrations LIMIT 1`)
if err := row.Scan(&version, &dirty); err != nil {
t.Fatalf("read tracker: %v", err)
}
defer rows.Close()
var out []int
for rows.Next() {
var v int
if err := rows.Scan(&v); err != nil {
t.Fatalf("scan: %v", err)
}
out = append(out, v)
}
if err := rows.Err(); err != nil {
t.Fatalf("rows: %v", err)
}
return out
}
// setDiff returns the elements of a that are not in b. Inputs are sorted
// ascending; output preserves that ordering.
func setDiff(a, b []int) []int {
bset := make(map[int]bool, len(b))
for _, v := range b {
bset[v] = true
}
var out []int
for _, v := range a {
if !bset[v] {
out = append(out, v)
}
}
return out
return version, dirty
}
// repoRoot walks upward from the test binary's working directory until it

332
docs/design-approval-suggest-changes-2026-05-19.md
View File

@@ -1,332 +0,0 @@
# Design — "Suggest changes" action on approval flow
**Author:** hertz (inventor)
**Date:** 2026-05-19
**Task:** t-paliad-216 (m/paliad in-flight)
**Branch:** `mai/hertz/inventor-suggest-changes`
**Status:** DESIGN — open questions await m before any coder shift.
---
## 0. TL;DR
Add a fourth action **"Änderungen vorschlagen"** ("Suggest changes") to the approval flow, alongside Approve / Reject / Revoke. Use case: the approver doesn't want to accept the proposed change as-is, but doesn't want to reject outright — they edit the proposed values into a counter-proposal and submit it back into the same approval flow.
**Mental model (m, 2026-05-19):** suggest-changes is not "ping the requester to fix it" — it's the approver **authoring a counter-proposal** that gets re-injected into the approval flow as a fresh `pending` row. The original requester (now potentially an eligible approver of the counter, since they're no longer the requested_by) sees:
- the **old row** in their /inbox as `changes_requested` ("Abgelehnt mit Vorschlag" / "Declined with changes") — historical record of their original attempt;
- the **new row** in /inbox as `pending` — the counter, which they can approve, reject, revoke (n/a, not theirs), or suggest changes back on. Everyone else eligible sees the new row too. 4-Augen still holds: the counter's requested_by (the approver who suggested it) cannot self-approve.
Click flow:
1. Approver opens an editable modal on the pending row showing the requester's proposed values. Edits any field. Writes a free-text note ("Bitte den Termin um 9:00 statt 8:00, weil der Raum sonst kollidiert").
2. POST `/api/approval-requests/{id}/suggest-changes` with `{note, counter_payload}`.
3. Server, in one tx: closes the old row (`changes_requested`, `decision_note=note`), reverts the entity from `pre_image`, then immediately inserts a **new** `pending` approval_requests row authored by the approver with `payload=counter_payload`, re-applies the counter to the entity, marks `pending_request_id` to the new row, emits two events (`*_approval_changes_suggested` + `*_approval_requested`). `previous_request_id` FK links new → old for chain traversal.
The pending audience for the new row is the same as any fresh `Submit*` — the existing notification + visibility plumbing handles it without special-casing.
---
## 0a. m's decisions (2026-05-19)
| # | Header | m picked | Reasoning note (when different from recommendation) |
|---|---|---|---|
| Q1 | State machine | **(a) New status `changes_requested`.** | As recommended. |
| Q2 | Entity state | **(a) Reverts to pre_image, same as Reject.** | As recommended. The counter is then re-applied in the same tx by the new approval row's write-then-approve cycle. |
| Q3 | Chain depth | **(a) Yes, across chained rows.** | As recommended. |
| Q4 | Note shape | **Hybrid: approver can edit the proposed values (counter-proposal) AND/OR leave free-text in `decision_note`.** | Differs from (a). Inventor picked free-text-only; m's twist: the suggestion should ALSO carry concrete edits. This adds a `counter_payload jsonb` column on `approval_requests` and turns "suggest-changes" into an action that authors a real counter-proposal, not just a hint. |
| Q5 | Surface | **(a) /inbox only — v1.** | As recommended. Email + entity-detail badge are Phase 2. |
| Q6 | Requester actions | **Different model: the counter is a NEW pending approval_request row, not an "edit + resubmit" CTA on the requester side.** | Differs from (a). m's reframing: instead of routing back to the requester to act on, the suggestion IS the next request. Original requester sees the old row as `changes_requested` (status pill "Abgelehnt mit Vorschlag" or similar). Original requester then sees the NEW row in /inbox like any pending — and **may approve it themselves**, because they are no longer the row's requested_by (the suggesting approver is). Everyone else eligible sees it too. Cleaner workflow, removes the "edit-and-resubmit CTA" from the requester role entirely. |
| Q7 | Notifications | **(b) Notify all eligible approvers + the original requester for the NEW pending row.** | Consistent with Q6. The counter is a fresh `pending` request, so the existing Submit*-notification audience applies. The original requester needs the ping because they're now an eligible approver of the counter — no special-case path. |
| Q8 | Audit shape | **(a) New event_type `*_approval_changes_suggested` per entity.** | As recommended. The new row also emits a normal `*_approval_requested` event, so the Verlauf chronology naturally captures the chain. |
The decisions above lock the design. §3 has been rewritten to reflect them; §2 (open questions) is retained as the historical record of what was open before the decisions.
---
## 1. Context — what's already in the code (verified 2026-05-19)
- **State machine** in `internal/services/approval_service.go`:
- `paliad.approval_requests.status` CHECK is already `('pending', 'approved', 'rejected', 'revoked', 'superseded')` — the `superseded` value is defined as a Go constant `RequestStatusSuperseded` but never written by the live service (reserved).
- `paliad.{deadlines,appointments}.approval_status` CHECK is `('approved', 'pending', 'legacy')` — three values only.
- Shared kernel `decide(requestID, callerID, finalStatus, note)` powers Approve / Reject / Revoke. Approve invokes `applyApproved`; Reject + Revoke invoke `applyRevert` (restores entity from `pre_image`).
- Self-approval blocked at 3 layers: `canApprove` Go gate, `approval_requests_no_self_approval` DB CHECK, deadlock-check excludes requester from pool.
- **Handlers** in `internal/handlers/approvals.go`:
- `POST /api/approval-requests/{id}/approve`
- `POST /api/approval-requests/{id}/reject`
- `POST /api/approval-requests/{id}/revoke`
- `GET /api/approval-requests/{id}` — single hydrated request
- **Per-viewer flags** (t-paliad-202, shipped): every row carries `viewer_can_approve` + `viewer_is_requester` resolved server-side so the UI can grey out buttons the server would reject. Server still enforces — the flags are a UX hint.
- **Frontend**:
- `frontend/src/client/inbox.ts` wires three buttons per pending row (approve/reject/revoke). Reject opens `window.prompt()` for the note; approve+revoke don't.
- `frontend/src/client/views/shape-list.ts` (row_action="approve") stamps the row with action buttons + diff + `decision_note` display if present.
- **Audit**: event types `*_approval_requested`, `*_approval_approved`, `*_approval_rejected`, `*_approval_revoked` emitted to `paliad.project_events` (one per entity_type prefix).
- **Decision note**: `paliad.approval_requests.decision_note text` — a single free-text column, last-write-wins. Already populated on Reject (Approve also accepts an optional note).
---
## 2. Design questions (the open list — see §6 for answered)
Pre-recommendations from inventor. m will pick via AskUserQuestion.
### State machine
**Q1 — Where does "suggest changes" sit on the lifecycle?**
- **(a) New status `changes_requested` (RECOMMENDED).** The approval_requests row transitions pending → changes_requested. Sibling of approved/rejected/revoked/superseded. The row is terminal in that status; a re-submit creates a fresh row (linked via `previous_request_id`).
- (b) Reuse `rejected` with `is_revisable=true` flag. Cheap, but conflates two semantically distinct outcomes ("we'll never want this" vs. "tweak X and try again").
- (c) Auto-revoke the current row, mark the entity for edit, requester creates a new approval row when ready. Reuses existing plumbing — but loses the approver's note as a first-class thing (it'd just be a comment on the project_events row).
- (d) Other (you'll tell us).
Recommend (a) — keeps the audit lifecycle clear, gives us a clean place to hang the suggestion note, and is the smallest schema change (one new value in a CHECK constraint).
**Q2 — What happens to the entity (deadline/appointment) while in "changes requested"?**
- **(a) Entity reverts to pre_image — same as Reject (RECOMMENDED).** approval_status flips back to `approved`. The requester edits the entity in the normal flow; saving fires a fresh `Submit*` cycle.
- (b) Entity stays at `approval_status=pending` carrying the proposed values; requester edits "in place" through a new "amend the pending request" endpoint that mutates the same approval_request row + entity fields.
- (c) Entity goes to a new `approval_status=draft` (would require a new value on the entity-level CHECK + UI work to handle a third entity state).
Recommend (a) — minimum schema change, reuses every existing path (entity edit, Submit*, applyRevert, project_events emission). The trade-off is one extra approval_requests row per cycle; we link via `previous_request_id` so the chain stays inspectable.
**Q3 — Can the approver suggest changes multiple times (across a chain)?**
- **(a) Yes, across chained rows (RECOMMENDED).** Each row is terminal after suggest-changes; the requester resubmits → new pending row → approver can suggest changes again. Chain depth unbounded.
- (b) No — one chance per entity-lifecycle; if the requester comes back, the only options are approve or reject (the suggest-changes button is hidden for the second submission).
Recommend (a) — bounded by the requester's patience, not by the system. Multi-round review is the norm in legal-doc workflows.
**Q4 — Note shape on the suggestion**
- **(a) Free-text — reuse `decision_note` (RECOMMENDED).** Same column the existing Reject path already populates. Last-write-wins per row (but rows are terminal after suggest-changes, so there's no real "last write").
- (b) Thread of notes — new `paliad.approval_notes` table, ordered, multi-author. Lets the requester respond inline, the approver clarify, etc.
- (c) Structured per-field suggestions (`[{"field": "due_date", "current": "...", "suggested": "..."}]`) — a "diff-style" view.
Recommend (a) — matches the existing Reject UX, no new schema. (b) is right if the team wants to discuss; (c) is over-engineered for v1.
### UX
**Q5 — Where does the requester see the suggestion?**
- **(a) /inbox under `a_role=self_requested` (RECOMMENDED for v1).** Same surface they already use to see rejected. New status pill "Änderungen vorgeschlagen" + the note + a CTA "Bearbeiten und erneut einreichen".
- (b) A new badge on the entity's detail page (e.g. on the deadline detail page itself).
- (c) Email + push notification.
- (d) All of the above.
Recommend (a) for v1. Email reminder is a natural Phase-2 add-on (it'd reuse the existing reminder-mail plumbing). The entity-detail badge is nice but the user is already seeing the row in /inbox.
**Q6 — What action(s) does the requester have on a `changes_requested` row?**
- **(a) Edit and resubmit (RECOMMENDED).** Primary action. Opens the entity's edit form pre-populated with the original `payload`. Saving fires `Submit*` → new pending request with `previous_request_id` linking back.
- (b) Withdraw (= dismiss the row from inbox, no DB change). Mostly UI-only — the row is already terminal; "withdraw" would just be a "mark as not-pursuing" toggle.
- (c) Both.
Recommend (a). The row is already terminal once status=`changes_requested`; the requester either acts on the suggestion (a) or lets the row sit in their inbox history (no action needed). Adding a "dismiss" button is a UI nice-to-have but doesn't change the data model; can defer.
### Notifications
**Q7 — Who gets notified when "suggest changes" fires?**
- **(a) Just the requester (RECOMMENDED for v1).** Email-reminder path is reused: requester gets a mail "X hat Änderungen vorgeschlagen für …" with the note inline + a link to /inbox.
- (b) Requester + any other potential approvers (they need to know the request is closed, not pending).
- (c) Requester + approval-policy-defined watchers (would require a new `approval_policies.watchers` column).
Recommend (a). The request is terminal so other approvers don't need a "this is now your problem" ping — they wouldn't have anything to act on. They see it in /inbox under "Alle sichtbaren" anyway if curious.
### Audit
**Q8 — Audit row shape on `project_events`**
- **(a) New event_type `*_approval_changes_suggested` per entity (RECOMMENDED).** Parallel to the existing 4 (requested/approved/rejected/revoked). Two new event types: `deadline_approval_changes_suggested`, `appointment_approval_changes_suggested`. Note text goes in metadata.
- (b) Bundle with the resubmission — single composite event "approved-with-revisions" when the chain eventually approves.
Recommend (a). Each transition gets its own event row — that's how the existing audit chain already works (one event per state change). It also gives the Verlauf timeline a row to render the approver's note.
---
## 3. Implementation sketch (decisions-locked, see §0a)
### 3.1 Migration `103_approval_suggest_changes.up.sql`
```sql
-- 1. Extend approval_requests.status CHECK to allow 'changes_requested'.
ALTER TABLE paliad.approval_requests
DROP CONSTRAINT IF EXISTS approval_requests_status_check;
ALTER TABLE paliad.approval_requests
ADD CONSTRAINT approval_requests_status_check
CHECK (status IN ('pending', 'approved', 'rejected', 'revoked', 'superseded', 'changes_requested'));
-- 2. Add counter_payload — the approver's edited values, becomes the
-- `payload` of the NEW pending row spawned in the same tx as the
-- suggest-changes call. Stored on the OLD (now changes_requested) row
-- too so the audit chain can show "approver edited X, Y, Z" without
-- joining to the next row.
ALTER TABLE paliad.approval_requests
ADD COLUMN counter_payload jsonb NULL;
-- 3. Add previous_request_id FK so the new row links back to its origin.
ALTER TABLE paliad.approval_requests
ADD COLUMN previous_request_id uuid NULL
REFERENCES paliad.approval_requests(id) ON DELETE SET NULL;
CREATE INDEX approval_requests_previous_idx
ON paliad.approval_requests (previous_request_id)
WHERE previous_request_id IS NOT NULL;
```
`.down.sql`: drop the index + columns, restore the original CHECK (would reject existing `changes_requested` rows — that's normal for a breaking-change down).
### 3.2 Service layer
`SuggestChanges` is the only new public method on `ApprovalService`. It runs in **one transaction** and does five things:
```go
const RequestStatusChangesRequested = "changes_requested"
var ErrSuggestionRequiresChange = errors.New("suggestion_requires_change")
// SuggestChanges closes the pending request as `changes_requested`,
// reverts the entity, then immediately inserts a new pending
// approval_request authored by the caller carrying `counterPayload` as
// its new payload. The new row enters the standard pending flow — anyone
// eligible (including the original requester) can approve, reject,
// suggest-changes-again, etc.
//
// Authorization: caller satisfies canApprove on the OLD row (same gate
// as Approve / Reject). For the NEW row, the caller is the requested_by
// — self-approval is blocked by the standard 3-layer guard. Deadlock
// check (qualified-approver-exists-other-than-caller) runs on the new
// row to avoid spawning an unapprovable request.
//
// counterPayload must differ from the old row's payload OR a non-empty
// note must be present. A no-op suggest (same values, no note) is
// indistinguishable from "I have no opinion" and gets rejected with
// ErrSuggestionRequiresChange.
func (s *ApprovalService) SuggestChanges(
ctx context.Context,
requestID, callerID uuid.UUID,
counterPayload []byte, // jsonb-marshaled
note string,
) (newRequestID *uuid.UUID, err error) {
// 1. Begin tx, lock old row, validate status=pending + canApprove.
// 2. Validate: counterPayload differs from old payload OR note != "".
// 3. Update old row: status='changes_requested', decided_by=callerID,
// decision_note=note, counter_payload=counterPayload.
// 4. applyRevert on the entity (uses old row's pre_image).
// 5. Deadlock-check on the new row's required_role + projectID,
// excluding callerID.
// 6. INSERT new approval_requests row: requested_by=callerID,
// pre_image=<entity-state-as-just-reverted> (= old.pre_image),
// payload=counterPayload, required_role=old.required_role,
// lifecycle_event=old.lifecycle_event, entity_type=old.entity_type,
// entity_id=old.entity_id, status='pending',
// previous_request_id=requestID.
// 7. Re-apply the new payload to the entity (write-then-approve):
// apply the counter_payload's field updates + mark
// approval_status='pending' + pending_request_id=newRequestID.
// 8. Emit *_approval_changes_suggested project_events row
// (metadata: note, counter_payload diff vs original).
// 9. Emit *_approval_requested project_events row for the new
// request (same shape Submit* normally emits).
// 10. Commit.
}
```
Steps 6 + 7 reuse the existing `Submit*` plumbing structurally — the cleanest implementation factors out an "insert approval row + apply payload to entity" helper that both `Submit*` and `SuggestChanges` call. **decide()** does not need to know about `changes_requested` because suggest-changes is not a decision-kernel transition — it's its own end-to-end action.
### 3.3 HTTP layer
```
POST /api/approval-requests/{id}/suggest-changes
Body: {
"counter_payload": { ...same shape as Submit*'s payload... },
"note": "free-text explanation, optional iff counter_payload differs from original"
}
Returns: 200 { "new_request_id": "uuid" }
Errors:
400 "suggestion_requires_change" — counter_payload == old payload AND note empty
400 "invalid_counter_payload" — schema validation failure
403 "self_approval_blocked" — caller == old row's requested_by
403 "not_authorized" — caller doesn't satisfy canApprove
404 — request not found / not visible
409 "request_not_pending" — old row already decided
409 "no_qualified_approver" — deadlock on the new row (only caller is eligible)
```
Register in `internal/handlers/handlers.go` alongside the existing three:
```go
protected.HandleFunc("POST /api/approval-requests/{id}/suggest-changes", handleSuggestChangesApprovalRequest)
```
### 3.4 Frontend
`frontend/src/client/views/shape-list.ts` — extend the pending-row action group to four buttons:
```ts
actions.appendChild(approvalActionBtn("approve", detail));
actions.appendChild(approvalActionBtn("suggest_changes", detail));
actions.appendChild(approvalActionBtn("reject", detail));
actions.appendChild(approvalActionBtn("revoke", detail));
```
The `action` union type gains `"suggest_changes"`. Disabled-reason logic is identical to approve/reject (`viewer_can_approve` gate). i18n: `approvals.action.suggest_changes` → DE "Änderungen vorschlagen" / EN "Suggest changes".
`frontend/src/client/inbox.ts` — clicking the suggest-changes button opens a **modal**, not a `window.prompt` (the existing reject prompt is OK because reject only needs a note; suggest-changes needs an editable form). The modal:
- Renders the same fields the entity edit form would show, pre-populated from `detail.payload` (the requester's proposed values).
- Adds a free-text "Vorschlagskommentar" textarea at the bottom (the note).
- On submit: POST `/api/approval-requests/{id}/suggest-changes` with `{counter_payload: {...editedFields}, note}`.
- On success: refresh the bar — the old row flips to `changes_requested`, the new row appears as `pending`.
Where the modal's field-editor lives: a new `client/components/approval-edit-modal.ts` that takes `entity_type` + `payload` + `pre_image` and returns the edited payload. For v1 it can be a thin wrapper over the existing entity-edit form components (Frist date picker, Termin start/end pickers). Don't build a generic field-editor framework — just deadlines + appointments, hard-coded fields per entity_type.
**Status pill for `changes_requested`** — i18n keys + colour:
- `approvals.status.changes_requested` → DE "Abgelehnt mit Vorschlag" / EN "Declined with changes"
- Reuse the existing `approval-pill--historic` style; no new colour token needed for v1.
**The "Edit and resubmit" CTA on the requester's row is NOT needed** (m's Q6 reframing) — the requester just sees the new pending row in /inbox, same as any other.
### 3.5 Inbox filter
The /inbox `approval_status` filter chip cluster gains `changes_requested`. The `self_requested` viewer-role default already includes terminal statuses, so the original requester sees their `changes_requested` row without changing the default filter.
### 3.6 Linkage from old row to new row in /inbox
When showing a `changes_requested` row in /inbox, add a small "→ Neuer Vorschlag von {approver}" link below the note that scrolls / filters to the new pending row (it'll be visible to anyone eligible, including the original requester). The new row has `previous_request_id` pointing at the old one — so the API response for the old row can hydrate `next_request_id` (computed: `SELECT id FROM approval_requests WHERE previous_request_id = $1 LIMIT 1`).
### 3.7 Email notification (Phase 2 — defer until v1 ships)
The new row triggers the existing `*_approval_requested` notification path (whatever that is for Submit*) — same audience, same template. No new code. The old row's transition to `changes_requested` doesn't need its own mail; the new-row mail already tells the audience "X suggested changes to your earlier submission" through the body.
Out of scope for v1: a bespoke "your submission was declined with a counter-proposal" email aimed at the original requester. The new-row mail covers it functionally.
---
## 4. Slice plan
Three reviewable slices, each one PR. Combined scope is small/medium.
1. **Slice A — backend.** Migration 103 (CHECK extension + `counter_payload jsonb` + `previous_request_id` FK + index) + `SuggestChanges` service method + HTTP handler + service tests (happy path, no-op-suggestion guard, deadlock on new row, self-approval block, request_not_pending). Migration is non-blocking on Postgres; safe for live deploy.
2. **Slice B — frontend.** 4th button on /inbox + the edit modal (deadline-fields variant + appointment-fields variant) + status pill `changes_requested` ("Abgelehnt mit Vorschlag") + i18n keys (DE + EN) + the "→ Neuer Vorschlag" link from old row to new row. End-to-end browser smoke test via Playwright.
3. **Slice C — Verlauf integration.** Make sure the `*_approval_changes_suggested` event renders on the project / deadline / appointment Verlauf timeline alongside the existing 4 approval event types. May or may not need code change depending on how generic the Verlauf row renderer is — likely just an i18n key + an icon mapping.
Don't ship a chain-traversal UI in v1. The `previous_request_id` FK is captured so the data is there; surfacing the full chain history (n hops back) is a Phase-2 polish.
---
## 5. Risks / open considerations
- **Chain depth runaway.** Nothing stops an "I keep suggesting / they keep counter-suggesting" loop. Same risk as comment threads on GitHub PRs. Out of scope to cap; the social pressure (each round is a 4-Augen action with a name attached) is the natural brake.
- **Concurrent suggestions on the same pending row.** Two approvers click "suggest changes" at the same time? The existing `getRequestForUpdate` row-lock serialises them; the second caller gets `ErrRequestNotPending` (the first already flipped it). Same guarantee as Approve/Reject today.
- **Deadlock on the new row.** If the suggesting approver is the only qualified approver other than the original requester, the new row's deadlock check returns "no qualified approver" — because the original requester IS now eligible (they're no longer the requested_by), but might not have a high-enough role. The check needs to recognise: caller's pool = "anyone other than the new requester who can canApprove". Original requester counts if they hit the required-role bar. This is just the existing deadlock predicate run against the new (requester, role) tuple; no special-case logic. Surfaced as `409 "no_qualified_approver"` to the suggesting approver, with the standard global_admin override path still available.
- **Counter-payload schema validation.** Server must validate `counter_payload` against the same schema as a normal `Submit*` for that entity_type + lifecycle_event. Otherwise a malicious approver could write garbage values via the suggestion path that wouldn't fly through `Submit*`. Reuse the existing payload-schema validator from the entity services; don't write a parallel.
- **No-op suggestion guard.** Approver clicks suggest-changes but doesn't actually edit anything AND leaves the note empty? Server rejects with `ErrSuggestionRequiresChange`. UI guards too (the submit button stays disabled until either the form is dirty OR the note has text).
- **Migration safety.** Non-blocking. Adding a value to a CHECK constraint is a metadata-only change; adding a NULLable column + a NULLable FK is also metadata-only.
- **What about a structured per-field suggestion (Q4c)?** The `counter_payload` jsonb IS structured — each entity_type has fixed fields. There's no need for a separate "{field, current, suggested}" shape because the diff is computable from `pre_image → counter_payload` on the new row.
- **What about thread-of-notes (Q4b)?** Implicit in the chain — each row's `decision_note` is one "note" by one author; following `previous_request_id` backwards reconstructs the full back-and-forth. A future "thread view" UI is layered on top of this without schema change.
---
## 6. m's decisions
See §0a (decisions table) — filled in after the AskUserQuestion phase on 2026-05-19.
---
## 7. Out of scope for this design
- Email + push notifications (Phase 2; see §3.7).
- Structured per-field suggestion shape (Phase 2 enhancement).
- Approval-policy `watchers` column for notification fan-out.
- "Dismiss this row from my inbox" UI toggle (UX-only, not a data-model change).
- Cross-entity suggest-changes (e.g. project, party). Same as the original approval scope — deadlines + appointments only.

52
docs/t-paliad-207-followup-scope.md
View File

@@ -1,52 +0,0 @@
# t-paliad-207 follow-up scope — close-out assessment
**Author:** fermi (inventor)
**Date:** 2026-05-20
**Verdict:** **(A) DONE** — interactive session scope is shipped; remaining tail is filed-or-fileable as discrete issues, not a fresh fermi slice.
---
## 0. What shipped under t-paliad-207
Six substantive deliveries on `mai/fermi/interactive-session`, all merged to main as of 2026-05-20 morning:
1. **Verfahrensablauf + Fristenrechner polish** — jurisdiction prefix on the picked proceeding, trigger-event label derived from the root rule, flag rows lifted to `/tools/verfahrensablauf`, rule references rendered as `youpc.org/laws#…` links via new `BuildLegalSourceURL`, `Vorab-Einrede → Einspruch` rename (DE i18n).
2. **DE proceeding picker — sub-group headers** (`Verletzungsverfahren` / `Nichtigkeitsverfahren`) + parallel labels (`LG (1. Instanz)` / `OLG (Berufung)` / …).
3. **mig 099** — drop the `with_po` flag from the two RoP 19 rules (Einspruch is always-available, not flag-gated).
4. **mig 100**`upc.inf.cfi.ccr` visible rule (`Nichtigkeitswiderklage`) so the CCR filing event surfaces when `with_ccr` is set; later corrected to `priority='optional'` via mig 101.
5. **mig 101** — strip rule-cite brackets from the two Einspruch names + flip the CCR priority `informational → optional`.
6. **mig 102** — track-aware sequence reshuffle on `upc.inf.cfi` so at any tied date the order is infringement (Replik) → revocation (Erwiderung Nichtigkeitswiderklage) → amendment.
7. **Notes toggle**`Hinweise anzeigen` checkbox in the view-toggle bar; compact ⓘ hover hint when off (default), inline `timeline-notes` block when on. `localStorage` shared across both tool pages.
Filed two follow-up issues during the session:
- **m/paliad#39** — link DE + EPA + EU rule references to `youpc.org/laws` (depends on youpc.org ingesting the corpus).
- **m/paliad#41** — DE proceedings as one combined timeline per type (LG→OLG→BGH, BPatG→BGH) — corpus + spawn + de-duplication + multi-instance UI.
## 1. Why (A) DONE
Every concrete thing m surfaced in the session was addressed and merged. The two larger unaddressed asks — combined-timeline behaviour for DE proceedings, and DE/EPA rule-link coverage — are already captured in #39 and #41 with concrete scope notes. Neither belongs as a fermi "next slice" because:
- **#41** is a corpus + UI design pass of its own (3 new spawn rules, de-duplication of the existing `de.inf.lg.berufung ↔ de.inf.olg.berufung` pair, multi-court picker shape, instance markers in the timeline body). That's its own design ticket, not a fermi follow-up.
- **#39** is primarily a youpc.org-side ingest task; the paliad-side change is a 5-line `switch` extension once youpc serves the URLs. Wait for the dependency, then small.
Everything else I surfaced in the read-only audit is either pre-existing (not introduced by this session) or speculative (no user complaint behind it).
## 2. Optional tail — would file as discrete issues, not a fermi slice
Surfacing these for completeness; none are blocking, and most would be small enough to either roll into the existing tickets or land as one-off polish:
| # | Candidate | Size | Already covered? |
|---|---|---|---|
| 1 | **`legal_source` backfill on 47 unsourced active rules** — query: 4 of `upc.inf.cfi`, 4 of `upc.pi.cfi` (100% gap), 6 of `upc.rev.cfi`, others. Pre-condition for #39's links to bite. | Medium — corpus research per rule | Partially: huygens did the broader citation backfill in t-paliad-208 / mig 097. This is the remaining tail. |
| 2 | **`upc.pi.cfi` corpus completeness audit** — all 4 of its rules lack `legal_source`; likely also missing the analogous track-of-decision spawn rules to `upc.apl.merits`. | Small audit, medium fix | No — would be a fresh task. |
| 3 | **Touch-device fallback for the ⓘ hover hint**`title=` attribute degrades poorly on phones (no hover, no tap-to-show). Either a click-to-popover variant, or accept the gap. | Tiny | No, but no user complaint yet. |
| 4 | **R.46 mutatis-mutandis distinction in `upc.rev.cfi.prelim` description** — when mig 101 stripped the `(R. 19 i.V.m. R. 46)` cite, the legal nuance dropped from the user-visible name. Could be surfaced in the description text where it doesn't crowd the timeline cell. | Tiny (one row update) | No. |
| 5 | **Save-modal warning on SoD + CCR double-check** — with mig 100's new `upc.inf.cfi.ccr` rule, a user can save both `sod` and `ccr` from the same modal and get two `paliad.deadlines` rows on the same date. Today's pre-uncheck behaviour for optional priority mitigates accidental double-write but doesn't surface the duplication actively. | Small | No. |
| 6 | **Deferred slices from earlier design docs that touch this surface**: t-paliad-179 Slice 2-4 (variant chips, lane view, side-by-side compare on `/tools/verfahrensablauf`); t-paliad-169 "+ Eintrag" CTA on the SmartTimeline (project-bound) path. | Each a separate slice. | Yes — parked from their original tasks; would be revisited when m prioritises. |
None of these warrant a "next fermi slice" right now. They're polish + corpus tail, and best handled as individual issues that m can pick from.
## 3. Recommendation
Close t-paliad-207. Fire fermi. The remaining tail (items 16 above) is appropriate as a small "polish backlog" m can dip into when relevant, but not a coherent unit of work that needs a parked inventor.

126
frontend/public/patentstyle/index.html
View File

@@ -1,126 +0,0 @@
<!DOCTYPE html>
<html lang="de">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>HL Patents Style</title>
<style>
:root {
--bg: #002236;
--fg: #e8e8ed;
--muted: #8a9aa6;
--accent: #bff355;
--rule: #0f3a55;
}
* { box-sizing: border-box; }
html, body { margin: 0; padding: 0; background: var(--bg); color: var(--fg); }
body {
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Inter, sans-serif;
line-height: 1.55;
font-size: 17px;
}
main {
max-width: 720px;
margin: 0 auto;
padding: 4rem 1.5rem 6rem;
}
h1 {
font-size: 2.25rem;
margin: 0 0 0.25rem;
letter-spacing: -0.02em;
}
h1 .accent { color: var(--accent); }
.lead {
color: var(--muted);
margin: 0 0 3rem;
font-size: 1.05rem;
}
h2 {
font-size: 1.1rem;
text-transform: uppercase;
letter-spacing: 0.08em;
color: var(--accent);
margin: 2.5rem 0 0.75rem;
border-bottom: 1px solid var(--rule);
padding-bottom: 0.5rem;
}
ul { padding-left: 1.25rem; margin: 0.5rem 0 1rem; }
li { margin: 0.35rem 0; }
p { margin: 0.6rem 0; }
a { color: var(--accent); text-decoration: none; border-bottom: 1px solid transparent; }
a:hover { border-bottom-color: var(--accent); }
code, kbd {
font-family: ui-monospace, "SF Mono", Menlo, Consolas, monospace;
font-size: 0.9em;
background: #0a2d44;
padding: 0.1em 0.35em;
border-radius: 3px;
color: var(--accent);
}
.download {
display: inline-block;
margin-top: 0.5rem;
padding: 0.7rem 1.2rem;
background: var(--accent);
color: var(--bg);
font-weight: 600;
border-radius: 4px;
border: 0;
}
.download:hover { border-bottom: 0; filter: brightness(1.05); }
footer {
margin-top: 4rem;
padding-top: 1.5rem;
border-top: 1px solid var(--rule);
color: var(--muted);
font-size: 0.85rem;
}
footer code { color: var(--muted); background: transparent; padding: 0; }
</style>
</head>
<body>
<main>
<h1>HL <span class="accent">Patents Style</span></h1>
<p class="lead">Das Word-Template fuer Patentschriftsaetze bei Hogan Lovells.</p>
<h2>Was es kann</h2>
<ul>
<li>Vorlagen-Stile fuer alle gaengigen Schriftsatz-Bausteine (Headings, Randnummern, Antraege, Exhibits)</li>
<li>BuildingBlocks: ueber das Ribbon vorgefertigte Abschnitte einfuegen</li>
<li>Sprachumschaltung DE / EN per Ribbon-Toggle</li>
<li>Scaffolding: kompletter Schriftsatz-Aufbau mit einem Klick</li>
<li>Margin Numbers, Exhibit-Nummerierung, SEQ-Felder</li>
<li>Auto-Update ueber das Ribbon (siehe unten)</li>
</ul>
<h2>Aktualisierungen</h2>
<p>Im Ribbon-Tab <em>HL Patent</em> &rarr; Gruppe <em>Manage</em> &rarr; <kbd>Check for Updates</kbd>. Holt das aktuelle Manifest von diesem Server, prueft die Version, laedt die neue <code>.dotm</code> nur bei Bedarf, verifiziert per SHA256, installiert. Nach dem Update Word neu starten.</p>
<h2>Frische Installation</h2>
<p>Wer das Template noch nicht installiert hat, laedt einmal manuell die aktuelle Version und kopiert sie in den Word-Startup-Ordner. Den Rest macht die <code>InstallTemplate</code>-Routine im Template selbst.</p>
<p><a class="download" href="HL-Patents-Style.dotm" download>HL Patents Style.dotm herunterladen</a></p>
<h2>Hilfe &amp; Feedback</h2>
<p>Fehler, Wuensche, Stilfragen, Build-Probleme: <a href="mailto:matthias.siebels@hoganlovells.com?subject=HL%20Patents%20Style">matthias.siebels@hoganlovells.com</a></p>
<footer>
<p>Update-Endpoint: <code>paliad.msbls.de/patentstyle/</code> &middot; Mirror: <code>hihlc.msbls.de/patentstyle/</code></p>
<p id="ver"></p>
</footer>
<script>
// Best-effort: show the currently-served version
fetch('version.json', { cache: 'no-cache' })
.then(r => r.ok ? r.json() : null)
.then(j => {
if (j && j.version) {
document.getElementById('ver').textContent = 'Aktuell ausgeliefert: ' + j.version;
}
})
.catch(() => {});
</script>
</main>
</body>
</html>

251
frontend/src/client/broadcast.ts
View File

@@ -1,23 +1,16 @@
// broadcast.ts — bulk team-email compose modal (t-paliad-147 / issue #7,
// retrofitted onto the unified modal primitive in t-paliad-217 Slice D).
// broadcast.ts — bulk team-email compose modal (t-paliad-147 / issue #7).
//
// Exposes openBroadcastModal({ recipients, projectIDs }) which the /team
// page calls when the "E-Mail an Auswahl" button is clicked. The modal
// collects subject + body + (optional) template and posts to
// /api/team/broadcast. On success it shows a per-recipient send report
// and closes after a short delay.
// and closes.
//
// Per-recipient privacy: each member receives their own envelope. The
// modal lists every addressee so the sender knows exactly who will be
// mailed; there is no surprise to-line.
//
// Migration notes (t-paliad-217 Slice D): the shell, ESC, backdrop,
// close button, and browser back-button are now owned by openModal().
// The body is built imperatively so the submit handler can read form
// state from the modal-body element it constructed.
import { t } from "./i18n";
import { openModal } from "./components/modal";
export interface BroadcastRecipient {
user_id: string;
@@ -42,12 +35,6 @@ interface EmailTemplateOption {
is_default: boolean;
}
interface BroadcastResult {
sent: number;
failed: number;
total: number;
}
const RECIPIENT_CAP = 100;
function esc(s: string): string {
@@ -91,32 +78,69 @@ export function openBroadcastModal(args: OpenBroadcastModalArgs): void {
return;
}
const body = renderBody(args);
wireBody(body);
// Existing modal? Remove. Avoids stacking on rapid double-click.
document.getElementById("broadcast-modal")?.remove();
void openModal<BroadcastResult>({
title: t("team.broadcast.title") || "E-Mail an Auswahl",
body,
size: "lg",
primary: {
label: `${t("team.broadcast.send") || "Senden"} (${args.recipients.length})`,
handler: async (close) => {
await onSubmit(body, args, close);
},
},
secondary: { label: t("common.cancel") || "Abbrechen" },
const overlay = document.createElement("div");
overlay.id = "broadcast-modal";
overlay.className = "modal-overlay";
overlay.innerHTML = renderShell(args);
document.body.appendChild(overlay);
// Close handlers
overlay.querySelector("[data-broadcast-close]")?.addEventListener("click", () => overlay.remove());
overlay.addEventListener("click", (e) => {
if (e.target === overlay) overlay.remove();
});
document.addEventListener("keydown", function escClose(e) {
if (e.key === "Escape") {
overlay.remove();
document.removeEventListener("keydown", escClose);
}
});
// Recipient toggle
overlay.querySelector("[data-broadcast-toggle-recipients]")?.addEventListener("click", () => {
const list = overlay.querySelector<HTMLDivElement>("[data-broadcast-recipient-list]");
if (!list) return;
list.classList.toggle("hidden");
});
// Template dropdown
const templateSelect = overlay.querySelector<HTMLSelectElement>("[data-broadcast-template]");
templateSelect?.addEventListener("change", async () => {
const key = templateSelect.value;
if (!key) return;
const lang = (document.documentElement.lang || "de") as "de" | "en";
try {
const res = await fetch(`/api/admin/email-templates/${encodeURIComponent(key)}/${lang}`);
if (!res.ok) return;
const tpl = (await res.json()) as EmailTemplateOption;
const subjectInput = overlay.querySelector<HTMLInputElement>("[data-broadcast-subject]");
const bodyInput = overlay.querySelector<HTMLTextAreaElement>("[data-broadcast-body]");
if (subjectInput) subjectInput.value = stripGoTemplate(tpl.subject);
if (bodyInput) bodyInput.value = stripGoTemplate(tpl.body);
} catch {
/* template load failure is non-fatal — sender keeps freeform mode. */
}
});
// Submit
const form = overlay.querySelector<HTMLFormElement>("[data-broadcast-form]");
form?.addEventListener("submit", async (e) => {
e.preventDefault();
await onSubmit(form, overlay, args);
});
}
function renderBody(args: OpenBroadcastModalArgs): HTMLElement {
const root = document.createElement("div");
root.className = "broadcast-body";
function renderShell(args: OpenBroadcastModalArgs): string {
const count = args.recipients.length;
const previewItems = args.recipients
.slice(0, 5)
.map((r) => esc(r.display_name) + " &lt;" + esc(r.email) + "&gt;")
.join(", ");
const more = count > 5 ? ` +${count - 5}` : "";
const fullList = args.recipients
.map(
(r) =>
@@ -126,89 +150,65 @@ function renderBody(args: OpenBroadcastModalArgs): HTMLElement {
)
.join("");
root.innerHTML = `
<div class="broadcast-recipient-summary">
<strong>${esc(t("team.broadcast.recipients") || "Empfänger")}: ${count}</strong>
<button type="button" class="link-button" data-broadcast-toggle-recipients>${esc(t("team.broadcast.show_all") || "Alle anzeigen")}</button>
<a class="link-button broadcast-mailto" href="${buildMailtoHref(args.recipients)}" data-broadcast-mailto title="${esc(t("team.broadcast.mailto.tooltip") || "Im lokalen Mail-Client öffnen")}">
${esc(t("team.broadcast.mailto.label") || "Im Mail-Client öffnen")}
</a>
<div class="broadcast-recipient-preview">${previewItems}${more}</div>
<div class="broadcast-recipient-list hidden" data-broadcast-recipient-list>
<ul>${fullList}</ul>
</div>
return `
<div class="modal modal-broadcast" role="dialog" aria-modal="true" aria-labelledby="broadcast-title">
<header class="modal-header">
<h2 id="broadcast-title">${esc(t("team.broadcast.title") || "E-Mail an Auswahl")}</h2>
<button type="button" class="modal-close" data-broadcast-close aria-label="${esc(t("common.close") || "Schließen")}">&times;</button>
</header>
<form data-broadcast-form>
<div class="modal-body">
<div class="broadcast-recipient-summary">
<strong>${esc(t("team.broadcast.recipients") || "Empfänger")}: ${count}</strong>
<button type="button" class="link-button" data-broadcast-toggle-recipients>${esc(t("team.broadcast.show_all") || "Alle anzeigen")}</button>
<a class="link-button broadcast-mailto" href="${buildMailtoHref(args.recipients)}" data-broadcast-mailto title="${esc(t("team.broadcast.mailto.tooltip") || "Im lokalen Mail-Client öffnen")}">
${esc(t("team.broadcast.mailto.label") || "Im Mail-Client öffnen")}
</a>
<div class="broadcast-recipient-preview">${previewItems}${more}</div>
<div class="broadcast-recipient-list hidden" data-broadcast-recipient-list>
<ul>${fullList}</ul>
</div>
</div>
<label for="broadcast-template-select">${esc(t("team.broadcast.template") || "Vorlage")} <span class="muted">(${esc(t("team.broadcast.template_optional") || "optional")})</span></label>
<select id="broadcast-template-select" data-broadcast-template>
<option value="">${esc(t("team.broadcast.template_freeform") || "Freitext")}</option>
<option value="invitation">${esc(t("team.broadcast.template.invitation") || "Einladung")}</option>
<option value="deadline_digest">${esc(t("team.broadcast.template.deadline_digest") || "Frist-Digest")}</option>
</select>
<label for="broadcast-subject">${esc(t("team.broadcast.subject") || "Betreff")}</label>
<input type="text" id="broadcast-subject" data-broadcast-subject required maxlength="200" />
<label for="broadcast-body">${esc(t("team.broadcast.body") || "Nachricht")}</label>
<textarea id="broadcast-body" data-broadcast-body required rows="12" placeholder="${esc(t("team.broadcast.body_placeholder") || "Hallo {{first_name}}, …")}"></textarea>
<p class="broadcast-hint muted">
${esc(t("team.broadcast.placeholders_hint") || "Platzhalter: {{name}}, {{first_name}}, {{role_on_project}}")}
</p>
<p class="broadcast-hint muted">
${esc(t("team.broadcast.markdown_hint") || "Markdown unterstützt: **fett**, *kursiv*, [Link](https://...), - Aufzählung.")}
</p>
<div class="broadcast-error hidden" data-broadcast-error></div>
<div class="broadcast-success hidden" data-broadcast-success></div>
</div>
<footer class="modal-footer">
<button type="button" class="btn btn-ghost" data-broadcast-close>${esc(t("common.cancel") || "Abbrechen")}</button>
<button type="submit" class="btn btn-primary" data-broadcast-submit>${esc(t("team.broadcast.send") || "Senden")} (${count})</button>
</footer>
</form>
</div>
<div class="form-field">
<label for="broadcast-template-select">${esc(t("team.broadcast.template") || "Vorlage")} <span class="muted">(${esc(t("team.broadcast.template_optional") || "optional")})</span></label>
<select id="broadcast-template-select" data-broadcast-template>
<option value="">${esc(t("team.broadcast.template_freeform") || "Freitext")}</option>
<option value="invitation">${esc(t("team.broadcast.template.invitation") || "Einladung")}</option>
<option value="deadline_digest">${esc(t("team.broadcast.template.deadline_digest") || "Frist-Digest")}</option>
</select>
</div>
<div class="form-field">
<label for="broadcast-subject">${esc(t("team.broadcast.subject") || "Betreff")}</label>
<input type="text" id="broadcast-subject" data-broadcast-subject required maxlength="200" />
</div>
<div class="form-field">
<label for="broadcast-body">${esc(t("team.broadcast.body") || "Nachricht")}</label>
<textarea id="broadcast-body" data-broadcast-body required rows="12" placeholder="${esc(t("team.broadcast.body_placeholder") || "Hallo {{first_name}}, …")}"></textarea>
</div>
<p class="broadcast-hint muted">
${esc(t("team.broadcast.placeholders_hint") || "Platzhalter: {{name}}, {{first_name}}, {{role_on_project}}")}
</p>
<p class="broadcast-hint muted">
${esc(t("team.broadcast.markdown_hint") || "Markdown unterstützt: **fett**, *kursiv*, [Link](https://...), - Aufzählung.")}
</p>
<div class="broadcast-error hidden" data-broadcast-error></div>
<div class="broadcast-success hidden" data-broadcast-success></div>
`;
return root;
}
function wireBody(body: HTMLElement): void {
// Recipient list toggle.
body.querySelector("[data-broadcast-toggle-recipients]")?.addEventListener("click", () => {
const list = body.querySelector<HTMLDivElement>("[data-broadcast-recipient-list]");
if (!list) return;
list.classList.toggle("hidden");
});
// Template dropdown — populates subject/body from the selected template.
const templateSelect = body.querySelector<HTMLSelectElement>("[data-broadcast-template]");
templateSelect?.addEventListener("change", async () => {
const key = templateSelect.value;
if (!key) return;
const lang = (document.documentElement.lang || "de") as "de" | "en";
try {
const res = await fetch(`/api/admin/email-templates/${encodeURIComponent(key)}/${lang}`);
if (!res.ok) return;
const tpl = (await res.json()) as EmailTemplateOption;
const subjectInput = body.querySelector<HTMLInputElement>("[data-broadcast-subject]");
const bodyInput = body.querySelector<HTMLTextAreaElement>("[data-broadcast-body]");
if (subjectInput) subjectInput.value = stripGoTemplate(tpl.subject);
if (bodyInput) bodyInput.value = stripGoTemplate(tpl.body);
} catch {
/* template load failure is non-fatal — sender keeps freeform mode. */
}
});
}
async function onSubmit(
body: HTMLElement,
args: OpenBroadcastModalArgs,
close: (result: BroadcastResult) => void,
): Promise<void> {
const subject = (body.querySelector<HTMLInputElement>("[data-broadcast-subject]")?.value ?? "").trim();
const bodyText = (body.querySelector<HTMLTextAreaElement>("[data-broadcast-body]")?.value ?? "").trim();
const templateKey = body.querySelector<HTMLSelectElement>("[data-broadcast-template]")?.value ?? "";
const errEl = body.querySelector<HTMLDivElement>("[data-broadcast-error]");
const okEl = body.querySelector<HTMLDivElement>("[data-broadcast-success]");
async function onSubmit(form: HTMLFormElement, overlay: HTMLElement, args: OpenBroadcastModalArgs): Promise<void> {
const subject = (form.querySelector<HTMLInputElement>("[data-broadcast-subject]")?.value ?? "").trim();
const body = (form.querySelector<HTMLTextAreaElement>("[data-broadcast-body]")?.value ?? "").trim();
const templateKey = form.querySelector<HTMLSelectElement>("[data-broadcast-template]")?.value ?? "";
const errEl = overlay.querySelector<HTMLDivElement>("[data-broadcast-error]");
const okEl = overlay.querySelector<HTMLDivElement>("[data-broadcast-success]");
errEl?.classList.add("hidden");
okEl?.classList.add("hidden");
@@ -216,15 +216,17 @@ async function onSubmit(
showError(errEl, t("team.broadcast.error.subject_required") || "Betreff ist erforderlich.");
return;
}
if (!bodyText) {
if (!body) {
showError(errEl, t("team.broadcast.error.body_required") || "Nachricht ist erforderlich.");
return;
}
// The modal primary button lives in the footer (owned by openModal),
// not in the body. We surface "sending..." feedback via the in-body
// success/error areas; the primary button stays clickable but the
// server-side idempotency + RECIPIENT_CAP make double-clicks safe.
const submitBtn = form.querySelector<HTMLButtonElement>("[data-broadcast-submit]");
if (submitBtn) {
submitBtn.disabled = true;
submitBtn.textContent = t("team.broadcast.sending") || "Sende…";
}
const recipientFilter: Record<string, unknown> = {};
if (args.projectIDs?.length) recipientFilter.project_ids = args.projectIDs;
if (args.projectID) recipientFilter.project_id = args.projectID;
@@ -240,7 +242,7 @@ async function onSubmit(
body: JSON.stringify({
project_id: args.projectID ?? null,
subject,
body: bodyText,
body,
template_key: templateKey || undefined,
lang,
recipient_filter: recipientFilter,
@@ -250,9 +252,13 @@ async function onSubmit(
if (!res.ok) {
const errBody = await res.json().catch(() => ({ error: "Send failed" }));
showError(errEl, (errBody as { error?: string }).error || "Send failed");
if (submitBtn) {
submitBtn.disabled = false;
submitBtn.textContent = (t("team.broadcast.send") || "Senden") + ` (${args.recipients.length})`;
}
return;
}
const report = (await res.json()) as BroadcastResult;
const report = (await res.json()) as { sent: number; failed: number; total: number };
if (okEl) {
okEl.classList.remove("hidden");
const tpl = t("team.broadcast.success") || "{sent} von {total} Mails versandt ({failed} fehlgeschlagen).";
@@ -261,10 +267,17 @@ async function onSubmit(
.replace("{total}", String(report.total))
.replace("{failed}", String(report.failed));
}
// Give the sender a moment to see the report, then close.
setTimeout(() => close(report), 2500);
if (submitBtn) {
submitBtn.disabled = true;
submitBtn.textContent = t("team.broadcast.sent") || "Versandt";
}
setTimeout(() => overlay.remove(), 2500);
} catch (e) {
showError(errEl, String(e));
if (submitBtn) {
submitBtn.disabled = false;
submitBtn.textContent = (t("team.broadcast.send") || "Senden") + ` (${args.recipients.length})`;
}
}
}

405
frontend/src/client/components/approval-edit-modal.ts
View File

@@ -1,405 +0,0 @@
// t-paliad-216 Slice B (initial) + t-paliad-217 Slice C (rewrite) —
// modal for the "Suggest changes" approval action.
//
// The approver authors a counter-proposal: edits any field on the
// underlying deadline / appointment AND/OR leaves a free-text note. On
// submit the caller POSTs to /api/approval-requests/{id}/suggest-changes,
// which closes the OLD row as `changes_requested` and spawns a NEW pending
// row authored by the approver carrying counter_payload as its payload.
//
// Scope (t-paliad-217 m's Q1 Reading A — 2026-05-20):
// - Every editable field on the entity is in the form, not just the
// date allowlist that triggers approval (t-paliad-138 §Q4). The
// backend's counter-allowlist (buildCounterSetClauses in
// approval_service.go) accepts the wider set:
// deadline: title, due_date, original_due_date, warning_date,
// description, notes, rule_code, event_type_ids
// appointment: title, start_at, end_at, description, location,
// appointment_type
// - Lifecycle restriction: update-only. shape-list.ts hides the
// suggest_changes button for create / complete / delete; this modal
// refuses to open on them as defence-in-depth.
//
// Built on the unified openModal() primitive (t-paliad-217 Slice A) —
// the primitive owns ESC, focus, backdrop, close button, browser
// back-button, mobile takeover. This module only constructs the body.
//
// API:
// const result = await openApprovalEditModal({
// entityType: "deadline",
// lifecycleEvent: "update",
// payload: {...}, // requester's proposed values (= current entity row)
// preImage: {...}, // pre-mutation values (for "vorher" diff hints)
// });
// if (result) {
// // result.counterPayload + result.note ready to POST
// } else {
// // user cancelled
// }
import { t } from "../i18n";
import {
attachEventTypePicker,
fetchEventTypes,
type PickerHandle,
} from "../event-types";
import { openModal } from "./modal";
export interface ApprovalEditModalArgs {
entityType: "deadline" | "appointment";
lifecycleEvent: string;
payload: Record<string, unknown> | null;
preImage: Record<string, unknown> | null;
// Optional context for the read-only context section. The caller can
// hydrate these from the row's API response (project_title,
// requester_name, requested_at) when available; the modal degrades
// gracefully when they're missing.
projectTitle?: string;
requesterName?: string;
requestedAt?: string;
}
export interface ApprovalEditModalResult {
counterPayload: Record<string, unknown>;
note: string;
}
// FieldSpec — one editable input row. The type determines the <input>
// (or <textarea>) shape; getValue / setValue normalise the form-element
// value to the server-friendly counter_payload shape.
interface FieldSpec {
key: string;
labelKey: string; // i18n key
inputType: "text" | "date" | "datetime-local" | "textarea";
// Required = title (NOT NULL on the column). Other fields are nullable;
// empty string clears (server's addText helper handles this).
required?: boolean;
}
const DEADLINE_FIELDS: ReadonlyArray<FieldSpec> = [
{ key: "title", labelKey: "deadlines.field.title", inputType: "text", required: true },
{ key: "due_date", labelKey: "deadlines.field.due", inputType: "date" },
{ key: "original_due_date", labelKey: "approvals.suggest.field.original_due_date", inputType: "date" },
{ key: "warning_date", labelKey: "approvals.suggest.field.warning_date", inputType: "date" },
{ key: "rule_code", labelKey: "approvals.suggest.field.rule_code", inputType: "text" },
{ key: "description", labelKey: "approvals.suggest.field.description", inputType: "textarea" },
{ key: "notes", labelKey: "deadlines.field.notes", inputType: "textarea" },
];
const APPOINTMENT_FIELDS: ReadonlyArray<FieldSpec> = [
{ key: "title", labelKey: "appointments.field.title", inputType: "text", required: true },
{ key: "start_at", labelKey: "appointments.field.start", inputType: "datetime-local" },
{ key: "end_at", labelKey: "appointments.field.end", inputType: "datetime-local" },
{ key: "location", labelKey: "appointments.field.location", inputType: "text" },
{ key: "appointment_type", labelKey: "appointments.field.type", inputType: "text" },
{ key: "description", labelKey: "appointments.field.description", inputType: "textarea" },
];
export async function openApprovalEditModal(
args: ApprovalEditModalArgs,
): Promise<ApprovalEditModalResult | null> {
if (args.lifecycleEvent !== "update") {
window.alert(t("approvals.suggest.unsupported_lifecycle"));
return null;
}
const fields = args.entityType === "deadline" ? DEADLINE_FIELDS : APPOINTMENT_FIELDS;
const original = (args.payload ?? {}) as Record<string, unknown>;
const preImage = (args.preImage ?? {}) as Record<string, unknown>;
// Build the body element imperatively so we can wire input handlers
// before openModal mounts the dialog.
const body = document.createElement("div");
body.className = "approval-suggest-body";
body.appendChild(renderIntro());
body.appendChild(renderFieldsSection(fields, original, preImage));
// event_type_ids picker (deadline-only) — async because the picker
// needs to fetch the firm's event-type catalogue. We attach a host
// element synchronously and populate it once the fetch returns.
let eventTypePicker: PickerHandle | null = null;
let eventTypePickerLoaded = false;
if (args.entityType === "deadline") {
const pickerSection = renderEventTypePickerSection();
body.appendChild(pickerSection.section);
void (async () => {
try {
await fetchEventTypes();
eventTypePicker = attachEventTypePicker(pickerSection.host, {
initialIDs: (original.event_type_ids as string[] | undefined) ?? [],
});
eventTypePickerLoaded = true;
} catch (_e) {
// Fail-soft: leave the section empty; counter still works
// without event_type_ids in the payload.
pickerSection.host.textContent = t("approvals.suggest.event_type_picker_unavailable");
}
})();
}
body.appendChild(renderContextSection(args, original));
const noteEl = renderNoteSection();
body.appendChild(noteEl.section);
// Read inputs back at submit time. The same list is what we listen to
// for the dirty-state gate.
const fieldInputs = Array.from(
body.querySelectorAll<HTMLInputElement | HTMLTextAreaElement>("[data-suggest-field]"),
);
return openModal<ApprovalEditModalResult>({
title: `${t("approvals.suggest.modal_title")}${t(("approvals.entity." + args.entityType) as never)}`,
body,
size: "lg",
primary: {
label: t("approvals.suggest.submit"),
handler: (close) => {
const result = buildResult(fieldInputs, noteEl.textarea, original, eventTypePicker, eventTypePickerLoaded);
if (!result.dirty && !result.note) {
// Server enforces too. Client-side guard avoids the 400 round-trip.
window.alert(t("approvals.suggest.submit_disabled_hint"));
return;
}
close({
counterPayload: result.counterPayload,
note: result.note,
});
},
},
secondary: { label: t("approvals.suggest.cancel") },
});
}
function renderIntro(): HTMLElement {
const p = document.createElement("p");
p.className = "approval-suggest-intro muted";
p.textContent = t("approvals.suggest.intro");
return p;
}
function renderFieldsSection(
fields: ReadonlyArray<FieldSpec>,
original: Record<string, unknown>,
preImage: Record<string, unknown>,
): HTMLElement {
const section = document.createElement("section");
section.className = "approval-suggest-section approval-suggest-section--editable";
const h = document.createElement("h3");
h.className = "approval-suggest-section-title";
h.textContent = t("approvals.suggest.section.editable");
section.appendChild(h);
for (const f of fields) {
const wrap = document.createElement("div");
wrap.className = "form-field approval-suggest-field";
const label = document.createElement("label");
label.textContent = t(f.labelKey as never);
wrap.appendChild(label);
const value = formatFieldForInput(original[f.key], f.inputType);
let input: HTMLInputElement | HTMLTextAreaElement;
if (f.inputType === "textarea") {
input = document.createElement("textarea");
input.rows = 3;
(input as HTMLTextAreaElement).value = value;
} else {
input = document.createElement("input");
(input as HTMLInputElement).type = f.inputType;
(input as HTMLInputElement).value = value;
}
input.dataset.suggestField = f.key;
input.dataset.suggestOriginal = value;
input.dataset.suggestInputType = f.inputType;
if (f.required) input.required = true;
// Wire the <label> to focus the <input> on click.
const inputID = `suggest-field-${f.key}`;
input.id = inputID;
label.setAttribute("for", inputID);
wrap.appendChild(input);
// "Vorher" hint when pre_image carries a distinct value for this field.
const preVal = formatFieldForInput(preImage[f.key], f.inputType);
if (preVal && preVal !== value) {
const hint = document.createElement("span");
hint.className = "approval-suggest-prehint";
hint.textContent = `${t("approvals.diff.before")}: ${preVal}`;
wrap.appendChild(hint);
}
section.appendChild(wrap);
}
return section;
}
function renderEventTypePickerSection(): { section: HTMLElement; host: HTMLElement } {
const section = document.createElement("section");
section.className = "approval-suggest-section approval-suggest-section--editable";
const h = document.createElement("h3");
h.className = "approval-suggest-section-title";
h.textContent = t("deadlines.field.event_type");
section.appendChild(h);
const host = document.createElement("div");
host.className = "approval-suggest-event-type-picker";
section.appendChild(host);
return { section, host };
}
function renderContextSection(
args: ApprovalEditModalArgs,
original: Record<string, unknown>,
): HTMLElement {
const section = document.createElement("section");
section.className = "approval-suggest-section approval-suggest-section--context";
const h = document.createElement("h3");
h.className = "approval-suggest-section-title";
h.textContent = t("approvals.suggest.section.context");
section.appendChild(h);
const rows: Array<[string, string]> = [];
if (args.projectTitle) {
rows.push([t("approvals.suggest.context.project"), args.projectTitle]);
}
if (args.requesterName) {
rows.push([t("approvals.suggest.context.requester"), args.requesterName]);
}
if (args.requestedAt) {
rows.push([t("approvals.suggest.context.requested_at"), formatDateForDisplay(args.requestedAt)]);
}
// Approval status — entity row's current approval_status (typically
// "pending" while the modal is open, but display the requester's
// perspective for completeness).
const approvalStatus = original.approval_status as string | undefined;
if (approvalStatus) {
rows.push([
t("approvals.suggest.context.approval_status"),
t(("approvals.status." + approvalStatus) as never) || approvalStatus,
]);
}
if (rows.length === 0) {
section.style.display = "none";
return section;
}
const dl = document.createElement("dl");
dl.className = "approval-suggest-context-grid";
for (const [label, value] of rows) {
const dt = document.createElement("dt");
dt.textContent = label;
const dd = document.createElement("dd");
dd.textContent = value;
dl.appendChild(dt);
dl.appendChild(dd);
}
section.appendChild(dl);
return section;
}
function renderNoteSection(): { section: HTMLElement; textarea: HTMLTextAreaElement } {
const section = document.createElement("section");
section.className = "approval-suggest-section approval-suggest-section--note";
const wrap = document.createElement("div");
wrap.className = "form-field approval-suggest-note";
const label = document.createElement("label");
label.textContent = t("approvals.suggest.note_label");
label.setAttribute("for", "suggest-note");
wrap.appendChild(label);
const textarea = document.createElement("textarea");
textarea.id = "suggest-note";
textarea.rows = 3;
textarea.placeholder = t("approvals.suggest.note_placeholder");
textarea.dataset.suggestNote = "true";
wrap.appendChild(textarea);
section.appendChild(wrap);
return { section, textarea };
}
interface BuildResult {
counterPayload: Record<string, unknown>;
note: string;
dirty: boolean;
}
function buildResult(
fieldInputs: ReadonlyArray<HTMLInputElement | HTMLTextAreaElement>,
noteEl: HTMLTextAreaElement,
original: Record<string, unknown>,
eventTypePicker: PickerHandle | null,
eventTypePickerLoaded: boolean,
): BuildResult {
const counterPayload: Record<string, unknown> = {};
let dirty = false;
for (const el of fieldInputs) {
const key = el.dataset.suggestField || "";
const orig = el.dataset.suggestOriginal || "";
const inputType = el.dataset.suggestInputType || "text";
if (el.value === orig) continue;
counterPayload[key] = formatFieldForServer(el.value, inputType);
dirty = true;
}
if (eventTypePicker && eventTypePickerLoaded) {
const currentIDs = eventTypePicker.getIDs().slice().sort();
const originalIDs = ((original.event_type_ids as string[] | undefined) ?? []).slice().sort();
if (currentIDs.length !== originalIDs.length
|| currentIDs.some((id, i) => id !== originalIDs[i])) {
counterPayload.event_type_ids = currentIDs;
dirty = true;
}
}
return {
counterPayload,
note: noteEl.value.trim(),
dirty,
};
}
// formatFieldForInput — convert a server-side payload value to the format
// the <input> wants. Dates round-trip as YYYY-MM-DD; datetime-local wants
// YYYY-MM-DDTHH:MM. Server returns ISO 8601 / RFC 3339 timestamps; we
// trim to the local-input shape. Text passes through verbatim.
function formatFieldForInput(v: unknown, inputType: string): string {
if (v == null) return "";
const s = String(v);
if (inputType === "date") {
if (/^\d{4}-\d{2}-\d{2}$/.test(s)) return s;
const m = s.match(/^(\d{4}-\d{2}-\d{2})/);
return m ? m[1] : s;
}
if (inputType === "datetime-local") {
const m = s.match(/^(\d{4}-\d{2}-\d{2})[T\s](\d{2}:\d{2})/);
return m ? `${m[1]}T${m[2]}` : s;
}
return s;
}
// formatFieldForServer — convert input value back to server-friendly
// shape. Empty string means "clear this nullable field"; the server's
// addText helper writes NULL for "". Required fields (title) reach the
// server's non-empty CHECK on the column, which surfaces as a 400.
function formatFieldForServer(value: string, inputType: string): unknown {
if (inputType === "date" || inputType === "datetime-local") {
return value || null;
}
return value;
}
function formatDateForDisplay(iso: string): string {
const d = Date.parse(iso);
if (isNaN(d)) return iso;
return new Date(d).toLocaleString();
}

200
frontend/src/client/components/modal.ts
View File

@@ -1,200 +0,0 @@
// Unified modal primitive — t-paliad-217.
//
// Native <dialog>-backed. The browser handles top-layer stacking, ESC,
// ARIA, and focus trap. We layer back-button integration and focus
// restoration on top so the modal behaves consistently on desktop and on
// the iPhone PWA (m's checking surface).
//
// API:
// const result = await openModal<MyResult>({
// title: "…",
// body: htmlStringOrElement,
// primary: { label: "Speichern", handler: (close) => { close(result); } },
// secondary: { label: "Abbrechen" }, // optional, defaults to "Abbrechen"
// size: "sm" | "md" | "lg" | "full", // optional, defaults to "md"
// onClose: () => { /* … */ },
// classNames: "extra css classes on the <dialog>",
// });
// // result is the value passed to close(), or null if the user
// // dismissed via ESC / backdrop / secondary / browser back-button.
//
// All dismiss paths are unified: ESC, backdrop click, secondary button,
// the always-rendered close (×) button, and the browser back-button all
// resolve the promise with null. Programmatic close from the primary
// handler resolves with whatever was passed.
//
// Migration target: call sites that currently roll their own
// modal-overlay + ESC handler + focus management replace all of it with
// one openModal() call. broadcast.ts and approval-edit-modal.ts are the
// first two call sites (t-paliad-217 Slices C + D); the other ~5 legacy
// modals migrate in follow-up PRs.
import { t } from "../i18n";
export interface ModalConfig<T> {
title: string;
// body can be either a pre-built HTMLElement (the caller assembled the
// DOM and may have local references for read-back) or an HTML string
// (caller is responsible for escaping). Element is preferred when the
// caller needs to read form state on submit.
body: HTMLElement | string;
primary: {
label: string;
handler: (close: (result: T) => void) => void | Promise<void>;
};
// secondary defaults to a Cancel button that just dismisses. Pass null
// explicitly to suppress (rare — primary-only modals like a confirmation
// toast).
secondary?: { label: string } | null;
size?: "sm" | "md" | "lg" | "full";
// onClose fires on EVERY dismiss path (including primary handler
// resolution). Use for analytics / dirty-state warnings.
onClose?: () => void;
classNames?: string;
}
// openModal returns a promise that resolves with the value passed to
// close() inside the primary handler, or null if the user dismissed via
// any other path. Always non-throwing — the primary handler decides
// whether to surface errors via its own UI (e.g. inline form errors)
// rather than rejecting the promise.
export function openModal<T = void>(config: ModalConfig<T>): Promise<T | null> {
return new Promise((resolve) => {
// Record + restore focus to whatever was focused before the modal
// opened. Native <dialog> does NOT do this automatically.
const previouslyFocused = document.activeElement as HTMLElement | null;
const dialog = document.createElement("dialog");
dialog.className = ["modal", config.classNames].filter(Boolean).join(" ");
dialog.dataset.size = config.size ?? "md";
const header = document.createElement("header");
header.className = "modal__header";
const titleEl = document.createElement("h2");
titleEl.className = "modal__title";
titleEl.textContent = config.title;
header.appendChild(titleEl);
const closeBtn = document.createElement("button");
closeBtn.type = "button";
closeBtn.className = "modal__close";
closeBtn.setAttribute("aria-label", t("modal.close.label"));
closeBtn.textContent = "×"; // ×
header.appendChild(closeBtn);
dialog.appendChild(header);
const body = document.createElement("div");
body.className = "modal__body";
if (typeof config.body === "string") {
body.innerHTML = config.body;
} else {
body.appendChild(config.body);
}
dialog.appendChild(body);
const footer = document.createElement("footer");
footer.className = "modal__footer";
const secondaryCfg = config.secondary === null
? null
: config.secondary ?? { label: t("common.cancel") };
let secondaryBtn: HTMLButtonElement | null = null;
if (secondaryCfg) {
secondaryBtn = document.createElement("button");
secondaryBtn.type = "button";
secondaryBtn.className = "btn btn-ghost modal__secondary";
secondaryBtn.textContent = secondaryCfg.label;
footer.appendChild(secondaryBtn);
}
const primaryBtn = document.createElement("button");
primaryBtn.type = "button";
primaryBtn.className = "btn btn-primary modal__primary";
primaryBtn.textContent = config.primary.label;
footer.appendChild(primaryBtn);
dialog.appendChild(footer);
document.body.appendChild(dialog);
// History integration (Q5): push a synthetic history state so the
// browser back-button closes the modal instead of leaving the page.
// We pop the state in finish() unless popstate already fired it.
let historyEntryActive = false;
try {
history.pushState({ paliadModalOpen: true }, "");
historyEntryActive = true;
} catch (_e) {
// pushState may throw in obscure embedded contexts; degrade gracefully.
}
// resolved guards against double-resolution (e.g. ESC fires + then a
// microtask-deferred primary handler also calls close).
let resolved = false;
const finish = (value: T | null) => {
if (resolved) return;
resolved = true;
window.removeEventListener("popstate", onPopState);
// Pop our history entry if it's still on the stack. Skip when the
// popstate listener already fired (otherwise we'd go back twice).
if (historyEntryActive) {
historyEntryActive = false;
try { history.back(); } catch (_e) { /* same fallback as pushState */ }
}
// Native dialog close. Use the close event's default rather than
// the cancel event so we don't fight the browser's own dismissal.
if (dialog.open) dialog.close();
dialog.remove();
// Restore focus to whatever the user was on before. The dialog
// teardown happens synchronously so the focus call lands on a
// live element.
if (previouslyFocused && document.body.contains(previouslyFocused)) {
previouslyFocused.focus();
}
config.onClose?.();
resolve(value);
};
const close = (result: T) => finish(result);
// Dismiss paths.
closeBtn.addEventListener("click", () => finish(null));
secondaryBtn?.addEventListener("click", () => finish(null));
dialog.addEventListener("click", (e) => {
// Backdrop click — only when the click landed on the dialog element
// itself (not on a child). Browsers report dialog.click events
// through the backdrop too because the backdrop is conceptually
// part of the dialog's box.
if (e.target === dialog) finish(null);
});
// <dialog>'s cancel event fires on ESC. preventDefault stops the
// browser's default close so we can run our finish() (history pop,
// focus restore, onClose, resolve).
dialog.addEventListener("cancel", (e) => {
e.preventDefault();
finish(null);
});
const onPopState = () => {
// Browser back-button. Our history entry is gone by the time this
// fires, so skip the history.back() in finish().
historyEntryActive = false;
finish(null);
};
window.addEventListener("popstate", onPopState);
// Primary action.
primaryBtn.addEventListener("click", () => {
const result = config.primary.handler(close);
// Allow async primary handlers (handler returns a promise) — we
// don't wait for it explicitly; the handler is responsible for
// calling close() when ready.
void result;
});
// Open the dialog in the top layer. showModal activates ARIA
// role="dialog" + aria-modal=true + focus trap + backdrop.
dialog.showModal();
});
}

206
frontend/src/client/dashboard.ts
View File

@@ -65,60 +65,14 @@ interface DashboardData {
upcoming_deadlines: UpcomingDeadline[];
upcoming_appointments: UpcomingAppointment[];
recent_activity: ActivityEntry[];
inbox_summary?: InboxSummary;
}
interface InboxEntry {
id: string;
entity_type: string;
entity_title?: string | null;
project_id: string;
project_title: string;
requested_at: string;
requester_id: string;
requester_name: string;
}
interface InboxSummary {
pending_count: number;
top: InboxEntry[];
}
// DashboardLayoutSpec mirrors the Go shape in
// internal/services/dashboard_layout_spec.go. The client treats the spec
// as advice: unknown widget keys are dropped silently (server is the
// source of truth for the catalog).
interface DashboardWidgetRef {
key: string;
visible: boolean;
settings?: { count?: number; horizon_days?: number };
}
interface DashboardLayoutSpec {
v: number;
widgets: DashboardWidgetRef[];
}
declare global {
interface Window {
__PALIAD_DASHBOARD__?: DashboardData | null;
__PALIAD_DASHBOARD_LAYOUT__?: DashboardLayoutSpec | null;
__PALIAD_DASHBOARD_CATALOG__?: unknown;
}
}
let currentLayout: DashboardLayoutSpec | null = null;
// settingsFor returns the (possibly-empty) settings blob for a given
// widget key in the active layout. Falls back to an empty object so
// renderers can read `.count ?? defaultN` without null checks.
function settingsFor(key: string): { count?: number; horizon_days?: number } {
if (!currentLayout) return {};
for (const w of currentLayout.widgets) {
if (w.key === key) return w.settings ?? {};
}
return {};
}
const POLL_INTERVAL_MS = 60_000;
// 30-day look-ahead matches the agenda.tsx default chip and the server's
// default `to=today+30d` window — keeps the inline agenda visually
@@ -156,13 +110,7 @@ function render(): void {
renderAppointments(data.upcoming_appointments);
renderAgenda();
renderActivity(data.recent_activity);
renderInbox(data.inbox_summary ?? { pending_count: 0, top: [] });
toggleOnboardingHint(data.user);
// Apply the saved layout AFTER renderers so the per-widget settings
// applied above (count truncation, horizon filtering) are stable
// before we toggle visibility + reorder. Failing to find the layout
// is non-fatal — the factory default markup order takes over.
applyLayout();
}
function renderGreeting(user: DashboardUser | null): void {
@@ -214,13 +162,6 @@ function renderDeadlines(items: UpcomingDeadline[]): void {
const list = document.getElementById("dashboard-deadlines-list")!;
const empty = document.getElementById("dashboard-deadlines-empty")!;
// Per-widget settings: truncate by count + filter by horizon. Backend
// returns 40 rows / 60d; the widget settings narrow it. Defaults match
// the catalog (10 rows, 30 days).
const s = settingsFor("upcoming-deadlines");
items = filterByHorizonDays(items, s.horizon_days ?? 30, (d) => d.due_date);
items = items.slice(0, s.count ?? 10);
if (!items.length) {
list.innerHTML = "";
list.style.display = "none";
@@ -250,10 +191,6 @@ function renderAppointments(items: UpcomingAppointment[]): void {
const list = document.getElementById("dashboard-appointments-list")!;
const empty = document.getElementById("dashboard-appointments-empty")!;
const s = settingsFor("upcoming-appointments");
items = filterByHorizonDays(items, s.horizon_days ?? 30, (a) => a.start_at);
items = items.slice(0, s.count ?? 10);
if (!items.length) {
list.innerHTML = "";
list.style.display = "none";
@@ -289,9 +226,6 @@ function renderActivity(items: ActivityEntry[]): void {
const list = document.getElementById("dashboard-activity-list")!;
const empty = document.getElementById("dashboard-activity-empty")!;
const s = settingsFor("recent-activity");
items = items.slice(0, s.count ?? 10);
if (!items.length) {
list.innerHTML = "";
list.style.display = "none";
@@ -410,10 +344,8 @@ function renderAgenda(): void {
}
async function loadAgenda(): Promise<void> {
const s = settingsFor("inline-agenda");
const horizon = s.horizon_days ?? AGENDA_LOOKAHEAD_DAYS;
const from = toAgendaDate(startOfToday());
const to = toAgendaDate(addDays(startOfToday(), horizon - 1));
const to = toAgendaDate(addDays(startOfToday(), AGENDA_LOOKAHEAD_DAYS - 1));
try {
const resp = await fetch(`/api/agenda?from=${from}&to=${to}&types=deadlines,appointments`);
if (!resp.ok) {
@@ -507,125 +439,6 @@ function syncCollapseAriaLabels(): void {
});
}
function renderInbox(s: InboxSummary): void {
const summary = document.getElementById("dashboard-inbox-summary");
const list = document.getElementById("dashboard-inbox-list");
const empty = document.getElementById("dashboard-inbox-empty");
if (!summary || !list || !empty) return;
const settings = settingsFor("inbox-approvals");
const cap = settings.count ?? 3;
const top = s.top.slice(0, cap);
if (s.pending_count === 0) {
summary.style.display = "none";
list.innerHTML = "";
list.style.display = "none";
empty.style.display = "block";
return;
}
empty.style.display = "none";
summary.style.display = "block";
summary.textContent = getLang() === "de"
? `${s.pending_count} offene Freigaben warten auf dich.`
: `${s.pending_count} open approvals are waiting for you.`;
list.style.display = "";
list.innerHTML = top.map((e) => {
const entityLabel = e.entity_type === "deadline"
? tDyn("dashboard.inbox.entity.deadline")
: (e.entity_type === "appointment"
? tDyn("dashboard.inbox.entity.appointment")
: e.entity_type);
const title = e.entity_title || entityLabel;
return `<li class="dashboard-list-item">
<a href="/inbox" class="dashboard-list-link">
<div class="dashboard-list-main">
<span class="dashboard-list-title">${esc(title)}</span>
<span class="dashboard-list-ref" title="${escAttr(`${e.project_title} · ${e.requester_name}`)}">${esc(e.project_title)} &middot; ${esc(e.requester_name)}</span>
</div>
<div class="dashboard-list-meta">
<span class="dashboard-appt-time">${esc(formatDateTime(e.requested_at))}</span>
</div>
</a>
</li>`;
}).join("");
}
// applyLayout walks the saved DashboardLayoutSpec and hides widgets whose
// keys are `visible: false`, then reorders the visible ones to match the
// layout's order. Widgets in the layout but missing from the DOM are
// ignored (the catalog must define the markup for them — Slice A has
// every catalog widget pre-rendered in dashboard.tsx). Widgets in the
// DOM but missing from the layout (e.g. a deploy added markup ahead of a
// migration) stay in their authored position so nothing disappears
// silently.
//
// Reordering target: the visible widgets live in two parents — the
// outer .container and the .dashboard-columns 2-up grid. We respect
// that boundary: widgets inside .dashboard-columns are reordered within
// it; widgets outside are reordered relative to each other inside
// .container. This keeps the existing 2-up behaviour for the
// deadlines+appointments pair without forcing a full container flatten.
function applyLayout(): void {
if (!currentLayout || !Array.isArray(currentLayout.widgets)) return;
// Discover widget elements once. data-widget-key set in dashboard.tsx.
const allWidgets = Array.from(
document.querySelectorAll<HTMLElement>("[data-widget-key]"),
);
if (!allWidgets.length) return;
const byKey = new Map<string, HTMLElement>();
allWidgets.forEach((el) => {
const k = el.dataset.widgetKey;
if (k) byKey.set(k, el);
});
// Hide widgets whose layout entry says visible:false. Anything not in
// the layout at all stays untouched.
const seenInLayout = new Set<string>();
for (const w of currentLayout.widgets) {
seenInLayout.add(w.key);
const el = byKey.get(w.key);
if (!el) continue;
el.style.display = w.visible ? "" : "none";
}
// Reorder visible widgets inside each parent. We group widgets by their
// current parent element so we don't move them out of .dashboard-columns
// and lose the 2-up grid layout.
const groups = new Map<HTMLElement, HTMLElement[]>();
for (const w of currentLayout.widgets) {
if (!w.visible) continue;
const el = byKey.get(w.key);
if (!el || !el.parentElement) continue;
const arr = groups.get(el.parentElement) ?? [];
arr.push(el);
groups.set(el.parentElement, arr);
}
groups.forEach((widgets, parent) => {
widgets.forEach((el) => parent.appendChild(el));
});
}
// filterByHorizonDays drops items whose key date is more than `days`
// days from today. Items without a parseable date stay in (we don't
// want to silently hide rows on bad data). today is inclusive.
function filterByHorizonDays<T>(items: T[], days: number, key: (t: T) => string): T[] {
if (!Number.isFinite(days) || days <= 0) return items;
const cutoff = new Date();
cutoff.setHours(0, 0, 0, 0);
cutoff.setDate(cutoff.getDate() + days);
return items.filter((t) => {
const raw = key(t);
if (!raw) return true;
// due_date is "YYYY-MM-DD"; start_at is RFC 3339. Both parseable
// by Date.
const d = new Date(raw.length === 10 ? raw + "T00:00:00" : raw);
if (isNaN(d.getTime())) return true;
return d.getTime() <= cutoff.getTime();
});
}
function toggleOnboardingHint(user: DashboardUser | null): void {
// Belt-and-braces: the server-side gate (gateOnboarded in handlers.go)
// already redirects users without a paliad.users row to /onboarding before
@@ -705,23 +518,6 @@ document.addEventListener("DOMContentLoaded", () => {
syncCollapseAriaLabels();
});
// Configurable layout (t-paliad-219). The Go shell handler splices
// the user's saved layout into __PALIAD_DASHBOARD_LAYOUT__. If it's
// missing (knowledge-platform-only deploy, hydration failure), the
// dashboard renders the factory order baked into dashboard.tsx; the
// client also kicks off a best-effort fetch so a slow-hydrating user
// still gets their saved layout on the next render pass.
const layoutInline = window.__PALIAD_DASHBOARD_LAYOUT__;
if (layoutInline) {
currentLayout = layoutInline;
} else if (layoutInline === undefined) {
void fetch("/api/me/dashboard-layout").then(async (r) => {
if (!r.ok) return;
currentLayout = (await r.json()) as DashboardLayoutSpec;
if (data) render();
}).catch(() => { /* silent — factory order is the fallback */ });
}
// Inline agenda fetch is independent of the main dashboard payload.
// Kicked off in parallel so the agenda section paints as soon as the
// /api/agenda response lands instead of waiting on the dashboard

9
frontend/src/client/filter-bar/axes.ts
View File

@@ -162,11 +162,10 @@ function renderApprovalRoleAxis(ctx: AxisCtx): HTMLElement {
// ----------------------------------------------------------------------
const APPROVAL_STATUSES: Array<{ value: string; key: I18nKey }> = [
{ value: "pending", key: "views.bar.approval_status.pending" },
{ value: "approved", key: "views.bar.approval_status.approved" },
{ value: "rejected", key: "views.bar.approval_status.rejected" },
{ value: "revoked", key: "views.bar.approval_status.revoked" },
{ value: "changes_requested", key: "views.bar.approval_status.changes_requested" },
{ value: "pending", key: "views.bar.approval_status.pending" },
{ value: "approved", key: "views.bar.approval_status.approved" },
{ value: "rejected", key: "views.bar.approval_status.rejected" },
{ value: "revoked", key: "views.bar.approval_status.revoked" },
];
function renderApprovalStatusAxis(ctx: AxisCtx): HTMLElement {

115
frontend/src/client/fristenrechner.ts
View File

@@ -2,11 +2,11 @@
// 3-step wizard: select proceeding -> enter date -> view timeline
//
// Rendering primitives (renderTimelineBody / renderColumnsBody /
// deadlineCardHtml / formatDate / partyBadge / court picker / inline
// date editor) live in `./views/verfahrensablauf-core` and are shared
// with /tools/verfahrensablauf. This module owns the Step1/2/3a
// wizard, Pathway A/B, Akte save flow — none of which Verfahrensablauf
// wants.
// deadlineCardHtml / formatDate / partyBadge / court picker) live in
// `./views/verfahrensablauf-core` and are shared with the
// /tools/verfahrensablauf page (t-paliad-179 Slice 1). This module owns
// the Step1/2/3a wizard, Pathway A/B, Akte save flow, anchor-override
// click-to-edit — none of which Verfahrensablauf wants.
import { initI18n, t, tDyn, getLang, onLangChange } from "./i18n";
import { initSidebar } from "./sidebar";
@@ -22,7 +22,6 @@ import {
priorityRendering,
renderColumnsBody,
renderTimelineBody,
wireDateEditClicks,
} from "./views/verfahrensablauf-core";
let lastResponse: DeadlineResponse | null = null;
@@ -58,19 +57,6 @@ type ProcedureView = "timeline" | "columns";
// HLC team than the single vertical line.
let procedureView: ProcedureView = "columns";
// Notes toggle — off by default; per-rule notes render as a compact
// ⓘ hover icon. Flipped on, they expand under each card. Choice is
// localStorage-persisted (paliad.fristen.notes-show key shared with
// /tools/verfahrensablauf so the preference carries across both).
const NOTES_PREF_KEY = "paliad.fristen.notes-show";
function readNotesPref(): boolean {
try { return localStorage.getItem(NOTES_PREF_KEY) === "1"; } catch { return false; }
}
function writeNotesPref(on: boolean): void {
try { localStorage.setItem(NOTES_PREF_KEY, on ? "1" : "0"); } catch { /* no-op */ }
}
let showNotes = readNotesPref();
onLangChange(() => {
if (lastResponse) renderProcedureResults(lastResponse);
// Update trigger event name if a proceeding is selected
@@ -405,8 +391,8 @@ function renderProcedureResults(data: DeadlineResponse) {
</div>`;
const bodyHtml = procedureView === "columns"
? renderColumnsBody(data, { editable: true, showNotes })
: renderTimelineBody(data, { showParty: true, editable: true, showNotes });
? renderColumnsBody(data, { editable: true })
: renderTimelineBody(data, { showParty: true, editable: true });
container.innerHTML = headerHtml + bodyHtml;
printBtn.style.display = "block";
@@ -431,21 +417,54 @@ function renderProcedureResults(data: DeadlineResponse) {
applyPendingFocus();
}
// onDateEditCommit is the click-to-edit callback handed to the shared
// wireDateEditClicks() helper: persist the per-rule override (empty value
// clears it) then recompute so downstream rules re-anchor.
function onDateEditCommit(ruleCode: string, newValue: string) {
if (newValue === "") {
anchorOverrides.delete(ruleCode);
} else {
anchorOverrides.set(ruleCode, newValue);
}
void calculate();
// openInlineDateEditor swaps the date span for a date input. On commit
// (blur or Enter), the override is recorded and the timeline re-fetched.
// On Escape, the editor closes without changing anything. An empty
// commit clears the override (lets the user revert to the calculated
// date or to the IsCourtSet placeholder).
function openInlineDateEditor(span: HTMLElement) {
const ruleCode = span.dataset.ruleCode!;
const current = span.dataset.currentDate || anchorOverrides.get(ruleCode) || "";
const editor = document.createElement("input");
editor.type = "date";
editor.className = "frist-date-edit-input";
editor.value = current;
const commit = (newValue: string) => {
if (newValue === "") {
anchorOverrides.delete(ruleCode);
} else {
anchorOverrides.set(ruleCode, newValue);
}
void calculate();
};
const cancel = () => {
editor.replaceWith(span);
};
editor.addEventListener("blur", () => {
if (editor.value !== current) commit(editor.value);
else cancel();
});
editor.addEventListener("keydown", (e) => {
const ke = e as KeyboardEvent;
if (ke.key === "Enter") {
e.preventDefault();
editor.blur();
} else if (ke.key === "Escape") {
e.preventDefault();
cancel();
}
});
span.replaceWith(editor);
editor.focus();
if (editor.value) editor.select();
}
// deadlineCardHtml / renderTimelineBody / renderColumnsBody /
// openInlineDateEditor / wireDateEditClicks moved to
// ./views/verfahrensablauf-core.
// deadlineCardHtml / renderTimelineBody / renderColumnsBody moved to
// ./views/verfahrensablauf-core (t-paliad-179 Slice 1).
function reset() {
selectedType = "";
@@ -616,7 +635,21 @@ document.addEventListener("DOMContentLoaded", () => {
// rules re-anchor on the user's date. Delegated on the container so
// it survives renderProcedureResults() innerHTML rewrites.
const timelineContainer = document.getElementById("timeline-container");
if (timelineContainer) wireDateEditClicks(timelineContainer, onDateEditCommit);
if (timelineContainer) {
timelineContainer.addEventListener("click", (e) => {
const target = (e.target as HTMLElement).closest<HTMLElement>(".frist-date-edit");
if (!target || !target.dataset.ruleCode) return;
openInlineDateEditor(target);
});
timelineContainer.addEventListener("keydown", (e) => {
const ke = e as KeyboardEvent;
if (ke.key !== "Enter" && ke.key !== " ") return;
const target = (e.target as HTMLElement).closest<HTMLElement>(".frist-date-edit");
if (!target || !target.dataset.ruleCode) return;
e.preventDefault();
openInlineDateEditor(target);
});
}
// Reset button
document.getElementById("reset-btn")!.addEventListener("click", reset);
@@ -628,18 +661,6 @@ document.addEventListener("DOMContentLoaded", () => {
const saveBtn = document.getElementById("fristen-save-cta");
if (saveBtn) saveBtn.addEventListener("click", openSaveModal);
// Notes toggle — restores last preference on load + re-renders when
// the user flips it. Lives in the same toggle bar as the view picker.
const notesShowCb = document.getElementById("fristen-notes-show") as HTMLInputElement | null;
if (notesShowCb) {
notesShowCb.checked = showNotes;
notesShowCb.addEventListener("change", () => {
showNotes = notesShowCb.checked;
writeNotesPref(showNotes);
if (lastResponse) renderProcedureResults(lastResponse);
});
}
// View toggle (timeline vs. columns layout) for procedure mode.
initViewToggle();

177
frontend/src/client/i18n.ts
View File

@@ -300,7 +300,6 @@ const translations: Record<Lang, Record<string, string>> = {
"deadlines.view.label": "Ansicht:",
"deadlines.view.timeline": "Zeitstrahl",
"deadlines.view.columns": "Spalten",
"deadlines.notes.show": "Hinweise anzeigen",
"deadlines.col.proactive": "Proaktiv",
"deadlines.col.court": "Gericht",
"deadlines.col.reactive": "Reaktiv",
@@ -911,12 +910,6 @@ const translations: Record<Lang, Record<string, string>> = {
"dashboard.agenda.heading": "Agenda",
"dashboard.agenda.empty": "Keine F\u00e4lligkeiten in den n\u00e4chsten 30 Tagen.",
"dashboard.agenda.full_link": "Vollst\u00e4ndige Agenda \u00f6ffnen \u2192",
// Inbox-approvals widget (t-paliad-219).
"dashboard.inbox.heading": "Offene Freigaben",
"dashboard.inbox.empty": "Keine offenen Freigaben.",
"dashboard.inbox.full_link": "Vollst\u00e4ndigen Posteingang \u00f6ffnen \u2192",
"dashboard.inbox.entity.deadline": "Frist",
"dashboard.inbox.entity.appointment": "Termin",
// Collapsible-section toggle a11y labels (t-paliad-162). Both states
// are needed because the aria-label flips with the expanded state.
"dashboard.section.collapse": "Abschnitt einklappen",
@@ -978,22 +971,18 @@ const translations: Record<Lang, Record<string, string>> = {
"event.title.deadline_approval_approved": "Genehmigung erteilt",
"event.title.deadline_approval_rejected": "Genehmigung abgelehnt",
"event.title.deadline_approval_revoked": "Anfrage zurückgezogen",
"event.title.deadline_approval_changes_suggested": "Änderungen vorgeschlagen",
"event.title.appointment_approval_requested": "Genehmigung beantragt",
"event.title.appointment_approval_approved": "Genehmigung erteilt",
"event.title.appointment_approval_rejected": "Genehmigung abgelehnt",
"event.title.appointment_approval_revoked": "Anfrage zurückgezogen",
"event.title.appointment_approval_changes_suggested": "Änderungen vorgeschlagen",
"event.description.deadline_approval_requested": "4-Augen-Genehmigung für Frist beantragt",
"event.description.deadline_approval_approved": "Genehmigung für Frist erteilt",
"event.description.deadline_approval_rejected": "Genehmigung für Frist abgelehnt",
"event.description.deadline_approval_revoked": "Genehmigungsanfrage für Frist zurückgezogen",
"event.description.deadline_approval_changes_suggested": "Frist abgelehnt mit Gegenvorschlag",
"event.description.appointment_approval_requested": "4-Augen-Genehmigung für Termin beantragt",
"event.description.appointment_approval_approved": "Genehmigung für Termin erteilt",
"event.description.appointment_approval_rejected": "Genehmigung für Termin abgelehnt",
"event.description.appointment_approval_revoked": "Genehmigungsanfrage für Termin zurückgezogen",
"event.description.appointment_approval_changes_suggested": "Termin abgelehnt mit Gegenvorschlag",
"dashboard.action.short.deadline_approval_requested": "beantragte Genehmigung",
"dashboard.action.short.deadline_approval_approved": "genehmigte Frist",
"dashboard.action.short.deadline_approval_rejected": "lehnte Frist ab",
@@ -1267,18 +1256,6 @@ const translations: Record<Lang, Record<string, string>> = {
"projects.detail.tab.termine": "Termine",
"projects.detail.tab.notizen": "Notizen",
"projects.detail.tab.checklisten": "Checklisten",
"projects.detail.tab.submissions": "Schriftsätze",
"projects.detail.export.button": "Daten exportieren",
"projects.detail.export.tooltip": "Daten dieses Projekts (mit Unter-Projekten) als Excel + JSON + CSV herunterladen.",
"projects.detail.submissions.empty": "Für dieses Verfahren sind keine Schriftsätze hinterlegt.",
"projects.detail.submissions.empty.no_proceeding": "Bitte zuerst einen Verfahrenstyp setzen.",
"projects.detail.submissions.col.name": "Schriftsatz",
"projects.detail.submissions.col.party": "Partei",
"projects.detail.submissions.col.source": "Rechtsgrundlage",
"projects.detail.submissions.col.action": "",
"projects.detail.submissions.action.generate": "Generieren",
"projects.detail.submissions.action.no_template": "Keine Vorlage",
"projects.detail.submissions.hint": "Schriftsätze werden direkt aus dem Projekt heraus als .docx generiert. Anpassen, drucken, einreichen.",
"projects.detail.verlauf.empty": "Noch keine Ereignisse aufgezeichnet.",
"projects.detail.verlauf.loadMore": "Mehr laden",
// SmartTimeline (t-paliad-171, Slice 1).
@@ -1691,45 +1668,6 @@ const translations: Record<Lang, Record<string, string>> = {
"caldav.log.col.error": "Fehler",
"caldav.log.empty": "Noch keine Synchronisationen aufgezeichnet.",
// CalDAV multi-calendar bindings (t-paliad-212 Slice 2b)
"caldav.bindings.heading": "Kalender",
"caldav.bindings.hint": "Verbinde mehrere Kalender mit Paliad — einen Master für alles oder eigene Kalender pro Projekt.",
"caldav.bindings.add": "+ Kalender hinzufügen",
"caldav.bindings.empty": "Noch keine Kalender konfiguriert.",
"caldav.bindings.scope.all_visible": "Alles",
"caldav.bindings.scope.personal_only": "Nur persönlich",
"caldav.bindings.scope.project": "Projekt",
"caldav.bindings.card.enabled": "Aktiv",
"caldav.bindings.card.edit": "Bearbeiten",
"caldav.bindings.card.remove": "Entfernen",
"caldav.bindings.modal.add_title": "Kalender hinzufügen",
"caldav.bindings.modal.edit_title": "Kalender bearbeiten",
"caldav.bindings.modal.source": "Kalender",
"caldav.bindings.modal.source.loading": "Lädt …",
"caldav.bindings.modal.source.existing": "Vorhandenen Kalender wählen",
"caldav.bindings.modal.source.create": "Neuen Kalender erstellen",
"caldav.bindings.modal.source.custom": "Eigene URL eingeben",
"caldav.bindings.modal.source.degrade": "Dieser Anbieter erlaubt das Erstellen neuer Kalender nicht via CalDAV. Erstelle den Kalender direkt in der Anbieter-Oberfläche und füge ihn hier per URL hinzu.",
"caldav.bindings.modal.source.discover_failed": "Kalender konnten nicht ermittelt werden — eigene URL eingeben.",
"caldav.bindings.modal.source.discover_empty": "Keine Kalender gefunden — eigene URL eingeben.",
"caldav.bindings.modal.display_name": "Anzeigename (optional)",
"caldav.bindings.modal.display_name.placeholder": "z.B. Projekt Acme v Bosch",
"caldav.bindings.modal.scope": "Inhalt",
"caldav.bindings.modal.scope.all_visible": "Alles, was ich sehe",
"caldav.bindings.modal.scope.personal_only": "Nur persönliche Termine",
"caldav.bindings.modal.scope.project": "Ein Projekt:",
"caldav.bindings.modal.scope.project.loading": "Lädt …",
"caldav.bindings.modal.submit_add": "Hinzufügen",
"caldav.bindings.modal.submit_edit": "Speichern",
"caldav.bindings.delete.confirm": "Diesen Kalender wirklich entfernen? Die zugehörigen Termine werden im externen Kalender gelöscht.",
"caldav.bindings.delete.failed": "Entfernen fehlgeschlagen — bitte später erneut versuchen.",
"caldav.bindings.error.scope": "Bitte einen Inhaltsbereich wählen.",
"caldav.bindings.error.scope_project": "Bitte ein Projekt auswählen.",
"caldav.bindings.error.path": "Bitte einen Kalender wählen oder eine URL eingeben.",
"caldav.bindings.error.create_name_required": "Bitte einen Anzeigenamen eingeben.",
"caldav.bindings.error.create_name_taken": "Name bereits vergeben — bitte einen anderen Anzeigenamen wählen.",
"caldav.bindings.error.create_unsupported": "Dein Anbieter unterstützt das Erstellen neuer Kalender nicht. Bitte 'Eigene URL eingeben' verwenden.",
// Notizen (polymorphic notes — Phase I)
"notes.section.title": "Notizen",
"notes.placeholder": "Notiz hinzuf\u00fcgen\u2026",
@@ -2160,7 +2098,6 @@ const translations: Record<Lang, Record<string, string>> = {
// t-paliad-088: Event Types — picker, multi-select filter, add modal.
"common.cancel": "Abbrechen",
"modal.close.label": "Schließen",
"event_types.cat.submission": "Eingaben",
"event_types.cat.decision": "Entscheidungen",
"event_types.cat.order": "Anordnungen",
@@ -2277,32 +2214,10 @@ const translations: Record<Lang, Record<string, string>> = {
"approvals.status.rejected": "Abgelehnt",
"approvals.status.revoked": "Zurückgezogen",
"approvals.status.superseded": "Ersetzt",
"approvals.status.changes_requested": "Abgelehnt mit Vorschlag",
"approvals.action.approve": "Genehmigen",
"approvals.action.reject": "Ablehnen",
"approvals.action.revoke": "Zurückziehen",
"approvals.action.suggest_changes": "Änderungen vorschlagen",
"approvals.note.placeholder": "Optionale Begründung...",
"approvals.suggest.modal_title": "Änderungen vorschlagen",
"approvals.suggest.intro": "Bearbeite die vorgeschlagenen Werte und/oder hinterlasse einen Kommentar. Dein Vorschlag wird als neue Genehmigungsanfrage eingestellt und kann vom ursprünglichen Antragsteller (oder einer anderen berechtigten Person) genehmigt werden.",
"approvals.suggest.note_label": "Kommentar zum Vorschlag",
"approvals.suggest.note_placeholder": "Warum sollen die Werte angepasst werden?",
"approvals.suggest.submit": "Vorschlag einreichen",
"approvals.suggest.cancel": "Abbrechen",
"approvals.suggest.submit_disabled_hint": "Bitte mindestens ein Feld ändern oder einen Kommentar hinterlassen.",
"approvals.suggest.next_request_link": "→ Neuer Vorschlag von {name}",
"approvals.suggest.unsupported_lifecycle": "Änderungen vorschlagen ist nur für Update-Anfragen möglich.",
"approvals.suggest.section.editable": "Felder",
"approvals.suggest.section.context": "Kontext",
"approvals.suggest.context.project": "Projekt",
"approvals.suggest.context.requester": "Eingereicht von",
"approvals.suggest.context.requested_at": "Eingereicht am",
"approvals.suggest.context.approval_status": "Genehmigungsstatus",
"approvals.suggest.event_type_picker_unavailable": "Ereignistypen konnten nicht geladen werden.",
"approvals.suggest.field.original_due_date": "Ursprüngliches Fälligkeitsdatum",
"approvals.suggest.field.warning_date": "Warndatum",
"approvals.suggest.field.rule_code": "Regel-Zitat",
"approvals.suggest.field.description": "Beschreibung",
"approvals.requested_by": "Eingereicht von",
"approvals.decided_by": "Entschieden von",
"approvals.decision_kind.peer": "Genehmigt durch Teammitglied",
@@ -2314,12 +2229,9 @@ const translations: Record<Lang, Record<string, string>> = {
"approvals.error.concurrent_pending": "Es liegt bereits eine Genehmigungsanfrage auf diesem Eintrag vor.",
"approvals.error.awaiting_approval": "Diese Anforderung wartet auf Genehmigung.",
"approvals.error.request_not_pending": "Diese Anfrage ist nicht mehr offen.",
"approvals.error.suggestion_requires_change": "Ein Vorschlag braucht entweder geänderte Werte oder einen Kommentar.",
"approvals.error.suggestion_lifecycle_invalid": "Änderungen vorschlagen ist nur für Update-Anfragen möglich.",
"approvals.disabled.self_approval": "Du kannst eigene Anträge nicht genehmigen",
"approvals.disabled.not_authorized": "Du hast keine Genehmigungsberechtigung für diesen Antrag",
"approvals.disabled.revoke_not_requester": "Nur der Antragsteller kann zurückziehen",
"approvals.disabled.suggest_lifecycle": "Änderungen vorschlagen ist nur für Update-Anfragen möglich",
"approvals.pending.badge": "Wartet auf Genehmigung",
"approvals.withdraw.cta": "Genehmigungsanfrage zurückziehen",
"approvals.withdraw.confirm": "Genehmigungsanfrage wirklich zurückziehen?",
@@ -2487,7 +2399,6 @@ const translations: Record<Lang, Record<string, string>> = {
"views.bar.approval_status.approved": "Genehmigt",
"views.bar.approval_status.rejected": "Abgelehnt",
"views.bar.approval_status.revoked": "Zurückgezogen",
"views.bar.approval_status.changes_requested": "Mit Vorschlag",
"views.bar.approval_entity.deadline": "Frist",
"views.bar.approval_entity.appointment": "Termin",
"views.bar.deadline_status.pending": "Offen",
@@ -2988,7 +2899,6 @@ const translations: Record<Lang, Record<string, string>> = {
"deadlines.view.label": "View:",
"deadlines.view.timeline": "Timeline",
"deadlines.view.columns": "Columns",
"deadlines.notes.show": "Show details",
"deadlines.col.proactive": "Proactive",
"deadlines.col.court": "Court",
"deadlines.col.reactive": "Reactive",
@@ -3595,11 +3505,6 @@ const translations: Record<Lang, Record<string, string>> = {
"dashboard.agenda.heading": "Agenda",
"dashboard.agenda.empty": "Nothing due in the next 30 days.",
"dashboard.agenda.full_link": "Open full agenda →",
"dashboard.inbox.heading": "Open approvals",
"dashboard.inbox.empty": "No open approvals.",
"dashboard.inbox.full_link": "Open full inbox →",
"dashboard.inbox.entity.deadline": "Deadline",
"dashboard.inbox.entity.appointment": "Appointment",
"dashboard.section.collapse": "Collapse section",
"dashboard.section.expand": "Expand section",
"dashboard.urgency.overdue": "Overdue",
@@ -3653,22 +3558,18 @@ const translations: Record<Lang, Record<string, string>> = {
"event.title.deadline_approval_approved": "Approval granted",
"event.title.deadline_approval_rejected": "Approval rejected",
"event.title.deadline_approval_revoked": "Request revoked",
"event.title.deadline_approval_changes_suggested": "Changes suggested",
"event.title.appointment_approval_requested": "Approval requested",
"event.title.appointment_approval_approved": "Approval granted",
"event.title.appointment_approval_rejected": "Approval rejected",
"event.title.appointment_approval_revoked": "Request revoked",
"event.title.appointment_approval_changes_suggested": "Changes suggested",
"event.description.deadline_approval_requested": "Four-eyes approval requested for deadline",
"event.description.deadline_approval_approved": "Deadline approval granted",
"event.description.deadline_approval_rejected": "Deadline approval rejected",
"event.description.deadline_approval_revoked": "Deadline approval request revoked",
"event.description.deadline_approval_changes_suggested": "Deadline declined with a counter-proposal",
"event.description.appointment_approval_requested": "Four-eyes approval requested for appointment",
"event.description.appointment_approval_approved": "Appointment approval granted",
"event.description.appointment_approval_rejected": "Appointment approval rejected",
"event.description.appointment_approval_revoked": "Appointment approval request revoked",
"event.description.appointment_approval_changes_suggested": "Appointment declined with a counter-proposal",
"dashboard.action.short.deadline_approval_requested": "requested approval",
"dashboard.action.short.deadline_approval_approved": "approved deadline",
"dashboard.action.short.deadline_approval_rejected": "rejected deadline",
@@ -3942,18 +3843,6 @@ const translations: Record<Lang, Record<string, string>> = {
"projects.detail.tab.termine": "Appointments",
"projects.detail.tab.notizen": "Notes",
"projects.detail.tab.checklisten": "Checklists",
"projects.detail.tab.submissions": "Submissions",
"projects.detail.export.button": "Export data",
"projects.detail.export.tooltip": "Download this project's data (including sub-projects) as Excel + JSON + CSV.",
"projects.detail.submissions.empty": "No submissions are configured for this proceeding.",
"projects.detail.submissions.empty.no_proceeding": "Please set a proceeding type first.",
"projects.detail.submissions.col.name": "Submission",
"projects.detail.submissions.col.party": "Party",
"projects.detail.submissions.col.source": "Legal basis",
"projects.detail.submissions.col.action": "",
"projects.detail.submissions.action.generate": "Generate",
"projects.detail.submissions.action.no_template": "No template",
"projects.detail.submissions.hint": "Submissions are generated as .docx directly from the project. Edit, print, file.",
"projects.detail.verlauf.empty": "No events recorded yet.",
"projects.detail.verlauf.loadMore": "Load more",
"projects.detail.smarttimeline.empty": "No events captured yet.",
@@ -4362,45 +4251,6 @@ const translations: Record<Lang, Record<string, string>> = {
"caldav.log.col.error": "Error",
"caldav.log.empty": "No sync attempts recorded yet.",
// CalDAV multi-calendar bindings (t-paliad-212 Slice 2b)
"caldav.bindings.heading": "Calendars",
"caldav.bindings.hint": "Connect multiple calendars to Paliad — one master for everything or separate calendars per project.",
"caldav.bindings.add": "+ Add calendar",
"caldav.bindings.empty": "No calendars configured yet.",
"caldav.bindings.scope.all_visible": "Everything",
"caldav.bindings.scope.personal_only": "Personal only",
"caldav.bindings.scope.project": "Project",
"caldav.bindings.card.enabled": "Enabled",
"caldav.bindings.card.edit": "Edit",
"caldav.bindings.card.remove": "Remove",
"caldav.bindings.modal.add_title": "Add calendar",
"caldav.bindings.modal.edit_title": "Edit calendar",
"caldav.bindings.modal.source": "Calendar",
"caldav.bindings.modal.source.loading": "Loading…",
"caldav.bindings.modal.source.existing": "Pick existing calendar",
"caldav.bindings.modal.source.create": "Create new calendar",
"caldav.bindings.modal.source.custom": "Enter custom URL",
"caldav.bindings.modal.source.degrade": "This provider doesn't allow creating calendars via CalDAV. Please create the calendar in your provider's UI and add it here by URL.",
"caldav.bindings.modal.source.discover_failed": "Couldn't discover calendars — enter URL manually.",
"caldav.bindings.modal.source.discover_empty": "No calendars found — enter URL manually.",
"caldav.bindings.modal.display_name": "Display name (optional)",
"caldav.bindings.modal.display_name.placeholder": "e.g. Project Acme v Bosch",
"caldav.bindings.modal.scope": "Contents",
"caldav.bindings.modal.scope.all_visible": "Everything I can see",
"caldav.bindings.modal.scope.personal_only": "Personal appointments only",
"caldav.bindings.modal.scope.project": "One project:",
"caldav.bindings.modal.scope.project.loading": "Loading…",
"caldav.bindings.modal.submit_add": "Add",
"caldav.bindings.modal.submit_edit": "Save",
"caldav.bindings.delete.confirm": "Remove this calendar? Its events will be deleted from the external calendar.",
"caldav.bindings.delete.failed": "Removal failed — please try again later.",
"caldav.bindings.error.scope": "Please pick a content scope.",
"caldav.bindings.error.scope_project": "Please pick a project.",
"caldav.bindings.error.path": "Please pick a calendar or enter a URL.",
"caldav.bindings.error.create_name_required": "Please enter a display name.",
"caldav.bindings.error.create_name_taken": "Name already in use — please pick a different display name.",
"caldav.bindings.error.create_unsupported": "Your provider doesn't support creating calendars. Please use 'Enter custom URL' instead.",
// Notizen (polymorphic notes — Phase I)
"notes.section.title": "Notes",
"notes.placeholder": "Add a note\u2026",
@@ -4831,7 +4681,6 @@ const translations: Record<Lang, Record<string, string>> = {
// t-paliad-088: Event Types — picker, multi-select filter, add modal.
"common.cancel": "Cancel",
"modal.close.label": "Close",
"event_types.cat.submission": "Submissions",
"event_types.cat.decision": "Decisions",
"event_types.cat.order": "Orders",
@@ -4948,32 +4797,10 @@ const translations: Record<Lang, Record<string, string>> = {
"approvals.status.rejected": "Rejected",
"approvals.status.revoked": "Revoked",
"approvals.status.superseded": "Superseded",
"approvals.status.changes_requested": "Declined with changes",
"approvals.action.approve": "Approve",
"approvals.action.reject": "Reject",
"approvals.action.revoke": "Revoke",
"approvals.action.suggest_changes": "Suggest changes",
"approvals.note.placeholder": "Optional note...",
"approvals.suggest.modal_title": "Suggest changes",
"approvals.suggest.intro": "Edit the proposed values and/or leave a note. Your suggestion will be filed as a new approval request and may be approved by the original requester (or anyone else eligible).",
"approvals.suggest.note_label": "Note about your suggestion",
"approvals.suggest.note_placeholder": "Why should these values change?",
"approvals.suggest.submit": "Submit suggestion",
"approvals.suggest.cancel": "Cancel",
"approvals.suggest.submit_disabled_hint": "Change at least one field or leave a note.",
"approvals.suggest.next_request_link": "→ New suggestion by {name}",
"approvals.suggest.unsupported_lifecycle": "Suggest changes is only available for update requests.",
"approvals.suggest.section.editable": "Fields",
"approvals.suggest.section.context": "Context",
"approvals.suggest.context.project": "Project",
"approvals.suggest.context.requester": "Submitted by",
"approvals.suggest.context.requested_at": "Submitted at",
"approvals.suggest.context.approval_status": "Approval status",
"approvals.suggest.event_type_picker_unavailable": "Event types could not be loaded.",
"approvals.suggest.field.original_due_date": "Original due date",
"approvals.suggest.field.warning_date": "Warning date",
"approvals.suggest.field.rule_code": "Rule citation",
"approvals.suggest.field.description": "Description",
"approvals.requested_by": "Submitted by",
"approvals.decided_by": "Decided by",
"approvals.decision_kind.peer": "Peer approval",
@@ -4985,12 +4812,9 @@ const translations: Record<Lang, Record<string, string>> = {
"approvals.error.concurrent_pending": "Another approval request is already in flight on this entity.",
"approvals.error.awaiting_approval": "This entity is awaiting approval.",
"approvals.error.request_not_pending": "This request is no longer open.",
"approvals.error.suggestion_requires_change": "A suggestion needs either changed values or a note.",
"approvals.error.suggestion_lifecycle_invalid": "Suggest changes is only available for update requests.",
"approvals.disabled.self_approval": "You cannot approve your own requests",
"approvals.disabled.not_authorized": "You are not authorized to approve this request",
"approvals.disabled.revoke_not_requester": "Only the requester can withdraw",
"approvals.disabled.suggest_lifecycle": "Suggest changes is only available for update requests",
"approvals.pending.badge": "Awaiting approval",
"approvals.withdraw.cta": "Withdraw approval request",
"approvals.withdraw.confirm": "Withdraw the approval request?",
@@ -5157,7 +4981,6 @@ const translations: Record<Lang, Record<string, string>> = {
"views.bar.approval_status.approved": "Approved",
"views.bar.approval_status.rejected": "Rejected",
"views.bar.approval_status.revoked": "Revoked",
"views.bar.approval_status.changes_requested": "With suggestion",
"views.bar.approval_entity.deadline": "Deadline",
"views.bar.approval_entity.appointment": "Appointment",
"views.bar.deadline_status.pending": "Open",

123
frontend/src/client/inbox.ts
View File

@@ -4,7 +4,6 @@ import { mountFilterBar, type BarHandle } from "./filter-bar";
import type { AxisKey } from "./filter-bar";
import type { FilterSpec, RenderSpec, SystemView, ViewRunResult } from "./views/types";
import { renderListShape } from "./views/shape-list";
import { openApprovalEditModal } from "./components/approval-edit-modal";
// /inbox client — t-paliad-163 universal-filter migration.
//
@@ -124,20 +123,11 @@ function paint(
function wireApprovalActions(host: HTMLElement): void {
host.querySelectorAll<HTMLButtonElement>(".views-approval-action").forEach((btn) => {
const action = btn.dataset.action as
| "approve"
| "reject"
| "revoke"
| "suggest_changes"
| undefined;
const action = btn.dataset.action as "approve" | "reject" | "revoke" | undefined;
const li = btn.closest<HTMLLIElement>(".views-approval-row");
const id = li?.dataset.requestId;
if (!action || !id) return;
btn.addEventListener("click", async () => {
if (action === "suggest_changes") {
await handleSuggestChanges(btn, id, li!);
return;
}
let note = "";
if (action === "reject") {
note = window.prompt(t("approvals.note.placeholder")) || "";
@@ -151,8 +141,8 @@ function wireApprovalActions(host: HTMLElement): void {
body: JSON.stringify({ note }),
});
if (!r.ok) {
const body = await r.json().catch(() => ({} as { error?: string; code?: string }));
alert(mapApprovalError(body.code || body.error || "internal"));
const body = await r.json().catch(() => ({} as { error?: string }));
alert(mapApprovalError(body.error || "internal"));
btn.disabled = false;
return;
}
@@ -166,109 +156,14 @@ function wireApprovalActions(host: HTMLElement): void {
});
}
// handleSuggestChanges — t-paliad-216. Open the edit modal with the
// requester's original payload + pre_image pre-populated. If the user
// submits non-empty changes / note, POST to
// /api/approval-requests/{id}/suggest-changes; refresh the bar on success
// so the OLD row flips to changes_requested and the NEW pending row
// appears.
async function handleSuggestChanges(
btn: HTMLButtonElement,
requestID: string,
li: HTMLLIElement,
): Promise<void> {
// Read the row's detail blob off the data-attrs the shape-list stamped.
// shape-list serialises payload/pre_image inline; we fetch fresh via
// the per-row API to avoid relying on stale list data.
let payload: Record<string, unknown> | null = null;
let preImage: Record<string, unknown> | null = null;
let entityType: "deadline" | "appointment" = "deadline";
let lifecycleEvent = "update";
let projectTitle: string | undefined;
let requesterName: string | undefined;
let requestedAt: string | undefined;
try {
const r = await fetch(`/api/approval-requests/${requestID}`, { credentials: "include" });
if (r.ok) {
const body = (await r.json()) as {
entity_type?: "deadline" | "appointment";
lifecycle_event?: string;
payload?: Record<string, unknown> | null;
pre_image?: Record<string, unknown> | null;
project_title?: string;
requester_name?: string;
requested_at?: string;
};
payload = body.payload ?? null;
preImage = body.pre_image ?? null;
if (body.entity_type === "appointment") entityType = "appointment";
if (body.lifecycle_event) lifecycleEvent = body.lifecycle_event;
projectTitle = body.project_title;
requesterName = body.requester_name;
requestedAt = body.requested_at;
}
} catch (_e) {
// Modal still opens with empty defaults if the fetch fails; the
// server-side schema validation catches a misshapen counter.
}
const result = await openApprovalEditModal({
entityType,
lifecycleEvent,
payload,
preImage,
projectTitle,
requesterName,
requestedAt,
});
if (!result) return; // cancel
btn.disabled = true;
try {
const r = await fetch(`/api/approval-requests/${requestID}/suggest-changes`, {
method: "POST",
credentials: "include",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
counter_payload: result.counterPayload,
note: result.note,
}),
});
const body = (await r.json().catch(() => ({}))) as {
error?: string;
code?: string;
new_request_id?: string;
};
if (!r.ok) {
alert(mapApprovalError(body.code || body.error || "internal"));
btn.disabled = false;
return;
}
await bar?.refresh();
await refreshInboxBadge();
btn.disabled = false;
// Surface the new row's id on the OLD row's <li> so callers (e.g.
// tests, future inspection) can find it without re-querying.
if (body.new_request_id) {
li.dataset.spawnedRequestId = body.new_request_id;
}
} catch (_e) {
alert("Network error");
btn.disabled = false;
}
}
function mapApprovalError(key: string): string {
switch (key) {
case "self_approval_blocked": return t("approvals.error.self_approval");
case "no_qualified_approver": return t("approvals.error.no_qualified_approver");
case "concurrent_pending": return t("approvals.error.concurrent_pending");
case "not_authorized": return t("approvals.error.not_authorized");
case "request_not_pending": return t("approvals.error.request_not_pending");
case "suggestion_requires_change": return t("approvals.error.suggestion_requires_change");
case "suggestion_lifecycle_invalid": return t("approvals.error.suggestion_lifecycle_invalid");
default: return key;
case "self_approval_blocked": return t("approvals.error.self_approval");
case "no_qualified_approver": return t("approvals.error.no_qualified_approver");
case "concurrent_pending": return t("approvals.error.concurrent_pending");
case "not_authorized": return t("approvals.error.not_authorized");
case "request_not_pending": return t("approvals.error.request_not_pending");
default: return key;
}
}

44
frontend/src/client/projects-detail.ts
View File

@@ -12,7 +12,6 @@ import {
import { mountFilterBar, type BarHandle } from "./filter-bar";
import type { FilterSpec, RenderSpec } from "./views/types";
import { renderSmartTimeline, type TimelineEvent as SmartTimelineEvent, type LaneInfo as SmartTimelineLane } from "./views/shape-timeline";
import { loadAndRenderSubmissions } from "./submissions";
interface Project {
id: string;
@@ -159,8 +158,7 @@ type TabId =
| "deadlines"
| "appointments"
| "notes"
| "checklists"
| "submissions";
| "checklists";
const VALID_TABS: TabId[] = [
"history",
@@ -171,7 +169,6 @@ const VALID_TABS: TabId[] = [
"appointments",
"notes",
"checklists",
"submissions",
];
// Legacy German tab slugs that may appear in bookmarked URLs after the
@@ -1613,9 +1610,6 @@ function showTab(tab: TabId) {
if (tab === "checklists" && project) {
void loadAndRenderChecklistInstances(project.id);
}
if (tab === "submissions" && project) {
void loadAndRenderSubmissions(project.id);
}
}
let checklistInstancesInited = false;
@@ -2064,7 +2058,6 @@ async function main() {
initAttachUnitForm(id);
initNotesContainer(id);
mountVerlaufFilterBar(id);
wireExportButton(id);
showTab(parseTab());
}
@@ -2687,41 +2680,6 @@ function canManagePartnerUnits(): boolean {
);
}
// canExportProject mirrors the §4 server-side gate for /api/projects/{id}/export:
// global_admin OR direct team responsibility ∈ {lead, member}. Used to
// reveal the export button — server still re-enforces on the request.
function canExportProject(): boolean {
if (!me || !project) return false;
if (me.global_role === "global_admin") return true;
return teamMembers.some(
(m) =>
m.user_id === me!.id &&
m.project_id === project!.id &&
(m.responsibility === "lead" || m.responsibility === "member"),
);
}
// wireExportButton reveals + hooks up the project-export button on the
// tabs nav. Triggers a download via a transient <a download> — same
// pattern as the personal export in client/settings.ts.
function wireExportButton(projectID: string): void {
const btn = document.getElementById("project-export-btn") as HTMLButtonElement | null;
if (!btn) return;
if (!canExportProject()) {
btn.style.display = "none";
return;
}
btn.style.display = "";
btn.addEventListener("click", () => {
const a = document.createElement("a");
a.href = `/api/projects/${encodeURIComponent(projectID)}/export`;
a.download = "";
document.body.appendChild(a);
a.click();
document.body.removeChild(a);
});
}
function canRemoveTeamMember(m: ProjectTeamMember): boolean {
if (!me) return false;
if (m.user_id === me.id) return true;

426
frontend/src/client/settings.ts
View File

@@ -412,11 +412,6 @@ async function loadCalDAVTab() {
fillCalDAVForm();
renderCalDAVStatus();
await loadCalDAVLog();
// Slice 2b — multi-calendar bindings. loadBindingProjects feeds the
// project picker for scope=project; runs in parallel with the binding
// list fetch.
void loadBindingProjects();
await loadBindings();
}
async function loadCalDAVConfig(): Promise<boolean> {
@@ -602,415 +597,6 @@ async function deleteCalDAVConfig() {
}
}
// --- CalDAV bindings (Slice 2b multi-calendar picker) ---------------------
interface UserCalendarBinding {
id: string;
user_id: string;
calendar_path: string;
display_name: string;
scope_kind: "all_visible" | "personal_only" | "project" | "client" | "litigation" | "patent" | "case";
scope_id?: string | null;
include_personal: boolean;
enabled: boolean;
last_sync_at?: string | null;
last_sync_error?: string | null;
}
interface DiscoveredCalendar {
href: string;
display_name: string;
supported_components?: string[];
}
interface ProjectListItem {
id: string;
reference?: string;
title?: string;
type?: string;
}
let bindings: UserCalendarBinding[] = [];
let discoveredCalendars: DiscoveredCalendar[] = [];
let bindingProjects: ProjectListItem[] = [];
let editingBindingID: string | null = null;
// Slice 2c — capability cached from /api/caldav-discover. null = unprobed,
// true = MKCALENDAR supported (show "Create new calendar" radio),
// false = degrade UX (hide radio, surface bilingual notice).
let supportsMKCalendar: boolean | null = null;
async function loadBindings(): Promise<void> {
const section = document.getElementById("caldav-bindings-section");
if (!section) return;
try {
const resp = await fetch("/api/caldav-bindings");
if (resp.status === 501) return; // CalDAV unavailable; leave hidden
if (!resp.ok) return;
bindings = (await resp.json()) as UserCalendarBinding[];
section.style.display = "";
renderBindingsList();
} catch {
/* non-fatal */
}
}
function renderBindingsList(): void {
const list = document.getElementById("caldav-bindings-list")!;
const empty = document.getElementById("caldav-bindings-empty")!;
if (!bindings.length) {
list.innerHTML = "";
empty.style.display = "block";
return;
}
empty.style.display = "none";
list.innerHTML = bindings.map(renderBindingCard).join("");
// Wire per-card buttons.
for (const b of bindings) {
const card = document.getElementById(`caldav-binding-card-${b.id}`);
if (!card) continue;
card.querySelector(".caldav-binding-edit-btn")?.addEventListener("click", () => openBindingModal(b));
card.querySelector(".caldav-binding-delete-btn")?.addEventListener("click", () => deleteBinding(b));
const toggle = card.querySelector(".caldav-binding-enabled-toggle") as HTMLInputElement | null;
toggle?.addEventListener("change", () => toggleBindingEnabled(b, toggle.checked));
}
}
function renderBindingCard(b: UserCalendarBinding): string {
const label = b.display_name || b.calendar_path;
const scope = scopeLabel(b);
const last = b.last_sync_at ? fmtDateTime(b.last_sync_at) : t("caldav.never");
const err = b.last_sync_error ? `<span class="caldav-status-error">${esc(b.last_sync_error)}</span>` : "";
return `<div class="caldav-binding-card" id="caldav-binding-card-${esc(b.id)}">
<div class="caldav-binding-card-row">
<div class="caldav-binding-card-title">
<strong>${esc(label)}</strong>
<span class="caldav-binding-scope-chip">${esc(scope)}</span>
</div>
<label class="caldav-toggle-label">
<input type="checkbox" class="caldav-binding-enabled-toggle" ${b.enabled ? "checked" : ""} />
<span data-i18n="caldav.bindings.card.enabled">Aktiv</span>
</label>
</div>
<div class="caldav-binding-card-row caldav-binding-card-meta">
<span class="caldav-binding-path">${esc(b.calendar_path)}</span>
<span class="caldav-binding-last-sync">${esc(t("caldav.status.last_sync"))} ${esc(last)} ${err}</span>
</div>
<div class="caldav-binding-card-actions">
<button type="button" class="btn-secondary caldav-binding-edit-btn" data-i18n="caldav.bindings.card.edit">Bearbeiten</button>
<button type="button" class="btn-danger caldav-binding-delete-btn" data-i18n="caldav.bindings.card.remove">Entfernen</button>
</div>
</div>`;
}
function scopeLabel(b: UserCalendarBinding): string {
switch (b.scope_kind) {
case "all_visible":
return t("caldav.bindings.scope.all_visible");
case "personal_only":
return t("caldav.bindings.scope.personal_only");
case "project": {
const p = bindingProjects.find((p) => p.id === b.scope_id);
const name = p ? p.title || p.reference || p.id.slice(0, 8) : "?";
return `${t("caldav.bindings.scope.project")}: ${name}`;
}
default:
return b.scope_kind;
}
}
async function loadBindingProjects(): Promise<void> {
if (bindingProjects.length) return;
try {
const resp = await fetch("/api/projects");
if (resp.ok) bindingProjects = (await resp.json()) as ProjectListItem[];
} catch {
/* ignore */
}
}
async function loadDiscoveredCalendars(): Promise<void> {
const sel = document.getElementById("caldav-binding-discover-select") as HTMLSelectElement;
sel.innerHTML = `<option value="">${esc(t("caldav.bindings.modal.source.loading"))}</option>`;
try {
const resp = await fetch("/api/caldav-discover");
if (!resp.ok) {
sel.innerHTML = `<option value="">${esc(t("caldav.bindings.modal.source.discover_failed"))}</option>`;
supportsMKCalendar = null;
syncBindingSourceModeUI();
return;
}
const data = (await resp.json()) as {
calendars: DiscoveredCalendar[];
supports_mkcalendar?: boolean | null;
};
discoveredCalendars = data.calendars || [];
supportsMKCalendar = data.supports_mkcalendar ?? null;
if (!discoveredCalendars.length) {
sel.innerHTML = `<option value="">${esc(t("caldav.bindings.modal.source.discover_empty"))}</option>`;
} else {
sel.innerHTML = discoveredCalendars
.map((c) => `<option value="${esc(c.href)}">${esc(c.display_name || c.href)}</option>`)
.join("");
}
syncBindingSourceModeUI();
} catch {
sel.innerHTML = `<option value="">${esc(t("caldav.bindings.modal.source.discover_failed"))}</option>`;
supportsMKCalendar = null;
syncBindingSourceModeUI();
}
}
// syncBindingSourceModeUI shows / hides the "Neuen Kalender erstellen"
// radio + the Google-degrade notice based on the cached
// supports_mkcalendar capability. Also flips the visible input
// (dropdown vs URL text box) to match the currently selected mode.
function syncBindingSourceModeUI(): void {
const createRow = document.getElementById("caldav-binding-source-mode-create-row");
const degrade = document.getElementById("caldav-binding-degrade-notice");
if (createRow) createRow.style.display = supportsMKCalendar === true ? "" : "none";
if (degrade) degrade.style.display = supportsMKCalendar === false ? "" : "none";
// If supports_mkcalendar flipped to false while "create" was selected,
// fall back to "existing" so the user isn't staring at a hidden radio.
if (supportsMKCalendar !== true) {
const createRadio = document.querySelector(
'input[name="caldav-binding-source-mode"][value="create"]',
) as HTMLInputElement | null;
if (createRadio?.checked) {
const existing = document.querySelector(
'input[name="caldav-binding-source-mode"][value="existing"]',
) as HTMLInputElement | null;
if (existing) existing.checked = true;
}
}
const mode = currentBindingSourceMode();
const sel = document.getElementById("caldav-binding-discover-select") as HTMLSelectElement;
const customInput = document.getElementById("caldav-binding-custom-path") as HTMLInputElement;
sel.style.display = mode === "existing" ? "" : "none";
customInput.style.display = mode === "custom" ? "" : "none";
}
function currentBindingSourceMode(): "existing" | "create" | "custom" {
const checked = document.querySelector(
'input[name="caldav-binding-source-mode"]:checked',
) as HTMLInputElement | null;
return (checked?.value as "existing" | "create" | "custom") ?? "existing";
}
function openBindingModal(b: UserCalendarBinding | null) {
editingBindingID = b ? b.id : null;
const modal = document.getElementById("caldav-binding-modal")!;
const title = document.getElementById("caldav-binding-modal-title")!;
const submitBtn = document.getElementById("caldav-binding-submit-btn")!;
const sourceField = document.getElementById("caldav-binding-source-field")!;
const customInput = document.getElementById("caldav-binding-custom-path") as HTMLInputElement;
const nameInput = document.getElementById("caldav-binding-display-name") as HTMLInputElement;
const projectSel = document.getElementById("caldav-binding-project-select") as HTMLSelectElement;
const msg = document.getElementById("caldav-binding-msg")!;
msg.textContent = "";
if (b) {
title.textContent = t("caldav.bindings.modal.edit_title");
submitBtn.textContent = t("caldav.bindings.modal.submit_edit");
sourceField.style.display = "none";
nameInput.value = b.display_name;
const radio = document.querySelector(`input[name="caldav-binding-scope"][value="${b.scope_kind}"]`) as HTMLInputElement | null;
if (radio) radio.checked = true;
} else {
title.textContent = t("caldav.bindings.modal.add_title");
submitBtn.textContent = t("caldav.bindings.modal.submit_add");
sourceField.style.display = "";
// Reset the 3-way source-mode radio to "existing" (most common path).
const existingRadio = document.querySelector(
'input[name="caldav-binding-source-mode"][value="existing"]',
) as HTMLInputElement | null;
if (existingRadio) existingRadio.checked = true;
customInput.value = "";
nameInput.value = "";
const radio = document.querySelector(`input[name="caldav-binding-scope"][value="all_visible"]`) as HTMLInputElement;
radio.checked = true;
void loadDiscoveredCalendars();
}
// Project picker — populate options when project scope is picked.
projectSel.innerHTML = bindingProjects
.map((p) => `<option value="${esc(p.id)}">${esc((p.title || p.reference || p.id.slice(0, 8)))}</option>`)
.join("");
if (b && b.scope_kind === "project" && b.scope_id) {
projectSel.value = b.scope_id;
projectSel.disabled = false;
}
syncBindingScopeUI();
syncBindingSourceModeUI();
modal.style.display = "flex";
}
function closeBindingModal() {
document.getElementById("caldav-binding-modal")!.style.display = "none";
editingBindingID = null;
}
function syncBindingScopeUI(): void {
const scope = (document.querySelector('input[name="caldav-binding-scope"]:checked') as HTMLInputElement | null)?.value;
const projectSel = document.getElementById("caldav-binding-project-select") as HTMLSelectElement;
projectSel.disabled = scope !== "project";
}
async function submitBindingModal(ev: Event): Promise<void> {
ev.preventDefault();
const msg = document.getElementById("caldav-binding-msg")!;
msg.textContent = "";
const customInput = document.getElementById("caldav-binding-custom-path") as HTMLInputElement;
const sel = document.getElementById("caldav-binding-discover-select") as HTMLSelectElement;
const nameInput = document.getElementById("caldav-binding-display-name") as HTMLInputElement;
const projectSel = document.getElementById("caldav-binding-project-select") as HTMLSelectElement;
const submitBtn = document.getElementById("caldav-binding-submit-btn") as HTMLButtonElement;
const scope = (document.querySelector('input[name="caldav-binding-scope"]:checked') as HTMLInputElement | null)?.value;
if (!scope) {
msg.textContent = t("caldav.bindings.error.scope");
msg.className = "form-msg form-msg-error";
return;
}
if (scope === "project" && !projectSel.value) {
msg.textContent = t("caldav.bindings.error.scope_project");
msg.className = "form-msg form-msg-error";
return;
}
submitBtn.disabled = true;
try {
if (editingBindingID) {
const patchPayload: Record<string, unknown> = {
display_name: nameInput.value.trim(),
scope_kind: scope,
enabled: true,
};
if (scope === "project") patchPayload.scope_id = projectSel.value;
const resp = await fetch(`/api/caldav-bindings/${editingBindingID}`, {
method: "PATCH",
headers: { "Content-Type": "application/json" },
body: JSON.stringify(patchPayload),
});
if (!resp.ok) {
const err = await resp.json().catch(() => ({}) as { error?: string });
msg.textContent = err.error || t("caldav.error.generic");
msg.className = "form-msg form-msg-error";
return;
}
} else {
const mode = currentBindingSourceMode();
if (mode === "create") {
// Slice 2c MKCALENDAR path.
const displayName = nameInput.value.trim();
if (!displayName) {
msg.textContent = t("caldav.bindings.error.create_name_required");
msg.className = "form-msg form-msg-error";
return;
}
const createPayload: Record<string, unknown> = {
display_name: displayName,
scope_kind: scope,
};
if (scope === "project") createPayload.scope_id = projectSel.value;
const resp = await fetch("/api/caldav-mkcalendar", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify(createPayload),
});
if (resp.status === 501) {
// Race: probe flipped to false between modal-open and submit.
// Re-sync the UI and surface a helpful message.
supportsMKCalendar = false;
syncBindingSourceModeUI();
msg.textContent = t("caldav.bindings.error.create_unsupported");
msg.className = "form-msg form-msg-error";
return;
}
if (resp.status === 409) {
msg.textContent = t("caldav.bindings.error.create_name_taken");
msg.className = "form-msg form-msg-error";
return;
}
if (!resp.ok) {
const err = await resp.json().catch(() => ({}) as { error?: string });
msg.textContent = err.error || t("caldav.error.generic");
msg.className = "form-msg form-msg-error";
return;
}
} else {
// existing | custom — POST /api/caldav-bindings with the path.
const path = mode === "custom" ? customInput.value.trim() : sel.value;
if (!path) {
msg.textContent = t("caldav.bindings.error.path");
msg.className = "form-msg form-msg-error";
return;
}
const postPayload: Record<string, unknown> = {
calendar_path: path,
display_name: nameInput.value.trim(),
scope_kind: scope,
enabled: true,
};
if (scope === "project") postPayload.scope_id = projectSel.value;
if (!postPayload.display_name && mode === "existing") {
const opt = sel.options[sel.selectedIndex];
postPayload.display_name = opt ? opt.text : "";
}
const resp = await fetch("/api/caldav-bindings", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify(postPayload),
});
if (!resp.ok) {
const err = await resp.json().catch(() => ({}) as { error?: string });
msg.textContent = err.error || t("caldav.error.generic");
msg.className = "form-msg form-msg-error";
return;
}
}
}
closeBindingModal();
await loadBindings();
} catch {
msg.textContent = t("caldav.error.generic");
msg.className = "form-msg form-msg-error";
} finally {
submitBtn.disabled = false;
}
}
async function deleteBinding(b: UserCalendarBinding): Promise<void> {
if (!confirm(t("caldav.bindings.delete.confirm"))) return;
try {
const resp = await fetch(`/api/caldav-bindings/${b.id}`, { method: "DELETE" });
if (!resp.ok && resp.status !== 204 && resp.status !== 202) {
alert(t("caldav.bindings.delete.failed"));
return;
}
await loadBindings();
} catch {
alert(t("caldav.bindings.delete.failed"));
}
}
async function toggleBindingEnabled(b: UserCalendarBinding, enabled: boolean): Promise<void> {
try {
const resp = await fetch(`/api/caldav-bindings/${b.id}`, {
method: "PATCH",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ enabled }),
});
if (resp.ok) {
b.enabled = enabled;
}
} catch {
/* non-fatal */
}
}
// --- "Meine Partner Units" card on the profile tab -------------------------
//
// Read-only summary of the current user's structural memberships. Membership
@@ -1131,18 +717,6 @@ document.addEventListener("DOMContentLoaded", () => {
document.getElementById("caldav-form")!.addEventListener("submit", saveCalDAV);
document.getElementById("caldav-test-btn")!.addEventListener("click", testCalDAVConnection);
document.getElementById("caldav-delete-btn")!.addEventListener("click", deleteCalDAVConfig);
// CalDAV bindings (Slice 2b + 2c) — add/edit modal wiring.
document.getElementById("caldav-bindings-add-btn")?.addEventListener("click", () => openBindingModal(null));
document.getElementById("caldav-binding-modal-close")?.addEventListener("click", closeBindingModal);
document.getElementById("caldav-binding-cancel-btn")?.addEventListener("click", closeBindingModal);
document.getElementById("caldav-binding-form")?.addEventListener("submit", submitBindingModal);
document.querySelectorAll('input[name="caldav-binding-source-mode"]').forEach((el) => {
el.addEventListener("change", syncBindingSourceModeUI);
});
document.querySelectorAll('input[name="caldav-binding-scope"]').forEach((el) => {
el.addEventListener("change", syncBindingScopeUI);
});
const exportBtn = document.getElementById("export-btn");
if (exportBtn) exportBtn.addEventListener("click", runExport);

208
frontend/src/client/submissions.ts
View File

@@ -1,208 +0,0 @@
// Submissions panel — fetches the project's submission catalog and
// renders one row per filing-type rule, with a [Generieren] action
// when a .docx template resolves server-side.
//
// t-paliad-215 Slice 1. Loaded lazily by the projects-detail tab
// switcher so projects without the Schriftsätze tab open don't pay
// for the per-row template-availability probes.
function escapeHtml(s: string): string {
return s
.replace(/&/g, "&amp;")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/"/g, "&quot;")
.replace(/'/g, "&#39;");
}
interface SubmissionEntry {
submission_code: string;
name: string;
name_en: string;
event_type?: string;
primary_party?: string;
legal_source?: string;
has_template: boolean;
}
interface SubmissionListResponse {
project_id: string;
proceeding_type_id?: number;
entries: SubmissionEntry[];
}
// Module state — set once per page load when the user first opens the
// tab. Subsequent activations re-use the cached result so the lawyer
// doesn't pay for repeat list calls flipping between tabs.
let cached: { projectID: string; data: SubmissionListResponse } | null = null;
let loading = false;
/**
* Load + render the submissions panel for the given project.
*
* Idempotent: safe to call on every tab activation. The second call
* paints from cache instantly; the first call shows a loading state
* until the list response arrives.
*/
export async function loadAndRenderSubmissions(projectID: string): Promise<void> {
if (loading) return;
if (cached && cached.projectID === projectID) {
render(cached.data);
return;
}
loading = true;
try {
const resp = await fetch(`/api/projects/${projectID}/submissions`);
if (!resp.ok) {
renderError();
return;
}
const data = (await resp.json()) as SubmissionListResponse;
cached = { projectID, data };
render(data);
} catch {
renderError();
} finally {
loading = false;
}
}
function render(data: SubmissionListResponse): void {
const empty = document.getElementById("project-submissions-empty");
const noProc = document.getElementById("project-submissions-no-proceeding");
const wrap = document.getElementById("project-submissions-tablewrap");
const body = document.getElementById("project-submissions-body");
if (!empty || !noProc || !wrap || !body) return;
if (data.proceeding_type_id == null || data.proceeding_type_id === 0) {
noProc.style.display = "";
empty.style.display = "none";
wrap.style.display = "none";
return;
}
noProc.style.display = "none";
if (data.entries.length === 0) {
empty.style.display = "";
wrap.style.display = "none";
return;
}
empty.style.display = "none";
wrap.style.display = "";
const isEN = document.documentElement.lang === "en";
body.innerHTML = data.entries.map((entry) => {
const name = isEN && entry.name_en ? entry.name_en : entry.name;
const party = formatParty(entry.primary_party, isEN);
const source = entry.legal_source ?? "";
const action = entry.has_template
? `<button type="button" class="btn-primary btn-cta-lime btn-small submission-generate-btn"
data-code="${escapeHtml(entry.submission_code)}"
data-project="${escapeHtml(data.project_id)}"
data-i18n="projects.detail.submissions.action.generate">${isEN ? "Generate" : "Generieren"}</button>`
: `<span class="submission-no-template" data-i18n="projects.detail.submissions.action.no_template">${isEN ? "No template" : "Keine Vorlage"}</span>`;
return `<tr class="submission-row">
<td>
<span class="submission-name">${escapeHtml(name)}</span>
<span class="submission-code">${escapeHtml(entry.submission_code)}</span>
</td>
<td>${escapeHtml(party)}</td>
<td>${escapeHtml(source)}</td>
<td class="submission-action-cell">${action}</td>
</tr>`;
}).join("");
// Wire button clicks. One click handler per render to avoid stale
// closures from the previous render's data.
body.querySelectorAll<HTMLButtonElement>(".submission-generate-btn").forEach((btn) => {
btn.addEventListener("click", (e) => {
e.preventDefault();
e.stopPropagation();
void onGenerateClick(btn);
});
});
}
function renderError(): void {
const empty = document.getElementById("project-submissions-empty");
const noProc = document.getElementById("project-submissions-no-proceeding");
const wrap = document.getElementById("project-submissions-tablewrap");
if (!empty || !noProc || !wrap) return;
noProc.style.display = "none";
wrap.style.display = "none";
empty.style.display = "";
empty.textContent = document.documentElement.lang === "en"
? "Failed to load submissions list."
: "Schriftsatzliste konnte nicht geladen werden.";
}
function formatParty(role: string | undefined, isEN: boolean): string {
switch ((role ?? "").toLowerCase()) {
case "claimant": return isEN ? "Claimant" : "Klägerin";
case "defendant": return isEN ? "Defendant" : "Beklagte";
case "both": return isEN ? "Both" : "Beide";
case "court": return isEN ? "Court" : "Gericht";
default: return "";
}
}
// onGenerateClick triggers a download. Disables the button while the
// request is in flight to prevent double-submits and surfaces an
// inline error on failure.
async function onGenerateClick(btn: HTMLButtonElement): Promise<void> {
const code = btn.dataset.code;
const projectID = btn.dataset.project;
if (!code || !projectID) return;
const originalLabel = btn.textContent ?? "";
btn.disabled = true;
btn.textContent = document.documentElement.lang === "en" ? "Generating…" : "Wird generiert…";
try {
const url = `/api/projects/${projectID}/submissions/${encodeURIComponent(code)}/generate`;
const resp = await fetch(url, { method: "GET" });
if (!resp.ok) {
let detail = "";
try {
const data = await resp.json() as { error?: string };
detail = data.error ?? "";
} catch {
// fallthrough
}
alert(
(document.documentElement.lang === "en"
? "Generation failed."
: "Generieren fehlgeschlagen.") + (detail ? `\n\n${detail}` : ""),
);
return;
}
const blob = await resp.blob();
const filename = parseFilename(resp.headers.get("Content-Disposition") ?? "")
?? `${code}.docx`;
triggerDownload(blob, filename);
} finally {
btn.disabled = false;
btn.textContent = originalLabel;
}
}
// parseFilename pulls the filename out of a Content-Disposition
// header. Supports both unquoted and quoted forms.
function parseFilename(header: string): string | null {
const m = /filename\s*=\s*"?([^";]+)"?/i.exec(header);
return m ? m[1] : null;
}
// triggerDownload creates an <a> with an object URL, clicks it, and
// revokes the URL. Standard browser-side download pattern.
function triggerDownload(blob: Blob, filename: string): void {
const url = URL.createObjectURL(blob);
const a = document.createElement("a");
a.href = url;
a.download = filename;
document.body.appendChild(a);
a.click();
document.body.removeChild(a);
// Revoke on next tick so the click actually triggers the download
// before the URL is gone.
setTimeout(() => URL.revokeObjectURL(url), 0);
}

65
frontend/src/client/verfahrensablauf.ts
View File

@@ -17,37 +17,14 @@ import {
populateCourtPicker,
renderColumnsBody,
renderTimelineBody,
wireDateEditClicks,
} from "./views/verfahrensablauf-core";
let selectedType = "";
let lastResponse: DeadlineResponse | null = null;
// Per-rule anchor overrides set by the click-to-edit affordance on
// timeline / column date cells. Posted as `anchorOverrides` to the
// /api/tools/fristenrechner calc so downstream rules re-anchor off the
// user's chosen date. Cleared whenever the trigger changes (proceeding,
// trigger date, flag toggle) so a fresh calc starts unanchored — same
// semantic as /tools/fristenrechner.
const anchorOverrides = new Map<string, string>();
function clearAnchorOverrides() { anchorOverrides.clear(); }
type ProcedureView = "timeline" | "columns";
let procedureView: ProcedureView = "columns";
// Notes toggle — when off (default), per-rule descriptive notes render
// as a compact ⓘ icon next to the meta line (hover for full text). When
// on, the full notes block expands under each card. Choice persists in
// localStorage so a reload or recalc keeps the user's preference.
const NOTES_PREF_KEY = "paliad.fristen.notes-show";
function readNotesPref(): boolean {
try { return localStorage.getItem(NOTES_PREF_KEY) === "1"; } catch { return false; }
}
function writeNotesPref(on: boolean): void {
try { localStorage.setItem(NOTES_PREF_KEY, on ? "1" : "0"); } catch { /* no-op */ }
}
let showNotes = readNotesPref();
// Jurisdiction display prefix for the proceeding-summary chip + the
// trigger-event placeholder. Same forum slugs the .proceeding-group
// `data-forum` attribute carries in verfahrensablauf.tsx /
@@ -135,14 +112,10 @@ async function doCalc() {
? courtPicker.value
: "";
const overrides: Record<string, string> = {};
for (const [code, date] of anchorOverrides) overrides[code] = date;
const data = await calculateDeadlines({
proceedingType: selectedType,
triggerDate,
flags: readFlags(),
anchorOverrides: overrides,
courtId,
});
if (seq !== calcSeq) return;
@@ -194,8 +167,8 @@ function renderResults(data: DeadlineResponse) {
</div>`;
const bodyHtml = procedureView === "columns"
? renderColumnsBody(data, { editable: true, showNotes })
: renderTimelineBody(data, { showParty: true, editable: true, showNotes });
? renderColumnsBody(data)
: renderTimelineBody(data);
container.innerHTML = headerHtml + bodyHtml;
if (printBtn) printBtn.style.display = "block";
@@ -243,12 +216,7 @@ function syncInfAmendEnabled() {
function selectProceeding(btn: HTMLButtonElement) {
document.querySelectorAll(".proceeding-btn").forEach((b) => b.classList.remove("active"));
btn.classList.add("active");
const nextType = btn.dataset.code || "";
// Different proceeding tree → previously-set overrides reference
// rule codes that don't exist in the new tree. Clear before the
// next calc so the fresh proceeding starts unanchored.
if (selectedType !== nextType) clearAnchorOverrides();
selectedType = nextType;
selectedType = btn.dataset.code || "";
// Trigger-event label fires from the calc response (root rule).
// Until step 3 renders, fall back to an em-dash placeholder.
@@ -331,33 +299,6 @@ document.addEventListener("DOMContentLoaded", () => {
document.getElementById("fristen-print-btn")?.addEventListener("click", () => window.print());
// Click-to-edit on timeline / column date cells — same delegated
// pattern as /tools/fristenrechner. Survives renderResults()'s
// innerHTML rewrites because the listener lives on the container.
const timelineContainer = document.getElementById("timeline-container");
if (timelineContainer) {
wireDateEditClicks(timelineContainer, (ruleCode, newValue) => {
if (newValue === "") {
anchorOverrides.delete(ruleCode);
} else {
anchorOverrides.set(ruleCode, newValue);
}
scheduleCalc(0);
});
}
// Notes toggle — restores last preference on load + re-renders when
// the user flips it. Lives in the same toggle bar as the view picker.
const notesShowCb = document.getElementById("fristen-notes-show") as HTMLInputElement | null;
if (notesShowCb) {
notesShowCb.checked = showNotes;
notesShowCb.addEventListener("change", () => {
showNotes = notesShowCb.checked;
writeNotesPref(showNotes);
if (lastResponse) renderResults(lastResponse);
});
}
initViewToggle();
onLangChange(() => {

53
frontend/src/client/views/shape-list.ts
View File

@@ -196,12 +196,6 @@ interface ApprovalDetail {
requester_kind?: "user" | "agent";
decider_name?: string;
decision_note?: string;
// counter_payload + next_request_id — populated on the OLD row of a
// suggest-changes pair (t-paliad-216). The new row's id lets us
// render a back-link "→ Neuer Vorschlag von {decider}". Both stay
// unset on any non-changes_requested status.
counter_payload?: Record<string, unknown> | null;
next_request_id?: string;
// Per-viewer eligibility flags resolved server-side against the caller
// (t-paliad-202). Used to grey out actions the server would reject.
// Optional so an older payload still renders — falsy means "treat as
@@ -210,11 +204,6 @@ interface ApprovalDetail {
viewer_is_requester?: boolean;
}
// Pending-row action set. suggest_changes was added in t-paliad-216 as
// the fourth action — the approver authors a counter-proposal which
// becomes a NEW pending row authored by them.
type ApprovalAction = "approve" | "reject" | "revoke" | "suggest_changes";
function renderApprovalList(rows: ViewRow[]): HTMLElement {
const ul = document.createElement("ul");
ul.className = "inbox-list views-approval-list";
@@ -273,20 +262,13 @@ function renderApprovalList(rows: ViewRow[]): HTMLElement {
actions.className = "inbox-row-actions";
if (detail.status === "pending") {
// All four actions are stamped on every pending row; the per-viewer
// All three actions are stamped on every pending row; the per-viewer
// viewer_can_approve / viewer_is_requester flags (resolved server-side)
// decide which are enabled vs. greyed out with a tooltip. m's ask
// (2026-05-17): show what's possible but disable what isn't, rather
// than alert-after-click. The server still enforces — disabled buttons
// are a UI hint, not a security gate.
//
// suggest_changes is hidden for non-update lifecycles (the backend
// returns ErrSuggestionLifecycleInvalid for create/complete/delete,
// so we don't even render the button for them).
actions.appendChild(approvalActionBtn("approve", detail));
if (detail.lifecycle_event === "update") {
actions.appendChild(approvalActionBtn("suggest_changes", detail));
}
actions.appendChild(approvalActionBtn("reject", detail));
actions.appendChild(approvalActionBtn("revoke", detail));
} else if (detail.status) {
@@ -303,22 +285,6 @@ function renderApprovalList(rows: ViewRow[]): HTMLElement {
}
li.appendChild(actions);
// Back-link from the OLD changes_requested row to the NEW pending
// counter row (t-paliad-216). Hydrated server-side as
// detail.next_request_id; the surface renders a link that scrolls
// / filters to the new row. Falsy next_request_id = no link (e.g.
// older rows pre-mig-103, or rows where the server hasn't joined the
// back-pointer).
if (detail.status === "changes_requested" && detail.next_request_id) {
const link = document.createElement("a");
link.className = "inbox-row-next-request";
link.href = `#request-${detail.next_request_id}`;
link.dataset.nextRequestId = detail.next_request_id;
const deciderName = detail.decider_name || "";
link.textContent = t("approvals.suggest.next_request_link").replace("{name}", deciderName);
li.appendChild(link);
}
ul.appendChild(li);
}
return ul;
@@ -355,24 +321,17 @@ function renderDiff(detail: ApprovalDetail): HTMLElement | null {
}
function approvalActionBtn(
action: ApprovalAction,
action: "approve" | "reject" | "revoke",
detail: ApprovalDetail,
): HTMLButtonElement {
const btn = document.createElement("button");
btn.type = "button";
btn.dataset.action = action;
// suggest_changes shares the secondary style with revoke; reject is
// danger (terminal "no"); approve is primary.
const cls = action === "approve"
? "btn-primary"
: action === "reject"
? "btn-danger"
: "btn-secondary";
const cls = action === "approve" ? "btn-primary" : action === "reject" ? "btn-danger" : "btn-secondary";
btn.className = `btn ${cls} inbox-row-action views-approval-action`;
btn.textContent = t(("approvals.action." + action) as I18nKey);
// approve / reject / suggest_changes share the canApprove eligibility
// gate; revoke is requester-only.
// approve / reject share the eligibility gate; revoke is requester-only.
const reason = disabledReasonFor(action, detail);
if (reason) {
btn.disabled = true;
@@ -382,13 +341,13 @@ function approvalActionBtn(
}
function disabledReasonFor(
action: ApprovalAction,
action: "approve" | "reject" | "revoke",
detail: ApprovalDetail,
): I18nKey | null {
if (action === "revoke") {
return detail.viewer_is_requester ? null : "approvals.disabled.revoke_not_requester";
}
// approve / reject / suggest_changes — same gate as the server's canApprove.
// approve + reject — same gate as the server's canApprove.
if (detail.viewer_can_approve) return null;
if (detail.viewer_is_requester) return "approvals.disabled.self_approval";
return "approvals.disabled.not_authorized";

67
frontend/src/client/views/verfahrensablauf-core.test.ts
View File

@@ -1,67 +0,0 @@
import { describe, expect, test } from "bun:test";
import {
type CalculatedDeadline,
deadlineCardHtml,
} from "./verfahrensablauf-core";
// Regression tests for the editable→click-to-edit wiring on timeline date
// cells (m/paliad#59). When CardOpts.editable=true the card renderer must
// emit `class="… frist-date-edit"` with `data-rule-code` + `data-current-
// date` on the date span. Pages then attach a delegated click handler that
// resolves that selector to swap in an inline `<input type="date">`. If a
// future refactor drops the attrs, /tools/verfahrensablauf and
// /tools/fristenrechner both silently lose click-to-edit (no script error,
// nothing happens on click). These tests pin the contract.
//
// Fixture leaves ruleRef/legalSource* empty so deadlineCardHtml stays
// inside its non-DOM code paths (escHtml is DOM-backed and bun test runs
// in plain Node without jsdom).
const dl = (overrides: Partial<CalculatedDeadline> = {}): CalculatedDeadline => ({
code: "upc-rop-12",
name: "Klageerwiderung",
nameEN: "Statement of Defence",
party: "defendant",
priority: "mandatory",
ruleRef: "",
dueDate: "2026-07-15",
originalDate: "2026-07-15",
wasAdjusted: false,
isRootEvent: false,
isCourtSet: false,
...overrides,
});
describe("deadlineCardHtml — editable=true emits click-to-edit attrs", () => {
test("date span carries frist-date-edit class + data-rule-code + data-current-date", () => {
const html = deadlineCardHtml(dl(), { showParty: true, editable: true });
expect(html).toContain('class="timeline-date frist-date-edit"');
expect(html).toContain('data-rule-code="upc-rop-12"');
expect(html).toContain('data-current-date="2026-07-15"');
expect(html).toContain('role="button"');
expect(html).toContain('tabindex="0"');
});
test("editable=false (default) emits the date span without click-to-edit attrs", () => {
const html = deadlineCardHtml(dl(), { showParty: true });
expect(html).toContain("timeline-date");
expect(html).not.toContain("data-rule-code=");
expect(html).not.toContain('role="button"');
});
test("root event suppresses editable even when editable=true (root has no override semantic)", () => {
const html = deadlineCardHtml(dl({ isRootEvent: true }), { showParty: true, editable: true });
expect(html).not.toContain("data-rule-code=");
});
test("isCourtSet renders the court-set placeholder with click-to-edit so users can pin a real date", () => {
const html = deadlineCardHtml(dl({ isCourtSet: true }), { showParty: true, editable: true });
expect(html).toContain("timeline-court-set frist-date-edit");
expect(html).toContain('data-rule-code="upc-rop-12"');
});
test("empty rule code with editable=true still suppresses click-to-edit (no anchor target)", () => {
const html = deadlineCardHtml(dl({ code: "" }), { showParty: true, editable: true });
expect(html).not.toContain("data-rule-code=");
});
});

101
frontend/src/client/views/verfahrensablauf-core.ts
View File

@@ -219,13 +219,6 @@ export interface CardOpts {
// verfahrensablauf abstract-browse surface keeps editable=false because
// there's no anchor-override state on that page in Slice 1.
editable?: boolean;
// showNotes controls how the per-rule descriptive notes render:
// true → expanded `<div class="timeline-notes">…</div>` below the card
// false → compact ⓘ icon next to the meta line, full text on hover
// (browser-native `title` attribute) and screen-reader-readable
// Page shells expose a toggle ("Hinweise anzeigen") that flips this and
// re-renders. Default false — notes are noisy on long timelines.
showNotes?: boolean;
}
export function deadlineCardHtml(dl: CalculatedDeadline, opts: CardOpts): string {
@@ -271,19 +264,14 @@ export function deadlineCardHtml(dl: CalculatedDeadline, opts: CardOpts): string
}
const noteText = getLang() === "en" ? (dl.notesEN || dl.notes) : dl.notes;
const showNotes = opts.showNotes === true;
const notesBlock = noteText && showNotes
const notes = noteText
? `<div class="timeline-notes">${noteText}</div>`
: "";
const noteHint = noteText && !showNotes
? `<span class="timeline-note-hint" tabindex="0" role="note" aria-label="${escAttr(noteText)}" title="${escAttr(noteText)}">ⓘ</span>`
: "";
const meta = (opts.showParty || ruleRef || noteHint)
const meta = (opts.showParty || ruleRef)
? `<div class="timeline-meta">
${opts.showParty ? partyBadge(dl.party) : ""}
${ruleRef}
${noteHint}
</div>`
: "";
@@ -296,88 +284,7 @@ export function deadlineCardHtml(dl: CalculatedDeadline, opts: CardOpts): string
</div>
${meta}
${adjustedNote}
${notesBlock}`;
}
// ─── inline date editor (click-to-edit per-rule due date) ────────────────
//
// The renderer emits `<span class="frist-date-edit" data-rule-code="…"
// data-current-date="YYYY-MM-DD" role="button" tabindex="0">…</span>` when
// CardOpts.editable is true. Pages call wireDateEditClicks() on their
// result container once, and the delegated click/keydown handlers swap a
// clicked span for a `<input type="date">` editor via openInlineDateEditor.
// The caller's onCommit callback receives (ruleCode, newValue) — an empty
// newValue means "revert" (clear the anchor override and let the calculator
// re-project). The actual recompute is the caller's job — they own the
// anchor-overrides map + the calc dispatch.
export function openInlineDateEditor(
span: HTMLElement,
onCommit: (ruleCode: string, newValue: string) => void,
): void {
const ruleCode = span.dataset.ruleCode || "";
if (!ruleCode) return;
const current = span.dataset.currentDate || "";
const editor = document.createElement("input");
editor.type = "date";
editor.className = "frist-date-edit-input";
editor.value = current;
let done = false;
const cancel = () => {
if (done) return;
done = true;
editor.replaceWith(span);
};
const commit = (newValue: string) => {
if (done) return;
done = true;
onCommit(ruleCode, newValue);
};
editor.addEventListener("blur", () => {
if (editor.value !== current) commit(editor.value);
else cancel();
});
editor.addEventListener("keydown", (e) => {
const ke = e as KeyboardEvent;
if (ke.key === "Enter") {
e.preventDefault();
editor.blur();
} else if (ke.key === "Escape") {
e.preventDefault();
cancel();
}
});
span.replaceWith(editor);
editor.focus();
if (editor.value) editor.select();
}
// wireDateEditClicks attaches delegated click + keyboard handlers to the
// timeline result container so click-to-edit survives every innerHTML
// rewrite the page does on recalc. Idempotent — re-calling on the same
// container does nothing (the dataset flag short-circuits).
export function wireDateEditClicks(
container: HTMLElement,
onCommit: (ruleCode: string, newValue: string) => void,
): void {
if (container.dataset.dateEditWired === "1") return;
container.dataset.dateEditWired = "1";
container.addEventListener("click", (e) => {
const target = (e.target as HTMLElement).closest<HTMLElement>(".frist-date-edit");
if (!target || !target.dataset.ruleCode) return;
openInlineDateEditor(target, onCommit);
});
container.addEventListener("keydown", (e) => {
const ke = e as KeyboardEvent;
if (ke.key !== "Enter" && ke.key !== " ") return;
const target = (e.target as HTMLElement).closest<HTMLElement>(".frist-date-edit");
if (!target || !target.dataset.ruleCode) return;
e.preventDefault();
openInlineDateEditor(target, onCommit);
});
${notes}`;
}
export function renderTimelineBody(data: DeadlineResponse, opts: CardOpts = { showParty: true }): string {
@@ -451,7 +358,7 @@ export function renderColumnsBody(data: DeadlineResponse, opts: Omit<CardOpts, "
unscheduledKeys.sort();
const keys = [...datedKeys, ...unscheduledKeys];
const cardOpts: CardOpts = { showParty: false, editable: opts.editable, showNotes: opts.showNotes };
const cardOpts: CardOpts = { showParty: false, editable: opts.editable };
const renderCell = (items: CalculatedDeadline[]): string => {
if (items.length === 0) {

44
frontend/src/dashboard.tsx
View File

@@ -5,14 +5,12 @@ import { BottomNav } from "./components/BottomNav";
import { Footer } from "./components/Footer";
import { PWAHead } from "./components/PWAHead";
// The three /* __PALIAD_DASHBOARD_*__ */ tokens below are replaced at
// request time by the Go handler (internal/handlers/dashboard_shell.go)
// with JSON blobs assigned to window.__PALIAD_DASHBOARD__,
// window.__PALIAD_DASHBOARD_LAYOUT__, and window.__PALIAD_DASHBOARD_CATALOG__.
// Keep each token intact and exactly once in the output. The latter two
// power the per-user configurable layout (t-paliad-219).
// The /* __PALIAD_DASHBOARD_DATA__ */ token below is replaced at request time
// by the Go handler (internal/handlers/dashboard_shell.go) with a JSON blob
// assigned to window.__PALIAD_DASHBOARD__. Keep the token intact and exactly
// once in the output.
const HYDRATION_SCRIPT =
"/*__PALIAD_DASHBOARD_DATA__*//*__PALIAD_DASHBOARD_LAYOUT__*//*__PALIAD_DASHBOARD_CATALOG__*/";
"/*__PALIAD_DASHBOARD_DATA__*/";
// Chevron used as the collapsible-section disclosure indicator. CSS rotates
// it 90deg clockwise when the section is open via the
@@ -25,13 +23,12 @@ const ICON_CHEVRON = '<svg viewBox="0 0 24 24" fill="none" stroke="currentColor"
// renders all sections expanded so unstyled fallback is sensible.
function CollapsibleSection(props: {
id: string;
widgetKey: string;
headingI18n: string;
headingDe: string;
children: any;
}): string {
return (
<section className="dashboard-section" data-collapse-key={props.id} data-widget-key={props.widgetKey} aria-expanded="true">
<section className="dashboard-section" data-collapse-key={props.id} aria-expanded="true">
<button type="button" className="dashboard-section-toggle" aria-expanded="true">
<h3 className="dashboard-section-heading" data-i18n={props.headingI18n}>{props.headingDe}</h3>
<span className="dashboard-section-chevron" aria-hidden="true"
@@ -91,7 +88,7 @@ export function renderDashboard(): string {
</div>
{/* Traffic-light deadline summary (4+1: Überfällig conditional + 4 universal — t-paliad-110) */}
<CollapsibleSection id="summary" widgetKey="deadline-summary" headingI18n="dashboard.summary.heading" headingDe="Fristen auf einen Blick">
<CollapsibleSection id="summary" headingI18n="dashboard.summary.heading" headingDe="Fristen auf einen Blick">
<div className="dashboard-summary-grid">
<a href="/deadlines?status=overdue" className="dashboard-card dashboard-card-red" id="dashboard-card-overdue">
<div className="dashboard-card-count" id="dashboard-count-overdue">0</div>
@@ -119,7 +116,7 @@ export function renderDashboard(): string {
{/* Matter summary card — single tappable card, kept outside the
collapsible scaffold because its h3 is internal to the card
and doubles as the navigation affordance. */}
<section className="dashboard-matters" data-widget-key="matter-summary">
<section className="dashboard-matters">
<a href="/projects" className="dashboard-matter-card">
<div className="dashboard-matter-header">
<h3 data-i18n="dashboard.matters.heading">Meine Akten</h3>
@@ -148,14 +145,14 @@ export function renderDashboard(): string {
layout still applies; collapse hides the body of each col
but leaves the heading row in the grid. */}
<div className="dashboard-columns">
<CollapsibleSection id="deadlines" widgetKey="upcoming-deadlines" headingI18n="dashboard.deadlines.heading" headingDe="Kommende Fristen">
<CollapsibleSection id="deadlines" headingI18n="dashboard.deadlines.heading" headingDe="Kommende Fristen">
<ul className="dashboard-list" id="dashboard-deadlines-list"></ul>
<p className="dashboard-empty" id="dashboard-deadlines-empty" style="display:none" data-i18n="dashboard.deadlines.empty">
Keine Fristen in den n&auml;chsten 7 Tagen.
</p>
</CollapsibleSection>
<CollapsibleSection id="appointments" widgetKey="upcoming-appointments" headingI18n="dashboard.appointments.heading" headingDe="Kommende Termine">
<CollapsibleSection id="appointments" headingI18n="dashboard.appointments.heading" headingDe="Kommende Termine">
<ul className="dashboard-list" id="dashboard-appointments-list"></ul>
<p className="dashboard-empty" id="dashboard-appointments-empty" style="display:none" data-i18n="dashboard.appointments.empty">
Keine Termine in den n&auml;chsten 7 Tagen.
@@ -169,7 +166,7 @@ export function renderDashboard(): string {
no chip filters, no URL state — a 30-day window of
upcoming items grouped by day. The standalone /agenda
route is unchanged for direct-link compatibility. */}
<CollapsibleSection id="agenda" widgetKey="inline-agenda" headingI18n="dashboard.agenda.heading" headingDe="Agenda">
<CollapsibleSection id="agenda" headingI18n="dashboard.agenda.heading" headingDe="Agenda">
<div className="dashboard-agenda">
<div className="agenda-timeline" id="dashboard-agenda-timeline" />
<p className="dashboard-empty" id="dashboard-agenda-empty" style="display:none" data-i18n="dashboard.agenda.empty">
@@ -181,26 +178,9 @@ export function renderDashboard(): string {
</div>
</CollapsibleSection>
{/* Inbox-approvals widget (t-paliad-219 — new in v1). The
list mirrors /inbox's "Approver" axis but capped at the
widget's count setting. Renders the empty state when
the user has no open approvals to review. */}
<CollapsibleSection id="inbox-approvals" widgetKey="inbox-approvals" headingI18n="dashboard.inbox.heading" headingDe="Offene Freigaben">
<div className="dashboard-inbox">
<p className="dashboard-inbox-summary" id="dashboard-inbox-summary" style="display:none"></p>
<ul className="dashboard-list" id="dashboard-inbox-list"></ul>
<p className="dashboard-empty" id="dashboard-inbox-empty" style="display:none" data-i18n="dashboard.inbox.empty">
Keine offenen Freigaben.
</p>
<p className="dashboard-agenda-link">
<a href="/inbox" data-i18n="dashboard.inbox.full_link">Vollst&auml;ndigen Posteingang &ouml;ffnen &rarr;</a>
</p>
</div>
</CollapsibleSection>
{/* Activity feed — moved under Agenda per m's design call
(t-paliad-162). */}
<CollapsibleSection id="activity" widgetKey="recent-activity" headingI18n="dashboard.activity.heading" headingDe="Letzte Aktivität">
<CollapsibleSection id="activity" headingI18n="dashboard.activity.heading" headingDe="Letzte Aktivität">
<ul className="dashboard-activity-list" id="dashboard-activity-list"></ul>
<p className="dashboard-empty" id="dashboard-activity-empty" style="display:none" data-i18n="dashboard.activity.empty">
Noch keine Aktivit&auml;t erfasst.

4
frontend/src/fristenrechner.tsx
View File

@@ -546,10 +546,6 @@ export function renderFristenrechner(): string {
<input type="radio" name="fristen-view" value="timeline" />
<span data-i18n="deadlines.view.timeline">Zeitstrahl</span>
</label>
<label className="fristen-notes-option">
<input type="checkbox" id="fristen-notes-show" />
<span data-i18n="deadlines.notes.show">Hinweise anzeigen</span>
</label>
</div>
<div id="timeline-container">

86
frontend/src/i18n-keys.ts
View File

@@ -583,7 +583,6 @@ export type I18nKey =
| "approvals.action.approve"
| "approvals.action.reject"
| "approvals.action.revoke"
| "approvals.action.suggest_changes"
| "approvals.agent.byline"
| "approvals.agent.label"
| "approvals.agent.suggestion_pending"
@@ -596,7 +595,6 @@ export type I18nKey =
| "approvals.disabled.not_authorized"
| "approvals.disabled.revoke_not_requester"
| "approvals.disabled.self_approval"
| "approvals.disabled.suggest_lifecycle"
| "approvals.empty.mine"
| "approvals.empty.pending_mine"
| "approvals.entity.appointment"
@@ -607,8 +605,6 @@ export type I18nKey =
| "approvals.error.not_authorized"
| "approvals.error.request_not_pending"
| "approvals.error.self_approval"
| "approvals.error.suggestion_lifecycle_invalid"
| "approvals.error.suggestion_requires_change"
| "approvals.heading"
| "approvals.lifecycle.complete"
| "approvals.lifecycle.create"
@@ -635,32 +631,11 @@ export type I18nKey =
| "approvals.required_role.pa"
| "approvals.required_role.senior_pa"
| "approvals.status.approved"
| "approvals.status.changes_requested"
| "approvals.status.pending"
| "approvals.status.rejected"
| "approvals.status.revoked"
| "approvals.status.superseded"
| "approvals.subtitle"
| "approvals.suggest.cancel"
| "approvals.suggest.context.approval_status"
| "approvals.suggest.context.project"
| "approvals.suggest.context.requested_at"
| "approvals.suggest.context.requester"
| "approvals.suggest.event_type_picker_unavailable"
| "approvals.suggest.field.description"
| "approvals.suggest.field.original_due_date"
| "approvals.suggest.field.rule_code"
| "approvals.suggest.field.warning_date"
| "approvals.suggest.intro"
| "approvals.suggest.modal_title"
| "approvals.suggest.next_request_link"
| "approvals.suggest.note_label"
| "approvals.suggest.note_placeholder"
| "approvals.suggest.section.context"
| "approvals.suggest.section.editable"
| "approvals.suggest.submit"
| "approvals.suggest.submit_disabled_hint"
| "approvals.suggest.unsupported_lifecycle"
| "approvals.tab.mine"
| "approvals.tab.pending_mine"
| "approvals.title"
@@ -709,43 +684,6 @@ export type I18nKey =
| "cal.view.week"
| "cal.week.next"
| "cal.week.prev"
| "caldav.bindings.add"
| "caldav.bindings.card.edit"
| "caldav.bindings.card.enabled"
| "caldav.bindings.card.remove"
| "caldav.bindings.delete.confirm"
| "caldav.bindings.delete.failed"
| "caldav.bindings.empty"
| "caldav.bindings.error.create_name_required"
| "caldav.bindings.error.create_name_taken"
| "caldav.bindings.error.create_unsupported"
| "caldav.bindings.error.path"
| "caldav.bindings.error.scope"
| "caldav.bindings.error.scope_project"
| "caldav.bindings.heading"
| "caldav.bindings.hint"
| "caldav.bindings.modal.add_title"
| "caldav.bindings.modal.display_name"
| "caldav.bindings.modal.display_name.placeholder"
| "caldav.bindings.modal.edit_title"
| "caldav.bindings.modal.scope"
| "caldav.bindings.modal.scope.all_visible"
| "caldav.bindings.modal.scope.personal_only"
| "caldav.bindings.modal.scope.project"
| "caldav.bindings.modal.scope.project.loading"
| "caldav.bindings.modal.source"
| "caldav.bindings.modal.source.create"
| "caldav.bindings.modal.source.custom"
| "caldav.bindings.modal.source.degrade"
| "caldav.bindings.modal.source.discover_empty"
| "caldav.bindings.modal.source.discover_failed"
| "caldav.bindings.modal.source.existing"
| "caldav.bindings.modal.source.loading"
| "caldav.bindings.modal.submit_add"
| "caldav.bindings.modal.submit_edit"
| "caldav.bindings.scope.all_visible"
| "caldav.bindings.scope.personal_only"
| "caldav.bindings.scope.project"
| "caldav.delete"
| "caldav.delete.confirm"
| "caldav.delete.done"
@@ -927,11 +865,6 @@ export type I18nKey =
| "dashboard.deadlines.empty"
| "dashboard.deadlines.heading"
| "dashboard.greeting.prefix"
| "dashboard.inbox.empty"
| "dashboard.inbox.entity.appointment"
| "dashboard.inbox.entity.deadline"
| "dashboard.inbox.full_link"
| "dashboard.inbox.heading"
| "dashboard.matters.active"
| "dashboard.matters.archived"
| "dashboard.matters.heading"
@@ -1136,7 +1069,6 @@ export type I18nKey =
| "deadlines.neu.submit"
| "deadlines.neu.subtitle"
| "deadlines.neu.title"
| "deadlines.notes.show"
| "deadlines.optional.badge"
| "deadlines.party.both"
| "deadlines.party.both.label"
@@ -1354,7 +1286,6 @@ export type I18nKey =
| "einstellungen.tab.profil"
| "einstellungen.title"
| "event.description.appointment_approval_approved"
| "event.description.appointment_approval_changes_suggested"
| "event.description.appointment_approval_rejected"
| "event.description.appointment_approval_requested"
| "event.description.appointment_approval_revoked"
@@ -1363,7 +1294,6 @@ export type I18nKey =
| "event.description.appointment_project_changed"
| "event.description.appointment_updated"
| "event.description.deadline_approval_approved"
| "event.description.deadline_approval_changes_suggested"
| "event.description.deadline_approval_rejected"
| "event.description.deadline_approval_requested"
| "event.description.deadline_approval_revoked"
@@ -1379,7 +1309,6 @@ export type I18nKey =
| "event.note.parent.deadline"
| "event.note.parent.project"
| "event.title.appointment_approval_approved"
| "event.title.appointment_approval_changes_suggested"
| "event.title.appointment_approval_rejected"
| "event.title.appointment_approval_requested"
| "event.title.appointment_approval_revoked"
@@ -1394,7 +1323,6 @@ export type I18nKey =
| "event.title.checklist_reset"
| "event.title.checklist_unlinked"
| "event.title.deadline_approval_approved"
| "event.title.deadline_approval_changes_suggested"
| "event.title.deadline_approval_rejected"
| "event.title.deadline_approval_requested"
| "event.title.deadline_approval_revoked"
@@ -1723,7 +1651,6 @@ export type I18nKey =
| "login.tab.login"
| "login.tab.register"
| "login.title"
| "modal.close.label"
| "nav.admin.audit"
| "nav.admin.bereich"
| "nav.admin.event_types"
@@ -2008,8 +1935,6 @@ export type I18nKey =
| "projects.detail.edit"
| "projects.detail.edit.modal.title"
| "projects.detail.edit.type_change_warning.title"
| "projects.detail.export.button"
| "projects.detail.export.tooltip"
| "projects.detail.firmwide.off"
| "projects.detail.firmwide.on"
| "projects.detail.kinder.add"
@@ -2105,21 +2030,11 @@ export type I18nKey =
| "projects.detail.smarttimeline.track.only.counterclaim"
| "projects.detail.smarttimeline.track.only.parent"
| "projects.detail.smarttimeline.track.only.parent_context"
| "projects.detail.submissions.action.generate"
| "projects.detail.submissions.action.no_template"
| "projects.detail.submissions.col.action"
| "projects.detail.submissions.col.name"
| "projects.detail.submissions.col.party"
| "projects.detail.submissions.col.source"
| "projects.detail.submissions.empty"
| "projects.detail.submissions.empty.no_proceeding"
| "projects.detail.submissions.hint"
| "projects.detail.tab.checklisten"
| "projects.detail.tab.fristen"
| "projects.detail.tab.kinder"
| "projects.detail.tab.notizen"
| "projects.detail.tab.parteien"
| "projects.detail.tab.submissions"
| "projects.detail.tab.team"
| "projects.detail.tab.termine"
| "projects.detail.tab.verlauf"
@@ -2384,7 +2299,6 @@ export type I18nKey =
| "views.bar.approval_role.approver_eligible"
| "views.bar.approval_role.self_requested"
| "views.bar.approval_status.approved"
| "views.bar.approval_status.changes_requested"
| "views.bar.approval_status.pending"
| "views.bar.approval_status.rejected"
| "views.bar.approval_status.revoked"

47
frontend/src/projects-detail.tsx
View File

@@ -80,21 +80,6 @@ export function renderProjectsDetail(): string {
<a className="entity-tab" data-tab="appointments" href="#" data-i18n="projects.detail.tab.termine">Termine</a>
<a className="entity-tab" data-tab="notes" href="#" data-i18n="projects.detail.tab.notizen">Notizen</a>
<a className="entity-tab" data-tab="checklists" href="#" data-i18n="projects.detail.tab.checklisten">Checklisten</a>
<a className="entity-tab" data-tab="submissions" href="#" data-i18n="projects.detail.tab.submissions">Schriftsätze</a>
{/* t-paliad-214 Slice 2 — project-subtree export button.
Sits at the end of the tab nav. Hidden by default; the
client unhides it after /api/me confirms the caller can
extract (responsibility ∈ {lead, member} OR global_admin). */}
<button
type="button"
id="project-export-btn"
className="entity-tab entity-tab-action"
style="display:none"
title=""
data-i18n-title="projects.detail.export.tooltip"
data-i18n="projects.detail.export.button">
Daten exportieren
</button>
</nav>
{/* History (Verlauf) — t-paliad-171 SmartTimeline Slice 1.
@@ -586,38 +571,6 @@ export function renderProjectsDetail(): string {
</p>
</section>
{/* Submissions (Schriftsätze) — t-paliad-215 Slice 1.
Lists the project's filing-type rules with a per-row
[Generieren] button when a .docx template resolves
in the registry's fallback chain (firm → base/code →
base/family → skeleton). Empty for projects with no
proceeding bound; otherwise enumerates every active
filing rule for the proceeding. */}
<section className="entity-tab-panel" id="tab-submissions" style="display:none">
<p id="project-submissions-no-proceeding" className="entity-events-empty" style="display:none" data-i18n="projects.detail.submissions.empty.no_proceeding">
Bitte zuerst einen Verfahrenstyp setzen.
</p>
<p id="project-submissions-empty" className="entity-events-empty" style="display:none" data-i18n="projects.detail.submissions.empty">
Für dieses Verfahren sind keine Schriftsätze hinterlegt.
</p>
<div className="entity-table-wrap" id="project-submissions-tablewrap" style="display:none">
<table className="entity-table entity-table--readonly">
<thead>
<tr>
<th data-i18n="projects.detail.submissions.col.name">Schriftsatz</th>
<th data-i18n="projects.detail.submissions.col.party">Partei</th>
<th data-i18n="projects.detail.submissions.col.source">Rechtsgrundlage</th>
<th data-i18n="projects.detail.submissions.col.action" />
</tr>
</thead>
<tbody id="project-submissions-body" />
</table>
</div>
<p className="tool-subtitle submissions-hint" data-i18n="projects.detail.submissions.hint">
Schriftsätze werden direkt aus dem Projekt heraus als .docx generiert. Anpassen, drucken, einreichen.
</p>
</section>
<div className="entity-detail-footer" id="project-delete-wrap" style="display:none">
<button id="project-delete-btn" className="btn-secondary" type="button" data-i18n="projects.detail.delete">
Projekt archivieren

102
frontend/src/settings.tsx
View File

@@ -323,25 +323,6 @@ export function renderSettings(): string {
</div>
</form>
{/* t-paliad-212 Slice 2b — multi-calendar bindings.
Each card is one (calendar, scope) binding layered on the
single CalDAV server connection above. */}
<div className="caldav-bindings-section" id="caldav-bindings-section" style="display:none">
<div className="caldav-bindings-header">
<h2 data-i18n="caldav.bindings.heading">Kalender</h2>
<button type="button" id="caldav-bindings-add-btn" className="btn-secondary" data-i18n="caldav.bindings.add">
+ Kalender hinzuf&uuml;gen
</button>
</div>
<p className="form-hint" data-i18n="caldav.bindings.hint">
Verbinde mehrere Kalender mit Paliad &mdash; einen Master f&uuml;r alles oder eigene Kalender pro Projekt.
</p>
<div id="caldav-bindings-list" className="caldav-bindings-list" />
<p className="entity-events-empty" id="caldav-bindings-empty" data-i18n="caldav.bindings.empty" style="display:none">
Noch keine Kalender konfiguriert.
</p>
</div>
<div className="caldav-log-card">
<h2 data-i18n="caldav.log.heading">Letzte Synchronisationen</h2>
<table className="entity-table entity-table--readonly caldav-log-table">
@@ -411,89 +392,6 @@ export function renderSettings(): string {
<Footer />
<PaliadinWidget />
{/* t-paliad-212 Slice 2b — single-step Add/Edit modal for
calendar bindings. Source picker (existing dropdown or
custom URL) + scope radio + display name. Edit mode hides
the source picker (path is fixed). */}
<div id="caldav-binding-modal" className="modal-backdrop" style="display:none">
<div className="modal-dialog">
<div className="modal-header">
<h2 id="caldav-binding-modal-title" data-i18n="caldav.bindings.modal.add_title">Kalender hinzuf&uuml;gen</h2>
<button type="button" className="modal-close" id="caldav-binding-modal-close" aria-label="Schlie&szlig;en">&times;</button>
</div>
<form id="caldav-binding-form" className="entity-form modal-body" autocomplete="off">
<div className="form-field" id="caldav-binding-source-field">
<label data-i18n="caldav.bindings.modal.source">Kalender</label>
<div className="caldav-binding-source-modes" id="caldav-binding-source-modes">
<label className="caldav-toggle-label">
<input type="radio" name="caldav-binding-source-mode" value="existing" checked />
<span data-i18n="caldav.bindings.modal.source.existing">Vorhandenen Kalender w&auml;hlen</span>
</label>
<label className="caldav-toggle-label" id="caldav-binding-source-mode-create-row" style="display:none">
<input type="radio" name="caldav-binding-source-mode" value="create" />
<span data-i18n="caldav.bindings.modal.source.create">Neuen Kalender erstellen</span>
</label>
<label className="caldav-toggle-label">
<input type="radio" name="caldav-binding-source-mode" value="custom" />
<span data-i18n="caldav.bindings.modal.source.custom">Eigene URL eingeben</span>
</label>
</div>
<select id="caldav-binding-discover-select">
<option value="" data-i18n="caldav.bindings.modal.source.loading">L&auml;dt&hellip;</option>
</select>
<input
type="text"
id="caldav-binding-custom-path"
placeholder="https://..."
style="display:none"
/>
{/* Slice 2c — Google-degrade notice. Shown when
supports_mkcalendar=false; the create-new radio is
hidden in that state, so users are nudged to the
custom-URL path. */}
<p className="form-hint caldav-binding-degrade-notice" id="caldav-binding-degrade-notice" style="display:none" data-i18n="caldav.bindings.modal.source.degrade">
Dieser Anbieter erlaubt das Erstellen neuer Kalender nicht via CalDAV.
Erstelle den Kalender direkt in der Anbieter-Oberfl&auml;che und f&uuml;ge ihn hier per URL hinzu.
</p>
</div>
<div className="form-field">
<label htmlFor="caldav-binding-display-name" data-i18n="caldav.bindings.modal.display_name">Anzeigename (optional)</label>
<input type="text" id="caldav-binding-display-name" data-i18n-placeholder="caldav.bindings.modal.display_name.placeholder" placeholder="z.B. Projekt Acme v Bosch" />
</div>
<div className="form-field">
<label data-i18n="caldav.bindings.modal.scope">Inhalt</label>
<div className="caldav-binding-scope-radios">
<label className="caldav-toggle-label">
<input type="radio" name="caldav-binding-scope" value="all_visible" checked />
<span data-i18n="caldav.bindings.modal.scope.all_visible">Alles, was ich sehe</span>
</label>
<label className="caldav-toggle-label">
<input type="radio" name="caldav-binding-scope" value="personal_only" />
<span data-i18n="caldav.bindings.modal.scope.personal_only">Nur pers&ouml;nliche Termine</span>
</label>
<label className="caldav-toggle-label">
<input type="radio" name="caldav-binding-scope" value="project" />
<span data-i18n="caldav.bindings.modal.scope.project">Ein Projekt:</span>
<select id="caldav-binding-project-select" disabled>
<option value="" data-i18n="caldav.bindings.modal.scope.project.loading">L&auml;dt&hellip;</option>
</select>
</label>
</div>
</div>
<p className="form-msg" id="caldav-binding-msg" />
<div className="form-actions">
<button type="button" className="btn-secondary" id="caldav-binding-cancel-btn" data-i18n="common.cancel">Abbrechen</button>
<button type="submit" className="btn-primary btn-cta-lime" id="caldav-binding-submit-btn" data-i18n="caldav.bindings.modal.submit_add">Hinzuf&uuml;gen</button>
</div>
</form>
</div>
</div>
<script src="/assets/settings.js"></script>
</body>
</html>

286
frontend/src/styles/global.css
View File

@@ -3441,49 +3441,6 @@ input[type="range"]::-moz-range-thumb {
cursor: pointer;
}
/* Notes toggle — checkbox affordance in the view-toggle bar that flips
per-card descriptive notes between compact (ⓘ tooltip icon) and
expanded (timeline-notes block). Sits with a leading separator so it
reads as a distinct control from the radio view picker. */
.fristen-notes-option {
display: inline-flex;
align-items: center;
gap: 0.35rem;
cursor: pointer;
color: var(--color-text);
margin-left: auto;
padding-left: 0.75rem;
border-left: 1px solid var(--color-border);
}
.fristen-notes-option input[type=checkbox] {
margin: 0;
cursor: pointer;
}
/* Compact note hint — sits in the timeline-meta line when the notes
toggle is off. Native browser tooltip via title= attribute carries
the full text on hover; tabindex=0 + aria-label make it
keyboard / screen-reader accessible. */
.timeline-note-hint {
display: inline-flex;
align-items: center;
justify-content: center;
min-width: 1.1rem;
height: 1.1rem;
border-radius: 50%;
font-size: 0.85rem;
color: var(--color-text-muted);
cursor: help;
user-select: none;
}
.timeline-note-hint:hover,
.timeline-note-hint:focus-visible {
color: var(--color-text);
outline: none;
}
/* Fristenrechner — three-column lane view (Proactive | Court | Reactive).
Each lane is independently date-ordered; party=both rows render below
as full-width spans because they apply to all sides. */
@@ -3882,177 +3839,7 @@ input[type="range"]::-moz-range-thumb {
font-size: 0.95rem;
}
/* --- Unified modal primitive (t-paliad-217) ---
Native <dialog>-backed. Layered on top of the legacy .modal-overlay /
.modal-card / .modal-content / .modal classes below; those stay in
place until each call site migrates to openModal(). The new BEM-style
.modal__* selectors avoid colliding with the legacy class hierarchy. */
dialog.modal {
border: none;
border-radius: calc(var(--radius) * 1.5);
box-shadow: var(--shadow-xl);
padding: 0;
background: var(--color-surface);
color: var(--color-text);
width: 100%;
max-width: min(90vw, var(--modal-max-w, 480px));
max-height: min(90vh, 40rem);
overflow: hidden;
display: flex;
flex-direction: column;
}
dialog.modal[data-size="sm"] { --modal-max-w: 380px; }
dialog.modal[data-size="lg"] { --modal-max-w: 640px; }
dialog.modal[data-size="full"] {
--modal-max-w: 100vw;
max-height: 100vh;
border-radius: 0;
}
dialog.modal::backdrop {
background: var(--color-overlay-modal);
}
/* Phone breakpoint — full-screen takeover ABOVE the PWA bottom-nav.
m's 2026-05-20 lock-in: the modal must not cover the bottom-nav and
must close via the browser back-button (handled in modal.ts). */
@media (max-width: 32rem) {
dialog.modal {
--modal-max-w: 100vw;
border-radius: 0;
max-height: calc(100vh - var(--bottom-nav-height, 56px));
margin-bottom: var(--bottom-nav-height, 56px);
}
}
.modal__header {
flex-shrink: 0;
padding: 1.25rem 1.5rem 0.75rem;
display: flex;
align-items: center;
justify-content: space-between;
gap: 1rem;
border-bottom: 1px solid var(--color-border);
}
.modal__title {
font-size: 1.15rem;
font-weight: 700;
margin: 0;
color: var(--color-text);
}
.modal__close {
background: none;
border: none;
cursor: pointer;
font-size: 1.5rem;
color: var(--color-text-muted);
padding: 0.25rem 0.5rem;
line-height: 1;
border-radius: var(--radius);
}
.modal__close:hover {
color: var(--color-text);
background: var(--color-surface-muted);
}
.modal__body {
flex: 1;
overflow-y: auto;
padding: 1.25rem 1.5rem;
font-size: 1rem;
color: var(--color-text);
}
.modal__footer {
flex-shrink: 0;
padding: 0.75rem 1.5rem 1.25rem;
display: flex;
gap: 0.75rem;
justify-content: flex-end;
border-top: 1px solid var(--color-border);
background: var(--color-surface);
}
/* --- approval-suggest modal body (t-paliad-217) ---
The body is laid out as three sections (editable / context /
comment), separated by light rules. Reuses the existing .form-field
shapes so input typography matches /deadlines/new + views editor. */
.approval-suggest-body {
display: flex;
flex-direction: column;
gap: 1.5rem;
}
.approval-suggest-intro {
margin: 0;
font-size: 0.9rem;
color: var(--color-text-muted);
line-height: 1.5;
}
.approval-suggest-section {
display: flex;
flex-direction: column;
gap: 0.75rem;
}
.approval-suggest-section-title {
font-size: 0.85rem;
font-weight: 700;
text-transform: uppercase;
letter-spacing: 0.04em;
color: var(--color-text-muted);
margin: 0;
}
.approval-suggest-section--context {
border-top: 1px dashed var(--color-border);
padding-top: 1rem;
}
.approval-suggest-context-grid {
display: grid;
grid-template-columns: max-content 1fr;
gap: 0.4rem 1rem;
margin: 0;
font-size: 0.88rem;
}
.approval-suggest-context-grid dt {
color: var(--color-text-muted);
font-weight: 600;
}
.approval-suggest-context-grid dd {
margin: 0;
color: var(--color-text);
}
.approval-suggest-prehint {
display: block;
margin-top: 0.25rem;
font-size: 0.78rem;
color: var(--color-text-muted);
font-style: italic;
}
.approval-suggest-section--note {
border-top: 1px solid var(--color-border);
padding-top: 1rem;
}
.approval-suggest-event-type-picker {
/* Picker styles its own internals (.event-type-picker). */
}
/* Legacy modal classes follow — kept until the other ~7 modals migrate. */
/* --- Modal (legacy) --- */
/* --- Modal --- */
.modal-overlay {
position: fixed;
@@ -5417,40 +5204,6 @@ dialog.modal::backdrop {
text-decoration: underline;
}
/* Submissions panel — t-paliad-215 Slice 1. */
.submission-row td {
vertical-align: middle;
}
.submission-name {
color: var(--color-text);
font-weight: 500;
display: block;
}
.submission-code {
color: var(--color-text-muted);
font-size: 0.85em;
font-family: var(--font-mono, monospace);
display: block;
margin-top: 0.1rem;
}
.submission-action-cell {
text-align: right;
white-space: nowrap;
}
.submission-no-template {
color: var(--color-text-muted);
font-size: 0.9em;
font-style: italic;
}
.submissions-hint {
margin-top: 1rem;
}
.checklist-instance-actions {
display: flex;
gap: 0.35rem;
@@ -12372,12 +12125,37 @@ dialog.quick-add-sheet::backdrop {
font-weight: 600;
}
/* Broadcast compose modal body styling. The shell (width, modal-body
padding, base form-field rules) is owned by the unified modal
primitive — these rules below cover only the broadcast-specific
content. Textarea gets a code-monospace face so the placeholder
syntax reads correctly. (Migrated onto openModal in t-paliad-217.) */
.broadcast-body [data-broadcast-body] {
/* Broadcast compose modal — extends .modal-overlay / .modal pattern. */
.modal-broadcast {
width: 720px;
max-width: 92vw;
max-height: 90vh;
display: flex;
flex-direction: column;
}
.modal-broadcast .modal-body {
overflow-y: auto;
flex: 1;
padding: 16px 20px;
}
.modal-broadcast label {
display: block;
margin-top: 12px;
margin-bottom: 4px;
font-weight: 500;
font-size: 14px;
}
.modal-broadcast input[type="text"],
.modal-broadcast textarea,
.modal-broadcast select {
width: 100%;
padding: 8px 10px;
border: 1px solid var(--color-border);
border-radius: 4px;
font-family: inherit;
font-size: 14px;
}
.modal-broadcast textarea {
resize: vertical;
min-height: 200px;
font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;

4
frontend/src/verfahrensablauf.tsx
View File

@@ -225,10 +225,6 @@ export function renderVerfahrensablauf(): string {
<input type="radio" name="fristen-view" value="timeline" />
<span data-i18n="deadlines.view.timeline">Zeitstrahl</span>
</label>
<label className="fristen-notes-option">
<input type="checkbox" id="fristen-notes-show" />
<span data-i18n="deadlines.notes.show">Hinweise anzeigen</span>
</label>
</div>
<div id="timeline-container">

5
go.mod
View File

@@ -4,19 +4,18 @@ go 1.24.0
require (
github.com/golang-jwt/jwt/v5 v5.3.1
github.com/golang-migrate/migrate/v4 v4.19.1
github.com/google/uuid v1.6.0
github.com/jmoiron/sqlx v1.4.0
github.com/lib/pq v1.12.3
github.com/xuri/excelize/v2 v2.10.1
)
require (
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/richardlehane/mscfb v1.0.6 // indirect
github.com/richardlehane/msoleps v1.0.6 // indirect
github.com/tiendc/go-deepcopy v1.7.2 // indirect
github.com/xuri/efp v0.0.1 // indirect
github.com/xuri/excelize/v2 v2.10.1 // indirect
github.com/xuri/nfp v0.0.2-0.20250530014748-2ddeb826f9a9 // indirect
golang.org/x/crypto v0.48.0 // indirect
golang.org/x/net v0.50.0 // indirect

58
go.sum
View File

@@ -1,11 +1,39 @@
filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/dhui/dktest v0.4.6 h1:+DPKyScKSEp3VLtbMDHcUq6V5Lm5zfZZVb0Sk7Ahom4=
github.com/dhui/dktest v0.4.6/go.mod h1:JHTSYDtKkvFNFHJKqCzVzqXecyv+tKt8EzceOmQOgbU=
github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
github.com/golang-migrate/migrate/v4 v4.19.1/go.mod h1:CTcgfjxhaUtsLipnLoQRWCrjYXycRz/g5+RWDuYgPrE=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
@@ -15,14 +43,26 @@ github.com/lib/pq v1.12.3 h1:tTWxr2YLKwIvK90ZXEw8GP7UFHtcbTtty8zsI+YjrfQ=
github.com/lib/pq v1.12.3/go.mod h1:/p+8NSbOcwzAEI7wiMXFlgydTwcgTr3OSKMsD2BitpA=
github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/richardlehane/mscfb v1.0.6 h1:eN3bvvZCp00bs7Zf52bxNwAx5lJDBK1tCuH19qq5aC8=
github.com/richardlehane/mscfb v1.0.6/go.mod h1:pe0+IUIc0AHh0+teNzBlJCtSyZdFOGgV4ZK9bsoV+Jo=
github.com/richardlehane/msoleps v1.0.6 h1:9BvkpjvD+iUBalUY4esMwv6uBkfOip/Lzvd93jvR9gg=
github.com/richardlehane/msoleps v1.0.6/go.mod h1:BWev5JBpU9Ko2WAgmZEuiz4/u3ZYTKbjLycmwiWUfWg=
github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/tiendc/go-deepcopy v1.7.2 h1:Ut2yYR7W9tWjTQitganoIue4UGxZwCcJy3orjrrIj44=
github.com/tiendc/go-deepcopy v1.7.2/go.mod h1:4bKjNC2r7boYOkD2IOuZpYjmlDdzjbpTRyCx+goBCJQ=
github.com/xuri/efp v0.0.1 h1:fws5Rv3myXyYni8uwj2qKjVaRP30PdjeYe2Y6FDsCL8=
@@ -31,12 +71,22 @@ github.com/xuri/excelize/v2 v2.10.1 h1:V62UlqopMqha3kOpnlHy2CcRVw1V8E63jFoWUmMzx
github.com/xuri/excelize/v2 v2.10.1/go.mod h1:iG5tARpgaEeIhTqt3/fgXCGoBRt4hNXgCp3tfXKoOIc=
github.com/xuri/nfp v0.0.2-0.20250530014748-2ddeb826f9a9 h1:+C0TIdyyYmzadGaL/HBLbf3WdLgC29pgyhTjAT/0nuE=
github.com/xuri/nfp v0.0.2-0.20250530014748-2ddeb826f9a9/go.mod h1:WwHg+CVyzlv/TX9xqBFXEZAuxOPxn2k1GNHwG41IIUQ=
go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
golang.org/x/image v0.25.0 h1:Y6uW6rH1y5y/LK1J8BPWZtr6yZ7hrsy6hFrXjgsc2fQ=
golang.org/x/image v0.25.0/go.mod h1:tCAmOEGthTtkalusGp1g3xa2gke8J6c2N565dTyl9Rs=
golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

325
internal/db/migrate.go
View File

@@ -1,78 +1,46 @@
// Package db owns the Paliad Postgres connection and embedded schema migrations.
//
// Migrations are NNN_description.up.sql / .down.sql files in the migrations/
// subdirectory, embedded into the binary so a single artifact ships with its
// schema. The server applies pending migrations at startup before binding
// the HTTP listener.
//
// The runner tracks applied state as a set, not a counter: every applied
// migration gets its own row in paliad.applied_migrations(version PK, name,
// applied_at, checksum). On every deploy, pending = on_disk \ applied, in
// ascending version order. Gaps in the version space are first-class — a
// version that's missing from applied_migrations runs on the next deploy,
// regardless of which higher versions are already applied.
//
// This is what closes the parallel-merge skip-hole that the single-counter
// tracker (golang-migrate) silently fell into on 2026-05-20 (m/paliad#44).
// Background and design: docs/design-migration-runner-applied-set-2026-05-20.md.
//
// .down.sql files ship in the embedded FS as reference material but are not
// auto-applied — there are no call sites for rolling back, and operator
// recovery (psql .down.sql + DELETE FROM paliad.applied_migrations WHERE
// version=N) is the documented path. If a real call site for auto-rollback
// materializes later, add it as a focused follow-up.
// Migrations are golang-migrate format (NNN_description.up.sql / .down.sql) and
// live in the migrations/ subdirectory, embedded into the binary so a single
// artifact ships with its schema. The server applies pending migrations at
// startup before binding the HTTP listener.
package db
import (
"crypto/sha256"
"database/sql"
"embed"
"errors"
"fmt"
"hash/fnv"
"sort"
"strconv"
"strings"
"github.com/golang-migrate/migrate/v4"
"github.com/golang-migrate/migrate/v4/database/postgres"
"github.com/golang-migrate/migrate/v4/source/iofs"
_ "github.com/lib/pq"
)
//go:embed migrations/*.sql
var migrationFS embed.FS
// advisoryLockID is the Postgres advisory-lock id the runner takes around
// the apply loop. Derived once from the table name so the value is stable
// across processes — two concurrent deploys (rolling Dokploy update, dev
// laptop hitting the same scratch DB as CI) serialize on this id rather
// than racing on the pending set.
// migrationsTable is the name of the golang-migrate tracking table. We use a
// uniquely-named table (not the default "schema_migrations") because the
// production Supabase instance hosts multiple apps in the `public` schema,
// and a differently-shaped `public.schema_migrations` already exists there.
// Using "paliad_schema_migrations" prevents collision at startup.
//
// FNV-1a-64 is good enough: the id only has to be a stable int64, not
// cryptographically uniform. Process-wide constant.
var advisoryLockID = func() int64 {
h := fnv.New64a()
_, _ = h.Write([]byte("paliad.applied_migrations"))
return int64(h.Sum64())
}()
// The table lives in the `public` schema (golang-migrate's default) rather
// than `paliad`. Rationale: migration 001's down-step is
// DROP SCHEMA IF EXISTS paliad CASCADE
// which would take the tracking table with it — breaking any subsequent
// migrate.Up() call. Keeping the tracker in `public` makes the down-path
// safe and idempotent.
const migrationsTable = "paliad_schema_migrations"
// migration is one *.up.sql file from the embedded FS.
type migration struct {
version int
name string
filename string
}
// ApplyMigrations applies every pending up-migration to the given database.
// ApplyMigrations runs all pending up-migrations against the given database
// URL. Returns nil if no migrations were pending. Safe to call repeatedly.
//
// Safe to call repeatedly; a fully-applied tree is a no-op. Returns the
// first error encountered (with the offending migration filename wrapped
// in the message) and leaves the rest of pending unapplied — same fail-fast
// posture as the previous golang-migrate runner.
//
// On first deploy of this code path against a database that still has the
// legacy paliad.paliad_schema_migrations counter at version N, the runner
// seeds paliad.applied_migrations with rows 1..N (checksum NULL) before
// applying anything new. The first deploy is therefore effectively a
// no-op against the schema — the bootstrap just relabels existing state.
// Pre-creates the `paliad` schema before invoking golang-migrate because the
// first migration creates it and golang-migrate's tracking table would
// otherwise be created in whatever `current_schema()` happens to be.
func ApplyMigrations(databaseURL string) error {
if databaseURL == "" {
return errors.New("database URL is empty")
@@ -83,250 +51,39 @@ func ApplyMigrations(databaseURL string) error {
return fmt.Errorf("open database: %w", err)
}
defer conn.Close()
if err := conn.Ping(); err != nil {
return fmt.Errorf("ping database: %w", err)
}
// Ensure the paliad schema exists. Mig 001 also creates it; the
// applied_migrations table lives in paliad.* and gets created before
// any migrations run, so the schema must exist first.
// Bootstrap the paliad schema so later migrations can target it cleanly.
// This duplicates migration 001, but is idempotent via IF NOT EXISTS and
// ensures the schema exists before golang-migrate touches the DB.
if _, err := conn.Exec(`CREATE SCHEMA IF NOT EXISTS paliad`); err != nil {
return fmt.Errorf("ensure paliad schema: %w", err)
}
if _, err := conn.Exec(`SELECT pg_advisory_lock($1)`, advisoryLockID); err != nil {
return fmt.Errorf("acquire advisory lock: %w", err)
}
defer func() {
_, _ = conn.Exec(`SELECT pg_advisory_unlock($1)`, advisoryLockID)
}()
if _, err := conn.Exec(`
CREATE TABLE IF NOT EXISTS paliad.applied_migrations (
version int NOT NULL PRIMARY KEY,
name text NOT NULL,
applied_at timestamptz NOT NULL DEFAULT now(),
checksum text NULL
)
`); err != nil {
return fmt.Errorf("create applied_migrations: %w", err)
}
onDisk, err := scanEmbeddedMigrations()
source, err := iofs.New(migrationFS, "migrations")
if err != nil {
return fmt.Errorf("scan embedded migrations: %w", err)
return fmt.Errorf("open migration source: %w", err)
}
if err := bootstrapFromLegacyTracker(conn, onDisk); err != nil {
return fmt.Errorf("bootstrap from legacy tracker: %w", err)
}
applied, err := readAppliedMigrations(conn)
driver, err := postgres.WithInstance(conn, &postgres.Config{
// Unique tracking-table name avoids collision with pre-existing
// public.schema_migrations owned by other apps on this Postgres.
MigrationsTable: migrationsTable,
})
if err != nil {
return fmt.Errorf("read applied_migrations: %w", err)
return fmt.Errorf("create migration driver: %w", err)
}
if err := checkNameAgreement(onDisk, applied); err != nil {
return err
m, err := migrate.NewWithInstance("iofs", source, "postgres", driver)
if err != nil {
return fmt.Errorf("create migrator: %w", err)
}
for _, m := range onDisk {
if _, ok := applied[m.version]; ok {
continue
}
if err := applyOne(conn, m); err != nil {
return fmt.Errorf("apply %s: %w", m.filename, err)
}
if err := m.Up(); err != nil && !errors.Is(err, migrate.ErrNoChange) {
return fmt.Errorf("apply migrations: %w", err)
}
return nil
}
// scanEmbeddedMigrations returns every NNN_*.up.sql in the embedded FS,
// sorted by version ascending. Hard-fails on two files sharing the same
// version prefix — that's the failure mode the parallel-merge incident
// exposed, and the runner refuses to start rather than silently picking one.
func scanEmbeddedMigrations() ([]migration, error) {
entries, err := migrationFS.ReadDir("migrations")
if err != nil {
return nil, fmt.Errorf("read migrations dir: %w", err)
}
seen := map[int]string{}
var out []migration
for _, e := range entries {
name := e.Name()
if !strings.HasSuffix(name, ".up.sql") {
continue
}
v, n, ok := parseMigrationFilename(name)
if !ok {
return nil, fmt.Errorf("unparseable migration filename %q "+
"(expected NNN_description.up.sql)", name)
}
if prior, dup := seen[v]; dup {
return nil, fmt.Errorf("two migrations at version %d: %q and %q — "+
"rename one and redeploy", v, prior, name)
}
seen[v] = name
out = append(out, migration{version: v, name: n, filename: name})
}
sort.Slice(out, func(i, j int) bool { return out[i].version < out[j].version })
return out, nil
}
// parseMigrationFilename splits "NNN_description.up.sql" into (NNN, description).
// Returns ok=false on any deviation from that shape.
func parseMigrationFilename(filename string) (version int, name string, ok bool) {
base := strings.TrimSuffix(filename, ".up.sql")
if base == filename {
return 0, "", false
}
underscore := strings.IndexByte(base, '_')
if underscore <= 0 {
return 0, "", false
}
v, err := strconv.Atoi(base[:underscore])
if err != nil {
return 0, "", false
}
return v, base[underscore+1:], true
}
// readAppliedMigrations returns a map version → name from
// paliad.applied_migrations. Returns an empty map (no error) if the table
// is missing — that's the fresh-DB path before the CREATE TABLE in
// ApplyMigrations runs against it.
func readAppliedMigrations(conn *sql.DB) (map[int]string, error) {
rows, err := conn.Query(`SELECT version, name FROM paliad.applied_migrations`)
if err != nil {
if strings.Contains(err.Error(), "does not exist") {
return map[int]string{}, nil
}
return nil, err
}
defer rows.Close()
out := map[int]string{}
for rows.Next() {
var v int
var n string
if err := rows.Scan(&v, &n); err != nil {
return nil, err
}
out[v] = n
}
return out, rows.Err()
}
// bootstrapFromLegacyTracker seeds paliad.applied_migrations from
// paliad.paliad_schema_migrations on the first deploy of the new runner
// against a DB that previously ran golang-migrate.
//
// Behavior:
// - applied_migrations already has rows → no-op (idempotent).
// - applied_migrations empty AND legacy tracker missing → no-op
// (virgin DB; the apply loop will run everything from scratch).
// - applied_migrations empty AND legacy tracker present, clean, version N
// → INSERT rows for every on-disk version ≤ N with checksum NULL.
// - applied_migrations empty AND legacy tracker dirty → hard-fail.
// The operator must recover the legacy tracker first (it being dirty
// means a prior golang-migrate run crashed mid-flight); we will not
// paper over an unknown state by guessing what landed.
//
// Backfilled rows have checksum NULL because the legacy runner didn't hash
// anything — we can't fabricate a provenance hash today without falsely
// claiming we know the byte-identity of what shipped historically.
func bootstrapFromLegacyTracker(conn *sql.DB, onDisk []migration) error {
var count int
if err := conn.QueryRow(`SELECT count(*) FROM paliad.applied_migrations`).Scan(&count); err != nil {
return fmt.Errorf("count applied_migrations: %w", err)
}
if count > 0 {
return nil
}
var legacyVer int
var legacyDirty bool
err := conn.QueryRow(`SELECT version, dirty FROM paliad.paliad_schema_migrations LIMIT 1`).
Scan(&legacyVer, &legacyDirty)
if errors.Is(err, sql.ErrNoRows) {
return nil
}
if err != nil {
if strings.Contains(err.Error(), "does not exist") {
return nil
}
return fmt.Errorf("read legacy tracker: %w", err)
}
if legacyDirty {
return fmt.Errorf("legacy paliad.paliad_schema_migrations is dirty at version %d — "+
"recover manually before deploying", legacyVer)
}
for _, m := range onDisk {
if m.version > legacyVer {
continue
}
if _, err := conn.Exec(`
INSERT INTO paliad.applied_migrations(version, name, applied_at, checksum)
VALUES ($1, $2, now(), NULL)
ON CONFLICT (version) DO NOTHING
`, m.version, m.name); err != nil {
return fmt.Errorf("backfill version %d: %w", m.version, err)
}
}
return nil
}
// checkNameAgreement hard-fails if a version that's already applied has a
// different name on disk than in the DB. Catches the post-merge rename
// accident where someone renames `098_foo.up.sql` to `098_bar.up.sql` —
// the SQL has already run on prod with the old name, so the rename is a
// lie about history. Operator recovery: revert the rename, or update the
// DB row if the rename is intentional.
//
// Backfilled rows have a name pulled from the on-disk filename, so an
// out-of-the-box backfill never trips this check.
func checkNameAgreement(onDisk []migration, applied map[int]string) error {
for _, m := range onDisk {
dbName, ok := applied[m.version]
if !ok {
continue
}
if dbName != m.name {
return fmt.Errorf("migration %d: disk name %q != DB name %q "+
"(renamed after apply? revert the rename, or UPDATE paliad.applied_migrations "+
"SET name=%q WHERE version=%d if the rename is intentional)",
m.version, m.name, dbName, m.name, m.version)
}
}
return nil
}
// applyOne runs one migration's .up.sql plus its INSERT row in a single
// transaction. All-or-nothing per migration: if the SQL fails, the row
// isn't inserted and the next deploy re-tries from the same point. If
// the INSERT fails (e.g. PK violation because the lock wasn't held), the
// SQL rolls back too.
func applyOne(conn *sql.DB, m migration) error {
body, err := migrationFS.ReadFile("migrations/" + m.filename)
if err != nil {
return fmt.Errorf("read %s: %w", m.filename, err)
}
checksum := fmt.Sprintf("%x", sha256.Sum256(body))
tx, err := conn.Begin()
if err != nil {
return fmt.Errorf("begin tx: %w", err)
}
defer func() { _ = tx.Rollback() }()
if _, err := tx.Exec(string(body)); err != nil {
return fmt.Errorf("exec sql: %w", err)
}
if _, err := tx.Exec(`
INSERT INTO paliad.applied_migrations(version, name, applied_at, checksum)
VALUES ($1, $2, now(), $3)
`, m.version, m.name, checksum); err != nil {
return fmt.Errorf("record applied: %w", err)
}
return tx.Commit()
}

181
internal/db/migrate_test.go
View File

@@ -1,49 +1,60 @@
// Package db tests — migration dry-run gate.
//
// This is the test that catches mig-N crash-loops before they reach prod.
// The new runner tracks applied state as a set in paliad.applied_migrations
// (one row per migration; see migrate.go). A migration that compiles cleanly
// but fails on apply (typo, missing column, wrong CHECK shape) crashes the
// Dokploy container loop before paliad.de finishes binding :8080, and the
// only way to learn about it today is to watch the deploy log.
// The convention since t-paliad-098/099 is that paliad migrations land in
// numeric order on a single trunk; the next deploy runs whichever ones are
// pending against the live `public.paliad_schema_migrations` tracker. A
// migration that compiles cleanly but fails on apply (typo, missing column,
// wrong CHECK shape) crashes the Dokploy container loop before paliad.de
// finishes binding :8080, and the only way to learn about it today is to
// watch the deploy log.
//
// TestMigrations_DryRun closes that gap: for every *.up.sql in this
// directory whose version is NOT present in paliad.applied_migrations on
// the scratch DB, it opens a transaction, runs the SQL, and ROLLBACKs.
// Any error fails the test with the file name + Postgres error. Always
// non-destructive — the ROLLBACK runs even on success, so the scratch DB
// stays at its starting set.
//
// "Pending" means: a version that's on disk but not in applied_migrations.
// In CI against a fresh scratch DB (where applied_migrations either
// doesn't exist or is empty), every migration is pending and gets
// verified. On a developer laptop whose scratch DB is already at HEAD,
// no migrations are pending and the test logs and passes — the protection
// only kicks in the moment a new *.up.sql lands in the tree before the
// developer runs `db.ApplyMigrations` against the same scratch DB.
// directory whose version is greater than the scratch DB's current tracker
// version, it opens a transaction, runs the SQL, and ROLLBACKs. Any error
// fails the test with the file name + Postgres error. Always non-destructive
// — the ROLLBACK runs even on success, so the scratch DB stays at its
// starting version.
//
// Requires TEST_DATABASE_URL (same pattern as the rest of the live-DB
// tests). Skipped without it.
//
// Design: docs/design-paliad-test-strategy-2026-05-19.md §5 Slice 1 and
// docs/design-migration-runner-applied-set-2026-05-20.md §6.
// Design: docs/design-paliad-test-strategy-2026-05-19.md §5 Slice 1.
package db
import (
"database/sql"
"errors"
"fmt"
"os"
"sort"
"strconv"
"strings"
"testing"
_ "github.com/lib/pq"
)
// migration is one *.up.sql file from the embedded migrations FS.
type migration struct {
version int
name string
filename string
}
// TestMigrations_DryRun walks every pending *.up.sql in numeric order,
// applies each inside its own BEGIN/ROLLBACK against the scratch DB, and
// fails the test on the first SQL error. Reports per-file as a sub-test so
// `go test -v` shows which migration failed.
//
// What "pending" means: greater than the scratch DB's current tracker
// version (or 0 if the tracker doesn't exist yet). In CI against a fresh
// scratch DB, every migration is pending and gets verified. On a developer
// laptop whose scratch DB is already at HEAD, no migrations are pending and
// the test logs the start version and passes — the protection only kicks in
// the moment a new *.up.sql lands in the tree before the developer runs
// `db.ApplyMigrations` against the same scratch DB.
func TestMigrations_DryRun(t *testing.T) {
url := os.Getenv("TEST_DATABASE_URL")
if url == "" {
@@ -68,32 +79,28 @@ func TestMigrations_DryRun(t *testing.T) {
t.Fatalf("ensure paliad schema: %v", err)
}
applied, err := readAppliedVersions(conn)
startVersion, dirty, err := currentTrackerVersion(conn)
if err != nil {
t.Fatalf("read applied_migrations: %v", err)
t.Fatalf("read tracker: %v", err)
}
if dirty {
t.Fatalf("tracker is dirty at version %d — fix that first (DROP the tracker row "+
"or restore from backup); the dry-run cannot trust a dirty starting state",
startVersion)
}
t.Logf("scratch DB tracker at version %d; walking pending migrations from %d upward",
startVersion, startVersion+1)
onDisk, err := scanEmbeddedMigrations()
migs, err := loadPendingMigrations(startVersion)
if err != nil {
t.Fatalf("scan embedded migrations: %v", err)
t.Fatalf("load migrations: %v", err)
}
var pending []migration
for _, m := range onDisk {
if !applied[m.version] {
pending = append(pending, m)
}
}
if len(pending) == 0 {
t.Logf("no pending migrations — scratch DB applied set covers every on-disk version (%d total)",
len(onDisk))
if len(migs) == 0 {
t.Logf("no pending migrations — scratch DB is at HEAD (%d)", startVersion)
return
}
t.Logf("scratch DB has %d/%d on-disk migrations applied; walking %d pending",
len(applied), len(onDisk), len(pending))
for _, m := range pending {
for _, m := range migs {
t.Run(fmt.Sprintf("%03d_%s", m.version, m.name), func(t *testing.T) {
body, err := migrationFS.ReadFile("migrations/" + m.filename)
if err != nil {
@@ -103,10 +110,10 @@ func TestMigrations_DryRun(t *testing.T) {
if err != nil {
t.Fatalf("begin: %v", err)
}
// Always rollback; the dry-run must not leave the scratch
// DB at a different applied set than where it started.
// Rollback is safe after a failed Exec — Postgres aborts
// the transaction internally on the first error.
// Always rollback; the dry-run must not leave the scratch DB
// at a different version than where it started. Rollback is
// safe to call even after a failed Exec — Postgres aborts the
// transaction internally on the first error.
defer func() { _ = tx.Rollback() }()
if _, err := tx.Exec(string(body)); err != nil {
@@ -116,30 +123,76 @@ func TestMigrations_DryRun(t *testing.T) {
}
}
// readAppliedVersions returns the set of versions present in
// paliad.applied_migrations on the scratch DB. Missing table → empty set
// (fresh-DB path; the table only exists after the runner has been called).
// currentTrackerVersion reads the latest version + dirty flag from the
// `public.paliad_schema_migrations` tracker. Returns (0, false, nil) when the
// tracker doesn't exist yet — that's the "fresh scratch DB" path.
//
// We don't pre-create the table here because the dry-run is supposed to be
// a passive observer — it must not mutate the scratch DB outside of its
// own per-mig BEGIN/ROLLBACK probes. A "table doesn't exist" outcome is
// the right read against a virgin scratch DB.
func readAppliedVersions(conn *sql.DB) (map[int]bool, error) {
rows, err := conn.Query(`SELECT version FROM paliad.applied_migrations`)
if err != nil {
if strings.Contains(err.Error(), "does not exist") {
return map[int]bool{}, nil
// We don't use golang-migrate's API to read this because golang-migrate's
// driver locks the tracker row on read; a test runner that calls this while
// the developer has paliad running locally would race. A plain SELECT is
// race-safe and matches what `psql` would show.
func currentTrackerVersion(conn *sql.DB) (version int, dirty bool, err error) {
const q = `SELECT version, dirty FROM public.paliad_schema_migrations LIMIT 1`
row := conn.QueryRow(q)
if scanErr := row.Scan(&version, &dirty); scanErr != nil {
// Missing table → fresh DB → start at 0. lib/pq surfaces this
// as `pq.Error.Code = "42P01"` (undefined_table); the simpler
// sql.ErrNoRows fires if the table exists but is empty (also
// fresh-DB-shaped).
if errors.Is(scanErr, sql.ErrNoRows) {
return 0, false, nil
}
return nil, err
}
defer rows.Close()
out := map[int]bool{}
for rows.Next() {
var v int
if err := rows.Scan(&v); err != nil {
return nil, err
if strings.Contains(scanErr.Error(), "does not exist") {
return 0, false, nil
}
out[v] = true
return 0, false, scanErr
}
return out, rows.Err()
return version, dirty, nil
}
// loadPendingMigrations returns every *.up.sql in the embedded FS whose
// version is greater than startVersion, sorted by version ascending. A
// filename like "098_submission_codes_prefix_and_rename.up.sql" yields
// version=98, name="submission_codes_prefix_and_rename".
func loadPendingMigrations(startVersion int) ([]migration, error) {
entries, err := migrationFS.ReadDir("migrations")
if err != nil {
return nil, fmt.Errorf("read migrations dir: %w", err)
}
var out []migration
for _, e := range entries {
name := e.Name()
if !strings.HasSuffix(name, ".up.sql") {
continue
}
v, n, ok := parseMigrationName(name)
if !ok {
return nil, fmt.Errorf("unparseable migration filename: %s "+
"(expected NNN_description.up.sql)", name)
}
if v <= startVersion {
continue
}
out = append(out, migration{version: v, name: n, filename: name})
}
sort.Slice(out, func(i, j int) bool { return out[i].version < out[j].version })
return out, nil
}
// parseMigrationName splits "NNN_description.up.sql" into (NNN, description).
// Returns ok=false on any deviation from that shape.
func parseMigrationName(filename string) (version int, name string, ok bool) {
base := strings.TrimSuffix(filename, ".up.sql")
if base == filename { // suffix wasn't present
return 0, "", false
}
underscore := strings.IndexByte(base, '_')
if underscore <= 0 {
return 0, "", false
}
v, err := strconv.Atoi(base[:underscore])
if err != nil {
return 0, "", false
}
return v, base[underscore+1:], true
}

27
internal/db/migrations/103_approval_suggest_changes.down.sql
View File

@@ -1,27 +0,0 @@
-- Reverse of 103_approval_suggest_changes.up.sql.
--
-- Drops the previous_request_id index + column, drops counter_payload, and
-- restores the original status CHECK (without 'changes_requested'). If any
-- live rows are at status='changes_requested' OR carry a non-NULL
-- counter_payload OR previous_request_id, the down will fail on the CHECK
-- restore. That is intentional: it forces an explicit cleanup decision
-- before tearing the schema back.
SELECT set_config(
'paliad.audit_reason',
'mig 103 DOWN: revert suggest-changes schema extensions (t-paliad-216)',
true);
DROP INDEX IF EXISTS paliad.approval_requests_previous_idx;
ALTER TABLE paliad.approval_requests
DROP COLUMN IF EXISTS previous_request_id;
ALTER TABLE paliad.approval_requests
DROP COLUMN IF EXISTS counter_payload;
ALTER TABLE paliad.approval_requests
DROP CONSTRAINT IF EXISTS approval_requests_status_check;
ALTER TABLE paliad.approval_requests
ADD CONSTRAINT approval_requests_status_check
CHECK (status IN ('pending', 'approved', 'rejected', 'revoked', 'superseded'));

57
internal/db/migrations/103_approval_suggest_changes.up.sql
View File

@@ -1,57 +0,0 @@
-- t-paliad-216 Slice A — add the "Suggest changes" action to the approval
-- flow alongside Approve / Reject / Revoke. Design:
-- docs/design-approval-suggest-changes-2026-05-19.md.
--
-- Mental model (m's 2026-05-19 decisions, §0a of the design doc):
-- "Suggest changes" is not a soft-reject with a hint. It is the approver
-- AUTHORING A COUNTER-PROPOSAL that gets re-injected into the approval
-- flow as a fresh `pending` row. The original requester (no longer the
-- new row's requested_by) becomes potentially-eligible to approve the
-- counter — 4-Augen still holds via the standard self-approval guard.
--
-- Three schema additions to paliad.approval_requests:
-- 1. Extend the status CHECK to allow 'changes_requested'.
-- 2. counter_payload jsonb NULL — the approver's edited values,
-- stored on the OLD (changes_requested) row so the audit chain
-- can show "approver edited X, Y, Z" without joining forward.
-- Also used as the `payload` for the NEW row spawned in the same
-- tx by ApprovalService.SuggestChanges.
-- 3. previous_request_id uuid NULL FK — back-pointer on the NEW row
-- to the OLD (changes_requested) row that spawned it. ON DELETE
-- SET NULL keeps a survivor row intact if either end is ever
-- pruned. Partial index covers chain traversal.
--
-- The set_config('paliad.audit_reason', ...) line is the universal
-- convention for paliad migrations (mig 079 trigger pattern) — even
-- pure-DDL migrations set it so an audit trigger that fires on any
-- migration-touched table has a non-NULL reason string to record.
SELECT set_config(
'paliad.audit_reason',
'mig 103: add suggest-changes action — extend approval_requests.status CHECK with changes_requested, add counter_payload jsonb + previous_request_id FK (t-paliad-216 Slice A)',
true);
-- 1. Extend approval_requests.status CHECK.
ALTER TABLE paliad.approval_requests
DROP CONSTRAINT IF EXISTS approval_requests_status_check;
ALTER TABLE paliad.approval_requests
ADD CONSTRAINT approval_requests_status_check
CHECK (status IN (
'pending', 'approved', 'rejected', 'revoked', 'superseded', 'changes_requested'
));
-- 2. counter_payload — the approver's edited values when suggesting
-- changes. Stays NULL for every status other than changes_requested.
ALTER TABLE paliad.approval_requests
ADD COLUMN counter_payload jsonb;
-- 3. previous_request_id — back-pointer FK. NULL for first-attempt rows;
-- set to the prior (changes_requested) row's id on the NEW row spawned
-- by SuggestChanges. ON DELETE SET NULL keeps survivor rows intact.
ALTER TABLE paliad.approval_requests
ADD COLUMN previous_request_id uuid
REFERENCES paliad.approval_requests(id) ON DELETE SET NULL;
CREATE INDEX IF NOT EXISTS approval_requests_previous_idx
ON paliad.approval_requests (previous_request_id)
WHERE previous_request_id IS NOT NULL;

52
internal/db/migrations/104_einspruch_name_and_ccr_priority.down.sql
View File

@@ -1,52 +0,0 @@
-- Revert mig 104 — restore the bracket-bearing Einspruch names and
-- flip the CCR priority back to 'informational'.
SELECT set_config(
'paliad.audit_reason',
'mig 104 down: restore "Einspruch (R. 19 VerfO)" and "Einspruch (R. 19 i.V.m. R. 46 VerfO)" names + flip upc.inf.cfi.ccr priority back to informational',
true);
UPDATE paliad.deadline_rules dr
SET name_en = 'Preliminary Objection (RoP 19 in conjunction with RoP 46)'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.rev.cfi'
AND dr.submission_code = 'upc.rev.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name_en = 'Preliminary Objection';
UPDATE paliad.deadline_rules dr
SET name = 'Einspruch (R. 19 i.V.m. R. 46 VerfO)'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.rev.cfi'
AND dr.submission_code = 'upc.rev.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name = 'Einspruch';
UPDATE paliad.deadline_rules dr
SET name_en = 'Preliminary Objection (RoP 19)'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.inf.cfi'
AND dr.submission_code = 'upc.inf.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name_en = 'Preliminary Objection';
UPDATE paliad.deadline_rules dr
SET name = 'Einspruch (R. 19 VerfO)'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.inf.cfi'
AND dr.submission_code = 'upc.inf.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name = 'Einspruch';
UPDATE paliad.deadline_rules dr
SET priority = 'informational'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.inf.cfi'
AND dr.submission_code = 'upc.inf.cfi.ccr'
AND dr.lifecycle_state = 'published'
AND dr.priority = 'optional';

89
internal/db/migrations/104_einspruch_name_and_ccr_priority.up.sql
View File

@@ -1,89 +0,0 @@
-- t-paliad-207 (m's interactive session) — two label/priority polish
-- fixes on upc.inf.cfi / upc.rev.cfi:
--
-- 1. **CCR priority informational → optional.** m's correction
-- 2026-05-18 18:01: the Nichtigkeitswiderklage is a substantive
-- defensive choice the defendant makes — not just an informational
-- notice. priority='optional' renders it as an unchecked save row
-- the user can opt into. The fermi amend (commit e8d658a) flipping
-- this didn't land in main — paliadin's merge of mig 100 (commit
-- c10f8cf, merge 4ddcd28) picked up the pre-amend 'informational'
-- version. This is the recovery.
--
-- 2. **Strip rule citation from Einspruch names.** m's correction
-- 2026-05-18 18:08: every other rule name in the corpus carries
-- the act-name without a parenthetical rule cite (Klageerwiderung,
-- Antrag auf Patentänderung, Replik, etc.). The Einspruch rule
-- names are the outliers:
-- upc.inf.cfi.prelim "Einspruch (R. 19 VerfO)" → "Einspruch"
-- upc.rev.cfi.prelim "Einspruch (R. 19 i.V.m. R. 46 VerfO)" → "Einspruch"
-- and EN equivalents:
-- "Preliminary Objection (RoP 19)" → "Preliminary Objection"
-- "Preliminary Objection (RoP 19 in conjunction with RoP 46)"
-- → "Preliminary Objection"
-- The legal_source / rule_code columns already carry the citation
-- and render in the deadline card's meta line, so the name stays
-- clean. The R.46-i.V.m. distinction is preserved in the legal
-- source field (RoP.019.1 for both — m may want to further
-- differentiate; flagged in description text instead).
--
-- audit_reason set_config required at the top — the deadline_rules
-- audit trigger raises EXCEPTION 'audit reason required' on any
-- mutation without it (cf. mig 099 hotfix history).
--
-- Idempotency:
-- * Priority UPDATE guarded on the current 'informational' value.
-- * Name UPDATEs guarded on the current parenthetical-bearing names.
SELECT set_config(
'paliad.audit_reason',
'mig 104: flip upc.inf.cfi.ccr priority informational→optional + strip rule-cite brackets from R.19 Einspruch names on both upc.inf.cfi.prelim and upc.rev.cfi.prelim (m''s corrections 2026-05-18, t-paliad-207 interactive session)',
true);
-- 1) Flip CCR priority
UPDATE paliad.deadline_rules dr
SET priority = 'optional'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.inf.cfi'
AND dr.submission_code = 'upc.inf.cfi.ccr'
AND dr.lifecycle_state = 'published'
AND dr.priority = 'informational';
-- 2a) Strip "(R. 19 VerfO)" from upc.inf.cfi.prelim DE/EN names
UPDATE paliad.deadline_rules dr
SET name = 'Einspruch'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.inf.cfi'
AND dr.submission_code = 'upc.inf.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name = 'Einspruch (R. 19 VerfO)';
UPDATE paliad.deadline_rules dr
SET name_en = 'Preliminary Objection'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.inf.cfi'
AND dr.submission_code = 'upc.inf.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name_en = 'Preliminary Objection (RoP 19)';
-- 2b) Strip "(R. 19 i.V.m. R. 46 VerfO)" from upc.rev.cfi.prelim DE/EN names
UPDATE paliad.deadline_rules dr
SET name = 'Einspruch'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.rev.cfi'
AND dr.submission_code = 'upc.rev.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name = 'Einspruch (R. 19 i.V.m. R. 46 VerfO)';
UPDATE paliad.deadline_rules dr
SET name_en = 'Preliminary Objection'
FROM paliad.proceeding_types pt
WHERE dr.proceeding_type_id = pt.id
AND pt.code = 'upc.rev.cfi'
AND dr.submission_code = 'upc.rev.cfi.prelim'
AND dr.lifecycle_state = 'published'
AND dr.name_en = 'Preliminary Objection (RoP 19 in conjunction with RoP 46)';

31
internal/db/migrations/105_upc_inf_track_aware_sequence.down.sql
View File

@@ -1,31 +0,0 @@
-- Revert mig 105 — restore the pre-mig-105 sequence_order values
-- (post-mig-100 state). Same two-phase swap pattern.
SELECT set_config(
'paliad.audit_reason',
'mig 105 down: restore pre-track-aware sequence_order on upc.inf.cfi rules',
true);
-- Phase 1: park
UPDATE paliad.deadline_rules SET sequence_order = 1011 WHERE submission_code = 'upc.inf.cfi.ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 20;
UPDATE paliad.deadline_rules SET sequence_order = 1012 WHERE submission_code = 'upc.inf.cfi.def_to_ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 22;
UPDATE paliad.deadline_rules SET sequence_order = 1013 WHERE submission_code = 'upc.inf.cfi.app_to_amend' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 30;
UPDATE paliad.deadline_rules SET sequence_order = 1020 WHERE submission_code = 'upc.inf.cfi.reply' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 12;
UPDATE paliad.deadline_rules SET sequence_order = 1021 WHERE submission_code = 'upc.inf.cfi.def_to_amend' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 32;
UPDATE paliad.deadline_rules SET sequence_order = 1022 WHERE submission_code = 'upc.inf.cfi.reply_def_ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 24;
UPDATE paliad.deadline_rules SET sequence_order = 1030 WHERE submission_code = 'upc.inf.cfi.rejoin' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 14;
UPDATE paliad.deadline_rules SET sequence_order = 1031 WHERE submission_code = 'upc.inf.cfi.reply_def_amd' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 34;
UPDATE paliad.deadline_rules SET sequence_order = 1032 WHERE submission_code = 'upc.inf.cfi.rejoin_reply_ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 26;
UPDATE paliad.deadline_rules SET sequence_order = 1033 WHERE submission_code = 'upc.inf.cfi.rejoin_amd' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 36;
-- Phase 2: assign originals
UPDATE paliad.deadline_rules SET sequence_order = 11 WHERE submission_code = 'upc.inf.cfi.ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1011;
UPDATE paliad.deadline_rules SET sequence_order = 12 WHERE submission_code = 'upc.inf.cfi.def_to_ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1012;
UPDATE paliad.deadline_rules SET sequence_order = 13 WHERE submission_code = 'upc.inf.cfi.app_to_amend' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1013;
UPDATE paliad.deadline_rules SET sequence_order = 20 WHERE submission_code = 'upc.inf.cfi.reply' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1020;
UPDATE paliad.deadline_rules SET sequence_order = 21 WHERE submission_code = 'upc.inf.cfi.def_to_amend' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1021;
UPDATE paliad.deadline_rules SET sequence_order = 22 WHERE submission_code = 'upc.inf.cfi.reply_def_ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1022;
UPDATE paliad.deadline_rules SET sequence_order = 30 WHERE submission_code = 'upc.inf.cfi.rejoin' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1030;
UPDATE paliad.deadline_rules SET sequence_order = 31 WHERE submission_code = 'upc.inf.cfi.reply_def_amd' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1031;
UPDATE paliad.deadline_rules SET sequence_order = 32 WHERE submission_code = 'upc.inf.cfi.rejoin_reply_ccr' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1032;
UPDATE paliad.deadline_rules SET sequence_order = 33 WHERE submission_code = 'upc.inf.cfi.rejoin_amd' AND proceeding_type_id = 8 AND lifecycle_state = 'published' AND sequence_order = 1033;

211
internal/db/migrations/105_upc_inf_track_aware_sequence.up.sql
View File

@@ -1,211 +0,0 @@
-- t-paliad-207 — re-sequence upc.inf.cfi rules so within any tied-date
-- group the infringement-track responses sit ABOVE the revocation-
-- track responses ABOVE the amendment-track responses. m's ask
-- 2026-05-18 18:08: "the infringement parts (like Replik) should show
-- above the part for the revocation (Erwiderung Nichtigkeitswider-
-- klage)".
--
-- Three tracks coexist on upc.inf.cfi once the with_ccr / with_amend
-- flags are set. They share calendar dates because R.29 / R.30 / R.32
-- all key off the SoD or its descendants. The current sequence_orders
-- (post-mig 100) interleave them; the user sees Erwiderung-zur-CCR
-- before Replik even though Replik is the infringement-side response
-- to the same triggering event.
--
-- New sequence_order assignment (preserves the soc=0, prelim=5,
-- sod=10, ccr=11 anchors at the head; phase markers interim/oral/
-- decision/cost_app/appeal_spawn keep their existing 40/50/60/70/80
-- slots at the tail):
--
-- Old → New submission_code track date
-- --- --- --------------- ----- ----
-- 0 0 upc.inf.cfi.soc — D+0
-- 5 5 upc.inf.cfi.prelim — D+1mo
-- 10 10 upc.inf.cfi.sod infringement D+3mo
-- 11 20 upc.inf.cfi.ccr revocation D+3mo
-- 20 12 upc.inf.cfi.reply infringement D+5mo ← MOVED UP
-- 12 22 upc.inf.cfi.def_to_ccr revocation D+5mo
-- 13 30 upc.inf.cfi.app_to_amend amendment D+5mo
-- 30 14 upc.inf.cfi.rejoin infringement D+6mo ← MOVED UP
-- 22 24 upc.inf.cfi.reply_def_ccr revocation D+7mo
-- 21 32 upc.inf.cfi.def_to_amend amendment D+7mo
-- 32 26 upc.inf.cfi.rejoin_reply_ccr revocation D+8mo
-- 31 34 upc.inf.cfi.reply_def_amd amendment D+8mo
-- 33 36 upc.inf.cfi.rejoin_amd amendment D+9mo
-- 40 40 upc.inf.cfi.interim phase later
-- 50 50 upc.inf.cfi.oral phase later
-- 60 60 upc.inf.cfi.decision phase later
-- 70 70 upc.inf.cfi.cost_app phase later
-- 80 80 upc.inf.cfi.appeal_spawn phase later
--
-- Order within each tied-date group after the reshuffle:
-- D+3mo: sod(10), ccr(20) — SoD then its CCR
-- D+5mo: reply(12), def_to_ccr(22), app_to_amend(30) — inf → rev → amd
-- D+7mo: reply_def_ccr(24), def_to_amend(32) — rev → amd
-- D+8mo: rejoin_reply_ccr(26), reply_def_amd(34) — rev → amd
--
-- (no infringement-track rule at +7mo or +8mo so revocation leads
-- those dates; rejoin sits alone at +6mo so it has no peers to order
-- against.)
--
-- audit_reason set_config required at the top — the deadline_rules
-- audit trigger raises EXCEPTION 'audit reason required' on any
-- mutation without it (cf. mig 099 hotfix history).
--
-- Idempotency: every UPDATE is guarded by both the submission_code
-- AND the SOURCE sequence_order, so re-apply is a no-op once the new
-- numbers are in place.
SELECT set_config(
'paliad.audit_reason',
'mig 105: re-sequence upc.inf.cfi rules track-aware (infringement → revocation → amendment within tied-date groups; m''s 2026-05-18 ask, t-paliad-207 interactive session)',
true);
-- Two-phase swap to avoid sequence collisions during the UPDATE
-- (otherwise two rules can briefly share a sequence_order if Postgres
-- evaluates them in parallel). Phase 1: move every reshuffled rule to
-- a high temporary number (1000+). Phase 2: assign final numbers.
-- ─── Phase 1: park reshuffled rules at 1000+ ────────────────────────
UPDATE paliad.deadline_rules
SET sequence_order = 1011
WHERE submission_code = 'upc.inf.cfi.ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 11;
UPDATE paliad.deadline_rules
SET sequence_order = 1012
WHERE submission_code = 'upc.inf.cfi.def_to_ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 12;
UPDATE paliad.deadline_rules
SET sequence_order = 1013
WHERE submission_code = 'upc.inf.cfi.app_to_amend'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 13;
UPDATE paliad.deadline_rules
SET sequence_order = 1020
WHERE submission_code = 'upc.inf.cfi.reply'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 20;
UPDATE paliad.deadline_rules
SET sequence_order = 1021
WHERE submission_code = 'upc.inf.cfi.def_to_amend'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 21;
UPDATE paliad.deadline_rules
SET sequence_order = 1022
WHERE submission_code = 'upc.inf.cfi.reply_def_ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 22;
UPDATE paliad.deadline_rules
SET sequence_order = 1030
WHERE submission_code = 'upc.inf.cfi.rejoin'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 30;
UPDATE paliad.deadline_rules
SET sequence_order = 1031
WHERE submission_code = 'upc.inf.cfi.reply_def_amd'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 31;
UPDATE paliad.deadline_rules
SET sequence_order = 1032
WHERE submission_code = 'upc.inf.cfi.rejoin_reply_ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 32;
UPDATE paliad.deadline_rules
SET sequence_order = 1033
WHERE submission_code = 'upc.inf.cfi.rejoin_amd'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 33;
-- ─── Phase 2: assign final track-aware numbers ──────────────────────
UPDATE paliad.deadline_rules
SET sequence_order = 12
WHERE submission_code = 'upc.inf.cfi.reply'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1020;
UPDATE paliad.deadline_rules
SET sequence_order = 14
WHERE submission_code = 'upc.inf.cfi.rejoin'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1030;
UPDATE paliad.deadline_rules
SET sequence_order = 20
WHERE submission_code = 'upc.inf.cfi.ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1011;
UPDATE paliad.deadline_rules
SET sequence_order = 22
WHERE submission_code = 'upc.inf.cfi.def_to_ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1012;
UPDATE paliad.deadline_rules
SET sequence_order = 24
WHERE submission_code = 'upc.inf.cfi.reply_def_ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1022;
UPDATE paliad.deadline_rules
SET sequence_order = 26
WHERE submission_code = 'upc.inf.cfi.rejoin_reply_ccr'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1032;
UPDATE paliad.deadline_rules
SET sequence_order = 30
WHERE submission_code = 'upc.inf.cfi.app_to_amend'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1013;
UPDATE paliad.deadline_rules
SET sequence_order = 32
WHERE submission_code = 'upc.inf.cfi.def_to_amend'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1021;
UPDATE paliad.deadline_rules
SET sequence_order = 34
WHERE submission_code = 'upc.inf.cfi.reply_def_amd'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1031;
UPDATE paliad.deadline_rules
SET sequence_order = 36
WHERE submission_code = 'upc.inf.cfi.rejoin_amd'
AND proceeding_type_id = 8
AND lifecycle_state = 'published'
AND sequence_order = 1033;

28
internal/db/migrations/106_add_madrid_office.down.sql
View File

@@ -1,28 +0,0 @@
-- Revert mig 106 — drop 'madrid' from the office CHECK constraints.
--
-- Will fail if any users.office or partner_units.office row carries
-- 'madrid' — that's intentional (the down has no opinion on the data;
-- caller must clean up first or accept the failure).
SELECT set_config(
'paliad.audit_reason',
'mig 106 down: restore pre-madrid office CHECK on users + partner_units',
true);
ALTER TABLE paliad.users
DROP CONSTRAINT IF EXISTS users_office_check;
ALTER TABLE paliad.users
ADD CONSTRAINT users_office_check
CHECK (office IN (
'munich', 'duesseldorf', 'hamburg',
'amsterdam', 'london', 'paris', 'milan'
));
ALTER TABLE paliad.partner_units
DROP CONSTRAINT IF EXISTS partner_units_office_check;
ALTER TABLE paliad.partner_units
ADD CONSTRAINT partner_units_office_check
CHECK (office IN (
'munich', 'duesseldorf', 'hamburg',
'amsterdam', 'london', 'paris', 'milan'
));

42
internal/db/migrations/106_add_madrid_office.up.sql
View File

@@ -1,42 +0,0 @@
-- mig 106 — add 'madrid' to firm office CHECK constraints
--
-- m's ask 2026-05-20 09:42: add Madrid as an HLC office, alongside the
-- existing seven (munich, duesseldorf, hamburg, amsterdam, london,
-- paris, milan). Two active CHECK constraints to extend:
-- - paliad.users.office (mig 002)
-- - paliad.partner_units.office (mig 018; renamed mig 024 + mig 027)
--
-- The Go-side source of truth lives in internal/offices/offices.go;
-- this migration keeps the DB in sync.
--
-- Long-term, the admin area will let firms manage their own office
-- list (separate issue) — but for now the list is hard-coded here
-- + offices.go.
--
-- Non-blocking: extending a CHECK constraint is a metadata-only change
-- on a small enum-style column.
SELECT set_config(
'paliad.audit_reason',
'mig 106: add madrid to firm office CHECK on users + partner_units',
true);
ALTER TABLE paliad.users
DROP CONSTRAINT IF EXISTS users_office_check;
ALTER TABLE paliad.users
ADD CONSTRAINT users_office_check
CHECK (office IN (
'munich', 'duesseldorf', 'hamburg',
'amsterdam', 'london', 'paris', 'milan',
'madrid'
));
ALTER TABLE paliad.partner_units
DROP CONSTRAINT IF EXISTS partner_units_office_check;
ALTER TABLE paliad.partner_units
ADD CONSTRAINT partner_units_office_check
CHECK (office IN (
'munich', 'duesseldorf', 'hamburg',
'amsterdam', 'london', 'paris', 'milan',
'madrid'
));

5
internal/db/migrations/107_caldav_sync_log_binding_id.down.sql
View File

@@ -1,5 +0,0 @@
-- Reverse of 107: drop the binding_id column from caldav_sync_log.
-- The associated index drops automatically with the column.
ALTER TABLE paliad.caldav_sync_log
DROP COLUMN IF EXISTS binding_id;

53
internal/db/migrations/107_caldav_sync_log_binding_id.up.sql
View File

@@ -1,53 +0,0 @@
-- t-paliad-212 — Slice 2a of CalDAV multi-calendar.
--
-- Adds paliad.caldav_sync_log.binding_id so the per-tick sync log
-- records which binding the entry belongs to. NULL for legacy rows
-- and for "global" log entries that aren't per-binding (Slice 2a
-- still writes one row per user per tick — Slice 2b's sync rewrite
-- moves to one row per (user, binding) per tick).
--
-- FK uses ON DELETE SET NULL so deleting a binding doesn't blow away
-- its historical sync log (audit trail wins over referential tidiness).
--
-- Idempotent: column added via DO block with information_schema check.
SELECT set_config(
'paliad.audit_reason',
'mig 107: add caldav_sync_log.binding_id for per-binding sync log entries (t-paliad-212 Slice 2a)',
true);
DO $$
BEGIN
IF NOT EXISTS (
SELECT 1 FROM information_schema.columns
WHERE table_schema = 'paliad'
AND table_name = 'caldav_sync_log'
AND column_name = 'binding_id'
) THEN
ALTER TABLE paliad.caldav_sync_log
ADD COLUMN binding_id uuid
REFERENCES paliad.user_calendar_bindings(id) ON DELETE SET NULL;
END IF;
END $$;
CREATE INDEX IF NOT EXISTS caldav_sync_log_binding_idx
ON paliad.caldav_sync_log (binding_id, occurred_at DESC)
WHERE binding_id IS NOT NULL;
-- Assertion: column exists and is nullable.
DO $$
DECLARE
col_nullable text;
BEGIN
SELECT is_nullable INTO col_nullable
FROM information_schema.columns
WHERE table_schema = 'paliad'
AND table_name = 'caldav_sync_log'
AND column_name = 'binding_id';
IF col_nullable IS NULL THEN
RAISE EXCEPTION 'mig 107 assertion failed: caldav_sync_log.binding_id missing';
END IF;
IF col_nullable <> 'YES' THEN
RAISE EXCEPTION 'mig 107 assertion failed: caldav_sync_log.binding_id is NOT NULL (must be nullable)';
END IF;
END $$;

5
internal/db/migrations/108_caldav_mkcalendar_capability.down.sql
View File

@@ -1,5 +0,0 @@
-- Reverse of 108: drop the capability columns.
ALTER TABLE paliad.user_caldav_config
DROP COLUMN IF EXISTS supports_mkcalendar,
DROP COLUMN IF EXISTS mkcalendar_probed_at;

67
internal/db/migrations/108_caldav_mkcalendar_capability.up.sql
View File

@@ -1,67 +0,0 @@
-- t-paliad-212 — Slice 2c of CalDAV multi-calendar.
--
-- Adds the MKCALENDAR-capability tri-state to paliad.user_caldav_config:
-- * supports_mkcalendar = NULL → unprobed (probe runs lazily on
-- the first /api/caldav-discover or
-- /api/caldav-mkcalendar call).
-- * supports_mkcalendar = TRUE → server accepts MKCALENDAR; the
-- "Create new calendar" affordance
-- in the picker is visible.
-- * supports_mkcalendar = FALSE → Google-style degrade; UI hides the
-- create button and surfaces the
-- "create it in your provider's UI"
-- notice with a manual-URL input.
-- The probed_at timestamp lets us re-probe stale-cached results when
-- the user changes credentials (SaveConfig invalidates by SetNull in
-- the Go service layer; the column is here so the next round of
-- probing has somewhere to land).
--
-- Idempotent (column-exists DO block) + assertion at the bottom.
SELECT set_config(
'paliad.audit_reason',
'mig 108: add user_caldav_config.supports_mkcalendar tri-state for t-paliad-212 Slice 2c capability probe',
true);
DO $$
BEGIN
IF NOT EXISTS (
SELECT 1 FROM information_schema.columns
WHERE table_schema = 'paliad'
AND table_name = 'user_caldav_config'
AND column_name = 'supports_mkcalendar'
) THEN
ALTER TABLE paliad.user_caldav_config
ADD COLUMN supports_mkcalendar boolean;
END IF;
IF NOT EXISTS (
SELECT 1 FROM information_schema.columns
WHERE table_schema = 'paliad'
AND table_name = 'user_caldav_config'
AND column_name = 'mkcalendar_probed_at'
) THEN
ALTER TABLE paliad.user_caldav_config
ADD COLUMN mkcalendar_probed_at timestamptz;
END IF;
END $$;
-- Assertion — both columns present and nullable.
DO $$
DECLARE
sup_nullable text;
probed_nullable text;
BEGIN
SELECT is_nullable INTO sup_nullable
FROM information_schema.columns
WHERE table_schema = 'paliad' AND table_name = 'user_caldav_config'
AND column_name = 'supports_mkcalendar';
SELECT is_nullable INTO probed_nullable
FROM information_schema.columns
WHERE table_schema = 'paliad' AND table_name = 'user_caldav_config'
AND column_name = 'mkcalendar_probed_at';
IF sup_nullable <> 'YES' OR probed_nullable <> 'YES' THEN
RAISE EXCEPTION
'mig 108 assertion failed: expected both columns nullable, got supports=% probed=%',
sup_nullable, probed_nullable;
END IF;
END $$;

3
internal/db/migrations/109_user_dashboard_layouts.down.sql
View File

@@ -1,3 +0,0 @@
-- Reverse of 109_user_dashboard_layouts.up.sql.
DROP TABLE IF EXISTS paliad.user_dashboard_layouts;

29
internal/db/migrations/109_user_dashboard_layouts.up.sql
View File

@@ -1,29 +0,0 @@
-- t-paliad-219 Slice A1: per-user dashboard layout.
--
-- Design: docs/design-dashboard-configurable-2026-05-20.md §5.1 (newton,
-- m-locked 2026-05-20: single layout per user, Q2).
--
-- Stores one configurable dashboard layout per user as a single jsonb
-- column. The layout is an ordered list of (widget_key, visible, settings)
-- triples; see internal/services/dashboard_layout_spec.go DashboardLayoutSpec.
--
-- Single-row-per-user PK because m's Q2 pick is one layout per user (v1) —
-- no named-layout switcher. Forward path to named layouts (drop the PK, add
-- id+name+is_default columns) stays open if m later changes course.
--
-- RLS owner-only mirrors user_card_layouts / user_views — personal working
-- state, not auditable infrastructure. global_admin gets no override.
CREATE TABLE paliad.user_dashboard_layouts (
user_id uuid PRIMARY KEY REFERENCES paliad.users(id) ON DELETE CASCADE,
layout_json jsonb NOT NULL,
created_at timestamptz NOT NULL DEFAULT now(),
updated_at timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE paliad.user_dashboard_layouts ENABLE ROW LEVEL SECURITY;
CREATE POLICY user_dashboard_layouts_owner_all
ON paliad.user_dashboard_layouts FOR ALL
USING (user_id = auth.uid())
WITH CHECK (user_id = auth.uid());

221
internal/handlers/appointments.go
View File

@@ -8,7 +8,6 @@ import (
"github.com/google/uuid"
"mgit.msbls.de/m/paliad/internal/models"
"mgit.msbls.de/m/paliad/internal/services"
)
@@ -312,226 +311,6 @@ func handleTestCalDAVConfig(w http.ResponseWriter, r *http.Request) {
writeJSON(w, http.StatusOK, map[string]any{"ok": true})
}
// GET /api/caldav-bindings — list the authenticated user's CalDAV
// bindings (the (calendar, scope) entries layered on the single CalDAV
// server connection). Read-only in Slice 2a; full CRUD lands in Slice 2b.
func handleListCalDAVBindings(w http.ResponseWriter, r *http.Request) {
if !requireDB(w) {
return
}
uid, ok := requireUser(w, r)
if !ok {
return
}
if dbSvc.caldavBindings == nil {
writeJSON(w, http.StatusNotImplemented, map[string]any{
"error": "CalDAV bindings unavailable (CalDAV service not configured)",
})
return
}
rows, err := dbSvc.caldavBindings.ListForUser(r.Context(), uid)
if err != nil {
writeServiceError(w, err)
return
}
if rows == nil {
rows = []models.UserCalendarBinding{}
}
writeJSON(w, http.StatusOK, rows)
}
// POST /api/caldav-bindings — create a new binding for the
// authenticated user and synchronously fire a first push so the modal
// closes with events already landed. Returns 201 with the binding row.
func handleCreateCalDAVBinding(w http.ResponseWriter, r *http.Request) {
if !requireCalDAV(w) {
return
}
uid, ok := requireUser(w, r)
if !ok {
return
}
if dbSvc.caldavBindings == nil {
writeJSON(w, http.StatusNotImplemented, map[string]any{"error": "CalDAV bindings unavailable"})
return
}
var input services.CreateBindingInput
if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid JSON"})
return
}
// Default to enabled=true so the modal "Hinzufügen" button does the
// expected thing without forcing the user to toggle anything.
if !input.Enabled {
input.Enabled = true
}
binding, err := dbSvc.caldavBindings.Create(r.Context(), uid, input)
if err != nil {
writeCalDAVError(w, err)
return
}
// Synchronous first push per Q5 of the Slice 2 design (m's 2026-05-20
// pick): block the request so the user sees events already landed
// when the modal closes. PushBindingNow logs per-event failures and
// returns; we only surface a hard config/cipher error.
pushed, pushErr := dbSvc.caldav.PushBindingNow(r.Context(), uid, binding)
if pushErr != nil {
// Binding was created; sync failed. Tell the UI both bits so it
// can show "binding added, initial sync had a problem".
writeJSON(w, http.StatusCreated, map[string]any{
"binding": binding,
"initial_pushed": pushed,
"initial_sync_error": pushErr.Error(),
})
return
}
// Ensure the per-user goroutine is running so future ticks happen.
dbSvc.caldav.EnsureLoop(uid)
writeJSON(w, http.StatusCreated, map[string]any{
"binding": binding,
"initial_pushed": pushed,
})
}
// PATCH /api/caldav-bindings/{id} — partial update. Lazy scope cleanup
// per Q6: stale targets get dropped on the next sync tick, not here.
func handlePatchCalDAVBinding(w http.ResponseWriter, r *http.Request) {
if !requireDB(w) {
return
}
uid, ok := requireUser(w, r)
if !ok {
return
}
if dbSvc.caldavBindings == nil {
writeJSON(w, http.StatusNotImplemented, map[string]any{"error": "CalDAV bindings unavailable"})
return
}
id, err := uuid.Parse(r.PathValue("id"))
if err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid id"})
return
}
var input services.UpdateBindingInput
if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid JSON"})
return
}
binding, err := dbSvc.caldavBindings.Update(r.Context(), uid, id, input)
if err != nil {
writeCalDAVError(w, err)
return
}
writeJSON(w, http.StatusOK, binding)
}
// DELETE /api/caldav-bindings/{id} — best-effort remote cleanup of every
// .ics this binding pushed, then drop the binding row. On partial remote
// failure the binding is disabled (not deleted) so the next sync tick
// can retry; the response is 202 Accepted in that case.
func handleDeleteCalDAVBinding(w http.ResponseWriter, r *http.Request) {
if !requireDB(w) {
return
}
uid, ok := requireUser(w, r)
if !ok {
return
}
if dbSvc.caldav == nil {
writeJSON(w, http.StatusNotImplemented, map[string]any{"error": "CalDAV bindings unavailable"})
return
}
id, err := uuid.Parse(r.PathValue("id"))
if err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid id"})
return
}
fully, err := dbSvc.caldav.RemoveBinding(r.Context(), uid, id)
if err != nil {
writeCalDAVError(w, err)
return
}
if !fully {
writeJSON(w, http.StatusAccepted, map[string]any{
"status": "partial",
"message": "Binding disabled; some remote events could not be deleted. Retry on next sync tick.",
})
return
}
w.WriteHeader(http.StatusNoContent)
}
// POST /api/caldav-mkcalendar — creates a new calendar on the user's
// CalDAV server via MKCALENDAR + a matching binding row in one logical
// transaction. Slice 2c only — visible when /api/caldav-discover
// reports supports_mkcalendar=true. Errors:
// - 501 when supports_mkcalendar=false (caller should show the
// Google-degrade UX with the manual-URL input).
// - 409 when the slugified name + 3 retries all collide on the
// server. UI should ask the user to type their own name.
func handleCalDAVMakeCalendar(w http.ResponseWriter, r *http.Request) {
if !requireCalDAV(w) {
return
}
uid, ok := requireUser(w, r)
if !ok {
return
}
var input services.CreateCalendarInput
if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid JSON"})
return
}
result, err := dbSvc.caldav.MakeCalendar(r.Context(), uid, input)
if err != nil {
switch {
case errors.Is(err, services.ErrMKCalendarUnsupported):
writeJSON(w, http.StatusNotImplemented, map[string]any{
"error": err.Error(),
"supports_mkcalendar": false,
})
case errors.Is(err, services.ErrCalendarNameTaken):
writeJSON(w, http.StatusConflict, map[string]any{
"error": err.Error(),
})
default:
// Binding-create / push errors carry the partial result so
// the UI can surface "created remotely but binding failed".
if result != nil {
writeJSON(w, http.StatusCreated, map[string]any{
"calendar_path": result.CalendarPath,
"binding": result.Binding,
"initial_pushed": result.InitialPushed,
"initial_sync_error": err.Error(),
})
return
}
writeCalDAVError(w, err)
}
return
}
writeJSON(w, http.StatusCreated, result)
}
// GET /api/caldav-discover — walks the calendar-home-set chain on the
// user's CalDAV server and returns the calendars they own. Cached
// server-side for 5 minutes per user (Q4 of Slice 2 brief).
func handleCalDAVDiscover(w http.ResponseWriter, r *http.Request) {
if !requireCalDAV(w) {
return
}
uid, ok := requireUser(w, r)
if !ok {
return
}
result, err := dbSvc.caldav.DiscoverCalendars(r.Context(), uid)
if err != nil {
writeCalDAVError(w, err)
return
}
writeJSON(w, http.StatusOK, result)
}
// GET /api/caldav-config/log — last 5 sync attempts.
func handleCalDAVSyncLog(w http.ResponseWriter, r *http.Request) {
if !requireCalDAV(w) {

64
internal/handlers/approvals.go
View File

@@ -270,8 +270,7 @@ func isValidInboxStatus(s string) bool {
services.RequestStatusApproved,
services.RequestStatusRejected,
services.RequestStatusRevoked,
services.RequestStatusSuperseded,
services.RequestStatusChangesRequested:
services.RequestStatusSuperseded:
return true
}
return false
@@ -326,67 +325,6 @@ func handleRevokeApprovalRequest(w http.ResponseWriter, r *http.Request) {
handleApprovalDecision(w, r, "revoke")
}
// suggestChangesBody is the JSON body for POST /api/approval-requests/{id}/suggest-changes.
// counter_payload is an entity-shaped jsonb of the approver's edited
// values (allowlist enforced server-side); note is the optional free-text
// explanation. The service rejects the call with
// ErrSuggestionRequiresChange when both are no-ops (counter is identical
// to the old row's payload AND note is empty).
type suggestChangesBody struct {
CounterPayload map[string]any `json:"counter_payload"`
Note string `json:"note"`
}
// POST /api/approval-requests/{id}/suggest-changes — t-paliad-216.
//
// In one transaction: close the pending request as 'changes_requested'
// (with the caller's note + counter_payload on the row), revert the entity
// from pre_image, then spawn a NEW pending approval_request authored by
// the caller carrying the counter_payload. Returns the new request id.
//
// Status mapping (see writeApprovalError → mapApprovalError):
//
// 400 suggestion_requires_change — counter == old payload AND no note
// 400 suggestion_lifecycle_invalid — old row's lifecycle ∉ (update, complete)
// 403 self_approval_blocked — caller == old row's requested_by
// 403 not_authorized — caller doesn't satisfy canApprove
// 404 — request not found / not visible
// 409 request_not_pending — old row already decided
// 409 no_qualified_approver — deadlock on the new row
func handleSuggestChangesApprovalRequest(w http.ResponseWriter, r *http.Request) {
if !requireDB(w) {
return
}
uid, ok := requireUser(w, r)
if !ok {
return
}
requestID, err := uuid.Parse(r.PathValue("id"))
if err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid request id"})
return
}
var body suggestChangesBody
if r.Body != nil && r.ContentLength > 0 {
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{
"code": "invalid_body",
"message": "Ungültiger Body.",
})
return
}
}
newID, err := dbSvc.approval.SuggestChanges(r.Context(), requestID, uid, body.CounterPayload, body.Note)
if err != nil {
writeApprovalError(w, err)
return
}
writeJSON(w, http.StatusOK, map[string]string{
"status": "ok",
"new_request_id": newID.String(),
})
}
func handleApprovalDecision(w http.ResponseWriter, r *http.Request, action string) {
if !requireDB(w) {
return

39
internal/handlers/approvals_test.go
View File

@@ -82,44 +82,6 @@ func TestMapApprovalError_MissReturnsFalse(t *testing.T) {
}
}
// TestMapApprovalError_SuggestionRequiresChange400 pins t-paliad-216:
// a no-op suggest-changes (no counter diff + no note) surfaces as a 400
// with code suggestion_requires_change so the frontend can disable the
// submit button instead of letting the user click into a dead-end alert.
func TestMapApprovalError_SuggestionRequiresChange400(t *testing.T) {
w := httptest.NewRecorder()
if !mapApprovalError(w, services.ErrSuggestionRequiresChange) {
t.Fatal("mapApprovalError returned false for ErrSuggestionRequiresChange")
}
if w.Code != http.StatusBadRequest {
t.Fatalf("status = %d, want 400", w.Code)
}
var body map[string]string
_ = json.Unmarshal(w.Body.Bytes(), &body)
if body["code"] != "suggestion_requires_change" {
t.Errorf("code = %q, want suggestion_requires_change", body["code"])
}
}
// TestMapApprovalError_SuggestionLifecycleInvalid400 pins t-paliad-216:
// suggest-changes on a create/delete lifecycle is rejected with a clean
// 400 + code suggestion_lifecycle_invalid so the frontend can hide the
// button for those rows.
func TestMapApprovalError_SuggestionLifecycleInvalid400(t *testing.T) {
w := httptest.NewRecorder()
if !mapApprovalError(w, services.ErrSuggestionLifecycleInvalid) {
t.Fatal("mapApprovalError returned false for ErrSuggestionLifecycleInvalid")
}
if w.Code != http.StatusBadRequest {
t.Fatalf("status = %d, want 400", w.Code)
}
var body map[string]string
_ = json.Unmarshal(w.Body.Bytes(), &body)
if body["code"] != "suggestion_lifecycle_invalid" {
t.Errorf("code = %q, want suggestion_lifecycle_invalid", body["code"])
}
}
// TestParseInboxFilter_DropsUnknownStatus pins t-paliad-160 §D regression
// hardening: a stray ?status=foo from a stale frontend build (or an
// attacker scoping us out of our own list) must NOT shadow rows out of
@@ -135,7 +97,6 @@ func TestParseInboxFilter_DropsUnknownStatus(t *testing.T) {
{"rejected", "rejected"},
{"revoked", "revoked"},
{"superseded", "superseded"},
{"changes_requested", "changes_requested"}, // t-paliad-216
{"foo", ""}, // unknown — dropped
{"DROP+TABLE", ""}, // hostile — dropped
{"PENDING", ""}, // case mismatch — dropped (we don't normalise)

25
internal/handlers/dashboard.go
View File

@@ -4,7 +4,6 @@ import (
"net/http"
"mgit.msbls.de/m/paliad/internal/auth"
"mgit.msbls.de/m/paliad/internal/services"
)
// GET /api/dashboard — returns the DashboardData JSON for the logged-in user.
@@ -25,29 +24,21 @@ func handleDashboardAPI(w http.ResponseWriter, r *http.Request) {
writeJSON(w, http.StatusOK, data)
}
// GET /dashboard — protected shell page. The client boots, reads three
// initial payloads inlined by the server (data, layout, catalog), and
// renders without a second round-trip (audit §2.3: no skeleton→fetch
// waterfall). Each inline is best-effort: if any read fails the
// corresponding blob is left null and the client falls back to fetch.
// GET /dashboard — protected shell page. The client boots, reads the initial
// payload inlined by the server into window.__PALIAD_DASHBOARD__, and renders
// without a second round-trip (audit §2.3: no skeleton→fetch waterfall).
func handleDashboardPage(w http.ResponseWriter, r *http.Request) {
uid, hasUser := auth.UserIDFromContext(r.Context())
var payload, layout []byte
var payload []byte
if hasUser && dbSvc != nil {
// Best-effort server-render. If the DB read fails we still serve the
// shell; the client will show the inline error state instead of the
// zero-count cards.
if data, err := dbSvc.dashboard.Get(r.Context(), uid); err == nil {
payload = mustJSON(data)
}
if dbSvc.dashboardLayout != nil {
if spec, err := dbSvc.dashboardLayout.GetOrSeed(r.Context(), uid); err == nil {
layout = mustJSON(spec)
}
}
}
// Catalog is code-resident — always inline it so the widget picker
// and dispatch logic can boot without an extra fetch even on
// knowledge-platform-only deployments without DATABASE_URL.
catalog := mustJSON(services.WidgetCatalog())
serveDashboardShell(w, r, payload, layout, catalog)
serveDashboardShell(w, r, payload)
}
// handleRootPage is the public `/` route. Unauthenticated visitors get the

109
internal/handlers/dashboard_layout.go
View File

@@ -1,109 +0,0 @@
package handlers
// HTTP handlers for the per-user dashboard layout (t-paliad-219 Slice A2).
//
// Design: docs/design-dashboard-configurable-2026-05-20.md §9.
//
// Four endpoints:
// GET /api/me/dashboard-layout → read (auto-seeds factory default)
// PUT /api/me/dashboard-layout → replace (validates against catalog)
// POST /api/me/dashboard-layout/reset → overwrite with factory default
// GET /api/dashboard-widget-catalog → catalog metadata for the picker
import (
"encoding/json"
"errors"
"net/http"
"mgit.msbls.de/m/paliad/internal/services"
)
// GET /api/me/dashboard-layout — returns the caller's layout, seeding the
// factory default on first call. Always returns 200 with a valid
// DashboardLayoutSpec.
func handleGetDashboardLayout(w http.ResponseWriter, r *http.Request) {
if !requireDB(w) {
return
}
uid, ok := requireUser(w, r)
if !ok {
return
}
if dbSvc.dashboardLayout == nil {
writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "dashboard-layout service not configured"})
return
}
spec, err := dbSvc.dashboardLayout.GetOrSeed(r.Context(), uid)
if err != nil {
writeServiceError(w, err)
return
}
writeJSON(w, http.StatusOK, spec)
}
// PUT /api/me/dashboard-layout — replaces the caller's layout. Body must
// be a complete DashboardLayoutSpec; the service validates against the
// catalog and 400s on a bad spec.
func handlePutDashboardLayout(w http.ResponseWriter, r *http.Request) {
if !requireDB(w) {
return
}
uid, ok := requireUser(w, r)
if !ok {
return
}
if dbSvc.dashboardLayout == nil {
writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "dashboard-layout service not configured"})
return
}
var spec services.DashboardLayoutSpec
if err := json.NewDecoder(r.Body).Decode(&spec); err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid JSON body"})
return
}
out, err := dbSvc.dashboardLayout.Update(r.Context(), uid, spec)
if err != nil {
if errors.Is(err, services.ErrInvalidInput) {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": err.Error()})
return
}
writeServiceError(w, err)
return
}
writeJSON(w, http.StatusOK, out)
}
// POST /api/me/dashboard-layout/reset — overwrites the caller's layout
// with the factory default. The previous layout is discarded.
func handleResetDashboardLayout(w http.ResponseWriter, r *http.Request) {
if !requireDB(w) {
return
}
uid, ok := requireUser(w, r)
if !ok {
return
}
if dbSvc.dashboardLayout == nil {
writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "dashboard-layout service not configured"})
return
}
spec, err := dbSvc.dashboardLayout.ResetToDefault(r.Context(), uid)
if err != nil {
writeServiceError(w, err)
return
}
writeJSON(w, http.StatusOK, spec)
}
// GET /api/dashboard-widget-catalog — returns the widget catalog. Auth-
// gated only because the catalog includes user-facing copy; nothing
// security-sensitive is exposed. The handler is DB-independent (the
// catalog is code-resident) so the requireDB gate is intentionally
// skipped — knowledge-platform-only deployments can still surface the
// catalog and we never want this endpoint to 503.
func handleGetWidgetCatalog(w http.ResponseWriter, r *http.Request) {
if _, ok := requireUser(w, r); !ok {
return
}
writeJSON(w, http.StatusOK, services.WidgetCatalog())
}

54
internal/handlers/dashboard_shell.go
View File

@@ -11,15 +11,10 @@ import (
)
// The dashboard shell is pre-rendered by bun (`renderDashboard()` → dist/dashboard.html)
// and contains three placeholder tokens (data, layout, catalog). On each
// request we splice in JSON blobs as window.__PALIAD_DASHBOARD__ /
// __PALIAD_DASHBOARD_LAYOUT__ / __PALIAD_DASHBOARD_CATALOG__ so the client
// can paint the real data on first frame — no skeleton + /api/* waterfall.
const (
dashboardDataPlaceholder = "/*__PALIAD_DASHBOARD_DATA__*/"
dashboardLayoutPlaceholder = "/*__PALIAD_DASHBOARD_LAYOUT__*/"
dashboardCatalogPlaceholder = "/*__PALIAD_DASHBOARD_CATALOG__*/"
)
// and contains the placeholder token below. On each request we splice in a
// JSON blob as `window.__PALIAD_DASHBOARD__` so the client can paint the real
// data on first frame — no skeleton + /api/dashboard waterfall.
const dashboardDataPlaceholder = "/*__PALIAD_DASHBOARD_DATA__*/"
var (
dashboardShellOnce sync.Once
@@ -43,19 +38,28 @@ func loadDashboardShell() ([]byte, error) {
return dashboardShellBytes, dashboardShellErr
}
// serveDashboardShell writes dist/dashboard.html with three JSON blobs
// spliced in (data, layout, catalog). A nil payload disables server-side
// hydration of that slot; the client falls back to fetching the
// corresponding /api/* endpoint on mount.
func serveDashboardShell(w http.ResponseWriter, _ *http.Request, payload, layout, catalog []byte) {
// serveDashboardShell writes dist/dashboard.html with the JSON payload spliced
// into the placeholder. A nil payload disables server-side hydration; the
// client then falls back to fetching /api/dashboard on mount.
func serveDashboardShell(w http.ResponseWriter, _ *http.Request, payload []byte) {
shell, err := loadDashboardShell()
if err != nil {
http.Error(w, "dashboard shell unavailable", http.StatusInternalServerError)
return
}
body := splicePlaceholder(shell, dashboardDataPlaceholder, "window.__PALIAD_DASHBOARD__=", payload)
body = splicePlaceholder(body, dashboardLayoutPlaceholder, "window.__PALIAD_DASHBOARD_LAYOUT__=", layout)
body = splicePlaceholder(body, dashboardCatalogPlaceholder, "window.__PALIAD_DASHBOARD_CATALOG__=", catalog)
var body []byte
if len(payload) > 0 {
// JSON is wrapped so the script block is self-contained even when the
// payload contains `</script>` sequences (defensive: our data is
// server-owned, but future event.description fields could contain
// arbitrary text).
inline := append([]byte("window.__PALIAD_DASHBOARD__="), escapeForScript(payload)...)
inline = append(inline, ';')
body = bytes.Replace(shell, []byte(dashboardDataPlaceholder), inline, 1)
} else {
body = bytes.Replace(shell, []byte(dashboardDataPlaceholder),
[]byte("window.__PALIAD_DASHBOARD__=null;"), 1)
}
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.Header().Set("Cache-Control", "no-store")
@@ -63,22 +67,6 @@ func serveDashboardShell(w http.ResponseWriter, _ *http.Request, payload, layout
_, _ = w.Write(body)
}
// splicePlaceholder replaces a single placeholder token with a JS
// assignment of the given JSON payload to a window.X global. A nil
// payload assigns `null` so the client can detect "no server-side
// hydration" and fall back to fetch.
func splicePlaceholder(shell []byte, placeholder, prefix string, payload []byte) []byte {
var inline []byte
if len(payload) > 0 {
inline = append(inline, []byte(prefix)...)
inline = append(inline, escapeForScript(payload)...)
inline = append(inline, ';')
} else {
inline = append(inline, []byte(prefix+"null;")...)
}
return bytes.Replace(shell, []byte(placeholder), inline, 1)
}
// escapeForScript makes a JSON blob safe to embed directly in an inline
// <script>. JSON strings may contain `</script>` or U+2028/U+2029, both of
// which terminate script blocks in some parsers.

179
internal/handlers/export.go
View File

@@ -2,19 +2,16 @@ package handlers
// Data-export handlers (t-paliad-214).
//
// Slice 1: personal scope
// Slice 1 ships the personal scope only:
//
// GET /api/me/export → streams a personal-scope export .zip
//
// Slice 2: project subtree scope
// GET /api/projects/{id}/export?direct_only=0|1 → streams a project-subtree
// export .zip
//
// Slice 3 (org, async) lands in a follow-up.
// Slices 2 + 3 (project + org) layer onto this file when they ship.
//
// Authentication: the existing protected mux middleware (auth.Middleware +
// auth.WithUserID) populates the user UUID in the context. Slice 1 gates
// only on authentication; Slice 2 adds a §4 responsibility + global_admin
// check via handleProjectExportGate.
// auth.WithUserID) populates the user UUID in the context. We do not gate
// on global_role here — personal export is available to every authenticated
// user.
import (
"bytes"
@@ -25,8 +22,6 @@ import (
"strconv"
"time"
"github.com/google/uuid"
"mgit.msbls.de/m/paliad/internal/services"
)
@@ -107,7 +102,7 @@ func handleMeExport(w http.ResponseWriter, r *http.Request) {
return
}
filename := services.ExportFilename(services.ExportScopePersonal, "", uuid.Nil, spec.GeneratedAt)
filename := services.ExportFilename(services.ExportScopePersonal, "", spec.GeneratedAt)
size := int64(buf.Len())
if err := dbSvc.export.PatchAuditRowSuccess(ctx, auditID, meta, size); err != nil {
@@ -128,163 +123,3 @@ func handleMeExport(w http.ResponseWriter, r *http.Request) {
log.Printf("export: response write failed for %s (audit=%s): %v", uid, auditID, err)
}
}
// handleProjectExport streams the project-subtree export .zip for the
// project named in the URL path.
//
// Authorization (Slice 2 §4):
//
// - caller must be authenticated (handled by the mux middleware),
// - caller must pass paliad.can_see_project(rootID) — enforced via
// ProjectService.GetByID returning ErrNotVisible → 404,
// - caller must be on paliad.project_teams for the root with
// responsibility ∈ {lead, member}, OR be a global_admin.
// Observers + Externals see but cannot extract — 403 bilingual.
//
// Query params:
// - ?direct_only=1 narrows the export to the root project only (no
// descendants). Default = subtree-inclusive.
func handleProjectExport(w http.ResponseWriter, r *http.Request) {
if !requireDB(w) {
return
}
uid, ok := requireUser(w, r)
if !ok {
return
}
if dbSvc.export == nil {
writeJSON(w, http.StatusServiceUnavailable, map[string]string{
"error": "export service not configured",
})
return
}
rootID, err := uuid.Parse(r.PathValue("id"))
if err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{
"error": "invalid project id",
})
return
}
directOnly := false
if q := r.URL.Query().Get("direct_only"); q == "1" || q == "true" {
directOnly = true
}
ctx, cancel := context.WithTimeout(r.Context(), exportRequestTimeout)
defer cancel()
// Visibility gate (a + b): GetByID returns ErrNotVisible when the
// caller can't see the project, which we map to 404. The handler
// stays oblivious to whether the project doesn't exist or simply
// isn't visible — that's by design (RLS-style opacity).
project, err := dbSvc.projects.GetByID(ctx, uid, rootID)
if err != nil {
writeServiceError(w, err)
return
}
// Authority gate (c): direct-team responsibility ∈ {lead, member} OR
// global_admin. Derived-only-via-partner-unit users (DerivedPeer)
// don't qualify for extraction — m's Q1 lock-in.
allowed, err := callerCanExportProject(ctx, uid, rootID)
if err != nil {
log.Printf("export: authority check failed for user=%s project=%s: %v", uid, rootID, err)
writeJSON(w, http.StatusInternalServerError, map[string]string{
"error": "authority check failed",
})
return
}
if !allowed {
// Bilingual 403 per Q7. Pattern matches mapApprovalError style.
writeJSON(w, http.StatusForbidden, map[string]string{
"code": "export_not_authorized",
"message": "Datenexport ist nur Team-Mitgliedern (Lead / Member) vorbehalten. / Data export is restricted to project team members (lead / member).",
})
return
}
user, err := dbSvc.users.GetByID(ctx, uid)
if err != nil || user == nil {
log.Printf("export: user lookup failed for %s: %v", uid, err)
writeJSON(w, http.StatusInternalServerError, map[string]string{
"error": "user lookup failed",
})
return
}
spec := services.ExportSpec{
Scope: services.ExportScopeProject,
ScopeRoot: &rootID,
ScopeRootLabel: project.Title,
ScopeRootPath: project.Path,
DirectOnly: directOnly,
ActorID: uid,
ActorEmail: user.Email,
ActorLabel: user.DisplayName,
GeneratedAt: time.Now().UTC(),
}
auditID, err := dbSvc.export.WriteAuditRow(ctx, spec)
if err != nil {
log.Printf("export: audit insert failed for %s/project=%s: %v", uid, rootID, err)
writeJSON(w, http.StatusInternalServerError, map[string]string{
"error": "audit write failed",
})
return
}
var buf bytes.Buffer
meta, err := dbSvc.export.WriteProject(ctx, &buf, spec)
if err != nil {
dbSvc.export.PatchAuditRowFailure(context.Background(), auditID, err.Error())
log.Printf("export: WriteProject failed for %s/project=%s (audit=%s): %v", uid, rootID, auditID, err)
writeJSON(w, http.StatusInternalServerError, map[string]string{
"error": "export generation failed",
})
return
}
filename := services.ExportFilename(services.ExportScopeProject, project.Title, rootID, spec.GeneratedAt)
size := int64(buf.Len())
if err := dbSvc.export.PatchAuditRowSuccess(ctx, auditID, meta, size); err != nil {
log.Printf("export: audit patch failed for %s/project=%s (audit=%s): %v", uid, rootID, auditID, err)
}
w.Header().Set("Content-Type", "application/zip")
w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename=%q`, filename))
w.Header().Set("Content-Length", strconv.FormatInt(size, 10))
w.Header().Set("X-Paliad-Export-Audit-Id", auditID.String())
if _, err := w.Write(buf.Bytes()); err != nil {
log.Printf("export: response write failed for %s/project=%s (audit=%s): %v", uid, rootID, auditID, err)
}
}
// callerCanExportProject is the §4 authority check:
//
// - global_admin can extract anything anywhere.
// - else: caller must be on paliad.project_teams for the root with
// responsibility ∈ {lead, member}.
//
// One query, parameterised; returns the boolean. Errors surface to the
// handler as 500.
func callerCanExportProject(ctx context.Context, userID, projectID uuid.UUID) (bool, error) {
const q = `
SELECT
EXISTS (
SELECT 1 FROM paliad.users u
WHERE u.id = $1 AND u.global_role = 'global_admin'
) OR EXISTS (
SELECT 1 FROM paliad.project_teams pt
WHERE pt.user_id = $1
AND pt.project_id = $2
AND pt.responsibility IN ('lead', 'member')
)
`
var ok bool
if err := dbSvc.projects.DB().QueryRowContext(ctx, q, userID, projectID).Scan(&ok); err != nil {
return false, err
}
return ok, nil
}

78
internal/handlers/handlers.go
View File

@@ -3,7 +3,6 @@ package handlers
import (
"encoding/json"
"net/http"
"strings"
"mgit.msbls.de/m/paliad/internal/auth"
"mgit.msbls.de/m/paliad/internal/services"
@@ -22,19 +21,6 @@ func noCacheAssets(h http.Handler) http.Handler {
})
}
// patentstyleDownload sets a Content-Disposition with the spaced filename
// "HL Patents Style.dotm" for .dotm requests under /patentstyle/. The URL
// path stays clean (dashes), browsers and download tools land the file
// with the name PAs expect to see.
func patentstyleDownload(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if strings.HasSuffix(r.URL.Path, ".dotm") {
w.Header().Set("Content-Disposition", `attachment; filename="HL Patents Style.dotm"`)
}
h.ServeHTTP(w, r)
})
}
// noCachePages wraps a handler so its response always revalidates. Combined
// with the build-time `?v=<buildVersion>` stamp on /assets/*.js and /css URLs
// in dist/*.html, this is what makes a deploy actually reach users: the HTML
@@ -57,7 +43,6 @@ type Services struct {
Deadline *services.DeadlineService
Appointment *services.AppointmentService
CalDAV *services.CalDAVService
CalDAVBindings *services.CalendarBindingService
Rules *services.DeadlineRuleService
Calculator *services.DeadlineCalculator
Users *services.UserService
@@ -84,19 +69,9 @@ type Services struct {
UserView *services.UserViewService
Broadcast *services.BroadcastService
Pin *services.PinService
CardLayout *services.CardLayoutService
DashboardLayout *services.DashboardLayoutService
Projection *services.ProjectionService
Export *services.ExportService
// Submission generator (t-paliad-215) — Klageerwiderung &
// friends. Three coordinated services: registry fetches templates
// from Gitea; vars builds the placeholder map from project +
// parties + rule; renderer merges the .docx. Wired together in
// cmd/server/main.go; nil here when DATABASE_URL is unset.
SubmissionRegistry *services.TemplateRegistry
SubmissionVars *services.SubmissionVarsService
SubmissionRenderer *services.SubmissionRenderer
CardLayout *services.CardLayoutService
Projection *services.ProjectionService
Export *services.ExportService
// Paliadin is wired when DATABASE_URL is set. The concrete backend
// is picked in cmd/server/main.go based on PALIADIN_REMOTE_HOST
@@ -114,14 +89,6 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
paliadinSvc = svc.Paliadin
}
// Submission generator singletons (t-paliad-215). All three or
// none — the handler short-circuits with 503 when any is nil.
if svc != nil {
submissionRegistry = svc.SubmissionRegistry
submissionVars = svc.SubmissionVars
submissionRenderer = svc.SubmissionRenderer
}
if svc != nil {
dbSvc = &dbServices{
projects: svc.Project,
@@ -131,7 +98,6 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
deadline: svc.Deadline,
appointment: svc.Appointment,
caldav: svc.CalDAV,
caldavBindings: svc.CalDAVBindings,
rules: svc.Rules,
calc: svc.Calculator,
users: svc.Users,
@@ -158,10 +124,9 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
userView: svc.UserView,
broadcast: svc.Broadcast,
pin: svc.Pin,
cardLayout: svc.CardLayout,
dashboardLayout: svc.DashboardLayout,
projection: svc.Projection,
export: svc.Export,
cardLayout: svc.CardLayout,
projection: svc.Projection,
export: svc.Export,
}
}
@@ -211,11 +176,8 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
// the installed Word client polls; HL-Patents-Style.dotm is fetched on
// version mismatch. Source files live in frontend/public/patentstyle/
// (copied into dist/ at build time). noCacheAssets ensures the manifest
// is never stale after a release. patentstyleDownload renames the .dotm
// to "HL Patents Style.dotm" (with spaces) on download — the on-disk
// filename has dashes so the URL is clean, but Word users expect the
// spaced name in their downloads folder.
mux.Handle("GET /patentstyle/", noCacheAssets(patentstyleDownload(http.StripPrefix("/patentstyle/", http.FileServer(http.Dir("dist/patentstyle"))))))
// is never stale after a release.
mux.Handle("GET /patentstyle/", noCacheAssets(http.StripPrefix("/patentstyle/", http.FileServer(http.Dir("dist/patentstyle")))))
// Protected routes
protected := http.NewServeMux()
@@ -288,18 +250,9 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
protected.HandleFunc("GET /api/projects/{id}/timeline", handleGetProjectTimeline)
// t-paliad-177 Slice 2 — iCal feed (deadlines + appointments only).
protected.HandleFunc("GET /api/projects/{id}/timeline.ics", handleGetProjectTimelineICS)
// t-paliad-214 Slice 2 — project-subtree data export. ?direct_only=1
// narrows to the root project only; default = root + descendants.
// Permission gate: responsibility ∈ {lead, member} OR global_admin.
protected.HandleFunc("GET /api/projects/{id}/export", handleProjectExport)
protected.HandleFunc("POST /api/projects/{id}/timeline/milestone", handleCreateProjectTimelineMilestone)
protected.HandleFunc("POST /api/projects/{id}/timeline/anchor", handleProjectTimelineAnchor)
protected.HandleFunc("POST /api/projects/{id}/timeline/skip", handleProjectTimelineSkip)
// t-paliad-215 Slice 1 — submission generator. /submissions lists
// the project's filing-type rules with template-availability flags;
// /submissions/{code}/generate streams the rendered .docx.
protected.HandleFunc("GET /api/projects/{id}/submissions", handleListProjectSubmissions)
protected.HandleFunc("GET /api/projects/{id}/submissions/{code}/generate", handleGenerateProjectSubmission)
// /counterclaim creates a CCR sub-project linked via the new
// paliad.projects.counterclaim_of FK (t-paliad-174 Slice 3).
protected.HandleFunc("POST /api/projects/{id}/counterclaim", handleCreateProjectCounterclaim)
@@ -314,11 +267,6 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
protected.HandleFunc("PATCH /api/user-card-layouts/{id}", handleUpdateCardLayout)
protected.HandleFunc("DELETE /api/user-card-layouts/{id}", handleDeleteCardLayout)
protected.HandleFunc("POST /api/user-card-layouts/{id}/set-default", handleSetDefaultCardLayout)
// t-paliad-219 — per-user configurable dashboard layout.
protected.HandleFunc("GET /api/me/dashboard-layout", handleGetDashboardLayout)
protected.HandleFunc("PUT /api/me/dashboard-layout", handlePutDashboardLayout)
protected.HandleFunc("POST /api/me/dashboard-layout/reset", handleResetDashboardLayout)
protected.HandleFunc("GET /api/dashboard-widget-catalog", handleGetWidgetCatalog)
protected.HandleFunc("GET /api/projects/{id}/ancestors", handleListProjectAncestors)
protected.HandleFunc("GET /api/projects/{id}/parties", handleListParties)
protected.HandleFunc("POST /api/projects/{id}/parties", handleCreateParty)
@@ -363,15 +311,6 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
protected.HandleFunc("DELETE /api/caldav-config", handleDeleteCalDAVConfig)
protected.HandleFunc("POST /api/caldav-config/test", handleTestCalDAVConfig)
protected.HandleFunc("GET /api/caldav-config/log", handleCalDAVSyncLog)
// t-paliad-212 Slice 2a/2b — multi-calendar binding CRUD.
protected.HandleFunc("GET /api/caldav-bindings", handleListCalDAVBindings)
protected.HandleFunc("POST /api/caldav-bindings", handleCreateCalDAVBinding)
protected.HandleFunc("PATCH /api/caldav-bindings/{id}", handlePatchCalDAVBinding)
protected.HandleFunc("DELETE /api/caldav-bindings/{id}", handleDeleteCalDAVBinding)
// /api/caldav-discover — calendar-home-set walk (RFC 6764) for picker.
protected.HandleFunc("GET /api/caldav-discover", handleCalDAVDiscover)
// Slice 2c — MKCALENDAR ("Create new calendar" affordance in picker).
protected.HandleFunc("POST /api/caldav-mkcalendar", handleCalDAVMakeCalendar)
// t-paliad-088 — Event Types (categorization for Deadlines).
protected.HandleFunc("GET /api/event-types", handleListEventTypes)
@@ -587,7 +526,6 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
protected.HandleFunc("POST /api/approval-requests/{id}/approve", handleApproveApprovalRequest)
protected.HandleFunc("POST /api/approval-requests/{id}/reject", handleRejectApprovalRequest)
protected.HandleFunc("POST /api/approval-requests/{id}/revoke", handleRevokeApprovalRequest)
protected.HandleFunc("POST /api/approval-requests/{id}/suggest-changes", handleSuggestChangesApprovalRequest)
// t-paliad-154 — form-time effective policy lookup. Reachable by
// every authenticated user (NOT admin-gated) so deadline +

14
internal/handlers/projects.go
View File

@@ -24,7 +24,6 @@ type dbServices struct {
deadline *services.DeadlineService
appointment *services.AppointmentService
caldav *services.CalDAVService
caldavBindings *services.CalendarBindingService
rules *services.DeadlineRuleService
calc *services.DeadlineCalculator
users *services.UserService
@@ -52,7 +51,6 @@ type dbServices struct {
broadcast *services.BroadcastService
pin *services.PinService
cardLayout *services.CardLayoutService
dashboardLayout *services.DashboardLayoutService
projection *services.ProjectionService
export *services.ExportService
}
@@ -172,18 +170,6 @@ func mapApprovalError(w http.ResponseWriter, err error) bool {
"message": "Die Anfrage ist nicht mehr offen.",
})
return true
case errors.Is(err, services.ErrSuggestionRequiresChange):
writeJSON(w, http.StatusBadRequest, map[string]string{
"code": "suggestion_requires_change",
"message": "Ein Vorschlag braucht entweder geänderte Werte oder einen Kommentar.",
})
return true
case errors.Is(err, services.ErrSuggestionLifecycleInvalid):
writeJSON(w, http.StatusBadRequest, map[string]string{
"code": "suggestion_lifecycle_invalid",
"message": "Änderungen vorschlagen ist nur für Update- und Complete-Anfragen möglich.",
})
return true
}
return false
}

387
internal/handlers/submissions.go
View File

@@ -1,387 +0,0 @@
package handlers
// Submission generator HTTP layer (t-paliad-215 Slice 1).
//
// Endpoints:
//
// GET /api/projects/{id}/submissions
// Lists the project's proceeding-relevant submission codes
// and reports template availability for each. Powers the
// SubmissionsPanel on the project detail page.
//
// GET /api/projects/{id}/submissions/{code}/generate
// Renders the .docx and streams it as an attachment download.
// Writes one paliad.system_audit_log row and one
// paliad.project_events row per generation. No server-side
// binary persistence (design §3, m's Q3 pick).
//
// Visibility: every endpoint runs through ProjectService.GetByID
// (paliad.can_see_project gate). Unauthorised callers get 404, never
// 403 — same convention as the rest of the project surfaces (avoids
// project-existence enumeration).
import (
"context"
"encoding/json"
"errors"
"fmt"
"log"
"net/http"
"strconv"
"strings"
"time"
"github.com/google/uuid"
"mgit.msbls.de/m/paliad/internal/branding"
"mgit.msbls.de/m/paliad/internal/services"
)
// submissionRenderer + registry + vars are package-level singletons
// wired by Register() once at boot. Stateless rendering + thread-safe
// caches inside the registry mean no per-request construction.
var (
submissionRenderer *services.SubmissionRenderer
submissionRegistry *services.TemplateRegistry
submissionVars *services.SubmissionVarsService
)
// submissionRenderTimeout caps a single generate request. Template
// fetch (cache-miss) + rendering of a typical pleading takes well
// under a second; the timeout exists to surface "Gitea is unreachable"
// quickly rather than letting the browser spin.
const submissionRenderTimeout = 30 * time.Second
// docxMime is the .docx Content-Type per the OOXML spec.
const docxMime = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
// submissionListEntry is one row in the SubmissionsPanel.
type submissionListEntry struct {
SubmissionCode string `json:"submission_code"`
Name string `json:"name"`
NameEN string `json:"name_en"`
EventType string `json:"event_type,omitempty"`
PrimaryParty string `json:"primary_party,omitempty"`
LegalSource string `json:"legal_source,omitempty"`
HasTemplate bool `json:"has_template"`
}
// submissionListResponse wraps the list with a project-level header.
type submissionListResponse struct {
ProjectID uuid.UUID `json:"project_id"`
ProceedingTypeID *int `json:"proceeding_type_id,omitempty"`
Entries []submissionListEntry `json:"entries"`
}
// handleListProjectSubmissions returns the filing-type rules for the
// project's proceeding, annotated with template availability.
func handleListProjectSubmissions(w http.ResponseWriter, r *http.Request) {
if !requireDB(w) {
return
}
uid, ok := requireUser(w, r)
if !ok {
return
}
if !requireSubmissionsWired(w) {
return
}
projectID, err := uuid.Parse(r.PathValue("id"))
if err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid project id"})
return
}
ctx := r.Context()
project, err := dbSvc.projects.GetByID(ctx, uid, projectID)
if err != nil {
writeServiceError(w, err)
return
}
resp := submissionListResponse{
ProjectID: projectID,
ProceedingTypeID: project.ProceedingTypeID,
Entries: []submissionListEntry{},
}
if project.ProceedingTypeID == nil {
writeJSON(w, http.StatusOK, resp)
return
}
rules, err := dbSvc.rules.List(ctx, project.ProceedingTypeID)
if err != nil {
log.Printf("submissions: list rules for proceeding %d: %v", *project.ProceedingTypeID, err)
writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "rule lookup failed"})
return
}
for _, rule := range rules {
if rule.SubmissionCode == nil || *rule.SubmissionCode == "" {
continue
}
if rule.EventType == nil || *rule.EventType != "filing" {
// Hearings + decisions don't generate submissions. The
// "Schriftsätze" panel only lists filings.
continue
}
if rule.LifecycleState != "published" {
continue
}
entry := submissionListEntry{
SubmissionCode: *rule.SubmissionCode,
Name: rule.Name,
NameEN: rule.NameEN,
HasTemplate: submissionRegistry.HasTemplate(ctx, *rule.SubmissionCode),
}
if rule.EventType != nil {
entry.EventType = *rule.EventType
}
if rule.PrimaryParty != nil {
entry.PrimaryParty = *rule.PrimaryParty
}
if rule.LegalSource != nil {
entry.LegalSource = *rule.LegalSource
}
resp.Entries = append(resp.Entries, entry)
}
writeJSON(w, http.StatusOK, resp)
}
// handleGenerateProjectSubmission renders the .docx and streams it
// back to the browser. Audits the generation; never persists the
// rendered bytes server-side.
func handleGenerateProjectSubmission(w http.ResponseWriter, r *http.Request) {
if !requireDB(w) {
return
}
uid, ok := requireUser(w, r)
if !ok {
return
}
if !requireSubmissionsWired(w) {
return
}
projectID, err := uuid.Parse(r.PathValue("id"))
if err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid project id"})
return
}
submissionCode := strings.TrimSpace(r.PathValue("code"))
if submissionCode == "" {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": "submission code required"})
return
}
ctx, cancel := context.WithTimeout(r.Context(), submissionRenderTimeout)
defer cancel()
varsResult, err := submissionVars.Build(ctx, services.SubmissionVarsContext{
UserID: uid,
ProjectID: projectID,
SubmissionCode: submissionCode,
})
if err != nil {
if errors.Is(err, services.ErrSubmissionRuleNotFound) {
writeJSON(w, http.StatusNotFound, map[string]string{
"error": fmt.Sprintf("no published rule for submission_code %q", submissionCode),
})
return
}
writeServiceError(w, err)
return
}
tmpl, err := submissionRegistry.Resolve(ctx, submissionCode)
if err != nil {
if errors.Is(err, services.ErrNoTemplate) {
writeJSON(w, http.StatusServiceUnavailable, map[string]string{
"error": "no template available for this submission",
"hint": "ask an admin to upload a .docx template under templates/_base/ in mWorkRepo",
})
return
}
log.Printf("submissions: template resolve for %s: %v", submissionCode, err)
writeJSON(w, http.StatusServiceUnavailable, map[string]string{
"error": "template repository unreachable",
})
return
}
missing := services.DefaultMissingMarker(varsResult.Lang)
rendered, err := submissionRenderer.Render(tmpl.Bytes, varsResult.Placeholders, missing)
if err != nil {
log.Printf("submissions: render %s for project %s: %v", submissionCode, projectID, err)
writeJSON(w, http.StatusInternalServerError, map[string]string{
"error": "render failed",
})
return
}
filename := submissionFileName(varsResult, projectID)
// Audit + Verlauf writes. Best-effort with a background context so
// the user still receives the download even if the audit insert
// races a slow DB.
bgCtx, cancelBG := context.WithTimeout(context.Background(), 10*time.Second)
defer cancelBG()
if err := writeSubmissionAuditRow(bgCtx, varsResult, tmpl, submissionCode); err != nil {
log.Printf("submissions: audit insert failed (project=%s code=%s): %v", projectID, submissionCode, err)
}
if err := writeSubmissionProjectEvent(bgCtx, varsResult, tmpl, submissionCode); err != nil {
log.Printf("submissions: project_events insert failed (project=%s code=%s): %v", projectID, submissionCode, err)
}
if err := writeSubmissionDocumentRow(bgCtx, varsResult, tmpl, submissionCode); err != nil {
log.Printf("submissions: documents insert failed (project=%s code=%s): %v", projectID, submissionCode, err)
}
w.Header().Set("Content-Type", docxMime)
w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename=%q`, filename))
w.Header().Set("Content-Length", strconv.Itoa(len(rendered)))
w.Header().Set("X-Paliad-Template-Sha", tmpl.SHA)
w.Header().Set("X-Paliad-Template-Tier", tmpl.FirmTier)
if _, err := w.Write(rendered); err != nil {
log.Printf("submissions: response write failed (project=%s code=%s): %v", projectID, submissionCode, err)
}
}
// requireSubmissionsWired returns false (and writes 503) when the
// generator wasn't constructed at boot. Happens in DATABASE_URL-less
// deployments — knowledge-platform-only stacks don't ship the
// submission engine.
func requireSubmissionsWired(w http.ResponseWriter) bool {
if submissionRenderer == nil || submissionRegistry == nil || submissionVars == nil {
writeJSON(w, http.StatusServiceUnavailable, map[string]string{
"error": "submission generator not configured",
})
return false
}
return true
}
// submissionFileName builds the user-facing filename per design §7:
//
// {rule.name}-{project.case_number}-{YYYY-MM-DD}.docx
//
// Slashes and backslashes in case_number sanitise to underscores so
// the file saves cleanly across Windows + macOS + Linux. Missing
// case_number falls back to an 8-hex-char stable id from the project
// UUID so the file still has a deterministic handle.
func submissionFileName(vars *services.SubmissionVarsResult, projectID uuid.UUID) string {
day := time.Now()
if loc, err := time.LoadLocation("Europe/Berlin"); err == nil {
day = day.In(loc)
}
ruleName := strings.TrimSpace(vars.Rule.Name)
if strings.EqualFold(vars.Lang, "en") {
ruleName = strings.TrimSpace(vars.Rule.NameEN)
}
if ruleName == "" {
ruleName = "submission"
}
caseNo := ""
if vars.Project != nil && vars.Project.CaseNumber != nil {
caseNo = strings.TrimSpace(*vars.Project.CaseNumber)
}
if caseNo == "" {
caseNo = projectID.String()[:8]
}
caseNo = strings.ReplaceAll(caseNo, "/", "_")
caseNo = strings.ReplaceAll(caseNo, `\`, "_")
return fmt.Sprintf("%s-%s-%s.docx", ruleName, caseNo, day.Format("2006-01-02"))
}
// writeSubmissionAuditRow files the org-wide audit entry. Reuses the
// system_audit_log convention (event_type='submission.generated')
// established in t-paliad-214's mig 102.
func writeSubmissionAuditRow(ctx context.Context, vars *services.SubmissionVarsResult, tmpl *services.ResolvedTemplate, code string) error {
meta := map[string]any{
"submission_code": code,
"template_path": tmpl.Path,
"template_sha": tmpl.SHA,
"template_tier": tmpl.FirmTier,
"project_id": vars.Project.ID.String(),
"rule_id": vars.Rule.ID.String(),
"firm": branding.Name,
}
body, _ := json.Marshal(meta)
_, err := dbSvc.projects.DB().ExecContext(ctx,
`INSERT INTO paliad.system_audit_log
(event_type, actor_id, actor_email, scope, scope_root, metadata)
VALUES ('submission.generated', $1, $2, 'project', $3, $4::jsonb)`,
vars.User.ID, vars.User.Email, vars.Project.ID.String(), string(body),
)
return err
}
// writeSubmissionProjectEvent surfaces the generation in the project
// Verlauf / SmartTimeline. event_type stays free-text (no CHECK on
// paliad.project_events.event_type per Slice 2 of SmartTimeline) so we
// don't need a migration to introduce 'submission_generated'.
func writeSubmissionProjectEvent(ctx context.Context, vars *services.SubmissionVarsResult, tmpl *services.ResolvedTemplate, code string) error {
ruleName := strings.TrimSpace(vars.Rule.Name)
if strings.EqualFold(vars.Lang, "en") {
ruleName = strings.TrimSpace(vars.Rule.NameEN)
}
title := fmt.Sprintf("%s generiert", ruleName)
if strings.EqualFold(vars.Lang, "en") {
title = fmt.Sprintf("%s generated", ruleName)
}
meta := map[string]any{
"submission_code": code,
"template_path": tmpl.Path,
"template_sha": tmpl.SHA,
"template_tier": tmpl.FirmTier,
"rule_id": vars.Rule.ID.String(),
}
body, _ := json.Marshal(meta)
now := time.Now().UTC()
_, err := dbSvc.projects.DB().ExecContext(ctx,
`INSERT INTO paliad.project_events
(id, project_id, event_type, title, description, event_date,
created_by, metadata, created_at, updated_at)
VALUES ($1, $2, 'submission_generated', $3, NULL, $4, $5, $6::jsonb, $4, $4)`,
uuid.New(), vars.Project.ID, title, now, vars.User.ID, string(body),
)
return err
}
// writeSubmissionDocumentRow files the audit-only paliad.documents
// row. file_path stays NULL — the bytes are regenerable from inputs
// (m's Q3 pick: no server-side binary). doc_type='generated_submission'
// is the additive marker; no CHECK constraint exists on doc_type, so
// this requires no migration.
func writeSubmissionDocumentRow(ctx context.Context, vars *services.SubmissionVarsResult, tmpl *services.ResolvedTemplate, code string) error {
ruleName := strings.TrimSpace(vars.Rule.Name)
if strings.EqualFold(vars.Lang, "en") {
ruleName = strings.TrimSpace(vars.Rule.NameEN)
}
day := time.Now()
if loc, err := time.LoadLocation("Europe/Berlin"); err == nil {
day = day.In(loc)
}
title := fmt.Sprintf("%s (generiert %s)", ruleName, day.Format("2006-01-02"))
if strings.EqualFold(vars.Lang, "en") {
title = fmt.Sprintf("%s (generated %s)", ruleName, day.Format("2006-01-02"))
}
provenance := map[string]any{
"submission_code": code,
"template_path": tmpl.Path,
"template_sha": tmpl.SHA,
"template_tier": tmpl.FirmTier,
"firm": branding.Name,
"rule_id": vars.Rule.ID.String(),
}
body, _ := json.Marshal(provenance)
_, err := dbSvc.projects.DB().ExecContext(ctx,
`INSERT INTO paliad.documents
(id, project_id, title, doc_type, file_path, file_size, mime_type,
ai_extracted, uploaded_by, created_at, updated_at)
VALUES ($1, $2, $3, 'generated_submission', NULL, NULL, $4, $5::jsonb, $6, now(), now())`,
uuid.New(), vars.Project.ID, title, docxMime, string(body), vars.User.ID,
)
return err
}

98
internal/models/models.go
View File

@@ -425,75 +425,28 @@ type ChecklistInstanceWithProject struct {
// UserCalDAVConfig holds one user's external CalDAV connection. The password
// is never returned in API responses; only the public fields are exposed.
type UserCalDAVConfig struct {
UserID uuid.UUID `db:"user_id" json:"user_id"`
URL string `db:"url" json:"url"`
Username string `db:"username" json:"username"`
PasswordEncrypted []byte `db:"password_encrypted" json:"-"`
CalendarPath string `db:"calendar_path" json:"calendar_path"`
Enabled bool `db:"enabled" json:"enabled"`
LastSyncAt *time.Time `db:"last_sync_at" json:"last_sync_at,omitempty"`
LastSyncError *string `db:"last_sync_error" json:"last_sync_error,omitempty"`
CreatedAt time.Time `db:"created_at" json:"created_at"`
UpdatedAt time.Time `db:"updated_at" json:"updated_at"`
// MKCALENDAR-capability tri-state (mig 108, Slice 2c). NULL = unprobed.
SupportsMKCalendar *bool `db:"supports_mkcalendar" json:"supports_mkcalendar,omitempty"`
MKCalendarProbedAt *time.Time `db:"mkcalendar_probed_at" json:"mkcalendar_probed_at,omitempty"`
UserID uuid.UUID `db:"user_id" json:"user_id"`
URL string `db:"url" json:"url"`
Username string `db:"username" json:"username"`
PasswordEncrypted []byte `db:"password_encrypted" json:"-"`
CalendarPath string `db:"calendar_path" json:"calendar_path"`
Enabled bool `db:"enabled" json:"enabled"`
LastSyncAt *time.Time `db:"last_sync_at" json:"last_sync_at,omitempty"`
LastSyncError *string `db:"last_sync_error" json:"last_sync_error,omitempty"`
CreatedAt time.Time `db:"created_at" json:"created_at"`
UpdatedAt time.Time `db:"updated_at" json:"updated_at"`
}
// CalDAVSyncLogEntry is one historical sync record. BindingID is populated
// for per-binding sync entries written by the post-Slice-2a sync engine;
// older rows have it NULL and the entry covers the user's default binding.
// CalDAVSyncLogEntry is one historical sync record.
type CalDAVSyncLogEntry struct {
ID uuid.UUID `db:"id" json:"id"`
UserID uuid.UUID `db:"user_id" json:"user_id"`
OccurredAt time.Time `db:"occurred_at" json:"occurred_at"`
Direction string `db:"direction" json:"direction"`
ItemsPushed int `db:"items_pushed" json:"items_pushed"`
ItemsPulled int `db:"items_pulled" json:"items_pulled"`
Error *string `db:"error" json:"error,omitempty"`
DurationMS *int `db:"duration_ms" json:"duration_ms,omitempty"`
BindingID *uuid.UUID `db:"binding_id" json:"binding_id,omitempty"`
}
// UserCalendarBinding is one of N (calendar, scope) bindings a user can
// configure on top of their single CalDAV server connection. The same
// Appointment can land in multiple bindings (e.g. master + per-project),
// with per-binding push state living in AppointmentCalDAVTarget.
type UserCalendarBinding struct {
ID uuid.UUID `db:"id" json:"id"`
UserID uuid.UUID `db:"user_id" json:"user_id"`
CalendarPath string `db:"calendar_path" json:"calendar_path"`
DisplayName string `db:"display_name" json:"display_name"`
ScopeKind string `db:"scope_kind" json:"scope_kind"`
ScopeID *uuid.UUID `db:"scope_id" json:"scope_id,omitempty"`
IncludePersonal bool `db:"include_personal" json:"include_personal"`
Enabled bool `db:"enabled" json:"enabled"`
LastSyncAt *time.Time `db:"last_sync_at" json:"last_sync_at,omitempty"`
LastSyncError *string `db:"last_sync_error" json:"last_sync_error,omitempty"`
CreatedAt time.Time `db:"created_at" json:"created_at"`
UpdatedAt time.Time `db:"updated_at" json:"updated_at"`
}
// Scope-kind enum mirrored from paliad.user_calendar_bindings_scope_kind_chk.
const (
BindingScopeAllVisible = "all_visible"
BindingScopePersonalOnly = "personal_only"
BindingScopeProject = "project"
BindingScopeClient = "client"
BindingScopeLitigation = "litigation"
BindingScopePatent = "patent"
BindingScopeCase = "case"
)
// AppointmentCalDAVTarget is the per-(appointment, binding) push state.
// The caldav_uid is canonical per Appointment (same value across all of
// an appointment's targets); caldav_etag varies per binding.
type AppointmentCalDAVTarget struct {
AppointmentID uuid.UUID `db:"appointment_id" json:"appointment_id"`
BindingID uuid.UUID `db:"binding_id" json:"binding_id"`
CalDAVUID string `db:"caldav_uid" json:"caldav_uid"`
CalDAVEtag *string `db:"caldav_etag" json:"caldav_etag,omitempty"`
LastPushedAt time.Time `db:"last_pushed_at" json:"last_pushed_at"`
ID uuid.UUID `db:"id" json:"id"`
UserID uuid.UUID `db:"user_id" json:"user_id"`
OccurredAt time.Time `db:"occurred_at" json:"occurred_at"`
Direction string `db:"direction" json:"direction"`
ItemsPushed int `db:"items_pushed" json:"items_pushed"`
ItemsPulled int `db:"items_pulled" json:"items_pulled"`
Error *string `db:"error" json:"error,omitempty"`
DurationMS *int `db:"duration_ms" json:"duration_ms,omitempty"`
}
// Party is a party to a Project (Kläger, Beklagter, etc. — typically on
@@ -852,15 +805,6 @@ type ApprovalRequest struct {
// alongside 👀 with a sparkle ✨ on the eye-pill surface.
RequesterKind string `db:"requester_kind" json:"requester_kind"`
AgentTurnID *uuid.UUID `db:"agent_turn_id" json:"agent_turn_id,omitempty"`
// CounterPayload carries the approver's edited values on a
// changes_requested row (mig 103, t-paliad-216). NULL for every
// other status. Frontend renders it as a diff against the OLD
// payload to show "approver suggested X→Y on the following fields".
CounterPayload NullableJSON `db:"counter_payload" json:"counter_payload,omitempty"`
// PreviousRequestID is the back-pointer from a row spawned by
// SuggestChanges to the prior changes_requested row that birthed it
// (mig 103, t-paliad-216). NULL on first-attempt rows.
PreviousRequestID *uuid.UUID `db:"previous_request_id" json:"previous_request_id,omitempty"`
CreatedAt time.Time `db:"created_at" json:"created_at"`
UpdatedAt time.Time `db:"updated_at" json:"updated_at"`
CreatedAt time.Time `db:"created_at" json:"created_at"`
UpdatedAt time.Time `db:"updated_at" json:"updated_at"`
}

6
internal/offices/offices.go
View File

@@ -1,8 +1,7 @@
// Package offices is the single source of truth for the firm's office list.
//
// The keys here must stay in sync with the CHECK constraints on
// paliad.users.office (mig 002) and paliad.partner_units.office
// (mig 018, renamed mig 024 + mig 027). Madrid added mig 106.
// The keys here must stay in sync with the CHECK constraint on
// paliad.users.office and paliad.akten.owning_office (migration 001).
package offices
// Office is a single firm office with its i18n-ready labels.
@@ -21,7 +20,6 @@ var All = []Office{
{Key: "london", LabelDE: "London", LabelEN: "London"},
{Key: "paris", LabelDE: "Paris", LabelEN: "Paris"},
{Key: "milan", LabelDE: "Mailand", LabelEN: "Milan"},
{Key: "madrid", LabelDE: "Madrid", LabelEN: "Madrid"},
}
// IsValid reports whether the given key names a known office.

2
internal/offices/offices_test.go
View File

@@ -3,7 +3,7 @@ package offices
import "testing"
func TestIsValid(t *testing.T) {
for _, key := range []string{"munich", "duesseldorf", "hamburg", "amsterdam", "london", "paris", "milan", "madrid"} {
for _, key := range []string{"munich", "duesseldorf", "hamburg", "amsterdam", "london", "paris", "milan"} {
if !IsValid(key) {
t.Errorf("IsValid(%q) = false, want true", key)
}

80
internal/services/appointment_service.go
View File

@@ -753,86 +753,6 @@ func (s *AppointmentService) AllForUser(ctx context.Context, userID uuid.UUID) (
return rows, nil
}
// ErrUnsupportedScope is returned by ForBinding when the binding's
// scope_kind is one of the hierarchy scopes (client / litigation /
// patent / case) — those land in Slice 3 of t-paliad-212. Slice 2
// only supports all_visible / personal_only / project.
var ErrUnsupportedScope = errors.New("binding scope_kind not yet supported")
// ForBinding returns the slice of the user's appointments that belongs
// in this binding's calendar. Implements the §2.3 scope filter from
// docs/design-caldav-slice-2-2026-05-20.md.
//
// - all_visible → AllForUser(userID)
// - personal_only → personal (project_id IS NULL) appointments
// created by this user
// - project → appointments attached to scope_id, gated by the
// same visibility predicate as AllForUser. Hidden
// projects return an empty slice (the binding stays
// in place but receives no events). If
// include_personal is true, the user's personal
// appointments are unioned in.
//
// Hierarchy scopes (client / litigation / patent / case) return
// ErrUnsupportedScope; Slice 3 wires them via the existing path-based
// descendant predicate.
func (s *AppointmentService) ForBinding(ctx context.Context, userID uuid.UUID, b *models.UserCalendarBinding) ([]models.Appointment, error) {
if b == nil {
return nil, fmt.Errorf("%w: nil binding", ErrInvalidInput)
}
switch b.ScopeKind {
case models.BindingScopeAllVisible:
return s.AllForUser(ctx, userID)
case models.BindingScopePersonalOnly:
rows := []models.Appointment{}
if err := s.db.SelectContext(ctx, &rows,
`SELECT `+appointmentColumns+`
FROM paliad.appointments t
WHERE t.project_id IS NULL
AND t.created_by = $1`, userID); err != nil {
return nil, fmt.Errorf("for-binding personal_only: %w", err)
}
return rows, nil
case models.BindingScopeProject:
if b.ScopeID == nil {
return nil, fmt.Errorf("%w: project binding missing scope_id", ErrInvalidInput)
}
var query string
if b.IncludePersonal {
query = `
SELECT ` + appointmentColumns + `
FROM paliad.appointments t
LEFT JOIN paliad.projects p ON p.id = t.project_id
WHERE (
t.project_id = $2
AND ` + visibilityPredicatePositional("p", 1) + `
) OR (
t.project_id IS NULL AND t.created_by = $1
)`
} else {
query = `
SELECT ` + appointmentColumns + `
FROM paliad.appointments t
JOIN paliad.projects p ON p.id = t.project_id
WHERE t.project_id = $2
AND ` + visibilityPredicatePositional("p", 1)
}
rows := []models.Appointment{}
if err := s.db.SelectContext(ctx, &rows, query, userID, *b.ScopeID); err != nil {
return nil, fmt.Errorf("for-binding project: %w", err)
}
return rows, nil
case models.BindingScopeClient, models.BindingScopeLitigation, models.BindingScopePatent, models.BindingScopeCase:
return nil, ErrUnsupportedScope
default:
return nil, fmt.Errorf("%w: unknown scope_kind %q", ErrInvalidInput, b.ScopeKind)
}
}
// FindByCalDAVUID resolves a Appointment from its external UID.
func (s *AppointmentService) FindByCalDAVUID(ctx context.Context, uid string) (*models.Appointment, error) {
var t models.Appointment

25
internal/services/approval_levels.go
View File

@@ -61,12 +61,11 @@ const (
// RequestStatus values on paliad.approval_requests.status.
const (
RequestStatusPending = "pending"
RequestStatusApproved = "approved"
RequestStatusRejected = "rejected"
RequestStatusRevoked = "revoked"
RequestStatusSuperseded = "superseded"
RequestStatusChangesRequested = "changes_requested"
RequestStatusPending = "pending"
RequestStatusApproved = "approved"
RequestStatusRejected = "rejected"
RequestStatusRevoked = "revoked"
RequestStatusSuperseded = "superseded"
)
// DecisionKind discriminates 'peer' (normal in-team sign-off) from
@@ -159,14 +158,12 @@ func IsValidResponsibility(r string) bool {
// ErrRequestNotPending -> 409
// ErrUnknownEntityType -> 500 (programming error)
var (
ErrSelfApproval = errors.New("self-approval blocked")
ErrNoQualifiedApprover = errors.New("no qualified approver available")
ErrConcurrentPending = errors.New("entity already has a pending approval request")
ErrNotApprover = errors.New("not authorized to approve this request")
ErrRequestNotPending = errors.New("request is not pending")
ErrUnknownEntityType = errors.New("unknown entity type")
ErrSuggestionRequiresChange = errors.New("suggestion requires a counter_payload diff or a note")
ErrSuggestionLifecycleInvalid = errors.New("suggest-changes is only valid for update / complete lifecycles")
ErrSelfApproval = errors.New("self-approval blocked")
ErrNoQualifiedApprover = errors.New("no qualified approver available")
ErrConcurrentPending = errors.New("entity already has a pending approval request")
ErrNotApprover = errors.New("not authorized to approve this request")
ErrRequestNotPending = errors.New("request is not pending")
ErrUnknownEntityType = errors.New("unknown entity type")
)
// PendingApprovalError wraps ErrConcurrentPending with the in-flight

492
internal/services/approval_service.go
View File

@@ -35,7 +35,6 @@ package services
// pool, so the deadlock path can't be silently bypassed.
import (
"bytes"
"context"
"database/sql"
"encoding/json"
@@ -364,321 +363,6 @@ func (s *ApprovalService) Revoke(ctx context.Context, requestID, callerID uuid.U
return s.decide(ctx, requestID, callerID, RequestStatusRevoked, "")
}
// SuggestChanges is the fourth approval action (t-paliad-216). The caller
// proposes a counter-payload + optional free-text note; in one transaction
// we close the old request as 'changes_requested', revert the entity from
// pre_image, then immediately spawn a NEW 'pending' approval_request
// authored by the caller carrying counter_payload as the new payload. The
// new row enters the normal pending flow — anyone eligible (including the
// original requester) can approve, reject, or suggest changes back on it.
// 4-Augen still holds: the suggesting caller is now the new row's
// requested_by, so self-approval is blocked by the standard 3-layer guard.
//
// Authorization is the same as Approve/Reject on the OLD row (canApprove).
// The new row's deadlock check (qualified-approver-exists-other-than-
// caller) runs before the new INSERT so we never spawn an unapprovable
// request.
//
// counterPayload must differ from the old row's payload OR a non-empty
// note must be present — a no-op suggestion (same values, no note) is
// indistinguishable from "I have no opinion" and is rejected with
// ErrSuggestionRequiresChange. counterPayload field shape is the same
// allowlist used by Submit*/applyRevert (the date-bearing columns per
// entity_type); unknown keys are silently dropped at apply time.
//
// SuggestChanges is only valid for lifecycle in (update, complete). For
// create the original entity would be deleted by applyRevert, leaving no
// row to apply a counter to. For delete the original is "remove this
// entity" — a counter-proposal would be a different lifecycle entirely.
// Both return ErrSuggestionLifecycleInvalid; the caller (handler) maps
// it to 400.
//
// Returns the new request ID on success.
func (s *ApprovalService) SuggestChanges(ctx context.Context, requestID, callerID uuid.UUID, counterPayload map[string]any, note string) (*uuid.UUID, error) {
trimmedNote := strings.TrimSpace(note)
tx, err := s.db.BeginTxx(ctx, nil)
if err != nil {
return nil, fmt.Errorf("begin tx: %w", err)
}
defer tx.Rollback() //nolint:errcheck
old, err := s.getRequestForUpdate(ctx, tx, requestID)
if err != nil {
return nil, err
}
if old.Status != RequestStatusPending {
return nil, fmt.Errorf("%w: status=%s", ErrRequestNotPending, old.Status)
}
if old.LifecycleEvent != LifecycleUpdate && old.LifecycleEvent != LifecycleComplete {
return nil, fmt.Errorf("%w: lifecycle=%s", ErrSuggestionLifecycleInvalid, old.LifecycleEvent)
}
// No-op guard: counter must differ from old.payload OR note must be present.
payloadDiffers, err := payloadsDiffer(old.Payload, counterPayload)
if err != nil {
return nil, err
}
if !payloadDiffers && trimmedNote == "" {
return nil, ErrSuggestionRequiresChange
}
// Authorization on the OLD row: caller must satisfy canApprove (same
// gate as Approve/Reject). Self-approval blocks here too.
decisionKind, err := s.canApprove(ctx, tx, callerID, old)
if err != nil {
return nil, err
}
now := time.Now().UTC()
counterJSON, err := marshalJSONOrNull(counterPayload)
if err != nil {
return nil, fmt.Errorf("marshal counter_payload: %w", err)
}
// Validate counter has at least one counter-allowlisted field for the
// entity type — otherwise the entity-update below would be a no-op
// and the new row would just resubmit the SAME values, which is a
// degenerate case we should reject cleanly. Only run this check when
// the payload "differs" (i.e. caller actually provided something).
// Note: validates against the WIDER counter-allowlist (t-paliad-217
// Slice B), not the date-only revert-allowlist.
if payloadDiffers {
if _, _, err := buildCounterSetClauses(old.EntityType, counterPayload); err != nil {
// buildCounterSetClauses already wraps ErrSuggestionRequiresChange
// for the "no allowlisted fields" + empty-title cases. Propagate.
return nil, err
}
}
// 1. Close the OLD row as changes_requested.
var noteArg any
if trimmedNote != "" {
noteArg = trimmedNote
}
updateOldSQL := `UPDATE paliad.approval_requests
SET status = $1, decided_by = $2, decided_at = $3, decision_kind = $4,
decision_note = $5, counter_payload = $6, updated_at = $3
WHERE id = $7`
if _, err := tx.ExecContext(ctx, updateOldSQL,
RequestStatusChangesRequested, callerID, now, decisionKind,
noteArg, counterJSON, requestID); err != nil {
return nil, fmt.Errorf("close old request: %w", err)
}
// 2. Revert the entity from old.pre_image (same as Reject).
if err := s.applyRevert(ctx, tx, old); err != nil {
return nil, err
}
// 3. Deadlock check on the NEW row: someone other than the caller
// must be qualified to approve. Original requester is no longer
// excluded (they're a regular team member now from the new row's
// POV), so they count if their role is sufficient.
ok, err := s.hasQualifiedApprover(ctx, tx, old.ProjectID, callerID, old.RequiredRole)
if err != nil {
return nil, err
}
if !ok {
return nil, fmt.Errorf("%w: required role %q", ErrNoQualifiedApprover, old.RequiredRole)
}
// 4. Re-apply the counter_payload to the entity row (write-then-approve).
// Reuses buildRevertSetClauses (date-allowlist translation). Always
// runs because we validated payloadDiffers + a valid set of keys
// above; even when only a note was provided (payloadDiffers=false),
// the original payload is re-applied for symmetry with Submit*.
applyPayload := counterPayload
if !payloadDiffers {
// Counter is identical to original — resubmit the same values as
// the new row's payload so the standard Submit* shape holds.
if err := json.Unmarshal(old.Payload, &applyPayload); err != nil {
return nil, fmt.Errorf("unmarshal original payload: %w", err)
}
}
if err := s.applyEntityUpdate(ctx, tx, old.EntityType, old.EntityID, applyPayload); err != nil {
return nil, err
}
// 5. INSERT the NEW pending row, authored by the caller, with
// previous_request_id pointing back at the old row.
newID := uuid.New()
applyPayloadJSON, err := marshalJSONOrNull(applyPayload)
if err != nil {
return nil, fmt.Errorf("marshal new payload: %w", err)
}
insertNewSQL := `INSERT INTO paliad.approval_requests
(id, project_id, entity_type, entity_id, lifecycle_event,
pre_image, payload, requested_by, required_role, status,
requester_kind, agent_turn_id, previous_request_id)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, 'pending', 'user', NULL, $10)`
if _, err := tx.ExecContext(ctx, insertNewSQL,
newID, old.ProjectID, old.EntityType, old.EntityID, old.LifecycleEvent,
[]byte(old.PreImage), applyPayloadJSON, callerID, old.RequiredRole,
requestID); err != nil {
return nil, fmt.Errorf("insert new approval_request: %w", err)
}
// 6. Mark the entity pending pointing at the new row.
updateEntitySQL := fmt.Sprintf(`UPDATE paliad.%s
SET approval_status = 'pending', pending_request_id = $1, updated_at = now()
WHERE id = $2 AND approval_status IN ('approved','legacy')`,
entityTableName(old.EntityType))
res, err := tx.ExecContext(ctx, updateEntitySQL, newID, old.EntityID)
if err != nil {
return nil, fmt.Errorf("mark entity pending: %w", err)
}
rows, _ := res.RowsAffected()
if rows != 1 {
return nil, ErrConcurrentPending
}
// 7. Emit *_approval_changes_suggested for the OLD row's transition.
suggestedEvent := approvalEventType(old.EntityType, "changes_suggested")
suggestedDesc := approvalDescription("changes_suggested", old.RequiredRole, old.LifecycleEvent)
suggestedMeta := map[string]any{
"approval_request_id": requestID.String(),
"new_request_id": newID.String(),
"lifecycle_event": old.LifecycleEvent,
"decision_kind": decisionKind,
old.EntityType + "_id": old.EntityID.String(),
}
if trimmedNote != "" {
suggestedMeta["decision_note"] = trimmedNote
}
if counterJSON != nil {
suggestedMeta["counter_payload"] = json.RawMessage(counterJSON)
}
if err := insertProjectEventWithMeta(ctx, tx, old.ProjectID, callerID, suggestedEvent, suggestedEvent, suggestedDesc, suggestedMeta); err != nil {
return nil, err
}
// 8. Emit *_approval_requested for the NEW row (same shape as Submit*).
requestedEvent := approvalEventType(old.EntityType, "requested")
requestedDesc := approvalDescription("requested", old.RequiredRole, old.LifecycleEvent)
requestedMeta := map[string]any{
"approval_request_id": newID.String(),
"previous_request_id": requestID.String(),
"lifecycle_event": old.LifecycleEvent,
"required_role": old.RequiredRole,
"requester_kind": "user",
old.EntityType + "_id": old.EntityID.String(),
}
if err := insertProjectEventWithMeta(ctx, tx, old.ProjectID, callerID, requestedEvent, requestedEvent, requestedDesc, requestedMeta); err != nil {
return nil, err
}
if err := tx.Commit(); err != nil {
return nil, fmt.Errorf("commit: %w", err)
}
return &newID, nil
}
// applyEntityUpdate writes the counter_payload fields onto the entity
// row (t-paliad-217 Slice B). Uses the WIDER counter-allowlist
// (buildCounterSetClauses) — every editable field on the entity, not
// just the date-allowlist that triggers approval. Handles
// event_type_ids as a junction-table rewrite when present in payload.
func (s *ApprovalService) applyEntityUpdate(ctx context.Context, tx *sqlx.Tx, entityType string, entityID uuid.UUID, payload map[string]any) error {
if len(payload) == 0 {
return fmt.Errorf("%w: empty payload", ErrSuggestionRequiresChange)
}
// 1. Column-level updates via the counter-allowlist.
setClauses, args, err := buildCounterSetClauses(entityType, payload)
if err != nil {
return err
}
if len(setClauses) > 0 {
setClauses = append(setClauses, "updated_at = now()")
args = append(args, entityID)
q := fmt.Sprintf(`UPDATE paliad.%s SET %s WHERE id = $%d`,
entityTableName(entityType), strings.Join(setClauses, ", "), len(args))
if _, err := tx.ExecContext(ctx, q, args...); err != nil {
return fmt.Errorf("apply counter payload to entity: %w", err)
}
}
// 2. event_type_ids junction rewrite (deadline only).
if entityType == EntityTypeDeadline {
if raw, ok := payload["event_type_ids"]; ok {
ids, err := parseUUIDList(raw)
if err != nil {
return fmt.Errorf("%w: invalid event_type_ids: %v", ErrSuggestionRequiresChange, err)
}
if err := rewriteDeadlineEventTypes(ctx, tx, entityID, ids); err != nil {
return err
}
}
}
return nil
}
// parseUUIDList accepts either []any (from json.Unmarshal of a JSON
// array) or []string and returns a []uuid.UUID. Empty list = explicit
// clear; nil-typed list also empty.
func parseUUIDList(raw any) ([]uuid.UUID, error) {
if raw == nil {
return nil, nil
}
arr, ok := raw.([]any)
if !ok {
// Fallback: caller serialized as []string directly.
if sarr, ok := raw.([]string); ok {
out := make([]uuid.UUID, 0, len(sarr))
for _, s := range sarr {
id, err := uuid.Parse(s)
if err != nil {
return nil, fmt.Errorf("not a UUID: %q", s)
}
out = append(out, id)
}
return out, nil
}
return nil, fmt.Errorf("expected array, got %T", raw)
}
out := make([]uuid.UUID, 0, len(arr))
for _, v := range arr {
s, ok := v.(string)
if !ok {
return nil, fmt.Errorf("expected string in array, got %T", v)
}
id, err := uuid.Parse(s)
if err != nil {
return nil, fmt.Errorf("not a UUID: %q", s)
}
out = append(out, id)
}
return out, nil
}
// payloadsDiffer returns true iff the candidate counter map decodes to a
// value that differs from the old row's payload jsonb. Used by
// SuggestChanges to detect "no-op suggestion". Both NULL or both empty
// map = identical → false. Comparison is by canonical re-marshal so
// jsonb-key-ordering doesn't poison the equality check.
func payloadsDiffer(old models.NullableJSON, candidate map[string]any) (bool, error) {
if len(candidate) == 0 && len(old) == 0 {
return false, nil
}
if len(candidate) == 0 || len(old) == 0 {
return true, nil
}
var oldMap map[string]any
if err := json.Unmarshal(old, &oldMap); err != nil {
return false, fmt.Errorf("unmarshal old payload: %w", err)
}
oldCanonical, err := json.Marshal(oldMap)
if err != nil {
return false, fmt.Errorf("re-marshal old payload: %w", err)
}
candCanonical, err := json.Marshal(candidate)
if err != nil {
return false, fmt.Errorf("marshal candidate payload: %w", err)
}
return !bytes.Equal(oldCanonical, candCanonical), nil
}
// decide is the shared kernel for Approve / Reject / Revoke. The decision
// kind is derived from the (caller, request) relationship and the requested
// final status:
@@ -947,17 +631,11 @@ func (s *ApprovalService) applyRevert(ctx context.Context, tx *sqlx.Tx, req *mod
}
// buildRevertSetClauses translates pre_image jsonb keys into SQL SET
// fragments for the Reject / Revoke path. Only the date-bearing
// t-paliad-138 §Q4 allowlist is honoured; unknown keys are silently
// dropped to defend against malformed pre_image rows (defence-in-depth:
// callers should already be sending only allowlisted fields, but a
// hostile UPDATE on the request row shouldn't let arbitrary fields be
// reverted).
//
// This is intentionally NARROWER than buildCounterSetClauses (which
// handles the SuggestChanges counter-payload). Reject restores ONLY what
// was originally captured in pre_image; SuggestChanges can write any
// counter-allowlist field the approver chose to author.
// fragments. Only the date-bearing allowlist (Q4) is honoured; unknown
// keys are silently dropped to defend against malformed pre_image rows
// (defence-in-depth: callers should already be sending only allowlisted
// fields, but a hostile UPDATE on the request row shouldn't let arbitrary
// fields be reverted).
func buildRevertSetClauses(entityType string, preImage map[string]any) ([]string, []any, error) {
var setClauses []string
var args []any
@@ -1007,135 +685,6 @@ func buildRevertSetClauses(entityType string, preImage map[string]any) ([]string
return setClauses, args, nil
}
// buildCounterSetClauses translates a SuggestChanges counter_payload jsonb
// into SQL SET fragments for the entity row (t-paliad-217 Slice B). This
// is the WIDER counter-allowlist — m's 2026-05-20 lock-in: every "real"
// editable field on the entity is in scope for a counter-proposal, not
// just the date-allowlist that triggers approval (t-paliad-138 §Q4).
//
// Unknown keys are silently dropped — defence-in-depth against a hostile
// counter_payload making it past the handler's body decode. Returns an
// error iff zero allowlisted fields are present (caller surfaces as
// ErrSuggestionRequiresChange when paired with an empty note).
//
// event_type_ids is NOT a column on paliad.deadlines — it's a junction
// table (paliad.deadline_event_types). applyEntityUpdate handles it
// separately; this function silently ignores the key.
func buildCounterSetClauses(entityType string, counter map[string]any) ([]string, []any, error) {
var setClauses []string
var args []any
add := func(col string, val any) {
args = append(args, val)
setClauses = append(setClauses, fmt.Sprintf("%s = $%d", col, len(args)))
}
// addText accepts string keys and stores either a non-NULL string or
// NULL when the caller explicitly cleared the value with an empty
// string. Used for the optional-text columns (description, notes,
// location, etc.).
addText := func(col string, raw any) {
if raw == nil {
args = append(args, nil)
} else {
s, _ := raw.(string)
if s == "" {
args = append(args, nil)
} else {
args = append(args, s)
}
}
setClauses = append(setClauses, fmt.Sprintf("%s = $%d", col, len(args)))
}
switch entityType {
case EntityTypeDeadline:
// Date allowlist (existing).
for _, col := range []string{"due_date", "original_due_date", "warning_date"} {
if v, ok := counter[col]; ok {
add(col, v)
}
}
// Required text (NOT NULL on the column — refuse empty).
if v, ok := counter["title"]; ok {
s, _ := v.(string)
if strings.TrimSpace(s) == "" {
return nil, nil, fmt.Errorf("%w: title cannot be empty", ErrSuggestionRequiresChange)
}
add("title", s)
}
// Nullable text (empty string clears).
for _, col := range []string{"description", "notes", "rule_code"} {
if v, ok := counter[col]; ok {
addText(col, v)
}
}
case EntityTypeAppointment:
// Datetime allowlist (existing).
for _, col := range []string{"start_at", "end_at"} {
if v, ok := counter[col]; ok {
add(col, v)
}
}
if v, ok := counter["title"]; ok {
s, _ := v.(string)
if strings.TrimSpace(s) == "" {
return nil, nil, fmt.Errorf("%w: title cannot be empty", ErrSuggestionRequiresChange)
}
add("title", s)
}
for _, col := range []string{"description", "location", "appointment_type"} {
if v, ok := counter[col]; ok {
addText(col, v)
}
}
default:
return nil, nil, fmt.Errorf("%w: %q", ErrUnknownEntityType, entityType)
}
// event_type_ids is handled outside this function (junction-table
// write). Its presence alone in the counter doesn't count as "zero
// fields" — applyEntityUpdate inspects len(setClauses)==0 against the
// combined picture, not this return value.
if len(setClauses) == 0 {
if _, ok := counter["event_type_ids"]; !ok {
return nil, nil, fmt.Errorf("%w: no allowlisted fields in counter for %s", ErrSuggestionRequiresChange, entityType)
}
}
return setClauses, args, nil
}
// rewriteDeadlineEventTypes replaces the deadline_event_types junction
// rows for a deadline with the provided list (t-paliad-217 Slice B).
// Empty list clears the junction (the deadline has no event-type tags).
// nil list = no-op (caller didn't include event_type_ids in the counter).
//
// We don't validate the event_type ids exist — the FK to paliad.event_types
// catches that with an ON DELETE CASCADE-safe failure. Caller wraps in tx.
func rewriteDeadlineEventTypes(ctx context.Context, tx *sqlx.Tx, deadlineID uuid.UUID, ids []uuid.UUID) error {
if _, err := tx.ExecContext(ctx,
`DELETE FROM paliad.deadline_event_types WHERE deadline_id = $1`, deadlineID); err != nil {
return fmt.Errorf("clear deadline_event_types: %w", err)
}
if len(ids) == 0 {
return nil
}
values := make([]string, 0, len(ids))
args := make([]any, 0, len(ids)+1)
args = append(args, deadlineID)
for i, id := range ids {
values = append(values, fmt.Sprintf("($1, $%d)", i+2))
args = append(args, id)
}
q := `INSERT INTO paliad.deadline_event_types (deadline_id, event_type_id) VALUES ` + strings.Join(values, ", ")
if _, err := tx.ExecContext(ctx, q, args...); err != nil {
return fmt.Errorf("insert deadline_event_types: %w", err)
}
return nil
}
// getRequestForUpdate locks an approval_requests row inside the tx for
// decision processing.
func (s *ApprovalService) getRequestForUpdate(ctx context.Context, tx *sqlx.Tx, requestID uuid.UUID) (*models.ApprovalRequest, error) {
@@ -1143,8 +692,6 @@ func (s *ApprovalService) getRequestForUpdate(ctx context.Context, tx *sqlx.Tx,
q := `SELECT id, project_id, entity_type, entity_id, lifecycle_event,
pre_image, payload, requested_by, requested_at, required_role,
status, decided_by, decided_at, decision_kind, decision_note,
requester_kind, agent_turn_id,
counter_payload, previous_request_id,
created_at, updated_at
FROM paliad.approval_requests
WHERE id = $1
@@ -1269,20 +816,14 @@ func marshalJSONOrNull(m map[string]any) ([]byte, error) {
// server would reject, replacing the previous click-then-alert UX.
type ApprovalRequestView struct {
models.ApprovalRequest
ProjectTitle string `db:"project_title" json:"project_title"`
EntityTitle *string `db:"entity_title" json:"entity_title,omitempty"`
RequesterName string `db:"requester_name" json:"requester_name"`
RequesterEmail string `db:"requester_email" json:"requester_email"`
DeciderName *string `db:"decider_name" json:"decider_name,omitempty"`
DeciderEmail *string `db:"decider_email" json:"decider_email,omitempty"`
ViewerCanApprove bool `db:"viewer_can_approve" json:"viewer_can_approve"`
ViewerIsRequester bool `db:"viewer_is_requester" json:"viewer_is_requester"`
// NextRequestID is the forward-pointer from a changes_requested row
// to the new pending row spawned by SuggestChanges (t-paliad-216).
// Hydrated via correlated subquery on previous_request_id; the
// partial index approval_requests_previous_idx keeps the lookup O(1).
// NULL on every row that hasn't been counter-proposed.
NextRequestID *uuid.UUID `db:"next_request_id" json:"next_request_id,omitempty"`
ProjectTitle string `db:"project_title" json:"project_title"`
EntityTitle *string `db:"entity_title" json:"entity_title,omitempty"`
RequesterName string `db:"requester_name" json:"requester_name"`
RequesterEmail string `db:"requester_email" json:"requester_email"`
DeciderName *string `db:"decider_name" json:"decider_name,omitempty"`
DeciderEmail *string `db:"decider_email" json:"decider_email,omitempty"`
ViewerCanApprove bool `db:"viewer_can_approve" json:"viewer_can_approve"`
ViewerIsRequester bool `db:"viewer_is_requester" json:"viewer_is_requester"`
}
// approvalEligibilitySQL is the SELECT-and-WHERE-compatible boolean
@@ -1334,7 +875,6 @@ const approvalRequestViewColumns = `
ar.pre_image, ar.payload, ar.requested_by, ar.requested_at, ar.required_role,
ar.status, ar.decided_by, ar.decided_at, ar.decision_kind, ar.decision_note,
ar.requester_kind, ar.agent_turn_id,
ar.counter_payload, ar.previous_request_id,
ar.created_at, ar.updated_at,
p.title AS project_title,
CASE WHEN ar.entity_type = 'deadline' THEN d.title
@@ -1345,11 +885,7 @@ const approvalRequestViewColumns = `
du.display_name AS decider_name,
du.email AS decider_email,
(ar.status = 'pending' AND ar.requested_by <> $1 AND ` + approvalEligibilitySQL + `) AS viewer_can_approve,
(ar.requested_by = $1) AS viewer_is_requester,
(SELECT nxt.id FROM paliad.approval_requests nxt
WHERE nxt.previous_request_id = ar.id
ORDER BY nxt.requested_at DESC
LIMIT 1) AS next_request_id`
(ar.requested_by = $1) AS viewer_is_requester`
const approvalRequestViewJoins = `
paliad.approval_requests ar

467
internal/services/approval_service_test.go
View File

@@ -946,470 +946,3 @@ func TestApprovalService_ViewerFlags(t *testing.T) {
t.Error("ListSubmittedByUser: viewer_is_requester = false on self-authored row, want true")
}
}
// ============================================================================
// SuggestChanges — t-paliad-216 Slice A. The fourth approval action: the
// approver authors a counter-proposal which becomes a NEW pending row
// requested by the approver. 4-Augen still holds via the standard
// self-approval guard.
// ============================================================================
// seedPendingUpdate spins up the {policy, deadline, pending update
// request} triple SuggestChanges needs. Returns the deadline id, the
// pending request id, and the pre-image due_date (so callers can assert
// applyRevert restored it correctly).
func (e *approvalTestEnv) seedPendingUpdate(t *testing.T) (uuid.UUID, uuid.UUID, time.Time) {
t.Helper()
ctx := context.Background()
e.seedPolicy(EntityTypeDeadline, LifecycleUpdate, "associate")
originalDue := time.Date(2026, 6, 1, 0, 0, 0, 0, time.UTC)
deadlineID := e.seedDeadline(originalDue)
newDue := time.Date(2026, 6, 15, 0, 0, 0, 0, time.UTC)
tx, err := e.pool.BeginTxx(ctx, nil)
if err != nil {
t.Fatalf("begin: %v", err)
}
if _, err := tx.ExecContext(ctx,
`UPDATE paliad.deadlines SET due_date = $1 WHERE id = $2`,
newDue, deadlineID); err != nil {
tx.Rollback()
t.Fatalf("UPDATE pre-submit: %v", err)
}
preImage := map[string]any{"due_date": "2026-06-01"}
payload := map[string]any{"due_date": "2026-06-15"}
reqID, err := e.approvals.SubmitUpdate(ctx, tx, e.projectID, deadlineID, e.requester, EntityTypeDeadline, preImage, payload)
if err != nil {
tx.Rollback()
t.Fatalf("SubmitUpdate: %v", err)
}
if err := tx.Commit(); err != nil {
t.Fatalf("commit: %v", err)
}
if reqID == nil {
t.Fatal("SubmitUpdate returned nil request id")
}
return deadlineID, *reqID, originalDue
}
// TestApprovalService_SuggestChanges_HappyPath: approver suggests a
// different due_date + note. Expected end state:
// - OLD request: status='changes_requested', decision_note set,
// counter_payload set, decided_by=approver.
// - Entity: approval_status='pending', pending_request_id points at
// a NEW pending row, due_date == approver's counter_payload value.
// - NEW request: status='pending', requested_by=approver,
// payload=counter_payload, previous_request_id=OLD.
// - Two project_events emitted: *_approval_changes_suggested and
// *_approval_requested.
func TestApprovalService_SuggestChanges_HappyPath(t *testing.T) {
env := setupApprovalTest(t)
defer env.cleanup()
ctx := context.Background()
deadlineID, oldReqID, _ := env.seedPendingUpdate(t)
counterDue := time.Date(2026, 6, 20, 0, 0, 0, 0, time.UTC)
counter := map[string]any{"due_date": "2026-06-20"}
newReqID, err := env.approvals.SuggestChanges(ctx, oldReqID, env.approver, counter, "Bitte später, Raumkonflikt am 15.6.")
if err != nil {
t.Fatalf("SuggestChanges: %v", err)
}
if newReqID == nil {
t.Fatal("expected new request id, got nil")
}
if *newReqID == oldReqID {
t.Fatal("new request id must differ from old")
}
// OLD row.
oldRow := struct {
Status string `db:"status"`
DecidedBy *uuid.UUID `db:"decided_by"`
DecidedAt *time.Time `db:"decided_at"`
DecisionNote *string `db:"decision_note"`
CounterPayload []byte `db:"counter_payload"`
PreviousRequest *uuid.UUID `db:"previous_request_id"`
DecisionKind *string `db:"decision_kind"`
}{}
if err := env.pool.GetContext(ctx, &oldRow,
`SELECT status, decided_by, decided_at, decision_note, counter_payload,
previous_request_id, decision_kind
FROM paliad.approval_requests WHERE id = $1`, oldReqID); err != nil {
t.Fatalf("read old row: %v", err)
}
if oldRow.Status != RequestStatusChangesRequested {
t.Errorf("old row status = %q, want %q", oldRow.Status, RequestStatusChangesRequested)
}
if oldRow.DecidedBy == nil || *oldRow.DecidedBy != env.approver {
t.Errorf("old row decided_by = %v, want %v", oldRow.DecidedBy, env.approver)
}
if oldRow.DecisionNote == nil || *oldRow.DecisionNote == "" {
t.Error("old row decision_note should be set")
}
if len(oldRow.CounterPayload) == 0 {
t.Error("old row counter_payload should be set")
}
if oldRow.PreviousRequest != nil {
t.Errorf("old row previous_request_id = %v, want NULL", oldRow.PreviousRequest)
}
if oldRow.DecisionKind == nil || (*oldRow.DecisionKind != DecisionKindPeer && *oldRow.DecisionKind != DecisionKindAdminOverride) {
t.Errorf("old row decision_kind = %v, want peer or admin_override", oldRow.DecisionKind)
}
// NEW row.
newRow := struct {
Status string `db:"status"`
RequestedBy uuid.UUID `db:"requested_by"`
Payload []byte `db:"payload"`
PreviousRequestID *uuid.UUID `db:"previous_request_id"`
LifecycleEvent string `db:"lifecycle_event"`
}{}
if err := env.pool.GetContext(ctx, &newRow,
`SELECT status, requested_by, payload, previous_request_id, lifecycle_event
FROM paliad.approval_requests WHERE id = $1`, *newReqID); err != nil {
t.Fatalf("read new row: %v", err)
}
if newRow.Status != RequestStatusPending {
t.Errorf("new row status = %q, want pending", newRow.Status)
}
if newRow.RequestedBy != env.approver {
t.Errorf("new row requested_by = %v, want %v (approver)", newRow.RequestedBy, env.approver)
}
if newRow.PreviousRequestID == nil || *newRow.PreviousRequestID != oldReqID {
t.Errorf("new row previous_request_id = %v, want %v", newRow.PreviousRequestID, oldReqID)
}
if newRow.LifecycleEvent != LifecycleUpdate {
t.Errorf("new row lifecycle = %q, want update", newRow.LifecycleEvent)
}
// Entity: pending, due_date == counter.
entity := struct {
Status string `db:"approval_status"`
PendingRequest *uuid.UUID `db:"pending_request_id"`
DueDate time.Time `db:"due_date"`
}{}
if err := env.pool.GetContext(ctx, &entity,
`SELECT approval_status, pending_request_id, due_date FROM paliad.deadlines WHERE id = $1`,
deadlineID); err != nil {
t.Fatalf("read entity: %v", err)
}
if entity.Status != "pending" {
t.Errorf("entity approval_status = %q, want pending", entity.Status)
}
if entity.PendingRequest == nil || *entity.PendingRequest != *newReqID {
t.Errorf("entity pending_request_id = %v, want %v", entity.PendingRequest, *newReqID)
}
if !entity.DueDate.Equal(counterDue) {
t.Errorf("entity due_date = %v, want %v (counter)", entity.DueDate, counterDue)
}
// Two project_events: one *_approval_changes_suggested + one *_approval_requested
// for the NEW row.
var nSuggested, nRequested int
if err := env.pool.GetContext(ctx, &nSuggested,
`SELECT COUNT(*) FROM paliad.project_events
WHERE project_id = $1 AND event_type = 'deadline_approval_changes_suggested'`,
env.projectID); err != nil {
t.Fatalf("count changes_suggested events: %v", err)
}
if nSuggested != 1 {
t.Errorf("expected 1 deadline_approval_changes_suggested event, got %d", nSuggested)
}
if err := env.pool.GetContext(ctx, &nRequested,
`SELECT COUNT(*) FROM paliad.project_events
WHERE project_id = $1 AND event_type = 'deadline_approval_requested'`,
env.projectID); err != nil {
t.Fatalf("count requested events: %v", err)
}
// Two requested events expected: one from the original SubmitUpdate +
// one from the SuggestChanges spawn.
if nRequested != 2 {
t.Errorf("expected 2 deadline_approval_requested events (original + spawn), got %d", nRequested)
}
}
// TestApprovalService_SuggestChanges_NoOpRejected: identical counter +
// empty note returns ErrSuggestionRequiresChange.
func TestApprovalService_SuggestChanges_NoOpRejected(t *testing.T) {
env := setupApprovalTest(t)
defer env.cleanup()
ctx := context.Background()
_, oldReqID, _ := env.seedPendingUpdate(t)
// Same payload as the original SubmitUpdate. No note.
identical := map[string]any{"due_date": "2026-06-15"}
_, err := env.approvals.SuggestChanges(ctx, oldReqID, env.approver, identical, "")
if !errors.Is(err, ErrSuggestionRequiresChange) {
t.Errorf("no-op suggest: got %v, want ErrSuggestionRequiresChange", err)
}
// Empty counter, empty note → also rejected.
_, err = env.approvals.SuggestChanges(ctx, oldReqID, env.approver, nil, "")
if !errors.Is(err, ErrSuggestionRequiresChange) {
t.Errorf("empty suggest: got %v, want ErrSuggestionRequiresChange", err)
}
}
// TestApprovalService_SuggestChanges_NoteOnlyAccepted: when the counter
// is unchanged but a non-empty note is present, the call succeeds. The
// new row's payload equals the OLD payload (the approver said "I want a
// fresh look from someone else; here's why", without a different value).
func TestApprovalService_SuggestChanges_NoteOnlyAccepted(t *testing.T) {
env := setupApprovalTest(t)
defer env.cleanup()
ctx := context.Background()
deadlineID, oldReqID, _ := env.seedPendingUpdate(t)
identical := map[string]any{"due_date": "2026-06-15"}
newReqID, err := env.approvals.SuggestChanges(ctx, oldReqID, env.approver, identical, "Bitte nochmal prüfen.")
if err != nil {
t.Fatalf("note-only suggest: %v", err)
}
if newReqID == nil {
t.Fatal("expected new request id, got nil")
}
// Entity's due_date stays at 2026-06-15 (the original counter == original payload).
var got time.Time
if err := env.pool.GetContext(ctx, &got,
`SELECT due_date FROM paliad.deadlines WHERE id = $1`, deadlineID); err != nil {
t.Fatalf("read due_date: %v", err)
}
want := time.Date(2026, 6, 15, 0, 0, 0, 0, time.UTC)
if !got.Equal(want) {
t.Errorf("entity due_date = %v, want %v", got, want)
}
}
// TestApprovalService_SuggestChanges_SelfApprovalBlocked: the original
// requester cannot suggest changes on their own row (would equal
// self-approval).
func TestApprovalService_SuggestChanges_SelfApprovalBlocked(t *testing.T) {
env := setupApprovalTest(t)
defer env.cleanup()
ctx := context.Background()
_, oldReqID, _ := env.seedPendingUpdate(t)
counter := map[string]any{"due_date": "2026-06-20"}
_, err := env.approvals.SuggestChanges(ctx, oldReqID, env.requester, counter, "")
if !errors.Is(err, ErrSelfApproval) {
t.Errorf("self suggest: got %v, want ErrSelfApproval", err)
}
}
// TestApprovalService_SuggestChanges_RequestNotPending: a row already
// decided (approved/rejected/revoked/changes_requested) rejects further
// suggest-changes calls.
func TestApprovalService_SuggestChanges_RequestNotPending(t *testing.T) {
env := setupApprovalTest(t)
defer env.cleanup()
ctx := context.Background()
_, oldReqID, _ := env.seedPendingUpdate(t)
// Approve first.
if err := env.approvals.Approve(ctx, oldReqID, env.approver, "ok"); err != nil {
t.Fatalf("Approve: %v", err)
}
counter := map[string]any{"due_date": "2026-06-20"}
_, err := env.approvals.SuggestChanges(ctx, oldReqID, env.approver, counter, "too late")
if !errors.Is(err, ErrRequestNotPending) {
t.Errorf("decided row suggest: got %v, want ErrRequestNotPending", err)
}
}
// TestApprovalService_SuggestChanges_LifecycleInvalid: lifecycle ∉
// (update, complete) rejects with ErrSuggestionLifecycleInvalid. A
// create-lifecycle pending request is the easiest to set up.
func TestApprovalService_SuggestChanges_LifecycleInvalid(t *testing.T) {
env := setupApprovalTest(t)
defer env.cleanup()
ctx := context.Background()
env.seedPolicy(EntityTypeDeadline, LifecycleCreate, "associate")
deadlineID := env.seedDeadline(time.Now().AddDate(0, 0, 14))
tx, err := env.pool.BeginTxx(ctx, nil)
if err != nil {
t.Fatalf("begin: %v", err)
}
reqID, err := env.approvals.SubmitCreate(ctx, tx, env.projectID, deadlineID, env.requester, EntityTypeDeadline, map[string]any{"due_date": "2026-05-20"})
if err != nil {
tx.Rollback()
t.Fatalf("SubmitCreate: %v", err)
}
if err := tx.Commit(); err != nil {
t.Fatalf("commit: %v", err)
}
counter := map[string]any{"due_date": "2026-06-01"}
_, err = env.approvals.SuggestChanges(ctx, *reqID, env.approver, counter, "different date")
if !errors.Is(err, ErrSuggestionLifecycleInvalid) {
t.Errorf("create-lifecycle suggest: got %v, want ErrSuggestionLifecycleInvalid", err)
}
}
// TestApprovalService_SuggestChanges_OriginalRequesterCanApproveCounter:
// the cleanest verification of m's Q6 mental model — after the approver
// suggests changes, the ORIGINAL REQUESTER is no longer the new row's
// requested_by and can now approve the counter themselves (provided
// their profession is sufficient). For this test we promote the requester
// to 'partner' profession so they pass the canApprove gate.
func TestApprovalService_SuggestChanges_OriginalRequesterCanApproveCounter(t *testing.T) {
env := setupApprovalTest(t)
defer env.cleanup()
ctx := context.Background()
// Promote the requester so they qualify as an approver of the counter.
// The original Submit was theirs (excluded as requested_by); for the
// counter their role lets them sign off.
if _, err := env.pool.ExecContext(ctx,
`UPDATE paliad.users SET profession='partner' WHERE id = $1`, env.requester); err != nil {
t.Fatalf("promote requester profession: %v", err)
}
if _, err := env.pool.ExecContext(ctx,
`UPDATE paliad.users SET profession='partner' WHERE id = $1`, env.approver); err != nil {
t.Fatalf("promote approver profession: %v", err)
}
deadlineID, oldReqID, _ := env.seedPendingUpdate(t)
counter := map[string]any{"due_date": "2026-06-22"}
newReqID, err := env.approvals.SuggestChanges(ctx, oldReqID, env.approver, counter, "Lieber den 22.")
if err != nil {
t.Fatalf("SuggestChanges: %v", err)
}
// Original requester approves the counter.
if err := env.approvals.Approve(ctx, *newReqID, env.requester, "Ja, passt."); err != nil {
t.Fatalf("original requester approves counter: %v", err)
}
// Entity is back to approved with the counter date.
row := struct {
Status string `db:"approval_status"`
ApprovedBy *uuid.UUID `db:"approved_by"`
DueDate time.Time `db:"due_date"`
}{}
if err := env.pool.GetContext(ctx, &row,
`SELECT approval_status, approved_by, due_date FROM paliad.deadlines WHERE id = $1`,
deadlineID); err != nil {
t.Fatalf("read entity: %v", err)
}
if row.Status != "approved" {
t.Errorf("entity approval_status = %q, want approved", row.Status)
}
if row.ApprovedBy == nil || *row.ApprovedBy != env.requester {
t.Errorf("approved_by = %v, want %v (original requester)", row.ApprovedBy, env.requester)
}
want := time.Date(2026, 6, 22, 0, 0, 0, 0, time.UTC)
if !row.DueDate.Equal(want) {
t.Errorf("due_date = %v, want %v", row.DueDate, want)
}
}
// TestApprovalService_SuggestChanges_CounterApproverCannotSelfApprove:
// after suggest-changes, the approver who suggested (= new row's
// requested_by) is blocked from approving their own counter — 4-Augen
// still holds.
func TestApprovalService_SuggestChanges_CounterApproverCannotSelfApprove(t *testing.T) {
env := setupApprovalTest(t)
defer env.cleanup()
ctx := context.Background()
_, oldReqID, _ := env.seedPendingUpdate(t)
counter := map[string]any{"due_date": "2026-06-22"}
newReqID, err := env.approvals.SuggestChanges(ctx, oldReqID, env.approver, counter, "")
if err != nil {
t.Fatalf("SuggestChanges: %v", err)
}
if err := env.approvals.Approve(ctx, *newReqID, env.approver, ""); !errors.Is(err, ErrSelfApproval) {
t.Errorf("counter author self-approves: got %v, want ErrSelfApproval", err)
}
}
// TestApprovalService_SuggestChanges_TitleOnlyCounter pins t-paliad-217
// Slice B: the counter-allowlist now accepts the wider field set
// (title / description / notes / rule_code / event_type_ids on
// deadlines). A counter that ONLY changes the title (no date diff) must
// succeed — the new pending row's payload carries the title, and the
// entity row's title field is updated in-tx.
func TestApprovalService_SuggestChanges_TitleOnlyCounter(t *testing.T) {
env := setupApprovalTest(t)
defer env.cleanup()
ctx := context.Background()
deadlineID, oldReqID, _ := env.seedPendingUpdate(t)
counter := map[string]any{"title": "Klageerwiderung — Vorschlag Hertz"}
newReqID, err := env.approvals.SuggestChanges(ctx, oldReqID, env.approver, counter, "")
if err != nil {
t.Fatalf("title-only suggest: %v", err)
}
if newReqID == nil {
t.Fatal("expected new request id, got nil")
}
// Entity's title flipped.
var gotTitle string
if err := env.pool.GetContext(ctx, &gotTitle,
`SELECT title FROM paliad.deadlines WHERE id = $1`, deadlineID); err != nil {
t.Fatalf("read title: %v", err)
}
if gotTitle != "Klageerwiderung — Vorschlag Hertz" {
t.Errorf("entity title = %q, want %q", gotTitle, "Klageerwiderung — Vorschlag Hertz")
}
}
// TestApprovalService_SuggestChanges_NotesOnlyCounter pins t-paliad-217
// Slice B: notes is in the counter-allowlist and a notes-only counter
// must succeed. Empty-string clears the column (NULLable text).
func TestApprovalService_SuggestChanges_NotesOnlyCounter(t *testing.T) {
env := setupApprovalTest(t)
defer env.cleanup()
ctx := context.Background()
deadlineID, oldReqID, _ := env.seedPendingUpdate(t)
counter := map[string]any{"notes": "Bitte vor Einreichung mit Mandant abstimmen."}
if _, err := env.approvals.SuggestChanges(ctx, oldReqID, env.approver, counter, ""); err != nil {
t.Fatalf("notes-only suggest: %v", err)
}
var gotNotes *string
if err := env.pool.GetContext(ctx, &gotNotes,
`SELECT notes FROM paliad.deadlines WHERE id = $1`, deadlineID); err != nil {
t.Fatalf("read notes: %v", err)
}
if gotNotes == nil || *gotNotes != "Bitte vor Einreichung mit Mandant abstimmen." {
t.Errorf("entity notes = %v, want set", gotNotes)
}
}
// TestApprovalService_SuggestChanges_EmptyTitleRejected pins the title
// non-empty CHECK on the counter-allowlist: title is NOT NULL on the
// deadlines column, so a counter that explicitly sends "" for title
// must be rejected with ErrSuggestionRequiresChange (not silently
// dropped or written as a NULL).
func TestApprovalService_SuggestChanges_EmptyTitleRejected(t *testing.T) {
env := setupApprovalTest(t)
defer env.cleanup()
ctx := context.Background()
_, oldReqID, _ := env.seedPendingUpdate(t)
counter := map[string]any{"title": " "} // whitespace-only
_, err := env.approvals.SuggestChanges(ctx, oldReqID, env.approver, counter, "")
if !errors.Is(err, ErrSuggestionRequiresChange) {
t.Errorf("empty-title suggest: got %v, want ErrSuggestionRequiresChange", err)
}
}

265
internal/services/binding_service.go
View File

@@ -1,265 +0,0 @@
package services
import (
"context"
"database/sql"
"errors"
"fmt"
"strings"
"time"
"github.com/google/uuid"
"github.com/jmoiron/sqlx"
"mgit.msbls.de/m/paliad/internal/models"
)
// CalendarBindingService — CRUD on paliad.user_calendar_bindings.
//
// Each row is one of N (calendar, scope) bindings layered on top of the
// user's single CalDAV server connection in paliad.user_caldav_config.
// Slice 1 (t-paliad-212) introduced the table + an auto-backfilled
// 'all_visible' binding per existing user; Slice 2a wires the service
// that owns the rows. The sync engine (CalDAVService) drives off
// ListEnabled to discover where to push.
//
// Validation of (scope_kind, scope_id) combinatorics is enforced both
// here (so the API returns a useful 400) and by the table's CHECK
// constraints (so direct SQL or older clients can't slip a bad row in).
type CalendarBindingService struct {
db *sqlx.DB
}
func NewCalendarBindingService(db *sqlx.DB) *CalendarBindingService {
return &CalendarBindingService{db: db}
}
const bindingColumns = `
id, user_id, calendar_path, display_name,
scope_kind, scope_id, include_personal, enabled,
last_sync_at, last_sync_error, created_at, updated_at`
// ListForUser returns every binding owned by the user, ordered by
// scope_kind then created_at so the all_visible / personal_only roots
// always sort to the top.
func (s *CalendarBindingService) ListForUser(ctx context.Context, userID uuid.UUID) ([]models.UserCalendarBinding, error) {
rows := []models.UserCalendarBinding{}
if err := s.db.SelectContext(ctx, &rows,
`SELECT `+bindingColumns+`
FROM paliad.user_calendar_bindings
WHERE user_id = $1
ORDER BY
CASE scope_kind
WHEN 'all_visible' THEN 0
WHEN 'personal_only' THEN 1
ELSE 2
END,
created_at`, userID); err != nil {
return nil, fmt.Errorf("list bindings: %w", err)
}
return rows, nil
}
// ListEnabled returns the user's bindings with enabled = true.
// Used by the CalDAVService sync loop.
func (s *CalendarBindingService) ListEnabled(ctx context.Context, userID uuid.UUID) ([]models.UserCalendarBinding, error) {
rows := []models.UserCalendarBinding{}
if err := s.db.SelectContext(ctx, &rows,
`SELECT `+bindingColumns+`
FROM paliad.user_calendar_bindings
WHERE user_id = $1 AND enabled = true
ORDER BY created_at`, userID); err != nil {
return nil, fmt.Errorf("list enabled bindings: %w", err)
}
return rows, nil
}
// ListAllEnabled returns every enabled binding across all users.
// Used at server boot to spawn one sync goroutine per (user) that
// owns at least one enabled binding.
func (s *CalendarBindingService) ListAllEnabled(ctx context.Context) ([]models.UserCalendarBinding, error) {
rows := []models.UserCalendarBinding{}
if err := s.db.SelectContext(ctx, &rows,
`SELECT `+bindingColumns+`
FROM paliad.user_calendar_bindings
WHERE enabled = true
ORDER BY user_id, created_at`); err != nil {
return nil, fmt.Errorf("list all enabled bindings: %w", err)
}
return rows, nil
}
// Get returns one binding scoped to the user; ErrNotVisible when the row
// doesn't exist or belongs to someone else.
func (s *CalendarBindingService) Get(ctx context.Context, userID, bindingID uuid.UUID) (*models.UserCalendarBinding, error) {
var b models.UserCalendarBinding
err := s.db.GetContext(ctx, &b,
`SELECT `+bindingColumns+`
FROM paliad.user_calendar_bindings
WHERE id = $1 AND user_id = $2`, bindingID, userID)
if errors.Is(err, sql.ErrNoRows) {
return nil, ErrNotVisible
}
if err != nil {
return nil, fmt.Errorf("get binding: %w", err)
}
return &b, nil
}
// CreateInput is the payload for POST /api/caldav-bindings. Slice 2b
// wires this; Slice 2a exposes Create for tests + SQL-equivalent
// integration tests.
type CreateBindingInput struct {
CalendarPath string `json:"calendar_path"`
DisplayName string `json:"display_name"`
ScopeKind string `json:"scope_kind"`
ScopeID *uuid.UUID `json:"scope_id,omitempty"`
IncludePersonal bool `json:"include_personal"`
Enabled bool `json:"enabled"`
}
// Create inserts a new binding. Validates scope_kind / scope_id
// combinatorics; returns ErrInvalidInput on a bad payload.
func (s *CalendarBindingService) Create(ctx context.Context, userID uuid.UUID, in CreateBindingInput) (*models.UserCalendarBinding, error) {
if err := validateScope(in.ScopeKind, in.ScopeID); err != nil {
return nil, err
}
if in.CalendarPath == "" {
return nil, fmt.Errorf("%w: calendar_path is required", ErrInvalidInput)
}
now := time.Now().UTC()
var b models.UserCalendarBinding
err := s.db.GetContext(ctx, &b,
`INSERT INTO paliad.user_calendar_bindings
(user_id, calendar_path, display_name, scope_kind, scope_id,
include_personal, enabled, created_at, updated_at)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $8)
RETURNING `+bindingColumns,
userID, in.CalendarPath, in.DisplayName, in.ScopeKind, in.ScopeID,
in.IncludePersonal, in.Enabled, now)
if err != nil {
return nil, fmt.Errorf("insert binding: %w", err)
}
return &b, nil
}
// UpdateInput captures the PATCH-shaped fields. Pointer fields = "leave
// as-is when nil".
type UpdateBindingInput struct {
DisplayName *string `json:"display_name,omitempty"`
ScopeKind *string `json:"scope_kind,omitempty"`
ScopeID *uuid.UUID `json:"scope_id,omitempty"`
IncludePersonal *bool `json:"include_personal,omitempty"`
Enabled *bool `json:"enabled,omitempty"`
}
// Update mutates the binding. Validates the resulting (scope_kind, scope_id)
// combinatorics if either field changes.
func (s *CalendarBindingService) Update(ctx context.Context, userID, bindingID uuid.UUID, in UpdateBindingInput) (*models.UserCalendarBinding, error) {
existing, err := s.Get(ctx, userID, bindingID)
if err != nil {
return nil, err
}
if in.ScopeKind != nil || in.ScopeID != nil {
kind := existing.ScopeKind
if in.ScopeKind != nil {
kind = *in.ScopeKind
}
var sid *uuid.UUID
if in.ScopeID != nil {
sid = in.ScopeID
} else {
sid = existing.ScopeID
}
if err := validateScope(kind, sid); err != nil {
return nil, err
}
}
sets := []string{"updated_at = NOW()"}
args := []any{}
next := 1
addSet := func(col string, val any) {
sets = append(sets, fmt.Sprintf("%s = $%d", col, next))
args = append(args, val)
next++
}
if in.DisplayName != nil {
addSet("display_name", *in.DisplayName)
}
if in.ScopeKind != nil {
addSet("scope_kind", *in.ScopeKind)
}
if in.ScopeID != nil {
addSet("scope_id", *in.ScopeID)
}
if in.IncludePersonal != nil {
addSet("include_personal", *in.IncludePersonal)
}
if in.Enabled != nil {
addSet("enabled", *in.Enabled)
}
// Append WHERE clause args last.
args = append(args, bindingID, userID)
q := fmt.Sprintf(`UPDATE paliad.user_calendar_bindings
SET %s
WHERE id = $%d AND user_id = $%d
RETURNING %s`, strings.Join(sets, ", "), next, next+1, bindingColumns)
var b models.UserCalendarBinding
if err := s.db.GetContext(ctx, &b, q, args...); err != nil {
if errors.Is(err, sql.ErrNoRows) {
return nil, ErrNotVisible
}
return nil, fmt.Errorf("update binding: %w", err)
}
return &b, nil
}
// Delete removes the binding row. Caller is responsible for the remote
// .ics cleanup (CalDAVService handles that via §2.6 of the Slice 2 brief)
// before invoking this; this method is the bare DB delete.
func (s *CalendarBindingService) Delete(ctx context.Context, userID, bindingID uuid.UUID) error {
res, err := s.db.ExecContext(ctx,
`DELETE FROM paliad.user_calendar_bindings
WHERE id = $1 AND user_id = $2`, bindingID, userID)
if err != nil {
return fmt.Errorf("delete binding: %w", err)
}
n, _ := res.RowsAffected()
if n == 0 {
return ErrNotVisible
}
return nil
}
// SetSyncStatus is called by CalDAVService after each sync attempt for
// this binding. last_sync_error nil clears the previous error.
func (s *CalendarBindingService) SetSyncStatus(ctx context.Context, bindingID uuid.UUID, errStr *string) error {
_, err := s.db.ExecContext(ctx,
`UPDATE paliad.user_calendar_bindings
SET last_sync_at = NOW(), last_sync_error = $1, updated_at = NOW()
WHERE id = $2`, errStr, bindingID)
if err != nil {
return fmt.Errorf("update binding sync status: %w", err)
}
return nil
}
// validateScope mirrors the table's CHECK constraints — we duplicate
// the rule here so the API can return a useful 400 instead of letting
// Postgres reject the row with a generic check_violation.
func validateScope(kind string, scopeID *uuid.UUID) error {
switch kind {
case models.BindingScopeAllVisible, models.BindingScopePersonalOnly:
if scopeID != nil {
return fmt.Errorf("%w: scope_id must be NULL when scope_kind = %q", ErrInvalidInput, kind)
}
case models.BindingScopeProject, models.BindingScopeClient, models.BindingScopeLitigation, models.BindingScopePatent, models.BindingScopeCase:
if scopeID == nil {
return fmt.Errorf("%w: scope_id is required when scope_kind = %q", ErrInvalidInput, kind)
}
default:
return fmt.Errorf("%w: unknown scope_kind %q", ErrInvalidInput, kind)
}
return nil
}

503
internal/services/caldav_client.go
View File

@@ -2,28 +2,15 @@ package services
import (
"context"
"crypto/rand"
"encoding/hex"
"encoding/xml"
"errors"
"fmt"
"io"
"net/http"
"net/url"
"slices"
"strings"
"time"
)
// ErrCalendarNameTaken is returned by MakeCalendar when the server
// rejects MKCALENDAR with 405 — name already in use.
var ErrCalendarNameTaken = errors.New("calendar name already taken on server")
// ErrMKCalendarUnsupported is returned by MakeCalendar when the server
// outright rejects MKCALENDAR (403/501) — should never fire after a
// successful probe, but kept as a defence so we don't loop.
var ErrMKCalendarUnsupported = errors.New("server does not support MKCALENDAR")
// Tiny CalDAV HTTP client — only the verbs Paliad needs:
// - PUT (create / replace event)
// - GET (fetch event by path)
@@ -182,77 +169,6 @@ func (c *calDAVClient) PropfindCalendar(ctx context.Context, calendarPath string
return parseMultiStatus(resp.Body)
}
// multigetMaxHrefs caps the number of hrefs in one REPORT request to keep
// us well within Google's documented limit (~200) and iCloud's
// rate-shaping. Callers chunk larger lists into multiple requests.
const multigetMaxHrefs = 100
// MultigetEvent is one (href, etag, calendar-data) result returned by
// ReportMultiget. CalendarData is the raw iCalendar body and is fed
// straight into parseICalendar; ETag matches the value that would have
// been returned by PROPFIND for the same href.
type MultigetEvent struct {
Href string
ETag string
CalendarData string
}
// ReportMultiget runs a `REPORT calendar-multiget` (RFC 4791 §7.9)
// against calendarPath and returns one MultigetEvent per requested href.
// Hrefs missing from the response (404 inside the multistatus) are
// omitted from the returned slice — callers should treat that as a
// remote deletion. Hrefs are auto-chunked at multigetMaxHrefs.
func (c *calDAVClient) ReportMultiget(ctx context.Context, calendarPath string, hrefs []string) ([]MultigetEvent, error) {
if len(hrefs) == 0 {
return nil, nil
}
out := []MultigetEvent{}
for start := 0; start < len(hrefs); start += multigetMaxHrefs {
end := min(start+multigetMaxHrefs, len(hrefs))
chunk, err := c.reportMultigetChunk(ctx, calendarPath, hrefs[start:end])
if err != nil {
return nil, err
}
out = append(out, chunk...)
}
return out, nil
}
func (c *calDAVClient) reportMultigetChunk(ctx context.Context, calendarPath string, hrefs []string) ([]MultigetEvent, error) {
var b strings.Builder
b.WriteString(`<?xml version="1.0" encoding="utf-8"?>
<C:calendar-multiget xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav">
<D:prop>
<D:getetag/>
<C:calendar-data/>
</D:prop>
`)
for _, h := range hrefs {
b.WriteString(" <D:href>")
_ = xml.EscapeText(&b, []byte(h))
b.WriteString("</D:href>\n")
}
b.WriteString(`</C:calendar-multiget>`)
req, err := http.NewRequestWithContext(ctx, "REPORT", c.absURL(calendarPath), strings.NewReader(b.String()))
if err != nil {
return nil, err
}
req.SetBasicAuth(c.username, c.password)
req.Header.Set("Depth", "1")
req.Header.Set("Content-Type", "application/xml; charset=utf-8")
resp, err := c.hc.Do(req)
if err != nil {
return nil, fmt.Errorf("REPORT: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode != 207 {
raw, _ := io.ReadAll(resp.Body)
return nil, fmt.Errorf("REPORT %s: %d %s — %s", calendarPath, resp.StatusCode, resp.Status, string(raw))
}
return parseMultigetResponse(resp.Body)
}
// PropfindRoot performs a Depth:0 PROPFIND on the calendar URL — used by
// the "Test connection" button to verify auth + URL without storing creds.
func (c *calDAVClient) PropfindRoot(ctx context.Context, path string) error {
@@ -282,338 +198,6 @@ func (c *calDAVClient) PropfindRoot(ctx context.Context, path string) error {
return nil
}
// DiscoveredCalendar is one calendar collection enumerated by
// DiscoverCalendars. supportedComponents lists the iCal component types
// the server advertises (VEVENT, VTODO, …); the picker filters to ones
// supporting VEVENT.
type DiscoveredCalendar struct {
Href string
DisplayName string
SupportedComponents []string
}
// DiscoverCalendars walks the CalDAV discovery chain (RFC 6764 §6 /
// RFC 6638 §10): server root → current-user-principal → calendar-home-set
// → enumeration of child calendar collections.
//
// Returns the discovered calendars + the calendar-home-set URL so the
// caller can issue MKCALENDAR against it in Slice 2c. Hrefs are
// returned as-is (absolute or path-rooted) per server response; the
// client's absURL handles both at PUT time.
func (c *calDAVClient) DiscoverCalendars(ctx context.Context, serverURL string) ([]DiscoveredCalendar, string, error) {
principal, err := c.findCurrentUserPrincipal(ctx, serverURL)
if err != nil {
return nil, "", fmt.Errorf("current-user-principal: %w", err)
}
home, err := c.findCalendarHomeSet(ctx, principal)
if err != nil {
return nil, "", fmt.Errorf("calendar-home-set: %w", err)
}
calendars, err := c.listCalendars(ctx, home)
if err != nil {
return nil, home, fmt.Errorf("list calendars: %w", err)
}
return calendars, home, nil
}
func (c *calDAVClient) findCurrentUserPrincipal(ctx context.Context, urlPath string) (string, error) {
body := `<?xml version="1.0" encoding="utf-8"?>
<d:propfind xmlns:d="DAV:">
<d:prop><d:current-user-principal/></d:prop>
</d:propfind>`
hrefs, err := c.propfindHrefs(ctx, urlPath, "0", body, "current-user-principal")
if err != nil {
return "", err
}
if len(hrefs) == 0 {
return "", fmt.Errorf("server returned no current-user-principal")
}
return hrefs[0], nil
}
func (c *calDAVClient) findCalendarHomeSet(ctx context.Context, principalPath string) (string, error) {
body := `<?xml version="1.0" encoding="utf-8"?>
<d:propfind xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav">
<d:prop><c:calendar-home-set/></d:prop>
</d:propfind>`
hrefs, err := c.propfindHrefs(ctx, principalPath, "0", body, "calendar-home-set")
if err != nil {
return "", err
}
if len(hrefs) == 0 {
return "", fmt.Errorf("server returned no calendar-home-set")
}
return hrefs[0], nil
}
func (c *calDAVClient) listCalendars(ctx context.Context, homePath string) ([]DiscoveredCalendar, error) {
body := `<?xml version="1.0" encoding="utf-8"?>
<d:propfind xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav">
<d:prop>
<d:resourcetype/>
<d:displayname/>
<c:supported-calendar-component-set/>
</d:prop>
</d:propfind>`
req, err := http.NewRequestWithContext(ctx, "PROPFIND", c.absURL(homePath), strings.NewReader(body))
if err != nil {
return nil, err
}
req.SetBasicAuth(c.username, c.password)
req.Header.Set("Depth", "1")
req.Header.Set("Content-Type", "application/xml; charset=utf-8")
resp, err := c.hc.Do(req)
if err != nil {
return nil, fmt.Errorf("PROPFIND: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode != 207 {
raw, _ := io.ReadAll(resp.Body)
return nil, fmt.Errorf("PROPFIND %s: %d %s — %s", homePath, resp.StatusCode, resp.Status, string(raw))
}
var ms calendarHomeMultiStatus
if err := xml.NewDecoder(resp.Body).Decode(&ms); err != nil {
return nil, fmt.Errorf("decode home-set multistatus: %w", err)
}
out := []DiscoveredCalendar{}
for _, r := range ms.Responses {
var displayname string
isCalendar := false
comps := []string{}
for _, ps := range r.Propstat {
if !strings.Contains(ps.Status, "200") {
continue
}
if ps.Prop.ResourceType.Calendar != nil {
isCalendar = true
}
if ps.Prop.DisplayName != "" {
displayname = ps.Prop.DisplayName
}
for _, comp := range ps.Prop.SupportedCalendarComponentSet.Comp {
if comp.Name != "" {
comps = append(comps, comp.Name)
}
}
}
if !isCalendar {
continue
}
// Filter to calendars that advertise VEVENT support — task / address
// books slip into the home-set on Apple iCloud and we don't want
// those in the picker.
if len(comps) > 0 && !slices.Contains(comps, "VEVENT") {
continue
}
out = append(out, DiscoveredCalendar{
Href: r.Href,
DisplayName: displayname,
SupportedComponents: comps,
})
}
return out, nil
}
// propfindHrefs runs a PROPFIND and returns the hrefs nested under the
// named property's value. Used for current-user-principal +
// calendar-home-set extraction where the property body is a single href.
func (c *calDAVClient) propfindHrefs(ctx context.Context, urlPath, depth, body, propName string) ([]string, error) {
req, err := http.NewRequestWithContext(ctx, "PROPFIND", c.absURL(urlPath), strings.NewReader(body))
if err != nil {
return nil, err
}
req.SetBasicAuth(c.username, c.password)
req.Header.Set("Depth", depth)
req.Header.Set("Content-Type", "application/xml; charset=utf-8")
resp, err := c.hc.Do(req)
if err != nil {
return nil, fmt.Errorf("PROPFIND: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode != 207 && resp.StatusCode != 200 {
raw, _ := io.ReadAll(resp.Body)
return nil, fmt.Errorf("PROPFIND %s: %d %s — %s", urlPath, resp.StatusCode, resp.Status, string(raw))
}
var ms propHrefMultiStatus
if err := xml.NewDecoder(resp.Body).Decode(&ms); err != nil {
return nil, fmt.Errorf("decode multistatus for %s: %w", propName, err)
}
out := []string{}
for _, r := range ms.Responses {
for _, ps := range r.Propstat {
if !strings.Contains(ps.Status, "200") {
continue
}
for _, h := range ps.Prop.CurrentUserPrincipal.Hrefs {
out = append(out, h)
}
for _, h := range ps.Prop.CalendarHomeSet.Hrefs {
out = append(out, h)
}
}
}
return out, nil
}
// --- MKCALENDAR capability probe + provisioning (Slice 2c) ---
// ProbeMKCalendar reports whether the CalDAV server accepts MKCALENDAR
// against the calendar-home-set. Two-step per design §4.2:
//
// 1. OPTIONS on the home URL — if the server returns `Allow:` listing
// MKCALENDAR, we're done.
// 2. Synthetic probe — issue MKCALENDAR against a random
// `.paliad-probe-<short>/` path and DELETE it. Catches legacy SOGo
// and misconfigured Radicales that don't list MKCALENDAR in Allow
// but still accept it. Servers that 405/501 the synthetic probe
// are recorded as no-MKCALENDAR; further attempts skip the probe.
//
// The probe never persists state — that's the service-layer's job via
// CalDAVService.MakeCalendar.
func (c *calDAVClient) ProbeMKCalendar(ctx context.Context, homePath string) (bool, error) {
if allows, err := c.optionsAllows(ctx, homePath); err == nil {
if slices.Contains(allows, "MKCALENDAR") {
return true, nil
}
// OPTIONS responded but doesn't list MKCALENDAR — fall through to
// synthetic probe; some servers omit MKCALENDAR from Allow even
// when they accept it. OPTIONS-returns-no-MKCALENDAR is not a
// hard negative.
}
// Synthetic probe — a single MKCALENDAR against a randomised name
// that the server is overwhelmingly unlikely to already have.
probePath := joinPath(homePath, ".paliad-probe-"+randomToken(6)+"/")
mkBody := `<?xml version="1.0" encoding="utf-8"?>
<C:mkcalendar xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav">
<D:set><D:prop><D:displayname>paliad-probe</D:displayname></D:prop></D:set>
</C:mkcalendar>`
req, err := http.NewRequestWithContext(ctx, "MKCALENDAR", c.absURL(probePath), strings.NewReader(mkBody))
if err != nil {
return false, err
}
req.SetBasicAuth(c.username, c.password)
req.Header.Set("Content-Type", "application/xml; charset=utf-8")
resp, err := c.hc.Do(req)
if err != nil {
return false, fmt.Errorf("MKCALENDAR probe: %w", err)
}
resp.Body.Close()
switch resp.StatusCode {
case http.StatusCreated, http.StatusOK:
// Server accepted the probe. Tear down the probe collection so
// we don't leak a junk calendar; if the DELETE fails we shrug
// (best effort — the user's calendar list will have one
// .paliad-probe-* entry; not the end of the world).
_ = c.deleteCollection(ctx, probePath)
return true, nil
case http.StatusMethodNotAllowed, http.StatusNotImplemented, http.StatusForbidden:
return false, nil
default:
// Unknown — treat as no-MKCALENDAR to be safe; the user can
// still bind by URL.
return false, nil
}
}
// MakeCalendar issues MKCALENDAR against home/<calendarName>/ and
// returns the absolute path that was created. The caller is
// responsible for picking a free slug; 405 from the server means
// "name already taken — pick another".
func (c *calDAVClient) MakeCalendar(ctx context.Context, homePath, calendarName, displayName string) (string, error) {
path := joinPath(homePath, calendarName+"/")
body := mkcalendarBody(displayName)
req, err := http.NewRequestWithContext(ctx, "MKCALENDAR", c.absURL(path), strings.NewReader(body))
if err != nil {
return "", err
}
req.SetBasicAuth(c.username, c.password)
req.Header.Set("Content-Type", "application/xml; charset=utf-8")
resp, err := c.hc.Do(req)
if err != nil {
return "", fmt.Errorf("MKCALENDAR: %w", err)
}
defer resp.Body.Close()
switch resp.StatusCode {
case http.StatusCreated, http.StatusOK:
return path, nil
case http.StatusMethodNotAllowed:
return "", ErrCalendarNameTaken
case http.StatusForbidden, http.StatusNotImplemented:
return "", ErrMKCalendarUnsupported
default:
raw, _ := io.ReadAll(resp.Body)
return "", fmt.Errorf("MKCALENDAR %s: %d %s — %s", path, resp.StatusCode, resp.Status, string(raw))
}
}
func mkcalendarBody(displayName string) string {
var b strings.Builder
b.WriteString(`<?xml version="1.0" encoding="utf-8"?>
<C:mkcalendar xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav">
<D:set>
<D:prop>
<D:displayname>`)
_ = xml.EscapeText(&b, []byte(displayName))
b.WriteString(`</D:displayname>
<C:supported-calendar-component-set>
<C:comp name="VEVENT"/>
</C:supported-calendar-component-set>
</D:prop>
</D:set>
</C:mkcalendar>`)
return b.String()
}
// optionsAllows returns the methods listed in the Allow header of an
// OPTIONS response. Caseless match per RFC 7231 §7.4.1.
func (c *calDAVClient) optionsAllows(ctx context.Context, path string) ([]string, error) {
req, err := http.NewRequestWithContext(ctx, "OPTIONS", c.absURL(path), nil)
if err != nil {
return nil, err
}
req.SetBasicAuth(c.username, c.password)
resp, err := c.hc.Do(req)
if err != nil {
return nil, fmt.Errorf("OPTIONS: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode >= 400 {
return nil, fmt.Errorf("OPTIONS %s: %d", path, resp.StatusCode)
}
out := []string{}
for _, h := range resp.Header.Values("Allow") {
for _, m := range strings.Split(h, ",") {
out = append(out, strings.ToUpper(strings.TrimSpace(m)))
}
}
return out, nil
}
// deleteCollection sends a DELETE that doesn't care about 404.
func (c *calDAVClient) deleteCollection(ctx context.Context, path string) error {
req, err := http.NewRequestWithContext(ctx, "DELETE", c.absURL(path), nil)
if err != nil {
return err
}
req.SetBasicAuth(c.username, c.password)
resp, err := c.hc.Do(req)
if err != nil {
return err
}
resp.Body.Close()
return nil
}
// randomToken returns a short hex string of `n` bytes. Used for the
// synthetic MKCALENDAR probe path; doesn't need to be cryptographically
// strong (the worst-case is a collision with an existing calendar of
// the same name, which we catch as ErrCalendarNameTaken upstream).
func randomToken(n int) string {
buf := make([]byte, n)
_, _ = rand.Read(buf)
return hex.EncodeToString(buf)
}
// joinPath cleans up double slashes between calendar path and uid.
func joinPath(base, name string) string {
base = strings.TrimRight(base, "/")
@@ -637,7 +221,6 @@ type propStat struct {
Status string `xml:"DAV: status"`
Prop struct {
ETag string `xml:"DAV: getetag"`
CalendarData string `xml:"urn:ietf:params:xml:ns:caldav calendar-data"`
ResourceType struct {
Collection *struct{} `xml:"DAV: collection"`
} `xml:"DAV: resourcetype"`
@@ -649,92 +232,6 @@ type multiStatus struct {
Responses []msResponse `xml:"DAV: response"`
}
// propHrefMultiStatus is used to extract <DAV:href> children out of the
// <D:current-user-principal/> and <C:calendar-home-set/> properties.
// Both render as: <prop><name><href>…</href></name></prop>.
type propHrefMultiStatus struct {
XMLName xml.Name `xml:"DAV: multistatus"`
Responses []propHrefResponse `xml:"DAV: response"`
}
type propHrefResponse struct {
XMLName xml.Name `xml:"DAV: response"`
Href string `xml:"DAV: href"`
Propstat []propHrefPropstat `xml:"DAV: propstat"`
}
type propHrefPropstat struct {
XMLName xml.Name `xml:"DAV: propstat"`
Status string `xml:"DAV: status"`
Prop struct {
CurrentUserPrincipal struct {
Hrefs []string `xml:"DAV: href"`
} `xml:"DAV: current-user-principal"`
CalendarHomeSet struct {
Hrefs []string `xml:"DAV: href"`
} `xml:"urn:ietf:params:xml:ns:caldav calendar-home-set"`
} `xml:"DAV: prop"`
}
// calendarHomeMultiStatus parses the response to a Depth:1 PROPFIND on
// calendar-home-set asking for resourcetype + displayname +
// supported-calendar-component-set.
type calendarHomeMultiStatus struct {
XMLName xml.Name `xml:"DAV: multistatus"`
Responses []calendarHomeResponse `xml:"DAV: response"`
}
type calendarHomeResponse struct {
XMLName xml.Name `xml:"DAV: response"`
Href string `xml:"DAV: href"`
Propstat []calendarHomePropstat `xml:"DAV: propstat"`
}
type calendarHomePropstat struct {
XMLName xml.Name `xml:"DAV: propstat"`
Status string `xml:"DAV: status"`
Prop struct {
DisplayName string `xml:"DAV: displayname"`
ResourceType struct {
Calendar *struct{} `xml:"urn:ietf:params:xml:ns:caldav calendar"`
} `xml:"DAV: resourcetype"`
SupportedCalendarComponentSet struct {
Comp []struct {
Name string `xml:"name,attr"`
} `xml:"urn:ietf:params:xml:ns:caldav comp"`
} `xml:"urn:ietf:params:xml:ns:caldav supported-calendar-component-set"`
} `xml:"DAV: prop"`
}
func parseMultigetResponse(r io.Reader) ([]MultigetEvent, error) {
var ms multiStatus
dec := xml.NewDecoder(r)
if err := dec.Decode(&ms); err != nil {
return nil, fmt.Errorf("decode multistatus: %w", err)
}
out := []MultigetEvent{}
for _, resp := range ms.Responses {
var etag, data string
ok := false
for _, ps := range resp.Propstat {
if !strings.Contains(ps.Status, "200") {
continue
}
etag = strings.Trim(ps.Prop.ETag, `"`)
data = ps.Prop.CalendarData
if data != "" {
ok = true
}
}
if !ok {
// 404 / 403 on this specific href — treat as missing, skip.
continue
}
out = append(out, MultigetEvent{Href: resp.Href, ETag: etag, CalendarData: data})
}
return out, nil
}
func parseMultiStatus(r io.Reader) ([]CalDAVEntry, error) {
var ms multiStatus
dec := xml.NewDecoder(r)

802
internal/services/caldav_service.go
View File

File diff suppressed because it is too large Load Diff

157
internal/services/dashboard_layout_service.go
View File

@@ -1,157 +0,0 @@
package services
// DashboardLayoutService is the CRUD layer for paliad.user_dashboard_layouts —
// per-user configurable dashboard layout for /dashboard.
//
// Design: docs/design-dashboard-configurable-2026-05-20.md §5.4.
//
// Visibility: every read and write is scoped to the calling user via the
// RLS policy `user_dashboard_layouts_owner_all` on auth.uid() = user_id.
// The service also AND-joins user_id in SQL for defense-in-depth.
import (
"context"
"database/sql"
"encoding/json"
"errors"
"fmt"
"github.com/google/uuid"
"github.com/jmoiron/sqlx"
)
// DashboardLayoutService manages paliad.user_dashboard_layouts.
type DashboardLayoutService struct {
db *sqlx.DB
}
// NewDashboardLayoutService wires the service.
func NewDashboardLayoutService(db *sqlx.DB) *DashboardLayoutService {
return &DashboardLayoutService{db: db}
}
// GetOrSeed returns the caller's saved layout. On first call for a user
// (no row), it inserts and returns the factory default. The seed is
// idempotent — concurrent first-loads converge to the same row via the
// ON CONFLICT DO NOTHING clause.
//
// The returned spec has SanitizeForRead applied; if any entries were
// dropped (catalog shrank) the cleaned spec is also persisted back so the
// next write doesn't trip on stale entries.
func (s *DashboardLayoutService) GetOrSeed(ctx context.Context, userID uuid.UUID) (DashboardLayoutSpec, error) {
spec, found, err := s.fetch(ctx, userID)
if err != nil {
return DashboardLayoutSpec{}, err
}
if !found {
return s.seedFactoryDefault(ctx, userID)
}
if spec.SanitizeForRead() {
// Best-effort cleanup; on failure we still return the in-memory
// sanitized spec — the user sees a clean dashboard either way.
_ = s.upsert(ctx, userID, spec)
}
return spec, nil
}
// Update validates the spec and UPSERTs it. Returns the persisted spec
// (round-tripped through the DB to confirm storage).
func (s *DashboardLayoutService) Update(ctx context.Context, userID uuid.UUID, spec DashboardLayoutSpec) (DashboardLayoutSpec, error) {
if err := spec.Validate(); err != nil {
return DashboardLayoutSpec{}, err
}
if err := s.upsert(ctx, userID, spec); err != nil {
return DashboardLayoutSpec{}, err
}
out, found, err := s.fetch(ctx, userID)
if err != nil {
return DashboardLayoutSpec{}, err
}
if !found {
return DashboardLayoutSpec{}, fmt.Errorf("dashboard layout vanished after upsert for user %s", userID)
}
return out, nil
}
// ResetToDefault overwrites the user's layout with the factory default.
func (s *DashboardLayoutService) ResetToDefault(ctx context.Context, userID uuid.UUID) (DashboardLayoutSpec, error) {
def := FactoryDefaultLayout()
if err := s.upsert(ctx, userID, def); err != nil {
return DashboardLayoutSpec{}, err
}
return def, nil
}
// fetch returns (spec, found, err). found=false means the user has no row
// yet — the seed path takes over.
func (s *DashboardLayoutService) fetch(ctx context.Context, userID uuid.UUID) (DashboardLayoutSpec, bool, error) {
var raw json.RawMessage
err := s.db.GetContext(ctx, &raw, `
SELECT layout_json
FROM paliad.user_dashboard_layouts
WHERE user_id = $1
`, userID)
if errors.Is(err, sql.ErrNoRows) {
return DashboardLayoutSpec{}, false, nil
}
if err != nil {
return DashboardLayoutSpec{}, false, fmt.Errorf("fetch dashboard layout: %w", err)
}
var spec DashboardLayoutSpec
if err := json.Unmarshal(raw, &spec); err != nil {
// Stored row is unparseable — treat as a missing row, the seed
// path will overwrite it. Log via the returned error wrapper.
return DashboardLayoutSpec{}, false, fmt.Errorf("dashboard layout JSON decode for user %s: %w", userID, err)
}
return spec, true, nil
}
// seedFactoryDefault inserts the factory layout for a brand-new user.
// ON CONFLICT DO NOTHING handles the race where two concurrent first
// loads both miss the SELECT and both try to insert.
func (s *DashboardLayoutService) seedFactoryDefault(ctx context.Context, userID uuid.UUID) (DashboardLayoutSpec, error) {
def := FactoryDefaultLayout()
bytes, err := json.Marshal(def)
if err != nil {
return DashboardLayoutSpec{}, fmt.Errorf("seed dashboard layout marshal: %w", err)
}
if _, err := s.db.ExecContext(ctx, `
INSERT INTO paliad.user_dashboard_layouts (user_id, layout_json)
VALUES ($1, $2)
ON CONFLICT (user_id) DO NOTHING
`, userID, json.RawMessage(bytes)); err != nil {
return DashboardLayoutSpec{}, fmt.Errorf("seed dashboard layout insert: %w", err)
}
// Re-fetch in case ON CONFLICT DO NOTHING let another writer's row win;
// either way the user now has a row.
out, found, err := s.fetch(ctx, userID)
if err != nil {
return DashboardLayoutSpec{}, err
}
if !found {
// Extremely unlikely — would mean the row vanished between
// INSERT and SELECT. Return the factory default in-memory.
return def, nil
}
return out, nil
}
// upsert overwrites the layout. updated_at gets bumped on conflict so
// callers can observe write recency.
func (s *DashboardLayoutService) upsert(ctx context.Context, userID uuid.UUID, spec DashboardLayoutSpec) error {
bytes, err := json.Marshal(spec)
if err != nil {
return fmt.Errorf("dashboard layout marshal: %w", err)
}
_, err = s.db.ExecContext(ctx, `
INSERT INTO paliad.user_dashboard_layouts (user_id, layout_json)
VALUES ($1, $2)
ON CONFLICT (user_id) DO UPDATE
SET layout_json = EXCLUDED.layout_json,
updated_at = now()
`, userID, json.RawMessage(bytes))
if err != nil {
return fmt.Errorf("dashboard layout upsert: %w", err)
}
return nil
}

181
internal/services/dashboard_layout_service_test.go
View File

@@ -1,181 +0,0 @@
package services
// Live-DB tests for DashboardLayoutService. Skipped when TEST_DATABASE_URL
// is unset.
import (
"context"
"encoding/json"
"os"
"testing"
"github.com/google/uuid"
"github.com/jmoiron/sqlx"
_ "github.com/lib/pq"
"mgit.msbls.de/m/paliad/internal/db"
)
type dashboardLayoutTestEnv struct {
t *testing.T
pool *sqlx.DB
svc *DashboardLayoutService
userID uuid.UUID
cleanup func()
}
func setupDashboardLayoutTest(t *testing.T) *dashboardLayoutTestEnv {
t.Helper()
url := os.Getenv("TEST_DATABASE_URL")
if url == "" {
t.Skip("TEST_DATABASE_URL not set — skipping live DB test")
}
if err := db.ApplyMigrations(url); err != nil {
t.Fatalf("apply migrations: %v", err)
}
pool, err := sqlx.Connect("postgres", url)
if err != nil {
t.Fatalf("connect: %v", err)
}
ctx := context.Background()
userID := uuid.New()
if _, err := pool.ExecContext(ctx,
`INSERT INTO auth.users (id, email) VALUES ($1, $1::text || '@test.local')
ON CONFLICT (id) DO NOTHING`, userID); err != nil {
t.Logf("skip auth.users seed: %v", err)
}
if _, err := pool.ExecContext(ctx,
`INSERT INTO paliad.users (id, email, display_name, office, global_role)
VALUES ($1, $1::text || '@test.local', 'Dashboard Layout Test', 'munich', 'standard')
ON CONFLICT (id) DO NOTHING`, userID); err != nil {
t.Fatalf("seed paliad.users: %v", err)
}
cleanup := func() {
c := context.Background()
pool.ExecContext(c, `DELETE FROM paliad.user_dashboard_layouts WHERE user_id = $1`, userID)
pool.ExecContext(c, `DELETE FROM paliad.users WHERE id = $1`, userID)
pool.ExecContext(c, `DELETE FROM auth.users WHERE id = $1`, userID)
pool.Close()
}
return &dashboardLayoutTestEnv{
t: t,
pool: pool,
svc: NewDashboardLayoutService(pool),
userID: userID,
cleanup: cleanup,
}
}
func TestDashboardLayoutService_GetOrSeedAutoSeeds(t *testing.T) {
env := setupDashboardLayoutTest(t)
defer env.cleanup()
ctx := context.Background()
spec, err := env.svc.GetOrSeed(ctx, env.userID)
if err != nil {
t.Fatalf("GetOrSeed: %v", err)
}
if spec.Version != LayoutSpecVersion {
t.Errorf("seeded version=%d; want %d", spec.Version, LayoutSpecVersion)
}
if len(spec.Widgets) != len(KnownWidgetKeys) {
t.Errorf("seeded widget count=%d; want %d", len(spec.Widgets), len(KnownWidgetKeys))
}
// Second call returns the same row, not a second seed.
spec2, err := env.svc.GetOrSeed(ctx, env.userID)
if err != nil {
t.Fatalf("GetOrSeed second: %v", err)
}
if len(spec2.Widgets) != len(spec.Widgets) {
t.Errorf("second call widget count drifted: %d vs %d", len(spec2.Widgets), len(spec.Widgets))
}
}
func TestDashboardLayoutService_UpdateRoundTrips(t *testing.T) {
env := setupDashboardLayoutTest(t)
defer env.cleanup()
ctx := context.Background()
// Seed first so the row exists.
if _, err := env.svc.GetOrSeed(ctx, env.userID); err != nil {
t.Fatalf("GetOrSeed: %v", err)
}
// Custom layout: hide matter-summary, reorder.
custom := DashboardLayoutSpec{
Version: LayoutSpecVersion,
Widgets: []DashboardWidgetRef{
{Key: WidgetUpcomingDeadlines, Visible: true, Settings: json.RawMessage(`{"count": 5, "horizon_days": 14}`)},
{Key: WidgetMatterSummary, Visible: false},
{Key: WidgetDeadlineSummary, Visible: true},
},
}
out, err := env.svc.Update(ctx, env.userID, custom)
if err != nil {
t.Fatalf("Update: %v", err)
}
if len(out.Widgets) != 3 {
t.Fatalf("Update returned %d widgets; want 3", len(out.Widgets))
}
if out.Widgets[0].Key != WidgetUpcomingDeadlines {
t.Errorf("Update returned widgets[0]=%q; want %q", out.Widgets[0].Key, WidgetUpcomingDeadlines)
}
if out.Widgets[1].Visible {
t.Errorf("Update returned widgets[1].Visible=true; want false")
}
// Re-read confirms persistence.
got, err := env.svc.GetOrSeed(ctx, env.userID)
if err != nil {
t.Fatalf("GetOrSeed after update: %v", err)
}
if len(got.Widgets) != 3 {
t.Errorf("GetOrSeed after update: %d widgets; want 3", len(got.Widgets))
}
}
func TestDashboardLayoutService_UpdateRejectsInvalid(t *testing.T) {
env := setupDashboardLayoutTest(t)
defer env.cleanup()
ctx := context.Background()
bad := DashboardLayoutSpec{
Version: LayoutSpecVersion,
Widgets: []DashboardWidgetRef{
{Key: "fake-widget-key", Visible: true},
},
}
if _, err := env.svc.Update(ctx, env.userID, bad); err == nil {
t.Fatalf("Update accepted invalid layout")
}
}
func TestDashboardLayoutService_ResetToDefault(t *testing.T) {
env := setupDashboardLayoutTest(t)
defer env.cleanup()
ctx := context.Background()
// Custom layout first.
custom := DashboardLayoutSpec{
Version: LayoutSpecVersion,
Widgets: []DashboardWidgetRef{
{Key: WidgetDeadlineSummary, Visible: true},
},
}
if _, err := env.svc.Update(ctx, env.userID, custom); err != nil {
t.Fatalf("Update: %v", err)
}
// Reset.
reset, err := env.svc.ResetToDefault(ctx, env.userID)
if err != nil {
t.Fatalf("ResetToDefault: %v", err)
}
if len(reset.Widgets) != len(KnownWidgetKeys) {
t.Errorf("reset widget count=%d; want %d", len(reset.Widgets), len(KnownWidgetKeys))
}
}

176
internal/services/dashboard_layout_spec.go
View File

@@ -1,176 +0,0 @@
package services
// DashboardLayoutSpec — JSON shape for paliad.user_dashboard_layouts.layout_json.
//
// Design: docs/design-dashboard-configurable-2026-05-20.md §5.2.
//
// Validation surface:
// - version must be 1 (v0 / unknown versions seed the factory default at
// read time; the validator only ever sees writes from a current client).
// - widgets is at most 32 entries (sanity cap; catalog can grow but a
// single user's layout shouldn't).
// - each widget.key must be in KnownWidgetKeys on WRITE.
// - no duplicate keys.
// - each widget.settings (if present) is validated against its catalog
// entry's WidgetSettingsSchema.
//
// On READ, unknown keys are dropped silently — see SanitizeForRead.
import (
"encoding/json"
"fmt"
"slices"
)
// LayoutSpecVersion is the only supported version for v1.
const LayoutSpecVersion = 1
// LayoutWidgetCap is the sanity cap on widgets per layout. The v1 catalog
// has 7 entries; 32 leaves room for catalog growth without unbounded JSON
// blobs.
const LayoutWidgetCap = 32
// DashboardWidgetRef is a single widget entry in the ordered widgets[] array.
// Visible=false entries are kept in the array so the picker can show them as
// "hidden" and re-adding restores their position.
type DashboardWidgetRef struct {
Key WidgetKey `json:"key"`
Visible bool `json:"visible"`
Settings json.RawMessage `json:"settings,omitempty"`
}
// DashboardLayoutSpec is the persisted layout shape.
type DashboardLayoutSpec struct {
Version int `json:"v"`
Widgets []DashboardWidgetRef `json:"widgets"`
}
// FactoryDefaultLayout returns the Slice A1 baseline layout — every
// widget in KnownWidgetKeys, visible, in canonical order, with per-widget
// default settings drawn from the catalog. A user with no row sees this
// on first load and is byte-identical to today's dashboard plus the new
// inbox-approvals widget.
func FactoryDefaultLayout() DashboardLayoutSpec {
catalog := WidgetCatalog()
byKey := make(map[WidgetKey]WidgetDef, len(catalog))
for _, def := range catalog {
byKey[def.Key] = def
}
widgets := make([]DashboardWidgetRef, 0, len(KnownWidgetKeys))
for _, k := range KnownWidgetKeys {
def, ok := byKey[k]
if !ok {
continue
}
ref := DashboardWidgetRef{Key: k, Visible: def.DefaultVisible}
if settings := defaultSettingsJSON(def); settings != nil {
ref.Settings = settings
}
widgets = append(widgets, ref)
}
return DashboardLayoutSpec{
Version: LayoutSpecVersion,
Widgets: widgets,
}
}
// defaultSettingsJSON encodes the per-widget defaults declared on the
// catalog entry. Returns nil when the widget has no settings.
func defaultSettingsJSON(def WidgetDef) json.RawMessage {
if def.DefaultCount == nil && def.DefaultHorizon == nil {
return nil
}
out := map[string]int{}
if def.DefaultCount != nil {
out["count"] = *def.DefaultCount
}
if def.DefaultHorizon != nil {
out["horizon_days"] = *def.DefaultHorizon
}
b, err := json.Marshal(out)
if err != nil {
return nil
}
return b
}
// Validate enforces the structural invariants on write. Returns
// ErrInvalidInput wrapped with a precise message on the first violation.
func (s DashboardLayoutSpec) Validate() error {
if s.Version != LayoutSpecVersion {
return fmt.Errorf("%w: layout version %d not supported (want %d)",
ErrInvalidInput, s.Version, LayoutSpecVersion)
}
if len(s.Widgets) > LayoutWidgetCap {
return fmt.Errorf("%w: layout has %d widgets (cap %d)",
ErrInvalidInput, len(s.Widgets), LayoutWidgetCap)
}
seen := make(map[WidgetKey]bool, len(s.Widgets))
for i, w := range s.Widgets {
if !slices.Contains(KnownWidgetKeys, w.Key) {
return fmt.Errorf("%w: widgets[%d].key %q is not a known widget",
ErrInvalidInput, i, w.Key)
}
if seen[w.Key] {
return fmt.Errorf("%w: widgets has duplicate key %q",
ErrInvalidInput, w.Key)
}
seen[w.Key] = true
def, ok := LookupWidgetDef(w.Key)
if !ok {
// Defense in depth — KnownWidgetKeys was checked above.
return fmt.Errorf("%w: widgets[%d].key %q has no catalog entry",
ErrInvalidInput, i, w.Key)
}
if err := def.Settings.Validate(w.Settings); err != nil {
return fmt.Errorf("widgets[%d]: %w", i, err)
}
}
return nil
}
// SanitizeForRead applies the forgiving read-path rules: drop entries whose
// keys are not in the catalog (catalog has shrunk) and bump the version to
// the current one if missing. Settings on surviving entries pass through
// unchanged — invalid settings on read are not worth aborting over and the
// next write will reject them anyway.
//
// Returns true if anything was changed; callers can use that to decide
// whether to PUT the cleaned spec back.
func (s *DashboardLayoutSpec) SanitizeForRead() bool {
changed := false
if s.Version != LayoutSpecVersion {
s.Version = LayoutSpecVersion
changed = true
}
if len(s.Widgets) == 0 {
return changed
}
out := make([]DashboardWidgetRef, 0, len(s.Widgets))
for _, w := range s.Widgets {
if _, ok := LookupWidgetDef(w.Key); !ok {
changed = true
continue
}
out = append(out, w)
}
s.Widgets = out
return changed
}
// ParseDashboardLayoutSpec decodes JSON bytes and validates. Used by the
// HTTP handler on incoming request bodies.
func ParseDashboardLayoutSpec(b []byte) (DashboardLayoutSpec, error) {
var s DashboardLayoutSpec
if err := json.Unmarshal(b, &s); err != nil {
return DashboardLayoutSpec{}, fmt.Errorf("%w: layout JSON decode: %v", ErrInvalidInput, err)
}
if err := s.Validate(); err != nil {
return DashboardLayoutSpec{}, err
}
return s, nil
}

241
internal/services/dashboard_layout_spec_test.go
View File

@@ -1,241 +0,0 @@
package services
// Pure-function tests for DashboardLayoutSpec + WidgetCatalog.
// No DB; safe to run in any environment.
import (
"encoding/json"
"errors"
"strings"
"testing"
)
func TestFactoryDefaultLayout_AllKnownWidgetsPresent(t *testing.T) {
def := FactoryDefaultLayout()
if def.Version != LayoutSpecVersion {
t.Errorf("FactoryDefaultLayout version=%d; want %d", def.Version, LayoutSpecVersion)
}
if len(def.Widgets) != len(KnownWidgetKeys) {
t.Fatalf("FactoryDefaultLayout has %d widgets; want %d", len(def.Widgets), len(KnownWidgetKeys))
}
for i, k := range KnownWidgetKeys {
if def.Widgets[i].Key != k {
t.Errorf("widgets[%d].Key = %q; want %q", i, def.Widgets[i].Key, k)
}
if !def.Widgets[i].Visible {
t.Errorf("widgets[%d].Visible = false; factory default should be all-visible", i)
}
}
}
func TestFactoryDefaultLayout_SettingsDefaultsPresent(t *testing.T) {
def := FactoryDefaultLayout()
for _, w := range def.Widgets {
catalogDef, ok := LookupWidgetDef(w.Key)
if !ok {
t.Errorf("factory widget %q is not in catalog", w.Key)
continue
}
hasDefaults := catalogDef.DefaultCount != nil || catalogDef.DefaultHorizon != nil
if hasDefaults && len(w.Settings) == 0 {
t.Errorf("widget %q has catalog defaults but factory layout has empty settings", w.Key)
}
if !hasDefaults && len(w.Settings) > 0 {
t.Errorf("widget %q has no catalog defaults but factory layout has settings %s", w.Key, string(w.Settings))
}
}
}
func TestFactoryDefaultLayout_PassesValidation(t *testing.T) {
def := FactoryDefaultLayout()
if err := def.Validate(); err != nil {
t.Fatalf("factory default failed Validate(): %v", err)
}
}
func TestDashboardLayoutSpec_Validate_WrongVersion(t *testing.T) {
s := DashboardLayoutSpec{Version: 99, Widgets: []DashboardWidgetRef{{Key: WidgetDeadlineSummary, Visible: true}}}
err := s.Validate()
if !errors.Is(err, ErrInvalidInput) {
t.Fatalf("Validate returned %v; want ErrInvalidInput", err)
}
if !strings.Contains(err.Error(), "version") {
t.Errorf("error %q should mention 'version'", err.Error())
}
}
func TestDashboardLayoutSpec_Validate_TooManyWidgets(t *testing.T) {
widgets := make([]DashboardWidgetRef, LayoutWidgetCap+1)
for i := range widgets {
widgets[i] = DashboardWidgetRef{Key: WidgetDeadlineSummary, Visible: true}
}
s := DashboardLayoutSpec{Version: 1, Widgets: widgets}
err := s.Validate()
if !errors.Is(err, ErrInvalidInput) {
t.Fatalf("Validate returned %v; want ErrInvalidInput", err)
}
}
func TestDashboardLayoutSpec_Validate_UnknownKey(t *testing.T) {
s := DashboardLayoutSpec{Version: 1, Widgets: []DashboardWidgetRef{
{Key: "not-a-real-widget", Visible: true},
}}
err := s.Validate()
if !errors.Is(err, ErrInvalidInput) {
t.Fatalf("Validate returned %v; want ErrInvalidInput", err)
}
}
func TestDashboardLayoutSpec_Validate_DuplicateKey(t *testing.T) {
s := DashboardLayoutSpec{Version: 1, Widgets: []DashboardWidgetRef{
{Key: WidgetDeadlineSummary, Visible: true},
{Key: WidgetDeadlineSummary, Visible: false},
}}
err := s.Validate()
if !errors.Is(err, ErrInvalidInput) {
t.Fatalf("Validate returned %v; want ErrInvalidInput", err)
}
if !strings.Contains(err.Error(), "duplicate") {
t.Errorf("error %q should mention 'duplicate'", err.Error())
}
}
func TestDashboardLayoutSpec_Validate_BadSettings(t *testing.T) {
// count not in CountOptions for upcoming-deadlines (legal: 1,3,5,10,20)
s := DashboardLayoutSpec{Version: 1, Widgets: []DashboardWidgetRef{
{Key: WidgetUpcomingDeadlines, Visible: true, Settings: json.RawMessage(`{"count": 7}`)},
}}
err := s.Validate()
if !errors.Is(err, ErrInvalidInput) {
t.Fatalf("Validate returned %v; want ErrInvalidInput", err)
}
}
func TestDashboardLayoutSpec_Validate_AcceptsValidSettings(t *testing.T) {
s := DashboardLayoutSpec{Version: 1, Widgets: []DashboardWidgetRef{
{Key: WidgetUpcomingDeadlines, Visible: true, Settings: json.RawMessage(`{"count": 5, "horizon_days": 14}`)},
{Key: WidgetInlineAgenda, Visible: true, Settings: json.RawMessage(`{"horizon_days": 60}`)},
{Key: WidgetRecentActivity, Visible: false},
}}
if err := s.Validate(); err != nil {
t.Fatalf("Validate returned %v; want nil", err)
}
}
func TestDashboardLayoutSpec_Validate_SettingsOnNoSettingsWidget(t *testing.T) {
// deadline-summary has no Settings schema.
s := DashboardLayoutSpec{Version: 1, Widgets: []DashboardWidgetRef{
{Key: WidgetDeadlineSummary, Visible: true, Settings: json.RawMessage(`{"count": 5}`)},
}}
err := s.Validate()
if !errors.Is(err, ErrInvalidInput) {
t.Fatalf("Validate returned %v; want ErrInvalidInput", err)
}
}
func TestDashboardLayoutSpec_SanitizeForRead_DropsUnknownKeys(t *testing.T) {
s := DashboardLayoutSpec{Version: 1, Widgets: []DashboardWidgetRef{
{Key: WidgetDeadlineSummary, Visible: true},
{Key: "deprecated-widget", Visible: true},
{Key: WidgetInlineAgenda, Visible: true},
}}
changed := s.SanitizeForRead()
if !changed {
t.Errorf("SanitizeForRead returned false; expected true (one entry dropped)")
}
if len(s.Widgets) != 2 {
t.Errorf("after sanitize: %d widgets; want 2", len(s.Widgets))
}
if s.Widgets[0].Key != WidgetDeadlineSummary || s.Widgets[1].Key != WidgetInlineAgenda {
t.Errorf("after sanitize: keys = %v %v; want %v %v",
s.Widgets[0].Key, s.Widgets[1].Key, WidgetDeadlineSummary, WidgetInlineAgenda)
}
}
func TestDashboardLayoutSpec_SanitizeForRead_NoopOnClean(t *testing.T) {
s := FactoryDefaultLayout()
if s.SanitizeForRead() {
t.Errorf("SanitizeForRead on factory default returned true; want false (already clean)")
}
}
func TestDashboardLayoutSpec_SanitizeForRead_BumpsVersion(t *testing.T) {
s := DashboardLayoutSpec{Version: 0, Widgets: []DashboardWidgetRef{{Key: WidgetDeadlineSummary, Visible: true}}}
if !s.SanitizeForRead() {
t.Errorf("SanitizeForRead returned false; expected version bump")
}
if s.Version != LayoutSpecVersion {
t.Errorf("after sanitize: Version=%d; want %d", s.Version, LayoutSpecVersion)
}
}
func TestParseDashboardLayoutSpec_RoundTrip(t *testing.T) {
def := FactoryDefaultLayout()
bytes, err := json.Marshal(def)
if err != nil {
t.Fatalf("marshal: %v", err)
}
parsed, err := ParseDashboardLayoutSpec(bytes)
if err != nil {
t.Fatalf("parse: %v", err)
}
if parsed.Version != def.Version {
t.Errorf("version mismatch: %d vs %d", parsed.Version, def.Version)
}
if len(parsed.Widgets) != len(def.Widgets) {
t.Errorf("widget count mismatch: %d vs %d", len(parsed.Widgets), len(def.Widgets))
}
}
func TestParseDashboardLayoutSpec_InvalidJSON(t *testing.T) {
_, err := ParseDashboardLayoutSpec([]byte(`{not-json}`))
if !errors.Is(err, ErrInvalidInput) {
t.Fatalf("ParseDashboardLayoutSpec returned %v; want ErrInvalidInput", err)
}
}
func TestWidgetCatalog_AllKnownKeysHaveDef(t *testing.T) {
for _, k := range KnownWidgetKeys {
def, ok := LookupWidgetDef(k)
if !ok {
t.Errorf("KnownWidgetKeys entry %q has no WidgetDef", k)
continue
}
if def.TitleDE == "" || def.TitleEN == "" {
t.Errorf("widget %q missing title (de=%q en=%q)", k, def.TitleDE, def.TitleEN)
}
if def.DescriptionDE == "" || def.DescriptionEN == "" {
t.Errorf("widget %q missing description", k)
}
}
}
func TestWidgetCatalog_NoOrphanDefs(t *testing.T) {
known := make(map[WidgetKey]bool, len(KnownWidgetKeys))
for _, k := range KnownWidgetKeys {
known[k] = true
}
for _, def := range WidgetCatalog() {
if !known[def.Key] {
// Orphans are allowed (forward-compat: pinned-projects const
// exists in widget_catalog.go before its widget module ships).
// But verify the catalog entry is internally coherent.
if def.TitleDE == "" || def.TitleEN == "" {
t.Errorf("orphan catalog entry %q must still have titles", def.Key)
}
}
}
}
func TestWidgetSettingsSchema_NilRejectsNonEmpty(t *testing.T) {
var sch *WidgetSettingsSchema
if err := sch.Validate(json.RawMessage(`{"count": 5}`)); !errors.Is(err, ErrInvalidInput) {
t.Fatalf("nil schema accepted settings; got %v", err)
}
if err := sch.Validate(nil); err != nil {
t.Errorf("nil schema rejected empty settings: %v", err)
}
if err := sch.Validate(json.RawMessage(`null`)); err != nil {
t.Errorf("nil schema rejected 'null' settings: %v", err)
}
}

103
internal/services/dashboard_service.go
View File

@@ -21,24 +21,14 @@ import (
// DashboardService reads paliad.projects/deadlines/appointments/project_events for
// the Dashboard page.
type DashboardService struct {
db *sqlx.DB
users *UserService
approvals *ApprovalService
db *sqlx.DB
users *UserService
}
func NewDashboardService(db *sqlx.DB, users *UserService) *DashboardService {
return &DashboardService{db: db, users: users}
}
// SetApprovalService wires the inbox-approvals widget data source. Called
// post-construction so that DashboardService and ApprovalService can be
// stitched together at boot without a circular constructor dependency.
// Safe to leave nil — InboxSummary will then carry pending_count=0 and an
// empty entries list, and the widget renders its empty state.
func (s *DashboardService) SetApprovalService(a *ApprovalService) {
s.approvals = a
}
// DashboardData is the full payload returned to the frontend.
type DashboardData struct {
User *DashboardUser `json:"user"`
@@ -48,42 +38,8 @@ type DashboardData struct {
UpcomingDeadlines []UpcomingDeadline `json:"upcoming_deadlines"`
UpcomingAppointments []UpcomingAppointment `json:"upcoming_appointments"`
RecentActivity []ActivityEntry `json:"recent_activity"`
InboxSummary InboxSummary `json:"inbox_summary"`
}
// InboxSummary feeds the inbox-approvals widget on the configurable
// dashboard (t-paliad-219). PendingCount is the precise number of
// approval requests that await this user's approval; Top is a small
// preview list (up to InboxTopCap entries) ordered oldest-pending-first
// so the most urgent appears first.
//
// When the ApprovalService dependency is unwired (knowledge-platform-only
// deployments, tests), PendingCount=0 and Top=[] so the widget renders
// its empty state. The data path is read-only — no writes go through
// the dashboard payload.
type InboxSummary struct {
PendingCount int `json:"pending_count"`
Top []InboxEntry `json:"top"`
}
// InboxEntry is a single row in InboxSummary.Top — the minimum needed
// to render a clickable preview ("Frist X auf Akte Y, vorgeschlagen am Z").
type InboxEntry struct {
RequestID uuid.UUID `json:"id"`
EntityType string `json:"entity_type"`
EntityTitle *string `json:"entity_title,omitempty"`
ProjectID uuid.UUID `json:"project_id"`
ProjectTitle string `json:"project_title"`
RequestedAt time.Time `json:"requested_at"`
RequesterID uuid.UUID `json:"requester_id"`
RequesterName string `json:"requester_name"`
}
// InboxTopCap caps the preview list. The widget's count setting tops out
// at 10 (see WidgetCatalog inboxCounts); we fetch the cap once and let
// the client trim further per the user's setting.
const InboxTopCap = 10
type DashboardUser struct {
ID uuid.UUID `json:"id"`
Email string `json:"email"`
@@ -190,12 +146,7 @@ func (s *DashboardService) Get(ctx context.Context, userID uuid.UUID) (*Dashboar
now := time.Now()
today := now.Format("2006-01-02")
// t-paliad-219 §18 Note B: widen the upcoming windows from 7d → 60d
// so the per-widget horizon dropdown (7/14/30/60) can filter client-
// side without re-querying. LIMIT bumps from 10 to 40 for the same
// reason — the widget's count setting tops out at 20 plus headroom
// for the agenda widget which can read from the same payload.
endOfWindow := now.AddDate(0, 0, 60).Format("2006-01-02")
endOfWindow := now.AddDate(0, 0, 7).Format("2006-01-02")
bounds := computeDeadlineBucketBounds(now.UTC())
if err := s.loadSummary(ctx, data, user, bounds); err != nil {
@@ -210,9 +161,6 @@ func (s *DashboardService) Get(ctx context.Context, userID uuid.UUID) (*Dashboar
if err := s.loadRecentActivity(ctx, data, user); err != nil {
return nil, err
}
if err := s.loadInboxSummary(ctx, data, user); err != nil {
return nil, err
}
annotateUrgency(data.UpcomingDeadlines, now)
return data, nil
@@ -313,7 +261,7 @@ SELECT f.id,
AND f.due_date <= $3::date
AND ` + visibilityPredicatePositional("p", 1) + `
ORDER BY f.due_date ASC
LIMIT 40`
LIMIT 10`
if err := s.db.SelectContext(ctx, &data.UpcomingDeadlines, query,
user.ID, today, endOfWeek); err != nil {
return fmt.Errorf("dashboard upcoming deadlines: %w", err)
@@ -321,45 +269,6 @@ SELECT f.id,
return nil
}
// loadInboxSummary populates DashboardData.InboxSummary — the open-
// approval count + top InboxTopCap entries for the inbox-approvals
// widget (t-paliad-219). When ApprovalService is unwired (knowledge-
// platform-only deployments, tests), the function is a no-op and the
// widget renders its empty state.
func (s *DashboardService) loadInboxSummary(ctx context.Context, data *DashboardData, user *models.User) error {
data.InboxSummary = InboxSummary{Top: []InboxEntry{}}
if s.approvals == nil {
return nil
}
cnt, err := s.approvals.PendingCountForUser(ctx, user.ID)
if err != nil {
return fmt.Errorf("dashboard inbox count: %w", err)
}
data.InboxSummary.PendingCount = cnt
if cnt == 0 {
return nil
}
rows, err := s.approvals.ListPendingForApprover(ctx, user.ID, InboxFilter{Limit: InboxTopCap})
if err != nil {
return fmt.Errorf("dashboard inbox top: %w", err)
}
top := make([]InboxEntry, 0, len(rows))
for _, r := range rows {
top = append(top, InboxEntry{
RequestID: r.ID,
EntityType: r.EntityType,
EntityTitle: r.EntityTitle,
ProjectID: r.ProjectID,
ProjectTitle: r.ProjectTitle,
RequestedAt: r.RequestedAt,
RequesterID: r.RequestedBy,
RequesterName: r.RequesterName,
})
}
data.InboxSummary.Top = top
return nil
}
func (s *DashboardService) loadUpcomingAppointments(ctx context.Context, data *DashboardData, user *models.User, now time.Time) error {
query := `
SELECT t.id,
@@ -373,13 +282,13 @@ SELECT t.id,
FROM paliad.appointments t
LEFT JOIN paliad.projects p ON p.id = t.project_id
WHERE t.start_at >= $2
AND t.start_at < ($2 + interval '60 days')
AND t.start_at < ($2 + interval '7 days')
AND (
(t.project_id IS NULL AND t.created_by = $1)
OR (t.project_id IS NOT NULL AND ` + visibilityPredicatePositional("p", 1) + `)
)
ORDER BY t.start_at ASC
LIMIT 40`
LIMIT 10`
if err := s.db.SelectContext(ctx, &data.UpcomingAppointments, query,
user.ID, now); err != nil {
return fmt.Errorf("dashboard upcoming appointments: %w", err)

51
internal/services/dashboard_service_test.go
View File

@@ -1,51 +0,0 @@
package services
// Pure-function tests for DashboardService extensions in Slice A3.
import (
"context"
"testing"
"github.com/google/uuid"
"mgit.msbls.de/m/paliad/internal/models"
)
func TestDashboardService_InboxSummary_NilApprovalsIsNoop(t *testing.T) {
s := &DashboardService{} // approvals nil
data := &DashboardData{}
user := &models.User{ID: uuid.New()}
if err := s.loadInboxSummary(context.Background(), data, user); err != nil {
t.Fatalf("loadInboxSummary with nil approvals returned %v; want nil", err)
}
if data.InboxSummary.PendingCount != 0 {
t.Errorf("PendingCount=%d; want 0", data.InboxSummary.PendingCount)
}
if data.InboxSummary.Top == nil {
t.Errorf("Top is nil; want empty slice")
}
if len(data.InboxSummary.Top) != 0 {
t.Errorf("Top has %d entries; want 0", len(data.InboxSummary.Top))
}
}
func TestDashboardService_SetApprovalService_WiringWorks(t *testing.T) {
s := &DashboardService{}
if s.approvals != nil {
t.Fatalf("freshly-constructed DashboardService has non-nil approvals")
}
a := &ApprovalService{} // empty shell; we only check the pointer wiring
s.SetApprovalService(a)
if s.approvals != a {
t.Errorf("SetApprovalService did not wire the pointer")
}
}
func TestInboxTopCap_NonZero(t *testing.T) {
// Sanity guard: if someone zeros this const, the inbox-approvals
// widget falls back to an empty top-N silently. Pin it ≥ the
// largest catalog count option for the inbox widget (10).
if InboxTopCap < 10 {
t.Errorf("InboxTopCap=%d; must be ≥ 10 to satisfy widget catalog max count", InboxTopCap)
}
}

266
internal/services/dump_export_test.go
View File

@@ -1,266 +0,0 @@
package services
// Regression tests for the xlsx-generator pitfalls reported by m on
// 2026-05-19:
//
// 1. Excel showed a "Repairs required" prompt on opening the .xlsx.
// Root cause: SetPanes call passed only Freeze + YSplit; the
// resulting <pane> XML missed topLeftCell + activePane, which
// Excel rejects. Fix in buildXLSX: complete the Panes struct
// (TopLeftCell="A2", ActivePane="bottomLeft", Selection on
// bottomLeft).
//
// 2. Windows Explorer / Excel's File→Info showed Modified=2006-09-16
// ("xuri" — excelize's first-commit defaults). Root cause:
// SetDocProps was never called, so the canned default leaked
// through. Fix in buildXLSX: SetDocProps({Created, Modified} =
// meta.GeneratedAt; Creator = "Paliad (<firm>)").
//
// The tests are always-on (no env var gate) so a future writer
// regression shows up loudly in `go test`. Developer-convenience hatch
// at the bottom: set DUMP_EXPORT=1 to additionally write the bundle +
// xlsx to /tmp for opening in real Excel.
import (
"archive/zip"
"bytes"
"io"
"os"
"strings"
"testing"
"time"
"github.com/google/uuid"
"github.com/xuri/excelize/v2"
)
// fixturePersonalExport builds a tiny in-memory bundle + the raw xlsx
// for the regression assertions and the optional /tmp dump.
func fixturePersonalExport(t *testing.T) (bundle []byte, xlsxBytes []byte, meta ExportMeta) {
t.Helper()
meta = ExportMeta{
SchemaVersion: 1,
FirmName: "HLC",
Scope: ExportScopePersonal,
GeneratedAt: time.Date(2026, 5, 19, 14, 23, 0, 0, time.UTC),
GeneratedByID: uuid.MustParse("00000000-0000-0000-0000-000000000001"),
GeneratedByEml: "m@hlc.de",
GeneratedByLbl: "m",
RowCounts: map[string]int{"projects": 1, "deadlines": 0},
}
sheets := []collectedSheet{
{name: "projects", columns: []string{"id", "title", "umlauts"}, rows: [][]string{{"u1", "Acme", "Müller"}}},
{name: "deadlines", columns: []string{"id", "due_date"}, rows: nil},
}
bundle = assembleBundleForTest(t, sheets, meta)
var err error
xlsxBytes, err = buildXLSX(sheets, meta)
if err != nil {
t.Fatalf("buildXLSX: %v", err)
}
return bundle, xlsxBytes, meta
}
// TestXLSX_DocProps_NotExcelizeDefault pins fix #2.
//
// Before the fix: core.xml had Created=Modified="2006-09-16T00:00:00Z"
// (xuri's first commit). Now we expect both to equal meta.GeneratedAt
// in RFC 3339 UTC, and Creator to be "Paliad (<firm>)".
func TestXLSX_DocProps_NotExcelizeDefault(t *testing.T) {
_, xlsxBytes, meta := fixturePersonalExport(t)
fl, err := excelize.OpenReader(bytes.NewReader(xlsxBytes))
if err != nil {
t.Fatalf("excelize.OpenReader: %v", err)
}
defer fl.Close()
props, err := fl.GetDocProps()
if err != nil {
t.Fatalf("GetDocProps: %v", err)
}
wantTS := meta.GeneratedAt.UTC().Format(time.RFC3339)
if props.Created != wantTS {
t.Errorf("Created = %q, want %q (excelize-default leak)", props.Created, wantTS)
}
if props.Modified != wantTS {
t.Errorf("Modified = %q, want %q (excelize-default leak)", props.Modified, wantTS)
}
if props.Creator == "xuri" || props.Creator == "" {
t.Errorf("Creator = %q, want non-empty non-xuri (e.g. \"Paliad (HLC)\")", props.Creator)
}
if !strings.Contains(props.Creator, "Paliad") {
t.Errorf("Creator = %q, expected to contain \"Paliad\"", props.Creator)
}
}
// TestXLSX_DocProps_TracksGeneratedAt pins that docProps stays bound to
// meta.GeneratedAt across different timestamps — belt-and-braces vs
// the fixed-fixture timestamp in the previous test.
func TestXLSX_DocProps_TracksGeneratedAt(t *testing.T) {
for _, ts := range []time.Time{
time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC),
time.Date(2027, 12, 31, 23, 59, 59, 0, time.UTC),
time.Now().UTC().Truncate(time.Second),
} {
meta := ExportMeta{
SchemaVersion: 1,
FirmName: "HLC",
Scope: ExportScopePersonal,
GeneratedAt: ts,
RowCounts: map[string]int{"projects": 0},
}
xlsxBytes, err := buildXLSX([]collectedSheet{
{name: "projects", columns: []string{"id"}, rows: nil},
}, meta)
if err != nil {
t.Fatalf("buildXLSX: %v", err)
}
fl, err := excelize.OpenReader(bytes.NewReader(xlsxBytes))
if err != nil {
t.Fatalf("OpenReader: %v", err)
}
props, err := fl.GetDocProps()
_ = fl.Close()
if err != nil {
t.Fatalf("GetDocProps: %v", err)
}
want := ts.Format(time.RFC3339)
if props.Modified != want {
t.Errorf("Modified = %q, want %q", props.Modified, want)
}
}
}
// TestXLSX_PaneXML_IsCompleteAndValid pins fix #1.
//
// excelize accepts the half-broken <pane state="frozen" ySplit="1"/>
// shape on re-read (its parser is permissive), but Excel rejects it
// with "Repairs required". To detect the regression without spinning
// up Office, we read the raw worksheet XML out of the in-memory xlsx
// zip and assert that the pane element has both topLeftCell + activePane.
func TestXLSX_PaneXML_IsCompleteAndValid(t *testing.T) {
_, xlsxBytes, _ := fixturePersonalExport(t)
zr, err := zip.NewReader(bytes.NewReader(xlsxBytes), int64(len(xlsxBytes)))
if err != nil {
t.Fatalf("xlsx is not a valid zip: %v", err)
}
// sheet1 = __meta (no pane). sheet2 = projects, sheet3 = deadlines —
// both have the frozen header.
for _, target := range []string{"xl/worksheets/sheet2.xml", "xl/worksheets/sheet3.xml"} {
var body []byte
for _, f := range zr.File {
if f.Name == target {
rc, err := f.Open()
if err != nil {
t.Fatalf("open %s: %v", target, err)
}
body, _ = io.ReadAll(rc)
rc.Close()
break
}
}
if body == nil {
t.Fatalf("missing %s in xlsx zip", target)
}
s := string(body)
if !strings.Contains(s, `topLeftCell="A2"`) {
t.Errorf("%s pane missing topLeftCell — Excel will prompt 'repairs required'.\nXML: %s",
target, s)
}
if !strings.Contains(s, `activePane="bottomLeft"`) {
t.Errorf("%s pane missing activePane — Excel will prompt 'repairs required'.\nXML: %s",
target, s)
}
if !strings.Contains(s, `state="frozen"`) {
t.Errorf("%s pane missing state=frozen.\nXML: %s", target, s)
}
}
}
// TestXLSX_NoExcelizeBuildDefaults guards against any future regression
// where a code path writes the .xlsx without first overriding excelize's
// canned defaults. Cheap byte-level assertions.
func TestXLSX_NoExcelizeBuildDefaults(t *testing.T) {
_, xlsxBytes, _ := fixturePersonalExport(t)
if bytes.Contains(xlsxBytes, []byte("2006-09-16T00:00:00Z")) {
t.Errorf("xlsx leaks excelize default Created/Modified=2006-09-16 — SetDocProps not called?")
}
if bytes.Contains(xlsxBytes, []byte(`<dc:creator>xuri</dc:creator>`)) {
t.Errorf("xlsx leaks excelize default Creator=xuri — SetDocProps not called?")
}
}
// TestXLSX_OpensCleanly is the catch-all: round-trip the file through
// excelize and confirm sheet names, row counts, and GetDocProps work.
func TestXLSX_OpensCleanly(t *testing.T) {
_, xlsxBytes, _ := fixturePersonalExport(t)
fl, err := excelize.OpenReader(bytes.NewReader(xlsxBytes))
if err != nil {
t.Fatalf("OpenReader: %v", err)
}
defer fl.Close()
wantSheets := []string{"__meta", "projects", "deadlines"}
got := fl.GetSheetList()
if len(got) != len(wantSheets) {
t.Fatalf("sheet list length = %d, want %d (%v vs %v)", len(got), len(wantSheets), got, wantSheets)
}
for i, want := range wantSheets {
if got[i] != want {
t.Errorf("sheet[%d] = %q, want %q", i, got[i], want)
}
}
rows, err := fl.GetRows("projects")
if err != nil {
t.Fatalf("GetRows(projects): %v", err)
}
if len(rows) != 2 {
t.Fatalf("projects rows = %d, want 2 (header + 1)", len(rows))
}
if rows[0][0] != "id" || rows[1][0] != "u1" || rows[1][2] != "Müller" {
t.Errorf("projects rows = %v, want header=[id title umlauts] row=[u1 Acme Müller]", rows)
}
}
// TestBundle_ZipEntryMTime_TracksGeneratedAt pins the outer-zip side of
// fix #2. Pre-fix every entry was stamped 2000-01-01 (the deterministic
// constant) so Windows showed extracted files with a stale Modified
// column. Now they carry meta.GeneratedAt.
func TestBundle_ZipEntryMTime_TracksGeneratedAt(t *testing.T) {
bundle, _, meta := fixturePersonalExport(t)
zr, err := zip.NewReader(bytes.NewReader(bundle), int64(len(bundle)))
if err != nil {
t.Fatalf("bundle not a valid zip: %v", err)
}
want := meta.GeneratedAt.UTC()
for _, f := range zr.File {
got := f.Modified.UTC()
// Zip stores mtime at 2-second resolution; allow ≤2s drift.
diff := got.Sub(want)
if diff < -2*time.Second || diff > 2*time.Second {
t.Errorf("zip entry %q Modified = %v, want ~%v", f.Name, got, want)
}
// Specifically catch the old 2000-01-01 stamp.
if got.Year() == 2000 && got.Month() == 1 && got.Day() == 1 {
t.Errorf("zip entry %q stamped 2000-01-01 — old deterministic-constant regression", f.Name)
}
}
}
// TestDumpExport is the developer-convenience hatch. Skipped by default;
// set DUMP_EXPORT=1 to write artifacts to /tmp for opening in real Excel.
func TestDumpExport(t *testing.T) {
if os.Getenv("DUMP_EXPORT") == "" {
t.Skip("set DUMP_EXPORT=1 to dump artifacts to /tmp/paliad-export-debug.{zip,xlsx}")
}
bundle, xlsxBytes, _ := fixturePersonalExport(t)
if err := os.WriteFile("/tmp/paliad-export-debug.zip", bundle, 0o644); err != nil {
t.Fatal(err)
}
if err := os.WriteFile("/tmp/paliad-export-debug.xlsx", xlsxBytes, 0o644); err != nil {
t.Fatal(err)
}
t.Logf("wrote /tmp/paliad-export-debug.zip (%d bytes) + .xlsx (%d bytes)", len(bundle), len(xlsxBytes))
}

215
internal/services/export_project_test.go
View File

@@ -1,215 +0,0 @@
package services
// Tests for the Slice 2 (project-subtree) sheet registry. Pure-function
// shape tests — live-DB integration coverage of the SQL itself stays in
// the existing query patterns the personal-scope tests already cover.
import (
"strings"
"testing"
"time"
"github.com/google/uuid"
)
// TestProjectSheetQueries_RegistryShape pins the sheet inventory + the
// design's §2 contract: every entity sheet binds rootID as $1, and the
// approval_policies sheet ships with all three sources (project +
// ancestor + partner_unit_default).
func TestProjectSheetQueries_RegistryShape(t *testing.T) {
rootID := uuid.MustParse("61e3fb9e-29fb-44aa-867e-a89469e2cacb")
qs := projectSheetQueries(rootID, false)
wantSheets := []string{
"projects",
"project_teams",
"project_partner_units",
"deadlines",
"appointments",
"parties",
"notes",
"documents",
"project_events",
"approval_requests",
"approval_policies",
"checklist_instances",
"partner_units",
"partner_unit_members",
"users_referenced",
"system_audit_log_subset",
"ref__proceeding_types",
"ref__event_types",
"ref__event_categories",
"ref__deadline_rules",
"ref__deadline_concepts",
"ref__courts",
"ref__countries",
"ref__holidays",
}
gotSheets := []string{}
for _, q := range qs {
gotSheets = append(gotSheets, q.SheetName)
}
if len(gotSheets) != len(wantSheets) {
t.Fatalf("sheet count = %d, want %d (got %v)", len(gotSheets), len(wantSheets), gotSheets)
}
for i, want := range wantSheets {
if gotSheets[i] != want {
t.Errorf("sheet[%d] = %q, want %q", i, gotSheets[i], want)
}
}
// Every NON-reference sheet binds rootID as $1.
for _, q := range qs {
if strings.HasPrefix(q.SheetName, "ref__") {
if len(q.Args) != 0 {
t.Errorf("ref sheet %q has %d args, want 0", q.SheetName, len(q.Args))
}
continue
}
if len(q.Args) != 1 {
t.Errorf("entity sheet %q has %d args, want 1", q.SheetName, len(q.Args))
continue
}
if got, ok := q.Args[0].(uuid.UUID); !ok || got != rootID {
t.Errorf("entity sheet %q first arg = %v, want rootID %v", q.SheetName, q.Args[0], rootID)
}
}
}
// TestProjectSheetQueries_ApprovalPoliciesTripleSource verifies that the
// approval_policies sheet's SQL carries all three source tags so an
// importer can reconstruct the effective gate (Q4 lock-in).
func TestProjectSheetQueries_ApprovalPoliciesTripleSource(t *testing.T) {
qs := projectSheetQueries(uuid.New(), false)
var found *sheetQuery
for i := range qs {
if qs[i].SheetName == "approval_policies" {
found = &qs[i]
break
}
}
if found == nil {
t.Fatal("approval_policies sheet missing from registry")
}
for _, src := range []string{
`'project'::text AS source`,
`'ancestor'::text AS source`,
`'partner_unit_default'::text AS source`,
} {
if !strings.Contains(found.SQL, src) {
t.Errorf("approval_policies SQL missing %q tag — Q4 triple-source attribution broken.\nSQL:\n%s",
src, found.SQL)
}
}
}
// TestProjectSheetQueries_DirectOnlyNarrowsSubtree pins that direct_only=true
// produces a subtree subquery resolving to exactly the root (no LIKE-walk).
func TestProjectSheetQueries_DirectOnlyNarrowsSubtree(t *testing.T) {
subtreeAll := projectSubtreeProjectIDsSQL(false)
subtreeRoot := projectSubtreeProjectIDsSQL(true)
if !strings.Contains(subtreeAll, `LIKE r.path`) {
t.Errorf("default subtree SQL missing path-LIKE descendant walk:\n%s", subtreeAll)
}
if strings.Contains(subtreeRoot, `LIKE`) {
t.Errorf("direct_only subtree SQL still has LIKE walk — should be root-only:\n%s", subtreeRoot)
}
if !strings.Contains(subtreeRoot, `$1::uuid`) {
t.Errorf("direct_only subtree SQL missing $1::uuid root reference:\n%s", subtreeRoot)
}
}
// TestProjectSheetQueries_NoPersonalSidecars guards against an accidental
// inclusion of personal sidecars (caldav config, views, pins, paliadin
// turns) in the project-scope export. These are per-user, not per-project,
// and don't belong in a matter handover.
func TestProjectSheetQueries_NoPersonalSidecars(t *testing.T) {
qs := projectSheetQueries(uuid.New(), false)
for _, q := range qs {
switch q.SheetName {
case "my_caldav_config", "my_views", "my_pinned_projects", "my_card_layouts", "my_paliadin_turns", "me":
t.Errorf("project-scope export must not include personal sidecar sheet %q", q.SheetName)
}
// Also defence-in-depth on the SQL: no SELECT from
// user_caldav_config or paliadin_turns from project scope.
if strings.Contains(q.SQL, "user_caldav_config") {
t.Errorf("sheet %q SQL touches user_caldav_config — never in project scope", q.SheetName)
}
if strings.Contains(q.SQL, "paliadin_turns") {
t.Errorf("sheet %q SQL touches paliadin_turns — never in project scope", q.SheetName)
}
}
}
// TestProjectSheetQueries_AttachedPartnerUnitsOnly pins that the
// partner_units sheet is filtered to attached units only (not the full
// org chart).
func TestProjectSheetQueries_AttachedPartnerUnitsOnly(t *testing.T) {
qs := projectSheetQueries(uuid.New(), false)
for _, q := range qs {
if q.SheetName != "partner_units" {
continue
}
if !strings.Contains(q.SQL, "project_partner_units") {
t.Errorf("partner_units sheet SQL must filter via project_partner_units (got attached-only requirement):\n%s",
q.SQL)
}
return
}
t.Fatal("partner_units sheet missing from registry")
}
// TestShortUUIDSuffix_ReturnsLast8Hex pins the §3 filename disambiguator
// shape — Q5 lock-in.
func TestShortUUIDSuffix_ReturnsLast8Hex(t *testing.T) {
cases := []struct {
in uuid.UUID
want string
}{
{uuid.Nil, ""},
{uuid.MustParse("11111111-1111-1111-1111-aaaaaaaaaaaa"), "aaaaaaaaaaaa"},
{uuid.MustParse("61e3fb9e-29fb-44aa-867e-a89469e2cacb"), "a89469e2cacb"},
}
for _, c := range cases {
got := shortUUIDSuffix(c.in)
if got != c.want {
t.Errorf("shortUUIDSuffix(%v) = %q, want %q", c.in, got, c.want)
}
}
}
// TestMetaToKeyValueRows_ProjectScopeRows verifies that project-scope
// meta picks up scope_root_label + scope_root_path + direct_only rows
// (so the __meta sheet carries Q6 lock-in details).
func TestMetaToKeyValueRows_ProjectScopeRows(t *testing.T) {
rootID := uuid.MustParse("61e3fb9e-29fb-44aa-867e-a89469e2cacb")
m := ExportMeta{
SchemaVersion: 1,
FirmName: "HLC",
Scope: ExportScopeProject,
ScopeRootID: &rootID,
ScopeRootLabel: "Siemens AG",
ScopeRootPath: "61e3fb9e_29fb_44aa_867e_a89469e2cacb",
DirectOnly: false,
GeneratedAt: time.Date(2026, 5, 20, 14, 23, 0, 0, time.UTC),
RowCounts: map[string]int{},
}
rows := metaToKeyValueRows(m)
want := map[string]string{
"scope_root_label": "Siemens AG",
"scope_root_path": "61e3fb9e_29fb_44aa_867e_a89469e2cacb",
"direct_only": "FALSE",
}
seen := map[string]string{}
for _, r := range rows {
seen[r[0]] = r[1]
}
for k, v := range want {
if seen[k] != v {
t.Errorf("meta key %q = %q, want %q (full rows: %v)", k, seen[k], v, rows)
}
}
}

554
internal/services/export_service.go
View File

@@ -93,16 +93,6 @@ type ExportMeta struct {
FirmName string `json:"firm_name"`
Scope string `json:"scope"`
ScopeRootID *uuid.UUID `json:"scope_root_id,omitempty"`
// ScopeRootLabel is the project title (project scope only). Empty
// for personal + org scope.
ScopeRootLabel string `json:"scope_root_label,omitempty"`
// ScopeRootPath is the ltree path of the root project (project scope
// only). Preserved in the audit row so closed-out projects retain a
// usable ancestry pointer (Q6 lock-in).
ScopeRootPath string `json:"scope_root_path,omitempty"`
// DirectOnly is true when ?direct_only=1 was passed (project scope
// only) — narrows the export to the root project, no descendants.
DirectOnly bool `json:"direct_only,omitempty"`
GeneratedAt time.Time `json:"generated_at"`
GeneratedByID uuid.UUID `json:"generated_by_user_id"`
GeneratedByEml string `json:"generated_by_user_email"`
@@ -117,14 +107,6 @@ type ExportMeta struct {
type ExportSpec struct {
Scope string
ScopeRoot *uuid.UUID // project_id when Scope==ExportScopeProject; nil otherwise
// ScopeRootLabel + ScopeRootPath are populated by the project-export
// handler (resolved from the root project row) so the audit + __meta
// carry stable labels even if the project is later renamed.
ScopeRootLabel string
ScopeRootPath string
// DirectOnly narrows the export to the root project only (project
// scope, ?direct_only=1).
DirectOnly bool
ActorID uuid.UUID
ActorEmail string
ActorLabel string // display_name for the audit + meta
@@ -191,102 +173,6 @@ func (s *ExportService) WritePersonal(ctx context.Context, w io.Writer, spec Exp
return meta, nil
}
// WriteProject streams the project-subtree bundle for the project named
// in spec.ScopeRoot into w. Returns the meta (incl. row_counts) for the
// audit-row patch.
//
// Behavior contract (per Slice 2 design §2):
//
// - Every entity sheet is filtered to the subtree (project + descendants
// via ltree path). When spec.DirectOnly is true, narrows to the root
// project only (no descendants).
// - approval_policies carries all 3 sources (project rows + ancestor
// rows + partner-unit-default rows) tagged with a `source` column —
// m's Q4 lock-in lets recipients reconstruct the effective gate.
// - users_referenced restricts the user disclosure to FK-referenced
// users only (avoids dumping the full firm roster into a per-matter
// handover).
// - Cross-subtree FKs (projects.counterclaim_of pointing outside the
// subtree) are kept but warned about in __meta.warnings — m's Q3
// lock-in preserves the no-lock-in promise.
//
// Permission gate (§4) lives on the handler, NOT here — the service
// trusts the caller has already authorised. Wiring is in handlers/export.go.
func (s *ExportService) WriteProject(ctx context.Context, w io.Writer, spec ExportSpec) (ExportMeta, error) {
if spec.Scope == "" {
spec.Scope = ExportScopeProject
}
if spec.GeneratedAt.IsZero() {
spec.GeneratedAt = time.Now().UTC()
}
if spec.ScopeRoot == nil {
return ExportMeta{}, fmt.Errorf("WriteProject: ScopeRoot is required")
}
meta := ExportMeta{
SchemaVersion: ExportSchemaVersion,
FirmName: s.firmName,
Scope: spec.Scope,
ScopeRootID: spec.ScopeRoot,
ScopeRootLabel: spec.ScopeRootLabel,
ScopeRootPath: spec.ScopeRootPath,
DirectOnly: spec.DirectOnly,
GeneratedAt: spec.GeneratedAt,
GeneratedByID: spec.ActorID,
GeneratedByEml: spec.ActorEmail,
GeneratedByLbl: spec.ActorLabel,
RowCounts: map[string]int{},
}
sheets := projectSheetQueries(*spec.ScopeRoot, spec.DirectOnly)
if err := s.writeBundle(ctx, w, sheets, &meta); err != nil {
return meta, err
}
// Cross-subtree FK detection (Q3 lock-in: keep FK + warn). After the
// bundle is built we run one lightweight scan to surface
// counterclaim_of references that escape the subtree. The result
// gets appended to meta.Warnings so it lands in __meta + the audit
// row + the README's warning list.
if warns, err := s.detectCrossSubtreeFKs(ctx, *spec.ScopeRoot, spec.DirectOnly); err == nil && len(warns) > 0 {
meta.Warnings = append(meta.Warnings, warns...)
sort.Strings(meta.Warnings)
}
return meta, nil
}
// detectCrossSubtreeFKs scans subtree-resident projects for FKs that
// point outside the subtree (today: only projects.counterclaim_of). One
// warning row per outbound reference. Best-effort: a query error here
// degrades silently (the export still ships) since the warning is
// informational, not load-bearing.
func (s *ExportService) detectCrossSubtreeFKs(ctx context.Context, rootID uuid.UUID, directOnly bool) ([]string, error) {
subtreeSQL := projectSubtreeProjectIDsSQL(directOnly)
q := `
SELECT p.id, p.title, p.counterclaim_of
FROM paliad.projects p
WHERE p.id IN ` + subtreeSQL + `
AND p.counterclaim_of IS NOT NULL
AND p.counterclaim_of NOT IN ` + subtreeSQL + `
ORDER BY p.id`
type row struct {
ID uuid.UUID `db:"id"`
Title string `db:"title"`
CounterclaimOf uuid.UUID `db:"counterclaim_of"`
}
var rows []row
if err := s.db.SelectContext(ctx, &rows, q, rootID); err != nil {
return nil, err
}
out := make([]string, 0, len(rows))
for _, r := range rows {
out = append(out, fmt.Sprintf(
"cross-subtree FK: project %q (%s).counterclaim_of → %s (not in this export)",
r.Title, r.ID, r.CounterclaimOf,
))
}
return out, nil
}
// collectedSheet holds one sheet's data after column-discovery + row
// materialisation. Used to hand data from writeBundle to buildXLSX +
// buildJSON + buildCSV.
@@ -388,24 +274,15 @@ func (s *ExportService) writeBundle(ctx context.Context, w io.Writer, sheets []s
sort.Slice(entries, func(i, j int) bool { return entries[i].name < entries[j].name })
zw := zip.NewWriter(w)
// Stamp every zip entry's Modified with the export's GeneratedAt so
// the extracted files carry a meaningful timestamp in Windows
// Explorer / Finder (instead of "01.01.2000" or the build time).
// This is still deterministic-within-an-export: two calls with the
// same ExportMeta produce identical bytes (m's Q6 contract is
// "same row state at same generation time → identical bytes",
// modulo __meta.generated_at — and now the file mtimes too).
mod := meta.GeneratedAt.UTC()
if mod.IsZero() {
// Defensive: a zero time would cause archive/zip to write 1980-01-01
// (the DOS epoch) which would re-surface the original bug.
mod = time.Now().UTC()
}
// Force a fixed Modified time on every entry so the zip header bytes
// don't drift between runs. archive/zip otherwise stamps Modified
// with time.Now() which would defeat the deterministic guarantee.
fixedMod := time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)
for _, e := range entries {
hdr := &zip.FileHeader{
Name: e.name,
Method: zip.Deflate,
Modified: mod,
Modified: fixedMod,
}
fw, err := zw.CreateHeader(hdr)
if err != nil {
@@ -537,43 +414,10 @@ func formatCellValue(v any) string {
// buildXLSX assembles the workbook from the collected sheets + meta. Uses
// excelize's row-by-row writer; at personal/project scale the dataset
// fits comfortably in memory. Returns the xlsx-file bytes.
//
// Two non-obvious things this function gets right (because past versions
// got them wrong and Excel complained):
//
// 1. excelize's default core.xml carries Created=Modified="2006-09-16T00:00:00Z"
// (xuri's first commit date) until SetDocProps is called. We overwrite
// both with meta.GeneratedAt so Excel's File→Info shows the real time
// and Windows Explorer shows a sensible Modified column.
//
// 2. A frozen header row needs a complete <pane> definition or Excel
// pops the "Repairs required" prompt on open. excelize's Panes struct
// requires Freeze + YSplit + TopLeftCell + ActivePane; passing just
// Freeze + YSplit (the obvious-but-wrong form) emits invalid XML that
// excelize itself accepts on re-read but Excel rejects.
func buildXLSX(sheets []collectedSheet, meta ExportMeta) ([]byte, error) {
f := excelize.NewFile()
defer f.Close()
// Replace the hardcoded "Author: xuri / Created: 2006-09-16" defaults
// with real per-export metadata. Modified == Created on first write
// (no editing has happened by the time the user downloads).
tsISO := meta.GeneratedAt.UTC().Format(time.RFC3339)
creator := "Paliad"
if meta.FirmName != "" {
creator = "Paliad (" + meta.FirmName + ")"
}
if err := f.SetDocProps(&excelize.DocProperties{
Created: tsISO,
Modified: tsISO,
Creator: creator,
LastModifiedBy: creator,
Title: fmt.Sprintf("Paliad export (%s)", meta.Scope),
Description: fmt.Sprintf("Paliad data export, scope=%s, generated_by=%s", meta.Scope, meta.GeneratedByEml),
}); err != nil {
return nil, fmt.Errorf("excelize SetDocProps: %w", err)
}
// excelize creates a default "Sheet1" we want to rename to __meta.
const metaName = "__meta"
first := f.GetSheetName(0)
@@ -609,6 +453,10 @@ func buildXLSX(sheets []collectedSheet, meta ExportMeta) ([]byte, error) {
if _, err := f.NewSheet(sheetName); err != nil {
return nil, err
}
// Stream rows via the row-by-row API (NewStreamWriter is faster
// but it forbids re-opening sheets and silently truncates writes
// past the streamer's offset — at our scale the simple API is
// safer and the perf cost is negligible).
// Header row
for ci, col := range sh.columns {
cell, _ := excelize.CoordinatesToCellName(ci+1, 1)
@@ -624,34 +472,21 @@ func buildXLSX(sheets []collectedSheet, meta ExportMeta) ([]byte, error) {
}
}
}
// Freeze the header row. The complete <pane> shape Excel insists
// on for a Y-only freeze: TopLeftCell="A2" (cell below the frozen
// row), ActivePane="bottomLeft", Selection on bottomLeft. The
// obvious-but-incomplete form {Freeze: true, YSplit: 1} produces
// invalid pane XML that triggers Excel's repair prompt on open.
if err := f.SetPanes(sheetName, &excelize.Panes{
Freeze: true,
YSplit: 1,
TopLeftCell: "A2",
ActivePane: "bottomLeft",
Selection: []excelize.Selection{
{SQRef: "A2", ActiveCell: "A2", Pane: "bottomLeft"},
},
}); err != nil {
return nil, fmt.Errorf("excelize SetPanes(%q): %w", sheetName, err)
}
// Freeze the header row.
_ = f.SetPanes(sheetName, &excelize.Panes{
Freeze: true,
YSplit: 1,
})
}
// Set the active sheet to the __meta sheet (index 0). Without this,
// excelize's default active-sheet index can point at a sheet that no
// longer exists at that ordinal — also a "repair required" trigger.
f.SetActiveSheet(0)
// Write to buffer.
var buf strings.Builder
// excelize writes to an io.Writer via WriteTo
bw := &byteBuf{}
if _, err := f.WriteTo(bw); err != nil {
return nil, err
}
_ = buf // silence unused (kept for clarity that we considered a strings.Builder)
return bw.Bytes(), nil
}
@@ -679,20 +514,6 @@ func metaToKeyValueRows(m ExportMeta) [][2]string {
} else {
rows = append(rows, [2]string{"scope_root_id", ""})
}
// Project-scope-only rows (Slice 2 §2.4). Surface as empty rows for
// other scopes so the __meta layout stays stable + Excel users can
// see "this field exists but doesn't apply here".
rows = append(rows,
[2]string{"scope_root_label", m.ScopeRootLabel},
[2]string{"scope_root_path", m.ScopeRootPath},
)
if m.Scope == ExportScopeProject {
if m.DirectOnly {
rows = append(rows, [2]string{"direct_only", "TRUE"})
} else {
rows = append(rows, [2]string{"direct_only", "FALSE"})
}
}
rows = append(rows,
[2]string{"generated_at", m.GeneratedAt.UTC().Format(time.RFC3339)},
[2]string{"generated_by_user_id", m.GeneratedByID.String()},
@@ -765,19 +586,6 @@ func buildREADME(m ExportMeta) string {
fmt.Fprintf(&b, "Erstellt am : %s\n", m.GeneratedAt.UTC().Format(time.RFC3339))
fmt.Fprintf(&b, "Erstellt von : %s <%s>\n", m.GeneratedByLbl, m.GeneratedByEml)
fmt.Fprintf(&b, "Umfang : %s\n", m.Scope)
if m.Scope == ExportScopeProject {
if m.ScopeRootLabel != "" {
fmt.Fprintf(&b, "Projekt : %s\n", m.ScopeRootLabel)
}
if m.ScopeRootID != nil {
fmt.Fprintf(&b, "Projekt-ID : %s\n", m.ScopeRootID.String())
}
if m.DirectOnly {
fmt.Fprintf(&b, "Hinweis : nur das Root-Projekt (?direct_only=1), keine Unter-Projekte.\n")
} else {
fmt.Fprintf(&b, "Hinweis : Root-Projekt + alle Unter-Projekte.\n")
}
}
fmt.Fprintf(&b, "Schema-Version: %d\n", m.SchemaVersion)
fmt.Fprintf(&b, "\n")
fmt.Fprintf(&b, "Inhalt\n------\n")
@@ -822,16 +630,7 @@ func buildREADME(m ExportMeta) string {
// ExportFilename returns the canonical filename for a download. Slugify is
// minimal — only the project-scope variant has a free-text component to
// sanitise.
//
// Project-scope filenames include an 8-hex-char disambiguator derived from
// the root project's UUID (Slice 2 §3 Q5). Two projects with identical
// titles (common: "Standard NDA" per client) would otherwise produce
// filename collisions when archived together; 4-billion-class disambiguation
// is cheap insurance.
//
// rootID is consumed only for ExportScopeProject; pass uuid.Nil for the
// other scopes.
func ExportFilename(scope string, scopeLabel string, rootID uuid.UUID, generatedAt time.Time) string {
func ExportFilename(scope string, scopeLabel string, generatedAt time.Time) string {
ts := generatedAt.UTC().Format("2006-01-02T1504Z")
switch scope {
case ExportScopePersonal:
@@ -843,30 +642,12 @@ func ExportFilename(scope string, scopeLabel string, rootID uuid.UUID, generated
if slug == "" {
slug = randomSlug()
}
short := shortUUIDSuffix(rootID)
if short == "" {
return fmt.Sprintf("paliad-export-project-%s-%s.zip", slug, ts)
}
return fmt.Sprintf("paliad-export-project-%s-%s-%s.zip", slug, short, ts)
return fmt.Sprintf("paliad-export-project-%s-%s.zip", slug, ts)
default:
return fmt.Sprintf("paliad-export-%s.zip", ts)
}
}
// shortUUIDSuffix returns the last 8 hex chars of the UUID's canonical
// representation (the trailing block after the final dash). Empty string
// for uuid.Nil so callers can fall back to the slug-only variant.
func shortUUIDSuffix(id uuid.UUID) string {
if id == uuid.Nil {
return ""
}
s := id.String()
if i := strings.LastIndex(s, "-"); i != -1 && i+1 < len(s) {
return s[i+1:]
}
return ""
}
var filenameSafeRegex = regexp.MustCompile(`[^A-Za-z0-9-]+`)
func slugifyFilename(s string) string {
@@ -1111,25 +892,10 @@ func personalSheetQueries(actorID uuid.UUID) []sheetQuery {
// WriteAuditRow inserts a system_audit_log row before the export runs and
// returns the new row id. The handler PATCHes the row with file_size_bytes
// + final row_counts on success or marks it failed on error.
//
// For project-scope exports the metadata jsonb carries the ltree path
// (Q6 lock-in) so the audit row remains interpretable after a project
// deletion: scope_root → just the UUID; metadata.root_path → the
// ancestry. Same goes for root_label + direct_only so dashboards don't
// need to round-trip back to paliad.projects on render.
func (s *ExportService) WriteAuditRow(ctx context.Context, spec ExportSpec) (uuid.UUID, error) {
meta := map[string]any{
"requested_at": spec.GeneratedAt.UTC().Format(time.RFC3339),
}
if spec.Scope == ExportScopeProject {
if spec.ScopeRootLabel != "" {
meta["root_label"] = spec.ScopeRootLabel
}
if spec.ScopeRootPath != "" {
meta["root_path"] = spec.ScopeRootPath
}
meta["direct_only"] = spec.DirectOnly
}
mb, _ := json.Marshal(meta)
var id uuid.UUID
err := s.db.QueryRowContext(ctx,
@@ -1188,285 +954,3 @@ func (s *ExportService) PatchAuditRowFailure(ctx context.Context, id uuid.UUID,
id, string(mb),
)
}
// ---------------------------------------------------------------------------
// Project-scope sheet registry (Slice 2).
// ---------------------------------------------------------------------------
//
// Subtree-aware queries via paliad.projects.path (ltree as text). The
// subtree predicate works on the materialised path column:
//
// p.path LIKE root.path || '%' -- descendants + self
// p.path = root.path -- self only (direct_only=true)
//
// We use the path-prefix-LIKE form instead of ltree `<@` because the
// schema stores path as text (the underlying ltree is materialised in
// the projects.path column). The LIKE pattern is anchored at the start
// and uses indexes built on path.
//
// Ordering: every SELECT uses ORDER BY id (or another stable tuple) so
// byte-determinism holds across runs.
// projectSubtreeProjectIDsSQL returns a SQL subquery expression that
// resolves to "the set of project ids in the subtree of $1". Use as the
// right-hand side of `IN`. The $1 placeholder must bind the root
// project's UUID.
//
// When directOnly is true, narrows to the root project itself only.
func projectSubtreeProjectIDsSQL(directOnly bool) string {
if directOnly {
// Tighter: just the root, no descendants. Still framed as a
// subquery so the outer SQL can be uniformly composed.
return `(SELECT $1::uuid AS id)`
}
// Subtree = root + descendants. The materialised path column on
// every project includes its own UUID as the trailing label, so the
// LIKE pattern matches both the root and every descendant in one
// expression. r.path is read from the root row keyed by $1.
return `(
SELECT p.id
FROM paliad.projects p
JOIN paliad.projects r ON r.id = $1::uuid
WHERE p.path = r.path
OR p.path LIKE r.path || '.%'
)`
}
// projectSheetQueries returns the sheet registry for a project-scope
// export. rootID is bound to $1 in every query; directOnly narrows the
// subtree to just the root project.
//
// Sheet inclusion follows design §2.2. Same shape as personalSheetQueries
// but with subtree filtering instead of RLS-visibility and a tighter
// users-disclosure profile.
func projectSheetQueries(rootID uuid.UUID, directOnly bool) []sheetQuery {
subtree := projectSubtreeProjectIDsSQL(directOnly)
queries := []sheetQuery{
// --- entity sheets (subtree-scoped) ---
{
SheetName: "projects",
SQL: `SELECT * FROM paliad.projects
WHERE id IN ` + subtree + `
ORDER BY id`,
Args: []any{rootID},
},
{
SheetName: "project_teams",
SQL: `SELECT * FROM paliad.project_teams
WHERE project_id IN ` + subtree + `
ORDER BY project_id, user_id`,
Args: []any{rootID},
},
{
SheetName: "project_partner_units",
SQL: `SELECT * FROM paliad.project_partner_units
WHERE project_id IN ` + subtree + `
ORDER BY project_id, partner_unit_id`,
Args: []any{rootID},
},
{
SheetName: "deadlines",
SQL: `SELECT * FROM paliad.deadlines
WHERE project_id IN ` + subtree + `
ORDER BY id`,
Args: []any{rootID},
},
{
SheetName: "appointments",
SQL: `SELECT * FROM paliad.appointments
WHERE project_id IN ` + subtree + `
ORDER BY id`,
Args: []any{rootID},
},
{
SheetName: "parties",
SQL: `SELECT * FROM paliad.parties
WHERE project_id IN ` + subtree + `
ORDER BY id`,
Args: []any{rootID},
},
{
SheetName: "notes",
SQL: `SELECT * FROM paliad.notes
WHERE COALESCE(project_id,
(SELECT d.project_id FROM paliad.deadlines d WHERE d.id = notes.deadline_id),
(SELECT a.project_id FROM paliad.appointments a WHERE a.id = notes.appointment_id),
(SELECT pe.project_id FROM paliad.project_events pe WHERE pe.id = notes.project_event_id)
) IN ` + subtree + `
ORDER BY id`,
Args: []any{rootID},
},
{
SheetName: "documents",
SQL: `SELECT id, project_id, title, doc_type, file_path, file_size, mime_type, uploaded_by, created_at, updated_at
FROM paliad.documents
WHERE project_id IN ` + subtree + `
ORDER BY id`,
Args: []any{rootID},
},
{
SheetName: "project_events",
SQL: `SELECT * FROM paliad.project_events
WHERE project_id IN ` + subtree + `
ORDER BY id`,
Args: []any{rootID},
},
{
SheetName: "approval_requests",
SQL: `SELECT * FROM paliad.approval_requests
WHERE project_id IN ` + subtree + `
ORDER BY id`,
Args: []any{rootID},
},
// Approval policies — m's Q4 lock: ship all three sources with
// `source` attribution column so an importer can reconstruct
// "what gate applies" without re-running paliad's resolver.
//
// Source 1: project rows for any project in the subtree.
// Source 2: project rows for ancestors of the root (so a
// descendant export still sees the gate inherited
// from above the subtree).
// Source 3: partner-unit-default rows for units attached to
// any subtree project.
//
// One UNION query, with a `source` column tagged per branch.
// We hand-pick the columns to keep the shape stable across the
// three sources (approval_policies.project_id is nullable when
// the row is a partner-unit-default, etc.).
{
SheetName: "approval_policies",
SQL: `
SELECT 'project'::text AS source,
id, project_id, partner_unit_id, entity_type, lifecycle_event,
required_role, requires_approval, min_role,
created_by, created_at, updated_at
FROM paliad.approval_policies
WHERE project_id IN ` + subtree + `
UNION ALL
SELECT 'ancestor'::text AS source,
ap.id, ap.project_id, ap.partner_unit_id, ap.entity_type, ap.lifecycle_event,
ap.required_role, ap.requires_approval, ap.min_role,
ap.created_by, ap.created_at, ap.updated_at
FROM paliad.approval_policies ap
JOIN paliad.projects r ON r.id = $1::uuid
WHERE ap.project_id IS NOT NULL
AND ap.project_id <> $1::uuid
AND ap.project_id IN (
SELECT pa.id
FROM paliad.projects pa
WHERE r.path LIKE pa.path || '.%'
)
UNION ALL
SELECT 'partner_unit_default'::text AS source,
ap.id, ap.project_id, ap.partner_unit_id, ap.entity_type, ap.lifecycle_event,
ap.required_role, ap.requires_approval, ap.min_role,
ap.created_by, ap.created_at, ap.updated_at
FROM paliad.approval_policies ap
WHERE ap.partner_unit_id IS NOT NULL
AND ap.partner_unit_id IN (
SELECT ppu.partner_unit_id
FROM paliad.project_partner_units ppu
WHERE ppu.project_id IN ` + subtree + `
)
ORDER BY source, id`,
Args: []any{rootID},
},
{
SheetName: "checklist_instances",
SQL: `SELECT * FROM paliad.checklist_instances
WHERE project_id IN ` + subtree + `
ORDER BY id`,
Args: []any{rootID},
},
// --- attached partner-unit subset ---
// Only units attached to any subtree project (avoids dumping
// the full org chart into a per-matter handover).
{
SheetName: "partner_units",
SQL: `SELECT * FROM paliad.partner_units pu
WHERE pu.id IN (
SELECT ppu.partner_unit_id
FROM paliad.project_partner_units ppu
WHERE ppu.project_id IN ` + subtree + `
)
ORDER BY pu.id`,
Args: []any{rootID},
},
{
SheetName: "partner_unit_members",
SQL: `SELECT * FROM paliad.partner_unit_members pum
WHERE pum.partner_unit_id IN (
SELECT ppu.partner_unit_id
FROM paliad.project_partner_units ppu
WHERE ppu.project_id IN ` + subtree + `
)
ORDER BY partner_unit_id, user_id`,
Args: []any{rootID},
},
// --- restricted users sheet ---
// Limit user disclosure to those referenced by some FK in the
// export. Keeps a per-matter handover from leaking the full
// firm roster (47 users → typically 3-5 per matter).
{
SheetName: "users_referenced",
SQL: `SELECT id, email, display_name, office, profession
FROM paliad.users u
WHERE u.id IN (
SELECT created_by FROM paliad.projects WHERE id IN ` + subtree + `
UNION SELECT created_by FROM paliad.deadlines WHERE project_id IN ` + subtree + `
UNION SELECT created_by FROM paliad.appointments WHERE project_id IN ` + subtree + `
UNION SELECT created_by FROM paliad.project_events WHERE project_id IN ` + subtree + `
UNION SELECT user_id FROM paliad.project_teams WHERE project_id IN ` + subtree + `
UNION SELECT requested_by FROM paliad.approval_requests WHERE project_id IN ` + subtree + `
UNION SELECT decided_by FROM paliad.approval_requests WHERE project_id IN ` + subtree + ` AND decided_by IS NOT NULL
UNION SELECT created_by FROM paliad.notes WHERE COALESCE(project_id,
(SELECT d.project_id FROM paliad.deadlines d WHERE d.id = notes.deadline_id),
(SELECT a.project_id FROM paliad.appointments a WHERE a.id = notes.appointment_id),
(SELECT pe.project_id FROM paliad.project_events pe WHERE pe.id = notes.project_event_id)
) IN ` + subtree + `
UNION SELECT uploaded_by FROM paliad.documents WHERE project_id IN ` + subtree + ` AND uploaded_by IS NOT NULL
UNION SELECT user_id FROM paliad.partner_unit_members pum
WHERE pum.partner_unit_id IN (
SELECT ppu.partner_unit_id
FROM paliad.project_partner_units ppu
WHERE ppu.project_id IN ` + subtree + `
)
)
ORDER BY id`,
Args: []any{rootID},
},
// --- system_audit_log subset (the export's own audit trail) ---
// Includes prior export events scoped to this subtree's
// projects — lets a recipient see "who has previously
// exported this matter".
{
SheetName: "system_audit_log_subset",
SQL: `SELECT * FROM paliad.system_audit_log
WHERE scope_root IN ` + subtree + `
ORDER BY created_at, id`,
Args: []any{rootID},
},
// --- reference data (same set as personal scope) ---
{SheetName: "ref__proceeding_types", SQL: `SELECT * FROM paliad.proceeding_types ORDER BY id`},
{SheetName: "ref__event_types", SQL: `SELECT * FROM paliad.event_types ORDER BY id`},
{SheetName: "ref__event_categories", SQL: `SELECT * FROM paliad.event_categories ORDER BY id`},
{SheetName: "ref__deadline_rules", SQL: `SELECT * FROM paliad.deadline_rules ORDER BY id`},
{SheetName: "ref__deadline_concepts", SQL: `SELECT * FROM paliad.deadline_concepts ORDER BY id`},
{SheetName: "ref__courts", SQL: `SELECT * FROM paliad.courts ORDER BY id`},
{SheetName: "ref__countries", SQL: `SELECT * FROM paliad.countries ORDER BY code`},
{SheetName: "ref__holidays", SQL: `SELECT * FROM paliad.holidays ORDER BY date, country`},
}
return queries
}

53
internal/services/export_service_test.go
View File

@@ -269,51 +269,22 @@ func TestMetaToKeyValueRows_StableOrder(t *testing.T) {
func TestExportFilename_PerScope(t *testing.T) {
ts := time.Date(2026, 5, 19, 14, 23, 0, 0, time.UTC)
// Project-scope filenames carry an 8-hex disambiguator (last UUID
// block); personal + org omit it.
rootID := uuid.MustParse("61e3fb9e-29fb-44aa-867e-a89469e2cacb")
cases := []struct {
scope, label string
id uuid.UUID
want string
scope, label, want string
}{
{ExportScopePersonal, "", uuid.Nil, "paliad-export-personal-2026-05-19T1423Z.zip"},
{ExportScopeOrg, "", uuid.Nil, "paliad-export-org-2026-05-19T1423Z.zip"},
{ExportScopeProject, "Siemens AG", rootID, "paliad-export-project-Siemens-AG-a89469e2cacb-2026-05-19T1423Z.zip"},
{ExportScopeProject, "Hügel & Söhne", rootID, "paliad-export-project-H-gel-S-hne-a89469e2cacb-2026-05-19T1423Z.zip"},
// Nil UUID falls back to the slug-only variant — same as Slice 1's
// pre-disambiguator filename. Useful for unit tests of label-only
// behaviour.
{ExportScopeProject, "Siemens AG", uuid.Nil, "paliad-export-project-Siemens-AG-2026-05-19T1423Z.zip"},
{ExportScopePersonal, "", "paliad-export-personal-2026-05-19T1423Z.zip"},
{ExportScopeOrg, "", "paliad-export-org-2026-05-19T1423Z.zip"},
{ExportScopeProject, "Siemens AG", "paliad-export-project-Siemens-AG-2026-05-19T1423Z.zip"},
{ExportScopeProject, "Hügel & Söhne", "paliad-export-project-H-gel-S-hne-2026-05-19T1423Z.zip"},
}
for _, c := range cases {
got := ExportFilename(c.scope, c.label, c.id, ts)
got := ExportFilename(c.scope, c.label, ts)
if got != c.want {
t.Errorf("ExportFilename(%q, %q, %q) → %q, want %q", c.scope, c.label, c.id, got, c.want)
t.Errorf("ExportFilename(%q, %q) → %q, want %q", c.scope, c.label, got, c.want)
}
}
}
func TestExportFilename_ShortUUIDDisambiguator(t *testing.T) {
// Two projects with identical titles must produce different filenames
// when the UUID suffix is present — that's the whole point of Q5's
// disambiguator.
ts := time.Date(2026, 5, 19, 14, 23, 0, 0, time.UTC)
idA := uuid.MustParse("11111111-1111-1111-1111-aaaaaaaaaaaa")
idB := uuid.MustParse("22222222-2222-2222-2222-bbbbbbbbbbbb")
a := ExportFilename(ExportScopeProject, "Standard NDA", idA, ts)
b := ExportFilename(ExportScopeProject, "Standard NDA", idB, ts)
if a == b {
t.Fatalf("same-title same-ts filenames collide: %q", a)
}
if !strings.Contains(a, "aaaaaaaaaaaa") {
t.Errorf("filename missing UUID-A suffix: %q", a)
}
if !strings.Contains(b, "bbbbbbbbbbbb") {
t.Errorf("filename missing UUID-B suffix: %q", b)
}
}
func TestSlugifyFilename_StripsUnsafe(t *testing.T) {
cases := []struct{ in, want string }{
{"Siemens AG", "Siemens-AG"},
@@ -445,15 +416,9 @@ func assembleBundleForTest(t *testing.T, sheets []collectedSheet, meta ExportMet
var buf bytes.Buffer
zw := zip.NewWriter(&buf)
// Mirror writeBundle's mtime convention so the helper produces
// realistic bytes — and so the TestBundle_ZipEntryMTime regression
// test actually exercises the right code path.
mod := meta.GeneratedAt.UTC()
if mod.IsZero() {
mod = time.Now().UTC()
}
fixedMod := time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)
for _, e := range entries {
hdr := &zip.FileHeader{Name: e.name, Method: zip.Deflate, Modified: mod}
hdr := &zip.FileHeader{Name: e.name, Method: zip.Deflate, Modified: fixedMod}
fw, err := zw.CreateHeader(hdr)
if err != nil {
t.Fatalf("zip create %q: %v", e.name, err)

2
internal/services/filter_spec.go
View File

@@ -203,7 +203,7 @@ var KnownProjectEventKinds = []string{
// filters and request-side status filters respectively.
var (
validEntityApprovalStatuses = []string{"approved", "pending", "legacy"}
validRequestStatuses = []string{"pending", "approved", "rejected", "revoked", "changes_requested"}
validRequestStatuses = []string{"pending", "approved", "rejected", "revoked"}
validApprovalEntityTypes = []string{"deadline", "appointment"}
validApprovalViewerRoles = []string{"approver_eligible", "self_requested", "any_visible"}
validDeadlineStatuses = []string{"pending", "completed"}

315
internal/services/submission_render.go
View File

@@ -1,315 +0,0 @@
package services
// Submission template renderer — in-house engine for the submission
// generator (t-paliad-215, design doc
// docs/design-submission-generator-2026-05-19.md §6).
//
// Design choice — why not lukasjarosch/go-docx:
// The library's "nested placeholder" guard treats sibling placeholders
// inside the same <w:t> run (e.g. "{{a}} ./. {{b}}") as nested and
// refuses to replace either. Patent submissions routinely have multiple
// placeholders per paragraph (party blocks especially), so the library
// is a non-starter without a custom fork. The in-house renderer below
// is ~150 LoC and handles both the single-run common case and the
// cross-run case (where Word may split a placeholder across runs after
// editing).
//
// Placeholder grammar: {{[A-Za-z][A-Za-z0-9_.]*}} with optional
// whitespace inside braces ({{ project.case_number }} ≡
// {{project.case_number}}).
//
// Missing-value behaviour: when a placeholder has no binding in the
// PlaceholderMap, the renderer emits a marker token so the lawyer sees
// the gap in Word rather than failing the request. See §6.3 of the
// design doc.
import (
"archive/zip"
"bytes"
"fmt"
"io"
"regexp"
"strings"
)
// PlaceholderMap is the variable bag built by SubmissionVarsService.
// Keys are dotted paths without braces (e.g. "project.case_number").
// Values are the substituted text — already locale-aware, pretty-
// printed, and sanitised by the caller.
type PlaceholderMap map[string]string
// MissingPlaceholderFn translates an unbound placeholder key into the
// in-document marker token. The default in DefaultMissingMarker is
// "[KEIN WERT: <key>]" / "[NO VALUE: <key>]" depending on lang.
type MissingPlaceholderFn func(key string) string
// DefaultMissingMarker returns the standard missing-value marker for
// the given UI language.
func DefaultMissingMarker(lang string) MissingPlaceholderFn {
prefix := "KEIN WERT"
if strings.EqualFold(lang, "en") {
prefix = "NO VALUE"
}
return func(key string) string {
return "[" + prefix + ": " + key + "]"
}
}
// placeholderRegex matches a single placeholder. The capture group
// extracts the key name without braces or surrounding whitespace.
//
// Restricted to [A-Za-z][A-Za-z0-9_.]* so that stray "{{" sequences in
// legal prose (extremely rare in DE/EN court briefs but possible)
// don't get mistaken for placeholders. A genuine placeholder always
// starts with an ASCII letter.
var placeholderRegex = regexp.MustCompile(`\{\{\s*([A-Za-z][A-Za-z0-9_.]*)\s*\}\}`)
// SubmissionRenderer renders a .docx template into a .docx output by
// substituting {{placeholder}} tokens with values from a PlaceholderMap.
// Stateless; safe for concurrent use.
type SubmissionRenderer struct{}
// NewSubmissionRenderer constructs the renderer.
func NewSubmissionRenderer() *SubmissionRenderer {
return &SubmissionRenderer{}
}
// Render reads the .docx template at templateBytes, substitutes every
// placeholder from vars (or emits the missing-marker token), and writes
// the result to the returned byte slice. Unknown placeholders never
// fail the render — the lawyer sees the marker in Word and fixes it.
func (r *SubmissionRenderer) Render(templateBytes []byte, vars PlaceholderMap, missing MissingPlaceholderFn) ([]byte, error) {
if missing == nil {
missing = DefaultMissingMarker("de")
}
zr, err := zip.NewReader(bytes.NewReader(templateBytes), int64(len(templateBytes)))
if err != nil {
return nil, fmt.Errorf("submission template: open zip: %w", err)
}
var out bytes.Buffer
zw := zip.NewWriter(&out)
defer zw.Close()
for _, entry := range zr.File {
body, err := readZipEntry(entry)
if err != nil {
return nil, fmt.Errorf("submission template: read %s: %w", entry.Name, err)
}
if isWordXMLEntry(entry.Name) {
body = substituteInDocumentXML(body, vars, missing)
}
w, err := zw.CreateHeader(&zip.FileHeader{
Name: entry.Name,
Method: entry.Method,
Modified: entry.Modified,
})
if err != nil {
return nil, fmt.Errorf("submission template: write header %s: %w", entry.Name, err)
}
if _, err := w.Write(body); err != nil {
return nil, fmt.Errorf("submission template: write %s: %w", entry.Name, err)
}
}
if err := zw.Close(); err != nil {
return nil, fmt.Errorf("submission template: finalise zip: %w", err)
}
return out.Bytes(), nil
}
// isWordXMLEntry returns true for the .docx parts that contain
// substitutable text. We touch document.xml plus header*.xml and
// footer*.xml (templates may put firm letterhead in a header) but
// skip styles, theme, settings, comments, footnotes — none of which
// should carry merge placeholders in a well-formed template.
func isWordXMLEntry(name string) bool {
switch {
case name == "word/document.xml":
return true
case strings.HasPrefix(name, "word/header") && strings.HasSuffix(name, ".xml"):
return true
case strings.HasPrefix(name, "word/footer") && strings.HasSuffix(name, ".xml"):
return true
}
return false
}
// readZipEntry slurps a zip entry's bytes.
func readZipEntry(f *zip.File) ([]byte, error) {
rc, err := f.Open()
if err != nil {
return nil, err
}
defer rc.Close()
return io.ReadAll(rc)
}
// substituteInDocumentXML walks document XML and replaces every
// {{placeholder}} occurrence inside <w:t> text nodes. Handles both
// single-run placeholders (the common case for freshly authored
// templates) and cross-run placeholders (where Word's autocorrect or
// manual editing has split a placeholder across runs).
//
// Two-pass strategy:
//
// 1. Pass 1: replace placeholders that fit entirely within one
// <w:t>…</w:t>. This is the 99% case and preserves all run-level
// formatting (bold, italic, font runs).
// 2. Pass 2: for paragraphs that still contain orphan "{{" or "}}"
// markers after pass 1, merge the text of every <w:t> inside the
// paragraph, run the replacement on the merged text, and rewrite
// the paragraph's runs as a single <w:r><w:t>…</w:t></w:r> using
// the formatting properties of the first run. Loses intra-paragraph
// formatting on the affected paragraph — but only on paragraphs
// where Word genuinely fragmented a placeholder.
func substituteInDocumentXML(body []byte, vars PlaceholderMap, missing MissingPlaceholderFn) []byte {
replaced := substituteInTextNodes(body, vars, missing)
if !needsCrossRunMerge(replaced) {
return replaced
}
return substituteAcrossRuns(replaced, vars, missing)
}
// wTextNodeRegex matches one <w:t …>contents</w:t> element, capturing
// the contents. Attributes on <w:t> (xml:space="preserve") are preserved
// because the entire match is rewritten.
var wTextNodeRegex = regexp.MustCompile(`<w:t(\s[^>]*)?>([^<]*)</w:t>`)
// substituteInTextNodes runs the placeholder replacement inside each
// <w:t> text node independently. Format-preserving for single-run
// placeholders.
func substituteInTextNodes(body []byte, vars PlaceholderMap, missing MissingPlaceholderFn) []byte {
return wTextNodeRegex.ReplaceAllFunc(body, func(match []byte) []byte {
sub := wTextNodeRegex.FindSubmatch(match)
attrs := string(sub[1])
contents := xmlDecode(string(sub[2]))
replaced := replacePlaceholders(contents, vars, missing)
if replaced == contents {
return match
}
// xml:space="preserve" stays attached whenever the original
// content had leading/trailing whitespace; ensure it's still
// declared after replacement to avoid Word collapsing spaces.
if !strings.Contains(attrs, "xml:space") &&
(strings.HasPrefix(replaced, " ") || strings.HasSuffix(replaced, " ")) {
attrs += ` xml:space="preserve"`
}
return []byte(`<w:t` + attrs + `>` + xmlEncode(replaced) + `</w:t>`)
})
}
// needsCrossRunMerge returns true when the body still contains an
// unmatched "{{" or "}}" after pass 1 — a sign that Word fragmented
// the placeholder across runs and pass 1 couldn't touch it.
func needsCrossRunMerge(body []byte) bool {
// Cheap heuristic: count "{{" vs "}}" inside <w:t> nodes. If we have
// either marker present in the text-node space, pass 2 will handle
// it. (Inside attributes or other XML, the markers don't matter.)
for _, m := range wTextNodeRegex.FindAllSubmatch(body, -1) {
t := string(m[2])
if strings.Contains(t, "{{") || strings.Contains(t, "}}") {
return true
}
}
return false
}
// wParagraphRegex matches one <w:p>…</w:p> paragraph block. Greedy
// inner-content match is safe here because <w:p> elements do not nest
// in WordprocessingML — a paragraph is the leaf container for text.
var wParagraphRegex = regexp.MustCompile(`(?s)<w:p\b[^>]*>.*?</w:p>`)
// wRunPropsRegex pulls the first <w:rPr>…</w:rPr> block from a
// paragraph so we can reuse it as the formatting of the merged run.
var wRunPropsRegex = regexp.MustCompile(`(?s)<w:rPr>.*?</w:rPr>`)
// wParagraphPropsRegex pulls the optional <w:pPr>…</w:pPr> that sits
// at the top of a paragraph (alignment, spacing, etc.). Preserved.
var wParagraphPropsRegex = regexp.MustCompile(`(?s)<w:pPr>.*?</w:pPr>`)
// substituteAcrossRuns is pass 2: for any paragraph that still has a
// split placeholder, concatenate every text node, run replacement, and
// rewrite the paragraph as a single run using the first run's
// properties. Paragraphs without orphan markers are left untouched so
// run-level formatting survives wherever pass 1 already resolved the
// placeholders.
func substituteAcrossRuns(body []byte, vars PlaceholderMap, missing MissingPlaceholderFn) []byte {
return wParagraphRegex.ReplaceAllFunc(body, func(para []byte) []byte {
textNodes := wTextNodeRegex.FindAllSubmatch(para, -1)
if len(textNodes) == 0 {
return para
}
var merged strings.Builder
for _, m := range textNodes {
merged.WriteString(xmlDecode(string(m[2])))
}
original := merged.String()
if !strings.Contains(original, "{{") {
// No fragmented placeholder in this paragraph; leave it
// alone so pass 1's run-level edits survive.
return para
}
replaced := replacePlaceholders(original, vars, missing)
if replaced == original {
return para
}
// Preserve paragraph properties (alignment, spacing) and the
// first run's properties (font, bold/italic).
pPr := wParagraphPropsRegex.Find(para)
rPr := wRunPropsRegex.Find(para)
var rebuilt bytes.Buffer
rebuilt.WriteString(`<w:p>`)
if pPr != nil {
rebuilt.Write(pPr)
}
rebuilt.WriteString(`<w:r>`)
if rPr != nil {
rebuilt.Write(rPr)
}
rebuilt.WriteString(`<w:t xml:space="preserve">`)
rebuilt.WriteString(xmlEncode(replaced))
rebuilt.WriteString(`</w:t></w:r></w:p>`)
return rebuilt.Bytes()
})
}
// replacePlaceholders performs the actual substitution on a plain
// string. Unbound placeholders render the missing marker.
func replacePlaceholders(s string, vars PlaceholderMap, missing MissingPlaceholderFn) string {
return placeholderRegex.ReplaceAllStringFunc(s, func(match string) string {
sub := placeholderRegex.FindStringSubmatch(match)
if len(sub) < 2 {
return match
}
key := sub[1]
if value, ok := vars[key]; ok {
return value
}
return missing(key)
})
}
// xmlDecode reverses the small set of escapes used in WordprocessingML
// text content. We don't need a full XML parser — text nodes carry only
// the standard five entities, and Word never emits numeric-character
// references inside <w:t> for printable content.
func xmlDecode(s string) string {
s = strings.ReplaceAll(s, "&lt;", "<")
s = strings.ReplaceAll(s, "&gt;", ">")
s = strings.ReplaceAll(s, "&quot;", `"`)
s = strings.ReplaceAll(s, "&apos;", "'")
s = strings.ReplaceAll(s, "&amp;", "&")
return s
}
// xmlEncode escapes a substituted value for safe insertion back into a
// WordprocessingML text node. & must be replaced first to avoid double
// encoding the entity prefixes we introduce on the other characters.
func xmlEncode(s string) string {
s = strings.ReplaceAll(s, "&", "&amp;")
s = strings.ReplaceAll(s, "<", "&lt;")
s = strings.ReplaceAll(s, ">", "&gt;")
s = strings.ReplaceAll(s, `"`, "&quot;")
s = strings.ReplaceAll(s, "'", "&apos;")
return s
}

389
internal/services/submission_render_test.go
View File

@@ -1,389 +0,0 @@
package services
import (
"archive/zip"
"bytes"
"io"
"strings"
"testing"
)
// minimalDOCX builds a tiny .docx zip with one document.xml that
// contains the given body. Just enough to exercise the renderer
// without depending on Word's full OOXML scaffolding.
func minimalDOCX(t *testing.T, documentBody string) []byte {
t.Helper()
var buf bytes.Buffer
zw := zip.NewWriter(&buf)
w, err := zw.Create("word/document.xml")
if err != nil {
t.Fatalf("create document.xml: %v", err)
}
if _, err := io.WriteString(w, documentBody); err != nil {
t.Fatalf("write document.xml: %v", err)
}
// Drop in a stub Content-Types so the bytes look more like a real
// .docx for any downstream sanity checks; Word doesn't care about
// the content during our unit tests but the shape stays honest.
w2, err := zw.Create("[Content_Types].xml")
if err != nil {
t.Fatalf("create content types: %v", err)
}
if _, err := io.WriteString(w2, `<?xml version="1.0"?><Types/>`); err != nil {
t.Fatalf("write content types: %v", err)
}
if err := zw.Close(); err != nil {
t.Fatalf("close zip: %v", err)
}
return buf.Bytes()
}
// readDocumentXML pulls word/document.xml out of a rendered .docx.
func readDocumentXML(t *testing.T, b []byte) string {
t.Helper()
zr, err := zip.NewReader(bytes.NewReader(b), int64(len(b)))
if err != nil {
t.Fatalf("open rendered zip: %v", err)
}
for _, f := range zr.File {
if f.Name != "word/document.xml" {
continue
}
rc, err := f.Open()
if err != nil {
t.Fatalf("open document.xml: %v", err)
}
defer rc.Close()
body, err := io.ReadAll(rc)
if err != nil {
t.Fatalf("read document.xml: %v", err)
}
return string(body)
}
t.Fatal("rendered .docx had no word/document.xml")
return ""
}
// TestRender_SingleRunPlaceholder covers the 99% case: a placeholder
// that sits inside a single <w:t> text node.
func TestRender_SingleRunPlaceholder(t *testing.T) {
doc := `<w:document><w:body><w:p><w:r><w:t>{{firm.name}}</w:t></w:r></w:p></w:body></w:document>`
tmpl := minimalDOCX(t, doc)
r := NewSubmissionRenderer()
out, err := r.Render(tmpl, PlaceholderMap{"firm.name": "HLC"}, nil)
if err != nil {
t.Fatalf("render: %v", err)
}
body := readDocumentXML(t, out)
if !strings.Contains(body, ">HLC<") {
t.Errorf("expected HLC in body, got %q", body)
}
if strings.Contains(body, "{{") {
t.Errorf("unreplaced placeholder marker in body: %q", body)
}
}
// TestRender_MultiplePlaceholdersPerRun is the case go-docx fails on
// — sibling placeholders inside the same <w:t> run. The in-house
// renderer must handle them.
func TestRender_MultiplePlaceholdersPerRun(t *testing.T) {
doc := `<w:document><w:body><w:p><w:r><w:t>{{parties.claimant.name}}, vertreten durch {{parties.claimant.representative}}</w:t></w:r></w:p></w:body></w:document>`
tmpl := minimalDOCX(t, doc)
r := NewSubmissionRenderer()
out, err := r.Render(tmpl, PlaceholderMap{
"parties.claimant.name": "Acme Inc.",
"parties.claimant.representative": "Kanzlei Müller",
}, nil)
if err != nil {
t.Fatalf("render: %v", err)
}
body := readDocumentXML(t, out)
if !strings.Contains(body, "Acme Inc.") || !strings.Contains(body, "Kanzlei Müller") {
t.Errorf("expected both party values, got %q", body)
}
if strings.Contains(body, "{{") {
t.Errorf("unreplaced placeholder marker in body: %q", body)
}
}
// TestRender_MissingMarker confirms unbound placeholders render the
// missing-value marker instead of failing the request.
func TestRender_MissingMarker(t *testing.T) {
doc := `<w:document><w:body><w:p><w:r><w:t>{{project.case_number}}</w:t></w:r></w:p></w:body></w:document>`
tmpl := minimalDOCX(t, doc)
r := NewSubmissionRenderer()
out, err := r.Render(tmpl, PlaceholderMap{}, DefaultMissingMarker("de"))
if err != nil {
t.Fatalf("render: %v", err)
}
body := readDocumentXML(t, out)
if !strings.Contains(body, "[KEIN WERT: project.case_number]") {
t.Errorf("expected KEIN WERT marker, got %q", body)
}
outEN, err := r.Render(tmpl, PlaceholderMap{}, DefaultMissingMarker("en"))
if err != nil {
t.Fatalf("render en: %v", err)
}
bodyEN := readDocumentXML(t, outEN)
if !strings.Contains(bodyEN, "[NO VALUE: project.case_number]") {
t.Errorf("expected NO VALUE marker, got %q", bodyEN)
}
}
// TestRender_CrossRunPlaceholder simulates Word fragmenting a
// placeholder across runs (autocorrect or post-edit run-split).
// Pass 2 must catch it.
func TestRender_CrossRunPlaceholder(t *testing.T) {
doc := `<w:document><w:body><w:p><w:r><w:t>Hello {{</w:t></w:r><w:r><w:t>project</w:t></w:r><w:r><w:t>.case_number}}!</w:t></w:r></w:p></w:body></w:document>`
tmpl := minimalDOCX(t, doc)
r := NewSubmissionRenderer()
out, err := r.Render(tmpl, PlaceholderMap{"project.case_number": "7 O 1234/26"}, nil)
if err != nil {
t.Fatalf("render: %v", err)
}
body := readDocumentXML(t, out)
if !strings.Contains(body, "7 O 1234/26") {
t.Errorf("expected case number after cross-run merge, got %q", body)
}
if strings.Contains(body, "{{") {
t.Errorf("orphan placeholder marker remained: %q", body)
}
}
// TestRender_XMLEscaping verifies special characters in placeholder
// values are escaped so they don't corrupt the document XML.
func TestRender_XMLEscaping(t *testing.T) {
doc := `<w:document><w:body><w:p><w:r><w:t>{{user.display_name}}</w:t></w:r></w:p></w:body></w:document>`
tmpl := minimalDOCX(t, doc)
r := NewSubmissionRenderer()
out, err := r.Render(tmpl, PlaceholderMap{
"user.display_name": `Müller & Söhne <GmbH> "Special"`,
}, nil)
if err != nil {
t.Fatalf("render: %v", err)
}
body := readDocumentXML(t, out)
if !strings.Contains(body, "Müller &amp; Söhne &lt;GmbH&gt; &quot;Special&quot;") {
t.Errorf("expected escaped value, got %q", body)
}
}
// TestRender_PreservesNonWordEntries leaves the rest of the .docx
// untouched so any styles / theme / settings parts come through bit-
// for-bit.
func TestRender_PreservesNonWordEntries(t *testing.T) {
doc := `<w:document><w:body><w:p><w:r><w:t>{{firm.name}}</w:t></w:r></w:p></w:body></w:document>`
tmpl := minimalDOCX(t, doc)
r := NewSubmissionRenderer()
out, err := r.Render(tmpl, PlaceholderMap{"firm.name": "HLC"}, nil)
if err != nil {
t.Fatalf("render: %v", err)
}
zr, err := zip.NewReader(bytes.NewReader(out), int64(len(out)))
if err != nil {
t.Fatalf("open rendered: %v", err)
}
var sawTypes bool
for _, f := range zr.File {
if f.Name == "[Content_Types].xml" {
sawTypes = true
}
}
if !sawTypes {
t.Error("rendered .docx lost [Content_Types].xml")
}
}
// TestPlaceholderRegex_Boundaries pins the placeholder grammar.
func TestPlaceholderRegex_Boundaries(t *testing.T) {
tests := []struct {
in string
matches []string
}{
{"plain text", nil},
{"{{foo}}", []string{"{{foo}}"}},
{"{{ foo }}", []string{"{{ foo }}"}},
{"{{foo.bar}}", []string{"{{foo.bar}}"}},
{"{{ foo.bar_baz }}", []string{"{{ foo.bar_baz }}"}},
{"{{1bad}}", nil}, // must start with a letter
{"{{ foo }} and {{ bar }}", []string{"{{ foo }}", "{{ bar }}"}},
}
for _, tc := range tests {
t.Run(tc.in, func(t *testing.T) {
got := placeholderRegex.FindAllString(tc.in, -1)
if len(got) != len(tc.matches) {
t.Fatalf("got %d matches, want %d (in=%q)", len(got), len(tc.matches), tc.in)
}
for i := range got {
if got[i] != tc.matches[i] {
t.Errorf("match %d: got %q, want %q", i, got[i], tc.matches[i])
}
}
})
}
}
// TestFamilyOf covers the proceeding-family extraction used by the
// template registry's fallback chain.
func TestFamilyOf(t *testing.T) {
tests := map[string]string{
"de.inf.lg.erwidg": "de.inf.lg",
"upc.inf.cfi.soc": "upc.inf.cfi",
"dpma.opp.dpma": "", // only three segments → no family
"de.inf.lg": "",
"": "",
}
for in, want := range tests {
t.Run(in, func(t *testing.T) {
got := familyOf(in)
if got != want {
t.Errorf("familyOf(%q) = %q, want %q", in, got, want)
}
})
}
}
// TestLegalSourcePretty covers the prefix table.
func TestLegalSourcePretty(t *testing.T) {
tests := []struct {
src, lang, want string
}{
{"DE.ZPO.276.1", "de", "§ 276 Abs. 1 ZPO"},
{"DE.ZPO.276.1", "en", "Section 276(1) ZPO"},
{"DE.ZPO.253", "de", "§ 253 ZPO"},
{"DE.ZPO.253", "en", "Section 253 ZPO"},
{"UPC.RoP.23.1", "de", "Regel 23.1 VerfO UPC"},
{"UPC.RoP.23.1", "en", "Rule 23.1 RoP UPC"},
{"UPC.RoP.198", "de", "Regel 198 VerfO UPC"},
{"DE.PatG.83", "de", "§ 83 PatG"},
{"EPC.123", "de", "Art. 123 EPÜ"},
{"EPC.123", "en", "Art. 123 EPC"},
// Unknown prefix → pass-through unchanged.
{"FOO.BAR.123", "de", "FOO.BAR.123"},
{"", "de", ""},
}
for _, tc := range tests {
t.Run(tc.src+"/"+tc.lang, func(t *testing.T) {
got := legalSourcePretty(tc.src, tc.lang)
if got != tc.want {
t.Errorf("legalSourcePretty(%q, %q) = %q, want %q", tc.src, tc.lang, got, tc.want)
}
})
}
}
// TestOurSideTranslations pins the our_side enum → DE/EN prose
// mapping used by addProjectVars.
func TestOurSideTranslations(t *testing.T) {
cases := []struct {
in, wantDE, wantEN string
}{
{"claimant", "Klägerin", "Claimant"},
{"defendant", "Beklagte", "Defendant"},
{"court", "Gericht", "Court"},
{"both", "Klägerin und Beklagte", "Claimant and Defendant"},
{"", "", ""},
{"unknown", "", ""},
}
for _, tc := range cases {
t.Run(tc.in, func(t *testing.T) {
if got := ourSideDE(tc.in); got != tc.wantDE {
t.Errorf("ourSideDE(%q) = %q, want %q", tc.in, got, tc.wantDE)
}
if got := ourSideEN(tc.in); got != tc.wantEN {
t.Errorf("ourSideEN(%q) = %q, want %q", tc.in, got, tc.wantEN)
}
})
}
}
// TestTemplateRegistry_Candidates verifies the fallback-chain order
// matches the m-locked Q4 decision (firm → base/code → base/family →
// skeleton).
func TestTemplateRegistry_Candidates(t *testing.T) {
r := NewTemplateRegistry("", "HLC")
got := r.candidates("de.inf.lg.erwidg")
want := []string{
"templates/HLC/de.inf.lg.erwidg.docx",
"templates/_base/de.inf.lg.erwidg.docx",
"templates/_base/de.inf.lg.docx",
"templates/_base/_skeleton.docx",
}
if len(got) != len(want) {
t.Fatalf("candidates = %v, want %v", got, want)
}
for i := range got {
if got[i] != want[i] {
t.Errorf("candidate[%d] = %q, want %q", i, got[i], want[i])
}
}
}
// TestTemplateRegistry_Candidates_NoFamily covers submission codes
// without a family suffix (only three dot-segments).
func TestTemplateRegistry_Candidates_NoFamily(t *testing.T) {
r := NewTemplateRegistry("", "HLC")
got := r.candidates("dpma.opp.dpma")
want := []string{
"templates/HLC/dpma.opp.dpma.docx",
"templates/_base/dpma.opp.dpma.docx",
"templates/_base/_skeleton.docx",
}
if len(got) != len(want) {
t.Fatalf("candidates = %v, want %v", got, want)
}
for i := range got {
if got[i] != want[i] {
t.Errorf("candidate[%d] = %q, want %q", i, got[i], want[i])
}
}
}
// TestTemplateRegistry_Tiers labels each candidate slot. Must stay
// 1:1 with candidates().
func TestTemplateRegistry_Tiers(t *testing.T) {
r := NewTemplateRegistry("", "HLC")
codes := []string{"de.inf.lg.erwidg", "dpma.opp.dpma"}
for _, code := range codes {
c := r.candidates(code)
ts := r.tiers(code)
if len(c) != len(ts) {
t.Fatalf("candidate/tier mismatch for %q: %d vs %d", code, len(c), len(ts))
}
}
}
// TestPatentNumberUPC covers the kind-code parenthesisation that UPC
// briefs use (t-paliad-215 Slice 2, design §22 Q-S2-4).
func TestPatentNumberUPC(t *testing.T) {
tests := []struct {
in, want string
}{
// EP variants — the common case.
{"EP 1 234 567 B1", "EP 1 234 567 (B1)"},
{"EP 4 056 049 A1", "EP 4 056 049 (A1)"},
// DE national number with kind code.
{"DE 10 2020 123 456 A1", "DE 10 2020 123 456 (A1)"},
// No kind code → pass-through unchanged.
{"EP 1 234 567", "EP 1 234 567"},
// Leading + trailing whitespace trimmed.
{" EP 1 234 567 B1 ", "EP 1 234 567 (B1)"},
// Empty input.
{"", ""},
// Slash-separated forms (WO publication numbers) don't match
// the kind-code shape → pass through.
{"WO/2023/123456", "WO/2023/123456"},
// Two-digit kind code (e.g. B12) doesn't match the single-digit
// pattern; pass through. This is intentional — real EP kind
// codes are single-letter + single-digit.
{"EP 1 234 567 B12", "EP 1 234 567 B12"},
}
for _, tc := range tests {
t.Run(tc.in, func(t *testing.T) {
got := patentNumberUPC(tc.in)
if got != tc.want {
t.Errorf("patentNumberUPC(%q) = %q, want %q", tc.in, got, tc.want)
}
})
}
}

442
internal/services/submission_templates.go
View File

@@ -1,442 +0,0 @@
package services
// Submission template registry — Gitea-backed .docx template loader for
// the submission generator (t-paliad-215, design doc
// docs/design-submission-generator-2026-05-19.md §5).
//
// Layout in mWorkRepo:
//
// templates/{FIRM_NAME}/{submission_code}.docx firm-specific override
// templates/_base/{submission_code}.docx cross-firm baseline
// templates/_base/{family}.docx proceeding-family fallback
// templates/_base/_skeleton.docx ultra-generic fallback
//
// Lookup is first-match-wins down the chain; this is the m-locked Q4
// decision. Templates fetched via Gitea's raw URL endpoint, cached
// in-process with a 5-minute SHA refresh check — identical pattern to
// the HL Patents Style proxy in internal/handlers/files.go (which the
// design doc §1 verified is in production and works).
//
// Slice 1 ships one template at templates/_base/de.inf.lg.erwidg.docx
// (committed to HL/mWorkRepo at SHA 7f97b7f9, the bootstrap demo
// authored by the engine for end-to-end testing — HLC ships the
// polished version per §14 follow-up).
import (
"context"
"encoding/json"
"errors"
"fmt"
"io"
"log"
"net/http"
"net/url"
"strings"
"sync"
"time"
)
const (
templatesGiteaBaseURL = "https://mgit.msbls.de"
templatesGiteaRepoOwn = "HL"
templatesGiteaRepoName = "mWorkRepo"
templatesGiteaBranch = "main"
templatesCheckInterval = 5 * time.Minute
templatesSkeleton = "_skeleton"
)
// ErrNoTemplate is returned when no template resolves anywhere in the
// fallback chain (firm/code → base/code → base/family → skeleton).
// Caller maps to 503 + a clear UI hint.
var ErrNoTemplate = errors.New("submission template: no template resolved in fallback chain")
// ErrTemplateUpstream wraps Gitea-side failures (network, 5xx).
// Distinct from ErrNoTemplate so the handler can render different UI:
// "no template configured" vs "template repo unreachable".
var ErrTemplateUpstream = errors.New("submission template: upstream Gitea unreachable")
// ResolvedTemplate is the result of a fallback-chain lookup: the
// template bytes plus the metadata the audit row + UI need.
type ResolvedTemplate struct {
// Path is the Gitea-relative path that resolved (e.g.
// "templates/HLC/de.inf.lg.erwidg.docx"). Persisted in the
// system_audit_log row so an admin can trace which template was
// used for a given generation.
Path string
// SHA is the commit SHA the template was fetched at. Pinning this
// lets audit consumers reproduce the exact bytes that went into
// the lawyer's download.
SHA string
// FirmTier reports which level of the fallback chain fired:
// "firm", "base_code", "base_family", or "skeleton". Useful for
// the variable-contract sidebar (Slice 3) and for ops monitoring
// of how often each firm is actually overriding.
FirmTier string
// Bytes is the .docx content; only populated for callers that
// need to render (i.e. SubmissionRenderer.Render). Resolve()
// returns it populated; Probe() leaves it nil.
Bytes []byte
}
// templateCacheEntry mirrors the per-file cache shape used by
// internal/handlers/files.go. Each cached entry tracks its bytes, the
// commit SHA, the last upstream check, and a checking flag so two
// concurrent refresh goroutines don't double-fetch.
type templateCacheEntry struct {
mu sync.RWMutex
data []byte
sha string
lastChecked time.Time
checking bool
missing bool // true when Gitea returned 404 — short-circuits subsequent lookups
}
// TemplateRegistry resolves submission templates from Gitea using the
// fallback chain. Process-wide cache; single-replica deployment (per
// docs/design-submission-generator-2026-05-19.md §1) makes in-process
// caching sufficient — a future multi-replica rollout would swap this
// for a shared cache. Same trade-off the HL Patents Style proxy makes.
type TemplateRegistry struct {
cache map[string]*templateCacheEntry
cacheMu sync.Mutex
giteaToken string
httpClient *http.Client
firmName string
}
// NewTemplateRegistry constructs the registry. firmName is read once
// at process start from internal/branding.Name so a runtime FIRM_NAME
// rebrand cuts in on the next deploy, not mid-request.
func NewTemplateRegistry(giteaToken, firmName string) *TemplateRegistry {
return &TemplateRegistry{
cache: make(map[string]*templateCacheEntry),
giteaToken: giteaToken,
firmName: firmName,
httpClient: &http.Client{Timeout: 30 * time.Second},
}
}
// HasTemplate reports whether any template resolves for the given
// submission code, without fetching the bytes. Used by the
// SubmissionsPanel to decide which "Generate" buttons to enable.
//
// Cheap path: walks the same fallback chain as Resolve, but stops at
// the SHA-probe step (Gitea's contents endpoint, single round-trip per
// candidate). The probe results land in the same cache as Resolve so a
// subsequent Resolve call reuses the SHA.
func (r *TemplateRegistry) HasTemplate(ctx context.Context, submissionCode string) bool {
for _, candidate := range r.candidates(submissionCode) {
if r.probe(ctx, candidate) {
return true
}
}
return false
}
// Resolve walks the fallback chain and returns the first template that
// fetches successfully, with bytes loaded. Returns ErrNoTemplate when
// no candidate (including the ultra-generic skeleton) resolves.
func (r *TemplateRegistry) Resolve(ctx context.Context, submissionCode string) (*ResolvedTemplate, error) {
candidates := r.candidates(submissionCode)
tiers := r.tiers(submissionCode)
if len(candidates) != len(tiers) {
return nil, fmt.Errorf("template registry: candidate/tier mismatch (%d vs %d)", len(candidates), len(tiers))
}
for i, candidate := range candidates {
entry := r.cacheGet(candidate)
entry.mu.RLock()
hasData := !entry.missing && len(entry.data) > 0
needsCheck := time.Since(entry.lastChecked) >= templatesCheckInterval
isMissing := entry.missing
entry.mu.RUnlock()
if isMissing && !needsCheck {
continue
}
if !hasData {
if err := r.fetchInto(ctx, candidate, entry); err != nil {
if errors.Is(err, errTemplate404) {
continue
}
return nil, fmt.Errorf("%w: %v", ErrTemplateUpstream, err)
}
} else if needsCheck {
go r.refresh(context.Background(), candidate, entry)
}
entry.mu.RLock()
out := &ResolvedTemplate{
Path: candidate,
SHA: entry.sha,
FirmTier: tiers[i],
Bytes: append([]byte(nil), entry.data...),
}
entry.mu.RUnlock()
return out, nil
}
return nil, ErrNoTemplate
}
// candidates returns the ordered Gitea-relative paths the registry
// walks for the given submission code. The order is the m-locked Q4
// decision: firm → base/code → base/family → skeleton.
func (r *TemplateRegistry) candidates(submissionCode string) []string {
family := familyOf(submissionCode)
out := []string{
fmt.Sprintf("templates/%s/%s.docx", r.firmName, submissionCode),
fmt.Sprintf("templates/_base/%s.docx", submissionCode),
}
if family != "" && family != submissionCode {
out = append(out, fmt.Sprintf("templates/_base/%s.docx", family))
}
out = append(out, fmt.Sprintf("templates/_base/%s.docx", templatesSkeleton))
return out
}
// tiers labels each candidate with its fallback tier. Order is locked
// to candidates(); both functions evolve together.
func (r *TemplateRegistry) tiers(submissionCode string) []string {
family := familyOf(submissionCode)
out := []string{"firm", "base_code"}
if family != "" && family != submissionCode {
out = append(out, "base_family")
}
out = append(out, "skeleton")
return out
}
// familyOf extracts the proceeding-family prefix from a submission
// code. The convention (docs/design-proceeding-code-taxonomy-2026-05-18.md)
// is jurisdiction.substantive.forum.submission, so the family is the
// first three dot-segments.
//
// de.inf.lg.erwidg → de.inf.lg
// upc.inf.cfi.soc → upc.inf.cfi
// dpma.opp.dpma → "" (only three segments — no submission suffix)
//
// Returns "" when the code doesn't carry a submission segment (no
// family-level fallback is meaningful).
func familyOf(submissionCode string) string {
parts := strings.Split(submissionCode, ".")
if len(parts) < 4 {
return ""
}
return strings.Join(parts[:3], ".")
}
// cacheGet returns the cache entry for a Gitea path, creating an empty
// entry on first lookup.
func (r *TemplateRegistry) cacheGet(path string) *templateCacheEntry {
r.cacheMu.Lock()
defer r.cacheMu.Unlock()
entry, ok := r.cache[path]
if !ok {
entry = &templateCacheEntry{}
r.cache[path] = entry
}
return entry
}
// errTemplate404 is an internal sentinel: candidate doesn't exist in
// Gitea, walk the chain. Distinguished from network/5xx errors so the
// registry doesn't wrap every fallback miss as ErrTemplateUpstream.
var errTemplate404 = errors.New("template not found in gitea")
// fetchInto downloads a candidate and populates the cache entry. On
// 404 it marks the entry missing so subsequent lookups short-circuit
// without hitting the network.
func (r *TemplateRegistry) fetchInto(ctx context.Context, path string, entry *templateCacheEntry) error {
sha, err := r.giteaSHA(ctx, path)
if err != nil {
if errors.Is(err, errTemplate404) {
entry.mu.Lock()
entry.missing = true
entry.lastChecked = time.Now()
entry.mu.Unlock()
}
return err
}
data, err := r.giteaDownload(ctx, path)
if err != nil {
return err
}
entry.mu.Lock()
entry.data = data
entry.sha = sha
entry.lastChecked = time.Now()
entry.missing = false
entry.mu.Unlock()
return nil
}
// refresh runs in the background after a stale-but-present cache hit.
// SHA-checks the candidate; re-downloads on change. Mirrors the same
// goroutine pattern as internal/handlers/files.go.
func (r *TemplateRegistry) refresh(ctx context.Context, path string, entry *templateCacheEntry) {
entry.mu.Lock()
if entry.checking {
entry.mu.Unlock()
return
}
entry.checking = true
entry.mu.Unlock()
defer func() {
entry.mu.Lock()
entry.checking = false
entry.mu.Unlock()
}()
latestSHA, err := r.giteaSHA(ctx, path)
if err != nil {
log.Printf("submission template: SHA check for %s failed: %v", path, err)
entry.mu.Lock()
entry.lastChecked = time.Now()
entry.mu.Unlock()
return
}
entry.mu.RLock()
unchanged := latestSHA == entry.sha && entry.sha != ""
entry.mu.RUnlock()
if unchanged {
entry.mu.Lock()
entry.lastChecked = time.Now()
entry.mu.Unlock()
return
}
data, err := r.giteaDownload(ctx, path)
if err != nil {
log.Printf("submission template: download %s failed: %v", path, err)
entry.mu.Lock()
entry.lastChecked = time.Now()
entry.mu.Unlock()
return
}
entry.mu.Lock()
entry.data = data
entry.sha = latestSHA
entry.lastChecked = time.Now()
entry.mu.Unlock()
log.Printf("submission template: updated %s (SHA: %.8s)", path, latestSHA)
}
// probe is the cheap existence-check used by HasTemplate. Reuses the
// cache but only fetches the SHA (not the bytes), so the
// SubmissionsPanel's per-row HasTemplate calls don't pull a megabyte
// of .docx data the user might never download.
func (r *TemplateRegistry) probe(ctx context.Context, path string) bool {
entry := r.cacheGet(path)
entry.mu.RLock()
hasData := !entry.missing && len(entry.data) > 0
hasSHA := !entry.missing && entry.sha != ""
isMissing := entry.missing
needsCheck := time.Since(entry.lastChecked) >= templatesCheckInterval
entry.mu.RUnlock()
if isMissing && !needsCheck {
return false
}
if hasData || hasSHA {
return true
}
sha, err := r.giteaSHA(ctx, path)
if err != nil {
if errors.Is(err, errTemplate404) {
entry.mu.Lock()
entry.missing = true
entry.lastChecked = time.Now()
entry.mu.Unlock()
}
return false
}
entry.mu.Lock()
entry.sha = sha
entry.lastChecked = time.Now()
entry.missing = false
entry.mu.Unlock()
return true
}
// giteaSHA returns the SHA of the latest commit that touched the
// template path. Returns errTemplate404 when Gitea responds with 404 —
// the registry distinguishes "no such template" from "Gitea is down".
func (r *TemplateRegistry) giteaSHA(ctx context.Context, path string) (string, error) {
apiURL := fmt.Sprintf("%s/api/v1/repos/%s/%s/commits?path=%s&limit=1&sha=%s",
templatesGiteaBaseURL,
templatesGiteaRepoOwn,
templatesGiteaRepoName,
url.QueryEscape(path),
templatesGiteaBranch,
)
req, err := http.NewRequestWithContext(ctx, "GET", apiURL, nil)
if err != nil {
return "", err
}
if r.giteaToken != "" {
req.Header.Set("Authorization", "token "+r.giteaToken)
}
resp, err := r.httpClient.Do(req)
if err != nil {
return "", err
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusNotFound {
return "", errTemplate404
}
if resp.StatusCode != http.StatusOK {
return "", fmt.Errorf("gitea sha lookup returned %d", resp.StatusCode)
}
var commits []struct {
SHA string `json:"sha"`
}
if err := json.NewDecoder(resp.Body).Decode(&commits); err != nil {
return "", err
}
if len(commits) == 0 {
return "", errTemplate404
}
return commits[0].SHA, nil
}
// giteaDownload fetches the raw template bytes.
func (r *TemplateRegistry) giteaDownload(ctx context.Context, path string) ([]byte, error) {
rawURL := fmt.Sprintf("%s/%s/%s/raw/branch/%s/%s",
templatesGiteaBaseURL,
templatesGiteaRepoOwn,
templatesGiteaRepoName,
templatesGiteaBranch,
path,
)
req, err := http.NewRequestWithContext(ctx, "GET", rawURL, nil)
if err != nil {
return nil, err
}
if r.giteaToken != "" {
req.Header.Set("Authorization", "token "+r.giteaToken)
}
resp, err := r.httpClient.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusNotFound {
return nil, errTemplate404
}
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("gitea raw returned %d", resp.StatusCode)
}
return io.ReadAll(resp.Body)
}
// ClearCache drops every cached entry. Exposed for an admin-side
// "refresh templates" affordance — paliad's existing /api/files/refresh
// has the same shape for the HL Patents Style proxy.
func (r *TemplateRegistry) ClearCache() {
r.cacheMu.Lock()
defer r.cacheMu.Unlock()
for k := range r.cache {
r.cache[k] = &templateCacheEntry{}
}
}

535
internal/services/submission_vars.go
View File

@@ -1,535 +0,0 @@
package services
// Submission variable bag — builds the PlaceholderMap that
// SubmissionRenderer fills into a template (t-paliad-215, design doc
// docs/design-submission-generator-2026-05-19.md §6.2).
//
// Variables span six namespaces:
//
// firm.* process-wide (branding.Name)
// user.* caller's user row
// today.* server time in Europe/Berlin, locale-aware
// project.* paliad.projects + joined proceeding type
// parties.* paliad.parties grouped by role
// rule.* paliad.deadline_rules row keyed by submission_code
// deadline.* next open paliad.deadlines row for (project, rule), if any
//
// Locale handling: every long-form date string is computed in both DE
// and EN; the renderer picks based on the user's lang preference. The
// rule pretty-printer (legalSourcePretty) also has DE/EN variants.
//
// Visibility: caller passes userID; ProjectService.GetByID enforces
// paliad.can_see_project — unauthorised callers get the standard
// ErrNotFound before any variable construction runs.
import (
"context"
"database/sql"
"errors"
"fmt"
"regexp"
"strings"
"time"
"github.com/google/uuid"
"github.com/jmoiron/sqlx"
"mgit.msbls.de/m/paliad/internal/branding"
"mgit.msbls.de/m/paliad/internal/models"
)
// SubmissionVarsService assembles the placeholder map.
type SubmissionVarsService struct {
db *sqlx.DB
projects *ProjectService
parties *PartyService
users *UserService
}
// NewSubmissionVarsService wires the service.
func NewSubmissionVarsService(db *sqlx.DB, projects *ProjectService, parties *PartyService, users *UserService) *SubmissionVarsService {
return &SubmissionVarsService{
db: db,
projects: projects,
parties: parties,
users: users,
}
}
// SubmissionVarsContext is the input bundle that produces a render.
type SubmissionVarsContext struct {
UserID uuid.UUID
ProjectID uuid.UUID
SubmissionCode string
}
// SubmissionVarsResult bundles the placeholder map with the lookup
// values the handler needs for the audit row + file naming
// (rule.Name, project.case_number, etc.).
type SubmissionVarsResult struct {
Placeholders PlaceholderMap
// Resolved entities for audit + naming.
User *models.User
Project *models.Project
Rule *models.DeadlineRule
ProceedingType *models.ProceedingType
Parties []models.Party
NextDeadline *models.Deadline
// Lang is the user's UI language used to pick locale-aware values
// during the build. Returned so the renderer can use the matching
// missing-marker function.
Lang string
}
// ErrSubmissionRuleNotFound is returned when no published deadline_rule
// matches the requested submission_code. Maps to 404 in the handler.
var ErrSubmissionRuleNotFound = errors.New("submission generator: no rule found for submission_code")
// Build resolves every entity and assembles the placeholder map.
func (s *SubmissionVarsService) Build(ctx context.Context, in SubmissionVarsContext) (*SubmissionVarsResult, error) {
if s.projects == nil || s.users == nil {
return nil, fmt.Errorf("submission vars: required services not wired")
}
user, err := s.users.GetByID(ctx, in.UserID)
if err != nil {
return nil, err
}
if user == nil {
return nil, ErrNotVisible
}
// Visibility gate — GetByID returns ErrNotFound when the user
// can't see the project, which is exactly the 404 the handler
// wants to propagate.
project, err := s.projects.GetByID(ctx, in.UserID, in.ProjectID)
if err != nil {
return nil, err
}
rule, err := s.loadPublishedRule(ctx, in.SubmissionCode)
if err != nil {
return nil, err
}
pt, err := s.loadProceedingType(ctx, project.ProceedingTypeID)
if err != nil {
return nil, err
}
parties, err := s.parties.ListForProject(ctx, in.UserID, in.ProjectID)
if err != nil {
return nil, err
}
next, err := s.nextOpenDeadline(ctx, in.ProjectID, rule.ID)
if err != nil {
return nil, err
}
lang := user.Lang
if lang == "" {
lang = "de"
}
bag := PlaceholderMap{}
addFirmVars(bag)
addTodayVars(bag, time.Now())
addUserVars(bag, user)
addProjectVars(bag, project, pt, lang)
addPartyVars(bag, parties)
addRuleVars(bag, rule, lang)
addDeadlineVars(bag, next, project, lang)
return &SubmissionVarsResult{
Placeholders: bag,
User: user,
Project: project,
Rule: rule,
ProceedingType: pt,
Parties: parties,
NextDeadline: next,
Lang: lang,
}, nil
}
// loadPublishedRule fetches the deadline_rule that owns the given
// submission_code. Restricts to lifecycle_state='published' so drafts
// never end up shaping a real submission.
func (s *SubmissionVarsService) loadPublishedRule(ctx context.Context, submissionCode string) (*models.DeadlineRule, error) {
if submissionCode == "" {
return nil, ErrSubmissionRuleNotFound
}
var rule models.DeadlineRule
err := s.db.GetContext(ctx, &rule,
`SELECT `+ruleColumns+`
FROM paliad.deadline_rules
WHERE submission_code = $1
AND lifecycle_state = 'published'
AND is_active = true
ORDER BY sequence_order
LIMIT 1`, submissionCode)
if errors.Is(err, sql.ErrNoRows) {
return nil, ErrSubmissionRuleNotFound
}
if err != nil {
return nil, fmt.Errorf("load rule by submission_code %q: %w", submissionCode, err)
}
return &rule, nil
}
// loadProceedingType fetches the proceeding type row for the project's
// proceeding_type_id. Tolerates a nil id (returns nil, nil) so projects
// without a bound proceeding still render a meaningful template — the
// {{project.proceeding.*}} placeholders just resolve to the missing
// marker.
func (s *SubmissionVarsService) loadProceedingType(ctx context.Context, id *int) (*models.ProceedingType, error) {
if id == nil {
return nil, nil
}
var pt models.ProceedingType
err := s.db.GetContext(ctx, &pt,
`SELECT `+proceedingTypeColumns+`
FROM paliad.proceeding_types
WHERE id = $1`, *id)
if errors.Is(err, sql.ErrNoRows) {
return nil, nil
}
if err != nil {
return nil, fmt.Errorf("load proceeding type %d: %w", *id, err)
}
return &pt, nil
}
// nextOpenDeadline finds the earliest pending paliad.deadlines row on
// the given project that maps to the chosen rule. Returns (nil, nil)
// when no matching deadline exists — common when the lawyer is drafting
// the submission before the system has computed its deadline row.
func (s *SubmissionVarsService) nextOpenDeadline(ctx context.Context, projectID, ruleID uuid.UUID) (*models.Deadline, error) {
var d models.Deadline
err := s.db.GetContext(ctx, &d,
`SELECT id, project_id, title, description, due_date, original_due_date,
warning_date, source, rule_id, rule_code, status, completed_at,
caldav_uid, caldav_etag, notes, created_by, created_at, updated_at,
approval_status, pending_request_id, approved_by, approved_at
FROM paliad.deadlines
WHERE project_id = $1
AND rule_id = $2
AND status = 'pending'
ORDER BY due_date ASC
LIMIT 1`, projectID, ruleID)
if errors.Is(err, sql.ErrNoRows) {
return nil, nil
}
if err != nil {
return nil, fmt.Errorf("load next deadline (project=%s rule=%s): %w", projectID, ruleID, err)
}
return &d, nil
}
// addFirmVars populates the firm.* namespace.
func addFirmVars(bag PlaceholderMap) {
bag["firm.name"] = branding.Name
// firm.signature_block is reserved for Phase 2; emit empty so
// templates that already reference it don't render the missing
// marker (less noisy for the lawyer).
bag["firm.signature_block"] = ""
}
// addTodayVars populates today.* in both DE and EN long forms. ISO
// short form is the default {{today}}.
func addTodayVars(bag PlaceholderMap, now time.Time) {
loc, _ := time.LoadLocation("Europe/Berlin")
if loc != nil {
now = now.In(loc)
}
bag["today"] = now.Format("2006-01-02")
bag["today.iso"] = now.Format("2006-01-02")
bag["today.long_de"] = formatLongDateDE(now)
bag["today.long_en"] = formatLongDateEN(now)
}
// addUserVars populates user.*.
func addUserVars(bag PlaceholderMap, u *models.User) {
bag["user.display_name"] = u.DisplayName
bag["user.email"] = u.Email
bag["user.office"] = u.Office
}
// addProjectVars populates project.* — title / case_number / court /
// patent_number / dates / our_side / proceeding metadata.
func addProjectVars(bag PlaceholderMap, p *models.Project, pt *models.ProceedingType, lang string) {
bag["project.title"] = p.Title
bag["project.reference"] = derefString(p.Reference)
bag["project.case_number"] = derefString(p.CaseNumber)
bag["project.court"] = derefString(p.Court)
bag["project.patent_number"] = derefString(p.PatentNumber)
// project.patent_number_upc is the UPC-brief convention — kind code
// parenthesised ("EP 1 234 567 (B1)") instead of the DE form
// ("EP 1 234 567 B1"). Pure-function rewrite; pass-through when no
// kind code is present so the lawyer's draft never sees a worse
// number than the source value.
bag["project.patent_number_upc"] = patentNumberUPC(derefString(p.PatentNumber))
bag["project.filing_date"] = formatDatePtr(p.FilingDate, "2006-01-02")
bag["project.grant_date"] = formatDatePtr(p.GrantDate, "2006-01-02")
bag["project.our_side"] = derefString(p.OurSide)
bag["project.our_side_de"] = ourSideDE(derefString(p.OurSide))
bag["project.our_side_en"] = ourSideEN(derefString(p.OurSide))
bag["project.instance_level"] = derefString(p.InstanceLevel)
bag["project.client_number"] = derefString(p.ClientNumber)
bag["project.matter_number"] = derefString(p.MatterNumber)
if pt != nil {
bag["project.proceeding.code"] = pt.Code
if strings.EqualFold(lang, "en") {
bag["project.proceeding.name"] = pt.NameEN
} else {
bag["project.proceeding.name"] = pt.Name
}
bag["project.proceeding.name_de"] = pt.Name
bag["project.proceeding.name_en"] = pt.NameEN
}
}
// addPartyVars populates parties.* using the first row of each role.
// Multi-claimant / multi-defendant suits use the first row in Slice 1
// per design §13.6; expanded grouping is Phase 2.
func addPartyVars(bag PlaceholderMap, parties []models.Party) {
var claimant, defendant, other *models.Party
for i := range parties {
role := strings.ToLower(strings.TrimSpace(derefString(parties[i].Role)))
switch role {
case "claimant", "kläger", "klaeger":
if claimant == nil {
claimant = &parties[i]
}
case "defendant", "beklagter", "beklagte":
if defendant == nil {
defendant = &parties[i]
}
default:
if other == nil {
other = &parties[i]
}
}
}
if claimant != nil {
bag["parties.claimant.name"] = claimant.Name
bag["parties.claimant.representative"] = derefString(claimant.Representative)
}
if defendant != nil {
bag["parties.defendant.name"] = defendant.Name
bag["parties.defendant.representative"] = derefString(defendant.Representative)
}
if other != nil {
bag["parties.other.name"] = other.Name
bag["parties.other.representative"] = derefString(other.Representative)
}
}
// addRuleVars populates rule.* — submission_code, name(_en),
// legal_source (+ pretty form), primary_party, event_type.
func addRuleVars(bag PlaceholderMap, r *models.DeadlineRule, lang string) {
bag["rule.submission_code"] = derefString(r.SubmissionCode)
if strings.EqualFold(lang, "en") {
bag["rule.name"] = r.NameEN
} else {
bag["rule.name"] = r.Name
}
bag["rule.name_de"] = r.Name
bag["rule.name_en"] = r.NameEN
bag["rule.legal_source"] = derefString(r.LegalSource)
bag["rule.legal_source_pretty"] = legalSourcePretty(derefString(r.LegalSource), lang)
bag["rule.primary_party"] = derefString(r.PrimaryParty)
bag["rule.event_type"] = derefString(r.EventType)
}
// addDeadlineVars populates deadline.* from the next pending row. When
// no row exists the values fall through to the missing marker — the
// lawyer sees [KEIN WERT: deadline.due_date] in Word and knows to fix.
func addDeadlineVars(bag PlaceholderMap, d *models.Deadline, p *models.Project, lang string) {
if d == nil {
return
}
bag["deadline.due_date"] = d.DueDate.Format("2006-01-02")
bag["deadline.due_date_long_de"] = formatLongDateDE(d.DueDate)
bag["deadline.due_date_long_en"] = formatLongDateEN(d.DueDate)
if d.OriginalDueDate != nil {
bag["deadline.original_due_date"] = d.OriginalDueDate.Format("2006-01-02")
}
// computed_from carries the human-readable anchor description
// (e.g. "Klagezustellung am 14.05.2026 + 6 Wochen"). Notes is
// the closest existing field — the calculator stores anchor
// metadata there. If empty we leave the placeholder unresolved.
if d.Notes != nil && strings.TrimSpace(*d.Notes) != "" {
bag["deadline.computed_from"] = strings.TrimSpace(*d.Notes)
}
bag["deadline.title"] = d.Title
bag["deadline.source"] = d.Source
_ = p // reserved for future shape decisions where the deadline
// var depends on project context.
_ = lang
}
// derefString returns *s or "" when s is nil.
func derefString(s *string) string {
if s == nil {
return ""
}
return *s
}
// formatDatePtr formats a *time.Time, returning "" for nil.
func formatDatePtr(t *time.Time, layout string) string {
if t == nil {
return ""
}
return t.Format(layout)
}
// ourSideDE returns the German legal-prose form of an our_side value.
func ourSideDE(side string) string {
switch strings.ToLower(side) {
case "claimant":
return "Klägerin"
case "defendant":
return "Beklagte"
case "court":
return "Gericht"
case "both":
return "Klägerin und Beklagte"
}
return ""
}
// ourSideEN returns the English legal-prose form of an our_side value.
func ourSideEN(side string) string {
switch strings.ToLower(side) {
case "claimant":
return "Claimant"
case "defendant":
return "Defendant"
case "court":
return "Court"
case "both":
return "Claimant and Defendant"
}
return ""
}
// formatLongDateDE renders a date in the German long form
// ("19. Mai 2026"). Pure function for unit testing.
func formatLongDateDE(t time.Time) string {
months := []string{
"Januar", "Februar", "März", "April", "Mai", "Juni",
"Juli", "August", "September", "Oktober", "November", "Dezember",
}
idx := int(t.Month()) - 1
if idx < 0 || idx >= len(months) {
return t.Format("2006-01-02")
}
return fmt.Sprintf("%d. %s %d", t.Day(), months[idx], t.Year())
}
// formatLongDateEN renders a date in the English long form
// ("19 May 2026").
func formatLongDateEN(t time.Time) string {
return t.Format("2 January 2006")
}
// legalSourcePretty rewrites the shorthand stored on deadline_rules
// (DE.ZPO.276.1, UPC.RoP.23.1, …) into the form a lawyer would type
// in a brief ("§ 276 Abs. 1 ZPO", "Rule 23.1 RoP UPC"). Unknown
// prefixes pass through unchanged — preferring the raw shorthand over
// an incorrect prettification.
//
// Lang controls the language of connective words (Abs / Section,
// Regel / Rule, …). The pretty table covers the prefixes used by the
// 254 published rules in the corpus today; new prefixes default to
// pass-through and a follow-up CL extends the table.
func legalSourcePretty(src, lang string) string {
src = strings.TrimSpace(src)
if src == "" {
return ""
}
parts := strings.Split(src, ".")
en := strings.EqualFold(lang, "en")
switch {
case len(parts) == 4 && parts[0] == "DE" && parts[1] == "ZPO":
if en {
return fmt.Sprintf("Section %s(%s) ZPO", parts[2], parts[3])
}
return fmt.Sprintf("§ %s Abs. %s ZPO", parts[2], parts[3])
case len(parts) == 3 && parts[0] == "DE" && parts[1] == "ZPO":
if en {
return fmt.Sprintf("Section %s ZPO", parts[2])
}
return fmt.Sprintf("§ %s ZPO", parts[2])
case len(parts) == 4 && parts[0] == "UPC" && parts[1] == "RoP":
if en {
return fmt.Sprintf("Rule %s.%s RoP UPC", parts[2], parts[3])
}
return fmt.Sprintf("Regel %s.%s VerfO UPC", parts[2], parts[3])
case len(parts) == 3 && parts[0] == "UPC" && parts[1] == "RoP":
if en {
return fmt.Sprintf("Rule %s RoP UPC", parts[2])
}
return fmt.Sprintf("Regel %s VerfO UPC", parts[2])
case len(parts) >= 3 && parts[0] == "DE" && parts[1] == "PatG":
if en {
return fmt.Sprintf("Section %s PatG", parts[2])
}
return fmt.Sprintf("§ %s PatG", parts[2])
case len(parts) == 2 && parts[0] == "EPC":
if en {
return fmt.Sprintf("Art. %s EPC", parts[1])
}
return fmt.Sprintf("Art. %s EPÜ", parts[1])
}
return src
}
// patentNumberKindCodeRegex matches a trailing kind code on a patent
// number: a whitespace-separated single uppercase letter followed by
// a single digit (B1, A1, A2, B2, B9, C1, T2, U1, …). Capturing
// groups split the base from the kind code so the formatter can
// parenthesise the kind without touching the rest of the number.
var patentNumberKindCodeRegex = regexp.MustCompile(`^(.*?)\s+([A-Z]\d)$`)
// patentNumberUPC reformats a patent number from the DE convention
// ("EP 1 234 567 B1") to the UPC-brief convention
// ("EP 1 234 567 (B1)"). The kind code is parenthesised; everything
// else is preserved verbatim. Numbers without a recognised trailing
// kind code pass through unchanged so a lawyer's draft never sees a
// number worse than the source value.
//
// Recognised inputs:
//
// "EP 1 234 567 B1" → "EP 1 234 567 (B1)"
// "EP 4 056 049 A1" → "EP 4 056 049 (A1)"
// "DE 10 2020 123 456 A1" → "DE 10 2020 123 456 (A1)"
// " EP 1 234 567 B1 " → "EP 1 234 567 (B1)" (trimmed)
//
// Pass-through:
//
// "EP 1 234 567" → "EP 1 234 567"
// "WO/2023/123456" → "WO/2023/123456" (no kind code shape)
// "" → ""
//
// Pure function; unit-tested in submission_vars_test.go.
func patentNumberUPC(s string) string {
s = strings.TrimSpace(s)
if s == "" {
return ""
}
if m := patentNumberKindCodeRegex.FindStringSubmatch(s); m != nil {
base := strings.TrimSpace(m[1])
kind := m[2]
if base == "" {
return s
}
return base + " (" + kind + ")"
}
return s
}

126
internal/services/target_service.go
View File

@@ -1,126 +0,0 @@
package services
import (
"context"
"database/sql"
"errors"
"fmt"
"github.com/google/uuid"
"github.com/jmoiron/sqlx"
"mgit.msbls.de/m/paliad/internal/models"
)
// AppointmentTargetService — CRUD on paliad.appointment_caldav_targets.
//
// Each row is the per-(appointment, binding) push state: the caldav_uid
// PUT into that binding's calendar (canonical per Appointment) plus the
// ETag returned by the server on the last successful PUT. Replaces the
// scalar paliad.appointments.caldav_uid / caldav_etag columns for the
// post-Slice-2a sync engine; those scalars stay populated for back-compat
// through Slice 4.
type AppointmentTargetService struct {
db *sqlx.DB
}
func NewAppointmentTargetService(db *sqlx.DB) *AppointmentTargetService {
return &AppointmentTargetService{db: db}
}
const targetColumns = `appointment_id, binding_id, caldav_uid, caldav_etag, last_pushed_at`
// UpsertAfterPush records the result of a successful PUT to the binding's
// calendar. Called by CalDAVService.pushAll after each PUT.
func (s *AppointmentTargetService) UpsertAfterPush(ctx context.Context, appointmentID, bindingID uuid.UUID, uid, etag string) error {
var etagPtr *string
if etag != "" {
etagPtr = &etag
}
_, err := s.db.ExecContext(ctx,
`INSERT INTO paliad.appointment_caldav_targets
(appointment_id, binding_id, caldav_uid, caldav_etag, last_pushed_at)
VALUES ($1, $2, $3, $4, NOW())
ON CONFLICT (appointment_id, binding_id)
DO UPDATE SET caldav_uid = EXCLUDED.caldav_uid,
caldav_etag = EXCLUDED.caldav_etag,
last_pushed_at = NOW()`,
appointmentID, bindingID, uid, etagPtr)
if err != nil {
return fmt.Errorf("upsert caldav target: %w", err)
}
return nil
}
// FindByUIDAndBinding returns the target row matching this (uid, binding)
// pair, or nil when no such row exists.
func (s *AppointmentTargetService) FindByUIDAndBinding(ctx context.Context, uid string, bindingID uuid.UUID) (*models.AppointmentCalDAVTarget, error) {
var t models.AppointmentCalDAVTarget
err := s.db.GetContext(ctx, &t,
`SELECT `+targetColumns+`
FROM paliad.appointment_caldav_targets
WHERE caldav_uid = $1 AND binding_id = $2`, uid, bindingID)
if errors.Is(err, sql.ErrNoRows) {
return nil, nil
}
if err != nil {
return nil, fmt.Errorf("find target by uid+binding: %w", err)
}
return &t, nil
}
// ListForBinding returns every target row attached to this binding.
// Used by the pull-reconciliation pass to detect remote deletions.
func (s *AppointmentTargetService) ListForBinding(ctx context.Context, bindingID uuid.UUID) ([]models.AppointmentCalDAVTarget, error) {
rows := []models.AppointmentCalDAVTarget{}
if err := s.db.SelectContext(ctx, &rows,
`SELECT `+targetColumns+`
FROM paliad.appointment_caldav_targets
WHERE binding_id = $1`, bindingID); err != nil {
return nil, fmt.Errorf("list targets for binding: %w", err)
}
return rows, nil
}
// DeleteByAppointmentAndBinding removes one specific target row.
// Used after a successful remote DELETE.
func (s *AppointmentTargetService) DeleteByAppointmentAndBinding(ctx context.Context, appointmentID, bindingID uuid.UUID) error {
_, err := s.db.ExecContext(ctx,
`DELETE FROM paliad.appointment_caldav_targets
WHERE appointment_id = $1 AND binding_id = $2`, appointmentID, bindingID)
if err != nil {
return fmt.Errorf("delete target: %w", err)
}
return nil
}
// StaleForBinding returns target rows whose appointment_id is no longer
// in the in-scope set. Used by the post-pull cleanup pass to delete
// appointments that left the binding's scope (e.g. project unshared,
// scope_kind PATCHed). currentAppointmentIDs may be empty — in that
// case every target row is considered stale.
func (s *AppointmentTargetService) StaleForBinding(ctx context.Context, bindingID uuid.UUID, currentAppointmentIDs []uuid.UUID) ([]models.AppointmentCalDAVTarget, error) {
rows := []models.AppointmentCalDAVTarget{}
if len(currentAppointmentIDs) == 0 {
if err := s.db.SelectContext(ctx, &rows,
`SELECT `+targetColumns+`
FROM paliad.appointment_caldav_targets
WHERE binding_id = $1`, bindingID); err != nil {
return nil, fmt.Errorf("stale-targets all: %w", err)
}
return rows, nil
}
query, args, err := sqlx.In(
`SELECT `+targetColumns+`
FROM paliad.appointment_caldav_targets
WHERE binding_id = ?
AND appointment_id NOT IN (?)`, bindingID, currentAppointmentIDs)
if err != nil {
return nil, fmt.Errorf("stale-targets prepare: %w", err)
}
query = s.db.Rebind(query)
if err := s.db.SelectContext(ctx, &rows, query, args...); err != nil {
return nil, fmt.Errorf("stale-targets exec: %w", err)
}
return rows, nil
}

5
internal/services/view_service.go
View File

@@ -569,11 +569,6 @@ func approvalRowSubtitle(r ApprovalRequestView) string {
return "Abgelehnt"
case "revoked":
return "Widerrufen"
case "changes_requested":
if r.DeciderName != nil {
return fmt.Sprintf("Abgelehnt mit Vorschlag von %s", *r.DeciderName)
}
return "Abgelehnt mit Vorschlag"
}
return r.Status
}

219
internal/services/widget_catalog.go
View File

@@ -1,219 +0,0 @@
package services
// Widget catalog for the configurable dashboard (t-paliad-219).
//
// Design: docs/design-dashboard-configurable-2026-05-20.md §4 (catalog) and
// §18 Note B (settings schema).
//
// The catalog is the source of truth for which widgets a user can pick.
// Adding a new widget = add a WidgetKey const + append a WidgetDef in
// WidgetCatalog. Frontend has its own mirror in
// frontend/src/client/widgets/registry.ts; the two must stay in sync.
//
// Versioning rule (design §10): unknown keys in a user's saved layout are
// dropped silently at read time; write paths validate against the catalog.
import (
"encoding/json"
"fmt"
"slices"
)
// WidgetKey is the catalog identifier for a single widget.
type WidgetKey string
const (
WidgetDeadlineSummary WidgetKey = "deadline-summary"
WidgetMatterSummary WidgetKey = "matter-summary"
WidgetUpcomingDeadlines WidgetKey = "upcoming-deadlines"
WidgetUpcomingAppointments WidgetKey = "upcoming-appointments"
WidgetInlineAgenda WidgetKey = "inline-agenda"
WidgetRecentActivity WidgetKey = "recent-activity"
WidgetInboxApprovals WidgetKey = "inbox-approvals"
WidgetPinnedProjects WidgetKey = "pinned-projects"
)
// KnownWidgetKeys is the canonical order used when seeding the factory
// default layout. New entries land at the bottom by default.
var KnownWidgetKeys = []WidgetKey{
WidgetDeadlineSummary,
WidgetMatterSummary,
WidgetUpcomingDeadlines,
WidgetUpcomingAppointments,
WidgetInlineAgenda,
WidgetRecentActivity,
WidgetInboxApprovals,
// WidgetPinnedProjects ships in Slice C (catalog expansion) — not in
// the Slice A1 baseline. Keep the const above for forward-compat;
// omit from KnownWidgetKeys until the widget module lands.
}
// WidgetSettingsSchema declares which knobs a widget exposes. nil = no
// per-widget settings (the gear icon is hidden in edit mode).
type WidgetSettingsSchema struct {
// CountOptions lists permitted "count" values. Empty = no count knob.
CountOptions []int
// HorizonOptions lists permitted "horizon_days" values. Empty = no
// horizon knob.
HorizonOptions []int
// CountAllowsAll is true when "all" is a legal value for count
// (rendered as the literal -1 in the JSON). pinned-projects uses this.
CountAllowsAll bool
}
// Validate enforces the schema against a raw settings blob. nil schema
// rejects any non-empty settings; empty settings always pass.
func (sch *WidgetSettingsSchema) Validate(raw json.RawMessage) error {
if len(raw) == 0 || string(raw) == "null" {
return nil
}
if sch == nil {
return fmt.Errorf("%w: widget has no settings; got %s", ErrInvalidInput, string(raw))
}
var parsed struct {
Count *int `json:"count,omitempty"`
HorizonDays *int `json:"horizon_days,omitempty"`
}
if err := json.Unmarshal(raw, &parsed); err != nil {
return fmt.Errorf("%w: widget settings decode: %v", ErrInvalidInput, err)
}
if parsed.Count != nil {
if len(sch.CountOptions) == 0 {
return fmt.Errorf("%w: widget has no count knob", ErrInvalidInput)
}
if !(sch.CountAllowsAll && *parsed.Count == -1) && !slices.Contains(sch.CountOptions, *parsed.Count) {
return fmt.Errorf("%w: count %d not in %v", ErrInvalidInput, *parsed.Count, sch.CountOptions)
}
}
if parsed.HorizonDays != nil {
if len(sch.HorizonOptions) == 0 {
return fmt.Errorf("%w: widget has no horizon knob", ErrInvalidInput)
}
if !slices.Contains(sch.HorizonOptions, *parsed.HorizonDays) {
return fmt.Errorf("%w: horizon_days %d not in %v", ErrInvalidInput, *parsed.HorizonDays, sch.HorizonOptions)
}
}
return nil
}
// WidgetDef is one entry in the catalog. Title/description fields are the
// translation-key seeds; frontend resolves them via the i18n registry.
type WidgetDef struct {
Key WidgetKey `json:"key"`
TitleDE string `json:"title_de"`
TitleEN string `json:"title_en"`
DescriptionDE string `json:"description_de"`
DescriptionEN string `json:"description_en"`
DefaultVisible bool `json:"default_visible"`
DefaultCount *int `json:"default_count,omitempty"`
DefaultHorizon *int `json:"default_horizon_days,omitempty"`
Settings *WidgetSettingsSchema `json:"settings,omitempty"`
}
// WidgetCatalog returns the v1 catalog. Returned by value (small struct
// slice) so callers can freely append i18n overrides for the wire format.
func WidgetCatalog() []WidgetDef {
listCounts := []int{1, 3, 5, 10, 20}
listHorizon := []int{7, 14, 30, 60}
inboxCounts := []int{1, 3, 5, 10}
agendaHorizon := []int{14, 30, 60}
tenDefault := 10
threeDefault := 3
thirtyDefault := 30
return []WidgetDef{
{
Key: WidgetDeadlineSummary,
TitleDE: "Fristen auf einen Blick",
TitleEN: "Deadlines at a glance",
DescriptionDE: "Ampel-Karten für überfällige, heutige und kommende Fristen.",
DescriptionEN: "Traffic-light cards for overdue, today, and upcoming deadlines.",
DefaultVisible: true,
},
{
Key: WidgetMatterSummary,
TitleDE: "Meine Akten",
TitleEN: "My Matters",
DescriptionDE: "Aktiv-, archiviert- und Gesamtzahl deiner sichtbaren Akten.",
DescriptionEN: "Active, archived and total counts of your visible matters.",
DefaultVisible: true,
},
{
Key: WidgetUpcomingDeadlines,
TitleDE: "Kommende Fristen",
TitleEN: "Upcoming deadlines",
DescriptionDE: "Liste der nächsten Fristen — Anzahl und Zeitraum konfigurierbar.",
DescriptionEN: "List of upcoming deadlines — count and horizon configurable.",
DefaultVisible: true,
DefaultCount: &tenDefault,
DefaultHorizon: &thirtyDefault,
Settings: &WidgetSettingsSchema{
CountOptions: listCounts,
HorizonOptions: listHorizon,
},
},
{
Key: WidgetUpcomingAppointments,
TitleDE: "Kommende Termine",
TitleEN: "Upcoming appointments",
DescriptionDE: "Liste der nächsten Termine — Anzahl und Zeitraum konfigurierbar.",
DescriptionEN: "List of upcoming appointments — count and horizon configurable.",
DefaultVisible: true,
DefaultCount: &tenDefault,
DefaultHorizon: &thirtyDefault,
Settings: &WidgetSettingsSchema{
CountOptions: listCounts,
HorizonOptions: listHorizon,
},
},
{
Key: WidgetInlineAgenda,
TitleDE: "Agenda",
TitleEN: "Agenda",
DescriptionDE: "30-Tage-Agenda mit Fristen und Terminen kombiniert.",
DescriptionEN: "30-day agenda combining deadlines and appointments.",
DefaultVisible: true,
DefaultHorizon: &thirtyDefault,
Settings: &WidgetSettingsSchema{
HorizonOptions: agendaHorizon,
},
},
{
Key: WidgetRecentActivity,
TitleDE: "Letzte Aktivität",
TitleEN: "Recent activity",
DescriptionDE: "Verlauf der letzten Ereignisse in deinen sichtbaren Akten.",
DescriptionEN: "Recent events across your visible matters.",
DefaultVisible: true,
DefaultCount: &tenDefault,
Settings: &WidgetSettingsSchema{
CountOptions: listCounts,
},
},
{
Key: WidgetInboxApprovals,
TitleDE: "Offene Freigaben",
TitleEN: "Open approvals",
DescriptionDE: "Deine offenen Freigaben mit Anzahl und einer kurzen Liste.",
DescriptionEN: "Your open approval requests with count and a short list.",
DefaultVisible: true,
DefaultCount: &threeDefault,
Settings: &WidgetSettingsSchema{
CountOptions: inboxCounts,
},
},
}
}
// LookupWidgetDef returns the catalog entry for a key, or false if unknown.
func LookupWidgetDef(key WidgetKey) (WidgetDef, bool) {
for _, def := range WidgetCatalog() {
if def.Key == key {
return def, true
}
}
return WidgetDef{}, false
}