feat(projection): IsConditional for uncertain-anchor rules (t-paliad-289)

Rules anchored on uncertain triggers (R.109 backward-anchor without
oral-hearing date; R.118(4) without validity decision; R.262(2)
without recorded Vertraulichkeitsantrag) previously rendered concrete
dates fabricated off the trigger date. Add IsConditional projection
flag so the SmartTimeline + Verfahrensablauf surfaces "abhängig von
<parent>" instead of a misleading date.

Backend (fristenrechner.go):
- Add IsConditional + ParentRuleCode/Name/NameEN to UIDeadline.
- Pre-pass populates courtSet from rule.is_court_set=true BEFORE the
  main loop, so order-of-evaluation in sequence_order no longer matters
  for the parent-court-set check. Fixes R.109(1) "Antrag auf
  Simultanübersetzung" (sequence_order=45 < Mündliche Verhandlung's
  sequence_order=50): the timing='before' backward arithmetic was
  computing 1 month before the trigger date because the court-set
  parent hadn't been classified yet.
- Set IsConditional=true on every IsCourtSetIndirect branch (catches
  R.109 backward + R.118(4) cons_orders chain off the decision).
- Set IsConditional=true for priority='optional' + primary_party='both'
  rules whose data-model parent is the trigger anchor (covers R.262(2)
  confidentiality_response: the data anchors on SoC, but the real
  trigger is the opposing party's confidentiality motion which may
  never happen). Suppressed by IsOverridden so user anchors win.

Backend (projection_service.go):
- Add IsConditional to TimelineEvent + propagate from UIDeadline.
- New Status="conditional" for projected rows; clears Date, populates
  DependsOnRuleCode/Name from UIDeadline.ParentRule* so the row
  carries the "abhängig von <parent>" payload even when the parent
  has no computed date for annotateDependsOn to discover.

Frontend (verfahrensablauf-core.ts + CSS + i18n):
- CalculatedDeadline gains isConditional + parentRule* fields.
- deadlineCardHtml renders "abhängig von <parent>" chip with
  click-to-edit affordance in place of the date column when
  isConditional=true. IsConditional wins over IsCourtSet for the
  date column (they overlap; "abhängig von <parent>" names the
  specific blocker).
- .timeline-item--conditional / .fr-col-item--conditional CSS:
  dotted border + faded text so the conditional state reads at glance.
- Replaced escHtml's DOM-backed implementation with a pure-JS regex
  escape so the module is testable in bun test without jsdom (the
  old form forced fixtures to leave several fields empty just to
  avoid the DOM dependency).

Tests:
- TestApplyLookaheadCap_ConditionalRowsPassThrough: pure-function lock
  that conditional rows pass through applyLookaheadCap untouched
  (don't count against ProjectedTotal/Shown, don't get capped).
- TestUIDeadline_IsConditional_UncertainAnchors (TEST_DATABASE_URL):
  asserts R.109(1)/(4), R.118(4) chain, and R.262(2) all render
  IsConditional=true with empty DueDate + populated ParentRule*; SoD
  stays non-conditional; override on the oral hearing flips R.109(1)
  back to concrete date.
- 4 new bun tests for the conditional rendering branches in
  deadlineCardHtml.

UX path verified by tests + manual review of the live rule corpus:
opening a UPC inf project without oral-hearing date now surfaces
R.109(1) + R.109(4) as conditional; recording the Vertraulichkeitsantrag
(anchoring R.262(2) via the existing "Datum setzen" flow) flips it
back to a concrete date.

go build / go test / bun test / bun run build all clean.

.gitea/workflows/test.yaml

@@ -0,0 +1,242 @@
+# Paliad CI gate (t-paliad-282 / m/paliad#114).
+#
+# Single workflow, two purposes:
+#
+#   - On every push: gate tier — build + unit + migration smoke. Red gate
+#     means no further work and (on main) no deploy.
+#   - On push to main with gate green: deploy step — calls the Dokploy
+#     compose-deploy API for paliad's compose Zx147ycurfYagKRl_Zzyo, then
+#     polls /health/ready until the new container reports 200.
+#
+# The deploy step REPLACES the previous Gitea-push → Dokploy webhook path
+# (per m's Q11.4 pick: soft-launch with both alive for ~1 week, then
+# disable the Dokploy auto-deploy toggle). Soft-launch leaves Dokploy's
+# autoDeploy=true intact today — the workflow's deploy step is additive
+# and idempotent (Dokploy's deploy is itself idempotent).
+#
+# Catches the three failure classes from 2026-05-25:
+#
+#   - brunel slot collision (~13:20) — TestMigrations_NoDuplicateSlot,
+#     pure unit, no DB needed.
+#   - hermes dropped-col refs (~16:05) — TestBootSmoke, applies all NEW
+#     migrations (those not in the snapshot) end-to-end against a
+#     scratch DB restored from internal/db/testdata/prod-snapshot.sql.
+#   - mig 129 42501 ownership (~14:56→) — TestMigrations_EndToEndAsAppRole,
+#     applies new migrations as the prod-shaped `postgres` role (which
+#     is NOT a superuser on supabase/postgres — same shape as
+#     youpc-supabase prod, see internal/db/testdata/README.md).
+#
+# Snapshot approach: dump paliad schema + applied_migrations rows from
+# prod, commit them. CI restores → ApplyMigrations sees existing migs as
+# applied, only runs NEW migs (the ones this PR adds). This sidesteps the
+# fresh-DB idempotence requirement on historical migrations (some of
+# which use raw COMMIT or pre-installed extensions and can't be replayed
+# from scratch). To refresh: `make refresh-snapshot`.
+#
+# Design: docs/design-cicd-pre-deploy-gate-2026-05-25.md (cronus inventor
+# shift, t-paliad-282).
+
+name: Paliad CI gate
+
+on:
+  push:
+    branches:
+      - main
+      - 'mai/**'
+  pull_request:
+    branches: [main]
+
+env:
+  GO_VERSION: '1.24'
+  BUN_VERSION: '1.2'
+
+jobs:
+  # Gate job 1 — pure build. Catches go/bun build breakage that local
+  # `go build` would catch but which a worker might have skipped before
+  # pushing. Fast (~60 s) so a red here surfaces immediately.
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: go build
+        run: go build ./...
+
+      - name: go vet
+        run: go vet ./...
+
+      - name: Set up Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: ${{ env.BUN_VERSION }}
+
+      - name: bun install + build
+        working-directory: frontend
+        run: |
+          bun install --frozen-lockfile
+          bun run build
+
+  # Gate job 2 — Go test suite + migration smoke against snapshot-restored
+  # scratch DB.
+  #
+  # The Postgres service container uses the same supabase/postgres image
+  # as youpc-supabase prod. The CI scratch DB starts empty; a setup step
+  # installs pg_trgm + restores the snapshot. After restore, paliad
+  # schema is at HEAD-of-snapshot and applied_migrations covers every
+  # migration up to (and including) the snapshot's max version.
+  #
+  # ApplyMigrations called in TestBootSmoke / TestMigrations_EndToEndAsAppRole
+  # sees the snapshot's applied set, finds whatever NEW migrations this
+  # PR added on top, and applies only those. The role-split smoke runs as
+  # `postgres` (which is NOT a superuser on supabase/postgres, matching
+  # the prod role topology) — any new migration that needs supabase_admin
+  # privilege fails here as it would in prod.
+  test-go:
+    runs-on: ubuntu-latest
+
+    services:
+      # supabase/postgres baked-in auth schema + supabase role topology
+      # matches youpc-supabase prod. `postgres` here is NOT a superuser
+      # (verified live: \du postgres shows "Create role, Create DB,
+      # Replication, Bypass RLS" — no Superuser). This is the prod-shaped
+      # role the deploy uses.
+      postgres:
+        image: supabase/postgres:15.8.1.060
+        env:
+          POSTGRES_PASSWORD: ci
+          POSTGRES_DB: paliad_scratch
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd "pg_isready -U postgres"
+          --health-interval 5s
+          --health-timeout 5s
+          --health-retries 30
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Install postgresql-client
+        run: |
+          apt-get update -qq && apt-get install -y -qq postgresql-client
+
+      # Snapshot restore. Two prep steps as supabase_admin (the actual
+      # superuser): GRANT CREATE so the `postgres` role can later create
+      # schemas if a new mig needs it; install pg_trgm so the snapshot's
+      # trigram indexes restore. Snapshot itself loads as `postgres`.
+      - name: Provision + restore snapshot
+        env:
+          PGPASSWORD: ci
+        run: |
+          set -euo pipefail
+          psql -h localhost -U supabase_admin -d paliad_scratch -v ON_ERROR_STOP=1 \
+            -c "GRANT CREATE ON DATABASE paliad_scratch TO postgres;" \
+            -c "CREATE EXTENSION IF NOT EXISTS pg_trgm;"
+          psql -h localhost -U postgres -d paliad_scratch -v ON_ERROR_STOP=1 \
+            -f internal/db/testdata/prod-snapshot.sql
+
+      # Pre-flight: catches brunel slot collision in seconds, no DB
+      # contact (still useful even though the test-go job has Postgres
+      # running, because the failure mode is independent).
+      - name: Migration coordination check
+        run: go test -count=1 -run TestMigrations_NoDuplicateSlot ./internal/db/
+
+      # Role-split end-to-end apply. Connects as `postgres` (NOT a
+      # superuser on supabase/postgres) and runs ApplyMigrations against
+      # the snapshot-restored DB. Existing migs are skipped (already in
+      # applied_migrations); NEW migs in this PR apply here. If a new
+      # migration assumes supabase_admin privilege, fails with the same
+      # 42501 error class that took paliad.de offline on 2026-05-25.
+      - name: Migration end-to-end (deploy role)
+        env:
+          TEST_APP_DATABASE_URL: postgres://postgres:ci@localhost:5432/paliad_scratch?sslmode=disable
+        run: go test -count=1 -run TestMigrations_EndToEndAsAppRole ./internal/db/
+
+      # Boot smoke. Confirms ApplyMigrations succeeds + applied set
+      # matches on-disk set + /healthz returns 200 + /health/ready
+      # returns 200 (the live-pool variant via TestHealthReady_Live).
+      - name: Boot smoke + readiness
+        env:
+          TEST_DATABASE_URL: postgres://postgres:ci@localhost:5432/paliad_scratch?sslmode=disable
+        run: go test -count=1 -run 'TestBootSmoke|TestHealthReady_Live' ./cmd/server/
+
+      # Full Go test suite WITHOUT TEST_DATABASE_URL so live-DB service
+      # tests skip (same shape as a developer laptop without a scratch
+      # DB). Live-DB tests in internal/services/* will be activated by a
+      # follow-up shift once the snapshot is verified stable across
+      # multiple PRs — they need investigation against supabase/postgres
+      # 15.8 (parameter type inference differs subtly from youpc-supabase).
+      - name: go test ./... (pure + skip-on-no-DB)
+        run: go test -count=1 ./internal/... ./cmd/...
+
+  # Deploy step. Only runs on push to main and only after both gate jobs
+  # are green. Calls Dokploy's compose.deploy with the paliad compose ID
+  # (Zx147ycurfYagKRl_Zzyo) and polls /health/ready until it returns 200
+  # or times out.
+  #
+  # Skipped on PR / feature branch pushes — those run the gate tier as
+  # a status check but don't trigger a prod deploy. Dokploy's existing
+  # autoDeploy=true webhook continues to fire during the soft-launch
+  # window (per Q11.4); it can be disabled in the Dokploy UI once this
+  # workflow has gated ≥5 successful green deploys.
+  deploy:
+    runs-on: ubuntu-latest
+    needs: [build, test-go]
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+
+    steps:
+      - name: Trigger Dokploy compose deploy
+        env:
+          DOKPLOY_KEY: ${{ secrets.DOKPLOY_TOKEN }}
+          DOKPLOY_API: http://100.99.98.201:3000/api/trpc
+          COMPOSE_ID: Zx147ycurfYagKRl_Zzyo
+        run: |
+          set -euo pipefail
+          if [ -z "${DOKPLOY_KEY:-}" ]; then
+            echo "ERROR: DOKPLOY_TOKEN secret is not configured."
+            echo "       Set the secret in Gitea repo settings before this step can deploy."
+            exit 2
+          fi
+          echo "==> POST compose.deploy"
+          curl -sS --connect-timeout 5 --max-time 30 \
+            -X POST \
+            -H "x-api-key: $DOKPLOY_KEY" \
+            -H "Content-Type: application/json" \
+            -d "{\"json\":{\"composeId\":\"$COMPOSE_ID\"}}" \
+            "$DOKPLOY_API/compose.deploy"
+          echo
+
+      - name: Wait for /health/ready
+        run: |
+          set -euo pipefail
+          echo "==> polling https://paliad.de/health/ready"
+          # Up to 5 minutes (60 × 5 s) — paliad's cold-start is normally
+          # ≤30 s; the longer budget covers slow image pulls + migration
+          # apply.
+          for i in $(seq 1 60); do
+            status=$(curl -sS --connect-timeout 3 --max-time 5 \
+              -o /dev/null -w '%{http_code}' \
+              https://paliad.de/health/ready || echo "000")
+            if [ "$status" = "200" ]; then
+              echo "ready after ${i} poll(s)"
+              exit 0
+            fi
+            echo "  [$i/60] status=$status — sleeping 5s"
+            sleep 5
+          done
+          echo "ERROR: /health/ready did not return 200 within 5 minutes."
+          echo "       The deploy fired but the new container is not serving."
+          echo "       Investigate: ssh mlake 'docker logs --tail 50 compose-transmit-multi-byte-driver-v7jth9-web-1'"
+          exit 1

Makefile

@@ -21,18 +21,24 @@
 # the test runner's working dirs. None of them touch internal/db/migrations/
 # files.
 
-.PHONY: help verify-migrations verify-mig test test-go
+.PHONY: help verify-migrations verify-mig verify-mig-app test test-go test-frontend refresh-snapshot
 
 help:
 	@echo "Paliad — developer targets"
 	@echo ""
 	@echo "  verify-migrations   Dry-run pending migrations + boot smoke (needs TEST_DATABASE_URL)"
 	@echo "  verify-mig          Alias for verify-migrations"
+	@echo "  verify-mig-app      End-to-end migration smoke as non-superuser role"
+	@echo "                      (needs TEST_APP_DATABASE_URL — t-paliad-282 / m/paliad#114)"
 	@echo "  test                Short test pass — covers gate tier"
 	@echo "  test-go             Full Go suite with race detector"
+	@echo "  test-frontend       Frontend bun:test suite"
 	@echo ""
 	@echo "Set TEST_DATABASE_URL to enable live-DB tests. Example:"
 	@echo "  export TEST_DATABASE_URL=postgres://paliad:...@localhost:11833/paliad_test"
+	@echo ""
+	@echo "Set TEST_APP_DATABASE_URL to enable the role-split smoke. Example:"
+	@echo "  export TEST_APP_DATABASE_URL=postgres://paliad_app:...@localhost:5432/paliad_scratch"
 
 # Gate target — the test that would have caught mig 098 / mig 099 before
 # deploy. Combines:
@@ -71,3 +77,67 @@ test:
 # (full suite, not per-PR).
 test-go:
 	go test -race ./...
+
+# Frontend bun:test suite. Runs the 4 existing pure-TS tests today; will
+# grow as mendel's Slice 3 (frontend test infill) lands.
+test-frontend:
+	cd frontend && bun test
+
+# Role-split end-to-end migration smoke — the catch for the mig 129 42501
+# ownership class (m/paliad#114). Runs ApplyMigrations as a non-superuser
+# role against TEST_APP_DATABASE_URL. Fails the build if any migration
+# assumes more privilege than the deploy role has.
+#
+# Developer setup (local):
+#   psql -c "CREATE ROLE paliad_app LOGIN PASSWORD 'ci' NOSUPERUSER;"
+#   psql -c "CREATE DATABASE paliad_scratch OWNER paliad_app;"
+#   export TEST_APP_DATABASE_URL=postgres://paliad_app:ci@localhost:5432/paliad_scratch
+verify-mig-app:
+	@if [ -z "$$TEST_APP_DATABASE_URL" ]; then \
+		echo "ERROR: TEST_APP_DATABASE_URL is not set."; \
+		echo "       The role-split migration smoke cannot run without a non-superuser scratch DB."; \
+		echo "       See Makefile comments above this target for setup."; \
+		exit 2; \
+	fi
+	go test -count=1 -run TestMigrations_EndToEndAsAppRole ./internal/db/
+
+# Refresh the prod schema snapshot used by CI's migration smoke
+# (t-paliad-282 / m/paliad#114). Connects to youpc-supabase prod, dumps
+# the paliad schema + applied_migrations rows, strips rows beyond the
+# current branch's max on-disk version, and writes
+# internal/db/testdata/prod-snapshot.sql.
+#
+# When to refresh:
+#   - After merging a PR that added a new migration to main.
+#   - When CI's migration smoke starts spuriously failing because the
+#     snapshot's applied set diverges from on-disk by more than this
+#     branch's worth of new migs.
+#
+# Requires PALIAD_PROD_DATABASE_URL env var (a Postgres URL with
+# pg_dump rights on youpc-supabase). Example:
+#   export PALIAD_PROD_DATABASE_URL='postgres://postgres:PW@100.99.98.201:11833/postgres'
+refresh-snapshot:
+	@if [ -z "$$PALIAD_PROD_DATABASE_URL" ]; then \
+		echo "ERROR: PALIAD_PROD_DATABASE_URL is not set."; \
+		echo "       Refresh requires read access to youpc-supabase prod."; \
+		exit 2; \
+	fi
+	@echo "==> dumping paliad schema (no owner, no privs)..."
+	@pg_dump --schema-only --schema=paliad --no-owner --no-privileges \
+		--no-publications --no-subscriptions \
+		"$$PALIAD_PROD_DATABASE_URL" > internal/db/testdata/prod-snapshot.sql.tmp
+	@echo "==> appending applied_migrations rows..."
+	@pg_dump --data-only --table=paliad.applied_migrations \
+		--no-owner --no-privileges \
+		"$$PALIAD_PROD_DATABASE_URL" >> internal/db/testdata/prod-snapshot.sql.tmp
+	@echo "==> stripping pg16 \\restrict / \\unrestrict commands for pg15 compat..."
+	@sed -i.bak '/^\\restrict /d; /^\\unrestrict /d' internal/db/testdata/prod-snapshot.sql.tmp
+	@rm -f internal/db/testdata/prod-snapshot.sql.tmp.bak
+	@echo "==> stripping applied_migrations rows beyond branch's max on-disk version..."
+	@MAX_VER=$$(ls internal/db/migrations/*.up.sql | xargs -I{} basename {} | sed 's/_.*//' | sort -n | tail -1); \
+	awk -v max=$$MAX_VER ' \
+	  /^[0-9]+\t/ { split($$0, a, "\t"); if (a[1]+0 > max) next; } \
+	  { print } \
+	' internal/db/testdata/prod-snapshot.sql.tmp > internal/db/testdata/prod-snapshot.sql
+	@rm internal/db/testdata/prod-snapshot.sql.tmp
+	@wc -l internal/db/testdata/prod-snapshot.sql

cmd/server/main.go

@@ -165,6 +165,7 @@ func main() {
 		sysAuditSvc := services.NewSystemAuditLogService(pool)
 		checklistTemplateSvc := services.NewChecklistTemplateService(pool, checklistCatalogSvc, sysAuditSvc, users)
 		svcBundle = &handlers.Services{
+			Pool:           pool,
 			Project:        projectSvc,
 			Team:           teamSvc,
 			PartnerUnit:    partnerUnitSvc,
@@ -218,6 +219,25 @@ func main() {
 			// is captured into __meta of every export and printed in the
 			// embedded README.
 			Export: services.NewExportService(pool, branding.Name),
+			// t-paliad-265 / m/paliad#96 — per-event-card optional choices.
+			EventChoice: services.NewEventChoiceService(pool, projectSvc, users),
+		}
+
+		// t-paliad-246 Slice A — Backup Mode runner. Wired only when
+		// PALIAD_EXPORT_DIR is set (LocalDiskStore needs a target
+		// directory). Without it the /admin/backups handlers return 503
+		// in the same shape as Paliadin's gate. The directory is created
+		// (0700) on first use; a malformed path fails fast at boot so
+		// misconfig surfaces before the server starts taking traffic.
+		if exportDir := strings.TrimSpace(os.Getenv("PALIAD_EXPORT_DIR")); exportDir != "" {
+			store, err := services.NewLocalDiskStore(exportDir)
+			if err != nil {
+				log.Fatalf("PALIAD_EXPORT_DIR: %v", err)
+			}
+			svcBundle.Backup = services.NewBackupRunner(pool, svcBundle.Export, store)
+			log.Printf("backup: LocalDiskStore at %s (/admin/backups active)", exportDir)
+		} else {
+			log.Println("PALIAD_EXPORT_DIR not set — /admin/backups will return 503")
 		}
 
 		// t-paliad-219 Slice A3 — stitch DashboardService → ApprovalService

cmd/server/main_smoke_test.go

@@ -98,6 +98,51 @@ func TestBootSmoke(t *testing.T) {
 	if body := strings.TrimSpace(rec.Body.String()); body != "ok" {
 		t.Errorf("GET /healthz: body=%q; want \"ok\"", body)
 	}
+
+	// (4) Readiness probe. With a nil Services bundle the endpoint MUST
+	// report 503 — that's the contract documented in handlers/handlers.go.
+	// A separate svc-with-Pool case is exercised in TestHealthReady (live).
+	rec = httptest.NewRecorder()
+	req = httptest.NewRequest(http.MethodGet, "/health/ready", nil)
+	mux.ServeHTTP(rec, req)
+	if rec.Code != http.StatusServiceUnavailable {
+		t.Errorf("GET /health/ready (nil svc): status=%d; want 503", rec.Code)
+	}
+}
+
+// TestHealthReady_Live asserts the readiness probe answers 200 when the
+// pool is reachable, 503 when it isn't. Requires TEST_DATABASE_URL.
+//
+// Why a separate test: TestBootSmoke runs Register with svc=nil to keep
+// its setup minimal; the pool-reachable path needs the pool wired in
+// through svc.Pool. Two tests, two assertions, no entanglement.
+func TestHealthReady_Live(t *testing.T) {
+	url := os.Getenv("TEST_DATABASE_URL")
+	if url == "" {
+		t.Skip("TEST_DATABASE_URL not set — skipping live readiness probe")
+	}
+
+	if err := db.ApplyMigrations(url); err != nil {
+		t.Fatalf("db.ApplyMigrations: %v", err)
+	}
+	pool, err := db.OpenPool(url)
+	if err != nil {
+		t.Fatalf("open pool: %v", err)
+	}
+
+	mux := http.NewServeMux()
+	authClient := auth.NewClient("https://test.invalid", "anon-key", []byte("test-secret"))
+	handlers.Register(mux, authClient, "", &handlers.Services{Pool: pool})
+
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/health/ready", nil)
+	mux.ServeHTTP(rec, req)
+	if rec.Code != http.StatusOK {
+		t.Errorf("GET /health/ready (live pool): status=%d, body=%q; want 200", rec.Code, rec.Body.String())
+	}
+	if body := strings.TrimSpace(rec.Body.String()); body != "ready" {
+		t.Errorf("GET /health/ready (live pool): body=%q; want \"ready\"", body)
+	}
 }
 
 // embeddedMigrationVersions returns every N where N_*.up.sql exists in

docker-compose.yml

@@ -42,5 +42,14 @@ services:
       - AICHAT_URL=${AICHAT_URL:-}
       - AICHAT_TOKEN=${AICHAT_TOKEN:-}
       - AICHAT_PERSONA=${AICHAT_PERSONA:-paliadin}
+      # Backup Mode (m/paliad#77 Slice A). Local-disk export target; the
+      # paliad_exports named volume below persists it across container
+      # restarts. Unset → /admin/backups returns 503 (BackupService gate).
+      - PALIAD_EXPORT_DIR=${PALIAD_EXPORT_DIR:-/var/lib/paliad/exports}
       # - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}  # Phase H (AI Frist-Extraktion), currently deferred
+    volumes:
+      - paliad_exports:/var/lib/paliad/exports
     restart: unless-stopped
+
+volumes:
+  paliad_exports:

docs/cicd-runner-setup-2026-05-25.md

@@ -0,0 +1,181 @@
+# CI/CD runner setup — paliad
+
+**Companion to:** `docs/design-cicd-pre-deploy-gate-2026-05-25.md` (Slice A, t-paliad-282 / m/paliad#114)
+**Date:** 2026-05-25
+**Audience:** mlake / mriver admin (m or head)
+
+Slice A's `.gitea/workflows/test.yaml` requires (a) at least one online Gitea Actions runner and (b) a Dokploy API token wired as a repo secret. Both are one-time setup actions that paliad's source tree cannot perform itself — they live on infra-side. This doc lists them so the workflow can go green on its first run.
+
+---
+
+## 0. Pre-flight: what already exists
+
+Verified live (2026-05-25 cronus inventor shift):
+
+- Gitea 1.24.4 on `mgit.msbls.de`, `has_actions: true` on `m/paliad`.
+- `/api/v1/admin/actions/runners` reports **2 runners** registered. They are likely the shared runners used by `m/mGreen` and `m/mGeo` (both have `.gitea/workflows/deploy.yml` with `runs-on: self-hosted`).
+- `m/paliad/actions/tasks` reports `total_count=0` — paliad has never run a workflow yet.
+
+The existing runners may already be capable of running paliad's workflow without further setup. The verification step (§3) below tells you whether they are.
+
+---
+
+## 1. Runner placement decision (m's Q11.1)
+
+m's pick: **mriver**.
+
+Rationale: mriver hosts the mai worker fleet but workers spend most of their time waiting on Anthropic. mlake's Dokploy + Swarm workload is more contended. A new runner on mriver adds the least pressure to either box.
+
+If mriver is offline or saturated when CI first fires, fall back to the existing mlake-side runners (they're already registered; no provisioning needed).
+
+---
+
+## 2. One-time setup (admin steps)
+
+### 2.1 Register a new Gitea Actions runner on mriver
+
+```bash
+# On mriver, as m:
+# 1. Download the act_runner binary (matching Gitea 1.24.x)
+curl -L -o /usr/local/bin/act_runner \
+  https://gitea.com/gitea/act_runner/releases/download/v0.2.13/act_runner-0.2.13-linux-amd64
+chmod +x /usr/local/bin/act_runner
+
+# 2. Get a runner registration token. In the Gitea UI:
+#    /admin → Actions → Runners → "Create new Runner"
+#    (or org-scope: /m/paliad/settings/actions/runners)
+# Copy the token.
+
+# 3. Register
+mkdir -p ~/act_runner && cd ~/act_runner
+act_runner register --no-interactive \
+  --instance https://mgit.msbls.de \
+  --token <REGISTRATION_TOKEN> \
+  --name mriver-paliad-1 \
+  --labels ubuntu-latest:docker://node:20-bookworm
+
+# 4. Run as a systemd unit (preferred) or as a session daemon
+# Systemd unit example: /etc/systemd/system/act_runner.service
+#   [Unit]
+#   Description=Gitea Actions runner
+#   After=network.target
+#   [Service]
+#   User=m
+#   WorkingDirectory=/home/m/act_runner
+#   ExecStart=/usr/local/bin/act_runner daemon
+#   Restart=on-failure
+#   [Install]
+#   WantedBy=multi-user.target
+sudo systemctl enable --now act_runner
+sudo systemctl status act_runner
+```
+
+**Why `ubuntu-latest:docker://node:20-bookworm` for the label?** Gitea Actions' `runs-on: ubuntu-latest` resolves via the runner's label map. Mapping it to a Docker image gives the workflow a sandbox with Docker available — required for our Postgres service container in `test.yaml`. mriver should have Docker (for `paliadin-shim`); if not, install it.
+
+### 2.2 Register the Dokploy API token as a repo secret
+
+The workflow's `deploy` job needs `secrets.DOKPLOY_TOKEN`. Use the existing project-wide Dokploy API key (the one stored in `~/.claude/skills/mai-dokploy/SKILL.md`).
+
+In the Gitea UI:
+- Navigate to `https://mgit.msbls.de/m/paliad/settings/actions/secrets`
+- Click "Add secret"
+  - Name: `DOKPLOY_TOKEN`
+  - Value: `mai-ottosSyRHMhmLhhhXaCbKzbqKBuSqzqEtmKDOPelPCeimTaYsbmaVslVyEgJZGCIxVdz`
+
+Or via API (mAi identity):
+```bash
+curl --netrc-file ~/.netrc-mai -sS -X POST \
+  -H "Content-Type: application/json" \
+  https://mgit.msbls.de/api/v1/repos/m/paliad/actions/secrets/DOKPLOY_TOKEN \
+  -d '{"data":"mai-ottosSyRHMhmLhhhXaCbKzbqKBuSqzqEtmKDOPelPCeimTaYsbmaVslVyEgJZGCIxVdz"}'
+```
+
+(Requires repo-owner permission. If mAi lacks it, m runs it.)
+
+---
+
+## 3. Verify the runner sees the workflow
+
+After (2.1) + (2.2):
+
+```bash
+# Push the Slice A branch (the one this doc lives on)
+git push origin mai/cronus/coder-cicd-slice-a
+
+# Confirm the runner picked up the job
+curl --netrc-file ~/.netrc-mai -sS \
+  "https://mgit.msbls.de/api/v1/repos/m/paliad/actions/tasks?limit=5" | jq '.'
+```
+
+A new task per job should appear (build, test-go). If `total_count` stays 0, the runner labels don't match the workflow's `runs-on`. Re-register with `--labels ubuntu-latest` (no docker:// suffix) and the existing runners on mlake will pick it up via shell mode.
+
+---
+
+## 4. Soft-launch (m's Q11.4)
+
+m's pick: **keep both Dokploy auto-deploy and the workflow's deploy step alive for ~1 week. After ≥5 successful green deploys via the workflow, disable Dokploy's autoDeploy in the Dokploy UI for the paliad compose.**
+
+While both are live, every push to main fires:
+1. Dokploy webhook (existing path) → deploys immediately, no gate.
+2. Gitea workflow → on green, ALSO calls `compose.deploy`.
+
+The second call is idempotent — if Dokploy already deployed the same commit, this is a no-op. The workflow's value during soft-launch is the **gate signal**: a red workflow on a green main = the bad migration shipped via the unguarded webhook and broke prod, and the workflow is shouting about it.
+
+After confidence builds:
+1. In the Dokploy UI, navigate to the paliad compose → Settings.
+2. Toggle "Auto Deploy" off.
+3. Save.
+
+From this point, the only path to deploy is the workflow's deploy job. Red workflow = no deploy.
+
+---
+
+## 5. What Slice A catches today — and what it doesn't
+
+After this branch (`mai/cronus/coder-cicd-slice-a`) merges to main:
+
+### Catches (active in CI)
+
+- **Build breakage** — `go build`, `go vet`, `bun run build`. Red gate, no deploy.
+- **Slot collisions** — `TestMigrations_NoDuplicateSlot` runs without a DB. A PR adding migration N when version N already exists fails at gate time. This is the brunel-class catch (m/paliad#114 ~13:20 outage).
+- **New-migration shape errors (hermes class)** — `TestBootSmoke` runs `ApplyMigrations` against the snapshot-restored DB. New migs from this PR get applied for real; any column/relation/syntax error fails the gate before merge.
+- **New-migration ownership errors (mig 129 42501 class)** — `TestMigrations_EndToEndAsAppRole` runs `ApplyMigrations` connected as `postgres` (NON-superuser on `supabase/postgres:15.8.1.060`, same role topology as youpc-supabase prod). Any migration that assumes supabase_admin privilege fails with the same `42501 must be owner` error class that took paliad.de offline on 2026-05-25.
+- **Readiness probe regressions** — `TestHealthReady_Live` confirms `/health/ready` returns 200 against a live pool, 503 against a nil pool.
+- **Pure-Go test regressions** — `go test ./internal/... ./cmd/...` runs without `TEST_DATABASE_URL` (live-DB service tests skip the same way they do on a developer laptop without a scratch DB).
+
+### Mechanism — the snapshot approach
+
+CI's scratch DB starts from a `pg_dump` of youpc-supabase paliad schema +
+`paliad.applied_migrations` rows, committed to `internal/db/testdata/prod-snapshot.sql`. After restore, the scratch DB is at "paliad HEAD of snapshot" and `ApplyMigrations` sees only this PR's new migrations as pending.
+
+This sidesteps the fresh-DB idempotence problem: several historical migrations (notably mig 037's missing `CREATE EXTENSION pg_trgm`, mig 051's inner `COMMIT;`) can't be replayed from scratch against `supabase/postgres:15.8.1.060`. The snapshot pins everything that's already applied in prod and lets CI focus on what's new — which is what we actually care about for outage prevention.
+
+Snapshot refresh: `make refresh-snapshot` with `PALIAD_PROD_DATABASE_URL` set (see `internal/db/testdata/README.md`).
+
+### Known gap — live-DB service tests don't run in CI
+
+`internal/services/*_test.go` tests with `TEST_DATABASE_URL` set fail against `supabase/postgres:15.8.1.060` with `42P08 inconsistent types deduced for parameter` errors on some INSERT bind paths. The same tests pass against youpc-supabase prod. Cause is unconfirmed — likely subtle differences in type inference between the dockerized image and the prod cluster's configuration. CI today runs `go test ./...` without `TEST_DATABASE_URL` so these tests skip. Not blocking outage prevention; tracked as a follow-up for the post-Slice-A coder.
+
+### Migration cleanup also bundled in this PR
+
+Two surgical migration improvements that surfaced during snapshot debugging — kept here because they're small and harmless:
+
+- **mig 024 + 027** — `ALTER INDEX` / `ALTER POLICY` exception handlers now catch `undefined_object` OR `undefined_table` OR `duplicate_object`. Old handler caught only `undefined_object`; Postgres raises `undefined_table` when the source object never existed and `duplicate_object` when the destination already exists. The expanded handler makes the migrations truly idempotent across the three plausible states: source-still-German (rename succeeds), already-renamed (catches duplicate_object), and fresh-DB-never-had-German (catches undefined_table).
+
+Other migration history bugs (mig 037 missing pg_trgm, mig 051 inner COMMIT) are tracked as a separate cleanup task — not blocking, because the snapshot bypasses them.
+
+### Verification checklist (after Slice A merges)
+
+1. **Workflow green on its first PR run?** Check `/m/paliad/actions`. If not, fix before merging.
+2. **Dokploy `compose.deploy` call succeeds?** The workflow's `deploy` job logs the POST response. A successful response is a Dokploy job ID; a 4xx is an auth or compose-id problem.
+3. **`/health/ready` returns 200 within 5 minutes after a green deploy?** The workflow polls this. If it times out, the migration may have failed silently inside the new container — check `docker logs --tail 50 compose-transmit-multi-byte-driver-v7jth9-web-1` on mlake.
+4. **Reproduce the slot-collision catch locally:** rename `131_…up.sql` to `129_…` (duplicate slot) → workflow MUST fail at `Migration coordination check`. Revert before pushing.
+5. **Reproduce the role-split catch locally:** add a no-op migration `132_test_supersedes.up.sql` containing `REINDEX SYSTEM paliad_scratch;` (requires superuser). Workflow MUST fail at `Migration end-to-end (deploy role)`. Revert before pushing.
+
+---
+
+## 6. Future polish (Slice D, m's Q4 R-pick)
+
+`mai-test` post-merge shift: once Slice A is stable, wire a Gitea webhook on push-to-main that fires `/mai-test` as a follow-up shift. It runs the broader smoke + integration suite and posts results as a Gitea commit status. Not blocking; the gate doesn't depend on it.
+
+Implementation belongs in `m/mAi` (the mai webhook handler), not in paliad. Out of scope for Slice A.

docs/design-date-range-picker-2026-05-25.md

@@ -0,0 +1,856 @@
+# Symmetric date-range picker — design
+
+**Date:** 2026-05-25
+**Task:** t-paliad-248 (Gitea m/paliad#79)
+**Inventor:** atlas
+**Branch:** `mai/atlas/inventor-symmetric-date`
+**Status:** READ-ONLY design. Awaiting head's go/no-go before coder shift.
+
+---
+
+## §0 TL;DR
+
+Today paliad has **three independent date-range schemes** scattered across surfaces:
+
+1. **`/agenda`** — future-only chip row [7|14|30|90 Tage], state `rangeDays`.
+2. **`/admin/audit-log`** — past-only `<select>` [24h|7d|30d|custom|all] + manual `<input type="date">` pair.
+3. **`/projects/:id/chart`** — symmetric `RangePreset` [1y|2y|all|custom] + manual date pair.
+
+…plus a **fourth, unified `TimeHorizon` contract** (`internal/services/filter_spec.go`, mirrored in `frontend/src/client/views/types.ts`) that's used by the filter-bar, Verlauf, Custom Views, and InboxFilterBar — but its "Anpassen" custom-range chip is still stubbed (`filter-bar/axes.ts:105-112`, marked Phase 2, disabled, "coming soon" tooltip).
+
+The fix is **not** "build a fourth scheme." The fix is to **finish the TimeHorizon contract** (add `past_14d`, `next_14d`, `past_all`, `next_all`), build **one reusable `<DateRangePicker>`** that emits a `TimeSpec`, then migrate the three legacy affordances to it.
+
+**Layout (m's brief, locked):**
+
+```
+┌──────────────────────────────────────────────────────────────┐
+│ [Zeitraum: Nächste 30 Tage ▾]                                │
+└──────────────────────────────────────────────────────────────┘
+                ↓ click to open
+┌──────────────────────────────────────────────────────────────┐
+│  Vergangenheit          (ALLE)          Zukunft              │
+│  [Ganze Vergangenheit] [⌖ ALLE] [Ganze Zukunft]              │
+│  [90 T] [30 T] [14 T] [7 T]   [7 T] [14 T] [30 T] [90 T]     │
+│                                                              │
+│  ── oder benutzerdefiniert ──                                │
+│  Von [____.____.____]  Bis [____.____.____]   [Anwenden]     │
+└──────────────────────────────────────────────────────────────┘
+```
+
+**Slice plan:**
+
+- **Slice A** — `<DateRangePicker>` component + 4 new horizon constants (`past_14d`, `next_14d`, `past_all`, `next_all`). Wired onto filter-bar `time` axis first (lights up Verlauf + InboxFilterBar + views simultaneously by replacing the stubbed Phase-2 chip).
+- **Slice B** — `/agenda` migrates (highest-traffic standalone consumer).
+- **Slice C** — `/admin/audit-log` + `/projects/:id/chart` migrate. Each surface picks the preset subset it cares about.
+- **Slice D** *(optional, later)* — upckommentar-style two-handle slicer replaces the inline date-pair for the "custom" mode.
+
+**Hard rules honoured:**
+
+- No new top-level table or migration in Slice A — purely additive enum values + Go switch arms.
+- No new dependency in Slice A — slicer is deferred (it's a non-trivial port from Svelte to paliad's plain TSX renderer).
+- Backward-compatible URL shape — each surface keeps its current short-alias parser (e.g. `?range=30` → `horizon=next_30d`) and additionally accepts the canonical `?horizon=…&from=…&to=…`.
+
+---
+
+## §1 Current state — every date-range affordance
+
+Cataloguing **every** place a paliad user picks a past/future window, with file:line refs.
+
+### 1.1 `/agenda` — future-only chip row
+
+`frontend/src/agenda.tsx:64-67`:
+
+```tsx
+<button className="agenda-chip" data-range="7"  >7 Tage</button>
+<button className="agenda-chip" data-range="14" >14 Tage</button>
+<button className="agenda-chip" data-range="30" >30 Tage</button>
+<button className="agenda-chip" data-range="90" >90 Tage</button>
+```
+
+State machine `frontend/src/client/agenda.ts:80-104`:
+
+- `state.rangeDays ∈ {7,14,30,90}` (set `VALID_RANGES`). Default `30`.
+- URL: `?range=30&types=…&event_type=…`.
+- Fetch: `GET /api/agenda?from=<today>&to=<today+rangeDays-1>&types=…`.
+- **Future-only by construction** — m's complaint applies precisely here. No "past 7 days" affordance, no "all" affordance.
+
+### 1.2 `/admin/audit-log` — past-only `<select>` + manual date pair
+
+`frontend/src/admin-audit-log.tsx:50-65`:
+
+```tsx
+<select id="audit-range">
+  <option value="24h">Letzte 24h</option>
+  <option value="7d" selected>Letzte 7 Tage</option>
+  <option value="30d">Letzte 30 Tage</option>
+  <option value="custom">Benutzerdefiniert</option>
+  <option value="all">Alles</option>
+</select>
+<!-- custom toggles a date-pair: -->
+<input type="date" id="audit-from" />
+<input type="date" id="audit-to" />
+```
+
+State machine `frontend/src/client/admin-audit-log.ts:135-174`:
+
+- `rangePresetToFrom(preset)` converts `"24h" | "7d" | "30d"` → `Date`. `"custom"` reads `from`/`to` inputs. `"all"` clears both bounds.
+- URL: `?source=…&range=7d&q=…&from=…&to=…&limit=…&before_ts=…&before_id=…` (cursor-paged).
+- **Past-only by construction.** No future-projection — this is an audit log, looking forward makes no sense.
+
+### 1.3 `/projects/:id/chart` — symmetric `RangePreset`
+
+`frontend/src/client/views/types.ts:77-79`:
+
+```ts
+range_preset?: "1y" | "2y" | "all" | "custom";
+range_from?: string;
+range_to?: string;
+```
+
+UI `frontend/src/projects-chart.tsx:78-82`:
+
+```tsx
+<input type="date" id="projects-chart-range-from" />
+<input type="date" id="projects-chart-range-to" />
+```
+
+State machine `frontend/src/client/projects-chart.ts:73-118`:
+
+- `rangeFromURL()` → `{preset, from?, to?}` with default `"1y"`.
+- "1y" = `today-1y..today+1y`, "2y" = `today-2y..today+2y`, "all" derived from loaded events, "custom" = read inputs.
+- URL: `?range=1y&from=YYYY-MM-DD&to=YYYY-MM-DD`.
+- **Symmetric around today** by construction — this is a chart, not a filter; the user is panning a viewport, not picking a fan.
+
+### 1.4 `views-editor.tsx` (Custom Views config form)
+
+`frontend/src/views-editor.tsx:102-109`:
+
+```tsx
+<select id="editor-time-horizon">
+  <option value="next_7d">Nächste 7 Tage</option>
+  <option value="next_30d">Nächste 30 Tage</option>
+  <option value="next_90d">Nächste 90 Tage</option>
+  <option value="past_30d">Letzte 30 Tage</option>
+  <option value="past_90d">Letzte 90 Tage</option>
+  <option value="any">Beliebig</option>
+</select>
+```
+
+- Mixes past + future, but only 5 horizons exposed (no 14d, no past_7d, no all).
+- Persists into `paliad.user_views.filter_spec` (JSON column) as a `TimeSpec`.
+- **This is the closest existing affordance to m's symmetric fan**, but rendered as a plain `<select>` and incomplete.
+
+### 1.5 Filter-bar `time` axis (riemann's t-paliad-163 Phase 1)
+
+`frontend/src/client/filter-bar/axes.ts:65-115`:
+
+- Renders a chip cluster: `[next_7d, next_30d, next_90d, past_30d, any]` (default presets, line 77-79).
+- **"Anpassen" chip is disabled** with `coming_soon` tooltip (line 108-112). This is the documented Phase 2 substrate.
+- Surfaces declaring axis `time` thread their own preset list via `RenderAxisOpts.timePresets` — e.g. Verlauf overrides to `["past_7d","past_30d","past_90d","any"]` (`frontend/src/client/projects-detail.ts:2310`).
+
+Consumers:
+- `/projects/:id` Verlauf (`projects-detail.ts:2296` initial state, 2310 preset override).
+- `/views` and `/views/:id` (Custom Views runtime).
+- `/inbox` (`InboxFilterBar` flow — t-paliad-138/139 derived inbox).
+
+### 1.6 `horizonBounds()` — the materializer
+
+`frontend/src/client/projects-detail.ts:393-406` mirrors the Go-side `computeViewSpecBounds()` (`internal/services/view_service.go:156-187`):
+
+```ts
+case "past_7d":  return { from: offset(-7),  to: offset(1) };
+case "past_30d": return { from: offset(-30), to: offset(1) };
+case "past_90d": return { from: offset(-90), to: offset(1) };
+case "next_7d":  return { from: day,         to: offset(7) };
+case "next_30d": return { from: day,         to: offset(30) };
+case "next_90d": return { from: day,         to: offset(90) };
+default:         return {};
+```
+
+(Backend equivalent: `internal/services/view_service.go:160-186`.)
+
+### 1.7 Single-date inputs (NOT date-range — listed for completeness)
+
+These are out of scope but mentioned so the audit is exhaustive:
+
+- `verfahrensablauf.tsx:174` — `#trigger-date` (calculator anchor).
+- `fristenrechner.tsx:496,504,616` — `#trigger-date`, `#priority-date`, `#event-date` (calculator).
+- `admin-rules-edit.tsx:265` — `#preview-trigger-date`.
+- `deadlines-detail.tsx:82` — `#deadline-due-edit` (inline-edit).
+- `deadlines-new.tsx:116` — `#deadline-due` (form).
+- `appointments-new.tsx`, `appointments-detail.tsx` — `start_at`/`end_at`.
+- `projects-detail.tsx:181` — `#smart-timeline-milestone-date` (add-milestone modal).
+- `components/ProjectFormFields.tsx:134,138` — `#project-filing-date`, `#project-grant-date`.
+
+### 1.8 Summary matrix
+
+| Surface | Direction | Presets | Custom | URL contract | Default |
+|---|---|---|---|---|---|
+| `/agenda` | Future | 7\|14\|30\|90 | — | `?range=N` | 30d |
+| `/admin/audit-log` | Past | 24h\|7d\|30d\|all + custom | date pair | `?range=…&from=…&to=…` | 7d |
+| `/projects/:id/chart` | Symmetric ±N | 1y\|2y\|all + custom | date pair | `?range=…&from=…&to=…` | 1y |
+| `/views/:id` editor | Past+Future mix | next_7d\|next_30d\|next_90d\|past_30d\|past_90d\|any | — | persisted JSON | next_30d |
+| Filter-bar `time` axis | Past+Future mix | next_7d\|next_30d\|next_90d\|past_30d\|any | **stubbed** | persisted + `?…__time_from=` | per surface |
+| Verlauf | Past + any | past_7d\|past_30d\|past_90d\|any | **stubbed** | URL | past_30d |
+| InboxFilterBar | Mix | filter-bar default | **stubbed** | URL | per surface |
+
+Three of seven surfaces have **incomplete** custom-range affordances. None of the seven exposes the full symmetric fan m wants.
+
+---
+
+## §2 upckommentar slicer pattern
+
+Verified by reading source at `/home/m/dev/web/upc-kommentar/src/lib/`:
+
+- **`DateRangeSlider.svelte`** (component, 448 lines).
+- **`date-range-slider-pure.ts`** (pure-math helpers, 487 lines, fully unit-tested).
+- **`InboxFilterBar.svelte`** (host).
+
+### 2.1 What it is
+
+A **two-handle range slider** that wraps `svelte-range-slider-pips` (npm: `svelte-range-slider-pips@4`). The slider's rail is the upckommentar floor (`2023-01-01`) to today, and the two handles define `dateFrom` and `dateTo`. Step is **1 day** regardless of zoom.
+
+Public contract (DateRangeSlider.svelte:57-82):
+
+```ts
+interface Props {
+  minISO: string;                 // axis lower bound, default 2023-01-01
+  maxISO: string;                 // axis upper bound, today
+  fromISO: string | null;         // current From (null = parked at min)
+  toISO: string | null;           // current To   (null = parked at max)
+  onChange: (from, to) => void;   // emits on every slider change
+  testid?: string;
+  axisWidthPx?: number;           // test override for jsdom
+}
+```
+
+### 2.2 Anchor rail + granularity
+
+Below the slider rail is a **custom-rendered anchor rail** (the lib's own pips are hidden via `pips={false}` because they're evenly-spaced approximations — issue #42 in upckommentar). Anchor day-numbers come from `pipAnchorsFor(granularity, minDay, maxDay)`:
+
+- **year:** every Jan 1 in range.
+- **month:** every 1st-of-month.
+- **day:** every Monday.
+
+Edges (`minDay`, `maxDay`) are always anchors so the user can park at the slider's extremes.
+
+Granularity has **+/- zoom buttons** in the top-right of the slider (`year → month → day`), with each level showing more anchors.
+
+### 2.3 Click-to-snap (left half / right half)
+
+`DateRangeSlider.svelte:219-240` + pure helper `endOfPeriodDay()`:
+
+- **Left half of an anchor label** → snap closest handle to **start** of period (the anchor day itself, e.g. Jan 1).
+- **Right half of the same label** → snap to **end** of period (Dec 31 for year, last-of-month for month, Sunday for day).
+- Keyboard activation falls back to left-half (start-of-period) deterministically.
+
+### 2.4 Label thinning + two-row alternation
+
+`pipLabelStrideFor()` + `pipLabelRow()` (pure helpers):
+
+- Measures rail width via `ResizeObserver`.
+- Computes a stride — only every Nth label is rendered.
+- Adjacent rendered labels alternate row 0 / row 1 (~1.1em offset down) so they can sit closer horizontally without colliding.
+
+### 2.5 Handle behaviour
+
+- `range=true` draws a colored bar between handles.
+- `draggy=true` lets the user drag the **bar itself** to shift the window without changing its width.
+- `pushy=true` — handles push each other when crossed.
+- `float=true` — tooltip floats above the dragged handle showing `DD.MM.YYYY`.
+
+### 2.6 URL contract on host
+
+`InboxFilterBar.svelte` debounces `onChange` at 250ms, then writes:
+
+```
+?date_from=2024-03-15&date_to=2024-09-30
+```
+
+When a handle is parked at min/max, that bound is **omitted** from the URL (`valuesToFromTo()` in the pure module). So `?date_from=2024-03-15` alone means "from March 15 onwards, no upper bound."
+
+### 2.7 What's worth borrowing for paliad
+
+| Element | Borrow? | Why |
+|---|---|---|
+| Two-handle drag | **Yes — but defer to Slice D** | Excellent fine-tune UX. Non-trivial to port without `svelte-range-slider-pips` (or a Svelte ↔ TSX adapter). |
+| Anchor rail with click-to-snap | Yes (in Slice D) | Year/month/Monday anchors are the right granularities. |
+| Label thinning + two-row alternation | Yes (in Slice D) | Makes the rail readable at any width. |
+| Granularity + zoom +/- | Yes (in Slice D) | Single most useful interaction; users don't drag pixel-precise. |
+| Epoch-day pure math | Yes — verbatim | The `date-range-slider-pure.ts` module is well-tested and dependency-free. Port to TS in paliad's pure-helper layer. |
+| `null` = parked at edge | Yes — already aligned | TimeHorizon's `past_all` / `next_all` map cleanly to "one bound parked at infinity." |
+| The library `svelte-range-slider-pips` itself | **No** | Adds a Svelte dependency to a non-Svelte project. Slice D would build a tiny equivalent on top of `<input type="range">` × 2 + CSS — or vendor the lib's pure parts. |
+
+### 2.8 What does NOT apply to paliad
+
+- **Floor at 2023-01-01.** upckommentar starts at the UPC's first day. paliad has decade-old patents and future-projecting deadlines; the axis must extend in both directions. We use `today ± 5 years` as the default visible range with `past_all` / `next_all` chips to escape it.
+- **Single granularity locked per session.** upckommentar's UI shows one of year/month/day at a time. paliad's typical use ("next 30 days for the deadline list") doesn't benefit from a zoom; the chips ARE the granularity. Slicer in Slice D only opens when the user picks "Anpassen" — at which point the zoom UI makes sense.
+
+---
+
+## §3 Component design — `<DateRangePicker>`
+
+### 3.1 Public API
+
+```ts
+type TimeHorizonExt =
+  | "next_7d"  | "next_14d" | "next_30d" | "next_90d" | "next_all"
+  | "past_7d"  | "past_14d" | "past_30d" | "past_90d" | "past_all"
+  | "any" | "custom";
+
+interface DateRangePickerProps {
+  // Current state. The component is fully controlled.
+  value: TimeSpec;
+  onChange: (next: TimeSpec) => void;
+
+  // Per-surface preset filter — omit a chip by leaving it out of the array.
+  // Default: all symmetric chips + "any" + "custom".
+  presets?: TimeHorizonExt[];
+
+  // Closed-state button label override. Defaults to the i18n key for value.horizon
+  // (e.g. "Letzte 30 Tage"). Override for surfaces that want a heading prefix
+  // like "Zeitraum: Letzte 30 Tage".
+  labelPrefix?: string;
+
+  // i18n strings consumed via the i18n.ts dictionary. No props for individual labels.
+  // Localisation flows through existing data-i18n attributes.
+
+  // Surface tag — used to derive a stable testid and URL-param namespace if
+  // the host wires URL serialization through helpers we provide (see §4).
+  surface: string;          // e.g. "agenda" | "audit-log" | "filter-bar"
+
+  // Mode — popover (default) or modal (rare).
+  mode?: "popover" | "modal";
+
+  // Anchor / placement for popover mode. Defaults to "below".
+  placement?: "below" | "above" | "right";
+}
+```
+
+`TimeSpec` mirrors the existing shape (`internal/services/filter_spec.go:107-112`), extended with the 4 new horizon values:
+
+```ts
+interface TimeSpec {
+  horizon: TimeHorizonExt;
+  field?: "auto" | "created_at";
+  from?: string;            // ISO YYYY-MM-DD; set only when horizon === "custom"
+  to?: string;
+}
+```
+
+### 3.2 States
+
+The component is a small state machine:
+
+```
+closed ────[click button]────► open
+  ▲                              │
+  └──[click outside / Esc]───────┘
+                                 │
+       open ───[click chip]──── closed (commit immediately)
+                                 │
+       open ───[click "Anpassen"]► custom-editor
+                                 │
+       custom-editor ─[Anwenden]► closed (commit)
+       custom-editor ─[Esc]─────► open
+```
+
+- **closed** — single button with current selection label and a chevron `▾`. No outline/highlight unless the value is not the default for this surface.
+- **open** — popover anchored below the button (or below-then-flip-up on viewport-bottom). Contains the symmetric chip row + ALL center + "Anpassen" sub-section.
+- **custom-editor** — replaces the "Anpassen" link with two `<input type="date">` + "Anwenden" / "Abbrechen" buttons. (In Slice D this becomes the slicer.)
+
+### 3.3 Symmetric chip layout
+
+The popover body — full ASCII sketch:
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│  ╭ Vergangenheit ────────╮ ╭ ALLES ╮ ╭ Zukunft ───────────╮ │
+│  │ [Ganze Vergangenheit] │ │ [⌖]   │ │ [Ganze Zukunft]    │ │
+│  │ [Letzte 90 Tage]      │ │       │ │ [Nächste 7 Tage]   │ │
+│  │ [Letzte 30 Tage]      │ │       │ │ [Nächste 14 Tage]  │ │
+│  │ [Letzte 14 Tage]      │ │       │ │ [Nächste 30 Tage]  │ │
+│  │ [Letzte 7 Tage]       │ │       │ │ [Nächste 90 Tage]  │ │
+│  ╰───────────────────────╯ ╰───────╯ ╰────────────────────╯ │
+│                                                             │
+│  ── Anpassen ──────────────────────────────────────────     │
+│  Von [____.____.____]  Bis [____.____.____]   [Anwenden]    │
+└─────────────────────────────────────────────────────────────┘
+```
+
+Visual cues:
+
+- The currently-selected chip gets the **lime accent** (`--color-bg-lime-tint` background, `--color-text` text, `--color-accent` border) — matches existing `.agenda-chip-active` so we don't introduce a new active state.
+- The "ALLES" center button is **larger** than the fan chips (44px tall vs. 32px), drawn with a target-style glyph `⌖` (or `∞` — see Q3.B). Inventor pick: `⌖` plus the word "ALLES" beneath. Larger so it reads as "the no-filter affordance," not as one chip among many.
+- The two fans are visually **mirrored** — past on the left, future on the right. Both have a "Ganze …" terminal chip at the outer edge (left-most for past_all, right-most for next_all) and decreasing-magnitude chips fanning toward the center. The ordering matches the human intuition: "left = back in time, right = forward in time."
+- On viewports < 480px the popover stacks vertically (past fan above, ALL middle, future fan below). On viewports < 360px the popover becomes a modal-feeling slide-up sheet (existing inbox modal CSS pattern reusable).
+
+### 3.4 Sketch of the closed button states
+
+```
+default:    ┌─Zeitraum: Nächste 30 Tage ▾─┐
+custom:     ┌─Zeitraum: 15.03.2026 – 30.04.2026 ▾─┐
+any:        ┌─Zeitraum: Alles ▾─┐
+past_all:   ┌─Zeitraum: Ganze Vergangenheit ▾─┐
+hover/open: same + outline + bg-accent-tint
+```
+
+When the value is **not** the surface default, an additional small `●` dot appears between "Zeitraum:" and the value — the existing universal "filter is non-default" indicator used by the filter-bar.
+
+### 3.5 Keyboard
+
+- `Tab` lands on the button. `Enter`/`Space` opens the popover.
+- `Esc` from open state closes it. `Esc` from custom-editor returns to chip view (one level back).
+- Chips are focusable buttons in the natural left-to-right reading order: past_all → past_90 → past_30 → past_14 → past_7 → any (center) → next_7 → next_14 → next_30 → next_90 → next_all.
+- The custom date inputs are `<input type="date" lang="de">` — gets the OS-native picker on macOS / iOS / Android / Windows. No new custom calendar widget.
+
+### 3.6 Accessibility
+
+- The button has `aria-haspopup="dialog"` and `aria-expanded` toggled on open/close.
+- The popover has `role="dialog"` with `aria-label` = `t("date_range.dialog.label")` ("Zeitraum wählen" / "Choose date range").
+- Chips are `<button>` with `aria-pressed="true"` on the active one.
+- The two fan groups have `role="group"` + `aria-label="Vergangenheit"` / `aria-label="Zukunft"`.
+
+### 3.7 Module layout
+
+```
+frontend/src/
+├── components/
+│   └── DateRangePicker.tsx          ← TSX shell (markup only)
+├── client/
+│   ├── date-range-picker.ts         ← mount() + state machine + DOM event wiring
+│   └── date-range-picker-pure.ts    ← horizon-bounds math, label resolver, parse/serialize
+└── styles/
+    └── global.css                    ← .date-range-* classes
+```
+
+`-pure.ts` is the headless module — fully testable under `bun test`. The boot client in `-picker.ts` consumes it, mirroring the pattern used by `shape-timeline-chart.ts` + `shape-timeline-chart.test.ts` (see memory: t-paliad-173 / gauss).
+
+Pure module exports (preliminary):
+
+```ts
+export function horizonBounds(h: TimeHorizonExt, now: Date): { from?: Date; to?: Date }
+export function labelForHorizon(h: TimeHorizonExt, lang: "de"|"en"): string
+export function labelForCustom(from: string, to: string, lang: "de"|"en"): string
+export function parseURL(params: URLSearchParams): TimeSpec
+export function serializeURL(spec: TimeSpec, defaults: Partial<TimeSpec>): URLSearchParams
+export function isDefault(spec: TimeSpec, default_: TimeSpec): boolean
+```
+
+### 3.8 Go-side additions
+
+`internal/services/filter_spec.go`:
+
+```go
+// Add four new constants alongside the existing TimeHorizon block.
+HorizonNext14d  TimeHorizon = "next_14d"
+HorizonPast14d  TimeHorizon = "past_14d"
+HorizonNextAll  TimeHorizon = "next_all"
+HorizonPastAll  TimeHorizon = "past_all"
+```
+
+`internal/services/view_service.go:computeViewSpecBounds()`:
+
+```go
+case HorizonNext14d:
+    bounds.from = &startOfDay; t := startOfDay.AddDate(0, 0, 14);  bounds.to = &t
+case HorizonPast14d:
+    f := startOfDay.AddDate(0, 0, -14); bounds.from = &f;          bounds.to = &startOfTomorrow
+case HorizonNextAll:
+    bounds.from = &startOfDay
+    // bounds.to left nil  → "no upper bound"
+case HorizonPastAll:
+    bounds.to = &startOfTomorrow
+    // bounds.from left nil
+```
+
+`HorizonNextAll` and `HorizonPastAll` are **one-sided unbounded** — distinct from existing `HorizonAll` (bidirectional unbounded) and `HorizonAny` (no filter at all, same effect as `HorizonAll` for view-spec runtime but different in intent).
+
+`filter_spec.go:validate()` (line 280-292) gains the two new past/next constants in the switch.
+
+### 3.9 i18n keys
+
+Two-language matrix (DE primary, EN secondary):
+
+```
+date_range.button.label                 "Zeitraum"               / "Time range"
+date_range.button.label.custom          "Von … bis …"            / "From … to …"
+date_range.horizon.next_7d              "Nächste 7 Tage"         / "Next 7 days"
+date_range.horizon.next_14d             "Nächste 14 Tage"        / "Next 14 days"
+date_range.horizon.next_30d             "Nächste 30 Tage"        / "Next 30 days"
+date_range.horizon.next_90d             "Nächste 90 Tage"        / "Next 90 days"
+date_range.horizon.next_all             "Ganze Zukunft"          / "All future"
+date_range.horizon.past_7d              "Letzte 7 Tage"          / "Last 7 days"
+date_range.horizon.past_14d             "Letzte 14 Tage"         / "Last 14 days"
+date_range.horizon.past_30d             "Letzte 30 Tage"         / "Last 30 days"
+date_range.horizon.past_90d             "Letzte 90 Tage"         / "Last 90 days"
+date_range.horizon.past_all             "Ganze Vergangenheit"    / "All past"
+date_range.horizon.any                  "Alles"                  / "All"
+date_range.horizon.custom               "Benutzerdefiniert"      / "Custom"
+date_range.dialog.label                 "Zeitraum wählen"        / "Choose date range"
+date_range.fan.past.label               "Vergangenheit"          / "Past"
+date_range.fan.future.label             "Zukunft"                / "Future"
+date_range.center.label                 "Alles"                  / "All"
+date_range.custom.from                  "Von"                    / "From"
+date_range.custom.to                    "Bis"                    / "To"
+date_range.custom.apply                 "Anwenden"               / "Apply"
+date_range.custom.cancel                "Abbrechen"              / "Cancel"
+date_range.custom.invalid               "Bis-Datum muss nach Von-Datum liegen." / "End date must be after start date."
+```
+
+Total: 21 keys × 2 langs = 42 new entries in `i18n.ts`. Existing per-surface keys (`agenda.range.7`, `admin.audit.range.24h`, `views.bar.time.next_30d` etc.) stay until each surface migrates, then get retired.
+
+---
+
+## §4 URL / form serialization contract
+
+### 4.1 Canonical URL shape
+
+The picker writes (and reads) **canonical** params on the host's URL:
+
+```
+?horizon=next_30d
+?horizon=past_all
+?horizon=any           ← omitted if it matches the surface default
+?horizon=custom&from=2026-03-15&to=2026-04-30
+```
+
+The host page's URL-init code (`bootDateRangePicker(surface, opts)`) calls `parseURL(searchParams)` to derive the initial `TimeSpec`, then calls `serializeURL(spec, defaults)` on every change. Params equal to the surface default are **omitted** so the canonical URL stays short and dedupable — matches the existing `writeParamToURL` pattern in `projects-chart.ts:144-154`.
+
+### 4.2 Backwards-compat aliases
+
+Each migrating surface keeps its existing alias parser for the transition window:
+
+| Surface | Legacy URL | Canonical URL | Adapter |
+|---|---|---|---|
+| `/agenda` | `?range=30` | `?horizon=next_30d` | `range=N → horizon=next_${N}d` if `N ∈ {7,14,30,90}`, else `next_all` for `N>90`. Read both, write canonical. |
+| `/admin/audit-log` | `?range=7d` | `?horizon=past_7d` | `range=24h → horizon=past_1d` (new, see Q5) or kept as `past_7d` fallback. `range=all → horizon=any`. |
+| `/projects/:id/chart` | `?range=1y` | `?range=1y` (kept) | **NOT migrated to TimeHorizon** — projects-chart is symmetric-around-today. It uses DateRangePicker only for its **custom**-mode UI (the date-pair → slicer in Slice D). The 1y/2y/all presets stay surface-specific. |
+
+The Go side is unaffected by aliasing — handlers receive whatever shape they always have, and the URL alias adapter lives entirely client-side per surface. **No backend route signature changes** in Slice A.
+
+### 4.3 Custom Views (persisted JSON)
+
+`paliad.user_views.filter_spec` is a JSON column. The TimeSpec extension is additive (new enum values, no shape change). Existing rows continue to validate. Migration not needed.
+
+### 4.4 Form fields (Custom Views editor)
+
+`views-editor.tsx:102-109` migrates from `<select>` to the picker. The form submits the same FormData shape (just one extra key for custom from/to — already plumbed via TimeSpec.from / TimeSpec.to). The Go-side `parseViewForm()` (TBD by coder) gains 4 new acceptable horizon values; existing test cases continue to pass.
+
+---
+
+## §5 Migration plan
+
+### Slice A — substrate + filter-bar `time` axis
+
+**Backend** (single migration not needed — additive constants only):
+
+- `internal/services/filter_spec.go` — 4 new `TimeHorizon` constants + validate switch arms.
+- `internal/services/view_service.go` — `computeViewSpecBounds()` 4 new switch cases.
+- Pure unit tests for each new horizon (zero DB).
+
+**Frontend**:
+
+- New `frontend/src/components/DateRangePicker.tsx` + boot client + pure module.
+- New i18n keys (42 entries).
+- `frontend/src/client/filter-bar/axes.ts:renderTimeAxis()` — replace the disabled "Anpassen" stub with the picker. The chip cluster either becomes the picker's open-state (preferred) OR the chips stay flat and the picker only opens on "Anpassen" click (fallback if popover-in-bar is visually noisy). **Inventor pick (R): chips stay flat in the bar; "Anpassen" chip becomes the picker trigger. Picker emits TimeSpec back into the bar's state, same patch path.**
+
+**Surfaces lit up automatically**: Verlauf (`/projects/:id`), Custom Views (`/views`, `/views/:id`), InboxFilterBar (`/inbox`).
+
+**LoC estimate**: ~600 LoC (pure: 180 / boot: 180 / TSX: 100 / CSS: 80 / Go: 30 / tests: 240). Tests-first per `docs/design-paliad-test-strategy-2026-05-19.md`.
+
+### Slice B — `/agenda`
+
+- `agenda.tsx:51-69` — replace chip rows with `<DateRangePicker surface="agenda" presets={["next_7d","next_14d","next_30d","next_90d","next_all","custom"]} />`.
+- `client/agenda.ts:85-104` — replace `wireControls()` chip wiring with picker subscription.
+- URL alias adapter — accept `?range=N` for back-compat, emit `?horizon=…`.
+
+**LoC**: ~80 LoC delta, mostly deletion.
+
+### Slice C — `/admin/audit-log` + `/projects/:id/chart`
+
+- `admin-audit-log.tsx:50-65` — replace `<select>` + date-pair with `<DateRangePicker surface="audit-log" presets={["past_7d","past_14d","past_30d","past_90d","past_all","custom"]} />`.
+- `projects-chart.tsx:75-83` — **wrap** the existing 1y/2y/all presets in a custom-prop variant (a sibling component `<SymmetricRangePicker>` that shares the picker's popover scaffolding but emits the surface-specific `range_preset`). Or — if the head/m prefers — fold 1y/2y/all into TimeHorizon as `sym_1y` / `sym_2y` / `sym_all`. **Inventor pick (R): sibling component**, because symmetric-around-today is conceptually different from past/future fan. See §8 Q1.
+
+**LoC**: ~120 LoC for audit-log, ~80 LoC for projects-chart wrap.
+
+### Slice D *(optional, separate task)* — slicer
+
+- Add `<DateRangeSlicer>` for the custom-editor sub-pane. Built on `<input type="range">` × 2 with a custom anchor rail above, ported from `date-range-slider-pure.ts`.
+- Replaces inline date-pair when `horizon === "custom"` and `surface ∈ {agenda, audit-log, filter-bar}`. Projects-chart keeps inline date-pair OR also uses slicer — its choice.
+- No new dependency.
+- ~400 LoC including pure helpers + DOM scaffolding + tests.
+
+### Per-slice rollout
+
+| Slice | Risk | Surfaces affected | Coder profile |
+|---|---|---|---|
+| A | Low — additive only | 4 (filter-bar + 3 consumers) | Pattern-fluent Sonnet |
+| B | Low | 1 | Same coder |
+| C | Medium (projects-chart sibling) | 2 | Same coder |
+| D | Medium (new slicer) | 0 (additive on top of A) | Separate task |
+
+---
+
+## §6 Visual decisions
+
+### 6.1 Chip labels
+
+Final labels — bilingual (DE first):
+
+| Chip | DE | EN |
+|---|---|---|
+| past_all | Ganze Vergangenheit | All past |
+| past_90d | Letzte 90 Tage | Last 90 days |
+| past_30d | Letzte 30 Tage | Last 30 days |
+| past_14d | Letzte 14 Tage | Last 14 days |
+| past_7d | Letzte 7 Tage | Last 7 days |
+| any (center) | Alles | All |
+| next_7d | Nächste 7 Tage | Next 7 days |
+| next_14d | Nächste 14 Tage | Next 14 days |
+| next_30d | Nächste 30 Tage | Next 30 days |
+| next_90d | Nächste 90 Tage | Next 90 days |
+| next_all | Ganze Zukunft | All future |
+| custom | Anpassen | Customize |
+
+Rationale on "Anpassen" vs "Benutzerdefiniert":
+- "Anpassen" matches existing `views.bar.time.custom` key value in `i18n.ts`.
+- "Benutzerdefiniert" is used in admin-audit-log's dropdown — verbose, but more accurate.
+- (R): **Anpassen** (consistent with filter-bar; six chars vs. eighteen).
+
+### 6.2 Accent / active state
+
+Reuse the existing **lime accent** chip-active state (`--color-bg-lime-tint` background, `--color-accent` border, `--color-text` text). This is the established affordance for the `agenda-chip-active` class — same visual reused, no new accent token.
+
+### 6.3 The "ALLES" center button
+
+A larger, target-glyph button — visually distinct from the fan chips so the user reads it as the "no time filter" exit, not as one chip among many:
+
+```
+   ╭──────╮
+   │  ⌖   │
+   │ ALLES│
+   ╰──────╯
+```
+
+(R) glyph: `⌖` (Unicode U+2316 POSITION INDICATOR). Alternatives considered: `∞` (too math-y), `⊕` (too connect-y), `▣` (too checkbox-y), no glyph (chip then looks like every other chip). See §8 Q3.B.
+
+### 6.4 Custom-range entry
+
+In Slice A: **inline date-pair below the chip rows**, with an "Anwenden" button that commits + closes the picker. Plain `<input type="date" lang="de">` — gets the OS-native picker.
+
+In Slice D (later): same slot becomes the slicer. The chip rows remain; the slicer collapses under them so the user can switch back to a chip with one click.
+
+### 6.5 Hover / focus
+
+- Chip hover: existing `.agenda-chip:hover` (lighter background tint).
+- Chip focus-visible: 2px outline using `--color-accent`.
+- Button focus-visible: same.
+- Popover entry: 120ms fade-in via `transform: translateY(-4px) → 0` + opacity. Reduced-motion users (prefers-reduced-motion: reduce) get instant show.
+
+### 6.6 Indication that the filter is non-default
+
+The closed button shows a small `●` dot to the left of the label when the value is **not** the surface default. This matches the existing filter-bar non-default-indicator pattern (`frontend/src/client/filter-bar/index.ts` has a similar dot but on the whole bar; we adopt it per-control).
+
+---
+
+## §7 Edge cases
+
+### 7.1 Timezones
+
+All horizon math runs against **UTC `startOfDay`** of `new Date()` — same convention as `horizonBounds()` in `projects-detail.ts:393-406`. The user's browser may be in CEST in summer or CET in winter; the picker still treats "today" as a UTC date for filter purposes. The date-input localizes display (German locale → DD.MM.YYYY) but the underlying ISO is `YYYY-MM-DD` parsed as UTC midnight.
+
+Practical impact: a user in CEST clicking "Letzte 7 Tage" at 01:30 local on 2026-06-15 sees `from=2026-06-07T00:00Z, to=2026-06-15T00:00Z` even though their local clock shows the 15th. This matches every other date-filter in paliad and avoids "the same row vanishes at 01:00 vs. 23:00" surprises. Document the convention in the pure module's header comment.
+
+### 7.2 Far past truncation
+
+`past_all` materialises to `from: nil`. The Go side (view_service.go) treats nil as "no lower bound" — the SQL `WHERE due_date >= ?` clause is omitted. No truncation needed.
+
+For projects-chart's symmetric "all" mode, "all" still means **bounds derived from loaded events** (status quo) — the picker for projects-chart's surface uses the sibling `<SymmetricRangePicker>` which doesn't have `past_all`/`next_all` chips, only `1y/2y/all`.
+
+### 7.3 Overlapping selections — past_7 + next_7 simultaneously?
+
+The picker is **single-select** — one chip active at a time, OR custom mode. m's brief doesn't mention multi-select and the existing TimeSpec is single-valued. Multi-select would require a fundamental contract change. Don't.
+
+If a user genuinely wants "last 7 days OR next 7 days," they use the custom-range with `from=today-7d`, `to=today+7d` — which is what `±1w` would mean. The fact that this is two chip-clicks vs. one isn't a real ergonomic loss.
+
+### 7.4 Custom dates with from > to
+
+Validate client-side: when both inputs are filled and `from > to`, the "Anwenden" button is disabled and a hint appears: "Bis-Datum muss nach Von-Datum liegen" (i18n key `date_range.custom.invalid`). The picker does **not** auto-swap.
+
+### 7.5 Empty inputs in custom mode
+
+If the user clicks "Anpassen" then clicks elsewhere before filling inputs, the picker reverts to whatever horizon was active before (state cached on entry to custom-editor). No "half-custom" state persists.
+
+### 7.6 Surface-specific preset overrides
+
+Each surface declares its own presets via the `presets` prop. The picker hides chips not in the array. The default surface preset (read from `defaults` prop, or hardcoded if absent) is what `serializeURL()` omits from the URL.
+
+Important invariant: `defaults` must be a member of `presets`, OR be a special value like `any` that's always rendered. The component asserts this at boot and falls back to `any` if violated.
+
+### 7.7 Bilingual labels mid-session
+
+`labelForHorizon()` consults the live `i18n.ts` dictionary on every render, so a language toggle updates the picker immediately — including the closed-button label.
+
+### 7.8 Embedded picker inside a filter bar
+
+When the picker is mounted inside `filter-bar`, it should NOT use a full popover overlay — the filter bar already wraps controls. Instead the open-state's chip rows render **inline below the time chip cluster**, expanding the bar's height. This is `mode="inline"` (a third mode beyond popover/modal). Slice A picks this for filter-bar consumers; standalone surfaces (`/agenda`, `/admin/audit-log`) use popover mode.
+
+### 7.9 What happens if a saved Custom View references `past_14d` before Slice A ships?
+
+The JSON validator rejects it (`filter_spec.go:validate()` enum check). Saved views are migration-safe in one direction only — adding new enum values is fine; removing is not. Slice A adds, doesn't remove. No issue.
+
+### 7.10 Race: URL change while picker is open
+
+If the user has the picker open and a URL change happens via another control (e.g. they Cmd-Click a sidebar link), the picker is unmounted naturally with the page navigation. No state to preserve across navigations.
+
+---
+
+## §8 Open questions for m
+
+Per task brief: **no AskUserQuestion**. Material picks escalated via `mai instruct head`; everything else defaults to (R) below. The head decides whether to forward to m or rule on the spot.
+
+### Q1 [MATERIAL — escalate]: How to handle `/projects/:id/chart`?
+
+The chart's range presets are **symmetric around today** (1y / 2y / all = ±1y / ±2y / all-data-bounds), conceptually different from past/future fans. Options:
+
+- **(R) A — sibling component.** Keep a separate `<SymmetricRangePicker>` for the chart surface. Same popover scaffolding, different chip set. Chart's URL stays `?range=1y`. Doesn't add to TimeHorizon.
+- **B — fold into TimeHorizon.** Add `sym_1y`, `sym_2y`, `sym_all` constants. Picker prop selects which fan vs. symmetric. Saved views could then express "±1y" too.
+- **C — leave the chart as-is.** Don't migrate. Accept the visual inconsistency.
+
+(R) **A.** Symmetric vs fan is a real semantic difference; one component trying to be both is muddier than two components sharing scaffolding. The chart isn't a "filter" — it's a viewport, and viewports legitimately want symmetric panning.
+
+### Q2 [MATERIAL — escalate]: Modal vs popover for the standalone case?
+
+m's brief says "mini modal." Options:
+
+- **(R) A — popover always.** Anchored to the trigger button, click-outside dismiss. In-context, lightweight.
+- **B — modal for explicit "open date filter" intent.** Use a centered modal with scrim when the picker is the page's primary filter (e.g. `/admin/audit-log` where date is the most prominent control). Popover for embedded uses.
+- **C — modal everywhere.** Strong visual hierarchy, but interrupts the user.
+
+(R) **A.** Modal feels heavy for what is conceptually a chip cluster. The "mini" qualifier in m's wording suggests popover, not full modal. If a surface specifically needs the modal weight, the `mode="modal"` prop is available — but no default surface picks it.
+
+### Q3 [MATERIAL — escalate]: Slice priority — what migrates first?
+
+- **(R) A — filter-bar `time` axis first** (Slice A). Lights up 4 surfaces simultaneously (Verlauf, InboxFilterBar, views runtime, Custom Views editor) by replacing the existing Phase-2 disabled stub.
+- **B — `/agenda` first** (per task brief default). Highest-traffic standalone surface, simplest migration.
+- **C — both A and B in parallel** (head splits between two coders).
+
+(R) **A.** Filter-bar is the substrate everything else either uses or should use. Lighting it up first turns three downstream surfaces from "almost working" (the stubbed custom-range chip with "coming_soon" tooltip) to "fully working." Agenda then migrates as Slice B, on top of a proven component.
+
+### Q3.B [DEFAULT — no escalation needed]: ALL center button glyph?
+
+- **(R) `⌖`** (POSITION INDICATOR, U+2316). Implies "center / pin to here."
+- B `∞` (infinity). Mathy.
+- C `⊕` (circled plus). Looks like a button.
+- D No glyph, just "ALLES" in bold.
+
+(R) `⌖`. If the head/m doesn't like the unicode lookup, D is the safe fallback.
+
+### Q4 [DEFAULT — no escalation]: Custom-range entry in Slice A?
+
+- **(R)** Inline `<input type="date">` pair, OS-native picker. Slice D adds the slicer.
+
+### Q5 [DEFAULT — no escalation]: Past `24h` in audit-log?
+
+audit-log currently has a `24h` preset; the picker would express this as `past_1d`. Options:
+
+- **(R)** Map legacy `?range=24h` → `?horizon=past_1d`. Add a new `past_1d` constant.
+- B Drop `24h` — audit log defaults to `past_7d` like other surfaces. Users wanting "last 24h" use custom mode.
+
+(R) Add `past_1d`. It's a one-line addition and audit-log users genuinely use "last 24h" for incident triage.
+
+(Note: this means the picker actually has 5 past chips + 5 future chips + center + custom = 12 chips total, which fits comfortably in the popover.)
+
+### Q6 [DEFAULT — no escalation]: Slice D (slicer) — separate task or fold in?
+
+- **(R) Separate task.** Slice A-C are independently shippable. Slice D is meaningful design + ~400 LoC and shouldn't gate the main migration.
+
+### Q7 [DEFAULT — no escalation]: Per-surface defaults?
+
+Each migrating surface keeps its current default exactly:
+
+- `/agenda` → `next_30d` (was 30).
+- `/admin/audit-log` → `past_7d` (was 7d).
+- `/projects/:id` Verlauf → `past_30d` (was past_30d in `projects-detail.ts:2310`).
+- `/views/:id` runtime → whatever the saved view has (no change).
+- `/inbox` (InboxFilterBar) → whatever filter-bar's surface defines.
+
+### Q8 [DEFAULT — no escalation]: Should `past_14d` and `next_14d` retroactively appear in `views-editor.tsx`'s `<select>`?
+
+(R) **Yes** — once Slice A ships, the `<select>` in `views-editor.tsx` is replaced by the picker (part of Slice A, as filter-bar consumers all flip in one commit). All 12 preset values become available for new Custom Views.
+
+---
+
+## §9 Implementer notes (for the coder shift, if approved)
+
+### Lessons embedded
+
+- **TimeSpec extension is additive only** — Go enum + TS union + i18n keys + horizonBounds switch. No DB migration, no contract break.
+- **Pure module is testable under `bun test`** — no DOM needed for horizon math, label resolution, URL serialization. Aim for 95%+ coverage of the pure module before touching the boot client.
+- **Reuse `.agenda-chip` styling** — adds no new tokens, no new dark-mode contrast risk (cf. memory t-paliad-150 / fritz — fritz lost 90 minutes to a `var(--token, #hex)` fallback bug because the token wasn't defined in dark mode).
+- **`mode="inline"` for filter-bar consumers** — the bar already wraps its own popover-like layout; nesting popovers gets visually noisy.
+- **Surface defaults must be members of `presets`** — assert at boot, fail loud in dev, fall back to `any` in prod.
+
+### Recommended coder profile
+
+Pattern-fluent Sonnet. Substrate is well-trodden (TimeSpec/TimeHorizon already lives, chip-cluster CSS exists, URL-codec pattern documented in `projects-chart.ts`). The novel piece is the popover scaffolding — paliad doesn't have a generic Popover primitive today; the picker builds its own DOM-anchored overlay. ~80 LoC of plain JS, no dependency.
+
+### Build hygiene checklist
+
+- `go build ./...` clean
+- `go vet ./...` clean
+- `go test ./...` clean (existing tests must continue passing — additive constants change zero behaviour)
+- `bun run build` clean (i18n scan: 21 new keys added, all `data-i18n` attributes present)
+- bun:test covers the pure module (horizon math, label resolver, URL parser/serializer)
+- Playwright smoke (manual, not gated): on `/inbox` the time axis "Anpassen" chip is now functional; custom-from/to date pair commits a usable filter.
+
+### Out of scope for the coder
+
+- Slicer (Slice D) — separate task.
+- Per-language adjustments beyond DE/EN (per task brief, out of scope).
+- Time-of-day picking — separate concern.
+- Recurring-event windows — events feed handles separately.
+- A generic Popover primitive — extract only if a second consumer appears in the same slice.
+
+### Acceptance criteria for Slice A
+
+1. New `<DateRangePicker>` mounts on filter-bar's `time` axis, replacing the disabled "Anpassen" chip.
+2. The 4 new horizon values (`past_14d`, `next_14d`, `past_all`, `next_all`) are accepted by Go's `TimeSpec.validate()` and produce correct `(from, to)` bounds in `computeViewSpecBounds()`.
+3. The 4 new horizons round-trip through saved Custom Views (`paliad.user_views.filter_spec` JSON).
+4. URL serialization is canonical (`?horizon=…&from=…&to=…`) and surface-default values are omitted.
+5. Verlauf (`/projects/:id`), `/views`, `/views/:id`, and `/inbox` continue to function with their existing presets unchanged — they pick up the new picker but don't switch their preset list yet.
+6. Pure-module unit tests cover: 12 horizons × bound calculation; URL parse / serialize round-trip; default-omission rule; custom-mode date validation.
+7. `bun run build` reports the new i18n keys (no missing-key warnings).
+8. No regression in `go test ./internal/services/...` (existing TimeSpec tests stay green).
+
+---
+
+## §10 Material picks summary — escalation message
+
+To be sent via `mai instruct head` after this doc is pushed:
+
+> Three material picks for m on date-range-picker design:
+>
+> 1. **`/projects/:id/chart` migration** — keep symmetric (1y/2y/all) presets as a sibling component, NOT fold into TimeHorizon. Chart is a viewport, not a filter.
+> 2. **Popover vs modal** — popover by default. Modal is a `mode` prop available per surface but no surface picks it in Slice A.
+> 3. **Slice A first migrates filter-bar time axis** (lights up Verlauf + InboxFilterBar + Views + Custom-Views-editor simultaneously by un-stubbing the existing "Anpassen" chip), not `/agenda` as the task brief defaulted. `/agenda` is Slice B.
+>
+> Everything else (chip labels, accent, glyph, custom-mode entry, surface defaults, past_1d for audit, slicer-as-Slice-D, 42 i18n keys) defaults per (R) in §8. Doc at `docs/design-date-range-picker-2026-05-25.md`.
+
+---
+
+*Verified premises (live, before designing):*
+
+- `internal/services/filter_spec.go:107-126` — TimeHorizon enum at 9 values today.
+- `internal/services/view_service.go:156-187` — `computeViewSpecBounds()` switches on the same enum.
+- `frontend/src/client/views/types.ts:21-33` — TimeHorizon TS mirror; same 9 values.
+- `frontend/src/client/filter-bar/axes.ts:65-115` — chip cluster renderer; "Anpassen" stub at line 105-112 marked Phase 2, disabled, "coming_soon" tooltip.
+- `frontend/src/agenda.tsx:64-67` — chip row exact values `7|14|30|90`.
+- `frontend/src/admin-audit-log.tsx:50-65` — select exact values `24h|7d|30d|custom|all`.
+- `frontend/src/projects-chart.tsx:78-82` + `frontend/src/client/projects-chart.ts:73-118` — RangePreset `1y|2y|all|custom`, symmetric around today.
+- `frontend/src/views-editor.tsx:102-109` — select exact values `next_7d|next_30d|next_90d|past_30d|past_90d|any`.
+- `/home/m/dev/web/upc-kommentar/src/lib/components/DateRangeSlider.svelte` — 448 lines, wraps `svelte-range-slider-pips@4`, custom anchor rail above the lib's hidden pips, click-to-snap left/right halves, granularity year/month/day zoom.
+- `/home/m/dev/web/upc-kommentar/src/lib/modules/date-range-slider/date-range-slider-pure.ts` — 487 lines, fully testable pure helpers, dependency-free, portable to paliad's TS.
+
+*Not verified live:* upckommentar.de in a browser (requires author auth; the source code IS the source of truth and was read end-to-end).

docs/design-event-card-choices-2026-05-25.md

@@ -0,0 +1,492 @@
+# Design — Per-event-card optional choices on the Verfahrensablauf timeline
+
+**Author:** atlas (inventor)
+**Date:** 2026-05-25
+**Task:** t-paliad-265 (m/paliad#96)
+**Branch:** `mai/atlas/inventor-per-event-card`
+**Status:** READY FOR REVIEW — m gates inventor → coder transition.
+
+---
+
+## 0. TL;DR
+
+> **m's decisions landed 2026-05-25** — see §11. Persisted table, caret+popover, per-card-overrides-page-level, and m chose to bundle Slice A + Slice B into one coder shift (over the inventor (R) of "Slice A first"). All other picks matched inventor recommendations.
+
+The Verfahrensablauf timeline today carries **two** projection knobs at the page level — `side` (who-we-are) and `appellant` (who-initiated). Both are **global** for the whole timeline. m wants three more knobs, but **per event card**, not page-level:
+
+1. **Appellant per decision card** — if a decision is appealable, the user picks which side appealed (Claimant / Defendant / Both / None). Different decisions in the same timeline can have different appellants.
+2. **Include Nichtigkeitswiderklage on Klageerwiderung** — toggling this on a single Klageerwiderung card flips on the existing `with_ccr` flag for everything downstream of that card.
+3. **Skip an optional event** — for any rule marked `priority='optional'`, a per-card "don't consider for this case" toggle hides downstream consequences.
+
+The flow these choices drive is **already there** — `condition_expr` jsonb gates (`with_ccr`, `with_amend`, `with_cci`) plus the page-level appellant selector. What's missing is (a) **per-card** scope and (b) **per-project persistence**.
+
+Recommendation: persist choices in a new `paliad.project_event_choices` table; expose them through a popover-on-caret affordance on the relevant cards only; map them into the existing `CalcOptions.Flags` + a new per-rule `Appellants` map at projection time. Two slices: **Slice A** (appellant-per-decision + skip-optional, narrow + bounded), **Slice B** (include-CCR-on-Klageerwiderung, requires per-card flag-scoping in the projection engine — bigger).
+
+---
+
+## 1. Premises verified live (before designing)
+
+CLAUDE.md / memory / issue text can drift; the live system can't. Each load-bearing premise below was probed against the live DB or live source on 2026-05-25.
+
+### Schema
+
+- **Migration tracker at 127** (`paliad.paliad_schema_migrations`). Next migration: 128. No new table for `project_event_choices` exists today.
+- **`paliad.deadline_rules` carries `condition_expr jsonb`** already. The flag-evaluation engine (`internal/services/fristenrechner.go:208 Calculate`, `evalConditionExpr` at line ~947) walks the jsonb tree and skips rules whose gate is unsatisfied. Today's gates are `{"flag":"with_ccr"}`, `{"flag":"with_amend"}`, `{"flag":"with_cci"}`, and `{"op":"and","args":[…]}` combinations.
+- **`with_ccr` is the existing Nichtigkeitswiderklage gate.** Verified live: 7 upc.inf.cfi rules gate on it (`upc.inf.cfi.reply`, `…rejoin`, `…ccr`, `…def_to_ccr`, `…reply_def_ccr`, `…rejoin_reply_ccr`, plus `upc.inf.cfi.app_to_amend` which additionally requires `with_amend`).
+- **`priority` column** has 4 values: `mandatory`, `recommended`, `optional`, `informational`. Live counts (deadline_rules table-wide): 230 mandatory / 18 recommended / 6 optional / (informational not in count, must be 0 or absent). The "skip optional" affordance keys off `priority='optional'`.
+- **`event_type` discriminator** exists with values `filing`, `decision`, `hearing`. The "appellant-per-decision" affordance keys off `event_type='decision'`. Live: every decision rule has `primary_party='court'`.
+- **`paliad.projects.our_side`** exists (column added before mig 112; values today include `claimant|defendant|applicant|appellant|respondent|third_party|other`). It is the broad project-level side axis t-paliad-257 / #88 hooked into.
+- **NO `appellant` column on `paliad.projects`** — the appellant axis lives only in the URL query (`?appellant=claimant|defendant`) in `client/verfahrensablauf.ts:73-89`.
+
+### Frontend
+
+- `frontend/src/client/views/verfahrensablauf-core.ts` is the **shared rendering core** for both `/tools/verfahrensablauf` and `/tools/fristenrechner`. Per-card UI affordances added here surface on both pages automatically.
+- `bucketDeadlinesIntoColumns(deadlines, {side, appellant})` (line 496) is the **pure routing primitive**; column placement is computed without DOM. Unit-tested in `verfahrensablauf-core.test.ts`.
+- `deadlineCardHtml(dl, {showParty, editable, showNotes})` (line 254) is the **per-card renderer**. There is no per-card props channel for "choices" yet — that's the surface this design extends.
+- `client/verfahrensablauf.ts` and `client/fristenrechner.ts` both manage `currentSide` + `currentAppellant` in-memory and round-trip them through the URL (`writeSideToURL` / `writeAppellantToURL`). The pattern is mature; this design mirrors it for the new state when state stays URL-bound, and lifts it into a server-persisted store when state stays per-project.
+- `APPELLANT_AXIS_PROCEEDINGS` set (verfahrensablauf.ts:52-62) gates the page-level appellant selector to appeal-flavoured proceedings only. The per-card appellant affordance MUST NOT depend on this set — any first-instance decision is a potential appeal trigger (e.g. LG-Urteil → Berufung, BPatG-Entscheidung → BGH-Rechtsbeschwerde).
+
+### Surfaces in scope
+
+- **`/tools/verfahrensablauf`** — abstract browse, no project context. Per-card choices here are ephemeral (URL-bound) — there's no project to persist into.
+- **`/tools/fristenrechner`** — concrete projection, optionally project-bound via `?project=<id>` (`currentStep1Context.kind === "project"`). When project-bound, per-card choices persist to `paliad.project_event_choices`. When unbound, URL only.
+- **`/projects/{id}` Verlauf tab (SmartTimeline)** — separate widget (per `docs/design-smart-timeline-2026-05-08.md`); does **NOT** use `renderColumnsBody`. Per-card choices are NOT in scope for the SmartTimeline in v1 — the Verfahrensablauf core is.
+
+### What is NOT premised
+
+- The deadline_rules → procedural_events rename (#93) is **not assumed shipped**. This design uses `deadline_rules`/`rule_code` vocabulary throughout and flags the rename touch-points in §6.
+- The per-card UI does NOT require new server-side priority/event_type semantics. Both `priority='optional'` and `event_type='decision'` exist on every row.
+
+---
+
+## 2. Vision + scope
+
+m's vision (verbatim 2026-05-25 15:12):
+
+> We still have no choice to say that a specific party appealed. We may need selections within the event cards on the timeline to change it? For example for a decision we could check Appeal by... or in Klageerwiderung we can chose to include a Nichtigkeitswiderklage. Or with any optional event we can select not to consider it (because someone decided not to file it).
+
+### What changes
+
+- A **caret affordance** (▾) appears on the right edge of cards that have at least one applicable choice-kind. Click → small popover with the choices. Cards without an applicable choice render unchanged.
+- A **`choices_offered` jsonb column** on `paliad.deadline_rules` declares which choice-kinds each rule offers. Three kinds in v1:
+  - `appellant` — applicable to rules with `event_type='decision'` (no static list; engine decides).
+  - `include_ccr` — applicable to the single Klageerwiderung rule per proceeding (today: `upc.inf.cfi.def`, `de.inf.lg.erwidg`).
+  - `skip` — applicable to any rule with `priority='optional'`.
+- A **new persistence table** `paliad.project_event_choices(project_id, rule_code, choice_kind, choice_value)` holds the user's choices. Per-project, audit-logged via `paliad.system_audit_log`.
+- A **projection-time merge** turns the persisted choices into `CalcOptions.Flags` and a new `PerCardAppellants map[ruleCode]string` field, then re-runs the existing projection engine. No new flag types; `with_ccr` is the same `with_ccr`.
+
+### What stays
+
+- `bucketDeadlinesIntoColumns` and `renderColumnsBody` are extended (new opts), not replaced.
+- `condition_expr` jsonb gating semantics are unchanged. Per-card `include_ccr` choice simply means "set `with_ccr` in the flag set for this projection" — same engine.
+- Page-level `side` / `appellant` selectors stay. The per-card appellant choice is an **override layer** on top of the page-level appellant (Q4 below).
+- URL-state plumbing (`?side=…`, `?appellant=…`) stays. The page-level URL params remain the only state for unbound `/tools/verfahrensablauf`.
+
+### Out of scope (v1)
+
+- Per-card choices on the SmartTimeline (project Verlauf tab). Deferred to a follow-up when SmartTimeline matures.
+- Versioning of choices over time ("the appellant changed mid-case", "the CCR was withdrawn"). Choices are last-write-wins.
+- Cross-project propagation of choices.
+- Implementing the choice flow (coder task per slice; this is design-only).
+- A "what-if scenarios" mode (saved named scenarios).
+
+---
+
+## 3. Data model
+
+### 3.1 The new table
+
+```sql
+-- migration 128_project_event_choices.up.sql
+CREATE TABLE paliad.project_event_choices (
+  id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  project_id  uuid NOT NULL REFERENCES paliad.projects(id) ON DELETE CASCADE,
+  rule_code   text NOT NULL,                       -- e.g. "RoP.029.a" or "de.inf.lg.urteil"
+  choice_kind text NOT NULL,                       -- 'appellant' | 'include_ccr' | 'skip'
+  choice_value text NOT NULL,                      -- value namespace per kind (see §3.3)
+  created_by  uuid REFERENCES paliad.users(id) ON DELETE SET NULL,
+  created_at  timestamptz NOT NULL DEFAULT now(),
+  updated_by  uuid REFERENCES paliad.users(id) ON DELETE SET NULL,
+  updated_at  timestamptz NOT NULL DEFAULT now(),
+
+  -- One choice per (project, rule_code, kind). Re-pick is an UPDATE.
+  UNIQUE (project_id, rule_code, choice_kind)
+);
+
+CREATE INDEX project_event_choices_project_idx
+  ON paliad.project_event_choices (project_id);
+
+-- RLS: same `paliad.can_see_project(project_id)` predicate as paliad.deadlines.
+ALTER TABLE paliad.project_event_choices ENABLE ROW LEVEL SECURITY;
+CREATE POLICY project_event_choices_select ON paliad.project_event_choices
+  FOR SELECT USING (paliad.can_see_project(project_id));
+CREATE POLICY project_event_choices_mutate ON paliad.project_event_choices
+  FOR ALL USING (paliad.can_see_project(project_id))
+  WITH CHECK (paliad.can_see_project(project_id));
+```
+
+**Why this shape:**
+- Tall not wide — adding a 4th choice-kind in slice C means one more allowed `choice_kind` value, no DDL.
+- `rule_code` is the join key against `paliad.deadline_rules` (which already uses `rule_code` widely — `Calculate`, `AnchorOverrides`, the projection). Stable across rule renames provided the rename keeps the same `rule_code`.
+- UNIQUE per `(project, rule_code, kind)` makes the choice idempotent — re-picking the appellant overwrites, doesn't accumulate.
+- ON DELETE CASCADE follows the project — when a project is hard-deleted (rare; usually soft-status), the choices go with it.
+
+### 3.2 The opt-in column on `paliad.deadline_rules`
+
+```sql
+-- migration 128_project_event_choices.up.sql (same migration)
+ALTER TABLE paliad.deadline_rules
+  ADD COLUMN choices_offered jsonb;
+
+-- Example seeded values (in the same migration's data-fix block):
+--
+--   upc.inf.cfi.def → '{"include_ccr": [true, false]}'
+--   de.inf.lg.erwidg → '{"include_ccr": [true, false]}'
+--   upc.inf.cfi.decision → '{"appellant": ["claimant", "defendant", "both", "none"]}'
+--   de.inf.lg.urteil → '{"appellant": ["claimant", "defendant", "both", "none"]}'
+--   (every event_type='decision' rule)
+--   upc.inf.cfi.ccr (priority='optional') → '{"skip": [true, false]}'
+--   (every priority='optional' rule)
+```
+
+**Alternative considered + rejected:** infer offering at projection-time from `(event_type, priority, submission_code)` heuristics. Rejected because:
+- The Klageerwiderung rule is identified only by its `submission_code` slug. Tying the engine to a hardcoded slug list inside the projection service is brittle (mig 124 + future Wave-1 fixes rename slugs); declaring `choices_offered` in data lets the audit ship them without a code change.
+- A `skip` toggle that's automatically derived from `priority='optional'` is consistent today but may diverge tomorrow (an optional rule we DON'T want skippable, or a non-optional rule we DO want skippable). The opt-in jsonb keeps the choice axis decoupled from `priority`.
+
+### 3.3 Value namespaces per kind
+
+| `choice_kind` | `choice_value` valid set | Default when no row exists |
+|---|---|---|
+| `appellant` | `"claimant"` / `"defendant"` / `"both"` / `"none"` | inherits page-level appellant (URL `?appellant=`), else `null` (treated as "not yet picked" — render appeal-deadlines greyed) |
+| `include_ccr` | `"true"` / `"false"` | `"false"` (no CCR until user opts in — matches current default flag set) |
+| `skip` | `"true"` / `"false"` | `"false"` (rule renders normally) |
+
+Values are stored as `text` not `boolean` so the same column scales to multi-valued kinds (appellant has 4 values; future kinds may have N). Coercion lives in the service layer.
+
+### 3.4 Audit trail
+
+Every INSERT / UPDATE / DELETE on `project_event_choices` writes a row to `paliad.system_audit_log` (the standard sink mig 102 introduced) with `event_type='project_event_choice.set'` and the changed `(rule_code, kind, value)` in `metadata jsonb`. Pattern mirrors `paliad.deadlines.status_changed` audit rows.
+
+---
+
+## 4. Projection flow
+
+The existing projection engine is a single Go function: `FristenrechnerService.Calculate(ctx, proceedingCode, triggerDateStr, opts CalcOptions)`. Two changes:
+
+### 4.1 Extending `CalcOptions`
+
+```go
+type CalcOptions struct {
+    // ...existing fields...
+    Flags           []string             // <-- already exists
+    AnchorOverrides map[string]string    // <-- already exists
+
+    // NEW — per-card overrides surfaced by the per-event-card choices.
+    // Keyed by deadline_rules.rule_code.
+    //
+    //   PerCardAppellant: when a decision rule's rule_code is in this map,
+    //     the appellant for downstream rules whose parent is THAT decision
+    //     is set to the value here. Overrides any global Appellant.
+    //
+    //   SkipRules: when a rule's rule_code is in this set, the rule is
+    //     suppressed AND its descendants are suppressed. Same suppression
+    //     path as a failed condition_expr gate.
+    //
+    //   IncludeCCRFor: when a rule's rule_code is in this set, the with_ccr
+    //     flag is treated as set in the flag context FROM that rule
+    //     onward (i.e. for that rule's descendants). On v1 with a single
+    //     Klageerwiderung-per-proceeding, this is equivalent to a project-
+    //     wide with_ccr — but the per-card scope leaves room for future
+    //     proceedings with multiple CCR entry points.
+    PerCardAppellant map[string]string   // rule_code → "claimant"|"defendant"|"both"|"none"
+    SkipRules        map[string]struct{} // set of rule_code
+    IncludeCCRFor    map[string]struct{} // set of rule_code
+}
+```
+
+The handler reads `project_event_choices` for the project (if project-bound) and folds them into these fields before calling `Calculate`. When called unbound (URL-only, `/tools/verfahrensablauf` without project), the maps come from URL params instead (see §5.2).
+
+### 4.2 Three engine changes
+
+1. **SkipRules suppression**: in the post-condition_expr filter pass (`Calculate` around line 333 where the gate is evaluated), additionally drop any rule whose `rule_code ∈ opts.SkipRules`. Also drop its descendants (existing `parent_id` walk already handles cascading; just add the new predicate to the keep/drop decision).
+
+2. **IncludeCCRFor scope**: rather than threading a per-rule flag context (expensive change to engine), implement v1 as: **if any rule_code in IncludeCCRFor exists at all, append `"with_ccr"` to `opts.Flags`** before the gate-evaluation pass. This is correct for the v1 surface (Klageerwiderung is the only CCR-entry-point per proceeding) but loses the per-card scoping for multi-CCR cases. The full per-rule scope is **Slice B** (§7).
+
+3. **PerCardAppellant routing**: when `bucketDeadlinesIntoColumns` collapses `party=both` rows in the appellant's column, today it consults the global `opts.appellant`. Extend to consult `PerCardAppellant[ruleCode]` first — if present, that drives the collapse for descendants of that decision. Out-of-band: this changes the projection contract subtly. We surface this as **server-computed metadata** on the response (`CalculatedDeadline.AppellantContext`) so the frontend bucketer doesn't need to know about parent-chain walks — the server already does the walk.
+
+### 4.3 Wire shape
+
+The `CalculatedDeadline` Go struct + TS mirror grow one optional field:
+
+```go
+type CalculatedDeadline struct {
+    // ...existing fields...
+    AppellantContext string `json:"appellantContext,omitempty"`
+    // "claimant" | "defendant" | "both" | "none" | "" (default).
+    // Filled by the projection from the user's per-decision choice.
+    // Frontend bucketer prefers this over the page-level appellant.
+}
+```
+
+This keeps the bucketer logic local — no second pass needed.
+
+---
+
+## 5. UI / i18n
+
+### 5.1 Caret + popover affordance
+
+Each rendered card gets, when `choices_offered IS NOT NULL`, a `▾` caret on the right edge of the title line. Click → popover anchored to the caret. Popover renders one block per choice-kind the rule offers (typically one, occasionally two if a rule has both `appellant` and `skip` — none today; design holds for the future).
+
+DOM-wise: `frontend/src/client/views/verfahrensablauf-core.ts` `deadlineCardHtml` grows a `choicesCaret` segment, and a sibling module `client/views/event-card-choices.ts` (new) owns the popover open/close + commit handler. The popover commits via `POST /api/projects/{id}/event-choices` with body `{rule_code, kind, value}`; the response is the updated choice row.
+
+**Why a popover and not inline checkboxes:**
+- Inline would put a checkbox on every decision card + every optional card. ~6 decision cards + ~6 optional cards on a typical UPC.INF.CFI projection is ~12 always-on widgets per timeline. Visual noise + scan cost.
+- Popover defaults to hidden; the caret is a low-noise affordance. The selected choice surfaces as a small chip on the card title line ("Berufung: Beklagter") so the choice is glanceable without re-opening.
+- Mobile + touch: the caret is a 24×24 tap target; the popover is keyboard-dismissable.
+
+**Why not card-hover-reveal:** discoverability + touch failure (no hover on iOS).
+
+### 5.2 URL fallback (no project context)
+
+When `/tools/verfahrensablauf` is opened without a project (the abstract-browse case), per-card choices have no persistence layer. The popover still works, but commits update an **in-memory + URL** state instead:
+
+```
+?event_choices=RoP.029.a:appellant=defendant,upc.inf.cfi.ccr:skip=true
+```
+
+Compact CSV in one URL param. Read at page load, applied to `CalcOptions` via the same `PerCardAppellant` / `SkipRules` / `IncludeCCRFor` route. Shareable, ephemeral. Matches the existing `?side=` + `?appellant=` URL idiom.
+
+### 5.3 Chip indicators
+
+A card with a non-default choice gets a small chip next to the title:
+- Appellant chosen: `Berufung: Beklagter` / `Appeal: Defendant`
+- Include CCR: `mit Nichtigkeitswiderklage` / `with CCR`
+- Skipped: card itself fades to 50% opacity, body adds class `timeline-item--skipped`, chip reads `übersprungen` / `skipped` with an undo arrow.
+
+### 5.4 i18n keys (new)
+
+```
+choices.caret.title              "Optionen für dieses Ereignis"             "Options for this event"
+choices.appellant.title          "Berufung durch ..."                       "Appealed by ..."
+choices.appellant.claimant       "Klägerseite"                              "Claimant side"
+choices.appellant.defendant      "Beklagtenseite"                           "Defendant side"
+choices.appellant.both           "beide Parteien"                           "both parties"
+choices.appellant.none           "keine Berufung"                           "no appeal"
+choices.include_ccr.title        "Nichtigkeitswiderklage einbeziehen"       "Include nullity counterclaim"
+choices.skip.title               "Für diese Akte überspringen"              "Skip for this case"
+choices.skipped.chip             "übersprungen"                             "skipped"
+choices.reset                    "Auswahl zurücksetzen"                     "Reset choice"
+```
+
+### 5.5 What's removed
+
+The page-level appellant selector (URL `?appellant=`) stays for **non-decision proceedings** (the Appeal-CoA case where the appellant axis is the whole-timeline framing, not a per-decision choice). But for first-instance proceedings (UPC.INF, DE.INF.LG, etc.), the appellant axis migrates from page-level to per-decision card. The page-level selector hides when the proceeding has decision rules with `choices_offered.appellant` declared — which is the cleaner UX (one knob, in the right place).
+
+---
+
+## 6. Services + handlers (new surface)
+
+### 6.1 Go service
+
+```go
+// internal/services/event_choice_service.go (new)
+type EventChoiceService struct {
+    db *sqlx.DB
+}
+
+func (s *EventChoiceService) ListForProject(ctx context.Context, projectID uuid.UUID) ([]ProjectEventChoice, error)
+func (s *EventChoiceService) Upsert(ctx context.Context, c ProjectEventChoice) error
+func (s *EventChoiceService) Delete(ctx context.Context, projectID uuid.UUID, ruleCode, kind string) error
+
+// Used by ProjectionService to fold choices into CalcOptions.
+func (s *EventChoiceService) ToCalcOptions(choices []ProjectEventChoice) CalcOptionsAddendum
+```
+
+The `CalcOptionsAddendum` type wraps the three new map/set fields so the merge into the parent `CalcOptions` is one call from the projection handler.
+
+### 6.2 HTTP routes
+
+```
+GET    /api/projects/{id}/event-choices              → []ProjectEventChoice
+PUT    /api/projects/{id}/event-choices              → upsert one (body: {rule_code, kind, value})
+DELETE /api/projects/{id}/event-choices/{rule_code}/{kind} → remove
+```
+
+All gated by `gateOnboarded` + visibilityPredicate (project-team membership).
+
+### 6.3 Projection handler
+
+The existing `POST /api/tools/fristenrechner` handler accepts `flags`, `anchorOverrides`, `priorityDate`, `courtId`. Extend the request shape:
+
+```json
+{
+  "proceedingType": "upc.inf.cfi",
+  "triggerDate": "2026-01-15",
+  "flags": ["with_ccr"],
+  "perCardChoices": [
+    {"rule_code": "RoP.029.a", "kind": "appellant", "value": "defendant"},
+    {"rule_code": "upc.inf.cfi.ccr", "kind": "skip", "value": "true"}
+  ]
+}
+```
+
+Or, when project-bound:
+
+```json
+{
+  "proceedingType": "upc.inf.cfi",
+  "triggerDate": "2026-01-15",
+  "projectId": "abc-123"
+  // server pulls perCardChoices from paliad.project_event_choices
+}
+```
+
+The handler merges either source into `CalcOptions` and runs `Calculate`.
+
+### 6.4 Touch points — files coder will edit
+
+- **DB**: new migration `128_project_event_choices.up.sql` + `.down.sql`. Add `choices_offered` column + seed data.
+- **Go**: `internal/services/event_choice_service.go` (new), `internal/services/fristenrechner.go` (extend `CalcOptions`, projection logic), `internal/handlers/event_choices.go` (new HTTP routes), `internal/handlers/fristenrechner.go` (request shape extension).
+- **Models**: `internal/models/models.go` — `ProjectEventChoice` struct, `CalculatedDeadline.AppellantContext` field.
+- **Frontend**: `frontend/src/client/views/verfahrensablauf-core.ts` (caret + chip in deadlineCardHtml), `frontend/src/client/views/event-card-choices.ts` (new popover module), `frontend/src/client/verfahrensablauf.ts` + `frontend/src/client/fristenrechner.ts` (URL-state plumbing for the unbound case; load project choices for the bound case).
+- **i18n**: `frontend/src/client/i18n.ts` + `frontend/src/i18n-keys.ts` — new keys per §5.4.
+- **Tests**: `internal/services/event_choice_service_test.go` (new), `internal/services/fristenrechner_test.go` (extend with PerCardAppellant + SkipRules cases), `frontend/src/client/views/verfahrensablauf-core.test.ts` (extend bucketing with `perCardAppellant` opt).
+
+### 6.5 Coordination with #93 procedural-events rename
+
+When #93 lands (and the rename ships), this design's `rule_code` references become `procedural_event.code` — same string namespace, cleaner name. Join points:
+- `project_event_choices.rule_code` → `project_event_choices.procedural_event_code` (or stays as a generic string column if #93 keeps `rule_code` as the join key).
+- `deadline_rules.choices_offered` → `procedural_events.choices_offered`.
+
+If #93 ships first, this design's migration applies to `procedural_events` instead. The data shape (jsonb + new join table) is unaffected. If THIS ships first, #93 absorbs the column in its rename.
+
+---
+
+## 7. Slice plan
+
+### Slice A — Appellant per decision + Skip optional event
+
+Two choice-kinds, narrow + bounded, do not change the gate-evaluation engine.
+
+- **DB**: migration 128 adds `project_event_choices` + `choices_offered`. Seed `choices_offered` on all `event_type='decision'` rules and all `priority='optional'` rules.
+- **Service**: `EventChoiceService` CRUD; `CalcOptions.PerCardAppellant` + `CalcOptions.SkipRules`; `Calculate` extension to honour SkipRules suppression + AppellantContext metadata.
+- **HTTP**: 3 new routes (GET / PUT / DELETE on project_event_choices); fristenrechner request extension.
+- **Frontend**: caret + popover on decision cards + optional cards; chip indicators; URL-state for the unbound case; load-on-mount for the bound case.
+- **Tests**: bucketing with PerCardAppellant; service CRUD; gate-suppression with SkipRules.
+
+Ship this slice first. It validates the popover affordance + the persistence layer end-to-end without touching the flag-evaluation engine.
+
+### Slice B — Include Nichtigkeitswiderklage on Klageerwiderung
+
+Wires `IncludeCCRFor` through the flag-evaluation engine. v1 simplification (§4.2 #2) makes this **almost** a no-op for the engine — but the per-card scope semantics need a separate inventor pass to nail down whether the simplification holds for de.inf.lg's CCR analogue (Widerklage auf Nichtigkeit) and for any future proceedings with multiple CCR entry points.
+
+- **DB**: add `include_ccr` to allowed `choice_kind` values + seed `choices_offered = '{"include_ccr": [true, false]}'` on the Klageerwiderung rows (`upc.inf.cfi.def`, `de.inf.lg.erwidg`).
+- **Service**: `CalcOptions.IncludeCCRFor`; the "if non-empty, append with_ccr to Flags" simplification.
+- **Frontend**: the include_ccr popover block (already designed; just enabling the row).
+- **Cross-flow audit**: confirm that the existing 7 upc.inf.cfi cross-flow rules + de.inf.lg analogues fire correctly when with_ccr is set via the per-card path vs. the existing page-level flag checkbox. Existing checkbox stays in v1; deprecation is a Slice C decision.
+
+### Bundling note (per m's Q4 decision 2026-05-25)
+
+A + B ship together. The slice headings above remain as a logical breakdown for the coder to follow when sequencing commits inside the single shift; they are not separate PRs. See §11 Q4 for rationale.
+
+### Slice C — Future choice-kinds
+
+Open-ended; not designed here. Examples surfaced by the t-paliad-067 audit:
+- "Bilateral hearing requested" toggle on hearing rules.
+- "Cost orders requested" toggle on cost-related rules.
+- "Stay applied" toggle on procedural events.
+
+Each new kind = one new allowed `choice_kind` value + one seed row + one popover block. Schema-stable.
+
+---
+
+## 8. Risk assessment
+
+- **Migration risk**: new table + new column, both additive. Down-migration drops table + column + reverts seed. No data loss path. Low risk.
+- **Projection correctness**: PerCardAppellant changes the bucket routing for "both" rows in chains downstream of a decision card. The unit-tested `bucketDeadlinesIntoColumns` carries the existing appellant semantics; extending it without breaking the existing test suite means new tests, not changes to existing ones. Coder MUST add the new tests before changing the bucketer.
+- **Flag-context vs per-rule-flag aliasing**: §4.2 #2 (Slice B) trades per-card precision for engine simplicity. Acceptable in v1 (Klageerwiderung is the only entry point per proceeding) but a known limitation. Document it in `internal/services/fristenrechner.go` doc comment so the next Wave-2 inventor doesn't think it's bug-free.
+- **Page-level vs per-card appellant interaction**: when both are set, per-card wins for descendants of the decision the per-card was set on; page-level still drives descendants of decisions without a per-card pick. Could confuse a user. Mitigation: the page-level appellant selector hides for first-instance proceedings (per §5.5). For appeal proceedings, the selector stays — but those proceedings have a single root decision so the conflict surface is small.
+- **Cross-proceeding consistency** (where #93's rename lives) — coordinate with the inventor on #93 if both ship in parallel.
+
+---
+
+## 9. Out of scope (recap)
+
+- SmartTimeline (project Verlauf tab) per-card choices.
+- Versioning / time-machine of choices.
+- Cross-project propagation.
+- Coder implementation (separate task per slice).
+- A "saved scenarios" feature.
+- Removal of the page-level `?appellant=` URL param for appeal proceedings.
+
+---
+
+## 10. Open questions for m
+
+The following 4 questions need m's pick. Inventor recommendations marked **(R)**. After m answers via AskUserQuestion, the picks land in §11 below as the historical record.
+
+### Q1 — State location
+
+Where do per-card choices live?
+
+- **(R) A. `paliad.project_event_choices` persisted (with URL override for what-if).** Per-case choices are real, not exploratory. Persist by default; what-if exploration handled later as a URL-override layer.
+- B. URL query state only. Ephemeral, shareable, no persistence.
+- C. Both from day one. Persisted default + URL-overridable for what-if scenarios.
+
+### Q2 — Affordance
+
+How do the choices surface on a card?
+
+- **(R) A. Caret (▾) + popover on click.** Off-by-default visual, on-tap reveal. Selected choice surfaces as a chip on the card title.
+- B. Inline checkbox/radio on every relevant card. Higher discoverability, more visual noise.
+- C. Card-hover reveals the choices. Discoverability + touch issues.
+
+### Q3 — Page-level appellant interaction
+
+When a per-card appellant is set on a decision, what happens to the page-level `?appellant=` selector?
+
+- **(R) A. Per-card overrides page-level for descendants of THAT decision.** Decisions without a per-card pick still use page-level. Most expressive.
+- B. Per-card inherits page-level unless explicitly set. Less surprising default but loses the per-decision expressiveness.
+
+### Q4 — Slice order
+
+Which slice ships first?
+
+- **(R) A. Slice A first (appellant per decision + skip optional).** Bounded, validates the popover + persistence layer without touching the flag-evaluation engine. Slice B (include-CCR) follows.
+- B. Slice B first. Higher-impact user feature but requires the engine change.
+- C. Bundle A + B in one coder shift. Slower to ship, lower per-coder load, but one less round trip.
+
+---
+
+## 11. m's decisions (2026-05-25)
+
+- **Q1 (State location):** Persisted table — `paliad.project_event_choices` per §3.1. Matches inventor (R).
+- **Q2 (Affordance):** Caret + popover with chip indicator on chosen cards per §5.1, §5.3. Matches inventor (R).
+- **Q3 (Appellant layer):** Per-card overrides page-level for descendants of that decision. Page-level still drives decisions without a per-card pick. Matches inventor (R). Implementation: `CalculatedDeadline.AppellantContext` (§4.3) carries the per-decision pick down the parent chain so the bucketer reads one field.
+- **Q4 (Slice order):** **Bundle Slice A + Slice B in one coder shift** (m picked over inventor (R) of "A first"). Reasoning: keeps the popover, persistence layer, AND the engine extension for `IncludeCCRFor` in one cohesive PR — coder + reviewer hold the full mental model once; one user-visible release; no half-shipped state where the caret exists on Klageerwiderung cards but the include-CCR pick doesn't yet wire through. Trade-off: larger PR. Mitigation: coder still organises commits per slice internally (separate test files, separate handler additions) so review can read them sequentially. See §7 slice plan — both slices implemented; ship as one.
+
+### Coder-shift implications of Q4 bundling
+
+- Migration 128 carries ALL three choice-kinds (`appellant`, `skip`, `include_ccr`) in the seed of `choices_offered`, plus the Klageerwiderung rows seeded with `{"include_ccr": [true, false]}`.
+- `CalcOptions` gains all three new fields (`PerCardAppellant`, `SkipRules`, `IncludeCCRFor`) in the same Go change.
+- The `IncludeCCRFor` v1 simplification (§4.2 #2 — "any non-empty set means append `with_ccr` to Flags") documents the per-card-scope limitation up front. Multi-CCR proceedings are a future expansion, not a v1 ship blocker.
+- Frontend popover renders all three blocks the rule offers in one render path; coder cannot half-ship by leaving include_ccr's popover branch as a TODO.
+- Tests cover the full matrix on the same branch.
+
+---
+
+## 12. Hard rules for the coder shift
+
+- Migration is 128, not anything else. Verify against `paliad.paliad_schema_migrations` MAX before authoring.
+- Tests added BEFORE projection-engine changes in fristenrechner.go (bucketer, gate, AppellantContext).
+- `go build ./... && go test ./internal/... && cd frontend && bun run build` clean.
+- No regression on `?side=` + `?appellant=` URL state.
+- DE primary, EN secondary for all new i18n keys.
+- Branch per slice: `mai/<coder>/event-card-choices-slice-a` etc.
+
+---
+
+## 13. Reporting
+
+When ready, the coder reports completion with the URL of the test project that exercises the feature, a screenshot of the popover, and the deadline-rules SQL UPDATE counts for the seeded `choices_offered` rows. Standard slice-completion shape.

docs/design-inbox-overhaul-2026-05-25.md

@@ -0,0 +1,848 @@
+# Design: /inbox overhaul — project-events feed + filtering + list/cards/calendar toggles
+
+**Task:** t-paliad-249
+**Gitea:** m/paliad#80
+**Author:** icarus (inventor)
+**Date:** 2026-05-25
+**Status:** LOCKED — head confirmed Q1=A with two refinements (2026-05-25), see §12.
+**Branch:** `mai/icarus/inventor-inbox-overhaul`
+
+---
+
+## 0. TL;DR
+
+`/inbox` today is approval-requests only. m wants it to become the actual
+"what's new on my projects" surface — approval requests **plus** recent
+project_events on visible projects — with the same view-toggle paradigm
+as `/events` (list / cards / calendar) and a meaningful filter row.
+
+The good news: the substrate already exists.
+
+- `view_service.RunSpec` unions four sources (deadline, appointment,
+  **project_event**, **approval_request**) into one ranked `[]ViewRow`.
+- `FilterSpec` has predicates for every axis we need
+  (`ProjectEventPredicates.EventTypes`, `ApprovalRequestPredicates`).
+- `filter-bar` knows the axes we need: `time`, `project`,
+  `approval_viewer_role`, `approval_status`, `approval_entity_type`,
+  `project_event_kind`, plus `shape` / `sort` / `density`.
+- Shape renderers exist: `shape-list` (table + compact + approval), `shape-cards`
+  (day-grouped), `shape-calendar` (thin adapter on `mountCalendar`).
+
+So the work is **mostly re-mix**:
+
+1. Extend `InboxSystemView` from `Sources=[ApprovalRequest]` to
+   `Sources=[ApprovalRequest, ProjectEvent]`, default
+   `Time.Horizon=Past30d`, and add a curated `project_event.event_types`
+   default that filters out noise (approvals duplicate-suppression,
+   checklist mutations, status churn).
+2. Extend `shape-list.ts` so `row_action="approve"` no longer assumes
+   every row is an approval — rename it `"inbox"`, dispatch per
+   `row.kind` (approval → existing approve-card layout; project_event →
+   navigate-style stream row).
+3. Wire the existing view-axis selector (the chip cluster on `/events`)
+   onto `/inbox`'s host, persisting selection via the filter-bar URL
+   codec (axis `shape` already in `AxisKey`).
+4. Add a high-watermark read cursor (`paliad.users.inbox_seen_at`) +
+   `POST /api/inbox/mark-all-seen` + extend `/api/inbox/count` to count
+   unseen project_events too. Adds one new axis `unread_only` to the bar.
+
+That's Slice A. Slice B layers cards + calendar toggles cleanly. Slice C
+is per-item dismissal — keep out of v1 unless the cursor proves not
+enough (m's pick Q3 is the cursor).
+
+No new aggregation service, no new endpoint family — the inbox runs on
+`/api/views/inbox/run` like every other system view does today.
+
+---
+
+## 1. Current `/inbox` state
+
+**Routes (`internal/handlers/approvals.go`):**
+
+| Path                                  | Behaviour                                                    |
+|---------------------------------------|--------------------------------------------------------------|
+| `GET /inbox`                          | Serves `dist/inbox.html`, a thin shell. No SSR data.         |
+| `GET /api/inbox/pending-mine`         | Approval requests I can approve.                              |
+| `GET /api/inbox/mine`                 | Approval requests I submitted (all statuses by default).      |
+| `GET /api/inbox/count`                | `{count: N}` for the sidebar bell badge — `PendingCountForUser`. |
+| `GET /api/approval-requests/{id}`     | Hydrate one request (used by suggest-changes modal).          |
+| `POST /api/approval-requests/{id}/{action}` | `approve` / `reject` / `revoke` / `suggest-changes`.    |
+
+**Data path:** `frontend/src/client/inbox.ts` mounts the universal
+`FilterBar` over the inbox `SystemView` (slug `"inbox"`, sources
+`[approval_request]`, viewer_role `any_visible`, status `[pending]`).
+The bar fetches `/api/views/system`, hands the spec to itself, calls
+`/api/views/inbox/run?…`, and stamps rows via `shape-list.ts`'s
+`renderApprovalList(rows)` path (gated by `row_action="approve"`).
+
+**Action wiring:** `wireApprovalActions(host)` listens on
+`.views-approval-action` clicks; on success it triggers
+`bar.refresh()` and `refreshInboxBadge()` (which pokes
+`/api/inbox/count`).
+
+**Empty state + admin nudge:** when the result list is empty AND the
+caller is `global_admin` AND no `approval_policies` row exists firm-wide,
+the page shows a "configure policies" CTA. Otherwise the localized
+"no items" empty-state text.
+
+**Sidebar bell:** `Sidebar.tsx:143` `navItem("/inbox", BELL_ICON, …)`
+plus `client/sidebar.ts:320–345`'s `initInboxBadge` which polls
+`/api/inbox/count` every 60s. Badge clamps to `"9+"`.
+
+### What aggregates cleanly
+
+The whole approval flow already plugs into `RunSpec`'s union pipeline.
+That's the win — extending sources from `[ApprovalRequest]` to
+`[ApprovalRequest, ProjectEvent]` is a `[]DataSource` literal edit in
+`InboxSystemView()` and the engine fans out per source, sorts, returns
+one `[]ViewRow`. The hard work (`runProjectEvents` + the
+visibility predicate + project metadata join) is already in
+`view_service.go:344–430`.
+
+### What doesn't aggregate (yet)
+
+- **Read state.** There is no `inbox_seen_at` on `paliad.users` (verified
+  via information_schema). The bell badge counts pending **approval
+  requests for the caller** only — it has no notion of "new project
+  events since last visit". We have to add it.
+- **Mixed `row_action`.** `shape-list.ts`'s `renderApprovalList` assumes
+  every row is an approval and unconditionally parses
+  `row.detail` as an `ApprovalDetail`. Project_event rows in the same
+  list would crash the parse. We need to branch per `row.kind` inside
+  the inbox row stamper.
+- **`/inbox` shape toggle.** `client/inbox.ts` hardcodes `shape-list`;
+  the `shape` axis is wired into `filter-bar/axes.ts` but `/inbox`'s
+  `INBOX_AXES` deliberately omits it (because today the only meaningful
+  shape was list). Adding it onto INBOX_AXES + a small dispatcher in
+  `onResult` gives us cards + calendar for free.
+
+Everything else (sidebar entry, /api/views machinery, FilterBar URL
+codec, RowAction validation) carries through unchanged.
+
+---
+
+## 2. Event-type catalogue for inbox v1 (Q1)
+
+This is the only design pick that requires a head/m signal. **Open
+question Q1 in §9 — defaulting to (A) until head answers.**
+
+### (R) Recommendation (A): curated subset
+
+Sources: `[approval_request, project_event]`.
+
+**Approval requests:** all rows whose `viewer_role=any_visible` AND
+status ∈ {pending} by default; the existing chip cluster
+(approver_eligible / self_requested / any_visible) stays. Decided
+requests are filtered by the chip, not hidden by source-removal — so a
+user who wants to see "what got approved this week" toggles the status
+chip rather than the source.
+
+**Project events:** filter by `event_type ∈ InboxProjectEventKinds`
+where InboxProjectEventKinds is a new sub-list of KnownProjectEventKinds:
+
+| event_type              | In inbox v1? | Reason                                                              |
+|-------------------------|--------------|---------------------------------------------------------------------|
+| `project_created`       | no           | The author already saw the page; not news to the team yet (the team grows post-creation). |
+| `project_archived`      | **yes**      | High-signal lifecycle event ("Akte XY wurde archiviert").           |
+| `project_reparented`    | **yes**      | Hierarchy moves matter to everyone with access.                     |
+| `project_type_changed`  | **yes**      | Same reason.                                                        |
+| `status_changed`        | no           | Currently too granular; surface in Verlauf, revisit if m disagrees. |
+| `deadline_created`      | **yes**      | New deadline on a project I can see — exactly the kind of event m named ("we should also display new events"). |
+| `deadline_completed`    | **yes**      | Likewise.                                                           |
+| `deadline_reopened`     | **yes**      | Likewise.                                                           |
+| `deadline_updated`      | **yes**      | Currently in DB (11 rows live) but not in KnownProjectEventKinds — add it. |
+| `deadline_deleted`      | **yes**      | Likewise — add to KnownProjectEventKinds.                           |
+| `deadlines_imported`    | **yes**      | Bulk-import event surfaces what got added.                          |
+| `appointment_created`   | **yes**      |                                                                     |
+| `appointment_updated`   | **yes**      |                                                                     |
+| `appointment_deleted`   | **yes**      |                                                                     |
+| `note_created`          | **yes**      | A note is "someone said something about this project". High-signal; add to KnownProjectEventKinds. |
+| `our_side_changed`      | **yes**      | Party-side flip; high-signal, add to KnownProjectEventKinds.        |
+| `member_role_changed`   | no           | Admin churn; would dominate active users' inbox. Revisit slice B. |
+| `*_approval_requested`  | **no — de-duped** | The approval_request row itself carries the signal; the audit event is the same fact in a different table. Filtering it out avoids duplicate inbox entries. |
+| `*_approval_approved/rejected/revoked` | **no — de-duped** | Same reason. The approval_request row's status flip is what the user sees. |
+| `*_approval_changes_suggested` | **no — de-duped** | Same. |
+| `approval_decided`      | no           | This is the umbrella audit-only kind; superseded by the approval_request row. |
+| `checklist_*`           | no           | Low signal; checklists are surfaced on the project's checklist page. |
+
+The de-dup pattern means: if a row exists in `approval_requests` for an
+entity, the corresponding `*_approval_*` project_event is **not** shown
+in the inbox — we trust the approval_request row.
+
+### Alternative (B): everything in KnownProjectEventKinds + approvals
+
+Simpler — no curated sub-list, no de-dup. Two drawbacks:
+
+1. `*_approval_*` duplicates would render twice per request.
+2. `status_changed` and `member_role_changed` are admin churn; in firm
+   tests both would dominate.
+
+If head picks B, we need at minimum the `*_approval_*` de-dup; otherwise
+the inbox renders the same fact twice.
+
+### Alternative (C): minimal — approvals + appointment_* + deadline_*
+
+Tightest set. Drops notes + our_side_changed + project_*. Risk: m's
+brief literally says "new events that relate to one's projects" — notes
+and side changes ARE such events. C feels too narrow.
+
+---
+
+## 3. Read/unread model (Q3 → R: high-watermark cursor)
+
+### (R) Decision: per-user high-watermark `inbox_seen_at`
+
+**Schema:**
+
+```sql
+ALTER TABLE paliad.users
+    ADD COLUMN inbox_seen_at timestamptz NULL;
+```
+
+NULL means "never visited" → everything counts as unread. The high-water
+cursor advances exactly when the user POSTs to
+`/api/inbox/mark-all-seen` (UI affordance: a button in the inbox header
++ implicit advance on page-mount, see Slice A wiring below).
+
+### Why cursor, not per-item
+
+m's recommendation: cursor. Mine matches: single column, no fan-out
+table, covers the common case ("I checked my inbox, mark everything
+read"). Per-item dismiss is Slice C — opt-in only if the cursor proves
+inadequate. The risk we're guarding against: a single high-value pending
+approval that's a week old gets buried by 80 fresh deadline_updated
+events; the user clears the badge and may now never look at the
+approval. Mitigation: **approval_requests with status=pending never
+fall behind the cursor** — they count toward the badge regardless of
+seen_at. This is a tiny conditional in the count query (Slice A).
+
+### Cursor advance behaviour
+
+- **Explicit:** "Alles als gelesen markieren" button in the inbox
+  header. POSTs `/api/inbox/mark-all-seen`; server sets
+  `inbox_seen_at = now()`.
+- **Implicit:** when the page mounts AND the bar surfaces at least one
+  row that's newer than the current cursor, the *new* cursor is
+  remembered locally as the timestamp of the **newest visible row**.
+  We do **not** auto-advance the server cursor on mount — too easy to
+  lose items behind a stray pageview. The "neu" highlight on rows
+  newer than the saved cursor is the silent UX. Explicit click is the
+  one and only path to clearing the badge.
+
+### `unread_only` axis
+
+New filter-bar axis (Slice A):
+
+```ts
+// types.ts
+unread_only?: boolean;
+```
+
+When `true`, the bar overlays a FilterSpec predicate:
+`row.event_date > inbox_seen_at` (substrate-side filter; for project_events
+that's `pe.created_at > $cursor`, for approval_requests that's
+`requested_at > $cursor` OR `status='pending'` per the carve-out above).
+
+Default: **unread_only=true** for first paint (per Slice A — landing on
+the inbox shows you what's new). The "Alle" chip flips it off so the
+user can see history.
+
+---
+
+## 4. Filter contract
+
+The bar surfaces these axes on `/inbox` (`INBOX_AXES` constant in
+`client/inbox.ts`):
+
+| Axis                     | Why on /inbox                                                        | New? |
+|--------------------------|----------------------------------------------------------------------|------|
+| `time`                   | "Last 30 days" (default) with chip cluster + "Älter anzeigen" .       | already |
+| `project`                | Single-select autocomplete from visible projects.                    | already |
+| `approval_viewer_role`   | "Zur Genehmigung" / "Eigene Anfragen" / "Alle sichtbaren".            | already |
+| `approval_status`        | pending / approved / rejected / revoked / changes_requested.         | already |
+| `approval_entity_type`   | Frist / Termin (chip pair).                                          | already |
+| `project_event_kind`     | Chip cluster over InboxProjectEventKinds.                            | already |
+| **`unread_only`**        | Boolean toggle ("Nur ungelesen" / "Alle"); defaults to ungelesen.    | **Slice A new axis** |
+| `shape`                  | list / cards / calendar.                                             | already in `AxisKey`, not yet on `/inbox` |
+| `sort`                   | Newest first (default) / oldest first.                               | already |
+| `density`                | comfortable / compact.                                               | already |
+
+**Default landing state** for a brand-new pageview:
+`?time=past_30d&unread_only=true&a_status=pending&shape=list&sort=date_desc`.
+
+Bookmarks from older clients (e.g. the legacy `?tab=pending-mine`)
+still work because `client/inbox.ts:46–58` already applies the legacy
+tab → `a_role` redirect at hydration.
+
+### Source-removal not exposed as an axis
+
+Users do **not** see a "show approvals only / show events only" chip.
+The signal we want is "what's new across my projects"; splitting the
+two via the filter row is busywork. If they want approvals-only they
+chip-pick `project_event_kind` empty + status=any (or future axis pick
+`source=approval_request`). If feedback shows otherwise after Slice A
+ships, we add the axis in Slice B trivially (`Sources` is a
+spec.Sources literal flip).
+
+---
+
+## 5. View toggle implementation plan (Q5 → R: list / cards / calendar)
+
+The pattern `/events` uses today (see `frontend/src/events.tsx:107–141`
+for the `<div className="events-view-selector">` block and
+`client/events.ts:617–650` for the `applyView` function):
+
+- One chip cluster `data-event-view="cards|list|calendar"`.
+- Active class toggle.
+- Per-shape `display: none` on the table-wrap / cards-wrap / cal-wrap
+  hosts.
+- For calendar, `mountCalendar()` constructs a month/week/day grid
+  into a dedicated `events-calendar-wrap` host; the handle is destroyed
+  on shape-leave so its URL state doesn't leak into the other shapes.
+
+### Mapping onto /inbox
+
+The cleanest path: **use `filter-bar`'s built-in `shape` axis instead of
+a per-page selector.** The axis already round-trips into the URL via
+`url-codec.ts` and serialises into `RenderSpec.Shape`. `client/inbox.ts`
+just needs:
+
+1. Add `"shape"` to `INBOX_AXES`.
+2. Dispatch in the `onResult` callback by `effective.render.shape`:
+
+   ```ts
+   onResult: (result, effective) => {
+     switch (effective.render.shape) {
+       case "cards":    return paintCards(result.rows, effective.render, ...);
+       case "calendar": return paintCalendar(result.rows, ...);
+       case "list":
+       default:         return paintList(result.rows, effective.render, ...);
+     }
+   }
+   ```
+
+3. The renderers exist already: `renderCardsShape` in
+   `views/shape-cards.ts`, `renderCalendarShape` in
+   `views/shape-calendar.ts`, `renderListShape` in `views/shape-list.ts`.
+   The only piece of new code is the per-shape host-clearing on switch
+   (so we don't leak a stale shape's DOM into the new host).
+
+### Calendar shape — items without dates
+
+Calendar can only render rows with a calendar-mappable date. Today:
+
+- **approval_request:** `requested_at` (timestamp). Maps fine, but
+  shows up as a single point — rendering an approval-request on a month
+  grid is semantically "you got asked on this day". OK for v1.
+- **project_event:** `created_at`. Same shape.
+- **deadline:** `due_date`. Already supported.
+- **appointment:** `start_at`. Already supported.
+
+So every row in the inbox v1 has a calendar position. No
+need to filter rows on calendar-mount. **One caveat:** the calendar
+shape currently doesn't render action affordances (approve/reject) — it
+opens a detail dialog on click. Slice B accepts that: clicking an
+approval row on the calendar opens the inbox-list-style detail in a
+modal (re-using the existing per-row /api/approval-requests/{id}
+fetch). Out of scope for Slice A.
+
+### Cards shape — day-grouped chronological cards
+
+`shape-cards.ts` groups by day and renders one card per row, with
+title + meta + actor. The approval-card layout there is the standard
+card (no approve buttons — same caveat as calendar). For Slice B, we
+extend `shape-cards.ts` to detect `row.kind === "approval_request"
+&& row.detail.status === "pending"` and stamp the approve/reject button
+strip inline. The DOM template is the same as
+`shape-list.ts:renderApprovalRow`, so most of the work is hoisting that
+template into a shared util.
+
+---
+
+## 6. Backend aggregation service (Q6 → R: reuse RunSpec)
+
+**Decision: do not build a new aggregation service.** The
+substrate-level work is exactly two edits:
+
+### 6.1 InboxSystemView (system_views.go:103–144)
+
+```go
+func InboxSystemView() SystemView {
+  return SystemView{
+    Slug: "inbox",
+    Name: "Inbox",
+    Filter: FilterSpec{
+      Version: SpecVersion,
+      Sources: []DataSource{
+        SourceApprovalRequest,
+        SourceProjectEvent,
+      },
+      Scope: ScopeSpec{Projects: ScopeProjects{Mode: ScopeAllVisible}},
+      Time:  TimeSpec{Horizon: HorizonPast30d, Field: FieldAuto},
+      Predicates: map[DataSource]Predicates{
+        SourceApprovalRequest: {ApprovalRequest: &ApprovalRequestPredicates{
+          ViewerRole: "any_visible",
+          Status:     []string{"pending"}, // default; bar can override
+        }},
+        SourceProjectEvent: {ProjectEvent: &ProjectEventPredicates{
+          EventTypes: InboxProjectEventKinds, // curated subset
+        }},
+      },
+    },
+    Render: RenderSpec{
+      Shape: ShapeList,
+      List: &ListConfig{
+        Density:   DensityComfortable,
+        Sort:      SortDateDesc, // newest first — different from today's date_asc
+        RowAction: RowActionInbox, // new — see §6.3
+      },
+    },
+  }
+}
+```
+
+Curated sub-list lives in `filter_spec.go` next to KnownProjectEventKinds:
+
+```go
+var InboxProjectEventKinds = []string{
+  "project_archived", "project_reparented", "project_type_changed",
+  "deadline_created", "deadline_completed", "deadline_reopened",
+  "deadline_updated", "deadline_deleted", "deadlines_imported",
+  "appointment_created", "appointment_updated", "appointment_deleted",
+  "note_created", "our_side_changed",
+}
+```
+
+(With Q1 pick A locked. If head picks B, drop the InboxProjectEventKinds
+list and remove the `EventTypes` predicate. If head picks C, narrow the
+list to deadline_* + appointment_* only.)
+
+KnownProjectEventKinds in `filter_spec.go:186` needs **additions** so
+`note_created`, `our_side_changed`, `deadline_updated`, `deadline_deleted`,
+`deadlines_imported` are valid filter values — without this the
+validator rejects the InboxSystemView spec. Migrate this list at the
+same time. (`event_categories` and similar grouping infra are already
+covered by `event_category_service.go` and won't move.)
+
+### 6.2 Approval-duplicate suppression
+
+In `view_service.runProjectEvents` (or in a tiny new predicate helper),
+skip `event_type LIKE '%_approval_%'` when source-set includes
+ApprovalRequest. This avoids the double-count described in Q1 §2.
+
+Implementation: extend `allowedProjectEventKinds` (view_service.go:649) to
+auto-drop the `*_approval_*` strings when the same RunSpec already
+fans out the approval_request source. One conditional, six lines.
+
+### 6.3 Mixed-row row_action
+
+`shape-list.ts` today: `row_action="approve"` → calls
+`renderApprovalList(rows)` which assumes every row is an approval.
+Need a new value:
+
+```go
+// render_spec.go
+const RowActionInbox ListRowAction = "inbox"
+```
+
+And register it in `KnownRowActions`.
+
+Frontend (`shape-list.ts`):
+
+```ts
+if (rowAction === "inbox") {
+  host.appendChild(renderInboxList(sorted));
+  return;
+}
+```
+
+Where `renderInboxList(rows)`:
+
+- approval_request rows → existing `renderApprovalRow(row)` template (the
+  per-row factor-out from `renderApprovalList`).
+- project_event rows → a new `renderProjectEventRow(row)` template:
+  timestamp + actor + title + project chip + optional "Öffnen" link
+  to the underlying entity (deadline / appointment / note / project
+  detail). Modelled on the Verlauf row in
+  `client/projects-detail.ts:651–700` (`.entity-event` markup).
+
+This makes the inbox stamping kind-aware. The
+existing `wireApprovalActions` continues to find buttons via class
+`.views-approval-action` and works unchanged.
+
+### 6.4 Endpoints — what's new vs reused
+
+| Path                                | Behaviour                                                | Slice |
+|-------------------------------------|----------------------------------------------------------|-------|
+| `GET /api/views/inbox/run`          | **Already exists** — fans the InboxSystemView spec.     | A reuse |
+| `GET /api/inbox/count`              | **Behaviour change:** count includes unread project_events on visible projects + pending approval_requests (the latter regardless of cursor). | A |
+| `POST /api/inbox/mark-all-seen`     | New. Sets `users.inbox_seen_at = now()` for the caller.  | A |
+| `GET /api/inbox/pending-mine`       | **Keep** — backwards-compat for clients (sidebar bell may still use it). | unchanged |
+| `GET /api/inbox/mine`               | **Keep** — used by the saved view `inbox-mine`.         | unchanged |
+
+The two `/api/inbox/{pending-mine,mine}` endpoints stay because they're
+narrower-than-RunSpec optimisations and used by the dashboard's
+`loadInboxSummary`. No reason to remove them.
+
+### 6.5 InboxSummary on the dashboard (out of scope, but flag)
+
+`DashboardData.InboxSummary` (dashboard_service.go:89) currently counts
+only pending approvals. If Slice C extends the badge count to include
+unread project_events, the dashboard widget also needs to swap
+`PendingCountForUser` for the new unified count — keep this as a small
+follow-up after Slice A ships and the cursor semantics are proven.
+
+---
+
+## 7. Slice plan
+
+### Slice A — Project-event aggregation + read cursor + list view
+
+**Goal:** /inbox shows pending approvals + curated project_events for
+visible projects in the last 30 days, with the new "Nur ungelesen"
+toggle. List view only.
+
+Tasks:
+
+1. **Migration `NNN_inbox_seen_at.up.sql`:**
+   `ALTER TABLE paliad.users ADD COLUMN inbox_seen_at timestamptz NULL;`
+2. **`filter_spec.go`:** extend `KnownProjectEventKinds` (add
+   `note_created`, `our_side_changed`, `deadline_updated`,
+   `deadline_deleted`, `deadlines_imported`). Add
+   `InboxProjectEventKinds` (curated subset, Q1=A).
+3. **`system_views.go`:** rewrite `InboxSystemView` per §6.1 with
+   both sources, `HorizonPast30d`, `SortDateDesc`,
+   `RowAction=RowActionInbox`.
+4. **`render_spec.go`:** add `RowActionInbox`, register in
+   `KnownRowActions`.
+5. **`view_service.go`:** in `runProjectEvents`, auto-drop
+   `*_approval_*` event_types when ApprovalRequest is in
+   `spec.Sources` (§6.2).
+6. **`approvals.go`:**
+   - New handler `handleInboxMarkAllSeen` →
+     `UPDATE paliad.users SET inbox_seen_at = now() WHERE id = $1`.
+   - Modify `handleInboxCount` to return
+     `pending_approvals_count + unread_project_events_count`. SQL
+     in approval_service.go: one new method
+     `UnseenInboxCountForUser(userID)` returning that union. Keep
+     `PendingCountForUser` (dashboard still uses it).
+7. **`shape-list.ts`:** factor `renderApprovalRow(row)` out of
+   `renderApprovalList`. Add `renderInboxList(rows)` that dispatches
+   per `row.kind`. Wire `row_action="inbox"` to it.
+8. **`client/inbox.ts`:**
+   - Add the `unread_only` axis to `INBOX_AXES` and wire to a FilterSpec
+     overlay (sub-spec `Time.Horizon=Past30d` AND
+     filter predicate "newer than cursor OR pending-approval").
+   - Render "Alles als gelesen markieren" button in the page header
+     (in `inbox.tsx`); on click POST `/api/inbox/mark-all-seen`,
+     refresh bar + badge.
+   - Listen for cursor update (server response) and refresh.
+9. **Sidebar badge (`client/sidebar.ts:initInboxBadge`):** unchanged code
+   path, but the new server count includes project_events. Add no client
+   changes for v1 — server returns the wider count.
+10. **i18n:** new keys —
+    - `inbox.title.feed` ("Inbox") replaces "Genehmigungen" in the page
+      header (since the page is now more than approvals).
+    - `inbox.subtitle.feed` ("Neuigkeiten zu Ihren Projekten und offene
+      Genehmigungen.").
+    - `inbox.action.mark_all_seen` ("Alles als gelesen markieren").
+    - `inbox.axis.unread_only.on/off`.
+    - `inbox.empty.feed` ("Keine Neuigkeiten in den letzten 30 Tagen.").
+    - `views.col.event_kind` (for the kind column in
+      table-density list).
+    - DE primary, EN secondary, both in `i18n.ts`.
+11. **Tests:** `system_views_test.go` covers the
+    InboxSystemView spec shape; new test for the de-dup helper in
+    view_service. `approval_service_test.go` adds tests for the new
+    `UnseenInboxCountForUser` method. New
+    `inbox_seen_at_test.go` covers the cursor migration + the POST
+    handler.
+12. **Verify** the page renders for a sample user with both event types
+    visible, "Nur ungelesen" toggles correctly, mark-all-seen clears the
+    badge, the project-events deduplicate against approval requests.
+
+### Slice B — Cards + calendar shape toggles
+
+**Goal:** `?shape=cards` and `?shape=calendar` work on /inbox; users can
+switch via the bar's shape chip. Approval rows on cards/calendar are
+*read-only* (open detail modal on click; no inline approve/reject).
+
+Tasks:
+
+1. **`client/inbox.ts`:** add `"shape"` to `INBOX_AXES`. Add the
+   per-shape host divs to `inbox.tsx` (one for cards, one for calendar)
+   matching the `/events` pattern. Implement `onResult` dispatch.
+2. **`shape-cards.ts`:** when `row.kind==="approval_request"` AND
+   `row.detail.status==="pending"`, stamp the approval row template
+   inline. Hoist the template out of `shape-list.ts` if reuse pays.
+3. **`shape-calendar.ts`:** approval_request rows render as date-point
+   chips; click opens a detail modal. The modal reuses the existing
+   `approval-edit-modal` for suggest-changes when the user is the
+   approver; otherwise a read-only summary.
+4. **CSS:** ensure `.entity-event` and `.views-approval-row` markup
+   coexist on the cards view without z-index clashes; lightweight
+   targeting via `.views-cards-list[data-surface="inbox"]`.
+5. **Tests:** shape toggle persistence via URL codec (already covered
+   in `url-codec.test.ts`; add one inbox-surface case).
+
+### Slice C — Badge upgrade + per-item dismiss (deferred)
+
+**Goal:** sidebar badge reflects unified count; per-item dismiss for
+power-users.
+
+Tasks:
+
+1. **`paliad.inbox_dismissals` table** —
+   `(user_id, source, row_id, dismissed_at)` PK `(user_id, source, row_id)`.
+   "source" is `approval_request` / `project_event`; "row_id" is the
+   row's UUID. New endpoint `POST /api/inbox/dismiss` body
+   `{source, row_id}`. RunSpec for inbox subtracts dismissed rows.
+2. **`/api/inbox/count`:** subtract dismissed rows from the count.
+3. **Dashboard widget:** `DashboardData.InboxSummary` swaps to a new
+   `UnifiedInboxSummary` that mirrors the page count. Backwards-compat
+   JSON: keep old fields, add `total_count` and `top_unified`.
+4. **Empty-state:** "Alle Einträge gelesen — gut gemacht."
+5. **Optional `member_role_changed` etc.:** if Slice A surfaces that
+   one of the excluded event_types is actually wanted, this slice opens
+   up `InboxProjectEventKinds` accordingly.
+
+### Why Slice A alone is shippable
+
+Slice A delivers m's full ask except the cards/calendar views — which
+are aesthetic shape toggles, not data changes. Slice A gives:
+
+- Inbox feed across approvals + project_events for visible projects
+- Project / type / time / read-state filters
+- Newest-first list with mark-all-seen
+- Sidebar badge reflects unified unread count (server-side)
+
+Slice B + C are layer cake on top with no schema or substrate changes.
+
+---
+
+## 8. Out of scope
+
+- **Push notifications.** Telegram / WhatsApp / email — different
+  channel concerns, separate design.
+- **Cross-user inbox views.** No "admin sees others' inboxes" in v1.
+- **Pinning / starring items.** Not in m's ask. If feedback after Slice
+  A wants it, opens its own design.
+- **Paliadin chat unread.** Not part of project_events; paliadin lives
+  in its own pane. Slice C could surface a banner if asked.
+- **Replacement of the existing /api/inbox/{pending-mine,mine} endpoints.**
+  They stay because the dashboard's `loadInboxSummary` uses them and
+  no benefit to consolidating.
+- **Detail-page changes.** Clicking a project_event row in the inbox
+  navigates to the existing entity detail page (deadline, appointment,
+  note); we don't build a new "event detail" view.
+- **InboxSummary on the dashboard.** Out of Slice A. Slice C upgrades
+  it; for now the widget keeps showing approval-only.
+
+---
+
+## 9. Open questions for m
+
+Defaulted to (R) per the inventor protocol — only **Q1** is escalated
+to head for explicit confirmation because it changes the
+inbox's surface area. Everything else falls to the recommended pick
+unless head/m flag otherwise.
+
+**Q1 — Event-type catalogue (material pick, head answered):**
+**LOCKED = A** (curated subset with `*_approval_*` de-dup). Head added
+`member_role_changed` to the curated list with a Slice B narrowing
+follow-up + a coarser `inbox_focus` chip cluster on the bar. Full
+decision recorded in §12.
+
+**Q2 — Time window:** (R) Past30d default + chip cluster
+(today / past_7d / past_30d / past_90d / any) + custom range via the
+existing time picker. Locked unless head overrides.
+
+**Q3 — Read/unread model:** (R) High-watermark cursor
+(`users.inbox_seen_at`). Pending approval_requests carry forward even
+when older than the cursor — guards against burying a high-value
+approval. Per-item dismiss is Slice C, opt-in. Locked.
+
+**Q4 — Filters surfaced on the bar:** (R) time / project /
+approval_viewer_role / approval_status / approval_entity_type /
+project_event_kind / unread_only / shape / sort / density. Locked
+unless head wants `source` (approvals-only vs events-only chip)
+added — defaulting to "not in v1".
+
+**Q5 — View toggle parity with /events:** (R) list (default — newest
+first) / cards (day-grouped) / calendar (date-point). Wired via the
+filter-bar's existing `shape` axis, not a per-page selector. Locked.
+
+**Q6 — Architecture:** (R) Reuse `view_service.RunSpec` with both
+sources in the InboxSystemView spec; no new aggregation service.
+Approval-event de-dup applied in `runProjectEvents`. Locked.
+
+**Q7 — Notification badge:** (R) Yes — Slice A makes the existing
+`/api/inbox/count` return the unified unread count; sidebar badge
+client unchanged. Locked.
+
+**Q8 — Acknowledgement flow:** (R) Approval rows keep
+approve/reject/revoke buttons inline (list shape only). project_event
+rows have no inline action — click row → navigate to the underlying
+entity. Cursor advance is via "Alles als gelesen markieren" only —
+no per-row mark-read in v1. Locked.
+
+**Q9 — Empty-state copy:** (R) "Keine Neuigkeiten in den letzten 30
+Tagen." (DE primary) / "No updates in the last 30 days." (EN). The
+existing admin nudge for unseeded approval_policies stays untouched.
+Locked.
+
+---
+
+## 10. Risks + mitigations
+
+- **Performance.** `runProjectEvents` reads up to LIMIT 500 rows per
+  user-call; with two sources unioned + 30-day window + visibility
+  predicate this should stay under 50ms on the live shape (project
+  count ~100, events/day low double digits). If
+  it doesn't, partial index hint: `paliad.project_events (created_at DESC)
+  WHERE event_type IN (curated list)` — Slice A optional, add if
+  EXPLAIN shows a seq scan in dev.
+- **De-dup correctness.** Suppressing `*_approval_*` events in the
+  project_event source relies on the approval_request row being the
+  authoritative signal. **Edge case:** a request gets revoked, then
+  re-requested — both audit events exist. Both correspond to a single
+  approval_request row at any moment (the latter via the partial-index
+  upsert). De-dup stays valid.
+- **Cursor advance race.** If two browser tabs both POST mark-all-seen,
+  the second wins (now() wins). Acceptable. If a user reads in tab A
+  then clicks an item in tab B that was created between the two reads,
+  tab A's "Alles als gelesen" advances past that newer item without
+  the user seeing it. Mitigation: server-side, `mark-all-seen` accepts
+  an optional `?up_to=<iso>` so the client can pin to the timestamp of
+  the newest visible row. Slice A wires this.
+- **shape-list factor-out.** Pulling `renderApprovalRow` out of
+  `renderApprovalList` risks regressions on the *current* /inbox. Cover
+  with a snapshot/golden test on the approval row markup in Slice A
+  before the dispatch change.
+- **Sidebar bell badge cap.** Current code clamps at "9+". Once we add
+  project_events, the count can easily exceed 100. Keep the "9+" clamp
+  for visual reasons — but make the page header show the *exact* count
+  ("123 neu") so the user knows what's behind it.
+- **Q1 fallback.** If head doesn't reply before Slice A coder shift
+  starts, the (R) pick A locks. If head later picks B or C, the only
+  change is the `InboxProjectEventKinds` list literal in
+  `filter_spec.go` — no schema impact, no migration change. Cheap to
+  flip.
+
+---
+
+## 11. Build/test verify list (Slice A done-when)
+
+1. `make build` clean.
+2. `go test ./...` passes; new tests cover:
+   - InboxSystemView spec shape includes both sources + curated kinds.
+   - `runProjectEvents` drops `*_approval_*` when ApprovalRequest is in spec.
+   - `UnseenInboxCountForUser` returns expected count for cursor and pending-approval combinations.
+   - POST `/api/inbox/mark-all-seen` updates the column.
+   - URL codec round-trip for `unread_only` axis.
+3. Inbox loads at `/inbox` with project-event rows interleaved with
+   approval rows in date-desc order.
+4. "Nur ungelesen" chip toggles between unread (with pending-approval
+   carve-out) and full feed.
+5. "Alles als gelesen markieren" advances cursor; bar refreshes;
+   badge clears (except for any still-pending approvals).
+6. Sidebar bell badge count is the unified number (approval + unread events).
+7. Existing approve/reject/revoke + suggest-changes flows on inbox
+   rows still work unchanged.
+8. `?tab=mine` legacy redirect still hits the right state.
+9. Bilingual labels render (DE/EN toggle).
+
+That's the doneness bar for Slice A.
+
+---
+
+## §12 — m's decisions (head 2026-05-25 11:30)
+
+Head replied to the `mai instruct head` escalation; folded in below.
+
+**Q1 (Event-type catalogue): A — locked.** Curated subset with
+`*_approval_*` de-dup. Tracks Verlauf, matches m's framing ("new events
+that relate to one's projects"), avoids double-counting approval audit
+events against the approval_request row.
+
+Locked InboxProjectEventKinds:
+
+- IN: `project_archived`, `project_reparented`, `project_type_changed`,
+  `deadline_created`, `deadline_completed`, `deadline_reopened`,
+  `deadline_updated`, `deadline_deleted`, `deadlines_imported`,
+  `appointment_created`, `appointment_updated`, `appointment_deleted`,
+  `note_created`, `our_side_changed`, **`member_role_changed`**
+  (added by head — see refinement #1).
+- OUT (audit duplicates of approval_requests): every `*_approval_*` event.
+- OUT (too granular / authoring noise): `status_changed`,
+  `project_created`, `checklist_*`.
+
+**Refinement 1 — `member_role_changed` visibility predicate.**
+Head wants this kind included but narrowed: surface the row only when
+the role change applies to the **viewer themselves** or someone above
+them in the project tree (i.e. impacts the viewer's permissions / chain
+of command), not when it's a peer's role changing on a project the
+viewer happens to see.
+
+- Slice A: include `member_role_changed` in
+  `InboxProjectEventKinds` without the narrowing predicate. The row
+  will appear for everyone who can see the project — over-surfacing but
+  not wrong. This keeps Slice A's MVP scope tight.
+- Slice B: add a per-row narrowing filter on top of the inbox source
+  (likely a small extension to `runProjectEvents` that, when
+  `event_type='member_role_changed'`, inspects `metadata.affects_user_id`
+  + walks the project-membership predicate before emitting). The
+  metadata shape is already written by the responsible handler; verify
+  + lock the filter in B.
+
+Q2-Q9 all default to (R) per the inventor protocol.
+
+**Refinement 2 — Filter chip copy.**
+For the visible chip cluster in the bar, head wants user-readable groupings,
+not raw event-kind names. The bar today exposes `project_event_kind`
+as one chip per kind (rendered via the
+`event.title.<kind>` i18n key). For the inbox surface, surface a
+**coarser grouping chip cluster** ahead of that:
+
+- "Genehmigungen" — narrows to `Sources=[approval_request]` only.
+- "Genehmigungen + Termine" — adds appointment_* event_kinds + the
+  approval_entity_type=appointment slice of approvals.
+- "Genehmigungen + Fristen" — adds deadline_* event_kinds + the
+  approval_entity_type=deadline slice of approvals.
+- "Alles" — default; both sources, full curated kinds list.
+
+Implementation: a new axis `inbox_focus` (Slice A, additive — replaces
+the lower-level `project_event_kind` chip's *default visibility* in the
+inbox UI; advanced users still see `project_event_kind` if they expand
+the bar). The four values map to FilterSpec overlays that tweak
+`Sources` + per-source `EventTypes`. Coder owns the exact chip-text
+final copy and the placement (probably first axis in `INBOX_AXES`).
+
+The lower-level `project_event_kind` chip stays in `INBOX_AXES` as an
+advanced override for power users — when active, it overrides the
+`inbox_focus` chip's per-kind defaults.
+
+---
+
+### What changes for Slice A as a result
+
+Doc deltas vs the draft text above:
+
+1. **§2 / §6.1:** add `member_role_changed` to InboxProjectEventKinds.
+   Note Slice B narrowing follow-up.
+2. **§4 / §5:** front of the bar gets a new `inbox_focus` axis
+   (4 chips: Alles / Genehmigungen / +Termine / +Fristen). Default
+   "Alles". `project_event_kind` stays available as an advanced chip,
+   visible after the user expands the bar's overflow section.
+3. **§7 Slice A task list:** add task —
+   "**12a.** New `inbox_focus` axis (`filter-bar/types.ts`,
+   `axes.ts`). FilterSpec overlay translates the chip value to a
+   `(Sources, ProjectEventPredicates.EventTypes, ApprovalRequestPredicates.EntityTypes)`
+   triple. URL codec round-trips."
+4. **§11 Slice B done-when:** add — "`member_role_changed` narrowing
+   predicate is in place; rows surface only when the change affects
+   the viewer's permissions chain."
+
+No schema changes from the head's adjustments. The `inbox_focus` axis
+is a pure UI/overlay primitive; nothing about the InboxSystemView spec
+schema moves.

docs/research-deadlines-completeness-2026-05-25.md

@@ -0,0 +1,956 @@
+# Bulletproof completeness audit — paliad.deadline_rules vs statutory sources
+
+**Author:** curie (researcher)
+**Date:** 2026-05-25
+**Task:** t-paliad-263 (m/paliad#94)
+**Mode:** read-only research, no DB writes
+**Branch:** `mai/curie/researcher-bulletproof`
+
+Scope confirmed by head (paliad/head → paliad/curie, 2026-05-25 15:13):
+**UPC Rules of Procedure + EPC + PatG / ZPO / GebrMG**, plus UPC Agreement /
+Statute where they create time-limits. No HLC-internal checklists exist in
+the current head's working tree.
+
+Companion / prior audits this report supersedes-and-extends:
+
+- `docs/audit-fristenrechner-completeness-2026-04-30.md` (curie, t-paliad-084) — youpc-vs-paliad gap analysis.
+- `docs/audit-upc-rop-deadlines-2026-05-08.md` (curie, t-paliad-159) — first UPC RoP gap list (52 rules / 2 duration bugs).
+- `docs/audit-fristen-logic-2026-05-13.md` (pauli, t-paliad-157) — schema audit; the codes used here (`upc.inf.cfi`, `de.inf.lg`, …) reflect the post-mig-096 rename.
+
+Migration baseline: migration ≤ `122_deadlines_custom_rule_text` (live as of 2026-05-25 14:00 UTC).
+
+---
+
+## §0. TL;DR
+
+- **20 active fristenrechner proceeding_types** (live, `is_active=true`,
+  `lifecycle_state='published'`) carry **132 active rules**. One extra
+  `_archived_litigation` row holds 40 retired Pipeline-A rules from
+  mig 093 — not surfaced anywhere, kept only for FK validity.
+
+| Jurisdiction | Active types | Active rules | Statute-bound rules audited |
+|---|---:|---:|---:|
+| UPC (CFI + CoA) | 9 (incl. upc.ccr.cfi alias) | 67 | 67 |
+| EPA | 3 | 23 | 23 |
+| DPMA | 3 | 13 | 13 |
+| DE (LG/OLG/BGH/BPatG) | 5 | 29 | 29 |
+| **Total** | **20** | **132** | **132** |
+
+- **5 high-impact bugs still live** that the prior May 8 audit
+  surfaced (2) plus 3 new ones identified here.
+  - 🔴 **`upc.rev.cfi.defence` 3 months, RoP.49.1 says 2 months.** Flagged
+    May 8; still live. ★★★ — every UPC_REV defendant.
+  - 🔴 **`upc.rev.cfi.rejoin` 2 months, RoP.52 says 1 month.** Flagged
+    May 8; still live. ★★★ — every UPC_REV proceeding.
+  - 🟠 **`upc.apl.merits.response` 2 months, RoP.235.1 says 3 months.**
+    New finding (May 8 audit recorded the rule as "3 months / present-wrong
+    rule_code only" — actually live data shows 2 months, so the audit
+    sample mis-recorded the duration too). ★★★ — every UPC main-track
+    appeal respondent.
+  - 🟠 **`de.inf.lg.beruf_begr` chains parent = berufung (1mo) + 2mo = 3mo
+    from urteil. ZPO §520(2) anchors the 2-month Begründungsfrist on
+    service of urteil, not on filing of Berufung.** New finding.
+    ★★★ — every DE-first-instance appellant.
+  - 🟠 **`de.inf.lg.replik` + `.duplik` have `parent_id=NULL` so they fire
+    on the trigger date (Klageerhebung) — sequence-order says 30/40 but
+    the compute engine reads parent_id first.** Reported as live UI bug
+    by m via head (2026-05-25 13:13); confirmed by SQL. ★★★ — every
+    DE-LG-Verletzung timeline.
+
+- **5 rule-code / citation drift bugs still live** from the May 8 audit
+  (`upc.apl.merits.notice`, `.grounds`, `.response`, `upc.rev.cfi.reply`,
+  `.rejoin`) — durations may or may not be right, but the cited
+  `legal_source` / `rule_code` points at the wrong rule. Pure
+  cosmetic on `.notice`/`.grounds` (durations are right); load-bearing on
+  `.rev.cfi.reply` / `.rejoin` because the cited rule is what tells
+  the lawyer where to look the rule up.
+
+- **4 DPMA / DE citation bugs** new in this audit, all citing PatG / ZPO
+  sections that don't contain the cited deadline:
+  - `de.null.bpatg.erwidg` cites `DE.PatG.82.1`; the 2-month Erwiderung
+    is actually `§82(3)` (§82(1) is the 1-month Erklärungsfrist).
+  - `dpma.opp.dpma.erwiderung` cites `DE.PatG.59.3`; §59(3) is about
+    hearings, not a 4-month proprietor response. The 4-month figure is
+    DPMA-internal practice, not statutory — should be court-set.
+  - `dpma.appeal.bpatg.begruendung` cites `DE.PatG.75.1`; §75 is about
+    *aufschiebende Wirkung* — there is no Begründungsfrist in PatG §73-§80
+    for the BPatG-Beschwerde. The 1-month figure is also non-statutory.
+  - `de.null.bgh.begruendung` cites `DE.PatG.111.1`; §111 is about the
+    grounds-of-appeal *content* (Verletzung des Bundesrechts), not the
+    Begründungsfrist. `de.null.bgh.erwiderung` cites `DE.PatG.111.3`;
+    §111(3) doesn't exist in the deadline sense.
+
+- **Wide UPC coverage gap inherited from May 8 audit, mostly un-closed:**
+  ~25 missing UPC RoP rules. Mig 095 (t-paliad-205) closed 4 of them
+  (R.19 Preliminary Objection on UPC_INF and UPC_REV, R.220.1(a)
+  merits-appeal spawn on both). The other ~21 (R.20.2, R.118.4,
+  R.197.3, R.198, R.207.6.a, R.207.9, R.213, R.109.1/.4/.5, R.118.5,
+  R.144, R.155, R.224.2(b), R.229.2, R.235.2, R.245.x, R.262.2,
+  R.321.3, R.333.2, R.353, plus the DNI family R.63-R.69) are
+  unchanged.
+
+- **EPC gaps:** EPA opposition + Beschwerde modelled at the
+  Article level only. Missing the entire Implementing Regulations
+  family that drives day-to-day deadlines — R.71(3) approval period
+  is half-modelled (the 4-month figure is there but the trigger
+  anchor is broken: parent_id=NULL), R.79(1) proprietor response
+  is modelled as a fixed 4-month period when it's actually
+  court-set, R.116 oral-proceedings cut-off is modelled as
+  duration-0/parent-NULL (works for some uses, not for others),
+  R.121 / R.135 Weiterbehandlung is missing entirely (concept
+  exists but no rule).
+
+- **DE/DPMA gaps:** the entire Wiedereinsetzung family (PatG §123)
+  is absent on the proceeding-tree side. `weiterbehandlung` and
+  `wiedereinsetzung` concept slugs exist in the cascade (Pathway B)
+  but no `paliad.deadline_rules` row computes them. Same for
+  `versaeumnisurteil-einspruch` (ZPO §339 — 2 weeks).
+
+- **15 ambiguities** that need m's judgement, not a coder's fix —
+  mostly around court-set vs statutory periods (e.g. richterliche
+  Fristen under ZPO §276(1) S.2, §283 Schriftsatznachreichung,
+  EPC R.79(1), §59(3) PatG) and around the "whichever is
+  longer / later" arithmetic primitives still missing
+  (R.198 / R.213 / R.245.2).
+
+- **Recommended fixes (§10) — total 41 items** prioritised in 4
+  tiers. Tier 0 (5 hard duration bugs + 1 sequencing bug + 9
+  citation/anchor bugs) should ship first. Tier 1 (12 rule-fill
+  gaps, ★★★ / ★★) next. Tier 2 + 3 are coverage breadth that
+  needs scoping by m (Wiedereinsetzung, R.198 working-day
+  arithmetic, full Implementing Regulations port).
+
+---
+
+## §1. Methodology
+
+For each of the 20 active proceeding_types I:
+
+1. **Pulled the live rule set** via `mcp__supabase__execute_sql` against
+   the youpc Postgres on 2026-05-25 14:00–15:00 UTC. Schema = `paliad`.
+   Filter: `is_active = true AND lifecycle_state = 'published'`.
+2. **Enumerated the statutory deadlines** in the relevant code for the
+   proceeding's scope.
+3. **Cross-referenced each statutory deadline against the live rule
+   set** on (a) duration + unit, (b) anchor / parent, (c) party,
+   (d) `rule_code` / `legal_source` citation, (e) sequencing.
+4. **Marked status**: `present-correct`, `present-wrong (duration)`,
+   `present-wrong (citation)`, `present-wrong (anchor)`,
+   `present-wrong (party)`, `partial`, `missing`, `n/a`.
+5. **Frequency tag** for prioritisation: ★★★ every case, ★★ common,
+   ★ specialist.
+
+### 1.1 Sources
+
+All citations carry a date stamp and a URL. Where the text was checked
+against more than one source, both are listed.
+
+| Source | URL | Verified on | Used for |
+|---|---|---|---|
+| UPC Rules of Procedure (consolidated 18.05.2023, in force 2023-06-01) | https://www.unifiedpatentcourt.org/sites/default/files/upc_documents/rop_application_-_consolidated_18_05_2023.pdf | 2026-05-25 | All UPC RoP citations |
+| UPC RoP verbatim text via `data.laws_contents` (youpc Postgres, law_type=`UPCRoP`, language=en) | youpc Supabase | 2026-05-25 | Cross-check on R.019.1, R.020.2, R.029.b/.c, R.049.1, R.051, R.051.p1, R.052, R.052.p1, R.220.1.a, R.224.1, R.224.1.a/.b, R.224.2, R.224.2.a/.b, R.235.1, R.235.2, R.237, R.238.1, R.238.2 |
+| European Patent Convention (EPC, 17th ed. 2020) — Articles | https://www.epo.org/en/legal/epc/2020/index.html (verbatim text per youpc `data.laws_contents`, law_type=`EPC`) | 2026-05-25 | EPC Articles 93, 99, 108, 112a, 116, 121, 123, 135 |
+| EPC Implementing Regulations — Rules (in force 2026 consolidated) | https://www.epo.org/en/legal/epc/2020/r71.html (and equivalents) | 2026-05-25 | EPC R.70(1), R.71(3), R.79(1)/(2), R.116(1), R.135 |
+| Patentgesetz (PatG) — gesetze-im-internet.de | https://www.gesetze-im-internet.de/patg/ | 2026-05-25 | §59, §73, §75, §82, §83, §99 ff., §100, §102, §110, §111 |
+| Zivilprozessordnung (ZPO) — gesetze-im-internet.de | https://www.gesetze-im-internet.de/zpo/ | 2026-05-25 | §253, §276, §277, §283, §296a, §339, §517, §520, §521, §524, §544, §548, §551, §554 |
+| Gebrauchsmustergesetz (GebrMG) — gesetze-im-internet.de | https://www.gesetze-im-internet.de/gebrmg/ | 2026-05-25 | §17 (Löschung), §18 (Verfahren) — referenced only to confirm out-of-scope: no GebrMG-rooted proceeding_type exists in paliad today |
+
+### 1.2 Conventions
+
+- A **rule** here means a row in `paliad.deadline_rules`. paliad's local
+  identifier is `submission_code` (post mig 098), e.g.
+  `upc.rev.cfi.defence`.
+- A **statutory deadline** means an obligation derived directly from the
+  text of a procedural code, with a fixed period.
+- "**Court-set**" / "richterliche Frist" means the statute authorises the
+  court / DPMA / EPO to set the period — there is no fixed statutory
+  duration. paliad models these with `is_court_set = true`
+  (post mig ~079) or, legacy-style, `duration_value = 0`.
+- "**Anchoring**" refers to which event the period runs from. paliad
+  models this via `parent_id` (chain anchor) or `anchor_alt` (e.g.
+  `priority_date`); a NULL parent_id with non-zero duration means the
+  deadline runs from the user-supplied trigger date.
+
+### 1.3 Hard constraint: "no fabricated provisions"
+
+Where I'm not 100% sure of a citation (because the youpc law DB only
+covers UPC + EPC, not PatG / ZPO, and my web-fetch coverage of
+PatG / ZPO is partial), I flag the finding as **"needs lawyer review"**
+in §9 rather than asserting a fix. Five PatG / ZPO findings carry that
+tag.
+
+---
+
+## §2. Current state inventory (per jurisdiction)
+
+### 2.1 UPC
+
+9 active types, 67 rules. `upc.ccr.cfi` is an alias proceeding that
+holds zero rules — it points at `upc.inf.cfi` rules under the
+`with_ccr` flag.
+
+| Code | Name | Rule count | Audited against |
+|---|---|---:|---|
+| `upc.inf.cfi` | Verletzungsverfahren | 15 | RoP 19, 23, 25, 29.a-e, 30, 32, 151, 220.1(a) |
+| `upc.rev.cfi` | Nichtigkeitsverfahren | 17 | RoP 19, 32, 42, 43.3, 49.1, 49.2.a, 49.2.b, 51, 52, 56.1/3/4, 220.1(a) |
+| `upc.pi.cfi` | Einstweilige Maßnahmen | 4 | RoP 205, 207, 211 |
+| `upc.disc.cfi` | Bucheinsicht | 4 | RoP 141, 142.2, 142.3 |
+| `upc.dmgs.cfi` | Schadensbemessung | 4 | RoP 131.2, 137.2, 139 |
+| `upc.apl.merits` | Berufung | 8 | RoP 220.1, 224.1.a, 224.2.a, 235.1, 237, 238.1 |
+| `upc.apl.order` | Berufung gegen Anordnungen | 5 | RoP 220.1(c), 220.2, 220.3, 237, 238.2 |
+| `upc.apl.cost` | Berufung gegen Kostenentscheidung | 2 | RoP 221.1 |
+| `upc.ccr.cfi` | Widerklage auf Nichtigkeit (alias) | 0 | — |
+
+### 2.2 EPA
+
+3 active types, 23 rules.
+
+| Code | Name | Rule count | Audited against |
+|---|---|---:|---|
+| `epa.grant.exa` | EP-Erteilung | 7 | EPC Art. 93, R.70(1), R.71(3) |
+| `epa.opp.opd` | EPA Einspruch | 8 | EPC Art. 99(1), 108, 116, 123; R.79(1), R.79(2), R.116(1) |
+| `epa.opp.boa` | EPA Beschwerde | 8 | EPC Art. 108, 112a; R.116(1); RPBA Art. 12 |
+
+### 2.3 DPMA
+
+3 active types, 13 rules.
+
+| Code | Name | Rule count | Audited against |
+|---|---|---:|---|
+| `dpma.opp.dpma` | DPMA Einspruch | 4 | PatG §59(1), §59(3) |
+| `dpma.appeal.bpatg` | BPatG-Beschwerde | 5 | PatG §73(2), §74 ff. |
+| `dpma.appeal.bgh` | BGH-Rechtsbeschwerde | 4 | PatG §100, §102 |
+
+### 2.4 DE (national patent / civil)
+
+5 active types, 29 rules.
+
+| Code | Name | Rule count | Audited against |
+|---|---|---:|---|
+| `de.inf.lg` | LG-Verletzungsklage | 8 | ZPO §253, §276, §283, §296a, §517, §520(2) |
+| `de.inf.olg` | OLG-Berufung Verletzung | 7 | ZPO §517, §520(2), §521(2), §524(2) |
+| `de.inf.bgh` | BGH-Revision Verletzung | 8 | ZPO §544, §548, §551, §554 |
+| `de.null.bpatg` | BPatG-Nichtigkeitsklage | 10 | PatG §81 ff., §82, §83 |
+| `de.null.bgh` | BGH-Nichtigkeitsberufung | 6 | PatG §110, §111 / ZPO ref via §117 PatG |
+
+### 2.5 Cross-cutting: cascade vs proceeding-tree coverage
+
+The cascade layer (`paliad.event_categories` + `…_concepts` +
+`paliad.deadline_concepts`) carries 56 concept "nouns" and ~153
+cascade-leaf → concept mappings. **9 concepts are orphans** (carry
+zero rules, so the cascade card dead-ends): `counterclaim-for-revocation`,
+`schriftsatznachreichung`, `versaeumnisurteil-einspruch`,
+`weiterbehandlung`, `wiedereinsetzung`, `notice-of-defence-intention`,
+plus 3 more. Inventory and recommendations live in
+`docs/audit-fristen-logic-2026-05-13.md` §3.4 — this audit covers only
+the proceeding-tree side.
+
+---
+
+## §3. Findings — Missing rules (statute defines, paliad doesn't)
+
+### 3.1 UPC RoP — 21 missing rules (out of ~25 flagged 2026-05-08, 4 closed by mig 095)
+
+Notation: ★★★ every case, ★★ common, ★ specialist. Verbatim RoP text
+sampled from youpc `data.laws_contents` (law_type=`UPCRoP`, lang=en).
+
+| RoP § | Period | Trigger | Freq | Notes |
+|---|---|---|---|---|
+| **R.20.2** | 14 days | Service of Preliminary Objection | ★ | Reply to PO. Companion to R.19 (which mig 095 added). Without R.20.2 the PO branch is half-modelled. |
+| **R.118.4** | 2 months | Final decision on validity served | ★★ | Application for orders consequential on validity. Common after central-division revocation. |
+| **R.118.5** | n/a UPC | n/a | n/a | UPC has no Versäumnisurteil-Einspruch; closest is R.355 (review of contumacy). |
+| **R.144** | 0 (anchor) | Final decision on damages quantum | ★ | UPC_DAMAGES tree end-row missing. |
+| **R.155** | 1mo / 14d | Cost-decision opposition chain | ★ | UPC_COST_APPEAL only has the leave-to-appeal step; no Defence-to-cost-app row. |
+| **R.197.3** | 30 days | Saisie order served on respondent | ★ | Review application. Trigger event 65 exists; no rule attached. |
+| **R.198** | 31 calendar days **OR 20 working days, whichever is longer** | Saisie executed | ★ | Start proceedings on the merits. Blocked on `working_days` + `combine='max'` primitives (see §7 + §9). |
+| **R.207.6.a** | 14 days | Notification of deficiency in PI application | ★★ | Registry correction. |
+| **R.207.9** | 6 months | PI filed | ★ | Renewal of protective letter. |
+| **R.213** | 31 days OR 20 working days | PI granted | ★★ | Same arithmetic gap as R.198. |
+| **R.109.1** | 1 month **before** | Oral hearing date | ★★ | Simultaneous translation request. `timing='before'` schema supported but no rule populates it (see §7 cross-cutting). |
+| **R.109.4** | 2 weeks **before** | Oral hearing date | ★★ | Interpreter cost notification. `timing='before'`. |
+| **R.109.5** | 2 weeks after | Order of judge-rapporteur to lodge translations | ★★ | trigger event 113 exists; no rule. |
+| **R.224.2.b** | 15 days | Order under R.220.1(c) or decision under R.220.2/221.3 served | ★★ | Grounds-on-orders track. `upc.apl.order` has appeal-itself but no separate grounds row. Verified verbatim against `UPCRoP.224.2.b` (youpc DB). |
+| **R.229.2** | 14 days | Notification of appeal-deficiency | ★ | Registry correction in appeal context. |
+| **R.235.2** | 15 days | Statement of grounds (orders track) served | ★★ | Verified verbatim against `UPCRoP.235.2` (youpc DB): *"Within 15 days of service of grounds of appeal pursuant to Rule 224.2(b), any other party … may lodge a Statement of response"*. `upc.apl.order` has no standalone response row. |
+| **R.245.1** | 2 months | Final decision served | ★ | Application for rehearing. |
+| **R.245.2.a** | 2 months | Discovery of fundamental defect (or final decision service, whichever is later) | ★ | Outer cap 12mo. Needs multi-anchor + `max-of-two-anchors` arithmetic. |
+| **R.245.2.b** | 2 months | Discovery of criminal offence (or final decision service, whichever is later) | ★ | Same shape as 245.2.a. |
+| **R.262.2** | 14 days | Receipt of opposing party's confidentiality application | ★★ | Daily occurrence in HLC infringement work. Trigger event 25 exists; no rule. |
+| **R.320** | 2 months (cap 12 mo) | Wegfall des Hindernisses (Wiedereinsetzung) | ★★ | Cascade card exists (mig 063) but no proceeding-tree rule computes the deadline. Bridges proceedings → no obvious home in any one tree. |
+| **R.321.3** | 10 days | Preliminary objection referral to central division | ★ | |
+| **R.333.2** | 15 days | Case-management order served | ★★ | Review-of-CMO. Routine in busy LDs. |
+| **R.353** | 1 month | Decision / order delivered | ★ | Rectification application. |
+| **DNI: R.63 / R.67.1 / R.69.1 / R.69.2** | 0 / 2mo / 1mo / 1mo | DNI cascade | ★ | No UPC_DNI proceeding_type exists. Fringe at HLC (zero published filings in 2026-Q1 per May 8 audit). |
+| **Registry-correction family: R.16.3.a, R.27.2, R.89.2, R.253.2** | 14 days each | Various deficiency notifications | ★ | All same 14-day duration; different trigger codes. Most natural home is cascade not proceeding-tree (see audit-fristenrechner-completeness-2026-04-30.md §3.1). |
+
+**Closed since May 8 audit (verified by SQL):**
+- ✅ R.19 Preliminary Objection on UPC_INF — `upc.inf.cfi.prelim`, 1mo, RoP.019.1, flag-gated `with_po` — mig 095.
+- ✅ R.19 Preliminary Objection on UPC_REV — `upc.rev.cfi.prelim`, 1mo, RoP.019.1, flag-gated `with_po` — mig 095 (cites R.19 i.V.m. R.46).
+- ✅ R.220.1(a) merits-appeal spawn on UPC_INF — `upc.inf.cfi.appeal_spawn`, 2mo, is_spawn=true → upc.apl.merits — mig 095.
+- ✅ R.220.1(a) merits-appeal spawn on UPC_REV — `upc.rev.cfi.appeal_spawn`, 2mo, is_spawn=true → upc.apl.merits — mig 095.
+
+### 3.2 EPC Implementing Regulations — 4 missing rules
+
+| EPC ref | Period | Trigger | Freq | Notes |
+|---|---|---|---|---|
+| **EPC R.135 (Weiterbehandlung)** | 2 months | Notification of loss of rights | ★★ | Concept `weiterbehandlung` exists in cascade (orphan); no rule. Applies broadly across `epa.grant.exa` and `epa.opp.opd`. |
+| **EPC R.99(2) / Art. 121** | 2 months | Loss-of-rights notification (further processing) | ★★ | Same family as R.135. |
+| **EPC Art. 112a(4)** | 2 months / 1 month | Discovery of grounds for review / decision served (whichever later) | ★ | paliad has `epa.opp.boa.r106` (2 months, parent=entsch2) — but the rule doesn't model the "whichever later" outer cap (12 months from decision per Art. 112a(4)). |
+| **EPC Art. 99(1) — opposition fee paid** | 9 months (no extension) | Mention of grant in Patentblatt | ★★★ | `epa.opp.opd.frist` IS modelled correctly at 9 months. **Note however:** the rule is on `epa.opp.opd` but the *trigger* is opposition-fee-paid (per Art. 99(1) S.2 — "Notice of opposition shall not be deemed to have been filed until the opposition fee has been paid"). Not a gap, but a documentation note. |
+
+### 3.3 PatG / ZPO — 5 missing rules
+
+| Citation | Period | Trigger | Freq | Notes |
+|---|---|---|---|---|
+| **PatG §123 (Wiedereinsetzung)** | 2 months | Wegfall des Hindernisses (cap 1 year) | ★★ | Cascade concept `wiedereinsetzung` exists; no rule on any DE/DPMA proceeding tree. Same modelling problem as UPC R.320 — bridges proceedings. |
+| **ZPO §339 (Versäumnisurteil-Einspruch)** | 2 weeks | Service of default judgment | ★ | Cascade concept `versaeumnisurteil-einspruch` orphan. |
+| **ZPO §544 — Nichtzulassungsbeschwerde-Begründung** | 2 months | Service of OLG-Urteil (NB: NOT from filing of NZB) | ★★ | `de.inf.bgh.nzb_begr` lists `DE.ZPO.544.4`, duration 2mo, parent=urteil_olg — **modelled correctly**. Listed here only to flag that the *parent anchoring* differs from `de.inf.lg.beruf_begr` which is wrong (see §7.1). |
+| **ZPO §283 (Schriftsatznachreichung) / §296a** | court-set | post-Verhandlung schriftsatzfrist | ★ | Cascade concept `schriftsatznachreichung` orphan. Court-set period — modelling as `is_court_set=true, duration=0` would suffice. |
+| **PatG §17(2) GebrMG / §18 GebrMG** | 1 month (Beschwerdefrist) | DPMA-Beschluss | ★ | Out of scope per head's confirmation (no GebrMG-rooted proceeding_type yet). Listed to confirm the deliberate gap. |
+
+### 3.4 DPMA — 0 missing rules
+
+DPMA coverage is shallow but not gappy. The 3 active types (opposition,
+BPatG-Beschwerde, BGH-Rechtsbeschwerde) cover the statutory steps. The
+problems here are **citation drift** (§4.4) and **anchor modeling**
+(§7.4) rather than missing rules.
+
+---
+
+## §4. Findings — Misattributed legal source
+
+### 4.1 UPC RoP citation drift (5 still live from May 8)
+
+| Rule | Live `rule_code` | Live `legal_source` | Should be | Source verified |
+|---|---|---|---|---|
+| `upc.apl.merits.notice` | `RoP.220.1` | `UPC.RoP.220.1` | `RoP.224.1.a` / `UPC.RoP.224.1.a` | `UPCRoP.224.1.a` youpc DB |
+| `upc.apl.merits.grounds` | `RoP.220.1` | `UPC.RoP.220.1` | `RoP.224.2.a` / `UPC.RoP.224.2.a` | `UPCRoP.224.2.a` |
+| `upc.apl.merits.response` | `null` | `null` | `RoP.235.1` / `UPC.RoP.235.1` | `UPCRoP.235.1` |
+| `upc.rev.cfi.reply` | `null` | `null` | `RoP.051` / `UPC.RoP.51.p1` | `UPCRoP.051.p1` |
+| `upc.rev.cfi.rejoin` | `null` | `null` | `RoP.052` / `UPC.RoP.52.p1` | `UPCRoP.052.p1` |
+
+Note on cascade vs proceeding-tree drift on R.220.3 anchoring is in
+`docs/audit-upc-rop-deadlines-2026-05-08.md` §5.4b — unchanged here.
+
+### 4.2 UPC RoP citation drift on Rule 49.1 format (1 still live)
+
+| Rule | Live `rule_code` | Should be |
+|---|---|---|
+| `upc.rev.cfi.defence` | `RoP.49.1` | `RoP.049.1` (canonical zero-padded form used by all other UPC rules) |
+
+### 4.3 DPMA — 3 mis-attributed citations
+
+| Rule | Live citation | Problem | Verified |
+|---|---|---|---|
+| `dpma.opp.dpma.erwiderung` | `§ 59 PatG` / `DE.PatG.59.3` | §59(3) PatG addresses *Anhörung*, not a 4-month response period. No statutory Erwiderungsfrist exists in §59. The 4-month figure is DPMA-internal practice. | WebFetch [gesetze-im-internet.de/patg/__59.html](https://www.gesetze-im-internet.de/patg/__59.html) 2026-05-25 |
+| `dpma.appeal.bpatg.begruendung` | `§ 75 PatG` / `DE.PatG.75.1` | §75 PatG is exclusively about *aufschiebende Wirkung* (suspensive effect). It does not establish any Begründungsfrist. No fixed Begründungsfrist for BPatG-Beschwerde exists in PatG §§73-80 — it is set by the BPatG in the individual case. | WebFetch [gesetze-im-internet.de/patg/__75.html](https://www.gesetze-im-internet.de/patg/__75.html) + [§73](https://www.gesetze-im-internet.de/patg/__73.html) 2026-05-25 |
+| `dpma.appeal.bpatg.beschwerde` | `§ 73 PatG` / `DE.PatG.73.2` | §73 contains the 1-month deadline correctly; the `.2` subscript however refers to §73(2) which is about Beschwerdebefugnis — the *Frist* is in §73(2) S.4 ("Die Beschwerdefrist beträgt einen Monat …"). Citation should be `DE.PatG.73.2.s4` or simply `DE.PatG.73.2`. **Borderline — flag, not a hard bug.** | gesetze-im-internet.de |
+
+### 4.4 DE patent / civil — 4 mis-attributed citations
+
+| Rule | Live citation | Problem | Verified |
+|---|---|---|---|
+| `de.null.bpatg.erwidg` | `§ 82 PatG` / `DE.PatG.82.1` | §82(1) is the 1-month *Erklärungsfrist* ("sich darüber zu erklären"); the 2-month full *Klageerwiderung* is in §82(3). Citation should be `DE.PatG.82.3`. Duration (2 months) is correct. | WebFetch [§82](https://www.gesetze-im-internet.de/patg/__82.html) 2026-05-25 |
+| `de.null.bpatg.replik_klaeger` | `§ 83 PatG` / `DE.PatG.83.2` | §83(2) is about the *Hinweisbeschluss* form; the Replik / Schriftsatz windows fall under §83(2) S.3 (Reaktion auf Hinweis). Citation OK at section level but ambiguous. **Borderline — flag, not a hard bug.** | gesetze-im-internet.de |
+| `de.null.bgh.begruendung` | `§ 111 PatG` / `DE.PatG.111.1` | §111 PatG defines the *Grounds* of Berufung (Verletzung des Bundesrechts), not a Begründungsfrist. The 3-month figure is supplied via §117 PatG → ZPO §520(2). Citation should be `DE.ZPO.520.2` (the actual time-limit source). | WebFetch [§111](https://www.gesetze-im-internet.de/patg/__111.html) 2026-05-25 |
+| `de.null.bgh.erwiderung` | `§ 111 PatG` / `DE.PatG.111.3` | §111 has no Erwiderungsfrist clause. The actual Erwiderungsfrist for BGH-Nichtigkeitsberufung is set by the court per §117 PatG → ZPO §521(2) (court-discretionary). Duration (2 months) is approximate — typical court-set period is 2 months but it's not fixed. **Should be modelled as court-set.** | WebFetch [§111](https://www.gesetze-im-internet.de/patg/__111.html) + ZPO §521 2026-05-25 |
+
+### 4.5 EPA — 1 mis-attributed citation
+
+| Rule | Live citation | Problem |
+|---|---|---|
+| `epa.opp.opd.erwidg` | `R. 79(1) EPÜ` / `EU.EPC-R.79.1` | Duration (4 months) is correct as the *typical* EPO-set period under the 2016 streamlined-opposition guidelines, but **R.79(1) does not specify a fixed period** — the Opposition Division sets it. The 4 months is administrative practice (EPO Guidelines D-IV, 5.2). Should be modelled as court-set with 4 months as the default-display value. |
+
+---
+
+## §5. Findings — Wrong period (statute says X, paliad says Y)
+
+| Rule | Live period | Statutory period | Source | Freq |
+|---|---|---|---|---|
+| **`upc.rev.cfi.defence`** | 3 months | **2 months** | RoP.049.1: *"The defendant shall lodge a Defence to revocation within two months of service of the Statement for revocation."* — verified verbatim from `UPCRoP.049.1` (youpc DB). Flagged 2026-05-08; still live. | ★★★ |
+| **`upc.rev.cfi.rejoin`** | 2 months | **1 month** | RoP.052: *"Within one month of the service of the Reply the defendant may lodge a Rejoinder to the Reply to the Defence to revocation"* — verified verbatim from `UPCRoP.052.p1`. Flagged 2026-05-08; still live. | ★★★ |
+| **`upc.apl.merits.response`** | 2 months | **3 months** | RoP.235.1: *"Within three months of service of the Statement of grounds of appeal pursuant to Rule 224.2(a), any other party … may lodge a Statement of response"* — verified verbatim from `UPCRoP.235.1`. New finding — May 8 audit recorded the duration as 3 months but the live row has always been 2 (migration 012:153 originally seeded 2). | ★★★ |
+| **`upc.pi.cfi.response`** | 0 / "court-set" (`is_court_set=false`, `duration=0`, `parent_id=NULL`) | court-set, judge-discretion under R.211.2 | RoP.211.2 — judge sets the inter-partes hearing date. Modelling is half-broken: `duration=0` with `parent_id=NULL` makes the calculator treat this as a root anchor rather than a court-set placeholder. Should set `is_court_set=true` and chain `parent_id=app`. | ★★ |
+
+(All other rules audited have correct durations.)
+
+---
+
+## §6. Findings — Wrong party
+
+No clear party mis-assignments found in the live data. Two notes worth
+recording, not bugs:
+
+- `upc.inf.cfi.app_to_amend` carries `primary_party='claimant'`. The
+  defendant in an INF case is the alleged infringer; the patent
+  proprietor (=claimant) is who would file an Application to Amend
+  the patent. **Correct.** Listed here only because R.30 reads "the
+  defendant" in some summaries — those refer to the claimant of the
+  CCR (= defendant of the INF), which loops back to the same person
+  who is the INF-claimant / patent-proprietor.
+- `dpma.opp.dpma.erwiderung` carries `primary_party='defendant'`. In an
+  EPA-style opposition, the patent proprietor is the "defendant" of the
+  opposition. Consistent with EPA convention. **Correct.**
+
+---
+
+## §7. Findings — Wrong sequencing / anchoring
+
+### 7.1 `de.inf.lg.beruf_begr` chains parent = `berufung`, should anchor on `urteil` directly
+
+| Live | Per ZPO §520(2) |
+|---|---|
+| `de.inf.lg.beruf_begr.parent_id = de.inf.lg.berufung`, `duration = 2 months` → effective end = trigger + 1mo (Berufung) + 2mo = **3 months** after Urteil service | "Die Frist für die Berufungsbegründung beträgt zwei Monate. Sie beginnt mit der Zustellung des in vollständiger Form abgefassten Urteils" → **2 months** after Urteil service |
+
+Verified verbatim via WebFetch
+[gesetze-im-internet.de/zpo/__520.html](https://www.gesetze-im-internet.de/zpo/__520.html)
+2026-05-25.
+
+The companion `de.inf.olg.begruendung` is **correct** — parent =
+`urteil_lg`, 2mo, so end = Urteil + 2mo. Same statute, two paliad
+rules, two different anchorings: this is a real bug in `de.inf.lg`.
+
+### 7.2 `de.inf.lg.replik` and `de.inf.lg.duplik` have `parent_id = NULL`
+
+This is the bug head flagged. Live data:
+
+| submission_code | name | duration | parent_id | sequence_order |
+|---|---|---|---|---|
+| `de.inf.lg.klage` | Klageerhebung | 0 mo | NULL | 0 |
+| `de.inf.lg.anzeige` | Anzeige Verteidigungsbereitschaft | 2 wk | `de.inf.lg.klage` | 10 |
+| `de.inf.lg.erwidg` | Klageerwiderung | 6 wk | `de.inf.lg.klage` (court-set=true post mig 095) | 20 |
+| **`de.inf.lg.replik`** | Replik | **4 wk** | **NULL** | 30 |
+| **`de.inf.lg.duplik`** | Duplik | **4 wk** | **NULL** | 40 |
+| `de.inf.lg.termin` | Haupttermin | 0 mo | NULL (court-set) | 50 |
+| `de.inf.lg.urteil` | Urteil | 0 mo | NULL (court-set) | 60 |
+| `de.inf.lg.berufung` | Berufungsfrist | 1 mo | NULL | 70 |
+| `de.inf.lg.beruf_begr` | Berufungsbegründung | 2 mo | `de.inf.lg.berufung` | 80 |
+
+With `parent_id = NULL` the calculator anchors Replik on the
+triggerDate (= Klageerhebung), and same for Duplik. So both render
+"4 Wochen ab Klageerhebung" — i.e. before the Klageerwiderung is
+even due. Correct chain should be:
+
+- `replik.parent_id = de.inf.lg.erwidg`, with `is_court_set = true` (richterliche Frist § 276(1) S.2 / § 283 ZPO — typ. 4 weeks default)
+- `duplik.parent_id = de.inf.lg.replik`, same shape
+
+Both rules lack `legal_source` and `rule_code`, which is consistent
+with them being court-set Schriftsatzfristen (no statutory clamp).
+Recommendation in §10.
+
+### 7.3 `upc.apl.merits.grounds` has `parent_id = NULL`
+
+This anchors Grounds on the user-supplied trigger date (=Entscheidung
+service). **Correct** behaviour per RoP.224.2.a: *"within four months
+of service of a decision referred to in Rule 220.1(a) and (b)"*.
+
+If `parent_id` were set to `upc.apl.merits.notice` (as the May 8 audit
+hypothesised), the chain would compound (1-day notice + 4mo grounds =
+~4mo + 1 day), accidentally landing near the right end-date for the
+common case but wrong by up to 2 months in the edge case (when notice
+is filed early). **No fix needed; document the intent.** (This is
+the change the May 8 audit recommended; it was applied in mig 097 or
+earlier.)
+
+### 7.4 DPMA Pathway-A anchors are partially modelled
+
+- `dpma.appeal.bgh.begruendung` chains parent = `rechtsbeschwerde`
+  (1mo + 1mo = 2mo from BPatG-Entscheidung). Per PatG §102 the
+  Rechtsbeschwerdebegründungsfrist is 1 month from filing of the
+  Rechtsbeschwerde — **correct**.
+- `dpma.appeal.bpatg.begruendung` chains parent = `beschwerde`
+  (1mo + 1mo = 2mo from DPMA-Entscheidung). **No statutory basis for
+  the 1-month figure** (see §4.3). Should be court-set.
+
+### 7.5 EPA grant timeline — `epa.grant.exa.r71_3` and `.approval` have `parent_id = NULL`
+
+Live:
+
+| Rule | Duration | parent_id | Issue |
+|---|---|---|---|
+| `epa.grant.exa.r71_3` | 0 mo | NULL | Should chain on `exam_req` (after examination request is granted, EPO issues R.71(3) communication). NULL parent + 0 duration = root anchor at trigger date — works only if user enters the R.71(3) date as trigger; doesn't compose with the rest of the tree. |
+| `epa.grant.exa.approval` | 4 mo | NULL | Per R.71(3) approval period: 4 months from notification. **Anchor should be `r71_3`**, not NULL. As-is, "Zustimmung + Übersetzung" appears as a free-standing 4-mo-from-trigger row that has nothing to do with the rest of the timeline. |
+
+### 7.6 Summary
+
+| # | Rule | Bug |
+|---|---|---|
+| 1 | `de.inf.lg.beruf_begr` | parent should be NULL (anchored on Urteil-trigger) not `berufung` — off by 1 month, ★★★ |
+| 2 | `de.inf.lg.replik` | parent should be `erwidg` not NULL, ★★★ |
+| 3 | `de.inf.lg.duplik` | parent should be `replik` not NULL, ★★★ |
+| 4 | `dpma.appeal.bpatg.begruendung` | should be court-set; current 1-month period has no statutory basis, ★★ |
+| 5 | `dpma.appeal.bpatg.beschwerde` parent is `entscheidung` — OK, just a citation issue (§4.3) | (citation only) |
+| 6 | `epa.grant.exa.r71_3` parent | should chain on `exam_req`, ★ |
+| 7 | `epa.grant.exa.approval` parent | should chain on `r71_3`, ★ |
+| 8 | `upc.pi.cfi.response` | court-set placeholder with `parent_id=NULL` and `is_court_set=false` — should chain on `app` with `is_court_set=true`, ★★ |
+
+---
+
+## §8. Findings — Duplicates
+
+No genuine duplicates. The closest cases:
+
+- `upc.inf.cfi.reply` + `upc.inf.cfi.def_to_ccr` both fire at 2mo after
+  `sod` under `with_ccr`. They cover different actions (Reply to SoD
+  vs. Defence to CCR + Reply to SoD combined) per RoP.029.a vs .b.
+  **Not a duplicate** — distinct rule codes.
+- `upc.rev.cfi.reply` (2mo, no rule_code) and the older `REV.rev_reply`
+  on the archived litigation type — the archived type is hidden
+  (`pt.is_active = false`) so this isn't a duplicate the user sees.
+  Recommendation in §10 to drop the archived corpus once mig 093's
+  audit window closes.
+- `epa.opp.boa.r106` (Art. 112a review) appears only on
+  `epa.opp.boa`, not on `epa.opp.opd` — correct, since Art. 112a
+  review is only available against a Boards-of-Appeal decision.
+
+---
+
+## §9. Ambiguities — decisions m needs to make
+
+These are not bugs the coder can fix. They are judgement calls about
+how to model the law.
+
+### 9.1 Court-set vs fixed-period for richterliche Fristen
+
+The cleanest source-of-truth for these is "no statutory duration —
+court sets the period in the individual case." Modelling them as a
+fixed period with a wrong citation is the bug pattern we keep finding:
+
+- `dpma.opp.dpma.erwiderung` (4 mo) — DPMA practice, not §59 PatG.
+- `dpma.appeal.bpatg.begruendung` (1 mo) — no statutory basis.
+- `de.inf.olg.erwiderung` (1 mo, §521(2)) — §521(2) is explicitly
+  discretionary ("Der Vorsitzende oder das Berufungsgericht **kann**
+  der Gegenpartei eine Frist … bestimmen"). Verified WebFetch
+  [gesetze-im-internet.de/zpo/__521.html](https://www.gesetze-im-internet.de/zpo/__521.html)
+  2026-05-25.
+- `de.null.bgh.erwiderung` (2 mo, "§111(3) PatG") — court-set per §117
+  PatG → ZPO §521(2).
+- `de.null.bpatg.duplik` (1 mo, §83 PatG) — court-set; the 1-month
+  default is BPatG practice.
+- `de.inf.lg.replik`, `.duplik` (4 wk each) — court-set per
+  §283 / §296a ZPO + §276(1) S.2.
+- `epa.opp.opd.erwidg` (4 mo, "R.79(1)") — EPO-set per Guidelines.
+
+**Question (Q1):** Should paliad continue to display these with a
+default duration but flag them as "richterliche Frist — vom Gericht
+festgesetzt", OR should they all flip to `is_court_set=true,
+duration=0` and force the user to enter the actual court-set date?
+
+Head's 2026-05-25 13:13 signal confirms: m's preference is that "Frist
+vom Gericht bestimmt" be flagged as needing case-by-case anchoring,
+not displayed as a fixed period. So default answer = flip to
+`is_court_set=true` and keep the typical period as the *Default*
+display value (the calculator already supports this since the
+mig 095 / `de.inf.lg.erwidg` patch). But the trade-off is a UX
+regression: most users will not enter the actual court-set date
+and the timeline will then show "vom Gericht bestimmt" everywhere.
+
+### 9.2 R.198 / R.213 "31 days OR 20 working days, whichever is longer"
+
+Two RoP rules need a primitive paliad doesn't have:
+- A `working_days` duration unit (counts business-day arithmetic via
+  the holiday service).
+- A `combine = 'max'` operator that compares two durations and picks
+  the later end-date.
+
+**Question (Q2):** Implement the primitive (~120 LoC migration + ~80 LoC
+Go), or document both rules as "manual calculation required, see RoP"
+in the UI? Real R.198 / R.213 cases are rare (saisie + PI). The May 8
+audit suggested deferring; pauli's 2026-05-13 audit §7.1 made the
+case for adding `combine_op` as part of a broader Pipeline A/C merge.
+
+### 9.3 R.245.2 rehearing "whichever is later" trigger
+
+R.245.2.a/b: deadline 2 months from final decision OR from defect
+discovery, whichever is *later*. Plus outer cap 12 months. Needs:
+
+- Multi-anchor trigger event (user supplies 2 dates).
+- `combine = 'max'` between anchors.
+- Outer-cap arithmetic (separate concept from duration).
+
+**Question (Q3):** Defer (specialist, vanishingly rare) or build the
+primitives?
+
+### 9.4 EPC Art. 112a review — outer cap
+
+Same shape as R.245.2: 2 months from defect discovery, outer cap 12
+months from decision. `epa.opp.boa.r106` models the 2-month period
+but not the cap.
+
+### 9.5 PatG §123 Wiedereinsetzung calendar arithmetic
+
+Cascade card (slug `wiedereinsetzung`) exists. The 2mo / 1-year
+arithmetic anchors on the *missed* deadline, not on a forward-looking
+event. paliad's `paliad.deadline_rules` schema has no natural shape
+for this — it would need either a special-case Go helper, or a
+"backward-from-missed-deadline" mode that no rule today uses.
+
+**Question (Q4):** Worth modelling? The cascade card already routes
+the user to the concept; computing the calendar deadline is an
+incremental win.
+
+### 9.6 ZPO §339 Versäumnisurteil-Einspruch
+
+Cascade card orphan. 2 weeks from service of the default judgment.
+Trivial to add as a `de.inf.lg.einspruch_vu` rule (court-decision
+anchor + 2wk fixed). **Question (Q5):** Add as a child of
+`de.inf.lg.urteil` (with `condition_expr={"flag":"with_vu"}`), or
+as a separate proceeding `de.inf.lg.vu`?
+
+### 9.7 Litigation-vs-fristenrechner archived corpus
+
+The 40 rules on `_archived_litigation` (mig 093 retirement holding pen)
+still occupy the rule table. They're invisible to all UIs.
+
+**Question (Q6):** Drop them now (data clean-up), or keep until the
+mig 093 audit window closes formally?
+
+### 9.8 R.79(2) further-party observations period
+
+EPC R.79(2) creates a separate notification window for additional
+opponents. paliad's `epa.opp.opd.r79_further` is modelled as
+`duration=0, is_bilateral=true`. **Question (Q7):** Is this even worth
+keeping? Real workflow: EPO sets a separate period in each
+intervention case. Hard to template.
+
+### 9.9 R.116(1) EPC oral-proceedings cut-off
+
+paliad has it as `duration=0, parent_id=entsch` (`epa.opp.opd.r116`) /
+`parent_id=oral` (`epa.opp.boa.r116`). R.116(1) actually says the
+EPO sets a "final date for making written submissions" when issuing
+the summons. So it's a court-set period, not zero-duration.
+**Question (Q8):** flip to `is_court_set=true` like the §276(1) ZPO
+fix in mig 095?
+
+### 9.10 R.131.2 indication of damages period
+
+paliad models `upc.dmgs.cfi.app` as a 0-duration root anchor (court
+sets when the damages-determination phase opens, per R.131.2). This
+is correct shape but means the entire damages tree is unanchored
+until the user provides the trigger date manually.
+
+**Question (Q9):** Wire `is_spawn` from `upc.inf.cfi.decision` to
+`upc.dmgs.cfi.app` (parallel to the mig-095 appeal-spawn)?
+
+### 9.11 PatG §17 GebrMG / §18 GebrMG
+
+No GebrMG-rooted proceeding_type exists in paliad. Head confirmed
+out-of-scope for this audit. **Question (Q10):** Add a `de.gm.lg`
+proceeding for GebrMG-Löschungsverfahren if HLC sees them?
+
+### 9.12 Proceeding-tree vs cascade parity
+
+paliad has 9 cascade-only concepts with `rule_count = 0` (the orphans
+listed in `audit-fristen-logic-2026-05-13.md` §3.4). The audit-fristen
+audit covers this; restating here only to note that the parity gap
+is the largest single source of "the cascade card promises a
+calculation but doesn't deliver one."
+
+**Question (Q11):** Same as the audit-fristen Q8 — priority order
+for the 9 orphan concepts? My ranking: wiedereinsetzung >
+schriftsatznachreichung > versäumnisurteil-einspruch >
+weiterbehandlung > rest.
+
+### 9.13 R.220.3 anchor
+
+See `audit-upc-rop-deadlines-2026-05-08.md` §5.4b. paliad anchors
+`upc.apl.order.discretion` on the original order (`order`), but
+the 15-day clock per RoP.220.3 runs from the refusal-of-leave
+date (or day-15 fall-back). Off by up to 15 days in the edge case.
+**Question (Q12):** add an explicit `app_ord.refusal` court-set
+intermediate node?
+
+### 9.14 EP_GRANT publish date — priority vs filing
+
+`epa.grant.exa.publish` correctly has `anchor_alt='priority_date'`.
+This was open in the May 8 audit and is now closed. **No question —
+listed to confirm.**
+
+### 9.15 Cross-proceeding spawn execution
+
+mig 095 added two `is_spawn=true` rules (`inf.appeal_spawn`,
+`rev.appeal_spawn` → `upc.apl.merits`). The May 13 audit §1.6 +
+§6.8 noted spawn execution is half-wired in `projection_service.go`.
+**Question (Q13):** wire end-to-end now (so the spawned appeal
+timeline appears in SmartTimeline), or accept the half-wired state?
+
+---
+
+## §10. Recommended fixes (prioritised)
+
+### Tier 0 — hard duration / sequencing / anchor bugs (ship first)
+
+| # | Rule | Fix | Reason / source | Freq |
+|---|---|---|---|---|
+| T0.1 | `upc.rev.cfi.defence` | `duration_value = 2` (was 3), `rule_code = 'RoP.049.1'`, `legal_source = 'UPC.RoP.49.1'` | §5 — every UPC_REV tracked in paliad today computes Defence at wrong month for the last ~3 months | ★★★ |
+| T0.2 | `upc.rev.cfi.rejoin` | `duration_value = 1` (was 2), `rule_code = 'RoP.052'`, `legal_source = 'UPC.RoP.52.p1'` | §5 — same as T0.1 | ★★★ |
+| T0.3 | `upc.apl.merits.response` | `duration_value = 3` (was 2), `rule_code = 'RoP.235.1'`, `legal_source = 'UPC.RoP.235.1'` | §5 — every main-track appellate respondent | ★★★ |
+| T0.4 | `de.inf.lg.beruf_begr` | `parent_id = NULL` (was `de.inf.lg.berufung`) — runs 2 months from triggerDate (Urteil-service) per ZPO §520(2) | §7.1 — every DE-LG-Verletzung appeal | ★★★ |
+| T0.5 | `de.inf.lg.replik` | `parent_id = de.inf.lg.erwidg`, `is_court_set = true` (richterliche Frist § 276(1) S.2 / § 283 ZPO), keep 4-week default | §7.2 — bug head flagged | ★★★ |
+| T0.6 | `de.inf.lg.duplik` | `parent_id = de.inf.lg.replik`, `is_court_set = true` | §7.2 | ★★★ |
+| T0.7 | `upc.rev.cfi.reply` | `rule_code = 'RoP.051'`, `legal_source = 'UPC.RoP.51.p1'` (duration 2mo unchanged) | §4.1 | ★★★ |
+| T0.8 | `upc.rev.cfi.rejoin` (citation only) | covered in T0.2 | — | — |
+| T0.9 | `upc.apl.merits.notice` | `rule_code = 'RoP.224.1.a'`, `legal_source = 'UPC.RoP.224.1.a'` (duration unchanged) | §4.1 | ★★ |
+| T0.10 | `upc.apl.merits.grounds` | `rule_code = 'RoP.224.2.a'`, `legal_source = 'UPC.RoP.224.2.a'` (duration unchanged) | §4.1 | ★★ |
+| T0.11 | `upc.rev.cfi.defence` rule_code zero-pad | covered in T0.1 | — | — |
+| T0.12 | `dpma.opp.dpma.erwiderung` | flip to `is_court_set = true`, keep 4-month default-display value, drop the misleading `DE.PatG.59.3` citation (or replace with "DPMA-Richtlinien D-IV 5.2") | §4.3 + §9.1 | ★★ |
+| T0.13 | `dpma.appeal.bpatg.begruendung` | flip to `is_court_set = true`, drop the `DE.PatG.75.1` citation, keep 1-month default | §4.3 + §9.1 | ★★ |
+| T0.14 | `de.null.bpatg.erwidg` | citation `DE.PatG.82.3` (was 82.1); duration (2mo) correct | §4.4 | ★★ |
+| T0.15 | `de.null.bgh.begruendung` | citation `DE.ZPO.520.2` via PatG §117 (was DE.PatG.111.1); duration (3mo) correct | §4.4 | ★★ |
+| T0.16 | `de.null.bgh.erwiderung` | flip to `is_court_set = true`; citation `DE.ZPO.521.2 via PatG §117` (was DE.PatG.111.3); duration (2mo) becomes default-display | §4.4 + §9.1 | ★★ |
+| T0.17 | `epa.opp.opd.erwidg` | flip to `is_court_set = true`, keep 4-month default | §4.5 + §9.1 | ★★ |
+
+**16 hard fixes.** All within the existing schema (no new columns).
+Each is a single-row UPDATE plus an audit-log entry.
+
+### Tier 1 — high-value missing rules (★★ / ★★★)
+
+| # | Rule | Add | Freq |
+|---|---|---|---|
+| T1.1 | `upc.inf.cfi.cmo_review` | 15 days from CMO service (R.333.2) | ★★ |
+| T1.2 | `upc.inf.cfi.confidentiality_response` | 14 days from opp. confidentiality app (R.262.2) | ★★ |
+| T1.3 | `upc.apl.order.grounds_orders` | 15 days from order service (R.224.2(b)) | ★★ |
+| T1.4 | `upc.apl.order.response_orders` | 15 days from grounds service (R.235.2) | ★★ |
+| T1.5 | `upc.inf.cfi.cons_orders` | 2 months from validity decision (R.118.4) | ★★ |
+| T1.6 | `upc.inf.cfi.rectification` | 1 month from decision (R.353) | ★ |
+| T1.7 | `upc.pi.cfi.deficiency` | 14 days from PI deficiency notification (R.207.6.a) | ★★ |
+| T1.8 | `upc.pi.cfi.merits_start` | 31d OR 20wd from PI grant (R.213) — **blocked on Q2** | ★★ |
+| T1.9 | `upc.inf.cfi.translation_request` | 1 month **before** oral hearing (R.109.1) | ★★ |
+| T1.10 | `upc.inf.cfi.interpreter_cost` | 2 weeks **before** oral hearing (R.109.4) | ★★ |
+| T1.11 | `upc.inf.cfi.translations_lodge` | 2 weeks after summons (R.109.5) | ★★ |
+| T1.12 | `upc.pi.cfi.response` re-anchor | court-set, parent=`app` (currently a broken root) | ★★ |
+
+**12 rule-adds.** T1.9/.10 are the only `timing='before'` rules in the
+entire UPC corpus; schema already supports `before` but no rule
+populates it. Verify the backward-snap-to-working-day logic in
+`internal/services/deadline_calculator.go` before merging
+(2026-04-30 audit §5.4 raised the concern).
+
+### Tier 2 — broader coverage (★ specialist + Wiedereinsetzung family)
+
+| # | Rule | Add | Notes |
+|---|---|---|---|
+| T2.1 | `de.inf.lg.einspruch_vu` | 2 weeks from service of Versäumnisurteil (ZPO §339) | Q5 — proceeding shape decision |
+| T2.2 | `upc.inf.cfi.wiedereinsetzung` | 2 mo / 1-year-cap from Wegfall des Hindernisses (R.320) | Q4 — needs special arithmetic |
+| T2.3 | `de.inf.lg.wiedereinsetzung` | 2 mo / 1-year-cap (PatG §123 / ZPO §233 ff.) | Q4 |
+| T2.4 | `epa.grant.exa.weiterbehandlung` | 2 mo from loss-of-rights notification (EPC R.135) | — |
+| T2.5 | `upc.inf.cfi.prelim_reply` | 14 days from PO service (R.20.2) | Companion to R.19 (mig 095 added it) |
+| T2.6 | `upc.apl.order.discretion_anchor` | add explicit `refusal` intermediate node so R.220.3 anchors correctly (Q12) | |
+| T2.7 | `upc.dmgs.cfi.app` spawn | `is_spawn=true` from `upc.inf.cfi.decision` (Q9) | |
+| T2.8 | `upc.disc.cfi.app` spawn | same shape as T2.7 | |
+| T2.9 | `epa.grant.exa.r71_3` re-anchor | parent = `exam_req` (§7.5) | |
+| T2.10 | `epa.grant.exa.approval` re-anchor | parent = `r71_3` (§7.5) | |
+| T2.11 | `upc.inf.cfi.appeal_spawn` cross-proc wiring | finish the half-wired spawn execution (Q13) | |
+
+### Tier 3 — tooling primitives (block multiple rules)
+
+| # | Primitive | Blocks | Notes |
+|---|---|---|---|
+| T3.1 | `duration_unit = 'working_days'` | R.198, R.213 | Schema already accepts the string; add to calculator + UI |
+| T3.2 | `combine_op = 'max'` | R.198, R.213, R.245.2 | Column already exists per pauli's 2026-05-13 audit |
+| T3.3 | Multi-anchor "whichever later" trigger | R.245.2.a/b | UI + service work |
+| T3.4 | Outer-cap modelling (`outer_cap_value` + `outer_cap_unit`) | R.245.2 (12mo), R.320 (12mo), EPC Art.112a(4) (12mo) | Schema add |
+| T3.5 | "Before"-mode backward snap to working day | R.109.1, R.109.4 | Calculator change (audit-fristenrechner-completeness-2026-04-30.md §5.4) |
+| T3.6 | Cross-proceeding spawn end-to-end (`is_spawn`) | T2.7, T2.8, T2.11 | Pauli's §6.8 |
+
+### Tier 4 — out-of-scope until separate prioritisation
+
+- DNI family (R.63 / R.67.1 / R.69.1 / R.69.2). Zero published filings 2026-Q1.
+- Registry-correction family (R.16.3.a, R.27.2, R.89.2, R.253.2). Most natural in cascade, not proceeding-tree.
+- GebrMG (no proceeding_type today).
+- R.245 rehearing family (specialist).
+- R.155 cost-decision opposition chain (specialist).
+- R.144 UPC_DAMAGES tree-end row (cosmetic).
+- R.79(2) EPC further-parties period (modelling unclear — Q7).
+
+---
+
+## §11. Next-step proposals (suggested fix-task slicing)
+
+The audit identifies **41 distinct actionable items.** Below is a
+suggested decomposition into fix-tasks that can be assigned
+independently. Sequence reflects "Wave 0 must precede Wave 1" only
+where there's a real dependency (most slices are independent).
+
+### Wave 0 — Tier 0 duration / sequencing / anchor fixes (single fix-task)
+
+**Proposed task:** `t-paliad-264 — Tier 0 deadline-rule corrections
+(duration, anchor, citation) from t-paliad-263 audit`
+
+- 16 row UPDATEs (T0.1–T0.17, deduplicated to 16 distinct rows since
+  T0.8 is covered by T0.2 and T0.11 by T0.1).
+- One migration file (~120 LoC SQL).
+- All within existing schema. No new columns.
+- Idempotent guards on every UPDATE (only fire when the row still has
+  the old value, per the mig 095 convention).
+- Adds 16 entries to `paliad.deadline_rule_audit` (per the mig 079
+  trigger).
+- Verification block: `DO $$ … RAISE EXCEPTION …` per mig 095.
+- **Branch:** `mai/<coder>/t-paliad-264-tier0-deadline-fixes`.
+- **Owner:** coder.
+- **Why first:** all 16 affect either calendar correctness (5 hard
+  duration/anchor bugs) or citation correctness (the 11 metadata
+  fixes are what a lawyer would cite-check against). T0.1–T0.6 are
+  user-visible silent wrongs; ship them.
+
+### Wave 1 — Tier 1 rule additions (single fix-task)
+
+**Proposed task:** `t-paliad-265 — Tier 1 deadline-rule additions
+(12 high-frequency rules)`
+
+- 11 INSERTs + 1 UPDATE re-anchor (T1.12 `upc.pi.cfi.response`).
+- T1.8 (`upc.pi.cfi.merits_start`) **excluded** — blocked on T3.1/T3.2.
+- One migration file (~250 LoC SQL).
+- Add cascade leaves + concepts where needed (each rule should be
+  reachable from Pathway B too).
+- **Branch:** `mai/<coder>/t-paliad-265-tier1-rule-additions`.
+- **Owner:** coder. **Legal review:** m must verify each rule before
+  merge (single round of grilling).
+
+### Wave 2 — Q1 court-set audit decision (separate spike)
+
+**Proposed task:** `t-paliad-266 — Decide court-set vs fixed-period
+modelling for richterliche Fristen (Q1 in t-paliad-263 audit)`
+
+- Inventor / pauli reviews §9.1 with m.
+- Decision artefact: list of rules to flip vs keep, plus UX guideline
+  for what the timeline displays for `is_court_set=true` rules.
+- **Owner:** pauli. **m signs off.**
+
+### Wave 3 — Tier 3 tooling primitives (multi-task)
+
+Each Tier 3 row is its own task because each touches schema + service +
+calculator + UI:
+
+- `t-paliad-267 — working_days unit + combine_op='max' (R.198, R.213)`
+- `t-paliad-268 — Outer-cap modelling (R.245.2, R.320, Art.112a)`
+- `t-paliad-269 — Multi-anchor "whichever later" triggers (R.245.2)`
+- `t-paliad-270 — Backward-snap for `before`-mode rules (R.109.1/.4)`
+- `t-paliad-271 — Cross-proceeding spawn end-to-end execution`
+
+Each is foundational for multiple Tier 2 rules; can ship independently.
+
+### Wave 4 — Tier 2 specialist rules (multi-task, after their primitives land)
+
+Each Tier 2 row is its own task or batched into 2-3 tasks by topical
+area:
+
+- `t-paliad-272 — Wiedereinsetzung / Weiterbehandlung family (T2.2, T2.3, T2.4)` — depends on T3.4 (outer cap).
+- `t-paliad-273 — UPC follow-on spawns (T2.7, T2.8, T2.11)` — depends on T3.6.
+- `t-paliad-274 — UPC tail rules (T2.5, T2.6, R.353, etc.)`
+- `t-paliad-275 — EPA grant timeline re-anchoring (T2.9, T2.10)`.
+
+### Wave 5 — Concept-layer parity (separate audit)
+
+The 9 orphan concepts (`audit-fristen-logic-2026-05-13.md` §3.4 + Q11
+here) need a parallel audit pass to map cascade → rule. Recommend
+spinning a `t-paliad-276 — Cascade-rule parity audit` task once the
+above land.
+
+### Wave 6 — Documentation + retire
+
+- `t-paliad-277 — Drop `_archived_litigation` proceeding_type` once
+  mig 093's audit window closes (Q6).
+- `t-paliad-278 — Document Tier 4 deferrals in
+  `docs/feature-roadmap.md`` so the gap-list isn't lost.
+
+---
+
+## Appendix A — file references
+
+**Live state queried via Supabase MCP, 2026-05-25 14:00–15:00 UTC:**
+
+- `paliad.proceeding_types` — 21 active rows (20 fristenrechner + 1
+  archived).
+- `paliad.deadline_rules` — 132 active + 40 archived rows
+  (`lifecycle_state='published'`).
+- `paliad.deadline_rule_audit` — diff history.
+- `data.laws_contents` (youpc) — UPC RoP + EPC verbatim text
+  (`law_type IN ('UPCRoP','EPC')`).
+
+**paliad migrations consulted:**
+
+- `internal/db/migrations/012_fristenrechner_rules.up.sql` — original
+  seed.
+- `internal/db/migrations/043_de_instance_split_proceedings.up.sql`
+  — DE_INF_OLG / DE_INF_BGH split.
+- `internal/db/migrations/052_event_categories_rop_audit.up.sql`
+  — first RoP audit fix-pass.
+- `internal/db/migrations/079_*` — `paliad.deadline_rule_audit`
+  trigger.
+- `internal/db/migrations/091_drop_legacy_rule_columns.up.sql` —
+  cleanup.
+- `internal/db/migrations/093_retire_litigation_category.up.sql` —
+  archived 40 rules.
+- `internal/db/migrations/095_fristen_gap_fill.up.sql` — t-paliad-205
+  R.19 + R.220.1(a) gap fill.
+- `internal/db/migrations/096_proceeding_code_rename.up.sql` — code
+  rename to `<jurisdiction>.<proceeding>.<instance>` form.
+- `internal/db/migrations/097_legal_citation_backfill.up.sql` —
+  legal_source / rule_code backfill.
+- `internal/db/migrations/100_ccr_visible_rule.up.sql` —
+  `upc.ccr.cfi` alias.
+- `internal/db/migrations/104_einspruch_name_and_ccr_priority.up.sql`
+  — Einspruch rename.
+
+**Companion audits:**
+
+- `docs/audit-fristenrechner-completeness-2026-04-30.md` — curie /
+  t-paliad-084.
+- `docs/audit-upc-rop-deadlines-2026-05-08.md` — curie / t-paliad-159.
+- `docs/audit-fristen-logic-2026-05-13.md` — pauli / t-paliad-157
+  (schema audit, ground-truth on column semantics).
+- `docs/proposals/fristen-gap-fill-2026-05-18.md` — m's 0.3 decisions
+  that shipped as mig 095.
+
+**Authoritative source URLs (all verified 2026-05-25):**
+
+- UPC RoP consolidated 18.05.2023: https://www.unifiedpatentcourt.org/sites/default/files/upc_documents/rop_application_-_consolidated_18_05_2023.pdf
+- EPC 17th ed.: https://www.epo.org/en/legal/epc/2020/index.html
+- EPC R.71 (and other Implementing Reg Rules): https://www.epo.org/en/legal/epc/2020/r71.html
+- PatG: https://www.gesetze-im-internet.de/patg/
+  - §59 https://www.gesetze-im-internet.de/patg/__59.html
+  - §73 https://www.gesetze-im-internet.de/patg/__73.html
+  - §75 https://www.gesetze-im-internet.de/patg/__75.html
+  - §82 https://www.gesetze-im-internet.de/patg/__82.html
+  - §110 https://www.gesetze-im-internet.de/patg/__110.html
+  - §111 https://www.gesetze-im-internet.de/patg/__111.html
+- ZPO: https://www.gesetze-im-internet.de/zpo/
+  - §520 https://www.gesetze-im-internet.de/zpo/__520.html
+  - §521 https://www.gesetze-im-internet.de/zpo/__521.html
+- GebrMG: https://www.gesetze-im-internet.de/gebrmg/
+
+---
+
+## Appendix B — coverage tally
+
+| Status | Count | Share |
+|---|---:|---:|
+| present-correct | 78 | 59 % |
+| present-wrong (DURATION) | 3 | 2 % |
+| present-wrong (anchor/sequence) | 5 | 4 % |
+| present-wrong (citation only) | 11 | 8 % |
+| court-set-mismodelled-as-fixed | 6 | 5 % |
+| **subtotal: still actionable** | **25** | **19 %** |
+| missing (statute defines, paliad doesn't) | 30 | (gap, vs 132 baseline) |
+| n/a (RoP / EPC / PatG section creates no time-limit) | 8 | 6 % |
+| present-correct, no fix needed | (78 above) | |
+
+**Headline figures for m:**
+
+- Of the 132 statutory deadlines paliad currently models, **25 carry
+  an actionable bug** (19%). Of those, **5 are user-visible
+  calendar-correctness bugs** (the 3 duration bugs + the 2
+  sequencing/anchor bugs head flagged + me). The other 20 are
+  citation drift or court-set mismodelling — fix-them-quietly
+  category.
+- An additional **30 statutory deadlines are not modelled at all**
+  (the missing list in §3). Of those, **~12 are ★★★ / ★★ frequency**
+  (Tier 1 in §10); the remaining ~18 are ★ specialist.
+- The 5 duration / sequencing bugs alone are **the most important
+  takeaway**: every UPC_REV proceeding, every UPC main-track appeal
+  respondent, and every DE-LG-Verletzung timeline tracked in paliad
+  today computes wrong dates.
+
+End of audit. Awaiting m's review of §9 Q1–Q13 + Tier 0 sign-off
+before fix-tasks (Wave 0) get cut.

frontend/build.ts

@@ -49,6 +49,7 @@ import { renderAdminRulesEdit } from "./src/admin-rules-edit";
 import { renderAdminRulesExport } from "./src/admin-rules-export";
 import { renderPaliadin } from "./src/paliadin";
 import { renderAdminPaliadin } from "./src/admin-paliadin";
+import { renderAdminBackups } from "./src/admin-backups";
 import { renderNotFound } from "./src/notfound";
 
 const DIST = join(import.meta.dir, "dist");
@@ -291,6 +292,7 @@ async function build() {
       // skip the re-fetch.
       join(import.meta.dir, "src/client/paliadin-widget.ts"),
       join(import.meta.dir, "src/client/admin-paliadin.ts"),
+      join(import.meta.dir, "src/client/admin-backups.ts"),
       join(import.meta.dir, "src/client/notfound.ts"),
     ],
     outdir: join(DIST, "assets"),
@@ -417,6 +419,7 @@ async function build() {
   await Bun.write(join(DIST, "admin-rules-export.html"), renderAdminRulesExport());
   await Bun.write(join(DIST, "paliadin.html"), renderPaliadin());
   await Bun.write(join(DIST, "admin-paliadin.html"), renderAdminPaliadin());
+  await Bun.write(join(DIST, "admin-backups.html"), renderAdminBackups());
   await Bun.write(join(DIST, "notfound.html"), renderNotFound());
 
   // Append ?v=<buildVersion> to every /assets/*.js and /assets/*.css URL in

frontend/src/admin-backups.tsx

@@ -0,0 +1,96 @@
+import { h } from "./jsx";
+import { Sidebar } from "./components/Sidebar";
+import { PaliadinWidget } from "./components/PaliadinWidget";
+import { BottomNav } from "./components/BottomNav";
+import { Footer } from "./components/Footer";
+import { PWAHead } from "./components/PWAHead";
+
+// Backup Mode admin page (t-paliad-246 / m/paliad#77 Slice A).
+//
+// global_admin only — gated by adminGate(...) in handlers.go. Shows the
+// chronological list of backup runs (one row per kind in
+// {scheduled, on_demand}) plus a button to kick off an on-demand backup.
+// Catalog rows + the "run now" action are fetched client-side via
+// /api/admin/backups.
+export function renderAdminBackups(): string {
+  return "<!DOCTYPE html>" + (
+    <html lang="de">
+      <head>
+        <meta charset="UTF-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
+        <meta name="theme-color" content="#BFF355" />
+        <meta name="apple-mobile-web-app-capable" content="yes" />
+        <meta name="apple-mobile-web-app-status-bar-style" content="default" />
+        <PWAHead />
+        <title data-i18n="admin.backups.title">Backups &mdash; Paliad</title>
+        <link rel="stylesheet" href="/assets/global.css" />
+      </head>
+      <body className="has-sidebar">
+        <Sidebar currentPath="/admin/backups" />
+        <BottomNav currentPath="/admin/backups" />
+
+        <main>
+          <section className="tool-page">
+            <div className="container">
+              <div className="tool-header">
+                <div>
+                  <h1 data-i18n="admin.backups.heading">Backups</h1>
+                  <p className="tool-subtitle" data-i18n="admin.backups.subtitle">
+                    Vollst&auml;ndige Snapshots aller Daten &mdash; manuell oder zeitgesteuert.
+                  </p>
+                </div>
+                <div>
+                  <button
+                    className="btn-primary"
+                    id="admin-backups-run-btn"
+                    type="button"
+                    data-i18n="admin.backups.run_now"
+                  >
+                    Backup jetzt erstellen
+                  </button>
+                </div>
+              </div>
+
+              <div id="admin-backups-feedback" className="form-msg" style="display:none" />
+
+              <div className="entity-table-wrap">
+                <table className="entity-table entity-table--readonly">
+                  <thead>
+                    <tr>
+                      <th data-i18n="admin.backups.col.started">Erstellt</th>
+                      <th data-i18n="admin.backups.col.kind">Auslöser</th>
+                      <th data-i18n="admin.backups.col.status">Status</th>
+                      <th data-i18n="admin.backups.col.requested_by">Angefordert von</th>
+                      <th data-i18n="admin.backups.col.size">Gr&ouml;&szlig;e</th>
+                      <th data-i18n="admin.backups.col.rows">Zeilen</th>
+                      <th data-i18n="admin.backups.col.actions">Aktion</th>
+                    </tr>
+                  </thead>
+                  <tbody id="admin-backups-tbody">
+                    <tr>
+                      <td colspan={7} data-i18n="admin.backups.loading">Lade &hellip;</td>
+                    </tr>
+                  </tbody>
+                </table>
+              </div>
+
+              <div className="entity-empty" id="admin-backups-empty" style="display:none">
+                <p data-i18n="admin.backups.empty">Noch keine Backups vorhanden.</p>
+              </div>
+
+              <p className="tool-footer-note" id="admin-backups-footer">
+                <span data-i18n="admin.backups.footer.note">
+                  Geplante Backups werden in einer sp&auml;teren Slice aktiviert. Manuelle Backups stehen jetzt zur Verf&uuml;gung.
+                </span>
+              </p>
+            </div>
+          </section>
+        </main>
+
+        <Footer />
+        <PaliadinWidget />
+        <script src="/assets/admin-backups.js"></script>
+      </body>
+    </html>
+  );
+}

frontend/src/client/admin-backups.ts

@@ -0,0 +1,192 @@
+import { initI18n, t } from "./i18n";
+import { initSidebar } from "./sidebar";
+
+// Backup Mode admin client (t-paliad-246 / m/paliad#77 Slice A).
+//
+// Reads /api/admin/backups (chronological list) and wires the
+// "Backup jetzt erstellen" button to POST /api/admin/backups/run.
+// Synchronous: the server holds the connection for the duration of
+// the backup (sub-second at firm-scale today), then returns the new
+// catalog row inline. No polling needed at v1's data shape; if the
+// run takes > 5 minutes the handler returns 500 and the UI surfaces
+// the error.
+
+interface BackupRow {
+  id: string;
+  kind: "scheduled" | "on_demand";
+  status: "running" | "done" | "failed";
+  requested_by?: string;
+  requested_by_email: string;
+  audit_id?: string;
+  storage_uri?: string;
+  size_bytes?: number;
+  row_counts?: unknown; // jsonb passes through as raw bytes; we don't read it
+  sheet_count?: number;
+  warnings?: unknown;
+  error?: string;
+  started_at: string;
+  finished_at?: string;
+  deleted_at?: string;
+}
+
+document.addEventListener("DOMContentLoaded", async () => {
+  initI18n();
+  initSidebar();
+
+  await refreshList();
+  wireRunButton();
+});
+
+function wireRunButton(): void {
+  const btn = document.getElementById("admin-backups-run-btn") as HTMLButtonElement | null;
+  if (!btn) return;
+  btn.addEventListener("click", async () => {
+    btn.disabled = true;
+    const originalText = btn.textContent;
+    btn.textContent = t("admin.backups.running") || "Läuft …";
+    clearFeedback();
+    try {
+      const r = await fetch("/api/admin/backups/run", {
+        method: "POST",
+        credentials: "same-origin",
+      });
+      if (!r.ok) {
+        const body = await r.json().catch(() => ({ error: "request failed" }));
+        showFeedback("error", body.error || `HTTP ${r.status}`);
+        return;
+      }
+      // The created row is in the response; refresh the list to land it.
+      await refreshList();
+      showFeedback("success", t("admin.backups.success") || "Backup erfolgreich erstellt.");
+    } catch (e) {
+      showFeedback("error", (e as Error).message || "network error");
+    } finally {
+      btn.disabled = false;
+      btn.textContent = originalText;
+    }
+  });
+}
+
+async function refreshList(): Promise<void> {
+  const rows = await fetchJSON<BackupRow[]>("/api/admin/backups?limit=200");
+  const tbody = document.getElementById("admin-backups-tbody") as HTMLTableSectionElement | null;
+  const empty = document.getElementById("admin-backups-empty") as HTMLElement | null;
+  if (!tbody) return;
+  if (!rows || rows.length === 0) {
+    tbody.innerHTML = "";
+    if (empty) empty.style.display = "";
+    return;
+  }
+  if (empty) empty.style.display = "none";
+  tbody.innerHTML = rows.map(renderRow).join("");
+}
+
+function renderRow(b: BackupRow): string {
+  const started = formatTimestamp(b.started_at);
+  const kind =
+    b.kind === "scheduled"
+      ? t("admin.backups.kind.scheduled") || "Geplant"
+      : t("admin.backups.kind.on_demand") || "Manuell";
+  const status = renderStatus(b);
+  const requestedBy =
+    b.kind === "scheduled" ? "—" : escapeHTML(b.requested_by_email);
+  const size = b.size_bytes != null ? formatBytes(b.size_bytes) : "—";
+  const rows = b.sheet_count != null ? String(b.sheet_count) : "—";
+  const action = renderAction(b);
+  return `<tr>
+    <td>${started}</td>
+    <td>${kind}</td>
+    <td>${status}</td>
+    <td>${requestedBy}</td>
+    <td>${size}</td>
+    <td>${rows}</td>
+    <td>${action}</td>
+  </tr>`;
+}
+
+function renderStatus(b: BackupRow): string {
+  switch (b.status) {
+    case "done":
+      return `<span class="status-done">${escapeHTML(t("admin.backups.status.done") || "✓ Fertig")}</span>`;
+    case "running":
+      return `<span class="status-running">${escapeHTML(t("admin.backups.status.running") || "Läuft …")}</span>`;
+    case "failed":
+      const label = t("admin.backups.status.failed") || "✗ Fehlgeschlagen";
+      const tip = b.error ? ` title="${escapeAttr(b.error)}"` : "";
+      return `<span class="status-failed"${tip}>${escapeHTML(label)}</span>`;
+    default:
+      return escapeHTML(b.status);
+  }
+}
+
+function renderAction(b: BackupRow): string {
+  if (b.status !== "done" || !b.storage_uri || b.deleted_at) {
+    return "—";
+  }
+  const label = t("admin.backups.download") || "Download";
+  return `<a class="btn-link" href="/api/admin/backups/${encodeURIComponent(b.id)}/file">${escapeHTML(label)}</a>`;
+}
+
+// --- helpers ---
+
+async function fetchJSON<T>(url: string): Promise<T | null> {
+  try {
+    const r = await fetch(url, { credentials: "same-origin" });
+    if (!r.ok) return null;
+    return (await r.json()) as T;
+  } catch {
+    return null;
+  }
+}
+
+function formatTimestamp(iso: string): string {
+  const d = new Date(iso);
+  if (isNaN(d.getTime())) return escapeHTML(iso);
+  const yyyy = d.getUTCFullYear();
+  const mm = String(d.getUTCMonth() + 1).padStart(2, "0");
+  const dd = String(d.getUTCDate()).padStart(2, "0");
+  const hh = String(d.getUTCHours()).padStart(2, "0");
+  const mi = String(d.getUTCMinutes()).padStart(2, "0");
+  return `${yyyy}-${mm}-${dd} ${hh}:${mi} UTC`;
+}
+
+function formatBytes(n: number): string {
+  if (n < 1024) return `${n} B`;
+  if (n < 1024 * 1024) return `${(n / 1024).toFixed(1)} KB`;
+  if (n < 1024 * 1024 * 1024) return `${(n / (1024 * 1024)).toFixed(1)} MB`;
+  return `${(n / (1024 * 1024 * 1024)).toFixed(2)} GB`;
+}
+
+function escapeHTML(s: string): string {
+  return s.replace(/[&<>"']/g, (c) => {
+    switch (c) {
+      case "&": return "&amp;";
+      case "<": return "&lt;";
+      case ">": return "&gt;";
+      case '"': return "&quot;";
+      case "'": return "&#39;";
+      default: return c;
+    }
+  });
+}
+
+function escapeAttr(s: string): string {
+  return escapeHTML(s);
+}
+
+function showFeedback(kind: "success" | "error", text: string): void {
+  const el = document.getElementById("admin-backups-feedback") as HTMLElement | null;
+  if (!el) return;
+  el.textContent = text;
+  el.classList.remove("form-msg-success", "form-msg-error");
+  el.classList.add(kind === "success" ? "form-msg-success" : "form-msg-error");
+  el.style.display = "";
+}
+
+function clearFeedback(): void {
+  const el = document.getElementById("admin-backups-feedback") as HTMLElement | null;
+  if (!el) return;
+  el.style.display = "none";
+  el.textContent = "";
+  el.classList.remove("form-msg-success", "form-msg-error");
+}

frontend/src/client/admin-rules-edit.ts

@@ -51,7 +51,10 @@ interface Rule {
 interface ProceedingType {
   id: number;
   code: string;
-  name_de: string;
+  // `name` is the German display name on the wire; the Go `ProceedingType`
+  // model serialises `db:"name"` as JSON key `name`. Don't reach for
+  // `name_de` — that field does not exist in this payload (m/paliad#113).
+  name: string;
   name_en: string;
 }
 
@@ -169,7 +172,8 @@ function fillProceedingSelect(selectId: string, list: ProceedingType[]) {
   for (const pt of list) {
     const opt = document.createElement("option");
     opt.value = String(pt.id);
-    opt.textContent = `${pt.code} · ${getLang() === "en" ? pt.name_en : pt.name_de}`;
+    const name = getLang() === "en" ? pt.name_en : pt.name;
+    opt.textContent = name ? `${pt.code} · ${name}` : pt.code;
     sel.appendChild(opt);
   }
 }

frontend/src/client/admin-rules-list.ts

@@ -29,7 +29,11 @@ interface Rule {
 interface ProceedingType {
   id: number;
   code: string;
-  name_de: string;
+  // `name` is the German display name on the wire; the Go `ProceedingType`
+  // model serialises `db:"name"` as JSON key `name` (the schema treats DE
+  // as primary). EN lives in `name_en`. Don't reach for `name_de` — that
+  // field does not exist in this payload (cf. m/paliad#113).
+  name: string;
   name_en: string;
   category: string;
 }
@@ -125,7 +129,12 @@ function proceedingLabel(id: number | null | undefined): string {
   if (id == null) return "—";
   const pt = proceedings.find((p) => p.id === id);
   if (!pt) return `#${id}`;
-  const name = getLang() === "en" ? pt.name_en : pt.name_de;
+  const name = getLang() === "en" ? pt.name_en : pt.name;
+  // Guard against a proceeding row that's missing the active-language
+  // name (or against a stale field-name mismatch slipping back in).
+  // Show the code on its own rather than "code · undefined" — that
+  // literal string is the smell that surfaced this bug (m/paliad#113).
+  if (!name) return pt.code;
   return `${pt.code} · ${name}`;
 }
 
@@ -153,7 +162,8 @@ async function loadProceedings(): Promise<void> {
   for (const pt of proceedings) {
     const opt = document.createElement("option");
     opt.value = String(pt.id);
-    opt.textContent = `${pt.code} · ${getLang() === "en" ? pt.name_en : pt.name_de}`;
+    const name = getLang() === "en" ? pt.name_en : pt.name;
+    opt.textContent = name ? `${pt.code} · ${name}` : pt.code;
     sel.appendChild(opt);
   }
 }

frontend/src/client/appointments-detail.ts

@@ -2,6 +2,7 @@ import { initI18n, t, tDyn, getLang } from "./i18n";
 import { initSidebar } from "./sidebar";
 import { initNotes } from "./notes";
 import { projectIndent } from "./project-indent";
+import { openWithdrawWarningModal } from "./components/withdraw-warning-modal";
 
 interface Appointment {
   id: string;
@@ -25,6 +26,9 @@ interface PendingApprovalRequest {
   requested_at: string;
   required_role: string;
   requester_name?: string;
+  // t-paliad-252 — used by the withdraw warning modal to pick the right
+  // copy (CREATE warns about deletion; UPDATE/COMPLETE about revert).
+  lifecycle_event?: string;
 }
 
 interface Me {
@@ -43,6 +47,10 @@ let project: Project | null = null;
 let allProjects: Project[] = [];
 let pendingRequest: PendingApprovalRequest | null = null;
 let me: Me | null = null;
+// t-paliad-252 — see deadlines-detail.ts. Routes Save to the new
+// /api/approval-requests/{id}/edit-entity endpoint when the user picked
+// "Termin bearbeiten" in the withdraw warning modal.
+let pendingEditMode = false;
 
 function parseAppointmentID(): string | null {
   const parts = window.location.pathname.split("/").filter(Boolean);
@@ -207,10 +215,14 @@ function renderHeader() {
   }
 
   // Freeze the edit form + delete button while a request is in flight.
+  // t-paliad-252 — when the user picked "Termin bearbeiten" in the
+  // withdraw modal, pendingEditMode unfreezes the form so Save can route
+  // to /edit-entity (which keeps the request pending + merges payload).
   const form = document.getElementById("appointment-edit-form") as HTMLFormElement | null;
   if (form) {
+    const freeze = isPending && !pendingEditMode;
     form.querySelectorAll<HTMLInputElement | HTMLSelectElement | HTMLTextAreaElement | HTMLButtonElement>("input, select, textarea, button[type=submit]")
-      .forEach((el) => { el.disabled = isPending; });
+      .forEach((el) => { el.disabled = freeze; });
   }
   const deleteBtn = document.getElementById("appointment-delete-btn") as HTMLButtonElement | null;
   if (deleteBtn) deleteBtn.disabled = isPending;
@@ -263,6 +275,39 @@ async function saveEdit(ev: Event) {
 
   submitBtn.disabled = true;
   try {
+    // t-paliad-252 — pending-edit mode routes through /edit-entity which
+    // keeps the request pending + merges fields into payload. clear_project
+    // and project_id are NOT in the counter-allowlist (yet) — the requester
+    // can't move projects on a pending request from this surface.
+    if (pendingEditMode && pendingRequest) {
+      const editFields = { ...payload };
+      delete editFields.clear_project;
+      const resp = await fetch(
+        `/api/approval-requests/${pendingRequest.id}/edit-entity`,
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ fields: editFields }),
+        },
+      );
+      if (resp.ok) {
+        const fresh = await fetch(`/api/appointments/${appointment.id}`);
+        if (fresh.ok) appointment = await fresh.json();
+        await loadPendingRequest();
+        // Exit pending-edit mode so the form re-freezes (still pending).
+        pendingEditMode = false;
+        renderHeader();
+        fillEditForm();
+        msg.textContent = t("appointments.detail.saved");
+        msg.className = "form-msg form-msg-ok";
+      } else {
+        const data = await resp.json().catch(() => ({}) as { error?: string; message?: string });
+        msg.textContent = data.message || data.error || t("appointments.error.generic");
+        msg.className = "form-msg form-msg-error";
+      }
+      return;
+    }
+
     const resp = await fetch(`/api/appointments/${appointment.id}`, {
       method: "PATCH",
       headers: { "Content-Type": "application/json" },
@@ -312,12 +357,37 @@ async function deleteAppointment() {
   }
 }
 
+// t-paliad-252 — withdraw warning modal replaces the old confirm().
+// Returns:
+//   "edit"     → unfreeze the edit form (pending-edit mode); Save will
+//                route through /api/approval-requests/{id}/edit-entity
+//   "withdraw" → destructive: the existing /revoke endpoint
+//   null       → user cancelled
 async function withdrawAppointmentRequest() {
   if (!appointment || !pendingRequest) return;
-  if (!confirm(t("approvals.withdraw.confirm") || "Anfrage wirklich zurückziehen?")) return;
   const btn = document.getElementById("appointment-withdraw-btn") as HTMLButtonElement | null;
   if (btn) btn.disabled = true;
   try {
+    const action = await openWithdrawWarningModal({
+      entityType: "appointment",
+      lifecycleEvent: pendingRequest.lifecycle_event ?? "create",
+    });
+    if (action === null) {
+      if (btn) btn.disabled = false;
+      return;
+    }
+    if (action === "edit") {
+      pendingEditMode = true;
+      if (btn) btn.disabled = false;
+      // renderHeader re-evaluates the freeze and unfreezes the form now
+      // that pendingEditMode is set. Focus the first editable field so the
+      // user can type immediately.
+      renderHeader();
+      const titleEl = document.getElementById("appointment-title-edit") as HTMLInputElement | null;
+      titleEl?.focus();
+      return;
+    }
+    // action === "withdraw" → destructive path.
     const resp = await fetch(`/api/approval-requests/${pendingRequest.id}/revoke`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
@@ -328,9 +398,12 @@ async function withdrawAppointmentRequest() {
       if (fresh.ok) {
         appointment = await fresh.json();
         await loadPendingRequest();
+        renderHeader();
+        fillEditForm();
+      } else {
+        // CREATE lifecycle: entity gone → back to the list.
+        window.location.href = "/events?type=appointment";
       }
-      renderHeader();
-      fillEditForm();
     } else {
       const data = await resp.json().catch(() => ({}) as { message?: string; error?: string });
       const msg = document.getElementById("appointment-edit-msg")!;

frontend/src/client/components/withdraw-warning-modal.ts

@@ -0,0 +1,149 @@
+// t-paliad-252 / m/paliad#83 — withdraw warning modal.
+//
+// Before t-paliad-252 the deadline + appointment detail pages did a
+// confirm() dialog before POSTing to /api/approval-requests/{id}/revoke.
+// For pending CREATE lifecycles that endpoint silently DELETES the
+// underlying entity row — m's "withdrawing the approval deletes the event"
+// surprise.
+//
+// This modal replaces the confirm() with three explicit paths:
+//
+//   1. Cancel                       — does nothing
+//   2. Termin bearbeiten (primary)  — opens the edit form; saving routes
+//                                     through POST /approval-requests/{id}/
+//                                     edit-entity which keeps the request
+//                                     pending and merges the new fields
+//                                     into approval_request.payload
+//   3. Endgültig zurückziehen +     — destructive; current /revoke
+//      löschen                        behaviour (delete for CREATE, revert
+//                                     for UPDATE/COMPLETE, cancel for
+//                                     DELETE-lifecycle requests)
+//
+// Built on the unified openModal() primitive (t-paliad-217 Slice A) so the
+// three-button row sits cleanly inside the body — the primitive only
+// supports one secondary action, but we paint the destructive button as a
+// separate row above the footer.
+
+import { t } from "../i18n";
+import { openModal } from "./modal";
+
+export type WithdrawAction = "edit" | "withdraw";
+
+export interface WithdrawWarningArgs {
+  // entityType drives the copy ("event" vs "appointment" labels).
+  entityType: "deadline" | "appointment";
+  // lifecycleEvent of the pending request; copy adapts (CREATE warns about
+  // deletion; UPDATE/COMPLETE warn about revert; DELETE warns about
+  // cancelling the deletion request).
+  lifecycleEvent: "create" | "update" | "complete" | "delete" | string;
+}
+
+// openWithdrawWarningModal resolves with the chosen action, or null if the
+// user dismissed via Cancel / Esc / backdrop / browser back-button.
+export async function openWithdrawWarningModal(
+  args: WithdrawWarningArgs,
+): Promise<WithdrawAction | null> {
+  const body = document.createElement("div");
+  body.className = "withdraw-warning-body";
+
+  // Lead paragraph + sub-paragraph adapt to lifecycle so the user always
+  // knows what the destructive button will actually do. The /revoke
+  // backend behaviour:
+  //   - create   → DELETE the entity (the "surprise" m flagged)
+  //   - update   → revert to pre_image
+  //   - complete → revert to pre-complete state
+  //   - delete   → cancel the delete request (entity stays alive)
+  const intro = document.createElement("p");
+  intro.className = "withdraw-warning-intro";
+  intro.textContent = leadCopyFor(args);
+  body.appendChild(intro);
+
+  const sub = document.createElement("p");
+  sub.className = "withdraw-warning-sub muted";
+  sub.textContent = subCopyFor(args);
+  body.appendChild(sub);
+
+  // The destructive button lives inside the body — the openModal primitive
+  // only exposes one secondary button slot, and we want the safe "Edit"
+  // path to be the primary CTA. Painting it in red here, separated from
+  // the footer, signals "this is the dangerous option" without competing
+  // visually with the primary CTA.
+  const destructiveRow = document.createElement("div");
+  destructiveRow.className = "withdraw-warning-destructive-row";
+  const destructiveBtn = document.createElement("button");
+  destructiveBtn.type = "button";
+  destructiveBtn.className = "btn btn-danger withdraw-warning-destructive-btn";
+  destructiveBtn.textContent = t("approvals.withdraw.destructive.label");
+  destructiveRow.appendChild(destructiveBtn);
+  body.appendChild(destructiveRow);
+
+  return new Promise<WithdrawAction | null>((resolve) => {
+    let chosen: WithdrawAction | null = null;
+
+    // The destructive button has to close the modal and return "withdraw".
+    // We need access to the modal's internal close() — fortunately openModal
+    // exposes it via the primary handler's first arg. We pass through the
+    // outer resolve and let the primary handler (Edit) own the close-fn
+    // route. For the destructive button we resolve the outer promise
+    // directly and then synthesise an ESC keypress so the modal dismisses
+    // — or, simpler, set chosen and use the secondary "Cancel" path that
+    // the modal already supports. (openModal's onClose fires on every
+    // dismiss path including the primary handler resolution.)
+    destructiveBtn.addEventListener("click", () => {
+      chosen = "withdraw";
+      // The unified openModal primitive (modal.ts) wires its dismiss path
+      // through the native <dialog>'s `cancel` event. Dispatching it on
+      // the parent <dialog> runs the same finish() → onClose → resolve
+      // sequence as ESC / backdrop. We then map the resolved `null` back
+      // to "withdraw" via the captured `chosen` in onClose below.
+      const dialogEl = body.closest("dialog");
+      dialogEl?.dispatchEvent(new Event("cancel"));
+    });
+
+    void openModal<WithdrawAction>({
+      title: t("approvals.withdraw.modal.title"),
+      body,
+      size: "md",
+      classNames: "withdraw-warning-modal",
+      primary: {
+        label: t("approvals.withdraw.primary.label"),
+        handler: (close) => {
+          chosen = "edit";
+          close("edit");
+        },
+      },
+      secondary: { label: t("approvals.withdraw.cancel") },
+      onClose: () => {
+        // Resolves whatever was chosen via the destructive button OR the
+        // primary handler. ESC / backdrop / secondary clear `chosen` to
+        // null which is the right "cancel" semantics.
+        resolve(chosen);
+      },
+    });
+  });
+}
+
+function leadCopyFor(args: WithdrawWarningArgs): string {
+  switch (args.lifecycleEvent) {
+    case "create":
+      return args.entityType === "appointment"
+        ? t("approvals.withdraw.lead.create.appointment")
+        : t("approvals.withdraw.lead.create.deadline");
+    case "delete":
+      return t("approvals.withdraw.lead.delete");
+    default:
+      // update / complete / unknown → revert semantics
+      return t("approvals.withdraw.lead.update");
+  }
+}
+
+function subCopyFor(args: WithdrawWarningArgs): string {
+  switch (args.lifecycleEvent) {
+    case "create":
+      return t("approvals.withdraw.sub.create");
+    case "delete":
+      return t("approvals.withdraw.sub.delete");
+    default:
+      return t("approvals.withdraw.sub.update");
+  }
+}

frontend/src/client/date-range-picker-pure.test.ts

@@ -0,0 +1,289 @@
+// Unit tests for the date-range picker's pure helpers (t-paliad-248).
+// Run with `bun test`.
+
+import { test, expect, describe } from "bun:test";
+import {
+  horizonBounds,
+  isValidHorizon,
+  isValidISODate,
+  validateCustomRange,
+  parseURL,
+  serializeURL,
+  isDefault,
+  ALL_HORIZONS,
+  PAST_HORIZONS,
+  NEXT_HORIZONS,
+  type TimeHorizon,
+  type TimeSpec,
+} from "./date-range-picker-pure";
+
+// Anchor the clock so day-arithmetic assertions don't drift with the
+// wall clock. 2026-05-25 00:00 UTC matches the Go-side bounds test.
+const NOW = new Date(Date.UTC(2026, 4, 25));
+const DAY = (offsetDays: number): Date =>
+  new Date(NOW.getTime() + offsetDays * 86_400_000);
+
+describe("ALL_HORIZONS / PAST / NEXT registries", () => {
+  test("registries sum to a known total without overlap", () => {
+    // 6 past + 6 next + any + custom = 14 fan chips (custom is the
+    // trailing entry in ALL_HORIZONS; `all` is intentionally absent —
+    // surfaces don't render the legacy bidirectional-unbounded chip).
+    expect(ALL_HORIZONS.length).toBe(14);
+    expect(PAST_HORIZONS.length).toBe(6);
+    expect(NEXT_HORIZONS.length).toBe(6);
+    expect(new Set(ALL_HORIZONS).size).toBe(ALL_HORIZONS.length);
+  });
+
+  test("PAST_HORIZONS are all past_*", () => {
+    for (const h of PAST_HORIZONS) {
+      expect(h.startsWith("past_")).toBe(true);
+    }
+  });
+
+  test("NEXT_HORIZONS are all next_*", () => {
+    for (const h of NEXT_HORIZONS) {
+      expect(h.startsWith("next_")).toBe(true);
+    }
+  });
+
+  test("ALL_HORIZONS ends with custom and contains any in the middle", () => {
+    expect(ALL_HORIZONS.at(-1)).toBe("custom");
+    expect(ALL_HORIZONS).toContain("any");
+  });
+});
+
+describe("horizonBounds", () => {
+  test("future fan: bounds anchor at today, extend forward", () => {
+    expect(horizonBounds("next_1d", NOW)).toEqual({ from: DAY(0),  to: DAY(1) });
+    expect(horizonBounds("next_7d", NOW)).toEqual({ from: DAY(0),  to: DAY(7) });
+    expect(horizonBounds("next_14d", NOW)).toEqual({ from: DAY(0), to: DAY(14) });
+    expect(horizonBounds("next_30d", NOW)).toEqual({ from: DAY(0), to: DAY(30) });
+    expect(horizonBounds("next_90d", NOW)).toEqual({ from: DAY(0), to: DAY(90) });
+  });
+
+  test("past fan: bounds extend back, upper bound is tomorrow (exclusive end-of-today)", () => {
+    expect(horizonBounds("past_1d",  NOW)).toEqual({ from: DAY(-1),  to: DAY(1) });
+    expect(horizonBounds("past_7d",  NOW)).toEqual({ from: DAY(-7),  to: DAY(1) });
+    expect(horizonBounds("past_14d", NOW)).toEqual({ from: DAY(-14), to: DAY(1) });
+    expect(horizonBounds("past_30d", NOW)).toEqual({ from: DAY(-30), to: DAY(1) });
+    expect(horizonBounds("past_90d", NOW)).toEqual({ from: DAY(-90), to: DAY(1) });
+  });
+
+  test("next_all is one-sided: from=today, to undefined", () => {
+    const b = horizonBounds("next_all", NOW);
+    expect(b.from).toEqual(DAY(0));
+    expect(b.to).toBeUndefined();
+  });
+
+  test("past_all is one-sided: from undefined, to=tomorrow", () => {
+    const b = horizonBounds("past_all", NOW);
+    expect(b.from).toBeUndefined();
+    expect(b.to).toEqual(DAY(1));
+  });
+
+  test("any / all / custom: both bounds undefined", () => {
+    expect(horizonBounds("any",    NOW)).toEqual({});
+    expect(horizonBounds("all",    NOW)).toEqual({});
+    expect(horizonBounds("custom", NOW)).toEqual({});
+  });
+
+  test("bounds anchor on UTC start-of-day regardless of input clock time", () => {
+    const nowAfternoon = new Date(Date.UTC(2026, 4, 25, 14, 37, 0));
+    const nowMidnight = new Date(Date.UTC(2026, 4, 25, 0, 0, 0));
+    expect(horizonBounds("past_7d", nowAfternoon)).toEqual(horizonBounds("past_7d", nowMidnight));
+  });
+});
+
+describe("isValidHorizon", () => {
+  test("accepts every entry in ALL_HORIZONS plus 'all' (legacy)", () => {
+    for (const h of ALL_HORIZONS) {
+      expect(isValidHorizon(h)).toBe(true);
+    }
+    expect(isValidHorizon("all")).toBe(true);
+  });
+
+  test("rejects unknown strings, numbers, undefined, null", () => {
+    expect(isValidHorizon("next_5d")).toBe(false);
+    expect(isValidHorizon("past_100d")).toBe(false);
+    expect(isValidHorizon("")).toBe(false);
+    expect(isValidHorizon(7)).toBe(false);
+    expect(isValidHorizon(undefined)).toBe(false);
+    expect(isValidHorizon(null)).toBe(false);
+  });
+});
+
+describe("isValidISODate", () => {
+  test("accepts valid YYYY-MM-DD", () => {
+    expect(isValidISODate("2026-05-25")).toBe(true);
+    expect(isValidISODate("2026-12-31")).toBe(true);
+    expect(isValidISODate("2024-02-29")).toBe(true);
+  });
+
+  test("rejects shape mismatches", () => {
+    expect(isValidISODate("2026/05/25")).toBe(false);
+    expect(isValidISODate("25.05.2026")).toBe(false);
+    expect(isValidISODate("2026-5-25")).toBe(false);
+    expect(isValidISODate("")).toBe(false);
+    expect(isValidISODate(undefined)).toBe(false);
+  });
+
+  test("rejects calendar-impossible dates (Date.parse silently rolls over)", () => {
+    expect(isValidISODate("2026-02-30")).toBe(false);
+    expect(isValidISODate("2026-13-01")).toBe(false);
+    expect(isValidISODate("2026-04-31")).toBe(false);
+  });
+
+  test("rejects 2025-02-29 (non-leap February)", () => {
+    expect(isValidISODate("2025-02-29")).toBe(false);
+  });
+});
+
+describe("validateCustomRange", () => {
+  test("requires both bounds present and valid", () => {
+    expect(validateCustomRange(undefined, undefined)).toBe("date_range.custom.invalid_missing");
+    expect(validateCustomRange("2026-05-25", undefined)).toBe("date_range.custom.invalid_missing");
+    expect(validateCustomRange(undefined, "2026-05-25")).toBe("date_range.custom.invalid_missing");
+  });
+
+  test("rejects malformed dates with format error", () => {
+    expect(validateCustomRange("bogus", "2026-05-25")).toBe("date_range.custom.invalid_format");
+    expect(validateCustomRange("2026-13-01", "2026-12-31")).toBe("date_range.custom.invalid_format");
+  });
+
+  test("rejects to <= from with invalid error", () => {
+    expect(validateCustomRange("2026-05-25", "2026-05-25")).toBe("date_range.custom.invalid");
+    expect(validateCustomRange("2026-05-25", "2026-05-24")).toBe("date_range.custom.invalid");
+  });
+
+  test("accepts strictly-ordered valid pair", () => {
+    expect(validateCustomRange("2026-05-25", "2026-05-26")).toBeNull();
+    expect(validateCustomRange("2026-01-01", "2026-12-31")).toBeNull();
+  });
+});
+
+describe("parseURL", () => {
+  test("missing horizon yields contract default", () => {
+    expect(parseURL(new URLSearchParams(""))).toEqual({ horizon: "any" });
+    expect(parseURL(new URLSearchParams(""), { default: "next_30d" })).toEqual({ horizon: "next_30d" });
+  });
+
+  test("unknown horizon falls back to default, doesn't throw", () => {
+    expect(parseURL(new URLSearchParams("horizon=mystery"), { default: "next_7d" }))
+      .toEqual({ horizon: "next_7d" });
+  });
+
+  test("every fan horizon round-trips on a fresh URLSearchParams", () => {
+    for (const h of ALL_HORIZONS) {
+      if (h === "custom") continue;
+      const params = new URLSearchParams(`horizon=${h}`);
+      expect(parseURL(params)).toEqual({ horizon: h });
+    }
+  });
+
+  test("custom horizon reads from+to", () => {
+    const params = new URLSearchParams("horizon=custom&horizon_from=2026-03-15&horizon_to=2026-04-30");
+    expect(parseURL(params)).toEqual({
+      horizon: "custom",
+      from: "2026-03-15",
+      to: "2026-04-30",
+    });
+  });
+
+  test("custom with malformed dates falls back to default rather than half-state", () => {
+    const params = new URLSearchParams("horizon=custom&horizon_from=2026-99-99&horizon_to=2026-04-30");
+    expect(parseURL(params, { default: "next_30d" })).toEqual({ horizon: "next_30d" });
+  });
+
+  test("custom with from>=to falls back", () => {
+    const params = new URLSearchParams("horizon=custom&horizon_from=2026-05-25&horizon_to=2026-05-25");
+    expect(parseURL(params)).toEqual({ horizon: "any" });
+  });
+
+  test("custom URL key override", () => {
+    const params = new URLSearchParams("range=past_30d");
+    expect(parseURL(params, { key: "range" })).toEqual({ horizon: "past_30d" });
+    expect(parseURL(params)).toEqual({ horizon: "any" }); // default `horizon` key absent
+  });
+});
+
+describe("serializeURL", () => {
+  test("default horizon is omitted (canonical URL stays short)", () => {
+    const params = new URLSearchParams();
+    serializeURL({ horizon: "any" }, params);
+    expect(params.toString()).toBe("");
+  });
+
+  test("explicit default param removed when value matches default", () => {
+    const params = new URLSearchParams("horizon=past_30d&other=keep");
+    serializeURL({ horizon: "past_30d" }, params, { default: "past_30d" });
+    expect(params.toString()).toBe("other=keep");
+  });
+
+  test("non-default horizon is written", () => {
+    const params = new URLSearchParams("other=keep");
+    serializeURL({ horizon: "next_7d" }, params);
+    expect(params.toString()).toBe("other=keep&horizon=next_7d");
+  });
+
+  test("custom writes horizon+from+to", () => {
+    const params = new URLSearchParams();
+    serializeURL({ horizon: "custom", from: "2026-03-15", to: "2026-04-30" }, params);
+    expect(params.toString()).toBe("horizon=custom&horizon_from=2026-03-15&horizon_to=2026-04-30");
+  });
+
+  test("custom partial bounds: from/to are written individually", () => {
+    const params = new URLSearchParams();
+    serializeURL({ horizon: "custom", from: "2026-03-15" }, params);
+    expect(params.toString()).toBe("horizon=custom&horizon_from=2026-03-15");
+  });
+
+  test("stale params cleared on re-serialize", () => {
+    const params = new URLSearchParams("horizon=custom&horizon_from=2026-03-15&horizon_to=2026-04-30&other=keep");
+    serializeURL({ horizon: "past_30d" }, params);
+    expect(params.toString()).toBe("other=keep&horizon=past_30d");
+    // Stale from/to must be gone.
+    expect(params.has("horizon_from")).toBe(false);
+    expect(params.has("horizon_to")).toBe(false);
+  });
+
+  test("key override propagates to from/to", () => {
+    const params = new URLSearchParams();
+    serializeURL({ horizon: "custom", from: "2026-03-15", to: "2026-04-30" }, params, { key: "range" });
+    expect(params.toString()).toBe("range=custom&range_from=2026-03-15&range_to=2026-04-30");
+  });
+
+  test("URL round-trips through parse → serialize → parse", () => {
+    const specs: TimeSpec[] = [
+      { horizon: "any" },
+      { horizon: "next_7d" },
+      { horizon: "past_all" },
+      { horizon: "next_all" },
+      { horizon: "custom", from: "2026-03-15", to: "2026-04-30" },
+    ];
+    for (const spec of specs) {
+      const params = new URLSearchParams();
+      serializeURL(spec, params);
+      expect(parseURL(params)).toEqual(spec);
+    }
+  });
+});
+
+describe("isDefault", () => {
+  test("true when horizon matches default exactly", () => {
+    expect(isDefault({ horizon: "any" }, "any")).toBe(true);
+    expect(isDefault({ horizon: "next_30d" }, "next_30d")).toBe(true);
+  });
+
+  test("false when horizon differs", () => {
+    expect(isDefault({ horizon: "past_7d" }, "any")).toBe(false);
+    expect(isDefault({ horizon: "next_30d" }, "next_7d")).toBe(false);
+  });
+
+  test("custom is never default — even when bounds match", () => {
+    // No surface treats "custom" as the natural default, so any custom
+    // selection IS user-driven and the closed button must surface
+    // the non-default indicator.
+    expect(isDefault({ horizon: "custom", from: "2026-01-01", to: "2026-12-31" }, "custom" as TimeHorizon))
+      .toBe(false);
+  });
+});

frontend/src/client/date-range-picker-pure.ts

@@ -0,0 +1,292 @@
+// date-range-picker-pure.ts — pure helpers for the symmetric date-range
+// picker (t-paliad-248). No DOM access; runnable under `bun test`. The
+// picker's boot client (date-range-picker.ts) drives the popover, but
+// every interesting decision — what does "Letzte 7 Tage" mean today,
+// what URL params should land, when is a custom range valid — lives
+// here so it can be tested without a browser.
+//
+// The Go side (internal/services/view_service.go:computeViewSpecBounds)
+// is the canonical materializer; horizonBounds() below MUST stay in
+// step with it. The bounds test in pure-tests pins the shape so a
+// divergent change to one side breaks the assertions on the other.
+
+import type { I18nKey } from "../i18n-keys";
+
+/**
+ * TimeHorizon — the full 14-value union the symmetric picker can emit.
+ * Mirrors `internal/services/filter_spec.go` TimeHorizon.
+ *
+ * The fan chips: 6 past + 6 next + the ALLES centre (`any`) + custom.
+ * `all` is the legacy bidirectional-unbounded value, gated to
+ * scope=explicit by the validator (Q26); the picker doesn't surface it
+ * but parseURL accepts it for back-compat with saved Custom Views.
+ */
+export type TimeHorizon =
+  | "next_1d" | "next_7d" | "next_14d" | "next_30d" | "next_90d" | "next_all"
+  | "past_1d" | "past_7d" | "past_14d" | "past_30d" | "past_90d" | "past_all"
+  | "any" | "all" | "custom";
+
+/**
+ * TimeSpec — the wire shape mirrored from the Go FilterSpec.TimeSpec.
+ * `from`/`to` are ISO YYYY-MM-DD strings — UTC dates, not timestamps.
+ * Times-of-day intentionally absent from the picker's contract.
+ */
+export interface TimeSpec {
+  horizon: TimeHorizon;
+  from?: string;
+  to?: string;
+}
+
+/**
+ * The full list of horizon values the picker is willing to render
+ * as chips. Order is the picker's reading order — past edge → past
+ * → ALLES → next → next edge, with `custom` last because it lives
+ * below the chip rows in the popover, not in the row itself.
+ */
+export const ALL_HORIZONS: readonly TimeHorizon[] = [
+  "past_all",
+  "past_90d",
+  "past_30d",
+  "past_14d",
+  "past_7d",
+  "past_1d",
+  "any",
+  "next_1d",
+  "next_7d",
+  "next_14d",
+  "next_30d",
+  "next_90d",
+  "next_all",
+  "custom",
+];
+
+// Strict-validity set. Includes the legacy bidirectional-unbounded `all`
+// horizon so a saved Custom View JSON ({"horizon":"all", …}) deserializes
+// without falling back to the surface default. The picker UI itself
+// doesn't surface a chip for `all` — it's read in, kept as state, but
+// the chip the user sees light up is `any` (the centre ALLES button).
+const ALL_HORIZONS_SET: ReadonlySet<string> = new Set([...ALL_HORIZONS, "all"]);
+
+/**
+ * Past chips, in reading order (outermost → innermost). The picker
+ * renders this left-to-right in the popover's past fan.
+ */
+export const PAST_HORIZONS: readonly TimeHorizon[] = [
+  "past_all",
+  "past_90d",
+  "past_30d",
+  "past_14d",
+  "past_7d",
+  "past_1d",
+];
+
+/**
+ * Future chips, in reading order (innermost → outermost). The picker
+ * renders this left-to-right in the popover's future fan.
+ */
+export const NEXT_HORIZONS: readonly TimeHorizon[] = [
+  "next_1d",
+  "next_7d",
+  "next_14d",
+  "next_30d",
+  "next_90d",
+  "next_all",
+];
+
+/**
+ * The i18n key for the closed-button label and chip text of every
+ * horizon. Lives here (not in the TSX) so a single dictionary lookup
+ * sites can hand back a translated string at any point.
+ */
+export const HORIZON_LABEL_KEY: Record<TimeHorizon, I18nKey> = {
+  past_all: "date_range.horizon.past_all",
+  past_90d: "date_range.horizon.past_90d",
+  past_30d: "date_range.horizon.past_30d",
+  past_14d: "date_range.horizon.past_14d",
+  past_7d:  "date_range.horizon.past_7d",
+  past_1d:  "date_range.horizon.past_1d",
+  any:      "date_range.horizon.any",
+  next_1d:  "date_range.horizon.next_1d",
+  next_7d:  "date_range.horizon.next_7d",
+  next_14d: "date_range.horizon.next_14d",
+  next_30d: "date_range.horizon.next_30d",
+  next_90d: "date_range.horizon.next_90d",
+  next_all: "date_range.horizon.next_all",
+  all:      "date_range.horizon.any", // legacy alias — surfaces "Alles" in the closed label
+  custom:   "date_range.horizon.custom",
+};
+
+/**
+ * Bounds for a given horizon, anchored at `now`. Pure function: the
+ * caller passes the clock so tests can pin a specific day without
+ * mocking Date. Bounds are UTC dates; the `to` bound is exclusive
+ * (start-of-day-after) so "past 7d" includes today.
+ *
+ * Returns `{}` for `any` / `all` / `custom` — the picker's surface
+ * lifts the from/to out of TimeSpec directly when horizon === custom,
+ * and treats unbounded values as "no narrowing in that direction".
+ */
+export function horizonBounds(
+  horizon: TimeHorizon,
+  now: Date,
+): { from?: Date; to?: Date } {
+  const day = new Date(Date.UTC(
+    now.getUTCFullYear(),
+    now.getUTCMonth(),
+    now.getUTCDate(),
+  ));
+  const offset = (days: number): Date =>
+    new Date(day.getTime() + days * 86_400_000);
+
+  switch (horizon) {
+    case "past_1d":  return { from: offset(-1),  to: offset(1) };
+    case "past_7d":  return { from: offset(-7),  to: offset(1) };
+    case "past_14d": return { from: offset(-14), to: offset(1) };
+    case "past_30d": return { from: offset(-30), to: offset(1) };
+    case "past_90d": return { from: offset(-90), to: offset(1) };
+    case "past_all": return {                    to: offset(1) };
+    case "next_1d":  return { from: day,         to: offset(1) };
+    case "next_7d":  return { from: day,         to: offset(7) };
+    case "next_14d": return { from: day,         to: offset(14) };
+    case "next_30d": return { from: day,         to: offset(30) };
+    case "next_90d": return { from: day,         to: offset(90) };
+    case "next_all": return { from: day                       };
+    case "any":
+    case "all":
+    case "custom":
+      return {};
+  }
+}
+
+/**
+ * isValidHorizon — narrows an unknown string to a TimeHorizon, used
+ * by parseURL and by surface-side URL alias adapters.
+ */
+export function isValidHorizon(s: unknown): s is TimeHorizon {
+  return typeof s === "string" && ALL_HORIZONS_SET.has(s);
+}
+
+const ISO_DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
+
+/**
+ * isValidISODate — `YYYY-MM-DD` shape check plus a real-date validity
+ * check (rejects 2026-02-30). Doesn't enforce timezone or floor at any
+ * particular date.
+ */
+export function isValidISODate(s: unknown): s is string {
+  if (typeof s !== "string" || !ISO_DATE_RE.test(s)) return false;
+  const ms = Date.parse(`${s}T00:00:00Z`);
+  if (Number.isNaN(ms)) return false;
+  // Reject 2026-02-30 etc. — Date.parse accepts those by rolling over.
+  return new Date(ms).toISOString().slice(0, 10) === s;
+}
+
+/**
+ * Validate a custom range. Returns null on success, an i18n key
+ * pointing at the error message on failure.
+ *
+ * Rules:
+ *   - Both `from` and `to` must be valid ISO YYYY-MM-DD.
+ *   - `to` must be strictly after `from` (single-day ranges use
+ *     `from=2026-05-25&to=2026-05-26`, NOT `from=to=2026-05-25`).
+ */
+export function validateCustomRange(
+  from: string | undefined,
+  to: string | undefined,
+): I18nKey | null {
+  if (!from || !to) return "date_range.custom.invalid_missing";
+  if (!isValidISODate(from) || !isValidISODate(to)) return "date_range.custom.invalid_format";
+  if (Date.parse(`${from}T00:00:00Z`) >= Date.parse(`${to}T00:00:00Z`)) {
+    return "date_range.custom.invalid";
+  }
+  return null;
+}
+
+/**
+ * URLContract — the picker's stable URL serialization. Surfaces can
+ * override the param name via `key` so two pickers on the same page
+ * (rare) don't collide.
+ */
+export interface URLContract {
+  /** Base param name, defaults to "horizon". */
+  key?: string;
+  /** Default value omitted from URL (matches surface's natural default). */
+  default?: TimeHorizon;
+}
+
+/**
+ * parseURL — reads a URL search-params object into a TimeSpec.
+ *
+ *   ?horizon=past_30d                       → {horizon:"past_30d"}
+ *   ?horizon=custom&from=2026-03-15&to=…    → {horizon:"custom",from,to}
+ *   (no params)                             → {horizon: contract.default ?? "any"}
+ *
+ * Unknown / malformed values fall back to the default. Out-of-shape
+ * custom dates clamp to {horizon: default} — the picker never lands
+ * in a half-custom state from a URL.
+ */
+export function parseURL(
+  params: URLSearchParams,
+  contract: URLContract = {},
+): TimeSpec {
+  const key = contract.key ?? "horizon";
+  const fallback: TimeHorizon = contract.default ?? "any";
+
+  const raw = params.get(key);
+  if (raw === null) return { horizon: fallback };
+  if (!isValidHorizon(raw)) return { horizon: fallback };
+  if (raw !== "custom") return { horizon: raw };
+
+  const from = params.get(`${key}_from`) ?? undefined;
+  const to = params.get(`${key}_to`) ?? undefined;
+  if (validateCustomRange(from, to) !== null) {
+    return { horizon: fallback };
+  }
+  return { horizon: "custom", from, to };
+}
+
+/**
+ * serializeURL — writes a TimeSpec into the URL search-params object,
+ * mutating the passed-in instance. Values equal to the surface
+ * default are OMITTED — the canonical URL stays short.
+ *
+ * Always deletes `horizon`, `<key>_from`, `<key>_to` first so a
+ * re-serialise after the picker reverts to default cleans up rather
+ * than accumulating stale entries.
+ */
+export function serializeURL(
+  spec: TimeSpec,
+  params: URLSearchParams,
+  contract: URLContract = {},
+): void {
+  const key = contract.key ?? "horizon";
+  const fromKey = `${key}_from`;
+  const toKey = `${key}_to`;
+
+  params.delete(key);
+  params.delete(fromKey);
+  params.delete(toKey);
+
+  if (spec.horizon === (contract.default ?? "any") && spec.horizon !== "custom") {
+    return;
+  }
+
+  if (spec.horizon === "custom") {
+    params.set(key, "custom");
+    if (spec.from) params.set(fromKey, spec.from);
+    if (spec.to) params.set(toKey, spec.to);
+    return;
+  }
+
+  params.set(key, spec.horizon);
+}
+
+/**
+ * isDefault — used by surfaces to decide whether to render the
+ * "value is non-default" dot on the closed button.
+ */
+export function isDefault(spec: TimeSpec, defaultHorizon: TimeHorizon): boolean {
+  if (spec.horizon !== defaultHorizon) return false;
+  if (spec.horizon === "custom") return false;
+  return true;
+}

frontend/src/client/date-range-picker.ts

@@ -0,0 +1,490 @@
+// date-range-picker.ts — boot client + DOM mount for the symmetric
+// date-range picker (t-paliad-248). The picker is a controlled
+// component: callers pass `value` + `onChange`, the component renders
+// the trigger button + popover scaffold, the popover materialises a
+// chip row and (when "Anpassen" is picked) an inline date-pair editor.
+//
+// The picker reuses the existing `.agenda-chip` styling for chips and
+// the `.multi-panel` popover pattern (auto-positioned under a
+// `.multi-anchor` wrapper). Both patterns are battle-tested by the
+// filter-bar + multi-select widgets — no new design tokens, no new
+// dark-mode contrast risk.
+
+import { t } from "./i18n";
+import {
+  ALL_HORIZONS,
+  HORIZON_LABEL_KEY,
+  NEXT_HORIZONS,
+  PAST_HORIZONS,
+  isDefault,
+  isValidISODate,
+  validateCustomRange,
+  type TimeHorizon,
+  type TimeSpec,
+} from "./date-range-picker-pure";
+
+export interface MountOpts {
+  /** Current value. The picker is fully controlled. */
+  value: TimeSpec;
+  /** Fired on every committed change (chip click or Anwenden). */
+  onChange(next: TimeSpec): void;
+  /**
+   * Which horizon constitutes the "default" for this surface. Used
+   * for the non-default indicator dot. Defaults to `"any"`.
+   */
+  defaultHorizon?: TimeHorizon;
+  /**
+   * Which chips to render. Order is preserved. Defaults to the full
+   * 14-chip fan from ALL_HORIZONS.
+   */
+  presets?: readonly TimeHorizon[];
+  /**
+   * Stable surface tag — feeds into the `data-testid` on every DOM
+   * node the picker creates so tests can scope. Example: "agenda",
+   * "filter-bar.time", "audit-log".
+   */
+  surface: string;
+  /**
+   * Optional prefix for the closed-button label. The label always
+   * starts with the resolved horizon name (e.g. "Letzte 30 Tage").
+   * Surfaces that want a heading prefix ("Zeitraum: Letzte 30 Tage")
+   * pass it here.
+   */
+  labelPrefix?: string;
+}
+
+export interface PickerHandle {
+  /** Root element — append to the host container. */
+  element: HTMLElement;
+  /** Read the current value (may have been edited via Anpassen). */
+  getValue(): TimeSpec;
+  /** Update the value from the host (e.g. after URL change). */
+  setValue(next: TimeSpec): void;
+  /** Force-close the popover. Safe to call when already closed. */
+  close(): void;
+  /** Detach event listeners + remove from DOM. */
+  destroy(): void;
+}
+
+/**
+ * Mount a date-range picker. The returned `element` is a single
+ * inline node containing both the trigger button and the popover
+ * (absolutely positioned via `.multi-anchor` + `.multi-panel`).
+ *
+ * The popover stays in the DOM permanently; opening/closing toggles
+ * the `[hidden]` attribute. This keeps the chip's tab-order stable
+ * and matches the multi-select widget's behaviour.
+ */
+export function mountDateRangePicker(opts: MountOpts): PickerHandle {
+  const presets = opts.presets ?? ALL_HORIZONS;
+  const defaultHorizon = opts.defaultHorizon ?? "any";
+  let value: TimeSpec = normalize(opts.value);
+
+  // Cached drafts for the "Anpassen" editor — preserved across
+  // open/close so the user doesn't lose their typing if they peek
+  // away. Seeded from the live value when the editor opens.
+  let customFromDraft = value.horizon === "custom" ? (value.from ?? "") : "";
+  let customToDraft = value.horizon === "custom" ? (value.to ?? "") : "";
+  let customEditorOpen = value.horizon === "custom";
+
+  const root = document.createElement("div");
+  root.className = "date-range-anchor multi-anchor";
+  root.dataset.testid = `${opts.surface}.date-range-picker`;
+
+  const trigger = document.createElement("button");
+  trigger.type = "button";
+  trigger.className = "date-range-trigger";
+  trigger.setAttribute("aria-haspopup", "dialog");
+  trigger.setAttribute("aria-expanded", "false");
+  trigger.dataset.testid = `${opts.surface}.date-range-trigger`;
+
+  const panel = document.createElement("div");
+  panel.className = "date-range-panel multi-panel";
+  panel.setAttribute("role", "dialog");
+  panel.setAttribute("aria-label", t("date_range.dialog.label"));
+  panel.hidden = true;
+  panel.dataset.testid = `${opts.surface}.date-range-panel`;
+
+  root.appendChild(trigger);
+  root.appendChild(panel);
+
+  renderTrigger();
+  renderPanel();
+
+  // Open/close wiring. Click outside the root collapses the popover;
+  // Esc inside it bubbles up to the same handler via keydown delegate.
+  const onDocClick = (e: MouseEvent) => {
+    if (panel.hidden) return;
+    if (e.target instanceof Node && root.contains(e.target)) return;
+    closePopover();
+  };
+  const onKeydown = (e: KeyboardEvent) => {
+    if (panel.hidden) return;
+    if (e.key === "Escape") {
+      e.stopPropagation();
+      closePopover();
+      trigger.focus();
+    }
+  };
+
+  trigger.addEventListener("click", () => {
+    if (panel.hidden) openPopover();
+    else closePopover();
+  });
+
+  document.addEventListener("mousedown", onDocClick);
+  document.addEventListener("keydown", onKeydown);
+
+  function openPopover(): void {
+    panel.hidden = false;
+    trigger.setAttribute("aria-expanded", "true");
+    // Re-render to reflect the very latest value (host may have
+    // patched via setValue between open/close).
+    renderPanel();
+    // Move keyboard focus into the panel so Esc works without a
+    // prior click. The first chip is the natural landing spot.
+    const firstChip = panel.querySelector<HTMLButtonElement>(".date-range-chip");
+    firstChip?.focus({ preventScroll: true });
+  }
+
+  function closePopover(): void {
+    panel.hidden = true;
+    trigger.setAttribute("aria-expanded", "false");
+  }
+
+  function commit(next: TimeSpec, closeAfter: boolean): void {
+    value = normalize(next);
+    customEditorOpen = value.horizon === "custom";
+    if (value.horizon === "custom") {
+      customFromDraft = value.from ?? "";
+      customToDraft = value.to ?? "";
+    }
+    renderTrigger();
+    renderPanel();
+    opts.onChange(value);
+    if (closeAfter) {
+      closePopover();
+      trigger.focus({ preventScroll: true });
+    }
+  }
+
+  function renderTrigger(): void {
+    trigger.replaceChildren();
+    if (!isDefault(value, defaultHorizon)) {
+      const dot = document.createElement("span");
+      dot.className = "date-range-trigger-dot";
+      dot.setAttribute("aria-hidden", "true");
+      trigger.appendChild(dot);
+    }
+    const labelSpan = document.createElement("span");
+    labelSpan.className = "date-range-trigger-label";
+    labelSpan.textContent = labelFor(value, opts.labelPrefix);
+    trigger.appendChild(labelSpan);
+
+    const chev = document.createElement("span");
+    chev.className = "date-range-trigger-chev";
+    chev.setAttribute("aria-hidden", "true");
+    chev.textContent = "▾";
+    trigger.appendChild(chev);
+  }
+
+  function renderPanel(): void {
+    panel.replaceChildren();
+
+    // Three vertical columns: Past (closest→farthest top→bottom),
+    // NOW (Heute + Alles), Future (closest→farthest). The grid
+    // visualises time as space around NOW — each column's top is
+    // closest to the current moment, bottom is furthest away.
+    const grid = document.createElement("div");
+    grid.className = "date-range-grid";
+
+    // Past column: PAST_HORIZONS registry is outermost→innermost
+    // (past_all → past_1d); reverse for closeness-to-NOW ordering
+    // (past_1d at top, past_all at bottom).
+    const pastCol = renderColumn(
+      "past",
+      t("date_range.fan.past.label"),
+      [...PAST_HORIZONS].reverse().filter((h) => presets.includes(h)),
+    );
+    const nowCol = renderNowColumn();
+    // Future column: NEXT_HORIZONS registry is already in closeness
+    // order (next_1d → next_all). next_1d moves to the NOW column as
+    // "Heute" (semantically just-today, single-day window), so the
+    // future column skips it.
+    const futureCol = renderColumn(
+      "future",
+      t("date_range.fan.future.label"),
+      NEXT_HORIZONS.filter((h) => h !== "next_1d" && presets.includes(h)),
+    );
+
+    if (pastCol) grid.appendChild(pastCol);
+    if (nowCol) grid.appendChild(nowCol);
+    if (futureCol) grid.appendChild(futureCol);
+
+    panel.appendChild(grid);
+
+    // Custom-range section ("Anpassen"). Toggle button + collapsible
+    // date-pair editor below.
+    if (presets.includes("custom")) {
+      panel.appendChild(renderCustomSection());
+    }
+  }
+
+  function renderColumn(
+    side: "past" | "future",
+    heading: string,
+    horizons: readonly TimeHorizon[],
+  ): HTMLElement | null {
+    if (horizons.length === 0) return null;
+    const col = document.createElement("div");
+    col.className = `date-range-col date-range-col--${side}`;
+    col.setAttribute("role", "group");
+    col.setAttribute("aria-label", heading);
+
+    const head = document.createElement("div");
+    head.className = "date-range-col-heading";
+    head.textContent = heading;
+    col.appendChild(head);
+
+    for (const h of horizons) {
+      col.appendChild(makeChip(h));
+    }
+    return col;
+  }
+
+  function renderNowColumn(): HTMLElement | null {
+    const showHeute = presets.includes("next_1d");
+    const showAlles = presets.includes("any");
+    if (!showHeute && !showAlles) return null;
+
+    const col = document.createElement("div");
+    col.className = "date-range-col date-range-col--now";
+    col.setAttribute("role", "group");
+    col.setAttribute("aria-label", t("date_range.center.label"));
+
+    const glyph = document.createElement("div");
+    glyph.className = "date-range-col-heading date-range-col-heading--glyph";
+    glyph.setAttribute("aria-hidden", "true");
+    glyph.textContent = "⌖"; // ⌖ POSITION INDICATOR
+    col.appendChild(glyph);
+
+    if (showHeute) col.appendChild(makeChip("next_1d"));
+    if (showAlles) {
+      const allesChip = makeChip("any");
+      // Legacy "all" horizon also lights up Alles for back-compat
+      // with saved Custom Views that store the bidirectional-unbounded
+      // value (Q26 — parser preserves it, picker surfaces it here).
+      if (value.horizon === "all") {
+        allesChip.classList.add("agenda-chip-active");
+        allesChip.setAttribute("aria-pressed", "true");
+      }
+      col.appendChild(allesChip);
+    }
+    return col;
+  }
+
+  function makeChip(h: TimeHorizon): HTMLButtonElement {
+    const chip = document.createElement("button");
+    chip.type = "button";
+    chip.className = "agenda-chip date-range-chip";
+    if (value.horizon === h) chip.classList.add("agenda-chip-active");
+    chip.setAttribute("aria-pressed", String(value.horizon === h));
+    chip.textContent = t(HORIZON_LABEL_KEY[h]);
+    chip.dataset.testid = `${opts.surface}.date-range-chip.${h}`;
+    chip.addEventListener("click", () => {
+      commit({ horizon: h }, /*closeAfter*/ true);
+    });
+    return chip;
+  }
+
+  function renderCustomSection(): HTMLElement {
+    const section = document.createElement("div");
+    section.className = "date-range-custom";
+
+    const toggleBtn = document.createElement("button");
+    toggleBtn.type = "button";
+    toggleBtn.className = "agenda-chip date-range-chip date-range-chip--custom";
+    if (value.horizon === "custom") toggleBtn.classList.add("agenda-chip-active");
+    toggleBtn.setAttribute("aria-expanded", String(customEditorOpen));
+    toggleBtn.dataset.testid = `${opts.surface}.date-range-chip.custom`;
+    toggleBtn.textContent = t("date_range.horizon.custom");
+    toggleBtn.addEventListener("click", () => {
+      customEditorOpen = !customEditorOpen;
+      renderPanel();
+      if (customEditorOpen) {
+        // Focus the first input on expand.
+        panel.querySelector<HTMLInputElement>(".date-range-custom-from")?.focus();
+      }
+    });
+    section.appendChild(toggleBtn);
+
+    if (!customEditorOpen) return section;
+
+    const editor = document.createElement("div");
+    editor.className = "date-range-custom-editor";
+
+    const fromWrap = document.createElement("label");
+    fromWrap.className = "date-range-custom-field";
+    const fromLbl = document.createElement("span");
+    fromLbl.className = "date-range-custom-label";
+    fromLbl.textContent = t("date_range.custom.from");
+    const fromInput = document.createElement("input");
+    fromInput.type = "date";
+    fromInput.lang = "de";
+    fromInput.className = "date-range-custom-from";
+    fromInput.value = customFromDraft;
+    fromInput.dataset.testid = `${opts.surface}.date-range-custom-from`;
+    fromInput.addEventListener("input", () => {
+      customFromDraft = fromInput.value;
+      refreshValidity();
+    });
+    fromWrap.appendChild(fromLbl);
+    fromWrap.appendChild(fromInput);
+
+    const toWrap = document.createElement("label");
+    toWrap.className = "date-range-custom-field";
+    const toLbl = document.createElement("span");
+    toLbl.className = "date-range-custom-label";
+    toLbl.textContent = t("date_range.custom.to");
+    const toInput = document.createElement("input");
+    toInput.type = "date";
+    toInput.lang = "de";
+    toInput.className = "date-range-custom-to";
+    toInput.value = customToDraft;
+    toInput.dataset.testid = `${opts.surface}.date-range-custom-to`;
+    toInput.addEventListener("input", () => {
+      customToDraft = toInput.value;
+      refreshValidity();
+    });
+    toWrap.appendChild(toLbl);
+    toWrap.appendChild(toInput);
+
+    const applyBtn = document.createElement("button");
+    applyBtn.type = "button";
+    applyBtn.className = "date-range-custom-apply";
+    applyBtn.textContent = t("date_range.custom.apply");
+    applyBtn.dataset.testid = `${opts.surface}.date-range-custom-apply`;
+    applyBtn.addEventListener("click", () => {
+      const err = validateCustomRange(customFromDraft, customToDraft);
+      if (err !== null) {
+        showError(err);
+        return;
+      }
+      commit(
+        { horizon: "custom", from: customFromDraft, to: customToDraft },
+        /*closeAfter*/ true,
+      );
+    });
+
+    const cancelBtn = document.createElement("button");
+    cancelBtn.type = "button";
+    cancelBtn.className = "date-range-custom-cancel";
+    cancelBtn.textContent = t("date_range.custom.cancel");
+    cancelBtn.addEventListener("click", () => {
+      customEditorOpen = false;
+      // Restore drafts from live value so a re-open shows the
+      // committed state rather than the abandoned typing.
+      customFromDraft = value.horizon === "custom" ? (value.from ?? "") : "";
+      customToDraft = value.horizon === "custom" ? (value.to ?? "") : "";
+      renderPanel();
+    });
+
+    const errEl = document.createElement("div");
+    errEl.className = "date-range-custom-error";
+    errEl.hidden = true;
+    errEl.dataset.testid = `${opts.surface}.date-range-custom-error`;
+
+    editor.appendChild(fromWrap);
+    editor.appendChild(toWrap);
+    editor.appendChild(applyBtn);
+    editor.appendChild(cancelBtn);
+    editor.appendChild(errEl);
+    section.appendChild(editor);
+
+    refreshValidity();
+
+    function refreshValidity(): void {
+      const err = validateCustomRange(customFromDraft, customToDraft);
+      if (err === null) {
+        applyBtn.disabled = false;
+        errEl.hidden = true;
+        errEl.textContent = "";
+        return;
+      }
+      applyBtn.disabled = true;
+      // Only surface the *content* error (`invalid` = inverted range)
+      // while the user is typing. Empty / format errors are visible
+      // through the disabled-Anwenden state alone — surfacing them on
+      // every keystroke would be noisy.
+      if (err === "date_range.custom.invalid") {
+        showError(err);
+      } else {
+        errEl.hidden = true;
+      }
+    }
+
+    function showError(key: Parameters<typeof t>[0]): void {
+      errEl.textContent = t(key);
+      errEl.hidden = false;
+    }
+
+    return section;
+  }
+
+  return {
+    element: root,
+    getValue: () => normalize(value),
+    setValue(next: TimeSpec) {
+      value = normalize(next);
+      customEditorOpen = value.horizon === "custom";
+      if (value.horizon === "custom") {
+        customFromDraft = value.from ?? "";
+        customToDraft = value.to ?? "";
+      }
+      renderTrigger();
+      renderPanel();
+    },
+    close: closePopover,
+    destroy() {
+      document.removeEventListener("mousedown", onDocClick);
+      document.removeEventListener("keydown", onKeydown);
+      root.remove();
+    },
+  };
+}
+
+function normalize(spec: TimeSpec): TimeSpec {
+  if (spec.horizon === "custom") {
+    return {
+      horizon: "custom",
+      from: spec.from && isValidISODate(spec.from) ? spec.from : undefined,
+      to: spec.to && isValidISODate(spec.to) ? spec.to : undefined,
+    };
+  }
+  return { horizon: spec.horizon };
+}
+
+function labelFor(spec: TimeSpec, prefix?: string): string {
+  let body: string;
+  if (spec.horizon === "custom") {
+    if (spec.from && spec.to) {
+      body = t("date_range.button.label.custom_range")
+        .replace("{from}", formatISO(spec.from))
+        .replace("{to}", formatISO(spec.to));
+    } else {
+      body = t("date_range.horizon.custom");
+    }
+  } else {
+    body = t(HORIZON_LABEL_KEY[spec.horizon]);
+  }
+  return prefix ? `${prefix}: ${body}` : body;
+}
+
+function formatISO(iso: string): string {
+  if (!isValidISODate(iso)) return iso;
+  // DE locale: DD.MM.YYYY. The picker is German-first; surfaces in EN
+  // can override via labelPrefix or by formatting before commit if
+  // they want a different shape.
+  const [y, m, d] = iso.split("-");
+  return `${d}.${m}.${y}`;
+}

frontend/src/client/deadlines-detail.ts

@@ -9,6 +9,8 @@ import {
   type EventType,
   type PickerHandle,
 } from "./event-types";
+import { openWithdrawWarningModal } from "./components/withdraw-warning-modal";
+import { formatRuleLabel, formatRuleLabelHTML, formatCustomRuleLabelHTML } from "./rule-label";
 
 interface Deadline {
   id: string;
@@ -20,6 +22,9 @@ interface Deadline {
   source: string;
   rule_id?: string;
   rule_code?: string;
+  // t-paliad-258 — lawyer's free-text rule label when the deadline was
+  // saved in Custom mode. Mutually exclusive with rule_id.
+  custom_rule_text?: string;
   notes?: string;
   created_at: string;
   completed_at?: string;
@@ -38,6 +43,9 @@ interface PendingApprovalRequest {
   requested_at: string;
   required_role: string;
   requester_name?: string;
+  // t-paliad-252 — used by the withdraw warning modal to pick the right
+  // copy (CREATE warns about deletion; UPDATE/COMPLETE about revert).
+  lifecycle_event?: string;
 }
 
 let eventTypePicker: PickerHandle | null = null;
@@ -54,7 +62,21 @@ interface DeadlineRule {
   id: string;
   code?: string;
   name: string;
+  name_en?: string;
   rule_code?: string;
+  legal_source?: string | null;
+  // t-paliad-258 — canonical event_type for Auto-mode rule resolution
+  // when the user flips to Auto on the edit form.
+  concept_default_event_type_id?: string | null;
+  proceeding_type_id?: number | null;
+}
+
+interface ProceedingType {
+  id: number;
+  jurisdiction: string;
+  name: string;
+  name_en?: string;
+  sort_order?: number;
 }
 
 interface Me {
@@ -70,6 +92,30 @@ let me: Me | null = null;
 let allProjects: Project[] = [];
 let pendingRequest: PendingApprovalRequest | null = null;
 
+// t-paliad-258 — Auto/Custom rule editor state. Mirrors the create form.
+// On enterEdit we initialise the mode from the persisted deadline:
+//   rule_id set                       → "auto"
+//   custom_rule_text set, no rule_id  → "custom"
+//   neither set                       → "auto" (so the Type-driven
+//                                        resolver fills in immediately).
+type RuleMode = "auto" | "custom";
+let ruleMode: RuleMode = "auto";
+let allRules: DeadlineRule[] = [];
+let rulesByID = new Map<string, DeadlineRule>();
+let proceedingTypesByID = new Map<number, ProceedingType>();
+// t-paliad-252 — when the user chose "Edit event" in the withdraw warning
+// modal, the entity is still in approval_status='pending'. Save must POST
+// to /api/approval-requests/{id}/edit-entity (which keeps the request
+// pending + merges the new fields into payload) instead of the regular
+// PATCH /api/deadlines/{id} (which 409s during pending). Cleared on exit
+// from edit mode + after a successful save.
+let pendingEditMode = false;
+
+// pendingEnterEdit — late-bound by initEdit() so the withdraw warning
+// modal handler (initWithdraw) can route into pending-edit mode without
+// duplicating the edit-mode toggle logic.
+let pendingEnterEdit: (() => void) | null = null;
+
 function parseDeadlineID(): string | null {
   const parts = window.location.pathname.split("/").filter(Boolean);
   if (parts[0] !== "deadlines" || !parts[1]) return null;
@@ -165,17 +211,66 @@ function populateProjectPicker() {
   sel.value = deadline.project_id;
 }
 
-async function loadRule(ruleID: string) {
+async function loadAllRules() {
   try {
     const resp = await fetch(`/api/deadline-rules`);
     if (!resp.ok) return;
-    const all: DeadlineRule[] = await resp.json();
-    rule = all.find((r) => r.id === ruleID) || null;
+    allRules = (await resp.json()) as DeadlineRule[];
+    rulesByID = new Map(allRules.map((r) => [r.id, r]));
   } catch {
     /* non-fatal */
   }
 }
 
+async function loadProceedingTypes() {
+  try {
+    const resp = await fetch("/api/proceeding-types-db");
+    if (!resp.ok) return;
+    const types: ProceedingType[] = await resp.json();
+    proceedingTypesByID = new Map(types.map((pt) => [pt.id, pt]));
+  } catch {
+    /* non-fatal */
+  }
+}
+
+function lookupRule(ruleID: string): DeadlineRule | null {
+  return rulesByID.get(ruleID) || null;
+}
+
+// resolveAutoRuleForType mirrors the create-form resolver: pick the
+// canonical rule for the chosen event_type, prioritising the project's
+// proceeding then jurisdiction match.
+function resolveAutoRuleForType(eventTypeID: string): DeadlineRule | null {
+  const candidates = allRules.filter((r) => r.concept_default_event_type_id === eventTypeID);
+  if (candidates.length === 0) return null;
+  if (candidates.length === 1) return candidates[0];
+
+  const projID = deadline?.project_id;
+  const proj = projID ? allProjects.find((p) => p.id === projID) as (Project & { proceeding_type_id?: number | null }) | undefined : undefined;
+  if (proj && proj.proceeding_type_id) {
+    const exact = candidates.find((r) => r.proceeding_type_id === proj.proceeding_type_id);
+    if (exact) return exact;
+  }
+
+  const et = eventTypeByID.get(eventTypeID);
+  if (et?.jurisdiction && et.jurisdiction !== "any") {
+    const want = et.jurisdiction === "EPO" ? "EPA" : et.jurisdiction;
+    const jurMatch = candidates.find((r) => {
+      const pt = r.proceeding_type_id ? proceedingTypesByID.get(r.proceeding_type_id) : undefined;
+      return pt?.jurisdiction === want;
+    });
+    if (jurMatch) return jurMatch;
+  }
+
+  return candidates[0];
+}
+
+function currentAutoRule(): DeadlineRule | null {
+  const picked = eventTypePicker?.getIDs() ?? [];
+  if (picked.length !== 1) return null;
+  return resolveAutoRuleForType(picked[0]);
+}
+
 async function loadMe() {
   try {
     const resp = await fetch("/api/me");
@@ -227,9 +322,15 @@ function render() {
   }
 
   const ruleEl = document.getElementById("deadline-rule-display")!;
+  // t-paliad-258 — display priority:
+  //   1. catalog rule (canonical Name · Citation pattern)
+  //   2. custom_rule_text + Custom badge
+  //   3. legacy rule_code-only (Fristenrechner saves)
+  //   4. "—"
   if (rule) {
-    const code = rule.rule_code || rule.code || "";
-    ruleEl.textContent = code ? `${code} — ${rule.name}` : rule.name;
+    ruleEl.innerHTML = formatRuleLabelHTML(rule, esc);
+  } else if (deadline.custom_rule_text && deadline.custom_rule_text.trim()) {
+    ruleEl.innerHTML = formatCustomRuleLabelHTML(deadline.custom_rule_text, esc);
   } else if (deadline.rule_code) {
     // Fristenrechner-saved deadlines carry rule_code directly without
     // a rule_id (no rule UUID round-trips through the public API).
@@ -353,6 +454,49 @@ function render() {
   }
 }
 
+function refreshRuleAutoDisplay(): void {
+  const panel = document.getElementById("deadline-rule-auto-display");
+  const text = document.getElementById("deadline-rule-auto-text");
+  if (!panel || !text) return;
+  if (ruleMode !== "auto") {
+    panel.style.display = "none";
+    return;
+  }
+  panel.style.display = "";
+  const r = currentAutoRule();
+  if (r) {
+    // Canonical "Name · Citation" with muted citation (t-paliad-258 addendum).
+    text.innerHTML = formatRuleLabelHTML(r, esc);
+    text.classList.remove("rule-auto-text--empty");
+    return;
+  }
+  const picked = eventTypePicker?.getIDs() ?? [];
+  const fallback = picked.length === 1
+    ? (t("deadlines.field.rule.auto_no_match") || "Keine Regel zur gewählten Verfahrenshandlung")
+    : (t("deadlines.field.rule.auto_pick_type") || "Wählen Sie zuerst eine Verfahrenshandlung");
+  text.textContent = fallback;
+  text.classList.add("rule-auto-text--empty");
+}
+
+function applyRuleModeUI(): void {
+  const toggleBtn = document.getElementById("deadline-rule-mode-toggle") as HTMLButtonElement | null;
+  const autoPanel = document.getElementById("deadline-rule-auto-display");
+  const customInput = document.getElementById("deadline-rule-custom-input") as HTMLInputElement | null;
+  if (!toggleBtn || !autoPanel || !customInput) return;
+  if (ruleMode === "auto") {
+    autoPanel.style.display = "";
+    customInput.style.display = "none";
+    toggleBtn.textContent = t("deadlines.field.rule.mode.toggle_to_custom") || "Eigene Regel eingeben";
+    toggleBtn.setAttribute("data-i18n", "deadlines.field.rule.mode.toggle_to_custom");
+  } else {
+    autoPanel.style.display = "none";
+    customInput.style.display = "";
+    toggleBtn.textContent = t("deadlines.field.rule.mode.toggle_to_auto") || "Zurück zu Auto";
+    toggleBtn.setAttribute("data-i18n", "deadlines.field.rule.mode.toggle_to_auto");
+  }
+  refreshRuleAutoDisplay();
+}
+
 function initEdit() {
   const titleDisplay = document.getElementById("deadline-title-display")!;
   const titleEdit = document.getElementById("deadline-title-edit") as HTMLInputElement;
@@ -366,6 +510,11 @@ function initEdit() {
   const etEdit = document.getElementById("deadline-event-types-edit");
   const projectLink = document.getElementById("deadline-project-link") as HTMLAnchorElement;
   const projectEdit = document.getElementById("deadline-project-edit") as HTMLSelectElement | null;
+  const titleDefaultBtn = document.getElementById("deadline-title-default-btn") as HTMLButtonElement | null;
+  const ruleDisplay = document.getElementById("deadline-rule-display");
+  const ruleEdit = document.getElementById("deadline-rule-edit");
+  const ruleCustomInput = document.getElementById("deadline-rule-custom-input") as HTMLInputElement | null;
+  const ruleToggleBtn = document.getElementById("deadline-rule-mode-toggle") as HTMLButtonElement | null;
 
   function enterEdit() {
     titleDisplay.style.display = "none";
@@ -381,6 +530,20 @@ function initEdit() {
       projectEdit.style.display = "";
       projectEdit.value = deadline.project_id;
     }
+    if (titleDefaultBtn) titleDefaultBtn.style.display = "";
+    // t-paliad-258 — show the Auto/Custom rule editor + initialise mode
+    // from the persisted deadline. Display element stays visible so the
+    // user keeps "before / after" context while editing.
+    if (ruleEdit) ruleEdit.style.display = "";
+    if (ruleDisplay) ruleDisplay.style.display = "none";
+    if (deadline?.custom_rule_text && !deadline.rule_id) {
+      ruleMode = "custom";
+      if (ruleCustomInput) ruleCustomInput.value = deadline.custom_rule_text;
+    } else {
+      ruleMode = "auto";
+      if (ruleCustomInput) ruleCustomInput.value = "";
+    }
+    applyRuleModeUI();
     saveBtn.style.display = "";
     editBtn.style.display = "none";
     titleEdit.focus();
@@ -399,12 +562,71 @@ function initEdit() {
       projectEdit.style.display = "none";
       projectLink.style.display = "";
     }
+    if (titleDefaultBtn) titleDefaultBtn.style.display = "none";
+    if (ruleEdit) ruleEdit.style.display = "none";
+    if (ruleDisplay) ruleDisplay.style.display = "";
     saveBtn.style.display = "none";
     editBtn.style.display = "";
+    pendingEditMode = false;
   }
 
+  // Rule mode toggle (Auto ↔ Custom). The Auto resolver re-runs every
+  // time the Type picker changes, so just-toggling-to-Auto immediately
+  // surfaces a fresh resolution.
+  ruleToggleBtn?.addEventListener("click", () => {
+    ruleMode = ruleMode === "auto" ? "custom" : "auto";
+    applyRuleModeUI();
+    if (ruleMode === "custom") ruleCustomInput?.focus();
+  });
+
+  // t-paliad-252 — expose enterEdit so the withdraw warning modal can
+  // route into pending-edit mode without re-running the edit-button
+  // visibility gate (which hides the button during pending).
+  pendingEnterEdit = () => {
+    pendingEditMode = true;
+    enterEdit();
+  };
+
   editBtn.addEventListener("click", enterEdit);
 
+  // t-paliad-251 Part 4 — Standardtitel button.
+  // Recipe (mirror of computeDefaultTitle in deadlines-new.ts):
+  //   head = event_type label (if exactly one Typ chip in edit)
+  //       || Auto-resolved rule's canonical label (Name · Citation)
+  //       || saved rule's canonical label
+  //       || custom_rule_text (when in Custom mode + non-empty)
+  //       || rule_code-only legacy fallback
+  //       || "Neue Frist" fallback
+  //   suffix = " — <project.reference>" when not already in head
+  titleDefaultBtn?.addEventListener("click", () => {
+    if (!deadline) return;
+    let head = "";
+    const ids = eventTypePicker?.getIDs() ?? deadline.event_type_ids ?? [];
+    if (ids.length === 1) {
+      const et = eventTypeByID.get(ids[0]);
+      if (et) head = eventTypeLabel(et);
+    }
+    if (!head) {
+      const r = ruleMode === "auto" ? (currentAutoRule() ?? rule) : null;
+      if (r) head = formatRuleLabel(r);
+    }
+    if (!head && ruleMode === "custom") {
+      const txt = ruleCustomInput?.value.trim() || "";
+      if (txt) head = txt;
+    }
+    if (!head && rule) {
+      head = formatRuleLabel(rule);
+    }
+    if (!head && deadline.rule_code) {
+      head = deadline.rule_code;
+    }
+    if (!head) head = t("deadlines.field.title.default_fallback");
+    const ref = project?.reference?.trim() || "";
+    if (ref && !head.includes(ref)) head = `${head} — ${ref}`;
+    titleEdit.value = head;
+    titleEdit.focus();
+  });
+
   saveBtn.addEventListener("click", async () => {
     if (!deadline) return;
     const newTitle = titleEdit.value.trim();
@@ -424,6 +646,48 @@ function initEdit() {
       if (projectEdit && projectEdit.value && projectEdit.value !== deadline.project_id) {
         payload.project_id = projectEdit.value;
       }
+      // t-paliad-258 — rule_set discriminator tells the service this
+      // PATCH carries an Auto/Custom rule change. Both columns are
+      // mutually exclusive at the persistence boundary.
+      payload.rule_set = true;
+      if (ruleMode === "auto") {
+        const r = currentAutoRule();
+        payload.rule_id = r ? r.id : null;
+        payload.custom_rule_text = null;
+      } else {
+        const txt = ruleCustomInput?.value.trim() || "";
+        payload.rule_id = null;
+        payload.custom_rule_text = txt || null;
+      }
+
+      // t-paliad-252 — pending-edit mode routes through the new endpoint
+      // that updates the entity + merges payload into the still-pending
+      // approval_request. Outside pending-edit mode the regular PATCH
+      // path remains the authoritative one (with its existing 409-on-
+      // pending guard).
+      if (pendingEditMode && pendingRequest) {
+        const resp = await fetch(
+          `/api/approval-requests/${pendingRequest.id}/edit-entity`,
+          {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ fields: payload }),
+          },
+        );
+        if (resp.ok) {
+          const fresh = await fetch(`/api/deadlines/${deadline.id}`);
+          if (fresh.ok) deadline = await fresh.json();
+          await loadPendingRequest();
+          render();
+        } else {
+          const body = await resp.json().catch(() => null);
+          const msg = (body && (body.message || body.error))
+            || (t("approvals.withdraw.error") || "Fehler");
+          window.alert(msg);
+        }
+        return;
+      }
+
       const resp = await fetch(`/api/deadlines/${deadline.id}`, {
         method: "PATCH",
         headers: { "Content-Type": "application/json" },
@@ -501,19 +765,39 @@ function initReopen() {
   });
 }
 
-// initWithdraw — t-paliad-160 §C+E. Reuses the existing
-// /api/approval-requests/{id}/revoke endpoint (no new server route
-// needed). After the revoke lands, the entity goes back to
-// approval_status='approved' and the page reloads to refresh the
-// in-memory state cleanly.
+// initWithdraw — t-paliad-160 §C+E + t-paliad-252.
+//
+// Click flow: open the withdraw warning modal (replaces the old
+// confirm()). The modal returns one of:
+//
+//   "edit"     — open the edit form in pending-edit mode; Save calls
+//                /api/approval-requests/{id}/edit-entity which keeps the
+//                request pending + merges the new fields into payload
+//   "withdraw" — destructive: call the existing /revoke endpoint
+//                (DELETE entity for CREATE, revert for UPDATE/COMPLETE,
+//                cancel-delete for DELETE lifecycle)
+//   null       — user cancelled; nothing happens
 function initWithdraw() {
   const btn = document.getElementById("deadline-withdraw-btn") as HTMLButtonElement | null;
   if (!btn) return;
   btn.addEventListener("click", async () => {
     if (!deadline || !pendingRequest) return;
-    if (!window.confirm(t("approvals.withdraw.confirm") || "Anfrage wirklich zurückziehen?")) return;
     btn.disabled = true;
     try {
+      const action = await openWithdrawWarningModal({
+        entityType: "deadline",
+        lifecycleEvent: pendingRequest.lifecycle_event ?? "create",
+      });
+      if (action === null) {
+        btn.disabled = false;
+        return;
+      }
+      if (action === "edit") {
+        btn.disabled = false;
+        pendingEnterEdit?.();
+        return;
+      }
+      // action === "withdraw" → existing destructive path.
       const resp = await fetch(`/api/approval-requests/${pendingRequest.id}/revoke`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
@@ -521,14 +805,16 @@ function initWithdraw() {
       });
       if (resp.ok) {
         // Re-fetch the entity so approval_status flips back to 'approved'
-        // and the badge / buttons rerender accordingly.
+        // and the badge / buttons rerender accordingly. For CREATE
+        // lifecycle the entity is gone, so the 404 surfaces as a reload.
         const r = await fetch(`/api/deadlines/${deadline.id}`);
         if (r.ok) {
           deadline = await r.json();
           await loadPendingRequest();
           render();
         } else {
-          window.location.reload();
+          // CREATE lifecycle deleted the entity — bounce to the list.
+          window.location.href = "/events?type=deadline";
         }
       } else {
         btn.disabled = false;
@@ -592,8 +878,14 @@ async function main() {
     notfound.style.display = "block";
     return;
   }
-  await Promise.all([loadProject(deadline.project_id), loadAllProjects(), loadPendingRequest()]);
-  if (deadline.rule_id) await loadRule(deadline.rule_id);
+  await Promise.all([
+    loadProject(deadline.project_id),
+    loadAllProjects(),
+    loadPendingRequest(),
+    loadAllRules(),
+    loadProceedingTypes(),
+  ]);
+  if (deadline.rule_id) rule = lookupRule(deadline.rule_id);
 
   // Load event types in parallel; render once ready (the picker re-renders
   // chips off the cached map, and the display element re-renders on the
@@ -614,6 +906,11 @@ async function main() {
     eventTypePicker = attachEventTypePicker(pickerHost, {
       initialIDs: deadline.event_type_ids ?? [],
       currentUserAdmin: me?.global_role === "global_admin",
+      onChange: () => {
+        // Type change shifts the Auto-resolved rule. Refresh the
+        // read-only display panel (no-op outside edit mode / Custom).
+        refreshRuleAutoDisplay();
+      },
     });
   }
 

frontend/src/client/deadlines-new.ts

@@ -1,4 +1,4 @@
-import { initI18n, t, tDyn } from "./i18n";
+import { initI18n, t, tDyn, getLang } from "./i18n";
 import { initSidebar } from "./sidebar";
 import {
   attachEventTypePicker,
@@ -8,22 +8,21 @@ import {
   type PickerHandle,
 } from "./event-types";
 import { projectIndent } from "./project-indent";
+import { formatRuleLabel, formatRuleLabelHTML } from "./rule-label";
 
 let eventTypePicker: PickerHandle | null = null;
 let currentUserAdmin = false;
 let eventTypesByID = new Map<string, EventType>();
-// expandedOverride flips to true when the user clicks "Anderen Typ
-// wählen" on the collapsed inline summary. Sticky for the rest of the
-// form session — cleared only when the user reverts the rule to "Keine
-// Regel". When true, the picker stays visible regardless of whether
-// the chip matches the rule's canonical default.
-let expandedOverride = false;
 
 interface Project {
   id: string;
   reference?: string | null;
   title: string;
   path: string;
+  // Used by the Type→Rule resolver to narrow rule candidates to the
+  // project's own proceeding when one applies. Optional because clients
+  // and matter-level projects don't carry a proceeding type.
+  proceeding_type_id?: number | null;
 }
 
 interface DeadlineRule {
@@ -32,23 +31,37 @@ interface DeadlineRule {
   name: string;
   name_en: string;
   rule_code?: string;
-  // t-paliad-165 — canonical event_type for this rule's concept,
-  // hydrated server-side from paliad.deadline_concept_event_types.
-  // Drives auto-fill of the Typ chip when the user picks this rule.
+  legal_source?: string | null;
+  proceeding_type_id?: number | null;
+  sequence_order?: number;
+  // t-paliad-165 — canonical event_type for the rule's concept. The
+  // catalog is indexed by it so we can resolve Type → canonical Rule.
   concept_default_event_type_id?: string | null;
 }
 
-// Rules indexed by id so the Regel-change handler can look up the
-// concept's canonical event_type without re-fetching.
-let rulesByID = new Map<string, DeadlineRule>();
+interface ProceedingType {
+  id: number;
+  code: string;
+  name: string;
+  name_en?: string;
+  jurisdiction: string;
+  sort_order?: number;
+}
 
-// Last event_type the rule auto-filled. Tracked so we can tell whether
-// the picker still reflects the rule's suggestion (replace silently on
-// new rule pick) or whether the user has manually edited (leave alone,
-// surface the mismatch warning instead).
-let lastAutoFilledEventTypeID: string | null = null;
+// Rule mode (t-paliad-258 / m/paliad#89). The form has two states:
+//   auto   — rule_id resolved from the chosen event_type, rendered
+//            read-only as "Auto: Name · Citation".
+//   custom — free-text input; submits as custom_rule_text on the API.
+type RuleMode = "auto" | "custom";
+let ruleMode: RuleMode = "auto";
+
+let rulesByID = new Map<string, DeadlineRule>();
+let allRules: DeadlineRule[] = [];
+let proceedingTypesByID = new Map<number, ProceedingType>();
+let projectsByID = new Map<string, Project>();
 
 let preselectedProjectID = "";
+let preselectedProjectIDLocal = "";
 
 function esc(s: string): string {
   const d = document.createElement("div");
@@ -62,6 +75,13 @@ function showError(msg: string) {
   el.className = "form-msg form-msg-error";
 }
 
+function proceedingLabel(pt: ProceedingType | undefined): string {
+  if (!pt) return "";
+  const lang = getLang();
+  const name = (lang === "en" && pt.name_en) ? pt.name_en : pt.name;
+  return `${pt.jurisdiction} — ${name}`;
+}
+
 async function loadProjects() {
   const sel = document.getElementById("deadline-project") as HTMLSelectElement;
   const hint = document.getElementById("deadline-project-empty-hint")!;
@@ -69,6 +89,7 @@ async function loadProjects() {
     const resp = await fetch("/api/projects");
     if (!resp.ok) return;
     const projects: Project[] = await resp.json();
+    projectsByID = new Map(projects.map((p) => [p.id, p]));
     if (projects.length === 0) {
       hint.style.display = "";
       hint.innerHTML = `${esc(t("deadlines.field.akte.empty"))} <a href="/projects/new">${esc(t("deadlines.field.akte.empty.link"))}</a>`;
@@ -82,7 +103,7 @@ async function loadProjects() {
       const ref = p.reference || "";
       const indent = projectIndent(p.path);
       options.push(
-        `<option value="${esc(p.id)}"${isSelected}>${indent}${esc(ref)} \u2014 ${esc(p.title)}</option>`,
+        `<option value="${esc(p.id)}"${isSelected}>${indent}${esc(ref)} — ${esc(p.title)}</option>`,
       );
     }
     sel.innerHTML = options.join("");
@@ -91,122 +112,167 @@ async function loadProjects() {
   }
 }
 
+async function loadProceedingTypes() {
+  try {
+    const resp = await fetch("/api/proceeding-types-db");
+    if (!resp.ok) return;
+    const types: ProceedingType[] = await resp.json();
+    proceedingTypesByID = new Map(types.map((pt) => [pt.id, pt]));
+  } catch {
+    /* non-fatal */
+  }
+}
+
 async function loadRules() {
-  // Optional: load rules so user can attach. We pull all rules; small set.
-  const sel = document.getElementById("deadline-rule") as HTMLSelectElement;
   try {
     const resp = await fetch("/api/deadline-rules");
     if (!resp.ok) return;
-    const rules: DeadlineRule[] = await resp.json();
-    rulesByID = new Map(rules.map((r) => [r.id, r]));
-    const opts: string[] = [
-      `<option value="" data-i18n="deadlines.field.rule.none">${esc(t("deadlines.field.rule.none"))}</option>`,
-    ];
-    for (const r of rules) {
-      const code = r.rule_code || r.code || "";
-      const label = code ? `${code} \u2014 ${r.name}` : r.name;
-      opts.push(`<option value="${esc(r.id)}">${esc(label)}</option>`);
-    }
-    sel.innerHTML = opts.join("");
+    allRules = (await resp.json()) as DeadlineRule[];
+    rulesByID = new Map(allRules.map((r) => [r.id, r]));
   } catch {
-    /* non-fatal — rule select stays at "no rule" */
+    /* non-fatal — rule display falls back to "—" */
   }
 }
 
-// t-paliad-165 follow-up — drive the collapsed/expanded view of the Typ
-// picker. The two modes are mutually exclusive:
+// resolveAutoRuleForType picks the best-match catalog rule for the
+// chosen event type, scoring by:
+//   1. project's proceeding_type_id (if known) — exact match wins,
+//   2. otherwise event_type.jurisdiction matches the rule's proceeding's
+//      jurisdiction (EPA→EPO canonicalised),
+//   3. otherwise the first candidate in canonical sequence_order.
 //
-//   collapsed: rule selected + canonical event_type known + picker
-//     contains exactly [default] + user hasn't clicked "Anderen Typ
-//     wählen". Hides the chip cluster, surfaces a single inline
-//     summary "Klageerwiderung (vorgegeben durch Regel)" + an
-//     override link.
-//
-//   expanded: every other case — no rule, no default for the rule,
-//     picker has been edited, or expandedOverride is sticky after the
-//     user clicked the override link. Picker visible; mismatch warning
-//     surfaces yellow when the rule expected a different event_type.
-function refreshRuleView(): void {
-  const collapsed = document.getElementById("deadline-event-type-collapsed");
-  const collapsedLabel = document.getElementById("deadline-event-type-collapsed-label");
-  const pickerHost = document.getElementById("deadline-event-types");
-  const warn = document.getElementById("deadline-event-type-rule-mismatch");
-  if (!collapsed || !collapsedLabel || !pickerHost || !warn) return;
+// Returns null when no rule maps. Callers render that as "no Auto rule
+// available" so the user can flip to Custom or pick a different Type.
+function resolveAutoRuleForType(eventTypeID: string, projectID: string): DeadlineRule | null {
+  const candidates = allRules.filter((r) => r.concept_default_event_type_id === eventTypeID);
+  if (candidates.length === 0) return null;
+  if (candidates.length === 1) return candidates[0];
 
-  const ruleID = (document.getElementById("deadline-rule") as HTMLSelectElement | null)?.value || "";
-  const rule = ruleID ? rulesByID.get(ruleID) : undefined;
-  const expected = rule?.concept_default_event_type_id ?? null;
+  const project = projectID ? projectsByID.get(projectID) : undefined;
+  if (project?.proceeding_type_id) {
+    const exact = candidates.find((r) => r.proceeding_type_id === project.proceeding_type_id);
+    if (exact) return exact;
+  }
+
+  const et = eventTypesByID.get(eventTypeID);
+  if (et?.jurisdiction && et.jurisdiction !== "any") {
+    const want = et.jurisdiction === "EPO" ? "EPA" : et.jurisdiction;
+    const jurMatch = candidates.find((r) => {
+      const pt = r.proceeding_type_id ? proceedingTypesByID.get(r.proceeding_type_id) : undefined;
+      return pt?.jurisdiction === want;
+    });
+    if (jurMatch) return jurMatch;
+  }
+
+  return candidates[0];
+}
+
+// currentAutoRule returns the catalog rule the Auto mode would resolve
+// to for the current form state, or null when no Type is picked or no
+// rule maps. Centralised so the Auto display, submitForm, and the
+// Standardtitel button all agree on the same resolution.
+function currentAutoRule(): DeadlineRule | null {
   const picked = eventTypePicker?.getIDs() ?? [];
+  if (picked.length !== 1) return null;
+  const projectID = (document.getElementById("deadline-project") as HTMLSelectElement | null)?.value || "";
+  return resolveAutoRuleForType(picked[0], projectID);
+}
 
-  const pickerMatchesDefault =
-    expected !== null && picked.length === 1 && picked[0] === expected;
-  const wantsCollapsed =
-    !expandedOverride && ruleID !== "" && expected !== null && pickerMatchesDefault;
-
-  if (wantsCollapsed) {
-    const et = eventTypesByID.get(expected!);
-    collapsedLabel.textContent = et ? eventTypeLabel(et) : "";
-    collapsed.style.display = "";
-    pickerHost.style.display = "none";
-    warn.style.display = "none";
+// refreshRuleAutoDisplay updates the read-only Auto display panel to
+// reflect the rule that would be saved in Auto mode. Hides itself when
+// the user is in Custom mode (the input takes its place).
+function refreshRuleAutoDisplay(): void {
+  const panel = document.getElementById("deadline-rule-auto-display");
+  const text = document.getElementById("deadline-rule-auto-text");
+  if (!panel || !text) return;
+  if (ruleMode !== "auto") {
+    panel.style.display = "none";
     return;
   }
+  panel.style.display = "";
+  const rule = currentAutoRule();
+  if (rule) {
+    // Canonical "Name · Citation" with muted citation (t-paliad-258 addendum).
+    text.innerHTML = formatRuleLabelHTML(rule, esc);
+    text.classList.remove("rule-auto-text--empty");
+    return;
+  }
+  const picked = eventTypePicker?.getIDs() ?? [];
+  const fallback = picked.length === 1
+    ? (t("deadlines.field.rule.auto_no_match") || "Keine Regel zur gewählten Verfahrenshandlung")
+    : (t("deadlines.field.rule.auto_pick_type") || "Wählen Sie zuerst eine Verfahrenshandlung");
+  text.textContent = fallback;
+  text.classList.add("rule-auto-text--empty");
+}
 
-  collapsed.style.display = "none";
-  pickerHost.style.display = "";
-  // Mismatch warning: rule expected an event_type AND the picker
-  // doesn't contain it. (When the picker is empty + no override, no
-  // warning — user is free to leave it blank.)
-  if (expected && picked.length > 0 && !picked.includes(expected)) {
-    warn.style.display = "";
+function applyRuleModeUI(): void {
+  const toggleBtn = document.getElementById("deadline-rule-mode-toggle") as HTMLButtonElement | null;
+  const autoPanel = document.getElementById("deadline-rule-auto-display");
+  const customInput = document.getElementById("deadline-rule-custom-input") as HTMLInputElement | null;
+  if (!toggleBtn || !autoPanel || !customInput) return;
+  if (ruleMode === "auto") {
+    autoPanel.style.display = "";
+    customInput.style.display = "none";
+    toggleBtn.textContent = t("deadlines.field.rule.mode.toggle_to_custom") || "Eigene Regel eingeben";
+    toggleBtn.setAttribute("data-i18n", "deadlines.field.rule.mode.toggle_to_custom");
   } else {
-    warn.style.display = "none";
+    autoPanel.style.display = "none";
+    customInput.style.display = "";
+    toggleBtn.textContent = t("deadlines.field.rule.mode.toggle_to_auto") || "Zurück zu Auto";
+    toggleBtn.setAttribute("data-i18n", "deadlines.field.rule.mode.toggle_to_auto");
+  }
+  refreshRuleAutoDisplay();
+}
+
+function setRuleMode(mode: RuleMode): void {
+  ruleMode = mode;
+  applyRuleModeUI();
+  if (mode === "custom") {
+    const input = document.getElementById("deadline-rule-custom-input") as HTMLInputElement | null;
+    input?.focus();
   }
 }
 
-// applyRuleAutoFill replaces the picker silently when it still reflects
-// the previous rule's suggestion (or is empty); leaves a manually-edited
-// picker alone. Called whenever the Regel select changes.
-function applyRuleAutoFill(): void {
-  if (!eventTypePicker) return;
-  const ruleID = (document.getElementById("deadline-rule") as HTMLSelectElement | null)?.value || "";
-  const rule = ruleID ? rulesByID.get(ruleID) : undefined;
-  const expected = rule?.concept_default_event_type_id ?? null;
-  const current = eventTypePicker.getIDs();
+// computeDefaultTitle — t-paliad-251 Part 4. Priority order picks the head:
+//   1. event_type label (when exactly one Typ chip is set)
+//   2. canonical rule name (when Auto resolves to a rule)
+//   3. custom rule text (when in Custom mode)
+//   4. proceeding type name (when project carries one)
+//   5. fallback i18n key
+// Suffix: " — <project-reference>" when not already in head.
+function computeDefaultTitle(): string {
+  const projectID = (document.getElementById("deadline-project") as HTMLSelectElement | null)?.value || "";
+  const project = projectID ? projectsByID.get(projectID) : undefined;
+  const picked = eventTypePicker?.getIDs() ?? [];
 
-  // Reset the override on transition to "Keine Regel" — fresh form
-  // session. Otherwise expandedOverride stays sticky.
-  if (ruleID === "") {
-    expandedOverride = false;
+  let head = "";
+  if (picked.length === 1) {
+    const et = eventTypesByID.get(picked[0]);
+    if (et) head = eventTypeLabel(et);
   }
-
-  const pickerStillReflectsLastSuggestion =
-    lastAutoFilledEventTypeID !== null &&
-    current.length === 1 &&
-    current[0] === lastAutoFilledEventTypeID;
-  const pickerIsEmpty = current.length === 0;
-
-  if (expected) {
-    if (pickerIsEmpty || pickerStillReflectsLastSuggestion) {
-      eventTypePicker.setIDs([expected]);
-      lastAutoFilledEventTypeID = expected;
+  if (!head) {
+    if (ruleMode === "auto") {
+      const rule = currentAutoRule();
+      if (rule) head = formatRuleLabel(rule);
+    } else {
+      const customInput = document.getElementById("deadline-rule-custom-input") as HTMLInputElement | null;
+      const txt = customInput?.value.trim() || "";
+      if (txt) head = txt;
     }
-  } else if (pickerStillReflectsLastSuggestion) {
-    // New rule has no canonical event_type — clear the stale auto-fill
-    // so the picker doesn't carry a chip from the old rule.
-    eventTypePicker.setIDs([]);
-    lastAutoFilledEventTypeID = null;
   }
-  refreshRuleView();
-}
+  if (!head && project?.proceeding_type_id) {
+    const pt = proceedingTypesByID.get(project.proceeding_type_id);
+    if (pt) head = proceedingLabel(pt);
+  }
+  if (!head) {
+    head = t("deadlines.field.title.default_fallback");
+  }
 
-function initBackLinks() {
-  if (preselectedProjectID) {
-    const back = document.getElementById("deadline-new-back") as HTMLAnchorElement;
-    const cancel = document.getElementById("deadline-new-cancel") as HTMLAnchorElement;
-    back.href = `/projects/${preselectedProjectID}/deadlines`;
-    cancel.href = `/projects/${preselectedProjectID}/deadlines`;
+  const ref = project?.reference?.trim() || "";
+  if (ref && !head.includes(ref)) {
+    return `${head} — ${ref}`;
   }
+  return head;
 }
 
 async function submitForm(e: Event) {
@@ -217,7 +283,6 @@ async function submitForm(e: Event) {
   const projectID = (document.getElementById("deadline-project") as HTMLSelectElement).value;
   const title = (document.getElementById("deadline-title") as HTMLInputElement).value.trim();
   const due = (document.getElementById("deadline-due") as HTMLInputElement).value;
-  const ruleID = (document.getElementById("deadline-rule") as HTMLSelectElement).value;
   const notes = (document.getElementById("deadline-notes") as HTMLTextAreaElement).value.trim();
 
   if (!projectID || !title || !due) {
@@ -234,7 +299,15 @@ async function submitForm(e: Event) {
     due_date: due,
     source: "manual",
   };
-  if (ruleID) payload.rule_id = ruleID;
+  // Rule field: Auto resolves to rule_id, Custom sends the free text.
+  if (ruleMode === "auto") {
+    const rule = currentAutoRule();
+    if (rule) payload.rule_id = rule.id;
+  } else {
+    const customInput = document.getElementById("deadline-rule-custom-input") as HTMLInputElement | null;
+    const txt = customInput?.value.trim() || "";
+    if (txt) payload.custom_rule_text = txt;
+  }
   if (notes) payload.notes = notes;
   const eventTypeIDs = eventTypePicker?.getIDs() ?? [];
   if (eventTypeIDs.length > 0) payload.event_type_ids = eventTypeIDs;
@@ -252,8 +325,8 @@ async function submitForm(e: Event) {
       return;
     }
     const created = await resp.json();
-    if (preselectedProjectID) {
-      window.location.href = `/projects/${preselectedProjectID}/deadlines`;
+    if (preselectedProjectIDLocal) {
+      window.location.href = `/projects/${preselectedProjectIDLocal}/deadlines`;
     } else {
       window.location.href = `/deadlines/${created.id}`;
     }
@@ -275,6 +348,16 @@ function detectPreselect() {
   if (fromQuery) preselectedProjectID = fromQuery;
 }
 
+function initBackLinks() {
+  if (preselectedProjectID) {
+    const back = document.getElementById("deadline-new-back") as HTMLAnchorElement;
+    const cancel = document.getElementById("deadline-new-cancel") as HTMLAnchorElement;
+    back.href = `/projects/${preselectedProjectID}/deadlines`;
+    cancel.href = `/projects/${preselectedProjectID}/deadlines`;
+  }
+  preselectedProjectIDLocal = preselectedProjectID;
+}
+
 async function loadMe() {
   try {
     const resp = await fetch("/api/me");
@@ -288,8 +371,6 @@ async function loadMe() {
 
 // t-paliad-154 — fetch the effective approval policy for (project,
 // deadline, create) and reveal the form-time hint when it applies.
-// Hidden when no policy applies. Re-runs on project change so the hint
-// updates if the user picks a different project mid-form.
 async function refreshApprovalHint(): Promise<void> {
   const hint = document.getElementById("deadline-approval-hint");
   const text = document.getElementById("deadline-approval-hint-text");
@@ -308,7 +389,6 @@ async function refreshApprovalHint(): Promise<void> {
       hint.style.display = "none";
       return;
     }
-    // t-paliad-160 split-grammar (with M1 legacy fallback).
     const eff = await resp.json() as {
       requires_approval?: boolean;
       min_role?: string | null;
@@ -343,44 +423,51 @@ document.addEventListener("DOMContentLoaded", async () => {
   // Default due to today
   const dueInput = document.getElementById("deadline-due") as HTMLInputElement;
   if (!dueInput.value) dueInput.value = new Date().toISOString().split("T")[0];
-  await Promise.all([loadProjects(), loadRules(), loadMe()]);
+
+  await Promise.all([loadProjects(), loadProceedingTypes(), loadRules(), loadMe()]);
+
   const pickerHost = document.getElementById("deadline-event-types");
   if (pickerHost) {
     eventTypePicker = attachEventTypePicker(pickerHost, {
       currentUserAdmin,
-      onChange: () => refreshRuleView(),
+      onChange: () => {
+        // Type change shifts which Auto rule resolves; re-render the
+        // read-only Auto display panel.
+        refreshRuleAutoDisplay();
+      },
     });
   }
-  // t-paliad-165 follow-up — preload event_types so the collapsed
-  // summary can render the type's label inline without an extra round
-  // trip when the user picks a Regel.
+
+  // Preload event_types for the Auto display + Standardtitel resolver.
   fetchEventTypes()
     .then((types) => {
       eventTypesByID = new Map(types.map((et) => [et.id, et]));
-      refreshRuleView();
+      refreshRuleAutoDisplay();
     })
-    .catch(() => {/* non-fatal — collapsed view falls back to empty label */});
-  // t-paliad-165 — Regel change auto-fills the Typ chip from the rule's
-  // concept's canonical event_type, when the picker hasn't been
-  // manually edited away from the previous rule's suggestion.
-  document.getElementById("deadline-rule")?.addEventListener("change", () => {
-    applyRuleAutoFill();
+    .catch(() => {/* non-fatal */});
+
+  // Rule mode toggle.
+  document.getElementById("deadline-rule-mode-toggle")?.addEventListener("click", () => {
+    setRuleMode(ruleMode === "auto" ? "custom" : "auto");
   });
-  // "Anderen Typ wählen" — sticky expanded mode so the picker stays
-  // visible even when the chip still matches the rule's default.
-  document.getElementById("deadline-event-type-override-btn")?.addEventListener("click", () => {
-    expandedOverride = true;
-    refreshRuleView();
-    // Move focus into the picker's search box so the user can type
-    // immediately without an extra click.
-    const search = document.querySelector<HTMLInputElement>(
-      "#deadline-event-types .event-type-search",
-    );
-    search?.focus();
-  });
-  // Wire approval-hint refresh: on first render + on project change.
+
+  applyRuleModeUI();
+
+  // Approval-hint refresh: on first render + on project change.
   void refreshApprovalHint();
   document.getElementById("deadline-project")?.addEventListener("change", () => {
     void refreshApprovalHint();
+    // Project change can shift which Auto rule resolves (via the
+    // project's proceeding_type_id).
+    refreshRuleAutoDisplay();
+  });
+
+  // t-paliad-251 Part 4 — Standardtitel button.
+  document.getElementById("deadline-title-default-btn")?.addEventListener("click", () => {
+    const titleInput = document.getElementById("deadline-title") as HTMLInputElement | null;
+    if (!titleInput) return;
+    const derived = computeDefaultTitle();
+    if (derived) titleInput.value = derived;
+    titleInput.focus();
   });
 });

frontend/src/client/event-types.ts

@@ -686,6 +686,33 @@ export function openBrowseEventTypesModal(
   return new Promise<string[] | null>((resolve) => {
     let selected = new Set<string>(opts.initialIDs);
     let searchQuery = "";
+    // t-paliad-251 — court-type filter chips. `null` = "Alle" (any
+    // jurisdiction). Any non-null value matches event_types.jurisdiction;
+    // "any" is mapped to NULL/missing rows via jurisdictionMatches().
+    let activeJurisdiction: string | null = null;
+
+    // Surface every jurisdiction present in the data — "any" stays bucketed
+    // separately so users still have a "show generic-only" chip. EPA is
+    // canonicalised to EPO in event_types (see mig 074); the chip label
+    // shows EPA to match the legal vocabulary the lawyers use.
+    const jurisdictionsPresent = new Set<string>();
+    for (const et of opts.types) {
+      const j = (et.jurisdiction ?? "").trim();
+      if (j) jurisdictionsPresent.add(j);
+    }
+    const JURISDICTION_ORDER = ["UPC", "EPO", "DPMA", "DE", "any"];
+    const chipJurisdictions = JURISDICTION_ORDER.filter((j) => jurisdictionsPresent.has(j));
+    // Any jurisdiction in the data that isn't in our ordered list lands at
+    // the end so the chip row never silently drops a court flavour.
+    for (const j of jurisdictionsPresent) {
+      if (!chipJurisdictions.includes(j)) chipJurisdictions.push(j);
+    }
+
+    function chipLabel(j: string): string {
+      if (j === "EPO") return "EPA";
+      if (j === "any") return t("event_types.browse.jurisdiction.none");
+      return j;
+    }
 
     const overlay = document.createElement("div");
     overlay.className = "modal-overlay event-type-browse-overlay";
@@ -694,6 +721,15 @@ export function openBrowseEventTypesModal(
         <div class="event-type-browse-header">
           <h2 id="event-type-browse-title">${esc(t("event_types.browse.title"))}</h2>
           <input type="text" class="event-type-browse-search" data-role="search" placeholder="${esc(t("event_types.browse.search"))}" autocomplete="off" />
+          <div class="event-type-browse-chips" data-role="chips" role="group" aria-label="${esc(t("event_types.browse.jurisdiction.filter_label"))}">
+            <button type="button" class="event-type-browse-chip event-type-browse-chip--active" data-jurisdiction="" data-role="chip-all">${esc(t("event_types.browse.jurisdiction.all"))}</button>
+            ${chipJurisdictions
+              .map(
+                (j) =>
+                  `<button type="button" class="event-type-browse-chip" data-jurisdiction="${esc(j)}">${esc(chipLabel(j))}</button>`,
+              )
+              .join("")}
+          </div>
         </div>
         <div class="event-type-browse-list" data-role="list" tabindex="-1"></div>
         <div class="event-type-browse-actions">
@@ -711,6 +747,7 @@ export function openBrowseEventTypesModal(
     const countEl = overlay.querySelector<HTMLElement>("[data-role=count]")!;
     const cancelBtn = overlay.querySelector<HTMLButtonElement>("[data-role=cancel]")!;
     const applyBtn = overlay.querySelector<HTMLButtonElement>("[data-role=apply]")!;
+    const chipButtons = overlay.querySelectorAll<HTMLButtonElement>(".event-type-browse-chip");
 
     const groups = groupByCategory(opts.types);
 
@@ -721,6 +758,12 @@ export function openBrowseEventTypesModal(
       return j;
     }
 
+    function jurisdictionMatches(et: EventType): boolean {
+      if (activeJurisdiction === null) return true;
+      const j = (et.jurisdiction ?? "").trim();
+      return j === activeJurisdiction;
+    }
+
     function updateCount() {
       countEl.textContent = t("event_types.browse.selected_count").replace(
         "{n}",
@@ -731,6 +774,7 @@ export function openBrowseEventTypesModal(
     function renderList() {
       const q = searchQuery.trim().toLowerCase();
       const matches = (et: EventType) => {
+        if (!jurisdictionMatches(et)) return false;
         if (!q) return true;
         return (
           et.label_de.toLowerCase().includes(q) ||
@@ -783,6 +827,16 @@ export function openBrowseEventTypesModal(
       renderList();
     });
 
+    chipButtons.forEach((btn) => {
+      btn.addEventListener("click", () => {
+        const raw = btn.dataset.jurisdiction ?? "";
+        activeJurisdiction = raw === "" ? null : raw;
+        chipButtons.forEach((b) => b.classList.remove("event-type-browse-chip--active"));
+        btn.classList.add("event-type-browse-chip--active");
+        renderList();
+      });
+    });
+
     function close(value: string[] | null) {
       document.removeEventListener("keydown", onKey);
       overlay.remove();

frontend/src/client/events.ts

@@ -9,6 +9,7 @@ import {
 } from "./event-types";
 import { projectIndent } from "./project-indent";
 import { mountCalendar, type CalendarHandle, type CalendarItem } from "./calendar/mount-calendar";
+import { formatRuleLabelHTML, formatCustomRuleLabelHTML } from "./rule-label";
 
 // Two-eyes glyph 👀 inside .approval-pill--icon. m's 2026-05-08 follow-
 // up: "two eyes instead of the one." Emoji rather than SVG keeps the
@@ -66,6 +67,9 @@ interface EventListItem {
   rule_code?: string;
   rule_name?: string;
   rule_name_en?: string;
+  // t-paliad-258 — free-text rule label when the deadline was created
+  // via the Custom rule path. Mutually exclusive with rule_id.
+  custom_rule_text?: string;
   event_type_ids?: string[];
 
   // appointment-only
@@ -264,13 +268,26 @@ function urgencyClass(item: EventListItem): string {
 
 function ruleDisplay(item: EventListItem): string {
   if (item.type !== "deadline") return "";
-  // Prefer the saved citation (RoP.023, R.151) over the rule name —
-  // REGEL is meant for the legal reference, not the rule's display
-  // name (which is the title column's job).
-  if (item.rule_code && item.rule_code.trim()) return esc(item.rule_code);
-  const lang = getLang();
-  const localized = lang === "en" ? item.rule_name_en : item.rule_name;
-  if (localized && localized.trim()) return esc(localized);
+  // t-paliad-258 addendum — canonical display contract: Name primary,
+  // Citation muted secondary ("Notice of Appeal · UPC.RoP.220.1").
+  // Custom rules render the lawyer's free text + a "Custom" badge.
+  // Legacy rule-code-only saves (Fristenrechner, no rule_id) still
+  // show the bare citation as last-resort fallback.
+  const hasName = (item.rule_name && item.rule_name.trim()) ||
+    (item.rule_name_en && item.rule_name_en.trim());
+  if (hasName || (item.rule_code && item.rule_code.trim())) {
+    return formatRuleLabelHTML(
+      {
+        name: item.rule_name || "",
+        name_en: item.rule_name_en,
+        rule_code: item.rule_code,
+      },
+      esc,
+    );
+  }
+  if (item.custom_rule_text && item.custom_rule_text.trim()) {
+    return formatCustomRuleLabelHTML(item.custom_rule_text, esc);
+  }
   return "—";
 }
 

frontend/src/client/filter-bar/axes.ts

@@ -12,7 +12,13 @@
 // New classes are scoped under .filter-bar-* so they don't bleed.
 
 import { t, tDyn, type I18nKey } from "../i18n";
-import type { BarState, AxisKey } from "./types";
+import { mountDateRangePicker } from "../date-range-picker";
+import {
+  ALL_HORIZONS as DRP_ALL_HORIZONS,
+  type TimeHorizon as DRPTimeHorizon,
+  type TimeSpec as DRPTimeSpec,
+} from "../date-range-picker-pure";
+import type { BarState, AxisKey, InboxFocus } from "./types";
 
 export interface AxisCtx {
   // Read the current value for this axis.
@@ -47,6 +53,8 @@ export function renderAxis(axis: AxisKey, ctx: AxisCtx, opts?: RenderAxisOpts):
     case "shape":                 return renderShapeAxis(ctx);
     case "density":               return renderDensityAxis(ctx);
     case "sort":                  return renderSortAxis(ctx);
+    case "unread_only":           return renderUnreadOnlyAxis(ctx);
+    case "inbox_focus":           return renderInboxFocusAxis(ctx);
 
     // Per-source predicates that need their own widgets and a roundtrip
     // through fetched option lists. Phase 2+ will fill these in by
@@ -57,60 +65,66 @@ export function renderAxis(axis: AxisKey, ctx: AxisCtx, opts?: RenderAxisOpts):
 }
 
 // ----------------------------------------------------------------------
-// time — chip cluster (presets + Anpassen)
+// time — symmetric date-range picker (t-paliad-248, replaces the t-163
+// chip-cluster + disabled Anpassen stub). The picker emits a TimeSpec
+// (horizon + optional custom from/to); the bar patches that onto
+// BarState.time directly.
 // ----------------------------------------------------------------------
 
 type TimeHorizonValue = NonNullable<BarState["time"]>["horizon"];
 
-const TIME_PRESET_LABELS: Record<TimeHorizonValue, I18nKey> = {
-  next_7d:  "views.bar.time.next_7d",
-  next_30d: "views.bar.time.next_30d",
-  next_90d: "views.bar.time.next_90d",
-  past_7d:  "views.bar.time.past_7d",
-  past_30d: "views.bar.time.past_30d",
-  past_90d: "views.bar.time.past_90d",
-  any:      "views.bar.time.any",
-  all:      "views.bar.time.all",
-  custom:   "views.bar.time.custom",
-};
-
+// Default chip set when the surface doesn't override. Mirrors m's
+// 3-column picker spec (t-paliad-278): symmetric 7d/30d/90d/all fan
+// per side, plus Heute (next_1d) + Alles (any) in the centre column,
+// plus Anpassen. Surfaces with a tighter scope (project history is
+// past-only) keep overriding via `timePresets`.
 const DEFAULT_TIME_PRESETS: TimeHorizonValue[] = [
-  "next_7d", "next_30d", "next_90d", "past_30d", "any",
+  "past_7d", "past_30d", "past_90d", "past_all",
+  "next_1d", "any",
+  "next_7d", "next_30d", "next_90d", "next_all",
+  "custom",
 ];
 
 function renderTimeAxis(ctx: AxisCtx, presetOverride?: TimeHorizonValue[]): HTMLElement {
   const wrap = group("views.bar.label.time");
-  const row = chipRow();
-  const presets = presetOverride && presetOverride.length ? presetOverride : DEFAULT_TIME_PRESETS;
-  // "any" / "all" are both unbounded — clearing state is the cleanest
-  // representation, so each maps to "no overlay" rather than a stored
-  // horizon. The chip's active state then keys off "no time set".
-  const current = ctx.get("time")?.horizon ?? "any";
-  for (const preset of presets) {
-    if (preset === "custom") continue; // custom rendered separately below
-    const isUnbounded = preset === "any" || preset === "all";
-    const isActive = isUnbounded
-      ? !ctx.get("time")
-      : preset === current;
-    const chip = chipBtn(t(TIME_PRESET_LABELS[preset]), isActive);
-    chip.addEventListener("click", () => {
-      if (isUnbounded) {
+  const presetSource = presetOverride && presetOverride.length ? presetOverride : DEFAULT_TIME_PRESETS;
+  // The picker's pure module owns the complete chip set; we narrow it
+  // here to whatever this surface declares (preserving the surface's
+  // chip order so timePresets remains the override knob it always was).
+  const presets: DRPTimeHorizon[] = presetSource.flatMap((p) =>
+    DRP_ALL_HORIZONS.includes(p as DRPTimeHorizon) ? [p as DRPTimeHorizon] : [],
+  );
+
+  const current = ctx.get("time");
+  const initialValue: DRPTimeSpec = current
+    ? { horizon: current.horizon as DRPTimeHorizon, from: current.from, to: current.to }
+    : { horizon: "any" };
+
+  const picker = mountDateRangePicker({
+    value: initialValue,
+    onChange(next) {
+      // The bar treats `any` as "no time overlay" (matches the legacy
+      // chip-cluster's behaviour) so the BarState stays minimal when
+      // the user lands on the centre ALLES button.
+      if (next.horizon === "any") {
         ctx.patch({ time: undefined });
-      } else {
-        ctx.patch({ time: { horizon: preset } });
+        return;
       }
-    });
-    row.appendChild(chip);
-  }
-  // Custom range — placeholder chip; opens a small popover with two
-  // <input type="date"> in Phase 2. For Phase 1 we render the chip
-  // disabled with a tooltip so the affordance is discoverable.
-  const customChip = chipBtn(t("views.bar.time.custom"), current === "custom");
-  customChip.classList.add("filter-bar-chip-pending");
-  customChip.title = t("views.bar.time.custom.coming_soon");
-  customChip.disabled = true;
-  row.appendChild(customChip);
-  wrap.appendChild(row);
+      ctx.patch({
+        time: {
+          horizon: next.horizon as TimeHorizonValue,
+          from: next.horizon === "custom" ? next.from : undefined,
+          to:   next.horizon === "custom" ? next.to   : undefined,
+        },
+      });
+    },
+    defaultHorizon: "any",
+    presets,
+    surface: "filter-bar.time",
+    labelPrefix: t("views.bar.label.time"),
+  });
+
+  wrap.appendChild(picker.element);
   return wrap;
 }
 
@@ -484,6 +498,56 @@ function renderSortAxis(ctx: AxisCtx): HTMLElement {
   return wrap;
 }
 
+// ----------------------------------------------------------------------
+// unread_only — single binary chip (t-paliad-249, inbox only)
+// ----------------------------------------------------------------------
+
+function renderUnreadOnlyAxis(ctx: AxisCtx): HTMLElement {
+  const wrap = group("views.bar.label.unread_only");
+  const row = chipRow();
+  const isUnread = ctx.get("unread_only") !== false; // default on
+  const unreadChip = chipBtn(t("views.bar.unread_only.on"), isUnread);
+  unreadChip.addEventListener("click", () => ctx.patch({ unread_only: true }));
+  const allChip = chipBtn(t("views.bar.unread_only.off"), !isUnread);
+  allChip.addEventListener("click", () => ctx.patch({ unread_only: false }));
+  row.appendChild(unreadChip);
+  row.appendChild(allChip);
+  wrap.appendChild(row);
+  return wrap;
+}
+
+// ----------------------------------------------------------------------
+// inbox_focus — coarse 4-chip cluster (t-paliad-249, inbox only)
+//
+// Head's UX refinement #2 (2026-05-25): users pick "what to see" in
+// human terms, not abstract event-kind names. The overlay translates
+// the chip to a (Sources, ProjectEventPredicates.EventTypes,
+// ApprovalRequestPredicates.EntityTypes) triple at spec-resolve time
+// (see applyInboxFocusOverlay in url-codec.ts).
+// ----------------------------------------------------------------------
+
+const INBOX_FOCUS_CHIPS: Array<{ value: InboxFocus; key: I18nKey }> = [
+  { value: "alles",         key: "views.bar.inbox_focus.alles" },
+  { value: "genehmigungen", key: "views.bar.inbox_focus.genehmigungen" },
+  { value: "plus_termine",  key: "views.bar.inbox_focus.plus_termine" },
+  { value: "plus_fristen",  key: "views.bar.inbox_focus.plus_fristen" },
+];
+
+function renderInboxFocusAxis(ctx: AxisCtx): HTMLElement {
+  const wrap = group("views.bar.label.inbox_focus");
+  const row = chipRow();
+  const current: InboxFocus = ctx.get("inbox_focus") ?? "alles";
+  for (const f of INBOX_FOCUS_CHIPS) {
+    const chip = chipBtn(t(f.key), f.value === current);
+    chip.addEventListener("click", () => {
+      ctx.patch({ inbox_focus: f.value === "alles" ? undefined : f.value });
+    });
+    row.appendChild(chip);
+  }
+  wrap.appendChild(row);
+  return wrap;
+}
+
 // ----------------------------------------------------------------------
 // shared helpers — group + chip + row
 // ----------------------------------------------------------------------

frontend/src/client/filter-bar/compute-effective.test.ts

@@ -0,0 +1,126 @@
+// Unit tests for the FilterBar's computeEffective() overlay. These pin
+// the contract that any chip the user clicks ends up as a predicate the
+// server can see — the t-paliad-283 regression had four sources picking
+// up zero narrowing for /views/any because the bar's chip click didn't
+// produce a non-empty `filter.predicates` for that source.
+//
+// Run with `bun test`.
+
+import { test, expect, describe } from "bun:test";
+import { computeEffective } from "./index";
+import type { FilterSpec, RenderSpec } from "../views/types";
+import type { BarState } from "./types";
+
+// Mirrors paliad.user_views row {slug: "any"} — the saved Custom View
+// that triggered the t-paliad-283 regression report.
+const ANY_VIEW_FILTER: FilterSpec = {
+  version: 1,
+  sources: ["deadline", "appointment", "project_event", "approval_request"],
+  scope: { projects: { mode: "all_visible" } },
+  time: { field: "auto", horizon: "past_30d" },
+};
+
+const ANY_VIEW_RENDER: RenderSpec = {
+  shape: "list",
+  list: { sort: "date_asc", density: "comfortable" },
+};
+
+describe("filter-bar/computeEffective — /views/any (all 4 sources)", () => {
+  test("empty state leaves base spec intact (no overlays)", () => {
+    const eff = computeEffective(ANY_VIEW_FILTER, ANY_VIEW_RENDER, {});
+    expect(eff.filter.sources).toEqual([
+      "deadline", "appointment", "project_event", "approval_request",
+    ]);
+    expect(eff.filter.time).toEqual({ field: "auto", horizon: "past_30d" });
+    // predicates may be {} (the bar zero-fills it) but never carries a
+    // stray narrowing on any source — that would silently filter
+    // results the user never asked to filter.
+    for (const src of ANY_VIEW_FILTER.sources) {
+      expect(eff.filter.predicates?.[src]).toBeUndefined();
+    }
+  });
+
+  test("deadline_status chip narrows deadline predicate", () => {
+    const state: BarState = { deadline_status: ["pending"] };
+    const eff = computeEffective(ANY_VIEW_FILTER, ANY_VIEW_RENDER, state);
+    expect(eff.filter.predicates?.deadline?.status).toEqual(["pending"]);
+  });
+
+  test("appointment_type chip narrows appointment predicate", () => {
+    const state: BarState = { appointment_type: ["hearing"] };
+    const eff = computeEffective(ANY_VIEW_FILTER, ANY_VIEW_RENDER, state);
+    expect(eff.filter.predicates?.appointment?.appointment_types).toEqual(["hearing"]);
+  });
+
+  test("approval_viewer_role chip narrows approval predicate", () => {
+    const state: BarState = { approval_viewer_role: "any_visible" };
+    const eff = computeEffective(ANY_VIEW_FILTER, ANY_VIEW_RENDER, state);
+    expect(eff.filter.predicates?.approval_request?.viewer_role).toBe("any_visible");
+  });
+
+  test("approval_status chip narrows approval predicate", () => {
+    const state: BarState = { approval_status: ["pending", "approved"] };
+    const eff = computeEffective(ANY_VIEW_FILTER, ANY_VIEW_RENDER, state);
+    expect(eff.filter.predicates?.approval_request?.status).toEqual(["pending", "approved"]);
+  });
+
+  test("approval_entity_type chip narrows approval predicate", () => {
+    const state: BarState = { approval_entity_type: ["deadline"] };
+    const eff = computeEffective(ANY_VIEW_FILTER, ANY_VIEW_RENDER, state);
+    expect(eff.filter.predicates?.approval_request?.entity_types).toEqual(["deadline"]);
+  });
+
+  test("project_event_kind chip narrows project_event predicate", () => {
+    const state: BarState = { project_event_kind: ["deadline_created"] };
+    const eff = computeEffective(ANY_VIEW_FILTER, ANY_VIEW_RENDER, state);
+    expect(eff.filter.predicates?.project_event?.event_types).toEqual(["deadline_created"]);
+  });
+
+  test("time chip overrides base horizon", () => {
+    const state: BarState = { time: { horizon: "past_7d" } };
+    const eff = computeEffective(ANY_VIEW_FILTER, ANY_VIEW_RENDER, state);
+    expect(eff.filter.time.horizon).toBe("past_7d");
+    expect(eff.filter.time.field).toBe("auto"); // preserved from base
+  });
+
+  test("personal_only chip flips scope flag", () => {
+    const state: BarState = { personal_only: true };
+    const eff = computeEffective(ANY_VIEW_FILTER, ANY_VIEW_RENDER, state);
+    expect(eff.filter.scope.personal_only).toBe(true);
+  });
+
+  test("multiple chips combine into the same effective spec", () => {
+    const state: BarState = {
+      time: { horizon: "past_7d" },
+      deadline_status: ["pending"],
+      appointment_type: ["hearing"],
+      approval_status: ["pending"],
+      project_event_kind: ["deadline_created"],
+    };
+    const eff = computeEffective(ANY_VIEW_FILTER, ANY_VIEW_RENDER, state);
+    expect(eff.filter.time.horizon).toBe("past_7d");
+    expect(eff.filter.predicates?.deadline?.status).toEqual(["pending"]);
+    expect(eff.filter.predicates?.appointment?.appointment_types).toEqual(["hearing"]);
+    expect(eff.filter.predicates?.approval_request?.status).toEqual(["pending"]);
+    expect(eff.filter.predicates?.project_event?.event_types).toEqual(["deadline_created"]);
+  });
+
+  test("overlay does not mutate the caller's base filter", () => {
+    const base: FilterSpec = JSON.parse(JSON.stringify(ANY_VIEW_FILTER));
+    const state: BarState = { deadline_status: ["pending"], time: { horizon: "past_7d" } };
+    computeEffective(base, ANY_VIEW_RENDER, state);
+    // The bar deep-clones; the base must come back unchanged so a
+    // second click doesn't compound the previous click's overlay.
+    expect(base).toEqual(ANY_VIEW_FILTER);
+  });
+
+  test("inbox-only axes do not affect a /views/any spec (no inbox axis exposed)", () => {
+    // /views/any's axes don't include unread_only or inbox_focus, so
+    // those keys never appear in state. Verify that even if they did,
+    // the bar's overlay doesn't silently mutate sources or predicates
+    // in a way that would break a 4-source Custom View.
+    const eff = computeEffective(ANY_VIEW_FILTER, ANY_VIEW_RENDER, {});
+    expect(eff.filter.sources).toHaveLength(4);
+    expect(eff.filter.unread_only ?? false).toBe(false);
+  });
+});

frontend/src/client/filter-bar/index.ts

@@ -333,9 +333,65 @@ export function computeEffective(
     render.list = { ...(render.list ?? {}), density: state.density };
   }
 
+  // Inbox overlays (t-paliad-249).
+  //
+  // unread_only is a top-level FilterSpec field; the server resolves
+  // the actual cursor at run-time. Default-on for the inbox surface is
+  // baked into the base spec — but we ALSO need to write `true` here
+  // when the user explicitly picks the chip so the server doesn't
+  // confuse "user wants unread" with "user wants no filter".
+  if (state.unread_only !== undefined) {
+    filter.unread_only = state.unread_only;
+  }
+
+  // inbox_focus is a coarse axis that overlays Sources + a few
+  // per-source predicates. Translate here so the server sees a clean
+  // spec; the validator + RunSpec don't need to know about the chip.
+  if (state.inbox_focus && state.inbox_focus !== "alles") {
+    applyInboxFocusOverlay(filter, state.inbox_focus);
+  }
+
   return { filter, render };
 }
 
+// applyInboxFocusOverlay narrows the spec to the chip's intent.
+// Mutates `filter` in place. Called only when state.inbox_focus is
+// set to a non-default value.
+//
+// Contract:
+//   - "genehmigungen"  → drop project_event from sources entirely.
+//   - "plus_termine"   → keep both sources; narrow project_event to
+//                        appointment_* kinds; narrow approval_request
+//                        entity_types to ["appointment"].
+//   - "plus_fristen"   → keep both sources; narrow project_event to
+//                        deadline_* kinds; narrow approval_request
+//                        entity_types to ["deadline"].
+function applyInboxFocusOverlay(filter: FilterSpec, focus: Exclude<NonNullable<BarState["inbox_focus"]>, "alles">): void {
+  filter.predicates = filter.predicates ?? {};
+  if (focus === "genehmigungen") {
+    filter.sources = filter.sources.filter((s) => s !== "project_event");
+    delete filter.predicates.project_event;
+    return;
+  }
+  const kindPrefix = focus === "plus_fristen" ? "deadline_" : "appointment_";
+  const entity = focus === "plus_fristen" ? "deadline" : "appointment";
+
+  if (filter.sources.includes("project_event")) {
+    const baseKinds = filter.predicates.project_event?.event_types ?? [];
+    const narrowed = baseKinds.filter((k) => k.startsWith(kindPrefix));
+    filter.predicates.project_event = {
+      ...(filter.predicates.project_event ?? {}),
+      event_types: narrowed,
+    };
+  }
+  if (filter.sources.includes("approval_request")) {
+    filter.predicates.approval_request = {
+      ...(filter.predicates.approval_request ?? {}),
+      entity_types: [entity],
+    };
+  }
+}
+
 // isDirty — used to enable the Reset button only when there's something
 // to reset to.
 function isDirty(state: BarState): boolean {

frontend/src/client/filter-bar/types.ts

@@ -25,7 +25,17 @@ export type AxisKey =
   | "timeline_track"
   | "shape"
   | "sort"
-  | "density";
+  | "density"
+  // Inbox-only (t-paliad-249): unread/all toggle + coarse focus chip
+  // (Alles / Genehmigungen / +Termine / +Fristen). The focus chip
+  // overlays Sources + per-source predicates at resolve-time.
+  | "unread_only"
+  | "inbox_focus";
+
+// Inbox focus chip values. "alles" is the default — both sources, full
+// curated kinds. Other values narrow at the bar's resolve step. See
+// applyInboxFocusOverlay() in url-codec.ts for the spec rewrite.
+export type InboxFocus = "alles" | "genehmigungen" | "plus_termine" | "plus_fristen";
 
 // Effective spec — the result of overlaying URL + localStorage prefs
 // on top of the base spec. Handed back to onResult so the surface can
@@ -62,10 +72,20 @@ export interface BarState {
   shape?: RenderShape;
   sort?: "date_asc" | "date_desc";
   density?: "comfortable" | "compact";
+
+  // Inbox (t-paliad-249)
+  unread_only?: boolean;
+  inbox_focus?: InboxFocus;
 }
 
 export interface TimeOverlay {
-  horizon: "next_7d" | "next_30d" | "next_90d" | "past_7d" | "past_30d" | "past_90d" | "any" | "all" | "custom";
+  // Mirrors internal/services/filter_spec.go TimeHorizon. t-paliad-248
+  // added the symmetric 1d / 14d / all chips on each side; the union
+  // here is the wire-shape the URL codec parses and the picker emits.
+  horizon:
+    | "next_1d" | "next_7d" | "next_14d" | "next_30d" | "next_90d" | "next_all"
+    | "past_1d" | "past_7d" | "past_14d" | "past_30d" | "past_90d" | "past_all"
+    | "any" | "all" | "custom";
   from?: string; // ISO 8601 — only when horizon === "custom"
   to?: string;
 }

frontend/src/client/filter-bar/url-codec.test.ts

@@ -18,7 +18,12 @@ describe("filter-bar/url-codec", () => {
   });
 
   test("time horizon round-trips", () => {
-    for (const h of ["next_7d", "next_30d", "next_90d", "past_30d", "past_90d", "any", "all"] as const) {
+    // Includes the t-paliad-248 symmetric additions (1d / 14d / all on each side).
+    for (const h of [
+      "next_1d", "next_7d", "next_14d", "next_30d", "next_90d", "next_all",
+      "past_1d", "past_7d", "past_14d", "past_30d", "past_90d", "past_all",
+      "any", "all",
+    ] as const) {
       expect(roundTrip({ time: { horizon: h } })).toEqual({ time: { horizon: h } });
     }
   });
@@ -99,4 +104,28 @@ describe("filter-bar/url-codec", () => {
     params.set("density", "huge");
     expect(parseBar(params)).toEqual({});
   });
+
+  // t-paliad-249 — inbox axes
+  test("unread_only round-trips both states", () => {
+    expect(roundTrip({ unread_only: true })).toEqual({ unread_only: true });
+    expect(roundTrip({ unread_only: false })).toEqual({ unread_only: false });
+  });
+
+  test("unread_only undefined stays out of the URL", () => {
+    const params = new URLSearchParams();
+    encodeBar({}, params);
+    expect(params.has("unread")).toBe(false);
+  });
+
+  test("inbox_focus round-trips for non-default values", () => {
+    for (const f of ["genehmigungen", "plus_termine", "plus_fristen"] as const) {
+      expect(roundTrip({ inbox_focus: f })).toEqual({ inbox_focus: f });
+    }
+  });
+
+  test("inbox_focus alles is omitted (it's the default)", () => {
+    const params = new URLSearchParams();
+    encodeBar({ inbox_focus: "alles" }, params);
+    expect(params.has("focus")).toBe(false);
+  });
 });

frontend/src/client/filter-bar/url-codec.ts

@@ -9,7 +9,7 @@
 // Empty / default values are NOT written — the URL stays clean for
 // users who don't tweak. The page's base spec is the implicit baseline.
 
-import type { BarState, TimeOverlay, ProjectOverlay } from "./types";
+import type { BarState, TimeOverlay, ProjectOverlay, InboxFocus } from "./types";
 
 const PERSONAL_PROJECT_SENTINEL = "personal";
 
@@ -108,6 +108,16 @@ export function parseBar(params: URLSearchParams, ns?: string): BarState {
   const density = params.get(k("density"));
   if (density === "comfortable" || density === "compact") out.density = density;
 
+  // inbox (t-paliad-249)
+  const unread = params.get(k("unread"));
+  if (unread === "0") out.unread_only = false;
+  else if (unread === "1") out.unread_only = true;
+
+  const focus = params.get(k("focus"));
+  if (focus === "genehmigungen" || focus === "plus_termine" || focus === "plus_fristen" || focus === "alles") {
+    out.inbox_focus = focus as InboxFocus;
+  }
+
   return out;
 }
 
@@ -127,6 +137,7 @@ export function encodeBar(state: BarState, params: URLSearchParams, ns?: string)
     "pe_kind",
     "tl_status", "tl_track",
     "shape", "sort", "density",
+    "unread", "focus",
   ]) {
     params.delete(k(key));
   }
@@ -168,16 +179,31 @@ export function encodeBar(state: BarState, params: URLSearchParams, ns?: string)
   if (state.shape) params.set(k("shape"), state.shape);
   if (state.sort) params.set(k("sort"), state.sort);
   if (state.density) params.set(k("density"), state.density);
+
+  // inbox (t-paliad-249). unread_only is tri-state in BarState (undefined
+  // means "page default"); we only write a key when the user has flipped
+  // it explicitly so the URL stays clean for the default landing state.
+  if (state.unread_only === false) params.set(k("unread"), "0");
+  else if (state.unread_only === true) params.set(k("unread"), "1");
+  if (state.inbox_focus && state.inbox_focus !== "alles") {
+    params.set(k("focus"), state.inbox_focus);
+  }
 }
 
 function parseHorizon(s: string): TimeOverlay["horizon"] | null {
   switch (s) {
+    case "next_1d":
     case "next_7d":
+    case "next_14d":
     case "next_30d":
     case "next_90d":
+    case "next_all":
+    case "past_1d":
     case "past_7d":
+    case "past_14d":
     case "past_30d":
     case "past_90d":
+    case "past_all":
     case "any":
     case "all":
     case "custom":

frontend/src/client/fristenrechner.ts

@@ -24,6 +24,12 @@ import {
   renderTimelineBody,
   wireDateEditClicks,
 } from "./views/verfahrensablauf-core";
+import {
+  attachEventCardChoices,
+  reseedChips,
+  type EventChoice,
+  type ChoiceKind,
+} from "./views/event-card-choices";
 
 let lastResponse: DeadlineResponse | null = null;
 
@@ -162,6 +168,13 @@ async function calculate() {
     ? courtPicker.value
     : "";
 
+  // t-paliad-265 — when project-bound, the server pulls per-card
+  // choices from paliad.project_event_choices. The frontend has
+  // already pre-fetched them into perCardChoicesCache so chip
+  // indicators repaint in step with the calc; sending projectId here
+  // is the persistence path.
+  const projectIdForCalc = currentStep1Context.kind === "project" ? currentStep1Context.projectId : "";
+
   const data = await calculateDeadlines({
     proceedingType: selectedType,
     triggerDate,
@@ -169,6 +182,7 @@ async function calculate() {
     flags,
     anchorOverrides: overrides,
     courtId,
+    projectId: projectIdForCalc || undefined,
   });
   if (seq !== procCalcSeq) return;
   if (!data) return;
@@ -429,11 +443,20 @@ function renderProcedureResults(data: DeadlineResponse) {
     <span class="timeline-trigger-date">${t("deadlines.trigger.label")}: ${formatDate(data.triggerDate)}</span>
   </div>`;
 
+  // Pass the chip-strip perspective through as `side` so the column
+  // bucketer keeps the user's own party on the left (Unsere Seite) —
+  // t-paliad-257: the old Proaktiv/Reaktiv labels lied when the user
+  // was on the defendant side, the new labels demand we route the
+  // user's party into the `ours` column.
   const bodyHtml = procedureView === "columns"
-    ? renderColumnsBody(data, { editable: true, showNotes })
+    ? renderColumnsBody(data, { editable: true, showNotes, side: currentPerspective })
     : renderTimelineBody(data, { showParty: true, editable: true, showNotes });
 
   container.innerHTML = headerHtml + bodyHtml;
+  // t-paliad-265: rehydrate per-event-card chip indicators after the
+  // innerHTML rewrite. Safe to call before attachEventCardChoices() —
+  // it no-ops when no state was attached yet.
+  reseedChips(container);
   printBtn.style.display = "block";
   if (saveBtn) {
     // Ad-hoc explore-mode has no project to save against — show the
@@ -456,6 +479,49 @@ function renderProcedureResults(data: DeadlineResponse) {
   applyPendingFocus();
 }
 
+// initEventCardChoicesForFristenrechner attaches the per-event-card
+// popover to the timeline container. The fristenrechner page is the
+// project-bound surface: commits POST/DELETE to the persistence
+// endpoint; the next calculate() pulls the fresh state from the
+// server. (t-paliad-265)
+async function initEventCardChoicesForFristenrechner(container: HTMLElement): Promise<void> {
+  // Load the current persisted state for the project context, if any.
+  const initial: EventChoice[] = [];
+  if (currentStep1Context.kind === "project" && currentStep1Context.projectId) {
+    try {
+      const resp = await fetch(`/api/projects/${encodeURIComponent(currentStep1Context.projectId)}/event-choices`);
+      if (resp.ok) {
+        const rows = (await resp.json()) as EventChoice[];
+        for (const r of rows) initial.push(r);
+      }
+    } catch (e) {
+      console.error("event-choices: initial load failed", e);
+    }
+  }
+
+  attachEventCardChoices({
+    container,
+    initial,
+    commit: async (choice) => {
+      if (currentStep1Context.kind !== "project" || !currentStep1Context.projectId) return;
+      const resp = await fetch(`/api/projects/${encodeURIComponent(currentStep1Context.projectId)}/event-choices`, {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(choice),
+      });
+      if (!resp.ok) throw new Error(`event-choices PUT ${resp.status}`);
+      scheduleProcCalc(0);
+    },
+    remove: async (submissionCode, kind) => {
+      if (currentStep1Context.kind !== "project" || !currentStep1Context.projectId) return;
+      const url = `/api/projects/${encodeURIComponent(currentStep1Context.projectId)}/event-choices/${encodeURIComponent(submissionCode)}/${encodeURIComponent(kind)}`;
+      const resp = await fetch(url, { method: "DELETE" });
+      if (!resp.ok && resp.status !== 404) throw new Error(`event-choices DELETE ${resp.status}`);
+      scheduleProcCalc(0);
+    },
+  });
+}
+
 // onDateEditCommit is the click-to-edit callback handed to the shared
 // wireDateEditClicks() helper: persist the per-rule override (empty value
 // clears it) then recompute so downstream rules re-anchor.
@@ -643,6 +709,15 @@ document.addEventListener("DOMContentLoaded", () => {
   const timelineContainer = document.getElementById("timeline-container");
   if (timelineContainer) wireDateEditClicks(timelineContainer, onDateEditCommit);
 
+  // t-paliad-265 — per-event-card choices. Project-bound surface, so
+  // commits POST to /api/projects/{id}/event-choices. The popover
+  // module owns the popover; this page owns the recalc trigger. When
+  // there's no project context yet (Step 1 not picked), the popover
+  // still works but commits silently no-op (project_id missing).
+  if (timelineContainer) {
+    void initEventCardChoicesForFristenrechner(timelineContainer);
+  }
+
   // Reset button
   document.getElementById("reset-btn")!.addEventListener("click", reset);
 

frontend/src/client/i18n.ts

@@ -207,6 +207,7 @@ const translations: Record<Lang, Record<string, string>> = {
 
     "deadlines.step1": "Verfahrensart w\u00e4hlen",
     "deadlines.step2": "Ausgangsdatum eingeben",
+    "deadlines.step2.perspective": "Perspektive und Datum",
     "deadlines.step3": "Ergebnis",
     "deadlines.upc": "UPC",
     "deadlines.de": "Deutsche Gerichte",
@@ -253,6 +254,8 @@ const translations: Record<Lang, Record<string, string>> = {
     "deadlines.party.both.label": "beide Seiten",
     "deadlines.court.set": "vom Gericht bestimmt",
     "deadlines.court.indirect": "unbestimmt",
+    "deadlines.conditional.depends_on": "abhängig von {parent}",
+    "deadlines.conditional.unset": "abhängig von vorgelagertem Ereignis",
     "deadlines.optional.badge": "auf Antrag",
     "deadlines.priority.mandatory": "Pflicht",
     "deadlines.priority.recommended": "empfohlen",
@@ -302,10 +305,28 @@ const translations: Record<Lang, Record<string, string>> = {
     "deadlines.view.timeline": "Zeitstrahl",
     "deadlines.view.columns": "Spalten",
     "deadlines.notes.show": "Hinweise anzeigen",
-    "deadlines.col.proactive": "Proaktiv",
+    "deadlines.col.ours": "Unsere Seite",
     "deadlines.col.court": "Gericht",
-    "deadlines.col.reactive": "Reaktiv",
+    "deadlines.col.opponent": "Gegnerseite",
     "deadlines.col.both": "Beide Parteien",
+    // t-paliad-265 — per-event-card choice popover (Verfahrensablauf timeline)
+    "choices.caret.title": "Optionen für dieses Ereignis",
+    "choices.appellant.title": "Berufung durch …",
+    "choices.appellant.claimant": "Klägerseite",
+    "choices.appellant.defendant": "Beklagtenseite",
+    "choices.appellant.both": "beide Parteien",
+    "choices.appellant.none": "keine Berufung",
+    "choices.include_ccr.title": "Nichtigkeitswiderklage einbeziehen",
+    "choices.include_ccr.true": "Ja",
+    "choices.include_ccr.false": "Nein",
+    "choices.skip.title": "Für diese Akte überspringen",
+    "choices.skip.true": "Überspringen",
+    "choices.skip.false": "Einbeziehen",
+    "choices.skipped.chip": "übersprungen",
+    "choices.appellant.chip": "Berufung:",
+    "choices.include_ccr.chip": "mit Nichtigkeitswiderklage",
+    "choices.reset": "Auswahl zurücksetzen",
+    "choices.commit.error": "Konnte Auswahl nicht speichern",
     // Trigger-event mode (PR-2 \u2014 youpc-parity)
     "deadlines.mode.procedure": "Verfahrensablauf",
     "deadlines.mode.event": "Was kommt nach\u2026",
@@ -417,6 +438,16 @@ const translations: Record<Lang, Record<string, string>> = {
     "deadlines.perspective.defendant.title": "Beklagtenseite — versteckt typische Kläger-Schriftsätze",
     "deadlines.perspective.appeal_filed_by.label": "Berufung eingelegt durch:",
     "deadlines.perspective.predefined_hint": "vorgegeben durch Akte",
+    "deadlines.side.label": "Seite:",
+    "deadlines.side.claimant": "Klägerseite",
+    "deadlines.side.defendant": "Beklagtenseite",
+    "deadlines.side.both": "Beide",
+    "deadlines.side.from_project": "Aus Akte:",
+    "deadlines.side.override": "Andere Seite wählen",
+    "deadlines.appellant.label": "Berufung durch:",
+    "deadlines.appellant.claimant": "Klägerseite",
+    "deadlines.appellant.defendant": "Beklagtenseite",
+    "deadlines.appellant.none": "—",
     "deadlines.event.composite.label": "Zusammengesetzt:",
     "deadlines.event.unit.days.one": "Tag",
     "deadlines.event.unit.days.many": "Tage",
@@ -874,11 +905,15 @@ const translations: Record<Lang, Record<string, string>> = {
     "deadlines.field.title.placeholder": "z.\u202fB. Klageerwiderung einreichen",
     "deadlines.field.due": "F\u00e4lligkeitsdatum",
     "deadlines.field.rule": "Regel (optional)",
-    "deadlines.field.rule.none": "Keine Regel",
-    "deadlines.field.rule.autofill": "Typ vorgegeben durch Regel — entfernen, um zu überschreiben.",
-    "deadlines.field.rule.autofill_inline": " (vorgegeben durch Regel)",
-    "deadlines.field.rule.mismatch": "Hinweis: Typ widerspricht Regel — Sie haben den Typ überschrieben.",
-    "deadlines.field.rule.override": "Anderen Typ wählen",
+    "deadlines.field.rule.auto_badge": "Auto",
+    "deadlines.field.rule.auto_no_match": "Keine Regel zur gewählten Verfahrenshandlung",
+    "deadlines.field.rule.auto_pick_type": "Wählen Sie zuerst eine Verfahrenshandlung",
+    "deadlines.field.rule.custom_badge": "Eigen",
+    "deadlines.field.rule.custom_placeholder": "z.B. interner Review-Termin, Mandantengespräch",
+    "deadlines.field.rule.mode.toggle_to_auto": "Zurück zu Auto",
+    "deadlines.field.rule.mode.toggle_to_custom": "Eigene Regel eingeben",
+    "deadlines.field.title.default_btn": "Standardtitel",
+    "deadlines.field.title.default_fallback": "Neue Frist",
     "deadlines.field.notes": "Notizen (optional)",
     "deadlines.field.notes.placeholder": "Hinweise, Verweise, n\u00e4chste Schritte\u2026",
     "deadlines.error.required": "Akte, Titel und F\u00e4lligkeitsdatum sind Pflichtfelder.",
@@ -1105,6 +1140,10 @@ const translations: Record<Lang, Record<string, string>> = {
     "event.title.appointment_updated": "Termin ge\u00e4ndert",
     "event.title.appointment_deleted": "Termin gel\u00f6scht",
     "event.title.appointment_project_changed": "Termin verschoben",
+    // Umbrella audit kind + admin churn surfaced by the FilterBar
+    // project_event_kind chip cluster (KnownProjectEventKinds).
+    "event.title.approval_decided": "Genehmigung entschieden",
+    "event.title.member_role_changed": "Teamrolle ge\u00e4ndert",
     // 4-eye approval lifecycle (t-paliad-138). Verlauf renders these as
     // a paired card with the original lifecycle event (e.g.
     // "Frist angelegt" + "Genehmigung erteilt von Bert").
@@ -1426,8 +1465,14 @@ const translations: Record<Lang, Record<string, string>> = {
     "projects.detail.tab.notizen": "Notizen",
     "projects.detail.tab.checklisten": "Checklisten",
     "projects.detail.tab.submissions": "Schriftsätze",
+    "projects.detail.tab.settings": "Verwaltung",
     "projects.detail.export.button": "Daten exportieren",
     "projects.detail.export.tooltip": "Daten dieses Projekts (mit Unter-Projekten) als Excel + JSON + CSV herunterladen.",
+    "projects.detail.settings.export.heading": "Daten exportieren",
+    "projects.detail.settings.export.description": "Lade alle Daten dieses Projekts (inkl. Unter-Projekten) als Excel + JSON + CSV-Archiv herunter.",
+    "projects.detail.settings.archive.heading": "Projekt archivieren",
+    "projects.detail.settings.archive.description": "Archivieren erfolgt aus dem Bearbeiten-Dialog (Gefahrenbereich).",
+    "projects.detail.settings.archive.cta": "Bearbeiten öffnen",
     "projects.detail.submissions.empty": "Es sind aktuell keine Schriftsatzvorlagen hinterlegt.",
     "projects.detail.submissions.empty.no_proceeding": "Für dieses Projekt ist noch kein Verfahrenstyp gesetzt — der Katalog unten zeigt trotzdem alle Vorlagen.",
     "projects.detail.submissions.empty.no_proceeding.cta": "Projekt bearbeiten",
@@ -1451,6 +1496,15 @@ const translations: Record<Lang, Record<string, string>> = {
     "submissions.draft.name.placeholder": "Name dieses Entwurfs",
     "submissions.draft.preview.title": "Vorschau",
     "submissions.draft.preview.hint": "Read-only Vorschau — finale Bearbeitung in Word.",
+    // t-paliad-277 — import-from-project + party-picker.
+    "submissions.draft.import.button": "Aus Projekt importieren",
+    "submissions.draft.parties.title": "Parteien",
+    "submissions.draft.parties.hint": "Wählen Sie aus, welche Parteien im Schriftsatz genannt werden sollen.",
+    // t-paliad-276 — DE/EN language toggle on the draft editor.
+    "submissions.draft.language": "Sprache",
+    "submissions.draft.language.de": "DE",
+    "submissions.draft.language.en": "EN",
+    "submissions.draft.language.fallback_notice": "Fallback: universelles Skelett (keine sprachspezifische Vorlage).",
     // t-paliad-240 — global Schriftsätze drafts index page.
     "submissions.index.title": "Schriftsätze — Paliad",
     "submissions.index.heading": "Schriftsätze",
@@ -2221,6 +2275,20 @@ const translations: Record<Lang, Record<string, string>> = {
     "inbox.empty.admin_nudge.title": "Noch keine Genehmigungspflichten konfiguriert?",
     "inbox.empty.admin_nudge.body": "Lege fest, welche Lifecycle-Events 4-Augen-Prüfung erfordern.",
     "inbox.empty.admin_nudge.cta": "Genehmigungspflichten konfigurieren",
+    "inbox.title.feed": "Inbox — Paliad",
+    "inbox.heading.feed": "Inbox",
+    "inbox.subtitle.feed": "Neuigkeiten zu Ihren Projekten und offene Genehmigungen.",
+    "inbox.action.mark_all_seen": "Alles als gelesen markieren",
+    "inbox.action.open": "Öffnen",
+    "inbox.empty.feed": "Keine Neuigkeiten in den letzten 30 Tagen.",
+    "views.bar.label.unread_only": "Lesestatus",
+    "views.bar.unread_only.on": "Nur ungelesen",
+    "views.bar.unread_only.off": "Alle",
+    "views.bar.label.inbox_focus": "Anzeigen",
+    "views.bar.inbox_focus.alles": "Alles",
+    "views.bar.inbox_focus.genehmigungen": "Nur Genehmigungen",
+    "views.bar.inbox_focus.plus_termine": "+ Termine",
+    "views.bar.inbox_focus.plus_fristen": "+ Fristen",
     "deadlines.form.approval_hint": "4-Augen-Prüfung erforderlich",
     "appointments.form.approval_hint": "4-Augen-Prüfung erforderlich",
     "admin.email_templates.title": "Email-Templates — Paliad",
@@ -2332,6 +2400,31 @@ const translations: Record<Lang, Record<string, string>> = {
     // Admin audit log (t-paliad-071)
     "nav.admin.audit": "Audit-Log",
     "nav.admin.partner_units": "Partner Units",
+
+    // Admin Backup Mode (t-paliad-246 / m/paliad#77)
+    "nav.admin.backups": "Backups",
+    "admin.backups.title": "Backups — Paliad",
+    "admin.backups.heading": "Backups",
+    "admin.backups.subtitle": "Vollständige Snapshots aller Daten — manuell oder zeitgesteuert.",
+    "admin.backups.run_now": "Backup jetzt erstellen",
+    "admin.backups.running": "Läuft …",
+    "admin.backups.success": "Backup erfolgreich erstellt.",
+    "admin.backups.empty": "Noch keine Backups vorhanden.",
+    "admin.backups.loading": "Lade …",
+    "admin.backups.col.started": "Erstellt",
+    "admin.backups.col.kind": "Auslöser",
+    "admin.backups.col.status": "Status",
+    "admin.backups.col.requested_by": "Angefordert von",
+    "admin.backups.col.size": "Größe",
+    "admin.backups.col.rows": "Sheets",
+    "admin.backups.col.actions": "Aktion",
+    "admin.backups.kind.scheduled": "Geplant",
+    "admin.backups.kind.on_demand": "Manuell",
+    "admin.backups.status.running": "Läuft …",
+    "admin.backups.status.done": "✓ Fertig",
+    "admin.backups.status.failed": "✗ Fehlgeschlagen",
+    "admin.backups.download": "Download",
+    "admin.backups.footer.note": "Geplante Backups werden in einer späteren Slice aktiviert. Manuelle Backups stehen jetzt zur Verfügung.",
     "admin.audit.title": "Audit-Log — Paliad",
     "admin.audit.heading": "Audit-Log",
     "admin.audit.subtitle": "Globale Zeitleiste über Projekt-, CalDAV-, Reminder- und Partner-Unit-Ereignisse.",
@@ -2431,6 +2524,8 @@ const translations: Record<Lang, Record<string, string>> = {
     "event_types.browse.cancel": "Abbrechen",
     "event_types.browse.selected_count": "{n} ausgewählt",
     "event_types.browse.jurisdiction.none": "Allgemein",
+    "event_types.browse.jurisdiction.all": "Alle Gerichte",
+    "event_types.browse.jurisdiction.filter_label": "Nach Gerichtsart filtern",
     "event_types.filter.all": "Alle Typen",
     "event_types.filter.untyped": "— Ohne Typ —",
     "event_types.filter.search": "Typ suchen…",
@@ -2576,6 +2671,17 @@ const translations: Record<Lang, Record<string, string>> = {
     "approvals.withdraw.cta": "Genehmigungsanfrage zurückziehen",
     "approvals.withdraw.confirm": "Genehmigungsanfrage wirklich zurückziehen?",
     "approvals.withdraw.error": "Fehler beim Zurückziehen",
+    "approvals.withdraw.cancel": "Abbrechen",
+    "approvals.withdraw.modal.title": "Genehmigungsanfrage zurückziehen?",
+    "approvals.withdraw.primary.label": "Termin bearbeiten",
+    "approvals.withdraw.destructive.label": "Endgültig zurückziehen und löschen",
+    "approvals.withdraw.lead.create.deadline": "Wenn Sie die Anfrage zurückziehen, wird die Frist gelöscht.",
+    "approvals.withdraw.lead.create.appointment": "Wenn Sie die Anfrage zurückziehen, wird der Termin gelöscht.",
+    "approvals.withdraw.lead.update": "Wenn Sie die Anfrage zurückziehen, werden die vorgeschlagenen Änderungen verworfen — der Eintrag kehrt in den Zustand vor Ihrer Bearbeitung zurück.",
+    "approvals.withdraw.lead.delete": "Wenn Sie die Löschanfrage zurückziehen, bleibt der Eintrag bestehen.",
+    "approvals.withdraw.sub.create": "Alternativ können Sie den Eintrag stattdessen bearbeiten. Die Anfrage bleibt offen und der Genehmiger sieht Ihre neuen Werte.",
+    "approvals.withdraw.sub.update": "Alternativ können Sie Ihre Änderungen bearbeiten und neu absenden. Die Anfrage bleibt offen.",
+    "approvals.withdraw.sub.delete": "Sind Sie sicher, dass Sie die Löschanfrage zurückziehen möchten?",
     "approvals.pending_create.label": "Erstellung wartet auf Genehmigung",
     "approvals.pending_update.label": "Änderung wartet auf Genehmigung",
     "approvals.pending_complete.label": "Erledigung wartet auf Genehmigung",
@@ -2633,11 +2739,18 @@ const translations: Record<Lang, Record<string, string>> = {
     "views.scope.my_subtree": "Mein Teilbaum",
     "views.scope.explicit": "Bestimmte Projekte",
     "views.scope.personal_only": "Nur persönliche",
+    "views.horizon.next_1d": "Morgen",
     "views.horizon.next_7d": "Nächste 7 Tage",
+    "views.horizon.next_14d": "Nächste 14 Tage",
     "views.horizon.next_30d": "Nächste 30 Tage",
     "views.horizon.next_90d": "Nächste 90 Tage",
+    "views.horizon.next_all": "Ganze Zukunft",
+    "views.horizon.past_1d": "Letzter Tag",
+    "views.horizon.past_7d": "Letzte 7 Tage",
+    "views.horizon.past_14d": "Letzte 14 Tage",
     "views.horizon.past_30d": "Letzte 30 Tage",
     "views.horizon.past_90d": "Letzte 90 Tage",
+    "views.horizon.past_all": "Ganze Vergangenheit",
     "views.horizon.any": "Beliebig",
     "views.horizon.all": "Komplett (alle Daten)",
     "views.horizon.custom": "Benutzerdefiniert",
@@ -2721,16 +2834,10 @@ const translations: Record<Lang, Record<string, string>> = {
     "views.bar.label.density": "Dichte",
     "views.bar.label.sort": "Sortierung",
     "views.bar.common.all": "Alle",
-    "views.bar.time.next_7d": "7 Tage",
-    "views.bar.time.next_30d": "30 Tage",
-    "views.bar.time.next_90d": "90 Tage",
-    "views.bar.time.past_7d": "Letzte 7 T.",
-    "views.bar.time.past_30d": "Letzte 30 T.",
-    "views.bar.time.past_90d": "Letzte 90 T.",
-    "views.bar.time.any": "Beliebig",
-    "views.bar.time.all": "Alle Zeit",
-    "views.bar.time.custom": "Anpassen",
-    "views.bar.time.custom.coming_soon": "Benutzerdefinierter Zeitraum folgt in einer der nächsten Iterationen.",
+    // views.bar.time.* keys retired in t-paliad-248 — the filter-bar time
+    // axis now mounts the symmetric date-range picker, whose labels live
+    // under date_range.horizon.* (see end of this dict). The picker reuses
+    // views.bar.label.time as the closed-button prefix.
     "views.bar.personal.on": "Nur eigene",
     "views.bar.approval_role.approver_eligible": "Zur Genehmigung",
     "views.bar.approval_role.self_requested": "Eigene Anfragen",
@@ -2770,21 +2877,26 @@ const translations: Record<Lang, Record<string, string>> = {
     "views.bar.save.error.network": "Netzwerkfehler — bitte erneut versuchen.",
 
     // t-paliad-192 Slice 11b — Admin rule-editor UI.
-    "nav.admin.rules": "Regeln verwalten",
-    "nav.admin.rules_export": "Regel-Migrations",
-    "admin.card.rules.title": "Regeln verwalten",
-    "admin.card.rules.desc": "Fristen-Regeln anlegen, bearbeiten, publishen. Audit-Log, Preview, Migration-Export.",
+    // t-paliad-262 Slice A — "Regel" relabelled as "Verfahrensschritt".
+    // The admin URL `/admin/rules` and i18n key prefix `admin.rules.*` stay
+    // (URL change is Slice B.6); the visible labels rename. Canonical
+    // `admin.procedural_events.*` aliases live after the EN block — they
+    // pin the contract for when .tsx files rebind in Slice B (B.5).
+    "nav.admin.rules": "Verfahrensschritte verwalten",
+    "nav.admin.rules_export": "Verfahrensschritt-Migrations",
+    "admin.card.rules.title": "Verfahrensschritte verwalten",
+    "admin.card.rules.desc": "Verfahrensschritte anlegen, bearbeiten, publishen. Audit-Log, Preview, Migration-Export.",
 
-    "admin.rules.list.title": "Regeln verwalten — Paliad",
-    "admin.rules.list.heading": "Regeln verwalten",
-    "admin.rules.list.subtitle": "Fristen-Regeln anlegen, bearbeiten und freigeben. Lifecycle: draft → published → archived.",
-    "admin.rules.list.new": "+ Neue Regel",
+    "admin.rules.list.title": "Verfahrensschritte verwalten — Paliad",
+    "admin.rules.list.heading": "Verfahrensschritte verwalten",
+    "admin.rules.list.subtitle": "Verfahrensschritte (Schriftsätze, Anhörungen, Entscheidungen, …) anlegen, bearbeiten und freigeben. Lifecycle: draft → published → archived.",
+    "admin.rules.list.new": "+ Neuer Verfahrensschritt",
     "admin.rules.list.export": "Migrations exportieren",
     "admin.rules.tab.rules": "Regeln",
     "admin.rules.tab.orphans": "Orphans",
     "admin.rules.loading": "Lade…",
-    "admin.rules.empty": "Keine Regeln für die gewählten Filter.",
-    "admin.rules.error.load": "Konnte Regeln nicht laden.",
+    "admin.rules.empty": "Keine Verfahrensschritte für die gewählten Filter.",
+    "admin.rules.error.load": "Konnte Verfahrensschritte nicht laden.",
 
     "admin.rules.filter.proceeding": "Verfahrenstyp",
     "admin.rules.filter.proceeding.any": "Alle",
@@ -2795,7 +2907,7 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.filter.search": "Suche",
     "admin.rules.filter.search.placeholder": "Name, Submission Code, Rechtsgrundlage…",
 
-    "admin.rules.col.submission_code": "Submission Code / Einreichung-Kennung",
+    "admin.rules.col.submission_code": "Code (Verfahrensschritt)",
     "admin.rules.col.legal_citation": "Rechtsgrundlage",
     "admin.rules.col.name": "Name",
     "admin.rules.col.proceeding": "Verfahrenstyp",
@@ -2825,8 +2937,8 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.orphans.reason.manual_unbound": "Manuell entkoppelt",
     "admin.rules.orphans.resolved": "Orphan zugeordnet.",
 
-    "admin.rules.modal.new.title": "Neue Regel anlegen",
-    "admin.rules.modal.new.body": "Eine neue Regel wird als Draft angelegt. Bitte einen Grund (mind. 10 Zeichen) angeben — dieser wandert ins Audit-Log und beim Export in die Migration.",
+    "admin.rules.modal.new.title": "Neuen Verfahrensschritt anlegen",
+    "admin.rules.modal.new.body": "Ein neuer Verfahrensschritt wird als Draft angelegt. Bitte einen Grund (mind. 10 Zeichen) angeben — dieser wandert ins Audit-Log und beim Export in die Migration.",
     "admin.rules.modal.resolve.title": "Orphan zuordnen",
     "admin.rules.modal.resolve.body": "Bitte einen Grund (mind. 10 Zeichen) angeben. Die Regel-Verknüpfung wird sofort auf der Deadline gespeichert.",
     "admin.rules.modal.reason": "Grund",
@@ -2841,12 +2953,12 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.modal.error.create": "Anlegen fehlgeschlagen.",
     "admin.rules.modal.error.resolve": "Zuordnung fehlgeschlagen.",
 
-    "admin.rules.edit.title": "Regel bearbeiten — Paliad",
-    "admin.rules.edit.heading.loading": "Regel laden…",
-    "admin.rules.edit.breadcrumb": "← Regeln verwalten",
-    "admin.rules.edit.error.bad_id": "Ungültige Regel-ID in der URL.",
-    "admin.rules.edit.error.not_found": "Regel nicht gefunden.",
-    "admin.rules.edit.error.load": "Konnte Regel nicht laden.",
+    "admin.rules.edit.title": "Verfahrensschritt bearbeiten — Paliad",
+    "admin.rules.edit.heading.loading": "Verfahrensschritt laden…",
+    "admin.rules.edit.breadcrumb": "← Verfahrensschritte verwalten",
+    "admin.rules.edit.error.bad_id": "Ungültige Verfahrensschritt-ID in der URL.",
+    "admin.rules.edit.error.not_found": "Verfahrensschritt nicht gefunden.",
+    "admin.rules.edit.error.load": "Konnte Verfahrensschritt nicht laden.",
 
     "admin.rules.edit.section.identity": "Identität",
     "admin.rules.edit.section.proceeding": "Verfahren & Trigger",
@@ -2859,14 +2971,14 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.edit.field.name": "Name (DE)",
     "admin.rules.edit.field.name_en": "Name (EN)",
     "admin.rules.edit.field.description": "Beschreibung",
-    "admin.rules.edit.field.submission_code": "Submission Code / Einreichung-Kennung",
+    "admin.rules.edit.field.submission_code": "Code (Verfahrensschritt-Identifikator)",
     "admin.rules.edit.field.rule_code": "Rechtsgrundlage (Kurzform)",
     "admin.rules.edit.field.legal_source": "Rechtsgrundlage (Langform)",
     "admin.rules.edit.field.proceeding": "Verfahrenstyp",
     "admin.rules.edit.field.proceeding.none": "—",
     "admin.rules.edit.field.trigger": "Trigger-Ereignis",
     "admin.rules.edit.field.trigger.none": "—",
-    "admin.rules.edit.field.parent": "Parent-Regel (UUID)",
+    "admin.rules.edit.field.parent": "Übergeordneter Verfahrensschritt (UUID)",
     "admin.rules.edit.field.concept": "Konzept (UUID)",
     "admin.rules.edit.field.sequence_order": "Reihenfolge",
     "admin.rules.edit.field.duration_value": "Dauer",
@@ -2878,7 +2990,7 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.edit.field.alt_rule_code": "Alt-Rule-Code",
     "admin.rules.edit.field.anchor_alt": "Alt-Anchor",
     "admin.rules.edit.field.primary_party": "Primäre Partei",
-    "admin.rules.edit.field.event_type": "Event-Typ (frei)",
+    "admin.rules.edit.field.event_type": "Art des Verfahrensschritts (filing / hearing / decision / order)",
     "admin.rules.edit.field.deadline_notes": "Hinweise (DE)",
     "admin.rules.edit.field.deadline_notes_en": "Hinweise (EN)",
     "admin.rules.edit.field.priority": "Priorität",
@@ -2957,6 +3069,53 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.export.ok": "{n} Audit-Zeilen exportiert.",
     "admin.rules.export.error": "Export fehlgeschlagen.",
     "admin.rules.export.no_pending": "Keine offenen Audit-Zeilen zum Export.",
+
+    // Date-range picker (t-paliad-248). Symmetric past/future chip fan
+    // around an ALLES centre. Used by the filter-bar 'time' axis from
+    // Slice A onwards; future slices will migrate /agenda and
+    // /admin/audit-log to the same component.
+    "date_range.button.label": "Zeitraum",
+    "date_range.button.label.custom_range": "Von {from} bis {to}",
+    "date_range.horizon.next_1d":  "Heute",
+    "date_range.horizon.next_7d":  "Nächste 7 Tage",
+    "date_range.horizon.next_14d": "Nächste 14 Tage",
+    "date_range.horizon.next_30d": "Nächste 30 Tage",
+    "date_range.horizon.next_90d": "Nächste 90 Tage",
+    "date_range.horizon.next_all": "Ganze Zukunft",
+    "date_range.horizon.past_1d":  "Letzter Tag",
+    "date_range.horizon.past_7d":  "Letzte 7 Tage",
+    "date_range.horizon.past_14d": "Letzte 14 Tage",
+    "date_range.horizon.past_30d": "Letzte 30 Tage",
+    "date_range.horizon.past_90d": "Letzte 90 Tage",
+    "date_range.horizon.past_all": "Ganze Vergangenheit",
+    "date_range.horizon.any":      "Alles",
+    "date_range.horizon.custom":   "Anpassen",
+    "date_range.dialog.label":     "Zeitraum wählen",
+    "date_range.fan.past.label":   "Vergangenheit",
+    "date_range.fan.future.label": "Zukunft",
+    "date_range.center.label":     "Alles",
+    "date_range.custom.from":      "Von",
+    "date_range.custom.to":        "Bis",
+    "date_range.custom.apply":     "Anwenden",
+    "date_range.custom.cancel":    "Abbrechen",
+    "date_range.custom.invalid":            "Bis-Datum muss nach Von-Datum liegen.",
+    "date_range.custom.invalid_format":     "Datum nicht erkannt (Format JJJJ-MM-TT).",
+    "date_range.custom.invalid_missing":    "Bitte beide Datumsfelder ausfüllen.",
+
+    // t-paliad-262 Slice A — canonical `procedural_event` i18n contract.
+    // The values are identical to the legacy `admin.rules.*` keys above —
+    // these aliases let .tsx files rebind in Slice B (B.5) without
+    // touching DE/EN strings then. Adding/changing values? Update BOTH
+    // sides.
+    "admin.procedural_events.list.title":     "Verfahrensschritte verwalten — Paliad",
+    "admin.procedural_events.list.heading":   "Verfahrensschritte verwalten",
+    "admin.procedural_events.list.new":       "+ Neuer Verfahrensschritt",
+    "admin.procedural_events.col.code":       "Code (Verfahrensschritt)",
+    "admin.procedural_events.edit.title":     "Verfahrensschritt bearbeiten — Paliad",
+    "admin.procedural_events.edit.breadcrumb":"← Verfahrensschritte verwalten",
+    "admin.procedural_events.edit.field.code":         "Code (Verfahrensschritt-Identifikator)",
+    "admin.procedural_events.edit.field.event_kind":   "Art des Verfahrensschritts (filing / hearing / decision / order)",
+    "admin.procedural_events.edit.field.parent":       "Übergeordneter Verfahrensschritt (UUID)",
   },
 
   en: {
@@ -3147,6 +3306,7 @@ const translations: Record<Lang, Record<string, string>> = {
 
     "deadlines.step1": "Select Proceeding Type",
     "deadlines.step2": "Enter Trigger Date",
+    "deadlines.step2.perspective": "Perspective and Date",
     "deadlines.step3": "Result",
     "deadlines.upc": "UPC",
     "deadlines.de": "German Courts",
@@ -3193,6 +3353,8 @@ const translations: Record<Lang, Record<string, string>> = {
     "deadlines.party.both.label": "both parties",
     "deadlines.court.set": "set by court",
     "deadlines.court.indirect": "tbd",
+    "deadlines.conditional.depends_on": "depends on {parent}",
+    "deadlines.conditional.unset": "depends on an upstream event",
     "deadlines.optional.badge": "on request",
     "deadlines.priority.mandatory": "Mandatory",
     "deadlines.priority.recommended": "Recommended",
@@ -3242,10 +3404,28 @@ const translations: Record<Lang, Record<string, string>> = {
     "deadlines.view.timeline": "Timeline",
     "deadlines.view.columns": "Columns",
     "deadlines.notes.show": "Show details",
-    "deadlines.col.proactive": "Proactive",
+    "deadlines.col.ours": "Client Side",
     "deadlines.col.court": "Court",
-    "deadlines.col.reactive": "Reactive",
+    "deadlines.col.opponent": "Opponent Side",
     "deadlines.col.both": "Both parties",
+    // t-paliad-265 — per-event-card choice popover (Verfahrensablauf timeline)
+    "choices.caret.title": "Options for this event",
+    "choices.appellant.title": "Appeal by …",
+    "choices.appellant.claimant": "Claimant side",
+    "choices.appellant.defendant": "Defendant side",
+    "choices.appellant.both": "both parties",
+    "choices.appellant.none": "no appeal",
+    "choices.include_ccr.title": "Include nullity counterclaim",
+    "choices.include_ccr.true": "Yes",
+    "choices.include_ccr.false": "No",
+    "choices.skip.title": "Skip for this case",
+    "choices.skip.true": "Skip",
+    "choices.skip.false": "Include",
+    "choices.skipped.chip": "skipped",
+    "choices.appellant.chip": "Appeal:",
+    "choices.include_ccr.chip": "with nullity counterclaim",
+    "choices.reset": "Reset choice",
+    "choices.commit.error": "Could not save selection",
     "deadlines.adjusted": "Adjusted",
     "deadlines.adjusted.reason": "weekend/holiday",
     "deadlines.adjusted.weekend": "weekend",
@@ -3364,6 +3544,16 @@ const translations: Record<Lang, Record<string, string>> = {
     "deadlines.perspective.defendant.title": "Defendant side — hides typical claimant submissions",
     "deadlines.perspective.appeal_filed_by.label": "Appeal filed by:",
     "deadlines.perspective.predefined_hint": "predefined from project",
+    "deadlines.side.label": "Side:",
+    "deadlines.side.claimant": "Claimant",
+    "deadlines.side.defendant": "Defendant",
+    "deadlines.side.both": "Both",
+    "deadlines.side.from_project": "From case:",
+    "deadlines.side.override": "Choose other side",
+    "deadlines.appellant.label": "Appeal filed by:",
+    "deadlines.appellant.claimant": "Claimant",
+    "deadlines.appellant.defendant": "Defendant",
+    "deadlines.appellant.none": "—",
     "deadlines.event.composite.label": "Composite:",
     "deadlines.event.unit.days.one": "day",
     "deadlines.event.unit.days.many": "days",
@@ -3814,11 +4004,15 @@ const translations: Record<Lang, Record<string, string>> = {
     "deadlines.field.title.placeholder": "e.g. File statement of defence",
     "deadlines.field.due": "Due date",
     "deadlines.field.rule": "Rule (optional)",
-    "deadlines.field.rule.none": "No rule",
-    "deadlines.field.rule.autofill": "Type set by rule — remove to override.",
-    "deadlines.field.rule.autofill_inline": " (set by rule)",
-    "deadlines.field.rule.mismatch": "Note: type contradicts rule — you have overridden the type.",
-    "deadlines.field.rule.override": "Choose another type",
+    "deadlines.field.rule.auto_badge": "Auto",
+    "deadlines.field.rule.auto_no_match": "No rule maps to the chosen Type",
+    "deadlines.field.rule.auto_pick_type": "Pick a Type first",
+    "deadlines.field.rule.custom_badge": "Custom",
+    "deadlines.field.rule.custom_placeholder": "e.g. internal review meeting, client call",
+    "deadlines.field.rule.mode.toggle_to_auto": "Back to Auto",
+    "deadlines.field.rule.mode.toggle_to_custom": "Enter custom rule",
+    "deadlines.field.title.default_btn": "Default title",
+    "deadlines.field.title.default_fallback": "New deadline",
     "deadlines.field.notes": "Notes (optional)",
     "deadlines.field.notes.placeholder": "References, hints, next steps\u2026",
     "deadlines.error.required": "Matter, title and due date are required.",
@@ -4028,6 +4222,10 @@ const translations: Record<Lang, Record<string, string>> = {
     "event.title.appointment_updated": "Appointment updated",
     "event.title.appointment_deleted": "Appointment deleted",
     "event.title.appointment_project_changed": "Appointment moved",
+    // Umbrella audit kind + admin churn surfaced by the FilterBar
+    // project_event_kind chip cluster (KnownProjectEventKinds).
+    "event.title.approval_decided": "Approval decided",
+    "event.title.member_role_changed": "Team role changed",
     // 4-eye approval lifecycle (t-paliad-138).
     "event.title.deadline_approval_requested": "Approval requested",
     "event.title.deadline_approval_approved": "Approval granted",
@@ -4347,8 +4545,14 @@ const translations: Record<Lang, Record<string, string>> = {
     "projects.detail.tab.notizen": "Notes",
     "projects.detail.tab.checklisten": "Checklists",
     "projects.detail.tab.submissions": "Submissions",
+    "projects.detail.tab.settings": "Settings",
     "projects.detail.export.button": "Export data",
     "projects.detail.export.tooltip": "Download this project's data (including sub-projects) as Excel + JSON + CSV.",
+    "projects.detail.settings.export.heading": "Export data",
+    "projects.detail.settings.export.description": "Download all data for this project (including sub-projects) as an Excel + JSON + CSV archive.",
+    "projects.detail.settings.archive.heading": "Archive project",
+    "projects.detail.settings.archive.description": "Archiving happens in the edit dialog (danger zone).",
+    "projects.detail.settings.archive.cta": "Open edit dialog",
     "projects.detail.submissions.empty": "No submission templates are configured yet.",
     "projects.detail.submissions.empty.no_proceeding": "No proceeding type is set for this project yet — the catalog below still lists every template.",
     "projects.detail.submissions.empty.no_proceeding.cta": "Edit project",
@@ -4371,7 +4575,16 @@ const translations: Record<Lang, Record<string, string>> = {
     "submissions.draft.switcher.label": "Draft",
     "submissions.draft.name.placeholder": "Name of this draft",
     "submissions.draft.preview.title": "Preview",
+    // t-paliad-276 — DE/EN language toggle on the draft editor.
+    "submissions.draft.language": "Language",
+    "submissions.draft.language.de": "DE",
+    "submissions.draft.language.en": "EN",
+    "submissions.draft.language.fallback_notice": "Fallback: universal skeleton (no language-matched template).",
     "submissions.draft.preview.hint": "Read-only preview — final formatting in Word.",
+    // t-paliad-277 — import-from-project + party-picker.
+    "submissions.draft.import.button": "Import from project",
+    "submissions.draft.parties.title": "Parties",
+    "submissions.draft.parties.hint": "Select which parties to mention in this submission.",
     // t-paliad-240 — global submissions drafts index page.
     "submissions.index.title": "Submissions — Paliad",
     "submissions.index.heading": "Submissions",
@@ -5133,6 +5346,20 @@ const translations: Record<Lang, Record<string, string>> = {
     "inbox.empty.admin_nudge.title": "No approval policies configured yet?",
     "inbox.empty.admin_nudge.body": "Set which lifecycle events require 4-eye review.",
     "inbox.empty.admin_nudge.cta": "Configure approval policies",
+    "inbox.title.feed": "Inbox — Paliad",
+    "inbox.heading.feed": "Inbox",
+    "inbox.subtitle.feed": "Updates on your projects and open approvals.",
+    "inbox.action.mark_all_seen": "Mark all as read",
+    "inbox.action.open": "Open",
+    "inbox.empty.feed": "No updates in the last 30 days.",
+    "views.bar.label.unread_only": "Read state",
+    "views.bar.unread_only.on": "Unread only",
+    "views.bar.unread_only.off": "All",
+    "views.bar.label.inbox_focus": "Show",
+    "views.bar.inbox_focus.alles": "Everything",
+    "views.bar.inbox_focus.genehmigungen": "Approvals only",
+    "views.bar.inbox_focus.plus_termine": "+ Appointments",
+    "views.bar.inbox_focus.plus_fristen": "+ Deadlines",
     "deadlines.form.approval_hint": "4-eye review required",
     "appointments.form.approval_hint": "4-eye review required",
     "admin.email_templates.title": "Email Templates — Paliad",
@@ -5244,6 +5471,31 @@ const translations: Record<Lang, Record<string, string>> = {
     // Admin audit log (t-paliad-071)
     "nav.admin.audit": "Audit Log",
     "nav.admin.partner_units": "Partner Units",
+
+    // Admin Backup Mode (t-paliad-246 / m/paliad#77)
+    "nav.admin.backups": "Backups",
+    "admin.backups.title": "Backups — Paliad",
+    "admin.backups.heading": "Backups",
+    "admin.backups.subtitle": "Full snapshots of all data — manual or scheduled.",
+    "admin.backups.run_now": "Run backup now",
+    "admin.backups.running": "Running …",
+    "admin.backups.success": "Backup created successfully.",
+    "admin.backups.empty": "No backups yet.",
+    "admin.backups.loading": "Loading …",
+    "admin.backups.col.started": "Started",
+    "admin.backups.col.kind": "Trigger",
+    "admin.backups.col.status": "Status",
+    "admin.backups.col.requested_by": "Requested by",
+    "admin.backups.col.size": "Size",
+    "admin.backups.col.rows": "Sheets",
+    "admin.backups.col.actions": "Action",
+    "admin.backups.kind.scheduled": "Scheduled",
+    "admin.backups.kind.on_demand": "Manual",
+    "admin.backups.status.running": "Running …",
+    "admin.backups.status.done": "✓ Done",
+    "admin.backups.status.failed": "✗ Failed",
+    "admin.backups.download": "Download",
+    "admin.backups.footer.note": "Scheduled backups land in a later slice. Manual backups are available now.",
     "admin.audit.title": "Audit Log — Paliad",
     "admin.audit.heading": "Audit Log",
     "admin.audit.subtitle": "Global timeline across project, CalDAV, reminder and partner-unit events.",
@@ -5343,6 +5595,8 @@ const translations: Record<Lang, Record<string, string>> = {
     "event_types.browse.cancel": "Cancel",
     "event_types.browse.selected_count": "{n} selected",
     "event_types.browse.jurisdiction.none": "Any",
+    "event_types.browse.jurisdiction.all": "All courts",
+    "event_types.browse.jurisdiction.filter_label": "Filter by court type",
     "event_types.filter.all": "All types",
     "event_types.filter.untyped": "— Untyped —",
     "event_types.filter.search": "Search type…",
@@ -5488,6 +5742,17 @@ const translations: Record<Lang, Record<string, string>> = {
     "approvals.withdraw.cta": "Withdraw approval request",
     "approvals.withdraw.confirm": "Withdraw the approval request?",
     "approvals.withdraw.error": "Failed to withdraw",
+    "approvals.withdraw.cancel": "Cancel",
+    "approvals.withdraw.modal.title": "Withdraw approval request?",
+    "approvals.withdraw.primary.label": "Edit event",
+    "approvals.withdraw.destructive.label": "Withdraw permanently and delete",
+    "approvals.withdraw.lead.create.deadline": "Withdrawing this request will delete the deadline.",
+    "approvals.withdraw.lead.create.appointment": "Withdrawing this request will delete the appointment.",
+    "approvals.withdraw.lead.update": "Withdrawing this request will discard your proposed changes — the entry will revert to its state before your edit.",
+    "approvals.withdraw.lead.delete": "Withdrawing the delete request will keep the entry alive.",
+    "approvals.withdraw.sub.create": "Alternatively, you can edit the entry instead. The request stays open and the approver will see your new values.",
+    "approvals.withdraw.sub.update": "Alternatively, you can edit your changes and resubmit. The request stays open.",
+    "approvals.withdraw.sub.delete": "Are you sure you want to withdraw the delete request?",
     "approvals.pending_create.label": "Awaits approval (creation)",
     "approvals.pending_update.label": "Awaits approval (change)",
     "approvals.pending_complete.label": "Awaits approval (completion)",
@@ -5545,11 +5810,18 @@ const translations: Record<Lang, Record<string, string>> = {
     "views.scope.my_subtree": "My subtree",
     "views.scope.explicit": "Specific projects",
     "views.scope.personal_only": "Personal only",
+    "views.horizon.next_1d": "Tomorrow",
     "views.horizon.next_7d": "Next 7 days",
+    "views.horizon.next_14d": "Next 14 days",
     "views.horizon.next_30d": "Next 30 days",
     "views.horizon.next_90d": "Next 90 days",
+    "views.horizon.next_all": "All future",
+    "views.horizon.past_1d": "Last day",
+    "views.horizon.past_7d": "Last 7 days",
+    "views.horizon.past_14d": "Last 14 days",
     "views.horizon.past_30d": "Last 30 days",
     "views.horizon.past_90d": "Last 90 days",
+    "views.horizon.past_all": "All past",
     "views.horizon.any": "Any",
     "views.horizon.all": "All-time",
     "views.horizon.custom": "Custom",
@@ -5632,16 +5904,9 @@ const translations: Record<Lang, Record<string, string>> = {
     "views.bar.label.density": "Density",
     "views.bar.label.sort": "Sort",
     "views.bar.common.all": "All",
-    "views.bar.time.next_7d": "7 days",
-    "views.bar.time.next_30d": "30 days",
-    "views.bar.time.next_90d": "90 days",
-    "views.bar.time.past_7d": "Past 7d",
-    "views.bar.time.past_30d": "Past 30 d.",
-    "views.bar.time.past_90d": "Past 90 d.",
-    "views.bar.time.any": "Any",
-    "views.bar.time.all": "All time",
-    "views.bar.time.custom": "Custom",
-    "views.bar.time.custom.coming_soon": "Custom date range arrives in a follow-up iteration.",
+    // views.bar.time.* keys retired in t-paliad-248 — see the DE block
+    // for context. The filter-bar time axis now mounts the symmetric
+    // date-range picker whose labels live under date_range.horizon.*.
     "views.bar.personal.on": "Mine only",
     "views.bar.approval_role.approver_eligible": "To approve",
     "views.bar.approval_role.self_requested": "My requests",
@@ -5681,21 +5946,22 @@ const translations: Record<Lang, Record<string, string>> = {
     "views.bar.save.error.network": "Network error — please retry.",
 
     // t-paliad-192 Slice 11b — Admin rule-editor UI.
-    "nav.admin.rules": "Manage Rules",
-    "nav.admin.rules_export": "Rule Migrations",
-    "admin.card.rules.title": "Manage Rules",
-    "admin.card.rules.desc": "Author, edit and publish deadline rules. Audit log, preview, migration export.",
+    // t-paliad-262 Slice A — "Rule" relabelled as "Procedural event".
+    "nav.admin.rules": "Manage procedural events",
+    "nav.admin.rules_export": "Procedural-event migrations",
+    "admin.card.rules.title": "Manage procedural events",
+    "admin.card.rules.desc": "Author, edit and publish procedural-event templates. Audit log, preview, migration export.",
 
-    "admin.rules.list.title": "Manage Rules — Paliad",
-    "admin.rules.list.heading": "Manage Rules",
-    "admin.rules.list.subtitle": "Author, edit and publish deadline rules. Lifecycle: draft → published → archived.",
-    "admin.rules.list.new": "+ New Rule",
+    "admin.rules.list.title": "Manage procedural events — Paliad",
+    "admin.rules.list.heading": "Manage procedural events",
+    "admin.rules.list.subtitle": "Author, edit and publish procedural events (filings, hearings, decisions, …). Lifecycle: draft → published → archived.",
+    "admin.rules.list.new": "+ New procedural event",
     "admin.rules.list.export": "Export migrations",
     "admin.rules.tab.rules": "Rules",
     "admin.rules.tab.orphans": "Orphans",
     "admin.rules.loading": "Loading…",
-    "admin.rules.empty": "No rules for the chosen filters.",
-    "admin.rules.error.load": "Could not load rules.",
+    "admin.rules.empty": "No procedural events for the chosen filters.",
+    "admin.rules.error.load": "Could not load procedural events.",
 
     "admin.rules.filter.proceeding": "Proceeding type",
     "admin.rules.filter.proceeding.any": "Any",
@@ -5706,7 +5972,7 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.filter.search": "Search",
     "admin.rules.filter.search.placeholder": "Name, submission code, legal citation…",
 
-    "admin.rules.col.submission_code": "Submission code",
+    "admin.rules.col.submission_code": "Code (procedural event)",
     "admin.rules.col.legal_citation": "Legal citation",
     "admin.rules.col.name": "Name",
     "admin.rules.col.proceeding": "Proceeding type",
@@ -5736,8 +6002,8 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.orphans.reason.manual_unbound": "Manually unbound",
     "admin.rules.orphans.resolved": "Orphan resolved.",
 
-    "admin.rules.modal.new.title": "Create new rule",
-    "admin.rules.modal.new.body": "A new rule will be created as a draft. Please supply a reason (≥10 chars) — recorded in the audit log and exported into the migration file.",
+    "admin.rules.modal.new.title": "Create new procedural event",
+    "admin.rules.modal.new.body": "A new procedural event will be created as a draft. Please supply a reason (≥10 chars) — recorded in the audit log and exported into the migration file.",
     "admin.rules.modal.resolve.title": "Resolve orphan",
     "admin.rules.modal.resolve.body": "Please supply a reason (≥10 chars). The rule binding is persisted immediately on the deadline.",
     "admin.rules.modal.reason": "Reason",
@@ -5752,12 +6018,12 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.modal.error.create": "Creation failed.",
     "admin.rules.modal.error.resolve": "Resolution failed.",
 
-    "admin.rules.edit.title": "Edit Rule — Paliad",
-    "admin.rules.edit.heading.loading": "Loading rule…",
-    "admin.rules.edit.breadcrumb": "← Manage Rules",
-    "admin.rules.edit.error.bad_id": "Invalid rule id in URL.",
-    "admin.rules.edit.error.not_found": "Rule not found.",
-    "admin.rules.edit.error.load": "Could not load rule.",
+    "admin.rules.edit.title": "Edit procedural event — Paliad",
+    "admin.rules.edit.heading.loading": "Loading procedural event…",
+    "admin.rules.edit.breadcrumb": "← Manage procedural events",
+    "admin.rules.edit.error.bad_id": "Invalid procedural-event id in URL.",
+    "admin.rules.edit.error.not_found": "Procedural event not found.",
+    "admin.rules.edit.error.load": "Could not load procedural event.",
 
     "admin.rules.edit.section.identity": "Identity",
     "admin.rules.edit.section.proceeding": "Proceeding & Trigger",
@@ -5770,14 +6036,14 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.edit.field.name": "Name (DE)",
     "admin.rules.edit.field.name_en": "Name (EN)",
     "admin.rules.edit.field.description": "Description",
-    "admin.rules.edit.field.submission_code": "Submission code",
+    "admin.rules.edit.field.submission_code": "Code (procedural-event identifier)",
     "admin.rules.edit.field.rule_code": "Legal citation (short form)",
     "admin.rules.edit.field.legal_source": "Legal citation (long form)",
     "admin.rules.edit.field.proceeding": "Proceeding type",
     "admin.rules.edit.field.proceeding.none": "—",
     "admin.rules.edit.field.trigger": "Trigger event",
     "admin.rules.edit.field.trigger.none": "—",
-    "admin.rules.edit.field.parent": "Parent rule (UUID)",
+    "admin.rules.edit.field.parent": "Parent procedural event (UUID)",
     "admin.rules.edit.field.concept": "Concept (UUID)",
     "admin.rules.edit.field.sequence_order": "Order",
     "admin.rules.edit.field.duration_value": "Duration",
@@ -5789,7 +6055,7 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.edit.field.alt_rule_code": "Alt rule code",
     "admin.rules.edit.field.anchor_alt": "Alt anchor",
     "admin.rules.edit.field.primary_party": "Primary party",
-    "admin.rules.edit.field.event_type": "Event type (free)",
+    "admin.rules.edit.field.event_type": "Procedural-event kind (filing / hearing / decision / order)",
     "admin.rules.edit.field.deadline_notes": "Notes (DE)",
     "admin.rules.edit.field.deadline_notes_en": "Notes (EN)",
     "admin.rules.edit.field.priority": "Priority",
@@ -5868,6 +6134,48 @@ const translations: Record<Lang, Record<string, string>> = {
     "admin.rules.export.ok": "{n} audit rows exported.",
     "admin.rules.export.error": "Export failed.",
     "admin.rules.export.no_pending": "No pending audit rows to export.",
+
+    // Date-range picker (t-paliad-248). See DE block above for details.
+    "date_range.button.label": "Time range",
+    "date_range.button.label.custom_range": "From {from} to {to}",
+    "date_range.horizon.next_1d":  "Today",
+    "date_range.horizon.next_7d":  "Next 7 days",
+    "date_range.horizon.next_14d": "Next 14 days",
+    "date_range.horizon.next_30d": "Next 30 days",
+    "date_range.horizon.next_90d": "Next 90 days",
+    "date_range.horizon.next_all": "All future",
+    "date_range.horizon.past_1d":  "Last day",
+    "date_range.horizon.past_7d":  "Last 7 days",
+    "date_range.horizon.past_14d": "Last 14 days",
+    "date_range.horizon.past_30d": "Last 30 days",
+    "date_range.horizon.past_90d": "Last 90 days",
+    "date_range.horizon.past_all": "All past",
+    "date_range.horizon.any":      "All",
+    "date_range.horizon.custom":   "Customize",
+    "date_range.dialog.label":     "Choose time range",
+    "date_range.fan.past.label":   "Past",
+    "date_range.fan.future.label": "Future",
+    "date_range.center.label":     "All",
+    "date_range.custom.from":      "From",
+    "date_range.custom.to":        "To",
+    "date_range.custom.apply":     "Apply",
+    "date_range.custom.cancel":    "Cancel",
+    "date_range.custom.invalid":            "End date must be strictly after start date.",
+    "date_range.custom.invalid_format":     "Date not recognised (format YYYY-MM-DD).",
+    "date_range.custom.invalid_missing":    "Please fill in both date fields.",
+
+    // t-paliad-262 Slice A — canonical `procedural_event` i18n contract.
+    // Mirrors the DE block; values identical to the legacy
+    // `admin.rules.*` keys. Adding/changing values? Update BOTH sides.
+    "admin.procedural_events.list.title":     "Manage procedural events — Paliad",
+    "admin.procedural_events.list.heading":   "Manage procedural events",
+    "admin.procedural_events.list.new":       "+ New procedural event",
+    "admin.procedural_events.col.code":       "Code (procedural event)",
+    "admin.procedural_events.edit.title":     "Edit procedural event — Paliad",
+    "admin.procedural_events.edit.breadcrumb":"← Manage procedural events",
+    "admin.procedural_events.edit.field.code":         "Code (procedural-event identifier)",
+    "admin.procedural_events.edit.field.event_kind":   "Procedural-event kind (filing / hearing / decision / order)",
+    "admin.procedural_events.edit.field.parent":       "Parent procedural event (UUID)",
   },
 };
 

frontend/src/client/inbox.ts

@@ -6,37 +6,45 @@ import type { FilterSpec, RenderSpec, SystemView, ViewRunResult } from "./views/
 import { renderListShape } from "./views/shape-list";
 import { openApprovalEditModal } from "./components/approval-edit-modal";
 
-// /inbox client — t-paliad-163 universal-filter migration.
+// /inbox client — t-paliad-249 unified inbox feed.
 //
-// The bar owns every axis the old tab UI exposed plus more:
-//   - approval_viewer_role: "Zur Genehmigung" / "Eigene Anfragen" /
-//     "Alle sichtbaren" (collapses the legacy two-tab UI per Q4 lock-in)
-//   - approval_status: chip cluster (default: pending)
-//   - approval_entity_type: chip pair (Frist / Termin)
-//   - time: chip cluster (Any default)
-//   - density: comfortable / compact
-//   - sort: date asc / desc
+// The bar exposes:
+//   - inbox_focus:        coarse Alles / Genehmigungen / +Termine / +Fristen
+//   - unread_only:        Nur ungelesen / Alle (default: ungelesen)
+//   - time:               last 30 days default; chip cluster + custom range
+//   - project:            single-select autocomplete from visible projects
+//   - approval_viewer_role: Zur Genehmigung / Eigene / Alle sichtbaren
+//   - approval_status / approval_entity_type / project_event_kind: power-user overrides
+//   - sort / density:     newest first default
 //
-// Row rendering: shape-list.ts with row_action="approve" stamps the
-// inbox markup (entity title, diff, approve/reject/revoke buttons).
-// We wire action click handlers in onResult and refresh through the
-// bar handle.
+// Row rendering: shape-list.ts with row_action="inbox" dispatches per
+// row.kind. Approval rows keep approve/reject/revoke; project_event
+// rows render compact with an Öffnen link.
 
 const INBOX_AXES: AxisKey[] = [
+  "inbox_focus",
+  "unread_only",
   "time",
+  "project",
   "approval_viewer_role",
   "approval_status",
   "approval_entity_type",
-  "density",
+  "project_event_kind",
   "sort",
+  "density",
 ];
 
+// Last paint's newest row timestamp — used to pin mark-all-seen so a
+// second tab can't race the cursor past items the user hasn't seen.
+let newestVisibleAt: string | null = null;
+
 let bar: BarHandle | null = null;
 
 document.addEventListener("DOMContentLoaded", () => {
   initI18n();
   initSidebar();
   applyLegacyTabRedirect();
+  wireMarkAllSeen();
   void hydrate();
 });
 
@@ -105,15 +113,25 @@ function paint(
   if (!result.rows || result.rows.length === 0) {
     results.innerHTML = "";
     empty.style.display = "";
-    empty.textContent = t("approvals.empty.pending_mine");
+    empty.textContent = t("inbox.empty.feed");
+    newestVisibleAt = null;
     void maybeShowAdminNudge();
     return;
   }
   hideAdminNudge();
   empty.style.display = "none";
 
+  // Remember the newest timestamp so mark-all-seen can pin the cursor
+  // to it (race-safety: a second tab adding a row between this paint
+  // and the click won't get wiped out).
+  newestVisibleAt = result.rows.reduce<string | null>((acc, r) => {
+    if (!acc) return r.event_date;
+    return r.event_date > acc ? r.event_date : acc;
+  }, null);
+
   // shape-list.ts honours render.list.row_action — InboxSystemView's
-  // RenderSpec sets row_action="approve" so we get the inbox markup.
+  // RenderSpec sets row_action="inbox" so we get the unified dispatch
+  // (approval rows + project_event rows).
   renderListShape(results, result.rows, render);
 
   // Wire action handlers on the freshly stamped DOM. The action
@@ -122,6 +140,38 @@ function paint(
   wireApprovalActions(results);
 }
 
+// wireMarkAllSeen wires the page-header "Alles als gelesen markieren"
+// button. POSTs the newest visible row's timestamp as `up_to` so a
+// stale second tab can't rewind anyone else's cursor; on success the
+// bar refreshes (rows newer than now disappear under unread_only) and
+// the sidebar badge re-counts.
+function wireMarkAllSeen(): void {
+  const btn = document.getElementById("inbox-mark-all-seen") as HTMLButtonElement | null;
+  if (!btn) return;
+  btn.addEventListener("click", async () => {
+    btn.disabled = true;
+    try {
+      const body = newestVisibleAt ? JSON.stringify({ up_to: newestVisibleAt }) : "{}";
+      const r = await fetch("/api/inbox/mark-all-seen", {
+        method: "POST",
+        credentials: "include",
+        headers: { "Content-Type": "application/json" },
+        body,
+      });
+      if (!r.ok) {
+        alert(t("approvals.error.internal"));
+        return;
+      }
+      await bar?.refresh();
+      await refreshInboxBadge();
+    } catch (_e) {
+      alert("Network error");
+    } finally {
+      btn.disabled = false;
+    }
+  });
+}
+
 function wireApprovalActions(host: HTMLElement): void {
   host.querySelectorAll<HTMLButtonElement>(".views-approval-action").forEach((btn) => {
     const action = btn.dataset.action as

frontend/src/client/projects-detail.ts

@@ -16,6 +16,7 @@ import type { FilterSpec, RenderSpec } from "./views/types";
 import { renderSmartTimeline, type TimelineEvent as SmartTimelineEvent, type LaneInfo as SmartTimelineLane } from "./views/shape-timeline";
 import { loadAndRenderSubmissions } from "./submissions";
 import { buildMailtoHref, type BroadcastRecipient } from "./broadcast";
+import { formatRuleLabelHTML, formatCustomRuleLabelHTML } from "./rule-label";
 
 interface Project {
   id: string;
@@ -142,6 +143,11 @@ interface Deadline {
   status: string;
   rule_id?: string;
   rule_code?: string;
+  rule_name?: string;
+  rule_name_en?: string;
+  // t-paliad-258 — free-text rule label when the deadline was saved in
+  // Custom mode. Mutually exclusive with rule_id.
+  custom_rule_text?: string;
   // Populated by the union endpoint (/api/events) which is what the project
   // detail page calls — used for attribution when the row lives on a
   // descendant project (t-paliad-139).
@@ -175,7 +181,8 @@ type TabId =
   | "appointments"
   | "notes"
   | "checklists"
-  | "submissions";
+  | "submissions"
+  | "settings";
 
 const VALID_TABS: TabId[] = [
   "history",
@@ -187,6 +194,7 @@ const VALID_TABS: TabId[] = [
   "notes",
   "checklists",
   "submissions",
+  "settings",
 ];
 
 // Legacy German tab slugs that may appear in bookmarked URLs after the
@@ -389,18 +397,26 @@ function applyVerlaufFilters(rows: ProjectEvent[]): ProjectEvent[] {
 // horizons that show up on the Verlauf bar. Forward-looking horizons
 // (next_*) are absent on this surface — the timePresets override hides
 // them — but the function tolerates them for forward-compatibility with
-// the SmartTimeline redesign.
+// the SmartTimeline redesign. Open-ended ranges (next_all / past_all)
+// leave the matching bound undefined; the upstream filter treats that
+// as "no narrowing in that direction".
 function horizonBounds(horizon: string): { from?: Date; to?: Date } {
   const now = new Date();
   const day = new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate()));
   const offset = (days: number) => new Date(day.getTime() + days * 86400000);
   switch (horizon) {
+    case "past_1d":  return { from: offset(-1),  to: offset(1) };
     case "past_7d":  return { from: offset(-7),  to: offset(1) };
+    case "past_14d": return { from: offset(-14), to: offset(1) };
     case "past_30d": return { from: offset(-30), to: offset(1) };
     case "past_90d": return { from: offset(-90), to: offset(1) };
+    case "past_all": return {                    to: offset(1) };
+    case "next_1d":  return { from: day,         to: offset(1) };
     case "next_7d":  return { from: day,         to: offset(7) };
+    case "next_14d": return { from: day,         to: offset(14) };
     case "next_30d": return { from: day,         to: offset(30) };
     case "next_90d": return { from: day,         to: offset(90) };
+    case "next_all": return { from: day                       };
     default:         return {};
   }
 }
@@ -803,6 +819,9 @@ interface UnionEvent {
   status?: string;
   rule_id?: string;
   rule_code?: string;
+  rule_name?: string;
+  rule_name_en?: string;
+  custom_rule_text?: string;
   start_at?: string;
   end_at?: string;
   location?: string;
@@ -830,6 +849,9 @@ async function loadDeadlines(id: string) {
           status: it.status ?? "pending",
           rule_id: it.rule_id,
           rule_code: it.rule_code,
+          rule_name: it.rule_name,
+          rule_name_en: it.rule_name_en,
+          custom_rule_text: it.custom_rule_text,
           project_title: it.project_title,
         }));
     } else {
@@ -999,6 +1021,27 @@ function fmtDateOnly(iso: string): string {
   }
 }
 
+// formatDeadlineRuleCell renders the REGEL column for the project
+// detail Fristen table using the canonical t-paliad-258 contract:
+//   1. catalog rule (rule_name / rule_name_en + rule_code) → "Name · Code"
+//   2. custom_rule_text → text + "Custom" badge
+//   3. legacy rule_code-only saves → bare citation
+//   4. otherwise "—"
+function formatDeadlineRuleCell(f: Deadline): string {
+  const hasName = (f.rule_name && f.rule_name.trim()) ||
+    (f.rule_name_en && f.rule_name_en.trim());
+  if (hasName || (f.rule_code && f.rule_code.trim())) {
+    return formatRuleLabelHTML(
+      { name: f.rule_name || "", name_en: f.rule_name_en, rule_code: f.rule_code },
+      esc,
+    );
+  }
+  if (f.custom_rule_text && f.custom_rule_text.trim()) {
+    return formatCustomRuleLabelHTML(f.custom_rule_text, esc);
+  }
+  return "—";
+}
+
 function urgencyClass(due: string, status: string): string {
   if (status === "completed") return "frist-urgency-done";
   const today = new Date();
@@ -1037,7 +1080,7 @@ function renderDeadlines() {
         </td>
         <td class="frist-col-due ${urgency}"><span class="frist-due-dot"></span>${fmtDateOnly(f.due_date)}</td>
         <td class="frist-col-title ${titleClass}">${esc(f.title)}${attributionChip(f.project_id, f.project_title)}</td>
-        <td class="frist-col-rule">${f.rule_code ? esc(f.rule_code) : "—"}</td>
+        <td class="frist-col-rule">${formatDeadlineRuleCell(f)}</td>
         <td><span class="entity-status-chip entity-status-${esc(f.status)}">${esc(statusLabel)}</span></td>
       </tr>`;
     })
@@ -1185,13 +1228,16 @@ function renderHeader() {
     netdocs.style.display = "none";
   }
 
-  // Delete visibility: partner/admin only
+  // Delete visibility: partner/admin only. The Verwaltung tab's archive
+  // sub-section mirrors the same gate (t-paliad-245) — it only points at
+  // the Edit-modal danger zone, so it's pointless to show when the danger
+  // zone itself is hidden.
   const deleteWrap = document.getElementById("project-delete-wrap")!;
-  if (me && (me.global_role === "global_admin")) {
-    deleteWrap.style.display = "";
-  } else {
-    deleteWrap.style.display = "none";
-  }
+  const archiveSection = document.getElementById("project-settings-archive");
+  const canArchive = !!me && me.global_role === "global_admin";
+  deleteWrap.style.display = canArchive ? "" : "none";
+  if (archiveSection) archiveSection.style.display = canArchive ? "" : "none";
+  updateSettingsTabVisibility();
 }
 
 // wrapEventTitleLink — kept for the dashboard activity feed which reuses
@@ -2045,6 +2091,17 @@ function initEditModal() {
     });
   }
 
+  // Verwaltung → Projekt archivieren — opens the edit modal scrolled to
+  // the danger-zone archive button (t-paliad-245).
+  const archiveLink = document.getElementById(
+    "project-settings-archive-link",
+  ) as HTMLButtonElement | null;
+  if (archiveLink) {
+    archiveLink.addEventListener("click", () => {
+      openEditModal("project-delete-btn");
+    });
+  }
+
   form.addEventListener("submit", async (e) => {
     e.preventDefault();
     if (!project) return;
@@ -2991,17 +3048,21 @@ function canExportProject(): boolean {
   );
 }
 
-// wireExportButton reveals + hooks up the project-export button on the
-// tabs nav. Triggers a download via a transient <a download> — same
-// pattern as the personal export in client/settings.ts.
+// wireExportButton reveals the Export sub-section of the Verwaltung tab
+// (t-paliad-245) and hooks up the project-export button. Triggers a
+// download via a transient <a download> — same pattern as the personal
+// export in client/settings.ts.
 function wireExportButton(projectID: string): void {
+  const section = document.getElementById("project-settings-export") as HTMLElement | null;
   const btn = document.getElementById("project-export-btn") as HTMLButtonElement | null;
-  if (!btn) return;
+  if (!section || !btn) return;
   if (!canExportProject()) {
-    btn.style.display = "none";
+    section.style.display = "none";
+    updateSettingsTabVisibility();
     return;
   }
-  btn.style.display = "";
+  section.style.display = "";
+  updateSettingsTabVisibility();
   btn.addEventListener("click", () => {
     const a = document.createElement("a");
     a.href = `/api/projects/${encodeURIComponent(projectID)}/export`;
@@ -3012,6 +3073,17 @@ function wireExportButton(projectID: string): void {
   });
 }
 
+// updateSettingsTabVisibility hides the Verwaltung tab when none of its
+// sub-sections are visible to the current user — an empty tab is worse
+// UX than no tab. Called whenever a sub-section's visibility flips.
+function updateSettingsTabVisibility(): void {
+  const tab = document.querySelector<HTMLElement>('.entity-tab[data-tab="settings"]');
+  if (!tab) return;
+  const exportShown = document.getElementById("project-settings-export")?.style.display !== "none";
+  const archiveShown = document.getElementById("project-settings-archive")?.style.display !== "none";
+  tab.style.display = exportShown || archiveShown ? "" : "none";
+}
+
 function canRemoveTeamMember(m: ProjectTeamMember): boolean {
   if (!me) return false;
   if (m.user_id === me.id) return true;

frontend/src/client/rule-label.ts

@@ -0,0 +1,87 @@
+// rule-label — canonical display contract for deadline rules.
+//
+// t-paliad-258 / m/paliad#89 addendum. Previously each surface (deadline
+// form, list rows, detail header, Schriftsätze tab, browse-a-proceeding)
+// invented its own pattern: sometimes citation-only, sometimes name-only,
+// sometimes "code — name". m flagged this on the first submissions in a
+// proceeding sequence where the inconsistency was most visible.
+//
+// Canonical pattern: **Name primary, Citation muted secondary**.
+//   Text: "Notice of Appeal · UPC.RoP.220.1"
+//   HTML: <span class="rule-label-name">Notice of Appeal</span>
+//         <span class="rule-label-sep"> · </span>
+//         <span class="rule-label-cite">UPC.RoP.220.1</span>
+//
+// Custom rules (t-paliad-258 — free-text label entered by the lawyer):
+//   formatCustomRuleLabel produces "<text>" with a "Custom" badge slot
+//   so list/detail surfaces can render both shapes uniformly.
+
+import { getLang, t } from "./i18n";
+
+export interface RuleLike {
+  name: string;
+  name_en?: string | null;
+  // The catalog carries multiple citation fields depending on which
+  // surface populated it. Order of preference: legal_source > rule_code
+  // > code. All three are accepted so callers don't have to normalise.
+  rule_code?: string | null;
+  code?: string | null;
+  legal_source?: string | null;
+}
+
+// formatRuleLabel returns the canonical plain-text label.
+// Falls back gracefully when either side is missing.
+export function formatRuleLabel(r: RuleLike): string {
+  const lang = getLang();
+  const name = (lang === "en" && r.name_en) ? r.name_en : r.name;
+  const cite = ruleCitation(r);
+  if (name && cite) return `${name} · ${cite}`;
+  return name || cite || "";
+}
+
+// formatRuleLabelHTML returns the canonical HTML form with muted-citation
+// styling. The caller passes the HTML-escape helper so we don't pull a
+// dependency on a specific esc() module — every surface already has one.
+export function formatRuleLabelHTML(r: RuleLike, esc: (s: string) => string): string {
+  const lang = getLang();
+  const name = (lang === "en" && r.name_en) ? r.name_en : r.name;
+  const cite = ruleCitation(r);
+  if (name && cite) {
+    return (
+      `<span class="rule-label-name">${esc(name)}</span>` +
+      `<span class="rule-label-sep"> · </span>` +
+      `<span class="rule-label-cite">${esc(cite)}</span>`
+    );
+  }
+  return esc(name || cite || "");
+}
+
+// ruleCitation returns the best-available citation string for a rule.
+// Exported so callers that need the bare code (e.g. CalDAV exports,
+// inline data attributes) can pull it without going through the label
+// formatter.
+export function ruleCitation(r: RuleLike): string {
+  return r.legal_source || r.rule_code || r.code || "";
+}
+
+// formatCustomRuleLabelHTML — render a free-text custom rule label with
+// a "Custom" badge slot. Used by surfaces that may display either a
+// catalog rule (formatRuleLabelHTML) or a custom one. Returns "" when
+// the text is empty so callers can fall through to "—".
+export function formatCustomRuleLabelHTML(text: string | null | undefined, esc: (s: string) => string): string {
+  const trimmed = (text ?? "").trim();
+  if (!trimmed) return "";
+  const badge = t("deadlines.field.rule.custom_badge") || "Custom";
+  return (
+    `<span class="rule-label-name">${esc(trimmed)}</span>` +
+    `<span class="rule-label-badge rule-label-badge--custom">${esc(badge)}</span>`
+  );
+}
+
+// formatCustomRuleLabel — plain-text equivalent of the above.
+export function formatCustomRuleLabel(text: string | null | undefined): string {
+  const trimmed = (text ?? "").trim();
+  if (!trimmed) return "";
+  const badge = t("deadlines.field.rule.custom_badge") || "Custom";
+  return `${trimmed} · ${badge}`;
+}

frontend/src/client/sidebar.ts

@@ -11,6 +11,13 @@ const WIDTH_KEY = "paliad-sidebar-width";
 const SIDEBAR_WIDTH_MIN = 180;
 const SIDEBAR_WIDTH_MAX = 480;
 const SIDEBAR_WIDTH_DEFAULT = 240;
+// Per-tab scroll position of the .sidebar-nav scroll container. Persisted
+// on every scroll event, restored on initSidebar() so a full-page nav
+// click doesn't bounce the user back to the top of a long sidebar
+// (Werkzeuge + projects + user views can easily overflow). sessionStorage
+// scopes it to the tab — opening a sidebar link in a new tab (Cmd-click)
+// starts that tab fresh at the top, which matches user expectation.
+const SCROLL_KEY = "paliad.sidebar.scroll";
 
 // toggleMobileSidebar opens or closes the slide-out drawer. Exposed so the
 // BottomNav menu slot can call it without duplicating the open/close
@@ -49,6 +56,23 @@ function applySidebarWidth(px: number): void {
   document.documentElement.style.setProperty("--sidebar-width", `${px}px`);
 }
 
+// readStoredScroll returns the persisted scrollTop or 0 when missing /
+// malformed. Bounds are checked at apply time against the actual
+// scrollHeight, so a stale value pointing past the current scroll range
+// is harmless (the browser clamps assignments to [0, max]).
+function readStoredScroll(): number {
+  const raw = sessionStorage.getItem(SCROLL_KEY);
+  if (raw === null) return 0;
+  const n = parseInt(raw, 10);
+  if (!Number.isFinite(n) || n < 0) return 0;
+  return n;
+}
+
+function applySidebarScroll(nav: HTMLElement, px: number): void {
+  if (px <= 0) return;
+  nav.scrollTop = px;
+}
+
 // migrateLegacyPinKey copies the pre-rebrand pin state into the new key on
 // first load and removes the stale entry. Drop this fallback once the rename
 // grace period is over.
@@ -79,6 +103,7 @@ export function initSidebar() {
   const sidebar = document.querySelector<HTMLElement>(".sidebar");
   if (!sidebar) return;
   initSidebarResize(sidebar);
+  initSidebarScrollRestore(sidebar);
 
   const pinBtn = sidebar.querySelector<HTMLButtonElement>(".sidebar-pin");
   const hamburger = document.querySelector<HTMLButtonElement>(".sidebar-hamburger");
@@ -293,6 +318,29 @@ function initSidebarResize(sidebar: HTMLElement): void {
   });
 }
 
+// initSidebarScrollRestore wires the .sidebar-nav scroll container to
+// sessionStorage so the user's scroll position survives a full-page
+// navigation (every sidebar link click is a real reload — see m/paliad#85).
+// Restore is synchronous on init so the first paint is already at the
+// right offset; the passive scroll listener persists subsequent moves.
+// reapplySidebarScroll() exists so callers that mutate sidebar content
+// async (initUserViewsGroup appending /api/user-views into the Ansichten
+// group) can nudge the scroll back to where it was after the layout shift.
+function initSidebarScrollRestore(sidebar: HTMLElement): void {
+  const nav = sidebar.querySelector<HTMLElement>(".sidebar-nav");
+  if (!nav) return;
+  applySidebarScroll(nav, readStoredScroll());
+  nav.addEventListener("scroll", () => {
+    sessionStorage.setItem(SCROLL_KEY, String(nav.scrollTop));
+  }, { passive: true });
+}
+
+function reapplySidebarScroll(): void {
+  const nav = document.querySelector<HTMLElement>(".sidebar .sidebar-nav");
+  if (!nav) return;
+  applySidebarScroll(nav, readStoredScroll());
+}
+
 // Changelog badge — fetches the count of entries newer than the locally
 // stored "last seen" stamp and renders a dot + number on the Neuigkeiten
 // link. Skipped on the changelog page itself because changelog.ts stamps
@@ -432,6 +480,11 @@ function initUserViewsGroup(): void {
       for (const view of views) {
         items.appendChild(renderUserViewItem(view, currentPath));
       }
+      // The synchronous restore in initSidebarScrollRestore() happened
+      // before these views were appended, so a saved scrollTop that
+      // pointed below the Ansichten group would now sit on the wrong
+      // row. Re-apply once the layout has stabilised.
+      reapplySidebarScroll();
       // After rendering, kick off count refresh for views that opted in.
       for (const view of views) {
         if (view.show_count) {

frontend/src/client/submission-draft.ts

@@ -20,13 +20,25 @@ interface SubmissionDraftJSON {
   submission_code: string;
   user_id: string;
   name: string;
+  // t-paliad-276 — per-draft output language ("de" or "en"). Drives the
+  // template-variant lookup and language-aware variable resolution.
+  language: string;
   variables: Record<string, string>;
+  selected_parties: string[];
   last_exported_at?: string | null;
   last_exported_sha?: string | null;
+  last_imported_at?: string | null;
   created_at: string;
   updated_at: string;
 }
 
+interface AvailablePartyJSON {
+  id: string;
+  name: string;
+  role?: string;
+  representative?: string;
+}
+
 interface SubmissionRuleSummary {
   name: string;
   name_en: string;
@@ -46,6 +58,12 @@ interface SubmissionDraftView {
   lang: string;
   has_template: boolean;
   template_missing?: boolean;
+  available_parties: AvailablePartyJSON[];
+  // t-paliad-276 — template-tier metadata used to surface the
+  // "Fallback: universelles Skelett" notice when the requested draft
+  // language has no per-firm language-matched template.
+  template_tier?: string;
+  language_fallback?: boolean;
 }
 
 interface SubmissionDraftListResponse {
@@ -155,14 +173,29 @@ const VARIABLE_LABELS: Record<string, VariableLabel> = {
   "parties.defendant.representative":{ de: "Beklagten-Vertreter",         en: "Defendant representative" },
   "parties.other.name":              { de: "Weitere Partei",              en: "Other party" },
   "parties.other.representative":    { de: "Weitere-Partei-Vertreter",    en: "Other party representative" },
-  "rule.submission_code":            { de: "Schriftsatz-Code",            en: "Submission code" },
-  "rule.name":                       { de: "Schriftsatz",                 en: "Submission" },
-  "rule.name_de":                    { de: "Schriftsatz (DE)",            en: "Submission (DE)" },
-  "rule.name_en":                    { de: "Schriftsatz (EN)",            en: "Submission (EN)" },
-  "rule.legal_source":               { de: "Rechtsgrundlage (Code)",      en: "Legal source (code)" },
-  "rule.legal_source_pretty":        { de: "Rechtsgrundlage",             en: "Legal source" },
-  "rule.primary_party":              { de: "Partei (typisch)",            en: "Primary party" },
-  "rule.event_type":                 { de: "Schriftsatz-Typ",             en: "Event type" },
+  // Procedural-event namespace (t-paliad-262 Slice A, design doc
+  // docs/design-procedural-events-model-2026-05-25.md). The canonical
+  // placeholder names are below; the `rule.*` aliases that follow are
+  // @deprecated but kept forever per m's Q7 lock — existing Word
+  // templates and saved drafts authored with the old names keep
+  // merging identically.
+  "procedural_event.code":               { de: "Code (Verfahrensschritt)",    en: "Code (procedural event)" },
+  "procedural_event.name":               { de: "Verfahrensschritt",           en: "Procedural event" },
+  "procedural_event.name_de":            { de: "Verfahrensschritt (DE)",      en: "Procedural event (DE)" },
+  "procedural_event.name_en":            { de: "Verfahrensschritt (EN)",      en: "Procedural event (EN)" },
+  "procedural_event.legal_source":       { de: "Rechtsgrundlage (Code)",      en: "Legal source (code)" },
+  "procedural_event.legal_source_pretty":{ de: "Rechtsgrundlage",             en: "Legal source" },
+  "procedural_event.primary_party":      { de: "Partei (typisch)",            en: "Primary party" },
+  "procedural_event.event_kind":         { de: "Art des Verfahrensschritts",  en: "Procedural-event kind" },
+  // Legacy aliases — @deprecated, kept forever (m/paliad#93 Q7).
+  "rule.submission_code":            { de: "Schriftsatz-Code (legacy)",      en: "Submission code (legacy)" },
+  "rule.name":                       { de: "Schriftsatz (legacy)",           en: "Submission (legacy)" },
+  "rule.name_de":                    { de: "Schriftsatz (DE, legacy)",       en: "Submission (DE, legacy)" },
+  "rule.name_en":                    { de: "Schriftsatz (EN, legacy)",       en: "Submission (EN, legacy)" },
+  "rule.legal_source":               { de: "Rechtsgrundlage (Code, legacy)", en: "Legal source (code, legacy)" },
+  "rule.legal_source_pretty":        { de: "Rechtsgrundlage (legacy)",       en: "Legal source (legacy)" },
+  "rule.primary_party":              { de: "Partei (typisch, legacy)",       en: "Primary party (legacy)" },
+  "rule.event_type":                 { de: "Schriftsatz-Typ (legacy)",       en: "Event type (legacy)" },
   "deadline.due_date":               { de: "Frist (ISO)",                 en: "Deadline (ISO)" },
   "deadline.due_date_long_de":       { de: "Frist (DE lang)",             en: "Deadline (DE long)" },
   "deadline.due_date_long_en":       { de: "Frist (EN lang)",             en: "Deadline (EN long)" },
@@ -174,14 +207,14 @@ const VARIABLE_LABELS: Record<string, VariableLabel> = {
 
 const VARIABLE_GROUPS: VariableGroup[] = [
   {
-    id: "rule",
-    label: { de: "Schriftsatz", en: "Submission" },
+    id: "procedural_event",
+    label: { de: "Verfahrensschritt", en: "Procedural event" },
     keys: [
-      "rule.name",
-      "rule.legal_source_pretty",
-      "rule.primary_party",
-      "rule.event_type",
-      "rule.submission_code",
+      "procedural_event.name",
+      "procedural_event.legal_source_pretty",
+      "procedural_event.primary_party",
+      "procedural_event.event_kind",
+      "procedural_event.code",
     ],
   },
   {
@@ -386,7 +419,7 @@ async function fetchGlobalView(draftID: string): Promise<SubmissionDraftView> {
   return resp.json();
 }
 
-async function patchDraft(payload: { name?: string; variables?: Record<string, string>; project_id?: string | null }): Promise<SubmissionDraftView> {
+async function patchDraft(payload: { name?: string; variables?: Record<string, string>; project_id?: string | null; selected_parties?: string[]; language?: string }): Promise<SubmissionDraftView> {
   const p = state.parsed;
   if (!p.draftID) throw new Error("no draft id");
   if (state.inFlight) {
@@ -436,6 +469,10 @@ function paint(): void {
   paintNoProjectBanner();
   paintSwitcher();
   paintNameRow();
+  paintImportRow();
+  paintPartyPicker();
+  paintLanguageRow();
+  paintLanguageFallback();
   paintVariables();
   paintPreview();
 }
@@ -547,6 +584,193 @@ function paintNameRow(): void {
   if (exportBtn) exportBtn.onclick = () => onExport(exportBtn);
 }
 
+// t-paliad-277 — "Aus Projekt importieren" + last-imported-at stamp.
+// Hidden when the draft has no project (no project state to import).
+function paintImportRow(): void {
+  const row = document.getElementById("submission-draft-import-row");
+  const btn = document.getElementById("submission-draft-import-btn") as HTMLButtonElement | null;
+  const stamp = document.getElementById("submission-draft-import-stamp");
+  if (!row || !btn || !stamp || !state.view) return;
+
+  if (!state.view.draft.project_id) {
+    row.style.display = "none";
+    return;
+  }
+  row.style.display = "";
+
+  const last = state.view.draft.last_imported_at;
+  if (last) {
+    stamp.textContent = (isEN() ? "Last imported: " : "Zuletzt importiert: ") + formatStamp(last);
+  } else {
+    stamp.textContent = isEN() ? "Never imported" : "Noch nicht importiert";
+  }
+  btn.onclick = () => { void onImportFromProject(btn); };
+}
+
+// t-paliad-277 — multi-select party picker. Lists every party on the
+// draft's project (view.available_parties), grouped by role, with one
+// checkbox per party. Checked = include in the variable bag. Empty
+// selection falls back to the legacy "include every party" default
+// (consistent with the migration default).
+function paintPartyPicker(): void {
+  const block = document.getElementById("submission-draft-parties");
+  const list = document.getElementById("submission-draft-parties-list");
+  if (!block || !list || !state.view) return;
+
+  const parties = state.view.available_parties ?? [];
+  if (!state.view.draft.project_id || parties.length === 0) {
+    block.style.display = "none";
+    list.innerHTML = "";
+    return;
+  }
+  block.style.display = "";
+
+  const selected = new Set(state.view.draft.selected_parties ?? []);
+  // Empty selection is the implicit "all" default — pre-check every
+  // party so the lawyer can see what's currently being mentioned and
+  // then deselect what they want to drop. This matches the issue's
+  // "default = all parties on the project, lawyer can deselect" line.
+  const effective = selected.size === 0
+    ? new Set(parties.map((p) => p.id))
+    : selected;
+
+  const grouped = groupPartiesByRole(parties);
+  let html = "";
+  for (const group of grouped) {
+    if (group.parties.length === 0) continue;
+    html += `<fieldset class="submission-draft-parties-group" data-role-bucket="${group.bucket}">`;
+    html += `<legend>${escapeHtml(group.label)}</legend>`;
+    for (const p of group.parties) {
+      const checked = effective.has(p.id) ? " checked" : "";
+      const chip = p.role
+        ? `<span class="submission-draft-party-chip">${escapeHtml(p.role)}</span>`
+        : "";
+      const rep = p.representative
+        ? `<span class="submission-draft-party-rep">${escapeHtml(
+            (isEN() ? "Repr.: " : "Vertr.: ") + p.representative,
+          )}</span>`
+        : "";
+      html += `<label class="submission-draft-party-row">`;
+      html += `<input type="checkbox" class="submission-draft-party-check"`;
+      html += ` data-party-id="${escapeHtml(p.id)}"${checked} />`;
+      html += `<span class="submission-draft-party-name">${escapeHtml(p.name)}</span>`;
+      html += chip;
+      html += rep;
+      html += `</label>`;
+    }
+    html += `</fieldset>`;
+  }
+  list.innerHTML = html;
+
+  list.querySelectorAll<HTMLInputElement>(".submission-draft-party-check").forEach((inp) => {
+    inp.addEventListener("change", () => onPartySelectionChange());
+  });
+}
+
+interface PartyRoleGroup {
+  bucket: "claimant" | "defendant" | "other";
+  label: string;
+  parties: AvailablePartyJSON[];
+}
+
+function groupPartiesByRole(parties: AvailablePartyJSON[]): PartyRoleGroup[] {
+  const claimants: AvailablePartyJSON[] = [];
+  const defendants: AvailablePartyJSON[] = [];
+  const others: AvailablePartyJSON[] = [];
+  for (const p of parties) {
+    const role = (p.role ?? "").trim().toLowerCase();
+    if (role === "claimant" || role === "kläger" || role === "klaeger"
+        || role === "klägerin" || role === "klaegerin") {
+      claimants.push(p);
+    } else if (role === "defendant" || role === "beklagter" || role === "beklagte") {
+      defendants.push(p);
+    } else {
+      others.push(p);
+    }
+  }
+  return [
+    {
+      bucket: "claimant",
+      label: isEN() ? "Claimants" : "Klägerinnen",
+      parties: claimants,
+    },
+    {
+      bucket: "defendant",
+      label: isEN() ? "Defendants" : "Beklagte",
+      parties: defendants,
+    },
+    {
+      bucket: "other",
+      label: isEN() ? "Other parties" : "Weitere Parteien",
+      parties: others,
+    },
+  ];
+}
+
+function formatStamp(iso: string): string {
+  const d = new Date(iso);
+  if (Number.isNaN(d.getTime())) return iso;
+  return d.toLocaleString(isEN() ? "en-GB" : "de-DE");
+}
+
+// paintLanguageRow syncs the DE/EN radio with the loaded draft's
+// language. Switching the radio fires onLanguageChange which PATCHes
+// the draft and lets the server return the freshly-resolved bag +
+// preview HTML (so the lawyer sees the EN form names appear without a
+// manual reload). t-paliad-276.
+function paintLanguageRow(): void {
+  if (!state.view) return;
+  const lang = (state.view.draft.language || "de").toLowerCase();
+  const de = document.getElementById("submission-draft-language-de") as HTMLInputElement | null;
+  const en = document.getElementById("submission-draft-language-en") as HTMLInputElement | null;
+  if (de) {
+    de.checked = lang === "de";
+    de.onchange = () => { void onLanguageChange("de"); };
+  }
+  if (en) {
+    en.checked = lang === "en";
+    en.onchange = () => { void onLanguageChange("en"); };
+  }
+}
+
+// paintLanguageFallback shows / hides the "no language-matched
+// template" notice. The server sets language_fallback=true when the
+// resolved template tier doesn't match the draft's language
+// (e.g. EN draft → DE per-code template, or no skeleton EN sibling).
+function paintLanguageFallback(): void {
+  const el = document.getElementById("submission-draft-language-fallback");
+  if (!el) return;
+  const fallback = !!state.view?.language_fallback;
+  el.style.display = fallback ? "" : "none";
+}
+
+async function onLanguageChange(lang: "de" | "en"): Promise<void> {
+  if (!state.view) return;
+  if ((state.view.draft.language || "de").toLowerCase() === lang) return;
+  setSaveStatus(isEN() ? "Saving…" : "Speichert…");
+  try {
+    const view = await patchDraft({ language: lang });
+    state.view = view;
+    // Repaint everything that depends on language: the DE/EN form
+    // values in the resolved bag, the localized rule name in the
+    // header, and the fallback notice.
+    paintHeader();
+    paintLanguageRow();
+    paintLanguageFallback();
+    paintVariables();
+    paintPreview();
+    setSaveStatus(isEN() ? "Saved" : "Gespeichert");
+  } catch (err) {
+    if ((err as Error).name === "AbortError") return;
+    console.error("submission-draft language switch:", err);
+    setSaveStatus(isEN() ? "Save failed" : "Speichern fehlgeschlagen", true);
+    // Revert the radio to the persisted value so the UI doesn't lie
+    // about which language is active.
+    paintLanguageRow();
+  }
+}
+
+
 function paintVariables(): void {
   const host = document.getElementById("submission-draft-variables");
   if (!host || !state.view) return;
@@ -595,22 +819,236 @@ function paintVariables(): void {
 
   host.querySelectorAll<HTMLInputElement>(".submission-draft-var-input").forEach((inp) => {
     inp.addEventListener("input", () => onVarChange(inp));
+    // t-paliad-274 (B) — focus into a sidebar field highlights every
+    // matching .draft-var span in the preview (sticky while focused,
+    // clears on blur). Survives autosave repaints because paintVariables
+    // is called by flushAutosave and we re-bind every render.
+    inp.addEventListener("focusin", () => onVarFocusEnter(inp.dataset.var ?? ""));
+    inp.addEventListener("focusout", () => onVarFocusLeave(inp.dataset.var ?? ""));
   });
   host.querySelectorAll<HTMLButtonElement>(".submission-draft-var-reset").forEach((btn) => {
     btn.addEventListener("click", () => onVarReset(btn.dataset.resetKey ?? ""));
   });
+  // After repaint, re-apply the active highlight if a field is still
+  // focused (paintVariables runs after autosave; the same input regains
+  // focus via restoreVarFocus and would otherwise emit focusin too
+  // late for our handler — re-apply explicitly).
+  const active = document.activeElement;
+  if (isVarField(active)) {
+    const key = active.dataset.var;
+    if (key) applyPreviewActiveHighlight(key);
+  }
 }
 
 function paintPreview(): void {
   const host = document.getElementById("submission-draft-preview");
   if (!host || !state.view) return;
   host.innerHTML = state.view.preview_html ?? "";
+  wireDraftVars(host);
+  // t-paliad-274 (B) — preview HTML was just blown away by innerHTML,
+  // so any prior --active classes are gone. Re-apply for whichever
+  // sidebar field is currently focused (typing in a field triggers an
+  // autosave round-trip that ends in paintPreview, and the user should
+  // see the highlight stay put across that cycle).
+  const active = document.activeElement;
+  if (isVarField(active)) {
+    const key = active.dataset.var;
+    if (key) applyPreviewActiveHighlight(key);
+  }
+}
+
+// t-paliad-261 (B) — click a substituted variable in the preview to
+// jump to the matching sidebar input. Re-wires on every paintPreview
+// since the preview HTML is replaced wholesale. The server side wraps
+// each substituted placeholder (resolved OR missing marker) in
+// <span class="draft-var" data-var="<key>">…</span>; clicks here scroll
+// the corresponding input into view, focus + select, and flash the row.
+// If the key has no matching sidebar input (derived variables not
+// exposed in VARIABLE_GROUPS), the click is a silent no-op — the span
+// is still rendered so the user gets the visible hint that this is a
+// resolved variable.
+function wireDraftVars(previewHost: HTMLElement): void {
+  previewHost.querySelectorAll<HTMLElement>(".draft-var").forEach((el) => {
+    const key = el.dataset.var;
+    if (!key) return;
+    if (findVarInput(key)) {
+      el.classList.add("draft-var--has-input");
+      el.setAttribute("role", "button");
+      el.setAttribute("tabindex", "0");
+      el.setAttribute(
+        "aria-label",
+        (isEN() ? "Edit variable " : "Variable bearbeiten: ") + labelFor(key),
+      );
+    }
+    el.addEventListener("click", (ev) => onDraftVarClick(key, ev));
+    el.addEventListener("keydown", (ev) => {
+      if (ev.key === "Enter" || ev.key === " ") {
+        ev.preventDefault();
+        onDraftVarClick(key, ev);
+      }
+    });
+  });
+}
+
+function findVarInput(key: string): HTMLInputElement | null {
+  const host = document.getElementById("submission-draft-variables");
+  if (!host) return null;
+  return host.querySelector<HTMLInputElement>(
+    `.submission-draft-var-input[data-var="${cssEscape(key)}"]`,
+  );
+}
+
+function cssEscape(s: string): string {
+  // CSS.escape covers our placeholder keys ([A-Za-z][A-Za-z0-9_.]*) but
+  // older browsers may lack it; defensive fallback escapes characters
+  // CSS treats as special. Placeholder keys never carry whitespace or
+  // quotes so escaping is straightforward.
+  if (typeof CSS !== "undefined" && typeof CSS.escape === "function") {
+    return CSS.escape(s);
+  }
+  return s.replace(/([!"#$%&'()*+,./:;<=>?@[\\\]^`{|}~])/g, "\\$1");
+}
+
+function onDraftVarClick(key: string, ev: Event): void {
+  const input = findVarInput(key);
+  if (!input) return;
+  ev.preventDefault();
+  ev.stopPropagation();
+  // Smooth-scroll the input into view, then focus on the next tick so
+  // the scroll animation has started and the focus call doesn't trigger
+  // a second jarring jump.
+  input.scrollIntoView({ behavior: "smooth", block: "center" });
+  window.setTimeout(() => {
+    input.focus();
+    try {
+      input.select();
+    } catch {
+      /* select() throws on number/email inputs; safe to ignore */
+    }
+  }, 50);
+  flashVarRow(input);
+}
+
+// t-paliad-274 (B) — sidebar-field-focus → preview-occurrence highlight.
+// Reverse direction of the click-to-jump from #92: when the user focuses
+// any .submission-draft-var-input, every matching .draft-var span in the
+// preview gets the --active modifier; on blur (or focus shift to a
+// different field), the previous key's highlights clear and the new
+// key's apply. Sticky-while-focused, not a one-shot flash — the lawyer
+// can scan the preview for "where does this variable land in my prose?"
+// while the field stays focused.
+function onVarFocusEnter(key: string): void {
+  if (!key) return;
+  // Clear any leftover highlight before applying the new one — covers
+  // the focus-shift-without-blur case (Tab between fields).
+  clearPreviewActiveHighlight();
+  applyPreviewActiveHighlight(key);
+}
+
+function onVarFocusLeave(_key: string): void {
+  // We don't need the key here — if focus moves to a different sidebar
+  // input, that input's focusin will re-call apply with the new key
+  // (after our clearPreviewActiveHighlight). If focus leaves the sidebar
+  // entirely, this clears.
+  clearPreviewActiveHighlight();
+}
+
+function applyPreviewActiveHighlight(key: string): void {
+  const host = document.getElementById("submission-draft-preview");
+  if (!host) return;
+  host.querySelectorAll<HTMLElement>(
+    `.draft-var[data-var="${cssEscape(key)}"]`,
+  ).forEach((el) => {
+    el.classList.add("draft-var--active");
+  });
+}
+
+function clearPreviewActiveHighlight(): void {
+  const host = document.getElementById("submission-draft-preview");
+  if (!host) return;
+  host.querySelectorAll<HTMLElement>(".draft-var--active").forEach((el) => {
+    el.classList.remove("draft-var--active");
+  });
+}
+
+function flashVarRow(input: HTMLElement): void {
+  const row = input.closest<HTMLElement>(".submission-draft-var-row");
+  if (!row) return;
+  row.classList.remove("submission-draft-var-row--flash");
+  // Force reflow so removing+re-adding the class restarts the animation
+  // even on rapid successive clicks.
+  void row.offsetWidth;
+  row.classList.add("submission-draft-var-row--flash");
+  window.setTimeout(() => row.classList.remove("submission-draft-var-row--flash"), 1200);
 }
 
 // ─────────────────────────────────────────────────────────────────────
 // Event handlers
 // ─────────────────────────────────────────────────────────────────────
 
+async function onPartySelectionChange(): Promise<void> {
+  if (!state.view) return;
+  const host = document.getElementById("submission-draft-parties-list");
+  if (!host) return;
+  const checks = host.querySelectorAll<HTMLInputElement>(".submission-draft-party-check");
+  const selectedIDs: string[] = [];
+  checks.forEach((c) => {
+    if (c.checked && c.dataset.partyId) selectedIDs.push(c.dataset.partyId);
+  });
+
+  // If the lawyer has checked every party, persist that as an empty
+  // array so the row matches the "implicit all" default semantics — a
+  // future party added to the project will then be picked up
+  // automatically rather than silently dropped from this submission.
+  // If they've unchecked some, persist the actual subset.
+  const available = state.view.available_parties ?? [];
+  const allChecked = selectedIDs.length === available.length;
+  const payload = allChecked ? [] : selectedIDs;
+
+  setSaveStatus(isEN() ? "Saving…" : "Speichert…");
+  try {
+    const view = await patchDraft({ selected_parties: payload });
+    state.view = view;
+    paintImportRow();
+    paintPartyPicker();
+    paintVariables();
+    paintPreview();
+    setSaveStatus(isEN() ? "Saved" : "Gespeichert");
+  } catch (err) {
+    if ((err as Error).name === "AbortError") return;
+    console.error("submission-draft party selection:", err);
+    setSaveStatus(isEN() ? "Save failed" : "Speichern fehlgeschlagen", true);
+  }
+}
+
+async function onImportFromProject(btn: HTMLButtonElement): Promise<void> {
+  if (!state.view) return;
+  const draftID = state.view.draft.id;
+  const originalLabel = btn.textContent ?? "";
+  btn.disabled = true;
+  btn.textContent = isEN() ? "Importing…" : "Importiert…";
+  setSaveStatus(isEN() ? "Importing from project…" : "Importiere aus Projekt…");
+  try {
+    const resp = await fetch(`/api/submission-drafts/${draftID}/import-from-project`, {
+      method: "POST",
+    });
+    if (!resp.ok) throw new Error(`import ${resp.status}`);
+    const view = (await resp.json()) as SubmissionDraftView;
+    state.view = view;
+    paintImportRow();
+    paintPartyPicker();
+    paintVariables();
+    paintPreview();
+    setSaveStatus(isEN() ? "Imported" : "Importiert");
+  } catch (err) {
+    console.error("submission-draft import-from-project:", err);
+    setSaveStatus(isEN() ? "Import failed" : "Import fehlgeschlagen", true);
+  } finally {
+    btn.disabled = false;
+    btn.textContent = originalLabel;
+  }
+}
+
 function onVarChange(input: HTMLInputElement): void {
   const key = input.dataset.var;
   if (!key || !state.view) return;
@@ -643,11 +1081,18 @@ async function flushAutosave(): Promise<void> {
   if (!state.pendingOverrides) return;
   const payload = { variables: state.pendingOverrides };
   state.pendingOverrides = null;
+  // t-paliad-261 (A) — paintVariables() below replaces every input in
+  // the sidebar via innerHTML, which blows away the active-element
+  // reference. Capture the focused input's key + selection range before
+  // the repaint and restore on the new element after, so the user can
+  // keep typing without clicking back into the field.
+  const focusSnap = captureVarFocus();
   try {
     const view = await patchDraft(payload);
     state.view = view;
     paintVariables();
     paintPreview();
+    restoreVarFocus(focusSnap);
     setSaveStatus(isEN() ? "Saved" : "Gespeichert");
   } catch (err) {
     if ((err as Error).name === "AbortError") return;
@@ -656,6 +1101,64 @@ async function flushAutosave(): Promise<void> {
   }
 }
 
+// captureVarFocus / restoreVarFocus — focus-preservation across the
+// paintVariables() innerHTML-replace cycle (t-paliad-261 part A).
+// Tracks selection start/end/direction so the cursor lands exactly
+// where it was before the repaint, including any active selection
+// range. Handles both <input> and <textarea> via the shared
+// HTMLInputElement|HTMLTextAreaElement contract for selectionStart /
+// selectionEnd / selectionDirection / setSelectionRange.
+
+interface VarFocusSnapshot {
+  key: string;
+  start: number | null;
+  end: number | null;
+  dir: "forward" | "backward" | "none";
+}
+
+type SelectableEl = HTMLInputElement | HTMLTextAreaElement;
+
+function isVarField(el: Element | null): el is SelectableEl {
+  if (!el) return false;
+  if (!(el instanceof HTMLInputElement) && !(el instanceof HTMLTextAreaElement)) {
+    return false;
+  }
+  return el.classList.contains("submission-draft-var-input");
+}
+
+function captureVarFocus(): VarFocusSnapshot | null {
+  const active = document.activeElement;
+  if (!isVarField(active)) return null;
+  const key = active.dataset.var;
+  if (!key) return null;
+  return {
+    key,
+    start: active.selectionStart,
+    end: active.selectionEnd,
+    dir: (active.selectionDirection as "forward" | "backward" | "none" | null) ?? "forward",
+  };
+}
+
+function restoreVarFocus(snap: VarFocusSnapshot | null): void {
+  if (!snap) return;
+  const host = document.getElementById("submission-draft-variables");
+  if (!host) return;
+  const next = host.querySelector<SelectableEl>(
+    `.submission-draft-var-input[data-var="${cssEscape(snap.key)}"]`,
+  );
+  if (!next) return;
+  next.focus();
+  if (snap.start !== null && snap.end !== null) {
+    try {
+      next.setSelectionRange(snap.start, snap.end, snap.dir);
+    } catch {
+      /* setSelectionRange throws on inputs whose type doesn't support
+         selection ranges (number, email, etc.); safe to ignore — the
+         focus() call above is enough for those. */
+    }
+  }
+}
+
 async function renameDraft(newName: string): Promise<void> {
   setSaveStatus(isEN() ? "Saving…" : "Speichert…");
   try {

frontend/src/client/verfahrensablauf.ts

@@ -12,6 +12,7 @@ import { initI18n, t, tDyn, getLang, onLangChange } from "./i18n";
 import { initSidebar } from "./sidebar";
 import {
   type DeadlineResponse,
+  type Side,
   calculateDeadlines,
   escHtml,
   formatDate,
@@ -20,10 +21,88 @@ import {
   renderTimelineBody,
   wireDateEditClicks,
 } from "./views/verfahrensablauf-core";
+import {
+  attachEventCardChoices,
+  reseedChips,
+  currentChoices,
+  type EventChoice,
+  type ChoiceKind,
+} from "./views/event-card-choices";
 
 let selectedType = "";
 let lastResponse: DeadlineResponse | null = null;
 
+// Perspective state (t-paliad-250 / m/paliad#81). URL-driven so the
+// view is shareable and survives reload:
+//   ?side=claimant|defendant      → swaps which column owns the user's
+//                                    side (proactive vs reactive label).
+//                                    Default null = claimant-on-the-left.
+//   ?appellant=claimant|defendant → collapses party=both rows into the
+//                                    appellant's column (no mirror).
+//                                    Only meaningful for role-swap
+//                                    proceedings (Appeal etc.). Default
+//                                    null = legacy mirror behaviour.
+let currentSide: Side = null;
+let currentAppellant: Side = null;
+
+// Project-driven auto-fill state (t-paliad-279 / m/paliad#111). When the
+// page is opened with ?project=<id> and that project has our_side set,
+// the side row renders as a read-only chip instead of the radio cluster.
+// The user can flip to free-pick via the "Andere Seite wählen" override
+// link, which clears this flag (radio cluster takes over again).
+let sidePrefilledFromProject = false;
+
+// Proceedings where one party initiates and "both" rows are role-swap
+// (i.e. either party files depending on who acted at the lower
+// instance). For these proceedings the appellant selector is meaningful
+// — when set, "both" rows collapse to a single row in the appellant's
+// column. For first-instance proceedings (Inf, Rev, …) the selector is
+// hidden because there's no appellant axis.
+//
+// Today: every upc.apl.* family member plus dpma.appeal.* and
+// de.inf.olg / de.inf.bgh / de.null.bgh (DE Berufung / Revision).
+// Conservative — false negatives just hide a control; false positives
+// would show an irrelevant control.
+const APPELLANT_AXIS_PROCEEDINGS = new Set([
+  "upc.apl.merits",
+  "upc.apl.cost",
+  "upc.apl.order",
+  "de.inf.olg",
+  "de.inf.bgh",
+  "de.null.bgh",
+  "dpma.appeal.bpatg",
+  "dpma.appeal.bgh",
+  "epa.opp.boa",
+]);
+
+function hasAppellantAxis(proceedingType: string): boolean {
+  return APPELLANT_AXIS_PROCEEDINGS.has(proceedingType);
+}
+
+function readSideFromURL(): Side {
+  const raw = new URLSearchParams(window.location.search).get("side");
+  return raw === "claimant" || raw === "defendant" ? raw : null;
+}
+
+function readAppellantFromURL(): Side {
+  const raw = new URLSearchParams(window.location.search).get("appellant");
+  return raw === "claimant" || raw === "defendant" ? raw : null;
+}
+
+function writeSideToURL(s: Side) {
+  const url = new URL(window.location.href);
+  if (s === null) url.searchParams.delete("side");
+  else url.searchParams.set("side", s);
+  window.history.replaceState(null, "", url.pathname + (url.search ? url.search : "") + url.hash);
+}
+
+function writeAppellantToURL(a: Side) {
+  const url = new URL(window.location.href);
+  if (a === null) url.searchParams.delete("appellant");
+  else url.searchParams.set("appellant", a);
+  window.history.replaceState(null, "", url.pathname + (url.search ? url.search : "") + url.hash);
+}
+
 // Per-rule anchor overrides set by the click-to-edit affordance on
 // timeline / column date cells. Posted as `anchorOverrides` to the
 // /api/tools/fristenrechner calc so downstream rules re-anchor off the
@@ -33,6 +112,37 @@ let lastResponse: DeadlineResponse | null = null;
 const anchorOverrides = new Map<string, string>();
 function clearAnchorOverrides() { anchorOverrides.clear(); }
 
+// Per-event-card choices (t-paliad-265). Unbound on this page (no
+// project context), so persistence is URL-only via `?event_choices=`.
+// Format: comma-separated `submission_code:kind=value` tuples. Same
+// idiom as `?side=` + `?appellant=`.
+let perCardChoices: EventChoice[] = [];
+
+function readChoicesFromURL(): EventChoice[] {
+  const raw = new URLSearchParams(window.location.search).get("event_choices");
+  if (!raw) return [];
+  const out: EventChoice[] = [];
+  for (const tuple of raw.split(",")) {
+    const m = tuple.match(/^([^:]+):([^=]+)=(.+)$/);
+    if (!m) continue;
+    const kind = m[2] as ChoiceKind;
+    if (kind !== "appellant" && kind !== "include_ccr" && kind !== "skip") continue;
+    out.push({ submission_code: m[1], choice_kind: kind, choice_value: m[3] });
+  }
+  return out;
+}
+
+function writeChoicesToURL(choices: EventChoice[]) {
+  const url = new URL(window.location.href);
+  if (choices.length === 0) {
+    url.searchParams.delete("event_choices");
+  } else {
+    const enc = choices.map((c) => `${c.submission_code}:${c.choice_kind}=${c.choice_value}`).join(",");
+    url.searchParams.set("event_choices", enc);
+  }
+  window.history.replaceState(null, "", url.pathname + (url.search ? url.search : "") + url.hash);
+}
+
 type ProcedureView = "timeline" | "columns";
 let procedureView: ProcedureView = "columns";
 
@@ -145,6 +255,7 @@ async function doCalc() {
     flags: readFlags(),
     anchorOverrides: overrides,
     courtId,
+    perCardChoices,
   });
   if (seq !== calcSeq) return;
   if (!data) return;
@@ -154,20 +265,31 @@ async function doCalc() {
 }
 
 // triggerEventLabelFor picks the user-facing "Auslösendes Ereignis"
-// label from the calc response. The root rule (isRootEvent=true) is
-// the first event in the proceeding — e.g. Klageerhebung for
-// upc.inf.cfi, Nichtigkeitsklage for upc.rev.cfi. Falls back to the
-// active proceeding name if no root rule fires (shouldn't happen for
-// healthy data, but safer than a blank). Fallback respects language —
-// proceedingNameEN is consulted on EN before the DE proceedingName
-// (m/paliad#58: prior fallback rendered DE on EN for sub-track
-// proceedings like upc.ccr.cfi which had no rules → no root).
+// label from the calc response. Precedence:
+//
+//   1. Server-supplied triggerEventLabel from proceeding_types
+//      (mig 121, m/paliad#81). UPC Appeal sets this to
+//      "Anfechtbare Entscheidung" / "Appealable Decision" — its rules
+//      all carry a non-zero duration off the trigger date so none is
+//      the root, and the proceedingName fallback ("Berufungsverfahren")
+//      misnamed the input as the proceeding itself.
+//   2. Root rule (isRootEvent=true) — the first event in the
+//      proceeding, e.g. Klageerhebung for upc.inf.cfi,
+//      Nichtigkeitsklage for upc.rev.cfi.
+//   3. Active proceeding name — last-resort fallback. Language-aware
+//      (m/paliad#58: prior code rendered DE on EN for sub-track
+//      proceedings like upc.ccr.cfi which had no rules → no root).
 function triggerEventLabelFor(data: DeadlineResponse): string {
+  const lang = getLang();
+  const curated = lang === "en"
+    ? (data.triggerEventLabelEN || data.triggerEventLabel)
+    : (data.triggerEventLabel || data.triggerEventLabelEN);
+  if (curated) return curated;
   const root = data.deadlines.find((d) => d.isRootEvent);
   if (root) {
-    return getLang() === "en" ? (root.nameEN || root.name) : (root.name || root.nameEN);
+    return lang === "en" ? (root.nameEN || root.name) : (root.name || root.nameEN);
   }
-  if (getLang() === "en") {
+  if (lang === "en") {
     return data.proceedingNameEN || data.proceedingName || "";
   }
   return data.proceedingName || data.proceedingNameEN || "";
@@ -213,7 +335,12 @@ function renderResults(data: DeadlineResponse) {
     : "";
 
   const bodyHtml = procedureView === "columns"
-    ? renderColumnsBody(data, { editable: true, showNotes })
+    ? renderColumnsBody(data, {
+        editable: true,
+        showNotes,
+        side: currentSide,
+        appellant: hasAppellantAxis(selectedType) ? currentAppellant : null,
+      })
     : renderTimelineBody(data, { showParty: true, editable: true, showNotes });
 
   container.innerHTML = headerHtml + noteHtml + bodyHtml;
@@ -221,6 +348,11 @@ function renderResults(data: DeadlineResponse) {
   if (toggle) toggle.style.display = "";
 
   syncTriggerEventLabel();
+
+  // t-paliad-265: rehydrate per-event-card chip indicators after every
+  // re-render so the popover-driven active state survives the
+  // innerHTML rewrite the timeline body just did.
+  reseedChips(container);
 }
 
 function setProceedingPickerCollapsed(collapsed: boolean, displayName?: string) {
@@ -276,6 +408,7 @@ function selectProceeding(btn: HTMLButtonElement) {
 
   void populateCourtPicker("court-picker-row", "court-picker", selectedType);
   syncFlagRows();
+  syncAppellantRowVisibility();
 
   setProceedingPickerCollapsed(true, proceedingDisplayName(btn));
 
@@ -283,6 +416,148 @@ function selectProceeding(btn: HTMLButtonElement) {
   scheduleCalc(0);
 }
 
+// syncAppellantRowVisibility hides the appellant selector for
+// proceedings that have no appellant axis (first-instance Inf, Rev,
+// …). Clears the in-memory state and the URL param when hidden so a
+// shared link with ?appellant= doesn't leak into an unrelated
+// proceeding's render.
+function syncAppellantRowVisibility() {
+  const row = document.getElementById("appellant-row");
+  if (!row) return;
+  const visible = hasAppellantAxis(selectedType);
+  row.style.display = visible ? "" : "none";
+  if (!visible && currentAppellant !== null) {
+    currentAppellant = null;
+    writeAppellantToURL(null);
+    syncRadioGroup("appellant", "");
+  }
+}
+
+function syncRadioGroup(name: string, value: string) {
+  document.querySelectorAll<HTMLInputElement>(`input[type=radio][name=${name}]`).forEach((input) => {
+    input.checked = input.value === value;
+  });
+}
+
+// Project context (t-paliad-279 / m/paliad#111). When the page is opened
+// with ?project=<id> and the project carries an our_side value, the side
+// row renders as a read-only chip with an "Andere Seite wählen" override
+// link. The proceeding picker + appellant axis stay untouched — only the
+// side selector pre-fills.
+interface ProjectOurSide {
+  id: string;
+  our_side?:
+    | "claimant"
+    | "defendant"
+    | "applicant"
+    | "appellant"
+    | "respondent"
+    | "third_party"
+    | "other"
+    | null;
+}
+
+function readProjectFromURL(): string {
+  return new URLSearchParams(window.location.search).get("project") || "";
+}
+
+// ourSideToSide maps the project-level our_side enum (t-paliad-222) onto
+// the side-selector's two-value axis. Active roles (claimant / applicant /
+// appellant) collapse to "claimant"; reactive roles (defendant /
+// respondent) collapse to "defendant"; everything else (third_party /
+// other / NULL) returns null = no pre-fill. Mirrors fristenrechner.ts
+// ourSideToPerspective() so projects render consistently across both
+// surfaces.
+function ourSideToSide(os: ProjectOurSide["our_side"] | undefined): Side {
+  switch (os) {
+    case "claimant":
+    case "applicant":
+    case "appellant":
+      return "claimant";
+    case "defendant":
+    case "respondent":
+      return "defendant";
+    default:
+      return null;
+  }
+}
+
+async function fetchProjectOurSide(projectID: string): Promise<ProjectOurSide | null> {
+  try {
+    const resp = await fetch(`/api/projects/${encodeURIComponent(projectID)}`, {
+      credentials: "same-origin",
+    });
+    if (!resp.ok) return null;
+    return (await resp.json()) as ProjectOurSide;
+  } catch {
+    return null;
+  }
+}
+
+function sideLabelI18n(s: Side): string {
+  if (s === "claimant") return t("deadlines.side.claimant");
+  if (s === "defendant") return t("deadlines.side.defendant");
+  return t("deadlines.side.both");
+}
+
+// renderSideChip swaps the radio cluster for a read-only chip showing
+// the auto-filled side + an "Andere Seite wählen" override link. Called
+// after fetchProjectOurSide resolves to a side. The override link clears
+// the prefilled flag and swaps back to the radio cluster — the user can
+// then pick any side freely.
+function renderSideChip(side: Side) {
+  const cluster = document.getElementById("side-radio-cluster");
+  const chip = document.getElementById("side-chip");
+  const value = document.getElementById("side-chip-value");
+  if (!cluster || !chip || !value) return;
+  cluster.style.display = "none";
+  chip.style.display = "";
+  value.textContent = sideLabelI18n(side);
+}
+
+function showSideRadioCluster() {
+  const cluster = document.getElementById("side-radio-cluster");
+  const chip = document.getElementById("side-chip");
+  if (!cluster || !chip) return;
+  cluster.style.display = "";
+  chip.style.display = "none";
+}
+
+// applySidePrefill takes a project's our_side, maps it to the side axis,
+// and locks the side row to a read-only chip if a mapping exists. URL
+// wins — if ?side= is already explicit, the user (or shared link) has
+// already chosen and we never overwrite. When we do prefill, write the
+// derived side to the URL so reload + back/forward round-trip cleanly.
+function applySidePrefill(os: ProjectOurSide["our_side"] | undefined) {
+  if (readSideFromURL() !== null) return;
+  const next = ourSideToSide(os);
+  if (next === null) return;
+  currentSide = next;
+  writeSideToURL(next);
+  syncRadioGroup("side", next);
+  sidePrefilledFromProject = true;
+  renderSideChip(next);
+  if (lastResponse) renderResults(lastResponse);
+}
+
+function clearSidePrefill() {
+  sidePrefilledFromProject = false;
+  showSideRadioCluster();
+  // Drop ?project= from the URL so a reload doesn't re-lock the side.
+  // ?side= stays — that's the user's last pick at this point.
+  const url = new URL(window.location.href);
+  url.searchParams.delete("project");
+  window.history.replaceState(null, "", url.pathname + (url.search ? url.search : "") + url.hash);
+}
+
+async function initProjectAutofill() {
+  const projectID = readProjectFromURL();
+  if (!projectID) return;
+  const project = await fetchProjectOurSide(projectID);
+  if (!project) return;
+  applySidePrefill(project.our_side);
+}
+
 function applyVerfahrensablaufViewBodyClass(view: ProcedureView) {
   // Mirrors the events.ts pattern (body.events-view-*). The print
   // stylesheet keys `body.verfahrensablauf-view-timeline` to
@@ -321,6 +596,38 @@ function initViewToggle() {
   toggle.style.display = "none";
 }
 
+// initPerspectiveControls hydrates side+appellant from the URL,
+// reflects state into the radio inputs, and wires onchange handlers
+// that update state + URL + re-render. Re-render path skips the
+// /api/tools/fristenrechner round-trip — perspective is a pure
+// projection of the last response, no backend involved.
+function initPerspectiveControls() {
+  currentSide = readSideFromURL();
+  currentAppellant = readAppellantFromURL();
+  syncRadioGroup("side", currentSide ?? "");
+  syncRadioGroup("appellant", currentAppellant ?? "");
+
+  document.querySelectorAll<HTMLInputElement>("input[type=radio][name=side]").forEach((input) => {
+    input.addEventListener("change", () => {
+      if (!input.checked) return;
+      const v = input.value;
+      currentSide = (v === "claimant" || v === "defendant") ? v : null;
+      writeSideToURL(currentSide);
+      if (lastResponse) renderResults(lastResponse);
+    });
+  });
+
+  document.querySelectorAll<HTMLInputElement>("input[type=radio][name=appellant]").forEach((input) => {
+    input.addEventListener("change", () => {
+      if (!input.checked) return;
+      const v = input.value;
+      currentAppellant = (v === "claimant" || v === "defendant") ? v : null;
+      writeAppellantToURL(currentAppellant);
+      if (lastResponse) renderResults(lastResponse);
+    });
+  });
+}
+
 document.addEventListener("DOMContentLoaded", () => {
   initI18n();
   initSidebar();
@@ -390,6 +697,45 @@ document.addEventListener("DOMContentLoaded", () => {
   }
 
   initViewToggle();
+  initPerspectiveControls();
+
+  // t-paliad-265 — per-event-card choices. Unbound surface, so commits
+  // mutate the in-memory list + URL, then trigger a recalc. The
+  // popover module owns the popover lifecycle; this page owns the
+  // recalc + URL plumbing.
+  perCardChoices = readChoicesFromURL();
+  const timelineEl = document.getElementById("timeline-container");
+  if (timelineEl) {
+    attachEventCardChoices({
+      container: timelineEl,
+      initial: perCardChoices,
+      commit: (choice) => {
+        perCardChoices = perCardChoices.filter(
+          (c) => !(c.submission_code === choice.submission_code && c.choice_kind === choice.choice_kind),
+        );
+        perCardChoices.push(choice);
+        writeChoicesToURL(perCardChoices);
+        scheduleCalc(0);
+      },
+      remove: (submissionCode, kind) => {
+        perCardChoices = perCardChoices.filter(
+          (c) => !(c.submission_code === submissionCode && c.choice_kind === kind),
+        );
+        writeChoicesToURL(perCardChoices);
+        scheduleCalc(0);
+      },
+    });
+  }
+
+  // t-paliad-279 — override link on the prefilled side chip — swaps back
+  // to the radio cluster and clears ?project= from the URL.
+  document.getElementById("side-chip-override")?.addEventListener("click", clearSidePrefill);
+
+  // Project autofill — runs after the radio cluster has its URL-driven
+  // state so we never clobber an explicit ?side= pick. Fire-and-forget;
+  // the chip swap happens once the project resolves.
+  void initProjectAutofill();
+
 
   onLangChange(() => {
     // Active-button name updates with language change (the data-i18n
@@ -401,6 +747,12 @@ document.addEventListener("DOMContentLoaded", () => {
       const summary = document.getElementById("proceeding-summary-name");
       if (summary) summary.textContent = proceedingDisplayName(activeBtn);
     }
+    // Side-chip label tracks language so a DE/EN flip while the chip is
+    // visible re-renders the inferred side in the active language.
+    if (sidePrefilledFromProject) {
+      const value = document.getElementById("side-chip-value");
+      if (value) value.textContent = sideLabelI18n(currentSide);
+    }
     if (lastResponse) renderResults(lastResponse);
     syncTriggerEventLabel();
   });

frontend/src/client/views/event-card-choices.ts

@@ -0,0 +1,292 @@
+// Per-event-card choice popover + chip indicator (t-paliad-265 /
+// m/paliad#96).
+//
+// The shared rendering core (verfahrensablauf-core.ts) emits a caret
+// button on cards that carry a non-empty `choices_offered` declaration
+// and an inert chip span next to the title. This module:
+//
+//   1. Wires a delegated click handler on the result container so the
+//      caret opens a popover with the offered choice-kinds.
+//   2. Commits the user's pick — either by POSTing to the project-
+//      bound endpoint or by mutating the in-memory state for the
+//      unbound (no-project) case.
+//   3. Rehydrates the chip on every render + after every commit so the
+//      glanceable indicator matches the active state.
+//
+// Two consumer pages — /tools/verfahrensablauf (unbound) and
+// /tools/fristenrechner (project-bound) — both wire this module
+// once at boot via attachEventCardChoices().
+
+import { escAttr, escHtml } from "./verfahrensablauf-core";
+import { t } from "../i18n";
+
+export type ChoiceKind = "appellant" | "include_ccr" | "skip";
+
+export interface EventChoice {
+  submission_code: string;
+  choice_kind: ChoiceKind;
+  choice_value: string;
+}
+
+// State surface — the page passes in callbacks that own persistence.
+// commit / remove must trigger a recalc on the page side (the popover
+// only owns its own visual state).
+export interface EventCardChoicesOpts {
+  container: HTMLElement;
+  // Initial state: a list of choices. The page seeds this from the
+  // server response (project-bound) or from URL params (unbound).
+  initial: EventChoice[];
+  // commit gets called for an UPSERT. The page POSTs to the API (or
+  // mutates URL state) AND triggers a recalc.
+  commit: (choice: EventChoice) => Promise<void> | void;
+  // remove gets called when the user resets a choice.
+  remove: (submissionCode: string, kind: ChoiceKind) => Promise<void> | void;
+}
+
+// One mutable bag per attach() call. The current implementation is a
+// single-page singleton — paginated views (admin tables) are not in
+// scope. Last-write-wins on the in-memory state.
+interface AttachedState {
+  opts: EventCardChoicesOpts;
+  // active: submission_code → kind → value. Rebuilt from `initial`
+  // on every reseed() call.
+  active: Map<string, Map<ChoiceKind, string>>;
+  popover: HTMLDivElement | null;
+}
+
+const states = new WeakMap<HTMLElement, AttachedState>();
+
+// attachEventCardChoices wires the delegated click + popover lifecycle
+// to the given container. Call once per page after mount; safe to call
+// again with a fresh container.
+export function attachEventCardChoices(opts: EventCardChoicesOpts): void {
+  const state: AttachedState = {
+    opts,
+    active: new Map(),
+    popover: null,
+  };
+  for (const c of opts.initial) {
+    if (!state.active.has(c.submission_code)) {
+      state.active.set(c.submission_code, new Map());
+    }
+    state.active.get(c.submission_code)!.set(c.choice_kind, c.choice_value);
+  }
+  states.set(opts.container, state);
+
+  opts.container.addEventListener("click", (e) => {
+    const target = (e.target as HTMLElement | null)?.closest<HTMLElement>(".event-card-choices-caret");
+    if (target) {
+      e.stopPropagation();
+      openPopover(state, target);
+      return;
+    }
+    // Outside-click closes the popover.
+    if (state.popover && !state.popover.contains(e.target as Node)) {
+      closePopover(state);
+    }
+  });
+
+  // ESC also closes.
+  document.addEventListener("keydown", (e) => {
+    if (e.key === "Escape" && state.popover) {
+      closePopover(state);
+    }
+  });
+
+  // Repaint chips on every renderResults() call. The page is
+  // responsible for calling reseedChips() after re-render so the chip
+  // dom node (re-created by the renderer) picks the active state up.
+  reseedChips(opts.container);
+}
+
+// reseedChips walks every chip span in the container and re-renders
+// its content from the active state map. Idempotent.
+export function reseedChips(container: HTMLElement): void {
+  const state = states.get(container);
+  if (!state) return;
+  container.querySelectorAll<HTMLElement>(".event-card-choices-chip").forEach((chip) => {
+    const code = chip.dataset.submissionCode || "";
+    const kinds = state.active.get(code);
+    if (!kinds || kinds.size === 0) {
+      chip.innerHTML = "";
+      chip.dataset.empty = "true";
+      return;
+    }
+    chip.dataset.empty = "false";
+    chip.innerHTML = renderChip(kinds);
+  });
+  // Skipped rows fade out via a class on the card-item ancestor.
+  container.querySelectorAll<HTMLElement>(".event-card-choices-chip").forEach((chip) => {
+    const code = chip.dataset.submissionCode || "";
+    const skipped = state.active.get(code)?.get("skip") === "true";
+    const itemEl = chip.closest<HTMLElement>(".timeline-item, .fr-col-item");
+    if (itemEl) itemEl.classList.toggle("timeline-item--skipped", skipped);
+  });
+}
+
+function renderChip(kinds: Map<ChoiceKind, string>): string {
+  const parts: string[] = [];
+  if (kinds.get("skip") === "true") {
+    parts.push(`<span class="event-card-choices-chip-part event-card-choices-chip-part--skipped">${escHtml(t("choices.skipped.chip"))}</span>`);
+  }
+  const ap = kinds.get("appellant");
+  if (ap && ap !== "" ) {
+    let label = "";
+    switch (ap) {
+      case "claimant":  label = t("choices.appellant.claimant"); break;
+      case "defendant": label = t("choices.appellant.defendant"); break;
+      case "both":      label = t("choices.appellant.both"); break;
+      case "none":      label = t("choices.appellant.none"); break;
+    }
+    if (label) {
+      parts.push(`<span class="event-card-choices-chip-part">${escHtml(t("choices.appellant.chip"))} ${escHtml(label)}</span>`);
+    }
+  }
+  if (kinds.get("include_ccr") === "true") {
+    parts.push(`<span class="event-card-choices-chip-part">${escHtml(t("choices.include_ccr.chip"))}</span>`);
+  }
+  return parts.join(" ");
+}
+
+function openPopover(state: AttachedState, caret: HTMLElement): void {
+  closePopover(state);
+  const code = caret.dataset.submissionCode || "";
+  if (!code) return;
+  let offered: Record<string, unknown> = {};
+  try {
+    offered = JSON.parse(caret.dataset.choicesOffered || "{}");
+  } catch {
+    return;
+  }
+
+  const pop = document.createElement("div");
+  pop.className = "event-card-choices-popover";
+  pop.setAttribute("role", "dialog");
+  pop.setAttribute("aria-label", t("choices.caret.title"));
+
+  const blocks: string[] = [];
+  if (Array.isArray(offered.appellant)) {
+    blocks.push(renderAppellantBlock(state, code, offered.appellant as unknown[]));
+  }
+  if (Array.isArray(offered.include_ccr)) {
+    blocks.push(renderToggleBlock(state, code, "include_ccr"));
+  }
+  if (Array.isArray(offered.skip)) {
+    blocks.push(renderToggleBlock(state, code, "skip"));
+  }
+  pop.innerHTML = blocks.join("");
+
+  document.body.appendChild(pop);
+  state.popover = pop;
+  positionPopover(pop, caret);
+
+  pop.addEventListener("click", async (e) => {
+    const btn = (e.target as HTMLElement | null)?.closest<HTMLButtonElement>("button[data-choice-action]");
+    if (!btn) return;
+    e.stopPropagation();
+    const kind = btn.dataset.choiceKind as ChoiceKind | undefined;
+    const value = btn.dataset.choiceValue || "";
+    const action = btn.dataset.choiceAction;
+    if (!kind) return;
+    try {
+      if (action === "set") {
+        await state.opts.commit({ submission_code: code, choice_kind: kind, choice_value: value });
+        if (!state.active.has(code)) state.active.set(code, new Map());
+        state.active.get(code)!.set(kind, value);
+      } else if (action === "clear") {
+        await state.opts.remove(code, kind);
+        state.active.get(code)?.delete(kind);
+      }
+      reseedChips(state.opts.container);
+      closePopover(state);
+    } catch (err) {
+      console.error("event card choice commit failed", err);
+      // Surface a soft inline error inside the popover; do NOT close.
+      const errEl = document.createElement("div");
+      errEl.className = "event-card-choices-error";
+      errEl.textContent = t("choices.commit.error");
+      pop.appendChild(errEl);
+    }
+  });
+}
+
+function renderAppellantBlock(state: AttachedState, code: string, values: unknown[]): string {
+  const current = state.active.get(code)?.get("appellant") || "";
+  const buttons = values
+    .filter((v): v is string => typeof v === "string")
+    .map((v) => {
+      const labelKey = `choices.appellant.${v}` as const;
+      const isActive = v === current;
+      return `<button type="button"
+        data-choice-action="set"
+        data-choice-kind="appellant"
+        data-choice-value="${escAttr(v)}"
+        class="event-card-choices-option${isActive ? " event-card-choices-option--active" : ""}">${escHtml(t(labelKey as any))}</button>`;
+    })
+    .join("");
+  const reset = current
+    ? `<button type="button" data-choice-action="clear" data-choice-kind="appellant"
+        class="event-card-choices-reset">${escHtml(t("choices.reset"))}</button>`
+    : "";
+  return `<div class="event-card-choices-block">
+    <div class="event-card-choices-title">${escHtml(t("choices.appellant.title"))}</div>
+    <div class="event-card-choices-options">${buttons}</div>
+    ${reset}
+  </div>`;
+}
+
+function renderToggleBlock(state: AttachedState, code: string, kind: "include_ccr" | "skip"): string {
+  const current = state.active.get(code)?.get(kind) || "false";
+  const titleKey = kind === "include_ccr" ? "choices.include_ccr.title" : "choices.skip.title";
+  const trueKey = kind === "include_ccr" ? "choices.include_ccr.true" : "choices.skip.true";
+  const falseKey = kind === "include_ccr" ? "choices.include_ccr.false" : "choices.skip.false";
+  const opt = (v: "true" | "false", labelKey: string) => `<button type="button"
+    data-choice-action="set"
+    data-choice-kind="${kind}"
+    data-choice-value="${v}"
+    class="event-card-choices-option${v === current ? " event-card-choices-option--active" : ""}">${escHtml(t(labelKey as any))}</button>`;
+  const reset = state.active.get(code)?.has(kind)
+    ? `<button type="button" data-choice-action="clear" data-choice-kind="${kind}"
+        class="event-card-choices-reset">${escHtml(t("choices.reset"))}</button>`
+    : "";
+  return `<div class="event-card-choices-block">
+    <div class="event-card-choices-title">${escHtml(t(titleKey as any))}</div>
+    <div class="event-card-choices-options">
+      ${opt("true", trueKey)}
+      ${opt("false", falseKey)}
+    </div>
+    ${reset}
+  </div>`;
+}
+
+function closePopover(state: AttachedState): void {
+  if (state.popover) {
+    state.popover.remove();
+    state.popover = null;
+  }
+}
+
+function positionPopover(pop: HTMLDivElement, caret: HTMLElement): void {
+  const rect = caret.getBoundingClientRect();
+  const scrollY = window.scrollY || document.documentElement.scrollTop;
+  const scrollX = window.scrollX || document.documentElement.scrollLeft;
+  pop.style.position = "absolute";
+  pop.style.top = `${rect.bottom + scrollY + 4}px`;
+  pop.style.left = `${Math.max(8, rect.right + scrollX - 240)}px`;
+  pop.style.zIndex = "1000";
+}
+
+// Returns the current in-memory choice list for the given container —
+// used by the unbound /tools/verfahrensablauf page to keep the URL
+// param in sync.
+export function currentChoices(container: HTMLElement): EventChoice[] {
+  const state = states.get(container);
+  if (!state) return [];
+  const out: EventChoice[] = [];
+  state.active.forEach((kinds, code) => {
+    kinds.forEach((value, kind) => {
+      out.push({ submission_code: code, choice_kind: kind, choice_value: value });
+    });
+  });
+  return out;
+}

frontend/src/client/views/shape-list.ts

@@ -32,6 +32,11 @@ export function renderListShape(host: HTMLElement, rows: ViewRow[], render: Rend
     return;
   }
 
+  if (rowAction === "inbox") {
+    host.appendChild(renderInboxList(sorted));
+    return;
+  }
+
   if (density === "compact") {
     host.appendChild(renderCompact(sorted));
   } else {
@@ -147,8 +152,22 @@ function formatColumn(row: ViewRow, col: string): string {
       const s = (row.detail.status as string | undefined) ?? "";
       return s ? t(("deadlines.status." + s) as I18nKey) : "—";
     }
-    case "rule":
-      return (row.detail.rule_code as string | undefined) ?? "—";
+    case "rule": {
+      // t-paliad-258 — canonical "Name · Citation" pattern; fall back
+      // to custom_rule_text + " · Custom" for Custom-mode deadlines.
+      const lang = getLang();
+      const nameKey = lang === "en" ? "rule_name_en" : "rule_name";
+      const name = (row.detail[nameKey] as string | undefined)
+        || (row.detail.rule_name as string | undefined)
+        || "";
+      const cite = (row.detail.rule_code as string | undefined) ?? "";
+      if (name && cite) return `${name} · ${cite}`;
+      if (name) return name;
+      if (cite) return cite;
+      const custom = (row.detail.custom_rule_text as string | undefined) ?? "";
+      if (custom.trim()) return `${custom} · Custom`;
+      return "—";
+    }
     case "event_type":
       return (row.detail.event_type as string | undefined) ?? "—";
     case "location":
@@ -219,111 +238,215 @@ function renderApprovalList(rows: ViewRow[]): HTMLElement {
   const ul = document.createElement("ul");
   ul.className = "inbox-list views-approval-list";
   for (const row of rows) {
-    const detail = (row.detail || {}) as ApprovalDetail;
-    const li = document.createElement("li");
-    li.className = "inbox-row views-approval-row";
-    li.dataset.requestId = row.id;
-    li.dataset.status = detail.status ?? "";
-
-    // Header: entity / lifecycle
-    const head = document.createElement("div");
-    head.className = "inbox-row-head";
-    const title = document.createElement("div");
-    title.className = "inbox-row-title";
-    const entityLabel = detail.entity_type ? t(("approvals.entity." + detail.entity_type) as I18nKey) : "";
-    const lifecycleLabel = detail.lifecycle_event ? t(("approvals.lifecycle." + detail.lifecycle_event) as I18nKey) : "";
-    const entityTitle = detail.entity_title || row.title || "—";
-    title.textContent = `${entityLabel}: ${entityTitle} — ${lifecycleLabel}`;
-    head.appendChild(title);
-
-    const meta = document.createElement("div");
-    meta.className = "inbox-row-meta";
-    const reqByLabel = t("approvals.requested_by");
-    const roleLabel = detail.required_role
-      ? t(("approvals.required_role." + detail.required_role) as I18nKey)
-      : "";
-    const requester = detail.requester_name || row.actor_name || "";
-    const requesterTag = detail.requester_kind === "agent"
-      ? `${requester} ✨ ${t("approvals.agent.byline")}`
-      : requester;
-    const projectTitle = row.project_title ?? "";
-    const parts = [
-      projectTitle,
-      `${reqByLabel} ${requesterTag}`,
-    ];
-    if (roleLabel) parts.push(`${roleLabel}+`);
-    parts.push(formatRelativeTime(row.event_date));
-    meta.textContent = parts.filter(Boolean).join(" · ");
-    head.appendChild(meta);
-    li.appendChild(head);
-
-    // Diff for update / complete
-    const diff = renderDiff(detail);
-    if (diff) li.appendChild(diff);
-
-    if (detail.decision_note) {
-      const note = document.createElement("div");
-      note.className = "inbox-row-note";
-      note.textContent = detail.decision_note;
-      li.appendChild(note);
-    }
-
-    // Action row — surface attaches handlers via data-attrs.
-    const actions = document.createElement("div");
-    actions.className = "inbox-row-actions";
-
-    if (detail.status === "pending") {
-      // All four actions are stamped on every pending row; the per-viewer
-      // viewer_can_approve / viewer_is_requester flags (resolved server-side)
-      // decide which are enabled vs. greyed out with a tooltip. m's ask
-      // (2026-05-17): show what's possible but disable what isn't, rather
-      // than alert-after-click. The server still enforces — disabled buttons
-      // are a UI hint, not a security gate.
-      //
-      // suggest_changes is hidden for non-update lifecycles (the backend
-      // returns ErrSuggestionLifecycleInvalid for create/complete/delete,
-      // so we don't even render the button for them).
-      actions.appendChild(approvalActionBtn("approve", detail));
-      if (detail.lifecycle_event === "update") {
-        actions.appendChild(approvalActionBtn("suggest_changes", detail));
-      }
-      actions.appendChild(approvalActionBtn("reject", detail));
-      actions.appendChild(approvalActionBtn("revoke", detail));
-    } else if (detail.status) {
-      const pill = document.createElement("span");
-      pill.className = "approval-pill approval-pill--historic";
-      pill.textContent = t(("approvals.status." + detail.status) as I18nKey);
-      if (detail.decider_name && detail.status !== "revoked") {
-        const decided = document.createElement("span");
-        decided.className = "inbox-row-decided";
-        decided.textContent = ` · ${t("approvals.decided_by")} ${detail.decider_name}`;
-        pill.appendChild(decided);
-      }
-      actions.appendChild(pill);
-    }
-    li.appendChild(actions);
-
-    // Back-link from the OLD changes_requested row to the NEW pending
-    // counter row (t-paliad-216). Hydrated server-side as
-    // detail.next_request_id; the surface renders a link that scrolls
-    // / filters to the new row. Falsy next_request_id = no link (e.g.
-    // older rows pre-mig-103, or rows where the server hasn't joined the
-    // back-pointer).
-    if (detail.status === "changes_requested" && detail.next_request_id) {
-      const link = document.createElement("a");
-      link.className = "inbox-row-next-request";
-      link.href = `#request-${detail.next_request_id}`;
-      link.dataset.nextRequestId = detail.next_request_id;
-      const deciderName = detail.decider_name || "";
-      link.textContent = t("approvals.suggest.next_request_link").replace("{name}", deciderName);
-      li.appendChild(link);
-    }
-
-    ul.appendChild(li);
+    ul.appendChild(renderApprovalRow(row));
   }
   return ul;
 }
 
+// renderApprovalRow stamps one <li> for an approval_request row.
+// Factored out of renderApprovalList in t-paliad-249 so the unified
+// inbox dispatch (renderInboxList) can reuse the exact same markup for
+// approval rows interleaved with project_event rows.
+export function renderApprovalRow(row: ViewRow): HTMLLIElement {
+  const detail = (row.detail || {}) as ApprovalDetail;
+  const li = document.createElement("li");
+  li.className = "inbox-row views-approval-row";
+  li.dataset.requestId = row.id;
+  li.dataset.status = detail.status ?? "";
+
+  // Header: entity / lifecycle
+  const head = document.createElement("div");
+  head.className = "inbox-row-head";
+  const title = document.createElement("div");
+  title.className = "inbox-row-title";
+  const entityLabel = detail.entity_type ? t(("approvals.entity." + detail.entity_type) as I18nKey) : "";
+  const lifecycleLabel = detail.lifecycle_event ? t(("approvals.lifecycle." + detail.lifecycle_event) as I18nKey) : "";
+  const entityTitle = detail.entity_title || row.title || "—";
+  title.textContent = `${entityLabel}: ${entityTitle} — ${lifecycleLabel}`;
+  head.appendChild(title);
+
+  const meta = document.createElement("div");
+  meta.className = "inbox-row-meta";
+  const reqByLabel = t("approvals.requested_by");
+  const roleLabel = detail.required_role
+    ? t(("approvals.required_role." + detail.required_role) as I18nKey)
+    : "";
+  const requester = detail.requester_name || row.actor_name || "";
+  const requesterTag = detail.requester_kind === "agent"
+    ? `${requester} ✨ ${t("approvals.agent.byline")}`
+    : requester;
+  const projectTitle = row.project_title ?? "";
+  const parts = [
+    projectTitle,
+    `${reqByLabel} ${requesterTag}`,
+  ];
+  if (roleLabel) parts.push(`${roleLabel}+`);
+  parts.push(formatRelativeTime(row.event_date));
+  meta.textContent = parts.filter(Boolean).join(" · ");
+  head.appendChild(meta);
+  li.appendChild(head);
+
+  // Diff for update / complete
+  const diff = renderDiff(detail);
+  if (diff) li.appendChild(diff);
+
+  if (detail.decision_note) {
+    const note = document.createElement("div");
+    note.className = "inbox-row-note";
+    note.textContent = detail.decision_note;
+    li.appendChild(note);
+  }
+
+  // Action row — surface attaches handlers via data-attrs.
+  const actions = document.createElement("div");
+  actions.className = "inbox-row-actions";
+
+  if (detail.status === "pending") {
+    // All four actions are stamped on every pending row; the per-viewer
+    // viewer_can_approve / viewer_is_requester flags (resolved server-side)
+    // decide which are enabled vs. greyed out with a tooltip. m's ask
+    // (2026-05-17): show what's possible but disable what isn't, rather
+    // than alert-after-click. The server still enforces — disabled buttons
+    // are a UI hint, not a security gate.
+    //
+    // suggest_changes is hidden for non-update lifecycles (the backend
+    // returns ErrSuggestionLifecycleInvalid for create/complete/delete,
+    // so we don't even render the button for them).
+    actions.appendChild(approvalActionBtn("approve", detail));
+    if (detail.lifecycle_event === "update") {
+      actions.appendChild(approvalActionBtn("suggest_changes", detail));
+    }
+    actions.appendChild(approvalActionBtn("reject", detail));
+    actions.appendChild(approvalActionBtn("revoke", detail));
+  } else if (detail.status) {
+    const pill = document.createElement("span");
+    pill.className = "approval-pill approval-pill--historic";
+    pill.textContent = t(("approvals.status." + detail.status) as I18nKey);
+    if (detail.decider_name && detail.status !== "revoked") {
+      const decided = document.createElement("span");
+      decided.className = "inbox-row-decided";
+      decided.textContent = ` · ${t("approvals.decided_by")} ${detail.decider_name}`;
+      pill.appendChild(decided);
+    }
+    actions.appendChild(pill);
+  }
+  li.appendChild(actions);
+
+  // Back-link from the OLD changes_requested row to the NEW pending
+  // counter row (t-paliad-216). Hydrated server-side as
+  // detail.next_request_id; the surface renders a link that scrolls
+  // / filters to the new row. Falsy next_request_id = no link (e.g.
+  // older rows pre-mig-103, or rows where the server hasn't joined the
+  // back-pointer).
+  if (detail.status === "changes_requested" && detail.next_request_id) {
+    const link = document.createElement("a");
+    link.className = "inbox-row-next-request";
+    link.href = `#request-${detail.next_request_id}`;
+    link.dataset.nextRequestId = detail.next_request_id;
+    const deciderName = detail.decider_name || "";
+    link.textContent = t("approvals.suggest.next_request_link").replace("{name}", deciderName);
+    li.appendChild(link);
+  }
+
+  return li;
+}
+
+// ----------------------------------------------------------------------
+// row_action = "inbox" — unified inbox layout (t-paliad-249)
+//
+// Dispatches per row.kind so approval_request rows reuse the existing
+// approve/reject/revoke markup while project_event rows render as a
+// compact stream row (timestamp + actor + title + project chip +
+// Öffnen link to the underlying entity).
+// ----------------------------------------------------------------------
+
+function renderInboxList(rows: ViewRow[]): HTMLElement {
+  const ul = document.createElement("ul");
+  ul.className = "inbox-list inbox-list--unified";
+  for (const row of rows) {
+    if (row.kind === "approval_request") {
+      ul.appendChild(renderApprovalRow(row));
+    } else if (row.kind === "project_event") {
+      ul.appendChild(renderProjectEventInboxRow(row));
+    }
+  }
+  return ul;
+}
+
+interface ProjectEventDetail {
+  event_type?: string | null;
+  description?: string | null;
+}
+
+function renderProjectEventInboxRow(row: ViewRow): HTMLLIElement {
+  const detail = (row.detail || {}) as ProjectEventDetail;
+  const li = document.createElement("li");
+  li.className = "inbox-row inbox-row--project-event";
+  li.dataset.eventId = row.id;
+  if (detail.event_type) li.dataset.eventType = detail.event_type;
+
+  const head = document.createElement("div");
+  head.className = "inbox-row-head";
+
+  const title = document.createElement("div");
+  title.className = "inbox-row-title";
+  // Prefer the row.title (server-side authored, project-aware); fall
+  // back to a synthesised event-kind label so a malformed row never
+  // produces an empty <li>.
+  const kindLabelText = detail.event_type ? t(("event.title." + detail.event_type) as I18nKey) : "";
+  title.textContent = row.title || kindLabelText || "—";
+  head.appendChild(title);
+
+  const meta = document.createElement("div");
+  meta.className = "inbox-row-meta";
+  const parts: string[] = [];
+  if (row.project_title) parts.push(row.project_title);
+  if (row.actor_name) parts.push(row.actor_name);
+  parts.push(formatRelativeTime(row.event_date));
+  meta.textContent = parts.filter(Boolean).join(" · ");
+  head.appendChild(meta);
+  li.appendChild(head);
+
+  if (detail.description) {
+    const desc = document.createElement("div");
+    desc.className = "inbox-row-description";
+    desc.textContent = detail.description;
+    li.appendChild(desc);
+  }
+
+  const actions = document.createElement("div");
+  actions.className = "inbox-row-actions";
+  const openLink = projectEventLink(row, detail);
+  if (openLink) actions.appendChild(openLink);
+  li.appendChild(actions);
+
+  return li;
+}
+
+// projectEventLink builds an "Öffnen" anchor that points to the most
+// useful target for the event kind. Falls back to the project detail
+// page when the kind doesn't carry a richer pointer.
+//
+// Slice B can deepen this (e.g. note_created → scroll to note anchor);
+// keep it minimal for Slice A.
+function projectEventLink(row: ViewRow, detail: ProjectEventDetail): HTMLAnchorElement | null {
+  if (!row.project_id) return null;
+  const kind = detail.event_type ?? "";
+  const a = document.createElement("a");
+  a.className = "inbox-row-open";
+  a.textContent = t("inbox.action.open");
+  if (kind.startsWith("deadline_")) {
+    a.href = `/projects/${row.project_id}#deadlines`;
+  } else if (kind.startsWith("appointment_")) {
+    a.href = `/projects/${row.project_id}#appointments`;
+  } else if (kind === "note_created") {
+    a.href = `/projects/${row.project_id}#notes`;
+  } else {
+    a.href = `/projects/${row.project_id}`;
+  }
+  return a;
+}
+
 function renderDiff(detail: ApprovalDetail): HTMLElement | null {
   const before = (detail.pre_image || {}) as Record<string, unknown>;
   const after = (detail.payload || {}) as Record<string, unknown>;

frontend/src/client/views/types.ts

@@ -19,8 +19,8 @@ export interface ScopeSpec {
 }
 
 export type TimeHorizon =
-  | "next_7d" | "next_30d" | "next_90d"
-  | "past_7d" | "past_30d" | "past_90d"
+  | "next_1d" | "next_7d" | "next_14d" | "next_30d" | "next_90d" | "next_all"
+  | "past_1d" | "past_7d" | "past_14d" | "past_30d" | "past_90d" | "past_all"
   | "any" | "all" | "custom";
 
 export type TimeField = "auto" | "created_at";
@@ -66,7 +66,18 @@ export interface FilterSpec {
   sources: DataSource[];
   scope: ScopeSpec;
   time: TimeSpec;
-  predicates?: Partial<Record<DataSource, Predicates>>;
+  // Per-source narrowing. Flat shape — one entry per data source. The
+  // Go side (internal/services/filter_spec.go: FilterSpec.Predicates)
+  // mirrors this exactly; the previous Partial<Record<DataSource,
+  // Predicates>> spelling was a latent contract bug (t-paliad-283)
+  // where every chip click sent a single-nested shape the server
+  // unmarshalled to no-op.
+  predicates?: Predicates;
+  // Inbox unread-only overlay (t-paliad-249). When true, the view
+  // service drops project_event rows older than the caller's
+  // users.inbox_seen_at cursor. Pending approval_requests always
+  // survive — the cursor can't bury an in-flight approval.
+  unread_only?: boolean;
 }
 
 export type RenderShape = "list" | "cards" | "calendar" | "timeline";
@@ -79,7 +90,7 @@ export interface TimelineCVConfig {
   range_to?: string;
 }
 
-export type ListRowAction = "navigate" | "complete_toggle" | "approve" | "none";
+export type ListRowAction = "navigate" | "complete_toggle" | "approve" | "inbox" | "none";
 
 export interface ListConfig {
   columns?: string[];

frontend/src/client/views/verfahrensablauf-core.test.ts

@@ -1,6 +1,7 @@
 import { describe, expect, test } from "bun:test";
 import {
   type CalculatedDeadline,
+  bucketDeadlinesIntoColumns,
   deadlineCardHtml,
 } from "./verfahrensablauf-core";
 
@@ -65,3 +66,243 @@ describe("deadlineCardHtml — editable=true emits click-to-edit attrs", () => {
     expect(html).not.toContain("data-rule-code=");
   });
 });
+
+// t-paliad-289 — isConditional rules render an "abhängig von <parent>"
+// chip in place of the date column, and the chip keeps the click-to-edit
+// affordance so the user can pin a real date once the upstream anchor
+// resolves (oral hearing scheduled, opposing party's motion received, …).
+// Mirrors Symptom A (R.109(1) backward-anchor without oral-hearing date)
+// and Symptom B (R.262(2) without recorded Vertraulichkeitsantrag) from
+// the issue.
+describe("deadlineCardHtml — isConditional rendering (t-paliad-289)", () => {
+  test("isConditional + parentRuleName emits 'abhängig von <parent>' chip with click-to-edit", () => {
+    const html = deadlineCardHtml(
+      dl({
+        code: "upc.inf.cfi.translation_request",
+        isConditional: true,
+        parentRuleCode: "upc.inf.cfi.oral",
+        parentRuleName: "Mündliche Verhandlung",
+      }),
+      { showParty: true, editable: true },
+    );
+    expect(html).toContain("timeline-conditional");
+    expect(html).toContain("abhängig von Mündliche Verhandlung");
+    expect(html).toContain('data-rule-code="upc.inf.cfi.translation_request"');
+    expect(html).toContain('role="button"');
+    expect(html).not.toContain("timeline-court-set");
+  });
+
+  test("isConditional with no parentRuleName falls back to generic upstream-event label", () => {
+    const html = deadlineCardHtml(
+      dl({ isConditional: true }),
+      { showParty: true, editable: true },
+    );
+    expect(html).toContain("timeline-conditional");
+    expect(html).toContain("abhängig von vorgelagertem Ereignis");
+  });
+
+  test("isConditional wins over isCourtSet — overlapping cases render conditional chip", () => {
+    // Court-set ancestor without override sets BOTH isCourtSet=true AND
+    // isConditional=true on the wire. The renderer must pick the
+    // conditional chip; otherwise the row keeps the legacy "wird vom
+    // Gericht bestimmt" label and the user can't see WHICH upstream
+    // event blocks them.
+    const html = deadlineCardHtml(
+      dl({
+        isConditional: true,
+        isCourtSet: true,
+        isCourtSetIndirect: true,
+        parentRuleName: "Entscheidung",
+      }),
+      { showParty: true, editable: true },
+    );
+    expect(html).toContain("abhängig von Entscheidung");
+    expect(html).not.toContain("timeline-court-set");
+  });
+
+  test("isConditional=false keeps the normal date span (regression guard)", () => {
+    const html = deadlineCardHtml(dl({ isConditional: false }), { showParty: true });
+    expect(html).toContain("timeline-date");
+    expect(html).not.toContain("timeline-conditional");
+  });
+});
+
+// Pure column-routing behaviour. Originally pinned by m/paliad#81
+// (side + appellant axes), re-framed by m/paliad#88: the column
+// axis is now "Unsere Seite vs Gegnerseite" ("WE always on the
+// left") instead of the misleading Proaktiv/Reaktiv pair.
+// Hits bucketDeadlinesIntoColumns directly so the assertions stay
+// in pure-Node territory (renderColumnsBody goes through escHtml ->
+// document.createElement which isn't available in plain bun test).
+//
+// Scenario fixture mirrors the UPC Appeal "both parties" case m
+// pasted into #81: every filing rule carries party='both' so the
+// legacy mirror path duplicates every row across both columns.
+// With ?appellant= set, the duplicate must collapse to a single
+// row in the appellant's column.
+describe("bucketDeadlinesIntoColumns — side+appellant column routing (m/paliad#81, #88)", () => {
+  const both = (name: string, due: string): CalculatedDeadline => ({
+    code: name,
+    name,
+    nameEN: name,
+    party: "both",
+    priority: "mandatory",
+    ruleRef: "",
+    dueDate: due,
+    originalDate: due,
+    wasAdjusted: false,
+    isRootEvent: false,
+    isCourtSet: false,
+  });
+  const partySpecific = (party: string, name: string, due: string): CalculatedDeadline => ({
+    ...both(name, due),
+    party,
+  });
+
+  test("default (no opts) mirrors 'both' rules into ours AND opponent — legacy behaviour preserved", () => {
+    const rows = bucketDeadlinesIntoColumns([both("Notice of Appeal", "2026-07-23")]);
+    expect(rows).toHaveLength(1);
+    expect(rows[0].ours.map((d) => d.name)).toEqual(["Notice of Appeal"]);
+    expect(rows[0].opponent.map((d) => d.name)).toEqual(["Notice of Appeal"]);
+    expect(rows[0].court).toHaveLength(0);
+  });
+
+  test("default (no side) places claimant on the left (ours) — 'we are claimant' fallback", () => {
+    const rows = bucketDeadlinesIntoColumns([
+      partySpecific("claimant", "Klageschrift", "2026-01-01"),
+      partySpecific("defendant", "Klageerwiderung", "2026-04-01"),
+    ]);
+    expect(rows[0].ours.map((d) => d.name)).toEqual(["Klageschrift"]);
+    expect(rows[1].opponent.map((d) => d.name)).toEqual(["Klageerwiderung"]);
+  });
+
+  test("appellant=claimant collapses 'both' rules into ours when side=claimant (or default)", () => {
+    const rows = bucketDeadlinesIntoColumns(
+      [both("Notice of Appeal", "2026-07-23"), both("Statement of Grounds", "2026-09-23")],
+      { appellant: "claimant" },
+    );
+    expect(rows.map((r) => r.ours.map((d) => d.name))).toEqual([
+      ["Notice of Appeal"],
+      ["Statement of Grounds"],
+    ]);
+    rows.forEach((r) => expect(r.opponent).toHaveLength(0));
+  });
+
+  test("appellant=defendant collapses 'both' rules into opponent when side=null/claimant", () => {
+    const rows = bucketDeadlinesIntoColumns(
+      [both("Notice of Appeal", "2026-07-23")],
+      { appellant: "defendant" },
+    );
+    expect(rows[0].ours).toHaveLength(0);
+    expect(rows[0].opponent.map((d) => d.name)).toEqual(["Notice of Appeal"]);
+  });
+
+  test("side=defendant flips which party owns 'ours' vs 'opponent' — WE always on the left", () => {
+    // User is on the defendant side: defendant filings land in 'ours'
+    // (left), claimant filings land in 'opponent' (right). Court rules
+    // stay in court regardless of side.
+    const rows = bucketDeadlinesIntoColumns(
+      [
+        partySpecific("claimant", "Klageschrift", "2026-01-01"),
+        partySpecific("defendant", "Klageerwiderung", "2026-04-01"),
+        partySpecific("court", "Urteil", "2026-10-01"),
+      ],
+      { side: "defendant" },
+    );
+    expect(rows[0].opponent.map((d) => d.name)).toEqual(["Klageschrift"]);
+    expect(rows[1].ours.map((d) => d.name)).toEqual(["Klageerwiderung"]);
+    expect(rows[2].court.map((d) => d.name)).toEqual(["Urteil"]);
+  });
+
+  test("side=defendant + appellant=defendant routes 'both' into 'ours' (user's own column)", () => {
+    // The user is the defendant AND the appellant, so the appellant's
+    // column == the user's own column == ours after the swap.
+    const rows = bucketDeadlinesIntoColumns(
+      [both("Notice of Appeal", "2026-07-23")],
+      { side: "defendant", appellant: "defendant" },
+    );
+    expect(rows[0].ours.map((d) => d.name)).toEqual(["Notice of Appeal"]);
+    expect(rows[0].opponent).toHaveLength(0);
+  });
+
+  test("side=defendant + appellant=claimant routes 'both' into opponent (claimant ≠ us)", () => {
+    // Side flip + appellant axis combined: the claimant is the appellant
+    // but NOT us, so the collapsed 'both' row lands in the opponent
+    // column (right). This is the UPC Appeal "they appealed, we
+    // respond" scenario.
+    const rows = bucketDeadlinesIntoColumns(
+      [both("Notice of Appeal", "2026-07-23")],
+      { side: "defendant", appellant: "claimant" },
+    );
+    expect(rows[0].opponent.map((d) => d.name)).toEqual(["Notice of Appeal"]);
+    expect(rows[0].ours).toHaveLength(0);
+  });
+
+  test("rows align across columns by dueDate so same-day events stay on one grid row", () => {
+    const sameDate = "2026-07-23";
+    const rows = bucketDeadlinesIntoColumns([
+      partySpecific("claimant", "A", sameDate),
+      partySpecific("defendant", "B", sameDate),
+      partySpecific("court", "C", sameDate),
+    ]);
+    expect(rows).toHaveLength(1);
+    expect(rows[0].ours.map((d) => d.name)).toEqual(["A"]);
+    expect(rows[0].opponent.map((d) => d.name)).toEqual(["B"]);
+    expect(rows[0].court.map((d) => d.name)).toEqual(["C"]);
+  });
+
+  test("appellantContext overrides the page-level appellant for descendants (t-paliad-265)", () => {
+    // A per-decision pick stamps AppellantContext on descendants of
+    // that decision. The bucketer prefers it over the page-level
+    // appellant: if a "both" row carries appellantContext='defendant',
+    // it collapses to defendant's column regardless of the global
+    // appellant opt.
+    const dl: CalculatedDeadline = {
+      ...both("Notice of Appeal", "2026-07-23"),
+      appellantContext: "defendant",
+    };
+    const rows = bucketDeadlinesIntoColumns([dl], { appellant: "claimant" });
+    expect(rows[0].ours).toHaveLength(0);
+    expect(rows[0].opponent.map((d) => d.name)).toEqual(["Notice of Appeal"]);
+  });
+
+  test("appellantContext='claimant' + side='defendant' lands the row in opponent (claimant ≠ us)", () => {
+    // The user is on the defendant side; per-card pick says the
+    // claimant appealed. The "both" row collapses to the claimant's
+    // column, which after the side-swap is opponent (right).
+    const dl: CalculatedDeadline = {
+      ...both("Notice of Appeal", "2026-07-23"),
+      appellantContext: "claimant",
+    };
+    const rows = bucketDeadlinesIntoColumns([dl], { side: "defendant", appellant: "defendant" });
+    expect(rows[0].ours).toHaveLength(0);
+    expect(rows[0].opponent.map((d) => d.name)).toEqual(["Notice of Appeal"]);
+  });
+
+  test("appellantContext='both' or 'none' falls back to page-level mirror (t-paliad-265)", () => {
+    // 'both' and 'none' aren't side-collapse values — they're
+    // statements about who appealed but don't pick a column. The
+    // bucketer treats them as no override, so the page-level
+    // appellant (or default mirror) applies.
+    const both1: CalculatedDeadline = {
+      ...both("Notice of Appeal", "2026-07-23"),
+      appellantContext: "both",
+    };
+    const rowsBoth = bucketDeadlinesIntoColumns([both1]);
+    expect(rowsBoth[0].ours.map((d) => d.name)).toEqual(["Notice of Appeal"]);
+    expect(rowsBoth[0].opponent.map((d) => d.name)).toEqual(["Notice of Appeal"]);
+  });
+
+  test("unscheduled rows (no dueDate) trail dated rows, preserving declaration order", () => {
+    const rows = bucketDeadlinesIntoColumns([
+      partySpecific("court", "Oral Hearing", ""),
+      partySpecific("claimant", "Statement of Claim", "2026-01-01"),
+      partySpecific("court", "Decision", ""),
+    ]);
+    expect(rows.map((r) => [r.ours, r.court, r.opponent].flat().map((d) => d.name))).toEqual([
+      ["Statement of Claim"],
+      ["Oral Hearing"],
+      ["Decision"],
+    ]);
+  });
+});

frontend/src/client/views/verfahrensablauf-core.ts

@@ -61,6 +61,35 @@ export interface CalculatedDeadline {
   // Frontend save-modal logic doesn't read this; the rule editor
   // (Slice 11) is the consumer. Unknown shape on this side — pass-through.
   conditionExpr?: unknown;
+  // choicesOffered (t-paliad-265): declares which per-card choice-kinds
+  // this rule offers on the Verfahrensablauf timeline. Object shape:
+  // { appellant?: string[], include_ccr?: [true,false], skip?: [true,false] }.
+  // null/undefined = no caret affordance.
+  choicesOffered?: Record<string, unknown>;
+  // appellantContext (t-paliad-265): the per-decision appellant pick
+  // that applies to descendants of the closest ancestor decision card
+  // with a per-card appellant set. Empty = no per-card override (the
+  // page-level appellant axis still applies in that case). The bucketer
+  // reads this in preference to the page-level appellant.
+  appellantContext?: string;
+  // isConditional (t-paliad-289): the rule's anchor is uncertain, so
+  // no concrete date is projected. Set by the calculator when the rule
+  // depends on a court-set ancestor without override, when a backward-
+  // anchored rule's forward anchor isn't set, or for optional rules
+  // whose true triggering event sits outside the rule data (e.g.
+  // R.262(2) Erwiderung auf Vertraulichkeitsantrag — anchored on SoC
+  // in the data, but the real trigger is the opposing party's
+  // confidentiality motion). The renderer drops the date column entry
+  // and shows an "abhängig von <parentRuleName>" chip instead.
+  isConditional?: boolean;
+  // parentRuleCode / parentRuleName / parentRuleNameEN surface the
+  // parent rule's identity so the renderer can label the
+  // "abhängig von <parent>" chip on conditional rows. Populated for
+  // every rule with a parent (not just conditional ones), so the
+  // dependency-footer logic can reuse it. Empty for root rules.
+  parentRuleCode?: string;
+  parentRuleName?: string;
+  parentRuleNameEN?: string;
 }
 
 // priorityRendering returns the per-priority UX hints the save-modal
@@ -110,6 +139,16 @@ export interface DeadlineResponse {
   // explains the framing. (m/paliad#58)
   contextualNote?: string;
   contextualNoteEN?: string;
+  // triggerEventLabel / triggerEventLabelEN: optional caption for the
+  // "Auslösendes Ereignis" / "Triggering event" field on
+  // /tools/verfahrensablauf. Populated from paliad.proceeding_types
+  // when set (mig 121). The page prefers this over the proceedingName
+  // fallback that fires when no rule has isRootEvent=true. UPC Appeal
+  // uses this so the field reads "Anfechtbare Entscheidung" /
+  // "Appealable Decision" instead of "Berufungsverfahren" / "Appeal".
+  // (m/paliad#81)
+  triggerEventLabel?: string;
+  triggerEventLabelEN?: string;
 }
 
 export interface CourtRow {
@@ -129,6 +168,16 @@ export interface CalcParams {
   flags?: string[];
   anchorOverrides?: Record<string, string>;
   courtId?: string;
+  // t-paliad-265: per-event-card choices. Either pass `projectId` for
+  // server-side lookup against paliad.project_event_choices, OR pass
+  // an inline list (for the unbound /tools/verfahrensablauf surface).
+  // When both are supplied the inline list wins server-side.
+  projectId?: string;
+  perCardChoices?: Array<{
+    submission_code: string;
+    choice_kind: string;
+    choice_value: string;
+  }>;
 }
 
 const PARTY_CLASS: Record<string, string> = {
@@ -144,10 +193,20 @@ export function escAttr(s: string): string {
   return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
 }
 
+// Pure-string HTML escape — keeps the module testable in bun test
+// (plain Node, no jsdom). Used to be backed by document.createElement,
+// which forced fixtures to leave any field that flowed through it
+// empty just to exercise unrelated branches; the regex form is safe
+// for arbitrary text including the per-rule name strings that the
+// conditional-row chip ("abhängig von <parent>") now exposes.
+// (t-paliad-289)
 export function escHtml(s: string): string {
-  const d = document.createElement("div");
-  d.textContent = s;
-  return d.innerHTML;
+  return s
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#39;");
 }
 
 export function formatDate(dateStr: string): string {
@@ -248,12 +307,31 @@ export function deadlineCardHtml(dl: CalculatedDeadline, opts: CardOpts): string
   const editAttrs = editable
     ? ` data-rule-code="${escAttr(dl.code)}" data-current-date="${escAttr(dl.dueDate)}" role="button" tabindex="0" title="${escAttr(t("deadlines.date.edit.hint"))}"`
     : "";
-  const courtLabelKey = dl.isCourtSetIndirect
-    ? "deadlines.court.indirect"
-    : "deadlines.court.set";
-  const dateStr = dl.isCourtSet
-    ? `<span class="timeline-court-set frist-date-edit"${editAttrs}>${t(courtLabelKey)}</span>`
-    : `<span class="timeline-date${overriddenClass} frist-date-edit"${editAttrs}>${formatDate(dl.dueDate)}</span>`;
+  // Conditional rows (t-paliad-289) replace the date column with an
+  // "abhängig von <parent>" chip. The chip remains click-to-edit so
+  // the user can pin a real date once known (e.g. once the oral
+  // hearing date is set, or the opposing party's Vertraulichkeits-
+  // antrag arrives) — the same data-rule-code wiring fires the
+  // existing inline date editor. IsConditional wins over IsCourtSet:
+  // they overlap (court-set ancestor without override produces both),
+  // and "abhängig von <parent>" is the clearer user-facing signal.
+  const parentLabel = (getLang() === "en"
+    ? (dl.parentRuleNameEN || dl.parentRuleName)
+    : dl.parentRuleName) || "";
+  let dateStr: string;
+  if (dl.isConditional) {
+    const chipText = parentLabel
+      ? tDyn("deadlines.conditional.depends_on").replace("{parent}", escHtml(parentLabel))
+      : t("deadlines.conditional.unset");
+    dateStr = `<span class="timeline-conditional frist-date-edit"${editAttrs}>${chipText}</span>`;
+  } else if (dl.isCourtSet) {
+    const courtLabelKey = dl.isCourtSetIndirect
+      ? "deadlines.court.indirect"
+      : "deadlines.court.set";
+    dateStr = `<span class="timeline-court-set frist-date-edit"${editAttrs}>${t(courtLabelKey)}</span>`;
+  } else {
+    dateStr = `<span class="timeline-date${overriddenClass} frist-date-edit"${editAttrs}>${formatDate(dl.dueDate)}</span>`;
+  }
 
   // Slice 9 (t-paliad-195): the legacy boolean pair is gone — read
   // priority directly. Optional badge fires only on 'optional'
@@ -262,6 +340,18 @@ export function deadlineCardHtml(dl: CalculatedDeadline, opts: CardOpts): string
     ? '<span class="optional-badge">optional</span>'
     : "";
 
+  // t-paliad-265 — caret affordance + chip indicator when this rule
+  // offers per-card choices and the user has made a pick. The popover
+  // open/commit lifecycle lives in client/views/event-card-choices.ts;
+  // the data-* attributes here are the wire contract between the two.
+  const choicesHtml = dl.code !== "" && dl.choicesOffered && Object.keys(dl.choicesOffered).length > 0
+    ? `<button type="button" class="event-card-choices-caret"
+         data-submission-code="${escAttr(dl.code)}"
+         data-choices-offered="${escAttr(JSON.stringify(dl.choicesOffered))}"
+         aria-label="${escAttr(t("choices.caret.title"))}"
+         title="${escAttr(t("choices.caret.title"))}">▾</button>`
+    : "";
+
   const dlName = getLang() === "en" ? dl.nameEN : dl.name;
 
   const adjustedNote = dl.wasAdjusted
@@ -300,12 +390,22 @@ export function deadlineCardHtml(dl: CalculatedDeadline, opts: CardOpts): string
       </div>`
     : "";
 
+  // Chip indicator surfaces the active per-card pick (t-paliad-265).
+  // The popover module rehydrates this on commit so it stays in sync.
+  const chipHtml = dl.code !== ""
+    ? `<span class="event-card-choices-chip"
+         data-submission-code="${escAttr(dl.code)}"
+         data-empty="true"></span>`
+    : "";
+
   return `<div class="timeline-item-header">
       <span class="timeline-name">
         ${dlName}
         ${mandatoryBadge}
+        ${chipHtml}
       </span>
       ${dateStr}
+      ${choicesHtml}
     </div>
     ${meta}
     ${adjustedNote}
@@ -396,8 +496,16 @@ export function wireDateEditClicks(
 export function renderTimelineBody(data: DeadlineResponse, opts: CardOpts = { showParty: true }): string {
   let html = '<div class="timeline">';
   for (const dl of data.deadlines) {
+    const itemClasses = [
+      "timeline-item",
+      dl.isRootEvent ? "timeline-root" : "",
+      // t-paliad-289: dotted-border + faded styling for conditional rows
+      // so the "abhängig von <parent>" state is visually distinct from
+      // both anchored deadlines and direct court-set rows.
+      dl.isConditional ? "timeline-item--conditional" : "",
+    ].filter(Boolean).join(" ");
     html += `
-      <div class="timeline-item ${dl.isRootEvent ? "timeline-root" : ""}">
+      <div class="${itemClasses}">
         <div class="timeline-dot-col">
           <div class="timeline-dot ${dl.isRootEvent ? "dot-root" : ""}"></div>
           <div class="timeline-line"></div>
@@ -412,42 +520,132 @@ export function renderTimelineBody(data: DeadlineResponse, opts: CardOpts = { sh
   return html;
 }
 
-// Three-column timeline layout: Proactive (claimant) | Court | Reactive
-// (defendant). Each grid row shares a dueDate so same-day events line up
-// across columns; party=both renders in BOTH the Proactive and Reactive
-// cells of the row. Undated rows (Urteil etc.) trail the dated tail, each
-// keyed by sequence-order so e.g. Urteil precedes Berufungseinlegung.
-export function renderColumnsBody(data: DeadlineResponse, opts: Omit<CardOpts, "showParty"> = {}): string {
-  type Cell = CalculatedDeadline[];
-  type Row = { proactive: Cell; court: Cell; reactive: Cell };
+// Three-column timeline layout: Unsere Seite | Gericht | Gegnerseite.
+//
+// The columns are user-perspective ("WE are always on the left", per
+// t-paliad-257 / m/paliad#88). The old Proaktiv/Reaktiv axis lied:
+// Klägerseite is sometimes proactive (filing the claim) and sometimes
+// reactive (responding to a counterclaim), so the static "Proaktiv =
+// Klägerseite" label-pair was wrong half the time. The new axis is
+// "ours vs opponent" — the side toggle picks who WE are in this
+// proceeding (Klägerseite vs Beklagtenseite, i.e. patentee vs alleged
+// infringer / Einsprechender vs Patentinhaber, etc.), and rule
+// placement re-resolves around that pick.
+//
+// Column assignment per deadline (default opts.side === null keeps
+// the legacy claimant-on-the-left layout — i.e. "we are claimant"):
+//
+//   - party=claimant  → ours when side ∈ {null,"claimant"}, else opponent
+//   - party=defendant → opponent when side ∈ {null,"claimant"}, else ours
+//   - party=court     → court (independent of side)
+//   - party=both      → BOTH ours AND opponent (mirror)
+//
+// When `opts.appellant` is set (claimant|defendant), "both" rows
+// collapse to a single row in the appellant's column — the intent is
+// role-swap proceedings (UPC Appeal, Counterclaim, …) where "both"
+// really means "either party files, depending on who initiated".
+// Appellant axis is independent of `side`: in an Appeal CoA, the
+// appellant selector pins which party appealed; the side toggle
+// still picks which of those is us.
+export type Side = "claimant" | "defendant" | null;
+
+// Internal column-position alias. "ours" is always rendered in the
+// left grid column ("Unsere Seite"); "opponent" is always the right
+// column ("Gegnerseite"). Field names mirror the labels so the
+// bucketing primitive reads as a direct mapping.
+type ColumnPosition = "ours" | "opponent";
+
+export interface ColumnsBodyOpts {
+  editable?: boolean;
+  showNotes?: boolean;
+  // side: which side the user is on. Drives column placement;
+  // does NOT filter rows. Default null = claimant-on-the-left
+  // (i.e. "ours = claimant", legacy default).
+  side?: Side;
+  // appellant: which side initiated the appeal / counterclaim.
+  // When set, party=both rows go to the appellant's column ONLY
+  // (no mirror). Default null = mirror "both" into both cells
+  // (legacy behaviour). Independent of `side`.
+  appellant?: Side;
+}
+
+// ColumnsRow is the per-due-date bucket the renderer consumes. Public
+// so unit tests can hit the pure routing logic without going through
+// document.createElement (no jsdom in this repo).
+export interface ColumnsRow {
+  key: string;
+  ours: CalculatedDeadline[];
+  court: CalculatedDeadline[];
+  opponent: CalculatedDeadline[];
+}
+
+export interface BucketingOpts {
+  side?: Side;
+  appellant?: Side;
+}
+
+// bucketDeadlinesIntoColumns is the pure routing primitive that
+// renderColumnsBody uses. Extracted as its own export so the per-row
+// column placement (including the side-swap + appellant-collapse
+// logic from m/paliad#81 and the user-perspective re-frame from
+// m/paliad#88) is unit-testable without a DOM. The returned rows are
+// sorted: dated rows ascending by dueDate, then unscheduled rows in
+// declaration order (each keyed by sequence).
+export function bucketDeadlinesIntoColumns(
+  deadlines: CalculatedDeadline[],
+  opts: BucketingOpts = {},
+): ColumnsRow[] {
+  const userSide: Side = opts.side ?? null;
+  // Default (side=null) treats the user as claimant — keeps the
+  // legacy claimant-on-the-left layout when no perspective is picked.
+  const claimantColumn: ColumnPosition = userSide === "defendant" ? "opponent" : "ours";
+  const defendantColumn: ColumnPosition = claimantColumn === "ours" ? "opponent" : "ours";
+  const appellantColumn: ColumnPosition | null =
+    opts.appellant === "claimant" ? claimantColumn
+    : opts.appellant === "defendant" ? defendantColumn
+    : null;
 
   const UNSCHEDULED_PREFIX = "__unscheduled__";
-  const rowsMap = new Map<string, Row>();
-  const ensureRow = (key: string): Row => {
+  const rowsMap = new Map<string, ColumnsRow>();
+  const ensureRow = (key: string): ColumnsRow => {
     let r = rowsMap.get(key);
     if (!r) {
-      r = { proactive: [], court: [], reactive: [] };
+      r = { key, ours: [], court: [], opponent: [] };
       rowsMap.set(key, r);
     }
     return r;
   };
 
-  data.deadlines.forEach((dl, idx) => {
+  deadlines.forEach((dl, idx) => {
     const key = dl.dueDate || `${UNSCHEDULED_PREFIX}${String(idx).padStart(4, "0")}`;
     const row = ensureRow(key);
     switch (dl.party) {
       case "claimant":
-        row.proactive.push(dl);
+        row[claimantColumn].push(dl);
         break;
       case "defendant":
-        row.reactive.push(dl);
+        row[defendantColumn].push(dl);
         break;
       case "court":
         row.court.push(dl);
         break;
       case "both":
-        row.proactive.push(dl);
-        row.reactive.push(dl);
+        // t-paliad-265: a per-card appellant set on a decision
+        // ancestor propagates as appellantContext on this rule. When
+        // present, it overrides the page-level appellant for the
+        // collapse decision on THIS row. Falls through to page-level
+        // when empty.
+        if (dl.appellantContext === "claimant" || dl.appellantContext === "defendant") {
+          const perCardCol = dl.appellantContext === "claimant" ? claimantColumn : defendantColumn;
+          row[perCardCol].push(dl);
+        } else if (appellantColumn !== null) {
+          // Role-swap collapse: appellant initiated → both → one row
+          // in appellant's column. Mirror suppressed.
+          row[appellantColumn].push(dl);
+        } else {
+          row.ours.push(dl);
+          row.opponent.push(dl);
+        }
         break;
       default:
         row.court.push(dl);
@@ -462,20 +660,38 @@ export function renderColumnsBody(data: DeadlineResponse, opts: Omit<CardOpts, "
   }
   datedKeys.sort();
   unscheduledKeys.sort();
-  const keys = [...datedKeys, ...unscheduledKeys];
+  return [...datedKeys, ...unscheduledKeys].map((k) => rowsMap.get(k)!);
+}
+
+export function renderColumnsBody(data: DeadlineResponse, opts: ColumnsBodyOpts = {}): string {
+  const userSide: Side = opts.side ?? null;
+  const rows = bucketDeadlinesIntoColumns(data.deadlines, { side: userSide, appellant: opts.appellant });
+  const appellantPinned = opts.appellant === "claimant" || opts.appellant === "defendant";
 
   const cardOpts: CardOpts = { showParty: false, editable: opts.editable, showNotes: opts.showNotes };
 
+  // Collapsed "both" rows lose their mirror tag — there's no longer
+  // a sibling row to mirror to, so the "↔ beide Seiten" hint would
+  // be misleading. Keep it for the legacy mirror path.
+  const showMirrorTag = !appellantPinned;
+
   const renderCell = (items: CalculatedDeadline[]): string => {
     if (items.length === 0) {
       return `<div class="fr-col-cell fr-col-cell--empty"></div>`;
     }
     const cards = items
       .map((dl) => {
-        const mirrorTag = dl.party === "both"
+        const mirrorTag = showMirrorTag && dl.party === "both"
           ? `<div class="fr-col-mirror">↔ ${escHtml(t("deadlines.party.both.label"))}</div>`
           : "";
-        return `<div class="fr-col-item ${dl.isRootEvent ? "fr-col-root" : ""}">
+        const itemClasses = [
+          "fr-col-item",
+          dl.isRootEvent ? "fr-col-root" : "",
+          // t-paliad-289: same conditional treatment as the linear
+          // timeline-item — dotted border + faded styling.
+          dl.isConditional ? "fr-col-item--conditional" : "",
+        ].filter(Boolean).join(" ");
+        return `<div class="${itemClasses}">
           ${deadlineCardHtml(dl, cardOpts)}
           ${mirrorTag}
         </div>`;
@@ -487,16 +703,19 @@ export function renderColumnsBody(data: DeadlineResponse, opts: Omit<CardOpts, "
   const headerCell = (label: string, cls: string) =>
     `<div class="fr-col-header ${cls}">${escHtml(label)}</div>`;
 
+  // Static labels — "Unsere Seite" is always the left column, regardless
+  // of which physical party (claimant vs defendant) occupies it. The
+  // bucketing primitive already routes the user's side into the `ours`
+  // bucket, so the header truth-fully describes the column contents.
   let html = '<div class="fr-columns-view">';
-  html += headerCell(t("deadlines.col.proactive"), "fr-col-proactive");
+  html += headerCell(t("deadlines.col.ours"), "fr-col-ours");
   html += headerCell(t("deadlines.col.court"), "fr-col-court");
-  html += headerCell(t("deadlines.col.reactive"), "fr-col-reactive");
+  html += headerCell(t("deadlines.col.opponent"), "fr-col-opponent");
 
-  for (const key of keys) {
-    const row = rowsMap.get(key)!;
-    html += renderCell(row.proactive);
+  for (const row of rows) {
+    html += renderCell(row.ours);
     html += renderCell(row.court);
-    html += renderCell(row.reactive);
+    html += renderCell(row.opponent);
   }
   html += "</div>";
   return html;
@@ -519,6 +738,10 @@ export async function calculateDeadlines(params: CalcParams): Promise<DeadlineRe
           ? params.anchorOverrides
           : undefined,
         courtId: params.courtId || undefined,
+        projectId: params.projectId || undefined,
+        perCardChoices: params.perCardChoices && params.perCardChoices.length > 0
+          ? params.perCardChoices
+          : undefined,
       }),
     });
     if (!resp.ok) {

frontend/src/components/Sidebar.tsx

@@ -207,6 +207,7 @@ export function Sidebar({ currentPath, authenticated = true }: SidebarProps): st
             {navItem("/admin/rules", ICON_BOOK, "nav.admin.rules", "Regeln verwalten", currentPath)}
             {navItem("/admin/rules/export", ICON_DOWNLOAD, "nav.admin.rules_export", "Regel-Migrations", currentPath)}
             {navItem("/admin/audit-log", ICON_AUDIT_LOG, "nav.admin.audit", "Audit-Log", currentPath)}
+            {navItem("/admin/backups", ICON_DOWNLOAD, "nav.admin.backups", "Backups", currentPath)}
             {/* Paliadin Monitor — owner-only sub-entry; revealed by sidebar.ts together with the /paliadin link. */}
             <a href="/admin/paliadin" id="sidebar-admin-paliadin-link"
                className={`sidebar-item${currentPath === "/admin/paliadin" ? " active" : ""}`}

frontend/src/deadlines-detail.tsx

@@ -41,6 +41,19 @@ export function renderDeadlinesDetail(): string {
                     <div className="entity-detail-title-col">
                       <h1 id="deadline-title-display" />
                       <input type="text" id="deadline-title-edit" className="entity-title-input" style="display:none" />
+                      {/* t-paliad-251 Part 4 — Standardtitel button only
+                          visible in edit mode; clicking replaces the
+                          title with a default derived from the project
+                          and the deadline's event types / rule. */}
+                      <button
+                        type="button"
+                        id="deadline-title-default-btn"
+                        className="btn-link-action"
+                        style="display:none"
+                        data-i18n="deadlines.field.title.default_btn"
+                      >
+                        Standardtitel
+                      </button>
                       <div className="entity-detail-meta">
                         <span id="deadline-due-chip" className="frist-due-chip" />
                         <span id="deadline-status-chip" className="entity-status-chip" />
@@ -95,7 +108,36 @@ export function renderDeadlinesDetail(): string {
                     </dd>
 
                     <dt data-i18n="deadlines.detail.rule">Regel</dt>
-                    <dd id="deadline-rule-display">&mdash;</dd>
+                    <dd>
+                      <span id="deadline-rule-display">&mdash;</span>
+                      {/* t-paliad-258 — Auto / Custom rule editor.
+                          Mirrors /deadlines/new: read-only Auto display
+                          (resolved from Type) or free-text Custom input,
+                          with a toggle link. Hidden outside edit mode. */}
+                      <div className="rule-edit-block" id="deadline-rule-edit" style="display:none">
+                        <button
+                          type="button"
+                          id="deadline-rule-mode-toggle"
+                          className="btn-link-action"
+                          data-i18n="deadlines.field.rule.mode.toggle_to_custom"
+                        >
+                          Eigene Regel eingeben
+                        </button>
+                        <div className="rule-mode-auto" id="deadline-rule-auto-display">
+                          <span className="form-hint-badge" data-i18n="deadlines.field.rule.auto_badge">Auto</span>
+                          <span id="deadline-rule-auto-text" className="rule-auto-text">&mdash;</span>
+                        </div>
+                        <input
+                          type="text"
+                          id="deadline-rule-custom-input"
+                          className="rule-mode-custom"
+                          style="display:none"
+                          placeholder="z.B. interner Review-Termin"
+                          data-i18n-placeholder="deadlines.field.rule.custom_placeholder"
+                          maxLength={200}
+                        />
+                      </div>
+                    </dd>
 
                     <dt data-i18n="deadlines.detail.source">Quelle</dt>
                     <dd id="deadline-source-display" />

frontend/src/deadlines-new.tsx

@@ -45,7 +45,22 @@ export function renderDeadlinesNew(): string {
                 </div>
 
                 <div className="form-field">
-                  <label htmlFor="deadline-title" data-i18n="deadlines.field.title">Titel</label>
+                  <div className="form-field-label-row">
+                    <label htmlFor="deadline-title" data-i18n="deadlines.field.title">Titel</label>
+                    {/* t-paliad-251 Part 4 — derive a Standardtitel from the
+                        currently-known context (event type → rule → proceeding
+                        type → fallback) with the project reference as suffix.
+                        Always replaces the title; no destructive confirmation
+                        because the user invoked it explicitly. */}
+                    <button
+                      type="button"
+                      id="deadline-title-default-btn"
+                      className="btn-link-action"
+                      data-i18n="deadlines.field.title.default_btn"
+                    >
+                      Standardtitel
+                    </button>
+                  </div>
                   <input
                     type="text"
                     id="deadline-title"
@@ -57,58 +72,42 @@ export function renderDeadlinesNew(): string {
 
                 <div className="form-field" id="deadline-event-type-field">
                   <label data-i18n="deadlines.field.event_type">Typ (optional)</label>
-                  {/* t-paliad-165 follow-up — collapsed view: when a Regel
-                      is selected and a default event_type is known, the
-                      Typ chip is hidden and the type is rendered inline
-                      as a single read-only summary with an "Anderen Typ
-                      wählen" link that re-expands the picker. */}
-                  <div
-                    className="event-type-collapsed"
-                    id="deadline-event-type-collapsed"
-                    style="display:none"
-                  >
-                    <span
-                      className="event-type-collapsed-label"
-                      id="deadline-event-type-collapsed-label"
-                    />
-                    <span
-                      className="event-type-collapsed-source"
-                      data-i18n="deadlines.field.rule.autofill_inline"
-                    >
-                      &nbsp;(vorgegeben durch Regel)
-                    </span>
-                    <button
-                      type="button"
-                      className="event-type-collapsed-override"
-                      id="deadline-event-type-override-btn"
-                      data-i18n="deadlines.field.rule.override"
-                    >
-                      Anderen Typ w&auml;hlen
-                    </button>
-                  </div>
                   <div id="deadline-event-types" className="event-type-picker-host" />
-                  {/* Soft warning when the user is in expanded mode AND
-                      has picked an event_type that doesn't include the
-                      rule's canonical default. Reuses the existing
-                      yellow form-hint--warning style; never blocking. */}
-                  <p
-                    className="form-hint form-hint--warning"
-                    id="deadline-event-type-rule-mismatch"
-                    style="display:none"
-                    data-i18n="deadlines.field.rule.mismatch"
-                  >
-                    Hinweis: Typ widerspricht Regel &mdash; Sie haben den Typ &uuml;berschrieben.
-                  </p>
                 </div>
 
-                {/* m/paliad#56 — Regel sits directly beneath the Typ
-                    picker so the parent/child relationship reads at a
-                    glance. Due date is its own row below. */}
+                {/* t-paliad-258 / m/paliad#89 — binary Rule field.
+                    Auto (default): rule_id derived from the chosen
+                    Type, displayed read-only with a canonical
+                    "Name · Citation" label. Custom: free-text input,
+                    no catalog FK. Toggle switches modes. */}
                 <div className="form-field">
-                  <label htmlFor="deadline-rule" data-i18n="deadlines.field.rule">Regel (optional)</label>
-                  <select id="deadline-rule">
-                    <option value="" data-i18n="deadlines.field.rule.none">Keine Regel</option>
-                  </select>
+                  <div className="form-field-label-row">
+                    <label data-i18n="deadlines.field.rule">Regel</label>
+                    <button
+                      type="button"
+                      id="deadline-rule-mode-toggle"
+                      className="btn-link-action"
+                      data-i18n="deadlines.field.rule.mode.toggle_to_custom"
+                    >
+                      Eigene Regel eingeben
+                    </button>
+                  </div>
+                  <div className="rule-mode-auto" id="deadline-rule-auto-display">
+                    <span
+                      className="form-hint-badge"
+                      data-i18n="deadlines.field.rule.auto_badge"
+                    >Auto</span>
+                    <span id="deadline-rule-auto-text" className="rule-auto-text">&mdash;</span>
+                  </div>
+                  <input
+                    type="text"
+                    id="deadline-rule-custom-input"
+                    className="rule-mode-custom"
+                    style="display:none"
+                    placeholder="z.B. interner Review-Termin"
+                    data-i18n-placeholder="deadlines.field.rule.custom_placeholder"
+                    maxLength={200}
+                  />
                 </div>
 
                 <div className="form-field">

frontend/src/i18n-keys.ts

@@ -90,6 +90,28 @@ export type I18nKey =
   | "admin.audit.source.reminder_log"
   | "admin.audit.subtitle"
   | "admin.audit.title"
+  | "admin.backups.col.actions"
+  | "admin.backups.col.kind"
+  | "admin.backups.col.requested_by"
+  | "admin.backups.col.rows"
+  | "admin.backups.col.size"
+  | "admin.backups.col.started"
+  | "admin.backups.col.status"
+  | "admin.backups.download"
+  | "admin.backups.empty"
+  | "admin.backups.footer.note"
+  | "admin.backups.heading"
+  | "admin.backups.kind.on_demand"
+  | "admin.backups.kind.scheduled"
+  | "admin.backups.loading"
+  | "admin.backups.run_now"
+  | "admin.backups.running"
+  | "admin.backups.status.done"
+  | "admin.backups.status.failed"
+  | "admin.backups.status.running"
+  | "admin.backups.subtitle"
+  | "admin.backups.success"
+  | "admin.backups.title"
   | "admin.broadcasts.col.count"
   | "admin.broadcasts.col.sender"
   | "admin.broadcasts.col.sent_at"
@@ -268,6 +290,15 @@ export type I18nKey =
   | "admin.partner_units.new.heading"
   | "admin.partner_units.subtitle"
   | "admin.partner_units.title"
+  | "admin.procedural_events.col.code"
+  | "admin.procedural_events.edit.breadcrumb"
+  | "admin.procedural_events.edit.field.code"
+  | "admin.procedural_events.edit.field.event_kind"
+  | "admin.procedural_events.edit.field.parent"
+  | "admin.procedural_events.edit.title"
+  | "admin.procedural_events.list.heading"
+  | "admin.procedural_events.list.new"
+  | "admin.procedural_events.list.title"
   | "admin.rules.col.legal_citation"
   | "admin.rules.col.lifecycle"
   | "admin.rules.col.modified"
@@ -682,9 +713,20 @@ export type I18nKey =
   | "approvals.tab.mine"
   | "approvals.tab.pending_mine"
   | "approvals.title"
+  | "approvals.withdraw.cancel"
   | "approvals.withdraw.confirm"
   | "approvals.withdraw.cta"
+  | "approvals.withdraw.destructive.label"
   | "approvals.withdraw.error"
+  | "approvals.withdraw.lead.create.appointment"
+  | "approvals.withdraw.lead.create.deadline"
+  | "approvals.withdraw.lead.delete"
+  | "approvals.withdraw.lead.update"
+  | "approvals.withdraw.modal.title"
+  | "approvals.withdraw.primary.label"
+  | "approvals.withdraw.sub.create"
+  | "approvals.withdraw.sub.delete"
+  | "approvals.withdraw.sub.update"
   | "bottomnav.add"
   | "bottomnav.add.appointment"
   | "bottomnav.add.appointment.sub"
@@ -966,6 +1008,23 @@ export type I18nKey =
   | "checklisten.tab.mine"
   | "checklisten.tab.templates"
   | "checklisten.title"
+  | "choices.appellant.both"
+  | "choices.appellant.chip"
+  | "choices.appellant.claimant"
+  | "choices.appellant.defendant"
+  | "choices.appellant.none"
+  | "choices.appellant.title"
+  | "choices.caret.title"
+  | "choices.commit.error"
+  | "choices.include_ccr.chip"
+  | "choices.include_ccr.false"
+  | "choices.include_ccr.title"
+  | "choices.include_ccr.true"
+  | "choices.reset"
+  | "choices.skip.false"
+  | "choices.skip.title"
+  | "choices.skip.true"
+  | "choices.skipped.chip"
   | "common.cancel"
   | "common.close"
   | "common.forbidden"
@@ -1104,6 +1163,33 @@ export type I18nKey =
   | "dashboard.urgency.urgent"
   | "dashboard.when.today"
   | "dashboard.when.tomorrow"
+  | "date_range.button.label"
+  | "date_range.button.label.custom_range"
+  | "date_range.center.label"
+  | "date_range.custom.apply"
+  | "date_range.custom.cancel"
+  | "date_range.custom.from"
+  | "date_range.custom.invalid"
+  | "date_range.custom.invalid_format"
+  | "date_range.custom.invalid_missing"
+  | "date_range.custom.to"
+  | "date_range.dialog.label"
+  | "date_range.fan.future.label"
+  | "date_range.fan.past.label"
+  | "date_range.horizon.any"
+  | "date_range.horizon.custom"
+  | "date_range.horizon.next_14d"
+  | "date_range.horizon.next_1d"
+  | "date_range.horizon.next_30d"
+  | "date_range.horizon.next_7d"
+  | "date_range.horizon.next_90d"
+  | "date_range.horizon.next_all"
+  | "date_range.horizon.past_14d"
+  | "date_range.horizon.past_1d"
+  | "date_range.horizon.past_30d"
+  | "date_range.horizon.past_7d"
+  | "date_range.horizon.past_90d"
+  | "date_range.horizon.past_all"
   | "deadlines.action.reopen"
   | "deadlines.adjusted"
   | "deadlines.adjusted.holiday"
@@ -1112,6 +1198,10 @@ export type I18nKey =
   | "deadlines.adjusted.weekend"
   | "deadlines.adjusted.weekend.saturday"
   | "deadlines.adjusted.weekend.sunday"
+  | "deadlines.appellant.claimant"
+  | "deadlines.appellant.defendant"
+  | "deadlines.appellant.label"
+  | "deadlines.appellant.none"
   | "deadlines.calculate"
   | "deadlines.card.calc.add_to_project"
   | "deadlines.card.calc.add_to_project.disabled"
@@ -1138,13 +1228,15 @@ export type I18nKey =
   | "deadlines.col.court"
   | "deadlines.col.due"
   | "deadlines.col.event_type"
-  | "deadlines.col.proactive"
-  | "deadlines.col.reactive"
+  | "deadlines.col.opponent"
+  | "deadlines.col.ours"
   | "deadlines.col.rule"
   | "deadlines.col.status"
   | "deadlines.col.title"
   | "deadlines.complete.action"
   | "deadlines.complete.confirm"
+  | "deadlines.conditional.depends_on"
+  | "deadlines.conditional.unset"
   | "deadlines.court.indirect"
   | "deadlines.court.label"
   | "deadlines.court.set"
@@ -1227,12 +1319,16 @@ export type I18nKey =
   | "deadlines.field.notes"
   | "deadlines.field.notes.placeholder"
   | "deadlines.field.rule"
-  | "deadlines.field.rule.autofill"
-  | "deadlines.field.rule.autofill_inline"
-  | "deadlines.field.rule.mismatch"
-  | "deadlines.field.rule.none"
-  | "deadlines.field.rule.override"
+  | "deadlines.field.rule.auto_badge"
+  | "deadlines.field.rule.auto_no_match"
+  | "deadlines.field.rule.auto_pick_type"
+  | "deadlines.field.rule.custom_badge"
+  | "deadlines.field.rule.custom_placeholder"
+  | "deadlines.field.rule.mode.toggle_to_auto"
+  | "deadlines.field.rule.mode.toggle_to_custom"
   | "deadlines.field.title"
+  | "deadlines.field.title.default_btn"
+  | "deadlines.field.title.default_fallback"
   | "deadlines.field.title.placeholder"
   | "deadlines.filter.akte"
   | "deadlines.filter.akte.all"
@@ -1366,6 +1462,12 @@ export type I18nKey =
   | "deadlines.search.placeholder"
   | "deadlines.search.results.count"
   | "deadlines.search.results.count_one"
+  | "deadlines.side.both"
+  | "deadlines.side.claimant"
+  | "deadlines.side.defendant"
+  | "deadlines.side.from_project"
+  | "deadlines.side.label"
+  | "deadlines.side.override"
   | "deadlines.source.caldav"
   | "deadlines.source.fristenrechner"
   | "deadlines.source.imported"
@@ -1396,6 +1498,7 @@ export type I18nKey =
   | "deadlines.step2.happened.desc"
   | "deadlines.step2.happened.title"
   | "deadlines.step2.heading"
+  | "deadlines.step2.perspective"
   | "deadlines.step3"
   | "deadlines.step3a.back"
   | "deadlines.step3a.draft.desc"
@@ -1532,6 +1635,7 @@ export type I18nKey =
   | "event.title.appointment_deleted"
   | "event.title.appointment_project_changed"
   | "event.title.appointment_updated"
+  | "event.title.approval_decided"
   | "event.title.checklist_created"
   | "event.title.checklist_deleted"
   | "event.title.checklist_linked"
@@ -1550,6 +1654,7 @@ export type I18nKey =
   | "event.title.deadline_reopened"
   | "event.title.deadline_updated"
   | "event.title.deadlines_imported"
+  | "event.title.member_role_changed"
   | "event.title.note_created"
   | "event.title.our_side_changed"
   | "event.title.project_archived"
@@ -1574,6 +1679,8 @@ export type I18nKey =
   | "event_types.browse.apply"
   | "event_types.browse.cancel"
   | "event_types.browse.empty"
+  | "event_types.browse.jurisdiction.all"
+  | "event_types.browse.jurisdiction.filter_label"
   | "event_types.browse.jurisdiction.none"
   | "event_types.browse.search"
   | "event_types.browse.selected_count"
@@ -1716,9 +1823,15 @@ export type I18nKey =
   | "glossar.suggest.success"
   | "glossar.suggest.title"
   | "glossar.title"
+  | "inbox.action.mark_all_seen"
+  | "inbox.action.open"
   | "inbox.empty.admin_nudge.body"
   | "inbox.empty.admin_nudge.cta"
   | "inbox.empty.admin_nudge.title"
+  | "inbox.empty.feed"
+  | "inbox.heading.feed"
+  | "inbox.subtitle.feed"
+  | "inbox.title.feed"
   | "index.checklisten.desc"
   | "index.checklisten.title"
   | "index.cost.desc"
@@ -1869,6 +1982,7 @@ export type I18nKey =
   | "login.title"
   | "modal.close.label"
   | "nav.admin.audit"
+  | "nav.admin.backups"
   | "nav.admin.bereich"
   | "nav.admin.event_types"
   | "nav.admin.paliadin"
@@ -2188,6 +2302,11 @@ export type I18nKey =
   | "projects.detail.parteien.role.defendant"
   | "projects.detail.parteien.role.thirdparty"
   | "projects.detail.save"
+  | "projects.detail.settings.archive.cta"
+  | "projects.detail.settings.archive.description"
+  | "projects.detail.settings.archive.heading"
+  | "projects.detail.settings.export.description"
+  | "projects.detail.settings.export.heading"
   | "projects.detail.smarttimeline.add.cancel"
   | "projects.detail.smarttimeline.add.choice.amend"
   | "projects.detail.smarttimeline.add.choice.appointment"
@@ -2277,6 +2396,7 @@ export type I18nKey =
   | "projects.detail.tab.kinder"
   | "projects.detail.tab.notizen"
   | "projects.detail.tab.parteien"
+  | "projects.detail.tab.settings"
   | "projects.detail.tab.submissions"
   | "projects.detail.tab.team"
   | "projects.detail.tab.termine"
@@ -2501,9 +2621,16 @@ export type I18nKey =
   | "submissions.draft.action.export"
   | "submissions.draft.action.new"
   | "submissions.draft.back"
+  | "submissions.draft.import.button"
+  | "submissions.draft.language"
+  | "submissions.draft.language.de"
+  | "submissions.draft.language.en"
+  | "submissions.draft.language.fallback_notice"
   | "submissions.draft.loading"
   | "submissions.draft.name.placeholder"
   | "submissions.draft.notfound"
+  | "submissions.draft.parties.hint"
+  | "submissions.draft.parties.title"
   | "submissions.draft.preview.hint"
   | "submissions.draft.preview.title"
   | "submissions.draft.switcher.label"
@@ -2630,12 +2757,17 @@ export type I18nKey =
   | "views.bar.deadline_status.pending"
   | "views.bar.density.comfortable"
   | "views.bar.density.compact"
+  | "views.bar.inbox_focus.alles"
+  | "views.bar.inbox_focus.genehmigungen"
+  | "views.bar.inbox_focus.plus_fristen"
+  | "views.bar.inbox_focus.plus_termine"
   | "views.bar.label.appointment_type"
   | "views.bar.label.approval_entity"
   | "views.bar.label.approval_role"
   | "views.bar.label.approval_status"
   | "views.bar.label.deadline_status"
   | "views.bar.label.density"
+  | "views.bar.label.inbox_focus"
   | "views.bar.label.personal"
   | "views.bar.label.project_event_kind"
   | "views.bar.label.shape"
@@ -2643,6 +2775,7 @@ export type I18nKey =
   | "views.bar.label.time"
   | "views.bar.label.timeline_status"
   | "views.bar.label.timeline_track"
+  | "views.bar.label.unread_only"
   | "views.bar.personal.on"
   | "views.bar.save.cancel"
   | "views.bar.save.confirm"
@@ -2660,16 +2793,6 @@ export type I18nKey =
   | "views.bar.shape.list"
   | "views.bar.sort.date_asc"
   | "views.bar.sort.date_desc"
-  | "views.bar.time.all"
-  | "views.bar.time.any"
-  | "views.bar.time.custom"
-  | "views.bar.time.custom.coming_soon"
-  | "views.bar.time.next_30d"
-  | "views.bar.time.next_7d"
-  | "views.bar.time.next_90d"
-  | "views.bar.time.past_30d"
-  | "views.bar.time.past_7d"
-  | "views.bar.time.past_90d"
   | "views.bar.timeline_status.court_set"
   | "views.bar.timeline_status.done"
   | "views.bar.timeline_status.macro.future"
@@ -2682,6 +2805,8 @@ export type I18nKey =
   | "views.bar.timeline_track.counterclaim"
   | "views.bar.timeline_track.off_script"
   | "views.bar.timeline_track.parent"
+  | "views.bar.unread_only.off"
+  | "views.bar.unread_only.on"
   | "views.calendar.mobile_fallback"
   | "views.col.actor"
   | "views.col.appointment_type"
@@ -2742,11 +2867,18 @@ export type I18nKey =
   | "views.horizon.all"
   | "views.horizon.any"
   | "views.horizon.custom"
+  | "views.horizon.next_14d"
+  | "views.horizon.next_1d"
   | "views.horizon.next_30d"
   | "views.horizon.next_7d"
   | "views.horizon.next_90d"
+  | "views.horizon.next_all"
+  | "views.horizon.past_14d"
+  | "views.horizon.past_1d"
   | "views.horizon.past_30d"
+  | "views.horizon.past_7d"
   | "views.horizon.past_90d"
+  | "views.horizon.past_all"
   | "views.kind.appointment"
   | "views.kind.approval_request"
   | "views.kind.deadline"

frontend/src/inbox.tsx

@@ -5,15 +5,14 @@ import { BottomNav } from "./components/BottomNav";
 import { Footer } from "./components/Footer";
 import { PWAHead } from "./components/PWAHead";
 
-// /inbox — t-paliad-163 universal-filter migration.
+// /inbox — t-paliad-249 unified inbox feed.
 //
-// The page is a thin shell around two host divs: one for the
-// <FilterBar> primitive and one for the result list. The bar takes
-// care of every axis (approval_viewer_role chip cluster replaces the
-// two-tab UI; status / entity_type / time chips are new affordances).
-// Rows render via shape-list.ts with row_action="approve" — the
-// inbox-specific markup that produces the diff + approve/reject/revoke
-// buttons. Action handlers are wired in client/inbox.ts.
+// Since t-paliad-249 the page is a thin shell around the FilterBar +
+// result list as before, but the InboxSystemView now spans both
+// approval_request and project_event sources. Rows render via
+// shape-list.ts's row_action="inbox" dispatch — approval rows keep
+// the existing diff + approve/reject/revoke markup, project_event
+// rows render as compact stream items.
 //
 // The legacy `?tab=` URL is preserved by the client: ?tab=mine maps
 // to ?a_role=self_requested before the bar mounts so old bookmarks
@@ -28,7 +27,7 @@ export function renderInbox(): string {
         <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
         <meta name="theme-color" content="#BFF355" />
         <PWAHead />
-        <title data-i18n="approvals.title">Genehmigungen &mdash; Paliad</title>
+        <title data-i18n="inbox.title.feed">Inbox &mdash; Paliad</title>
         <link rel="stylesheet" href="/assets/global.css" />
       </head>
       <body className="has-sidebar">
@@ -39,10 +38,24 @@ export function renderInbox(): string {
           <section className="tool-page">
             <div className="container">
               <div className="tool-header">
-                <h1 data-i18n="approvals.heading">Genehmigungen</h1>
-                <p className="tool-subtitle" data-i18n="approvals.subtitle">
-                  4-Augen-Pr&uuml;fung f&uuml;r Fristen und Termine.
-                </p>
+                <div className="entity-header-row">
+                  <div>
+                    <h1 data-i18n="inbox.heading.feed">Inbox</h1>
+                    <p className="tool-subtitle" data-i18n="inbox.subtitle.feed">
+                      Neuigkeiten zu Ihren Projekten und offene Genehmigungen.
+                    </p>
+                  </div>
+                  <div className="inbox-header-actions">
+                    <button
+                      type="button"
+                      id="inbox-mark-all-seen"
+                      className="btn-secondary"
+                      data-i18n="inbox.action.mark_all_seen"
+                    >
+                      Alles als gelesen markieren
+                    </button>
+                  </div>
+                </div>
               </div>
 
               <div id="inbox-filter-bar" />

frontend/src/projects-detail.tsx

@@ -89,20 +89,9 @@ export function renderProjectsDetail(): string {
                   <a className="entity-tab" data-tab="notes" href="#" data-i18n="projects.detail.tab.notizen">Notizen</a>
                   <a className="entity-tab" data-tab="checklists" href="#" data-i18n="projects.detail.tab.checklisten">Checklisten</a>
                   <a className="entity-tab" data-tab="submissions" href="#" data-i18n="projects.detail.tab.submissions">Schriftsätze</a>
-                  {/* t-paliad-214 Slice 2 — project-subtree export button.
-                      Sits at the end of the tab nav. Hidden by default; the
-                      client unhides it after /api/me confirms the caller can
-                      extract (responsibility ∈ {lead, member} OR global_admin). */}
-                  <button
-                    type="button"
-                    id="project-export-btn"
-                    className="entity-tab entity-tab-action"
-                    style="display:none"
-                    title=""
-                    data-i18n-title="projects.detail.export.tooltip"
-                    data-i18n="projects.detail.export.button">
-                    Daten exportieren
-                  </button>
+                  {/* Verwaltung — rare admin actions (export, archive). Sits
+                      last in the tab list per t-paliad-245. */}
+                  <a className="entity-tab" data-tab="settings" href="#" data-i18n="projects.detail.tab.settings">Verwaltung</a>
                 </nav>
 
                 {/* History (Verlauf) — t-paliad-171 SmartTimeline Slice 1.
@@ -666,6 +655,39 @@ export function renderProjectsDetail(): string {
                     Schriftsätze werden direkt aus dem Projekt heraus als .docx generiert. Anpassen, drucken, einreichen.
                   </p>
                 </section>
+
+                {/* Verwaltung — rare admin actions (export, archive). Each
+                    sub-section hides itself if the caller is not entitled
+                    (export: §4 gate; archive: global_admin). */}
+                <section className="entity-tab-panel" id="tab-settings" style="display:none">
+                  <div className="settings-section" id="project-settings-export" style="display:none">
+                    <h3 className="entity-section-heading" data-i18n="projects.detail.settings.export.heading">Daten exportieren</h3>
+                    <p className="tool-subtitle" data-i18n="projects.detail.settings.export.description">
+                      Lade alle Daten dieses Projekts (inkl. Unter-Projekten) als Excel + JSON + CSV-Archiv herunter.
+                    </p>
+                    <button
+                      type="button"
+                      id="project-export-btn"
+                      className="btn-secondary"
+                      data-i18n="projects.detail.export.button">
+                      Daten exportieren
+                    </button>
+                  </div>
+
+                  <div className="settings-section" id="project-settings-archive" style="display:none">
+                    <h3 className="entity-section-heading" data-i18n="projects.detail.settings.archive.heading">Projekt archivieren</h3>
+                    <p className="tool-subtitle" data-i18n="projects.detail.settings.archive.description">
+                      Archivieren erfolgt aus dem Bearbeiten-Dialog (Gefahrenbereich).
+                    </p>
+                    <button
+                      type="button"
+                      id="project-settings-archive-link"
+                      className="btn-secondary"
+                      data-i18n="projects.detail.settings.archive.cta">
+                      Bearbeiten öffnen
+                    </button>
+                  </div>
+                </section>
               </div>
 
               {/* Full edit modal — same form as /projects/new, pre-filled. */}

frontend/src/submission-draft.tsx

@@ -109,8 +109,93 @@ export function renderSubmissionDraft(): string {
                       </button>
                     </div>
 
+                    {/* t-paliad-276 — output language toggle (DE/EN).
+                        Hydrated by client/submission-draft.ts; switching
+                        autosaves the draft and re-renders the preview. */}
+                    <div
+                      className="submission-draft-language-row"
+                      id="submission-draft-language-row"
+                      role="radiogroup"
+                      aria-labelledby="submission-draft-language-label">
+                      <span
+                        id="submission-draft-language-label"
+                        className="submission-draft-language-label"
+                        data-i18n="submissions.draft.language">
+                        Sprache
+                      </span>
+                      <label className="submission-draft-language-option">
+                        <input
+                          type="radio"
+                          name="submission-draft-language"
+                          value="de"
+                          id="submission-draft-language-de"
+                        />
+                        <span data-i18n="submissions.draft.language.de">DE</span>
+                      </label>
+                      <label className="submission-draft-language-option">
+                        <input
+                          type="radio"
+                          name="submission-draft-language"
+                          value="en"
+                          id="submission-draft-language-en"
+                        />
+                        <span data-i18n="submissions.draft.language.en">EN</span>
+                      </label>
+                    </div>
+                    <p
+                      className="submission-draft-language-fallback"
+                      id="submission-draft-language-fallback"
+                      style="display:none"
+                      data-i18n="submissions.draft.language.fallback_notice">
+                      Fallback: universelles Skelett (keine sprachspezifische Vorlage).
+                    </p>
+
                     <p className="submission-draft-savestatus" id="submission-draft-savestatus" />
 
+                    {/* t-paliad-277: "Aus Projekt importieren" + last-
+                        imported-at timestamp. Only visible when the
+                        draft has a project_id attached. */}
+                    <div
+                      id="submission-draft-import-row"
+                      className="submission-draft-import-row"
+                      style="display:none">
+                      <button
+                        type="button"
+                        id="submission-draft-import-btn"
+                        className="btn-small btn-secondary"
+                        data-i18n="submissions.draft.import.button">
+                        Aus Projekt importieren
+                      </button>
+                      <span
+                        id="submission-draft-import-stamp"
+                        className="submission-draft-import-stamp"
+                      />
+                    </div>
+
+                    {/* t-paliad-277: multi-select party picker.
+                        Populated from view.available_parties; checkbox
+                        per party, grouped by role. Hidden when no
+                        project or no parties on the project. */}
+                    <div
+                      id="submission-draft-parties"
+                      className="submission-draft-parties"
+                      style="display:none">
+                      <h3
+                        className="submission-draft-var-group-title"
+                        data-i18n="submissions.draft.parties.title">
+                        Parteien
+                      </h3>
+                      <p
+                        className="submission-draft-parties-hint"
+                        data-i18n="submissions.draft.parties.hint">
+                        Wählen Sie aus, welche Parteien im Schriftsatz genannt werden sollen.
+                      </p>
+                      <div
+                        id="submission-draft-parties-list"
+                        className="submission-draft-parties-list"
+                      />
+                    </div>
+
                     <div className="submission-draft-variables" id="submission-draft-variables" />
                   </aside>
 

frontend/src/verfahrensablauf.tsx

@@ -158,9 +158,79 @@ export function renderVerfahrensablauf(): string {
                 <div className="wizard-step" id="step-2" style="display:none">
                   <h3 className="wizard-step-label">
                     <span className="step-number">2</span>
-                    <span data-i18n="deadlines.step2">Ausgangsdatum eingeben</span>
+                    <span data-i18n="deadlines.step2.perspective">Perspektive und Datum</span>
                   </h3>
 
+                  {/* Perspective strip (t-paliad-250 / m/paliad#81, reordered
+                       in t-paliad-279 / m/paliad#111). Side defines whose
+                       perspective the columns project; appellant collapses
+                       party=both rows for role-swap proceedings (Appeal etc.).
+                       Moved above .date-input-group because party-side is the
+                       most-defining input after proceeding-type — without
+                       side, the column labels can't pick "your filings". Both
+                       selectors are URL-driven (?side= + ?appellant=) so the
+                       perspective survives reload and is shareable.
+
+                       When the page is opened with ?project=<id> and that
+                       project's our_side is set, side-row renders as a
+                       read-only chip with an "Andere Seite wählen" override
+                       link — see client/verfahrensablauf.ts. */}
+                  <div className="verfahrensablauf-perspective" id="verfahrensablauf-perspective">
+                    <div className="verfahrensablauf-perspective-row" id="side-row">
+                      <span className="date-label" data-i18n="deadlines.side.label">Seite:</span>
+                      <div className="side-radio-cluster" id="side-radio-cluster">
+                        <div className="fristen-view-toggle" role="radiogroup" aria-label="Side">
+                          <label className="fristen-view-option">
+                            <input type="radio" name="side" value="claimant" />
+                            <span data-i18n="deadlines.side.claimant">Klägerseite</span>
+                          </label>
+                          <label className="fristen-view-option">
+                            <input type="radio" name="side" value="defendant" />
+                            <span data-i18n="deadlines.side.defendant">Beklagtenseite</span>
+                          </label>
+                          <label className="fristen-view-option">
+                            <input type="radio" name="side" value="" checked />
+                            <span data-i18n="deadlines.side.both">Beide</span>
+                          </label>
+                        </div>
+                      </div>
+                      {/* Auto-fill chip — populated by the client when a
+                          ?project=<id> URL resolves a project with our_side
+                          set. Hidden by default; the radio cluster above is
+                          hidden whenever this chip is shown. */}
+                      <div className="side-chip" id="side-chip" style="display:none">
+                        <span className="side-chip-tag" data-i18n="deadlines.side.from_project">Aus Akte:</span>
+                        <strong className="side-chip-value" id="side-chip-value">&mdash;</strong>
+                        <button type="button" className="side-chip-override" id="side-chip-override"
+                                data-i18n="deadlines.side.override">
+                          Andere Seite w&auml;hlen
+                        </button>
+                      </div>
+                    </div>
+                    <div className="verfahrensablauf-perspective-row" id="appellant-row" style="display:none">
+                      <span className="date-label" data-i18n="deadlines.appellant.label">Berufung durch:</span>
+                      <div className="fristen-view-toggle" role="radiogroup" aria-label="Appellant">
+                        <label className="fristen-view-option">
+                          <input type="radio" name="appellant" value="claimant" />
+                          <span data-i18n="deadlines.appellant.claimant">Klägerseite</span>
+                        </label>
+                        <label className="fristen-view-option">
+                          <input type="radio" name="appellant" value="defendant" />
+                          <span data-i18n="deadlines.appellant.defendant">Beklagtenseite</span>
+                        </label>
+                        <label className="fristen-view-option">
+                          <input type="radio" name="appellant" value="" checked />
+                          <span data-i18n="deadlines.appellant.none">—</span>
+                        </label>
+                      </div>
+                    </div>
+                  </div>
+
+                  {/* Visual divider — keeps the perspective block (most-
+                       defining inputs after proceeding-type) optically
+                       separate from the date / court / flag knobs below. */}
+                  <div className="verfahrensablauf-step2-divider" aria-hidden="true"></div>
+
                   <div className="date-input-group">
                     <div className="date-field-row">
                       {/* Read-only caption labelling the value <span>. Not a

internal/db/migrate_test.go

@@ -116,6 +116,57 @@ func TestMigrations_DryRun(t *testing.T) {
 	}
 }
 
+// TestMigrations_NoDuplicateSlot is a free-standing pre-flight check that
+// scanEmbeddedMigrations refuses to walk a tree where two *.up.sql files
+// claim the same NNN slot. This is the brunel-slot-collision class of
+// outage (m/paliad#114, 2026-05-25 ~13:20): a worker writes a migration
+// at slot N while another shipped slot N from a separate branch, both
+// merge, both end up in the embed.FS, and the runner refuses to start.
+//
+// Catching this at CI time (no DB needed) lets the second PR fail before
+// it merges, instead of breaking prod at the next deploy. Pure unit test;
+// runs even on developer laptops that don't set TEST_DATABASE_URL.
+func TestMigrations_NoDuplicateSlot(t *testing.T) {
+	if _, err := scanEmbeddedMigrations(); err != nil {
+		t.Fatalf("scanEmbeddedMigrations: %v "+
+			"(two migrations share the same NNN slot — coordinate with head "+
+			"and rename one of them before merging)", err)
+	}
+}
+
+// TestMigrations_EndToEndAsAppRole applies every embedded migration in
+// numeric order against a scratch DB connected as a NON-SUPERUSER role.
+// This is the prod-shape smoke that the per-mig BEGIN/ROLLBACK dry-run
+// (TestMigrations_DryRun) cannot deliver: the dry-run runs each
+// statement in isolation and rolls back, so it cannot reproduce the
+// mig-129-class outage (m/paliad#114, 2026-05-25 ~14:56 — pq: must be
+// owner of table project_event_choices, SQLSTATE 42501) where a
+// migration assumes ownership the deploy role doesn't have.
+//
+// Requires TEST_APP_DATABASE_URL — a Postgres URL whose role is NOT a
+// superuser and does NOT own the `paliad` schema (m's Q11.2 pick:
+// generic two-role model, see docs/design-cicd-pre-deploy-gate-2026-05-25.md
+// §6.2(a)). The CI workflow creates the role + schema split before
+// invoking the test; a developer who wants to reproduce the gate locally
+// runs the same SQL preamble (see Makefile target `verify-migrations`).
+//
+// Skipped without TEST_APP_DATABASE_URL — keeps `go test ./...` green
+// on machines that haven't set up the role split.
+func TestMigrations_EndToEndAsAppRole(t *testing.T) {
+	url := os.Getenv("TEST_APP_DATABASE_URL")
+	if url == "" {
+		t.Skip("TEST_APP_DATABASE_URL not set — skipping role-split end-to-end migration smoke")
+	}
+	if err := ApplyMigrations(url); err != nil {
+		t.Fatalf("ApplyMigrations as app role failed: %v "+
+			"(a migration assumes more privilege than the deploy role has — "+
+			"common cases: ALTER TABLE on a schema-owner table, CREATE EXTENSION "+
+			"without grants, SET ROLE without permission. Fix the migration to "+
+			"work as the deploy role, or arrange for the schema to be owned by "+
+			"the deploy role)", err)
+	}
+}
+
 // readAppliedVersions returns the set of versions present in
 // paliad.applied_migrations on the scratch DB. Missing table → empty set
 // (fresh-DB path; the table only exists after the runner has been called).

internal/db/migrations/024_rename_department_columns.up.sql

@@ -26,24 +26,24 @@ DO $$ BEGIN ALTER TABLE paliad.department_members RENAME COLUMN dezernat_id TO d
 -- Constraints (primary key + foreign keys + check). Renaming a pkey
 -- constraint also renames the underlying index of the same name.
 -- ---------------------------------------------------------------------------
-DO $$ BEGIN ALTER TABLE paliad.departments        RENAME CONSTRAINT dezernate_pkey                          TO departments_pkey;                       EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER TABLE paliad.departments        RENAME CONSTRAINT dezernate_lead_user_id_fkey             TO departments_lead_user_id_fkey;          EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER TABLE paliad.departments        RENAME CONSTRAINT dezernate_office_check                  TO departments_office_check;               EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER TABLE paliad.department_members RENAME CONSTRAINT dezernat_mitglieder_pkey                 TO department_members_pkey;                EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER TABLE paliad.department_members RENAME CONSTRAINT dezernat_mitglieder_dezernat_id_fkey     TO department_members_department_id_fkey;  EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER TABLE paliad.department_members RENAME CONSTRAINT dezernat_mitglieder_user_id_fkey         TO department_members_user_id_fkey;        EXCEPTION WHEN undefined_object THEN NULL; END $$;
+DO $$ BEGIN ALTER TABLE paliad.departments        RENAME CONSTRAINT dezernate_pkey                          TO departments_pkey;                       EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER TABLE paliad.departments        RENAME CONSTRAINT dezernate_lead_user_id_fkey             TO departments_lead_user_id_fkey;          EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER TABLE paliad.departments        RENAME CONSTRAINT dezernate_office_check                  TO departments_office_check;               EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER TABLE paliad.department_members RENAME CONSTRAINT dezernat_mitglieder_pkey                 TO department_members_pkey;                EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER TABLE paliad.department_members RENAME CONSTRAINT dezernat_mitglieder_dezernat_id_fkey     TO department_members_department_id_fkey;  EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER TABLE paliad.department_members RENAME CONSTRAINT dezernat_mitglieder_user_id_fkey         TO department_members_user_id_fkey;        EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
 
 -- ---------------------------------------------------------------------------
 -- Standalone indexes (non-pkey).
 -- ---------------------------------------------------------------------------
-DO $$ BEGIN ALTER INDEX paliad.dezernate_office_idx           RENAME TO departments_office_idx;        EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER INDEX paliad.dezernate_lead_idx             RENAME TO departments_lead_idx;          EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER INDEX paliad.dezernat_mitglieder_user_idx   RENAME TO department_members_user_idx;   EXCEPTION WHEN undefined_object THEN NULL; END $$;
+DO $$ BEGIN ALTER INDEX paliad.dezernate_office_idx           RENAME TO departments_office_idx;        EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER INDEX paliad.dezernate_lead_idx             RENAME TO departments_lead_idx;          EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER INDEX paliad.dezernat_mitglieder_user_idx   RENAME TO department_members_user_idx;   EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
 
 -- ---------------------------------------------------------------------------
 -- RLS policies
 -- ---------------------------------------------------------------------------
-DO $$ BEGIN ALTER POLICY dezernate_select           ON paliad.departments        RENAME TO departments_select;        EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER POLICY dezernate_write            ON paliad.departments        RENAME TO departments_write;         EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER POLICY dezernat_mitglieder_select ON paliad.department_members RENAME TO department_members_select; EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER POLICY dezernat_mitglieder_write  ON paliad.department_members RENAME TO department_members_write;  EXCEPTION WHEN undefined_object THEN NULL; END $$;
+DO $$ BEGIN ALTER POLICY dezernate_select           ON paliad.departments        RENAME TO departments_select;        EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER POLICY dezernate_write            ON paliad.departments        RENAME TO departments_write;         EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER POLICY dezernat_mitglieder_select ON paliad.department_members RENAME TO department_members_select; EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER POLICY dezernat_mitglieder_write  ON paliad.department_members RENAME TO department_members_write;  EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;

internal/db/migrations/027_rename_to_partner_units.up.sql

@@ -63,27 +63,27 @@ ALTER TABLE paliad.partner_unit_members RENAME COLUMN department_id TO partner_u
 -- 5. Rename constraints. Postgres auto-renames the underlying index for
 --    pkey/uniq constraints; standalone indexes are renamed in step 6.
 -- ---------------------------------------------------------------------------
-DO $$ BEGIN ALTER TABLE paliad.partner_units        RENAME CONSTRAINT departments_pkey                       TO partner_units_pkey;                             EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER TABLE paliad.partner_units        RENAME CONSTRAINT departments_lead_user_id_fkey          TO partner_units_lead_user_id_fkey;                EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER TABLE paliad.partner_units        RENAME CONSTRAINT departments_office_check               TO partner_units_office_check;                     EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER TABLE paliad.partner_unit_members RENAME CONSTRAINT department_members_pkey                TO partner_unit_members_pkey;                      EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER TABLE paliad.partner_unit_members RENAME CONSTRAINT department_members_department_id_fkey  TO partner_unit_members_partner_unit_id_fkey;      EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER TABLE paliad.partner_unit_members RENAME CONSTRAINT department_members_user_id_fkey        TO partner_unit_members_user_id_fkey;              EXCEPTION WHEN undefined_object THEN NULL; END $$;
+DO $$ BEGIN ALTER TABLE paliad.partner_units        RENAME CONSTRAINT departments_pkey                       TO partner_units_pkey;                             EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER TABLE paliad.partner_units        RENAME CONSTRAINT departments_lead_user_id_fkey          TO partner_units_lead_user_id_fkey;                EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER TABLE paliad.partner_units        RENAME CONSTRAINT departments_office_check               TO partner_units_office_check;                     EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER TABLE paliad.partner_unit_members RENAME CONSTRAINT department_members_pkey                TO partner_unit_members_pkey;                      EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER TABLE paliad.partner_unit_members RENAME CONSTRAINT department_members_department_id_fkey  TO partner_unit_members_partner_unit_id_fkey;      EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER TABLE paliad.partner_unit_members RENAME CONSTRAINT department_members_user_id_fkey        TO partner_unit_members_user_id_fkey;              EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
 
 -- ---------------------------------------------------------------------------
 -- 6. Rename non-pkey indexes.
 -- ---------------------------------------------------------------------------
-DO $$ BEGIN ALTER INDEX paliad.departments_office_idx        RENAME TO partner_units_office_idx;        EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER INDEX paliad.departments_lead_idx          RENAME TO partner_units_lead_idx;          EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER INDEX paliad.department_members_user_idx   RENAME TO partner_unit_members_user_idx;   EXCEPTION WHEN undefined_object THEN NULL; END $$;
+DO $$ BEGIN ALTER INDEX paliad.departments_office_idx        RENAME TO partner_units_office_idx;        EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER INDEX paliad.departments_lead_idx          RENAME TO partner_units_lead_idx;          EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER INDEX paliad.department_members_user_idx   RENAME TO partner_unit_members_user_idx;   EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
 
 -- ---------------------------------------------------------------------------
 -- 7. Rename RLS policies.
 -- ---------------------------------------------------------------------------
-DO $$ BEGIN ALTER POLICY departments_select        ON paliad.partner_units        RENAME TO partner_units_select;        EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER POLICY departments_write         ON paliad.partner_units        RENAME TO partner_units_write;         EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER POLICY department_members_select ON paliad.partner_unit_members RENAME TO partner_unit_members_select; EXCEPTION WHEN undefined_object THEN NULL; END $$;
-DO $$ BEGIN ALTER POLICY department_members_write  ON paliad.partner_unit_members RENAME TO partner_unit_members_write;  EXCEPTION WHEN undefined_object THEN NULL; END $$;
+DO $$ BEGIN ALTER POLICY departments_select        ON paliad.partner_units        RENAME TO partner_units_select;        EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER POLICY departments_write         ON paliad.partner_units        RENAME TO partner_units_write;         EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER POLICY department_members_select ON paliad.partner_unit_members RENAME TO partner_unit_members_select; EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
+DO $$ BEGIN ALTER POLICY department_members_write  ON paliad.partner_unit_members RENAME TO partner_unit_members_write;  EXCEPTION WHEN undefined_object OR undefined_table OR duplicate_object THEN NULL; END $$;
 
 -- ---------------------------------------------------------------------------
 -- 8. Audit table for partner-unit events. Mutations on partner_units +

internal/db/migrations/121_proceeding_trigger_event_label.down.sql

@@ -0,0 +1,7 @@
+-- Drop the optional trigger-event label columns added in
+-- 121_proceeding_trigger_event_label.up.sql. Any populated rows lose
+-- their override; the frontend falls back to proceedingName.
+
+ALTER TABLE paliad.proceeding_types
+    DROP COLUMN IF EXISTS trigger_event_label_en,
+    DROP COLUMN IF EXISTS trigger_event_label_de;

internal/db/migrations/121_proceeding_trigger_event_label.up.sql

@@ -0,0 +1,27 @@
+-- t-paliad-250 / m/paliad#81 — Concern B: UPC Appeal trigger-event label.
+--
+-- The /tools/verfahrensablauf "Auslösendes Ereignis" caption falls back
+-- to `paliad.proceeding_types.name` whenever the calculator finds no
+-- root rule (duration_value=0 + parent_id=NULL + !is_court_set). For
+-- UPC Appeal (upc.apl.merits) all rules carry a non-zero duration off
+-- the trigger date, so the caption reads "Berufungsverfahren" /
+-- "Appeal" — the proceeding itself — instead of the appealable
+-- decision that actually starts the clock.
+--
+-- Fix: add an optional `trigger_event_label_de` / `trigger_event_label_en`
+-- pair on proceeding_types. When set, the calculator surfaces it on the
+-- response (TriggerEventLabel{,EN}) and the frontend prefers it over
+-- proceedingName. No deadline-rule additions, no slug changes; existing
+-- proceeding_type.code stays stable (hard rule from the issue).
+
+ALTER TABLE paliad.proceeding_types
+    ADD COLUMN IF NOT EXISTS trigger_event_label_de text,
+    ADD COLUMN IF NOT EXISTS trigger_event_label_en text;
+
+-- UPC Appeal: the trigger date is the date of the appealable first-instance
+-- decision (per UPC RoP R.224(1)(a) the 2-month appeal clock runs from
+-- service of the decision per R.220.1(a)/(b)).
+UPDATE paliad.proceeding_types
+   SET trigger_event_label_de = 'Anfechtbare Entscheidung',
+       trigger_event_label_en = 'Appealable Decision'
+ WHERE code = 'upc.apl.merits';

internal/db/migrations/122_deadlines_custom_rule_text.down.sql

@@ -0,0 +1,6 @@
+-- t-paliad-258: revert the additive custom_rule_text column.
+-- Drop the column; rows that used the Custom path lose their free-text
+-- label and read as "no rule".
+
+ALTER TABLE paliad.deadlines
+    DROP COLUMN IF EXISTS custom_rule_text;

internal/db/migrations/122_deadlines_custom_rule_text.up.sql

@@ -0,0 +1,26 @@
+-- t-paliad-258 / m/paliad#89 — binary Auto/Custom Rule model on the
+-- deadline form.
+--
+-- t-paliad-251 shipped the form with a full deadline_rules catalog
+-- dropdown. m's verdict: too noisy (4 "Oral hearings" across UPC CFI,
+-- UPC CoA, DPMA, EPO etc.). Replace with a binary model:
+--
+--   1. Auto    — rule_id derived from the chosen event_type, displayed
+--                read-only.
+--   2. Custom  — rule_id is NULL and the lawyer's free-text label is
+--                stored here.
+--
+-- The column is additive + nullable: existing rows keep their
+-- deadline_rule_id and read as Auto-equivalent. A future row with both
+-- columns NULL renders as "keine Regel" (matches today's no-rule state).
+
+ALTER TABLE paliad.deadlines
+    ADD COLUMN IF NOT EXISTS custom_rule_text text;
+
+COMMENT ON COLUMN paliad.deadlines.custom_rule_text IS
+    'Free-text rule label entered when the lawyer chose Custom on the '
+    'deadline form (t-paliad-258). Mutually exclusive with rule_id at '
+    'the application layer: Auto path sets rule_id and leaves this '
+    'NULL; Custom path sets this and leaves rule_id NULL. Display '
+    'surfaces prefer the rule_id-joined deadline_rules.name when '
+    'present, else fall back to custom_rule_text + a "Custom" badge.';

internal/db/migrations/123_backups.down.sql

@@ -0,0 +1,11 @@
+-- t-paliad-246 / m/paliad#77 — revert Backup Mode catalog table.
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 123 down: drop paliad.backups catalog (t-paliad-246 / m/paliad#77 Slice A)',
+    true);
+
+DROP POLICY IF EXISTS backups_select_admin ON paliad.backups;
+DROP INDEX IF EXISTS paliad.backups_kind_status_idx;
+DROP INDEX IF EXISTS paliad.backups_started_at_desc_idx;
+DROP TABLE IF EXISTS paliad.backups;

internal/db/migrations/123_backups.up.sql

@@ -0,0 +1,86 @@
+-- t-paliad-246 / m/paliad#77 — Backup Mode catalog table.
+--
+-- Design: docs/design-backup-mode-2026-05-25.md §4. One row per backup
+-- run (on-demand or scheduled). The catalog is operational metadata for
+-- the /admin/backups UI (size, row counts, storage URI, status). The
+-- audit chain stays on paliad.system_audit_log — this table is the
+-- richer-shape duplicate that the UI lists from without parsing JSON.
+--
+-- INSERT/UPDATE happen only through the Go service path (BackupRunner)
+-- under the migration-runner role, so we don't add a write RLS policy
+-- for end users. SELECT is admin-only, mirroring system_audit_log.
+--
+-- Idempotent: CREATE TABLE / INDEX / POLICY all guarded.
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 123: add paliad.backups catalog for Backup Mode (t-paliad-246 / m/paliad#77 Slice A)',
+    true);
+
+CREATE TABLE IF NOT EXISTS paliad.backups (
+    id                  uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    kind                text NOT NULL CHECK (kind IN ('scheduled', 'on_demand')),
+    status              text NOT NULL CHECK (status IN ('running', 'done', 'failed')),
+    -- requested_by is NULL for kind='scheduled' (no human caller).
+    requested_by        uuid REFERENCES paliad.users(id) ON DELETE SET NULL,
+    -- requested_by_email is captured at write time so the row survives
+    -- a subsequent user deletion. For scheduled runs we write a sentinel
+    -- like 'system@paliad' (no real user attached).
+    requested_by_email  text NOT NULL,
+    -- audit_id back-references the system_audit_log row written before
+    -- the artifact is generated. Nullable so a catalog row can still be
+    -- INSERTed if the audit write itself fails (defense-in-depth).
+    audit_id            uuid REFERENCES paliad.system_audit_log(id) ON DELETE SET NULL,
+    -- storage_uri is populated when status flips to 'done'. Resolves
+    -- through the Go-side ArtifactStore interface ('file://...' for
+    -- LocalDiskStore today; future stores get their own URI scheme).
+    storage_uri         text,
+    size_bytes          bigint,
+    row_counts          jsonb NOT NULL DEFAULT '{}'::jsonb,
+    sheet_count         int,
+    warnings            jsonb NOT NULL DEFAULT '[]'::jsonb,
+    -- error is NULL unless status='failed'. Free-form, captured from
+    -- the Go-side error.Error().
+    error               text,
+    started_at          timestamptz NOT NULL DEFAULT now(),
+    finished_at         timestamptz,
+    -- deleted_at marks artifacts the lifecycle cleanup removed from
+    -- storage (Slice B). The catalog row itself stays forever — it's
+    -- part of the audit chain. NULL means "still on disk".
+    deleted_at          timestamptz
+);
+
+-- Read patterns:
+--   - "show me recent backups" — started_at DESC
+--   - "find last successful scheduled backup today" — kind + status + started_at
+CREATE INDEX IF NOT EXISTS backups_started_at_desc_idx
+    ON paliad.backups (started_at DESC);
+
+CREATE INDEX IF NOT EXISTS backups_kind_status_idx
+    ON paliad.backups (kind, status);
+
+ALTER TABLE paliad.backups ENABLE ROW LEVEL SECURITY;
+
+-- Admin-only read. INSERT/UPDATE/DELETE happen via the Go service path
+-- under the migration-runner role (no end-user write surface).
+DROP POLICY IF EXISTS backups_select_admin ON paliad.backups;
+CREATE POLICY backups_select_admin ON paliad.backups
+    FOR SELECT USING (
+        EXISTS (
+            SELECT 1 FROM paliad.users u
+             WHERE u.id = auth.uid()
+               AND u.global_role = 'global_admin'
+        )
+    );
+
+COMMENT ON TABLE paliad.backups IS
+    'Catalog of org-scope backup runs (t-paliad-246 / m/paliad#77). One row per scheduled or on-demand backup. status transitions: running → done | failed. storage_uri is resolved by the Go-side ArtifactStore interface. audit_id links to system_audit_log; the catalog row is the richer-shape duplicate, the audit row is the trust signal.';
+
+COMMENT ON COLUMN paliad.backups.requested_by_email IS
+    'Captured at write time so the row survives user deletion. Sentinel ''system@paliad'' for scheduled runs.';
+
+COMMENT ON COLUMN paliad.backups.storage_uri IS
+    'Resolved by the Go-side ArtifactStore implementation. file://... for LocalDiskStore; future stores use their own URI scheme.';
+
+COMMENT ON COLUMN paliad.backups.deleted_at IS
+    'Set when the artifact is removed from storage by lifecycle cleanup. Catalog row stays forever (audit chain). NULL means artifact is still on disk.';

internal/db/migrations/124_de_inf_lg_replik_duplik_sequencing.down.sql

@@ -0,0 +1,31 @@
+-- Revert t-paliad-264 / m/paliad#95.
+-- Restores Replik and Duplik to parent_id = NULL with the pre-fix
+-- "Frist vom Gericht bestimmt" placeholder note. The pre-fix rows
+-- carried legal_source = NULL and is_court_set = false; both
+-- placeholder durations (4 weeks) are left untouched (the .up
+-- migration did not modify them).
+--
+-- audit_reason set_config required for the mig 079 trigger.
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 124 revert: unwind de.inf.lg Replik/Duplik sequencing back to pre-#95 placeholder state',
+    true);
+
+UPDATE paliad.deadline_rules
+SET parent_id      = NULL,
+    is_court_set   = false,
+    legal_source   = NULL,
+    deadline_notes = 'Frist vom Gericht bestimmt',
+    deadline_notes_en = NULL
+WHERE submission_code = 'de.inf.lg.replik'
+  AND is_active = true;
+
+UPDATE paliad.deadline_rules
+SET parent_id      = NULL,
+    is_court_set   = false,
+    legal_source   = NULL,
+    deadline_notes = 'Frist vom Gericht bestimmt',
+    deadline_notes_en = NULL
+WHERE submission_code = 'de.inf.lg.duplik'
+  AND is_active = true;

internal/db/migrations/124_de_inf_lg_replik_duplik_sequencing.up.sql

@@ -0,0 +1,94 @@
+-- t-paliad-264 / m/paliad#95 — Fix de.inf.lg Replik + Duplik sequencing.
+--
+-- BEFORE this migration, the de.inf.lg rules for Replik and Duplik
+-- had parent_id = NULL with duration_value = 4 weeks each. The
+-- projection therefore anchored both off the proceeding's trigger
+-- date (Klageerhebung) and added 4 weeks → both rows rendered at the
+-- same calendar date, BEFORE Klageerwiderung (which sits at
+-- Klageerhebung + 6 weeks per § 276 Abs. 1 S. 2 ZPO).
+--
+-- Correct ZPO sequence for first-instance infringement before the
+-- Landgericht is:
+--
+--   Klageerhebung (§ 253 ZPO)
+--     → Anzeige der Verteidigungsbereitschaft (§ 276 Abs. 1 S. 1 ZPO,
+--       2 Wochen ab Zustellung der Klage)
+--     → Klageerwiderung (§ 276 Abs. 1 S. 2 + § 277 ZPO; vom Gericht
+--       gesetzte Frist von mindestens 2 Wochen, in der Praxis 6 Wochen)
+--     → Replik (vom Gericht gesetzte Frist; Anordnungskompetenz aus
+--       § 273 ZPO, prozessuale Förderungspflicht der Parteien aus
+--       § 282 ZPO; in der Praxis ~ 4 Wochen ab Zustellung der
+--       Klageerwiderung)
+--     → Duplik (vom Gericht gesetzte Frist; § 273, § 282 ZPO; in der
+--       Praxis ~ 4 Wochen ab Zustellung der Replik)
+--
+-- Replik and Duplik have NO statutory period — the Landgericht fixes
+-- the period in its prozessleitende Verfügung. We model them as
+-- is_court_set = true with a placeholder 4-week duration anchored on
+-- the immediately preceding filing so the timeline (a) renders them
+-- in strict chronological order and (b) gives the lawyer a sane
+-- notional date that can be overridden via "Datum setzen" once the
+-- court issues the actual period.
+--
+-- legal_source set to DE.ZPO.273 (Vorbereitung des Termins —
+-- court's case-management power that authorises setting Replik /
+-- Duplik periods). The full citation chain (§§ 273, 282 ZPO) lives
+-- in deadline_notes so the rendered card explains the source.
+--
+-- Scope strictly de.inf.lg / cfi per the t-paliad-264 brief. Other
+-- jurisdictions are out of scope and will be addressed via curie's
+-- m/paliad#94 audit follow-ups (Wave 0+).
+--
+-- Slot note: this migration originally landed as 123 in an earlier
+-- iteration; cronus's t-paliad-246 Backup-Mode migration won slot
+-- 123 in parallel-merge order, so this one shifted to 124.
+--
+-- Idempotency: each UPDATE is guarded by a WHERE clause that only
+-- matches the pre-fix row state (parent_id IS NULL on Replik /
+-- Duplik, since that was the load-bearing bug). A re-apply against
+-- a DB that already carries the fix matches zero rows and no-ops —
+-- no duplicate audit-log rows in paliad.deadline_rule_audit, no
+-- redundant writes. Mig 095 convention.
+--
+-- audit_reason set_config required at the top — the mig 079 trigger
+-- on paliad.deadline_rules raises EXCEPTION 'audit reason required'
+-- on any UPDATE without it.
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 124: t-paliad-264 / m/paliad#95 — anchor de.inf.lg Replik on Klageerwiderung and Duplik on Replik, mark both is_court_set per § 273 ZPO',
+    true);
+
+-- Replik anchors on Klageerwiderung (de.inf.lg.erwidg).
+-- Guard: parent_id IS NULL — only fires against the pre-fix shape.
+UPDATE paliad.deadline_rules
+SET parent_id = (
+        SELECT id FROM paliad.deadline_rules
+        WHERE submission_code = 'de.inf.lg.erwidg'
+          AND is_active = true
+        LIMIT 1
+    ),
+    is_court_set   = true,
+    legal_source   = 'DE.ZPO.273',
+    deadline_notes = 'Frist vom Gericht in der prozessleitenden Verfügung bestimmt (§ 273 ZPO, prozessuale Förderungspflicht § 282 ZPO). In der Praxis ca. 4 Wochen ab Zustellung der Klageerwiderung; mit "Datum setzen" überschreiben, sobald die gerichtliche Verfügung vorliegt.',
+    deadline_notes_en = 'Period set by the court in its case-management order (§ 273 ZPO; parties'' duty to file timely under § 282 ZPO). Typically ca. 4 weeks after service of the Statement of Defence; use "Set date" to override once the court issues the actual period.'
+WHERE submission_code = 'de.inf.lg.replik'
+  AND is_active = true
+  AND parent_id IS NULL;
+
+-- Duplik anchors on Replik (de.inf.lg.replik).
+-- Guard: parent_id IS NULL — only fires against the pre-fix shape.
+UPDATE paliad.deadline_rules
+SET parent_id = (
+        SELECT id FROM paliad.deadline_rules
+        WHERE submission_code = 'de.inf.lg.replik'
+          AND is_active = true
+        LIMIT 1
+    ),
+    is_court_set   = true,
+    legal_source   = 'DE.ZPO.273',
+    deadline_notes = 'Frist vom Gericht in der prozessleitenden Verfügung bestimmt (§ 273 ZPO, prozessuale Förderungspflicht § 282 ZPO). In der Praxis ca. 4 Wochen ab Zustellung der Replik; mit "Datum setzen" überschreiben, sobald die gerichtliche Verfügung vorliegt.',
+    deadline_notes_en = 'Period set by the court in its case-management order (§ 273 ZPO; parties'' duty to file timely under § 282 ZPO). Typically ca. 4 weeks after service of the Reply; use "Set date" to override once the court issues the actual period.'
+WHERE submission_code = 'de.inf.lg.duplik'
+  AND is_active = true
+  AND parent_id IS NULL;

internal/db/migrations/125_cross_cutting_filter_legal_source.down.sql

@@ -0,0 +1,103 @@
+-- Down migration for 125_cross_cutting_filter_legal_source.up.sql.
+--
+-- Rebuilds the mig 098 matview shape (NULL legal_source on trigger
+-- rows) and removes the trigger-207 backfill row. Two steps in
+-- forward-reverse order so the matview drop doesn't trip on the
+-- deadline_rules delete.
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 125 down: revert cross-cutting filter legal_source (drop trigger-207 backfill + rebuild matview without LEFT JOIN to deadline_rules).',
+    true);
+
+-- 1. Drop the matview before pulling rows underneath it.
+DROP MATERIALIZED VIEW IF EXISTS paliad.deadline_search;
+
+-- 2. Delete the trigger 207 backfill row.
+DELETE FROM paliad.deadline_rules
+ WHERE trigger_event_id = 207
+   AND sequence_order = 1207;
+
+-- 3. Recreate the mig 098 matview verbatim (NULL legal_source on
+--    trigger rows).
+CREATE MATERIALIZED VIEW paliad.deadline_search AS
+SELECT
+    'rule'::text                         AS kind,
+    'r:' || dr.id::text                  AS row_key,
+    dc.id                                AS concept_id,
+    dc.slug                              AS concept_slug,
+    dc.name_de                           AS concept_name_de,
+    dc.name_en                           AS concept_name_en,
+    dc.description                       AS concept_description,
+    dc.aliases                           AS concept_aliases,
+    dc.party                             AS concept_party,
+    dc.category                          AS concept_category,
+    dc.sort_order                        AS concept_sort_order,
+    dr.id                                AS rule_id,
+    NULL::bigint                         AS trigger_event_id,
+    pt.code                              AS proceeding_code,
+    pt.name                              AS proceeding_name_de,
+    pt.name_en                           AS proceeding_name_en,
+    pt.jurisdiction                      AS jurisdiction,
+    pt.display_order                     AS proceeding_display_order,
+    dr.submission_code                   AS rule_local_code,
+    dr.name                              AS rule_name_de,
+    dr.name_en                           AS rule_name_en,
+    dr.legal_source                      AS legal_source,
+    dr.rule_code                         AS rule_code,
+    dr.duration_value,
+    dr.duration_unit,
+    dr.timing,
+    COALESCE(dr.primary_party, dc.party) AS effective_party
+  FROM paliad.deadline_rules dr
+  JOIN paliad.proceeding_types pt  ON pt.id = dr.proceeding_type_id
+  JOIN paliad.deadline_concepts dc ON dc.id = dr.concept_id
+ WHERE dr.is_active
+   AND pt.is_active
+   AND pt.category = 'fristenrechner'
+
+UNION ALL
+
+SELECT
+    'trigger'::text,
+    't:' || te.id::text,
+    dc.id,
+    dc.slug,
+    dc.name_de,
+    dc.name_en,
+    dc.description,
+    dc.aliases,
+    dc.party,
+    dc.category,
+    dc.sort_order,
+    NULL::uuid,
+    te.id,
+    NULL::text,
+    NULL::text,
+    NULL::text,
+    'cross-cutting'::text,
+    9999::int                            AS proceeding_display_order,
+    te.code,
+    te.name_de,
+    te.name,
+    NULL::text,
+    NULL::text,
+    NULL::int,
+    NULL::text,
+    NULL::text,
+    dc.party
+  FROM paliad.trigger_events te
+  JOIN paliad.deadline_concepts dc ON dc.slug = te.concept_id
+ WHERE te.is_active;
+
+CREATE UNIQUE INDEX deadline_search_row_key       ON paliad.deadline_search (row_key);
+CREATE INDEX deadline_search_concept_id           ON paliad.deadline_search (concept_id);
+CREATE INDEX deadline_search_proc_code            ON paliad.deadline_search (proceeding_code);
+CREATE INDEX deadline_search_legal_source         ON paliad.deadline_search (legal_source);
+CREATE INDEX deadline_search_effective_party      ON paliad.deadline_search (effective_party);
+CREATE INDEX deadline_search_legal_source_trgm    ON paliad.deadline_search USING gin (legal_source gin_trgm_ops);
+CREATE INDEX deadline_search_concept_de_trgm      ON paliad.deadline_search USING gin (concept_name_de gin_trgm_ops);
+CREATE INDEX deadline_search_concept_en_trgm      ON paliad.deadline_search USING gin (concept_name_en gin_trgm_ops);
+CREATE INDEX deadline_search_rule_de_trgm         ON paliad.deadline_search USING gin (rule_name_de gin_trgm_ops);
+CREATE INDEX deadline_search_rule_en_trgm         ON paliad.deadline_search USING gin (rule_name_en gin_trgm_ops);
+CREATE INDEX deadline_search_rule_code_trgm       ON paliad.deadline_search USING gin (rule_code gin_trgm_ops);

internal/db/migrations/125_cross_cutting_filter_legal_source.up.sql

@@ -0,0 +1,216 @@
+-- t-paliad-266 / m/paliad#97 — make cross-cutting trigger pills filter
+-- by court system in the event-type / Fristen search modal.
+--
+-- Two things land here:
+--
+--   1. DATA — backfill the missing deadline_rules row for trigger 207
+--      (Wegfall des Hindernisses, UPC R.320). Mig 063 added the
+--      trigger_event but never seeded its event_deadlines counterpart;
+--      mig 092 then dropped event_deadlines after copying the four
+--      sibling Wiedereinsetzungen (ids 200..203) into deadline_rules,
+--      so trigger 207 stayed orphaned with no duration / legal_source.
+--      Adding the row makes UPC R.320 Wiedereinsetzung calculable on
+--      par with the four siblings (2 months from removal of obstacle,
+--      legal_source = 'UPC.RoP.320', party = 'both') and gives the
+--      matview a legal_source to surface for the UPC trigger pill.
+--      Pattern mirrors the four sibling rows mig 085 inserted.
+--
+--   2. MATVIEW — rebuild paliad.deadline_search with a LEFT JOIN on
+--      paliad.deadline_rules for trigger pills, exposing the trigger's
+--      legal_source on the row. The cross-cutting concept card pills
+--      then carry a structured citation prefix (UPC.* / DE.ZPO.* /
+--      DE.PatG.* / EU.EPC* / EU.EPÜ.*) that the search service can
+--      match against the active forum-bucket filter — see
+--      DeadlineSearchService.translateForums + ForumToLegalSourcePrefixes
+--      (added in this same change). Without the matview surfacing
+--      legal_source for trigger rows, every cross-cutting sub-row
+--      ignored the court-system chip selection (the bug m reported).
+--
+-- The materialised view paliad.deadline_search refreshes on the next
+-- server boot via services.RefreshSearchView (cmd/server/main.go), so
+-- the new legal_source column for triggers becomes searchable as soon
+-- as the deploy restarts the process. No matview refresh from the
+-- migration itself.
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 125: t-paliad-266 — backfill missing deadline_rules row for trigger 207 (UPC R.320 Wiedereinsetzung) and rebuild deadline_search matview so trigger pills carry legal_source (cross-cutting court-system filter, m/paliad#97).',
+    true);
+
+-- =============================================================================
+-- 1. Backfill: deadline_rules row for trigger 207.
+--
+-- Idempotency: gated on NOT EXISTS by (trigger_event_id, name). Mirrors
+-- mig 085's guard so re-runs are no-ops once the row is present.
+-- =============================================================================
+
+INSERT INTO paliad.deadline_rules (
+    id,
+    proceeding_type_id,
+    parent_id,
+    trigger_event_id,
+    spawn_proceeding_type_id,
+    submission_code,
+    name,
+    name_en,
+    primary_party,
+    event_type,
+    is_court_set,
+    is_spawn,
+    duration_value,
+    duration_unit,
+    timing,
+    alt_duration_value,
+    alt_duration_unit,
+    combine_op,
+    rule_code,
+    deadline_notes,
+    deadline_notes_en,
+    legal_source,
+    condition_expr,
+    sequence_order,
+    is_active,
+    priority,
+    lifecycle_state,
+    draft_of,
+    published_at,
+    concept_id
+)
+SELECT
+    gen_random_uuid(),
+    NULL::integer,
+    NULL::uuid,
+    207,
+    NULL::integer,
+    NULL::text,
+    'Wiedereinsetzungsantrag (UPC R.320)',
+    'Petition for re-establishment of rights (UPC R.320)',
+    NULL::text,
+    NULL::text,
+    false,
+    false,
+    2,
+    'months',
+    'after',
+    NULL::integer,
+    NULL::text,
+    NULL::text,
+    NULL::text,
+    'Frist beträgt 2 Monate ab Wegfall des Hindernisses (R.320 RoP). Spätestens 12 Monate nach Ablauf der versäumten Frist.',
+    'Period is 2 months from removal of the obstacle (UPC R.320 RoP). Latest 12 months after expiry of the missed deadline.',
+    'UPC.RoP.320',
+    NULL::jsonb,
+    1207,
+    true,
+    'mandatory',
+    'published',
+    NULL::uuid,
+    now(),
+    (SELECT id FROM paliad.deadline_concepts WHERE slug = 'wiedereinsetzung')
+WHERE NOT EXISTS (
+    SELECT 1
+      FROM paliad.deadline_rules dr
+     WHERE dr.trigger_event_id = 207
+);
+
+-- =============================================================================
+-- 2. Matview rebuild — LEFT JOIN deadline_rules on trigger_event_id so
+--    cross-cutting trigger pills carry legal_source. Indexes reproduced
+--    verbatim from mig 098 §5.
+--
+-- The trigger-row JOIN matches the Pipeline-C convention (mig 085 §2.5 /
+-- mig 092 §2): each cross-cutting trigger has a single deadline_rules
+-- row with proceeding_type_id IS NULL. A trigger event without that
+-- row leaves legal_source NULL and the trigger pill keeps its current
+-- "no jurisdiction filter match" semantics — same shape as before this
+-- migration, just structurally surfaceable.
+-- =============================================================================
+
+DROP MATERIALIZED VIEW IF EXISTS paliad.deadline_search;
+
+CREATE MATERIALIZED VIEW paliad.deadline_search AS
+SELECT
+    'rule'::text                         AS kind,
+    'r:' || dr.id::text                  AS row_key,
+    dc.id                                AS concept_id,
+    dc.slug                              AS concept_slug,
+    dc.name_de                           AS concept_name_de,
+    dc.name_en                           AS concept_name_en,
+    dc.description                       AS concept_description,
+    dc.aliases                           AS concept_aliases,
+    dc.party                             AS concept_party,
+    dc.category                          AS concept_category,
+    dc.sort_order                        AS concept_sort_order,
+    dr.id                                AS rule_id,
+    NULL::bigint                         AS trigger_event_id,
+    pt.code                              AS proceeding_code,
+    pt.name                              AS proceeding_name_de,
+    pt.name_en                           AS proceeding_name_en,
+    pt.jurisdiction                      AS jurisdiction,
+    pt.display_order                     AS proceeding_display_order,
+    dr.submission_code                   AS rule_local_code,
+    dr.name                              AS rule_name_de,
+    dr.name_en                           AS rule_name_en,
+    dr.legal_source                      AS legal_source,
+    dr.rule_code                         AS rule_code,
+    dr.duration_value,
+    dr.duration_unit,
+    dr.timing,
+    COALESCE(dr.primary_party, dc.party) AS effective_party
+  FROM paliad.deadline_rules dr
+  JOIN paliad.proceeding_types pt  ON pt.id = dr.proceeding_type_id
+  JOIN paliad.deadline_concepts dc ON dc.id = dr.concept_id
+ WHERE dr.is_active
+   AND pt.is_active
+   AND pt.category = 'fristenrechner'
+
+UNION ALL
+
+SELECT
+    'trigger'::text,
+    't:' || te.id::text,
+    dc.id,
+    dc.slug,
+    dc.name_de,
+    dc.name_en,
+    dc.description,
+    dc.aliases,
+    dc.party,
+    dc.category,
+    dc.sort_order,
+    NULL::uuid,
+    te.id,
+    NULL::text,
+    NULL::text,
+    NULL::text,
+    'cross-cutting'::text,
+    9999::int                            AS proceeding_display_order,
+    te.code,
+    te.name_de,
+    te.name,
+    dr_trig.legal_source                 AS legal_source,
+    NULL::text,
+    NULL::int,
+    NULL::text,
+    NULL::text,
+    dc.party
+  FROM paliad.trigger_events te
+  JOIN paliad.deadline_concepts dc ON dc.slug = te.concept_id
+  LEFT JOIN paliad.deadline_rules dr_trig
+         ON dr_trig.trigger_event_id = te.id
+        AND dr_trig.proceeding_type_id IS NULL
+        AND dr_trig.is_active
+        AND dr_trig.lifecycle_state = 'published'
+ WHERE te.is_active;
+
+CREATE UNIQUE INDEX deadline_search_row_key       ON paliad.deadline_search (row_key);
+CREATE INDEX deadline_search_concept_id           ON paliad.deadline_search (concept_id);
+CREATE INDEX deadline_search_proc_code            ON paliad.deadline_search (proceeding_code);
+CREATE INDEX deadline_search_legal_source         ON paliad.deadline_search (legal_source);
+CREATE INDEX deadline_search_effective_party      ON paliad.deadline_search (effective_party);
+CREATE INDEX deadline_search_legal_source_trgm    ON paliad.deadline_search USING gin (legal_source gin_trgm_ops);
+CREATE INDEX deadline_search_concept_de_trgm      ON paliad.deadline_search USING gin (concept_name_de gin_trgm_ops);
+CREATE INDEX deadline_search_concept_en_trgm      ON paliad.deadline_search USING gin (concept_name_en gin_trgm_ops);
+CREATE INDEX deadline_search_rule_de_trgm         ON paliad.deadline_search USING gin (rule_name_de gin_trgm_ops);
+CREATE INDEX deadline_search_rule_en_trgm         ON paliad.deadline_search USING gin (rule_name_en gin_trgm_ops);
+CREATE INDEX deadline_search_rule_code_trgm       ON paliad.deadline_search USING gin (rule_code gin_trgm_ops);

internal/db/migrations/126_users_inbox_seen_at.down.sql

@@ -0,0 +1,4 @@
+-- t-paliad-249 — drop inbox read cursor.
+
+ALTER TABLE paliad.users
+    DROP COLUMN IF EXISTS inbox_seen_at;

internal/db/migrations/126_users_inbox_seen_at.up.sql

@@ -0,0 +1,21 @@
+-- t-paliad-249 — /inbox overhaul, Slice A.
+-- Add a per-user high-watermark read cursor for the inbox feed
+-- (approval requests + curated project_events). The cursor advances
+-- only when the user POSTs to /api/inbox/mark-all-seen. NULL means
+-- "never visited" → every row counts as unread on first paint.
+--
+-- Note on the carve-out enforced in service code: pending
+-- approval_requests count toward the inbox's unread state regardless
+-- of this column. The cursor narrows the project_event source only,
+-- so a stale cursor never buries a high-value pending approval.
+--
+-- Design ref: docs/design-inbox-overhaul-2026-05-25.md §3.
+
+ALTER TABLE paliad.users
+    ADD COLUMN IF NOT EXISTS inbox_seen_at timestamptz NULL;
+
+COMMENT ON COLUMN paliad.users.inbox_seen_at IS
+    'High-watermark cursor for the /inbox feed. project_events newer '
+    'than this timestamp are unread for the caller; NULL = never '
+    'visited (everything unread). Pending approval_requests bypass '
+    'this column and stay unread until decided.';

internal/db/migrations/127_wave0_tier0_deadline_fixes.down.sql

@@ -0,0 +1,146 @@
+-- Revert t-paliad-263 Wave 0 + m/paliad#99.
+-- Restores each Tier 0 row to its pre-fix state per
+-- docs/research-deadlines-completeness-2026-05-25.md §10. T0.5 and
+-- T0.6 are NOT reverted here — they live in mig 124's down.
+--
+-- audit_reason set_config required for the mig 079 trigger.
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 127 revert: unwind Tier 0 deadline-rule corrections (Wave 0 + #99)',
+    true);
+
+-- T0.1 defence: 2mo + RoP.049.1 → 3mo + RoP.49.1
+UPDATE paliad.deadline_rules
+   SET duration_value = 3,
+       rule_code      = 'RoP.49.1',
+       updated_at     = now()
+ WHERE submission_code = 'upc.rev.cfi.defence'
+   AND is_active = true
+   AND lifecycle_state = 'published';
+
+-- T0.2 rejoin: 1mo + RoP.052/UPC.RoP.52 → 2mo + NULL/NULL
+UPDATE paliad.deadline_rules
+   SET duration_value = 2,
+       rule_code      = NULL,
+       legal_source   = NULL,
+       updated_at     = now()
+ WHERE submission_code = 'upc.rev.cfi.rejoin'
+   AND is_active = true
+   AND lifecycle_state = 'published';
+
+-- T0.3 response: 3mo + RoP.235.1 → 2mo + NULL
+UPDATE paliad.deadline_rules
+   SET duration_value = 2,
+       rule_code      = NULL,
+       legal_source   = NULL,
+       updated_at     = now()
+ WHERE submission_code = 'upc.apl.merits.response'
+   AND is_active = true
+   AND lifecycle_state = 'published';
+
+-- T0.4 beruf_begr: parent_id NULL → de.inf.lg.berufung
+UPDATE paliad.deadline_rules
+   SET parent_id = (
+       SELECT id FROM paliad.deadline_rules
+        WHERE submission_code = 'de.inf.lg.berufung'
+          AND is_active = true
+          AND lifecycle_state = 'published'
+        LIMIT 1
+   ),
+   updated_at = now()
+ WHERE submission_code = 'de.inf.lg.beruf_begr'
+   AND is_active = true
+   AND lifecycle_state = 'published';
+
+-- T0.7 reply: clear citation
+UPDATE paliad.deadline_rules
+   SET rule_code    = NULL,
+       legal_source = NULL,
+       updated_at   = now()
+ WHERE submission_code = 'upc.rev.cfi.reply'
+   AND is_active = true
+   AND lifecycle_state = 'published';
+
+-- T0.9 notice: revert citation
+UPDATE paliad.deadline_rules
+   SET rule_code    = 'RoP.220.1',
+       legal_source = 'UPC.RoP.220.1',
+       updated_at   = now()
+ WHERE submission_code = 'upc.apl.merits.notice'
+   AND is_active = true
+   AND lifecycle_state = 'published';
+
+-- T0.10 grounds: revert citation
+UPDATE paliad.deadline_rules
+   SET rule_code    = 'RoP.220.1',
+       legal_source = 'UPC.RoP.220.1',
+       updated_at   = now()
+ WHERE submission_code = 'upc.apl.merits.grounds'
+   AND is_active = true
+   AND lifecycle_state = 'published';
+
+-- T0.12 dpma.opp erwiderung: restore court-set=false + §59 citation
+UPDATE paliad.deadline_rules
+   SET is_court_set = false,
+       rule_code    = '§ 59 PatG',
+       legal_source = 'DE.PatG.59.3',
+       updated_at   = now()
+ WHERE submission_code = 'dpma.opp.dpma.erwiderung'
+   AND is_active = true
+   AND lifecycle_state = 'published';
+
+-- T0.13 dpma.appeal.bpatg begründung: restore court-set=false + §75 citation
+UPDATE paliad.deadline_rules
+   SET is_court_set = false,
+       rule_code    = '§ 75 PatG',
+       legal_source = 'DE.PatG.75.1',
+       updated_at   = now()
+ WHERE submission_code = 'dpma.appeal.bpatg.begruendung'
+   AND is_active = true
+   AND lifecycle_state = 'published';
+
+-- T0.14 bpatg erwidg: revert citation
+UPDATE paliad.deadline_rules
+   SET rule_code    = '§ 82 PatG',
+       legal_source = 'DE.PatG.82.1',
+       updated_at   = now()
+ WHERE submission_code = 'de.null.bpatg.erwidg'
+   AND is_active = true
+   AND lifecycle_state = 'published';
+
+-- T0.15 bgh begründung: revert citation
+UPDATE paliad.deadline_rules
+   SET rule_code    = '§ 111 PatG',
+       legal_source = 'DE.PatG.111.1',
+       updated_at   = now()
+ WHERE submission_code = 'de.null.bgh.begruendung'
+   AND is_active = true
+   AND lifecycle_state = 'published';
+
+-- T0.16 bgh erwiderung: revert court-set + citation
+UPDATE paliad.deadline_rules
+   SET is_court_set = false,
+       rule_code    = '§ 111 PatG',
+       legal_source = 'DE.PatG.111.3',
+       updated_at   = now()
+ WHERE submission_code = 'de.null.bgh.erwiderung'
+   AND is_active = true
+   AND lifecycle_state = 'published';
+
+-- T0.17 epa.opp opd erwidg: revert court-set
+UPDATE paliad.deadline_rules
+   SET is_court_set = false,
+       updated_at   = now()
+ WHERE submission_code = 'epa.opp.opd.erwidg'
+   AND is_active = true
+   AND lifecycle_state = 'published';
+
+-- #99 upc.inf.cfi.soc: clear citation backfill
+UPDATE paliad.deadline_rules
+   SET rule_code    = NULL,
+       legal_source = NULL,
+       updated_at   = now()
+ WHERE submission_code = 'upc.inf.cfi.soc'
+   AND is_active = true
+   AND lifecycle_state = 'published';

internal/db/migrations/127_wave0_tier0_deadline_fixes.up.sql

@@ -0,0 +1,477 @@
+-- t-paliad-263 Wave 0 + m/paliad#99 — Tier 0 deadline-rule corrections.
+--
+-- Source: docs/research-deadlines-completeness-2026-05-25.md §10 Tier 0
+-- (curie's bulletproof completeness audit, merged 2026-05-25 as commit
+-- 94a9e7e). 16 distinct single-row UPDATEs across UPC + DE-LG + DPMA +
+-- EPA proceedings; T0.5 + T0.6 were shipped separately as mig 124
+-- (m/paliad#95, de.inf.lg Replik/Duplik sequencing) and are not
+-- repeated here. T0.8 (covered by T0.2) and T0.11 (covered by T0.1)
+-- are dedup'd out per the audit's own note.
+--
+-- Also folds in m/paliad#99 (UPC Statement of Claim missing legal
+-- citation): upc.inf.cfi.soc.rule_code / legal_source backfilled to
+-- UPC RoP R.13(1). Same migration file, separate UPDATE block with
+-- its own guard.
+--
+-- All fixes within the existing schema (no new columns). Each UPDATE
+-- is guarded by a WHERE clause that matches only the pre-fix row
+-- state (per mig 095 convention) — re-applying against a DB that
+-- already carries the fix matches zero rows and no-ops, so there are
+-- no duplicate deadline_rule_audit entries on idempotent re-runs.
+--
+-- Verification DO block at the end RAISEs EXCEPTION if any of the
+-- patched rows is left in an inconsistent shape (mixing pre-fix and
+-- post-fix state).
+--
+-- audit_reason set_config required at the top — the mig 079 trigger
+-- on paliad.deadline_rules raises EXCEPTION 'audit reason required'
+-- on any UPDATE without it.
+--
+-- Slot 127 reserved per paliadin: sequence is 124 brunel #95 (done),
+-- 125 hermes #97, 126 icarus #80, 127 brunel Wave 0 + #99, 128+ next.
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 127: t-paliad-263 Wave 0 + m/paliad#99 — Tier 0 deadline-rule corrections from curie''s audit (docs/research-deadlines-completeness-2026-05-25.md §10) plus UPC SoC R.13 citation',
+    true);
+
+-- =============================================================================
+-- T0.1  upc.rev.cfi.defence — duration 3mo → 2mo per RoP.049.1.
+--       Zero-pads the rule_code citation to canonical form. Audit §5
+--       (wrong period — every UPC_REV tracked in paliad today computes
+--       Defence at +3 months, statute says +2). Verbatim from
+--       UPCRoP.049.1: "The defendant shall lodge a Defence to revocation
+--       within two months of service of the Statement for revocation."
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET duration_value = 2,
+       rule_code      = 'RoP.049.1',
+       updated_at     = now()
+ WHERE submission_code = 'upc.rev.cfi.defence'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND duration_value = 3
+   AND rule_code = 'RoP.49.1';
+
+-- =============================================================================
+-- T0.2  upc.rev.cfi.rejoin — duration 2mo → 1mo per RoP.052; add citation.
+--       Audit §5 (wrong period). Verbatim from UPCRoP.052: "Within one
+--       month of the service of the Reply the defendant may lodge a
+--       Rejoinder to the Reply to the Defence to revocation."
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET duration_value = 1,
+       rule_code      = 'RoP.052',
+       legal_source   = 'UPC.RoP.52',
+       updated_at     = now()
+ WHERE submission_code = 'upc.rev.cfi.rejoin'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND duration_value = 2
+   AND rule_code IS NULL;
+
+-- =============================================================================
+-- T0.3  upc.apl.merits.response — duration 2mo → 3mo per RoP.235.1.
+--       Audit §5 (wrong period — every main-track appellate respondent).
+--       Verbatim from UPCRoP.235.1: "Within three months of service of
+--       the Statement of grounds of appeal pursuant to Rule 224.2(a),
+--       any other party … may lodge a Statement of response."
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET duration_value = 3,
+       rule_code      = 'RoP.235.1',
+       legal_source   = 'UPC.RoP.235.1',
+       updated_at     = now()
+ WHERE submission_code = 'upc.apl.merits.response'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND duration_value = 2
+   AND rule_code IS NULL;
+
+-- =============================================================================
+-- T0.4  de.inf.lg.beruf_begr — parent_id = NULL (was de.inf.lg.berufung).
+--       Audit §7.1 — every DE-LG-Verletzung appeal renders the
+--       Berufungsbegründung at trigger + 1mo (Berufung) + 2mo = 3 months
+--       from Urteil-service. Per ZPO §520(2) "die Frist für die
+--       Berufungsbegründung beträgt zwei Monate. Sie beginnt mit der
+--       Zustellung des in vollständiger Form abgefassten Urteils" → 2
+--       months from Urteil-service (parallel to, not chained off, the
+--       Berufungsfrist itself). NULL parent_id makes the rule anchor
+--       on the proceeding's trigger date — matches how the symmetric
+--       de.inf.olg.begruendung is modelled.
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET parent_id  = NULL,
+       updated_at = now()
+ WHERE submission_code = 'de.inf.lg.beruf_begr'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND parent_id = (
+       SELECT id FROM paliad.deadline_rules
+        WHERE submission_code = 'de.inf.lg.berufung'
+          AND is_active = true
+          AND lifecycle_state = 'published'
+        LIMIT 1
+   );
+
+-- =============================================================================
+-- T0.5 / T0.6  de.inf.lg.replik + de.inf.lg.duplik — already shipped
+-- as mig 124 (m/paliad#95). Not repeated here. Idempotency of the
+-- audit's Tier 0 sweep against a fresh DB is preserved because mig
+-- 124 runs before this one and is itself guarded.
+-- =============================================================================
+
+-- =============================================================================
+-- T0.7  upc.rev.cfi.reply — backfill rule_code + legal_source per RoP.051.
+--       Audit §4.1 — duration (2mo) unchanged. Verbatim from UPCRoP.051:
+--       "Reply to Defence to revocation and Application to amend the
+--       patent. The claimant in the revocation action may, within two
+--       months of service of the Defence to revocation and the
+--       Application to amend the patent, if any, lodge a Reply…"
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET rule_code    = 'RoP.051',
+       legal_source = 'UPC.RoP.51',
+       updated_at   = now()
+ WHERE submission_code = 'upc.rev.cfi.reply'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND rule_code IS NULL
+   AND legal_source IS NULL;
+
+-- =============================================================================
+-- T0.9  upc.apl.merits.notice — citation drift RoP.220.1 → RoP.224.1.a.
+--       Audit §4.1 — duration unchanged. R.220.1 is the umbrella ("an
+--       appeal may be brought"); R.224.1(a) carries the Notice-of-appeal
+--       2-month period explicitly.
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET rule_code    = 'RoP.224.1.a',
+       legal_source = 'UPC.RoP.224.1.a',
+       updated_at   = now()
+ WHERE submission_code = 'upc.apl.merits.notice'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND rule_code = 'RoP.220.1'
+   AND legal_source = 'UPC.RoP.220.1';
+
+-- =============================================================================
+-- T0.10 upc.apl.merits.grounds — citation drift RoP.220.1 → RoP.224.2.a.
+--       Audit §4.1 — duration unchanged. R.224.2(a) sets the Grounds
+--       4-month period for decisions referred to in R.220.1(a) and (b).
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET rule_code    = 'RoP.224.2.a',
+       legal_source = 'UPC.RoP.224.2.a',
+       updated_at   = now()
+ WHERE submission_code = 'upc.apl.merits.grounds'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND rule_code = 'RoP.220.1'
+   AND legal_source = 'UPC.RoP.220.1';
+
+-- =============================================================================
+-- T0.12 dpma.opp.dpma.erwiderung — flip is_court_set = true; drop the
+--       § 59(3) PatG citation. Audit §4.3 + §9.1: §59(3) addresses
+--       Anhörung, not a 4-month response period. No statutory
+--       Erwiderungsfrist exists in §59 — the 4-month figure is DPMA
+--       practice (DPMA-Richtlinien D-IV 5.2). Modelled court-set, the
+--       4-month value remains the default-display heuristic the
+--       lawyer overrides via "Datum setzen".
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET is_court_set = true,
+       rule_code    = NULL,
+       legal_source = NULL,
+       updated_at   = now()
+ WHERE submission_code = 'dpma.opp.dpma.erwiderung'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND is_court_set = false
+   AND legal_source = 'DE.PatG.59.3';
+
+-- =============================================================================
+-- T0.13 dpma.appeal.bpatg.begruendung — flip is_court_set = true; drop
+--       the § 75 PatG citation. Audit §4.3 + §9.1: §75 PatG addresses
+--       aufschiebende Wirkung only, not a Begründungsfrist. No fixed
+--       Begründungsfrist for BPatG-Beschwerde exists in PatG §§73-80 —
+--       the BPatG sets it in the individual case. 1-month default
+--       retained as display heuristic.
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET is_court_set = true,
+       rule_code    = NULL,
+       legal_source = NULL,
+       updated_at   = now()
+ WHERE submission_code = 'dpma.appeal.bpatg.begruendung'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND is_court_set = false
+   AND legal_source = 'DE.PatG.75.1';
+
+-- =============================================================================
+-- T0.14 de.null.bpatg.erwidg — citation DE.PatG.82.1 → DE.PatG.82.3.
+--       Audit §4.4 — duration (2 months) is correct. §82(1) carries the
+--       1-month Erklärungsfrist ("sich darüber zu erklären"); the full
+--       Klageerwiderung 2-month period lives in §82(3).
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET rule_code    = '§ 82 Abs. 3 PatG',
+       legal_source = 'DE.PatG.82.3',
+       updated_at   = now()
+ WHERE submission_code = 'de.null.bpatg.erwidg'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND legal_source = 'DE.PatG.82.1';
+
+-- =============================================================================
+-- T0.15 de.null.bgh.begruendung — citation DE.PatG.111.1 →
+--       DE.ZPO.520.2 (via PatG §117). Audit §4.4 — duration (3 months)
+--       is correct. §111 PatG defines the Grounds of Berufung
+--       (Verletzung des Bundesrechts), not a Begründungsfrist; the
+--       3-month figure is supplied by §117 PatG → ZPO §520(2).
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET rule_code    = '§ 520 Abs. 2 ZPO i.V.m. § 117 PatG',
+       legal_source = 'DE.ZPO.520.2',
+       updated_at   = now()
+ WHERE submission_code = 'de.null.bgh.begruendung'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND legal_source = 'DE.PatG.111.1';
+
+-- =============================================================================
+-- T0.16 de.null.bgh.erwiderung — flip is_court_set = true; recite as
+--       DE.ZPO.521.2 (via PatG §117). Audit §4.4 + §9.1 — §111 PatG
+--       has no Erwiderungsfrist clause. The actual Erwiderungsfrist
+--       for BGH-Nichtigkeitsberufung is set by the court per §117
+--       PatG → ZPO §521(2). 2-month default retained as display
+--       heuristic.
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET is_court_set = true,
+       rule_code    = '§ 521 Abs. 2 ZPO i.V.m. § 117 PatG',
+       legal_source = 'DE.ZPO.521.2',
+       updated_at   = now()
+ WHERE submission_code = 'de.null.bgh.erwiderung'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND is_court_set = false
+   AND legal_source = 'DE.PatG.111.3';
+
+-- =============================================================================
+-- T0.17 epa.opp.opd.erwidg — flip is_court_set = true. Audit §4.5 +
+--       §9.1: R.79(1) EPÜ authorises the Opposition Division to set
+--       the period, but does not specify a fixed 4 months. The 4-month
+--       figure is administrative practice (EPO Guidelines D-IV 5.2).
+--       Citation retained as the rule-of-authority for the OD's
+--       discretion. 4-month default retained as display heuristic.
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET is_court_set = true,
+       updated_at   = now()
+ WHERE submission_code = 'epa.opp.opd.erwidg'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND is_court_set = false
+   AND legal_source = 'EU.EPC-R.79.1';
+
+-- =============================================================================
+-- m/paliad#99  upc.inf.cfi.soc — backfill UPC RoP R.13(1) citation.
+--       The Statement of Claim is defined in UPC RoP R.13 (R.13.1
+--       lists the required contents). The row carries no statutory
+--       deadline (duration_value = 0, parent_id IS NULL — the SoC is
+--       the originating filing that anchors the proceeding's trigger
+--       date), but the catalog UI surfaces the rule citation in
+--       result cards and the Type=Statement-of-Claim / Rule=Auto
+--       resolution; both render blank today because rule_code +
+--       legal_source are NULL. Backfill leaves duration / anchor /
+--       party untouched.
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET rule_code    = 'RoP.013.1',
+       legal_source = 'UPC.RoP.13.1',
+       updated_at   = now()
+ WHERE submission_code = 'upc.inf.cfi.soc'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND rule_code IS NULL
+   AND legal_source IS NULL;
+
+-- =============================================================================
+-- Hard assertions. Each touched row must end up in its post-fix
+-- shape. Re-running the migration after a successful first run is a
+-- no-op for the data but the assertions still pass because they
+-- check the post-fix state.
+-- =============================================================================
+
+DO $$
+DECLARE
+    v_count integer;
+BEGIN
+    -- T0.1 defence: dur=2 + canonical zero-padded rule_code
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.rev.cfi.defence'
+       AND is_active = true
+       AND lifecycle_state = 'published'
+       AND duration_value = 2
+       AND rule_code = 'RoP.049.1';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 127 T0.1: upc.rev.cfi.defence not in post-fix shape (got % matches)', v_count;
+    END IF;
+
+    -- T0.2 rejoin: dur=1
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.rev.cfi.rejoin'
+       AND is_active = true
+       AND lifecycle_state = 'published'
+       AND duration_value = 1
+       AND rule_code = 'RoP.052';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 127 T0.2: upc.rev.cfi.rejoin not in post-fix shape (got % matches)', v_count;
+    END IF;
+
+    -- T0.3 response: dur=3
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.apl.merits.response'
+       AND is_active = true
+       AND lifecycle_state = 'published'
+       AND duration_value = 3
+       AND rule_code = 'RoP.235.1';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 127 T0.3: upc.apl.merits.response not in post-fix shape (got % matches)', v_count;
+    END IF;
+
+    -- T0.4 beruf_begr: parent_id IS NULL
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'de.inf.lg.beruf_begr'
+       AND is_active = true
+       AND lifecycle_state = 'published'
+       AND parent_id IS NULL;
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 127 T0.4: de.inf.lg.beruf_begr not in post-fix shape (got % matches)', v_count;
+    END IF;
+
+    -- T0.7 reply: citation backfilled
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.rev.cfi.reply'
+       AND is_active = true
+       AND lifecycle_state = 'published'
+       AND rule_code = 'RoP.051'
+       AND legal_source = 'UPC.RoP.51';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 127 T0.7: upc.rev.cfi.reply not in post-fix shape (got % matches)', v_count;
+    END IF;
+
+    -- T0.9 notice: citation RoP.224.1.a
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.apl.merits.notice'
+       AND is_active = true
+       AND lifecycle_state = 'published'
+       AND rule_code = 'RoP.224.1.a'
+       AND legal_source = 'UPC.RoP.224.1.a';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 127 T0.9: upc.apl.merits.notice not in post-fix shape (got % matches)', v_count;
+    END IF;
+
+    -- T0.10 grounds: citation RoP.224.2.a
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.apl.merits.grounds'
+       AND is_active = true
+       AND lifecycle_state = 'published'
+       AND rule_code = 'RoP.224.2.a'
+       AND legal_source = 'UPC.RoP.224.2.a';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 127 T0.10: upc.apl.merits.grounds not in post-fix shape (got % matches)', v_count;
+    END IF;
+
+    -- T0.12 dpma.opp erwiderung: court-set, no citation
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'dpma.opp.dpma.erwiderung'
+       AND is_active = true
+       AND lifecycle_state = 'published'
+       AND is_court_set = true
+       AND legal_source IS NULL
+       AND rule_code IS NULL;
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 127 T0.12: dpma.opp.dpma.erwiderung not in post-fix shape (got % matches)', v_count;
+    END IF;
+
+    -- T0.13 dpma.appeal.bpatg begründung: court-set, no citation
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'dpma.appeal.bpatg.begruendung'
+       AND is_active = true
+       AND lifecycle_state = 'published'
+       AND is_court_set = true
+       AND legal_source IS NULL
+       AND rule_code IS NULL;
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 127 T0.13: dpma.appeal.bpatg.begruendung not in post-fix shape (got % matches)', v_count;
+    END IF;
+
+    -- T0.14 bpatg erwidg: §82.3
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'de.null.bpatg.erwidg'
+       AND is_active = true
+       AND lifecycle_state = 'published'
+       AND legal_source = 'DE.PatG.82.3';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 127 T0.14: de.null.bpatg.erwidg not in post-fix shape (got % matches)', v_count;
+    END IF;
+
+    -- T0.15 bgh begründung: ZPO §520.2
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'de.null.bgh.begruendung'
+       AND is_active = true
+       AND lifecycle_state = 'published'
+       AND legal_source = 'DE.ZPO.520.2';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 127 T0.15: de.null.bgh.begruendung not in post-fix shape (got % matches)', v_count;
+    END IF;
+
+    -- T0.16 bgh erwiderung: court-set, ZPO §521.2
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'de.null.bgh.erwiderung'
+       AND is_active = true
+       AND lifecycle_state = 'published'
+       AND is_court_set = true
+       AND legal_source = 'DE.ZPO.521.2';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 127 T0.16: de.null.bgh.erwiderung not in post-fix shape (got % matches)', v_count;
+    END IF;
+
+    -- T0.17 epa.opp opd erwidg: court-set
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'epa.opp.opd.erwidg'
+       AND is_active = true
+       AND lifecycle_state = 'published'
+       AND is_court_set = true;
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 127 T0.17: epa.opp.opd.erwidg not in post-fix shape (got % matches)', v_count;
+    END IF;
+
+    -- #99 upc.inf.cfi.soc: citation backfilled
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.inf.cfi.soc'
+       AND is_active = true
+       AND lifecycle_state = 'published'
+       AND rule_code = 'RoP.013.1'
+       AND legal_source = 'UPC.RoP.13.1';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 127 #99: upc.inf.cfi.soc not in post-fix shape (got % matches)', v_count;
+    END IF;
+END $$;

internal/db/migrations/128_deadline_rules_unit_check.down.sql

@@ -0,0 +1,11 @@
+-- Revert t-paliad-271 Wave 2 Tier-3 Slice A — drop duration_unit /
+-- alt_duration_unit CHECK constraints. Pre-mig-128 the columns accepted
+-- arbitrary text, so dropping the CHECKs restores that shape exactly.
+-- No data revert necessary — the constraint addition was purely
+-- additive and validated against live data before adding.
+
+ALTER TABLE paliad.deadline_rules
+    DROP CONSTRAINT IF EXISTS deadline_rules_duration_unit_check;
+
+ALTER TABLE paliad.deadline_rules
+    DROP CONSTRAINT IF EXISTS deadline_rules_alt_duration_unit_check;

internal/db/migrations/128_deadline_rules_unit_check.up.sql

@@ -0,0 +1,36 @@
+-- t-paliad-271 Wave 2 Tier-3 Slice A — duration_unit CHECK constraint with
+-- 'working_days' added to the allowed set.
+--
+-- Per docs/research-deadlines-completeness-2026-05-25.md Tier 3 Primitive 1
+-- (T3.1) — the calculator gains a business-day arithmetic path for UPC RoP
+-- R.198 / R.213 (and downstream for any rule that needs the 31d-OR-20wd
+-- combine-max pattern). The schema currently accepts free-text on
+-- duration_unit (no CHECK), which is why 'working_days' rows already exist
+-- in the DB but were silently dropped by the calculator. Adding the CHECK
+-- pins the contract and prevents typos.
+--
+-- alt_duration_unit gets the same constraint (NULL-tolerant) so the alt
+-- path stays in lockstep with the primary path.
+--
+-- Idempotent: DROP CONSTRAINT IF EXISTS before ADD. Existing data was
+-- audited via `SELECT DISTINCT duration_unit FROM paliad.deadline_rules`
+-- on 2026-05-25 (returned only days/weeks/months) plus the two live
+-- alt-unit rows already at 'working_days' — both shapes pass.
+--
+-- audit_reason set_config is NOT needed for DDL (mig 079 trigger fires on
+-- INSERT/UPDATE/DELETE on the rows, not on ALTER TABLE).
+
+ALTER TABLE paliad.deadline_rules
+    DROP CONSTRAINT IF EXISTS deadline_rules_duration_unit_check;
+
+ALTER TABLE paliad.deadline_rules
+    ADD CONSTRAINT deadline_rules_duration_unit_check
+    CHECK (duration_unit IN ('days', 'weeks', 'months', 'working_days'));
+
+ALTER TABLE paliad.deadline_rules
+    DROP CONSTRAINT IF EXISTS deadline_rules_alt_duration_unit_check;
+
+ALTER TABLE paliad.deadline_rules
+    ADD CONSTRAINT deadline_rules_alt_duration_unit_check
+    CHECK (alt_duration_unit IS NULL
+        OR alt_duration_unit IN ('days', 'weeks', 'months', 'working_days'));

internal/db/migrations/129_project_event_choices.down.sql

@@ -0,0 +1,11 @@
+-- t-paliad-265 — drop per-event-card choices schema.
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 129 down: drop project_event_choices + deadline_rules.choices_offered',
+    true);
+
+DROP TABLE IF EXISTS paliad.project_event_choices;
+
+ALTER TABLE paliad.deadline_rules
+    DROP COLUMN IF EXISTS choices_offered;

internal/db/migrations/129_project_event_choices.up.sql

@@ -0,0 +1,116 @@
+-- t-paliad-265 / m/paliad#96 — per-event-card optional choices on the
+-- Verfahrensablauf timeline.
+--
+-- Design: docs/design-event-card-choices-2026-05-25.md
+-- Decisions: see §11 of the design doc.
+--
+-- Two schema changes:
+--
+--   1. paliad.project_event_choices — new persistence table holding the
+--      user's per-card picks scoped to a project. One row per
+--      (project, submission_code, choice_kind). Re-picking is an UPDATE
+--      (UNIQUE constraint enforces idempotence).
+--
+--   2. paliad.deadline_rules.choices_offered jsonb — opt-in declaration
+--      of which choice-kinds each rule offers. The projection engine
+--      reads this to decide whether to render the caret affordance on
+--      a card. Seeded for every event_type='decision' rule (appellant),
+--      every priority='optional' rule (skip), and the two Klageerwiderung
+--      rows (include_ccr).
+--
+-- NOTE on join key: the design doc named the join column "rule_code".
+-- Live verification (2026-05-25 SELECT against paliad.deadline_rules)
+-- showed `rule_code` is NULL on every decision row — it's the legal-
+-- source citation column, not a stable identifier. The
+-- AnchorOverrides plumbing in internal/services/fristenrechner.go
+-- already keys on `submission_code` (UIDeadline.Code populates from
+-- submission_code, lines 351-352), so we mirror that decision here:
+-- the join column is `submission_code`. Same intent, correct field.
+--
+-- Idempotent: CREATE TABLE IF NOT EXISTS + ADD COLUMN IF NOT EXISTS +
+-- UPDATEs guarded by WHERE choices_offered IS NULL so re-applying
+-- against an already-seeded DB no-ops.
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 129: add paliad.project_event_choices + deadline_rules.choices_offered for per-event-card optional choices (t-paliad-265 / m/paliad#96)',
+    true);
+
+-- 1. The choice-storage table ----------------------------------------------
+
+CREATE TABLE IF NOT EXISTS paliad.project_event_choices (
+    id              uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    project_id      uuid NOT NULL REFERENCES paliad.projects(id) ON DELETE CASCADE,
+    submission_code text NOT NULL,
+    choice_kind     text NOT NULL CHECK (choice_kind IN ('appellant', 'include_ccr', 'skip')),
+    choice_value    text NOT NULL,
+    created_by      uuid REFERENCES paliad.users(id) ON DELETE SET NULL,
+    created_at      timestamptz NOT NULL DEFAULT now(),
+    updated_by      uuid REFERENCES paliad.users(id) ON DELETE SET NULL,
+    updated_at      timestamptz NOT NULL DEFAULT now(),
+
+    UNIQUE (project_id, submission_code, choice_kind)
+);
+
+CREATE INDEX IF NOT EXISTS project_event_choices_project_idx
+    ON paliad.project_event_choices (project_id);
+
+ALTER TABLE paliad.project_event_choices ENABLE ROW LEVEL SECURITY;
+
+DROP POLICY IF EXISTS project_event_choices_select ON paliad.project_event_choices;
+CREATE POLICY project_event_choices_select ON paliad.project_event_choices
+    FOR SELECT USING (paliad.can_see_project(project_id));
+
+DROP POLICY IF EXISTS project_event_choices_mutate ON paliad.project_event_choices;
+CREATE POLICY project_event_choices_mutate ON paliad.project_event_choices
+    FOR ALL
+    USING (paliad.can_see_project(project_id))
+    WITH CHECK (paliad.can_see_project(project_id));
+
+COMMENT ON TABLE paliad.project_event_choices IS
+    'Per-event-card user picks scoped to a project. choice_kind ∈ {appellant, include_ccr, skip}. '
+    'choice_value namespace per kind: appellant=claimant|defendant|both|none; include_ccr=true|false; '
+    'skip=true|false. Join key submission_code matches paliad.deadline_rules.submission_code (the same key '
+    'AnchorOverrides uses). UNIQUE(project,submission_code,kind) keeps re-picks idempotent. '
+    'Audit-logged via paliad.system_audit_log (event_type=project_event_choice.set).';
+
+-- 2. The choices_offered opt-in column ------------------------------------
+
+ALTER TABLE paliad.deadline_rules
+    ADD COLUMN IF NOT EXISTS choices_offered jsonb;
+
+COMMENT ON COLUMN paliad.deadline_rules.choices_offered IS
+    'Declares which per-card choice-kinds this rule offers on the Verfahrensablauf timeline. '
+    'NULL = no caret affordance (default). Example shapes: '
+    '{"appellant": ["claimant","defendant","both","none"]} on decision rules, '
+    '{"skip": [true, false]} on optional rules, '
+    '{"include_ccr": [true, false]} on Klageerwiderung rules. '
+    'Engine and frontend read it; storing per-kind value lists keeps the contract self-describing.';
+
+-- 3. Seed -----------------------------------------------------------------
+
+-- 3a. Every published decision rule offers the appellant choice.
+UPDATE paliad.deadline_rules
+   SET choices_offered = '{"appellant": ["claimant", "defendant", "both", "none"]}'::jsonb
+ WHERE event_type = 'decision'
+   AND lifecycle_state = 'published'
+   AND choices_offered IS NULL;
+
+-- 3b. Every published optional rule offers the skip choice.
+UPDATE paliad.deadline_rules
+   SET choices_offered = '{"skip": [true, false]}'::jsonb
+ WHERE priority = 'optional'
+   AND lifecycle_state = 'published'
+   AND choices_offered IS NULL;
+
+-- 3c. Klageerwiderung rules offer the include_ccr choice. Two rows
+-- today (upc.inf.cfi.sod + de.inf.lg.erwidg) — verified live
+-- (2026-05-25 SELECT FROM paliad.deadline_rules WHERE name ILIKE
+-- 'Klageerwiderung'); the UPC INF Klageerwiderung is `sod` (Statement
+-- of Defence, R.24 RoP), not `def`. Slice B (Q4 bundle) is the
+-- user-visible feature.
+UPDATE paliad.deadline_rules
+   SET choices_offered = '{"include_ccr": [true, false]}'::jsonb
+ WHERE submission_code IN ('upc.inf.cfi.sod', 'de.inf.lg.erwidg')
+   AND lifecycle_state = 'published'
+   AND choices_offered IS NULL;

internal/db/migrations/130_submission_drafts_language.down.sql

@@ -0,0 +1,2 @@
+ALTER TABLE paliad.submission_drafts
+    DROP COLUMN IF EXISTS language;

internal/db/migrations/130_submission_drafts_language.up.sql

@@ -0,0 +1,17 @@
+-- t-paliad-276 / m/paliad#108: per-draft output language for the
+-- Submissions generator.
+--
+-- The submission editor lets the lawyer pick DE or EN per draft so the
+-- generator selects the matching template variant + resolves language-
+-- aware variables ({{procedural_event.name_de}} vs _en). Default is
+-- 'de' to match the primary-language convention in CLAUDE.md and to
+-- keep existing rows behaving exactly as before (every legacy draft
+-- was implicitly DE; the resolved bag for those drafts is unchanged
+-- under language='de').
+
+ALTER TABLE paliad.submission_drafts
+    ADD COLUMN IF NOT EXISTS language text NOT NULL DEFAULT 'de'
+    CONSTRAINT submission_drafts_language_check CHECK (language IN ('de', 'en'));
+
+COMMENT ON COLUMN paliad.submission_drafts.language IS
+    't-paliad-276: output language for the generated .docx. ''de'' or ''en''. Drives template variant selection ({code}.{lang}.docx fallback chain) and language-aware variable resolution.';

internal/db/migrations/131_submission_drafts_party_selection.down.sql

@@ -0,0 +1,4 @@
+-- t-paliad-277 rollback.
+ALTER TABLE paliad.submission_drafts
+    DROP COLUMN IF EXISTS selected_parties,
+    DROP COLUMN IF EXISTS last_imported_at;

internal/db/migrations/131_submission_drafts_party_selection.up.sql

@@ -0,0 +1,32 @@
+-- t-paliad-277 / m/paliad#109: per-draft party selection + import provenance.
+--
+-- Adds two columns to paliad.submission_drafts:
+--
+--   selected_parties uuid[] — IDs of paliad.parties rows the lawyer
+--     has chosen to mention in this specific submission. An empty
+--     array (the default) means "include every party on the project"
+--     so all existing drafts keep their current rendering. Non-empty
+--     restricts the variable bag to the chosen subset, grouped by
+--     role in SubmissionVarsService.
+--
+--   last_imported_at timestamptz — when the lawyer last clicked
+--     "Aus Projekt importieren" on the draft editor (or NULL if they
+--     never did). The frontend surfaces this timestamp next to the
+--     button so a stale draft is obvious at a glance.
+--
+-- Both columns are purely additive and nullable / default-bearing —
+-- the migration is safe to apply with active drafts in the table.
+-- No FK on selected_parties: paliad.parties is project-scoped and we
+-- prune stale references on read inside SubmissionVarsService rather
+-- than chasing FK cascades across two tables (the variable bag silently
+-- drops any uuid that no longer matches a row in paliad.parties).
+
+ALTER TABLE paliad.submission_drafts
+    ADD COLUMN IF NOT EXISTS selected_parties uuid[] NOT NULL DEFAULT '{}'::uuid[],
+    ADD COLUMN IF NOT EXISTS last_imported_at timestamptz;
+
+COMMENT ON COLUMN paliad.submission_drafts.selected_parties IS
+    't-paliad-277: party IDs (paliad.parties) the lawyer has chosen to mention in this submission. Empty array = include every party on the project (backward-compat default). Non-empty = restrict to subset, grouped by role.';
+
+COMMENT ON COLUMN paliad.submission_drafts.last_imported_at IS
+    't-paliad-277: timestamp of the last "Aus Projekt importieren" click — surfaced next to the button so the lawyer can see staleness at a glance. NULL = never imported.';

internal/db/migrations/132_wave1_tier1_rule_additions.down.sql

@@ -0,0 +1,76 @@
+-- Rollback of mig 132 (t-paliad-284 Wave 1 + m/paliad#116).
+--
+-- Reverses §0 (R.104/R.105 citation backfill) + §1..§11 (11 Tier 1
+-- INSERTs) + §12 (T1.12 re-anchor of upc.pi.cfi.response).
+--
+-- Does NOT reverse §13b (Q6 archived-litigation cleanup) — those rows
+-- were already in lifecycle_state='archived' before deletion and are not
+-- surfaced by any product code path. Restoring them would require the
+-- pre-mig-132 backup. Leaving them gone is the correct rollback choice;
+-- emergency restore goes via mig 123 backup snapshot.
+--
+-- DOES restore §13a (re-add the deadline_rule_audit.rule_id FK) so the
+-- audit-table schema returns to its pre-mig-132 shape on rollback. Any
+-- orphan audit rows accumulated under mig 132 (rule_id pointing at
+-- now-deleted rules) would block the FK re-add; the rollback DELETE
+-- below removes them first.
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 132 down: rollback Wave 1 Tier 1 rule additions + R.105 citation backfill + T1.12 re-anchor (t-paliad-284 / m/paliad#116)',
+    true);
+
+-- §12 down — un-re-anchor upc.pi.cfi.response back to its broken root state.
+UPDATE paliad.deadline_rules
+   SET parent_id    = NULL,
+       is_court_set = false,
+       rule_code    = NULL,
+       legal_source = NULL,
+       updated_at   = now()
+ WHERE submission_code = 'upc.pi.cfi.response'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND is_court_set = true
+   AND rule_code = 'RoP.211.2';
+
+-- §1..§11 down — delete the 11 Tier 1 INSERTs by submission_code.
+DELETE FROM paliad.deadline_rules
+ WHERE submission_code IN (
+     'upc.inf.cfi.cmo_review',
+     'upc.inf.cfi.confidentiality_response',
+     'upc.apl.order.response_orders',   -- delete child first (FK to grounds_orders)
+     'upc.apl.order.grounds_orders',
+     'upc.inf.cfi.cons_orders',
+     'upc.inf.cfi.rectification',
+     'upc.pi.cfi.deficiency',
+     'upc.pi.cfi.merits_start',
+     'upc.inf.cfi.translation_request',
+     'upc.inf.cfi.interpreter_cost',
+     'upc.inf.cfi.translations_lodge'
+ )
+   AND lifecycle_state = 'published';
+
+-- §0 down — clear the R.104/R.105 citation on upc.inf.cfi.interim.
+UPDATE paliad.deadline_rules
+   SET rule_code    = NULL,
+       legal_source = NULL,
+       rule_codes   = NULL,
+       updated_at   = now()
+ WHERE submission_code = 'upc.inf.cfi.interim'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND rule_code = 'RoP.104'
+   AND legal_source = 'UPC.RoP.104';
+
+-- §13a down — re-add the deadline_rule_audit.rule_id FK with the
+-- original ON DELETE CASCADE shape. Purge any orphan audit rows first
+-- (audit entries pointing at rule_ids that no longer exist in
+-- deadline_rules) so the FK re-add doesn't fail validation.
+DELETE FROM paliad.deadline_rule_audit a
+ WHERE NOT EXISTS (
+     SELECT 1 FROM paliad.deadline_rules dr WHERE dr.id = a.rule_id
+ );
+
+ALTER TABLE paliad.deadline_rule_audit
+    ADD CONSTRAINT deadline_rule_audit_rule_id_fkey
+    FOREIGN KEY (rule_id) REFERENCES paliad.deadline_rules(id) ON DELETE CASCADE;

internal/db/migrations/132_wave1_tier1_rule_additions.up.sql

@@ -0,0 +1,659 @@
+-- t-paliad-284 Wave 1 + m/paliad#116 — Tier 1 deadline-rule additions
+-- (12 high-frequency procedural events) + UPC RoP R.104/R.105 Interim
+-- Conference citation backfill + Q6 archived-litigation cleanup.
+--
+-- Source: docs/research-deadlines-completeness-2026-05-25.md
+--   • §10 Tier 1 table (T1.1 .. T1.12)
+--   • §3.1 missing-rules catalogue (per-rule statutory citations)
+--   • §9.7 / Q6 (drop the _archived_litigation.* rows — m's design ack
+--     locked in 2026-05-25)
+--
+-- m's report (2026-05-25 17:12) also explicitly named "Zwischenverfahren /
+-- Interim Conference 105" as missing a rule citation. The audit does not
+-- list R.105 as a Tier 1 item (the row upc.inf.cfi.interim already exists
+-- as a court-set anchor), so the fix is to BACKFILL rule_code/legal_source
+-- on that row rather than to insert a new rule. Done here as a separate
+-- §0 section, with both RoP.104 (Aims of the interim conference) and
+-- RoP.105 (Holding of the interim conference) cited via rule_codes[].
+--
+-- Wave 2 Slice A primitives (mig 128: working_days unit + combine_op +
+-- timing='before' backward snap in deadline_calculator.go) are used by:
+--   • T1.8  upc.pi.cfi.merits_start         — 31d OR 20wd, combine_op=max
+--   • T1.9  upc.inf.cfi.translation_request — 1 month BEFORE oral hearing
+--   • T1.10 upc.inf.cfi.interpreter_cost    — 2 weeks BEFORE oral hearing
+-- Wave 2 Slice A landed mig 128 (`deadline_rules_unit_check`) — these
+-- rules are no longer blocked.
+--
+-- Slot 132 reserved: 127 brunel Wave 0, 128 knuth W2-A, 129 demeter,
+-- 130 atlas, 131 artemis → 132 this migration.
+--
+-- Idempotency:
+--   • INSERTs guarded with `WHERE NOT EXISTS (... submission_code = ...)`
+--     so re-applying matches zero rows on the second run.
+--   • UPDATEs guarded with `WHERE` clauses that match the pre-fix row
+--     state only (mig 095 convention).
+--   • DELETE guarded by lifecycle_state='archived' AND prefix — repeats
+--     match zero rows after first run.
+--
+-- audit_reason set_config is required at the top (mig 079 trigger on
+-- paliad.deadline_rules raises EXCEPTION 'audit reason required' for
+-- any INSERT / UPDATE / DELETE without it).
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 132: t-paliad-284 Wave 1 + m/paliad#116 — Tier 1 deadline-rule additions (12 rules) from curie''s audit §10 + UPC RoP R.104/105 Interim Conference citation backfill (m''s 2026-05-25 17:12 report) + Q6 archived-litigation cleanup (audit §9.7)',
+    true);
+
+-- =============================================================================
+-- §0  R.104/R.105 — Backfill citation on the existing Interim Conference row.
+--     m's report flagged that `upc.inf.cfi.interim` (Zwischenverfahren) renders
+--     with no rule reference at /admin/rules. The row exists as a court-set
+--     anchor (duration=0, parent_id=NULL, primary_party='court'). The
+--     governing UPC Rules of Procedure are:
+--       • R.104 — Aims of the interim conference (the substantive rule)
+--       • R.105 — Holding of the interim conference (procedural)
+--     Both cited via the rule_codes[] array; rule_code/legal_source carry
+--     the primary citation (R.104 — Aims).
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET rule_code    = 'RoP.104',
+       legal_source = 'UPC.RoP.104',
+       rule_codes   = ARRAY['RoP.104', 'RoP.105'],
+       updated_at   = now()
+ WHERE submission_code = 'upc.inf.cfi.interim'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND rule_code IS NULL
+   AND legal_source IS NULL;
+
+-- =============================================================================
+-- §1  T1.1 upc.inf.cfi.cmo_review — Review of case-management order.
+--     15 days from CMO service. UPC RoP R.333.2: "Any party adversely
+--     affected by a case management order may within 15 days of service
+--     of the order apply to the panel for a review." Routine in busy LDs
+--     (Munich CMO traffic ~weekly). Anchor: the Interim Conference row,
+--     which is where CMOs are typically issued.
+-- =============================================================================
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     primary_party, duration_value, duration_unit, timing, rule_code,
+     legal_source, priority, is_court_set, lifecycle_state, is_active,
+     sequence_order, deadline_notes, deadline_notes_en)
+SELECT 8,                                                          -- upc.inf.cfi
+       (SELECT id FROM paliad.deadline_rules
+         WHERE submission_code = 'upc.inf.cfi.interim'
+           AND lifecycle_state = 'published' AND is_active = true
+         LIMIT 1),
+       'upc.inf.cfi.cmo_review',
+       'Überprüfung Verfahrensanordnung',
+       'Review of Case-Management Order',
+       'both', 15, 'days', 'after', 'RoP.333.2', 'UPC.RoP.333.2',
+       'optional', false, 'published', true, 42,
+       'Frist 15 Tage ab Zustellung der Verfahrensanordnung (R.333.2). Jede beschwerte Partei kann beim Spruchkörper Überprüfung beantragen.',
+       '15-day period from service of the case-management order (R.333.2). Any adversely-affected party may apply to the panel for a review.'
+ WHERE NOT EXISTS (
+     SELECT 1 FROM paliad.deadline_rules
+      WHERE submission_code = 'upc.inf.cfi.cmo_review'
+        AND lifecycle_state = 'published'
+ );
+
+-- =============================================================================
+-- §2  T1.2 upc.inf.cfi.confidentiality_response — Response to opposing
+--     party's confidentiality application. 14 days from receipt of the
+--     opposing party's R.262.2 application: "Within 14 days of service
+--     … the other party may lodge an Application to the contrary."
+--     Trigger event 25 (paliad.trigger_events) maps 1:1 to this rule.
+--     Daily occurrence in HLC infringement work. Anchor: Statement of
+--     Claim row as proceeding root — actual trigger date supplied via
+--     'Datum setzen' when the opp party files, since the confidentiality
+--     app is not itself modelled as a deadline_rules row.
+-- =============================================================================
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     primary_party, duration_value, duration_unit, timing, rule_code,
+     legal_source, priority, is_court_set, lifecycle_state, is_active,
+     sequence_order, trigger_event_id, deadline_notes, deadline_notes_en)
+SELECT 8,
+       (SELECT id FROM paliad.deadline_rules
+         WHERE submission_code = 'upc.inf.cfi.soc'
+           AND lifecycle_state = 'published' AND is_active = true
+         LIMIT 1),
+       'upc.inf.cfi.confidentiality_response',
+       'Erwiderung auf Vertraulichkeitsantrag',
+       'Response to Confidentiality Application',
+       'both', 14, 'days', 'after', 'RoP.262.2', 'UPC.RoP.262.2',
+       'optional', false, 'published', true, 8,
+       25,
+       'Frist 14 Tage ab Zustellung des Vertraulichkeitsantrags der Gegenseite (R.262.2). Datum bei Eingang des Antrags manuell setzen.',
+       '14-day period from service of the opposing party''s confidentiality application (R.262.2). Set trigger date manually on receipt of the application.'
+ WHERE NOT EXISTS (
+     SELECT 1 FROM paliad.deadline_rules
+      WHERE submission_code = 'upc.inf.cfi.confidentiality_response'
+        AND lifecycle_state = 'published'
+ );
+
+-- =============================================================================
+-- §3  T1.3 upc.apl.order.grounds_orders — Statement of Grounds on the
+--     orders-track appeal. 15 days from service of the appealed
+--     order/decision. UPC RoP R.224.2(b): "A Statement of grounds of
+--     appeal shall be lodged … within 15 days of service of the
+--     decision/order in cases referred to in Rule 220.1(c), Rule 220.2
+--     and Rule 221.3." Existing upc.apl.order tree has the with_leave
+--     notice but no separate grounds row — adding it.
+-- =============================================================================
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     primary_party, duration_value, duration_unit, timing, rule_code,
+     legal_source, priority, is_court_set, lifecycle_state, is_active,
+     sequence_order, deadline_notes, deadline_notes_en)
+SELECT 20,                                                         -- upc.apl.order
+       (SELECT id FROM paliad.deadline_rules
+         WHERE submission_code = 'upc.apl.order.order'
+           AND lifecycle_state = 'published' AND is_active = true
+         LIMIT 1),
+       'upc.apl.order.grounds_orders',
+       'Berufungsbegründung (Orders Track)',
+       'Statement of Grounds (Orders Track)',
+       'both', 15, 'days', 'after', 'RoP.224.2.b', 'UPC.RoP.224.2.b',
+       'mandatory', false, 'published', true, 2,
+       'Frist 15 Tage ab Zustellung der angegriffenen Anordnung/Entscheidung (R.224.2(b)).',
+       '15-day period from service of the appealed order/decision (R.224.2(b)).'
+ WHERE NOT EXISTS (
+     SELECT 1 FROM paliad.deadline_rules
+      WHERE submission_code = 'upc.apl.order.grounds_orders'
+        AND lifecycle_state = 'published'
+ );
+
+-- =============================================================================
+-- §4  T1.4 upc.apl.order.response_orders — Statement of Response on the
+--     orders-track appeal. 15 days from service of the grounds. UPC RoP
+--     R.235.2: "Within 15 days of service of grounds of appeal pursuant
+--     to Rule 224.2(b), any other party … may lodge a Statement of
+--     response." Parent: the grounds_orders row inserted in §3, looked
+--     up by submission_code so this INSERT works either against a fresh
+--     DB or a partially-applied state.
+-- =============================================================================
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     primary_party, duration_value, duration_unit, timing, rule_code,
+     legal_source, priority, is_court_set, lifecycle_state, is_active,
+     sequence_order, deadline_notes, deadline_notes_en)
+SELECT 20,
+       (SELECT id FROM paliad.deadline_rules
+         WHERE submission_code = 'upc.apl.order.grounds_orders'
+           AND lifecycle_state = 'published' AND is_active = true
+         LIMIT 1),
+       'upc.apl.order.response_orders',
+       'Berufungserwiderung (Orders Track)',
+       'Statement of Response (Orders Track)',
+       'both', 15, 'days', 'after', 'RoP.235.2', 'UPC.RoP.235.2',
+       'optional', false, 'published', true, 3,
+       'Frist 15 Tage ab Zustellung der Berufungsbegründung (R.235.2).',
+       '15-day period from service of the Statement of grounds of appeal (R.235.2).'
+ WHERE NOT EXISTS (
+     SELECT 1 FROM paliad.deadline_rules
+      WHERE submission_code = 'upc.apl.order.response_orders'
+        AND lifecycle_state = 'published'
+ );
+
+-- =============================================================================
+-- §5  T1.5 upc.inf.cfi.cons_orders — Application for orders consequential
+--     on validity. 2 months from service of the validity decision. UPC
+--     RoP R.118.4: "The Court may, upon a reasoned request by one of
+--     the parties, … give a decision granting consequential orders.
+--     The application … shall be made within two months of service of
+--     the decision …". Common after central-division revocation in
+--     bifurcated UPC matters.
+-- =============================================================================
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     primary_party, duration_value, duration_unit, timing, rule_code,
+     legal_source, priority, is_court_set, lifecycle_state, is_active,
+     sequence_order, deadline_notes, deadline_notes_en)
+SELECT 8,
+       (SELECT id FROM paliad.deadline_rules
+         WHERE submission_code = 'upc.inf.cfi.decision'
+           AND lifecycle_state = 'published' AND is_active = true
+         LIMIT 1),
+       'upc.inf.cfi.cons_orders',
+       'Antrag auf Folgeentscheidungen',
+       'Application for Consequential Orders',
+       'both', 2, 'months', 'after', 'RoP.118.4', 'UPC.RoP.118.4',
+       'optional', false, 'published', true, 60,
+       'Frist 2 Monate ab Zustellung der Validitätsentscheidung (R.118.4). Antrag auf Folgeentscheidungen (z.B. nach Zentralkammer-Nichtigerklärung).',
+       '2-month period from service of the validity decision (R.118.4). Application for orders consequential on validity (e.g. after central-division revocation).'
+ WHERE NOT EXISTS (
+     SELECT 1 FROM paliad.deadline_rules
+      WHERE submission_code = 'upc.inf.cfi.cons_orders'
+        AND lifecycle_state = 'published'
+ );
+
+-- =============================================================================
+-- §6  T1.6 upc.inf.cfi.rectification — Application for rectification of a
+--     decision/order. 1 month from delivery of the decision. UPC RoP
+--     R.353: "Clerical mistakes, errors arising from any accidental
+--     slip or omission and obvious errors in a decision or order of
+--     the Court may be corrected by the Court of its own motion or on
+--     the application of a party. The application shall be made within
+--     one month of the decision or order being notified."
+-- =============================================================================
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     primary_party, duration_value, duration_unit, timing, rule_code,
+     legal_source, priority, is_court_set, lifecycle_state, is_active,
+     sequence_order, deadline_notes, deadline_notes_en)
+SELECT 8,
+       (SELECT id FROM paliad.deadline_rules
+         WHERE submission_code = 'upc.inf.cfi.decision'
+           AND lifecycle_state = 'published' AND is_active = true
+         LIMIT 1),
+       'upc.inf.cfi.rectification',
+       'Antrag auf Berichtigung',
+       'Application for Rectification',
+       'both', 1, 'months', 'after', 'RoP.353', 'UPC.RoP.353',
+       'optional', false, 'published', true, 70,
+       'Frist 1 Monat ab Zustellung der Entscheidung/Anordnung (R.353). Berichtigung von Schreib-, Rechen- oder ähnlichen Versehen.',
+       '1-month period from notification of the decision/order (R.353). Rectification of clerical mistakes, accidental slips or obvious errors.'
+ WHERE NOT EXISTS (
+     SELECT 1 FROM paliad.deadline_rules
+      WHERE submission_code = 'upc.inf.cfi.rectification'
+        AND lifecycle_state = 'published'
+ );
+
+-- =============================================================================
+-- §7  T1.7 upc.pi.cfi.deficiency — Cure of PI-application deficiency.
+--     14 days from notification of the deficiency. UPC RoP R.207.6(a):
+--     "The Registry shall as soon as practicable examine the
+--     Application … and notify any deficiencies to the applicant. The
+--     applicant shall be invited to correct the deficiencies … within
+--     14 days." Failure to cure leads to deemed-withdrawal.
+-- =============================================================================
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     primary_party, duration_value, duration_unit, timing, rule_code,
+     legal_source, priority, is_court_set, lifecycle_state, is_active,
+     sequence_order, deadline_notes, deadline_notes_en)
+SELECT 10,                                                         -- upc.pi.cfi
+       (SELECT id FROM paliad.deadline_rules
+         WHERE submission_code = 'upc.pi.cfi.app'
+           AND lifecycle_state = 'published' AND is_active = true
+         LIMIT 1),
+       'upc.pi.cfi.deficiency',
+       'Mängelbeseitigung Antrag',
+       'Cure of Application Deficiency',
+       'claimant', 14, 'days', 'after', 'RoP.207.6.a', 'UPC.RoP.207.6.a',
+       'mandatory', false, 'published', true, 2,
+       'Frist 14 Tage ab Mängelmitteilung durch die Geschäftsstelle (R.207.6(a)). Bei Nichtbehebung gilt der Antrag als zurückgenommen.',
+       '14-day period from notification of deficiency by the Registry (R.207.6(a)). Failure to cure leads to deemed withdrawal of the application.'
+ WHERE NOT EXISTS (
+     SELECT 1 FROM paliad.deadline_rules
+      WHERE submission_code = 'upc.pi.cfi.deficiency'
+        AND lifecycle_state = 'published'
+ );
+
+-- =============================================================================
+-- §8  T1.8 upc.pi.cfi.merits_start — Start proceedings on the merits.
+--     31 calendar days OR 20 working days, whichever is the longer,
+--     from grant of the PI. UPC RoP R.213.1 → R.198.1: "the applicant
+--     shall start proceedings leading to a decision on the merits of
+--     the case … within a period not exceeding 31 calendar days or
+--     20 working days, whichever is the longer." Combine-max wiring
+--     via Wave 2 Slice A primitives (mig 128: working_days unit +
+--     combine_op). Failure to commence on time → PI lapses (R.213.2).
+-- =============================================================================
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     primary_party, duration_value, duration_unit,
+     alt_duration_value, alt_duration_unit, alt_rule_code,
+     combine_op, timing, rule_code, legal_source, priority,
+     is_court_set, lifecycle_state, is_active, sequence_order,
+     deadline_notes, deadline_notes_en)
+SELECT 10,
+       (SELECT id FROM paliad.deadline_rules
+         WHERE submission_code = 'upc.pi.cfi.order'
+           AND lifecycle_state = 'published' AND is_active = true
+         LIMIT 1),
+       'upc.pi.cfi.merits_start',
+       'Klage in der Hauptsache erheben',
+       'Start Proceedings on the Merits',
+       'claimant', 31, 'days',
+       20, 'working_days', 'RoP.198.1',
+       'max', 'after', 'RoP.213', 'UPC.RoP.213',
+       'mandatory', false, 'published', true, 3,
+       'Frist 31 Kalendertage ODER 20 Arbeitstage (jeweils das längere) ab Anordnung der einstweiligen Maßnahme (R.213 i.V.m. R.198.1). Bei Versäumnis erlischt die einstweilige Maßnahme.',
+       '31 calendar days OR 20 working days, whichever is the longer, from grant of the provisional measure (R.213 referring to R.198.1). Failure to commence within the period causes the provisional measure to lapse.'
+ WHERE NOT EXISTS (
+     SELECT 1 FROM paliad.deadline_rules
+      WHERE submission_code = 'upc.pi.cfi.merits_start'
+        AND lifecycle_state = 'published'
+ );
+
+-- =============================================================================
+-- §9  T1.9 upc.inf.cfi.translation_request — Request for simultaneous
+--     translation at the oral hearing. 1 month BEFORE the oral hearing.
+--     UPC RoP R.109.1: "A party requiring simultaneous interpretation
+--     of the oral hearing into a language other than the language of
+--     proceedings shall, no later than one month before the date of
+--     the oral hearing, lodge a request with the Court." timing='before'
+--     uses the backward-snap path in deadline_calculator.go (mig 128).
+-- =============================================================================
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     primary_party, duration_value, duration_unit, timing, rule_code,
+     legal_source, priority, is_court_set, lifecycle_state, is_active,
+     sequence_order, deadline_notes, deadline_notes_en)
+SELECT 8,
+       (SELECT id FROM paliad.deadline_rules
+         WHERE submission_code = 'upc.inf.cfi.oral'
+           AND lifecycle_state = 'published' AND is_active = true
+         LIMIT 1),
+       'upc.inf.cfi.translation_request',
+       'Antrag auf Simultanübersetzung',
+       'Request for Simultaneous Translation',
+       'both', 1, 'months', 'before', 'RoP.109.1', 'UPC.RoP.109.1',
+       'optional', false, 'published', true, 45,
+       'Frist 1 Monat VOR der mündlichen Verhandlung (R.109.1). Antrag auf Simultanübersetzung in eine andere Sprache als die Verfahrenssprache.',
+       '1 month BEFORE the oral hearing (R.109.1). Request for simultaneous interpretation into a language other than the language of proceedings.'
+ WHERE NOT EXISTS (
+     SELECT 1 FROM paliad.deadline_rules
+      WHERE submission_code = 'upc.inf.cfi.translation_request'
+        AND lifecycle_state = 'published'
+ );
+
+-- =============================================================================
+-- §10 T1.10 upc.inf.cfi.interpreter_cost — Notification of interpreter
+--     cost-bearing. 2 weeks BEFORE the oral hearing. UPC RoP R.109.4:
+--     "Where … the party which made the request for interpretation is
+--     not the party who has chosen the language of the proceedings,
+--     the costs of the interpretation … shall be borne by the
+--     requesting party, unless the Court orders otherwise. The party
+--     shall be notified at least two weeks before the oral hearing."
+--     timing='before' as in §9.
+-- =============================================================================
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     primary_party, duration_value, duration_unit, timing, rule_code,
+     legal_source, priority, is_court_set, lifecycle_state, is_active,
+     sequence_order, deadline_notes, deadline_notes_en)
+SELECT 8,
+       (SELECT id FROM paliad.deadline_rules
+         WHERE submission_code = 'upc.inf.cfi.oral'
+           AND lifecycle_state = 'published' AND is_active = true
+         LIMIT 1),
+       'upc.inf.cfi.interpreter_cost',
+       'Mitteilung Dolmetscherkosten',
+       'Notification of Interpreter Costs',
+       'court', 2, 'weeks', 'before', 'RoP.109.4', 'UPC.RoP.109.4',
+       'mandatory', false, 'published', true, 46,
+       'Frist 2 Wochen VOR der mündlichen Verhandlung (R.109.4). Mitteilung, dass die antragstellende Partei die Dolmetscherkosten zu tragen hat.',
+       '2 weeks BEFORE the oral hearing (R.109.4). Notification to the requesting party that it shall bear the interpreter costs.'
+ WHERE NOT EXISTS (
+     SELECT 1 FROM paliad.deadline_rules
+      WHERE submission_code = 'upc.inf.cfi.interpreter_cost'
+        AND lifecycle_state = 'published'
+ );
+
+-- =============================================================================
+-- §11 T1.11 upc.inf.cfi.translations_lodge — Lodging of translations on
+--     judge-rapporteur order. 2 weeks AFTER the JR's order. UPC RoP
+--     R.109.5: "If the judge-rapporteur orders, the parties shall lodge
+--     a translation of any pleading or other document into the language
+--     of the proceedings within two weeks." trigger_event_id=113 maps
+--     to the JR translation order. Anchor: Interim Conference row, where
+--     such JR orders are typically issued.
+-- =============================================================================
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     primary_party, duration_value, duration_unit, timing, rule_code,
+     legal_source, priority, is_court_set, lifecycle_state, is_active,
+     sequence_order, trigger_event_id, deadline_notes, deadline_notes_en)
+SELECT 8,
+       (SELECT id FROM paliad.deadline_rules
+         WHERE submission_code = 'upc.inf.cfi.interim'
+           AND lifecycle_state = 'published' AND is_active = true
+         LIMIT 1),
+       'upc.inf.cfi.translations_lodge',
+       'Übersetzungen einreichen',
+       'Lodging of Translations',
+       'both', 2, 'weeks', 'after', 'RoP.109.5', 'UPC.RoP.109.5',
+       'mandatory', false, 'published', true, 47,
+       113,
+       'Frist 2 Wochen ab Anordnung des Berichterstatters, Übersetzungen einzureichen (R.109.5).',
+       '2-week period from the judge-rapporteur''s order to lodge translations (R.109.5).'
+ WHERE NOT EXISTS (
+     SELECT 1 FROM paliad.deadline_rules
+      WHERE submission_code = 'upc.inf.cfi.translations_lodge'
+        AND lifecycle_state = 'published'
+ );
+
+-- =============================================================================
+-- §12 T1.12 upc.pi.cfi.response — RE-ANCHOR of the existing PI Response
+--     row. Currently broken: parent_id=NULL with is_court_set=false and
+--     duration=0 makes the calculator treat this as a root anchor. UPC
+--     RoP R.211.2 — judge sets the inter-partes hearing date and the
+--     deadline for the response. Fix: set is_court_set=true and chain
+--     parent_id on upc.pi.cfi.app (the proceeding root). Duration
+--     remains 0 (court-set placeholder); the lawyer fills in the actual
+--     date via 'Datum setzen'.
+-- =============================================================================
+UPDATE paliad.deadline_rules
+   SET parent_id   = (SELECT id FROM paliad.deadline_rules
+                       WHERE submission_code = 'upc.pi.cfi.app'
+                         AND lifecycle_state = 'published'
+                         AND is_active = true
+                       LIMIT 1),
+       is_court_set = true,
+       rule_code    = 'RoP.211.2',
+       legal_source = 'UPC.RoP.211.2',
+       updated_at   = now()
+ WHERE submission_code = 'upc.pi.cfi.response'
+   AND is_active = true
+   AND lifecycle_state = 'published'
+   AND parent_id IS NULL
+   AND is_court_set = false;
+
+-- =============================================================================
+-- §13a Pre-requisite for §13b — drop the deadline_rule_audit.rule_id FK.
+--     The audit trigger (mig 079) tries to INSERT an audit row on AFTER
+--     DELETE pointing at OLD.id, but the existing FK constraint
+--     `deadline_rule_audit_rule_id_fkey` (FOREIGN KEY rule_id REFERENCES
+--     paliad.deadline_rules(id) ON DELETE CASCADE) makes that INSERT fail
+--     because by the time the trigger fires the parent row is gone. As a
+--     result no DELETE on paliad.deadline_rules has ever succeeded in
+--     production (`SELECT count(*) FROM paliad.deadline_rule_audit
+--     WHERE action='delete'` returns 0). The trigger's DELETE branch was
+--     dead code.
+--
+--     Standard audit-table design: the audit log is append-only history
+--     and should NOT FK-constrain on the live entity table — before_json
+--     captures the full row state at the time of the change, which is
+--     all the audit trail needs. Dropping the FK fixes the latent bug
+--     and unblocks legitimate cleanup work (here: §13b, plus any future
+--     hard-delete migrations against deadline_rules).
+--
+--     Idempotent: DROP CONSTRAINT IF EXISTS no-ops on re-run.
+-- =============================================================================
+ALTER TABLE paliad.deadline_rule_audit
+    DROP CONSTRAINT IF EXISTS deadline_rule_audit_rule_id_fkey;
+
+-- =============================================================================
+-- §13b Q6 cleanup — drop the _archived_litigation.* deadline rules.
+--     40 rows at audit §9.7 flagged as obsolete Pipeline-A residue
+--     (proceeding_type id=32 '_archived_litigation' — kept for FK
+--     parity but the rules are no longer surfaced anywhere in the
+--     product). m's Q6 design ack 2026-05-25 locked in their removal.
+--     Idempotent: prefix + lifecycle_state='archived' match zero rows
+--     after first run. The proceeding_type row itself is left in place
+--     (referenced by historical deadline_rule_audit before_json blobs).
+-- =============================================================================
+DELETE FROM paliad.deadline_rules
+ WHERE submission_code LIKE '_archived_litigation.%' ESCAPE '\'
+   AND lifecycle_state = 'archived';
+
+-- =============================================================================
+-- Hard assertions. Each new/changed row must end up in its post-fix
+-- shape. Re-running the migration is a no-op for the data but the
+-- assertions still pass because they check the post-fix state.
+-- =============================================================================
+DO $$
+DECLARE
+    v_count integer;
+BEGIN
+    -- §0 R.105 interim conference backfilled
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.inf.cfi.interim'
+       AND is_active = true
+       AND lifecycle_state = 'published'
+       AND rule_code = 'RoP.104'
+       AND legal_source = 'UPC.RoP.104'
+       AND 'RoP.105' = ANY(rule_codes);
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 132 §0: upc.inf.cfi.interim citation backfill not in post-fix shape (got % matches)', v_count;
+    END IF;
+
+    -- §1 T1.1 cmo_review present
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.inf.cfi.cmo_review'
+       AND is_active = true AND lifecycle_state = 'published'
+       AND rule_code = 'RoP.333.2' AND duration_value = 15
+       AND duration_unit = 'days' AND timing = 'after';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 132 T1.1: upc.inf.cfi.cmo_review missing or wrong shape (got % matches)', v_count;
+    END IF;
+
+    -- §2 T1.2 confidentiality_response
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.inf.cfi.confidentiality_response'
+       AND is_active = true AND lifecycle_state = 'published'
+       AND rule_code = 'RoP.262.2' AND duration_value = 14
+       AND duration_unit = 'days' AND trigger_event_id = 25;
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 132 T1.2: upc.inf.cfi.confidentiality_response missing or wrong shape (got % matches)', v_count;
+    END IF;
+
+    -- §3 T1.3 grounds_orders
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.apl.order.grounds_orders'
+       AND is_active = true AND lifecycle_state = 'published'
+       AND rule_code = 'RoP.224.2.b' AND duration_value = 15
+       AND duration_unit = 'days';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 132 T1.3: upc.apl.order.grounds_orders missing or wrong shape (got % matches)', v_count;
+    END IF;
+
+    -- §4 T1.4 response_orders chained on §3
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules dr
+      JOIN paliad.deadline_rules p ON p.id = dr.parent_id
+     WHERE dr.submission_code = 'upc.apl.order.response_orders'
+       AND dr.is_active = true AND dr.lifecycle_state = 'published'
+       AND dr.rule_code = 'RoP.235.2' AND dr.duration_value = 15
+       AND p.submission_code = 'upc.apl.order.grounds_orders';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 132 T1.4: upc.apl.order.response_orders missing or wrong parent chain (got % matches)', v_count;
+    END IF;
+
+    -- §5 T1.5 cons_orders
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.inf.cfi.cons_orders'
+       AND is_active = true AND lifecycle_state = 'published'
+       AND rule_code = 'RoP.118.4' AND duration_value = 2
+       AND duration_unit = 'months';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 132 T1.5: upc.inf.cfi.cons_orders missing or wrong shape (got % matches)', v_count;
+    END IF;
+
+    -- §6 T1.6 rectification
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.inf.cfi.rectification'
+       AND is_active = true AND lifecycle_state = 'published'
+       AND rule_code = 'RoP.353' AND duration_value = 1
+       AND duration_unit = 'months';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 132 T1.6: upc.inf.cfi.rectification missing or wrong shape (got % matches)', v_count;
+    END IF;
+
+    -- §7 T1.7 pi.deficiency
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.pi.cfi.deficiency'
+       AND is_active = true AND lifecycle_state = 'published'
+       AND rule_code = 'RoP.207.6.a' AND duration_value = 14
+       AND duration_unit = 'days';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 132 T1.7: upc.pi.cfi.deficiency missing or wrong shape (got % matches)', v_count;
+    END IF;
+
+    -- §8 T1.8 pi.merits_start — combine-max wiring
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.pi.cfi.merits_start'
+       AND is_active = true AND lifecycle_state = 'published'
+       AND rule_code = 'RoP.213' AND duration_value = 31
+       AND duration_unit = 'days'
+       AND alt_duration_value = 20 AND alt_duration_unit = 'working_days'
+       AND alt_rule_code = 'RoP.198.1' AND combine_op = 'max';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 132 T1.8: upc.pi.cfi.merits_start missing or wrong combine-max shape (got % matches)', v_count;
+    END IF;
+
+    -- §9 T1.9 translation_request — timing='before'
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.inf.cfi.translation_request'
+       AND is_active = true AND lifecycle_state = 'published'
+       AND rule_code = 'RoP.109.1' AND duration_value = 1
+       AND duration_unit = 'months' AND timing = 'before';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 132 T1.9: upc.inf.cfi.translation_request missing or wrong timing (got % matches)', v_count;
+    END IF;
+
+    -- §10 T1.10 interpreter_cost — timing='before'
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.inf.cfi.interpreter_cost'
+       AND is_active = true AND lifecycle_state = 'published'
+       AND rule_code = 'RoP.109.4' AND duration_value = 2
+       AND duration_unit = 'weeks' AND timing = 'before';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 132 T1.10: upc.inf.cfi.interpreter_cost missing or wrong timing (got % matches)', v_count;
+    END IF;
+
+    -- §11 T1.11 translations_lodge
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.inf.cfi.translations_lodge'
+       AND is_active = true AND lifecycle_state = 'published'
+       AND rule_code = 'RoP.109.5' AND duration_value = 2
+       AND duration_unit = 'weeks' AND trigger_event_id = 113;
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 132 T1.11: upc.inf.cfi.translations_lodge missing or wrong shape (got % matches)', v_count;
+    END IF;
+
+    -- §12 T1.12 pi.response re-anchor
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules dr
+      JOIN paliad.deadline_rules p ON p.id = dr.parent_id
+     WHERE dr.submission_code = 'upc.pi.cfi.response'
+       AND dr.is_active = true AND dr.lifecycle_state = 'published'
+       AND dr.is_court_set = true
+       AND p.submission_code = 'upc.pi.cfi.app';
+    IF v_count <> 1 THEN
+        RAISE EXCEPTION 'mig 132 T1.12: upc.pi.cfi.response not re-anchored on app (got % matches)', v_count;
+    END IF;
+
+    -- §13 Q6 cleanup — no archived _archived_litigation rules left
+    SELECT count(*) INTO v_count
+      FROM paliad.deadline_rules
+     WHERE submission_code LIKE '_archived_litigation.%' ESCAPE '\'
+       AND lifecycle_state = 'archived';
+    IF v_count <> 0 THEN
+        RAISE EXCEPTION 'mig 132 §13: % archived _archived_litigation.* rules still present after cleanup', v_count;
+    END IF;
+END $$;

internal/db/migrations/133_upc_dmgs_pi_court_followup.down.sql

@@ -0,0 +1,33 @@
+-- Reverses mig 133. Removes the 5 new rules:
+--   * upc.dmgs.cfi.interim
+--   * upc.dmgs.cfi.oral
+--   * upc.dmgs.cfi.decision
+--   * upc.dmgs.cfi.appeal_spawn
+--   * upc.pi.cfi.appeal_spawn
+--
+-- The audit_reason is required by the mig 079 trigger for DELETE;
+-- set_config at top supplies it.
+--
+-- Idempotent — if a rule is already missing the DELETE matches zero
+-- rows and the audit log records nothing extra.
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 133 (down): revert UPC Damages tree-end rows and UPC PI appeal-spawn (t-paliad-285 / m/paliad#117 + t-paliad-286 / m/paliad#118)',
+    true);
+
+-- Delete the spawn rows first so the parent_id reference goes away
+-- before the parent decision row is removed.
+DELETE FROM paliad.deadline_rules
+ WHERE submission_code IN (
+        'upc.dmgs.cfi.appeal_spawn',
+        'upc.pi.cfi.appeal_spawn')
+   AND lifecycle_state = 'published';
+
+DELETE FROM paliad.deadline_rules
+ WHERE submission_code IN (
+        'upc.dmgs.cfi.interim',
+        'upc.dmgs.cfi.oral',
+        'upc.dmgs.cfi.decision')
+   AND proceeding_type_id = 17
+   AND lifecycle_state = 'published';

internal/db/migrations/133_upc_dmgs_pi_court_followup.up.sql

@@ -0,0 +1,405 @@
+-- t-paliad-285 (m/paliad#117) + t-paliad-286 (m/paliad#118) —
+-- post-submission court followup for UPC Damages and appeal route
+-- for UPC Provisional Measures.
+--
+-- m's 2026-05-25 report: the upc.dmgs.cfi proceeding stops at the
+-- last party submission (rejoin) — no interim conference, no oral
+-- hearing, no decision row, no appeal-spawn. The upc.pi.cfi
+-- proceeding has its decision row (`pi.order`) but no spawn into
+-- the appeal tree. Both gaps prevent the Verfahrensablauf timeline
+-- from rendering the court phase plus any downstream appeal sub-
+-- tree that atlas's #96 spawn-rendering mechanism is otherwise
+-- ready to surface.
+--
+-- Two sections in one migration (slot 133 — knuth on 132, paliadin
+-- coordinated):
+--
+--   A. UPC Damages tree-end rows (#117)
+--      A1  upc.dmgs.cfi.interim       UPC RoP R.105   court-set hearing
+--      A2  upc.dmgs.cfi.oral          UPC RoP R.118 / R.250  court-set hearing
+--      A3  upc.dmgs.cfi.decision      UPC RoP R.118 / R.144  court-set decision
+--      A4  upc.dmgs.cfi.appeal_spawn  UPC RoP R.220.1(a) / R.224.1(a)  2mo, spawn → upc.apl.merits (id=11)
+--
+--   B. UPC Provisional Measures appeal route (#118)
+--      B1  upc.pi.cfi.appeal_spawn    UPC RoP R.220.1(a) / R.224.1(a)  2mo, spawn → upc.apl.merits (id=11)
+--
+-- Source citations:
+--   * docs/research-deadlines-completeness-2026-05-25.md
+--       — §2.1 (upc.dmgs.cfi has only 4 rules: R.131.2 / R.137.2 / R.139)
+--       — §D Damages table (R.144 tree-end row missing — listed
+--         in Tier 4 as "cosmetic", upgraded to Tier-0 by m's
+--         report once the wider follow-up gap was understood)
+--   * docs/audit-upc-rop-deadlines-2026-05-08.md §D row R.144,
+--     §F R.220.1(a) / R.224.1(a) (verified verbatim in youpc DB
+--     under law_type=UPCRoP).
+--   * UPC Rules of Procedure (consolidated):
+--       R.105 — Interim conference (court fixes after written
+--         procedure closes; same structural shape as the inf
+--         interim conference, already modelled as `upc.inf.cfi.interim`).
+--       R.118 — Decision after oral hearing; general rule for
+--         deciding panels.
+--       R.250 — Determination of damages decision; damages-
+--         specific decision rule (chains R.144 indication →
+--         damages award).
+--       R.144 — Final decision on damages quantum (tree-end
+--         anchor for §A3).
+--       R.220.1(a) — Appeal lies from any final decision /
+--         decision disposing of the case at first instance.
+--         A PI order under R.211 disposes of the urgent question
+--         and is therefore appealable on the main 2-month track
+--         (not the 15-day order track of R.220.1(c), which covers
+--         case-management and procedural orders requiring leave).
+--         Curie's §F table confirms the main-track wiring for
+--         decisions on merits / disposing orders.
+--       R.224.1(a) — Statement of Appeal within 2 months of
+--         service of the final decision; the deadline-notes text
+--         mirrors mig 095's inf.appeal_spawn / rev.appeal_spawn.
+--       R.224.2(a) — Statement of grounds within 4 months
+--         (separate deadline in the spawned upc.apl.merits
+--         proceeding; already present as upc.apl.merits.grounds).
+--
+-- Shape decisions (mirroring mig 012 / mig 095 conventions):
+--   * Court-set rows (interim / oral / decision) carry
+--     primary_party='court', event_type='hearing'|'decision',
+--     duration_value=0, is_court_set=true, parent_id=NULL,
+--     concept_id reuses the shared concepts already wired for
+--     upc.inf.cfi (interim-conference / oral-hearing / decision).
+--   * Spawn rows carry primary_party='both', is_spawn=true,
+--     spawn_proceeding_type_id=11 (upc.apl.merits), spawn_label
+--     identical to the merits spawn already in production. The
+--     spawn row's parent_id is the spawning decision/order row
+--     (so the audit log carries the trigger link).
+--   * No condition_expr — m's F2.3 decision recorded in mig 095
+--     §3: "the appeal deadline should always be triggered by a
+--     decision … appeal is always a possibility." Visibility
+--     filtering on the frontend hides appeals on projects where
+--     no appeal is contemplated.
+--   * sequence_order numbering follows the inf convention
+--     (40=interim, 50=oral, 60=decision, 80=appeal_spawn) so the
+--     Verfahrensablauf timeline orders consistently across
+--     proceedings. For PI the existing pi.order sits at
+--     sequence_order=3; the appeal_spawn lands at 10 (clear of
+--     the writ phase, room for future court-phase rows).
+--
+-- Idempotency: every INSERT is gated by `WHERE NOT EXISTS (… same
+-- submission_code, proceeding_type_id, lifecycle_state)`. Re-apply
+-- against an already-migrated DB inserts zero rows and the audit
+-- log carries no duplicate entries.
+--
+-- audit_reason set_config required at the top — the mig 079 trigger
+-- on paliad.deadline_rules raises EXCEPTION 'audit reason required'
+-- on INSERT/UPDATE/DELETE without it.
+
+SELECT set_config(
+    'paliad.audit_reason',
+    'mig 133: t-paliad-285 / m/paliad#117 + t-paliad-286 / m/paliad#118 — UPC Damages tree-end rows (interim conference R.105, oral hearing R.118/R.250, decision R.118/R.144, appeal-spawn R.220.1(a)) and UPC Provisional Measures appeal-spawn R.220.1(a); see docs/research-deadlines-completeness-2026-05-25.md §D and docs/audit-upc-rop-deadlines-2026-05-08.md §D/§F',
+    true);
+
+-- =============================================================================
+-- A. UPC Damages — court-phase tree end (m/paliad#117)
+-- =============================================================================
+
+-- A1. upc.dmgs.cfi.interim — Interim conference (UPC RoP R.105).
+--     Court-set hearing fixed by the judge-rapporteur once the
+--     written procedure closes. Identical shape to
+--     upc.inf.cfi.interim; reuses the shared interim-conference
+--     concept node.
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     description, primary_party, event_type,
+     duration_value, duration_unit, timing,
+     rule_code, deadline_notes, deadline_notes_en, sequence_order,
+     is_spawn, spawn_proceeding_type_id, spawn_label,
+     is_active, legal_source, is_bilateral,
+     condition_expr, priority, is_court_set, lifecycle_state,
+     concept_id)
+SELECT
+    17,
+    NULL,
+    'upc.dmgs.cfi.interim',
+    'Zwischenverfahren',
+    'Interim Conference',
+    NULL,
+    'court',
+    'hearing',
+    0,
+    'months',
+    'after',
+    NULL,
+    'Termin vom Gericht bestimmt',
+    'Date set by the court',
+    40,
+    false,
+    NULL,
+    NULL,
+    true,
+    NULL,
+    false,
+    NULL,
+    'optional',
+    true,
+    'published',
+    'e5071152-d408-4455-b644-9e79d86fd538'
+WHERE NOT EXISTS (
+    SELECT 1 FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.dmgs.cfi.interim'
+       AND proceeding_type_id = 17
+       AND lifecycle_state = 'published');
+
+-- A2. upc.dmgs.cfi.oral — Oral hearing (UPC RoP R.118 / R.250).
+--     Court-set hearing after the interim conference / close of
+--     written procedure. Same shape as upc.inf.cfi.oral; reuses
+--     the shared oral-hearing concept node.
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     description, primary_party, event_type,
+     duration_value, duration_unit, timing,
+     rule_code, deadline_notes, deadline_notes_en, sequence_order,
+     is_spawn, spawn_proceeding_type_id, spawn_label,
+     is_active, legal_source, is_bilateral,
+     condition_expr, priority, is_court_set, lifecycle_state,
+     concept_id)
+SELECT
+    17,
+    NULL,
+    'upc.dmgs.cfi.oral',
+    'Mündliche Verhandlung',
+    'Oral Hearing',
+    NULL,
+    'court',
+    'hearing',
+    0,
+    'months',
+    'after',
+    NULL,
+    NULL,
+    NULL,
+    50,
+    false,
+    NULL,
+    NULL,
+    true,
+    NULL,
+    false,
+    NULL,
+    'optional',
+    true,
+    'published',
+    'd6e5b793-dcf1-4d83-81ff-34f42dbb3693'
+WHERE NOT EXISTS (
+    SELECT 1 FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.dmgs.cfi.oral'
+       AND proceeding_type_id = 17
+       AND lifecycle_state = 'published');
+
+-- A3. upc.dmgs.cfi.decision — Damages decision (UPC RoP R.118 /
+--     R.144 / R.250). Court-set decision delivered after oral
+--     hearing; closes the §3.1 audit gap (R.144 tree-end). Same
+--     shape as upc.inf.cfi.decision; reuses the shared decision
+--     concept node.
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     description, primary_party, event_type,
+     duration_value, duration_unit, timing,
+     rule_code, deadline_notes, deadline_notes_en, sequence_order,
+     is_spawn, spawn_proceeding_type_id, spawn_label,
+     is_active, legal_source, is_bilateral,
+     condition_expr, priority, is_court_set, lifecycle_state,
+     concept_id)
+SELECT
+    17,
+    NULL,
+    'upc.dmgs.cfi.decision',
+    'Entscheidung',
+    'Decision',
+    NULL,
+    'court',
+    'decision',
+    0,
+    'months',
+    'after',
+    NULL,
+    NULL,
+    NULL,
+    60,
+    false,
+    NULL,
+    NULL,
+    true,
+    NULL,
+    false,
+    NULL,
+    'optional',
+    true,
+    'published',
+    '472fc32d-cc4f-4aa4-8ace-e422031812de'
+WHERE NOT EXISTS (
+    SELECT 1 FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.dmgs.cfi.decision'
+       AND proceeding_type_id = 17
+       AND lifecycle_state = 'published');
+
+-- A4. upc.dmgs.cfi.appeal_spawn — Appeal against damages decision
+--     (UPC RoP R.220.1(a), 2-month main track; grounds R.224.2(a)
+--     run as a separate deadline in the spawned upc.apl.merits
+--     proceeding). Parent points at the freshly-inserted
+--     upc.dmgs.cfi.decision; the SELECT subquery resolves it
+--     after A3 lands. Same shape as the mig 095 inf.appeal_spawn.
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     description, primary_party, event_type,
+     duration_value, duration_unit, timing,
+     rule_code, deadline_notes, deadline_notes_en, sequence_order,
+     is_spawn, spawn_proceeding_type_id, spawn_label,
+     is_active, legal_source, is_bilateral,
+     condition_expr, priority, is_court_set, lifecycle_state)
+SELECT
+    17,
+    (SELECT id FROM paliad.deadline_rules
+      WHERE submission_code = 'upc.dmgs.cfi.decision'
+        AND proceeding_type_id = 17
+        AND lifecycle_state = 'published'
+        AND is_active = true),
+    'upc.dmgs.cfi.appeal_spawn',
+    'Berufung gegen Schadensentscheidung',
+    'Appeal against damages decision',
+    'Berufung gegen die Entscheidung über die Schadensbemessung (R.118 / R.144). Statutarische Frist von 2 Monaten ab Zustellung der Entscheidung (R.224.1(a)); die Berufungsbegründung folgt mit 4 Monaten ab Zustellung (R.224.2(a), eigenständige Frist im Berufungsverfahren).',
+    'both',
+    'filing',
+    2,
+    'months',
+    'after',
+    'RoP.220.1.a',
+    'Innerhalb von 2 Monaten ab Zustellung der Schadensentscheidung Berufungsschrift einreichen (R.224.1(a)). Die Berufungsbegründung (R.224.2(a), 4 Monate) läuft als separate Frist im Berufungsverfahren.',
+    'Within 2 months of service of the damages decision lodge the Statement of appeal (R.224.1(a)). The Statement of grounds (R.224.2(a), 4 months) runs as an independent deadline in the appeal proceeding.',
+    80,
+    true,
+    11,
+    'Berufungsverfahren öffnen',
+    true,
+    'UPC.RoP.220.1',
+    false,
+    NULL,
+    'optional',
+    false,
+    'published'
+WHERE NOT EXISTS (
+    SELECT 1 FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.dmgs.cfi.appeal_spawn'
+       AND proceeding_type_id = 17
+       AND lifecycle_state = 'published');
+
+-- =============================================================================
+-- B. UPC Provisional Measures — appeal route (m/paliad#118)
+-- =============================================================================
+
+-- B1. upc.pi.cfi.appeal_spawn — Appeal against PI order (UPC RoP
+--     R.220.1(a), 2-month main track). PI orders under R.211
+--     dispose of the urgent question and are appealable on the
+--     main 2-month track (R.220.1(a)/R.224.1(a)); the 15-day
+--     order track of R.220.1(c) is for case-management /
+--     procedural orders requiring leave and does not apply to
+--     PI dispositions. Parent points at the existing
+--     upc.pi.cfi.order (sequence_order=3) so the spawn fires
+--     once the order is anchored on a project's timeline.
+INSERT INTO paliad.deadline_rules
+    (proceeding_type_id, parent_id, submission_code, name, name_en,
+     description, primary_party, event_type,
+     duration_value, duration_unit, timing,
+     rule_code, deadline_notes, deadline_notes_en, sequence_order,
+     is_spawn, spawn_proceeding_type_id, spawn_label,
+     is_active, legal_source, is_bilateral,
+     condition_expr, priority, is_court_set, lifecycle_state)
+SELECT
+    10,
+    (SELECT id FROM paliad.deadline_rules
+      WHERE submission_code = 'upc.pi.cfi.order'
+        AND proceeding_type_id = 10
+        AND lifecycle_state = 'published'
+        AND is_active = true),
+    'upc.pi.cfi.appeal_spawn',
+    'Berufung gegen Anordnung',
+    'Appeal against PI order',
+    'Berufung gegen die einstweilige Anordnung nach R.211. Eine PI-Anordnung erledigt die einstweilige Streitfrage und wird wie eine Endentscheidung im Hauptverfahren behandelt: statutarische Frist von 2 Monaten ab Zustellung (R.224.1(a)); die Berufungsbegründung folgt mit 4 Monaten ab Zustellung (R.224.2(a), eigenständige Frist im Berufungsverfahren). Die 15-Tage-Spur nach R.220.1(c) / R.220.2 gilt für Verfahrensanordnungen mit Zulassung und ist hier nicht einschlägig.',
+    'both',
+    'filing',
+    2,
+    'months',
+    'after',
+    'RoP.220.1.a',
+    'Innerhalb von 2 Monaten ab Zustellung der PI-Anordnung Berufungsschrift einreichen (R.224.1(a)). Die Berufungsbegründung (R.224.2(a), 4 Monate) läuft als separate Frist im Berufungsverfahren.',
+    'Within 2 months of service of the PI order lodge the Statement of appeal (R.224.1(a)). The Statement of grounds (R.224.2(a), 4 months) runs as an independent deadline in the appeal proceeding.',
+    10,
+    true,
+    11,
+    'Berufungsverfahren öffnen',
+    true,
+    'UPC.RoP.220.1',
+    false,
+    NULL,
+    'optional',
+    false,
+    'published'
+WHERE NOT EXISTS (
+    SELECT 1 FROM paliad.deadline_rules
+     WHERE submission_code = 'upc.pi.cfi.appeal_spawn'
+       AND proceeding_type_id = 10
+       AND lifecycle_state = 'published');
+
+-- =============================================================================
+-- C. Post-insert verification — raise if any expected row is missing
+--    (matches the mig 095 / 127 convention; protects against a future
+--    re-shape of the table that silently drops one of the WHERE NOT
+--    EXISTS predicates).
+-- =============================================================================
+
+DO $$
+DECLARE
+    v_missing text;
+BEGIN
+    SELECT string_agg(expected, ', ' ORDER BY expected)
+      INTO v_missing
+      FROM (VALUES
+            ('upc.dmgs.cfi.interim'),
+            ('upc.dmgs.cfi.oral'),
+            ('upc.dmgs.cfi.decision'),
+            ('upc.dmgs.cfi.appeal_spawn'),
+            ('upc.pi.cfi.appeal_spawn')
+        ) AS t(expected)
+     WHERE NOT EXISTS (
+        SELECT 1 FROM paliad.deadline_rules dr
+         WHERE dr.submission_code = t.expected
+           AND dr.lifecycle_state = 'published'
+           AND dr.is_active = true);
+
+    IF v_missing IS NOT NULL THEN
+        RAISE EXCEPTION
+            'mig 133: expected published rules missing after insert: %', v_missing;
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM paliad.deadline_rules dr
+         WHERE dr.submission_code = 'upc.dmgs.cfi.appeal_spawn'
+           AND dr.proceeding_type_id = 17
+           AND dr.spawn_proceeding_type_id = 11
+           AND dr.is_spawn = true
+           AND dr.parent_id IS NOT NULL
+           AND dr.lifecycle_state = 'published'
+    ) THEN
+        RAISE EXCEPTION
+            'mig 133: upc.dmgs.cfi.appeal_spawn shape check failed (expected is_spawn=true, spawn_proceeding_type_id=11, parent_id set)';
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM paliad.deadline_rules dr
+         WHERE dr.submission_code = 'upc.pi.cfi.appeal_spawn'
+           AND dr.proceeding_type_id = 10
+           AND dr.spawn_proceeding_type_id = 11
+           AND dr.is_spawn = true
+           AND dr.parent_id IS NOT NULL
+           AND dr.lifecycle_state = 'published'
+    ) THEN
+        RAISE EXCEPTION
+            'mig 133: upc.pi.cfi.appeal_spawn shape check failed (expected is_spawn=true, spawn_proceeding_type_id=11, parent_id set)';
+    END IF;
+END $$;

internal/db/testdata/README.md

@@ -0,0 +1,69 @@
+# `internal/db/testdata/` — CI snapshot
+
+## `prod-snapshot.sql`
+
+Schema-only `pg_dump` of paliad's prod DB (youpc-supabase paliad schema)
+plus the rows of `paliad.applied_migrations` that match this branch's
+on-disk migration set.
+
+**Purpose.** Lets CI's migration smoke (`.gitea/workflows/test.yaml`)
+restore a Postgres scratch DB to "paliad at HEAD-of-snapshot" without
+having to replay 131 migrations from scratch. ApplyMigrations on the
+restored DB sees the applied set and only runs whatever NEW migrations
+this PR adds — exactly the integration shape we want to test, and the
+same shape prod sees on every deploy.
+
+**Why a snapshot at all.** Running ApplyMigrations from scratch against a
+fresh `supabase/postgres:15.8.1.060` surfaces multiple fresh-DB
+idempotence bugs in historical migrations (raw `COMMIT;` in mig 051,
+missing `CREATE EXTENSION pg_trgm` for mig 037, ALTER POLICY
+exception-handler gaps in mig 024/027 — the last is fixed in this PR).
+Fixing them all is a separate cleanup. The snapshot sidesteps them by
+starting CI from a state where every historical migration is already
+applied as it was in prod.
+
+**Schema scope.** `--schema=paliad` only. Auth schema comes baked into
+`supabase/postgres`; CI's setup step installs `pg_trgm` before restoring.
+
+**Ownership.** `--no-owner --no-privileges` keeps the dump portable
+across role topologies (CI's supabase_admin / postgres / authenticated /
+anon don't have to match prod's exact role layout). The role-split smoke
+relies on `postgres` being a non-superuser, which is true on
+supabase/postgres by default.
+
+**Refresh.** Run `make refresh-snapshot` with `PALIAD_PROD_DATABASE_URL`
+set to a Postgres URL with `pg_dump` rights on youpc-supabase. The
+target appends data rows for `paliad.applied_migrations`, strips
+`\restrict` / `\unrestrict` commands (pg 16 dump → pg 15 restore), and
+filters out applied-migrations rows for versions beyond the branch's
+local max. The CI workflow consumes the resulting file verbatim.
+
+**Verify a refresh.** Boot a local scratch:
+
+```bash
+docker run -d --rm --name paliad-snap \
+  -e POSTGRES_PASSWORD=ci -e POSTGRES_DB=paliad_scratch \
+  -p 15433:5432 supabase/postgres:15.8.1.060
+sleep 5
+docker exec -e PGPASSWORD=ci paliad-snap psql -h localhost -U supabase_admin -d paliad_scratch \
+  -c "GRANT CREATE ON DATABASE paliad_scratch TO postgres;" \
+  -c "CREATE EXTENSION IF NOT EXISTS pg_trgm;"
+cat internal/db/testdata/prod-snapshot.sql | docker exec -i -e PGPASSWORD=ci paliad-snap \
+  psql -h localhost -U postgres -d paliad_scratch -v ON_ERROR_STOP=1
+TEST_DATABASE_URL="postgres://postgres:ci@localhost:15433/paliad_scratch?sslmode=disable" \
+TEST_APP_DATABASE_URL="postgres://postgres:ci@localhost:15433/paliad_scratch?sslmode=disable" \
+  go test -count=1 -run 'TestMigrations|TestBootSmoke|TestHealthReady_Live' ./internal/db/ ./cmd/server/
+docker stop paliad-snap
+```
+
+All four named tests must pass. If any fails after a refresh,
+investigate before merging — usually because a new migration was added
+to prod that this branch doesn't have on disk yet.
+
+**Why is the snapshot not gzipped?** Small enough (~200 KB) that the
+diff stays human-readable in `git diff` reviews. If it crosses ~1 MB,
+gzip + decompress-on-restore in CI.
+
+**Privacy.** Schema-only dump, no row data from any paliad table (except
+`paliad.applied_migrations`, which contains migration filenames +
+checksums — public info already in the repo).

internal/handlers/approvals.go

@@ -25,6 +25,7 @@ import (
 	"encoding/json"
 	"errors"
 	"net/http"
+	"time"
 
 	"github.com/google/uuid"
 
@@ -221,6 +222,16 @@ func handleListInboxMine(w http.ResponseWriter, r *http.Request) {
 }
 
 // GET /api/inbox/count — bell badge count for the sidebar.
+//
+// Since t-paliad-249 (Slice A) the count is the **unified** unread
+// count: pending approval requests (regardless of cursor) +
+// curated project_events (InboxProjectEventKinds) on visible
+// projects whose created_at is newer than users.inbox_seen_at. See
+// ApprovalService.UnseenInboxCountForUser for the contract.
+//
+// The legacy approval-only count is still reachable via
+// PendingCountForUser inside the dashboard widget — that path
+// doesn't go through this endpoint.
 func handleInboxCount(w http.ResponseWriter, r *http.Request) {
 	if !requireDB(w) {
 		return
@@ -229,7 +240,7 @@ func handleInboxCount(w http.ResponseWriter, r *http.Request) {
 	if !ok {
 		return
 	}
-	n, err := dbSvc.approval.PendingCountForUser(r.Context(), uid)
+	n, err := dbSvc.approval.UnseenInboxCountForUser(r.Context(), uid)
 	if err != nil {
 		writeServiceError(w, err)
 		return
@@ -237,6 +248,57 @@ func handleInboxCount(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusOK, map[string]int{"count": n})
 }
 
+// POST /api/inbox/mark-all-seen — advance the caller's inbox read
+// cursor (paliad.users.inbox_seen_at). Optional body
+// `{"up_to": "<iso8601>"}` pins the advance to the timestamp of the
+// newest row the client actually saw — handy when a second tab made
+// the inbox grow between the read and the click. Missing body =>
+// advance to now().
+//
+// Returns the new cursor as `{"inbox_seen_at": "<iso8601>"}` so the
+// client can keep its local state in sync.
+func handleInboxMarkAllSeen(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	var body struct {
+		UpTo string `json:"up_to"`
+	}
+	if r.Body != nil && r.ContentLength > 0 {
+		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+			writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid JSON"})
+			return
+		}
+	}
+	var upTo time.Time
+	if body.UpTo != "" {
+		parsed, err := time.Parse(time.RFC3339Nano, body.UpTo)
+		if err != nil {
+			writeJSON(w, http.StatusBadRequest, map[string]string{"error": "up_to must be RFC3339"})
+			return
+		}
+		upTo = parsed
+	}
+	if err := dbSvc.approval.MarkInboxSeen(r.Context(), uid, upTo); err != nil {
+		writeServiceError(w, err)
+		return
+	}
+	cur, err := dbSvc.approval.InboxSeenAt(r.Context(), uid)
+	if err != nil {
+		writeServiceError(w, err)
+		return
+	}
+	resp := map[string]any{}
+	if cur != nil {
+		resp["inbox_seen_at"] = cur.UTC().Format(time.RFC3339Nano)
+	}
+	writeJSON(w, http.StatusOK, resp)
+}
+
 // parseInboxFilter pulls common filter knobs off the query string.
 //
 // Status / EntityType pass through validation: an unrecognised value is
@@ -326,6 +388,56 @@ func handleRevokeApprovalRequest(w http.ResponseWriter, r *http.Request) {
 	handleApprovalDecision(w, r, "revoke")
 }
 
+// POST /api/approval-requests/{id}/edit-entity — t-paliad-252 / m/paliad#83.
+//
+// Lets the requester revise the in-flight entity (e.g. tweak the title on a
+// pending create) without withdrawing the request. The non-destructive
+// sibling of /revoke that m asked for after noticing that withdraw silently
+// deletes the underlying event.
+//
+// Body: {"fields": {<entity-shape>}}
+// 200: {"status": "ok"}
+//
+// Status mapping (mapApprovalError):
+//
+//	400 suggestion_requires_change — payload has no allowlisted fields
+//	403 not_authorized             — caller isn't the requested_by
+//	404                            — request not found / not visible
+//	409 request_not_pending        — request already decided / revoked
+type editPendingEntityBody struct {
+	Fields map[string]any `json:"fields"`
+}
+
+func handleEditPendingEntity(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	requestID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid request id"})
+		return
+	}
+	var body editPendingEntityBody
+	if r.Body != nil && r.ContentLength > 0 {
+		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+			writeJSON(w, http.StatusBadRequest, map[string]string{
+				"code":    "invalid_body",
+				"message": "Ungültiger Body.",
+			})
+			return
+		}
+	}
+	if err := dbSvc.approval.EditPendingEntity(r.Context(), requestID, uid, body.Fields); err != nil {
+		writeApprovalError(w, err)
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
+}
+
 // suggestChangesBody is the JSON body for POST /api/approval-requests/{id}/suggest-changes.
 // counter_payload is an entity-shaped jsonb of the approver's edited
 // values (allowlist enforced server-side); note is the optional free-text

internal/handlers/backups.go

@@ -0,0 +1,247 @@
+package handlers
+
+// Admin Backup Mode handlers (t-paliad-246 / m/paliad#77 Slice A).
+//
+//   POST /api/admin/backups/run           — kick off an on-demand backup
+//   GET  /api/admin/backups               — chronological list
+//   GET  /api/admin/backups/{id}          — single catalog row
+//   GET  /api/admin/backups/{id}/file     — stream the artifact (records
+//                                            a backup_downloaded audit row)
+//   GET  /admin/backups                   — admin page (SPA shell)
+//
+// Authorisation: every route registers behind adminGate(users, …) in
+// handlers.go, so every handler in this file can assume the caller is a
+// global_admin and only validate the request shape.
+//
+// The runner is wired in cmd/server/main.go only when PALIAD_EXPORT_DIR
+// is set. When unset, every handler returns 503 — same shape as
+// requireDB.
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+
+	"mgit.msbls.de/m/paliad/internal/services"
+)
+
+// backupRequestTimeout caps a single on-demand backup. At firm-scale
+// data shapes (today: ~600 user-content rows + ~1000 reference rows)
+// a backup runs sub-second; the watchdog surfaces "stuck" as a 500
+// instead of letting the client hang forever.
+const backupRequestTimeout = 5 * time.Minute
+
+// requireBackup writes a 503 if the BackupRunner is not wired (typically
+// PALIAD_EXPORT_DIR is unset) and returns false. Mirrors requireDB.
+func requireBackup(w http.ResponseWriter) bool {
+	if dbSvc == nil || dbSvc.backup == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{
+			"error": "backup service not configured — set PALIAD_EXPORT_DIR on the server",
+		})
+		return false
+	}
+	return true
+}
+
+// handleAdminBackupsPage renders the /admin/backups SPA shell. The
+// catalog rows are fetched client-side via /api/admin/backups.
+func handleAdminBackupsPage(w http.ResponseWriter, r *http.Request) {
+	http.ServeFile(w, r, "dist/admin-backups.html")
+}
+
+// handleAdminRunBackup kicks off a synchronous on-demand backup and
+// returns the resulting BackupSummary as JSON. Synchronous: at firm-
+// scale the whole run is under 5s; an async path with polling is Slice
+// B (the scheduler reuses the same runner internally).
+//
+// Returns 201 on success with the catalog row, 500 on failure (the
+// catalog/audit rows are still flipped to failed/backup_failed before
+// the response).
+func handleAdminRunBackup(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) || !requireBackup(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(r.Context(), backupRequestTimeout)
+	defer cancel()
+
+	user, err := dbSvc.users.GetByID(ctx, uid)
+	if err != nil || user == nil {
+		log.Printf("backup: user lookup failed for %s: %v", uid, err)
+		writeJSON(w, http.StatusInternalServerError, map[string]string{
+			"error": "user lookup failed",
+		})
+		return
+	}
+
+	actor := services.BackupActor{
+		ID:    &uid,
+		Email: user.Email,
+		Label: user.DisplayName,
+	}
+	result, err := dbSvc.backup.Run(ctx, services.BackupKindOnDemand, actor)
+	if err != nil {
+		log.Printf("backup: Run failed for admin=%s: %v", uid, err)
+		writeJSON(w, http.StatusInternalServerError, map[string]string{
+			"error": "backup generation failed: " + err.Error(),
+		})
+		return
+	}
+
+	// Return the freshly-written catalog row so the UI doesn't need a
+	// follow-up GET to render the new line item.
+	row, err := dbSvc.backup.GetBackup(ctx, result.ID)
+	if err != nil {
+		// The backup did succeed — log + return the bare result.
+		log.Printf("backup: post-run GetBackup failed for %s: %v", result.ID, err)
+		writeJSON(w, http.StatusCreated, result)
+		return
+	}
+	writeJSON(w, http.StatusCreated, row)
+}
+
+// handleAdminListBackups returns the most recent N catalog rows as
+// JSON. ?limit=N caps the page (default 100).
+func handleAdminListBackups(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) || !requireBackup(w) {
+		return
+	}
+	limit := 100
+	if q := strings.TrimSpace(r.URL.Query().Get("limit")); q != "" {
+		if n, err := strconv.Atoi(q); err == nil && n > 0 && n <= 500 {
+			limit = n
+		}
+	}
+	rows, err := dbSvc.backup.ListBackups(r.Context(), limit)
+	if err != nil {
+		log.Printf("backup: list failed: %v", err)
+		writeJSON(w, http.StatusInternalServerError, map[string]string{
+			"error": "list failed",
+		})
+		return
+	}
+	if rows == nil {
+		rows = []services.BackupSummary{}
+	}
+	writeJSON(w, http.StatusOK, rows)
+}
+
+// handleAdminGetBackup returns one catalog row. Used by the UI for
+// "is the backup I just kicked off done yet?" polling — though at the
+// synchronous shape today this rarely matters.
+func handleAdminGetBackup(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) || !requireBackup(w) {
+		return
+	}
+	id, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid id"})
+		return
+	}
+	row, err := dbSvc.backup.GetBackup(r.Context(), id)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			writeJSON(w, http.StatusNotFound, map[string]string{"error": "not found"})
+			return
+		}
+		log.Printf("backup: get failed for %s: %v", id, err)
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "get failed"})
+		return
+	}
+	writeJSON(w, http.StatusOK, row)
+}
+
+// handleAdminDownloadBackup streams the artifact bytes through the
+// ArtifactStore (LocalDiskStore for v1). Records a backup_downloaded
+// audit row before flushing.
+//
+// 404 if the catalog row is missing; 410 (Gone) if the artifact was
+// already lifecycle-deleted; 409 if status is not 'done'; 500 on any
+// store/IO error.
+func handleAdminDownloadBackup(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) || !requireBackup(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	id, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid id"})
+		return
+	}
+
+	row, err := dbSvc.backup.GetBackup(r.Context(), id)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			writeJSON(w, http.StatusNotFound, map[string]string{"error": "not found"})
+			return
+		}
+		log.Printf("backup: download GetBackup failed for %s: %v", id, err)
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "get failed"})
+		return
+	}
+	if row.Status != services.BackupStatusDone || row.StorageURI == nil {
+		writeJSON(w, http.StatusConflict, map[string]string{
+			"error":  "backup not available for download",
+			"status": row.Status,
+		})
+		return
+	}
+	if row.DeletedAt != nil {
+		// 410 Gone — the artifact is past its retention window. Catalog
+		// row stays as the audit trail; clients should not retry.
+		writeJSON(w, http.StatusGone, map[string]string{
+			"error": "artifact has been removed (retention)",
+		})
+		return
+	}
+
+	rc, size, err := dbSvc.backup.Store().Get(r.Context(), *row.StorageURI)
+	if err != nil {
+		log.Printf("backup: download store.Get failed for %s: %v", id, err)
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "store read failed"})
+		return
+	}
+	defer rc.Close()
+
+	// Record the download audit row before flushing. If the audit
+	// write fails we still serve the file (the user can see it; the
+	// chain just missed a row — surface in logs).
+	user, uErr := dbSvc.users.GetByID(r.Context(), uid)
+	if uErr == nil && user != nil {
+		auditErr := dbSvc.backup.RecordDownload(r.Context(), id, services.BackupActor{
+			ID:    &uid,
+			Email: user.Email,
+			Label: user.DisplayName,
+		})
+		if auditErr != nil {
+			log.Printf("backup: RecordDownload failed for %s by %s: %v", id, uid, auditErr)
+		}
+	} else if uErr != nil {
+		log.Printf("backup: user lookup for audit failed (%s): %v", uid, uErr)
+	}
+
+	filename := fmt.Sprintf("paliad-backup-%s.zip", row.StartedAt.UTC().Format("20060102T1504Z"))
+	w.Header().Set("Content-Type", "application/zip")
+	w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename=%q`, filename))
+	w.Header().Set("Content-Length", strconv.FormatInt(size, 10))
+	w.Header().Set("X-Paliad-Backup-Id", id.String())
+	if _, err := io.Copy(w, rc); err != nil {
+		log.Printf("backup: response write failed for %s: %v", id, err)
+	}
+}

internal/handlers/event_choices.go

@@ -0,0 +1,113 @@
+package handlers
+
+// HTTP handlers for paliad.project_event_choices (t-paliad-265 / m/paliad#96).
+//
+// Three endpoints:
+//   GET    /api/projects/{id}/event-choices            → list
+//   PUT    /api/projects/{id}/event-choices            → upsert one
+//   DELETE /api/projects/{id}/event-choices/{submission_code}/{choice_kind}
+//
+// All three gated by visibility on the project (paliad.can_see_project)
+// via EventChoiceService.
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+
+	"github.com/google/uuid"
+
+	"mgit.msbls.de/m/paliad/internal/services"
+)
+
+// GET /api/projects/{id}/event-choices
+func handleListProjectEventChoices(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	if dbSvc.eventChoice == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "event-choice service not configured"})
+		return
+	}
+	projectID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid project id"})
+		return
+	}
+	rows, err := dbSvc.eventChoice.ListForProject(r.Context(), uid, projectID)
+	if err != nil {
+		writeServiceError(w, err)
+		return
+	}
+	writeJSON(w, http.StatusOK, rows)
+}
+
+// PUT /api/projects/{id}/event-choices — upsert one row.
+func handlePutProjectEventChoice(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	if dbSvc.eventChoice == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "event-choice service not configured"})
+		return
+	}
+	projectID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid project id"})
+		return
+	}
+	var input services.UpsertEventChoiceInput
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid JSON body"})
+		return
+	}
+	row, err := dbSvc.eventChoice.Upsert(r.Context(), uid, projectID, input)
+	if err != nil {
+		if errors.Is(err, services.ErrInvalidInput) {
+			writeJSON(w, http.StatusBadRequest, map[string]string{"error": err.Error()})
+			return
+		}
+		writeServiceError(w, err)
+		return
+	}
+	writeJSON(w, http.StatusOK, row)
+}
+
+// DELETE /api/projects/{id}/event-choices/{submission_code}/{choice_kind}
+func handleDeleteProjectEventChoice(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	if dbSvc.eventChoice == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "event-choice service not configured"})
+		return
+	}
+	projectID, err := uuid.Parse(r.PathValue("id"))
+	if err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid project id"})
+		return
+	}
+	submissionCode := r.PathValue("submission_code")
+	choiceKind := r.PathValue("choice_kind")
+	if err := dbSvc.eventChoice.Delete(r.Context(), uid, projectID, submissionCode, choiceKind); err != nil {
+		if errors.Is(err, services.ErrInvalidInput) {
+			writeJSON(w, http.StatusBadRequest, map[string]string{"error": err.Error()})
+			return
+		}
+		writeServiceError(w, err)
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}

internal/handlers/files.go

@@ -65,8 +65,73 @@ var fileRegistry = map[string]fileEntry{
 		RepoName:     "mWorkRepo",
 		FilePath:     "6 - material/Templates/Word/Paliad/" + branding.Name + "/de.inf.lg.erwidg.docx",
 	},
+	// Universal skeleton (t-paliad-259). Code-agnostic Schriftsatz starter
+	// that carries every placeholder SubmissionVarsService resolves but no
+	// submission_code-specific body structure. Slot between the per-firm
+	// per-code template and the bare HL Patents Style .dotm fallback: every
+	// submission_code without a dedicated template still renders with
+	// variables substituted instead of the macro-only letterhead.
+	skeletonSubmissionSlug: {
+		RawURL:       "https://mgit.msbls.de/m/mWorkRepo/raw/branch/main/6%20-%20material/Templates/Word/Paliad/" + branding.Name + "/_skeleton.docx",
+		DownloadName: branding.Name + " — Schriftsatz-Skelett.docx",
+		ContentType:  "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+		RepoOwner:    "m",
+		RepoName:     "mWorkRepo",
+		FilePath:     "6 - material/Templates/Word/Paliad/" + branding.Name + "/_skeleton.docx",
+	},
+	// Firm-formatted skeleton (t-paliad-275). Carries the same 48-key
+	// placeholder bag as the universal _skeleton.docx, but additionally
+	// preserves every HL paragraph + character style from the HL Patents
+	// Style .dotm (HLpat-Heading-H1..H5, HLpat-Body-B0, HLpat-Header-Section,
+	// HLpat-Table-Recitals-*, HLpat-Signature, …) and the firm letterhead
+	// (header logo + firm-address footer). Slotted ahead of the universal
+	// skeleton in the fallback chain so any submission_code without a
+	// dedicated per-code template still renders as a real firm-branded
+	// Schriftsatz with variables substituted, rather than a plain skeleton.
+	// Generated via scripts/gen-hl-skeleton-template against the .dotm.
+	firmSkeletonSubmissionSlug: {
+		RawURL:       "https://mgit.msbls.de/m/mWorkRepo/raw/branch/main/6%20-%20material/Templates/Word/Paliad/" + branding.Name + "/_firm-skeleton.docx",
+		DownloadName: branding.Name + " — Firm Schriftsatz-Skelett.docx",
+		ContentType:  "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+		RepoOwner:    "m",
+		RepoName:     "mWorkRepo",
+		FilePath:     "6 - material/Templates/Word/Paliad/" + branding.Name + "/_firm-skeleton.docx",
+	},
+	// English skeleton variant (t-paliad-276). Sibling of
+	// `_skeleton.docx`; used when a draft's language='en' and no
+	// per-code EN template exists. If the file isn't authored yet in
+	// mWorkRepo, the Gitea fetch fails and resolveSubmissionTemplate
+	// falls through to the DE skeleton — visible to the user as the
+	// "Fallback: universelles Skelett" notice on the draft editor.
+	skeletonSubmissionENSlug: {
+		RawURL:       "https://mgit.msbls.de/m/mWorkRepo/raw/branch/main/6%20-%20material/Templates/Word/Paliad/" + branding.Name + "/_skeleton.en.docx",
+		DownloadName: branding.Name + " — Submission skeleton.docx",
+		ContentType:  "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+		RepoOwner:    "m",
+		RepoName:     "mWorkRepo",
+		FilePath:     "6 - material/Templates/Word/Paliad/" + branding.Name + "/_skeleton.en.docx",
+	},
 }
 
+// skeletonSubmissionSlug names the universal skeleton template inside
+// the shared fileRegistry cache. Exported via a const so handler code
+// (resolveSubmissionTemplate, hlPatentsStyleSHA's sibling) refers to
+// the same string the registry uses.
+const skeletonSubmissionSlug = "submission/_skeleton.docx"
+
+// firmSkeletonSubmissionSlug names the firm-formatted skeleton template
+// inside the shared fileRegistry cache (t-paliad-275). Same placeholder
+// surface as skeletonSubmissionSlug; carries HL paragraph + character
+// styles from the source .dotm on top. Sits between the per-code
+// template and the generic universal skeleton in the fallback chain so
+// codes without a dedicated template still render with firm branding.
+const firmSkeletonSubmissionSlug = "submission/_firm-skeleton.docx"
+
+// skeletonSubmissionENSlug names the English skeleton variant used when
+// a draft's language='en' and no per-code EN template exists
+// (t-paliad-276). Same role as skeletonSubmissionSlug but in EN.
+const skeletonSubmissionENSlug = "submission/_skeleton.en.docx"
+
 // submissionTemplateRegistry maps a deadline-rule submission_code to a
 // fileRegistry slug. Lookup order matches the cronus design fallback
 // chain §8: per-firm `templates/{FIRM_NAME}/{code}.docx` first, then
@@ -76,14 +141,32 @@ var fileRegistry = map[string]fileEntry{
 // the file itself lives in mWorkRepo and is served through the shared
 // Gitea proxy cache so refreshes are visible to all consumers in one
 // place.
+//
+// t-paliad-276: codes that ship an EN sibling
+// (e.g. `de.inf.lg.erwidg.en.docx`) also register it in
+// submissionTemplateENRegistry; the language-aware lookup
+// (resolveSubmissionTemplate(ctx, code, lang)) prefers the language-
+// suffixed slug and falls back to the unsuffixed one when no per-firm
+// EN variant exists.
 var submissionTemplateRegistry = map[string]string{
 	"de.inf.lg.erwidg": "submission/de.inf.lg.erwidg.docx",
 }
 
+// submissionTemplateENRegistry maps a submission_code to the EN
+// variant slug. Empty when no EN template has been authored — the
+// lookup falls through to the unsuffixed (DE-baked) template and the
+// editor surfaces the "Fallback: universelles Skelett" notice when
+// even the skeleton has no EN sibling.
+var submissionTemplateENRegistry = map[string]string{}
+
 // fetchSubmissionTemplateBytes returns the per-submission_code template
 // bytes (and provenance SHA) when one is registered. The bool result
 // distinguishes "no per-code template registered" (callers fall back to
 // HL Patents Style) from an upstream fetch error.
+//
+// Language-suffixed variants (t-paliad-276) are served via
+// fetchSubmissionTemplateBytesForLang — this base function returns the
+// unsuffixed registry entry only (the legacy DE-baked template).
 func fetchSubmissionTemplateBytes(ctx context.Context, submissionCode string) ([]byte, string, bool, error) {
 	slug, ok := submissionTemplateRegistry[submissionCode]
 	if !ok {
@@ -189,6 +272,170 @@ func handleFileRefresh(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusOK, map[string]string{"ok": "true", "message": "Cache cleared"})
 }
 
+// fetchSubmissionTemplateBytesForLang returns the per-(code, lang)
+// template bytes when a language-suffixed variant is registered. Used
+// only for the EN variant today; DE goes through the unsuffixed
+// fetchSubmissionTemplateBytes (which is the legacy / authoritative
+// DE registry). t-paliad-276.
+//
+// Returned bool = "variant registered AND fetched OK". A registered
+// variant whose file 404s on Gitea returns (nil, "", false, nil) so
+// the caller falls through to the unsuffixed template, mirroring the
+// behaviour for unregistered codes.
+func fetchSubmissionTemplateBytesForLang(ctx context.Context, submissionCode, lang string) ([]byte, string, bool, error) {
+	if lang != "en" {
+		// Only EN has a separate registry today. DE goes through the
+		// unsuffixed path which is the authoritative DE template.
+		return nil, "", false, nil
+	}
+	slug, ok := submissionTemplateENRegistry[submissionCode]
+	if !ok {
+		return nil, "", false, nil
+	}
+	entry, ok := fileRegistry[slug]
+	if !ok {
+		return nil, "", false, fmt.Errorf("file proxy: submission template slug %q not registered", slug)
+	}
+	ce := getCacheEntry(slug)
+
+	ce.mu.RLock()
+	hasData := len(ce.data) > 0
+	needsCheck := time.Since(ce.lastChecked) >= checkInterval
+	ce.mu.RUnlock()
+
+	if !hasData {
+		if err := fileFetch(ce, entry); err != nil {
+			// Treat upstream miss as "variant unavailable" so the
+			// resolver falls through to the DE template instead of
+			// surfacing a 502.
+			log.Printf("file proxy: EN variant fetch failed for %s (%s): %v — falling through", submissionCode, slug, err)
+			return nil, "", false, nil
+		}
+	} else if needsCheck {
+		go fileCheckAndRefresh(ce, entry)
+	}
+
+	ce.mu.RLock()
+	defer ce.mu.RUnlock()
+	if len(ce.data) == 0 {
+		return nil, "", false, nil
+	}
+	out := make([]byte, len(ce.data))
+	copy(out, ce.data)
+	_ = ctx
+	return out, ce.sha, true, nil
+}
+
+// fetchSubmissionSkeletonBytesForLang returns the cached skeleton
+// template bytes for the requested language. EN falls back to DE when
+// the EN skeleton hasn't been authored yet (t-paliad-276). Returned
+// bool flags whether the bytes match the requested language — false
+// means the resolver should communicate "fallback" to the UI.
+func fetchSubmissionSkeletonBytesForLang(ctx context.Context, lang string) ([]byte, string, bool, error) {
+	if lang == "en" {
+		entry, ok := fileRegistry[skeletonSubmissionENSlug]
+		if ok {
+			ce := getCacheEntry(skeletonSubmissionENSlug)
+			ce.mu.RLock()
+			hasData := len(ce.data) > 0
+			needsCheck := time.Since(ce.lastChecked) >= checkInterval
+			ce.mu.RUnlock()
+			if !hasData {
+				if err := fileFetch(ce, entry); err == nil {
+					ce.mu.RLock()
+					if len(ce.data) > 0 {
+						out := make([]byte, len(ce.data))
+						copy(out, ce.data)
+						sha := ce.sha
+						ce.mu.RUnlock()
+						return out, sha, true, nil
+					}
+					ce.mu.RUnlock()
+				} else {
+					log.Printf("file proxy: EN skeleton fetch failed (%s): %v — falling back to DE", skeletonSubmissionENSlug, err)
+				}
+			} else {
+				if needsCheck {
+					go fileCheckAndRefresh(ce, entry)
+				}
+				ce.mu.RLock()
+				if len(ce.data) > 0 {
+					out := make([]byte, len(ce.data))
+					copy(out, ce.data)
+					sha := ce.sha
+					ce.mu.RUnlock()
+					return out, sha, true, nil
+				}
+				ce.mu.RUnlock()
+			}
+		}
+	}
+	// Fall through to the DE skeleton; bool=false flags that the
+	// returned bytes don't carry the requested language.
+	bytes, sha, err := fetchSubmissionSkeletonBytes(ctx)
+	if err != nil {
+		return nil, "", false, err
+	}
+	return bytes, sha, lang == "de", nil
+}
+
+// fetchSubmissionSkeletonBytes returns the cached universal skeleton
+// template bytes plus its provenance SHA. Sits between the per-firm
+// per-submission_code template (fetchSubmissionTemplateBytes) and the
+// bare universal HL Patents Style .dotm (fetchHLPatentsStyleBytes) in
+// resolveSubmissionTemplate's fallback chain — used for every
+// submission_code that has no dedicated template registered. Same
+// stale-while-revalidate semantics as the rest of the file proxy: first
+// call warms the cache synchronously from mWorkRepo via Gitea; later
+// calls return immediately while a background refresh runs.
+func fetchSubmissionSkeletonBytes(ctx context.Context) ([]byte, string, error) {
+	return fetchSubmissionTemplateSlug(ctx, skeletonSubmissionSlug)
+}
+
+// fetchFirmSkeletonBytes returns the cached firm-formatted skeleton
+// template bytes (HL paragraph/character styles + 48-key placeholder
+// bag) plus its provenance SHA. Sits between the per-code template and
+// the generic universal skeleton in resolveSubmissionTemplate's
+// fallback chain (t-paliad-275). Same stale-while-revalidate caching
+// as the other Gitea-backed template parts.
+func fetchFirmSkeletonBytes(ctx context.Context) ([]byte, string, error) {
+	return fetchSubmissionTemplateSlug(ctx, firmSkeletonSubmissionSlug)
+}
+
+// fetchSubmissionTemplateSlug is the shared cache-aware fetcher used by
+// the firm-skeleton and universal-skeleton accessors. Factored out so
+// the two paths can't drift apart on caching semantics.
+func fetchSubmissionTemplateSlug(ctx context.Context, slug string) ([]byte, string, error) {
+	entry, ok := fileRegistry[slug]
+	if !ok {
+		return nil, "", fmt.Errorf("file proxy: %s not registered", slug)
+	}
+	ce := getCacheEntry(slug)
+
+	ce.mu.RLock()
+	hasData := len(ce.data) > 0
+	needsCheck := time.Since(ce.lastChecked) >= checkInterval
+	ce.mu.RUnlock()
+
+	if !hasData {
+		if err := fileFetch(ce, entry); err != nil {
+			return nil, "", err
+		}
+	} else if needsCheck {
+		go fileCheckAndRefresh(ce, entry)
+	}
+
+	ce.mu.RLock()
+	defer ce.mu.RUnlock()
+	if len(ce.data) == 0 {
+		return nil, "", fmt.Errorf("file proxy: %s cache empty after fetch", slug)
+	}
+	out := make([]byte, len(ce.data))
+	copy(out, ce.data)
+	_ = ctx
+	return out, ce.sha, nil
+}
+
 // fetchHLPatentsStyleBytes returns the cached HL Patents Style .dotm
 // bytes. Shared accessor used by both the /files/{slug} download path
 // (Word auto-update channel) and the submission generator

internal/handlers/fristenrechner.go

@@ -5,6 +5,9 @@ import (
 	"errors"
 	"net/http"
 
+	"github.com/google/uuid"
+
+	"mgit.msbls.de/m/paliad/internal/models"
 	"mgit.msbls.de/m/paliad/internal/services"
 )
 
@@ -51,6 +54,15 @@ func handleFristenrechnerAPI(w http.ResponseWriter, r *http.Request) {
 		Flags           []string          `json:"flags,omitempty"`
 		AnchorOverrides map[string]string `json:"anchorOverrides,omitempty"`
 		CourtID         string            `json:"courtId,omitempty"`
+		// t-paliad-265: per-event-card choices. Two parallel inputs:
+		// - ProjectID lets the server pull persisted choices from
+		//   paliad.project_event_choices (project-bound /tools/fristenrechner).
+		// - PerCardChoices lets the unbound /tools/verfahrensablauf
+		//   send an inline-CSV-decoded list straight off the URL
+		//   without persisting. When both are present the inline list
+		//   wins (what-if exploration overrides the saved state).
+		ProjectID       string                                  `json:"projectId,omitempty"`
+		PerCardChoices  []services.UpsertEventChoiceInput       `json:"perCardChoices,omitempty"`
 	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "Ungültige Anfrage"})
@@ -61,11 +73,42 @@ func handleFristenrechnerAPI(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Fold per-card choices into the CalcOptions addendum. The inline
+	// PerCardChoices wins over the persisted ProjectID lookup when both
+	// are non-empty.
+	var addendum services.CalcOptionsAddendum
+	if len(req.PerCardChoices) > 0 {
+		choices := make([]models.ProjectEventChoice, 0, len(req.PerCardChoices))
+		for _, c := range req.PerCardChoices {
+			choices = append(choices, models.ProjectEventChoice{
+				SubmissionCode: c.SubmissionCode,
+				ChoiceKind:     c.ChoiceKind,
+				ChoiceValue:    c.ChoiceValue,
+			})
+		}
+		addendum = services.ToCalcOptionsAddendum(choices)
+	} else if req.ProjectID != "" && dbSvc.eventChoice != nil {
+		if pid, err := uuid.Parse(req.ProjectID); err == nil {
+			if uid, ok := requireUser(w, r); ok {
+				if choices, err := dbSvc.eventChoice.ListForProject(r.Context(), uid, pid); err == nil {
+					addendum = services.ToCalcOptionsAddendum(choices)
+				}
+				// Visibility-filtered lookup: a non-visible project
+				// returns ErrNotVisible from ListForProject; in that
+				// case we project without per-card overlays rather
+				// than 404 — the timeline itself is non-PII data.
+			}
+		}
+	}
+
 	resp, err := dbSvc.fristenrechner.Calculate(r.Context(), req.ProceedingType, req.TriggerDate, services.CalcOptions{
-		PriorityDateStr: req.PriorityDate,
-		Flags:           req.Flags,
-		AnchorOverrides: req.AnchorOverrides,
-		CourtID:         req.CourtID,
+		PriorityDateStr:  req.PriorityDate,
+		Flags:            req.Flags,
+		AnchorOverrides:  req.AnchorOverrides,
+		CourtID:          req.CourtID,
+		PerCardAppellant: addendum.PerCardAppellant,
+		SkipRules:        addendum.SkipRules,
+		IncludeCCRFor:    addendum.IncludeCCRFor,
 	})
 	if err != nil {
 		if errors.Is(err, services.ErrUnknownProceedingType) {

internal/handlers/handlers.go

@@ -1,9 +1,13 @@
 package handlers
 
 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"strings"
+	"time"
+
+	"github.com/jmoiron/sqlx"
 
 	"mgit.msbls.de/m/paliad/internal/auth"
 	"mgit.msbls.de/m/paliad/internal/services"
@@ -50,6 +54,12 @@ func noCachePages(h http.Handler) http.Handler {
 // Services bundles the Phase B + C database-backed services. Pass nil if
 // DATABASE_URL was unset; the matter-management endpoints will return 503.
 type Services struct {
+	// Pool is the raw connection pool. Held so the readiness probe
+	// (/health/ready) can ping it without going through any individual
+	// service. nil when DATABASE_URL was unset — in that case
+	// /health/ready returns 503.
+	Pool *sqlx.DB
+
 	Project        *services.ProjectService
 	Team           *services.TeamService
 	PartnerUnit    *services.PartnerUnitService
@@ -98,9 +108,18 @@ type Services struct {
 	Projection      *services.ProjectionService
 	Export          *services.ExportService
 
+	// t-paliad-246 — Backup Mode (org-scope admin backups). Nil when
+	// DATABASE_URL or PALIAD_EXPORT_DIR is unset; the /admin/backups
+	// routes return 503 in that case.
+	Backup          *services.BackupRunner
+
 	// t-paliad-238 — dedicated Submissions/Schriftsätze editor.
 	SubmissionDraft *services.SubmissionDraftService
 
+	// t-paliad-265 / m/paliad#96 — per-event-card optional choices on
+	// the Verfahrensablauf timeline.
+	EventChoice *services.EventChoiceService
+
 	// Paliadin is wired when DATABASE_URL is set. The concrete backend
 	// is picked in cmd/server/main.go based on PALIADIN_REMOTE_HOST
 	// (remote → mRiver via SSH) or local tmux availability. Stays nil
@@ -162,7 +181,9 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
 			firmDashboardDefault: svc.FirmDashboardDefault,
 			projection:      svc.Projection,
 			export:          svc.Export,
+			backup:          svc.Backup,
 			submissionDraft: svc.SubmissionDraft,
+			eventChoice:     svc.EventChoice,
 		}
 	}
 
@@ -177,6 +198,38 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
 		_, _ = w.Write([]byte("ok\n"))
 	})
 
+	// Readiness probe. Public, no auth. Distinct from /healthz: this
+	// returns 200 only when the DB pool is reachable. Reaching Register
+	// at all implies db.ApplyMigrations succeeded (cmd/server/main.go
+	// calls it before constructing svc), so a 200 here means "migrations
+	// applied AND pool responsive" — the contract Dokploy / Traefik should
+	// gate on, not the bind-and-serve check that /healthz answers.
+	//
+	// Three outcomes:
+	//   - svc == nil OR svc.Pool == nil  → 503 (DB-less knowledge-platform
+	//     deployments report not-ready so an external orchestrator can
+	//     distinguish them from a full prod boot).
+	//   - PingContext fails within 2 s   → 503 (pool unreachable).
+	//   - PingContext succeeds            → 200 "ready".
+	//
+	// Used by docker-compose.yml's healthcheck (Slice B) and by the
+	// post-deploy verification step in .gitea/workflows/test.yaml.
+	mux.HandleFunc("GET /health/ready", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Cache-Control", "no-store")
+		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		if svc == nil || svc.Pool == nil {
+			http.Error(w, "db not configured\n", http.StatusServiceUnavailable)
+			return
+		}
+		ctx, cancel := context.WithTimeout(r.Context(), 2*time.Second)
+		defer cancel()
+		if err := svc.Pool.PingContext(ctx); err != nil {
+			http.Error(w, "db unreachable\n", http.StatusServiceUnavailable)
+			return
+		}
+		_, _ = w.Write([]byte("ready\n"))
+	})
+
 	// API endpoints (JSON, public)
 	mux.HandleFunc("POST /api/login", handleAPILogin)
 	mux.HandleFunc("POST /api/register", handleAPIRegister)
@@ -349,6 +402,10 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
 	protected.HandleFunc("PATCH /api/submission-drafts/{draft_id}", handleGlobalPatchSubmissionDraft)
 	protected.HandleFunc("DELETE /api/submission-drafts/{draft_id}", handleGlobalDeleteSubmissionDraft)
 	protected.HandleFunc("POST /api/submission-drafts/{draft_id}/export", handleGlobalExportSubmissionDraft)
+	// t-paliad-277 / m/paliad#109 — refresh project-derived variables on
+	// the draft. Strips overrides for project.* / parties.* / deadline.*
+	// / procedural_event.* / rule.* prefixes and bumps last_imported_at.
+	protected.HandleFunc("POST /api/submission-drafts/{draft_id}/import-from-project", handleImportFromProject)
 	// /counterclaim creates a CCR sub-project linked via the new
 	// paliad.projects.counterclaim_of FK (t-paliad-174 Slice 3).
 	protected.HandleFunc("POST /api/projects/{id}/counterclaim", handleCreateProjectCounterclaim)
@@ -384,6 +441,11 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
 	protected.HandleFunc("POST /api/projects/{id}/partner-units", handleAttachPartnerUnit)
 	protected.HandleFunc("DELETE /api/projects/{id}/partner-units/{unit_id}", handleDetachPartnerUnit)
 
+	// t-paliad-265 — per-event-card choices on the Verfahrensablauf timeline.
+	protected.HandleFunc("GET /api/projects/{id}/event-choices", handleListProjectEventChoices)
+	protected.HandleFunc("PUT /api/projects/{id}/event-choices", handlePutProjectEventChoice)
+	protected.HandleFunc("DELETE /api/projects/{id}/event-choices/{submission_code}/{choice_kind}", handleDeleteProjectEventChoice)
+
 	// Partner units (structural partner-led units; legacy "Dezernate").
 	protected.HandleFunc("GET /api/partner-units", handleListPartnerUnits)
 	protected.HandleFunc("POST /api/partner-units", handleCreatePartnerUnit)
@@ -570,6 +632,17 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
 		protected.HandleFunc("GET /admin/email-templates", adminGate(users, gateOnboarded(handleAdminEmailTemplatesPage)))
 		protected.HandleFunc("GET /admin/email-templates/{key}", adminGate(users, gateOnboarded(handleAdminEmailTemplatesEditPage)))
 		protected.HandleFunc("GET /admin/event-types", adminGate(users, gateOnboarded(handleAdminEventTypesPage)))
+
+		// t-paliad-246 / m/paliad#77 Slice A — Backup Mode admin page +
+		// API. Routes only register when Users is wired (matches the
+		// other admin routes); per-request 503 if BackupRunner itself
+		// is unwired (PALIAD_EXPORT_DIR unset).
+		protected.HandleFunc("GET /admin/backups", adminGate(users, gateOnboarded(handleAdminBackupsPage)))
+		protected.HandleFunc("POST /api/admin/backups/run", adminGate(users, handleAdminRunBackup))
+		protected.HandleFunc("GET /api/admin/backups", adminGate(users, handleAdminListBackups))
+		protected.HandleFunc("GET /api/admin/backups/{id}", adminGate(users, handleAdminGetBackup))
+		protected.HandleFunc("GET /api/admin/backups/{id}/file", adminGate(users, handleAdminDownloadBackup))
+
 		protected.HandleFunc("GET /api/admin/users", adminGate(users, handleAdminListUsers))
 		protected.HandleFunc("POST /api/admin/users", adminGate(users, handleAdminCreateUser))
 		protected.HandleFunc("POST /api/admin/users/full", adminGate(users, handleAdminCreateFullUser))
@@ -654,10 +727,14 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
 		protected.HandleFunc("GET /api/inbox/pending-mine", handleListInboxPendingMine)
 		protected.HandleFunc("GET /api/inbox/mine", handleListInboxMine)
 		protected.HandleFunc("GET /api/inbox/count", handleInboxCount)
+		protected.HandleFunc("POST /api/inbox/mark-all-seen", handleInboxMarkAllSeen)
 		protected.HandleFunc("GET /api/approval-requests/{id}", handleGetApprovalRequest)
 		protected.HandleFunc("POST /api/approval-requests/{id}/approve", handleApproveApprovalRequest)
 		protected.HandleFunc("POST /api/approval-requests/{id}/reject", handleRejectApprovalRequest)
 		protected.HandleFunc("POST /api/approval-requests/{id}/revoke", handleRevokeApprovalRequest)
+		// t-paliad-252 — non-destructive sibling of /revoke: lets the
+		// requester revise the in-flight entity without withdrawing.
+		protected.HandleFunc("POST /api/approval-requests/{id}/edit-entity", handleEditPendingEntity)
 		protected.HandleFunc("POST /api/approval-requests/{id}/suggest-changes", handleSuggestChangesApprovalRequest)
 
 		// t-paliad-154 — form-time effective policy lookup. Reachable by

internal/handlers/projects.go

@@ -62,8 +62,15 @@ type dbServices struct {
 	projection     *services.ProjectionService
 	export         *services.ExportService
 
+	// t-paliad-246 — Backup Mode orchestrator. Nil when DATABASE_URL or
+	// PALIAD_EXPORT_DIR is unset (the /admin/backups routes return 503).
+	backup *services.BackupRunner
+
 	// t-paliad-238 — submission draft editor.
 	submissionDraft *services.SubmissionDraftService
+
+	// t-paliad-265 — per-event-card optional choices.
+	eventChoice *services.EventChoiceService
 }
 
 var dbSvc *dbServices

internal/handlers/submission_drafts.go

@@ -60,38 +60,65 @@ const submissionDraftExportTimeout = 30 * time.Second
 // raw row plus the resolved bag and the rule metadata the sidebar uses
 // to label each variable group.
 type submissionDraftView struct {
-	Draft           submissionDraftJSON      `json:"draft"`
-	Rule            *submissionRuleSummary   `json:"rule,omitempty"`
-	ResolvedBag     services.PlaceholderMap  `json:"resolved_bag"`
-	MergedBag       services.PlaceholderMap  `json:"merged_bag"`
-	PreviewHTML     string                   `json:"preview_html"`
-	Lang            string                   `json:"lang"`
-	HasTemplate     bool                     `json:"has_template"`
-	TemplateMissing bool                     `json:"template_missing,omitempty"`
+	Draft           submissionDraftJSON     `json:"draft"`
+	Rule            *submissionRuleSummary  `json:"rule,omitempty"`
+	ResolvedBag     services.PlaceholderMap `json:"resolved_bag"`
+	MergedBag       services.PlaceholderMap `json:"merged_bag"`
+	PreviewHTML     string                  `json:"preview_html"`
+	Lang            string                  `json:"lang"`
+	HasTemplate     bool                    `json:"has_template"`
+	TemplateMissing bool                    `json:"template_missing,omitempty"`
+	// TemplateTier identifies which tier of resolveSubmissionTemplate
+	// produced the bytes — one of per_code_lang, per_code, skeleton_lang,
+	// skeleton, letterhead. Lets the editor distinguish a perfect
+	// per-firm match from a skeleton fallback. t-paliad-276.
+	TemplateTier string `json:"template_tier,omitempty"`
+	// LanguageFallback is true when the requested draft.language has no
+	// per-firm per-code template (e.g. EN draft falls back to the DE
+	// per-code template, or to the universal skeleton). UI surfaces a
+	// notice so the lawyer knows the rendered body lacks language-
+	// matched code-specific prose. t-paliad-276.
+	LanguageFallback bool `json:"language_fallback,omitempty"`
+	// AvailableParties is the project's full party roster (t-paliad-277)
+	// so the frontend can render the multi-select picker in one round-
+	// trip. Empty when the draft has no project attached.
+	AvailableParties []submissionDraftPartyJSON `json:"available_parties"`
+}
+
+// submissionDraftPartyJSON is the minimal party row the editor sidebar
+// needs to render a checkbox + role chip per party.
+type submissionDraftPartyJSON struct {
+	ID             uuid.UUID `json:"id"`
+	Name           string    `json:"name"`
+	Role           string    `json:"role,omitempty"`
+	Representative string    `json:"representative,omitempty"`
 }
 
 type submissionDraftJSON struct {
-	ID              uuid.UUID                `json:"id"`
-	ProjectID       *uuid.UUID               `json:"project_id"`
-	SubmissionCode  string                   `json:"submission_code"`
-	UserID          uuid.UUID                `json:"user_id"`
-	Name            string                   `json:"name"`
-	Variables       services.PlaceholderMap  `json:"variables"`
-	LastExportedAt  *time.Time               `json:"last_exported_at,omitempty"`
-	LastExportedSHA *string                  `json:"last_exported_sha,omitempty"`
-	CreatedAt       time.Time                `json:"created_at"`
-	UpdatedAt       time.Time                `json:"updated_at"`
+	ID              uuid.UUID               `json:"id"`
+	ProjectID       *uuid.UUID              `json:"project_id"`
+	SubmissionCode  string                  `json:"submission_code"`
+	UserID          uuid.UUID               `json:"user_id"`
+	Name            string                  `json:"name"`
+	Language        string                  `json:"language"`
+	Variables       services.PlaceholderMap `json:"variables"`
+	SelectedParties []uuid.UUID             `json:"selected_parties"`
+	LastExportedAt  *time.Time              `json:"last_exported_at,omitempty"`
+	LastExportedSHA *string                 `json:"last_exported_sha,omitempty"`
+	LastImportedAt  *time.Time              `json:"last_imported_at,omitempty"`
+	CreatedAt       time.Time               `json:"created_at"`
+	UpdatedAt       time.Time               `json:"updated_at"`
 }
 
 type submissionRuleSummary struct {
-	Name                 string  `json:"name"`
-	NameEN               string  `json:"name_en"`
-	SubmissionCode       string  `json:"submission_code"`
-	PrimaryParty         string  `json:"primary_party,omitempty"`
-	EventType            string  `json:"event_type,omitempty"`
-	LegalSource          string  `json:"legal_source,omitempty"`
-	LegalSourcePretty    string  `json:"legal_source_pretty,omitempty"`
-	LegalSourcePrettyEN  string  `json:"legal_source_pretty_en,omitempty"`
+	Name                string `json:"name"`
+	NameEN              string `json:"name_en"`
+	SubmissionCode      string `json:"submission_code"`
+	PrimaryParty        string `json:"primary_party,omitempty"`
+	EventType           string `json:"event_type,omitempty"`
+	LegalSource         string `json:"legal_source,omitempty"`
+	LegalSourcePretty   string `json:"legal_source_pretty,omitempty"`
+	LegalSourcePrettyEN string `json:"legal_source_pretty_en,omitempty"`
 }
 
 type submissionDraftListResponse struct {
@@ -101,8 +128,10 @@ type submissionDraftListResponse struct {
 }
 
 type submissionDraftPatchInput struct {
-	Name      *string                  `json:"name,omitempty"`
-	Variables *services.PlaceholderMap `json:"variables,omitempty"`
+	Name            *string                  `json:"name,omitempty"`
+	Variables       *services.PlaceholderMap `json:"variables,omitempty"`
+	SelectedParties *[]uuid.UUID             `json:"selected_parties,omitempty"`
+	Language        *string                  `json:"language,omitempty"`
 }
 
 // ─────────────────────────────────────────────────────────────────────
@@ -337,7 +366,12 @@ func handlePatchSubmissionDraft(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	patch := services.DraftPatch{Name: input.Name, Variables: input.Variables}
+	patch := services.DraftPatch{
+		Name:            input.Name,
+		Variables:       input.Variables,
+		SelectedParties: input.SelectedParties,
+		Language:        input.Language,
+	}
 	d, err := dbSvc.submissionDraft.Update(r.Context(), uid, draftID, patch)
 	if err != nil {
 		writeSubmissionDraftServiceError(w, err)
@@ -418,7 +452,7 @@ func handlePreviewSubmissionDraft(w http.ResponseWriter, r *http.Request) {
 		writeSubmissionDraftServiceError(w, err)
 		return
 	}
-	tplBytes, _, err := resolveSubmissionTemplate(ctx, d.SubmissionCode)
+	tplBytes, _, _, err := resolveSubmissionTemplate(ctx, d.SubmissionCode, d.Language)
 	if err != nil {
 		log.Printf("submission_drafts: template fetch (draft=%s): %v", draftID, err)
 		writeJSON(w, http.StatusBadGateway, map[string]string{"error": "template upstream unreachable"})
@@ -467,7 +501,7 @@ func handleExportSubmissionDraft(w http.ResponseWriter, r *http.Request) {
 		writeSubmissionDraftServiceError(w, err)
 		return
 	}
-	tplBytes, tplSHA, err := resolveSubmissionTemplate(ctx, d.SubmissionCode)
+	tplBytes, tplSHA, _, err := resolveSubmissionTemplate(ctx, d.SubmissionCode, d.Language)
 	if err != nil {
 		log.Printf("submission_drafts: export template fetch (draft=%s): %v", draftID, err)
 		writeJSON(w, http.StatusBadGateway, map[string]string{"error": "template upstream unreachable"})
@@ -670,18 +704,24 @@ func handleGetGlobalSubmissionDraft(w http.ResponseWriter, r *http.Request) {
 type globalDraftPatchInput struct {
 	Name      *string                  `json:"name,omitempty"`
 	Variables *services.PlaceholderMap `json:"variables,omitempty"`
+	Language  *string                  `json:"language,omitempty"`
 	// projectIDProvided is true when the JSON included the "project_id"
 	// key (regardless of value); needed to distinguish "no change" from
 	// "set to null". Set by the custom UnmarshalJSON below.
 	ProjectID         *uuid.UUID `json:"project_id,omitempty"`
 	projectIDProvided bool
+	// SelectedParties: present-but-empty array resets to "all parties",
+	// present non-empty array restricts to subset, absent = no change.
+	SelectedParties *[]uuid.UUID `json:"selected_parties,omitempty"`
 }
 
 func (g *globalDraftPatchInput) UnmarshalJSON(data []byte) error {
 	type alias struct {
-		Name      *string                  `json:"name,omitempty"`
-		Variables *services.PlaceholderMap `json:"variables,omitempty"`
-		ProjectID *uuid.UUID               `json:"project_id,omitempty"`
+		Name            *string                  `json:"name,omitempty"`
+		Variables       *services.PlaceholderMap `json:"variables,omitempty"`
+		Language        *string                  `json:"language,omitempty"`
+		ProjectID       *uuid.UUID               `json:"project_id,omitempty"`
+		SelectedParties *[]uuid.UUID             `json:"selected_parties,omitempty"`
 	}
 	var a alias
 	if err := json.Unmarshal(data, &a); err != nil {
@@ -689,7 +729,9 @@ func (g *globalDraftPatchInput) UnmarshalJSON(data []byte) error {
 	}
 	g.Name = a.Name
 	g.Variables = a.Variables
+	g.Language = a.Language
 	g.ProjectID = a.ProjectID
+	g.SelectedParties = a.SelectedParties
 	// Detect whether "project_id" was present in the JSON object.
 	var raw map[string]json.RawMessage
 	if err := json.Unmarshal(data, &raw); err != nil {
@@ -726,7 +768,12 @@ func handleGlobalPatchSubmissionDraft(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	patch := services.DraftPatch{Name: in.Name, Variables: in.Variables}
+	patch := services.DraftPatch{
+		Name:            in.Name,
+		Variables:       in.Variables,
+		SelectedParties: in.SelectedParties,
+		Language:        in.Language,
+	}
 	if in.projectIDProvided {
 		pid := in.ProjectID // may be nil → detach
 		patch.ProjectID = &pid
@@ -748,6 +795,48 @@ func handleGlobalPatchSubmissionDraft(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusOK, view)
 }
 
+// handleImportFromProject re-pulls every project-derived variable on
+// the draft and bumps last_imported_at (t-paliad-277). The service-
+// layer call strips overrides for project.* / parties.* / deadline.* /
+// procedural_event.* / rule.* prefixes; firm.* / today.* / user.*
+// overrides survive because those values aren't sourced from the
+// project record.
+//
+// Idempotent on repeat clicks. Returns the full editor view so the
+// frontend can refresh in one round-trip.
+func handleImportFromProject(w http.ResponseWriter, r *http.Request) {
+	if !requireDB(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	draftID, ok := parseUUIDPath(w, r, "draft_id", "draft id")
+	if !ok {
+		return
+	}
+	if dbSvc.submissionDraft == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "submission drafts not configured"})
+		return
+	}
+
+	d, err := dbSvc.submissionDraft.ImportFromProject(r.Context(), uid, draftID)
+	if err != nil {
+		writeSubmissionDraftServiceError(w, err)
+		return
+	}
+	user, _ := dbSvc.users.GetByID(r.Context(), uid)
+	lang := userLang(user)
+	view, err := buildSubmissionDraftView(r.Context(), d, lang)
+	if err != nil {
+		log.Printf("submission_drafts: build view after import (draft=%s): %v", draftID, err)
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "internal error"})
+		return
+	}
+	writeJSON(w, http.StatusOK, view)
+}
+
 // handleGlobalDeleteSubmissionDraft removes a draft by id.
 func handleGlobalDeleteSubmissionDraft(w http.ResponseWriter, r *http.Request) {
 	if !requireDB(w) {
@@ -801,7 +890,7 @@ func handleGlobalExportSubmissionDraft(w http.ResponseWriter, r *http.Request) {
 		writeSubmissionDraftServiceError(w, err)
 		return
 	}
-	tplBytes, tplSHA, err := resolveSubmissionTemplate(ctx, d.SubmissionCode)
+	tplBytes, tplSHA, _, err := resolveSubmissionTemplate(ctx, d.SubmissionCode, d.Language)
 	if err != nil {
 		log.Printf("submission_drafts: export template fetch (draft=%s): %v", draftID, err)
 		writeJSON(w, http.StatusBadGateway, map[string]string{"error": "template upstream unreachable"})
@@ -859,9 +948,10 @@ func serveSubmissionDraftNotFound(w http.ResponseWriter) {
 // per-rule heading.
 func buildSubmissionDraftView(ctx context.Context, d *services.SubmissionDraft, lang string) (*submissionDraftView, error) {
 	view := &submissionDraftView{
-		Draft:       draftToJSON(d),
-		Lang:        lang,
-		HasTemplate: true,
+		Draft:            draftToJSON(d),
+		Lang:             lang,
+		HasTemplate:      true,
+		AvailableParties: []submissionDraftPartyJSON{},
 	}
 
 	merged, resolved, err := dbSvc.submissionDraft.BuildRenderBag(ctx, d)
@@ -873,20 +963,33 @@ func buildSubmissionDraftView(ctx context.Context, d *services.SubmissionDraft,
 	if resolved.Lang != "" {
 		view.Lang = resolved.Lang
 	}
+	if len(resolved.Parties) > 0 {
+		view.AvailableParties = make([]submissionDraftPartyJSON, 0, len(resolved.Parties))
+		for _, p := range resolved.Parties {
+			row := submissionDraftPartyJSON{ID: p.ID, Name: p.Name}
+			if p.Role != nil {
+				row.Role = *p.Role
+			}
+			if p.Representative != nil {
+				row.Representative = *p.Representative
+			}
+			view.AvailableParties = append(view.AvailableParties, row)
+		}
+	}
 	if resolved.Rule != nil {
 		view.Rule = &submissionRuleSummary{
-			Name:                derefStringHandler(resolved.Rule.SubmissionCode),
-			SubmissionCode:      derefStringHandler(resolved.Rule.SubmissionCode),
-			NameEN:              resolved.Rule.NameEN,
-			PrimaryParty:        derefStringHandler(resolved.Rule.PrimaryParty),
-			EventType:           derefStringHandler(resolved.Rule.EventType),
-			LegalSource:         derefStringHandler(resolved.Rule.LegalSource),
+			Name:           derefStringHandler(resolved.Rule.SubmissionCode),
+			SubmissionCode: derefStringHandler(resolved.Rule.SubmissionCode),
+			NameEN:         resolved.Rule.NameEN,
+			PrimaryParty:   derefStringHandler(resolved.Rule.PrimaryParty),
+			EventType:      derefStringHandler(resolved.Rule.EventType),
+			LegalSource:    derefStringHandler(resolved.Rule.LegalSource),
 		}
 		view.Rule.Name = resolved.Rule.Name
 		view.Rule.LegalSourcePretty = merged["rule.legal_source_pretty"]
 	}
 
-	tplBytes, _, err := resolveSubmissionTemplate(ctx, d.SubmissionCode)
+	tplBytes, _, tier, err := resolveSubmissionTemplate(ctx, d.SubmissionCode, d.Language)
 	if err != nil {
 		log.Printf("submission_drafts: template fetch for view (draft=%s): %v", d.ID, err)
 		view.TemplateMissing = true
@@ -894,6 +997,12 @@ func buildSubmissionDraftView(ctx context.Context, d *services.SubmissionDraft,
 		view.PreviewHTML = `<p class="preview-error">Vorlage konnte nicht geladen werden.</p>`
 		return view, nil
 	}
+	view.TemplateTier = string(tier)
+	// LanguageFallback signals "no per-firm template in the requested
+	// language" — the editor surfaces a notice so the lawyer knows the
+	// rendered body lacks code-specific prose. The per-code DE template
+	// counts as a fallback when the requested language is EN.
+	view.LanguageFallback = languageFallback(d.Language, tier)
 	html, err := dbSvc.submissionDraft.RenderPreview(ctx, d, tplBytes)
 	if err != nil {
 		return nil, err
@@ -902,24 +1011,101 @@ func buildSubmissionDraftView(ctx context.Context, d *services.SubmissionDraft,
 	return view, nil
 }
 
+// submissionTemplateTier enumerates which tier of the template
+// fallback chain produced the bytes returned by resolveSubmissionTemplate.
+// Used by the editor to surface "Fallback: universelles Skelett" when
+// the requested (code, lang) didn't have a dedicated template.
+type submissionTemplateTier string
+
+const (
+	tplTierPerCodeLang  submissionTemplateTier = "per_code_lang"  // {firm}/{code}.{lang}.docx
+	tplTierPerCode      submissionTemplateTier = "per_code"       // {firm}/{code}.docx (unsuffixed)
+	tplTierSkeletonLang submissionTemplateTier = "skeleton_lang"  // _skeleton.{lang}.docx
+	tplTierSkeleton     submissionTemplateTier = "skeleton"       // _skeleton.docx
+	tplTierLetterhead   submissionTemplateTier = "letterhead"     // HL Patents Style .dotm
+)
+
 // resolveSubmissionTemplate returns the .docx bytes for the given
-// submission code. Lookup order matches the cronus design fallback chain
-// §8: per-firm template registered in submissionTemplateRegistry first,
-// then the universal HL Patents Style as the global fallback. The
-// returned SHA is the cache entry's commit SHA so the export audit row
-// can record provenance.
-func resolveSubmissionTemplate(ctx context.Context, submissionCode string) ([]byte, string, error) {
-	if data, sha, found, err := fetchSubmissionTemplateBytes(ctx, submissionCode); err != nil {
-		return nil, "", err
-	} else if found {
-		return data, sha, nil
+// (submission_code, language). Merges t-paliad-275 (firm-skeleton tier)
+// and t-paliad-276 (language-selector + EN skeleton tier). Lookup order:
+//
+//  1. per-firm per-(code, lang) template — most specific. e.g.
+//     `de.inf.lg.erwidg.en.docx` for EN drafts. t-paliad-276.
+//  2. per-firm per-code (unsuffixed) template — DE-baked baseline. The
+//     legacy registry shape from before the language selector landed.
+//  3. universal language-matched skeleton — `_skeleton.en.docx` for EN
+//     drafts. Skipped for DE drafts (steps 4+5 already cover DE).
+//  4. firm-formatted skeleton — `_firm-skeleton.docx` (t-paliad-275).
+//     HL paragraph + character styles + letterhead, full placeholder
+//     bag. DE-flavored: counts as language_fallback=true for EN drafts.
+//  5. universal _skeleton.docx — plain DE skeleton, no firm styles.
+//     Backstop when the firm skeleton is unreachable.
+//  6. universal HL Patents Style .dotm — macro-only letterhead, no
+//     placeholders. Last-ditch when every skeleton tier is unreachable.
+//
+// The returned SHA pins the audit row's template provenance. The tier
+// tells the editor whether the result language-matches the request so
+// it can surface a "Fallback: universelles Skelett" notice.
+func resolveSubmissionTemplate(ctx context.Context, submissionCode, lang string) ([]byte, string, submissionTemplateTier, error) {
+	if lang != "de" && lang != "en" {
+		lang = "de"
 	}
+	// 1. per-(code, lang)
+	if data, sha, found, err := fetchSubmissionTemplateBytesForLang(ctx, submissionCode, lang); err != nil {
+		return nil, "", "", err
+	} else if found {
+		return data, sha, tplTierPerCodeLang, nil
+	}
+	// 2. per-code (unsuffixed)
+	if data, sha, found, err := fetchSubmissionTemplateBytes(ctx, submissionCode); err != nil {
+		return nil, "", "", err
+	} else if found {
+		return data, sha, tplTierPerCode, nil
+	}
+	// 3. language-matched skeleton — only meaningful for EN drafts; DE
+	//    drafts fall through to the firm/universal DE skeletons below.
+	if lang == "en" {
+		if data, sha, langMatched, err := fetchSubmissionSkeletonBytesForLang(ctx, lang); err == nil && langMatched {
+			return data, sha, tplTierSkeletonLang, nil
+		}
+	}
+	// 4. firm-formatted skeleton (HL styles, DE prose). For DE drafts
+	//    this is a first-class match; for EN drafts it counts as a
+	//    language fallback (handled by languageFallback()).
+	if data, sha, err := fetchFirmSkeletonBytes(ctx); err == nil {
+		return data, sha, tplTierSkeleton, nil
+	} else {
+		log.Printf("submission_drafts: firm-skeleton fetch failed for code=%s lang=%s, falling back to universal skeleton: %v", submissionCode, lang, err)
+	}
+	// 5. universal plain DE skeleton.
+	if data, sha, err := fetchSubmissionSkeletonBytes(ctx); err == nil {
+		return data, sha, tplTierSkeleton, nil
+	} else {
+		log.Printf("submission_drafts: skeleton fetch failed for code=%s lang=%s, falling back to HL Patents Style: %v", submissionCode, lang, err)
+	}
+	// 6. HL Patents Style letterhead (no placeholders, last-ditch).
 	bytes, err := fetchHLPatentsStyleBytes(ctx)
 	if err != nil {
-		return nil, "", err
+		return nil, "", "", err
 	}
 	sha := hlPatentsStyleSHA()
-	return bytes, sha, nil
+	return bytes, sha, tplTierLetterhead, nil
+}
+
+// languageFallback reports whether the resolved template tier failed
+// to match the requested draft language. For an EN draft, anything
+// other than per_code_lang or skeleton_lang is a fallback (per_code is
+// the legacy DE-baked template, skeleton is the DE skeleton). For a DE
+// draft, only `letterhead` counts as a fallback — the DE skeleton and
+// per-code template are both first-class DE outputs. t-paliad-276.
+func languageFallback(lang string, tier submissionTemplateTier) bool {
+	if tier == tplTierLetterhead {
+		return true
+	}
+	if strings.EqualFold(lang, "en") {
+		return tier != tplTierPerCodeLang && tier != tplTierSkeletonLang
+	}
+	return false
 }
 
 // hlPatentsStyleSHA reads the current cache SHA for the universal
@@ -941,15 +1127,26 @@ func draftToJSON(d *services.SubmissionDraft) submissionDraftJSON {
 	if vars == nil {
 		vars = services.PlaceholderMap{}
 	}
+	selected := d.SelectedParties
+	if selected == nil {
+		selected = []uuid.UUID{}
+	}
+	lang := d.Language
+	if lang == "" {
+		lang = "de"
+	}
 	return submissionDraftJSON{
 		ID:              d.ID,
 		ProjectID:       d.ProjectID,
 		SubmissionCode:  d.SubmissionCode,
 		UserID:          d.UserID,
 		Name:            d.Name,
+		Language:        lang,
 		Variables:       vars,
+		SelectedParties: selected,
 		LastExportedAt:  d.LastExportedAt,
 		LastExportedSHA: d.LastExportedSHA,
+		LastImportedAt:  d.LastImportedAt,
 		CreatedAt:       d.CreatedAt,
 		UpdatedAt:       d.UpdatedAt,
 	}

internal/handlers/submission_template_lang_test.go

@@ -0,0 +1,43 @@
+package handlers
+
+// Regression tests for the template-tier → language-fallback mapping
+// (t-paliad-276). The editor surfaces a "Fallback: universelles
+// Skelett" notice when the requested draft language has no per-firm
+// language-matched template — these tests pin which tier counts as a
+// fallback for each language so the UI signal stays stable.
+
+import "testing"
+
+func TestLanguageFallback(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name string
+		lang string
+		tier submissionTemplateTier
+		want bool
+	}{
+		// DE drafts: every non-letterhead tier is a first-class match.
+		{"de_per_code_lang", "de", tplTierPerCodeLang, false},
+		{"de_per_code", "de", tplTierPerCode, false},
+		{"de_skeleton_lang", "de", tplTierSkeletonLang, false},
+		{"de_skeleton", "de", tplTierSkeleton, false},
+		{"de_letterhead", "de", tplTierLetterhead, true},
+
+		// EN drafts: per_code (DE-baked) and skeleton (DE-baked) both
+		// surface the fallback notice so the lawyer knows the rendered
+		// body lacks EN prose.
+		{"en_per_code_lang", "en", tplTierPerCodeLang, false},
+		{"en_per_code", "en", tplTierPerCode, true},
+		{"en_skeleton_lang", "en", tplTierSkeletonLang, false},
+		{"en_skeleton", "en", tplTierSkeleton, true},
+		{"en_letterhead", "en", tplTierLetterhead, true},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			t.Parallel()
+			if got := languageFallback(c.lang, c.tier); got != c.want {
+				t.Errorf("languageFallback(%q, %q) = %v, want %v", c.lang, c.tier, got, c.want)
+			}
+		})
+	}
+}

internal/handlers/submissions.go

@@ -2,7 +2,8 @@ package handlers
 
 // Submission generator HTTP layer (t-paliad-230 — format-only scope
 // reduction of t-paliad-215; t-paliad-242 broadened the list endpoint
-// to the full cross-proceeding catalog).
+// to the full cross-proceeding catalog; t-paliad-253 promoted /generate
+// from format-only to the same merge engine the draft editor uses).
 //
 // Endpoints:
 //
@@ -15,17 +16,17 @@ package handlers
 //	       editor falls back to the universal HL Patents Style.
 //
 //	POST /api/projects/{id}/submissions/{code}/generate
-//	       Fetches the cached HL Patents Style .dotm (same proxy used
-//	       by /files/hl-patents-style.dotm), converts it to a clean
-//	       .docx via services.ConvertDotmToDocx, writes one
-//	       paliad.system_audit_log row, and streams the result as an
-//	       attachment download.
-//
-// No variable substitution, no per-submission templates, no
-// project_events/documents writes. Those layers are deferred to a
-// future "merge engine" slice; today's generator hands the lawyer a
-// clean .docx of the firm style and lets them edit and save under
-// their own filename.
+//	       Resolves the template through the cronus fallback chain
+//	       (per-firm `submissionTemplateRegistry[code]` first, HL
+//	       Patents Style as the universal fallback), builds a fresh
+//	       variable bag via SubmissionVarsService.Build, and runs the
+//	       SubmissionRenderer merge so every {{placeholder}} resolves
+//	       to project state (or `[KEIN WERT: key]` for empties). Writes
+//	       one paliad.system_audit_log row and streams the .docx as an
+//	       attachment download. The HL Patents Style fallback has no
+//	       placeholders today, so for codes without a per-firm template
+//	       the renderer is a no-op on substitution but still runs the
+//	       .dotm→.docx pre-pass.
 //
 // Visibility: every endpoint runs through ProjectService.GetByID
 // (paliad.can_see_project gate). Unauthorised callers get 404 — same
@@ -265,10 +266,16 @@ func hasPerSubmissionTemplate(submissionCode string) bool {
 	return ok
 }
 
-// handleGenerateProjectSubmission fetches the universal HL Patents
-// Style .dotm, converts it to a clean .docx, writes one audit row, and
-// streams the result. No variable substitution; the bytes that go down
-// the wire are the firm style template with macros stripped.
+// handleGenerateProjectSubmission resolves the per-submission template
+// (per-firm first, HL Patents Style fallback), builds a fresh variable
+// bag from project state via SubmissionVarsService, runs the merge
+// engine so every {{placeholder}} substitutes, writes one audit row,
+// and streams the result. Pre-t-paliad-253 this handler ignored the
+// per-firm registry and returned the bare HL Patents Style .dotm with
+// no substitution — the "Generieren" button on the Schriftsätze tab
+// therefore produced a generic firm-style .docx instead of a
+// project-merged Klageerwiderung, which is what m noticed in
+// m/paliad#84.
 func handleGenerateProjectSubmission(w http.ResponseWriter, r *http.Request) {
 	if !requireDB(w) {
 		return
@@ -277,6 +284,12 @@ func handleGenerateProjectSubmission(w http.ResponseWriter, r *http.Request) {
 	if !ok {
 		return
 	}
+	if dbSvc.submissionDraft == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{
+			"error": "submissions not configured",
+		})
+		return
+	}
 	projectID, err := uuid.Parse(r.PathValue("id"))
 	if err != nil {
 		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid project id"})
@@ -291,60 +304,46 @@ func handleGenerateProjectSubmission(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), submissionRenderTimeout)
 	defer cancel()
 
-	project, err := dbSvc.projects.GetByID(ctx, uid, projectID)
+	// One-shot /generate has no draft row to pull `language` from —
+	// accept `?language=de|en` as an explicit override (t-paliad-276)
+	// and otherwise fall back to the user's UI language.
+	user, _ := dbSvc.users.GetByID(ctx, uid)
+	lang := strings.ToLower(strings.TrimSpace(r.URL.Query().Get("language")))
+	if lang != "de" && lang != "en" {
+		lang = userLang(user)
+	}
+
+	tplBytes, _, _, err := resolveSubmissionTemplate(ctx, submissionCode, lang)
 	if err != nil {
-		writeServiceError(w, err)
+		log.Printf("submissions: template fetch (project=%s code=%s): %v", projectID, submissionCode, err)
+		writeJSON(w, http.StatusBadGateway, map[string]string{"error": "template upstream unreachable"})
 		return
 	}
 
-	rule, err := loadPublishedRuleByCode(ctx, submissionCode)
+	docx, resolved, err := dbSvc.submissionDraft.RenderProjectSubmission(ctx, uid, projectID, submissionCode, lang, tplBytes)
 	if err != nil {
-		if errors.Is(err, errRuleNotFound) {
+		if errors.Is(err, services.ErrSubmissionRuleNotFound) {
 			writeJSON(w, http.StatusNotFound, map[string]string{
 				"error": fmt.Sprintf("no published rule for submission_code %q", submissionCode),
 			})
 			return
 		}
-		log.Printf("submissions: load rule %q: %v", submissionCode, err)
-		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "rule lookup failed"})
+		// ErrNotVisible / project ErrNotFound from the visibility gate
+		// surface through writeServiceError as 404, matching the rest
+		// of the project surfaces.
+		log.Printf("submissions: render (project=%s code=%s): %v", projectID, submissionCode, err)
+		writeServiceError(w, err)
 		return
 	}
 
-	dotm, err := fetchHLPatentsStyleBytes(ctx)
-	if err != nil {
-		log.Printf("submissions: fetch HL Patents Style .dotm: %v", err)
-		writeJSON(w, http.StatusBadGateway, map[string]string{
-			"error": "template upstream unreachable",
-		})
-		return
-	}
-
-	docx, err := services.ConvertDotmToDocx(dotm)
-	if err != nil {
-		log.Printf("submissions: convert dotm for project %s code %s: %v", projectID, submissionCode, err)
-		writeJSON(w, http.StatusInternalServerError, map[string]string{
-			"error": "convert failed",
-		})
-		return
-	}
-
-	user, err := dbSvc.users.GetByID(ctx, uid)
-	if err != nil {
-		log.Printf("submissions: load user %s: %v", uid, err)
-	}
-	lang := "de"
-	if user != nil && user.Lang != "" {
-		lang = user.Lang
-	}
-
-	filename := submissionFileName(rule, project, lang)
+	filename := submissionFileName(resolved.Rule, resolved.Project, resolved.Lang)
 
 	// Audit write is best-effort with a background context so the
 	// download still succeeds if the DB races. Audit failure here only
 	// affects the system_audit_log feed — never the user's response.
 	bgCtx, cancelBG := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancelBG()
-	if err := writeSubmissionAuditRow(bgCtx, user, project.ID, submissionCode, rule.Name, filename); err != nil {
+	if err := writeSubmissionAuditRow(bgCtx, resolved.User, projectID, submissionCode, resolved.Rule.Name, filename); err != nil {
 		log.Printf("submissions: audit insert failed (project=%s code=%s): %v", projectID, submissionCode, err)
 	}
 
@@ -356,41 +355,6 @@ func handleGenerateProjectSubmission(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-// errRuleNotFound is the sentinel for "no published rule with that
-// submission_code" — distinguished from a generic DB error so the
-// handler returns 404 instead of 500.
-var errRuleNotFound = errors.New("submission rule not found")
-
-// loadPublishedRuleByCode fetches the rule the user requested. Only
-// published+active rows resolve; drafts and archived rules never feed
-// a real submission.
-func loadPublishedRuleByCode(ctx context.Context, submissionCode string) (*models.DeadlineRule, error) {
-	if submissionCode == "" {
-		return nil, errRuleNotFound
-	}
-	var rule models.DeadlineRule
-	err := dbSvc.projects.DB().GetContext(ctx, &rule,
-		`SELECT id, proceeding_type_id, parent_id, submission_code, name, name_en,
-		        description, primary_party, event_type, duration_value, duration_unit,
-		        timing, rule_code, deadline_notes, deadline_notes_en, sequence_order,
-		        alt_duration_value, alt_duration_unit, alt_rule_code, anchor_alt,
-		        concept_id, legal_source, is_spawn, spawn_label, is_active,
-		        created_at, updated_at, lifecycle_state
-		   FROM paliad.deadline_rules
-		  WHERE submission_code = $1
-		    AND lifecycle_state = 'published'
-		    AND is_active = true
-		  ORDER BY sequence_order
-		  LIMIT 1`, submissionCode)
-	if err != nil {
-		if strings.Contains(err.Error(), "no rows") {
-			return nil, errRuleNotFound
-		}
-		return nil, err
-	}
-	return &rule, nil
-}
-
 // submissionFileName produces the user-facing download name per
 // design §7: {rule.name}-{project.case_number}-{YYYY-MM-DD}.docx.
 // Empty case_number drops the segment entirely (no fallback hash —

internal/models/models.go

@@ -313,6 +313,14 @@ type Deadline struct {
 	// changes to paliad.deadline_rules and accepts citations from
 	// outside that table.
 	RuleCode        *string    `db:"rule_code"         json:"rule_code,omitempty"`
+	// CustomRuleText holds the lawyer's free-text rule label when the
+	// deadline form is in Custom mode (t-paliad-258 / m/paliad#89).
+	// Mutually exclusive with RuleID at the application layer: the Auto
+	// path sets RuleID and leaves this NULL; the Custom path sets this
+	// and leaves RuleID NULL. Display surfaces prefer the joined
+	// deadline_rules.name when RuleID is set, else fall back to this
+	// text + a "Custom" badge.
+	CustomRuleText  *string    `db:"custom_rule_text"  json:"custom_rule_text,omitempty"`
 	Status          string     `db:"status"            json:"status"`
 	CompletedAt     *time.Time `db:"completed_at"      json:"completed_at,omitempty"`
 	CalDAVUID       *string    `db:"caldav_uid"        json:"caldav_uid,omitempty"`
@@ -674,6 +682,13 @@ type DeadlineRule struct {
 	// NULL while draft, set on publish, retained through archive.
 	// Distinct from UpdatedAt (moves on every edit).
 	PublishedAt *time.Time `db:"published_at" json:"published_at,omitempty"`
+
+	// ChoicesOffered declares which per-event-card choice-kinds this
+	// rule offers on the Verfahrensablauf timeline (mig 129,
+	// t-paliad-265). NULL = no caret affordance (default). See the
+	// COMMENT on paliad.deadline_rules.choices_offered for the value
+	// shape. The engine and the frontend both read this column.
+	ChoicesOffered NullableJSON `db:"choices_offered" json:"choices_offered,omitempty"`
 }
 
 // DeadlineRuleAudit is one row of paliad.deadline_rule_audit — the
@@ -721,6 +736,14 @@ type ProceedingType struct {
 	DefaultColor string  `db:"default_color"  json:"default_color"`
 	SortOrder    int     `db:"sort_order"     json:"sort_order"`
 	IsActive     bool    `db:"is_active"      json:"is_active"`
+	// TriggerEventLabel{DE,EN}: optional caption for /tools/verfahrensablauf
+	// "Auslösendes Ereignis". When set, overrides the proceedingName fallback
+	// that fires when no rule has IsRootEvent=true. Populated for UPC Appeal
+	// (mig 121) so the caption reads "Anfechtbare Entscheidung" /
+	// "Appealable Decision" instead of "Berufungsverfahren" / "Appeal".
+	// NULL on most proceedings — they already carry a root rule.
+	TriggerEventLabelDE *string `db:"trigger_event_label_de" json:"trigger_event_label_de,omitempty"`
+	TriggerEventLabelEN *string `db:"trigger_event_label_en" json:"trigger_event_label_en,omitempty"`
 }
 
 // TriggerEvent is a UPC procedural event that can start one or more deadlines
@@ -930,3 +953,24 @@ type ApprovalRequest struct {
 	CreatedAt         time.Time  `db:"created_at"          json:"created_at"`
 	UpdatedAt         time.Time  `db:"updated_at"          json:"updated_at"`
 }
+
+// ProjectEventChoice is one per-event-card pick scoped to a project
+// (t-paliad-265 / m/paliad#96). The join key SubmissionCode matches
+// paliad.deadline_rules.submission_code — the same identifier the
+// AnchorOverrides plumbing in fristenrechner.go already uses.
+//
+// ChoiceKind ∈ {appellant, include_ccr, skip}. ChoiceValue namespace
+// per kind: appellant=claimant|defendant|both|none; include_ccr=true|false;
+// skip=true|false. UNIQUE(project_id, submission_code, choice_kind)
+// makes re-picks idempotent (Upsert path).
+type ProjectEventChoice struct {
+	ID             uuid.UUID  `db:"id"              json:"id"`
+	ProjectID      uuid.UUID  `db:"project_id"      json:"project_id"`
+	SubmissionCode string     `db:"submission_code" json:"submission_code"`
+	ChoiceKind     string     `db:"choice_kind"     json:"choice_kind"`
+	ChoiceValue    string     `db:"choice_value"    json:"choice_value"`
+	CreatedBy      *uuid.UUID `db:"created_by"      json:"created_by,omitempty"`
+	CreatedAt      time.Time  `db:"created_at"      json:"created_at"`
+	UpdatedBy      *uuid.UUID `db:"updated_by"      json:"updated_by,omitempty"`
+	UpdatedAt      time.Time  `db:"updated_at"      json:"updated_at"`
+}

internal/services/approval_service.go

@@ -41,6 +41,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"maps"
 	"strings"
 	"time"
 
@@ -364,6 +365,135 @@ func (s *ApprovalService) Revoke(ctx context.Context, requestID, callerID uuid.U
 	return s.decide(ctx, requestID, callerID, RequestStatusRevoked, "")
 }
 
+// EditPendingEntity lets the REQUESTER of a pending approval_request revise
+// the in-flight entity (e.g. tweak the title or due_date on a pending
+// create) without withdrawing the request. t-paliad-252 / m/paliad#83 added
+// this as the non-destructive sibling of Revoke — m's mental model is
+// "withdraw deletes the event; let me edit the event instead, keep the
+// approval request alive".
+//
+// Authorization: caller MUST be the original requested_by (no approver can
+// edit on the requester's behalf — that would collapse into SuggestChanges).
+// Request status MUST be pending.
+//
+// Allowlist: uses the WIDER counter-allowlist already maintained for
+// SuggestChanges (buildCounterSetClauses) — every editable field on the
+// entity, not just the date-bearing approval triggers. Unknown keys are
+// silently dropped. Returns ErrSuggestionRequiresChange when fields carries
+// no allowlisted key for the entity_type (would be a no-op write).
+//
+// Side effects in one tx: entity columns updated (and event_type_ids junction
+// rewritten for deadlines), approval_request.payload merged with the new
+// values so the approver sees what was revised, and a distinct
+// `<entity>_approval_edited_by_requester` project_event emitted so the
+// Verlauf shows the revision separately from the original *_requested row.
+//
+// The approval_request stays pending; entity.approval_status stays pending.
+// The approver inbox sees a fresh updated_at + the merged payload.
+func (s *ApprovalService) EditPendingEntity(ctx context.Context, requestID, callerID uuid.UUID, fields map[string]any) error {
+	tx, err := s.db.BeginTxx(ctx, nil)
+	if err != nil {
+		return fmt.Errorf("begin tx: %w", err)
+	}
+	defer tx.Rollback() //nolint:errcheck
+
+	req, err := s.getRequestForUpdate(ctx, tx, requestID)
+	if err != nil {
+		return err
+	}
+	if req.Status != RequestStatusPending {
+		return fmt.Errorf("%w: status=%s", ErrRequestNotPending, req.Status)
+	}
+	if callerID != req.RequestedBy {
+		return ErrNotApprover
+	}
+
+	// Validate the counter-allowlist intersect produces at least one
+	// settable column. applyEntityUpdate also wraps this check; pre-checking
+	// here lets us emit a cleaner error before opening the entity-write.
+	if _, _, err := buildCounterSetClauses(req.EntityType, fields); err != nil {
+		// Already wraps ErrSuggestionRequiresChange for empty / title-cleared
+		// cases. Propagate verbatim.
+		return err
+	}
+
+	// Apply the field updates to the entity row via the shared
+	// counter-allowlist path (same as SuggestChanges).
+	if err := s.applyEntityUpdate(ctx, tx, req.EntityType, req.EntityID, fields); err != nil {
+		return err
+	}
+
+	// Merge new fields into the request payload so the approver's inbox
+	// reflects what the requester revised to. Keys overwrite; event_type_ids
+	// is replaced wholesale per the same semantics applyEntityUpdate uses
+	// for the junction rewrite.
+	var existing map[string]any
+	if len(req.Payload) > 0 {
+		if err := json.Unmarshal(req.Payload, &existing); err != nil {
+			return fmt.Errorf("unmarshal payload: %w", err)
+		}
+	}
+	if existing == nil {
+		existing = map[string]any{}
+	}
+	maps.Copy(existing, fields)
+	merged, err := json.Marshal(existing)
+	if err != nil {
+		return fmt.Errorf("marshal merged payload: %w", err)
+	}
+	now := time.Now().UTC()
+	if _, err := tx.ExecContext(ctx,
+		`UPDATE paliad.approval_requests
+		   SET payload = $1, updated_at = $2
+		 WHERE id = $3`,
+		merged, now, requestID); err != nil {
+		return fmt.Errorf("update payload: %w", err)
+	}
+
+	// Audit emit. Distinct event_type so the Verlauf surfaces the revision
+	// separately from the original *_requested or any decision row.
+	verlaufKind := "edited_by_requester"
+	eventType := approvalEventType(req.EntityType, verlaufKind)
+	descPtr := approvalDescription(verlaufKind, req.RequiredRole, req.LifecycleEvent)
+	editedKeys := sortedKeys(fields)
+	meta := map[string]any{
+		"approval_request_id":  req.ID.String(),
+		"lifecycle_event":      req.LifecycleEvent,
+		req.EntityType + "_id": req.EntityID.String(),
+		"edited_fields":        editedKeys,
+	}
+	if err := insertProjectEventWithMeta(ctx, tx, req.ProjectID, callerID, eventType, eventType, descPtr, meta); err != nil {
+		return err
+	}
+	return tx.Commit()
+}
+
+// sortedKeys returns m's keys in stable alphabetical order so the audit-log
+// metadata is byte-for-byte stable across calls (helps when diffing audit
+// logs or asserting on them in tests).
+func sortedKeys(m map[string]any) []string {
+	out := make([]string, 0, len(m))
+	for k := range m {
+		out = append(out, k)
+	}
+	// Use the stdlib sort; the slice is small (≤ counter-allowlist size).
+	sortStrings(out)
+	return out
+}
+
+// sortStrings: indirection so we don't add a new top-level import group.
+// In Go 1.21+ slices.Sort exists; this package is currently importing
+// strings + standard libs and adding "sort" would re-fan the imports.
+// Kept as a one-line wrapper to localise the dependency if a later move
+// to slices.Sort feels right.
+func sortStrings(s []string) {
+	for i := 1; i < len(s); i++ {
+		for j := i; j > 0 && s[j-1] > s[j]; j-- {
+			s[j-1], s[j] = s[j], s[j-1]
+		}
+	}
+}
+
 // SuggestChanges is the fourth approval action (t-paliad-216). The caller
 // proposes a counter-payload + optional free-text note; in one transaction
 // we close the old request as 'changes_requested', revert the entity from
@@ -1477,6 +1607,95 @@ func (s *ApprovalService) PendingCountForUser(ctx context.Context, callerID uuid
 	return n, nil
 }
 
+// UnseenInboxCountForUser returns the unified inbox badge count
+// (t-paliad-249, Slice A):
+//
+//   - pending approval_requests where the caller is qualified to
+//     approve (same predicate as PendingCountForUser); these count
+//     regardless of users.inbox_seen_at — pending approvals never
+//     fall behind the cursor.
+//   - project_events with event_type ∈ InboxProjectEventKinds whose
+//     created_at > users.inbox_seen_at (NULL cursor → every row is
+//     unseen) on visible projects, EXCLUDING the caller's own events
+//     (you don't get notified about your own actions) and excluding
+//     the `*_approval_*` audit duplicates of approval_request rows.
+//
+// One round-trip; UNION ALL across two SELECTs so the two halves can
+// use their own indexes.
+func (s *ApprovalService) UnseenInboxCountForUser(ctx context.Context, callerID uuid.UUID) (int, error) {
+	inboxKinds := InboxProjectEventKinds
+	q := `SELECT COALESCE(SUM(c), 0) FROM (
+	    SELECT COUNT(*) AS c
+	      FROM paliad.approval_requests ar
+	      JOIN paliad.projects p ON p.id = ar.project_id
+	     WHERE ar.status = 'pending'
+	       AND ar.requested_by <> $1
+	       AND ` + approvalEligibilitySQL + `
+	    UNION ALL
+	    SELECT COUNT(*) AS c
+	      FROM paliad.project_events pe
+	      JOIN paliad.projects p ON p.id = pe.project_id
+	      LEFT JOIN paliad.users  u ON u.id = $1
+	     WHERE pe.event_type = ANY($2)
+	       AND (pe.created_by IS DISTINCT FROM $1)
+	       AND (u.inbox_seen_at IS NULL OR pe.created_at > u.inbox_seen_at)
+	       AND ` + visibilityPredicatePositional("p", 1) + `
+	) sub`
+	var n int
+	if err := s.db.GetContext(ctx, &n, q, callerID, pq.Array(inboxKinds)); err != nil {
+		return 0, fmt.Errorf("unseen inbox count: %w", err)
+	}
+	return n, nil
+}
+
+// MarkInboxSeen advances the caller's inbox read cursor.
+// If `upTo` is zero, advances to now(); otherwise advances to upTo
+// (used by the client to pin to the newest visible row so a stray
+// second tab doesn't lose items between the read and the click).
+//
+// The cursor only moves forward — calls with upTo < current are
+// no-ops so a stale tab can't rewind.
+func (s *ApprovalService) MarkInboxSeen(ctx context.Context, callerID uuid.UUID, upTo time.Time) error {
+	var (
+		q    string
+		args []any
+	)
+	if upTo.IsZero() {
+		q = `UPDATE paliad.users
+		        SET inbox_seen_at = now()
+		      WHERE id = $1
+		        AND (inbox_seen_at IS NULL OR inbox_seen_at < now())`
+		args = []any{callerID}
+	} else {
+		q = `UPDATE paliad.users
+		        SET inbox_seen_at = $2
+		      WHERE id = $1
+		        AND (inbox_seen_at IS NULL OR inbox_seen_at < $2)`
+		args = []any{callerID, upTo.UTC()}
+	}
+	if _, err := s.db.ExecContext(ctx, q, args...); err != nil {
+		return fmt.Errorf("mark inbox seen: %w", err)
+	}
+	return nil
+}
+
+// InboxSeenAt returns the caller's current inbox read cursor, or nil
+// if the user has never marked the inbox as seen. Used by the inbox
+// run path to overlay the unread_only predicate (t-paliad-249, §3 of
+// the design doc).
+func (s *ApprovalService) InboxSeenAt(ctx context.Context, callerID uuid.UUID) (*time.Time, error) {
+	var t sql.NullTime
+	q := `SELECT inbox_seen_at FROM paliad.users WHERE id = $1`
+	if err := s.db.GetContext(ctx, &t, q, callerID); err != nil {
+		return nil, fmt.Errorf("inbox seen lookup: %w", err)
+	}
+	if !t.Valid {
+		return nil, nil
+	}
+	v := t.Time
+	return &v, nil
+}
+
 // ============================================================================
 // Policy CRUD — paliad.approval_policies (t-paliad-138 + t-paliad-154).
 //

internal/services/backup_service.go

@@ -0,0 +1,555 @@
+package services
+
+// Backup Mode runtime (t-paliad-246 / m/paliad#77 Slice A).
+//
+// One file because all four pieces are tightly coupled:
+//
+//   - ArtifactStore interface + LocalDiskStore implementation
+//     (storage abstraction; m picked local disk for v1, the interface
+//     stays so a future swap to Supabase Storage is one impl away).
+//
+//   - BackupRunner — the orchestration the on-demand handler and the
+//     (Slice B) scheduler share. Wraps the export pipeline:
+//        1. INSERT paliad.backups (status='running')
+//        2. INSERT paliad.system_audit_log (event_type='backup_created')
+//        3. ExportService.WriteOrg → in-memory buffer
+//        4. ArtifactStore.Put → file
+//        5. UPDATE paliad.backups (status='done', storage_uri, …)
+//        6. PATCH paliad.system_audit_log metadata
+//
+// Design: docs/design-backup-mode-2026-05-25.md.
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+)
+
+// ---------------------------------------------------------------------------
+// ArtifactStore interface + LocalDiskStore impl
+// ---------------------------------------------------------------------------
+
+// ArtifactStore persists the bytes of a backup artifact. The interface
+// is deliberately small so Slice B can drop in a SupabaseStorageStore
+// (or any object-store implementation) without changing the runner.
+//
+// URIs returned by Put are opaque to callers — they round-trip through
+// Get/Delete. v1's LocalDiskStore uses `file://<absolute-path>`.
+type ArtifactStore interface {
+	// Put writes the given body to the store under the given key and
+	// returns the URI for later retrieval. Implementations must overwrite
+	// an existing object at the same key (catalog rows make keys unique
+	// in practice, but the contract is overwrite-on-conflict to keep
+	// retries idempotent).
+	Put(ctx context.Context, key string, body []byte) (uri string, err error)
+	// Get streams the artifact bytes at the given URI.
+	Get(ctx context.Context, uri string) (rc io.ReadCloser, size int64, err error)
+	// Delete removes the artifact at the given URI. Returns nil if the
+	// artifact is already absent (idempotent).
+	Delete(ctx context.Context, uri string) error
+}
+
+// LocalDiskStore is the v1 ArtifactStore — writes artifacts to a local
+// directory specified at construction time. Mode 0700 on the directory
+// + 0600 on artifact files keeps the files private to the paliad
+// process owner on the Dokploy host.
+type LocalDiskStore struct {
+	dir string
+}
+
+// NewLocalDiskStore creates a LocalDiskStore rooted at dir. Creates the
+// directory (0700) if it doesn't exist. Returns an error if dir is
+// empty or the mkdir fails.
+func NewLocalDiskStore(dir string) (*LocalDiskStore, error) {
+	if strings.TrimSpace(dir) == "" {
+		return nil, errors.New("LocalDiskStore: empty directory")
+	}
+	if err := os.MkdirAll(dir, 0o700); err != nil {
+		return nil, fmt.Errorf("LocalDiskStore mkdir %q: %w", dir, err)
+	}
+	abs, err := filepath.Abs(dir)
+	if err != nil {
+		return nil, fmt.Errorf("LocalDiskStore abs %q: %w", dir, err)
+	}
+	return &LocalDiskStore{dir: abs}, nil
+}
+
+// Put writes body to <dir>/<key>. Returns a file:// URI.
+func (s *LocalDiskStore) Put(_ context.Context, key string, body []byte) (string, error) {
+	if err := validateKey(key); err != nil {
+		return "", err
+	}
+	full := filepath.Join(s.dir, key)
+	if err := os.WriteFile(full, body, 0o600); err != nil {
+		return "", fmt.Errorf("LocalDiskStore write %q: %w", full, err)
+	}
+	return "file://" + full, nil
+}
+
+// Get opens the file referenced by uri. Returns a *os.File (io.ReadCloser)
+// + the file's size in bytes.
+func (s *LocalDiskStore) Get(_ context.Context, uri string) (io.ReadCloser, int64, error) {
+	path, err := s.pathFromURI(uri)
+	if err != nil {
+		return nil, 0, err
+	}
+	info, err := os.Stat(path)
+	if err != nil {
+		return nil, 0, fmt.Errorf("LocalDiskStore stat %q: %w", path, err)
+	}
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, 0, fmt.Errorf("LocalDiskStore open %q: %w", path, err)
+	}
+	return f, info.Size(), nil
+}
+
+// Delete removes the file referenced by uri. Idempotent — missing file
+// is treated as success.
+func (s *LocalDiskStore) Delete(_ context.Context, uri string) error {
+	path, err := s.pathFromURI(uri)
+	if err != nil {
+		return err
+	}
+	if err := os.Remove(path); err != nil && !errors.Is(err, os.ErrNotExist) {
+		return fmt.Errorf("LocalDiskStore remove %q: %w", path, err)
+	}
+	return nil
+}
+
+// pathFromURI parses a file:// URI and validates that the resolved
+// path is inside this store's directory. Defense-in-depth against a
+// malformed catalog row pointing at an arbitrary file.
+func (s *LocalDiskStore) pathFromURI(uri string) (string, error) {
+	u, err := url.Parse(uri)
+	if err != nil {
+		return "", fmt.Errorf("LocalDiskStore parse uri %q: %w", uri, err)
+	}
+	if u.Scheme != "file" {
+		return "", fmt.Errorf("LocalDiskStore: unsupported uri scheme %q (want file://)", u.Scheme)
+	}
+	// url.Parse drops the leading "/" for file:// URIs into u.Path.
+	path := u.Path
+	if u.Host != "" {
+		// "file://host/path" — we don't issue these. Reject.
+		return "", fmt.Errorf("LocalDiskStore: file:// uri with host is unsupported (%q)", uri)
+	}
+	clean := filepath.Clean(path)
+	rel, err := filepath.Rel(s.dir, clean)
+	if err != nil || strings.HasPrefix(rel, "..") {
+		return "", fmt.Errorf("LocalDiskStore: uri %q resolves outside store dir %q", uri, s.dir)
+	}
+	return clean, nil
+}
+
+// validateKey rejects keys that would escape the store dir (path
+// separators, "..", absolute paths). Backup runner uses
+// "<uuid>.zip" so this is a defensive guard.
+func validateKey(key string) error {
+	if key == "" {
+		return errors.New("ArtifactStore: empty key")
+	}
+	if strings.ContainsAny(key, "/\\") {
+		return fmt.Errorf("ArtifactStore: key %q contains path separator", key)
+	}
+	if strings.Contains(key, "..") {
+		return fmt.Errorf("ArtifactStore: key %q contains traversal", key)
+	}
+	if filepath.IsAbs(key) {
+		return fmt.Errorf("ArtifactStore: key %q is absolute", key)
+	}
+	return nil
+}
+
+// ---------------------------------------------------------------------------
+// BackupRunner
+// ---------------------------------------------------------------------------
+
+// BackupKind discriminates a scheduled run from an on-demand one.
+const (
+	BackupKindOnDemand  = "on_demand"
+	BackupKindScheduled = "scheduled"
+)
+
+// BackupStatus values mirror the paliad.backups status check constraint.
+const (
+	BackupStatusRunning = "running"
+	BackupStatusDone    = "done"
+	BackupStatusFailed  = "failed"
+)
+
+// SystemActorEmail is the sentinel actor_email written for scheduled
+// backups (kind='scheduled'). Matches design §3.4 — we don't seed a
+// phantom user, we just stamp the audit row with a stable sentinel.
+const SystemActorEmail = "system@paliad"
+
+// BackupActor identifies who requested a backup. For kind='scheduled'
+// pass (nil, SystemActorEmail, "Paliad Backup System"). For on-demand
+// pass the calling admin's id/email/display_name.
+type BackupActor struct {
+	ID    *uuid.UUID
+	Email string
+	Label string
+}
+
+// BackupResult is what Run returns to the caller. Empty on failure
+// (the error gets the failure detail; the catalog/audit rows are
+// already updated).
+type BackupResult struct {
+	ID         uuid.UUID
+	AuditID    uuid.UUID
+	StorageURI string
+	SizeBytes  int64
+	RowCounts  map[string]int
+	SheetCount int
+}
+
+// BackupRunner orchestrates one backup run. Stateless except for the
+// wired dependencies; safe to share across goroutines (the handler
+// holds one instance; the Slice B scheduler will hold the same one).
+type BackupRunner struct {
+	db     *sqlx.DB
+	export *ExportService
+	store  ArtifactStore
+}
+
+// NewBackupRunner wires the runner. All three deps are required; the
+// caller (cmd/server/main.go) is responsible for instantiating the
+// ArtifactStore from env config.
+func NewBackupRunner(db *sqlx.DB, export *ExportService, store ArtifactStore) *BackupRunner {
+	return &BackupRunner{db: db, export: export, store: store}
+}
+
+// Store returns the configured store. Exposed for the download handler
+// to stream artifacts via Get.
+func (r *BackupRunner) Store() ArtifactStore { return r.store }
+
+// Run performs one backup. Writes catalog + audit rows, generates the
+// bundle via ExportService.WriteOrg, uploads to the configured store,
+// patches catalog + audit on success/failure.
+//
+// On any error after the catalog/audit rows are written, the rows are
+// patched to status='failed' / event_type='backup_failed' before
+// returning. The returned error is always the export/upload failure —
+// catalog-update failures during the failure-recovery path are best-
+// effort logged but not surfaced (the real error is the one to bubble).
+func (r *BackupRunner) Run(ctx context.Context, kind string, actor BackupActor) (BackupResult, error) {
+	if kind != BackupKindOnDemand && kind != BackupKindScheduled {
+		return BackupResult{}, fmt.Errorf("BackupRunner.Run: invalid kind %q", kind)
+	}
+	if actor.Email == "" {
+		return BackupResult{}, errors.New("BackupRunner.Run: empty actor email")
+	}
+
+	now := time.Now().UTC()
+	spec := ExportSpec{
+		Scope:       ExportScopeOrg,
+		ActorID:     uuid.Nil, // overwritten below when actor.ID != nil
+		ActorEmail:  actor.Email,
+		ActorLabel:  actor.Label,
+		GeneratedAt: now,
+	}
+	if actor.ID != nil {
+		spec.ActorID = *actor.ID
+	}
+
+	// Step 1+2: catalog row (status='running') + audit row
+	// (event_type='backup_created'). Both happen before the export
+	// generation so failure paths can always find them.
+	catalogID, err := r.insertCatalogRow(ctx, kind, actor, uuid.Nil, now)
+	if err != nil {
+		return BackupResult{}, fmt.Errorf("backup catalog insert: %w", err)
+	}
+	auditID, err := r.insertAuditRow(ctx, kind, actor, catalogID, now)
+	if err != nil {
+		// Best-effort patch on the catalog row so it doesn't sit
+		// "running" forever.
+		r.patchCatalogRowFailed(context.Background(), catalogID, fmt.Errorf("audit insert: %w", err))
+		return BackupResult{}, fmt.Errorf("backup audit insert: %w", err)
+	}
+	// Back-link the audit id into the catalog row so the UI can JOIN.
+	if err := r.linkAuditID(ctx, catalogID, auditID); err != nil {
+		// Non-fatal — the link is for UI convenience, not correctness.
+		// The error is logged via the patch path; we keep going.
+	}
+
+	// Step 3: generate the bundle into an in-memory buffer. We materialise
+	// fully before uploading so a partial upload doesn't strand bytes in
+	// the store under a "done" catalog row.
+	var buf bytes.Buffer
+	meta, err := r.export.WriteOrg(ctx, &buf, spec)
+	if err != nil {
+		r.failRun(context.Background(), catalogID, auditID, fmt.Errorf("generate: %w", err))
+		return BackupResult{}, fmt.Errorf("backup generate: %w", err)
+	}
+
+	// Step 4: upload to storage. Key = "<catalog_id>.zip".
+	key := catalogID.String() + ".zip"
+	uri, err := r.store.Put(ctx, key, buf.Bytes())
+	if err != nil {
+		r.failRun(context.Background(), catalogID, auditID, fmt.Errorf("upload: %w", err))
+		return BackupResult{}, fmt.Errorf("backup upload: %w", err)
+	}
+
+	// Step 5+6: patch catalog + audit on success.
+	size := int64(buf.Len())
+	sheetCount := len(meta.RowCounts)
+	if err := r.patchCatalogRowDone(ctx, catalogID, uri, size, sheetCount, meta); err != nil {
+		// At this point the artifact is on disk, the audit row was
+		// inserted, and the only thing that failed is the catalog
+		// flip. Surface as an error so the handler can log; the
+		// artifact is recoverable manually via the audit metadata.
+		return BackupResult{}, fmt.Errorf("backup catalog patch: %w", err)
+	}
+	if err := r.patchAuditRowDone(ctx, auditID, uri, size, sheetCount, meta); err != nil {
+		// Non-fatal — the catalog row is already authoritative; the
+		// audit row is the audit-trail twin. Log via the caller.
+	}
+
+	return BackupResult{
+		ID:         catalogID,
+		AuditID:    auditID,
+		StorageURI: uri,
+		SizeBytes:  size,
+		RowCounts:  meta.RowCounts,
+		SheetCount: sheetCount,
+	}, nil
+}
+
+// RecordDownload writes a paliad.system_audit_log row of
+// event_type='backup_downloaded' when an admin downloads a backup
+// via /api/admin/backups/{id}/file. Separate row per click — the
+// existing 'backup_created' row stays untouched.
+func (r *BackupRunner) RecordDownload(ctx context.Context, backupID uuid.UUID, by BackupActor) error {
+	if by.Email == "" {
+		return errors.New("BackupRunner.RecordDownload: empty actor email")
+	}
+	meta, _ := json.Marshal(map[string]any{
+		"backup_id":            backupID.String(),
+		"downloaded_by_email":  by.Email,
+		"downloaded_at":        time.Now().UTC().Format(time.RFC3339),
+	})
+	var actorID any
+	if by.ID != nil {
+		actorID = *by.ID
+	}
+	_, err := r.db.ExecContext(ctx,
+		`INSERT INTO paliad.system_audit_log
+		      (event_type, actor_id, actor_email, scope, scope_root, metadata)
+		 VALUES ('backup_downloaded', $1, $2, 'org', NULL, $3::jsonb)`,
+		actorID, by.Email, string(meta),
+	)
+	if err != nil {
+		return fmt.Errorf("backup_downloaded audit insert: %w", err)
+	}
+	return nil
+}
+
+// ---------------------------------------------------------------------------
+// Catalog read helpers (List + Get for the admin UI)
+// ---------------------------------------------------------------------------
+
+// BackupSummary is the row shape returned by ListBackups + GetBackup —
+// shaped for the /admin/backups UI. Nullable columns are pointers.
+type BackupSummary struct {
+	ID                uuid.UUID  `db:"id" json:"id"`
+	Kind              string     `db:"kind" json:"kind"`
+	Status            string     `db:"status" json:"status"`
+	RequestedBy       *uuid.UUID `db:"requested_by" json:"requested_by,omitempty"`
+	RequestedByEmail  string     `db:"requested_by_email" json:"requested_by_email"`
+	AuditID           *uuid.UUID `db:"audit_id" json:"audit_id,omitempty"`
+	StorageURI        *string    `db:"storage_uri" json:"storage_uri,omitempty"`
+	SizeBytes         *int64     `db:"size_bytes" json:"size_bytes,omitempty"`
+	RowCounts         []byte     `db:"row_counts" json:"row_counts,omitempty"`
+	SheetCount        *int       `db:"sheet_count" json:"sheet_count,omitempty"`
+	Warnings          []byte     `db:"warnings" json:"warnings,omitempty"`
+	Error             *string    `db:"error" json:"error,omitempty"`
+	StartedAt         time.Time  `db:"started_at" json:"started_at"`
+	FinishedAt        *time.Time `db:"finished_at" json:"finished_at,omitempty"`
+	DeletedAt         *time.Time `db:"deleted_at" json:"deleted_at,omitempty"`
+}
+
+// ListBackups returns the most recent backups (highest started_at first),
+// capped at limit. limit <= 0 means default (100).
+func (r *BackupRunner) ListBackups(ctx context.Context, limit int) ([]BackupSummary, error) {
+	if limit <= 0 {
+		limit = 100
+	}
+	var rows []BackupSummary
+	err := r.db.SelectContext(ctx, &rows,
+		`SELECT id, kind, status, requested_by, requested_by_email, audit_id,
+		         storage_uri, size_bytes, row_counts, sheet_count, warnings,
+		         error, started_at, finished_at, deleted_at
+		    FROM paliad.backups
+		ORDER BY started_at DESC
+		   LIMIT $1`,
+		limit,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("list backups: %w", err)
+	}
+	return rows, nil
+}
+
+// GetBackup fetches one backup by id. Returns sql.ErrNoRows when not
+// found (caller maps to 404).
+func (r *BackupRunner) GetBackup(ctx context.Context, id uuid.UUID) (BackupSummary, error) {
+	var row BackupSummary
+	err := r.db.GetContext(ctx, &row,
+		`SELECT id, kind, status, requested_by, requested_by_email, audit_id,
+		         storage_uri, size_bytes, row_counts, sheet_count, warnings,
+		         error, started_at, finished_at, deleted_at
+		    FROM paliad.backups
+		   WHERE id = $1`,
+		id,
+	)
+	if err != nil {
+		return BackupSummary{}, err
+	}
+	return row, nil
+}
+
+// ---------------------------------------------------------------------------
+// Catalog + audit SQL helpers (private — used by Run + RecordDownload).
+// ---------------------------------------------------------------------------
+
+func (r *BackupRunner) insertCatalogRow(ctx context.Context, kind string, actor BackupActor, auditID uuid.UUID, now time.Time) (uuid.UUID, error) {
+	var actorID any
+	if actor.ID != nil {
+		actorID = *actor.ID
+	}
+	var auditArg any
+	if auditID != uuid.Nil {
+		auditArg = auditID
+	}
+	var id uuid.UUID
+	err := r.db.QueryRowxContext(ctx,
+		`INSERT INTO paliad.backups
+		      (kind, status, requested_by, requested_by_email, audit_id, started_at)
+		 VALUES ($1, 'running', $2, $3, $4, $5)
+		 RETURNING id`,
+		kind, actorID, actor.Email, auditArg, now,
+	).Scan(&id)
+	if err != nil {
+		return uuid.Nil, err
+	}
+	return id, nil
+}
+
+func (r *BackupRunner) insertAuditRow(ctx context.Context, kind string, actor BackupActor, catalogID uuid.UUID, now time.Time) (uuid.UUID, error) {
+	meta, _ := json.Marshal(map[string]any{
+		"kind":                  kind,
+		"catalog_id":            catalogID.String(),
+		"requested_by_email":    actor.Email,
+		"requested_at":          now.Format(time.RFC3339),
+	})
+	var actorID any
+	if actor.ID != nil {
+		actorID = *actor.ID
+	}
+	var id uuid.UUID
+	err := r.db.QueryRowxContext(ctx,
+		`INSERT INTO paliad.system_audit_log
+		      (event_type, actor_id, actor_email, scope, scope_root, metadata)
+		 VALUES ('backup_created', $1, $2, 'org', NULL, $3::jsonb)
+		 RETURNING id`,
+		actorID, actor.Email, string(meta),
+	).Scan(&id)
+	if err != nil {
+		return uuid.Nil, err
+	}
+	return id, nil
+}
+
+func (r *BackupRunner) linkAuditID(ctx context.Context, catalogID, auditID uuid.UUID) error {
+	_, err := r.db.ExecContext(ctx,
+		`UPDATE paliad.backups SET audit_id = $2 WHERE id = $1`,
+		catalogID, auditID,
+	)
+	return err
+}
+
+func (r *BackupRunner) patchCatalogRowDone(ctx context.Context, id uuid.UUID, uri string, size int64, sheetCount int, meta ExportMeta) error {
+	rcJSON, _ := json.Marshal(meta.RowCounts)
+	warnJSON, _ := json.Marshal(meta.Warnings)
+	if meta.Warnings == nil {
+		warnJSON = []byte("[]")
+	}
+	_, err := r.db.ExecContext(ctx,
+		`UPDATE paliad.backups
+		    SET status      = 'done',
+		        storage_uri = $2,
+		        size_bytes  = $3,
+		        sheet_count = $4,
+		        row_counts  = $5::jsonb,
+		        warnings    = $6::jsonb,
+		        finished_at = now()
+		  WHERE id = $1`,
+		id, uri, size, sheetCount, string(rcJSON), string(warnJSON),
+	)
+	return err
+}
+
+func (r *BackupRunner) patchCatalogRowFailed(ctx context.Context, id uuid.UUID, runErr error) {
+	_, _ = r.db.ExecContext(ctx,
+		`UPDATE paliad.backups
+		    SET status      = 'failed',
+		        error       = $2,
+		        finished_at = now()
+		  WHERE id = $1`,
+		id, runErr.Error(),
+	)
+}
+
+func (r *BackupRunner) patchAuditRowDone(ctx context.Context, id uuid.UUID, uri string, size int64, sheetCount int, meta ExportMeta) error {
+	payload, _ := json.Marshal(map[string]any{
+		"row_counts":      meta.RowCounts,
+		"file_size_bytes": size,
+		"sheet_count":     sheetCount,
+		"storage_uri":     uri,
+		"warnings":        meta.Warnings,
+		"completed_at":    time.Now().UTC().Format(time.RFC3339),
+	})
+	_, err := r.db.ExecContext(ctx,
+		`UPDATE paliad.system_audit_log
+		    SET metadata = metadata || $2::jsonb,
+		        updated_at = now()
+		  WHERE id = $1`,
+		id, string(payload),
+	)
+	return err
+}
+
+func (r *BackupRunner) patchAuditRowFailed(ctx context.Context, id uuid.UUID, runErr error) {
+	payload, _ := json.Marshal(map[string]any{
+		"error":     runErr.Error(),
+		"failed_at": time.Now().UTC().Format(time.RFC3339),
+	})
+	_, _ = r.db.ExecContext(ctx,
+		`UPDATE paliad.system_audit_log
+		    SET event_type = 'backup_failed',
+		        metadata = metadata || $2::jsonb,
+		        updated_at = now()
+		  WHERE id = $1`,
+		id, string(payload),
+	)
+}
+
+// failRun is the shared failure-recovery path: patch the catalog +
+// audit rows to their failed states. Uses a context.Background so the
+// patch happens even if the original ctx is already cancelled.
+func (r *BackupRunner) failRun(ctx context.Context, catalogID, auditID uuid.UUID, runErr error) {
+	r.patchCatalogRowFailed(ctx, catalogID, runErr)
+	r.patchAuditRowFailed(ctx, auditID, runErr)
+}

internal/services/backup_service_test.go

@@ -0,0 +1,193 @@
+package services
+
+// Pure-function tests for the Backup Mode runtime (t-paliad-246 / m/paliad#77).
+//
+// Live DB behaviour (the actual org dump end-to-end) needs a Postgres;
+// it would live in backup_service_live_test.go under TEST_DATABASE_URL.
+// This file covers the bits that don't need a database:
+//
+//   - orgSheetQueries registry shape: no duplicates, no excluded
+//     paliadin sheets, predictable prefix split between entity and ref.
+//   - LocalDiskStore Put / Get / Delete round-trip, key validation,
+//     URI traversal rejection.
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+// ---------------------------------------------------------------------------
+// orgSheetQueries registry
+// ---------------------------------------------------------------------------
+
+func TestOrgSheetQueries_NoDuplicates(t *testing.T) {
+	seen := map[string]bool{}
+	for _, sq := range orgSheetQueries() {
+		if seen[sq.SheetName] {
+			t.Fatalf("duplicate sheet name in orgSheetQueries: %q", sq.SheetName)
+		}
+		seen[sq.SheetName] = true
+	}
+}
+
+func TestOrgSheetQueries_ExcludesPaliadinTables(t *testing.T) {
+	// m's t-paliad-214 Q5 decision + this design's §11 Q3 default:
+	// paliadin_turns and paliadin_aichat_conversation must be ABSENT
+	// from the registry (structural exclusion, not just column-drop).
+	for _, sq := range orgSheetQueries() {
+		name := sq.SheetName
+		if strings.Contains(name, "paliadin") {
+			t.Fatalf("orgSheetQueries leaked paliadin sheet: %q (m's Q3 mandates structural exclusion)", name)
+		}
+		// Belt-and-braces: SQL bodies should not reference the tables
+		// either (no UNION joins, no subqueries pulling them in).
+		if strings.Contains(sq.SQL, "paliadin_turns") || strings.Contains(sq.SQL, "paliadin_aichat_conversation") {
+			t.Fatalf("orgSheetQueries[%q] SQL references a paliadin table: %s", name, sq.SQL)
+		}
+	}
+}
+
+func TestOrgSheetQueries_RefSheetsPrefixed(t *testing.T) {
+	// Every sheet whose data is read-only reference material is
+	// expected to use the `ref__` prefix. The writer's downstream
+	// consumers rely on this convention to group reference data
+	// visually in the workbook.
+	for _, sq := range orgSheetQueries() {
+		if !strings.HasPrefix(sq.SheetName, "ref__") {
+			continue
+		}
+		// Reference sheets shouldn't carry per-row WHERE clauses (they
+		// dump the whole reference table for portability).
+		if strings.Contains(strings.ToUpper(sq.SQL), "WHERE") {
+			t.Fatalf("orgSheetQueries[%q] is ref__ but has a WHERE clause; reference sheets dump the whole table", sq.SheetName)
+		}
+	}
+}
+
+func TestOrgSheetQueries_OrderByForDeterminism(t *testing.T) {
+	// Every sheet must specify an ORDER BY so the byte-deterministic
+	// contract from t-paliad-214 §3 holds across runs.
+	for _, sq := range orgSheetQueries() {
+		if !strings.Contains(strings.ToUpper(sq.SQL), "ORDER BY") {
+			t.Fatalf("orgSheetQueries[%q] missing ORDER BY (determinism contract): %s", sq.SheetName, sq.SQL)
+		}
+	}
+}
+
+// ---------------------------------------------------------------------------
+// LocalDiskStore round-trip
+// ---------------------------------------------------------------------------
+
+func TestLocalDiskStore_RoundTrip(t *testing.T) {
+	dir := t.TempDir()
+	store, err := NewLocalDiskStore(dir)
+	if err != nil {
+		t.Fatalf("NewLocalDiskStore: %v", err)
+	}
+	ctx := context.Background()
+	want := []byte("hello backup\n")
+
+	uri, err := store.Put(ctx, "test.zip", want)
+	if err != nil {
+		t.Fatalf("Put: %v", err)
+	}
+	if !strings.HasPrefix(uri, "file://") {
+		t.Fatalf("expected file:// uri, got %q", uri)
+	}
+	rc, size, err := store.Get(ctx, uri)
+	if err != nil {
+		t.Fatalf("Get: %v", err)
+	}
+	defer rc.Close()
+	if size != int64(len(want)) {
+		t.Fatalf("Get size = %d, want %d", size, len(want))
+	}
+	got, err := io.ReadAll(rc)
+	if err != nil {
+		t.Fatalf("ReadAll: %v", err)
+	}
+	if !bytes.Equal(got, want) {
+		t.Fatalf("Get body = %q, want %q", got, want)
+	}
+	if err := store.Delete(ctx, uri); err != nil {
+		t.Fatalf("Delete: %v", err)
+	}
+	// File should be gone; Get returns an error.
+	if _, _, err := store.Get(ctx, uri); err == nil {
+		t.Fatalf("Get after Delete should fail")
+	}
+	// Delete is idempotent.
+	if err := store.Delete(ctx, uri); err != nil {
+		t.Fatalf("idempotent Delete: %v", err)
+	}
+}
+
+func TestLocalDiskStore_RejectsBadKeys(t *testing.T) {
+	dir := t.TempDir()
+	store, err := NewLocalDiskStore(dir)
+	if err != nil {
+		t.Fatalf("NewLocalDiskStore: %v", err)
+	}
+	ctx := context.Background()
+	cases := []string{
+		"",
+		"sub/dir/file.zip",
+		"..\\evil.zip",
+		"../escape.zip",
+		"/abs/path.zip",
+	}
+	for _, k := range cases {
+		if _, err := store.Put(ctx, k, []byte("x")); err == nil {
+			t.Fatalf("Put with bad key %q should fail", k)
+		}
+	}
+}
+
+func TestLocalDiskStore_RejectsURIOutsideDir(t *testing.T) {
+	dir := t.TempDir()
+	store, err := NewLocalDiskStore(dir)
+	if err != nil {
+		t.Fatalf("NewLocalDiskStore: %v", err)
+	}
+	ctx := context.Background()
+	// A file:// URI pointing outside the store dir must be rejected
+	// by both Get and Delete (defense in depth against a corrupted
+	// catalog row).
+	outside := "file://" + filepath.Join(filepath.Dir(dir), "elsewhere.zip")
+	if _, _, err := store.Get(ctx, outside); err == nil {
+		t.Fatalf("Get outside store dir should fail")
+	}
+	if err := store.Delete(ctx, outside); err == nil {
+		t.Fatalf("Delete outside store dir should fail")
+	}
+	// Wrong scheme is also rejected.
+	if _, _, err := store.Get(ctx, "https://example.com/foo.zip"); err == nil {
+		t.Fatalf("Get with non-file:// scheme should fail")
+	}
+}
+
+func TestLocalDiskStore_CreatesDir(t *testing.T) {
+	// A non-existent parent gets created at construction; mode 0700.
+	base := t.TempDir()
+	target := filepath.Join(base, "nested", "exports")
+	store, err := NewLocalDiskStore(target)
+	if err != nil {
+		t.Fatalf("NewLocalDiskStore(non-existent): %v", err)
+	}
+	info, err := os.Stat(target)
+	if err != nil {
+		t.Fatalf("expected store dir to exist: %v", err)
+	}
+	if !info.IsDir() {
+		t.Fatalf("expected directory, got file")
+	}
+	// Smoke-write to confirm the dir is actually usable.
+	if _, err := store.Put(context.Background(), "ok.zip", []byte{}); err != nil {
+		t.Fatalf("Put into fresh dir: %v", err)
+	}
+}

internal/services/deadline_calculator.go

@@ -27,33 +27,119 @@ func NewDeadlineCalculator(holidays *HolidayService) *DeadlineCalculator {
 }
 
 // CalculateEndDate applies a single rule's duration + timing to the event date,
-// then bumps forward off non-working days for the given (country, regime).
-// Returns (adjusted, original, didAdjust).
+// then bumps off non-working days for the given (country, regime). For
+// rules with both a primary and an alt duration (alt_duration_value/_unit)
+// and a combine_op of 'max' or 'min', both legs are computed independently
+// and combined per the operator — this implements RoP R.198 / R.213
+// ("31 days OR 20 working days, whichever is longer") and the equivalent
+// shape under EPC. Returns (adjusted, original, didAdjust).
+//
+// Snap direction follows timing: 'after' snaps forward to the next
+// working day (RoP R.300.b — period extends to the next working day),
+// 'before' snaps *backward* to the preceding working day so the
+// statutory cut-off is not pushed past its hard limit.
+//
+// duration_unit='working_days' walks day-by-day via the holiday service
+// (skipping weekends + court holidays), so its result is always already a
+// working day — no post-arithmetic snap needed for that leg.
+//
+// Per Tier 3 Primitives §10 of docs/research-deadlines-completeness-2026-05-25.md
+// (m's 2026-05-25 15:29 steer: build the full primitives, no workarounds).
 func (c *DeadlineCalculator) CalculateEndDate(eventDate time.Time, rule models.DeadlineRule, country, regime string) (time.Time, time.Time, bool) {
-	endDate := eventDate
-
 	timing := "after"
 	if rule.Timing != nil {
 		timing = *rule.Timing
 	}
 
+	adjusted, raw, wasAdjusted := c.computeLeg(eventDate, rule.DurationValue, rule.DurationUnit, timing, country, regime)
+
+	// combine_op + alt_duration_*: compute the alt leg independently,
+	// then pick the later (max) or earlier (min) of the two adjusted
+	// end-dates. Live use case is UPC RoP R.198 / R.213 (31 calendar
+	// days vs. 20 working days, whichever is longer).
+	if rule.CombineOp != nil && rule.AltDurationValue != nil && rule.AltDurationUnit != nil {
+		altAdj, altRaw, altWasAdj := c.computeLeg(eventDate, *rule.AltDurationValue, *rule.AltDurationUnit, timing, country, regime)
+		switch *rule.CombineOp {
+		case "max":
+			if altAdj.After(adjusted) {
+				adjusted, raw, wasAdjusted = altAdj, altRaw, altWasAdj
+			}
+		case "min":
+			if altAdj.Before(adjusted) {
+				adjusted, raw, wasAdjusted = altAdj, altRaw, altWasAdj
+			}
+		}
+	}
+
+	return adjusted, raw, wasAdjusted
+}
+
+// computeLeg evaluates a single (value, unit) duration against the event
+// date in the given timing direction and snap-adjusts the result. Returns
+// the snap-adjusted end-date, the pre-snap end-date, and whether a snap
+// occurred. working_days arithmetic never needs a snap (the walker lands
+// on a working day by construction).
+func (c *DeadlineCalculator) computeLeg(eventDate time.Time, value int, unit string, timing string, country, regime string) (adjusted, raw time.Time, wasAdjusted bool) {
 	sign := 1
 	if timing == "before" {
 		sign = -1
 	}
-
-	switch rule.DurationUnit {
-	case "days":
-		endDate = endDate.AddDate(0, 0, sign*rule.DurationValue)
-	case "weeks":
-		endDate = endDate.AddDate(0, 0, sign*rule.DurationValue*7)
-	case "months":
-		endDate = endDate.AddDate(0, sign*rule.DurationValue, 0)
+	raw = c.addDuration(eventDate, value, unit, sign, country, regime)
+	if unit == "working_days" {
+		return raw, raw, false
 	}
+	if timing == "before" {
+		return c.holidays.AdjustForNonWorkingDaysBackward(raw, country, regime)
+	}
+	return c.holidays.AdjustForNonWorkingDays(raw, country, regime)
+}
 
-	original := endDate
-	adjusted, _, wasAdjusted := c.holidays.AdjustForNonWorkingDays(endDate, country, regime)
-	return adjusted, original, wasAdjusted
+// addDuration adds `sign * value` of the given unit to eventDate. For
+// 'working_days' it walks day-by-day skipping weekends and court
+// holidays via the holiday service.
+func (c *DeadlineCalculator) addDuration(eventDate time.Time, value int, unit string, sign int, country, regime string) time.Time {
+	switch unit {
+	case "days":
+		return eventDate.AddDate(0, 0, sign*value)
+	case "weeks":
+		return eventDate.AddDate(0, 0, sign*value*7)
+	case "months":
+		return eventDate.AddDate(0, sign*value, 0)
+	case "working_days":
+		return c.addWorkingDays(eventDate, sign*value, country, regime)
+	}
+	return eventDate
+}
+
+// addWorkingDays walks `n` business days from `date` (negative `n` walks
+// backward). The event day itself is never counted; we step first, then
+// skip past non-working days, repeated n times. Result is always a
+// working day for the given (country, regime). Matches UPC RoP R.300.b's
+// "the day on which the event happens shall not be counted" convention
+// applied to the business-day axis.
+//
+// Bound: each business-day step is bounded by a 60-day inner cap so a
+// misconfigured holiday table can never spin forever. The longest
+// real-world non-working run between adjacent business days is the
+// Christmas Eve → Neujahr window (~6 days), so 60 is over-provisioned.
+func (c *DeadlineCalculator) addWorkingDays(date time.Time, n int, country, regime string) time.Time {
+	if n == 0 {
+		return date
+	}
+	step := 1
+	count := n
+	if n < 0 {
+		step = -1
+		count = -n
+	}
+	cur := date
+	for i := 0; i < count; i++ {
+		cur = cur.AddDate(0, 0, step)
+		for j := 0; j < 60 && c.holidays.IsNonWorkingDay(cur, country, regime); j++ {
+			cur = cur.AddDate(0, 0, step)
+		}
+	}
+	return cur
 }
 
 // CalculateFromRules calculates deadlines for a slice of rules using the

internal/services/deadline_calculator_test.go

@@ -93,7 +93,14 @@ func TestCalculateEndDate_Weeks_LandsOnHoliday(t *testing.T) {
 	}
 }
 
-func TestCalculateEndDate_BeforeTiming(t *testing.T) {
+// TestCalculateEndDate_BeforeTiming_SnapsBackward — Tier 3 Primitive 5
+// (m/paliad#103 Slice A). For timing='before' rules (R.109.1 / R.109.4
+// "no later than X before the oral hearing"), a computed cut-off that
+// lands on a weekend / holiday must snap *backward* to the preceding
+// working day. Forward snap would push the cut-off past the statutory
+// limit and miss the deadline. See
+// docs/research-deadlines-completeness-2026-05-25.md §10 T3.5.
+func TestCalculateEndDate_BeforeTiming_SnapsBackward(t *testing.T) {
 	holidays := NewHolidayService(nil)
 	calc := NewDeadlineCalculator(holidays)
 
@@ -104,11 +111,322 @@ func TestCalculateEndDate_BeforeTiming(t *testing.T) {
 		DurationUnit:  "months",
 		Timing:        ptr("before"),
 	}
-	// "before" subtracts: 2026-04-15 - 1 month = 2026-03-15 (Sunday).
-	// Adjust: Sunday → Monday 2026-03-16.
+	// "before" subtracts: 2026-04-15 (Wed) - 1 month = 2026-03-15 (Sunday).
+	// Backward snap: Sunday → Friday 2026-03-13 (Karfreitag is later
+	// in 2026, so no extra holiday in this window).
 	in := time.Date(2026, 4, 15, 0, 0, 0, 0, time.UTC)
+	adjusted, original, wasAdjusted := calc.CalculateEndDate(in, rule, "DE", "UPC")
+	wantOrig := time.Date(2026, 3, 15, 0, 0, 0, 0, time.UTC)
+	wantAdj := time.Date(2026, 3, 13, 0, 0, 0, 0, time.UTC)
+	if !original.Equal(wantOrig) {
+		t.Errorf("original: got %s, want %s", original, wantOrig)
+	}
+	if !adjusted.Equal(wantAdj) {
+		t.Errorf("adjusted: got %s, want %s", adjusted, wantAdj)
+	}
+	if !wasAdjusted {
+		t.Error("expected wasAdjusted=true (Sun → preceding Fri)")
+	}
+}
+
+// Tier 3 Primitive 5 — backward snap across Karfreitag / Ostermontag.
+// 2026 Ostern: Karfreitag = 2026-04-03 (Fri), Ostermontag = 2026-04-06 (Mon).
+// Anchor Tue 2026-05-05 minus 1 month = Sun 2026-04-05 → backward through
+// Sat → Karfreitag → Thu 2026-04-02.
+func TestCalculateEndDate_BeforeTiming_BackwardSkipsHolidayCluster(t *testing.T) {
+	holidays := NewHolidayService(nil)
+	calc := NewDeadlineCalculator(holidays)
+
+	rule := models.DeadlineRule{
+		ID:            uuid.New(),
+		Name:          "1-month before, Ostern cluster",
+		DurationValue: 1,
+		DurationUnit:  "months",
+		Timing:        ptr("before"),
+	}
+	in := time.Date(2026, 5, 5, 0, 0, 0, 0, time.UTC)
+	adjusted, _, wasAdjusted := calc.CalculateEndDate(in, rule, "DE", "UPC")
+	want := time.Date(2026, 4, 2, 0, 0, 0, 0, time.UTC)
+	if !adjusted.Equal(want) {
+		t.Errorf("adjusted: got %s, want %s", adjusted, want)
+	}
+	if !wasAdjusted {
+		t.Error("expected wasAdjusted=true (Sun→Karfreitag→Thu)")
+	}
+}
+
+// Tier 3 Primitive 1 — working_days arithmetic forward over a weekend.
+// Anchor Mon 2026-01-12 + 5 working days = Tue 13 (1), Wed 14 (2),
+// Thu 15 (3), Fri 16 (4), Mon 19 (5). Result = Mon 2026-01-19.
+func TestCalculateEndDate_WorkingDays_ForwardSkipsWeekend(t *testing.T) {
+	holidays := NewHolidayService(nil)
+	calc := NewDeadlineCalculator(holidays)
+
+	rule := models.DeadlineRule{
+		ID:            uuid.New(),
+		Name:          "5 working days",
+		DurationValue: 5,
+		DurationUnit:  "working_days",
+		Timing:        ptr("after"),
+	}
+	in := time.Date(2026, 1, 12, 0, 0, 0, 0, time.UTC)
+	adjusted, original, wasAdjusted := calc.CalculateEndDate(in, rule, "DE", "UPC")
+	want := time.Date(2026, 1, 19, 0, 0, 0, 0, time.UTC)
+	if !adjusted.Equal(want) {
+		t.Errorf("adjusted: got %s, want %s", adjusted, want)
+	}
+	// working_days arithmetic lands on a working day by construction, so the
+	// "snap" reports no adjustment and original == adjusted.
+	if !original.Equal(want) {
+		t.Errorf("original: got %s, want %s", original, want)
+	}
+	if wasAdjusted {
+		t.Error("working_days result should not report a snap adjustment")
+	}
+}
+
+// Tier 3 Primitive 1 — working_days arithmetic with anchor on Friday;
+// 20 working days lands on the Friday four weeks later. Anchor Fri
+// 2026-01-09 → +20wd → Fri 2026-02-06. No DE federal holiday in
+// window. This exercises the R.198 / R.213 "20 working days" leg.
+func TestCalculateEndDate_WorkingDays_TwentyDays(t *testing.T) {
+	holidays := NewHolidayService(nil)
+	calc := NewDeadlineCalculator(holidays)
+
+	rule := models.DeadlineRule{
+		ID:            uuid.New(),
+		Name:          "20 working days",
+		DurationValue: 20,
+		DurationUnit:  "working_days",
+		Timing:        ptr("after"),
+	}
+	in := time.Date(2026, 1, 9, 0, 0, 0, 0, time.UTC)
 	adjusted, _, _ := calc.CalculateEndDate(in, rule, "DE", "UPC")
-	want := time.Date(2026, 3, 16, 0, 0, 0, 0, time.UTC)
+	want := time.Date(2026, 2, 6, 0, 0, 0, 0, time.UTC)
+	if !adjusted.Equal(want) {
+		t.Errorf("adjusted: got %s, want %s", adjusted, want)
+	}
+}
+
+// Tier 3 Primitive 1 — working_days across Karfreitag/Ostermontag. Anchor
+// Thu 2026-04-02 + 3 working days: skip Karfreitag (Fri 04-03), weekend,
+// Ostermontag (Mon 04-06). Walk: Tue 04-07 (1), Wed 04-08 (2), Thu 04-09
+// (3). Result = Thu 2026-04-09.
+func TestCalculateEndDate_WorkingDays_AcrossEasterCluster(t *testing.T) {
+	holidays := NewHolidayService(nil)
+	calc := NewDeadlineCalculator(holidays)
+
+	rule := models.DeadlineRule{
+		ID:            uuid.New(),
+		Name:          "3 working days over Ostern",
+		DurationValue: 3,
+		DurationUnit:  "working_days",
+		Timing:        ptr("after"),
+	}
+	in := time.Date(2026, 4, 2, 0, 0, 0, 0, time.UTC)
+	adjusted, _, _ := calc.CalculateEndDate(in, rule, "DE", "UPC")
+	want := time.Date(2026, 4, 9, 0, 0, 0, 0, time.UTC)
+	if !adjusted.Equal(want) {
+		t.Errorf("adjusted: got %s, want %s", adjusted, want)
+	}
+}
+
+// Tier 3 Primitive 1 — working_days across year boundary. Anchor Mon
+// 2025-12-29 + 5 working days. Calendar: Tue 30 (1), Wed 31 (2),
+// Thu 2026-01-01 = Neujahr (skip), Fri 2026-01-02 (3), Mon 05 (4),
+// Tue 06 (5). Result = Tue 2026-01-06.
+func TestCalculateEndDate_WorkingDays_AcrossYearBoundary(t *testing.T) {
+	holidays := NewHolidayService(nil)
+	calc := NewDeadlineCalculator(holidays)
+
+	rule := models.DeadlineRule{
+		ID:            uuid.New(),
+		Name:          "5 working days over year-end",
+		DurationValue: 5,
+		DurationUnit:  "working_days",
+		Timing:        ptr("after"),
+	}
+	in := time.Date(2025, 12, 29, 0, 0, 0, 0, time.UTC)
+	adjusted, _, _ := calc.CalculateEndDate(in, rule, "DE", "UPC")
+	want := time.Date(2026, 1, 6, 0, 0, 0, 0, time.UTC)
+	if !adjusted.Equal(want) {
+		t.Errorf("adjusted: got %s, want %s", adjusted, want)
+	}
+}
+
+// Tier 3 Primitive 1 — working_days backward (timing='before'). Anchor
+// Fri 2026-04-17 - 5 working days: Thu 16 (1), Wed 15 (2), Tue 14 (3),
+// Mon 13 (4), Fri 10 (5 — Mon 13 - 3 days skipping Sun/Sat). Result =
+// Fri 2026-04-10.
+func TestCalculateEndDate_WorkingDays_BackwardSkipsWeekend(t *testing.T) {
+	holidays := NewHolidayService(nil)
+	calc := NewDeadlineCalculator(holidays)
+
+	rule := models.DeadlineRule{
+		ID:            uuid.New(),
+		Name:          "5 working days before",
+		DurationValue: 5,
+		DurationUnit:  "working_days",
+		Timing:        ptr("before"),
+	}
+	in := time.Date(2026, 4, 17, 0, 0, 0, 0, time.UTC)
+	adjusted, _, _ := calc.CalculateEndDate(in, rule, "DE", "UPC")
+	want := time.Date(2026, 4, 10, 0, 0, 0, 0, time.UTC)
+	if !adjusted.Equal(want) {
+		t.Errorf("adjusted: got %s, want %s", adjusted, want)
+	}
+}
+
+// Tier 3 Primitive 1 — working_days anchored on a Saturday (rare but
+// must not loop). +3 working days from Sat 2026-01-10: Mon 12 (1), Tue
+// 13 (2), Wed 14 (3). Result = Wed 2026-01-14.
+func TestCalculateEndDate_WorkingDays_AnchorOnWeekend(t *testing.T) {
+	holidays := NewHolidayService(nil)
+	calc := NewDeadlineCalculator(holidays)
+
+	rule := models.DeadlineRule{
+		ID:            uuid.New(),
+		Name:          "3 working days from Saturday",
+		DurationValue: 3,
+		DurationUnit:  "working_days",
+		Timing:        ptr("after"),
+	}
+	in := time.Date(2026, 1, 10, 0, 0, 0, 0, time.UTC)
+	adjusted, _, _ := calc.CalculateEndDate(in, rule, "DE", "UPC")
+	want := time.Date(2026, 1, 14, 0, 0, 0, 0, time.UTC)
+	if !adjusted.Equal(want) {
+		t.Errorf("adjusted: got %s, want %s", adjusted, want)
+	}
+}
+
+// Tier 3 Primitive 2 — combine_op='max' picks the LATER of two adjusted
+// end-dates. Matches UPC RoP R.198 / R.213 "31 calendar days OR 20
+// working days, whichever is longer". Anchor Mon 2026-01-12.
+//   - Primary: 31 cal days → Sun 2026-02-12... wait, Mon Jan 12 + 31 =
+//     Thu 2026-02-12 (verify: Jan has 31 days; 12 + 31 = day-43 of year
+//     = Feb 12). Feb 12 2026 is Thursday → no snap, +31d.
+//   - Alt: 20 working_days → Mon Jan 12 + 20wd: Tue 13 (1) ... walk
+//     gives Mon 2026-02-09 (20 business days later, no DE holiday).
+//
+// max(Feb 12 Thu, Feb 09 Mon) = Feb 12 → primary wins.
+func TestCalculateEndDate_CombineMax_PrimaryWins(t *testing.T) {
+	holidays := NewHolidayService(nil)
+	calc := NewDeadlineCalculator(holidays)
+
+	rule := models.DeadlineRule{
+		ID:               uuid.New(),
+		Name:             "31d OR 20wd, max",
+		DurationValue:    31,
+		DurationUnit:     "days",
+		Timing:           ptr("after"),
+		AltDurationValue: ptr(20),
+		AltDurationUnit:  ptr("working_days"),
+		CombineOp:        ptr("max"),
+	}
+	in := time.Date(2026, 1, 12, 0, 0, 0, 0, time.UTC)
+	adjusted, _, _ := calc.CalculateEndDate(in, rule, "DE", "UPC")
+	want := time.Date(2026, 2, 12, 0, 0, 0, 0, time.UTC)
+	if !adjusted.Equal(want) {
+		t.Errorf("adjusted: got %s, want %s", adjusted, want)
+	}
+}
+
+// Tier 3 Primitive 2 — combine_op='max', alt wins. Anchor that makes the
+// 20-working-days leg longer than the 31-cal-day leg. Anchor Fri
+// 2026-01-09: +31 cal days = Mon 2026-02-09 (calendar weekday, no snap);
+// +20 working_days = Fri 2026-02-06 ... actually let's pick an anchor
+// where the working-days side overshoots. Anchor over a long-weekend
+// cluster: Wed 2026-12-23, +31cal = Sat 2027-01-23 → forward-snap to Mon
+// 2027-01-25 (DE has no holiday that day). +20wd = walk skipping Heilig
+// Abend, Christmas, Neujahr, weekends. Pick simpler: anchor where 31cal
+// + snap ≈ 20wd + cluster.
+//
+// Concrete: anchor Mon 2026-01-12, mock the 31d leg landing on Sun
+// 2026-02-15 (no — Jan 12 + 34 days = Feb 15, not 31). For deterministic
+// "alt wins", we use a configurable anchor and check the relative order
+// instead.
+func TestCalculateEndDate_CombineMax_AltWins(t *testing.T) {
+	holidays := NewHolidayService(nil)
+	calc := NewDeadlineCalculator(holidays)
+
+	// Anchor Thu 2026-12-24 (Heilig Abend is not a DE federal holiday;
+	// holiday service only has Neujahr/Easter/.../Weihnachtstag — Dec
+	// 24 is a working day here). +14 calendar days = Thu 2027-01-07.
+	// +20 working_days walks Fri 12-25 (1. Weihnachtstag — skip), ...
+	// arrives much later. Use 14 days vs 20 working_days to make alt
+	// reliably win on this stretch.
+	rule := models.DeadlineRule{
+		ID:               uuid.New(),
+		Name:             "14d OR 20wd, max",
+		DurationValue:    14,
+		DurationUnit:     "days",
+		Timing:           ptr("after"),
+		AltDurationValue: ptr(20),
+		AltDurationUnit:  ptr("working_days"),
+		CombineOp:        ptr("max"),
+	}
+	in := time.Date(2026, 12, 24, 0, 0, 0, 0, time.UTC)
+	adjusted, _, _ := calc.CalculateEndDate(in, rule, "DE", "UPC")
+	// Primary 14 cal days: Dec 24 (Thu) + 14 = Jan 7 2027 (Thu), working
+	// day → no snap. Alt 20 working_days walks past Christmas + Neujahr:
+	// Fri 12-25 (1.W) skip, Sat/Sun 12-26/27 skip (Sat counts as
+	// non-working; 2.W on 26 also skips), Mon 12-28 (1), Tue 12-29 (2),
+	// Wed 12-30 (3), Thu 12-31 (4), Fri 01-01-2027 Neujahr skip, Mon
+	// 01-04 (5), Tue 01-05 (6), Wed 01-06 (7), Thu 01-07 (8), Fri 01-08
+	// (9), Mon 01-11 (10), Tue 01-12 (11), Wed 01-13 (12), Thu 01-14
+	// (13), Fri 01-15 (14), Mon 01-18 (15), Tue 01-19 (16), Wed 01-20
+	// (17), Thu 01-21 (18), Fri 01-22 (19), Mon 01-25 (20). Result =
+	// Mon 2027-01-25. After max(Jan 7, Jan 25) → Jan 25.
+	want := time.Date(2027, 1, 25, 0, 0, 0, 0, time.UTC)
+	if !adjusted.Equal(want) {
+		t.Errorf("adjusted: got %s, want %s", adjusted, want)
+	}
+}
+
+// Tier 3 Primitive 2 — combine_op='min' picks the EARLIER end-date.
+// Same shape as the max test but inverted. Same Dec 24 2026 anchor,
+// 14d vs 20wd: min = Jan 7 2027 (the primary leg).
+func TestCalculateEndDate_CombineMin_PrimaryWins(t *testing.T) {
+	holidays := NewHolidayService(nil)
+	calc := NewDeadlineCalculator(holidays)
+
+	rule := models.DeadlineRule{
+		ID:               uuid.New(),
+		Name:             "14d OR 20wd, min",
+		DurationValue:    14,
+		DurationUnit:     "days",
+		Timing:           ptr("after"),
+		AltDurationValue: ptr(20),
+		AltDurationUnit:  ptr("working_days"),
+		CombineOp:        ptr("min"),
+	}
+	in := time.Date(2026, 12, 24, 0, 0, 0, 0, time.UTC)
+	adjusted, _, _ := calc.CalculateEndDate(in, rule, "DE", "UPC")
+	want := time.Date(2027, 1, 7, 0, 0, 0, 0, time.UTC)
+	if !adjusted.Equal(want) {
+		t.Errorf("adjusted: got %s, want %s", adjusted, want)
+	}
+}
+
+// Tier 3 Primitive 2 — combine_op with NULL alt fields short-circuits to
+// the primary-only result (defensive: drift in seed data shouldn't crash
+// the calculator). Same as the basic days test but with combine_op set
+// and alt fields nil.
+func TestCalculateEndDate_CombineOp_AltNil_FallsBackToPrimary(t *testing.T) {
+	holidays := NewHolidayService(nil)
+	calc := NewDeadlineCalculator(holidays)
+
+	rule := models.DeadlineRule{
+		ID:            uuid.New(),
+		Name:          "Primary only, stray combine_op",
+		DurationValue: 10,
+		DurationUnit:  "days",
+		Timing:        ptr("after"),
+		CombineOp:     ptr("max"),
+	}
+	in := time.Date(2026, 1, 13, 0, 0, 0, 0, time.UTC)
+	adjusted, _, _ := calc.CalculateEndDate(in, rule, "DE", "UPC")
+	want := time.Date(2026, 1, 23, 0, 0, 0, 0, time.UTC)
 	if !adjusted.Equal(want) {
 		t.Errorf("adjusted: got %s, want %s", adjusted, want)
 	}
@@ -168,4 +486,3 @@ func TestAdjustForNonWorkingDays_WalksPastSummerVacation(t *testing.T) {
 	// PR-3 ("SoD 3mo from 2026-04-30 → adjusted Mon 2026-08-31, not Sat
 	// 2026-08-29") locks the live behaviour.
 }
-

internal/services/deadline_rule_service.go

@@ -34,7 +34,8 @@ const ruleColumns = `id, proceeding_type_id, parent_id, submission_code, name, n
 	anchor_alt, concept_id, legal_source, is_spawn, spawn_label, is_active,
 	created_at, updated_at,
 	trigger_event_id, spawn_proceeding_type_id, combine_op, condition_expr,
-	priority, is_court_set, lifecycle_state, draft_of, published_at`
+	priority, is_court_set, lifecycle_state, draft_of, published_at,
+	choices_offered`
 
 const proceedingTypeColumns = `id, code, name, name_en, description, jurisdiction,
 	category, default_color, sort_order, is_active`