paliad/docs/improvement-audit.md

Paliad — Product Audit & Improvement Roadmap

Prepared by cronus (inventor) on 2026-04-18 for task t-paliad-015. Scope: complete code, UX, content, architecture, and ops audit after the 17 000-line KanzlAI → Paliad integration (Phases A–J, April 2026).

Audit posture: first-real-user (HLC patent lawyer, Munich) and long-term architect. Items are prioritised and actionable — each has a file reference and a suggested fix. No hour estimates; effort is expressed as S / M / L (small / medium / large).

• S = <1 day of focused work; single file or localised change
• M = multi-file change, migration, or non-trivial design
• L = new subsystem, cross-cutting rework, or external dep

---

TL;DR — the two things to fix today

1. The session middleware does not verify JWT signatures and the Go backend extracts auth.uid() from that unverified token to gate every database read and write. A forged cookie with any sub and a future exp gives an attacker access to any user's Akten, including admin. See C-1 below. internal/auth/auth.go:178 + internal/auth/user.go:60.
2. The dashboard leaks every user's personal Termine to every other logged-in user for the next 7 days (title, location, description, start/end). internal/services/dashboard_service.go:245. See C-2.

Both are one-file fixes and must ship before this audit reaches a wider pilot group.

---

1 — Critical (fix immediately)

C-1. Session JWTs are not signature-verified

File: internal/auth/auth.go:178, internal/auth/user.go:60 Severity: Critical (authZ bypass) Effort: M

Client.Middleware accepts the session cookie, parses exp via DecodeJWTExpiry, and calls next if the token is unexpired. The signature is never checked. WithUserID then base64-decodes the sub claim straight into the request context. AkteService.GetByID and every other service trusts that UUID as the authenticated user.

Exploit: craft any JWT with exp in the future and sub = <admin-user-uuid>. Set it as the patholo_session cookie. The Go backend uses a service-role Postgres connection, so RLS policies do not run and the app-level visibility check sees the forged UUID as a real admin. Effectively: anyone with a Paliad cookie can impersonate anyone.

Fix:

• Fetch the Supabase project's JWT signing key (JWKS endpoint: ${SUPABASE_URL}/auth/v1/.well-known/jwks.json) or the shared SUPABASE_JWT_SECRET and verify the token in Middleware before trusting any claim.
• Cache the JWKS for 1 hour; rotate on kid mismatch.
• WithUserID should read the verified claims, not re-decode the raw cookie.
• Consider github.com/golang-jwt/jwt/v5 — already idiomatic for Go.

Related: internal/services/akte_service.go:18-24 explicitly documents that RLS "does not kick in because the backend does not provide a JWT-backed auth.uid()" — so the app-layer predicate is the only gate. The JWT must therefore be trusted.

---

C-2. Dashboard leaks every user's personal Termine cross-user

File: internal/services/dashboard_service.go:232-256 Severity: Critical (privacy / confidentiality) Effort: S

WHERE t.start_at >= $4
  AND t.start_at <  ($4 + interval '7 days')
  AND (t.akte_id IS NULL              -- ← ANY personal Termin, any user
       OR a.firm_wide_visible = true
       OR a.owning_office = $1
       OR $2::uuid = ANY (a.collaborators)
       OR $3 = 'admin')

Personal Termine (akte_id IS NULL) are creator-only by contract (TerminService.canSee enforces created_by = userID). The dashboard forgets this filter and returns up to 10 such rows for any user — title, location, description, times included.

In practice an associate's "Bewerbungsgespräch bei Kanzlei X" is visible to partners and vice-versa.

Fix: change the personal-Termin branch to (t.akte_id IS NULL AND t.created_by = $2::uuid) — mirrors the already- correct rule in termin_service.go:103.

---

C-3. Any user with visibility can delete Akte children (Parteien, Termine)

File:

• internal/services/parteien_service.go:93-111 — Delete has no role gate.
• internal/services/termin_service.go:357-398 — Akte-linked Termine: only personal Termine check creator; Akte-linked pass through with just visibility.

Severity: Critical (data loss; inconsistent with Fristen policy) Effort: S

An associate in London, viewing a Munich firm-wide Akte, can DELETE /api/parteien/{id} and erase the Klägerin-record, or delete any hearing from the Akte's calendar. FristService.Delete already scopes to partner|admin only — the other child services should follow suit.

Fix: require user.Role in {partner, admin} (or created_by = userID) for delete on ParteienService and TerminService. Apply the same rule to Update on both.

---

C-4. Email gate still pins to @hoganlovells.com

File: internal/handlers/auth.go:113-116 Severity: Critical (post-merger lockout) Effort: S

HLC email domains (@hlc.com, @hlc.de) cannot register or log in. Login-form placeholders still say name@hoganlovells.com.

Fix:

• Replace isHoganLovellsEmail with an env-configurable whitelist, default hoganlovells.com,hlc.com,hlc.de (design §2 already requested this).
• Update placeholders in frontend/src/login.tsx:26,34 + the login.hint i18n key (de + en).
• Error strings ("Zugang nur für @hoganlovells.com …") should become "… für autorisierte HLC-E-Mail-Adressen."

---

C-5. CALDAV_ENCRYPTION_KEY not wired into production compose

File: docker-compose.yml:4-12 Severity: Critical in effect (feature silently disabled) Effort: S

The compose file declares SUPABASE_URL, SUPABASE_ANON_KEY, GITEA_TOKEN, DATABASE_URL. It does not pass CALDAV_ENCRYPTION_KEY. On the Dokploy compose (Zx147ycurfYagKRl_Zzyo) this means cmd/server/main.go:66 logs "CALDAV_ENCRYPTION_KEY not set — CalDAV endpoints will return 501" and the entire Termine-sync feature is dead on paliad.de. Users who save their CalDAV settings see a 501 from /api/caldav-config and conclude the product is broken.

Fix: add - CALDAV_ENCRYPTION_KEY=${CALDAV_ENCRYPTION_KEY} (and while we're at it, a placeholder ANTHROPIC_API_KEY commented out so Phase H reactivation is one uncomment). Set the actual key on Dokploy.

---

2 — Important (fix this week)

I-1. Dokumente tab on Akten detail is a dead placeholder

File: frontend/src/akten-detail.tsx:215-222, frontend/src/client/i18n.ts:468,1241 Severity: Important (visible UI dead-end; leaks internal phase names) Effort: S

The tab is rendered, clickable, and shows the text "Dokumenten-Upload folgt in Phase H." — a strong UX signal that the product is unfinished. Phase H is deferred indefinitely.

Fix (pick one):

• Hide the Dokumente tab entirely until there is real content — drop it from the VALID_TABS list in akten-detail.ts:62 and the TSX tabs strip.
• Or keep it visible but replace the copy with a neutral "Dokumenten- Upload in Planung" (no phase leak) and a discreet CTA to vote/express interest (write to paliad_feature_interest).

I'd hide it — dead tabs are worse than missing features.

I-2. Office labels in German not translated to English

File: frontend/src/index.tsx:122-128 Severity: Important (i18n regression visible on landing page) Effort: S

Only index.munich has a data-i18n key. Düsseldorf, Hamburg, Amsterdam, London, Paris, Mailand render raw German in EN mode. "Mailand" → "Milan" is the most obvious miss; Düsseldorf/London/Paris are correct in both languages but the fact that only one is i18n'd is a consistency bug waiting for the next new office.

Fix: add index.office.munich|duesseldorf|hamburg|amsterdam|london| paris|milan keys (de: "München / Düsseldorf / Hamburg / Amsterdam / London / Paris / Mailand"; en: "Munich / Düsseldorf / Hamburg / Amsterdam / London / Paris / Milan").

I-3. Gerichtsverzeichnis UPC URLs redirect

File: internal/handlers/gerichte.go (45 occurrences of unifiedpatentcourt.org, no hyphens) Severity: Important (one redirect per link click; flagged as wrong by link-checkers) Effort: S

Canonical UPC website is https://www.unified-patent-court.org (with hyphens). The no-hyphen form returns HTTP 403 challenge pages from Cloudflare on naive curl but does resolve to the same destination. internal/handlers/links.go uses the canonical form — the two files are inconsistent. Pick one. Canonical (hyphenated) is safer.

Fix: sed-replace unifiedpatentcourt.org → unified-patent-court.org across gerichte.go (and re-verify the deep paths still resolve — some /en/court/court-appeal style URLs may have moved).

I-4. loadRecentActivity omits personal Termine audit rows (not a bug yet, but will be)

File: internal/services/dashboard_service.go:259-287 Severity: Medium-Important (correctness risk) Effort: S

loadRecentActivity joins akten_events → akten, so only Akte-attached events appear. That is correct today because personal Termine explicitly skip the audit (per Phase F memory). If a future contributor adds a personal-Termin event type without reading the design, this query will silently drop it — add a comment or switch to LEFT JOIN + WHERE a.id IS NULL OR <visibility>.

I-5. /api/akten/{id}/events has no pagination or size limit

File: internal/services/akte_service.go:368-383 Severity: Important (scalability; long-running Akten) Effort: M

ListEvents returns every row ever written to akten_events for an Akte. A three-year litigation with CalDAV sync and daily notizen edits could easily reach 5–10 k rows. The Verlauf tab will then ship 2 MB of JSON on each tab-click.

Fix: add ?before=<uuid>&limit=50 cursor pagination and render "Load more" in the Verlauf tab. Already noted in the Phase E followup list, never actioned.

I-6. Glossar is missing FRAND / SEP / related commercial-patent terms

File: internal/handlers/glossar.go:33-118 (~86 entries) Severity: Important (content gap for the target audience) Effort: S

HLC's patent practice is a heavy SEP/FRAND shop; the glossary has zero entries for: FRAND, SEP, Standard-essentielles Patent, Patentpool, Anti- Anti-Suit Injunction, Injunction gap, Orange-Book-Verfahren, Huawei/ZTE-Verhandlungsmuster, RAND, ETSI IPR Policy, Patent-Hold-up, Patent-Hold-out. These are table-stakes for the intended user.

Fix: add ~12 entries under a new SEP/FRAND category (or stretch Litigation). Pull definitions from the canonical CJEU/BGH case law.

I-7. README is out of date

File: README.md:30-43,107 Severity: Important (onboarding drag) Effort: S

• Migration list stops at 013; 014 (checklist_instances) is live.
• Line 107 says "Phase I (Notizen) pending — service and UI aren't built yet"; it shipped on mai/knuth/phase-i-notizen (commit 5a9f8e5, 2026-04-17) with full service + handlers + UI.

Fix: refresh the migrations block (014_checklist_instances …) and the status paragraph. Phase I ✅ Done, Phase J docs-only done, infra retirement pending.

I-8. Legacy "patholo_" names everywhere

File: internal/auth/auth.go:17-18, internal/handlers/links.go:315, frontend/src/client/i18n.ts:6 (STORAGE_KEY = "patholo-lang"), frontend/src/client/*.ts (other localStorage keys), paliad_link_suggestions / paliad_link_feedback table names (compare vs. the older patholo_* references in the code). Severity: Important (brand inconsistency; minor confusion) Effort: M

Cookie name patholo_session, storage key patholo-lang, Supabase tables patholo_link_suggestions / patholo_link_feedback. Memory notes a deliberate decision to keep the cookie name so users aren't logged out — that's fine — but storage keys and table names can migrate without user impact.

Fix: plan a single branch that:

• Renames STORAGE_KEY → paliad-lang with a one-shot migration from the old key (read old, write new, delete old) in i18n.ts init.
• Renames tables to paliad_link_suggestions / paliad_link_feedback (migration + update callers in handlers/links.go).
• Leaves the cookie name alone or migrates it with a dual-read grace period.

---

3 — Polish (nice to have)

P-1. HL Intern links are stubs

internal/handlers/links.go:206-219 — two entries with URL: "#" render as clickable cards that go nowhere.

Fix: either remove the entries until real URLs land, or add a "Coming soon — suggest a URL" flag + disabled styling.

P-2. Dashboard says "Meine Mandate" but the nav and URL say "Akten"

frontend/src/dashboard.tsx:82, i18n key dashboard.matters.heading. The project's naming convention (CLAUDE.md) mandates Akten throughout — the term "Mandate" is explicitly historical. The dashboard heading should read "Meine Akten" / "My Matters".

Fix: change i18n text to "Meine Akten" (DE) and leave "My Matters" (EN). Rename i18n key if desired.

P-3. Login page placeholder still says name@hoganlovells.com

Covered by C-4. Mentioned again here because the hint "Nur für @hoganlovells.com Adressen." is a polish concern even after the whitelist change — update to "Nur für autorisierte HLC-Adressen."

P-4. Landing page footer reads "Hogan Lovells Patent Practice"

frontend/src/components/Footer.tsx:7. Brand reads as old on every page. Switch to "HLC Patent Practice" post-merger (or drop the firm name entirely since Paliad is supposed to survive renames).

P-5. No explicit empty-state copy on Fristen-Kalender / Termine-Kalender

Check frontend/src/fristen-kalender.tsx, termine-kalender.tsx. Calendars with no events render an empty grid — add a subtle "Keine Fristen / Termine im ausgewählten Zeitraum." string.

P-6. Office names in AkteService.isValidOffice diverge from UI labels

akte_service.go:403-408 accepts keys munich, duesseldorf, hamburg, amsterdam, london, paris, milan. The models.go user has the same list. But the UI (landing page) writes "München", "Düsseldorf", "Mailand". Currently fine because admins edit office via internal role only, but any future user-facing office selector must map label → key — add a single source of truth (internal/calc/offices.go or similar: {key: "munich", labelDE: "München", labelEN: "Munich"}).

P-7. Glossar CSVs hard-coded in one file (230 lines)

Not a bug, but as the list grows toward 150+ terms it wants to move out of Go source into internal/handlers/glossar_data.go or a JSON blob in internal/data/glossar.json. Easier for non-devs to edit.

P-8. Dockerfile lacks HEALTHCHECK and runs as root

Dockerfile:13-19. No HEALTHCHECK, no USER nonroot. Both are easy wins for Dokploy's health surface and container hardening.

# before the CMD
HEALTHCHECK --interval=30s --timeout=3s CMD wget -qO- http://localhost:8080/ || exit 1
RUN addgroup -S paliad && adduser -S -G paliad paliad
USER paliad

Add a GET /healthz route that returns 200 without auth; current / redirects and wgets a 200 anyway, but an explicit probe is cleaner.

P-9. Landing-page copy still frames Paliad as "Paliad — Patentwissen für Hogan Lovells"

frontend/src/client/i18n.ts:38-48. With Phase 0 shipped, Paliad is more than a knowledge hub — it's the Aktenverwaltung. The hero section should call that out. Proposed: "Paliad — alles für den Patentalltag: Akten, Fristen, Termine und Wissen."

P-10. Kostenrechner PDF and Checklisten print — not verified by audit

The design says PDF export works. I did not test it; please verify after any CSS change that affects .tool-page / .print\:hide. Consider adding a visual-regression snapshot to the build.

---

4 — Features (prioritised backlog)

F-1. Global search (Ctrl-K / Cmd-K)

Impact: Very High Effort: M

A single keystroke that searches across Akten, Fristen, Termine, Parteien, Glossar, Gerichte, Links. Patent lawyers hop between matters constantly; the current UX requires clicking through 2 sidebar entries to find anything. Index on the backend with tsvector + pg_trgm, or build a client-side Lunr index for the static content and a single /api/search?q=… that fans out for user data. Match by Aktenzeichen, party name, Frist title.

F-2. Verfahrensleitfäden (procedure guides)

Impact: Very High (per the original roadmap, never shipped) Effort: L

Step-by-step UPC / BPatG / EPO workflows that stitch together checklists, deadline rules, and recommended templates. This is the biggest original-roadmap item still missing.

F-3. Expand the Downloads registry

Impact: High (2/10 on the roadmap, partial) Effort: M

Only HL Patents Style.dotm is wired up. mWorkRepo has more templates. Wire Vollmacht.dotm, Unterlassungserklärung.dotm, UPC-Klageschrift-Skeleton.dotm — mirror the existing proxy pattern.

F-4. Benachrichtigungen (notifications)

Impact: Medium-High Effort: L

Email digest of today's overdue/due Fristen + tomorrow's Termine, sent at 07:00 CET per user. Supabase pg_cron + Edge Functions or a Go scheduler in the Paliad binary. Opt-in per user.

F-5. What's New / Changelog in-app

Impact: Medium Effort: S

docs/changelog.md rendered under /whatsnew with a red dot on the sidebar when there's an entry newer than the user's last_seen_changelog timestamp. Cheap way to communicate feature releases.

F-6. Akten-Kurzinfo on hover (pop-over)

Impact: Medium Effort: S

Hovering an Aktenzeichen in any list (Dashboard activity, Fristen, Termine) shows a tooltip with matter title, court, next Frist. Reduces tab-switching.

F-7. Parteien mit Kontaktkarten (Update endpoint)

Impact: Medium Effort: S

Currently ParteienService only supports Create + Delete. No Update. Typos in a party name force a delete + re-add and lose the ID. Add PATCH /api/parteien/{id}.

F-8. Fristenrechner — "Als Frist speichern" mit Wiedervorlage

Impact: Medium Effort: S

When creating a Frist with a Rule, also derive a Wiedervorlage-Frist (warning-date = due - 14 d) and offer to create both in one click.

F-9. Dark mode

Impact: Low (but free with CSS variables) Effort: S

global.css already uses CSS variables heavily. Add a @media (prefers-color-scheme: dark) block + a manual toggle in the sidebar.

F-10. Document upload without AI (revisit Phase H)

Impact: Medium (still open per memory episode) Effort: M

The Supabase Storage upload path already works; only the AI-extraction part was rejected. A plain "upload PDF to Akte" with no auto-extraction is still useful and unblocks the Dokumente tab.

F-11. Akten-Tags / Labels

Impact: Medium Effort: M

Free-form tags on Akten (e.g., SEP, OLG-Düsseldorf, Q4-Priority) with a filter UI. Cheaper than a full custom-fields system and used extensively at comparable firms.

---

5 — Technical Debt

T-1. RLS policies exist but are never enforced

internal/db/migrations/007_rls_policies.up.sql defines full office- scoped RLS keyed off auth.uid(). The Go backend uses a service-role connection (db.OpenPool with DATABASE_URL), so those policies never evaluate — every query bypasses RLS by design.

This is correct today (service-role means app-level checks must be bulletproof, which they mostly are) but it means the RLS layer is dead weight that increases surface for a migration bug to produce a silently-wrong policy. Decide:

• Option A: accept the "belt-and-braces" position, keep RLS, document loudly that it's not active in prod.
• Option B: drop the RLS migration and policies — less code, less false sense of security.
• Option C: switch to PostgREST-style per-request JWT connections so RLS actually runs. This is the most defensive but a substantial rewrite.

My recommendation: Option A, with an internal/db/RLS_NOTE.md and a SET row_security = off; (or equivalent) in the service-role connection so the policies don't quietly cost perf.

T-2. Go module path still mgit.msbls.de/m/patholo

go.mod:1 + every import statement. Not breaking, but a daily reminder of the old name. Rename on the next big refactor, not now — every file in the repo would churn.

T-3. calDAVClient hand-rolls iCal + WebDAV

Documented in the Phase F memory as a deliberate choice. Fine for now, but re-evaluate when any of these lands:

• Importing foreign UIDs (currently skipped)
• RRULE / VTIMEZONE / DTSTART-with-tzid
• Multi-calendar support per user

At that point switch to github.com/emersion/go-ical + github.com/emersion/go-webdav.

T-4. _dev/mock_supabase_auth.sql lives inside migrations/

internal/db/migrations/_dev/. Embed.FS includes all files under migrations/ — the _dev directory is probably ignored by iofs.New (directories not matching the pattern NNN_*.sql are filtered) but it's one hop from a build bug. Move to internal/db/devtools/ or similar, outside the embed root.

T-5. Client-side duplicated helpers

Memory's Phase E followup notes: urgency-color + date-format JS helpers are duplicated across fristen.ts, fristen-detail.ts, fristen-kalender.ts, akten-detail.ts. Extract to frontend/src/client/fristen-shared.ts. Not urgent, but next time anyone touches the Fristen UI: do this first.

T-6. /api/fristen?status=all returns everything client-side filters

Per Phase E memory: fine at current volumes, but a partner with 500 completed Fristen will see the full 500 on every calendar load. Add server-side date-range filtering before that's a support ticket.

T-7. No error monitoring

The server logs to stdout (which Dokploy captures), but there is no Sentry / log-based alert wiring. Nobody knows when something breaks in prod until a user complains. Options:

• Wire Supabase log drain (if Dokploy supports it).
• Self-host a lightweight OpenTelemetry collector on mlake.
• At minimum: GET /metrics (Prometheus text) with basic counters, and a cron that posts to Gotify when error-rate crosses a threshold.

Pick the cheapest now — we can evolve later.

T-8. No structured logging

Mixed log.Printf + slog.Info across the codebase. Pick one, default to slog with a JSON handler in prod. Pre-populate user-id and request-id in the context for correlation.

T-9. No backup verification for paliad schema

Supabase's automatic backups cover the whole instance, but paliad.paliad_schema_migrations collision history (memory episode "paliad migration bootstrap collision") suggests the shared-Postgres posture is fragile. Add a weekly pg_dump --schema=paliad cron on mlake that writes to an offsite bucket and a monthly restore-smoke-test (into an ephemeral Postgres container).

T-10. Test coverage gaps

Only akte_service_test.go, deadline_calculator_test.go, holidays_test.go, fees_test.go exist. Missing: FristService, TerminService, NotizService, CalDAVService (unit tests for iCal encode / decode, encrypt / decrypt, visibility edge-cases). The CalDAV crypto in particular should have a table-driven test with known vectors.

T-11. internal/models/models.go is one big file

Not inherently bad, but it's the dumping ground for 14 types. Split by domain (user.go, akte.go, frist.go, termin.go, …) next time it's touched.

T-12. Dockerfile build cache hygiene

Every COPY . . invalidates on any source change, forcing a full go mod download. Move go.mod/go.sum copy + go mod download before COPY . . — already done. But also consider FROM golang:1.24-alpine AS backend → golang:1.24 with CGO_ENABLED=0 so libc-less alpine runtime doesn't fight any future pgx upgrade. Minor; today it's fine.

T-13. frontend/build.ts has 24 hand-maintained render-and-write pairs

Any new page requires edits in 4 places (build.ts, handlers.go registration, i18n keys, CSS). Consider a page-manifest — an array [{slug, render, clientEntry}] — that the build script iterates over. Less ceremony; harder to forget one of the four places.

T-14. Gitea-backed file proxy has no ETag / If-Modified-Since

internal/handlers/files.go caches bytes and the commit SHA in memory but never sets an ETag or Last-Modified response header, so every browser re-downloads a 500 KB .dotm on each click. Add: w.Header().Set("ETag", entry.sha) + handle If-None-Match with a 304. Cheap win.

---

Delivery suggestion

• Week 1 (critical): C-1, C-2, C-3, C-4, C-5. All small- to medium-effort and gates production readiness.
• Week 2 (important): I-1, I-2, I-3, I-7, I-8. Polish the post-merger brand story.
• Week 3 (features, pick 2): F-1 (global search) gives the biggest daily-use win; F-2 (Verfahrensleitfäden) is the biggest content win; F-3 (Downloads) closes a roadmap item cheaply.
• Always-on (tech debt): pick one T-item per sprint until they're gone.

None of the critical items are theoretical — the JWT signature bypass and the dashboard Termine leak are real exploit-paths I could walk through today with a curl command and a Paliad cookie. Fix those two first.