From 0a5a37d1699d202741638b0d8ee8c15c91cbcd69 Mon Sep 17 00:00:00 2001
From: Thomas Reitz
Date: Sun, 15 Mar 2026 09:08:36 +0100
Subject: [PATCH] docs: Stand.md updated — complete feature overview as of 2026-03-15
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

All implemented features documented: Auth, M365 integration, dashboard,
CRM Phase 1-2.5 incl. Kanban + permission model, expert profile,
profile access, admin area, login branding, API endpoints.

Co-Authored-By: Claude Sonnet 4.6
---
 docs/Stand.md | 170 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 170 insertions(+)

diff --git a/docs/Stand.md b/docs/Stand.md
index e69de29..c0d1666 100644
--- a/docs/Stand.md
+++ b/docs/Stand.md
@@ -0,0 +1,170 @@ +# INSIGHT MVP — Aktueller Implementierungsstand +*Stand: 2026-03-15* + +--- + +## Alle Services live und gesund + +| Service | Container | Status | +|---------|-----------|--------| +| Core Service | `insight-core` | ✅ healthy | +| CRM Service | `insight-crm` | ✅ healthy | +| Frontend | `insight-frontend` | ✅ healthy | +| PostgreSQL | `insight-postgres` | ✅ healthy | +| PgBouncer | `insight-pgbouncer` | ✅ healthy | +| Redis | `insight-redis` | ✅ healthy | +| Traefik | `insight-traefik` | ✅ healthy | +| step-ca | `insight-step-ca` | ✅ healthy | + +--- + +## Implementierte Features (vollständig deployed) + +### Auth & Benutzer +- ✅ Login (lokal + SSO via Microsoft Entra ID) +- ✅ JWT (RS256, Access in Memory, Refresh HttpOnly Cookie) +- ✅ 2FA (TOTP) +- ✅ Silent Refresh +- ✅ Passwort ändern +- ✅ Profilbild-Upload + +### Microsoft 365 Integration +- ✅ OAuth2-Flow (`/auth/integrations/microsoft-365`) +- ✅ Token-Storage verschlüsselt (AES-256-GCM) in `user_integrations` +- ✅ Token-Refresh automatisch +- ✅ Scopes: Mail.Read, Calendars.Read, Tasks.ReadWrite, offline_access +- ✅ O365-Profilfelder: jobTitle, department, companyName, officeLocation +- ✅ Profilbild-Sync aus O365 (96x96, nur wenn kein INSIGHT-Avatar) +- ✅ Auto-Sync beim Login (`useO365ProfileSync` Hook) + +### Dashboard +- ✅ Home-Tab: Analoguhr, 3-Tage-Wetter-Prognose, Spruch des Tages, kompakte Widgets +- ✅ E-Mail-Tab (O365 Inbox mit Lesefenster) +- ✅ Kalender-Tab (O365 Events) +- ✅ Aufgaben-Tab (O365 + CRM bidirektional) +- ✅ Kontakte-Tab (O365 + CRM verknüpft) + +### CRM (Phase 1–2.5) +- ✅ Companies, Contacts, Deals, Activities (vollständiges CRUD) +- ✅ Pipelines & Stages +- ✅ Custom Fields +- ✅ Kanban-Board (`/crm/kanban`) mit Drag & Drop (@dnd-kit) +- ✅ Forecast-Ansicht +- ✅ Lexware Office Integration (Kontakte, Belege) +- ✅ North Data Enrichment +- ✅ **CRM Berechtigungsmodell (Phase 2.5)**: + - Sichtbarkeitsfilter OWN/TEAM/ALL pro Entity (COMPANY, CONTACT, DEAL, ACTIVITY) + - JWT enthält 
`tenantRole` + `department` + - ReadonlyGuard für READONLY-Rolle + - Admin-Einstellungsseite `/admin/crm-settings` + - Redis-Cache für Visibility-Settings (5 Min TTL) + +### Expertenprofil +- ✅ Skills, Erfahrungen, Projekte, Zertifizierungen, Sprachen, Anhänge +- ✅ 3-Spalten-Layout +- ✅ PDF-Export (Timeline, Logo, Akzentfarbe aus Branding) +- ✅ Word-Export (DOCX) + +### Profilzugriff (Admin) +- ✅ `ProfileAccessGroup` + `ProfileAccessGroupMember` Modelle +- ✅ Benutzergruppen mit canView/canExport/canEdit Berechtigungen +- ✅ Admin-UI `/admin/profile-access`: + - Tab "Gruppen": CRUD + Mitglieder verwalten + - Tab "Profile": alle User mit Aktionen (Ansehen, PDF, DOCX, Bearbeiten) +- ✅ Admin-Detailseite `/admin/profiles/:userId` (Profil im Admin-Kontext bearbeiten) +- ✅ Admin-Endpoints für alle Profil-Mutationen (`/expert-profile/admin/users/...`) + +### Admin-Bereich +- ✅ Benutzerverwaltung (`/admin/users`) +- ✅ SSO-Konfiguration (`/admin/sso`) +- ✅ Externe Links (`/admin/external-links`) +- ✅ **Anpassungen (`/admin/customize`)**: + - Sidebar-Breite, Logo, Farben + - Login-Hintergrund (Farbverlauf / Einfarbig / Hintergrundbild) +- ✅ Firmendaten (`/admin/company`) +- ✅ Events (`/admin/events`) +- ✅ SSL/Domain (`/admin/ssl`) +- ✅ Profilzugriff (`/admin/profile-access`) +- ✅ CRM Sichtbarkeit (`/admin/crm-settings`) + +### Login-Screen-Branding +- ✅ Dynamischer Hintergrund aus Branding-Einstellungen +- ✅ Logo auf Login-Seite (statt "INSIGHT"-Text) +- ✅ Typen: Farbverlauf, Einfarbig, Hintergrundbild (max 2MB) + +--- + +## Technische Infrastruktur + +| Komponente | Version/Details | +|------------|-----------------| +| Backend | NestJS 10, TypeScript strict | +| Frontend | React 18, Vite | +| Datenbank | PostgreSQL 16, Prisma ORM | +| Cache | Redis 7 (Pub/Sub + Cache) | +| Connection Pool | PgBouncer | +| API Gateway | Traefik 3 | +| Auth | RS256 JWT, bcrypt Cost 12 | +| mTLS | step-ca (Smallstep) | +| Container | Docker Compose | + +### Prisma-Schemas +- 
`core.schema.prisma` — User, Auth, Profile, Tenant, Integrations, ProfileAccess +- `crm.schema.prisma` — CRM-Entities, Pipelines, CustomFields, Contracts, Visibility + +### Branching +- Aktiver Branch: `feature/crm-service` +- 200 Commits seit Initial + +--- + +## API-Endpunkte (Core Service) + +``` +POST /api/v1/auth/login +POST /api/v1/auth/refresh +POST /api/v1/auth/logout +GET /api/v1/auth/integrations/microsoft-365 ← OAuth-Flow +GET /api/v1/auth/integrations/microsoft-365/callback + +GET /api/v1/users/me +PATCH /api/v1/users/me +GET /api/v1/users/team-members +GET /api/v1/users/me/integrations +DELETE /api/v1/users/me/integrations/microsoft-365 + +GET /api/v1/expert-profile/me +PATCH /api/v1/expert-profile/me/skills +POST /api/v1/expert-profile/me/experiences +... (Projekte, Zertifizierungen, Sprachen, Anhänge) +GET /api/v1/expert-profile/me/export/pdf +GET /api/v1/expert-profile/me/export/docx +GET /api/v1/expert-profile/admin/users +GET /api/v1/expert-profile/admin/users/:userId +GET /api/v1/expert-profile/admin/users/:userId/export/pdf +... (alle Profil-Mutationen für Admin) + +GET /api/v1/profile-access/groups +POST /api/v1/profile-access/groups +PATCH /api/v1/profile-access/groups/:id +DELETE /api/v1/profile-access/groups/:id +GET/POST/DELETE /api/v1/profile-access/groups/:id/members/:userId + +GET /api/v1/settings/branding +POST /api/v1/settings/branding +GET /api/v1/settings/company +POST /api/v1/settings/company +``` + +## API-Endpunkte (CRM Service) + +``` +Companies, Contacts, Deals, Activities, Pipelines, ... (vollständiges CRUD) +GET /api/v1/crm/visibility-settings +PUT /api/v1/crm/visibility-settings/:entity +GET /api/v1/crm/office365/emails +GET /api/v1/crm/office365/calendar +GET /api/v1/crm/office365/tasks +POST /api/v1/crm/office365/tasks +GET /api/v1/crm/office365/profile +```
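
Review bot: The endpoint list under "API-Endpunkte (Core Service)" states no required role or guard for the admin-scoped routes (`/api/v1/expert-profile/admin/users/:userId`, `POST /api/v1/settings/branding`, `POST /api/v1/settings/company`, the `profile-access/groups` mutations), so a reader cannot tell from this file which of them are admin-only; add an authorization column or a one-line note per route group. In the same block, `GET/POST/DELETE /api/v1/profile-access/groups/:id/members/:userId` folds three methods onto one path, the two `...` lines leave routes undocumented, and there are no entries for the 2FA (TOTP) and password-change features listed under "Auth & Benutzer"; list each route on its own line. Under "CRM Berechtigungsmodell", the item "Redis-Cache für Visibility-Settings (5 Min TTL)" should say whether `PUT /api/v1/crm/visibility-settings/:entity` invalidates the cache, since otherwise a tightened OWN/TEAM/ALL setting can lag by up to five minutes. The "Alle Services live und gesund" table, "Aktiver Branch" and "200 Commits seit Initial" are point-in-time values that will go stale in a committed file; drop them or mark them explicitly as a snapshot of 2026-03-15.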