Merge branch 'master' of https://gitea.bizmatch.net/tknuth/stadtwerke

2026-03-08 11:28:53 +01:00 · 2026-03-08 11:28:53 +01:00 · d93f43bf01
parent 7b22fdbc22 37bc8170db
commit d93f43bf01
41 changed files with 849 additions and 162 deletions
--- a/README.md
+++ b/README.md
@ -5,6 +5,14 @@

 ---

+## Technisches Setup
+
+Die aktuelle und verbindliche Anleitung fuer Start, Docker-Deployment, Migrationen und Seeding liegt in:
+
+- `innungsapp/README.md`
+
+Dieses Root-README ist eine Produkt- und Strategieuebersicht.
+
 ## Was ist InnungsApp?

 InnungsApp ist eine mobile-first SaaS-Plattform, die Innungen und Kreishandwerkerschaften digitalisiert. Sie löst zwei akute Probleme gleichzeitig:
@ -56,7 +64,7 @@ InnungsApp ist eine mobile-first SaaS-Plattform, die Innungen und Kreishandwerke
 - **Hosting:** Vercel
 - **Analytics:** PostHog

-## Quickstart
+## Quickstart (Legacy, nicht der aktuelle Betriebsweg)

 ```bash
 # Repo klonen
@ -78,3 +86,5 @@ pnpm --filter @innungsapp/admin dev -- --port 3032
 npx expo start --clear

 Demo: admin@demo.de / demo1234
+
+Hinweis: Fuer den aktuellen lokalen/produktiven Betrieb bitte `innungsapp/README.md` verwenden.
--- a/innungsapp/.env.example
+++ b/innungsapp/.env.example
@ -1,9 +1,10 @@
 # =============================================
-# DATABASE (SQLite — kein externer DB-Server nötig)
-# Dev:  file:../../packages/shared/prisma/dev.db
-# Prod: file:./prisma/prod.db
+# DATABASE (PostgreSQL)
 # =============================================
-DATABASE_URL="file:../../packages/shared/prisma/dev.db"
+POSTGRES_DB="innungsapp"
+POSTGRES_USER="innungsapp"
+POSTGRES_PASSWORD="innungsapp"
+DATABASE_URL="postgresql://innungsapp:innungsapp@localhost:5432/innungsapp?schema=public"

 # =============================================
 # BETTER-AUTH
@ -28,6 +29,12 @@ NEXT_PUBLIC_APP_URL="http://localhost:3000"
 NEXT_PUBLIC_POSTHOG_KEY=""
 NEXT_PUBLIC_POSTHOG_HOST="https://us.i.posthog.com"

+# =============================================
+# SUPERADMIN SEED
+# =============================================
+SUPERADMIN_EMAIL="superadmin@innungsapp.de"
+SUPERADMIN_PASSWORD="change-me-strong-password"
+
 # =============================================
 # MOBILE APP (Expo)
 # =============================================
--- a/innungsapp/.env.production.example
+++ b/innungsapp/.env.production.example
@ -3,6 +3,12 @@
 # Kopieren als: innungsapp/.env
 # =============================================

+# Database (PostgreSQL)
+POSTGRES_DB="innungsapp"
+POSTGRES_USER="innungsapp"
+POSTGRES_PASSWORD="change-this-db-password"
+DATABASE_URL="postgresql://innungsapp:change-this-db-password@postgres:5432/innungsapp?schema=public"
+
 # Auth — UNBEDINGT ändern!
 BETTER_AUTH_SECRET="min-32-zeichen-langer-zufalls-string"
 BETTER_AUTH_URL="https://yourdomain.com"
@ -20,5 +26,9 @@ NEXT_PUBLIC_APP_URL="https://yourdomain.com"
 NEXT_PUBLIC_POSTHOG_KEY=""
 NEXT_PUBLIC_POSTHOG_HOST="https://us.i.posthog.com"

+# Superadmin Seed
+SUPERADMIN_EMAIL="superadmin@yourdomain.com"
+SUPERADMIN_PASSWORD="change-this-superadmin-password"
+
 # Uploads
 UPLOAD_MAX_SIZE_MB="10"
--- a/innungsapp/.gitignore
+++ b/innungsapp/.gitignore
@ -21,9 +21,6 @@ out
 # Uploads (local file storage)
 apps/admin/uploads/

-# Prisma
-packages/shared/prisma/migrations/
-
 # Expo
 apps/mobile/.expo
 apps/mobile/android
--- a/innungsapp/README.md
+++ b/innungsapp/README.md
@ -11,7 +11,7 @@ Digitale Plattform fuer Innungen mit Admin-Dashboard (Next.js) und Mobile App (E
 | Mobile App | Expo + React Native |
 | API | tRPC v11 |
 | Auth | better-auth (magic links + credential login) |
-| Database | SQLite + Prisma ORM |
+| Database | PostgreSQL + Prisma ORM (`jsonb` fuer Landing-Page-Felder) |
 | Styling | Tailwind CSS (admin), NativeWind (mobile) |

 ## Projektstruktur
@ -30,6 +30,11 @@ innungsapp/

 ## Local Setup

+Port-Hinweis:
+
+- Ohne Docker (lokales `pnpm dev`): App typischerweise auf `http://localhost:3000`
+- Mit Docker Compose: App auf `http://localhost:3010` (Container-intern weiter `3000`)
+
 ### Voraussetzungen

 - Node.js >= 20
@ -45,13 +50,21 @@ pnpm install
 ### 2. Umgebungsvariablen setzen (Admin lokal)

 ```bash
-cp .env.example apps/admin/.env.local
+cp .env.example .env
 ```

-Danach `apps/admin/.env.local` anpassen (mindestens `BETTER_AUTH_SECRET`, SMTP-Werte).
+Danach `.env` anpassen (mindestens `DATABASE_URL`, `BETTER_AUTH_SECRET`, SMTP-Werte).

 ### 3. DB vorbereiten (lokal)

+Lokale PostgreSQL-DB starten (nur falls noch nicht aktiv):
+
+```bash
+docker compose up -d postgres
+```
+
+Prisma vorbereiten:
+
 ```bash
 pnpm db:generate
 pnpm db:push
@ -61,6 +74,7 @@ Optional Demo-Daten:

 ```bash
 pnpm db:seed
+pnpm db:seed-superadmin
 ```

 ### 4. Entwicklung starten
@ -102,6 +116,10 @@ cp .env.production.example .env

 Pflichtwerte in `.env`:

+- `DATABASE_URL` (PostgreSQL DSN, z. B. `postgresql://innungsapp:...@postgres:5432/innungsapp?schema=public`)
+- `POSTGRES_DB`
+- `POSTGRES_USER`
+- `POSTGRES_PASSWORD`
 - `BETTER_AUTH_SECRET` (mindestens 32 Zeichen)
 - `BETTER_AUTH_URL` (z. B. `https://app.deine-innung.de`)
 - `NEXT_PUBLIC_APP_URL` (gleich wie `BETTER_AUTH_URL`)
@ -111,6 +129,8 @@ Pflichtwerte in `.env`:
 - `SMTP_SECURE`
 - `SMTP_USER`
 - `SMTP_PASS`
+- `SUPERADMIN_EMAIL`
+- `SUPERADMIN_PASSWORD`

 ### 3. Container bauen und starten

@ -127,10 +147,14 @@ Hinweis zum DB-Start:

 ```bash
 docker compose logs -f admin
-curl -fsS http://localhost:3000/api/health
+curl -fsS http://localhost:3010/api/health
 ```

-Erwartet: JSON mit `status: "ok"`.
+Erwartet: JSON mit `"status":"ok"`, z. B.
+
+```json
+{"status":"ok","timestamp":"2026-03-04T12:34:56.789Z"}
+```

 ### 5. Superadmin anlegen (nur beim ersten Start)

@ -138,16 +162,20 @@ Erwartet: JSON mit `status: "ok"`.
 docker compose exec -w /app admin node packages/shared/prisma/seed-superadmin.js
 ```

-Default Login:
+Login-Daten kommen aus `.env`:

- E-Mail: `superadmin@innungsapp.de`
- Passwort: `demo1234`
+- E-Mail: `SUPERADMIN_EMAIL`
+- Passwort: `SUPERADMIN_PASSWORD`

-Passwort direkt nach dem ersten Login aendern.
+Hinweis:
+
+- In `NODE_ENV=production` bricht der Seed ab, wenn `SUPERADMIN_PASSWORD` fehlt.
+- In Entwicklung wird ohne `SUPERADMIN_PASSWORD` als Fallback `demo1234` genutzt.
+- Der Seed ist idempotent (`upsert`) und kann bei Bedarf erneut ausgefuehrt werden.

 ### 6. HTTPS (Reverse Proxy)

-Nginx sollte auf `localhost:3000` weiterleiten und TLS terminieren.
+Nginx sollte auf `localhost:3010` weiterleiten und TLS terminieren.
 Beispiel:

 ```nginx
@ -165,7 +193,7 @@ server {
  ssl_certificate_key /etc/letsencrypt/live/app.deine-innung.de/privkey.pem;

  location / {
-    proxy_pass http://localhost:3000;
+    proxy_pass http://localhost:3010;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
@ -188,7 +216,7 @@ docker compose logs -f admin
 Vorher die exakten Volumenamen pruefen:

 ```bash
-docker volume ls | grep db_data
+docker volume ls | grep pg_data
 docker volume ls | grep uploads_data
 ```

@ -197,9 +225,9 @@ Backup:
 ```bash
 mkdir -p backups
 docker run --rm \
-  -v innungsapp_db_data:/volume \
+  -v innungsapp_pg_data:/volume \
  -v "$(pwd)/backups:/backup" \
-  alpine sh -c "tar czf /backup/db_data_$(date +%F_%H%M).tar.gz -C /volume ."
+  alpine sh -c "tar czf /backup/pg_data_$(date +%F_%H%M).tar.gz -C /volume ."
 ```

 Restore (nur bei gestoppter App):
@ -207,12 +235,59 @@ Restore (nur bei gestoppter App):
 ```bash
 docker compose down
 docker run --rm \
-  -v innungsapp_db_data:/volume \
+  -v innungsapp_pg_data:/volume \
  -v "$(pwd)/backups:/backup" \
  alpine sh -c "rm -rf /volume/* && tar xzf /backup/<backup-file>.tar.gz -C /volume"
 docker compose up -d
 ```

+### 9. Verifizierte Kommandos (Stand 4. Maerz 2026)
+
+Die folgenden Befehle wurden in dieser Umgebung erfolgreich ausgefuehrt:
+
+```bash
+# 1) Postgres starten (falls noch nicht aktiv)
+docker compose up -d postgres
+
+# 2) Prisma Client generieren
+(cd packages/shared && npx prisma generate)
+
+# 3) Initiale PostgreSQL-Migration erstellen (einmalig)
+(cd packages/shared && \
+  DATABASE_URL="postgresql://innungsapp:innungsapp@localhost:5432/innungsapp?schema=public" \
+  npx prisma migrate dev --name init_postgres --schema=prisma/schema.prisma --create-only)
+
+# 4) Migration anwenden
+(cd packages/shared && \
+  DATABASE_URL="postgresql://innungsapp:innungsapp@localhost:5432/innungsapp?schema=public" \
+  npx prisma migrate deploy --schema=prisma/schema.prisma)
+
+# 5) Gesamtes Setup bauen und starten
+docker compose up -d --build
+
+# 6) Superadmin seeden (mit ENV-Werten)
+docker compose exec -e SUPERADMIN_EMAIL=superadmin@innungsapp.de \
+  -e SUPERADMIN_PASSWORD='demo1234' \
+  -w /app admin node packages/shared/prisma/seed-superadmin.js
+
+# 7) Laufzeitstatus pruefen
+docker compose ps
+docker compose logs --tail 80 admin
+curl -fsS http://localhost:3010/api/health
+```
+
+Optionale SQL-Verifikation (wurde ebenfalls erfolgreich getestet):
+
+```bash
+# JSONB-Spalten pruefen
+docker compose exec -T postgres psql -U innungsapp -d innungsapp -c \
+"SELECT column_name, data_type FROM information_schema.columns WHERE table_name = 'organizations' AND column_name IN ('landing_page_features','landing_page_footer') ORDER BY column_name;"
+
+# Seeded Superadmin pruefen
+docker compose exec -T postgres psql -U innungsapp -d innungsapp -c \
+"SELECT u.email, u.role, u.email_verified, a.provider_id, (a.password IS NOT NULL) AS has_password FROM \"user\" u LEFT JOIN account a ON a.user_id = u.id AND a.provider_id = 'credential' WHERE u.email = 'superadmin@innungsapp.de';"
+```
+
 ## Mobile Release (EAS)

 ```bash
@ -231,14 +306,14 @@ Wichtig:
 ### `migrate deploy` oder `db push` fehlschlaegt

 - `DATABASE_URL` pruefen
- Rechte auf `/app/data` pruefen
+- `postgres` Container Healthcheck pruefen (`docker compose ps`)
 - Logs: `docker compose logs -f admin`

 ### Healthcheck liefert Fehler

 - Containerstatus: `docker compose ps`
 - App-Logs lesen
- Reverse Proxy testweise umgehen und direkt `localhost:3000` pruefen
+- Reverse Proxy testweise umgehen und direkt `http://localhost:3010/api/health` pruefen

 ### Login funktioniert nicht nach Seed

--- a/innungsapp/apps/admin/Dockerfile
+++ b/innungsapp/apps/admin/Dockerfile
@ -79,6 +79,10 @@ COPY --from=builder /app/apps/admin/public ./apps/admin/public
 # Copy Prisma schema + migrations for runtime migrations
 COPY --from=builder /app/packages/shared/prisma ./packages/shared/prisma

+# Copy Prisma Client package for runtime seed scripts.
+COPY --from=builder /app/node_modules/.pnpm/@prisma+client@5.22.0_prisma@5.22.0/node_modules/@prisma ./node_modules/@prisma
+COPY --from=builder /app/node_modules/.pnpm/@prisma+client@5.22.0_prisma@5.22.0/node_modules/.prisma ./node_modules/.prisma
+
 # Copy Prisma Engine binaries directly to .next/server (where Next.js looks for them)
 COPY --from=builder /app/node_modules/.pnpm/@prisma+client@5.22.0_prisma@5.22.0/node_modules/.prisma/client/libquery_engine-debian-openssl-3.0.x.so.node /app/apps/admin/.next/server/
 COPY --from=builder /app/node_modules/.pnpm/@prisma+client@5.22.0_prisma@5.22.0/node_modules/.prisma/client/schema.prisma /app/apps/admin/.next/server/
@ -89,9 +93,6 @@ RUN npm install -g prisma@5.22.0
 # Create uploads directory
 RUN mkdir -p /app/uploads && chown nextjs:nodejs /app/uploads

-# Create SQLite data directory
-RUN mkdir -p /app/data && chown nextjs:nodejs /app/data
-
 # Copy entrypoint
 COPY --from=builder /app/apps/admin/docker-entrypoint.sh ./docker-entrypoint.sh
 RUN chmod +x ./docker-entrypoint.sh
--- a/innungsapp/apps/admin/app/[slug]/actions.ts
+++ b/innungsapp/apps/admin/app/[slug]/actions.ts
@ -2,7 +2,6 @@

 import { auth, getSanitizedHeaders } from '@/lib/auth'
 import { prisma } from '@innungsapp/shared'
-import { redirect } from 'next/navigation'
 // @ts-ignore
 import { hashPassword } from 'better-auth/crypto'

@ -25,7 +24,6 @@ export async function changePasswordAndDisableMustChange(prevState: any, formDat
    }

    const userId = session.user.id
-    const slug = formData.get('slug') as string

    // Hash and save new password directly — user is already authenticated so no old password needed
    const newHash = await hashPassword(newPassword)
@ -64,5 +62,9 @@ export async function changePasswordAndDisableMustChange(prevState: any, formDat
        // ignore
    }

-    redirect(`/login?message=password_changed&callbackUrl=/${slug}/dashboard`)
+    return {
+        success: true,
+        error: '',
+        redirectTo: `/login?message=password_changed&callbackUrl=/dashboard`,
+    }
 }
--- a/innungsapp/apps/admin/app/[slug]/dashboard/ForcePasswordChange.tsx
+++ b/innungsapp/apps/admin/app/[slug]/dashboard/ForcePasswordChange.tsx
@ -1,10 +1,17 @@
 'use client'

+import { useEffect } from 'react'
 import { useActionState } from 'react'
 import { changePasswordAndDisableMustChange } from '../actions'

 export function ForcePasswordChange({ slug }: { slug: string }) {
-    const [state, action, isPending] = useActionState(changePasswordAndDisableMustChange, { success: false, error: '' })
+    const [state, action, isPending] = useActionState(changePasswordAndDisableMustChange, { success: false, error: '', redirectTo: '' })
+
+    useEffect(() => {
+        if (state?.success && state?.redirectTo) {
+            window.location.href = state.redirectTo
+        }
+    }, [state?.success, state?.redirectTo])

    return (
        <div className="bg-white border rounded-xl p-8 max-w-md w-full shadow-sm">
--- a/innungsapp/apps/admin/app/[slug]/page.tsx
+++ b/innungsapp/apps/admin/app/[slug]/page.tsx
@ -2,6 +2,24 @@ import { prisma } from '@innungsapp/shared'
 import { notFound } from 'next/navigation'
 import Link from 'next/link'

+function jsonToText(value: unknown): string {
+    if (value == null) {
+        return ''
+    }
+
+    if (typeof value === 'string') {
+        return value
+    }
+
+    if (Array.isArray(value)) {
+        return value
+            .map((item) => (typeof item === 'string' ? item : JSON.stringify(item)))
+            .join('\n')
+    }
+
+    return JSON.stringify(value)
+}
+
 export default async function TenantLandingPage({
    params,
 }: {
@ -26,8 +44,8 @@ export default async function TenantLandingPage({
    const secondaryColor = org.secondaryColor || undefined
    const title = org.landingPageTitle || org.name || 'Zukunft durch Handwerk'
    const text = org.landingPageText || 'Wir sind Ihre lokale Vertretung des Handwerks. Mit starker Gemeinschaft und klaren Zielen setzen wir uns für die Betriebe in unserer Region ein.'
-    const features = org.landingPageFeatures || '✅ Exzellente Ausbildung\n✅ Starke Gemeinschaft\n✅ Politische Interessenvertretung'
-    const footer = org.landingPageFooter || `© ${new Date().getFullYear()} ${org.name}`
+    const features = jsonToText(org.landingPageFeatures) || '✅ Exzellente Ausbildung\n✅ Starke Gemeinschaft\n✅ Politische Interessenvertretung'
+    const footer = jsonToText(org.landingPageFooter) || `© ${new Date().getFullYear()} ${org.name}`
    const sectionTitle = org.landingPageSectionTitle || `${org.name || 'Ihre Innung'} – Gemeinsam stark fürs Handwerk`
    const buttonText = org.landingPageButtonText || 'Jetzt App laden'

--- a/innungsapp/apps/admin/app/api/ai/generate-landing-page/route.ts
+++ b/innungsapp/apps/admin/app/api/ai/generate-landing-page/route.ts
@ -39,9 +39,32 @@ function getModel(provider: LlmProvider): string {
    return process.env.OPENAI_MODEL || 'gpt-4o-mini'
 }

+function hasApiKey(provider: LlmProvider): boolean {
+    if (provider === 'openrouter') return !!process.env.OPENROUTER_API_KEY
+    return !!process.env.OPENAI_API_KEY
+}
+
+function buildFallbackLandingContent(orgName: string, context: string) {
+    const cleanOrg = orgName.trim()
+    const cleanContext = context.trim().replace(/\s+/g, ' ')
+    const shortContext = cleanContext.slice(0, 180)
+    const detailSentence = shortContext
+        ? `Dabei stehen insbesondere ${shortContext}.`
+        : 'Dabei stehen regionale Vernetzung, starke Ausbildung und praxisnahe Unterstützung im Mittelpunkt.'
+
+    return {
+        title: `${cleanOrg} - Stark im Handwerk`,
+        text: `${cleanOrg} verbindet Betriebe, stärkt die Gemeinschaft und setzt sich für die Interessen des Handwerks vor Ort ein. ${detailSentence}`,
+        fallbackUsed: true,
+    }
+}
+
 export async function POST(req: Request) {
+    let parsedBody: any = null
+
    try {
        const body = await req.json()
+        parsedBody = body
        const { orgName, context } = body

        if (!orgName || !context) {
@ -49,9 +72,14 @@ export async function POST(req: Request) {
        }

        const provider = getProvider()
-        const client = createClient(provider)
        const model = getModel(provider)

+        if (!hasApiKey(provider)) {
+            return NextResponse.json(buildFallbackLandingContent(orgName, context))
+        }
+
+        const client = createClient(provider)
+
        const systemMessage = `Sie sind ein professioneller Copywriter für eine moderne deutsche Innung oder Kreishandwerkerschaft.
 Erstellen Sie eine moderne, ansprechende Überschrift (Heading) und einen Einleitungstext für eine Landingpage.

@ -89,6 +117,10 @@ WICHTIG: Geben Sie AUSSCHLIESSLICH ein valides JSON-Objekt zurück, komplett ohn

    } catch (error: any) {
        console.error('Error generating AI landing page content:', error)
+        if (parsedBody?.orgName && parsedBody?.context) {
+            return NextResponse.json(buildFallbackLandingContent(parsedBody.orgName, parsedBody.context))
+        }
+
        return NextResponse.json({ error: error?.message || 'Failed to generate content' }, { status: 500 })
    }
 }
--- a/innungsapp/apps/admin/app/api/auth/clear-must-change-password/route.ts
+++ b/innungsapp/apps/admin/app/api/auth/clear-must-change-password/route.ts
@ -1,10 +1,9 @@
 import { NextResponse } from 'next/server'
-import { auth } from '@/lib/auth'
+import { auth, getSanitizedHeaders } from '@/lib/auth'
 import { prisma } from '@innungsapp/shared'
-import { headers } from 'next/headers'

 export async function POST() {
-  const session = await auth.api.getSession({ headers: await headers() })
+  const session = await auth.api.getSession({ headers: await getSanitizedHeaders() })
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Nicht eingeloggt' }, { status: 401 })
  }
--- a/innungsapp/apps/admin/app/api/auth/force-set-password/route.ts
+++ b/innungsapp/apps/admin/app/api/auth/force-set-password/route.ts
@ -1,12 +1,11 @@
 import { NextRequest, NextResponse } from 'next/server'
-import { auth } from '@/lib/auth'
+import { auth, getSanitizedHeaders } from '@/lib/auth'
 import { prisma } from '@innungsapp/shared'
-import { headers } from 'next/headers'
 // @ts-ignore
 import { hashPassword } from 'better-auth/crypto'

 export async function POST(req: NextRequest) {
-  const session = await auth.api.getSession({ headers: await headers() })
+  const session = await auth.api.getSession({ headers: await getSanitizedHeaders() })
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Nicht eingeloggt' }, { status: 401 })
  }
--- a/innungsapp/apps/admin/app/api/export/termin/[id]/route.ts
+++ b/innungsapp/apps/admin/app/api/export/termin/[id]/route.ts
@ -1,9 +1,9 @@
 import { NextRequest } from 'next/server'
-import { auth } from '@/lib/auth'
+import { auth, getSanitizedHeaders } from '@/lib/auth'
 import { prisma } from '@innungsapp/shared'

 export async function GET(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
-  const session = await auth.api.getSession({ headers: req.headers })
+  const session = await auth.api.getSession({ headers: await getSanitizedHeaders(req.headers) })
  if (!session?.user) {
    return new Response('Unauthorized', { status: 401 })
  }
--- a/innungsapp/apps/admin/app/api/push-token/route.ts
+++ b/innungsapp/apps/admin/app/api/push-token/route.ts
@ -1,9 +1,9 @@
 import { NextRequest, NextResponse } from 'next/server'
-import { auth } from '@/lib/auth'
+import { auth, getSanitizedHeaders } from '@/lib/auth'
 import { prisma } from '@innungsapp/shared'

 export async function POST(req: NextRequest) {
-  const session = await auth.api.getSession({ headers: req.headers })
+  const session = await auth.api.getSession({ headers: await getSanitizedHeaders(req.headers) })
  if (!session?.user) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
--- a/innungsapp/apps/admin/app/api/setup/route.ts
+++ b/innungsapp/apps/admin/app/api/setup/route.ts
@ -1,6 +1,6 @@
 /**
 * DEV-ONLY: Sets a password for the demo admin user via better-auth.
- * Call once after seeding: GET http://localhost:3032/api/setup
+ * Call once after seeding: GET http://localhost:3010/api/setup
 * Remove this file before going to production.
 */
 import { NextResponse } from 'next/server'
--- a/innungsapp/apps/admin/app/api/upload/route.ts
+++ b/innungsapp/apps/admin/app/api/upload/route.ts
@ -2,14 +2,21 @@ import { NextRequest, NextResponse } from 'next/server'
 import { writeFile, mkdir } from 'fs/promises'
 import path from 'path'
 import { randomUUID } from 'crypto'
-import { auth } from '@/lib/auth'
+import { auth, getSanitizedHeaders } from '@/lib/auth'

-const UPLOAD_DIR = process.env.UPLOAD_DIR ?? './uploads'
+const UPLOAD_DIR = process.env.UPLOAD_DIR ?? (process.env.NODE_ENV === 'production' ? '/app/uploads' : './uploads')
 const MAX_SIZE_BYTES = Number(process.env.UPLOAD_MAX_SIZE_MB ?? 10) * 1024 * 1024

+function getUploadRoot() {
+  if (path.isAbsolute(UPLOAD_DIR)) {
+    return UPLOAD_DIR
+  }
+  return path.resolve(process.cwd(), UPLOAD_DIR)
+}
+
 export async function POST(req: NextRequest) {
  // Auth check
-  const session = await auth.api.getSession({ headers: req.headers })
+  const session = await auth.api.getSession({ headers: await getSanitizedHeaders(req.headers) })
  if (!session?.user) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
@ -39,7 +46,7 @@ export async function POST(req: NextRequest) {

  const ext = path.extname(file.name)
  const fileName = `${randomUUID()}${ext}`
-  const uploadPath = path.join(process.cwd(), UPLOAD_DIR)
+  const uploadPath = getUploadRoot()

  await mkdir(uploadPath, { recursive: true })
  const buffer = Buffer.from(await file.arrayBuffer())
--- a/innungsapp/apps/admin/app/api/uploads/[...path]/route.ts
+++ b/innungsapp/apps/admin/app/api/uploads/[...path]/route.ts
@ -2,21 +2,28 @@ import { NextRequest, NextResponse } from 'next/server'
 import { readFile } from 'fs/promises'
 import path from 'path'

-const UPLOAD_DIR = process.env.UPLOAD_DIR ?? './uploads'
-// Added comment to force recompile after ENOSPC
+const UPLOAD_DIR = process.env.UPLOAD_DIR ?? (process.env.NODE_ENV === 'production' ? '/app/uploads' : './uploads')
+
+function getUploadRoot() {
+  if (path.isAbsolute(UPLOAD_DIR)) {
+    return UPLOAD_DIR
+  }
+  return path.resolve(process.cwd(), UPLOAD_DIR)
+}

 export async function GET(
  req: NextRequest,
  { params }: { params: Promise<{ path: string[] }> }
 ) {
  try {
-    const { path: filePathParams } = await params;
-    const filePath = path.join(process.cwd(), UPLOAD_DIR, ...filePathParams)
+    const { path: filePathParams } = await params
+    const uploadRoot = getUploadRoot()
+    const filePath = path.join(uploadRoot, ...filePathParams)

    // Security: prevent path traversal
    const resolved = path.resolve(filePath)
-    const uploadDir = path.resolve(path.join(process.cwd(), UPLOAD_DIR))
-    if (!resolved.startsWith(uploadDir)) {
+    const uploadDir = path.resolve(uploadRoot)
+    if (!resolved.startsWith(uploadDir + path.sep) && resolved !== uploadDir) {
      return new NextResponse('Forbidden', { status: 403 })
    }

--- a/innungsapp/apps/admin/app/dashboard/page.tsx
+++ b/innungsapp/apps/admin/app/dashboard/page.tsx
@ -1,4 +1,4 @@
-import { auth } from '@/lib/auth'
+import { auth, getSanitizedHeaders } from '@/lib/auth'
 import { prisma } from '@innungsapp/shared'
 import { headers } from 'next/headers'
 import Link from 'next/link'
@ -7,7 +7,7 @@ import { redirect } from 'next/navigation'
 export default async function GlobalDashboardRedirect() {
    const headerList = await headers()
    const host = headerList.get('host') || ''
-    const session = await auth.api.getSession({ headers: headerList })
+    const session = await auth.api.getSession({ headers: await getSanitizedHeaders(headerList) })

    if (!session?.user) {
        redirect('/login')
@ -93,9 +93,8 @@ export default async function GlobalDashboardRedirect() {

                <form action={async () => {
                    'use server'
-                    const { auth } = await import('@/lib/auth')
-                    const { headers } = await import('next/headers')
-                    await auth.api.signOut({ headers: await headers() })
+                    const { auth, getSanitizedHeaders } = await import('@/lib/auth')
+                    await auth.api.signOut({ headers: await getSanitizedHeaders() })
                    redirect('/login')
                }}>
                    <button type="submit" className="text-sm font-medium text-brand-600 hover:text-brand-700">
--- a/innungsapp/apps/admin/app/passwort-aendern/page.tsx
+++ b/innungsapp/apps/admin/app/passwort-aendern/page.tsx
@ -6,7 +6,7 @@ import { createAuthClient } from 'better-auth/react'
 const authClient = createAuthClient({
  baseURL: typeof window !== 'undefined'
    ? window.location.origin
-    : (process.env.NEXT_PUBLIC_APP_URL ?? 'http://localhost:3032'),
+    : (process.env.NEXT_PUBLIC_APP_URL ?? 'http://localhost:3010'),
 })

 export default function PasswortAendernPage() {
--- a/innungsapp/apps/admin/app/superadmin/CreateOrgForm.tsx
+++ b/innungsapp/apps/admin/app/superadmin/CreateOrgForm.tsx
@ -86,6 +86,9 @@ export function CreateOrgForm() {
    }

    const [isHeroUploading, setIsHeroUploading] = useState(false)
+    const appBaseUrl = (typeof window !== 'undefined'
+        ? window.location.origin
+        : (process.env.NEXT_PUBLIC_APP_URL ?? 'http://localhost:3010')).replace(/\/$/, '')

    const handleHeroUpload = async (e: React.ChangeEvent<HTMLInputElement>) => {
        const file = e.target.files?.[0]
@ -182,7 +185,7 @@ export function CreateOrgForm() {
                            <div>
                                <label className="block text-xs font-semibold text-gray-400 uppercase tracking-widest mb-2">Kurzbezeichnung (Slug)</label>
                                <input type="text" name="slug" required value={formData.slug} onChange={handleChange} placeholder="z.B. tischler-berlin" pattern="^[a-z0-9\-]+$" className="w-full px-4 py-3 border border-gray-200 rounded-xl focus:ring-2 focus:ring-[#E63946] focus:border-[#E63946] outline-none transition-all placeholder:text-gray-300" />
-                                <p className="text-[11px] text-gray-400 mt-2 leading-relaxed">Landingpage unter: <span className="text-[#E63946] font-medium">{formData.slug ? `${formData.slug}.localhost:3032` : 'ihr-slug.localhost:3032'}</span></p>
+                                <p className="text-[11px] text-gray-400 mt-2 leading-relaxed">Landingpage unter: <span className="text-[#E63946] font-medium">{formData.slug ? `${appBaseUrl}/${formData.slug}` : `${appBaseUrl}/ihr-slug`}</span></p>
                            </div>
                            <div>
                                <label className="block text-xs font-semibold text-gray-400 uppercase tracking-widest mb-2">Planungs-Modell</label>
@ -407,8 +410,8 @@ export function CreateOrgForm() {

                            <div className="bg-[#F8FEFB] p-6 rounded-2xl border border-[#E1F5EA] text-left mb-8">
                                <p className="text-[10px] font-bold text-[#8CAB99] uppercase tracking-[0.15em] mb-4">Ihre neue Landingpage (Localhost) / Subdomain</p>
-                                <a href={`http://${formData.slug}.localhost:3032`} target="_blank" rel="noreferrer" className="text-[#E63946] font-bold text-lg hover:underline block break-all">
-                                    {formData.slug}.localhost:3032
+                                <a href={`${appBaseUrl}/${formData.slug}`} target="_blank" rel="noreferrer" className="text-[#E63946] font-bold text-lg hover:underline block break-all">
+                                    {appBaseUrl}/{formData.slug}
                                </a>
                            </div>

--- a/innungsapp/apps/admin/app/superadmin/actions.ts
+++ b/innungsapp/apps/admin/app/superadmin/actions.ts
@ -1,10 +1,9 @@
 'use server'

-import { prisma } from '@innungsapp/shared'
-import { auth } from '@/lib/auth'
+import { prisma, Prisma } from '@innungsapp/shared'
+import { auth, getSanitizedHeaders } from '@/lib/auth'
 import { revalidatePath } from 'next/cache'
 import { redirect } from 'next/navigation'
-import { headers } from 'next/headers'
 import { z } from 'zod'
 import { sendAdminCredentialsEmail } from '@/lib/email'
 // @ts-ignore
@ -14,6 +13,14 @@ function normalizeEmail(email: string | null | undefined): string {
  return (email ?? '').trim().toLowerCase()
 }

+function toJsonbText(value: string | undefined): Prisma.InputJsonValue | Prisma.NullableJsonNullValueInput {
+  if (!value) {
+    return Prisma.DbNull
+  }
+
+  return value
+}
+
 /**
 * Sets a credential (email+password) account for a user.
 * Uses direct DB write with better-auth's hashPassword for compatibility.
@ -39,7 +46,7 @@ async function setCredentialPassword(userId: string, password: string) {


 async function requireSuperAdmin() {
-  const session = await auth.api.getSession({ headers: await headers() })
+  const session = await auth.api.getSession({ headers: await getSanitizedHeaders() })
  const superAdminEmail = process.env.SUPERADMIN_EMAIL || 'superadmin@innungsapp.de'

  // An admin is either specifically the superadmin email OR has the 'admin' role from better-auth admin plugin
@ -165,8 +172,8 @@ export async function createOrganization(prevState: any, formData: FormData) {
        landingPageHeroImage: validatedData.landingPageHeroImage || null,
        // @ts-ignore
        landingPageHeroOverlayOpacity: validatedData.landingPageHeroOverlayOpacity,
-        landingPageFeatures: validatedData.landingPageFeatures || null,
-        landingPageFooter: validatedData.landingPageFooter || null,
+        landingPageFeatures: toJsonbText(validatedData.landingPageFeatures),
+        landingPageFooter: toJsonbText(validatedData.landingPageFooter),
        landingPageSectionTitle: validatedData.landingPageSectionTitle || null,
        landingPageButtonText: validatedData.landingPageButtonText || null,
        appStoreUrl: validatedData.appStoreUrl || null,
@ -221,7 +228,7 @@ export async function createOrganization(prevState: any, formData: FormData) {
            adminName: user.name || validatedData.adminEmail.split('@')[0],
            orgName: org.name,
            password: validatedData.adminPassword,
-            loginUrl: process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3032',
+            loginUrl: process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3010',
          })
        } catch (emailError) {
          console.error('E-Mail konnte nicht gesendet werden:', emailError)
@ -276,8 +283,8 @@ export async function updateOrganization(id: string, prevState: any, formData: F
        landingPageTitle: validatedData.landingPageTitle || null,
        landingPageText: validatedData.landingPageText || null,
        landingPageHeroImage: validatedData.landingPageHeroImage || null,
-        landingPageFeatures: validatedData.landingPageFeatures || null,
-        landingPageFooter: validatedData.landingPageFooter || null,
+        landingPageFeatures: toJsonbText(validatedData.landingPageFeatures),
+        landingPageFooter: toJsonbText(validatedData.landingPageFooter),
        landingPageSectionTitle: validatedData.landingPageSectionTitle || null,
        landingPageButtonText: validatedData.landingPageButtonText || null,
        appStoreUrl: validatedData.appStoreUrl || null,
@ -383,7 +390,7 @@ export async function createAdmin(prevState: any, formData: FormData) {
        adminName: validatedData.name,
        orgName: org?.name || 'Ihre Innung',
        password: validatedData.password,
-        loginUrl: process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3032',
+        loginUrl: process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3010',
      })
    } catch (emailError) {
      console.error('E-Mail konnte nicht gesendet werden (Admin wurde trotzdem angelegt):', emailError)
--- a/innungsapp/apps/admin/app/superadmin/layout.tsx
+++ b/innungsapp/apps/admin/app/superadmin/layout.tsx
@ -1,5 +1,4 @@
-import { auth } from '@/lib/auth'
-import { headers } from 'next/headers'
+import { auth, getSanitizedHeaders } from '@/lib/auth'
 import { redirect } from 'next/navigation'
 import Link from 'next/link'

@ -8,7 +7,7 @@ export default async function SuperAdminLayout({
 }: {
    children: React.ReactNode
 }) {
-    const session = await auth.api.getSession({ headers: await headers() })
+    const session = await auth.api.getSession({ headers: await getSanitizedHeaders() })

    if (!session?.user) {
        redirect('/login')
--- a/innungsapp/apps/admin/app/superadmin/organizations/[id]/EditOrgForm.tsx
+++ b/innungsapp/apps/admin/app/superadmin/organizations/[id]/EditOrgForm.tsx
@ -3,6 +3,24 @@
 import { useActionState, useState } from 'react'
 import { updateOrganization } from '../../actions'

+function jsonToText(value: unknown): string {
+    if (value == null) {
+        return ''
+    }
+
+    if (typeof value === 'string') {
+        return value
+    }
+
+    if (Array.isArray(value)) {
+        return value
+            .map((item) => (typeof item === 'string' ? item : JSON.stringify(item)))
+            .join('\n')
+    }
+
+    return JSON.stringify(value)
+}
+
 interface Props {
    org: {
        id: string
@ -18,8 +36,8 @@ interface Props {
        landingPageButtonText: string | null
        landingPageHeroImage: string | null
        landingPageHeroOverlayOpacity: number | null
-        landingPageFeatures: string | null
-        landingPageFooter: string | null
+        landingPageFeatures: unknown
+        landingPageFooter: unknown
        appStoreUrl: string | null
        playStoreUrl: string | null
    }
@ -36,19 +54,8 @@ export function EditOrgForm({ org }: Props) {
    const [themeColor, setThemeColor] = useState(org.primaryColor || '#E63946')
    const [secondaryColor, setSecondaryColor] = useState(org.secondaryColor || '#FFFFFF')

-    let initialFeatures = ''
-    try {
-        if (org.landingPageFeatures) {
-            const parsed = JSON.parse(org.landingPageFeatures)
-            if (Array.isArray(parsed)) {
-                initialFeatures = parsed.join('\n')
-            } else {
-                initialFeatures = org.landingPageFeatures
-            }
-        }
-    } catch {
-        initialFeatures = org.landingPageFeatures || ''
-    }
+    const initialFeatures = jsonToText(org.landingPageFeatures)
+    const initialFooter = jsonToText(org.landingPageFooter)

    const handleUpload = async (e: React.ChangeEvent<HTMLInputElement>, type: 'logo' | 'hero') => {
        const file = e.target.files?.[0]
@ -321,7 +328,7 @@ export function EditOrgForm({ org }: Props) {
                        <label className="block text-sm font-medium text-gray-700 mb-1">Footer Text</label>
                        <textarea
                            name="landingPageFooter"
-                            defaultValue={org.landingPageFooter ?? ''}
+                            defaultValue={initialFooter}
                            rows={2}
                            placeholder="© 2024 Innung. Alle Rechte vorbehalten."
                            className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-brand-500"
--- a/innungsapp/apps/admin/components/auth/LoginForm.tsx
+++ b/innungsapp/apps/admin/components/auth/LoginForm.tsx
@ -7,7 +7,7 @@ const authClient = createAuthClient({
    // Keep auth requests on the current origin (important for tenant subdomains).
    baseURL: typeof window !== 'undefined'
        ? window.location.origin
-        : (process.env.NEXT_PUBLIC_APP_URL ?? 'http://localhost:3032'),
+        : (process.env.NEXT_PUBLIC_APP_URL ?? 'http://localhost:3010'),
 })

 interface LoginFormProps {
@ -52,7 +52,25 @@ export function LoginForm({ primaryColor = '#C99738' }: LoginFormProps) {
        // mustChangePassword is handled by the dashboard ForcePasswordChange component
        const params = new URLSearchParams(window.location.search)
        const callbackUrl = params.get('callbackUrl')
-        window.location.href = callbackUrl || '/dashboard'
+
+        let target = '/dashboard'
+        if (callbackUrl?.startsWith('/')) {
+            target = callbackUrl
+
+            // Normalize stale tenant-prefixed callback URLs like /test/dashboard
+            // when already on the tenant subdomain test.localhost.
+            const hostname = window.location.hostname
+            const parts = hostname.split('.')
+            const isTenantSubdomain =
+                parts.length > 2 || (parts.length === 2 && parts[1] === 'localhost')
+            const tenantSlug = isTenantSubdomain ? parts[0] : null
+
+            if (tenantSlug && target.startsWith(`/${tenantSlug}/`)) {
+                target = target.slice(tenantSlug.length + 1) || '/dashboard'
+            }
+        }
+
+        window.location.href = target
    }

    return (
--- a/innungsapp/apps/admin/components/layout/Header.tsx
+++ b/innungsapp/apps/admin/components/layout/Header.tsx
@ -8,7 +8,7 @@ const authClient = createAuthClient({
  // Keep auth requests on the current origin (important for tenant subdomains).
  baseURL: typeof window !== 'undefined'
    ? window.location.origin
-    : (process.env.NEXT_PUBLIC_APP_URL ?? 'http://localhost:3032'),
+    : (process.env.NEXT_PUBLIC_APP_URL ?? 'http://localhost:3010'),
 })

 const PAGE_TITLES: Record<string, string> = {
--- a/innungsapp/apps/admin/docker-entrypoint.sh
+++ b/innungsapp/apps/admin/docker-entrypoint.sh
@ -2,7 +2,7 @@
 set -e

 # Keep DATABASE_URL consistent for every Prisma command
-export DATABASE_URL="${DATABASE_URL:-file:/app/data/prod.db}"
+export DATABASE_URL="${DATABASE_URL:-postgresql://innungsapp:innungsapp@postgres:5432/innungsapp?schema=public}"
 MIGRATIONS_DIR="./packages/shared/prisma/migrations"

 # Debug: Check environment variables
@ -22,14 +22,34 @@ echo "NODE_ENV: ${NODE_ENV:-[not set]}"
 echo "========================================"
 echo ""

+run_with_retries() {
+  attempt=1
+  max_attempts=20
+
+  while [ "$attempt" -le "$max_attempts" ]; do
+    if "$@"; then
+      return 0
+    fi
+
+    if [ "$attempt" -eq "$max_attempts" ]; then
+      echo "Command failed after ${max_attempts} attempts."
+      return 1
+    fi
+
+    echo "Database not ready yet. Retry ${attempt}/${max_attempts} in 3s..."
+    attempt=$((attempt + 1))
+    sleep 3
+  done
+}
+
 # Prefer migration-based deploys. Fall back to db push when no migrations exist yet.
 set -- "$MIGRATIONS_DIR"/*/migration.sql
 if [ -f "$1" ]; then
  echo "Applying Prisma migrations..."
-  npx prisma migrate deploy --schema=./packages/shared/prisma/schema.prisma
+  run_with_retries npx prisma migrate deploy --schema=./packages/shared/prisma/schema.prisma
 else
  echo "No Prisma migrations found. Syncing schema with db push..."
-  npx prisma db push --skip-generate --schema=./packages/shared/prisma/schema.prisma
+  run_with_retries npx prisma db push --skip-generate --schema=./packages/shared/prisma/schema.prisma
 fi

 echo "Starting Next.js server..."
--- a/innungsapp/apps/admin/lib/auth.ts
+++ b/innungsapp/apps/admin/lib/auth.ts
@ -9,7 +9,7 @@ import { headers } from 'next/headers'

 export const auth = betterAuth({
  database: prismaAdapter(prisma, {
-    provider: 'sqlite',
+    provider: 'postgresql',
  }),
  emailAndPassword: {
    enabled: true,
@ -17,13 +17,13 @@ export const auth = betterAuth({
  secret: process.env.BETTER_AUTH_SECRET!,
  baseURL: process.env.BETTER_AUTH_URL!,
  trustedOrigins: [
-    process.env.NEXT_PUBLIC_APP_URL ?? 'http://localhost:3032',
-    process.env.EXPO_PUBLIC_API_URL ?? 'http://localhost:3032',
+    process.env.NEXT_PUBLIC_APP_URL ?? 'http://localhost:3010',
+    process.env.EXPO_PUBLIC_API_URL ?? 'http://localhost:3010',
    'http://localhost:3000',
    'http://localhost:3001',
-    'http://localhost:3032',
+    'http://localhost:3010',
    'http://localhost:8081',
-    'http://*.localhost:3032',
+    'http://*.localhost:3010',
    'http://*.localhost:3000',
    'https://*.innungsapp.de',
    'https://*.innungsapp.com',
@ -55,17 +55,17 @@ export const auth = betterAuth({

 export type Auth = typeof auth

-export async function getSanitizedHeaders() {
-  const allHeaders = await headers()
-  const sanitizedHeaders = new Headers(allHeaders)
+export async function getSanitizedHeaders(sourceHeaders?: HeadersInit) {
+  const baseHeaders = sourceHeaders ? new Headers(sourceHeaders) : new Headers(await headers())
+  const sanitizedHeaders = new Headers(baseHeaders)
  
  // Avoid ENOTFOUND by forcing host to localhost for internal better-auth fetches
  // We use the host defined in BETTER_AUTH_URL
  try {
-    const betterAuthUrl = new URL(process.env.BETTER_AUTH_URL || 'http://localhost:3032')
+    const betterAuthUrl = new URL(process.env.BETTER_AUTH_URL || 'http://localhost:3010')
    sanitizedHeaders.set('host', betterAuthUrl.host)
  } catch (e) {
-    sanitizedHeaders.set('host', 'localhost:3032')
+    sanitizedHeaders.set('host', 'localhost:3010')
  }
  
  return sanitizedHeaders
--- a/innungsapp/apps/admin/lib/email.ts
+++ b/innungsapp/apps/admin/lib/email.ts
@ -1,7 +1,10 @@
 import nodemailer from 'nodemailer'

+const SMTP_HOST = (process.env.SMTP_HOST ?? '').trim()
+const SMTP_HOST_IS_PLACEHOLDER = SMTP_HOST === '' || SMTP_HOST.toLowerCase() === 'smtp.example.com'
+
 const transporter = nodemailer.createTransport({
-  host: process.env.SMTP_HOST,
+  host: SMTP_HOST,
  port: Number(process.env.SMTP_PORT) || 587,
  secure: process.env.SMTP_SECURE === 'true',
  auth:
@ -10,6 +13,16 @@ const transporter = nodemailer.createTransport({
      : undefined,
 })

+async function sendMailOrSkip(mailOptions: any, emailType: string) {
+  if (SMTP_HOST_IS_PLACEHOLDER) {
+    const target = typeof mailOptions?.to === 'string' ? mailOptions.to : 'unknown-recipient'
+    console.warn(`[email] SMTP not configured. Skipping ${emailType} email to ${target}.`)
+    return
+  }
+
+  await transporter.sendMail(mailOptions)
+}
+
 export async function sendMagicLinkEmail({
  to,
  magicUrl,
@ -17,7 +30,7 @@ export async function sendMagicLinkEmail({
  to: string
  magicUrl: string
 }) {
-  await transporter.sendMail({
+  await sendMailOrSkip({
    from: process.env.EMAIL_FROM ?? 'noreply@innungsapp.de',
    to,
    subject: 'Ihr Login-Link für InnungsApp',
@ -44,7 +57,7 @@ export async function sendMagicLinkEmail({
        </div>
      </div>
    `,
-  })
+  }, 'magic link')
 }

 export async function sendInviteEmail({
@ -61,7 +74,7 @@ export async function sendInviteEmail({
  // Generate magic link for the invite
  const signInUrl = `${apiUrl}/login?email=${encodeURIComponent(to)}&invited=true`

-  await transporter.sendMail({
+  await sendMailOrSkip({
    from: process.env.EMAIL_FROM ?? 'noreply@innungsapp.de',
    to,
    subject: `Einladung zur InnungsApp — ${orgName}`,
@ -86,7 +99,7 @@ export async function sendInviteEmail({
        </div>
      </div>
    `,
-  })
+  }, 'invite')
 }

 export async function sendAdminCredentialsEmail({
@ -102,7 +115,7 @@ export async function sendAdminCredentialsEmail({
  password: string
  loginUrl: string
 }) {
-  await transporter.sendMail({
+  await sendMailOrSkip({
    from: process.env.EMAIL_FROM ?? 'noreply@innungsapp.de',
    to,
    subject: `Admin-Zugang für — ${orgName}`,
@ -134,5 +147,5 @@ export async function sendAdminCredentialsEmail({
        </div>
      </div>
    `,
-  })
+  }, 'admin credentials')
 }
--- a/innungsapp/apps/admin/middleware.ts
+++ b/innungsapp/apps/admin/middleware.ts
@ -4,6 +4,7 @@ import type { NextRequest } from 'next/server'
 const PUBLIC_PREFIXES = [
  '/login',
  '/api/auth',
+  '/api/health',
  '/api/trpc/stellen.listPublic',
  '/api/setup',
  '/registrierung',
@ -11,6 +12,7 @@ const PUBLIC_PREFIXES = [
  '/datenschutz',
 ]
 const PUBLIC_EXACT_PATHS = ['/']
+const TENANT_SHARED_PATHS = ['/login', '/api', '/superadmin', '/registrierung', '/impressum', '/datenschutz', '/passwort-aendern']

 // Reserved subdomains that shouldn't be treated as tenant slugs
 const RESERVED_SUBDOMAINS = [
@ -40,6 +42,19 @@ export function middleware(request: NextRequest) {
    }
  }

+  // Normalize stale tenant-prefixed shared paths like /test/login to /login
+  // before auth checks, otherwise callbackUrl can get stuck on /test/login.
+  if (slug) {
+    for (const sharedPath of TENANT_SHARED_PATHS) {
+      const prefixedPath = `/${slug}${sharedPath}`
+      if (pathname === prefixedPath || pathname.startsWith(`${prefixedPath}/`)) {
+        const canonicalUrl = request.nextUrl.clone()
+        canonicalUrl.pathname = pathname.replace(prefixedPath, sharedPath)
+        return NextResponse.redirect(canonicalUrl)
+      }
+    }
+  }
+
  // Allow static files from /public
  const isStaticFile = pathname.includes('.') && !pathname.startsWith('/api')
  const isPublic =
@ -62,8 +77,7 @@ export function middleware(request: NextRequest) {
  if (slug) {
    // Paths that should not be rewritten into the slug folder
    // because they are shared across the entire app
-    const SHARED_PATHS = ['/login', '/api', '/superadmin', '/registrierung', '/impressum', '/datenschutz', '/passwort-aendern']
-    const isSharedPath = SHARED_PATHS.some((p) => pathname.startsWith(p)) ||
+    const isSharedPath = TENANT_SHARED_PATHS.some((p) => pathname.startsWith(p)) ||
                         pathname.startsWith('/_next') ||
                         /\.(png|jpg|jpeg|gif|svg|webp|ico|txt|xml)$/i.test(pathname)

--- a/innungsapp/apps/admin/server/context.ts
+++ b/innungsapp/apps/admin/server/context.ts
@ -1,9 +1,9 @@
 import { type FetchCreateContextFnOptions } from '@trpc/server/adapters/fetch'
-import { auth } from '@/lib/auth'
+import { auth, getSanitizedHeaders } from '@/lib/auth'
 import { prisma } from '@innungsapp/shared'

 export async function createContext({ req }: FetchCreateContextFnOptions) {
-  const session = await auth.api.getSession({ headers: req.headers })
+  const session = await auth.api.getSession({ headers: await getSanitizedHeaders(req.headers) })
  return {
    req,
    session,
--- a/innungsapp/apps/admin/server/routers/members.ts
+++ b/innungsapp/apps/admin/server/routers/members.ts
@ -1,6 +1,5 @@
 import { z } from 'zod'
 import { router, memberProcedure, adminProcedure } from '../trpc'
-import { auth, getSanitizedHeaders } from '@/lib/auth'
 import { sendInviteEmail, sendAdminCredentialsEmail } from '@/lib/email'
 import crypto from 'node:crypto'
 import { prisma } from '@innungsapp/shared'
@ -51,7 +50,8 @@ const nonEmptyString = (min = 2) =>
 const MemberInput = z.object({
  name: z.string().min(2),
  betrieb: z.preprocess((v) => (v === '' ? undefined : v), z.string().optional()),
-  sparte: z.preprocess((v) => (v === '' ? undefined : v), z.string().optional()),
+  // Member.sparte is required in Prisma; map "not selected" to a safe default.
+  sparte: z.preprocess((v) => (v === '' ? undefined : v), z.string().optional().default('Sonstiges')),
  ort: z.preprocess((v) => (v === '' ? undefined : v), z.string().optional()),
  telefon: z.string().optional(),
  email: z.string().email(),
@ -216,14 +216,17 @@ export const membersRouter = router({

    // 1. Create the member record
    const member = await ctx.prisma.member.create({
-      data: { ...rest, orgId: ctx.orgId } as any,
+      data: {
+        ...rest,
+        sparte: rest.sparte || 'Sonstiges',
+        orgId: ctx.orgId,
+      } as any,
    })

    // 2. Create a User account if a password was provided OR role is 'admin',
    //    so the role is always persisted (no email sent here).
    if (password || role === 'admin') {
      try {
-        const authHeaders = await getSanitizedHeaders()
        const existing = await ctx.prisma.user.findUnique({ where: { email: input.email } })
        let userId: string | undefined = existing?.id
        const effectivePassword = password || crypto.randomBytes(8).toString('hex')
@ -279,11 +282,14 @@ export const membersRouter = router({
    .input(MemberInput)
    .mutation(async ({ ctx, input }) => {
      const { role, password, ...memberData } = input
-      const authHeaders = await getSanitizedHeaders()

      // 1. Create member record
      const member = await ctx.prisma.member.create({
-        data: { ...memberData, orgId: ctx.orgId } as any,
+        data: {
+          ...memberData,
+          sparte: memberData.sparte || 'Sonstiges',
+          orgId: ctx.orgId,
+        } as any,
      })

      const org = await ctx.prisma.organization.findUniqueOrThrow({
--- a/innungsapp/apps/admin/tsconfig.tsbuildinfo
+++ b/innungsapp/apps/admin/tsconfig.tsbuildinfo
--- a/innungsapp/docker-compose.yml
+++ b/innungsapp/docker-compose.yml
@ -1,4 +1,23 @@
 services:
+  postgres:
+    image: postgres:16-alpine
+    container_name: innungsapp-postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: "${POSTGRES_DB:-innungsapp}"
+      POSTGRES_USER: "${POSTGRES_USER:-innungsapp}"
+      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-innungsapp}"
+    ports:
+      - "5432:5432"
+    volumes:
+      - pg_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-innungsapp} -d ${POSTGRES_DB:-innungsapp}"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 20s
+
  admin:
    build:
      context: .
@ -10,11 +29,14 @@ services:
        NEXT_PUBLIC_APP_URL: "${NEXT_PUBLIC_APP_URL:-https://innungsapp.com}"
    container_name: innungsapp-admin
    restart: unless-stopped
+    depends_on:
+      postgres:
+        condition: service_healthy
    ports:
      - "3010:3000"
    environment:
-      # Database — SQLite file inside the named volume
-      DATABASE_URL: "file:/app/data/prod.db"
+      # Database — PostgreSQL
+      DATABASE_URL: "${DATABASE_URL:-postgresql://innungsapp:innungsapp@postgres:5432/innungsapp?schema=public}"

      # Auth — CHANGE THESE in production!
      BETTER_AUTH_SECRET: "${BETTER_AUTH_SECRET}"
@ -29,6 +51,10 @@ services:
      SMTP_USER: "${SMTP_USER}"
      SMTP_PASS: "${SMTP_PASS}"

+      # Superadmin seed defaults (override in .env)
+      SUPERADMIN_EMAIL: "${SUPERADMIN_EMAIL:-superadmin@innungsapp.de}"
+      SUPERADMIN_PASSWORD: "${SUPERADMIN_PASSWORD:-}"
+
      # Public URLs
      NEXT_PUBLIC_APP_URL: "${NEXT_PUBLIC_APP_URL:-https://yourdomain.com}"
      NEXT_PUBLIC_POSTHOG_KEY: "${NEXT_PUBLIC_POSTHOG_KEY:-}"
@ -40,18 +66,19 @@ services:

      # Node
      NODE_ENV: "production"
+    pids_limit: 512
+    ulimits:
+      nproc: 65535
    volumes:
-      # SQLite database — persists across restarts
-      - db_data:/app/data
      # Uploaded files — persists across restarts
      - uploads_data:/app/uploads
    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:3000/api/health"]
+      test: ["CMD-SHELL", "wget -qO- http://localhost:3000/api/health | grep -q '\"status\":\"ok\"'"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

 volumes:
-  db_data:
+  pg_data:
  uploads_data:
--- a/innungsapp/package.json
+++ b/innungsapp/package.json
@ -11,6 +11,7 @@
    "db:push": "pnpm --filter @innungsapp/shared prisma:push",
    "db:studio": "pnpm --filter @innungsapp/shared prisma:studio",
    "db:seed": "pnpm --filter @innungsapp/shared prisma:seed",
+    "db:seed-superadmin": "pnpm --filter @innungsapp/shared prisma:seed-superadmin",
    "db:reset": "pnpm --filter @innungsapp/shared prisma:migrate -- --reset"
  },
  "devDependencies": {
--- a/innungsapp/packages/shared/package.json
+++ b/innungsapp/packages/shared/package.json
@ -14,6 +14,7 @@
    "prisma:push": "prisma db push",
    "prisma:studio": "prisma studio",
    "prisma:seed": "tsx prisma/seed.ts",
+    "prisma:seed-superadmin": "tsx prisma/seed-superadmin.ts",
    "prisma:seed-admin": "tsx prisma/seed-admin-password.ts",
    "prisma:seed-demo-members": "tsx prisma/seed-demo-members.ts"
  },
--- a/innungsapp/packages/shared/prisma/migrations/20260304080529_init_postgres/migration.sql
+++ b/innungsapp/packages/shared/prisma/migrations/20260304080529_init_postgres/migration.sql
@ -0,0 +1,350 @@
+-- CreateTable
+CREATE TABLE "user" (
+    "id" TEXT NOT NULL,
+    "name" TEXT NOT NULL,
+    "email" TEXT NOT NULL,
+    "email_verified" BOOLEAN NOT NULL DEFAULT false,
+    "image" TEXT,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL,
+    "role" TEXT,
+    "banned" BOOLEAN DEFAULT false,
+    "ban_reason" TEXT,
+    "ban_expires" TIMESTAMP(3),
+    "must_change_password" BOOLEAN DEFAULT false,
+
+    CONSTRAINT "user_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "session" (
+    "id" TEXT NOT NULL,
+    "expires_at" TIMESTAMP(3) NOT NULL,
+    "token" TEXT NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL,
+    "ip_address" TEXT,
+    "user_agent" TEXT,
+    "user_id" TEXT NOT NULL,
+
+    CONSTRAINT "session_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "account" (
+    "id" TEXT NOT NULL,
+    "account_id" TEXT NOT NULL,
+    "provider_id" TEXT NOT NULL,
+    "user_id" TEXT NOT NULL,
+    "access_token" TEXT,
+    "refresh_token" TEXT,
+    "id_token" TEXT,
+    "access_token_expires_at" TIMESTAMP(3),
+    "refresh_token_expires_at" TIMESTAMP(3),
+    "scope" TEXT,
+    "password" TEXT,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "account_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "verification" (
+    "id" TEXT NOT NULL,
+    "identifier" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "expires_at" TIMESTAMP(3) NOT NULL,
+    "created_at" TIMESTAMP(3) DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3),
+
+    CONSTRAINT "verification_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "organizations" (
+    "id" TEXT NOT NULL,
+    "name" TEXT NOT NULL,
+    "slug" TEXT NOT NULL,
+    "plan" TEXT NOT NULL DEFAULT 'pilot',
+    "logo_url" TEXT,
+    "primary_color" TEXT NOT NULL DEFAULT '#E63946',
+    "secondary_color" TEXT,
+    "contact_email" TEXT,
+    "avv_accepted" BOOLEAN NOT NULL DEFAULT false,
+    "avv_accepted_at" TIMESTAMP(3),
+    "landing_page_title" TEXT,
+    "landing_page_text" TEXT,
+    "landing_page_section_title" TEXT,
+    "landing_page_button_text" TEXT,
+    "landing_page_hero_image" TEXT,
+    "landing_page_hero_overlay_opacity" INTEGER DEFAULT 50,
+    "landing_page_features" JSONB,
+    "landing_page_footer" JSONB,
+    "app_store_url" TEXT,
+    "play_store_url" TEXT,
+    "ai_enabled" BOOLEAN NOT NULL DEFAULT false,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "organizations_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "members" (
+    "id" TEXT NOT NULL,
+    "org_id" TEXT NOT NULL,
+    "user_id" TEXT,
+    "name" TEXT NOT NULL,
+    "betrieb" TEXT NOT NULL,
+    "sparte" TEXT NOT NULL,
+    "ort" TEXT NOT NULL,
+    "telefon" TEXT,
+    "email" TEXT NOT NULL,
+    "status" TEXT NOT NULL DEFAULT 'aktiv',
+    "ist_ausbildungsbetrieb" BOOLEAN NOT NULL DEFAULT false,
+    "seit" INTEGER,
+    "avatar_url" TEXT,
+    "push_token" TEXT,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "members_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "user_roles" (
+    "id" TEXT NOT NULL,
+    "org_id" TEXT NOT NULL,
+    "user_id" TEXT NOT NULL,
+    "role" TEXT NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "user_roles_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "news" (
+    "id" TEXT NOT NULL,
+    "org_id" TEXT NOT NULL,
+    "author_id" TEXT,
+    "title" TEXT NOT NULL,
+    "body" TEXT NOT NULL,
+    "kategorie" TEXT NOT NULL,
+    "published_at" TIMESTAMP(3),
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "news_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "news_reads" (
+    "id" TEXT NOT NULL,
+    "news_id" TEXT NOT NULL,
+    "user_id" TEXT NOT NULL,
+    "read_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "news_reads_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "news_attachments" (
+    "id" TEXT NOT NULL,
+    "news_id" TEXT NOT NULL,
+    "name" TEXT NOT NULL,
+    "storage_path" TEXT NOT NULL,
+    "mime_type" TEXT,
+    "size_bytes" INTEGER,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "news_attachments_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "stellen" (
+    "id" TEXT NOT NULL,
+    "org_id" TEXT NOT NULL,
+    "member_id" TEXT NOT NULL,
+    "sparte" TEXT NOT NULL,
+    "stellen_anz" INTEGER NOT NULL DEFAULT 1,
+    "verguetung" TEXT,
+    "lehrjahr" TEXT,
+    "beschreibung" TEXT,
+    "kontakt_email" TEXT NOT NULL,
+    "kontakt_name" TEXT,
+    "aktiv" BOOLEAN NOT NULL DEFAULT true,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "stellen_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "termine" (
+    "id" TEXT NOT NULL,
+    "org_id" TEXT NOT NULL,
+    "titel" TEXT NOT NULL,
+    "datum" TIMESTAMP(3) NOT NULL,
+    "uhrzeit" TEXT,
+    "ende_datum" TIMESTAMP(3),
+    "ende_uhrzeit" TEXT,
+    "ort" TEXT,
+    "adresse" TEXT,
+    "typ" TEXT NOT NULL,
+    "beschreibung" TEXT,
+    "max_teilnehmer" INTEGER,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "termine_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "termin_anmeldungen" (
+    "id" TEXT NOT NULL,
+    "termin_id" TEXT NOT NULL,
+    "member_id" TEXT NOT NULL,
+    "angemeldet_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "termin_anmeldungen_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "conversations" (
+    "id" TEXT NOT NULL,
+    "org_id" TEXT NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "conversations_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "conversation_members" (
+    "id" TEXT NOT NULL,
+    "conversation_id" TEXT NOT NULL,
+    "member_id" TEXT NOT NULL,
+    "last_read_at" TIMESTAMP(3),
+
+    CONSTRAINT "conversation_members_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "messages" (
+    "id" TEXT NOT NULL,
+    "conversation_id" TEXT NOT NULL,
+    "sender_id" TEXT NOT NULL,
+    "body" TEXT NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "messages_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "user_email_key" ON "user"("email");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "session_token_key" ON "session"("token");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "organizations_slug_key" ON "organizations"("slug");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "members_user_id_key" ON "members"("user_id");
+
+-- CreateIndex
+CREATE INDEX "members_org_id_idx" ON "members"("org_id");
+
+-- CreateIndex
+CREATE INDEX "members_status_idx" ON "members"("status");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "user_roles_org_id_user_id_key" ON "user_roles"("org_id", "user_id");
+
+-- CreateIndex
+CREATE INDEX "news_org_id_idx" ON "news"("org_id");
+
+-- CreateIndex
+CREATE INDEX "news_published_at_idx" ON "news"("published_at");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "news_reads_news_id_user_id_key" ON "news_reads"("news_id", "user_id");
+
+-- CreateIndex
+CREATE INDEX "stellen_org_id_idx" ON "stellen"("org_id");
+
+-- CreateIndex
+CREATE INDEX "stellen_aktiv_idx" ON "stellen"("aktiv");
+
+-- CreateIndex
+CREATE INDEX "termine_org_id_idx" ON "termine"("org_id");
+
+-- CreateIndex
+CREATE INDEX "termine_datum_idx" ON "termine"("datum");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "termin_anmeldungen_termin_id_member_id_key" ON "termin_anmeldungen"("termin_id", "member_id");
+
+-- CreateIndex
+CREATE INDEX "conversations_org_id_idx" ON "conversations"("org_id");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "conversation_members_conversation_id_member_id_key" ON "conversation_members"("conversation_id", "member_id");
+
+-- CreateIndex
+CREATE INDEX "messages_conversation_id_idx" ON "messages"("conversation_id");
+
+-- AddForeignKey
+ALTER TABLE "session" ADD CONSTRAINT "session_user_id_fkey" FOREIGN KEY ("user_id") REFERENCES "user"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "account" ADD CONSTRAINT "account_user_id_fkey" FOREIGN KEY ("user_id") REFERENCES "user"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "members" ADD CONSTRAINT "members_org_id_fkey" FOREIGN KEY ("org_id") REFERENCES "organizations"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "members" ADD CONSTRAINT "members_user_id_fkey" FOREIGN KEY ("user_id") REFERENCES "user"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "user_roles" ADD CONSTRAINT "user_roles_org_id_fkey" FOREIGN KEY ("org_id") REFERENCES "organizations"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "user_roles" ADD CONSTRAINT "user_roles_user_id_fkey" FOREIGN KEY ("user_id") REFERENCES "user"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "news" ADD CONSTRAINT "news_org_id_fkey" FOREIGN KEY ("org_id") REFERENCES "organizations"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "news" ADD CONSTRAINT "news_author_id_fkey" FOREIGN KEY ("author_id") REFERENCES "members"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "news_reads" ADD CONSTRAINT "news_reads_news_id_fkey" FOREIGN KEY ("news_id") REFERENCES "news"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "news_attachments" ADD CONSTRAINT "news_attachments_news_id_fkey" FOREIGN KEY ("news_id") REFERENCES "news"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "stellen" ADD CONSTRAINT "stellen_org_id_fkey" FOREIGN KEY ("org_id") REFERENCES "organizations"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "stellen" ADD CONSTRAINT "stellen_member_id_fkey" FOREIGN KEY ("member_id") REFERENCES "members"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "termine" ADD CONSTRAINT "termine_org_id_fkey" FOREIGN KEY ("org_id") REFERENCES "organizations"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "termin_anmeldungen" ADD CONSTRAINT "termin_anmeldungen_termin_id_fkey" FOREIGN KEY ("termin_id") REFERENCES "termine"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "termin_anmeldungen" ADD CONSTRAINT "termin_anmeldungen_member_id_fkey" FOREIGN KEY ("member_id") REFERENCES "members"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "conversation_members" ADD CONSTRAINT "conversation_members_conversation_id_fkey" FOREIGN KEY ("conversation_id") REFERENCES "conversations"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "conversation_members" ADD CONSTRAINT "conversation_members_member_id_fkey" FOREIGN KEY ("member_id") REFERENCES "members"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "messages" ADD CONSTRAINT "messages_conversation_id_fkey" FOREIGN KEY ("conversation_id") REFERENCES "conversations"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "messages" ADD CONSTRAINT "messages_sender_id_fkey" FOREIGN KEY ("sender_id") REFERENCES "members"("id") ON DELETE CASCADE ON UPDATE CASCADE;
--- a/innungsapp/packages/shared/prisma/migrations/migration_lock.toml
+++ b/innungsapp/packages/shared/prisma/migrations/migration_lock.toml
@ -0,0 +1,3 @@
+# Please do not edit this file manually
+# It should be added in your version-control system (i.e. Git)
+provider = "postgresql"
--- a/innungsapp/packages/shared/prisma/schema.prisma
+++ b/innungsapp/packages/shared/prisma/schema.prisma
@ -1,14 +1,12 @@
 // InnungsApp — Prisma Schema
-// Stack: SQLite + Prisma ORM + better-auth
-// Note: SQLite has no native enum support — enum fields are stored as String.
-//       Valid values are enforced at the application layer (Zod).
+// Stack: PostgreSQL + Prisma ORM + better-auth

 generator client {
  provider = "prisma-client-js"
 }

 datasource db {
-  provider = "sqlite"
+  provider = "postgresql"
  url      = env("DATABASE_URL")
 }

@ -108,8 +106,8 @@ model Organization {
  landingPageButtonText String? @map("landing_page_button_text")
  landingPageHeroImage String? @map("landing_page_hero_image")
  landingPageHeroOverlayOpacity Int? @default(50) @map("landing_page_hero_overlay_opacity")
-  landingPageFeatures  String? @map("landing_page_features")
-  landingPageFooter    String? @map("landing_page_footer")
+  landingPageFeatures  Json? @map("landing_page_features") @db.JsonB
+  landingPageFooter    Json? @map("landing_page_footer") @db.JsonB
  appStoreUrl      String? @map("app_store_url")
  playStoreUrl     String? @map("play_store_url")
  aiEnabled    Boolean   @default(false) @map("ai_enabled")
--- a/innungsapp/packages/shared/prisma/seed-superadmin.js
+++ b/innungsapp/packages/shared/prisma/seed-superadmin.js
@ -16,32 +16,53 @@ async function hashPassword(password) {
  return `${salt}:${key.toString('hex')}`
 }

-async function main() {
-  const email = 'superadmin@innungsapp.de'
-  const password = 'demo1234'
-  const userId = 'superadmin-user-id'
-  const accountId = 'superadmin-account-id'
+function getEnv(name) {
+  return (process.env[name] || '').trim()
+}

-  console.log('Seeding superadmin...')
+async function main() {
+  const email = (getEnv('SUPERADMIN_EMAIL') || 'superadmin@innungsapp.de').toLowerCase()
+  const name = getEnv('SUPERADMIN_NAME') || 'Super Admin'
+  const userId = getEnv('SUPERADMIN_USER_ID') || 'superadmin-user-id'
+  const accountId = getEnv('SUPERADMIN_ACCOUNT_ID') || 'superadmin-account-id'
+
+  let password = getEnv('SUPERADMIN_PASSWORD')
+  if (!password) {
+    if (process.env.NODE_ENV === 'production') {
+      throw new Error('SUPERADMIN_PASSWORD must be set in production.')
+    }
+
+    password = 'demo1234'
+    console.warn('SUPERADMIN_PASSWORD not set. Using development fallback password.')
+  }
+
+  console.log(`Seeding superadmin user for ${email}...`)
  const hash = await hashPassword(password)

  const user = await prisma.user.upsert({
    where: { email },
    update: {
-      name: 'Super Admin',
+      name,
      emailVerified: true,
+      role: 'admin',
    },
    create: {
      id: userId,
-      name: 'Super Admin',
+      name,
      email,
      emailVerified: true,
+      role: 'admin',
    },
  })

  await prisma.account.upsert({
    where: { id: accountId },
-    update: { password: hash },
+    update: {
+      accountId: user.id,
+      providerId: 'credential',
+      userId: user.id,
+      password: hash,
+    },
    create: {
      id: accountId,
      accountId: user.id,
--- a/innungsapp/packages/shared/prisma/seed-superadmin.ts
+++ b/innungsapp/packages/shared/prisma/seed-superadmin.ts
@ -13,27 +13,55 @@ async function hashPassword(password: string): Promise<string> {
    return `${salt}:${key.toString('hex')}`
 }

+function getEnv(name: string): string {
+    return (process.env[name] ?? '').trim()
+}
+
 async function main() {
-    console.log('Seeding superadmin...')
-    const hash = await hashPassword('demo1234')
-    console.log('Hash generated.')
+    const email = getEnv('SUPERADMIN_EMAIL').toLowerCase() || 'superadmin@innungsapp.de'
+    const name = getEnv('SUPERADMIN_NAME') || 'Super Admin'
+    const userId = getEnv('SUPERADMIN_USER_ID') || 'superadmin-user-id'
+    const accountId = getEnv('SUPERADMIN_ACCOUNT_ID') || 'superadmin-account-id'
+
+    let password = getEnv('SUPERADMIN_PASSWORD')
+    if (!password) {
+        if (process.env.NODE_ENV === 'production') {
+            throw new Error('SUPERADMIN_PASSWORD must be set in production.')
+        }
+
+        password = 'demo1234'
+        console.warn('SUPERADMIN_PASSWORD not set. Using development fallback password.')
+    }
+
+    console.log(`Seeding superadmin user for ${email}...`)
+    const hash = await hashPassword(password)

    const superAdminUser = await prisma.user.upsert({
-        where: { email: 'superadmin@innungsapp.de' },
-        update: {},
-        create: {
-            id: 'superadmin-user-id',
-            name: 'Super Admin',
-            email: 'superadmin@innungsapp.de',
+        where: { email },
+        update: {
+            name,
            emailVerified: true,
+            role: 'admin',
+        },
+        create: {
+            id: userId,
+            name,
+            email,
+            emailVerified: true,
+            role: 'admin',
        },
    })

    await prisma.account.upsert({
-        where: { id: 'superadmin-account-id' },
-        update: { password: hash },
+        where: { id: accountId },
+        update: {
+            accountId: superAdminUser.id,
+            userId: superAdminUser.id,
+            providerId: 'credential',
+            password: hash,
+        },
        create: {
-            id: 'superadmin-account-id',
+            id: accountId,
            accountId: superAdminUser.id,
            providerId: 'credential',
            userId: superAdminUser.id,
@ -41,7 +69,7 @@ async function main() {
        },
    })

-    console.log('Done! Login: superadmin@innungsapp.de / demo1234')
+    console.log(`Done. Login: ${email} / ${password}`)
 }

 main()
--- a/innungsapp/packages/shared/src/index.ts
+++ b/innungsapp/packages/shared/src/index.ts
@ -1,2 +1,3 @@
 export { prisma } from './lib/prisma'
+export { Prisma } from '@prisma/client'
 export * from './types/index'