fix(ui): rollenbasierte Navigation + domain_auditor-Support

- useAuth.ts: domain_auditor (Level 3) in roleLevels ergänzt
- navbar.tsx: IMAP/POP3-Links nur noch für user + domain_admin;
  domain_auditor bekommt Zugang zum Admin-Bereich
- UserNav.tsx: Rollenbezeichnung deutsch + leserlich (domain_auditor →
  "Domain-Auditor"); Badge ausgeblendet wenn Username = Rollenname

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/components/UserNav.tsx

@@ -21,7 +21,16 @@ interface UserNavProps {
 export function UserNav({ username, role }: UserNavProps) {
   const router = useRouter();
 
-  const ADMIN_ROLES = ["auditor", "admin", "domain_admin", "superadmin"];
+  const ADMIN_ROLES = ["auditor", "domain_auditor", "admin", "domain_admin", "superadmin"];
+
+  const ROLE_LABELS: Record<string, string> = {
+    user: "Benutzer",
+    auditor: "Auditor",
+    domain_auditor: "Domain-Auditor",
+    admin: "Admin",
+    domain_admin: "Domain-Admin",
+    superadmin: "Superadmin",
+  };
 
   async function handleLogout() {
     try {
@@ -42,9 +51,11 @@ export function UserNav({ username, role }: UserNavProps) {
           aria-label="Benutzermenu"
         >
           <span className="text-sm font-medium">{username}</span>
+          {username !== role && (
             <Badge variant="secondary" className="text-xs">
-            {role}
+              {ROLE_LABELS[role] ?? role}
             </Badge>
+          )}
           <ChevronDown className="h-4 w-4 opacity-50" />
         </Button>
       </DropdownMenuTrigger>

src/components/navbar.tsx

@@ -31,7 +31,7 @@ export function Navbar({ username, role }: NavbarProps) {
               Suche
             </Link>
           )}
-          {role !== "superadmin" && (
+          {(role === "user" || role === "domain_admin") && (
             <Link
               href="/imap"
               className="text-sm text-muted-foreground hover:text-foreground transition-colors"
@@ -39,7 +39,7 @@ export function Navbar({ username, role }: NavbarProps) {
               IMAP Import
             </Link>
           )}
-          {role !== "superadmin" && (
+          {(role === "user" || role === "domain_admin") && (
             <Link
               href="/pop3"
               className="text-sm text-muted-foreground hover:text-foreground transition-colors"
@@ -47,7 +47,7 @@ export function Navbar({ username, role }: NavbarProps) {
               POP3 Import
             </Link>
           )}
-          {(role === "admin" || role === "domain_admin" || role === "superadmin") && (
+          {(role === "admin" || role === "domain_admin" || role === "domain_auditor" || role === "superadmin") && (
             <Link
               href="/admin"
               className="text-sm text-muted-foreground hover:text-foreground transition-colors"

src/hooks/useAuth.ts

@@ -7,11 +7,12 @@ import { getCachedUser, setCachedUser } from "@/lib/auth-cache";
 
 export { clearAuthCache } from "@/lib/auth-cache";
 
-// Role hierarchy: superadmin(5) > domain_admin(4) > admin(3) > auditor(2) > user(1)
+// Role hierarchy: superadmin(5) > domain_admin(4) > domain_auditor(3) > auditor(2) > user(1)
 const roleLevels: Record<string, number> = {
   user: 1,
   auditor: 2,
-  admin: 3,
+  domain_auditor: 3,
+  admin: 3,        // legacy alias
   domain_admin: 4,
   superadmin: 5,
 };