Initial commit – TimeMaster Zeiterfassung & HR-Tool

Stand: agent-06 (Audit-Log), agent-05 (Krankmeldung), agent-07 Phase 1 (Personalnummer),
Busylight-Pull-Integration, TOTP/2FA, Abwesenheiten, Zeiterfassung, Kiosk-Grundgerüst.
Migrations 0001–0023 deployed auf 192.168.1.137 + .164.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/schemas/user.py

@@ -0,0 +1,112 @@
+import uuid
+from datetime import datetime
+
+from pydantic import BaseModel, EmailStr, Field, model_validator
+
+from app.models.user import AuthProvider, UserRole
+
+
+PERSONNEL_NUMBER_PATTERN = r"^[0-9]+$"
+
+
+class UserOut(BaseModel):
+    model_config = {"from_attributes": True}
+
+    id: uuid.UUID
+    company_id: uuid.UUID | None
+    department_id: uuid.UUID | None
+    email: str
+    first_name: str
+    last_name: str
+    full_name: str
+    role: UserRole
+    auth_provider: AuthProvider
+    is_active: bool
+    last_login: datetime | None
+    created_at: datetime
+    kuerzel: str | None = None
+    personnel_number: str | None = None
+    can_manual_time_entry: bool = False
+
+
+class UserUpdate(BaseModel):
+    first_name: str | None = Field(None, min_length=1, max_length=100)
+    last_name: str | None = Field(None, min_length=1, max_length=100)
+    department_id: uuid.UUID | None = None
+    role: UserRole | None = None
+    work_schedule_id: uuid.UUID | None = None
+    kuerzel: str | None = Field(None, max_length=20)
+    personnel_number: str | None = Field(None, max_length=50, pattern=PERSONNEL_NUMBER_PATTERN)
+    can_manual_time_entry: bool | None = None
+    is_active: bool | None = None
+
+
+class InviteRequest(BaseModel):
+    email: EmailStr
+    first_name: str = Field(min_length=1, max_length=100)
+    last_name: str = Field(min_length=1, max_length=100)
+    role: UserRole = UserRole.EMPLOYEE
+    department_id: uuid.UUID | None = None
+    personnel_number: str | None = Field(None, max_length=50, pattern=PERSONNEL_NUMBER_PATTERN)
+    # Wenn gesetzt → User wird sofort aktiv (kein Invite-E-Mail nötig)
+    initial_password: str | None = Field(None, min_length=8, max_length=128)
+
+    @model_validator(mode="after")
+    def password_strength(self):
+        pw = self.initial_password
+        if pw is None:
+            return self
+        if not any(c.isupper() for c in pw):
+            raise ValueError("initial_password must contain at least one uppercase letter")
+        if not any(c.isdigit() for c in pw):
+            raise ValueError("initial_password must contain at least one digit")
+        return self
+
+
+class InviteAccept(BaseModel):
+    token: str
+    password: str = Field(min_length=8, max_length=128)
+
+    @model_validator(mode="after")
+    def password_strength(self):
+        pw = self.password
+        if not any(c.isupper() for c in pw):
+            raise ValueError("Password must contain at least one uppercase letter")
+        if not any(c.isdigit() for c in pw):
+            raise ValueError("Password must contain at least one digit")
+        return self
+
+
+class UserListResponse(BaseModel):
+    total: int
+    items: list[UserOut]
+
+
+class SetKioskPinRequest(BaseModel):
+    pin: str = Field(min_length=4, max_length=6, pattern=r"^\d+$")
+
+
+class NextPersonnelNumberResponse(BaseModel):
+    next: str
+
+
+class UserImportRowError(BaseModel):
+    row: int
+    email: str | None = None
+    message: str
+
+
+class UserImportRowResult(BaseModel):
+    row: int
+    email: str
+    personnel_number: str | None = None
+    action: str  # "created" | "reactivated" | "skipped" | "error"
+    message: str | None = None
+
+
+class UserImportResult(BaseModel):
+    total_rows: int
+    created: int
+    reactivated: int
+    errors: int
+    items: list[UserImportRowResult]