From f2d749ba3fde18d7bc157a44393a5f27a9592a65 Mon Sep 17 00:00:00 2001
From: Sebastian Serfling <serfling@itdata-gera.de>
Date: Tue, 21 Apr 2026 15:10:35 +0200
Subject: [PATCH] feat: initial ImapSync Manager setup

---
 README.md                 |   94 +++
 backend/Dockerfile        |   16 +
 backend/main.py           |  444 +++++++++++++
 backend/requirements.txt  |    8 +
 backend/static/index.html | 1258 +++++++++++++++++++++++++++++++++++++
 docker-compose.yml        |   37 ++
 worker/Dockerfile         |   15 +
 worker/worker.py          |  215 +++++++
 8 files changed, 2087 insertions(+)
 create mode 100644 README.md
 create mode 100644 backend/Dockerfile
 create mode 100644 backend/main.py
 create mode 100644 backend/requirements.txt
 create mode 100644 backend/static/index.html
 create mode 100644 docker-compose.yml
 create mode 100644 worker/Dockerfile
 create mode 100644 worker/worker.py

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..cb084ef
--- /dev/null
+++ b/README.md
@@ -0,0 +1,94 @@
+# ImapSync Manager
+
+Docker-basiertes System für IMAP-E-Mail-Migrationen mit Web-GUI.
+
+## Features
+
+- **Web-GUI** – Dashboard, Job-Verwaltung, Log-Viewer, Statistiken
+- **Authentifizierung** – MD5-Passwörter in SQLite, JWT-Token
+- **Rollensystem** – Admin / Operator / Viewer
+- **Job-Scheduler** – Manuell oder per Cron-Zeitplan
+- **Auftragsverwalter (Worker)** – Führt imapsync-Jobs sequenziell aus
+- **Log-Archiv** – Vollständige imapsync-Logs pro Ausführung
+
+## Schnellstart
+
+```bash
+# Starten
+docker compose up -d
+
+# Logs verfolgen
+docker compose logs -f
+
+# Zugriff
+http://localhost:8080
+```
+
+**Standard-Login:** `admin` / `admin`  
+→ Passwort sofort nach dem ersten Login ändern!
+
+## Verzeichnisstruktur
+
+```
+imapsync-docker/
+├── docker-compose.yml
+├── backend/           ← FastAPI + Web-GUI
+│   ├── Dockerfile
+│   ├── main.py
+│   ├── requirements.txt
+│   └── static/
+│       └── index.html
+├── worker/            ← imapsync-Ausführung
+│   ├── Dockerfile
+│   └── worker.py
+└── data/              ← Persistente Daten (auto-erstellt)
+    ├── imapsync.db    ← SQLite-Datenbank
+    └── logs/          ← imapsync-Logdateien
+```
+
+## Sicherheit
+
+- Passwörter werden als MD5-Hash in SQLite gespeichert
+- JWT-Token läuft nach 12h ab
+- SECRET_KEY in docker-compose.yml anpassen!
+
+## Cron-Beispiele
+
+| Ausdruck      | Bedeutung               |
+|---------------|-------------------------|
+| `0 2 * * *`   | Täglich um 02:00 Uhr    |
+| `0 */6 * * *` | Alle 6 Stunden          |
+| `0 2 * * 0`   | Wöchentlich, So 02:00   |
+| `30 1 * * 1-5`| Mo-Fr um 01:30 Uhr      |
+
+## Rollen
+
+| Rolle    | Benutzer | Jobs | Start/Stop | Logs |
+|----------|----------|------|-----------|------|
+| admin    | ✅        | ✅   | ✅         | ✅   |
+| operator | ✗         | ✅   | ✅         | ✅   |
+| viewer   | ✗         | ✗    | ✗          | ✅   |
+
+## Umgebungsvariablen
+
+### Web-Container
+| Variable     | Standard           | Beschreibung          |
+|--------------|--------------------|-----------------------|
+| DB_PATH      | /data/imapsync.db  | Pfad zur SQLite-DB    |
+| LOG_DIR      | /data/logs         | Log-Verzeichnis       |
+| SECRET_KEY   | (Pflicht ändern!)  | JWT-Signaturschlüssel |
+
+### Worker-Container
+| Variable      | Standard | Beschreibung                 |
+|---------------|----------|------------------------------|
+| POLL_INTERVAL | 15       | Sekunden zwischen DB-Abfragen |
+
+## Datensicherung
+
+```bash
+# DB sichern
+cp data/imapsync.db data/imapsync.db.bak
+
+# Komplettes Backup
+tar -czf imapsync-backup-$(date +%Y%m%d).tar.gz data/
+```
diff --git a/backend/Dockerfile b/backend/Dockerfile
new file mode 100644
index 0000000..fca5485
--- /dev/null
+++ b/backend/Dockerfile
@@ -0,0 +1,16 @@
+FROM python:3.12-slim
+
+WORKDIR /app
+
+RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY . .
+
+RUN mkdir -p /data/logs
+
+EXPOSE 8080
+
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8080"]
diff --git a/backend/main.py b/backend/main.py
new file mode 100644
index 0000000..cfbf6b8
--- /dev/null
+++ b/backend/main.py
@@ -0,0 +1,444 @@
+import os
+import sqlite3
+import hashlib
+import secrets
+from datetime import datetime, timedelta
+from typing import Optional
+from contextlib import asynccontextmanager
+
+from fastapi import FastAPI, HTTPException, Depends, status, Request
+from fastapi.responses import HTMLResponse, JSONResponse
+from fastapi.staticfiles import StaticFiles
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from pydantic import BaseModel
+from jose import JWTError, jwt
+
+# ── Config ──────────────────────────────────────────────────────────────────
+DB_PATH = os.environ.get("DB_PATH", "/data/imapsync.db")
+LOG_DIR = os.environ.get("LOG_DIR", "/data/logs")
+SECRET_KEY = os.environ.get("SECRET_KEY", "dev-secret-change-me")
+ALGORITHM = "HS256"
+TOKEN_EXPIRE_HOURS = 12
+
+os.makedirs(LOG_DIR, exist_ok=True)
+
+# ── DB ───────────────────────────────────────────────────────────────────────
+def get_db():
+    conn = sqlite3.connect(DB_PATH, check_same_thread=False)
+    conn.row_factory = sqlite3.Row
+    conn.execute("PRAGMA journal_mode=WAL")
+    return conn
+
+def init_db():
+    conn = get_db()
+    conn.executescript("""
+        CREATE TABLE IF NOT EXISTS users (
+            id       INTEGER PRIMARY KEY AUTOINCREMENT,
+            username TEXT UNIQUE NOT NULL,
+            password_md5 TEXT NOT NULL,
+            role     TEXT NOT NULL DEFAULT 'viewer',
+            created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+        );
+
+        CREATE TABLE IF NOT EXISTS sync_jobs (
+            id          INTEGER PRIMARY KEY AUTOINCREMENT,
+            name        TEXT NOT NULL,
+            src_host    TEXT NOT NULL,
+            src_port    INTEGER DEFAULT 993,
+            src_ssl     INTEGER DEFAULT 1,
+            src_user    TEXT NOT NULL,
+            src_password TEXT NOT NULL,
+            dst_host    TEXT NOT NULL,
+            dst_port    INTEGER DEFAULT 993,
+            dst_ssl     INTEGER DEFAULT 1,
+            dst_user    TEXT NOT NULL,
+            dst_password TEXT NOT NULL,
+            extra_args  TEXT DEFAULT '',
+            schedule    TEXT DEFAULT NULL,
+            enabled     INTEGER DEFAULT 1,
+            status      TEXT DEFAULT 'idle',
+            last_run    DATETIME,
+            created_at  DATETIME DEFAULT CURRENT_TIMESTAMP,
+            created_by  TEXT
+        );
+
+        CREATE TABLE IF NOT EXISTS job_runs (
+            id              INTEGER PRIMARY KEY AUTOINCREMENT,
+            job_id          INTEGER NOT NULL,
+            started_at      DATETIME DEFAULT CURRENT_TIMESTAMP,
+            finished_at     DATETIME,
+            status          TEXT DEFAULT 'running',
+            log_file        TEXT,
+            messages_synced INTEGER DEFAULT 0,
+            messages_skipped INTEGER DEFAULT 0,
+            errors          INTEGER DEFAULT 0,
+            duration_sec    INTEGER DEFAULT 0,
+            FOREIGN KEY (job_id) REFERENCES sync_jobs(id)
+        );
+
+        CREATE TABLE IF NOT EXISTS sessions (
+            token      TEXT PRIMARY KEY,
+            username   TEXT NOT NULL,
+            expires_at DATETIME NOT NULL
+        );
+    """)
+    # Create default admin if no users exist
+    cur = conn.execute("SELECT COUNT(*) FROM users")
+    if cur.fetchone()[0] == 0:
+        pw_md5 = hashlib.md5("admin".encode()).hexdigest()
+        conn.execute(
+            "INSERT INTO users (username, password_md5, role) VALUES (?, ?, ?)",
+            ("admin", pw_md5, "admin")
+        )
+    conn.commit()
+    conn.close()
+
+# ── Auth ──────────────────────────────────────────────────────────────────────
+def md5_hash(pw: str) -> str:
+    return hashlib.md5(pw.encode()).hexdigest()
+
+def create_token(username: str, role: str) -> str:
+    expire = datetime.utcnow() + timedelta(hours=TOKEN_EXPIRE_HOURS)
+    payload = {"sub": username, "role": role, "exp": expire}
+    return jwt.encode(payload, SECRET_KEY, algorithm=ALGORITHM)
+
+def decode_token(token: str) -> dict:
+    try:
+        return jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+    except JWTError:
+        raise HTTPException(status_code=401, detail="Token ungültig oder abgelaufen")
+
+security = HTTPBearer()
+
+def get_current_user(credentials: HTTPAuthorizationCredentials = Depends(security)):
+    return decode_token(credentials.credentials)
+
+def require_admin(user=Depends(get_current_user)):
+    if user.get("role") != "admin":
+        raise HTTPException(status_code=403, detail="Nur Admins erlaubt")
+    return user
+
+# ── App ───────────────────────────────────────────────────────────────────────
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    init_db()
+    yield
+
+app = FastAPI(title="ImapSync Manager", lifespan=lifespan)
+
+# ── Schemas ───────────────────────────────────────────────────────────────────
+class LoginRequest(BaseModel):
+    username: str
+    password: str
+
+class UserCreate(BaseModel):
+    username: str
+    password: str
+    role: str = "viewer"  # admin | operator | viewer
+
+class UserUpdate(BaseModel):
+    password: Optional[str] = None
+    role: Optional[str] = None
+
+class SyncJobCreate(BaseModel):
+    name: str
+    src_host: str
+    src_port: int = 993
+    src_ssl: bool = True
+    src_user: str
+    src_password: str
+    dst_host: str
+    dst_port: int = 993
+    dst_ssl: bool = True
+    dst_user: str
+    dst_password: str
+    extra_args: str = ""
+    schedule: Optional[str] = None
+    enabled: bool = True
+
+class SyncJobUpdate(BaseModel):
+    name: Optional[str] = None
+    src_host: Optional[str] = None
+    src_port: Optional[int] = None
+    src_ssl: Optional[bool] = None
+    src_user: Optional[str] = None
+    src_password: Optional[str] = None
+    dst_host: Optional[str] = None
+    dst_port: Optional[int] = None
+    dst_ssl: Optional[bool] = None
+    dst_user: Optional[str] = None
+    dst_password: Optional[str] = None
+    extra_args: Optional[str] = None
+    schedule: Optional[str] = None
+    enabled: Optional[bool] = None
+
+# ── Health ────────────────────────────────────────────────────────────────────
+@app.get("/api/health")
+def health():
+    return {"status": "ok", "time": datetime.utcnow().isoformat()}
+
+# ── Auth Endpoints ────────────────────────────────────────────────────────────
+@app.post("/api/auth/login")
+def login(req: LoginRequest):
+    conn = get_db()
+    row = conn.execute(
+        "SELECT * FROM users WHERE username = ? AND password_md5 = ?",
+        (req.username, md5_hash(req.password))
+    ).fetchone()
+    conn.close()
+    if not row:
+        raise HTTPException(status_code=401, detail="Ungültige Zugangsdaten")
+    token = create_token(row["username"], row["role"])
+    return {"token": token, "username": row["username"], "role": row["role"]}
+
+@app.get("/api/auth/me")
+def me(user=Depends(get_current_user)):
+    return user
+
+# ── User Endpoints ────────────────────────────────────────────────────────────
+@app.get("/api/users")
+def list_users(user=Depends(require_admin)):
+    conn = get_db()
+    rows = conn.execute(
+        "SELECT id, username, role, created_at FROM users ORDER BY created_at DESC"
+    ).fetchall()
+    conn.close()
+    return [dict(r) for r in rows]
+
+@app.post("/api/users", status_code=201)
+def create_user(req: UserCreate, user=Depends(require_admin)):
+    conn = get_db()
+    try:
+        conn.execute(
+            "INSERT INTO users (username, password_md5, role) VALUES (?, ?, ?)",
+            (req.username, md5_hash(req.password), req.role)
+        )
+        conn.commit()
+    except sqlite3.IntegrityError:
+        raise HTTPException(status_code=409, detail="Benutzername bereits vergeben")
+    finally:
+        conn.close()
+    return {"message": f"Benutzer '{req.username}' erstellt"}
+
+@app.put("/api/users/{user_id}")
+def update_user(user_id: int, req: UserUpdate, user=Depends(require_admin)):
+    conn = get_db()
+    row = conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchone()
+    if not row:
+        raise HTTPException(status_code=404, detail="Benutzer nicht gefunden")
+    updates = {}
+    if req.password:
+        updates["password_md5"] = md5_hash(req.password)
+    if req.role:
+        updates["role"] = req.role
+    if updates:
+        set_clause = ", ".join(f"{k} = ?" for k in updates)
+        conn.execute(
+            f"UPDATE users SET {set_clause} WHERE id = ?",
+            (*updates.values(), user_id)
+        )
+        conn.commit()
+    conn.close()
+    return {"message": "Benutzer aktualisiert"}
+
+@app.delete("/api/users/{user_id}")
+def delete_user(user_id: int, user=Depends(require_admin)):
+    conn = get_db()
+    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
+    if not row:
+        raise HTTPException(status_code=404, detail="Benutzer nicht gefunden")
+    if row["username"] == user["sub"]:
+        raise HTTPException(status_code=400, detail="Eigenen Account nicht löschbar")
+    conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
+    conn.commit()
+    conn.close()
+    return {"message": "Benutzer gelöscht"}
+
+# ── Sync Job Endpoints ────────────────────────────────────────────────────────
+@app.get("/api/jobs")
+def list_jobs(user=Depends(get_current_user)):
+    conn = get_db()
+    rows = conn.execute("""
+        SELECT j.*,
+               (SELECT COUNT(*) FROM job_runs r WHERE r.job_id = j.id) as run_count,
+               (SELECT SUM(messages_synced) FROM job_runs r WHERE r.job_id = j.id) as total_synced
+        FROM sync_jobs j ORDER BY j.created_at DESC
+    """).fetchall()
+    conn.close()
+    result = []
+    for r in rows:
+        d = dict(r)
+        d.pop("src_password", None)
+        d.pop("dst_password", None)
+        result.append(d)
+    return result
+
+@app.post("/api/jobs", status_code=201)
+def create_job(req: SyncJobCreate, user=Depends(get_current_user)):
+    if user.get("role") == "viewer":
+        raise HTTPException(status_code=403, detail="Keine Berechtigung")
+    conn = get_db()
+    cur = conn.execute("""
+        INSERT INTO sync_jobs
+          (name,src_host,src_port,src_ssl,src_user,src_password,
+           dst_host,dst_port,dst_ssl,dst_user,dst_password,
+           extra_args,schedule,enabled,created_by)
+        VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)
+    """, (req.name, req.src_host, req.src_port, int(req.src_ssl), req.src_user, req.src_password,
+          req.dst_host, req.dst_port, int(req.dst_ssl), req.dst_user, req.dst_password,
+          req.extra_args, req.schedule, int(req.enabled), user["sub"]))
+    conn.commit()
+    job_id = cur.lastrowid
+    conn.close()
+    return {"message": "Job erstellt", "id": job_id}
+
+@app.get("/api/jobs/{job_id}")
+def get_job(job_id: int, user=Depends(get_current_user)):
+    conn = get_db()
+    row = conn.execute("SELECT * FROM sync_jobs WHERE id = ?", (job_id,)).fetchone()
+    conn.close()
+    if not row:
+        raise HTTPException(status_code=404, detail="Job nicht gefunden")
+    d = dict(row)
+    if user.get("role") == "viewer":
+        d.pop("src_password", None)
+        d.pop("dst_password", None)
+    return d
+
+@app.put("/api/jobs/{job_id}")
+def update_job(job_id: int, req: SyncJobUpdate, user=Depends(get_current_user)):
+    if user.get("role") == "viewer":
+        raise HTTPException(status_code=403, detail="Keine Berechtigung")
+    conn = get_db()
+    row = conn.execute("SELECT id FROM sync_jobs WHERE id = ?", (job_id,)).fetchone()
+    if not row:
+        raise HTTPException(status_code=404, detail="Job nicht gefunden")
+    fields = {k: v for k, v in req.model_dump().items() if v is not None}
+    if "src_ssl" in fields:
+        fields["src_ssl"] = int(fields["src_ssl"])
+    if "dst_ssl" in fields:
+        fields["dst_ssl"] = int(fields["dst_ssl"])
+    if "enabled" in fields:
+        fields["enabled"] = int(fields["enabled"])
+    if fields:
+        set_clause = ", ".join(f"{k} = ?" for k in fields)
+        conn.execute(
+            f"UPDATE sync_jobs SET {set_clause} WHERE id = ?",
+            (*fields.values(), job_id)
+        )
+        conn.commit()
+    conn.close()
+    return {"message": "Job aktualisiert"}
+
+@app.delete("/api/jobs/{job_id}")
+def delete_job(job_id: int, user=Depends(get_current_user)):
+    if user.get("role") == "viewer":
+        raise HTTPException(status_code=403, detail="Keine Berechtigung")
+    conn = get_db()
+    conn.execute("DELETE FROM job_runs WHERE job_id = ?", (job_id,))
+    conn.execute("DELETE FROM sync_jobs WHERE id = ?", (job_id,))
+    conn.commit()
+    conn.close()
+    return {"message": "Job gelöscht"}
+
+@app.post("/api/jobs/{job_id}/trigger")
+def trigger_job(job_id: int, user=Depends(get_current_user)):
+    if user.get("role") == "viewer":
+        raise HTTPException(status_code=403, detail="Keine Berechtigung")
+    conn = get_db()
+    row = conn.execute("SELECT status FROM sync_jobs WHERE id = ?", (job_id,)).fetchone()
+    if not row:
+        raise HTTPException(status_code=404, detail="Job nicht gefunden")
+    if row["status"] in ("queued", "running"):
+        raise HTTPException(status_code=409, detail="Job läuft bereits oder ist in der Warteschlange")
+    conn.execute("UPDATE sync_jobs SET status = 'queued' WHERE id = ?", (job_id,))
+    conn.commit()
+    conn.close()
+    return {"message": "Job in Warteschlange eingereiht"}
+
+@app.post("/api/jobs/{job_id}/stop")
+def stop_job(job_id: int, user=Depends(get_current_user)):
+    if user.get("role") == "viewer":
+        raise HTTPException(status_code=403, detail="Keine Berechtigung")
+    conn = get_db()
+    conn.execute(
+        "UPDATE sync_jobs SET status = 'idle' WHERE id = ? AND status = 'queued'",
+        (job_id,)
+    )
+    conn.commit()
+    conn.close()
+    return {"message": "Job aus Warteschlange entfernt (wenn möglich)"}
+
+# ── Run / Log Endpoints ───────────────────────────────────────────────────────
+@app.get("/api/jobs/{job_id}/runs")
+def get_job_runs(job_id: int, limit: int = 50, user=Depends(get_current_user)):
+    conn = get_db()
+    rows = conn.execute("""
+        SELECT * FROM job_runs WHERE job_id = ?
+        ORDER BY started_at DESC LIMIT ?
+    """, (job_id, limit)).fetchall()
+    conn.close()
+    return [dict(r) for r in rows]
+
+@app.get("/api/runs/{run_id}/log")
+def get_run_log(run_id: int, user=Depends(get_current_user)):
+    conn = get_db()
+    row = conn.execute("SELECT log_file FROM job_runs WHERE id = ?", (run_id,)).fetchone()
+    conn.close()
+    if not row or not row["log_file"]:
+        raise HTTPException(status_code=404, detail="Kein Log gefunden")
+    log_path = os.path.join(LOG_DIR, row["log_file"])
+    if not os.path.exists(log_path):
+        raise HTTPException(status_code=404, detail="Logdatei nicht vorhanden")
+    with open(log_path, "r", errors="replace") as f:
+        return {"content": f.read()}
+
+# ── Stats Endpoint ────────────────────────────────────────────────────────────
+@app.get("/api/stats")
+def get_stats(user=Depends(get_current_user)):
+    conn = get_db()
+    total_jobs = conn.execute("SELECT COUNT(*) FROM sync_jobs").fetchone()[0]
+    active_jobs = conn.execute("SELECT COUNT(*) FROM sync_jobs WHERE enabled=1").fetchone()[0]
+    running = conn.execute("SELECT COUNT(*) FROM sync_jobs WHERE status='running'").fetchone()[0]
+    queued = conn.execute("SELECT COUNT(*) FROM sync_jobs WHERE status='queued'").fetchone()[0]
+    total_runs = conn.execute("SELECT COUNT(*) FROM job_runs").fetchone()[0]
+    failed_runs = conn.execute("SELECT COUNT(*) FROM job_runs WHERE status='failed'").fetchone()[0]
+    total_synced = conn.execute("SELECT COALESCE(SUM(messages_synced),0) FROM job_runs").fetchone()[0]
+    total_errors = conn.execute("SELECT COALESCE(SUM(errors),0) FROM job_runs").fetchone()[0]
+
+    # Last 14 days activity
+    daily = conn.execute("""
+        SELECT DATE(started_at) as day,
+               COUNT(*) as runs,
+               COALESCE(SUM(messages_synced),0) as synced,
+               COALESCE(SUM(errors),0) as errors
+        FROM job_runs
+        WHERE started_at >= DATE('now', '-14 days')
+        GROUP BY day ORDER BY day
+    """).fetchall()
+
+    # Recent runs
+    recent = conn.execute("""
+        SELECT r.id, r.job_id, j.name as job_name, r.started_at, r.finished_at,
+               r.status, r.messages_synced, r.errors, r.duration_sec
+        FROM job_runs r
+        JOIN sync_jobs j ON j.id = r.job_id
+        ORDER BY r.started_at DESC LIMIT 10
+    """).fetchall()
+
+    conn.close()
+    return {
+        "jobs": {"total": total_jobs, "active": active_jobs, "running": running, "queued": queued},
+        "runs": {"total": total_runs, "failed": failed_runs},
+        "messages": {"synced": total_synced, "errors": total_errors},
+        "daily": [dict(d) for d in daily],
+        "recent_runs": [dict(r) for r in recent],
+    }
+
+# ── Static Frontend ───────────────────────────────────────────────────────────
+app.mount("/static", StaticFiles(directory="static"), name="static")
+
+@app.get("/{full_path:path}", response_class=HTMLResponse)
+async def serve_spa(full_path: str):
+    with open("static/index.html", "r") as f:
+        return HTMLResponse(f.read())
diff --git a/backend/requirements.txt b/backend/requirements.txt
new file mode 100644
index 0000000..710dbb2
--- /dev/null
+++ b/backend/requirements.txt
@@ -0,0 +1,8 @@
+fastapi==0.115.0
+uvicorn[standard]==0.32.0
+python-multipart==0.0.12
+pydantic==2.9.2
+python-jose[cryptography]==3.3.0
+passlib==1.7.4
+croniter==3.0.3
+aiofiles==24.1.0
diff --git a/backend/static/index.html b/backend/static/index.html
new file mode 100644
index 0000000..d093981
--- /dev/null
+++ b/backend/static/index.html
@@ -0,0 +1,1258 @@
+<!DOCTYPE html>
+<html lang="de">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>ImapSync Manager</title>
+<style>
+  @import url('https://fonts.googleapis.com/css2?family=IBM+Plex+Mono:wght@300;400;500;600&family=IBM+Plex+Sans:wght@300;400;500;600&display=swap');
+
+  :root {
+    --bg:        #0d1117;
+    --surface:   #161b22;
+    --surface2:  #1c2128;
+    --border:    #30363d;
+    --border2:   #21262d;
+    --text:      #e6edf3;
+    --muted:     #7d8590;
+    --accent:    #2ea043;
+    --accent-dim:#1a6629;
+    --blue:      #388bfd;
+    --blue-dim:  #1b3d6e;
+    --warn:      #d29922;
+    --danger:    #f85149;
+    --danger-dim:#5c1a18;
+    --mono:      'IBM Plex Mono', monospace;
+    --sans:      'IBM Plex Sans', sans-serif;
+  }
+
+  * { box-sizing: border-box; margin: 0; padding: 0; }
+
+  body {
+    font-family: var(--sans);
+    background: var(--bg);
+    color: var(--text);
+    min-height: 100vh;
+    font-size: 14px;
+  }
+
+  /* ── Login ── */
+  #login-screen {
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    min-height: 100vh;
+    background: var(--bg);
+  }
+  .login-box {
+    width: 360px;
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: 8px;
+    padding: 40px;
+  }
+  .login-logo {
+    text-align: center;
+    margin-bottom: 32px;
+  }
+  .login-logo .brand {
+    font-family: var(--mono);
+    font-size: 11px;
+    letter-spacing: 4px;
+    text-transform: uppercase;
+    color: var(--muted);
+    display: block;
+    margin-bottom: 8px;
+  }
+  .login-logo h1 {
+    font-family: var(--mono);
+    font-size: 22px;
+    font-weight: 600;
+    color: var(--accent);
+  }
+  .login-logo .pulse {
+    display: inline-block;
+    width: 8px; height: 8px;
+    background: var(--accent);
+    border-radius: 50%;
+    margin-left: 8px;
+    animation: pulse 2s infinite;
+  }
+  @keyframes pulse {
+    0%,100% { opacity: 1; transform: scale(1); }
+    50%      { opacity: 0.4; transform: scale(0.8); }
+  }
+
+  /* ── App Shell ── */
+  #app { display: none; min-height: 100vh; }
+  #app.visible { display: flex; }
+
+  .sidebar {
+    width: 220px;
+    background: var(--surface);
+    border-right: 1px solid var(--border);
+    display: flex;
+    flex-direction: column;
+    padding: 0;
+    flex-shrink: 0;
+  }
+  .sidebar-header {
+    padding: 20px 20px 16px;
+    border-bottom: 1px solid var(--border2);
+  }
+  .sidebar-header .brand {
+    font-family: var(--mono);
+    font-size: 10px;
+    letter-spacing: 3px;
+    color: var(--muted);
+    text-transform: uppercase;
+  }
+  .sidebar-header h2 {
+    font-family: var(--mono);
+    font-size: 16px;
+    font-weight: 600;
+    color: var(--accent);
+    margin-top: 4px;
+  }
+  .sidebar-header h2 .dot {
+    display: inline-block;
+    width: 6px; height: 6px;
+    background: var(--accent);
+    border-radius: 50%;
+    margin-left: 6px;
+    animation: pulse 2s infinite;
+    vertical-align: middle;
+    margin-bottom: 2px;
+  }
+
+  nav { flex: 1; padding: 12px 0; }
+  nav a {
+    display: flex;
+    align-items: center;
+    gap: 10px;
+    padding: 9px 20px;
+    color: var(--muted);
+    text-decoration: none;
+    font-size: 13px;
+    font-weight: 500;
+    border-left: 2px solid transparent;
+    transition: all 0.15s;
+    cursor: pointer;
+  }
+  nav a:hover { color: var(--text); background: var(--surface2); }
+  nav a.active { color: var(--text); border-left-color: var(--accent); background: var(--surface2); }
+  nav a .icon { font-size: 15px; width: 18px; text-align: center; }
+  nav .nav-section {
+    font-family: var(--mono);
+    font-size: 10px;
+    letter-spacing: 2px;
+    color: var(--muted);
+    padding: 16px 20px 6px;
+    text-transform: uppercase;
+  }
+
+  .sidebar-footer {
+    padding: 16px 20px;
+    border-top: 1px solid var(--border2);
+    display: flex;
+    align-items: center;
+    gap: 10px;
+  }
+  .user-avatar {
+    width: 28px; height: 28px;
+    background: var(--accent-dim);
+    border-radius: 50%;
+    display: flex; align-items: center; justify-content: center;
+    font-family: var(--mono);
+    font-size: 11px;
+    color: var(--accent);
+    font-weight: 600;
+    flex-shrink: 0;
+  }
+  .user-info { flex: 1; min-width: 0; }
+  .user-info .name { font-size: 12px; font-weight: 500; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; }
+  .user-info .role { font-size: 10px; font-family: var(--mono); color: var(--muted); text-transform: uppercase; letter-spacing: 1px; }
+  .logout-btn {
+    background: none; border: none; color: var(--muted); cursor: pointer;
+    font-size: 14px; padding: 4px; border-radius: 4px;
+    transition: color 0.15s;
+  }
+  .logout-btn:hover { color: var(--danger); }
+
+  /* ── Main Content ── */
+  .main { flex: 1; display: flex; flex-direction: column; overflow: hidden; }
+  .topbar {
+    height: 52px;
+    border-bottom: 1px solid var(--border);
+    display: flex;
+    align-items: center;
+    padding: 0 24px;
+    gap: 12px;
+    background: var(--surface);
+  }
+  .page-title {
+    flex: 1;
+    font-size: 14px;
+    font-weight: 600;
+    font-family: var(--mono);
+    letter-spacing: 0.5px;
+  }
+
+  .content { flex: 1; overflow-y: auto; padding: 24px; }
+
+  /* ── Cards / Grid ── */
+  .stat-grid {
+    display: grid;
+    grid-template-columns: repeat(auto-fill, minmax(180px, 1fr));
+    gap: 12px;
+    margin-bottom: 24px;
+  }
+  .stat-card {
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: 6px;
+    padding: 16px 18px;
+  }
+  .stat-card .label {
+    font-family: var(--mono);
+    font-size: 10px;
+    letter-spacing: 2px;
+    color: var(--muted);
+    text-transform: uppercase;
+    margin-bottom: 8px;
+  }
+  .stat-card .value {
+    font-family: var(--mono);
+    font-size: 28px;
+    font-weight: 600;
+    line-height: 1;
+  }
+  .stat-card .sub { font-size: 11px; color: var(--muted); margin-top: 4px; }
+  .stat-card.green .value { color: var(--accent); }
+  .stat-card.blue .value { color: var(--blue); }
+  .stat-card.yellow .value { color: var(--warn); }
+  .stat-card.red .value { color: var(--danger); }
+
+  /* ── Panel ── */
+  .panel {
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: 6px;
+    margin-bottom: 20px;
+  }
+  .panel-header {
+    padding: 14px 18px;
+    border-bottom: 1px solid var(--border2);
+    display: flex;
+    align-items: center;
+    gap: 10px;
+  }
+  .panel-header h3 {
+    flex: 1;
+    font-family: var(--mono);
+    font-size: 12px;
+    letter-spacing: 1px;
+    text-transform: uppercase;
+    color: var(--muted);
+  }
+  .panel-body { padding: 0; }
+
+  /* ── Table ── */
+  table { width: 100%; border-collapse: collapse; }
+  th {
+    text-align: left;
+    padding: 10px 18px;
+    font-family: var(--mono);
+    font-size: 10px;
+    letter-spacing: 1.5px;
+    color: var(--muted);
+    text-transform: uppercase;
+    border-bottom: 1px solid var(--border2);
+    font-weight: 500;
+  }
+  td { padding: 11px 18px; border-bottom: 1px solid var(--border2); vertical-align: middle; }
+  tr:last-child td { border-bottom: none; }
+  tr:hover td { background: var(--surface2); }
+
+  /* ── Badges ── */
+  .badge {
+    display: inline-flex;
+    align-items: center;
+    gap: 5px;
+    padding: 3px 8px;
+    border-radius: 4px;
+    font-family: var(--mono);
+    font-size: 10px;
+    font-weight: 500;
+    letter-spacing: 0.5px;
+    text-transform: uppercase;
+  }
+  .badge-dot { width: 5px; height: 5px; border-radius: 50%; }
+  .badge.idle     { background: rgba(125,133,144,0.15); color: var(--muted); }
+  .badge.idle .badge-dot { background: var(--muted); }
+  .badge.queued   { background: rgba(210,153,34,0.15); color: var(--warn); }
+  .badge.queued .badge-dot { background: var(--warn); animation: pulse 1s infinite; }
+  .badge.running  { background: rgba(56,139,253,0.15); color: var(--blue); }
+  .badge.running .badge-dot { background: var(--blue); animation: pulse 0.8s infinite; }
+  .badge.done     { background: rgba(46,160,67,0.15); color: var(--accent); }
+  .badge.done .badge-dot { background: var(--accent); }
+  .badge.failed   { background: rgba(248,81,73,0.15); color: var(--danger); }
+  .badge.failed .badge-dot { background: var(--danger); }
+  .badge.admin    { background: rgba(56,139,253,0.15); color: var(--blue); }
+  .badge.operator { background: rgba(210,153,34,0.15); color: var(--warn); }
+  .badge.viewer   { background: rgba(125,133,144,0.15); color: var(--muted); }
+  .badge.enabled  { background: rgba(46,160,67,0.15); color: var(--accent); }
+  .badge.disabled { background: rgba(125,133,144,0.15); color: var(--muted); }
+
+  /* ── Buttons ── */
+  .btn {
+    display: inline-flex;
+    align-items: center;
+    gap: 6px;
+    padding: 7px 14px;
+    border-radius: 5px;
+    border: 1px solid transparent;
+    font-family: var(--sans);
+    font-size: 13px;
+    font-weight: 500;
+    cursor: pointer;
+    transition: all 0.15s;
+    white-space: nowrap;
+    text-decoration: none;
+  }
+  .btn-primary { background: var(--accent); color: #fff; border-color: var(--accent); }
+  .btn-primary:hover { background: #3fb950; }
+  .btn-outline { background: transparent; color: var(--text); border-color: var(--border); }
+  .btn-outline:hover { background: var(--surface2); border-color: var(--muted); }
+  .btn-danger { background: transparent; color: var(--danger); border-color: var(--danger-dim); }
+  .btn-danger:hover { background: rgba(248,81,73,0.1); }
+  .btn-sm { padding: 4px 10px; font-size: 12px; }
+  .btn-icon { padding: 5px 8px; font-size: 14px; }
+
+  /* ── Forms ── */
+  .form-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 14px; }
+  .form-group { display: flex; flex-direction: column; gap: 6px; }
+  .form-group.full { grid-column: 1 / -1; }
+  label { font-size: 12px; font-weight: 500; color: var(--muted); font-family: var(--mono); letter-spacing: 0.5px; }
+  input, select, textarea {
+    background: var(--bg);
+    border: 1px solid var(--border);
+    border-radius: 5px;
+    color: var(--text);
+    padding: 8px 12px;
+    font-family: var(--sans);
+    font-size: 13px;
+    transition: border-color 0.15s;
+    width: 100%;
+  }
+  input:focus, select:focus, textarea:focus {
+    outline: none;
+    border-color: var(--blue);
+  }
+  input[type="checkbox"] { width: auto; }
+  textarea { resize: vertical; min-height: 80px; font-family: var(--mono); font-size: 12px; }
+  select option { background: var(--surface); }
+  .form-actions { display: flex; gap: 10px; justify-content: flex-end; margin-top: 20px; padding-top: 16px; border-top: 1px solid var(--border2); }
+  .section-divider {
+    grid-column: 1 / -1;
+    padding-top: 8px;
+    border-top: 1px solid var(--border2);
+    font-family: var(--mono);
+    font-size: 10px;
+    letter-spacing: 2px;
+    color: var(--muted);
+    text-transform: uppercase;
+  }
+
+  /* ── Modal ── */
+  .modal-overlay {
+    position: fixed; inset: 0;
+    background: rgba(0,0,0,0.7);
+    display: flex; align-items: center; justify-content: center;
+    z-index: 100;
+    backdrop-filter: blur(2px);
+  }
+  .modal {
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: 8px;
+    width: 620px;
+    max-width: 95vw;
+    max-height: 90vh;
+    overflow-y: auto;
+  }
+  .modal-header {
+    padding: 18px 22px;
+    border-bottom: 1px solid var(--border2);
+    display: flex; align-items: center; gap: 12px;
+  }
+  .modal-header h3 { flex: 1; font-family: var(--mono); font-size: 14px; }
+  .modal-body { padding: 22px; }
+  .modal-close { background: none; border: none; color: var(--muted); cursor: pointer; font-size: 18px; padding: 4px; }
+  .modal-close:hover { color: var(--text); }
+
+  /* ── Log viewer ── */
+  .log-viewer {
+    background: #0a0d10;
+    border: 1px solid var(--border);
+    border-radius: 5px;
+    padding: 16px;
+    font-family: var(--mono);
+    font-size: 11px;
+    line-height: 1.7;
+    color: #8b949e;
+    max-height: 500px;
+    overflow-y: auto;
+    white-space: pre-wrap;
+    word-break: break-all;
+  }
+  .log-viewer .log-ok   { color: var(--accent); }
+  .log-viewer .log-err  { color: var(--danger); }
+  .log-viewer .log-warn { color: var(--warn); }
+  .log-viewer .log-info { color: var(--blue); }
+
+  /* ── Chart ── */
+  .chart-area { padding: 16px 18px; }
+  .bar-chart { display: flex; align-items: flex-end; gap: 4px; height: 80px; }
+  .bar-col { flex: 1; display: flex; flex-direction: column; align-items: center; gap: 3px; }
+  .bar { width: 100%; border-radius: 2px 2px 0 0; min-height: 2px; background: var(--accent-dim); transition: background 0.15s; }
+  .bar:hover { background: var(--accent); }
+  .bar-label { font-family: var(--mono); font-size: 9px; color: var(--muted); white-space: nowrap; }
+  .chart-legend { display: flex; gap: 16px; margin-top: 10px; }
+  .legend-item { display: flex; align-items: center; gap: 5px; font-size: 11px; color: var(--muted); }
+  .legend-dot { width: 8px; height: 8px; border-radius: 2px; }
+
+  /* ── Toast ── */
+  .toast-container {
+    position: fixed; bottom: 24px; right: 24px; z-index: 200;
+    display: flex; flex-direction: column; gap: 8px;
+  }
+  .toast {
+    padding: 12px 16px;
+    border-radius: 6px;
+    font-size: 13px;
+    border: 1px solid;
+    max-width: 320px;
+    animation: slideIn 0.2s ease;
+  }
+  @keyframes slideIn { from { transform: translateX(20px); opacity: 0; } }
+  .toast.success { background: rgba(46,160,67,0.2); border-color: var(--accent); color: var(--accent); }
+  .toast.error   { background: rgba(248,81,73,0.2); border-color: var(--danger); color: var(--danger); }
+  .toast.info    { background: rgba(56,139,253,0.2); border-color: var(--blue); color: var(--blue); }
+
+  /* ── Misc ── */
+  .mono { font-family: var(--mono); }
+  .text-muted { color: var(--muted); }
+  .text-sm { font-size: 12px; }
+  .flex { display: flex; align-items: center; }
+  .gap-8 { gap: 8px; }
+  .gap-12 { gap: 12px; }
+  .ml-auto { margin-left: auto; }
+  .empty-state { text-align: center; padding: 48px; color: var(--muted); }
+  .empty-state .icon { font-size: 36px; margin-bottom: 12px; }
+  .spinner { display: inline-block; width: 14px; height: 14px; border: 2px solid var(--border); border-top-color: var(--accent); border-radius: 50%; animation: spin 0.6s linear infinite; }
+  @keyframes spin { to { transform: rotate(360deg); } }
+
+  /* ── Activity feed ── */
+  .activity-item { display: flex; align-items: flex-start; gap: 10px; padding: 10px 18px; border-bottom: 1px solid var(--border2); }
+  .activity-item:last-child { border-bottom: none; }
+  .activity-dot { width: 6px; height: 6px; border-radius: 50%; margin-top: 5px; flex-shrink: 0; }
+  .activity-dot.done { background: var(--accent); }
+  .activity-dot.failed { background: var(--danger); }
+  .activity-dot.running { background: var(--blue); animation: pulse 0.8s infinite; }
+  .activity-meta { font-size: 11px; color: var(--muted); font-family: var(--mono); margin-top: 2px; }
+</style>
+</head>
+<body>
+
+<!-- Login -->
+<div id="login-screen">
+  <div class="login-box">
+    <div class="login-logo">
+      <span class="brand">IMAP Sync Manager</span>
+      <h1>▸ IMS <span class="pulse"></span></h1>
+    </div>
+    <div class="form-group" style="margin-bottom:14px">
+      <label>BENUTZERNAME</label>
+      <input id="login-user" type="text" placeholder="admin" autocomplete="username">
+    </div>
+    <div class="form-group" style="margin-bottom:20px">
+      <label>PASSWORT</label>
+      <input id="login-pass" type="password" placeholder="••••••••" autocomplete="current-password">
+    </div>
+    <button class="btn btn-primary" style="width:100%;justify-content:center" onclick="doLogin()">Anmelden</button>
+    <div id="login-error" style="color:var(--danger);font-size:12px;text-align:center;margin-top:12px;display:none"></div>
+    <div style="text-align:center;margin-top:20px;font-size:11px;color:var(--muted);font-family:var(--mono)">
+      Standard: admin / admin
+    </div>
+  </div>
+</div>
+
+<!-- App -->
+<div id="app">
+  <aside class="sidebar">
+    <div class="sidebar-header">
+      <div class="brand">IMAP Sync</div>
+      <h2>Manager <span class="dot"></span></h2>
+    </div>
+    <nav>
+      <div class="nav-section">Übersicht</div>
+      <a onclick="navigate('dashboard')" data-page="dashboard" class="active">
+        <span class="icon">◈</span> Dashboard
+      </a>
+      <div class="nav-section">Aufträge</div>
+      <a onclick="navigate('jobs')" data-page="jobs">
+        <span class="icon">⟳</span> Sync-Jobs
+      </a>
+      <a onclick="navigate('runs')" data-page="runs">
+        <span class="icon">◎</span> Verlauf
+      </a>
+      <div class="nav-section" id="admin-nav" style="display:none">Administration</div>
+      <a onclick="navigate('users')" data-page="users" id="admin-link" style="display:none">
+        <span class="icon">◉</span> Benutzer
+      </a>
+    </nav>
+    <div class="sidebar-footer">
+      <div class="user-avatar" id="user-avatar">A</div>
+      <div class="user-info">
+        <div class="name" id="sidebar-username">-</div>
+        <div class="role" id="sidebar-role">-</div>
+      </div>
+      <button class="logout-btn" onclick="logout()" title="Abmelden">⏻</button>
+    </div>
+  </aside>
+
+  <div class="main">
+    <div class="topbar">
+      <span class="page-title" id="page-title">◈ DASHBOARD</span>
+      <div id="topbar-actions"></div>
+    </div>
+    <div class="content" id="content"></div>
+  </div>
+</div>
+
+<!-- Modals -->
+<div id="modal-container"></div>
+
+<!-- Toasts -->
+<div class="toast-container" id="toasts"></div>
+
+<script>
+// ── State ──────────────────────────────────────────────────────────────────
+let state = { token: null, user: null, refreshTimer: null };
+
+// ── API ────────────────────────────────────────────────────────────────────
+const api = {
+  async req(method, path, body = null) {
+    const opts = {
+      method,
+      headers: { 'Content-Type': 'application/json' }
+    };
+    if (state.token) opts.headers['Authorization'] = 'Bearer ' + state.token;
+    if (body) opts.body = JSON.stringify(body);
+    const res = await fetch('/api' + path, opts);
+    if (res.status === 401) { logout(); return; }
+    const data = await res.json();
+    if (!res.ok) throw new Error(data.detail || 'API-Fehler');
+    return data;
+  },
+  get: (p) => api.req('GET', p),
+  post: (p, b) => api.req('POST', p, b),
+  put: (p, b) => api.req('PUT', p, b),
+  delete: (p) => api.req('DELETE', p),
+};
+
+// ── Auth ───────────────────────────────────────────────────────────────────
+async function doLogin() {
+  const u = document.getElementById('login-user').value.trim();
+  const p = document.getElementById('login-pass').value;
+  if (!u || !p) return;
+  try {
+    const data = await api.post('/auth/login', { username: u, password: p });
+    state.token = data.token;
+    state.user = { username: data.username, role: data.role };
+    localStorage.setItem('ims_token', data.token);
+    startApp();
+  } catch(e) {
+    const el = document.getElementById('login-error');
+    el.textContent = e.message;
+    el.style.display = 'block';
+  }
+}
+
+document.getElementById('login-pass').addEventListener('keydown', e => {
+  if (e.key === 'Enter') doLogin();
+});
+
+function logout() {
+  state.token = null; state.user = null;
+  localStorage.removeItem('ims_token');
+  if (state.refreshTimer) clearInterval(state.refreshTimer);
+  document.getElementById('app').classList.remove('visible');
+  document.getElementById('login-screen').style.display = 'flex';
+}
+
+function startApp() {
+  document.getElementById('login-screen').style.display = 'none';
+  document.getElementById('app').classList.add('visible');
+
+  // Sidebar user info
+  document.getElementById('sidebar-username').textContent = state.user.username;
+  document.getElementById('sidebar-role').textContent = state.user.role;
+  document.getElementById('user-avatar').textContent = state.user.username[0].toUpperCase();
+
+  if (state.user.role === 'admin') {
+    document.getElementById('admin-nav').style.display = '';
+    document.getElementById('admin-link').style.display = '';
+  }
+
+  navigate('dashboard');
+}
+
+// Check saved token
+(async () => {
+  const saved = localStorage.getItem('ims_token');
+  if (saved) {
+    state.token = saved;
+    try {
+      const me = await api.get('/auth/me');
+      state.user = { username: me.sub, role: me.role };
+      startApp();
+    } catch { logout(); }
+  }
+})();
+
+// ── Navigation ──────────────────────────────────────────────────────────────
+function navigate(page) {
+  document.querySelectorAll('nav a').forEach(a => a.classList.remove('active'));
+  const link = document.querySelector(`nav a[data-page="${page}"]`);
+  if (link) link.classList.add('active');
+  if (state.refreshTimer) clearInterval(state.refreshTimer);
+
+  const titles = { dashboard:'◈ DASHBOARD', jobs:'⟳ SYNC-JOBS', runs:'◎ VERLAUF', users:'◉ BENUTZER' };
+  document.getElementById('page-title').textContent = titles[page] || page.toUpperCase();
+  document.getElementById('topbar-actions').innerHTML = '';
+
+  const pages = { dashboard: renderDashboard, jobs: renderJobs, runs: renderRuns, users: renderUsers };
+  if (pages[page]) pages[page]();
+}
+
+// ── Toast ──────────────────────────────────────────────────────────────────
+function toast(msg, type = 'success') {
+  const t = document.createElement('div');
+  t.className = `toast ${type}`;
+  t.textContent = msg;
+  document.getElementById('toasts').appendChild(t);
+  setTimeout(() => t.remove(), 3500);
+}
+
+// ── Modal ──────────────────────────────────────────────────────────────────
+function openModal(html) {
+  const overlay = document.createElement('div');
+  overlay.className = 'modal-overlay';
+  overlay.innerHTML = html;
+  overlay.addEventListener('click', e => { if (e.target === overlay) overlay.remove(); });
+  document.getElementById('modal-container').appendChild(overlay);
+  return overlay;
+}
+function closeModal() {
+  document.querySelector('.modal-overlay')?.remove();
+}
+
+// ── Dashboard ──────────────────────────────────────────────────────────────
+async function renderDashboard() {
+  const content = document.getElementById('content');
+  content.innerHTML = '<div class="empty-state"><div class="spinner"></div></div>';
+  try {
+    const s = await api.get('/stats');
+    let dailyChart = '';
+    if (s.daily && s.daily.length > 0) {
+      const maxVal = Math.max(...s.daily.map(d => d.synced), 1);
+      dailyChart = s.daily.map(d => {
+        const h = Math.max(4, Math.round((d.synced / maxVal) * 76));
+        const label = d.day.substring(5); // MM-DD
+        return `<div class="bar-col">
+          <div class="bar" style="height:${h}px" title="${d.day}: ${d.synced} msgs, ${d.runs} runs"></div>
+          <div class="bar-label">${label}</div>
+        </div>`;
+      }).join('');
+    } else {
+      dailyChart = '<div style="color:var(--muted);font-size:12px;padding:24px 0">Noch keine Daten</div>';
+    }
+
+    const recentRows = (s.recent_runs || []).map(r => `
+      <div class="activity-item">
+        <div class="activity-dot ${r.status}"></div>
+        <div style="flex:1;min-width:0">
+          <div class="flex gap-8">
+            <span style="font-weight:500;font-size:13px">${esc(r.job_name)}</span>
+            <span class="badge ${r.status}">${r.status}</span>
+          </div>
+          <div class="activity-meta">
+            ${fmtDate(r.started_at)} &nbsp;·&nbsp;
+            ${r.messages_synced} Nachrichten
+            ${r.duration_sec ? '&nbsp;·&nbsp;' + fmtDuration(r.duration_sec) : ''}
+          </div>
+        </div>
+      </div>
+    `).join('') || '<div class="empty-state" style="padding:24px">Keine Ausführungen</div>';
+
+    content.innerHTML = `
+      <div class="stat-grid">
+        <div class="stat-card blue">
+          <div class="label">Sync-Jobs</div>
+          <div class="value">${s.jobs.total}</div>
+          <div class="sub">${s.jobs.active} aktiv</div>
+        </div>
+        <div class="stat-card ${s.jobs.running > 0 ? 'blue' : ''}">
+          <div class="label">Laufend</div>
+          <div class="value">${s.jobs.running}</div>
+          <div class="sub">${s.jobs.queued} in Warteschlange</div>
+        </div>
+        <div class="stat-card green">
+          <div class="label">Nachr. synchronisiert</div>
+          <div class="value">${fmtNum(s.messages.synced)}</div>
+          <div class="sub">${s.runs.total} Ausführungen gesamt</div>
+        </div>
+        <div class="stat-card ${s.runs.failed > 0 ? 'red' : ''}">
+          <div class="label">Fehlgeschlagen</div>
+          <div class="value">${s.runs.failed}</div>
+          <div class="sub">Ausführungen</div>
+        </div>
+      </div>
+
+      <div style="display:grid;grid-template-columns:1fr 1fr;gap:16px">
+        <div class="panel">
+          <div class="panel-header"><h3>Aktivität (14 Tage)</h3></div>
+          <div class="chart-area">
+            <div class="bar-chart">${dailyChart}</div>
+            <div class="chart-legend">
+              <div class="legend-item"><div class="legend-dot" style="background:var(--accent)"></div> Sync. Nachrichten</div>
+            </div>
+          </div>
+        </div>
+        <div class="panel">
+          <div class="panel-header">
+            <h3>Letzte Ausführungen</h3>
+            <button class="btn btn-outline btn-sm" onclick="navigate('runs')">Alle →</button>
+          </div>
+          <div class="panel-body">${recentRows}</div>
+        </div>
+      </div>
+    `;
+
+    // Auto-refresh every 30s
+    state.refreshTimer = setInterval(renderDashboard, 30000);
+  } catch(e) {
+    content.innerHTML = `<div class="empty-state"><div>Fehler: ${e.message}</div></div>`;
+  }
+}
+
+// ── Jobs ───────────────────────────────────────────────────────────────────
+async function renderJobs() {
+  const content = document.getElementById('content');
+  const canEdit = state.user.role !== 'viewer';
+
+  if (canEdit) {
+    document.getElementById('topbar-actions').innerHTML =
+      `<button class="btn btn-primary" onclick="showJobModal()">+ Neuer Job</button>`;
+  }
+
+  content.innerHTML = '<div class="empty-state"><div class="spinner"></div></div>';
+  try {
+    const jobs = await api.get('/jobs');
+    if (!jobs.length) {
+      content.innerHTML = `<div class="empty-state">
+        <div class="icon">⟳</div>
+        <div>Noch keine Sync-Jobs konfiguriert</div>
+        ${canEdit ? '<button class="btn btn-primary" style="margin-top:16px" onclick="showJobModal()">+ Ersten Job erstellen</button>' : ''}
+      </div>`;
+      return;
+    }
+
+    content.innerHTML = `
+      <div class="panel">
+        <div class="panel-header"><h3>${jobs.length} Jobs</h3></div>
+        <table>
+          <thead>
+            <tr>
+              <th>Name</th>
+              <th>Quelle → Ziel</th>
+              <th>Status</th>
+              <th>Zeitplan</th>
+              <th>Letzte Ausführung</th>
+              <th>Synced</th>
+              <th></th>
+            </tr>
+          </thead>
+          <tbody>
+            ${jobs.map(j => `
+              <tr>
+                <td>
+                  <div style="font-weight:500">${esc(j.name)}</div>
+                  <div class="text-muted text-sm mono">#${j.id}</div>
+                </td>
+                <td>
+                  <div class="mono text-sm">${esc(j.src_host)} → ${esc(j.dst_host)}</div>
+                  <div class="text-muted text-sm">${esc(j.src_user)} → ${esc(j.dst_user)}</div>
+                </td>
+                <td>
+                  <div>${statusBadge(j.status)}</div>
+                  <div style="margin-top:4px">${j.enabled ? '<span class="badge enabled">aktiv</span>' : '<span class="badge disabled">deaktiviert</span>'}</div>
+                </td>
+                <td class="mono text-sm">${j.schedule ? esc(j.schedule) : '<span class="text-muted">manuell</span>'}</td>
+                <td class="text-sm text-muted">${j.last_run ? fmtDate(j.last_run) : '—'}</td>
+                <td class="mono">${fmtNum(j.total_synced || 0)}</td>
+                <td>
+                  <div class="flex gap-8">
+                    ${canEdit && j.status === 'idle' ? `<button class="btn btn-outline btn-sm" onclick="triggerJob(${j.id})">▶ Start</button>` : ''}
+                    ${canEdit && j.status === 'queued' ? `<button class="btn btn-outline btn-sm" onclick="stopJob(${j.id})">■ Stop</button>` : ''}
+                    <button class="btn btn-outline btn-sm" onclick="navigate('runs');showRunsForJob(${j.id},'${esc(j.name)}')">Logs</button>
+                    ${canEdit ? `<button class="btn btn-outline btn-sm" onclick="showJobModal(${j.id})">✎</button>` : ''}
+                    ${canEdit ? `<button class="btn btn-danger btn-sm" onclick="deleteJob(${j.id}, '${esc(j.name)}')">✕</button>` : ''}
+                  </div>
+                </td>
+              </tr>
+            `).join('')}
+          </tbody>
+        </table>
+      </div>
+    `;
+
+    // Auto-refresh every 15s
+    state.refreshTimer = setInterval(renderJobs, 15000);
+  } catch(e) {
+    content.innerHTML = `<div class="empty-state">Fehler: ${e.message}</div>`;
+  }
+}
+
+async function showJobModal(jobId = null) {
+  let job = null;
+  if (jobId) {
+    try { job = await api.get(`/jobs/${jobId}`); } catch(e) { toast(e.message, 'error'); return; }
+  }
+  const title = job ? `Job bearbeiten: ${job.name}` : 'Neuer Sync-Job';
+  const overlay = openModal(`
+    <div class="modal">
+      <div class="modal-header">
+        <h3>⟳ ${title}</h3>
+        <button class="modal-close" onclick="closeModal()">✕</button>
+      </div>
+      <div class="modal-body">
+        <div class="form-grid">
+          <div class="form-group full">
+            <label>JOB-NAME</label>
+            <input id="j-name" type="text" value="${esc(job?.name||'')}" placeholder="z.B. Max Mustermann Migration">
+          </div>
+
+          <div class="section-divider">Quell-Server (Source)</div>
+          <div class="form-group">
+            <label>HOST</label>
+            <input id="j-s-host" type="text" value="${esc(job?.src_host||'')}" placeholder="mail.example.com">
+          </div>
+          <div class="form-group">
+            <label>PORT</label>
+            <input id="j-s-port" type="number" value="${job?.src_port||993}">
+          </div>
+          <div class="form-group">
+            <label>BENUTZER</label>
+            <input id="j-s-user" type="text" value="${esc(job?.src_user||'')}" placeholder="user@example.com">
+          </div>
+          <div class="form-group">
+            <label>PASSWORT</label>
+            <input id="j-s-pass" type="password" value="${esc(job?.src_password||'')}" placeholder="••••••••">
+          </div>
+          <div class="form-group">
+            <label>SSL/TLS</label>
+            <select id="j-s-ssl">
+              <option value="1" ${(!job||job.src_ssl)?'selected':''}>SSL (empfohlen)</option>
+              <option value="0" ${(job&&!job.src_ssl)?'selected':''}>Kein SSL</option>
+            </select>
+          </div>
+
+          <div class="section-divider">Ziel-Server (Destination)</div>
+          <div class="form-group">
+            <label>HOST</label>
+            <input id="j-d-host" type="text" value="${esc(job?.dst_host||'')}" placeholder="mail.ziel.com">
+          </div>
+          <div class="form-group">
+            <label>PORT</label>
+            <input id="j-d-port" type="number" value="${job?.dst_port||993}">
+          </div>
+          <div class="form-group">
+            <label>BENUTZER</label>
+            <input id="j-d-user" type="text" value="${esc(job?.dst_user||'')}" placeholder="user@ziel.com">
+          </div>
+          <div class="form-group">
+            <label>PASSWORT</label>
+            <input id="j-d-pass" type="password" value="${esc(job?.dst_password||'')}" placeholder="••••••••">
+          </div>
+          <div class="form-group">
+            <label>SSL/TLS</label>
+            <select id="j-d-ssl">
+              <option value="1" ${(!job||job.dst_ssl)?'selected':''}>SSL (empfohlen)</option>
+              <option value="0" ${(job&&!job.dst_ssl)?'selected':''}>Kein SSL</option>
+            </select>
+          </div>
+
+          <div class="section-divider">Zeitplan & Optionen</div>
+          <div class="form-group">
+            <label>CRON-ZEITPLAN (optional)</label>
+            <input id="j-schedule" type="text" value="${esc(job?.schedule||'')}" placeholder="0 2 * * * (täglich 2 Uhr)">
+          </div>
+          <div class="form-group">
+            <label>STATUS</label>
+            <select id="j-enabled">
+              <option value="1" ${(!job||job.enabled)?'selected':''}>Aktiviert</option>
+              <option value="0" ${(job&&!job.enabled)?'selected':''}>Deaktiviert</option>
+            </select>
+          </div>
+          <div class="form-group full">
+            <label>EXTRA ARGUMENTE (imapsync)</label>
+            <input id="j-extra" type="text" value="${esc(job?.extra_args||'')}" placeholder="z.B. --delete2 --addheader">
+          </div>
+        </div>
+        <div class="form-actions">
+          <button class="btn btn-outline" onclick="closeModal()">Abbrechen</button>
+          <button class="btn btn-primary" onclick="saveJob(${jobId||'null'})">
+            ${job ? 'Speichern' : 'Job erstellen'}
+          </button>
+        </div>
+      </div>
+    </div>
+  `);
+}
+
+async function saveJob(jobId) {
+  const data = {
+    name:         document.getElementById('j-name').value.trim(),
+    src_host:     document.getElementById('j-s-host').value.trim(),
+    src_port:     parseInt(document.getElementById('j-s-port').value),
+    src_ssl:      document.getElementById('j-s-ssl').value === '1',
+    src_user:     document.getElementById('j-s-user').value.trim(),
+    src_password: document.getElementById('j-s-pass').value,
+    dst_host:     document.getElementById('j-d-host').value.trim(),
+    dst_port:     parseInt(document.getElementById('j-d-port').value),
+    dst_ssl:      document.getElementById('j-d-ssl').value === '1',
+    dst_user:     document.getElementById('j-d-user').value.trim(),
+    dst_password: document.getElementById('j-d-pass').value,
+    schedule:     document.getElementById('j-schedule').value.trim() || null,
+    enabled:      document.getElementById('j-enabled').value === '1',
+    extra_args:   document.getElementById('j-extra').value.trim(),
+  };
+  if (!data.name || !data.src_host || !data.src_user || !data.dst_host || !data.dst_user) {
+    toast('Bitte alle Pflichtfelder ausfüllen', 'error'); return;
+  }
+  try {
+    if (jobId) {
+      await api.put(`/jobs/${jobId}`, data);
+      toast('Job aktualisiert');
+    } else {
+      await api.post('/jobs', data);
+      toast('Job erstellt');
+    }
+    closeModal();
+    renderJobs();
+  } catch(e) { toast(e.message, 'error'); }
+}
+
+async function triggerJob(id) {
+  try {
+    await api.post(`/jobs/${id}/trigger`);
+    toast('Job gestartet');
+    renderJobs();
+  } catch(e) { toast(e.message, 'error'); }
+}
+
+async function stopJob(id) {
+  try {
+    await api.post(`/jobs/${id}/stop`);
+    toast('Job gestoppt');
+    renderJobs();
+  } catch(e) { toast(e.message, 'error'); }
+}
+
+async function deleteJob(id, name) {
+  if (!confirm(`Job "${name}" wirklich löschen? Alle Verlaufs-Einträge werden ebenfalls gelöscht.`)) return;
+  try {
+    await api.delete(`/jobs/${id}`);
+    toast('Job gelöscht');
+    renderJobs();
+  } catch(e) { toast(e.message, 'error'); }
+}
+
+// ── Runs ───────────────────────────────────────────────────────────────────
+let activeJobFilter = null;
+
+function showRunsForJob(jobId, jobName) {
+  activeJobFilter = { id: jobId, name: jobName };
+  renderRuns();
+}
+
+async function renderRuns() {
+  const content = document.getElementById('content');
+  content.innerHTML = '<div class="empty-state"><div class="spinner"></div></div>';
+
+  try {
+    let runs = [];
+    if (activeJobFilter) {
+      runs = await api.get(`/jobs/${activeJobFilter.id}/runs?limit=100`);
+      document.getElementById('topbar-actions').innerHTML =
+        `<span class="text-muted text-sm">Filter: ${esc(activeJobFilter.name)}</span>
+         <button class="btn btn-outline btn-sm" onclick="activeJobFilter=null;renderRuns()">✕ Filter</button>`;
+    } else {
+      // Load all jobs and their runs
+      document.getElementById('topbar-actions').innerHTML = '';
+      const jobs = await api.get('/jobs');
+      for (const j of jobs.slice(0, 20)) {
+        const jRuns = await api.get(`/jobs/${j.id}/runs?limit=10`);
+        runs.push(...jRuns.map(r => ({...r, job_name: j.name})));
+      }
+      runs.sort((a, b) => b.started_at > a.started_at ? 1 : -1);
+    }
+
+    if (!runs.length) {
+      content.innerHTML = '<div class="empty-state"><div class="icon">◎</div><div>Keine Ausführungen gefunden</div></div>';
+      return;
+    }
+
+    content.innerHTML = `
+      <div class="panel">
+        <div class="panel-header"><h3>${runs.length} Ausführungen</h3></div>
+        <table>
+          <thead>
+            <tr>
+              <th>Run-ID</th>
+              <th>Job</th>
+              <th>Status</th>
+              <th>Gestartet</th>
+              <th>Dauer</th>
+              <th>Synced</th>
+              <th>Fehler</th>
+              <th></th>
+            </tr>
+          </thead>
+          <tbody>
+            ${runs.map(r => `
+              <tr>
+                <td class="mono text-muted text-sm">#${r.id}</td>
+                <td>${esc(r.job_name || `Job #${r.job_id}`)}</td>
+                <td>${statusBadge(r.status)}</td>
+                <td class="text-sm text-muted">${fmtDate(r.started_at)}</td>
+                <td class="mono text-sm">${r.duration_sec ? fmtDuration(r.duration_sec) : r.status === 'running' ? '<span class="spinner"></span>' : '—'}</td>
+                <td class="mono">${fmtNum(r.messages_synced)}</td>
+                <td class="mono ${r.errors > 0 ? 'text-sm' : ''}" style="${r.errors > 0 ? 'color:var(--danger)' : ''}">${r.errors || 0}</td>
+                <td>
+                  <button class="btn btn-outline btn-sm" onclick="showLog(${r.id})">📄 Log</button>
+                </td>
+              </tr>
+            `).join('')}
+          </tbody>
+        </table>
+      </div>
+    `;
+  } catch(e) {
+    content.innerHTML = `<div class="empty-state">Fehler: ${e.message}</div>`;
+  }
+}
+
+async function showLog(runId) {
+  try {
+    const data = await api.get(`/runs/${runId}/log`);
+    const highlighted = highlightLog(data.content);
+    openModal(`
+      <div class="modal" style="width:780px">
+        <div class="modal-header">
+          <h3>📄 Log — Run #${runId}</h3>
+          <button class="modal-close" onclick="closeModal()">✕</button>
+        </div>
+        <div class="modal-body">
+          <div class="log-viewer">${highlighted}</div>
+        </div>
+      </div>
+    `);
+  } catch(e) { toast('Log nicht verfügbar: ' + e.message, 'error'); }
+}
+
+function highlightLog(text) {
+  return esc(text)
+    .replace(/(ERR[A-Z]*|FAILED|ERROR)/gi, '<span class="log-err">$1</span>')
+    .replace(/(OK|SUCCESS|DONE|Synced|Transferred)/gi, '<span class="log-ok">$1</span>')
+    .replace(/(WARN[A-Z]*|SKIP[A-Z]*)/gi, '<span class="log-warn">$1</span>')
+    .replace(/(--[a-z]+[a-z0-9]*)/g, '<span class="log-info">$1</span>');
+}
+
+// ── Users ──────────────────────────────────────────────────────────────────
+async function renderUsers() {
+  if (state.user.role !== 'admin') {
+    document.getElementById('content').innerHTML =
+      '<div class="empty-state">Keine Berechtigung</div>';
+    return;
+  }
+
+  document.getElementById('topbar-actions').innerHTML =
+    `<button class="btn btn-primary" onclick="showUserModal()">+ Benutzer erstellen</button>`;
+
+  const content = document.getElementById('content');
+  content.innerHTML = '<div class="empty-state"><div class="spinner"></div></div>';
+
+  try {
+    const users = await api.get('/users');
+    content.innerHTML = `
+      <div class="panel">
+        <div class="panel-header"><h3>${users.length} Benutzer</h3></div>
+        <table>
+          <thead>
+            <tr>
+              <th>Benutzer</th>
+              <th>Rolle</th>
+              <th>Erstellt am</th>
+              <th>Berechtigungen</th>
+              <th></th>
+            </tr>
+          </thead>
+          <tbody>
+            ${users.map(u => `
+              <tr>
+                <td>
+                  <div class="flex gap-8">
+                    <div class="user-avatar" style="width:24px;height:24px;font-size:10px">${u.username[0].toUpperCase()}</div>
+                    <span style="font-weight:500">${esc(u.username)}</span>
+                    ${u.username === state.user.username ? '<span class="text-muted text-sm">(ich)</span>' : ''}
+                  </div>
+                </td>
+                <td><span class="badge ${u.role}">${u.role}</span></td>
+                <td class="text-sm text-muted">${fmtDate(u.created_at)}</td>
+                <td class="text-sm text-muted">${roleDesc(u.role)}</td>
+                <td>
+                  <div class="flex gap-8">
+                    <button class="btn btn-outline btn-sm" onclick="showUserModal(${u.id},'${esc(u.username)}','${u.role}')">✎ Bearbeiten</button>
+                    ${u.username !== state.user.username ?
+                      `<button class="btn btn-danger btn-sm" onclick="deleteUser(${u.id},'${esc(u.username)}')">✕</button>` : ''}
+                  </div>
+                </td>
+              </tr>
+            `).join('')}
+          </tbody>
+        </table>
+      </div>
+
+      <div class="panel" style="margin-top:16px">
+        <div class="panel-header"><h3>Rollenbeschreibung</h3></div>
+        <div style="padding:18px;display:grid;grid-template-columns:repeat(3,1fr);gap:16px">
+          <div>
+            <span class="badge admin" style="margin-bottom:8px">admin</span>
+            <div class="text-sm text-muted" style="margin-top:8px">Vollzugriff: Benutzer, Jobs, Logs erstellen/löschen</div>
+          </div>
+          <div>
+            <span class="badge operator" style="margin-bottom:8px">operator</span>
+            <div class="text-sm text-muted" style="margin-top:8px">Jobs erstellen/starten, Logs einsehen. Keine Benutzerverwaltung.</div>
+          </div>
+          <div>
+            <span class="badge viewer" style="margin-bottom:8px">viewer</span>
+            <div class="text-sm text-muted" style="margin-top:8px">Nur Lesezugriff: Statistiken und Logs ansehen</div>
+          </div>
+        </div>
+      </div>
+    `;
+  } catch(e) {
+    content.innerHTML = `<div class="empty-state">Fehler: ${e.message}</div>`;
+  }
+}
+
+function showUserModal(id = null, username = '', role = 'viewer') {
+  const isEdit = id !== null;
+  openModal(`
+    <div class="modal">
+      <div class="modal-header">
+        <h3>${isEdit ? `Benutzer bearbeiten: ${username}` : 'Neuer Benutzer'}</h3>
+        <button class="modal-close" onclick="closeModal()">✕</button>
+      </div>
+      <div class="modal-body">
+        <div class="form-grid">
+          ${!isEdit ? `
+            <div class="form-group full">
+              <label>BENUTZERNAME</label>
+              <input id="u-name" type="text" placeholder="benutzername">
+            </div>
+          ` : ''}
+          <div class="form-group ${!isEdit ? '' : 'full'}">
+            <label>${isEdit ? 'NEUES PASSWORT (leer = unverändert)' : 'PASSWORT'}</label>
+            <input id="u-pass" type="password" placeholder="••••••••">
+          </div>
+          <div class="form-group ${!isEdit ? '' : 'full'}">
+            <label>ROLLE</label>
+            <select id="u-role">
+              <option value="admin"    ${role==='admin'?'selected':''}>Admin</option>
+              <option value="operator" ${role==='operator'?'selected':''}>Operator</option>
+              <option value="viewer"   ${role==='viewer'?'selected':''}>Viewer</option>
+            </select>
+          </div>
+        </div>
+        <div class="form-actions">
+          <button class="btn btn-outline" onclick="closeModal()">Abbrechen</button>
+          <button class="btn btn-primary" onclick="saveUser(${id||'null'})">
+            ${isEdit ? 'Speichern' : 'Erstellen'}
+          </button>
+        </div>
+      </div>
+    </div>
+  `);
+}
+
+async function saveUser(id) {
+  const pass = document.getElementById('u-pass').value;
+  const role = document.getElementById('u-role').value;
+  try {
+    if (id) {
+      const body = {};
+      if (pass) body.password = pass;
+      body.role = role;
+      await api.put(`/users/${id}`, body);
+      toast('Benutzer aktualisiert');
+    } else {
+      const name = document.getElementById('u-name').value.trim();
+      if (!name || !pass) { toast('Name und Passwort erforderlich', 'error'); return; }
+      await api.post('/users', { username: name, password: pass, role });
+      toast('Benutzer erstellt');
+    }
+    closeModal();
+    renderUsers();
+  } catch(e) { toast(e.message, 'error'); }
+}
+
+async function deleteUser(id, name) {
+  if (!confirm(`Benutzer "${name}" wirklich löschen?`)) return;
+  try {
+    await api.delete(`/users/${id}`);
+    toast('Benutzer gelöscht');
+    renderUsers();
+  } catch(e) { toast(e.message, 'error'); }
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────
+function esc(str) {
+  return String(str || '').replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;').replace(/'/g,'&#39;');
+}
+function fmtNum(n) { return Number(n||0).toLocaleString('de-DE'); }
+function fmtDate(d) {
+  if (!d) return '—';
+  return new Date(d + (d.includes('Z')||d.includes('+') ? '' : 'Z'))
+    .toLocaleString('de-DE', { day:'2-digit', month:'2-digit', year:'2-digit', hour:'2-digit', minute:'2-digit' });
+}
+function fmtDuration(sec) {
+  if (sec < 60) return sec + 's';
+  if (sec < 3600) return Math.floor(sec/60) + 'm ' + (sec%60) + 's';
+  return Math.floor(sec/3600) + 'h ' + Math.floor((sec%3600)/60) + 'm';
+}
+function statusBadge(s) {
+  const labels = { idle:'Bereit', queued:'Warteschlange', running:'Läuft', done:'Fertig', failed:'Fehler' };
+  return `<span class="badge ${s}"><span class="badge-dot"></span>${labels[s]||s}</span>`;
+}
+function roleDesc(r) {
+  const d = { admin:'Vollzugriff', operator:'Jobs verwalten', viewer:'Nur Lesen' };
+  return d[r] || r;
+}
+</script>
+</body>
+</html>
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..af460af
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,37 @@
+version: '3.8'
+
+services:
+  web:
+    build: ./backend
+    container_name: imapsync-web
+    ports:
+      - "8080:8080"
+    volumes:
+      - ./data:/data
+    environment:
+      - DB_PATH=/data/imapsync.db
+      - LOG_DIR=/data/logs
+      - SECRET_KEY=change-me-in-production
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/api/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  worker:
+    build: ./worker
+    container_name: imapsync-worker
+    volumes:
+      - ./data:/data
+    environment:
+      - DB_PATH=/data/imapsync.db
+      - LOG_DIR=/data/logs
+      - POLL_INTERVAL=15
+    restart: unless-stopped
+    depends_on:
+      web:
+        condition: service_healthy
+
+volumes:
+  data:
diff --git a/worker/Dockerfile b/worker/Dockerfile
new file mode 100644
index 0000000..b5ea63a
--- /dev/null
+++ b/worker/Dockerfile
@@ -0,0 +1,15 @@
+FROM debian:bookworm-slim
+
+# Install imapsync and dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    imapsync \
+    python3 \
+    python3-pip \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+COPY worker.py .
+
+RUN mkdir -p /data/logs
+
+CMD ["python3", "-u", "worker.py"]
diff --git a/worker/worker.py b/worker/worker.py
new file mode 100644
index 0000000..698c068
--- /dev/null
+++ b/worker/worker.py
@@ -0,0 +1,215 @@
+#!/usr/bin/env python3
+"""
+ImapSync Worker
+---------------
+Polls SQLite for queued jobs, executes imapsync, parses output,
+updates run records and job status. Also handles cron schedules.
+"""
+
+import os
+import re
+import sqlite3
+import subprocess
+import time
+import logging
+from datetime import datetime
+
+DB_PATH = os.environ.get("DB_PATH", "/data/imapsync.db")
+LOG_DIR = os.environ.get("LOG_DIR", "/data/logs")
+POLL_INTERVAL = int(os.environ.get("POLL_INTERVAL", "15"))
+
+logging.basicConfig(
+    level=logging.INFO,
+    format="%(asctime)s [WORKER] %(levelname)s %(message)s",
+    datefmt="%Y-%m-%d %H:%M:%S",
+)
+log = logging.getLogger(__name__)
+
+os.makedirs(LOG_DIR, exist_ok=True)
+
+
+def get_db():
+    conn = sqlite3.connect(DB_PATH, timeout=30, check_same_thread=False)
+    conn.row_factory = sqlite3.Row
+    conn.execute("PRAGMA journal_mode=WAL")
+    return conn
+
+
+def parse_imapsync_output(text: str) -> dict:
+    """Extract stats from imapsync stdout/stderr."""
+    stats = {"messages_synced": 0, "messages_skipped": 0, "errors": 0}
+    m = re.search(r"Messages transferred:\s+(\d+)", text)
+    if m:
+        stats["messages_synced"] = int(m.group(1))
+    m = re.search(r"Messages skipped:\s+(\d+)", text)
+    if m:
+        stats["messages_skipped"] = int(m.group(1))
+    # Count error lines
+    stats["errors"] = len(re.findall(r"(?i)^\s*(error|err)\b", text, re.MULTILINE))
+    return stats
+
+
+def check_due_schedules():
+    """Queue jobs whose cron schedule is due (within last POLL_INTERVAL seconds)."""
+    try:
+        from croniter import croniter
+    except ImportError:
+        return  # croniter not installed in this image, skip
+
+    conn = get_db()
+    try:
+        now = datetime.utcnow()
+        rows = conn.execute(
+            "SELECT id, schedule, last_run FROM sync_jobs "
+            "WHERE enabled=1 AND schedule IS NOT NULL AND schedule != '' "
+            "AND status NOT IN ('running', 'queued')"
+        ).fetchall()
+
+        for row in rows:
+            try:
+                cron = croniter(row["schedule"])
+                last_run = datetime.fromisoformat(row["last_run"]) if row["last_run"] else datetime(2000, 1, 1)
+                prev_due = cron.get_prev(datetime)
+                # If last scheduled run is after last actual run, queue it
+                if prev_due > last_run:
+                    conn.execute(
+                        "UPDATE sync_jobs SET status='queued' WHERE id=?",
+                        (row["id"],)
+                    )
+                    log.info(f"Job {row['id']} scheduled run queued (cron: {row['schedule']})")
+            except Exception as e:
+                log.warning(f"Cron parse error for job {row['id']}: {e}")
+        conn.commit()
+    finally:
+        conn.close()
+
+
+def run_job(job: sqlite3.Row):
+    job_id = job["id"]
+    log.info(f"Starting job {job_id}: {job['name']}")
+
+    timestamp = datetime.utcnow().strftime("%Y%m%d_%H%M%S")
+    log_filename = f"job_{job_id}_{timestamp}.log"
+    log_path = os.path.join(LOG_DIR, log_filename)
+
+    conn = get_db()
+    conn.execute("UPDATE sync_jobs SET status='running', last_run=? WHERE id=?",
+                 (datetime.utcnow().isoformat(), job_id))
+    cur = conn.execute(
+        "INSERT INTO job_runs (job_id, log_file, status) VALUES (?, ?, 'running')",
+        (job_id, log_filename)
+    )
+    run_id = cur.lastrowid
+    conn.commit()
+    conn.close()
+
+    # Build imapsync command
+    ssl1 = "--ssl1" if job["src_ssl"] else "--nossl1"
+    ssl2 = "--ssl2" if job["dst_ssl"] else "--nossl2"
+    cmd = [
+        "imapsync",
+        "--host1", job["src_host"],
+        "--port1", str(job["src_port"]),
+        ssl1,
+        "--user1", job["src_user"],
+        "--password1", job["src_password"],
+        "--host2", job["dst_host"],
+        "--port2", str(job["dst_port"]),
+        ssl2,
+        "--user2", job["dst_user"],
+        "--password2", job["dst_password"],
+        "--nolog",
+    ]
+    if job["extra_args"]:
+        cmd += job["extra_args"].split()
+
+    started = time.time()
+    exit_code = 0
+    output = ""
+
+    try:
+        with open(log_path, "w") as lf:
+            lf.write(f"# ImapSync Job: {job['name']}\n")
+            lf.write(f"# Started: {datetime.utcnow().isoformat()}\n")
+            lf.write(f"# Command: {' '.join(cmd[:20])}...\n\n")
+            result = subprocess.run(
+                cmd,
+                stdout=lf,
+                stderr=subprocess.STDOUT,
+                timeout=7200,  # 2h max
+            )
+            exit_code = result.returncode
+        with open(log_path, "r", errors="replace") as lf:
+            output = lf.read()
+    except subprocess.TimeoutExpired:
+        log.error(f"Job {job_id} timed out after 2h")
+        exit_code = -1
+        output = "TIMEOUT after 2 hours"
+        with open(log_path, "a") as lf:
+            lf.write("\n\nTIMEOUT: Job exceeded 2 hour limit\n")
+    except Exception as e:
+        log.error(f"Job {job_id} exception: {e}")
+        exit_code = -2
+        output = str(e)
+        with open(log_path, "a") as lf:
+            lf.write(f"\n\nEXCEPTION: {e}\n")
+
+    duration = int(time.time() - started)
+    stats = parse_imapsync_output(output)
+    job_status = "done" if exit_code == 0 else "failed"
+
+    conn = get_db()
+    conn.execute("""
+        UPDATE job_runs SET
+            status=?, finished_at=?, messages_synced=?,
+            messages_skipped=?, errors=?, duration_sec=?
+        WHERE id=?
+    """, (job_status, datetime.utcnow().isoformat(),
+          stats["messages_synced"], stats["messages_skipped"],
+          stats["errors"], duration, run_id))
+    conn.execute(
+        "UPDATE sync_jobs SET status=? WHERE id=?",
+        ("idle", job_id)
+    )
+    conn.commit()
+    conn.close()
+
+    log.info(
+        f"Job {job_id} finished [{job_status}] in {duration}s — "
+        f"synced={stats['messages_synced']} skipped={stats['messages_skipped']} "
+        f"errors={stats['errors']}"
+    )
+
+
+def main():
+    log.info(f"Worker started. DB={DB_PATH} LOG_DIR={LOG_DIR} POLL={POLL_INTERVAL}s")
+    # Wait for DB to be initialized by the web container
+    for i in range(30):
+        if os.path.exists(DB_PATH):
+            break
+        log.info(f"Waiting for DB... ({i+1}/30)")
+        time.sleep(2)
+
+    while True:
+        try:
+            check_due_schedules()
+
+            conn = get_db()
+            job = conn.execute(
+                "SELECT * FROM sync_jobs WHERE status='queued' AND enabled=1 "
+                "ORDER BY created_at ASC LIMIT 1"
+            ).fetchone()
+            conn.close()
+
+            if job:
+                run_job(job)
+            else:
+                time.sleep(POLL_INTERVAL)
+
+        except Exception as e:
+            log.error(f"Worker loop error: {e}", exc_info=True)
+            time.sleep(POLL_INTERVAL)
+
+
+if __name__ == "__main__":
+    main()