feat: complete CMS v2 with Docker, Fischerei, Meetings, Verband modules + UX audit fixes

Major changes:
- Docker Compose: full Supabase stack (11 services) equivalent to supabase CLI
- Fischerei module: 16 DB tables, waters/species/stocking/catch books/competitions
- Sitzungsprotokolle module: meeting protocols, agenda items, task tracking
- Verbandsverwaltung module: federation management, member clubs, contacts, fees
- Per-account module activation via Modules page toggle
- Site Builder: live CMS data in Puck blocks (courses, events, membership registration)
- Public registration APIs: course signup, event registration, membership application
- Document generation: PDF member cards, Excel reports, HTML labels
- Landing page: real Com.BISS content (no filler text)
- UX audit fixes: AccountNotFound component, shared status badges, confirm dialog,
  pagination, duplicate heading removal, emoji→badge replacement, a11y fixes
- QA: healthcheck fix, API auth fix, enum mismatch fix, password required attribute

docker/db/dev-bootstrap.sh

@@ -0,0 +1,51 @@
+#!/bin/sh
+set -e
+
+# ===========================================================================
+# Docker dev bootstrap — runs AFTER app migrations
+# Seeds the DB, removes MFA, patches is_super_admin for local dev (no aal2).
+# ===========================================================================
+
+PSQL="psql -v ON_ERROR_STOP=0 --no-password --no-psqlrc -U supabase_admin -d postgres -h supabase-db"
+
+echo "🌱 Running seed.sql..."
+$PSQL -f /app-seed/seed.sql 2>&1 || true
+
+echo "🔓 Removing MFA factors for dev..."
+$PSQL -c "DELETE FROM auth.mfa_factors;" 2>&1 || true
+$PSQL -c "DELETE FROM auth.mfa_challenges;" 2>&1 || true
+
+echo "🔄 Fixing auth sequences after seed import..."
+$PSQL -c "SELECT setval('auth.refresh_tokens_id_seq', (SELECT COALESCE(MAX(id), 0) + 1 FROM auth.refresh_tokens));" 2>&1 || true
+$PSQL -c "SELECT setval(pg_get_serial_sequence('public.role_permissions', 'id'), (SELECT COALESCE(MAX(id), 0) + 1 FROM public.role_permissions));" 2>&1 || true
+
+echo "🔧 Patching is_super_admin() — skip aal2 for local dev..."
+cat <<'EOSQL' | $PSQL
+CREATE OR REPLACE FUNCTION public.is_super_admin() RETURNS boolean
+LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+declare r boolean;
+begin
+  select (auth.jwt() ->> 'app_metadata')::jsonb ->> 'role' = 'super-admin' into r;
+  return coalesce(r, false);
+end $fn$;
+EOSQL
+
+echo "🌐 Adding anon read policy for public club pages..."
+$PSQL -c "DO \$\$ BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_policy WHERE polname = 'accounts_public_read') THEN
+    CREATE POLICY accounts_public_read ON public.accounts FOR SELECT TO anon
+    USING (is_personal_account = false AND id IN (SELECT account_id FROM public.site_settings WHERE is_public = true));
+  END IF;
+  IF NOT EXISTS (SELECT 1 FROM pg_policy WHERE polname = 'events_public_read') THEN
+    CREATE POLICY events_public_read ON public.events FOR SELECT TO anon
+    USING (account_id IN (SELECT account_id FROM public.site_settings WHERE is_public = true));
+  END IF;
+  IF NOT EXISTS (SELECT 1 FROM pg_policy WHERE polname = 'courses_public_read') THEN
+    CREATE POLICY courses_public_read ON public.courses FOR SELECT TO anon
+    USING (account_id IN (SELECT account_id FROM public.site_settings WHERE is_public = true));
+  END IF;
+END \$\$;" 2>&1 || true
+$PSQL -c "GRANT SELECT ON public.events TO anon;" 2>&1 || true
+$PSQL -c "GRANT SELECT ON public.courses TO anon;" 2>&1 || true
+
+echo "✅ Dev bootstrap complete."

docker/db/zzz-role-passwords.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+set -e
+
+# ===========================================================================
+# Supabase role password bootstrap
+# 
+# Runs AFTER migrate.sh (zzz- prefix ensures alphabetical ordering).
+# By this point all roles exist (created by init-scripts/00000000000000-initial-schema.sql).
+# Sets passwords so PostgREST, Storage, Auth, and Studio can connect via TCP.
+# ===========================================================================
+
+psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U supabase_admin -d postgres <<-EOSQL
+  -- PostgREST connects as authenticator
+  ALTER ROLE authenticator WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';
+
+  -- Storage API connects as supabase_storage_admin
+  ALTER ROLE supabase_storage_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';
+
+  -- GoTrue (Auth) connects as supabase_auth_admin
+  ALTER ROLE supabase_auth_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';
+
+  -- Studio / pg_meta connects as dashboard_user
+  ALTER ROLE dashboard_user WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';
+
+  -- postgres (created by migrate.sh, needs password for TCP auth)
+  ALTER ROLE postgres WITH PASSWORD '${POSTGRES_PASSWORD}';
+
+  -- Realtime needs the _realtime schema
+  CREATE SCHEMA IF NOT EXISTS _realtime;
+  GRANT ALL ON SCHEMA _realtime TO supabase_admin;
+  GRANT USAGE ON SCHEMA _realtime TO postgres, anon, authenticated, service_role;
+EOSQL
+
+echo "✅ All Supabase role passwords set successfully."

docker/kong.yml

@@ -46,6 +46,17 @@ services:
             - anon
             - admin
 
+  # Realtime
+  - name: realtime-v1
+    url: http://supabase-realtime:4000/socket/
+    routes:
+      - name: realtime-v1-routes
+        strip_path: true
+        paths:
+          - /realtime/v1/
+    plugins:
+      - name: cors
+
   # Storage
   - name: storage-v1
     url: http://supabase-storage:5000/
@@ -56,3 +67,21 @@ services:
           - /storage/v1/
     plugins:
       - name: cors
+
+  # pg_meta
+  - name: meta
+    url: http://supabase-meta:8080/
+    routes:
+      - name: meta-routes
+        strip_path: true
+        paths:
+          - /pg/
+    plugins:
+      - name: key-auth
+        config:
+          hide_credentials: false
+      - name: acl
+        config:
+          hide_groups_header: true
+          allow:
+            - admin