pulse-crm-backend/docs/TECH-STACK.md

# Pulse CRM - Tech Stack

## Backend

| Komponente | Technologie | Version | Begründung |
|------------|-------------|---------|------------|
| Runtime | **Deno** | 2.x | Sicher by default, TypeScript nativ, moderne APIs |
| Framework | **Oak** | 17.x | Express-ähnlich, bewährt für Deno |
| Datenbank | **PostgreSQL** | 16.x | ACID, JSON-Support, Row-Level Security |
| ORM | **Drizzle ORM** | Latest | Type-safe, leichtgewichtig, gute DX |
| Auth | **JWT** | - | Stateless, skalierbar |
| Hashing | **Argon2** | - | Sicherster Passwort-Hash-Algorithmus |
| Validation | **Zod** | 3.x | Runtime type validation |
| Email | **Resend** | - | Moderne E-Mail API |

## Frontend

| Komponente | Technologie | Version | Begründung |
|------------|-------------|---------|------------|
| Framework | **Vue 3** | 3.5.x | Composition API, TypeScript, reaktiv |
| UI Library | **PrimeVue** | 4.x | Enterprise-ready, umfangreich |
| State | **Pinia** | 2.x | Offizieller Vue Store |
| Router | **Vue Router** | 4.x | SPA Navigation |
| HTTP | **Axios** | 1.x | HTTP Client |
| Build | **Vite** | 5.x | Schnell, HMR, optimiert |
| CSS | **TailwindCSS** | 3.x | Utility-first |
| i18n | **vue-i18n** | 9.x | Mehrsprachigkeit (DE/EN) |

## Infrastruktur

| Komponente | Technologie | Begründung |
|------------|-------------|------------|
| Hosting | **Hetzner Cloud** | DSGVO, Deutschland, günstig |
| Container | **Docker** | Portabilität, Reproduzierbarkeit |
| Reverse Proxy | **nginx** | Performance, SSL Termination |
| SSL | **Let's Encrypt** | Kostenlose Zertifikate |
| CI/CD | **Gitea Actions** | Self-hosted, integriert |
| Monitoring | **Prometheus + Grafana** | Open Source, bewährt |

## Datenbank Schema (Übersicht)

```sql
-- Multi-Tenant Core
organizations (id, name, settings, created_at)
users (id, org_id, email, password_hash, role, ...)

-- CRM Core
contacts (id, org_id, first_name, last_name, email, phone, company_id, ...)
companies (id, org_id, name, industry, website, ...)
deals (id, org_id, title, value, stage_id, contact_id, owner_id, ...)
pipelines (id, org_id, name, stages JSONB, ...)

-- Activities
activities (id, org_id, type, contact_id, deal_id, note, due_at, ...)

-- System
audit_logs (id, org_id, user_id, action, entity, entity_id, changes, ...)
```

## API Design

### RESTful Conventions

```
GET    /api/v1/contacts          # Liste
GET    /api/v1/contacts/:id      # Detail
POST   /api/v1/contacts          # Erstellen
PUT    /api/v1/contacts/:id      # Update
DELETE /api/v1/contacts/:id      # Löschen

# Nested Resources
GET    /api/v1/contacts/:id/activities
POST   /api/v1/deals/:id/move    # Custom Action
```

### Response Format

```json
{
  "success": true,
  "data": { ... },
  "meta": {
    "page": 1,
    "limit": 20,
    "total": 150
  }
}
```

### Error Format

```json
{
  "success": false,
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid email format",
    "details": [...]
  }
}
```

## Security

- **Authentication:** JWT (Access Token 15min, Refresh Token 7d)
- **Password:** Argon2id, min 8 chars
- **Rate Limiting:** 100 req/min per IP, 1000 req/min per User
- **CORS:** Whitelist allowed origins
- **Input Validation:** Zod schemas for all inputs
- **SQL Injection:** Parameterized queries via ORM
- **XSS:** Content-Security-Policy headers
- **HTTPS:** Enforced, HSTS enabled

## DSGVO Compliance

- ✅ Hosting in Deutschland (Hetzner)
- ✅ Verschlüsselung (Transit + Rest)
- ✅ Audit Logging
- ✅ Datenexport (Art. 20)
- ✅ Löschkonzept (Art. 17)
- ✅ AVV-Vorlage für Kunden