feat(api): Phase 2 — REST-API MVP + CRUD für Domains/Backends/Routing

REST-API mit Response-Envelope (1:1 mail-gateway), HS256-JWT-Signer
(Secret persistent unter /var/lib/edgeguard/.jwt_fingerprint),
Setup-Wizard (Bcrypt-Admin-Passwort in setup.json), Auth-Middleware
(Cookie + Bearer), Setup-Gate. Update-Banner-Endpoints
/system/package-versions + /system/upgrade ab Tag 1 wired (Pattern
aus enconf-management-agent: systemd-run detached, HTTP-Response
geht VOR dem Self-Replace raus).

CRUD-Repos für domains/backends/routing_rules mit pgxpool +
handgeschriebenem SQL (mail-gateway-Pattern, kein GORM zur Laufzeit).
Audit-Log-Schreiber auf jede Mutation, NodeID aus /etc/machine-id.
DB-Pool öffnet best-effort — ohne erreichbare PG bleiben CRUD-Routen
unregistriert, Auth/Setup/System antworten weiter (Dev ohne PG).

End-to-end live-getestet gegen lokale postgres-16: Setup → Login →
POST/PUT/DELETE Backends + Domains + Routing-Rules → audit_log
schreibt 5 Zeilen mit korrektem actor/action/subject. Graceful
degrade ohne DB ebenfalls verifiziert.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/services/domains/domains.go

@@ -0,0 +1,115 @@
+// Package domains implements CRUD against the `domains` table.
+package domains
+
+import (
+	"context"
+	"errors"
+
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgxpool"
+
+	"git.netcell-it.de/projekte/edgeguard-native/internal/models"
+)
+
+var ErrNotFound = errors.New("domain not found")
+
+type Repo struct {
+	Pool *pgxpool.Pool
+}
+
+func New(pool *pgxpool.Pool) *Repo { return &Repo{Pool: pool} }
+
+const baseSelect = `
+SELECT id, name, active, primary_backend_id, http_to_https, hsts_enabled,
+       notes, created_at, updated_at
+FROM domains
+`
+
+func (r *Repo) List(ctx context.Context) ([]models.Domain, error) {
+	rows, err := r.Pool.Query(ctx, baseSelect+" ORDER BY name ASC")
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	out := make([]models.Domain, 0, 16)
+	for rows.Next() {
+		d, err := scanDomain(rows)
+		if err != nil {
+			return nil, err
+		}
+		out = append(out, *d)
+	}
+	return out, rows.Err()
+}
+
+func (r *Repo) Get(ctx context.Context, id int64) (*models.Domain, error) {
+	row := r.Pool.QueryRow(ctx, baseSelect+" WHERE id = $1", id)
+	d, err := scanDomain(row)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, ErrNotFound
+		}
+		return nil, err
+	}
+	return d, nil
+}
+
+func (r *Repo) Create(ctx context.Context, d models.Domain) (*models.Domain, error) {
+	row := r.Pool.QueryRow(ctx, `
+INSERT INTO domains (name, active, primary_backend_id, http_to_https, hsts_enabled, notes)
+VALUES ($1, $2, $3, $4, $5, $6)
+RETURNING id, name, active, primary_backend_id, http_to_https, hsts_enabled,
+          notes, created_at, updated_at`,
+		d.Name, d.Active, d.PrimaryBackendID, d.HTTPToHTTPS, d.HSTSEnabled, d.Notes)
+	return scanDomain(row)
+}
+
+func (r *Repo) Update(ctx context.Context, id int64, d models.Domain) (*models.Domain, error) {
+	row := r.Pool.QueryRow(ctx, `
+UPDATE domains SET
+   name = $1,
+   active = $2,
+   primary_backend_id = $3,
+   http_to_https = $4,
+   hsts_enabled = $5,
+   notes = $6,
+   updated_at = NOW()
+WHERE id = $7
+RETURNING id, name, active, primary_backend_id, http_to_https, hsts_enabled,
+          notes, created_at, updated_at`,
+		d.Name, d.Active, d.PrimaryBackendID, d.HTTPToHTTPS, d.HSTSEnabled, d.Notes, id)
+	out, err := scanDomain(row)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, ErrNotFound
+		}
+		return nil, err
+	}
+	return out, nil
+}
+
+func (r *Repo) Delete(ctx context.Context, id int64) error {
+	tag, err := r.Pool.Exec(ctx, `DELETE FROM domains WHERE id = $1`, id)
+	if err != nil {
+		return err
+	}
+	if tag.RowsAffected() == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// scanDomain accepts both pgx.Row (Get/Create/Update) and pgx.Rows
+// (List, via the Scanner shape). pgx exposes both as a single
+// Scan(...any) error method.
+func scanDomain(row interface{ Scan(...any) error }) (*models.Domain, error) {
+	var d models.Domain
+	if err := row.Scan(
+		&d.ID, &d.Name, &d.Active, &d.PrimaryBackendID,
+		&d.HTTPToHTTPS, &d.HSTSEnabled, &d.Notes,
+		&d.CreatedAt, &d.UpdatedAt,
+	); err != nil {
+		return nil, err
+	}
+	return &d, nil
+}