diff --git a/data.json b/data.json
new file mode 100644
index 0000000..fbc288e
--- /dev/null
+++ b/data.json
@@ -0,0 +1,87 @@
+{
+  "users": [
+    {
+      "username": "admin",
+      "password_hash": "/VpEC5P5RjBe9KaKoGka3IAyqEImtOH4DX9pa4fGq0s=:KSkNZvZGhywj3xKzn1T39w==",
+      "is_admin": true,
+      "created_at": 1759575291
+    }
+  ],
+  "reports": [
+    {
+      "id": 1,
+      "name": "B1tK1ll3r",
+      "status": "Gemeldet",
+      "reported_by": "admin",
+      "confirmed_by": "",
+      "created_at": 1759580762,
+      "confirmed_at": 0
+    }
+  ],
+  "audit": [
+    {
+      "time": 1759580868,
+      "actor": "admin",
+      "action": "login",
+      "details": "Erfolg",
+      "ip": "127.0.0.1"
+    },
+    {
+      "time": 1759580762,
+      "actor": "admin",
+      "action": "report",
+      "details": "ID 1 · B1tK1ll3r",
+      "ip": "127.0.0.1"
+    },
+    {
+      "time": 1759580750,
+      "actor": "admin",
+      "action": "login",
+      "details": "Erfolg",
+      "ip": "127.0.0.1"
+    },
+    {
+      "time": 1759580355,
+      "actor": "admin",
+      "action": "login",
+      "details": "Erfolg",
+      "ip": "127.0.0.1"
+    },
+    {
+      "time": 1759580347,
+      "actor": "admin",
+      "action": "login",
+      "details": "Fehlgeschlagen",
+      "ip": "127.0.0.1"
+    },
+    {
+      "time": 1759580244,
+      "actor": "admin",
+      "action": "login",
+      "details": "Erfolg",
+      "ip": "127.0.0.1"
+    },
+    {
+      "time": 1759579880,
+      "actor": "admin",
+      "action": "login",
+      "details": "Erfolg",
+      "ip": "127.0.0.1"
+    },
+    {
+      "time": 1759579770,
+      "actor": "",
+      "action": "logout",
+      "details": "",
+      "ip": "127.0.0.1"
+    },
+    {
+      "time": 1759579675,
+      "actor": "admin",
+      "action": "login",
+      "details": "Erfolg",
+      "ip": "127.0.0.1"
+    }
+  ],
+  "next_id": 2
+}
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..0af5b42
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,3 @@
+module git.send.nrw/sendnrw/advocacy-watchlist
+
+go 1.24.4
diff --git a/main.go b/main.go
new file mode 100644
index 0000000..6ae3f1a
--- /dev/null
+++ b/main.go
@@ -0,0 +1,771 @@
+// main.go
+// Go 1.21+
+// Einfache Webanwendung mit Login, Persistenz (JSON-Datei), Audit-Log,
+// und UI ohne externe Verweise. Nutzer können "Benutzernamen" melden,
+// Einträge starten mit Status "Gemeldet" und können von einem anderen
+// Nutzer bestätigt werden. Alles wird audit-geeignet protokolliert.
+//
+// Hinweise: Für Produktion TLS, CSRF, bcrypt/argon2id etc. ergänzen.
+
+package main
+
+import (
+	"context"
+	"crypto/hmac"
+	crand "crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"html/template"
+	"log"
+	mrand "math/rand"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+)
+
+// ======= Datenmodelle =======
+
+type User struct {
+	Username     string `json:"username"`
+	PasswordHash string `json:"password_hash"`
+	IsAdmin      bool   `json:"is_admin"`
+	CreatedAt    int64  `json:"created_at"`
+}
+
+type Status string
+
+const (
+	StatusGemeldet   Status = "Gemeldet"
+	StatusBestaetigt Status = "Bestätigt"
+)
+
+type Report struct {
+	ID          int64  `json:"id"`
+	Name        string `json:"name"`
+	Status      Status `json:"status"`
+	ReportedBy  string `json:"reported_by"`
+	ConfirmedBy string `json:"confirmed_by"`
+	CreatedAt   int64  `json:"created_at"`
+	ConfirmedAt int64  `json:"confirmed_at"`
+}
+
+type AuditEntry struct {
+	Time    int64  `json:"time"`
+	Actor   string `json:"actor"`
+	Action  string `json:"action"`
+	Details string `json:"details"`
+	IP      string `json:"ip"`
+}
+
+type DB struct {
+	Users   []User       `json:"users"`
+	Reports []Report     `json:"reports"`
+	Audit   []AuditEntry `json:"audit"`
+	NextID  int64        `json:"next_id"`
+}
+
+// ======= Globale Variablen =======
+
+var (
+	dataPath   = envOr("DATA_FILE", "data.json")
+	cookieName = envOr("COOKIE_NAME", "session")
+	secretKey  []byte // für HMAC der Session-Cookies
+
+	mu sync.Mutex
+	db DB
+
+	tpl *template.Template
+)
+
+// ======= Hilfsfunktionen =======
+
+func envOr(k, def string) string {
+	if v := os.Getenv(k); v != "" {
+		return v
+	}
+	return def
+}
+
+func loadDB() error {
+	mu.Lock()
+	defer mu.Unlock()
+
+	f, err := os.Open(dataPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			db = DB{NextID: 1}
+			return saveDB()
+		}
+		return err
+	}
+	defer f.Close()
+	decoder := json.NewDecoder(f)
+	return decoder.Decode(&db)
+}
+
+func saveDB() error {
+	f, err := os.CreateTemp(filepath.Dir(dataPath), "dbtmp-*.json")
+	if err != nil {
+		return err
+	}
+	enc := json.NewEncoder(f)
+	enc.SetIndent("", "  ")
+	if err := enc.Encode(db); err != nil {
+		f.Close()
+		os.Remove(f.Name())
+		return err
+	}
+	f.Close()
+	return os.Rename(f.Name(), dataPath)
+}
+
+// ======= Pseudo-PBKDF (nur Demo!) =======
+// Für Produktion: bcrypt/argon2id verwenden.
+
+func hashPassword(pw string, salt []byte) string {
+	h := sha256.New()
+	h.Write(salt)
+	h.Write([]byte(pw))
+	for i := 0; i < 100000; i++ { // 100k Runden
+		h.Write([]byte{byte(i)})
+	}
+	return base64.StdEncoding.EncodeToString(h.Sum(nil)) + ":" + base64.StdEncoding.EncodeToString(salt)
+}
+
+func verifyPassword(pw, stored string) bool {
+	parts := strings.Split(stored, ":")
+	if len(parts) != 2 {
+		return false
+	}
+	salt, err := base64.StdEncoding.DecodeString(parts[1])
+	if err != nil {
+		return false
+	}
+	return hashPassword(pw, salt) == stored
+}
+
+func newSalt() []byte { b := make([]byte, 16); crand.Read(b); return b }
+
+// ======= Sessions (signiertes Cookie) =======
+
+type Session struct {
+	Username string
+	Expires  int64
+}
+
+func sign(data []byte) string {
+	mac := hmac.New(sha256.New, secretKey)
+	mac.Write(data)
+	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
+}
+
+func setSession(w http.ResponseWriter, username string) {
+	s := fmt.Sprintf("%s|%d", username, time.Now().Add(24*time.Hour).Unix())
+	sig := sign([]byte(s))
+	value := base64.StdEncoding.EncodeToString([]byte(s)) + "." + sig
+	http.SetCookie(w, &http.Cookie{
+		Name:     cookieName,
+		Value:    value,
+		Path:     "/",
+		HttpOnly: true,
+		Secure:   false, // In Produktion: true + HTTPS
+		SameSite: http.SameSiteLaxMode,
+	})
+}
+
+func clearSession(w http.ResponseWriter) {
+	http.SetCookie(w, &http.Cookie{Name: cookieName, Value: "", Path: "/", Expires: time.Unix(0, 0)})
+}
+
+func getSession(r *http.Request) (string, bool) {
+	c, err := r.Cookie(cookieName)
+	if err != nil {
+		return "", false
+	}
+	parts := strings.SplitN(c.Value, ".", 2)
+	if len(parts) != 2 {
+		return "", false
+	}
+	payloadB, err := base64.StdEncoding.DecodeString(parts[0])
+	if err != nil {
+		return "", false
+	}
+	if sign(payloadB) != parts[1] {
+		return "", false
+	}
+	payload := string(payloadB)
+	sp := strings.Split(payload, "|")
+	if len(sp) != 2 {
+		return "", false
+	}
+	exp, _ := strconv.ParseInt(sp[1], 10, 64)
+	if time.Now().Unix() > exp {
+		return "", false
+	}
+	return sp[0], true
+}
+
+// ======= Middleware =======
+
+type ctxKey string
+
+var userKey ctxKey = "user"
+
+func withAuth(h http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		u, ok := getSession(r)
+		if !ok {
+			http.Redirect(w, r, "/login", http.StatusFound)
+			return
+		}
+		ctx := context.WithValue(r.Context(), userKey, u)
+		r = r.WithContext(ctx)
+		h(w, r)
+	}
+}
+
+func currentUser(r *http.Request) string {
+	if v := r.Context().Value(userKey); v != nil {
+		if s, ok := v.(string); ok {
+			return s
+		}
+	}
+	return ""
+}
+
+// ======= Template & Assets =======
+
+var baseTpl = `{{define "base"}}
+<!doctype html>
+<html lang="de">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>{{block "title" .}}Meldesystem{{end}}</title>
+  <style>
+    :root { --bg:#0f172a; --card:#111827; --muted:#9ca3af; --text:#e5e7eb; --acc:#06b6d4; --ok:#10b981; --warn:#f59e0b; --err:#ef4444; }
+    *{box-sizing:border-box} body{margin:0;background:linear-gradient(180deg,#0b1220,#0f172a);color:var(--text);font:16px/1.45 system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial}
+    a{color:var(--acc);text-decoration:none} a:hover{text-decoration:underline}
+    .container{max-width:980px;margin:40px auto;padding:0 16px}
+    header{display:flex;align-items:center;justify-content:space-between;margin-bottom:24px}
+    .brand{font-weight:800;font-size:20px;letter-spacing:.2px}
+    .card{background:var(--card);border:1px solid #1f2937;border-radius:16px;box-shadow:0 10px 30px rgba(0,0,0,.25);padding:20px;margin-bottom:16px}
+    .row{display:flex;gap:16px;flex-wrap:wrap}
+    .grow{flex:1 1 300px}
+    input[type=text], input[type=password]{width:100%;padding:12px 14px;border:1px solid #273244;border-radius:12px;background:#0b1220;color:var(--text)}
+    button{padding:10px 14px;border:0;border-radius:12px;background:var(--acc);color:#001018;font-weight:700;cursor:pointer}
+    button.secondary{background:#1f2937;color:var(--text)}
+    .status{font-size:12px;padding:4px 8px;border-radius:999px;border:1px solid #2b374a}
+    .status.gemeldet{background:#0b1220;color:var(--warn)}
+    .status.bestaetigt{background:#0b1220;color:var(--ok)}
+    table{width:100%;border-collapse:separate;border-spacing:0}
+    th,td{padding:12px 10px;border-bottom:1px solid #1f2937;font-size:14px}
+    th{text-align:left;color:var(--muted);font-weight:600}
+    .right{text-align:right}
+    .muted{color:var(--muted)}
+    .badge{display:inline-flex;align-items:center;gap:6px;padding:4px 10px;border-radius:999px;background:#0b1220;border:1px solid #1f2937;color:var(--muted);font-size:12px}
+    .flex{display:flex;gap:8px;align-items:center}
+    .spacer{height:8px}
+    .danger{background:var(--err);color:#fff}
+    .notice{padding:10px;border:1px dashed #334155;border-radius:12px;color:var(--muted)}
+    footer{margin-top:24px;color:var(--muted);font-size:12px;text-align:center}
+  </style>
+</head>
+<body>
+  <div class="container">
+    <header>
+      <div class="brand">Meldesystem</div>
+      <div class="flex">
+        <span class="badge">👤 {{.User}}</span>
+        <form method="POST" action="/logout"><button class="secondary" type="submit">Logout</button></form>
+      </div>
+    </header>
+    {{template "content" .}}
+    <footer>Ohne externe Assets · Zeit: {{.Now}}</footer>
+  </div>
+</body>
+</html>
+{{end}}`
+
+var loginTpl = `{{define "login"}}
+<!doctype html>
+<html lang="de">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Login · Meldesystem</title>
+  <style>*{box-sizing:border-box} body{margin:0;display:grid;place-items:center;height:100vh;background:linear-gradient(180deg,#0b1220,#0f172a);color:#e5e7eb;font:16px/1.45 system-ui,-apple-system,Segoe UI,Roboto,Helvetica,Arial} .card{background:#111827;border:1px solid #1f2937;border-radius:16px;box-shadow:0 10px 30px rgba(0,0,0,.25);padding:24px;width:min(420px,94vw)} input{width:100%;max-width:100%;display:block;margin:0;border:1px solid #273244;border-radius:12px;background:#0b1220;color:#e5e7eb;padding:12px 14px} label{display:block;margin:8px 0 6px;color:#9ca3af} button{width:100%;margin-top:14px;padding:12px;border:0;border-radius:12px;background:#06b6d4;color:#001018;font-weight:800;cursor:pointer} .muted{color:#9ca3af;font-size:12px;text-align:center;margin-top:10px}</style>
+</head>
+<body>
+  <div class="card">
+    <h2 style="margin:0 0 8px">Anmeldung</h2>
+    <form method="POST" action="/login">
+      <label>Nutzername</label>
+      <input name="username" required />
+      <label>Passwort</label>
+      <input type="password" name="password" required />
+      <button type="submit">Einloggen</button>
+    </form>
+    {{if .Msg}}<div class="muted">{{.Msg}}</div>{{end}}
+    {{if .Setup}}
+      <div class="muted" style="margin-top:12px">Erstbenutzer: <b>{{.SetupUser}}</b> / Passwort: <b>{{.SetupPass}}</b> (bitte nach dem Login ändern)</div>
+    {{end}}
+  </div>
+</body>
+</html>
+{{end}}`
+
+var dashboardTpl = `{{define "dashboard"}}{{template "base" .}}{{end}}
+{{define "content"}}
+<div class="row">
+  <div class="card grow">
+    <h3 style="margin-top:0">Neuen Benutzernamen melden</h3>
+    <form method="POST" action="/report" class="row">
+      <input class="grow" type="text" name="name" placeholder="z.B. max.mustermann" required />
+      <button type="submit">Melden</button>
+    </form>
+    <div class="spacer"></div>
+    <div class="notice">Einträge starten mit Status <b>Gemeldet</b> und müssen von einem <u>anderen</u> Nutzer bestätigt werden.</div>
+  </div>
+  <div class="card grow">
+    <h3 style="margin-top:0">Audit-Log</h3>
+    <div class="muted">Letzte 8 Ereignisse</div>
+    <table>
+      <thead><tr><th>Zeit</th><th>Aktion</th><th>Details</th></tr></thead>
+      <tbody>
+      {{range .RecentAudit}}
+        <tr>
+          <td class="muted">{{.When}}</td>
+          <td>{{.Action}}</td>
+          <td class="muted">{{.Details}}</td>
+        </tr>
+      {{else}}
+        <tr><td colspan="3" class="muted">Noch keine Ereignisse</td></tr>
+      {{end}}
+      </tbody>
+    </table>
+  </div>
+</div>
+
+<div class="card">
+  <div class="row" style="align-items:center;justify-content:space-between">
+    <h3 style="margin:0">Gemeldete Benutzernamen</h3>
+    <form method="GET" action="/" class="row">
+      <input name="q" placeholder="Suche…" value="{{.Q}}" />
+      <button class="secondary" type="submit">Filtern</button>
+      <a class="badge" href="/audit">Gesamtes Audit</a>
+    </form>
+  </div>
+  <table>
+    <thead>
+      <tr><th>ID</th><th>Name</th><th>Status</th><th class="right">Aktionen</th></tr>
+    </thead>
+    <tbody>
+      {{range .Reports}}
+      <tr>
+        <td class="muted">#{{.ID}}</td>
+        <td>{{.Name}}</td>
+        <td>
+          {{if eq .Status "Gemeldet"}}
+            <span class="status gemeldet">Gemeldet</span>
+          {{else}}
+            <span class="status bestaetigt">Bestätigt</span>
+          {{end}}
+          <div class="muted">von {{.ReportedBy}} am {{.Created}}</div>
+          {{if .Confirmed}}
+            <div class="muted">bestätigt von {{.ConfirmedBy}} am {{.Confirmed}}</div>
+          {{end}}
+        </td>
+        <td class="right">
+          {{if eq .Status "Gemeldet"}}
+            <form style="display:inline" method="POST" action="/confirm">
+              <input type="hidden" name="id" value="{{.ID}}" />
+              <button type="submit">Bestätigen</button>
+            </form>
+          {{else}}
+            <span class="badge">✔ Bereits bestätigt</span>
+          {{end}}
+          {{if $.IsAdmin}}
+            <form style="display:inline" method="POST" action="/delete" onsubmit="return confirm('Wirklich löschen?')">
+              <input type="hidden" name="id" value="{{.ID}}" />
+              <button type="submit" class="danger">Löschen</button>
+            </form>
+          {{end}}
+        </td>
+      </tr>
+      {{else}}
+      <tr><td colspan="4" class="muted">Keine Einträge</td></tr>
+      {{end}}
+    </tbody>
+  </table>
+</div>
+{{end}}`
+
+var auditTpl = `{{define "audit_page"}}
+<!doctype html>
+<html lang="de">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Audit · Meldesystem</title>
+  <style>
+    :root { --bg:#0f172a; --card:#111827; --muted:#9ca3af; --text:#e5e7eb; --acc:#06b6d4; --ok:#10b981; --warn:#f59e0b; --err:#ef4444; }
+    *{box-sizing:border-box} body{margin:0;background:linear-gradient(180deg,#0b1220,#0f172a);color:var(--text);font:16px/1.45 system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial}
+    a{color:var(--acc);text-decoration:none} a:hover{text-decoration:underline}
+    .container{max-width:980px;margin:40px auto;padding:0 16px}
+    header{display:flex;align-items:center;justify-content:space-between;margin-bottom:24px}
+    .brand{font-weight:800;font-size:20px;letter-spacing:.2px}
+    .card{background:var(--card);border:1px solid #1f2937;border-radius:16px;box-shadow:0 10px 30px rgba(0,0,0,.25);padding:20px;margin-bottom:16px}
+    table{width:100%;border-collapse:separate;border-spacing:0}
+    th,td{padding:12px 10px;border-bottom:1px solid #1f2937;font-size:14px}
+    th{text-align:left;color:var(--muted);font-weight:600}
+    .muted{color:var(--muted)}
+    .badge{display:inline-flex;align-items:center;gap:6px;padding:4px 10px;border-radius:999px;background:#0b1220;border:1px solid #1f2937;color:var(--muted);font-size:12px}
+    .flex{display:flex;gap:8px;align-items:center}
+    button{padding:10px 14px;border:0;border-radius:12px;background:var(--acc);color:#001018;font-weight:700;cursor:pointer}
+    button.secondary{background:#1f2937;color:var(--text)}
+    footer{margin-top:24px;color:var(--muted);font-size:12px;text-align:center}
+  </style>
+</head>
+<body>
+  <div class="container">
+    <header>
+      <div class="brand">Meldesystem</div>
+      <div class="flex">
+        <span class="badge">👤 {{.User}}</span>
+        <form method="GET" action="/"><button class="secondary" type="submit">Zurück</button></form>
+      </div>
+    </header>
+
+    <div class="card">
+      <h3 style="margin:0 0 8px">Audit-Log (vollständig)</h3>
+      <table>
+        <thead><tr><th>Zeit</th><th>Nutzer</th><th>Aktion</th><th>Details</th><th>IP</th></tr></thead>
+        <tbody>
+          {{range .Rows}}
+            <tr>
+              <td class="muted">{{.When}}</td>
+              <td>{{.Actor}}</td>
+              <td>{{.Action}}</td>
+              <td class="muted">{{.Details}}</td>
+              <td class="muted">{{.IP}}</td>
+            </tr>
+          {{else}}
+            <tr><td colspan="5" class="muted">Noch keine Ereignisse</td></tr>
+          {{end}}
+        </tbody>
+      </table>
+    </div>
+
+    <footer>Ohne externe Assets · Zeit: {{.Now}}</footer>
+  </div>
+</body>
+</html>
+{{end}}`
+
+// ======= Server =======
+
+func main() {
+	log.SetFlags(log.LstdFlags | log.Lshortfile)
+
+	// Geheimschlüssel laden/erzeugen
+	if k := os.Getenv("APP_SECRET"); k != "" {
+		secretKey = []byte(k)
+	} else {
+		secretKey = make([]byte, 32)
+		if _, err := crand.Read(secretKey); err != nil {
+			log.Fatal(err)
+		}
+	}
+
+	if err := loadDB(); err != nil {
+		log.Fatal(err)
+	}
+
+	setupUser, setupPass, setup := ensureAdmin()
+
+	tpl = template.Must(template.New("base").Parse(baseTpl))
+	template.Must(tpl.New("dashboard_bundle").Parse(dashboardTpl))
+	template.Must(tpl.New("audit_bundle").Parse(auditTpl))
+
+	http.HandleFunc("/", withAuth(handleIndex))
+	http.HandleFunc("/report", withAuth(handleReport))
+	http.HandleFunc("/confirm", withAuth(handleConfirm))
+	http.HandleFunc("/delete", withAuth(handleDelete))
+	http.HandleFunc("/audit", withAuth(handleAudit))
+
+	http.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method == http.MethodGet {
+			t := template.Must(template.New("login").Parse(loginTpl))
+			msg := r.URL.Query().Get("msg")
+			_ = t.ExecuteTemplate(w, "login", map[string]any{"Msg": msg, "Setup": setup, "SetupUser": setupUser, "SetupPass": setupPass})
+			return
+		}
+		if r.Method == http.MethodPost {
+			username := strings.TrimSpace(r.FormValue("username"))
+			password := r.FormValue("password")
+			if authenticate(username, password) {
+				setSession(w, username)
+				appendAudit(username, "login", "Erfolg", r)
+				http.Redirect(w, r, "/", http.StatusFound)
+				return
+			}
+			appendAudit(username, "login", "Fehlgeschlagen", r)
+			http.Redirect(w, r, "/login?msg=Ungültige%20Anmeldedaten", http.StatusFound)
+			return
+		}
+		w.WriteHeader(http.StatusMethodNotAllowed)
+	})
+
+	http.HandleFunc("/logout", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			w.WriteHeader(http.StatusMethodNotAllowed)
+			return
+		}
+		u := currentUser(r)
+		clearSession(w)
+		appendAudit(u, "logout", "", r)
+		http.Redirect(w, r, "/login?msg=Abgemeldet", http.StatusFound)
+	})
+
+	addr := envOr("ADDR", ":8080")
+	log.Printf("Server läuft auf %s", addr)
+	log.Fatal(http.ListenAndServe(addr, nil))
+}
+
+// ======= Admin/Users =======
+
+func ensureAdmin() (string, string, bool) {
+	mu.Lock()
+	defer mu.Unlock()
+	if len(db.Users) > 0 {
+		return "", "", false
+	}
+	user := envOr("ADMIN_USER", "admin")
+	pass := os.Getenv("ADMIN_PASS")
+	if pass == "" {
+		pass = randomPassword(12)
+	}
+	h := hashPassword(pass, newSalt())
+	db.Users = append(db.Users, User{Username: user, PasswordHash: h, IsAdmin: true, CreatedAt: time.Now().Unix()})
+	if err := saveDB(); err != nil {
+		log.Fatal(err)
+	}
+	log.Printf("Erstbenutzer angelegt: %s / %s (bitte ändern)", user, pass)
+	return user, pass, true
+}
+
+func authenticate(username, password string) bool {
+	mu.Lock()
+	defer mu.Unlock()
+	for _, u := range db.Users {
+		if u.Username == username && verifyPassword(password, u.PasswordHash) {
+			return true
+		}
+	}
+	return false
+}
+
+func isAdmin(username string) bool {
+	mu.Lock()
+	defer mu.Unlock()
+	for _, u := range db.Users {
+		if u.Username == username {
+			return u.IsAdmin
+		}
+	}
+	return false
+}
+
+// ======= Audit =======
+
+func appendAudit(actor, action, details string, r *http.Request) {
+	mu.Lock()
+	defer mu.Unlock()
+	entry := AuditEntry{Time: time.Now().Unix(), Actor: actor, Action: action, Details: details, IP: clientIP(r)}
+	db.Audit = append([]AuditEntry{entry}, db.Audit...) // neueste oben
+	if len(db.Audit) > 5000 {
+		db.Audit = db.Audit[:5000]
+	}
+	_ = saveDB()
+}
+
+func clientIP(r *http.Request) string {
+	if x := r.Header.Get("X-Forwarded-For"); x != "" {
+		return strings.Split(x, ",")[0]
+	}
+	return strings.Split(r.RemoteAddr, ":")[0]
+}
+
+// ======= Handlers =======
+
+func handleIndex(w http.ResponseWriter, r *http.Request) {
+	q := strings.TrimSpace(r.URL.Query().Get("q"))
+	mu.Lock()
+	reports := make([]Report, 0, len(db.Reports))
+	for _, rep := range db.Reports {
+		if q == "" || strings.Contains(strings.ToLower(rep.Name), strings.ToLower(q)) {
+			reports = append(reports, rep)
+		}
+	}
+	mu.Unlock()
+
+	rows := make([]map[string]any, 0, len(reports))
+	for _, rep := range reports {
+		m := map[string]any{
+			"ID":         rep.ID,
+			"Name":       template.HTMLEscapeString(rep.Name),
+			"Status":     rep.Status,
+			"ReportedBy": rep.ReportedBy,
+			"Created":    time.Unix(rep.CreatedAt, 0).Format("02.01.2006 15:04"),
+		}
+		if rep.Status == StatusBestaetigt {
+			m["Confirmed"] = time.Unix(rep.ConfirmedAt, 0).Format("02.01.2006 15:04")
+			m["ConfirmedBy"] = rep.ConfirmedBy
+		}
+		rows = append(rows, m)
+	}
+
+	recent := recentAudit(8)
+	data := map[string]any{
+		"User":        currentUser(r),
+		"IsAdmin":     isAdmin(currentUser(r)),
+		"Reports":     rows,
+		"Q":           q,
+		"RecentAudit": recent,
+		"Now":         time.Now().Format("02.01.2006 15:04"),
+	}
+	_ = tpl.ExecuteTemplate(w, "dashboard", data)
+}
+
+func handleReport(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		return
+	}
+	name := strings.TrimSpace(r.FormValue("name"))
+	if name == "" {
+		http.Redirect(w, r, "/?msg=leer", http.StatusFound)
+		return
+	}
+	user := currentUser(r)
+
+	mu.Lock()
+	for _, rep := range db.Reports {
+		if strings.EqualFold(rep.Name, name) {
+			mu.Unlock()
+			appendAudit(user, "report_skip", fmt.Sprintf("Duplikat: %s", name), r)
+			http.Redirect(w, r, "/?msg=exists", http.StatusFound)
+			return
+		}
+	}
+	id := db.NextID
+	db.NextID++
+	rep := Report{ID: id, Name: name, Status: StatusGemeldet, ReportedBy: user, CreatedAt: time.Now().Unix()}
+	db.Reports = append([]Report{rep}, db.Reports...)
+	_ = saveDB()
+	mu.Unlock()
+
+	appendAudit(user, "report", fmt.Sprintf("ID %d · %s", rep.ID, rep.Name), r)
+	http.Redirect(w, r, "/", http.StatusFound)
+}
+
+func handleConfirm(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		return
+	}
+	id, _ := strconv.ParseInt(r.FormValue("id"), 10, 64)
+	user := currentUser(r)
+
+	mu.Lock()
+	defer mu.Unlock()
+	for i, rep := range db.Reports {
+		if rep.ID == id {
+			if rep.ReportedBy == user { // nicht selbst bestätigen
+				appendAudit(user, "confirm_denied", fmt.Sprintf("ID %d · eigener Eintrag", id), r)
+				break
+			}
+			if rep.Status == StatusBestaetigt {
+				break
+			}
+			rep.Status = StatusBestaetigt
+			rep.ConfirmedBy = user
+			rep.ConfirmedAt = time.Now().Unix()
+			db.Reports[i] = rep
+			_ = saveDB()
+			appendAudit(user, "confirm", fmt.Sprintf("ID %d · %s", rep.ID, rep.Name), r)
+			break
+		}
+	}
+	http.Redirect(w, r, "/", http.StatusFound)
+}
+
+func handleDelete(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		return
+	}
+	if !isAdmin(currentUser(r)) {
+		w.WriteHeader(http.StatusForbidden)
+		return
+	}
+	id, _ := strconv.ParseInt(r.FormValue("id"), 10, 64)
+	user := currentUser(r)
+
+	mu.Lock()
+	defer mu.Unlock()
+	for i, rep := range db.Reports {
+		if rep.ID == id {
+			db.Reports = append(db.Reports[:i], db.Reports[i+1:]...)
+			_ = saveDB()
+			appendAudit(user, "delete", fmt.Sprintf("ID %d · %s", rep.ID, rep.Name), r)
+			break
+		}
+	}
+	http.Redirect(w, r, "/", http.StatusFound)
+}
+
+func handleAudit(w http.ResponseWriter, r *http.Request) {
+	rows := recentAudit(1000)
+	data := map[string]any{"User": currentUser(r), "Rows": rows, "Now": time.Now().Format("02.01.2006 15:04"), "IsAdmin": isAdmin(currentUser(r))}
+	_ = tpl.ExecuteTemplate(w, "audit_page", data)
+}
+
+func recentAudit(n int) []map[string]any {
+	mu.Lock()
+	defer mu.Unlock()
+	limit := n
+	if len(db.Audit) < n {
+		limit = len(db.Audit)
+	}
+	out := make([]map[string]any, 0, limit)
+	for _, a := range db.Audit[:limit] {
+		out = append(out, map[string]any{
+			"When":    time.Unix(a.Time, 0).Format("02.01.2006 15:04:05"),
+			"Actor":   a.Actor,
+			"Action":  a.Action,
+			"Details": a.Details,
+			"IP":      a.IP,
+		})
+	}
+	return out
+}
+
+// ======= Utilities =======
+
+func randomPassword(n int) string {
+	letters := []rune("ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789@#%")
+	b := make([]rune, n)
+	s := mrand.New(mrand.NewSource(time.Now().UnixNano()))
+	for i := range b {
+		b[i] = letters[s.Intn(len(letters))]
+	}
+	return string(b)
+}