Phase 9c: Parent accounts, magic-link login + parent timetable view

Backend (school-service):
  - parent_account, parent_child, parent_magic_link, parent_session
    tables. Tokens are sha256-hashed in DB; raw goes back exactly
    once to the inviting teacher.
  - InviteParent upserts the parent account, links a child to a tt_
    class, mints a 7-day magic link. Returns the link path so the
    teacher can paste it into Matrix/Email.
  - RedeemMagicLink validates + marks used + mints a 30-day session,
    sets HttpOnly bp_parent_session cookie.
  - ParentSessionMiddleware reads the cookie and resolves the parent.
    Lives in its own router group /api/v1/parent — totally separate
    from the teacher JWT path.
  - ParentMe returns the account + list of children (with class name).
  - ParentTimetable returns the latest completed tt_solution's lessons
    for the requested child's class, with full authorization check
    (parent must own a child in that class).

Frontend (studio-v2):
  - lib/calendar/subject-i18n.ts maps 22 German subject names to 8
    parent locales (de/en/tr/ar/uk/ru/pl/fr). Falls back to German
    for custom subjects.
  - ParentManager component on the Schulkalender page lets the teacher
    invite parents via email + child name + class + language. Newly
    minted magic-link is shown with a copy-to-clipboard button.
  - app/api/parent/[...path]/route.ts proxies parent-side endpoints
    via the cookie so HttpOnly survives the Next.js round-trip.
  - /eltern/login?token=… redeems and redirects to /eltern.
  - /eltern shows a Wochengrid with German days + translated subject
    names in the parent's preferred language. Headings and weekday
    labels also localised (de/en/tr/ar/uk/ru/pl/fr).

Tests:
  - 3 new Go unit tests (random token, hash stability, invite-request
    validator). 83 subtests gesamt.
  - studio-v2: e2e/eltern.spec.ts mit 7 tests across ParentManager,
    /eltern/login, /eltern overview, subject-i18n end-to-end.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

school-service/cmd/server/main.go

@@ -258,6 +258,31 @@ func main() {
 		api.POST("/calendar/events", handler.CreateSchoolEvent)
 		api.DELETE("/calendar/events/:id", handler.DeleteSchoolEvent)
 		api.POST("/calendar/school-year-rollover", handler.RolloverSchoolYear)
+
+		// Phase 9c: parent invitations (teacher side).
+		api.GET("/calendar/parents", handler.ListParentInvites)
+		api.POST("/calendar/parents/invite", handler.InviteParent)
+		api.DELETE("/calendar/parents/children/:id", handler.DeleteParentInvite)
+	}
+
+	// Phase 9c: parent-side endpoints. Auth is the parent session cookie,
+	// NOT the teacher JWT. /parent/auth/redeem creates the cookie; the
+	// other routes require it via ParentSessionMiddleware.
+	parentAPI := router.Group("/api/v1/parent")
+	{
+		parentAPI.POST("/auth/redeem", handler.RedeemMagicLink)
+
+		authed := parentAPI.Group("/")
+		authed.Use(middleware.ParentSessionMiddleware(func(ctx context.Context, token string) (string, string, string, error) {
+			p, err := handler.ParentService().ParentFromSession(ctx, token)
+			if err != nil {
+				return "", "", "", err
+			}
+			return p.ID.String(), p.Email, p.PreferredLanguage, nil
+		}))
+		authed.GET("/me", handler.ParentMe)
+		authed.GET("/me/timetable", handler.ParentTimetable)
+		authed.POST("/auth/logout", handler.ParentLogout)
 	}
 
 	// Start server