2026-05-07 - 2026-05-14
Overview
45 Pull requests merged by 1 user
Merged
#565 ci: restrict push trigger to main — eliminate duplicate CI runs
Merged
#564 fix(ci): run client coverage even when server coverage fails
Merged
#563 fix(tests): use native element clicks in layout dropdown spec
Merged
#561 fix(ci): add IMPORT_HOST_DIR stub to compose-idempotency job
Merged
#558 ci(devops): downgrade upload-artifact v4 → v3 + ADR-014 + grep guard
Merged
#559 chore(coverage): drop client branches threshold 80→75 to unblock CI
Merged
#555 fix(#553): close [birpc] rpc is closed race — sync-factory invariant + duplicate-ID guard + PR #10267 backport
Merged
#552 fix(notification): replace view-all anchor with button to prevent iframe navigation
Merged
#550 fix(pdf-viewer): eliminate real pdfjs-dist loading from browser tests — stop birpc teardown race
Merged
#549 fix(pdf-viewer): remove banned vi.mock('pdfjs-dist') — ADR 012 enforcement (issue #546)
Merged
#548 fix(test): NotificationDropdown iframe navigation crash + Tailwind CI noise
Merged
#547 test: fix flaky browser-mode tests in AnnotationShape and OcrTrainingCard specs
Merged
#536 fix(#535): eliminate vi.mock(pdfjs-dist) birpc teardown race via libLoader injection
Merged
#544 fix(ci): replace iproute2 ip with /proc/net/route for gateway detection
Merged
#540 fix(ci): resolve smoke test host via bridge gateway, not 127.0.0.1
Merged
#537 ci(nightly): reload Caddy before smoke test
Merged
#505 test(coverage): drive browser tests to 80% on all metrics (#496)
Merged
#526 feat(infra): bind-mount /import for backend mass-import endpoint
Merged
#525 fix(infra): frontend healthcheck on 127.0.0.1, not localhost
Merged
#521 fix(security): promote auth_token cookie to Authorization header (#520)
Merged
#519 fix(user): findOrCreate Administrators group instead of blind-INSERT (#518)
Merged
#517 fix(caddy): wrap actuator block in handle so it takes precedence over catch-all (#512)
Merged
#516 fix(user): rename yaml key username→email so admin seed reads APP_ADMIN_USERNAME (#513)
Merged
#515 fix(frontend): disable prerender crawl so protected routes aren't baked to login-bounces (#514)
Merged
#511 fix(compose): mark create-buckets as one-shot for up --wait (#510)
Merged
#509 fix(workflows): match runner label — runs-on ubuntu-latest (#508)
Merged
#507 fix(minio): bake bootstrap.sh into image instead of bind-mounting (#506)
Merged
#504 fix(fail2ban): pin polling backend so jail actually reads Caddy access log (#503)
Merged
#499 feat(infra): production deployment pipeline — Caddy, staging, Gitea Actions (#497)
Merged
#495 fix(test): make browser-project tests contribute to coverage measurement
Merged
#488 fix(fts): paginate FTS match-set in SQL instead of loading all matching IDs
Merged
#491 fix(db): add indexes on documents.sender_id and document_comments.author_id (#470)
Merged
#493 fix(a11y): increase PdfControls touch targets to 44×44px (#354)
Merged
#494 fix(ci): resolve date-buckets timezone + Testcontainers Docker failures (#476)
Merged
#490 fix(user): replace Math.abs(hashCode()) with Math.floorMod in computeColor
Merged
#489 fix(comment): declare missing @PathVariable params on block comment endpoints
Merged
#492 fix(db): add PRIMARY KEY to group_permissions and promote tbmp UNIQUE to PK (#469)
Merged
#487 fix(documents): filter inputs don't sync with URL on navigation (#482)
Merged
#486 fix(build): unbreak production build — /hilfe/transkription prerender unreachable behind /login
Merged
#484 feat(dashboard): reader dashboard spec alignment #483
Merged
#477 feat(#447): permission-gated reader dashboard
Merged
#478 feat(documents): timeline date-range filter with density bars (#385)
Merged
#475 feat(chronik): add commentPreview to ActivityFeedItemDTO (#454)
Merged
#456 cleanup(legibility): repo hygiene, TODO cleanup, and test flakiness fixes
Merged
#455 cleanup(legibility): polish — CLEANUP-2, CLEANUP-3, CLEANUP-4
40 Issues closed from 1 user
Closed
#557 ci(devops): downgrade actions/upload-artifact v4 → v3 (re-regression — needs ADR to prevent future re-upgrade)
Closed
#554 audit: factory mocks → prop injection migration (sveltest pattern)
Closed
#556 ci(coverage): drop client-project branches threshold 80 → 70 to unblock CI
Closed
#553 Unit & Component Tests job exits 1 — birpc teardown race resurfaces from async vi.mock factory with dynamic import
Closed
#551 fix(test): NotificationDropdown view-all click navigates iframe — breaks vitest coverage
Closed
#546 test: PdfViewer.svelte.test.ts re-introduces banned vi.mock('pdfjs-dist') factory — restores birpc teardown race
Closed
#545 fix(test): NotificationDropdown "view-all link" test causes iframe navigation crash in CI
Closed
#541 test: fix flaky browser-mode tests in AnnotationShape and OcrTrainingCard specs
Closed
#535 Unit & Component Tests job exits 1 from vitest-browser teardown race — every test green but CI red
Closed
#496 Increase browser component test coverage to ≥ 80% on all metrics (statements, lines, branches, functions)
Closed
#522 tech-debt(auth): replace cookie-promotion glue with a proper session-based auth model
Closed
#520 bug(security): browser-side /api/* requests miss Authorization in production → browser shows Basic-auth popup
Closed
#518 bug(user): UserDataInitializer blind-INSERTs Administrators group; fails on retry (HIGH, prod-blocking)
Closed
#512 bug(caddy): respond @actuator 404 swallowed by catch-all handle; /actuator/health returns 302
Closed
#513 bug(user): admin seed ignores APP_ADMIN_USERNAME / PASSWORD — falls back to defaults (HIGH, prod-blocking)
Closed
#514 bug(frontend): SvelteKit prerender-crawl bakes redirect-to-login into static HTML for protected routes (HIGH, prod-blocking)
Closed
#510 bug(compose): up -d --wait treats create-buckets exit(0) as failure
Closed
#508 bug(workflows): deploy workflows use runs-on: self-hosted but runner advertises ubuntu-latest — jobs never picked up
Closed
#506 bug(infra/minio): create-buckets bootstrap.sh bind-mount fails on DooD runner (Is a directory)
Closed
#503 bug(infra/fail2ban): jail defaults to systemd backend on Debian, never inspects Caddy access log
Closed
#497 devops: production deployment — Caddy, staging env, and Gitea Actions CI/CD
Closed
#367 security(transcription): CWE-79 — escapeHtml required for @mention rendering in PR-B
Closed
#425 fix(test): make browser-project tests contribute to coverage measurement
Closed
#468 fix(documents): paginate FTS match-set in SQL instead of loading all matching IDs
Closed
#470 fix(db): add indexes on documents.sender_id and document_comments.author_id
Closed
#423 fix(test): resolve pre-existing TranscriptionEditView and Richtlinien test failures
Closed
#115 fix(ui): replace localStorage panel state restore with SvelteKit snapshot API to eliminate flash on load
Closed
#354 fix(a11y): increase annotation toggle touch target to 44×44px minimum
Closed
#476 fix(ci): two persistent CI failures — date-buckets timezone + Testcontainers Docker
Closed
#471 fix(user): replace Math.abs(hashCode()) in AppUser.computeColor (negative on Integer.MIN_VALUE)
Closed
#473 fix(api): add explicit @PathVariable name on transcription-block comment endpoints
Closed
#469 fix(db): add primary key to group_permissions to prevent duplicate grants
Closed
#482 fix(documents): filter inputs don't sync with URL — Sender/Receiver blank on load, fields don't clear on reset
Closed
#472 fix(build): unbreak production build — /hilfe/transkription prerender unreachable behind /login
Closed
#483 fix(dashboard): align reader dashboard with reader-dashboard-final spec
Closed
#447 feat(dashboard): permission-gated reader dashboard for READ_ALL / BLOG_WRITE users
Closed
#385 feat(documents): timeline date-range filter with density bars
Closed
#454 feat(chronik): add commentPreview field to ActivityFeedItemDTO
Closed
#416 audit(legibility): re-run readiness scorecard; ratify "ready for evaluation"
Closed
#411 epic(legibility): polish — remove smells surfaced by audits
64 Issues created by 1 user
Opened
#457 security(deps): bump Spring Boot to 4.0.6 to clear 2 CRIT + 17 HIGH CVEs
Opened
#458 security(deps): bump @sveltejs/kit + vite to clear BODY_SIZE_LIMIT bypass + 5 high devDep CVEs
Opened
#459 security(ocr): run OCR container as non-root user (CIS Docker §4.1)
Opened
#460 security(history): scrub admin:admin123 from .claude/skills/transcribe/SKILL.md git history
Opened
#461 devops(ci): add SAST/SCA/secret-scan/container-scan gates to .gitea/workflows/ci.yml
Opened
#462 feat(observability): add handleError hook with structured stdout sink
Opened
#463 feat(resilience): wrap OCR client with Resilience4j retry + circuit-breaker + time-limiter
Opened
#464 security(uploads): integrate ClamAV scan before persisting documents to MinIO
Opened
#465 refactor(frontend): replace raw fetch with event.fetch in admin/enrich routes (handleFetch bypass)
Opened
#466 refactor(api): migrate GlobalExceptionHandler to RFC 9457 ProblemDetail
Opened
#467 refactor(document): switch Document.tags + receivers + trainingLabels to LAZY + @EntityGraph
Opened
#468 fix(documents): paginate FTS match-set in SQL instead of loading all matching IDs
Opened
#469 fix(db): add primary key to group_permissions to prevent duplicate grants
Opened
#470 fix(db): add indexes on documents.sender_id and document_comments.author_id
Opened
#471 fix(user): replace Math.abs(hashCode()) in AppUser.computeColor (negative on Integer.MIN_VALUE)
Opened
#472 fix(build): unbreak production build — /hilfe/transkription prerender unreachable behind /login
Opened
#473 fix(api): add explicit @PathVariable name on transcription-block comment endpoints
Opened
#474 cleanup(ocr): use %n instead of \n in TrainingDataExportService format string
Opened
#476 fix(ci): two persistent CI failures — date-buckets timezone + Testcontainers Docker
Opened
#479 feat(documents): keyboard-accessible range zoom for timeline
Opened
#480 test(documents): timeline density Playwright coverage
Opened
#481 perf(documents): move density aggregation into SQL when documents > 50k
Opened
#482 fix(documents): filter inputs don't sync with URL — Sender/Receiver blank on load, fields don't clear on reset
Opened
#483 fix(dashboard): align reader dashboard with reader-dashboard-final spec
Opened
#496 Increase browser component test coverage to ≥ 80% on all metrics (statements, lines, branches, functions)
Opened
#497 devops: production deployment — Caddy, staging env, and Gitea Actions CI/CD
Opened
#498 devops: production observability stack — Prometheus, Loki, Grafana, Alertmanager
Opened
#500 devops: bootstrap Renovate config for production deps (MinIO, mc, Postgres, Node, Caddy, mailpit)
Opened
#501 test(ci): production image smoke-test job — boot frontend + backend images, curl /login
Opened
#502 devops: nightly backup pipeline — pg_dump + mc mirror over Tailscale to heim-nas
Opened
#503 bug(infra/fail2ban): jail defaults to systemd backend on Debian, never inspects Caddy access log
Opened
#506 bug(infra/minio): create-buckets bootstrap.sh bind-mount fails on DooD runner (Is a directory)
Opened
#508 bug(workflows): deploy workflows use runs-on: self-hosted but runner advertises ubuntu-latest — jobs never picked up
Opened
#510 bug(compose): up -d --wait treats create-buckets exit(0) as failure
Opened
#512 bug(caddy): respond @actuator 404 swallowed by catch-all handle; /actuator/health returns 302
Opened
#513 bug(user): admin seed ignores APP_ADMIN_USERNAME / PASSWORD — falls back to defaults (HIGH, prod-blocking)
Opened
#514 bug(frontend): SvelteKit prerender-crawl bakes redirect-to-login into static HTML for protected routes (HIGH, prod-blocking)
Opened
#518 bug(user): UserDataInitializer blind-INSERTs Administrators group; fails on retry (HIGH, prod-blocking)
Opened
#520 bug(security): browser-side /api/* requests miss Authorization in production → browser shows Basic-auth popup
Opened
#522 tech-debt(auth): replace cookie-promotion glue with a proper session-based auth model
Opened
#523 feat(auth): server-side session model replacing Basic-auth cookie promotion
Opened
#524 feat(auth): defense-in-depth — CSRF, session revocation, login rate limit
Opened
#527 "Unsaved changes" banner appears after creating a group/user — users think save failed
Opened
#528 security(import): harden DocumentBuilderFactory against XXE in MassImportService
Opened
#529 security(import): validate PDF magic bytes in MassImportService before S3 upload
Opened
#530 security(import): reject path-traversal filenames from ODS in MassImportService.processRows
Opened
#531 ci(nightly): post-deploy smoke test for /api/admin/import-status
Opened
#532 ci(nightly): assert backend container can read /import after deploy
Opened
#533 ui(admin/system): improve mass-import status card (loading state, i18n, font size)
Opened
#534 spec(import): decide and document mass-import operator policy (3 open questions)
Opened
#535 Unit & Component Tests job exits 1 from vitest-browser teardown race — every test green but CI red
Opened
#538 bug(test): flaky browser-mode test — admin edit-user unsaved-changes guard
Opened
#539 ci: extract Reload Caddy step into a composite action
Opened
#541 test: fix flaky browser-mode tests in AnnotationShape and OcrTrainingCard specs
Opened
#542 test: share fakePdfjs fixture across viewer test files
Opened
#543 UX: PDF viewer has no loading indicator or error state when pdfjs-dist fails to initialise
Opened
#545 fix(test): NotificationDropdown "view-all link" test causes iframe navigation crash in CI
Opened
#546 test: PdfViewer.svelte.test.ts re-introduces banned vi.mock('pdfjs-dist') factory — restores birpc teardown race
Opened
#551 fix(test): NotificationDropdown view-all click navigates iframe — breaks vitest coverage
Opened
#553 Unit & Component Tests job exits 1 — birpc teardown race resurfaces from async vi.mock factory with dynamic import
Opened
#554 audit: factory mocks → prop injection migration (sveltest pattern)
Opened
#556 ci(coverage): drop client-project branches threshold 80 → 70 to unblock CI
Opened
#557 ci(devops): downgrade actions/upload-artifact v4 → v3 (re-regression — needs ADR to prevent future re-upgrade)
Opened
#560 audit report: factory vi.mock → prop-injection / __mocks__ migration (87 call sites, 12 modules)
33 Unresolved Conversations
Open
#386 feat(documents): calendar view with appointment-style document rows
Open
#327 feat(transcribe): keyboard shortcuts for the transcribe power path + cheatsheet overlay
Open
#323 feat(persons): visually distinguish incomplete placeholder persons + filter by completeness on /persons
Open
#363 devops: add Playwright E2E job to CI for stammbaum spec
Open
#380 feat(transcription): decouple @mention display text from person search
Open
#355 feat(transcription): E2E test for bulk "Alle als fertig markieren" action
Open
#356 ux(transcription): show error toast when bulk "Alle als fertig markieren" fails
Open
#353 test(a11y): add axe-playwright E2E gate for PDF viewer WCAG 2.1 AA compliance
Open
#424 refactor(frontend): move statusDotClass/statusLabel from person/ to document/
Open
#431 test(e2e): follow-up gaps from legibility pre-flight (#402)
Open
#427 refactor(backend): ArchUnit Rule 5 — enforce controller @RequestMapping URL prefix per domain
Open
#453 refactor(admin): dedicated /api/admin/stats endpoint returning counts only
Open
#335 feat(admin): activity panel on admin dashboard — system-wide weekly contribution counts
Open
#306 feature(persons): Korrespondenz-Überblick dashboard on /persons/[id]
Open
#321 feat(transcribe): show visible per-document transcription progress in the panel header
Open
#322 fix(document-viewer): surface error + retry when file load stalls instead of spinning forever
Open
#368 feat(persons): audit + complete person-merge flow for all data domains
Open
#83 fix(security): remove hardcoded fallback admin credentials in application.yaml
Open
#318 feat(mobile): reader surfaces (Home · /documents · /briefwechsel · /persons) pass mobile-first bar at 375 px
Open
#84 fix(security): validate file upload MIME type from magic bytes, not client header
Open
#140 Add Prometheus + Loki + Grafana monitoring stack
Open
#142 Add build-and-push and deploy jobs to CI workflow
Open
#124 Add Playwright visual regression tests at 320px, 768px, and 1440px breakpoints
Open
#87 fix(security): explicitly restrict Spring Boot Actuator endpoints in production config
Open
#134 Build production-ready multi-stage Dockerfile for the backend
Open
#135 Build production-ready multi-stage Dockerfile for the frontend
Open
#137 Add application-prod.yaml with secure Spring Boot production defaults
Open
#138 Add automated PostgreSQL backup script with offsite upload
Open
#139 Create .env.example and DEPLOYMENT.md for production onboarding
Open
#141 Add Hetzner VPS to Tailscale tailnet for private deployment access
Open
#116 fix(security): add Content-Security-Policy headers to SvelteKit responses
Open
#111 fix(security): add rate limiting to login and password-reset endpoints
Open
#86 fix(security): set secure: true on auth cookie for production (HTTPS)