docs: round-3 currency pass

- extractText.ts states the real safety invariant (output is text-only;
  JOURNEY intros arrive unsanitised by design)
- geschichte README: stale glyph/pill cells updated, formatAuthorName no
  longer claims an email fallback, formatDocumentMetaLine documented
- reader spec HTMLs: bg-white list-card cell and the mobile BottomSheet
  rows struck with the implemented decision (inline metabar actions)

Review round 3: Nora (2), Markus (2), Felix, Elicit (3).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

frontend/src/lib/shared/utils/extractText.ts

@@ -1,13 +1,18 @@
 /**
- * **Not a sanitizer.** This module extracts visible text from a (presumed
- * already-sanitised) HTML string for excerpt rendering. It is safe ONLY
- * because the Geschichte body is sanitised against the OWASP allow-list
- * on the server before persistence, and via DOMPurify on render.
+ * **Not a sanitizer.** This module extracts visible text from an HTML (or
+ * plain-text) string for excerpt rendering. The safety invariant is: the
+ * OUTPUT must only ever be rendered via Svelte text interpolation — never
+ * `{@html}`. The DOMParser document is inert (scripts don't execute), but
+ * the returned string is whatever text the input carried.
+ *
+ * Note on inputs: STORY bodies are additionally sanitised against the OWASP
+ * allow-list on the server; JOURNEY intros are stored VERBATIM (unsanitised
+ * by design — see GeschichteService.bodyForType) and arrive here untrusted.
  *
  * Do not use these helpers to defend against XSS — `safeHtml()` in
  * `./sanitize.ts` is the only sanitiser. Calling `extractText()` on
- * untrusted input that has not been sanitised does not protect against
- * `javascript:` URLs, event-handler attributes, or `<svg/onload>` payloads.
+ * untrusted input does not protect against `javascript:` URLs,
+ * event-handler attributes, or `<svg/onload>` payloads.
  */
 
 /**