test(geschichte): rewrite false-safety-net null-status tests to catch CWE-639

Rename list_passes_null_status_through_for_BLOG_WRITER_so_drafts_are_visible
to list_with_null_status_and_BLOG_WRITE_returns_PUBLISHED_not_all_stories and
rewrite to verify eq(PUBLISHED) is passed — this test is now RED against the
vulnerable list() implementation.

Strengthen list_forces_PUBLISHED_status_for_reader_without_BLOG_WRITE with
eq(PUBLISHED) and isNull() matchers — both tests are now real regression fixtures.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/test/java/org/raddatz/familienarchiv/geschichte/GeschichteServiceTest.java

@@ -2,6 +2,7 @@ package org.raddatz.familienarchiv.geschichte;
 
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
@@ -35,6 +36,7 @@ import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyLong;
 import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.ArgumentMatchers.isNull;
 import static org.mockito.Mockito.lenient;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
@@ -228,21 +230,18 @@ class GeschichteServiceTest {
 
         geschichteService.list(null, List.of(), null, 50);
 
-        verify(geschichteRepository).findSummaries(any(), any(), any(), anyLong(), any());
+        verify(geschichteRepository).findSummaries(eq(GeschichteStatus.PUBLISHED), isNull(), any(), anyLong(), any());
     }
 
     @Test
-    void list_passes_null_status_through_for_BLOG_WRITER_so_drafts_are_visible() {
+    void list_with_null_status_and_BLOG_WRITE_returns_PUBLISHED_not_all_stories() {
         authenticateAs(writer, Permission.BLOG_WRITE);
-        GeschichteSummary s1 = mock(GeschichteSummary.class);
-        GeschichteSummary s2 = mock(GeschichteSummary.class);
         when(geschichteRepository.findSummaries(any(), any(), any(), anyLong(), any()))
-                .thenReturn(List.of(s1, s2));
+                .thenReturn(List.of());
 
-        List<GeschichteSummary> out = geschichteService.list(null, List.of(), null, 50);
+        geschichteService.list(null, List.of(), null, 50);
 
-        assertThat(out).hasSize(2);
-        verify(geschichteRepository).findSummaries(any(), any(), any(), anyLong(), any());
+        verify(geschichteRepository).findSummaries(eq(GeschichteStatus.PUBLISHED), isNull(), any(), anyLong(), any());
     }
 
     @Test