Creates the full groups section under /admin/groups/:
- +layout.server.ts: loads groups list via GET /api/groups
- GroupsListPanel.svelte: left list panel (name + permission count, active state)
- +layout.svelte: composes list panel + children slot
- +page.svelte: empty selection prompt
- [id]/+page.server.ts: update (PATCH) and delete actions
- [id]/+page.svelte: edit detail panel with Standard/Administrative permission sections
- new/+page.svelte and +page.server.ts: create group form
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Fixes IDOR: the endpoint was publicly accessible to any authenticated user.
Now requires ADMIN_USER permission, matching all other user management endpoints.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Resolved conflicts in messages/de.json, en.json, es.json by keeping
both the persons-redesign keys (feature branch) and the notification
keys (main) in all three locale files.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The panel was restoring its open/tab/height state from localStorage,
causing the discussion drawer to reopen on every subsequent page visit
even without a ?commentId= param. Removed all LS_KEY_* constants, the
savedOpen/savedTab/savedHeight restore logic, and the persistence
$effect. The panel now always starts closed (or opens to metadata when
the document has no file yet), and the discussion tab opens exclusively
via the commentId deep-link query param.
Also add .svelte-kit-backup/ to .gitignore and .prettierignore to
prevent lint failures from the root-owned Docker-generated directory.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
SVG icons are black by default; on the navy primary button they need
invert in light theme (white icon) and invert-0 in dark theme (dark
icon on lighter button background).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- CoCorrespondentsList: white card wrapper with navy initials circles in chips
- PersonDocumentList: flat row-divider pattern with variant-tinted icons (sent=navy, received=teal)
- Add variant prop (sent/received) to PersonDocumentList and wire up in page
- Add person_correspondents_hint i18n key to all three message files
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Cast PersonSummaryDTO array to concrete type in +page.server.ts (all
fields are optional in the generated type but always populated at runtime)
- Cast mockLocals/mockLocalsWriter to `any` in persons detail spec to
match the pre-existing test pattern used throughout the codebase
- Add .svelte-kit-backup/ to .gitignore and .prettierignore to prevent
lint failures from Docker-owned leftover .svelte-kit directory
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New edit route with WRITE_ALL guard; PersonEditForm (6 fields), sticky
PersonEditSaveBar, collapsed PersonDangerZone with PersonMergePanel.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Load /api/stats in parallel; PersonsStatsBar shows totals; person cards
show alias, life date range, and document count badge.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Unit tests for both; i18n keys for doc status and person stats bar;
PERSON_NOT_FOUND added to frontend ErrorCode type.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Native queries compute sender + receiver document count in one SQL call,
eliminating N+1. GET /api/persons now returns PersonSummaryDTO list.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
createPerson now takes PersonUpdateDTO, persisting birthYear, deathYear,
notes in addition to firstName, lastName, alias.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Added PERSON_NOT_FOUND to ErrorCode; getById, updatePerson, mergePersons
now throw DomainException.notFound for missing persons.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
birthYear and deathYear must be positive integers; extracted shared
validateYears() method for reuse in createPerson.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
firstName/lastName max 100, alias max 200, notes max 5000 chars.
PUT /api/persons/{id} returns 400 for oversized fields.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
POST /api/persons, PUT /api/persons/{id}, POST /api/persons/{id}/merge
now return 403 for READ_ALL-only users.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
underline decoration-accent/60 was forcing a permanent underline.
The global a:hover rule already handles underline + accent color on hover.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adding the link div after the {#each} broke last:border-0 — the last
mention item was no longer the last child, so it kept its border-b,
creating a double line with the link's border-t. Wrapping the each in
its own div restores correct last:border-0 targeting.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
bg-canvas matched the page background making rows invisible against it.
bg-surface gives each row the correct card/surface color (white in light,
dark panel in dark mode), matching what was always intended.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The <a> inside each row has transparent background by default — CSS
background-color does not inherit. Putting bg-canvas only on the <ul>
was not enough; browsers still painted items white. Setting bg-canvas
on the <li> itself ensures the canvas color is explicitly applied to
each row in both light and dark mode.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Notification items now correctly show the canvas background instead
of white (bg-surface). Screenshots updated across all 18 combinations.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The <ul> had bg-surface (white), causing unread rows to inherit white
instead of blending with the canvas background. Read rows already set
bg-canvas explicitly, so they looked fine. Unread rows were white.
Fix: set bg-canvas on the <ul> so all rows inherit the page background.
The redundant explicit bg-canvas on read rows is removed.
Unread items remain visually distinct via the left accent border + dot only.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Empty state now correctly shows zero notifications (bell icon + body text).
Previous screenshots were taken with DB data present, causing the filtered
URL to still return results.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
18 screenshots: empty state, list view (~20 items), load-more view (~40 items)
across 320/768/1440 px viewports in light and dark themes.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
SvelteKit reserves all + prefixed files as route files. The spec was named
+page.server.spec.ts which caused a 500 on /notifications in the dev server.
Renamed to page.server.spec.ts following the convention in the rest of src/routes/.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New route with server load function (reads URL params, derives unreadCount from
the page, single API call per Sara's architecture requirement), mark-all form
action, and the full page UI: filter pills with ARIA radiogroup, notification
rows with border+dot unread indicators (WCAG 1.4.1), "Ältere laden" client-side
append, and empty state. Includes all de/en/es translation keys.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Extracted from NotificationBell.svelte into $lib/utils/notifications.ts so the
history page can reuse them. relativeTime() now accepts an optional `now` param
for deterministic unit testing. Added parseNotificationEvent() for SSE payload
shape validation (NullX Finding 3).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
NullX Finding 2: unbounded size param allowed full table scan. Added
spring-boot-starter-validation, @Validated on the controller, @Min(1) @Max(100)
on the size param, and ConstraintViolationException → 400 in GlobalExceptionHandler.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Notification rows in the history page need the document title. Added
findTitlesByIds(Collection<UUID>) to DocumentService (one query via a new
JPQL projection on DocumentRepository). NotificationService.getNotifications()
now fetches all titles for the page in a single extra query and maps them into
the DTO. documentTitle is null when the document has been deleted.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
NullX Finding 1: GET /api/notifications?read=false with no type param fell through
to the all-notifications branch, silently ignoring the read filter. Added
findByRecipientIdAndReadFalseOrderByCreatedAtDesc to NotificationRepository and
the missing Boolean.FALSE.equals(read) branch in NotificationService.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Wireframe spec for the Persons section redesign (issue #157):
- Enriched person cards with alias, life dates, document count
- 2-column detail layout (person info sidebar + activity area)
- Dedicated /persons/[id]/edit route with sticky save bar
- Danger Zone accordion for merge (collapsed by default)
- All fields on new person form (birth year, death year, notes)
- Full coverage: list, detail, edit, new, edge cases, implementation notes
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Grid only splits to two columns when both DashboardMentions and
DashboardNeedsMetadata have content to show.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Moved the "hat erwähnt / hat geantwortet" span outside the <a> so
hover:underline only applies to the actor name, not the muted label.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Move text-decoration-thickness/underline-offset into the global a:hover
base rule so every link that shows an underline on hover gets identical
treatment: 2px thick, 4px offset, accent colour.
Remove the now-redundant per-component decoration-brand-mint / decoration-
accent / decoration-2 / underline-offset-{2,4} utilities from DocumentList,
enrich, persons, PersonDocumentList, and PanelMetadata.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Any link that renders an underline on hover now gets the brand accent
colour (--c-accent) as its decoration colour. Links that suppress
underlines (nav, back-links, button-style anchors) are unaffected.
Dark mode already maps --c-accent to the stronger turquoise (#00c7b1).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Box content links (document titles, actor names) raised from text-sm to
text-lg for improved readability and touch target size. "Show all" stays
at text-sm to maintain hierarchy — box links are the primary action.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- DocumentService.getRecentActivity: replace findAll(Sort)+stream().limit()
with findAll(PageRequest) so LIMIT is pushed to the database
- +page.svelte: collapse two-column grid to single column when mentions is empty
- DashboardNeedsMetadata: raise "show all" link from text-xs (12px) to text-sm
(14px) and add hover:underline for WCAG 1.4.1
- DashboardRecentDocuments: add comment explaining why T12:00:00 noon-anchor
is absent (updatedAt is a full ISO datetime, not a date-only string)
- DocumentServiceTest: update getRecentActivity tests to assert PageRequest
usage instead of findAll(Sort)
- DocumentRepositoryTest: add @DataJpaTest verifying findAll(PageRequest)
returns only size rows, not the full table
- DocumentControllerTest: add test for default size=5 when param is omitted
- NotificationServiceTest: add test documenting that type+read=true falls
through to the type-only query (intentional)
- page.server.spec.ts: replace stale tests with full dashboard-mode coverage
- DashboardMentions.svelte.spec.ts: add tests for REPLY type and absent documentId
- DashboardResumeStrip.svelte.spec.ts: add corrupt localStorage test
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- captureProofshots() now accepts an optional setup(page) callback that
runs before each screenshot's page.goto(), so localStorage can be
injected reliably without loading a backend-dependent page
- dashboard-screenshots.spec.ts seeds 2 notifications (MENTION + REPLY)
for admin via direct DB insert in beforeAll, cleans up in afterAll
- localStorage.familienarchiv.lastVisited injected directly via
page.evaluate() — no fragile document page navigation needed
- Updated screenshots committed (all 6 now show all 4 widgets)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
