- Add isDashboard flag (true when no search filters active)
- In dashboard mode: fetch mentions, incompleteDocs, recentDocs via
Promise.allSettled so widget failures don't crash the page
- In search mode: skip widget fetches for performance
- Replace incomplete-count fetch with list fetch (derive count from
list.length)
- Update enrich page to use IncompleteDocumentDTO (id + title only)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds type, read (notifications) and status (documents/search),
size (documents/incomplete) to the generated TypeScript types.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds NotificationType filter params, IncompleteDocumentDTO, and status
param on document search.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Fixes dark mode rendering: list stayed white and text stayed dark because
bg-white, text-brand-navy, border-brand-sand were not theme-aware.
Replace with bg-surface, text-ink/ink-2/ink-3, border-line, bg-muted.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Kept our version of accessibility.spec.ts (color-contrast rule enabled,
exclusion comment removed) over main's disabled version — the contrast
fixes in this branch make the exclusion unnecessary.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
text-ink/60 produces an opacity-blended colour whose contrast is
background-dependent: it passes on white (4.8:1) but fails on the sandy
canvas #f0efe9 (3.97:1, below WCAG AA 4.5:1). Replace every occurrence
with text-ink-2 (#4b5563, 6.6:1 on canvas — WCAG AA ✓).
Also adds a warning comment above --c-accent in layout.css to prevent
the text-accent misuse from recurring.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
--c-accent (#a1dcd8 light / #00c7b1 dark) is a decorative mint token —
1.52:1 on white, nowhere near WCAG AA. Every place it appeared as the
colour of a text label or interactive button is switched to text-primary
(#012851, 16.8:1 on white) with hover:text-ink-2 for consistency.
Affected: UsersTab, GroupsTab, CommentThread (Reply), DocumentList
(Clear search), PdfViewer (Direkt öffnen link).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Introduces the wcag2a/wcag2aa E2E suite from the test-suite branch with
the color-contrast rule active — no disableRules exclusion. Also adds
/coverage/ to .prettierignore so generated lcov reports don't fail the
lint hook.
This commit intentionally fails the axe suite until the contrast fixes
land in the next commits.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
upload_label was referenced but never added to messages — caused a
500 on every page render. Reuses the existing doc_file_upload_label
key ("Datei hochladen" / "Upload file") which has the same meaning.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces hardcoded German strings with Paraglide message keys
(page_title_home/persons/admin/login/error) across de/en/es.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add <svelte:head><title> to home, persons, admin, login, and error pages
- Add aria-label to hidden file input in DropZone (sr-only but must be labelled)
- Add aria-label to search input in SearchFilterBar
- Create +error.svelte so error pages always have a document title
- axe-core spec: add buildAxe() helper, disable color-contrast (brand palette, tracked separately)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Installs @axe-core/playwright and adds e2e/accessibility.spec.ts covering:
- home, persons, admin (authenticated via stored admin session)
- login (unauthenticated context)
Uses wcag2a + wcag2aa tags. Violations are logged with impact level and
node count before the assertion fails, so the first run against the live
stack will produce a clear inventory of any issues to fix or exclude.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Installs @vitest/coverage-v8 and configures coverage measurement over
src/lib/utils/** and src/lib/server/** — the utility and server-side
logic that is meaningful to measure in the Node test project.
Svelte component files and generated code (api/**, paraglide/**) are
excluded; those run in the browser project.
Baseline: 87.87% branch coverage — already above the 80% threshold.
Adds test:coverage script for local runs; produces lcov report for CI.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds server-project spec files for the four priority routes:
- routes/+page.server (home/search) — happy path, 401 redirect, network error fallback
- routes/documents/[id]/+page.server — happy path, comments fetch failure, 401/403/404
- routes/persons/[id]/+page.server — happy path, partial API failure, 403/404
- routes/admin/+page.server — ADMIN permission gate (none/read-only/undefined/no groups)
All tests run in Node environment with vi.mock() for createApiClient and
$env/dynamic/private. No real network calls; total suite runs in < 1 second.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Deletes the npm create svelte scaffold file that tested arithmetic
instead of application code. Inflated the test count and added noise
to coverage reports.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Notifications are already fetched lazily inside toggleDropdown() when
the user opens the dropdown. Only fetchUnreadCount() is needed on mount
to show the badge.
Closes#725
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaced one-way checked={...} with bind:group={selected} driven by a
writable $derived. In Svelte 5, the $derived pattern guarantees the DOM
checked state is always in sync at FormData capture time, so groupIds
is never accidentally sent as [] when the admin edits their own profile.
Sending groupIds:[] causes adminUpdateUser to clear all groups, which
revokes the admin's own permissions on the next request.
Tests: UserServiceTest (+4 for adminUpdateUser group behaviour),
page.svelte.spec.ts (+1 FormData assertion at submit time).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- AnnotationSidePanel: cover visibility (null vs set annotationId),
close button callback, and targetCommentId forwarding
- layout.svelte.spec: mock $env/static/public to satisfy
PUBLIC_NOTIFICATION_POLL_MS import from NotificationBell
- mention.spec: update assertion to match span-based mention rendering
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Mention spans injected via {@html} need global CSS since scoped styles
don't reach dynamically inserted content. Uses ink text on accent-bg
background for visible but subtle chip appearance.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Profile page now greys out the notification checkboxes and save button when
the user has no email set, with a hint to add one first.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- NotificationBell now includes annotationId in the deep-link URL when available
- +page.svelte reads ?annotationId= param and sets activeAnnotationId on mount,
opening the side panel instead of the bottom discussion drawer
- AnnotationSidePanel accepts and forwards targetCommentId to CommentThread
so the specific comment is highlighted when navigating via a notification
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove @RequirePermission(READ_ALL) from NotificationController class level so
authenticated users with any permission (or none) can access their own notifications
- Add V19 migration, annotationId field to Notification entity and NotificationDTO
- NotificationService now stores annotationId from comment on both REPLY and MENTION
- Update controller tests: permission tests now expect 200, DTO constructor includes annotationId
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
BLOCKERs:
- Remove direct AppUserRepository/CommentRepository access from CommentService and
NotificationService — replaced with UserService.findAllById() and UserService
(fixes layering contract from CLAUDE.md)
- Switch Optional<JavaMailSender> constructor injection — removes @Autowired(required=false)
field and ReflectionTestUtils hack in tests
- Add @RequirePermission(READ_ALL) to UserSearchController — prevents user enumeration
without read access
Data bug:
- Promote actorName from @Transient to persisted VARCHAR column (V18 migration)
- Set actorName in notifyReply and notifyMentions from comment.getAuthorName()
Architecture:
- Add @RequirePermission(READ_ALL) to NotificationController
- Introduce NotificationDTO — controller returns DTO instead of Notification entity,
eliminating lazy-load N+1 and AppUser field leakage
- Change mentions FetchType to EAGER — fixes LazyInitializationException outside transaction
- Add @Transactional(propagation=REQUIRES_NEW) to notifyReply/notifyMentions so a
notification failure cannot roll back the parent comment
- N+1 fix: replace per-ID findById loops with single findAllById bulk fetch
- Move collectParticipantIds to CommentService; notifyReply accepts Set<UUID> directly
Security:
- Escape displayName before injecting into renderBody HTML span
- Replace <a href="#"> with <span class="mention"> — no profile page to link to, and
the anchor's scroll-to-top behaviour is harmful
Tests added/fixed:
- markRead_throwsNotFound, markAllRead_delegatesToRepository, countUnread_delegatesToRepository
- markOneRead_returns401, @RequirePermission 403 coverage for both controllers
- postComment/replyToComment_triggersNotifyMentions_whenMentionedUserIdsProvided
- search_returnsAtMostTenResults now asserts $.length() <= 10
- XSS regression test for escaped displayName in mention.spec.ts
Frontend minors:
- relativeTime() uses Intl.RelativeTimeFormat (locale-aware, not German-hardcoded)
- aria-label uses m.notification_unread() Paraglide key (de/en/es added)
- <div role="button"> replaced with <button> (native Enter+Space handling)
- onDestroy clears debounceTimer in MentionEditor
- setTimeout(100) replaced with await tick() + requestAnimationFrame in CommentThread
- Notification prefs form uses checkbox name attributes + formData.has() pattern
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- +page.svelte: read ?commentId= from URL; on mount, if present open bottom panel to discussion tab
- CommentThread: add targetCommentId prop — scrolls to comment on mount (scrollIntoView), applies ring highlight, removes highlight on first user interaction (click/keydown/scroll)
- CommentThread: add data-comment-id attributes to thread root and reply divs
- PanelDiscussion / DocumentBottomPanel: thread targetCommentId prop through the chain
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- NotificationBell.svelte: bell icon in header with unread badge, dropdown showing last 10 notifications, mark-all-read, click-outside close, keyboard Escape support, polls every PUBLIC_NOTIFICATION_POLL_MS ms
- Wire NotificationBell into +layout.svelte between ThemeToggle and UserMenu (authenticated users only)
- Profile page: add notification preferences card with notifyOnReply / notifyOnMention toggles, loaded via GET and saved via PUT /api/users/me/notification-preferences
- i18n: de/en/es message keys for bell, notifications list, and preference labels
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add touch-action:none to container when in annotate mode so the
browser doesn't intercept touch gestures for scroll/pan
- Replace onmouseenter/onmouseleave with onpointerenter/onpointerleave
so the highlight effect also fires on touch/stylus
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Removes duplicated locale logic from +layout.svelte and AppNav.svelte.
Context-specific sizing (text-xs/min-h-[44px]) stays in the wrapper
via [&_button]: selectors so the component itself is layout-agnostic.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- AppNav: hide entire logo div (incl. mr-10 margin) below md: breakpoint
to eliminate the phantom whitespace left of the hamburger button
- admin: 2×2 grid on mobile → flex row at sm:, so "Schlagworte" fits
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
On mobile the header is now cleaner — language buttons move to the
bottom of the hamburger panel. Desktop header is unchanged (sm:flex).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Matches the FileSectionNew design: upload arrow icon, hidden <input>,
styled label as the click target, shows selected filename on pick.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaced position:fixed on the bottom panel with shrink-0 flex child,
so the viewer (flex-1) naturally stops at the panel top instead of
extending behind it.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
At 320px, showing "Annotieren" + "Bearbeiten" + download pushed the
toolbar past its bounds. Icon-only at mobile, labels revealed at sm:.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Wrap tabs in overflow-x-auto container with hidden scrollbar so all 4
German labels ("Transkription" etc.) are reachable at 320px. Close
button stays pinned outside the scroll area, always visible.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- DropZone: raise border opacity from /20 to /30 for dashed drop zone
- layout.css: bump dark mode --c-line from #2e2e2e to #3d3d3d (was
~1.3:1 contrast on #1a1a1a surface, effectively invisible)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
On mobile the text consumed most of the header width, leaving no room
for the hamburger, theme toggle, and user menu. Uses hidden sm:inline —
aria-label on the anchor preserves screen reader access at all sizes.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Long button labels (e.g. German "Speichern & Als überprüft markieren")
require ~515px at text-xs tracking-widest — impossible at 320px inline.
Both save bars (new document + edit document) now use flex-col on mobile
with w-full buttons and flex-row on sm+. Primary actions appear first
(top on mobile, right on desktop). Also fixes hardcoded border-gray-300/
text-gray-600 → border-line/text-ink-2 and bg-brand-navy/text-white →
bg-primary/text-primary-fg in these two components.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
In dark mode --c-primary switches from navy (#012851) to mint (#a1dcd8).
Buttons using bg-primary+text-white showed white text on mint at 1.4:1
contrast — invisible. bg-brand-navy buttons were also invisible (navy on
near-black canvas, 1.3:1).
Replaced in 28 components app-wide:
- bg-primary ... text-white → text-primary-fg
- hover:bg-primary hover:text-white → hover:text-primary-fg
- bg-brand-navy ... text-white + hover:bg-brand-navy/90 →
bg-primary ... text-primary-fg + hover:bg-primary/90
Light mode is unchanged: primary-fg = white in light mode.
Dark mode: primary-fg = navy (#012851) on mint bg = readable.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
enrich/+page.svelte back link: text-gray-500 → text-ink-2 / hover:text-ink
enrich/done/+page.svelte body text: text-gray-500 → text-ink-2
enrich/done/+page.svelte list link: text-gray-400 (2.6:1, fails AA) → text-ink-2
Root fix for section label contrast (text-ink-3 uppercase pattern used
app-wide) is in PR #107 via the ink-3 token value change.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Light mode:
- ink-2 #6b7280 → #4b5563 (gray-600): was 4.2:1 on canvas — now 6.6:1 ✓
- ink-3 #9ca3af → #6b7280 (gray-500): was 2.6:1 on white — now 4.8:1 ✓
Dark mode:
- ink-3 #6b7280 → #8b97a5: was 4.0:1 on dark surface — now 6.5:1 ✓
- ink-2 #9ca3af unchanged (already 7.5:1 — WCAG AAA)
Both the media-query and manual-override dark sections updated.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Home and Admin had no horizontal padding below the sm breakpoint (640px),
causing content to bleed to viewport edges. Admin's flex justify-between
row with h1 + 4 tab buttons overflowed by ~110px at 320px.
- +page.svelte: add px-4 to <main> (sm:px-6 lg:px-8 unchanged)
- admin/+page.svelte: add px-4 to outer container; stack header row
vertically on mobile (flex-col sm:flex-row); reduce tab button padding
to px-2 on mobile (sm:px-4 on desktop)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The h-1 bg-brand-purple strip (#b4b9ff) is not a De Gruyter brand
color and was added as a rough placeholder. Removed from +layout.svelte
and the three auth pages (login, forgot-password, reset-password).
Also removed the unused --palette-purple and --color-brand-purple CSS
tokens from layout.css.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Nav links were completely hidden on mobile (sm:flex / hidden split).
Adds a 44×44px hamburger toggle, a fixed overlay panel with full-width
nav links (min-h-[44px] touch targets), backdrop-click and Escape to
close, and a $effect that auto-closes on route change.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
documents.spec.ts: replace getByText with getByRole('heading') to avoid
Svelte's #svelte-announcer matching the same text (strict mode violation).
SaveBar.svelte: move <form id="mark-for-review-form"> out of the component
and into +page.svelte as a sibling of delete-form. The form was previously
nested inside <form id="update-form">, which is invalid HTML. The browser
auto-repaired it, causing a Svelte hydration mismatch that broke the edit
form's use:enhance, preventing version snapshots from being recorded —
leaving history tests with 0 versions instead of the expected 2.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The native browser file input showed an untranslatable "Browse…" button
and "No file selected" text. The input is now sr-only; the large upload
zone label acts as the sole click target. When a file is selected its
name replaces the prompt text inside the zone.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Restructure the "New Document" page so users can save quickly:
- FileSectionNew becomes the first element, redesigned as a prominent
upload zone with an icon and large click target
- Title field is rendered standalone below the upload zone; it
auto-populates from the filename (via parseFilename + stripExtension
fallback) unless the user has already typed something
- All remaining metadata (who/when, description, transcription) moves
into a collapsible "Weitere Details" section that auto-expands when
URL prefill data or a form error is present, or when filename parsing
detects a date/person
- title is no longer required — the form can be saved with only a file
- DescriptionSection gains a `hideTitle` prop for use in this layout
- `form_label_title` translation key no longer carries a hardcoded `*`;
the asterisk is rendered by the template only when `titleRequired` is
set (currently only the edit form)
- E2E tests added for all three scenarios from the issue
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Test 6 (delete annotation): the mouse-draw test can create multiple
annotations in CI. Changed the assertion to `countBefore - 1` instead
of a hard-coded 0, so the test is resilient to any pre-existing count.
Test 7 (hash versioning): `[data-testid^="annotation-"]` matched both
real annotation elements AND `annotation-outdated-notice` (which also
starts with "annotation-"), inflating the count to 2 instead of 0.
Added `:not([data-testid="annotation-outdated-notice"])` to exclude the
notice from the count assertion.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
