ci(dates): widen {@html} raw-date guard to cover the raw prop

DocumentDate.svelte passes the untrusted raw value via a prop named `raw`,
but the guard only matched metaDateRaw/documentDateRaw/rawDate — so a future
{@html raw} would slip past. Add `\braw\b` to the token list and a self-test
asserting the guard catches {@html raw}. Code is currently safe ({raw}); this
closes the defense-in-depth gap in the guard itself.

Refs #666
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -72,10 +72,15 @@ jobs:
           # Svelte default escaping, never {@html}. This guard flags any {@html ...}
           # whose expression references a raw-date variable. A comment mentioning
           # "{@html}" without a raw token inside the braces does NOT match.
-          pattern='\{@html[^}]*(metaDateRaw|documentDateRaw|rawDate)'
+          # The token list MUST cover every variable that carries the raw value:
-          # Self-test: the regex must catch the dangerous form and ignore the comment form.
+          # DocumentDate.svelte exposes it via the `raw` prop, so `\braw\b` is included.
+          # Grow this list whenever a new raw-bearing variable name is introduced.
+          pattern='\{@html[^}]*(metaDateRaw|documentDateRaw|rawDate|\braw\b)'
+          # Self-test: the regex must catch the dangerous forms and ignore the comment form.
           printf '{@html doc.metaDateRaw}\n' | grep -qP "$pattern" \
             || { echo "FAIL: guard self-test — regex missed the unsafe {@html metaDateRaw} form"; exit 1; }
+          printf '{@html raw}\n' | grep -qP "$pattern" \
+            || { echo "FAIL: guard self-test — regex missed the unsafe {@html raw} form (DocumentDate prop)"; exit 1; }
           printf 'never use {@html} for this\n' | grep -qvP "$pattern" \
             || { echo "FAIL: guard self-test — regex wrongly flagged a {@html} comment"; exit 1; }
           if grep -rPln "$pattern" --include='*.svelte' frontend/src/; then

backend/src/main/java/org/raddatz/familienarchiv/document/DocumentService.java

@@ -378,9 +378,7 @@ public class DocumentService {
         // 1. Einfache Felder Update
         doc.setTitle(dto.getTitle());
         doc.setDocumentDate(dto.getDocumentDate());
-        doc.setMetaDatePrecision(dto.getMetaDatePrecision());
+        applyDatePrecision(doc, dto);
-        doc.setMetaDateEnd(dto.getMetaDateEnd());
-        doc.setMetaDateRaw(dto.getMetaDateRaw());
         doc.setLocation(dto.getLocation());
         doc.setTranscription(dto.getTranscription());
         doc.setSummary(dto.getSummary());
@@ -449,6 +447,25 @@ public class DocumentService {
         return saved;
     }
 
+    /**
+     * Applies the three date-precision fields only when the DTO carries them.
+     * A null field means "not submitted" — overwriting the stored value with null
+     * would fabricate a precision the user never chose, the exact dishonesty #666
+     * exists to prevent. A row with a genuinely-unknown precision must keep it when
+     * an unrelated edit (e.g. a location typo) is saved.
+     */
+    private void applyDatePrecision(Document doc, DocumentUpdateDTO dto) {
+        if (dto.getMetaDatePrecision() != null) {
+            doc.setMetaDatePrecision(dto.getMetaDatePrecision());
+        }
+        if (dto.getMetaDateEnd() != null) {
+            doc.setMetaDateEnd(dto.getMetaDateEnd());
+        }
+        if (dto.getMetaDateRaw() != null) {
+            doc.setMetaDateRaw(dto.getMetaDateRaw());
+        }
+    }
+
     @Transactional
     public Document updateDocumentTags(UUID docId, List<String> tagNames) {
         Document doc = documentRepository.findById(docId)

backend/src/test/java/org/raddatz/familienarchiv/document/DocumentControllerTest.java

@@ -294,6 +294,34 @@ class DocumentControllerTest {
                 .andExpect(status().isOk());
     }
 
+    @Test
+    @WithMockUser(authorities = "WRITE_ALL")
+    void updateDocument_bindsPrecisionFormFields_toDTO() throws Exception {
+        // Pins the wire contract: the edit form's metaDatePrecision / metaDateEnd /
+        // metaDateRaw multipart field names must bind to DocumentUpdateDTO. A rename
+        // on either side silently drops the precision edit; this captures the DTO.
+        UUID id = UUID.randomUUID();
+        Document doc = Document.builder().id(id).title("Brief").originalFilename("brief.pdf").build();
+        when(userService.findByEmail(any())).thenReturn(AppUser.builder().id(UUID.randomUUID()).build());
+
+        org.mockito.ArgumentCaptor<DocumentUpdateDTO> captor =
+                org.mockito.ArgumentCaptor.forClass(DocumentUpdateDTO.class);
+        when(documentService.updateDocument(eq(id), captor.capture(), any(), any())).thenReturn(doc);
+
+        mockMvc.perform(multipart("/api/documents/" + id)
+                        .param("metaDatePrecision", "RANGE")
+                        .param("metaDateEnd", "1917-01-11")
+                        .param("metaDateRaw", "10.–11. Januar 1917")
+                        .with(req -> { req.setMethod("PUT"); return req; }).with(csrf()))
+                .andExpect(status().isOk());
+
+        DocumentUpdateDTO bound = captor.getValue();
+        org.assertj.core.api.Assertions.assertThat(bound.getMetaDatePrecision()).isEqualTo(DatePrecision.RANGE);
+        org.assertj.core.api.Assertions.assertThat(bound.getMetaDateEnd())
+                .isEqualTo(java.time.LocalDate.of(1917, 1, 11));
+        org.assertj.core.api.Assertions.assertThat(bound.getMetaDateRaw()).isEqualTo("10.–11. Januar 1917");
+    }
+
     // ─── DELETE /api/documents/{id} ──────────────────────────────────────────
 
     @Test

backend/src/test/java/org/raddatz/familienarchiv/document/DocumentServiceTest.java

@@ -164,6 +164,33 @@ class DocumentServiceTest {
         assertThat(doc.getMetaDateRaw()).isEqualTo("10.–11. Januar 1917");
     }
 
+    @Test
+    void updateDocument_preservesStoredPrecision_whenDtoOmitsIt() throws Exception {
+        // Editing a doc (e.g. fixing a location typo) without touching the precision
+        // controls must NOT fabricate a precision. The form omits the three precision
+        // fields → they arrive null on the DTO → the stored values must be preserved.
+        UUID id = UUID.randomUUID();
+        Document doc = Document.builder()
+                .id(id)
+                .metaDatePrecision(DatePrecision.MONTH)
+                .metaDateEnd(LocalDate.of(1916, 6, 30))
+                .metaDateRaw("Juni 1916")
+                .receivers(new HashSet<>())
+                .tags(new HashSet<>())
+                .build();
+        when(documentRepository.findById(id)).thenReturn(Optional.of(doc));
+        when(documentRepository.save(any())).thenReturn(doc);
+
+        DocumentUpdateDTO dto = new DocumentUpdateDTO();
+        dto.setLocation("Berlin"); // unrelated edit; precision fields left null
+
+        documentService.updateDocument(id, dto, null, null);
+
+        assertThat(doc.getMetaDatePrecision()).isEqualTo(DatePrecision.MONTH);
+        assertThat(doc.getMetaDateEnd()).isEqualTo(LocalDate.of(1916, 6, 30));
+        assertThat(doc.getMetaDateRaw()).isEqualTo("Juni 1916");
+    }
+
     // ─── deleteTagCascading ───────────────────────────────────────────────────
 
     @Test