refactor(frontend): replace all as-unknown-as error casts with extractErrorCode

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/document/Document.java

@@ -25,11 +25,14 @@ import java.util.UUID;
 @NamedEntityGraph(name = "Document.full", attributeNodes = {
         @NamedAttributeNode("sender"),
         @NamedAttributeNode("receivers"),
-        @NamedAttributeNode("tags")
+        @NamedAttributeNode("tags"),
+        @NamedAttributeNode("trainingLabels")
 })
 @NamedEntityGraph(name = "Document.list", attributeNodes = {
         @NamedAttributeNode("sender"),
-        @NamedAttributeNode("tags")
+        @NamedAttributeNode("receivers"),
+        @NamedAttributeNode("tags"),
+        @NamedAttributeNode("trainingLabels")
 })
 @Entity
 @Table(name = "documents")

backend/src/main/java/org/raddatz/familienarchiv/document/transcription/TranscriptionBlockController.java

@@ -43,7 +43,7 @@ public class TranscriptionBlockController {
 
     @PostMapping
     @ResponseStatus(HttpStatus.CREATED)
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public TranscriptionBlock createBlock(
             @PathVariable UUID documentId,
             @Valid @RequestBody CreateTranscriptionBlockDTO dto,
@@ -53,7 +53,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/{blockId}")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public TranscriptionBlock updateBlock(
             @PathVariable UUID documentId,
             @PathVariable UUID blockId,
@@ -65,7 +65,7 @@ public class TranscriptionBlockController {
 
     @DeleteMapping("/{blockId}")
     @ResponseStatus(HttpStatus.NO_CONTENT)
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public void deleteBlock(
             @PathVariable UUID documentId,
             @PathVariable UUID blockId) {
@@ -73,7 +73,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/reorder")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public List<TranscriptionBlock> reorderBlocks(
             @PathVariable UUID documentId,
             @RequestBody ReorderTranscriptionBlocksDTO dto) {
@@ -82,7 +82,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/{blockId}/review")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public TranscriptionBlock reviewBlock(
             @PathVariable UUID documentId,
             @PathVariable UUID blockId,
@@ -92,7 +92,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/review-all")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public List<TranscriptionBlock> markAllBlocksReviewed(
             @PathVariable UUID documentId,
             Authentication authentication) {

frontend/messages/de.json

@@ -522,6 +522,7 @@
 	"notification_filter_unread": "Ungelesen",
 	"notification_filter_mention": "Erwähnung",
 	"notification_filter_reply": "Antwort",
+	"notification_error_generic": "Aktion fehlgeschlagen. Bitte versuche es erneut.",
 	"notification_mark_all_read_aria": "Alle Benachrichtigungen als gelesen markieren",
 	"notification_load_more": "Ältere laden",
 	"notification_empty_history": "Keine Benachrichtigungen",

frontend/messages/en.json

@@ -522,6 +522,7 @@
 	"notification_filter_unread": "Unread",
 	"notification_filter_mention": "Mention",
 	"notification_filter_reply": "Reply",
+	"notification_error_generic": "Action failed. Please try again.",
 	"notification_mark_all_read_aria": "Mark all notifications as read",
 	"notification_load_more": "Load older",
 	"notification_empty_history": "No notifications",

frontend/messages/es.json

@@ -522,6 +522,7 @@
 	"notification_filter_unread": "No leídas",
 	"notification_filter_mention": "Mención",
 	"notification_filter_reply": "Respuesta",
+	"notification_error_generic": "La acción ha fallado. Por favor, inténtalo de nuevo.",
 	"notification_mark_all_read_aria": "Marcar todas las notificaciones como leídas",
 	"notification_load_more": "Cargar anteriores",
 	"notification_empty_history": "Sin notificaciones",

frontend/src/lib/activity/ChronikFuerDichBox.svelte

@@ -1,4 +1,5 @@
 <script lang="ts">
+import { enhance } from '$app/forms';
 import * as m from '$lib/paraglide/messages.js';
 import { relativeTime } from '$lib/shared/utils/time';
 import type { NotificationItem } from '$lib/notification/notifications.svelte';
@@ -6,11 +7,13 @@ import { buildCommentHref } from '$lib/shared/discussion/commentDeepLink';
 
 interface Props {
 	unread: NotificationItem[];
-	onMarkRead: (n: NotificationItem) => void;
-	onMarkAllRead: () => void;
+	optimisticMarkRead: (id: string) => void;
+	optimisticMarkAllRead: () => void;
 }
 
-const { unread, onMarkRead, onMarkAllRead }: Props = $props();
+const { unread, optimisticMarkRead, optimisticMarkAllRead }: Props = $props();
+
+let errorMessage: string | null = $state(null);
 
 function verb(type: NotificationItem['type'], actor: string): string {
 	return type === 'REPLY'
@@ -24,6 +27,9 @@ function href(n: NotificationItem): string {
 </script>
 
 <section class="rounded-sm border border-line bg-surface p-5">
+	{#if errorMessage}
+		<p role="alert" class="px-4 py-2 text-sm text-red-600">{errorMessage}</p>
+	{/if}
 	{#if unread.length === 0}
 		<div data-testid="chronik-inbox-zero" class="flex flex-col items-center gap-3 py-6 text-center">
 			<svg
@@ -66,14 +72,28 @@ function href(n: NotificationItem): string {
 					{m.chronik_for_you_count({ count: unread.length })}
 				</span>
 			</div>
-			<button
-				type="button"
-				data-testid="chronik-mark-all-read"
-				onclick={onMarkAllRead}
-				class="font-sans text-xs font-medium text-ink-3 transition-colors hover:text-ink"
+			<form
+				action="/aktivitaeten?/mark-all-read"
+				method="POST"
+				use:enhance={() => {
+					errorMessage = null;
+					optimisticMarkAllRead();
+					return async ({ result, update }) => {
+						if (result.type === 'failure' || result.type === 'error') {
+							errorMessage = m.notification_error_generic();
+							await update({ reset: false, invalidateAll: false });
+						}
+					};
+				}}
 			>
-				{m.chronik_mark_all_read()}
-			</button>
+				<button
+					type="submit"
+					data-testid="chronik-mark-all-read"
+					class="font-sans text-xs font-medium text-ink-3 transition-colors hover:text-ink"
+				>
+					{m.chronik_mark_all_read()}
+				</button>
+			</form>
 		</div>
 
 		<ul role="list" class="flex flex-col gap-2">
@@ -89,7 +109,7 @@ function href(n: NotificationItem): string {
 							aria-hidden="true"
 							class="mt-0.5 inline-flex h-6 w-6 shrink-0 items-center justify-center rounded-full bg-accent-bg font-sans text-xs font-bold text-accent"
 						>
-							{n.type === 'MENTION' ? '@' : '\u21A9'}
+							{n.type === 'MENTION' ? '@' : '↩'}
 						</span>
 						<div class="min-w-0 flex-1">
 							<p class="font-sans text-sm leading-snug text-ink">
@@ -100,25 +120,40 @@ function href(n: NotificationItem): string {
 							</p>
 						</div>
 					</a>
-					<button
-						type="button"
-						data-testid="chronik-fuerdich-dismiss"
-						aria-label={m.chronik_mark_read_aria()}
-						onclick={() => onMarkRead(n)}
-						class="mt-0.5 shrink-0 rounded-sm p-1 text-ink-3 transition-colors hover:bg-muted hover:text-ink focus-visible:ring-2 focus-visible:ring-focus-ring focus-visible:outline-none"
+					<form
+						action="/aktivitaeten?/dismiss-notification"
+						method="POST"
+						use:enhance={() => {
+							errorMessage = null;
+							optimisticMarkRead(n.id);
+							return async ({ result, update }) => {
+								if (result.type === 'failure' || result.type === 'error') {
+									errorMessage = m.notification_error_generic();
+									await update({ reset: false, invalidateAll: false });
+								}
+							};
+						}}
 					>
-						<svg
-							xmlns="http://www.w3.org/2000/svg"
-							class="h-4 w-4"
-							fill="none"
-							viewBox="0 0 24 24"
-							stroke="currentColor"
-							stroke-width="2"
-							aria-hidden="true"
+						<input type="hidden" name="notificationId" value={n.id} />
+						<button
+							type="submit"
+							data-testid="chronik-fuerdich-dismiss"
+							aria-label={m.chronik_mark_read_aria()}
+							class="mt-0.5 shrink-0 rounded-sm p-1 text-ink-3 transition-colors hover:bg-muted hover:text-ink focus-visible:ring-2 focus-visible:ring-focus-ring focus-visible:outline-none"
 						>
-							<path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" />
-						</svg>
-					</button>
+							<svg
+								xmlns="http://www.w3.org/2000/svg"
+								class="h-4 w-4"
+								fill="none"
+								viewBox="0 0 24 24"
+								stroke="currentColor"
+								stroke-width="2"
+								aria-hidden="true"
+							>
+								<path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" />
+							</svg>
+						</button>
+					</form>
 				</li>
 			{/each}
 		</ul>

frontend/src/lib/activity/ChronikFuerDichBox.svelte.spec.ts

@@ -5,7 +5,36 @@ import { page, userEvent } from 'vitest/browser';
 import ChronikFuerDichBox from './ChronikFuerDichBox.svelte';
 import type { NotificationItem } from '$lib/notification/notifications.svelte';
 
-afterEach(cleanup);
+const mockFormResult = vi.hoisted(() => ({ type: 'success' as string }));
+
+vi.mock('$app/forms', () => ({
+	enhance(
+		node: HTMLFormElement,
+		submit?: (opts: {
+			formData: FormData;
+		}) => (opts: {
+			result: { type: string; data?: Record<string, unknown> };
+			update: () => Promise<void>;
+		}) => Promise<void>
+	) {
+		const handler = async (e: Event) => {
+			e.preventDefault();
+			const cb = submit?.({ formData: new FormData(node) } as never);
+			if (typeof cb === 'function') {
+				await (
+					cb as (o: { result: typeof mockFormResult; update: () => Promise<void> }) => Promise<void>
+				)({ result: mockFormResult, update: async () => {} });
+			}
+		};
+		node.addEventListener('submit', handler);
+		return { destroy: () => node.removeEventListener('submit', handler) };
+	}
+}));
+
+afterEach(() => {
+	cleanup();
+	mockFormResult.type = 'success';
+});
 
 function notif(partial: Partial<NotificationItem>): NotificationItem {
 	return {
@@ -26,8 +55,8 @@ describe('ChronikFuerDichBox', () => {
 	it('renders inbox-zero state when there are no unread items', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		const zero = document.querySelector('[data-testid="chronik-inbox-zero"]');
 		expect(zero).not.toBeNull();
@@ -37,8 +66,8 @@ describe('ChronikFuerDichBox', () => {
 	it('links to the archived mentions in the inbox-zero state', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		const link = document.querySelector('a[href="/aktivitaeten?filter=fuer-dich"]');
 		expect(link).not.toBeNull();
@@ -47,8 +76,8 @@ describe('ChronikFuerDichBox', () => {
 	it('renders the count badge with correct total when unread exists', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [notif({ id: 'a' }), notif({ id: 'b' })],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		await expect.element(page.getByText('2 neu')).toBeInTheDocument();
 	});
@@ -56,8 +85,8 @@ describe('ChronikFuerDichBox', () => {
 	it('count badge has aria-live=polite when unread exists', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [notif({ id: 'a' })],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		// Wait for render
 		await expect.element(page.getByText('1 neu')).toBeInTheDocument();
@@ -69,8 +98,8 @@ describe('ChronikFuerDichBox', () => {
 	it('does not render the "Alle gelesen" button when there are no unread items', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		await expect.element(page.getByText('Keine neuen Erwähnungen')).toBeInTheDocument();
 		const all = document.querySelector('[data-testid="chronik-mark-all-read"]');
@@ -80,38 +109,38 @@ describe('ChronikFuerDichBox', () => {
 	it('renders the "Alle gelesen" button when unread exists', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [notif({ id: 'a' })],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		await expect.element(page.getByText('Alle gelesen')).toBeInTheDocument();
 	});
 
-	it('calls onMarkAllRead when the "Alle gelesen" button is clicked', async () => {
-		const onMarkAllRead = vi.fn();
+	it('calls optimisticMarkAllRead when the "Alle gelesen" button is submitted', async () => {
+		const optimisticMarkAllRead = vi.fn();
 		render(ChronikFuerDichBox, {
 			unread: [notif({ id: 'a' })],
-			onMarkRead: vi.fn(),
-			onMarkAllRead
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead
 		});
 		await userEvent.click(page.getByText('Alle gelesen'));
-		expect(onMarkAllRead).toHaveBeenCalledTimes(1);
+		expect(optimisticMarkAllRead).toHaveBeenCalledTimes(1);
 	});
 
-	it('calls onMarkRead (and not navigation) when a per-item Dismiss button is clicked', async () => {
-		const onMarkRead = vi.fn();
+	it('calls optimisticMarkRead with the notification id when its dismiss button is submitted', async () => {
+		const optimisticMarkRead = vi.fn();
 		const n = notif({ id: 'xyz' });
 		render(ChronikFuerDichBox, {
 			unread: [n],
-			onMarkRead,
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead,
+			optimisticMarkAllRead: vi.fn()
 		});
 		const dismiss = document.querySelector(
 			'[data-testid="chronik-fuerdich-dismiss"]'
 		) as HTMLButtonElement | null;
 		expect(dismiss).not.toBeNull();
 		dismiss?.click();
-		expect(onMarkRead).toHaveBeenCalledTimes(1);
-		expect(onMarkRead.mock.calls[0][0]).toEqual(n);
+		expect(optimisticMarkRead).toHaveBeenCalledTimes(1);
+		expect(optimisticMarkRead.mock.calls[0][0]).toBe('xyz');
 	});
 
 	it('mention row href includes both commentId and annotationId when annotationId is present', async () => {
@@ -124,8 +153,8 @@ describe('ChronikFuerDichBox', () => {
 					annotationId: 'annot-9'
 				})
 			],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		const link = document.querySelector(
 			'a[href="/documents/doc-42?commentId=comment-7&annotationId=annot-9"]'
@@ -136,8 +165,8 @@ describe('ChronikFuerDichBox', () => {
 	it('Dismiss button is a sibling of the document link, never nested inside <a>', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [notif({ id: 'x' })],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		const dismiss = document.querySelector('[data-testid="chronik-fuerdich-dismiss"]');
 		expect(dismiss).not.toBeNull();
@@ -145,4 +174,22 @@ describe('ChronikFuerDichBox', () => {
 		// Prevents the senior-audience tap-drag bug flagged by Leonie.
 		expect(dismiss?.closest('a')).toBeNull();
 	});
+
+	it('shows an accessible error banner when the dismiss action returns a failure', async () => {
+		mockFormResult.type = 'failure';
+		render(ChronikFuerDichBox, {
+			unread: [notif({ id: 'err-1' })],
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
+		});
+		const dismiss = document.querySelector(
+			'[data-testid="chronik-fuerdich-dismiss"]'
+		) as HTMLButtonElement | null;
+		expect(dismiss).not.toBeNull();
+		dismiss?.click();
+		// Allow microtask queue to flush
+		await new Promise((r) => setTimeout(r, 0));
+		const alert = document.querySelector('[role="alert"]');
+		expect(alert).not.toBeNull();
+	});
 });

frontend/src/lib/activity/ChronikFuerDichBox.svelte.test.ts

@@ -4,7 +4,36 @@ import { page } from 'vitest/browser';
 import ChronikFuerDichBox from './ChronikFuerDichBox.svelte';
 import type { NotificationItem } from '$lib/notification/notifications';
 
-afterEach(cleanup);
+const mockFormResult = vi.hoisted(() => ({ type: 'success' as string }));
+
+vi.mock('$app/forms', () => ({
+	enhance(
+		node: HTMLFormElement,
+		submit?: (opts: {
+			formData: FormData;
+		}) => (opts: {
+			result: { type: string; data?: Record<string, unknown> };
+			update: () => Promise<void>;
+		}) => Promise<void>
+	) {
+		const handler = async (e: Event) => {
+			e.preventDefault();
+			const cb = submit?.({ formData: new FormData(node) } as never);
+			if (typeof cb === 'function') {
+				await (
+					cb as (o: { result: typeof mockFormResult; update: () => Promise<void> }) => Promise<void>
+				)({ result: mockFormResult, update: async () => {} });
+			}
+		};
+		node.addEventListener('submit', handler);
+		return { destroy: () => node.removeEventListener('submit', handler) };
+	}
+}));
+
+afterEach(() => {
+	cleanup();
+	mockFormResult.type = 'success';
+});
 
 const mention = (overrides: Partial<NotificationItem> = {}): NotificationItem => ({
 	id: 'n-1',
@@ -22,7 +51,7 @@ const mention = (overrides: Partial<NotificationItem> = {}): NotificationItem =>
 describe('ChronikFuerDichBox', () => {
 	it('renders the inbox-zero state when there are no unread', async () => {
 		render(ChronikFuerDichBox, {
-			props: { unread: [], onMarkRead: () => {}, onMarkAllRead: () => {} }
+			props: { unread: [], optimisticMarkRead: () => {}, optimisticMarkAllRead: () => {} }
 		});
 
 		await expect.element(page.getByText(/keine neuen erwähnungen/i)).toBeVisible();
@@ -34,8 +63,8 @@ describe('ChronikFuerDichBox', () => {
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention(), mention({ id: 'n-2' }), mention({ id: 'n-3' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {}
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {}
 			}
 		});
 
@@ -47,8 +76,8 @@ describe('ChronikFuerDichBox', () => {
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention({ id: 'n-m', type: 'MENTION' }), mention({ id: 'n-r', type: 'REPLY' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {}
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {}
 			}
 		});
 
@@ -62,8 +91,8 @@ describe('ChronikFuerDichBox', () => {
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention({ actorName: 'Bertha' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {}
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {}
 			}
 		});
 
@@ -76,8 +105,8 @@ describe('ChronikFuerDichBox', () => {
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention({ type: 'REPLY', actorName: 'Carl' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {}
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {}
 			}
 		});
 
@@ -86,11 +115,11 @@ describe('ChronikFuerDichBox', () => {
 			.toBeVisible();
 	});
 
-	it('calls onMarkRead with the notification when its dismiss button is clicked', async () => {
-		const onMarkRead = vi.fn();
+	it('calls optimisticMarkRead with the notification id when its dismiss button is clicked', async () => {
+		const optimisticMarkRead = vi.fn();
 		const item = mention({ id: 'n-7' });
 		render(ChronikFuerDichBox, {
-			props: { unread: [item], onMarkRead, onMarkAllRead: () => {} }
+			props: { unread: [item], optimisticMarkRead, optimisticMarkAllRead: () => {} }
 		});
 
 		const dismiss = document.querySelector(
@@ -98,35 +127,55 @@ describe('ChronikFuerDichBox', () => {
 		) as HTMLElement;
 		dismiss.click();
 
-		expect(onMarkRead).toHaveBeenCalledWith(item);
+		expect(optimisticMarkRead).toHaveBeenCalledWith('n-7');
 	});
 
-	it('calls onMarkAllRead when the mark-all-read button is clicked', async () => {
-		const onMarkAllRead = vi.fn();
+	it('calls optimisticMarkAllRead when the mark-all-read button is clicked', async () => {
+		const optimisticMarkAllRead = vi.fn();
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention()],
-				onMarkRead: () => {},
-				onMarkAllRead
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead
 			}
 		});
 
 		const btn = document.querySelector('[data-testid="chronik-mark-all-read"]') as HTMLElement;
 		btn.click();
 
-		expect(onMarkAllRead).toHaveBeenCalledOnce();
+		expect(optimisticMarkAllRead).toHaveBeenCalledOnce();
 	});
 
 	it('builds a deep-link href to the comment for each notification', async () => {
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention({ documentId: 'doc-x', referenceId: 'ref-y', annotationId: null })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {}
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {}
 			}
 		});
 
 		const link = document.querySelector('ul[role="list"] li a') as HTMLAnchorElement;
 		expect(link.getAttribute('href')).toContain('doc-x');
 	});
+
+	it('shows an accessible error banner when the dismiss action returns a failure', async () => {
+		mockFormResult.type = 'failure';
+		render(ChronikFuerDichBox, {
+			props: {
+				unread: [mention({ id: 'err-1' })],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {}
+			}
+		});
+
+		const dismiss = document.querySelector(
+			'[data-testid="chronik-fuerdich-dismiss"]'
+		) as HTMLElement;
+		dismiss.click();
+		// Allow microtask queue to flush
+		await new Promise((r) => setTimeout(r, 0));
+		const alert = document.querySelector('[role="alert"]');
+		expect(alert).not.toBeNull();
+	});
 });

frontend/src/lib/document/BulkDocumentEditLayout.svelte

@@ -17,6 +17,7 @@ import PdfViewer from '$lib/document/viewer/PdfViewer.svelte';
 import { bulkTitleFromFilename } from '$lib/document/filename';
 import type { Tag } from '$lib/tag/TagInput.svelte';
 import type { components } from '$lib/generated/api';
+import { withCsrf } from '$lib/shared/cookies';
 
 type Person = components['schemas']['Person'];
 
@@ -183,7 +184,10 @@ async function saveUpload() {
 		// FormData with per-chunk progress. Session cookie is sent automatically
 		// by the browser for same-origin requests.
 		try {
-			const res = await fetch('/api/documents/quick-upload', { method: 'POST', body: formData });
+			const res = await fetch(
+				'/api/documents/quick-upload',
+				withCsrf({ method: 'POST', body: formData })
+			);
 			const body = await res.json().catch(() => ({ errors: [] }));
 			const errorFilenames = new Set<string>(
 				(body.errors ?? []).map((err: { filename: string }) => err.filename)

frontend/src/lib/document/transcription/TranscriptionEditView.svelte

@@ -6,6 +6,7 @@ import TranscribeCoachEmptyState from '$lib/shared/help/TranscribeCoachEmptyStat
 import type { PersonMention, TranscriptionBlockData } from '$lib/shared/types';
 import { createBlockAutoSave } from '$lib/document/transcription/useBlockAutoSave.svelte';
 import { createBlockDragDrop } from '$lib/document/transcription/useBlockDragDrop.svelte';
+import { withCsrf } from '$lib/shared/cookies';
 
 type Props = {
 	documentId: string;
@@ -109,11 +110,14 @@ function handleDelete(blockId: string) {
 
 async function reorder(newOrder: string[]) {
 	try {
-		const res = await fetch(`/api/documents/${documentId}/transcription-blocks/reorder`, {
-			method: 'PUT',
-			headers: { 'Content-Type': 'application/json' },
-			body: JSON.stringify({ blockIds: newOrder })
-		});
+		const res = await fetch(
+			`/api/documents/${documentId}/transcription-blocks/reorder`,
+			withCsrf({
+				method: 'PUT',
+				headers: { 'Content-Type': 'application/json' },
+				body: JSON.stringify({ blockIds: newOrder })
+			})
+		);
 		if (!res.ok) return;
 		const updated = await res.json();
 		for (const b of updated) {

frontend/src/lib/document/transcription/useBlockAutoSave.svelte.ts

@@ -1,5 +1,6 @@
 import { SvelteMap } from 'svelte/reactivity';
 import type { PersonMention } from '$lib/shared/types';
+import { withCsrf } from '$lib/shared/cookies';
 
 export type SaveState = 'idle' | 'saving' | 'saved' | 'fading' | 'error';
 
@@ -116,12 +117,15 @@ export function createBlockAutoSave({ saveFn, documentId }: Options) {
 		for (const [blockId, text] of pendingTexts) {
 			const mentions = pendingMentions.get(blockId) ?? [];
 			clearDebounce(blockId);
-			void fetch(`/api/documents/${documentId}/transcription-blocks/${blockId}`, {
-				method: 'PUT',
-				headers: { 'Content-Type': 'application/json' },
-				body: JSON.stringify({ text, mentionedPersons: mentions }),
-				keepalive: true
-			});
+			void fetch(
+				`/api/documents/${documentId}/transcription-blocks/${blockId}`,
+				withCsrf({
+					method: 'PUT',
+					headers: { 'Content-Type': 'application/json' },
+					body: JSON.stringify({ text, mentionedPersons: mentions }),
+					keepalive: true
+				})
+			);
 			pendingTexts.delete(blockId);
 			pendingMentions.delete(blockId);
 		}

frontend/src/lib/document/transcription/useTranscriptionBlocks.svelte.ts

@@ -2,6 +2,7 @@
    lastEditedAt's $derived are scope-local to one computation; they're never
    stored on $state. */
 import type { TranscriptionBlockData, PersonMention } from '$lib/shared/types';
+import { makeCsrfFetch } from '$lib/shared/cookies';
 import { saveBlockWithConflictRetry } from './saveBlockWithConflictRetry';
 import { BlockConflictResolvedError } from './blockConflictMerge';
 
@@ -41,7 +42,7 @@ export function createTranscriptionBlocks(
 	options: TranscriptionBlocksOptions
 ): TranscriptionBlocksController {
 	const { documentId } = options;
-	const fetchImpl = options.fetchImpl ?? fetch;
+	const fetchImpl = makeCsrfFetch(options.fetchImpl ?? fetch);
 
 	let blocks = $state<TranscriptionBlockData[]>([]);
 	let annotationReloadKey = $state(0);

frontend/src/lib/notification/NotificationBell.svelte

@@ -1,10 +1,8 @@
 <script lang="ts">
 import { onMount, onDestroy } from 'svelte';
-import { goto } from '$app/navigation';
 import { m } from '$lib/paraglide/messages.js';
 import { clickOutside } from '$lib/shared/actions/clickOutside';
 import { notificationStore } from '$lib/notification/notifications.svelte';
-import { buildCommentHref } from '$lib/shared/discussion/commentDeepLink';
 import NotificationDropdown from './NotificationDropdown.svelte';
 
 let open = $state(false);
@@ -30,17 +28,6 @@ function closeDropdown() {
 	bellButtonEl?.focus();
 }
 
-async function handleMarkRead(notification: Parameters<typeof stream.markRead>[0]) {
-	await stream.markRead(notification);
-	const url = buildCommentHref(
-		notification.documentId,
-		notification.referenceId,
-		notification.annotationId
-	);
-	closeDropdown();
-	goto(url);
-}
-
 function handleKeydown(event: KeyboardEvent) {
 	if (event.key === 'Escape' && open) {
 		event.stopPropagation();
@@ -113,8 +100,8 @@ onDestroy(() => {
 	{#if open}
 		<NotificationDropdown
 			notifications={stream.notifications}
-			onMarkRead={handleMarkRead}
-			onMarkAllRead={stream.markAllRead}
+			optimisticMarkRead={stream.optimisticMarkRead}
+			optimisticMarkAllRead={stream.optimisticMarkAllRead}
 			onClose={closeDropdown}
 		/>
 	{/if}

frontend/src/lib/notification/NotificationBell.svelte.spec.ts

@@ -3,10 +3,18 @@ import { cleanup, render } from 'vitest-browser-svelte';
 import type { NotificationItem } from '$lib/notification/notifications';
 import NotificationBell from './NotificationBell.svelte';
 
-const gotoMock = vi.hoisted(() => vi.fn());
-vi.mock('$app/navigation', () => ({ goto: gotoMock, beforeNavigate: vi.fn() }));
+vi.mock('$app/navigation', () => ({ goto: vi.fn(), beforeNavigate: vi.fn() }));
+vi.mock('$app/forms', () => ({
+	enhance(node: HTMLFormElement, submit?: (opts: { formData: FormData }) => unknown) {
+		const handler = (e: Event) => {
+			e.preventDefault();
+			submit?.({ formData: new FormData(node) } as never);
+		};
+		node.addEventListener('submit', handler);
+		return { destroy: () => node.removeEventListener('submit', handler) };
+	}
+}));
 
-const mockMarkRead = vi.hoisted(() => vi.fn().mockResolvedValue(undefined));
 const mockNotificationList = vi.hoisted((): { value: NotificationItem[] } => ({ value: [] }));
 
 vi.mock('$lib/notification/notifications.svelte', () => ({
@@ -17,18 +25,17 @@ vi.mock('$lib/notification/notifications.svelte', () => ({
 		get unreadCount() {
 			return mockNotificationList.value.length;
 		},
-		markRead: mockMarkRead,
+		optimisticMarkRead: vi.fn(),
+		optimisticMarkAllRead: vi.fn(),
 		fetchNotifications: vi.fn().mockResolvedValue(undefined),
 		init: vi.fn(),
-		destroy: vi.fn(),
-		markAllRead: vi.fn()
+		destroy: vi.fn()
 	}
 }));
 
 afterEach(() => {
 	cleanup();
-	gotoMock.mockClear();
-	mockMarkRead.mockClear();
+	vi.clearAllMocks();
 	mockNotificationList.value = [];
 });
 
@@ -45,16 +52,6 @@ const makeNotification = (overrides: Partial<NotificationItem> = {}): Notificati
 	...overrides
 });
 
-async function openDropdownAndClickFirstNotification() {
-	const bellButton = document.querySelector<HTMLButtonElement>('button[aria-haspopup="true"]')!;
-	bellButton.click();
-	await vi.waitFor(() => {
-		expect(document.querySelector('[role="dialog"]')).not.toBeNull();
-	});
-	const notifButton = document.querySelector<HTMLButtonElement>('[role="list"] button')!;
-	notifButton.click();
-}
-
 describe('NotificationBell — cursor and tooltip', () => {
 	it('bell button has cursor-pointer class', async () => {
 		render(NotificationBell);
@@ -82,29 +79,3 @@ describe('NotificationBell — cursor and tooltip', () => {
 		expect(btn.getAttribute('aria-label')).toBe(btn.getAttribute('title'));
 	});
 });
-
-describe('NotificationBell', () => {
-	it('handleMarkRead navigates to URL including annotationId when notification has annotationId', async () => {
-		mockNotificationList.value = [makeNotification({ annotationId: 'annot-1' })];
-		render(NotificationBell);
-
-		await openDropdownAndClickFirstNotification();
-
-		await vi.waitFor(() => {
-			expect(gotoMock).toHaveBeenCalledWith(
-				'/documents/doc-1?commentId=ref-1&annotationId=annot-1'
-			);
-		});
-	});
-
-	it('handleMarkRead navigates to commentId-only URL when annotationId is absent', async () => {
-		mockNotificationList.value = [makeNotification({ annotationId: null })];
-		render(NotificationBell);
-
-		await openDropdownAndClickFirstNotification();
-
-		await vi.waitFor(() => {
-			expect(gotoMock).toHaveBeenCalledWith('/documents/doc-1?commentId=ref-1');
-		});
-	});
-});

frontend/src/lib/notification/NotificationDropdown.svelte

@@ -1,17 +1,21 @@
 <script lang="ts">
 import { goto } from '$app/navigation';
+import { enhance } from '$app/forms';
 import { m } from '$lib/paraglide/messages.js';
 import { relativeTime } from '$lib/shared/utils/time';
+import { buildCommentHref } from '$lib/shared/discussion/commentDeepLink';
 import type { NotificationItem } from '$lib/notification/notifications.svelte';
 
 type Props = {
 	notifications: NotificationItem[];
-	onMarkRead: (notification: NotificationItem) => void;
-	onMarkAllRead: () => void;
+	optimisticMarkRead: (id: string) => void;
+	optimisticMarkAllRead: () => void;
 	onClose: () => void;
 };
 
-let { notifications, onMarkRead, onMarkAllRead, onClose }: Props = $props();
+let { notifications, optimisticMarkRead, optimisticMarkAllRead, onClose }: Props = $props();
+
+let errorMessage = $state<string | null>(null);
 
 function handleViewAll() {
 	onClose(); // close first — avoids stale dropdown during navigation transition
@@ -31,16 +35,35 @@ function handleViewAll() {
 			{m.notification_bell_label()}
 		</span>
 		{#if notifications.length > 0}
-			<button
-				type="button"
-				onclick={onMarkAllRead}
-				class="text-xs font-medium text-ink-3 transition-colors hover:text-ink"
+			<form
+				action="/aktivitaeten?/mark-all-read"
+				method="POST"
+				use:enhance={() => {
+					errorMessage = null;
+					optimisticMarkAllRead();
+					return async ({ result, update }) => {
+						if (result.type === 'failure' || result.type === 'error') {
+							errorMessage = (result as { data?: { error?: string } }).data?.error ?? m.notification_error_generic();
+							await update({ reset: false, invalidateAll: false });
+						}
+					};
+				}}
 			>
-				{m.notification_mark_all_read()}
-			</button>
+				<button
+					type="submit"
+					class="text-xs font-medium text-ink-3 transition-colors hover:text-ink"
+				>
+					{m.notification_mark_all_read()}
+				</button>
+			</form>
 		{/if}
 	</div>
 
+	<!-- Error banner (shown when a dismiss or mark-all action fails) -->
+	{#if errorMessage}
+		<p role="alert" class="px-4 py-2 text-sm text-red-600">{errorMessage}</p>
+	{/if}
+
 	<!-- Notification list -->
 	{#if notifications.length === 0}
 		<!-- Empty state -->
@@ -66,67 +89,93 @@ function handleViewAll() {
 		<ul role="list" class="max-h-[24rem] overflow-y-auto">
 			{#each notifications as notification (notification.id)}
 				<li>
-					<button
-						type="button"
-						onclick={() => onMarkRead(notification)}
-						class="flex w-full cursor-pointer items-start gap-3 border-b border-line px-4 py-3 text-left last:border-b-0 hover:bg-canvas
-							{!notification.read ? 'bg-accent-bg/20' : ''}"
+					<form
+						action="/aktivitaeten?/dismiss-notification"
+						method="POST"
+						class="contents"
+						use:enhance={() => {
+							errorMessage = null;
+							optimisticMarkRead(notification.id);
+							return async ({ result, update }) => {
+								if (result.type === 'failure' || result.type === 'error') {
+									errorMessage = (result as { data?: { error?: string } }).data?.error ?? m.notification_error_generic();
+									await update({ reset: false, invalidateAll: false });
+								} else {
+									// Navigate away — no need to update the store since we're leaving the page
+									onClose();
+									goto(
+										buildCommentHref(
+											notification.documentId,
+											notification.referenceId,
+											notification.annotationId
+										)
+									);
+								}
+							};
+						}}
 					>
-						<!-- Type icon -->
-						<span class="mt-0.5 shrink-0 text-ink-3" aria-hidden="true">
-							{#if notification.type === 'REPLY'}
-								<!-- Reply icon -->
-								<svg
-									xmlns="http://www.w3.org/2000/svg"
-									class="h-4 w-4"
-									fill="none"
-									viewBox="0 0 24 24"
-									stroke="currentColor"
-									stroke-width="2"
-								>
-									<path
-										stroke-linecap="round"
-										stroke-linejoin="round"
-										d="M3 10h10a8 8 0 018 8v2M3 10l6 6m-6-6l6-6"
-									/>
-								</svg>
-							{:else}
-								<!-- Mention icon -->
-								<svg
-									xmlns="http://www.w3.org/2000/svg"
-									class="h-4 w-4"
-									fill="none"
-									viewBox="0 0 24 24"
-									stroke="currentColor"
-									stroke-width="2"
-								>
-									<path
-										stroke-linecap="round"
-										stroke-linejoin="round"
-										d="M16 12a4 4 0 10-8 0 4 4 0 008 0zm0 0v1.5a2.5 2.5 0 005 0V12a9 9 0 10-9 9m4.5-1.206a8.959 8.959 0 01-4.5 1.207"
-									/>
-								</svg>
+						<input type="hidden" name="notificationId" value={notification.id} />
+						<button
+							type="submit"
+							class="flex w-full cursor-pointer items-start gap-3 border-b border-line px-4 py-3.5 text-left last:border-b-0 hover:bg-canvas
+								{!notification.read ? 'bg-accent-bg/20' : ''}"
+						>
+							<!-- Type icon -->
+							<span class="mt-0.5 shrink-0 text-ink-3" aria-hidden="true">
+								{#if notification.type === 'REPLY'}
+									<!-- Reply icon -->
+									<svg
+										xmlns="http://www.w3.org/2000/svg"
+										class="h-4 w-4"
+										fill="none"
+										viewBox="0 0 24 24"
+										stroke="currentColor"
+										stroke-width="2"
+									>
+										<path
+											stroke-linecap="round"
+											stroke-linejoin="round"
+											d="M3 10h10a8 8 0 018 8v2M3 10l6 6m-6-6l6-6"
+										/>
+									</svg>
+								{:else}
+									<!-- Mention icon -->
+									<svg
+										xmlns="http://www.w3.org/2000/svg"
+										class="h-4 w-4"
+										fill="none"
+										viewBox="0 0 24 24"
+										stroke="currentColor"
+										stroke-width="2"
+									>
+										<path
+											stroke-linecap="round"
+											stroke-linejoin="round"
+											d="M16 12a4 4 0 10-8 0 4 4 0 008 0zm0 0v1.5a2.5 2.5 0 005 0V12a9 9 0 10-9 9m4.5-1.206a8.959 8.959 0 01-4.5 1.207"
+										/>
+									</svg>
+								{/if}
+							</span>
+
+							<!-- Text + time -->
+							<div class="min-w-0 flex-1">
+								<p class="text-sm leading-snug text-ink">
+									{notification.type === 'REPLY'
+										? m.notification_type_reply({ actor: notification.actorName })
+										: m.notification_type_mention({ actor: notification.actorName })}
+								</p>
+								<p class="mt-1 text-xs text-ink-3">{relativeTime(notification.createdAt)}</p>
+							</div>
+
+							<!-- Unread dot -->
+							{#if !notification.read}
+								<span
+									class="mt-1.5 h-2 w-2 shrink-0 rounded-full bg-primary"
+									aria-label={m.notification_unread()}
+								></span>
 							{/if}
-						</span>
-
-						<!-- Text + time -->
-						<div class="min-w-0 flex-1">
-							<p class="text-sm leading-snug text-ink">
-								{notification.type === 'REPLY'
-									? m.notification_type_reply({ actor: notification.actorName })
-									: m.notification_type_mention({ actor: notification.actorName })}
-							</p>
-							<p class="mt-1 text-xs text-ink-3">{relativeTime(notification.createdAt)}</p>
-						</div>
-
-						<!-- Unread dot -->
-						{#if !notification.read}
-							<span
-								class="mt-1.5 h-2 w-2 shrink-0 rounded-full bg-primary"
-								aria-label={m.notification_unread()}
-							></span>
-						{/if}
-					</button>
+						</button>
+					</form>
 				</li>
 			{/each}
 		</ul>

frontend/src/lib/notification/NotificationDropdown.svelte.test.ts

@@ -6,9 +6,38 @@ import NotificationDropdown from './NotificationDropdown.svelte';
 
 vi.mock('$app/navigation', () => ({ goto: vi.fn() }));
 
+// Configurable result for the enhance mock — tests that need failure set
+// mockFormResult.type = 'failure' before clicking.
+const mockFormResult = vi.hoisted(() => ({ type: 'success' as string }));
+
+// Invoke the SubmitFunction and always call the returned result callback with
+// mockFormResult so tests can exercise both success and failure branches.
+vi.mock('$app/forms', () => ({
+	enhance(
+		node: HTMLFormElement,
+		submit?: (opts: {
+			formData: FormData;
+		}) => (opts: {
+			result: { type: string; data?: Record<string, unknown> };
+			update: () => Promise<void>;
+		}) => Promise<void>
+	) {
+		const handler = async (e: Event) => {
+			e.preventDefault();
+			const cb = submit?.({ formData: new FormData(node) } as never);
+			if (typeof cb === 'function') {
+				await cb({ result: mockFormResult, update: async () => {} } as never);
+			}
+		};
+		node.addEventListener('submit', handler);
+		return { destroy: () => node.removeEventListener('submit', handler) };
+	}
+}));
+
 afterEach(() => {
 	cleanup();
 	vi.clearAllMocks();
+	mockFormResult.type = 'success'; // reset to default after each test
 });
 
 const makeNotification = (overrides: Record<string, unknown> = {}) => ({
@@ -29,8 +58,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -42,8 +71,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -55,8 +84,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -70,8 +99,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification()],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -83,8 +112,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification({ type: 'REPLY', actorName: 'Bert' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -98,8 +127,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification({ type: 'MENTION', actorName: 'Clara' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -116,8 +145,8 @@ describe('NotificationDropdown', () => {
 					makeNotification({ id: 'n1', read: false }),
 					makeNotification({ id: 'n2', read: true })
 				],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -126,37 +155,100 @@ describe('NotificationDropdown', () => {
 		expect(unreadDots.length).toBe(1);
 	});
 
-	it('calls onMarkRead with the notification when an item is clicked', async () => {
-		const onMarkRead = vi.fn();
+	it('each notification row is wrapped in a form posting to the dismiss action', async () => {
+		render(NotificationDropdown, {
+			props: {
+				notifications: [makeNotification({ id: 'n42' })],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose: () => {}
+			}
+		});
+
+		const form = document.querySelector('form[action="/aktivitaeten?/dismiss-notification"]');
+		expect(form).not.toBeNull();
+		expect(form?.getAttribute('method')).toBe('POST');
+	});
+
+	it('the dismiss form has a hidden notificationId input with the notification id', async () => {
+		render(NotificationDropdown, {
+			props: {
+				notifications: [makeNotification({ id: 'n42' })],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose: () => {}
+			}
+		});
+
+		const input = document.querySelector<HTMLInputElement>(
+			'form[action="/aktivitaeten?/dismiss-notification"] input[name="notificationId"]'
+		);
+		expect(input?.value).toBe('n42');
+	});
+
+	it('calls optimisticMarkRead with the notification id when a row is submitted', async () => {
+		const optimisticMarkRead = vi.fn();
 		const n = makeNotification({ id: 'n42', actorName: 'Anna' });
 		render(NotificationDropdown, {
 			props: {
 				notifications: [n],
-				onMarkRead,
-				onMarkAllRead: () => {},
+				optimisticMarkRead,
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
 
 		await page.getByRole('button', { name: /Anna hat auf deinen/i }).click();
 
-		expect(onMarkRead).toHaveBeenCalledWith(n);
+		expect(optimisticMarkRead).toHaveBeenCalledWith('n42');
 	});
 
-	it('calls onMarkAllRead when the mark-all-read button is clicked', async () => {
-		const onMarkAllRead = vi.fn();
+	it('the mark-all-read control is a form posting to the mark-all-read action', async () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification()],
-				onMarkRead: () => {},
-				onMarkAllRead,
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose: () => {}
+			}
+		});
+
+		const form = document.querySelector('form[action="/aktivitaeten?/mark-all-read"]');
+		expect(form).not.toBeNull();
+		expect(form?.getAttribute('method')).toBe('POST');
+	});
+
+	it('calls optimisticMarkAllRead when the mark-all-read button is submitted', async () => {
+		const optimisticMarkAllRead = vi.fn();
+		render(NotificationDropdown, {
+			props: {
+				notifications: [makeNotification()],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead,
 				onClose: () => {}
 			}
 		});
 
 		await page.getByRole('button', { name: /alle gelesen/i }).click();
 
-		expect(onMarkAllRead).toHaveBeenCalledOnce();
+		expect(optimisticMarkAllRead).toHaveBeenCalledOnce();
+	});
+
+	it('shows a role=alert error banner when mark-all-read returns a failure', async () => {
+		mockFormResult.type = 'failure';
+		render(NotificationDropdown, {
+			props: {
+				notifications: [makeNotification()],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose: () => {}
+			}
+		});
+
+		await page.getByRole('button', { name: /alle gelesen/i }).click();
+
+		const alert = document.querySelector('[role="alert"]');
+		expect(alert).not.toBeNull();
 	});
 
 	it('calls onClose when the view-all button is clicked', async () => {
@@ -164,8 +256,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose
 			}
 		});
@@ -179,8 +271,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -193,12 +285,15 @@ describe('NotificationDropdown', () => {
 	it('calls onClose before navigating to /aktivitaeten', async () => {
 		const callOrder: string[] = [];
 		const onClose = vi.fn(() => callOrder.push('close'));
-		vi.mocked(goto).mockImplementation(() => callOrder.push('goto'));
+		vi.mocked(goto).mockImplementation(() => {
+			callOrder.push('goto');
+			return Promise.resolve();
+		});
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose
 			}
 		});
@@ -212,8 +307,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification({ id: 'm1', type: 'MENTION', actorName: 'Anna' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -225,8 +320,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification({ id: 'r1', type: 'REPLY', actorName: 'Bert' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -242,14 +337,78 @@ describe('NotificationDropdown', () => {
 					makeNotification({ id: 'n1', actorName: 'First' }),
 					makeNotification({ id: 'n2', actorName: 'Second' })
 				],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
 
-		const items = document.querySelectorAll('button[type="button"]');
-		// At least 2 items + mark-all button
-		expect(items.length).toBeGreaterThanOrEqual(2);
+		const forms = document.querySelectorAll('form[action="/aktivitaeten?/dismiss-notification"]');
+		expect(forms.length).toBe(2);
+	});
+
+	it('calls onClose and goto with the deep-link URL after a successful dismiss', async () => {
+		const onClose = vi.fn();
+		const n = makeNotification({
+			id: 'n42',
+			documentId: 'd1',
+			referenceId: 'c1',
+			annotationId: null,
+			actorName: 'Anna'
+		});
+		render(NotificationDropdown, {
+			props: {
+				notifications: [n],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose
+			}
+		});
+
+		await page.getByRole('button', { name: /Anna hat auf deinen/i }).click();
+
+		expect(onClose).toHaveBeenCalledOnce();
+		expect(goto).toHaveBeenCalledWith('/documents/d1?commentId=c1');
+	});
+
+	it('does NOT call onClose or goto when the dismiss action returns a failure', async () => {
+		mockFormResult.type = 'failure';
+		const onClose = vi.fn();
+		const n = makeNotification({ id: 'n99', actorName: 'Bob' });
+		render(NotificationDropdown, {
+			props: {
+				notifications: [n],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose
+			}
+		});
+
+		await page.getByRole('button', { name: /Bob hat auf deinen/i }).click();
+
+		expect(onClose).not.toHaveBeenCalled();
+		expect(goto).not.toHaveBeenCalled();
+	});
+
+	it('calls goto with annotationId appended when the notification has an annotationId', async () => {
+		const n = makeNotification({
+			id: 'n55',
+			documentId: 'd1',
+			referenceId: 'c1',
+			annotationId: 'a1',
+			actorName: 'Eva'
+		});
+		render(NotificationDropdown, {
+			props: {
+				notifications: [n],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose: () => {}
+			}
+		});
+
+		await page.getByRole('button', { name: /Eva hat auf deinen/i }).click();
+
+		expect(goto).toHaveBeenCalledWith('/documents/d1?commentId=c1&annotationId=a1');
 	});
 });

frontend/src/lib/notification/notifications.svelte.spec.ts

@@ -108,12 +108,46 @@ describe('notificationStore (singleton)', () => {
 		expect(notificationStore.unreadCount).toBe(1);
 	});
 
-	it('markAllRead resets unreadCount', async () => {
-		mockFetch.mockResolvedValue(new Response(null, { status: 200 }));
-		await notificationStore.markAllRead();
+	it('optimisticMarkRead marks the notification read and decrements unreadCount without fetching', () => {
+		notificationStore.init();
+		const notification = makeNotification({ id: 'sse-1', read: false });
+		lastEventSource!.simulate('notification', JSON.stringify(notification));
+		mockFetch.mockReset(); // clear the fetchUnreadCount call from init
 
-		expect(mockFetch).toHaveBeenCalledWith('/api/notifications/read-all', { method: 'POST' });
+		notificationStore.optimisticMarkRead('sse-1');
+
+		expect(notificationStore.notifications[0].read).toBe(true);
 		expect(notificationStore.unreadCount).toBe(0);
+		expect(mockFetch).not.toHaveBeenCalled();
+	});
+
+	it('optimisticMarkRead on an already-read notification does not decrement unreadCount below 0', () => {
+		notificationStore.init();
+		const notification = makeNotification({ id: 'sse-1', read: true });
+		lastEventSource!.simulate('notification', JSON.stringify(notification));
+
+		notificationStore.optimisticMarkRead('sse-1');
+
+		expect(notificationStore.unreadCount).toBe(0);
+	});
+
+	it('optimisticMarkAllRead resets unreadCount and marks all notifications read without fetching', () => {
+		notificationStore.init();
+		lastEventSource!.simulate(
+			'notification',
+			JSON.stringify(makeNotification({ id: 'n1', read: false }))
+		);
+		lastEventSource!.simulate(
+			'notification',
+			JSON.stringify(makeNotification({ id: 'n2', read: false }))
+		);
+		mockFetch.mockReset();
+
+		notificationStore.optimisticMarkAllRead();
+
+		expect(notificationStore.unreadCount).toBe(0);
+		expect(notificationStore.notifications.every((n) => n.read)).toBe(true);
+		expect(mockFetch).not.toHaveBeenCalled();
 	});
 });
 

frontend/src/lib/notification/notifications.svelte.ts

@@ -35,28 +35,19 @@ async function fetchUnreadCount(): Promise<void> {
 	}
 }
 
-async function markRead(notification: NotificationItem): Promise<void> {
-	if (!notification.read) {
-		try {
-			await fetch(`/api/notifications/${notification.id}/read`, { method: 'PATCH' });
-			notification.read = true;
-			unreadCount = Math.max(0, unreadCount - 1);
-		} catch (e) {
-			console.error('Failed to mark notification as read', e);
-		}
+function optimisticMarkRead(id: string): void {
+	const notification = notifications.find((n) => n.id === id);
+	if (notification && !notification.read) {
+		notification.read = true;
+		unreadCount = Math.max(0, unreadCount - 1);
 	}
 }
 
-async function markAllRead(): Promise<void> {
-	try {
-		await fetch('/api/notifications/read-all', { method: 'POST' });
-		for (const n of notifications) {
-			n.read = true;
-		}
-		unreadCount = 0;
-	} catch (e) {
-		console.error('Failed to mark all notifications as read', e);
+function optimisticMarkAllRead(): void {
+	for (const n of notifications) {
+		n.read = true;
 	}
+	unreadCount = 0;
 }
 
 function init(): void {
@@ -123,8 +114,8 @@ export const notificationStore = {
 	},
 	fetchNotifications,
 	fetchUnreadCount,
-	markRead,
-	markAllRead,
+	optimisticMarkRead,
+	optimisticMarkAllRead,
 	init,
 	destroy
 };

frontend/src/lib/ocr/OcrTrainingCard.svelte

@@ -2,6 +2,7 @@
 import TrainingHistory from './TrainingHistory.svelte';
 import { m } from '$lib/paraglide/messages.js';
 import type { TrainingRun } from '$lib/ocr/training.js';
+import { withCsrf } from '$lib/shared/cookies';
 
 interface TrainingInfo {
 	availableBlocks?: number;
@@ -33,7 +34,7 @@ async function startTraining() {
 	successMessage = null;
 	errorMessage = null;
 	try {
-		const res = await fetch('/api/ocr/train', { method: 'POST' });
+		const res = await fetch('/api/ocr/train', withCsrf({ method: 'POST' }));
 		if (res.ok) {
 			successMessage = m.training_success();
 			setTimeout(() => {

frontend/src/lib/ocr/SegmentationTrainingCard.svelte

@@ -2,6 +2,7 @@
 import TrainingHistory from './TrainingHistory.svelte';
 import { m } from '$lib/paraglide/messages.js';
 import type { TrainingRun } from '$lib/ocr/training.js';
+import { withCsrf } from '$lib/shared/cookies';
 
 interface TrainingInfo {
 	availableSegBlocks?: number;
@@ -27,7 +28,7 @@ async function startTraining() {
 	training = true;
 	successMessage = null;
 	try {
-		const res = await fetch('/api/ocr/segtrain', { method: 'POST' });
+		const res = await fetch('/api/ocr/segtrain', withCsrf({ method: 'POST' }));
 		if (res.ok) {
 			successMessage = m.training_success();
 			setTimeout(() => {

frontend/src/lib/shared/cookies.ts

@@ -1,3 +1,46 @@
+/**
+ * Reads the XSRF-TOKEN cookie set by Spring Security's CookieCsrfTokenRepository.
+ * Returns null outside the browser or when the cookie is absent.
+ */
+export function getCsrfToken(): string | null {
+	if (typeof document === 'undefined') return null;
+	const match = document.cookie.match(/(?:^|;\s*)XSRF-TOKEN=([^;]+)/);
+	return match ? decodeURIComponent(match[1]) : null;
+}
+
+/**
+ * Merges the X-XSRF-TOKEN header into a RequestInit so Spring Security's
+ * CSRF filter accepts the request. Safe to call server-side (no-op when the
+ * cookie is absent).
+ */
+export function withCsrf(init?: RequestInit): RequestInit {
+	const token = getCsrfToken();
+	if (!token) return init ?? {};
+	const headers = new Headers(init?.headers);
+	headers.set('X-XSRF-TOKEN', token);
+	return { ...init, headers };
+}
+
+/**
+ * Wraps a fetch implementation so that every state-mutating call (POST, PUT,
+ * PATCH, DELETE) automatically includes the X-XSRF-TOKEN header. GET/HEAD
+ * requests pass through unchanged.
+ *
+ * Used to CSRF-protect client-side hooks that accept an injectable fetchImpl.
+ * In unit tests the injected mock is wrapped but getCsrfToken() returns null
+ * (no browser cookie), so no header is added and existing test expectations
+ * are unaffected.
+ */
+export function makeCsrfFetch(inner: typeof fetch): typeof fetch {
+	return (input: RequestInfo | URL, init?: RequestInit): Promise<Response> => {
+		const method = (init?.method ?? 'GET').toUpperCase();
+		if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) {
+			return inner(input, withCsrf(init));
+		}
+		return inner(input, init);
+	};
+}
+
 /**
  * Extracts the fa_session cookie value from a list of Set-Cookie response headers.
  *

frontend/src/routes/aktivitaeten/+page.server.ts

@@ -1,4 +1,6 @@
-import { createApiClient } from '$lib/shared/api.server';
+import { fail } from '@sveltejs/kit';
+import { createApiClient, extractErrorCode } from '$lib/shared/api.server';
+import { getErrorMessage } from '$lib/shared/errors';
 import type { components, operations } from '$lib/generated/api';
 
 type ActivityFeedItemDTO = components['schemas']['ActivityFeedItemDTO'];
@@ -65,3 +67,33 @@ export async function load({ fetch, url }) {
 		loadError
 	};
 }
+
+export const actions = {
+	'dismiss-notification': async ({ request, fetch }) => {
+		const data = await request.formData();
+		const raw = data.get('notificationId');
+		const notificationId = typeof raw === 'string' ? raw : null;
+		if (!notificationId) return fail(400, { error: getErrorMessage(undefined) });
+		const api = createApiClient(fetch);
+		const result = await api.PATCH('/api/notifications/{id}/read', {
+			params: { path: { id: notificationId } }
+		});
+		if (!result.response.ok) {
+			return fail(result.response.status, {
+				error: getErrorMessage(extractErrorCode(result.error))
+			});
+		}
+		return { success: true };
+	},
+
+	'mark-all-read': async ({ fetch }) => {
+		const api = createApiClient(fetch);
+		const result = await api.POST('/api/notifications/read-all');
+		if (!result.response.ok) {
+			return fail(result.response.status, {
+				error: getErrorMessage(extractErrorCode(result.error))
+			});
+		}
+		return { success: true };
+	}
+};

frontend/src/routes/aktivitaeten/+page.svelte

@@ -76,14 +76,6 @@ async function onFilterChange(v: FilterValue) {
 	});
 }
 
-async function onMarkRead(n: NotificationItem) {
-	await notificationStore.markRead(n);
-}
-
-async function onMarkAllRead() {
-	await notificationStore.markAllRead();
-}
-
 const displayFeed = $derived(applyClientFilter(data.activityFeed, data.filter));
 
 const isEmpty = $derived(displayFeed.length === 0);
@@ -108,7 +100,11 @@ function retry() {
 	{#if data.loadError === 'activity'}
 		<ChronikErrorCard onRetry={retry} />
 	{:else}
-		<ChronikFuerDichBox unread={unread} onMarkRead={onMarkRead} onMarkAllRead={onMarkAllRead} />
+		<ChronikFuerDichBox
+			unread={unread}
+			optimisticMarkRead={notificationStore.optimisticMarkRead}
+			optimisticMarkAllRead={notificationStore.optimisticMarkAllRead}
+		/>
 
 		<div class="mt-6">
 			<ChronikFilterPills value={data.filter} onChange={onFilterChange} />

frontend/src/routes/aktivitaeten/page.server.spec.ts

@@ -1,8 +1,10 @@
 import { beforeEach, describe, expect, it, vi } from 'vitest';
-import { load } from './+page.server';
+import { load, actions } from './+page.server';
 
 const mockApi = {
-	GET: vi.fn()
+	GET: vi.fn(),
+	PATCH: vi.fn(),
+	POST: vi.fn()
 };
 
 vi.mock('$lib/shared/api.server', () => ({
@@ -173,3 +175,84 @@ describe('aktivitaeten/load — kinds param per filter', () => {
 		expect(call[1].params.query.kinds).toHaveLength(2);
 	});
 });
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function makeActionEvent(formData: FormData): any {
+	return {
+		request: new Request('http://localhost/aktivitaeten', { method: 'POST', body: formData }),
+		fetch
+	};
+}
+
+describe('aktivitaeten/actions — dismiss-notification', () => {
+	it('returns fail(400, { error }) and does NOT call PATCH when notificationId is missing', async () => {
+		const result = await actions['dismiss-notification'](makeActionEvent(new FormData()));
+
+		expect(result).toMatchObject({ status: 400 });
+		expect(mockApi.PATCH).not.toHaveBeenCalled();
+	});
+
+	it('calls PATCH /api/notifications/{id}/read with the form-supplied notificationId', async () => {
+		mockApi.PATCH.mockResolvedValue({ response: { ok: true }, data: {} });
+		const fd = new FormData();
+		fd.set('notificationId', 'n-abc');
+
+		await actions['dismiss-notification'](makeActionEvent(fd));
+
+		expect(mockApi.PATCH).toHaveBeenCalledWith('/api/notifications/{id}/read', {
+			params: { path: { id: 'n-abc' } }
+		});
+	});
+
+	it('returns { success: true } when the API responds ok', async () => {
+		mockApi.PATCH.mockResolvedValue({ response: { ok: true }, data: {} });
+		const fd = new FormData();
+		fd.set('notificationId', 'n-abc');
+
+		const result = await actions['dismiss-notification'](makeActionEvent(fd));
+
+		expect(result).toEqual({ success: true });
+	});
+
+	it('returns fail(status, { error }) when the API responds non-ok', async () => {
+		mockApi.PATCH.mockResolvedValue({
+			response: { ok: false, status: 403 },
+			error: { code: 'NOTIFICATION_NOT_FOUND' }
+		});
+		const fd = new FormData();
+		fd.set('notificationId', 'n-abc');
+
+		const result = await actions['dismiss-notification'](makeActionEvent(fd));
+
+		expect(result).toMatchObject({ status: 403 });
+	});
+});
+
+describe('aktivitaeten/actions — mark-all-read', () => {
+	it('calls POST /api/notifications/read-all', async () => {
+		mockApi.POST.mockResolvedValue({ response: { ok: true }, data: null });
+
+		await actions['mark-all-read'](makeActionEvent(new FormData()));
+
+		expect(mockApi.POST).toHaveBeenCalledWith('/api/notifications/read-all');
+	});
+
+	it('returns { success: true } when the API responds ok', async () => {
+		mockApi.POST.mockResolvedValue({ response: { ok: true }, data: null });
+
+		const result = await actions['mark-all-read'](makeActionEvent(new FormData()));
+
+		expect(result).toEqual({ success: true });
+	});
+
+	it('returns fail(status, { error }) when the API responds non-ok', async () => {
+		mockApi.POST.mockResolvedValue({
+			response: { ok: false, status: 500 },
+			error: { code: 'INTERNAL_ERROR' }
+		});
+
+		const result = await actions['mark-all-read'](makeActionEvent(new FormData()));
+
+		expect(result).toMatchObject({ status: 500 });
+	});
+});