docs(ocr): explain why two metrics tests skip fresh_metrics fixture

Sara's cycle-2 S2: clarify the latent (but not actual) cross-test state
risk on the two metrics tests that hit the global REGISTRY instead of
the per-test fresh_metrics fixture. Migrating them would actually break
them — the /metrics endpoint is served by prometheus-fastapi-instrumentator
which binds to the default REGISTRY at app-construction time, and the
http_requests_total assertion only finds counters on that global
registry. Both tests already assert response shape only (status code,
content-type substring, body substrings), not numeric values, so the
shared-registry caveat is documented for future readers rather than
treated as a bug to fix.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -13,7 +13,7 @@ jobs:
     name: Unit & Component Tests
     runs-on: ubuntu-latest
     container:
-      image: mcr.microsoft.com/playwright:v1.58.2-noble
+      image: mcr.microsoft.com/playwright:v1.60.0-noble
     steps:
       - uses: actions/checkout@v4
 
@@ -29,6 +29,10 @@ jobs:
         run: npm ci
         working-directory: frontend
 
+      - name: Security audit (no dev deps)
+        run: npm audit --audit-level=high --omit=dev
+        working-directory: frontend
+
       - name: Compile Paraglide i18n
         run: npx @inlang/paraglide-js compile --project ./project.inlang --outdir ./src/lib/paraglide
         working-directory: frontend

.gitea/workflows/nightly.yml

@@ -79,6 +79,7 @@ jobs:
           IMPORT_HOST_DIR=/srv/familienarchiv-staging/import
           POSTGRES_USER=archiv
           SENTRY_DSN=${{ secrets.SENTRY_DSN }}
+          VITE_SENTRY_DSN=${{ secrets.VITE_SENTRY_DSN }}
           EOF
 
       - name: Verify backend /import:ro mount is wired
@@ -252,20 +253,20 @@ jobs:
           URL="https://$HOST"
           HOST_IP=$(awk 'NR>1 && $2=="00000000"{h=$3;printf "%d.%d.%d.%d\n",strtonum("0x"substr(h,7,2)),strtonum("0x"substr(h,5,2)),strtonum("0x"substr(h,3,2)),strtonum("0x"substr(h,1,2));exit}' /proc/net/route)
           [ -n "$HOST_IP" ] || { echo "ERROR: could not detect Docker bridge gateway via /proc/net/route"; exit 1; }
-          RESOLVE="--resolve $HOST:443:$HOST_IP"
+          RESOLVE=(--resolve "$HOST:443:$HOST_IP")
           echo "Smoke test: $URL (pinned to $HOST_IP via bridge gateway)"
-          curl -fsS "$RESOLVE" --max-time 10 "$URL/login" -o /dev/null
+          curl -fsS "${RESOLVE[@]}" --max-time 10 "$URL/login" -o /dev/null
           # Pin the preload-list-eligible HSTS value, not just header presence:
           # a degraded `max-age=1` or a dropped `includeSubDomains; preload` must
           # fail this check rather than pass it silently.
-          curl -fsS "$RESOLVE" --max-time 10 -I "$URL/" \
+          curl -fsS "${RESOLVE[@]}" --max-time 10 -I "$URL/" \
             | grep -Eqi 'strict-transport-security:[[:space:]]*max-age=31536000.*includeSubDomains.*preload'
           # Permissions-Policy denies APIs the app does not use (camera,
           # microphone, geolocation). A regression that loosens or drops the
           # header now fails the smoke step.
-          curl -fsS "$RESOLVE" --max-time 10 -I "$URL/" \
+          curl -fsS "${RESOLVE[@]}" --max-time 10 -I "$URL/" \
             | grep -Eqi 'permissions-policy:[[:space:]]*camera=\(\),[[:space:]]*microphone=\(\),[[:space:]]*geolocation=\(\)'
-          status=$(curl -s "$RESOLVE" -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
+          status=$(curl -s "${RESOLVE[@]}" -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
           [ "$status" = "404" ] || { echo "expected 404 from /actuator/health, got $status"; exit 1; }
           echo "All smoke checks passed"
 

.gitea/workflows/release.yml

@@ -181,28 +181,31 @@ jobs:
 
       - name: Smoke test deployed environment
         # See nightly.yml — same three checks, against the prod vhost.
-        # --resolve pins to the bridge gateway IP (the host), not 127.0.0.1
+        # --resolve stored as a Bash array so "${RESOLVE[@]}" expands to two
-        # — see nightly.yml for the full network topology explanation.
+        # separate arguments; a quoted string would pass the flag and its value
+        # as one token and curl would reject it as an unknown option.
+        # Gateway detection via /proc/net/route — no iproute2 dependency.
+        # See nightly.yml for the full network topology explanation.
         run: |
           set -e
           HOST="archiv.raddatz.cloud"
           URL="https://$HOST"
-          HOST_IP=$(ip route show default | awk '/default/ {print $3}')
+          HOST_IP=$(awk 'NR>1 && $2=="00000000"{h=$3;printf "%d.%d.%d.%d\n",strtonum("0x"substr(h,7,2)),strtonum("0x"substr(h,5,2)),strtonum("0x"substr(h,3,2)),strtonum("0x"substr(h,1,2));exit}' /proc/net/route)
-          [ -n "$HOST_IP" ] || { echo "ERROR: could not detect Docker bridge gateway via 'ip route'"; exit 1; }
+          [ -n "$HOST_IP" ] || { echo "ERROR: could not detect Docker bridge gateway via /proc/net/route"; exit 1; }
-          RESOLVE="--resolve $HOST:443:$HOST_IP"
+          RESOLVE=(--resolve "$HOST:443:$HOST_IP")
           echo "Smoke test: $URL (pinned to $HOST_IP via bridge gateway)"
-          curl -fsS "$RESOLVE" --max-time 10 "$URL/login" -o /dev/null
+          curl -fsS "${RESOLVE[@]}" --max-time 10 "$URL/login" -o /dev/null
           # Pin the preload-list-eligible HSTS value, not just header presence:
           # a degraded `max-age=1` or a dropped `includeSubDomains; preload` must
           # fail this check rather than pass it silently.
-          curl -fsS "$RESOLVE" --max-time 10 -I "$URL/" \
+          curl -fsS "${RESOLVE[@]}" --max-time 10 -I "$URL/" \
             | grep -Eqi 'strict-transport-security:[[:space:]]*max-age=31536000.*includeSubDomains.*preload'
           # Permissions-Policy denies APIs the app does not use (camera,
           # microphone, geolocation). A regression that loosens or drops the
           # header now fails the smoke step.
-          curl -fsS "$RESOLVE" --max-time 10 -I "$URL/" \
+          curl -fsS "${RESOLVE[@]}" --max-time 10 -I "$URL/" \
             | grep -Eqi 'permissions-policy:[[:space:]]*camera=\(\),[[:space:]]*microphone=\(\),[[:space:]]*geolocation=\(\)'
-          status=$(curl -s "$RESOLVE" -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
+          status=$(curl -s "${RESOLVE[@]}" -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
           [ "$status" = "404" ] || { echo "expected 404 from /actuator/health, got $status"; exit 1; }
           echo "All smoke checks passed"
 

CLAUDE.md

@@ -77,7 +77,7 @@ npm run generate:api  # Regenerate TypeScript API types from OpenAPI spec
 ```
 backend/src/main/java/org/raddatz/familienarchiv/
 ├── audit/               Audit logging
-├── auth/                AuthService, AuthSessionController, LoginRequest (Spring Session JDBC)
+├── auth/                AuthService, AuthSessionController, LoginRequest, LoginRateLimiter, RateLimitProperties (Spring Session JDBC)
 ├── config/              Infrastructure config (Minio, Async, Web)
 ├── dashboard/           Dashboard analytics + StatsController/StatsService
 ├── document/            Document domain (entities, controller, service, repository, DTOs)
@@ -160,7 +160,7 @@ Input DTOs live flat in the domain package. Response types are the model entitie
 
 → See [CONTRIBUTING.md §Error handling](./CONTRIBUTING.md#error-handling)
 
-**LLM reminder:** use `DomainException.notFound/forbidden/conflict/internal()` from service methods — never throw raw exceptions. When adding a new `ErrorCode`: (1) add to `ErrorCode.java`, (2) add to `ErrorCode` type in `frontend/src/lib/shared/errors.ts`, (3) add a `case` in `getErrorMessage()`, (4) add i18n keys in `messages/{de,en,es}.json`.
+**LLM reminder:** use `DomainException.notFound/forbidden/conflict/internal()` from service methods — never throw raw exceptions. When adding a new `ErrorCode`: (1) add to `ErrorCode.java`, (2) add to `ErrorCode` type in `frontend/src/lib/shared/errors.ts`, (3) add a `case` in `getErrorMessage()`, (4) add i18n keys in `messages/{de,en,es}.json`. Valid error codes include: `TOO_MANY_LOGIN_ATTEMPTS` (returned by `LoginRateLimiter` as HTTP 429 when a brute-force threshold is exceeded).
 
 ### Security / Permissions
 
@@ -267,7 +267,7 @@ Back button pattern — use the shared `<BackButton>` component from `$lib/share
 
 → See [CONTRIBUTING.md §Error handling](./CONTRIBUTING.md#error-handling)
 
-**LLM reminder:** when adding a new `ErrorCode`: (1) add to `ErrorCode.java`, (2) add to `ErrorCode` type in `frontend/src/lib/shared/errors.ts`, (3) add a `case` in `getErrorMessage()`, (4) add i18n keys in `messages/{de,en,es}.json`.
+**LLM reminder:** when adding a new `ErrorCode`: (1) add to `ErrorCode.java`, (2) add to `ErrorCode` type in `frontend/src/lib/shared/errors.ts`, (3) add a `case` in `getErrorMessage()`, (4) add i18n keys in `messages/{de,en,es}.json`. Valid error codes include: `TOO_MANY_LOGIN_ATTEMPTS` (returned by `LoginRateLimiter` as HTTP 429 when a brute-force threshold is exceeded).
 
 ---
 

CONTRIBUTING.md

@@ -263,7 +263,7 @@ if (!result.response.ok) {
 return { person: result.data! }; // non-null assertion is safe after the ok check
 ```
 
-For multipart/form-data (file uploads): bypass the typed client and use raw `fetch` — the client cannot handle it.
+For multipart/form-data (file uploads): bypass the typed client and use `event.fetch` directly — never global `fetch`. The typed client cannot handle multipart bodies, but `event.fetch` is still required so that `handleFetch` injects the session cookie.
 
 ### Date handling
 

backend/CLAUDE.md

@@ -97,7 +97,10 @@ public class MyEntity {
 
 - Annotated with `@Service`, `@RequiredArgsConstructor`, optionally `@Slf4j`.
 - Write methods: `@Transactional`.
-- Read methods: no annotation (default non-transactional).
+- Read methods: no annotation (default non-transactional) — **except** when the method returns
+  an entity whose lazy associations must remain accessible to the caller after the method
+  returns. In that case, use `@Transactional(readOnly = true)` to keep the Hibernate session
+  open. Removing this annotation causes `LazyInitializationException` in production. See ADR-022.
 - Cross-domain access goes through the other domain's service, never its repository.
 
 ## Error Handling

backend/src/main/java/org/raddatz/familienarchiv/auth/AuthService.java

@@ -7,12 +7,10 @@ import org.raddatz.familienarchiv.audit.AuditService;
 import org.raddatz.familienarchiv.exception.DomainException;
 import org.raddatz.familienarchiv.user.AppUser;
 import org.raddatz.familienarchiv.user.UserService;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.session.jdbc.JdbcIndexedSessionRepository;
 import org.springframework.stereotype.Service;
 
 import java.util.Map;
@@ -26,20 +24,10 @@ public class AuthService {
     private final AuthenticationManager authenticationManager;
     private final UserService userService;
     private final AuditService auditService;
+    private final LoginRateLimiter loginRateLimiter;
+    private final SessionRevocationPort sessionRevocationPort;
 
-    @Autowired(required = false)
-    private JdbcIndexedSessionRepository sessionRepository;
-
-    @Autowired(required = false)
-    private LoginRateLimiter loginRateLimiter;
-
-    /**
-     * Validates credentials and returns the authenticated user plus the Spring Security
-     * Authentication object. The caller is responsible for persisting the Authentication
-     * to the session via SecurityContextRepository.
-     */
     public LoginResult login(String email, String password, String ip, String ua) {
-        if (loginRateLimiter != null) {
         try {
             loginRateLimiter.checkAndConsume(ip, email);
         } catch (DomainException ex) {
@@ -48,7 +36,6 @@ public class AuthService {
                     "email", email));
             throw ex;
         }
-        }
         try {
             Authentication auth = authenticationManager.authenticate(
                     new UsernamePasswordAuthenticationToken(email, password));
@@ -58,9 +45,7 @@ public class AuthService {
                     "userId", user.getId().toString(),
                     "ip", ip,
                     "ua", truncateUa(ua)));
-            if (loginRateLimiter != null) {
             loginRateLimiter.invalidateOnSuccess(ip, email);
-            }
             return new LoginResult(user, auth);
         } catch (AuthenticationException ex) {
             // Audit login failure — intentionally does NOT log the attempted password.
@@ -75,22 +60,11 @@ public class AuthService {
     }
 
     public int revokeOtherSessions(String currentSessionId, String principalName) {
-        if (sessionRepository == null) return 0;
+        return sessionRevocationPort.revokeOtherSessions(currentSessionId, principalName);
-        int count = 0;
-        for (String id : sessionRepository.findByPrincipalName(principalName).keySet()) {
-            if (!id.equals(currentSessionId)) {
-                sessionRepository.deleteById(id);
-                count++;
-            }
-        }
-        return count;
     }
 
     public int revokeAllSessions(String principalName) {
-        if (sessionRepository == null) return 0;
+        return sessionRevocationPort.revokeAllSessions(principalName);
-        var sessions = sessionRepository.findByPrincipalName(principalName);
-        sessions.keySet().forEach(sessionRepository::deleteById);
-        return sessions.size();
     }
 
     public void logout(String email, String ip, String ua) {

backend/src/main/java/org/raddatz/familienarchiv/auth/JdbcSessionRevocationAdapter.java

@@ -0,0 +1,29 @@
+package org.raddatz.familienarchiv.auth;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.session.jdbc.JdbcIndexedSessionRepository;
+
+@RequiredArgsConstructor
+class JdbcSessionRevocationAdapter implements SessionRevocationPort {
+
+    private final JdbcIndexedSessionRepository sessionRepository;
+
+    @Override
+    public int revokeOtherSessions(String currentSessionId, String principalName) {
+        int count = 0;
+        for (String id : sessionRepository.findByPrincipalName(principalName).keySet()) {
+            if (!id.equals(currentSessionId)) {
+                sessionRepository.deleteById(id);
+                count++;
+            }
+        }
+        return count;
+    }
+
+    @Override
+    public int revokeAllSessions(String principalName) {
+        var sessions = sessionRepository.findByPrincipalName(principalName);
+        sessions.keySet().forEach(sessionRepository::deleteById);
+        return sessions.size();
+    }
+}

backend/src/main/java/org/raddatz/familienarchiv/auth/LoginRateLimiter.java

@@ -10,6 +10,7 @@ import org.raddatz.familienarchiv.exception.ErrorCode;
 import org.springframework.stereotype.Service;
 
 import java.time.Duration;
+import java.util.Locale;
 import java.util.concurrent.TimeUnit;
 
 @Service
@@ -41,20 +42,22 @@ public class LoginRateLimiter {
     // For the current single-VPS setup this is the correct, simplest implementation.
 
     public void checkAndConsume(String ip, String email) {
-        if (!byIpEmail.get(ip + ":" + email).tryConsume(1)) {
+        long retryAfterSeconds = windowMinutes * 60L;
+        String key = ip + ":" + email.toLowerCase(Locale.ROOT);
+        if (!byIpEmail.get(key).tryConsume(1)) {
             throw DomainException.tooManyRequests(ErrorCode.TOO_MANY_LOGIN_ATTEMPTS,
-                    "Too many login attempts from " + ip);
+                    "Too many login attempts from " + ip, retryAfterSeconds);
         }
         if (!byIp.get(ip).tryConsume(1)) {
             // Refund the ipEmail token so IP-level blocking does not erode the per-email quota.
-            byIpEmail.get(ip + ":" + email).addTokens(1);
+            byIpEmail.get(key).addTokens(1);
             throw DomainException.tooManyRequests(ErrorCode.TOO_MANY_LOGIN_ATTEMPTS,
-                    "Too many login attempts from " + ip);
+                    "Too many login attempts from " + ip, retryAfterSeconds);
         }
     }
 
     public void invalidateOnSuccess(String ip, String email) {
-        byIpEmail.invalidate(ip + ":" + email);
+        byIpEmail.invalidate(ip + ":" + email.toLowerCase(Locale.ROOT));
         byIp.invalidate(ip);
     }
 

backend/src/main/java/org/raddatz/familienarchiv/auth/NoOpSessionRevocationAdapter.java

@@ -0,0 +1,14 @@
+package org.raddatz.familienarchiv.auth;
+
+class NoOpSessionRevocationAdapter implements SessionRevocationPort {
+
+    @Override
+    public int revokeOtherSessions(String currentSessionId, String principalName) {
+        return 0;
+    }
+
+    @Override
+    public int revokeAllSessions(String principalName) {
+        return 0;
+    }
+}

backend/src/main/java/org/raddatz/familienarchiv/auth/SessionRevocationConfig.java

@@ -0,0 +1,19 @@
+package org.raddatz.familienarchiv.auth;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.session.jdbc.JdbcIndexedSessionRepository;
+
+@Configuration
+class SessionRevocationConfig {
+
+    @Bean
+    SessionRevocationPort sessionRevocationPort(
+            @Autowired(required = false) JdbcIndexedSessionRepository sessionRepository) {
+        if (sessionRepository != null) {
+            return new JdbcSessionRevocationAdapter(sessionRepository);
+        }
+        return new NoOpSessionRevocationAdapter();
+    }
+}

backend/src/main/java/org/raddatz/familienarchiv/auth/SessionRevocationPort.java

@@ -0,0 +1,6 @@
+package org.raddatz.familienarchiv.auth;
+
+public interface SessionRevocationPort {
+    int revokeOtherSessions(String currentSessionId, String principalName);
+    int revokeAllSessions(String principalName);
+}

backend/src/main/java/org/raddatz/familienarchiv/config/RateLimitInterceptor.java

@@ -28,6 +28,7 @@ public class RateLimitInterceptor implements HandlerInterceptor {
         AtomicInteger count = requestCounts.get(ip, k -> new AtomicInteger(0));
         if (count.incrementAndGet() > MAX_REQUESTS_PER_MINUTE) {
             response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
+            response.setHeader("Retry-After", "60");
             response.getWriter().write("{\"code\":\"RATE_LIMIT_EXCEEDED\",\"message\":\"Too many requests\"}");
             return false;
         }

backend/src/main/java/org/raddatz/familienarchiv/document/Document.java

@@ -2,6 +2,7 @@ package org.raddatz.familienarchiv.document;
 
 import jakarta.persistence.*;
 import lombok.*;
+import org.hibernate.annotations.BatchSize;
 import org.hibernate.annotations.CreationTimestamp;
 import org.hibernate.annotations.UpdateTimestamp;
 
@@ -21,6 +22,18 @@ import java.util.HashSet;
 import java.util.Set;
 import java.util.UUID;
 
+@NamedEntityGraph(name = "Document.full", attributeNodes = {
+        @NamedAttributeNode("sender"),
+        @NamedAttributeNode("receivers"),
+        @NamedAttributeNode("tags"),
+        @NamedAttributeNode("trainingLabels")
+})
+@NamedEntityGraph(name = "Document.list", attributeNodes = {
+        @NamedAttributeNode("sender"),
+        @NamedAttributeNode("receivers"),
+        @NamedAttributeNode("tags"),
+        @NamedAttributeNode("trainingLabels")
+})
 @Entity
 @Table(name = "documents")
 @Data // Lombok: Generiert Getter, Setter, ToString, etc.
@@ -118,24 +131,27 @@ public class Document {
     @Builder.Default
     private ScriptType scriptType = ScriptType.UNKNOWN;
 
-    @ManyToMany(fetch = FetchType.EAGER)
+    @ManyToMany(fetch = FetchType.LAZY)
     @JoinTable(name = "document_receivers", joinColumns = @JoinColumn(name = "document_id"), inverseJoinColumns = @JoinColumn(name = "person_id"))
+    @BatchSize(size = 50)
     @Builder.Default
     private Set<Person> receivers = new HashSet<>();
 
-    @ManyToOne
+    @ManyToOne(fetch = FetchType.LAZY)
     @JoinColumn(name = "sender_id")
     private Person sender;
 
-    @ManyToMany(fetch = FetchType.EAGER)
+    @ManyToMany(fetch = FetchType.LAZY)
     @JoinTable(name = "document_tags", joinColumns = @JoinColumn(name = "document_id"), inverseJoinColumns = @JoinColumn(name = "tag_id"))
+    @BatchSize(size = 50)
     @Builder.Default
     private Set<Tag> tags = new HashSet<>();
 
-    @ElementCollection(fetch = FetchType.EAGER)
+    @ElementCollection(fetch = FetchType.LAZY)
     @CollectionTable(name = "document_training_labels", joinColumns = @JoinColumn(name = "document_id"))
     @Column(name = "label")
     @Enumerated(EnumType.STRING)
+    @BatchSize(size = 50)
     @Builder.Default
     private Set<TrainingLabel> trainingLabels = new HashSet<>();
 

backend/src/main/java/org/raddatz/familienarchiv/document/DocumentRepository.java

@@ -7,6 +7,8 @@ import org.raddatz.familienarchiv.document.DocumentStatus;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.domain.Sort;
+import org.springframework.data.jpa.domain.Specification;
+import org.springframework.data.jpa.repository.EntityGraph;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.JpaSpecificationExecutor;
 import org.springframework.data.jpa.repository.Query;
@@ -23,6 +25,18 @@ import java.util.UUID;
 @Repository
 public interface DocumentRepository extends JpaRepository<Document, UUID>, JpaSpecificationExecutor<Document> {
 
+    @EntityGraph("Document.full")
+    Optional<Document> findById(UUID id);
+
+    @EntityGraph("Document.list")
+    Page<Document> findAll(Specification<Document> spec, Pageable pageable);
+
+    @EntityGraph("Document.list")
+    List<Document> findAll(Specification<Document> spec);
+
+    @EntityGraph("Document.list")
+    Page<Document> findAll(Pageable pageable);
+
     // Findet ein Dokument anhand des ursprünglichen Dateinamens
     // Wichtig für den Abgleich beim Excel-Import & Datei-Upload
     Optional<Document> findByOriginalFilename(String originalFilename);
@@ -30,17 +44,21 @@ public interface DocumentRepository extends JpaRepository<Document, UUID>, JpaSp
     // Wie oben, gibt aber nur das erste Ergebnis zurück — sicher wenn doppelte Dateinamen existieren
     Optional<Document> findFirstByOriginalFilename(String originalFilename);
 
-    // Findet alle Dokumente mit einem bestimmten Status
+    // Callers access only status/id scalar fields — no graph needed.
-    // z.B. um alle offenen "PLACEHOLDER" zu finden
     List<Document> findByStatus(DocumentStatus status);
 
     // Prüft effizient, ob ein Dateiname schon existiert (gibt true/false zurück)
     boolean existsByOriginalFilename(String originalFilename);
 
+    // lazy – @BatchSize(50) fallback active; see ADR-022
+    @EntityGraph("Document.full")
     List<Document> findBySenderId(UUID senderId);
 
+    // lazy – @BatchSize(50) fallback active; see ADR-022
+    @EntityGraph("Document.full")
     List<Document> findByReceiversId(UUID receiverId);
 
+    // Callers access only doc.getTags() to mutate the set — receivers/sender not touched; no graph needed.
     List<Document> findByTags_Id(UUID tagId);
 
     @Query("SELECT d FROM Document d WHERE d.id NOT IN (SELECT DISTINCT dv.documentId FROM DocumentVersion dv)")
@@ -55,12 +73,15 @@ public interface DocumentRepository extends JpaRepository<Document, UUID>, JpaSp
 
     long countByMetadataCompleteFalse();
 
+    // No production callers — only used if a future export path iterates the full list; no graph needed.
     List<Document> findByMetadataCompleteFalse(Sort sort);
 
+    // Callers map to IncompleteDocumentDTO using only scalar fields (id, title, createdAt) — no graph needed.
     Page<Document> findByMetadataCompleteFalse(Pageable pageable);
 
     Optional<Document> findFirstByMetadataCompleteFalseAndIdNot(UUID id, Sort sort);
 
+    @EntityGraph("Document.full")
     @Query("SELECT DISTINCT d FROM Document d " +
             "JOIN d.receivers r " +
             "WHERE " +
@@ -75,6 +96,7 @@ public interface DocumentRepository extends JpaRepository<Document, UUID>, JpaSp
             @Param("to") LocalDate to,
             Sort sort);
 
+    @EntityGraph("Document.full")
     @Query("SELECT DISTINCT d FROM Document d " +
             "LEFT JOIN d.receivers r " +
             "WHERE (d.sender.id = :personId OR r.id = :personId) " +

backend/src/main/java/org/raddatz/familienarchiv/document/DocumentService.java

@@ -447,6 +447,7 @@ public class DocumentService {
         return saved;
     }
 
+    @Transactional
     public Document updateDocumentTags(UUID docId, List<String> tagNames) {
         Document doc = documentRepository.findById(docId)
                 .orElseThrow(() -> DomainException.notFound(ErrorCode.DOCUMENT_NOT_FOUND, "Document not found: " + docId));
@@ -635,7 +636,7 @@ public class DocumentService {
         return saved;
     }
 
-    // 0. Zuletzt aktive Dokumente (sortiert nach updatedAt DESC)
+    @Transactional(readOnly = true)
     public List<Document> getRecentActivity(int size) {
         return documentRepository.findAll(
                 PageRequest.of(0, size, Sort.by(Sort.Direction.DESC, "updatedAt"))
@@ -843,6 +844,7 @@ public class DocumentService {
         documentRepository.save(doc);
     }
 
+    @Transactional(readOnly = true)
     public Document getDocumentById(UUID id) {
         Document doc = documentRepository.findById(id)
                 .orElseThrow(() -> DomainException.notFound(ErrorCode.DOCUMENT_NOT_FOUND, "Document not found: " + id));

backend/src/main/java/org/raddatz/familienarchiv/document/transcription/TranscriptionBlockController.java

@@ -43,7 +43,7 @@ public class TranscriptionBlockController {
 
     @PostMapping
     @ResponseStatus(HttpStatus.CREATED)
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public TranscriptionBlock createBlock(
             @PathVariable UUID documentId,
             @Valid @RequestBody CreateTranscriptionBlockDTO dto,
@@ -53,7 +53,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/{blockId}")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public TranscriptionBlock updateBlock(
             @PathVariable UUID documentId,
             @PathVariable UUID blockId,
@@ -65,7 +65,7 @@ public class TranscriptionBlockController {
 
     @DeleteMapping("/{blockId}")
     @ResponseStatus(HttpStatus.NO_CONTENT)
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public void deleteBlock(
             @PathVariable UUID documentId,
             @PathVariable UUID blockId) {
@@ -73,7 +73,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/reorder")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public List<TranscriptionBlock> reorderBlocks(
             @PathVariable UUID documentId,
             @RequestBody ReorderTranscriptionBlocksDTO dto) {
@@ -82,7 +82,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/{blockId}/review")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public TranscriptionBlock reviewBlock(
             @PathVariable UUID documentId,
             @PathVariable UUID blockId,
@@ -92,7 +92,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/review-all")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public List<TranscriptionBlock> markAllBlocksReviewed(
             @PathVariable UUID documentId,
             Authentication authentication) {

backend/src/main/java/org/raddatz/familienarchiv/exception/DomainException.java

@@ -10,11 +10,21 @@ public class DomainException extends RuntimeException {
 
     private final ErrorCode code;
     private final HttpStatus status;
+    /** Seconds until the rate-limit window resets; {@code null} when not applicable. */
+    private final Long retryAfterSeconds;
 
     public DomainException(ErrorCode code, HttpStatus status, String developerMessage) {
         super(developerMessage);
         this.code = code;
         this.status = status;
+        this.retryAfterSeconds = null;
+    }
+
+    private DomainException(ErrorCode code, HttpStatus status, String developerMessage, Long retryAfterSeconds) {
+        super(developerMessage);
+        this.code = code;
+        this.status = status;
+        this.retryAfterSeconds = retryAfterSeconds;
     }
 
     public ErrorCode getCode() {
@@ -25,6 +35,11 @@ public class DomainException extends RuntimeException {
         return status;
     }
 
+    /** Returns the {@code Retry-After} value in seconds, or {@code null} if not set. */
+    public Long getRetryAfterSeconds() {
+        return retryAfterSeconds;
+    }
+
     // --- Static factories for common cases ---
 
     public static DomainException notFound(ErrorCode code, String message) {
@@ -59,4 +74,8 @@ public class DomainException extends RuntimeException {
     public static DomainException tooManyRequests(ErrorCode code, String message) {
         return new DomainException(code, HttpStatus.TOO_MANY_REQUESTS, message);
     }
+
+    public static DomainException tooManyRequests(ErrorCode code, String message, long retryAfterSeconds) {
+        return new DomainException(code, HttpStatus.TOO_MANY_REQUESTS, message, retryAfterSeconds);
+    }
 }

backend/src/main/java/org/raddatz/familienarchiv/exception/GlobalExceptionHandler.java

@@ -23,9 +23,11 @@ public class GlobalExceptionHandler {
 
     @ExceptionHandler(DomainException.class)
     public ResponseEntity<ErrorResponse> handleDomain(DomainException ex) {
-        return ResponseEntity
+        var builder = ResponseEntity.status(ex.getStatus());
-            .status(ex.getStatus())
+        if (ex.getRetryAfterSeconds() != null) {
-            .body(new ErrorResponse(ex.getCode(), ex.getMessage()));
+            builder = builder.header("Retry-After", String.valueOf(ex.getRetryAfterSeconds()));
+        }
+        return builder.body(new ErrorResponse(ex.getCode(), ex.getMessage()));
     }
 
     @ExceptionHandler(MethodArgumentNotValidException.class)

backend/src/main/java/org/raddatz/familienarchiv/importing/MassImportService.java

@@ -1,6 +1,8 @@
 package org.raddatz.familienarchiv.importing;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import io.swagger.v3.oas.annotations.media.Schema;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.poi.ss.usermodel.*;
@@ -31,6 +33,7 @@ import javax.xml.parsers.DocumentBuilderFactory;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
@@ -53,9 +56,41 @@ public class MassImportService {
 
     public enum State { IDLE, RUNNING, DONE, FAILED }
 
-    public record ImportStatus(State state, String statusCode, @JsonIgnore String message, int processed, LocalDateTime startedAt) {}
+    public enum SkipReason {
+        INVALID_FILENAME_PATH_TRAVERSAL,
+        INVALID_PDF_SIGNATURE,
+        FILE_READ_ERROR,
+        ALREADY_EXISTS,
+        S3_UPLOAD_FAILED
+    }
 
-    private volatile ImportStatus currentStatus = new ImportStatus(State.IDLE, "IMPORT_IDLE", "Kein Import gestartet.", 0, null);
+    public record SkippedFile(
+            @Schema(requiredMode = Schema.RequiredMode.REQUIRED) String filename,
+            @Schema(requiredMode = Schema.RequiredMode.REQUIRED) SkipReason reason
+    ) {}
+
+    public record ImportStatus(
+            @Schema(requiredMode = Schema.RequiredMode.REQUIRED) State state,
+            @Schema(requiredMode = Schema.RequiredMode.REQUIRED) String statusCode,
+            @JsonIgnore String message,
+            @Schema(requiredMode = Schema.RequiredMode.REQUIRED) int processed,
+            @Schema(requiredMode = Schema.RequiredMode.REQUIRED) List<SkippedFile> skippedFiles,
+            LocalDateTime startedAt
+    ) {
+        // Note: @Schema on a record accessor method is not picked up by SpringDoc; the
+        // "skipped" count is a computed convenience field derived from skippedFiles.size().
+        @JsonProperty("skipped")
+        public int skipped() { return skippedFiles.size(); }
+
+        /** Defensive-copy constructor — callers cannot mutate the stored list after construction. */
+        public ImportStatus {
+            skippedFiles = List.copyOf(skippedFiles);
+        }
+    }
+
+    record ProcessResult(int processed, List<SkippedFile> skippedFiles) {}
+
+    private volatile ImportStatus currentStatus = new ImportStatus(State.IDLE, "IMPORT_IDLE", "Kein Import gestartet.", 0, List.of(), null);
 
     public ImportStatus getStatus() {
         return currentStatus;
@@ -117,22 +152,22 @@ public class MassImportService {
         if (currentStatus.state() == State.RUNNING) {
             throw DomainException.conflict(ErrorCode.IMPORT_ALREADY_RUNNING, "A mass import is already in progress");
         }
-        currentStatus = new ImportStatus(State.RUNNING, "IMPORT_RUNNING", "Import läuft...", 0, LocalDateTime.now());
+        currentStatus = new ImportStatus(State.RUNNING, "IMPORT_RUNNING", "Import läuft...", 0, List.of(), LocalDateTime.now());
         try {
             File spreadsheet = findSpreadsheetFile();
             log.info("Starte Massenimport aus: {}", spreadsheet.getAbsolutePath());
-            int processed = processRows(readSpreadsheet(spreadsheet));
+            ProcessResult result = processRows(readSpreadsheet(spreadsheet));
             currentStatus = new ImportStatus(State.DONE, "IMPORT_DONE",
-                    "Import abgeschlossen. " + processed + " Dokumente verarbeitet.",
+                    "Import abgeschlossen. " + result.processed() + " Dokumente verarbeitet.",
-                    processed, currentStatus.startedAt());
+                    result.processed(), result.skippedFiles(), currentStatus.startedAt());
         } catch (NoSpreadsheetException e) {
             log.error("Massenimport fehlgeschlagen: keine Tabellendatei", e);
             currentStatus = new ImportStatus(State.FAILED, "IMPORT_FAILED_NO_SPREADSHEET",
-                    "Fehler: " + e.getMessage(), 0, currentStatus.startedAt());
+                    "Fehler: " + e.getMessage(), 0, List.of(), currentStatus.startedAt());
         } catch (Exception e) {
             log.error("Massenimport fehlgeschlagen", e);
             currentStatus = new ImportStatus(State.FAILED, "IMPORT_FAILED_INTERNAL",
-                    "Fehler: " + e.getMessage(), 0, currentStatus.startedAt());
+                    "Fehler: " + e.getMessage(), 0, List.of(), currentStatus.startedAt());
         }
     }
 
@@ -254,30 +289,94 @@ public class MassImportService {
 
     // --- Import logic (works on neutral List<String> rows) ---
 
-    private int processRows(List<List<String>> rows) {
+    private ProcessResult processRows(List<List<String>> rows) {
-        int count = 0;
+        int processed = 0;
+        List<SkippedFile> skippedFiles = new ArrayList<>();
+
         for (int i = 1; i < rows.size(); i++) { // skip header row
             List<String> cells = rows.get(i);
             String index = getCell(cells, colIndex);
             if (index.isBlank()) continue;
 
             String filename = index.contains(".") ? index : index + ".pdf";
+            if (!isValidImportFilename(filename)) {
+                log.warn("Skipping import row {}: filename rejected — {}", i, filename);
+                skippedFiles.add(new SkippedFile(filename, SkipReason.INVALID_FILENAME_PATH_TRAVERSAL));
+                continue;
+            }
             Optional<File> fileOnDisk = findFileRecursive(filename);
             if (fileOnDisk.isEmpty()) {
                 log.warn("Datei nicht gefunden, importiere nur Metadaten: {}", filename);
             }
-            importSingleDocument(cells, fileOnDisk, filename, index);
+
-            count++;
+            if (fileOnDisk.isPresent()) {
+                try {
+                    if (!isPdfMagicBytes(fileOnDisk.get())) {
+                        log.warn("Überspringe {}: Datei beginnt nicht mit %PDF-Signatur", filename);
+                        skippedFiles.add(new SkippedFile(filename, SkipReason.INVALID_PDF_SIGNATURE));
+                        continue;
+                    }
+                } catch (IOException e) {
+                    log.error("Fehler beim Prüfen der Magic-Bytes für {}", filename, e);
+                    skippedFiles.add(new SkippedFile(filename, SkipReason.FILE_READ_ERROR));
+                    continue;
                 }
-        return count;
             }
 
+            Optional<SkipReason> skipReason = importSingleDocument(cells, fileOnDisk, filename, index);
+            if (skipReason.isPresent()) {
+                skippedFiles.add(new SkippedFile(filename, skipReason.get()));
+            } else {
+                processed++;
+            }
+        }
+        return new ProcessResult(processed, skippedFiles);
+    }
+
+    private boolean isValidImportFilename(String filename) {
+        if (filename == null || filename.isBlank()) return false;
+        if (filename.contains("/")) return false;
+        if (filename.contains("\\")) return false;
+        if (filename.contains("∕")) return false;  // U+2215 DIVISION SLASH
+        if (filename.contains("／")) return false;  // U+FF0F FULLWIDTH SOLIDUS
+        if (filename.contains("⧵")) return false;  // U+29F5 REVERSE SOLIDUS OPERATOR
+        if (filename.contains("..")) return false;
+        if (filename.equals(".")) return false;
+        if (filename.contains("\0")) return false;
+        // Paths.get() is safe here on Linux for all inputs that passed the checks above;
+        // it may throw InvalidPathException for OS-specific illegal chars on Windows,
+        // but those are not reachable in production.
+        if (Paths.get(filename).isAbsolute()) return false;
+        return true;
+    }
+
+    // package-private: Mockito spy in tests can override to inject IOException
+    InputStream openFileStream(File file) throws IOException {
+        return new FileInputStream(file);
+    }
+
+    private boolean isPdfMagicBytes(File file) throws IOException {
+        try (InputStream is = openFileStream(file)) {
+            byte[] header = is.readNBytes(4);
+            return header.length == 4
+                    && header[0] == 0x25  // %
+                    && header[1] == 0x50  // P
+                    && header[2] == 0x44  // D
+                    && header[3] == 0x46; // F
+        }
+    }
+
+    /**
+     * Imports a single document row.
+     *
+     * @return empty Optional on success; an Optional containing the skip reason on failure/skip.
+     */
     @Transactional
-    protected void importSingleDocument(List<String> cells, Optional<File> file, String originalFilename, String index) {
+    protected Optional<SkipReason> importSingleDocument(List<String> cells, Optional<File> file, String originalFilename, String index) {
         Optional<Document> existing = documentService.findByOriginalFilename(originalFilename);
         if (existing.isPresent() && existing.get().getStatus() != DocumentStatus.PLACEHOLDER) {
             log.info("Dokument {} existiert bereits, überspringe.", originalFilename);
-            return;
+            return Optional.of(SkipReason.ALREADY_EXISTS);
         }
 
         String archiveBox    = getCell(cells, colBox);
@@ -313,7 +412,7 @@ public class MassImportService {
                 status = DocumentStatus.UPLOADED;
             } catch (Exception e) {
                 log.error("S3 Upload Fehler für {}", file.get().getName(), e);
-                return;
+                return Optional.of(SkipReason.S3_UPLOAD_FAILED);
             }
         }
 
@@ -355,6 +454,7 @@ public class MassImportService {
             thumbnailAsyncRunner.dispatchAfterCommit(saved.getId());
         }
         log.info("Importiert{}: {}", file.isEmpty() ? " (nur Metadaten)" : "", originalFilename);
+        return Optional.empty();
     }
 
     // --- Helpers ---
@@ -390,11 +490,18 @@ public class MassImportService {
     }
 
     private Optional<File> findFileRecursive(String filename) {
-        try (Stream<Path> walk = Files.walk(Paths.get(importDir))) {
+        File baseDir = new File(importDir);
-            return walk.filter(p -> !Files.isDirectory(p))
+        try (Stream<Path> walk = Files.walk(baseDir.toPath())) {
+            Optional<Path> match = walk.filter(p -> !Files.isDirectory(p))
                     .filter(p -> p.getFileName().toString().equals(filename))
-                    .map(Path::toFile)
                     .findFirst();
+            if (match.isEmpty()) return Optional.empty();
+            File candidate = match.get().toFile();
+            String baseDirCanonical = baseDir.getCanonicalPath();
+            if (!candidate.getCanonicalPath().startsWith(baseDirCanonical + File.separator)) {
+                throw DomainException.internal(ErrorCode.INTERNAL_ERROR, "Path escape detected: " + candidate);
+            }
+            return Optional.of(candidate);
         } catch (IOException e) {
             return Optional.empty();
         }

backend/src/main/java/org/raddatz/familienarchiv/person/Person.java

@@ -1,6 +1,7 @@
 package org.raddatz.familienarchiv.person;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import io.swagger.v3.oas.annotations.media.Schema;
 import jakarta.persistence.*;
 import lombok.*;
@@ -9,6 +10,9 @@ import org.raddatz.familienarchiv.user.DisplayNameFormatter;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.UUID;
+
+// prevents infinite recursion in JSON serialization; see ADR-022 for lazy-fetch context
+@JsonIgnoreProperties({"hibernateLazyInitializer", "handler"})
 @Entity
 @Table(name = "persons")
 @Data

backend/src/main/java/org/raddatz/familienarchiv/tag/Tag.java

@@ -2,10 +2,13 @@ package org.raddatz.familienarchiv.tag;
 
 import java.util.UUID;
 
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import io.swagger.v3.oas.annotations.media.Schema;
 import jakarta.persistence.*;
 import lombok.*;
 
+// prevents infinite recursion in JSON serialization; see ADR-022 for lazy-fetch context
+@JsonIgnoreProperties({"hibernateLazyInitializer", "handler"})
 @Entity
 @Data
 @NoArgsConstructor

backend/src/main/java/org/raddatz/familienarchiv/user/InviteListItemDTO.java

@@ -31,5 +31,6 @@ public class InviteListItemDTO {
     private String status;
     @Schema(requiredMode = Schema.RequiredMode.REQUIRED)
     private LocalDateTime createdAt;
+    @Schema(requiredMode = Schema.RequiredMode.REQUIRED)
     private String shareableUrl;
 }

backend/src/main/java/org/raddatz/familienarchiv/user/UserController.java

@@ -30,15 +30,15 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
 
-import lombok.AllArgsConstructor;
+import lombok.RequiredArgsConstructor;
 
 @RestController
 @RequestMapping("/api/")
-@AllArgsConstructor
+@RequiredArgsConstructor
 public class UserController {
-    private UserService userService;
+    private final UserService userService;
-    private AuthService authService;
+    private final AuthService authService;
-    private AuditService auditService;
+    private final AuditService auditService;
 
     @GetMapping("users/me")
     public ResponseEntity<AppUser> getCurrentUser(Authentication authentication) {

backend/src/test/java/org/raddatz/familienarchiv/auth/AuthServiceTest.java

@@ -15,17 +15,10 @@ import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
-import org.springframework.session.jdbc.JdbcIndexedSessionRepository;
-import org.raddatz.familienarchiv.exception.ErrorCode;
 
-import java.util.HashMap;
-import java.util.Map;
 import java.util.Set;
 import java.util.UUID;
 
-import org.junit.jupiter.api.BeforeEach;
-import org.springframework.test.util.ReflectionTestUtils;
-
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.ArgumentMatchers.*;
@@ -37,19 +30,13 @@ class AuthServiceTest {
     @Mock AuthenticationManager authenticationManager;
     @Mock UserService userService;
     @Mock AuditService auditService;
-    @Mock JdbcIndexedSessionRepository sessionRepository;
     @Mock LoginRateLimiter loginRateLimiter;
+    @Mock SessionRevocationPort sessionRevocationPort;
     @InjectMocks AuthService authService;
 
     private static final String IP = "127.0.0.1";
     private static final String UA = "Mozilla/5.0 (Test)";
 
-    @BeforeEach
-    void injectOptionalFields() {
-        ReflectionTestUtils.setField(authService, "sessionRepository", sessionRepository);
-        ReflectionTestUtils.setField(authService, "loginRateLimiter", loginRateLimiter);
-    }
-
     @Test
     void login_returns_user_on_valid_credentials() {
         UUID userId = UUID.randomUUID();
@@ -159,7 +146,6 @@ class AuthServiceTest {
 
     @Test
     void login_fires_LOGIN_RATE_LIMITED_audit_when_rate_limited() {
-        UUID userId = UUID.randomUUID();
         doThrow(DomainException.tooManyRequests(ErrorCode.TOO_MANY_LOGIN_ATTEMPTS, "rate limited"))
             .when(loginRateLimiter).checkAndConsume(IP, "user@test.de");
 
@@ -183,55 +169,23 @@ class AuthServiceTest {
         verify(loginRateLimiter).invalidateOnSuccess(IP, "user@test.de");
     }
 
-    @SuppressWarnings("unchecked")
     @Test
-    void revokeOtherSessions_preserves_current_and_deletes_N_minus_1() {
+    void revokeOtherSessions_delegates_to_port() {
-        var sessions = new HashMap<String, Object>();
+        when(sessionRevocationPort.revokeOtherSessions("session-keep", "user@test.de")).thenReturn(2);
-        sessions.put("session-keep", null);
-        sessions.put("session-del-1", null);
-        sessions.put("session-del-2", null);
-        doReturn(sessions).when(sessionRepository).findByPrincipalName("user@test.de");
 
         int count = authService.revokeOtherSessions("session-keep", "user@test.de");
 
         assertThat(count).isEqualTo(2);
-        verify(sessionRepository, never()).deleteById("session-keep");
+        verify(sessionRevocationPort).revokeOtherSessions("session-keep", "user@test.de");
-        verify(sessionRepository).deleteById("session-del-1");
-        verify(sessionRepository).deleteById("session-del-2");
     }
 
-    @SuppressWarnings("unchecked")
     @Test
-    void revokeAllSessions_deletes_all_sessions_for_principal() {
+    void revokeAllSessions_delegates_to_port() {
-        var sessions = new HashMap<String, Object>();
+        when(sessionRevocationPort.revokeAllSessions("user@test.de")).thenReturn(3);
-        sessions.put("session-1", null);
-        sessions.put("session-2", null);
-        doReturn(sessions).when(sessionRepository).findByPrincipalName("user@test.de");
 
         int count = authService.revokeAllSessions("user@test.de");
 
-        assertThat(count).isEqualTo(2);
+        assertThat(count).isEqualTo(3);
-        verify(sessionRepository).deleteById("session-1");
+        verify(sessionRevocationPort).revokeAllSessions("user@test.de");
-        verify(sessionRepository).deleteById("session-2");
-    }
-
-    // ─── null-guard when sessionRepository is unavailable ────────────────────
-
-    @Test
-    void revokeAllSessions_returns_zero_when_sessionRepository_is_null() {
-        ReflectionTestUtils.setField(authService, "sessionRepository", null);
-
-        int count = authService.revokeAllSessions("user@test.de");
-
-        assertThat(count).isEqualTo(0);
-    }
-
-    @Test
-    void revokeOtherSessions_returns_zero_when_sessionRepository_is_null() {
-        ReflectionTestUtils.setField(authService, "sessionRepository", null);
-
-        int count = authService.revokeOtherSessions("session-keep", "user@test.de");
-
-        assertThat(count).isEqualTo(0);
     }
 }

backend/src/test/java/org/raddatz/familienarchiv/auth/AuthSessionIntegrationTest.java

@@ -119,6 +119,21 @@ class AuthSessionIntegrationTest {
         assertThat(me.getStatusCode().value()).isEqualTo(401);
     }
 
+    // ─── Task: CSRF rejection at integration layer ────────────────────────────
+
+    @Test
+    void post_without_csrf_token_returns_403_CSRF_TOKEN_MISSING() {
+        HttpHeaders headers = new HttpHeaders();
+        headers.setContentType(MediaType.APPLICATION_JSON);
+        // Deliberately omit XSRF-TOKEN cookie and X-XSRF-TOKEN header
+        ResponseEntity<String> response = http.postForEntity(
+                baseUrl + "/api/auth/logout",
+                new HttpEntity<>("{}", headers), String.class);
+
+        assertThat(response.getStatusCode().value()).isEqualTo(403);
+        assertThat(response.getBody()).contains("CSRF_TOKEN_MISSING");
+    }
+
     // ─── helpers ─────────────────────────────────────────────────────────────
 
     /**

backend/src/test/java/org/raddatz/familienarchiv/auth/JdbcSessionRevocationAdapterIntegrationTest.java

@@ -0,0 +1,136 @@
+package org.raddatz.familienarchiv.auth;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.raddatz.familienarchiv.PostgresContainerConfig;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.context.annotation.Import;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.bean.override.mockito.MockitoBean;
+import org.springframework.transaction.support.TransactionTemplate;
+import software.amazon.awssdk.services.s3.S3Client;
+
+import java.time.Instant;
+import java.util.UUID;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Integration test for {@link JdbcSessionRevocationAdapter} that verifies
+ * session rows are actually written to / removed from the {@code spring_session}
+ * table backed by a real PostgreSQL container.
+ *
+ * <p>Sessions are inserted via raw JDBC to avoid the module-access restriction on
+ * {@code JdbcIndexedSessionRepository.JdbcSession}. The {@link SessionRevocationPort}
+ * bean injected here is the real {@link JdbcSessionRevocationAdapter} wired by Spring.
+ */
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+@ActiveProfiles("test")
+@Import(PostgresContainerConfig.class)
+class JdbcSessionRevocationAdapterIntegrationTest {
+
+    @MockitoBean S3Client s3Client;
+
+    @Autowired SessionRevocationPort adapter;
+    @Autowired JdbcTemplate jdbcTemplate;
+    @Autowired TransactionTemplate transactionTemplate;
+
+    private static final String PRINCIPAL = "revocation-it@test.de";
+
+    @BeforeEach
+    void clearSessions() {
+        // spring_session_attributes cascades on delete
+        transactionTemplate.execute(status -> {
+            jdbcTemplate.update("DELETE FROM spring_session");
+            return null;
+        });
+    }
+
+    // ── helper ─────────────────────────────────────────────────────────────────
+
+    /**
+     * Inserts a minimal {@code spring_session} row attributed to {@value #PRINCIPAL}
+     * and returns its opaque primary-key ID (the value the repository uses as the
+     * session identifier, not the {@code SESSION_ID} column which holds the public token).
+     *
+     * <p>Column layout mirrors the Flyway-managed schema shipped with the app:
+     * PRIMARY_ID, SESSION_ID, CREATION_TIME, LAST_ACCESS_TIME, MAX_INACTIVE_INTERVAL,
+     * EXPIRY_TIME, PRINCIPAL_NAME.
+     */
+    /**
+     * Inserts a persisted session row for {@value #PRINCIPAL} and returns the
+     * {@code SESSION_ID} column value — this is the opaque identifier that
+     * {@link JdbcIndexedSessionRepository} uses as the session's public key
+     * (returned by {@code JdbcSession.getId()} and expected by
+     * {@link JdbcIndexedSessionRepository#deleteById}).
+     *
+     * <p>The inserts run inside a {@link TransactionTemplate} so the rows are
+     * committed before {@code findByPrincipalName} opens its own transaction and
+     * can see the data via Read Committed isolation.
+     */
+    private String insertSession() {
+        String primaryId = UUID.randomUUID().toString();
+        // SESSION_ID is the value used by JdbcSession.getId() and findByPrincipalName map keys.
+        String sessionId  = UUID.randomUUID().toString();
+        long   now        = Instant.now().toEpochMilli();
+        long   expiry     = now + 8L * 3600 * 1000; // 8-hour TTL
+        transactionTemplate.execute(status -> {
+            jdbcTemplate.update("""
+                    INSERT INTO spring_session
+                        (PRIMARY_ID, SESSION_ID, CREATION_TIME, LAST_ACCESS_TIME,
+                         MAX_INACTIVE_INTERVAL, EXPIRY_TIME, PRINCIPAL_NAME)
+                    VALUES (?, ?, ?, ?, ?, ?, ?)
+                    """,
+                    primaryId, sessionId, now, now, 28800, expiry, PRINCIPAL);
+            // Spring Session's listSessionsByPrincipalName query joins spring_session_attributes;
+            // insert a minimal attribute row so the session appears in the result set.
+            jdbcTemplate.update("""
+                    INSERT INTO spring_session_attributes
+                        (SESSION_PRIMARY_ID, ATTRIBUTE_NAME, ATTRIBUTE_BYTES)
+                    VALUES (?, ?, ?)
+                    """,
+                    primaryId, "test_attr", new byte[]{0});
+            return null;
+        });
+        return sessionId;  // the public key used by JdbcSession.getId() and deleteById()
+    }
+
+    // ── tests ──────────────────────────────────────────────────────────────────
+
+    @Test
+    void revokeAllSessions_removes_every_row_from_spring_session_table() {
+        insertSession();
+        insertSession();
+
+        int count = adapter.revokeAllSessions(PRINCIPAL);
+
+        assertThat(count).isEqualTo(2);
+        assertThat(jdbcTemplate.queryForObject(
+                "SELECT COUNT(*) FROM spring_session WHERE PRINCIPAL_NAME = ?",
+                Long.class, PRINCIPAL))
+            .isZero();
+    }
+
+    @Test
+    void revokeOtherSessions_deletes_non_current_rows_and_keeps_current_session() {
+        String keepId = insertSession();
+        insertSession();
+        insertSession();
+
+        int count = adapter.revokeOtherSessions(keepId, PRINCIPAL);
+
+        assertThat(count).isEqualTo(2);
+        // The current session row must still be present (keyed by SESSION_ID)
+        assertThat(jdbcTemplate.queryForObject(
+                "SELECT COUNT(*) FROM spring_session WHERE SESSION_ID = ?",
+                Long.class, keepId))
+            .isEqualTo(1L);
+        // The total for this principal is now exactly 1
+        assertThat(jdbcTemplate.queryForObject(
+                "SELECT COUNT(*) FROM spring_session WHERE PRINCIPAL_NAME = ?",
+                Long.class, PRINCIPAL))
+            .isEqualTo(1L);
+    }
+}

backend/src/test/java/org/raddatz/familienarchiv/auth/JdbcSessionRevocationAdapterTest.java

@@ -0,0 +1,52 @@
+package org.raddatz.familienarchiv.auth;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.session.jdbc.JdbcIndexedSessionRepository;
+
+import java.util.HashMap;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.*;
+
+@ExtendWith(MockitoExtension.class)
+class JdbcSessionRevocationAdapterTest {
+
+    @Mock JdbcIndexedSessionRepository sessionRepository;
+    @InjectMocks JdbcSessionRevocationAdapter adapter;
+
+    @SuppressWarnings("unchecked")
+    @Test
+    void revokeOtherSessions_preserves_current_and_deletes_N_minus_1() {
+        var sessions = new HashMap<String, Object>();
+        sessions.put("session-keep", null);
+        sessions.put("session-del-1", null);
+        sessions.put("session-del-2", null);
+        doReturn(sessions).when(sessionRepository).findByPrincipalName("user@test.de");
+
+        int count = adapter.revokeOtherSessions("session-keep", "user@test.de");
+
+        assertThat(count).isEqualTo(2);
+        verify(sessionRepository, never()).deleteById("session-keep");
+        verify(sessionRepository).deleteById("session-del-1");
+        verify(sessionRepository).deleteById("session-del-2");
+    }
+
+    @SuppressWarnings("unchecked")
+    @Test
+    void revokeAllSessions_deletes_all_sessions_for_principal() {
+        var sessions = new HashMap<String, Object>();
+        sessions.put("session-1", null);
+        sessions.put("session-2", null);
+        doReturn(sessions).when(sessionRepository).findByPrincipalName("user@test.de");
+
+        int count = adapter.revokeAllSessions("user@test.de");
+
+        assertThat(count).isEqualTo(2);
+        verify(sessionRepository).deleteById("session-1");
+        verify(sessionRepository).deleteById("session-2");
+    }
+}

backend/src/test/java/org/raddatz/familienarchiv/auth/LoginRateLimiterTest.java

@@ -5,8 +5,9 @@ import org.junit.jupiter.api.Test;
 import org.raddatz.familienarchiv.exception.DomainException;
 import org.raddatz.familienarchiv.exception.ErrorCode;
 
-import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatNoException;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 class LoginRateLimiterTest {
 
@@ -37,10 +38,22 @@ class LoginRateLimiterTest {
 
         assertThatThrownBy(() -> rateLimiter.checkAndConsume("1.2.3.4", "user@example.com"))
             .isInstanceOf(DomainException.class)
-            .satisfies(ex -> org.assertj.core.api.Assertions.assertThat(((DomainException) ex).getCode())
+            .satisfies(ex -> assertThat(((DomainException) ex).getCode())
                 .isEqualTo(ErrorCode.TOO_MANY_LOGIN_ATTEMPTS));
     }
 
+    @Test
+    void blocked_attempt_carries_retry_after_seconds_equal_to_window_duration() {
+        for (int i = 0; i < 10; i++) {
+            rateLimiter.checkAndConsume("1.2.3.4", "user@example.com");
+        }
+
+        assertThatThrownBy(() -> rateLimiter.checkAndConsume("1.2.3.4", "user@example.com"))
+            .isInstanceOf(DomainException.class)
+            .satisfies(ex -> assertThat(((DomainException) ex).getRetryAfterSeconds())
+                .isEqualTo(15 * 60L));  // windowMinutes=15 → 900 seconds
+    }
+
     @Test
     void success_after_10_failures_resets_ip_email_bucket() {
         for (int i = 0; i < 10; i++) {
@@ -61,7 +74,7 @@ class LoginRateLimiterTest {
 
         assertThatThrownBy(() -> rateLimiter.checkAndConsume("1.2.3.4", "attacker@example.com"))
             .isInstanceOf(DomainException.class)
-            .satisfies(ex -> org.assertj.core.api.Assertions.assertThat(((DomainException) ex).getCode())
+            .satisfies(ex -> assertThat(((DomainException) ex).getCode())
                 .isEqualTo(ErrorCode.TOO_MANY_LOGIN_ATTEMPTS));
     }
 
@@ -78,6 +91,30 @@ class LoginRateLimiterTest {
             () -> rateLimiter.checkAndConsume("1.2.3.4", "other@example.com"));
     }
 
+    @Test
+    void email_lookup_is_case_insensitive_so_mixed_case_shares_the_same_bucket() {
+        for (int i = 0; i < 10; i++) {
+            rateLimiter.checkAndConsume("1.2.3.4", "User@Example.COM");
+        }
+
+        assertThatThrownBy(() -> rateLimiter.checkAndConsume("1.2.3.4", "user@example.com"))
+            .isInstanceOf(DomainException.class)
+            .satisfies(ex -> assertThat(((DomainException) ex).getCode())
+                .isEqualTo(ErrorCode.TOO_MANY_LOGIN_ATTEMPTS));
+    }
+
+    @Test
+    void invalidateOnSuccess_is_case_insensitive_so_mixed_case_clears_the_bucket() {
+        for (int i = 0; i < 10; i++) {
+            rateLimiter.checkAndConsume("1.2.3.4", "user@example.com");
+        }
+
+        rateLimiter.invalidateOnSuccess("1.2.3.4", "User@Example.COM");
+
+        assertThatNoException().isThrownBy(
+            () -> rateLimiter.checkAndConsume("1.2.3.4", "user@example.com"));
+    }
+
     @Test
     void ip_exhaustion_does_not_consume_ipEmail_tokens_for_blocked_attempts() {
         // Use a tighter limiter so the phantom-consumption effect is observable.

backend/src/test/java/org/raddatz/familienarchiv/config/RateLimitInterceptorTest.java

@@ -45,6 +45,15 @@ class RateLimitInterceptorTest {
         verify(response).setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
     }
 
+    @Test
+    void blocked_response_includes_retry_after_header() throws Exception {
+        for (int i = 0; i < 10; i++) {
+            interceptor.preHandle(request, response, null);
+        }
+        interceptor.preHandle(request, response, null);
+        verify(response).setHeader("Retry-After", "60");
+    }
+
     @Test
     void different_ips_have_independent_limits() throws Exception {
         HttpServletRequest other = mock(HttpServletRequest.class);

backend/src/test/java/org/raddatz/familienarchiv/document/DocumentLazyLoadingTest.java

@@ -0,0 +1,178 @@
+package org.raddatz.familienarchiv.document;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+import org.raddatz.familienarchiv.PostgresContainerConfig;
+import org.raddatz.familienarchiv.audit.AuditLogQueryService;
+import org.raddatz.familienarchiv.dashboard.DashboardService;
+import org.raddatz.familienarchiv.person.Person;
+import org.raddatz.familienarchiv.person.PersonRepository;
+import org.raddatz.familienarchiv.tag.Tag;
+import org.raddatz.familienarchiv.tag.TagRepository;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.context.annotation.Import;
+import org.springframework.data.domain.PageRequest;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.bean.override.mockito.MockitoBean;
+import software.amazon.awssdk.services.s3.S3Client;
+
+import java.util.HashSet;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.UUID;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
+
+/**
+ * Verifies that lazy-loaded associations on {@link Document} are accessible after a service
+ * method returns — i.e. no {@link org.hibernate.LazyInitializationException} is thrown outside
+ * the Hibernate session that loaded the entity.
+ *
+ * <p><b>Known limitation:</b> calling {@code getDocumentById} (or any other service method) from
+ * within an already-open transaction is not covered here. When an outer transaction is active,
+ * the service's own {@code @Transactional} merges into it and Hibernate keeps the same session
+ * open, so the lazy-init guard behaves differently than in a non-transactional caller. This is a
+ * known constraint of the test setup, not a bug in the production code.
+ */
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.NONE)
+@ActiveProfiles("test")
+@Import(PostgresContainerConfig.class)
+class DocumentLazyLoadingTest {
+
+    @MockitoBean
+    S3Client s3Client;
+
+    @Autowired
+    DocumentRepository documentRepository;
+
+    @Autowired
+    PersonRepository personRepository;
+
+    @Autowired
+    TagRepository tagRepository;
+
+    @Autowired
+    DocumentService documentService;
+
+    @Autowired
+    DashboardService dashboardService;
+
+    @MockitoBean
+    AuditLogQueryService auditLogQueryService;
+
+    @AfterEach
+    void cleanup() {
+        documentRepository.deleteAll();
+        tagRepository.deleteAll();
+        personRepository.deleteAll();
+    }
+
+    @Test
+    void getDocumentById_tagsAndReceiversAccessible_afterReturnFromService() {
+        Person sender = savedPerson("Max", "LzSender");
+        Person receiver = savedPerson("Anna", "LzReceiver");
+        Tag tag = savedTag("LzTag");
+        Document doc = savedDocument("LazyTest", "lazy_test.pdf", sender, Set.of(receiver), Set.of(tag));
+
+        Document result = documentService.getDocumentById(doc.getId());
+
+        // Only the collection access itself is in assertThatCode — guards against LazyInitializationException.
+        // Value assertions live outside so failures surface as AssertionError, not as unexpected exception.
+        assertThatCode(() -> {
+            result.getTags().size();
+            result.getReceivers().size();
+        }).doesNotThrowAnyException();
+        assertThat(result.getTags()).isNotEmpty();
+        result.getTags().forEach(t -> assertThat(t.getName()).isNotNull());
+        assertThat(result.getReceivers()).isNotEmpty();
+        result.getReceivers().forEach(r -> assertThat(r.getLastName()).isNotNull());
+    }
+
+    @Test
+    void getRecentActivity_collectionsAccessibleAfterReturn() {
+        Person sender = savedPerson("Hans", "RaSender");
+        Tag tag = savedTag("RaTag");
+        for (int i = 0; i < 3; i++) {
+            savedDocument("RaDoc " + i, "ra_doc" + i + ".pdf", sender, Set.of(), Set.of(tag));
+        }
+
+        List<Document> results = documentService.getRecentActivity(3);
+
+        // Access lazy fields inside assertThatCode — guards against LazyInitializationException.
+        // Value assertions live outside so failures surface as AssertionError, not as unexpected exception.
+        assertThatCode(() -> {
+            results.forEach(d -> d.getSender().getLastName());
+            results.forEach(d -> d.getTags().size());
+        }).doesNotThrowAnyException();
+        results.forEach(d -> assertThat(d.getSender()).isNotNull());
+        results.forEach(d -> assertThat(d.getSender().getLastName()).isNotNull());
+        results.forEach(d -> assertThat(d.getTags()).isNotEmpty());
+    }
+
+    @Test
+    void searchDocuments_receiverSort_doesNotThrowLazyInitializationException() {
+        Person sender = savedPerson("Hans", "SrSender");
+        Person receiver = savedPerson("Anna", "SrReceiver");
+        Tag tag = savedTag("SrTag");
+        savedDocument("SrDoc", "sr_doc.pdf", sender, Set.of(receiver), Set.of(tag));
+
+        DocumentSearchResult result = documentService.searchDocuments(
+                null, null, null, null, null, null, null, null,
+                DocumentSort.RECEIVER, "asc", null,
+                PageRequest.of(0, 20));
+        assertThat(result.totalElements()).isGreaterThan(0);
+        assertThatCode(() ->
+                result.items().forEach(i -> i.document().getSender().getLastName()))
+                .doesNotThrowAnyException();
+    }
+
+    @Test
+    void searchDocuments_senderSort_doesNotThrowLazyInitializationException() {
+        Person sender = savedPerson("Hans", "SsSender");
+        Tag tag = savedTag("SsTag");
+        savedDocument("SsDoc", "ss_doc.pdf", sender, Set.of(), Set.of(tag));
+
+        assertThatCode(() -> documentService.searchDocuments(
+                null, null, null, null, null, null, null, null,
+                DocumentSort.SENDER, "asc", null,
+                PageRequest.of(0, 20)))
+                .doesNotThrowAnyException();
+    }
+
+    @Test
+    void dashboardService_getResume_accessesReceiversViaGetDocumentById_withoutException() {
+        Person sender = savedPerson("Max", "DsSender");
+        Person receiver = savedPerson("Anna", "DsReceiver");
+        Document doc = savedDocument("DashboardTest", "dashboard_test.pdf", sender, Set.of(receiver), Set.of());
+        UUID fakeUserId = UUID.randomUUID();
+        when(auditLogQueryService.findMostRecentDocumentForUser(any())).thenReturn(Optional.of(doc.getId()));
+        when(auditLogQueryService.findRecentContributorsPerDocument(any())).thenReturn(java.util.Map.of());
+
+        assertThatCode(() -> dashboardService.getResume(fakeUserId))
+                .doesNotThrowAnyException();
+    }
+
+    private Person savedPerson(String firstName, String lastName) {
+        return personRepository.save(Person.builder().firstName(firstName).lastName(lastName).build());
+    }
+
+    private Tag savedTag(String name) {
+        return tagRepository.save(Tag.builder().name(name).build());
+    }
+
+    private Document savedDocument(String title, String filename, Person sender,
+                                   Set<Person> receivers, Set<Tag> tags) {
+        return documentRepository.save(Document.builder()
+                .title(title).originalFilename(filename)
+                .status(DocumentStatus.UPLOADED)
+                .sender(sender)
+                .receivers(new HashSet<>(receivers))
+                .tags(new HashSet<>(tags))
+                .build());
+    }
+}

backend/src/test/java/org/raddatz/familienarchiv/document/DocumentRepositoryTest.java

@@ -1,5 +1,9 @@
 package org.raddatz.familienarchiv.document;
 
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.EntityManagerFactory;
+import org.hibernate.SessionFactory;
+import org.hibernate.stat.Statistics;
 import org.junit.jupiter.api.Test;
 import org.raddatz.familienarchiv.PostgresContainerConfig;
 import org.raddatz.familienarchiv.config.FlywayConfig;
@@ -21,6 +25,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.jdbc.test.autoconfigure.AutoConfigureTestDatabase;
 import org.springframework.boot.data.jpa.test.autoconfigure.DataJpaTest;
 import org.springframework.context.annotation.Import;
+import org.springframework.data.jpa.domain.Specification;
 
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.PageRequest;
@@ -55,6 +60,12 @@ class DocumentRepositoryTest {
     @Autowired
     private TranscriptionBlockRepository transcriptionBlockRepository;
 
+    @Autowired
+    private EntityManagerFactory entityManagerFactory;
+
+    @Autowired
+    private EntityManager entityManager;
+
     // ─── save and findById ────────────────────────────────────────────────────
 
     @Test
@@ -490,6 +501,117 @@ class DocumentRepositoryTest {
         assertThat(ids).containsExactlyInAnyOrder(grandparent.getId(), parent2.getId(), child2.getId());
     }
 
+    // ─── query-count — entity-graph assertions ────────────────────────────────
+
+    @Test
+    void findAll_withSpecAndPageable_loadsDocumentsInAtMostFiveStatements() {
+        Person sender = personRepository.save(Person.builder().firstName("Hans").lastName("QcSender").build());
+        Person receiver = personRepository.save(Person.builder().firstName("Anna").lastName("QcReceiver").build());
+        Tag tag = tagRepository.save(Tag.builder().name("QcTag").build());
+        for (int i = 0; i < 10; i++) {
+            documentRepository.save(Document.builder()
+                    .title("QcDoc " + i).originalFilename("qcdoc" + i + ".pdf")
+                    .status(DocumentStatus.UPLOADED)
+                    .sender(sender)
+                    .receivers(new HashSet<>(Set.of(receiver)))
+                    .tags(new HashSet<>(Set.of(tag)))
+                    .build());
+        }
+        entityManager.flush();
+        entityManager.clear();
+        Statistics stats = entityManagerFactory.unwrap(SessionFactory.class).getStatistics();
+        stats.setStatisticsEnabled(true);
+        stats.clear();
+
+        Specification<Document> allDocs = (root, query, cb) -> null;
+        documentRepository.findAll(allDocs, PageRequest.of(0, 10));
+
+        assertThat(stats.getPrepareStatementCount())
+                .as("@EntityGraph(Document.list) must load 10 docs in ≤5 statements, not N+1")
+                .isLessThanOrEqualTo(5);
+    }
+
+    @Test
+    void findById_loadsSenderReceiversAndTagsInAtMostTwoStatements() {
+        Person sender = personRepository.save(Person.builder().firstName("Max").lastName("FbSender").build());
+        Set<Person> receivers = new HashSet<>();
+        for (int i = 0; i < 3; i++) {
+            receivers.add(personRepository.save(
+                    Person.builder().firstName("R" + i).lastName("FbReceiver").build()));
+        }
+        Set<Tag> tags = new HashSet<>();
+        for (int i = 0; i < 5; i++) {
+            tags.add(tagRepository.save(Tag.builder().name("FbTag" + i).build()));
+        }
+        Document doc = documentRepository.save(Document.builder()
+                .title("FindByIdQc").originalFilename("findbyid_qc.pdf")
+                .status(DocumentStatus.UPLOADED)
+                .sender(sender).receivers(receivers).tags(tags)
+                .build());
+        entityManager.flush();
+        entityManager.clear();
+        Statistics stats = entityManagerFactory.unwrap(SessionFactory.class).getStatistics();
+        stats.setStatisticsEnabled(true);
+        stats.clear();
+
+        documentRepository.findById(doc.getId());
+
+        assertThat(stats.getPrepareStatementCount())
+                .as("@EntityGraph(Document.full) must load sender+receivers+tags in ≤2 statements, not 4")
+                .isLessThanOrEqualTo(2);
+    }
+
+    @Test
+    void findAll_withPageable_loadsSenderWithoutNPlusOne() {
+        Person sender = personRepository.save(Person.builder().firstName("Maria").lastName("RaSender").build());
+        Tag tag = tagRepository.save(Tag.builder().name("RaTag2").build());
+        for (int i = 0; i < 5; i++) {
+            documentRepository.save(Document.builder()
+                    .title("RaDoc2 " + i).originalFilename("radoc2_" + i + ".pdf")
+                    .status(DocumentStatus.UPLOADED)
+                    .sender(sender)
+                    .tags(new HashSet<>(Set.of(tag)))
+                    .build());
+        }
+        entityManager.flush();
+        entityManager.clear();
+        Statistics stats = entityManagerFactory.unwrap(SessionFactory.class).getStatistics();
+        stats.setStatisticsEnabled(true);
+        stats.clear();
+
+        documentRepository.findAll(PageRequest.of(0, 5, Sort.by(Sort.Direction.DESC, "updatedAt")));
+
+        assertThat(stats.getPrepareStatementCount())
+                .as("@EntityGraph(Document.list) via findAll(Pageable) must not N+1 sender for 5 docs")
+                .isLessThanOrEqualTo(5);
+    }
+
+    @Test
+    void findAll_withSpecOnly_appliesEntityGraphInAtMostFiveStatements() {
+        Person sender = personRepository.save(Person.builder().firstName("Otto").lastName("SoSender").build());
+        Tag tag = tagRepository.save(Tag.builder().name("SoTag").build());
+        for (int i = 0; i < 5; i++) {
+            documentRepository.save(Document.builder()
+                    .title("SoDoc " + i).originalFilename("sodoc_" + i + ".pdf")
+                    .status(DocumentStatus.UPLOADED)
+                    .sender(sender)
+                    .tags(new HashSet<>(Set.of(tag)))
+                    .build());
+        }
+        entityManager.flush();
+        entityManager.clear();
+        Statistics stats = entityManagerFactory.unwrap(SessionFactory.class).getStatistics();
+        stats.setStatisticsEnabled(true);
+        stats.clear();
+
+        Specification<Document> allDocs = (root, query, cb) -> null;
+        documentRepository.findAll(allDocs);
+
+        assertThat(stats.getPrepareStatementCount())
+                .as("@EntityGraph(Document.list) via findAll(Spec) must not N+1 sender for 5 docs")
+                .isLessThanOrEqualTo(5);
+    }
+
     // ─── seeding helpers ─────────────────────────────────────────────────────
 
     private Document uploaded(String title) {

backend/src/test/java/org/raddatz/familienarchiv/importing/MassImportServiceTest.java

@@ -135,7 +135,7 @@ class MassImportServiceTest {
     @Test
     void runImportAsync_throwsConflict_whenAlreadyRunning() {
         MassImportService.ImportStatus running = new MassImportService.ImportStatus(
-                MassImportService.State.RUNNING, "IMPORT_RUNNING", "Running...", 0, LocalDateTime.now());
+                MassImportService.State.RUNNING, "IMPORT_RUNNING", "Running...", 0, List.of(), LocalDateTime.now());
         ReflectionTestUtils.setField(service, "currentStatus", running);
 
         assertThatThrownBy(() -> service.runImportAsync())
@@ -154,9 +154,76 @@ class MassImportServiceTest {
                 .build();
         when(documentService.findByOriginalFilename("doc001.pdf")).thenReturn(Optional.of(existing));
 
-        service.importSingleDocument(minimalCells("doc001.pdf"), Optional.empty(), "doc001.pdf", "doc001");
+        Optional<MassImportService.SkipReason> result = service.importSingleDocument(minimalCells("doc001.pdf"), Optional.empty(), "doc001.pdf", "doc001");
 
         verify(documentService, never()).save(any());
+        assertThat(result).isPresent().contains(MassImportService.SkipReason.ALREADY_EXISTS);
+    }
+
+    // ─── importSingleDocument — already-exists guard fires before file I/O ─────
+
+    @Test
+    void importSingleDocument_skipsWithAlreadyExists_whenDocumentUploadedAndFileIsPresent(@TempDir Path tempDir) throws Exception {
+        // Document already exists with status UPLOADED (not PLACEHOLDER).
+        // A physical PDF file is also present on disk (valid magic bytes).
+        // Expected: ALREADY_EXISTS is returned and no S3 upload is attempted —
+        // the guard fires before any file I/O, so no partial processing occurs.
+        Document existing = Document.builder()
+                .id(UUID.randomUUID())
+                .originalFilename("present.pdf")
+                .status(DocumentStatus.UPLOADED)
+                .build();
+        when(documentService.findByOriginalFilename("present.pdf")).thenReturn(Optional.of(existing));
+
+        Path physicalFile = tempDir.resolve("present.pdf");
+        byte[] pdfHeader = {0x25, 0x50, 0x44, 0x46, 0x2D}; // %PDF-
+        Files.write(physicalFile, pdfHeader);
+
+        Optional<MassImportService.SkipReason> result = service.importSingleDocument(
+                minimalCells("present.pdf"), Optional.of(physicalFile.toFile()), "present.pdf", "present");
+
+        assertThat(result).isPresent().contains(MassImportService.SkipReason.ALREADY_EXISTS);
+        verify(s3Client, never()).putObject(any(PutObjectRequest.class), any(RequestBody.class));
+        verify(documentService, never()).save(any());
+    }
+
+    // ─── importSingleDocument — S3 failure surfaced in skippedFiles ──────────
+
+    @Test
+    void runImportAsync_addsS3UploadFailed_toSkippedFiles_whenS3Throws(@TempDir Path tempDir) throws Exception {
+        byte[] pdfHeader = {0x25, 0x50, 0x44, 0x46, 0x2D}; // %PDF-
+        Files.write(tempDir.resolve("upload_fail.pdf"), pdfHeader);
+        buildMinimalImportXlsx(tempDir, "upload_fail.pdf");
+        ReflectionTestUtils.setField(service, "importDir", tempDir.toString());
+        when(documentService.findByOriginalFilename("upload_fail.pdf")).thenReturn(Optional.empty());
+        doThrow(new RuntimeException("S3 unavailable"))
+                .when(s3Client).putObject(any(PutObjectRequest.class), any(RequestBody.class));
+
+        service.runImportAsync();
+
+        assertThat(service.getStatus().skipped()).isEqualTo(1);
+        assertThat(service.getStatus().skippedFiles())
+                .extracting(MassImportService.SkippedFile::filename, MassImportService.SkippedFile::reason)
+                .containsExactly(org.assertj.core.groups.Tuple.tuple("upload_fail.pdf", MassImportService.SkipReason.S3_UPLOAD_FAILED));
+    }
+
+    @Test
+    void runImportAsync_addsAlreadyExists_toSkippedFiles_whenDocumentAlreadyUploaded(@TempDir Path tempDir) throws Exception {
+        buildMinimalImportXlsx(tempDir, "existing.pdf");
+        ReflectionTestUtils.setField(service, "importDir", tempDir.toString());
+        Document existing = Document.builder()
+                .id(UUID.randomUUID())
+                .originalFilename("existing.pdf")
+                .status(DocumentStatus.UPLOADED)
+                .build();
+        when(documentService.findByOriginalFilename("existing.pdf")).thenReturn(Optional.of(existing));
+
+        service.runImportAsync();
+
+        assertThat(service.getStatus().skipped()).isEqualTo(1);
+        assertThat(service.getStatus().skippedFiles())
+                .extracting(MassImportService.SkippedFile::reason)
+                .containsExactly(MassImportService.SkipReason.ALREADY_EXISTS);
     }
 
     // ─── importSingleDocument — create new document (metadata only) ───────────
@@ -208,7 +275,7 @@ class MassImportServiceTest {
     }
 
     @Test
-    void importSingleDocument_returnsEarly_whenS3UploadFails(@TempDir Path tempDir) throws Exception {
+    void importSingleDocument_returnsS3UploadFailed_whenS3UploadFails(@TempDir Path tempDir) throws Exception {
         Path tempFile = tempDir.resolve("fail.pdf");
         Files.write(tempFile, "data".getBytes());
 
@@ -216,10 +283,11 @@ class MassImportServiceTest {
         doThrow(new RuntimeException("S3 error"))
                 .when(s3Client).putObject(any(PutObjectRequest.class), any(RequestBody.class));
 
-        service.importSingleDocument(
+        Optional<MassImportService.SkipReason> result = service.importSingleDocument(
                 minimalCells("fail.pdf"), Optional.of(tempFile.toFile()), "fail.pdf", "fail");
 
         verify(documentService, never()).save(any());
+        assertThat(result).isPresent().contains(MassImportService.SkipReason.S3_UPLOAD_FAILED);
     }
 
     // ─── importSingleDocument — sender handling ───────────────────────────────
@@ -325,8 +393,8 @@ class MassImportServiceTest {
     @Test
     void processRows_returnsZero_whenOnlyHeaderRow() {
         List<List<String>> rows = List.of(List.of("header", "col1"));
-        Integer result = ReflectionTestUtils.invokeMethod(service, "processRows", rows);
+        MassImportService.ProcessResult result = ReflectionTestUtils.invokeMethod(service, "processRows", rows);
-        assertThat(result).isEqualTo(0);
+        assertThat(result.processed()).isEqualTo(0);
     }
 
     @Test
@@ -335,8 +403,8 @@ class MassImportServiceTest {
                 List.of("header"),
                 minimalCells("")  // blank index
         );
-        Integer result = ReflectionTestUtils.invokeMethod(service, "processRows", rows);
+        MassImportService.ProcessResult result = ReflectionTestUtils.invokeMethod(service, "processRows", rows);
-        assertThat(result).isEqualTo(0);
+        assertThat(result.processed()).isEqualTo(0);
         verify(documentService, never()).findByOriginalFilename(any());
     }
 
@@ -349,9 +417,9 @@ class MassImportServiceTest {
                 List.of("header"),
                 minimalCells("doc001")  // no dot → appends ".pdf"
         );
-        Integer result = ReflectionTestUtils.invokeMethod(service, "processRows", rows);
+        MassImportService.ProcessResult result = ReflectionTestUtils.invokeMethod(service, "processRows", rows);
 
-        assertThat(result).isEqualTo(1);
+        assertThat(result.processed()).isEqualTo(1);
         verify(documentService).findByOriginalFilename("doc001.pdf");
     }
 
@@ -364,12 +432,116 @@ class MassImportServiceTest {
                 List.of("header"),
                 minimalCells("doc002.pdf")  // has dot → used as-is
         );
-        Integer result = ReflectionTestUtils.invokeMethod(service, "processRows", rows);
+        MassImportService.ProcessResult result = ReflectionTestUtils.invokeMethod(service, "processRows", rows);
 
-        assertThat(result).isEqualTo(1);
+        assertThat(result.processed()).isEqualTo(1);
         verify(documentService).findByOriginalFilename("doc002.pdf");
     }
 
+    // ─── isValidImportFilename — security regression — do not remove ─────────
+
+    @Test
+    void isValidImportFilename_returnsFalse_whenFilenameIsNull() {
+        boolean result = ReflectionTestUtils.invokeMethod(service, "isValidImportFilename", (String) null);
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void isValidImportFilename_returnsFalse_whenFilenameIsBlank() {
+        boolean result = ReflectionTestUtils.invokeMethod(service, "isValidImportFilename", "   ");
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void isValidImportFilename_returnsFalse_whenFilenameContainsForwardSlash() {
+        boolean result = ReflectionTestUtils.invokeMethod(service, "isValidImportFilename", "etc/passwd");
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void isValidImportFilename_returnsFalse_whenFilenameContainsBackslash() {
+        boolean result = ReflectionTestUtils.invokeMethod(service, "isValidImportFilename", "..\\etc\\passwd");
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void isValidImportFilename_returnsFalse_whenFilenameContainsDotDot() {
+        boolean result = ReflectionTestUtils.invokeMethod(service, "isValidImportFilename", "doc..evil.pdf");
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void isValidImportFilename_returnsFalse_whenFilenameIsDotDot() {
+        boolean result = ReflectionTestUtils.invokeMethod(service, "isValidImportFilename", "..");
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void isValidImportFilename_returnsFalse_whenFilenameIsAbsolutePath() {
+        boolean result = ReflectionTestUtils.invokeMethod(service, "isValidImportFilename", "/etc/passwd");
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void isValidImportFilename_returnsFalse_whenFilenameContainsNullByte() {
+        boolean result = ReflectionTestUtils.invokeMethod(service, "isValidImportFilename", "file\0.pdf");
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void isValidImportFilename_returnsTrue_whenFilenameIsPlainBasename() {
+        boolean result = ReflectionTestUtils.invokeMethod(service, "isValidImportFilename", "document.pdf");
+        assertThat(result).isTrue();
+    }
+
+    @Test
+    void isValidImportFilename_returnsFalse_whenFilenameContainsUnicodeDivisionSlash() {
+        boolean result = ReflectionTestUtils.invokeMethod(service, "isValidImportFilename", "foo∕bar.pdf");
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void isValidImportFilename_returnsFalse_whenFilenameContainsFullwidthSlash() {
+        boolean result = ReflectionTestUtils.invokeMethod(service, "isValidImportFilename", "foo／bar.pdf");
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void isValidImportFilename_returnsFalse_whenFilenameContainsUnicodeReverseSolidus() {
+        boolean result = ReflectionTestUtils.invokeMethod(service, "isValidImportFilename", "foo⧵bar.pdf");
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void isValidImportFilename_returnsTrue_whenFilenameHasLeadingDot() {
+        boolean result = ReflectionTestUtils.invokeMethod(service, "isValidImportFilename", ".hidden.pdf");
+        assertThat(result).isTrue();
+    }
+
+    @Test
+    void isValidImportFilename_returnsTrue_whenFilenameHasSpaces() {
+        boolean result = ReflectionTestUtils.invokeMethod(service, "isValidImportFilename", "Brief an Oma.pdf");
+        assertThat(result).isTrue();
+    }
+
+    @Test
+    void processRows_skipsRowAndContinues_whenFilenameIsPathTraversal() {
+        when(documentService.findByOriginalFilename("legitimate.pdf")).thenReturn(Optional.empty());
+        when(documentService.save(any())).thenAnswer(inv -> inv.getArgument(0));
+
+        List<List<String>> rows = List.of(
+                List.of("header"),
+                minimalCells("../evil"),       // row 1: path traversal — should be skipped
+                minimalCells("legitimate.pdf") // row 2: valid — should be processed
+        );
+        MassImportService.ProcessResult result = ReflectionTestUtils.invokeMethod(service, "processRows", rows);
+
+        assertThat(result.processed()).isEqualTo(1);
+        assertThat(result.skippedFiles())
+                .extracting(MassImportService.SkippedFile::reason)
+                .containsExactly(MassImportService.SkipReason.INVALID_FILENAME_PATH_TRAVERSAL);
+    }
+
     // ─── importSingleDocument — non-blank optional fields ────────────────────
 
     @Test
@@ -525,6 +697,82 @@ class MassImportServiceTest {
         assertThat(result).isEqualTo("hello");
     }
 
+    // ─── PDF magic byte validation regression ─────────────────────────────────
+
+    @Test
+    void runImportAsync_uploadsValidPdf_andSkipsFakeOne(@TempDir Path tempDir) throws Exception {
+        setupOneValidOneFakeImport(tempDir);
+
+        service.runImportAsync();
+
+        verify(s3Client, times(1)).putObject(any(PutObjectRequest.class), any(RequestBody.class));
+    }
+
+    @Test
+    void runImportAsync_setsSkippedCount_toOne_whenOneFakeFile(@TempDir Path tempDir) throws Exception {
+        setupOneValidOneFakeImport(tempDir);
+
+        service.runImportAsync();
+
+        assertThat(service.getStatus().skipped()).isEqualTo(1);
+    }
+
+    @Test
+    void runImportAsync_includesRejectedFilename_inSkippedFiles(@TempDir Path tempDir) throws Exception {
+        setupOneValidOneFakeImport(tempDir);
+
+        service.runImportAsync();
+
+        assertThat(service.getStatus().skippedFiles())
+                .extracting(MassImportService.SkippedFile::filename)
+                .contains("fake.pdf");
+    }
+
+    @Test
+    void runImportAsync_skipsFile_whenShorterThanFourBytes(@TempDir Path tempDir) throws Exception {
+        Files.write(tempDir.resolve("tiny.pdf"), new byte[]{0x25, 0x50, 0x44}); // only 3 bytes
+        buildMinimalImportXlsx(tempDir, "tiny.pdf");
+        ReflectionTestUtils.setField(service, "importDir", tempDir.toString());
+        lenient().when(documentService.findByOriginalFilename(any())).thenReturn(Optional.empty());
+
+        service.runImportAsync();
+
+        assertThat(service.getStatus().skipped()).isEqualTo(1);
+    }
+
+    @Test
+    void runImportAsync_skipsFile_whenMagicBytesCheckThrowsIOException(@TempDir Path tempDir) throws Exception {
+        Files.writeString(tempDir.resolve("unreadable.pdf"), "some content");
+        buildMinimalImportXlsx(tempDir, "unreadable.pdf");
+        ReflectionTestUtils.setField(service, "importDir", tempDir.toString());
+        lenient().when(documentService.findByOriginalFilename(any())).thenReturn(Optional.empty());
+
+        MassImportService spyService = spy(service);
+        doThrow(new java.io.IOException("simulated read error")).when(spyService).openFileStream(any(File.class));
+
+        spyService.runImportAsync();
+
+        assertThat(spyService.getStatus().skipped()).isEqualTo(1);
+        assertThat(spyService.getStatus().skippedFiles())
+                .extracting(MassImportService.SkippedFile::reason)
+                .containsExactly(MassImportService.SkipReason.FILE_READ_ERROR);
+    }
+
+    // ─── findFileRecursive — symlink escape security regression — do not remove ─
+
+    @Test
+    void findFileRecursive_throwsDomainException_whenSymlinkEscapesImportDir(
+            @TempDir Path importDirPath, @TempDir Path outsideDir) throws Exception {
+        Path outsideFile = outsideDir.resolve("secret.pdf");
+        Files.writeString(outsideFile, "sensitive content");
+        Files.createSymbolicLink(importDirPath.resolve("secret.pdf"), outsideFile);
+
+        ReflectionTestUtils.setField(service, "importDir", importDirPath.toString());
+
+        assertThatThrownBy(() -> ReflectionTestUtils.invokeMethod(service, "findFileRecursive", "secret.pdf"))
+                .isInstanceOf(DomainException.class);
+    }
+
     // ─── readOds — XXE security regression ───────────────────────────────────
 
     // Security regression — do not remove.
@@ -621,4 +869,28 @@ class MassImportServiceTest {
         }
         return destination.toFile();
     }
+
+    private void setupOneValidOneFakeImport(Path tempDir) throws Exception {
+        byte[] pdfHeader = {0x25, 0x50, 0x44, 0x46, 0x2D}; // %PDF-
+        Files.write(tempDir.resolve("real.pdf"), pdfHeader);
+        Files.writeString(tempDir.resolve("fake.pdf"), "not a pdf");
+        buildMinimalImportXlsx(tempDir, "real.pdf", "fake.pdf");
+        ReflectionTestUtils.setField(service, "importDir", tempDir.toString());
+        when(documentService.findByOriginalFilename(any())).thenReturn(Optional.empty());
+        when(documentService.save(any())).thenAnswer(inv -> inv.getArgument(0));
+    }
+
+    private void buildMinimalImportXlsx(Path dir, String... filenames) throws Exception {
+        Path xlsx = dir.resolve("import.xlsx");
+        try (XSSFWorkbook wb = new XSSFWorkbook()) {
+            org.apache.poi.ss.usermodel.Sheet sheet = wb.createSheet("Sheet1");
+            sheet.createRow(0).createCell(0).setCellValue("Index");
+            for (int i = 0; i < filenames.length; i++) {
+                sheet.createRow(i + 1).createCell(0).setCellValue(filenames[i]);
+            }
+            try (OutputStream out = Files.newOutputStream(xlsx)) {
+                wb.write(out);
+            }
+        }
+    }
 }

backend/src/test/java/org/raddatz/familienarchiv/user/AdminControllerTest.java

@@ -47,7 +47,7 @@ class AdminControllerTest {
     @WithMockUser(authorities = "ADMIN")
     void importStatus_returns200_withStatusCode_whenAdmin() throws Exception {
         MassImportService.ImportStatus status = new MassImportService.ImportStatus(
-                MassImportService.State.IDLE, "IMPORT_IDLE", "Kein Import gestartet.", 0, null);
+                MassImportService.State.IDLE, "IMPORT_IDLE", "Kein Import gestartet.", 0, List.of(), null);
         when(massImportService.getStatus()).thenReturn(status);
 
         mockMvc.perform(get("/api/admin/import-status"))
@@ -61,7 +61,7 @@ class AdminControllerTest {
     @WithMockUser(authorities = "ADMIN")
     void importStatus_messageField_notPresentInApiResponse() throws Exception {
         MassImportService.ImportStatus status = new MassImportService.ImportStatus(
-                MassImportService.State.IDLE, "IMPORT_IDLE", "Kein Import gestartet.", 0, null);
+                MassImportService.State.IDLE, "IMPORT_IDLE", "Kein Import gestartet.", 0, List.of(), null);
         when(massImportService.getStatus()).thenReturn(status);
 
         mockMvc.perform(get("/api/admin/import-status"))

backend/src/test/java/org/raddatz/familienarchiv/user/UserControllerTest.java

@@ -20,6 +20,8 @@ import org.springframework.test.web.servlet.MockMvc;
 import java.util.UUID;
 
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -178,7 +180,7 @@ class UserControllerTest {
                         .content("{\"currentPassword\":\"old\",\"newPassword\":\"new123!\"}"))
                 .andExpect(status().isNoContent());
 
-        org.mockito.Mockito.verify(authService).revokeOtherSessions(any(), org.mockito.ArgumentMatchers.eq("user@example.com"));
+        verify(authService).revokeOtherSessions(any(), eq("user@example.com"));
     }
 
     @Test
@@ -189,6 +191,16 @@ class UserControllerTest {
                 .andExpect(status().isUnauthorized());
     }
 
+    @Test
+    @WithMockUser(username = "user@example.com")
+    void changePassword_without_csrf_returns_403_CSRF_TOKEN_MISSING() throws Exception {
+        mockMvc.perform(post("/api/users/me/password")
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content("{\"currentPassword\":\"old\",\"newPassword\":\"new123!\"}"))
+                .andExpect(status().isForbidden())
+                .andExpect(jsonPath("$.code").value("CSRF_TOKEN_MISSING"));
+    }
+
     // ─── POST /api/users/{id}/force-logout ────────────────────────────────────
 
     @Test
@@ -230,4 +242,12 @@ class UserControllerTest {
         mockMvc.perform(post("/api/users/" + targetId + "/force-logout").with(csrf()))
                 .andExpect(status().isNotFound());
     }
+
+    @Test
+    @WithMockUser(username = "admin@example.com", authorities = "ADMIN_USER")
+    void forceLogout_without_csrf_returns_403_CSRF_TOKEN_MISSING() throws Exception {
+        mockMvc.perform(post("/api/users/" + UUID.randomUUID() + "/force-logout"))
+                .andExpect(status().isForbidden())
+                .andExpect(jsonPath("$.code").value("CSRF_TOKEN_MISSING"));
+    }
 }

docker-compose.prod.yml

@@ -252,6 +252,8 @@ services:
       OTEL_METRICS_EXPORTER: none
       MANAGEMENT_METRICS_TAGS_APPLICATION: Familienarchiv
       MANAGEMENT_TRACING_SAMPLING_PROBABILITY: ${MANAGEMENT_TRACING_SAMPLING_PROBABILITY:-0.1}
+      SENTRY_DSN: ${SENTRY_DSN:-}
+      LOGGING_STRUCTURED_FORMAT_CONSOLE: ecs
     networks:
       - archiv-net
     healthcheck:
@@ -266,6 +268,10 @@ services:
     build:
       context: ./frontend
       target: production
+      args:
+        # Vite build-time variable — baked into the JS bundle at build time.
+        # Empty default so deploys succeed before the secret is configured.
+        VITE_SENTRY_DSN: ${VITE_SENTRY_DSN:-}
     restart: unless-stopped
     depends_on:
       backend:
@@ -276,6 +282,9 @@ services:
       # SSR fetches go inside the docker network; clients hit https://${APP_DOMAIN}
       API_INTERNAL_URL: http://backend:8080
       ORIGIN: https://${APP_DOMAIN}
+      # Enforce upload size limit in the adapter-node layer (fixes GHSA-2crg-3p73-43xp bypass).
+      # Must be ≤ client_max_body_size in the Caddy reverse proxy to avoid 413 mismatches.
+      BODY_SIZE_LIMIT: 50M
     networks:
       - archiv-net
     healthcheck:

docker-compose.yml

@@ -228,6 +228,9 @@ services:
       API_INTERNAL_URL: http://backend:8080
       # Vite dev proxy forwards /api from browser to the backend container
       API_PROXY_TARGET: http://backend:8080
+      # Upload size limit for adapter-node (production target). Not enforced by Vite dev server
+      # but kept here to match docker-compose.prod.yml and prevent config drift.
+      BODY_SIZE_LIMIT: 50M
     ports:
       - "${PORT_FRONTEND}:5173"
     networks:

docs/ARCHITECTURE.md

@@ -63,7 +63,7 @@ Members of the cross-cutting layer have no entity of their own, no user-facing C
 | `audit` | Append-only event store (`audit_log`) for all domain mutations. Feeds the activity feed and Family Pulse dashboard. | Consumed by 5+ domains; no user-facing CRUD of its own |
 | `config` | Infrastructure bean definitions: `MinioConfig`, `AsyncConfig`, `WebConfig` | Framework infra; no business logic |
 | `dashboard` | Stats aggregation for the admin dashboard and Family Pulse widget | Aggregates from 3+ domains; no owned entities |
-| `exception` | `DomainException`, `ErrorCode` enum, `GlobalExceptionHandler` | Framework infra; consumed by every controller and service. Adding a new `ErrorCode` requires matching updates in `frontend/src/lib/shared/errors.ts` and all three `messages/*.json` locale files. |
+| `exception` | `DomainException`, `ErrorCode` enum, `GlobalExceptionHandler` | Framework infra; consumed by every controller and service. Adding a new `ErrorCode` requires matching updates in `frontend/src/lib/shared/errors.ts` and all three `messages/*.json` locale files. Current security-related codes: `CSRF_TOKEN_MISSING` (403 on mutating request without valid `X-XSRF-TOKEN` header), `TOO_MANY_LOGIN_ATTEMPTS` (429 when login rate limit exceeded). |
 | `filestorage` | `FileService` — MinIO/S3 upload, download, presigned-URL generation | Generic service; consumed by `document` and `ocr` |
 | `importing` | `MassImportService` — async ODS/Excel batch import | Orchestrates across `person`, `tag`, `document` |
 | `security` | `SecurityConfig`, `Permission` enum, `@RequirePermission` annotation, `PermissionAspect` (AOP) | Framework infra; enforced globally across all controllers |
@@ -117,7 +117,7 @@ Controllers never call repositories directly. Services never reach into another
 ### Permission system
 Permissions are enforced via `@RequirePermission(Permission.X)` on controller methods, checked at runtime by `PermissionAspect` (Spring AOP). The `Permission` enum defines the available capabilities (`READ_ALL`, `WRITE_ALL`, `ADMIN`, `ADMIN_USER`, `ADMIN_TAG`, `ADMIN_PERMISSION`, `ANNOTATE_ALL`, `BLOG_WRITE`). This is not Spring Security's `@PreAuthorize` — do not mix the two mechanisms.
 
-Sessions use a Base64-encoded Basic Auth token stored in an `httpOnly`, `SameSite=strict` cookie (`auth_token`, maxAge=86400 s). CSRF protection is disabled because this cookie configuration structurally prevents cross-origin credential theft. See [docs/security-guide.md](security-guide.md) for the full security reference.
+Sessions use a Spring Session JDBC-backed cookie (`fa_session`, `httpOnly`, `SameSite=strict`, maxAge=86400 s). CSRF protection uses the double-submit cookie pattern: Spring Security sets an `XSRF-TOKEN` cookie (readable by JS); SvelteKit's `handleFetch` injects the value as `X-XSRF-TOKEN` on every mutating request; a missing or mismatched token returns `403 CSRF_TOKEN_MISSING`. See [ADR-022](adr/022-csrf-session-revocation-rate-limiting.md) and [docs/security-guide.md](security-guide.md) for the full security reference.
 
 ---
 

docs/GLOSSARY.md

@@ -57,6 +57,10 @@ _See also [Annotation](#annotation-documentannotation)._
 
 **Mass import** — an asynchronous batch process (`MassImportService`) that reads an Excel or ODS file and creates `Person`s, `Tag`s, and `PLACEHOLDER` `Document`s in one shot. Only one import can run at a time (`IMPORT_ALREADY_RUNNING` error if attempted concurrently).
 
+**SkippedFile** (`MassImportService.SkippedFile`) — a file that was presented for import but not processed, recorded with a `filename` and a `reason` code. Possible reasons: `INVALID_PDF_SIGNATURE` (magic-byte validation failed), `S3_UPLOAD_FAILED` (file upload to MinIO/S3 threw an exception), `FILE_READ_ERROR` (the file could not be opened for reading), or `ALREADY_EXISTS` (a document with the same filename already exists in the archive with a status other than `PLACEHOLDER`).
+
+**skipped count** — the total number of `SkippedFile` entries accumulated during a single import run (`ImportStatus.skipped()`). Shown in the amber warning section of the Import Status Card in the admin UI; a value of zero suppresses the section entirely.
+
 **Transcription queue** — the set of `Document`s and `TranscriptionBlock`s awaiting work, computed on-the-fly from `Document`/`Block` status. Three views: segmentation queue, transcription queue, ready-to-read queue. NOT a persistent entity — no `transcription_queues` table exists.
 _See also [DocumentStatus lifecycle](#documentstatus-lifecycle)._
 
@@ -76,6 +80,14 @@ _See also [DocumentStatus lifecycle](#documentstatus-lifecycle)._
 
 **Sütterlin** — A specific standardized style of Kurrent taught in German schools from 1915 to 1941.
 
+**Illegible word** — a word whose recognition confidence falls below the configured threshold; replaced with the literal token `[unleserlich]` in the rendered block text and counted in the `ocr_illegible_words_total` Prometheus counter.
+
+**Models-ready gauge** — the `ocr_models_ready` Prometheus gauge, flipped from `0` to `1` once the FastAPI lifespan startup has finished loading the Kraken model and the spell-checker. Used both for the `/health` endpoint and as the supervised signal for the `ocr_models_ready < 1 for 2m` alert.
+
+**Recognition model accuracy** — the accuracy reported by `ketos train` for the recognition (text-line) model, exposed as `ocr_model_accuracy{kind="recognition"}`. Sourced from `_parse_best_checkpoint` on the highest-scoring checkpoint after training.
+
+**Segmentation model accuracy** — the accuracy reported by `ketos segtrain` for the baseline layout analysis (`blla`) model, exposed as `ocr_model_accuracy{kind="segmentation"}`. Distinct from recognition accuracy because the two models are trained and improved independently.
+
 ---
 
 ## Other Domain Terms

docs/OBSERVABILITY.md

@@ -118,11 +118,14 @@ To find a trace for a specific request in staging/production, either increase th
 
 ## Metrics (Prometheus → Grafana)
 
-Prometheus scrapes the backend management endpoint every 15 s:
+Prometheus scrapes two targets every 15 s:
 
 ```
 Target: backend:8081/actuator/prometheus
 Labels: job="spring-boot", application="Familienarchiv"
+
+Target: ocr:8000/metrics
+Labels: job="ocr-service"
 ```
 
 All Spring Boot metrics carry the `application="Familienarchiv"` tag, which is how the Grafana Spring Boot Observability dashboard (ID 17175) filters to this service.
@@ -146,6 +149,70 @@ jvm_memory_used_bytes{area="heap", application="Familienarchiv"}
 hikaricp_connections_active
 ```
 
+### OCR-service custom metrics
+
+Exposed at `ocr:8000/metrics` by `prometheus-fastapi-instrumentator`. The
+`http_*` metrics describe the FastAPI request layer; the `ocr_*` series are
+domain-specific. **Never label these with PII or document content** — labels
+have unbounded cardinality risk and are visible to anyone with Grafana access.
+
+| Metric | Type | Labels | Unit | What it tracks |
+|---|---|---|---|---|
+| `ocr_jobs_total` | Counter | `engine` (`surya`/`kraken`), `script_type` | jobs | OCR jobs that started after a successful PDF download |
+| `ocr_pages_total` | Counter | `engine` | pages | Successfully OCR'd pages in the streaming generator |
+| `ocr_skipped_pages_total` | Counter | — | pages | Pages skipped because the engine raised on them |
+| `ocr_words_total` | Counter | — | words | Recognized words summed across every block |
+| `ocr_illegible_words_total` | Counter | — | words | Words below the confidence threshold (rendered as `[unleserlich]`) |
+| `ocr_processing_seconds` | Histogram | `engine` | seconds | Per-page (stream) or per-document (`/ocr`) engine time, excluding preprocessing |
+| `ocr_training_runs_total` | Counter | `kind` (`recognition`/`segmentation`), `outcome` (`success`/`error`) | runs | Completed training runs |
+| `ocr_model_accuracy` | Gauge | `kind` | ratio (0–1) | Latest accuracy reported by a successful training run |
+| `ocr_models_ready` | Gauge | — | 0\|1 | 1 once the lifespan startup has finished loading models |
+
+Canonical example queries (the same ones referenced in issue #652):
+
+```promql
+# OCR throughput by engine
+sum by (engine) (rate(ocr_pages_total[5m]))
+
+# Share of words rendered as [unleserlich]
+sum(rate(ocr_illegible_words_total[5m]))
+  / sum(rate(ocr_words_total[5m]))
+
+# p95 page processing time per engine
+histogram_quantile(0.95, sum by (engine, le) (
+  rate(ocr_processing_seconds_bucket[5m])
+))
+
+# Training error rate
+sum(rate(ocr_training_runs_total{outcome="error"}[1h]))
+  / sum(rate(ocr_training_runs_total[1h]))
+
+# Latest recognition vs segmentation accuracy
+ocr_model_accuracy
+```
+
+### Internal-only endpoints
+
+`/metrics` is exposed by the OCR service over plain HTTP without
+authentication. The container is reachable only on the internal Docker
+network — Caddy never proxies to it directly. If the service is ever
+exposed (e.g. a `ports:` mapping is added), block the endpoint at the
+reverse proxy:
+
+```caddy
+ocr.example.com {
+    @internal_only path /metrics /health
+    respond @internal_only 404
+    reverse_proxy ocr:8000
+}
+```
+
+The `MetricsPathFilter` in `ocr-service/main.py` suppresses uvicorn's
+**stdout** access log lines for `/metrics` and `/health` so the container
+console stays focused on real OCR traffic. Promtail/Loki still receive
+access lines from any other source. Treat the filter as console
+noise-control, not an audit-suppression mechanism.
+
 ## Errors (GlitchTip)
 
 GlitchTip receives errors from both the backend (via Sentry Java SDK) and the frontend (via Sentry JavaScript SDK). It groups events by fingerprint, tracks first/last seen times, and links to the release that introduced the error.

docs/adr/022-csrf-session-revocation-rate-limiting.md

@@ -104,3 +104,12 @@ source.
   because `@WebMvcTest` slices exclude `JacksonAutoConfiguration`. The response
   only serialises a fixed String key (`"code"`) so naming strategy and custom
   modules are irrelevant.
+- IP extraction uses `HttpServletRequest.getRemoteAddr()`. In deployments behind
+  a reverse proxy the `X-Forwarded-For` header is not trusted — doing so would
+  let clients spoof their IP and trivially bypass the per-IP limit. Trusting
+  proxy headers requires separate work (e.g. Spring's `ForwardedHeaderFilter`
+  with an allowlist of trusted proxy addresses).
+- IPv6 and IPv4-mapped addresses (e.g. `::ffff:1.2.3.4`) are not normalised to
+  a canonical form. An attacker with access to multiple IPv6 addresses could
+  rotate addresses to bypass the per-IP bucket. This is a known limitation of
+  address-based rate limiting and is acceptable for the current deployment.

docs/adr/022-eager-to-lazy-fetch-strategy.md

@@ -0,0 +1,110 @@
+# ADR-022 — EAGER→LAZY Fetch Strategy for Document Collections
+
+**Date:** 2026-05-18
+**Status:** Accepted
+**Issue:** #467
+**PR:** #622
+
+---
+
+## Context
+
+A pre-production query audit of 24 HTTP requests to the document list and detail endpoints
+produced **2,733 SQL statements** — primarily N+1 queries caused by `FetchType.EAGER` on
+`Document.receivers`, `Document.tags`, `Document.trainingLabels`, and `Document.sender`.
+
+With EAGER fetch, every `Document` loaded by any repository method immediately triggers
+additional `SELECT` statements for each associated collection, regardless of whether the
+caller needs those associations. For a list of 100 documents, this means up to 400 extra
+queries for `receivers` alone.
+
+---
+
+## Decision
+
+Switch all four associations to `FetchType.LAZY` and use a two-tier strategy to load exactly
+what each code path needs:
+
+**Tier 1 — Named entity graphs on `Document` + `@EntityGraph` overrides on `DocumentRepository`:**
+
+- `Document.full` — loads `sender`, `receivers`, `tags` — used by `findById` (detail view)
+- `Document.list` — loads `sender`, `tags` — used by `findAll(Spec, Pageable)`,
+  `findAll(Spec)`, and `findAll(Pageable)` (list/search/dashboard paths)
+
+Each repository method that is called from a hot code path has an `@EntityGraph` override
+that declares exactly which associations to JOIN-fetch, collapsing N+1 into 1–2 queries.
+
+**Tier 2 — `@BatchSize(50)` fallback on all four associations:**
+
+For any lazy access path not covered by an entity graph (e.g., a future ad-hoc query or an
+in-memory sort that touches `trainingLabels`), Hibernate batches the secondary `SELECT` to
+at most one statement per 50 entities instead of one per entity.
+
+**Session lifetime for post-return lazy access:**
+
+`getDocumentById` and `getRecentActivity` return entities to callers that may access lazy
+associations after the repository call returns. Both methods are annotated
+`@Transactional(readOnly = true)` to keep the Hibernate session open until the service method
+returns, making those post-return accesses safe.
+
+This is an intentional exception to the project convention that read methods are not annotated
+(see `CLAUDE.md §Services`). The convention remains correct for all other read methods; this
+exception applies only to methods that serve lazy-initialized associations to their callers.
+
+---
+
+## Alternatives Considered
+
+### `@BatchSize`-only (no entity graphs)
+
+`@BatchSize(50)` on all associations would eliminate the worst N+1 cases (100 documents → 2
+batch queries instead of 100 individual queries) without requiring repository overrides. Simpler
+to maintain — no named graph definitions, no per-method overrides.
+
+Rejected because batch loading is best-effort: it depends on what Hibernate happens to find in
+the first-level cache and produces a variable number of statements. Entity graphs produce a
+deterministic, verifiable statement count that can be asserted in tests. The query-count test
+suite (`DocumentRepositoryTest`) validates the exact statement bounds on every CI run.
+
+### Single unified entity graph (`Document.full` everywhere)
+
+Loading `receivers` on every list query is wasteful — the document list view only needs
+`sender` and `tags`. `receivers` is a `@ManyToMany` collection that, when JOIN-fetched together
+with `tags`, forces Hibernate to split into two queries anyway (to avoid Cartesian product).
+Using a single graph on list paths would load data the UI does not display.
+
+Rejected in favour of two graphs with distinct scopes: `Document.list` for list paths
+(sender + tags), `Document.full` for detail paths (sender + receivers + tags).
+
+### `@Transactional` on the Spring Data repository methods
+
+Spring Data allows `@Transactional` on repository interfaces directly. This would keep the
+session open for all calls to those methods without touching the service layer.
+
+Rejected because the transaction boundary belongs at the service layer — repositories should
+not own transaction lifecycle. The service methods are the natural scope for "keep the session
+open long enough for the caller to use the result."
+
+---
+
+## Consequences
+
+- **Query count reduced from ~2,733 to ≤10 statements per 24 HTTP requests** — verified by
+  `DocumentRepositoryTest` query-count assertions and `DocumentLazyLoadingTest` smoke tests.
+- **Read methods that return lazily-initialized entities must carry `@Transactional(readOnly = true)`.**
+  Any future service method that loads a `Document` and returns it to a caller that accesses
+  lazy associations must follow this pattern. Removing the annotation causes
+  `LazyInitializationException` in production.
+- **New lazy code paths need an entity graph or `@BatchSize` review.** Any new
+  `DocumentRepository` method added to a hot code path should be assessed for N+1 risk and
+  given an `@EntityGraph` override if warranted.
+- **`@JsonIgnoreProperties({"hibernateLazyInitializer", "handler"})` required on serialized lazy-proxy entities.**
+  `Person` and `Tag` carry this annotation to prevent Jackson from attempting to serialize
+  Hibernate proxy internals when the association is not initialized. Any new entity that is
+  used as a lazy association and serialized directly (without a DTO) needs the same annotation.
+- **Named graph strings in `Document.java` and `DocumentRepository.java` must stay in sync.**
+  The `@NamedEntityGraph(name = "Document.full")` / `@NamedEntityGraph(name = "Document.list")`
+  definitions on `Document` are referenced by string in every `@EntityGraph(value = "...")` on
+  `DocumentRepository`. If the names diverge (e.g. a graph is renamed in one place but not the
+  other), Spring Data throws at application startup. Always update both files together when
+  renaming or restructuring a named graph.

docs/adr/023-prometheus-instrumentator-and-metrics-registry-injection.md

@@ -0,0 +1,94 @@
+# ADR-023: Prometheus Instrumentator and Metrics Registry Injection
+
+## Status
+
+Accepted
+
+## Context
+
+Until issue #652 the OCR service exposed no `/metrics` endpoint. The
+observability stack already scrapes the Spring Boot backend's actuator
+endpoint, but it had nothing to scrape on the Python side. Without HTTP-
+and domain-level metrics from `ocr-service` we cannot answer questions
+like "what is the share of words rendered as `[unleserlich]`" or
+"is the training error rate above its budget" from Grafana.
+
+Two implementation requirements influenced the design:
+
+1. **Counter / gauge isolation in tests.** `prometheus_client` collectors
+   are module-level singletons keyed by name on the global `REGISTRY`.
+   Re-importing or naively re-instantiating them raises a duplicated-
+   collector error and cross-test state leaks (a `.inc()` in test A is
+   still readable by test B). A test harness needs a way to swap the
+   active container for a fresh per-test instance.
+
+2. **Minimal blast radius on the request path.** We did not want to
+   hand-instrument every endpoint with FastAPI middleware. The
+   `prometheus-fastapi-instrumentator` library already provides
+   `http_requests_total`, `http_request_duration_seconds`, and the
+   `/metrics` exposition route, all idiomatic Prometheus names.
+
+## Decision
+
+- Add `prometheus-fastapi-instrumentator==7.0.0` and pin its transitive
+  dependency `prometheus-client==0.25.0` explicitly in
+  `ocr-service/requirements.txt`.
+- Mount the instrumentator once at module load:
+  `Instrumentator(excluded_handlers=["/health", "/metrics"]).instrument(app).expose(app)`.
+  This adds `/metrics` and an HTTP-level dashboard surface without
+  changing any endpoint code.
+- Define every domain metric (`ocr_jobs_total`, `ocr_pages_total`,
+  `ocr_processing_seconds`, …) inside a `build_metrics(registry)`
+  factory in `ocr-service/metrics.py` that returns a frozen `OcrMetrics`
+  dataclass. Production code binds the container to the default
+  `REGISTRY` once: `metrics: OcrMetrics = build_metrics(REGISTRY)`.
+- Tests use a `fresh_metrics` fixture that builds a new
+  `CollectorRegistry()` per test and monkeypatches `main.metrics` with
+  a container bound to it. The endpoint code keeps reading
+  `metrics.<name>` without knowing whether it is talking to the global
+  registry or a per-test one.
+
+## Consequences
+
+**Positive**
+
+- One reusable factory captures the metric definitions; future metrics
+  go in one place.
+- Tests run with full counter isolation. Cross-test state leakage is
+  impossible because each test sees its own dataclass instance.
+- The instrumentator gives us `http_*` metrics for free, including a
+  Grafana-ready histogram that pairs with the Spring Boot one.
+
+**Negative**
+
+- One extra level of indirection: any test that asserts on metric
+  values must remember to monkeypatch `main.metrics`, not the registry
+  directly. Rebinding through the registry is harmless but useless —
+  the dataclass holds references to the original collectors.
+- `prometheus-client` is now pinned. Upgrading it requires an explicit
+  bump and re-checking the instrumentator's compatibility range.
+- `/metrics` is exposed unauthenticated and relies on the Docker
+  internal network for confidentiality. See
+  [docs/OBSERVABILITY.md §Internal-only endpoints](../OBSERVABILITY.md)
+  for the Caddy snippet that must be added if the service ever gets a
+  host-side port mapping.
+
+## Alternatives considered
+
+- **Hand-roll the `/metrics` endpoint.** Rejected: would have meant
+  duplicating what `prometheus-fastapi-instrumentator` ships, plus
+  middleware for the HTTP histograms.
+- **Skip the factory; pass `registry` as a function argument
+  everywhere.** Rejected: clutters every endpoint signature and breaks
+  the symmetry with the Spring Boot side, which also relies on a
+  process-global Micrometer registry.
+- **Use a `pytest` autouse fixture that resets `REGISTRY` between
+  tests.** Rejected: `prometheus_client` does not expose a clean
+  "unregister all" hook, and we would be relying on private APIs.
+
+## References
+
+- Issue: [#652](https://git.raddatz.cloud/marcel/familienarchiv/issues/652)
+- Library: <https://github.com/trallnag/prometheus-fastapi-instrumentator>
+- Code: `ocr-service/metrics.py`, `ocr-service/main.py`,
+  `ocr-service/test_metrics.py`

docs/architecture/c4/l2-containers.puml

@@ -43,6 +43,8 @@ Rel(ocr, storage, "Fetches PDF via presigned URL", "HTTP / S3 presigned")
 Rel(mc, storage, "Bootstraps bucket + service account on startup", "MinIO Client CLI")
 Rel(promtail, loki, "Pushes log streams", "HTTP/Loki push API")
 Rel(backend, tempo, "Sends distributed traces via OTLP", "HTTP / OTLP / port 4318 (archiv-net)")
+Rel(prometheus, backend, "Scrapes JVM + HTTP metrics", "HTTP 8081 /actuator/prometheus")
+Rel(prometheus, ocr, "Scrapes OCR + http_* metrics", "HTTP 8000 /metrics")
 Rel(grafana, prometheus, "Queries metrics", "HTTP 9090")
 Rel(grafana, loki, "Queries logs", "HTTP 3100")
 Rel(grafana, tempo, "Queries traces", "HTTP 3200")

docs/architecture/c4/l3-backend-3a-security.puml

@@ -9,18 +9,23 @@ ContainerDb(db, "PostgreSQL", "PostgreSQL 16")
 System_Boundary(backend, "API Backend (Spring Boot)") {
     Component(authCtrl, "AuthSessionController", "@RestController org.raddatz.familienarchiv.auth", "POST /api/auth/login validates credentials, rotates the session ID via SessionAuthenticationStrategy (CWE-384 defense), attaches the SecurityContext to the new session. POST /api/auth/logout invalidates the session unconditionally, then best-effort audits.")
     Component(authSvc, "AuthService", "@Service org.raddatz.familienarchiv.auth", "Delegates credential validation to AuthenticationManager (DaoAuthenticationProvider — timing-equalised via dummy BCrypt on misses). Emits LOGIN_SUCCESS / LOGIN_FAILED / LOGOUT audit entries without ever logging the password attempt.")
-    Component(secFilter, "Security Filter Chain", "Spring Security", "Permits /api/auth/login, /api/auth/forgot-password, /api/auth/reset-password, /api/auth/invite/**, /api/auth/register; everything else requires an authenticated session. Returns 401 (not 302) on missing/expired session. CSRF is disabled pending #524.")
+    Component(secFilter, "Security Filter Chain", "Spring Security", "Permits /api/auth/login, /api/auth/forgot-password, /api/auth/reset-password, /api/auth/invite/**, /api/auth/register; everything else requires an authenticated session. Returns 401 (not 302) on missing/expired session. CSRF enabled: double-submit cookie pattern (CookieCsrfTokenRepository.withHttpOnlyFalse + CsrfTokenRequestAttributeHandler). Custom AccessDeniedHandler returns JSON {\"code\":\"CSRF_TOKEN_MISSING\"}.")
-    Component(sessionRepo, "Spring Session JDBC", "spring-boot-starter-session-jdbc", "Persists sessions in spring_session / spring_session_attributes (Flyway V67). 8-hour idle timeout. Cookie name fa_session, SameSite=Strict, HttpOnly, Secure behind Caddy. Indexes the session by Principal name for revocation in #524.")
+    Component(sessionRepo, "Spring Session JDBC", "spring-boot-starter-session-jdbc", "Persists sessions in spring_session / spring_session_attributes (Flyway V67). 8-hour idle timeout. Cookie name fa_session, SameSite=Strict, HttpOnly, Secure behind Caddy. Indexes the session by Principal name for revocation.")
     Component(permAspect, "PermissionAspect", "Spring AOP", "Intercepts methods annotated with @RequirePermission. Checks the authenticated user's granted authorities against the required permission. Throws 401/403 if denied.")
     Component(secConf, "SecurityConfig", "Spring @Configuration", "Wires the filter chain, BCryptPasswordEncoder, DaoAuthenticationProvider, AuthenticationManager, and the ChangeSessionIdAuthenticationStrategy bean used by AuthSessionController.")
     Component(userDetails, "CustomUserDetailsService", "Spring Security UserDetailsService", "Loads AppUser by email from DB. Converts group permissions to Spring GrantedAuthority objects.")
+    Component(rateLimiter, "LoginRateLimiter", "@Component org.raddatz.familienarchiv.auth", "Dual Bucket4j/Caffeine in-memory rate limiting: per ip:email bucket and per ip bucket. checkAndConsume() throws TOO_MANY_LOGIN_ATTEMPTS (429) when either bucket is exhausted. invalidateOnSuccess() resets both buckets on successful login. Buckets expire after idle windowMinutes.")
+    Component(rateLimitProps, "RateLimitProperties", "@ConfigurationProperties(\"rate-limit.login\") org.raddatz.familienarchiv.auth", "Externalized config for login rate limiting: maxAttemptsPerIpEmail (default 10), maxAttemptsPerIp (default 20), windowMinutes (default 15). Bound from application.yaml rate-limit.login block.")
 }
 
 Rel(frontend, authCtrl, "POST /api/auth/login + /logout", "HTTPS, JSON")
-Rel(frontend, secFilter, "All other API calls", "HTTPS + fa_session cookie")
+Rel(frontend, secFilter, "All other API calls", "HTTPS + fa_session cookie + X-XSRF-TOKEN header")
 Rel(authCtrl, authSvc, "Validate creds + audit")
 Rel(authCtrl, sessionRepo, "getSession() / invalidate()")
 Rel(authSvc, userDetails, "Authenticates via AuthenticationManager")
+Rel(authSvc, rateLimiter, "checkAndConsume() / invalidateOnSuccess()")
+Rel(authSvc, sessionRepo, "revokeOtherSessions() / revokeAllSessions()")
+Rel(rateLimiter, rateLimitProps, "Reads config")
 Rel(secFilter, sessionRepo, "Resolves session by fa_session cookie")
 Rel(secFilter, permAspect, "Authenticated requests reach guarded service methods")
 Rel(secConf, userDetails, "Wires as UserDetailsService")

frontend/Dockerfile

@@ -16,6 +16,10 @@ CMD ["npm", "run", "dev"]
 # Compiles the SvelteKit Node-adapter output to /app/build.
 FROM node:20.19.0-alpine3.21 AS build
 WORKDIR /app
+# VITE_SENTRY_DSN is a build-time variable — Vite bakes it into the bundle.
+# Passed via docker-compose build.args; empty string disables the SDK.
+ARG VITE_SENTRY_DSN
+ENV VITE_SENTRY_DSN=$VITE_SENTRY_DSN
 COPY package.json package-lock.json ./
 RUN npm ci
 COPY . .

frontend/e2e/lang.spec.ts

@@ -58,3 +58,20 @@ test.describe('Language selector', () => {
 		await expect(deBtn).toHaveClass(/font-bold/);
 	});
 });
+
+test.describe('Mobile nav — i18n', () => {
+	test('hamburger button aria-label translates to EN on narrow viewport', async ({ browser }) => {
+		const context = await browser.newContext({
+			viewport: { width: 375, height: 812 },
+			storageState: 'e2e/.auth/user.json'
+		});
+		const page = await context.newPage();
+		await page.goto('/');
+		await page.waitForSelector('[data-hydrated]');
+		await page.getByRole('banner').getByRole('button', { name: 'EN', exact: true }).click();
+
+		await expect(page.getByRole('button', { name: 'Open menu' })).toBeVisible();
+
+		await context.close();
+	});
+});

frontend/eslint.config.js

@@ -106,6 +106,31 @@ export default defineConfig(
 			]
 		}
 	},
+	{
+		// Forbid test fixtures (*.test-fixture.svelte) from being imported by
+		// production code. Tree-shaking keeps them out of the production bundle
+		// today (no route reaches them), but a lint rule makes the boundary
+		// explicit so an accidental autocomplete import in a route or component
+		// fails fast. Test files (*.spec.ts / *.test.ts) and the fixtures
+		// themselves are exempt — see the next block. Nora #2 on PR #629
+		// round 3.
+		files: ['**/*.svelte', '**/*.svelte.ts', '**/*.svelte.js', '**/*.ts'],
+		ignores: ['**/*.spec.ts', '**/*.test.ts', '**/*.test-fixture.svelte'],
+		rules: {
+			'no-restricted-imports': [
+				'error',
+				{
+					patterns: [
+						{
+							group: ['**/*.test-fixture.svelte'],
+							message:
+								'Test fixtures (*.test-fixture.svelte) are test-only — do not import from production code. Tracked by #637.'
+						}
+					]
+				}
+			]
+		}
+	},
 	{
 		plugins: { boundaries },
 		settings: {

frontend/messages/de.json

@@ -28,6 +28,8 @@
 	"nav_conversations": "Briefwechsel",
 	"nav_admin": "Admin",
 	"nav_logout": "Abmelden",
+	"layout_menu_open": "Menü öffnen",
+	"layout_menu_close": "Menü schließen",
 	"theme_toggle_to_light": "Zu hellem Design wechseln",
 	"theme_toggle_to_dark": "Zu dunklem Design wechseln",
 	"btn_save": "Speichern",
@@ -352,6 +354,11 @@
 	"admin_system_import_status_running": "Import läuft…",
 	"admin_system_import_status_done": "Import abgeschlossen",
 	"admin_system_import_status_done_label": "Dokumente verarbeitet",
+	"admin_system_import_skipped_label": "übersprungen",
+	"import_reason_invalid_pdf_signature": "Keine gültige PDF-Signatur",
+	"import_reason_file_read_error": "Fehler beim Lesen der Datei",
+	"import_reason_s3_upload_failed": "Upload-Fehler (S3)",
+	"import_reason_already_exists": "Bereits importiert",
 	"admin_system_import_status_failed": "Import fehlgeschlagen",
 	"admin_system_import_failed_no_spreadsheet": "Keine Tabellendatei gefunden.",
 	"admin_system_import_failed_internal": "Interner Fehler beim Import.",
@@ -389,6 +396,10 @@
 	"doc_panel_discussion_annotation_tab": "Annotation · Seite {page}",
 	"pdf_annotations_show": "Annotierungen anzeigen",
 	"pdf_annotations_hide": "Annotierungen verbergen",
+	"viewer_previous_page": "Zurück",
+	"viewer_next_page": "Weiter",
+	"viewer_zoom_out": "Verkleinern",
+	"viewer_zoom_in": "Vergrößern",
 	"upload_action": "Hochladen",
 	"upload_drop_hint": "Einzeln oder mehrere Dateien auf einmal hochladen",
 	"upload_accepted_types": "PDF, JPEG, PNG, TIFF",
@@ -434,8 +445,12 @@
 	"person_mention_load_error": "Person konnte nicht geladen werden.",
 	"person_mention_loading": "Lade Person…",
 	"person_mention_popup_empty": "Keine Personen gefunden",
+	"person_mention_search_label": "Person suchen",
+	"person_mention_search_prompt": "Namen eingeben…",
 	"person_mention_btn_label": "Person verlinken",
 	"person_mention_create_new": "Neue Person anlegen",
+	"person_mention_results_count_singular": "1 Person gefunden",
+	"person_mention_results_count_plural": "{count} Personen gefunden",
 	"transcription_editor_aria_label": "Transkriptionstext",
 	"person_born_name_prefix": "geb.",
 	"page_title_home": "Archiv",
@@ -511,6 +526,7 @@
 	"notification_filter_unread": "Ungelesen",
 	"notification_filter_mention": "Erwähnung",
 	"notification_filter_reply": "Antwort",
+	"notification_error_generic": "Aktion fehlgeschlagen. Bitte versuche es erneut.",
 	"notification_mark_all_read_aria": "Alle Benachrichtigungen als gelesen markieren",
 	"notification_load_more": "Ältere laden",
 	"notification_empty_history": "Keine Benachrichtigungen",
@@ -622,6 +638,9 @@
 	"transcription_block_review": "Als geprüft markieren",
 	"transcription_block_unreview": "Markierung aufheben",
 	"transcription_reviewed_count": "{reviewed} von {total} geprüft",
+	"transcription_mark_all_reviewed": "Alle als fertig markieren",
+	"transcription_mark_all_reviewed_disabled": "Alle Blöcke sind bereits als fertig markiert",
+	"transcription_mark_all_reviewed_error": "Markierung fehlgeschlagen. Bitte versuchen Sie es erneut.",
 	"training_ocr_heading": "Kurrent-Erkennung trainieren",
 	"training_ocr_description": "Starte ein neues Training mit den bisher geprüften OCR-Blöcken, um die Erkennungsgenauigkeit für Kurrentschrift zu verbessern.",
 	"training_ocr_blocks_ready": "{blocks} geprüfte Blöcke bereit / {docs} Dokumente",
@@ -650,6 +669,7 @@
 	"transcription_block_segmentation_only": "Nur Segmentierung",
 	"training_chip_kurrent": "Kurrent-Erkennung",
 	"training_chip_segmentation": "Segmentierung",
+	"transcribe_mark_for_training": "Für Training vormerken",
 	"training_col_type": "Typ",
 	"training_type_base": "Basis",
 	"training_type_personalized": "Personalisiert",

frontend/messages/en.json

@@ -28,6 +28,8 @@
 	"nav_conversations": "Letters",
 	"nav_admin": "Admin",
 	"nav_logout": "Sign out",
+	"layout_menu_open": "Open menu",
+	"layout_menu_close": "Close menu",
 	"theme_toggle_to_light": "Switch to light mode",
 	"theme_toggle_to_dark": "Switch to dark mode",
 	"btn_save": "Save",
@@ -352,6 +354,11 @@
 	"admin_system_import_status_running": "Import running…",
 	"admin_system_import_status_done": "Import complete",
 	"admin_system_import_status_done_label": "Documents processed",
+	"admin_system_import_skipped_label": "skipped",
+	"import_reason_invalid_pdf_signature": "Invalid PDF signature",
+	"import_reason_file_read_error": "File read error",
+	"import_reason_s3_upload_failed": "Upload error (S3)",
+	"import_reason_already_exists": "Already imported",
 	"admin_system_import_status_failed": "Import failed",
 	"admin_system_import_failed_no_spreadsheet": "No spreadsheet file found.",
 	"admin_system_import_failed_internal": "Import failed due to an internal error.",
@@ -389,6 +396,10 @@
 	"doc_panel_discussion_annotation_tab": "Annotation · Page {page}",
 	"pdf_annotations_show": "Show annotations",
 	"pdf_annotations_hide": "Hide annotations",
+	"viewer_previous_page": "Previous page",
+	"viewer_next_page": "Next page",
+	"viewer_zoom_out": "Zoom out",
+	"viewer_zoom_in": "Zoom in",
 	"upload_action": "Upload",
 	"upload_drop_hint": "Drop one or multiple files at once",
 	"upload_accepted_types": "PDF, JPEG, PNG, TIFF",
@@ -434,8 +445,12 @@
 	"person_mention_load_error": "Could not load person.",
 	"person_mention_loading": "Loading person…",
 	"person_mention_popup_empty": "No persons found",
+	"person_mention_search_label": "Search for a person",
+	"person_mention_search_prompt": "Enter a name…",
 	"person_mention_btn_label": "Link person",
 	"person_mention_create_new": "Create new person",
+	"person_mention_results_count_singular": "1 person found",
+	"person_mention_results_count_plural": "{count} persons found",
 	"transcription_editor_aria_label": "Transcription text",
 	"person_born_name_prefix": "née",
 	"page_title_home": "Archive",
@@ -511,6 +526,7 @@
 	"notification_filter_unread": "Unread",
 	"notification_filter_mention": "Mention",
 	"notification_filter_reply": "Reply",
+	"notification_error_generic": "Action failed. Please try again.",
 	"notification_mark_all_read_aria": "Mark all notifications as read",
 	"notification_load_more": "Load older",
 	"notification_empty_history": "No notifications",
@@ -622,6 +638,9 @@
 	"transcription_block_review": "Mark as reviewed",
 	"transcription_block_unreview": "Unmark as reviewed",
 	"transcription_reviewed_count": "{reviewed} of {total} reviewed",
+	"transcription_mark_all_reviewed": "Mark all as reviewed",
+	"transcription_mark_all_reviewed_disabled": "All blocks are already marked as reviewed",
+	"transcription_mark_all_reviewed_error": "Failed to mark all as reviewed. Please try again.",
 	"training_ocr_heading": "Train Kurrent recognition",
 	"training_ocr_description": "Start a new training run using the reviewed OCR blocks to improve recognition accuracy for Kurrent script.",
 	"training_ocr_blocks_ready": "{blocks} reviewed blocks ready / {docs} documents",
@@ -650,6 +669,7 @@
 	"transcription_block_segmentation_only": "Segmentation only",
 	"training_chip_kurrent": "Kurrent recognition",
 	"training_chip_segmentation": "Segmentation",
+	"transcribe_mark_for_training": "Mark for OCR training",
 	"training_col_type": "Type",
 	"training_type_base": "Base",
 	"training_type_personalized": "Personalized",

frontend/messages/es.json

@@ -28,6 +28,8 @@
 	"nav_conversations": "Cartas",
 	"nav_admin": "Admin",
 	"nav_logout": "Cerrar sesión",
+	"layout_menu_open": "Abrir menú",
+	"layout_menu_close": "Cerrar menú",
 	"theme_toggle_to_light": "Cambiar a modo claro",
 	"theme_toggle_to_dark": "Cambiar a modo oscuro",
 	"btn_save": "Guardar",
@@ -352,6 +354,11 @@
 	"admin_system_import_status_running": "Importación en curso…",
 	"admin_system_import_status_done": "Importación completada",
 	"admin_system_import_status_done_label": "Documentos procesados",
+	"admin_system_import_skipped_label": "omitidos",
+	"import_reason_invalid_pdf_signature": "Firma PDF no válida",
+	"import_reason_file_read_error": "Error al leer el archivo",
+	"import_reason_s3_upload_failed": "Error de carga (S3)",
+	"import_reason_already_exists": "Ya importado",
 	"admin_system_import_status_failed": "Importación fallida",
 	"admin_system_import_failed_no_spreadsheet": "No se encontró ninguna hoja de cálculo.",
 	"admin_system_import_failed_internal": "Error interno durante la importación.",
@@ -389,6 +396,10 @@
 	"doc_panel_discussion_annotation_tab": "Anotación · Página {page}",
 	"pdf_annotations_show": "Mostrar anotaciones",
 	"pdf_annotations_hide": "Ocultar anotaciones",
+	"viewer_previous_page": "Página anterior",
+	"viewer_next_page": "Página siguiente",
+	"viewer_zoom_out": "Reducir",
+	"viewer_zoom_in": "Ampliar",
 	"upload_action": "Subir",
 	"upload_drop_hint": "Uno o varios archivos a la vez",
 	"upload_accepted_types": "PDF, JPEG, PNG, TIFF",
@@ -434,8 +445,12 @@
 	"person_mention_load_error": "No se pudo cargar la persona.",
 	"person_mention_loading": "Cargando persona…",
 	"person_mention_popup_empty": "No se encontraron personas",
+	"person_mention_search_label": "Buscar persona",
+	"person_mention_search_prompt": "Escribe un nombre…",
 	"person_mention_btn_label": "Vincular persona",
 	"person_mention_create_new": "Crear nueva persona",
+	"person_mention_results_count_singular": "1 persona encontrada",
+	"person_mention_results_count_plural": "{count} personas encontradas",
 	"transcription_editor_aria_label": "Texto de transcripción",
 	"person_born_name_prefix": "n.",
 	"page_title_home": "Archivo",
@@ -511,6 +526,7 @@
 	"notification_filter_unread": "No leídas",
 	"notification_filter_mention": "Mención",
 	"notification_filter_reply": "Respuesta",
+	"notification_error_generic": "La acción ha fallado. Por favor, inténtalo de nuevo.",
 	"notification_mark_all_read_aria": "Marcar todas las notificaciones como leídas",
 	"notification_load_more": "Cargar anteriores",
 	"notification_empty_history": "Sin notificaciones",
@@ -622,6 +638,9 @@
 	"transcription_block_review": "Marcar como revisado",
 	"transcription_block_unreview": "Desmarcar como revisado",
 	"transcription_reviewed_count": "{reviewed} de {total} revisados",
+	"transcription_mark_all_reviewed": "Marcar todo como revisado",
+	"transcription_mark_all_reviewed_disabled": "Todos los bloques ya están marcados como revisados",
+	"transcription_mark_all_reviewed_error": "Error al marcar como revisado. Intente de nuevo.",
 	"training_ocr_heading": "Entrenar reconocimiento Kurrent",
 	"training_ocr_description": "Inicia un nuevo entrenamiento con los bloques OCR revisados para mejorar la precisión de reconocimiento del script Kurrent.",
 	"training_ocr_blocks_ready": "{blocks} bloques revisados listos / {docs} documentos",
@@ -650,6 +669,7 @@
 	"transcription_block_segmentation_only": "Solo segmentación",
 	"training_chip_kurrent": "Reconocimiento Kurrent",
 	"training_chip_segmentation": "Segmentación",
+	"transcribe_mark_for_training": "Marcar para entrenamiento de OCR",
 	"training_col_type": "Tipo",
 	"training_type_base": "Base",
 	"training_type_personalized": "Personalizado",

frontend/package.json

@@ -16,7 +16,7 @@
 		"lint:boundary-demo": "eslint src/lib/tag/__fixtures__/",
 		"test:unit": "vitest",
 		"test": "npm run test:unit -- --run",
-		"test:coverage": "vitest run --coverage --project=server; vitest run -c vitest.client-coverage.config.ts --coverage",
+		"test:coverage": "vitest run --coverage --project=server && vitest run -c vitest.client-coverage.config.ts --coverage",
 		"test:e2e": "playwright test",
 		"test:e2e:headed": "playwright test --headed",
 		"test:e2e:ui": "playwright test --ui",
@@ -24,9 +24,9 @@
 	},
 	"dependencies": {
 		"@sentry/sveltekit": "^10.53.1",
-		"@tiptap/core": "3.22.5",
+		"@tiptap/core": "3.23.4",
-		"@tiptap/extension-mention": "3.22.5",
+		"@tiptap/extension-mention": "3.23.4",
-		"@tiptap/starter-kit": "3.22.5",
+		"@tiptap/starter-kit": "3.23.4",
 		"diff": "^8.0.3",
 		"isomorphic-dompurify": "^3.12.0",
 		"openapi-fetch": "^0.13.5",
@@ -37,9 +37,9 @@
 		"@eslint/compat": "^1.4.0",
 		"@eslint/js": "^9.39.1",
 		"@inlang/paraglide-js": "^2.5.0",
-		"@playwright/test": "^1.58.2",
+		"@playwright/test": "^1.60.0",
-		"@sveltejs/adapter-node": "^5.4.0",
+		"@sveltejs/adapter-node": "^5.5.4",
-		"@sveltejs/kit": "^2.48.5",
+		"@sveltejs/kit": "^2.60.1",
 		"@sveltejs/vite-plugin-svelte": "^6.2.1",
 		"@tailwindcss/forms": "^0.5.10",
 		"@tailwindcss/typography": "^0.5.19",
@@ -57,7 +57,7 @@
 		"globals": "^16.5.0",
 		"openapi-typescript": "^7.8.0",
 		"patch-package": "^8.0.0",
-		"playwright": "^1.56.1",
+		"playwright": "^1.60.0",
 		"prettier": "^3.6.2",
 		"prettier-plugin-svelte": "^3.4.0",
 		"prettier-plugin-tailwindcss": "^0.7.1",
@@ -66,7 +66,7 @@
 		"tailwindcss": "^4.1.17",
 		"typescript": "^5.9.3",
 		"typescript-eslint": "^8.47.0",
-		"vite": "^7.2.2",
+		"vite": "^7.3.3",
 		"vite-plugin-devtools-json": "^1.0.0",
 		"vitest": "^4.0.10",
 		"vitest-browser-svelte": "^2.0.1"

frontend/patches/@vitest+browser-playwright+4.1.6.patch

@@ -1,30 +1,30 @@
 diff --git a/node_modules/@vitest/browser-playwright/dist/index.js b/node_modules/@vitest/browser-playwright/dist/index.js
-index 5d0d37b..821d7b4 100644
+index c01e754..f1bb7be 100644
 --- a/node_modules/@vitest/browser-playwright/dist/index.js
 +++ b/node_modules/@vitest/browser-playwright/dist/index.js
-@@ -935,7 +935,7 @@ class PlaywrightBrowserProvider {
+@@ -936,7 +936,7 @@ class PlaywrightBrowserProvider {
  	createMocker() {
- 		const idPreficates = new Map();
+ 		const idPredicates = new Map();
  		const sessionIds = new Map();
 -		function createPredicate(sessionId, url) {
 +		function createPredicate(url) {
  			const moduleUrl = new URL(url, "http://localhost");
  			const predicate = (url) => {
  				if (url.searchParams.has("_vitest_original")) {
-@@ -960,11 +960,7 @@ class PlaywrightBrowserProvider {
+@@ -961,11 +961,7 @@ class PlaywrightBrowserProvider {
  				}
  				return true;
  			};
 -			const ids = sessionIds.get(sessionId) || [];
 -			ids.push(moduleUrl.href);
 -			sessionIds.set(sessionId, ids);
--			idPreficates.set(predicateKey(sessionId, moduleUrl.href), predicate);
+-			idPredicates.set(predicateKey(sessionId, moduleUrl.href), predicate);
 -			return predicate;
 +			return { url: moduleUrl.href, predicate };
  		}
  		function predicateKey(sessionId, url) {
  			return `${sessionId}:${url}`;
-@@ -972,7 +968,23 @@ class PlaywrightBrowserProvider {
+@@ -973,7 +969,23 @@ class PlaywrightBrowserProvider {
  		return {
  			register: async (sessionId, module) => {
  				const page = this.getPage(sessionId);
@@ -37,19 +37,19 @@ index 5d0d37b..821d7b4 100644
 +				// duplicate-id mocks (e.g. '$lib/foo.svelte' + '$lib/foo.svelte.js')
 +				// leak an orphan route whose handler crashes after the next
 +				// session's birpc channel closes.
-+				const existingPredicate = idPreficates.get(key);
++				const existingPredicate = idPredicates.get(key);
 +				if (existingPredicate) {
 +					await page.context().unroute(existingPredicate);
 +				}
 +				const ids = sessionIds.get(sessionId) ?? new Set();
 +				ids.add(moduleUrl);
 +				sessionIds.set(sessionId, ids);
-+				idPreficates.set(key, predicate);
++				idPredicates.set(key, predicate);
 +				await page.context().route(predicate, async (route) => {
  					if (module.type === "manual") {
  						const exports$1 = Object.keys(await module.resolve());
  						const body = createManualModuleSource(module.url, exports$1);
-@@ -1033,8 +1045,8 @@ class PlaywrightBrowserProvider {
+@@ -1034,8 +1046,8 @@ class PlaywrightBrowserProvider {
  			},
  			clear: async (sessionId) => {
  				const page = this.getPage(sessionId);
@@ -58,5 +58,5 @@ index 5d0d37b..821d7b4 100644
 +				const ids = sessionIds.get(sessionId) ?? new Set();
 +				const promises = [...ids].map((id) => {
  					const key = predicateKey(sessionId, id);
- 					const predicate = idPreficates.get(key);
+ 					const predicate = idPredicates.get(key);
  					if (predicate) {

frontend/src/hooks.server.ts

@@ -111,7 +111,7 @@ const PUBLIC_API_PATHS = [
 
 export const handleFetch: HandleFetch = async ({ event, request, fetch }) => {
 	const apiUrl = env.API_INTERNAL_URL || 'http://localhost:8080';
-	const isApi = request.url.startsWith(apiUrl) || request.url.includes('/api/');
+	const isApi = request.url.startsWith(apiUrl) || new URL(request.url).pathname.startsWith('/api/');
 
 	if (!isApi) return fetch(request);
 
@@ -131,14 +131,13 @@ export const handleFetch: HandleFetch = async ({ event, request, fetch }) => {
 	if (sessionId) cookieParts.push(`fa_session=${sessionId}`);
 	if (xsrfToken) cookieParts.push(`XSRF-TOKEN=${xsrfToken}`);
 
-	if (cookieParts.length === 0 && !xsrfToken) {
+	if (cookieParts.length === 0) {
 		return fetch(request);
 	}
 
 	// Clone first so the body stream is preserved on the new Request.
 	const cloned = request.clone();
-	const extraHeaders: Record<string, string> = {};
+	const extraHeaders: Record<string, string> = { Cookie: cookieParts.join('; ') };
-	if (cookieParts.length > 0) extraHeaders['Cookie'] = cookieParts.join('; ');
 	if (xsrfToken) extraHeaders['X-XSRF-TOKEN'] = xsrfToken;
 
 	const modified = new Request(cloned, {

frontend/src/lib/activity/ChronikFuerDichBox.svelte

@@ -1,4 +1,5 @@
 <script lang="ts">
+import { enhance } from '$app/forms';
 import * as m from '$lib/paraglide/messages.js';
 import { relativeTime } from '$lib/shared/utils/time';
 import type { NotificationItem } from '$lib/notification/notifications.svelte';
@@ -6,11 +7,13 @@ import { buildCommentHref } from '$lib/shared/discussion/commentDeepLink';
 
 interface Props {
 	unread: NotificationItem[];
-	onMarkRead: (n: NotificationItem) => void;
+	optimisticMarkRead: (id: string) => void;
-	onMarkAllRead: () => void;
+	optimisticMarkAllRead: () => void;
 }
 
-const { unread, onMarkRead, onMarkAllRead }: Props = $props();
+const { unread, optimisticMarkRead, optimisticMarkAllRead }: Props = $props();
+
+let errorMessage: string | null = $state(null);
 
 function verb(type: NotificationItem['type'], actor: string): string {
 	return type === 'REPLY'
@@ -24,6 +27,9 @@ function href(n: NotificationItem): string {
 </script>
 
 <section class="rounded-sm border border-line bg-surface p-5">
+	{#if errorMessage}
+		<p role="alert" class="px-4 py-2 text-sm text-red-600">{errorMessage}</p>
+	{/if}
 	{#if unread.length === 0}
 		<div data-testid="chronik-inbox-zero" class="flex flex-col items-center gap-3 py-6 text-center">
 			<svg
@@ -66,14 +72,28 @@ function href(n: NotificationItem): string {
 					{m.chronik_for_you_count({ count: unread.length })}
 				</span>
 			</div>
+			<form
+				action="/aktivitaeten?/mark-all-read"
+				method="POST"
+				use:enhance={() => {
+					errorMessage = null;
+					optimisticMarkAllRead();
+					return async ({ result, update }) => {
+						if (result.type === 'failure' || result.type === 'error') {
+							errorMessage = m.notification_error_generic();
+							await update({ reset: false, invalidateAll: false });
+						}
+					};
+				}}
+			>
 				<button
-				type="button"
+					type="submit"
 					data-testid="chronik-mark-all-read"
-				onclick={onMarkAllRead}
 					class="font-sans text-xs font-medium text-ink-3 transition-colors hover:text-ink"
 				>
 					{m.chronik_mark_all_read()}
 				</button>
+			</form>
 		</div>
 
 		<ul role="list" class="flex flex-col gap-2">
@@ -89,7 +109,7 @@ function href(n: NotificationItem): string {
 							aria-hidden="true"
 							class="mt-0.5 inline-flex h-6 w-6 shrink-0 items-center justify-center rounded-full bg-accent-bg font-sans text-xs font-bold text-accent"
 						>
-							{n.type === 'MENTION' ? '@' : '\u21A9'}
+							{n.type === 'MENTION' ? '@' : '↩'}
 						</span>
 						<div class="min-w-0 flex-1">
 							<p class="font-sans text-sm leading-snug text-ink">
@@ -100,11 +120,25 @@ function href(n: NotificationItem): string {
 							</p>
 						</div>
 					</a>
+					<form
+						action="/aktivitaeten?/dismiss-notification"
+						method="POST"
+						use:enhance={() => {
+							errorMessage = null;
+							optimisticMarkRead(n.id);
+							return async ({ result, update }) => {
+								if (result.type === 'failure' || result.type === 'error') {
+									errorMessage = m.notification_error_generic();
+									await update({ reset: false, invalidateAll: false });
+								}
+							};
+						}}
+					>
+						<input type="hidden" name="notificationId" value={n.id} />
 						<button
-						type="button"
+							type="submit"
 							data-testid="chronik-fuerdich-dismiss"
 							aria-label={m.chronik_mark_read_aria()}
-						onclick={() => onMarkRead(n)}
 							class="mt-0.5 shrink-0 rounded-sm p-1 text-ink-3 transition-colors hover:bg-muted hover:text-ink focus-visible:ring-2 focus-visible:ring-focus-ring focus-visible:outline-none"
 						>
 							<svg
@@ -119,6 +153,7 @@ function href(n: NotificationItem): string {
 								<path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" />
 							</svg>
 						</button>
+					</form>
 				</li>
 			{/each}
 		</ul>

frontend/src/lib/activity/ChronikFuerDichBox.svelte.spec.ts

@@ -5,7 +5,36 @@ import { page, userEvent } from 'vitest/browser';
 import ChronikFuerDichBox from './ChronikFuerDichBox.svelte';
 import type { NotificationItem } from '$lib/notification/notifications.svelte';
 
-afterEach(cleanup);
+const mockFormResult = vi.hoisted(() => ({ type: 'success' as string }));
+
+vi.mock('$app/forms', () => ({
+	enhance(
+		node: HTMLFormElement,
+		submit?: (opts: {
+			formData: FormData;
+		}) => (opts: {
+			result: { type: string; data?: Record<string, unknown> };
+			update: () => Promise<void>;
+		}) => Promise<void>
+	) {
+		const handler = async (e: Event) => {
+			e.preventDefault();
+			const cb = submit?.({ formData: new FormData(node) } as never);
+			if (typeof cb === 'function') {
+				await (
+					cb as (o: { result: typeof mockFormResult; update: () => Promise<void> }) => Promise<void>
+				)({ result: mockFormResult, update: async () => {} });
+			}
+		};
+		node.addEventListener('submit', handler);
+		return { destroy: () => node.removeEventListener('submit', handler) };
+	}
+}));
+
+afterEach(() => {
+	cleanup();
+	mockFormResult.type = 'success';
+});
 
 function notif(partial: Partial<NotificationItem>): NotificationItem {
 	return {
@@ -26,8 +55,8 @@ describe('ChronikFuerDichBox', () => {
 	it('renders inbox-zero state when there are no unread items', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [],
-			onMarkRead: vi.fn(),
+			optimisticMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkAllRead: vi.fn()
 		});
 		const zero = document.querySelector('[data-testid="chronik-inbox-zero"]');
 		expect(zero).not.toBeNull();
@@ -37,8 +66,8 @@ describe('ChronikFuerDichBox', () => {
 	it('links to the archived mentions in the inbox-zero state', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [],
-			onMarkRead: vi.fn(),
+			optimisticMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkAllRead: vi.fn()
 		});
 		const link = document.querySelector('a[href="/aktivitaeten?filter=fuer-dich"]');
 		expect(link).not.toBeNull();
@@ -47,8 +76,8 @@ describe('ChronikFuerDichBox', () => {
 	it('renders the count badge with correct total when unread exists', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [notif({ id: 'a' }), notif({ id: 'b' })],
-			onMarkRead: vi.fn(),
+			optimisticMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkAllRead: vi.fn()
 		});
 		await expect.element(page.getByText('2 neu')).toBeInTheDocument();
 	});
@@ -56,8 +85,8 @@ describe('ChronikFuerDichBox', () => {
 	it('count badge has aria-live=polite when unread exists', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [notif({ id: 'a' })],
-			onMarkRead: vi.fn(),
+			optimisticMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkAllRead: vi.fn()
 		});
 		// Wait for render
 		await expect.element(page.getByText('1 neu')).toBeInTheDocument();
@@ -69,8 +98,8 @@ describe('ChronikFuerDichBox', () => {
 	it('does not render the "Alle gelesen" button when there are no unread items', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [],
-			onMarkRead: vi.fn(),
+			optimisticMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkAllRead: vi.fn()
 		});
 		await expect.element(page.getByText('Keine neuen Erwähnungen')).toBeInTheDocument();
 		const all = document.querySelector('[data-testid="chronik-mark-all-read"]');
@@ -80,38 +109,38 @@ describe('ChronikFuerDichBox', () => {
 	it('renders the "Alle gelesen" button when unread exists', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [notif({ id: 'a' })],
-			onMarkRead: vi.fn(),
+			optimisticMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkAllRead: vi.fn()
 		});
 		await expect.element(page.getByText('Alle gelesen')).toBeInTheDocument();
 	});
 
-	it('calls onMarkAllRead when the "Alle gelesen" button is clicked', async () => {
+	it('calls optimisticMarkAllRead when the "Alle gelesen" button is submitted', async () => {
-		const onMarkAllRead = vi.fn();
+		const optimisticMarkAllRead = vi.fn();
 		render(ChronikFuerDichBox, {
 			unread: [notif({ id: 'a' })],
-			onMarkRead: vi.fn(),
+			optimisticMarkRead: vi.fn(),
-			onMarkAllRead
+			optimisticMarkAllRead
 		});
 		await userEvent.click(page.getByText('Alle gelesen'));
-		expect(onMarkAllRead).toHaveBeenCalledTimes(1);
+		expect(optimisticMarkAllRead).toHaveBeenCalledTimes(1);
 	});
 
-	it('calls onMarkRead (and not navigation) when a per-item Dismiss button is clicked', async () => {
+	it('calls optimisticMarkRead with the notification id when its dismiss button is submitted', async () => {
-		const onMarkRead = vi.fn();
+		const optimisticMarkRead = vi.fn();
 		const n = notif({ id: 'xyz' });
 		render(ChronikFuerDichBox, {
 			unread: [n],
-			onMarkRead,
+			optimisticMarkRead,
-			onMarkAllRead: vi.fn()
+			optimisticMarkAllRead: vi.fn()
 		});
 		const dismiss = document.querySelector(
 			'[data-testid="chronik-fuerdich-dismiss"]'
 		) as HTMLButtonElement | null;
 		expect(dismiss).not.toBeNull();
 		dismiss?.click();
-		expect(onMarkRead).toHaveBeenCalledTimes(1);
+		expect(optimisticMarkRead).toHaveBeenCalledTimes(1);
-		expect(onMarkRead.mock.calls[0][0]).toEqual(n);
+		expect(optimisticMarkRead.mock.calls[0][0]).toBe('xyz');
 	});
 
 	it('mention row href includes both commentId and annotationId when annotationId is present', async () => {
@@ -124,8 +153,8 @@ describe('ChronikFuerDichBox', () => {
 					annotationId: 'annot-9'
 				})
 			],
-			onMarkRead: vi.fn(),
+			optimisticMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkAllRead: vi.fn()
 		});
 		const link = document.querySelector(
 			'a[href="/documents/doc-42?commentId=comment-7&annotationId=annot-9"]'
@@ -136,8 +165,8 @@ describe('ChronikFuerDichBox', () => {
 	it('Dismiss button is a sibling of the document link, never nested inside <a>', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [notif({ id: 'x' })],
-			onMarkRead: vi.fn(),
+			optimisticMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkAllRead: vi.fn()
 		});
 		const dismiss = document.querySelector('[data-testid="chronik-fuerdich-dismiss"]');
 		expect(dismiss).not.toBeNull();
@@ -145,4 +174,22 @@ describe('ChronikFuerDichBox', () => {
 		// Prevents the senior-audience tap-drag bug flagged by Leonie.
 		expect(dismiss?.closest('a')).toBeNull();
 	});
+
+	it('shows an accessible error banner when the dismiss action returns a failure', async () => {
+		mockFormResult.type = 'failure';
+		render(ChronikFuerDichBox, {
+			unread: [notif({ id: 'err-1' })],
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
+		});
+		const dismiss = document.querySelector(
+			'[data-testid="chronik-fuerdich-dismiss"]'
+		) as HTMLButtonElement | null;
+		expect(dismiss).not.toBeNull();
+		dismiss?.click();
+		// Allow microtask queue to flush
+		await new Promise((r) => setTimeout(r, 0));
+		const alert = document.querySelector('[role="alert"]');
+		expect(alert).not.toBeNull();
+	});
 });

frontend/src/lib/activity/ChronikFuerDichBox.svelte.test.ts

@@ -4,7 +4,36 @@ import { page } from 'vitest/browser';
 import ChronikFuerDichBox from './ChronikFuerDichBox.svelte';
 import type { NotificationItem } from '$lib/notification/notifications';
 
-afterEach(cleanup);
+const mockFormResult = vi.hoisted(() => ({ type: 'success' as string }));
+
+vi.mock('$app/forms', () => ({
+	enhance(
+		node: HTMLFormElement,
+		submit?: (opts: {
+			formData: FormData;
+		}) => (opts: {
+			result: { type: string; data?: Record<string, unknown> };
+			update: () => Promise<void>;
+		}) => Promise<void>
+	) {
+		const handler = async (e: Event) => {
+			e.preventDefault();
+			const cb = submit?.({ formData: new FormData(node) } as never);
+			if (typeof cb === 'function') {
+				await (
+					cb as (o: { result: typeof mockFormResult; update: () => Promise<void> }) => Promise<void>
+				)({ result: mockFormResult, update: async () => {} });
+			}
+		};
+		node.addEventListener('submit', handler);
+		return { destroy: () => node.removeEventListener('submit', handler) };
+	}
+}));
+
+afterEach(() => {
+	cleanup();
+	mockFormResult.type = 'success';
+});
 
 const mention = (overrides: Partial<NotificationItem> = {}): NotificationItem => ({
 	id: 'n-1',
@@ -22,7 +51,7 @@ const mention = (overrides: Partial<NotificationItem> = {}): NotificationItem =>
 describe('ChronikFuerDichBox', () => {
 	it('renders the inbox-zero state when there are no unread', async () => {
 		render(ChronikFuerDichBox, {
-			props: { unread: [], onMarkRead: () => {}, onMarkAllRead: () => {} }
+			props: { unread: [], optimisticMarkRead: () => {}, optimisticMarkAllRead: () => {} }
 		});
 
 		await expect.element(page.getByText(/keine neuen erwähnungen/i)).toBeVisible();
@@ -34,8 +63,8 @@ describe('ChronikFuerDichBox', () => {
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention(), mention({ id: 'n-2' }), mention({ id: 'n-3' })],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {}
+				optimisticMarkAllRead: () => {}
 			}
 		});
 
@@ -47,8 +76,8 @@ describe('ChronikFuerDichBox', () => {
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention({ id: 'n-m', type: 'MENTION' }), mention({ id: 'n-r', type: 'REPLY' })],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {}
+				optimisticMarkAllRead: () => {}
 			}
 		});
 
@@ -62,8 +91,8 @@ describe('ChronikFuerDichBox', () => {
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention({ actorName: 'Bertha' })],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {}
+				optimisticMarkAllRead: () => {}
 			}
 		});
 
@@ -76,8 +105,8 @@ describe('ChronikFuerDichBox', () => {
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention({ type: 'REPLY', actorName: 'Carl' })],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {}
+				optimisticMarkAllRead: () => {}
 			}
 		});
 
@@ -86,11 +115,11 @@ describe('ChronikFuerDichBox', () => {
 			.toBeVisible();
 	});
 
-	it('calls onMarkRead with the notification when its dismiss button is clicked', async () => {
+	it('calls optimisticMarkRead with the notification id when its dismiss button is clicked', async () => {
-		const onMarkRead = vi.fn();
+		const optimisticMarkRead = vi.fn();
 		const item = mention({ id: 'n-7' });
 		render(ChronikFuerDichBox, {
-			props: { unread: [item], onMarkRead, onMarkAllRead: () => {} }
+			props: { unread: [item], optimisticMarkRead, optimisticMarkAllRead: () => {} }
 		});
 
 		const dismiss = document.querySelector(
@@ -98,35 +127,55 @@ describe('ChronikFuerDichBox', () => {
 		) as HTMLElement;
 		dismiss.click();
 
-		expect(onMarkRead).toHaveBeenCalledWith(item);
+		expect(optimisticMarkRead).toHaveBeenCalledWith('n-7');
 	});
 
-	it('calls onMarkAllRead when the mark-all-read button is clicked', async () => {
+	it('calls optimisticMarkAllRead when the mark-all-read button is clicked', async () => {
-		const onMarkAllRead = vi.fn();
+		const optimisticMarkAllRead = vi.fn();
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention()],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead
+				optimisticMarkAllRead
 			}
 		});
 
 		const btn = document.querySelector('[data-testid="chronik-mark-all-read"]') as HTMLElement;
 		btn.click();
 
-		expect(onMarkAllRead).toHaveBeenCalledOnce();
+		expect(optimisticMarkAllRead).toHaveBeenCalledOnce();
 	});
 
 	it('builds a deep-link href to the comment for each notification', async () => {
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention({ documentId: 'doc-x', referenceId: 'ref-y', annotationId: null })],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {}
+				optimisticMarkAllRead: () => {}
 			}
 		});
 
 		const link = document.querySelector('ul[role="list"] li a') as HTMLAnchorElement;
 		expect(link.getAttribute('href')).toContain('doc-x');
 	});
+
+	it('shows an accessible error banner when the dismiss action returns a failure', async () => {
+		mockFormResult.type = 'failure';
+		render(ChronikFuerDichBox, {
+			props: {
+				unread: [mention({ id: 'err-1' })],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {}
+			}
+		});
+
+		const dismiss = document.querySelector(
+			'[data-testid="chronik-fuerdich-dismiss"]'
+		) as HTMLElement;
+		dismiss.click();
+		// Allow microtask queue to flush
+		await new Promise((r) => setTimeout(r, 0));
+		const alert = document.querySelector('[role="alert"]');
+		expect(alert).not.toBeNull();
+	});
 });

frontend/src/lib/document/BulkDocumentEditLayout.svelte

@@ -17,6 +17,7 @@ import PdfViewer from '$lib/document/viewer/PdfViewer.svelte';
 import { bulkTitleFromFilename } from '$lib/document/filename';
 import type { Tag } from '$lib/tag/TagInput.svelte';
 import type { components } from '$lib/generated/api';
+import { withCsrf } from '$lib/shared/cookies';
 
 type Person = components['schemas']['Person'];
 
@@ -183,7 +184,10 @@ async function saveUpload() {
 		// FormData with per-chunk progress. Session cookie is sent automatically
 		// by the browser for same-origin requests.
 		try {
-			const res = await fetch('/api/documents/quick-upload', { method: 'POST', body: formData });
+			const res = await fetch(
+				'/api/documents/quick-upload',
+				withCsrf({ method: 'POST', body: formData })
+			);
 			const body = await res.json().catch(() => ({ errors: [] }));
 			const errorFilenames = new Set<string>(
 				(body.errors ?? []).map((err: { filename: string }) => err.filename)

frontend/src/lib/document/transcription/TranscriptionBlock.svelte.spec.ts

@@ -1,7 +1,7 @@
 import { describe, it, expect, vi, afterEach } from 'vitest';
 import { cleanup, render } from 'vitest-browser-svelte';
 import { page } from 'vitest/browser';
-import TranscriptionBlockHost from './TranscriptionBlock.test-host.svelte';
+import TranscriptionBlockHost from './TranscriptionBlock.test-fixture.svelte';
 import type { ConfirmService } from '$lib/shared/services/confirm.svelte.js';
 
 afterEach(cleanup);

frontend/src/lib/document/transcription/TranscriptionEditView.svelte

@@ -6,6 +6,7 @@ import TranscribeCoachEmptyState from '$lib/shared/help/TranscribeCoachEmptyStat
 import type { PersonMention, TranscriptionBlockData } from '$lib/shared/types';
 import { createBlockAutoSave } from '$lib/document/transcription/useBlockAutoSave.svelte';
 import { createBlockDragDrop } from '$lib/document/transcription/useBlockDragDrop.svelte';
+import { withCsrf } from '$lib/shared/cookies';
 
 type Props = {
 	documentId: string;
@@ -49,6 +50,7 @@ let activeBlockId: string | null = $state(null);
 let localLabels: string[] = $derived.by(() => [...trainingLabels]);
 let listEl: HTMLElement | null = $state(null);
 let markingAllReviewed = $state(false);
+let markAllError = $state<string | null>(null);
 
 const sortedBlocks = $derived([...blocks].sort((a, b) => a.sortOrder - b.sortOrder));
 const hasBlocks = $derived(blocks.length > 0);
@@ -67,8 +69,11 @@ $effect(() => {
 async function handleMarkAllReviewed() {
 	if (!onMarkAllReviewed) return;
 	markingAllReviewed = true;
+	markAllError = null;
 	try {
 		await onMarkAllReviewed();
+	} catch {
+		markAllError = m.transcription_mark_all_reviewed_error();
 	} finally {
 		markingAllReviewed = false;
 	}
@@ -109,11 +114,14 @@ function handleDelete(blockId: string) {
 
 async function reorder(newOrder: string[]) {
 	try {
-		const res = await fetch(`/api/documents/${documentId}/transcription-blocks/reorder`, {
+		const res = await fetch(
+			`/api/documents/${documentId}/transcription-blocks/reorder`,
+			withCsrf({
 				method: 'PUT',
 				headers: { 'Content-Type': 'application/json' },
 				body: JSON.stringify({ blockIds: newOrder })
-		});
+			})
+		);
 		if (!res.ok) return;
 		const updated = await res.json();
 		for (const b of updated) {
@@ -169,7 +177,7 @@ async function handleLabelToggle(label: string) {
 					<button
 						onclick={handleMarkAllReviewed}
 						disabled={allReviewed || markingAllReviewed}
-						title={allReviewed ? 'Alle Blöcke sind bereits als fertig markiert' : undefined}
+						title={allReviewed ? m.transcription_mark_all_reviewed_disabled() : undefined}
 						class="flex min-h-[44px] items-center gap-1.5 rounded-sm px-3 font-sans text-xs font-medium text-brand-navy/80 transition-colors hover:text-brand-navy focus-visible:ring-2 focus-visible:ring-brand-navy disabled:opacity-40"
 					>
 						{#if markingAllReviewed}
@@ -207,7 +215,7 @@ async function handleLabelToggle(label: string) {
 								<path stroke-linecap="round" stroke-linejoin="round" d="M5 13l4 4L19 7" />
 							</svg>
 						{/if}
-						Alle als fertig markieren
+						{m.transcription_mark_all_reviewed()}
 					</button>
 				{/if}
 			</div>
@@ -217,6 +225,31 @@ async function handleLabelToggle(label: string) {
 					style="width: {reviewProgress}%"
 				></div>
 			</div>
+			{#if markAllError}
+				<div
+					role="alert"
+					class="mt-1.5 flex items-center gap-2 rounded-sm border border-red-200 bg-red-50 px-3 py-2 font-sans text-sm text-red-700"
+				>
+					<span class="flex-1">{markAllError}</span>
+					<button
+						onclick={() => (markAllError = null)}
+						aria-label={m.comp_dismiss()}
+						class="flex min-h-[44px] min-w-[44px] items-center justify-center rounded text-red-600 hover:text-red-700 focus-visible:ring-2 focus-visible:ring-red-500"
+					>
+						<svg
+							class="h-4 w-4"
+							fill="none"
+							stroke="currentColor"
+							stroke-width="2"
+							viewBox="0 0 24 24"
+							xmlns="http://www.w3.org/2000/svg"
+							aria-hidden="true"
+						>
+							<path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" />
+						</svg>
+					</button>
+				</div>
+			{/if}
 		</div>
 		<div class="p-4">
 			<!-- svelte-ignore a11y_no_static_element_interactions -->
@@ -303,7 +336,9 @@ async function handleLabelToggle(label: string) {
 
 	{#if canWrite && hasBlocks}
 		<div class="border-t border-line px-4 py-3">
-			<p class="mb-2 font-sans text-xs font-medium text-ink-2">Für Training vormerken</p>
+			<p class="mb-2 font-sans text-xs font-medium text-ink-2">
+				{m.transcribe_mark_for_training()}
+			</p>
 			<div class="flex flex-wrap gap-2">
 				{#each [{ label: 'KURRENT_RECOGNITION', display: m.training_chip_kurrent() }, { label: 'KURRENT_SEGMENTATION', display: m.training_chip_segmentation() }] as chip (chip.label)}
 					<button

frontend/src/lib/document/transcription/TranscriptionEditView.svelte.spec.ts

@@ -3,6 +3,7 @@ import { cleanup, render } from 'vitest-browser-svelte';
 import { page, userEvent } from 'vitest/browser';
 import TranscriptionEditView from './TranscriptionEditView.svelte';
 import { createConfirmService, CONFIRM_KEY } from '$lib/shared/services/confirm.svelte.js';
+import { m } from '$lib/paraglide/messages.js';
 
 afterEach(cleanup);
 
@@ -312,14 +313,14 @@ describe('TranscriptionEditView — mark all reviewed', () => {
 			onMarkAllReviewed: vi.fn().mockResolvedValue(undefined)
 		});
 		await expect
-			.element(page.getByRole('button', { name: /Alle als fertig markieren/ }))
+			.element(page.getByRole('button', { name: m.transcription_mark_all_reviewed() }))
 			.toBeInTheDocument();
 	});
 
 	it('does not show "Alle als fertig markieren" button when onMarkAllReviewed is not provided', async () => {
 		renderView({ blocks: [unreviewedBlock1, unreviewedBlock2] });
 		await expect
-			.element(page.getByRole('button', { name: /Alle als fertig markieren/ }))
+			.element(page.getByRole('button', { name: m.transcription_mark_all_reviewed() }))
 			.not.toBeInTheDocument();
 	});
 
@@ -329,7 +330,7 @@ describe('TranscriptionEditView — mark all reviewed', () => {
 			onMarkAllReviewed: vi.fn().mockResolvedValue(undefined)
 		});
 		await expect
-			.element(page.getByRole('button', { name: /Alle als fertig markieren/ }))
+			.element(page.getByRole('button', { name: m.transcription_mark_all_reviewed() }))
 			.toBeDisabled();
 	});
 
@@ -343,7 +344,7 @@ describe('TranscriptionEditView — mark all reviewed', () => {
 		// userEvent.click() via Playwright CDP doesn't reliably trigger Svelte 5 onclick
 		// handlers when a TipTap editor is mounted in the same component tree.
 		const btn = (await page
-			.getByRole('button', { name: /Alle als fertig markieren/ })
+			.getByRole('button', { name: m.transcription_mark_all_reviewed() })
 			.element()) as HTMLButtonElement;
 		btn.dispatchEvent(new MouseEvent('click', { bubbles: true, cancelable: true }));
 		await vi.waitFor(() => expect(onMarkAllReviewed).toHaveBeenCalledTimes(1));
@@ -361,12 +362,83 @@ describe('TranscriptionEditView — mark all reviewed', () => {
 
 		// Same CDP click workaround: dispatch from browser JS to reliably fire Svelte 5 onclick
 		const btnEl = (await page
-			.getByRole('button', { name: /Alle als fertig markieren/ })
+			.getByRole('button', { name: m.transcription_mark_all_reviewed() })
 			.element()) as HTMLButtonElement;
 		btnEl.dispatchEvent(new MouseEvent('click', { bubbles: true, cancelable: true }));
 		await expect
-			.element(page.getByRole('button', { name: /Alle als fertig markieren/ }))
+			.element(page.getByRole('button', { name: m.transcription_mark_all_reviewed() }))
 			.toBeDisabled();
 		resolveMarkAll();
 	});
+
+	it('shows error message when onMarkAllReviewed callback rejects', async () => {
+		const onMarkAllReviewed = vi.fn().mockRejectedValue(new Error('INTERNAL_ERROR'));
+		renderView({ blocks: [unreviewedBlock1, unreviewedBlock2], onMarkAllReviewed });
+
+		const btnEl = (await page
+			.getByRole('button', { name: m.transcription_mark_all_reviewed() })
+			.element()) as HTMLButtonElement;
+		btnEl.dispatchEvent(new MouseEvent('click', { bubbles: true, cancelable: true }));
+
+		await expect.element(page.getByRole('alert')).toBeInTheDocument();
+		await expect
+			.element(page.getByRole('alert'))
+			.toHaveTextContent(m.transcription_mark_all_reviewed_error());
+	});
+
+	it('clears error when dismiss button is clicked', async () => {
+		const onMarkAllReviewed = vi.fn().mockRejectedValue(new Error('INTERNAL_ERROR'));
+		renderView({ blocks: [unreviewedBlock1, unreviewedBlock2], onMarkAllReviewed });
+
+		const btnEl = (await page
+			.getByRole('button', { name: m.transcription_mark_all_reviewed() })
+			.element()) as HTMLButtonElement;
+		btnEl.dispatchEvent(new MouseEvent('click', { bubbles: true, cancelable: true }));
+		await expect.element(page.getByRole('alert')).toBeInTheDocument();
+
+		const dismissEl = (await page
+			.getByRole('button', { name: m.comp_dismiss() })
+			.element()) as HTMLButtonElement;
+		dismissEl.dispatchEvent(new MouseEvent('click', { bubbles: true, cancelable: true }));
+
+		await expect.element(page.getByRole('alert')).not.toBeInTheDocument();
+	});
+
+	it('clears error on next successful markAllReviewed call', async () => {
+		const onMarkAllReviewed = vi
+			.fn()
+			.mockRejectedValueOnce(new Error('INTERNAL_ERROR'))
+			.mockResolvedValue(undefined);
+		renderView({ blocks: [unreviewedBlock1, unreviewedBlock2], onMarkAllReviewed });
+
+		const btnEl = (await page
+			.getByRole('button', { name: m.transcription_mark_all_reviewed() })
+			.element()) as HTMLButtonElement;
+		btnEl.dispatchEvent(new MouseEvent('click', { bubbles: true, cancelable: true }));
+		await expect.element(page.getByRole('alert')).toBeInTheDocument();
+		// Wait for the button to be re-enabled before the second click — ensures the first
+		// async rejection has fully settled and Svelte has flushed state changes
+		await expect
+			.element(page.getByRole('button', { name: m.transcription_mark_all_reviewed() }))
+			.not.toBeDisabled();
+
+		btnEl.dispatchEvent(new MouseEvent('click', { bubbles: true, cancelable: true }));
+
+		await expect.element(page.getByRole('alert')).not.toBeInTheDocument();
+	});
+
+	it('re-enables button after markAllReviewed failure', async () => {
+		const onMarkAllReviewed = vi.fn().mockRejectedValue(new Error('INTERNAL_ERROR'));
+		renderView({ blocks: [unreviewedBlock1, unreviewedBlock2], onMarkAllReviewed });
+
+		const btnEl = (await page
+			.getByRole('button', { name: m.transcription_mark_all_reviewed() })
+			.element()) as HTMLButtonElement;
+		btnEl.dispatchEvent(new MouseEvent('click', { bubbles: true, cancelable: true }));
+		await expect.element(page.getByRole('alert')).toBeInTheDocument();
+
+		await expect
+			.element(page.getByRole('button', { name: m.transcription_mark_all_reviewed() }))
+			.not.toBeDisabled();
+	});
 });

frontend/src/lib/document/transcription/useBlockAutoSave.svelte.ts

@@ -1,5 +1,6 @@
 import { SvelteMap } from 'svelte/reactivity';
 import type { PersonMention } from '$lib/shared/types';
+import { withCsrf } from '$lib/shared/cookies';
 
 export type SaveState = 'idle' | 'saving' | 'saved' | 'fading' | 'error';
 
@@ -116,12 +117,15 @@ export function createBlockAutoSave({ saveFn, documentId }: Options) {
 		for (const [blockId, text] of pendingTexts) {
 			const mentions = pendingMentions.get(blockId) ?? [];
 			clearDebounce(blockId);
-			void fetch(`/api/documents/${documentId}/transcription-blocks/${blockId}`, {
+			void fetch(
+				`/api/documents/${documentId}/transcription-blocks/${blockId}`,
+				withCsrf({
 					method: 'PUT',
 					headers: { 'Content-Type': 'application/json' },
 					body: JSON.stringify({ text, mentionedPersons: mentions }),
 					keepalive: true
-			});
+				})
+			);
 			pendingTexts.delete(blockId);
 			pendingMentions.delete(blockId);
 		}

frontend/src/lib/document/transcription/useTranscriptionBlocks.svelte.test.ts

@@ -259,12 +259,15 @@ describe('createTranscriptionBlocks.markAllReviewed', () => {
 		expect(ctrl.blocks.every((b) => b.reviewed)).toBe(true);
 	});
 
-	it('is a no-op when PUT returns non-OK', async () => {
+	it('throws and leaves blocks unchanged when PUT returns non-OK', async () => {
 		const fetchImpl = vi.fn(async (url: RequestInfo | URL, init?: RequestInit) => {
 			const u = url.toString();
 			const method = init?.method ?? 'GET';
 			if (u.includes('/review-all') && method === 'PUT') {
-				return new Response('', { status: 500 });
+				return new Response(JSON.stringify({ code: 'INTERNAL_ERROR' }), {
+					status: 500,
+					headers: { 'Content-Type': 'application/json' }
+				});
 			}
 			return new Response(JSON.stringify([baseBlock({ id: 'b-1', reviewed: false })]), {
 				status: 200,
@@ -274,7 +277,26 @@ describe('createTranscriptionBlocks.markAllReviewed', () => {
 
 		const ctrl = createTranscriptionBlocks({ documentId: () => 'doc-1', fetchImpl });
 		await ctrl.load();
-		await ctrl.markAllReviewed();
+		await expect(ctrl.markAllReviewed()).rejects.toThrow('INTERNAL_ERROR');
+		expect(ctrl.blocks[0].reviewed).toBe(false);
+	});
+
+	it('throws INTERNAL_ERROR when PUT returns non-JSON body (e.g. nginx 502)', async () => {
+		const fetchImpl = vi.fn(async (url: RequestInfo | URL, init?: RequestInit) => {
+			const u = url.toString();
+			const method = init?.method ?? 'GET';
+			if (u.includes('/review-all') && method === 'PUT') {
+				return new Response('Bad Gateway', { status: 502 });
+			}
+			return new Response(JSON.stringify([baseBlock({ id: 'b-1', reviewed: false })]), {
+				status: 200,
+				headers: { 'Content-Type': 'application/json' }
+			});
+		});
+
+		const ctrl = createTranscriptionBlocks({ documentId: () => 'doc-1', fetchImpl });
+		await ctrl.load();
+		await expect(ctrl.markAllReviewed()).rejects.toThrow('INTERNAL_ERROR');
 		expect(ctrl.blocks[0].reviewed).toBe(false);
 	});
 });

frontend/src/lib/document/transcription/useTranscriptionBlocks.svelte.ts

@@ -2,6 +2,7 @@
    lastEditedAt's $derived are scope-local to one computation; they're never
    stored on $state. */
 import type { TranscriptionBlockData, PersonMention } from '$lib/shared/types';
+import { makeCsrfFetch } from '$lib/shared/cookies';
 import { saveBlockWithConflictRetry } from './saveBlockWithConflictRetry';
 import { BlockConflictResolvedError } from './blockConflictMerge';
 
@@ -41,7 +42,7 @@ export function createTranscriptionBlocks(
 	options: TranscriptionBlocksOptions
 ): TranscriptionBlocksController {
 	const { documentId } = options;
-	const fetchImpl = options.fetchImpl ?? fetch;
+	const fetchImpl = makeCsrfFetch(options.fetchImpl ?? fetch);
 
 	let blocks = $state<TranscriptionBlockData[]>([]);
 	let annotationReloadKey = $state(0);
@@ -119,7 +120,11 @@ export function createTranscriptionBlocks(
 		const res = await fetchImpl(`/api/documents/${documentId()}/transcription-blocks/review-all`, {
 			method: 'PUT'
 		});
-		if (!res.ok) return;
+		if (!res.ok) {
+			const body = await res.json().catch(() => ({}));
+			// Never render body.message — route through getErrorMessage() to prevent leaking backend internals
+			throw new Error((body as { code?: string })?.code ?? 'INTERNAL_ERROR');
+		}
 		const updated = (await res.json()) as { id: string; reviewed: boolean }[];
 		for (const b of updated) {
 			const existing = blocks.find((x) => x.id === b.id);

frontend/src/lib/document/viewer/PdfControls.svelte

@@ -34,7 +34,7 @@ let {
 		<button
 			onclick={onPrev}
 			disabled={currentPage <= 1}
-			aria-label="Zurück"
+			aria-label={m.viewer_previous_page()}
 			class="min-h-[44px] min-w-[44px] rounded p-2 text-ink-3 transition hover:bg-surface/10 focus-visible:ring-2 focus-visible:ring-brand-navy focus-visible:ring-offset-1 disabled:opacity-40"
 		>
 			<svg class="h-4 w-4" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
@@ -51,7 +51,7 @@ let {
 		<button
 			onclick={onNext}
 			disabled={!isLoaded || currentPage >= totalPages}
-			aria-label="Weiter"
+			aria-label={m.viewer_next_page()}
 			class="min-h-[44px] min-w-[44px] rounded p-2 text-ink-3 transition hover:bg-surface/10 focus-visible:ring-2 focus-visible:ring-brand-navy focus-visible:ring-offset-1 disabled:opacity-40"
 		>
 			<svg class="h-4 w-4" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
@@ -64,7 +64,7 @@ let {
 	<div class="flex items-center gap-1">
 		<button
 			onclick={onZoomOut}
-			aria-label="Verkleinern"
+			aria-label={m.viewer_zoom_out()}
 			class="min-h-[44px] min-w-[44px] rounded p-2 text-ink-3 transition hover:bg-surface/10 focus-visible:ring-2 focus-visible:ring-brand-navy focus-visible:ring-offset-1"
 		>
 			<svg class="h-4 w-4" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
@@ -74,7 +74,7 @@ let {
 		</button>
 		<button
 			onclick={onZoomIn}
-			aria-label="Vergrößern"
+			aria-label={m.viewer_zoom_in()}
 			class="min-h-[44px] min-w-[44px] rounded p-2 text-ink-3 transition hover:bg-surface/10 focus-visible:ring-2 focus-visible:ring-brand-navy focus-visible:ring-offset-1"
 		>
 			<svg class="h-4 w-4" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">

frontend/src/lib/document/viewer/PdfControls.svelte.spec.ts

@@ -2,6 +2,7 @@ import { vi, describe, it, expect, afterEach } from 'vitest';
 import { cleanup, render } from 'vitest-browser-svelte';
 import { page } from 'vitest/browser';
 
+import { m } from '$lib/paraglide/messages.js';
 import PdfControls from './PdfControls.svelte';
 
 afterEach(cleanup);
@@ -23,28 +24,28 @@ describe('PdfControls — annotation toggle visibility', () => {
 	it('renders annotation toggle when annotationCount is greater than zero', async () => {
 		render(PdfControls, { ...defaultProps, annotationCount: 3 });
 		await expect
-			.element(page.getByRole('button', { name: /annotierungen anzeigen/i }))
+			.element(page.getByRole('button', { name: m.pdf_annotations_show() }))
 			.toBeInTheDocument();
 	});
 
 	it('does not render annotation toggle when annotationCount is zero', async () => {
 		render(PdfControls, { ...defaultProps, annotationCount: 0 });
 		await expect
-			.element(page.getByRole('button', { name: /annotierungen/i }))
+			.element(page.getByRole('button', { name: m.pdf_annotations_show() }))
 			.not.toBeInTheDocument();
 	});
 });
 
 describe('PdfControls — annotation toggle label', () => {
-	it('shows "Annotierungen anzeigen" label when annotations are hidden', async () => {
+	it('shows show-annotations label when annotations are hidden', async () => {
 		render(PdfControls, { ...defaultProps, annotationCount: 2, showAnnotations: false });
-		const btn = page.getByRole('button', { name: /annotierungen anzeigen/i });
+		const btn = page.getByRole('button', { name: m.pdf_annotations_show() });
 		await expect.element(btn).toBeInTheDocument();
 	});
 
-	it('shows "Annotierungen verbergen" label when annotations are visible', async () => {
+	it('shows hide-annotations label when annotations are visible', async () => {
 		render(PdfControls, { ...defaultProps, annotationCount: 2, showAnnotations: true });
-		const btn = page.getByRole('button', { name: /annotierungen verbergen/i });
+		const btn = page.getByRole('button', { name: m.pdf_annotations_hide() });
 		await expect.element(btn).toBeInTheDocument();
 	});
 });
@@ -58,7 +59,9 @@ describe('PdfControls — annotation toggle contrast (WCAG 2.1 AA)', () => {
 		});
 		const allButtons = container.querySelectorAll('button');
 		const annotationBtn = Array.from(allButtons).find((b) =>
-			b.getAttribute('aria-label')?.toLowerCase().includes('annotierungen')
+			[m.pdf_annotations_show(), m.pdf_annotations_hide()].includes(
+				b.getAttribute('aria-label') ?? ''
+			)
 		);
 		expect(annotationBtn).not.toBeNull();
 		expect(annotationBtn!.className).toContain('text-primary');
@@ -75,7 +78,9 @@ describe('PdfControls — focus rings (WCAG 2.1 §2.4.7)', () => {
 		});
 		const allButtons = container.querySelectorAll('button');
 		const annotationBtn = Array.from(allButtons).find((b) =>
-			b.getAttribute('aria-label')?.toLowerCase().includes('annotierungen')
+			[m.pdf_annotations_show(), m.pdf_annotations_hide()].includes(
+				b.getAttribute('aria-label') ?? ''
+			)
 		);
 		expect(annotationBtn).not.toBeNull();
 		expect(annotationBtn!.className).toContain('focus-visible:ring-2');
@@ -86,7 +91,12 @@ describe('PdfControls — focus rings (WCAG 2.1 §2.4.7)', () => {
 		const allButtons = container.querySelectorAll('button');
 		const iconOnlyButtons = Array.from(allButtons).filter((b) => {
 			const label = b.getAttribute('aria-label') ?? '';
-			return ['zurück', 'weiter', 'verkleinern', 'vergrößern'].includes(label.toLowerCase());
+			return [
+				m.viewer_previous_page(),
+				m.viewer_next_page(),
+				m.viewer_zoom_out(),
+				m.viewer_zoom_in()
+			].includes(label);
 		});
 		expect(iconOnlyButtons).toHaveLength(4);
 		for (const btn of iconOnlyButtons) {
@@ -104,7 +114,9 @@ describe('PdfControls — touch targets (WCAG 2.2 §2.5.8)', () => {
 		});
 		const allButtons = container.querySelectorAll('button');
 		const annotationBtn = Array.from(allButtons).find((b) =>
-			b.getAttribute('aria-label')?.toLowerCase().includes('annotierungen')
+			[m.pdf_annotations_show(), m.pdf_annotations_hide()].includes(
+				b.getAttribute('aria-label') ?? ''
+			)
 		);
 		expect(annotationBtn).not.toBeNull();
 		expect(annotationBtn!.className).toContain('min-h-[44px]');
@@ -118,7 +130,9 @@ describe('PdfControls — touch targets (WCAG 2.2 §2.5.8)', () => {
 		});
 		const allButtons = container.querySelectorAll('button');
 		const annotationBtn = Array.from(allButtons).find((b) =>
-			b.getAttribute('aria-label')?.toLowerCase().includes('annotierungen')
+			[m.pdf_annotations_show(), m.pdf_annotations_hide()].includes(
+				b.getAttribute('aria-label') ?? ''
+			)
 		);
 		expect(annotationBtn).not.toBeNull();
 		expect(annotationBtn!.className).toContain('min-w-[44px]');
@@ -131,7 +145,9 @@ describe('PdfControls — touch targets (WCAG 2.2 §2.5.8)', () => {
 			showAnnotations: false
 		});
 		const btn1 = Array.from(c1.querySelectorAll('button')).find((b) =>
-			b.getAttribute('aria-label')?.toLowerCase().includes('annotierungen')
+			[m.pdf_annotations_show(), m.pdf_annotations_hide()].includes(
+				b.getAttribute('aria-label') ?? ''
+			)
 		);
 		expect(btn1!.getAttribute('aria-pressed')).toBe('false');
 		cleanup();
@@ -142,7 +158,9 @@ describe('PdfControls — touch targets (WCAG 2.2 §2.5.8)', () => {
 			showAnnotations: true
 		});
 		const btn2 = Array.from(c2.querySelectorAll('button')).find((b) =>
-			b.getAttribute('aria-label')?.toLowerCase().includes('annotierungen')
+			[m.pdf_annotations_show(), m.pdf_annotations_hide()].includes(
+				b.getAttribute('aria-label') ?? ''
+			)
 		);
 		expect(btn2!.getAttribute('aria-pressed')).toBe('true');
 	});
@@ -152,7 +170,12 @@ describe('PdfControls — touch targets (WCAG 2.2 §2.5.8)', () => {
 		const allButtons = container.querySelectorAll('button');
 		const iconOnlyButtons = Array.from(allButtons).filter((b) => {
 			const label = b.getAttribute('aria-label') ?? '';
-			return ['zurück', 'weiter', 'verkleinern', 'vergrößern'].includes(label.toLowerCase());
+			return [
+				m.viewer_previous_page(),
+				m.viewer_next_page(),
+				m.viewer_zoom_out(),
+				m.viewer_zoom_in()
+			].includes(label);
 		});
 		expect(iconOnlyButtons).toHaveLength(4);
 		for (const btn of iconOnlyButtons) {
@@ -165,7 +188,12 @@ describe('PdfControls — touch targets (WCAG 2.2 §2.5.8)', () => {
 		const allButtons = container.querySelectorAll('button');
 		const iconOnlyButtons = Array.from(allButtons).filter((b) => {
 			const label = b.getAttribute('aria-label') ?? '';
-			return ['zurück', 'weiter', 'verkleinern', 'vergrößern'].includes(label.toLowerCase());
+			return [
+				m.viewer_previous_page(),
+				m.viewer_next_page(),
+				m.viewer_zoom_out(),
+				m.viewer_zoom_in()
+			].includes(label);
 		});
 		expect(iconOnlyButtons).toHaveLength(4);
 		for (const btn of iconOnlyButtons) {

frontend/src/lib/generated/api.ts

@@ -180,6 +180,22 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
+    "/api/users/{id}/force-logout": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        get?: never;
+        put?: never;
+        post: operations["forceLogout"];
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
     "/api/users/me/password": {
         parameters: {
             query?: never;
@@ -580,6 +596,38 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
+    "/api/auth/logout": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        get?: never;
+        put?: never;
+        post: operations["logout"];
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
+    "/api/auth/login": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        get?: never;
+        put?: never;
+        post: operations["login"];
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
     "/api/auth/forgot-password": {
         parameters: {
             query?: never;
@@ -1849,7 +1897,7 @@ export interface components {
             status: string;
             /** Format: date-time */
             createdAt: string;
-            shareableUrl?: string;
+            shareableUrl: string;
         };
         GroupDTO: {
             name?: string;
@@ -2011,13 +2059,17 @@ export interface components {
             lastName?: string;
             notifyOnMention?: boolean;
         };
+        LoginRequest: {
+            email?: string;
+            password?: string;
+        };
         ForgotPasswordRequest: {
             email?: string;
         };
         ImportStatus: {
             /** @enum {string} */
             state?: "IDLE" | "RUNNING" | "DONE" | "FAILED";
-            message?: string;
+            statusCode?: string;
             /** Format: int32 */
             processed?: number;
             /** Format: date-time */
@@ -2255,14 +2307,14 @@ export interface components {
             /** Format: int32 */
             totalPages?: number;
             pageable?: components["schemas"]["PageableObject"];
-            first?: boolean;
-            last?: boolean;
             /** Format: int32 */
             size?: number;
             content?: components["schemas"]["NotificationDTO"][];
             /** Format: int32 */
             number?: number;
             sort?: components["schemas"]["SortObject"];
+            first?: boolean;
+            last?: boolean;
             /** Format: int32 */
             numberOfElements?: number;
             empty?: boolean;
@@ -2410,7 +2462,7 @@ export interface components {
         };
         ActivityFeedItemDTO: {
             /** @enum {string} */
-            kind: "FILE_UPLOADED" | "STATUS_CHANGED" | "METADATA_UPDATED" | "TEXT_SAVED" | "BLOCK_REVIEWED" | "ANNOTATION_CREATED" | "COMMENT_ADDED" | "MENTION_CREATED" | "USER_CREATED" | "USER_DELETED" | "GROUP_MEMBERSHIP_CHANGED";
+            kind: "FILE_UPLOADED" | "STATUS_CHANGED" | "METADATA_UPDATED" | "TEXT_SAVED" | "BLOCK_REVIEWED" | "ANNOTATION_CREATED" | "COMMENT_ADDED" | "MENTION_CREATED" | "USER_CREATED" | "USER_DELETED" | "GROUP_MEMBERSHIP_CHANGED" | "LOGIN_SUCCESS" | "LOGIN_FAILED" | "LOGOUT" | "ADMIN_FORCE_LOGOUT" | "LOGIN_RATE_LIMITED";
             actor?: components["schemas"]["ActivityActorDTO"];
             /** Format: uuid */
             documentId: string;
@@ -2954,6 +3006,30 @@ export interface operations {
             };
         };
     };
+    forceLogout: {
+        parameters: {
+            query?: never;
+            header?: never;
+            path: {
+                id: string;
+            };
+            cookie?: never;
+        };
+        requestBody?: never;
+        responses: {
+            /** @description OK */
+            200: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content: {
+                    "*/*": {
+                        [key: string]: unknown;
+                    };
+                };
+            };
+        };
+    };
     changePassword: {
         parameters: {
             query?: never;
@@ -3547,6 +3623,7 @@ export interface operations {
             query?: never;
             header?: never;
             path: {
+                documentId: string;
                 blockId: string;
             };
             cookie?: never;
@@ -3597,6 +3674,7 @@ export interface operations {
             header?: never;
             path: {
                 documentId: string;
+                blockId: string;
                 commentId: string;
             };
             cookie?: never;
@@ -3791,6 +3869,48 @@ export interface operations {
             };
         };
     };
+    logout: {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        requestBody?: never;
+        responses: {
+            /** @description OK */
+            200: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content?: never;
+            };
+        };
+    };
+    login: {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["LoginRequest"];
+            };
+        };
+        responses: {
+            /** @description OK */
+            200: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content: {
+                    "*/*": components["schemas"]["AppUser"];
+                };
+            };
+        };
+    };
     forgotPassword: {
         parameters: {
             query?: never;
@@ -4985,7 +5105,7 @@ export interface operations {
                     [name: string]: unknown;
                 };
                 content: {
-                    "*/*": components["schemas"]["DocumentDensityResult"];
+                    "application/json": components["schemas"]["DocumentDensityResult"];
                 };
             };
         };
@@ -5061,7 +5181,7 @@ export interface operations {
             query?: {
                 limit?: number;
                 /** @description Filter by audit kinds; omit for all rollup-eligible kinds */
-                kinds?: ("FILE_UPLOADED" | "STATUS_CHANGED" | "METADATA_UPDATED" | "TEXT_SAVED" | "BLOCK_REVIEWED" | "ANNOTATION_CREATED" | "COMMENT_ADDED" | "MENTION_CREATED" | "USER_CREATED" | "USER_DELETED" | "GROUP_MEMBERSHIP_CHANGED")[];
+                kinds?: ("FILE_UPLOADED" | "STATUS_CHANGED" | "METADATA_UPDATED" | "TEXT_SAVED" | "BLOCK_REVIEWED" | "ANNOTATION_CREATED" | "COMMENT_ADDED" | "MENTION_CREATED" | "USER_CREATED" | "USER_DELETED" | "GROUP_MEMBERSHIP_CHANGED" | "LOGIN_SUCCESS" | "LOGIN_FAILED" | "LOGOUT" | "ADMIN_FORCE_LOGOUT" | "LOGIN_RATE_LIMITED")[];
             };
             header?: never;
             path?: never;

frontend/src/lib/messages.spec.ts

@@ -0,0 +1,43 @@
+import { describe, it, expect } from 'vitest';
+import de from '../../messages/de.json';
+import en from '../../messages/en.json';
+import es from '../../messages/es.json';
+
+describe('message key parity', () => {
+	it('de, en, and es have identical key sets', () => {
+		const deKeys = Object.keys(de).sort();
+		const enKeys = Object.keys(en).sort();
+		const esKeys = Object.keys(es).sort();
+		expect(enKeys).toEqual(deKeys);
+		expect(esKeys).toEqual(deKeys);
+	});
+
+	it('viewer navigation keys are present in all locales', () => {
+		const requiredViewerKeys = [
+			'viewer_previous_page',
+			'viewer_next_page',
+			'viewer_zoom_out',
+			'viewer_zoom_in'
+		];
+		for (const key of requiredViewerKeys) {
+			expect(de, `missing key in de: ${key}`).toHaveProperty(key);
+			expect(en, `missing key in en: ${key}`).toHaveProperty(key);
+			expect(es, `missing key in es: ${key}`).toHaveProperty(key);
+		}
+	});
+
+	it('transcribe mark-for-training key is present in all locales', () => {
+		expect(de).toHaveProperty('transcribe_mark_for_training');
+		expect(en).toHaveProperty('transcribe_mark_for_training');
+		expect(es).toHaveProperty('transcribe_mark_for_training');
+	});
+
+	it('layout menu open/close keys are present in all locales', () => {
+		expect(de).toHaveProperty('layout_menu_open');
+		expect(de).toHaveProperty('layout_menu_close');
+		expect(en).toHaveProperty('layout_menu_open');
+		expect(en).toHaveProperty('layout_menu_close');
+		expect(es).toHaveProperty('layout_menu_open');
+		expect(es).toHaveProperty('layout_menu_close');
+	});
+});

frontend/src/lib/notification/NotificationBell.svelte

@@ -1,10 +1,8 @@
 <script lang="ts">
 import { onMount, onDestroy } from 'svelte';
-import { goto } from '$app/navigation';
 import { m } from '$lib/paraglide/messages.js';
 import { clickOutside } from '$lib/shared/actions/clickOutside';
 import { notificationStore } from '$lib/notification/notifications.svelte';
-import { buildCommentHref } from '$lib/shared/discussion/commentDeepLink';
 import NotificationDropdown from './NotificationDropdown.svelte';
 
 let open = $state(false);
@@ -30,17 +28,6 @@ function closeDropdown() {
 	bellButtonEl?.focus();
 }
 
-async function handleMarkRead(notification: Parameters<typeof stream.markRead>[0]) {
-	await stream.markRead(notification);
-	const url = buildCommentHref(
-		notification.documentId,
-		notification.referenceId,
-		notification.annotationId
-	);
-	closeDropdown();
-	goto(url);
-}
-
 function handleKeydown(event: KeyboardEvent) {
 	if (event.key === 'Escape' && open) {
 		event.stopPropagation();
@@ -113,8 +100,8 @@ onDestroy(() => {
 	{#if open}
 		<NotificationDropdown
 			notifications={stream.notifications}
-			onMarkRead={handleMarkRead}
+			optimisticMarkRead={stream.optimisticMarkRead}
-			onMarkAllRead={stream.markAllRead}
+			optimisticMarkAllRead={stream.optimisticMarkAllRead}
 			onClose={closeDropdown}
 		/>
 	{/if}

frontend/src/lib/notification/NotificationBell.svelte.spec.ts

@@ -3,10 +3,18 @@ import { cleanup, render } from 'vitest-browser-svelte';
 import type { NotificationItem } from '$lib/notification/notifications';
 import NotificationBell from './NotificationBell.svelte';
 
-const gotoMock = vi.hoisted(() => vi.fn());
+vi.mock('$app/navigation', () => ({ goto: vi.fn(), beforeNavigate: vi.fn() }));
-vi.mock('$app/navigation', () => ({ goto: gotoMock, beforeNavigate: vi.fn() }));
+vi.mock('$app/forms', () => ({
+	enhance(node: HTMLFormElement, submit?: (opts: { formData: FormData }) => unknown) {
+		const handler = (e: Event) => {
+			e.preventDefault();
+			submit?.({ formData: new FormData(node) } as never);
+		};
+		node.addEventListener('submit', handler);
+		return { destroy: () => node.removeEventListener('submit', handler) };
+	}
+}));
 
-const mockMarkRead = vi.hoisted(() => vi.fn().mockResolvedValue(undefined));
 const mockNotificationList = vi.hoisted((): { value: NotificationItem[] } => ({ value: [] }));
 
 vi.mock('$lib/notification/notifications.svelte', () => ({
@@ -17,18 +25,17 @@ vi.mock('$lib/notification/notifications.svelte', () => ({
 		get unreadCount() {
 			return mockNotificationList.value.length;
 		},
-		markRead: mockMarkRead,
+		optimisticMarkRead: vi.fn(),
+		optimisticMarkAllRead: vi.fn(),
 		fetchNotifications: vi.fn().mockResolvedValue(undefined),
 		init: vi.fn(),
-		destroy: vi.fn(),
+		destroy: vi.fn()
-		markAllRead: vi.fn()
 	}
 }));
 
 afterEach(() => {
 	cleanup();
-	gotoMock.mockClear();
+	vi.clearAllMocks();
-	mockMarkRead.mockClear();
 	mockNotificationList.value = [];
 });
 
@@ -45,16 +52,6 @@ const makeNotification = (overrides: Partial<NotificationItem> = {}): Notificati
 	...overrides
 });
 
-async function openDropdownAndClickFirstNotification() {
-	const bellButton = document.querySelector<HTMLButtonElement>('button[aria-haspopup="true"]')!;
-	bellButton.click();
-	await vi.waitFor(() => {
-		expect(document.querySelector('[role="dialog"]')).not.toBeNull();
-	});
-	const notifButton = document.querySelector<HTMLButtonElement>('[role="list"] button')!;
-	notifButton.click();
-}
-
 describe('NotificationBell — cursor and tooltip', () => {
 	it('bell button has cursor-pointer class', async () => {
 		render(NotificationBell);
@@ -82,29 +79,3 @@ describe('NotificationBell — cursor and tooltip', () => {
 		expect(btn.getAttribute('aria-label')).toBe(btn.getAttribute('title'));
 	});
 });
-
-describe('NotificationBell', () => {
-	it('handleMarkRead navigates to URL including annotationId when notification has annotationId', async () => {
-		mockNotificationList.value = [makeNotification({ annotationId: 'annot-1' })];
-		render(NotificationBell);
-
-		await openDropdownAndClickFirstNotification();
-
-		await vi.waitFor(() => {
-			expect(gotoMock).toHaveBeenCalledWith(
-				'/documents/doc-1?commentId=ref-1&annotationId=annot-1'
-			);
-		});
-	});
-
-	it('handleMarkRead navigates to commentId-only URL when annotationId is absent', async () => {
-		mockNotificationList.value = [makeNotification({ annotationId: null })];
-		render(NotificationBell);
-
-		await openDropdownAndClickFirstNotification();
-
-		await vi.waitFor(() => {
-			expect(gotoMock).toHaveBeenCalledWith('/documents/doc-1?commentId=ref-1');
-		});
-	});
-});

frontend/src/lib/notification/NotificationDropdown.svelte

@@ -1,17 +1,21 @@
 <script lang="ts">
 import { goto } from '$app/navigation';
+import { enhance } from '$app/forms';
 import { m } from '$lib/paraglide/messages.js';
 import { relativeTime } from '$lib/shared/utils/time';
+import { buildCommentHref } from '$lib/shared/discussion/commentDeepLink';
 import type { NotificationItem } from '$lib/notification/notifications.svelte';
 
 type Props = {
 	notifications: NotificationItem[];
-	onMarkRead: (notification: NotificationItem) => void;
+	optimisticMarkRead: (id: string) => void;
-	onMarkAllRead: () => void;
+	optimisticMarkAllRead: () => void;
 	onClose: () => void;
 };
 
-let { notifications, onMarkRead, onMarkAllRead, onClose }: Props = $props();
+let { notifications, optimisticMarkRead, optimisticMarkAllRead, onClose }: Props = $props();
+
+let errorMessage = $state<string | null>(null);
 
 function handleViewAll() {
 	onClose(); // close first — avoids stale dropdown during navigation transition
@@ -31,16 +35,35 @@ function handleViewAll() {
 			{m.notification_bell_label()}
 		</span>
 		{#if notifications.length > 0}
+			<form
+				action="/aktivitaeten?/mark-all-read"
+				method="POST"
+				use:enhance={() => {
+					errorMessage = null;
+					optimisticMarkAllRead();
+					return async ({ result, update }) => {
+						if (result.type === 'failure' || result.type === 'error') {
+							errorMessage = (result as { data?: { error?: string } }).data?.error ?? m.notification_error_generic();
+							await update({ reset: false, invalidateAll: false });
+						}
+					};
+				}}
+			>
 				<button
-				type="button"
+					type="submit"
-				onclick={onMarkAllRead}
 					class="text-xs font-medium text-ink-3 transition-colors hover:text-ink"
 				>
 					{m.notification_mark_all_read()}
 				</button>
+			</form>
 		{/if}
 	</div>
 
+	<!-- Error banner (shown when a dismiss or mark-all action fails) -->
+	{#if errorMessage}
+		<p role="alert" class="px-4 py-2 text-sm text-red-600">{errorMessage}</p>
+	{/if}
+
 	<!-- Notification list -->
 	{#if notifications.length === 0}
 		<!-- Empty state -->
@@ -66,10 +89,35 @@ function handleViewAll() {
 		<ul role="list" class="max-h-[24rem] overflow-y-auto">
 			{#each notifications as notification (notification.id)}
 				<li>
+					<form
+						action="/aktivitaeten?/dismiss-notification"
+						method="POST"
+						class="contents"
+						use:enhance={() => {
+							errorMessage = null;
+							optimisticMarkRead(notification.id);
+							return async ({ result, update }) => {
+								if (result.type === 'failure' || result.type === 'error') {
+									errorMessage = (result as { data?: { error?: string } }).data?.error ?? m.notification_error_generic();
+									await update({ reset: false, invalidateAll: false });
+								} else {
+									// Navigate away — no need to update the store since we're leaving the page
+									onClose();
+									goto(
+										buildCommentHref(
+											notification.documentId,
+											notification.referenceId,
+											notification.annotationId
+										)
+									);
+								}
+							};
+						}}
+					>
+						<input type="hidden" name="notificationId" value={notification.id} />
 						<button
-						type="button"
+							type="submit"
-						onclick={() => onMarkRead(notification)}
+							class="flex w-full cursor-pointer items-start gap-3 border-b border-line px-4 py-3.5 text-left last:border-b-0 hover:bg-canvas
-						class="flex w-full cursor-pointer items-start gap-3 border-b border-line px-4 py-3 text-left last:border-b-0 hover:bg-canvas
 								{!notification.read ? 'bg-accent-bg/20' : ''}"
 						>
 							<!-- Type icon -->
@@ -127,6 +175,7 @@ function handleViewAll() {
 								></span>
 							{/if}
 						</button>
+					</form>
 				</li>
 			{/each}
 		</ul>

frontend/src/lib/notification/NotificationDropdown.svelte.test.ts

@@ -6,9 +6,38 @@ import NotificationDropdown from './NotificationDropdown.svelte';
 
 vi.mock('$app/navigation', () => ({ goto: vi.fn() }));
 
+// Configurable result for the enhance mock — tests that need failure set
+// mockFormResult.type = 'failure' before clicking.
+const mockFormResult = vi.hoisted(() => ({ type: 'success' as string }));
+
+// Invoke the SubmitFunction and always call the returned result callback with
+// mockFormResult so tests can exercise both success and failure branches.
+vi.mock('$app/forms', () => ({
+	enhance(
+		node: HTMLFormElement,
+		submit?: (opts: {
+			formData: FormData;
+		}) => (opts: {
+			result: { type: string; data?: Record<string, unknown> };
+			update: () => Promise<void>;
+		}) => Promise<void>
+	) {
+		const handler = async (e: Event) => {
+			e.preventDefault();
+			const cb = submit?.({ formData: new FormData(node) } as never);
+			if (typeof cb === 'function') {
+				await cb({ result: mockFormResult, update: async () => {} } as never);
+			}
+		};
+		node.addEventListener('submit', handler);
+		return { destroy: () => node.removeEventListener('submit', handler) };
+	}
+}));
+
 afterEach(() => {
 	cleanup();
 	vi.clearAllMocks();
+	mockFormResult.type = 'success'; // reset to default after each test
 });
 
 const makeNotification = (overrides: Record<string, unknown> = {}) => ({
@@ -29,8 +58,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -42,8 +71,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -55,8 +84,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -70,8 +99,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification()],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -83,8 +112,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification({ type: 'REPLY', actorName: 'Bert' })],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -98,8 +127,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification({ type: 'MENTION', actorName: 'Clara' })],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -116,8 +145,8 @@ describe('NotificationDropdown', () => {
 					makeNotification({ id: 'n1', read: false }),
 					makeNotification({ id: 'n2', read: true })
 				],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -126,37 +155,100 @@ describe('NotificationDropdown', () => {
 		expect(unreadDots.length).toBe(1);
 	});
 
-	it('calls onMarkRead with the notification when an item is clicked', async () => {
+	it('each notification row is wrapped in a form posting to the dismiss action', async () => {
-		const onMarkRead = vi.fn();
+		render(NotificationDropdown, {
+			props: {
+				notifications: [makeNotification({ id: 'n42' })],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose: () => {}
+			}
+		});
+
+		const form = document.querySelector('form[action="/aktivitaeten?/dismiss-notification"]');
+		expect(form).not.toBeNull();
+		expect(form?.getAttribute('method')).toBe('POST');
+	});
+
+	it('the dismiss form has a hidden notificationId input with the notification id', async () => {
+		render(NotificationDropdown, {
+			props: {
+				notifications: [makeNotification({ id: 'n42' })],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose: () => {}
+			}
+		});
+
+		const input = document.querySelector<HTMLInputElement>(
+			'form[action="/aktivitaeten?/dismiss-notification"] input[name="notificationId"]'
+		);
+		expect(input?.value).toBe('n42');
+	});
+
+	it('calls optimisticMarkRead with the notification id when a row is submitted', async () => {
+		const optimisticMarkRead = vi.fn();
 		const n = makeNotification({ id: 'n42', actorName: 'Anna' });
 		render(NotificationDropdown, {
 			props: {
 				notifications: [n],
-				onMarkRead,
+				optimisticMarkRead,
-				onMarkAllRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
 
 		await page.getByRole('button', { name: /Anna hat auf deinen/i }).click();
 
-		expect(onMarkRead).toHaveBeenCalledWith(n);
+		expect(optimisticMarkRead).toHaveBeenCalledWith('n42');
 	});
 
-	it('calls onMarkAllRead when the mark-all-read button is clicked', async () => {
+	it('the mark-all-read control is a form posting to the mark-all-read action', async () => {
-		const onMarkAllRead = vi.fn();
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification()],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead,
+				optimisticMarkAllRead: () => {},
+				onClose: () => {}
+			}
+		});
+
+		const form = document.querySelector('form[action="/aktivitaeten?/mark-all-read"]');
+		expect(form).not.toBeNull();
+		expect(form?.getAttribute('method')).toBe('POST');
+	});
+
+	it('calls optimisticMarkAllRead when the mark-all-read button is submitted', async () => {
+		const optimisticMarkAllRead = vi.fn();
+		render(NotificationDropdown, {
+			props: {
+				notifications: [makeNotification()],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead,
 				onClose: () => {}
 			}
 		});
 
 		await page.getByRole('button', { name: /alle gelesen/i }).click();
 
-		expect(onMarkAllRead).toHaveBeenCalledOnce();
+		expect(optimisticMarkAllRead).toHaveBeenCalledOnce();
+	});
+
+	it('shows a role=alert error banner when mark-all-read returns a failure', async () => {
+		mockFormResult.type = 'failure';
+		render(NotificationDropdown, {
+			props: {
+				notifications: [makeNotification()],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose: () => {}
+			}
+		});
+
+		await page.getByRole('button', { name: /alle gelesen/i }).click();
+
+		const alert = document.querySelector('[role="alert"]');
+		expect(alert).not.toBeNull();
 	});
 
 	it('calls onClose when the view-all button is clicked', async () => {
@@ -164,8 +256,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose
 			}
 		});
@@ -179,8 +271,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -193,12 +285,15 @@ describe('NotificationDropdown', () => {
 	it('calls onClose before navigating to /aktivitaeten', async () => {
 		const callOrder: string[] = [];
 		const onClose = vi.fn(() => callOrder.push('close'));
-		vi.mocked(goto).mockImplementation(() => callOrder.push('goto'));
+		vi.mocked(goto).mockImplementation(() => {
+			callOrder.push('goto');
+			return Promise.resolve();
+		});
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose
 			}
 		});
@@ -212,8 +307,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification({ id: 'm1', type: 'MENTION', actorName: 'Anna' })],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -225,8 +320,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification({ id: 'r1', type: 'REPLY', actorName: 'Bert' })],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -242,14 +337,78 @@ describe('NotificationDropdown', () => {
 					makeNotification({ id: 'n1', actorName: 'First' }),
 					makeNotification({ id: 'n2', actorName: 'Second' })
 				],
-				onMarkRead: () => {},
+				optimisticMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
 
-		const items = document.querySelectorAll('button[type="button"]');
+		const forms = document.querySelectorAll('form[action="/aktivitaeten?/dismiss-notification"]');
-		// At least 2 items + mark-all button
+		expect(forms.length).toBe(2);
-		expect(items.length).toBeGreaterThanOrEqual(2);
+	});
+
+	it('calls onClose and goto with the deep-link URL after a successful dismiss', async () => {
+		const onClose = vi.fn();
+		const n = makeNotification({
+			id: 'n42',
+			documentId: 'd1',
+			referenceId: 'c1',
+			annotationId: null,
+			actorName: 'Anna'
+		});
+		render(NotificationDropdown, {
+			props: {
+				notifications: [n],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose
+			}
+		});
+
+		await page.getByRole('button', { name: /Anna hat auf deinen/i }).click();
+
+		expect(onClose).toHaveBeenCalledOnce();
+		expect(goto).toHaveBeenCalledWith('/documents/d1?commentId=c1');
+	});
+
+	it('does NOT call onClose or goto when the dismiss action returns a failure', async () => {
+		mockFormResult.type = 'failure';
+		const onClose = vi.fn();
+		const n = makeNotification({ id: 'n99', actorName: 'Bob' });
+		render(NotificationDropdown, {
+			props: {
+				notifications: [n],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose
+			}
+		});
+
+		await page.getByRole('button', { name: /Bob hat auf deinen/i }).click();
+
+		expect(onClose).not.toHaveBeenCalled();
+		expect(goto).not.toHaveBeenCalled();
+	});
+
+	it('calls goto with annotationId appended when the notification has an annotationId', async () => {
+		const n = makeNotification({
+			id: 'n55',
+			documentId: 'd1',
+			referenceId: 'c1',
+			annotationId: 'a1',
+			actorName: 'Eva'
+		});
+		render(NotificationDropdown, {
+			props: {
+				notifications: [n],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose: () => {}
+			}
+		});
+
+		await page.getByRole('button', { name: /Eva hat auf deinen/i }).click();
+
+		expect(goto).toHaveBeenCalledWith('/documents/d1?commentId=c1&annotationId=a1');
 	});
 });

frontend/src/lib/notification/notifications.svelte.spec.ts

@@ -108,12 +108,46 @@ describe('notificationStore (singleton)', () => {
 		expect(notificationStore.unreadCount).toBe(1);
 	});
 
-	it('markAllRead resets unreadCount', async () => {
+	it('optimisticMarkRead marks the notification read and decrements unreadCount without fetching', () => {
-		mockFetch.mockResolvedValue(new Response(null, { status: 200 }));
+		notificationStore.init();
-		await notificationStore.markAllRead();
+		const notification = makeNotification({ id: 'sse-1', read: false });
+		lastEventSource!.simulate('notification', JSON.stringify(notification));
+		mockFetch.mockReset(); // clear the fetchUnreadCount call from init
 
-		expect(mockFetch).toHaveBeenCalledWith('/api/notifications/read-all', { method: 'POST' });
+		notificationStore.optimisticMarkRead('sse-1');
+
+		expect(notificationStore.notifications[0].read).toBe(true);
 		expect(notificationStore.unreadCount).toBe(0);
+		expect(mockFetch).not.toHaveBeenCalled();
+	});
+
+	it('optimisticMarkRead on an already-read notification does not decrement unreadCount below 0', () => {
+		notificationStore.init();
+		const notification = makeNotification({ id: 'sse-1', read: true });
+		lastEventSource!.simulate('notification', JSON.stringify(notification));
+
+		notificationStore.optimisticMarkRead('sse-1');
+
+		expect(notificationStore.unreadCount).toBe(0);
+	});
+
+	it('optimisticMarkAllRead resets unreadCount and marks all notifications read without fetching', () => {
+		notificationStore.init();
+		lastEventSource!.simulate(
+			'notification',
+			JSON.stringify(makeNotification({ id: 'n1', read: false }))
+		);
+		lastEventSource!.simulate(
+			'notification',
+			JSON.stringify(makeNotification({ id: 'n2', read: false }))
+		);
+		mockFetch.mockReset();
+
+		notificationStore.optimisticMarkAllRead();
+
+		expect(notificationStore.unreadCount).toBe(0);
+		expect(notificationStore.notifications.every((n) => n.read)).toBe(true);
+		expect(mockFetch).not.toHaveBeenCalled();
 	});
 });
 

frontend/src/lib/notification/notifications.svelte.ts

@@ -35,28 +35,19 @@ async function fetchUnreadCount(): Promise<void> {
 	}
 }
 
-async function markRead(notification: NotificationItem): Promise<void> {
+function optimisticMarkRead(id: string): void {
-	if (!notification.read) {
+	const notification = notifications.find((n) => n.id === id);
-		try {
+	if (notification && !notification.read) {
-			await fetch(`/api/notifications/${notification.id}/read`, { method: 'PATCH' });
 		notification.read = true;
 		unreadCount = Math.max(0, unreadCount - 1);
-		} catch (e) {
-			console.error('Failed to mark notification as read', e);
-		}
 	}
 }
 
-async function markAllRead(): Promise<void> {
+function optimisticMarkAllRead(): void {
-	try {
-		await fetch('/api/notifications/read-all', { method: 'POST' });
 	for (const n of notifications) {
 		n.read = true;
 	}
 	unreadCount = 0;
-	} catch (e) {
-		console.error('Failed to mark all notifications as read', e);
-	}
 }
 
 function init(): void {
@@ -123,8 +114,8 @@ export const notificationStore = {
 	},
 	fetchNotifications,
 	fetchUnreadCount,
-	markRead,
+	optimisticMarkRead,
-	markAllRead,
+	optimisticMarkAllRead,
 	init,
 	destroy
 };

frontend/src/lib/ocr/OcrTrainingCard.svelte

@@ -2,6 +2,7 @@
 import TrainingHistory from './TrainingHistory.svelte';
 import { m } from '$lib/paraglide/messages.js';
 import type { TrainingRun } from '$lib/ocr/training.js';
+import { withCsrf } from '$lib/shared/cookies';
 
 interface TrainingInfo {
 	availableBlocks?: number;
@@ -33,7 +34,7 @@ async function startTraining() {
 	successMessage = null;
 	errorMessage = null;
 	try {
-		const res = await fetch('/api/ocr/train', { method: 'POST' });
+		const res = await fetch('/api/ocr/train', withCsrf({ method: 'POST' }));
 		if (res.ok) {
 			successMessage = m.training_success();
 			setTimeout(() => {

frontend/src/lib/ocr/SegmentationTrainingCard.svelte

@@ -2,6 +2,7 @@
 import TrainingHistory from './TrainingHistory.svelte';
 import { m } from '$lib/paraglide/messages.js';
 import type { TrainingRun } from '$lib/ocr/training.js';
+import { withCsrf } from '$lib/shared/cookies';
 
 interface TrainingInfo {
 	availableSegBlocks?: number;
@@ -27,7 +28,7 @@ async function startTraining() {
 	training = true;
 	successMessage = null;
 	try {
-		const res = await fetch('/api/ocr/segtrain', { method: 'POST' });
+		const res = await fetch('/api/ocr/segtrain', withCsrf({ method: 'POST' }));
 		if (res.ok) {
 			successMessage = m.training_success();
 			setTimeout(() => {

frontend/src/lib/shared/api.server.spec.ts

@@ -0,0 +1,20 @@
+import { describe, it, expect } from 'vitest';
+import { extractErrorCode } from './api.server';
+
+describe('extractErrorCode', () => {
+	it('returns the code string when error has a code property', () => {
+		expect(extractErrorCode({ code: 'DOCUMENT_NOT_FOUND' })).toBe('DOCUMENT_NOT_FOUND');
+	});
+	it('returns undefined when error is undefined', () => {
+		expect(extractErrorCode(undefined)).toBeUndefined();
+	});
+	it('returns undefined when error is null', () => {
+		expect(extractErrorCode(null)).toBeUndefined();
+	});
+	it('returns undefined when error is a plain string', () => {
+		expect(extractErrorCode('oops')).toBeUndefined();
+	});
+	it('returns undefined when error object has no code property', () => {
+		expect(extractErrorCode({ message: 'fail' })).toBeUndefined();
+	});
+});

frontend/src/lib/shared/api.server.ts

@@ -23,3 +23,11 @@ export function createApiClient(fetch: typeof globalThis.fetch) {
 		fetch
 	});
 }
+
+export interface ApiError {
+	code?: string;
+}
+
+export function extractErrorCode(error: unknown): string | undefined {
+	return (error as ApiError | undefined)?.code;
+}

frontend/src/lib/shared/cookies.ts

@@ -1,3 +1,46 @@
+/**
+ * Reads the XSRF-TOKEN cookie set by Spring Security's CookieCsrfTokenRepository.
+ * Returns null outside the browser or when the cookie is absent.
+ */
+export function getCsrfToken(): string | null {
+	if (typeof document === 'undefined') return null;
+	const match = document.cookie.match(/(?:^|;\s*)XSRF-TOKEN=([^;]+)/);
+	return match ? decodeURIComponent(match[1]) : null;
+}
+
+/**
+ * Merges the X-XSRF-TOKEN header into a RequestInit so Spring Security's
+ * CSRF filter accepts the request. Safe to call server-side (no-op when the
+ * cookie is absent).
+ */
+export function withCsrf(init?: RequestInit): RequestInit {
+	const token = getCsrfToken();
+	if (!token) return init ?? {};
+	const headers = new Headers(init?.headers);
+	headers.set('X-XSRF-TOKEN', token);
+	return { ...init, headers };
+}
+
+/**
+ * Wraps a fetch implementation so that every state-mutating call (POST, PUT,
+ * PATCH, DELETE) automatically includes the X-XSRF-TOKEN header. GET/HEAD
+ * requests pass through unchanged.
+ *
+ * Used to CSRF-protect client-side hooks that accept an injectable fetchImpl.
+ * In unit tests the injected mock is wrapped but getCsrfToken() returns null
+ * (no browser cookie), so no header is added and existing test expectations
+ * are unaffected.
+ */
+export function makeCsrfFetch(inner: typeof fetch): typeof fetch {
+	return (input: RequestInfo | URL, init?: RequestInit): Promise<Response> => {
+		const method = (init?.method ?? 'GET').toUpperCase();
+		if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) {
+			return inner(input, withCsrf(init));
+		}
+		return inner(input, init);
+	};
+}
+
 /**
  * Extracts the fa_session cookie value from a list of Set-Cookie response headers.
  *

frontend/src/lib/shared/discussion/MentionDropdown.svelte

@@ -2,7 +2,18 @@
 import type { components } from '$lib/generated/api';
 // eslint-disable-next-line boundaries/dependencies -- mention dropdown needs person date formatting; extract to shared if it becomes reusable
 import { formatLifeDateRange } from '$lib/person/personLifeDates';
+import { untrack } from 'svelte';
 import { m } from '$lib/paraglide/messages.js';
+// Layered defence cap on the @mention search query length (CWE-400
+// amplification). The <input maxlength> attribute below caps direct
+// user edits, but the editor-mirror path (Tiptap contenteditable -> mirror
+// $effect -> searchQuery) is not covered by `maxlength` since the
+// contenteditable has no such enforcement. Clipping at the mirror keeps
+// the cap honest from both paths. Tracked server-side separately.
+// Nora #1 on PR #629. Hoisted to mentionConstants.ts so the host editor
+// (PersonMentionEditor) can clip the inserted displayName to the same cap
+// — see Felix #3 on PR #629.
+import { MAX_QUERY_LENGTH } from './mentionConstants';
 
 type Person = components['schemas']['Person'];
 
@@ -17,7 +28,46 @@ type DropdownState = {
 	clientRect: (() => DOMRect | null) | null;
 };
 
-let { model }: { model: DropdownState } = $props();
+let {
+	model,
+	editorQuery = '',
+	onSearch = () => {}
+}: {
+	model: DropdownState;
+	/** Text typed after `@` in the host editor. Mirrors into the search input
+	 *  until the user takes manual ownership by typing into the input itself. */
+	editorQuery?: string;
+	onSearch?: (query: string) => void;
+} = $props();
+
+let searchQuery = $state(untrack(() => editorQuery.slice(0, MAX_QUERY_LENGTH)));
+let userHasEdited = $state(false);
+
+// Intent-revealing alias used by both the persistent aria-live announcer and
+// the visible empty-state copy. Folding the duplicated rule into one $derived
+// keeps the two branches in lockstep. Felix #3 on PR #629 round 4.
+const isQueryEmpty = $derived(searchQuery.trim() === '');
+
+// Mirror the editor's typed text until the user takes ownership.
+//
+// Why `$state + $effect` (not `$derived`): `searchQuery` is also written by
+// `bind:value` on the <input> below, so it needs to be a mutable `$state`.
+// A `$derived` would be read-only and would clobber direct user edits on
+// every editor keystroke. The `userHasEdited` latch pins ownership once the
+// user types into the input. Felix #1 on PR #629.
+$effect(() => {
+	if (!userHasEdited) {
+		searchQuery = editorQuery.slice(0, MAX_QUERY_LENGTH);
+	}
+});
+
+// Fire onSearch whenever the effective query changes — covers both the
+// editor mirror and direct input edits. This is the only place onSearch
+// fires; when the dropdown is unmounted, the effect is disposed and no
+// further fetches occur.
+$effect(() => {
+	onSearch(searchQuery);
+});
 
 // highlightedIndex must be both writable (keyboard handler mutates it) and
 // reset when `items` changes (so it never points past the end of a new list).
@@ -112,16 +162,70 @@ function selectItem(item: Person) {
 	unauthenticated users.
 -->
 <div
-	class="fixed z-50 w-72 overflow-hidden rounded-sm border border-line bg-surface shadow-lg"
+	class="fixed z-50 w-72 max-w-[calc(100vw-1rem)] overflow-hidden rounded-sm border border-line bg-surface shadow-lg"
 	role="listbox"
 	aria-label={m.person_mention_btn_label()}
 	style:top={position.top}
 	style:bottom={position.bottom}
 	style:left={position.left}
 >
+	<div class="border-b border-line px-3 py-2">
+		<label class="sr-only" for="mention-search">{m.person_mention_search_label()}</label>
+		<div class="flex items-center gap-2">
+			<svg
+				aria-hidden="true"
+				viewBox="0 0 24 24"
+				fill="none"
+				stroke="currentColor"
+				stroke-width="2"
+				class="h-5 w-5 shrink-0 text-ink-2"
+			>
+				<circle cx="11" cy="11" r="7" />
+				<path d="m20 20-3.5-3.5" stroke-linecap="round" />
+			</svg>
+			<input
+				id="mention-search"
+				type="search"
+				data-test-search-input
+				maxlength={MAX_QUERY_LENGTH}
+				class="min-h-[44px] w-full bg-transparent font-sans text-base text-ink placeholder:text-ink-3 focus:outline-none focus-visible:ring-2 focus-visible:ring-brand-navy focus-visible:ring-inset"
+				placeholder={m.person_mention_search_prompt()}
+				bind:value={searchQuery}
+				oninput={() => {
+					userHasEdited = true;
+				}}
+				onmousedown={(e) => e.stopPropagation()}
+			/>
+		</div>
+	</div>
+	<!--
+		Persistent aria-live region — lives ABOVE the conditional branches so the
+		element never unmounts when items transition between empty and populated.
+		VoiceOver in particular swallows announcements from freshly-mounted live
+		regions, and the previous (conditional-inside) markup silently dropped
+		the "N persons found" announcement when results populated. Leonie #3 on
+		PR #629 round 3.
+	-->
+	<p class="sr-only" aria-live="polite">
 		{#if model.items.length === 0}
-		<p class="px-3 py-2.5 font-sans text-sm text-ink-3">
+			{isQueryEmpty ? m.person_mention_search_prompt() : m.person_mention_popup_empty()}
-			{m.person_mention_popup_empty()}
+		{:else if model.items.length === 1}
+			{m.person_mention_results_count_singular()}
+		{:else}
+			{m.person_mention_results_count_plural({ count: model.items.length })}
+		{/if}
+	</p>
+	{#if model.items.length === 0}
+		<!--
+			Visible empty-state copy — visual-only. The persistent sr-only <p>
+			above is the sole AT announcer; this one is hidden from screen readers
+			via aria-hidden="true" so VoiceOver does not double-announce
+			(NVDA de-dups, VoiceOver does not). Leonie S-2 on PR #629 round 4.
+			Do NOT add an aria-live attribute here — that would re-introduce
+			the duplicate announcement.
+		-->
+		<p aria-hidden="true" class="px-3 py-2.5 font-sans text-sm text-ink-3">
+			{isQueryEmpty ? m.person_mention_search_prompt() : m.person_mention_popup_empty()}
 		</p>
 		<!--
 			Empty-state escape hatch — without it the transcriber has to close
@@ -132,7 +236,7 @@ function selectItem(item: Person) {
 		<a
 			href="/persons/new"
 			target="_blank"
-			rel="noopener"
+			rel="noopener noreferrer"
 			class="flex min-h-[44px] items-center gap-2 border-t border-line px-3 py-2.5 font-sans text-sm font-medium text-brand-navy hover:bg-canvas focus:bg-canvas focus:outline-none"
 			onmousedown={(e) => e.preventDefault()}
 		>

frontend/src/lib/shared/discussion/MentionDropdown.svelte.test.ts

@@ -1,22 +1,37 @@
 import { describe, it, expect, vi, afterEach } from 'vitest';
 import { cleanup, render } from 'vitest-browser-svelte';
-import { page } from 'vitest/browser';
+import { page, userEvent } from 'vitest/browser';
+import { flushSync, mount, tick, unmount } from 'svelte';
 import MentionDropdown from './MentionDropdown.svelte';
+import MentionDropdownFixture from './MentionDropdown.test-fixture.svelte';
+import { m } from '$lib/paraglide/messages.js';
+import type { components } from '$lib/generated/api';
+
+type Person = components['schemas']['Person'];
 
 afterEach(cleanup);
 
-const makePerson = (id: string, name: string, overrides: Record<string, unknown> = {}) => ({
+const makePerson = (id: string, name: string, overrides: Partial<Person> = {}): Person => {
+	const parts = name.split(' ');
+	return {
 		id,
-	firstName: name.split(' ')[0] ?? null,
+		firstName: parts[0],
-	lastName: name.split(' ').slice(1).join(' ') || name,
+		lastName: parts.slice(1).join(' ') || name,
 		displayName: name,
-	birthYear: null as number | null,
+		personType: 'PERSON',
-	deathYear: null as number | null,
+		familyMember: false,
 		...overrides
-});
+	};
+};
 
-const baseModel = (overrides: Record<string, unknown> = {}) => ({
+type DropdownState = {
-	items: [] as ReturnType<typeof makePerson>[],
+	items: Person[];
+	command: (item: Person) => void;
+	clientRect: (() => DOMRect | null) | null;
+};
+
+const baseModel = (overrides: Partial<DropdownState> = {}): DropdownState => ({
+	items: [],
 	command: vi.fn(),
 	clientRect: () => new DOMRect(100, 100, 0, 24),
 	...overrides
@@ -29,14 +44,32 @@ describe('MentionDropdown', () => {
 		await expect.element(page.getByRole('listbox', { name: /person verlinken/i })).toBeVisible();
 	});
 
-	it('renders the empty placeholder when items is empty', async () => {
+	it('shows the "enter a name" prompt when the search field is empty', async () => {
 		render(MentionDropdown, { props: { model: baseModel() } });
 
-		await expect.element(page.getByText('Keine Personen gefunden')).toBeVisible();
+		// Scope to the visible empty-state <p> (text-ink-3) — the persistent
+		// sr-only aria-live region above also contains the same prompt copy.
+		const visibleEmptyP = document.querySelector(
+			'[role="listbox"] p.text-ink-3'
+		) as HTMLElement | null;
+		expect(visibleEmptyP).not.toBeNull();
+		expect(visibleEmptyP!.textContent ?? '').toContain(m.person_mention_search_prompt());
+		expect(visibleEmptyP!.textContent ?? '').not.toContain(m.person_mention_popup_empty());
+	});
+
+	it('shows "no persons found" when the search has a query but the list is empty', async () => {
+		render(MentionDropdown, { props: { model: baseModel(), editorQuery: 'WdG' } });
+
+		const visibleEmptyP = document.querySelector(
+			'[role="listbox"] p.text-ink-3'
+		) as HTMLElement | null;
+		expect(visibleEmptyP).not.toBeNull();
+		expect(visibleEmptyP!.textContent ?? '').toContain(m.person_mention_popup_empty());
+		expect(visibleEmptyP!.textContent ?? '').not.toContain(m.person_mention_search_prompt());
 	});
 
 	it('shows the create-new escape hatch link in the empty state', async () => {
-		render(MentionDropdown, { props: { model: baseModel() } });
+		render(MentionDropdown, { props: { model: baseModel(), editorQuery: 'unknown' } });
 
 		const link = (await page
 			.getByRole('link', { name: /neue person anlegen/i })
@@ -44,6 +77,7 @@ describe('MentionDropdown', () => {
 		expect(link.href).toContain('/persons/new');
 		expect(link.target).toBe('_blank');
 		expect(link.rel).toContain('noopener');
+		expect(link.rel).toContain('noreferrer');
 	});
 
 	it('renders one option per item when populated', async () => {
@@ -104,3 +138,315 @@ describe('MentionDropdown', () => {
 		expect(dropdown.style.left).toBe('123px');
 	});
 });
+
+// ─── Search input — Issue #380 ────────────────────────────────────────────────
+
+describe('MentionDropdown — search input', () => {
+	it('renders a search input pre-filled with the editorQuery prop', async () => {
+		render(MentionDropdown, {
+			props: { model: baseModel(), editorQuery: 'WdG' }
+		});
+
+		await expect.element(page.getByRole('searchbox')).toHaveValue('WdG');
+	});
+
+	it('exposes a data-test-search-input attribute for E2E selectors', async () => {
+		render(MentionDropdown, { props: { model: baseModel() } });
+
+		const input = document.querySelector('[data-test-search-input]');
+		expect(input).not.toBeNull();
+		expect((input as HTMLInputElement).type).toBe('search');
+	});
+
+	it('search input wrapper meets the 44px touch target (WCAG 2.2 AA)', async () => {
+		render(MentionDropdown, { props: { model: baseModel() } });
+
+		const input = document.querySelector('[data-test-search-input]') as HTMLElement;
+		expect(input).not.toBeNull();
+		expect(input.className).toContain('min-h-[44px]');
+	});
+
+	it('renders a persistent aria-live="polite" region (does not remount on items transition; Leonie #3 on PR #629)', async () => {
+		render(MentionDropdown, { props: { model: baseModel() } });
+
+		const listbox = document.querySelector('[role="listbox"]');
+		expect(listbox).not.toBeNull();
+		const live = listbox!.querySelector('p[aria-live="polite"]');
+		expect(live).not.toBeNull();
+		// Empty + empty-query → "Namen eingeben…" prompt
+		expect(live!.textContent ?? '').toContain(m.person_mention_search_prompt());
+	});
+
+	it('announces the result count in the persistent live region when items populate (Leonie #3 on PR #629)', async () => {
+		render(MentionDropdown, {
+			props: {
+				model: baseModel({
+					items: [
+						makePerson('p1', 'Anna Schmidt'),
+						makePerson('p2', 'Bert Meier'),
+						makePerson('p3', 'Carl Vogel')
+					]
+				})
+			}
+		});
+
+		const listbox = document.querySelector('[role="listbox"]');
+		expect(listbox).not.toBeNull();
+		const live = listbox!.querySelector('p[aria-live="polite"]');
+		expect(live).not.toBeNull();
+		// Populated → "3 Personen gefunden" (plural)
+		expect(live!.textContent ?? '').toContain('3');
+	});
+
+	it('announces the singular form when exactly one item is present (Sara #4 on PR #629)', async () => {
+		render(MentionDropdown, {
+			props: {
+				model: baseModel({
+					items: [makePerson('p1', 'Anna Schmidt')]
+				})
+			}
+		});
+
+		const listbox = document.querySelector('[role="listbox"]');
+		expect(listbox).not.toBeNull();
+		const live = listbox!.querySelector('p[aria-live="polite"]');
+		expect(live).not.toBeNull();
+		// Singular branch — "1 Person gefunden" / "1 person found" / "1 persona encontrada"
+		// (locale-dependent; resolved via the Paraglide message helper).
+		expect(live!.textContent ?? '').toContain(m.person_mention_results_count_singular());
+	});
+
+	it('keeps the visible empty-state copy without its own aria-live and hides it from AT (Leonie #3 on PR #629 round 3; Leonie S-2 round 4)', async () => {
+		render(MentionDropdown, { props: { model: baseModel(), editorQuery: 'WdG' } });
+
+		// Visible empty-state <p> exists with the empty-result copy ...
+		const empty = document.querySelector('p.text-ink-3') as HTMLElement | null;
+		expect(empty).not.toBeNull();
+		expect(empty!.textContent ?? '').toContain(m.person_mention_popup_empty());
+		// ... but it must NOT carry its own aria-live (the persistent sr-only
+		// region above the conditional is the announcer now).
+		expect(empty!.hasAttribute('aria-live')).toBe(false);
+		// ... and it MUST be hidden from screen readers via aria-hidden="true"
+		// so VoiceOver does not double-announce (the persistent sr-only region
+		// is the sole AT source of truth). Leonie S-2 on PR #629 round 4.
+		expect(empty!.getAttribute('aria-hidden')).toBe('true');
+	});
+
+	it('renders the magnifier icon at h-5 w-5 with text-ink-2 (Leonie BLOCKER on PR #629)', async () => {
+		render(MentionDropdown, { props: { model: baseModel() } });
+
+		const icon = document.querySelector('[data-test-search-input]')
+			?.previousElementSibling as SVGElement | null;
+		expect(icon).not.toBeNull();
+		expect(icon!.tagName.toLowerCase()).toBe('svg');
+		expect(icon!.getAttribute('class') ?? '').toContain('h-5');
+		expect(icon!.getAttribute('class') ?? '').toContain('w-5');
+		expect(icon!.getAttribute('class') ?? '').toContain('text-ink-2');
+	});
+
+	it('caps the search input at maxlength=100 (CWE-400 amplification — Nora on PR #629)', async () => {
+		render(MentionDropdown, { props: { model: baseModel() } });
+
+		const input = document.querySelector('[data-test-search-input]') as HTMLInputElement;
+		expect(input).not.toBeNull();
+		expect(input.maxLength).toBe(100);
+	});
+
+	it('clips a long editorQuery mirror to 100 chars (CWE-400 layered — Nora #1 on PR #629)', async () => {
+		const longQuery = 'A'.repeat(200);
+		render(MentionDropdown, { props: { model: baseModel(), editorQuery: longQuery } });
+
+		const input = document.querySelector('[data-test-search-input]') as HTMLInputElement;
+		expect(input).not.toBeNull();
+		expect(input.value.length).toBe(100);
+		expect(input.value).toBe('A'.repeat(100));
+	});
+
+	it('caps the listbox width to the viewport (320 px reflow guard — Leonie FINDING-MENTION-005)', async () => {
+		render(MentionDropdown, { props: { model: baseModel() } });
+
+		const listbox = document.querySelector('[role="listbox"]') as HTMLElement;
+		expect(listbox).not.toBeNull();
+		expect(listbox.className).toContain('max-w-[calc(100vw-1rem)]');
+	});
+
+	it('renders the @mention search input at text-base (16 px senior-audience floor — Leonie FINDING-MENTION-006)', async () => {
+		render(MentionDropdown, { props: { model: baseModel() } });
+
+		const input = document.querySelector('[data-test-search-input]') as HTMLInputElement;
+		expect(input).not.toBeNull();
+		expect(input.className).toContain('text-base');
+		expect(input.className).not.toContain('text-sm');
+	});
+
+	it('invokes onSearch with the current value whenever the user types', async () => {
+		const onSearch = vi.fn();
+		render(MentionDropdown, { props: { model: baseModel(), onSearch } });
+
+		await userEvent.type(page.getByRole('searchbox'), 'Walter');
+
+		await vi.waitFor(() => {
+			expect(onSearch).toHaveBeenCalled();
+			expect(onSearch).toHaveBeenLastCalledWith('Walter');
+		});
+	});
+
+	it('keeps the user-edited search value when editorQuery changes after the takeover (Felix on PR #629)', async () => {
+		let setEditorQuery!: (q: string) => void;
+		render(MentionDropdownFixture, {
+			model: baseModel(),
+			initialEditorQuery: 'WdG',
+			onReady: (s: (q: string) => void) => {
+				setEditorQuery = s;
+			}
+		});
+
+		await expect.element(page.getByRole('searchbox')).toHaveValue('WdG');
+
+		await page.getByRole('searchbox').fill('Walter');
+		await expect.element(page.getByRole('searchbox')).toHaveValue('Walter');
+
+		setEditorQuery('WdGruyter');
+		// Flush pending Svelte reactivity so any (non-)update from the mirror
+		// $effect has landed before we assert. expect.element already polls, so
+		// no fixed-timeout fallback is needed. Sara on PR #629 round 3.
+		await tick();
+
+		await expect.element(page.getByRole('searchbox')).toHaveValue('Walter');
+	});
+});
+
+// ─── ArrowDown via exported onKeyDown (Sara #3 on PR #629) ──────────────────
+//
+// In production, Tiptap intercepts ArrowDown/ArrowUp/Enter at the editor level
+// and forwards them to the dropdown via its exported onKeyDown(event) function
+// — the dropdown itself has no DOM keydown listener. This test exercises the
+// same export so a regression in highlightedIndex/selection logic is caught
+// at the unit level. The full E2E focus-chain test is deferred to a separate
+// issue (Playwright).
+//
+// These unit tests directly invoke the exported `onKeyDown` to pin its
+// behaviour in isolation. They do NOT exercise the Tiptap forwarding
+// chain (PersonMentionEditor.suggestion.render() returning { onKeyDown })
+// — that integration is covered by the 'ArrowDown moves the highlight'
+// test in PersonMentionEditor.svelte.spec.ts. Sara on PR #629 round 3.
+
+describe('MentionDropdown — onKeyDown forwarding', () => {
+	// flushSync ensures Svelte reactivity propagation completes before
+	// asserting (uniform across all four key tests so the next reader
+	// doesn't have to figure out why some are wrapped and others aren't).
+	// Felix #1 suggestion on PR #629 round 3.
+
+	it('ArrowDown advances aria-selected to the next option in the listbox', async () => {
+		const container = document.createElement('div');
+		document.body.appendChild(container);
+		const instance = mount(MentionDropdown, {
+			target: container,
+			props: {
+				model: baseModel({
+					items: [makePerson('p1', 'Anna Schmidt'), makePerson('p2', 'Bert Meier')]
+				})
+			}
+		});
+		try {
+			const exports = instance as unknown as { onKeyDown: (e: KeyboardEvent) => boolean };
+
+			// First option starts highlighted.
+			const first = container.querySelector('[data-test-person-id="p1"]') as HTMLElement;
+			const second = container.querySelector('[data-test-person-id="p2"]') as HTMLElement;
+			expect(first.getAttribute('aria-selected')).toBe('true');
+			expect(second.getAttribute('aria-selected')).toBe('false');
+
+			let consumed = false;
+			flushSync(() => {
+				consumed = exports.onKeyDown(new KeyboardEvent('keydown', { key: 'ArrowDown' }));
+			});
+			expect(consumed).toBe(true);
+
+			expect(first.getAttribute('aria-selected')).toBe('false');
+			expect(second.getAttribute('aria-selected')).toBe('true');
+		} finally {
+			unmount(instance);
+			container.remove();
+		}
+	});
+
+	it('ArrowUp wraps from the first option to the last', async () => {
+		const container = document.createElement('div');
+		document.body.appendChild(container);
+		const instance = mount(MentionDropdown, {
+			target: container,
+			props: {
+				model: baseModel({
+					items: [makePerson('p1', 'Anna Schmidt'), makePerson('p2', 'Bert Meier')]
+				})
+			}
+		});
+		try {
+			const exports = instance as unknown as { onKeyDown: (e: KeyboardEvent) => boolean };
+
+			let consumed = false;
+			flushSync(() => {
+				consumed = exports.onKeyDown(new KeyboardEvent('keydown', { key: 'ArrowUp' }));
+			});
+			expect(consumed).toBe(true);
+
+			const second = container.querySelector('[data-test-person-id="p2"]') as HTMLElement;
+			expect(second.getAttribute('aria-selected')).toBe('true');
+		} finally {
+			unmount(instance);
+			container.remove();
+		}
+	});
+
+	it('Enter invokes model.command with the currently highlighted item', async () => {
+		const command = vi.fn();
+		const container = document.createElement('div');
+		document.body.appendChild(container);
+		const instance = mount(MentionDropdown, {
+			target: container,
+			props: {
+				model: baseModel({
+					items: [makePerson('p1', 'Anna Schmidt'), makePerson('p2', 'Bert Meier')],
+					command
+				})
+			}
+		});
+		try {
+			const exports = instance as unknown as { onKeyDown: (e: KeyboardEvent) => boolean };
+
+			let consumed = false;
+			flushSync(() => {
+				consumed = exports.onKeyDown(new KeyboardEvent('keydown', { key: 'Enter' }));
+			});
+			expect(consumed).toBe(true);
+			expect(command).toHaveBeenCalledTimes(1);
+			expect(command.mock.calls[0][0].id).toBe('p1');
+		} finally {
+			unmount(instance);
+			container.remove();
+		}
+	});
+
+	it('Escape returns false so the suggestion plugin can handle it', async () => {
+		const container = document.createElement('div');
+		document.body.appendChild(container);
+		const instance = mount(MentionDropdown, {
+			target: container,
+			props: {
+				model: baseModel({ items: [makePerson('p1', 'Anna Schmidt')] })
+			}
+		});
+		try {
+			const exports = instance as unknown as { onKeyDown: (e: KeyboardEvent) => boolean };
+			let consumed = true;
+			flushSync(() => {
+				consumed = exports.onKeyDown(new KeyboardEvent('keydown', { key: 'Escape' }));
+			});
+			expect(consumed).toBe(false);
+		} finally {
+			unmount(instance);
+			container.remove();
+		}
+	});
+});

frontend/src/lib/shared/discussion/MentionDropdown.test-fixture.svelte

@@ -0,0 +1,32 @@
+<script lang="ts">
+import { untrack } from 'svelte';
+import MentionDropdown from './MentionDropdown.svelte';
+import type { components } from '$lib/generated/api';
+
+type Person = components['schemas']['Person'];
+type DropdownState = {
+	items: Person[];
+	command: (item: Person) => void;
+	clientRect: (() => DOMRect | null) | null;
+};
+
+type Props = {
+	model: DropdownState;
+	initialEditorQuery: string;
+	/** Test hook: receives a setter for editorQuery so the test can mutate it. */
+	onReady?: (setEditorQuery: (q: string) => void) => void;
+	onSearch?: (q: string) => void;
+};
+
+let { model, initialEditorQuery, onReady, onSearch = () => {} }: Props = $props();
+
+let editorQuery = $state(untrack(() => initialEditorQuery));
+
+$effect(() => {
+	onReady?.((q) => {
+		editorQuery = q;
+	});
+});
+</script>
+
+<MentionDropdown model={model} editorQuery={editorQuery} onSearch={onSearch} />

frontend/src/lib/shared/discussion/PersonMentionEditor.svelte

@@ -7,7 +7,9 @@ import { m } from '$lib/paraglide/messages.js';
 import type { components } from '$lib/generated/api';
 import type { PersonMention } from '$lib/shared/types';
 import { deserialize, serialize } from '$lib/shared/discussion/mentionSerializer';
+import { debounce } from '$lib/shared/utils/debounce';
 import MentionDropdown from './MentionDropdown.svelte';
+import { MAX_QUERY_LENGTH, SEARCH_DEBOUNCE_MS, SEARCH_RESULT_LIMIT } from './mentionConstants';
 
 type Person = components['schemas']['Person'];
 
@@ -33,6 +35,13 @@ let {
 
 let editorEl: HTMLDivElement;
 let editor: Editor | null = null;
+// Hoisted so onDestroy can guarantee the imperatively-mounted dropdown is
+// torn down even if Tiptap's suggestion plugin onExit didn't fire (e.g. when
+// the host component is unmounted while the dropdown is still open).
+let mountedDropdown: object | null = null;
+// Hoisted so onDestroy can cancel any pending fetch — otherwise a trailing
+// debounced search can fire after the editor is gone and pollute later tests.
+let cancelPendingSearch: (() => void) | null = null;
 
 // Single reactive state object shared with MentionDropdown. Mutating these
 // fields propagates to the mounted dropdown via Svelte's $state proxy —
@@ -42,10 +51,12 @@ let dropdownState = $state<{
 	items: Person[];
 	command: (item: Person) => void;
 	clientRect: (() => DOMRect | null) | null;
+	editorQuery: string;
 }>({
 	items: [],
 	command: () => {},
-	clientRect: null
+	clientRect: null,
+	editorQuery: ''
 });
 
 type DropdownExports = {
@@ -138,16 +149,13 @@ onMount(() => {
 					// Nora #5618 #3 — separate issue tracks the GET /api/persons
 					// response-shape audit (PersonSummaryDTO leaks `notes`).
 					// ─────────────────────────────────────────────────────────────
-					items: async ({ query }: { query: string }) => {
+					// Tiptap's suggestion plugin requires an `items()` callback to keep
-						if (!query) return [];
+					// the dropdown alive, but the actual fetch is owned by `runSearch`
-						try {
+					// below — routed through the dropdown's search input via the
-							const res = await fetch(`/api/persons?q=${encodeURIComponent(query)}`);
+					// debounced `onSearch` channel. Returning `[]` here keeps Tiptap
-							if (!res.ok) return [];
+					// happy without firing a duplicate per-keystroke fetch.
-							return ((await res.json()) as Person[]).slice(0, 5);
+					// Markus #5616 / Felix / Nora / Sara on PR #629.
-						} catch {
+					items: async () => [],
-							return [];
-						}
-					},
 					// AC-1 fix: insert the typed query as displayName, not person.displayName.
 					command({ editor: ed, range, props }) {
 						const p = props as unknown as { personId: string; displayName: string };
@@ -165,7 +173,6 @@ onMount(() => {
 							.run();
 					},
 					render() {
-						let component: object | null = null;
 						let exports: DropdownExports | null = null;
 
 						// Tiptap's SuggestionProps types `command` against the default
@@ -178,25 +185,84 @@ onMount(() => {
 							clientRect?: (() => DOMRect | null) | null;
 						};
 
+						// Request-token guard: every onSearch invocation bumps `requestId`;
+						// runSearch captures the id active when its fetch starts and discards
+						// the response if a newer onSearch has fired since. Without this, a
+						// late response can repopulate the dropdown after the user cleared
+						// the search input. Sara on PR #629.
+						let requestId = 0;
+						const runSearch = async (query: string) => {
+							const id = requestId;
+							try {
+								// Defensive client-side cap — server-side enforcement is tracked
+								// separately. Markus on PR #629.
+								const res = await fetch(
+									`/api/persons?q=${encodeURIComponent(query)}&limit=${SEARCH_RESULT_LIMIT}`
+								);
+								if (id !== requestId) return;
+								if (!res.ok) {
+									dropdownState.items = [];
+									return;
+								}
+								const data = (await res.json()) as Person[];
+								if (id !== requestId) return;
+								dropdownState.items = data.slice(0, SEARCH_RESULT_LIMIT);
+							} catch {
+								if (id !== requestId) return;
+								dropdownState.items = [];
+							}
+						};
+						const debouncedSearch = debounce(runSearch, SEARCH_DEBOUNCE_MS);
+						cancelPendingSearch = () => debouncedSearch.cancel();
+						const onSearch = (query: string) => {
+							requestId++;
+							if (query.trim() === '') {
+								debouncedSearch.cancel();
+								dropdownState.items = [];
+								return;
+							}
+							debouncedSearch(query);
+						};
+
 						const updateState = (renderProps: LooseRenderProps) => {
-							dropdownState.items = renderProps.items as Person[];
+							// Clip once here so both the inserted displayName and the
+							// dropdown's editor-mirror see the same value. The dropdown
+							// already clips the mirror (Nora #1 CWE-400), but without
+							// clipping at the command boundary an unclipped query would
+							// still flow through as the inserted displayName — visible
+							// UI divergence between "what I searched" and "what was
+							// inserted". Felix #3 on PR #629.
+							const clippedQuery = renderProps.query.slice(0, MAX_QUERY_LENGTH);
 							// AC-1: pass typed query as displayName, not person.displayName
 							dropdownState.command = (item: Person) =>
 								renderProps.command({
 									personId: item.id,
-									displayName: renderProps.query
+									displayName: clippedQuery
 								});
 							dropdownState.clientRect = renderProps.clientRect ?? null;
+							dropdownState.editorQuery = clippedQuery;
 						};
 
 						return {
 							onStart(renderProps) {
-								updateState(renderProps as unknown as LooseRenderProps);
+								const loose = renderProps as unknown as LooseRenderProps;
+								updateState(loose);
+								// MentionDropdown reads `editorQuery` off the shared state
+								// proxy via its `editorQuery` prop binding below — this is
+								// the same pattern as `model.items`. We do not pass it as a
+								// separate prop because Svelte 5's mount() does not expose
+								// settable prop accessors, so we route through the proxy.
 								const mounted = mount(MentionDropdown, {
 									target: document.body,
-									props: { model: dropdownState }
+									props: {
+										model: dropdownState,
+										get editorQuery() {
+											return dropdownState.editorQuery;
+										},
+										onSearch
+									}
 								});
-								component = mounted as object;
+								mountedDropdown = mounted as object;
 								exports = mounted as unknown as DropdownExports;
 							},
 							onUpdate(renderProps) {
@@ -208,9 +274,16 @@ onMount(() => {
 								return exports?.onKeyDown(event) ?? false;
 							},
 							onExit() {
-								if (component) {
+								// Cancel any pending debounce so a closed dropdown's trailing
-									unmount(component);
+								// runSearch cannot fire against the *next* dropdown's state.
-									component = null;
+								// The hoisted `cancelPendingSearch` would be overwritten by
+								// the next render()'s onStart before the trailing call fires,
+								// so we cancel locally via the closure-scoped debouncedSearch.
+								// Felix #1 on PR #629.
+								debouncedSearch.cancel();
+								if (mountedDropdown) {
+									unmount(mountedDropdown);
+									mountedDropdown = null;
 									exports = null;
 								}
 							}
@@ -253,7 +326,15 @@ onMount(() => {
 });
 
 onDestroy(() => {
+	cancelPendingSearch?.();
 	editor?.destroy();
+	// Tiptap suggestion onExit usually unmounts the dropdown, but if the host
+	// component is destroyed while a suggestion is active the dropdown can
+	// outlive the editor — clean it up explicitly.
+	if (mountedDropdown) {
+		unmount(mountedDropdown);
+		mountedDropdown = null;
+	}
 });
 
 // Keep the data-placeholder attribute in sync with actual emptiness so the

frontend/src/lib/shared/discussion/PersonMentionEditor.svelte.spec.ts

@@ -8,29 +8,45 @@
 import { describe, it, expect, vi, afterEach } from 'vitest';
 import { cleanup, render } from 'vitest-browser-svelte';
 import { page, userEvent } from 'vitest/browser';
-import PersonMentionEditorHost from './PersonMentionEditor.test-host.svelte';
+import { tick } from 'svelte';
+import PersonMentionEditorHost from './PersonMentionEditor.test-fixture.svelte';
 import type { components } from '$lib/generated/api';
 import { m } from '$lib/paraglide/messages.js';
+// Single source of truth for the debounce window — imported from the shared
+// module so the test cannot drift from production. Sara on PR #629 round 3.
+import { SEARCH_DEBOUNCE_MS } from './mentionConstants';
 
 type Person = components['schemas']['Person'];
 type PersonMention = components['schemas']['PersonMention'];
 
+/**
+ * Headroom above SEARCH_DEBOUNCE_MS for the debounce-window wait
+ * assertions in this file. 350 ms is calibrated against CI-runner jitter
+ * we observed pre-#629; dropping it below ~200 ms reintroduces flake.
+ * See PR #629 round-2 review comment #10935 (Sara).
+ */
+const POST_DEBOUNCE_SLACK_MS = 350;
+
 const AUGUSTE: Person = {
 	id: 'p-aug',
 	firstName: 'Auguste',
 	lastName: 'Raddatz',
 	displayName: 'Auguste Raddatz',
+	personType: 'PERSON',
+	familyMember: false,
 	birthYear: 1882,
 	deathYear: 1944
-} as unknown as Person;
+};
 
 const ANNA: Person = {
 	id: 'p-anna',
 	firstName: 'Anna',
 	lastName: 'Schmidt',
 	displayName: 'Anna Schmidt',
+	personType: 'PERSON',
+	familyMember: false,
 	birthYear: 1860
-} as unknown as Person;
+};
 
 function mockFetchWithPersons(persons: Person[] = [AUGUSTE, ANNA]) {
 	vi.stubGlobal(
@@ -125,6 +141,20 @@ describe('PersonMentionEditor — typeahead', () => {
 		});
 	});
 
+	it('appends &limit=5 to the fetch URL (defensive client-side cap, Markus on PR #629)', async () => {
+		const fetchMock = vi
+			.fn()
+			.mockResolvedValue({ ok: true, json: vi.fn().mockResolvedValue([AUGUSTE]) });
+		vi.stubGlobal('fetch', fetchMock);
+		renderHost();
+
+		await userEvent.type(page.getByRole('textbox'), '@Aug');
+
+		await vi.waitFor(() => {
+			expect(fetchMock).toHaveBeenCalledWith(expect.stringContaining('limit=5'));
+		});
+	});
+
 	it('shows life dates next to the name in the dropdown', async () => {
 		mockFetchWithPersons();
 		renderHost();
@@ -142,8 +172,15 @@ describe('PersonMentionEditor — typeahead', () => {
 
 		await userEvent.type(page.getByRole('textbox'), '@xyz');
 
-		await vi.waitFor(async () => {
+		// The visible empty-state <p> (text-ink-3) shows the copy. The persistent
-			await expect.element(page.getByText('Keine Personen gefunden')).toBeInTheDocument();
+		// sr-only aria-live region also contains the same copy, so we scope to the
+		// visible element to avoid a multi-match resolution in expect.element.
+		await vi.waitFor(() => {
+			const visibleEmptyP = document.querySelector(
+				'[role="listbox"] p.text-ink-3'
+			) as HTMLElement | null;
+			expect(visibleEmptyP).not.toBeNull();
+			expect(visibleEmptyP!.textContent ?? '').toContain('Keine Personen gefunden');
 		});
 	});
 
@@ -161,6 +198,254 @@ describe('PersonMentionEditor — typeahead', () => {
 	});
 });
 
+// ─── AC-2/3: search input drives the person fetch (debounced) ───────────────
+
+describe('PersonMentionEditor — AC-2/3: search input drives fetch', () => {
+	it('editing the search input fires a debounced fetch with the new query', async () => {
+		const fetchMock = vi
+			.fn()
+			.mockResolvedValue({ ok: true, json: vi.fn().mockResolvedValue([AUGUSTE]) });
+		vi.stubGlobal('fetch', fetchMock);
+		renderHost();
+
+		// Open the dropdown so the search input is reachable.
+		await userEvent.type(page.getByRole('textbox'), '@');
+		await vi.waitFor(async () => {
+			await expect.element(page.getByRole('searchbox')).toBeVisible();
+		});
+
+		const fetchesBeforeSearch = fetchMock.mock.calls.length;
+
+		// `fill` simulates a single input event with the final value — sidesteps
+		// per-keystroke timing of userEvent.type so the test can deterministically
+		// assert that one input event collapses into one debounced fetch.
+		await page.getByRole('searchbox').fill('Walter');
+
+		await vi.waitFor(
+			() => {
+				expect(fetchMock).toHaveBeenCalledWith(expect.stringContaining('q=Walter'));
+			},
+			{ timeout: 1000 }
+		);
+
+		const fetchesAfterSearch = fetchMock.mock.calls.length - fetchesBeforeSearch;
+		expect(fetchesAfterSearch).toBe(1);
+	});
+
+	it('fires exactly one /api/persons fetch when the user searches for Walter (regression guard)', async () => {
+		// Regression guard: a previous version of PersonMentionEditor had a
+		// duplicated `items()` callback in the Tiptap suggestion config that
+		// fetched per-keystroke in addition to the debounced search-input fetch
+		// (Markus & Felix round-1). To catch that regression, we must NOT
+		// subtract any baseline — every fetch from render onwards counts.
+		// Sara on PR #629 round 3.
+		const fetchMock = vi
+			.fn()
+			.mockResolvedValue({ ok: true, json: vi.fn().mockResolvedValue([AUGUSTE]) });
+		vi.stubGlobal('fetch', fetchMock);
+		renderHost();
+
+		// Open the dropdown, then drive the search input via fill() — sidesteps
+		// per-keystroke timing of userEvent.type that Sara flagged round 2.
+		await userEvent.type(page.getByRole('textbox'), '@');
+		await vi.waitFor(async () => {
+			await expect.element(page.getByRole('searchbox')).toBeVisible();
+		});
+		await page.getByRole('searchbox').fill('Walter');
+
+		await new Promise((r) => setTimeout(r, SEARCH_DEBOUNCE_MS + POST_DEBOUNCE_SLACK_MS));
+
+		// No baseline subtraction — count ALL /api/persons fetches since render.
+		// If the legacy per-keystroke items() callback returns, typing `@` alone
+		// would already produce one fetch and `fill('Walter')` another, breaking
+		// this assertion.
+		const personsFetches = fetchMock.mock.calls.filter(
+			([url]) => typeof url === 'string' && url.startsWith('/api/persons')
+		);
+		expect(personsFetches.length).toBe(1);
+	});
+
+	it('clearing the search input clears the list without firing a fetch', async () => {
+		const fetchMock = vi
+			.fn()
+			.mockResolvedValue({ ok: true, json: vi.fn().mockResolvedValue([AUGUSTE]) });
+		vi.stubGlobal('fetch', fetchMock);
+		renderHost();
+
+		await userEvent.type(page.getByRole('textbox'), '@Aug');
+		await vi.waitFor(async () => {
+			await expect.element(page.getByText('Auguste Raddatz')).toBeInTheDocument();
+		});
+
+		const fetchesBeforeClear = fetchMock.mock.calls.length;
+
+		await userEvent.clear(page.getByRole('searchbox'));
+
+		// Negative assertion: wait past the debounce window to confirm no
+		// trailing fetch was scheduled. Removing this wait would mask a
+		// re-introduction of the keystroke-driven items() fetch.
+		await new Promise((r) => setTimeout(r, SEARCH_DEBOUNCE_MS + POST_DEBOUNCE_SLACK_MS));
+
+		expect(fetchMock.mock.calls.length).toBe(fetchesBeforeClear);
+		await expect.element(page.getByText('Auguste Raddatz')).not.toBeInTheDocument();
+	});
+});
+
+// ─── Whitespace-only query (Elicit AC-4 ambiguity on PR #629) ───────────────
+
+describe('PersonMentionEditor — whitespace-only query', () => {
+	it('keeps the "Namen eingeben…" prompt and fires no fetch when @ is followed only by spaces', async () => {
+		const fetchMock = vi.fn().mockResolvedValue({ ok: true, json: vi.fn().mockResolvedValue([]) });
+		vi.stubGlobal('fetch', fetchMock);
+		renderHost();
+
+		await userEvent.type(page.getByRole('textbox'), '@   ');
+		await vi.waitFor(async () => {
+			await expect.element(page.getByRole('searchbox')).toBeVisible();
+		});
+
+		await new Promise((r) => setTimeout(r, SEARCH_DEBOUNCE_MS + POST_DEBOUNCE_SLACK_MS));
+
+		// Scope to the visible empty-state <p> (text-ink-3) — the persistent
+		// sr-only aria-live region above contains the same copy.
+		const visibleEmptyP = document.querySelector(
+			'[role="listbox"] p.text-ink-3'
+		) as HTMLElement | null;
+		expect(visibleEmptyP).not.toBeNull();
+		expect(visibleEmptyP!.textContent ?? '').toContain(m.person_mention_search_prompt());
+		expect(fetchMock).not.toHaveBeenCalled();
+	});
+});
+
+// ─── Stale-response race (Sara on PR #629) ───────────────────────────────────
+
+describe('PersonMentionEditor — stale-response race', () => {
+	it('discards a stale response that resolves after the search has been cleared', async () => {
+		let resolveFetch!: (v: { ok: boolean; json: () => Promise<Person[]> }) => void;
+		const pendingResponse = new Promise<{ ok: boolean; json: () => Promise<Person[]> }>((r) => {
+			resolveFetch = r;
+		});
+		const fetchMock = vi.fn().mockReturnValue(pendingResponse);
+		vi.stubGlobal('fetch', fetchMock);
+		renderHost();
+
+		// Open the dropdown and let the debounce fire so a fetch is in flight.
+		await userEvent.type(page.getByRole('textbox'), '@Aug');
+		await vi.waitFor(() => {
+			expect(fetchMock).toHaveBeenCalledWith(expect.stringContaining('/api/persons?q=Aug'));
+		});
+
+		// Clear the search input *before* the fetch resolves.
+		await userEvent.clear(page.getByRole('searchbox'));
+		await expect.element(page.getByRole('searchbox')).toHaveValue('');
+
+		// The stale fetch now resolves with persons. The dropdown must stay empty.
+		resolveFetch({ ok: true, json: () => Promise.resolve([AUGUSTE]) });
+		// Flush pending Svelte reactivity so any (non-)update from the stale
+		// fetch resolution has landed before we assert. expect.element already
+		// polls, so no fixed-timeout fallback is needed. Sara on PR #629 round 4.
+		await tick();
+
+		await expect.element(page.getByText('Auguste Raddatz')).not.toBeInTheDocument();
+	});
+});
+
+// ─── Server failure characterization (Sara #2 on PR #629) ───────────────────
+
+describe('PersonMentionEditor — server failure', () => {
+	it('on 500 response keeps the dropdown open with the empty-state copy (silent failure pinned; distinct error UX tracked separately)', async () => {
+		const fetchMock = vi
+			.fn()
+			.mockResolvedValue({ ok: false, status: 500, json: vi.fn().mockResolvedValue({}) });
+		vi.stubGlobal('fetch', fetchMock);
+		renderHost();
+
+		await userEvent.type(page.getByRole('textbox'), '@Aug');
+		await new Promise((r) => setTimeout(r, SEARCH_DEBOUNCE_MS + POST_DEBOUNCE_SLACK_MS));
+
+		// Pins current silent-failure behaviour. The day someone implements a
+		// distinct error UX (toast / "Suche fehlgeschlagen" copy), this test
+		// goes red and forces them to update the assertion. Scope to the
+		// visible <p> (text-ink-3) — the persistent sr-only live region
+		// above contains the same copy.
+		const visibleEmptyP = document.querySelector(
+			'[role="listbox"] p.text-ink-3'
+		) as HTMLElement | null;
+		expect(visibleEmptyP).not.toBeNull();
+		expect(visibleEmptyP!.textContent ?? '').toContain(m.person_mention_popup_empty());
+	});
+
+	it('on a fetch reject (network failure) keeps the dropdown open with the empty-state copy', async () => {
+		const fetchMock = vi.fn().mockRejectedValue(new TypeError('NetworkError'));
+		vi.stubGlobal('fetch', fetchMock);
+		renderHost();
+
+		await userEvent.type(page.getByRole('textbox'), '@Aug');
+		await new Promise((r) => setTimeout(r, SEARCH_DEBOUNCE_MS + POST_DEBOUNCE_SLACK_MS));
+
+		const visibleEmptyP = document.querySelector(
+			'[role="listbox"] p.text-ink-3'
+		) as HTMLElement | null;
+		expect(visibleEmptyP).not.toBeNull();
+		expect(visibleEmptyP!.textContent ?? '').toContain(m.person_mention_popup_empty());
+	});
+});
+
+// ─── onExit cancels pending debounce (Felix #1 on PR #629) ───────────────────
+
+describe('PersonMentionEditor — onExit cancels pending debounce', () => {
+	it('cancels the pending debounced fetch when Escape closes the dropdown before the debounce fires', async () => {
+		const fetchMock = vi.fn().mockResolvedValue({ ok: true, json: vi.fn().mockResolvedValue([]) });
+		vi.stubGlobal('fetch', fetchMock);
+		renderHost();
+
+		// Open the dropdown by typing @ + a query in the editor.
+		await userEvent.type(page.getByRole('textbox'), '@A');
+		await vi.waitFor(async () => {
+			await expect.element(page.getByRole('searchbox')).toBeVisible();
+		});
+
+		// Wait for any in-flight fetch from opening the dropdown to settle.
+		await new Promise((r) => setTimeout(r, SEARCH_DEBOUNCE_MS + POST_DEBOUNCE_SLACK_MS));
+		const fetchesBeforeEscape = fetchMock.mock.calls.length;
+
+		// Trigger a new debounced search (queues runSearch after 150 ms), then
+		// immediately Escape *while focus is back in the editor* so Tiptap's
+		// suggestion-plugin Escape handler fires onExit before the debounce.
+		// Without onExit cancelling the pending debounce, runSearch executes
+		// against the now-unmounted dropdown's state.
+		await page.getByRole('searchbox').fill('Walter');
+		// Focus the editor so the Escape lands on Tiptap's suggestion handler.
+		(page.getByRole('textbox').element() as HTMLElement).focus();
+		await userEvent.keyboard('{Escape}');
+
+		// Wait past the debounce window. If onExit did not cancel the pending
+		// debounce, a fetch with q=Walter would still fire here.
+		await new Promise((r) => setTimeout(r, SEARCH_DEBOUNCE_MS + POST_DEBOUNCE_SLACK_MS));
+
+		const newFetches = fetchMock.mock.calls.slice(fetchesBeforeEscape);
+		const walterFetches = newFetches.filter(
+			([url]) => typeof url === 'string' && url.includes('q=Walter')
+		);
+		expect(walterFetches.length).toBe(0);
+	});
+});
+
+// ─── AC-1: search input prefilled with text typed after @ ───────────────────
+
+describe('PersonMentionEditor — AC-1: search input prefill', () => {
+	it('prefills the dropdown search input with the text typed after @', async () => {
+		mockFetchEmpty();
+		renderHost();
+
+		await userEvent.type(page.getByRole('textbox'), '@WdG');
+
+		await vi.waitFor(async () => {
+			await expect.element(page.getByRole('searchbox')).toHaveValue('WdG');
+		});
+	});
+});
+
 // ─── AC-1: typed text becomes displayName, not DB name ───────────────────────
 
 describe('PersonMentionEditor — AC-1: typed text as displayName', () => {
@@ -229,6 +514,39 @@ describe('PersonMentionEditor — AC-1: typed text as displayName', () => {
 		});
 	});
 
+	it('clips the inserted displayName to MAX_QUERY_LENGTH=100 chars (Felix #3 on PR #629)', async () => {
+		// CWE-400 amplification: the dropdown clips its search input + mirror at
+		// 100 chars (Nora #1), but the host editor was passing the unclipped
+		// renderProps.query straight through to displayName — so a 105-char
+		// @-suffix in the editor could insert a 105-char displayName into the
+		// sidecar even though the dropdown only searched the first 100.
+		mockFetchWithPersons();
+		const host = renderHost();
+
+		// Type @ + 105 'A' chars in the contenteditable. The renderProps.query
+		// fed into the command callback derives from the editor text after `@`,
+		// not the dropdown's searchbox — so we must drive the editor.
+		await userEvent.type(page.getByRole('textbox'), '@' + 'A'.repeat(105));
+
+		// The mocked /api/persons returns AUGUSTE for any query — wait for it.
+		await vi.waitFor(async () => {
+			await expect.element(page.getByRole('option', { name: /Auguste Raddatz/ })).toBeVisible();
+		});
+
+		const option = (await page
+			.getByRole('option', { name: /Auguste Raddatz/ })
+			.element()) as HTMLElement;
+		option.dispatchEvent(new MouseEvent('mousedown', { bubbles: true, cancelable: true }));
+
+		await vi.waitFor(() => {
+			expect(host.snapshot.mentionedPersons).toHaveLength(1);
+			// Tight assertion: input is 105 chars, cap is exactly 100. Using
+			// `toHaveLength(100)` discriminates "clip works" from "clip works
+			// AND nothing weakened it to e.g. 95". Sara on PR #629 round 4.
+			expect(host.snapshot.mentionedPersons[0].displayName).toHaveLength(100);
+		});
+	});
+
 	it('does not duplicate the sidecar entry when the same person is selected twice', async () => {
 		mockFetchWithPersons();
 		const host = renderHost({

frontend/src/lib/shared/discussion/mentionConstants.ts

@@ -0,0 +1,10 @@
+/** Shared knobs for the @mention typeahead. Single source of truth for
+ *  the dropdown component and the host editor — keeps the layered length
+ *  cap and the debounce window consistent across both files. */
+export const MAX_QUERY_LENGTH = 100;
+export const SEARCH_DEBOUNCE_MS = 150;
+/** Defensive client-side cap on the result list. Single consumer today
+ *  (PersonMentionEditor), kept here for symmetry with the other limit
+ *  knobs so the @mention configuration lives in one place. Felix #1 on
+ *  PR #629 round 4. */
+export const SEARCH_RESULT_LIMIT = 5;

frontend/src/lib/shared/services/confirm.svelte.test.ts

@@ -1,7 +1,7 @@
 import { describe, it, expect, afterEach } from 'vitest';
 import { cleanup, render } from 'vitest-browser-svelte';
 import { page, userEvent } from 'vitest/browser';
-import TestHost from './confirm.test-host.svelte';
+import TestHost from './confirm.test-fixture.svelte';
 import type { ConfirmService } from './confirm.svelte.js';
 
 afterEach(cleanup);

frontend/src/lib/shared/utils/debounce.ts

@@ -1,12 +1,25 @@
 /**
  * Returns a debounced version of fn that delays invocation until after
- * `delay` ms have elapsed since the last call.
+ * `delay` ms have elapsed since the last call. The returned function
+ * exposes a `cancel()` method that DROPS (does not flush) the pending
+ * trailing invocation — essential when the host context (a destroyed
+ * component, an unmounted editor) shouldn't fire the trailing call.
  */
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
-export function debounce<T extends (...args: any[]) => void>(fn: T, delay: number): T {
+export function debounce<T extends (...args: any[]) => void>(
-	let timer: ReturnType<typeof setTimeout>;
+	fn: T,
-	return ((...args: Parameters<T>) => {
+	delay: number
-		clearTimeout(timer);
+): T & { cancel: () => void } {
+	let timer: ReturnType<typeof setTimeout> | undefined;
+	const wrapped = ((...args: Parameters<T>) => {
+		if (timer !== undefined) clearTimeout(timer);
 		timer = setTimeout(() => fn(...args), delay);
-	}) as T;
+	}) as T & { cancel: () => void };
+	wrapped.cancel = () => {
+		if (timer !== undefined) {
+			clearTimeout(timer);
+			timer = undefined;
+		}
+	};
+	return wrapped;
 }

frontend/src/routes/AppNav.svelte

@@ -94,7 +94,7 @@ function handleOverlayKeydown(event: KeyboardEvent) {
 	<!-- Hamburger toggle (mobile only) -->
 	<button
 		class="ml-auto flex h-11 w-11 items-center justify-center self-center rounded text-white/70 transition-colors hover:bg-white/10 hover:text-white focus:outline-none focus-visible:ring-2 focus-visible:ring-focus-ring lg:hidden"
-		aria-label={mobileNavOpen ? 'Menü schließen' : 'Menü öffnen'}
+		aria-label={mobileNavOpen ? m.layout_menu_close() : m.layout_menu_open()}
 		aria-expanded={mobileNavOpen}
 		aria-controls="mobile-nav"
 		onclick={() => (mobileNavOpen = !mobileNavOpen)}

frontend/src/routes/admin/+layout.server.ts

@@ -1,6 +1,6 @@
 import { error } from '@sveltejs/kit';
 import { env } from '$env/dynamic/private';
-import { createApiClient } from '$lib/shared/api.server';
+import { createApiClient, extractErrorCode } from '$lib/shared/api.server';
 import { getErrorMessage } from '$lib/shared/errors';
 import type { components } from '$lib/generated/api';
 
@@ -34,16 +34,16 @@ export async function load({ fetch, locals }) {
 	]);
 
 	if (!usersResult.response.ok) {
-		const code = (usersResult.error as unknown as { code?: string })?.code;
+		throw error(usersResult.response.status, getErrorMessage(extractErrorCode(usersResult.error)));
-		throw error(usersResult.response.status, getErrorMessage(code));
 	}
 	if (!groupsResult.response.ok) {
-		const code = (groupsResult.error as unknown as { code?: string })?.code;
+		throw error(
-		throw error(groupsResult.response.status, getErrorMessage(code));
+			groupsResult.response.status,
+			getErrorMessage(extractErrorCode(groupsResult.error))
+		);
 	}
 	if (!tagsResult.response.ok) {
-		const code = (tagsResult.error as unknown as { code?: string })?.code;
+		throw error(tagsResult.response.status, getErrorMessage(extractErrorCode(tagsResult.error)));
-		throw error(tagsResult.response.status, getErrorMessage(code));
 	}
 
 	let inviteCount = 0;

frontend/src/routes/admin/groups/[id]/+page.server.ts

@@ -1,6 +1,6 @@
 import { error, fail, redirect } from '@sveltejs/kit';
 import type { PageServerLoad, Actions } from './$types';
-import { createApiClient } from '$lib/shared/api.server';
+import { createApiClient, extractErrorCode } from '$lib/shared/api.server';
 import { getErrorMessage } from '$lib/shared/errors';
 
 export const load: PageServerLoad = async ({ params, parent }) => {
@@ -24,8 +24,9 @@ export const actions: Actions = {
 		});
 
 		if (!result.response.ok) {
-			const code = (result.error as unknown as { code?: string })?.code;
+			return fail(result.response.status, {
-			return fail(result.response.status, { error: getErrorMessage(code) });
+				error: getErrorMessage(extractErrorCode(result.error))
+			});
 		}
 
 		return { success: true };
@@ -38,8 +39,9 @@ export const actions: Actions = {
 		});
 
 		if (!result.response.ok) {
-			const code = (result.error as unknown as { code?: string })?.code;
+			return fail(result.response.status, {
-			return fail(result.response.status, { error: getErrorMessage(code) });
+				error: getErrorMessage(extractErrorCode(result.error))
+			});
 		}
 
 		throw redirect(303, '/admin/groups');

frontend/src/routes/admin/groups/[id]/page.server.spec.ts

@@ -7,7 +7,8 @@ const mockApi = {
 };
 
 vi.mock('$lib/shared/api.server', () => ({
-	createApiClient: () => mockApi
+	createApiClient: () => mockApi,
+	extractErrorCode: (e: unknown) => (e as { code?: string } | undefined)?.code
 }));
 
 beforeEach(() => vi.clearAllMocks());

frontend/src/routes/admin/groups/layout.server.spec.ts

@@ -1,7 +1,10 @@
 import { describe, expect, it, vi, beforeEach } from 'vitest';
 import { load } from './+layout.server';
 
-vi.mock('$lib/shared/api.server', () => ({ createApiClient: vi.fn() }));
+vi.mock('$lib/shared/api.server', () => ({
+	createApiClient: vi.fn(),
+	extractErrorCode: (e: unknown) => (e as { code?: string } | undefined)?.code
+}));
 
 import { createApiClient } from '$lib/shared/api.server';
 
@@ -19,14 +22,22 @@ describe('admin/groups layout load', () => {
 			{ id: 'g1', name: 'Admins', permissions: ['ADMIN'] },
 			{ id: 'g2', name: 'Editors', permissions: ['WRITE_ALL'] }
 		]);
-		const result = await load({ fetch: vi.fn() as unknown as typeof fetch });
+		const result = await load({
+			fetch: vi.fn() as unknown as typeof fetch,
+			request: new Request('http://localhost/admin/groups'),
+			url: new URL('http://localhost/admin/groups')
+		});
 		expect(result.groups).toHaveLength(2);
 		expect(result.groups[0].name).toBe('Admins');
 	});
 
 	it('returns an empty array when the API returns nothing', async () => {
 		mockApi([]);
-		const result = await load({ fetch: vi.fn() as unknown as typeof fetch });
+		const result = await load({
+			fetch: vi.fn() as unknown as typeof fetch,
+			request: new Request('http://localhost/admin/groups'),
+			url: new URL('http://localhost/admin/groups')
+		});
 		expect(result.groups).toEqual([]);
 	});
 
@@ -35,7 +46,11 @@ describe('admin/groups layout load', () => {
 		vi.mocked(createApiClient).mockReturnValue({ GET: mockGet } as ReturnType<
 			typeof createApiClient
 		>);
-		await load({ fetch: vi.fn() as unknown as typeof fetch });
+		await load({
+			fetch: vi.fn() as unknown as typeof fetch,
+			request: new Request('http://localhost/admin/groups'),
+			url: new URL('http://localhost/admin/groups')
+		});
 		expect(mockGet).toHaveBeenCalledWith('/api/groups');
 	});
 });

frontend/src/routes/admin/groups/new/+page.server.ts

@@ -1,6 +1,6 @@
 import { fail, redirect } from '@sveltejs/kit';
 import type { Actions } from './$types';
-import { createApiClient } from '$lib/shared/api.server';
+import { createApiClient, extractErrorCode } from '$lib/shared/api.server';
 import { getErrorMessage } from '$lib/shared/errors';
 
 export const actions: Actions = {
@@ -16,8 +16,9 @@ export const actions: Actions = {
 		});
 
 		if (!result.response.ok) {
-			const code = (result.error as unknown as { code?: string })?.code;
+			return fail(result.response.status, {
-			return fail(result.response.status, { error: getErrorMessage(code) });
+				error: getErrorMessage(extractErrorCode(result.error))
+			});
 		}
 
 		throw redirect(303, '/admin/groups');

frontend/src/routes/admin/invites/+page.server.ts

@@ -1,50 +1,41 @@
 import { fail } from '@sveltejs/kit';
-import { env } from '$env/dynamic/private';
+import { createApiClient, extractErrorCode } from '$lib/shared/api.server';
-import { parseBackendError } from '$lib/shared/errors';
+import { getErrorMessage } from '$lib/shared/errors';
 import type { Actions, PageServerLoad } from './$types';
 import type { components } from '$lib/generated/api';
 
-export interface InviteListItem {
+export type InviteListItem = components['schemas']['InviteListItemDTO'];
-	id: string;
-	code: string;
-	displayCode: string;
-	label?: string;
-	useCount: number;
-	maxUses?: number;
-	expiresAt?: string;
-	revoked: boolean;
-	status: string;
-	createdAt: string;
-	shareableUrl: string;
-}
-
 export type UserGroup = components['schemas']['UserGroup'];
 
-export const load: PageServerLoad = async ({ url, fetch }) => {
+const VALID_STATUSES = ['ACTIVE', 'REVOKED', 'EXPIRED'] as const;
-	const status = url.searchParams.get('status') ?? 'active';
+type InviteStatus = (typeof VALID_STATUSES)[number];
-	const apiUrl = env.API_INTERNAL_URL || 'http://localhost:8080';
 
-	const [invitesRes, groupsRes] = await Promise.all([
+export const load: PageServerLoad = async ({ url, fetch }) => {
-		fetch(`${apiUrl}/api/invites?status=${encodeURIComponent(status)}`),
+	const rawStatus = url.searchParams.get('status');
-		fetch(`${apiUrl}/api/groups`)
+	const status: InviteStatus = VALID_STATUSES.includes(rawStatus as InviteStatus)
+		? (rawStatus as InviteStatus)
+		: 'ACTIVE';
+	const api = createApiClient(fetch);
+
+	const [invitesResult, groupsResult] = await Promise.all([
+		api.GET('/api/invites', { params: { query: { status } } }),
+		api.GET('/api/groups')
 	]);
 
 	let invites: InviteListItem[] = [];
 	let loadError: string | null = null;
-	if (!invitesRes.ok) {
+	if (!invitesResult.response.ok) {
-		const backendError = await parseBackendError(invitesRes);
+		loadError = extractErrorCode(invitesResult.error) ?? 'INTERNAL_ERROR';
-		loadError = backendError?.code ?? 'INTERNAL_ERROR';
 	} else {
-		invites = await invitesRes.json();
+		invites = (invitesResult.data ?? []) as InviteListItem[];
 	}
 
 	let groups: UserGroup[] = [];
 	let groupsLoadError: string | null = null;
-	if (!groupsRes.ok) {
+	if (!groupsResult.response.ok) {
-		const backendError = await parseBackendError(groupsRes);
+		groupsLoadError = extractErrorCode(groupsResult.error) ?? 'INTERNAL_ERROR';
-		groupsLoadError = backendError?.code ?? 'INTERNAL_ERROR';
 	} else {
-		const raw: UserGroup[] = await groupsRes.json();
+		const raw = groupsResult.data ?? [];
 		groups = [...raw].sort((a, b) => a.name.localeCompare(b.name));
 	}
 
@@ -63,42 +54,32 @@ export const actions = {
 		const expiresAt = (formData.get('expiresAt') as string) || undefined;
 		const groupIds = formData.getAll('groupIds') as string[];
 
-		const apiUrl = env.API_INTERNAL_URL || 'http://localhost:8080';
+		const api = createApiClient(fetch);
-		const res = await fetch(`${apiUrl}/api/invites`, {
+		const result = await api.POST('/api/invites', {
-			method: 'POST',
+			body: { label, maxUses, prefillFirstName, prefillLastName, prefillEmail, expiresAt, groupIds }
-			headers: { 'Content-Type': 'application/json' },
-			body: JSON.stringify({
-				label,
-				maxUses,
-				prefillFirstName,
-				prefillLastName,
-				prefillEmail,
-				expiresAt,
-				groupIds
-			})
 		});
 
-		if (!res.ok) {
+		if (!result.response.ok) {
-			const backendError = await parseBackendError(res);
+			return fail(result.response.status, {
-			return fail(res.status, { createError: backendError?.code ?? 'INTERNAL_ERROR' });
+				createError: extractErrorCode(result.error) ?? 'INTERNAL_ERROR'
+			});
 		}
 
-		const created: InviteListItem = await res.json();
+		return { created: result.data! as InviteListItem };
-		return { created };
 	},
 
 	revoke: async ({ request, fetch }) => {
 		const formData = await request.formData();
-		const id = formData.get('id') as string;
+		const id = formData.get('id') as string | null;
+		if (!id) return fail(400, { revokeError: getErrorMessage('VALIDATION_ERROR') });
 
-		const apiUrl = env.API_INTERNAL_URL || 'http://localhost:8080';
+		const api = createApiClient(fetch);
-		const res = await fetch(`${apiUrl}/api/invites/${encodeURIComponent(id)}`, {
+		const result = await api.DELETE('/api/invites/{id}', { params: { path: { id } } });
-			method: 'DELETE'
+
+		if (!result.response.ok) {
+			return fail(result.response.status, {
+				revokeError: extractErrorCode(result.error) ?? 'INTERNAL_ERROR'
 			});
-
-		if (!res.ok) {
-			const backendError = await parseBackendError(res);
-			return fail(res.status, { revokeError: backendError?.code ?? 'INTERNAL_ERROR' });
 		}
 
 		return { revoked: id };

frontend/src/routes/admin/invites/page.server.spec.ts

@@ -0,0 +1,284 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+vi.mock('$env/dynamic/private', () => ({
+	env: { API_INTERNAL_URL: 'http://localhost:8080' }
+}));
+
+import { load, actions } from './+page.server';
+import type { UserGroup } from './+page.server';
+
+// PageServerLoad annotates the return as `void | (...)`. This explicit shape avoids
+// the void and the Record<string, any> from the generic constraint.
+type LoadData = {
+	invites: unknown[];
+	status: string;
+	loadError: string | null;
+	groups: UserGroup[];
+	groupsLoadError: string | null;
+};
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+type AnyFetch = (...args: any[]) => any;
+
+function mockResponse(ok: boolean, body: unknown, status = 200) {
+	return {
+		ok,
+		status,
+		json: async () => body,
+		text: async () => JSON.stringify(body),
+		headers: new Headers({ 'content-type': 'application/json' })
+	} as unknown as Response;
+}
+
+describe('admin/invites load()', () => {
+	const mockFetch = vi.fn<AnyFetch>();
+
+	beforeEach(() => mockFetch.mockReset());
+
+	function event(status = 'active') {
+		const url = new URL(`http://localhost/admin/invites?status=${status}`);
+		return {
+			url,
+			request: new Request(url),
+			fetch: mockFetch as unknown as typeof fetch
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		} as any;
+	}
+
+	it('returns groups array alongside invites when both succeed', async () => {
+		mockFetch.mockResolvedValueOnce(mockResponse(true, [])).mockResolvedValueOnce(
+			mockResponse(true, [
+				{ id: 'g-1', name: 'Familie', permissions: ['READ_ALL'] },
+				{ id: 'g-2', name: 'Administratoren', permissions: ['ADMIN'] }
+			])
+		);
+
+		const result = (await load(event())) as LoadData;
+
+		expect(result.groups).toHaveLength(2);
+		expect(result.groupsLoadError).toBeNull();
+	});
+
+	it('returns groups sorted alphabetically by name', async () => {
+		mockFetch.mockResolvedValueOnce(mockResponse(true, [])).mockResolvedValueOnce(
+			mockResponse(true, [
+				{ id: 'g-1', name: 'Zebra', permissions: [] },
+				{ id: 'g-2', name: 'Alfa', permissions: [] },
+				{ id: 'g-3', name: 'Mitte', permissions: [] }
+			])
+		);
+
+		const result = (await load(event())) as LoadData;
+
+		expect(result.groups.map((g) => g.name)).toEqual(['Alfa', 'Mitte', 'Zebra']);
+	});
+
+	it('returns groups: [] and non-null groupsLoadError when groups fetch is non-OK', async () => {
+		mockFetch
+			.mockResolvedValueOnce(mockResponse(true, []))
+			.mockResolvedValueOnce(mockResponse(false, { code: 'FORBIDDEN' }, 403));
+
+		const result = (await load(event())) as LoadData;
+
+		expect(result.groups).toEqual([]);
+		expect(result.groupsLoadError).toBe('FORBIDDEN');
+	});
+
+	it('falls back to INTERNAL_ERROR when groups error body has no code', async () => {
+		mockFetch
+			.mockResolvedValueOnce(mockResponse(true, []))
+			.mockResolvedValueOnce(mockResponse(false, null, 500));
+
+		const result = (await load(event())) as LoadData;
+
+		expect(result.groupsLoadError).toBe('INTERNAL_ERROR');
+	});
+
+	it('fetches invites and groups in parallel (both URLs called)', async () => {
+		mockFetch
+			.mockResolvedValueOnce(mockResponse(true, []))
+			.mockResolvedValueOnce(mockResponse(true, []));
+
+		await load(event());
+
+		expect(mockFetch).toHaveBeenCalledTimes(2);
+		// createApiClient calls fetch(Request, {}), not fetch(string, init)
+		const urls = mockFetch.mock.calls.map((call) => (call[0] as Request).url);
+		expect(urls).toEqual(
+			expect.arrayContaining([
+				expect.stringContaining('/api/invites'),
+				expect.stringContaining('/api/groups')
+			])
+		);
+	});
+});
+
+describe('admin/invites create action', () => {
+	const mockFetch = vi.fn<AnyFetch>();
+
+	beforeEach(() => mockFetch.mockReset());
+
+	const successBody = {
+		id: 'inv-1',
+		code: 'ABCDE12345',
+		displayCode: 'ABCDE-12345',
+		status: 'active',
+		revoked: false,
+		useCount: 0,
+		createdAt: '2026-01-01T00:00:00Z',
+		shareableUrl: 'http://localhost/register?code=ABCDE12345'
+	};
+
+	it('includes groupIds array in POST body when checkboxes are checked', async () => {
+		const fd = new FormData();
+		fd.append('groupIds', 'g-1');
+		fd.append('groupIds', 'g-2');
+		mockFetch.mockResolvedValueOnce(mockResponse(true, successBody, 201));
+
+		await actions.create({
+			request: new Request('http://localhost', { method: 'POST', body: fd }),
+			fetch: mockFetch as unknown as typeof fetch
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		} as any);
+
+		// createApiClient calls fetch(Request, {}), not fetch(string, init)
+		const [req] = mockFetch.mock.calls[0] as [Request, unknown];
+		expect(req).toBeInstanceOf(Request);
+		expect(req.url).toContain('/api/invites');
+		const sent = await req.json();
+		expect(sent.groupIds).toEqual(['g-1', 'g-2']);
+	});
+
+	it('sends groupIds: [] when no checkboxes are checked', async () => {
+		const fd = new FormData();
+		mockFetch.mockResolvedValueOnce(mockResponse(true, successBody, 201));
+
+		await actions.create({
+			request: new Request('http://localhost', { method: 'POST', body: fd }),
+			fetch: mockFetch as unknown as typeof fetch
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		} as any);
+
+		const [req] = mockFetch.mock.calls[0] as [Request, unknown];
+		expect(req).toBeInstanceOf(Request);
+		const sent = await req.json();
+		expect(sent.groupIds).toEqual([]);
+	});
+
+	it('returns created invite on success', async () => {
+		const fd = new FormData();
+		mockFetch.mockResolvedValueOnce(mockResponse(true, successBody, 201));
+
+		const result = await actions.create({
+			request: new Request('http://localhost', { method: 'POST', body: fd }),
+			fetch: mockFetch as unknown as typeof fetch
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		} as any);
+
+		expect(result).toMatchObject({ created: expect.objectContaining({ id: 'inv-1' }) });
+	});
+
+	it('returns fail with backend error code when create returns non-OK', async () => {
+		const fd = new FormData();
+		mockFetch.mockResolvedValueOnce(mockResponse(false, { code: 'FORBIDDEN' }, 403));
+
+		const result = await actions.create({
+			request: new Request('http://localhost', { method: 'POST', body: fd }),
+			fetch: mockFetch as unknown as typeof fetch
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		} as any);
+
+		expect(result).toMatchObject({ status: 403, data: { createError: 'FORBIDDEN' } });
+	});
+
+	it('falls back to INTERNAL_ERROR when create error body has no code', async () => {
+		const fd = new FormData();
+		mockFetch.mockResolvedValueOnce(mockResponse(false, null, 500));
+
+		const result = await actions.create({
+			request: new Request('http://localhost', { method: 'POST', body: fd }),
+			fetch: mockFetch as unknown as typeof fetch
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		} as any);
+
+		expect(result).toMatchObject({ status: 500, data: { createError: 'INTERNAL_ERROR' } });
+	});
+
+	it('includes expiresAt in POST body when provided', async () => {
+		const fd = new FormData();
+		fd.append('expiresAt', '2026-12-31');
+		mockFetch.mockResolvedValueOnce(mockResponse(true, successBody, 201));
+
+		await actions.create({
+			request: new Request('http://localhost', { method: 'POST', body: fd }),
+			fetch: mockFetch as unknown as typeof fetch
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		} as any);
+
+		const [req] = mockFetch.mock.calls[0] as [Request, unknown];
+		const sent = await req.json();
+		expect(sent.expiresAt).toBe('2026-12-31');
+	});
+});
+
+describe('admin/invites revoke action', () => {
+	const mockFetch = vi.fn<AnyFetch>();
+
+	beforeEach(() => mockFetch.mockReset());
+
+	it('calls DELETE /api/invites/{id} via createApiClient', async () => {
+		const fd = new FormData();
+		fd.append('id', 'inv-abc');
+		mockFetch.mockResolvedValueOnce(mockResponse(true, null, 200));
+
+		await actions.revoke({
+			request: new Request('http://localhost', { method: 'POST', body: fd }),
+			fetch: mockFetch as unknown as typeof fetch
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		} as any);
+
+		const [req] = mockFetch.mock.calls[0] as [Request, unknown];
+		expect(req).toBeInstanceOf(Request);
+		expect(req.url).toContain('/api/invites/inv-abc');
+		expect(req.method).toBe('DELETE');
+	});
+
+	it('returns revoked id on success', async () => {
+		const fd = new FormData();
+		fd.append('id', 'inv-abc');
+		mockFetch.mockResolvedValueOnce(mockResponse(true, null, 200));
+
+		const result = await actions.revoke({
+			request: new Request('http://localhost', { method: 'POST', body: fd }),
+			fetch: mockFetch as unknown as typeof fetch
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		} as any);
+
+		expect(result).toEqual({ revoked: 'inv-abc' });
+	});
+
+	it('returns fail with backend error code when revoke returns non-OK', async () => {
+		const fd = new FormData();
+		fd.append('id', 'inv-abc');
+		mockFetch.mockResolvedValueOnce(mockResponse(false, { code: 'NOT_FOUND' }, 404));
+
+		const result = await actions.revoke({
+			request: new Request('http://localhost', { method: 'POST', body: fd }),
+			fetch: mockFetch as unknown as typeof fetch
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		} as any);
+
+		expect(result).toMatchObject({ status: 404, data: { revokeError: 'NOT_FOUND' } });
+	});
+
+	it('returns fail(400) when revoke id is missing', async () => {
+		const result = await actions.revoke({
+			request: new Request('http://localhost', { method: 'POST', body: new FormData() }),
+			fetch: mockFetch as unknown as typeof fetch
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		} as any);
+
+		expect(mockFetch).not.toHaveBeenCalled();
+		expect(result).toMatchObject({ status: 400 });
+	});
+});

frontend/src/routes/admin/invites/page.server.test.ts

@@ -1,155 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest';
-
-vi.mock('$env/dynamic/private', () => ({
-	env: { API_INTERNAL_URL: 'http://localhost:8080' }
-}));
-
-import { load, actions } from './+page.server';
-import type { UserGroup } from './+page.server';
-
-// PageServerLoad annotates the return as `void | (...)`. This explicit shape avoids
-// the void and the Record<string, any> from the generic constraint.
-type LoadData = {
-	invites: unknown[];
-	status: string;
-	loadError: string | null;
-	groups: UserGroup[];
-	groupsLoadError: string | null;
-};
-
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-type AnyFetch = (...args: any[]) => any;
-
-function mockResponse(ok: boolean, body: unknown, status = 200) {
-	return {
-		ok,
-		status,
-		json: async () => body,
-		text: async () => JSON.stringify(body),
-		headers: new Headers({ 'content-type': 'application/json' })
-	} as unknown as Response;
-}
-
-describe('admin/invites load()', () => {
-	const mockFetch = vi.fn<AnyFetch>();
-
-	beforeEach(() => mockFetch.mockReset());
-
-	function event(status = 'active') {
-		return {
-			url: new URL(`http://localhost/admin/invites?status=${status}`),
-			fetch: mockFetch as unknown as typeof fetch
-			// eslint-disable-next-line @typescript-eslint/no-explicit-any
-		} as any;
-	}
-
-	it('returns groups array alongside invites when both succeed', async () => {
-		mockFetch.mockResolvedValueOnce(mockResponse(true, [])).mockResolvedValueOnce(
-			mockResponse(true, [
-				{ id: 'g-1', name: 'Familie', permissions: ['READ_ALL'] },
-				{ id: 'g-2', name: 'Administratoren', permissions: ['ADMIN'] }
-			])
-		);
-
-		const result = (await load(event())) as LoadData;
-
-		expect(result.groups).toHaveLength(2);
-		expect(result.groupsLoadError).toBeNull();
-	});
-
-	it('returns groups sorted alphabetically by name', async () => {
-		mockFetch.mockResolvedValueOnce(mockResponse(true, [])).mockResolvedValueOnce(
-			mockResponse(true, [
-				{ id: 'g-1', name: 'Zebra', permissions: [] },
-				{ id: 'g-2', name: 'Alfa', permissions: [] },
-				{ id: 'g-3', name: 'Mitte', permissions: [] }
-			])
-		);
-
-		const result = (await load(event())) as LoadData;
-
-		expect(result.groups.map((g) => g.name)).toEqual(['Alfa', 'Mitte', 'Zebra']);
-	});
-
-	it('returns groups: [] and non-null groupsLoadError when groups fetch is non-OK', async () => {
-		mockFetch
-			.mockResolvedValueOnce(mockResponse(true, []))
-			.mockResolvedValueOnce(mockResponse(false, { code: 'FORBIDDEN' }, 403));
-
-		const result = (await load(event())) as LoadData;
-
-		expect(result.groups).toEqual([]);
-		expect(result.groupsLoadError).toBe('FORBIDDEN');
-	});
-
-	it('falls back to INTERNAL_ERROR when groups error body has no code', async () => {
-		mockFetch
-			.mockResolvedValueOnce(mockResponse(true, []))
-			.mockResolvedValueOnce(mockResponse(false, null, 500));
-
-		const result = (await load(event())) as LoadData;
-
-		expect(result.groupsLoadError).toBe('INTERNAL_ERROR');
-	});
-
-	it('fetches invites and groups in parallel (both URLs called)', async () => {
-		mockFetch
-			.mockResolvedValueOnce(mockResponse(true, []))
-			.mockResolvedValueOnce(mockResponse(true, []));
-
-		await load(event());
-
-		expect(mockFetch).toHaveBeenCalledTimes(2);
-		expect(mockFetch).toHaveBeenCalledWith(expect.stringContaining('/api/invites'));
-		expect(mockFetch).toHaveBeenCalledWith(expect.stringContaining('/api/groups'));
-	});
-});
-
-describe('admin/invites create action', () => {
-	const mockFetch = vi.fn<AnyFetch>();
-
-	beforeEach(() => mockFetch.mockReset());
-
-	const successBody = {
-		id: 'inv-1',
-		code: 'ABCDE12345',
-		displayCode: 'ABCDE-12345',
-		status: 'active',
-		revoked: false,
-		useCount: 0,
-		createdAt: '2026-01-01T00:00:00Z',
-		shareableUrl: 'http://localhost/register?code=ABCDE12345'
-	};
-
-	it('includes groupIds array in POST body when checkboxes are checked', async () => {
-		const fd = new FormData();
-		fd.append('groupIds', 'g-1');
-		fd.append('groupIds', 'g-2');
-		mockFetch.mockResolvedValueOnce(mockResponse(true, successBody, 201));
-
-		await actions.create({
-			request: new Request('http://localhost', { method: 'POST', body: fd }),
-			fetch: mockFetch as unknown as typeof fetch
-			// eslint-disable-next-line @typescript-eslint/no-explicit-any
-		} as any);
-
-		const [, init] = mockFetch.mock.calls[0] as [string, RequestInit];
-		const sent = JSON.parse(init.body as string);
-		expect(sent.groupIds).toEqual(['g-1', 'g-2']);
-	});
-
-	it('sends groupIds: [] when no checkboxes are checked', async () => {
-		const fd = new FormData();
-		mockFetch.mockResolvedValueOnce(mockResponse(true, successBody, 201));
-
-		await actions.create({
-			request: new Request('http://localhost', { method: 'POST', body: fd }),
-			fetch: mockFetch as unknown as typeof fetch
-			// eslint-disable-next-line @typescript-eslint/no-explicit-any
-		} as any);
-
-		const [, init] = mockFetch.mock.calls[0] as [string, RequestInit];
-		const sent = JSON.parse(init.body as string);
-		expect(sent.groupIds).toEqual([]);
-	});
-});