From 85c13b3d4610d221ed6c56fa92cb56f34627374f Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Tue, 19 May 2026 22:51:08 +0200
Subject: [PATCH 01/14] feat(notification): add dismiss-notification and
 mark-all-read form actions to aktivitaeten

Adds two SvelteKit form actions to /aktivitaeten/+page.server.ts so the
notification bell can POST there instead of calling the backend directly
from the browser.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../src/routes/aktivitaeten/+page.server.ts   | 28 +++++++
 .../routes/aktivitaeten/page.server.spec.ts   | 80 ++++++++++++++++++-
 2 files changed, 106 insertions(+), 2 deletions(-)

diff --git a/frontend/src/routes/aktivitaeten/+page.server.ts b/frontend/src/routes/aktivitaeten/+page.server.ts
index 21df3e85..940cedb6 100644
--- a/frontend/src/routes/aktivitaeten/+page.server.ts
+++ b/frontend/src/routes/aktivitaeten/+page.server.ts
@@ -1,4 +1,6 @@
+import { fail } from '@sveltejs/kit';
 import { createApiClient } from '$lib/shared/api.server';
+import { getErrorMessage } from '$lib/shared/errors';
 import type { components, operations } from '$lib/generated/api';
 
 type ActivityFeedItemDTO = components['schemas']['ActivityFeedItemDTO'];
@@ -65,3 +67,29 @@ export async function load({ fetch, url }) {
 		loadError
 	};
 }
+
+export const actions = {
+	'dismiss-notification': async ({ request, fetch }) => {
+		const data = await request.formData();
+		const notificationId = data.get('notificationId') as string;
+		const api = createApiClient(fetch);
+		const result = await api.PATCH('/api/notifications/{id}/read', {
+			params: { path: { id: notificationId } }
+		});
+		if (!result.response.ok) {
+			const code = (result.error as unknown as { code?: string })?.code;
+			return fail(result.response.status, { error: getErrorMessage(code) });
+		}
+		return { success: true };
+	},
+
+	'mark-all-read': async ({ fetch }) => {
+		const api = createApiClient(fetch);
+		const result = await api.POST('/api/notifications/read-all');
+		if (!result.response.ok) {
+			const code = (result.error as unknown as { code?: string })?.code;
+			return fail(result.response.status, { error: getErrorMessage(code) });
+		}
+		return { success: true };
+	}
+};
diff --git a/frontend/src/routes/aktivitaeten/page.server.spec.ts b/frontend/src/routes/aktivitaeten/page.server.spec.ts
index 31a1619f..fbff2670 100644
--- a/frontend/src/routes/aktivitaeten/page.server.spec.ts
+++ b/frontend/src/routes/aktivitaeten/page.server.spec.ts
@@ -1,8 +1,10 @@
 import { beforeEach, describe, expect, it, vi } from 'vitest';
-import { load } from './+page.server';
+import { load, actions } from './+page.server';
 
 const mockApi = {
-	GET: vi.fn()
+	GET: vi.fn(),
+	PATCH: vi.fn(),
+	POST: vi.fn()
 };
 
 vi.mock('$lib/shared/api.server', () => ({
@@ -173,3 +175,77 @@ describe('aktivitaeten/load — kinds param per filter', () => {
 		expect(call[1].params.query.kinds).toHaveLength(2);
 	});
 });
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function makeActionEvent(formData: FormData): any {
+	return {
+		request: new Request('http://localhost/aktivitaeten', { method: 'POST', body: formData }),
+		fetch
+	};
+}
+
+describe('aktivitaeten/actions — dismiss-notification', () => {
+	it('calls PATCH /api/notifications/{id}/read with the form-supplied notificationId', async () => {
+		mockApi.PATCH.mockResolvedValue({ response: { ok: true }, data: {} });
+		const fd = new FormData();
+		fd.set('notificationId', 'n-abc');
+
+		await actions['dismiss-notification'](makeActionEvent(fd));
+
+		expect(mockApi.PATCH).toHaveBeenCalledWith('/api/notifications/{id}/read', {
+			params: { path: { id: 'n-abc' } }
+		});
+	});
+
+	it('returns { success: true } when the API responds ok', async () => {
+		mockApi.PATCH.mockResolvedValue({ response: { ok: true }, data: {} });
+		const fd = new FormData();
+		fd.set('notificationId', 'n-abc');
+
+		const result = await actions['dismiss-notification'](makeActionEvent(fd));
+
+		expect(result).toEqual({ success: true });
+	});
+
+	it('returns fail(status, { error }) when the API responds non-ok', async () => {
+		mockApi.PATCH.mockResolvedValue({
+			response: { ok: false, status: 403 },
+			error: { code: 'NOTIFICATION_NOT_FOUND' }
+		});
+		const fd = new FormData();
+		fd.set('notificationId', 'n-abc');
+
+		const result = await actions['dismiss-notification'](makeActionEvent(fd));
+
+		expect(result).toMatchObject({ status: 403 });
+	});
+});
+
+describe('aktivitaeten/actions — mark-all-read', () => {
+	it('calls POST /api/notifications/read-all', async () => {
+		mockApi.POST.mockResolvedValue({ response: { ok: true }, data: null });
+
+		await actions['mark-all-read'](makeActionEvent(new FormData()));
+
+		expect(mockApi.POST).toHaveBeenCalledWith('/api/notifications/read-all');
+	});
+
+	it('returns { success: true } when the API responds ok', async () => {
+		mockApi.POST.mockResolvedValue({ response: { ok: true }, data: null });
+
+		const result = await actions['mark-all-read'](makeActionEvent(new FormData()));
+
+		expect(result).toEqual({ success: true });
+	});
+
+	it('returns fail(status, { error }) when the API responds non-ok', async () => {
+		mockApi.POST.mockResolvedValue({
+			response: { ok: false, status: 500 },
+			error: { code: 'INTERNAL_ERROR' }
+		});
+
+		const result = await actions['mark-all-read'](makeActionEvent(new FormData()));
+
+		expect(result).toMatchObject({ status: 500 });
+	});
+});
-- 
2.49.1


From cdd5bfa318f9b433a53715fedc43d4aaceb59519 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Tue, 19 May 2026 22:59:01 +0200
Subject: [PATCH 02/14] refactor(notification): rename markRead/markAllRead to
 optimistic helpers without fetch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Removes raw fetch() calls from the store. optimisticMarkRead(id) and
optimisticMarkAllRead() now only mutate local $state — the actual API
calls move to SvelteKit form actions on /aktivitaeten.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../notification/notifications.svelte.spec.ts | 42 +++++++++++++++++--
 .../lib/notification/notifications.svelte.ts  | 31 +++++---------
 2 files changed, 49 insertions(+), 24 deletions(-)

diff --git a/frontend/src/lib/notification/notifications.svelte.spec.ts b/frontend/src/lib/notification/notifications.svelte.spec.ts
index f4bb1ca0..15345286 100644
--- a/frontend/src/lib/notification/notifications.svelte.spec.ts
+++ b/frontend/src/lib/notification/notifications.svelte.spec.ts
@@ -108,12 +108,46 @@ describe('notificationStore (singleton)', () => {
 		expect(notificationStore.unreadCount).toBe(1);
 	});
 
-	it('markAllRead resets unreadCount', async () => {
-		mockFetch.mockResolvedValue(new Response(null, { status: 200 }));
-		await notificationStore.markAllRead();
+	it('optimisticMarkRead marks the notification read and decrements unreadCount without fetching', () => {
+		notificationStore.init();
+		const notification = makeNotification({ id: 'sse-1', read: false });
+		lastEventSource!.simulate('notification', JSON.stringify(notification));
+		mockFetch.mockReset(); // clear the fetchUnreadCount call from init
 
-		expect(mockFetch).toHaveBeenCalledWith('/api/notifications/read-all', { method: 'POST' });
+		notificationStore.optimisticMarkRead('sse-1');
+
+		expect(notificationStore.notifications[0].read).toBe(true);
 		expect(notificationStore.unreadCount).toBe(0);
+		expect(mockFetch).not.toHaveBeenCalled();
+	});
+
+	it('optimisticMarkRead on an already-read notification does not decrement unreadCount below 0', () => {
+		notificationStore.init();
+		const notification = makeNotification({ id: 'sse-1', read: true });
+		lastEventSource!.simulate('notification', JSON.stringify(notification));
+
+		notificationStore.optimisticMarkRead('sse-1');
+
+		expect(notificationStore.unreadCount).toBe(0);
+	});
+
+	it('optimisticMarkAllRead resets unreadCount and marks all notifications read without fetching', () => {
+		notificationStore.init();
+		lastEventSource!.simulate(
+			'notification',
+			JSON.stringify(makeNotification({ id: 'n1', read: false }))
+		);
+		lastEventSource!.simulate(
+			'notification',
+			JSON.stringify(makeNotification({ id: 'n2', read: false }))
+		);
+		mockFetch.mockReset();
+
+		notificationStore.optimisticMarkAllRead();
+
+		expect(notificationStore.unreadCount).toBe(0);
+		expect(notificationStore.notifications.every((n) => n.read)).toBe(true);
+		expect(mockFetch).not.toHaveBeenCalled();
 	});
 });
 
diff --git a/frontend/src/lib/notification/notifications.svelte.ts b/frontend/src/lib/notification/notifications.svelte.ts
index 2ac49e4e..1e52cfe3 100644
--- a/frontend/src/lib/notification/notifications.svelte.ts
+++ b/frontend/src/lib/notification/notifications.svelte.ts
@@ -35,28 +35,19 @@ async function fetchUnreadCount(): Promise<void> {
 	}
 }
 
-async function markRead(notification: NotificationItem): Promise<void> {
-	if (!notification.read) {
-		try {
-			await fetch(`/api/notifications/${notification.id}/read`, { method: 'PATCH' });
-			notification.read = true;
-			unreadCount = Math.max(0, unreadCount - 1);
-		} catch (e) {
-			console.error('Failed to mark notification as read', e);
-		}
+function optimisticMarkRead(id: string): void {
+	const notification = notifications.find((n) => n.id === id);
+	if (notification && !notification.read) {
+		notification.read = true;
+		unreadCount = Math.max(0, unreadCount - 1);
 	}
 }
 
-async function markAllRead(): Promise<void> {
-	try {
-		await fetch('/api/notifications/read-all', { method: 'POST' });
-		for (const n of notifications) {
-			n.read = true;
-		}
-		unreadCount = 0;
-	} catch (e) {
-		console.error('Failed to mark all notifications as read', e);
+function optimisticMarkAllRead(): void {
+	for (const n of notifications) {
+		n.read = true;
 	}
+	unreadCount = 0;
 }
 
 function init(): void {
@@ -123,8 +114,8 @@ export const notificationStore = {
 	},
 	fetchNotifications,
 	fetchUnreadCount,
-	markRead,
-	markAllRead,
+	optimisticMarkRead,
+	optimisticMarkAllRead,
 	init,
 	destroy
 };
-- 
2.49.1


From 3d3c111c2b1c8137a54fe661121d662625c5134b Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Tue, 19 May 2026 23:15:56 +0200
Subject: [PATCH 03/14] refactor(notification): replace callback props with
 form actions in Dropdown and Bell
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

NotificationDropdown now wraps each row in a <form action="/aktivitaeten?/dismiss-notification">
and the mark-all control in <form action="/aktivitaeten?/mark-all-read">, wired via use:enhance
for optimistic UI. Props renamed onMarkRead/onMarkAllRead → optimisticMarkRead/optimisticMarkAllRead
to match the simplified store API. NotificationBell passes the store helpers directly; handleMarkRead
is removed.

Test mocks updated: $app/forms enhance mock fires SubmitFunction synchronously on form submit so
callback assertions work without a real HTTP round-trip.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../lib/notification/NotificationBell.svelte  |  17 +-
 .../NotificationBell.svelte.spec.ts           |  59 ++----
 .../notification/NotificationDropdown.svelte  | 168 +++++++++++-------
 .../NotificationDropdown.svelte.test.ts       | 141 ++++++++++-----
 4 files changed, 218 insertions(+), 167 deletions(-)

diff --git a/frontend/src/lib/notification/NotificationBell.svelte b/frontend/src/lib/notification/NotificationBell.svelte
index 3648f95f..3a04bb35 100644
--- a/frontend/src/lib/notification/NotificationBell.svelte
+++ b/frontend/src/lib/notification/NotificationBell.svelte
@@ -1,10 +1,8 @@
 <script lang="ts">
 import { onMount, onDestroy } from 'svelte';
-import { goto } from '$app/navigation';
 import { m } from '$lib/paraglide/messages.js';
 import { clickOutside } from '$lib/shared/actions/clickOutside';
 import { notificationStore } from '$lib/notification/notifications.svelte';
-import { buildCommentHref } from '$lib/shared/discussion/commentDeepLink';
 import NotificationDropdown from './NotificationDropdown.svelte';
 
 let open = $state(false);
@@ -30,17 +28,6 @@ function closeDropdown() {
 	bellButtonEl?.focus();
 }
 
-async function handleMarkRead(notification: Parameters<typeof stream.markRead>[0]) {
-	await stream.markRead(notification);
-	const url = buildCommentHref(
-		notification.documentId,
-		notification.referenceId,
-		notification.annotationId
-	);
-	closeDropdown();
-	goto(url);
-}
-
 function handleKeydown(event: KeyboardEvent) {
 	if (event.key === 'Escape' && open) {
 		event.stopPropagation();
@@ -113,8 +100,8 @@ onDestroy(() => {
 	{#if open}
 		<NotificationDropdown
 			notifications={stream.notifications}
-			onMarkRead={handleMarkRead}
-			onMarkAllRead={stream.markAllRead}
+			optimisticMarkRead={stream.optimisticMarkRead}
+			optimisticMarkAllRead={stream.optimisticMarkAllRead}
 			onClose={closeDropdown}
 		/>
 	{/if}
diff --git a/frontend/src/lib/notification/NotificationBell.svelte.spec.ts b/frontend/src/lib/notification/NotificationBell.svelte.spec.ts
index e73de0f0..0ab79577 100644
--- a/frontend/src/lib/notification/NotificationBell.svelte.spec.ts
+++ b/frontend/src/lib/notification/NotificationBell.svelte.spec.ts
@@ -3,10 +3,18 @@ import { cleanup, render } from 'vitest-browser-svelte';
 import type { NotificationItem } from '$lib/notification/notifications';
 import NotificationBell from './NotificationBell.svelte';
 
-const gotoMock = vi.hoisted(() => vi.fn());
-vi.mock('$app/navigation', () => ({ goto: gotoMock, beforeNavigate: vi.fn() }));
+vi.mock('$app/navigation', () => ({ goto: vi.fn(), beforeNavigate: vi.fn() }));
+vi.mock('$app/forms', () => ({
+	enhance(node: HTMLFormElement, submit?: (opts: { formData: FormData }) => unknown) {
+		const handler = (e: Event) => {
+			e.preventDefault();
+			submit?.({ formData: new FormData(node) } as never);
+		};
+		node.addEventListener('submit', handler);
+		return { destroy: () => node.removeEventListener('submit', handler) };
+	}
+}));
 
-const mockMarkRead = vi.hoisted(() => vi.fn().mockResolvedValue(undefined));
 const mockNotificationList = vi.hoisted((): { value: NotificationItem[] } => ({ value: [] }));
 
 vi.mock('$lib/notification/notifications.svelte', () => ({
@@ -17,18 +25,17 @@ vi.mock('$lib/notification/notifications.svelte', () => ({
 		get unreadCount() {
 			return mockNotificationList.value.length;
 		},
-		markRead: mockMarkRead,
+		optimisticMarkRead: vi.fn(),
+		optimisticMarkAllRead: vi.fn(),
 		fetchNotifications: vi.fn().mockResolvedValue(undefined),
 		init: vi.fn(),
-		destroy: vi.fn(),
-		markAllRead: vi.fn()
+		destroy: vi.fn()
 	}
 }));
 
 afterEach(() => {
 	cleanup();
-	gotoMock.mockClear();
-	mockMarkRead.mockClear();
+	vi.clearAllMocks();
 	mockNotificationList.value = [];
 });
 
@@ -45,16 +52,6 @@ const makeNotification = (overrides: Partial<NotificationItem> = {}): Notificati
 	...overrides
 });
 
-async function openDropdownAndClickFirstNotification() {
-	const bellButton = document.querySelector<HTMLButtonElement>('button[aria-haspopup="true"]')!;
-	bellButton.click();
-	await vi.waitFor(() => {
-		expect(document.querySelector('[role="dialog"]')).not.toBeNull();
-	});
-	const notifButton = document.querySelector<HTMLButtonElement>('[role="list"] button')!;
-	notifButton.click();
-}
-
 describe('NotificationBell — cursor and tooltip', () => {
 	it('bell button has cursor-pointer class', async () => {
 		render(NotificationBell);
@@ -82,29 +79,3 @@ describe('NotificationBell — cursor and tooltip', () => {
 		expect(btn.getAttribute('aria-label')).toBe(btn.getAttribute('title'));
 	});
 });
-
-describe('NotificationBell', () => {
-	it('handleMarkRead navigates to URL including annotationId when notification has annotationId', async () => {
-		mockNotificationList.value = [makeNotification({ annotationId: 'annot-1' })];
-		render(NotificationBell);
-
-		await openDropdownAndClickFirstNotification();
-
-		await vi.waitFor(() => {
-			expect(gotoMock).toHaveBeenCalledWith(
-				'/documents/doc-1?commentId=ref-1&annotationId=annot-1'
-			);
-		});
-	});
-
-	it('handleMarkRead navigates to commentId-only URL when annotationId is absent', async () => {
-		mockNotificationList.value = [makeNotification({ annotationId: null })];
-		render(NotificationBell);
-
-		await openDropdownAndClickFirstNotification();
-
-		await vi.waitFor(() => {
-			expect(gotoMock).toHaveBeenCalledWith('/documents/doc-1?commentId=ref-1');
-		});
-	});
-});
diff --git a/frontend/src/lib/notification/NotificationDropdown.svelte b/frontend/src/lib/notification/NotificationDropdown.svelte
index 363e4ee5..115fe4f7 100644
--- a/frontend/src/lib/notification/NotificationDropdown.svelte
+++ b/frontend/src/lib/notification/NotificationDropdown.svelte
@@ -1,17 +1,19 @@
 <script lang="ts">
 import { goto } from '$app/navigation';
+import { enhance } from '$app/forms';
 import { m } from '$lib/paraglide/messages.js';
 import { relativeTime } from '$lib/shared/utils/time';
+import { buildCommentHref } from '$lib/shared/discussion/commentDeepLink';
 import type { NotificationItem } from '$lib/notification/notifications.svelte';
 
 type Props = {
 	notifications: NotificationItem[];
-	onMarkRead: (notification: NotificationItem) => void;
-	onMarkAllRead: () => void;
+	optimisticMarkRead: (id: string) => void;
+	optimisticMarkAllRead: () => void;
 	onClose: () => void;
 };
 
-let { notifications, onMarkRead, onMarkAllRead, onClose }: Props = $props();
+let { notifications, optimisticMarkRead, optimisticMarkAllRead, onClose }: Props = $props();
 
 function handleViewAll() {
 	onClose(); // close first — avoids stale dropdown during navigation transition
@@ -31,13 +33,23 @@ function handleViewAll() {
 			{m.notification_bell_label()}
 		</span>
 		{#if notifications.length > 0}
-			<button
-				type="button"
-				onclick={onMarkAllRead}
-				class="text-xs font-medium text-ink-3 transition-colors hover:text-ink"
+			<form
+				action="/aktivitaeten?/mark-all-read"
+				method="POST"
+				use:enhance={() => {
+					optimisticMarkAllRead();
+					return async ({ update }) => {
+						await update({ reset: false, invalidateAll: false });
+					};
+				}}
 			>
-				{m.notification_mark_all_read()}
-			</button>
+				<button
+					type="submit"
+					class="text-xs font-medium text-ink-3 transition-colors hover:text-ink"
+				>
+					{m.notification_mark_all_read()}
+				</button>
+			</form>
 		{/if}
 	</div>
 
@@ -66,67 +78,87 @@ function handleViewAll() {
 		<ul role="list" class="max-h-[24rem] overflow-y-auto">
 			{#each notifications as notification (notification.id)}
 				<li>
-					<button
-						type="button"
-						onclick={() => onMarkRead(notification)}
-						class="flex w-full cursor-pointer items-start gap-3 border-b border-line px-4 py-3 text-left last:border-b-0 hover:bg-canvas
-							{!notification.read ? 'bg-accent-bg/20' : ''}"
+					<form
+						action="/aktivitaeten?/dismiss-notification"
+						method="POST"
+						class="contents"
+						use:enhance={() => {
+							optimisticMarkRead(notification.id);
+							onClose();
+							goto(
+								buildCommentHref(
+									notification.documentId,
+									notification.referenceId,
+									notification.annotationId
+								)
+							);
+							return async ({ update }) => {
+								await update({ reset: false, invalidateAll: false });
+							};
+						}}
 					>
-						<!-- Type icon -->
-						<span class="mt-0.5 shrink-0 text-ink-3" aria-hidden="true">
-							{#if notification.type === 'REPLY'}
-								<!-- Reply icon -->
-								<svg
-									xmlns="http://www.w3.org/2000/svg"
-									class="h-4 w-4"
-									fill="none"
-									viewBox="0 0 24 24"
-									stroke="currentColor"
-									stroke-width="2"
-								>
-									<path
-										stroke-linecap="round"
-										stroke-linejoin="round"
-										d="M3 10h10a8 8 0 018 8v2M3 10l6 6m-6-6l6-6"
-									/>
-								</svg>
-							{:else}
-								<!-- Mention icon -->
-								<svg
-									xmlns="http://www.w3.org/2000/svg"
-									class="h-4 w-4"
-									fill="none"
-									viewBox="0 0 24 24"
-									stroke="currentColor"
-									stroke-width="2"
-								>
-									<path
-										stroke-linecap="round"
-										stroke-linejoin="round"
-										d="M16 12a4 4 0 10-8 0 4 4 0 008 0zm0 0v1.5a2.5 2.5 0 005 0V12a9 9 0 10-9 9m4.5-1.206a8.959 8.959 0 01-4.5 1.207"
-									/>
-								</svg>
+						<input type="hidden" name="notificationId" value={notification.id} />
+						<button
+							type="submit"
+							class="flex w-full cursor-pointer items-start gap-3 border-b border-line px-4 py-3.5 text-left last:border-b-0 hover:bg-canvas
+								{!notification.read ? 'bg-accent-bg/20' : ''}"
+						>
+							<!-- Type icon -->
+							<span class="mt-0.5 shrink-0 text-ink-3" aria-hidden="true">
+								{#if notification.type === 'REPLY'}
+									<!-- Reply icon -->
+									<svg
+										xmlns="http://www.w3.org/2000/svg"
+										class="h-4 w-4"
+										fill="none"
+										viewBox="0 0 24 24"
+										stroke="currentColor"
+										stroke-width="2"
+									>
+										<path
+											stroke-linecap="round"
+											stroke-linejoin="round"
+											d="M3 10h10a8 8 0 018 8v2M3 10l6 6m-6-6l6-6"
+										/>
+									</svg>
+								{:else}
+									<!-- Mention icon -->
+									<svg
+										xmlns="http://www.w3.org/2000/svg"
+										class="h-4 w-4"
+										fill="none"
+										viewBox="0 0 24 24"
+										stroke="currentColor"
+										stroke-width="2"
+									>
+										<path
+											stroke-linecap="round"
+											stroke-linejoin="round"
+											d="M16 12a4 4 0 10-8 0 4 4 0 008 0zm0 0v1.5a2.5 2.5 0 005 0V12a9 9 0 10-9 9m4.5-1.206a8.959 8.959 0 01-4.5 1.207"
+										/>
+									</svg>
+								{/if}
+							</span>
+
+							<!-- Text + time -->
+							<div class="min-w-0 flex-1">
+								<p class="text-sm leading-snug text-ink">
+									{notification.type === 'REPLY'
+										? m.notification_type_reply({ actor: notification.actorName })
+										: m.notification_type_mention({ actor: notification.actorName })}
+								</p>
+								<p class="mt-1 text-xs text-ink-3">{relativeTime(notification.createdAt)}</p>
+							</div>
+
+							<!-- Unread dot -->
+							{#if !notification.read}
+								<span
+									class="mt-1.5 h-2 w-2 shrink-0 rounded-full bg-primary"
+									aria-label={m.notification_unread()}
+								></span>
 							{/if}
-						</span>
-
-						<!-- Text + time -->
-						<div class="min-w-0 flex-1">
-							<p class="text-sm leading-snug text-ink">
-								{notification.type === 'REPLY'
-									? m.notification_type_reply({ actor: notification.actorName })
-									: m.notification_type_mention({ actor: notification.actorName })}
-							</p>
-							<p class="mt-1 text-xs text-ink-3">{relativeTime(notification.createdAt)}</p>
-						</div>
-
-						<!-- Unread dot -->
-						{#if !notification.read}
-							<span
-								class="mt-1.5 h-2 w-2 shrink-0 rounded-full bg-primary"
-								aria-label={m.notification_unread()}
-							></span>
-						{/if}
-					</button>
+						</button>
+					</form>
 				</li>
 			{/each}
 		</ul>
diff --git a/frontend/src/lib/notification/NotificationDropdown.svelte.test.ts b/frontend/src/lib/notification/NotificationDropdown.svelte.test.ts
index 03e72e9d..91568d78 100644
--- a/frontend/src/lib/notification/NotificationDropdown.svelte.test.ts
+++ b/frontend/src/lib/notification/NotificationDropdown.svelte.test.ts
@@ -6,6 +6,19 @@ import NotificationDropdown from './NotificationDropdown.svelte';
 
 vi.mock('$app/navigation', () => ({ goto: vi.fn() }));
 
+// Invoke the SubmitFunction synchronously on form submit so tests can assert
+// that optimisticMarkRead / optimisticMarkAllRead are called.
+vi.mock('$app/forms', () => ({
+	enhance(node: HTMLFormElement, submit?: (opts: { formData: FormData }) => unknown) {
+		const handler = (e: Event) => {
+			e.preventDefault();
+			submit?.({ formData: new FormData(node) } as never);
+		};
+		node.addEventListener('submit', handler);
+		return { destroy: () => node.removeEventListener('submit', handler) };
+	}
+}));
+
 afterEach(() => {
 	cleanup();
 	vi.clearAllMocks();
@@ -29,8 +42,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -42,8 +55,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -55,8 +68,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -70,8 +83,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification()],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -83,8 +96,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification({ type: 'REPLY', actorName: 'Bert' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -98,8 +111,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification({ type: 'MENTION', actorName: 'Clara' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -116,8 +129,8 @@ describe('NotificationDropdown', () => {
 					makeNotification({ id: 'n1', read: false }),
 					makeNotification({ id: 'n2', read: true })
 				],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -126,37 +139,83 @@ describe('NotificationDropdown', () => {
 		expect(unreadDots.length).toBe(1);
 	});
 
-	it('calls onMarkRead with the notification when an item is clicked', async () => {
-		const onMarkRead = vi.fn();
+	it('each notification row is wrapped in a form posting to the dismiss action', async () => {
+		render(NotificationDropdown, {
+			props: {
+				notifications: [makeNotification({ id: 'n42' })],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose: () => {}
+			}
+		});
+
+		const form = document.querySelector('form[action="/aktivitaeten?/dismiss-notification"]');
+		expect(form).not.toBeNull();
+		expect(form?.getAttribute('method')).toBe('POST');
+	});
+
+	it('the dismiss form has a hidden notificationId input with the notification id', async () => {
+		render(NotificationDropdown, {
+			props: {
+				notifications: [makeNotification({ id: 'n42' })],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose: () => {}
+			}
+		});
+
+		const input = document.querySelector<HTMLInputElement>(
+			'form[action="/aktivitaeten?/dismiss-notification"] input[name="notificationId"]'
+		);
+		expect(input?.value).toBe('n42');
+	});
+
+	it('calls optimisticMarkRead with the notification id when a row is submitted', async () => {
+		const optimisticMarkRead = vi.fn();
 		const n = makeNotification({ id: 'n42', actorName: 'Anna' });
 		render(NotificationDropdown, {
 			props: {
 				notifications: [n],
-				onMarkRead,
-				onMarkAllRead: () => {},
+				optimisticMarkRead,
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
 
 		await page.getByRole('button', { name: /Anna hat auf deinen/i }).click();
 
-		expect(onMarkRead).toHaveBeenCalledWith(n);
+		expect(optimisticMarkRead).toHaveBeenCalledWith('n42');
 	});
 
-	it('calls onMarkAllRead when the mark-all-read button is clicked', async () => {
-		const onMarkAllRead = vi.fn();
+	it('the mark-all-read control is a form posting to the mark-all-read action', async () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification()],
-				onMarkRead: () => {},
-				onMarkAllRead,
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose: () => {}
+			}
+		});
+
+		const form = document.querySelector('form[action="/aktivitaeten?/mark-all-read"]');
+		expect(form).not.toBeNull();
+		expect(form?.getAttribute('method')).toBe('POST');
+	});
+
+	it('calls optimisticMarkAllRead when the mark-all-read button is submitted', async () => {
+		const optimisticMarkAllRead = vi.fn();
+		render(NotificationDropdown, {
+			props: {
+				notifications: [makeNotification()],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead,
 				onClose: () => {}
 			}
 		});
 
 		await page.getByRole('button', { name: /alle gelesen/i }).click();
 
-		expect(onMarkAllRead).toHaveBeenCalledOnce();
+		expect(optimisticMarkAllRead).toHaveBeenCalledOnce();
 	});
 
 	it('calls onClose when the view-all button is clicked', async () => {
@@ -164,8 +223,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose
 			}
 		});
@@ -179,8 +238,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -193,12 +252,15 @@ describe('NotificationDropdown', () => {
 	it('calls onClose before navigating to /aktivitaeten', async () => {
 		const callOrder: string[] = [];
 		const onClose = vi.fn(() => callOrder.push('close'));
-		vi.mocked(goto).mockImplementation(() => callOrder.push('goto'));
+		vi.mocked(goto).mockImplementation(() => {
+			callOrder.push('goto');
+			return Promise.resolve();
+		});
 		render(NotificationDropdown, {
 			props: {
 				notifications: [],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose
 			}
 		});
@@ -212,8 +274,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification({ id: 'm1', type: 'MENTION', actorName: 'Anna' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -225,8 +287,8 @@ describe('NotificationDropdown', () => {
 		render(NotificationDropdown, {
 			props: {
 				notifications: [makeNotification({ id: 'r1', type: 'REPLY', actorName: 'Bert' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
@@ -242,14 +304,13 @@ describe('NotificationDropdown', () => {
 					makeNotification({ id: 'n1', actorName: 'First' }),
 					makeNotification({ id: 'n2', actorName: 'Second' })
 				],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {},
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
 				onClose: () => {}
 			}
 		});
 
-		const items = document.querySelectorAll('button[type="button"]');
-		// At least 2 items + mark-all button
-		expect(items.length).toBeGreaterThanOrEqual(2);
+		const forms = document.querySelectorAll('form[action="/aktivitaeten?/dismiss-notification"]');
+		expect(forms.length).toBe(2);
 	});
 });
-- 
2.49.1


From 6f862243fd3854963093843717e1feeab98bc34f Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Tue, 19 May 2026 23:16:58 +0200
Subject: [PATCH 04/14] refactor(chronik): replace callback props with form
 actions in ChronikFuerDichBox
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Dismiss (X) button and mark-all-read button now submit forms to
/aktivitaeten?/dismiss-notification and /aktivitaeten?/mark-all-read respectively.
Props renamed onMarkRead/onMarkAllRead → optimisticMarkRead/optimisticMarkAllRead.

aktivitaeten/+page.svelte drops the now-deleted onMarkRead/onMarkAllRead wrapper functions
and passes notificationStore.optimisticMarkRead/optimisticMarkAllRead directly to the box.

Tests: $app/forms enhance mock added to both spec files so dismiss and mark-all assertions
work synchronously against form-submit events.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../lib/activity/ChronikFuerDichBox.svelte    | 78 ++++++++++++-------
 .../ChronikFuerDichBox.svelte.spec.ts         | 65 +++++++++-------
 .../ChronikFuerDichBox.svelte.test.ts         | 51 +++++++-----
 frontend/src/routes/aktivitaeten/+page.svelte | 14 ++--
 4 files changed, 124 insertions(+), 84 deletions(-)

diff --git a/frontend/src/lib/activity/ChronikFuerDichBox.svelte b/frontend/src/lib/activity/ChronikFuerDichBox.svelte
index 9cb94c24..fccf5892 100644
--- a/frontend/src/lib/activity/ChronikFuerDichBox.svelte
+++ b/frontend/src/lib/activity/ChronikFuerDichBox.svelte
@@ -1,4 +1,5 @@
 <script lang="ts">
+import { enhance } from '$app/forms';
 import * as m from '$lib/paraglide/messages.js';
 import { relativeTime } from '$lib/shared/utils/time';
 import type { NotificationItem } from '$lib/notification/notifications.svelte';
@@ -6,11 +7,11 @@ import { buildCommentHref } from '$lib/shared/discussion/commentDeepLink';
 
 interface Props {
 	unread: NotificationItem[];
-	onMarkRead: (n: NotificationItem) => void;
-	onMarkAllRead: () => void;
+	optimisticMarkRead: (id: string) => void;
+	optimisticMarkAllRead: () => void;
 }
 
-const { unread, onMarkRead, onMarkAllRead }: Props = $props();
+const { unread, optimisticMarkRead, optimisticMarkAllRead }: Props = $props();
 
 function verb(type: NotificationItem['type'], actor: string): string {
 	return type === 'REPLY'
@@ -66,14 +67,24 @@ function href(n: NotificationItem): string {
 					{m.chronik_for_you_count({ count: unread.length })}
 				</span>
 			</div>
-			<button
-				type="button"
-				data-testid="chronik-mark-all-read"
-				onclick={onMarkAllRead}
-				class="font-sans text-xs font-medium text-ink-3 transition-colors hover:text-ink"
+			<form
+				action="/aktivitaeten?/mark-all-read"
+				method="POST"
+				use:enhance={() => {
+					optimisticMarkAllRead();
+					return async ({ update }) => {
+						await update({ reset: false, invalidateAll: false });
+					};
+				}}
 			>
-				{m.chronik_mark_all_read()}
-			</button>
+				<button
+					type="submit"
+					data-testid="chronik-mark-all-read"
+					class="font-sans text-xs font-medium text-ink-3 transition-colors hover:text-ink"
+				>
+					{m.chronik_mark_all_read()}
+				</button>
+			</form>
 		</div>
 
 		<ul role="list" class="flex flex-col gap-2">
@@ -89,7 +100,7 @@ function href(n: NotificationItem): string {
 							aria-hidden="true"
 							class="mt-0.5 inline-flex h-6 w-6 shrink-0 items-center justify-center rounded-full bg-accent-bg font-sans text-xs font-bold text-accent"
 						>
-							{n.type === 'MENTION' ? '@' : '\u21A9'}
+							{n.type === 'MENTION' ? '@' : '↩'}
 						</span>
 						<div class="min-w-0 flex-1">
 							<p class="font-sans text-sm leading-snug text-ink">
@@ -100,25 +111,36 @@ function href(n: NotificationItem): string {
 							</p>
 						</div>
 					</a>
-					<button
-						type="button"
-						data-testid="chronik-fuerdich-dismiss"
-						aria-label={m.chronik_mark_read_aria()}
-						onclick={() => onMarkRead(n)}
-						class="mt-0.5 shrink-0 rounded-sm p-1 text-ink-3 transition-colors hover:bg-muted hover:text-ink focus-visible:ring-2 focus-visible:ring-focus-ring focus-visible:outline-none"
+					<form
+						action="/aktivitaeten?/dismiss-notification"
+						method="POST"
+						use:enhance={() => {
+							optimisticMarkRead(n.id);
+							return async ({ update }) => {
+								await update({ reset: false, invalidateAll: false });
+							};
+						}}
 					>
-						<svg
-							xmlns="http://www.w3.org/2000/svg"
-							class="h-4 w-4"
-							fill="none"
-							viewBox="0 0 24 24"
-							stroke="currentColor"
-							stroke-width="2"
-							aria-hidden="true"
+						<input type="hidden" name="notificationId" value={n.id} />
+						<button
+							type="submit"
+							data-testid="chronik-fuerdich-dismiss"
+							aria-label={m.chronik_mark_read_aria()}
+							class="mt-0.5 shrink-0 rounded-sm p-1 text-ink-3 transition-colors hover:bg-muted hover:text-ink focus-visible:ring-2 focus-visible:ring-focus-ring focus-visible:outline-none"
 						>
-							<path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" />
-						</svg>
-					</button>
+							<svg
+								xmlns="http://www.w3.org/2000/svg"
+								class="h-4 w-4"
+								fill="none"
+								viewBox="0 0 24 24"
+								stroke="currentColor"
+								stroke-width="2"
+								aria-hidden="true"
+							>
+								<path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" />
+							</svg>
+						</button>
+					</form>
 				</li>
 			{/each}
 		</ul>
diff --git a/frontend/src/lib/activity/ChronikFuerDichBox.svelte.spec.ts b/frontend/src/lib/activity/ChronikFuerDichBox.svelte.spec.ts
index f491dd06..44099b40 100644
--- a/frontend/src/lib/activity/ChronikFuerDichBox.svelte.spec.ts
+++ b/frontend/src/lib/activity/ChronikFuerDichBox.svelte.spec.ts
@@ -5,6 +5,17 @@ import { page, userEvent } from 'vitest/browser';
 import ChronikFuerDichBox from './ChronikFuerDichBox.svelte';
 import type { NotificationItem } from '$lib/notification/notifications.svelte';
 
+vi.mock('$app/forms', () => ({
+	enhance(node: HTMLFormElement, submit?: (opts: { formData: FormData }) => unknown) {
+		const handler = (e: Event) => {
+			e.preventDefault();
+			submit?.({ formData: new FormData(node) } as never);
+		};
+		node.addEventListener('submit', handler);
+		return { destroy: () => node.removeEventListener('submit', handler) };
+	}
+}));
+
 afterEach(cleanup);
 
 function notif(partial: Partial<NotificationItem>): NotificationItem {
@@ -26,8 +37,8 @@ describe('ChronikFuerDichBox', () => {
 	it('renders inbox-zero state when there are no unread items', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		const zero = document.querySelector('[data-testid="chronik-inbox-zero"]');
 		expect(zero).not.toBeNull();
@@ -37,8 +48,8 @@ describe('ChronikFuerDichBox', () => {
 	it('links to the archived mentions in the inbox-zero state', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		const link = document.querySelector('a[href="/aktivitaeten?filter=fuer-dich"]');
 		expect(link).not.toBeNull();
@@ -47,8 +58,8 @@ describe('ChronikFuerDichBox', () => {
 	it('renders the count badge with correct total when unread exists', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [notif({ id: 'a' }), notif({ id: 'b' })],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		await expect.element(page.getByText('2 neu')).toBeInTheDocument();
 	});
@@ -56,8 +67,8 @@ describe('ChronikFuerDichBox', () => {
 	it('count badge has aria-live=polite when unread exists', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [notif({ id: 'a' })],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		// Wait for render
 		await expect.element(page.getByText('1 neu')).toBeInTheDocument();
@@ -69,8 +80,8 @@ describe('ChronikFuerDichBox', () => {
 	it('does not render the "Alle gelesen" button when there are no unread items', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		await expect.element(page.getByText('Keine neuen Erwähnungen')).toBeInTheDocument();
 		const all = document.querySelector('[data-testid="chronik-mark-all-read"]');
@@ -80,38 +91,38 @@ describe('ChronikFuerDichBox', () => {
 	it('renders the "Alle gelesen" button when unread exists', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [notif({ id: 'a' })],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		await expect.element(page.getByText('Alle gelesen')).toBeInTheDocument();
 	});
 
-	it('calls onMarkAllRead when the "Alle gelesen" button is clicked', async () => {
-		const onMarkAllRead = vi.fn();
+	it('calls optimisticMarkAllRead when the "Alle gelesen" button is submitted', async () => {
+		const optimisticMarkAllRead = vi.fn();
 		render(ChronikFuerDichBox, {
 			unread: [notif({ id: 'a' })],
-			onMarkRead: vi.fn(),
-			onMarkAllRead
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead
 		});
 		await userEvent.click(page.getByText('Alle gelesen'));
-		expect(onMarkAllRead).toHaveBeenCalledTimes(1);
+		expect(optimisticMarkAllRead).toHaveBeenCalledTimes(1);
 	});
 
-	it('calls onMarkRead (and not navigation) when a per-item Dismiss button is clicked', async () => {
-		const onMarkRead = vi.fn();
+	it('calls optimisticMarkRead with the notification id when its dismiss button is submitted', async () => {
+		const optimisticMarkRead = vi.fn();
 		const n = notif({ id: 'xyz' });
 		render(ChronikFuerDichBox, {
 			unread: [n],
-			onMarkRead,
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead,
+			optimisticMarkAllRead: vi.fn()
 		});
 		const dismiss = document.querySelector(
 			'[data-testid="chronik-fuerdich-dismiss"]'
 		) as HTMLButtonElement | null;
 		expect(dismiss).not.toBeNull();
 		dismiss?.click();
-		expect(onMarkRead).toHaveBeenCalledTimes(1);
-		expect(onMarkRead.mock.calls[0][0]).toEqual(n);
+		expect(optimisticMarkRead).toHaveBeenCalledTimes(1);
+		expect(optimisticMarkRead.mock.calls[0][0]).toBe('xyz');
 	});
 
 	it('mention row href includes both commentId and annotationId when annotationId is present', async () => {
@@ -124,8 +135,8 @@ describe('ChronikFuerDichBox', () => {
 					annotationId: 'annot-9'
 				})
 			],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		const link = document.querySelector(
 			'a[href="/documents/doc-42?commentId=comment-7&annotationId=annot-9"]'
@@ -136,8 +147,8 @@ describe('ChronikFuerDichBox', () => {
 	it('Dismiss button is a sibling of the document link, never nested inside <a>', async () => {
 		render(ChronikFuerDichBox, {
 			unread: [notif({ id: 'x' })],
-			onMarkRead: vi.fn(),
-			onMarkAllRead: vi.fn()
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
 		});
 		const dismiss = document.querySelector('[data-testid="chronik-fuerdich-dismiss"]');
 		expect(dismiss).not.toBeNull();
diff --git a/frontend/src/lib/activity/ChronikFuerDichBox.svelte.test.ts b/frontend/src/lib/activity/ChronikFuerDichBox.svelte.test.ts
index 6b887a86..dfc271f6 100644
--- a/frontend/src/lib/activity/ChronikFuerDichBox.svelte.test.ts
+++ b/frontend/src/lib/activity/ChronikFuerDichBox.svelte.test.ts
@@ -4,6 +4,17 @@ import { page } from 'vitest/browser';
 import ChronikFuerDichBox from './ChronikFuerDichBox.svelte';
 import type { NotificationItem } from '$lib/notification/notifications';
 
+vi.mock('$app/forms', () => ({
+	enhance(node: HTMLFormElement, submit?: (opts: { formData: FormData }) => unknown) {
+		const handler = (e: Event) => {
+			e.preventDefault();
+			submit?.({ formData: new FormData(node) } as never);
+		};
+		node.addEventListener('submit', handler);
+		return { destroy: () => node.removeEventListener('submit', handler) };
+	}
+}));
+
 afterEach(cleanup);
 
 const mention = (overrides: Partial<NotificationItem> = {}): NotificationItem => ({
@@ -22,7 +33,7 @@ const mention = (overrides: Partial<NotificationItem> = {}): NotificationItem =>
 describe('ChronikFuerDichBox', () => {
 	it('renders the inbox-zero state when there are no unread', async () => {
 		render(ChronikFuerDichBox, {
-			props: { unread: [], onMarkRead: () => {}, onMarkAllRead: () => {} }
+			props: { unread: [], optimisticMarkRead: () => {}, optimisticMarkAllRead: () => {} }
 		});
 
 		await expect.element(page.getByText(/keine neuen erwähnungen/i)).toBeVisible();
@@ -34,8 +45,8 @@ describe('ChronikFuerDichBox', () => {
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention(), mention({ id: 'n-2' }), mention({ id: 'n-3' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {}
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {}
 			}
 		});
 
@@ -47,8 +58,8 @@ describe('ChronikFuerDichBox', () => {
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention({ id: 'n-m', type: 'MENTION' }), mention({ id: 'n-r', type: 'REPLY' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {}
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {}
 			}
 		});
 
@@ -62,8 +73,8 @@ describe('ChronikFuerDichBox', () => {
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention({ actorName: 'Bertha' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {}
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {}
 			}
 		});
 
@@ -76,8 +87,8 @@ describe('ChronikFuerDichBox', () => {
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention({ type: 'REPLY', actorName: 'Carl' })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {}
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {}
 			}
 		});
 
@@ -86,11 +97,11 @@ describe('ChronikFuerDichBox', () => {
 			.toBeVisible();
 	});
 
-	it('calls onMarkRead with the notification when its dismiss button is clicked', async () => {
-		const onMarkRead = vi.fn();
+	it('calls optimisticMarkRead with the notification id when its dismiss button is clicked', async () => {
+		const optimisticMarkRead = vi.fn();
 		const item = mention({ id: 'n-7' });
 		render(ChronikFuerDichBox, {
-			props: { unread: [item], onMarkRead, onMarkAllRead: () => {} }
+			props: { unread: [item], optimisticMarkRead, optimisticMarkAllRead: () => {} }
 		});
 
 		const dismiss = document.querySelector(
@@ -98,31 +109,31 @@ describe('ChronikFuerDichBox', () => {
 		) as HTMLElement;
 		dismiss.click();
 
-		expect(onMarkRead).toHaveBeenCalledWith(item);
+		expect(optimisticMarkRead).toHaveBeenCalledWith('n-7');
 	});
 
-	it('calls onMarkAllRead when the mark-all-read button is clicked', async () => {
-		const onMarkAllRead = vi.fn();
+	it('calls optimisticMarkAllRead when the mark-all-read button is clicked', async () => {
+		const optimisticMarkAllRead = vi.fn();
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention()],
-				onMarkRead: () => {},
-				onMarkAllRead
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead
 			}
 		});
 
 		const btn = document.querySelector('[data-testid="chronik-mark-all-read"]') as HTMLElement;
 		btn.click();
 
-		expect(onMarkAllRead).toHaveBeenCalledOnce();
+		expect(optimisticMarkAllRead).toHaveBeenCalledOnce();
 	});
 
 	it('builds a deep-link href to the comment for each notification', async () => {
 		render(ChronikFuerDichBox, {
 			props: {
 				unread: [mention({ documentId: 'doc-x', referenceId: 'ref-y', annotationId: null })],
-				onMarkRead: () => {},
-				onMarkAllRead: () => {}
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {}
 			}
 		});
 
diff --git a/frontend/src/routes/aktivitaeten/+page.svelte b/frontend/src/routes/aktivitaeten/+page.svelte
index fa870696..7246e51e 100644
--- a/frontend/src/routes/aktivitaeten/+page.svelte
+++ b/frontend/src/routes/aktivitaeten/+page.svelte
@@ -76,14 +76,6 @@ async function onFilterChange(v: FilterValue) {
 	});
 }
 
-async function onMarkRead(n: NotificationItem) {
-	await notificationStore.markRead(n);
-}
-
-async function onMarkAllRead() {
-	await notificationStore.markAllRead();
-}
-
 const displayFeed = $derived(applyClientFilter(data.activityFeed, data.filter));
 
 const isEmpty = $derived(displayFeed.length === 0);
@@ -108,7 +100,11 @@ function retry() {
 	{#if data.loadError === 'activity'}
 		<ChronikErrorCard onRetry={retry} />
 	{:else}
-		<ChronikFuerDichBox unread={unread} onMarkRead={onMarkRead} onMarkAllRead={onMarkAllRead} />
+		<ChronikFuerDichBox
+			unread={unread}
+			optimisticMarkRead={notificationStore.optimisticMarkRead}
+			optimisticMarkAllRead={notificationStore.optimisticMarkAllRead}
+		/>
 
 		<div class="mt-6">
 			<ChronikFilterPills value={data.filter} onChange={onFilterChange} />
-- 
2.49.1


From 261cbbd867901f9bca21f2b81bfa85a0b18a0c16 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Tue, 19 May 2026 23:48:37 +0200
Subject: [PATCH 05/14] fix(notifications): guard against null notificationId
 in dismiss action

Casting null to string caused PATCH to fire against /api/notifications/null/read
when the field was absent. Added an early-return fail(400) and a test that
submitting an empty form returns 400 without calling the API.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/src/routes/aktivitaeten/+page.server.ts     | 3 ++-
 frontend/src/routes/aktivitaeten/page.server.spec.ts | 7 +++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/frontend/src/routes/aktivitaeten/+page.server.ts b/frontend/src/routes/aktivitaeten/+page.server.ts
index 940cedb6..aacab562 100644
--- a/frontend/src/routes/aktivitaeten/+page.server.ts
+++ b/frontend/src/routes/aktivitaeten/+page.server.ts
@@ -71,7 +71,8 @@ export async function load({ fetch, url }) {
 export const actions = {
 	'dismiss-notification': async ({ request, fetch }) => {
 		const data = await request.formData();
-		const notificationId = data.get('notificationId') as string;
+		const notificationId = data.get('notificationId') as string | null;
+		if (!notificationId) return fail(400, { error: 'Ungültige Benachrichtigungs-ID' });
 		const api = createApiClient(fetch);
 		const result = await api.PATCH('/api/notifications/{id}/read', {
 			params: { path: { id: notificationId } }
diff --git a/frontend/src/routes/aktivitaeten/page.server.spec.ts b/frontend/src/routes/aktivitaeten/page.server.spec.ts
index fbff2670..63ee881b 100644
--- a/frontend/src/routes/aktivitaeten/page.server.spec.ts
+++ b/frontend/src/routes/aktivitaeten/page.server.spec.ts
@@ -185,6 +185,13 @@ function makeActionEvent(formData: FormData): any {
 }
 
 describe('aktivitaeten/actions — dismiss-notification', () => {
+	it('returns fail(400, { error }) and does NOT call PATCH when notificationId is missing', async () => {
+		const result = await actions['dismiss-notification'](makeActionEvent(new FormData()));
+
+		expect(result).toMatchObject({ status: 400 });
+		expect(mockApi.PATCH).not.toHaveBeenCalled();
+	});
+
 	it('calls PATCH /api/notifications/{id}/read with the form-supplied notificationId', async () => {
 		mockApi.PATCH.mockResolvedValue({ response: { ok: true }, data: {} });
 		const fd = new FormData();
-- 
2.49.1


From dbf74cb91a02a65ce049560c7d91f5b002a759e7 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Tue, 19 May 2026 23:54:15 +0200
Subject: [PATCH 06/14] fix(notifications): move onClose/goto into enhance
 result callback

onClose() and goto() were firing before the server responded, making it
impossible for a fail() response to cancel navigation. Moved them inside
the result callback behind a result.type !== 'failure' guard.

Updated the $app/forms enhance mock to always invoke the returned async
callback with a configurable mockFormResult, and added three tests:
- success path calls onClose + goto with the correct deep-link URL
- failure path skips onClose and goto
- annotationId is appended to the URL when present

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../notification/NotificationDropdown.svelte  | 20 ++--
 .../NotificationDropdown.svelte.test.ts       | 91 ++++++++++++++++++-
 2 files changed, 97 insertions(+), 14 deletions(-)

diff --git a/frontend/src/lib/notification/NotificationDropdown.svelte b/frontend/src/lib/notification/NotificationDropdown.svelte
index 115fe4f7..903ed5ce 100644
--- a/frontend/src/lib/notification/NotificationDropdown.svelte
+++ b/frontend/src/lib/notification/NotificationDropdown.svelte
@@ -84,15 +84,17 @@ function handleViewAll() {
 						class="contents"
 						use:enhance={() => {
 							optimisticMarkRead(notification.id);
-							onClose();
-							goto(
-								buildCommentHref(
-									notification.documentId,
-									notification.referenceId,
-									notification.annotationId
-								)
-							);
-							return async ({ update }) => {
+							return async ({ result, update }) => {
+								if (result.type !== 'failure') {
+									onClose();
+									goto(
+										buildCommentHref(
+											notification.documentId,
+											notification.referenceId,
+											notification.annotationId
+										)
+									);
+								}
 								await update({ reset: false, invalidateAll: false });
 							};
 						}}
diff --git a/frontend/src/lib/notification/NotificationDropdown.svelte.test.ts b/frontend/src/lib/notification/NotificationDropdown.svelte.test.ts
index 91568d78..459bd72b 100644
--- a/frontend/src/lib/notification/NotificationDropdown.svelte.test.ts
+++ b/frontend/src/lib/notification/NotificationDropdown.svelte.test.ts
@@ -6,13 +6,28 @@ import NotificationDropdown from './NotificationDropdown.svelte';
 
 vi.mock('$app/navigation', () => ({ goto: vi.fn() }));
 
-// Invoke the SubmitFunction synchronously on form submit so tests can assert
-// that optimisticMarkRead / optimisticMarkAllRead are called.
+// Configurable result for the enhance mock — tests that need failure set
+// mockFormResult.type = 'failure' before clicking.
+const mockFormResult = vi.hoisted(() => ({ type: 'success' as string }));
+
+// Invoke the SubmitFunction and always call the returned result callback with
+// mockFormResult so tests can exercise both success and failure branches.
 vi.mock('$app/forms', () => ({
-	enhance(node: HTMLFormElement, submit?: (opts: { formData: FormData }) => unknown) {
-		const handler = (e: Event) => {
+	enhance(
+		node: HTMLFormElement,
+		submit?: (opts: {
+			formData: FormData;
+		}) => (opts: {
+			result: { type: string; data?: Record<string, unknown> };
+			update: () => Promise<void>;
+		}) => Promise<void>
+	) {
+		const handler = async (e: Event) => {
 			e.preventDefault();
-			submit?.({ formData: new FormData(node) } as never);
+			const cb = submit?.({ formData: new FormData(node) } as never);
+			if (typeof cb === 'function') {
+				await cb({ result: mockFormResult, update: async () => {} } as never);
+			}
 		};
 		node.addEventListener('submit', handler);
 		return { destroy: () => node.removeEventListener('submit', handler) };
@@ -22,6 +37,7 @@ vi.mock('$app/forms', () => ({
 afterEach(() => {
 	cleanup();
 	vi.clearAllMocks();
+	mockFormResult.type = 'success'; // reset to default after each test
 });
 
 const makeNotification = (overrides: Record<string, unknown> = {}) => ({
@@ -313,4 +329,69 @@ describe('NotificationDropdown', () => {
 		const forms = document.querySelectorAll('form[action="/aktivitaeten?/dismiss-notification"]');
 		expect(forms.length).toBe(2);
 	});
+
+	it('calls onClose and goto with the deep-link URL after a successful dismiss', async () => {
+		const onClose = vi.fn();
+		const n = makeNotification({
+			id: 'n42',
+			documentId: 'd1',
+			referenceId: 'c1',
+			annotationId: null,
+			actorName: 'Anna'
+		});
+		render(NotificationDropdown, {
+			props: {
+				notifications: [n],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose
+			}
+		});
+
+		await page.getByRole('button', { name: /Anna hat auf deinen/i }).click();
+
+		expect(onClose).toHaveBeenCalledOnce();
+		expect(goto).toHaveBeenCalledWith('/documents/d1?commentId=c1');
+	});
+
+	it('does NOT call onClose or goto when the dismiss action returns a failure', async () => {
+		mockFormResult.type = 'failure';
+		const onClose = vi.fn();
+		const n = makeNotification({ id: 'n99', actorName: 'Bob' });
+		render(NotificationDropdown, {
+			props: {
+				notifications: [n],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose
+			}
+		});
+
+		await page.getByRole('button', { name: /Bob hat auf deinen/i }).click();
+
+		expect(onClose).not.toHaveBeenCalled();
+		expect(goto).not.toHaveBeenCalled();
+	});
+
+	it('calls goto with annotationId appended when the notification has an annotationId', async () => {
+		const n = makeNotification({
+			id: 'n55',
+			documentId: 'd1',
+			referenceId: 'c1',
+			annotationId: 'a1',
+			actorName: 'Eva'
+		});
+		render(NotificationDropdown, {
+			props: {
+				notifications: [n],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose: () => {}
+			}
+		});
+
+		await page.getByRole('button', { name: /Eva hat auf deinen/i }).click();
+
+		expect(goto).toHaveBeenCalledWith('/documents/d1?commentId=c1&annotationId=a1');
+	});
 });
-- 
2.49.1


From 30efb54aac622152de382524e535c38a5a3adf53 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Tue, 19 May 2026 23:56:33 +0200
Subject: [PATCH 07/14] fix(notifications): surface action failures as an error
 banner

When dismiss-notification or mark-all-read returns a failure the dropdown
now shows a localised error message above the list. Added
notification_error_generic key (de/en/es) as the fallback when the
action response carries no explicit error string.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/messages/de.json                        |  1 +
 frontend/messages/en.json                        |  1 +
 frontend/messages/es.json                        |  1 +
 .../lib/notification/NotificationDropdown.svelte | 16 ++++++++++++++--
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/frontend/messages/de.json b/frontend/messages/de.json
index 37e25574..2835fccc 100644
--- a/frontend/messages/de.json
+++ b/frontend/messages/de.json
@@ -522,6 +522,7 @@
 	"notification_filter_unread": "Ungelesen",
 	"notification_filter_mention": "Erwähnung",
 	"notification_filter_reply": "Antwort",
+	"notification_error_generic": "Aktion fehlgeschlagen. Bitte versuche es erneut.",
 	"notification_mark_all_read_aria": "Alle Benachrichtigungen als gelesen markieren",
 	"notification_load_more": "Ältere laden",
 	"notification_empty_history": "Keine Benachrichtigungen",
diff --git a/frontend/messages/en.json b/frontend/messages/en.json
index b4b675c5..e679d061 100644
--- a/frontend/messages/en.json
+++ b/frontend/messages/en.json
@@ -522,6 +522,7 @@
 	"notification_filter_unread": "Unread",
 	"notification_filter_mention": "Mention",
 	"notification_filter_reply": "Reply",
+	"notification_error_generic": "Action failed. Please try again.",
 	"notification_mark_all_read_aria": "Mark all notifications as read",
 	"notification_load_more": "Load older",
 	"notification_empty_history": "No notifications",
diff --git a/frontend/messages/es.json b/frontend/messages/es.json
index 898b3e85..dcc948d3 100644
--- a/frontend/messages/es.json
+++ b/frontend/messages/es.json
@@ -522,6 +522,7 @@
 	"notification_filter_unread": "No leídas",
 	"notification_filter_mention": "Mención",
 	"notification_filter_reply": "Respuesta",
+	"notification_error_generic": "La acción ha fallado. Por favor, inténtalo de nuevo.",
 	"notification_mark_all_read_aria": "Marcar todas las notificaciones como leídas",
 	"notification_load_more": "Cargar anteriores",
 	"notification_empty_history": "Sin notificaciones",
diff --git a/frontend/src/lib/notification/NotificationDropdown.svelte b/frontend/src/lib/notification/NotificationDropdown.svelte
index 903ed5ce..09719c4a 100644
--- a/frontend/src/lib/notification/NotificationDropdown.svelte
+++ b/frontend/src/lib/notification/NotificationDropdown.svelte
@@ -15,6 +15,8 @@ type Props = {
 
 let { notifications, optimisticMarkRead, optimisticMarkAllRead, onClose }: Props = $props();
 
+let errorMessage = $state<string | null>(null);
+
 function handleViewAll() {
 	onClose(); // close first — avoids stale dropdown during navigation transition
 	goto('/aktivitaeten');
@@ -38,7 +40,10 @@ function handleViewAll() {
 				method="POST"
 				use:enhance={() => {
 					optimisticMarkAllRead();
-					return async ({ update }) => {
+					return async ({ result, update }) => {
+						if (result.type === 'failure') {
+							errorMessage = (result.data as { error?: string } | undefined)?.error ?? m.notification_error_generic();
+						}
 						await update({ reset: false, invalidateAll: false });
 					};
 				}}
@@ -53,6 +58,11 @@ function handleViewAll() {
 		{/if}
 	</div>
 
+	<!-- Error banner (shown when a dismiss or mark-all action fails) -->
+	{#if errorMessage}
+		<p class="px-4 py-2 text-sm text-red-600">{errorMessage}</p>
+	{/if}
+
 	<!-- Notification list -->
 	{#if notifications.length === 0}
 		<!-- Empty state -->
@@ -85,7 +95,9 @@ function handleViewAll() {
 						use:enhance={() => {
 							optimisticMarkRead(notification.id);
 							return async ({ result, update }) => {
-								if (result.type !== 'failure') {
+								if (result.type === 'failure') {
+									errorMessage = (result.data as { error?: string } | undefined)?.error ?? m.notification_error_generic();
+								} else {
 									onClose();
 									goto(
 										buildCommentHref(
-- 
2.49.1


From 978a2b3cdb66c4a7295d885ddf799deeeb0bdfce Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Wed, 20 May 2026 07:05:50 +0200
Subject: [PATCH 08/14] fix(notification-dropdown): handle error result type,
 add role=alert, fix update ordering

- Add role="alert" to error banner so screen-reader users hear failures
- Handle result.type === 'error' (network failure) alongside 'failure' in both enhance callbacks
- Clear errorMessage at the start of each submit so stale errors don't persist on retry
- On dismiss success: skip update() entirely since goto() navigates away from the page
- On dismiss failure: await update() then set error message
- On mark-all success: skip update() (optimistic state already applied)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../notification/NotificationDropdown.svelte    | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/frontend/src/lib/notification/NotificationDropdown.svelte b/frontend/src/lib/notification/NotificationDropdown.svelte
index 09719c4a..6d4f72de 100644
--- a/frontend/src/lib/notification/NotificationDropdown.svelte
+++ b/frontend/src/lib/notification/NotificationDropdown.svelte
@@ -39,12 +39,13 @@ function handleViewAll() {
 				action="/aktivitaeten?/mark-all-read"
 				method="POST"
 				use:enhance={() => {
+					errorMessage = null;
 					optimisticMarkAllRead();
 					return async ({ result, update }) => {
-						if (result.type === 'failure') {
-							errorMessage = (result.data as { error?: string } | undefined)?.error ?? m.notification_error_generic();
+						if (result.type === 'failure' || result.type === 'error') {
+							errorMessage = (result as { data?: { error?: string } }).data?.error ?? m.notification_error_generic();
+							await update({ reset: false, invalidateAll: false });
 						}
-						await update({ reset: false, invalidateAll: false });
 					};
 				}}
 			>
@@ -60,7 +61,7 @@ function handleViewAll() {
 
 	<!-- Error banner (shown when a dismiss or mark-all action fails) -->
 	{#if errorMessage}
-		<p class="px-4 py-2 text-sm text-red-600">{errorMessage}</p>
+		<p role="alert" class="px-4 py-2 text-sm text-red-600">{errorMessage}</p>
 	{/if}
 
 	<!-- Notification list -->
@@ -93,11 +94,14 @@ function handleViewAll() {
 						method="POST"
 						class="contents"
 						use:enhance={() => {
+							errorMessage = null;
 							optimisticMarkRead(notification.id);
 							return async ({ result, update }) => {
-								if (result.type === 'failure') {
-									errorMessage = (result.data as { error?: string } | undefined)?.error ?? m.notification_error_generic();
+								if (result.type === 'failure' || result.type === 'error') {
+									errorMessage = (result as { data?: { error?: string } }).data?.error ?? m.notification_error_generic();
+									await update({ reset: false, invalidateAll: false });
 								} else {
+									// Navigate away — no need to update the store since we're leaving the page
 									onClose();
 									goto(
 										buildCommentHref(
@@ -107,7 +111,6 @@ function handleViewAll() {
 										)
 									);
 								}
-								await update({ reset: false, invalidateAll: false });
 							};
 						}}
 					>
-- 
2.49.1


From 35fbaf815469965ea4e9b0d8e44da4fae23116ae Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Wed, 20 May 2026 07:06:15 +0200
Subject: [PATCH 09/14] fix(aktivitaeten): narrow File cast and use null
 payload for missing notificationId

Replace 'as string | null' cast (which silently accepts File values) with an explicit
typeof check. Use error: null instead of hardcoded German so the client falls through
to the generic i18n-keyed error banner.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/src/routes/aktivitaeten/+page.server.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/frontend/src/routes/aktivitaeten/+page.server.ts b/frontend/src/routes/aktivitaeten/+page.server.ts
index aacab562..8d5e3fb1 100644
--- a/frontend/src/routes/aktivitaeten/+page.server.ts
+++ b/frontend/src/routes/aktivitaeten/+page.server.ts
@@ -71,8 +71,9 @@ export async function load({ fetch, url }) {
 export const actions = {
 	'dismiss-notification': async ({ request, fetch }) => {
 		const data = await request.formData();
-		const notificationId = data.get('notificationId') as string | null;
-		if (!notificationId) return fail(400, { error: 'Ungültige Benachrichtigungs-ID' });
+		const raw = data.get('notificationId');
+		const notificationId = typeof raw === 'string' ? raw : null;
+		if (!notificationId) return fail(400, { error: null });
 		const api = createApiClient(fetch);
 		const result = await api.PATCH('/api/notifications/{id}/read', {
 			params: { path: { id: notificationId } }
-- 
2.49.1


From 728f9cd1b09d369b2137b45f8969b2cd1482be59 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Wed, 20 May 2026 07:06:58 +0200
Subject: [PATCH 10/14] fix(chronik): surface action failures in
 ChronikFuerDichBox with accessible error banner
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add $state errorMessage + role=alert banner to ChronikFuerDichBox. Both enhance callbacks
now inspect result.type and set the error message on 'failure' or 'error'; errorMessage
is cleared on each new submit attempt.

Upgrade both test files to the mockFormResult pattern (via vi.hoisted) so the result
callback is exercised. Add a failing-action test in each file that asserts role=alert
appears after a form submit with type='failure'.

Fix bare Function cast → explicit typed cast to satisfy @typescript-eslint/no-unsafe-function-type.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../lib/activity/ChronikFuerDichBox.svelte    | 17 ++++++-
 .../ChronikFuerDichBox.svelte.spec.ts         | 44 ++++++++++++++++--
 .../ChronikFuerDichBox.svelte.test.ts         | 46 +++++++++++++++++--
 3 files changed, 97 insertions(+), 10 deletions(-)

diff --git a/frontend/src/lib/activity/ChronikFuerDichBox.svelte b/frontend/src/lib/activity/ChronikFuerDichBox.svelte
index fccf5892..18c2edff 100644
--- a/frontend/src/lib/activity/ChronikFuerDichBox.svelte
+++ b/frontend/src/lib/activity/ChronikFuerDichBox.svelte
@@ -13,6 +13,8 @@ interface Props {
 
 const { unread, optimisticMarkRead, optimisticMarkAllRead }: Props = $props();
 
+let errorMessage: string | null = $state(null);
+
 function verb(type: NotificationItem['type'], actor: string): string {
 	return type === 'REPLY'
 		? m.notification_type_reply({ actor })
@@ -25,6 +27,9 @@ function href(n: NotificationItem): string {
 </script>
 
 <section class="rounded-sm border border-line bg-surface p-5">
+	{#if errorMessage}
+		<p role="alert" class="px-4 py-2 text-sm text-red-600">{errorMessage}</p>
+	{/if}
 	{#if unread.length === 0}
 		<div data-testid="chronik-inbox-zero" class="flex flex-col items-center gap-3 py-6 text-center">
 			<svg
@@ -71,8 +76,12 @@ function href(n: NotificationItem): string {
 				action="/aktivitaeten?/mark-all-read"
 				method="POST"
 				use:enhance={() => {
+					errorMessage = null;
 					optimisticMarkAllRead();
-					return async ({ update }) => {
+					return async ({ result, update }) => {
+						if (result.type === 'failure' || result.type === 'error') {
+							errorMessage = m.notification_error_generic();
+						}
 						await update({ reset: false, invalidateAll: false });
 					};
 				}}
@@ -115,8 +124,12 @@ function href(n: NotificationItem): string {
 						action="/aktivitaeten?/dismiss-notification"
 						method="POST"
 						use:enhance={() => {
+							errorMessage = null;
 							optimisticMarkRead(n.id);
-							return async ({ update }) => {
+							return async ({ result, update }) => {
+								if (result.type === 'failure' || result.type === 'error') {
+									errorMessage = m.notification_error_generic();
+								}
 								await update({ reset: false, invalidateAll: false });
 							};
 						}}
diff --git a/frontend/src/lib/activity/ChronikFuerDichBox.svelte.spec.ts b/frontend/src/lib/activity/ChronikFuerDichBox.svelte.spec.ts
index 44099b40..8ffd6713 100644
--- a/frontend/src/lib/activity/ChronikFuerDichBox.svelte.spec.ts
+++ b/frontend/src/lib/activity/ChronikFuerDichBox.svelte.spec.ts
@@ -5,18 +5,36 @@ import { page, userEvent } from 'vitest/browser';
 import ChronikFuerDichBox from './ChronikFuerDichBox.svelte';
 import type { NotificationItem } from '$lib/notification/notifications.svelte';
 
+const mockFormResult = vi.hoisted(() => ({ type: 'success' as string }));
+
 vi.mock('$app/forms', () => ({
-	enhance(node: HTMLFormElement, submit?: (opts: { formData: FormData }) => unknown) {
-		const handler = (e: Event) => {
+	enhance(
+		node: HTMLFormElement,
+		submit?: (opts: {
+			formData: FormData;
+		}) => (opts: {
+			result: { type: string; data?: Record<string, unknown> };
+			update: () => Promise<void>;
+		}) => Promise<void>
+	) {
+		const handler = async (e: Event) => {
 			e.preventDefault();
-			submit?.({ formData: new FormData(node) } as never);
+			const cb = submit?.({ formData: new FormData(node) } as never);
+			if (typeof cb === 'function') {
+				await (
+					cb as (o: { result: typeof mockFormResult; update: () => Promise<void> }) => Promise<void>
+				)({ result: mockFormResult, update: async () => {} });
+			}
 		};
 		node.addEventListener('submit', handler);
 		return { destroy: () => node.removeEventListener('submit', handler) };
 	}
 }));
 
-afterEach(cleanup);
+afterEach(() => {
+	cleanup();
+	mockFormResult.type = 'success';
+});
 
 function notif(partial: Partial<NotificationItem>): NotificationItem {
 	return {
@@ -156,4 +174,22 @@ describe('ChronikFuerDichBox', () => {
 		// Prevents the senior-audience tap-drag bug flagged by Leonie.
 		expect(dismiss?.closest('a')).toBeNull();
 	});
+
+	it('shows an accessible error banner when the dismiss action returns a failure', async () => {
+		mockFormResult.type = 'failure';
+		render(ChronikFuerDichBox, {
+			unread: [notif({ id: 'err-1' })],
+			optimisticMarkRead: vi.fn(),
+			optimisticMarkAllRead: vi.fn()
+		});
+		const dismiss = document.querySelector(
+			'[data-testid="chronik-fuerdich-dismiss"]'
+		) as HTMLButtonElement | null;
+		expect(dismiss).not.toBeNull();
+		dismiss?.click();
+		// Allow microtask queue to flush
+		await new Promise((r) => setTimeout(r, 0));
+		const alert = document.querySelector('[role="alert"]');
+		expect(alert).not.toBeNull();
+	});
 });
diff --git a/frontend/src/lib/activity/ChronikFuerDichBox.svelte.test.ts b/frontend/src/lib/activity/ChronikFuerDichBox.svelte.test.ts
index dfc271f6..2ee844e3 100644
--- a/frontend/src/lib/activity/ChronikFuerDichBox.svelte.test.ts
+++ b/frontend/src/lib/activity/ChronikFuerDichBox.svelte.test.ts
@@ -4,18 +4,36 @@ import { page } from 'vitest/browser';
 import ChronikFuerDichBox from './ChronikFuerDichBox.svelte';
 import type { NotificationItem } from '$lib/notification/notifications';
 
+const mockFormResult = vi.hoisted(() => ({ type: 'success' as string }));
+
 vi.mock('$app/forms', () => ({
-	enhance(node: HTMLFormElement, submit?: (opts: { formData: FormData }) => unknown) {
-		const handler = (e: Event) => {
+	enhance(
+		node: HTMLFormElement,
+		submit?: (opts: {
+			formData: FormData;
+		}) => (opts: {
+			result: { type: string; data?: Record<string, unknown> };
+			update: () => Promise<void>;
+		}) => Promise<void>
+	) {
+		const handler = async (e: Event) => {
 			e.preventDefault();
-			submit?.({ formData: new FormData(node) } as never);
+			const cb = submit?.({ formData: new FormData(node) } as never);
+			if (typeof cb === 'function') {
+				await (
+					cb as (o: { result: typeof mockFormResult; update: () => Promise<void> }) => Promise<void>
+				)({ result: mockFormResult, update: async () => {} });
+			}
 		};
 		node.addEventListener('submit', handler);
 		return { destroy: () => node.removeEventListener('submit', handler) };
 	}
 }));
 
-afterEach(cleanup);
+afterEach(() => {
+	cleanup();
+	mockFormResult.type = 'success';
+});
 
 const mention = (overrides: Partial<NotificationItem> = {}): NotificationItem => ({
 	id: 'n-1',
@@ -140,4 +158,24 @@ describe('ChronikFuerDichBox', () => {
 		const link = document.querySelector('ul[role="list"] li a') as HTMLAnchorElement;
 		expect(link.getAttribute('href')).toContain('doc-x');
 	});
+
+	it('shows an accessible error banner when the dismiss action returns a failure', async () => {
+		mockFormResult.type = 'failure';
+		render(ChronikFuerDichBox, {
+			props: {
+				unread: [mention({ id: 'err-1' })],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {}
+			}
+		});
+
+		const dismiss = document.querySelector(
+			'[data-testid="chronik-fuerdich-dismiss"]'
+		) as HTMLElement;
+		dismiss.click();
+		// Allow microtask queue to flush
+		await new Promise((r) => setTimeout(r, 0));
+		const alert = document.querySelector('[role="alert"]');
+		expect(alert).not.toBeNull();
+	});
 });
-- 
2.49.1


From 392097287c55f535adfc26c9858ab137befab1e7 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Wed, 20 May 2026 07:31:26 +0200
Subject: [PATCH 11/14] fix(notification): address review suggestions

- ChronikFuerDichBox: move update() inside the failure branch so success
  path skips it, matching NotificationDropdown's pattern
- NotificationDropdown test: add role=alert assertion for mark-all-read
  failure to match existing dismiss-failure coverage in ChronikFuerDichBox
- +page.server.ts: use getErrorMessage(undefined) instead of null so the
  missing-notificationId 400 goes through the same i18n pipeline as other errors

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../src/lib/activity/ChronikFuerDichBox.svelte  |  4 ++--
 .../NotificationDropdown.svelte.test.ts         | 17 +++++++++++++++++
 .../src/routes/aktivitaeten/+page.server.ts     |  2 +-
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/frontend/src/lib/activity/ChronikFuerDichBox.svelte b/frontend/src/lib/activity/ChronikFuerDichBox.svelte
index 18c2edff..ac893171 100644
--- a/frontend/src/lib/activity/ChronikFuerDichBox.svelte
+++ b/frontend/src/lib/activity/ChronikFuerDichBox.svelte
@@ -81,8 +81,8 @@ function href(n: NotificationItem): string {
 					return async ({ result, update }) => {
 						if (result.type === 'failure' || result.type === 'error') {
 							errorMessage = m.notification_error_generic();
+							await update({ reset: false, invalidateAll: false });
 						}
-						await update({ reset: false, invalidateAll: false });
 					};
 				}}
 			>
@@ -129,8 +129,8 @@ function href(n: NotificationItem): string {
 							return async ({ result, update }) => {
 								if (result.type === 'failure' || result.type === 'error') {
 									errorMessage = m.notification_error_generic();
+									await update({ reset: false, invalidateAll: false });
 								}
-								await update({ reset: false, invalidateAll: false });
 							};
 						}}
 					>
diff --git a/frontend/src/lib/notification/NotificationDropdown.svelte.test.ts b/frontend/src/lib/notification/NotificationDropdown.svelte.test.ts
index 459bd72b..bdbda7eb 100644
--- a/frontend/src/lib/notification/NotificationDropdown.svelte.test.ts
+++ b/frontend/src/lib/notification/NotificationDropdown.svelte.test.ts
@@ -234,6 +234,23 @@ describe('NotificationDropdown', () => {
 		expect(optimisticMarkAllRead).toHaveBeenCalledOnce();
 	});
 
+	it('shows a role=alert error banner when mark-all-read returns a failure', async () => {
+		mockFormResult.type = 'failure';
+		render(NotificationDropdown, {
+			props: {
+				notifications: [makeNotification()],
+				optimisticMarkRead: () => {},
+				optimisticMarkAllRead: () => {},
+				onClose: () => {}
+			}
+		});
+
+		await page.getByRole('button', { name: /alle gelesen/i }).click();
+
+		const alert = document.querySelector('[role="alert"]');
+		expect(alert).not.toBeNull();
+	});
+
 	it('calls onClose when the view-all button is clicked', async () => {
 		const onClose = vi.fn();
 		render(NotificationDropdown, {
diff --git a/frontend/src/routes/aktivitaeten/+page.server.ts b/frontend/src/routes/aktivitaeten/+page.server.ts
index 8d5e3fb1..368b7bc3 100644
--- a/frontend/src/routes/aktivitaeten/+page.server.ts
+++ b/frontend/src/routes/aktivitaeten/+page.server.ts
@@ -73,7 +73,7 @@ export const actions = {
 		const data = await request.formData();
 		const raw = data.get('notificationId');
 		const notificationId = typeof raw === 'string' ? raw : null;
-		if (!notificationId) return fail(400, { error: null });
+		if (!notificationId) return fail(400, { error: getErrorMessage(undefined) });
 		const api = createApiClient(fetch);
 		const result = await api.PATCH('/api/notifications/{id}/read', {
 			params: { path: { id: notificationId } }
-- 
2.49.1


From 7b282f699d20bd898361b634f621e7013ef9d152 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Wed, 20 May 2026 20:09:27 +0200
Subject: [PATCH 12/14] fix(document): add receivers+trainingLabels to
 Document.list entity graph

Document.list was missing receivers (caused LazyInitializationException
when sorting by receiver) and trainingLabels (latent crash for any
document with OCR training labels assigned). Document.full was missing
trainingLabels for the same reason. OSIV is disabled so every lazy
association used after the transaction closes must be in the graph.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../java/org/raddatz/familienarchiv/document/Document.java    | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/backend/src/main/java/org/raddatz/familienarchiv/document/Document.java b/backend/src/main/java/org/raddatz/familienarchiv/document/Document.java
index 21052240..387e3547 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/document/Document.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/document/Document.java
@@ -30,7 +30,9 @@ import java.util.UUID;
 })
 @NamedEntityGraph(name = "Document.list", attributeNodes = {
         @NamedAttributeNode("sender"),
-        @NamedAttributeNode("tags")
+        @NamedAttributeNode("receivers"),
+        @NamedAttributeNode("tags"),
+        @NamedAttributeNode("trainingLabels")
 })
 @Entity
 @Table(name = "documents")
-- 
2.49.1


From 909f960b2e471aab2c615f728ba14cf0ddcc9d62 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Wed, 20 May 2026 20:09:48 +0200
Subject: [PATCH 13/14] fix(transcription): allow ANNOTATE_ALL on block write
 endpoints

TranscriptionBlockController required WRITE_ALL exclusively, blocking
users with only ANNOTATE_ALL from saving, reviewing, or deleting blocks.
All write endpoints now accept {ANNOTATE_ALL, WRITE_ALL}, matching the
pattern already established in AnnotationController and CommentController.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../transcription/TranscriptionBlockController.java  | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/backend/src/main/java/org/raddatz/familienarchiv/document/transcription/TranscriptionBlockController.java b/backend/src/main/java/org/raddatz/familienarchiv/document/transcription/TranscriptionBlockController.java
index 0a2240a4..feb5e378 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/document/transcription/TranscriptionBlockController.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/document/transcription/TranscriptionBlockController.java
@@ -43,7 +43,7 @@ public class TranscriptionBlockController {
 
     @PostMapping
     @ResponseStatus(HttpStatus.CREATED)
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public TranscriptionBlock createBlock(
             @PathVariable UUID documentId,
             @Valid @RequestBody CreateTranscriptionBlockDTO dto,
@@ -53,7 +53,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/{blockId}")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public TranscriptionBlock updateBlock(
             @PathVariable UUID documentId,
             @PathVariable UUID blockId,
@@ -65,7 +65,7 @@ public class TranscriptionBlockController {
 
     @DeleteMapping("/{blockId}")
     @ResponseStatus(HttpStatus.NO_CONTENT)
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public void deleteBlock(
             @PathVariable UUID documentId,
             @PathVariable UUID blockId) {
@@ -73,7 +73,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/reorder")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public List<TranscriptionBlock> reorderBlocks(
             @PathVariable UUID documentId,
             @RequestBody ReorderTranscriptionBlocksDTO dto) {
@@ -82,7 +82,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/{blockId}/review")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public TranscriptionBlock reviewBlock(
             @PathVariable UUID documentId,
             @PathVariable UUID blockId,
@@ -92,7 +92,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/review-all")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public List<TranscriptionBlock> markAllBlocksReviewed(
             @PathVariable UUID documentId,
             Authentication authentication) {
-- 
2.49.1


From 19e2f65a2100ea96c0336b5fd638504951164368 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Wed, 20 May 2026 20:10:12 +0200
Subject: [PATCH 14/14] fix(csrf): send X-XSRF-TOKEN on all client-side
 mutating fetch calls

hooks.server.ts already forwards the CSRF token for server-side fetch
(form actions, load). Client-side XHR calls bypassed it, causing Spring
Security to return 403 before PermissionAspect even ran.

Adds getCsrfToken/withCsrf/makeCsrfFetch to cookies.ts.
useTranscriptionBlocks wraps its injectable fetchImpl with makeCsrfFetch
(covers all block mutations and saveBlockWithConflictRetry).
useBlockAutoSave, TranscriptionEditView, BulkDocumentEditLayout,
OcrTrainingCard, and SegmentationTrainingCard apply withCsrf inline.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../document/BulkDocumentEditLayout.svelte    |  6 ++-
 .../TranscriptionEditView.svelte              | 14 +++---
 .../transcription/useBlockAutoSave.svelte.ts  | 16 ++++---
 .../useTranscriptionBlocks.svelte.ts          |  3 +-
 frontend/src/lib/ocr/OcrTrainingCard.svelte   |  3 +-
 .../lib/ocr/SegmentationTrainingCard.svelte   |  3 +-
 frontend/src/lib/shared/cookies.ts            | 43 +++++++++++++++++++
 7 files changed, 73 insertions(+), 15 deletions(-)

diff --git a/frontend/src/lib/document/BulkDocumentEditLayout.svelte b/frontend/src/lib/document/BulkDocumentEditLayout.svelte
index b2623140..c4eaf2df 100644
--- a/frontend/src/lib/document/BulkDocumentEditLayout.svelte
+++ b/frontend/src/lib/document/BulkDocumentEditLayout.svelte
@@ -17,6 +17,7 @@ import PdfViewer from '$lib/document/viewer/PdfViewer.svelte';
 import { bulkTitleFromFilename } from '$lib/document/filename';
 import type { Tag } from '$lib/tag/TagInput.svelte';
 import type { components } from '$lib/generated/api';
+import { withCsrf } from '$lib/shared/cookies';
 
 type Person = components['schemas']['Person'];
 
@@ -183,7 +184,10 @@ async function saveUpload() {
 		// FormData with per-chunk progress. Session cookie is sent automatically
 		// by the browser for same-origin requests.
 		try {
-			const res = await fetch('/api/documents/quick-upload', { method: 'POST', body: formData });
+			const res = await fetch(
+				'/api/documents/quick-upload',
+				withCsrf({ method: 'POST', body: formData })
+			);
 			const body = await res.json().catch(() => ({ errors: [] }));
 			const errorFilenames = new Set<string>(
 				(body.errors ?? []).map((err: { filename: string }) => err.filename)
diff --git a/frontend/src/lib/document/transcription/TranscriptionEditView.svelte b/frontend/src/lib/document/transcription/TranscriptionEditView.svelte
index 87e9749a..225e1e4e 100644
--- a/frontend/src/lib/document/transcription/TranscriptionEditView.svelte
+++ b/frontend/src/lib/document/transcription/TranscriptionEditView.svelte
@@ -6,6 +6,7 @@ import TranscribeCoachEmptyState from '$lib/shared/help/TranscribeCoachEmptyStat
 import type { PersonMention, TranscriptionBlockData } from '$lib/shared/types';
 import { createBlockAutoSave } from '$lib/document/transcription/useBlockAutoSave.svelte';
 import { createBlockDragDrop } from '$lib/document/transcription/useBlockDragDrop.svelte';
+import { withCsrf } from '$lib/shared/cookies';
 
 type Props = {
 	documentId: string;
@@ -113,11 +114,14 @@ function handleDelete(blockId: string) {
 
 async function reorder(newOrder: string[]) {
 	try {
-		const res = await fetch(`/api/documents/${documentId}/transcription-blocks/reorder`, {
-			method: 'PUT',
-			headers: { 'Content-Type': 'application/json' },
-			body: JSON.stringify({ blockIds: newOrder })
-		});
+		const res = await fetch(
+			`/api/documents/${documentId}/transcription-blocks/reorder`,
+			withCsrf({
+				method: 'PUT',
+				headers: { 'Content-Type': 'application/json' },
+				body: JSON.stringify({ blockIds: newOrder })
+			})
+		);
 		if (!res.ok) return;
 		const updated = await res.json();
 		for (const b of updated) {
diff --git a/frontend/src/lib/document/transcription/useBlockAutoSave.svelte.ts b/frontend/src/lib/document/transcription/useBlockAutoSave.svelte.ts
index 4e538fbc..d2b0bb47 100644
--- a/frontend/src/lib/document/transcription/useBlockAutoSave.svelte.ts
+++ b/frontend/src/lib/document/transcription/useBlockAutoSave.svelte.ts
@@ -1,5 +1,6 @@
 import { SvelteMap } from 'svelte/reactivity';
 import type { PersonMention } from '$lib/shared/types';
+import { withCsrf } from '$lib/shared/cookies';
 
 export type SaveState = 'idle' | 'saving' | 'saved' | 'fading' | 'error';
 
@@ -116,12 +117,15 @@ export function createBlockAutoSave({ saveFn, documentId }: Options) {
 		for (const [blockId, text] of pendingTexts) {
 			const mentions = pendingMentions.get(blockId) ?? [];
 			clearDebounce(blockId);
-			void fetch(`/api/documents/${documentId}/transcription-blocks/${blockId}`, {
-				method: 'PUT',
-				headers: { 'Content-Type': 'application/json' },
-				body: JSON.stringify({ text, mentionedPersons: mentions }),
-				keepalive: true
-			});
+			void fetch(
+				`/api/documents/${documentId}/transcription-blocks/${blockId}`,
+				withCsrf({
+					method: 'PUT',
+					headers: { 'Content-Type': 'application/json' },
+					body: JSON.stringify({ text, mentionedPersons: mentions }),
+					keepalive: true
+				})
+			);
 			pendingTexts.delete(blockId);
 			pendingMentions.delete(blockId);
 		}
diff --git a/frontend/src/lib/document/transcription/useTranscriptionBlocks.svelte.ts b/frontend/src/lib/document/transcription/useTranscriptionBlocks.svelte.ts
index da864ad8..4adcc310 100644
--- a/frontend/src/lib/document/transcription/useTranscriptionBlocks.svelte.ts
+++ b/frontend/src/lib/document/transcription/useTranscriptionBlocks.svelte.ts
@@ -2,6 +2,7 @@
    lastEditedAt's $derived are scope-local to one computation; they're never
    stored on $state. */
 import type { TranscriptionBlockData, PersonMention } from '$lib/shared/types';
+import { makeCsrfFetch } from '$lib/shared/cookies';
 import { saveBlockWithConflictRetry } from './saveBlockWithConflictRetry';
 import { BlockConflictResolvedError } from './blockConflictMerge';
 
@@ -41,7 +42,7 @@ export function createTranscriptionBlocks(
 	options: TranscriptionBlocksOptions
 ): TranscriptionBlocksController {
 	const { documentId } = options;
-	const fetchImpl = options.fetchImpl ?? fetch;
+	const fetchImpl = makeCsrfFetch(options.fetchImpl ?? fetch);
 
 	let blocks = $state<TranscriptionBlockData[]>([]);
 	let annotationReloadKey = $state(0);
diff --git a/frontend/src/lib/ocr/OcrTrainingCard.svelte b/frontend/src/lib/ocr/OcrTrainingCard.svelte
index 3bb8eb6c..88ae1c1f 100644
--- a/frontend/src/lib/ocr/OcrTrainingCard.svelte
+++ b/frontend/src/lib/ocr/OcrTrainingCard.svelte
@@ -2,6 +2,7 @@
 import TrainingHistory from './TrainingHistory.svelte';
 import { m } from '$lib/paraglide/messages.js';
 import type { TrainingRun } from '$lib/ocr/training.js';
+import { withCsrf } from '$lib/shared/cookies';
 
 interface TrainingInfo {
 	availableBlocks?: number;
@@ -33,7 +34,7 @@ async function startTraining() {
 	successMessage = null;
 	errorMessage = null;
 	try {
-		const res = await fetch('/api/ocr/train', { method: 'POST' });
+		const res = await fetch('/api/ocr/train', withCsrf({ method: 'POST' }));
 		if (res.ok) {
 			successMessage = m.training_success();
 			setTimeout(() => {
diff --git a/frontend/src/lib/ocr/SegmentationTrainingCard.svelte b/frontend/src/lib/ocr/SegmentationTrainingCard.svelte
index cfd9c478..c1e2f50b 100644
--- a/frontend/src/lib/ocr/SegmentationTrainingCard.svelte
+++ b/frontend/src/lib/ocr/SegmentationTrainingCard.svelte
@@ -2,6 +2,7 @@
 import TrainingHistory from './TrainingHistory.svelte';
 import { m } from '$lib/paraglide/messages.js';
 import type { TrainingRun } from '$lib/ocr/training.js';
+import { withCsrf } from '$lib/shared/cookies';
 
 interface TrainingInfo {
 	availableSegBlocks?: number;
@@ -27,7 +28,7 @@ async function startTraining() {
 	training = true;
 	successMessage = null;
 	try {
-		const res = await fetch('/api/ocr/segtrain', { method: 'POST' });
+		const res = await fetch('/api/ocr/segtrain', withCsrf({ method: 'POST' }));
 		if (res.ok) {
 			successMessage = m.training_success();
 			setTimeout(() => {
diff --git a/frontend/src/lib/shared/cookies.ts b/frontend/src/lib/shared/cookies.ts
index ca71e08d..3b2a273a 100644
--- a/frontend/src/lib/shared/cookies.ts
+++ b/frontend/src/lib/shared/cookies.ts
@@ -1,3 +1,46 @@
+/**
+ * Reads the XSRF-TOKEN cookie set by Spring Security's CookieCsrfTokenRepository.
+ * Returns null outside the browser or when the cookie is absent.
+ */
+export function getCsrfToken(): string | null {
+	if (typeof document === 'undefined') return null;
+	const match = document.cookie.match(/(?:^|;\s*)XSRF-TOKEN=([^;]+)/);
+	return match ? decodeURIComponent(match[1]) : null;
+}
+
+/**
+ * Merges the X-XSRF-TOKEN header into a RequestInit so Spring Security's
+ * CSRF filter accepts the request. Safe to call server-side (no-op when the
+ * cookie is absent).
+ */
+export function withCsrf(init?: RequestInit): RequestInit {
+	const token = getCsrfToken();
+	if (!token) return init ?? {};
+	const headers = new Headers(init?.headers);
+	headers.set('X-XSRF-TOKEN', token);
+	return { ...init, headers };
+}
+
+/**
+ * Wraps a fetch implementation so that every state-mutating call (POST, PUT,
+ * PATCH, DELETE) automatically includes the X-XSRF-TOKEN header. GET/HEAD
+ * requests pass through unchanged.
+ *
+ * Used to CSRF-protect client-side hooks that accept an injectable fetchImpl.
+ * In unit tests the injected mock is wrapped but getCsrfToken() returns null
+ * (no browser cookie), so no header is added and existing test expectations
+ * are unaffected.
+ */
+export function makeCsrfFetch(inner: typeof fetch): typeof fetch {
+	return (input: RequestInfo | URL, init?: RequestInit): Promise<Response> => {
+		const method = (init?.method ?? 'GET').toUpperCase();
+		if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) {
+			return inner(input, withCsrf(init));
+		}
+		return inner(input, init);
+	};
+}
+
 /**
  * Extracts the fa_session cookie value from a list of Set-Cookie response headers.
  *
-- 
2.49.1