Marcel 687a2590c7 fix(auth): address PR #617 review feedback on CSRF/rate-limit implementation ...

- Remove unreachable `&& !xsrfToken` condition from `handleFetch` guard;
  simplify the redundant `cookieParts.length > 0` check that follows it
- Add `TOO_MANY_LOGIN_ATTEMPTS` to both Error Handling sections in CLAUDE.md
  (backend and frontend) so LLMs are aware of the code without looking it up
- Add reverse-proxy IP trust and IPv6 address-cycling caveats to ADR-022
  Consequences section

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-19 07:41:04 +02:00

..

001-ocr-python-microservice.md

docs(adr): add ADR-001 (OCR microservice) and ADR-002 (polygon JSONB)

2026-04-12 15:07:46 +02:00

002-polygon-jsonb-storage.md

docs(adr): add ADR-001 (OCR microservice) and ADR-002 (polygon JSONB)

2026-04-12 15:07:46 +02:00

003-chronik-unified-activity-feed.md

feat(chronik): add ADR-003 + Paraglide keys for /chronik page (de/en/es)

2026-04-20 20:38:10 +02:00

004-pdfbox-thumbnails.md

docs(adr): document layering exception and in-memory backfill state

2026-04-22 22:58:36 +02:00

005-thumbnail-aspect-and-page-count.md

docs(adr): ADR-005 thumbnailAspect + pageCount alongside the thumbnail

2026-04-23 21:38:56 +02:00

006-synchronous-domain-events-in-transaction.md

docs(adr): ADR-006 synchronous domain events inside the publisher's transaction

2026-04-28 21:42:03 +02:00

007-reader-dashboard-permission-discriminant.md

docs(adr): ADR-007 reader-dashboard permission discriminant

2026-05-08 15:56:47 +02:00

008-fts-sql-pagination.md

docs(adr): ADR-008 SQL-level FTS pagination via window-function CTE

2026-05-09 16:35:01 +02:00

009-standalone-compose-not-overlay.md

docs(adr): ADR-009 standalone docker-compose.prod.yml, not overlay

2026-05-11 13:14:58 +02:00

010-minio-self-hosted-not-hetzner-obs.md

docs(adr): ADR-010 MinIO stays self-hosted, Hetzner OBS deferred

2026-05-11 13:15:38 +02:00

011-single-tenant-gitea-runner.md

docs(adr): ADR-011 single-tenant Gitea runner with on-disk env-files

2026-05-11 13:16:20 +02:00

012-browser-test-mocking-strategy.md

docs(adr-012): document duplicate-id hazard and patch-package backport

2026-05-13 08:09:57 +02:00

012-nsenter-for-host-service-management-in-ci.md

docs(adr): ADR-012 — nsenter via privileged container for host service management in CI

2026-05-12 07:42:28 +02:00

013-client-branches-coverage-threshold.md

docs(adr-013): set exact baseline to 75% (confirmed in CI)

2026-05-14 09:03:45 +02:00

014-upload-artifact-v3-pin.md

docs(adr-014): record upload-artifact v3 pin and Gitea act_runner v4 limitation

2026-05-14 10:58:19 +02:00

015-dood-workspace-bind-mount.md

docs(adr): add ADR-015 for DooD workspace bind-mount approach

2026-05-15 19:38:18 +02:00

016-obs-stack-co-location-ci-push.md

docs(adr): correct ADR-016 Decision section to match two-source env model

2026-05-16 08:52:42 +02:00

017-management-port-security.md

docs(adr): add ADR-017 — Spring Boot 4.0 management port shares main security filter chain

2026-05-16 15:46:45 +02:00

018-glitchtip-frontend-error-tracking.md

docs(adr): add ADR-018 for GlitchTip frontend error tracking via @sentry/sveltekit

2026-05-17 10:27:46 +02:00

019-container-hardening-baseline.md

docs(adr): ADR-019 — container hardening baseline (non-root + read-only)

2026-05-17 17:33:06 +02:00

020-stateful-auth-via-spring-session-jdbc.md

docs(adr): ADR-020 — stateful auth via Spring Session JDBC

2026-05-17 19:15:51 +02:00

021-tmpdir-persistent-volume-staging.md

docs(ocr): document TMPDIR convention and add ADR-021

2026-05-18 10:58:10 +02:00

022-csrf-session-revocation-rate-limiting.md

fix(auth): address PR #617 review feedback on CSRF/rate-limit implementation

2026-05-19 07:41:04 +02:00