feat(auth): add server-side validation to signup form action

Validates displayName, email, password server-side before calling
the backend API. Handles null from formData.get() safely.
Returns structured field errors via fail(400, { errors }).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

frontend/src/routes/(public)/signup/+page.server.ts

@@ -5,17 +5,40 @@ import type { Actions } from './$types';
 export const actions = {
 	default: async ({ request, fetch }) => {
 		const formData = await request.formData();
-		const displayName = formData.get('displayName') as string;
-		const email = formData.get('email') as string;
-		const password = formData.get('password') as string;
+		const displayName = (formData.get('displayName') ?? '').toString().trim();
+		const email = (formData.get('email') ?? '').toString().trim();
+		const password = (formData.get('password') ?? '').toString();
+
+		const errors: Record<string, string> = {};
+
+		if (!displayName) {
+			errors.displayName = 'Name ist erforderlich';
+		}
+
+		const emailPattern = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+		if (!emailPattern.test(email)) {
+			errors.email = 'Ungültige E-Mail-Adresse';
+		}
+
+		if (password.length < 8) {
+			errors.password = 'Mindestens 8 Zeichen';
+		}
+
+		if (Object.keys(errors).length > 0) {
+			return fail(400, { errors, displayName, email });
+		}
 
 		const api = apiClient(fetch);
-		const { data, error } = await api.POST('/v1/auth/signup', {
+		const { error } = await api.POST('/v1/auth/signup', {
 			body: { displayName, email, password }
 		});
 
 		if (error) {
-			return fail(400, { error: 'Registrierung fehlgeschlagen. Bitte versuche es erneut.' });
+			return fail(400, {
+				errors: { form: 'Registrierung fehlgeschlagen. Bitte versuche es erneut.' },
+				displayName,
+				email
+			});
 		}
 
 		redirect(303, '/household/setup');