{ "task_id": "2026-04-24-action-csrf-centralization-step4", "issue_summary": "Nach Abschluss von pages/admin gab es in non-admin Core-Seiten noch direkte requestInput()->method() und Session::checkCsrfToken()-Nutzung. Ziel war die gleiche Zentralisierung auch für pages/auth, pages/page, pages/lang und pages/flash.", "affected_layers": ["pages", "tests"], "affected_files": [ { "path": "pages/lang().php", "role": "Locale switch endpoint (GET/POST mixed)" }, { "path": "pages/flash/dismiss($id).php", "role": "Flash dismiss POST endpoint" }, { "path": "pages/page/copy-language().php", "role": "Page content locale copy action" }, { "path": "pages/page/index($slug).php", "role": "Page edit submit flow with optional JSON response" }, { "path": "pages/auth/login().php", "role": "Multi-stage login action" }, { "path": "pages/auth/register().php", "role": "Registration action" }, { "path": "pages/auth/forgot().php", "role": "Password reset request action" }, { "path": "pages/auth/verify().php", "role": "Password reset verification code action" }, { "path": "pages/auth/verify-email().php", "role": "Email verification and resend action" }, { "path": "pages/auth/reset().php", "role": "Password reset completion action" }, { "path": "tests/Architecture/CorePageRequestGuardContractTest.php", "role": "Architecture contract to prevent legacy request/csrf checks in non-admin core pages" } ], "risks_discovered": [ "Auth/page flows rely on in-page error handling instead of redirect on CSRF mismatch in several places; helper use must preserve this behavior.", "Mixed GET/POST endpoints (lang, page/index) require conditional CSRF enforcement without breaking GET rendering paths." ] }