Phase 5: Föderations-Endpunkte — Cards ist föderierter Peer

Endpoints (alle Pfade aus app-manifest.json): - POST /api/v1/share/receive — User-JWT-Auth, ShareEnvelope-Strict- Validation (cross-user-forbidden), Recipient-Match, Type-Accept- Lookup über Manifest, Payload-Schema-Validation, Handler-Dispatch - POST /api/v1/tools/:name — User-JWT, dispatch nach `cards.create` und `cards.search` mit Tool-Schemas aus @cards/domain - GET /api/v1/search — User-JWT, ILIKE auf cards.fields jsonb + decks.name, baut SearchResultEnvelope für mana-search-Aggregator - GET /api/v1/dsgvo/export?user_id=… — Service-Key, voll-Bundle aller Cards-Daten des Users (decks, cards, reviews, study_sessions, tags, media_refs, import_jobs) - POST /api/v1/dsgvo/delete — Service-Key, kaskadiert via FK-Cascade decks → cards → reviews/media_refs/card_tags/tags/study_sessions plus separates Cleanup von import_jobs Share-Handlers (apps/api/src/share-handlers/): - create_card_from_quote (mana/quote → front=text, back=source) - save_link_as_card (mana/url → front=title, back=url+description) - create_card_from_text (mana/text → front=erste-zeile, back=rest) Alle landen via ensureInboxDeck() in einem auto-erstellten "Inbox"-Deck pro User, inklusive automatischer FSRS-Reviews-Init in Transaktion. Lokales Protocol-Mirror in @cards/domain/src/protocol/ (envelope, payloads, search): TEMPORARY-Markierung mit Swap-Plan auf @mana/shared-share-protocol via Verdaccio sobald NPM_AUTH_TOKEN da ist. Spec-strict — UUID für user_id, ULID für share_id, Crockford-Base32. Service-Key-Middleware mit constant-time-Compare gegen process.env.CARDS_DSGVO_SERVICE_KEY (Phase F-1: ersetzt durch mana-auth.app_service_keys-Lookup). Tests: - 70 Vitest-Tests grün (27 cards-domain + 43 apps/api): - share.test.ts: Auth-Gate, Cross-User-Sperre, User-Mismatch (403), Wrong-Recipient (422), Unknown-Type (422), Invalid-Payload (422), Wrapped { envelope, delivery_token }-Body akzeptiert - tools.test.ts: Auth, Unknown-Tool (404), cards.create-Validation, cards.search-Envelope-Shape - search.test.ts: Auth, Missing-Query (422), Query-too-long (422), Envelope-Version 0.1 + envelope-Felder - dsgvo.test.ts: Service-Key-Gate (401), Missing-User-ID (400), Export-Bundle-Shape, Delete-Counts, Key-not-configured (500) - pnpm run type-check ✅ 4/4 packages - E2E-Smoke gegen Postgres: Quote-Share→Inbox-Deck→Karte→Search-Hit→ DSGVO-Export+Delete-Roundtrip clean (alle 3 Tabellen 0 nach delete) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 17:10:35 +02:00 · 2026-05-08 17:10:35 +02:00 · 0328caa333
commit 0328caa333
parent 89a7a9250b
19 changed files with 1371 additions and 0 deletions
--- a/.env.example
+++ b/.env.example
@ -34,3 +34,11 @@ NPM_AUTH_TOKEN=
 # === MinIO (über mana-media) ===
 CARDS_MEDIA_BUCKET=cards-storage
 # === DSGVO Service-Key ===
 # X-Service-Key-Wert, mit dem mana-admin DSGVO-Export/Delete-Calls
 # autorisiert. In Prod aus mana-auth.app_service_keys.
 CARDS_DSGVO_SERVICE_KEY=msk_dev_change_me_dsgvo
 # === Public-URL für Deep-Links in Share-Handlers + Search-Hits ===
 CARDS_PUBLIC_URL=http://localhost:3082
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@ -6,6 +6,10 @@ import { healthRoute } from './routes/health.ts';
 import { decksRouter } from './routes/decks.ts';
 import { cardsRouter } from './routes/cards.ts';
 import { reviewsRouter } from './routes/reviews.ts';
 import { shareRouter } from './routes/share.ts';
 import { toolsRouter } from './routes/tools.ts';
 import { searchRouter } from './routes/search.ts';
 import { dsgvoRouter } from './routes/dsgvo.ts';
 const app = new Hono();
@ -31,6 +35,10 @@ app.route('/.well-known/mana-app.json', manifestRoute);
 app.route('/api/v1/decks', decksRouter());
 app.route('/api/v1/cards', cardsRouter());
 app.route('/api/v1/reviews', reviewsRouter());
 app.route('/api/v1/share', shareRouter());
 app.route('/api/v1/tools', toolsRouter());
 app.route('/api/v1/search', searchRouter());
 app.route('/api/v1/dsgvo', dsgvoRouter());
 app.get('/', (c) =>
 	c.json({
--- a/apps/api/src/lib/inbox-deck.ts
+++ b/apps/api/src/lib/inbox-deck.ts
@ -0,0 +1,40 @@
 import { and, eq } from 'drizzle-orm';
 import type { CardsDb } from '../db/connection.ts';
 import { decks } from '../db/schema/index.ts';
 import { ulid } from './ulid.ts';
 /** Stabiler Name des Inbox-Decks pro User. Auto-Created bei erstem Share. */
 export const INBOX_DECK_NAME = 'Inbox';
 /**
 * Holt das Inbox-Deck eines Users oder legt es neu an.
 * Wird von allen Share-Receive-Handlern benutzt — eingehende
 * Shares landen immer in der Inbox, der User kann sie später
 * in andere Decks umsortieren.
 */
 export async function ensureInboxDeck(db: CardsDb, userId: string) {
 	const [existing] = await db
 		.select()
 		.from(decks)
 		.where(and(eq(decks.userId, userId), eq(decks.name, INBOX_DECK_NAME)))
 		.limit(1);
 	if (existing) return existing;
 	const now = new Date();
 	const [created] = await db
 		.insert(decks)
 		.values({
 			id: ulid(),
 			userId,
 			name: INBOX_DECK_NAME,
 			description: 'Eingehende Shares aus anderen Apps. Sortiere sie in eigene Decks um.',
 			color: '#888888',
 			visibility: 'private',
 			fsrsSettings: {},
 			createdAt: now,
 			updatedAt: now,
 		})
 		.returning();
 	return created;
 }
--- a/apps/api/src/lib/search.ts
+++ b/apps/api/src/lib/search.ts
@ -0,0 +1,76 @@
 import { and, eq, sql } from 'drizzle-orm';
 import type { CardsDb } from '../db/connection.ts';
 import { cards, decks } from '../db/schema/index.ts';
 const APP_BASE_URL = process.env.CARDS_PUBLIC_URL ?? 'https://cardecky.mana.how';
 export type SearchHit = {
 	id: string;
 	type: 'card';
 	title: string;
 	snippet?: string;
 	link: string;
 	score: number;
 	created_at?: string;
 	updated_at?: string;
 };
 /**
 * MVP-Suche: case-insensitive ILIKE auf der `fields` JSONB-Spalte
 * und auf Deck-Name. Vector-/Trigram-Suche kommt später (eigener
 * Index, separate Phase).
 *
 * Score-Heuristik MVP: 1.0 für Treffer (kein Ranking), absteigend
 * sortiert nach updated_at. Echtes Scoring wenn pg_trgm/vector
 * eingerichtet sind.
 */
 export async function searchUserCards(
 	db: CardsDb,
 	userId: string,
 	query: string,
 	maxResults = 30
 ): Promise<{ hits: SearchHit[]; tookMs: number }> {
 	const t0 = Date.now();
 	const pattern = `%${query.replace(/[%_]/g, '\\$&')}%`;
 	const rows = await db
 		.select({
 			id: cards.id,
 			deckId: cards.deckId,
 			fields: cards.fields,
 			createdAt: cards.createdAt,
 			updatedAt: cards.updatedAt,
 			deckName: decks.name,
 		})
 		.from(cards)
 		.innerJoin(decks, eq(decks.id, cards.deckId))
 		.where(
 			and(
 				eq(cards.userId, userId),
 				sql`(${cards.fields}::text ILIKE ${pattern} OR ${decks.name} ILIKE ${pattern})`
 			)
 		)
 		.orderBy(sql`${cards.updatedAt} DESC`)
 		.limit(Math.min(maxResults, 200));
 	const hits = rows.map((r): SearchHit => {
 		const fields = r.fields as Record<string, string>;
 		const front = fields.front ?? '';
 		const back = fields.back ?? '';
 		const title = front.split('\n')[0]?.slice(0, 200) ?? r.deckName;
 		const snippet = back.slice(0, 200) || undefined;
 		return {
 			id: r.id,
 			type: 'card',
 			title: title || '(leer)',
 			snippet,
 			link: `${APP_BASE_URL}/c/${r.id}`,
 			score: 1.0,
 			created_at: r.createdAt.toISOString(),
 			updated_at: r.updatedAt.toISOString(),
 		};
 	});
 	return { hits, tookMs: Date.now() - t0 };
 }
--- a/apps/api/src/middleware/service-key.ts
+++ b/apps/api/src/middleware/service-key.ts
@ -0,0 +1,41 @@
 import type { MiddlewareHandler } from 'hono';
 /**
 * Service-Key-Middleware für DSGVO-Endpunkte und sonstige
 * service-zu-service-Calls.
 *
 * Heute (Phase 5): vergleicht `X-Service-Key`-Header per
 * constant-time-Compare gegen `process.env.CARDS_DSGVO_SERVICE_KEY`.
 *
 * Phase F-1: ersetzt durch Verifikation gegen mana-auth's
 * `apps.app_service_keys` Tabelle (caller-App = `mana-admin`).
 */
 function constantTimeEquals(a: string, b: string): boolean {
 	if (a.length !== b.length) return false;
 	let mismatch = 0;
 	for (let i = 0; i < a.length; i++) {
 		mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i);
 	}
 	return mismatch === 0;
 }
 export function serviceKeyAuth(opts: { envVar: string }): MiddlewareHandler {
 	return async (c, next) => {
 		const expected = process.env[opts.envVar];
 		if (!expected) {
 			return c.json(
 				{
 					error: 'service_key_not_configured',
 					detail: `${opts.envVar} env-var is not set`,
 				},
 				500
 			);
 		}
 		const provided = c.req.header('X-Service-Key');
 		if (!provided || !constantTimeEquals(provided, expected)) {
 			return c.json({ error: 'service_key_invalid' }, 401);
 		}
 		await next();
 	};
 }
--- a/apps/api/src/routes/dsgvo.ts
+++ b/apps/api/src/routes/dsgvo.ts
@ -0,0 +1,121 @@
 import { eq } from 'drizzle-orm';
 import { Hono } from 'hono';
 import { getDb, type CardsDb } from '../db/connection.ts';
 import {
 	cards,
 	decks,
 	importJobs,
 	mediaRefs,
 	reviews,
 	studySessions,
 	tags,
 } from '../db/schema/index.ts';
 import { serviceKeyAuth } from '../middleware/service-key.ts';
 export type DsgvoDeps = { db?: CardsDb };
 /**
 * DSGVO-Endpunkte. Aufgerufen von mana-admin im Verein-DSGVO-
 * Fan-Out (Auskunft Art. 15/20 + Löschung Art. 17).
 *
 * Auth: Service-Key (`X-Service-Key` muss `CARDS_DSGVO_SERVICE_KEY`
 * matchen). Phase F-1: ersetzt durch mana-auth-Service-Key-Lookup.
 */
 export function dsgvoRouter(deps: DsgvoDeps = {}): Hono {
 	const r = new Hono();
 	const dbOf = () => deps.db ?? getDb();
 	r.use('*', serviceKeyAuth({ envVar: 'CARDS_DSGVO_SERVICE_KEY' }));
 	/**
 	 * Voll-Export aller Cards-Daten eines Users. Liefert serialisier-
 	 * bares JSON. mana-admin packt das mit den Antworten anderer Apps
 	 * in einen ZIP für den User.
 	 */
 	r.get('/export', async (c) => {
 		const userId = c.req.query('user_id');
 		if (!userId) return c.json({ error: 'missing_user_id' }, 400);
 		const db = dbOf();
 		const [decksRows, cardsRows, reviewsRows, sessionsRows, tagsRows, mediaRows, importsRows] =
 			await Promise.all([
 				db.select().from(decks).where(eq(decks.userId, userId)),
 				db.select().from(cards).where(eq(cards.userId, userId)),
 				db.select().from(reviews).where(eq(reviews.userId, userId)),
 				db.select().from(studySessions).where(eq(studySessions.userId, userId)),
 				db.select().from(tags).where(eq(tags.userId, userId)),
 				db.select().from(mediaRefs).where(eq(mediaRefs.userId, userId)),
 				db.select().from(importJobs).where(eq(importJobs.userId, userId)),
 			]);
 		return c.json({
 			user_id: userId,
 			exported_at: new Date().toISOString(),
 			app: 'cards',
 			app_version: process.env.CARDS_API_VERSION ?? '0.0.0',
 			data: {
 				decks: decksRows.map((d) => ({ ...d, createdAt: d.createdAt.toISOString(), updatedAt: d.updatedAt.toISOString() })),
 				cards: cardsRows.map((x) => ({
 					...x,
 					createdAt: x.createdAt.toISOString(),
 					updatedAt: x.updatedAt.toISOString(),
 				})),
 				reviews: reviewsRows.map((r) => ({
 					...r,
 					due: r.due.toISOString(),
 					lastReview: r.lastReview ? r.lastReview.toISOString() : null,
 				})),
 				study_sessions: sessionsRows.map((s) => ({
 					...s,
 					startedAt: s.startedAt.toISOString(),
 					finishedAt: s.finishedAt ? s.finishedAt.toISOString() : null,
 				})),
 				tags: tagsRows.map((t) => ({ ...t, createdAt: t.createdAt.toISOString() })),
 				media_refs: mediaRows.map((m) => ({ ...m, createdAt: m.createdAt.toISOString() })),
 				import_jobs: importsRows.map((j) => ({
 					...j,
 					createdAt: j.createdAt.toISOString(),
 					finishedAt: j.finishedAt ? j.finishedAt.toISOString() : null,
 				})),
 			},
 		});
 	});
 	/**
 	 * Vollständige Löschung aller Cards-Daten eines Users. FK-Cascades
 	 * räumen automatisch:
 	 *   decks → cards → reviews
 	 *           cards → media_refs
 	 *           cards → card_tags
 	 *           decks → tags
 	 *           decks → study_sessions
 	 * Verbleibend: import_jobs (eigene Tabelle ohne FK) — wird separat gelöscht.
 	 */
 	r.post('/delete', async (c) => {
 		const body = await c.req.json().catch(() => null);
 		const userId = (body as { user_id?: string } | null)?.user_id;
 		if (!userId) return c.json({ error: 'missing_user_id' }, 400);
 		const db = dbOf();
 		const [deletedDecks, deletedImports] = await db.transaction(async (tx) => {
 			const dd = await tx.delete(decks).where(eq(decks.userId, userId)).returning({ id: decks.id });
 			const di = await tx
 				.delete(importJobs)
 				.where(eq(importJobs.userId, userId))
 				.returning({ id: importJobs.id });
 			return [dd, di];
 		});
 		return c.json({
 			deleted: true,
 			user_id: userId,
 			counts: {
 				decks: deletedDecks.length,
 				import_jobs: deletedImports.length,
 			},
 		});
 	});
 	return r;
 }
--- a/apps/api/src/routes/search.ts
+++ b/apps/api/src/routes/search.ts
@ -0,0 +1,67 @@
 import { Hono } from 'hono';
 import {
 	SEARCH_ENVELOPE_VERSION,
 	type SearchResultEnvelope,
 } from '@cards/domain';
 import { getDb, type CardsDb } from '../db/connection.ts';
 import { authMiddleware, type AuthVars } from '../middleware/auth.ts';
 import { searchUserCards } from '../lib/search.ts';
 const APP_VERSION = process.env.CARDS_API_VERSION ?? '0.0.0';
 export type SearchDeps = { db?: CardsDb };
 /**
 * GET /api/v1/search?q=...
 *
 * Liefert eine `SearchResultEnvelope` (Phase 5.5 — MVP) im Format,
 * das der mana-search Aggregator erwartet. Aufrufer ist mana-search,
 * der parallel an alle App-Endpoints fan-outet.
 */
 export function searchRouter(deps: SearchDeps = {}): Hono<{ Variables: AuthVars }> {
 	const r = new Hono<{ Variables: AuthVars }>();
 	const dbOf = () => deps.db ?? getDb();
 	r.use('*', authMiddleware);
 	r.get('/', async (c) => {
 		const userId = c.get('userId');
 		const q = c.req.query('q')?.trim();
 		const limit = Number(c.req.query('limit') ?? 30);
 		if (!q) {
 			return c.json({ error: 'missing_query' }, 422);
 		}
 		if (q.length > 500) {
 			return c.json({ error: 'query_too_long', max: 500 }, 422);
 		}
 		const { hits, tookMs } = await searchUserCards(dbOf(), userId, q, limit);
 		const envelope: SearchResultEnvelope = {
 			envelope_version: SEARCH_ENVELOPE_VERSION,
 			query: q,
 			app: 'cards',
 			app_version: APP_VERSION,
 			results: hits.map((h) => ({
 				id: h.id,
 				type: 'card',
 				title: h.title,
 				snippet: h.snippet,
 				link: h.link,
 				score: h.score,
 				created_at: h.created_at,
 				updated_at: h.updated_at,
 			})),
 			total: hits.length,
 			partial: false,
 			took_ms: tookMs,
 		};
 		return c.json(envelope);
 	});
 	return r;
 }
--- a/apps/api/src/routes/share.ts
+++ b/apps/api/src/routes/share.ts
@ -0,0 +1,119 @@
 import { Hono } from 'hono';
 import { parseEnvelope, validatePayloadForType } from '@cards/domain';
 import manifest from '../../../../app-manifest.json' with { type: 'json' };
 import { getDb, type CardsDb } from '../db/connection.ts';
 import { authMiddleware, type AuthVars } from '../middleware/auth.ts';
 import { SHARE_HANDLERS, type ShareHandlerName } from '../share-handlers/index.ts';
 export type ShareDeps = { db?: CardsDb };
 /** Manifest-Lookup: Type → Handler-Name. */
 const ACCEPTS_BY_TYPE = new Map(manifest.accepts.map((a) => [a.type, a.handler] as const));
 export function shareRouter(deps: ShareDeps = {}): Hono<{ Variables: AuthVars }> {
 	const r = new Hono<{ Variables: AuthVars }>();
 	const dbOf = () => deps.db ?? getDb();
 	r.use('*', authMiddleware);
 	r.post('/receive', async (c) => {
 		const userId = c.get('userId');
 		// Body kann `{ envelope, delivery_token }` oder direkt der Envelope sein.
 		const body = await c.req.json().catch(() => null);
 		if (!body || typeof body !== 'object') {
 			return c.json({ accepted: false, reason: 'invalid_json' }, 400);
 		}
 		const wrapped = body as { envelope?: unknown; delivery_token?: string };
 		const rawEnvelope = wrapped.envelope ?? body;
 		// const deliveryToken = wrapped.delivery_token; // Phase F-1: validieren
 		// 1. Schema-Validierung (inkl. Cross-User-Sperre)
 		const parsed = parseEnvelope(rawEnvelope);
 		if (!parsed.success) {
 			return c.json(
 				{
 					accepted: false,
 					reason: 'envelope_invalid',
 					issues: parsed.error.issues.map(
 						(i) => `${i.path.join('.') || '<root>'}: ${i.message}`
 					),
 				},
 				422
 			);
 		}
 		const env = parsed.data;
 		// 2. User-Match
 		if (env.to.user_id !== userId) {
 			return c.json({ accepted: false, reason: 'user_id_mismatch' }, 403);
 		}
 		// 3. Empfänger-App-Match
 		if (env.to.app !== manifest.id) {
 			return c.json(
 				{
 					accepted: false,
 					reason: 'wrong_recipient',
 					expected: manifest.id,
 					actual: env.to.app,
 				},
 				422
 			);
 		}
 		// 4. Type akzeptiert?
 		const handlerName = ACCEPTS_BY_TYPE.get(env.type);
 		if (!handlerName) {
 			return c.json(
 				{ accepted: false, reason: 'type_not_accepted', type: env.type },
 				422
 			);
 		}
 		// 5. Payload validieren gegen sein eigenes Schema
 		const payloadCheck = validatePayloadForType(env.type, env.payload);
 		if (!payloadCheck.success) {
 			return c.json(
 				{
 					accepted: false,
 					reason: payloadCheck.error,
 					issues: 'issues' in payloadCheck ? payloadCheck.issues : undefined,
 				},
 				422
 			);
 		}
 		// 6. Handler holen + dispatchen
 		const handler = SHARE_HANDLERS[handlerName as ShareHandlerName];
 		if (!handler) {
 			return c.json(
 				{ accepted: false, reason: 'handler_not_registered', handler: handlerName },
 				501
 			);
 		}
 		try {
 			const result = await handler(dbOf(), userId, payloadCheck.data as never);
 			return c.json({
 				accepted: true,
 				target_link: result.target_link,
 				resulting_id: result.resulting_id,
 			});
 		} catch (e) {
 			return c.json(
 				{
 					accepted: false,
 					reason: 'handler_error',
 					message: (e as Error).message,
 				},
 				500
 			);
 		}
 	});
 	return r;
 }
--- a/apps/api/src/routes/tools.ts
+++ b/apps/api/src/routes/tools.ts
@ -0,0 +1,145 @@
 import { eq } from 'drizzle-orm';
 import { Hono } from 'hono';
 import {
 	CardsCreateInputSchema,
 	CardsSearchInputSchema,
 	newReview,
 	subIndexCount,
 } from '@cards/domain';
 import { getDb, type CardsDb } from '../db/connection.ts';
 import { cards, decks, reviews } from '../db/schema/index.ts';
 import { authMiddleware, type AuthVars } from '../middleware/auth.ts';
 import { ulid } from '../lib/ulid.ts';
 import { searchUserCards } from '../lib/search.ts';
 const APP_BASE_URL = process.env.CARDS_PUBLIC_URL ?? 'https://cardecky.mana.how';
 const APP_VERSION = process.env.CARDS_API_VERSION ?? '0.0.0';
 export type ToolsDeps = { db?: CardsDb };
 /**
 * Tool-Invoke-Endpoint für mana-mcp / Persona-Runner / Claude.
 * Dispatch nach `:name`. Auth: User-JWT (X-User-Id-Header im Dev-Stub).
 *
 * Phase F-1: zusätzlich Service-Key-Pfad für mcp-getriggerte Calls
 * mit user-on-behalf-of-Token.
 */
 export function toolsRouter(deps: ToolsDeps = {}): Hono<{ Variables: AuthVars }> {
 	const r = new Hono<{ Variables: AuthVars }>();
 	const dbOf = () => deps.db ?? getDb();
 	r.use('*', authMiddleware);
 	r.post('/:name', async (c) => {
 		const userId = c.get('userId');
 		const name = c.req.param('name');
 		const body = await c.req.json().catch(() => null);
 		if (body == null) return c.json({ error: 'invalid_json' }, 400);
 		switch (name) {
 			case 'cards.create': {
 				const parsed = CardsCreateInputSchema.safeParse(body);
 				if (!parsed.success) {
 					return c.json(
 						{ error: 'invalid_input', issues: parsed.error.issues.map((i) => i.message) },
 						422
 					);
 				}
 				const [deck] = await dbOf()
 					.select({ id: decks.id, userId: decks.userId })
 					.from(decks)
 					.where(eq(decks.id, parsed.data.deck_id))
 					.limit(1);
 				if (!deck) return c.json({ error: 'deck_not_found' }, 404);
 				if (deck.userId !== userId) return c.json({ error: 'deck_not_owned' }, 403);
 				const cardId = ulid();
 				const now = new Date();
 				const [row] = await dbOf().transaction(async (tx) => {
 					const [card] = await tx
 						.insert(cards)
 						.values({
 							id: cardId,
 							deckId: parsed.data.deck_id,
 							userId,
 							type: parsed.data.type,
 							fields: parsed.data.fields,
 							mediaRefs: parsed.data.media_refs ?? [],
 							createdAt: now,
 							updatedAt: now,
 						})
 						.returning();
 					const initial = Array.from(
 						{ length: subIndexCount(parsed.data.type) },
 						(_, i) => i
 					).map((subIndex) => {
 						const r = newReview({ userId, cardId, subIndex, now });
 						return {
 							cardId: r.card_id,
 							subIndex: r.sub_index,
 							userId: r.user_id,
 							due: new Date(r.due),
 							stability: r.stability,
 							difficulty: r.difficulty,
 							elapsedDays: r.elapsed_days,
 							scheduledDays: r.scheduled_days,
 							learningSteps: r.learning_steps,
 							reps: r.reps,
 							lapses: r.lapses,
 							state: r.state,
 							lastReview: r.last_review ? new Date(r.last_review) : null,
 						};
 					});
 					if (initial.length > 0) await tx.insert(reviews).values(initial);
 					return [card];
 				});
 				return c.json({
 					id: row.id,
 					deck_id: row.deckId,
 					user_id: row.userId,
 					type: row.type,
 					fields: row.fields,
 					media_refs: row.mediaRefs ?? [],
 					content_hash: row.contentHash,
 					created_at: row.createdAt.toISOString(),
 					updated_at: row.updatedAt.toISOString(),
 				});
 			}
 			case 'cards.search': {
 				const parsed = CardsSearchInputSchema.safeParse(body);
 				if (!parsed.success) {
 					return c.json(
 						{ error: 'invalid_input', issues: parsed.error.issues.map((i) => i.message) },
 						422
 					);
 				}
 				const max = parsed.data.max_results ?? 30;
 				const { hits, tookMs } = await searchUserCards(dbOf(), userId, parsed.data.query, max);
 				return c.json({
 					query: parsed.data.query,
 					results: hits.map((h) => ({
 						id: h.id,
 						type: 'card' as const,
 						title: h.title,
 						snippet: h.snippet,
 						link: h.link,
 						score: h.score,
 					})),
 					total: hits.length,
 					took_ms: tookMs,
 					app: 'cards',
 					app_version: APP_VERSION,
 					base_url: APP_BASE_URL,
 				});
 			}
 			default:
 				return c.json({ error: 'unknown_tool', name }, 404);
 		}
 	});
 	return r;
 }
--- a/apps/api/src/share-handlers/index.ts
+++ b/apps/api/src/share-handlers/index.ts
@ -0,0 +1,130 @@
 import { newReview, subIndexCount } from '@cards/domain';
 import type { QuotePayload, TextPayload, UrlPayload } from '@cards/domain';
 import type { CardsDb } from '../db/connection.ts';
 import { cards, reviews } from '../db/schema/index.ts';
 import { ensureInboxDeck } from '../lib/inbox-deck.ts';
 import { ulid } from '../lib/ulid.ts';
 /**
 * Antwort-Shape eines Share-Handlers — wird vom Receive-Endpoint
 * an den sendenden Peer zurückgegeben.
 */
 export type HandlerResult = {
 	target_link: string;
 	resulting_id: string;
 };
 const APP_BASE_URL = process.env.CARDS_PUBLIC_URL ?? 'https://cardecky.mana.how';
 /**
 * Legt eine basic-Karte mit (front,back) im Inbox-Deck an, inkl.
 * der ts-fsrs-Initial-Reviews. Gibt Karte-ID + Deep-Link zurück.
 */
 async function persistCardInInbox(
 	db: CardsDb,
 	userId: string,
 	front: string,
 	back: string
 ): Promise<HandlerResult> {
 	const inbox = await ensureInboxDeck(db, userId);
 	const cardId = ulid();
 	const now = new Date();
 	await db.transaction(async (tx) => {
 		await tx.insert(cards).values({
 			id: cardId,
 			deckId: inbox.id,
 			userId,
 			type: 'basic',
 			fields: { front, back },
 			mediaRefs: [],
 			createdAt: now,
 			updatedAt: now,
 		});
 		const initial = Array.from({ length: subIndexCount('basic') }, (_, i) => i).map(
 			(subIndex) => {
 				const r = newReview({ userId, cardId, subIndex, now });
 				return {
 					cardId: r.card_id,
 					subIndex: r.sub_index,
 					userId: r.user_id,
 					due: new Date(r.due),
 					stability: r.stability,
 					difficulty: r.difficulty,
 					elapsedDays: r.elapsed_days,
 					scheduledDays: r.scheduled_days,
 					learningSteps: r.learning_steps,
 					reps: r.reps,
 					lapses: r.lapses,
 					state: r.state,
 					lastReview: r.last_review ? new Date(r.last_review) : null,
 				};
 			}
 		);
 		if (initial.length > 0) {
 			await tx.insert(reviews).values(initial);
 		}
 	});
 	return {
 		target_link: `${APP_BASE_URL}/c/${cardId}`,
 		resulting_id: cardId,
 	};
 }
 /**
 * mana/quote → Karte. Front = Zitat-Text, Back = Quelle (URL bevorzugt,
 * sonst Source-String, sonst leer).
 */
 export async function createCardFromQuote(
 	db: CardsDb,
 	userId: string,
 	payload: QuotePayload
 ): Promise<HandlerResult> {
 	const front = payload.text;
 	const back = payload.source_url ?? payload.source ?? '';
 	return persistCardInInbox(db, userId, front, back);
 }
 /**
 * mana/url → Karte. Front = Titel (oder URL falls kein Titel),
 * Back = URL + Description/Snippet.
 */
 export async function saveLinkAsCard(
 	db: CardsDb,
 	userId: string,
 	payload: UrlPayload
 ): Promise<HandlerResult> {
 	const front = payload.title ?? payload.url;
 	const summary = payload.description ?? payload.snippet ?? '';
 	const back = summary ? `${payload.url}\n\n${summary}` : payload.url;
 	return persistCardInInbox(db, userId, front, back);
 }
 /**
 * mana/text → Karte. Front = erste Zeile (oder erste 200 Zeichen),
 * Back = Rest. Heuristisch — User kann später trennen.
 */
 export async function createCardFromText(
 	db: CardsDb,
 	userId: string,
 	payload: TextPayload
 ): Promise<HandlerResult> {
 	const text = payload.text.trim();
 	const firstNl = text.indexOf('\n');
 	const frontEnd = firstNl > 0 && firstNl < 200 ? firstNl : Math.min(200, text.length);
 	const front = text.slice(0, frontEnd).trim();
 	const back = text.slice(frontEnd).trim();
 	return persistCardInInbox(db, userId, front, back || '(weiter ausarbeiten)');
 }
 /** Manifest-Handler-Map. Key = `accepts[].handler` aus app-manifest.json. */
 export const SHARE_HANDLERS = {
 	create_card_from_quote: createCardFromQuote,
 	save_link_as_card: saveLinkAsCard,
 	create_card_from_text: createCardFromText,
 } as const;
 export type ShareHandlerName = keyof typeof SHARE_HANDLERS;
--- a/apps/api/tests/dsgvo.test.ts
+++ b/apps/api/tests/dsgvo.test.ts
@ -0,0 +1,110 @@
 import { describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { Hono } from 'hono';
 import { dsgvoRouter } from '../src/routes/dsgvo.ts';
 import type { CardsDb } from '../src/db/connection.ts';
 const ORIG_ENV = process.env.CARDS_DSGVO_SERVICE_KEY;
 const TEST_KEY = 'msk_test_dsgvo_key_42';
 beforeEach(() => {
 	process.env.CARDS_DSGVO_SERVICE_KEY = TEST_KEY;
 });
 afterEach(() => {
 	if (ORIG_ENV === undefined) {
 		delete process.env.CARDS_DSGVO_SERVICE_KEY;
 	} else {
 		process.env.CARDS_DSGVO_SERVICE_KEY = ORIG_ENV;
 	}
 });
 function buildApp() {
 	const stub = {
 		select: () => ({ from: () => ({ where: () => [] as never[] }) }),
 		delete: () => ({ where: () => ({ returning: async () => [] }) }),
 		transaction: async (fn: (tx: unknown) => unknown) =>
 			fn({
 				delete: () => ({ where: () => ({ returning: async () => [] }) }),
 			}),
 	};
 	const app = new Hono();
 	app.route('/api/v1/dsgvo', dsgvoRouter({ db: stub as unknown as CardsDb }));
 	return { app };
 }
 describe('dsgvoRouter — Service-Key-Gate', () => {
 	it('GET /export ohne Service-Key ist 401', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/dsgvo/export?user_id=u-1');
 		expect(res.status).toBe(401);
 	});
 	it('POST /delete mit falschem Key ist 401', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/dsgvo/delete', {
 			method: 'POST',
 			headers: { 'X-Service-Key': 'wrong', 'Content-Type': 'application/json' },
 			body: JSON.stringify({ user_id: 'u-1' }),
 		});
 		expect(res.status).toBe(401);
 	});
 	it('GET /export mit Key + ohne user_id ist 400', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/dsgvo/export', {
 			headers: { 'X-Service-Key': TEST_KEY },
 		});
 		expect(res.status).toBe(400);
 	});
 	it('GET /export mit Key + user_id liefert JSON-Bundle', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/dsgvo/export?user_id=u-1', {
 			headers: { 'X-Service-Key': TEST_KEY },
 		});
 		expect(res.status).toBe(200);
 		const body = (await res.json()) as {
 			user_id: string;
 			app: string;
 			data: { decks: unknown[]; cards: unknown[]; reviews: unknown[] };
 		};
 		expect(body.user_id).toBe('u-1');
 		expect(body.app).toBe('cards');
 		expect(Array.isArray(body.data.decks)).toBe(true);
 		expect(Array.isArray(body.data.cards)).toBe(true);
 		expect(Array.isArray(body.data.reviews)).toBe(true);
 	});
 	it('POST /delete mit Key + user_id liefert counts', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/dsgvo/delete', {
 			method: 'POST',
 			headers: { 'X-Service-Key': TEST_KEY, 'Content-Type': 'application/json' },
 			body: JSON.stringify({ user_id: 'u-1' }),
 		});
 		expect(res.status).toBe(200);
 		const body = (await res.json()) as {
 			deleted: boolean;
 			user_id: string;
 			counts: { decks: number; import_jobs: number };
 		};
 		expect(body.deleted).toBe(true);
 		expect(body.user_id).toBe('u-1');
 		expect(body.counts.decks).toBe(0);
 		expect(body.counts.import_jobs).toBe(0);
 	});
 });
 describe('dsgvoRouter — Key-not-configured Pfad', () => {
 	it('Wenn ENV fehlt → 500 service_key_not_configured', async () => {
 		delete process.env.CARDS_DSGVO_SERVICE_KEY;
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/dsgvo/export?user_id=u-1', {
 			headers: { 'X-Service-Key': 'whatever' },
 		});
 		expect(res.status).toBe(500);
 		const body = (await res.json()) as { error: string };
 		expect(body.error).toBe('service_key_not_configured');
 	});
 });
--- a/apps/api/tests/search.test.ts
+++ b/apps/api/tests/search.test.ts
@ -0,0 +1,67 @@
 import { describe, it, expect } from 'vitest';
 import { Hono } from 'hono';
 import { searchRouter } from '../src/routes/search.ts';
 import type { CardsDb } from '../src/db/connection.ts';
 function buildApp() {
 	const stub = {
 		select: () => ({
 			from: () => ({
 				innerJoin: () => ({
 					where: () => ({ orderBy: () => ({ limit: () => [] }) }),
 				}),
 			}),
 		}),
 	};
 	const app = new Hono();
 	app.route('/api/v1/search', searchRouter({ db: stub as unknown as CardsDb }));
 	return { app };
 }
 describe('searchRouter — Auth-Gate', () => {
 	it('GET ohne X-User-Id ist 401', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/search?q=foo');
 		expect(res.status).toBe(401);
 	});
 });
 describe('searchRouter — Query-Validation', () => {
 	it('GET ohne q ist 422', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/search', {
 			headers: { 'X-User-Id': 'u-1' },
 		});
 		expect(res.status).toBe(422);
 	});
 	it('GET mit q über 500 Zeichen ist 422', async () => {
 		const { app } = buildApp();
 		const long = 'x'.repeat(501);
 		const res = await app.request(`/api/v1/search?q=${encodeURIComponent(long)}`, {
 			headers: { 'X-User-Id': 'u-1' },
 		});
 		expect(res.status).toBe(422);
 	});
 	it('GET mit gültigem q liefert SearchResultEnvelope', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/search?q=Konfuzius', {
 			headers: { 'X-User-Id': 'u-1' },
 		});
 		expect(res.status).toBe(200);
 		const body = (await res.json()) as {
 			envelope_version: string;
 			query: string;
 			app: string;
 			results: unknown[];
 			partial: boolean;
 		};
 		expect(body.envelope_version).toBe('0.1');
 		expect(body.query).toBe('Konfuzius');
 		expect(body.app).toBe('cards');
 		expect(Array.isArray(body.results)).toBe(true);
 		expect(body.partial).toBe(false);
 	});
 });
--- a/apps/api/tests/share.test.ts
+++ b/apps/api/tests/share.test.ts
@ -0,0 +1,144 @@
 import { describe, it, expect } from 'vitest';
 import { Hono } from 'hono';
 import { shareRouter } from '../src/routes/share.ts';
 import type { CardsDb } from '../src/db/connection.ts';
 function buildApp() {
 	const stub = {} as CardsDb;
 	const app = new Hono();
 	app.route('/api/v1/share', shareRouter({ db: stub }));
 	return { app };
 }
 const userA = '00000000-0000-0000-0000-00000000aaaa';
 const userB = '00000000-0000-0000-0000-00000000bbbb';
 function envelope(overrides: Record<string, unknown> = {}) {
 	return {
 		envelope_version: '0.1',
 		share_id: '01HZ0EJW6V6N4SM3X5RHKR8B5T', // ULID-Pattern
 		from: {
 			app: 'zitate',
 			app_version: '1.0.0',
 			user_id: userA,
 			timestamp: new Date().toISOString(),
 		},
 		to: {
 			app: 'cards',
 			user_id: userA,
 		},
 		type: 'mana/quote',
 		payload: { text: 'Lernen ohne Nachdenken ist verlorene Mühe', source: 'Konfuzius' },
 		intent: 'user_action',
 		consent_recorded_at: new Date().toISOString(),
 		...overrides,
 	};
 }
 describe('shareRouter — Auth-Gate', () => {
 	it('POST /receive ohne X-User-Id ist 401', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/share/receive', {
 			method: 'POST',
 			body: JSON.stringify(envelope()),
 		});
 		expect(res.status).toBe(401);
 	});
 });
 describe('shareRouter — Envelope-Validation', () => {
 	it('Body kein JSON → 400', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/share/receive', {
 			method: 'POST',
 			headers: { 'X-User-Id': userA, 'Content-Type': 'application/json' },
 			body: 'not-json',
 		});
 		expect(res.status).toBe(400);
 	});
 	it('Cross-User-Share ist 422 (envelope_invalid)', async () => {
 		const { app } = buildApp();
 		const env = envelope({
 			to: { app: 'cards', user_id: userB }, // anderer User → Cross-User
 		});
 		const res = await app.request('/api/v1/share/receive', {
 			method: 'POST',
 			headers: { 'X-User-Id': userA, 'Content-Type': 'application/json' },
 			body: JSON.stringify(env),
 		});
 		expect(res.status).toBe(422);
 		const body = (await res.json()) as { reason: string };
 		expect(body.reason).toBe('envelope_invalid');
 	});
 	it('User-Mismatch (envelope.to.user_id != X-User-Id) ist 403', async () => {
 		const { app } = buildApp();
 		const env = envelope({
 			from: { ...envelope().from, user_id: userB },
 			to: { app: 'cards', user_id: userB },
 		});
 		const res = await app.request('/api/v1/share/receive', {
 			method: 'POST',
 			headers: { 'X-User-Id': userA, 'Content-Type': 'application/json' },
 			body: JSON.stringify(env),
 		});
 		expect(res.status).toBe(403);
 		const body = (await res.json()) as { reason: string };
 		expect(body.reason).toBe('user_id_mismatch');
 	});
 	it('Wrong-Recipient (to.app != cards) ist 422', async () => {
 		const { app } = buildApp();
 		const env = envelope({ to: { app: 'memoro', user_id: userA } });
 		const res = await app.request('/api/v1/share/receive', {
 			method: 'POST',
 			headers: { 'X-User-Id': userA, 'Content-Type': 'application/json' },
 			body: JSON.stringify(env),
 		});
 		expect(res.status).toBe(422);
 		const body = (await res.json()) as { reason: string };
 		expect(body.reason).toBe('wrong_recipient');
 	});
 	it('Unbekannter Type ist 422', async () => {
 		const { app } = buildApp();
 		const env = envelope({ type: 'mana/unknown-thing', payload: {} });
 		const res = await app.request('/api/v1/share/receive', {
 			method: 'POST',
 			headers: { 'X-User-Id': userA, 'Content-Type': 'application/json' },
 			body: JSON.stringify(env),
 		});
 		expect(res.status).toBe(422);
 		const body = (await res.json()) as { reason: string };
 		expect(body.reason).toBe('type_not_accepted');
 	});
 	it('Quote-Payload ohne text ist 422', async () => {
 		const { app } = buildApp();
 		const env = envelope({ payload: { source: 'X' } });
 		const res = await app.request('/api/v1/share/receive', {
 			method: 'POST',
 			headers: { 'X-User-Id': userA, 'Content-Type': 'application/json' },
 			body: JSON.stringify(env),
 		});
 		expect(res.status).toBe(422);
 		const body = (await res.json()) as { reason: string };
 		expect(body.reason).toBe('invalid_payload');
 	});
 	it('Wrapped Body { envelope, delivery_token } akzeptiert', async () => {
 		const { app } = buildApp();
 		const env = envelope({ to: { app: 'memoro', user_id: userA } });
 		const res = await app.request('/api/v1/share/receive', {
 			method: 'POST',
 			headers: { 'X-User-Id': userA, 'Content-Type': 'application/json' },
 			body: JSON.stringify({ envelope: env, delivery_token: 'tok_xyz' }),
 		});
 		// Wrong-Recipient nicht 422 → Wrapper wurde korrekt unwrapped (sonst wäre es envelope_invalid)
 		expect(res.status).toBe(422);
 		const body = (await res.json()) as { reason: string };
 		expect(body.reason).toBe('wrong_recipient');
 	});
 });
--- a/apps/api/tests/tools.test.ts
+++ b/apps/api/tests/tools.test.ts
@ -0,0 +1,96 @@
 import { describe, it, expect } from 'vitest';
 import { Hono } from 'hono';
 import { toolsRouter } from '../src/routes/tools.ts';
 import type { CardsDb } from '../src/db/connection.ts';
 function buildApp() {
 	const stub = {
 		select: () => ({
 			from: () => ({
 				where: () => ({ limit: () => [] }),
 				innerJoin: () => ({
 					where: () => ({ orderBy: () => ({ limit: () => [] }) }),
 				}),
 			}),
 		}),
 	};
 	const app = new Hono();
 	app.route('/api/v1/tools', toolsRouter({ db: stub as unknown as CardsDb }));
 	return { app };
 }
 describe('toolsRouter — Auth-Gate', () => {
 	it('POST /:name ohne X-User-Id ist 401', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/tools/cards.create', {
 			method: 'POST',
 			body: '{}',
 		});
 		expect(res.status).toBe(401);
 	});
 });
 describe('toolsRouter — Tool-Dispatch', () => {
 	it('Unbekanntes Tool ist 404', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/tools/cards.unknown', {
 			method: 'POST',
 			headers: { 'X-User-Id': 'u-1', 'Content-Type': 'application/json' },
 			body: '{}',
 		});
 		expect(res.status).toBe(404);
 		const body = (await res.json()) as { error: string };
 		expect(body.error).toBe('unknown_tool');
 	});
 	it('cards.create mit invalid input ist 422', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/tools/cards.create', {
 			method: 'POST',
 			headers: { 'X-User-Id': 'u-1', 'Content-Type': 'application/json' },
 			body: '{}',
 		});
 		expect(res.status).toBe(422);
 	});
 	it('cards.create mit gültigem Input erreicht Deck-Lookup (404 bei stub)', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/tools/cards.create', {
 			method: 'POST',
 			headers: { 'X-User-Id': 'u-1', 'Content-Type': 'application/json' },
 			body: JSON.stringify({
 				deck_id: 'd-1',
 				type: 'basic',
 				fields: { front: 'Q', back: 'A' },
 			}),
 		});
 		expect(res.status).toBe(404);
 		const body = (await res.json()) as { error: string };
 		expect(body.error).toBe('deck_not_found');
 	});
 	it('cards.search ohne query ist 422', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/tools/cards.search', {
 			method: 'POST',
 			headers: { 'X-User-Id': 'u-1', 'Content-Type': 'application/json' },
 			body: '{}',
 		});
 		expect(res.status).toBe(422);
 	});
 	it('cards.search mit gültigem query → 200 mit envelope-Shape', async () => {
 		const { app } = buildApp();
 		const res = await app.request('/api/v1/tools/cards.search', {
 			method: 'POST',
 			headers: { 'X-User-Id': 'u-1', 'Content-Type': 'application/json' },
 			body: JSON.stringify({ query: 'Konfuzius' }),
 		});
 		expect(res.status).toBe(200);
 		const body = (await res.json()) as { query: string; results: unknown[]; app: string };
 		expect(body.query).toBe('Konfuzius');
 		expect(Array.isArray(body.results)).toBe(true);
 		expect(body.app).toBe('cards');
 	});
 });
--- a/packages/cards-domain/src/index.ts
+++ b/packages/cards-domain/src/index.ts
@ -9,4 +9,5 @@
 export * from './schemas/index.ts';
 export * from './fsrs.ts';
 export * from './protocol/index.ts';
 // export * from './cloze.ts';  // Phase 8 oder später: Cloze-Parser
--- a/packages/cards-domain/src/protocol/envelope.ts
+++ b/packages/cards-domain/src/protocol/envelope.ts
@ -0,0 +1,69 @@
 // TEMPORARY MIRROR von @mana/shared-share-protocol/envelope.
 //
 // Solange `pkg.mana.how` für Cards nicht erreichbar ist (NPM_AUTH_TOKEN
 // in `~/.npmrc` fehlt), halten wir die Schemas hier lokal. Sobald
 // Verdaccio offen ist, wird diese Datei gegen einen Re-Export aus
 // `@mana/shared-share-protocol` getauscht — alle Imports sind in der
 // Form `import { ShareEnvelopeSchema } from '@cards/domain'` formuliert,
 // damit der Swap eine reine 1-Liner-Edit-Aufgabe ist.
 //
 // Bei jedem Update der mana-Spec muss diese Datei nachgezogen werden,
 // bis der Swap erfolgt. Stand: 2026-05-08, ENVELOPE_VERSION 0.1.
 import { z } from 'zod';
 export const ENVELOPE_VERSION = '0.1' as const;
 const ULID_REGEX = /^[0-9A-HJKMNP-TV-Z]{26}$/;
 const TYPE_NAME_REGEX = /^mana\/[a-z][a-z0-9-]+$/;
 const SignatureSchema = z.object({
 	algorithm: z.literal('eddsa'),
 	key_id: z.string().min(1),
 	signature: z.string().min(1),
 });
 export const ShareEnvelopeSchema = z.object({
 	envelope_version: z.literal(ENVELOPE_VERSION),
 	share_id: z.string().regex(ULID_REGEX, 'must be ULID'),
 	from: z.object({
 		app: z.string().min(1),
 		app_version: z.string().min(1),
 		user_id: z.string().uuid(),
 		timestamp: z.string().datetime(),
 		instance_id: z.string().max(120).optional(),
 	}),
 	to: z.object({
 		app: z.string().min(1),
 		user_id: z.string().uuid(),
 	}),
 	type: z.string().regex(TYPE_NAME_REGEX, 'must be "mana/<kind>"'),
 	payload: z.unknown(),
 	source_link: z.string().max(2000).optional(),
 	user_note: z.string().max(500).optional(),
 	ttl_seconds: z.number().int().positive().optional(),
 	intent: z.enum(['user_action', 'automation', 'agent_tool']).default('user_action'),
 	consent_recorded_at: z.string().datetime(),
 	signature: SignatureSchema.optional(),
 });
 export type ShareEnvelope = z.infer<typeof ShareEnvelopeSchema>;
 /** Strict-Variante: Cross-User-Shares hart verboten. */
 export const ShareEnvelopeStrictSchema = ShareEnvelopeSchema.refine(
 	(env) => env.from.user_id === env.to.user_id,
 	{
 		message: 'cross-user shares forbidden — from.user_id must equal to.user_id',
 		path: ['to', 'user_id'],
 	}
 );
 export function parseEnvelope(raw: unknown) {
 	return ShareEnvelopeStrictSchema.safeParse(raw);
 }
--- a/packages/cards-domain/src/protocol/index.ts
+++ b/packages/cards-domain/src/protocol/index.ts
@ -0,0 +1,7 @@
 // Public Re-Exports der lokalen Protocol-Mirror.
 // Wenn @mana/shared-share-protocol via Verdaccio verfügbar ist,
 // wird hier auf einen Re-Export aus dem npm-Paket umgestellt.
 export * from './envelope.ts';
 export * from './payloads.ts';
 export * from './search.ts';
--- a/packages/cards-domain/src/protocol/payloads.ts
+++ b/packages/cards-domain/src/protocol/payloads.ts
@ -0,0 +1,83 @@
 // TEMPORARY MIRROR — siehe envelope.ts.
 //
 // Payload-Schemas für die `accepts[]` aus dem Cards-Manifest:
 // `mana/quote`, `mana/url`, `mana/text`. Andere known types
 // (`mana/transcript`, `mana/link`, `mana/note`, etc.) werden wir
 // erst ergänzen, wenn Cards sie aktiv akzeptiert.
 import { z } from 'zod';
 export const MANA_TYPE_QUOTE = 'mana/quote' as const;
 export const MANA_TYPE_URL = 'mana/url' as const;
 export const MANA_TYPE_TEXT = 'mana/text' as const;
 export const QuotePayloadSchema = z
 	.object({
 		text: z.string().min(1).max(8000),
 		source: z.string().max(500).optional(),
 		source_url: z.string().url().optional(),
 		source_kind: z
 			.enum(['book', 'article', 'talk', 'conversation', 'transcript', 'link', 'manual', 'other'])
 			.optional(),
 		language: z
 			.string()
 			.regex(/^[a-z]{2}(-[A-Z]{2})?$/)
 			.optional(),
 		tags: z.array(z.string().max(64)).max(50).optional(),
 	})
 	.strict();
 export type QuotePayload = z.infer<typeof QuotePayloadSchema>;
 /**
 * `mana/url` — externe Web-Adresse mit optionalen OG-Metadaten.
 * (Mana-Spec nennt dies `mana/link`. Wir akzeptieren dieselben
 * Felder, aber unter unserem deklarierten Type-Namen `mana/url`.)
 */
 export const UrlPayloadSchema = z
 	.object({
 		url: z.string().url(),
 		title: z.string().max(500).optional(),
 		description: z.string().max(2000).optional(),
 		snippet: z.string().max(2000).optional(),
 		image_url: z.string().url().optional(),
 		site_name: z.string().max(200).optional(),
 		favicon_url: z.string().url().optional(),
 	})
 	.strict();
 export type UrlPayload = z.infer<typeof UrlPayloadSchema>;
 export const TextPayloadSchema = z
 	.object({
 		text: z.string().min(1).max(50000),
 		format: z.enum(['plain', 'markdown', 'html']).default('plain'),
 		source: z.string().max(500).optional(),
 		source_url: z.string().url().optional(),
 	})
 	.strict();
 export type TextPayload = z.infer<typeof TextPayloadSchema>;
 /** Map vom Type-String zum Payload-Schema. */
 export const PAYLOAD_SCHEMAS = {
 	[MANA_TYPE_QUOTE]: QuotePayloadSchema,
 	[MANA_TYPE_URL]: UrlPayloadSchema,
 	[MANA_TYPE_TEXT]: TextPayloadSchema,
 } as const;
 export type AcceptedShareType = keyof typeof PAYLOAD_SCHEMAS;
 export function validatePayloadForType(
 	type: string,
 	payload: unknown
 ): { success: true; data: unknown } | { success: false; error: 'unknown_type' | 'invalid_payload'; issues?: string[] } {
 	const schema = PAYLOAD_SCHEMAS[type as AcceptedShareType];
 	if (!schema) return { success: false, error: 'unknown_type' };
 	const r = schema.safeParse(payload);
 	if (!r.success) {
 		return {
 			success: false,
 			error: 'invalid_payload',
 			issues: r.error.issues.map((i) => `${i.path.join('.')}: ${i.message}`),
 		};
 	}
 	return { success: true, data: r.data };
 }
--- a/packages/cards-domain/src/protocol/search.ts
+++ b/packages/cards-domain/src/protocol/search.ts
@ -0,0 +1,39 @@
 // TEMPORARY MIRROR — siehe envelope.ts.
 import { z } from 'zod';
 export const SEARCH_ENVELOPE_VERSION = '0.1' as const;
 export const SearchHitSchema = z.object({
 	id: z.string().min(1),
 	type: z.string().min(1),
 	title: z.string().min(1).max(300),
 	snippet: z.string().max(1000).optional(),
 	link: z.string().min(1),
 	score: z.number().min(0).max(1),
 	highlights: z
 		.array(
 			z.object({
 				field: z.string().max(80),
 				fragment: z.string().max(500),
 			})
 		)
 		.max(10)
 		.optional(),
 	meta: z.record(z.string(), z.unknown()).optional(),
 	created_at: z.string().datetime().optional(),
 	updated_at: z.string().datetime().optional(),
 });
 export type SearchHit = z.infer<typeof SearchHitSchema>;
 export const SearchResultEnvelopeSchema = z.object({
 	envelope_version: z.literal(SEARCH_ENVELOPE_VERSION),
 	query: z.string().min(1).max(500),
 	app: z.string().min(1),
 	app_version: z.string().min(1),
 	results: z.array(SearchHitSchema).max(200),
 	total: z.number().int().nonnegative(),
 	partial: z.boolean(),
 	took_ms: z.number().int().nonnegative(),
 });
 export type SearchResultEnvelope = z.infer<typeof SearchResultEnvelopeSchema>;