feat(community): Phase 3.C — Identität (Avatar + Klarname-Toggle + Karma + Eulen-Profil)

Macht aus den Pseudonymen echte Charaktere ohne Klarnamen-Zwang.

Pixel-Identicon-Avatar (3.C.2):
- generateAvatarSvg(displayHash) — pure-function, deterministisch.
  5×5 left-mirrored Identicon mit HSL-Foreground/Background aus dem
  Hash. Inline-SVG, kein Storage, kein img-load-Flicker.
- <EulenAvatar> Component im Package, in ItemCard neben dem Pseudonym.

Klarname-Toggle (3.C.1):
- auth.users + community_show_real_name boolean (default off, opt-in).
- PATCH /api/v1/me/profile akzeptiert communityShowRealName.
- mana-analytics LEFT JOINs auth.users → bei opt-in liefert auth-
  required /public + /me/reacted Endpoints zusätzlich realName.
- Anonymous /api/v1/public/feedback/* zeigt realName NIE — auch nicht
  wenn opted-in. Public-Mirror bleibt für SEO + Privacy safe.
- Migration 008_community_identity.sql lokal + prod eingespielt.

Karma-System (3.C.3):
- auth.users + community_karma int. toggleReaction increment/decrement
  am Author-User (Self-Reactions zählen nicht — kein Self-Farming).
- KARMA_THRESHOLDS + tierFromKarma() im Package: Bronze (0-9) /
  Silver (10-49) / Gold (50-199) / Platin (200+).
- ItemCard zeigt Tier-Dot neben dem Pseudonym, Title-Tooltip mit
  Karma-Zahl. Floor-clamped at 0.

Eulen-Profil (3.C.4):
- GET /api/v1/public/feedback/eule/{hash} — alle public-Posts dieser
  Eule + aggregiertes Karma. SHA256-Format-Validation.
- /community/eule/[hash] Public-SSR-Route mit Avatar-Hero, Tier-Badge,
  Karma-Counter, Post-Liste. Author-Klick im ItemCard navigiert hin.
- publicFeedbackService.getEulenProfile() im Package.

PublicFeedbackItem erweitert um displayHash (public Pseudonym-ID,
SHA256 ist one-way → safe to expose) + karma + optional realName.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/mana/apps/web/src/lib/modules/community/components/ItemCard.svelte

@@ -6,8 +6,11 @@
 <script lang="ts">
 	import {
 		ReactionBar,
+		EulenAvatar,
 		FEEDBACK_CATEGORY_LABELS,
 		FEEDBACK_STATUS_CONFIG,
+		KARMA_TIER_CONFIG,
+		tierFromKarma,
 		type PublicFeedbackItem,
 		type ReactionEmoji,
 	} from '@mana/feedback';
@@ -24,6 +27,8 @@
 
 	let statusConfig = $derived(FEEDBACK_STATUS_CONFIG[item.status]);
 	let categoryLabel = $derived(FEEDBACK_CATEGORY_LABELS[item.category] ?? item.category);
+	let tier = $derived(tierFromKarma(item.karma ?? 0));
+	let tierCfg = $derived(KARMA_TIER_CONFIG[tier]);
 
 	function handleClick() {
 		if (onClick) onClick(item.id);
@@ -82,7 +87,19 @@
 	{/if}
 
 	<footer class="item-footer">
-		<span class="author">{item.displayName}</span>
+		<a
+			class="author-link"
+			href={`/community/eule/${item.displayHash}`}
+			onclick={(e) => e.stopPropagation()}
+			title={`Profil von ${item.displayName} öffnen · ${tierCfg.label}-Eule (${item.karma ?? 0} Karma)`}
+		>
+			<EulenAvatar displayHash={item.displayHash} size={24} title={item.displayName} />
+			<span class="author">
+				<span class="tier-dot" style:background-color={tierCfg.color} aria-hidden="true"></span>
+				{item.displayName}
+				{#if item.realName}<span class="real-name">· {item.realName}</span>{/if}
+			</span>
+		</a>
 		<ReactionBar
 			reactions={item.reactions}
 			myReactions={item.myReactions ?? []}
@@ -209,10 +226,41 @@
 		margin-top: 0.125rem;
 	}
 
+	.author-link {
+		display: inline-flex;
+		align-items: center;
+		gap: 0.4rem;
+		text-decoration: none;
+		color: inherit;
+		padding: 0.125rem 0.25rem;
+		margin: -0.125rem -0.25rem;
+		border-radius: 0.375rem;
+		transition: background 0.15s;
+	}
+
+	.author-link:hover {
+		background: hsl(var(--color-muted) / 0.4);
+	}
+
 	.author {
 		font-size: 0.75rem;
 		font-weight: 600;
 		color: hsl(var(--color-muted-foreground));
 		font-style: italic;
 	}
+
+	.real-name {
+		font-style: normal;
+		opacity: 0.7;
+	}
+
+	.tier-dot {
+		display: inline-block;
+		width: 0.5rem;
+		height: 0.5rem;
+		border-radius: 50%;
+		margin-right: 0.25rem;
+		box-shadow: 0 0 0 1px hsl(0 0% 0% / 0.08);
+		vertical-align: middle;
+	}
 </style>

apps/mana/apps/web/src/routes/community/eule/[hash]/+page.server.ts

@@ -0,0 +1,21 @@
+import { error } from '@sveltejs/kit';
+import { getManaAnalyticsUrl } from '$lib/api/config';
+import type { EulenProfileResponse } from '@mana/feedback';
+import type { PageServerLoad } from './$types';
+
+export const load: PageServerLoad = async ({ params, fetch, setHeaders }) => {
+	const { hash } = params;
+	if (!/^[0-9a-f]{32,64}$/i.test(hash)) error(404, 'Eulen-Profil nicht gefunden');
+
+	const res = await fetch(`${getManaAnalyticsUrl()}/api/v1/public/feedback/eule/${hash}`);
+	if (res.status === 400 || res.status === 404) error(404, 'Eulen-Profil nicht gefunden');
+	if (!res.ok) error(502, 'Fehler beim Laden');
+
+	const data = (await res.json()) as EulenProfileResponse;
+
+	setHeaders({
+		'cache-control': 'public, max-age=60, s-maxage=120, stale-while-revalidate=600',
+	});
+
+	return data;
+};

apps/mana/apps/web/src/routes/community/eule/[hash]/+page.svelte

@@ -0,0 +1,261 @@
+<script lang="ts">
+	import { goto } from '$app/navigation';
+	import {
+		EulenAvatar,
+		KARMA_TIER_CONFIG,
+		tierFromKarma,
+		FEEDBACK_STATUS_CONFIG,
+		type FeedbackStatus,
+	} from '@mana/feedback';
+
+	let { data } = $props();
+
+	let tier = $derived(tierFromKarma(data.karma));
+	let tierCfg = $derived(KARMA_TIER_CONFIG[tier]);
+
+	function statusOf(s: string) {
+		return FEEDBACK_STATUS_CONFIG[s as FeedbackStatus] ?? null;
+	}
+
+	function fmtDate(s: string): string {
+		try {
+			return new Date(s).toLocaleDateString('de-DE', {
+				day: '2-digit',
+				month: '2-digit',
+				year: '2-digit',
+			});
+		} catch {
+			return s.slice(0, 10);
+		}
+	}
+
+	function goToItem(id: string) {
+		void goto(`/community/${id}`);
+	}
+</script>
+
+<svelte:head>
+	<title>{data.displayName ?? 'Eule'} — Mana Community</title>
+	<meta
+		name="description"
+		content={`Profil von ${data.displayName ?? 'einer Eule'} mit ${data.items.length} Wünschen und ${data.karma} Karma.`}
+	/>
+</svelte:head>
+
+<div class="profile">
+	<a href="/community" class="back-link">← Zurück zum Feed</a>
+
+	<header class="hero">
+		<EulenAvatar displayHash={data.displayHash} size={96} title={data.displayName ?? ''} />
+		<div class="hero-meta">
+			<h1>{data.displayName ?? 'Anonym'}</h1>
+			<div class="badges">
+				<span class="tier" style:background-color="{tierCfg.color}22" style:color={tierCfg.color}>
+					<span class="tier-dot" style:background-color={tierCfg.color}></span>
+					{tierCfg.label}-Eule
+				</span>
+				<span class="karma">{data.karma} Karma</span>
+				<span class="post-count">{data.items.length} Wünsche</span>
+			</div>
+			<p class="lead">
+				Alle öffentlichen Beiträge dieser Eule. Anonym, aber konsistent — derselbe Mensch dahinter,
+				derselbe Avatar.
+			</p>
+		</div>
+	</header>
+
+	{#if data.items.length === 0}
+		<div class="state">Diese Eule hat noch nichts gepostet.</div>
+	{:else}
+		<div class="grid">
+			{#each data.items as item (item.id)}
+				{@const cfg = statusOf(item.status)}
+				<!-- svelte-ignore a11y_click_events_have_key_events -->
+				<!-- svelte-ignore a11y_no_static_element_interactions -->
+				<!-- svelte-ignore a11y_no_noninteractive_element_to_interactive_role -->
+				<article class="row" role="button" tabindex="0" onclick={() => goToItem(item.id)}>
+					<div class="row-meta">
+						{#if cfg}
+							<span class="status-pill" style:color={cfg.color} style:border-color={cfg.color}>
+								{cfg.label}
+							</span>
+						{/if}
+						{#if item.moduleContext}
+							<span class="badge module">{item.moduleContext}</span>
+						{/if}
+						<span class="muted">{fmtDate(item.createdAt)}</span>
+					</div>
+					{#if item.title}
+						<h3 class="row-title">{item.title}</h3>
+					{/if}
+					<p class="row-text">{item.feedbackText}</p>
+				</article>
+			{/each}
+		</div>
+	{/if}
+</div>
+
+<style>
+	.profile {
+		display: flex;
+		flex-direction: column;
+		gap: 1.5rem;
+	}
+
+	.back-link {
+		display: inline-flex;
+		align-items: center;
+		gap: 0.25rem;
+		color: hsl(var(--color-muted-foreground));
+		text-decoration: none;
+		font-size: 0.8125rem;
+		padding: 0.5rem 0;
+	}
+
+	.back-link:hover {
+		color: hsl(var(--color-foreground));
+	}
+
+	.hero {
+		display: flex;
+		align-items: center;
+		gap: 1.25rem;
+		padding: 1rem 0 0.5rem;
+	}
+
+	.hero-meta {
+		display: flex;
+		flex-direction: column;
+		gap: 0.5rem;
+	}
+
+	.hero-meta h1 {
+		margin: 0;
+		font-size: 1.75rem;
+		letter-spacing: -0.02em;
+	}
+
+	.badges {
+		display: flex;
+		flex-wrap: wrap;
+		align-items: center;
+		gap: 0.375rem;
+		font-size: 0.75rem;
+	}
+
+	.tier {
+		display: inline-flex;
+		align-items: center;
+		gap: 0.375rem;
+		padding: 0.25rem 0.625rem;
+		border-radius: 999px;
+		font-weight: 700;
+	}
+
+	.tier-dot {
+		display: inline-block;
+		width: 0.5rem;
+		height: 0.5rem;
+		border-radius: 50%;
+	}
+
+	.karma,
+	.post-count {
+		padding: 0.25rem 0.625rem;
+		border-radius: 999px;
+		background: hsl(var(--color-muted) / 0.4);
+		color: hsl(var(--color-muted-foreground));
+		font-weight: 600;
+		font-variant-numeric: tabular-nums;
+	}
+
+	.lead {
+		margin: 0;
+		font-size: 0.875rem;
+		color: hsl(var(--color-muted-foreground));
+		line-height: 1.5;
+		max-width: 60ch;
+	}
+
+	.grid {
+		display: flex;
+		flex-direction: column;
+		gap: 0.5rem;
+	}
+
+	.row {
+		display: flex;
+		flex-direction: column;
+		gap: 0.5rem;
+		padding: 0.875rem 1rem;
+		border: 1px solid hsl(var(--color-border));
+		background: hsl(var(--color-card));
+		border-radius: 0.875rem;
+		text-align: left;
+		cursor: pointer;
+		transition:
+			border-color 0.15s,
+			transform 0.15s;
+	}
+
+	.row:hover {
+		border-color: hsl(var(--color-primary) / 0.4);
+		transform: translateY(-1px);
+	}
+
+	.row-meta {
+		display: flex;
+		flex-wrap: wrap;
+		align-items: center;
+		gap: 0.375rem;
+		font-size: 0.6875rem;
+	}
+
+	.status-pill {
+		padding: 0.125rem 0.4375rem;
+		border: 1px solid currentColor;
+		border-radius: 999px;
+		font-weight: 700;
+		text-transform: uppercase;
+		letter-spacing: 0.04em;
+	}
+
+	.badge {
+		padding: 0.125rem 0.4375rem;
+		border-radius: 999px;
+		background: hsl(var(--color-muted) / 0.4);
+		font-weight: 600;
+		text-transform: uppercase;
+		letter-spacing: 0.04em;
+	}
+
+	.badge.module {
+		background: hsl(var(--color-primary) / 0.12);
+		color: hsl(var(--color-primary));
+	}
+
+	.muted {
+		color: hsl(var(--color-muted-foreground));
+		font-variant-numeric: tabular-nums;
+	}
+
+	.row-title {
+		margin: 0;
+		font-size: 0.9375rem;
+		font-weight: 700;
+	}
+
+	.row-text {
+		margin: 0;
+		font-size: 0.875rem;
+		line-height: 1.5;
+		white-space: pre-wrap;
+		word-break: break-word;
+	}
+
+	.state {
+		padding: 2rem 1rem;
+		text-align: center;
+		color: hsl(var(--color-muted-foreground));
+	}
+</style>

packages/feedback/src/EulenAvatar.svelte

@@ -0,0 +1,58 @@
+<!--
+  EulenAvatar — wraps the deterministic SVG avatar generator with sane
+  defaults for sizing and an optional name+tier-badge layout. Renders
+  inline SVG (no img-load, no flicker) — given the same display_hash
+  the same avatar appears everywhere.
+-->
+<script lang="ts">
+	import { generateAvatarSvg } from './avatar';
+
+	interface Props {
+		displayHash: string | null | undefined;
+		size?: number;
+		title?: string;
+	}
+
+	let { displayHash, size = 32, title }: Props = $props();
+
+	// Pre-compute once; same hash → same SVG, no need to re-derive on
+	// every reactive read.
+	let svg = $derived(displayHash ? generateAvatarSvg(displayHash) : null);
+</script>
+
+{#if svg}
+	<span
+		class="eulen-avatar"
+		style:width="{size}px"
+		style:height="{size}px"
+		{title}
+		aria-label={title ?? 'Avatar'}
+	>
+		{@html svg}
+	</span>
+{:else}
+	<span class="eulen-avatar fallback" style:width="{size}px" style:height="{size}px"></span>
+{/if}
+
+<style>
+	.eulen-avatar {
+		display: inline-flex;
+		align-items: center;
+		justify-content: center;
+		flex-shrink: 0;
+		border-radius: 25%;
+		overflow: hidden;
+		line-height: 0;
+		box-shadow: inset 0 0 0 1px hsl(0 0% 0% / 0.08);
+	}
+
+	.eulen-avatar :global(svg) {
+		width: 100%;
+		height: 100%;
+		display: block;
+	}
+
+	.eulen-avatar.fallback {
+		background: hsl(var(--color-muted) / 0.5);
+	}
+</style>

packages/feedback/src/api.ts

@@ -60,6 +60,13 @@ export interface PublicItemResponse {
 	replies: PublicFeedbackItem[];
 }
 
+export interface EulenProfileResponse {
+	displayHash: string;
+	displayName: string | null;
+	karma: number;
+	items: PublicFeedbackItem[];
+}
+
 export interface ReactionResponse {
 	reactions: Partial<Record<string, number>>;
 	score: number;

packages/feedback/src/avatar.ts

@@ -0,0 +1,97 @@
+/**
+ * Pixel-Identicon avatar generator — pure function, no storage.
+ *
+ * Derives a deterministic 5×5 left-mirrored pixel grid plus an HSL
+ * color from a `display_hash`, returns a self-contained SVG string.
+ * Same hash → same avatar, every time, on every device.
+ *
+ * Hash byte layout (we use the first 18 bytes / 36 hex chars):
+ *   bytes[0]      → hue        (0–360°)
+ *   bytes[1]      → saturation (50–90%)
+ *   bytes[2]      → lightness  (35–60%)
+ *   bytes[3..17]  → 15 cell on/off bits (3 cols × 5 rows, mirrored)
+ *
+ * The 5×5 grid is generated by computing the left 3 columns from the
+ * hash bits, then mirroring columns 0+1 onto 4+3 so the silhouette is
+ * always symmetric — the trick that makes Identicons feel like real
+ * faces/creatures even though they're random pixels.
+ */
+
+interface AvatarRendering {
+	cells: boolean[][]; // 5 rows × 5 cols
+	fg: string;
+	bg: string;
+}
+
+const GRID = 5;
+
+function hexToBytes(hex: string): number[] {
+	const cleaned = hex.replace(/[^0-9a-f]/gi, '');
+	const bytes: number[] = [];
+	for (let i = 0; i < cleaned.length; i += 2) {
+		bytes.push(parseInt(cleaned.slice(i, i + 2), 16) || 0);
+	}
+	return bytes;
+}
+
+function rendering(displayHash: string): AvatarRendering {
+	const bytes = hexToBytes(displayHash);
+	if (bytes.length < 18) {
+		// Pad short hashes — shouldn't happen with SHA256 (32 bytes), but
+		// defensive so the function never throws on a malformed input.
+		while (bytes.length < 18) bytes.push(0);
+	}
+
+	const hue = (bytes[0] / 255) * 360;
+	const sat = 50 + (bytes[1] / 255) * 40;
+	const light = 35 + (bytes[2] / 255) * 25;
+	const fg = `hsl(${hue.toFixed(0)}, ${sat.toFixed(0)}%, ${light.toFixed(0)}%)`;
+	const bg = `hsl(${hue.toFixed(0)}, ${sat.toFixed(0)}%, 92%)`;
+
+	const cells: boolean[][] = Array.from({ length: GRID }, () =>
+		Array.from({ length: GRID }, () => false)
+	);
+	let bitIdx = 0;
+	for (let row = 0; row < GRID; row++) {
+		for (let col = 0; col < 3; col++) {
+			const byteIdx = 3 + Math.floor(bitIdx / 8);
+			const bit = (bytes[byteIdx] >> (bitIdx % 8)) & 1;
+			const on = bit === 1;
+			cells[row][col] = on;
+			// Mirror cols 0+1 onto 4+3. Col 2 is the spine.
+			if (col < 2) cells[row][GRID - 1 - col] = on;
+			bitIdx++;
+		}
+	}
+	return { cells, fg, bg };
+}
+
+/**
+ * Render the avatar as an inline SVG string. Default 64×64 viewport.
+ * Width/height attributes are intentionally omitted so callers can
+ * size via CSS (`.avatar { width: 32px; height: 32px }` etc.).
+ */
+export function generateAvatarSvg(displayHash: string): string {
+	const { cells, fg, bg } = rendering(displayHash);
+	const rectSize = 100 / GRID;
+
+	let pixels = '';
+	for (let row = 0; row < GRID; row++) {
+		for (let col = 0; col < GRID; col++) {
+			if (!cells[row][col]) continue;
+			const x = (col * rectSize).toFixed(2);
+			const y = (row * rectSize).toFixed(2);
+			pixels += `<rect x="${x}" y="${y}" width="${rectSize.toFixed(2)}" height="${rectSize.toFixed(2)}"/>`;
+		}
+	}
+
+	return (
+		`<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100" role="img" aria-label="Avatar">` +
+		`<rect width="100" height="100" rx="14" fill="${bg}"/>` +
+		`<g fill="${fg}">${pixels}</g>` +
+		`</svg>`
+	);
+}
+
+/** Exported for tests. */
+export const __TEST__ = { rendering, hexToBytes, GRID };

packages/feedback/src/createPublicFeedbackService.ts

@@ -6,7 +6,12 @@
  * `createFeedbackService()` instead and pass a getAuthToken callback.
  */
 
-import type { PublicFeedListResponse, PublicItemResponse, FeedbackQueryParams } from './api';
+import type {
+	PublicFeedListResponse,
+	PublicItemResponse,
+	EulenProfileResponse,
+	FeedbackQueryParams,
+} from './api';
 import type { PublicFeedbackItem } from './feedback';
 import type { PublicFeedbackServiceConfig } from './types';
 
@@ -42,7 +47,11 @@ export function createPublicFeedbackService(config: PublicFeedbackServiceConfig)
 		return fetchPublic<PublicItemResponse>(`${publicEndpoint}/${id}`);
 	}
 
-	return { getFeed, getItem };
+	async function getEulenProfile(displayHash: string): Promise<EulenProfileResponse> {
+		return fetchPublic<EulenProfileResponse>(`${publicEndpoint}/eule/${displayHash}`);
+	}
+
+	return { getFeed, getItem, getEulenProfile };
 }
 
 export type PublicFeedbackService = ReturnType<typeof createPublicFeedbackService>;

packages/feedback/src/feedback.ts

@@ -54,6 +54,9 @@ export interface PublicFeedbackItem {
 	status: FeedbackStatus;
 	moduleContext: string | null;
 	parentId: string | null;
+	/** Pseudonym-ID — non-reversible SHA256(userId+secret). Stable
+	 *  across sessions, used for avatar generation and Eulen-Profil-URLs. */
+	displayHash: string;
 	displayName: string;
 	reactions: Partial<Record<string, number>>;
 	score: number;
@@ -62,6 +65,11 @@ export interface PublicFeedbackItem {
 	updatedAt: string;
 	/** Auth-only: which emojis the requesting user has reacted with. */
 	myReactions?: string[];
+	/** Auth-only + opt-in: post-author's real name when they enabled
+	 *  the Klarname-Toggle. Anonymous public-mirror NEVER includes this. */
+	realName?: string;
+	/** Author's community karma — public, drives the tier-badge. */
+	karma?: number;
 }
 
 /**
@@ -128,6 +136,34 @@ export const FEEDBACK_CATEGORY_LABELS: Record<FeedbackCategory, string> = {
 	other: 'Sonstiges',
 };
 
+/**
+ * Karma → Tier-Mapping. Bronze ist Default für jeden, Tier wird sichtbar
+ * neben dem Pseudonym in ItemCard.
+ */
+export type KarmaTier = 'bronze' | 'silver' | 'gold' | 'platinum';
+
+export const KARMA_THRESHOLDS = {
+	bronze: 0,
+	silver: 10,
+	gold: 50,
+	platinum: 200,
+} as const satisfies Record<KarmaTier, number>;
+
+export const KARMA_TIER_CONFIG: Record<KarmaTier, { label: string; emoji: string; color: string }> =
+	{
+		bronze: { label: 'Bronze', emoji: '🦉', color: '#a16207' },
+		silver: { label: 'Silver', emoji: '🦉', color: '#737373' },
+		gold: { label: 'Gold', emoji: '🦉', color: '#d97706' },
+		platinum: { label: 'Platin', emoji: '🦉', color: '#7c3aed' },
+	};
+
+export function tierFromKarma(karma: number): KarmaTier {
+	if (karma >= KARMA_THRESHOLDS.platinum) return 'platinum';
+	if (karma >= KARMA_THRESHOLDS.gold) return 'gold';
+	if (karma >= KARMA_THRESHOLDS.silver) return 'silver';
+	return 'bronze';
+}
+
 export const FEEDBACK_STATUS_CONFIG: Record<
 	FeedbackStatus,
 	{ label: string; color: string; icon: string }

packages/feedback/src/index.ts

@@ -15,12 +15,16 @@ export {
 	type Feedback,
 	type FeedbackNotification,
 	type NotificationKind,
+	type KarmaTier,
 	type PublicFeedbackItem,
 	type ReactionEmoji,
 	REACTION_EMOJIS,
 	REACTION_LABELS,
 	FEEDBACK_CATEGORY_LABELS,
 	FEEDBACK_STATUS_CONFIG,
+	KARMA_THRESHOLDS,
+	KARMA_TIER_CONFIG,
+	tierFromKarma,
 } from './feedback';
 
 export {
@@ -30,6 +34,7 @@ export {
 	type FeedbackListResponse,
 	type PublicFeedListResponse,
 	type PublicItemResponse,
+	type EulenProfileResponse,
 	type ReactionResponse,
 	type AdminPatchInput,
 	type ReactInput,
@@ -43,5 +48,9 @@ export {
 } from './createPublicFeedbackService';
 export type { FeedbackServiceConfig, PublicFeedbackServiceConfig } from './types';
 
+// Avatar
+export { generateAvatarSvg } from './avatar';
+
 // UI Components
 export { default as ReactionBar } from './ReactionBar.svelte';
+export { default as EulenAvatar } from './EulenAvatar.svelte';

services/mana-analytics/src/db/schema/auth-users.ts

@@ -0,0 +1,22 @@
+/**
+ * Read-only cross-schema view of auth.users for the public-community
+ * hub. mana-auth owns the table; we JOIN it from mana-analytics to
+ * enrich feed responses with the post-author's real-name opt-in and
+ * karma score. We never INSERT/UPDATE/DELETE here — that's
+ * mana-auth's job.
+ *
+ * The full auth.users schema is defined in
+ * services/mana-auth/src/db/schema/auth.ts; this file declares just
+ * the columns mana-analytics actually reads.
+ */
+
+import { pgSchema, text, boolean, integer } from 'drizzle-orm/pg-core';
+
+const authSchema = pgSchema('auth');
+
+export const authUsers = authSchema.table('users', {
+	id: text('id').primaryKey(),
+	name: text('name').notNull(),
+	communityShowRealName: boolean('community_show_real_name').default(false).notNull(),
+	communityKarma: integer('community_karma').default(0).notNull(),
+});

services/mana-analytics/src/routes/feedback.ts

@@ -44,6 +44,7 @@ export function createFeedbackRoutes(feedbackService: FeedbackService) {
 			status,
 			limit,
 			offset,
+			includeRealName: true,
 		});
 
 		const enriched = await Promise.all(
@@ -87,7 +88,7 @@ export function createFeedbackRoutes(feedbackService: FeedbackService) {
 	});
 
 	r.get('/:id/replies', async (c) => {
-		return c.json(await feedbackService.getReplies(c.req.param('id')));
+		return c.json(await feedbackService.getReplies(c.req.param('id'), { includeRealName: true }));
 	});
 
 	// ── Reactions ─────────────────────────────────────────────────────

services/mana-analytics/src/routes/public.ts

@@ -33,6 +33,15 @@ export function createPublicFeedbackRoutes(feedbackService: FeedbackService) {
 		return c.json({ items });
 	});
 
+	r.get('/eule/:hash', async (c) => {
+		const hash = c.req.param('hash');
+		// Display-hashes are 64-char hex (SHA256) — bail early on garbage.
+		if (!/^[0-9a-f]{32,64}$/i.test(hash)) {
+			return c.json({ error: 'invalid display_hash' }, 400);
+		}
+		return c.json(await feedbackService.getEulenProfile(hash));
+	});
+
 	r.get('/:id', async (c) => {
 		const item = await feedbackService.getPublicItem(c.req.param('id'));
 		if (!item) return c.json({ error: 'Not found' }, 404);

services/mana-analytics/src/services/feedback.ts

@@ -19,6 +19,7 @@ import {
 	feedbackGrantLog,
 	feedbackNotifications,
 } from '../db/schema/feedback';
+import { authUsers } from '../db/schema/auth-users';
 import type { Database } from '../db/connection';
 import { NotFoundError, BadRequestError } from '../lib/errors';
 import { createDisplayHash, generateDisplayName } from '../lib/pseudonym';
@@ -65,14 +66,32 @@ export type PublicFeedbackItem = {
 	status: string;
 	moduleContext: string | null;
 	parentId: string | null;
+	/** Public Pseudonym ID — SHA256 of userId+secret, one-way and
+	 *  safe to expose. Used for avatar generation and Eulen-Profil-URLs. */
+	displayHash: string;
 	displayName: string;
 	reactions: Record<string, number>;
 	score: number;
 	adminResponse: string | null;
 	createdAt: Date;
 	updatedAt: Date;
+	/** Author's community karma (public, drives tier-badge). */
+	karma: number;
+	/** Real name, only present when:
+	 *  - the post-author opted in via communityShowRealName=true, AND
+	 *  - the response is going to an authenticated caller (the
+	 *    anonymous /public endpoint always strips this).
+	 */
+	realName?: string;
 };
 
+type FeedbackRow = typeof userFeedback.$inferSelect;
+type AuthUserRow = {
+	name: string;
+	communityShowRealName: boolean;
+	communityKarma: number;
+} | null;
+
 export class FeedbackService {
 	constructor(
 		private db: Database,
@@ -213,9 +232,18 @@ export class FeedbackService {
 			status?: string;
 			limit?: number;
 			offset?: number;
+			includeRealName?: boolean;
 		} = {}
 	): Promise<PublicFeedbackItem[]> {
-		const { appId, moduleContext, category, status, limit = 50, offset = 0 } = opts;
+		const {
+			appId,
+			moduleContext,
+			category,
+			status,
+			limit = 50,
+			offset = 0,
+			includeRealName = false,
+		} = opts;
 
 		const conditions = [eq(userFeedback.isPublic, true), isNull(userFeedback.parentId)];
 		if (appId) conditions.push(eq(userFeedback.appId, appId));
@@ -224,34 +252,84 @@ export class FeedbackService {
 		if (status) conditions.push(eq(userFeedback.status, status as any));
 
 		const rows = await this.db
-			.select()
+			.select({ feedback: userFeedback, author: this.authorSelection() })
 			.from(userFeedback)
+			.leftJoin(authUsers, eq(authUsers.id, userFeedback.userId))
 			.where(and(...conditions))
 			.orderBy(desc(userFeedback.score), desc(userFeedback.createdAt))
 			.limit(limit)
 			.offset(offset);
 
-		return rows.map(redact);
+		return rows.map((r) => redact(r.feedback, r.author, { includeRealName }));
 	}
 
 	/** Replies for a single parent item (1-level threading). */
-	async getReplies(parentId: string): Promise<PublicFeedbackItem[]> {
+	async getReplies(
+		parentId: string,
+		opts: { includeRealName?: boolean } = {}
+	): Promise<PublicFeedbackItem[]> {
 		const rows = await this.db
-			.select()
+			.select({ feedback: userFeedback, author: this.authorSelection() })
 			.from(userFeedback)
+			.leftJoin(authUsers, eq(authUsers.id, userFeedback.userId))
 			.where(and(eq(userFeedback.parentId, parentId), eq(userFeedback.isPublic, true)))
 			.orderBy(userFeedback.createdAt);
-		return rows.map(redact);
+		return rows.map((r) =>
+			redact(r.feedback, r.author, { includeRealName: opts.includeRealName ?? false })
+		);
+	}
+
+	/**
+	 * Public Eulen-Profil — alle public-Posts unter dem display_hash plus
+	 * aggregierte Karma vom Author. Liefert auch ein leeres Array (kein
+	 * Throw), wenn der Hash nirgends auftaucht; das macht das Frontend
+	 * easier (keine 404-Race auf dynamic IDs).
+	 */
+	async getEulenProfile(displayHash: string): Promise<{
+		displayHash: string;
+		displayName: string | null;
+		karma: number;
+		items: PublicFeedbackItem[];
+	}> {
+		const rows = await this.db
+			.select({ feedback: userFeedback, author: this.authorSelection() })
+			.from(userFeedback)
+			.leftJoin(authUsers, eq(authUsers.id, userFeedback.userId))
+			.where(and(eq(userFeedback.displayHash, displayHash), eq(userFeedback.isPublic, true)))
+			.orderBy(desc(userFeedback.createdAt))
+			.limit(200);
+
+		const items = rows.map((r) => redact(r.feedback, r.author, { includeRealName: false }));
+		const displayName = items[0]?.displayName ?? null;
+		const karma = rows[0]?.author?.communityKarma ?? 0;
+
+		return { displayHash, displayName, karma, items };
 	}
 
 	/** Single public item by id. Returns null if not found / not public. */
-	async getPublicItem(id: string): Promise<PublicFeedbackItem | null> {
+	async getPublicItem(
+		id: string,
+		opts: { includeRealName?: boolean } = {}
+	): Promise<PublicFeedbackItem | null> {
 		const [row] = await this.db
-			.select()
+			.select({ feedback: userFeedback, author: this.authorSelection() })
 			.from(userFeedback)
+			.leftJoin(authUsers, eq(authUsers.id, userFeedback.userId))
 			.where(and(eq(userFeedback.id, id), eq(userFeedback.isPublic, true)))
 			.limit(1);
-		return row ? redact(row) : null;
+		return row
+			? redact(row.feedback, row.author, { includeRealName: opts.includeRealName ?? false })
+			: null;
+	}
+
+	/** Selection helper — picks the auth-user columns we need. Drizzle
+	 *  treats the missing-author case (deleted user, FK orphan) as null. */
+	private authorSelection() {
+		return {
+			name: authUsers.name,
+			communityShowRealName: authUsers.communityShowRealName,
+			communityKarma: authUsers.communityKarma,
+		};
 	}
 
 	// ── Authenticated reads ───────────────────────────────────────────
@@ -273,9 +351,10 @@ export class FeedbackService {
 	 */
 	async getMyReactedItems(userId: string, limit = 100): Promise<PublicFeedbackItem[]> {
 		const rows = await this.db
-			.selectDistinct({ feedback: userFeedback })
+			.selectDistinct({ feedback: userFeedback, author: this.authorSelection() })
 			.from(feedbackReactions)
 			.innerJoin(userFeedback, eq(feedbackReactions.feedbackId, userFeedback.id))
+			.leftJoin(authUsers, eq(authUsers.id, userFeedback.userId))
 			.where(
 				and(
 					eq(feedbackReactions.userId, userId),
@@ -286,7 +365,7 @@ export class FeedbackService {
 			.orderBy(desc(userFeedback.updatedAt))
 			.limit(limit);
 
-		return rows.map((r) => redact(r.feedback));
+		return rows.map((r) => redact(r.feedback, r.author, { includeRealName: true }));
 	}
 
 	/** Map of emoji → boolean for the requesting user on a feedback item. */
@@ -315,14 +394,20 @@ export class FeedbackService {
 			throw new BadRequestError(`Unsupported emoji: ${emoji}`);
 		}
 
-		// Ensure target item exists.
+		// Ensure target item exists + grab the author for karma tracking.
 		const [item] = await this.db
-			.select({ id: userFeedback.id })
+			.select({ id: userFeedback.id, authorId: userFeedback.userId })
 			.from(userFeedback)
 			.where(eq(userFeedback.id, feedbackId))
 			.limit(1);
 		if (!item) throw new NotFoundError('Feedback not found');
 
+		// Karma is per-react (not per-author-per-user). Self-reactions
+		// don't count — that would be self-promotion. Founder users also
+		// don't farm karma off each other since they tend to react on
+		// their own things; the author check below handles both cases.
+		const counts = item.authorId !== userId;
+
 		// Try to insert (react). If conflicting → user already reacted, so unreact.
 		const inserted = await this.db
 			.insert(feedbackReactions)
@@ -347,6 +432,21 @@ export class FeedbackService {
 			userHasReacted = true;
 		}
 
+		// Author karma: +1 on react, -1 on unreact (per emoji-toggle).
+		// Skipped when the reactor is the author themselves so people
+		// can't farm karma off their own posts. Floor-clamped at 0 so
+		// edge-cases (e.g. author deletes the row externally) don't go
+		// negative.
+		if (counts && item.authorId) {
+			const delta = userHasReacted ? 1 : -1;
+			await this.db
+				.update(authUsers)
+				.set({
+					communityKarma: sql`GREATEST(${authUsers.communityKarma} + ${delta}, 0)`,
+				})
+				.where(eq(authUsers.id, item.authorId));
+		}
+
 		// Recompute aggregated reactions + score for this item.
 		const aggregated = await this.recomputeReactions(feedbackId);
 		return { ...aggregated, userHasReacted };
@@ -643,8 +743,13 @@ export class FeedbackService {
 }
 
 /** Strips userId / displayHash / deviceInfo from a row. */
-function redact(row: typeof userFeedback.$inferSelect): PublicFeedbackItem {
+function redact(
-	return {
+	row: FeedbackRow,
+	author: AuthUserRow = null,
+	options: { includeRealName?: boolean } = {}
+): PublicFeedbackItem {
+	const includeReal = options.includeRealName ?? false;
+	const item: PublicFeedbackItem = {
 		id: row.id,
 		appId: row.appId,
 		title: row.title,
@@ -653,13 +758,21 @@ function redact(row: typeof userFeedback.$inferSelect): PublicFeedbackItem {
 		status: row.status,
 		moduleContext: row.moduleContext,
 		parentId: row.parentId,
+		// displayHash is the public Pseudonym-ID. One-way (SHA256 of
+		// userId+secret), safe to expose; userId itself never leaves.
+		displayHash: row.displayHash ?? '',
 		displayName: row.displayName ?? 'Anonym',
 		reactions: (row.reactions as Record<string, number>) ?? {},
 		score: row.score,
 		adminResponse: row.adminResponse,
 		createdAt: row.createdAt,
 		updatedAt: row.updatedAt,
+		karma: author?.communityKarma ?? 0,
 	};
+	if (includeReal && author?.communityShowRealName && author.name) {
+		item.realName = author.name;
+	}
+	return item;
 }
 
 export { ALLOWED_EMOJIS, REACTION_WEIGHTS };

services/mana-auth/sql/008_community_identity.sql

@@ -0,0 +1,20 @@
+-- 008_community_identity.sql
+--
+-- Phase 3.C von docs/plans/feedback-rewards-and-identity.md.
+--
+-- Community-Hub Opt-Ins für jeden User:
+--  - community_show_real_name: legt offen, ob der echte name neben
+--    der eulen-pseudonym im community-feed angezeigt wird (default off).
+--  - community_karma: counter — eine pro Reaction die jemand auf einen
+--    eigenen Post macht. Treibt die Bronze/Silver/Gold/Platin-Tier-Badge.
+--
+-- Apply manually:
+--   psql "$DATABASE_URL" -f services/mana-auth/sql/008_community_identity.sql
+
+BEGIN;
+
+ALTER TABLE auth.users
+	ADD COLUMN IF NOT EXISTS community_show_real_name boolean NOT NULL DEFAULT false,
+	ADD COLUMN IF NOT EXISTS community_karma integer NOT NULL DEFAULT 0;
+
+COMMIT;

services/mana-auth/src/db/schema/auth.ts

@@ -53,6 +53,14 @@ export const users = authSchema.table('users', {
 	// → Look → Templates). The flow is skippable, but even a skip sets
 	// this timestamp so we don't re-prompt. See docs/plans/onboarding-flow.md.
 	onboardingCompletedAt: timestamp('onboarding_completed_at', { withTimezone: true }),
+	// Community-Hub identity opt-ins (Phase 3.C of feedback-rewards-and-identity).
+	// Off by default — users stay anonymous as their tier-pseudonym ("Wachsame
+	// Eule #4528"). Opt-in shows the real `name` next to the pseudonym in the
+	// auth-required community feed only; the public-mirror NEVER exposes it.
+	communityShowRealName: boolean('community_show_real_name').default(false).notNull(),
+	// Karma += 1 per reaction received from another user, decremented on unreact.
+	// Drives the public Bronze/Silver/Gold/Platinum-Eulen tier badge.
+	communityKarma: integer('community_karma').default(0).notNull(),
 });
 
 // Sessions table (Better Auth schema)

services/mana-auth/src/routes/me.ts

@@ -72,9 +72,15 @@ export function createMeRoutes(userDataService: UserDataService, db: Database) {
 				const body = (await c.req.json().catch(() => ({}))) as {
 					name?: unknown;
 					image?: unknown;
+					communityShowRealName?: unknown;
 				};
 
-				const patch: { name?: string; image?: string; updatedAt: Date } = {
+				const patch: {
+					name?: string;
+					image?: string;
+					communityShowRealName?: boolean;
+					updatedAt: Date;
+				} = {
 					updatedAt: new Date(),
 				};
 				if (typeof body.name === 'string') {
@@ -87,8 +93,11 @@ export function createMeRoutes(userDataService: UserDataService, db: Database) {
 				if (typeof body.image === 'string') {
 					patch.image = body.image;
 				}
+				if (typeof body.communityShowRealName === 'boolean') {
+					patch.communityShowRealName = body.communityShowRealName;
+				}
 
-				if (!('name' in patch) && !('image' in patch)) {
+				if (!('name' in patch) && !('image' in patch) && !('communityShowRealName' in patch)) {
 					return c.json({ error: 'no fields to update' }, 400);
 				}
 
@@ -96,10 +105,19 @@ export function createMeRoutes(userDataService: UserDataService, db: Database) {
 					.update(users)
 					.set(patch)
 					.where(eq(users.id, user.userId))
-					.returning({ id: users.id, name: users.name, image: users.image });
+					.returning({
+						id: users.id,
+						name: users.name,
+						image: users.image,
+						communityShowRealName: users.communityShowRealName,
+					});
 
 				if (!updated) return c.json({ error: 'User not found' }, 404);
-				return c.json({ name: updated.name, image: updated.image });
+				return c.json({
+					name: updated.name,
+					image: updated.image,
+					communityShowRealName: updated.communityShowRealName,
+				});
 			})
 	);
 }