fix(security): PR-P G-22 + G-26 — minor polish (origin check, parent 403)

G-22 — same-origin check on `/api/lang`.
Lang switch isn't destructive but a CSRF-flipped cookie produces a
confusing locale flicker for the victim user. Reads the `Origin`
header (set by every modern browser for fetch/XHR) and rejects
mismatched origins with 403 `cross-origin`. Missing-origin requests
(curl, server-side scripts) still pass since the operation is
low-stakes — strict mode would block dev/test tooling.

G-26 — explicit 403 explainer on `/parent/[username]` for non-parent
visitors. Was `notFound()` (generic "page doesn't exist"); now
renders a clear "you're not linked to this child" card with a CTA
back to /rodzic to request an invite. Per-locale strings inline (PL/
UK/CS/EN) — small enough to skip the dict pipeline.

G-11 / G-17 / G-23 / G-24 — audit-only or covered elsewhere:
- G-11 6 production-leak TODOs reviewed — `lib/web3/client.ts:37,54`
  (subgraph + mint stubs) stay until web3 flag flips on; PDF export
  hint in `app/class/[code]/page.tsx:39` and the V5 stats TODO in
  `lib/class-roster.ts:40` are documented backlog items, not
  immediate bugs.
- G-17 PKO over-branding on /o-platforme — sponsorsThanks line is
  the dominant remaining mention; reduce was bundled implicitly
  with G-05 cleanup.
- G-23 useEffect cleanup spot-check — sample of 5 components
  audited, all have `clearTimeout` / `clearInterval` in cleanup.
- G-24 footer compare-loans link cleanup — already shipped with
  G-02 (footer HELP_LABELS migration to /miasto#hypoteka).

Validation:
- pnpm typecheck → 0 errors
- pnpm test → 719/719
- pnpm lint → 0 errors, 31 warnings (+2 vs baseline; both pre-existing
  pattern matches for set-state-in-effect on new ContactForm
  state setters — Pass-11 polish)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: B2JK-Industry

app/api/lang/route.ts

@@ -4,6 +4,28 @@ import { revalidatePath } from "next/cache";
 import { LANGS, COOKIE_NAME, type Lang } from "@/lib/i18n";
 
 export async function POST(req: NextRequest) {
+  // G-22 — same-origin check. Lang switch isn't destructive but a
+  // CSRF-flipped cookie produces a confusing locale flicker for the
+  // victim user. Origin header is set by every modern browser for
+  // fetch/XHR; missing-origin requests (e.g. curl) still pass
+  // since the operation is low-stakes — strict-strict mode would
+  // block legit dev/test tooling. Mismatched origin → 403.
+  const origin = req.headers.get("origin");
+  if (origin) {
+    try {
+      if (new URL(origin).host !== new URL(req.url).host) {
+        return Response.json(
+          { ok: false, error: "cross-origin" },
+          { status: 403 },
+        );
+      }
+    } catch {
+      return Response.json(
+        { ok: false, error: "bad-origin" },
+        { status: 403 },
+      );
+    }
+  }
   const body = (await req.json().catch(() => ({}))) as { lang?: string };
   const lang = body.lang;
   if (!lang || !(LANGS as readonly string[]).includes(lang)) {

app/parent/[username]/page.tsx

@@ -1,4 +1,5 @@
-import { notFound, redirect } from "next/navigation";
+import Link from "next/link";
+import { redirect } from "next/navigation";
 import { getSession } from "@/lib/session";
 import { getLang } from "@/lib/i18n-server";
 import { isParentOf, readChildParentPrivacy } from "@/lib/roles";
@@ -22,7 +23,46 @@ export default async function ParentChildView({
     getLang(),
   ]);
   if (!session) redirect("/login");
-  if (!(await isParentOf(session.username, username))) notFound();
+  // G-26 — explicit 403 explainer instead of generic notFound(). The
+  // page renders to authenticated parents only; a wrong username or
+  // a yet-unlinked relationship deserves a clear "request invite"
+  // pointer, not a confusing "page doesn't exist".
+  if (!(await isParentOf(session.username, username))) {
+    const t = {
+      pl: {
+        title: "Brak dostępu do tego profilu",
+        body: "Nie jesteś powiązany z tym kontem dziecka. Jeśli chcesz uzyskać dostęp, poproś o zaproszenie z poziomu sekcji Rodzic.",
+        cta: "Panel rodzica",
+      },
+      uk: {
+        title: "Немає доступу до цього профілю",
+        body: "Ти не пов'язаний з цим дитячим акаунтом. Запроси доступ через панель Батьки.",
+        cta: "Панель батьків",
+      },
+      cs: {
+        title: "Nemáš přístup k tomuto profilu",
+        body: "Nejsi propojen s tímto dětským účtem. Požádej o pozvánku v sekci Rodič.",
+        cta: "Panel rodiče",
+      },
+      en: {
+        title: "No access to this profile",
+        body: "You're not linked to this child account. Request an invite from the Parent dashboard.",
+        cta: "Parent dashboard",
+      },
+    }[lang];
+    return (
+      <main className="max-w-xl mx-auto py-12 flex flex-col items-center gap-4 text-center animate-slide-up">
+        <span aria-hidden className="text-5xl">
+          🚫
+        </span>
+        <h1 className="t-h2 text-[var(--accent)]">{t.title}</h1>
+        <p className="text-[var(--ink-muted)] max-w-md">{t.body}</p>
+        <Link href="/rodzic" className="btn btn-primary">
+          {t.cta}
+        </Link>
+      </main>
+    );
+  }
   const privacy = await readChildParentPrivacy(username);
   const [state, stats, achievements] = await Promise.all([
     getPlayerState(username),