Consolidated from the 2026-06-02 UI/UX review (the EN/TR toggle VL-1 and the missing common.* i18n keys are already FIXED on origin/main — verified — so they're excluded). Still-open polish:
Autofill / a11y (password-manager + mobile autofill):
- verify identifier field (`LoginMfaFlow`) lacks `name`/`autoComplete="email"`/`aria-label` (the dashboard field sets all three).
- shared `PasswordStep` sets `name` but no `autoComplete="current-password"`.
- OTP steps (`EmailOtpStep`/`SmsOtpStep`/`TotpStep`) lack `autoComplete="one-time-code"` → iOS/Android won't surface the SMS/email autofill chip.
- verify `/favicon.{ico,svg}` 404s.
AuthFlowBuilder affordances:
- "Operation Type" dropdown is prominent but only categorizes (never injects/locks a step) → demote to a chip/helper-text or move to Advanced.
- Layers can't be reordered (no up/down) → add renumbering arrows.
- per-layer `timeout`/`maxAttempts` are hardcoded (120s/3) with no UI → add an Advanced disclosure.
All low-risk UX; no security impact.