I asked Claude to have a look:

I'll review the diff focusing on the message files for translations and naming issues.

This is a one-shot review, so tasks aren't needed. Continuing the review.

Now I have enough to give a complete review. Here are the issues I found, focused on the message/translation files:

Issues Found

Patch 13 (replace-stale-credential)

1. Swedish — incoherent button translation

In both [sv/.../passkeys/replace-stale-credential/messages](src/identity-server/messages/core/sv/authenticator/passkeys/replace-stale-credential/messages) and [sv/.../webauthn/replace-stale-credential/messages](src/identity-server/messages/core/sv/authenticator/webauthn/replace-stale-credential/messages):

view.button.register=Registrera fler enheter

This means "Register more devices" (plural), but the English source says "Register new device" (singular). The existing webauthn/register/messages uses Registrera ny enhet (line 12-13 of the existing file) — that's the correct phrasing here.

2. Swedish — vocabulary inconsistency ("nyckel" vs "passkey")

view.description=Din nyckel är inte längre giltig ...

English uses "passkey" throughout, but the Swedish description translates it as just "nyckel" ("key"). Other parts of the codebase keep it as passkey (e.g., view.button.any-attachment=Fortsätt med en passkey). Should be aligned.

3. Portuguese — pt-pt is actually Brazilian Portuguese

[pt-pt/.../passkeys/replace-stale-credential/messages](src/identity-server/messages/core/pt-pt/authenticator/passkeys/replace-stale-credential/messages) is identical to the pt file and uses Brazilian spelling (registrar instead of European registar; Você deve instead of impersonal). This mirrors a pre-existing pattern in the repo (the existing pt and pt-pt webauthn/register/messages files are also byte-identical), so not strictly a regression — but worth flagging because the patch perpetuates it.

Patch 14 (*-success pages)

4. MAJOR — all non-English translations are missing

All 12 non-English message files (pt, pt-pt, sv × {passkeys, webauthn} × {replace-stale-credential-success, replace-previous-username-bound-credential-success}) contain the English source text verbatim. The files exist under language-specific directories but the content was never translated. Example — [sv/.../webauthn/replace-stale-credential-success/messages](src/identity-server/messages/core/sv/authenticator/webauthn/replace-stale-credential-success/messages):

view.description=Your new passkey has been registered successfully. ...
view.button.continue=Continue

This is the "wrong file names" issue — files placed in pt/, pt-pt/, sv/ directories but containing English content.

5. Orphan message files for replace-previous-username-bound-credential-success

The patch adds message files for path replace-previous-username-bound-credential-success (8 files across passkeys/webauthn and 4 langs) but creates no templates for that path. The templates added are only replace-stale-credential-success/get.vm for passkeys and webauthn. Either:

• a replace-previous-username-bound-credential-success/get.vm template is missing for both authenticators, or
• these 8 message files are dead and should be removed.

Also note: there's no replace-previous-username-bound-credential/ directory (without -success) — only the -success variant. So the "previous-username-bound" flow appears to have only a landing/success page and no entry page, while replace-stale-credential has both. This asymmetry suggests something is incomplete.

Minor

6. Copyright header drift

All new message files (patches 13 and 14) say Copyright (C) 2024 Curity AB, even though the commits are dated Feb–May 2026. Existing files in the repo use the year of authorship — should be 2026.