Lock display names at registration

TESTS.md

@@ -7,7 +7,7 @@ Purpose: full coverage of backend + critical UI flows using a mock (in-memory) S
 | Role | Suggest phase | Vote phase | Results phase | Anytime |
 | --- | --- | --- | --- | --- |
 | Unauthenticated visitor | No API access; only static assets | — | — | Health check only |
-| Player (non-admin) | Create/see own suggestions (≤5), edit all fields, delete own; can advance to Vote; title locks after leaving phase | View all suggestions, vote 0–10, finalize/unfinalize, use joker once to add a game; cannot go backward | Read leaderboard only when resultsOpen=true; no writes | Login/logout, set display name, read /state and /me |
+| Player (non-admin) | Create/see own suggestions (≤5), edit all fields, delete own; can advance to Vote; title locks after leaving phase | View all suggestions, vote 0–10, finalize/unfinalize, use joker once to add a game; cannot go backward | Read leaderboard only when resultsOpen=true; no writes | Login/logout, read /state and /me |
 | Admin (isAdmin=true) | Same as player; may edit/delete any suggestion | All player actions; may grant jokers, link/unlink games, delete players | Open/close results; sees leaderboard like player | Toggle results, reset/factory-reset DB, fetch vote status, move self backward |
 
 ## Phase/Permission Chart (for tests)
@@ -43,7 +43,7 @@ stateDiagram-v2
 - GetPhase auto-upgrades legacy Reveal -> Vote and realigns when resultsOpen toggles (to Results and back to Vote clearing votesFinal).
 - /me/phase/next: moves Suggest->Vote, Vote->Results only when resultsOpen true; clears votesFinal; rejects when results locked.
 - /me/phase/prev: admin only; moves back one step, clears votesFinal, rejects for player.
-- /me/name: trims/limits to 16, rejects blank; persists change.
+- Display name is immutable after registration; attempts to change via /api/me/name return 404.
 
 ### 3) Suggestions
 - GET /mine returns only caller’s suggestions ordered by CreatedAt.