cms: headless CMS vor Hugo (Supabase + Node-API + React-Admin)

All-in-One docker-compose-Stack (Muster von RAPPORT-SERVER gespiegelt):
db/auth/rest/kong + cms-Service (Node-API + Hugo-Binary 0.161.1 + Admin-SPA).

- DB-backed: posts-Tabelle kanonisch, MD ist generiertes Artefakt
- echte Hugo-Vorschau via draft:true + --buildDrafts → /_preview
- Publish: DB → content/library/<section>/<slug>.md → hugo build → live
- Bild-Upload nach static/images/, Supabase-Auth schützt /api/*
- Proxmox-LXC-Script: legt Container an, generiert Secrets, startet Stack

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

cms/api/src/auth.js

@@ -0,0 +1,15 @@
+import { supabase } from './supabase.js';
+
+// Verifiziert den Supabase-Access-Token aus dem Authorization-Header gegen den
+// Supabase-Auth-Server. Schützt alle /api/* ausser /api/health.
+export async function requireAuth(c, next) {
+  const header = c.req.header('Authorization') || '';
+  const token = header.startsWith('Bearer ') ? header.slice(7) : null;
+  if (!token) return c.json({ error: 'Nicht eingeloggt' }, 401);
+
+  const { data, error } = await supabase.auth.getUser(token);
+  if (error || !data?.user) return c.json({ error: 'Ungültiges Token' }, 401);
+
+  c.set('user', data.user);
+  await next();
+}