content: Datenschutz-Seite + Footer-Link

Deutsche Datenschutzerklärung an die tatsächliche Praxis angepasst (self-hosted, keine Tracker/Analytics, Server-Logs nur technisch, Dialog-Konto mit E-Mail/Name, revDSG-Rechte, EDÖB). Footer: Datenschutz neben Kontakt/Impressum. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
ui: Uhr-Icon explizit terracotta (Akzent), weiß beim Hover
2026-06-02 05:11:10 +02:00 · 2026-06-02 04:03:07 +02:00 · 2026-06-02 03:18:13 +02:00 · 2026-06-02 03:11:39 +02:00 · 2026-06-02 02:54:16 +02:00 · 2026-06-02 02:19:27 +02:00
84 changed files with 9927 additions and 417 deletions
@@ -1,5 +1,6 @@
 # Hugo
 /public/
+/preview/
 /resources/
 .hugo_build.lock
 hugo_stats.json
@@ -8,6 +9,9 @@ hugo_stats.json
 .DS_Store
 **/.DS_Store

+# Node (CMS)
+node_modules/
+
 # Editors
 .vscode/
 .idea/
@@ -18,3 +22,6 @@ hugo_stats.json
 .env
 .env.local
 hugo.local.yaml
+
+# DB-Backups (Dialog-Daten-Dumps)
+backups/
@@ -0,0 +1,41 @@
+# Kopiere nach .env und ersetze die markierten Werte. Niemals committen.
+
+# ═══ Pflicht: Secrets ═══
+# Zufallswerte: openssl rand -hex 32
+POSTGRES_PASSWORD=CHANGE-ME-mindestens-32-zufällige-zeichen
+JWT_SECRET=CHANGE-ME-mindestens-32-zufällige-zeichen
+# Aus JWT_SECRET ableiten: node scripts/generate-keys.mjs
+ANON_KEY=CHANGE-ME-aus-jwt-secret-abgeleitet
+SERVICE_ROLE_KEY=CHANGE-ME-aus-jwt-secret-abgeleitet
+
+# ═══ Pflicht: URLs ═══
+# Nur LAN:        SITE_URL=http://192.168.1.50:8080
+# Via Proxy:      SITE_URL=https://openbureau.ch
+SITE_URL=http://localhost:8080
+# Öffentliche Supabase-Adresse (Browser/Admin erreichen Kong hierüber).
+API_EXTERNAL_URL=http://localhost:8000
+
+# ═══ Rechte: wer ist Admin (sieht/bearbeitet ALLE Beiträge)? ═══
+# Komma-getrennte E-Mails. Alle anderen sehen nur Einträge, in denen ihre Mail
+# unter `authors` steht.
+ADMIN_EMAILS=karim@gabrielevarano.ch
+
+# ═══ Optional: Ports & Binding ═══
+# Auf welcher Host-Adresse lauschen die veröffentlichten Ports?
+#   127.0.0.1 (Standard) = nur lokal / hinter Reverse-Proxy mit TLS (empfohlen).
+#   0.0.0.0              = direkt im LAN erreichbar (ohne Proxy).
+# Bei 127.0.0.1 muss SITE_URL/API_EXTERNAL_URL über den Proxy laufen, sonst
+# erreicht der Browser :8000/:8080 nicht.
+BIND_ADDR=127.0.0.1
+APP_PORT=8080          # CMS: Site + /admin + /_preview + /api
+KONG_HTTP_PORT=8000    # Supabase-API-Gateway
+KONG_HTTPS_PORT=8443
+DB_PORT=5432
+
+# ═══ Optional: Git-Backup beim Publish ═══
+# true = CMS committet generierte MD nach Gitea (History + Notausgang).
+GIT_PUBLISH=false
+GIT_REMOTE=origin
+GIT_BRANCH=main
+GIT_AUTHOR_NAME=OPENBUREAU CMS
+GIT_AUTHOR_EMAIL=cms@openbureau.ch
@@ -0,0 +1,200 @@
+# OPENBUREAU CMS
+
+Headless CMS vor der Hugo-Engine. Hugo bleibt die Render-Engine; dieser Stack
+schreibt Content aus Supabase in `content/*.md`, baut die Site und serviert sie.
+
+## Architektur
+
+**Ein** docker-compose-Stack / ein LXC (Muster gespiegelt von RAPPORT-SERVER):
+
+```
+docker compose
+├── db        supabase/postgres   ← posts-Tabelle (schema.sql)
+├── auth      gotrue              ← Login
+├── rest      postgrest           ← supabase-js liest/schreibt posts
+├── kong      :8000               ← API-Gateway (/auth/v1, /rest/v1)
+└── cms       :8080  Node + Hugo-Binary + Admin-SPA
+                     ├─ /          live (public/)
+                     ├─ /_preview  Vorschau (preview/, --buildDrafts)
+                     ├─ /admin     React-Editor
+                     └─ /api       Backend (mountet Repo unter /site)
+```
+
+- **cms** hält das Hugo-Binary (0.161.1 extended, = lokal), mountet das Repo-Root
+  unter `/site`, serviert die Site selbst (kein separater nginx).
+- Server-seitig spricht `cms` Supabase intern über `http://kong:8000` (Service-Key);
+  die Admin-SPA nutzt browser-seitig `API_EXTERNAL_URL` + `ANON_KEY`.
+- **Abweichung von RAPPORT:** `realtime` + `storage` weggelassen (nutzt das CMS
+  nicht — Bild-Uploads gehen auf Platte nach `static/images/`). Nachrüstbar durch
+  Kopieren der Service-Blöcke aus RAPPORT-SERVER.
+
+## Quelle der Wahrheit: die `.md`-Dateien
+
+Dateibasiert. Die echten `content/**/*.md` sind kanonisch — das CMS liest und
+schreibt sie direkt (Frontmatter via gray-matter). Damit erscheinen **alle**
+bestehenden Inhalte im Editor: Beiträge (`library/<rubrik>/…`), Seiten
+(`manifest.md`, `colophon.md`) und Rubriken (`_index.md`).
+
+Supabase wird **nur noch für den Login** (GoTrue) gebraucht — keine Posts in der
+DB. Drafts liegen als `draft: true` in der Datei; der Live-Build lässt sie aus,
+der Preview-Build (`--buildDrafts`) zeigt sie.
+
+## Rechte & Kollaboration
+
+- **Admin** (E-Mails in `ADMIN_EMAILS`) sieht und bearbeitet **alle** Einträge.
+- **Autor:innen** sehen nur Einträge, in denen ihre Mail unter `authors:` steht.
+  Beim Anlegen wird der Ersteller automatisch eingetragen.
+- **Kollaboration**: im Editor weitere E-Mails ins Feld „Autor:innen" → beide
+  haben Zugriff auf denselben Beitrag.
+- Bestehende Beiträge/Seiten/Rubriken **ohne** `authors:` sind nur für Admins
+  sichtbar; ein Admin kann Autor:innen zuweisen, um sie freizugeben.
+- Hinweis: `authors:` landet im Frontmatter (öffentliches Repo) — also E-Mails,
+  die du dort einträgst, sind im Repo sichtbar.
+
+## Setup
+
+### Schnellweg: Proxmox-LXC
+
+`proxmox/create-openbureau-lxc.sh` auf dem Proxmox-Host ausführen — legt den LXC
+an, installiert Docker, zieht das (öffentliche) Repo, generiert alle Secrets und
+startet den Stack. Als Einzeiler:
+
+```bash
+bash <(curl -fsSL https://git.kgva.ch/karim/OPENBUREAU/raw/branch/main/cms/proxmox/create-openbureau-lxc.sh)
+```
+
+Fragt interaktiv nur Storage/Bridge/IP ab (Enter = Default). Kein Token nötig.
+`GIT_TOKEN` nur setzen, wenn das CMS per `GIT_PUBLISH` nach Gitea zurückschreiben soll.
+
+### Updaten (bestehender LXC)
+
+Nicht `git pull` von Hand — das vergisst CORS-Origin (kong.yml), Dateirechte
+(non-root) und den Neustart. Stattdessen im Container:
+
+```bash
+bash /opt/openbureau/cms/update.sh
+```
+
+Das macht: `git pull` → CORS-Origin aus `SITE_URL` in `kong.yml` rendern →
+`chown -R 1000:1000` → `docker compose up -d --build` + kong neu laden →
+Healthcheck. (Beim allerersten Mal das Skript per einmaligem `git pull` holen.)
+
+### Manuell (oder im Container)
+
+1. `cp .env.example .env`
+2. `POSTGRES_PASSWORD` + `JWT_SECRET` setzen: je `openssl rand -hex 32`
+3. Keys ableiten: `node scripts/generate-keys.mjs` → `ANON_KEY` + `SERVICE_ROLE_KEY` in `.env`
+4. `SITE_URL` + `API_EXTERNAL_URL` auf die LAN-/Domain-Adresse setzen
+5. `kong.yml`: Platzhalter `__CORS_ORIGIN__` durch `SITE_URL` (Browser-Origin) ersetzen
+6. `BIND_ADDR` in `.env`: `127.0.0.1` hinter Reverse-Proxy (Standard), `0.0.0.0` für LAN-Direktzugriff
+7. Repo dem Container-User (uid 1000) übereignen: `chown -R 1000:1000 <repo-root>`
+8. `docker compose up -d --build`  (Erststart: DB bootet + Schema/Migrations)
+9. Login-User anlegen (Self-Signup ist aus):
+   ```
+   source .env
+   curl -X POST "$API_EXTERNAL_URL/auth/v1/admin/users" \
+     -H "apikey: $SERVICE_ROLE_KEY" -H "Authorization: Bearer $SERVICE_ROLE_KEY" \
+     -H "Content-Type: application/json" \
+     -d '{"email":"du@example.ch","password":"…","email_confirm":true}'
+   ```
+
+Dann: Admin `…:8080/admin/` · Live `…:8080/` · Preview `…:8080/_preview/`
+
+### Lokale Entwicklung am Admin
+
+`cd admin && npm install && npm run dev` (Vite-Devserver, proxyt `/api` +
+`/_preview` an den laufenden Container auf :8080).
+
+Tests der API (ohne DB/Container, reine Logik): `cd api && npm test`
+(`node --test` — Pfad-Sicherheit, Rollen/Auth, Rate-Limit, Build-Coalescing).
+
+### Demo-Inhalt fürs Forum (optional)
+
+`db/seed-demo.sql` füllt die Forum-Kategorien mit ein paar Beispiel-Threads und
+-Wortmeldungen — bewusst **getrennt** von der Migration, damit die Produktion
+leer startet. Bei Bedarf manuell einspielen (idempotent, mehrfach lauffähig):
+
+```bash
+docker compose exec -T db psql -U supabase_admin -d postgres < db/seed-demo.sql
+```
+
+Wieder entfernen: DELETE-Block am Ende der Datei (auskommentiert).
+
+### Backup der Dialog-Daten
+
+⚠️ Foren, Threads und Wortmeldungen liegen **nur in Postgres** — anders als
+`content/*.md` (in Git) sind sie sonst nirgends gesichert. Das Proxmox-Script
+richtet ein **tägliches** Backup ein (`/etc/cron.d/openbureau-backup`, 3:15 Uhr).
+Manuell/sonst:
+
+```bash
+bash scripts/backup-db.sh          # → backups/openbureau-<TS>.sql.gz (rotiert, 14 Stk.)
+```
+
+Wiederherstellen:
+
+```bash
+gunzip -c backups/openbureau-<TS>.sql.gz \
+  | docker compose exec -T db psql -U supabase_admin -d postgres
+```
+
+## Sicherheit / Härtung
+
+Eingebaute Schutzmaßnahmen (Stand: Härtungs-Pass):
+
+- **Sicherheits-Header** auf allen Antworten (X-Frame-Options, nosniff,
+  Referrer-Policy, HSTS); Uploads unter `/images/*` mit strikter CSP +
+  `sandbox` → ein bösartiges SVG kann kein JavaScript im Origin ausführen.
+- **Rate-Limit** auf `/api/auth/login` (10 Versuche/IP pro 5 Min) gegen Brute-Force.
+- **Body-Limit** 256 KB auf JSON-`/api/*`, Bild-Upload max. 8 MB mit
+  Format-Verifikation (sharp-Metadaten bzw. SVG/GIF-Signatur).
+- **Comment-Limits** (Body ≤ 10 000 Zeichen) gegen DB-Bloat.
+- **Kein Info-Leak**: rohe DB-Fehler werden serverseitig geloggt, nach außen
+  nur generische Meldungen.
+- **Non-root**: der CMS-Container läuft als `node` (uid 1000).
+- **Port-Binding** über `BIND_ADDR` (Standard `127.0.0.1`), DB nur auf localhost.
+- **CORS** am Kong-Gateway auf die eigene `SITE_URL`-Origin beschränkt (kein `*`).
+
+### Migration eines bestehenden Containers
+
+Bei `git pull` auf einer schon laufenden Instanz greifen drei Änderungen, die
+sonst einen frischen Deploy voraussetzen — **vor** dem nächsten
+`docker compose up -d --build` von Hand nachziehen:
+
+1. **Non-root:** `chown -R 1000:1000 <repo-root>` — sonst kann Hugo `public/`
+   nicht mehr bauen (Permission denied).
+2. **CORS:** `kong.yml` enthält jetzt `__CORS_ORIGIN__`; auf einem bereits
+   initialisierten Container ersetzt das Proxmox-Script den Platzhalter nicht.
+   Manuell auf die `SITE_URL` setzen, sonst werden alle Browser-API-Calls
+   (inkl. Login) per CORS geblockt.
+3. **BIND_ADDR:** Key in `.env` ergänzen. Default `127.0.0.1` ist hinter einem
+   TLS-Proxy korrekt; für LAN-Direktzugriff `0.0.0.0` setzen.
+
+## API
+
+Alle `/api/*` (ausser `/health`) verlangen `Authorization: Bearer <supabase-token>`.
+
+| Methode | Pfad                          | Zweck                                  |
+|---------|-------------------------------|----------------------------------------|
+| GET     | `/api/health`                 | Healthcheck (offen)                    |
+| GET     | `/api/content`                | Alle Einträge listen (Beiträge/Seiten/Rubriken) |
+| GET     | `/api/content/entry?path=…`   | Einen Eintrag lesen (Frontmatter + Body) |
+| PUT     | `/api/content/entry`          | Eintrag anlegen/speichern (`{path, frontmatter, body}`) |
+| POST    | `/api/preview`                | Preview-Build (`--buildDrafts`), liefert `/_preview/…` |
+| POST    | `/api/publish`                | Public-Build → live + (opt.) git commit |
+| POST    | `/api/upload`                 | Bild → `static/images/`, liefert `/images/<name>` |
+
+## Stand
+
+- [x] api + Hugo-Binary, Ein-Container-Setup
+- [x] Publish-Flow (DB → MD → `hugo` → live)
+- [x] Echte Hugo-Vorschau (`--buildDrafts` → `/_preview`)
+- [x] React-Admin (`admin/`) — Login, Editor, Frontmatter-Formular, iframe-Preview
+- [x] Supabase-Auth-Middleware auf der API
+- [x] Bild-Upload für `cover_image`
+
+### Noch denkbar
+
+- nginx davor für Caching/TLS (oder über deinen bestehenden Reverse-Proxy)
+- Post löschen / Slug-Umbenennung (alte MD-Datei entfernen)
+- Mehrbenutzer + Rollen, wenn ein zweiter Autor dazukommt
@@ -0,0 +1,12 @@
+<!doctype html>
+<html lang="de">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>OPENBUREAU — CMS</title>
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.jsx"></script>
+  </body>
+</html>
@@ -0,0 +1,21 @@
+{
+  "name": "openbureau-cms-admin",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "vite",
+    "build": "vite build",
+    "preview": "vite preview"
+  },
+  "dependencies": {
+    "@supabase/supabase-js": "^2.47.10",
+    "@toast-ui/editor": "^3.2.2",
+    "react": "^18.3.1",
+    "react-dom": "^18.3.1"
+  },
+  "devDependencies": {
+    "@vitejs/plugin-react": "^4.3.4",
+    "vite": "^6.0.7"
+  }
+}
@@ -0,0 +1,634 @@
+import { useEffect, useRef, useState } from 'react';
+import ToastEditor from '@toast-ui/editor';
+import '@toast-ui/editor/dist/toastui-editor.css';
+import { supabase } from './supabase.js';
+import { api } from './api.js';
+
+// OPENBUREAU-Palette (Hex aus assets/css/custom.css) — für Dropdown + Punkte.
+const COLORS = [
+  ['', 'keine', 'transparent'],
+  ['ajisai', 'Ajisai · Hortensie', '#A39EC4'],
+  ['sakura', 'Sakura · Kirschblüte', '#C49EC4'],
+  ['suna', 'Suna · Sand', '#C4C19E'],
+  ['ichigo', 'Ichigo · Erdbeere', '#C49EA0'],
+  ['yuyake', 'Yuyake · Sonnenuntergang', '#CEB188'],
+  ['sora', 'Sora · Himmel', '#9EC3C4'],
+  ['kusa', 'Kusa · Gras', '#9EC49F'],
+  ['kori', 'Kori · Eis', '#A5B4CB'],
+  ['amagumo', 'Amagumo · Regenwolke', '#4C4C4C'],
+  ['yuki', 'Yuki · Schnee', '#F0F0F0'],
+];
+const hexOf = (name) => (COLORS.find((c) => c[0] === name) || [])[2] || 'transparent';
+
+const LAYOUTS = ['', 'text', 'image', 'icon'];
+const SECTIONS = ['buerofuehrung', 'software', 'theorie'];
+const KIND_LABEL = { beitrag: 'Beiträge', seite: 'Seiten', rubrik: 'Rubriken' };
+
+const EMPTY = {
+  isNew: true, path: '', type: 'beitrag', section: 'software', slug: '',
+  title: '', date: new Date().toISOString().slice(0, 10), weight: '',
+  color: '', layout: 'text', tags: '', summary: '', description: '',
+  cover_image: '', external: '', authors: '', toc: false, draft: true, body: '',
+};
+
+export default function App() {
+  const [session, setSession] = useState(null);
+  const [loading, setLoading] = useState(true);
+  useEffect(() => {
+    supabase.auth.getSession().then(({ data }) => { setSession(data.session); setLoading(false); });
+    const { data: sub } = supabase.auth.onAuthStateChange((_e, s) => setSession(s));
+    return () => sub.subscription.unsubscribe();
+  }, []);
+  if (loading) return <div className="center muted">…</div>;
+  if (!session) return <Login />;
+  return <Dashboard email={session.user.email} />;
+}
+
+function Login() {
+  const [email, setEmail] = useState('');
+  const [password, setPassword] = useState('');
+  const [err, setErr] = useState(null);
+  async function submit(e) {
+    e.preventDefault(); setErr(null);
+    const { error } = await supabase.auth.signInWithPassword({ email, password });
+    if (error) setErr(error.message);
+  }
+  return (
+    <div className="center">
+      <form className="login" onSubmit={submit}>
+        <div className="login-brand">OPENBUREAU</div>
+        <div className="login-sub">Redaktion</div>
+        <input type="email" placeholder="E-Mail" value={email} onChange={(e) => setEmail(e.target.value)} autoFocus />
+        <input type="password" placeholder="Passwort" value={password} onChange={(e) => setPassword(e.target.value)} />
+        <button type="submit">Anmelden</button>
+        {err && <p className="err">{err}</p>}
+      </form>
+    </div>
+  );
+}
+
+function Dashboard({ email }) {
+  const [entries, setEntries] = useState([]);
+  const [current, setCurrent] = useState(null);
+  const [query, setQuery] = useState('');
+  const [view, setView] = useState('content');
+  const [me, setMe] = useState(null);
+  const [msg, setMsg] = useState(null);
+
+  async function refresh() {
+    try { setEntries(await api.list()); }
+    catch (e) { setMsg({ type: 'err', text: e.message }); }
+  }
+  useEffect(() => { refresh(); api.getMe().then(setMe).catch(() => {}); }, []);
+  useEffect(() => { if (!msg) return; const t = setTimeout(() => setMsg(null), 4000); return () => clearTimeout(t); }, [msg]);
+
+  async function open(entry) {
+    try { setCurrent(fromRead(await api.read(entry.path))); }
+    catch (err) { setMsg({ type: 'err', text: err.message }); }
+  }
+
+  const q = query.trim().toLowerCase();
+  const filtered = q ? entries.filter((e) => e.title.toLowerCase().includes(q) || (e.section || '').includes(q)) : entries;
+  const groups = { beitrag: [], seite: [], rubrik: [] };
+  for (const e of filtered) (groups[e.kind] || groups.seite).push(e);
+
+  return (
+    <div className="app">
+      <header className="topbar">
+        <span className="logo">OPENBUREAU</span>
+        <span className="logo-sub">Redaktion</span>
+        <nav className="nav">
+          <button className={view === 'content' ? 'active' : ''} onClick={() => setView('content')}>Inhalte</button>
+          <button className={view === 'profile' ? 'active' : ''} onClick={() => setView('profile')}>Profil</button>
+          {me?.canModerate && <button className={view === 'moderation' ? 'active' : ''} onClick={() => setView('moderation')}>Moderation</button>}
+          {me?.isAdmin && <button className={view === 'forums' ? 'active' : ''} onClick={() => setView('forums')}>Foren</button>}
+          {me?.isAdmin && <button className={view === 'users' ? 'active' : ''} onClick={() => setView('users')}>Autor:innen</button>}
+        </nav>
+        <span className="spacer" />
+        <span className="who">{email}</span>
+        <button className="ghost" onClick={() => supabase.auth.signOut()}>Abmelden</button>
+      </header>
+
+      <div className="body">
+        {view === 'profile' ? (
+          <Profile onMsg={setMsg} />
+        ) : view === 'users' ? (
+          <Users onMsg={setMsg} currentEmail={me?.email} />
+        ) : view === 'forums' ? (
+          <Forums onMsg={setMsg} />
+        ) : view === 'moderation' ? (
+          <Moderation onMsg={setMsg} />
+        ) : (
+          <>
+            <aside>
+              <button className="new" onClick={() => setCurrent({ ...EMPTY })}>＋ Neuer Beitrag</button>
+              <div className="search"><span>⌕</span><input placeholder="Suchen…" value={query} onChange={(e) => setQuery(e.target.value)} /></div>
+              {['beitrag', 'seite', 'rubrik'].map((kind) => groups[kind].length > 0 && (
+                <div className="group" key={kind}>
+                  <div className="group-title">{KIND_LABEL[kind]} <span>{groups[kind].length}</span></div>
+                  <ul className="list">
+                    {groups[kind].map((e) => (
+                      <li key={e.path} className={current?.path === e.path ? 'active' : ''} onClick={() => open(e)}>
+                        <span className="dot" style={{ background: e.color ? hexOf(e.color) : 'var(--line)' }} />
+                        <span className="t">
+                          <span className="t-title">{e.title}</span>
+                          <span className="t-meta">{[e.section, e.date].filter(Boolean).join(' · ')}</span>
+                        </span>
+                        {e.draft && <span className="draft-tag">Entwurf</span>}
+                      </li>
+                    ))}
+                  </ul>
+                </div>
+              ))}
+            </aside>
+            <main>
+              {current
+                ? <Editor key={current.path || 'new'} initial={current}
+                    onSaved={(loaded) => { setCurrent(loaded); refresh(); }} onMsg={setMsg} />
+                : <div className="empty"><p>Wähle links einen Eintrag — oder leg einen neuen Beitrag an.</p></div>}
+            </main>
+          </>
+        )}
+      </div>
+
+      {msg && <div className={`toast ${msg.type}`} onClick={() => setMsg(null)}>{msg.text}</div>}
+    </div>
+  );
+}
+
+function Editor({ initial, onSaved, onMsg }) {
+  const [f, setF] = useState(initial);
+  const [previewUrl, setPreviewUrl] = useState(null);
+  const [showPreview, setShowPreview] = useState(false);
+  const [pw, setPw] = useState(44);
+  const [busy, setBusy] = useState(false);
+  const editorRef = useRef(null);
+  const dragging = useRef(false);
+  const coverIn = useRef(null);
+  const set = (k) => (e) => setF({ ...f, [k]: e.target.type === 'checkbox' ? e.target.checked : e.target.value });
+
+  async function pickCover(ev) {
+    const file = ev.target.files?.[0]; ev.target.value = '';
+    if (!file) return;
+    setBusy(true);
+    try { const { url } = await api.upload(file); setF((p) => ({ ...p, cover_image: url })); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+    finally { setBusy(false); }
+  }
+
+  // Ziehbarer Trenner Editor ↔ Vorschau.
+  useEffect(() => {
+    function move(e) {
+      if (!dragging.current || !editorRef.current) return;
+      const r = editorRef.current.getBoundingClientRect();
+      setPw(Math.min(70, Math.max(25, ((r.right - e.clientX) / r.width) * 100)));
+    }
+    function up() { dragging.current = false; document.body.style.cursor = ''; document.body.style.userSelect = ''; }
+    window.addEventListener('mousemove', move);
+    window.addEventListener('mouseup', up);
+    return () => { window.removeEventListener('mousemove', move); window.removeEventListener('mouseup', up); };
+  }, []);
+  function startDrag(e) { dragging.current = true; document.body.style.cursor = 'col-resize'; document.body.style.userSelect = 'none'; e.preventDefault(); }
+
+  function currentPath(data = f) {
+    if (!data.isNew) return data.path;
+    const slug = (data.slug || '').trim();
+    if (!slug) return '';
+    return data.type === 'beitrag' ? `library/${data.section}/${slug}.md` : `${slug}.md`;
+  }
+
+  // overrides erlauben z.B. { draft: false } beim Publizieren.
+  async function save(overrides = {}) {
+    const data = { ...f, ...overrides };
+    const path = currentPath(data);
+    if (!path) { onMsg({ type: 'err', text: 'Bitte einen Slug angeben.' }); return null; }
+    if (!data.title.trim()) { onMsg({ type: 'err', text: 'Titel fehlt.' }); return null; }
+    setBusy(true);
+    try {
+      await api.save(path, buildFrontmatter(data), data.body);
+      const loaded = fromRead(await api.read(path));
+      onSaved(loaded); setF(loaded);
+      return path;
+    } catch (e) { onMsg({ type: 'err', text: e.message }); return null; }
+    finally { setBusy(false); }
+  }
+  async function preview() {
+    const path = await save(); if (!path) return;
+    setShowPreview(true); setBusy(true);
+    try { const res = await api.preview(path); setPreviewUrl(`${res.url}?t=${Date.now()}`); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+    finally { setBusy(false); }
+  }
+  async function publish() {
+    if (!confirm('Live publizieren? Der Beitrag wird aus „Entwurf“ genommen.')) return;
+    const path = await save({ draft: false }); // Publizieren = nicht mehr Entwurf
+    if (!path) return;
+    setBusy(true);
+    try { const res = await api.publish(path); onMsg({ type: 'ok', text: `Live: ${res.url}` }); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+    finally { setBusy(false); }
+  }
+
+  return (
+    <div className="editor" ref={editorRef}>
+      <div className="editor-main">
+        <div className="editor-head">
+          <div className="crumb">{f.isNew ? 'Neuer Eintrag' : f.path}</div>
+          <span className="spacer" />
+          {f.draft ? <span className="status draft">Entwurf</span> : <span className="status live">Veröffentlicht</span>}
+          <button className="toggle" onClick={() => setShowPreview((v) => !v)} title="Vorschau ein/aus">
+            {showPreview ? 'Vorschau ⤫' : 'Vorschau ⤢'}
+          </button>
+          <button onClick={() => save().then((p) => p && onMsg({ type: 'ok', text: 'Gespeichert.' }))} disabled={busy}>Speichern</button>
+          <button onClick={preview} disabled={busy}>Vorschau</button>
+          <button className="primary" onClick={publish} disabled={busy}>Publizieren</button>
+        </div>
+
+        <div className="fields">
+          {f.isNew && (
+            <div className="row">
+              <label className="sm">Typ
+                <select value={f.type} onChange={set('type')}>
+                  <option value="beitrag">Beitrag</option>
+                  <option value="seite">Seite</option>
+                </select>
+              </label>
+              {f.type === 'beitrag' && (
+                <label className="sm">Rubrik
+                  <select value={f.section} onChange={set('section')}>{SECTIONS.map((s) => <option key={s}>{s}</option>)}</select>
+                </label>
+              )}
+              <label>Slug<input value={f.slug} onChange={set('slug')} placeholder="z.B. neuer-beitrag" /></label>
+            </div>
+          )}
+
+          <label className="big">Titel<input value={f.title} onChange={set('title')} placeholder="Titel des Beitrags" /></label>
+
+          <div className="meta">
+            <label className="sm">Datum<input type="date" value={f.date} onChange={set('date')} /></label>
+            <label className="xs">Reihenfolge<input type="number" value={f.weight} onChange={set('weight')} placeholder="weight" /></label>
+            <label className="sm">Farbe
+              <div className="colorpick">
+                <span className="swatch" style={{ background: hexOf(f.color) }} />
+                <select value={f.color} onChange={set('color')}>{COLORS.map(([v, label]) => <option key={v} value={v}>{label}</option>)}</select>
+              </div>
+            </label>
+            <label className="sm">Layout
+              <select value={f.layout} onChange={set('layout')}>{LAYOUTS.map((l) => <option key={l} value={l}>{l || '(automatisch)'}</option>)}</select>
+            </label>
+            <label>Tags<input value={f.tags} onChange={set('tags')} placeholder="komma, getrennt" /></label>
+            <label className="check"><input type="checkbox" checked={f.toc} onChange={set('toc')} /> Inhaltsverz.</label>
+            <label className="check"><input type="checkbox" checked={f.draft} onChange={set('draft')} /> Entwurf</label>
+          </div>
+
+          <label>Kurztext (summary)<input value={f.summary} onChange={set('summary')} /></label>
+          <div className="row">
+            <label>Cover-Bild
+              <div className="cover-row">
+                <input value={f.cover_image} onChange={set('cover_image')} placeholder="/images/…jpg" />
+                <button type="button" onClick={() => coverIn.current?.click()} disabled={busy}>Hochladen</button>
+                <input ref={coverIn} type="file" accept="image/*" hidden onChange={pickCover} />
+                {f.cover_image && <span className="cover-thumb" style={{ backgroundImage: `url(${f.cover_image})` }} />}
+              </div>
+            </label>
+            <label>Externer Link<input value={f.external} onChange={set('external')} placeholder="https://…" /></label>
+          </div>
+          <label>Autor:innen (E-Mails, Komma — für gemeinsamen Zugriff)
+            <input value={f.authors} onChange={set('authors')} placeholder="du@…, kollege@…" />
+          </label>
+
+          <div className="rich">
+            <RichEditor value={f.body} onChange={(body) => setF((p) => ({ ...p, body }))}
+              onUpload={async (file) => (await api.upload(file)).url} />
+          </div>
+        </div>
+      </div>
+
+      {showPreview && <div className="splitter" onMouseDown={startDrag} />}
+      {showPreview && (
+        <div className="preview" style={{ width: pw + '%' }}>
+          {previewUrl
+            ? <iframe title="Vorschau" src={previewUrl} />
+            : <div className="empty small"><p>Auf „Vorschau“ klicken — die Seite erscheint hier in deinem echten Theme.</p></div>}
+        </div>
+      )}
+    </div>
+  );
+}
+
+// ── WYSIWYG-Editor (Toast UI, vanilla) — Formatierung live, speichert Markdown ──
+function RichEditor({ value, onChange, onUpload }) {
+  const el = useRef(null);
+  const inst = useRef(null);
+  // value/onChange/onUpload in Refs, damit der Editor nur EINMAL erzeugt wird.
+  const cb = useRef({ onChange, onUpload });
+  cb.current = { onChange, onUpload };
+
+  useEffect(() => {
+    inst.current = new ToastEditor({
+      el: el.current,
+      initialValue: value || '',
+      initialEditType: 'wysiwyg',
+      previewStyle: 'tab',
+      height: '100%',
+      usageStatistics: false,
+      autofocus: false,
+      toolbarItems: [
+        ['heading', 'bold', 'italic', 'strike'],
+        ['hr', 'quote'],
+        ['ul', 'ol'],
+        ['link', 'image'],
+        ['code', 'codeblock'],
+      ],
+      hooks: {
+        addImageBlobHook: async (blob, done) => {
+          try { done(await cb.current.onUpload(blob), blob.name || 'bild'); }
+          catch { /* Upload fehlgeschlagen */ }
+        },
+      },
+      events: { change: () => cb.current.onChange(inst.current.getMarkdown()) },
+    });
+    return () => { inst.current?.destroy(); inst.current = null; };
+  }, []);
+
+  return <div ref={el} className="rich-host" />;
+}
+
+// ── Profil ──────────────────────────────────────────────────────────────────
+function Profile({ onMsg }) {
+  const [p, setP] = useState(null);
+  const [busy, setBusy] = useState(false);
+  const fileIn = useRef(null);
+  useEffect(() => { api.getProfile().then(setP).catch((e) => onMsg({ type: 'err', text: e.message })); }, []);
+  if (!p) return <div className="empty">…</div>;
+  const set = (k) => (e) => setP({ ...p, [k]: e.target.value });
+
+  async function pickAvatar(ev) {
+    const file = ev.target.files?.[0]; ev.target.value = '';
+    if (!file) return;
+    setBusy(true);
+    try { const { url } = await api.upload(file); setP((x) => ({ ...x, avatar: url })); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+    finally { setBusy(false); }
+  }
+  async function save() {
+    setBusy(true);
+    try { await api.saveProfile({ name: p.name, bio: p.bio, avatar: p.avatar }); onMsg({ type: 'ok', text: 'Profil gespeichert.' }); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+    finally { setBusy(false); }
+  }
+
+  return (
+    <div className="profile">
+      <div className="profile-card">
+        <h2>Profil</h2>
+        <div className="avatar-row">
+          <div className="avatar" style={{ backgroundImage: p.avatar ? `url(${p.avatar})` : 'none' }}>{!p.avatar && '🙂'}</div>
+          <div>
+            <button onClick={() => fileIn.current?.click()} disabled={busy}>Profilbild wählen</button>
+            <input ref={fileIn} type="file" accept="image/*" hidden onChange={pickAvatar} />
+            <p className="muted who-mail">{p.email}</p>
+          </div>
+        </div>
+        <label>Name<input value={p.name} onChange={set('name')} placeholder="Dein Name" /></label>
+        <label>Über mich<textarea value={p.bio} onChange={set('bio')} rows={5} placeholder="Kurzer Text über dich…" /></label>
+        <div className="actions"><button className="primary" onClick={save} disabled={busy}>Speichern</button></div>
+      </div>
+    </div>
+  );
+}
+
+// ── Autor:innen-Verwaltung (nur Admin) ──────────────────────────────────────
+function Users({ onMsg, currentEmail }) {
+  const [list, setList] = useState(null);
+  const [email, setEmail] = useState('');
+  const [password, setPassword] = useState('');
+  const [busy, setBusy] = useState(false);
+
+  async function refresh() {
+    try { setList(await api.listUsers()); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+  }
+  useEffect(() => { refresh(); }, []);
+
+  async function create(e) {
+    e.preventDefault(); setBusy(true);
+    try { await api.createUser(email, password); onMsg({ type: 'ok', text: 'Autor:in angelegt.' }); setEmail(''); setPassword(''); refresh(); }
+    catch (err) { onMsg({ type: 'err', text: err.message }); }
+    finally { setBusy(false); }
+  }
+  async function remove(u) {
+    if (!confirm(`${u.email} löschen?`)) return;
+    try { await api.deleteUser(u.id); refresh(); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+  }
+  async function reset(u) {
+    const pw = prompt(`Neues Passwort für ${u.email}:`);
+    if (!pw) return;
+    try { await api.setPassword(u.id, pw); onMsg({ type: 'ok', text: 'Passwort gesetzt.' }); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+  }
+  async function changeRole(u, role) {
+    try { await api.setRole(u.id, role); onMsg({ type: 'ok', text: `Rolle: ${ROLE_LABEL[role]}` }); refresh(); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+  }
+
+  if (!list) return <div className="empty">…</div>;
+  return (
+    <div className="profile">
+      <div className="profile-card">
+        <h2>Autor:innen &amp; Rollen</h2>
+        <form className="userform" onSubmit={create}>
+          <input type="email" placeholder="E-Mail" value={email} onChange={(e) => setEmail(e.target.value)} required />
+          <input type="text" placeholder="Passwort" value={password} onChange={(e) => setPassword(e.target.value)} required />
+          <button className="primary" disabled={busy}>Anlegen</button>
+        </form>
+        <ul className="userlist">
+          {list.map((u) => (
+            <li key={u.id}>
+              <span className="t">{u.email}</span>
+              {u.fixedAdmin
+                ? <span className="status live">Admin (.env)</span>
+                : <select className="role-select" value={u.role} onChange={(e) => changeRole(u, e.target.value)}>
+                    <option value="user">User</option>
+                    <option value="editor">Redakteur</option>
+                    <option value="admin">Admin</option>
+                  </select>}
+              <button onClick={() => reset(u)}>Passwort</button>
+              {u.email !== currentEmail && !u.fixedAdmin && <button onClick={() => remove(u)}>Löschen</button>}
+            </li>
+          ))}
+        </ul>
+        <p className="muted who-mail"><b>User</b> schreiben nur im Forum · <b>Redakteur</b> moderiert · <b>Admin</b> verwaltet alles. Admins aus <code>ADMIN_EMAILS</code> sind fix.</p>
+      </div>
+    </div>
+  );
+}
+
+const ROLE_LABEL = { user: 'User', editor: 'Redakteur', admin: 'Admin' };
+
+// ── Foren-Verwaltung (nur Admin) ────────────────────────────────────────────
+function Forums({ onMsg }) {
+  const [list, setList] = useState(null);
+  const [draft, setDraft] = useState({ slug: '', name: '', sort: 50 });
+  const [busy, setBusy] = useState(false);
+
+  async function refresh() {
+    try { setList(await api.listForumsAdmin()); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+  }
+  useEffect(() => { refresh(); }, []);
+
+  async function create(e) {
+    e.preventDefault();
+    if (!draft.slug || !draft.name) return;
+    setBusy(true);
+    try { await api.createForum(draft); onMsg({ type: 'ok', text: 'Kategorie angelegt.' }); setDraft({ slug: '', name: '', sort: 50 }); refresh(); }
+    catch (err) { onMsg({ type: 'err', text: err.message }); }
+    finally { setBusy(false); }
+  }
+  async function save(f, patch) {
+    try { await api.updateForum(f.id, patch); refresh(); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+  }
+  async function remove(f) {
+    if (!confirm(`Kategorie „${f.name}“ löschen? Threads darin verschwinden.`)) return;
+    try { await api.deleteForum(f.id); onMsg({ type: 'ok', text: 'Gelöscht.' }); refresh(); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+  }
+
+  if (!list) return <div className="empty">…</div>;
+  return (
+    <div className="profile">
+      <div className="profile-card wide">
+        <h2>Foren / Kategorien</h2>
+        <form className="userform" onSubmit={create}>
+          <input placeholder="Name (z. B. Wettbewerbe)" value={draft.name}
+            onChange={(e) => setDraft({ ...draft, name: e.target.value, slug: draft.slug || slugify(e.target.value) })} required />
+          <input placeholder="slug" value={draft.slug} onChange={(e) => setDraft({ ...draft, slug: slugify(e.target.value) })} required />
+          <input type="number" placeholder="Sort" style={{ width: '5em' }} value={draft.sort} onChange={(e) => setDraft({ ...draft, sort: e.target.value })} />
+          <button className="primary" disabled={busy}>Anlegen</button>
+        </form>
+        <ul className="forumlist">
+          {list.map((f) => (
+            <li key={f.id} className={f.kind === 'library' ? 'is-library' : ''}>
+              <span className="fsort">{f.sort}</span>
+              <input className="fname" defaultValue={f.name} onBlur={(e) => e.target.value !== f.name && save(f, { name: e.target.value })} />
+              <input className="fcolor" type="color" value={/^#[0-9a-fA-F]{6}$/.test(f.color || '') ? f.color : '#cccccc'} onChange={(e) => save(f, { color: e.target.value })} title="Akzentfarbe" />
+              <span className="fslug">/{f.slug}</span>
+              {f.kind === 'library'
+                ? <span className="status">Library (auto)</span>
+                : <button onClick={() => remove(f)}>Löschen</button>}
+            </li>
+          ))}
+        </ul>
+        <p className="muted who-mail">„Beiträge“ ist die automatische Library-Kategorie und kann nicht gelöscht werden.</p>
+      </div>
+    </div>
+  );
+}
+
+// ── Moderation (Admin + Redakteur) ──────────────────────────────────────────
+function Moderation({ onMsg }) {
+  const [data, setData] = useState(null);
+
+  async function refresh() {
+    try { setData(await api.modOverview()); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+  }
+  useEffect(() => { refresh(); }, []);
+
+  async function delComment(c) {
+    if (!confirm('Wortmeldung löschen?')) return;
+    try { await api.deleteComment(c.id); onMsg({ type: 'ok', text: 'Gelöscht.' }); refresh(); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+  }
+  async function toggleLock(t) {
+    try { await api.lockThread(t.key, !t.locked); refresh(); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+  }
+  async function delThread(t) {
+    if (!confirm(`Thread „${t.title}“ ausblenden?`)) return;
+    try { await api.deleteThread(t.key); onMsg({ type: 'ok', text: 'Ausgeblendet.' }); refresh(); }
+    catch (e) { onMsg({ type: 'err', text: e.message }); }
+  }
+
+  if (!data) return <div className="empty">…</div>;
+  return (
+    <div className="moderation">
+      <div className="mod-col">
+        <h2>Letzte Wortmeldungen</h2>
+        <ul className="modlist">
+          {data.comments.map((c) => (
+            <li key={c.id}>
+              <div className="mod-head"><b>{c.author_name}</b>
+                <span className="muted"> · {c.forum_name || '—'} · {c.thread_title}</span></div>
+              <div className="mod-body">{c.body}</div>
+              <div className="mod-actions">
+                <a href={c.thread_url} target="_blank" rel="noreferrer">öffnen</a>
+                <button onClick={() => delComment(c)}>Löschen</button>
+              </div>
+            </li>
+          ))}
+          {!data.comments.length && <li className="muted">Noch keine Wortmeldungen.</li>}
+        </ul>
+      </div>
+      <div className="mod-col">
+        <h2>Threads</h2>
+        <ul className="modlist">
+          {data.threads.map((t) => (
+            <li key={t.key} className={t.deleted ? 'gone' : ''}>
+              <div className="mod-head"><b>{t.title}</b>
+                <span className="muted"> · {t.forum_name} · {t.count}</span>
+                {t.locked && <span className="status">gesperrt</span>}
+                {t.deleted && <span className="status">ausgeblendet</span>}</div>
+              <div className="mod-actions">
+                <a href={t.url} target="_blank" rel="noreferrer">öffnen</a>
+                {t.kind !== 'library' && <button onClick={() => toggleLock(t)}>{t.locked ? 'Entsperren' : 'Sperren'}</button>}
+                {!t.deleted && <button onClick={() => delThread(t)}>Ausblenden</button>}
+              </div>
+            </li>
+          ))}
+        </ul>
+      </div>
+    </div>
+  );
+}
+
+function slugify(s) {
+  return (s || '').toLowerCase().normalize('NFD').replace(/[̀-ͯ]/g, '')
+    .replace(/[^a-z0-9]+/g, '-').replace(/^-+|-+$/g, '');
+}
+
+// ── Mapping Datei-Lesart → Formular ────────────────────────────────────────
+function fromRead(r) {
+  const fm = r.frontmatter || {};
+  return {
+    isNew: false, path: r.path, type: 'beitrag', section: '', slug: '',
+    title: fm.title || '', date: fm.date ? String(fm.date).slice(0, 10) : '',
+    weight: fm.weight ?? '', color: fm.color || '', layout: fm.layout || '',
+    tags: Array.isArray(fm.tags) ? fm.tags.join(', ') : '',
+    summary: fm.summary || '', description: fm.description || '',
+    cover_image: fm.cover_image || '', external: fm.external || '',
+    authors: Array.isArray(fm.authors) ? fm.authors.join(', ') : (fm.authors || ''),
+    toc: !!fm.toc, draft: !!fm.draft, body: r.body || '',
+  };
+}
+function buildFrontmatter(f) {
+  const fm = { title: f.title };
+  if (f.date) fm.date = f.date;
+  if (f.weight !== '' && f.weight != null) fm.weight = Number(f.weight);
+  const tags = f.tags ? f.tags.split(',').map((t) => t.trim()).filter(Boolean) : [];
+  if (tags.length) fm.tags = tags;
+  if (f.summary) fm.summary = f.summary;
+  if (f.description) fm.description = f.description;
+  if (f.cover_image) fm.cover_image = f.cover_image;
+  if (f.layout) fm.layout = f.layout;
+  if (f.external) fm.external = f.external;
+  if (f.color) fm.color = f.color;
+  const authors = f.authors ? f.authors.split(',').map((t) => t.trim()).filter(Boolean) : [];
+  if (authors.length) fm.authors = authors;
+  if (f.toc) fm.toc = true;
+  if (f.draft) fm.draft = true;
+  return fm;
+}
@@ -0,0 +1,64 @@
+import { supabase } from './supabase.js';
+
+// Ruft die CMS-API (gleiche Origin) mit dem aktuellen Supabase-Token auf.
+async function call(path, options = {}) {
+  const { data } = await supabase.auth.getSession();
+  const token = data?.session?.access_token;
+  const res = await fetch(`/api${path}`, {
+    ...options,
+    headers: {
+      'Content-Type': 'application/json',
+      ...(token ? { Authorization: `Bearer ${token}` } : {}),
+      ...options.headers,
+    },
+  });
+  const json = await res.json().catch(() => ({}));
+  if (!res.ok) throw new Error(json.error || `HTTP ${res.status}`);
+  return json;
+}
+
+// Datei-Upload (multipart): Browser setzt den Header selbst.
+async function uploadFile(file) {
+  const { data } = await supabase.auth.getSession();
+  const token = data?.session?.access_token;
+  const form = new FormData();
+  form.append('file', file);
+  const res = await fetch('/api/upload', {
+    method: 'POST',
+    headers: token ? { Authorization: `Bearer ${token}` } : {},
+    body: form,
+  });
+  const json = await res.json().catch(() => ({}));
+  if (!res.ok) throw new Error(json.error || `HTTP ${res.status}`);
+  return json;
+}
+
+export const api = {
+  list: () => call('/content'),
+  read: (path) => call(`/content/entry?path=${encodeURIComponent(path)}`),
+  save: (path, frontmatter, body) =>
+    call('/content/entry', { method: 'PUT', body: JSON.stringify({ path, frontmatter, body }) }),
+  preview: (path) => call('/preview', { method: 'POST', body: JSON.stringify({ path }) }),
+  publish: (path) => call('/publish', { method: 'POST', body: JSON.stringify({ path }) }),
+  upload: uploadFile,
+  getProfile: () => call('/profile'),
+  saveProfile: (p) => call('/profile', { method: 'PUT', body: JSON.stringify(p) }),
+  getMe: () => call('/me'),
+  listUsers: () => call('/users'),
+  createUser: (email, password) => call('/users', { method: 'POST', body: JSON.stringify({ email, password }) }),
+  setPassword: (id, password) => call(`/users/${id}`, { method: 'PUT', body: JSON.stringify({ password }) }),
+  setRole: (id, role) => call(`/users/${id}`, { method: 'PUT', body: JSON.stringify({ role }) }),
+  deleteUser: (id) => call(`/users/${id}`, { method: 'DELETE' }),
+
+  // Foren-Verwaltung (Admin)
+  listForumsAdmin: () => call('/admin/forums'),
+  createForum: (f) => call('/admin/forums', { method: 'POST', body: JSON.stringify(f) }),
+  updateForum: (id, f) => call(`/admin/forums/${id}`, { method: 'PUT', body: JSON.stringify(f) }),
+  deleteForum: (id) => call(`/admin/forums/${id}`, { method: 'DELETE' }),
+
+  // Moderation (Admin + Redakteur)
+  modOverview: () => call('/mod/overview'),
+  lockThread: (key, locked) => call('/mod/thread-lock', { method: 'POST', body: JSON.stringify({ key, locked }) }),
+  deleteThread: (key) => call('/mod/thread-delete', { method: 'POST', body: JSON.stringify({ key }) }),
+  deleteComment: (id) => call(`/comments/${id}`, { method: 'DELETE' }),
+};
@@ -0,0 +1,10 @@
+import React from 'react';
+import { createRoot } from 'react-dom/client';
+import App from './App.jsx';
+import './styles.css';
+
+createRoot(document.getElementById('root')).render(
+  <React.StrictMode>
+    <App />
+  </React.StrictMode>,
+);
@@ -0,0 +1,190 @@
+@import url('https://fonts.bunny.net/css?family=newsreader:400,500,600,700|inter:400,500,600|space-grotesk:500,700|ibm-plex-mono:400,500');
+
+:root {
+  --serif: 'Newsreader', Georgia, serif;
+  --sans: 'Inter', system-ui, -apple-system, sans-serif;
+  --display: 'Space Grotesk', 'Inter', sans-serif;
+  --mono: 'IBM Plex Mono', ui-monospace, monospace;
+
+  --bg: hsl(35 14% 96%);
+  --panel: #fffdf9;
+  --panel-2: hsl(35 14% 93%);
+  --line: hsl(35 14% 86%);
+  --text: hsl(25 18% 12%);
+  --muted: hsl(25 8% 42%);
+
+  --accent: #b54a2c;
+  --accent-soft: #d97a5a;
+  --dark: #191919;
+  --dark-text: #f0f0f0;
+  --dark-muted: #a9a9a9;
+  --ok: #5d7d4b;
+  --amber: #b8902f;
+
+  --radius: 11px;
+  --pill: 22px;
+  --shadow: 0 10px 34px -22px rgba(40,20,10,.5);
+}
+
+* { box-sizing: border-box; }
+html, body, #root { height: 100%; }
+body { margin: 0; font-family: var(--sans); font-size: 14.5px; color: var(--text); background: var(--bg); }
+button, input, select, textarea { font-family: inherit; font-size: inherit; color: var(--text); }
+.muted { color: var(--muted); }
+.center { display: grid; place-items: center; height: 100%; }
+
+/* ── Login ── */
+.login { background: var(--panel); border: 1px solid var(--line); border-radius: var(--radius); padding: 36px 32px; width: 320px; display: flex; flex-direction: column; gap: 12px; box-shadow: var(--shadow); }
+.login-brand { font-family: var(--display); font-weight: 700; letter-spacing: .14em; font-size: 20px; }
+.login-sub { font-family: var(--serif); font-style: italic; color: var(--muted); margin-bottom: 10px; }
+.err { color: var(--accent); margin: 4px 0 0; font-size: 13px; }
+
+/* ── Inputs / Buttons (Pill) ── */
+input, select, textarea { background: var(--panel); border: 1px solid var(--line); border-radius: 9px; padding: 9px 11px; width: 100%; }
+/* Einheitliche, kompakte Höhe für einzeilige Felder (Dropdowns = Textfelder) */
+.fields input, .fields select { height: 32px; padding: 0 10px; font-size: 14px; }
+.fields label.big input { height: 46px; padding: 0 13px; font-size: 21px; }
+.login input, .profile-card input, .userform input { height: 36px; }
+input:focus, select:focus, textarea:focus { outline: none; border-color: var(--accent-soft); box-shadow: 0 0 0 3px rgba(181,74,44,.12); }
+button { background: var(--panel); border: 1px solid var(--line); border-radius: var(--pill); padding: 8px 16px; cursor: pointer; font-weight: 500; transition: .12s; white-space: nowrap; }
+button:hover { border-color: var(--accent-soft); }
+button:disabled { opacity: .5; cursor: default; }
+button.primary { background: var(--accent); border-color: var(--accent); color: #fff; }
+button.primary:hover { background: #a23f23; }
+button.ghost { background: transparent; border-color: transparent; color: var(--dark-muted); }
+button.ghost:hover { color: #fff; border-color: var(--dark-muted); }
+
+/* ── Topbar (schwarz wie Site-Masthead) ── */
+.app { display: flex; flex-direction: column; height: 100%; }
+.topbar { display: flex; align-items: center; gap: 12px; padding: 0 18px; height: 54px; background: var(--dark); color: var(--dark-text); flex: none; }
+.topbar .logo { font-family: var(--display); font-weight: 700; letter-spacing: .14em; }
+.topbar .logo-sub { font-family: var(--serif); font-style: italic; color: var(--dark-muted); font-size: 13px; }
+.topbar .spacer { flex: 1; }
+.topbar .who { color: var(--dark-muted); font-size: 13px; }
+.nav { display: flex; gap: 4px; margin-left: 16px; }
+.nav button { background: transparent; border: none; color: var(--dark-muted); padding: 6px 15px; border-radius: var(--pill); }
+.nav button:hover { color: #fff; }
+.nav button.active { background: rgba(255,255,255,.12); color: #fff; }
+
+.body { display: flex; flex: 1; min-height: 0; }
+
+/* ── Sidebar ── */
+aside { width: 290px; flex: none; border-right: 1px solid var(--line); background: var(--panel-2); padding: 14px; overflow: auto; }
+.new { width: 100%; margin-bottom: 12px; background: var(--accent); border-color: var(--accent); color: #fff; font-weight: 600; }
+.new:hover { background: #a23f23; }
+.search { display: flex; align-items: center; gap: 7px; background: var(--panel); border: 1px solid var(--line); border-radius: var(--pill); padding: 0 13px; margin-bottom: 16px; }
+.search span { color: var(--muted); font-size: 17px; }
+.search input { border: none; background: transparent; padding: 9px 0; }
+.search input:focus { box-shadow: none; }
+.group { margin-bottom: 18px; }
+.group-title { display: flex; align-items: center; gap: 7px; font-family: var(--display); font-size: 11px; font-weight: 700; letter-spacing: .12em; text-transform: uppercase; color: var(--muted); margin: 0 6px 8px; }
+.group-title span { background: var(--line); color: var(--muted); border-radius: 20px; padding: 1px 7px; font-size: 10px; letter-spacing: 0; }
+.list { list-style: none; margin: 0; padding: 0; }
+.list li { display: flex; align-items: center; gap: 10px; padding: 9px; border-radius: 10px; cursor: pointer; }
+.list li:hover { background: var(--panel); }
+.list li.active { background: var(--panel); box-shadow: inset 3px 0 0 var(--accent), var(--shadow); }
+.list .dot { width: 10px; height: 10px; border-radius: 50%; flex: none; border: 1px solid rgba(0,0,0,.12); }
+.list .t { flex: 1; min-width: 0; display: flex; flex-direction: column; gap: 1px; }
+.list .t-title { font-family: var(--serif); font-size: 15.5px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
+.list .t-meta { font-size: 11px; color: var(--muted); }
+.draft-tag { font-size: 10px; color: var(--amber); border: 1px solid var(--amber); border-radius: 20px; padding: 1px 7px; flex: none; }
+
+main { flex: 1; min-width: 0; }
+.empty { display: grid; place-items: center; height: 100%; color: var(--muted); font-family: var(--serif); font-style: italic; padding: 24px; text-align: center; }
+.empty.small { font-size: 14px; }
+
+/* ── Editor ── */
+.editor { display: flex; height: 100%; }
+.editor-main { flex: 1; min-width: 0; display: flex; flex-direction: column; }
+.editor-head { display: flex; align-items: center; gap: 9px; padding: 11px 22px; border-bottom: 1px solid var(--line); background: var(--panel); flex: none; }
+.editor-head .crumb { font-family: var(--mono); font-size: 12px; color: var(--muted); overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
+.editor-head .spacer { flex: 1; }
+.editor-head .toggle { background: transparent; border-color: transparent; color: var(--muted); }
+.editor-head .toggle:hover { color: var(--text); border-color: var(--line); }
+.status { font-size: 11px; border-radius: var(--pill); padding: 3px 11px; font-weight: 600; }
+.status.draft { color: var(--amber); background: rgba(184,144,47,.12); }
+.status.live { color: var(--ok); background: rgba(93,125,75,.14); }
+
+/* Metadaten kompakt oben, Schreibfeld groß darunter */
+.fields { flex: 1; min-height: 0; padding: 16px 22px; overflow: auto; display: flex; flex-direction: column; gap: 10px; }
+.row { display: flex; gap: 12px; align-items: flex-end; }
+.meta { display: flex; flex-wrap: wrap; gap: 9px 12px; align-items: flex-end; }
+label { display: flex; flex-direction: column; gap: 3px; font-size: 11.5px; color: var(--muted); flex: 1; }
+.meta label { flex: 0 0 auto; }
+.meta label.sm { width: 160px; } .meta label.xs { width: 100px; } .meta label:not(.sm):not(.xs):not(.check) { flex: 1; min-width: 140px; }
+label.check { flex-direction: row; align-items: center; gap: 7px; white-space: nowrap; padding-bottom: 7px; }
+label.check input { width: auto; height: auto; }
+label.big input { font-family: var(--serif); font-weight: 600; }
+.colorpick { display: flex; align-items: center; gap: 8px; }
+.colorpick .swatch { width: 32px; height: 32px; border-radius: 7px; border: 1px solid rgba(0,0,0,.15); flex: none; }
+.colorpick select { flex: 1; }
+
+/* Cover-Upload */
+.cover-row { display: flex; align-items: center; gap: 8px; }
+.cover-row input { flex: 1; }
+.cover-row button { height: 32px; flex: none; padding: 0 14px; }
+.cover-thumb { width: 32px; height: 32px; border-radius: 7px; border: 1px solid var(--line); background: center/cover no-repeat; flex: none; }
+
+/* Autor:innen-Verwaltung */
+.userform { display: flex; gap: 8px; }
+.userform input { flex: 1; }
+.userlist { list-style: none; margin: 0; padding: 0; display: flex; flex-direction: column; gap: 8px; }
+.userlist li { display: flex; align-items: center; gap: 10px; padding: 8px 12px; border: 1px solid var(--line); border-radius: 10px; }
+.userlist .t { flex: 1; display: flex; align-items: center; gap: 9px; font-family: var(--serif); }
+.userlist button { padding: 5px 12px; font-size: 13px; }
+.userlist .status { padding: 2px 9px; }
+
+/* WYSIWYG-Editor füllt den meisten Platz */
+.rich { flex: 1; min-height: 460px; display: flex; flex-direction: column; }
+.rich-host { flex: 1; min-height: 0; }
+.rich .toastui-editor-defaultUI { height: 100%; border: 1px solid var(--line); border-radius: var(--radius); overflow: hidden; box-shadow: var(--shadow); font-family: var(--sans); }
+.toastui-editor-contents { font-family: var(--serif); font-size: 16px; }
+.toastui-editor-defaultUI-toolbar { background: var(--panel-2); }
+.toastui-editor-toolbar { border-top-left-radius: var(--radius); border-top-right-radius: var(--radius); }
+
+/* ── Ziehbarer Trenner + Vorschau ── */
+.splitter { width: 7px; flex: none; cursor: col-resize; background: var(--line); }
+.splitter:hover { background: var(--accent-soft); }
+.preview { flex: none; background: #fff; }
+.preview iframe { width: 100%; height: 100%; border: 0; }
+
+/* ── Profil ── */
+.profile { width: 100%; overflow: auto; display: flex; justify-content: center; padding: 44px 20px; }
+.profile-card { width: 100%; max-width: 560px; height: max-content; background: var(--panel); border: 1px solid var(--line); border-radius: var(--radius); box-shadow: var(--shadow); padding: 28px 30px; display: flex; flex-direction: column; gap: 16px; }
+.profile-card h2 { font-family: var(--serif); margin: 0 0 4px; font-weight: 600; }
+.avatar-row { display: flex; align-items: center; gap: 18px; }
+.avatar { width: 92px; height: 92px; border-radius: 50%; background: var(--panel-2) center/cover no-repeat; border: 1px solid var(--line); display: grid; place-items: center; font-size: 34px; flex: none; }
+.who-mail { font-size: 12px; margin: 9px 0 0; }
+.profile-card textarea { font-family: var(--serif); font-size: 15px; line-height: 1.6; resize: vertical; }
+.profile-card .actions { display: flex; }
+
+.profile-card.wide { max-width: 760px; }
+.role-select { width: auto; height: 32px; padding: 4px 10px; font-size: 13px; }
+
+/* ── Foren-Verwaltung ── */
+.forumlist { list-style: none; margin: 0; padding: 0; display: flex; flex-direction: column; gap: 8px; }
+.forumlist li { display: flex; align-items: center; gap: 10px; padding: 7px 12px; border: 1px solid var(--line); border-radius: 10px; }
+.forumlist li.is-library { background: var(--panel-2); }
+.forumlist .fsort { width: 2.2em; text-align: center; color: var(--muted); font-size: 12px; flex: none; }
+.forumlist .fname { flex: 1; height: 32px; }
+.forumlist .fcolor { width: 34px; height: 32px; padding: 2px; flex: none; }
+.forumlist .fslug { color: var(--muted); font-size: 12px; font-family: var(--mono, monospace); flex: none; }
+.forumlist button { padding: 5px 12px; font-size: 13px; }
+
+/* ── Moderation (zweispaltig) ── */
+.moderation { width: 100%; overflow: auto; display: grid; grid-template-columns: 1fr 1fr; gap: 20px; padding: 30px 24px; align-content: start; }
+.mod-col h2 { font-family: var(--serif); font-weight: 600; margin: 0 0 12px; }
+.modlist { list-style: none; margin: 0; padding: 0; display: flex; flex-direction: column; gap: 10px; }
+.modlist li { padding: 10px 13px; border: 1px solid var(--line); border-radius: 11px; background: var(--panel); }
+.modlist li.gone { opacity: .5; }
+.mod-head { font-size: 13.5px; }
+.mod-head .status { margin-left: 6px; padding: 1px 8px; background: rgba(184,144,47,.14); color: var(--amber); }
+.mod-body { font-family: var(--serif); font-size: 14.5px; margin: 6px 0; color: var(--text); }
+.mod-actions { display: flex; align-items: center; gap: 12px; font-size: 13px; }
+.mod-actions a { color: var(--muted); }
+.mod-actions button { padding: 4px 11px; font-size: 12.5px; }
+
+/* ── Toast ── */
+.toast { position: fixed; bottom: 20px; right: 20px; padding: 11px 18px; border-radius: 11px; color: #fff; cursor: pointer; box-shadow: 0 10px 30px -12px rgba(0,0,0,.4); font-size: 13.5px; max-width: 380px; z-index: 50; }
+.toast.ok { background: var(--ok); }
+.toast.err { background: var(--accent); }
@@ -0,0 +1,8 @@
+import { createClient } from '@supabase/supabase-js';
+
+// Öffentliche Browser-Werte (zur Build-Zeit von Vite eingesetzt). Der anon-Key
+// ist per Design öffentlich; die echte Autorität liegt server-seitig.
+const url = import.meta.env.VITE_SUPABASE_URL;
+const anonKey = import.meta.env.VITE_SUPABASE_ANON_KEY;
+
+export const supabase = createClient(url, anonKey);
@@ -0,0 +1,15 @@
+import { defineConfig } from 'vite';
+import react from '@vitejs/plugin-react';
+
+// base /admin/ — die SPA wird vom CMS-Container unter /admin serviert.
+export default defineConfig({
+  plugins: [react()],
+  base: '/admin/',
+  server: {
+    // Dev: API + /_preview vom laufenden Container durchreichen.
+    proxy: {
+      '/api': 'http://localhost:8080',
+      '/_preview': 'http://localhost:8080',
+    },
+  },
+});
@@ -0,0 +1,51 @@
+# --- Stage 1: Admin-SPA bauen ---
+# (Build-Context ist cms/, siehe docker-compose.yml)
+FROM node:24-bookworm-slim AS admin
+WORKDIR /admin
+COPY admin/package.json admin/package-lock.json* ./
+RUN npm install --no-audit --no-fund
+COPY admin/ ./
+# Öffentliche Browser-Werte, zur Build-Zeit eingesetzt.
+ARG VITE_SUPABASE_URL
+ARG VITE_SUPABASE_ANON_KEY
+ENV VITE_SUPABASE_URL=$VITE_SUPABASE_URL
+ENV VITE_SUPABASE_ANON_KEY=$VITE_SUPABASE_ANON_KEY
+RUN npm run build
+
+# --- Stage 2: API + Hugo + serviert Site/Admin ---
+# Debian-slim statt Alpine: Hugo "extended" ist glibc-gelinkt.
+FROM node:24-bookworm-slim
+ARG HUGO_VERSION=0.161.1
+# Von BuildKit automatisch auf die Ziel-Arch gesetzt (amd64 auf dem LXC,
+# arm64 z.B. auf Apple-Silicon) — kein fester Default, sonst falsche Binary.
+ARG TARGETARCH
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends ca-certificates git curl \
+ && rm -rf /var/lib/apt/lists/* \
+ && case "${TARGETARCH}" in \
+      arm64) HUGO_ARCH=linux-arm64 ;; \
+      *)     HUGO_ARCH=linux-amd64 ;; \
+    esac \
+ && curl -sSL "https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_${HUGO_ARCH}.tar.gz" \
+      | tar -xz -C /usr/local/bin hugo \
+ && hugo version
+
+WORKDIR /app
+COPY api/package.json api/package-lock.json* ./
+RUN npm install --omit=dev --no-audit --no-fund
+COPY api/src ./src
+COPY api/entrypoint.sh ./entrypoint.sh
+COPY --from=admin /admin/dist ./admin-dist
+
+ENV NODE_ENV=production
+ENV ADMIN_DIR=/app/admin-dist
+
+# Als non-root laufen (das node-Image bringt den User `node`, uid/gid 1000 mit).
+# /app gehört dem Build (root, read-only zur Laufzeit — reicht zum Servieren).
+# Das gemountete Repo unter /site muss uid 1000 gehören (siehe Proxmox-Script:
+# chown -R 1000:1000), damit Hugo dort public/ bauen und content/ schreiben kann.
+USER node
+
+EXPOSE 3000
+CMD ["sh", "/app/entrypoint.sh"]
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Beim Container-Start die Hugo-Site einmal bauen, damit die Live-Seite (/)
+# sofort steht — auch vor dem ersten Publish. public/ ist git-ignored und
+# existiert im frischen Clone nicht; ohne diesen Build gäbe es 404 auf /.
+set -e
+
+SITE_DIR="${SITE_DIR:-/site}"
+
+echo "→ Initialer Hugo-Build ($SITE_DIR → public/)…"
+if hugo --source "$SITE_DIR" --destination "$SITE_DIR/public" --cleanDestinationDir; then
+  echo "✓ Live-Seite gebaut."
+else
+  echo "WARN: Hugo-Build fehlgeschlagen — Live-Seite bleibt leer bis zum ersten Publish."
+fi
+
+exec node src/index.js
@@ -0,0 +1,783 @@
+{
+  "name": "openbureau-cms-api",
+  "version": "0.1.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "openbureau-cms-api",
+      "version": "0.1.0",
+      "dependencies": {
+        "@hono/node-server": "^1.13.7",
+        "@supabase/supabase-js": "^2.47.10",
+        "gray-matter": "^4.0.3",
+        "hono": "^4.6.14",
+        "marked": "^14.1.4",
+        "sharp": "^0.33.5"
+      }
+    },
+    "node_modules/@emnapi/runtime": {
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.10.0.tgz",
+      "integrity": "sha512-ewvYlk86xUoGI0zQRNq/mC+16R1QeDlKQy21Ki3oSYXNgLb45GV1P6A0M+/s6nyCuNDqe5VpaY84BzXGwVbwFA==",
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "tslib": "^2.4.0"
+      }
+    },
+    "node_modules/@hono/node-server": {
+      "version": "1.19.14",
+      "resolved": "https://registry.npmjs.org/@hono/node-server/-/node-server-1.19.14.tgz",
+      "integrity": "sha512-GwtvgtXxnWsucXvbQXkRgqksiH2Qed37H9xHZocE5sA3N8O8O8/8FA3uclQXxXVzc9XBZuEOMK7+r02FmSpHtw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.14.1"
+      },
+      "peerDependencies": {
+        "hono": "^4"
+      }
+    },
+    "node_modules/@img/sharp-darwin-arm64": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-arm64/-/sharp-darwin-arm64-0.33.5.tgz",
+      "integrity": "sha512-UT4p+iz/2H4twwAoLCqfA9UH5pI6DggwKEGuaPy7nCVQ8ZsiY5PIcrRvD1DzuY3qYL07NtIQcWnBSY/heikIFQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-darwin-arm64": "1.0.4"
+      }
+    },
+    "node_modules/@img/sharp-darwin-x64": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-x64/-/sharp-darwin-x64-0.33.5.tgz",
+      "integrity": "sha512-fyHac4jIc1ANYGRDxtiqelIbdWkIuQaI84Mv45KvGRRxSAa7o7d1ZKAOBaYbnepLC1WqxfpimdeWfvqqSGwR2Q==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-darwin-x64": "1.0.4"
+      }
+    },
+    "node_modules/@img/sharp-libvips-darwin-arm64": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-arm64/-/sharp-libvips-darwin-arm64-1.0.4.tgz",
+      "integrity": "sha512-XblONe153h0O2zuFfTAbQYAX2JhYmDHeWikp1LM9Hul9gVPjFY427k6dFEcOL72O01QxQsWi761svJ/ev9xEDg==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-darwin-x64": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-x64/-/sharp-libvips-darwin-x64-1.0.4.tgz",
+      "integrity": "sha512-xnGR8YuZYfJGmWPvmlunFaWJsb9T/AO2ykoP3Fz/0X5XV2aoYBPkX6xqCQvUTKKiLddarLaxpzNe+b1hjeWHAQ==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-arm": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm/-/sharp-libvips-linux-arm-1.0.5.tgz",
+      "integrity": "sha512-gvcC4ACAOPRNATg/ov8/MnbxFDJqf/pDePbBnuBDcjsI8PssmjoKMAz4LtLaVi+OnSb5FK/yIOamqDwGmXW32g==",
+      "cpu": [
+        "arm"
+      ],
+      "libc": [
+        "glibc"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-arm64": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm64/-/sharp-libvips-linux-arm64-1.0.4.tgz",
+      "integrity": "sha512-9B+taZ8DlyyqzZQnoeIvDVR/2F4EbMepXMc/NdVbkzsJbzkUjhXv/70GQJ7tdLA4YJgNP25zukcxpX2/SueNrA==",
+      "cpu": [
+        "arm64"
+      ],
+      "libc": [
+        "glibc"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-s390x": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-s390x/-/sharp-libvips-linux-s390x-1.0.4.tgz",
+      "integrity": "sha512-u7Wz6ntiSSgGSGcjZ55im6uvTrOxSIS8/dgoVMoiGE9I6JAfU50yH5BoDlYA1tcuGS7g/QNtetJnxA6QEsCVTA==",
+      "cpu": [
+        "s390x"
+      ],
+      "libc": [
+        "glibc"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-x64": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-x64/-/sharp-libvips-linux-x64-1.0.4.tgz",
+      "integrity": "sha512-MmWmQ3iPFZr0Iev+BAgVMb3ZyC4KeFc3jFxnNbEPas60e1cIfevbtuyf9nDGIzOaW9PdnDciJm+wFFaTlj5xYw==",
+      "cpu": [
+        "x64"
+      ],
+      "libc": [
+        "glibc"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linuxmusl-arm64": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-arm64/-/sharp-libvips-linuxmusl-arm64-1.0.4.tgz",
+      "integrity": "sha512-9Ti+BbTYDcsbp4wfYib8Ctm1ilkugkA/uscUn6UXK1ldpC1JjiXbLfFZtRlBhjPZ5o1NCLiDbg8fhUPKStHoTA==",
+      "cpu": [
+        "arm64"
+      ],
+      "libc": [
+        "musl"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linuxmusl-x64": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-x64/-/sharp-libvips-linuxmusl-x64-1.0.4.tgz",
+      "integrity": "sha512-viYN1KX9m+/hGkJtvYYp+CCLgnJXwiQB39damAO7WMdKWlIhmYTfHjwSbQeUK/20vY154mwezd9HflVFM1wVSw==",
+      "cpu": [
+        "x64"
+      ],
+      "libc": [
+        "musl"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-linux-arm": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm/-/sharp-linux-arm-0.33.5.tgz",
+      "integrity": "sha512-JTS1eldqZbJxjvKaAkxhZmBqPRGmxgu+qFKSInv8moZ2AmT5Yib3EQ1c6gp493HvrvV8QgdOXdyaIBrhvFhBMQ==",
+      "cpu": [
+        "arm"
+      ],
+      "libc": [
+        "glibc"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-arm": "1.0.5"
+      }
+    },
+    "node_modules/@img/sharp-linux-arm64": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm64/-/sharp-linux-arm64-0.33.5.tgz",
+      "integrity": "sha512-JMVv+AMRyGOHtO1RFBiJy/MBsgz0x4AWrT6QoEVVTyh1E39TrCUpTRI7mx9VksGX4awWASxqCYLCV4wBZHAYxA==",
+      "cpu": [
+        "arm64"
+      ],
+      "libc": [
+        "glibc"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-arm64": "1.0.4"
+      }
+    },
+    "node_modules/@img/sharp-linux-s390x": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-s390x/-/sharp-linux-s390x-0.33.5.tgz",
+      "integrity": "sha512-y/5PCd+mP4CA/sPDKl2961b+C9d+vPAveS33s6Z3zfASk2j5upL6fXVPZi7ztePZ5CuH+1kW8JtvxgbuXHRa4Q==",
+      "cpu": [
+        "s390x"
+      ],
+      "libc": [
+        "glibc"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-s390x": "1.0.4"
+      }
+    },
+    "node_modules/@img/sharp-linux-x64": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-x64/-/sharp-linux-x64-0.33.5.tgz",
+      "integrity": "sha512-opC+Ok5pRNAzuvq1AG0ar+1owsu842/Ab+4qvU879ippJBHvyY5n2mxF1izXqkPYlGuP/M556uh53jRLJmzTWA==",
+      "cpu": [
+        "x64"
+      ],
+      "libc": [
+        "glibc"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-x64": "1.0.4"
+      }
+    },
+    "node_modules/@img/sharp-linuxmusl-arm64": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-arm64/-/sharp-linuxmusl-arm64-0.33.5.tgz",
+      "integrity": "sha512-XrHMZwGQGvJg2V/oRSUfSAfjfPxO+4DkiRh6p2AFjLQztWUuY/o8Mq0eMQVIY7HJ1CDQUJlxGGZRw1a5bqmd1g==",
+      "cpu": [
+        "arm64"
+      ],
+      "libc": [
+        "musl"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linuxmusl-arm64": "1.0.4"
+      }
+    },
+    "node_modules/@img/sharp-linuxmusl-x64": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-x64/-/sharp-linuxmusl-x64-0.33.5.tgz",
+      "integrity": "sha512-WT+d/cgqKkkKySYmqoZ8y3pxx7lx9vVejxW/W4DOFMYVSkErR+w7mf2u8m/y4+xHe7yY9DAXQMWQhpnMuFfScw==",
+      "cpu": [
+        "x64"
+      ],
+      "libc": [
+        "musl"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linuxmusl-x64": "1.0.4"
+      }
+    },
+    "node_modules/@img/sharp-wasm32": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-wasm32/-/sharp-wasm32-0.33.5.tgz",
+      "integrity": "sha512-ykUW4LVGaMcU9lu9thv85CbRMAwfeadCJHRsg2GmeRa/cJxsVY9Rbd57JcMxBkKHag5U/x7TSBpScF4U8ElVzg==",
+      "cpu": [
+        "wasm32"
+      ],
+      "license": "Apache-2.0 AND LGPL-3.0-or-later AND MIT",
+      "optional": true,
+      "dependencies": {
+        "@emnapi/runtime": "^1.2.0"
+      },
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-win32-ia32": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-win32-ia32/-/sharp-win32-ia32-0.33.5.tgz",
+      "integrity": "sha512-T36PblLaTwuVJ/zw/LaH0PdZkRz5rd3SmMHX8GSmR7vtNSP5Z6bQkExdSK7xGWyxLw4sUknBuugTelgw2faBbQ==",
+      "cpu": [
+        "ia32"
+      ],
+      "license": "Apache-2.0 AND LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-win32-x64": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-win32-x64/-/sharp-win32-x64-0.33.5.tgz",
+      "integrity": "sha512-MpY/o8/8kj+EcnxwvrP4aTJSWw/aZ7JIGR4aBeZkZw5B7/Jn+tY9/VNwtcoGmdT7GfggGIU4kygOMSbYnOrAbg==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "Apache-2.0 AND LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@supabase/auth-js": {
+      "version": "2.106.2",
+      "resolved": "https://registry.npmjs.org/@supabase/auth-js/-/auth-js-2.106.2.tgz",
+      "integrity": "sha512-VcAjUErkHkhC5Jaf+g/G1qbkQrFh8edaCdHa7pxJmHUjkWKjT7UnYCtPA89XV0N0GIYRkEqJZw5V62CtOxTmBQ==",
+      "license": "MIT",
+      "dependencies": {
+        "tslib": "2.8.1"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      }
+    },
+    "node_modules/@supabase/functions-js": {
+      "version": "2.106.2",
+      "resolved": "https://registry.npmjs.org/@supabase/functions-js/-/functions-js-2.106.2.tgz",
+      "integrity": "sha512-oRnr0QrL8H+zTO1YyQ1QjiHZU/957jvubbxSJTUm2XLAgzoGGV9Tahfyd+uvLsBLRVmXLtpU3oyCjdQIvkGMOA==",
+      "license": "MIT",
+      "dependencies": {
+        "tslib": "2.8.1"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      }
+    },
+    "node_modules/@supabase/phoenix": {
+      "version": "0.4.2",
+      "resolved": "https://registry.npmjs.org/@supabase/phoenix/-/phoenix-0.4.2.tgz",
+      "integrity": "sha512-YSAGnmDAfuleFCVt3CeurQZAhxRfXWeZIIkwp7NhYzQ1UwW6ePSnzsFAiUm/mbCkfoCf70QQHKW/K6RKh52a4A==",
+      "license": "MIT"
+    },
+    "node_modules/@supabase/postgrest-js": {
+      "version": "2.106.2",
+      "resolved": "https://registry.npmjs.org/@supabase/postgrest-js/-/postgrest-js-2.106.2.tgz",
+      "integrity": "sha512-tDOzyPgp9pIRMR2x6C9+uDSJrnXSzxLtt3d7nC+Lrsy3jnJDHYfdQC/xcRyhJE/TOBJ0heSqRKR3UmejDjZxsw==",
+      "license": "MIT",
+      "dependencies": {
+        "tslib": "2.8.1"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      }
+    },
+    "node_modules/@supabase/realtime-js": {
+      "version": "2.106.2",
+      "resolved": "https://registry.npmjs.org/@supabase/realtime-js/-/realtime-js-2.106.2.tgz",
+      "integrity": "sha512-LdRGT7DNhyZkPjubUv5bSdAZ0jSEX8wTHvx7htj7+K59TOZRvz4TuQK7tL2RWxyIZVeFMRluL04SzWS61rKnUA==",
+      "license": "MIT",
+      "dependencies": {
+        "@supabase/phoenix": "^0.4.2",
+        "tslib": "2.8.1"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      }
+    },
+    "node_modules/@supabase/storage-js": {
+      "version": "2.106.2",
+      "resolved": "https://registry.npmjs.org/@supabase/storage-js/-/storage-js-2.106.2.tgz",
+      "integrity": "sha512-xgKCSYuev1YarV+iVqr+zlfgSyremnJtn8T0NCT8L4XmMv1CLtESc0Q6kNp8+mKWdX/8ND0nzm7OMKx08kwNAw==",
+      "license": "MIT",
+      "dependencies": {
+        "iceberg-js": "^0.8.1",
+        "tslib": "2.8.1"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      }
+    },
+    "node_modules/@supabase/supabase-js": {
+      "version": "2.106.2",
+      "resolved": "https://registry.npmjs.org/@supabase/supabase-js/-/supabase-js-2.106.2.tgz",
+      "integrity": "sha512-2/RZ/1fmJx/MRSEDG2Xk8+J4JVk5clM9V0uSI6kUTrcS32KA89DtqI5RUOC9r6mzY3WBC9qexLjssIHjbLyVJA==",
+      "license": "MIT",
+      "dependencies": {
+        "@supabase/auth-js": "2.106.2",
+        "@supabase/functions-js": "2.106.2",
+        "@supabase/postgrest-js": "2.106.2",
+        "@supabase/realtime-js": "2.106.2",
+        "@supabase/storage-js": "2.106.2"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      }
+    },
+    "node_modules/argparse": {
+      "version": "1.0.10",
+      "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz",
+      "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==",
+      "license": "MIT",
+      "dependencies": {
+        "sprintf-js": "~1.0.2"
+      }
+    },
+    "node_modules/color": {
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/color/-/color-4.2.3.tgz",
+      "integrity": "sha512-1rXeuUUiGGrykh+CeBdu5Ie7OJwinCgQY0bc7GCRxy5xVHy+moaqkpL/jqQq0MtQOeYcrqEz4abc5f0KtU7W4A==",
+      "license": "MIT",
+      "dependencies": {
+        "color-convert": "^2.0.1",
+        "color-string": "^1.9.0"
+      },
+      "engines": {
+        "node": ">=12.5.0"
+      }
+    },
+    "node_modules/color-convert": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+      "license": "MIT",
+      "dependencies": {
+        "color-name": "~1.1.4"
+      },
+      "engines": {
+        "node": ">=7.0.0"
+      }
+    },
+    "node_modules/color-name": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
+      "license": "MIT"
+    },
+    "node_modules/color-string": {
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/color-string/-/color-string-1.9.1.tgz",
+      "integrity": "sha512-shrVawQFojnZv6xM40anx4CkoDP+fZsw/ZerEMsW/pyzsRbElpsL/DBVW7q3ExxwusdNXI3lXpuhEZkzs8p5Eg==",
+      "license": "MIT",
+      "dependencies": {
+        "color-name": "^1.0.0",
+        "simple-swizzle": "^0.2.2"
+      }
+    },
+    "node_modules/detect-libc": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
+      "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==",
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/esprima": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz",
+      "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==",
+      "license": "BSD-2-Clause",
+      "bin": {
+        "esparse": "bin/esparse.js",
+        "esvalidate": "bin/esvalidate.js"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/extend-shallow": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz",
+      "integrity": "sha512-zCnTtlxNoAiDc3gqY2aYAWFx7XWWiasuF2K8Me5WbN8otHKTUKBwjPtNpRs/rbUZm7KxWAaNj7P1a/p52GbVug==",
+      "license": "MIT",
+      "dependencies": {
+        "is-extendable": "^0.1.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/gray-matter": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/gray-matter/-/gray-matter-4.0.3.tgz",
+      "integrity": "sha512-5v6yZd4JK3eMI3FqqCouswVqwugaA9r4dNZB1wwcmrD02QkV5H0y7XBQW8QwQqEaZY1pM9aqORSORhJRdNK44Q==",
+      "license": "MIT",
+      "dependencies": {
+        "js-yaml": "^3.13.1",
+        "kind-of": "^6.0.2",
+        "section-matter": "^1.0.0",
+        "strip-bom-string": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=6.0"
+      }
+    },
+    "node_modules/hono": {
+      "version": "4.12.23",
+      "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.23.tgz",
+      "integrity": "sha512-eIaZ9qDgu7XV0pxOCrg7/WhnQ6Ivm22UcxhXx/A3dcbqbbYgBEkc6e/J/s7j2tS96zoB0S9VBdLwQNCWwUo4LA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=16.9.0"
+      }
+    },
+    "node_modules/iceberg-js": {
+      "version": "0.8.1",
+      "resolved": "https://registry.npmjs.org/iceberg-js/-/iceberg-js-0.8.1.tgz",
+      "integrity": "sha512-1dhVQZXhcHje7798IVM+xoo/1ZdVfzOMIc8/rgVSijRK38EDqOJoGula9N/8ZI5RD8QTxNQtK/Gozpr+qUqRRA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.0.0"
+      }
+    },
+    "node_modules/is-arrayish": {
+      "version": "0.3.4",
+      "resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.3.4.tgz",
+      "integrity": "sha512-m6UrgzFVUYawGBh1dUsWR5M2Clqic9RVXC/9f8ceNlv2IcO9j9J/z8UoCLPqtsPBFNzEpfR3xftohbfqDx8EQA==",
+      "license": "MIT"
+    },
+    "node_modules/is-extendable": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-0.1.1.tgz",
+      "integrity": "sha512-5BMULNob1vgFX6EjQw5izWDxrecWK9AM72rugNr0TFldMOi0fj6Jk+zeKIt0xGj4cEfQIJth4w3OKWOJ4f+AFw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/js-yaml": {
+      "version": "3.14.2",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
+      "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
+      "license": "MIT",
+      "dependencies": {
+        "argparse": "^1.0.7",
+        "esprima": "^4.0.0"
+      },
+      "bin": {
+        "js-yaml": "bin/js-yaml.js"
+      }
+    },
+    "node_modules/kind-of": {
+      "version": "6.0.3",
+      "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-6.0.3.tgz",
+      "integrity": "sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/marked": {
+      "version": "14.1.4",
+      "resolved": "https://registry.npmjs.org/marked/-/marked-14.1.4.tgz",
+      "integrity": "sha512-vkVZ8ONmUdPnjCKc5uTRvmkRbx4EAi2OkTOXmfTDhZz3OFqMNBM1oTTWwTr4HY4uAEojhzPf+Fy8F1DWa3Sndg==",
+      "license": "MIT",
+      "bin": {
+        "marked": "bin/marked.js"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/section-matter": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/section-matter/-/section-matter-1.0.0.tgz",
+      "integrity": "sha512-vfD3pmTzGpufjScBh50YHKzEu2lxBWhVEHsNGoEXmCmn2hKGfeNLYMzCJpe8cD7gqX7TJluOVpBkAequ6dgMmA==",
+      "license": "MIT",
+      "dependencies": {
+        "extend-shallow": "^2.0.1",
+        "kind-of": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/semver": {
+      "version": "7.8.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.1.tgz",
+      "integrity": "sha512-rkVq3IXh+4FDGch+KwzX3aV9W3kO54GyEgpvBzSyctDA6Xtd7RJQV1xmXbeQp5v7+VzLOfVqiutSE6GICgPFvg==",
+      "license": "ISC",
+      "bin": {
+        "semver": "bin/semver.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/sharp": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/sharp/-/sharp-0.33.5.tgz",
+      "integrity": "sha512-haPVm1EkS9pgvHrQ/F3Xy+hgcuMV0Wm9vfIBSiwZ05k+xgb0PkBQpGsAA/oWdDobNaZTH5ppvHtzCFbnSEwHVw==",
+      "hasInstallScript": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "color": "^4.2.3",
+        "detect-libc": "^2.0.3",
+        "semver": "^7.6.3"
+      },
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-darwin-arm64": "0.33.5",
+        "@img/sharp-darwin-x64": "0.33.5",
+        "@img/sharp-libvips-darwin-arm64": "1.0.4",
+        "@img/sharp-libvips-darwin-x64": "1.0.4",
+        "@img/sharp-libvips-linux-arm": "1.0.5",
+        "@img/sharp-libvips-linux-arm64": "1.0.4",
+        "@img/sharp-libvips-linux-s390x": "1.0.4",
+        "@img/sharp-libvips-linux-x64": "1.0.4",
+        "@img/sharp-libvips-linuxmusl-arm64": "1.0.4",
+        "@img/sharp-libvips-linuxmusl-x64": "1.0.4",
+        "@img/sharp-linux-arm": "0.33.5",
+        "@img/sharp-linux-arm64": "0.33.5",
+        "@img/sharp-linux-s390x": "0.33.5",
+        "@img/sharp-linux-x64": "0.33.5",
+        "@img/sharp-linuxmusl-arm64": "0.33.5",
+        "@img/sharp-linuxmusl-x64": "0.33.5",
+        "@img/sharp-wasm32": "0.33.5",
+        "@img/sharp-win32-ia32": "0.33.5",
+        "@img/sharp-win32-x64": "0.33.5"
+      }
+    },
+    "node_modules/simple-swizzle": {
+      "version": "0.2.4",
+      "resolved": "https://registry.npmjs.org/simple-swizzle/-/simple-swizzle-0.2.4.tgz",
+      "integrity": "sha512-nAu1WFPQSMNr2Zn9PGSZK9AGn4t/y97lEm+MXTtUDwfP0ksAIX4nO+6ruD9Jwut4C49SB1Ws+fbXsm/yScWOHw==",
+      "license": "MIT",
+      "dependencies": {
+        "is-arrayish": "^0.3.1"
+      }
+    },
+    "node_modules/sprintf-js": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
+      "integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==",
+      "license": "BSD-3-Clause"
+    },
+    "node_modules/strip-bom-string": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/strip-bom-string/-/strip-bom-string-1.0.0.tgz",
+      "integrity": "sha512-uCC2VHvQRYu+lMh4My/sFNmF2klFymLX1wHJeXnbEJERpV/ZsVuonzerjfrGpIGF7LBVa1O7i9kjiWvJiFck8g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/tslib": {
+      "version": "2.8.1",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
+      "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
+      "license": "0BSD"
+    }
+  }
+}
@@ -0,0 +1,20 @@
+{
+  "name": "openbureau-cms-api",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "description": "Headless CMS backend für OPENBUREAU — schreibt Supabase-Posts in Hugo-content/, baut und serviert die Site.",
+  "scripts": {
+    "start": "node src/index.js",
+    "dev": "node --watch src/index.js",
+    "test": "node --test"
+  },
+  "dependencies": {
+    "@hono/node-server": "^1.13.7",
+    "@supabase/supabase-js": "^2.47.10",
+    "gray-matter": "^4.0.3",
+    "hono": "^4.6.14",
+    "marked": "^14.1.4",
+    "sharp": "^0.33.5"
+  }
+}
@@ -0,0 +1,72 @@
+import { verify } from 'hono/jwt';
+import { supabaseAuth } from './supabase.js';
+
+// Supabase-Tokens sind HS256-signiert. Mit dem JWT_SECRET verifizieren wir sie
+// lokal (Signatur + Ablauf) — das spart pro Request den Roundtrip zu GoTrue.
+// Ohne JWT_SECRET (z.B. Alt-Deploy) fällt requireAuth auf die Remote-Prüfung
+// zurück. Tokens sind kurzlebig (1h) und Self-Signup ist aus → kein
+// Sperr-Check nötig.
+const JWT_SECRET = process.env.JWT_SECRET || '';
+
+// Liefert ein User-Objekt {id,email,app_metadata} oder null.
+async function verifyToken(token) {
+  if (JWT_SECRET) {
+    try {
+      const p = await verify(token, JWT_SECRET, 'HS256');
+      if (!p?.sub) return null;
+      return { id: p.sub, email: p.email || '', app_metadata: p.app_metadata || {} };
+    } catch { return null; }
+  }
+  const { data, error } = await supabaseAuth.auth.getUser(token);
+  if (error || !data?.user) return null;
+  return data.user;
+}
+
+// Rollen-Hierarchie: admin > editor (Redakteur) > user.
+//  - admin:  alles (Foren verwalten, moderieren, Nutzer/Rollen, Inhalte)
+//  - editor: moderieren (Wortmeldungen ausblenden/löschen, Threads sperren)
+//  - user:   im Forum mitschreiben
+// Admins aus der .env (ADMIN_EMAILS=a@x,b@y) sind immer Admin (Bootstrap, damit
+// man sich nicht aussperrt). Zusätzlich kann eine Rolle in app_metadata.role
+// liegen (im Admin-UI vergeben).
+const ADMINS = (process.env.ADMIN_EMAILS || '')
+  .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
+
+export function roleOf(user) {
+  const email = (user?.email || '').toLowerCase();
+  const meta = (user?.app_metadata?.role || '').toLowerCase();
+  if (ADMINS.includes(email) || meta === 'admin') return 'admin';
+  if (meta === 'editor') return 'editor';
+  return 'user';
+}
+
+// Verifiziert den Supabase-Access-Token und legt user/email/role im Kontext ab.
+export async function requireAuth(c, next) {
+  const header = c.req.header('Authorization') || '';
+  const token = header.startsWith('Bearer ') ? header.slice(7) : null;
+  if (!token) return c.json({ error: 'Nicht eingeloggt' }, 401);
+
+  const user = await verifyToken(token);
+  if (!user) return c.json({ error: 'Ungültiges Token' }, 401);
+
+  const email = (user.email || '').toLowerCase();
+  const role = roleOf(user);
+  c.set('user', user);
+  c.set('email', email);
+  c.set('role', role);
+  c.set('isAdmin', role === 'admin');
+  c.set('canModerate', role === 'admin' || role === 'editor');
+  await next();
+}
+
+// Nur Admins (nach requireAuth einsetzen).
+export async function requireAdmin(c, next) {
+  if (!c.get('isAdmin')) return c.json({ error: 'Nur für Admins' }, 403);
+  await next();
+}
+
+// Admins + Redakteure — fürs Moderieren (nach requireAuth einsetzen).
+export async function requireModerator(c, next) {
+  if (!c.get('canModerate')) return c.json({ error: 'Nur für Moderation' }, 403);
+  await next();
+}
@@ -0,0 +1,39 @@
+// Serialisiert asynchrone Aufgaben je `key` und koalesziert Wartende:
+// - Es läuft nie mehr als eine Aufgabe pro Key gleichzeitig.
+// - Kommen während eines Laufs weitere Aufrufe rein, wird GENAU EIN weiterer
+//   Durchlauf nachgelagert (egal wie viele warten) — sie teilen sich dessen
+//   Ergebnis. So sehen alle den jüngsten Stand, ohne einen Lauf-Sturm.
+//
+// Einsatz: teure, idempotente Vorgänge wie der Hugo-Build (siehe hugo.js).
+const state = new Map();
+
+export function coalesce(key, fn) {
+  let s = state.get(key);
+  if (!s) { s = { running: false, rerun: false, fn, waiters: [] }; state.set(key, s); }
+  s.fn = fn;   // jüngste Variante gewinnt für den nächsten Lauf
+  return new Promise((resolve, reject) => {
+    s.waiters.push({ resolve, reject });
+    if (!s.running) drain(key);
+    else s.rerun = true;
+  });
+}
+
+async function drain(key) {
+  const s = state.get(key);
+  s.running = true;
+  try {
+    do {
+      s.rerun = false;
+      const waiters = s.waiters;
+      s.waiters = [];
+      try {
+        const r = await s.fn();
+        waiters.forEach((w) => w.resolve(r));
+      } catch (e) {
+        waiters.forEach((w) => w.reject(e));
+      }
+    } while (s.rerun);
+  } finally {
+    s.running = false;
+  }
+}
@@ -0,0 +1,182 @@
+import { randomUUID } from 'node:crypto';
+import { readFile } from 'node:fs/promises';
+import path from 'node:path';
+import { supabase } from './supabase.js';
+import { listEntries } from './files.js';
+
+// Daten-Schicht für den Dialog (Foren + Threads + Wortmeldungen).
+// Alle DB-Zugriffe laufen über den Service-Client (umgeht RLS).
+
+const SITE_DIR = process.env.SITE_DIR || '/site';
+export const LIBRARY_SLUG = 'beitraege';
+
+export async function profileFor(email) {
+  try {
+    const all = JSON.parse(await readFile(path.join(SITE_DIR, 'data', 'authors.json'), 'utf8'));
+    return all[email] || null;
+  } catch { return null; }
+}
+
+// Library-Beiträge als Threads in der Kategorie „Beiträge" spiegeln, damit man
+// auf jeden Beitrag einen Dialog starten kann. Idempotent (upsert über key).
+//
+// Gedrosselt: Reads rufen das bei jedem Forum-Aufruf, aber der eigentliche
+// Sync (DB + Filesystem-Walk + Upsert) läuft höchstens alle SYNC_TTL ms.
+// `force: true` (z.B. nach Publish) überspringt die Drosselung.
+const SYNC_TTL = 60_000;
+let lastSync = 0;
+export async function syncLibrary({ force = false } = {}) {
+  if (!force && Date.now() - lastSync < SYNC_TTL) return;
+  lastSync = Date.now();
+  const { data: forum } = await supabase
+    .from('forums').select('id').eq('slug', LIBRARY_SLUG).single();
+  if (!forum) return;
+  let entries = [];
+  try { entries = (await listEntries()).filter((e) => e.kind === 'beitrag'); } catch { return; }
+  if (!entries.length) return;
+  const rows = entries.map((e) => ({
+    forum_id: forum.id, key: e.url, title: e.title, url: e.url, kind: 'library',
+  }));
+  // Nicht title überschreiben? Doch — Titel kann sich ändern. user_id/locked bleiben.
+  await supabase.from('threads').upsert(rows, { onConflict: 'key', ignoreDuplicates: false });
+}
+
+// Wortmeldungen pro Thread-Key aggregieren: { [key]: {count, last} }.
+// Aggregiert in Postgres (View comment_stats) statt alle Zeilen zu laden.
+async function commentStats() {
+  const { data } = await supabase.from('comment_stats').select('thread,count,last');
+  const map = {};
+  for (const r of data || []) map[r.thread] = { count: r.count, last: r.last };
+  return map;
+}
+
+// Alle Foren mit Thread-/Wortmeldungs-Zahl und letzter Aktivität.
+export async function forumsWithCounts() {
+  await syncLibrary();
+  const [{ data: forums }, { data: threads }, stats] = await Promise.all([
+    supabase.from('forums').select('*').order('sort'),
+    supabase.from('threads').select('id,forum_id,key,deleted'),
+    commentStats(),
+  ]);
+  const byForum = {};
+  for (const t of threads || []) {
+    if (t.deleted) continue;
+    const f = byForum[t.forum_id] || (byForum[t.forum_id] = { threads: 0, posts: 0, last: '' });
+    f.threads += 1;
+    const s = stats[t.key];
+    if (s) { f.posts += s.count; if (s.last > f.last) f.last = s.last; }
+  }
+  return (forums || []).map((f) => ({
+    ...f,
+    thread_count: byForum[f.id]?.threads || 0,
+    post_count: byForum[f.id]?.posts || 0,
+    last_at: byForum[f.id]?.last || null,
+  }));
+}
+
+// Ein Forum samt seiner Threads (nach letzter Aktivität sortiert).
+export async function forumWithThreads(slug) {
+  const { data: forum } = await supabase.from('forums').select('*').eq('slug', slug).single();
+  if (!forum) return null;
+  if (forum.kind === 'library') await syncLibrary();
+  const [{ data: threads }, stats] = await Promise.all([
+    supabase.from('threads').select('*').eq('forum_id', forum.id).eq('deleted', false),
+    commentStats(),
+  ]);
+  const list = (threads || []).map((t) => ({
+    key: t.key, title: t.title, url: t.url, kind: t.kind, locked: t.locked,
+    author_name: t.author_name, created_at: t.created_at,
+    count: stats[t.key]?.count || 0, last: stats[t.key]?.last || t.created_at,
+  })).sort((a, b) => (b.last || '').localeCompare(a.last || ''));
+  return { forum, threads: list };
+}
+
+// Letzte Wortmeldungen über alles — für die linke Spalte der Übersicht.
+export async function recentComments(limit = 20) {
+  await syncLibrary();
+  const [{ data: comments }, { data: threads }, { data: forums }] = await Promise.all([
+    supabase.from('comments').select('id,thread,author_name,body,created_at')
+      .eq('deleted', false).order('created_at', { ascending: false }).limit(limit),
+    supabase.from('threads').select('key,title,url,forum_id,kind'),
+    supabase.from('forums').select('id,slug,name'),
+  ]);
+  const tByKey = {}; for (const t of threads || []) tByKey[t.key] = t;
+  const fById = {}; for (const f of forums || []) fById[f.id] = f;
+  return (comments || []).map((c) => {
+    const t = tByKey[c.thread];
+    const f = t ? fById[t.forum_id] : null;
+    return {
+      id: c.id, body: c.body, author_name: c.author_name, created_at: c.created_at,
+      thread_title: t?.title || c.thread,
+      thread_url: t ? (t.kind === 'library' ? t.url : '/dialog/?thread=' + encodeURIComponent(c.thread)) : c.thread,
+      forum_name: f?.name || null, forum_slug: f?.slug || null,
+    };
+  });
+}
+
+// Moderations-Überblick: letzte Wortmeldungen + alle Threads (zum Sperren/Löschen).
+export async function recentForModeration() {
+  const [comments, { data: threads }, { data: forums }] = await Promise.all([
+    recentComments(50),
+    supabase.from('threads').select('key,title,url,kind,forum_id,locked,deleted,author_name,created_at')
+      .order('created_at', { ascending: false }),
+    supabase.from('forums').select('id,name,slug'),
+  ]);
+  const fById = {}; for (const f of forums || []) fById[f.id] = f;
+  const stats = await commentStats();
+  const t = (threads || []).map((x) => ({
+    key: x.key, title: x.title, url: x.url, kind: x.kind, locked: x.locked, deleted: x.deleted,
+    author_name: x.author_name, created_at: x.created_at,
+    forum_name: fById[x.forum_id]?.name || null,
+    count: stats[x.key]?.count || 0,
+  }));
+  return { comments, threads: t };
+}
+
+// Neuen Thread in einem Forum anlegen (+ erste Wortmeldung). Gibt den Thread zurück.
+export async function createThread({ forumId, forumSlug, title, body, user, email }) {
+  let fid = forumId;
+  if (!fid && forumSlug) {
+    const { data: f } = await supabase.from('forums').select('id,kind').eq('slug', forumSlug).single();
+    if (!f) return { error: 'Forum unbekannt' };
+    if (f.kind === 'library') return { error: 'In Beiträge entstehen Threads automatisch' };
+    fid = f.id;
+  }
+  if (!fid) return { error: 'Forum nötig' };
+  if (!title || !title.trim()) return { error: 'Titel nötig' };
+  if (!body || !body.trim()) return { error: 'Erster Beitrag nötig' };
+
+  const prof = await profileFor(email);
+  const name = prof?.name || email.split('@')[0];
+  const key = 't/' + randomUUID();
+  const { data: thread, error: e1 } = await supabase.from('threads').insert({
+    forum_id: fid, key, title: title.trim(), url: '/dialog/?thread=' + encodeURIComponent(key),
+    kind: 'forum', author_name: name, user_id: user.id,
+  }).select('*').single();
+  if (e1) return { error: e1.message };
+  const { error: e2 } = await supabase.from('comments').insert({
+    thread: key, user_id: user.id, author_name: name,
+    author_avatar: prof?.avatar || null, body: body.trim(),
+  });
+  if (e2) return { error: e2.message };
+  return { thread };
+}
+
+// Ist ein Thread gesperrt? (verhindert neue Wortmeldungen)
+export async function threadLocked(key) {
+  const { data } = await supabase.from('threads').select('locked').eq('key', key).single();
+  return !!data?.locked;
+}
+
+// Thread-Metadaten für die Thread-Ansicht (Titel, Forum-Rücklink, Lock-Status).
+export async function threadMeta(key) {
+  const { data: t } = await supabase
+    .from('threads').select('title,url,kind,locked,forum_id').eq('key', key).single();
+  if (!t) return null;
+  let forum = null;
+  if (t.forum_id) {
+    const { data: f } = await supabase.from('forums').select('slug,name').eq('id', t.forum_id).single();
+    forum = f || null;
+  }
+  return { title: t.title, url: t.url, kind: t.kind, locked: !!t.locked, forum };
+}
@@ -0,0 +1,119 @@
+import { readdir, readFile, writeFile, mkdir, stat } from 'node:fs/promises';
+import path from 'node:path';
+import matter from 'gray-matter';
+
+const SITE_DIR = process.env.SITE_DIR || '/site';
+const CONTENT = path.join(SITE_DIR, 'content');
+
+// Pfad-Sicherheit: relativer Pfad innerhalb content/, nur .md.
+export function safeRel(rel) {
+  if (!rel || typeof rel !== 'string') throw new Error('Pfad fehlt');
+  const norm = path.normalize(rel).split(path.sep).join('/');
+  if (norm.startsWith('..') || norm.startsWith('/') || norm.includes('../')) {
+    throw new Error('Ungültiger Pfad');
+  }
+  if (!norm.endsWith('.md')) throw new Error('Nur .md erlaubt');
+  return norm;
+}
+
+async function walk(dir) {
+  const out = [];
+  for (const e of await readdir(dir, { withFileTypes: true })) {
+    const full = path.join(dir, e.name);
+    if (e.isDirectory()) out.push(...(await walk(full)));
+    else if (e.name.endsWith('.md')) out.push(full);
+  }
+  return out;
+}
+
+// Beitrag (library/<section>/<slug>.md) | Rubrik (_index.md) | Seite (sonst).
+function classify(rel) {
+  const base = path.basename(rel);
+  const parts = rel.split('/');
+  if (base === '_index.md') {
+    const section = parts.length >= 2 ? parts[parts.length - 2] : 'home';
+    return { kind: 'rubrik', section };
+  }
+  if (parts[0] === 'library' && parts.length === 3) {
+    return { kind: 'beitrag', section: parts[1] };
+  }
+  return { kind: 'seite', section: null };
+}
+
+// authors-Frontmatter zu Array normalisieren (String oder Array erlaubt).
+export function normAuthors(a) {
+  if (Array.isArray(a)) return a.map(String).filter(Boolean);
+  if (a) return [String(a)];
+  return [];
+}
+
+// Hat diese E-Mail Zugriff (steht sie in der authors-Liste)?
+export function hasAccess(authors, email) {
+  const e = (email || '').toLowerCase();
+  return normAuthors(authors).some((a) => a.toLowerCase() === e);
+}
+
+// Hugo-URL aus dem relativen Pfad.
+export function urlFor(rel) {
+  let p = rel.replace(/\.md$/, '');
+  if (p === '_index') return '/';
+  p = p.replace(/\/_index$/, '');
+  return '/' + p + '/';
+}
+
+export async function listEntries() {
+  const files = await walk(CONTENT);
+  const items = [];
+  for (const full of files) {
+    const rel = path.relative(CONTENT, full).split(path.sep).join('/');
+    // Autor-Seiten werden über „Profil" verwaltet, nicht im Inhalts-Editor.
+    if (rel === 'authors' || rel.startsWith('authors/')) continue;
+    let data = {};
+    try { data = matter(await readFile(full, 'utf8')).data || {}; } catch {}
+    items.push({
+      path: rel,
+      title: data.title || rel,
+      ...classify(rel),
+      color: data.color || null,
+      layout: data.layout || null,
+      draft: !!data.draft,
+      date: data.date ? String(data.date).slice(0, 10) : null,
+      authors: normAuthors(data.authors),
+      url: urlFor(rel),
+    });
+  }
+  // Beiträge zuerst, dann Seiten, dann Rubriken; je nach Datum/Titel.
+  const order = { beitrag: 0, seite: 1, rubrik: 2 };
+  items.sort((a, b) =>
+    (order[a.kind] - order[b.kind]) ||
+    (b.date || '').localeCompare(a.date || '') ||
+    a.title.localeCompare(b.title));
+  return items;
+}
+
+export async function readEntry(rel) {
+  rel = safeRel(rel);
+  const { data, content } = matter(await readFile(path.join(CONTENT, rel), 'utf8'));
+  return { path: rel, url: urlFor(rel), frontmatter: data || {}, body: content || '' };
+}
+
+export async function entryExists(rel) {
+  try { await stat(path.join(CONTENT, safeRel(rel))); return true; }
+  catch { return false; }
+}
+
+export async function writeEntry(rel, frontmatter = {}, body = '') {
+  rel = safeRel(rel);
+  const full = path.join(CONTENT, rel);
+  await mkdir(path.dirname(full), { recursive: true });
+
+  // Leere Werte rauswerfen, damit das Frontmatter sauber bleibt.
+  const fm = {};
+  for (const [k, v] of Object.entries(frontmatter)) {
+    if (v === '' || v === null || v === undefined) continue;
+    if (Array.isArray(v) && v.length === 0) continue;
+    fm[k] = v;
+  }
+  await writeFile(full, matter.stringify(body || '', fm), 'utf8');
+  return rel;
+}
@@ -0,0 +1,49 @@
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import { coalesce } from './coalesce.js';
+
+const execFileP = promisify(execFile);
+const SITE_DIR = process.env.SITE_DIR || '/site';
+
+// Baut die Site. dest ist relativ zum Repo-Root (z.B. "public" oder "preview").
+// drafts:true => --buildDrafts (für die Vorschau).
+export async function hugoBuild({ dest, drafts = false } = {}) {
+  const args = ['--source', SITE_DIR, '--destination', dest, '--cleanDestinationDir'];
+  if (drafts) args.push('--buildDrafts');
+  const { stdout, stderr } = await execFileP('hugo', args, {
+    cwd: SITE_DIR,
+    maxBuffer: 10 * 1024 * 1024,
+  });
+  return { stdout, stderr };
+}
+
+// Koaleszierter Build je Ziel: nie zwei `hugo`-Prozesse für dasselbe dest
+// parallel; schnelle Folge-Aufrufe lösen nur einen nachgelagerten Build aus.
+// Publish (public), Preview (preview) und Profil teilen sich diesen Weg.
+export function buildSite({ dest, drafts = false } = {}) {
+  return coalesce(`build:${dest}:${drafts ? 'd' : 'p'}`, () => hugoBuild({ dest, drafts }));
+}
+
+// Optionaler Git-Backup beim Publish (GIT_PUBLISH=true). Schlägt nie hart fehl —
+// das Publish soll an einem Git-Problem nicht scheitern.
+export async function gitCommit(message) {
+  if (process.env.GIT_PUBLISH !== 'true') return { skipped: true };
+
+  const env = {
+    ...process.env,
+    GIT_AUTHOR_NAME: process.env.GIT_AUTHOR_NAME || 'OPENBUREAU CMS',
+    GIT_AUTHOR_EMAIL: process.env.GIT_AUTHOR_EMAIL || 'cms@openbureau.ch',
+    GIT_COMMITTER_NAME: process.env.GIT_AUTHOR_NAME || 'OPENBUREAU CMS',
+    GIT_COMMITTER_EMAIL: process.env.GIT_AUTHOR_EMAIL || 'cms@openbureau.ch',
+  };
+  const git = (...args) => execFileP('git', ['-C', SITE_DIR, ...args], { env });
+
+  await git('add', 'content');
+  // Nichts zu committen? Dann ruhig raus.
+  const status = await git('status', '--porcelain', 'content');
+  if (!status.stdout.trim()) return { nothing: true };
+
+  await git('commit', '-m', message);
+  await git('push', process.env.GIT_REMOTE || 'origin', process.env.GIT_BRANCH || 'main');
+  return { committed: true };
+}
@@ -0,0 +1,125 @@
+import { serve } from '@hono/node-server';
+import { serveStatic } from '@hono/node-server/serve-static';
+import { Hono } from 'hono';
+import { secureHeaders } from 'hono/secure-headers';
+import { bodyLimit } from 'hono/body-limit';
+
+import { rateLimit } from './ratelimit.js';
+import content from './routes/content.js';
+import preview from './routes/preview.js';
+import publish from './routes/publish.js';
+import upload from './routes/upload.js';
+import profile from './routes/profile.js';
+import users from './routes/users.js';
+import { listComments, createComment, deleteComment, login } from './routes/comments.js';
+import history from './routes/history.js';
+import {
+  listForums, showForum, recent, threadInfo, newThread, mod, adminForums,
+} from './routes/dialog.js';
+import { requireAuth } from './auth.js';
+import { syncLibrary } from './dialog-store.js';
+
+const SITE_DIR = process.env.SITE_DIR || '/site';
+const ADMIN_DIR = process.env.ADMIN_DIR || '/app/admin-dist';
+const PORT = Number(process.env.PORT || 3000);
+
+const app = new Hono();
+
+// --- Sicherheits-Header (auf allem) ---
+// CSP bewusst zurückhaltend: Site + Admin-SPA + Dialog-Widget laufen same-origin.
+app.use('*', secureHeaders({
+  xFrameOptions: 'SAMEORIGIN',
+  xContentTypeOptions: 'nosniff',
+  referrerPolicy: 'strict-origin-when-cross-origin',
+  crossOriginOpenerPolicy: 'same-origin',
+  // HSTS nur sinnvoll hinter TLS-Proxy; schadet via HTTP nicht (Browser ignoriert).
+  strictTransportSecurity: 'max-age=31536000; includeSubDomains',
+}));
+
+// Hochgeladene Bilder strikt isolieren: ein bösartiges SVG kann so kein
+// JavaScript im Origin ausführen (sandbox + keine Skript-Quellen).
+app.use('/images/*', secureHeaders({
+  contentSecurityPolicy: { defaultSrc: ["'none'"], imgSrc: ["'self'"], styleSrc: ["'unsafe-inline'"], sandbox: [] },
+  xContentTypeOptions: 'nosniff',
+}));
+
+// Statische Assets cachen: Hugo fingerprintet CSS/JS, Uploads haben stabile,
+// eindeutige Namen. HTML bleibt ungecacht (Antwort ohne Header → immer frisch).
+app.use('*', async (c, next) => {
+  await next();
+  if (c.req.method === 'GET' && /\.(css|js|mjs|woff2?|ttf|otf|eot|svg|png|jpe?g|webp|avif|gif|ico)$/i.test(c.req.path)) {
+    c.header('Cache-Control', 'public, max-age=604800');   // 1 Woche
+  }
+});
+
+// --- API ---
+// Globales Limit gegen aufgeblähte JSON-Bodies (DoS / DB-Bloat). Der Upload-Pfad
+// ist ausgenommen — der bringt sein eigenes, größeres Bild-Limit mit.
+const jsonBodyLimit = bodyLimit({ maxSize: 256 * 1024, onError: (c) => c.json({ error: 'Anfrage zu groß' }, 413) });
+app.use('/api/*', (c, next) =>
+  c.req.path.startsWith('/api/upload') ? next() : jsonBodyLimit(c, next));
+
+app.get('/api/health', (c) => c.json({ ok: true, hugo: '0.161.1+extended' }));
+// Öffentlich (ohne Login): Dialog lesen, Übersicht, Login fürs Dialog-Widget.
+app.get('/api/comments', listComments);
+app.get('/api/forums', listForums);
+app.get('/api/forums/:slug', showForum);
+app.get('/api/recent', recent);
+app.get('/api/thread', threadInfo);
+// Öffentlich: Versionsverlauf der Beiträge (Git-History) — auf der Site anzeigbar.
+app.route('/api/history', history);
+// Login gegen Brute-Force drosseln: max. 10 Versuche/IP pro 5 Minuten.
+app.post('/api/auth/login', rateLimit({ max: 10, windowMs: 5 * 60_000 }), login);
+// Alles weitere unter /api/* braucht ein gültiges Supabase-Token.
+app.use('/api/*', requireAuth);
+// Schreibzugriffe drosseln (Spam-Schutz, auch bei gekapertem Token):
+// 60 Mutationen/Minute je Nutzer. Lesen (GET) bleibt frei.
+const mutateLimit = rateLimit({
+  max: 60, windowMs: 60_000,
+  keyFn: (c) => 'u:' + (c.get('user')?.id || c.req.header('x-forwarded-for') || 'anon'),
+});
+app.use('/api/*', (c, next) => (c.req.method === 'GET' ? next() : mutateLimit(c, next)));
+app.get('/api/me', (c) => c.json({ email: c.get('email'), role: c.get('role'), isAdmin: c.get('isAdmin'), canModerate: c.get('canModerate') }));
+app.post('/api/comments', createComment);
+app.delete('/api/comments/:id', deleteComment);
+app.post('/api/threads', newThread);
+app.route('/api/mod', mod);
+app.route('/api/admin/forums', adminForums);
+app.route('/api/content', content);
+app.route('/api/preview', preview);
+app.route('/api/publish', publish);
+app.route('/api/upload', upload);
+app.route('/api/profile', profile);
+app.route('/api/users', users);
+
+// --- Admin-SPA (im Container mitgebaut, unter /admin serviert) ---
+app.get('/admin', (c) => c.redirect('/admin/'));
+app.use(
+  '/admin/*',
+  serveStatic({
+    root: ADMIN_DIR,
+    rewriteRequestPath: (p) => p.replace(/^\/admin/, '') || '/',
+  }),
+);
+
+// --- Vorschau (gebaut nach preview/ mit --buildDrafts) ---
+app.use(
+  '/_preview/*',
+  serveStatic({
+    root: `${SITE_DIR}/preview`,
+    rewriteRequestPath: (p) => p.replace(/^\/_preview/, ''),
+  }),
+);
+
+// Hochgeladene Bilder direkt aus static/ servieren — sofort sichtbar
+// (Vorschau, Cover, Profilbild), ohne auf den nächsten Hugo-Build zu warten.
+app.use('/images/*', serveStatic({ root: `${SITE_DIR}/static` }));
+
+// --- Live-Site (gebaut nach public/) ---
+app.use('/*', serveStatic({ root: `${SITE_DIR}/public` }));
+
+serve({ fetch: app.fetch, port: PORT }, (info) => {
+  console.log(`OPENBUREAU CMS läuft auf :${info.port} — Site + API + /_preview`);
+  // Library-Beiträge als Threads in „Beiträge" spiegeln (nicht blockierend).
+  syncLibrary().catch((e) => console.error('syncLibrary:', e?.message || e));
+});
@@ -0,0 +1,34 @@
+// Einfacher In-Memory-Rate-Limiter (ein Container, eine Instanz → genügt).
+// Fixed-Window pro Schlüssel (Standard: Client-IP). Bei Überschreitung 429.
+// Hinter einem Reverse-Proxy liefert X-Forwarded-For die echte IP.
+
+const buckets = new Map(); // key -> { count, reset }
+
+function clientIp(c) {
+  const xff = c.req.header('x-forwarded-for');
+  if (xff) return xff.split(',')[0].trim();
+  return c.req.header('x-real-ip') || 'unknown';
+}
+
+// max Anfragen je windowMs. keyFn erlaubt eigene Schlüssel (z.B. IP+E-Mail).
+export function rateLimit({ max = 10, windowMs = 60_000, keyFn = clientIp } = {}) {
+  return async (c, next) => {
+    const key = keyFn(c);
+    const now = Date.now();
+    let b = buckets.get(key);
+    if (!b || now > b.reset) { b = { count: 0, reset: now + windowMs }; buckets.set(key, b); }
+    b.count += 1;
+    if (b.count > max) {
+      const retry = Math.ceil((b.reset - now) / 1000);
+      c.header('Retry-After', String(retry));
+      return c.json({ error: 'Zu viele Anfragen — bitte später erneut.' }, 429);
+    }
+    await next();
+  };
+}
+
+// Speicher sauber halten: abgelaufene Buckets periodisch wegräumen.
+setInterval(() => {
+  const now = Date.now();
+  for (const [k, b] of buckets) if (now > b.reset) buckets.delete(k);
+}, 5 * 60_000).unref?.();
@@ -0,0 +1,74 @@
+import { supabase, supabaseAuth } from '../supabase.js';
+import { roleOf } from '../auth.js';
+import { profileFor, threadLocked } from '../dialog-store.js';
+import { serverError } from '../util.js';
+
+// Dialog: flache Wortmeldungen pro Thread (= Thread-Key), optionaler Bezug.
+
+const COLS = 'id,thread,parent_id,author_name,author_avatar,author_role,body,created_at,deleted';
+const MAX_BODY = 10_000;     // Zeichen je Wortmeldung
+const MAX_THREAD = 512;      // Thread-Key-Länge
+
+// ÖFFENTLICH: Wortmeldungen eines Threads lesen.
+export async function listComments(c) {
+  const thread = c.req.query('thread');
+  if (!thread) return c.json({ error: 'thread fehlt' }, 400);
+  const { data, error } = await supabase
+    .from('comments').select(COLS).eq('thread', thread).order('created_at', { ascending: true });
+  if (error) return serverError(c, 'listComments', error);
+  const out = (data || []).map((r) => (r.deleted ? { ...r, body: '[gelöscht]', author_avatar: null } : r));
+  return c.json(out);
+}
+
+// EINGELOGGT: Wortmeldung schreiben.
+export async function createComment(c) {
+  const user = c.get('user');
+  const email = c.get('email');
+  const { thread, body, parent_id } = await c.req.json();
+  if (!thread || !body || !body.trim()) return c.json({ error: 'thread und Text nötig' }, 400);
+  if (typeof thread !== 'string' || thread.length > MAX_THREAD) return c.json({ error: 'Ungültiger Thread' }, 400);
+  if (typeof body !== 'string' || body.length > MAX_BODY) return c.json({ error: `Text zu lang (max. ${MAX_BODY} Zeichen)` }, 400);
+  if (await threadLocked(thread)) return c.json({ error: 'Thread ist gesperrt' }, 403);
+
+  const prof = await profileFor(email);
+  const row = {
+    thread,
+    parent_id: parent_id || null,
+    user_id: user.id,
+    author_name: prof?.name || email.split('@')[0],
+    author_avatar: prof?.avatar || null,
+    author_role: prof?.title || null,   // „Position bei OPENBUREAU" (aus data/authors.json)
+    body: body.trim(),
+  };
+  const { data, error } = await supabase.from('comments').insert(row).select(COLS).single();
+  if (error) return serverError(c, 'createComment', error, 400);
+  return c.json(data, 201);
+}
+
+// EINGELOGGT: eigene Wortmeldung löschen; Moderation (Admin/Redakteur) jede.
+export async function deleteComment(c) {
+  const user = c.get('user');
+  const canModerate = c.get('canModerate');
+  const id = c.req.param('id');
+  const { data: row, error: e1 } = await supabase.from('comments').select('user_id').eq('id', id).single();
+  if (e1 || !row) return c.json({ error: 'Nicht gefunden' }, 404);
+  if (!canModerate && row.user_id !== user.id) return c.json({ error: 'Kein Recht' }, 403);
+  const { error } = await supabase.from('comments').update({ deleted: true }).eq('id', id);
+  if (error) return serverError(c, 'deleteComment', error, 400);
+  return c.json({ ok: true });
+}
+
+// ÖFFENTLICH: Login fürs Dialog-Widget — gibt das User-Token zurück.
+export async function login(c) {
+  const { email, password } = await c.req.json();
+  if (!email || !password) return c.json({ error: 'E-Mail und Passwort nötig' }, 400);
+  const { data, error } = await supabaseAuth.auth.signInWithPassword({ email, password });
+  if (error) return c.json({ error: error.message }, 401);
+  const prof = await profileFor((data.user.email || '').toLowerCase());
+  return c.json({
+    access_token: data.session.access_token,
+    email: data.user.email,
+    name: prof?.name || (data.user.email || '').split('@')[0],
+    role: roleOf(data.user),
+  });
+}
@@ -0,0 +1,50 @@
+import { Hono } from 'hono';
+import { listEntries, readEntry, writeEntry, entryExists, hasAccess, normAuthors } from '../files.js';
+
+// Dateibasiert + Rechte: Admin sieht/bearbeitet alles, Autor:innen nur Einträge,
+// in denen ihre Mail unter `authors` steht.
+const content = new Hono();
+
+content.get('/', async (c) => {
+  const email = c.get('email'); const isAdmin = c.get('isAdmin');
+  try {
+    let items = await listEntries();
+    if (!isAdmin) items = items.filter((e) => hasAccess(e.authors, email));
+    return c.json(items);
+  } catch (e) { return c.json({ error: String(e.message || e) }, 500); }
+});
+
+content.get('/entry', async (c) => {
+  const email = c.get('email'); const isAdmin = c.get('isAdmin');
+  try {
+    const entry = await readEntry(c.req.query('path'));
+    if (!isAdmin && !hasAccess(entry.frontmatter.authors, email)) {
+      return c.json({ error: 'Kein Zugriff auf diesen Eintrag' }, 403);
+    }
+    return c.json(entry);
+  } catch (e) { return c.json({ error: String(e.message || e) }, 400); }
+});
+
+content.put('/entry', async (c) => {
+  const email = c.get('email'); const isAdmin = c.get('isAdmin');
+  const { path: rel, frontmatter, body } = await c.req.json();
+  try {
+    const exists = await entryExists(rel);
+    if (exists && !isAdmin) {
+      const cur = await readEntry(rel);
+      if (!hasAccess(cur.frontmatter.authors, email)) {
+        return c.json({ error: 'Kein Zugriff auf diesen Eintrag' }, 403);
+      }
+    }
+    // authors zusammenführen; Ersteller wird beim Anlegen automatisch Autor.
+    const authors = normAuthors(frontmatter.authors);
+    if (!exists && email && !authors.some((a) => a.toLowerCase() === email)) {
+      authors.unshift(email);
+    }
+    const fm = { ...frontmatter, authors };
+    const saved = await writeEntry(rel, fm, body);
+    return c.json({ ok: true, path: saved, created: !exists });
+  } catch (e) { return c.json({ error: String(e.message || e) }, 400); }
+});
+
+export default content;
@@ -0,0 +1,104 @@
+import { Hono } from 'hono';
+import { supabase } from '../supabase.js';
+import { requireAdmin, requireModerator } from '../auth.js';
+import { serverError } from '../util.js';
+import {
+  forumsWithCounts, forumWithThreads, recentComments, createThread, recentForModeration, threadMeta,
+} from '../dialog-store.js';
+
+// Fehlt die Tabelle (Migration noch nicht eingespielt), nicht mit einem rohen
+// SQL-Fehler antworten — leer zurückgeben und server-seitig laut loggen.
+function softFail(c, e, fallback) {
+  console.error('[dialog]', e?.message || e);
+  return c.json(fallback);
+}
+
+// ── Öffentliche Lese-Handler ─────────────────────────────────────────────
+export async function listForums(c) {
+  try { return c.json(await forumsWithCounts()); }
+  catch (e) { return softFail(c, e, []); }
+}
+export async function showForum(c) {
+  try {
+    const data = await forumWithThreads(c.req.param('slug'));
+    if (!data) return c.json({ error: 'Forum nicht gefunden' }, 404);
+    return c.json(data);
+  } catch (e) { return softFail(c, e, { forum: null, threads: [] }); }
+}
+export async function recent(c) {
+  try { return c.json(await recentComments(Number(c.req.query('limit')) || 20)); }
+  catch (e) { return softFail(c, e, []); }
+}
+export async function threadInfo(c) {
+  const key = c.req.query('key');
+  if (!key) return c.json({ error: 'key fehlt' }, 400);
+  const meta = await threadMeta(key);
+  if (!meta) return c.json({ error: 'Thread nicht gefunden' }, 404);
+  return c.json(meta);
+}
+
+// ── Eingeloggt: neuen Thread starten ─────────────────────────────────────
+export async function newThread(c) {
+  const user = c.get('user');
+  const email = c.get('email');
+  const { forum_id, forum_slug, title, body } = await c.req.json();
+  const res = await createThread({ forumId: forum_id, forumSlug: forum_slug, title, body, user, email });
+  if (res.error) return c.json({ error: res.error }, 400);
+  return c.json(res.thread, 201);
+}
+
+// ── Moderation (Admin + Redakteur) ───────────────────────────────────────
+export const mod = new Hono();
+mod.use('*', requireModerator);
+// Feed: letzte Wortmeldungen + alle Threads (zum Moderieren/Sperren).
+mod.get('/overview', async (c) => c.json(await recentForModeration()));
+// Thread sperren/entsperren.
+mod.post('/thread-lock', async (c) => {
+  const { key, locked } = await c.req.json();
+  if (!key) return c.json({ error: 'key nötig' }, 400);
+  const { error } = await supabase.from('threads').update({ locked: !!locked }).eq('key', key);
+  if (error) return serverError(c, 'dialog', error, 400);
+  return c.json({ ok: true });
+});
+// Thread ausblenden (löschen).
+mod.post('/thread-delete', async (c) => {
+  const { key } = await c.req.json();
+  if (!key) return c.json({ error: 'key nötig' }, 400);
+  const { error } = await supabase.from('threads').update({ deleted: true }).eq('key', key);
+  if (error) return serverError(c, 'dialog', error, 400);
+  return c.json({ ok: true });
+});
+
+// ── Foren-Verwaltung (nur Admin) ─────────────────────────────────────────
+export const adminForums = new Hono();
+adminForums.use('*', requireAdmin);
+adminForums.get('/', async (c) => {
+  const { data, error } = await supabase.from('forums').select('*').order('sort');
+  if (error) return serverError(c, 'dialog', error, 500);
+  return c.json(data || []);
+});
+adminForums.post('/', async (c) => {
+  const { slug, name, description, color, sort } = await c.req.json();
+  if (!slug || !name) return c.json({ error: 'slug und name nötig' }, 400);
+  const row = { slug: String(slug).trim(), name: String(name).trim(),
+    description: description || '', color: color || null, sort: Number(sort) || 0 };
+  const { data, error } = await supabase.from('forums').insert(row).select('*').single();
+  if (error) return serverError(c, 'dialog', error, 400);
+  return c.json(data, 201);
+});
+adminForums.put('/:id', async (c) => {
+  const patch = await c.req.json();
+  const allowed = {};
+  for (const k of ['name', 'description', 'color', 'sort', 'slug']) if (k in patch) allowed[k] = patch[k];
+  const { data, error } = await supabase.from('forums').update(allowed).eq('id', c.req.param('id')).select('*').single();
+  if (error) return serverError(c, 'dialog', error, 400);
+  return c.json(data);
+});
+adminForums.delete('/:id', async (c) => {
+  const id = c.req.param('id');
+  const { data: f } = await supabase.from('forums').select('kind').eq('id', id).single();
+  if (f?.kind === 'library') return c.json({ error: 'Beiträge-Kategorie kann nicht gelöscht werden' }, 400);
+  const { error } = await supabase.from('forums').delete().eq('id', id);
+  if (error) return serverError(c, 'dialog', error, 400);
+  return c.json({ ok: true });
+});
@@ -0,0 +1,83 @@
+import { Hono } from 'hono';
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import matter from 'gray-matter';
+import { marked } from 'marked';
+import { safeRel } from '../files.js';
+
+// ÖFFENTLICH: Versionsverlauf eines Library-Beitrags aus der Git-History.
+// Der Container hat das Repo unter /site gemountet + git installiert. Wir
+// holen alte Fassungen on-demand (kein Vorbauen) und zeigen sie auf der Site.
+const execFileP = promisify(execFile);
+const SITE_DIR = process.env.SITE_DIR || '/site';
+const git = (...args) => execFileP('git', ['-C', SITE_DIR, ...args], { maxBuffer: 10 * 1024 * 1024 });
+const US = '\x1f'; // Feldtrenner (Unit Separator) — kommt in Commit-Daten nicht vor.
+
+const history = new Hono();
+
+// Liste der Versionen: neueste zuerst.
+history.get('/', async (c) => {
+  let rel;
+  try { rel = safeRel(c.req.query('path')); } catch { return c.json({ error: 'Ungültiger Pfad' }, 400); }
+  try {
+    const { stdout } = await git(
+      'log', '--follow', `--format=%H${US}%h${US}%aI${US}%an${US}%s`, '--', `content/${rel}`);
+    const versions = stdout.trim().split('\n').filter(Boolean).map((line) => {
+      const [rev, short, date, author, subject] = line.split(US);
+      return { rev, short, date, author, subject };
+    });
+    return c.json(versions);
+  } catch { return c.json({ error: 'Verlauf nicht verfügbar' }, 500); }
+});
+
+// Eine bestimmte Fassung gerendert (HTML), zum Anzeigen auf der Seite.
+history.get('/version', async (c) => {
+  let rel;
+  try { rel = safeRel(c.req.query('path')); } catch { return c.json({ error: 'Ungültiger Pfad' }, 400); }
+  const rev = c.req.query('rev') || '';
+  if (!/^[0-9a-f]{7,40}$/i.test(rev)) return c.json({ error: 'Ungültige Version' }, 400);
+  try {
+    const { stdout } = await git('show', `${rev}:content/${rel}`);
+    const { data, content } = matter(stdout);
+    return c.json({
+      rev,
+      title: data.title || '',
+      date: data.date ? new Date(data.date).toISOString().slice(0, 10) : null,
+      html: renderMarkdown(content),
+    });
+  } catch { return c.json({ error: 'Version nicht gefunden' }, 404); }
+});
+
+// Unified-Diff einer Fassung (was dieser Commit an der Datei geändert hat) —
+// fürs rot/grün-Diff auf der Seite. Roh-Diff; das Frontend färbt +/- ein.
+history.get('/diff', async (c) => {
+  let rel;
+  try { rel = safeRel(c.req.query('path')); } catch { return c.json({ error: 'Ungültiger Pfad' }, 400); }
+  const rev = c.req.query('rev') || '';
+  if (!/^[0-9a-f]{7,40}$/i.test(rev)) return c.json({ error: 'Ungültige Version' }, 400);
+  try {
+    const { stdout } = await git('show', '--format=', '--no-color', rev, '--', `content/${rel}`);
+    return c.json({ rev, diff: stdout });
+  } catch { return c.json({ error: 'Diff nicht verfügbar' }, 404); }
+});
+
+// Markdown → HTML. marked kennt Goldmarks Fußnoten ([^id]) nicht — daher
+// vorab: Definitionen einsammeln, Verweise zu <sup>-Nummern, „Quellen" anhängen
+// (greift dieselbe .footnotes-CSS wie die Live-Seite).
+function renderMarkdown(md) {
+  const defs = {}; const order = [];
+  md = md.replace(/^\[\^([^\]]+)\]:[ \t]*(.*)$/gm, (_, id, txt) => { defs[id] = txt; return ''; });
+  md = md.replace(/\[\^([^\]]+)\]/g, (_, id) => {
+    if (!order.includes(id)) order.push(id);
+    return `<sup class="footnote-ref">${order.indexOf(id) + 1}</sup>`;
+  });
+  let html = marked.parse(md);
+  if (order.length) {
+    html += '<div class="footnotes"><ol>'
+      + order.map((id) => `<li>${marked.parseInline(defs[id] || '')}</li>`).join('')
+      + '</ol></div>';
+  }
+  return html;
+}
+
+export default history;
@@ -0,0 +1,20 @@
+import { Hono } from 'hono';
+import { urlFor, safeRel } from '../files.js';
+import { buildSite } from '../hugo.js';
+
+// Echte Hugo-Vorschau: ganze Site mit --buildDrafts nach preview/ bauen und die
+// URL des Eintrags zurückgeben (so erscheinen auch draft:true-Einträge).
+const preview = new Hono();
+
+preview.post('/', async (c) => {
+  const { path: rel } = await c.req.json();
+  try {
+    const safe = safeRel(rel);
+    const build = await buildSite({ dest: 'preview', drafts: true });
+    return c.json({ ok: true, url: `/_preview${urlFor(safe)}`, hugo: build.stdout });
+  } catch (e) {
+    return c.json({ error: String(e.message || e) }, 500);
+  }
+});
+
+export default preview;
@@ -0,0 +1,56 @@
+import { Hono } from 'hono';
+import { readFile, writeFile, mkdir, stat } from 'node:fs/promises';
+import path from 'node:path';
+import matter from 'gray-matter';
+import { buildSite } from '../hugo.js';
+
+// Profile als Hugo-Data-Datei (data/authors.json) + öffentliche Autor-Seite
+// (content/authors/<slug>.md), gerendert von layouts/authors/single.html.
+const SITE_DIR = process.env.SITE_DIR || '/site';
+const FILE = path.join(SITE_DIR, 'data', 'authors.json');
+const AUTHORS_DIR = path.join(SITE_DIR, 'content', 'authors');
+
+async function readAll() {
+  try { return JSON.parse(await readFile(FILE, 'utf8')); } catch { return {}; }
+}
+// Muss zu Hugos `urlize` passen (Byline-Link).
+function slugify(s) {
+  return String(s || '').toLowerCase().trim().replace(/[^a-z0-9]+/g, '-').replace(/^-+|-+$/g, '');
+}
+async function exists(p) { try { await stat(p); return true; } catch { return false; } }
+
+const profile = new Hono();
+
+profile.get('/', async (c) => {
+  const email = c.get('user')?.email || 'default';
+  const all = await readAll();
+  return c.json({ email, name: '', bio: '', avatar: '', ...(all[email] || {}) });
+});
+
+profile.put('/', async (c) => {
+  const email = c.get('user')?.email || 'default';
+  const { name, bio, avatar } = await c.req.json();
+  const slug = slugify(name);
+
+  const all = await readAll();
+  all[email] = { name: name || '', bio: bio || '', avatar: avatar || '', slug };
+  await mkdir(path.dirname(FILE), { recursive: true });
+  await writeFile(FILE, JSON.stringify(all, null, 2) + '\n', 'utf8');
+
+  // Öffentliche Autor-Seite schreiben (nur mit Name).
+  if (slug) {
+    await mkdir(AUTHORS_DIR, { recursive: true });
+    const idx = path.join(AUTHORS_DIR, '_index.md');
+    if (!(await exists(idx))) {
+      await writeFile(idx, matter.stringify('', { title: 'Autor:innen' }), 'utf8');
+    }
+    const page = matter.stringify(bio || '', { title: name, avatar: avatar || '' });
+    await writeFile(path.join(AUTHORS_DIR, `${slug}.md`), page, 'utf8');
+    // Live bauen (koalesziert), damit die Seite + Byline-Links sofort wirken.
+    await buildSite({ dest: 'public', drafts: false }).catch((e) => console.error('[profile] build:', e?.message || e));
+  }
+
+  return c.json({ ok: true, slug });
+});
+
+export default profile;
@@ -0,0 +1,23 @@
+import { Hono } from 'hono';
+import { urlFor, safeRel } from '../files.js';
+import { buildSite, gitCommit } from '../hugo.js';
+import { syncLibrary } from '../dialog-store.js';
+
+// Publizieren: public/ neu bauen (ohne Drafts) → live. Optional git-commit.
+const publish = new Hono();
+
+publish.post('/', async (c) => {
+  const { path: rel } = await c.req.json();
+  try {
+    const safe = safeRel(rel);
+    const build = await buildSite({ dest: 'public', drafts: false });
+    // Neue/aktualisierte Library-Beiträge sofort als Dialog-Threads spiegeln.
+    await syncLibrary({ force: true }).catch(() => {});
+    const git = await gitCommit(`cms: publish ${safe}`).catch((e) => ({ error: String(e.message || e) }));
+    return c.json({ ok: true, url: urlFor(safe), git, hugo: build.stdout });
+  } catch (e) {
+    return c.json({ error: String(e.message || e) }, 500);
+  }
+});
+
+export default publish;
@@ -0,0 +1,83 @@
+import { Hono } from 'hono';
+import { mkdir, writeFile } from 'node:fs/promises';
+import path from 'node:path';
+import sharp from 'sharp';
+
+// Bild-Upload → static/images/. Raster-Bilder werden zu WebP konvertiert
+// (kleiner, web-optimiert), auf max. 2000px begrenzt, EXIF-Rotation korrigiert.
+// SVG/GIF bleiben unangetastet (Vektor/Animation erhalten).
+//
+// Sicherheit: hartes Größenlimit (DoS / Decompression-Bombs), Raster wird über
+// sharp-Metadaten als echtes Bild verifiziert, SVG nur wenn es wie SVG aussieht.
+// Hochgeladene Dateien werden zudem mit strikter CSP (sandbox) ausgeliefert
+// (siehe index.js, /images/*) → ein bösartiges SVG kann kein JS im Origin starten.
+const SITE_DIR = process.env.SITE_DIR || '/site';
+const MAX_UPLOAD = 8 * 1024 * 1024;   // 8 MB Rohdatei
+const ALLOWED_RASTER = new Set(['jpeg', 'png', 'webp', 'avif', 'tiff']);
+
+const upload = new Hono();
+
+upload.post('/', async (c) => {
+  const body = await c.req.parseBody();
+  const file = body['file'];
+  if (!file || typeof file === 'string') return c.json({ error: 'Keine Datei' }, 400);
+  if (typeof file.size === 'number' && file.size > MAX_UPLOAD) {
+    return c.json({ error: 'Datei zu groß (max. 8 MB)' }, 413);
+  }
+
+  const buffer = Buffer.from(await file.arrayBuffer());
+  if (buffer.length > MAX_UPLOAD) return c.json({ error: 'Datei zu groß (max. 8 MB)' }, 413);
+  if (!buffer.length) return c.json({ error: 'Leere Datei' }, 400);
+
+  const dir = path.join(SITE_DIR, 'static', 'images');
+  await mkdir(dir, { recursive: true });
+
+  const ext = path.extname(file.name || '').toLowerCase();
+  const base = `${safeBase(file.name)}-${uid()}`;
+
+  let outName, outBuf;
+  if (ext === '.svg') {
+    // Muss wie SVG aussehen (Magie/Marker), sonst ablehnen.
+    const head = buffer.subarray(0, 512).toString('utf8').trimStart().toLowerCase();
+    if (!head.startsWith('<?xml') && !head.startsWith('<svg')) {
+      return c.json({ error: 'Keine gültige SVG-Datei' }, 400);
+    }
+    outName = `${base}.svg`;
+    outBuf = buffer;
+  } else if (ext === '.gif') {
+    // GIF-Magie prüfen (kann kein Skript ausführen → Passthrough ok).
+    const sig = buffer.subarray(0, 6).toString('latin1');
+    if (sig !== 'GIF87a' && sig !== 'GIF89a') return c.json({ error: 'Keine gültige GIF-Datei' }, 400);
+    outName = `${base}.gif`;
+    outBuf = buffer;
+  } else {
+    // Raster: über sharp als echtes Bild verifizieren, dann zu WebP.
+    let meta;
+    try { meta = await sharp(buffer).metadata(); } catch { meta = null; }
+    if (!meta || !ALLOWED_RASTER.has(meta.format)) {
+      return c.json({ error: 'Kein unterstütztes Bildformat' }, 400);
+    }
+    outName = `${base}.webp`;
+    outBuf = await sharp(buffer)
+      .rotate()
+      .resize({ width: 2000, withoutEnlargement: true })
+      .webp({ quality: 82 })
+      .toBuffer();
+  }
+
+  await writeFile(path.join(dir, outName), outBuf);
+  return c.json({ url: `/images/${outName}` });
+});
+
+// Sicherer Basisname ohne Endung.
+function safeBase(raw) {
+  const base = path.basename(String(raw || 'bild')).replace(/\.[^.]+$/, '');
+  const cleaned = base.toLowerCase().replace(/[^a-z0-9._-]+/g, '-').replace(/^-+|-+$/g, '');
+  return cleaned || 'bild';
+}
+// Kurze eindeutige Endung, damit gleichnamige Uploads nicht kollidieren.
+function uid() {
+  return Date.now().toString(36).slice(-4) + Math.random().toString(36).slice(2, 5);
+}
+
+export default upload;
@@ -0,0 +1,58 @@
+import { Hono } from 'hono';
+import { supabase } from '../supabase.js';
+import { requireAdmin, roleOf } from '../auth.js';
+
+// Autoren-/Nutzerverwaltung über die GoTrue-Admin-API (Service-Key). Nur Admins.
+const ADMINS = (process.env.ADMIN_EMAILS || '')
+  .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
+
+const users = new Hono();
+users.use('*', requireAdmin);
+
+users.get('/', async (c) => {
+  const { data, error } = await supabase.auth.admin.listUsers();
+  if (error) return c.json({ error: error.message }, 500);
+  const list = (data?.users || []).map((u) => {
+    const role = roleOf(u);
+    return {
+      id: u.id,
+      email: u.email,
+      created_at: u.created_at,
+      role,
+      isAdmin: role === 'admin',
+      // Admins aus der .env lassen sich nicht per UI herabstufen.
+      fixedAdmin: ADMINS.includes((u.email || '').toLowerCase()),
+    };
+  });
+  return c.json(list);
+});
+
+users.post('/', async (c) => {
+  const { email, password } = await c.req.json();
+  if (!email || !password) return c.json({ error: 'E-Mail und Passwort nötig' }, 400);
+  const { data, error } = await supabase.auth.admin.createUser({ email, password, email_confirm: true });
+  if (error) return c.json({ error: error.message }, 400);
+  return c.json({ ok: true, id: data.user.id });
+});
+
+users.put('/:id', async (c) => {
+  const { password, role } = await c.req.json();
+  const patch = {};
+  if (password) patch.password = password;
+  if (role) {
+    if (!['user', 'editor', 'admin'].includes(role)) return c.json({ error: 'Unbekannte Rolle' }, 400);
+    patch.app_metadata = { role };
+  }
+  if (!Object.keys(patch).length) return c.json({ error: 'Nichts zu ändern' }, 400);
+  const { error } = await supabase.auth.admin.updateUserById(c.req.param('id'), patch);
+  if (error) return c.json({ error: error.message }, 400);
+  return c.json({ ok: true });
+});
+
+users.delete('/:id', async (c) => {
+  const { error } = await supabase.auth.admin.deleteUser(c.req.param('id'));
+  if (error) return c.json({ error: error.message }, 400);
+  return c.json({ ok: true });
+});
+
+export default users;
@@ -0,0 +1,21 @@
+import { createClient } from '@supabase/supabase-js';
+
+const url = process.env.SUPABASE_URL;
+const key = process.env.SUPABASE_SERVICE_KEY;
+
+if (!url || !key) {
+  console.error('FEHLT: SUPABASE_URL und/oder SUPABASE_SERVICE_KEY in .env');
+  process.exit(1);
+}
+
+const opts = { auth: { persistSession: false, autoRefreshToken: false } };
+
+// Daten-Client: Service-Role-Key, umgeht RLS. NUR für DB-Zugriffe (from/insert/…).
+// Wichtig: hier niemals signInWithPassword aufrufen — das schaltet den
+// Authorization-Header des Clients prozessweit auf das User-Token um (SIGNED_IN),
+// wodurch anschließende Inserts als role=authenticated laufen und an RLS scheitern.
+export const supabase = createClient(url, key, opts);
+
+// Eigener Client nur für Auth (Login, Token-Prüfung). Getrennt, damit ein
+// signInWithPassword den Daten-Client oben nicht „vergiftet". Niemals ins Frontend.
+export const supabaseAuth = createClient(url, key, opts);
@@ -0,0 +1,6 @@
+// Serverfehler protokollieren, aber dem Client nur eine generische Meldung
+// geben — keine DB-/Stack-Interna nach außen (Info-Leak vermeiden).
+export function serverError(c, where, err, status = 500) {
+  console.error(`[${where}]`, err?.message || err);
+  return c.json({ error: 'Serverfehler' }, status);
+}
@@ -0,0 +1,68 @@
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+
+// Env vor dem Import setzen: supabase.js bricht ohne URL/Key ab, ADMIN_EMAILS
+// und JWT_SECRET werden beim Modul-Load gelesen.
+process.env.SUPABASE_URL ||= 'http://localhost';
+process.env.SUPABASE_SERVICE_KEY ||= 'dummy';
+process.env.JWT_SECRET = 'test-secret';
+process.env.ADMIN_EMAILS = 'boss@x.ch';
+
+const { roleOf, requireAuth } = await import('../src/auth.js');
+const { sign } = await import('hono/jwt');
+
+test('roleOf: Admin aus ADMIN_EMAILS', () => {
+  assert.equal(roleOf({ email: 'boss@x.ch' }), 'admin');
+  assert.equal(roleOf({ email: 'BOSS@X.CH' }), 'admin');
+});
+
+test('roleOf: Rolle aus app_metadata', () => {
+  assert.equal(roleOf({ email: 'a@x.ch', app_metadata: { role: 'admin' } }), 'admin');
+  assert.equal(roleOf({ email: 'a@x.ch', app_metadata: { role: 'editor' } }), 'editor');
+  assert.equal(roleOf({ email: 'a@x.ch' }), 'user');
+});
+
+// Minimaler Hono-Kontext-Stub.
+function fakeCtx(authHeader) {
+  const store = {};
+  return {
+    req: { header: (h) => (h === 'Authorization' ? authHeader : undefined) },
+    set: (k, v) => { store[k] = v; },
+    get: (k) => store[k],
+    json: (body, status = 200) => ({ __status: status, body }),
+  };
+}
+
+test('requireAuth: gültiges Token wird lokal verifiziert', async () => {
+  const token = await sign(
+    { sub: 'u1', email: 'A@x.ch', app_metadata: { role: 'editor' }, exp: Math.floor(Date.now() / 1000) + 60 },
+    'test-secret', 'HS256');
+  let passed = false;
+  const c = fakeCtx('Bearer ' + token);
+  await requireAuth(c, async () => { passed = true; });
+  assert.equal(passed, true);
+  assert.equal(c.get('email'), 'a@x.ch');           // kleingeschrieben
+  assert.equal(c.get('role'), 'editor');
+  assert.equal(c.get('canModerate'), true);
+  assert.equal(c.get('isAdmin'), false);
+});
+
+test('requireAuth: fehlendes Token → 401', async () => {
+  const c = fakeCtx('');
+  const r = await requireAuth(c, async () => { throw new Error('darf nicht laufen'); });
+  assert.equal(r.__status, 401);
+});
+
+test('requireAuth: kaputtes/falsch signiertes Token → 401', async () => {
+  const bad = await sign({ sub: 'u1', exp: Math.floor(Date.now() / 1000) + 60 }, 'falsches-secret', 'HS256');
+  for (const t of ['Bearer garbage', 'Bearer ' + bad]) {
+    const r = await requireAuth(fakeCtx(t), async () => { throw new Error('darf nicht laufen'); });
+    assert.equal(r.__status, 401);
+  }
+});
+
+test('requireAuth: abgelaufenes Token → 401', async () => {
+  const expired = await sign({ sub: 'u1', exp: Math.floor(Date.now() / 1000) - 10 }, 'test-secret', 'HS256');
+  const r = await requireAuth(fakeCtx('Bearer ' + expired), async () => { throw new Error('darf nicht laufen'); });
+  assert.equal(r.__status, 401);
+});
@@ -0,0 +1,46 @@
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+
+const { coalesce } = await import('../src/coalesce.js');
+
+const tick = (ms = 5) => new Promise((r) => setTimeout(r, ms));
+
+test('coalesce: nie mehr als ein Lauf gleichzeitig pro Key', async () => {
+  let active = 0, maxActive = 0, runs = 0;
+  const fn = async () => { active++; maxActive = Math.max(maxActive, active); await tick(10); runs++; active--; return runs; };
+
+  // 5 gleichzeitige Aufrufe.
+  await Promise.all(Array.from({ length: 5 }, () => coalesce('k1', fn)));
+  assert.equal(maxActive, 1, 'parallele Läufe');
+  // Erster Lauf bedient den ersten Aufruf; die 4 während des Laufs eingetroffenen
+  // teilen sich GENAU EINEN nachgelagerten Lauf → insgesamt 2.
+  assert.equal(runs, 2);
+});
+
+test('coalesce: Wartende teilen sich das Ergebnis des nachgelagerten Laufs', async () => {
+  let n = 0;
+  const fn = async () => { await tick(10); return ++n; };
+  const first = coalesce('k2', fn);          // startet sofort → Ergebnis 1
+  await tick(2);                              // sicherstellen, dass er läuft
+  const a = coalesce('k2', fn);              // wartet → nachgelagerter Lauf
+  const b = coalesce('k2', fn);              // wartet → selber Lauf wie a
+  assert.equal(await first, 1);
+  const [ra, rb] = await Promise.all([a, b]);
+  assert.equal(ra, 2);
+  assert.equal(rb, 2);                        // a und b teilen sich Lauf 2
+});
+
+test('coalesce: Fehler wird an die Wartenden propagiert, Key bleibt nutzbar', async () => {
+  let fail = true;
+  const fn = async () => { await tick(5); if (fail) throw new Error('boom'); return 'ok'; };
+  await assert.rejects(() => coalesce('k3', fn), /boom/);
+  fail = false;
+  assert.equal(await coalesce('k3', fn), 'ok');   // danach wieder verwendbar
+});
+
+test('coalesce: verschiedene Keys laufen unabhängig', async () => {
+  const fn = async () => { await tick(5); return 'done'; };
+  const [x, y] = await Promise.all([coalesce('kA', fn), coalesce('kB', fn)]);
+  assert.equal(x, 'done');
+  assert.equal(y, 'done');
+});
@@ -0,0 +1,41 @@
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+
+const { safeRel, normAuthors, hasAccess, urlFor } = await import('../src/files.js');
+
+test('safeRel: gültiger relativer .md-Pfad bleibt erhalten', () => {
+  assert.equal(safeRel('library/software/stack.md'), 'library/software/stack.md');
+  assert.equal(safeRel('a/./b.md'), 'a/b.md');
+});
+
+test('safeRel: Path-Traversal wird abgelehnt', () => {
+  assert.throws(() => safeRel('../etc/passwd.md'));
+  assert.throws(() => safeRel('a/../../b.md'));
+  assert.throws(() => safeRel('/absolut.md'));
+});
+
+test('safeRel: nur .md erlaubt, leer/falsch wirft', () => {
+  assert.throws(() => safeRel('note.txt'));
+  assert.throws(() => safeRel(''));
+  assert.throws(() => safeRel(null));
+});
+
+test('normAuthors: String/Array/Leer normalisieren', () => {
+  assert.deepEqual(normAuthors('a@x.ch'), ['a@x.ch']);
+  assert.deepEqual(normAuthors(['a@x.ch', 'b@y.ch']), ['a@x.ch', 'b@y.ch']);
+  assert.deepEqual(normAuthors(null), []);
+  assert.deepEqual(normAuthors([]), []);
+});
+
+test('hasAccess: case-insensitive Mitgliedschaft', () => {
+  assert.equal(hasAccess(['Karim@x.ch'], 'karim@x.ch'), true);
+  assert.equal(hasAccess(['a@x.ch'], 'b@y.ch'), false);
+  assert.equal(hasAccess([], 'a@x.ch'), false);
+});
+
+test('urlFor: Hugo-URLs aus relativem Pfad', () => {
+  assert.equal(urlFor('_index.md'), '/');
+  assert.equal(urlFor('manifest.md'), '/manifest/');
+  assert.equal(urlFor('library/software/stack.md'), '/library/software/stack/');
+  assert.equal(urlFor('software/_index.md'), '/software/');
+});
@@ -0,0 +1,44 @@
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+
+const { rateLimit } = await import('../src/ratelimit.js');
+
+function fakeCtx() {
+  const headers = {};
+  return {
+    req: { header: () => undefined },
+    header: (k, v) => { headers[k] = v; },
+    json: (body, status = 200) => ({ __status: status, body }),
+    _headers: headers,
+  };
+}
+
+test('rateLimit: blockt nach Überschreiten mit 429 + Retry-After', async () => {
+  const mw = rateLimit({ max: 2, windowMs: 10_000, keyFn: () => 'fix' });
+  let calls = 0;
+  const run = async () => { const c = fakeCtx(); const r = await mw(c, async () => { calls++; }); return { c, r }; };
+
+  assert.equal((await run()).r, undefined);   // 1 → durch (next, kein Return)
+  assert.equal((await run()).r, undefined);   // 2 → durch
+  const { c, r } = await run();               // 3 → blockiert
+  assert.equal(r.__status, 429);
+  assert.ok(c._headers['Retry-After']);
+  assert.equal(calls, 2);                      // next nur zweimal aufgerufen
+});
+
+test('rateLimit: getrennte Schlüssel zählen getrennt', async () => {
+  let key = 'a';
+  const mw = rateLimit({ max: 1, windowMs: 10_000, keyFn: () => key });
+  assert.equal((await mw(fakeCtx(), async () => {})), undefined);      // a:1 ok
+  assert.equal((await mw(fakeCtx(), async () => {})).__status, 429);   // a:2 blockiert
+  key = 'b';
+  assert.equal((await mw(fakeCtx(), async () => {})), undefined);      // b:1 ok
+});
+
+test('rateLimit: Fenster läuft ab → wieder frei', async () => {
+  const mw = rateLimit({ max: 1, windowMs: 30, keyFn: () => 'win' });
+  assert.equal((await mw(fakeCtx(), async () => {})), undefined);
+  assert.equal((await mw(fakeCtx(), async () => {})).__status, 429);
+  await new Promise((r) => setTimeout(r, 40));
+  assert.equal((await mw(fakeCtx(), async () => {})), undefined);      // Fenster neu
+});
@@ -0,0 +1,111 @@
+-- OPENBUREAU CMS — posts-Tabelle. In den Supabase-Stack einspielen
+-- (SQL-Editor oder psql). Spalten bilden das Hugo-Frontmatter ab.
+
+create extension if not exists "pgcrypto";
+
+create table if not exists public.posts (
+  id           uuid primary key default gen_random_uuid(),
+  section      text not null,            -- buerofuehrung | software | theorie
+  slug         text not null,            -- a-z0-9- (Dateiname ohne .md)
+  title        text not null,
+  date         date not null default current_date,
+  weight       int,
+  tags         text[] default '{}',
+  summary      text,
+  cover_image  text,
+  layout       text,                     -- z.B. "image" | "text"
+  external     text,                     -- externer Link (wie RAPPORT)
+  color        text,                     -- z.B. "kusa" | "yuyake"
+  body         text default '',          -- Markdown-Inhalt
+  status       text not null default 'draft',  -- draft | published
+  author       text,
+  created_at   timestamptz not null default now(),
+  updated_at   timestamptz not null default now(),
+  published_at timestamptz,
+  unique (section, slug)
+);
+
+create index if not exists posts_status_idx on public.posts (status);
+create index if not exists posts_section_idx on public.posts (section);
+
+-- RLS aktivieren; die api nutzt den Service-Key (umgeht RLS). Wenn das
+-- Frontend später direkt liest, hier gezielte Policies ergänzen.
+alter table public.posts enable row level security;
+
+-- ── Dialog / Diskussionen ───────────────────────────────────────────────
+-- Thread = Pfad des Beitrags (z.B. /library/software/stack/). Flache Wortmeldungen
+-- mit optionalem Bezug (parent_id). Idempotent — auf bestehende DB anwendbar.
+create table if not exists public.comments (
+  id            uuid primary key default gen_random_uuid(),
+  thread        text not null,
+  parent_id     uuid references public.comments(id) on delete cascade,
+  user_id       uuid,
+  author_name   text,
+  author_avatar text,
+  body          text not null,
+  created_at    timestamptz not null default now(),
+  deleted       boolean not null default false
+);
+-- Position/Rolle bei OPENBUREAU (optional, neben dem Namen angezeigt).
+alter table public.comments add column if not exists author_role text;
+create index if not exists comments_thread_idx on public.comments (thread, created_at);
+alter table public.comments enable row level security;
+grant all on public.comments to anon, authenticated, service_role;
+
+-- Aggregat je Thread (Anzahl + letzte Aktivität). Spart der API den Full-Table-
+-- Scan + JS-Aggregation bei jedem Forum-Aufruf; Postgres zählt direkt.
+create or replace view public.comment_stats as
+  select thread, count(*)::int as count, max(created_at) as last
+  from public.comments
+  where not deleted
+  group by thread;
+grant select on public.comment_stats to service_role;
+
+-- ── Foren / Subforen ────────────────────────────────────────────────────
+-- Kategorien, in denen Threads leben. Admin-verwaltet. `kind=library` ist die
+-- Sonder-Kategorie, in der die Library-Beiträge automatisch als Threads landen.
+create table if not exists public.forums (
+  id          uuid primary key default gen_random_uuid(),
+  slug        text not null unique,
+  name        text not null,
+  description text default '',
+  color       text,                       -- optionale Akzentfarbe
+  sort        int  not null default 0,
+  kind        text not null default 'forum',  -- forum | library
+  created_at  timestamptz not null default now()
+);
+alter table public.forums enable row level security;
+grant all on public.forums to anon, authenticated, service_role;
+
+-- ── Threads (Diskussionen) ──────────────────────────────────────────────
+-- key = stabiler Bezeichner, den comments.thread referenziert:
+--   Forum-Thread     → 't/<uuid>'
+--   Library-Beitrag  → Beitragspfad (z.B. /library/software/stack/)
+create table if not exists public.threads (
+  id          uuid primary key default gen_random_uuid(),
+  forum_id    uuid references public.forums(id) on delete cascade,
+  key         text not null unique,
+  title       text not null,
+  url         text,                       -- Ziel-Link (Library: Beitragspfad)
+  kind        text not null default 'forum',  -- forum | library
+  author_name text,
+  user_id     uuid,
+  locked      boolean not null default false,
+  deleted     boolean not null default false,
+  created_at  timestamptz not null default now()
+);
+create index if not exists threads_forum_idx on public.threads (forum_id);
+alter table public.threads enable row level security;
+grant all on public.threads to anon, authenticated, service_role;
+
+-- Seed-Kategorien (idempotent; im Admin umbenenn-/erweiterbar).
+insert into public.forums (slug, name, sort, kind) values
+  ('allgemein', 'Allgemein', 10, 'forum'),
+  ('projekte',  'Projekte',  20, 'forum'),
+  ('technik',   'Technik',   30, 'forum'),
+  ('off-topic', 'Off-Topic', 40, 'forum')
+on conflict (slug) do nothing;
+-- Sonder-Kategorie für die Library-Beiträge.
+insert into public.forums (slug, name, sort, kind) values
+  ('beitraege', 'Beiträge', 0, 'library')
+on conflict (slug) do nothing;
@@ -0,0 +1,142 @@
+-- OPENBUREAU — OPTIONALER Demo-Inhalt fürs Forum (Dialog).
+-- ─────────────────────────────────────────────────────────────────────────
+-- NICHT Teil der Migration: bewusst getrennt von schema.sql, damit die
+-- Produktion sauber bleibt. Nur bei Bedarf manuell einspielen, z.B.:
+--
+--   docker compose exec -T db \
+--     psql -U supabase_admin -d postgres < db/seed-demo.sql
+--
+-- Idempotent: feste UUIDs + ON CONFLICT DO NOTHING → mehrfaches Einspielen
+-- erzeugt keine Duplikate. Demo-Wortmeldungen haben user_id = NULL (keine
+-- echten Konten); author_name/author_role sind nur Anzeigetext.
+--
+-- Wieder entfernen: siehe DELETE-Block ganz unten (auskommentiert).
+-- ─────────────────────────────────────────────────────────────────────────
+
+-- ── Threads ───────────────────────────────────────────────────────────────
+insert into public.threads (id, forum_id, key, title, url, kind, author_name, created_at) values
+  ('a1111111-1111-1111-1111-111111111101',
+   (select id from public.forums where slug = 'allgemein'),
+   't/a1111111-1111-1111-1111-111111111101',
+   'Willkommen im OPENBUREAU-Dialog',
+   '/dialog/?thread=t%2Fa1111111-1111-1111-1111-111111111101',
+   'forum', 'Karim', now() - interval '9 days'),
+
+  ('a2222222-2222-2222-2222-222222222202',
+   (select id from public.forums where slug = 'projekte'),
+   't/a2222222-2222-2222-2222-222222222202',
+   'Altbausanierung Zürich — Materialwahl Innendämmung',
+   '/dialog/?thread=t%2Fa2222222-2222-2222-2222-222222222202',
+   'forum', 'Karim', now() - interval '6 days'),
+
+  ('a3333333-3333-3333-3333-333333333303',
+   (select id from public.forums where slug = 'technik'),
+   't/a3333333-3333-3333-3333-333333333303',
+   'Hugo-Build-Zeiten bei großen Bildmengen',
+   '/dialog/?thread=t%2Fa3333333-3333-3333-3333-333333333303',
+   'forum', 'Mara', now() - interval '3 days'),
+
+  ('a4444444-4444-4444-4444-444444444404',
+   (select id from public.forums where slug = 'off-topic'),
+   't/a4444444-4444-4444-4444-444444444404',
+   'Welches Architekturbuch hat euch geprägt?',
+   '/dialog/?thread=t%2Fa4444444-4444-4444-4444-444444444404',
+   'forum', 'Jonas', now() - interval '2 days')
+on conflict (key) do nothing;
+
+-- ── Wortmeldungen ─────────────────────────────────────────────────────────
+-- parent_id verweist auf eine andere Wortmeldung (Antwort-Bezug).
+insert into public.comments (id, thread, parent_id, author_name, author_role, body, created_at) values
+  -- Thread 1: Willkommen
+  ('c1111111-0000-0000-0000-000000000001',
+   't/a1111111-1111-1111-1111-111111111101', null, 'Karim', 'Gründer',
+   'Hallo zusammen — dieser Bereich ist für den offenen Austausch rund ums Büro: Projekte, Methoden, Werkzeuge. Lest euch ein, schreibt mit.',
+   now() - interval '9 days'),
+  ('c1111111-0000-0000-0000-000000000002',
+   't/a1111111-1111-1111-1111-111111111101',
+   'c1111111-0000-0000-0000-000000000001', 'Mara', 'Projektarchitektin',
+   'Schön, dass es losgeht. Gibt es eine Empfehlung, wie wir Projektdiskussionen von allgemeinem Plausch trennen?',
+   now() - interval '8 days'),
+  ('c1111111-0000-0000-0000-000000000003',
+   't/a1111111-1111-1111-1111-111111111101',
+   'c1111111-0000-0000-0000-000000000002', 'Karim', 'Gründer',
+   'Genau dafür gibt es die Kategorie „Projekte". „Off-Topic" ist für alles andere.',
+   now() - interval '8 days'),
+
+  -- Thread 2: Innendämmung
+  ('c2222222-0000-0000-0000-000000000001',
+   't/a2222222-2222-2222-2222-222222222202', null, 'Karim', 'Gründer',
+   'Beim Altbau an der Seestrasse steht die Innendämmung an. Kalziumsilikat oder mineralischer Dämmputz? Erfahrungen mit Feuchteverhalten?',
+   now() - interval '6 days'),
+  ('c2222222-0000-0000-0000-000000000002',
+   't/a2222222-2222-2222-2222-222222222202',
+   'c2222222-0000-0000-0000-000000000001', 'Mara', 'Projektarchitektin',
+   'Kalziumsilikat ist diffusionsoffen und kapillaraktiv — bei den Bestandswänden dort würde ich das vorziehen. Wichtig ist die Detailausbildung an den Holzbalkenköpfen.',
+   now() - interval '5 days'),
+  ('c2222222-0000-0000-0000-000000000003',
+   't/a2222222-2222-2222-2222-222222222202',
+   'c2222222-0000-0000-0000-000000000002', 'Jonas', 'Bauleiter',
+   'Plus eins für Kalziumsilikat. Ich hänge nächste Woche die hygrothermische Simulation an, dann sehen wir die Tauwasserbilanz.',
+   now() - interval '4 days'),
+
+  -- Thread 3: Hugo-Builds
+  ('c3333333-0000-0000-0000-000000000001',
+   't/a3333333-3333-3333-3333-333333333303', null, 'Mara', 'Projektarchitektin',
+   'Seit die Projektgalerien dazugekommen sind, dauert der Build spürbar länger. Hat jemand die Bildverarbeitung schon optimiert?',
+   now() - interval '3 days'),
+  ('c3333333-0000-0000-0000-000000000002',
+   't/a3333333-3333-3333-3333-333333333303',
+   'c3333333-0000-0000-0000-000000000001', 'Karim', 'Gründer',
+   'Hugo cached die Image-Resizes unter resources/. Solange der Ordner erhalten bleibt, werden nur neue Bilder neu gerechnet — das war bei uns der größte Hebel.',
+   now() - interval '2 days'),
+
+  -- Thread 4: Architekturbuch
+  ('c4444444-0000-0000-0000-000000000001',
+   't/a4444444-4444-4444-4444-444444444404', null, 'Jonas', 'Bauleiter',
+   'Bei mir war es „Atmosphären" von Peter Zumthor — schmal, aber prägend. Was hat euch geformt?',
+   now() - interval '2 days'),
+  ('c4444444-0000-0000-0000-000000000002',
+   't/a4444444-4444-4444-4444-444444444404',
+   'c4444444-0000-0000-0000-000000000001', 'Mara', 'Projektarchitektin',
+   '„Complexity and Contradiction" von Venturi — hat mein Verständnis von Fassaden komplett verschoben.',
+   now() - interval '1 day')
+on conflict (id) do nothing;
+
+-- ── Wortmeldungen auf den Musterbeiträgen (Dialog am Artikel) ─────────────
+-- thread = Beitrags-URL (Library-Beiträge werden als Threads gespiegelt).
+insert into public.comments (id, thread, parent_id, author_name, author_role, body, created_at) values
+  ('d1111111-0000-0000-0000-000000000001',
+   '/library/theorie/muster-typologie-fussnoten/', null, 'Mara', 'Projektarchitektin',
+   'Schöne Verdichtung. Würdest du Léon Krier hier dazustellen, oder ist das eine andere Debatte?',
+   now() - interval '4 days'),
+  ('d1111111-0000-0000-0000-000000000002',
+   '/library/theorie/muster-typologie-fussnoten/',
+   'd1111111-0000-0000-0000-000000000001', 'Karim', 'Gründer',
+   'Eigene Debatte — Krier zielt auf die Wiederherstellung der Stadt. Hier ging es mir nur um Typus vs. Modell.',
+   now() - interval '3 days'),
+
+  ('d2222222-0000-0000-0000-000000000001',
+   '/library/buerofuehrung/muster-offen-arbeiten/', null, 'Jonas', 'Bauleiter',
+   'Die Lizenzfrage unterschätzen viele. Gut, das einmal klar getrennt zu sehen.',
+   now() - interval '2 days'),
+
+  ('d3333333-0000-0000-0000-000000000001',
+   '/library/software/muster-werkzeugkette/', null, 'Mara', 'Projektarchitektin',
+   'Ein Befehl ist Gold wert. Läuft der Build bei euch auch im CMS-Container?',
+   now() - interval '1 day'),
+  ('d3333333-0000-0000-0000-000000000002',
+   '/library/software/muster-werkzeugkette/',
+   'd3333333-0000-0000-0000-000000000001', 'Karim', 'Gründer',
+   'Genau — der Container hat das Hugo-Binary, Publish baut public/ direkt.',
+   now() - interval '12 hours')
+on conflict (id) do nothing;
+
+-- ── Demo-Inhalt wieder entfernen (bei Bedarf auskommentieren) ──────────────
+-- delete from public.comments where id::text like 'c_______-0000-0000-0000-%';
+-- delete from public.comments where id::text like 'd_______-0000-0000-0000-%';
+-- delete from public.threads  where key in (
+--   't/a1111111-1111-1111-1111-111111111101',
+--   't/a2222222-2222-2222-2222-222222222202',
+--   't/a3333333-3333-3333-3333-333333333303',
+--   't/a4444444-4444-4444-4444-444444444404');
+-- (Musterbeitrag-Threads verschwinden mit den .md-Dateien automatisch.)
@@ -0,0 +1,182 @@
+# OPENBUREAU — Komplettstack für Self-Hosting (Muster gespiegelt von RAPPORT-SERVER).
+# ALLES in einem Stack / einem LXC: Supabase-Kern + CMS.
+#
+# Vor `docker compose up`:
+#   1. cp .env.example .env
+#   2. JWT_SECRET + POSTGRES_PASSWORD setzen (openssl rand -hex 32)
+#   3. node scripts/generate-keys.mjs   → ANON_KEY + SERVICE_ROLE_KEY in .env
+#   4. SITE_URL + API_EXTERNAL_URL auf die LAN-/Domain-Adresse setzen
+#   5. kong.yml: __CORS_ORIGIN__ durch SITE_URL ersetzen (Browser-Origin)
+#   6. BIND_ADDR: 127.0.0.1 hinter Reverse-Proxy, 0.0.0.0 für LAN-Direkt
+#
+# (Das Proxmox-Script erledigt 1–6 automatisch.)
+# Dann:  docker compose up -d --build
+#
+# Abweichung von RAPPORT: realtime + storage weggelassen (nutzt das CMS nicht).
+# Nachrüsten = die beiden Service-Blöcke aus RAPPORT-SERVER hier einfügen.
+
+services:
+  # ════════════════════════════════════════════════════════════════════════
+  # Postgres — Datenbank mit Supabase-Extensions
+  # ════════════════════════════════════════════════════════════════════════
+  db:
+    image: supabase/postgres:15.8.1.020
+    container_name: openbureau-db
+    restart: unless-stopped
+    environment:
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      POSTGRES_DB: postgres
+      JWT_SECRET: ${JWT_SECRET}
+      JWT_EXP: 3600
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+      # OPENBUREAU-Schema (posts-Tabelle) wird vom Post-Init eingespielt.
+      - ./db/schema.sql:/openbureau-schema.sql:ro
+      # Läuft als LETZTES Init-Script (zz-) — nach den supabase-internen.
+      - ./volumes/db/init/zz-openbureau-post-init.sh:/docker-entrypoint-initdb.d/zz-openbureau-post-init.sh:ro
+    ports:
+      # Nur localhost — Zugriff über Kong / interne Container-Kommunikation.
+      - "127.0.0.1:${DB_PORT:-5432}:5432"
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "supabase_admin", "-d", "postgres"]
+      interval: 5s
+      timeout: 5s
+      retries: 20
+      start_period: 30s
+
+  # ════════════════════════════════════════════════════════════════════════
+  # Migrate — spielt das (idempotente) Schema bei jedem `up` nach, damit neue
+  # Tabellen/Spalten auch in eine BESTEHENDE DB kommen (Init-Scripts laufen nur
+  # beim allerersten Start). Läuft einmal und beendet sich. supabase_admin =
+  # Superuser → keine Owner-Konflikte. schema.sql ist idempotent.
+  # ════════════════════════════════════════════════════════════════════════
+  migrate:
+    image: supabase/postgres:15.8.1.020
+    container_name: openbureau-migrate
+    restart: "no"
+    depends_on:
+      db:
+        condition: service_healthy
+    environment:
+      PGPASSWORD: ${POSTGRES_PASSWORD}
+    volumes:
+      - ./db/schema.sql:/openbureau-schema.sql:ro
+    entrypoint: ["bash", "-c"]
+    command:
+      - >
+        psql -h db -U supabase_admin -d postgres -v ON_ERROR_STOP=1 -f /openbureau-schema.sql &&
+        psql -h db -U supabase_admin -d postgres -c "notify pgrst, 'reload schema';" &&
+        echo '✓ Schema migriert.'
+
+  # ════════════════════════════════════════════════════════════════════════
+  # GoTrue — Auth (Login für das CMS)
+  # ════════════════════════════════════════════════════════════════════════
+  auth:
+    image: supabase/gotrue:v2.158.1
+    container_name: openbureau-auth
+    restart: unless-stopped
+    depends_on:
+      db:
+        condition: service_healthy
+    environment:
+      GOTRUE_API_HOST: 0.0.0.0
+      GOTRUE_API_PORT: 9999
+      API_EXTERNAL_URL: ${API_EXTERNAL_URL}
+      GOTRUE_DB_DRIVER: postgres
+      GOTRUE_DB_DATABASE_URL: postgres://supabase_auth_admin:${POSTGRES_PASSWORD}@db:5432/postgres
+      GOTRUE_SITE_URL: ${SITE_URL}
+      GOTRUE_URI_ALLOW_LIST: ${SITE_URL},${SITE_URL}/
+      # Single-Author: Self-Signup aus. User wird per Admin-API angelegt
+      # (Kommando steht im README / LXC-Output).
+      GOTRUE_DISABLE_SIGNUP: "true"
+      GOTRUE_JWT_ADMIN_ROLES: service_role
+      GOTRUE_JWT_AUD: authenticated
+      GOTRUE_JWT_DEFAULT_GROUP_NAME: authenticated
+      GOTRUE_JWT_EXP: 3600
+      GOTRUE_JWT_SECRET: ${JWT_SECRET}
+      GOTRUE_EXTERNAL_EMAIL_ENABLED: "true"
+      GOTRUE_MAILER_AUTOCONFIRM: "true"
+
+  # ════════════════════════════════════════════════════════════════════════
+  # PostgREST — REST-API auf der DB (supabase-js spricht hierüber mit posts)
+  # ════════════════════════════════════════════════════════════════════════
+  rest:
+    image: postgrest/postgrest:v12.2.0
+    container_name: openbureau-rest
+    restart: unless-stopped
+    depends_on:
+      db:
+        condition: service_healthy
+    environment:
+      PGRST_DB_URI: postgres://authenticator:${POSTGRES_PASSWORD}@db:5432/postgres
+      PGRST_DB_SCHEMAS: public
+      PGRST_DB_ANON_ROLE: anon
+      PGRST_JWT_SECRET: ${JWT_SECRET}
+      PGRST_DB_USE_LEGACY_GUCS: "false"
+
+  # ════════════════════════════════════════════════════════════════════════
+  # Kong — API-Gateway: bündelt /auth/v1 + /rest/v1 unter einer URL
+  # ════════════════════════════════════════════════════════════════════════
+  kong:
+    image: kong:2.8.1
+    container_name: openbureau-kong
+    restart: unless-stopped
+    depends_on:
+      - auth
+      - rest
+    environment:
+      KONG_DATABASE: "off"
+      KONG_DECLARATIVE_CONFIG: /var/lib/kong/kong.yml
+      KONG_DNS_ORDER: LAST,A,CNAME
+      KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth
+    volumes:
+      - ./kong.yml:/var/lib/kong/kong.yml:ro
+    ports:
+      # Standard 127.0.0.1: nur lokal/Reverse-Proxy erreichbar. Für LAN-Direkt-
+      # zugriff ohne Proxy BIND_ADDR=0.0.0.0 in .env setzen.
+      - "${BIND_ADDR:-127.0.0.1}:${KONG_HTTP_PORT:-8000}:8000"
+      - "${BIND_ADDR:-127.0.0.1}:${KONG_HTTPS_PORT:-8443}:8443"
+
+  # ════════════════════════════════════════════════════════════════════════
+  # CMS — Node-API + Hugo-Binary + Admin-SPA, serviert die Site
+  # ════════════════════════════════════════════════════════════════════════
+  cms:
+    build:
+      context: .
+      dockerfile: api/Dockerfile
+      args:
+        # Browser-seitig (Admin-SPA, zur Build-Zeit): öffentliche Supabase-URL.
+        VITE_SUPABASE_URL: ${API_EXTERNAL_URL}
+        VITE_SUPABASE_ANON_KEY: ${ANON_KEY}
+    container_name: openbureau-cms
+    restart: unless-stopped
+    depends_on:
+      db:
+        condition: service_healthy
+      migrate:
+        condition: service_completed_successfully
+      kong:
+        condition: service_started
+    environment:
+      # Server-seitig: intern über Kong, mit Service-Key.
+      SUPABASE_URL: http://kong:8000
+      SUPABASE_SERVICE_KEY: ${SERVICE_ROLE_KEY}
+      # Für lokale JWT-Verifikation (kein GoTrue-Roundtrip pro Request).
+      JWT_SECRET: ${JWT_SECRET}
+      ADMIN_EMAILS: ${ADMIN_EMAILS:-}
+      SITE_DIR: /site
+      PORT: 3000
+      GIT_PUBLISH: ${GIT_PUBLISH:-false}
+      GIT_REMOTE: ${GIT_REMOTE:-origin}
+      GIT_BRANCH: ${GIT_BRANCH:-main}
+      GIT_AUTHOR_NAME: ${GIT_AUTHOR_NAME:-OPENBUREAU CMS}
+      GIT_AUTHOR_EMAIL: ${GIT_AUTHOR_EMAIL:-cms@openbureau.ch}
+    volumes:
+      # Repo-Root: api schreibt content/ und baut public/ + preview/.
+      - ..:/site
+    ports:
+      # Wie Kong: standardmäßig nur 127.0.0.1 (hinter Reverse-Proxy).
+      - "${BIND_ADDR:-127.0.0.1}:${APP_PORT:-8080}:3000"
+
+volumes:
+  postgres-data:
@@ -0,0 +1,47 @@
+# Kong-Konfiguration für den OPENBUREAU-Stack (gespiegelt von RAPPORT-SERVER).
+# Routet die genutzten Supabase-API-Pfade durch eine URL, damit Browser + api
+# nur eine Adresse kennen. (realtime/storage weggelassen — siehe compose.)
+
+_format_version: "2.1"
+_transform: true
+
+services:
+  - name: auth-v1
+    url: http://auth:9999/
+    routes:
+      - name: auth-v1-route
+        strip_path: true
+        paths:
+          - /auth/v1/
+    plugins:
+      - name: cors
+        config:
+          # Nur die eigene Browser-Origin erlauben (nicht „*"). __CORS_ORIGIN__
+          # wird beim Provisionieren auf SITE_URL gesetzt (siehe Proxmox-Script);
+          # bei Domain/HTTPS-Wechsel hier bzw. in .env mitziehen.
+          origins:
+            - __CORS_ORIGIN__
+          methods: [GET, POST, PUT, PATCH, DELETE, OPTIONS]
+          headers: [Accept, Authorization, Content-Type, apikey, x-client-info, x-supabase-api-version]
+          credentials: false
+          max_age: 3600
+
+  - name: rest-v1
+    url: http://rest:3000/
+    routes:
+      - name: rest-v1-route
+        strip_path: true
+        paths:
+          - /rest/v1/
+    plugins:
+      - name: cors
+        config:
+          # Nur die eigene Browser-Origin erlauben (nicht „*"). __CORS_ORIGIN__
+          # wird beim Provisionieren auf SITE_URL gesetzt (siehe Proxmox-Script);
+          # bei Domain/HTTPS-Wechsel hier bzw. in .env mitziehen.
+          origins:
+            - __CORS_ORIGIN__
+          methods: [GET, POST, PUT, PATCH, DELETE, OPTIONS]
+          headers: [Accept, Authorization, Content-Type, apikey, x-client-info, x-supabase-api-version]
+          credentials: false
+          max_age: 3600
@@ -0,0 +1,198 @@
+#!/usr/bin/env bash
+#
+# OPENBUREAU — All-in-One LXC für Proxmox VE (Supabase-Kern + CMS).
+#
+# AUSFÜHREN AUF DEM PROXMOX-HOST (nicht im Container), als root:
+#   bash create-openbureau-lxc.sh
+#
+# Legt einen unprivileged Debian-12-LXC an (Docker-fähig: nesting + keyctl),
+# installiert Docker, zieht das Repo, generiert alle Secrets (POSTGRES_PASSWORD,
+# JWT_SECRET, ANON_KEY, SERVICE_ROLE_KEY) und befüllt die .env. Optional baut
+# und startet es den Stack direkt.
+
+set -euo pipefail
+
+############################  CONFIG  ############################
+CTID="${CTID:-$(pvesh get /cluster/nextid)}"
+HOSTNAME="openbureau"
+
+# Storage
+TEMPLATE_STORAGE="local"
+ROOTFS_STORAGE="local-lvm"
+DISK_GB="20"            # Supabase + CMS
+
+# Ressourcen
+RAM_MB="4096"
+SWAP_MB="1024"
+CORES="2"
+
+# Netzwerk
+BRIDGE="vmbr0"
+IP="dhcp"               # "dhcp" ODER statisch z.B. "192.168.1.50/24"
+GATEWAY=""              # nur bei statischer IP
+
+# Zugang
+SSH_PUBKEY_FILE="${SSH_PUBKEY_FILE:-$HOME/.ssh/id_ed25519.pub}"
+ROOT_PASSWORD=""
+
+# Repo ist öffentlich → Clone braucht KEIN Token.
+# GIT_TOKEN nur setzen, wenn das CMS später per GIT_PUBLISH nach Gitea
+# zurückschreiben soll (git push braucht Auth). Format: "tokenname:tokenwert".
+GIT_TOKEN="${GIT_TOKEN:-}"
+REPO_HOST="git.kgva.ch/karim/OPENBUREAU.git"
+APP_DIR="/opt/openbureau"
+
+# Admin (sieht/bearbeitet ALLE Beiträge). Wird auch als erster Login-User vorgeschlagen.
+ADMIN_EMAIL="${ADMIN_EMAIL:-karim@gabrielevarano.ch}"
+
+# Stack nach dem Setup direkt bauen + starten?
+COMPOSE_UP="true"
+##################################################################
+
+say() { echo -e "\n\033[1;36m▸ $*\033[0m"; }
+
+# --- 0. Interaktiv nachfragen (Enter = Default) --------------------------
+# Übersprungen, wenn kein Terminal (z.B. CI) — dann gelten die Defaults oben
+# bzw. vorab gesetzte Umgebungsvariablen.
+if [ -t 0 ]; then
+  echo "OPENBUREAU LXC-Setup — Enter übernimmt den Default in [Klammern]."
+  read -rp "  Storage für die Disk         [${ROOTFS_STORAGE}]: " _x; ROOTFS_STORAGE="${_x:-$ROOTFS_STORAGE}"
+  read -rp "  Netzwerk-Bridge              [${BRIDGE}]: " _x; BRIDGE="${_x:-$BRIDGE}"
+  read -rp "  IP (dhcp | x.x.x.x/24)       [${IP}]: " _x; IP="${_x:-$IP}"
+  [ "$IP" != "dhcp" ] && { read -rp "  Gateway: " GATEWAY; }
+  read -rp "  Admin-E-Mail                 [${ADMIN_EMAIL}]: " _x; ADMIN_EMAIL="${_x:-$ADMIN_EMAIL}"
+fi
+
+# --- 1. Template sicherstellen -------------------------------------------
+say "Suche aktuelles Debian-12-Template…"
+pveam update >/dev/null || true
+TEMPLATE="$(pveam available --section system \
+  | awk '/debian-12-standard/{print $2}' | sort -V | tail -1)"
+[ -n "$TEMPLATE" ] || { echo "Kein debian-12-Template gefunden."; exit 1; }
+if ! pveam list "$TEMPLATE_STORAGE" | grep -q "$TEMPLATE"; then
+  say "Lade Template $TEMPLATE…"
+  pveam download "$TEMPLATE_STORAGE" "$TEMPLATE"
+fi
+TEMPLATE_REF="${TEMPLATE_STORAGE}:vztmpl/${TEMPLATE}"
+
+# --- 2. Netzwerk ----------------------------------------------------------
+if [ "$IP" = "dhcp" ]; then
+  NET="name=eth0,bridge=${BRIDGE},ip=dhcp"
+else
+  [ -n "$GATEWAY" ] || { echo "Statische IP, aber GATEWAY leer."; exit 1; }
+  NET="name=eth0,bridge=${BRIDGE},ip=${IP},gw=${GATEWAY}"
+fi
+
+# --- 3. Container erstellen ----------------------------------------------
+say "Erstelle LXC $CTID ($HOSTNAME)…"
+CREATE_ARGS=(
+  "$CTID" "$TEMPLATE_REF"
+  --hostname "$HOSTNAME"
+  --cores "$CORES" --memory "$RAM_MB" --swap "$SWAP_MB"
+  --rootfs "${ROOTFS_STORAGE}:${DISK_GB}"
+  --net0 "$NET"
+  --unprivileged 1
+  --features "nesting=1,keyctl=1"
+  --onboot 1
+)
+[ -n "$ROOT_PASSWORD" ] && CREATE_ARGS+=(--password "$ROOT_PASSWORD")
+[ -f "$SSH_PUBKEY_FILE" ] && CREATE_ARGS+=(--ssh-public-keys "$SSH_PUBKEY_FILE")
+pct create "${CREATE_ARGS[@]}"
+
+say "Starte Container…"
+pct start "$CTID"
+sleep 5
+
+# Clone-URL (mit Token, falls gesetzt)
+if [ -n "$GIT_TOKEN" ]; then
+  REPO_URL="https://${GIT_TOKEN}@${REPO_HOST}"
+else
+  REPO_URL="https://${REPO_HOST}"
+fi
+
+# --- 4. Provisionierung im Container -------------------------------------
+say "Installiere Docker + Git, ziehe Repo, generiere Secrets…"
+pct exec "$CTID" -- bash -euo pipefail -c "
+  export DEBIAN_FRONTEND=noninteractive
+  apt-get update -qq
+  apt-get install -y -qq ca-certificates curl git openssl >/dev/null
+  curl -fsSL https://get.docker.com | sh >/dev/null
+  systemctl enable --now docker
+
+  if [ ! -d '${APP_DIR}/.git' ]; then
+    git clone --quiet '${REPO_URL}' '${APP_DIR}' || {
+      echo 'WARN: Clone fehlgeschlagen (Token nötig?). Setup hier gestoppt.'; exit 0; }
+  fi
+
+  cd '${APP_DIR}/cms'
+  if [ ! -f .env ]; then
+    cp .env.example .env
+
+    # Secrets generieren
+    PW=\$(openssl rand -hex 32)
+    JWT=\$(openssl rand -hex 32)
+    sed -i \"s|^POSTGRES_PASSWORD=.*|POSTGRES_PASSWORD=\${PW}|\" .env
+    sed -i \"s|^JWT_SECRET=.*|JWT_SECRET=\${JWT}|\" .env
+
+    # ANON_KEY + SERVICE_ROLE_KEY via Wegwerf-Node-Container ableiten
+    KEYS=\$(docker run --rm -v \"\$PWD\":/w -w /w node:20-alpine \
+             node scripts/generate-keys.mjs \"\$JWT\" 2>/dev/null)
+    ANON=\$(echo \"\$KEYS\"    | sed -n 's/^ANON_KEY=//p')
+    SVC=\$(echo \"\$KEYS\"     | sed -n 's/^SERVICE_ROLE_KEY=//p')
+    sed -i \"s|^ANON_KEY=.*|ANON_KEY=\${ANON}|\" .env
+    sed -i \"s|^SERVICE_ROLE_KEY=.*|SERVICE_ROLE_KEY=\${SVC}|\" .env
+
+    # URLs auf die Container-IP setzen
+    HOSTIP=\$(hostname -I | awk '{print \$1}')
+    sed -i \"s|^SITE_URL=.*|SITE_URL=http://\${HOSTIP}:8080|\" .env
+    sed -i \"s|^API_EXTERNAL_URL=.*|API_EXTERNAL_URL=http://\${HOSTIP}:8000|\" .env
+    sed -i \"s|^ADMIN_EMAILS=.*|ADMIN_EMAILS=${ADMIN_EMAIL}|\" .env
+    # Out-of-box LAN-Direktzugriff (kein Reverse-Proxy) → auf allen Interfaces
+    # lauschen. Für Domain/HTTPS hinter Proxy: BIND_ADDR=127.0.0.1 setzen.
+    sed -i \"s|^BIND_ADDR=.*|BIND_ADDR=0.0.0.0|\" .env
+    # CORS auf die Browser-Origin (= SITE_URL) festnageln statt „*\".
+    sed -i \"s|__CORS_ORIGIN__|http://\${HOSTIP}:8080|g\" kong.yml
+    echo 'OK: .env generiert.'
+  fi
+
+  # Der CMS-Container läuft als non-root (uid 1000). Das gemountete Repo muss
+  # ihm gehören, damit Hugo public/ bauen und content/ schreiben kann.
+  chown -R 1000:1000 '${APP_DIR}'
+
+  if [ '${COMPOSE_UP}' = 'true' ]; then
+    echo '→ Baue + starte Stack (dauert beim ersten Mal ein paar Minuten)…'
+    docker compose up -d --build
+  fi
+
+  # Tägliches DB-Backup (3:15 Uhr) — Dialog-Daten liegen NUR in Postgres.
+  printf 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n15 3 * * * root cd ${APP_DIR}/cms && bash scripts/backup-db.sh >> /var/log/openbureau-backup.log 2>&1\n' > /etc/cron.d/openbureau-backup
+  echo 'OK: tägliches DB-Backup eingerichtet (/etc/cron.d/openbureau-backup).'
+"
+
+# --- 5. Abschluss --------------------------------------------------------
+IPADDR="$(pct exec "$CTID" -- hostname -I 2>/dev/null | awk '{print $1}')"
+say "Fertig. LXC $CTID läuft${IPADDR:+ unter $IPADDR}."
+
+cat <<EOF
+
+Admin:    http://${IPADDR:-<ip>}:8080/admin/
+Live:     http://${IPADDR:-<ip>}:8080/
+Supabase: http://${IPADDR:-<ip>}:8000   (nur API-Gateway, keine Web-UI — / gibt 404, ist normal)
+
+Login-User anlegen (im Container, nach dem Start):
+  pct enter ${CTID}
+  cd ${APP_DIR}/cms
+  source .env
+  curl -s -X POST "http://localhost:8000/auth/v1/admin/users" \\
+    -H "apikey: \$SERVICE_ROLE_KEY" \\
+    -H "Authorization: Bearer \$SERVICE_ROLE_KEY" \\
+    -H "Content-Type: application/json" \\
+    -d '{"email":"${ADMIN_EMAIL}","password":"DEIN-PASSWORT","email_confirm":true}'
+
+Hinweise:
+  • :8000 ist das Supabase-API-Gateway (Kong), keine Web-Oberfläche.
+    Das Admin-Login (:8080/admin/) spricht im Hintergrund damit.
+  • Für Domain/HTTPS: SITE_URL + API_EXTERNAL_URL in .env auf die
+    öffentliche Adresse setzen und 'docker compose up -d --build' neu.
+  • Logs:  pct enter ${CTID}; cd ${APP_DIR}/cms; docker compose logs -f
+EOF
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# OPENBUREAU — Backup der Postgres-DB.
+#
+# WICHTIG: Foren, Threads und Wortmeldungen (Dialog) leben NUR in Postgres —
+# anders als content/*.md sind sie NICHT in Git. Ohne Backup sind sie beim
+# Verlust des Volumes weg. Dieses Skript dumpt die ganze DB komprimiert weg.
+#
+# Auf dem Host/LXC im cms/-Verzeichnis ausführen (oder per Cron, siehe README):
+#   bash scripts/backup-db.sh
+#
+# Wiederherstellen:
+#   gunzip -c backups/openbureau-<TS>.sql.gz \
+#     | docker compose exec -T db psql -U supabase_admin -d postgres
+set -euo pipefail
+
+# Ins cms/-Verzeichnis (eine Ebene über scripts/).
+cd "$(dirname "$0")/.."
+
+DIR="${BACKUP_DIR:-./backups}"
+KEEP="${BACKUP_KEEP:-14}"        # wie viele Dumps behalten
+mkdir -p "$DIR"
+
+TS="$(date +%Y%m%d-%H%M%S)"
+OUT="$DIR/openbureau-$TS.sql.gz"
+
+docker compose exec -T db pg_dump -U supabase_admin -d postgres | gzip > "$OUT"
+echo "✓ Backup: $OUT ($(du -h "$OUT" | cut -f1))"
+
+# Rotation: nur die letzten $KEEP Dumps behalten.
+ls -1t "$DIR"/openbureau-*.sql.gz 2>/dev/null | tail -n +$((KEEP + 1)) | xargs -r rm -f
@@ -0,0 +1,50 @@
+#!/usr/bin/env node
+// Generiert ANON_KEY und SERVICE_ROLE_KEY (JWTs, HS256) aus dem JWT_SECRET
+// in der .env. Ohne diese Keys können GoTrue und PostgREST nicht reden.
+// (Gespiegelt von RAPPORT-SERVER — generisch, nicht app-spezifisch.)
+//
+// Aufruf:
+//   node scripts/generate-keys.mjs          # liest JWT_SECRET aus .env
+//   node scripts/generate-keys.mjs <secret> # explizit übergeben
+
+import crypto from "node:crypto";
+import fs from "node:fs";
+
+function base64url(input) {
+  return Buffer.from(input).toString("base64")
+    .replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+
+function signJwt(payload, secret) {
+  const header = base64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
+  const body = base64url(JSON.stringify(payload));
+  const sig = base64url(crypto.createHmac("sha256", secret).update(`${header}.${body}`).digest());
+  return `${header}.${body}.${sig}`;
+}
+
+let secret = process.argv[2];
+if (!secret) {
+  try {
+    const env = fs.readFileSync(".env", "utf8");
+    const m = env.match(/^JWT_SECRET=(.+)$/m);
+    if (m) secret = m[1].trim().replace(/^["']|["']$/g, "");
+  } catch {}
+}
+
+if (!secret || secret.length < 32 || secret.includes("CHANGE-ME")) {
+  console.error("✗ Kein gültiges JWT_SECRET gefunden (mind. 32 Zeichen, nicht der Placeholder).");
+  console.error("  Setze JWT_SECRET in .env oder gib es als Argument:");
+  console.error("    node scripts/generate-keys.mjs $(openssl rand -hex 32)");
+  process.exit(1);
+}
+
+const now = Math.floor(Date.now() / 1000);
+const tenYears = now + 10 * 365 * 24 * 3600;
+
+const anonKey = signJwt({ role: "anon", iss: "supabase", iat: now, exp: tenYears }, secret);
+const serviceKey = signJwt({ role: "service_role", iss: "supabase", iat: now, exp: tenYears }, secret);
+
+console.log("ANON_KEY=" + anonKey);
+console.log("SERVICE_ROLE_KEY=" + serviceKey);
+console.error("");
+console.error("→ Werte in .env eintragen (überschreibt CHANGE-ME-Placeholder).");
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+# OPENBUREAU — Update im LXC in einem Rutsch.
+# Statt `git pull` direkt: holt den Code, rendert die Deploy-Config, setzt die
+# Dateirechte für den non-root-Container und startet den Stack neu.
+#
+# Im Container (als root) ausführen:
+#   bash /opt/openbureau/cms/update.sh
+set -euo pipefail
+
+# Repo-Root = eine Ebene über diesem Skript (cms/..).
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$ROOT"
+
+# Git läuft hier als root auf einem Repo, das dem Container-User (uid 1000)
+# gehört → ohne das meckert Git über „dubious ownership".
+git config --global --add safe.directory "$ROOT" 2>/dev/null || true
+
+echo "→ git pull…"
+# kong.yml wird beim Deploy lokal gerendert (CORS-Origin eingesetzt). Vor dem
+# Pull auf die versionierte Vorlage (mit __CORS_ORIGIN__) zurücksetzen, sonst
+# kollidiert der Pull mit der lokalen Änderung.
+git checkout -- cms/kong.yml 2>/dev/null || true
+git pull --ff-only
+
+cd "$ROOT/cms"
+
+# CORS-Origin aus SITE_URL (.env) in kong.yml einsetzen — eine Quelle der Wahrheit.
+ORIGIN="$(grep -E '^SITE_URL=' .env | head -1 | cut -d= -f2-)"
+if [ -n "${ORIGIN:-}" ]; then
+  sed -i "s|__CORS_ORIGIN__|${ORIGIN}|g" kong.yml
+  echo "✓ CORS-Origin gesetzt: ${ORIGIN}"
+else
+  echo "WARN: SITE_URL in .env nicht gefunden — kong.yml-Origin bleibt Platzhalter."
+fi
+
+# Der CMS-Container läuft als uid 1000 und muss das ganze Repo schreiben können
+# (Hugo baut public/, schreibt content/). git pull als root zieht neue Dateien
+# als root → hier wieder geradeziehen.
+chown -R 1000:1000 "$ROOT"
+echo "✓ Dateirechte (uid 1000) gesetzt."
+
+echo "→ docker compose up…"
+docker compose up -d --build
+# kong liest die declarative config nur beim Start — nach kong.yml-Änderung neu.
+docker compose restart kong
+echo "✓ Stack neu gestartet."
+
+# Kurzer Healthcheck (localhost im LXC, unabhängig von BIND_ADDR).
+PORT="$(grep -E '^APP_PORT=' .env | head -1 | cut -d= -f2-)"; PORT="${PORT:-8080}"
+sleep 2
+if curl -fsS -I "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then
+  echo "✓ Seite antwortet auf :${PORT}."
+else
+  echo "WARN: Seite antwortet (noch) nicht auf :${PORT} — 'docker compose ps' prüfen."
+fi
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# Läuft als LETZTES File in /docker-entrypoint-initdb.d/ — nach den
+# supabase-internen Init-Scripts (auth-schema, postgrest-roles, …).
+# (Muster gespiegelt von RAPPORT-SERVER.)
+#
+# 1. Gleicht die Service-Rollen-Passwörter an POSTGRES_PASSWORD an
+#    (sonst SASL/MD5-Auth-Fehler bei GoTrue/PostgREST).
+# 2. Spielt das OPENBUREAU-Schema (posts-Tabelle) ein.
+
+set -euo pipefail
+
+echo "→ Setze Passwörter für Supabase-Service-Rollen auf POSTGRES_PASSWORD…"
+psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U supabase_admin -d "${POSTGRES_DB:-postgres}" <<EOF
+alter user authenticator              with password '${POSTGRES_PASSWORD}';
+alter user supabase_auth_admin        with password '${POSTGRES_PASSWORD}';
+alter user supabase_storage_admin     with password '${POSTGRES_PASSWORD}';
+alter user supabase_replication_admin with password '${POSTGRES_PASSWORD}';
+alter user supabase_read_only_user    with password '${POSTGRES_PASSWORD}';
+EOF
+echo "✓ Service-Rollen-Passwörter aktualisiert."
+
+SCHEMA=/openbureau-schema.sql
+if [ -f "$SCHEMA" ]; then
+  echo "→ Spiele OPENBUREAU-Schema ein ($SCHEMA)…"
+  psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U supabase_admin -d "${POSTGRES_DB:-postgres}" -f "$SCHEMA"
+  # PostgREST braucht Leserechte für die anon/authenticated-Rollen.
+  psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U supabase_admin -d "${POSTGRES_DB:-postgres}" <<'EOF'
+grant usage on schema public to anon, authenticated, service_role;
+grant all on all tables in schema public to anon, authenticated, service_role;
+grant all on all sequences in schema public to anon, authenticated, service_role;
+alter default privileges in schema public
+  grant all on tables to anon, authenticated, service_role;
+EOF
+  echo "✓ OPENBUREAU-Schema bereit."
+else
+  echo "→ $SCHEMA fehlt — Schema NICHT eingespielt."
+fi
@@ -0,0 +1,32 @@
+---
+title: "Datenschutz"
+toc: false
+showreadingtime: false
+---
+
+OPENBUREAU ist selbst-gehostet — ohne Werbung, ohne Tracker, ohne Analyse-Dienste Dritter. So wenig Daten wie möglich zu erheben, ist Teil der Idee.
+
+## Verantwortlich
+
+Karim Varano, Fluhmühlerain 1, 6015 Luzern.
+Kontakt: [karim@gabrielevarano.ch](mailto:karim@gabrielevarano.ch)
+
+## Beim Besuch der Seite
+
+Beim Aufruf werden technische Zugriffsdaten (IP-Adresse, Zeitpunkt, aufgerufene Seite, Browsertyp) kurzzeitig in Server-Logs erfasst — ausschließlich für Betrieb und Sicherheit. Diese Daten werden nicht mit anderen Quellen zusammengeführt, nicht für Werbung verwendet und nicht an Dritte weitergegeben.
+
+Es kommen **keine** Tracking-Cookies, **keine** Analyse-Werkzeuge (etwa Google Analytics) und **keine** Werbenetzwerke zum Einsatz.
+
+## Dialog (Mitschreiben)
+
+Lesen ist anonym. Wer im [Dialog](/dialog/) mitschreibt, legt ein Konto an: dafür werden eine E-Mail-Adresse und ein angezeigter Name gespeichert. Deine Wortmeldungen erscheinen mit diesem Namen öffentlich. Nach dem Login wird ein Sitzungs-Token lokal in deinem Browser (localStorage) abgelegt — kein serverseitiges Tracking.
+
+Diese Daten liegen auf eigener Infrastruktur in Luzern (self-hosted) und werden nicht an Dritte weitergegeben.
+
+## Deine Rechte
+
+Nach dem Schweizer Datenschutzgesetz (revDSG) hast du das Recht auf Auskunft, Berichtigung und Löschung deiner Daten — eine kurze Mail genügt. Beschwerden kannst du beim Eidgenössischen Datenschutz- und Öffentlichkeitsbeauftragten (EDÖB) einreichen.
+
+## Offenheit
+
+Die Seite ist quelloffen; der Code ist einsehbar. Zu Lizenzen und Technik siehe [Colophon](/colophon/).
@@ -0,0 +1,5 @@
+---
+title: Dialog
+layout: dialog
+toc: false
+---
@@ -0,0 +1,19 @@
+---
+title: "Kontakt / Impressum"
+toc: false
+showreadingtime: false
+---
+
+## Kontakt
+
+[karim@gabrielevarano.ch](mailto:karim@gabrielevarano.ch)
+
+Oder direkt im [Dialog](/dialog/).
+
+## Impressum
+
+Karim Varano\
+Fluhmühlerain 1\
+6015 Luzern
+
+Privatperson
@@ -0,0 +1,17 @@
+---
+title: "Im Offenen arbeiten"
+date: 2026-05-30
+tags: ["büroführung", "open-source", "muster"]
+summary: "Warum ein offenes Büro robuster ist — und wie Lizenzen das absichern. (Musterbeitrag mit Fußnoten.)"
+color: sakura
+layout: text
+---
+
+Offen zu arbeiten heißt nicht, alles zu verschenken. Es heißt, die Grundlagen so zu teilen, dass andere darauf aufbauen können — und dass die Arbeit den Wechsel von Werkzeugen, Mitarbeitenden und Jahren übersteht.
+
+Die rechtliche Absicherung dafür sind Lizenzen. Inhalte auf OPENBUREAU stehen unter CC BY-SA,[^ccbysa] der Code überwiegend unter AGPL oder MIT.[^agpl] Beide sorgen dafür, dass Offenheit weitergegeben wird, statt verloren zu gehen.
+
+Verwandt: Der [Werkzeug-Stack](/library/software/stack/) zeigt, womit wir das konkret tun.
+
+[^ccbysa]: Creative Commons, *Attribution-ShareAlike 4.0 International* (CC BY-SA 4.0), <https://creativecommons.org/licenses/by-sa/4.0/>.
+[^agpl]: Free Software Foundation, *GNU Affero General Public License v3.0*, 2007.
@@ -3,18 +3,20 @@ title: "Warum ein offenes Büro"
 date: 2026-05-22
 tags: ["büroführung", "praxis", "open-source"]
 summary: "Ein offenes Architekturbüro ist nicht karitativ — es ist praktischer, robuster, ehrlicher."
+color: sakura
+layout: text
 ---

-Architektur ist traditionell ein geschlossener Beruf. Wettbewerbe sind nicht-öffentlich, Verträge nicht-verhandelbar, Werkzeuge proprietär. Wissen wird gehortet, weil es als Wettbewerbsvorteil verstanden wird.
+Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

-Wir bezweifeln, dass das stimmt.
+Duis aute irure dolor in reprehenderit.

-**Offen** zu arbeiten heisst hier dreierlei:
+**Lorem ipsum** dolor sit amet:

-1. **Texte und Notizen sind öffentlich.** Wer mitlesen will, kann das.
-2. **Werkzeuge sind frei.** Programme wie DOSSIER und RAPPORT sind quelloffen, andere dürfen sie nutzen, anpassen, weiterbauen.
-3. **Verträge und Honorare sind dokumentiert.** Wir zeigen, wie ein offenes Büro sich finanziert, ohne das gegen sich zu drehen.
+1. **Consectetur adipiscing elit.** Sed do eiusmod tempor incididunt ut labore.
+2. **Ut enim ad minim veniam.** Quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
+3. **Duis aute irure dolor.** In reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.

-Das ist kein karitatives Projekt. Es ist eine Wette darauf, dass **Offenheit produktiver ist als Abschottung** — für die Praxis, für die Kollegen, für die Disziplin.
+Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt — **mollit anim id est laborum** — sed ut perspiciatis unde omnis iste.

-— mehr dazu in den folgenden Notizen.
+— natus error sit voluptatem accusantium.
@@ -5,9 +5,12 @@ weight: 10
 tags: ["software", "eigene-werkzeuge"]
 summary: "Projektorganisation für ein Architekturbüro — von der Anfrage zur Übergabe."
 external: "https://dossier.gabrielevarano.ch"
+color: kori
+cover_image: /images/tokyo-metro.jpg
+layout: icon
 ---

-**DOSSIER** ist die Projektverwaltung von OPENBUREAU.
-Eine Anwendung, die ein Projekt von der ersten Anfrage bis zur Schlussrechnung begleitet — strukturiert, nachvollziehbar, offen.
+**Lorem ipsum dolor sit amet**, consectetur adipiscing elit.
+Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua — ut enim ad minim veniam, quis nostrud exercitation.

 → [dossier.gabrielevarano.ch](https://dossier.gabrielevarano.ch)
@@ -3,13 +3,15 @@ title: "Warum wir eigene Werkzeuge bauen"
 date: 2026-05-21
 tags: ["software", "praxis", "tools"]
 summary: "DOSSIER und RAPPORT sind keine Lifestyle-Projekte — sie sind Reaktion auf konkrete Lücken."
+color: yuyake
+layout: text
 ---

-Wir benutzen viel fremde Software. Aber an zwei Stellen kam keiner der existierenden Werkzeuge an die Praxis heran, die wir brauchten — also haben wir selbst gebaut.
+Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua — ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

- **[DOSSIER](https://dossier.gabrielevarano.ch)** organisiert Projekte: von der ersten Anfrage über Vertrag, Planstände, Rechnungen bis zur Übergabe. Strukturiert genug, um nichts zu verlieren; offen genug, um nicht im Weg zu stehen.
- **[RAPPORT](https://rapport.gabrielevarano.ch)** hält Stunden, Wege und Aufwand fest. Nicht als Überwachung, sondern als Material für die nächste Honoraroffert.
+- **[DOSSIER](https://dossier.gabrielevarano.ch)** — duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia.
+- **[RAPPORT](https://rapport.gabrielevarano.ch)** — sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam.

-Beide sind quelloffen. Beide sind im Aufbau. Beide sind so geschrieben, dass ein anderes Büro sie morgen für sich nutzen könnte.
+Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt.

-Eine vollständige Liste der **anderen** Werkzeuge, die wir empfehlen, findet sich unter [Werkzeuge](/library/werkzeuge).
+Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet — [Werkzeuge](/library/werkzeuge).
@@ -0,0 +1,21 @@
+---
+title: "Die Werkzeugkette"
+date: 2026-06-01
+tags: ["software", "werkzeuge", "muster"]
+summary: "Wie DOSSIER, RAPPORT und die Site zusammenspielen. (Musterbeitrag mit Fußnoten und Code.)"
+color: yuyake
+layout: text
+---
+
+Die Werkzeuge des Büros sind keine Inseln, sondern eine Kette: [DOSSIER](/library/software/dossier/) hält die Projektdaten, [RAPPORT](/library/software/rapport/) erzeugt Berichte daraus, und diese Site veröffentlicht, was öffentlich sein soll.
+
+Der Build ist bewusst banal — ein Befehl:[^hugo]
+
+```sh
+hugo --minify --destination public
+```
+
+Alles dateibasiert, alles versioniert. Wer den Stand von gestern braucht, fragt Git, nicht ein Backup.[^git]
+
+[^hugo]: Hugo, *The world's fastest framework for building websites*, <https://gohugo.io>.
+[^git]: Versionierung ersetzt kein Backup — aber sie macht jede Änderung nachvollziehbar; siehe „Verlauf" unter jedem Beitrag.
@@ -5,9 +5,11 @@ weight: 20
 tags: ["software", "eigene-werkzeuge"]
 summary: "Zeit- und Aufwandserfassung für ein Architekturbüro."
 external: "https://rapport.gabrielevarano.ch"
+color: kusa
+layout: text
 ---

-**RAPPORT** erfasst Stunden, Wege und Aufwand.
-Material für transparente Honorarofferten, nicht für Überwachung.
+**Lorem ipsum dolor sit amet**, consectetur adipiscing elit.
+Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

 → [rapport.gabrielevarano.ch](https://rapport.gabrielevarano.ch)
@@ -4,29 +4,31 @@ date: 2026-05-23
 weight: 30
 tags: ["software", "stack", "empfehlungen"]
 summary: "Programme und Dienste, die wir Tag für Tag benutzen — kuratiert und kommentiert."
+cover_image: /images/tokyo-metro.jpg
+layout: image
 ---

-Diese Liste wächst. Sie ist kein Inventar, sondern eine **Position**: jedes Werkzeug steht für eine Entscheidung über die Arbeitsweise des Büros.
+Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore — **lorem ipsum**: ut enim ad minim veniam, quis nostrud exercitation ullamco.

-## Zeichnen & Modellieren
+## Lorem Ipsum I

- **Rhino + Grasshopper** — das Rückgrat des geometrischen Arbeitens. Wir entwickeln eigene Plugins ([Rhino-Panel](https://gitea.kgva.ch)).
- **Blender** — für freie 3D-Arbeiten, Visualisierungen, Animation.
+- **Lorem ipsum** — dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor ([lorem ipsum](https://gitea.kgva.ch)).
+- **Dolor sit** — ut labore et dolore magna aliqua, ut enim ad minim veniam.

-## Schreiben & Dokumentieren
+## Lorem Ipsum II

- **Markdown + Hugo** — alle Texte, auch diese hier, sind `.md` und werden statisch generiert.
- **Zotero** — Literatur und Quellen.
+- **Consectetur** — quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo.
+- **Adipiscing** — duis aute irure dolor in reprehenderit.

-## Koordination
+## Lorem Ipsum III

- **Gitea** (selbst-gehostet) — Code, Texte, Repositories.
- **Flarum** (selbst-gehostet) — Diskussion und Gespräch.
- **Nextcloud** (selbst-gehostet) — Dateien, Kalender, Kontakte.
+- **Eiusmod tempor** (lorem ipsum) — incididunt ut labore et dolore magna.
+- **Ut enim ad minim** (lorem ipsum) — veniam, quis nostrud exercitation.
+- **Quis nostrud** (lorem ipsum) — ullamco laboris nisi ut aliquip.

-## Eigene Werkzeuge
+## Lorem Ipsum IV

- **[DOSSIER](/library/software/dossier/)** — Projektverwaltung.
- **[RAPPORT](/library/software/rapport/)** — Stundenerfassung.
+- **[DOSSIER](/library/software/dossier/)** — lorem ipsum.
+- **[RAPPORT](/library/software/rapport/)** — dolor sit amet.

-— diese Seite wird laufend erweitert.
+— sed ut perspiciatis unde omnis iste natus error sit voluptatem.
@@ -0,0 +1,18 @@
+---
+title: "Typus und Modell"
+date: 2026-05-28
+tags: ["theorie", "typologie", "muster"]
+summary: "Eine kurze Unterscheidung — und warum sie fürs Entwerfen praktisch ist. (Musterbeitrag mit Fußnoten.)"
+color: kusa
+layout: text
+---
+
+Quatremère de Quincy trennte im frühen 19. Jahrhundert *Typus* und *Modell*: Das Modell ist die exakte Vorlage zum Kopieren, der Typus dagegen ein Prinzip, das viele verschiedene Werke begründen kann.[^quatremere]
+
+Rafael Moneo griff diese Idee 1978 wieder auf und machte sie für die Praxis brauchbar — der Typus ist kein Käfig, sondern ein Ausgangspunkt, gegen den man entwirft.[^moneo] Aldo Rossi schließlich verband den Typus mit der Stadt: als dauerhaftes Element, das den Wandel überdauert.[^rossi]
+
+Fürs Büro heißt das konkret: Wer den Typus einer Aufgabe versteht, entwirft nicht aus dem Nichts, sondern variiert bewusst. Das spart Zeit und macht Entscheidungen begründbar.
+
+[^quatremere]: Antoine-Chrysostome Quatremère de Quincy, *Encyclopédie méthodique. Architecture*, Bd. 3, Paris 1825, Stichwort „Type".
+[^moneo]: Rafael Moneo, „On Typology", in: *Oppositions* 13 (1978), S. 22–45.
+[^rossi]: Aldo Rossi, *L'architettura della città*, Padua 1966.
@@ -3,12 +3,14 @@ title: "Typologie als Werkzeug"
 date: 2026-05-20
 tags: ["theorie", "typologie", "methode"]
 summary: "Erste Notiz über Typologie nicht als Katalog, sondern als operatives Werkzeug im Entwurf."
+color: ajisai
+layout: text
 ---

-Typologie wird oft als Inhaltsverzeichnis missverstanden: eine Liste von Grundrissen, sortiert nach Funktion. Diese Lesart ist bequem und falsch.
+Lorem ipsum dolor sit amet, consectetur adipiscing elit: sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation.

-Eine Typologie ist ein **Denkwerkzeug**. Sie macht das Wiederkehrende sichtbar und damit das Besondere argumentierbar. Erst wenn wir das Übliche kennen, können wir das Eigentümliche begründen.
+Ullamco laboris nisi ut **aliquip ex ea commodo consequat**. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.

-Im Entwurf bedeutet das: nicht "welcher Typ ist das?", sondern "**gegen welchen Typ** entwerfen wir hier?".
+Excepteur sint occaecat: nicht "cupidatat non proident?", sondern "**sunt in culpa** qui officia deserunt mollit?".

-— ein erster Notiz, weitere folgen.
+— sed ut perspiciatis, weitere folgen.
@@ -0,0 +1,11 @@
+---
+title: "Lizenzen"
+description: "Unter welchen Lizenzen OPENBUREAU steht."
+toc: false
+showreadingtime: false
+---
+
+OPENBUREAU ist komplett offen lizenziert:
+
+- **Code** — [GNU AGPL v3.0](/lizenz/agpl-3.0/)
+- **Inhalte (Texte, Bilder)** — [CC BY-SA 4.0](/lizenz/cc-by-sa-4.0/)
@@ -0,0 +1,673 @@
+---
+title: "GNU AGPL v3.0"
+description: "Lizenz des OPENBUREAU-Codes."
+toc: false
+showreadingtime: false
+---
+
+Der **Code** von OPENBUREAU steht unter der GNU Affero General Public License, Version 3.
+
+```text
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU Affero General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.
+
+```
@@ -0,0 +1,440 @@
+---
+title: "CC BY-SA 4.0"
+description: "Lizenz der OPENBUREAU-Inhalte."
+toc: false
+showreadingtime: false
+---
+
+Die **Inhalte** (Texte, Bilder) von OPENBUREAU stehen unter Creative Commons Namensnennung – Weitergabe unter gleichen Bedingungen 4.0 International.
+
+```text
+Attribution-ShareAlike 4.0 International
+
+=======================================================================
+
+Creative Commons Corporation ("Creative Commons") is not a law firm and
+does not provide legal services or legal advice. Distribution of
+Creative Commons public licenses does not create a lawyer-client or
+other relationship. Creative Commons makes its licenses and related
+information available on an "as-is" basis. Creative Commons gives no
+warranties regarding its licenses, any material licensed under their
+terms and conditions, or any related information. Creative Commons
+disclaims all liability for damages resulting from their use to the
+fullest extent possible.
+
+Using Creative Commons Public Licenses
+
+Creative Commons public licenses provide a standard set of terms and
+conditions that creators and other rights holders may use to share
+original works of authorship and other material subject to copyright
+and certain other rights specified in the public license below. The
+following considerations are for informational purposes only, are not
+exhaustive, and do not form part of our licenses.
+
+     Considerations for licensors: Our public licenses are
+     intended for use by those authorized to give the public
+     permission to use material in ways otherwise restricted by
+     copyright and certain other rights. Our licenses are
+     irrevocable. Licensors should read and understand the terms
+     and conditions of the license they choose before applying it.
+     Licensors should also secure all rights necessary before
+     applying our licenses so that the public can reuse the
+     material as expected. Licensors should clearly mark any
+     material not subject to the license. This includes other CC-
+     licensed material, or material used under an exception or
+     limitation to copyright. More considerations for licensors:
+    wiki.creativecommons.org/Considerations_for_licensors
+
+     Considerations for the public: By using one of our public
+     licenses, a licensor grants the public permission to use the
+     licensed material under specified terms and conditions. If
+     the licensor's permission is not necessary for any reason--for
+     example, because of any applicable exception or limitation to
+     copyright--then that use is not regulated by the license. Our
+     licenses grant only permissions under copyright and certain
+     other rights that a licensor has authority to grant. Use of
+     the licensed material may still be restricted for other
+     reasons, including because others have copyright or other
+     rights in the material. A licensor may make special requests,
+     such as asking that all changes be marked or described.
+     Although not required by our licenses, you are encouraged to
+     respect those requests where reasonable. More considerations
+     for the public:
+    wiki.creativecommons.org/Considerations_for_licensees
+
+=======================================================================
+
+Creative Commons Attribution-ShareAlike 4.0 International Public
+License
+
+By exercising the Licensed Rights (defined below), You accept and agree
+to be bound by the terms and conditions of this Creative Commons
+Attribution-ShareAlike 4.0 International Public License ("Public
+License"). To the extent this Public License may be interpreted as a
+contract, You are granted the Licensed Rights in consideration of Your
+acceptance of these terms and conditions, and the Licensor grants You
+such rights in consideration of benefits the Licensor receives from
+making the Licensed Material available under these terms and
+conditions.
+
+
+Section 1 -- Definitions.
+
+  a. Adapted Material means material subject to Copyright and Similar
+     Rights that is derived from or based upon the Licensed Material
+     and in which the Licensed Material is translated, altered,
+     arranged, transformed, or otherwise modified in a manner requiring
+     permission under the Copyright and Similar Rights held by the
+     Licensor. For purposes of this Public License, where the Licensed
+     Material is a musical work, performance, or sound recording,
+     Adapted Material is always produced where the Licensed Material is
+     synched in timed relation with a moving image.
+
+  b. Adapter's License means the license You apply to Your Copyright
+     and Similar Rights in Your contributions to Adapted Material in
+     accordance with the terms and conditions of this Public License.
+
+  c. BY-SA Compatible License means a license listed at
+     creativecommons.org/compatiblelicenses, approved by Creative
+     Commons as essentially the equivalent of this Public License.
+
+  d. Copyright and Similar Rights means copyright and/or similar rights
+     closely related to copyright including, without limitation,
+     performance, broadcast, sound recording, and Sui Generis Database
+     Rights, without regard to how the rights are labeled or
+     categorized. For purposes of this Public License, the rights
+     specified in Section 2(b)(1)-(2) are not Copyright and Similar
+     Rights.
+
+  e. Effective Technological Measures means those measures that, in the
+     absence of proper authority, may not be circumvented under laws
+     fulfilling obligations under Article 11 of the WIPO Copyright
+     Treaty adopted on December 20, 1996, and/or similar international
+     agreements.
+
+  f. Exceptions and Limitations means fair use, fair dealing, and/or
+     any other exception or limitation to Copyright and Similar Rights
+     that applies to Your use of the Licensed Material.
+
+  g. License Elements means the license attributes listed in the name
+     of a Creative Commons Public License. The License Elements of this
+     Public License are Attribution and ShareAlike.
+
+  h. Licensed Material means the artistic or literary work, database,
+     or other material to which the Licensor applied this Public
+     License.
+
+  i. Licensed Rights means the rights granted to You subject to the
+     terms and conditions of this Public License, which are limited to
+     all Copyright and Similar Rights that apply to Your use of the
+     Licensed Material and that the Licensor has authority to license.
+
+  j. Licensor means the individual(s) or entity(ies) granting rights
+     under this Public License.
+
+  k. Share means to provide material to the public by any means or
+     process that requires permission under the Licensed Rights, such
+     as reproduction, public display, public performance, distribution,
+     dissemination, communication, or importation, and to make material
+     available to the public including in ways that members of the
+     public may access the material from a place and at a time
+     individually chosen by them.
+
+  l. Sui Generis Database Rights means rights other than copyright
+     resulting from Directive 96/9/EC of the European Parliament and of
+     the Council of 11 March 1996 on the legal protection of databases,
+     as amended and/or succeeded, as well as other essentially
+     equivalent rights anywhere in the world.
+
+  m. You means the individual or entity exercising the Licensed Rights
+     under this Public License. Your has a corresponding meaning.
+
+
+Section 2 -- Scope.
+
+  a. License grant.
+
+       1. Subject to the terms and conditions of this Public License,
+          the Licensor hereby grants You a worldwide, royalty-free,
+          non-sublicensable, non-exclusive, irrevocable license to
+          exercise the Licensed Rights in the Licensed Material to:
+
+            a. reproduce and Share the Licensed Material, in whole or
+               in part; and
+
+            b. produce, reproduce, and Share Adapted Material.
+
+       2. Exceptions and Limitations. For the avoidance of doubt, where
+          Exceptions and Limitations apply to Your use, this Public
+          License does not apply, and You do not need to comply with
+          its terms and conditions.
+
+       3. Term. The term of this Public License is specified in Section
+          6(a).
+
+       4. Media and formats; technical modifications allowed. The
+          Licensor authorizes You to exercise the Licensed Rights in
+          all media and formats whether now known or hereafter created,
+          and to make technical modifications necessary to do so. The
+          Licensor waives and/or agrees not to assert any right or
+          authority to forbid You from making technical modifications
+          necessary to exercise the Licensed Rights, including
+          technical modifications necessary to circumvent Effective
+          Technological Measures. For purposes of this Public License,
+          simply making modifications authorized by this Section 2(a)
+          (4) never produces Adapted Material.
+
+       5. Downstream recipients.
+
+            a. Offer from the Licensor -- Licensed Material. Every
+               recipient of the Licensed Material automatically
+               receives an offer from the Licensor to exercise the
+               Licensed Rights under the terms and conditions of this
+               Public License.
+
+            b. Additional offer from the Licensor -- Adapted Material.
+               Every recipient of Adapted Material from You
+               automatically receives an offer from the Licensor to
+               exercise the Licensed Rights in the Adapted Material
+               under the conditions of the Adapter's License You apply.
+
+            c. No downstream restrictions. You may not offer or impose
+               any additional or different terms or conditions on, or
+               apply any Effective Technological Measures to, the
+               Licensed Material if doing so restricts exercise of the
+               Licensed Rights by any recipient of the Licensed
+               Material.
+
+       6. No endorsement. Nothing in this Public License constitutes or
+          may be construed as permission to assert or imply that You
+          are, or that Your use of the Licensed Material is, connected
+          with, or sponsored, endorsed, or granted official status by,
+          the Licensor or others designated to receive attribution as
+          provided in Section 3(a)(1)(A)(i).
+
+  b. Other rights.
+
+       1. Moral rights, such as the right of integrity, are not
+          licensed under this Public License, nor are publicity,
+          privacy, and/or other similar personality rights; however, to
+          the extent possible, the Licensor waives and/or agrees not to
+          assert any such rights held by the Licensor to the limited
+          extent necessary to allow You to exercise the Licensed
+          Rights, but not otherwise.
+
+       2. Patent and trademark rights are not licensed under this
+          Public License.
+
+       3. To the extent possible, the Licensor waives any right to
+          collect royalties from You for the exercise of the Licensed
+          Rights, whether directly or through a collecting society
+          under any voluntary or waivable statutory or compulsory
+          licensing scheme. In all other cases the Licensor expressly
+          reserves any right to collect such royalties.
+
+
+Section 3 -- License Conditions.
+
+Your exercise of the Licensed Rights is expressly made subject to the
+following conditions.
+
+  a. Attribution.
+
+       1. If You Share the Licensed Material (including in modified
+          form), You must:
+
+            a. retain the following if it is supplied by the Licensor
+               with the Licensed Material:
+
+                 i. identification of the creator(s) of the Licensed
+                    Material and any others designated to receive
+                    attribution, in any reasonable manner requested by
+                    the Licensor (including by pseudonym if
+                    designated);
+
+                ii. a copyright notice;
+
+               iii. a notice that refers to this Public License;
+
+                iv. a notice that refers to the disclaimer of
+                    warranties;
+
+                 v. a URI or hyperlink to the Licensed Material to the
+                    extent reasonably practicable;
+
+            b. indicate if You modified the Licensed Material and
+               retain an indication of any previous modifications; and
+
+            c. indicate the Licensed Material is licensed under this
+               Public License, and include the text of, or the URI or
+               hyperlink to, this Public License.
+
+       2. You may satisfy the conditions in Section 3(a)(1) in any
+          reasonable manner based on the medium, means, and context in
+          which You Share the Licensed Material. For example, it may be
+          reasonable to satisfy the conditions by providing a URI or
+          hyperlink to a resource that includes the required
+          information.
+
+       3. If requested by the Licensor, You must remove any of the
+          information required by Section 3(a)(1)(A) to the extent
+          reasonably practicable.
+
+  b. ShareAlike.
+
+     In addition to the conditions in Section 3(a), if You Share
+     Adapted Material You produce, the following conditions also apply.
+
+       1. The Adapter's License You apply must be a Creative Commons
+          license with the same License Elements, this version or
+          later, or a BY-SA Compatible License.
+
+       2. You must include the text of, or the URI or hyperlink to, the
+          Adapter's License You apply. You may satisfy this condition
+          in any reasonable manner based on the medium, means, and
+          context in which You Share Adapted Material.
+
+       3. You may not offer or impose any additional or different terms
+          or conditions on, or apply any Effective Technological
+          Measures to, Adapted Material that restrict exercise of the
+          rights granted under the Adapter's License You apply.
+
+
+Section 4 -- Sui Generis Database Rights.
+
+Where the Licensed Rights include Sui Generis Database Rights that
+apply to Your use of the Licensed Material:
+
+  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
+     to extract, reuse, reproduce, and Share all or a substantial
+     portion of the contents of the database;
+
+  b. if You include all or a substantial portion of the database
+     contents in a database in which You have Sui Generis Database
+     Rights, then the database in which You have Sui Generis Database
+     Rights (but not its individual contents) is Adapted Material,
+     including for purposes of Section 3(b); and
+
+  c. You must comply with the conditions in Section 3(a) if You Share
+     all or a substantial portion of the contents of the database.
+
+For the avoidance of doubt, this Section 4 supplements and does not
+replace Your obligations under this Public License where the Licensed
+Rights include other Copyright and Similar Rights.
+
+
+Section 5 -- Disclaimer of Warranties and Limitation of Liability.
+
+  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+  c. The disclaimer of warranties and limitation of liability provided
+     above shall be interpreted in a manner that, to the extent
+     possible, most closely approximates an absolute disclaimer and
+     waiver of all liability.
+
+
+Section 6 -- Term and Termination.
+
+  a. This Public License applies for the term of the Copyright and
+     Similar Rights licensed here. However, if You fail to comply with
+     this Public License, then Your rights under this Public License
+     terminate automatically.
+
+  b. Where Your right to use the Licensed Material has terminated under
+     Section 6(a), it reinstates:
+
+       1. automatically as of the date the violation is cured, provided
+          it is cured within 30 days of Your discovery of the
+          violation; or
+
+       2. upon express reinstatement by the Licensor.
+
+     For the avoidance of doubt, this Section 6(b) does not affect any
+     right the Licensor may have to seek remedies for Your violations
+     of this Public License.
+
+  c. For the avoidance of doubt, the Licensor may also offer the
+     Licensed Material under separate terms or conditions or stop
+     distributing the Licensed Material at any time; however, doing so
+     will not terminate this Public License.
+
+  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
+     License.
+
+
+Section 7 -- Other Terms and Conditions.
+
+  a. The Licensor shall not be bound by any additional or different
+     terms or conditions communicated by You unless expressly agreed.
+
+  b. Any arrangements, understandings, or agreements regarding the
+     Licensed Material not stated herein are separate from and
+     independent of the terms and conditions of this Public License.
+
+
+Section 8 -- Interpretation.
+
+  a. For the avoidance of doubt, this Public License does not, and
+     shall not be interpreted to, reduce, limit, restrict, or impose
+     conditions on any use of the Licensed Material that could lawfully
+     be made without permission under this Public License.
+
+  b. To the extent possible, if any provision of this Public License is
+     deemed unenforceable, it shall be automatically reformed to the
+     minimum extent necessary to make it enforceable. If the provision
+     cannot be reformed, it shall be severed from this Public License
+     without affecting the enforceability of the remaining terms and
+     conditions.
+
+  c. No term or condition of this Public License will be waived and no
+     failure to comply consented to unless expressly agreed to by the
+     Licensor.
+
+  d. Nothing in this Public License constitutes or may be interpreted
+     as a limitation upon, or waiver of, any privileges and immunities
+     that apply to the Licensor or You, including from the legal
+     processes of any jurisdiction or authority.
+
+
+=======================================================================
+
+Creative Commons is not a party to its public
+licenses. Notwithstanding, Creative Commons may elect to apply one of
+its public licenses to material it publishes and in those instances
+will be considered the “Licensor.” The text of the Creative Commons
+public licenses is dedicated to the public domain under the CC0 Public
+Domain Dedication. Except for the limited purpose of indicating that
+material is shared under a Creative Commons public license or as
+otherwise permitted by the Creative Commons policies published at
+creativecommons.org/policies, Creative Commons does not authorize the
+use of the trademark "Creative Commons" or any other trademark or logo
+of Creative Commons without its prior written consent including,
+without limitation, in connection with any unauthorized modifications
+to any of its public licenses or any other arrangements,
+understandings, or agreements concerning use of licensed material. For
+the avoidance of doubt, this paragraph does not form part of the
+public licenses.
+
+Creative Commons may be contacted at creativecommons.org.
+
+
+```
@@ -0,0 +1,20 @@
+---
+title: "Spenden"
+description: "OPENBUREAU unterstützen."
+toc: false
+showreadingtime: false
+---
+
+![OPENBUREAU](/logo/LOGO-OB.svg)
+
+OPENBUREAU ist komplett Open Source — kein Abo, keine Werbung, keine Tracker. Die ganze Seite und alle Inhalte liegen offen.
+
+Mit einer Spende hilfst du, das am Laufen zu halten und auszubauen:
+
+- **Hosting & Domain** — der Server in Luzern, auf dem alles läuft
+- **Werkzeuge** — Zeit, um Programme wie DOSSIER und RAPPORT weiterzuentwickeln und offen zu teilen
+- **Inhalte** — neue Texte, Recherche und Pflege der Bibliothek
+
+Kein Druck, kein Muss — auch ein Hallo oder eine Wortmeldung im [Dialog](/dialog/) zählt.
+
+*(Konkrete Spendenmöglichkeit folgt hier in Kürze — Twint/PayPal/Ko-fi.)*
@@ -4,7 +4,7 @@ title: "OPENBUREAU"
 theme: "openbureau"

 enableRobotsTXT: true
-enableGitInfo: false
+enableGitInfo: true
 hasCJKLanguage: false

 defaultContentLanguage: de
@@ -72,17 +72,20 @@ menus:
    - name: MANIFEST
      pageRef: /manifest
      weight: 30
-    - name: FORUM
-      url: https://openstudio.kgva.ch
+    - name: DIALOG
+      pageRef: /dialog
      weight: 40
    - name: CODE
-      url: https://gitea.kgva.ch
+      url: https://git.openbureau.ch
      weight: 50

 params:
+  # Öffentliche Gitea-Repo-URL (für Provenance: Version → Commit, Verlauf).
+  repoURL: "https://git.openbureau.ch/karim/OPENBUREAU"
  author:
    name: "Karim Gabriele Varano"
    email: "karim@gabrielevarano.ch"
+    url: "https://gabrielevarano.ch"
  showreadingtime: true
  showlastmod: true
  comments: false
@@ -6,20 +6,22 @@
  <head>
    {{ partial "head.html" . }}
  </head>
-  <body>
+  <body{{ if .IsHome }} class="is-home"{{ end }}>
    <a href="#main-content" class="skip-link">Skip to content</a>
    <header role="banner" class="site-header">
-      <a href="{{ "/" | relURL }}" class="wordmark-link">OPENBUREAU</a>
+      <a href="{{ "/" | relURL }}" class="wordmark-link" aria-label="openbureau"></a>
      <nav class="site-nav" aria-label="Site">
        {{ partial "menu.html" (dict "menuID" "main" "page" .) }}
      </nav>
    </header>
-    <main id="main-content" role="main">{{ block "main" . }}{{ end }}</main>
+    <main id="main-content" role="main">
+      {{ block "main" . }}{{ end }}
      {{ if not .IsHome }}
        <nav class="page-foot-nav" aria-label="Breadcrumb">
          {{ partial "header.html" . }}
        </nav>
      {{ end }}
+    </main>
    <footer role="contentinfo">{{ partial "footer.html" . }}</footer>
  </body>
 </html>
@@ -0,0 +1,7 @@
+{{ define "main" }}
+  <div class="dialog-page">
+    <p class="dialog-back" id="dialog-context"></p>
+    <section id="ob-dialog"></section>
+  </div>
+  <script defer src="/dialog.js"></script>
+{{ end }}
@@ -1,19 +1,48 @@
 {{ define "main" }}
-  {{ partial "terms.html" (dict "taxonomy" "tags" "page" .) }}
+  {{ $section := "" }}
+  {{ with .Parent }}{{ $section = path.Base .RelPermalink }}{{ end }}
+  {{ $cover := .Params.cover_image }}
+  {{ $color := .Params.color }}

-  <article class="single">
+  {{/* Cover image first (full-bleed, directly under the masthead) */}}
+  {{ if $cover }}
+    <img class="single-hero-image" src="{{ $cover | relURL }}" alt="" loading="eager" />
+  {{ end }}
+
+  <article class="single" data-section="{{ $section }}"{{ with $color }} data-color="{{ . }}"{{ end }}>
    <header class="single-header">
      <h1>{{ .Title }}</h1>
+      {{ with .Params.summary }}
+        <p class="single-summary">{{ . }}</p>
+      {{ end }}
+      {{/* Byline + Meta nur bei Library-Beiträgen — Seiten wie Manifest,
+           Kontakt, Spenden brauchen weder Autor noch „Aktualisiert am". */}}
+      {{ if eq .Section "library" }}
        {{ $author := .Params.author | default site.Params.author.name }}
+        {{ $aslug := urlize $author }}
+        {{ if not .Params.author }}{{ with index site.Data.authors site.Params.author.email }}{{ with .slug }}{{ $aslug = . }}{{ end }}{{ end }}{{ end }}
+        {{ $authorPage := and (ne $aslug "") (site.GetPage (printf "/authors/%s" $aslug)) }}
        {{ if or $author .Date }}
          <p class="single-byline">
-          {{ with $author }}<span class="byline-author">von {{ . }}</span>{{ end }}
-          {{ if and $author .Date }} · {{ end }}
-          {{ if .Date }}<time class="byline-date" datetime="{{ .Date.Format "2006-01-02" }}">{{ .Date.Format "2006-01-02" }}</time>{{ end }}
+            {{- with $author -}}
+              {{- if $authorPage -}}<a class="byline-author" href="{{ $authorPage.RelPermalink }}">{{ . }}</a>
+              {{- else -}}<span class="byline-author">{{ . }}</span>{{- end -}}
+            {{- end -}}
+            {{- if and $author .Date -}}, {{ end -}}
+            {{- if .Date -}}<time class="byline-date" datetime="{{ .Date.Format "2006-01-02" }}">{{ .Date.Format "02.01.2006" }}</time>{{- end -}}
+          </p>
+        {{ end }}
+
+        {{/* Reading time + last-modified — Republik-style, directly below byline */}}
+        {{ $showReadingTime := .Params.showreadingtime | default site.Params.showreadingtime | default true }}
+        {{ $showLastMod := .Params.showlastmod | default site.Params.showlastmod | default false }}
+        {{ $hasLastmod := and $showLastMod .Lastmod (ne (.Lastmod.Format "2006-01-02") (.Date.Format "2006-01-02")) }}
+        {{ if or (and $showReadingTime .ReadingTime) $hasLastmod }}
+          <p class="single-meta">
+            {{ if and $showReadingTime .ReadingTime }}<span class="reading-time">{{ .ReadingTime }} min Lesezeit</span>{{ end }}
+            {{ if $hasLastmod }}{{ if and $showReadingTime .ReadingTime }} · {{ end }}<span class="lastmod">Aktualisiert am {{ .Lastmod.Format "02.01.2006" }}</span>{{ end }}
          </p>
        {{ end }}
-      {{ with .Params.summary }}
-        <p class="single-summary text-muted">{{ . }}</p>
      {{ end }}
    </header>

@@ -31,14 +60,20 @@
      {{ .Content }}
    </div>

-    {{ $showReadingTime := .Params.showreadingtime | default site.Params.showreadingtime | default true }}
-    {{ $showLastMod := .Params.showlastmod | default site.Params.showlastmod | default false }}
-    {{ $hasLastmod := and $showLastMod .Lastmod (ne (.Lastmod.Format "2006-01-02") (.Date.Format "2006-01-02")) }}
-    {{ if or (and $showReadingTime .ReadingTime) $hasLastmod }}
-      <div class="time">
-        {{ if and $showReadingTime .ReadingTime }}<span class="reading-time">{{ .ReadingTime }} min Lesezeit</span>{{ end }}
-        {{ if $hasLastmod }}{{ if and $showReadingTime .ReadingTime }} · {{ end }}<span class="lastmod">Zuletzt aktualisiert: {{ .Lastmod.Format "2006-01-02" }}</span>{{ end }}
-      </div>
+    {{/* Tags: bei Seiten (nicht-Library) wie bisher unter dem Text. Bei Library
+         wandern sie in die Aktionsreihe (rechts neben Dialog) im Partial. */}}
+    {{ if ne .Section "library" }}
+      {{- with .Params.tags }}
+        <ul class="tag-pills" aria-label="Tags">
+          {{- range . -}}<li><a href="/tags/{{ . | urlize }}/">{{ . }}</a></li>{{- end -}}
+        </ul>
+      {{- end }}
+    {{ end }}
+
+    {{/* Artikel-Fuß (zitieren, Dialog, Tags, Versionen) — nur bei Library. */}}
+    {{ if eq .Section "library" }}
+      {{ partial "provenance.html" . }}
+      <script src="/version-history.js"></script>
    {{ end }}
  </article>

@@ -0,0 +1 @@
+<time datetime="{{ . | time.Format "2006-01-02" }}">{{ . | time.Format "02.01.2006" }}</time>
@@ -1,17 +1,18 @@
 <div class="footer-grid">
-  <div class="footer-mark">OPENBUREAU</div>
-  <nav class="footer-nav" aria-label="Footer">
-    <ul>
-      <li><a href="/manifest/">Manifest</a></li>
-      <li><a href="/colophon/">Colophon</a></li>
-      <li><a href="https://openstudio.kgva.ch">Forum ↗</a></li>
-      <li><a href="https://gitea.kgva.ch">Code ↗</a></li>
-      <li><a href="/index.xml">RSS</a></li>
-    </ul>
-  </nav>
-  <p class="footer-tagline">
-    Sammlung, Plattform, Praxis.<br>
-    Texte unter <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.
+  <div class="footer-legal">
+    <p class="footer-licenses">
+      Code <a href="/lizenz/agpl-3.0/">AGPL-3.0</a>
+      · Inhalte <a href="/lizenz/cc-by-sa-4.0/">CC BY-SA 4.0</a>
    </p>
-  <p class="footer-credit">© {{ now.Year }} · Karim Gabriele Varano</p>
+    <p class="footer-hosted">
+      {{ with site.Params.author.url }}<a href="{{ . }}">Hosted in Lucerne</a>{{ else }}Hosted in Lucerne{{ end }}
+    </p>
+  </div>
+  <nav class="footer-links" aria-label="Footer">
+    <a href="/colophon/">Colophon</a>
+    <a href="/impressum/">Kontakt / Impressum</a>
+    <a href="/datenschutz/">Datenschutz</a>
+    <a href="/index.xml">RSS</a>
+    <a href="/spenden/">Spenden</a>
+  </nav>
 </div>
@@ -0,0 +1,33 @@
+{{/* Eine Journal-Karte. Kontext (.) = die Library-Seite. */}}
+{{ $section := "" }}
+{{ with .Parent }}{{ $section = path.Base .RelPermalink }}{{ end }}
+{{ $author := .Params.author | default site.Params.author.name }}
+{{ $cover := .Params.cover_image }}
+{{ $layout := .Params.layout }}
+{{ if not $layout }}{{ $layout = cond (ne $cover nil) "image" "text" }}{{ end }}
+<li class="journal-entry journal-entry--layout-{{ $layout }}"
+    data-section="{{ $section }}"
+    {{ with .Params.color }}data-color="{{ . }}"{{ end }}>
+  <a class="journal-entry-link" href="{{ .RelPermalink }}">
+    {{ if and $cover (eq $layout "image") }}
+      <img class="journal-bg-image" src="{{ $cover | relURL }}" alt="" loading="eager" />
+    {{ end }}
+    <div class="journal-entry-body">
+      {{ if and $cover (eq $layout "icon") }}
+        <img class="journal-icon-image" src="{{ $cover | relURL }}" alt="" loading="lazy" />
+      {{ end }}
+      {{ with .Parent }}
+        <p class="journal-rubric"><span class="journal-section">{{ .Title }}</span></p>
+      {{ end }}
+      <h3 class="journal-title">{{ .LinkTitle }}</h3>
+      {{ with .Params.summary }}
+        <p class="journal-summary">{{ . }}</p>
+      {{ end }}
+      <p class="journal-byline">
+        {{- with $author -}}<span class="journal-author">{{ . }}</span>{{- end -}}
+        {{- if and $author .Date -}}, {{ end -}}
+        <time class="journal-date" datetime="{{ .Date.Format "2006-01-02" }}">{{ .Date.Format "02.01.2006" }}</time>
+      </p>
+    </div>
+  </a>
+</li>
@@ -0,0 +1,117 @@
+{{/* Artikel-Fuß für Library-Beiträge: Quellenangabe (zitieren), Aktionsreihe
+     (Dialog links, Tags rechts) und der Versionsverlauf (eine Zeile darunter). */}}
+{{ $author := .Params.author | default site.Params.author.name }}
+
+{{/* Zitieren: schlichter Link direkt unter den Quellen. */}}
+<div class="cite">
+  <button type="button" class="cite-toggle" aria-expanded="false">zitieren <span class="cite-arrow">↗</span></button>
+  <div class="cite-box" hidden
+    data-title="{{ .Title }}"
+    data-author="{{ $author }}"
+    data-url="{{ .Permalink }}"
+    data-year="{{ .Date.Format "2006" }}"
+    {{ with .GitInfo }}data-version="{{ .AbbreviatedHash }}"{{ end }}>
+    <p class="cite-text"></p>
+    <div class="cite-actions">
+      <button type="button" class="cite-fmt is-active" data-fmt="ob">intern</button>
+      <button type="button" class="cite-fmt" data-fmt="apa">APA</button>
+      <button type="button" class="cite-fmt" data-fmt="din">DIN</button>
+      <button type="button" class="cite-copy">kopieren</button>
+      <span class="cite-status" role="status"></span>
+    </div>
+  </div>
+</div>
+
+{{/* Aktionsreihe: Dialog links, Tags ganz rechts. */}}
+<div class="article-actions">
+  <a class="prov-dialog" id="dialog-link" data-thread="{{ .RelPermalink }}" href="/dialog/?thread={{ .RelPermalink }}">→ Dialog</a>
+  {{ with .Params.tags }}
+    <ul class="tag-pills" aria-label="Tags">
+      {{- range . -}}<li><a href="/tags/{{ . | urlize }}/">{{ . }}</a></li>{{- end -}}
+    </ul>
+  {{ end }}
+</div>
+
+{{/* Versionen: eine Zeile darunter; öffnet den Verlauf direkt auf der Seite. */}}
+<div class="article-versions">
+  <button type="button" class="versions-toggle" id="version-badge" aria-expanded="false"
+    data-path="{{ .File.Path }}"><svg class="pill-icon" viewBox="0 0 24 24" width="14" height="14" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="12" cy="12" r="9"/><path d="M12 7.5V12l3 2"/></svg>Versionen</button>
+</div>
+
+<script>
+  /* Zitieren: APA/DIN umschaltbar, gesamthaft kopierbar. */
+  (function () {
+    if (window.__cite) return; window.__cite = 1;
+    var toggle = document.querySelector('.cite-toggle');
+    var box = document.querySelector('.cite-box');
+    if (!toggle || !box) return;
+    var textEl = box.querySelector('.cite-text');
+    var statusEl = box.querySelector('.cite-status');
+    var d = box.dataset;
+    var fmt = 'ob';
+
+    function nameParts(n) {
+      var p = (n || '').trim().split(/\s+/);
+      var last = p.pop() || '';
+      return { last: last, first: p.join(' '), initials: p.map(function (w) { return w.charAt(0) + '.'; }).join(' ') };
+    }
+    function today() { return new Date().toLocaleDateString('de-CH'); }
+    function build() {
+      var n = nameParts(d.author);
+      if (fmt === 'din') {
+        return (n.last ? n.last.toUpperCase() + ', ' + n.first + ': ' : '')
+          + d.title + '. OPENBUREAU. ' + d.url + ' (abgerufen am ' + today() + ').';
+      }
+      if (fmt === 'apa') {
+        return (n.last ? n.last + ', ' + n.initials + ' ' : '')
+          + '(' + d.year + '). ' + d.title + '. OPENBUREAU. Abgerufen am ' + today() + ', von ' + d.url;
+      }
+      // intern (OPENBUREAU-Hausformat): inkl. Version, weil Beiträge lebende Dokumente sind.
+      return (d.author ? d.author + ': ' : '') + d.title + '. OPENBUREAU'
+        + (d.version ? ', Version ' + d.version : '') + '. Abgerufen am ' + today() + ', ' + d.url;
+    }
+    function render() { textEl.textContent = build(); }
+    function copy() {
+      var t = build();
+      if (navigator.clipboard && navigator.clipboard.writeText) return navigator.clipboard.writeText(t);
+      return new Promise(function (res, rej) {
+        try {
+          var ta = document.createElement('textarea'); ta.value = t; ta.style.position = 'fixed'; ta.style.opacity = '0';
+          document.body.appendChild(ta); ta.select();
+          var ok = document.execCommand('copy'); document.body.removeChild(ta); ok ? res() : rej();
+        } catch (e) { rej(e); }
+      });
+    }
+    toggle.addEventListener('click', function () {
+      var open = box.hasAttribute('hidden');
+      if (open) { box.removeAttribute('hidden'); render(); } else { box.setAttribute('hidden', ''); }
+      toggle.setAttribute('aria-expanded', String(open));
+    });
+    box.querySelectorAll('.cite-fmt').forEach(function (b) {
+      b.addEventListener('click', function () {
+        fmt = b.dataset.fmt;
+        box.querySelectorAll('.cite-fmt').forEach(function (x) { x.classList.toggle('is-active', x === b); });
+        render();
+      });
+    });
+    box.querySelector('.cite-copy').addEventListener('click', function () {
+      copy().then(function () { statusEl.textContent = 'kopiert ✓'; })
+            .catch(function () {
+              statusEl.textContent = 'markieren & kopieren';
+              var r = document.createRange(); r.selectNodeContents(textEl);
+              var s = window.getSelection(); s.removeAllRanges(); s.addRange(r);
+            });
+      setTimeout(function () { statusEl.textContent = ''; }, 2500);
+    });
+  })();
+</script>
+<script>
+  /* Wortmeldungs-Zahl an die Dialog-Pill hängen (→ Dialog · 3). */
+  (function () {
+    var l = document.getElementById('dialog-link'); if (!l) return;
+    fetch('/api/comments?thread=' + encodeURIComponent(l.dataset.thread))
+      .then(function (r) { return r.ok ? r.json() : []; })
+      .then(function (d) { var n = d.filter(function (c) { return !c.deleted; }).length; if (n) l.textContent = '→ Dialog · ' + n; })
+      .catch(function () {});
+  })();
+</script>
@@ -0,0 +1,9 @@
+{{ define "main" }}
+  <article class="author-page">
+    {{ with .Params.avatar }}
+      <img class="author-photo" src="{{ . }}" alt="{{ $.Title }}" loading="eager" />
+    {{ end }}
+    <h1 class="author-name">{{ .Title }}</h1>
+    {{ with .Content }}<div class="author-bio">{{ . }}</div>{{ end }}
+  </article>
+{{ end }}
@@ -10,31 +10,16 @@
      <p class="text-muted">Was zuletzt geschrieben wurde.</p>
    </header>

+    {{/* Zwei eigenständig scrollbare Spalten: Einträge abwechselnd verteilt
+         (gerade Indizes links, ungerade rechts) → Lese-Reihenfolge links-rechts. */}}
+    <div class="journal-cols">
      <ol class="journal-list">
-      {{ range $journal }}
-        <li class="journal-entry">
-          {{ $author := .Params.author | default site.Params.author.name }}
-          <a class="journal-entry-link" href="{{ .RelPermalink }}">
-            <div class="journal-meta">
-              {{ with .Parent }}
-                <span class="journal-section">{{ .Title }}</span>
-              {{ end }}
-              <time class="journal-date" datetime="{{ .Date.Format "2006-01-02" }}">{{ .Date.Format "2006-01-02" }}</time>
-              {{ with $author }}<span class="journal-author">{{ . }}</span>{{ end }}
-            </div>
-            <h3 class="journal-title">{{ .LinkTitle }}</h3>
-            {{ with .Params.summary }}
-              <p class="journal-summary">{{ . }}</p>
-            {{ end }}
-            {{ with .Params.tags }}
-              <ul class="journal-tags">
-                {{ range . }}<li>#{{ . }}</li>{{ end }}
-              </ul>
-            {{ end }}
-          </a>
-        </li>
-      {{ end }}
+        {{ range $i, $e := $journal }}{{ if eq (mod $i 2) 0 }}{{ partial "journal-card.html" $e }}{{ end }}{{ end }}
      </ol>
+      <ol class="journal-list">
+        {{ range $i, $e := $journal }}{{ if eq (mod $i 2) 1 }}{{ partial "journal-card.html" $e }}{{ end }}{{ end }}
+      </ol>
+    </div>

    {{ if gt (len $library) 20 }}
      <p class="more"><a href="/library/">→ Alle Beiträge in der Library</a></p>
@@ -6,7 +6,8 @@
      {{/* Library root: Atlas — gruppiert nach Untersection */}}
      <section class="atlas">
        {{ range .Sections.ByWeight }}
-          <article class="atlas-section">
+          {{ $section := path.Base .RelPermalink }}
+          <article class="atlas-section" data-section="{{ $section }}">
            <h2><a href="{{ .RelPermalink }}">{{ .Title }}</a></h2>
            {{ with .Params.description }}<p class="text-muted">{{ . }}</p>{{ end }}
            <ul class="atlas-list">
@@ -37,7 +38,13 @@
      </section>
    {{ else }}
      {{/* Library subsection: chronologisch */}}
-      <div class="time-list">
+      {{ $section := path.Base .RelPermalink }}
+      <header class="section-header" data-section="{{ $section }}">
+        <p class="section-rubric">Library</p>
+        <h1 class="section-title">{{ .Title }}</h1>
+        {{ with .Params.description }}<p class="section-description">{{ . }}</p>{{ end }}
+      </header>
+      <div class="time-list" data-section="{{ $section }}">
        <ul>
          {{ range .RegularPages.ByDate.Reverse }}
            <li class="list-item">
@@ -0,0 +1,316 @@
+/* OPENBUREAU Dialog — Foren, Threads & flache Wortmeldungen.
+   Lesen öffentlich; Mitreden nach Login. Kein Build nötig.
+   Routen über Query-Parameter:
+     /dialog/                  → Übersicht (Split-View: letzte Beiträge | Foren)
+     /dialog/?forum=<slug>     → ein Forum mit seinen Threads
+     /dialog/?thread=<key>     → ein Thread mit Wortmeldungen
+*/
+(function () {
+  const root = document.getElementById('ob-dialog');
+  if (!root) return;
+  const ctxEl = document.getElementById('dialog-context');
+
+  const TKEY = 'ob_dialog_token', NKEY = 'ob_dialog_name', RKEY = 'ob_dialog_role';
+  let token = localStorage.getItem(TKEY);
+  let myName = localStorage.getItem(NKEY);
+  let myRole = localStorage.getItem(RKEY) || 'user';
+  const canModerate = () => token && (myRole === 'admin' || myRole === 'editor');
+
+  const params = new URLSearchParams(location.search);
+  const threadKey = params.get('thread');
+  const forumSlug = params.get('forum');
+
+  const el = (tag, cls, txt) => { const e = document.createElement(tag); if (cls) e.className = cls; if (txt != null) e.textContent = txt; return e; };
+  function fmt(ts) {
+    const d = new Date(ts), s = (Date.now() - d) / 1000;
+    if (s < 60) return 'gerade eben';
+    if (s < 3600) return Math.floor(s / 60) + ' Min.';
+    if (s < 86400) return Math.floor(s / 3600) + ' Std.';
+    return d.toLocaleDateString('de-CH');
+  }
+  // Volles Datum + Uhrzeit (für die Wortmeldungen in der Thread-Ansicht).
+  function fmtFull(ts) {
+    const d = new Date(ts);
+    return d.toLocaleDateString('de-CH') + ' · ' + d.toLocaleTimeString('de-CH', { hour: '2-digit', minute: '2-digit' });
+  }
+  const api = (p, opt) => fetch(p, opt).then(async (r) => ({ ok: r.ok, status: r.status, body: await r.json().catch(() => ({})) }));
+  const authHdr = () => ({ Authorization: 'Bearer ' + token });
+
+  // ── Auth ────────────────────────────────────────────────────────────────
+  async function doLogin(email, password, after) {
+    const r = await api('/api/auth/login', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ email, password }) });
+    if (!r.ok) { alert(r.body.error || 'Login fehlgeschlagen'); return; }
+    token = r.body.access_token; myName = r.body.name || ''; myRole = r.body.role || 'user';
+    localStorage.setItem(TKEY, token); localStorage.setItem(NKEY, myName); localStorage.setItem(RKEY, myRole);
+    if (after) after();
+  }
+  function logout(after) {
+    token = null; myName = null; myRole = 'user';
+    localStorage.removeItem(TKEY); localStorage.removeItem(NKEY); localStorage.removeItem(RKEY);
+    if (after) after();
+  }
+  // Subtiles Login: dezente Zeile, klappt zum kompakten Formular auf.
+  function loginInline(container, after, label) {
+    let open = false;
+    function paint() {
+      container.innerHTML = '';
+      if (!open) {
+        const link = el('button', 'dialog-loginlink', label || 'Zum Mitreden anmelden');
+        link.onclick = () => { open = true; paint(); };
+        container.appendChild(link);
+      } else {
+        const form = el('div', 'dialog-loginform');
+        const em = el('input', 'dialog-input'); em.type = 'email'; em.placeholder = 'E-Mail';
+        const pw = el('input', 'dialog-input'); pw.type = 'password'; pw.placeholder = 'Passwort';
+        const btn = el('button', 'dialog-send', 'Anmelden');
+        btn.onclick = () => doLogin(em.value, pw.value, after);
+        pw.onkeydown = (e) => { if (e.key === 'Enter') doLogin(em.value, pw.value, after); };
+        const cancel = el('button', 'dialog-loginlink dialog-logincancel', 'Abbrechen');
+        cancel.onclick = () => { open = false; paint(); };
+        form.append(em, pw, btn, cancel); container.appendChild(form); em.focus();
+      }
+    }
+    paint();
+  }
+
+  // ── Übersicht: Split-View ─────────────────────────────────────────────────
+  function renderOverview() {
+    if (ctxEl) ctxEl.textContent = '';
+    root.innerHTML = '';
+    const grid = el('div', 'dialog-split');
+    const left = el('div', 'dialog-recent');
+    const right = el('div', 'dialog-forums');
+    left.appendChild(el('h2', 'dialog-title', 'Letzte Wortmeldungen'));
+    right.appendChild(el('h2', 'dialog-title', 'Foren'));
+    grid.append(left, right); root.appendChild(grid);
+
+    api('/api/recent?limit=15').then((r) => {
+      const rows = r.body || [];
+      if (!rows.length) { left.appendChild(el('p', 'dialog-empty', 'Noch keine Wortmeldungen.')); return; }
+      const list = el('div', 'dialog-recent-list');
+      rows.forEach((c) => {
+        const a = el('a', 'dialog-recent-item'); a.href = c.thread_url;
+        const top = el('div', 'dialog-recent-top');
+        top.append(el('span', 'dialog-recent-author', c.author_name || 'Unbekannt'),
+          el('span', 'dialog-recent-meta', (c.forum_name ? c.forum_name + ' · ' : '') + fmt(c.created_at)));
+        const tt = el('div', 'dialog-recent-thread', c.thread_title);
+        const bd = el('div', 'dialog-recent-body', c.body);
+        a.append(top, tt, bd); list.appendChild(a);
+      });
+      left.appendChild(list);
+    });
+
+    api('/api/forums').then((r) => {
+      const rows = r.body || [];
+      const list = el('div', 'dialog-forum-list');
+      rows.forEach((f) => {
+        const a = el('a', 'dialog-forum-item'); a.href = '/dialog/?forum=' + encodeURIComponent(f.slug);
+        if (f.color) a.style.setProperty('--forum-accent', f.color);
+        const nm = el('span', 'dialog-forum-name', f.name);
+        const mt = el('span', 'dialog-forum-meta',
+          f.thread_count + (f.thread_count === 1 ? ' Thread' : ' Threads') + ' · ' + f.post_count + ' Beiträge');
+        a.append(nm, mt);
+        if (f.description) a.appendChild(el('span', 'dialog-forum-desc', f.description));
+        list.appendChild(a);
+      });
+      right.appendChild(list);
+    });
+  }
+
+  // ── Forum-Ansicht: Threads + neuer Thread ─────────────────────────────────
+  function renderForum(slug) {
+    root.innerHTML = '';
+    if (ctxEl) { ctxEl.innerHTML = ''; const c = el('nav', 'dialog-crumb'); const b = el('a', null, '← Dialoge'); b.href = '/dialog/'; c.appendChild(b); ctxEl.appendChild(c); }
+    api('/api/forums/' + encodeURIComponent(slug)).then((r) => {
+      if (!r.ok) { root.appendChild(el('p', 'dialog-empty', 'Forum nicht gefunden.')); return; }
+      const { forum, threads } = r.body;
+      const head = el('div', 'dialog-forum-head');
+      head.appendChild(el('h2', 'dialog-title', forum.name));
+      if (forum.color) head.style.setProperty('--forum-accent', forum.color);
+      root.appendChild(head);
+      if (forum.description) root.appendChild(el('p', 'dialog-forum-desc', forum.description));
+
+      // Neuer Thread (nur Forum-Kategorien, nicht „Beiträge").
+      if (forum.kind !== 'library') {
+        const newBox = el('div', 'dialog-newthread');
+        root.appendChild(newBox);
+        renderNewThread(newBox, forum.slug);
+      }
+
+      const list = el('div', 'dialog-thread-list');
+      if (!threads.length) list.appendChild(el('p', 'dialog-empty', 'Noch keine Threads — beginne einen.'));
+      threads.forEach((t) => {
+        const a = el('a', 'dialog-thread-item');
+        a.href = t.kind === 'library' ? t.url : '/dialog/?thread=' + encodeURIComponent(t.key);
+        const tt = el('span', 'dialog-thread-title', t.title);
+        if (t.locked) tt.appendChild(el('span', 'dialog-lock', ' 🔒'));
+        const mt = el('span', 'dialog-thread-meta',
+          (t.author_name ? t.author_name + ' · ' : '') + t.count + (t.count === 1 ? ' Wortmeldung' : ' Wortmeldungen') + ' · ' + fmt(t.last));
+        a.append(tt, mt); list.appendChild(a);
+      });
+      root.appendChild(list);
+    });
+  }
+
+  function renderNewThread(box, slug) {
+    box.innerHTML = '';
+    if (!token) { const c = el('div'); box.appendChild(c); loginInline(c, () => renderNewThread(box, slug), 'Anmelden, um einen Thread zu starten'); return; }
+    let open = false;
+    function paint() {
+      box.innerHTML = '';
+      if (!open) {
+        const b = el('button', 'dialog-newbtn', '＋ Neuer Thread');
+        b.onclick = () => { open = true; paint(); };
+        box.appendChild(b);
+        return;
+      }
+      const ti = el('input', 'dialog-input'); ti.placeholder = 'Titel des Threads';
+      const ta = el('textarea', 'dialog-textarea'); ta.placeholder = 'Erster Beitrag …';
+      const row = el('div', 'dialog-row');
+      const send = el('button', 'dialog-send', 'Thread starten');
+      const cancel = el('button', 'dialog-loginlink', 'Abbrechen'); cancel.onclick = () => { open = false; paint(); };
+      send.onclick = async () => {
+        if (!ti.value.trim() || !ta.value.trim()) return;
+        const r = await api('/api/threads', { method: 'POST', headers: { 'Content-Type': 'application/json', ...authHdr() }, body: JSON.stringify({ forum_slug: slug, title: ti.value, body: ta.value }) });
+        if (r.status === 401) { logout(); alert('Sitzung abgelaufen — bitte neu anmelden.'); paint(); return; }
+        if (!r.ok) { alert(r.body.error || 'Konnte Thread nicht anlegen'); return; }
+        location.href = '/dialog/?thread=' + encodeURIComponent(r.body.key);
+      };
+      row.append(send, cancel); box.append(ti, ta, row); ti.focus();
+    }
+    paint();
+  }
+
+  // ── Thread-Ansicht: Wortmeldungen ─────────────────────────────────────────
+  function renderThread(key) {
+    root.innerHTML = '';
+    const title = el('h2', 'dialog-title', 'Dialog');
+    const modbar = el('div', 'dialog-modbar');
+    const list = el('div', 'dialog-list');
+    const composer = el('div', 'dialog-composer');
+    root.append(title, modbar, list, composer);
+    let replyTo = null, textarea = null, locked = false;
+
+    // Kontext: Rücklink + Titel.
+    api('/api/thread?key=' + encodeURIComponent(key)).then((r) => {
+      if (!r.ok) return;
+      const m = r.body; title.textContent = m.title || 'Dialog'; locked = m.locked;
+      if (ctxEl) {
+        ctxEl.innerHTML = '';
+        if (m.kind === 'library') {
+          const back = el('a', null, '← zum Beitrag'); back.href = m.url; ctxEl.appendChild(back);
+        } else {
+          // Breadcrumb-Navigation oben: Dialoge › Forum (beide anklickbar).
+          const crumb = el('nav', 'dialog-crumb');
+          const a0 = el('a', null, 'Dialoge'); a0.href = '/dialog/'; crumb.appendChild(a0);
+          if (m.forum) {
+            crumb.appendChild(el('span', 'dialog-crumb-sep', '›'));
+            const a1 = el('a', null, m.forum.name); a1.href = '/dialog/?forum=' + encodeURIComponent(m.forum.slug);
+            crumb.appendChild(a1);
+          }
+          ctxEl.appendChild(crumb);
+        }
+      }
+      renderModbar(); renderComposer();
+    });
+
+    function renderModbar() {
+      modbar.innerHTML = '';
+      if (!canModerate()) return;
+      const lock = el('button', 'dialog-modbtn', locked ? 'Entsperren' : 'Sperren');
+      lock.onclick = async () => {
+        await api('/api/mod/thread-lock', { method: 'POST', headers: { 'Content-Type': 'application/json', ...authHdr() }, body: JSON.stringify({ key, locked: !locked }) });
+        locked = !locked; renderModbar(); renderComposer();
+      };
+      const del = el('button', 'dialog-modbtn', 'Thread ausblenden');
+      del.onclick = async () => {
+        if (!confirm('Thread ausblenden?')) return;
+        await api('/api/mod/thread-delete', { method: 'POST', headers: { 'Content-Type': 'application/json', ...authHdr() }, body: JSON.stringify({ key }) });
+        location.href = '/dialog/';
+      };
+      modbar.append(el('span', 'dialog-modlabel', 'Moderation:'), lock, del);
+    }
+
+    let lastSig = '';
+    async function load() {
+      const r = await api('/api/comments?thread=' + encodeURIComponent(key));
+      if (!r.ok) return;
+      const data = r.body;
+      const sig = (token ? 'in:' : 'out:') + (canModerate() ? 'm' : '') + data.map((c) => c.id + (c.deleted ? 'd' : '')).join(',');
+      if (sig !== lastSig) { lastSig = sig; render(data); }
+    }
+
+    function render(data) {
+      list.innerHTML = '';
+      const names = {}; data.forEach((c) => { names[c.id] = c.author_name; });
+      if (!data.length) { list.appendChild(el('p', 'dialog-empty', 'Noch keine Wortmeldungen — beginne den Dialog.')); return; }
+      data.forEach((c) => {
+        // Nüchtern: Avatar · Name (+ Position) · darunter Datum/Uhrzeit · Text.
+        const post = el('article', 'dialog-post');
+        const head = el('header', 'dialog-post-head');
+        const av = el('span', 'dialog-avatar');
+        if (c.author_avatar) av.style.backgroundImage = 'url(' + c.author_avatar + ')';
+        else av.textContent = (c.author_name || '?').slice(0, 1).toUpperCase();
+        const ident = el('div', 'dialog-ident');
+        const nameline = el('div', 'dialog-nameline');
+        nameline.appendChild(el('span', 'dialog-name', c.author_name || 'Unbekannt'));
+        if (c.author_role) nameline.appendChild(el('span', 'dialog-pos', c.author_role));
+        if (c.parent_id && names[c.parent_id]) nameline.appendChild(el('span', 'dialog-replyto', '↳ ' + names[c.parent_id]));
+        ident.append(nameline, el('time', 'dialog-time', fmtFull(c.created_at)));
+        head.append(av, ident); post.appendChild(head);
+        post.appendChild(el('div', 'dialog-body', c.body));
+        if (token && !c.deleted) {
+          const actions = el('div', 'dialog-actions');
+          if (!locked) { const rep = el('button', null, 'Antworten'); rep.onclick = () => { replyTo = { id: c.id, name: c.author_name }; renderComposer(); if (textarea) textarea.focus(); }; actions.appendChild(rep); }
+          const del = el('button', null, 'Löschen'); del.onclick = () => remove(c.id); actions.appendChild(del);
+          post.appendChild(actions);
+        }
+        list.appendChild(post);
+      });
+    }
+
+    function renderComposer() {
+      composer.innerHTML = '';
+      // Gesperrt: niemand schreibt (auch Moderation nicht — erst entsperren).
+      if (locked) {
+        composer.appendChild(el('p', 'dialog-locked', canModerate()
+          ? '🔒 Gesperrt — zum Schreiben oben entsperren.'
+          : '🔒 Dieser Thread ist gesperrt.'));
+        return;
+      }
+      if (!token) { loginInline(composer, () => { renderModbar(); renderComposer(); load(); }); return; }
+      if (replyTo) {
+        const r = el('button', 'dialog-replychip', 'Antwort auf ' + replyTo.name + '  ✕');
+        r.onclick = () => { replyTo = null; renderComposer(); };
+        composer.appendChild(r);
+      }
+      textarea = el('textarea', 'dialog-textarea'); textarea.placeholder = locked ? 'Thread gesperrt — nur Moderation …' : 'Deine Wortmeldung …';
+      const row = el('div', 'dialog-row');
+      const send = el('button', 'dialog-send', 'Senden'); send.onclick = submit;
+      const out = el('button', 'dialog-logout', 'Abmelden' + (myName ? ' · ' + myName : '')); out.onclick = () => logout(() => { renderModbar(); renderComposer(); load(); });
+      row.append(send, out); composer.append(textarea, row);
+    }
+
+    async function submit() {
+      const body = textarea.value.trim(); if (!body) return;
+      const r = await api('/api/comments', { method: 'POST', headers: { 'Content-Type': 'application/json', ...authHdr() }, body: JSON.stringify({ thread: key, body, parent_id: replyTo ? replyTo.id : null }) });
+      if (r.status === 401) { logout(); alert('Sitzung abgelaufen — bitte neu anmelden.'); renderComposer(); return; }
+      if (!r.ok) { alert(r.body.error || 'Senden fehlgeschlagen'); return; }
+      textarea.value = ''; replyTo = null; renderComposer(); load();
+    }
+    async function remove(id) {
+      if (!confirm('Wortmeldung löschen?')) return;
+      const r = await api('/api/comments/' + id, { method: 'DELETE', headers: authHdr() });
+      if (!r.ok) { alert(r.body.error || 'Löschen fehlgeschlagen'); return; }
+      load();
+    }
+
+    load();
+    setInterval(() => { if (!document.hidden) load(); }, 10000);
+  }
+
+  // ── Router ────────────────────────────────────────────────────────────────
+  if (threadKey) renderThread(threadKey);
+  else if (forumSlug) renderForum(forumSlug);
+  else renderOverview();
+})();
@@ -1,4 +1,5 @@
-/* OPENBUREAU — Flarum custom styles. Schriften via Custom Header laden. */
+/* OPENBUREAU — Flarum custom styles, matches the new Republik-style site:
+   dark masthead with serif wordmark, paper body, serif content. */

 :root {
  --ob-bg:           hsl(35, 14%, 96%);
@@ -9,6 +10,10 @@
  --ob-accent:       #b54a2c;
  --ob-accent-2:     #d97a5a;

+  --ob-dark:         #191919;       /* masthead bg, matches main site */
+  --ob-dark-text:    #f0f0f0;       /* warm white — matches main site */
+  --ob-dark-muted:   #a9a9a9;
+
  --ob-serif:   'Newsreader', Charter, 'Source Serif Pro', Georgia, serif;
  --ob-sans:    'Inter', system-ui, -apple-system, sans-serif;
  --ob-display: 'Space Grotesk', 'Inter', system-ui, sans-serif;
@@ -32,7 +37,7 @@ p, li, div, span, td, blockquote, .fa, em, strong {
 html, body, .App {
  background: var(--ob-bg) !important;
  color: var(--ob-text) !important;
-  font-size: 16.5px !important;
+  font-size: 19px !important;        /* matches new OPENBUREAU body */
  line-height: 1.55 !important;
 }

@@ -41,7 +46,7 @@ textarea, .Composer textarea, .Composer-body, .Composer-body *,
 .TextEditor, .TextEditor textarea, .ComposerBody-textarea,
 .RichEditor, .Post-body, .Post-body * {
  font-family: var(--ob-serif) !important;
-  font-size: 1.02rem !important;
+  font-size: 1.05rem !important;
  line-height: 1.55 !important;
 }

@@ -49,7 +54,7 @@ input, select, .FormControl, .Search-input {
  font-family: var(--ob-sans) !important;
 }

-/* Headlines — display sans */
+/* Headlines — serif (matches new OPENBUREAU article style) */
 h1, h2, h3, h4, h5,
 .DiscussionListItem-title,
 .DiscussionHero-title,
@@ -57,9 +62,9 @@ h1, h2, h3, h4, h5,
 .Post-header h3,
 .SignUpModal-title,
 .LogInModal-title {
-  font-family: var(--ob-display) !important;
-  font-weight: 600 !important;
-  letter-spacing: -0.01em !important;
+  font-family: var(--ob-serif) !important;
+  font-weight: 700 !important;
+  letter-spacing: -0.018em !important;
  color: var(--ob-text) !important;
 }

@@ -89,79 +94,130 @@ h1, h2, h3, h4, h5,
 }

 /* ------------------------------------------------------------------------
-   Header / Hero
+   Masthead — black bar mirroring openbureau.ch, white serif wordmark,
+   sans-serif nav items (Sign up / Log in / custom-added header links).
   ------------------------------------------------------------------------ */
 .App-header {
-  background: var(--ob-bg) !important;
-  border-bottom: 1px solid var(--ob-border) !important;
+  background: var(--ob-dark) !important;
+  border-bottom: none !important;
  box-shadow: none !important;
-  color: var(--ob-text) !important;
+  color: var(--ob-dark-text) !important;
 }
-.App-header .Button,
-.App-header .item-search input {
-  color: var(--ob-text) !important;
-  background: transparent !important;
-}
-.App-header .Header-title,
-.App-header .Header-title a {
-  font-family: var(--ob-display) !important;
-  font-weight: 700 !important;
-  font-size: 1.4rem !important;
-  letter-spacing: -0.01em !important;
-  color: var(--ob-text) !important;
-  text-transform: none !important;
+.App-header-primary { background: var(--ob-dark) !important; }
+.App-header-secondary { background: var(--ob-dark) !important; }
+
+/* Wordmark image (SVG logo from openbureau.ch) */
+.ob-wordmark-image {
+  display: block;
+  height: 1.8rem;
+  width: auto;
+  filter: none;
+  margin: 0;
 }

+/* Flarum's own wordmark is hidden via display:none — see masthead section */
+.App-header .Header-title,
+.App-header .Header-title a {
+  font-family: var(--ob-serif) !important;
+  font-weight: 700 !important;
+  font-size: clamp(1.4rem, 2.5vw, 1.8rem) !important;
+  letter-spacing: 0.02em !important;
+  color: var(--ob-dark-text) !important;
+  text-transform: uppercase !important;
+  border-bottom: none !important;
+}
+.App-header .Header-title a:hover { color: var(--ob-dark-text) !important; opacity: 0.85; }
+
+/* Header buttons / search field — white text on dark, no borders */
+.App-header .Button,
+.App-header .item-search input,
+.App-header-secondary .Button,
+.App-header-secondary a {
+  color: var(--ob-dark-muted) !important;
+  background: transparent !important;
+  border: none !important;
+  font-family: var(--ob-display) !important;
+  font-weight: 500 !important;
+  letter-spacing: 0.02em !important;
+  text-transform: uppercase !important;
+  font-size: 0.85rem !important;
+}
+.App-header .Button:hover,
+.App-header-secondary .Button:hover,
+.App-header-secondary a:hover {
+  color: var(--ob-dark-text) !important;
+  background: transparent !important;
+}
+.App-header .Button--primary {
+  color: var(--ob-dark-text) !important;
+  background: var(--ob-accent) !important;
+  border: none !important;
+}
+.App-header .Button--primary:hover { background: var(--ob-accent-2) !important; }
+
+/* Search input on the dark masthead */
+.App-header .Search-input {
+  background: rgba(255,255,255,0.08) !important;
+  color: var(--ob-dark-text) !important;
+  border: none !important;
+}
+.App-header .Search-input::placeholder { color: var(--ob-dark-muted) !important; }
+
+/* Hero (forum index) — clean editorial header, no heavy borders */
 .Hero, .IndexPage .Hero {
-  background: var(--ob-bg-2) !important;
+  background: var(--ob-bg) !important;
  color: var(--ob-text) !important;
-  border-bottom: 2px solid var(--ob-text) !important;
+  border-bottom: none !important;
  text-shadow: none !important;
-  padding: 2.5rem 1rem !important;
+  padding: 2.5rem 1rem 1.5rem !important;
 }
 .Hero-title {
  color: var(--ob-text) !important;
-  font-size: 2rem !important;
-  font-weight: 700 !important;
-  letter-spacing: -0.015em !important;
+  font-family: var(--ob-serif) !important;
+  font-size: clamp(2rem, 4vw, 2.8rem) !important;
+  font-weight: 800 !important;
+  letter-spacing: -0.026em !important;
+  line-height: 1.05 !important;
 }
 .Hero-subtitle {
  color: var(--ob-muted) !important;
-  font-style: italic;
  font-family: var(--ob-serif) !important;
-  font-size: 1.1rem !important;
-  margin-top: 0.4rem !important;
+  font-style: normal !important;
+  font-size: 1.25rem !important;
+  margin-top: 0.6rem !important;
 }

-/* Discussion page hero (when viewing a thread) — more present */
+/* Discussion page hero (single thread) — Republik-style clean header */
 .DiscussionHero {
-  background: var(--ob-bg-2) !important;
-  border-bottom: 2px solid var(--ob-text) !important;
+  background: var(--ob-bg) !important;
+  border-bottom: none !important;
  box-shadow: none !important;
-  padding: 1.8rem 1rem !important;
+  padding: 2rem 1rem 1.5rem !important;
 }
 .DiscussionHero-title {
  color: var(--ob-text) !important;
-  font-size: 1.8rem !important;
-  font-weight: 700 !important;
-  letter-spacing: -0.015em !important;
+  font-family: var(--ob-serif) !important;
+  font-size: clamp(1.8rem, 3.5vw, 2.4rem) !important;
+  font-weight: 800 !important;
+  letter-spacing: -0.024em !important;
+  line-height: 1.05 !important;
 }

-/* Tag badge above title (e.g. "General") — pill but sharper */
+/* Tag pill above title — terracotta-tinted, no #, rounded */
 .DiscussionHero .TagsLabel,
 .DiscussionHero .TagLabel {
  display: inline-block;
-  background: var(--ob-bg) !important;
-  border: 1px solid var(--ob-border) !important;
-  color: var(--ob-accent) !important;
-  text-transform: uppercase;
-  font-family: var(--ob-sans) !important;
-  font-size: 0.72rem !important;
-  font-weight: 600 !important;
-  letter-spacing: 0.06em !important;
-  padding: 0.2rem 0.55rem !important;
-  border-radius: 0 !important;
-  margin-bottom: 0.6rem !important;
+  background: color-mix(in oklab, var(--ob-accent) 14%, transparent) !important;
+  border: none !important;
+  color: var(--ob-text) !important;
+  text-transform: lowercase !important;
+  font-family: var(--ob-display) !important;
+  font-size: 0.78rem !important;
+  font-weight: 500 !important;
+  letter-spacing: 0.02em !important;
+  padding: 0.3rem 0.85rem !important;
+  border-radius: 999px !important;
+  margin-bottom: 0.8rem !important;
 }

 /* ------------------------------------------------------------------------
@@ -175,35 +231,55 @@ h1, h2, h3, h4, h5,
  box-shadow: none !important;
 }

+/* Discussion list items — like OPENBUREAU journal cards: clean separators */
 .DiscussionListItem {
  background: transparent !important;
-  border-bottom: 1px solid var(--ob-border) !important;
-  padding: 1rem 0.25rem !important;
+  border-top: 1px solid var(--ob-border) !important;
+  border-bottom: none !important;
+  padding: 1.4rem 0.25rem !important;
  margin: 0 !important;
 }
+.DiscussionListItem:last-child { border-bottom: 1px solid var(--ob-border) !important; }
 .DiscussionListItem:hover { background: var(--ob-bg-2) !important; }

 .DiscussionListItem-title {
-  font-size: 1.15rem !important;
-  line-height: 1.25 !important;
-  margin-bottom: 0.3rem !important;
+  font-family: var(--ob-serif) !important;
+  font-size: 1.4rem !important;
+  font-weight: 700 !important;
+  letter-spacing: -0.018em !important;
+  line-height: 1.2 !important;
+  margin-bottom: 0.45rem !important;
 }
 .DiscussionListItem-title a { color: var(--ob-text) !important; }
 .DiscussionListItem-title a:hover { color: var(--ob-accent) !important; }

 .DiscussionListItem-info {
  color: var(--ob-muted) !important;
-  font-size: 0.85rem !important;
+  font-family: var(--ob-sans) !important;
+  font-size: 0.9rem !important;
 }

 .DiscussionListItem-count {
-  background: transparent !important;
-  border: 1px solid var(--ob-border) !important;
-  border-radius: 0 !important;
-  color: var(--ob-muted) !important;
-  padding: 0.15rem 0.4rem !important;
+  background: color-mix(in oklab, var(--ob-accent) 14%, transparent) !important;
+  border: none !important;
+  border-radius: 999px !important;
+  color: var(--ob-text) !important;
+  font-family: var(--ob-display) !important;
+  font-size: 0.78rem !important;
+  font-weight: 500 !important;
+  padding: 0.25rem 0.7rem !important;
 }

+/* ------------------------------------------------------------------------
+   Below-header: subtle divider + paper bg continues for the content area
+   ------------------------------------------------------------------------ */
+.App-content { background: var(--ob-bg) !important; }
+
+/* Headlines size scale — matches OPENBUREAU sizes */
+h1 { font-size: clamp(2rem, 4vw, 2.8rem) !important; line-height: 1.05 !important; font-weight: 800 !important; }
+h2 { font-size: 1.6rem !important; line-height: 1.15 !important; }
+h3 { font-size: 1.3rem !important; line-height: 1.2 !important; }
+
 /* Avatar — squared, lightly desaturated, full color on hover */
 .Avatar {
  border-radius: 0 !important;
@@ -215,61 +291,67 @@ h1, h2, h3, h4, h5,
 .Post:hover .Avatar { filter: grayscale(0%) contrast(1); }

 /* ------------------------------------------------------------------------
-   Tags
+   Tags — pills (matches OPENBUREAU's tag pills)
   ------------------------------------------------------------------------ */
 .TagsLabel {
-  font-family: var(--ob-sans) !important;
+  font-family: var(--ob-display) !important;
  font-size: 0.78rem !important;
-  text-transform: uppercase !important;
-  letter-spacing: 0.04em !important;
+  font-weight: 500 !important;
+  letter-spacing: 0.02em !important;
 }
 .TagsLabel .tag {
-  background: transparent !important;
-  color: var(--ob-accent) !important;
-  border: 1px solid var(--ob-border) !important;
-  border-radius: 0 !important;
-  padding: 0.1rem 0.45rem !important;
+  display: inline-block;
+  background: color-mix(in oklab, var(--ob-accent) 14%, transparent) !important;
+  color: var(--ob-text) !important;
+  border: none !important;
+  border-radius: 999px !important;
+  padding: 0.3rem 0.85rem !important;
+  margin: 0 0.3rem 0.3rem 0 !important;
  font-weight: 500 !important;
+  text-transform: lowercase !important;
 }
 .TagsLabel .tag:hover {
-  background: var(--ob-bg-2) !important;
-  border-color: var(--ob-accent) !important;
+  background: color-mix(in oklab, var(--ob-accent) 30%, transparent) !important;
+  border: none !important;
 }

 .TagTile {
-  background: var(--ob-bg-2) !important;
-  border-radius: 0 !important;
-  border: 1px solid var(--ob-border) !important;
+  background: color-mix(in oklab, var(--ob-accent) 8%, transparent) !important;
+  border-radius: 4px !important;
+  border: none !important;
  color: var(--ob-text) !important;
  box-shadow: none !important;
 }
-.TagTile-info h4 { color: var(--ob-text) !important; }
-.TagTile-description { color: var(--ob-muted) !important; font-style: italic; font-family: var(--ob-serif) !important; }
+.TagTile-info h4 { color: var(--ob-text) !important; font-family: var(--ob-serif) !important; font-weight: 700 !important; }
+.TagTile-description { color: var(--ob-muted) !important; font-family: var(--ob-serif) !important; }

 /* ------------------------------------------------------------------------
-   Buttons
+   Buttons — softer, rounded, no heavy borders
   ------------------------------------------------------------------------ */
 .Button {
-  border-radius: 0 !important;
+  border-radius: 999px !important;
  font-family: var(--ob-display) !important;
  font-weight: 500 !important;
-  letter-spacing: 0.02em !important;
-  background: transparent !important;
+  letter-spacing: 0.01em !important;
+  background: color-mix(in oklab, var(--ob-text) 6%, transparent) !important;
  color: var(--ob-text) !important;
-  border: 1px solid var(--ob-border) !important;
+  border: none !important;
  box-shadow: none !important;
  text-transform: none !important;
+  padding: 0.45rem 1rem !important;
+}
+.Button:hover {
+  background: color-mix(in oklab, var(--ob-text) 12%, transparent) !important;
+  color: var(--ob-text) !important;
 }
-.Button:hover { background: var(--ob-bg-2) !important; border-color: var(--ob-text) !important; }

 .Button--primary {
  background: var(--ob-accent) !important;
  color: #fff !important;
-  border-color: var(--ob-accent) !important;
+  border: none !important;
 }
 .Button--primary:hover {
  background: var(--ob-accent-2) !important;
-  border-color: var(--ob-accent-2) !important;
  color: #fff !important;
 }

@@ -277,6 +359,7 @@ h1, h2, h3, h4, h5,
  border: none !important;
  background: transparent !important;
  color: var(--ob-text) !important;
+  padding: 0.45rem 0.6rem !important;
 }

 /* ------------------------------------------------------------------------
@@ -303,42 +386,36 @@ a:hover { color: var(--ob-accent); border-bottom-color: var(--ob-accent); }
 .notifications a { border-bottom: none !important; }

 /* ------------------------------------------------------------------------
-   Discussion / Post view
+   Discussion / Post view — Republik-style article header + clean post stream
   ------------------------------------------------------------------------ */
 .DiscussionPage-discussion {
  background: transparent !important;
 }
-.DiscussionHero {
-  background: var(--ob-bg-2) !important;
-  border-bottom: 1px solid var(--ob-border) !important;
-  box-shadow: none !important;
-}
-.DiscussionHero-title { color: var(--ob-text) !important; font-size: 1.6rem !important; }
-
 .PostStream { background: transparent !important; }

 .Post {
-  border-bottom: 1px solid var(--ob-border) !important;
-  padding: 1.5rem 0 !important;
+  border-top: 1px solid var(--ob-border) !important;
+  border-bottom: none !important;
+  padding: 1.8rem 0 !important;
 }
-.Post:first-child { border-top: 1px solid var(--ob-border) !important; }
+.Post:last-child { border-bottom: 1px solid var(--ob-border) !important; }
+
+/* Author + meta on each post: Inter sans (like OPENBUREAU byline) */
 .Post-header,
 .Post .PostUser,
-.Post .username {
-  font-family: var(--ob-mono) !important;
-  font-size: 0.85rem !important;
-  color: var(--ob-muted) !important;
-  font-weight: 500;
-}
-.Post .username { color: var(--ob-text) !important; }
+.Post .username,
 .Post .PostMeta time,
 .Post .Post-header time {
-  font-family: var(--ob-mono) !important;
+  font-family: var(--ob-sans) !important;
+  font-size: 0.95rem !important;
  color: var(--ob-muted) !important;
+  font-weight: 400;
 }
+.Post .username { color: var(--ob-text) !important; font-weight: 500 !important; }
+
 .Post-body {
  font-family: var(--ob-serif) !important;
-  font-size: 1.02rem !important;
+  font-size: 1.1rem !important;
  line-height: 1.55 !important;
  color: var(--ob-text) !important;
 }
@@ -353,9 +430,11 @@ a:hover { color: var(--ob-accent); border-bottom-color: var(--ob-accent); }
 .Post-body code, .Post-body pre {
  font-family: var(--ob-mono) !important;
  background: var(--ob-bg-2) !important;
-  border: 1px solid var(--ob-border) !important;
-  border-radius: 0 !important;
+  border: none !important;
+  border-radius: 4px !important;
+  padding: 0.1em 0.4em;
 }
+.Post-body pre { padding: 0.8rem 1rem; }

 /* ------------------------------------------------------------------------
   Sidebar (left rail with categories/tags)
@@ -430,5 +509,3 @@ a:hover { color: var(--ob-accent); border-bottom-color: var(--ob-accent); }
 .Badge { border-radius: 0 !important; font-family: var(--ob-mono) !important; }
 .Pagination-link { border-radius: 0 !important; font-family: var(--ob-mono) !important; }

-/* Remove dark/colored header bar in default Flarum */
-.App-header-primary { background: var(--ob-bg) !important; }
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="100%" height="100%" viewBox="0 0 1773 247" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;">
+    <g transform="matrix(1,0,0,1,-1,-25)">
+        <rect x="717" y="32" width="99" height="55" style="fill:rgb(240,240,240);"/>
+    </g>
+    <g transform="matrix(1,0,0,1,-1,-25)">
+        <rect x="191" y="223" width="91" height="40" style="fill:rgb(240,240,240);"/>
+    </g>
+    <g transform="matrix(1.905742,0,0,1,38.397616,-25)">
+        <rect x="-17" y="69" width="923" height="160" style="fill:rgb(240,240,240);"/>
+    </g>
+    <g transform="matrix(4.161487,0,0,4.161487,-877.670228,-2027.145952)">
+        <path d="M259.981,527.071L256.537,527.071L256.537,507.267L259.981,507.267L259.981,527.071ZM259.981,514.069L259.981,538.093L234.838,538.093L234.838,534.649L249.562,534.649C249.648,534.649 249.935,534.434 250.423,534.003C250.911,533.573 251.499,533.027 252.188,532.367C252.877,531.707 253.552,531.04 254.212,530.365C254.872,529.691 255.425,529.109 255.869,528.621C256.314,528.133 256.537,527.846 256.537,527.76L256.537,514.069L259.981,514.069ZM259.981,520.441L256.537,520.441L256.537,506.75C256.537,506.664 256.314,506.377 255.869,505.889C255.425,505.401 254.872,504.82 254.212,504.145C253.552,503.471 252.877,502.804 252.188,502.143C251.499,501.483 250.911,500.938 250.423,500.507C249.935,500.077 249.648,499.862 249.562,499.862L234.838,499.862L234.838,496.417L259.981,496.417L259.981,520.441ZM233.718,522.508L233.718,511.831C233.718,511.658 233.733,511.558 233.761,511.529C233.79,511.5 233.891,511.486 234.063,511.486L236.818,511.486C236.99,511.486 237.091,511.5 237.12,511.529C237.148,511.558 237.163,511.658 237.163,511.831L237.163,522.508C237.163,522.68 237.148,522.78 237.12,522.809C237.091,522.838 236.99,522.852 236.818,522.852L234.063,522.852C233.891,522.852 233.79,522.838 233.761,522.809C233.733,522.78 233.718,522.68 233.718,522.508ZM210.9,527.071L210.9,507.267L214.344,507.267L214.344,527.071L210.9,527.071ZM210.9,514.069L214.344,514.069L214.344,527.76C214.344,527.846 214.567,528.133 215.012,528.621C215.456,529.109 216.009,529.691 216.669,530.365C217.329,531.04 218.004,531.707 218.693,532.367C219.382,533.027 219.97,533.573 220.458,534.003C220.946,534.434 221.233,534.649 221.319,534.649L236.043,534.649L236.043,538.093L210.9,538.093L210.9,514.069ZM210.9,520.441L210.9,496.417L236.043,496.417L236.043,499.862L221.319,499.862C221.233,499.862 220.946,500.077 220.458,500.507C219.97,500.938 219.382,501.483 218.693,502.143C218.004,502.804 217.329,503.471 216.669,504.145C216.009,504.82 215.456,505.401 215.012,505.889C214.567,506.377 214.344,506.664 214.344,506.75L214.344,520.441L210.9,520.441Z" style="fill:rgb(15,15,15);fill-rule:nonzero;"/>
+        <path d="M303.322,527.158L299.877,527.158L299.877,507.353L303.322,507.353L303.322,527.158ZM303.322,520.441L299.877,520.441L299.877,506.75C299.877,506.664 299.655,506.377 299.21,505.889C298.765,505.401 298.213,504.82 297.552,504.145C296.892,503.471 296.218,502.804 295.529,502.143C294.84,501.483 294.252,500.938 293.764,500.507C293.276,500.077 292.989,499.862 292.903,499.862L278.178,499.862L278.178,496.417L303.322,496.417L303.322,520.441ZM254.241,521.905L257.685,521.905L257.685,543.432L277.576,543.432L277.576,534.649L292.903,534.649C293.017,534.649 293.326,534.434 293.828,534.003C294.331,533.573 294.919,533.027 295.593,532.367C296.268,531.707 296.935,531.04 297.595,530.365C298.256,529.691 298.801,529.109 299.231,528.621C299.662,528.133 299.877,527.846 299.877,527.76L299.877,521.13L303.322,521.13L303.322,538.093L281.02,538.093L281.02,546.876L254.241,546.876L254.241,521.905ZM254.241,520.441L254.241,496.417L279.384,496.417L279.384,499.862L257.685,499.862L257.685,520.441L254.241,520.441ZM277.059,522.594L277.059,511.917C277.059,511.744 277.073,511.644 277.102,511.615C277.131,511.587 277.231,511.572 277.403,511.572L280.159,511.572C280.331,511.572 280.431,511.587 280.46,511.615C280.489,511.644 280.503,511.744 280.503,511.917L280.503,522.594C280.503,522.766 280.489,522.867 280.46,522.895C280.431,522.924 280.331,522.938 280.159,522.938L277.403,522.938C277.231,522.938 277.131,522.924 277.102,522.895C277.073,522.867 277.059,522.766 277.059,522.594ZM254.241,507.353L257.685,507.353L257.685,527.158L254.241,527.158L254.241,507.353Z" style="fill:rgb(15,15,15);fill-rule:nonzero;"/>
+        <path d="M297.581,520.441L297.581,496.417L321.002,496.417L321.002,499.862L308,499.862C307.914,499.862 307.627,500.077 307.139,500.507C306.651,500.938 306.063,501.483 305.374,502.143C304.685,502.804 304.01,503.471 303.35,504.145C302.69,504.82 302.138,505.401 301.693,505.889C301.248,506.377 301.025,506.664 301.025,506.75L301.025,520.441L297.581,520.441ZM297.581,507.353L301.025,507.353L301.025,527.158L297.581,527.158L297.581,507.353ZM297.581,514.069L301.025,514.069L301.025,527.76C301.025,527.846 301.248,528.133 301.693,528.621C302.138,529.109 302.69,529.691 303.35,530.365C304.01,531.04 304.685,531.707 305.374,532.367C306.063,533.027 306.651,533.573 307.139,534.003C307.627,534.434 307.914,534.649 308,534.649L321.002,534.649L321.002,538.093L297.581,538.093L297.581,514.069ZM343.39,520.441L339.946,520.441L339.946,506.75C339.946,506.664 339.723,506.377 339.278,505.889C338.834,505.401 338.281,504.82 337.621,504.145C336.961,503.471 336.286,502.804 335.597,502.143C334.908,501.483 334.32,500.938 333.832,500.507C333.344,500.077 333.057,499.862 332.971,499.862L319.969,499.862L319.969,496.417L343.39,496.417L343.39,520.441ZM343.39,516.653L343.39,538.093L319.969,538.093L319.969,534.649L339.946,534.649L339.946,516.653L343.39,516.653ZM325.996,510.453C326.169,510.453 326.269,510.467 326.298,510.496C326.326,510.525 326.341,510.625 326.341,510.797L326.341,513.553C326.341,513.725 326.326,513.825 326.298,513.854C326.269,513.883 326.169,513.897 325.996,513.897L315.319,513.897C315.147,513.897 315.046,513.883 315.018,513.854C314.989,513.825 314.975,513.725 314.975,513.553L314.975,510.797C314.975,510.625 314.989,510.525 315.018,510.496C315.046,510.467 315.147,510.453 315.319,510.453L325.996,510.453ZM341.582,524.058L339.946,524.058L339.946,522.852C339.946,522.852 339.365,522.938 338.202,523.111C337.04,523.283 335.605,523.491 333.897,523.735C332.189,523.979 330.481,524.223 328.773,524.467C327.066,524.711 325.63,524.919 324.468,525.091C323.306,525.263 322.724,525.349 322.724,525.349C322.724,525.349 322.717,525.292 322.703,525.177C322.688,525.062 322.66,524.883 322.617,524.639C322.574,524.395 322.523,524.086 322.466,523.713C322.409,523.34 322.358,523.024 322.315,522.766C322.272,522.508 322.244,522.314 322.229,522.185C322.215,522.056 322.208,521.991 322.208,521.991C322.208,521.991 322.803,521.905 323.994,521.733C325.186,521.561 326.664,521.345 328.429,521.087C330.194,520.829 331.959,520.57 333.724,520.312C335.49,520.054 336.968,519.838 338.159,519.666C339.35,519.494 339.946,519.408 339.946,519.408L339.946,517.772L341.582,517.772L341.582,524.058Z" style="fill:rgb(15,15,15);fill-rule:nonzero;"/>
+        <path d="M386.731,527.071L383.286,527.071L383.286,507.267L386.731,507.267L386.731,527.071ZM337.65,527.071L337.65,507.267L341.094,507.267L341.094,527.071L337.65,527.071ZM386.731,520.441L383.286,520.441L383.286,506.75C383.286,506.664 383.064,506.377 382.619,505.889C382.174,505.401 381.622,504.82 380.961,504.145C380.301,503.471 379.627,502.804 378.938,502.143C378.249,501.483 377.661,500.938 377.173,500.507C376.685,500.077 376.398,499.862 376.312,499.862L361.587,499.862L361.587,496.417L386.731,496.417L386.731,520.441ZM386.731,514.069L386.731,538.093L361.587,538.093L361.587,534.649L383.286,534.649L383.286,514.069L386.731,514.069ZM337.65,514.069L341.094,514.069L341.094,534.649L362.793,534.649L362.793,538.093L337.65,538.093L337.65,514.069ZM337.65,520.441L337.65,496.417L362.793,496.417L362.793,499.862L341.094,499.862L341.094,520.441L337.65,520.441ZM363.762,535.252L360.619,535.252C360.576,535.252 360.54,535.237 360.511,535.209C360.482,535.18 360.468,535.144 360.468,535.101L360.468,516.48C360.468,516.365 360.475,516.287 360.489,516.244C360.504,516.2 360.532,516.172 360.576,516.157C360.619,516.143 360.698,516.136 360.812,516.136L363.568,516.136C363.683,516.136 363.762,516.143 363.805,516.157C363.848,516.172 363.876,516.2 363.891,516.244C363.905,516.287 363.912,516.365 363.912,516.48L363.912,535.101C363.912,535.144 363.898,535.18 363.869,535.209C363.84,535.237 363.805,535.252 363.762,535.252Z" style="fill:rgb(15,15,15);fill-rule:nonzero;"/>
+        <path d="M430.071,507.267L430.071,527.071L426.627,527.071L426.627,507.267L430.071,507.267ZM430.071,514.069L430.071,538.093L404.928,538.093L404.928,534.649L419.652,534.649C419.738,534.649 420.025,534.434 420.513,534.003C421.001,533.573 421.59,533.027 422.278,532.367C422.967,531.707 423.642,531.04 424.302,530.365C424.962,529.691 425.515,529.109 425.959,528.621C426.404,528.133 426.627,527.846 426.627,527.76L426.627,514.069L430.071,514.069ZM380.99,512.605L380.99,487.634L407.769,487.634L407.769,496.417L430.071,496.417L430.071,513.38L426.627,513.38L426.627,506.75C426.627,506.664 426.412,506.377 425.981,505.889C425.55,505.401 425.005,504.82 424.345,504.145C423.685,503.471 423.017,502.804 422.343,502.143C421.668,501.483 421.08,500.938 420.578,500.507C420.075,500.077 419.767,499.862 419.652,499.862L404.325,499.862L404.325,491.079L384.434,491.079L384.434,512.605L380.99,512.605ZM380.99,514.069L384.434,514.069L384.434,534.649L406.133,534.649L406.133,538.093L380.99,538.093L380.99,514.069ZM380.99,507.267L384.434,507.267L384.434,527.071L380.99,527.071L380.99,507.267ZM403.808,522.508L403.808,511.831C403.808,511.658 403.823,511.558 403.851,511.529C403.88,511.5 403.981,511.486 404.153,511.486L406.908,511.486C407.081,511.486 407.181,511.5 407.21,511.529C407.238,511.558 407.253,511.658 407.253,511.831L407.253,522.508C407.253,522.68 407.238,522.78 407.21,522.809C407.181,522.838 407.081,522.852 406.908,522.852L404.153,522.852C403.981,522.852 403.88,522.838 403.851,522.809C403.823,522.78 403.808,522.68 403.808,522.508Z" style="fill:rgb(15,15,15);fill-rule:nonzero;"/>
+        <path d="M424.331,507.353L427.775,507.353L427.775,527.158L424.331,527.158L424.331,507.353ZM473.412,507.353L473.412,527.158L469.967,527.158L469.967,507.353L473.412,507.353ZM424.331,514.069L427.775,514.069L427.775,527.76C427.775,527.846 427.997,528.133 428.442,528.621C428.887,529.109 429.44,529.691 430.1,530.365C430.76,531.04 431.434,531.707 432.123,532.367C432.812,533.027 433.401,533.573 433.889,534.003C434.376,534.434 434.663,534.649 434.75,534.649L449.474,534.649L449.474,538.093L424.331,538.093L424.331,514.069ZM424.331,520.441L424.331,496.417L449.474,496.417L449.474,499.862L427.775,499.862L427.775,520.441L424.331,520.441ZM473.412,520.441L469.967,520.441L469.967,499.862L448.268,499.862L448.268,496.417L473.412,496.417L473.412,520.441ZM473.412,514.069L473.412,538.093L448.268,538.093L448.268,534.649L469.967,534.649L469.967,514.069L473.412,514.069ZM447.3,499.689L450.443,499.689C450.486,499.689 450.522,499.704 450.55,499.732C450.579,499.761 450.593,499.797 450.593,499.84L450.593,518.461C450.593,518.576 450.586,518.655 450.572,518.698C450.557,518.741 450.529,518.769 450.486,518.784C450.443,518.798 450.364,518.805 450.249,518.805L447.493,518.805C447.379,518.805 447.3,518.798 447.257,518.784C447.214,518.769 447.185,518.741 447.171,518.698C447.156,518.655 447.149,518.576 447.149,518.461L447.149,499.84C447.149,499.797 447.163,499.761 447.192,499.732C447.221,499.704 447.257,499.689 447.3,499.689Z" style="fill:rgb(15,15,15);fill-rule:nonzero;"/>
+        <path d="M513.48,538.093L467.671,538.093L467.671,515.878L471.115,515.878L471.115,534.649L491.092,534.649L491.092,522.508L510.036,522.508L510.036,508.903L513.48,508.903L513.48,538.093ZM467.671,517.858L467.671,496.417L491.351,496.417L491.351,509.075C491.351,509.075 491.114,508.609 490.64,507.676C490.167,506.743 489.628,505.674 489.026,504.468C488.423,503.263 487.885,502.194 487.411,501.261C486.938,500.328 486.701,499.862 486.701,499.862L471.115,499.862L471.115,517.858L467.671,517.858ZM513.48,513.725L510.036,513.725L510.036,499.862L496.173,499.862C496.173,499.862 495.929,500.328 495.441,501.261C494.953,502.194 494.393,503.263 493.762,504.468C493.13,505.674 492.57,506.743 492.083,507.676C491.595,508.609 491.351,509.075 491.351,509.075C491.351,509.075 491.286,508.609 491.157,507.676C491.028,506.743 490.884,505.674 490.726,504.468C490.568,503.263 490.425,502.194 490.296,501.261C490.167,500.328 490.102,499.862 490.102,499.862L490.102,496.417L513.48,496.417L513.48,513.725Z" style="fill:rgb(15,15,15);fill-rule:nonzero;"/>
+        <path d="M507.74,520.441L507.74,496.417L531.161,496.417L531.161,499.862L518.159,499.862C518.072,499.862 517.785,500.077 517.298,500.507C516.81,500.938 516.221,501.483 515.532,502.143C514.843,502.804 514.169,503.471 513.509,504.145C512.849,504.82 512.296,505.401 511.851,505.889C511.406,506.377 511.184,506.664 511.184,506.75L511.184,520.441L507.74,520.441ZM507.74,507.353L511.184,507.353L511.184,527.158L507.74,527.158L507.74,507.353ZM507.74,514.069L511.184,514.069L511.184,527.76C511.184,527.846 511.406,528.133 511.851,528.621C512.296,529.109 512.849,529.691 513.509,530.365C514.169,531.04 514.843,531.707 515.532,532.367C516.221,533.027 516.81,533.573 517.298,534.003C517.785,534.434 518.072,534.649 518.159,534.649L531.161,534.649L531.161,538.093L507.74,538.093L507.74,514.069ZM553.549,520.441L550.104,520.441L550.104,506.75C550.104,506.664 549.882,506.377 549.437,505.889C548.992,505.401 548.44,504.82 547.779,504.145C547.119,503.471 546.445,502.804 545.756,502.143C545.067,501.483 544.479,500.938 543.991,500.507C543.503,500.077 543.216,499.862 543.13,499.862L530.127,499.862L530.127,496.417L553.549,496.417L553.549,520.441ZM553.549,516.653L553.549,538.093L530.127,538.093L530.127,534.649L550.104,534.649L550.104,516.653L553.549,516.653ZM536.155,510.453C536.327,510.453 536.428,510.467 536.456,510.496C536.485,510.525 536.499,510.625 536.499,510.797L536.499,513.553C536.499,513.725 536.485,513.825 536.456,513.854C536.428,513.883 536.327,513.897 536.155,513.897L525.478,513.897C525.305,513.897 525.205,513.883 525.176,513.854C525.148,513.825 525.133,513.725 525.133,513.553L525.133,510.797C525.133,510.625 525.148,510.525 525.176,510.496C525.205,510.467 525.305,510.453 525.478,510.453L536.155,510.453ZM551.74,524.058L550.104,524.058L550.104,522.852C550.104,522.852 549.523,522.938 548.361,523.111C547.198,523.283 545.763,523.491 544.055,523.735C542.347,523.979 540.64,524.223 538.932,524.467C537.224,524.711 535.789,524.919 534.627,525.091C533.464,525.263 532.883,525.349 532.883,525.349C532.883,525.349 532.876,525.292 532.861,525.177C532.847,525.062 532.818,524.883 532.775,524.639C532.732,524.395 532.682,524.086 532.625,523.713C532.567,523.34 532.517,523.024 532.474,522.766C532.431,522.508 532.402,522.314 532.388,522.185C532.373,522.056 532.366,521.991 532.366,521.991C532.366,521.991 532.962,521.905 534.153,521.733C535.344,521.561 536.822,521.345 538.587,521.087C540.353,520.829 542.118,520.57 543.883,520.312C545.648,520.054 547.126,519.838 548.318,519.666C549.509,519.494 550.104,519.408 550.104,519.408L550.104,517.772L551.74,517.772L551.74,524.058Z" style="fill:rgb(15,15,15);fill-rule:nonzero;"/>
+        <path d="M547.808,514.069L551.252,514.069L551.252,527.76C551.252,527.846 551.475,528.133 551.92,528.621C552.365,529.109 552.917,529.691 553.577,530.365C554.237,531.04 554.912,531.707 555.601,532.367C556.29,533.027 556.878,533.573 557.366,534.003C557.854,534.434 558.141,534.649 558.227,534.649L571.229,534.649L571.229,538.093L547.808,538.093L547.808,514.069ZM547.808,517.858L547.808,496.417L571.229,496.417L571.229,499.862L551.252,499.862L551.252,517.858L547.808,517.858ZM593.617,520.441L590.173,520.441L590.173,506.75C590.173,506.664 589.95,506.377 589.505,505.889C589.061,505.401 588.508,504.82 587.848,504.145C587.188,503.471 586.513,502.804 585.824,502.143C585.136,501.483 584.547,500.938 584.059,500.507C583.571,500.077 583.284,499.862 583.198,499.862L570.196,499.862L570.196,496.417L593.617,496.417L593.617,520.441ZM593.617,516.653L593.617,538.093L570.196,538.093L570.196,534.649L590.173,534.649L590.173,516.653L593.617,516.653ZM593.617,527.071L590.173,527.071L590.173,507.267L593.617,507.267L593.617,527.071ZM565.46,524.574C565.288,524.574 565.187,524.56 565.159,524.531C565.13,524.503 565.116,524.402 565.116,524.23L565.116,521.475C565.116,521.302 565.13,521.202 565.159,521.173C565.187,521.144 565.288,521.13 565.46,521.13L576.137,521.13C576.31,521.13 576.41,521.144 576.439,521.173C576.467,521.202 576.482,521.302 576.482,521.475L576.482,524.23C576.482,524.402 576.467,524.503 576.439,524.531C576.41,524.56 576.31,524.574 576.137,524.574L565.46,524.574ZM549.616,511.056L551.252,511.056L551.252,512.261C551.252,512.261 551.834,512.175 552.996,512.003C554.158,511.831 555.594,511.622 557.301,511.378C559.009,511.134 560.717,510.891 562.425,510.647C564.133,510.403 565.568,510.194 566.73,510.022C567.893,509.85 568.474,509.764 568.474,509.764C568.474,509.764 568.481,509.821 568.495,509.936C568.51,510.051 568.538,510.23 568.581,510.474C568.624,510.718 568.675,511.027 568.732,511.4C568.79,511.773 568.84,512.089 568.883,512.347C568.926,512.605 568.955,512.799 568.969,512.928C568.983,513.058 568.99,513.122 568.99,513.122C568.99,513.122 568.395,513.208 567.204,513.38C566.013,513.553 564.534,513.768 562.769,514.026C561.004,514.285 559.239,514.543 557.474,514.801C555.708,515.06 554.23,515.275 553.039,515.447C551.848,515.619 551.252,515.705 551.252,515.705L551.252,517.341L549.616,517.341L549.616,511.056Z" style="fill:rgb(15,15,15);fill-rule:nonzero;"/>
+        <path d="M587.877,507.353L591.321,507.353L591.321,527.158L587.877,527.158L587.877,507.353ZM636.958,507.353L636.958,527.158L633.513,527.158L633.513,507.353L636.958,507.353ZM587.877,514.069L591.321,514.069L591.321,527.76C591.321,527.846 591.543,528.133 591.988,528.621C592.433,529.109 592.986,529.691 593.646,530.365C594.306,531.04 594.98,531.707 595.669,532.367C596.358,533.027 596.947,533.573 597.434,534.003C597.922,534.434 598.209,534.649 598.296,534.649L613.02,534.649L613.02,538.093L587.877,538.093L587.877,514.069ZM587.877,520.441L587.877,496.417L613.02,496.417L613.02,499.862L591.321,499.862L591.321,520.441L587.877,520.441ZM636.958,520.441L633.513,520.441L633.513,499.862L611.814,499.862L611.814,496.417L636.958,496.417L636.958,520.441ZM636.958,514.069L636.958,538.093L611.814,538.093L611.814,534.649L633.513,534.649L633.513,514.069L636.958,514.069ZM610.846,499.689L613.989,499.689C614.032,499.689 614.067,499.704 614.096,499.732C614.125,499.761 614.139,499.797 614.139,499.84L614.139,518.461C614.139,518.576 614.132,518.655 614.118,518.698C614.103,518.741 614.075,518.769 614.032,518.784C613.989,518.798 613.91,518.805 613.795,518.805L611.039,518.805C610.925,518.805 610.846,518.798 610.803,518.784C610.76,518.769 610.731,518.741 610.716,518.698C610.702,518.655 610.695,518.576 610.695,518.461L610.695,499.84C610.695,499.797 610.709,499.761 610.738,499.732C610.767,499.704 610.803,499.689 610.846,499.689Z" style="fill:rgb(15,15,15);fill-rule:nonzero;"/>
+    </g>
+</svg>
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg width="100%" height="100%" viewBox="0 0 1772 284" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;"><g transform="matrix(358.333333,0,0,358.333333,1770.854115,264.122013)"></g><text x="-4.8px" y="264.122px" style="font-family:'PPRightSerifMono-Dark', 'PP Right Serif Mono';font-size:358.333px;fill:#f0f0f0;">O<tspan x="171.81px 348.42px 525.03px 701.64px 878.25px 1054.859px 1231.469px 1408.079px 1584.689px " y="264.122px 264.122px 264.122px 264.122px 264.122px 264.122px 264.122px 264.122px 264.122px ">PENBUREAU</tspan></text></svg>
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg width="100%" height="100%" viewBox="0 0 1412 231" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;"><path d="M0,57.547l19.196,0l0,-19.196l95.982,0l0,19.196l19.196,0l0,115.179l-19.196,0l0,19.196l-95.982,0l0,-19.196l-19.196,0l0,-115.179Zm95.982,19.196l-57.589,0l0,76.786l57.589,0l0,-76.786Z" style="fill:#fff;fill-rule:nonzero;"/><path d="M182.409,153.529l57.589,0l0,-76.786l-57.589,0l0,76.786Zm0,-95.982l19.196,0l0,-19.196l57.589,0l0,19.196l19.196,0l0,115.179l-19.196,0l0,19.196l-76.786,0l0,38.393l-38.393,0l0,-191.964l38.393,0l0,19.196Z" style="fill:#fff;fill-rule:nonzero;"/><path d="M288.032,57.547l19.196,0l0,-19.196l95.982,0l0,19.196l19.196,0l0,76.786l-95.982,0l0,19.196l95.982,0l0,19.196l-19.196,0l0,19.196l-95.982,0l0,-19.196l-19.196,0l0,-115.179Zm38.393,38.393l57.589,0l0,-19.196l-57.589,0l0,19.196Z" style="fill:#fff;fill-rule:nonzero;"/><path d="M470.44,57.547l19.196,0l0,-19.196l57.589,0l0,19.196l19.196,0l0,134.375l-38.393,0l0,-115.179l-57.589,0l0,115.179l-38.393,0l0,-153.571l38.393,0l0,19.196Z" style="fill:#fff;fill-rule:nonzero;"/><path d="M614.456,153.529l57.589,0l0,-76.786l-57.589,0l0,76.786Zm0,-95.982l19.196,0l0,-19.196l57.589,0l0,19.196l19.196,0l0,115.179l-19.196,0l0,19.196l-115.179,0l0,-191.964l38.393,0l0,57.589Z" style="fill:#fff;fill-rule:nonzero;"/><path d="M796.865,191.922l-57.589,0l0,-19.196l-19.196,0l0,-134.375l38.393,0l0,115.179l57.589,0l0,-115.179l38.393,0l0,153.571l-38.393,0l0,-19.196l-19.196,0l0,19.196Z" style="fill:#fff;fill-rule:nonzero;"/><path d="M940.881,76.744l-19.196,0l0,19.196l-19.196,0l0,95.982l-38.393,0l0,-153.571l38.393,0l0,19.196l19.196,0l0,-19.196l38.393,0l0,19.196l19.196,0l0,19.196l-19.196,0l0,19.196l-19.196,0l0,-19.196Z" style="fill:#fff;fill-rule:nonzero;"/><path d="M988.915,57.547l19.196,0l0,-19.196l95.982,0l0,19.196l19.196,0l0,76.786l-95.982,0l0,19.196l95.982,0l0,19.196l-19.196,0l0,19.196l-95.982,0l0,-19.196l-19.196,0l0,-115.179Zm38.393,38.393l57.589,0l0,-19.196l-57.589,0l0,19.196Z" style="fill:#fff;fill-rule:nonzero;"/><path d="M1152.127,172.726l-19.196,0l0,-57.589l19.196,0l0,-19.196l76.786,0l0,-19.196l-95.982,0l0,-19.196l19.196,0l0,-19.196l95.982,0l0,19.196l19.196,0l0,134.375l-38.393,0l0,-19.196l-19.196,0l0,19.196l-57.589,0l0,-19.196Zm19.196,-19.196l57.589,0l0,-19.196l-57.589,0l0,19.196Z" style="fill:#fff;fill-rule:nonzero;"/><path d="M1353.732,191.922l-57.589,0l0,-19.196l-19.196,0l0,-134.375l38.393,0l0,115.179l57.589,0l0,-115.179l38.393,0l0,153.571l-38.393,0l0,-19.196l-19.196,0l0,19.196Z" style="fill:#fff;fill-rule:nonzero;"/></svg>
@@ -0,0 +1,119 @@
+/* OPENBUREAU — Versionsverlauf eines Beitrags direkt auf der Seite.
+   Die Pill „Version vom …" öffnet die Liste der Fassungen (aus /api/history).
+   Auswahl zeigt standardmäßig den Diff (rot/grün, wie auf GitHub) aus
+   /api/history/diff; ein Toggle zeigt die ganze alte Fassung (/api/history/version).
+   Alles auf openbureau — keine externen Git-Links. */
+(function () {
+  var trigger = document.getElementById('version-badge');
+  if (!trigger) return;
+  var path = trigger.dataset.path;
+  var content = document.querySelector('.single-content');
+  var article = document.querySelector('article.single');
+  if (!path || !content || !article) return;
+
+  var originalHTML = content.innerHTML;
+  var panel = null, banner = null;
+
+  function api(p) { return fetch(p).then(function (r) { return r.ok ? r.json() : null; }).catch(function () { return null; }); }
+  function fmt(d) { try { return new Date(d).toLocaleDateString('de-CH'); } catch (e) { return d || ''; } }
+  function q(p, rev) { return p + '?path=' + encodeURIComponent(path) + '&rev=' + encodeURIComponent(rev); }
+  function toTop() { window.scrollTo({ top: 0, behavior: 'smooth' }); }
+
+  function closePanel() {
+    if (panel) { panel.remove(); panel = null; }
+    trigger.setAttribute('aria-expanded', 'false');
+  }
+  function restore() {
+    content.innerHTML = originalHTML;
+    if (banner) { banner.remove(); banner = null; }
+  }
+
+  // Unified-Diff → farbige Zeilen (rot gelöscht, grün neu, grau Hunk/Kontext).
+  function renderDiff(diff) {
+    var box = document.createElement('div');
+    box.className = 'diff';
+    diff.split('\n').forEach(function (ln) {
+      if (/^(diff --git|index |new file|deleted file|similarity |rename |--- |\+\+\+ )/.test(ln)) return;
+      var cls = 'd-ctx';
+      if (/^@@/.test(ln)) cls = 'd-hunk';
+      else if (ln.charAt(0) === '+') cls = 'd-add';
+      else if (ln.charAt(0) === '-') cls = 'd-del';
+      var row = document.createElement('div');
+      row.className = 'diff-line ' + cls;
+      row.textContent = ln || ' ';
+      box.appendChild(row);
+    });
+    return box;
+  }
+
+  function showBanner(v, mode) {
+    if (banner) banner.remove();
+    banner = document.createElement('div');
+    banner.className = 'version-banner';
+    banner.append((mode === 'diff' ? 'Änderungen' : 'Fassung') + ' vom ' + fmt(v.date) + ' · Version ' + v.short + '  ');
+    var toggle = document.createElement('button');
+    toggle.type = 'button'; toggle.className = 'version-toggle';
+    toggle.textContent = mode === 'diff' ? 'ganze Fassung anzeigen' : 'Änderungen anzeigen';
+    toggle.addEventListener('click', function () { mode === 'diff' ? loadVersion(v) : loadDiff(v); });
+    var back = document.createElement('button');
+    back.type = 'button'; back.className = 'version-back'; back.textContent = '→ zur aktuellen Fassung';
+    back.addEventListener('click', restore);
+    banner.append(toggle, ' ', back);
+    article.insertBefore(banner, article.firstChild);
+  }
+
+  function loadDiff(v) {
+    closePanel();
+    content.innerHTML = '<p class="version-loading">Lade Änderungen …</p>';
+    api(q('/api/history/diff', v.rev)).then(function (data) {
+      if (!data || data.diff == null) { restore(); return; }
+      content.innerHTML = '';
+      if (!data.diff.trim()) content.innerHTML = '<p class="version-empty">Keine Änderungen an dieser Datei in dieser Fassung.</p>';
+      else content.appendChild(renderDiff(data.diff));
+      showBanner(v, 'diff');
+      toTop();
+    });
+  }
+  function loadVersion(v) {
+    closePanel();
+    content.innerHTML = '<p class="version-loading">Lade Fassung …</p>';
+    api(q('/api/history/version', v.rev)).then(function (data) {
+      if (!data || !data.html) { restore(); return; }
+      content.innerHTML = data.html;
+      showBanner(v, 'full');
+      toTop();
+    });
+  }
+
+  function openPanel() {
+    api('/api/history?path=' + encodeURIComponent(path)).then(function (list) {
+      panel = document.createElement('div');
+      panel.className = 'version-panel';
+      if (!list || !list.length) {
+        panel.innerHTML = '<p class="version-empty">Kein Verlauf verfügbar.</p>';
+      } else {
+        var ol = document.createElement('ol');
+        ol.className = 'version-list';
+        list.forEach(function (v, i) {
+          var li = document.createElement('li');
+          var b = document.createElement('button');
+          b.type = 'button';
+          var date = document.createElement('span'); date.className = 'v-date'; date.textContent = fmt(v.date);
+          var subj = document.createElement('span'); subj.className = 'v-subject'; subj.textContent = v.subject || '';
+          var hash = document.createElement('span'); hash.className = 'v-hash'; hash.textContent = v.short + (i === 0 ? ' · aktuell' : '');
+          b.append(date, subj, hash);
+          if (i === 0) b.addEventListener('click', function () { restore(); closePanel(); });
+          else b.addEventListener('click', function () { loadDiff(v); });
+          li.appendChild(b);
+          ol.appendChild(li);
+        });
+        panel.appendChild(ol);
+      }
+      var host = trigger.closest('.article-versions') || trigger;
+      host.parentNode.insertBefore(panel, host.nextSibling);
+      trigger.setAttribute('aria-expanded', 'true');
+    });
+  }
+
+  trigger.addEventListener('click', function () { panel ? closePanel() : openPanel(); });
+})();
				`@@ -0,0 +1 @@`
				`<time datetime="{{ . \| time.Format "2006-01-02" }}">{{ . \| time.Format "02.01.2006" }}</time>`
				`@@ -0,0 +1 @@`
				<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg width="100%" height="100%" viewBox="0 0 1772 284" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;"><g transform="matrix(358.333333,0,0,358.333333,1770.854115,264.122013)"></g><text x="-4.8px" y="264.122px" style="font-family:'PPRightSerifMono-Dark', 'PP Right Serif Mono';font-size:358.333px;fill:#f0f0f0;">O<tspan x="171.81px 348.42px 525.03px 701.64px 878.25px 1054.859px 1231.469px 1408.079px 1584.689px " y="264.122px 264.122px 264.122px 264.122px 264.122px 264.122px 264.122px 264.122px 264.122px ">PENBUREAU</tspan></text></svg>