Kit-Bump auf 2.65 entfernte transitives @types/geojson aus dem Lockfile —
CI-tsc fand den globalen GeoJSON-Namespace nicht mehr. @types/geojson als
devDependency + explizite Type-Imports statt UMD-Namespace.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
SvelteKits CSRF-Check blockte multipart-POSTs (/api/mitmachen) mit 403:
ORIGIN env stand auf www, Caddy redirected aber www -> non-www — jeder
Besucher war auf non-www, Origin-Header passte nie. Env-Flip auf non-www
(secrets), hier: www als trustedOrigin-Fallback + Kit-Bump auf ^2.65
(trustedOrigins gibt es ab 2.23).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Neuer Endpoint /api/social/calendar/[slug] rendert Termin via satori +
resvg zu PNG. Formate: og (1200x630) und square (1080x1080).
Gebrandetes Layout mit Datum, Titel, Ort. Inter-Font lazy von gstatic,
10min In-Memory-Cache pro Slug+Format.
CalendarBlock: zwei Download-Buttons pro Termin (Bild quer / quadr.).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Neuer CMS-Block `wind_map` — platzierbar auf jeder Seite per Row-Content.
Fetcht wind_area-Einträge + GeoJSON-Asset client-side, rendert Leaflet-Karte
(CartoDB Light) mit farbcodierten Polygonen nach Planungsstatus. Klick auf
Gebiet öffnet Slide-in-Panel mit Kenndaten, Gemeinden, Stellungnahme-Link
und Puffer-Ringen (200/600/1000 m via Turf). Erweiterbar für 2. Entwurf 2026.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Lora -> Aleo dependency change in 4419742 left package-lock.json out of
sync, breaking `npm ci` in CI. Regenerated via `npm install --package-
lock-only`. Removed yarn.lock that came back with the same commit;
single source of truth is package-lock.json.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Toolchain hygiene:
- svelte-check is now a pinned devDep (was npx-fetched per CI run)
- vitest + coverage as devDeps; vitest.config.ts is separate from
vite.config.ts so vite build does not pull vitest
- $env stub for vitest (alias resolves $env/dynamic/{public,private}
to a process.env proxy) — keeps server modules testable without
booting SvelteKit
- npm scripts: check / check:watch / typecheck / test / test:watch
- drop yarn.lock + packageManager field; CI uses npm ci, single source
of truth is package-lock.json
- CI runs generate:icons + svelte-check + tsc --noEmit before deploy
Switch from raw process.env.X to $env/dynamic/{public,private} in
file-cache, image-cache, transform-cache and rusty-image.server. The
typed imports get tree-shaken correctly per server/client and fail
loudly at build time on accidental client-side use of private vars.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Added `class-variance-authority` version 0.7.1 to both package-lock.json and yarn.lock for enhanced styling capabilities.
- Removed outdated entries from yarn.lock to streamline dependencies and improve project maintainability.
- Added new dependencies: blurhash and sharp for enhanced image processing.
- Updated existing dependencies to their latest versions, including @emnapi/runtime and @emnapi/wasi-threads.
- Changed package resolution URLs to use npm registry for consistency across package management files.