Till JS 5a29dd9a8c security(cards): CSP report-only + service-key rotation playbook ... Folge-Hardening zu e1ddbf3, Cluster A2+A3 aus FEATURE_IDEAS. * hooks.server.ts: restriktive CSP im Report-Only-Modus (default-src 'self', script-src 'self', connect-src whitelist auf cardecky-api/auth.mana.how/share/mcp). CARDS_CSP_ENFORCE=true flippt auf den scharfen Header. * docs/playbooks/SERVICE_KEY_ROTATION.md: 5-Schritt-Rotation für CARDS_DSGVO_SERVICE_KEY bis Phase F-1 (mana-auth-managed Keys). Forensik der Bypass-Periode 2026-05-08 → 2026-05-12 ist abgeschlossen: nur 2 user_ids in der Cards-DB, beide legitim (tills95@gmail.com + Smoke-Test-Sentinel c1a5, letztere via DSGVO-Endpoint aufgeräumt). Kein ausgenutzter Bypass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>		2026-05-12 18:40:29 +02:00
..
lib	security(cards): fail-secure dev-stub, headers, rate-limit, dsgvo audit	2026-05-12 16:56:03 +02:00
routes	security(cards): fail-secure dev-stub, headers, rate-limit, dsgvo audit	2026-05-12 16:56:03 +02:00
app.css	feat(deps): migrate Header from @mana/shared-ui@0.1.x to shared-ui-2	2026-05-09 18:27:24 +02:00
app.d.ts	Phase 0+1: Repo-Skelett für Cards-Greenfield	2026-05-08 14:08:41 +02:00
app.html	feat(theming): forest variant from @mana/themes (sprint 9m)	2026-05-09 18:01:37 +02:00
hooks.server.ts	security(cards): CSP report-only + service-key rotation playbook	2026-05-12 18:40:29 +02:00