mporwoll/cms.c2sgmbh
1
0
Fork 0
mirror of https://github.com/complexcaresolutions/cms.c2sgmbh.git synced 2026-03-17 16:14:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
301 commits 17 branches 0 tags 17 MiB
Commit graph

301 commits

This branch
This branch
All branches
Author SHA1 Message Date
Martin Porwoll
46404f5daf Merge branch 'develop' 2026-02-28 15:44:35 +00:00
Martin Porwoll
5cd3f8a1b7 feat: add HtmlEmbedBlock and convert zweitmeinu.ng static pages to CMS 
Add html-embed-block for raw HTML/iframe embedding in Pages layout.
Update seed script with hero blocks for impressum/datenschutz and
alfright.eu iframe via html-embed-block for privacy policy page.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-28 15:44:13 +00:00
Martin Porwoll
7fc0d7c13a feat: add posts-list and contact-form blocks to sensualmoment home page seed 
Update home page layout with blog preview (posts-list-block) and
contact form (contact-form-block) sections. Replace image-text-block
with text-block since no media exists for tenant 13 yet.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-28 13:06:55 +00:00
Martin Porwoll
55ca63fb0c Merge branch 'develop' 2026-02-27 15:58:38 +00:00
Martin Porwoll
9e791648e9 fix: support slug and where[] query params in custom posts route 
The custom /api/posts route intercepted all post queries but only
supported listing parameters (category, type, page). Frontend detail
pages sending where[slug][equals]=X got all posts back, always
showing the latest post regardless of which article was clicked.

Now parses slug from both ?slug=X and ?where[slug][equals]=X format.
Replaced getPostsByCategory with direct payload.find using properly
typed Where conditions. Detail queries (with slug) include content
and readingTime in the response.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-27 15:58:32 +00:00
Martin Porwoll
6d13361ad4 feat: add blog post seed script for sensualmoment.de (tenant 13) 
8 boudoir photography journal posts covering topics like first
shooting experience, self-love, posing tips, behind the scenes,
gifting, body positivity, preparation, and photo albums.

Idempotent: skips existing posts based on slug + tenant match.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-27 15:43:17 +00:00
Martin Porwoll
f10b62c0f1 Merge branch 'develop' 2026-02-27 15:22:58 +00:00
Martin Porwoll
8cb04fd130 fix: enforce mandatory tenant parameter on frontend API routes 
Custom API routes at /api/posts, /api/search, and /api/search/suggestions
used payload.find() with overrideAccess:true (default) and optional tenant
filtering. Without a ?tenant= parameter, ALL data from ALL tenants was
returned — causing cross-tenant data leaks (e.g. sensualmoment.de Journal
showing blogwoman articles).

Now all three routes require a tenant parameter (400 error without it).
Also accepts where[tenant][equals] format for compatibility with
payload-contracts API clients. Removed debug logging from tenantAccess.ts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-27 15:22:48 +00:00
Martin Porwoll
eb31df112b feat: add seed script and implementation plan for sensualmoment.de (tenant 13) 
- Seed script creates: site-settings, 2 social-links, 3 testimonials, 12 FAQs,
  navigation, contact form, 10 pages with block layouts
- Implementation plan for full-stack frontend setup
- StatsBlock: add iconAlignment field to style group (schema synced)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-27 12:58:20 +00:00
Martin Porwoll
6eae3bfcc4 Merge branch 'develop' 2026-02-25 14:03:02 +00:00
Martin Porwoll
324bd1eb5f docs: add ModSecurity WAF documentation to CLAUDE.md 
Document the OWASP CRS 3.3.7 WAF on production nginx, including
exclusion rule IDs and the diagnostic curl method to distinguish
ModSecurity blocks from Payload 403 responses.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-25 14:02:12 +00:00
Martin Porwoll
ec46277c56 Merge branch 'develop' 2026-02-25 13:57:29 +00:00
Martin Porwoll
21f8ec2488 chore: remove obsolete screenshot 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-25 13:57:11 +00:00
Martin Porwoll
8cb9972b54 Merge branch 'develop' 2026-02-25 13:52:44 +00:00
Martin Porwoll
a5f8c43f81 revert: remove unnecessary serverActions.allowedOrigins 
The 403 "Forbidden" on production was caused by ModSecurity WAF
(OWASP CRS 3.3.7) blocking PATCH/POST requests at the nginx layer,
not by Next.js server actions CSRF. Nginx proxy_set_header Host $host
ensures Origin and Host always match, making allowedOrigins redundant.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-25 13:52:34 +00:00
Martin Porwoll
a77c2b747d fix: make SEO global read public to prevent 403 during admin SSR 
The SEO Settings global had `read: ({ req: { user } }) => Boolean(user)`
which requires authentication. During admin panel server-side rendering
(after saves), the user context is not propagated to global reads,
causing a Forbidden error that crashes the entire page render.

SEO data is not sensitive, so public read access is appropriate.
Also removes temporary debug logging.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-25 13:32:00 +00:00
Martin Porwoll
36823b2d9f debug: fix types for 403 interceptors 2026-02-25 13:13:10 +00:00
Martin Porwoll
26ceccbfb9 debug: add 403 interceptors to find which operation fails 2026-02-25 13:11:55 +00:00
Martin Porwoll
06999b2bd7 fix: add allowedOrigins for Next.js server actions behind reverse proxy 
Next.js has its own CSRF protection for server actions, separate from
Payload's csrf config. Without allowedOrigins, server actions from the
admin panel behind a reverse proxy are rejected because the Origin header
(cms.c2sgmbh.de) doesn't match the Host header (localhost:3001).

Also removes temporary debug logging from multiTenant access check.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-25 13:02:03 +00:00
Martin Porwoll
35bab1935a debug: add temporary logging to userHasAccessToAllTenants 2026-02-25 12:55:58 +00:00
Martin Porwoll
174314ad29 merge: develop into main (resolve dependabot workflow conflict) 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-25 12:35:11 +00:00
Martin Porwoll
47c6500679 fix: add cms.c2sgmbh.de to CORS/CSRF and save isSuperAdmin to JWT 
- Add pl.c2sgmbh.de and cms.c2sgmbh.de to cors and csrf arrays
  to fix Forbidden error on PATCH requests from these domains
- Add saveToJWT: true to isSuperAdmin field so multiTenantPlugin
  correctly grants super admins access to all tenants

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-25 12:32:51 +00:00
Martin Porwoll
bd174c8569 docs: update CLAUDE.md tech stack versions after dependency updates 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-23 10:36:26 +00:00
Martin Porwoll
06092335f3 deps: update remaining dependencies (react, dev-tools, bullmq) 
- react/react-dom 19.2.3 → 19.2.4
- @types/react 19.2.7 → 19.2.14
- @types/node 22.19.11 → 25.3.0
- @playwright/test + playwright 1.57.0 → 1.58.2
- vitest + @vitest/coverage-v8 4.0.15 → 4.0.18
- vite-tsconfig-paths 6.0.0 → 6.1.1
- bullmq 5.70.0 → 5.70.1
- jsdom 26.1.0 → 28.1.0

Resolves Dependabot PRs #19, #20, #28, #30, #31 (lockfile conflicts).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-23 09:15:25 +00:00
dependabot[bot]
e860ec3059
deps(dev)(deps-dev): bump eslint-config-next (#29) 
Bumps [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) from 16.2.0-canary.41 to 16.2.0-canary.58.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.0-canary.58/packages/eslint-config-next)

---
updated-dependencies:
- dependency-name: eslint-config-next
  dependency-version: 16.2.0-canary.58
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-23 10:08:09 +01:00
dependabot[bot]
38040a76cb
deps(deps): bump nodemailer from 7.0.13 to 8.0.1 (#27) 
Bumps [nodemailer](https://github.com/nodemailer/nodemailer) from 7.0.13 to 8.0.1.
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodemailer/nodemailer/compare/v7.0.13...v8.0.1)

---
updated-dependencies:
- dependency-name: nodemailer
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-23 10:08:04 +01:00
dependabot[bot]
b55769f52e
deps(deps): bump googleapis from 170.1.0 to 171.4.0 (#26) 
Bumps [googleapis](https://github.com/googleapis/google-api-nodejs-client) from 170.1.0 to 171.4.0.
- [Release notes](https://github.com/googleapis/google-api-nodejs-client/releases)
- [Changelog](https://github.com/googleapis/google-api-nodejs-client/blob/main/release-please-config.json)
- [Commits](https://github.com/googleapis/google-api-nodejs-client/compare/googleapis-v170.1.0...googleapis-v171.4.0)

---
updated-dependencies:
- dependency-name: googleapis
  dependency-version: 171.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-23 10:08:02 +01:00
dependabot[bot]
8ffbb66679
deps(dev)(deps-dev): bump @vitejs/plugin-react from 4.5.2 to 5.1.4 (#25) 
Bumps [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) from 4.5.2 to 5.1.4.
- [Release notes](https://github.com/vitejs/vite-plugin-react/releases)
- [Changelog](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite-plugin-react/commits/plugin-react@5.1.4/packages/plugin-react)

---
updated-dependencies:
- dependency-name: "@vitejs/plugin-react"
  dependency-version: 5.1.4
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-23 10:07:58 +01:00
dependabot[bot]
cfbd445e1b
deps(deps): bump next from 16.2.0-canary.41 to 16.2.0-canary.58 (#24) 
Bumps [next](https://github.com/vercel/next.js) from 16.2.0-canary.41 to 16.2.0-canary.58.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/compare/v16.2.0-canary.41...v16.2.0-canary.58)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 16.2.0-canary.58
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-23 10:07:55 +01:00
dependabot[bot]
511ffbbc88
deps(deps): bump @anthropic-ai/sdk from 0.71.2 to 0.78.0 (#23) 
Bumps [@anthropic-ai/sdk](https://github.com/anthropics/anthropic-sdk-typescript) from 0.71.2 to 0.78.0.
- [Release notes](https://github.com/anthropics/anthropic-sdk-typescript/releases)
- [Changelog](https://github.com/anthropics/anthropic-sdk-typescript/blob/main/CHANGELOG.md)
- [Commits](https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.71.2...sdk-v0.78.0)

---
updated-dependencies:
- dependency-name: "@anthropic-ai/sdk"
  dependency-version: 0.78.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-23 10:07:42 +01:00
dependabot[bot]
d26ff507c0
deps(deps): bump dotenv from 16.4.7 to 17.3.1 (#22) 
Bumps [dotenv](https://github.com/motdotla/dotenv) from 16.4.7 to 17.3.1.
- [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md)
- [Commits](https://github.com/motdotla/dotenv/compare/v16.4.7...v17.3.1)

---
updated-dependencies:
- dependency-name: dotenv
  dependency-version: 17.3.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-23 10:07:35 +01:00
dependabot[bot]
ea3d5b78d4
deps(deps): bump cross-env from 7.0.3 to 10.1.0 (#21) 
Bumps [cross-env](https://github.com/kentcdodds/cross-env) from 7.0.3 to 10.1.0.
- [Release notes](https://github.com/kentcdodds/cross-env/releases)
- [Changelog](https://github.com/kentcdodds/cross-env/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kentcdodds/cross-env/compare/v7.0.3...v10.1.0)

---
updated-dependencies:
- dependency-name: cross-env
  dependency-version: 10.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-23 10:07:28 +01:00
dependabot[bot]
2e2dd8f3e6
deps(actions): bump actions/setup-node from 4 to 6 (#17) 
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-23 10:06:27 +01:00
dependabot[bot]
9e630a274b
deps(actions): bump actions/upload-artifact from 4 to 6 (#16) 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v6)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-23 10:06:21 +01:00
dependabot[bot]
7f91fbfabd
deps(actions): bump actions/download-artifact from 4 to 7 (#15) 
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 7.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/v4...v7)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-23 10:06:14 +01:00
dependabot[bot]
a3bb49e11a
deps(actions): bump pnpm/action-setup from 3 to 4 (#14) 
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 3 to 4.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](https://github.com/pnpm/action-setup/compare/v3...v4)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-23 10:06:06 +01:00
dependabot[bot]
90fc83d287
deps(actions): bump lewagon/wait-on-check-action from 1.3.4 to 1.5.0 (#13) 
Bumps [lewagon/wait-on-check-action](https://github.com/lewagon/wait-on-check-action) from 1.3.4 to 1.5.0.
- [Release notes](https://github.com/lewagon/wait-on-check-action/releases)
- [Changelog](https://github.com/lewagon/wait-on-check-action/blob/master/CHANGELOG.md)
- [Commits](https://github.com/lewagon/wait-on-check-action/compare/v1.3.4...v1.5.0)

---
updated-dependencies:
- dependency-name: lewagon/wait-on-check-action
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-23 10:05:59 +01:00
dependabot[bot]
1c9263b244
deps(deps): bump the payload-core group with 11 updates (#18) 
Bumps the payload-core group with 11 updates:

| Package | From | To |
| --- | --- | --- |
| [@payloadcms/db-postgres](https://github.com/payloadcms/payload/tree/HEAD/packages/db-postgres) | `3.76.1` | `3.77.0` |
| [@payloadcms/next](https://github.com/payloadcms/payload/tree/HEAD/packages/next) | `3.76.1` | `3.77.0` |
| [@payloadcms/plugin-form-builder](https://github.com/payloadcms/payload/tree/HEAD/packages/plugin-form-builder) | `3.76.1` | `3.77.0` |
| [@payloadcms/plugin-multi-tenant](https://github.com/payloadcms/payload/tree/HEAD/packages/plugin-multi-tenant) | `3.76.1` | `3.77.0` |
| [@payloadcms/plugin-nested-docs](https://github.com/payloadcms/payload/tree/HEAD/packages/plugin-nested-docs) | `3.76.1` | `3.77.0` |
| [@payloadcms/plugin-redirects](https://github.com/payloadcms/payload/tree/HEAD/packages/plugin-redirects) | `3.76.1` | `3.77.0` |
| [@payloadcms/plugin-seo](https://github.com/payloadcms/payload/tree/HEAD/packages/plugin-seo) | `3.76.1` | `3.77.0` |
| [@payloadcms/richtext-lexical](https://github.com/payloadcms/payload/tree/HEAD/packages/richtext-lexical) | `3.76.1` | `3.77.0` |
| [@payloadcms/translations](https://github.com/payloadcms/payload/tree/HEAD/packages/translations) | `3.76.1` | `3.77.0` |
| [@payloadcms/ui](https://github.com/payloadcms/payload/tree/HEAD/packages/ui) | `3.76.1` | `3.77.0` |
| [payload](https://github.com/payloadcms/payload/tree/HEAD/packages/payload) | `3.76.1` | `3.77.0` |


Updates `@payloadcms/db-postgres` from 3.76.1 to 3.77.0
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.77.0/packages/db-postgres)

Updates `@payloadcms/next` from 3.76.1 to 3.77.0
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.77.0/packages/next)

Updates `@payloadcms/plugin-form-builder` from 3.76.1 to 3.77.0
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.77.0/packages/plugin-form-builder)

Updates `@payloadcms/plugin-multi-tenant` from 3.76.1 to 3.77.0
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.77.0/packages/plugin-multi-tenant)

Updates `@payloadcms/plugin-nested-docs` from 3.76.1 to 3.77.0
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.77.0/packages/plugin-nested-docs)

Updates `@payloadcms/plugin-redirects` from 3.76.1 to 3.77.0
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.77.0/packages/plugin-redirects)

Updates `@payloadcms/plugin-seo` from 3.76.1 to 3.77.0
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.77.0/packages/plugin-seo)

Updates `@payloadcms/richtext-lexical` from 3.76.1 to 3.77.0
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.77.0/packages/richtext-lexical)

Updates `@payloadcms/translations` from 3.76.1 to 3.77.0
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.77.0/packages/translations)

Updates `@payloadcms/ui` from 3.76.1 to 3.77.0
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.77.0/packages/ui)

Updates `payload` from 3.76.1 to 3.77.0
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.77.0/packages/payload)

---
updated-dependencies:
- dependency-name: "@payloadcms/db-postgres"
  dependency-version: 3.77.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload-core
- dependency-name: "@payloadcms/next"
  dependency-version: 3.77.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload-core
- dependency-name: "@payloadcms/plugin-form-builder"
  dependency-version: 3.77.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload-core
- dependency-name: "@payloadcms/plugin-multi-tenant"
  dependency-version: 3.77.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload-core
- dependency-name: "@payloadcms/plugin-nested-docs"
  dependency-version: 3.77.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload-core
- dependency-name: "@payloadcms/plugin-redirects"
  dependency-version: 3.77.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload-core
- dependency-name: "@payloadcms/plugin-seo"
  dependency-version: 3.77.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload-core
- dependency-name: "@payloadcms/richtext-lexical"
  dependency-version: 3.77.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload-core
- dependency-name: "@payloadcms/translations"
  dependency-version: 3.77.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload-core
- dependency-name: "@payloadcms/ui"
  dependency-version: 3.77.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload-core
- dependency-name: payload
  dependency-version: 3.77.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload-core
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-23 10:04:42 +01:00
Martin Porwoll
7d591ce22b deps: target develop branch for 
Dependabot PRs

  Aligns with git-flow: updates go through develop before main.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-23 08:53:19 +00:00
Martin Porwoll
0065712752 deps: add Dependabot config for automated dependency updates 
- Daily npm dependency checks at 04:00 Europe/Berlin
  - Grouped updates: payload-core, react-nextjs, fullcalendar, dev-deps
  - Weekly GitHub Actions updates
  - Auto-merge workflow for patch updates after CI passes
  - Minor dev-dependency updates also auto-merged
  - Critical after CVE-2025-55182 incident on 2025-12-09
 2026-02-23 08:53:19 +00:00
Martin Porwoll
b62ca46133 chore: add zweitmeinung migration docs and GitHub protection script 
- docs/zweitmeinung/: Migration guide (Strapi → Payload), content
  inventory, website guide, and reference screenshots
- scripts/setup-github-protection.sh: Branch protection + Dependabot
  auto-merge setup for cms.c2sgmbh repo

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-23 07:16:15 +00:00
Martin Porwoll
1932ad26ef deps: target develop branch for 
Dependabot PRs

  Aligns with git-flow: updates go through develop before main.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-22 16:53:50 +00:00
Martin Porwoll
c85cf22496 deps: add Dependabot config for automated dependency updates 
- Daily npm dependency checks at 04:00 Europe/Berlin
  - Grouped updates: payload-core, react-nextjs, fullcalendar, dev-deps
  - Weekly GitHub Actions updates
  - Auto-merge workflow for patch updates after CI passes
  - Minor dev-dependency updates also auto-merged
  - Critical after CVE-2025-55182 incident on 2025-12-09
 2026-02-22 16:43:42 +00:00
Martin Porwoll
a8a0bf3cb1 chore(deps): update dependencies and fix security vulnerabilities 
Updated: ioredis 5.9.3, nodemailer 7.0.13, recharts 3.7.0,
drizzle-kit 0.31.9, eslint 9.39.3, prettier 3.8.1,
@types/node 22.19.11, @types/nodemailer 7.0.11

Security overrides (pnpm.overrides):
- minimatch >=10.2.1 (CVE-2026-26996 ReDoS)
- esbuild >=0.25.0 (GHSA-67mh-4wv8-2f99)
- ajv >=8.18.0 (GHSA-2g4f-4pwh-qvx6 ReDoS)
- ioredis 5.9.3 (fix BullMQ type mismatch)

Added Codex CLI remote orchestration docs to CLAUDE.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-22 14:53:22 +00:00
Martin Porwoll
d234682539 feat(seed): populate service features, icons, and detailSections for zweitmeinung 
Add structured data (icon, features[], detailSections[]) to all 6 services
so the frontend can render benefits grids and checklists from CMS data.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-21 01:34:13 +00:00
Martin Porwoll
03c0e5e5d8 feat(seed): add CMS pages to zweitmeinung seed script 
Adds 9 pages with Payload blocks for tenant 12 (zweitmeinu.ng):
home, fachbereiche, faq, so-funktionierts, motivation, ueber-uns,
kontakt, impressum, datenschutz.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-21 00:59:53 +00:00
Martin Porwoll
ab4ee4bb70 fix(access): allow tenant resolution from query parameter in tenantScopedPublicRead 
Previously, tenantScopedPublicRead only resolved the tenant from the Host
header, which fails when frontend API clients call cms.c2sgmbh.de (the CMS
hostname doesn't match any tenant domain). Now falls back to extracting the
tenant ID from the where[tenant][equals] query parameter. The returned access
filter still enforces tenant isolation.

Also adds seed script for zweitmeinung (tenant 12) with all content:
site settings, 2 service categories, 6 services, 24 FAQs, navigation,
4 social links, and contact form.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-21 00:44:42 +00:00
Martin Porwoll
101ee0abed docs: update documentation for contact form multi-tenant refactoring 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 21:06:27 +00:00
Martin Porwoll
290c2af40f fix(cors): add sv-frontend IP to CORS and CSRF whitelist 
Add http://10.10.181.104:3000 (sv-frontend staging) to allow cross-origin
form submissions from the staging frontend to the CMS API.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 17:23:35 +00:00
Martin Porwoll
d90657c2cf fix: form submission hooks — tenant propagation + email notification 
- FormSubmissionsOverrides: fields must be a function (not array) for
  the form-builder plugin to merge them with defaultFields
- setSubmissionTenant: add overrideAccess for unauthenticated submissions
- sendFormNotification: handle populated form object (extract ID),
  add overrideAccess for tenant SMTP lookup

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:58:40 +00:00