chore(release): obfuscate and hash production assets [skip ci]

.gitea/workflows/obfuscate-main.yml

@@ -1,35 +1,27 @@
-name: Obfuscate Main Build
+name: Release Build (ci → main)
 
 on:
   push:
     branches:
-      - main
+      - ci
   workflow_dispatch:
 
 env:
-  # Gitea liefert intern oft eine IP; das SSL-Zertifikat gilt für den Hostnamen.
   GITEA_HOST: git.hexahost.dev
   REPO_PATH: smueller/HexaHost-Frontend
 
 jobs:
-  obfuscate:
+  release-build:
+    if: ${{ !contains(github.event.head_commit.message, '[skip ci]') }}
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout
+      - name: Checkout ci (Integration)
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           repository-url: https://git.hexahost.dev/smueller/HexaHost-Frontend
-
-      - name: Skip loop commits
-        run: |
-          msg="$(git log -1 --pretty=%B)"
-          echo "Last commit message: $msg"
-          if echo "$msg" | grep -q "\[skip ci\]"; then
-            echo "Skip CI commit detected."
-            exit 0
-          fi
+          ref: ci
 
       - name: Setup Python
         uses: actions/setup-python@v5
@@ -44,17 +36,27 @@ jobs:
       - name: Run release obfuscation
         run: python scripts/obfuscate_release.py --root . --hash-assets
 
-      - name: Commit obfuscated build
+      - name: Publish release to main
         env:
           GITEA_TOKEN: ${{ github.token }}
         run: |
           git config user.name "gitea-actions"
           git config user.email "actions@local"
           git remote set-url origin "https://oauth2:${GITEA_TOKEN}@${GITEA_HOST}/${REPO_PATH}.git"
+          git fetch origin main ci
+
           git add -A
           if git diff --cached --quiet; then
-            echo "No build changes to commit."
+            echo "No release changes to publish."
             exit 0
           fi
-          git commit -m "chore(release): obfuscate and hash production assets [skip ci]"
-          git push origin HEAD:main
+
+          TREE=$(git write-tree)
+          MSG="chore(release): obfuscate and hash production assets [skip ci]"
+          if git show-ref --verify --quiet refs/remotes/origin/main; then
+            PARENT=$(git rev-parse origin/main)
+            COMMIT=$(git commit-tree "$TREE" -p "$PARENT" -m "$MSG")
+          else
+            COMMIT=$(git commit-tree "$TREE" -m "$MSG")
+          fi
+          git push origin "${COMMIT}:refs/heads/main"

.githooks/commit-msg

@@ -0,0 +1,29 @@
+#!/bin/sh
+# Validiert Commit-Messages nach Conventional Commits
+# https://www.conventionalcommits.org/
+
+commit_msg_file="$1"
+
+first_line=$(sed '/^#/d;/^$/d' "$commit_msg_file" | head -n 1)
+
+# Merge/Revert von Git erlauben
+case "$first_line" in
+  Merge\ *|Revert\ *)
+    exit 0
+    ;;
+esac
+
+pattern='^(feat|fix|docs|style|refactor|perf|test|build|ci|chore)(\([a-z0-9._-]+\))?!?: .+'
+
+if ! printf '%s\n' "$first_line" | grep -qE "$pattern"; then
+  echo >&2 "❌ Commit-Message entspricht nicht Conventional Commits."
+  echo >&2 ""
+  echo >&2 "  Format:  type(scope): description"
+  echo >&2 "  Beispiel: feat(products): hide vpc in navigation"
+  echo >&2 ""
+  echo >&2 "  Erlaubte types: feat, fix, docs, style, refactor, perf, test, build, ci, chore"
+  echo >&2 "  Überspringen: git commit --no-verify"
+  exit 1
+fi
+
+exit 0

.github/workflows/obfuscate-main.yml

@@ -1,44 +1,63 @@
-name: Obfuscate Main Build
+# Hinweis: Gitea nutzt .gitea/workflows/obfuscate-main.yml (identischer Ablauf).
+name: Release Build (ci → main)
 
 on:
   push:
     branches:
-      - main
+      - ci
   workflow_dispatch:
 
-permissions:
-  contents: write
+env:
+  GITEA_HOST: git.hexahost.dev
+  REPO_PATH: smueller/HexaHost-Frontend
 
 jobs:
-  obfuscate:
-    if: github.actor != 'github-actions[bot]'
+  release-build:
+    if: ${{ !contains(github.event.head_commit.message, '[skip ci]') }}
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout
+      - name: Checkout ci (Integration)
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          repository-url: https://git.hexahost.dev/smueller/HexaHost-Frontend
+          ref: ci
 
       - name: Setup Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.12'
+          python-version: "3.12"
 
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: "20"
 
       - name: Run release obfuscation
         run: python scripts/obfuscate_release.py --root . --hash-assets
 
-      - name: Commit obfuscated build
+      - name: Publish release to main
+        env:
+          GITEA_TOKEN: ${{ github.token }}
         run: |
+          git config user.name "gitea-actions"
+          git config user.email "actions@local"
+          git remote set-url origin "https://oauth2:${GITEA_TOKEN}@${GITEA_HOST}/${REPO_PATH}.git"
+          git fetch origin main ci
+
           git add -A
           if git diff --cached --quiet; then
-            echo "No build changes to commit."
+            echo "No release changes to publish."
             exit 0
           fi
-          git commit -m "chore(release): obfuscate and hash production assets [skip ci]"
-          git push
+
+          TREE=$(git write-tree)
+          MSG="chore(release): obfuscate and hash production assets [skip ci]"
+          if git show-ref --verify --quiet refs/remotes/origin/main; then
+            PARENT=$(git rev-parse origin/main)
+            COMMIT=$(git commit-tree "$TREE" -p "$PARENT" -m "$MSG")
+          else
+            COMMIT=$(git commit-tree "$TREE" -m "$MSG")
+          fi
+          git push origin "${COMMIT}:refs/heads/main"

.gitignore

@@ -13,6 +13,7 @@ build/
 # Environment variables
 .env
 .cursorrules
+.cursor/
 .cursorrules.txt
 .env.local
 .env.development.local

.gitmessage

@@ -0,0 +1,16 @@
+# Conventional Commits – nur die erste nicht-kommentierte Zeile wird verwendet
+# Format: type(scope): description
+#
+# feat     Neues Feature
+# fix      Bugfix
+# docs     Dokumentation
+# style    Formatierung (keine Logik)
+# refactor Umbau ohne Feature/Fix
+# perf     Performance
+# test     Tests
+# build    Build / Dependencies
+# ci       CI/CD
+# chore    Sonstiges
+#
+# Beispiel (diese Zeile anpassen und Kommentare löschen oder stehen lassen):
+# feat(products): hide vpc and vps in navigation

README.md

@@ -166,9 +166,38 @@ Für den Produktivbetrieb `public/` als Webroot konfigurieren.
 
 ### Production-Build & Veröffentlichung
 
-Der Quellcode bleibt auf `dev`, der veröffentlichte Stand liegt auf `main`.
+| Branch | Zweck |
+|--------|--------|
+| **`dev`** | Entwicklung (lesbarer Code, Kommentare) |
+| **`ci`** | Integration (du mergst `dev` hierher) |
+| **`main`** | Release/Produktion (obfuskiert, gehashte Assets — nur per Pipeline) |
 
-Bei jedem Push/Merge auf `main` läuft die GitHub Action `.github/workflows/obfuscate-main.yml` automatisch und führt aus:
+**Ablauf: `dev` → `ci` → `main`**
+
+1. Auf **`dev`** entwickeln und pushen
+2. **`dev` nach `ci` mergen** (manuell, z. B. in Gitea oder lokal)
+3. **`ci` pushen** → startet `.gitea/workflows/obfuscate-main.yml`
+4. Pipeline obfuskiert im Runner-Workspace und publiziert nach **`main`**
+
+```powershell
+# Nach fertigen Änderungen auf dev:
+git checkout ci
+git pull origin ci
+git merge dev
+git push origin ci
+```
+
+Bei jedem Push auf **`ci`**:
+
+1. Checkout von `ci` im temporären Runner-Workspace
+2. Obfuscation-Build (`scripts/obfuscate_release.py --hash-assets`)
+3. Ergebnis nach `main` pushen (Bot-Commit mit `[skip ci]`)
+
+**Nicht** `dev` oder `ci` direkt nach `main` mergen. Der Branch **`ci` bleibt lesbar** — Obfuscation wird nur nach `main` publiziert.
+
+`ci`-Branch einmalig anlegen (falls noch nicht vorhanden): `git checkout -b ci dev && git push -u origin ci`
+
+Der Build führt aus:
 
 - Entfernen von Kommentaren (inkl. Block-Kommentaren) in PHP/JS/CSS
 - Minify + Obfuscate für JavaScript
@@ -176,7 +205,7 @@ Bei jedem Push/Merge auf `main` läuft die GitHub Action `.github/workflows/obfu
 - Kein Source-Map-Output
 - Hashing von JS/CSS-Dateinamen + automatische Referenz-Anpassung
 
-Lokal ausführbar:
+Lokal testen (nur in Kopie, nicht committen):
 
 ```bash
 python scripts/obfuscate_release.py --root . --hash-assets

backend/config/mail-config.php

@@ -13,7 +13,7 @@ define('SMTP_TO_EMAIL', 'info@hexahost.de');
 
 define('ENABLE_CSRF_PROTECTION', true);            
 define('ENABLE_RATE_LIMITING', true);              
-define('MAX_REQUESTS_PER_HOUR', 10);               
+define('MAX_REQUESTS_PER_HOUR', 5);               
 
 
 define('ENABLE_SPAM_PROTECTION', true);            

backend/config/products-config.php

@@ -444,12 +444,45 @@ $PRODUCTS['webhosting'] = [
 ];
 
 
+$PRODUCT_VISIBILITY = [
+    'vpc' => false,
+    'vps' => false,
+    'mail-gateway' => false,
+    'webhosting' => true,
+];
 
 
 
 
 
 
+
+
+function isProductVisible(string $productId): bool {
+    global $PRODUCT_VISIBILITY;
+    return $PRODUCT_VISIBILITY[$productId] ?? true;
+}
+
+
+
+
+function productHiddenAttr(string $productId): string {
+    return isProductVisible($productId) ? '' : ' hidden';
+}
+
+
+
+
+
+
+function getVisibleProductPageIds(): array {
+    global $PRODUCT_VISIBILITY;
+    return array_keys(array_filter($PRODUCT_VISIBILITY, static fn(bool $visible): bool => $visible));
+}
+
+
+
+
 function getAllProducts() {
     global $PRODUCTS;
     return $PRODUCTS;

backend/includes/footer.php

@@ -15,10 +15,17 @@
                 <div class="footer-section">
                     <h4>Produkte</h4>
                     <ul>
-                        <li><a href="/vpc">Virtual Private Container</a></li>
-                        <li><a href="/vps">Virtual Private Server</a></li>
-                        <li><a href="/mail-gateway">Mail Gateway</a></li>
-                        <li><a href="/webhosting">Webhosting</a></li>
+                        <li<?php echo productHiddenAttr('vpc'); ?>><a href="/vpc">Virtual Private Container</a></li>
+                        <li<?php echo productHiddenAttr('vps'); ?>><a href="/vps">Virtual Private Server</a></li>
+                        <li<?php echo productHiddenAttr('mail-gateway'); ?>><a href="/mail-gateway">Mail Gateway</a></li>
+                        <li<?php echo productHiddenAttr('webhosting'); ?>><a href="/webhosting">Webhosting</a></li>
+                    </ul>
+                </div>
+                <div class="footer-section">
+                    <h4>Andere Dienste</h4>
+                    <ul>
+                        <li><a href="https://hexadns.de" target="_blank" rel="noopener noreferrer">hexadns.de</a></li>
+                        <li><a href="https://www.hexa-mail.de/" target="_blank" rel="noopener noreferrer">hexa-mail.de</a></li>
                     </ul>
                 </div>
                 <div class="footer-section">
@@ -156,8 +163,8 @@
     </script>
     <script async src="https://www.googletagmanager.com/gtag/js?id=G-EF0E9VPMTD"></script>
 
-    <script src="/assets/js/main.915e0206c30f.js" defer></script>
-    <script src="/assets/js/cookie-consent.de9e404f0700.js" defer></script>
+    <script src="/assets/js/main.9189c38109cf.js" defer></script>
+    <script src="/assets/js/cookie-consent.91c79812d22c.js" defer></script>
     <?php if (isset($additional_scripts)): ?>
         <?php foreach ($additional_scripts as $script): ?>
             <script src="<?php echo htmlspecialchars($script, ENT_QUOTES, 'UTF-8'); ?>" defer></script>

backend/includes/functions.php

@@ -3,6 +3,8 @@
 
 
 
+require_once __DIR__ . '/../config/products-config.php';
+
 
 if (session_status() === PHP_SESSION_NONE) {
     

backend/includes/header.php

@@ -33,7 +33,7 @@
     
     <!-- Main Stylesheets -->
     <link rel="stylesheet" href="/assets/css/style.d01979e8c871.css">
-    <link rel="stylesheet" href="/assets/css/custom.0bc6a878fec2.css">
+    <link rel="stylesheet" href="/assets/css/custom.d35eb3499212.css">
     
     <!-- Fonts -->
     <link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700&family=Russo+One&family=Source+Sans+Pro:wght@300;400;600;700&display=swap" rel="stylesheet">
@@ -59,12 +59,12 @@
                 <ul class="nav-menu">
                     <li><a href="/" class="nav-link <?php echo ($current_page === 'home') ? 'active' : ''; ?>">Home</a></li>
                     <li class="nav-dropdown">
-                        <a href="#" class="nav-link <?php echo (in_array($current_page, ['vpc', 'vps', 'mail-gateway', 'webhosting'])) ? 'active' : ''; ?>">Produkte</a>
+                        <a href="#" class="nav-link <?php echo (in_array($current_page, getVisibleProductPageIds(), true)) ? 'active' : ''; ?>">Produkte</a>
                         <ul class="dropdown-menu">
-                            <li><a href="/vpc" class="<?php echo ($current_page === 'vpc') ? 'active' : ''; ?>">Virtual Private Container</a></li>
-                            <li><a href="/vps" class="<?php echo ($current_page === 'vps') ? 'active' : ''; ?>">Virtual Private Server</a></li>
-                            <li><a href="/mail-gateway" class="<?php echo ($current_page === 'mail-gateway') ? 'active' : ''; ?>">Mail Gateway</a></li>
-                            <li><a href="/webhosting" class="<?php echo ($current_page === 'webhosting') ? 'active' : ''; ?>">Webhosting</a></li>
+                            <li<?php echo productHiddenAttr('vpc'); ?>><a href="/vpc" class="<?php echo ($current_page === 'vpc') ? 'active' : ''; ?>">Virtual Private Container</a></li>
+                            <li<?php echo productHiddenAttr('vps'); ?>><a href="/vps" class="<?php echo ($current_page === 'vps') ? 'active' : ''; ?>">Virtual Private Server</a></li>
+                            <li<?php echo productHiddenAttr('mail-gateway'); ?>><a href="/mail-gateway" class="<?php echo ($current_page === 'mail-gateway') ? 'active' : ''; ?>">Mail Gateway</a></li>
+                            <li<?php echo productHiddenAttr('webhosting'); ?>><a href="/webhosting" class="<?php echo ($current_page === 'webhosting') ? 'active' : ''; ?>">Webhosting</a></li>
                         </ul>
                     </li>
                     <li><a href="/it-dienstleistungen" class="nav-link <?php echo ($current_page === 'it-dienstleistungen') ? 'active' : ''; ?>">IT-Dienstleistungen</a></li>

public/assets/css/custom.0bc6a878fec2.css

@@ -1 +0,0 @@
-.btn-tertiary{color:var(--text-primary);background:transparent;border:1px solid rgba(255,255,255,0.25);transition:all 0.3s ease;}.btn-tertiary:hover{border-color:var(--primary-color);color:var(--primary-color);background:rgba(255,81,249,0.08);}.it-services-actions{justify-content:center;margin-top:2rem;}.legal-hero,.legal-content{background:#ffffff;color:#000000;}.legal-hero{margin-top:70px;padding:2rem 0 1.5rem;border-bottom:1px solid #e5e5e5;}.legal-content{padding-top:2rem;}.legal-hero-title{background:none;-webkit-text-fill-color:#000000;color:#000000;margin-bottom:0.5rem;}.legal-hero-description,.legal-section h2,.legal-section h3,.legal-block p,.legal-block li,.breadcrumb,.breadcrumb span{color:#000000;}.legal-section,.legal-section.glass-card{background:transparent;border:none;box-shadow:none;backdrop-filter:none;-webkit-backdrop-filter:none;border-radius:0;padding:0;}.legal-section:hover,.legal-section.glass-card:hover{transform:none;box-shadow:none;border:none;background:transparent;}.legal-content .glass-card:hover{transform:none;box-shadow:none;}.legal-section h2{border-bottom:1px solid #e5e5e5;padding-bottom:0.5rem;margin-bottom:0.8rem;}.legal-block a,.breadcrumb a{color:#0b57d0;}.legal-block a:hover,.breadcrumb a:hover{color:#0b57d0;text-decoration:none;}.legal-hero *,.legal-content *,.legal-hero *:hover,.legal-content *:hover,.legal-hero *:focus,.legal-content *:focus,.legal-hero *:active,.legal-content *:active{transform:none !important;box-shadow:none !important;text-shadow:none !important;transition:none !important;animation:none !important;}

public/assets/css/custom.d35eb3499212.css

@@ -0,0 +1 @@
+.btn-tertiary{color:var(--text-primary);background:transparent;border:1px solid rgba(255,255,255,0.25);transition:all 0.3s ease;}.btn-tertiary:hover{border-color:var(--primary-color);color:var(--primary-color);background:rgba(255,81,249,0.08);}.it-services-actions{justify-content:center;margin-top:2rem;}.legal-hero,.legal-content{background:#ffffff;color:#000000;}.legal-hero{margin-top:70px;padding:2rem 0 1.5rem;border-bottom:1px solid #e5e5e5;}.legal-content{padding-top:2rem;}.legal-hero-title{background:none;-webkit-text-fill-color:#000000;color:#000000;margin-bottom:0.5rem;}.legal-hero-description,.legal-section h2,.legal-section h3,.legal-block p,.legal-block li,.legal-hero .breadcrumb,.legal-hero .breadcrumb span,.legal-content .breadcrumb,.legal-content .breadcrumb span{color:#000000;}.legal-section,.legal-section.glass-card{background:transparent;border:none;box-shadow:none;backdrop-filter:none;-webkit-backdrop-filter:none;border-radius:0;padding:0;}.legal-section:hover,.legal-section.glass-card:hover{transform:none;box-shadow:none;border:none;background:transparent;}.legal-content .glass-card:hover{transform:none;box-shadow:none;}.legal-section h2{border-bottom:1px solid #e5e5e5;padding-bottom:0.5rem;margin-bottom:0.8rem;}.legal-block a,.legal-hero .breadcrumb a,.legal-content .breadcrumb a{color:#0b57d0;}.legal-block a:hover,.legal-hero .breadcrumb a:hover,.legal-content .breadcrumb a:hover{color:#0b57d0;text-decoration:none;}.legal-hero *,.legal-content *,.legal-hero *:hover,.legal-content *:hover,.legal-hero *:focus,.legal-content *:focus,.legal-hero *:active,.legal-content *:active{transform:none !important;box-shadow:none !important;text-shadow:none !important;transition:none !important;animation:none !important;}

public/assets/js/contact.b058cc66d435.js

@@ -1,5 +0,0 @@
-[javascript-obfuscator-cli] Obfuscating file: public/assets/js/contact.b058cc66d435.js... 
-
-[javascript-obfuscator-cli] Obfuscating file: public/assets/js/cookie-consent.de9e404f0700.js... 
-
-[javascript-obfuscator-cli] Obfuscating file: public/assets/js/main.915e0206c30f.js...

public/contact.php

@@ -8,7 +8,7 @@ $preselected_subject = getPreselectedContactSubject();
 $page_title = 'Kontakt - HexaHost.de | Hosting aus Niederbayern';
 $page_description = 'Kontaktieren Sie HexaHost.de - Ihr Hosting-Partner aus Niederbayern. Persönlicher Support und kompetente Beratung.';
 $current_page = 'contact';
-$additional_scripts = ['assets/js/contact.b058cc66d435.js'];
+$additional_scripts = ['assets/js/contact.c2399194863d.js'];
 
 
 includeHeader($page_title, $page_description, $current_page, $additional_scripts);

public/index.php

@@ -54,7 +54,7 @@ includeHeader($page_title, $page_description, $current_page);
                 </p>
             </div>
             <div class="products-grid">
-                <div class="product-card glass-card">
+                <div class="product-card glass-card"<?php echo productHiddenAttr('vpc'); ?>>
                     <div class="product-icon">
                         <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
                             <path d="M4 7V4a2 2 0 0 1 2-2h8a2 2 0 0 1 2 2v3"/>
@@ -74,7 +74,7 @@ includeHeader($page_title, $page_description, $current_page);
                     </ul>
                     <a href="/vpc" class="btn btn-primary">Mehr erfahren</a>
                 </div>
-                <div class="product-card glass-card">
+                <div class="product-card glass-card"<?php echo productHiddenAttr('vps'); ?>>
                     <div class="product-icon">
                         <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
                             <rect x="2" y="3" width="20" height="14" rx="2" ry="2"/>
@@ -92,7 +92,7 @@ includeHeader($page_title, $page_description, $current_page);
                     </ul>
                     <a href="/vps" class="btn btn-primary">Mehr erfahren</a>
                 </div>
-                <div class="product-card glass-card">
+                <div class="product-card glass-card"<?php echo productHiddenAttr('mail-gateway'); ?>>
                     <div class="product-icon">
                         <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
                             <path d="M4 4h16c1.1 0 2 .9 2 2v12c0 1.1-.9 2-2 2H4c-1.1 0-2-.9-2-2V6c0-1.1.9-2 2-2z"/>

public/robots.txt

@@ -7,8 +7,8 @@ Disallow: /assets/css/
 
 # Allow CSS and JS files for better SEO
 Allow: /assets/css/style.d01979e8c871.css
-Allow: /assets/js/main.915e0206c30f.js
-Allow: /assets/js/contact.b058cc66d435.js
+Allow: /assets/js/main.9189c38109cf.js
+Allow: /assets/js/contact.c2399194863d.js
 
 # Sitemap location
 Sitemap: https://hexahost.de/sitemap.xml

scripts/obfuscate_release.py

@@ -3,15 +3,17 @@ from __future__ import annotations
 
 import argparse
 import hashlib
-import os
 import re
 import shutil
 import subprocess
 import sys
+import tempfile
+from collections import defaultdict
 from pathlib import Path
 
 
 TEXT_EXTENSIONS = {".php", ".html", ".htm", ".xml", ".txt", ".js", ".css"}
+HASH_SUFFIX_RE = re.compile(r"\.[a-f0-9]{12}$", re.I)
 
 
 def strip_comments_keep_strings(text: str) -> str:
@@ -174,42 +176,124 @@ def minify_js_fallback(text: str) -> str:
     return text.strip()
 
 
-def run_cmd(command: list[str], cwd: Path, input_text: str | None = None) -> str:
+def canonical_asset_base(stem: str) -> str:
+    name = stem
+    while HASH_SUFFIX_RE.search(name):
+        name = HASH_SUFFIX_RE.sub("", name)
+    return name
+
+
+def is_skipped_asset(path: Path) -> bool:
+    lowered = path.as_posix().lower()
+    if ".min." in path.name or ".obf." in path.name or ".deob." in path.name:
+        return True
+    if "deobfuscated" in lowered:
+        return True
+    return False
+
+
+def is_valid_source_content(content: str) -> bool:
+    if "[javascript-obfuscator-cli]" in content:
+        return False
+    return len(content.strip()) >= 20
+
+
+def collect_asset_groups(asset_root: Path) -> dict[tuple[Path, str, str], list[Path]]:
+    groups: dict[tuple[Path, str, str], list[Path]] = defaultdict(list)
+    for ext in (".js", ".css"):
+        for file_path in sorted(asset_root.rglob(f"*{ext}")):
+            if is_skipped_asset(file_path):
+                continue
+            base = canonical_asset_base(file_path.stem)
+            key = (file_path.parent, base, ext)
+            groups[key].append(file_path)
+    return groups
+
+
+def pick_source_file(paths: list[Path], base: str, ext: str) -> Path | None:
+    if not paths:
+        return None
+
+    parent = paths[0].parent
+    plain = parent / f"{base}{ext}"
+    ordered: list[Path] = []
+    if plain in paths:
+        ordered.append(plain)
+    for candidate in sorted(paths, key=lambda p: len(p.name)):
+        if candidate not in ordered:
+            ordered.append(candidate)
+
+    for candidate in ordered:
+        try:
+            content = candidate.read_text(encoding="utf-8")
+        except (OSError, UnicodeDecodeError):
+            continue
+        if is_valid_source_content(content):
+            return candidate
+    return None
+
+
+def cleanup_invalid_siblings(paths: list[Path], source: Path) -> None:
+    for path in paths:
+        if path == source or not path.exists():
+            continue
+        try:
+            content = path.read_text(encoding="utf-8")
+        except (OSError, UnicodeDecodeError):
+            content = ""
+        if not is_valid_source_content(content):
+            path.unlink()
+
+
+def run_cmd(command: list[str], cwd: Path) -> None:
     proc = subprocess.run(
         command,
         cwd=str(cwd),
-        input=input_text,
         text=True,
         capture_output=True,
         check=False,
     )
     if proc.returncode != 0:
-        raise RuntimeError(proc.stderr.strip() or "command failed")
-    return proc.stdout
+        raise RuntimeError(proc.stderr.strip() or proc.stdout.strip() or "command failed")
 
 
 def process_js(path: Path, cwd: Path) -> None:
     original = path.read_text(encoding="utf-8")
+    if not is_valid_source_content(original):
+        raise ValueError(
+            f"invalid or corrupted JS source: {path} "
+            f"(restore e.g. 'git checkout dev -- {path.as_posix()}')"
+        )
+
     if shutil.which("npx"):
+        tmpdir = Path(tempfile.mkdtemp())
         try:
-            minified = run_cmd(
+            src = tmpdir / "input.js"
+            out = tmpdir / "output.js"
+            src.write_text(original, encoding="utf-8")
+            run_cmd(
                 [
                     "npx",
                     "--yes",
                     "terser",
+                    str(src),
+                    "-o",
+                    str(src),
                     "--compress",
                     "--mangle",
                     "--comments",
                     "false",
                 ],
                 cwd,
-                input_text=original,
             )
-            obfuscated = run_cmd(
+            run_cmd(
                 [
                     "npx",
                     "--yes",
                     "javascript-obfuscator",
+                    str(src),
+                    "--output",
+                    str(out),
                     "--compact",
                     "true",
                     "--control-flow-flattening",
@@ -224,38 +308,51 @@ def process_js(path: Path, cwd: Path) -> None:
                     "browser-no-eval",
                     "--source-map",
                     "false",
-                    "--output",
-                    "stdout",
                 ],
                 cwd,
-                input_text=minified,
             )
-            path.write_text(obfuscated.strip() + "\n", encoding="utf-8")
+            if not out.exists():
+                raise RuntimeError("obfuscator produced no output file")
+            result = out.read_text(encoding="utf-8")
+            if not is_valid_source_content(result):
+                raise RuntimeError("obfuscator output looks invalid")
+            path.write_text(result.strip() + "\n", encoding="utf-8")
             return
         except Exception:
             pass
+        finally:
+            shutil.rmtree(tmpdir, ignore_errors=True)
+
     path.write_text(minify_js_fallback(original) + "\n", encoding="utf-8")
 
 
 def process_css(path: Path, cwd: Path) -> None:
     original = path.read_text(encoding="utf-8")
     if shutil.which("npx"):
+        tmpdir = Path(tempfile.mkdtemp())
         try:
-            minified = run_cmd(
+            src = tmpdir / "input.css"
+            out = tmpdir / "output.css"
+            src.write_text(original, encoding="utf-8")
+            run_cmd(
                 [
                     "npx",
                     "--yes",
                     "clean-css-cli",
+                    str(src),
+                    "-o",
+                    str(out),
                     "--skip-rebase",
                     "-O2",
                 ],
                 cwd,
-                input_text=original,
             )
-            path.write_text(minified.strip() + "\n", encoding="utf-8")
+            path.write_text(out.read_text(encoding="utf-8").strip() + "\n", encoding="utf-8")
             return
         except Exception:
             pass
+        finally:
+            shutil.rmtree(tmpdir, ignore_errors=True)
     path.write_text(minify_css_fallback(original) + "\n", encoding="utf-8")
 
 
@@ -266,8 +363,7 @@ def process_php(path: Path) -> None:
 
 
 def hash_file(path: Path) -> str:
-    digest = hashlib.sha256(path.read_bytes()).hexdigest()[:12]
-    return digest
+    return hashlib.sha256(path.read_bytes()).hexdigest()[:12]
 
 
 def replace_references(root: Path, mapping: dict[str, str]) -> None:
@@ -279,7 +375,7 @@ def replace_references(root: Path, mapping: dict[str, str]) -> None:
         except UnicodeDecodeError:
             continue
         updated = content
-        for src, dst in mapping.items():
+        for src, dst in sorted(mapping.items(), key=lambda item: len(item[0]), reverse=True):
             updated = updated.replace(src, dst)
             updated = updated.replace("/" + src, "/" + dst)
         if updated != content:
@@ -289,17 +385,32 @@ def replace_references(root: Path, mapping: dict[str, str]) -> None:
 def build_hash_mapping(public_root: Path) -> dict[str, str]:
     mapping: dict[str, str] = {}
     asset_root = public_root / "assets"
-    for ext in (".js", ".css"):
-        for file_path in sorted(asset_root.rglob(f"*{ext}")):
-            if ".min." in file_path.name or ".obf." in file_path.name:
+    if not asset_root.exists():
+        return mapping
+
+    groups = collect_asset_groups(asset_root)
+    for (parent, base, ext), paths in groups.items():
+        source = pick_source_file(paths, base, ext)
+        if source is None:
             continue
-            digest = hash_file(file_path)
-            new_name = f"{file_path.stem}.{digest}{file_path.suffix}"
-            new_path = file_path.with_name(new_name)
-            file_path.rename(new_path)
-            rel_old = file_path.relative_to(public_root).as_posix()
-            rel_new = new_path.relative_to(public_root).as_posix()
+        digest = hash_file(source)
+        target = parent / f"{base}.{digest}{ext}"
+        rel_new = target.relative_to(public_root).as_posix()
+
+        for old in paths:
+            rel_old = old.relative_to(public_root).as_posix()
+            if rel_old != rel_new:
                 mapping[rel_old] = rel_new
+
+        if source != target:
+            if target.exists():
+                target.unlink()
+            source.replace(target)
+
+        for old in paths:
+            if old != target and old.exists():
+                old.unlink()
+
     return mapping
 
 
@@ -316,11 +427,26 @@ def main() -> int:
         print("public directory not found", file=sys.stderr)
         return 1
 
-    for js in sorted(public_root.rglob("*.js")):
-        process_js(js, repo_root)
-    for css in sorted(public_root.rglob("*.css")):
-        process_css(css, repo_root)
-    for php in sorted((repo_root / "public").rglob("*.php")):
+    asset_root = public_root / "assets"
+    if asset_root.exists():
+        groups = collect_asset_groups(asset_root)
+        for (parent, base, ext), paths in sorted(groups.items()):
+            source = pick_source_file(paths, base, ext)
+            if source is None:
+                rel = (parent / f"{base}{ext}").relative_to(public_root)
+                print(
+                    f"ERROR: No valid source for {rel}. "
+                    f"Restore from dev, e.g.: git checkout dev -- {rel}",
+                    file=sys.stderr,
+                )
+                return 1
+            cleanup_invalid_siblings(paths, source)
+            if ext == ".js":
+                process_js(source, repo_root)
+            else:
+                process_css(source, repo_root)
+
+    for php in sorted(public_root.rglob("*.php")):
         process_php(php)
     for php in sorted((repo_root / "backend").rglob("*.php")):
         process_php(php)

scripts/setup-git-hooks.ps1

@@ -0,0 +1,17 @@
+# Einmal pro Clone ausführen: Commit-Template + Conventional-Commits-Hook aktivieren
+$ErrorActionPreference = "Stop"
+$repoRoot = Resolve-Path (Join-Path $PSScriptRoot "..")
+
+Push-Location $repoRoot
+try {
+    git config --local commit.template .gitmessage
+    git config --local core.hooksPath .githooks
+
+    Write-Host "Git Hooks aktiv:" -ForegroundColor Green
+    Write-Host "  commit.template = .gitmessage"
+    Write-Host "  core.hooksPath  = .githooks"
+    Write-Host ""
+    Write-Host "Commit-Format: feat(scope): beschreibung"
+} finally {
+    Pop-Location
+}

scripts/test-email.php

@@ -0,0 +1,48 @@
+<?php
+/**
+ * HexaHost.de E-Mail Test (nur CLI oder lokale Entwicklung)
+ */
+
+if (PHP_SAPI !== 'cli') {
+    $remoteAddr = $_SERVER['REMOTE_ADDR'] ?? '';
+    $isLocal = in_array($remoteAddr, ['127.0.0.1', '::1'], true)
+        || filter_var($remoteAddr, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
+
+    if (!$isLocal) {
+        http_response_code(403);
+        exit('Forbidden');
+    }
+}
+
+require_once __DIR__ . '/../backend/config/mail-config.php';
+
+function testEmail() {
+    $config = getHexaHostConfig();
+
+    $subject = '[HexaHost.de] Test-E-Mail';
+    $message = "Test-E-Mail von HexaHost.de\n\n";
+    $message .= "Zeitstempel: " . date('d.m.Y H:i:s') . "\n";
+
+    $headers = [
+        'From: ' . $config['from_name'] . ' <' . $config['from_email'] . '>',
+        'MIME-Version: 1.0',
+        'Content-Type: text/plain; charset=UTF-8',
+        'X-Mailer: HexaHost Test Email',
+    ];
+
+    return mail($config['to_email'], $subject, $message, implode("\r\n", $headers));
+}
+
+if (PHP_SAPI === 'cli') {
+    echo testEmail() ? "Test-E-Mail gesendet.\n" : "Fehler beim Senden.\n";
+    exit;
+}
+
+if (isset($_GET['test'])) {
+    echo testEmail()
+        ? 'Test-E-Mail wurde gesendet.'
+        : 'Fehler beim Senden der Test-E-Mail.';
+} else {
+    echo '<h1>HexaHost.de E-Mail Test</h1>';
+    echo '<p><a href="?test=1">Test-E-Mail senden</a></p>';
+}