Merge branch 'dev' into ci

stabilisiert das layout der zielgruppen-karten auf der it-dienstleistungen-seite durch seitenlokale overrides ohne auswirkungen auf andere seiten.

Co-authored-by: Cursor <cursoragent@cursor.com>

.gitea/workflows/obfuscate-main.yml

@@ -1,29 +1,27 @@
-name: Obfuscate Main Build
+name: Release Build (ci → main)
 
 on:
   push:
     branches:
-      - main
+      - ci
   workflow_dispatch:
 
+env:
+  GITEA_HOST: git.hexahost.dev
+  REPO_PATH: smueller/HexaHost-Frontend
+
 jobs:
-  obfuscate:
+  release-build:
+    if: ${{ !contains(github.event.head_commit.message, '[skip ci]') }}
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout
+      - name: Checkout ci (Integration)
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-
+          repository-url: https://git.hexahost.dev/smueller/HexaHost-Frontend
-      - name: Skip loop commits
+          ref: ci
-        run: |
-          msg="$(git log -1 --pretty=%B)"
-          echo "Last commit message: $msg"
-          if echo "$msg" | grep -q "\[skip ci\]"; then
-            echo "Skip CI commit detected."
-            exit 0
-          fi
 
       - name: Setup Python
         uses: actions/setup-python@v5
@@ -38,14 +36,27 @@ jobs:
       - name: Run release obfuscation
         run: python scripts/obfuscate_release.py --root . --hash-assets
 
-      - name: Commit obfuscated build
+      - name: Publish release to main
+        env:
+          GITEA_TOKEN: ${{ github.token }}
         run: |
           git config user.name "gitea-actions"
           git config user.email "actions@local"
+          git remote set-url origin "https://oauth2:${GITEA_TOKEN}@${GITEA_HOST}/${REPO_PATH}.git"
+          git fetch origin main ci
+
           git add -A
           if git diff --cached --quiet; then
-            echo "No build changes to commit."
+            echo "No release changes to publish."
             exit 0
           fi
-          git commit -m "chore(release): obfuscate and hash production assets [skip ci]"
+
-          git push
+          TREE=$(git write-tree)
+          MSG="chore(release): obfuscate and hash production assets [skip ci]"
+          if git show-ref --verify --quiet refs/remotes/origin/main; then
+            PARENT=$(git rev-parse origin/main)
+            COMMIT=$(git commit-tree "$TREE" -p "$PARENT" -m "$MSG")
+          else
+            COMMIT=$(git commit-tree "$TREE" -m "$MSG")
+          fi
+          git push origin "${COMMIT}:refs/heads/main"

.githooks/commit-msg

@@ -0,0 +1,29 @@
+#!/bin/sh
+# Validiert Commit-Messages nach Conventional Commits
+# https://www.conventionalcommits.org/
+
+commit_msg_file="$1"
+
+first_line=$(sed '/^#/d;/^$/d' "$commit_msg_file" | head -n 1)
+
+# Merge/Revert von Git erlauben
+case "$first_line" in
+  Merge\ *|Revert\ *)
+    exit 0
+    ;;
+esac
+
+pattern='^(feat|fix|docs|style|refactor|perf|test|build|ci|chore)(\([a-z0-9._-]+\))?!?: .+'
+
+if ! printf '%s\n' "$first_line" | grep -qE "$pattern"; then
+  echo >&2 "❌ Commit-Message entspricht nicht Conventional Commits."
+  echo >&2 ""
+  echo >&2 "  Format:  type(scope): description"
+  echo >&2 "  Beispiel: feat(products): hide vpc in navigation"
+  echo >&2 ""
+  echo >&2 "  Erlaubte types: feat, fix, docs, style, refactor, perf, test, build, ci, chore"
+  echo >&2 "  Überspringen: git commit --no-verify"
+  exit 1
+fi
+
+exit 0

.github/workflows/obfuscate-main.yml

@@ -1,44 +1,63 @@
-name: Obfuscate Main Build
+# Hinweis: Gitea nutzt .gitea/workflows/obfuscate-main.yml (identischer Ablauf).
+name: Release Build (ci → main)
 
 on:
   push:
     branches:
-      - main
+      - ci
   workflow_dispatch:
 
-permissions:
+env:
-  contents: write
+  GITEA_HOST: git.hexahost.dev
+  REPO_PATH: smueller/HexaHost-Frontend
 
 jobs:
-  obfuscate:
+  release-build:
-    if: github.actor != 'github-actions[bot]'
+    if: ${{ !contains(github.event.head_commit.message, '[skip ci]') }}
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout
+      - name: Checkout ci (Integration)
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          repository-url: https://git.hexahost.dev/smueller/HexaHost-Frontend
+          ref: ci
 
       - name: Setup Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.12'
+          python-version: "3.12"
 
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: "20"
 
       - name: Run release obfuscation
         run: python scripts/obfuscate_release.py --root . --hash-assets
 
-      - name: Commit obfuscated build
+      - name: Publish release to main
+        env:
+          GITEA_TOKEN: ${{ github.token }}
         run: |
+          git config user.name "gitea-actions"
+          git config user.email "actions@local"
+          git remote set-url origin "https://oauth2:${GITEA_TOKEN}@${GITEA_HOST}/${REPO_PATH}.git"
+          git fetch origin main ci
+
           git add -A
           if git diff --cached --quiet; then
-            echo "No build changes to commit."
+            echo "No release changes to publish."
             exit 0
           fi
-          git commit -m "chore(release): obfuscate and hash production assets [skip ci]"
+
-          git push
+          TREE=$(git write-tree)
+          MSG="chore(release): obfuscate and hash production assets [skip ci]"
+          if git show-ref --verify --quiet refs/remotes/origin/main; then
+            PARENT=$(git rev-parse origin/main)
+            COMMIT=$(git commit-tree "$TREE" -p "$PARENT" -m "$MSG")
+          else
+            COMMIT=$(git commit-tree "$TREE" -m "$MSG")
+          fi
+          git push origin "${COMMIT}:refs/heads/main"

.gitignore

@@ -13,6 +13,7 @@ build/
 # Environment variables
 .env
 .cursorrules
+.cursor/
 .cursorrules.txt
 .env.local
 .env.development.local

.gitmessage

@@ -0,0 +1,16 @@
+# Conventional Commits – nur die erste nicht-kommentierte Zeile wird verwendet
+# Format: type(scope): description
+#
+# feat     Neues Feature
+# fix      Bugfix
+# docs     Dokumentation
+# style    Formatierung (keine Logik)
+# refactor Umbau ohne Feature/Fix
+# perf     Performance
+# test     Tests
+# build    Build / Dependencies
+# ci       CI/CD
+# chore    Sonstiges
+#
+# Beispiel (diese Zeile anpassen und Kommentare löschen oder stehen lassen):
+# feat(products): hide vpc and vps in navigation

README.md

@@ -166,9 +166,38 @@ Für den Produktivbetrieb `public/` als Webroot konfigurieren.
 
 ### Production-Build & Veröffentlichung
 
-Der Quellcode bleibt auf `dev`, der veröffentlichte Stand liegt auf `main`.
+| Branch | Zweck |
+|--------|--------|
+| **`dev`** | Entwicklung (lesbarer Code, Kommentare) |
+| **`ci`** | Integration (du mergst `dev` hierher) |
+| **`main`** | Release/Produktion (obfuskiert, gehashte Assets — nur per Pipeline) |
 
-Bei jedem Push/Merge auf `main` läuft die GitHub Action `.github/workflows/obfuscate-main.yml` automatisch und führt aus:
+**Ablauf: `dev` → `ci` → `main`**
+
+1. Auf **`dev`** entwickeln und pushen
+2. **`dev` nach `ci` mergen** (manuell, z. B. in Gitea oder lokal)
+3. **`ci` pushen** → startet `.gitea/workflows/obfuscate-main.yml`
+4. Pipeline obfuskiert im Runner-Workspace und publiziert nach **`main`**
+
+```powershell
+# Nach fertigen Änderungen auf dev:
+git checkout ci
+git pull origin ci
+git merge dev
+git push origin ci
+```
+
+Bei jedem Push auf **`ci`**:
+
+1. Checkout von `ci` im temporären Runner-Workspace
+2. Obfuscation-Build (`scripts/obfuscate_release.py --hash-assets`)
+3. Ergebnis nach `main` pushen (Bot-Commit mit `[skip ci]`)
+
+**Nicht** `dev` oder `ci` direkt nach `main` mergen. Der Branch **`ci` bleibt lesbar** — Obfuscation wird nur nach `main` publiziert.
+
+`ci`-Branch einmalig anlegen (falls noch nicht vorhanden): `git checkout -b ci dev && git push -u origin ci`
+
+Der Build führt aus:
 
 - Entfernen von Kommentaren (inkl. Block-Kommentaren) in PHP/JS/CSS
 - Minify + Obfuscate für JavaScript
@@ -176,7 +205,7 @@ Bei jedem Push/Merge auf `main` läuft die GitHub Action `.github/workflows/obfu
 - Kein Source-Map-Output
 - Hashing von JS/CSS-Dateinamen + automatische Referenz-Anpassung
 
-Lokal ausführbar:
+Lokal testen (nur in Kopie, nicht committen):
 
 ```bash
 python scripts/obfuscate_release.py --root . --hash-assets

backend/config/mail-config.php

@@ -13,7 +13,7 @@ define('SMTP_TO_EMAIL', 'info@hexahost.de');       // Empfänger-E-Mail für Kon
 // Sicherheitseinstellungen
 define('ENABLE_CSRF_PROTECTION', true);            // CSRF-Schutz aktivieren
 define('ENABLE_RATE_LIMITING', true);              // Rate-Limiting aktivieren
-define('MAX_REQUESTS_PER_HOUR', 10);               // Max. Anfragen pro Stunde
+define('MAX_REQUESTS_PER_HOUR', 5);               // Max. Anfragen pro Stunde
 
 // Spam-Schutz Einstellungen
 define('ENABLE_SPAM_PROTECTION', true);            // Spam-Schutz aktivieren

backend/config/products-config.php

@@ -443,10 +443,43 @@ $PRODUCTS['webhosting'] = [
     ],
 ];
 
+// Sichtbarkeit in Navigation, Footer und auf der Startseite (Seiten bleiben per URL erreichbar)
+$PRODUCT_VISIBILITY = [
+    'vpc' => false,
+    'vps' => false,
+    'mail-gateway' => false,
+    'webhosting' => true,
+];
+
 // ============================================================================
 // HILFSFUNKTIONEN
 // ============================================================================
 
+/**
+ * Prüft, ob eine Produktkategorie in der Navigation angezeigt wird
+ */
+function isProductVisible(string $productId): bool {
+    global $PRODUCT_VISIBILITY;
+    return $PRODUCT_VISIBILITY[$productId] ?? true;
+}
+
+/**
+ * HTML hidden-Attribut für ausgeblendete Produktkategorien
+ */
+function productHiddenAttr(string $productId): string {
+    return isProductVisible($productId) ? '' : ' hidden';
+}
+
+/**
+ * Aktive Navigationsseiten für sichtbare Produktkategorien
+ *
+ * @return string[]
+ */
+function getVisibleProductPageIds(): array {
+    global $PRODUCT_VISIBILITY;
+    return array_keys(array_filter($PRODUCT_VISIBILITY, static fn(bool $visible): bool => $visible));
+}
+
 /**
  * Alle Produkte abrufen
  */

backend/includes/footer.php

@@ -15,10 +15,17 @@
                 <div class="footer-section">
                     <h4>Produkte</h4>
                     <ul>
-                        <li><a href="/vpc">Virtual Private Container</a></li>
+                        <li<?php echo productHiddenAttr('vpc'); ?>><a href="/vpc">Virtual Private Container</a></li>
-                        <li><a href="/vps">Virtual Private Server</a></li>
+                        <li<?php echo productHiddenAttr('vps'); ?>><a href="/vps">Virtual Private Server</a></li>
-                        <li><a href="/mail-gateway">Mail Gateway</a></li>
+                        <li<?php echo productHiddenAttr('mail-gateway'); ?>><a href="/mail-gateway">Mail Gateway</a></li>
-                        <li><a href="/webhosting">Webhosting</a></li>
+                        <li<?php echo productHiddenAttr('webhosting'); ?>><a href="/webhosting">Webhosting</a></li>
+                    </ul>
+                </div>
+                <div class="footer-section">
+                    <h4>Andere Dienste</h4>
+                    <ul>
+                        <li><a href="https://hexadns.de" target="_blank" rel="noopener noreferrer">hexadns.de</a></li>
+                        <li><a href="https://www.hexa-mail.de/" target="_blank" rel="noopener noreferrer">hexa-mail.de</a></li>
                     </ul>
                 </div>
                 <div class="footer-section">

backend/includes/functions.php

@@ -3,6 +3,8 @@
  * Helper functions for HexaHost.de
  */
 
+require_once __DIR__ . '/../config/products-config.php';
+
 // Sichere Session-Konfiguration
 if (session_status() === PHP_SESSION_NONE) {
     // Session-Cookie-Sicherheit

backend/includes/header.php

@@ -59,12 +59,12 @@
                 <ul class="nav-menu">
                     <li><a href="/" class="nav-link <?php echo ($current_page === 'home') ? 'active' : ''; ?>">Home</a></li>
                     <li class="nav-dropdown">
-                        <a href="#" class="nav-link <?php echo (in_array($current_page, ['vpc', 'vps', 'mail-gateway', 'webhosting'])) ? 'active' : ''; ?>">Produkte</a>
+                        <a href="#" class="nav-link <?php echo (in_array($current_page, getVisibleProductPageIds(), true)) ? 'active' : ''; ?>">Produkte</a>
                         <ul class="dropdown-menu">
-                            <li><a href="/vpc" class="<?php echo ($current_page === 'vpc') ? 'active' : ''; ?>">Virtual Private Container</a></li>
+                            <li<?php echo productHiddenAttr('vpc'); ?>><a href="/vpc" class="<?php echo ($current_page === 'vpc') ? 'active' : ''; ?>">Virtual Private Container</a></li>
-                            <li><a href="/vps" class="<?php echo ($current_page === 'vps') ? 'active' : ''; ?>">Virtual Private Server</a></li>
+                            <li<?php echo productHiddenAttr('vps'); ?>><a href="/vps" class="<?php echo ($current_page === 'vps') ? 'active' : ''; ?>">Virtual Private Server</a></li>
-                            <li><a href="/mail-gateway" class="<?php echo ($current_page === 'mail-gateway') ? 'active' : ''; ?>">Mail Gateway</a></li>
+                            <li<?php echo productHiddenAttr('mail-gateway'); ?>><a href="/mail-gateway" class="<?php echo ($current_page === 'mail-gateway') ? 'active' : ''; ?>">Mail Gateway</a></li>
-                            <li><a href="/webhosting" class="<?php echo ($current_page === 'webhosting') ? 'active' : ''; ?>">Webhosting</a></li>
+                            <li<?php echo productHiddenAttr('webhosting'); ?>><a href="/webhosting" class="<?php echo ($current_page === 'webhosting') ? 'active' : ''; ?>">Webhosting</a></li>
                         </ul>
                     </li>
                     <li><a href="/it-dienstleistungen" class="nav-link <?php echo ($current_page === 'it-dienstleistungen') ? 'active' : ''; ?>">IT-Dienstleistungen</a></li>

public/assets/css/custom.css

@@ -16,6 +16,26 @@
     margin-top: 2rem;
 }
 
+/* IT services page: center target-group cards without affecting other pages */
+.it-services-page .values .values-grid {
+    display: flex !important;
+    flex-wrap: wrap !important;
+    justify-content: center !important;
+    align-items: stretch;
+    grid-template-columns: none !important;
+    gap: 1.5rem !important;
+}
+
+.it-services-page .values .value-item {
+    flex: 0 1 320px !important;
+    max-width: 360px;
+    aspect-ratio: 1 / 1;
+    margin: 0 !important;
+    display: flex;
+    flex-direction: column;
+    justify-content: center;
+}
+
 /* Legal pages: plain white content with black text */
 .legal-hero,
 .legal-content {
@@ -45,8 +65,10 @@
 .legal-section h3,
 .legal-block p,
 .legal-block li,
-.breadcrumb,
+.legal-hero .breadcrumb,
-.breadcrumb span {
+.legal-hero .breadcrumb span,
+.legal-content .breadcrumb,
+.legal-content .breadcrumb span {
     color: #000000;
 }
 
@@ -81,12 +103,14 @@
 }
 
 .legal-block a,
-.breadcrumb a {
+.legal-hero .breadcrumb a,
+.legal-content .breadcrumb a {
     color: #0b57d0;
 }
 
 .legal-block a:hover,
-.breadcrumb a:hover {
+.legal-hero .breadcrumb a:hover,
+.legal-content .breadcrumb a:hover {
     color: #0b57d0;
     text-decoration: none;
 }
@@ -106,3 +130,41 @@
     transition: none !important;
     animation: none !important;
 }
+
+/* Keep footer sections in one row on desktop */
+.footer-content {
+    grid-template-columns: repeat(5, minmax(0, 1fr));
+    gap: 1.5rem 1.25rem;
+    align-items: start;
+}
+
+.footer-section h4 {
+    margin-bottom: 0.65rem;
+}
+
+.footer-section ul li {
+    margin-bottom: 0.4rem;
+}
+
+@media (max-width: 1100px) {
+    .footer-content {
+        grid-template-columns: repeat(3, minmax(0, 1fr));
+    }
+}
+
+@media (max-width: 768px) {
+    .footer-content {
+        grid-template-columns: repeat(2, minmax(0, 1fr));
+    }
+}
+
+@media (max-width: 520px) {
+    .footer-content {
+        grid-template-columns: 1fr;
+    }
+
+    .it-services-page .values .value-item {
+        flex-basis: 100%;
+        max-width: 100%;
+    }
+}

public/index.php

@@ -54,7 +54,7 @@ includeHeader($page_title, $page_description, $current_page);
                 </p>
             </div>
             <div class="products-grid">
-                <div class="product-card glass-card">
+                <div class="product-card glass-card"<?php echo productHiddenAttr('vpc'); ?>>
                     <div class="product-icon">
                         <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
                             <path d="M4 7V4a2 2 0 0 1 2-2h8a2 2 0 0 1 2 2v3"/>
@@ -74,7 +74,7 @@ includeHeader($page_title, $page_description, $current_page);
                     </ul>
                     <a href="/vpc" class="btn btn-primary">Mehr erfahren</a>
                 </div>
-                <div class="product-card glass-card">
+                <div class="product-card glass-card"<?php echo productHiddenAttr('vps'); ?>>
                     <div class="product-icon">
                         <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
                             <rect x="2" y="3" width="20" height="14" rx="2" ry="2"/>
@@ -92,7 +92,7 @@ includeHeader($page_title, $page_description, $current_page);
                     </ul>
                     <a href="/vps" class="btn btn-primary">Mehr erfahren</a>
                 </div>
-                <div class="product-card glass-card">
+                <div class="product-card glass-card"<?php echo productHiddenAttr('mail-gateway'); ?>>
                     <div class="product-icon">
                         <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
                             <path d="M4 4h16c1.1 0 2 .9 2 2v12c0 1.1-.9 2-2 2H4c-1.1 0-2-.9-2-2V6c0-1.1.9-2 2-2z"/>

public/it-dienstleistungen.php

@@ -10,7 +10,7 @@ $current_page = 'it-dienstleistungen';
 includeHeader($page_title, $page_description, $current_page);
 ?>
 
-<main id="main-content">
+<main id="main-content" class="it-services-page">
     <!-- Services Hero -->
     <section class="about-hero">
         <div class="container">

scripts/obfuscate_release.py

@@ -3,15 +3,17 @@ from __future__ import annotations
 
 import argparse
 import hashlib
-import os
 import re
 import shutil
 import subprocess
 import sys
+import tempfile
+from collections import defaultdict
 from pathlib import Path
 
 
 TEXT_EXTENSIONS = {".php", ".html", ".htm", ".xml", ".txt", ".js", ".css"}
+HASH_SUFFIX_RE = re.compile(r"\.[a-f0-9]{12}$", re.I)
 
 
 def strip_comments_keep_strings(text: str) -> str:
@@ -174,42 +176,124 @@ def minify_js_fallback(text: str) -> str:
     return text.strip()
 
 
-def run_cmd(command: list[str], cwd: Path, input_text: str | None = None) -> str:
+def canonical_asset_base(stem: str) -> str:
+    name = stem
+    while HASH_SUFFIX_RE.search(name):
+        name = HASH_SUFFIX_RE.sub("", name)
+    return name
+
+
+def is_skipped_asset(path: Path) -> bool:
+    lowered = path.as_posix().lower()
+    if ".min." in path.name or ".obf." in path.name or ".deob." in path.name:
+        return True
+    if "deobfuscated" in lowered:
+        return True
+    return False
+
+
+def is_valid_source_content(content: str) -> bool:
+    if "[javascript-obfuscator-cli]" in content:
+        return False
+    return len(content.strip()) >= 20
+
+
+def collect_asset_groups(asset_root: Path) -> dict[tuple[Path, str, str], list[Path]]:
+    groups: dict[tuple[Path, str, str], list[Path]] = defaultdict(list)
+    for ext in (".js", ".css"):
+        for file_path in sorted(asset_root.rglob(f"*{ext}")):
+            if is_skipped_asset(file_path):
+                continue
+            base = canonical_asset_base(file_path.stem)
+            key = (file_path.parent, base, ext)
+            groups[key].append(file_path)
+    return groups
+
+
+def pick_source_file(paths: list[Path], base: str, ext: str) -> Path | None:
+    if not paths:
+        return None
+
+    parent = paths[0].parent
+    plain = parent / f"{base}{ext}"
+    ordered: list[Path] = []
+    if plain in paths:
+        ordered.append(plain)
+    for candidate in sorted(paths, key=lambda p: len(p.name)):
+        if candidate not in ordered:
+            ordered.append(candidate)
+
+    for candidate in ordered:
+        try:
+            content = candidate.read_text(encoding="utf-8")
+        except (OSError, UnicodeDecodeError):
+            continue
+        if is_valid_source_content(content):
+            return candidate
+    return None
+
+
+def cleanup_invalid_siblings(paths: list[Path], source: Path) -> None:
+    for path in paths:
+        if path == source or not path.exists():
+            continue
+        try:
+            content = path.read_text(encoding="utf-8")
+        except (OSError, UnicodeDecodeError):
+            content = ""
+        if not is_valid_source_content(content):
+            path.unlink()
+
+
+def run_cmd(command: list[str], cwd: Path) -> None:
     proc = subprocess.run(
         command,
         cwd=str(cwd),
-        input=input_text,
         text=True,
         capture_output=True,
         check=False,
     )
     if proc.returncode != 0:
-        raise RuntimeError(proc.stderr.strip() or "command failed")
+        raise RuntimeError(proc.stderr.strip() or proc.stdout.strip() or "command failed")
-    return proc.stdout
 
 
 def process_js(path: Path, cwd: Path) -> None:
     original = path.read_text(encoding="utf-8")
+    if not is_valid_source_content(original):
+        raise ValueError(
+            f"invalid or corrupted JS source: {path} "
+            f"(restore e.g. 'git checkout dev -- {path.as_posix()}')"
+        )
+
     if shutil.which("npx"):
+        tmpdir = Path(tempfile.mkdtemp())
         try:
-            minified = run_cmd(
+            src = tmpdir / "input.js"
+            out = tmpdir / "output.js"
+            src.write_text(original, encoding="utf-8")
+            run_cmd(
                 [
                     "npx",
                     "--yes",
                     "terser",
+                    str(src),
+                    "-o",
+                    str(src),
                     "--compress",
                     "--mangle",
                     "--comments",
                     "false",
                 ],
                 cwd,
-                input_text=original,
             )
-            obfuscated = run_cmd(
+            run_cmd(
                 [
                     "npx",
                     "--yes",
                     "javascript-obfuscator",
+                    str(src),
+                    "--output",
+                    str(out),
                     "--compact",
                     "true",
                     "--control-flow-flattening",
@@ -224,38 +308,51 @@ def process_js(path: Path, cwd: Path) -> None:
                     "browser-no-eval",
                     "--source-map",
                     "false",
-                    "--output",
-                    "stdout",
                 ],
                 cwd,
-                input_text=minified,
             )
-            path.write_text(obfuscated.strip() + "\n", encoding="utf-8")
+            if not out.exists():
+                raise RuntimeError("obfuscator produced no output file")
+            result = out.read_text(encoding="utf-8")
+            if not is_valid_source_content(result):
+                raise RuntimeError("obfuscator output looks invalid")
+            path.write_text(result.strip() + "\n", encoding="utf-8")
             return
         except Exception:
             pass
+        finally:
+            shutil.rmtree(tmpdir, ignore_errors=True)
+
     path.write_text(minify_js_fallback(original) + "\n", encoding="utf-8")
 
 
 def process_css(path: Path, cwd: Path) -> None:
     original = path.read_text(encoding="utf-8")
     if shutil.which("npx"):
+        tmpdir = Path(tempfile.mkdtemp())
         try:
-            minified = run_cmd(
+            src = tmpdir / "input.css"
+            out = tmpdir / "output.css"
+            src.write_text(original, encoding="utf-8")
+            run_cmd(
                 [
                     "npx",
                     "--yes",
                     "clean-css-cli",
+                    str(src),
+                    "-o",
+                    str(out),
                     "--skip-rebase",
                     "-O2",
                 ],
                 cwd,
-                input_text=original,
             )
-            path.write_text(minified.strip() + "\n", encoding="utf-8")
+            path.write_text(out.read_text(encoding="utf-8").strip() + "\n", encoding="utf-8")
             return
         except Exception:
             pass
+        finally:
+            shutil.rmtree(tmpdir, ignore_errors=True)
     path.write_text(minify_css_fallback(original) + "\n", encoding="utf-8")
 
 
@@ -266,8 +363,7 @@ def process_php(path: Path) -> None:
 
 
 def hash_file(path: Path) -> str:
-    digest = hashlib.sha256(path.read_bytes()).hexdigest()[:12]
+    return hashlib.sha256(path.read_bytes()).hexdigest()[:12]
-    return digest
 
 
 def replace_references(root: Path, mapping: dict[str, str]) -> None:
@@ -279,7 +375,7 @@ def replace_references(root: Path, mapping: dict[str, str]) -> None:
         except UnicodeDecodeError:
             continue
         updated = content
-        for src, dst in mapping.items():
+        for src, dst in sorted(mapping.items(), key=lambda item: len(item[0]), reverse=True):
             updated = updated.replace(src, dst)
             updated = updated.replace("/" + src, "/" + dst)
         if updated != content:
@@ -289,17 +385,32 @@ def replace_references(root: Path, mapping: dict[str, str]) -> None:
 def build_hash_mapping(public_root: Path) -> dict[str, str]:
     mapping: dict[str, str] = {}
     asset_root = public_root / "assets"
-    for ext in (".js", ".css"):
+    if not asset_root.exists():
-        for file_path in sorted(asset_root.rglob(f"*{ext}")):
+        return mapping
-            if ".min." in file_path.name or ".obf." in file_path.name:
+
-                continue
+    groups = collect_asset_groups(asset_root)
-            digest = hash_file(file_path)
+    for (parent, base, ext), paths in groups.items():
-            new_name = f"{file_path.stem}.{digest}{file_path.suffix}"
+        source = pick_source_file(paths, base, ext)
-            new_path = file_path.with_name(new_name)
+        if source is None:
-            file_path.rename(new_path)
+            continue
-            rel_old = file_path.relative_to(public_root).as_posix()
+        digest = hash_file(source)
-            rel_new = new_path.relative_to(public_root).as_posix()
+        target = parent / f"{base}.{digest}{ext}"
-            mapping[rel_old] = rel_new
+        rel_new = target.relative_to(public_root).as_posix()
+
+        for old in paths:
+            rel_old = old.relative_to(public_root).as_posix()
+            if rel_old != rel_new:
+                mapping[rel_old] = rel_new
+
+        if source != target:
+            if target.exists():
+                target.unlink()
+            source.replace(target)
+
+        for old in paths:
+            if old != target and old.exists():
+                old.unlink()
+
     return mapping
 
 
@@ -316,11 +427,26 @@ def main() -> int:
         print("public directory not found", file=sys.stderr)
         return 1
 
-    for js in sorted(public_root.rglob("*.js")):
+    asset_root = public_root / "assets"
-        process_js(js, repo_root)
+    if asset_root.exists():
-    for css in sorted(public_root.rglob("*.css")):
+        groups = collect_asset_groups(asset_root)
-        process_css(css, repo_root)
+        for (parent, base, ext), paths in sorted(groups.items()):
-    for php in sorted((repo_root / "public").rglob("*.php")):
+            source = pick_source_file(paths, base, ext)
+            if source is None:
+                rel = (parent / f"{base}{ext}").relative_to(public_root)
+                print(
+                    f"ERROR: No valid source for {rel}. "
+                    f"Restore from dev, e.g.: git checkout dev -- {rel}",
+                    file=sys.stderr,
+                )
+                return 1
+            cleanup_invalid_siblings(paths, source)
+            if ext == ".js":
+                process_js(source, repo_root)
+            else:
+                process_css(source, repo_root)
+
+    for php in sorted(public_root.rglob("*.php")):
         process_php(php)
     for php in sorted((repo_root / "backend").rglob("*.php")):
         process_php(php)

scripts/setup-git-hooks.ps1

@@ -0,0 +1,17 @@
+# Einmal pro Clone ausführen: Commit-Template + Conventional-Commits-Hook aktivieren
+$ErrorActionPreference = "Stop"
+$repoRoot = Resolve-Path (Join-Path $PSScriptRoot "..")
+
+Push-Location $repoRoot
+try {
+    git config --local commit.template .gitmessage
+    git config --local core.hooksPath .githooks
+
+    Write-Host "Git Hooks aktiv:" -ForegroundColor Green
+    Write-Host "  commit.template = .gitmessage"
+    Write-Host "  core.hooksPath  = .githooks"
+    Write-Host ""
+    Write-Host "Commit-Format: feat(scope): beschreibung"
+} finally {
+    Pop-Location
+}

scripts/test-email.php

@@ -0,0 +1,48 @@
+<?php
+/**
+ * HexaHost.de E-Mail Test (nur CLI oder lokale Entwicklung)
+ */
+
+if (PHP_SAPI !== 'cli') {
+    $remoteAddr = $_SERVER['REMOTE_ADDR'] ?? '';
+    $isLocal = in_array($remoteAddr, ['127.0.0.1', '::1'], true)
+        || filter_var($remoteAddr, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
+
+    if (!$isLocal) {
+        http_response_code(403);
+        exit('Forbidden');
+    }
+}
+
+require_once __DIR__ . '/../backend/config/mail-config.php';
+
+function testEmail() {
+    $config = getHexaHostConfig();
+
+    $subject = '[HexaHost.de] Test-E-Mail';
+    $message = "Test-E-Mail von HexaHost.de\n\n";
+    $message .= "Zeitstempel: " . date('d.m.Y H:i:s') . "\n";
+
+    $headers = [
+        'From: ' . $config['from_name'] . ' <' . $config['from_email'] . '>',
+        'MIME-Version: 1.0',
+        'Content-Type: text/plain; charset=UTF-8',
+        'X-Mailer: HexaHost Test Email',
+    ];
+
+    return mail($config['to_email'], $subject, $message, implode("\r\n", $headers));
+}
+
+if (PHP_SAPI === 'cli') {
+    echo testEmail() ? "Test-E-Mail gesendet.\n" : "Fehler beim Senden.\n";
+    exit;
+}
+
+if (isset($_GET['test'])) {
+    echo testEmail()
+        ? 'Test-E-Mail wurde gesendet.'
+        : 'Fehler beim Senden der Test-E-Mail.';
+} else {
+    echo '<h1>HexaHost.de E-Mail Test</h1>';
+    echo '<p><a href="?test=1">Test-E-Mail senden</a></p>';
+}