ci(dates): widen {@html} raw-date guard to cover the raw prop

DocumentDate.svelte passes the untrusted raw value via a prop named `raw`,
but the guard only matched metaDateRaw/documentDateRaw/rawDate — so a future
{@html raw} would slip past. Add `\braw\b` to the token list and a self-test
asserting the guard catches {@html raw}. Code is currently safe ({raw}); this
closes the defense-in-depth gap in the guard itself.

Refs #666
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -72,10 +72,15 @@ jobs:
           # Svelte default escaping, never {@html}. This guard flags any {@html ...}
           # whose expression references a raw-date variable. A comment mentioning
           # "{@html}" without a raw token inside the braces does NOT match.
-          pattern='\{@html[^}]*(metaDateRaw|documentDateRaw|rawDate)'
-          # Self-test: the regex must catch the dangerous form and ignore the comment form.
+          # The token list MUST cover every variable that carries the raw value:
+          # DocumentDate.svelte exposes it via the `raw` prop, so `\braw\b` is included.
+          # Grow this list whenever a new raw-bearing variable name is introduced.
+          pattern='\{@html[^}]*(metaDateRaw|documentDateRaw|rawDate|\braw\b)'
+          # Self-test: the regex must catch the dangerous forms and ignore the comment form.
           printf '{@html doc.metaDateRaw}\n' | grep -qP "$pattern" \
             || { echo "FAIL: guard self-test — regex missed the unsafe {@html metaDateRaw} form"; exit 1; }
+          printf '{@html raw}\n' | grep -qP "$pattern" \
+            || { echo "FAIL: guard self-test — regex missed the unsafe {@html raw} form (DocumentDate prop)"; exit 1; }
           printf 'never use {@html} for this\n' | grep -qvP "$pattern" \
             || { echo "FAIL: guard self-test — regex wrongly flagged a {@html} comment"; exit 1; }
           if grep -rPln "$pattern" --include='*.svelte' frontend/src/; then