feat(geschichten): frontend foundation — canBlogWrite, sanitize util, nav, i18n

- Derives canBlogWrite in +layout.server.ts the same way as canAnnotate.
- Adds Geschichten link to AppNav (desktop + mobile, between Stammbaum and Admin).
- Adds error_geschichte_not_found mapping to errors.ts and translation keys
  for the Geschichten index, detail, editor, and confirmation copy in
  de/en/es.
- Adds isomorphic-dompurify-backed safeHtml() helper with allow-list
  matching the backend OWASP policy (p/br/strong/em/h2/h3/ul/ol/li),
  plus Vitest spec.
- Updates legacy spec test data so the new required canBlogWrite layout
  prop type-checks.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

frontend/src/routes/admin/users/[id]/page.svelte.spec.ts

@@ -41,6 +41,7 @@ const baseData = {
 	user: undefined,
 	canWrite: true,
 	canAnnotate: false,
+	canBlogWrite: false,
 	editUser: makeUser(),
 	groups
 };

frontend/src/routes/admin/users/new/page.svelte.spec.ts

@@ -10,7 +10,13 @@ const groups = [
 	{ id: 'g2', name: 'Admins', permissions: ['ADMIN'] }
 ];
 
-const baseData = { user: undefined, canWrite: true, canAnnotate: false, groups };
+const baseData = {
+	user: undefined,
+	canWrite: true,
+	canAnnotate: false,
+	canBlogWrite: false,
+	groups
+};
 
 afterEach(cleanup);