diff --git a/frontend/eslint.config.js b/frontend/eslint.config.js
index 037353b8..79384407 100644
--- a/frontend/eslint.config.js
+++ b/frontend/eslint.config.js
@@ -71,7 +71,13 @@ export default defineConfig(
 message: 'text-accent is decorative-only (#a1dcd8 in light mode = 1.52:1 contrast — WCAG fail). Use text-primary or text-ink-2 for text labels.'
 }
- ]
+ ],
+ // Primary XSS guard: any {@html ...} block in a Svelte template is a potential
+ // injection sink. This rule replaces the regex CI guard's role as the primary
+ // defense (the CI regex stays as a backstop). For any legitimate use (e.g.
+ // trusted server-rendered Markdown), suppress with an inline
+ // `` and a justification.
+ 'svelte/no-at-html-tags': 'error'
 }
 },
 {
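Review bot: The new comment above `'svelte/no-at-html-tags': 'error'` tells readers to suppress with "an inline `` and a justification", but the backtick pair is empty, so the actual directive is missing from the guidance — most likely an HTML-style eslint-disable comment that was stripped as markup when the text was rendered; the source file should be checked and the directive name restored so the instruction is actionable. The comment also describes legitimate use as "trusted server-rendered Markdown", which reads as if suppression makes the sink safe; a disabled rule does not change what reaches the DOM. I would add one line to the comment making that explicit: `// Suppressing the rule never removes the sink: HTML must be sanitized before it reaches {@html}.` The enclosing rules object starts before this hunk, so the surrounding config is not visible here.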