chore(lint): enable svelte/no-at-html-tags as primary XSS guard

Promote svelte/no-at-html-tags to project-wide error so any new
{@html} block fails lint locally and in CI — the primary XSS defense.
The existing .gitea/workflows/ci.yml raw-date regex guard stays in
place as layered defense (it covers the specific raw-date variable
names that must NEVER be rendered via {@html}).

Existing legitimate {@html} usages (renderBody mentions in
CommentMessage.svelte, sanitized Markdown in geschichten/[id]) already
carry justified inline `eslint-disable-next-line` comments. Lint stays
green; verified by running npm run lint.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

frontend/eslint.config.js

@@ -71,7 +71,13 @@ export default defineConfig(
 					message:
 						'text-accent is decorative-only (#a1dcd8 in light mode = 1.52:1 contrast — WCAG fail). Use text-primary or text-ink-2 for text labels.'
 				}
-			]
+			],
+			// Primary XSS guard: any {@html ...} block in a Svelte template is a potential
+			// injection sink. This rule replaces the regex CI guard's role as the primary
+			// defense (the CI regex stays as a backstop). For any legitimate use (e.g.
+			// trusted server-rendered Markdown), suppress with an inline
+			// `<!-- eslint-disable-next-line svelte/no-at-html-tags -->` and a justification.
+			'svelte/no-at-html-tags': 'error'
 		}
 	},
 	{