test(ci): assert prerender output is only /hilfe/transkription

Addresses Sara's review request on #515.

Without this gate, a future regression that turns prerender.crawl
back on (or adds a new prerender entry whose nav links into
protected routes) would silently bake /, /documents, /persons etc.
to "redirect-to-login" HTML and re-introduce #514.

Verified the script catches the current broken build state:
  $ find build/prerendered ... -not -path 'hilfe/*' ...
  build/prerendered/{index,documents,persons,geschichten,stammbaum}.html

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -59,6 +59,29 @@ jobs:
         run: npm run build
         working-directory: frontend
 
+      # ── Prerender output is exactly the public help page ───────────────────
+      # SvelteKit prerender + crawl follows nav links and bakes "redirect to
+      # /login" HTML for every protected route, served BEFORE runtime hooks
+      # (see #514). With `crawl: false` only the explicit entry should land
+      # in build/prerendered/. Anything else is a regression — fail the build.
+      - name: Assert prerender output is only /hilfe/transkription
+        run: |
+          cd frontend
+          set -e
+          extra=$(find build/prerendered -type f \
+                  -not -path 'build/prerendered/hilfe/*' \
+                  -not -name '*.br' -not -name '*.gz' \
+                  || true)
+          if [ -n "$extra" ]; then
+            echo "FAIL: unexpected prerendered files (would shadow runtime hooks):"
+            echo "$extra"
+            exit 1
+          fi
+          # And the help page must still be there.
+          test -f build/prerendered/hilfe/transkription.html \
+            || { echo "FAIL: /hilfe/transkription.html missing from prerender output"; exit 1; }
+          echo "PASS: only /hilfe/transkription.html prerendered."
+
       - name: Upload screenshots
         if: always()
         uses: actions/upload-artifact@v4

docker-compose.prod.yml

@@ -86,6 +86,10 @@ services:
     # runner container's CWD. See #506 + infra/minio/Dockerfile.
     build:
       context: ./infra/minio
+    # Declare one-shot intent so `docker compose up -d --wait` treats
+    # exited(0) as success rather than "not running, fail". Pair with
+    # backend's `service_completed_successfully` dependency below. See #510.
+    restart: "no"
     depends_on:
       minio:
         condition: service_healthy
@@ -160,6 +164,12 @@ services:
         condition: service_healthy
       ocr-service:
         condition: service_healthy
+      # Gate startup on the bucket bootstrap. Without this, backend
+      # starts in parallel with create-buckets and may race the policy
+      # bind. Also tells compose's `up -d --wait` that create-buckets
+      # is a one-shot that must complete successfully. See #510.
+      create-buckets:
+        condition: service_completed_successfully
     # Bound to localhost only — Caddy fronts external traffic.
     ports:
       - "127.0.0.1:${PORT_BACKEND}:8080"

frontend/svelte.config.js

@@ -8,7 +8,17 @@ const config = {
 	preprocess: vitePreprocess(),
 	kit: {
 		adapter: adapter(),
-		prerender: { entries: ['/hilfe/transkription'] }
+		prerender: {
+			entries: ['/hilfe/transkription'],
+			// Disable crawl: by default SvelteKit follows nav links from
+			// prerendered pages and prerenders the targets too. The targets
+			// (/, /documents, /persons, …) throw redirect('/login') during
+			// the build (no auth cookie), so SvelteKit bakes a
+			// `<script>location.href='/login'</script>` HTML page and serves
+			// it before the runtime hooks ever run. Result: authenticated
+			// users with a valid cookie still get bounced. See #514.
+			crawl: false
+		}
 	}
 };