Phase 8: CSV + ICS export, print view, MkDocs docs, SBOM + dev-mode auth

Auth (Test-Mode):
  - middleware.AuthMiddleware now takes a devMode flag. In dev,
    requests without Authorization fall back to a deterministic dev
    UUID (00000000-...-001) and role=teacher. ENVIRONMENT=production
    re-enables the strict 401 path.
  - main.go wires devMode = cfg.Environment != "production".
  - page.tsx replaces the red 'Anmeldung noch nicht integriert' banner
    with a softer Testumgebung notice; the manual-token form moves
    behind a nested details block.

Export endpoints (school-service):
  - LoadExportLessons joins tt_lesson with tt_period for wall-clock
    times; one query feeds both CSV and ICS.
  - WriteCSV streams 10 columns including pinned flag.
  - WriteICS emits one VEVENT per lesson anchored to a Monday — caller
    overridable via ?start=YYYY-MM-DD. RFC 5545 escapes for ',', ';',
    '\n' in icsEscape().
  - NextMonday helper for the default anchor.
  - GET /timetable/solutions/:id/export.{csv,ics} handlers attach
    Content-Disposition: attachment so browsers download instead of
    rendering.

Frontend:
  - lib/stundenplan/api.ts downloadSolutionExport() fetches as blob,
    triggers a synthetic <a download> click, and forwards the JWT when
    present.
  - PlanView gains CSV / ICS / Drucken buttons next to the perspective
    selector. The toolbar carries class 'no-print' so window.print()
    yields only the grid.
  - globals.css @media print rule hides chrome, forces white
    background, gives the table proper borders for A4.

Docs:
  - docs-src/services/stundenplan/{index,architecture,constraints,
    solver-tuning,export}.md with nav entry in mkdocs.yml under
    Services → Stundenplaner.
  - sbom/stundenplan/README.md lists manually-verified key dependencies
    and the policy reference. scripts/stundenplan-sbom.sh generates
    full machine-readable inventories via go-licenses + pip-licenses
    + license-checker when those tools are available.

Tests:
  - internal/services/timetable_exports_test.go: 4 unit tests covering
    CSV column layout + quoting, ICS structure + DTSTART formatting,
    icsEscape special chars, NextMonday weekday math.
  - studio-v2/e2e/stundenplan-export.spec.ts split out of the main spec
    file (LOC budget) — 3 tests for button render, CSV download,
    ICS download.
  - mockSchoolApi extended with export.csv + export.ics routes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

sbom/stundenplan/README.md

@@ -0,0 +1,34 @@
+# Stundenplan — SBOM
+
+Software Bill of Materials fuer den Stundenplaner-Stack.
+
+Erzeugt via `scripts/stundenplan-sbom.sh`.
+
+## Inhalt
+
+- `school-service-licenses.csv` — Go-Module von `school-service`
+- `timetable-solver-licenses.json` — Python-Pakete (incl. Timefold + JPype + asyncpg)
+- `studio-v2-licenses.json` — npm-Pakete im Production-Build von studio-v2
+
+## Lizenz-Whitelist
+
+Per `.claude/rules/open-source-policy.md`:
+- ✅ MIT, Apache-2.0, BSD-2/3-Clause, ISC, MPL-2.0, LGPL, CC0
+- ❌ GPL-2/3, AGPL, SSPL, BSL, „Non-Commercial"
+
+Bei Updates: SBOM neu generieren, gegen Whitelist pruefen.
+
+## Bekannt-relevante Dependencies (manuell verifiziert 2026-05-22)
+
+| Package | Version | Lizenz | OK? |
+|---------|---------|--------|-----|
+| timefold (Python) | 1.24.0b0 | Apache-2.0 | ✅ |
+| JPype1 | 1.5.1 | Apache-2.0 | ✅ |
+| FastAPI | 0.115.0 | MIT | ✅ |
+| asyncpg | 0.30.0 | Apache-2.0 | ✅ |
+| pydantic | 2.9.2 | MIT | ✅ |
+| gin-gonic/gin (Go) | latest | MIT | ✅ |
+| jackc/pgx/v5 (Go) | latest | MIT | ✅ |
+| golang-jwt/jwt/v5 (Go) | latest | MIT | ✅ |
+| Next.js (studio-v2) | 15.x | MIT | ✅ |
+| React | 19.x | MIT | ✅ |