fix: Security vulnerability - block malicious file requests

app/[locale]/layout.tsx

@@ -1,10 +1,19 @@
 import { NextIntlClientProvider } from "next-intl";
 import { setRequestLocale } from "next-intl/server";
 import React from "react";
+import { notFound } from "next/navigation";
 import ConsentBanner from "../components/ConsentBanner";
 import { getLocalizedMessage } from "@/lib/i18n-loader";
 
-async function loadEnhancedMessages(locale: string) {
+// Supported locales - must match middleware.ts
+const SUPPORTED_LOCALES = ["en", "de"] as const;
+type SupportedLocale = (typeof SUPPORTED_LOCALES)[number];
+
+function isValidLocale(locale: string): locale is SupportedLocale {
+  return SUPPORTED_LOCALES.includes(locale as SupportedLocale);
+}
+
+async function loadEnhancedMessages(locale: SupportedLocale) {
   // Lade basis JSON Messages
   const baseMessages = (await import(`../../messages/${locale}.json`)).default;
   
@@ -13,6 +22,11 @@ async function loadEnhancedMessages(locale: string) {
   return baseMessages;
 }
 
+// Define valid static params to prevent malicious path traversal
+export function generateStaticParams() {
+  return SUPPORTED_LOCALES.map((locale) => ({ locale }));
+}
+
 export default async function LocaleLayout({
   children,
   params,
@@ -21,6 +35,12 @@ export default async function LocaleLayout({
   params: Promise<{ locale: string }>;
 }) {
   const { locale } = await params;
+  
+  // Security: Validate locale to prevent malicious imports
+  if (!isValidLocale(locale)) {
+    notFound();
+  }
+  
   // Ensure next-intl actually uses the route segment locale for this request.
   setRequestLocale(locale);
   // Load messages explicitly by route locale to avoid falling back to the wrong