feat: auto-update sitemap when events are added/updated/removed

- Use tag-based cache for sitemap event list (events-sitemap)
- Add POST /api/revalidate endpoint (secret-protected) to trigger revalidation
- Backend calls revalidation after event create/update/delete
- Add REVALIDATE_SECRET to .env.example (frontend + backend)

Co-authored-by: Cursor <cursoragent@cursor.com>

frontend/src/app/api/revalidate/route.ts

@@ -0,0 +1,27 @@
+import { revalidateTag } from 'next/cache';
+import { NextRequest, NextResponse } from 'next/server';
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.json();
+    const { secret, tag } = body;
+
+    // Validate the revalidation secret
+    const revalidateSecret = process.env.REVALIDATE_SECRET;
+    if (!revalidateSecret || secret !== revalidateSecret) {
+      return NextResponse.json({ error: 'Invalid secret' }, { status: 401 });
+    }
+
+    // Validate tag
+    const allowedTags = ['events-sitemap'];
+    if (!tag || !allowedTags.includes(tag)) {
+      return NextResponse.json({ error: 'Invalid tag' }, { status: 400 });
+    }
+
+    revalidateTag(tag);
+
+    return NextResponse.json({ revalidated: true, tag, now: Date.now() });
+  } catch {
+    return NextResponse.json({ error: 'Failed to revalidate' }, { status: 500 });
+  }
+}