706b02545d
script-src drops unsafe-inline/blob/data/http/https (any-origin script exec is gone); the single inline shim in index.html is hash-pinned; object-src 'none', base-uri 'self'.

Kept deliberately: 'unsafe-eval' (the window.eval native→web bridge + crypto wasm), broad connect-src (arbitrary homeservers), http: in img/media (plain-http homeservers), and review-added allowances for Google Fonts (VT323) and the OpenStreetMap location iframe.

NEEDS RUNTIME SMOKE ON WINDOWS before release (CI can't catch CSP breakage): boot, avatars/media, VT323 renders, location map embeds, calls connect, deep links navigate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
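The hardening described in this commit can be checked mechanically. The following is an added example, not the project's own code: a small CSP linter that encodes the commit's checklist (no any-origin script sources in script-src, object-src 'none', base-uri 'self') as hard failures and surfaces the deliberately retained allowances ('unsafe-eval', wildcard connect-src, http: in img/media) as warnings. The two policy strings and the sha256 value are constructed placeholders, not the app's real policy.

```javascript
// Parse "dir src src; dir src" into Map<directive, string[]>. Directive names
// are lowercased; source values are kept as written (hashes are case-sensitive).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Any one of these in script-src lets script run from an origin the app does
// not control (or from inline markup), so the linter treats them as failures.
const FORBIDDEN_SCRIPT_SOURCES = ["'unsafe-inline'", "blob:", "data:", "http:", "https:"];

function lintCsp(policy) {
  const d = parseCsp(policy);
  const get = (name) => (d.get(name) ?? []).map((s) => s.toLowerCase());
  // script-src falls back to default-src when absent, as the browser does.
  const scriptSrc = d.has("script-src") ? get("script-src") : get("default-src");
  const findings = [];
  const warnings = [];

  for (const s of scriptSrc) {
    if (FORBIDDEN_SCRIPT_SOURCES.includes(s)) findings.push(`script-src allows ${s}`);
  }
  if (!get("object-src").includes("'none'")) findings.push("object-src is not 'none'");
  if (!get("base-uri").includes("'self'")) findings.push("base-uri is not 'self'");

  // Deliberately retained allowances: listed for the release checklist, not failures.
  if (scriptSrc.includes("'unsafe-eval'")) warnings.push("script-src keeps 'unsafe-eval'");
  if (get("connect-src").includes("*")) warnings.push("connect-src is wildcard");
  for (const dir of ["img-src", "media-src"]) {
    if (get(dir).includes("http:")) warnings.push(`${dir} allows plain http:`);
  }
  return { findings, warnings };
}

// Constructed before/after policies (hash value is a placeholder, not a real digest).
const BEFORE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: http: https:; object-src *; img-src 'self' http: https:";
const AFTER_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval' 'sha256-PLACEHOLDER0000000000000000000000000000='; object-src 'none'; base-uri 'self'; connect-src *; img-src 'self' http: https: data:; media-src 'self' http: https:; font-src https://fonts.gstatic.com; style-src 'self' https://fonts.googleapis.com; frame-src https://www.openstreetmap.org";

if (typeof require !== "undefined" && require.main === module) {
  console.log("before:", lintCsp(BEFORE_CSP));
  console.log("after:", lintCsp(AFTER_CSP));
}
```

Running it on the constructed "before" policy reports seven findings; the "after" policy reports none and lists only the four retained allowances as warnings.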