security: tighten CSP — drop provider wildcards, add object/frame/worker-src (#45)

Browser code never calls OpenAI/Azure/Gemini directly; all AI traffic is
server-side tRPC. connect-src is now locked to 'self'. Added object-src 'none',
frame-src 'none', media-src 'self', and worker-src 'self' blob:. style-src
keeps 'unsafe-inline' for React + @react-pdf/renderer (documented residual
risk — script-src is nonce-based so CSS injection cannot escalate to JS).

Added three regression tests covering connect-src no-wildcards, object/frame-src
'none', and worker-src scope.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs/security-architecture.md

@@ -137,7 +137,9 @@ injection attempts and to surface them as audit-log entries.
 
 ## 7. HTTP Security Headers
 
-Configured in `next.config.ts`:
+Static headers are configured in `next.config.ts`. The Content-Security-Policy
+is emitted per-request by `apps/web/src/middleware.ts` so it can carry a
+per-request nonce.
 
 | Header                    | Value                                          |
 | ------------------------- | ---------------------------------------------- |
@@ -149,6 +151,30 @@ Configured in `next.config.ts`:
 | Referrer-Policy           | `strict-origin-when-cross-origin`              |
 | Permissions-Policy        | Camera, microphone, geolocation disabled       |
 
+### Content-Security-Policy directives (production)
+
+| Directive         | Value                     | Rationale                                          |
+| ----------------- | ------------------------- | -------------------------------------------------- |
+| `default-src`     | `'self'`                  | Baseline deny-all-cross-origin.                    |
+| `script-src`      | `'self' 'nonce-<random>'` | No `unsafe-inline` / `unsafe-eval` in prod.        |
+| `style-src`       | `'self' 'unsafe-inline'`  | Accepted residual risk — see note below.           |
+| `img-src`         | `'self' data: blob:`      | Allow base64 previews and generated blobs only.    |
+| `font-src`        | `'self' data:`            | Data URLs for inline-embedded fonts.               |
+| `connect-src`     | `'self'`                  | All AI / third-party calls are server-side.        |
+| `frame-ancestors` | `'none'`                  | Clickjacking defence.                              |
+| `frame-src`       | `'none'`                  | No third-party iframes.                            |
+| `object-src`      | `'none'`                  | Blocks legacy `<object>` / Flash / applet vectors. |
+| `media-src`       | `'self'`                  | No cross-origin video / audio.                     |
+| `worker-src`      | `'self' blob:`            | Next.js runtime uses blob-URL workers.             |
+| `base-uri`        | `'self'`                  | Blocks `<base>` hijacks.                           |
+| `form-action`     | `'self'`                  | Blocks form-exfiltration to third parties.         |
+
+**Residual risk — `style-src 'unsafe-inline'`:** React inlines component-scoped
+style attributes and `@react-pdf/renderer` emits inline `<style>` blocks that
+cannot carry a nonce. A strict `style-src-elem` would break both. The risk is
+bounded because `script-src` is nonce-based — a pure CSS-injection attack
+cannot escalate to JS execution in this application.
+
 ## 8. Rate Limiting
 
 - **Per-IP rate limiting**: via middleware on all API routes