What
Flip Content-Security-Policy-Report-Only to enforced Content-Security-Policy after a one-week observation window confirms zero false-positive violations (reports triggered by the app's own or allow-listed resources rather than by injected content).
Why
The vault's extractable=false AES-256-GCM key stops crypto.subtle.exportKey() from ever returning key bytes, but any script running in the same origin can still call crypto.subtle.decrypt() with the non-extractable CryptoKey handle and read the plaintext. Non-extractability is therefore not a defense against injected script; enforced CSP, which blocks the injection in the first place, is the right belt-and-braces control.
Acceptance
- CSP is enforced (not report-only) on every response.
- Privy + Phala TEE + 0G RPC + Spline + 3d-force-graph CDN allow-listed.
- Inline-script nonce strategy for Next.js (or strict-dynamic).
- Documented in docs/honest-limits.md (§19).
- Observation window evidence captured under docs/audits/.
Refs
- v0.5 implementation: app/next.config.ts (CSP_REPORT_ONLY)
- Deferral note: docs/honest-limits.md §19