Embedded web UI CSP blocks the inline theme preload script

[MakingMofongo]

Repro

1. Run opencode web
2. Open the web UI through a remote/Tailscale URL instead of localhost
3. Sign in

The page hangs and the browser console shows:

Executing inline script violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'"...

Cause

packages/opencode/src/server/instance.ts already hashes the inline oc-theme-preload-script for proxied HTML, but the embedded UI path still returns the default CSP without that hash.

Expected

Embedded HTML should use the same hashed CSP logic as the proxied HTML path so the inline theme preload script can run.

[github-actions]

This issue might be a duplicate of existing issues. Please check:

• [Bug] CSP blocks Cloud Workstation auth manifest in web UI #18505: CSP blocks Cloud Workstation auth manifest in web UI (also a CSP issue in the web UI with similar root cause around missing CSP directives)
• [Opencode WEB] Unable to add another opencode server due to CSP violation #19949: Unable to add another opencode server due to CSP violation (CSP blocks requests in the web UI)

If your issue is distinct from these, feel free to keep it open and clarify the differences.

[mxl]

May be fixed by #25937