af open document viewer fails to render — Prism not defined (CSP blocks external scripts)

## Bug Description

Opening documents with `af open` shows the outer frame ("Switch to editing" button visible) but the document content area is blank.

## Console Errors

1. `Loading the stylesheet '<URL>' violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'"` — CSP blocks PrismJS stylesheet
2. `Loading the script '<URL>' violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' <URL>"` — CSP blocks PrismJS script (42 occurrences)
3. `Uncaught (in promise) ReferenceError: Prism is not defined` — at `renderFile` (line 919) and `init` (line 616)

## Root Cause

The document viewer (`open.html`) attempts to load PrismJS from an external CDN. The page's Content Security Policy blocks both the script and its stylesheet from loading. When the rendering code calls `Prism`, it's undefined because the script never loaded.

## Expected

Document content renders with syntax-highlighted code blocks.

## Actual

Blank content area. Outer chrome loads fine.

## Observed In

codev-cloud project, `af open` command.

## Fix Direction

Either:
- Add the CDN domain to the CSP allowlist, or
- Bundle PrismJS locally and serve from Tower's static files

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

af open document viewer fails to render — Prism not defined (CSP blocks external scripts) #269

Bug Description

Console Errors

Root Cause

Expected

Actual

Observed In

Fix Direction

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

af open document viewer fails to render — Prism not defined (CSP blocks external scripts) #269

Description

Bug Description

Console Errors

Root Cause

Expected

Actual

Observed In

Fix Direction

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions