Harden CSP and add CSP smoke regression checks

[tracygardner]

Motivation

• Reduce attack surface by tightening the Content Security Policy to explicit source lists while preserving runtime behaviour for analytics, third-party assets, and the in-page sandbox.
• Serve CSP primarily via response headers (server/preview) so it can be enforced by browsers, and keep a meta-tag fallback for environments that rely on the document fallback.
• Provide documentation and automated checks so CSP changes are reviewed and validated before merging.

Description

• Add a CSP meta fallback in index.html with explicit directives for script-src, connect-src, img-src, worker-src, media-src, frame-src, and related directives to permit required external origins (Google Analytics / GTM and unpkg.com).
• Move primary CSP enforcement into Vite response headers by adding CSP_POLICY and wiring it into server.headers and preview.headers in vite.config.mjs while keeping the meta tag as fallback.
• Add docs/CSP_POLICY.md documenting the observed runtime source inventory, per-origin rationale, the full policy, and regression expectations.
• Add a smoke validation script scripts/csp-smoke.mjs and an npm script test:csp-smoke to exercise core flows (app load, Blockly interaction, project import/export, sandboxed execution, analytics path) and fail on securitypolicyviolation events, and update README.md and CONTRIBUTING.md to reference the new checks.

Testing

• Built the app with npm run build, which completed successfully (Vite warnings non-blocking); build artifacts generated as expected.
• Attempted npm run test:csp-smoke in this environment, but Playwright browser installation failed due to upstream download (Playwright Chromium download returned HTTP 403), so the headless-run smoke script could not complete here.
• Executed an automated browser smoke flow against the local dev server (via a browser tool run that exercises app load, Blockly interaction, import/export, run-button sandbox path, and analytics); the final policy change (adding https://unpkg.com where required) produced no observed securitypolicyviolation events and produced a runtime source inventory which is recorded in docs/CSP_POLICY.md.
• Added scripts/csp-smoke.mjs which writes artifacts/csp-smoke-summary.json for CI use and will fail CI if violations or missing analytics path are detected (CI should run npx playwright install before npm run test:csp-smoke).

---

Codex Task