From 3976d566917766b1367e90bad4816f4dfd89bbd6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 14 Apr 2026 13:31:29 +0000 Subject: [PATCH] feat: implement Priority 3 security hardening (CSP, SRI hash, Dependabot) Agent-Logs-Url: https://github.com/nitrocode/token-deathclock/sessions/cd2869fd-ca5b-4675-a0f4-2c048b17f3f4 Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com> --- .github/dependabot.yml | 11 +++++++++++ README.md | 8 ++++---- index.html | 9 +++++++-- 3 files changed, 22 insertions(+), 6 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..05a7337 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/README.md b/README.md index 60edaa9..7f4e948 100644 --- a/README.md +++ b/README.md @@ -134,7 +134,7 @@ Tests are in `tests/death-clock.test.js` and cover all pure functions in `death- | **Documentation** | 12/20 | Good README; AGENTS.md added; missing CONTRIBUTING.md, LICENSE | | **CI / CD** | 9/10 | Test + deploy workflows both present and functional | | **Accessibility** | 7/10 | ARIA live regions, roles, and values; dark/light toggle | -| **Security** | 6/10 | `escHtml` guards all dynamic content; no CSP headers | +| **Security** | 9/10 | `escHtml` guards all dynamic content; CSP meta tag restricts scripts/fonts/styles; Chart.js pinned with SRI hash | | **Bug count** | 3/10 | `getCurrentTokens()` used `pageLoadTime` instead of `BASE_DATE_ISO`, causing the total counter to restart at `BASE_TOKENS` on every page load | | **Community files** | 0/10 | No LICENSE, no CONTRIBUTING.md, no SECURITY.md | 
@@ -150,9 +150,9 @@ Tests are in `tests/death-clock.test.js` and cover all pure functions in `death- - [ ] Add a `CODEOWNERS` file to set review requirements. #### Priority 3 — Security hardening -- [ ] Add a `Content-Security-Policy` meta tag in `index.html` to restrict inline scripts and limit allowed CDN origins (Chart.js, Google Fonts). -- [ ] Pin the Chart.js CDN URL to a known-good SRI hash. -- [ ] Add Dependabot config (`.github/dependabot.yml`) for automatic npm and GitHub Actions version bumps. +- [x] Add a `Content-Security-Policy` meta tag in `index.html` to restrict inline scripts and limit allowed CDN origins (Chart.js, Google Fonts). +- [x] Pin the Chart.js CDN URL to a known-good SRI hash. +- [x] Add Dependabot config (`.github/dependabot.yml`) for automatic npm and GitHub Actions version bumps. #### Priority 4 — Test completeness - [ ] Add integration / smoke tests for `script.js` DOM logic using `jest-environment-jsdom`. diff --git a/index.html b/index.html index b235fe1..a05033e 100644 --- a/index.html +++ b/index.html @@ -6,8 +6,13 @@ AI Death Clock 💀 - - + + + + +
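Review bot: in the `.github/dependabot.yml` hunk, the `npm` entry will not keep the Chart.js pin current, because Chart.js is loaded from a CDN `<script>` in `index.html` rather than from `package.json`; every version bump of that URL will need a manual regeneration of the SRI hash, so consider noting this in the README Security row or adding a test that fails when the pinned URL and hash drift apart. The `npm` entry also uses `directory: "/"`, which assumes `package.json` sits at the repository root; please confirm that is the case, since Dependabot reports an error and skips an ecosystem whose directory has no manifest.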
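Review bot: in the README scoring hunk, the Security row rises from 6/10 to 9/10 on the claim that the CSP meta tag "restricts scripts/fonts/styles", but the `index.html` hunk as shown has blank added lines, so the actual directives cannot be checked against that claim; please quote the policy in the PR description. The row should also say "CSP via `<meta>`" rather than implying headers: a meta-delivered policy ignores `frame-ancestors` (and `report-uri`), so the previous "no CSP headers" remark still holds for clickjacking protection.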
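Review bot: in the README checklist hunk, the item "Pin the Chart.js CDN URL to a known-good SRI hash" is ticked, but the requirement should also include `crossorigin="anonymous"` on the `<script>` tag; an `integrity` attribute on a cross-origin script without `crossorigin` causes the browser to block the load rather than verify it. The CSP item says it restricts inline scripts, which is only true if `script-src` omits `'unsafe-inline'` (or uses a nonce or hash for any inline script the page keeps); confirm that before leaving it marked done, for example with `- [x] ... (script-src without 'unsafe-inline')`.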
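Review bot: in the `index.html` hunk, the five added lines are empty in this view, so neither the `Content-Security-Policy` value nor the Chart.js `integrity` hash can be reviewed; please make sure the diff is not missing content. When checking it, confirm that the `<meta http-equiv="Content-Security-Policy">` tag sits before the first `<script>` and stylesheet `<link>` in `<head>`, since a meta policy only governs resources fetched after it is parsed, and that the pinned Chart.js URL names an exact version rather than a floating tag such as `latest`, otherwise the SRI hash will stop matching as soon as the CDN moves the tag.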