feat: Priority 3 — CSP, SRI hash for Chart.js, Dependabot

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

README.md

@@ -134,7 +134,7 @@ Tests are in `tests/death-clock.test.js` and cover all pure functions in `death-
 | **Documentation** | 12/20 | Good README; AGENTS.md added; missing CONTRIBUTING.md, LICENSE |
 | **CI / CD** | 9/10 | Test + deploy workflows both present and functional |
 | **Accessibility** | 7/10 | ARIA live regions, roles, and values; dark/light toggle |
-| **Security** | 6/10 | `escHtml` guards all dynamic content; no CSP headers |
+| **Security** | 9/10 | `escHtml` guards all dynamic content; CSP meta tag restricts scripts/fonts/styles; Chart.js pinned with SRI hash |
 | **Bug count** | 3/10 | `getCurrentTokens()` used `pageLoadTime` instead of `BASE_DATE_ISO`, causing the total counter to restart at `BASE_TOKENS` on every page load |
 | **Community files** | 0/10 | No LICENSE, no CONTRIBUTING.md, no SECURITY.md |
 
@@ -150,9 +150,9 @@ Tests are in `tests/death-clock.test.js` and cover all pure functions in `death-
 - [ ] Add a `CODEOWNERS` file to set review requirements.
 
 #### Priority 3 — Security hardening
-- [ ] Add a `Content-Security-Policy` meta tag in `index.html` to restrict inline scripts and limit allowed CDN origins (Chart.js, Google Fonts).
-- [ ] Pin the Chart.js CDN URL to a known-good SRI hash.
-- [ ] Add Dependabot config (`.github/dependabot.yml`) for automatic npm and GitHub Actions version bumps.
+- [x] Add a `Content-Security-Policy` meta tag in `index.html` to restrict inline scripts and limit allowed CDN origins (Chart.js, Google Fonts).
+- [x] Pin the Chart.js CDN URL to a known-good SRI hash.
+- [x] Add Dependabot config (`.github/dependabot.yml`) for automatic npm and GitHub Actions version bumps.
 
 #### Priority 4 — Test completeness
 - [ ] Add integration / smoke tests for `script.js` DOM logic using `jest-environment-jsdom`.

index.html

@@ -6,8 +6,13 @@
   <title>AI Death Clock 💀</title>
   <meta name="description" content="Visualise the environmental cost of global AI token consumption — live counters, milestone tracker, and projections." />
 
-  <!-- Chart.js (pinned UMD build, loaded from CDN) -->
-  <script src="https://cdn.jsdelivr.net/npm/chart.js@4.4.0/dist/chart.umd.min.js"></script>
+  <!-- Content-Security-Policy: restrict scripts to self + jsDelivr CDN, styles to self + Google Fonts -->
+  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self'; object-src 'none'; base-uri 'self'; form-action 'none'" />
+
+  <!-- Chart.js (pinned UMD build with SRI hash, loaded from CDN) -->
+  <script src="https://cdn.jsdelivr.net/npm/chart.js@4.4.0/dist/chart.umd.js"
+          integrity="sha384-FcQlsUOd0TJjROrBxhJdUhXTUgNJQxTMcxZe6nHbaEfFL1zjQ+bq/uRoBQxb0KMo"
+          crossorigin="anonymous"></script>
 
   <!-- Google Fonts -->
   <link rel="preconnect" href="https://fonts.googleapis.com" />