
fixed security scan#63

Merged
munishchouhan merged 3 commits into master from fix-sec-scan
Apr 9, 2026

Conversation

@munishchouhan (Member) commented Apr 9, 2026

Summary

  • Fix security scan CSP violation — The Wave security scan was broken because the browser's fetch() followed a redirect to the external Wave server, which was blocked by the Content-Security-Policy (connect-src falling back to default-src 'self'). Added a server-side scan proxy (POST /api/scan) that forwards requests to the Wave server and returns the redirect URL as JSON, keeping all fetch() traffic same-origin.
  • Eliminate inline scripts for CSP compliance — Moved the inline dark-mode-init script to an external .js file and replaced all onclick/global function handlers (fetchScan, selectResult) with data-* attribute event delegation, so the page works under script-src 'self' without needing 'unsafe-inline' or nonces.
  • Fix dark mode persistence — The extracted dark-mode-init.js file (loaded in ) restores the saved theme from localStorage before the body renders, preventing a white flash on page load. This file must be committed — without it, dark mode resets to light on every refresh.
  • Proxy handler quality improvements — Reused http.Client across requests (with 30s timeout), used zero-copy bytes.NewReader, and added proper error handling for upstream response reads.

Test plan

  • Commit pkg/static/assets/js/dark-mode-init.js (currently untracked)
  • Start staticreg with --wave-server-url pointing to a Wave instance
  • Navigate to a repository image page and click the scan icon — should open the Wave scan results in a new tab
  • Verify no CSP errors in the browser console
  • Toggle dark mode, refresh the page — dark mode should persist (no white flash)
  • Verify search autocomplete selection still works (click and keyboard)
  • Run go test ./pkg/server/... — all pass
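
Added example, not code from this PR or from the staticreg repository: a Go sketch of the server-side scan proxy the Summary describes, showing the three points the PR makes about it (one http.Client reused across requests with a 30s timeout, a request body relayed via bytes.NewReader, and upstream response reads whose errors are reported). The CheckRedirect hook is what lets the proxy capture Wave's redirect rather than follow it, so the browser only ever fetches its own origin and receives the target URL as JSON. The names ScanProxy, NewScanProxy, Forward and fakeWave, the /view/scans/abc path, the {"url": ...} response shape and the http(s)-scheme check on the redirect target are all assumptions made for this example; fakeWave is a constructed stand-in for a Wave server.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// ScanProxy is a hypothetical stand-in for the PR's POST /api/scan handler: the browser calls it same-origin,
// it forwards the request to the Wave server and returns Wave's redirect target as JSON.
type ScanProxy struct {
	upstream *url.URL     // Wave server URL (the --wave-server-url value)
	client   *http.Client // one shared client, not rebuilt per request
}

// NewScanProxy builds the shared client. CheckRedirect returns ErrUseLastResponse so the 3xx from Wave
// comes back unfollowed: the proxy wants its Location header, not the results page behind it.
func NewScanProxy(waveServerURL string) (*ScanProxy, error) {
	u, err := url.Parse(waveServerURL)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return nil, fmt.Errorf("wave server URL %q must be absolute", waveServerURL)
	}
	return &ScanProxy{upstream: u, client: &http.Client{
		Timeout:       30 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}}, nil
}

// Forward posts body to Wave and returns the absolute URL it redirected to (a relative Location is resolved).
func (p *ScanProxy) Forward(ctx context.Context, body []byte) (string, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, p.upstream.String(), bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	resp, err := p.client.Do(req)
	if err != nil {
		return "", fmt.Errorf("contacting wave server: %w", err)
	}
	defer resp.Body.Close()
	// Drain (bounded) so the keep-alive connection is reusable, and report read errors instead of ignoring them.
	if _, err := io.Copy(io.Discard, io.LimitReader(resp.Body, 1<<20)); err != nil {
		return "", fmt.Errorf("reading wave response: %w", err)
	}
	if resp.StatusCode < 300 || resp.StatusCode > 399 {
		return "", fmt.Errorf("wave server answered %d, expected a redirect", resp.StatusCode)
	}
	loc, err := resp.Location()
	if err != nil {
		return "", fmt.Errorf("redirect without usable Location: %w", err)
	}
	// Added hardening (an assumption, not something the PR states): only hand the browser an http(s) URL.
	if loc.Scheme != "http" && loc.Scheme != "https" {
		return "", fmt.Errorf("refusing redirect to scheme %q", loc.Scheme)
	}
	return loc.String(), nil
}

// ServeHTTP is the handler mounted at /api/scan.
func (p *ScanProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	body, err := io.ReadAll(io.LimitReader(r.Body, 64<<10)) // bound what is relayed upstream
	if err != nil {
		http.Error(w, "bad request body", http.StatusBadRequest)
		return
	}
	target, err := p.Forward(r.Context(), body)
	if err != nil {
		http.Error(w, "scan proxy: "+err.Error(), http.StatusBadGateway)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(map[string]string{"url": target})
}

// fakeWave is a constructed Wave stand-in that answers a scan POST with a 302 to a results page.
func fakeWave() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/view/scans/abc", http.StatusFound)
	}))
}

func main() {
	wave := fakeWave()
	defer wave.Close()
	p, err := NewScanProxy(wave.URL)
	if err != nil {
		panic(err)
	}
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/scan", bytes.NewReader([]byte(`{"image":"example/app:1.0"}`)))
	p.ServeHTTP(rec, req)
	fmt.Println(rec.Code, rec.Body.String())
}
```

The page-side fetch() then only ever talks to /api/scan on its own origin, and opens the returned url in a new tab itself; the 502 on a non-redirect upstream answer keeps a misconfigured Wave URL visible in the server logs rather than as a silent CSP error in the browser console.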

@munishchouhan munishchouhan requested a review from a team April 9, 2026 11:53
@munishchouhan munishchouhan self-assigned this Apr 9, 2026
@munishchouhan (Member, Author) commented:

tested locally:
[screenshot attached: Screenshot 2026-04-09 at 13 55 20]

@munishchouhan munishchouhan merged commit f6a3790 into master Apr 9, 2026
5 checks passed
@munishchouhan munishchouhan deleted the fix-sec-scan branch April 9, 2026 12:43

3 participants