From 1ff3c70ebe036ae5321197aaa9a6562fdd81aabb Mon Sep 17 00:00:00 2001
From: Pontoporeia
Date: Tue, 12 May 2026 10:35:58 +0200
Subject: [PATCH] fix: track vendor JS files, add 'unsafe-inline' to public CSP, gitignore filepond tmp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Track vendor JS files (filepond, htmx, overtype) that were moved to app/public/assets/js/vendor/ but never tracked → missing from deploys
- Add script-src 'self' 'unsafe-inline' to main CSP header so public pages (jury fieldset, repertoire, partage) can use inline scripts and onclick handlers
- Add storage/tmp/filepond/* to .gitignore with .gitkeep, and exclude from deploy rsync to avoid syncing local test uploads to production
---
 .gitignore | 2 ++
 TODO.md | 7 +++++++
 app/templates/admin/acces.php | 13 +++++++++++++
 justfile | 3 ++-
 nginx/xamxam.conf | 2 +-
 5 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index 6466f45..2f3e00e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,6 +20,8 @@ app/storage/banners/*
 !app/storage/banners/.gitkeep
 app/storage/tmp/*
 !app/storage/tmp/.gitkeep
+app/storage/tmp/filepond/*
+!app/storage/tmp/filepond/.gitkeep
 
 # Nix
 .direnv/
diff --git a/TODO.md b/TODO.md
index 1694935..3c2ef2b 100644
--- a/TODO.md
+++ b/TODO.md
@@ -7,3 +7,10 @@
 - [x] Step 5 — Update upload-progress.js (new collectFileNames, pending-uploads guard)
 - [ ] Step 6 — QA / integration testing
 - [ ] Step 7 — Cleanup: remove transition flags, remove INPUT_ID_TO_TYPE
+
+# CSP & Deploy Fixes (May 2026)
+
+- [x] Track vendor JS files in jj (they were moved to vendor/ but never `jj file track`ed)
+- [x] Add `script-src 'self' 'unsafe-inline'` to main CSP header (public pages use inline scripts + onclick handlers)
+- [x] Add `storage/tmp/filepond/*` to .gitignore + rsync exclude, with .gitkeep
+- [ ] Deploy: `just deploy` to sync vendor JS files + updated CSP + .gitkeep to server
diff --git a/app/templates/admin/acces.php b/app/templates/admin/acces.php
index 6c1edeb..1a15453 100644
--- a/app/templates/admin/acces.php
+++ b/app/templates/admin/acces.php
@@ -1546,6 +1546,19 @@ +%%%%%%% diff from: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision) +\\\\\\\ to: uzsxkykq c23ac0f6 "filepond: fix audio/mp3 MIME, immediate PeerTube upload, handle nested queue $_FILES" (rebased revision) ++ $linkName = $link['name'] ?? ''; +++ $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff from: uzsxkykq c23ac0f6 "filepond: fix audio/mp3 MIME, immediate PeerTube upload, handle nested queue $_FILES" (rebased revision) +\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ to: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision) +- $linkName = $link['name'] ?? ''; +- $linkExpiresVal = $link['expires_at'] ? 
date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff from: somsyvxz 14a3cd10 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebase destination) +\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ to: uktvpzsn c1c0a4b0 "fix: track vendor JS files, add 'unsafe-inline' to public CSP, gitignore filepond tmp" (rebased revision) + $linkName = $link['name'] ?? ''; + $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; + $linkLockedYear = $link['locked_year'] ?? null; ++%%%%%%% diff from: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision) ++\\\\\\\ to: uktvpzsn ce8e9ac6 "fix: track vendor JS files, add 'unsafe-inline' to public CSP, gitignore filepond tmp" (rebased revision) +++ $linkName = $link['name'] ?? ''; ++ $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; ?> diff --git a/justfile b/justfile index 95aa955..51e1d82 100644 --- a/justfile +++ b/justfile 
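Review bot: The lines this hunk adds to app/templates/admin/acces.php are jj conflict markers (`%%%%%%% diff from: …` / `\\\\\\\ to: …`, nested twice) rather than resolved code, so the committed template now carries a PHP parse error inside the code block that closes with the `?>` at the end of the hunk. Neither the commit message nor TODO.md mentions this file, which suggests the conflict left behind by the rebase was tracked by accident along with the vendor JS. Resolve it to the plain assignments the conflict sides agree on — `$linkName = $link['name'] ?? '';` and `$linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : '';` — and drop every marker line; `$linkLockedYear = $link['locked_year'] ?? null;` appears only on the rebase-destination side, so confirm it is wanted before keeping it. The code that defines `$link` and opens this PHP block lies before the hunk.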
@@ -41,7 +41,7 @@ deploy:
 # Main deploy (code + assets) then run any pending DB migrations
 rsync -vur --progress --delete \
 --chown="www-data:xamxam" \
- --exclude 'vendor' \
+ --exclude '/vendor' \
 --exclude 'tests' \
 --exclude '*.md' \
 --exclude '.git*' \
@@ -58,6 +58,7 @@ deploy:
 --exclude 'storage/maintenance.flag' \
 --exclude 'storage/fixtures' \
 --exclude 'storage/docs' \
+ --exclude 'storage/tmp/filepond/*' \
 --exclude 'var/' \
 app/ xamxam:/var/www/xamxam/
 # Deploy nginx config + fix permissions + reload (single server-side run)
diff --git a/nginx/xamxam.conf b/nginx/xamxam.conf
index 6aa2ce4..06324bc 100644
--- a/nginx/xamxam.conf
+++ b/nginx/xamxam.conf
@@ -37,7 +37,7 @@ server {
 # Security headers
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
- add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "strict-origin-when-cross-origin" always;
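Review bot: `--exclude '/vendor'` is undocumented: anchoring the pattern is what stops rsync from also skipping `public/assets/js/vendor/`, but the commit message attributes the missing vendor JS only to the files not being tracked, so the reason this one pattern is anchored while `tests`, `*.md` and `.git*` stay unanchored is invisible to the next reader. A comment line above the rsync command would carry it, for example `# '/vendor' is anchored: skip composer's app/vendor only, not public/assets/js/vendor/ (tracked JS)`. The remaining unanchored patterns will presumably still drop any `tests` directory shipped inside that vendor JS tree, so consider anchoring them the same way. The `deploy:` recipe continues outside both hunks.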
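Review bot: `script-src 'self' 'unsafe-inline'` on the new Content-Security-Policy line gives up the protection against injected script that the previous policy provided (script-src fell back to `default-src 'self'`, which blocks inline script), and because the header sits at `server` level it applies to the admin templates as well, not only to the public pages the commit message names. Any user-controlled value that reaches a template unescaped becomes executable again, so this is a security regression rather than a fix and should be treated as temporary. The standard replacement is a per-request nonce: pass nginx's `$request_id` to PHP with a `fastcgi_param` (e.g. `fastcgi_param CSP_NONCE $request_id;`), change the directive to `script-src 'self' 'nonce-$request_id';`, add `nonce="…"` to the templates' `<script>` tags, and move the `onclick` attributes to `addEventListener` in a served JS file, since inline event-handler attributes cannot be nonced. If `'unsafe-inline'` has to ship now, a comment on the line marking it as a stopgap with the tracking TODO item would keep it from becoming permanent.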