fix: track vendor JS files, add 'unsafe-inline' to public CSP, gitignore filepond tmp

- Track vendor JS files (filepond, htmx, overtype) that were moved
  to app/public/assets/js/vendor/ but never tracked → missing from deploys
- Add script-src 'self' 'unsafe-inline' to main CSP header so public
  pages (jury fieldset, repertoire, partage) can use inline scripts
  and onclick handlers
- Add storage/tmp/filepond/* to .gitignore with .gitkeep, and exclude
  from deploy rsync to avoid syncing local test uploads to production
This commit is contained in:
Pontoporeia
2026-05-12 10:35:58 +02:00
parent 2e9ebfc684
commit 1ff3c70ebe
5 changed files with 25 additions and 2 deletions


@@ -7,3 +7,10 @@
- [x] Step 5 — Update upload-progress.js (new collectFileNames, pending-uploads guard)
- [ ] Step 6 — QA / integration testing
- [ ] Step 7 — Cleanup: remove transition flags, remove INPUT_ID_TO_TYPE
# CSP & Deploy Fixes (May 2026)
- [x] Track vendor JS files in jj (they were moved to vendor/ but never `jj file track`ed)
- [x] Add `script-src 'self' 'unsafe-inline'` to main CSP header (public pages use inline scripts + onclick handlers)
- [x] Add `storage/tmp/filepond/*` to .gitignore + rsync exclude, with .gitkeep
- [ ] Deploy: `just deploy` to sync vendor JS files + updated CSP + .gitkeep to server
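Review bot: the second checked item adds `'unsafe-inline'` to `script-src`, which removes the CSP's protection against injected inline scripts on exactly the public pages (jury fieldset, repertoire, partage) it is meant to cover, so an XSS bug there would run unhindered; prefer a per-response nonce or `'sha256-…'` hashes for the inline scripts, and move the `onclick` handlers into the now-tracked vendor/app JS with `addEventListener`, since hashes do not cover event-handler attributes without `'unsafe-hashes'`. The rsync exclude for `storage/tmp/filepond/*` should also be checked against the deploy target, because the unchecked `just deploy` step is what makes the vendor JS and the CSP change take effect, and a stale `.gitkeep`-only directory on the server will still need write permission for uploads.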