From 21f16ee093ec54a625335371a43260d91196c785 Mon Sep 17 00:00:00 2001 From: Pontoporeia Date: Wed, 24 Jun 2026 14:49:08 +0200 Subject: [PATCH] chore: move #rep-polish to Completed, investigate #tighten-csp blockers --- TODO.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/TODO.md b/TODO.md index d5825a5..32be616 100644 --- a/TODO.md +++ b/TODO.md @@ -8,9 +8,12 @@ ## Pending - [ ] #rep-student-touch Replace hover student popover with tap-to-open drawer for mobile `(repertoire.php, repertoire.css, repertoire-student-popover.js)` -- [x] #rep-polish Polish: scroll-position memory on HTMX swap, animation tuning `(repertoire.css)` ✓ + +## Deferred / Blocked +- [ ] #tighten-csp Tighten CSP to remove 'unsafe-inline' + 'unsafe-eval' from script-src — blocked on HTMX's use of new Function() for 'unsafe-eval'; 'unsafe-inline' needs OverType init + flash-warning inline scripts moved to external files, plus maintenance.php + validate-access.php inline styles extracted ## Completed +- [x] #rep-polish Polish: scroll-position memory on HTMX swap, animation tuning `(repertoire.css)` ✓ - [x] #icon-color-verify Verify icon colors render correctly across all pages (header, admin tables, forms, dialogs, cleanup modal) ✓ - [x] #sec-open-redirect Fix open redirect in tag.php + language.php (protocol-relative URL bypass via str_starts_with) ✓ - [x] #build-pipeline Setup biome + rolldown + lightningcss build pipeline ✓
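Review bot: The new #tighten-csp entry under "Deferred / Blocked" lists the inline styles in maintenance.php + validate-access.php as a prerequisite for removing 'unsafe-inline' from script-src, but inline styles are governed by style-src, so they do not block the script-src change described here. The entry also folds three pieces of work with different status into one checkbox: only the 'unsafe-eval' part is stated as blocked (on HTMX's use of new Function()), while moving the OverType init + flash-warning inline scripts to external files is actionable now. Suggest splitting it into separate items: one blocked item for 'unsafe-eval', one Pending item for script-src 'unsafe-inline', and one style-src item for the inline-style extraction. Each item should carry the affected files in the backticked `(file, file)` form that the #rep-student-touch and #rep-polish entries already use.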