Reintroduce TFE duration metadata: DB columns, form fields, controllers, views, and migration

Add 'unsafe-eval' to CSP script-src directives (htmx requires Function())

nginx/xamxam.conf

@@ -37,8 +37,8 @@ server {
 
     # Security headers
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
-    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
+    add_header X-Frame-Options "DENY" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
@@ -115,12 +115,8 @@ server {
         deny all;
     }
 
-    # Admin panel - password protected
+    # Admin panel - password protected at the PHP layer (AdminAuth)
     location ^~ /admin/ {
-        # HTTP Basic Authentication (first layer)
-        auth_basic "Admin Access - XAMXAM";
-        auth_basic_user_file /etc/nginx/.htpasswd-xamxam;
-
         # Rate limiting for admin
         # 300r/m rate + burst=30 allows all concurrent HTMX fragments (up to ~12
         # on contenus.php) while still capping brute-force at 5 req/s sustained.
@@ -129,12 +125,13 @@ server {
         # Content-Security-Policy - Admin policy
         # script-src needs 'unsafe-inline' for the OverType editor init block
         # and the live-reload poller (dev only). Admin is already auth-gated.
-        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
+        # 'unsafe-eval' is required by htmx (uses Function() internally).
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
 
         # Disable directory listing
         autoindex off;
 
-        # PHP handling for admin (AdminAuth provides second layer)
+        # PHP handling for admin (AdminAuth provides auth layer)
         location ~ \.php$ {
             include snippets/fastcgi-php.conf;
             fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
@@ -168,8 +165,24 @@ server {
     }
 
     # /media — served by front controller (MediaController validates + streams)
+    # Override frame-ancestors to 'self' so Firefox's built-in PDF viewer
+    # can display PDFs inline (Firefox uses an internal iframe for PDF.js).
+    # Direct fastcgi_pass to /index.php (no try_files) so add_header survives —
+    # try_files triggers an internal redirect to location = /index.php, which
+    # loses this CSP override and inherits the server-block frame-ancestors 'none'.
     location = /media {
-        try_files $uri /index.php$is_args$args;
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'self';" always;
+        # Direct fastcgi_pass to /index.php (no try_files) so add_header survives.
+        # We can't use snippets/fastcgi-php.conf because its try_files
+        # $fastcgi_script_name =404 would fail — $fastcgi_script_name is /media
+        # (no .php extension). Include fastcgi.conf directly instead.
+        include fastcgi.conf;
+        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+        fastcgi_param SCRIPT_NAME /index.php;
+        fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
+        fastcgi_param PHP_VALUE "upload_max_filesize=8192M \n post_max_size=8192M";
+        fastcgi_read_timeout 600;
+        fastcgi_send_timeout 600;
     }
 
     # /live-reload — served by front controller