Document CSP directive rationale and strengthen inline-script assertion

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/middleware.test.ts

@@ -42,11 +42,13 @@ describe('buildSecurityHeaders', () => {
   });
 
   it('does not allow inline scripts', () => {
-    expect(headers['Content-Security-Policy']).not.toContain("'unsafe-inline' 'nonce-");
+    // Script directive must not include 'unsafe-inline' — find it explicitly and assert.
     const scriptDirective = headers['Content-Security-Policy']
       .split(';')
       .map(s => s.trim())
       .find(s => s.startsWith('script-src')) ?? '';
+    expect(scriptDirective).toContain("'self'");
     expect(scriptDirective).not.toContain("'unsafe-inline'");
+    expect(scriptDirective).not.toContain("'unsafe-eval'");
   });
 });