fix: switch to adapter-vercel and fix CSP nonce mismatch

[tazmeen24]

Summary

Fixes blank page on Vercel caused by CSP nonce mismatch. Switches from adapter-auto + nonce-based CSP to adapter-vercel + hash-based CSP, which is stable on serverless.

Closes #404

---

Type of Change

• Bug fix
• Security

---

What Changed

• Switched @sveltejs/adapter-auto → @sveltejs/adapter-vercel
• Changed CSP mode 'auto' → 'hash'
• Removed 'unsafe-inline' from script-src
• Added 'http://localhost:3000' to connect-src for local dev

Before

After

---

How to Test

cd apps/web
pnpm run build
pnpm run preview

Verify: JS files load in Network tab, page renders (not blank)

---

Checklist

• Code follows project style
• TypeScript compiles
• No debug statements

---

Additional Context

Backend CORS is hardcoded to localhost:5173 (the dev server port). The preview runs on port 4173 instead. For local testing, either:

• Update backend CORS to allow localhost:4173, OR
• Use pnpm dev to run web on localhost:5173

(This is a separate backend issue, not CSP-related)

[github-actions]

CI Results — ❌ Some checks failed

🖥️ Backend (⏭️ skipped)

Check	Status
Lint	⚪ unknown
Test	⚪ unknown
Typecheck	⚪ unknown

📱 Mobile (⏭️ skipped)

Check	Status
Lint	⚪ unknown
Test	⚪ unknown

🌐 Web (❌ failure)

Check	Status
Check	❌ failure
Build	✅ success

---

🕐 Last updated: Wed, 03 Jun 2026 11:23:39 GMT