From 3d38e428dc8902ee6e1a34bce807dac819020016 Mon Sep 17 00:00:00 2001
From: MorganOnCode <87934408+MorganOnCode@users.noreply.github.com>
Date: Fri, 15 May 2026 12:10:43 +0000
Subject: [PATCH] feat(landing): precompile JSX so CSP can drop 'unsafe-eval'

Closes audit #13. Replaces Babel-standalone in the browser with a
precompiled bundle so the production CSP can be tightened from:

  script-src: 'self' 'unsafe-inline' 'unsafe-eval'
              https://static.cloudflareinsights.com https://unpkg.com

to:

  script-src: 'self' https://static.cloudflareinsights.com

That removes the eval class of attack surface entirely (Babel was
compiling JSX in the browser via `new Function()`, which required
'unsafe-eval'), and drops the unpkg.com supply-chain dependency
since React + ReactDOM are now bundled.

## Approach

Zero source-file changes. The 8 .jsx files in landing/ still use the
familiar `React.useState` / `ReactDOM.createRoot` global API; nothing
was refactored to ESM imports. Instead a tiny `scripts/build-landing.mjs`
concatenates the files in their existing load order, prepends a shim
that imports React + ReactDOM, and feeds the result through esbuild.

This minimises the diff (the .jsx code is untouched), keeps the dev
workflow understandable (each component is still a self-contained .jsx
file), and gives us a clean production artifact (landing/dist/app.js,
~185 KiB minified, ~438 KiB sourcemap).

## Files

- `scripts/build-landing.mjs` -- new, ~80 lines, esbuild bundle of the
  concatenated .jsx with classic JSX transform
- `package.json` -- adds react@18.3.1 + react-dom@18.3.1 as runtime
  deps, @types/react + @types/react-dom + esbuild as dev deps, a
  `build:landing` script, and chains it into `build`
- `Dockerfile` -- build stage now copies `landing/` and the build
  script, runs `pnpm build` (both backend tsup AND landing esbuild),
  production stage pulls landing/ (including dist/) from the build
  stage instead of the host
- `landing/index.html` -- drops 3 unpkg.com `<script>` tags + 8
  `<script type="text/babel">` tags; adds a single
  `<script src="/dist/app.js" defer>`
- `src/server.ts` -- removes 'unsafe-eval', 'unsafe-inline', and
  unpkg.com from CSP script-src. style-src keeps 'unsafe-inline' for
  React's inline `style={{...}}` pattern and the inline `<style>`
  block (could be tightened in a future PR by extracting CSS, but
  the React-inline pattern is pervasive and not security-critical)
- `tests/integration/landing.test.ts` -- replaces two stale tests
  (which checked individual .jsx routes) with three new ones that
  verify the new bundle is referenced, Babel/unpkg are absent, and
  the CSP header is strict

`.gitignore` already excludes `landing/dist/` via the global `dist/`
rule. landing/dist/ is generated only by `pnpm build:landing`; the
production image gets it from the build stage where it's materialised.

## Local verification

- `pnpm build:landing` -- 184.8 KiB bundle in 63ms
- `pnpm typecheck` / `pnpm lint` / `pnpm test` -- 34 files / 460 tests
- `node --check landing/dist/app.js` -- syntax OK
- Docker image built side-by-side with prod, started clean, /health
  healthy, /dist/app.js served with `application/javascript`, CSP
  header confirmed strict (no unsafe-eval, no unpkg)

Production container was NOT touched during validation.

## What's NOT in this PR

- Inline `<style>` block in landing/index.html is unchanged. Removing
  it would let us drop 'unsafe-inline' from style-src too, but it's
  a bigger CSS refactor (the file has heavy inline-style usage and
  React inline styles still trigger style-src). Out of scope here.
- The 8 .jsx files keep using `React.useState` etc. globally. A
  future cleanup could convert them to ESM modules with named hook
  imports for better tooling support (autocomplete, jump-to-def).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 Dockerfile                        |  15 +++--
 landing/index.html                |  16 ++---
 package.json                      |   8 ++-
 pnpm-lock.yaml                    |  68 +++++++++++++++++++
 scripts/build-landing.mjs         | 105 ++++++++++++++++++++++++++++++
 src/server.ts                     |  20 +++---
 tests/integration/landing.test.ts |  41 +++++++-----
 7 files changed, 230 insertions(+), 43 deletions(-)
 create mode 100755 scripts/build-landing.mjs

diff --git a/Dockerfile b/Dockerfile
index 8604868..6c8323d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,11 +12,15 @@ COPY package.json pnpm-lock.yaml ./
 # Install all dependencies (including dev for build)
 RUN pnpm install --frozen-lockfile
 
-# Copy source code
+# Copy source code AND landing page AND build scripts so `pnpm build`
+# can produce both the backend dist/ and landing/dist/app.js bundle.
 COPY src/ src/
+COPY landing/ landing/
+COPY scripts/build-landing.mjs scripts/
 COPY tsconfig.json tsconfig.build.json tsup.config.ts ./
 
-# Build
+# `pnpm build` runs tsup (backend -> dist/) and build-landing
+# (landing JSX -> landing/dist/app.js, with React + ReactDOM bundled).
 RUN pnpm build
 
 # Stage 2: Production
@@ -39,8 +43,11 @@ RUN pnpm install --frozen-lockfile --prod --ignore-scripts
 # Copy built output from build stage
 COPY --from=build /app/dist ./dist
 
-# Copy landing page (served at / by @fastify/static)
-COPY landing/ ./landing/
+# Copy the landing page WITH its precompiled bundle from the build stage.
+# The host-side landing/ doesn't have landing/dist (it's gitignored and only
+# materialised during a build), so we pull the whole tree from the build
+# stage where the bundle exists at landing/dist/app.js.
+COPY --from=build /app/landing ./landing
 
 # Copy agent-discovery surface (served at /SKILL.md by the agent-discovery plugin)
 COPY SKILL.md ./SKILL.md
diff --git a/landing/index.html b/landing/index.html
index bb1c354..bb6c339 100644
--- a/landing/index.html
+++ b/landing/index.html
@@ -214,18 +214,10 @@
 
 <div id="root"></div>
 
-<script src="https://unpkg.com/react@18.3.1/umd/react.development.js" integrity="sha384-hD6/rw4ppMLGNu3tX5cjIb+uRZ7UkRJ6BPkLpg4hAu/6onKUg4lLsHAs9EBPT82L" crossorigin="anonymous"></script>
-<script src="https://unpkg.com/react-dom@18.3.1/umd/react-dom.development.js" integrity="sha384-u6aeetuaXnQ38mYT8rp6sbXaQe3NL9t+IBXmnYxwkUI2Hw4bsp2Wvmx4yRQF1uAm" crossorigin="anonymous"></script>
-<script src="https://unpkg.com/@babel/standalone@7.29.0/babel.min.js" integrity="sha384-m08KidiNqLdpJqLq95G/LEi8Qvjl/xUYll3QILypMoQ65QorJ9Lvtp2RXYGBFj1y" crossorigin="anonymous"></script>
-
-<script type="text/babel" src="hooks.jsx"></script>
-<script type="text/babel" src="components/HeroReceipt.jsx"></script>
-<script type="text/babel" src="components/HeroTerminal.jsx"></script>
-<script type="text/babel" src="components/LiveDemo.jsx"></script>
-<script type="text/babel" src="components/HowItWorks.jsx"></script>
-<script type="text/babel" src="components/UseCases.jsx"></script>
-<script type="text/babel" src="components/MorganBlock.jsx"></script>
-<script type="text/babel" src="app.jsx"></script>
+<!-- Precompiled by scripts/build-landing.mjs (bundled React 18.3.1 + app). -->
+<!-- Source files live in landing/*.jsx and landing/components/*.jsx.       -->
+<!-- CSP is strict: no inline scripts, no eval, no third-party script src.  -->
+<script src="/dist/app.js" defer></script>
 
 </body>
 </html>
diff --git a/package.json b/package.json
index 77dcf89..e8d06f3 100644
--- a/package.json
+++ b/package.json
@@ -35,7 +35,8 @@
   },
   "scripts": {
     "dev": "tsx watch --env-file-if-exists=.env --inspect src/index.ts",
-    "build": "tsup",
+    "build": "tsup && pnpm build:landing",
+    "build:landing": "node scripts/build-landing.mjs",
     "lint": "eslint src",
     "lint:fix": "eslint src --fix",
     "format": "prettier --write \"src/**/*.ts\"",
@@ -94,12 +95,17 @@
     "ioredis": "^5.10.1",
     "pino": "^10.3.1",
     "prom-client": "^15.1.3",
+    "react": "18.3.1",
+    "react-dom": "18.3.1",
     "zod": "^4.4.3"
   },
   "devDependencies": {
     "@eslint/js": "^9.39.4",
     "@types/node": "^25.8.0",
+    "@types/react": "^18.3",
+    "@types/react-dom": "^18.3",
     "@vitest/coverage-v8": "^4.0.18",
+    "esbuild": "^0.28.0",
     "eslint": "^9.39.4",
     "eslint-config-airbnb-extended": "^3.1.0",
     "eslint-plugin-import": "^2.32.0",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index f707789..56d8c0a 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -65,6 +65,12 @@ importers:
       prom-client:
         specifier: ^15.1.3
         version: 15.1.3
+      react:
+        specifier: 18.3.1
+        version: 18.3.1
+      react-dom:
+        specifier: 18.3.1
+        version: 18.3.1(react@18.3.1)
       zod:
         specifier: ^4.4.3
         version: 4.4.3
@@ -75,9 +81,18 @@ importers:
       '@types/node':
         specifier: ^25.8.0
         version: 25.8.0
+      '@types/react':
+        specifier: ^18.3
+        version: 18.3.28
+      '@types/react-dom':
+        specifier: ^18.3
+        version: 18.3.7(@types/react@18.3.28)
       '@vitest/coverage-v8':
         specifier: ^4.0.18
         version: 4.0.18(vitest@4.0.18(@opentelemetry/api@1.9.1)(@types/node@25.8.0)(tsx@4.22.0)(yaml@2.9.0))
+      esbuild:
+        specifier: ^0.28.0
+        version: 0.28.0
       eslint:
         specifier: ^9.39.4
         version: 9.39.4
@@ -1329,6 +1344,17 @@ packages:
   '@types/pg@8.15.6':
     resolution: {integrity: sha512-NoaMtzhxOrubeL/7UZuNTrejB4MPAJ0RpxZqXQf2qXuVlTPuG6Y8p4u9dKRaue4yjmC7ZhzVO2/Yyyn25znrPQ==}
 
+  '@types/prop-types@15.7.15':
+    resolution: {integrity: sha512-F6bEyamV9jKGAFBEmlQnesRPGOQqS2+Uwi0Em15xenOxHaf2hv6L8YCVn3rPdPJOiJfPiCnLIRyvwVaqMY3MIw==}
+
+  '@types/react-dom@18.3.7':
+    resolution: {integrity: sha512-MEe3UeoENYVFXzoXEWsvcpg6ZvlrFNlOQ7EOsvhI3CfAXwzPfO8Qwuxd40nepsYKqyyVQnTdEfv68q91yLcKrQ==}
+    peerDependencies:
+      '@types/react': ^18.0.0
+
+  '@types/react@18.3.28':
+    resolution: {integrity: sha512-z9VXpC7MWrhfWipitjNdgCauoMLRdIILQsAEV+ZesIzBq/oUlxk0m3ApZuMFCXdnS4U7KrI+l3WRUEGQ8K1QKw==}
+
   '@types/responselike@1.0.3':
     resolution: {integrity: sha512-H/+L+UkTV33uf49PH5pCAUBVPNj2nDBXTN+qS1dOwyyg24l3CcicicCA7ca+HMvJBZcFgl5r8e+RR6elsb4Lyw==}
 
@@ -1869,6 +1895,9 @@ packages:
     resolution: {integrity: sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==}
     engines: {node: '>= 8'}
 
+  csstype@3.2.3:
+    resolution: {integrity: sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==}
+
   damerau-levenshtein@1.0.8:
     resolution: {integrity: sha512-sdQSFB7+llfUcQHUQO3+B8ERRj0Oa4w9POWMI/puGtuf7gFywGmkaLCElnudfTiKZV+NvHqL0ifzdrI8Ro7ESA==}
 
@@ -3276,9 +3305,18 @@ packages:
     resolution: {integrity: sha512-WuyALRjWPDGtt/wzJiadO5AXY+8hZ80hVpe6MyivgraREW751X3SbhRvG3eLKOYN+8VEvqLcf3wdnt44Z4S4SA==}
     engines: {node: '>=10'}
 
+  react-dom@18.3.1:
+    resolution: {integrity: sha512-5m4nQKp+rZRb09LNH59GM4BxTh9251/ylbKIbpe7TpGxfJ+9kv6BLkLBXIjjspbgbnIBNqlI23tRnTWT0snUIw==}
+    peerDependencies:
+      react: ^18.3.1
+
   react-is@16.13.1:
     resolution: {integrity: sha512-24e6ynE2H+OKt4kqsOvNd8kBpV65zoxbA4BVsEOB3ARVWQki/DHzaUoC5KuON/BiccDaCCTZBuOcfZs70kR8bQ==}
 
+  react@18.3.1:
+    resolution: {integrity: sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ==}
+    engines: {node: '>=0.10.0'}
+
   readable-stream@2.3.8:
     resolution: {integrity: sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==}
 
@@ -3397,6 +3435,9 @@ packages:
     resolution: {integrity: sha512-b3rppTKm9T+PsVCBEOUR46GWI7fdOs00VKZ1+9c1EWDaDMvjQc6tUwuFyIprgGgTcWoVHSKrU8H31ZHA2e0RHA==}
     engines: {node: '>=10'}
 
+  scheduler@0.23.2:
+    resolution: {integrity: sha512-UOShsPwz7NrMUqhR6t0hWjFduvOzbtv7toDH1/hIrfRNIDBnnBWd0CwJTGvTpngVlmwGCdP9/Zl/tVrDqcuYzQ==}
+
   secure-json-parse@4.1.0:
     resolution: {integrity: sha512-l4KnYfEyqYJxDwlNVyRfO2E4NTHfMKAWdUuA8J0yve2Dz/E/PdBepY03RvyJpssIpRFwJoCD55wA+mEDs6ByWA==}
 
@@ -5291,6 +5332,17 @@ snapshots:
       pg-protocol: 1.11.0
       pg-types: 2.2.0
 
+  '@types/prop-types@15.7.15': {}
+
+  '@types/react-dom@18.3.7(@types/react@18.3.28)':
+    dependencies:
+      '@types/react': 18.3.28
+
+  '@types/react@18.3.28':
+    dependencies:
+      '@types/prop-types': 15.7.15
+      csstype: 3.2.3
+
   '@types/responselike@1.0.3':
     dependencies:
       '@types/node': 25.8.0
@@ -5872,6 +5924,8 @@ snapshots:
       shebang-command: 2.0.0
       which: 2.0.2
 
+  csstype@3.2.3: {}
+
   damerau-levenshtein@1.0.8: {}
 
   data-view-buffer@1.0.2:
@@ -7426,8 +7480,18 @@ snapshots:
 
   quick-lru@5.1.1: {}
 
+  react-dom@18.3.1(react@18.3.1):
+    dependencies:
+      loose-envify: 1.4.0
+      react: 18.3.1
+      scheduler: 0.23.2
+
   react-is@16.13.1: {}
 
+  react@18.3.1:
+    dependencies:
+      loose-envify: 1.4.0
+
   readable-stream@2.3.8:
     dependencies:
       core-util-is: 1.0.3
@@ -7586,6 +7650,10 @@ snapshots:
 
   safe-stable-stringify@2.5.0: {}
 
+  scheduler@0.23.2:
+    dependencies:
+      loose-envify: 1.4.0
+
   secure-json-parse@4.1.0: {}
 
   semver@6.3.1: {}
diff --git a/scripts/build-landing.mjs b/scripts/build-landing.mjs
new file mode 100755
index 0000000..f960324
--- /dev/null
+++ b/scripts/build-landing.mjs
@@ -0,0 +1,105 @@
+#!/usr/bin/env node
+// scripts/build-landing.mjs
+// Precompile the landing-page JSX so we can drop 'unsafe-eval' from CSP.
+//
+// Strategy: concatenate the existing 8 .jsx files in the order they were
+// loaded via <script type="text/babel"> (hooks first, components, app last),
+// prepend an `import React, ...` shim, then bundle with esbuild into a
+// single IIFE at landing/dist/app.js.
+//
+// No source changes needed in landing/*.jsx -- the global React.* references
+// resolve cleanly because the bundled module has React in scope, and the
+// classic JSX transform (jsxFactory: React.createElement) keeps the
+// generated calls identical to what Babel-standalone was producing in the
+// browser before.
+
+import { build } from 'esbuild';
+import { mkdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const REPO_ROOT = resolve(__dirname, '..');
+const LANDING = resolve(REPO_ROOT, 'landing');
+const DIST = resolve(LANDING, 'dist');
+
+// Concatenation order matches the original <script type="text/babel"> tags.
+// hooks first, then components in their previous load order, then app last
+// (since app.jsx calls ReactDOM.createRoot on the App component).
+const SOURCE_ORDER = [
+  'hooks.jsx',
+  'components/HeroReceipt.jsx',
+  'components/HeroTerminal.jsx',
+  'components/LiveDemo.jsx',
+  'components/HowItWorks.jsx',
+  'components/UseCases.jsx',
+  'components/MorganBlock.jsx',
+  'app.jsx',
+];
+
+const BANNER = `// AUTO-GENERATED. Do not edit landing/dist/*. Run \`pnpm build:landing\`.
+// Source: concatenated from landing/*.jsx and landing/components/*.jsx.
+
+import React, { useState, useEffect } from 'react';
+import { createRoot } from 'react-dom/client';
+
+// The original Babel-standalone build expected React and ReactDOM as
+// globals. We satisfy that surface without changing the source files.
+const ReactDOM = { createRoot };
+
+`;
+
+function makeVirtualEntry() {
+  const parts = [BANNER];
+  for (const rel of SOURCE_ORDER) {
+    const full = resolve(LANDING, rel);
+    const body = readFileSync(full, 'utf-8');
+    parts.push(`// ===== FILE: ${rel} =====\n`);
+    parts.push(body);
+    parts.push('\n');
+  }
+  return parts.join('\n');
+}
+
+async function main() {
+  mkdirSync(DIST, { recursive: true });
+
+  const virtual = makeVirtualEntry();
+  const entryPath = resolve(DIST, '.entry.jsx');
+  writeFileSync(entryPath, virtual);
+
+  try {
+    const result = await build({
+      entryPoints: [entryPath],
+      outfile: resolve(DIST, 'app.js'),
+      bundle: true,
+      format: 'iife',
+      loader: { '.jsx': 'jsx' },
+      jsxFactory: 'React.createElement',
+      jsxFragment: 'React.Fragment',
+      define: {
+        'process.env.NODE_ENV': '"production"',
+      },
+      minify: true,
+      sourcemap: true,
+      target: 'es2020',
+      logLevel: 'info',
+      metafile: true,
+    });
+
+    // Report bundle size for visibility
+    const out = result.metafile.outputs[Object.keys(result.metafile.outputs).find((k) =>
+      k.endsWith('app.js')
+    )];
+    const kb = (out.bytes / 1024).toFixed(1);
+    console.log(`\nLanding bundle: landing/dist/app.js (${kb} KiB)`);
+  } finally {
+    // Clean up the virtual entry so the dist dir only contains the compiled output
+    rmSync(entryPath, { force: true });
+  }
+}
+
+main().catch((err) => {
+  console.error('build-landing failed:', err);
+  process.exit(1);
+});
diff --git a/src/server.ts b/src/server.ts
index 6100c1e..9251078 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -84,15 +84,17 @@ export async function createServer(options: CreateServerOptions): Promise<Fastif
       : {
           useDefaults: true,
           directives: {
-            'script-src': [
-              "'self'",
-              "'unsafe-inline'",
-              // Babel standalone compiles JSX in the browser via new Function()
-              "'unsafe-eval'",
-              'https://static.cloudflareinsights.com',
-              // React, ReactDOM, Babel standalone CDN
-              'https://unpkg.com',
-            ],
+            // Strict script policy: no inline, no eval, no third-party scripts
+            // except the Cloudflare Web Analytics beacon. The landing app is
+            // precompiled to landing/dist/app.js (see scripts/build-landing.mjs)
+            // and bundles React + ReactDOM, so Babel-standalone and unpkg.com
+            // are no longer needed.
+            'script-src': ["'self'", 'https://static.cloudflareinsights.com'],
+            // 'unsafe-inline' on style-src remains for now: React's inline
+            // style={{...}} pattern and the inline <style> block in landing
+            // both depend on it. A future PR can extract the inline <style>
+            // to an external CSS file, but the React inline-style usage is
+            // pervasive and not worth refactoring for marginal hardening.
             'style-src': ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
             'font-src': ["'self'", 'https://fonts.gstatic.com', 'data:'],
             'img-src': ["'self'", 'data:'],
diff --git a/tests/integration/landing.test.ts b/tests/integration/landing.test.ts
index f35a327..cb10dce 100644
--- a/tests/integration/landing.test.ts
+++ b/tests/integration/landing.test.ts
@@ -95,26 +95,33 @@ describe('Landing page', () => {
     expect(response.body).toContain('nav-drawer');
   });
 
-  it('serves the shared hooks bundle so components can read useIsMobile', async () => {
-    const response = await server.inject({ method: 'GET', url: '/hooks.jsx' });
+  it('references the precompiled landing bundle (drops Babel-in-browser)', async () => {
+    const response = await server.inject({ method: 'GET', url: '/' });
 
     expect(response.statusCode).toBe(200);
-    expect(response.body).toContain('useIsMobile');
-    expect(response.body).toContain('window.matchMedia');
+    // The new architecture loads a single precompiled bundle
+    expect(response.body).toMatch(/<script\s+src="\/dist\/app\.js"[^>]*defer/);
   });
 
-  it('serves component bundles', async () => {
-    const components = [
-      'components/HeroReceipt.jsx',
-      'components/HeroTerminal.jsx',
-      'components/LiveDemo.jsx',
-      'components/HowItWorks.jsx',
-      'components/UseCases.jsx',
-      'components/MorganBlock.jsx',
-    ];
-    for (const path of components) {
-      const r = await server.inject({ method: 'GET', url: `/${path}` });
-      expect(r.statusCode, `expected 200 for /${path}`).toBe(200);
-    }
+  it('does NOT load Babel standalone or any unpkg.com script (drops unsafe-eval)', async () => {
+    const response = await server.inject({ method: 'GET', url: '/' });
+
+    // Reverting to Babel-in-browser would force `unsafe-eval` back into the CSP.
+    expect(response.body).not.toContain('@babel/standalone');
+    expect(response.body).not.toContain('unpkg.com');
+    expect(response.body).not.toMatch(/type=["']text\/babel["']/);
+  });
+
+  it('ships a strict CSP without unsafe-eval and without third-party script sources', async () => {
+    const response = await server.inject({ method: 'GET', url: '/' });
+
+    const csp = response.headers['content-security-policy'];
+    expect(csp, 'CSP header should be set in non-dev env').toBeDefined();
+    const cspStr = String(csp);
+    // Hardened: the script-src directive must not allow eval or unpkg.com
+    expect(cspStr).not.toMatch(/script-src[^;]*'unsafe-eval'/);
+    expect(cspStr).not.toMatch(/script-src[^;]*unpkg\.com/);
+    // 'self' must still be present so /dist/app.js loads
+    expect(cspStr).toMatch(/script-src[^;]*'self'/);
   });
 });