diff --git a/docs/CSP_POLICY.md b/docs/CSP_POLICY.md
index 063ea864..9b3056b5 100644
--- a/docs/CSP_POLICY.md
+++ b/docs/CSP_POLICY.md
@@ -35,7 +35,7 @@ default-src 'self';
 base-uri 'self';
 form-action 'self';
 object-src 'none';
-script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' https://www.googletagmanager.com https://unpkg.com;
+script-src 'self' 'wasm-unsafe-eval' https://www.googletagmanager.com https://unpkg.com;
 style-src 'self' 'unsafe-inline';
 img-src 'self' data: blob: https://www.google-analytics.com https://www.googletagmanager.com;
 font-src 'self' data:;
@@ -53,10 +53,16 @@ Meta fallback policy (for static hosting without headers): same as above but wit
 
 The policy uses strict defaults (`default-src 'self'`, `object-src 'none'`, explicit `connect-src`/`script-src`/`worker-src`) while preserving required runtime behavior.
 
-Two allowances remain intentionally broad enough for current implementation:
+One allowance remains intentionally broad:
 
-- `'unsafe-inline'` in `script-src` / `style-src` due to inline scripts/styles in `index.html` and iframe sandbox bootstrap.
-- `'unsafe-eval'` + `'wasm-unsafe-eval'` in `script-src` to support current sandbox/runtime execution stack.
+- `'unsafe-inline'` in `style-src` — required for Blockly's runtime-injected inline styles (block colours, toolbox layout). Dynamically injected styles cannot be hashed, so this cannot be removed without modifying Blockly's theming internals.
+
+`script-src` no longer requires `'unsafe-inline'` or `'unsafe-eval'`:
+
+- The Google Analytics initialisation script was moved from an inline `<script>` block to `ga-init.js` (served from `self`), eliminating the only inline script in `index.html`.
+- The `new Function(code)` syntax-check in `validateCode()` was removed; the AST-based `validateUserCodeAST()` already provides a stricter check before code reaches the sandbox.
+- WASM execution (Draco, Manifold) is covered by `'wasm-unsafe-eval'`, which allows only WASM compilation rather than arbitrary JS `eval`.
+- The sandbox iframe sets its own CSP (`script-src 'unsafe-inline' 'unsafe-eval'`) inside the iframe document — this is separate from the parent page's policy and governs only sandboxed user-code execution.
 
 ## CSP regression checks before merge
 
diff --git a/flock.js b/flock.js
index 3d1e531e..63164817 100644
--- a/flock.js
+++ b/flock.js
@@ -3,6 +3,7 @@
 // Flip Computing Limited - flipcomputing.com
 
 import * as acorn from "acorn";
+import ManifoldInit from "manifold-3d";
 import * as walk from "acorn-walk";
 import HavokPhysics from "@babylonjs/havok";
 import * as BABYLON from "@babylonjs/core";
@@ -386,13 +387,6 @@ export const flock = {
                         throw new Error("Code too long (max 100KB)");
                 }
 
-                // Basic syntax check
-                try {
-                        new Function(code); // Just check if it parses
-                } catch (e) {
-                        throw new Error(`Syntax error: ${e.message}`);
-                }
-
                 // Optional: Warn about patterns (don't block)
                 const warnings = [];
                 if (/eval\s*\(/.test(code)) {
@@ -670,19 +664,24 @@ export const flock = {
                                 sameOrigin: true,
                         });
 
-                        // --- load SES text in parent and inject inline into iframe (CSP allows inline) ---
-                        const sesResp = await fetch(
-                                "vendor/ses/lockdown.umd.min.js",
-                        );
-                        if (!sesResp.ok)
-                                throw new Error(
-                                        `Failed to fetch SES: ${sesResp.status}`,
-                                );
-                        const sesText = await sesResp.text();
-                        const sesScript = doc.createElement("script");
-                        sesScript.type = "text/javascript";
-                        sesScript.text = sesText;
-                        doc.head.appendChild(sesScript);
+                        // Load SES lockdown via src= so the parent's script-src 'self' policy
+                        // is satisfied — injecting inline text would require 'unsafe-inline'.
+                        await new Promise((resolve, reject) => {
+                                const sesScript = doc.createElement("script");
+                                sesScript.type = "text/javascript";
+                                sesScript.onload = resolve;
+                                sesScript.onerror = () =>
+                                        reject(
+                                                new Error(
+                                                        "Failed to load SES lockdown",
+                                                ),
+                                        );
+                                sesScript.src = new URL(
+                                        "vendor/ses/lockdown.umd.min.js",
+                                        document.baseURI,
+                                ).href;
+                                doc.head.appendChild(sesScript);
+                        });
 
                         // lockdown the iframe realm
                         win.lockdown();
@@ -1258,7 +1257,17 @@ export const flock = {
                 flock.abortController = new AbortController();
 
                 try {
-                        await flock.BABYLON.InitializeCSG2Async();
+                        // Pre-initialize manifold-3d here so we can pass the instances
+                        // directly to InitializeCSG2Async, bypassing its _LoadScriptModuleAsync
+                        // path which injects an inline <script type="module"> — blocked by CSP.
+                        const manifoldWasm = await ManifoldInit({
+                                locateFile: (f) => "./wasm/" + f,
+                        });
+                        manifoldWasm.setup();
+                        await flock.BABYLON.InitializeCSG2Async({
+                                manifoldInstance: manifoldWasm.Manifold,
+                                manifoldMeshInstance: manifoldWasm.Mesh,
+                        });
                 } catch (error) {
                         console.error("Error initializing CSG2:", error);
                 }
diff --git a/ga-init.js b/ga-init.js
new file mode 100644
index 00000000..9786c931
--- /dev/null
+++ b/ga-init.js
@@ -0,0 +1,7 @@
+window.dataLayer = window.dataLayer || [];
+function gtag() { dataLayer.push(arguments); }
+gtag('js', new Date());
+gtag('config', 'G-QCGT3X072N', {
+  client_storage: 'none',  // Prevents setting cookies
+  anonymize_ip: true       // Hides IP addresses for privacy
+});
diff --git a/index.html b/index.html
index e8ad94c1..51fdcd55 100644
--- a/index.html
+++ b/index.html
@@ -4,7 +4,7 @@
     <meta charset="UTF-8" />
     <meta
       http-equiv="Content-Security-Policy"
-      content="default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' https://www.googletagmanager.com https://unpkg.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://www.google-analytics.com https://www.googletagmanager.com; font-src 'self' data:; connect-src 'self' https: https://www.googletagmanager.com https://www.google-analytics.com https://region1.google-analytics.com https://stats.g.doubleclick.net https://unpkg.com; media-src 'self' data: blob:; worker-src 'self' blob:; frame-src 'self'; manifest-src 'self'"
+      content="default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'none'; script-src 'self' 'wasm-unsafe-eval' https://www.googletagmanager.com https://unpkg.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://www.google-analytics.com https://www.googletagmanager.com; font-src 'self' data:; connect-src 'self' https: https://www.googletagmanager.com https://www.google-analytics.com https://region1.google-analytics.com https://stats.g.doubleclick.net https://unpkg.com; media-src 'self' data: blob:; worker-src 'self' blob:; frame-src 'self'; manifest-src 'self'"
     />
     <title>Flock XR - Creative coding in 3D</title>
     <meta name="description" content="Flock XR: The free 3D coding and creation tool for young people.">
@@ -25,16 +25,7 @@
 
     <meta name="theme-color" content="#511d91" />
     <script async src="https://www.googletagmanager.com/gtag/js?id=G-QCGT3X072N"></script>
-    <script>
-      window.dataLayer = window.dataLayer || [];
-      function gtag(){dataLayer.push(arguments);}
-      gtag('js', new Date());
-
-      gtag('config', 'G-QCGT3X072N', {
-        'client_storage': 'none',  // Prevents setting cookies
-        'anonymize_ip': true  // Hides IP addresses for privacy
-      });
-    </script>
+    <script src="ga-init.js" defer></script>
 
     <link rel="stylesheet" href="style.css" />
     <style>
@@ -166,39 +157,7 @@
   </head>
 
   <body class="loading">
-    <script>
-    (function(){
-      if (!new URLSearchParams(window.location.search).has('touchDebug')) return;
-      const overlay = document.createElement('div');
-      Object.assign(overlay.style, {
-        position:'fixed', left:'0', bottom:'0', width:'100%', maxHeight:'45vh',
-        overflowY:'auto', background:'rgba(0,0,0,.8)', color:'#0f0',
-        font:'12px/1.4 monospace', padding:'8px', zIndex: 2147483647, display:'none'
-      });
-      document.addEventListener('touchstart', (e)=>{
-        if (e.touches.length >= 3) overlay.style.display = (overlay.style.display==='none'?'block':'none');
-      }, {passive:true});
-      document.body.appendChild(overlay);
-
-      const append = (tag, args) => {
-        const line = document.createElement('div');
-        line.textContent = `[${tag}] ` + args.map(a=>{
-          try { return typeof a==='string'?a:JSON.stringify(a); }
-          catch(_){ return String(a); }
-        }).join(' ');
-        overlay.appendChild(line);
-        overlay.scrollTop = overlay.scrollHeight;
-      };
-
-      const orig = { log:console.log, warn:console.warn, error:console.error };
-      console.log = (...a)=>{ append('log',a); orig.log.apply(console,a); };
-      console.warn = (...a)=>{ append('warn',a); orig.warn.apply(console,a); };
-      console.error = (...a)=>{ append('error',a); orig.error.apply(console,a); };
-
-      window.addEventListener('error', e => append('uncaught', [e.message, e.filename+':'+e.lineno]));
-      window.addEventListener('unhandledrejection', e => append('rejection', [String(e.reason)]));
-    })();
-    </script>
+    <script src="touch-debug.js"></script>
     <!-- Loading Screen -->
     <div id="loadingScreen" class="loading-screen" role="dialog" aria-modal="true" aria-labelledby="loading-title" aria-describedby="loading-description">
       <div class="loading-content">
@@ -436,373 +395,7 @@ <h2 id="modal-title" data-i18n="about_heading" style="margin-top: 0;">About Floc
               </div>
             </div>
           </div>
-          <script>
-            const menuBtn = document.getElementById("menuBtn");
-            const menuDropdown = document.getElementById("menuDropdown");
-            const openAbout = document.getElementById("about-menu-item");
-             const hubMenuItem = document.getElementById("hub-menu-item");
-            const infoModal = document.getElementById("infoModal");
-            const closeInfoModal = document.getElementById("closeInfoModal");
-          
-
-            class AccessibleFlyoutMenu {
-                constructor() {
-                    this.menuButton = document.getElementById('menuBtn');
-                    this.menuDropdown = document.getElementById('menuDropdown');
-                    this.menuItems = this.menuDropdown.querySelectorAll('.menu-item');
-                    this.isMenuOpen = false;
-                    this.currentFocus = -1;
-                    this.currentOpenSubmenu = null;
-
-                    this.init();
-                }
-
-                init() {
-                    // Main menu button events
-                    this.menuButton.addEventListener('click', (e) => {
-                        e.preventDefault();
-                        this.toggleMainMenu();
-                    });
-
-                    this.menuButton.addEventListener('keydown', (e) => {
-                        if (e.key === 'ArrowDown' || e.key === 'Enter' || e.key === ' ') {
-                            e.preventDefault();
-                            this.openMainMenu();
-                            this.focusFirstMenuItem();
-                        }
-                    });
-
-                    // Menu item events
-                    this.menuItems.forEach((item, index) => {
-                        // Mouse events (preserve existing functionality)
-                        item.addEventListener('mouseenter', () => {
-                            this.handleMouseEnter(item);
-                        });
-
-                        item.addEventListener('mouseleave', () => {
-                            this.handleMouseLeave(item);
-                        });
-
-                        // Keyboard events
-                        item.addEventListener('keydown', (e) => {
-                            this.handleMenuItemKeydown(e, item, index);
-                        });
-
-                        item.addEventListener('click', (e) => {
-                            this.handleMenuItemClick(e, item);
-                        });
-
-                        // Submenu events
-                        const submenu = item.querySelector('.submenu');
-                        if (submenu) {
-                            const submenuItems = submenu.querySelectorAll('a');
-                            submenuItems.forEach((subItem, subIndex) => {
-                                subItem.addEventListener('keydown', (e) => {
-                                    this.handleSubmenuKeydown(e, subItem, submenuItems, subIndex, item);
-                                });
-
-                                subItem.addEventListener('click', (e) => {
-                                    console.log(`Clicked: ${subItem.textContent}`);
-                                    this.closeAllMenus();
-                                });
-                            });
-                        }
-                    });
-
-                    // Close menu when clicking outside
-                    document.addEventListener('click', (e) => {
-                        if (!this.menuButton.contains(e.target) && !this.menuDropdown.contains(e.target)) {
-                            this.closeAllMenus();
-                        }
-                    });
-
-                    // Close menu on Escape
-                    document.addEventListener('keydown', (e) => {
-                        if (e.key === 'Escape' && this.isMenuOpen) {
-                            this.closeAllMenus();
-                            this.menuButton.focus();
-                        }
-                    });
-                }
-
-                toggleMainMenu() {
-                    if (this.isMenuOpen) {
-                        this.closeAllMenus();
-                    } else {
-                        this.openMainMenu();
-                    }
-                }
-
-                openMainMenu() {
-                    this.isMenuOpen = true;
-                    this.menuDropdown.classList.remove('hidden');
-                    this.menuButton.setAttribute('aria-expanded', 'true');
-                    this.currentFocus = -1;
-                }
-
-                closeAllMenus() {
-                    this.isMenuOpen = false;
-                    this.menuDropdown.classList.add('hidden');
-                    this.menuButton.setAttribute('aria-expanded', 'false');
-                    this.closeAllSubmenus();
-                    this.currentFocus = -1;
-                }
-
-                closeAllSubmenus() {
-                    this.menuItems.forEach(item => {
-                        const submenu = item.querySelector('.submenu');
-                        if (submenu) {
-                            submenu.hidden = true;
-                            item.setAttribute('aria-expanded', 'false');
-                        }
-                    });
-                    this.currentOpenSubmenu = null;
-                }
-
-                focusFirstMenuItem() {
-                    this.currentFocus = 0;
-                    this.menuItems[0].focus();
-                }
-
-                focusMenuItem(index) {
-                    if (index >= 0 && index < this.menuItems.length) {
-                        this.currentFocus = index;
-                        this.menuItems[index].focus();
-                    }
-                }
-
-                handleMouseEnter(item) {
-                    // Close other submenus
-                    this.closeAllSubmenus();
-
-                    // Open this submenu if it has one
-                    const submenu = item.querySelector('.submenu');
-                    if (submenu) {
-                        submenu.hidden = false;
-                        item.setAttribute('aria-expanded', 'true');
-                        this.currentOpenSubmenu = item;
-                    }
-                }
-
-                handleMouseLeave(item) {
-                    // Keep submenu open for keyboard navigation
-                    // Only close on mouse leave from the entire menu area
-                }
-
-                handleMenuItemClick(e, item) {
-                    const submenu = item.querySelector('.submenu');
-                    if (submenu) {
-                        e.preventDefault();
-                        this.toggleSubmenu(item);
-                    } else {
-                        // For leaf menu items (like "About"), trigger the actual click event
-                        // This will fire any existing click handlers you have attached
-                        if (e.type === 'keydown') {
-                            // If this was triggered by keyboard, create a synthetic click event
-                            const clickEvent = new MouseEvent('click', {
-                                bubbles: true,
-                                cancelable: true
-                            });
-                            item.dispatchEvent(clickEvent);
-                        }
-                        this.closeAllMenus();
-                    }
-                }
-
-                toggleSubmenu(item) {
-                    const submenu = item.querySelector('.submenu');
-                    const isOpen = !submenu.hidden;
-
-                    this.closeAllSubmenus();
-
-                    if (!isOpen) {
-                        submenu.hidden = false;
-                        item.setAttribute('aria-expanded', 'true');
-                        this.currentOpenSubmenu = item;
-                    }
-                }
-
-                handleMenuItemKeydown(e, item, index) {
-                    const submenu = item.querySelector('.submenu');
-
-                    switch (e.key) {
-                        case 'ArrowDown':
-                            e.preventDefault();
-                            this.focusMenuItem((index + 1) % this.menuItems.length);
-                            break;
-
-                        case 'ArrowUp':
-                            e.preventDefault();
-                            this.focusMenuItem(index === 0 ? this.menuItems.length - 1 : index - 1);
-                            break;
-
-                        case 'ArrowRight':
-                            if (submenu) {
-                                e.preventDefault();
-                                this.showSubmenu(item);
-                                const firstSubmenuItem = submenu.querySelector('a');
-                                if (firstSubmenuItem) {
-                                    firstSubmenuItem.focus();
-                                }
-                            }
-                            break;
-
-                        case 'Enter':
-                        case ' ':
-                            e.preventDefault();
-                            this.handleMenuItemClick(e, item);
-                            break;
-
-                        case 'Escape':
-                            this.closeAllMenus();
-                            this.menuButton.focus();
-                            break;
-                    }
-                }
-
-                showSubmenu(item) {
-                    this.closeAllSubmenus();
-                    const submenu = item.querySelector('.submenu');
-                    if (submenu) {
-                        submenu.hidden = false;
-                        item.setAttribute('aria-expanded', 'true');
-                        this.currentOpenSubmenu = item;
-                    }
-                }
-
-                handleSubmenuKeydown(e, subItem, submenuItems, subIndex, parentItem) {
-                    switch (e.key) {
-                        case 'ArrowDown':
-                            e.preventDefault();
-                            e.stopPropagation();
-                            const nextIndex = (subIndex + 1) % submenuItems.length;
-                            submenuItems[nextIndex].focus();
-                            break;
-
-                        case 'ArrowUp':
-                            e.preventDefault();
-                            e.stopPropagation();
-                            const prevIndex = subIndex === 0 ? submenuItems.length - 1 : subIndex - 1;
-                            submenuItems[prevIndex].focus();
-                            break;
-
-                        case 'ArrowLeft':
-                            e.preventDefault();
-                            e.stopPropagation();
-                            parentItem.focus();
-                            const submenu = parentItem.querySelector('.submenu');
-                            if (submenu) {
-                                submenu.hidden = true;
-                                parentItem.setAttribute('aria-expanded', 'false');
-                            }
-                            break;
-
-                        case 'Enter':
-                        case ' ':
-                            e.preventDefault();
-                            e.stopPropagation();
-                            subItem.click();
-                            break;
-
-                        case 'Escape':
-                            e.preventDefault();
-                            e.stopPropagation();
-                            this.closeAllMenus();
-                            this.menuButton.focus();
-                            break;
-                    }
-                }
-            }
-
-            // Initialize the menu when DOM is loaded
-            document.addEventListener('DOMContentLoaded', () => {
-                new AccessibleFlyoutMenu();
-            });
-
-            // Handle keyboard navigation within dropdown
-            openAbout.addEventListener("keydown", (e) => {
-              if (e.key === "Escape") {
-                e.preventDefault();
-                menuDropdown.classList.add("hidden");
-                menuBtn.setAttribute("aria-expanded", "false");
-                menuBtn.focus();
-              } 
-            });
-
-            hubMenuItem.addEventListener("click", (e) => {
-              e.preventDefault();
-              window.open("https://hub.flockxr.com/", "_blank", "noopener,noreferrer");
-              menuDropdown.classList.add("hidden");
-              menuBtn.setAttribute("aria-expanded", "false");
-            });
-
-            // Language menu interactions are now handled in main/translation.js
-
-            // Open modal when About is clicked
-            openAbout.addEventListener("click", (e) => {
-              e.preventDefault();
-              previouslyFocused = document.activeElement;
-              infoModal.classList.remove("hidden");
-              menuDropdown.classList.add("hidden");
-              menuBtn.setAttribute("aria-expanded", "false");
-
-              // Focus the close button in the modal
-              setTimeout(() => closeInfoModal.focus(), 0);
-            });
-
-            // Close modal on close button
-            closeInfoModal.addEventListener("click", () => {
-              infoModal.classList.add("hidden");
-              if (previouslyFocused) {
-                previouslyFocused.focus();
-                previouslyFocused = null;
-              }
-            });
-
-            // Handle keyboard events for modal
-            infoModal.addEventListener("keydown", (e) => {
-              if (e.key === "Escape") {
-                e.preventDefault();
-                closeInfoModal.click();
-              } else if (e.key === "Tab") {
-                // Trap focus within modal
-                const focusableElements = infoModal.querySelectorAll(
-                  'button, input, select, textarea, [href], [tabindex]:not([tabindex="-1"])'
-                );
-                const firstElement = focusableElements[0];
-                const lastElement = focusableElements[focusableElements.length - 1];
-
-                if (e.shiftKey && document.activeElement === firstElement) {
-                  e.preventDefault();
-                  lastElement.focus();
-                } else if (!e.shiftKey && document.activeElement === lastElement) {
-                  e.preventDefault();
-                  firstElement.focus();
-                }
-              }
-            });
-
-            // Close menu when clicking outside
-            window.addEventListener("click", (e) => {
-              if (!menuBtn.contains(e.target) && !menuDropdown.contains(e.target)) {
-                menuDropdown.classList.add("hidden");
-                menuBtn.setAttribute("aria-expanded", "false");
-              }
-
-              if (e.target === infoModal) {
-                closeInfoModal.click();
-              }
-            });
-
-            // Close menu on Escape key
-            document.addEventListener("keydown", (e) => {
-              if (e.key === "Escape" && !menuDropdown.classList.contains("hidden")) {
-                menuDropdown.classList.add("hidden");
-                menuBtn.setAttribute("aria-expanded", "false");
-                menuBtn.focus();
-              }
-            });
-          </script>
+          <script src="menu.js" defer></script>
           <button class="bigbutton" id="runCodeButton" data-i18n="run_code_button" title="Run your code" aria-label="Run your code">
             <div class="icon" aria-hidden="true">
               <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" width="24" height="24">
@@ -1003,27 +596,27 @@ <h2 id="modal-title" data-i18n="about_heading" style="margin-top: 0;">About Floc
                 <!-- Shape Row -->
                 <ul id="shape-row">
                   <li>
-                    <button onclick="selectShape('create_box')" aria-label="Create box shape">
+                    <button data-shape="create_box" aria-label="Create box shape">
                       <img src="./images/box.png" alt="Box" />
                     </button>
                   </li>
                   <li>
-                    <button onclick="selectShape('create_sphere')" aria-label="Create sphere shape">
+                    <button data-shape="create_sphere" aria-label="Create sphere shape">
                       <img src="./images/sphere.png" alt="Sphere" />
                     </button>
                   </li>
                   <li>
-                    <button onclick="selectShape('create_cylinder')" aria-label="Create cylinder shape">
+                    <button data-shape="create_cylinder" aria-label="Create cylinder shape">
                       <img src="./images/cylinder.png" alt="Cylinder" />
                     </button>
                   </li>
                   <li>
-                    <button onclick="selectShape('create_capsule')" aria-label="Create capsule shape">
+                    <button data-shape="create_capsule" aria-label="Create capsule shape">
                       <img src="./images/capsule.png" alt="Capsule" />
                     </button>
                   </li>
                   <li>
-                    <button onclick="selectShape('create_plane')" aria-label="Create plane shape">
+                    <button data-shape="create_plane" aria-label="Create plane shape">
                       <img src="./images/plane.png" alt="Plane" />
                     </button>
                   </li>
diff --git a/menu.js b/menu.js
new file mode 100644
index 00000000..7a69255e
--- /dev/null
+++ b/menu.js
@@ -0,0 +1,373 @@
+document.addEventListener('DOMContentLoaded', () => {
+  const menuBtn = document.getElementById("menuBtn");
+  const menuDropdown = document.getElementById("menuDropdown");
+  const openAbout = document.getElementById("about-menu-item");
+  const hubMenuItem = document.getElementById("hub-menu-item");
+  const infoModal = document.getElementById("infoModal");
+  const closeInfoModal = document.getElementById("closeInfoModal");
+  let previouslyFocused;
+
+  class AccessibleFlyoutMenu {
+    constructor() {
+      this.menuButton = document.getElementById('menuBtn');
+      this.menuDropdown = document.getElementById('menuDropdown');
+      this.menuItems = this.menuDropdown.querySelectorAll('.menu-item');
+      this.isMenuOpen = false;
+      this.currentFocus = -1;
+      this.currentOpenSubmenu = null;
+
+      this.init();
+    }
+
+    init() {
+      // Main menu button events
+      this.menuButton.addEventListener('click', (e) => {
+        e.preventDefault();
+        this.toggleMainMenu();
+      });
+
+      this.menuButton.addEventListener('keydown', (e) => {
+        if (e.key === 'ArrowDown' || e.key === 'Enter' || e.key === ' ') {
+          e.preventDefault();
+          this.openMainMenu();
+          this.focusFirstMenuItem();
+        }
+      });
+
+      // Menu item events
+      this.menuItems.forEach((item, index) => {
+        // Mouse events (preserve existing functionality)
+        item.addEventListener('mouseenter', () => {
+          this.handleMouseEnter(item);
+        });
+
+        item.addEventListener('mouseleave', () => {
+          this.handleMouseLeave(item);
+        });
+
+        // Keyboard events
+        item.addEventListener('keydown', (e) => {
+          this.handleMenuItemKeydown(e, item, index);
+        });
+
+        item.addEventListener('click', (e) => {
+          this.handleMenuItemClick(e, item);
+        });
+
+        // Submenu events
+        const submenu = item.querySelector('.submenu');
+        if (submenu) {
+          const submenuItems = submenu.querySelectorAll('a');
+          submenuItems.forEach((subItem, subIndex) => {
+            subItem.addEventListener('keydown', (e) => {
+              this.handleSubmenuKeydown(e, subItem, submenuItems, subIndex, item);
+            });
+
+            subItem.addEventListener('click', (e) => {
+              console.log(`Clicked: ${subItem.textContent}`);
+              this.closeAllMenus();
+            });
+          });
+        }
+      });
+
+      // Close menu when clicking outside
+      document.addEventListener('click', (e) => {
+        if (!this.menuButton.contains(e.target) && !this.menuDropdown.contains(e.target)) {
+          this.closeAllMenus();
+        }
+      });
+
+      // Close menu on Escape
+      document.addEventListener('keydown', (e) => {
+        if (e.key === 'Escape' && this.isMenuOpen) {
+          this.closeAllMenus();
+          this.menuButton.focus();
+        }
+      });
+    }
+
+    toggleMainMenu() {
+      if (this.isMenuOpen) {
+        this.closeAllMenus();
+      } else {
+        this.openMainMenu();
+      }
+    }
+
+    openMainMenu() {
+      this.isMenuOpen = true;
+      this.menuDropdown.classList.remove('hidden');
+      this.menuButton.setAttribute('aria-expanded', 'true');
+      this.currentFocus = -1;
+    }
+
+    closeAllMenus() {
+      this.isMenuOpen = false;
+      this.menuDropdown.classList.add('hidden');
+      this.menuButton.setAttribute('aria-expanded', 'false');
+      this.closeAllSubmenus();
+      this.currentFocus = -1;
+    }
+
+    closeAllSubmenus() {
+      this.menuItems.forEach(item => {
+        const submenu = item.querySelector('.submenu');
+        if (submenu) {
+          submenu.hidden = true;
+          item.setAttribute('aria-expanded', 'false');
+        }
+      });
+      this.currentOpenSubmenu = null;
+    }
+
+    focusFirstMenuItem() {
+      this.currentFocus = 0;
+      this.menuItems[0].focus();
+    }
+
+    focusMenuItem(index) {
+      if (index >= 0 && index < this.menuItems.length) {
+        this.currentFocus = index;
+        this.menuItems[index].focus();
+      }
+    }
+
+    handleMouseEnter(item) {
+      // Close other submenus
+      this.closeAllSubmenus();
+
+      // Open this submenu if it has one
+      const submenu = item.querySelector('.submenu');
+      if (submenu) {
+        submenu.hidden = false;
+        item.setAttribute('aria-expanded', 'true');
+        this.currentOpenSubmenu = item;
+      }
+    }
+
+    handleMouseLeave(item) {
+      // Keep submenu open for keyboard navigation
+      // Only close on mouse leave from the entire menu area
+    }
+
+    handleMenuItemClick(e, item) {
+      const submenu = item.querySelector('.submenu');
+      if (submenu) {
+        e.preventDefault();
+        this.toggleSubmenu(item);
+      } else {
+        // For leaf menu items (like "About"), trigger the actual click event
+        // This will fire any existing click handlers you have attached
+        if (e.type === 'keydown') {
+          // If this was triggered by keyboard, create a synthetic click event
+          const clickEvent = new MouseEvent('click', {
+            bubbles: true,
+            cancelable: true
+          });
+          item.dispatchEvent(clickEvent);
+        }
+        this.closeAllMenus();
+      }
+    }
+
+    toggleSubmenu(item) {
+      const submenu = item.querySelector('.submenu');
+      const isOpen = !submenu.hidden;
+
+      this.closeAllSubmenus();
+
+      if (!isOpen) {
+        submenu.hidden = false;
+        item.setAttribute('aria-expanded', 'true');
+        this.currentOpenSubmenu = item;
+      }
+    }
+
+    handleMenuItemKeydown(e, item, index) {
+      const submenu = item.querySelector('.submenu');
+
+      switch (e.key) {
+        case 'ArrowDown':
+          e.preventDefault();
+          this.focusMenuItem((index + 1) % this.menuItems.length);
+          break;
+
+        case 'ArrowUp':
+          e.preventDefault();
+          this.focusMenuItem(index === 0 ? this.menuItems.length - 1 : index - 1);
+          break;
+
+        case 'ArrowRight':
+          if (submenu) {
+            e.preventDefault();
+            this.showSubmenu(item);
+            const firstSubmenuItem = submenu.querySelector('a');
+            if (firstSubmenuItem) {
+              firstSubmenuItem.focus();
+            }
+          }
+          break;
+
+        case 'Enter':
+        case ' ':
+          e.preventDefault();
+          this.handleMenuItemClick(e, item);
+          break;
+
+        case 'Escape':
+          this.closeAllMenus();
+          this.menuButton.focus();
+          break;
+      }
+    }
+
+    showSubmenu(item) {
+      this.closeAllSubmenus();
+      const submenu = item.querySelector('.submenu');
+      if (submenu) {
+        submenu.hidden = false;
+        item.setAttribute('aria-expanded', 'true');
+        this.currentOpenSubmenu = item;
+      }
+    }
+
+    handleSubmenuKeydown(e, subItem, submenuItems, subIndex, parentItem) {
+      switch (e.key) {
+        case 'ArrowDown':
+          e.preventDefault();
+          e.stopPropagation();
+          submenuItems[(subIndex + 1) % submenuItems.length].focus();
+          break;
+
+        case 'ArrowUp':
+          e.preventDefault();
+          e.stopPropagation();
+          submenuItems[subIndex === 0 ? submenuItems.length - 1 : subIndex - 1].focus();
+          break;
+
+        case 'ArrowLeft':
+          e.preventDefault();
+          e.stopPropagation();
+          parentItem.focus();
+          const submenu = parentItem.querySelector('.submenu');
+          if (submenu) {
+            submenu.hidden = true;
+            parentItem.setAttribute('aria-expanded', 'false');
+          }
+          break;
+
+        case 'Enter':
+        case ' ':
+          e.preventDefault();
+          e.stopPropagation();
+          subItem.click();
+          break;
+
+        case 'Escape':
+          e.preventDefault();
+          e.stopPropagation();
+          this.closeAllMenus();
+          this.menuButton.focus();
+          break;
+      }
+    }
+  }
+
+  new AccessibleFlyoutMenu();
+
+  // Shape buttons — delegate from #shape-row to avoid per-button onclick attributes
+  const shapeRow = document.getElementById('shape-row');
+  if (shapeRow) {
+    shapeRow.addEventListener('click', (e) => {
+      const btn = e.target.closest('button[data-shape]');
+      if (btn && typeof window.selectShape === 'function') {
+        window.selectShape(btn.dataset.shape);
+      }
+    });
+  }
+
+  // Handle keyboard navigation within dropdown
+  openAbout.addEventListener("keydown", (e) => {
+    if (e.key === "Escape") {
+      e.preventDefault();
+      menuDropdown.classList.add("hidden");
+      menuBtn.setAttribute("aria-expanded", "false");
+      menuBtn.focus();
+    }
+  });
+
+  hubMenuItem.addEventListener("click", (e) => {
+    e.preventDefault();
+    window.open("https://hub.flockxr.com/", "_blank", "noopener,noreferrer");
+    menuDropdown.classList.add("hidden");
+    menuBtn.setAttribute("aria-expanded", "false");
+  });
+
+  // Language menu interactions are now handled in main/translation.js
+
+  // Open modal when About is clicked
+  openAbout.addEventListener("click", (e) => {
+    e.preventDefault();
+    previouslyFocused = document.activeElement;
+    infoModal.classList.remove("hidden");
+    menuDropdown.classList.add("hidden");
+    menuBtn.setAttribute("aria-expanded", "false");
+
+    // Focus the close button in the modal
+    setTimeout(() => closeInfoModal.focus(), 0);
+  });
+
+  // Close modal on close button
+  closeInfoModal.addEventListener("click", () => {
+    infoModal.classList.add("hidden");
+    if (previouslyFocused) {
+      previouslyFocused.focus();
+      previouslyFocused = null;
+    }
+  });
+
+  // Handle keyboard events for modal
+  infoModal.addEventListener("keydown", (e) => {
+    if (e.key === "Escape") {
+      e.preventDefault();
+      closeInfoModal.click();
+    } else if (e.key === "Tab") {
+      // Trap focus within modal
+      const focusableElements = infoModal.querySelectorAll(
+        'button, input, select, textarea, [href], [tabindex]:not([tabindex="-1"])'
+      );
+      const firstElement = focusableElements[0];
+      const lastElement = focusableElements[focusableElements.length - 1];
+
+      if (e.shiftKey && document.activeElement === firstElement) {
+        e.preventDefault();
+        lastElement.focus();
+      } else if (!e.shiftKey && document.activeElement === lastElement) {
+        e.preventDefault();
+        firstElement.focus();
+      }
+    }
+  });
+
+  // Close menu when clicking outside
+  window.addEventListener("click", (e) => {
+    if (!menuBtn.contains(e.target) && !menuDropdown.contains(e.target)) {
+      menuDropdown.classList.add("hidden");
+      menuBtn.setAttribute("aria-expanded", "false");
+    }
+
+    if (e.target === infoModal) {
+      closeInfoModal.click();
+    }
+  });
+
+  // Close menu on Escape key
+  document.addEventListener("keydown", (e) => {
+    if (e.key === "Escape" && !menuDropdown.classList.contains("hidden")) {
+      menuDropdown.classList.add("hidden");
+      menuBtn.setAttribute("aria-expanded", "false");
+      menuBtn.focus();
+    }
+  });
+});
diff --git a/touch-debug.js b/touch-debug.js
new file mode 100644
index 00000000..4fef326e
--- /dev/null
+++ b/touch-debug.js
@@ -0,0 +1,31 @@
+(function(){
+  if (!new URLSearchParams(window.location.search).has('touchDebug')) return;
+  const overlay = document.createElement('div');
+  Object.assign(overlay.style, {
+    position:'fixed', left:'0', bottom:'0', width:'100%', maxHeight:'45vh',
+    overflowY:'auto', background:'rgba(0,0,0,.8)', color:'#0f0',
+    font:'12px/1.4 monospace', padding:'8px', zIndex: 2147483647, display:'none'
+  });
+  document.addEventListener('touchstart', (e)=>{
+    if (e.touches.length >= 3) overlay.style.display = (overlay.style.display==='none'?'block':'none');
+  }, {passive:true});
+  document.body.appendChild(overlay);
+
+  const append = (tag, args) => {
+    const line = document.createElement('div');
+    line.textContent = `[${tag}] ` + args.map(a=>{
+      try { return typeof a==='string'?a:JSON.stringify(a); }
+      catch(_){ return String(a); }
+    }).join(' ');
+    overlay.appendChild(line);
+    overlay.scrollTop = overlay.scrollHeight;
+  };
+
+  const orig = { log:console.log, warn:console.warn, error:console.error };
+  console.log = (...a)=>{ append('log',a); orig.log.apply(console,a); };
+  console.warn = (...a)=>{ append('warn',a); orig.warn.apply(console,a); };
+  console.error = (...a)=>{ append('error',a); orig.error.apply(console,a); };
+
+  window.addEventListener('error', e => append('uncaught', [e.message, e.filename+':'+e.lineno]));
+  window.addEventListener('unhandledrejection', e => append('rejection', [String(e.reason)]));
+})();
diff --git a/vite.config.mjs b/vite.config.mjs
index 984709d0..3f13b82a 100644
--- a/vite.config.mjs
+++ b/vite.config.mjs
@@ -10,7 +10,7 @@ const isProduction = process.env.NODE_ENV === 'production';
 const BASE_URL = process.env.VITE_BASE_URL || '/';
 
 // `frame-ancestors` is only enforced from HTTP headers (ignored in CSP meta tags).
-const CSP_META_POLICY = "default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' https://www.googletagmanager.com https://unpkg.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://www.google-analytics.com https://www.googletagmanager.com; font-src 'self' data:; connect-src 'self' https: https://www.googletagmanager.com https://www.google-analytics.com https://region1.google-analytics.com https://stats.g.doubleclick.net https://unpkg.com; media-src 'self' data: blob:; worker-src 'self' blob:; frame-src 'self'; manifest-src 'self'";
+const CSP_META_POLICY = "default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'none'; script-src 'self' 'wasm-unsafe-eval' https://www.googletagmanager.com https://unpkg.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://www.google-analytics.com https://www.googletagmanager.com; font-src 'self' data:; connect-src 'self' https: https://www.googletagmanager.com https://www.google-analytics.com https://region1.google-analytics.com https://stats.g.doubleclick.net https://unpkg.com; media-src 'self' data: blob:; worker-src 'self' blob:; frame-src 'self'; manifest-src 'self'";
 const CSP_HEADER_POLICY = `${CSP_META_POLICY}; frame-ancestors 'self'`;
 
 export default {
@@ -21,6 +21,9 @@ export default {
     cssInjectedByJsPlugin(),
     viteStaticCopy({
       targets: [
+        { src: 'ga-init.js', dest: '.' },
+        { src: 'touch-debug.js', dest: '.' },
+        { src: 'menu.js', dest: '.' },
         { src: 'models/*.{glb,gltf}', dest: 'models' },
         { src: 'animations/*.{glb,gltf}', dest: 'animations' },
         { src: 'sounds/*.{ogg,mp3,aac,wav}', dest: 'sounds' },
@@ -240,6 +243,7 @@ export default {
   build: {
     assetsInlineLimit: 100000,   // include font files inline if needed
     cssCodeSplit: false,         // inline CSS into JS
+    modulePreload: { polyfill: false },  // avoid injecting an inline script that violates script-src CSP
     rollupOptions: { input: 'index.html' },
   }
 }