From 2f045bffa5012965e96468c57eb63f41d96ba468 Mon Sep 17 00:00:00 2001
From: "Rodrigo Rodriguez (Pragmatismo)"
Date: Fri, 2 Jan 2026 17:54:36 -0300
Subject: [PATCH] Serve HTMX locally - no CDN dependencies
- Added /js/vendor route to serve local vendor JS files
- Downloaded htmx.min.js v1.9.10 to botserver-stack/static/js/vendor/
- Reverted CSP to strict 'self' only (no external CDN)
- Updated APP_GENERATOR_PROMPT to use /js/vendor/htmx.min.js
- Updated designer prompt to use local HTMX path
---
src/auto_task/APP_GENERATOR_PROMPT.md | 4 ++--
src/designer/mod.rs | 2 +-
src/main.rs | 2 ++
src/security/headers.rs | 6 +++---
4 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/auto_task/APP_GENERATOR_PROMPT.md b/src/auto_task/APP_GENERATOR_PROMPT.md
index 50c483b6b..7e1cec36c 100644
--- a/src/auto_task/APP_GENERATOR_PROMPT.md
+++ b/src/auto_task/APP_GENERATOR_PROMPT.md
@@ -492,8 +492,8 @@ Every HTML page MUST include proper SEO meta tags: {Page Title} - {App Name} - - + + ```
diff --git a/src/designer/mod.rs b/src/designer/mod.rs
index 13b2cabad..f914683d8 100644
--- a/src/designer/mod.rs
+++ b/src/designer/mod.rs
@@ -1144,7 +1144,7 @@ Guidelines: - Forms should use hx-post for submissions - Lists should use hx-get with pagination - IMPORTANT: Use RELATIVE paths for app assets (styles.css, app.js, NOT /static/styles.css) -- For HTMX, use CDN: +- For HTMX, use LOCAL: (NO external CDN) - CSS link should be: Respond with valid JSON only."#,
diff --git a/src/main.rs b/src/main.rs
index a437a5faf..47c232c61 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -314,6 +314,8 @@ async fn run_axum_server(
 auth_config.clone(),
 auth_middleware,
 ))
+ // Vendor JS files (htmx, etc.) served locally - no CDN
+ .nest_service("/js/vendor", ServeDir::new("./botserver-stack/static/js/vendor"))
 // Static files fallback for legacy /apps/* paths
 .nest_service("/static", ServeDir::new(&site_path))
 // Security middleware stack (order matters - first added is outermost)
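Review bot: The new vendor route hard-codes a working-directory-relative path, `ServeDir::new("./botserver-stack/static/js/vendor")`, while the neighbouring `/static` route resolves its directory from `site_path`; launched from any other directory the route answers 404 and, since generated pages now depend on `/js/vendor/htmx.min.js` instead of a CDN, they lose HTMX without any error on the server side. Computing the directory once next to `site_path` from the same configured base (where `botserver-stack` is rooted is not visible here) and writing `.nest_service("/js/vendor", ServeDir::new(&vendor_dir))` keeps both static routes consistent. Because the vendored minified file replaces a CDN reference, record its pinned version and a checksum alongside it in the tree (the commit message names v1.9.10 but nothing in the diff asserts it), so a later swap of the blob is visible in review. The router chain in `run_axum_server` starts and ends outside the hunk.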
diff --git a/src/security/headers.rs b/src/security/headers.rs
index 810fd5c96..8a9512cc1 100644
--- a/src/security/headers.rs
+++ b/src/security/headers.rs
@@ -24,10 +24,10 @@ impl Default for SecurityHeadersConfig {
 Self {
 content_security_policy: Some(
 "default-src 'self'; \
- script-src 'self' 'unsafe-inline' 'unsafe-eval' https://unpkg.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; \
- style-src 'self' 'unsafe-inline' https://unpkg.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://fonts.googleapis.com; \
+ script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
+ style-src 'self' 'unsafe-inline'; \
 img-src 'self' data: https:; \
- font-src 'self' data: https://fonts.gstatic.com; \
+ font-src 'self' data:; \
 connect-src 'self' wss: https:; \
 frame-ancestors 'self'; \
 base-uri 'self'; \
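Review bot: The added `script-src 'self' 'unsafe-inline' 'unsafe-eval'; \` line keeps both unsafe keywords, so the policy is not the strict 'self' directive the commit message describes: with 'unsafe-inline' an injected inline script still runs, and dropping the CDN hosts only narrows where external scripts may be loaded from. If 'unsafe-eval' is there for HTMX's attribute expressions, it can go once the vendored build is configured with eval disabled (htmx exposes `htmx.config.allowEval` for this, assuming the 1.9.10 build honours it), and 'unsafe-inline' can be replaced by a per-response nonce or hashes once the generated pages stop emitting inline handlers. The unchanged `img-src 'self' data: https:` and `connect-src 'self' wss: https:` context lines still allow any HTTPS origin, so "no external CDN" holds only for script, style and font sources; a comment above the policy such as `// script-src keeps 'unsafe-inline'/'unsafe-eval' for HTMX; img/connect still allow any https: origin` would stop the next reader from taking the commit message at face value. The CSP string and the `Default` impl continue past the end of the hunk.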