fix: CSP and Permissions-Policy blocking GPS, geocoding, and map

- Permissions-Policy: geolocation=(self) instead of geolocation=()
  (was blocking all geolocation access)
- connect-src: added nominatim.openstreetmap.org for reverse geocoding
- script-src: added unpkg.com for Leaflet JS
- style-src: added unpkg.com for Leaflet CSS
- img-src: added *.tile.openstreetmap.org for map tiles

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/middleware/security.ts

@@ -8,13 +8,20 @@ export async function securityHeaders(
   reply.header('X-Content-Type-Options', 'nosniff');
   reply.header('X-Frame-Options', 'DENY');
   reply.header('Referrer-Policy', 'strict-origin-when-cross-origin');
-  reply.header('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
+  reply.header('Permissions-Policy', 'camera=(), microphone=(), geolocation=(self)');
 
   if (config.isProduction) {
     reply.header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
     reply.header(
       'Content-Security-Policy',
-      "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'",
+      [
+        "default-src 'self'",
+        "script-src 'self' https://unpkg.com",
+        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://unpkg.com",
+        "font-src 'self' https://fonts.gstatic.com",
+        "img-src 'self' data: blob: https://*.tile.openstreetmap.org",
+        "connect-src 'self' https://nominatim.openstreetmap.org",
+      ].join('; '),
     );
   }
 }