mnfst
diff --git a/‎CLAUDE.md‎
Lines changed: 15 additions & 0 deletions b/‎CLAUDE.md‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎packages/frontend/index.html‎
Lines changed: 1 addition & 1 deletion b/‎packages/frontend/index.html‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/frontend/public/fonts/boxicons/boxicons-duotone.min.css‎
Lines changed: 1 addition & 0 deletions b/‎packages/frontend/public/fonts/boxicons/boxicons-duotone.min.css‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/frontend/public/fonts/boxicons/boxicons-duotone.ttf‎
395 KB b/‎packages/frontend/public/fonts/boxicons/boxicons-duotone.ttf‎
395 KB
diff --git a/‎packages/frontend/public/fonts/boxicons/boxicons-duotone.woff‎
175 KB b/‎packages/frontend/public/fonts/boxicons/boxicons-duotone.woff‎
175 KB
@@ -272,6 +272,21 @@ See `packages/backend/.env.example` for all variables. Key ones:
 - **Tenant**: A user's data boundary. Created from `user.id` on first agent creation.
 - **Agent**: An AI agent owned by a tenant. Has a unique OTLP ingest key.
 
+## Content Security Policy (CSP)
+
+Helmet enforces a strict CSP in `main.ts`. The policy only allows `'self'` origins — **no external CDNs are permitted**.
+
+**Rule: Never load external resources from CDNs.** All assets (fonts, icons, stylesheets) must be self-hosted under `packages/frontend/public/`. This keeps the CSP strict and avoids third-party dependencies at runtime.
+
+Current self-hosted assets:
+- **Boxicons Duotone** — `public/fonts/boxicons/` (CSS + woff/ttf font files)
+
+To add a new font or icon library:
+1. Download the CSS and font files into `packages/frontend/public/`
+2. Rewrite any CDN URLs inside the CSS to use relative paths (`./filename.woff`)
+3. Reference the local CSS in `index.html` (e.g. `<link href="/fonts/..." />`)
+4. Do **not** add external domains to the CSP directives
+
 ## Architecture Notes
 
 - **Single-service**: In production, `@nestjs/serve-static` serves `frontend/dist/` with SPA fallback. API routes (`/api/*`, `/otlp/*`) are excluded.
 
@@ -4,7 +4,7 @@
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <link rel="icon" href="/favicon.ico" />
-    <link href="https://pro.boxicons.com/fonts/3.0.8/duotone/regular/200/boxicons-duotone.min.css?sig=ccbb17a30bbd11285764bc03d85132b669dfe25ae1c170743de4040a31577782" rel="stylesheet" />
+    <link href="/fonts/boxicons/boxicons-duotone.min.css" rel="stylesheet" />
     <title>Manifest</title>
     <meta name="description" content="AI agent observability platform — monitor costs, tokens, and performance." />
     <meta property="og:title" content="Manifest" />