fix(security): harden keychain iframe loading and keychain CSP

[Larkooo]

Summary

• Hardened controller iframe setup by validating keychain URLs (rejecting non-HTTPS/non-localhost HTTP and credentialed URLs), pinning Penpal child origin, and reducing iframe feature grants by default.
• Added focused unit tests for iframe URL validation and allow-list generation to prevent regressions.
• Added keychain CSP/security headers and removed inline scripts from index.html by moving logic into static JS assets.

Security Impact

• Reduces risk of loading unsafe iframe sources (javascript:, data:, remote http:).
• Reduces over-broad iframe permissions (local-network-access now localhost-only).
• Applies defense-in-depth content policy in keychain via CSP and baseline hardening headers.

Testing

• Ran pnpm lint:check
• Ran pnpm --filter @cartridge/controller test -- iframeSecurity
• Ran pnpm --filter @cartridge/controller test (fails on existing unrelated parseChainId.test.ts invalid URL case)
• Ran pnpm --filter @cartridge/keychain build (currently fails due pre-existing type export mismatches in keychain)

Self-Review

• Checked that localhost dev flow remains supported (http://localhost, 127.0.0.1, ::1).
• Kept required iframe sandbox flags for existing storage/session behavior while tightening target/origin handling.
• Ensured CSP changes avoid inline script requirements by externalizing boot scripts.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
controller-example-next	Ready	Preview	Feb 6, 2026 5:47pm
keychain	Ready	Preview	Feb 6, 2026 5:47pm
keychain-storybook	Ready	Preview	Feb 6, 2026 5:47pm

[claude]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.