
Add unit tests for the securityHeaders CSP builder and origin extraction #145

@mikewheeleer

Test buildCsp, originOf, and defaultSecurityHeaders

Description

src/lib/securityHeaders.ts constructs the Content-Security-Policy and the hardening header map served by every route via next.config.ts — including connect-src derived from the API origin, the dev-only 'unsafe-eval' script source, and the production-only Strict-Transport-Security header. A regression here silently weakens the dashboard's security posture, yet the module has no test. This issue adds coverage for the builder functions.

Requirements and context

  • Repository scope: Agentpay-Org/Agentpay-frontend only.
  • Assert originOf returns the correct origin for a valid base and falls back to the localhost default for an unparseable input.
  • Assert buildCsp includes connect-src 'self' <apiOrigin>, frame-ancestors 'none', object-src 'none', base-uri 'self', and adds 'unsafe-eval' to script-src only when isDev is true.
  • Assert defaultSecurityHeaders includes X-Content-Type-Options, Referrer-Policy, X-Frame-Options, Permissions-Policy, and only includes Strict-Transport-Security when not dev.

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b test/testing-security-headers
  • Implement changes
    • Write comprehensive tests in: create src/lib/__tests__/securityHeaders.test.ts.
    • Write code in: no source change expected (file a follow-up if a bug is found).
    • Add documentation: none beyond test descriptions.
    • Validate that the CSP string is a single ;-joined directive list.
  • Test and commit

Test and commit

  • Run npm run lint, npm run typecheck, and npm test.
  • Cover edge cases: dev vs prod script-src, HSTS presence, unparseable apiBase, and a custom https origin.
  • Include the npm test output and coverage for securityHeaders.ts.
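As an added illustration, not code from the Agentpay-frontend repository, here is a stand-in for the three builders written to the behaviour described above, plus a small CSP parser that tests can use to check the single ;-joined directive list and the dev/prod edge cases. The function signatures, the localhost default, and the exact header values are assumptions.

```typescript
// Added example: a stand-in for src/lib/securityHeaders.ts written to the behaviour the
// issue describes. Signatures, the default origin and header values are assumptions.
const DEFAULT_API_ORIGIN = "http://localhost:3000"; // assumed fallback for unparseable input

// Extract scheme://host[:port] from a base URL; fall back when it cannot be parsed.
export function originOf(base: string): string {
  try {
    const origin = new URL(base).origin;
    // Opaque origins (e.g. "localhost:8080" parses as scheme "localhost:") yield "null",
    // which must never reach connect-src, so treat them as unparseable too.
    return origin === "null" ? DEFAULT_API_ORIGIN : origin;
  } catch {
    return DEFAULT_API_ORIGIN;
  }
}

// Build the CSP as one ';'-joined directive list; 'unsafe-eval' is allowed only in dev.
export function buildCsp(apiOrigin: string, isDev: boolean): string {
  const scriptSrc = ["'self'", ...(isDev ? ["'unsafe-eval'"] : [])];
  const directives = [
    "default-src 'self'",
    `script-src ${scriptSrc.join(" ")}`,
    `connect-src 'self' ${apiOrigin}`,
    "frame-ancestors 'none'",
    "object-src 'none'",
    "base-uri 'self'",
  ];
  return directives.join("; ");
}

// Hardening header map; HSTS only makes sense over TLS, so it is emitted in prod only.
export function defaultSecurityHeaders(isDev: boolean): Record<string, string> {
  const headers: Record<string, string> = {
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Frame-Options": "DENY",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  };
  if (!isDev) {
    headers["Strict-Transport-Security"] = "max-age=63072000; includeSubDomains";
  }
  return headers;
}

// Parse a CSP string into a directive -> sources map so tests assert on structure, not substrings.
export function parseCsp(csp: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out.set(name, sources);
  }
  return out;
}
```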

Example commit message

test(lib): cover buildCsp, originOf, and defaultSecurityHeaders

Guidelines

  • Minimum 95 percent test coverage for securityHeaders.ts.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the AgentPay community on Discord for questions, reviews, and faster merges: https://discord.gg/eXvRKkgcv
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
