fix(audience): set demo CSP to dev and sandbox audience API only

Locks the demo's Content-Security-Policy to the minimum needed to
run — audience API endpoints only, nothing else.

- default-src 'self'
- script-src 'self' (no inline scripts, no eval)
- style-src 'self' (no inline styles)
- connect-src limited to https://api.dev.immutable.com and
  https://api.sandbox.immutable.com

Explicitly NOT in connect-src: api.immutable.com. The @imtbl/metrics
SDK bundled into the CDN posts its own telemetry there, and those
calls will be blocked by the browser with a CSP violation log. That
is intentional — the demo is a harness, not a product, and the metrics
bundle travelling along with the audience SDK shouldn't phone home
from a localhost demo page. The violations do not affect demo
behaviour; the audience calls still succeed.

README's Security section explains this so the CSP violation lines
in the console aren't mistaken for a bug.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ImmutableJeffrey

packages/audience/sdk/demo/README.md

@@ -64,4 +64,4 @@ demo/
   README.md    # this file
 ```
 
-Security: all user-controlled inputs (event names, traits, publishable keys) are rendered via `textContent` / `createElement`. No `innerHTML` anywhere on user data. CSP meta tag restricts `connect-src` to the dev and sandbox API origins.
+Security: all user-controlled inputs (event names, traits, publishable keys) are rendered via `textContent` / `createElement`. No `innerHTML` anywhere on user data. The CSP meta tag restricts `connect-src` to the dev and sandbox audience API origins only (`api.dev.immutable.com`, `api.sandbox.immutable.com`). `@imtbl/metrics` SDK telemetry is bundled into the CDN and posts to `api.immutable.com`; those calls will be blocked by the browser with a CSP violation log, which is intentional and does not affect demo behavior.