fix: tighten CSP by removing unsafe-eval (not needed in production)

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Author: Copilot

apps/console/index.html

@@ -2,7 +2,13 @@
 <html lang="en">
   <head>
     <meta charset="UTF-8" />
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' ws: wss: http://localhost:* https://*.objectstack.io https://*.sentry.io; worker-src 'self' blob:; frame-src 'self';" />
+    <!--
+      Content Security Policy (CSP)
+      - 'unsafe-inline' is required for the process polyfill below and Tailwind/Radix inline styles.
+      - For stricter CSP, serve headers via your web server (see docs/deployment.md) and use
+        nonces or hashes instead of 'unsafe-inline'.
+    -->
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' ws: wss: http://localhost:* https://*.objectstack.io https://*.sentry.io; worker-src 'self' blob:; frame-src 'self';" />
     <link rel="icon" type="image/svg+xml" href="/vite.svg" id="favicon" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>ObjectStack Console - ObjectUI</title>