feat: Add integration tests and memory encryption strategy

README.md

@@ -88,6 +88,13 @@ SeedPGP is designed to protect against specific threats when used correctly:
 - Browser crash dumps may contain sensitive data in memory
 - The best practice is to minimize exposure time and use airgapped devices
 
+**Detailed Memory & Encryption Strategy:** See [MEMORY_STRATEGY.md](MEMORY_STRATEGY.md) for comprehensive documentation on:
+- Why JavaScript cannot guarantee memory zeroing
+- How SeedPGP's defense-in-depth approach mitigates memory risks
+- Optional React hook (`useEncryptedState`) for encrypting component state
+- Testing & validation procedures
+- Future enhancement recommendations
+
 ### 🏆 Best Practices for Maximum Security
 
 1. **Airgapped Workflow** (Recommended for large amounts):
@@ -324,24 +331,65 @@ bun run dev -- --host 127.0.0.1
 
 ### Test Suite
 ```bash
-# Run all tests
+# Run all tests (unit + integration)
 bun test
 
+# Run only unit tests
+bun test src/**/*.test.ts
+
+# Run integration tests (CSP, network, clipboard)
+bun test:integration
+
 # Run specific test categories
 bun test --test-name-pattern="Trezor"  # BIP39 test vectors
 bun test --test-name-pattern="CRC"     # Integrity checks
 bun test --test-name-pattern="Krux"    # Krux compatibility
+bun test --test-name-pattern="CSP Enforcement"  # Security policy tests
 
 # Watch mode (development)
 bun test --watch
 ```
 
 ### Test Coverage
-- ✅ **15 comprehensive tests** including edge cases
+- ✅ **20+ comprehensive tests** including security and edge cases
 - ✅ **8 official Trezor BIP39 test vectors**
 - ✅ **CRC16 integrity validation** (corruption detection)
+- ✅ **CSP enforcement tests** (restrictive headers verified)
+- ✅ **Network blocking tests** (all 5 network API mechanisms)
+- ✅ **Clipboard security tests** (auto-clear, event tracking)
+- ✅ **Session key rotation tests** (time + operation limits)
 - ✅ **Wrong key/password** rejection testing
-- ✅ **Frame format parsing** (malformed input handling)
+
+### Integration Tests
+
+Security-focused integration tests verify:
+
+**CSP Enforcement** ([src/integration.test.ts](src/integration.test.ts))
+- Restrictive CSP headers present in HTML
+- `connect-src 'none'` blocks all external connections
+- `script-src 'self'` prevents external script injection
+- Additional security headers (X-Frame-Options, X-Content-Type-Options)
+
+**Network Blocking** ([src/integration.test.ts](src/integration.test.ts))
+- User-controlled network toggle blocks 5 API mechanisms:
+  1. Fetch API
+  2. XMLHttpRequest
+  3. WebSocket
+  4. Beacon API
+  5. Image external resources
+  6. Service Worker registration
+
+**Clipboard Behavior** ([src/integration.test.ts](src/integration.test.ts))
+- Sensitive field detection (mnemonic, seed, password, private, key)
+- Auto-clear after 10 seconds with random garbage
+- Clipboard event audit trail tracking
+- Warning alerts for sensitive data copies
+
+**Session Key Management** ([src/integration.test.ts](src/integration.test.ts))
+- Key rotation every 5 minutes
+- Key rotation after 1000 operations
+- Key destruction with page visibility change
+- AES-256-GCM blob format validation
 
 ---