security improvement and bugs fixing; modify makefile

dist-tails/README.txt

@@ -0,0 +1,23 @@
+# SeedPGP Web - TailsOS Offline Build
+
+Built: Wed Feb 18 03:15:54 HKT 2026
+
+Usage Instructions:
+1. Copy this entire folder to a USB drive
+2. Boot TailsOS from your primary USB
+3. Insert this application USB drive
+4. Open Tor Browser (or regular browser if offline)
+5. Navigate to: file:///media/amnesia/USBNAME/index.html
+6. Enable JavaScript if prompted
+
+Security Features:
+- Content Security Policy enforced (no network access)
+- All assets relative (works offline)
+- No external dependencies or CDN calls
+- Session-only crypto keys (destroyed on tab close)
+
+SHA-256 Checksums:
+5cbbcb8adc7acc3b78a3fd31c76d573302705ff5fd714d03f5a2602591197cb5  ./assets/secp256k1-Cao5Swmf.wasm
+78cb021ce6777d4ca58fa225d60de2401a14624187297d4bc9f5394b0de6c05c  ./assets/index-DTLOeMVw.js
+aab3ea208db02b2cb40902850c203f23159f515288b26ca5a131e1188b4362af  ./assets/index-DW74Yc8k.css
+f8f37cb2c6c247c87b17cf50458150d81cd7fd15d354ab5b38f2a56e9f00cf32  ./index.html

dist-tails/index.html

@@ -0,0 +1,21 @@
+<!doctype html>
+<html lang="en">
+
+<head>
+<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'self' blob: data:; font-src 'self'; object-src 'none'; media-src 'self' blob:; base-uri 'self'; form-action 'none';" data-env="tails">
+  <meta charset="UTF-8" />
+  <link rel="icon" type="image/svg+xml" href="/vite.svg" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>SeedPGP Web</title>
+
+  <!-- CSP is enforced by _headers file in production deployment -->
+  <!-- No CSP in dev mode to allow Vite HMR -->
+  <script type="module" crossorigin src="./assets/index-DTLOeMVw.js"></script>
+  <link rel="stylesheet" crossorigin href="./assets/index-DW74Yc8k.css">
+</head>
+
+<body>
+  <div id="root"></div>
+</body>
+
+</html>