Harden CSP, bundle UI assets locally, add Node engines constraint, optimize countChainsByTag, add unit tests #30

Merged
Johnaverse merged 2 commits into feature/rpc-monitoring-and-ui-optimization from copilot/sub-pr-29
Mar 6, 2026

Copilot AI commented Mar 6, 2026

Addresses four items from the PR review: CSP was relaxed to allow third-party CDN origins (unpkg.com, Google Fonts, raw.githubusercontent.com) and unsafe-inline; countChainsByTag used redundant multi-pass filtering; no engines field declared; no unit tests for countChainsByTag.

CSP — restrict to 'self' only

script-src, style-src, font-src, and connect-src are now all 'self'. Previously allowed:

// Before
scriptSrc: ["'self'", "https://unpkg.com"],
styleSrc:  ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
fontSrc:   ["'self'", "https://fonts.gstatic.com"],
connectSrc: ["'self'", "https://raw.githubusercontent.com"],

// After
scriptSrc:  ["'self'"],
styleSrc:   ["'self'"],
fontSrc:    ["'self'"],
connectSrc: ["'self'"],

Bundle UI assets locally (public/)

To satisfy the strict CSP without breaking /ui/:

  • 3d-force-graph.min.js downloaded and served from public/
  • Inter font TTF files added to public/fonts/ with a local fonts/inter.css
  • index.html updated to reference local paths
  • app.js fallback changed from raw.githubusercontent.com to local export.json

package.json — declare Node engines

Added "engines": { "node": ">=20" } to surface the implicit requirement from @fastify/static's dependency tree (lru-cache@11 / glob@13).

countChainsByTag — single O(n) pass

Replaced four Array.filter() passes with one for...of loop computing all counters together.

Unit tests for countChainsByTag

Added 7 tests covering: empty input, no-tags → mainnet, per-tag counting (Testnet/L2/Beacon), mixed tags (e.g. Testnet+L2), and the "mainnet excludes Testnet/L2/Beacon" invariant.
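
The CSP change described in this PR can be checked mechanically. The following is an added example, not code from the PR or the project: it audits helmet-style directive objects, using the before and after values quoted above, and the names `auditCsp`, `toHeader` and `kebab` are hypothetical helpers introduced here.

```javascript
// Added example: audit helmet-style CSP directives (camelCase keys, as in the PR).
// BEFORE and AFTER copy the values quoted in the PR description.
const BEFORE = {
  scriptSrc: ["'self'", "https://unpkg.com"],
  styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
  fontSrc: ["'self'", "https://fonts.gstatic.com"],
  connectSrc: ["'self'", "https://raw.githubusercontent.com"],
};
const AFTER = {
  scriptSrc: ["'self'"],
  styleSrc: ["'self'"],
  fontSrc: ["'self'"],
  connectSrc: ["'self'"],
};

// Keyword sources that weaken a policy when present.
const UNSAFE_KEYWORDS = new Set(["'unsafe-inline'", "'unsafe-eval'"]);

// scriptSrc -> script-src, the directive name used in the HTTP header.
const kebab = (name) => name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());

// Serialize the directives to a Content-Security-Policy header value.
function toHeader(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${kebab(name)} ${sources.join(" ")}`)
    .join("; ");
}

// Return one finding per source other than 'self', 'none', a nonce or a hash.
function auditCsp(directives) {
  const findings = [];
  for (const [name, sources] of Object.entries(directives)) {
    for (const src of sources) {
      if (src === "'self'" || src === "'none'") continue;
      if (/^'(nonce|sha(256|384|512))-/.test(src)) continue;
      let reason = "external origin";
      if (UNSAFE_KEYWORDS.has(src)) reason = "unsafe keyword";
      else if (src.includes("*")) reason = "wildcard";
      else if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) reason = "scheme-wide source";
      findings.push({ directive: kebab(name), source: src, reason });
    }
  }
  return findings;
}

console.log(toHeader(AFTER));
console.table(auditCsp(BEFORE));
```

Run as a CI step against the server's directive object, a non-empty result flags any later change that reintroduces a CDN origin or an unsafe keyword.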



…untChainsByTag, and unit tests

Co-authored-by: Johnaverse <110527930+Johnaverse@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add RPC monitoring and UI optimization features" to "Harden CSP, bundle UI assets locally, add Node engines constraint, optimize countChainsByTag, add unit tests" Mar 6, 2026
Johnaverse marked this pull request as ready for review March 6, 2026 22:14
Johnaverse merged commit 0affcca into feature/rpc-monitoring-and-ui-optimization Mar 6, 2026
Johnaverse deleted the copilot/sub-pr-29 branch March 6, 2026 22:14