# Bug Tracker ## Open ### BUG-004: CSP blocks all inline JavaScript — CRITICAL ROOT CAUSE - **Found by:** Hoid (QA via Playwright) - **Date:** 2026-02-14 - **Severity:** CRITICAL — blocks ALL frontend functionality - **Description:** Helmet middleware sets Content-Security-Policy that blocks inline scripts (`script-src 'self'`). The landing page uses inline `