docs: mark SEC_REVIEW F56 as fixed by F24 (193f646)

F56 noted that inline `<script>` blocks in five templates (ips/
detail.twig, categories/edit.twig, policies/edit.twig,
audit/index.twig, layout.twig) forced the CSP to keep
`'unsafe-inline'`.

The F24 CSP-tightening fix (commit 193f646) applied both migration
paths the review recommended:

  1. Per-page inline scripts in `pages/ips/detail.twig`,
     `pages/categories/edit.twig`, `pages/policies/edit.twig` and
     `pages/audit/index.twig` are gone — behaviour moved into
     Alpine components in the packaged `ui/resources/js/app.js`,
     loaded via `<script src="/assets/app.js" defer>` from
     layout.twig.
  2. The only remaining inline `<script>` (dark-mode FOUC
     preloader in layout.twig — has to stay inline because
     app.js is `defer`red and runs after layout paint) carries
     `nonce="{{ csp_nonce }}"`, where the nonce is minted per
     request by `App\Http\CspMiddleware`.

Result: `script-src` is `'self' 'nonce-…'` only —
`'unsafe-inline'` is gone. `grep -rn "<script" ui/resources/views`
returns exactly two hits, both in layout.twig (the nonced inline
preloader and the external app.js src).

Closing F56 for bookkeeping; no new code change needed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

doc/SEC_REVIEW.md

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (23 fixed, 19 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (24 fixed, 18 open).
 
 ---
 
@@ -1845,6 +1845,24 @@
   into a packaged `/assets/app.js`, lets the CSP drop the
   `'unsafe-inline'` token.
 - **Severity: 1**
+- **Status:** Fixed by the F24 fix (`193f646`). Both migration paths
+  the SEC_REVIEW recommended were applied:
+  1. Per-page inline scripts in `pages/ips/detail.twig`,
+     `pages/categories/edit.twig`, `pages/policies/edit.twig`, and
+     `pages/audit/index.twig` are gone — their behaviour was moved
+     into Alpine components in the packaged `ui/resources/js/app.js`,
+     loaded via `<script src="/assets/app.js" defer>` in `layout.twig`.
+  2. The single remaining inline `<script>` (the dark-mode FOUC
+     preloader in `layout.twig` — has to stay inline because `app.js`
+     is `defer`red and runs after layout) now carries
+     `nonce="{{ csp_nonce }}"`, where `csp_nonce` is minted per
+     request by `App\Http\CspMiddleware` and matched on the response's
+     `Content-Security-Policy` header.
+  Result: `script-src` is now `'self' 'nonce-…'` only —
+  `'unsafe-inline'` is gone. `grep -rn "<script" ui/resources/views`
+  returns exactly the two layout.twig hits (one inline-with-nonce,
+  one external src). Closing F56 for bookkeeping; no new code change
+  needed.
 
 ### F57 — Session cookie name lacks `__Host-` prefix
 - **File:** `ui/src/Auth/SessionManager.php:23, 54-62`