* fix(csp): allow cross-subdomain framing and add finance to frame-src
frame-ancestors 'self' blocked tech/finance variants from rendering
inside the Pro landing page iframe. Widen to *.worldmonitor.app.
Also adds missing finance.worldmonitor.app to frame-src.
Closes#1322
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(csp): remove conflicting X-Frame-Options and tighten frame-ancestors
X-Frame-Options: SAMEORIGIN contradicts the new frame-ancestors directive
that allows cross-subdomain framing. Modern browsers prioritize
frame-ancestors over X-Frame-Options, but sending both is contradictory
and gets flagged by security scanners. Remove X-Frame-Options entirely.
Also replace wildcard *.worldmonitor.app with explicit subdomain list
to limit the framing scope to known variants only.
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Elie Habib <elie.habib@gmail.com>
.dockerignore at repo root excludes scripts/, docs/, and e2e/ from the
build context. Nixpacks (and/or Railway's build system) respects this
file, causing all seed cron services to crash with "Cannot find module
'/app/scripts/...'" at runtime.
Moving .dockerignore into docker/ (alongside the Dockerfile) means:
- Railway Nixpacks builds get the full repo (scripts/ included)
- GHA Docker builds use context: . with file: docker/Dockerfile,
and Docker only reads .dockerignore from the build context root,
so docker/ placement is harmless for GHA
Railway auto-detects Dockerfiles at repo root and uses them for ALL
services, even those set to NIXPACKS. This caused all seed services
(ais-relay, seed-gpsjam, etc.) to build nginx-only containers with
no node binary, breaking every Railway service.
Move Dockerfile and related files to docker/ subdirectory. Railway
only checks the repo root for Dockerfiles, so this prevents
accidental detection. GHA workflow updated with explicit file: path.
