refactor(gateway): share Control UI bootstrap contract and CSP

src/gateway/control-ui-csp.ts

@@ -0,0 +1,15 @@
+export function buildControlUiCspHeader(): string {
+  // Control UI: block framing, block inline scripts, keep styles permissive
+  // (UI uses a lot of inline style attributes in templates).
+  return [
+    "default-src 'self'",
+    "base-uri 'none'",
+    "object-src 'none'",
+    "frame-ancestors 'none'",
+    "script-src 'self'",
+    "style-src 'self' 'unsafe-inline'",
+    "img-src 'self' data: https:",
+    "font-src 'self'",
+    "connect-src 'self' ws: wss:",
+  ].join("; ");
+}