feat(billingplan): Add Paddle v2 checkout support and backend config endpoint; add CSP headers and bump typedserver

ts/index.ts

@@ -8,6 +8,17 @@ export const runCli = async () => {
     feedMetadata: null,
     domain: 'idp.global',
     serveDir: paths.distWebDir,
+    securityHeaders: {
+      csp: {
+        defaultSrc: "'self'",
+        scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "https://cdn.paddle.com", "https://public.profitwell.com"],
+        styleSrc: ["'self'", "'unsafe-inline'", "https://cdn.paddle.com", "https://assetbroker.lossless.one"],
+        imgSrc: ["'self'", "data:", "https:"],
+        fontSrc: ["'self'", "data:"],
+        connectSrc: ["'self'", "https://*.paddle.com", "https://buy.paddle.com", "https://checkout.paddle.com", "https://checkout-service.paddle.com", "https://cdn.paddle.com", "https://*.sentry.io", "https://public.profitwell.com", "wss:"],
+        frameSrc: ["https://buy.paddle.com", "https://checkout.paddle.com", "https://*.paddle.com"],
+      },
+    },
     addCustomRoutes: async (typedserver) => {
       // Enable SPA fallback - serves index.html for non-file routes (e.g., /login, /dashboard)
       typedserver.options.spaFallback = true;