feat(security,ui): self-host React deps, Tailwind, fonts; strict CSP; local QR; better selection state

Replace CDN React/ReactDOM/Babel with local libs; remove Babel and inline scripts
Build Tailwind locally, add safelist; switch to assets/tailwind.css
Self-host Font Awesome and Inter (CSS + woff2); remove external font CDNs
Implement strict CSP (no unsafe-inline/eval; scripts/styles/fonts from self)
Extract inline handlers; move PWA scripts to external files
Add local QR code generation (qrcode lib) and remove api.qrserver.com
Improve SessionTypeSelector visual selection (highlighted background and ring)
Keep PWA working with service worker and offline assets
Refs: CSP hardening, offline-first, no external dependencies

node_modules/require-directory/.jshintrc

@@ -0,0 +1,67 @@
+{
+    "maxerr"        : 50,
+    "bitwise"       : true,
+    "camelcase"     : true,
+    "curly"         : true,
+    "eqeqeq"        : true,
+    "forin"         : true,
+    "immed"         : true,
+    "indent"        : 2,
+    "latedef"       : true,
+    "newcap"        : true,
+    "noarg"         : true,
+    "noempty"       : true,
+    "nonew"         : true,
+    "plusplus"      : true,
+    "quotmark"      : true,
+    "undef"         : true,
+    "unused"        : true,
+    "strict"        : true,
+    "trailing"      : true,
+    "maxparams"     : false,
+    "maxdepth"      : false,
+    "maxstatements" : false,
+    "maxcomplexity" : false,
+    "maxlen"        : false,
+    "asi"           : false,
+    "boss"          : false,
+    "debug"         : false,
+    "eqnull"        : true,
+    "es5"           : false,
+    "esnext"        : false,
+    "moz"           : false,
+    "evil"          : false,
+    "expr"          : true,
+    "funcscope"     : true,
+    "globalstrict"  : true,
+    "iterator"      : true,
+    "lastsemic"     : false,
+    "laxbreak"      : false,
+    "laxcomma"      : false,
+    "loopfunc"      : false,
+    "multistr"      : false,
+    "proto"         : false,
+    "scripturl"     : false,
+    "smarttabs"     : false,
+    "shadow"        : false,
+    "sub"           : false,
+    "supernew"      : false,
+    "validthis"     : false,
+    "browser"       : true,
+    "couch"         : false,
+    "devel"         : true,
+    "dojo"          : false,
+    "jquery"        : false,
+    "mootools"      : false,
+    "node"          : true,
+    "nonstandard"   : false,
+    "prototypejs"   : false,
+    "rhino"         : false,
+    "worker"        : false,
+    "wsh"           : false,
+    "yui"           : false,
+    "nomen"         : true,
+    "onevar"        : true,
+    "passfail"      : false,
+    "white"         : true
+}

node_modules/require-directory/.npmignore

@@ -0,0 +1 @@
+test/**

node_modules/require-directory/.travis.yml

@@ -0,0 +1,3 @@
+language: node_js
+node_js:
+  - 0.10

node_modules/require-directory/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2011 Troy Goode <troygoode@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

node_modules/require-directory/README.markdown

@@ -0,0 +1,184 @@
+# require-directory
+
+Recursively iterates over specified directory, `require()`'ing each file, and returning a nested hash structure containing those modules.
+
+**[Follow me (@troygoode) on Twitter!](https://twitter.com/intent/user?screen_name=troygoode)**
+
+[![NPM](https://nodei.co/npm/require-directory.png?downloads=true&stars=true)](https://nodei.co/npm/require-directory/)
+
+[![build status](https://secure.travis-ci.org/troygoode/node-require-directory.png)](http://travis-ci.org/troygoode/node-require-directory)
+
+## How To Use
+
+### Installation (via [npm](https://npmjs.org/package/require-directory))
+
+```bash
+$ npm install require-directory
+```
+
+### Usage
+
+A common pattern in node.js is to include an index file which creates a hash of the files in its current directory. Given a directory structure like so:
+
+* app.js
+* routes/
+  * index.js
+  * home.js
+  * auth/
+    * login.js
+    * logout.js
+    * register.js
+
+`routes/index.js` uses `require-directory` to build the hash (rather than doing so manually) like so:
+
+```javascript
+var requireDirectory = require('require-directory');
+module.exports = requireDirectory(module);
+```
+
+`app.js` references `routes/index.js` like any other module, but it now has a hash/tree of the exports from the `./routes/` directory:
+
+```javascript
+var routes = require('./routes');
+
+// snip
+
+app.get('/', routes.home);
+app.get('/register', routes.auth.register);
+app.get('/login', routes.auth.login);
+app.get('/logout', routes.auth.logout);
+```
+
+The `routes` variable above is the equivalent of this:
+
+```javascript
+var routes = {
+  home: require('routes/home.js'),
+  auth: {
+    login: require('routes/auth/login.js'),
+    logout: require('routes/auth/logout.js'),
+    register: require('routes/auth/register.js')
+  }
+};
+```
+
+*Note that `routes.index` will be `undefined` as you would hope.*
+
+### Specifying Another Directory
+
+You can specify which directory you want to build a tree of (if it isn't the current directory for whatever reason) by passing it as the second parameter. Not specifying the path (`requireDirectory(module)`) is the equivelant of `requireDirectory(module, __dirname)`:
+
+```javascript
+var requireDirectory = require('require-directory');
+module.exports = requireDirectory(module, './some/subdirectory');
+```
+
+For example, in the [example in the Usage section](#usage) we could have avoided creating `routes/index.js` and instead changed the first lines of `app.js` to:
+
+```javascript
+var requireDirectory = require('require-directory');
+var routes = requireDirectory(module, './routes');
+```
+
+## Options
+
+You can pass an options hash to `require-directory` as the 2nd parameter (or 3rd if you're passing the path to another directory as the 2nd parameter already). Here are the available options:
+
+### Whitelisting
+
+Whitelisting (either via RegExp or function) allows you to specify that only certain files be loaded.
+
+```javascript
+var requireDirectory = require('require-directory'),
+  whitelist = /onlyinclude.js$/,
+  hash = requireDirectory(module, {include: whitelist});
+```
+
+```javascript
+var requireDirectory = require('require-directory'),
+  check = function(path){
+    if(/onlyinclude.js$/.test(path)){
+      return true; // don't include
+    }else{
+      return false; // go ahead and include
+    }
+  },
+  hash = requireDirectory(module, {include: check});
+```
+
+### Blacklisting
+
+Blacklisting (either via RegExp or function) allows you to specify that all but certain files should be loaded.
+
+```javascript
+var requireDirectory = require('require-directory'),
+  blacklist = /dontinclude\.js$/,
+  hash = requireDirectory(module, {exclude: blacklist});
+```
+
+```javascript
+var requireDirectory = require('require-directory'),
+  check = function(path){
+    if(/dontinclude\.js$/.test(path)){
+      return false; // don't include
+    }else{
+      return true; // go ahead and include
+    }
+  },
+  hash = requireDirectory(module, {exclude: check});
+```
+
+### Visiting Objects As They're Loaded
+
+`require-directory` takes a function as the `visit` option that will be called for each module that is added to module.exports.
+
+```javascript
+var requireDirectory = require('require-directory'),
+  visitor = function(obj) {
+    console.log(obj); // will be called for every module that is loaded
+  },
+  hash = requireDirectory(module, {visit: visitor});
+```
+
+The visitor can also transform the objects by returning a value:
+
+```javascript
+var requireDirectory = require('require-directory'),
+  visitor = function(obj) {
+    return obj(new Date());
+  },
+  hash = requireDirectory(module, {visit: visitor});
+```
+
+### Renaming Keys
+
+```javascript
+var requireDirectory = require('require-directory'),
+  renamer = function(name) {
+    return name.toUpperCase();
+  },
+  hash = requireDirectory(module, {rename: renamer});
+```
+
+### No Recursion
+
+```javascript
+var requireDirectory = require('require-directory'),
+  hash = requireDirectory(module, {recurse: false});
+```
+
+## Run Unit Tests
+
+```bash
+$ npm run lint
+$ npm test
+```
+
+## License
+
+[MIT License](http://www.opensource.org/licenses/mit-license.php)
+
+## Author
+
+[Troy Goode](https://github.com/TroyGoode) ([troygoode@gmail.com](mailto:troygoode@gmail.com))
+

node_modules/require-directory/index.js

@@ -0,0 +1,86 @@
+'use strict';
+
+var fs = require('fs'),
+  join = require('path').join,
+  resolve = require('path').resolve,
+  dirname = require('path').dirname,
+  defaultOptions = {
+    extensions: ['js', 'json', 'coffee'],
+    recurse: true,
+    rename: function (name) {
+      return name;
+    },
+    visit: function (obj) {
+      return obj;
+    }
+  };
+
+function checkFileInclusion(path, filename, options) {
+  return (
+    // verify file has valid extension
+    (new RegExp('\\.(' + options.extensions.join('|') + ')$', 'i').test(filename)) &&
+
+    // if options.include is a RegExp, evaluate it and make sure the path passes
+    !(options.include && options.include instanceof RegExp && !options.include.test(path)) &&
+
+    // if options.include is a function, evaluate it and make sure the path passes
+    !(options.include && typeof options.include === 'function' && !options.include(path, filename)) &&
+
+    // if options.exclude is a RegExp, evaluate it and make sure the path doesn't pass
+    !(options.exclude && options.exclude instanceof RegExp && options.exclude.test(path)) &&
+
+    // if options.exclude is a function, evaluate it and make sure the path doesn't pass
+    !(options.exclude && typeof options.exclude === 'function' && options.exclude(path, filename))
+  );
+}
+
+function requireDirectory(m, path, options) {
+  var retval = {};
+
+  // path is optional
+  if (path && !options && typeof path !== 'string') {
+    options = path;
+    path = null;
+  }
+
+  // default options
+  options = options || {};
+  for (var prop in defaultOptions) {
+    if (typeof options[prop] === 'undefined') {
+      options[prop] = defaultOptions[prop];
+    }
+  }
+
+  // if no path was passed in, assume the equivelant of __dirname from caller
+  // otherwise, resolve path relative to the equivalent of __dirname
+  path = !path ? dirname(m.filename) : resolve(dirname(m.filename), path);
+
+  // get the path of each file in specified directory, append to current tree node, recurse
+  fs.readdirSync(path).forEach(function (filename) {
+    var joined = join(path, filename),
+      files,
+      key,
+      obj;
+
+    if (fs.statSync(joined).isDirectory() && options.recurse) {
+      // this node is a directory; recurse
+      files = requireDirectory(m, joined, options);
+      // exclude empty directories
+      if (Object.keys(files).length) {
+        retval[options.rename(filename, joined, filename)] = files;
+      }
+    } else {
+      if (joined !== m.filename && checkFileInclusion(joined, filename, options)) {
+        // hash node key shouldn't include file extension
+        key = filename.substring(0, filename.lastIndexOf('.'));
+        obj = m.require(joined);
+        retval[options.rename(key, joined, filename)] = options.visit(obj, joined, filename) || obj;
+      }
+    }
+  });
+
+  return retval;
+}
+
+module.exports = requireDirectory;
+module.exports.defaults = defaultOptions;

node_modules/require-directory/package.json

@@ -0,0 +1,40 @@
+{
+  "author": "Troy Goode <troygoode@gmail.com> (http://github.com/troygoode/)",
+  "name": "require-directory",
+  "version": "2.1.1",
+  "description": "Recursively iterates over specified directory, require()'ing each file, and returning a nested hash structure containing those modules.",
+  "keywords": [
+    "require",
+    "directory",
+    "library",
+    "recursive"
+  ],
+  "homepage": "https://github.com/troygoode/node-require-directory/",
+  "main": "index.js",
+  "repository": {
+    "type": "git",
+    "url": "git://github.com/troygoode/node-require-directory.git"
+  },
+  "contributors": [
+    {
+      "name": "Troy Goode",
+      "email": "troygoode@gmail.com",
+      "web": "http://github.com/troygoode/"
+    }
+  ],
+  "license": "MIT",
+  "bugs": {
+    "url": "http://github.com/troygoode/node-require-directory/issues/"
+  },
+  "engines": {
+    "node": ">=0.10.0"
+  },
+  "devDependencies": {
+    "jshint": "^2.6.0",
+    "mocha": "^2.1.0"
+  },
+  "scripts": {
+    "test": "mocha",
+    "lint": "jshint index.js test/test.js"
+  }
+}