feat(security,ui): self-host React deps, Tailwind, fonts; strict CSP; local QR; better selection state

Replace CDN React/ReactDOM/Babel with local libs; remove Babel and inline scripts
Build Tailwind locally, add safelist; switch to assets/tailwind.css
Self-host Font Awesome and Inter (CSS + woff2); remove external font CDNs
Implement strict CSP (no unsafe-inline/eval; scripts/styles/fonts from self)
Extract inline handlers; move PWA scripts to external files
Add local QR code generation (qrcode lib) and remove api.qrserver.com
Improve SessionTypeSelector visual selection (highlighted background and ring)
Keep PWA working with service worker and offline assets
Refs: CSP hardening, offline-first, no external dependencies

src/components/ui/LightningPayment.jsx

@@ -39,8 +39,14 @@ const IntegratedLightningPayment = ({ sessionType, onSuccess, onCancel, paymentM
             setPaymentStatus('created');
 
             if (createdInvoice.paymentRequest) {
-                const qrUrl = `https://api.qrserver.com/v1/create-qr-code/?size=300x300&data=${encodeURIComponent(createdInvoice.paymentRequest)}`;
-                setQrCodeUrl(qrUrl);
+                try {
+                    const dataUrl = await window.generateQRCode(createdInvoice.paymentRequest, { size: 300, margin: 2, errorCorrectionLevel: 'M' });
+                    setQrCodeUrl(dataUrl);
+                } catch (e) {
+                    console.warn('QR local generation failed, showing placeholder');
+                    const dataUrl = await window.generateQRCode(createdInvoice.paymentRequest, { size: 300 });
+                    setQrCodeUrl(dataUrl);
+                }
             }
 
         } catch (err) {

src/components/ui/PaymentModal.jsx

@@ -211,8 +211,14 @@ const PaymentModal = ({ isOpen, onClose, sessionManager, onSessionPurchased }) =
             setInvoice(createdInvoice);
             setPaymentStatus('created');
 
-            const qrUrl = `https://api.qrserver.com/v1/create-qr-code/?size=300x300&data=${encodeURIComponent(createdInvoice.paymentRequest)}`;
-            setQrCodeUrl(qrUrl);
+            try {
+                const dataUrl = await window.generateQRCode(createdInvoice.paymentRequest, { size: 300, margin: 2, errorCorrectionLevel: 'M' });
+                setQrCodeUrl(dataUrl);
+            } catch (e) {
+                console.warn('QR local generation failed, showing placeholder');
+                const dataUrl = await window.generateQRCode(createdInvoice.paymentRequest, { size: 300 });
+                setQrCodeUrl(dataUrl);
+            }
 
             const expirationTime = 15 * 60 * 1000;
             setTimeLeft(expirationTime);

src/components/ui/SessionTypeSelector.jsx

@@ -179,9 +179,11 @@ const SessionTypeSelector = ({ onSelectType, onCancel, sessionManager }) => {
                 return React.createElement('div', {
                     key: type.id,
                     onClick: () => !isDisabled && handleTypeSelect(type.id),
-                    className: `relative card-minimal rounded-lg p-5 border-2 transition-all ${
-                        selectedType === type.id ? 'border-orange-500 bg-orange-500/10' : 'border-gray-600 hover:border-orange-400'
-                    } ${type.popular ? 'ring-2 ring-orange-500/30' : ''} ${
+                    className: `relative card-minimal ${selectedType === type.id ? 'card-minimal--selected' : ''} rounded-lg p-5 border-2 transition-all ${
+                        selectedType === type.id
+                            ? 'border-orange-500 bg-orange-500/15 ring-2 ring-orange-400 ring-offset-2 ring-offset-black/30'
+                            : 'border-gray-600 hover:border-orange-400'
+                    } ${type.popular && selectedType !== type.id ? 'ring-2 ring-orange-500/30' : ''} ${
                         isDisabled ? 'opacity-50 cursor-not-allowed' : 'cursor-pointer'
                     }`
                 }, [