security: add SRI hash to CDN-loaded Redoc script

[dmchaledev]

Problem

docs/index.html loads the Redoc UI library directly from a CDN with no integrity check:

<script src="https://cdn.jsdelivr.net/npm/redoc@2.5.3/bundles/redoc.standalone.js"></script>

Without a Subresource Integrity (SRI) hash, the browser accepts whatever bytes the CDN returns. A CDN-side compromise, cache poisoning, or accidental package mutation would silently execute malicious JavaScript in the browsers of every developer who visits the API docs site — with full access to the page's DOM and any credentials visible there.

Fix

Add an integrity attribute (SHA-384, computed from the live bundle) and the required crossorigin="anonymous" attribute:

<script src="https://cdn.jsdelivr.net/npm/redoc@2.5.3/bundles/redoc.standalone.js"
        integrity="sha384-xiEssMQFSpSfLbzRZCGfxxIM5QDb2DTrU6vyoZdp2sV1L6pmOMy6MpTtUoLbpC96"
        crossorigin="anonymous"></script>

The browser now verifies the script's byte-for-byte hash before executing it. Any deviation — tampered CDN, wrong version, partial response — causes the browser to block the script entirely rather than run it.

The hash was computed directly from the published bundle:

curl -s https://cdn.jsdelivr.net/npm/redoc@2.5.3/bundles/redoc.standalone.js \
  | openssl dgst -sha384 -binary | openssl base64 -A

Impact

• Zero functional change — Redoc renders identically
• Protects every visitor of hailbytes.github.io/hailbytes-api-docs from supply-chain attacks on the CDN

🤖 Generated with Claude Code

https://claude.ai/code/session_01XXMsynQpRizsmbZda5Xtmv

---

Generated by Claude Code