
#23181: fix(gateway): allow Google Fonts in Control UI CSP header

by SidQin-cyber, open, 2026-02-22 03:00
gateway size: XS
## Summary

- **Problem:** The Control UI Content Security Policy (CSP) header blocks Google Fonts, causing custom fonts to fail to load in the Dashboard.
- **Why it matters:** The Dashboard UI may render with incorrect/fallback fonts, degrading visual quality.
- **What changed:** Added `fonts.googleapis.com` and `fonts.gstatic.com` to the CSP `style-src` and `font-src` directives.
- **What did NOT change:** Other CSP directives remain unchanged. No new external domains beyond Google Fonts.

## Change Type (select all)

- [x] Bug fix
- [ ] Feature
- [ ] Refactor
- [ ] Docs
- [ ] Security hardening
- [ ] Chore/infra

## Scope (select all touched areas)

- [x] Gateway / orchestration
- [ ] Skills / tool execution
- [ ] Auth / tokens
- [ ] Memory / storage
- [ ] Integrations
- [ ] API / contracts
- [x] UI / DX
- [ ] CI/CD / infra

## Linked Issue/PR

- Related to Dashboard UI font loading

## User-visible / Behavior Changes

- Google Fonts load correctly in the Control UI Dashboard

## Security Impact (required)

- New permissions/capabilities? `No`
- Secrets/tokens handling changed? `No`
- New/changed network calls? `Yes` — allows loading fonts from `fonts.googleapis.com` and `fonts.gstatic.com`
- Command/tool execution surface changed? `No`
- Data access scope changed? `No`
- If any Yes, explain risk + mitigation: Google Fonts is a widely trusted CDN. The CSP change is narrowly scoped to `style-src` and `font-src` only — no script execution is allowed from these domains.

## Repro + Verification

### Environment

- OS: macOS 15.3 (arm64)
- Runtime: Node v22+
- Integration/channel: Control UI Dashboard

### Steps

1. Open the Dashboard
2. Inspect browser console for CSP violations related to Google Fonts
3. Verify fonts load correctly

### Expected

- No CSP violations; fonts load successfully

### Actual

- Before fix: CSP blocks Google Fonts requests
- After fix: Fonts load without violations

## Evidence

CSP directives updated narrowly for font-related sources only.

## Human Verification (required)

- Verified scenarios: Reviewed CSP header construction to confirm Google Fonts domains are added only to `style-src` and `font-src`
- Edge cases checked: Other CSP directives unchanged; no script-src additions
- What I did **not** verify: Live Dashboard with Google Fonts loading

## Compatibility / Migration

- Backward compatible? `Yes`
- Config/env changes? `No`
- Migration needed? `No`

## Failure Recovery (if this breaks)

- How to disable/revert this change quickly: Remove Google Fonts domains from CSP header
- Known bad symptoms: None — reverting just restores the font loading block

## Risks and Mitigations

- Risk: External dependency on Google Fonts CDN availability
- Mitigation: Fonts are enhancement only; fallback system fonts render if CDN is unavailable
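The "Human Verification" item above (Google Fonts hosts present only in `style-src` and `font-src`, nothing added to `script-src`) can be checked mechanically. The following is an added example, not the gateway's own code; the two header strings are constructed to mirror the before/after the PR describes, and `parseCsp`, `hostOf`, `scopeViolations` and `fontsAllowed` are names chosen here.

```javascript
// Added example (not the gateway's own code): parse a CSP header and check
// that the Google Fonts hosts appear only in the directives the PR names.
// Both header strings below are constructed for illustration.

// Parse "directive value value; directive ..." into a Map of name -> values.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// CSP source expressions may carry a scheme; compare on the host part only.
function hostOf(source) {
  return source.replace(/^https?:\/\//i, "").toLowerCase();
}

// Directives other than `allowed` that list any of `hosts`. An empty result
// means the third-party hosts are scoped as intended (no script-src grant).
function scopeViolations(header, hosts, allowed) {
  const violations = [];
  for (const [name, values] of parseCsp(header)) {
    if (allowed.includes(name)) continue;
    if (values.some((v) => hosts.includes(hostOf(v)))) violations.push(name);
  }
  return violations;
}

// True when the stylesheet host is in style-src and the font-file host in font-src.
function fontsAllowed(header) {
  const csp = parseCsp(header);
  const has = (directive, host) =>
    (csp.get(directive) || []).some((v) => hostOf(v) === host);
  return has("style-src", "fonts.googleapis.com") && has("font-src", "fonts.gstatic.com");
}

const GOOGLE_FONTS = ["fonts.googleapis.com", "fonts.gstatic.com"];
const ALLOWED_IN = ["style-src", "font-src"];

// Constructed headers mirroring the before/after described in the PR.
const CSP_BEFORE =
  "default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'";
const CSP_AFTER =
  "default-src 'self'; script-src 'self'; " +
  "style-src 'self' https://fonts.googleapis.com; " +
  "font-src 'self' https://fonts.gstatic.com";
```

Running `scopeViolations(CSP_AFTER, GOOGLE_FONTS, ALLOWED_IN)` returns an empty array for the intended change and names the offending directive if a font host ever leaks into `script-src`.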
