Fix SEC-10: add Permissions-Policy header

- Add Permissions-Policy header disabling camera, microphone,
  geolocation, and payment browser features
- Update assertSecurityHeaders test helper to verify the new header

Security: Permissions-Policy restricts browser APIs that this
application does not use, reducing attack surface from content
injection vulnerabilities. No crypto or auth flow changes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/ui/ui.go

@@ -545,6 +545,9 @@ const maxFormBytes = 1 << 20
 //     requests to this origin for two years, preventing TLS-strip on revisit.
 //   - Referrer-Policy: suppresses the Referer header on outbound navigations so
 //     JWTs or session identifiers embedded in URLs are not leaked to third parties.
+//   - Permissions-Policy: disables browser features (camera, microphone,
+//     geolocation, payment) that this application does not use, reducing the
+//     attack surface if a content-injection vulnerability is exploited.
 func securityHeaders(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		h := w.Header()
@@ -554,6 +557,7 @@ func securityHeaders(next http.Handler) http.Handler {
 		h.Set("X-Frame-Options", "DENY")
 		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
 		h.Set("Referrer-Policy", "no-referrer")
+		h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), payment=()")
 		next.ServeHTTP(w, r)
 	})
 }

internal/ui/ui_test.go

@@ -79,6 +79,7 @@ func assertSecurityHeaders(t *testing.T, h http.Header, label string) {
 		{"X-Frame-Options", "DENY"},
 		{"Strict-Transport-Security", "max-age="},
 		{"Referrer-Policy", "no-referrer"},
+		{"Permissions-Policy", "camera=()"},
 	}
 	for _, c := range checks {
 		val := h.Get(c.header)