From 52cc979814a1bf41a785c24efe9b5399686067a6 Mon Sep 17 00:00:00 2001
From: Kyle Isom <kyle@imap.cc>
Date: Sun, 15 Mar 2026 19:19:29 -0700
Subject: [PATCH] Update PROGRESS.md: /docs swagger fix

Co-authored-by: Junie <junie@jetbrains.com>
---
 PROGRESS.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/PROGRESS.md b/PROGRESS.md
index 151ff5c..d9cc53d 100644
--- a/PROGRESS.md
+++ b/PROGRESS.md
@@ -4,6 +4,20 @@ Source of truth for current development state.
 ---
 All phases complete. **v1.0.0 tagged.** All packages pass `go test ./...`; `golangci-lint run ./...` clean (pre-existing warnings only).
 
+### 2026-03-15 — Fix /docs Swagger UI (bundle assets locally)
+
+**Problem:** `/docs` was broken because `docs.html` loaded `swagger-ui-bundle.js` and `swagger-ui.css` from `unpkg.com` CDN, which is blocked by the server's `Content-Security-Policy: default-src 'self'` header.
+
+**Solution:**
+- Downloaded `swagger-ui-dist@5.32.0` via npm and copied `swagger-ui-bundle.js` and `swagger-ui.css` into `web/static/` (embedded at build time).
+- Updated `docs.html` to reference `/static/swagger-ui-bundle.js` and `/static/swagger-ui.css`.
+- Added `GET /static/swagger-ui-bundle.js` and `GET /static/swagger-ui.css` handlers in `server.go` serving the embedded bytes with correct `Content-Type` headers.
+- No CSP changes required; strict `default-src 'self'` is preserved.
+
+**Verification:** `go build ./...`, `go test ./...`, `golangci-lint run ./...` all clean.
+
+---
+
 ### 2026-03-15 — Checkpoint: lint fixes
 
 **Task:** Checkpoint — lint clean, tests pass, commit.