fix: remove upgrade-insecure-requests CSP, protect stratagems via API auth

server.js

@@ -171,12 +171,13 @@ app.set('trust proxy', 1);
 app.use(helmet({
   contentSecurityPolicy: {
     directives: {
-      defaultSrc: ["'self'"],
-      scriptSrc:  ["'self'"],
-      styleSrc:   ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
-      fontSrc:    ["'self'", 'https://fonts.gstatic.com'],
-      imgSrc:     ["'self'", 'data:'],
-      connectSrc: ["'self'", 'ws:', 'wss:'],
+      defaultSrc:              ["'self'"],
+      scriptSrc:               ["'self'"],
+      styleSrc:                ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
+      fontSrc:                 ["'self'", 'https://fonts.gstatic.com'],
+      imgSrc:                  ["'self'", 'data:'],
+      connectSrc:              ["'self'", 'ws:', 'wss:'],
+      upgradeInsecureRequests: null, // Nginx handles HTTPS; this breaks HTTP on LAN/dev
     },
   },
 }));
@@ -409,7 +410,13 @@ app.get('/api/scores/me', requireAuth, (req, res) => {
   res.json({ practice, matches });
 });
 
-// ── Static files ──────────────────────────────────────────────────────────────
+// ── Stratagems API (authenticated) ────────────────────────────────────────────
+// Stratagem sequences are served via API – not as a public static file.
+app.get('/api/stratagems', requireAuth, (req, res) => {
+  res.json(STRATAGEMS);
+});
+
+// ── Public static files (index.html, styles.css, app.js) ─────────────────────
 app.use(express.static(path.join(__dirname, 'public'), {
   etag: false,
   setHeaders: (res) => res.setHeader('Cache-Control', 'no-store'),