fix: remove CSP nonce from style-src to unblock reagraph canvas #425

Merged
0xNyk merged 1 commit into main from fix/csp-memory-graph
Mar 17, 2026
@0xNyk (Member) commented Mar 17, 2026

Summary

  • Replace style-src 'self' 'nonce-X' with style-src 'self' 'unsafe-inline', style-src-elem 'self' 'unsafe-inline', and style-src-attr 'unsafe-inline' to support reagraph's runtime <style> injection
  • Extend fitNodesInView retries from 2 to 4 (800ms, 2500ms, 5000ms, 8000ms) with animated: false for more reliable canvas sizing

Closes #414. Supersedes #415 — thanks @Brixyy for identifying the issue.

Risk Level

Low — CSP change is intentional relaxation for style-src only; script-src nonce remains strict.

Tests

  • pnpm typecheck — passes
  • pnpm test — 710/710 passing (CSP tests updated)

Contribution Checklist

  • Tests added/updated for behavior changes
  • Lint/typecheck/build passing
  • Security review done if auth/data/crypto touched

Notes

CSP Level 3 spec: when a nonce is present in style-src, unsafe-inline is ignored. Since reagraph injects <style> without a nonce, the only option is to drop the nonce from style directives.

Replace style-src nonce directive with unsafe-inline to support
reagraph's runtime <style> injection. Add style-src-elem and
style-src-attr directives for CSP Level 3 compliance. Extend
fitNodesInView retries from 2 to 4 for more reliable canvas sizing.

Closes #414
Supersedes #415
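
The rule cited in the Notes above, as an added example that is not part of this PR or the project's code: a simplified JavaScript model of the CSP Level 3 inline check, run against the policy before the change, the nonce-plus-unsafe-inline variant the note rules out, and the merged policy. The script-src value, the nonce abc123 and all function names are assumptions made for illustration.

```javascript
// Constructed policies; 'abc123' stands in for the per-request nonce.
const SCRIPT = "default-src 'self'; script-src 'self' 'nonce-abc123'; ";
const BEFORE = SCRIPT + "style-src 'self' 'nonce-abc123'";
const MIXED = BEFORE + " 'unsafe-inline'";
const AFTER = SCRIPT + "style-src 'self' 'unsafe-inline'; " +
  "style-src-elem 'self' 'unsafe-inline'; style-src-attr 'unsafe-inline'";

// Directive lookup order for each inline check modelled here.
const FALLBACK = {
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'style-src-attr': ['style-src-attr', 'style-src', 'default-src'],
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
};
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-/i;

// Parse a header value into Map<directive name, source expressions>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Is an inline element/attribute governed by `directive` allowed?
// `nonce` is the element's nonce attribute, or null if it has none.
// Simplified: hash matching and 'strict-dynamic' are not modelled.
function allowsInline(header, directive, nonce = null) {
  const policy = parseCsp(header);
  const effective = FALLBACK[directive].find((d) => policy.has(d));
  if (!effective) return true; // nothing governs this request type
  const sources = policy.get(effective);
  // Nonces can match elements only, never style="" attributes.
  const isElem = directive.endsWith('-elem');
  if (isElem && nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  // Any nonce or hash source turns 'unsafe-inline' into a no-op.
  if (sources.some((s) => NONCE_OR_HASH.test(s))) return false;
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Columns: policy, un-nonced inline <style>, un-nonced inline <script>.
for (const [label, p] of [['before', BEFORE], ['mixed', MIXED], ['after', AFTER]]) {
  console.log(label, allowsInline(p, 'style-src-elem'), allowsInline(p, 'script-src-elem'));
}
```

A check of this shape can sit beside the project's CSP tests so that a later edit to the header cannot silently reintroduce a nonce into the style directives or drop it from script-src.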
@github-actions github-actions bot added the screenshot-drift UI changed — README screenshots may need updating label Mar 17, 2026
@github-actions

📸 Screenshot Drift Check

This PR modifies UI source files. Please verify whether the README screenshots need refreshing:

  • docs/mission-control-overview.png — main dashboard
  • docs/mission-control-agents.png — agents panel
  • docs/mission-control-memory-graph.png — memory graph

Changed UI files: src/components/panels/memory-graph.tsx

See docs/SCREENSHOT-GUIDE.md for instructions on capturing and optimising screenshots.

This comment is posted automatically and can be dismissed if no visual changes occurred.

@0xNyk 0xNyk merged commit 4671946 into main Mar 17, 2026
1 of 2 checks passed
@0xNyk 0xNyk deleted the fix/csp-memory-graph branch March 17, 2026 06:52
Development

Successfully merging this pull request may close these issues.

[Bug] Memory Graph canvas renders at 150px due to CSP blocking reagraph style injection
