Tor Browser bundle + xite script sandbox to prevent clearnet leaks #15

@MudDev

Spun out from #10 (point 9, raised by @mx5kevin).

Problem

Xites can currently execute scripts that make outbound requests to clearnet endpoints, bypassing EpixNet's privacy model. A malicious or compromised site could deanonymize users even when they access EpixNet via Tor.

Tor routing is supported in core (TorManager, bundled + external Tor, SOCKS5), but:

  • We don't ship a Tor Browser bundle, so users rely on their regular browser
  • UiRequest has some cross-origin leak detection, but zite scripts aren't fully sandboxed from clearnet resources (fetch, XHR, WebSocket, img src, etc.)

Proposal

Part 1: Script sandbox / CSP for xites

  • Apply a strict Content-Security-Policy to zite responses that blocks:
    • Outbound fetch/XHR to non-EpixNet origins
    • WebSocket connections outside the local EpixNet websocket
    • Loading media/images/fonts from clearnet origins
  • Whitelist explicit opt-in via site permissions (like camera/media today)
  • Document what sites can and can't do under the new policy

Part 2: Tor Browser bundle

  • Ship an EpixNet + Tor Browser bundle for users who want a one-click private setup
  • Tor Browser configured to point at the local EpixNet proxy
  • Clear first-run guidance

Part 3: Leak detection / warnings

  • Detect and warn (or block) xites that attempt obvious clearnet calls
  • Surface this in the Sidebar so users can see which sites are "leaky"

Acceptance criteria

  • CSP policy draft + list of xites that would break under it
  • Per-site permission UI for granting clearnet access
  • Tor Browser bundle build script (Linux first, then Win/Mac)
  • Docs on the threat model and what the sandbox does/doesn't protect against

Credit: @mx5kevin in #10.
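
A sketch of the Part 1 policy with the per-site opt-in from the acceptance criteria, added here as an illustration and not taken from the EpixNet code base. The local UI address, the permission names and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed local UI address; the real host and port come from EpixNet's config.
LOCAL_UI = "127.0.0.1:42222"

# Hypothetical permission names mapped to the CSP directives they widen.
PERMISSION_DIRECTIVES = {
    "clearnet:connect": ["connect-src"],
    "clearnet:media": ["img-src", "media-src", "font-src"],
}


def validate_origin(origin):
    """Accept only an exact https origin with a DNS name or IPv4 host."""
    parts = urlsplit(origin)
    if (parts.scheme != "https" or not parts.hostname
            or "*" in origin or ":" in parts.hostname):
        raise ValueError(f"not an exact https origin: {origin!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment or "@" in parts.netloc:
        raise ValueError(f"origin must not carry path, query or userinfo: {origin!r}")
    port = f":{parts.port}" if parts.port else ""
    return f"https://{parts.hostname}{port}"


def build_csp(grants=None):
    """Return the CSP header value for one site.

    grants maps a permission name to the origins the user approved for it.
    With no grants, every listed directive is limited to the local UI server.
    """
    policy = {
        "default-src": ["'self'"],
        # The websocket origin is listed explicitly because not every browser
        # lets 'self' match ws:// on a page served over http://.
        "connect-src": ["'self'", f"ws://{LOCAL_UI}"],
        "img-src": ["'self'"],
        "media-src": ["'self'"],
        "font-src": ["'self'"],
        "form-action": ["'self'"],
        "base-uri": ["'self'"],
    }
    for permission, origins in (grants or {}).items():
        if permission not in PERMISSION_DIRECTIVES:
            raise ValueError(f"unknown permission: {permission!r}")
        for directive in PERMISSION_DIRECTIVES[permission]:
            policy[directive] += [validate_origin(o) for o in origins]
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())
```

CSP does not restrict top-level navigation or link clicks, so those would still need the Part 3 detection or handling in the bundled browser.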
