fix: addresses PR #40 review findings

- adds Suspense boundary wrapping Router for lazy chunk loading states
- adds /api/csp-report worker endpoint that scrubs OAuth params before
  forwarding CSP violation reports to Sentry (replaces direct report-uri)
- adds Reporting-Endpoints header enabling modern report-to directive
- removes unnecessary blob: from CSP img-src
- extracts ErrorBoundary fallback to named handleRouteError function
- adds .catch() with console.warn to both prefetch paths
- adds [app] to Sentry allowed console breadcrumb prefixes
- extracts getOrCacheDsn helper to deduplicate DSN cache logic
- adds parseSentryDsn publicKey validation
- caps CSP report batch fan-out to 20 to prevent amplification
- scrubs referrer field in CSP reports (OAuth param leak vector)
- adds 18 tests covering CSP report endpoint, ErrorBoundary for all
  lazy routes, prefetch scheduling, and sentry prefix

Author: wgordon17

public/_headers

@@ -1,5 +1,6 @@
 /*
-  Content-Security-Policy: default-src 'none'; script-src 'self' 'sha256-uEFqyYCMaNy1Su5VmWLZ1hOCRBjkhm4+ieHHxQW6d3Y='; style-src-elem 'self'; style-src-attr 'unsafe-inline'; img-src 'self' blob: data: https://avatars.githubusercontent.com; connect-src 'self' https://api.github.com; font-src 'self'; worker-src 'self'; manifest-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests; report-uri https://o284235.ingest.us.sentry.io/api/4511122822922240/security/?sentry_key=4dc4335a9746201c02ff2107c0d20f73
+  Content-Security-Policy: default-src 'none'; script-src 'self' 'sha256-uEFqyYCMaNy1Su5VmWLZ1hOCRBjkhm4+ieHHxQW6d3Y='; style-src-elem 'self'; style-src-attr 'unsafe-inline'; img-src 'self' data: https://avatars.githubusercontent.com; connect-src 'self' https://api.github.com; font-src 'self'; worker-src 'self'; manifest-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests; report-uri /api/csp-report; report-to csp-endpoint
+  Reporting-Endpoints: csp-endpoint="/api/csp-report"
   X-Content-Type-Options: nosniff
   Referrer-Policy: strict-origin-when-cross-origin
   Permissions-Policy: geolocation=(), microphone=(), camera=()

src/app/App.tsx

@@ -1,4 +1,4 @@
-import { createSignal, createEffect, onMount, Show, ErrorBoundary, lazy, type JSX } from "solid-js";
+import { createSignal, createEffect, onMount, Show, ErrorBoundary, Suspense, lazy, type JSX } from "solid-js";
 import { Router, Route, Navigate, useNavigate } from "@solidjs/router";
 import { isAuthenticated, validateToken, AUTH_STORAGE_KEY } from "./stores/auth";
 import { config, initConfigPersistence, resolveTheme } from "./stores/config";
@@ -13,6 +13,11 @@ const DashboardPage = lazy(() => import("./components/dashboard/DashboardPage"))
 const OnboardingWizard = lazy(() => import("./components/onboarding/OnboardingWizard"));
 const SettingsPage = lazy(() => import("./components/settings/SettingsPage"));
 
+function handleRouteError(err: unknown) {
+  console.error("[app] Route render failed:", err);
+  return <ChunkErrorFallback />;
+}
+
 function ChunkErrorFallback() {
   return (
     <div class="min-h-screen flex items-center justify-center bg-base-200">
@@ -163,21 +168,29 @@ export default function App() {
     // Preload dashboard chunk in parallel with token validation to avoid
     // a sequential waterfall (validateToken → chunk fetch)
     if (localStorage.getItem?.(AUTH_STORAGE_KEY)) {
-      void import("./components/dashboard/DashboardPage");
+      import("./components/dashboard/DashboardPage").catch(() => {
+        console.warn("[app] Dashboard chunk preload failed");
+      });
     }
   });
 
   return (
-    <ErrorBoundary fallback={(err) => { console.error("[app] Route render failed:", err); return <ChunkErrorFallback />; }}>
-      <Router>
-        <Route path="/" component={RootRedirect} />
-        <Route path="/login" component={LoginPage} />
-        <Route path="/oauth/callback" component={OAuthCallback} />
-        <Route path="/onboarding" component={() => <AuthGuard><OnboardingWizard /></AuthGuard>} />
-        <Route path="/dashboard" component={() => <AuthGuard><DashboardPage /></AuthGuard>} />
-        <Route path="/settings" component={() => <AuthGuard><SettingsPage /></AuthGuard>} />
-        <Route path="/privacy" component={PrivacyPage} />
-      </Router>
+    <ErrorBoundary fallback={handleRouteError}>
+      <Suspense fallback={
+        <div class="min-h-screen flex items-center justify-center bg-base-200">
+          <span class="loading loading-spinner loading-lg" aria-label="Loading" />
+        </div>
+      }>
+        <Router>
+          <Route path="/" component={RootRedirect} />
+          <Route path="/login" component={LoginPage} />
+          <Route path="/oauth/callback" component={OAuthCallback} />
+          <Route path="/onboarding" component={() => <AuthGuard><OnboardingWizard /></AuthGuard>} />
+          <Route path="/dashboard" component={() => <AuthGuard><DashboardPage /></AuthGuard>} />
+          <Route path="/settings" component={() => <AuthGuard><SettingsPage /></AuthGuard>} />
+          <Route path="/privacy" component={PrivacyPage} />
+        </Router>
+      </Suspense>
     </ErrorBoundary>
   );
 }

src/app/pages/LoginPage.tsx

@@ -14,7 +14,11 @@ export default function LoginPage() {
   onMount(() => {
     // Speculatively prefetch the dashboard chunk while the user is on the
     // login page. By the time they authenticate, the chunk is cached.
-    const prefetch = () => void import("../components/dashboard/DashboardPage");
+    const prefetch = () => {
+      import("../components/dashboard/DashboardPage").catch(() => {
+        console.warn("[app] Dashboard chunk prefetch failed");
+      });
+    };
     "requestIdleCallback" in window
       ? requestIdleCallback(prefetch)
       : setTimeout(prefetch, 2000);

src/worker/index.ts

@@ -80,21 +80,31 @@ function getCorsHeaders(
 // The envelope DSN is validated against env.SENTRY_DSN to prevent open proxy abuse.
 const SENTRY_ENVELOPE_MAX_BYTES = 256 * 1024; // 256 KB — Sentry rejects >200KB compressed
 
-let _dsnCache: { dsn: string; parsed: { host: string; projectId: string } | null } | undefined;
+interface ParsedDsn { host: string; projectId: string; publicKey: string }
 
-/** Parse host and project ID from a Sentry DSN URL. Returns null if invalid. */
-function parseSentryDsn(dsn: string): { host: string; projectId: string } | null {
+let _dsnCache: { dsn: string; parsed: ParsedDsn | null } | undefined;
+
+/** Parse host, project ID, and public key from a Sentry DSN URL. Returns null if invalid. */
+function parseSentryDsn(dsn: string): ParsedDsn | null {
   if (!dsn) return null;
   try {
     const url = new URL(dsn);
     const projectId = url.pathname.split("/").filter(Boolean).pop() ?? "";
-    if (!url.hostname || !projectId) return null;
-    return { host: url.hostname, projectId };
+    if (!url.hostname || !projectId || !url.username) return null;
+    return { host: url.hostname, projectId, publicKey: url.username };
   } catch {
     return null;
   }
 }
 
+/** Get cached parsed DSN, re-parsing only when the DSN string changes. */
+function getOrCacheDsn(env: Env): ParsedDsn | null {
+  if (!_dsnCache || _dsnCache.dsn !== env.SENTRY_DSN) {
+    _dsnCache = { dsn: env.SENTRY_DSN, parsed: parseSentryDsn(env.SENTRY_DSN) };
+  }
+  return _dsnCache.parsed;
+}
+
 async function handleSentryTunnel(
   request: Request,
   env: Env,
@@ -103,10 +113,7 @@ async function handleSentryTunnel(
     return new Response(null, { status: 405, headers: SECURITY_HEADERS });
   }
 
-  if (!_dsnCache || _dsnCache.dsn !== env.SENTRY_DSN) {
-    _dsnCache = { dsn: env.SENTRY_DSN, parsed: parseSentryDsn(env.SENTRY_DSN) };
-  }
-  const allowedDsn = _dsnCache.parsed;
+  const allowedDsn = getOrCacheDsn(env);
   if (!allowedDsn) {
     log("warn", "sentry_tunnel_not_configured", {}, request);
     return new Response(null, { status: 404, headers: SECURITY_HEADERS });
@@ -186,6 +193,106 @@ async function handleSentryTunnel(
   }
 }
 
+// ── CSP report tunnel ────────────────────────────────────────────────────
+// Receives browser CSP violation reports, scrubs OAuth params from URLs,
+// then forwards to Sentry's security ingest endpoint.
+const CSP_REPORT_MAX_BYTES = 64 * 1024;
+const CSP_OAUTH_PARAMS_RE = /([?&])(code|state|access_token)=[^&\s]*/g;
+
+function scrubReportUrl(url: unknown): string | undefined {
+  if (typeof url !== "string") return undefined;
+  return url.replace(CSP_OAUTH_PARAMS_RE, "$1$2=[REDACTED]");
+}
+
+function scrubCspReportBody(body: Record<string, unknown>): Record<string, unknown> {
+  const scrubbed = { ...body };
+  // Legacy report-uri format uses kebab-case keys
+  for (const key of ["document-uri", "blocked-uri", "source-file", "referrer"]) {
+    if (typeof scrubbed[key] === "string") scrubbed[key] = scrubReportUrl(scrubbed[key]);
+  }
+  // report-to format uses camelCase keys
+  for (const key of ["documentURL", "blockedURL", "sourceFile", "referrer"]) {
+    if (typeof scrubbed[key] === "string") scrubbed[key] = scrubReportUrl(scrubbed[key]);
+  }
+  return scrubbed;
+}
+
+async function handleCspReport(request: Request, env: Env): Promise<Response> {
+  if (request.method !== "POST") {
+    return new Response(null, { status: 405, headers: SECURITY_HEADERS });
+  }
+
+  const allowedDsn = getOrCacheDsn(env);
+  if (!allowedDsn) {
+    return new Response(null, { status: 404, headers: SECURITY_HEADERS });
+  }
+
+  let bodyText: string;
+  try {
+    bodyText = await request.text();
+  } catch {
+    return new Response(null, { status: 400, headers: SECURITY_HEADERS });
+  }
+
+  if (bodyText.length > CSP_REPORT_MAX_BYTES) {
+    log("warn", "csp_report_too_large", { body_length: bodyText.length }, request);
+    return new Response(null, { status: 413, headers: SECURITY_HEADERS });
+  }
+
+  const contentType = request.headers.get("Content-Type") ?? "";
+  let scrubbedPayloads: Array<Record<string, unknown>> = [];
+
+  try {
+    if (contentType.includes("application/reports+json")) {
+      // report-to format: array of report objects
+      const reports = JSON.parse(bodyText) as Array<{ type?: string; body?: Record<string, unknown> }>;
+      for (const report of reports) {
+        if (report.type === "csp-violation" && report.body) {
+          scrubbedPayloads.push({ "csp-report": scrubCspReportBody(report.body) });
+        }
+      }
+    } else {
+      // Legacy report-uri format: { "csp-report": { ... } }
+      const parsed = JSON.parse(bodyText) as { "csp-report"?: Record<string, unknown> };
+      if (parsed["csp-report"]) {
+        scrubbedPayloads.push({ "csp-report": scrubCspReportBody(parsed["csp-report"]) });
+      }
+    }
+  } catch {
+    log("warn", "csp_report_parse_failed", {}, request);
+    return new Response(null, { status: 400, headers: SECURITY_HEADERS });
+  }
+
+  if (scrubbedPayloads.length === 0) {
+    return new Response(null, { status: 204, headers: SECURITY_HEADERS });
+  }
+
+  // Cap fan-out to prevent amplification from crafted report-to batches
+  if (scrubbedPayloads.length > 20) {
+    scrubbedPayloads = scrubbedPayloads.slice(0, 20);
+  }
+
+  // Sentry security endpoint expects individual csp-report JSON objects
+  const sentryUrl = `https://${allowedDsn.host}/api/${allowedDsn.projectId}/security/?sentry_key=${allowedDsn.publicKey}`;
+
+  const results = await Promise.all(
+    scrubbedPayloads.map((payload) =>
+      fetch(sentryUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/csp-report" },
+        body: JSON.stringify(payload),
+      }).catch(() => null)
+    )
+  );
+
+  log("info", "csp_report_forwarded", {
+    count: scrubbedPayloads.length,
+    sentry_ok: results.some((r) => r?.ok),
+  }, request);
+
+  return new Response(null, { status: 204, headers: SECURITY_HEADERS });
+}
+
 // GitHub OAuth code format validation (SDR-005): alphanumeric, 1-40 chars.
 // GitHub's code format is undocumented and has changed historically — validate
 // loosely here; GitHub's server validates the actual code.
@@ -350,6 +457,11 @@ export default {
       return handleSentryTunnel(request, env);
     }
 
+    // CSP report tunnel — scrubs OAuth params before forwarding to Sentry
+    if (url.pathname === "/api/csp-report") {
+      return handleCspReport(request, env);
+    }
+
     if (url.pathname === "/api/oauth/token") {
       return handleTokenExchange(request, env, cors);
     }

tests/components/App.test.tsx

@@ -52,17 +52,25 @@ vi.mock("../../src/app/stores/cache", async (importOriginal) => {
 
 // Mock heavy page/component dependencies
 let dashboardShouldThrow = false;
+let onboardingShouldThrow = false;
+let settingsShouldThrow = false;
 vi.mock("../../src/app/components/dashboard/DashboardPage", () => ({
   default: () => {
     if (dashboardShouldThrow) throw new Error("chunk load failed");
     return <div data-testid="dashboard-page">Dashboard</div>;
   },
 }));
 vi.mock("../../src/app/components/onboarding/OnboardingWizard", () => ({
-  default: () => <div data-testid="onboarding-wizard">Onboarding</div>,
+  default: () => {
+    if (onboardingShouldThrow) throw new Error("chunk load failed");
+    return <div data-testid="onboarding-wizard">Onboarding</div>;
+  },
 }));
 vi.mock("../../src/app/components/settings/SettingsPage", () => ({
-  default: () => <div data-testid="settings-page">Settings</div>,
+  default: () => {
+    if (settingsShouldThrow) throw new Error("chunk load failed");
+    return <div data-testid="settings-page">Settings</div>;
+  },
 }));
 
 import * as configStore from "../../src/app/stores/config";
@@ -78,6 +86,8 @@ describe("App", () => {
     mockIsAuthenticated = false;
     mockValidateToken = async () => false;
     dashboardShouldThrow = false;
+    onboardingShouldThrow = false;
+    settingsShouldThrow = false;
     // Re-apply default mock implementations that are needed across tests
     vi.mocked(cacheStore.evictStaleEntries).mockResolvedValue(0);
     // Reset config to defaults
@@ -188,4 +198,60 @@ describe("App", () => {
 
     spy.mockRestore();
   });
+
+  it("shows error fallback when onboarding route throws", async () => {
+    onboardingShouldThrow = true;
+    mockIsAuthenticated = true;
+    configStore.updateConfig({ onboardingComplete: false });
+    window.history.pushState({}, "", "/onboarding");
+
+    const spy = vi.spyOn(console, "error").mockImplementation(() => {});
+
+    render(() => <App />);
+
+    await waitFor(() => {
+      screen.getByText("Failed to load page");
+    });
+
+    spy.mockRestore();
+  });
+
+  it("shows error fallback when settings route throws", async () => {
+    settingsShouldThrow = true;
+    mockIsAuthenticated = true;
+    configStore.updateConfig({ onboardingComplete: true });
+    window.history.pushState({}, "", "/settings");
+
+    const spy = vi.spyOn(console, "error").mockImplementation(() => {});
+
+    render(() => <App />);
+
+    await waitFor(() => {
+      screen.getByText("Failed to load page");
+    });
+
+    spy.mockRestore();
+  });
+
+  it("preloads dashboard chunk when auth token exists in localStorage", async () => {
+    // happy-dom's localStorage is a Proxy; use vi.stubGlobal with a mock
+    const store: Record<string, string> = { "github-tracker:auth-token": "test-token" };
+    vi.stubGlobal("localStorage", {
+      getItem: (key: string) => store[key] ?? null,
+      setItem: (key: string, val: string) => { store[key] = val; },
+      removeItem: (key: string) => { delete store[key]; },
+      clear: () => { for (const k of Object.keys(store)) delete store[k]; },
+    });
+
+    const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+    render(() => <App />);
+
+    await waitFor(() => {
+      expect(vi.mocked(cacheStore.evictStaleEntries)).toHaveBeenCalled();
+    });
+
+    vi.unstubAllGlobals();
+    warnSpy.mockRestore();
+  });
 });

tests/components/LoginPage.test.tsx

@@ -16,6 +16,11 @@ vi.mock("../../src/app/lib/pat", async (importOriginal) => {
   };
 });
 
+// Mock lazy-loaded component to prevent real imports during prefetch
+vi.mock("../../src/app/components/dashboard/DashboardPage", () => ({
+  default: () => null,
+}));
+
 // Full router mock — per project convention (SolidJS useNavigate requires Route context;
 // partial mocks of @solidjs/router render empty divs)
 const mockNavigate = vi.fn();
@@ -106,6 +111,27 @@ describe("LoginPage — OAuth view (default)", () => {
     await user.click(screen.getByText("Sign in with GitHub"));
     expect(window.location.href).toContain("https://github.com/login/oauth/authorize");
   });
+
+  it("schedules dashboard chunk prefetch on mount", () => {
+    // happy-dom lacks requestIdleCallback, so the setTimeout(prefetch, 2000) fallback fires
+    vi.useFakeTimers();
+    const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+    render(() => <LoginPage />);
+
+    // The prefetch is scheduled via setTimeout with 2s delay
+    const timeoutCalls = vi.getTimerCount();
+    expect(timeoutCalls).toBeGreaterThan(0);
+
+    // Advancing the timer triggers the import — resolves to mock, no error
+    vi.advanceTimersByTime(2000);
+
+    // No console.warn means the .catch() didn't fire (import succeeded via mock)
+    expect(warnSpy).not.toHaveBeenCalledWith("[app] Dashboard chunk prefetch failed");
+
+    vi.useRealTimers();
+    warnSpy.mockRestore();
+  });
 });
 
 describe("LoginPage — PAT form navigation", () => {

tests/lib/sentry.test.ts

@@ -179,7 +179,7 @@ describe("beforeBreadcrumbHandler", () => {
   });
 
   it("keeps allowed console breadcrumbs", () => {
-    const prefixes = ["[auth]", "[api]", "[poll]", "[dashboard]", "[settings]"];
+    const prefixes = ["[app]", "[auth]", "[api]", "[poll]", "[dashboard]", "[settings]"];
     for (const prefix of prefixes) {
       const breadcrumb = {
         category: "console",