The tickets code escaped HTML, but the logistics + fuel renderers and the error
banners interpolated API strings straight into innerHTML. Fuel Log fields
(driver, department, fuel_type, plate) come from WhatsApp messages and
vehicle/driver names from the Tracksolid registry — both user-controlled — so
this was a stored-XSS path into every dispatcher's browser.
- Hoist escapeHtml into HELPERS + add esc(); route every logistics/fuel renderer
and the three error banners through it (21 -> 37 escaped call sites).
- SRI integrity + crossorigin on Chart.js 4.4.1 and maplibre-gl 4.7.1 JS/CSS.
- Caddyfile: CSP (self + pinned CDNs + CARTO basemap + the two fleet APIs),
X-Content-Type-Options, Referrer-Policy, frame-ancestors 'none', -Server.
Validated with `caddy validate` inside the deployed image.
- loadLive(): check r.ok; pause the 15s live poll while hidden or off the Tickets
tab, refresh immediately on return (FO-BUG-01/02).
- Missing-API_BASE fallback flipped staging -> prod, matching the documented
design (FO-OPS-01).
Inline app script passes `node --check`. Audit + plan + work log in docs/260702_*.
Local only; not deployed.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>