fix: resolve CSP violations preventing UI interaction in VS Code extension (#18)

Fixes #17 - File selection UI was completely non-functional due to Content Security Policy violations.

Changes:
- Removed all inline event handlers (onclick, onload, onerror) from HTML
- Replaced with delegated event listeners using addEventListener()
- Added defer attribute to script tags for proper load sequencing
- Updated verification script to use DOMContentLoaded instead of setTimeout
- Added CSP-compliant nonce to all inline scripts

The webview now complies with VS Code's strict CSP requirements, allowing
folder expansion/collapse and all UI interactions to work properly.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Claude <noreply@anthropic.com>

Author: avivsinai

.promptcode/presets/csp-fix-testing.patterns

@@ -0,0 +1,24 @@
+# CSP Fix Testing Preset
+# Files needed to verify the Content Security Policy violations fix
+# for VS Code extension issue #17
+
+# Core webview files with CSP fixes
+src/webview/selectFilesTab.js
+src/webview/tabs/selectFilesTabContent.ts
+src/webviewProvider.ts
+
+# File explorer for context
+src/fileExplorer.ts
+
+# Test files to verify the fix
+src/test/suite/fileExplorerDecorationWebviewBug.test.ts
+src/test/decorationCache.test.ts
+
+# Extension entry point
+src/extension.ts
+
+# Package info
+package.json
+
+# Issue context
+.github/ISSUE_TEMPLATE/bug_report.md

src/webview/selectFilesTab.js

@@ -334,7 +334,7 @@ if (typeof window !== 'undefined') {
 
                             return `
                                 <div class="directory-section ${isExpanded ? '' : 'collapsed'}" data-dir-id="${id}" data-workspace-folder="${workspaceFolderName}">
-                                    <div class="directory-header" onclick="toggleDirectoryFiles(this)">
+                                    <div class="directory-header">
                                         <div class="header-left">
                                             <svg class="collapse-icon" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
                                                 <polyline points="9 6 15 12 9 18"></polyline>
@@ -842,6 +842,19 @@ if (typeof window !== 'undefined') {
                         });
                     }
 
+                    // Toggle a directory by clicking anywhere on its header (CSP-safe)
+                    selectedFilesListEl.addEventListener('click', (e) => {
+                        const header = e.target.closest('.directory-header');
+                        if (!header || !selectedFilesListEl.contains(header)) {return;}
+                        // Don't toggle if the click was on the remove button inside the header
+                        if (e.target.closest('.js-dir-remove')) {return;}
+                        e.preventDefault();
+                        e.stopPropagation();
+                        if (typeof window.toggleDirectoryFiles === 'function') {
+                            window.toggleDirectoryFiles(header);
+                        }
+                    });
+
                     // Add listener for preset updates from host
                     // This listener needs to be accessible to the global message handler
                     window.selectFilesTab.handlePresetUpdate = function(presets, selectPreset) {

src/webview/tabs/selectFilesTabContent.ts

@@ -158,9 +158,11 @@ export function renderDirectoryHeader(dirPath: string, workspaceFolderName: stri
   window.directoryMap[id] = dirPath || ROOT_DIR_KEY;
 
   return /* html */ `
-    <div class="directory-header flex items-center" onclick="toggleDirectoryFiles(this)" data-dir-id="${id}">
+    <div class="directory-header flex items-center" data-dir-id="${id}">
       <span class="folder-label truncate">${dirPath || 'workspace root'}</span>
-      <button class="trash-btn action-button ml-auto" title="Remove folder" onclick="event.stopPropagation(); removeDirectory('${dirPath || ''}', '${workspaceFolderName}');">
+      <button class="trash-btn action-button ml-auto js-dir-remove" title="Remove folder" 
+              data-dir="${dirPath || ''}" 
+              data-workspace="${workspaceFolderName}">
         <i class="codicon codicon-trash"></i>
       </button>
     </div>

src/webviewProvider.ts

@@ -873,58 +873,25 @@ export class PromptCodeWebViewProvider {
                     window.samplePrompts = ${promptsJson};
                 </script>
                 
-                <!-- Load selectFilesTab.js first -->
-                <script src="${selectFilesTabJsUri}" nonce="${nonce}"
-                    onload="window._scriptLoaded.selectFilesTab = true; console.log('selectFilesTab.js loaded')" 
-                    onerror="console.error('Failed to load selectFilesTab.js')">
-                </script>
-
-                <!-- Load instructionsTab.js next -->
-                <script src="${instructionsTabJsUri}" nonce="${nonce}"
-                    onload="window._scriptLoaded.instructionsTab = true; console.log('instructionsTab.js loaded')"
-                    onerror="console.error('Failed to load instructionsTab.js')">
-                </script>
-                
-                <!-- Load generatePromptTab.js -->
-                <script src="${generatePromptTabJsUri}" nonce="${nonce}"
-                    onload="window._scriptLoaded.generatePromptTab = true; console.log('generatePromptTab.js loaded')"
-                    onerror="console.error('Failed to load generatePromptTab.js')">
-                </script>
-
-                <!-- Load mergeTab.js -->
-                <script src="${mergeTabJsUri}" nonce="${nonce}"
-                    onload="window._scriptLoaded.mergeTab = true; console.log('mergeTab.js loaded')"
-                    onerror="console.error('Failed to load mergeTab.js')">
-                </script>
-
-                <!-- Then load webview.js which depends on them -->
-                <script src="${jsUri}" nonce="${nonce}"
-                    onload="window._scriptLoaded.webview = true; console.log('webview.js loaded')" 
-                    onerror="console.error('Failed to load webview.js')">
-                </script>
+                <!-- Load all scripts with defer for proper sequencing -->
+                <script src="${selectFilesTabJsUri}" nonce="${nonce}" defer></script>
+                <script src="${instructionsTabJsUri}" nonce="${nonce}" defer></script>
+                <script src="${generatePromptTabJsUri}" nonce="${nonce}" defer></script>
+                <script src="${mergeTabJsUri}" nonce="${nonce}" defer></script>
+                <script src="${jsUri}" nonce="${nonce}" defer></script>
                 
-                <!-- Verify everything loaded -->
-                <script>
-                    setTimeout(() => {
-                        if (!window._scriptLoaded.selectFilesTab) {
-                            console.error('selectFilesTab.js failed to load properly');
-                        }
-                        if (!window._scriptLoaded.instructionsTab) {
-                            console.error('instructionsTab.js failed to load properly');
-                        }
-                        if (!window._scriptLoaded.webview) {
-                            console.error('webview.js failed to load properly');
-                        }
-                        if (typeof window.initSelectFilesTab !== 'function') {
-                            console.error('initSelectFilesTab is not available');
-                        }
-                        if (typeof window.initInstructionsTab !== 'function') {
-                            console.error('initInstructionsTab is not available');
-                        }
-                        if (typeof window.initMergeTab !== 'function') {
-                            console.error('initMergeTab is not available');
-                        }
-                    }, 1000);
+                <!-- CSP-safe verification using DOMContentLoaded -->
+                <script nonce="${nonce}">
+                  window.addEventListener('DOMContentLoaded', () => {
+                    const checks = [
+                      ['initSelectFilesTab', typeof window.initSelectFilesTab === 'function'],
+                      ['initInstructionsTab', typeof window.initInstructionsTab === 'function'],
+                      ['initGeneratePromptTab', typeof window.initGeneratePromptTab === 'function'],
+                      ['initMergeTab', typeof window.initMergeTab === 'function'],
+                    ];
+                    const missing = checks.filter(([, ok]) => !ok).map(([name]) => name);
+                    if (missing.length) console.error('Missing webview boot functions:', missing);
+                  });
                 </script>
             </body>
             </html>