
[Bugfix #269] Bundle vendor libraries locally to fix CSP-blocked document viewer #270

Merged: waleedkadous merged 1 commit into main from builder/bugfix-269-af-open-document-viewer-fails- on Feb 15, 2026

@waleedkadous
Contributor

Summary

Fixes #269

The document viewer (open.html) loaded PrismJS, marked, and DOMPurify from external CDNs (cdnjs.cloudflare.com, cdn.jsdelivr.net). When served through Codev Cloud, the Content Security Policy blocks these external scripts, causing:

  • Blank content area in the document viewer
  • "Prism is not defined" errors in console
  • CSP violation warnings for blocked scripts and stylesheets

Root Cause

The page's CSP (set by the cloud infrastructure) restricts script-src and style-src to 'self' and 'unsafe-inline', blocking all external CDN domains.

Fix

  • Bundled PrismJS (core + 9 language components + theme CSS), marked.js, and DOMPurify locally under templates/vendor/
  • Added a vendor/* sub-route to the annotate handler in tower-routes.ts to serve these files with correct MIME types and caching headers
  • Updated open.html to reference local vendor paths instead of CDN URLs
  • Added path traversal protection and file extension validation on the vendor route

Test Plan

  • Added 5 regression tests for the vendor route (JS content type, CSS content type, path traversal block, 404 for missing files, disallowed extensions)
  • All 27 tower-routes tests pass (22 existing + 5 new)
  • TypeScript type check passes
  • Build succeeds
  • No external CDN references remain in open.html

…void CSP blocks

The document viewer (open.html) loaded PrismJS, marked, and DOMPurify
from external CDNs. When served through Codev Cloud, the Content
Security Policy blocks these external scripts, causing a blank content
area and "Prism is not defined" errors.

Bundles all vendor libraries locally under templates/vendor/ and adds
a vendor sub-route to the annotate handler to serve them. This removes
all external CDN dependencies from the document viewer.
@waleedkadous waleedkadous merged commit d891d7a into main Feb 15, 2026
7 checks passed
@waleedkadous waleedkadous deleted the builder/bugfix-269-af-open-document-viewer-fails- branch February 15, 2026 03:16
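
The checks the Fix list names for the vendor route (path traversal protection, file extension validation, MIME type and caching headers) can be written as one pure function. This is an added example, not the code merged in tower-routes.ts; the function name, the status codes, the Cache-Control value and the `exists` callback are assumptions.

```typescript
// Added example (hypothetical names); not the project's tower-routes.ts code.
type VendorResult =
  | { ok: true; relPath: string; contentType: string; cacheControl: string }
  | { ok: false; status: 400 | 403 | 404 };

// Allowlist: only these extensions are served, each with a fixed MIME type.
const VENDOR_TYPES = new Map<string, string>([
  [".js", "application/javascript; charset=utf-8"],
  [".css", "text/css; charset=utf-8"],
]);

// Assumed caching policy for static vendored files.
const VENDOR_CACHE = "public, max-age=86400";

// rawSubPath is the part of the URL after "vendor/"; exists() reports whether
// a relative path is present under templates/vendor/ (supplied by the caller).
function resolveVendorRequest(
  rawSubPath: string,
  exists: (relPath: string) => boolean,
): VendorResult {
  let decoded: string;
  try {
    decoded = decodeURIComponent(rawSubPath); // validate the decoded form
  } catch {
    return { ok: false, status: 400 }; // malformed percent-encoding
  }
  // Refuse absolute paths, backslashes and NUL bytes outright.
  if (decoded.startsWith("/") || decoded.includes("\\") || decoded.includes("\0")) {
    return { ok: false, status: 403 };
  }
  // Every segment must be a plain name: no "", "." or "..".
  const segments = decoded.split("/");
  if (segments.some((s) => s === "" || s === "." || s === "..")) {
    return { ok: false, status: 403 };
  }
  // Extension check on the final segment, against the allowlist only.
  const name = segments[segments.length - 1] ?? "";
  const dot = name.lastIndexOf(".");
  const ext = dot > 0 ? name.slice(dot).toLowerCase() : "";
  const contentType = VENDOR_TYPES.get(ext);
  if (contentType === undefined) return { ok: false, status: 403 };

  const relPath = segments.join("/");
  if (!exists(relPath)) return { ok: false, status: 404 };
  return { ok: true, relPath, contentType, cacheControl: VENDOR_CACHE };
}
```

A handler using this would join `relPath` to the vendor directory only after the function returns `ok: true`, and set `Content-Type` and `Cache-Control` from the result.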

Development

Successfully merging this pull request may close these issues.

af open document viewer fails to render — Prism not defined (CSP blocks external scripts)
