[AI] Address review feedback

- sync-server CSP: drop 'unsafe-eval' from the production script-src;
  the bundle has no genuine eval/new Function usage (only a defensive
  branch in setimmediate's polyfill that's never hit). Keep it on the
  dev branch where Vite's HMR runtime relies on it. Add a comment so
  it's obvious which branch needs it and why.
- bank-factory: widen the loader glob to ./banks/*_*.{ts,js} so
  TypeScript handlers are discovered too, mirroring migrations.ts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
github-actions[bot]
2026-05-05 21:04:34 +01:00
parent 9513c1e160
commit 145868f9da
2 changed files with 7 additions and 4 deletions

@@ -1,8 +1,8 @@
import IntegrationBank from './banks/integration-bank';
// Filename convention: <name>_<bic>.js (skips bank.interface, integration-bank,
// and any other helper without an underscore).
const bankLoaders = import.meta.glob('./banks/*_*.js');
// Filename convention: <name>_<bic>.{ts,js} (skips bank.interface,
// integration-bank, and any other helper without an underscore).
const bankLoaders = import.meta.glob('./banks/*_*.{ts,js}');
async function loadBanks() {
const imports = await Promise.all(
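Review bot: with `./banks/*_*.{ts,js}` a bank that has both a `.ts` source and a `.js` build artefact in the same directory would be matched twice and imported twice by `loadBanks()`; if the compiled output can ever land beside the sources (or a `.js` shim is kept next to a migrated `.ts` handler), dedupe by basename before importing, or keep the emitted `.js` out of `./banks/`. The comment should also say which wins when both exist so the convention is explicit.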

@@ -127,10 +127,13 @@ app.get('/metrics', (_req, res) => {
// The web frontend.
// Dev mode proxies to Vite, which injects inline preamble scripts and uses
// a websocket for HMR. Loosen script-src and connect-src accordingly.
// `'unsafe-eval'` is dev-only (Vite's HMR runtime needs it). Re-introduce
// it in the non-dev branch only if a runtime dependency genuinely needs
// `eval` / `new Function` — the bundle currently doesn't.
const isDev = process.env.NODE_ENV === 'development';
const scriptSrc = isDev
? "'self' 'unsafe-inline' 'unsafe-eval' blob:"
: "'self' 'unsafe-eval' blob:";
: "'self' blob:";
const connectSrc = isDev ? "'self' ws: wss: http: https:" : 'http: https:';
const csp = [
"default-src 'self' blob:",
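Review bot: the production `script-src` drop to `'self' blob:` relies on the claim that the bundle never reaches an `eval` / `new Function` path, but nothing in the change exercises that; add a test that loads the production build under this CSP (or run it with `Content-Security-Policy-Report-Only` for a release and a report endpoint) so a future dependency that does use `eval` shows up as a CSP violation rather than a silent breakage. While here, the unchanged `connectSrc` fallback of `'http: https:'` still lets the production frontend open connections to any origin over plaintext HTTP; narrowing it to `'self'` plus the specific hosts the app talks to would be the natural follow-up to this tightening.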