diff --git a/packages/sync-server/src/app-gocardless/bank-factory.js b/packages/sync-server/src/app-gocardless/bank-factory.js
index a99d6ddd48..34cdd51082 100644
--- a/packages/sync-server/src/app-gocardless/bank-factory.js
+++ b/packages/sync-server/src/app-gocardless/bank-factory.js
@@ -1,8 +1,8 @@
 import IntegrationBank from './banks/integration-bank';
 
-// Filename convention: _.js (skips bank.interface, integration-bank,
-// and any other helper without an underscore).
-const bankLoaders = import.meta.glob('./banks/*_*.js');
+// Filename convention: _.{ts,js} (skips bank.interface,
+// integration-bank, and any other helper without an underscore).
+const bankLoaders = import.meta.glob('./banks/*_*.{ts,js}');
 
 async function loadBanks() {
 const imports = await Promise.all(
diff --git a/packages/sync-server/src/app.ts b/packages/sync-server/src/app.ts
index a53163569b..a282ed6f02 100644
--- a/packages/sync-server/src/app.ts
+++ b/packages/sync-server/src/app.ts
@@ -127,10 +127,13 @@ app.get('/metrics', (_req, res) => {
 // The web frontend.
 // Dev mode proxies to Vite, which injects inline preamble scripts and uses
 // a websocket for HMR. Loosen script-src and connect-src accordingly.
+// `'unsafe-eval'` is dev-only (Vite's HMR runtime needs it). Re-introduce
+// it in the non-dev branch only if a runtime dependency genuinely needs
+// `eval` / `new Function` — the bundle currently doesn't.
 const isDev = process.env.NODE_ENV === 'development';
 const scriptSrc = isDev
 ? "'self' 'unsafe-inline' 'unsafe-eval' blob:"
- : "'self' 'unsafe-eval' blob:";
+ : "'self' blob:";
 const connectSrc = isDev ? "'self' ws: wss: http: https:" : 'http: https:';
 const csp = [
 "default-src 'self' blob:",
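Review bot: The widened pattern `'./banks/*_*.{ts,js}'` also matches any underscore-named `.d.ts`, `.test.ts` or `.spec.js` file placed in `./banks/`, and a bank that exists as both `.ts` and `.js` during the migration would be picked up twice. Every match is imported by `loadBanks`, whose body continues outside the hunk, so whether duplicates or non-bank modules are filtered later cannot be seen here. If they are not, and assuming this is Vite's `import.meta.glob`, negative patterns keep the loaded set tight: `import.meta.glob(['./banks/*_*.{ts,js}', '!./banks/*.d.ts', '!./banks/*.{test,spec}.{ts,js}'])`. The comment above the glob should then name those exclusions too.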
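Review bot: The new comment names only `eval` / `new Function`, but a `script-src` without `'unsafe-eval'` also blocks WebAssembly compilation, so the non-dev value `"'self' blob:"` would break any WASM module the frontend or its workers load. Whether the bundle contains one is not visible in this hunk. If it does, add the narrower keyword rather than restoring `'unsafe-eval'`, i.e. `: "'self' 'wasm-unsafe-eval' blob:";`, and mention WebAssembly in the comment so the next maintainer does not reach for the broader one. `blob:` in `script-src` is also wider than workers need; if it is there only for workers, a `worker-src blob:` directive would scope it, but the rest of the `csp` array lies outside the hunk.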