xss fixes from audit:

- F1 case_detail.html: scheme-check source_ref href (block javascript: URLs)
- F2 admin.html / F3 admin_federation.html: replace inline onsubmit confirm()
  with data-attr + global handler in base.html (no more label/domain
  interpolation into onsubmit attribute string)
- federation.register_peer: validate hostname + fingerprint regex at ingest
- federation_explore.html: window.PSYC_EXPLORE via | tojson
- federation_network.js: DOMAIN_RE guard on peer-supplied domain before
  building cross-origin fetch URL (also closes open-redirect via 'open
  their explorer' button)
- app.py: nosniff + Referrer-Policy: no-referrer + X-Frame-Options: DENY
- sw.js: psyc-v11 cache bump

CSP deferred — needs inline scripts moved to external files first.
Tests: +2 cases, 245/245 green.

tests/test_federation.py

@@ -230,3 +230,33 @@ def test_peer_registry_crud(fresh_db, fed_dir):
 
     federation.remove_peer("peer.example")
     assert federation.list_peers() == []
+
+
+def test_register_peer_rejects_malformed_domain(fresh_db, fed_dir):
+    """XSS guard: domain must look like a hostname (+ optional :port)."""
+    import pytest
+    bad = [
+        "evil.com'); alert(1); //",
+        "evil.com<script>",
+        "evil.com onclick=alert(1)",
+        "",
+        "evil com",  # space
+        "/etc/passwd",
+        "evil.com/?phish=1",
+    ]
+    for d in bad:
+        with pytest.raises(ValueError):
+            federation.register_peer(d, "ff" * 16, "PEM")
+    # And good ones still pass:
+    for d in ["peer.example.com", "peer.example.com:8443", "peer-1.example", "127.0.0.1:8767"]:
+        federation.register_peer(d, "ff" * 16, "PEM")
+        federation.remove_peer(d)
+
+
+def test_register_peer_rejects_malformed_fingerprint(fresh_db, fed_dir):
+    """Defense-in-depth: fingerprint must be 32 hex chars."""
+    import pytest
+    with pytest.raises(ValueError):
+        federation.register_peer("peer.example", "not-hex", "PEM")
+    with pytest.raises(ValueError):
+        federation.register_peer("peer.example", "ff" * 8, "PEM")  # too short