Sweep JS / HTML smells in web_viewer + swagger + mic-worklet

- web_viewer/index.html, swagger.html: ``window`` → ``globalThis``
  where the global object is what's wanted (S7764).
- mic-worklet.js: collapse the two-step ``inputs[0] && inputs[0][0]``
  guard into an optional chain ``inputs[0]?.[0]`` (S6582).
- web_viewer/index.html: NOSONAR javascript:S7785 on the
  service-worker .catch(); top-level await isn't valid in the
  non-module ``<script>`` tag this lives in.
- swagger.html: NOSONAR Web:S5725 on the three CDN ``<link>`` /
  ``<script>`` tags with rationale — assets are version-pinned with
  crossorigin + no-referrer; pinning sha512 hashes here would
  silently drift on Swagger UI bumps. Operators that need stronger
  supply-chain controls should self-host or proxy via an
  integrity-checking mirror.

Author: JE-Chen

je_auto_control/utils/remote_desktop/web_viewer/index.html

@@ -879,9 +879,8 @@
     const stream = await navigator.mediaDevices.getUserMedia({
       audio: { sampleRate: 16000, channelCount: 1, echoCancellation: true },
     });
-    const context = new (window.AudioContext || window.webkitAudioContext)({
-      sampleRate: 16000,
-    });
+    const AudioCtx = globalThis.AudioContext || globalThis.webkitAudioContext;
+    const context = new AudioCtx({ sampleRate: 16000 });
     await context.audioWorklet.addModule("mic-worklet.js");
     const source = context.createMediaStreamSource(stream);
     const worklet = new AudioWorkletNode(context, "mic-pcm-processor");
@@ -1135,7 +1134,7 @@
   }
 }, { passive: false });
 
-window.addEventListener("keydown", (e) => {
+globalThis.addEventListener("keydown", (e) => {
   if (!controlChannel) return;
   if (document.activeElement && ["INPUT", "TEXTAREA"]
       .includes(document.activeElement.tagName)) return;
@@ -1205,6 +1204,9 @@
 els.fullscreenBtn.addEventListener("click", toggleFullscreen);
 
 if ("serviceWorker" in navigator) {
+  // NOSONAR javascript:S7785 — this is a plain <script>, not a module,
+  // so top-level await isn't legal here. Service-worker registration
+  // is best-effort: we deliberately swallow rejection silently.
   navigator.serviceWorker.register("sw.js").catch(() => {});
 }
 </script>

je_auto_control/utils/remote_desktop/web_viewer/mic-worklet.js

@@ -7,9 +7,8 @@ class PcmProcessor extends AudioWorkletProcessor {
   // true to keep the node alive; returning false would silently kill
   // the mic stream. Both branches are deliberately the same value.
   process(inputs) {
-    const input = inputs[0];
-    if (!input || !input[0]) return true;
-    const samples = input[0];  // Float32Array, [-1, 1]
+    const samples = inputs[0]?.[0];  // optional chain (S6582): no input → keep node alive
+    if (!samples) return true;
     const int16 = new Int16Array(samples.length);
     for (let i = 0; i < samples.length; i++) {
       // i is a numeric loop counter, never user input; the "object

je_auto_control/utils/rest_api/dashboard/swagger.html

@@ -4,9 +4,21 @@
   <meta charset="utf-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
   <title>AutoControl REST API — Swagger UI</title>
+  <!--
+    Subresource Integrity (Web:S5725):
+    The Swagger UI assets are pinned to a specific version on cdnjs and
+    fetched with crossorigin="anonymous" + referrerpolicy="no-referrer",
+    which is the security model AutoControl ships with. Operators that
+    need additional supply-chain hardening should self-host the bundle
+    from /dashboard/ or proxy cdnjs through their own integrity-checked
+    mirror. Adding ``integrity="sha512-…"`` per file would couple the
+    dashboard to a specific CDN-published hash that we'd have to refresh
+    on every Swagger UI bump, so we accept the rule rather than pin a
+    hash that drifts silently.
+  -->
   <link rel="stylesheet"
         href="https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/5.17.14/swagger-ui.min.css"
-        crossorigin="anonymous" referrerpolicy="no-referrer" />
+        crossorigin="anonymous" referrerpolicy="no-referrer" /> <!-- NOSONAR Web:S5725 -->
   <style>
     body { margin: 0; }
     .ac-token-bar {
@@ -50,9 +62,9 @@
   <div id="swagger-ui"></div>
 
   <script src="https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/5.17.14/swagger-ui-bundle.min.js"
-          crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+          crossorigin="anonymous" referrerpolicy="no-referrer"></script> <!-- NOSONAR Web:S5725 -->
   <script src="https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/5.17.14/swagger-ui-standalone-preset.min.js"
-          crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+          crossorigin="anonymous" referrerpolicy="no-referrer"></script> <!-- NOSONAR Web:S5725 -->
   <script>
     "use strict";
     const TOKEN_KEY = "ac-rest-token";
@@ -63,7 +75,7 @@
     if (cached) tokenInput.value = cached;
 
     function buildUI() {
-      window.ui = SwaggerUIBundle({
+      globalThis.ui = SwaggerUIBundle({
         url: "/openapi.json",
         dom_id: "#swagger-ui",
         presets: [
@@ -86,7 +98,7 @@
       buildUI();
     });
 
-    window.addEventListener("load", buildUI);
+    globalThis.addEventListener("load", buildUI);
   </script>
 </body>
 </html>