feat(frontend): rename inj roles to sys-front-*, add sys-svc-cdn, cache-busting lookup

Introduce sys-svc-cdn (cdn_paths/cdn_urls/cdn_dirs) and ensure CDN directories + latest symlink.

Rename sys-srv-web-inj-* → sys-front-inj-*; update includes/templates; serve shared/per-app CSS & JS via CDN.

Add lookup_plugins/local_mtime_qs.py for mtime-based cache busting; split CSS into default.css/bootstrap.css + optional per-app style.css.

CSP: use style-src-elem; drop unsafe-inline for styles. Services: fix SYS_SERVICE_ALL_ENABLED bool and controlled flush.

BREAKING CHANGE: role names changed; replace includes and references accordingly.

Conversation: https://chatgpt.com/share/68b55494-9ec4-800f-b559-44707029141d

roles/sys-front-inj-desktop/tasks/01_deploy.yml

@@ -0,0 +1,7 @@
+- name: Deploy {{ INJ_DESKTOP_JS_FILE_NAME }}
+  template:
+    src:    "{{ INJ_DESKTOP_JS_FILE_NAME }}.j2"
+    dest:   "{{ INJ_DESKTOP_JS_FILE_DESTINATION }}"
+    owner:  "{{ NGINX.USER }}"
+    group:  "{{ NGINX.USER }}"
+    mode:   '0644'

roles/sys-front-inj-desktop/tasks/main.yml

@@ -0,0 +1,24 @@
+- block:
+  - name: Include dependency 'srv-core'
+    include_role:
+      name: srv-core
+    when: run_once_srv_core is not defined
+  - include_tasks: 01_deploy.yml
+  - include_tasks: utils/run_once.yml
+  when: run_once_sys_front_inj_desktop is not defined
+
+# --- Build tiny inline initializer (CSP-hashed) ---
+- name: "Load iFrame init code for '{{ application_id }}'"
+  set_fact:
+    iframe_init_code: "{{ lookup('template','iframe-init_one_liner.js.j2') }}"
+
+- name: "Collapse iFrame init code into one-liner for '{{ application_id }}'"
+  set_fact:
+    iframe_init_code_one_liner: "{{ iframe_init_code | to_one_liner }}"
+
+- name: "Append iFrame init CSP hash for '{{ application_id }}'"
+  set_fact:
+    applications: "{{ applications | append_csp_hash(application_id, iframe_init_code_one_liner) }}"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+  changed_when: false
+