feat(frontend): rename inj roles to sys-front-*, add sys-svc-cdn, cache-busting lookup

Introduce sys-svc-cdn (cdn_paths/cdn_urls/cdn_dirs) and ensure CDN directories + latest symlink.

Rename sys-srv-web-inj-* → sys-front-inj-*; update includes/templates; serve shared/per-app CSS & JS via CDN.

Add lookup_plugins/local_mtime_qs.py for mtime-based cache busting; split CSS into default.css/bootstrap.css + optional per-app style.css.

CSP: use style-src-elem; drop unsafe-inline for styles. Services: fix SYS_SERVICE_ALL_ENABLED bool and controlled flush.

BREAKING CHANGE: role names changed; replace includes and references accordingly.

Conversation: https://chatgpt.com/share/68b55494-9ec4-800f-b559-44707029141d

roles/sys-front-inj-javascript/README.md

@@ -0,0 +1,28 @@
+# 🌐 Global JavaScript Injector for Nginx
+
+## Description
+
+This Ansible role injects a custom JavaScript snippet into all HTML responses served by Nginx. It leverages Nginx’s `sub_filter` to seamlessly insert your application-specific script just before the closing `</head>` tag, ensuring that your code runs on every page load—perfect for global feature flags, analytics, or UI enhancements.
+
+## Features
+
+- **One-line Script Injection**  
+  Collapses your JavaScript into a single line and injects it via `sub_filter` for minimal footprint and maximal compatibility.
+
+- **Easy CSP Integration**  
+  Automatically computes and appends a CSP hash entry for your script, so you can lock down Content Security Policy without lifting a finger.
+
+- **Conditional Activation**  
+  Activates only when you enable the `javascript` feature for a given application, keeping your server blocks clean and performant.
+
+- **Debug Mode**  
+  Supports an `MODE_DEBUG` flag that appends optional `console.log` statements for easier troubleshooting in staging or development.
+
+## Author
+
+Developed by **Kevin Veen-Birkenbach**
+Consulting & Coaching Solutions — [veen.world](https://www.veen.world)
+
+---
+
+Happy automating! 🎉

roles/sys-front-inj-javascript/meta/main.yml

@@ -0,0 +1,25 @@
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Injects a custom JavaScript snippet into Nginx-served HTML responses via sub_filter."
+  company: |
+    Kevin Veen-Birkenbach  
+    Consulting & Coaching Solutions  
+    https://www.veen.world
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  min_ansible_version: "2.9"
+  platforms:
+  - name: Archlinux
+    versions:
+    - rolling
+  galaxy_tags:
+  - nginx
+  - javascript
+  - csp
+  - sub_filter
+  - injection
+  - global
+  repository: "https://s.infinito.nexus/code"
+  documentation: "https://docs.infinito.nexus"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+

roles/sys-front-inj-javascript/tasks/main.yml

@@ -0,0 +1,22 @@
+- block:
+
+  - name: Include dependency 'srv-core'
+    include_role:
+      name: srv-core
+    when: run_once_srv_core is not defined
+  - include_tasks: utils/run_once.yml
+  when: run_once_sys_front_inj_javascript is not defined
+
+- name: "Load JavaScript code for '{{ application_id }}'"
+  set_fact:
+    javascript_code: "{{ lookup('template', modifier_javascript_template_file) }}"
+
+- name: "Collapse Javascript code into one-liner for '{{ application_id }}'"
+  set_fact:
+    javascript_code_one_liner: "{{ javascript_code | to_one_liner }}"
+
+- name: "Append Javascript CSP hash for '{{ application_id }}'"
+  set_fact:
+    applications: "{{ applications | append_csp_hash(application_id, javascript_code_one_liner) }}"
+  changed_when: false
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"

roles/sys-front-inj-javascript/templates/head_sub.j2

@@ -0,0 +1 @@
+<script>{{ javascript_code_one_liner }}</script>

roles/sys-front-inj-javascript/vars/main.yml

@@ -0,0 +1 @@
+modifier_javascript_template_file: "{{ application_id | abs_role_path_by_application_id }}/templates/javascript.js.j2"