Deepen CSP, Permissions-Policy and cookie audits

Detect CSP weaknesses individually (unsafe-inline, unsafe-eval, missing
default-src/script-src, permissive sources on script-src or its
default-src fallback) instead of a single catch-all "unsafe" code, and
honour CSP3 fetch-directive fallback via EffectiveSources/WildcardSource
helpers. Validate Permissions-Policy values: warn when a powerful
feature (camera, microphone, geolocation, payment, sensors, …) is
granted to all origins. Add a SameSite aggregate state on cookie audits
so callers get the global ratio alongside per-cookie diagnostics.

checker/rules_modern_headers_test.go

@@ -57,8 +57,6 @@ func TestReferrerPolicyRule(t *testing.T) {
 }
 
 func TestPermissionsPolicyRule(t *testing.T) {
-	// Permissions-Policy has no Validate function: presence alone is OK,
-	// absence is Info (Required=false).
 	cases := []struct {
 		name  string
 		value string
@@ -66,8 +64,14 @@ func TestPermissionsPolicyRule(t *testing.T) {
 		code  string
 	}{
 		{"missing", "", sdk.StatusInfo, "http.permissions_policy.missing"},
-		{"present", "camera=(), microphone=()", sdk.StatusOK, "http.permissions_policy.ok"},
+		{"restrictive", "camera=(), microphone=()", sdk.StatusOK, "http.permissions_policy.ok"},
+		{"self only", "geolocation=(self)", sdk.StatusOK, "http.permissions_policy.ok"},
 		{"empty value treated as missing", "   ", sdk.StatusInfo, "http.permissions_policy.missing"},
+		{"camera wildcard", "camera=*", sdk.StatusWarn, "http.permissions_policy.invalid"},
+		{"microphone parenthesised wildcard", "microphone=(*)", sdk.StatusWarn, "http.permissions_policy.invalid"},
+		{"non-dangerous wildcard ignored", "fullscreen=(self), accelerometer=*", sdk.StatusWarn, "http.permissions_policy.invalid"},
+		{"unknown feature wildcard ignored", "totally-made-up=*", sdk.StatusOK, "http.permissions_policy.ok"},
+		{"malformed entry", "camera", sdk.StatusWarn, "http.permissions_policy.invalid"},
 	}
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {