fix: tighten CSP img-src, show initials instead of external avatar

Privacy-first: remove 'https:' from img-src CSP directive to prevent
IP leaks via external avatar URLs (Google/Gravatar). AccountCard now
shows user initials instead of loading a remote image.

Also remove .keys-temp/ from .gitignore (not relevant to this PR).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitignore

@@ -51,4 +51,3 @@ public/CHANGELOG.fr.md
 
 # Tauri generated
 src-tauri/gen/
-.keys-temp/

src-tauri/tauri.conf.json

@@ -18,7 +18,7 @@
       }
     ],
     "security": {
-      "csp": "default-src 'self'; script-src 'self'; connect-src 'self' https://api.lacompagniemaximus.com https://auth.lacompagniemaximus.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:"
+      "csp": "default-src 'self'; script-src 'self'; connect-src 'self' https://api.lacompagniemaximus.com https://auth.lacompagniemaximus.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:"
     }
   },
   "bundle": {

src/components/settings/AccountCard.tsx

@@ -26,13 +26,9 @@ export default function AccountCard() {
       {state.status === "authenticated" && state.account && (
         <div className="space-y-3">
           <div className="flex items-center gap-3">
-            {state.account.picture && (
-              <img
-                src={state.account.picture}
-                alt=""
-                className="w-10 h-10 rounded-full"
-              />
-            )}
+            <div className="w-10 h-10 rounded-full bg-[var(--primary)] text-white flex items-center justify-center font-semibold text-sm">
+              {(state.account.name || state.account.email).charAt(0).toUpperCase()}
+            </div>
             <div>
               <p className="font-medium">
                 {state.account.name || state.account.email}