Remove Replit plugins from production build

- Restrict Replit plugins to development + REPL_ID environment only
- This prevents Replit banner scripts from loading in production
- Fixes CSP violations for replit.com scripts in HF Spaces
- Keeps clean production builds without dev dependencies

server/index.ts

@@ -49,7 +49,9 @@ app.use(helmet({
   contentSecurityPolicy: {
     directives: {
       defaultSrc: ["'self'"],
-      scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"], // Allow for development
+      scriptSrc: process.env.NODE_ENV === 'production' 
+        ? ["'self'", "'unsafe-inline'", "'unsafe-eval'"]
+        : ["'self'", "'unsafe-inline'", "'unsafe-eval'", "https://replit.com"], // Allow Replit in dev
       styleSrc: ["'self'", "'unsafe-inline'"],
       imgSrc: ["'self'", "data:", "https:"],
       connectSrc: ["'self'", "https://api.studio.nebius.ai", "https://api.github.com"],

vite.config.ts

@@ -17,13 +17,13 @@ async function tryImport(moduleName: string, fallback = null) {
 export default defineConfig(async () => {
   const plugins = [react()];
 
-  // Add Replit plugins only if available (for development)
-  const runtimeErrorOverlay = await tryImport("@replit/vite-plugin-runtime-error-modal");
-  if (runtimeErrorOverlay) {
-    plugins.push(runtimeErrorOverlay.default());
-  }
+  // Add Replit plugins only in development and when running on Replit
+  if (process.env.NODE_ENV === "development" && process.env.REPL_ID !== undefined) {
+    const runtimeErrorOverlay = await tryImport("@replit/vite-plugin-runtime-error-modal");
+    if (runtimeErrorOverlay) {
+      plugins.push(runtimeErrorOverlay.default());
+    }
 
-  if (process.env.NODE_ENV !== "production" && process.env.REPL_ID !== undefined) {
     const cartographer = await tryImport("@replit/vite-plugin-cartographer");
     if (cartographer) {
       plugins.push(cartographer.cartographer());