fix: merge 5 PR-related improvements

- gateway_handler: pass ParsedRequest to RecordUsage + set in gin.Context
- channel_handler: add FeaturesConfig to CRUD (WebSearch channel toggle)
- channel_repo: features_config JSONB persistence (Create/Get/Update/List)
- security_headers: add Stripe CSP domains (script-src + frame-src)

backend/internal/server/middleware/security_headers.go

@@ -18,6 +18,8 @@ const (
 	NonceTemplate = "__CSP_NONCE__"
 	// CloudflareInsightsDomain is the domain for Cloudflare Web Analytics
 	CloudflareInsightsDomain = "https://static.cloudflareinsights.com"
+	// StripeDomain is the domain for Stripe.js SDK
+	StripeDomain = "https://*.stripe.com"
 )
 
 // GenerateNonce generates a cryptographically secure random nonce.
@@ -97,8 +99,9 @@ func isAPIRoutePath(c *gin.Context) bool {
 		strings.HasPrefix(path, "/responses")
 }
 
-// enhanceCSPPolicy ensures the CSP policy includes nonce support and Cloudflare Insights domain.
-// This allows the application to work correctly even if the config file has an older CSP policy.
+// enhanceCSPPolicy ensures the CSP policy includes nonce support, Cloudflare Insights,
+// and Stripe.js domains. This allows the application to work correctly even if the
+// config file has an older CSP policy.
 func enhanceCSPPolicy(policy string) string {
 	// Add nonce placeholder to script-src if not present
 	if !strings.Contains(policy, NonceTemplate) && !strings.Contains(policy, "'nonce-") {
@@ -110,6 +113,12 @@ func enhanceCSPPolicy(policy string) string {
 		policy = addToDirective(policy, "script-src", CloudflareInsightsDomain)
 	}
 
+	// Add Stripe.js domain to script-src and frame-src if not present
+	if !strings.Contains(policy, "stripe.com") {
+		policy = addToDirective(policy, "script-src", StripeDomain)
+		policy = addToDirective(policy, "frame-src", StripeDomain)
+	}
+
 	return policy
 }