test(csp): add regression tests for pushDirective duplication (#16594)

[web-dev0521]

Changes

• Fix pushDirective in the CSP runtime duplicating the new directive once per existing non-matching directive.
• Root cause: the else branch inside the loop pushed newDirective on every non-match instead of once after the loop. Replaced the deduplicated flag with a matched flag and moved the newDirective push outside the loop, guarded by !matched.
• Closes csp: pushDirective duplicates new directive on every non-matching iteration #16594.

Before: pushDirective(["img-src 'self'", "style-src 'self'"], "script-src 'self'") → ["img-src 'self'", "script-src 'self'", "style-src 'self'", "script-src 'self'"] (duplicated + interleaved)
After: → ["img-src 'self'", "style-src 'self'", "script-src 'self'"]

Also fixes Mode 2: a directive that merges with a later existing entry no longer leaves an unmerged copy in front of the merged result.

Don't forget a changeset! Run pnpm changeset. — Added: .changeset/fix-csp-push-directive-duplicate.md

Testing

• Added a regression: issue #16594 suite in packages/astro/test/units/csp/runtime.test.ts covering:
  • Mode 1 — non-matching new directive appended exactly once.
  • Mode 2 — merge with a later match, no unmerged copy left behind.
  • Empty input list edge case.
  • Many non-matches: directive-name uniqueness asserted via a Map count.
  • Table-driven sweep across "non-match", "match in middle", "match at end" shapes, asserting both length and Set-based name uniqueness.
• All 11 tests in csp/runtime.test.ts pass locally (node --test test/units/csp/runtime.test.ts).

Docs

No docs change required — pushDirective is internal CSP runtime; public insertDirective() semantics are unchanged (this restores them to the documented behavior).

[changeset-bot]

🦋 Changeset detected

Latest commit: 13d4045

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[codspeed-hq]

Merging this PR will not alter performance

✅ 18 untouched benchmarks

---

_{Comparing web-dev0521:fix/csp-push-directive-duplicate-16594 (13d4045) with main (78f305e)¹}

Footnotes

1. No successful run was found on main (774542d) during the generation of this report, so 78f305e was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩