fix: use CSS custom property for timing bar width to bypass CSP blocking

Inline style= attributes containing property:value pairs are blocked by
strict style-src-attr CSP. CSS custom properties (--foo:value) set via
style= are treated as data not styles and are not subject to this
restriction. The width is now resolved in the stylesheet via
var(--bar-w, 100%) so CSP cannot interfere.

public/app.js

@@ -710,7 +710,7 @@ function renderStatusPanel(data, panel) {
       html += `
           <div class="timing-row">
             <span class="timing-label">${escapeHtml(t.label)}</span>
-            <div class="timing-bar-bg"><div class="timing-bar" style="width:${barWidth.toFixed(1)}%"></div></div>
+            <div class="timing-bar-bg"><div class="timing-bar" style="--bar-w:${barWidth.toFixed(1)}%"></div></div>
             <span class="timing-value">${t.ms}ms</span>
           </div>`;
     }

public/style.css

@@ -952,6 +952,7 @@ body {
 
 .timing-bar {
   height: 100%;
+  width: var(--bar-w, 100%);
   background: var(--accent);
   border-radius: 4px;
   min-width: 2px;