feat: add allow insecure connections toggle in system settings

Block ws:// relay connections and http:// resource loading by default
to prevent browser mixed content warnings. When blocked, resources
show clickable URL links instead of error placeholders so users can
open them manually.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/lib/smart-pool.ts

@@ -1,5 +1,7 @@
+import storage from '@/services/local-storage.service'
 import { SimplePool } from 'nostr-tools'
 import { AbstractRelay } from 'nostr-tools/abstract-relay'
+import { isInsecureUrl } from './url'
 
 const DEFAULT_CONNECTION_TIMEOUT = 10 * 1000 // 10 seconds
 const CLEANUP_THRESHOLD = 15 // number of relays to trigger cleanup
@@ -17,6 +19,9 @@ export class SmartPool extends SimplePool {
   }
 
   ensureRelay(url: string): Promise<AbstractRelay> {
+    if (!storage.getAllowInsecureConnection() && isInsecureUrl(url)) {
+      return Promise.reject(new Error(`Insecure relay connection blocked: ${url}`))
+    }
     // If relay is new and we have many relays, trigger cleanup
     if (!this.relayIdleTracker.has(url) && this.relayIdleTracker.size > CLEANUP_THRESHOLD) {
       this.cleanIdleRelays()

src/lib/url.ts

@@ -7,6 +7,15 @@ export function isWebsocketUrl(url: string): boolean {
   }
 }
 
+export function isInsecureUrl(url: string): boolean {
+  try {
+    const protocol = new URL(url).protocol
+    return protocol === 'ws:' || protocol === 'http:'
+  } catch {
+    return false
+  }
+}
+
 export function isOnionUrl(url: string): boolean {
   try {
     const hostname = new URL(url).hostname