infra: switch frontend to certified-assets snapshot wasm + sync plugin

.github/workflows/deploy-ic.yml

@@ -37,7 +37,7 @@ jobs:
       - run: npm run build
 
       - name: Install icp-cli
-        run: npm i -g @icp-sdk/icp-cli@0.2.6 @icp-sdk/ic-wasm
+        run: npm i -g @icp-sdk/icp-cli@0.2.7 @icp-sdk/ic-wasm
 
       - name: Import deploy identity
         run: |

.github/workflows/preview-deployment.yml

@@ -41,7 +41,7 @@ jobs:
           python-version: "3.10"
 
       - name: Install icp-cli
-        run: npm i -g @icp-sdk/icp-cli@0.2.6 @icp-sdk/ic-wasm
+        run: npm i -g @icp-sdk/icp-cli@0.2.7 @icp-sdk/ic-wasm
 
       - run: npm ci
 

icp.yaml

@@ -1,10 +1,25 @@
+networks:
+  - name: local
+    mode: managed
+    gateway:
+      port: 0
+
 canisters:
   - name: frontend
-    recipe:
-      type: "@dfinity/asset-canister@v2.1.0"
-      configuration:
-        dir: dist
-        version: asset-canister-404-support
-        build:
-          - npm install
-          - npm run build
+    build:
+      steps:
+        - type: pre-built
+          url: https://github.com/dfinity/certified-assets/releases/download/snapshot-pr69-7571cba/canister.wasm
+          sha256: aaacb5c927deb57ebd1ec1108b22693b7622b2317ebf6f859f07b7b689aecf5b
+
+    sync:
+      steps:
+        - type: script
+          commands:
+            - npm install
+            - npm run build
+        - type: plugin
+          url: https://github.com/dfinity/certified-assets/releases/download/snapshot-pr69-7571cba/plugin.wasm
+          sha256: ee9a000ea6f3023f2996b4e9f7d2514298fe2c8fbd9e52e1c6fdf29536fa3628
+          dirs:
+            - dist

public/_headers

@@ -0,0 +1,38 @@
+# Cache-Control is intentionally NOT set on `/*` — `_headers` semantics
+# concatenate same-name headers across matching rules with `, `, so a global
+# default would corrupt the more-specific overrides below (e.g.
+# `public, max-age=0, must-revalidate, public, max-age=31536000, immutable`).
+# Pages not covered by a specific rule fall back to browser heuristic caching.
+#
+# Starlight uses inline <script> tags for theme toggle, mobile menu,
+# sidebar state, and search. 'unsafe-inline' is required for these.
+# Pagefind search uses WebAssembly, which requires 'wasm-unsafe-eval'.
+# 'unsafe-eval' is required by the Matomo Cloud tracker (matomo.js bundles
+# plugins such as Form Analytics or Heatmaps that call eval() internally).
+# Better long-term fix: disable those plugins in the Matomo Cloud dashboard
+# so the bundled matomo.js no longer needs eval(), then remove 'unsafe-eval'.
+/*
+  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' https://cdn.matomo.cloud https://widget.kapa.ai https://metrics.kapa.ai https://hcaptcha.com https://*.hcaptcha.com; style-src 'self' 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com; img-src 'self' data: https://www.plantuml.com https://widget.kapa.ai https://www.google.com https://*.gstatic.com; font-src 'self' data:; connect-src 'self' https://icp0.io https://*.icp0.io https://internetcomputer.matomo.cloud https://proxy.kapa.ai https://metrics.kapa.ai https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://hcaptcha.com https://*.hcaptcha.com; frame-src https://hcaptcha.com https://*.hcaptcha.com; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; upgrade-insecure-requests
+  X-Content-Type-Options: nosniff
+  Referrer-Policy: strict-origin-when-cross-origin
+  Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
+
+# Astro hashed bundles — fingerprinted, safe to cache forever.
+/_astro/*
+  Cache-Control: public, max-age=31536000, immutable
+
+# Agent-friendly markdown endpoints — short cache so updates propagate quickly.
+/*.md
+  Cache-Control: public, max-age=300
+
+# llms.txt and other plain-text endpoints — short cache.
+/*.txt
+  Cache-Control: public, max-age=300
+
+# Install scripts — fetched fresh on every `curl | sh`, so no long-lived cache.
+/*.sh
+  Cache-Control: public, max-age=0, must-revalidate
+
+# Candid interface files (e.g., ic.did) — plain text
+/*.did
+  Content-Type: text/plain; charset=utf-8