infra: switch frontend to certified-assets snapshot wasm + sync plugin (#280)

## Summary
- Pulls `canister.wasm` and `plugin.wasm` from the
[dfinity/certified-assets `snapshot-pr69-7571cba`
release](https://github.com/dfinity/certified-assets/releases/tag/snapshot-pr69-7571cba)
via `url:` + `sha256:` so `icp` verifies integrity before use.
- Adds `public/_headers` and `public/_redirects` to exercise the new
asset-canister tooling's headers and redirects support.
- Drops `assets.toml` and the `files:` entry in `icp.yaml`. With
[certified-assets PR
#66](dfinity/certified-assets#66),
`Content-Type` is read directly from `_headers`, so the separate TOML
file is no longer needed. The single non-default override (`.did` →
`text/plain; charset=utf-8`) now lives in `public/_headers`.
- Drops `public/.ic-assets.json5` — the legacy `headers.Content-Type`
workaround (which produced duplicate `Content-Type` headers in the
certified response) is fully superseded.
- Bumps `icp-cli` to v0.2.7.

## Notes
- To demo cross-domain redirects: add a line like `/xxx
https://google.com 301` in `public/_redirects` and deploy — visiting
`/xxx` should bounce to `https://google.com`.

## Test plan
- [x] `icp deploy` downloads both wasms, verifies SHA256, and deploys
- [x] Headers in `public/_headers` are served on matching paths (CSP,
cache rules)
- [x] Same-origin redirects in `public/_redirects` resolve (e.g. `/*
/404.html 404`)
- [x] Cross-domain redirect works after adding `/xxx https://google.com
301`
- [x] `curl -I` on `*.md` returns `Content-Type: text/markdown;
charset=utf-8` (exactly one header)
- [x] `curl -I` on `*.did`, `*.sh`, and `llms.txt` returns
`Content-Type: text/plain; charset=utf-8` (exactly one header)

---------

Co-authored-by: Raymond Khalife <raymond.khalife@dfinity.org>

Author: lwshang

.github/workflows/deploy-ic.yml

@@ -37,7 +37,7 @@ jobs:
       - run: npm run build
 
       - name: Install icp-cli
-        run: npm i -g @icp-sdk/icp-cli@0.2.6 @icp-sdk/ic-wasm
+        run: npm i -g @icp-sdk/icp-cli@0.2.7 @icp-sdk/ic-wasm
 
       - name: Import deploy identity
         run: |

.github/workflows/preview-deployment.yml

@@ -41,7 +41,7 @@ jobs:
           python-version: "3.10"
 
       - name: Install icp-cli
-        run: npm i -g @icp-sdk/icp-cli@0.2.6 @icp-sdk/ic-wasm
+        run: npm i -g @icp-sdk/icp-cli@0.2.7 @icp-sdk/ic-wasm
 
       - run: npm ci
 

icp.yaml

@@ -1,10 +1,25 @@
+networks:
+  - name: local
+    mode: managed
+    gateway:
+      port: 0
+
 canisters:
   - name: frontend
-    recipe:
-      type: "@dfinity/asset-canister@v2.1.0"
-      configuration:
-        dir: dist
-        version: asset-canister-404-support
-        build:
-          - npm install
-          - npm run build
+    build:
+      steps:
+        - type: pre-built
+          url: https://github.com/dfinity/certified-assets/releases/download/snapshot-pr69-7571cba/canister.wasm
+          sha256: aaacb5c927deb57ebd1ec1108b22693b7622b2317ebf6f859f07b7b689aecf5b
+
+    sync:
+      steps:
+        - type: script
+          commands:
+            - npm install
+            - npm run build
+        - type: plugin
+          url: https://github.com/dfinity/certified-assets/releases/download/snapshot-pr69-7571cba/plugin.wasm
+          sha256: ee9a000ea6f3023f2996b4e9f7d2514298fe2c8fbd9e52e1c6fdf29536fa3628
+          dirs:
+            - dist

public/.ic-assets.json5

@@ -0,0 +1,38 @@
+# Cache-Control is intentionally NOT set on `/*` — `_headers` semantics
+# concatenate same-name headers across matching rules with `, `, so a global
+# default would corrupt the more-specific overrides below (e.g.
+# `public, max-age=0, must-revalidate, public, max-age=31536000, immutable`).
+# Pages not covered by a specific rule fall back to browser heuristic caching.
+#
+# Starlight uses inline <script> tags for theme toggle, mobile menu,
+# sidebar state, and search. 'unsafe-inline' is required for these.
+# Pagefind search uses WebAssembly, which requires 'wasm-unsafe-eval'.
+# 'unsafe-eval' is required by the Matomo Cloud tracker (matomo.js bundles
+# plugins such as Form Analytics or Heatmaps that call eval() internally).
+# Better long-term fix: disable those plugins in the Matomo Cloud dashboard
+# so the bundled matomo.js no longer needs eval(), then remove 'unsafe-eval'.
+/*
+  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' https://cdn.matomo.cloud https://widget.kapa.ai https://metrics.kapa.ai https://hcaptcha.com https://*.hcaptcha.com; style-src 'self' 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com; img-src 'self' data: https://www.plantuml.com https://widget.kapa.ai https://www.google.com https://*.gstatic.com; font-src 'self' data:; connect-src 'self' https://icp0.io https://*.icp0.io https://internetcomputer.matomo.cloud https://proxy.kapa.ai https://metrics.kapa.ai https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://hcaptcha.com https://*.hcaptcha.com; frame-src https://hcaptcha.com https://*.hcaptcha.com; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; upgrade-insecure-requests
+  X-Content-Type-Options: nosniff
+  Referrer-Policy: strict-origin-when-cross-origin
+  Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
+
+# Astro hashed bundles — fingerprinted, safe to cache forever.
+/_astro/*
+  Cache-Control: public, max-age=31536000, immutable
+
+# Agent-friendly markdown endpoints — short cache so updates propagate quickly.
+/*.md
+  Cache-Control: public, max-age=300
+
+# llms.txt and other plain-text endpoints — short cache.
+/*.txt
+  Cache-Control: public, max-age=300
+
+# Install scripts — fetched fresh on every `curl | sh`, so no long-lived cache.
+/*.sh
+  Cache-Control: public, max-age=0, must-revalidate
+
+# Candid interface files (e.g., ic.did) — plain text
+/*.did
+  Content-Type: text/plain; charset=utf-8