fix(opencode): allow Ghostty WASM data URLs in web CSP

[mxl]

Issue for this PR

Closes #26001
Closes #21088

Related to #9185, #9420, and #5237.

Type of change

• Bug fix
• New feature
• Refactor / code improvement
• Documentation

What does this PR do?

Fixes web UI CSP handling for the embedded app and Ghostty web terminal.

Ghostty loads its WASM runtime from a data:application/wasm;base64,... URL. The current CSP blocks that through connect-src, so this PR allows data: there.

The embedded UI path also used a static CSP that did not include the hash for the inline oc-theme-preload-script. This PR generates embedded HTML CSP from the actual inline script body, matching the proxied HTML behavior.

It also avoids falling back to index.html for missing asset-like embedded paths, so missing .wasm, .js, .css, and /assets/... requests return 404 instead of HTML.

How did you verify your code works?

Ran:

• cd packages/app && bun typecheck
• cd packages/opencode && bun typecheck
• cd packages/opencode && bun test test/server/httpapi-ui.test.ts

The pre-push hook also ran bun turbo typecheck successfully.

The fix was also verified in browser against the reported failure: the terminal opens after allowing data: in connect-src.

Screenshots / recordings

No screenshot. This is a CSP/server response fix.

Checklist

• I have tested my changes locally
• I have not included unrelated changes in this PR

[github-actions]

Thanks for updating your PR! It now meets our contributing guidelines. 👍

[mxl]

Duplicates #25937