Harden unauthenticated asset routing
Pre-release
Pre-release
What's Changed
- Restricted unauthenticated static assets to explicit owned files and directories
- Blocked extension-suffixed protected API and upload paths before endpoint routing
- Restored the pre-login certificate bootstrap and flattened PWA icon aliases