Explorer + Snap: nginx /snap 200, runbook, apply-nginx script, verify docs

Co-authored-by: Cursor <cursoragent@cursor.com>

scripts/fix-nginx-serve-custom-frontend.sh

@@ -55,12 +55,25 @@ server {
     }
 
     # Serve custom frontend for root path (no-cache so fixes show after refresh)
+    # CSP with unsafe-eval required by ethers.js v5 (NPM proxies to port 80)
     location = / {
         root /var/www/html;
         add_header Cache-Control "no-store, no-cache, must-revalidate";
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: https:; font-src 'self' https://cdnjs.cloudflare.com; connect-src 'self' https://explorer.d-bis.org wss://explorer.d-bis.org https://rpc-http-pub.d-bis.org wss://rpc-ws-pub.d-bis.org http://192.168.11.221:8545 ws://192.168.11.221:8546;" always;
         try_files /index.html =404;
     }
 
+    location = /favicon.ico {
+        root /var/www/html;
+        try_files /favicon.ico =404;
+        add_header Cache-Control "public, max-age=86400";
+    }
+    location = /apple-touch-icon.png {
+        root /var/www/html;
+        try_files /apple-touch-icon.png =404;
+        add_header Cache-Control "public, max-age=86400";
+    }
+
     # Serve static assets
     location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
         root /var/www/html;
@@ -105,6 +118,29 @@ server {
         try_files /index.html =404;
     }
 
+    # Chain 138 MetaMask Snap companion site (SPA at /snap/)
+    # /snap (no trailing slash) -> internal redirect so client gets 200 with content
+    location = /snap {
+        rewrite ^ /snap/ last;
+    }
+    location /snap/ {
+        alias /var/www/html/snap/;
+        try_files $uri $uri/ /snap/index.html;
+        add_header Cache-Control "no-store, no-cache, must-revalidate";
+    }
+
+    # Icons (exact match to avoid 404s)
+    location = /favicon.ico {
+        root /var/www/html;
+        try_files /favicon.ico =404;
+        add_header Cache-Control "public, max-age=86400";
+    }
+    location = /apple-touch-icon.png {
+        root /var/www/html;
+        try_files /apple-touch-icon.png =404;
+        add_header Cache-Control "public, max-age=86400";
+    }
+
     # Serve static assets
     location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
         root /var/www/html;
@@ -146,7 +182,7 @@ server {
         proxy_connect_timeout 75s;
     }
 
-    # All other paths serve custom frontend
+    # All other paths serve custom frontend (SPA fallback via try_files)
     location / {
         root /var/www/html;
         try_files $uri $uri/ /index.html;
@@ -221,10 +257,10 @@ else
     echo "   ./scripts/deploy-frontend-to-vmid5000.sh"
 fi
 
-# Test HTTP endpoint
+# Test HTTP endpoint (non-fatal: do not exit on curl/grep failure)
 echo ""
 echo "Testing HTTP endpoint:"
-HTTP_RESPONSE=$(curl -s http://localhost/ 2>/dev/null | head -5)
+HTTP_RESPONSE=$(curl -s --max-time 5 http://localhost/ 2>/dev/null | head -5) || true
 if echo "$HTTP_RESPONSE" | grep -q "SolaceScanScout\|<!DOCTYPE html"; then
     echo "✅ Custom frontend is accessible via HTTP"
 else