chore(docs): add Content-Security-Policy headers

[marc0olo]

The docs site currently has no CSP headers. The portal has a comprehensive CSP in its .ic-assets.json — we should add one for the docs site too.

Directives to account for:

• script-src: 'self', 'unsafe-inline' (Starlight head scripts), Matomo domains
• connect-src: 'self' (Pagefind), Matomo domains
• style-src: 'self', 'unsafe-inline' (Starlight inline styles)
• font-src: 'self' (CircularXX)
• img-src: 'self', data:
• default-src: 'self'
• object-src: 'none'
• base-uri: 'self'
• frame-ancestors: 'none'
• form-action: 'self'
• upgrade-insecure-requests

Reference: portal's CSP in static/.ic-assets.json