#21667: fix(canvas): add CSP and security headers to HTML responses

by AI-Reviewer-QS, open, 2026-02-20 07:02
size: XS
## Summary

- Add `Content-Security-Policy`, `X-Frame-Options`, and `X-Content-Type-Options` headers to all HTML responses served by the canvas host in `src/canvas-host/server.ts`.
- CSP allows `'unsafe-inline'` for scripts and styles because the injected action bridge (`injectCanvasLiveReload`) and the default index page use inline `<script>` and `<style>` blocks.
- Headers are applied to both the normal HTML file serving path and the 404 "missing file" HTML fallback.

## Test plan

- [x] Verified the injected live-reload/action-bridge script uses inline `<script>` tags, confirming `'unsafe-inline'` is needed in `script-src`
- [x] Verified the default index HTML uses inline `<style>` tags, confirming `'unsafe-inline'` is needed in `style-src`
- [x] Formatter and linter pass with no warnings

### Greptile Summary

Added `Content-Security-Policy`, `X-Frame-Options`, and `X-Content-Type-Options` headers to all HTML responses served by the canvas host. The CSP policy correctly allows `'unsafe-inline'` for scripts and styles, which is necessary because the live-reload injection (`injectCanvasLiveReload`) adds inline `<script>` tags and the default index page includes inline `<style>` blocks. Headers are properly applied to both the normal HTML file serving path and the 404 fallback response.

### Confidence Score: 5/5

- This PR is safe to merge with no identified risks
- The security headers are correctly implemented with appropriate CSP directives that match the actual usage patterns (inline scripts/styles). The changes are minimal, focused, and properly cover all HTML response paths. Import reordering is cosmetic and follows standard conventions.
- No files require special attention

Last reviewed commit: 4f837f1
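As an added example, not code from this PR or from the canvas host project, the following shows the shape of change the summary describes: a header set for HTML responses (including the 404 fallback), a gate that leaves non-HTML responses untouched, and a small CSP parser that reports whether an inline `<script>` would run under a given policy. The exact directive list, and the names `htmlSecurityHeaders`, `parseCsp`, `inlineScriptAllowed` and `headersFor`, are assumptions; the PR text does not give the project's actual policy string.

```typescript
// Added example, not the PR's code. Directive list and function names are assumed.
type SecurityHeaders = Record<string, string>;

// Header set for HTML responses (normal file path and the 404 fallback alike).
// 'unsafe-inline' is kept because the injected action bridge and the default
// index page use inline <script>/<style>, as the PR summary states.
function htmlSecurityHeaders(): SecurityHeaders {
  return {
    "Content-Security-Policy": [
      "default-src 'self'",
      "script-src 'self' 'unsafe-inline'",
      "style-src 'self' 'unsafe-inline'",
      "object-src 'none'",
    ].join("; "),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
  };
}

// Only HTML bodies get the headers; JSON, JS and image responses are left as-is.
function headersFor(contentType: string): SecurityHeaders {
  return /^text\/html\b/i.test(contentType) ? htmlSecurityHeaders() : {};
}

// Parse a CSP header value into directive name -> source list.
function parseCsp(policy: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out.set(name.toLowerCase(), sources);
  }
  return out;
}

// Report whether an inline <script> executes under the policy, and why.
// script-src falls back to default-src when absent, as the CSP spec requires,
// and a nonce or hash source disables 'unsafe-inline' (CSP level 2+), so it wins.
function inlineScriptAllowed(policy: string): "unsafe-inline" | "nonce-or-hash" | "blocked" {
  const csp = parseCsp(policy);
  const sources = (csp.get("script-src") ?? csp.get("default-src") ?? []).map((s) => s.toLowerCase());
  if (sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s))) return "nonce-or-hash";
  if (sources.includes("'unsafe-inline'")) return "unsafe-inline";
  return "blocked";
}
```

Running `inlineScriptAllowed` over a candidate policy before shipping it is a quick way to confirm the test-plan claim that the bridge script would be blocked without `'unsafe-inline'`.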