
fix(userfront): prevent public env asset request

2026-05-15 14:31:14 +09:00
parent 4346f48bbe
commit 14fb155cd9
7 changed files with 228 additions and 29 deletions


@@ -13,6 +13,10 @@ if rg -n "FontLoader|assets/fonts/NotoSansKR|_loadBundledFonts" userfront/lib us
fail "userfront must not block first render on bundled NotoSansKR font loading"
fi
if rg -n "dotenv\.load|touch \.env" userfront/lib/main.dart userfront/Dockerfile; then
fail "userfront web startup must not request or create public .env assets"
fi
if rg -n "fontFamily:\s*['\"]NotoSansKR['\"]" userfront/lib; then
fail "userfront theme must use the platform default font"
fi
@@ -34,6 +38,9 @@ rg -q "nginx-mod-http-brotli" userfront/Dockerfile || fail "runtime image must i
rg -Fq "main\\.dart\\.[0-9a-f]{12}" userfront/nginx.conf || fail "hashed app entrypoints must use immutable cache"
rg -q "brotli_static\s+on;" userfront/nginx.conf || fail "nginx must serve pre-compressed brotli assets"
rg -q "brotliCompressSync" userfront/scripts/optimize-web-build.mjs || fail "Docker build optimization must generate brotli assets"
rg -q "modulepreload" userfront/scripts/optimize-web-build.mjs || fail "Docker build optimization must preload wasm module entrypoints"
rg -q "canvasKitBaseUrl:\"canvaskit/\"" userfront/scripts/optimize-web-build.mjs || fail "userfront web build must force local CanvasKit instead of fetching engine resources from a CDN"
rg -q "_flutter\.loader\.load\(\{config:\{canvasKitBaseUrl:\"canvaskit/\"\}\}\);" userfront/scripts/optimize-web-build.mjs || fail "Flutter service worker registration must be removed from cold path"
if rg -n "gzip|gzipSync|\\.gz" userfront/nginx.conf userfront/scripts/optimize-web-build.mjs; then
fail "userfront web compression must be managed as brotli-only"
fi
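Review bot: The `.env` guard in the first hunk (`rg -n "dotenv\.load|touch \.env" userfront/lib/main.dart userfront/Dockerfile`) inspects only two files, so a `dotenv.load` call placed in any other Dart file under `userfront/lib` would pass the check while the web build still requests a publicly served `.env`. The font checks beside it already scan the whole `userfront/lib` tree, and the same scope here closes that gap: `if rg -n "dotenv\.load|touch \.env" userfront/lib userfront/Dockerfile; then`. The pattern also does not cover other ways the file could reach the web root, such as a `COPY` of `.env` in the Dockerfile or an entry in the package's asset list, so an assertion that the built output contains no `.env` would be a stronger backstop; whether another part of this script already does that cannot be seen from the hunks shown. A one-line comment above the check would record the reason, e.g. `# anything bundled as a web asset is world-readable, so .env must never be loaded or created for the web build`.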