sx-http: block .assets/ and .map files from static serving

Prevents serving WASM build artifacts and source maps.
.assets/ directories and .map files return 403 Forbidden.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:36:10 +00:00
parent f905ff287c
commit e756ff847f


@@ -1562,7 +1562,16 @@ let serve_static_file static_dir url_path =
let rel = String.sub url_path 8 (String.length url_path - 8) in
let rel = match String.index_opt rel '?' with
| Some i -> String.sub rel 0 i | None -> rel in
if String.contains rel '\x00' || (String.length rel > 1 && String.sub rel 0 2 = "..") then
let has_substring s sub =
let slen = String.length s and sublen = String.length sub in
if sublen > slen then false
else let rec check i = if i > slen - sublen then false
else if String.sub s i sublen = sub then true else check (i + 1)
in check 0
in
if String.contains rel '\x00' || (String.length rel > 1 && String.sub rel 0 2 = "..")
|| has_substring rel ".assets/"
|| Filename.check_suffix rel ".map" then
http_response ~status:403 "Forbidden"
else
let file_path = static_dir ^ "/" ^ rel in
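Review bot: The deny checks in the new `if` run against the raw request string, so the guard is narrower than it looks: `String.sub rel 0 2 = ".."` only rejects a path that begins with `..` and lets a `..` segment further along reach `static_dir ^ "/" ^ rel`, and the `.assets/` and `.map` comparisons are case-sensitive, which matters if the files sit on a case-insensitive filesystem. Checking per path segment on a lower-cased copy closes both gaps and makes the hand-written `has_substring` helper unnecessary; note that the version below additionally blocks a final segment ending in `.assets`. Whether `url_path` is already percent-decoded before this point is not visible in the hunk and should be confirmed, since an encoded dot or slash would be compared literally here. `serve_static_file` starts above and continues below the hunk.

```ocaml
(* … unchanged: rel extraction and query-string stripping … *)
let lower = String.lowercase_ascii rel in
let blocked_segment seg =
  String.equal seg ".." || Filename.check_suffix seg ".assets" in
if String.contains rel '\x00'
   || List.exists blocked_segment (String.split_on_char '/' lower)
   || Filename.check_suffix lower ".map" then
  http_response ~status:403 "Forbidden"
else
  (* … unchanged: file_path construction and file serving … *)
```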