feat: add custom branding, air-gapped deployment script, and updated self-hosting docs

docs/self-hosting/aws.md

@@ -23,7 +23,8 @@ aws s3 website s3://your-bentopdf-bucket \
 ## Step 2: Build and Upload
 
 ```bash
-# Build the project
+# Build the project (optionally with custom branding)
+# VITE_BRAND_NAME="AcmePDF" VITE_BRAND_LOGO="images/acme-logo.svg" npm run build
 npm run build
 
 # Sync to S3
@@ -56,6 +57,62 @@ Or use the AWS Console:
 4. Default root object: `index.html`
 5. Create distribution
 
+## Step 3b: Response Headers Policy (Required for LibreOffice WASM)
+
+LibreOffice-based conversions (Word, Excel, PowerPoint to PDF) require `SharedArrayBuffer`, which needs specific response headers. Create a CloudFront Response Headers Policy:
+
+1. Go to CloudFront → Policies → Response headers
+2. Create a custom policy with these headers:
+
+| Header                         | Value          |
+| ------------------------------ | -------------- |
+| `Cross-Origin-Embedder-Policy` | `require-corp` |
+| `Cross-Origin-Opener-Policy`   | `same-origin`  |
+| `Cross-Origin-Resource-Policy` | `cross-origin` |
+
+3. Attach the policy to your distribution's default cache behavior
+
+Or via CLI:
+
+```bash
+aws cloudfront create-response-headers-policy \
+  --response-headers-policy-config '{
+    "Name": "BentoPDF-COEP-COOP",
+    "CustomHeadersConfig": {
+      "Quantity": 3,
+      "Items": [
+        {"Header": "Cross-Origin-Embedder-Policy", "Value": "require-corp", "Override": true},
+        {"Header": "Cross-Origin-Opener-Policy", "Value": "same-origin", "Override": true},
+        {"Header": "Cross-Origin-Resource-Policy", "Value": "cross-origin", "Override": true}
+      ]
+    }
+  }'
+```
+
+## Step 3c: S3 Metadata for Pre-Compressed WASM Files
+
+The LibreOffice WASM files are pre-compressed (`.wasm.gz`, `.data.gz`). Set the correct Content-Type and Content-Encoding so browsers decompress them:
+
+```bash
+# Set correct headers for soffice.wasm.gz
+aws s3 cp s3://your-bentopdf-bucket/libreoffice-wasm/soffice.wasm.gz \
+  s3://your-bentopdf-bucket/libreoffice-wasm/soffice.wasm.gz \
+  --content-type "application/wasm" \
+  --content-encoding "gzip" \
+  --metadata-directive REPLACE
+
+# Set correct headers for soffice.data.gz
+aws s3 cp s3://your-bentopdf-bucket/libreoffice-wasm/soffice.data.gz \
+  s3://your-bentopdf-bucket/libreoffice-wasm/soffice.data.gz \
+  --content-type "application/octet-stream" \
+  --content-encoding "gzip" \
+  --metadata-directive REPLACE
+```
+
+::: warning Important
+Without the response headers policy, `SharedArrayBuffer` is unavailable and LibreOffice WASM conversions will hang at ~55%. Without the correct Content-Encoding on the `.gz` files, the browser receives raw gzip bytes and WASM compilation fails.
+:::
+
 ## Step 4: S3 Bucket Policy
 
 Allow CloudFront to access the bucket:
@@ -94,11 +151,11 @@ Configure 404 to return `index.html` for SPA routing:
 
 ## Cost Estimation
 
-| Resource | Estimated Cost |
-|----------|----------------|
-| S3 Storage (~500MB) | ~$0.01/month |
-| CloudFront (1TB transfer) | ~$85/month |
-| CloudFront (10GB transfer) | ~$0.85/month |
+| Resource                   | Estimated Cost |
+| -------------------------- | -------------- |
+| S3 Storage (~500MB)        | ~$0.01/month   |
+| CloudFront (1TB transfer)  | ~$85/month     |
+| CloudFront (10GB transfer) | ~$0.85/month   |
 
 ::: tip
 Use S3 Intelligent Tiering for cost optimization on infrequently accessed files.
@@ -117,15 +174,15 @@ resource "aws_cloudfront_distribution" "bentopdf" {
     domain_name = aws_s3_bucket.bentopdf.bucket_regional_domain_name
     origin_id   = "S3Origin"
   }
-  
+
   enabled             = true
   default_root_object = "index.html"
-  
+
   default_cache_behavior {
     allowed_methods  = ["GET", "HEAD"]
     cached_methods   = ["GET", "HEAD"]
     target_origin_id = "S3Origin"
-    
+
     viewer_protocol_policy = "redirect-to-https"
   }
 }