Adds the boolean field consumed by the upcoming Shadow DOM mount path.
Strict equality with the string "true" — anything else (absent, "false",
"1", "yes", empty) yields false, so accidental opt-in is impossible.
Tests cover the full parseConfig surface (required fields, server-url
derivation, position default) plus the new shadow attribute parsing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add vitest 4.1, jsdom 25, and @testing-library/preact as devDeps so the
widget gets a real test surface for the upcoming Shadow DOM mount work.
- vitest.config.ts mirrors the build aliases (preact/compat) and uses
jsdom for DOM-touching tests.
- tests/setup.ts is the place to add polyfills as the surface grows.
- tests/unit/smoke.test.ts confirms vitest runs, jsdom is wired, and
Shadow DOM API is available.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Match the bot-side hardening
(serge/messenger-bot feat/webchat-auth-hardening): credentials no longer
leak via URL query strings.
* WebSocket handshake uses Sec-WebSocket-Protocol subprotocols
(messenzy.v1, messenzy-bot.<id>, messenzy-visitor.<id>,
messenzy-key.<key>) — the browser WebSocket ctor doesn't accept
custom headers, so subprotocols are the standard pattern.
* HTTP fallback (/webchat/msg, /webchat/history) uses
`Authorization: Bearer <apiKey>` — fetch supports custom headers.
* botId/visitorId stay in body/query as public identifiers; only the
apiKey moves off the URL.
No public API change — `createTransport(opts)` takes the same
TransportOpts as before.