test: add E2E security tests for origin validation

Adds comprehensive E2E tests to verify security infrastructure:

1. Sandbox Security
   - Verifies valid messages are not rejected (asserts on rejection logs)
   - Verifies host does not log unknown source warnings
   - Tests app-to-host message reception
   - Checks iframe sandbox attributes on both outer and inner iframes

2. Host Resilience
   - Tests host UI loads with servers
   - Verifies server count display

3. Origin Validation Infrastructure
   - Tests CSP logging is active
   - Verifies round-trip app communication
   - Checks iframe isolation via sandbox attributes

4. Security Self-Test
   - Verifies sandbox security self-test passes (window.top inaccessible)
   - Confirms referrer validation allows localhost

Note: True cross-origin attack testing would require a multi-origin
test setup. These tests verify the security infrastructure is in place
and functioning correctly for valid communication paths.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: ochafik

src/message-transport.ts

@@ -73,7 +73,7 @@ export class PostMessageTransport implements Transport {
    */
   constructor(
     private eventTarget: Window = window.parent,
-    private eventSource?: MessageEventSource,
+    private eventSource: MessageEventSource,
   ) {
     this.messageListener = (event) => {
       if (eventSource && event.source !== this.eventSource) {

src/react/useApp.tsx

@@ -117,7 +117,10 @@ export function useApp({
 
     async function connect() {
       try {
-        const transport = new PostMessageTransport(window.parent);
+        const transport = new PostMessageTransport(
+          window.parent,
+          window.parent,
+        );
         const app = new App(appInfo, capabilities);
 
         // Register handlers BEFORE connecting