fix: avoid script dedup key collisions #39

Open
saschabuehrle wants to merge 1 commit into CopilotKit:main from saschabuehrle:fix/issue-37-script-dedup-key

@saschabuehrle

Fixes #37

The script dedup key was truncated to 16 chars, which can collide for scripts with similar prefixes. This uses the full base64 key so different scripts no longer share the same exec marker.

Greetings, saschabuehrle

@JiwaniZakir left a comment

The fix correctly addresses the dedup key collision by removing .slice(0, 16) in widget-renderer.tsx, but it introduces a different concern: btoa(key) can produce characters like +, /, and = that are technically invalid in HTML attribute names. While most browsers handle getAttribute/setAttribute leniently with these characters, relying on that behavior is fragile. Consider using a URL-safe base64 variant (replacing + with -, / with _, and stripping =) or a simple hash function instead.

Additionally, when scriptInfo.text contains a large inline script, the full base64 of that content becomes the attribute name — potentially a very long string. A short, collision-resistant hash (e.g., a 32-bit FNV or even a truncated SHA-256 via crypto.subtle) would be both safer and more efficient here. The original .slice(0, 16) was trying to keep attribute names manageable; the right fix is to use a proper hash rather than truncated base64.
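
Added example, not code from this PR or from CopilotKit: the following compares the key schemes discussed in this thread (16-char truncated base64, full base64, URL-safe base64, 32-bit FNV-1a) on two constructed scripts that share a prefix. `ATTR_PREFIX`, the function names and the sample scripts are assumptions made for illustration.

```javascript
// Added illustration; all names are hypothetical, not taken from widget-renderer.tsx.
const ATTR_PREFIX = "data-exec-"; // assumed marker prefix

// Behaviour the PR removes: base64 of the script key, cut to 16 chars.
// 16 base64 chars encode only the first 12 bytes of the input.
function truncatedKey(text) {
  return btoa(text).slice(0, 16);
}

// Behaviour the PR introduces: the full base64 string.
function fullKey(text) {
  return btoa(text);
}

// Review option 1: URL-safe base64 ('+' -> '-', '/' -> '_', strip '=').
function urlSafeKey(text) {
  return btoa(text).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Review option 2: 32-bit FNV-1a over the UTF-8 bytes, as 8 hex chars.
// Fixed length, but not cryptographic: a 32-bit space can still collide.
function fnv1aKey(text) {
  let h = 0x811c9dc5; // FNV offset basis
  for (const byte of new TextEncoder().encode(text)) {
    h ^= byte;
    h = Math.imul(h, 0x01000193) >>> 0; // multiply by FNV prime, keep unsigned
  }
  return h.toString(16).padStart(8, "0");
}

// Conservative check: only letters, digits, '-' and '_' in the attribute name.
function isSafeAttrName(name) {
  return /^[A-Za-z][A-Za-z0-9_-]*$/.test(name);
}

// Constructed sample scripts; they share their first 12 bytes ("window.init(").
const scriptA = "window.init({theme:'dark'});";
const scriptB = "window.init({theme:'light'});";

function report() {
  return [truncatedKey, fullKey, urlSafeKey, fnv1aKey].map((fn) => ({
    scheme: fn.name,
    collides: fn(scriptA) === fn(scriptB),
    safeName: isSafeAttrName(ATTR_PREFIX + fn(scriptA)),
    length: fn(scriptA).length,
  }));
}

console.log(report());
```

The full and URL-safe base64 keys grow with the script length, while the FNV-1a key stays at 8 characters.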

Development

Successfully merging this pull request may close these issues.

Script dedup key truncation may cause collisions

2 participants