cross-cutting: CORS/origin diagnostics + dev-mode snippet fetch

[productdevbook]

Wrong key, origin not whitelisted, CSP blocked — all fail silently. Surface them.

Evidence

• `Access From my Origin is Being Blocked By Cors Policy  tawk/tawk-messenger-react#15` — "CORS blocked" Access From my Origin is Being Blocked By Cors Policy  tawk/tawk-messenger-react#15
• `Error 400 https://ekr.zdassets.com/compose/ B3nnyL/react-zendesk#37`/`zendesk: JWT loginUser with callback + errorCallback (auth refresh flow) #20`
• `Erro 400 compose/key dansmaculotte/vue-zendesk#54`/`Design pillar: consent mode / GDPR-safe deferred load #7`
• Generic CSP: every provider

Tasks

• In dev, fetch the snippet URL once pre-load and report non-200s with human-readable cause
• Listen to `document.addEventListener('securitypolicyviolation', ...)` and warn if blocked directive comes from provider domain
• `ahize.diagnostics()` returns a report (latency, CSP violations, cookie state)

[productdevbook]

Implemented in this commit