Design pillar: CSP nonce support + per-provider directive catalog

[productdevbook]

Strict CSP breaks every competitor. We ship nonce-aware injection and a documented directive catalog per provider.

Evidence

• `Ability to add a nonce to the script tag crisp-im/crisp-sdk-web#31` — "Ability to add a nonce to the script tag" (closed without fix) Ability to add a nonce to the script tag crisp-im/crisp-sdk-web#31
• `Get A mirror in vue3 crisp-im/crisp-sdk-web#5` — "Refused to load l.js — violates CSP" Get A mirror in vue3 crisp-im/crisp-sdk-web#5
• `Add nonce support B3nnyL/react-zendesk#35` — "Add nonce support" Add nonce support B3nnyL/react-zendesk#35
• `Refused to connect to wss://widget-mediator.zopim.com/s/W/ws/xxxxxx/c/yyyyy because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy dansmaculotte/vue-zendesk#36` — "Refused to connect to wss://widget-mediator.zopim.com — connect-src" Refused to connect to wss://widget-mediator.zopim.com/s/W/ws/xxxxxx/c/yyyyy because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy dansmaculotte/vue-zendesk#36
• HubSpot Community — "CSP without unsafe-inline" https://community.hubspot.com/t5/APIs-Integrations/Content-Security-Policy-without-unsafe-inline-or-unsafe-hashes/m-p/1068354
• `fix: add postMessage origin validation in widget SDK chatwoot/chatwoot#13240` — postMessage origin validation in widget SDK fix: add postMessage origin validation in widget SDK chatwoot/chatwoot#13240

Contract

1. `load({ nonce: string })` applied to every `<script>` and injected `<style>` tag.
2. `cspDirectives(provider)` helper that returns per-provider `Record<'script-src' | 'connect-src' | 'frame-src' | 'style-src' | 'img-src', string[]>` — merge-able into the app's policy.
3. Documentation page `docs/csp.md` with exact directive set per provider including WSS endpoints (e.g. `wss://nexus-websocket-*.intercom.io`, `wss://client.relay.crisp.chat`, `wss://widget-mediator.zopim.com`, `wss:///cable`).
4. Runtime dev-mode warning if we detect a CSP blocked message via `securitypolicyviolation` event.

[productdevbook]

Implemented in this commit