feat(server): WEBJS_PUBLIC_* env vars accessible as process.env.* in browser

Adds an SSR-injected inline script that defines window.process.env
with all server-side env vars whose name starts with WEBJS_PUBLIC_,
plus NODE_ENV based on dev/prod mode. Counterpart of Next.js's
NEXT_PUBLIC_ convention, without a build step.

Two consequences:
* App code can write process.env.WEBJS_PUBLIC_API_URL in components
  and the value is available at runtime in the browser. No props
  threading required for things like Stripe publishable keys,
  analytics IDs, Sentry DSN.
* Vendor bundles that probe process.env.NODE_ENV (lit, react, etc.)
  no longer throw ReferenceError in the browser. Fixes a latent bug.

Security: only WEBJS_PUBLIC_* prefixed vars cross the wire. Other
server env vars stay on the server. Values are JSON-encoded and
'</' sequences are escaped so a value containing '</script>'
cannot terminate the inline script tag.

The shim emits before importMapTag() so it runs before any vendor
bundle or user module executes. CSP nonces, when present on the
request, propagate to the shim script tag.

Author: vivek7405

packages/server/src/ssr.js

@@ -601,6 +601,45 @@ function collectHoistedHeadTags(bodyHtml) {
  *
  * @param {{ metadata: Record<string,any>, moduleUrls: string[], dev: boolean, streaming: boolean, preloads?: string[], lazyComponents?: Record<string, string>, nonce?: string }} opts
  */
+/**
+ * Build an inline `<script>` that exposes server-side environment
+ * variables to the browser via `window.process.env`. Two purposes:
+ *
+ *   1. App code can read `process.env.WEBJS_PUBLIC_X` directly in
+ *      components (counterpart of Next.js's `NEXT_PUBLIC_` prefix,
+ *      but without a build step).
+ *   2. `process.env.NODE_ENV` is defined for vendor bundles that
+ *      probe it (lit, react, etc.) so they do not throw
+ *      ReferenceError in the browser.
+ *
+ * Only variables whose name starts with `WEBJS_PUBLIC_` are exposed.
+ * Other server env vars stay on the server.
+ *
+ * `</...` sequences in stringified values are escaped so an env value
+ * containing `</script>` cannot terminate the inline script tag.
+ *
+ * @param {{ dev: boolean, nonce?: string, env?: Record<string, string|undefined> }} opts
+ *   `env` defaults to `process.env`. Override for tests.
+ * @returns {string}
+ */
+export function publicEnvShim(opts) {
+  const source = opts.env || process.env;
+  /** @type {Record<string, string>} */
+  const env = {};
+  for (const [k, v] of Object.entries(source)) {
+    if (k.startsWith('WEBJS_PUBLIC_') && v !== undefined) {
+      env[k] = String(v);
+    }
+  }
+  env.NODE_ENV = opts.dev ? 'development' : 'production';
+  const json = JSON.stringify(env).replace(/<\//g, '<\\/');
+  const n = opts.nonce ? ` nonce="${escapeAttr(opts.nonce)}"` : '';
+  return `<script${n}>`
+    + `window.process=window.process||{};`
+    + `window.process.env=Object.assign(window.process.env||{},${json});`
+    + `</script>`;
+}
+
 function wrapHead(opts) {
   // CSP nonce: if provided, all inline <script> tags get nonce="…" so they
   // pass strict Content-Security-Policy headers. The nonce is extracted from
@@ -973,6 +1012,7 @@ function wrapHead(opts) {
 <meta charset="utf-8">
 ${metaTags.join('\n')}
 <title>${escapeHtml(title)}</title>
+${publicEnvShim({ dev: opts.dev, nonce: opts.nonce })}
 ${importMapTag()}
 ${linkTags.join('\n')}
 ${boot}