fix: harden web bridge connectivity

[kacy]

what changed

this bundles the recent web-shell fixes for direct browser access over tailscale.

• fixed the chat shell status so websocket failures stop masquerading as a permanent connecting state
• made the status badge say connected only when the live event stream is actually up
• surfaced websocket failure details in the shell so browser-side trust and routing problems are easier to spot
• refreshed the chat view toward a more imessage-like thread feel
• fixed the service worker shell caching so new deploys stop getting stuck behind a stale cached index.html
• require a browser-safe host for web pairing and session flows, instead of silently defaulting to raw bridge ips or :8443

why

cloudflare pages is only serving the static shell. the browser still connects directly to the user’s bridge. that means the browser path needs two things to be reliable:

• a websocket status model that tells the truth when the live stream is down
• host validation that steers browser clients toward a trusted *.ts.net endpoint instead of the bridge’s direct self-signed tls listener

without those safeguards, mobile/browser clients could appear half-connected or fail with opaque tls errors.

validation

• cd web && npm test
• cd web && npm run lint
• cd web && npm run build

notes

this pr intentionally leaves the existing local font changes out of scope.