feat(web-server): add frame guard, CORS-friendly client headers, and websocket payload fixes #170

Open
edusperoni wants to merge 1 commit into nstudio:main from edusperoni:fix/overall-webserver-fixes
Conversation

@edusperoni (Contributor)

Summary

Adds origin/header introspection for WebSocket clients, an optional anti-embedding
("frame guard") mode for the static server, and fixes the max_payload option that
was previously dead code. Also exports ServerStatus from common in the platform
entry points.

Changes

WebSocket client headers (origin + header(name))

  • New Client.origin getter and Client.header(name) method (case-insensitive)
    exposed on both iOS and Android, backed by a new
    webserver_websocket_client_header FFI / clientHeader JNI binding.
  • Fixed the Rust upgrade handler to capture the request headers (notably
    Origin) instead of the response headers — previously only the CSP header we
    appended was surfaced, so Origin was never available. The remote peer is also
    stashed under a synthetic x-peer-addr key for loopback/same-origin checks.
  • Browsers always set (and can't forge) Origin, so callers can use it to
    allowlist connections from a known served origin.

Frame guard (anti-embedding) option

  • New frameGuard config flag on Server. When enabled, every served response
    carries X-Frame-Options: DENY and CSP frame-ancestors 'self', preventing the
    content from being iframed by a third-party page.
  • Threaded through the JS API, Kotlin/Swift wrappers, the C ABI
    (CStaticServiceOptions.frame_guard), and the JNI/FFI layers.

max_payload fix

  • The configured max_payload was being ignored. Now applied to both
    max_frame_size (codec per-frame limit, defaulted to 64KB and silently dropped
    larger frames) and max_continuation_size (was hardcoded to 8MB). Both fall back
    to 100MB.

Misc

  • Export ServerStatus from common in the Android and iOS entry points.
  • Rebuilt iOS xcframework (now ios-arm64 + ios-arm64-simulator) and Android
    prebuilt .so / .aar artifacts.

Platforms

iOS and Android.

@edusperoni edusperoni force-pushed the fix/overall-webserver-fixes branch from 8122c64 to 063374f on June 17, 2026 16:20
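The two security-relevant pieces of this PR, an Origin allowlist for WebSocket upgrades (using the case-insensitive header lookup and the synthetic `x-peer-addr` key the description mentions) and the frame-guard response headers, are sketched below as an added, self-contained example. It is not code from the nstudio web-server project or from this PR; the function names (`headerOf`, `shouldAcceptUpgrade`, `isLoopback`, `frameGuardHeaders`), the allowlist shape and the `host:port` format assumed for `x-peer-addr` are all assumptions, and the sample upgrade headers are constructed.

```javascript
// Added example (not project code): Origin allowlisting for WebSocket upgrades
// and frame-guard headers, in the spirit of PR #170. Names are assumptions.

// Case-insensitive header lookup, mirroring the Client.header(name) contract
// described in the PR (HTTP header names are case-insensitive).
function headerOf(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Assumed peer format: "127.0.0.1:53422" or "[::1]:53422".
function isLoopback(peer) {
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d+$/.test(peer) || /^\[::1\]:\d+$/.test(peer);
}

// Decide whether an upgrade request may proceed.
// allowedOrigins: exact "scheme://host[:port]" strings the app is served from.
function shouldAcceptUpgrade(headers, allowedOrigins) {
  const origin = headerOf(headers, "origin");

  if (origin === undefined) {
    // Browsers always send Origin; non-browser clients may omit it.
    // Treat a missing Origin as acceptable only for loopback peers.
    const peer = headerOf(headers, "x-peer-addr") ?? "";
    return isLoopback(peer)
      ? { accept: true, reason: "loopback-no-origin" }
      : { accept: false, reason: "missing-origin" };
  }

  // "null" is the serialization of an opaque origin (sandboxed iframe, file://).
  if (origin === "null") return { accept: false, reason: "opaque-origin" };

  let normalized;
  try {
    // URL#origin lower-cases the host and strips default ports and any path.
    normalized = new URL(origin).origin;
  } catch {
    return { accept: false, reason: "malformed-origin" };
  }

  return allowedOrigins.includes(normalized)
    ? { accept: true, reason: "origin-allowlisted" }
    : { accept: false, reason: "origin-not-allowed" };
}

// Headers the frame guard adds to every served response when enabled.
// Browsers that understand CSP frame-ancestors give it precedence over
// X-Frame-Options; older ones fall back to X-Frame-Options.
function frameGuardHeaders(enabled) {
  if (!enabled) return {};
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'self'",
  };
}

// Constructed sample upgrade request headers (not captured from a real client).
const sampleUpgrade = {
  Host: "localhost:8080",
  Upgrade: "websocket",
  Connection: "Upgrade",
  Origin: "http://LocalHost:8080",
  "x-peer-addr": "127.0.0.1:53422",
};

const served = ["http://localhost:8080"];
console.log(shouldAcceptUpgrade(sampleUpgrade, served));
console.log(shouldAcceptUpgrade({ ...sampleUpgrade, Origin: "http://attacker.invalid" }, served));
console.log(frameGuardHeaders(true));
```

The allowlist compares the normalized `URL#origin` value, so a mixed-case host or an explicit default port still matches the served origin; an `Origin` that cannot be parsed is rejected rather than passed through to string comparison.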