fix: wire iframe RPC handshake so WebView elements load merchant customizations

[arstiefel]

Description

Wire the iframe RPC handshake so the embedded WebView's BoltElements provider can resolve loadMerchantDetails and render merchant copy customizations. Without this, the iframe's withRPC call hangs forever and elements display default copy. A new BoltRpcHandler mirrors what the central iframe does in the web embedded app: it sends a setPort bootstrap envelope on bridge-ready, listens on the virtual port, and answers loadMerchantDetails by fetching from the public merchant API.

To support this, BoltBridgeDispatcher gains a sendBootstrapPort method (queues until ready, like other messages) and onReady now persists across reset/reload transitions so the handshake re-fires after a WebView reload. The injected bridge's VirtualMessagePort adds addEventListener/removeEventListener (storm's RPC registers via addEventListener, not .onmessage) and dispatches events with origin: '' to match real MessagePort spec — storm filters by portOrigin: ''.

Also bundled: rename the postal field placeholder from "Billing zip" to "Postal code" on iOS and Android (matches latest copy direction); make scripts/gen-bolt-config.js regenerate when env vars are set instead of always preserving the existing file; add example/src/boltConfig.ts to the clean script.

Testing

• New unit tests in src/__tests__/BoltRpcHandler.test.ts cover: setPort handshake on bridge ready, loadMerchantDetails happy path, error path, request caching, and the initialized no-op.
• New unit tests in src/__tests__/BoltBridgeDispatcher.test.ts cover: sendBootstrapPort envelope shape, queueing before ready, and onReady firing on every ready transition.
• Manual: run the example app, mount a WebView element with a publishable key whose merchant has copy customizations configured — verify the customized copy renders instead of defaults; reload the WebView and verify it still loads.
• Postal field placeholder change is visible in the credit card field on both iOS and Android example apps.

Security Review

Important

A security review is required for every PR in this repository to comply with PCI requirements.

• I have considered and reviewed security implications of this PR and included the summary below.

Security Impact Summary

This PR adds an RPC channel from the embedded iframe to the React Native host that currently exposes a single read-only operation: fetching public merchant details (description and copy_customizations) from the merchant public API using the configured publishable key. No PCI data, no authentication tokens, and no card details flow over this channel. The handler dispatches by an explicit allowlist (handlers map) — unknown request types are logged and ignored, never executed. The virtual port is identified by a fixed id (vp_rpc_main) and the iframe origin handshake (postMessage envelope) matches the existing bridge protocol that already authenticates source via the WebView boundary. No changes to auth, payment, or token-handling code paths.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.