fix(widgets): restore iframe content after drag, remove color-cycle button (#2368)

* fix(widgets): restore iframe content after drag, remove color-cycle button

- Fix drag-induced blank content: use WeakMap keyed by iframe element to persist
  HTML across DOM moves; persistent load listener (no {once}) re-posts on every
  browser re-navigation triggered by drag/drop repositioning
- Remove cycleAccentColor, ACCENT_COLORS, and colorBtn from CustomWidgetPanel
  header; chatBtn (sparkle) and PRO badge remain; applyAccentColor kept for
  saved specs
- Update tests: remove ACCENT_COLORS count test, saveWidget persistence test,
  and changeAccent i18n assertion (all for deleted feature)

* fix(widgets): use correct postMessage key 'html' not 'storedHtml'

* fix(widgets): remove duplicate panel title header, fix sandbox CSP beacon error

- System prompt: NEVER add .panel-header or title to widget body; outer panel
  frame already shows the title; updated both basic and PRO prompts
- widget-sanitizer: strip leading .panel-header from generated HTML as safety
  net in both wrapWidgetHtml and wrapProWidgetHtml
- vercel.json: add https://static.cloudflareinsights.com to sandbox script-src
  so Cloudflare beacon injection no longer triggers CSP console errors

* fix(widgets): correct iframe font by anchoring html+body font-family with !important

vercel.json

@@ -136,7 +136,7 @@
     {
       "source": "/wm-widget-sandbox.html",
       "headers": [
-        { "key": "Content-Security-Policy", "value": "default-src 'none'; script-src 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'unsafe-inline'; img-src data:; connect-src https://cdn.jsdelivr.net;" },
+        { "key": "Content-Security-Policy", "value": "default-src 'none'; script-src 'unsafe-inline' https://cdn.jsdelivr.net https://static.cloudflareinsights.com; style-src 'unsafe-inline'; img-src data:; connect-src https://cdn.jsdelivr.net;" },
         { "key": "Cache-Control", "value": "public, max-age=86400" }
       ]
     }