runtime update v0.1.19
- devlog
- update
This round was mostly about tightening isolation and making capability handling more consistent in edge cases.

I hardened URL resolution inside sandboxed iframes so things don’t break when window.location ends up as about:srcdoc. Popup requests, link navigation, and download flows now go through a consistent absolute URL resolver. It sounds small, but it closes a class of subtle sandbox issues.

Download handling is also cleaner. Programmatic downloads (like <a download>.click() flows) are now intercepted properly, and blob/data URLs go through a safer conversion path. Whether a file is static or dynamically generated, the capability prompt behaves the same way.

I also bumped the runtime to v0.1.19 and rolled the new bundle set, refreshed cache busting, and aligned the runtime index so the hardening changes are actually what’s running in production.

On the HTML runtime side, external scripts now execute through a safer fetch+blob flow with improved module specifier handling. This makes CSP behavior inside sandboxed frames more predictable and less fragile. Test coverage around script replay was expanded as part of that.

No breaking changes. Just structural tightening so the runtime behaves consistently under isolation and doesn’t rely on lucky assumptions. Less visible work, more integrity under the hood.
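The about:srcdoc failure mode described in the post, as an added example that is not the runtime's own code: a relative URL cannot be resolved against an opaque base such as about:srcdoc, so the resolver below skips unusable bases and falls back to the next candidate. The names `resolveAbsoluteUrl`, `isUsableBase` and `ALLOWED_SCHEMES`, the example.test hosts, and the scheme allowlist are assumptions made for illustration.

```javascript
// Added example (hypothetical names); relies only on the standard WHATWG URL API.

// Assumption: the schemes a sandboxed frame may navigate to or download from.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "blob:", "data:"]);

// A base is usable only if a relative reference can be resolved against it.
// about:srcdoc, about:blank, data: and blob: URLs all fail this probe.
function isUsableBase(candidate) {
  if (!candidate) return false;
  try {
    new URL("./probe", candidate);
    return true;
  } catch {
    return false;
  }
}

// Resolve `raw` to an absolute URL string, or return null if that is not
// possible. `bases` is an ordered candidate list, for example
// [window.location.href, document.baseURI, hostSuppliedBase].
function resolveAbsoluteUrl(raw, bases) {
  if (typeof raw !== "string" || raw.trim() === "") return null;
  let resolved;
  try {
    resolved = new URL(raw); // already absolute: no base needed
  } catch {
    const base = bases.find(isUsableBase);
    if (!base) return null; // only opaque bases available: refuse to guess
    try {
      resolved = new URL(raw, base);
    } catch {
      return null;
    }
  }
  // Check the scheme after resolution, so the decision is made on the URL
  // that would actually be opened rather than on the raw input string.
  return ALLOWED_SCHEMES.has(resolved.protocol) ? resolved.href : null;
}
```

Returning null instead of a best-effort string lets the caller deny the popup, navigation or download request outright when no trustworthy base exists.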