
feat: add WebView mode for Apple Pay#42

Merged
arstiefel merged 1 commit into main from feat-add-webview-mode-for-apple on Mar 30, 2026

Conversation


@arstiefel arstiefel commented Mar 30, 2026

Description

Adds a mode prop to the <ApplePay /> component with 'webview' as the new default. In WebView mode, Apple Pay merchant validation and tokenization are handled server-side by the Bolt-hosted iframe, removing the need for an Apple Pay entitlement or merchant certificate in the consuming app. The existing native PassKit flow is preserved via mode="native". A new ApplePayWebView component manages the iframe lifecycle, bridge messaging, height sizing, referrer injection, and telemetry. The README is updated to document both modes with the WebView-first default.

Testing

  • Verify <ApplePay /> renders the WebView-based Apple Pay button by default on iOS (no mode prop needed).
  • Verify mode="native" still triggers the native PKPaymentButton + PassKit sheet flow with a valid merchant entitlement.
  • Test the referrer prop is correctly injected into document.referrer inside the WebView and passed as the origin query param.
  • Confirm onComplete fires with token, bin, expiration, boltReference, and billingContact after a successful WebView Apple Pay session.
  • Confirm onError fires for non-cancellation errors; verify cancellation (error code 1006) is silently ignored.
  • Confirm the component returns null on Android or when canMakePayments() returns false.
  • Test handleShouldStartLoad allows sub-frame navigations (critical for 3DS flows within the iframe).
  • Test iframe height resize messages (SetIFrameHeight) update the WebView container height dynamically.

Security Review

Important

A security review is required for every PR in this repository to comply with PCI requirements.

  • I have considered and reviewed security implications of this PR and included the summary below.

Security Impact Summary

This PR introduces a WebView that loads a Bolt-hosted Apple Pay iframe and processes payment tokens. Security considerations: (1) The WebView URL is constructed from bolt.baseUrl with the publishable key — no secrets are embedded. (2) document.referrer is overridden via injected JS to provide the merchant origin for Apple's domain validation; this is limited to main-frame injection only (injectedJavaScriptBeforeContentLoadedForMainFrameOnly). (3) Navigation is restricted to bolt.baseUrl origins for top-frame loads, with sub-frame navigations explicitly allowed for 3DS. (4) Payment token data flows through the existing parseBoltMessage bridge — no new external integrations or storage. (5) The merchantId field on ApplePayConfig is now optional (only required for native mode), which is a type-level change with no runtime security impact.

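As an added example (not the SDK's or the PR's own code), the two defensive pieces the summary above describes, written out as pure functions: the top-frame/sub-frame navigation policy and the bridge-message handling with height bounding and cancellation filtering. BOLT_BASE_URL, the handler object, the request shape, and the message type names other than SetIFrameHeight are assumptions for illustration.

```javascript
// Added example, not the SDK's own code. BOLT_BASE_URL, the handler object,
// the request shape and message type names other than SetIFrameHeight are
// assumptions; the cancellation code 1006 and the onComplete fields come
// from the PR description.
const BOLT_BASE_URL = 'https://bolt.example'; // placeholder, assumed
const APPLE_PAY_CANCELLED = 1006;             // cancellation code from the PR

// Navigation policy: top-frame loads must stay on the Bolt origin over https;
// sub-frame navigations are allowed so 3DS challenge pages inside the iframe
// can load. `request` mirrors the { url, isTopFrame } shape assumed here for
// react-native-webview's onShouldStartLoadWithRequest argument.
function shouldStartLoad(request, baseUrl = BOLT_BASE_URL) {
  if (!request.isTopFrame) return true;
  let target;
  try { target = new URL(request.url); } catch { return false; }
  if (target.protocol !== 'https:') return false;
  return target.origin === new URL(baseUrl).origin;
}

// Bridge handler: messages arrive as JSON strings; anything malformed or
// unknown is ignored rather than acted on. Returns what was done so callers
// (and tests) can observe the decision.
function handleBridgeMessage(raw, handlers) {
  let msg;
  try { msg = JSON.parse(raw); } catch { return 'ignored'; }
  if (!msg || typeof msg.type !== 'string') return 'ignored';
  switch (msg.type) {
    case 'SetIFrameHeight': {
      // Bound the height so a bad message cannot blow up the layout.
      const height = Number(msg.height);
      if (!Number.isFinite(height) || height <= 0 || height > 4000) return 'ignored';
      handlers.onHeight(Math.ceil(height));
      return 'resized';
    }
    case 'ApplePayComplete': { // assumed type name; fields as listed in the PR
      const { token, bin, expiration, boltReference, billingContact } = msg;
      if (!token) return 'ignored';
      handlers.onComplete({ token, bin, expiration, boltReference, billingContact });
      return 'complete';
    }
    case 'ApplePayError': // assumed type name
      if (msg.code === APPLE_PAY_CANCELLED) return 'cancelled'; // user closed the sheet
      handlers.onError(new Error(msg.message || 'Apple Pay failed'));
      return 'error';
    default:
      return 'ignored';
  }
}
```
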
@arstiefel arstiefel requested review from a team as code owners March 30, 2026 13:21

snyk-io bot commented Mar 30, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine            Critical  High  Medium  Low  Total (0)
Open Source Security   0         0     0       0    0 issues
Licenses               0         0     0       0    0 issues
Code Security          0         0     0       0    0 issues


@arstiefel arstiefel merged commit 4417d72 into main Mar 30, 2026
7 of 9 checks passed
@arstiefel arstiefel deleted the feat-add-webview-mode-for-apple branch March 30, 2026 13:46