
[Phase 2 / Feature B / B-2] Extension passkey-crypto.ts: keypair gen, auth-data encode, DER signature #46

@gynet

Description


Parent: #9. Depends on #45 (B-1).

Scope

packages/extension/src/background/passkey/passkey-crypto.ts — pure, no DOM, SW-safe.

Implementation:

  • `generatePasskeyKeypair(alg)` → ES256 only in Phase 2 (EdDSA deferred)
  • `encodeAuthenticatorData(rpIdHash, flags, signCount, attestedCredData?)` per WebAuthn §6.1
  • `p1363ToDerEcdsaSignature(p1363)` — single conversion point; Web Crypto returns P1363 (r||s), WebAuthn requires DER
  • `encodeAttestationObjectNone(authData)` — CBOR with fmt='none', empty attStmt

Types fixed in `docs/phase2-interfaces.md` §4.

Why this is tricky

  • Forgetting the P1363→DER conversion means silently broken signatures: RP backends reject them, which surfaces as a user-visible bug with no frontend error
  • Flag byte packing (UP, UV, BE, BS, AT) is easy to miscompute — must match spec §6.1 bit layout
  • CBOR encoding for attestation is easy to get subtly wrong (canonical form)
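A worked illustration of the first two pitfalls above (P1363→DER minimal-integer encoding and §6.1 flag packing), added here as an example and not the project's own `passkey-crypto.ts`; it assumes ES256 (P-256, 32-byte r and s) and the spec's bit positions (UP=0, UV=2, BE=3, BS=4, AT=6, ED=7).

```typescript
// Added example, not the project's code. Assumes ES256 (P-256): r and s are 32 bytes each.
const P256_COORD_LEN = 32;

// Encode a big-endian unsigned integer as a minimal DER INTEGER (tag 0x02).
// Two edge cases matter: leading zero bytes must be dropped (DER requires the shortest form),
// and a value whose top bit is set needs a 0x00 prefix so it is not read as negative.
function derUnsignedInteger(be: Uint8Array): Uint8Array {
  let start = 0;
  while (start < be.length - 1 && be[start] === 0) start++;
  let body = be.subarray(start);
  if (((body[0] ?? 0) & 0x80) !== 0) {
    const padded = new Uint8Array(body.length + 1); // padded[0] is already 0x00
    padded.set(body, 1);
    body = padded;
  }
  const out = new Uint8Array(2 + body.length);
  out[0] = 0x02;
  out[1] = body.length; // at most 33 bytes for P-256, so short-form length suffices
  out.set(body, 2);
  return out;
}

// P1363 (r || s, fixed width) as SubtleCrypto.sign returns it -> DER ECDSA-Sig-Value,
// i.e. SEQUENCE { INTEGER r, INTEGER s }, which is what WebAuthn relying parties verify.
function p1363ToDerEcdsaSignature(p1363: Uint8Array): Uint8Array {
  if (p1363.length !== 2 * P256_COORD_LEN) {
    throw new Error(`expected ${2 * P256_COORD_LEN}-byte P1363 signature, got ${p1363.length}`);
  }
  const r = derUnsignedInteger(p1363.subarray(0, P256_COORD_LEN));
  const s = derUnsignedInteger(p1363.subarray(P256_COORD_LEN));
  const seq = new Uint8Array(2 + r.length + s.length);
  seq[0] = 0x30; // SEQUENCE
  seq[1] = r.length + s.length; // at most 70 bytes, short-form length suffices
  seq.set(r, 2);
  seq.set(s, 2 + r.length);
  return seq;
}

// Authenticator data flag byte, WebAuthn §6.1 bit layout (bits 1 and 5 are reserved, left 0).
const FLAG_UP = 1 << 0, FLAG_UV = 1 << 2, FLAG_BE = 1 << 3, FLAG_BS = 1 << 4, FLAG_AT = 1 << 6, FLAG_ED = 1 << 7;

function packFlags(f: { up: boolean; uv?: boolean; be?: boolean; bs?: boolean; at?: boolean; ed?: boolean }): number {
  // The spec forbids BS=1 with BE=0: a credential cannot be backed up unless it is backup-eligible.
  if (f.bs && !f.be) throw new Error("BS flag requires BE flag");
  return (f.up ? FLAG_UP : 0) | (f.uv ? FLAG_UV : 0) | (f.be ? FLAG_BE : 0) |
    (f.bs ? FLAG_BS : 0) | (f.at ? FLAG_AT : 0) | (f.ed ? FLAG_ED : 0);
}
```

The acceptance round-trip against `SubtleCrypto.verify` is the real check; the assertions here only pin the two byte-level edge cases that the verify call would otherwise hide.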

Acceptance

  • Unit tests against WebAuthn spec test vectors (§6.1 informative examples)
  • DER conversion round-trips 100 random signatures against browser `SubtleCrypto.verify`
  • ≥95% line coverage for this file
  • No DOM dependency (runs in SW)
  • No new deps (use Web Crypto + native CBOR via small helper; if CBOR lib needed, check with TL first)

Labels: enhancement (New feature or request), passkey (Passkey / WebAuthn PRF work), security (Security-related)