[Phase 2 / Feature B / B-3] Core passkey-authenticator-bridge.ts: handle protocol verbs, read/write NKW.Passkey.* fields #47

@gynet

Parent: #9. Depends on #45 (B-1).

Scope

`packages/core/app/scripts/comp/passkey/passkey-authenticator-bridge.ts`.

Responsibilities:

  • Register handlers for the 4 new protocol verbs
  • Implement entry create/read/sign with the `NKW.Passkey.*` schema from `docs/phase2-interfaces.md` §2
  • Protected fields (`UserHandle`, `PrivateKey`) must be stored as `ProtectedValue`
  • On `passkey-sign`: increment SignCount, update LastUsedDate, mark file dirty, persist KDBX before returning signature (counter regression = RP lockout)
  • Private key import: PKCS#8 → CryptoKey via `crypto.subtle.importKey`
  • Validate every request against the active file (reject if no file open)

Target group selection

Read default from `AppSettings` (new setting: `passkeyDefaultTargetGroupUuid`). If not set, use the root group. Sub-issue B-7 ships the settings UI.

Acceptance

  • All 4 verbs handled per contract
  • Protected fields verified as ProtectedValue via `entry.fields.get().isProtected === true`
  • Unit tests:
    • round-trip create → get → sign → verify with Web Crypto
    • counter increments exactly +1 per sign
    • refuses sign when `expectedSignCount` mismatches
    • refuses any verb when no file is open
  • File is marked dirty exactly when state changed (for WebDAV sync)
  • Round-trip test: create entry → save → reload KDBX → `passkey-get-by-rp` finds it with all fields intact
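The `passkey-sign` ordering from the Responsibilities list, as an added example that is not the project's code: check `expectedSignCount`, sign, bump the counter, mark dirty, persist, and only then release the signature. `PasskeyEntry`, `Deps`, `handlePasskeySign`, the error strings and the injected `sign`/`persist` callbacks are hypothetical; it also assumes a failed save keeps the advanced counter in memory, since only a regression is harmful.

```typescript
// Added example, not project code. PasskeyEntry, Deps and handlePasskeySign are
// hypothetical stand-ins for the KDBX entry and bridge; signer and save are injected.
interface PasskeyEntry { signCount: number; lastUsedDate: number }
interface Deps {
    entry: PasskeyEntry | null;                   // null models "no file open"
    sign(data: Uint8Array): Promise<Uint8Array>;  // e.g. a crypto.subtle.sign wrapper
    persist(): Promise<void>;                     // writes the KDBX file
    markDirty(): void;
}
type SignError = 'no-file-open' | 'sign-count-mismatch' | 'sign-failed' | 'persist-failed';
type SignResult =
    | { ok: true; signature: Uint8Array; signCount: number }
    | { ok: false; error: SignError };

// Requests run one at a time, so two concurrent signs can never read the same counter.
let queue: Promise<unknown> = Promise.resolve();

function handlePasskeySign(deps: Deps, expectedSignCount: number, data: Uint8Array): Promise<SignResult> {
    const run = queue.then(() => signOnce(deps, expectedSignCount, data));
    queue = run.catch(() => undefined); // a failed request must not block the queue
    return run;
}

async function signOnce(deps: Deps, expected: number, data: Uint8Array): Promise<SignResult> {
    const entry = deps.entry;
    if (!entry) return { ok: false, error: 'no-file-open' };
    if (entry.signCount !== expected) return { ok: false, error: 'sign-count-mismatch' };

    let signature: Uint8Array;
    try {
        signature = await deps.sign(data);
    } catch {
        return { ok: false, error: 'sign-failed' }; // state untouched, file stays clean
    }
    entry.signCount += 1;
    entry.lastUsedDate = Date.now();
    deps.markDirty();
    try {
        await deps.persist();
    } catch {
        // Assumption: keep the advanced counter in memory (still dirty) and withhold the
        // signature, so the stored counter can never fall behind a released signature.
        return { ok: false, error: 'persist-failed' };
    }
    return { ok: true, signature, signCount: entry.signCount };
}
```

Two concurrent requests carrying the same `expectedSignCount` resolve as one success and one `sign-count-mismatch`, which is the behaviour the "refuses sign when `expectedSignCount` mismatches" unit test asks for.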

Labels: enhancement (New feature or request), passkey (Passkey / WebAuthn PRF work)
