feat(ext/sw): create_vault handler (Plan C Phase 3)

Lifts the full create-vault flow out of setup.ts into the SW: embed image
secret, unlock, encrypt empty manifest + default settings, push the vault
layout (create-only), register this device + write devices.json, persist
config + reference image locally, and transition the SW to the unlocked
state (handle becomes SW-owned, enabling recoveryQrAvailable). On failure
the handle is locked then freed per Plan A's .free() policy; ownership only
transfers to the session on success.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

extension/src/service-worker/router/popup-only.ts

@@ -628,9 +628,12 @@ export async function handle(
       }
     }
 
-    // create_vault / attach_vault land in Phase 3 Tasks 3.2-3.3; get_vault_status
-    // in Phase 6 (Dev-C). Until each case lands, an unhandled popup message
-    // returns an explicit error rather than falling through with no return.
+    case 'create_vault':
+      return vault.handleCreateVault(msg, state);
+
+    // attach_vault lands in Task 3.3; get_vault_status in Phase 6 (Dev-C).
+    // Until each case lands, an unhandled popup message returns an explicit
+    // error rather than falling through with no return.
     default:
       return { ok: false, error: `unhandled popup message: ${(msg as { type: string }).type}` };
   }