feat(extension): update devices.ts for revoked.json + deploy keys

- Add createDeployKey/deleteDeployKey to GiteaHost
- Add RevokedEntry interface and readRevoked() to devices.ts
- Update revokeDevice() to write revoked.json alongside devices.json
- Update router to use new register_device WASM API (private keys internal)
- Pass revokedBy device name when revoking

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

extension/src/service-worker/router/popup-only.ts

@@ -359,17 +359,15 @@ export async function handle(
 
     case 'register_this_device': {
       if (!state.gitHost) return { ok: false, error: 'vault_locked' };
-      const keypair = state.wasm.generate_device_keypair() as {
-        public_key_hex: string;
-        private_key_base64: string;
+      // register_device keeps private keys internal — only public keys cross to JS
+      const keys = state.wasm.register_device(msg.name) as {
+        signing_public_key: string;
+        deploy_public_key: string;
       };
-      await chrome.storage.local.set({
-        device_name: msg.name,
-        device_private_key: keypair.private_key_base64,
-      });
+      await chrome.storage.local.set({ device_name: msg.name });
       await devices.addDevice(state.gitHost, {
         name: msg.name,
-        public_key: keypair.public_key_hex,
+        public_key: keys.signing_public_key,
         added_at: Math.floor(Date.now() / 1000),
       });
       return { ok: true };
@@ -377,7 +375,9 @@ export async function handle(
 
     case 'revoke_device': {
       if (!state.gitHost) return { ok: false, error: 'vault_locked' };
-      await devices.revokeDevice(state.gitHost, msg.name);
+      const stored = await chrome.storage.local.get(['device_name']);
+      const revokedBy = stored.device_name as string | undefined;
+      await devices.revokeDevice(state.gitHost, msg.name, revokedBy);
       return { ok: true };
     }