[Phase 2 / Feature B / B-5] Consent UI: popup for create(), in-page overlay for get() #49

Description

@gynet

Parent: #9. Depends on #48 (B-4).

Scope

Two UI surfaces per design §3.6:

Popup (`create()`)

  • `browser.action.openPopup()` on create intent
  • Shows: origin, `rp.id`, `rp.name`, user name, entry picker (default: active entry → new sibling)
  • "Create passkey here" / "Cancel"
  • Preact component, match existing extension UX

In-page overlay (`get()`)

  • Injected by content script into closed ShadowRoot
  • Shows: origin, `rp.id`, candidate entries (name + last-used date), "Sign in" / "Cancel"
  • Closed ShadowRoot + pointer-events isolation + `element.focus()` capture to resist click-jacking from host page
  • z-index management against page chrome

Why in-page for get() but popup for create():

  • `get()` is in a promise race with the spec timeout — popping a window is jarring and may hit popup blockers
  • `create()` is user-initiated by a button click on the page — popup is fine; user expects a prompt

Acceptance

  • Popup appears on create intent, not on get
  • Overlay appears on get intent, not on create
  • Overlay cannot be hidden / styled by page CSS (ShadowRoot isolation test)
  • Cancel path returns `NotAllowedError` per WebAuthn spec
  • Screenshot regression test for both UIs (Playwright)
  • i18n strings added to all supported locales (follow existing extension i18n pattern)
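
The `get()` overlay and its Cancel path, as an added sketch that is not code from this issue or from the extension. The function name `mountConsentOverlay`, the `(error, entryId)` callback, the entry fields `{id, name, lastUsed}`, the `isTrusted` check and the initial focus on Cancel are assumptions made for illustration; `doc` is passed in so the function can be exercised outside a browser.

```javascript
// Added example, not the extension's code. Names and shapes are hypothetical.
function mountConsentOverlay(doc, request, onDecision) {
  const host = doc.createElement('div');
  // Inline !important declarations outrank page stylesheet rules on the host.
  host.style.cssText = [
    'all: initial', 'position: fixed', 'inset: 0', 'display: block',
    'visibility: visible', 'opacity: 1', 'pointer-events: auto',
    'z-index: 2147483647',
  ].map((decl) => decl + ' !important').join('; ');
  // Closed mode: host.shadowRoot stays null for page script; only this
  // function holds a reference to the root.
  const root = host.attachShadow({ mode: 'closed' });

  let settled = false;
  const finish = (error, entryId) => {
    if (settled) return; // the first decision wins
    settled = true;
    host.remove();
    onDecision(error, entryId);
  };
  const add = (tag, text, onClick) => {
    const el = doc.createElement(tag);
    el.textContent = text; // never innerHTML: request fields can be page-influenced
    if (onClick) {
      el.addEventListener('click', (ev) => {
        if (ev.isTrusted) onClick(); // ignore events synthesized by script
      });
    }
    root.append(el);
    return el;
  };

  add('p', `${request.origin} (rp.id: ${request.rpId})`);
  for (const entry of request.entries) {
    add('button', `Sign in: ${entry.name} (last used ${entry.lastUsed})`,
      () => finish(null, entry.id));
  }
  // Cancel maps to NotAllowedError, as the acceptance list requires.
  const cancel = add('button', 'Cancel', () =>
    finish(new DOMException('User cancelled the request', 'NotAllowedError')));

  doc.documentElement.append(host);
  cancel.focus(); // keyboard focus starts on the safe choice
  return host;
}
```

The closed root and inline `!important` styles stop page CSS from restyling the overlay, but a content script shares the DOM with the page, so page script can still detach the host element; the caller should treat a vanished overlay as a cancel.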

Labels: enhancement (New feature or request), passkey (Passkey / WebAuthn PRF work)