Add inline HTML previews to Orbit

[jgoecks]

Adds inline HTML preview support to Orbit’s File tab. HTML files now render in a sandboxed iframe with local assets resolved through the cwd-jailed orbit-artifact:// protocol, remain preview-only in the editor, and can still be opened in a hardened external window with Escape-to-close support.

[dannon]

This is solid -- cwd jail holds up (realpath both sides + the startsWith check), and the opaque-origin sandbox + CSP is the right boundary. Skipping DOMPurify is correct here; sanitizing would just strip the scripts reports need.

One follow-up, not blocking (Claude flagged this on a review pass): the CSP <meta> is injected by regex-matching the first <head>, and a crafted file can dodge it -- a <head> in a comment or attribute before the real head lands the meta in an inert spot and the doc parses with no CSP. Bounded (opaque origin + CORS still block reading other cwd files), but it'd let a malicious report exfil its own content to the network. Real fix is a CSP response header via a protocol handler instead of blob: + injected meta. I'll open an issue.

Merging -- thanks!