Build minimal approval web UI

[helixclaw]

Summary

Create a minimal web UI served by the 2kc Fastify server that displays approval request details and triggers WebAuthn assertion for approve/deny actions.

Context

When a grant request requires WebAuthn approval, the user receives a notification link. Clicking it opens this web page, which shows the request details and prompts for biometric verification.

Acceptance Criteria

• Add @simplewebauthn/browser as a bundled client dependency (or inline the minimal client JS)
• Static files served from src/server/public/ (or inlined in route handler):
  • GET /approve — serves the approval page (query params: requestId, token)
• Approval page displays:
  • Request details: secret refs, requester, reason, task, requested duration
  • Bound command (if applicable)
  • "Approve" button → triggers WebAuthn assertion → POST /api/approve/:requestId
  • "Deny" button → POST /api/deny/:requestId
  • Status feedback: "Approved", "Denied", "Error"
• Page is a single self-contained HTML file (minimal dependencies, no build tooling)
• Mobile-friendly (approval often happens on phone via Discord link)
• CSRF protection: token query param validated server-side
• Approval page only accessible for pending requests (expired/completed → error page)

Dependencies

• Add WebAuthn server endpoints for registration and assertion #66 (WebAuthn server endpoints)

Scope Boundaries

• No SPA framework (plain HTML + vanilla JS + @simplewebauthn/browser)
• No user management UI (enrollment is done via CLI)
• Styling is minimal/functional