refactor: migrate frontend to React + Tailwind, add Docker + tests

Replace the vanilla-TS innerHTML frontend with a type-checked React
component tree (React 19 + Tailwind v4 + Vite).

Frontend:
- 14 components: Header, Stepper, LoginPage, LoginModal, SignPage,
  DropZone, DevicePicker, ProgressCard, SavedAccountsList, TrustModal,
  TwoFactorModal, Button, Field, Chip, Modal
- lib/ extracts: storage (10 localStorage keys preserved), pair-record,
  account-session, log-parser, ids, use-log hook
- flows/ encapsulate async pair/login/sign/install with dependency injection
- Accounts page as main view with Add Account modal
- Fullscreen progress overlay during sign/install
- Account selector + device picker on Sign page
- Security notice in login modal (server trust warning)
- All addLog calls mirrored to console.log for devtools debugging

Build:
- bun run dev: submodule init + install + wasm dist + vite + wrangler
- bun run setup: one-shot project bootstrap
- Docker: multi-stage bun build → nginx on :3000
- build:wasm:dist copies pre-built src→dist (no Rust/Emscripten needed)
- jszip/node-forge/fflate pre-bundled for CJS→ESM conversion

Tests:
- 163 vitest tests (happy-dom): all lib, components, App integration,
  WASM dist artifact checks, libcurl Apple connectivity, anisette init
  error handling

Cleanup:
- Delete yarn.lock (bun.lock canonical), expand .gitignore
- Remove README.zh.md, rewrite README.md + AGENTS.md
- Update libcurl.js submodule to f65d440 (CI build artifacts)

nginx.conf

@@ -0,0 +1,51 @@
+server {
+    listen 3000;
+    server_name _;
+
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # MIME for WASM streaming compile.
+    types {
+        application/wasm wasm;
+    }
+
+    # Security headers.
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    # WebAssembly + crypto.subtle require secure-context; cross-origin isolation
+    # is needed for SharedArrayBuffer used by the signing WASM bundles.
+    add_header Cross-Origin-Opener-Policy "same-origin" always;
+    add_header Cross-Origin-Embedder-Policy "require-corp" always;
+
+    # Compression.
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 256;
+    gzip_types
+        application/javascript
+        application/json
+        application/wasm
+        application/xml
+        text/css
+        text/javascript
+        text/plain
+        image/svg+xml;
+
+    # Hashed assets (Vite emits /assets/* with content hashes) — cache forever.
+    location /assets/ {
+        add_header Cache-Control "public, max-age=31536000, immutable" always;
+        try_files $uri =404;
+    }
+
+    # Never cache the shell HTML.
+    location = /index.html {
+        add_header Cache-Control "no-cache" always;
+    }
+
+    # Hash routing (no server-side routes needed) — fall back to index.html.
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+}