feat: add vitest + 25 security tests for sender validation

Tests isExtensionSender, SENSITIVE_KINDS, and message routing:
- Extension popup/sidepanel → trusted
- Vault/profiles/settings in tabs → trusted (extension URL)
- Content scripts on web pages → blocked
- Wrong extension ID → blocked
- Firefox moz-extension:// → trusted
- Edge cases: empty URL, missing URL, fallback

These tests would have caught the v1.6.1 vault "Unauthorized sender" bug.

Author: vveerrgg