Invites: targeted open-device flow and sealed key handoff #77

@marcus-pousette

Description

Current baseline

The playground already has a working invite story, but it is split across two models:

  1. Bearer invite links

    • Copy invite and the currently shipped Open device flow mint a new replica keypair for the invited peer and package:
      • a subtree-scoped capability token
      • the invited replica signing secret key
      • the doc payload key
    • This is useful for demos and one-time sharing, but it is intentionally secret-bearing.
  2. Targeted grants

    • Grant to pubkey and delegated resharing already exist.
    • This sends a subtree-scoped capability token to a known recipient key.
    • Today the payload key is still sent in plaintext on the local broadcast channel.

There is already E2E coverage for bearer invite import, one-click Open device, and delegated resharing. Draft PR #79 is the first targeted Open device slice: open a join-only tab, wait for its replica pubkey, then send a targeted grant instead of putting secrets in the URL.

What this issue tracks now

Acceptance criteria

  • Open device joins the shared subtree without putting secret material in the URL by default.
  • The UI clearly distinguishes bearer invites from targeted grants.
  • Targeted grants do not send payload keys in plaintext.
  • E2E tests cover bearer import, targeted Open device flow, and delegated resharing.

Out of scope

  • Key rotation and revocation (#78)
  • General subtree key hierarchy / broader confidentiality design beyond the invite handoff path (#40)

Metadata

Labels: enhancement (New feature or request)