Annotate duplicated shared/ modules pending cross-repo package extraction

[Loule95450]

Context

The task brief notes "shared/ between repos isn't yet a thing". Multiple modules in extension/src/shared/ are 1:1 forks of equivalent files in the desktop repo (motion presets, domain parsing, types, ProfileEditor, atoms.css).

Problem / Observation

High-confidence overlaps:

• extension/src/shared/types.ts — Profile / AccountEntry shapes used identically by desktop.
• extension/src/shared/domain.ts — registrableDomain() shared via tldts.
• extension/src/shared/ProfileEditor.tsx (216 lines) — likely duplicated.
• extension/src/shared/motion.ts, extension/src/shared/atoms.css, extension/src/shared/theme.css.
• The crypto core (extension/src/background/crypto/argon2.ts, derive.ts, render.ts, memorable.ts, wordlist.ts) is the most security-sensitive duplication: a fix here that misses the desktop produces silent password drift.

A drift bug today is invisible until a user opens the same site on both platforms.

Proposed approach

Stand up a private npm package (@keyfount/core or similar), version-pinned, that owns:

• Profile, AccountEntry, DerivationInputs
• derive, argon2, render, memorable, wordlist, fingerprint
• domain (registrable-domain extraction)
• sync/keys, sync/auth (client-side OPAQUE flow)

The package can live in keyfount/core repo or as a workspace dependency of both apps. Until then, add a // SYNC WITH desktop/src/... header comment to every duplicated file so future contributors at least know to update both.

Acceptance criteria

• Plan written up in docs/ (or this issue) for the eventual package.
• Header comment added to each duplicated file pointing to the desktop equivalent.
• A nightly CI job diffs the duplicated files against the desktop counterpart and posts a warning when they drift (out of scope for this issue, but mentioned as follow-up).