fix(ext): remove inline script (CSP violation) + CI enforcement (Closes #189)

[gHashTag]

Summary

Fixes the CSP violation in extension/sidepanel.html that causes Chrome to block the extension with "Executing inline script violates CSP directive 'script-src self'".

Changes

File	Change
extension/sidepanel.html	Remove inline <script type="module"> → use <script src="dist/bootstrap.js" type="module">
.github/workflows/ci.yml	Add CI check: reject inline <script> in HTML files

Root Cause

The previous PR merged inline <script type="module"> with import init from './dist/wasm/trios_ext.js' directly inside sidepanel.html. Chrome MV3 CSP blocks inline scripts → white screen.

Fix

• HTML now only references external script: <script src="dist/bootstrap.js" type="module">
• dist/bootstrap.js is a 3-line init stub (the only .js allowed outside dist/wasm/)
• CI physically blocks future inline scripts via grep check

Verification

cargo test -p trios-ext → 5/5 passed
cargo clippy -p trios-ext --target wasm32-unknown-unknown -- -D warnings → 0 warnings
grep '<script[^>]*>[^<]' extension/*.html | grep -v 'src=' → empty (no inline scripts)

Closes #189
Refs #156

[gHashTag]

Superseded by PR #195 (same fix, handles bg-sw.js stale file)