Add WebAuthn passkey login alongside email OTP

[rzueger]

Summary

Adds passkeys (WebAuthn) as an optional, faster sign-in mechanism alongside the existing email OTP flow. OTP remains the baseline and recovery path; passkeys are purely additive and feature-flagged per-environment.

Server (Cloud Functions, functions/auth/)

• generateRegistrationOptions / verifyRegistration — passkey enrolment
• generateAuthenticationOptions / verifyAuthentication — passkey sign-in, mints a Firebase custom token on success (same mechanism the OTP flow uses)
• removePasskey — user-initiated removal
• cleanupExpiredWebauthnChallenges — scheduled (hourly) cleanup
• webauthnHelpers — atomic challenge consume via RTDB transaction(), AuthError, RP config, ID-token verification

Client

• src/util/webauthn.ts — thin wrapper around @simplewebauthn/browser; does NOT import firebase/auth (saga reuses the existing requestFirebaseAuthentication flow)
• Login page: single "Mit Passkey anmelden" button (reused StyledOrContainer separator), conditionally rendered when __CONF__.passkeysEnabled && isPasskeySupported()
• Profile page: PasskeyManager section — list with device name, created date, last used date; remove via styled modal confirmation (matches MovementDeleteConfirmationDialog pattern)
• PostLoginPasskeyPrompt — post-login card shown to users without any passkey, styled identically to InstallCard; two-strike dismiss with "Später" → "Nicht mehr anzeigen" pattern; auto-labels from user agent (iPhone / iPad / Mac / Windows / Android / Linux)
• New auth module slice handles REGISTER_PASSKEY, LOGIN_WITH_PASSKEY, LOAD_PASSKEYS, REMOVE_PASSKEY with success/failure actions

Infra

• 3 new Realtime Database paths with locked-down rules: webauthnCredentials (read self/admin, writes server-only), webauthnChallenges (server-only), webauthnCredentialOwners (server-only index)
• @simplewebauthn/browser v13 added to root; @simplewebauthn/server v10 added to functions
• passkeysEnabled: false in projects/default.json; enabled via environments.<env>.passkeysEnabled: true (uses the env-merge capability from Merge selected environment config into __CONF__ #710)
• Runtime RP config via firebase functions:config:set webauthn.rpid=... webauthn.origins=...

Security posture

• Atomic challenge consume via RTDB .transaction() (prevents concurrent re-use)
• Counter clone detection on every authentication, spec-compliant handling of non-counting authenticators (iCloud Keychain, Google Password Manager, 1Password)
• Session-based auth for register/remove (valid ID token required); no step-up re-auth needed — low-stakes product with OTP fallback always available
• User enumeration mitigated: generateAuthenticationOptions returns plausible empty-allowList options for unknown emails

Test plan

• npm test — 1915 tests pass (includes new specs for webauthn.ts, PasskeyLoginButton, PasskeyManager, PostLoginPasskeyPrompt, all auth module additions)
• cd functions && npm test — 278 tests pass (6 new spec files for the webauthn functions)
• npm run typecheck clean
• Manual QA on lszm-test: enable passkey login via profile, sign out, sign back in with passkey, remove passkey, verify OTP still works
• Verify on an env with passkeysEnabled: false that the UI remains unchanged