feat: add trezor pin entry and hidden wallets

[coreyphillips]

Adds on-screen Trezor PIN entry and passphrase (hidden wallet) selection, built on the typed TrezorUiCallback from bitkit-core 0.1.62.

• Passphrase: WalletModeChooserDialog + PassphraseDialog let the user open the standard wallet or a hidden wallet, entering the passphrase on the phone (host) or on the Trezor. Modeled as TrezorWalletMode (STANDARD / PASSPHRASE_HOST / PASSPHRASE_DEVICE).

Bumps bitkit-core 0.1.58 -> 0.1.62.

Description

App-side adoption of the typed Trezor UI callback and per-connection wallet
selection from bitkit-core 0.1.62 (trezor-connect-rs 0.2.8 → 0.3.2). The
library replaced the stringly-typed passphrase callback — where "" was
overloaded to mean cancel, leaving no way to express the standard wallet
(Some("") on the device) — with a typed PassphraseResponse, and made each
connection declare which wallet it opens.

PIN entry

• PinEntryDialog renders the 3×3 matrix; the user maps it to the scrambled
  layout shown on the Trezor. onPinRequest blocks on a CountDownLatch
  (120s timeout) until the PIN is submitted or cancelled (empty string).

Passphrase / hidden wallets

• A WALLET row lets the user open the standard wallet or a hidden wallet.
  Devices reporting passphraseEntryCapable are offered a choice
  (WalletModeChooserDialog) of entering the passphrase on the phone (host,
  via PassphraseDialog) or on the Trezor; otherwise host entry is used.
  Modeled as TrezorWalletMode (STANDARD / PASSPHRASE_HOST /
  PASSPHRASE_DEVICE).
• onPassphraseRequest answers with PassphraseResponse.Standard /
  Hidden { value } / OnDevice from a single source of truth, so THP
  devices (Safe 5/7) — which bind the passphrase at session creation via the
  new WalletSelection passed to connect() — and legacy devices — asked
  mid-operation — stay in lockstep.

Transport / reconnect fixes

• Reconnect honors the tapped transport instead of overriding Bluetooth with
  USB; BLE falls back to getRemoteDevice(address) when there's no fresh scan
  handle; rejected sessions (wrong passphrase/on-device cancel) are treated
  as definitive failures rather than retried.

Adopts the breaking FFI changes from bitkit-core 0.1.62: onPassphraseRequest
now returns PassphraseResponse (was String) and trezorConnect takes a
required selection: WalletSelection.

QA Notes

Manual (PIN-protected device, ideally both a THP device — Safe 5/7 — and a legacy device):

• PIN: connect a PIN-protected device → the on-screen matrix maps to the
  scrambled layout on the Trezor; submit / delete / cancel / 120s timeout all
  behave.
• Standard wallet: keep/select Standard → operations proceed (the case the
  old ""-means-cancel encoding broke).
• Hidden wallet (host entry): Passphrase → On this phone, enter a
  passphrase → the hidden wallet's addresses differ from standard.
• On-device entry: Passphrase → On the Trezor → entry defers to the device
  and the matching wallet opens.
• Wallet switch: switch mode on a connected device → the session resets and
  the new mode applies on the next operation.
• Forget / disconnect: forget or disconnect, then reconnect → starts on the
  standard wallet.
• Transport: reconnect a device known over both BLE and USB via its BLE
  entry → it connects over BLE, not hijacked to USB.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fe9ab311c2

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Allow PINs longer than nine digits

Trezor PINs can be up to 50 digits according to the official PIN rules (https://trezor.io/learn/a/pin-protection-on-trezor-devices), but this guard stops accepting input after 9 positions. Users who configured a 10+ digit PIN in Trezor Suite can never submit their full PIN here, so every PIN-protected operation from the app fails for those devices.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Hide device-entry option when unsupported

When WalletModeRow is opened for a device with passphraseEntryCapable == false, it skips the chooser and shows this same host-entry dialog, but the dialog still always offers “Enter on Trezor instead”. Selecting it switches to PASSPHRASE_DEVICE even though the connected device reported that it cannot accept on-device passphrase entry, causing hidden-wallet connection to fail instead of keeping the user on the supported host-entry path.

Useful? React with 👍 / 👎.