feat(extension): Chrome Web Store readiness — popup UI, privacy policy, CSP

[jackwener]

Summary

Prepare the Chrome extension for Chrome Web Store submission.

Changes

• Popup UI — clicking the extension icon now shows daemon connection status:
  • Connected to daemon (green dot)
  • Reconnecting... (orange dot)
  • No daemon connected (red dot)
• Privacy Policy (PRIVACY.md) — covers all permissions, data flow, cookie access
• CSP — explicit content_security_policy in manifest.json
• Description — updated to be clearer for CWS reviewers
• Message API — background.ts exposes getStatus for popup communication

CWS Submission Notes

The debugger permission remains the main review risk. The privacy policy and popup UI should help justify it by showing:

1. This is a legitimate developer automation tool
2. All communication is localhost-only
3. Operations happen in isolated windows

Test plan

• tsc --noEmit passes
• vite build succeeds
• Load unpacked in Chrome → click extension icon → shows "No daemon connected"
• Start opencli daemon → popup shows "Connected to daemon"