feat: trusted-domains OAuth popups, og:image bookmark posters, periodic updater

- main.js: trusted-domains list with default Google/Yandex/GitHub/etc.;
  cross-domain confirmation skipped for trusted; setWindowOpenHandler
  returns action:'allow' for trusted so OAuth popups work (postMessage
  back to opener, popup self-closes). Fixes YouTube/Google login reset.
- main.js: get-page-meta IPC extracts og:image / twitter:image / JSON-LD
  image from current view; HDRezka also tries .b-sidecover img for hi-res.
- Header: bookmark button pulls og:image as poster and the page's title;
  duplicate detection switched from hostname to full URL so multiple
  movies from same site can coexist.
- BookmarksBar: site icon rendered next to source domain when distinct
  from poster; img onerror falls back to placeholder.
- Settings: trusted domains chip list with add/remove/reset.
- Updater: proper semver compare (only show if latest > current),
  direct installer URL detection per platform, hourly re-check.

Bookmark schema gains optional siteIcon; existing bookmarks remain valid.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

preload.js

@@ -21,6 +21,7 @@ contextBridge.exposeInMainWorld('electron', {
   forwardPage: () => ipcRenderer.send('forwardPage'),
   refreshPage: () => ipcRenderer.send('refreshPage'),
   getCurrentPage: () => ipcRenderer.invoke('get-current-page'),
+  getPageMeta: () => ipcRenderer.invoke('get-page-meta'),
   readConfig: () => ipcRenderer.invoke('read-config'),
   writeConfig: (data) => ipcRenderer.send('write-config', data),
   searchMovies: (query, sites) => ipcRenderer.invoke('search-movies', query, sites),