fix: harden wallet IPC, browser, and email flows #150

Open
nullxnothing wants to merge 2 commits into main from fix/security-hardening-42-46

@nullxnothing
Owner

Reopened during repo cleanup pass. Branch was 4 weeks stale with no open PR but contains real unmerged work:

test/services/BrowserService.test.ts | 44 ++++++++++++++++
test/services/ValidationService.test.ts | 28 +++++++++++
11 files changed, 354 insertions(+), 31 deletions(-)

CI will indicate whether this still applies cleanly against current main (post v3.1 reworks).

@nullxnothing
Owner Author

Conflict scope: 7 files including electron/ipc/wallet.ts, BrowserService.ts, email.ts, release workflow. Security-critical — author should resolve to ensure hardening intent is preserved during merge.

@nullxnothing
Owner Author

Cleanup pass — needs author rebase:

7-file conflict, security-critical content. Auto-resolution risks weakening hardening intent. Specifically:

| File | Why conflict | Recommended owner |
| --- | --- | --- |
| electron/services/BrowserService.ts | This branch adds CIDR/SSRF guards; main has different BrowserService changes | Author |
| electron/ipc/wallet.ts | New validation primitives vs main's wallet flow changes | Author |
| electron/ipc/email.ts | New email validators vs main version | Author |
| electron/ipc/deploy.ts | New deploy validators | Author |
| electron/ipc/vault.ts | Already exists on main with different content | Compare carefully |
| electron/services/ValidationService.ts | Already exists on main with different content | Compare carefully |
| .github/workflows/release.yml | Workflow drift | Probably accept main |

Plus 1 of 2 commits is already in main (fix: stabilize release packaging workflow landed via separate path), so only the actual hardening commit needs to apply.

Recommend: extract just the hardening primitives (CIDR check, validators, tests) into a fresh PR against current main rather than rebasing this one.
