PWA offline support + client-side encryption

- Service worker: caches app shell, network-first for HTML
- manifest.json for installable PWA
- IndexedDB: cache files locally, queue pending saves
- Offline fallback: open cached files when server unreachable
- Sync pending changes on reconnect (online event)
- Client-side AES-256-GCM encryption lib (PBKDF2 key derivation)
- Ready for Private Vault feature

frontend/public/sw.js

@@ -0,0 +1,49 @@
+const CACHE_NAME = 'markdownhub-v1'
+const STATIC_ASSETS = [
+  '/',
+  '/index.html',
+]
+
+self.addEventListener('install', (event) => {
+  event.waitUntil(
+    caches.open(CACHE_NAME).then((cache) => cache.addAll(STATIC_ASSETS))
+  )
+  self.skipWaiting()
+})
+
+self.addEventListener('activate', (event) => {
+  event.waitUntil(
+    caches.keys().then((keys) =>
+      Promise.all(keys.filter((k) => k !== CACHE_NAME).map((k) => caches.delete(k)))
+    )
+  )
+  self.clients.claim()
+})
+
+self.addEventListener('fetch', (event) => {
+  const { request } = event
+  const url = new URL(request.url)
+
+  // Don't cache API calls or WebSocket
+  if (url.pathname.startsWith('/api/') || url.pathname.startsWith('/ws/')) {
+    return
+  }
+
+  event.respondWith(
+    caches.match(request).then((cached) => {
+      // Network first for HTML, cache first for assets
+      if (request.destination === 'document') {
+        return fetch(request).then((response) => {
+          const clone = response.clone()
+          caches.open(CACHE_NAME).then((cache) => cache.put(request, clone))
+          return response
+        }).catch(() => cached)
+      }
+      return cached || fetch(request).then((response) => {
+        const clone = response.clone()
+        caches.open(CACHE_NAME).then((cache) => cache.put(request, clone))
+        return response
+      })
+    })
+  )
+})