Add OS keychain for persistent nsec sessions (roadmap #1)

- Rust: store_nsec / load_nsec / delete_nsec Tauri commands via keyring crate
  (macOS Keychain, Windows Credential Manager, Linux Secret Service)
- On nsec login: key is stored in OS keychain keyed by hex pubkey
- On startup: restoreSession() auto-loads nsec from keychain and re-establishes
  the NDK signer — no manual re-login required after restart
- On logout: keychain entry is deleted
- Graceful degradation: if keychain is unavailable (e.g. Linux without a Secret
  Service daemon), the app starts logged-out — same UX as before, no crash

Also updates ROADMAP.md with 4 new items from the Windows playtest (multi-account
switcher, NWC wizard, system tray, zap history view) and reorders the list.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/main.tsx

@@ -4,14 +4,8 @@ import App from "./App";
 import "./index.css";
 import { useUserStore } from "./stores/user";
 
-// Restore session from localStorage
-const savedPubkey = localStorage.getItem("wrystr_pubkey");
-const savedLoginType = localStorage.getItem("wrystr_login_type");
-if (savedPubkey && savedLoginType === "pubkey") {
-  useUserStore.getState().loginWithPubkey(savedPubkey);
-}
-// Note: nsec is never stored, so nsec sessions can't be auto-restored.
-// Future: restore via OS keychain.
+// Restore session — pubkey (read-only) or nsec via OS keychain
+useUserStore.getState().restoreSession();
 
 createRoot(document.getElementById("root") as HTMLElement).render(
   <StrictMode>