fix: persist offline unlock record during passkey PRF login

- Add fallbackKdfIterations parameter to completeLoginWithVaultKeys
- Save offline unlock record (email, profile, profileKey, kdfIterations)
  when completing vault-key-based login, ensuring offline unlock works
  after passkey (PRF) authentication
- Pass through fallbackIterations from performPasskeyLogin caller
- Add .reasonix/ to .gitignore

webapp/src/lib/app-auth.ts

@@ -363,7 +363,8 @@ function readPasskeyPrfOption(token: TokenSuccess): AccountPasskeyPrfOption | nu
 async function completeLoginWithVaultKeys(
   token: TokenSuccess,
   email: string,
-  keys: { symEncKey: string; symMacKey: string }
+  keys: { symEncKey: string; symMacKey: string },
+  fallbackKdfIterations: number
 ): Promise<CompletedLogin> {
   const normalizedEmail = email.trim().toLowerCase();
   const fallbackProfile = loadProfileSnapshot(normalizedEmail);
@@ -378,6 +379,12 @@ async function completeLoginWithVaultKeys(
     () => {}
   );
   const profile = buildTransientProfile(token, normalizedEmail, fallbackProfile);
+  saveOfflineUnlockRecord({
+    email: normalizedEmail,
+    profile,
+    profileKey: profile.key,
+    kdfIterations: kdfIterationsFromLogin(token, fallbackKdfIterations),
+  });
   return {
     session: { ...baseSession, ...keys },
     profile,
@@ -448,7 +455,7 @@ export async function performPasskeyLogin(fallbackIterations: number, expectedEm
       const keys = await unlockVaultKeyWithAccountPasskeyPrf(assertion.prfKey, prfOption);
       return {
         kind: 'success',
-        login: await completeLoginWithVaultKeys(token, email, keys),
+        login: await completeLoginWithVaultKeys(token, email, keys, fallbackIterations),
       };
     }