feat(library): M2 — adopt unified visibility system as the pilot module

First consumer of @mana/shared-privacy. Library entries now carry an
explicit VisibilityLevel the owner can flip from the detail view via
<VisibilityPicker>; embed resolver gates hard on canEmbedOnWebsite so
only entries the user marked 'public' appear on published websites.

Replaces the M1/old flow — the library embed used to pass-through
`filter.isFavorite` as a weak proxy for "show on my site". That filter
still works as an additional user-facing filter, but it can no longer
override the visibility gate (fixes a real leak: a favourited private
book would have ended up on the public snapshot).

Changes:
- @mana/shared-privacy added to the web-app's dependency list
- LocalLibraryEntry + LibraryEntry gain visibility / unlistedToken /
  visibilityChangedAt / visibilityChangedBy fields. Legacy rows
  (pre-migration) fall back to 'space' via the toLibraryEntry
  converter — matches the Dexie hook's existing structural default
  and maps to the space-foundation semantics unchanged
- libraryEntriesStore.createEntry stamps defaultVisibilityFor(active
  space.type) explicitly so personal-space entries default to
  'private' instead of the generic 'space' fallback
- libraryEntriesStore.setVisibility(id, level): flips the field,
  mints/clears the unlisted token on the transition boundary, emits
  the cross-module VisibilityChanged domain event
- Event catalog registers VisibilityChanged with the payload type
  re-exported from @mana/shared-privacy (kept under a dedicated
  "Visibility (Cross-Module)" section — this is the first of many
  modules that will emit it)
- Library DetailView header gains the <VisibilityPicker> next to the
  kind-pill, so "who sees this?" is visible at a glance
- embeds.ts resolveLibraryEntries replaces its favourite-proxy gate
  with canEmbedOnWebsite. User filters (kind/status/favorite) still
  stack on top but cannot relax the visibility requirement
- ListView's inline-create EntryForm seed ships with
  visibility: 'private' so the type asserts cleanly and the preview
  entry matches the safe default

No schema migration needed — the visibility column already exists on
every space-scoped Dexie record (Spaces-Foundation v28). The Dexie
hook's 'space' default still fires for rows the library store doesn't
pre-populate (e.g. legacy paths); setVisibility and createEntry now
own the intent.

What's verified:
- pnpm check (web): 7450 files, 0 errors, 0 warnings
- pnpm test library + website: 23/23 passing
- @mana/shared-privacy: 15/15 passing (re-ran after the dep pull)
- pnpm run validate:all: theme-tokens, theme-parity, crypto-registry,
  encrypted-tools all green

Next in the rollout: M3 Picture (swap the picture.board isPublic
flag for visibility and update the board embed to use
canEmbedOnWebsite). See docs/plans/visibility-system.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

pnpm-lock.yaml

@@ -546,6 +546,9 @@ importers:
       '@mana/shared-llm':
         specifier: workspace:*
         version: link:../../../../packages/shared-llm
+      '@mana/shared-privacy':
+        specifier: workspace:*
+        version: link:../../../../packages/shared-privacy
       '@mana/shared-stores':
         specifier: workspace:*
         version: link:../../../../packages/shared-stores