chore(deps): bump @e4a/pg-js to ^1.8.0

[rubenhensen]

Summary

• Bump @e4a/pg-js from ^1.6.2 to ^1.8.0 (pulls @e4a/pg-wasm 0.5.10 → 0.6.0 transitively).
• Picks up the 1.7.1 fix where Opened.decrypt({ uuid }) now unwraps data.bin from the zip — directly affects our /download flow (pg.open({ uuid }).decrypt(...)).
• Not wired: the 1.7.0 / 1.8.0 cross-restart resume primitives (resumeUpload, onUploadInit). The high-level Sealed.upload() has no entry point to consume a rehydrated FileState, and browser File handles don't survive a reload — users would have to reselect files anyway, so the UX value is zero. Skipped intentionally.

Test plan

• npm run check and npm run build pass locally on the bumped lockfile.
• Encrypt a file via / and verify the upload completes end-to-end.
• Open the resulting download URL and verify /download decrypts to the original file (regression check for the 1.7.1 zip-unwrap fix).

[rubenhensen]

/dobby review

[dobby-coder]

This agent is on it! Eager to review the pg-js 1.8 bump — checking CI, the lockfile, and the /download decrypt flow that the 1.7.1 fix touches. Will report back shortly.

[dobby-coder]

Approving. Pure dep bump to @e4a/pg-js@^1.8.0 (pulls @e4a/pg-wasm 0.6.0 transitively); no source changes.

Verified locally:

• npm ci --legacy-peer-deps clean.
• npm run check — 0 errors, 0 warnings.
• npm run build — succeeds.
• CI green (Build amd64/arm64, Lint, Svelte Check, Conventional Commit).

PR description accurately reflects upstream releases (confirmed against postguard-js v1.7.0/1.7.1/1.8.0 release notes):

• 1.7.1 zip-unwrap fix is the load-bearing change here — pg.open({ uuid }).decrypt(...) is hit at src/routes/(app)/download/+page.svelte:64,116 and src/lib/components/fallback/Decrypt.svelte:90,233. No call-site changes needed; the fix is transparent.
• Skipping 1.7.0 resumeUpload / 1.8.0 onUploadInit is the right call: browser File handles can't survive a reload, so users would have to reselect files anyway. Wiring them up here would be UX theater.

Worth a manual smoke (encrypt → download round-trip) before merge per the test plan, but no code-level blockers.

[dobby-coder]

Reviewed locally on chore/bump-pg-js-1.8:

• npm ci --legacy-peer-deps clean, npm run check 0 errors / 0 warnings, npm run build succeeds.
• All seven CI checks already green.
• Diff is the dep bump only (package.json + lockfile). No call-site changes needed: /download keeps casting to DecryptFileResult and Decrypt.svelte already branches on result.plaintext vs extractFromZip(blob, 'data.bin'), so the 1.7.1 unwrap fix just shifts more cases onto the plaintext branch — no regression surface.
• Skipping the 1.7.0/1.8.0 resume primitives is the right call: Sealed.upload() has no rehydration entry point and browser File handles don't survive reload anyway.

LGTM.