wafer-web: add set_prompter for a JS-backed READ-PASSWORD

Browser consumers (kelvar) need a host-provided password prompt so the
master never appears on the command line. Exposes a single method:

    WaferRepl::set_prompter(js_sys::Function) -> Result<(), JsError>

Given a JS function `(prompt: string) => string`, registers it as the
Forth word `READ-PASSWORD` with stack effect

    ( prompt-addr prompt-u -- pw-addr pw-u )

The returned bytes land in WAFER's PAD region. Enforces PAD_SIZE-1 as
a hard upper bound — a silent truncation would cause a derived password
to mismatch the one used during setup, which is exactly the failure
mode we are trying to avoid.

`js_sys::Function` is !Send/!Sync but `HostFn` requires both. In a
browser WASM build there is only ever one thread, so wrap it in
`send_wrapper::SendWrapper`, which panics if accessed off-thread — an
honest guard rather than a lie.

Cargo.lock

@@ -1410,6 +1410,12 @@ dependencies = [
  "serde_core",
 ]
 
+[[package]]
+name = "send_wrapper"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cd0b0ec5f1c1ca621c432a25813d8d60c88abe6d3e08a3eb9cf37d97a0fe3d73"
+
 [[package]]
 name = "serde"
 version = "1.0.228"
@@ -1771,9 +1777,11 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "js-sys",
+ "send_wrapper",
  "wafer-core",
  "wasm-bindgen",
  "wasm-bindgen-test",
+ "wasm-encoder 0.246.2",
 ]
 
 [[package]]