fix: clarify outer-vs-hidden credentials in hidden volume protection UI

[mvanhorn]

Summary

Reword the English string entries so the credential split is explicit: clarify the Mount Options "Hidden Volume Protection" section (IDT_HIDDEN_VOL_PROTECTION / IDT_HIDDEN_PROT_PASSWD) to state it expects the HIDDEN volume's password, and add a short clarifying note that the main password dialog must receive the OUTER volume password when protection is enabled. In src/Mount/Mount.c, in the Mount Options dialog handling (MountOptionsDlgProc, around the IDC_PROTECT_HIDDEN_VOL / IDT_HIDDEN_PROT_PASSWD handling) and where the mount-failure error is surfaced, conditionally present the clarified wording when ProtectHiddenVolume is set so the failure message explains the two credential sets rather than the generic PASSWORD_OR_KEYFILE_WRONG text. Adjust the corresponding static-control wording/sizing in src/Mount/Mount.rc only if the longer label requires it (text is loaded from Language.xml via LocalizeDialog, so most changes are string-only).

Why this matters

When mounting with "Protect hidden volume against damage" enabled in the Windows GUI, the main password dialog and the Mount Options protection section do not make clear which credential set goes where. The main dialog needs the OUTER (decoy) volume password while the Mount Options "Hidden Volume Protection" section needs the HIDDEN volume password, but the labels and the wrong-password error use generic text. This causes avoidable authentication failures (the reporter hit Error 9135) for correctly created volumes. The maintainer (idrassi) confirmed the requested behavior change (making the protection section ask for the outer password) would be incorrect, but explicitly agreed there is "a real UI ambiguity" and stated "We will consider improving the Windows GUI labels/error text to make this explicit." This plan implements only that maintainer-endorsed text/label clarification, not any behavior change.

See #1673.

Testing

• Happy path: enable "Protect hidden volume against damage", observe the protection section clearly states it needs the HIDDEN volume password and the main dialog clearly indicates the OUTER volume password is required; mounting the outer volume with protection succeeds as before. - Edge case: protection disabled - labels and dialogs render with original wording, no clarifying note shown, no layout regression. - Edge case: verify translated builds still load (non-English language files fall back to English keys; no missing-key crash) and the new/edited keys exist for all referenced controls. - Error path: enter wrong outer/hidden credentials with protection enabled and confirm the failure message now distinguishes the two credential sets instead of the generic incorrect-password text.

Fixes #1673

[idrassi]

Thank you for the PR. The direction is correct: hidden volume protection must continue to mount the outer volume while using the hidden volume credentials only to determine the protected range.

However, I can't merge this as-is because the new error message is currently only used in the “Auto-Mount All Devices” failure path, even though the PR description says the mount-failure error is clarified generally. The normal single volume mount path still reports ERR_PASSWORD_WRONG through GetWrongPasswordErrorMessage, so the main case described in #1673 would still show the generic password/keyfile/PIM/KDF error.

Also, the main dialog clarifies only the password label. Since the ambiguity also applies to PIM, KDF/PRF, and keyfiles, we should either add a clear note that the main dialog expects outer volume credentials, or conditionally clarify those labels too.

One style point: newly added entries in Language.xml should be appended at the bottom of the existing entries, not inserted in the middle. This makes it easier for translators to track new strings. Please move the newly added keys there.

Please update the PR accordingly.