feat: implement account recovery with encrypted backup bundles

Add recovery code generation (8 codes per setup), Argon2id key derivation,
ChaCha20-Poly1305 encrypted bundles, and server-side zero-knowledge storage.
Each code independently recovers the account. Includes core crypto module,
protobuf service (method IDs 750-752), server domain + handlers, SDK methods,
SQL migration, and CLI commands (/recovery setup, /recovery restore).

crates/quicproquo-proto/build.rs

@@ -51,6 +51,9 @@ fn main() {
         "qpq/v1/p2p.proto",
         "qpq/v1/federation.proto",
         "qpq/v1/push.proto",
+        "qpq/v1/group.proto",
+        "qpq/v1/moderation.proto",
+        "qpq/v1/recovery.proto",
     ];
 
     let full_paths: Vec<PathBuf> = proto_files.iter().map(|f| proto_dir.join(f)).collect();

crates/quicproquo-proto/src/lib.rs

@@ -97,6 +97,12 @@ pub mod method_ids {
     // Channel (400)
     pub const CREATE_CHANNEL: u16 = 400;
 
+    // Group management (410-413)
+    pub const REMOVE_MEMBER: u16 = 410;
+    pub const UPDATE_GROUP_METADATA: u16 = 411;
+    pub const LIST_GROUP_MEMBERS: u16 = 412;
+    pub const ROTATE_KEYS: u16 = 413;
+
     // User (500-501)
     pub const RESOLVE_USER: u16 = 500;
     pub const RESOLVE_IDENTITY: u16 = 501;
@@ -123,6 +129,18 @@ pub mod method_ids {
     pub const PROXY_RESOLVE_USER: u16 = 904;
     pub const FEDERATION_HEALTH: u16 = 905;
 
+    // Moderation (420-424)
+    pub const REPORT_MESSAGE: u16 = 420;
+    pub const BAN_USER: u16 = 421;
+    pub const UNBAN_USER: u16 = 422;
+    pub const LIST_REPORTS: u16 = 423;
+    pub const LIST_BANNED: u16 = 424;
+
+    // Recovery (750-752)
+    pub const STORE_RECOVERY_BUNDLE: u16 = 750;
+    pub const FETCH_RECOVERY_BUNDLE: u16 = 751;
+    pub const DELETE_RECOVERY_BUNDLE: u16 = 752;
+
     // Account (950)
     pub const DELETE_ACCOUNT: u16 = 950;