feat: Sprint 5 — encrypted file transfer with chunked upload/download

- Add uploadBlob (@21) and downloadBlob (@22) RPCs to Cap'n Proto
  schema with SHA-256 content addressing and chunked transfer
- Server blob handler: 256KB chunks, SHA-256 verification on finalize,
  .meta JSON sidecar, 50MB size limit, content-addressable storage
- Add FileRef (0x08) AppMessage variant with blob_id, filename,
  file_size, mime_type
- /send-file command: read file, compute hash, upload in chunks with
  progress display, send FileRef via MLS, MIME auto-detection
- /download command: fetch blob in chunks with progress, verify hash,
  save to disk with collision avoidance
- 2 new E2E tests: upload/download round-trip with partial reads,
  hash mismatch rejection (14 E2E tests total)
- New error codes: E024-E027 for blob operations

crates/quicproquo-client/src/client/rpc.rs

@@ -767,6 +767,70 @@ pub async fn create_channel(
     Ok((channel_id, was_new))
 }
 
+/// Upload a single chunk of a blob to the server.
+///
+/// `blob_hash` is the expected SHA-256 hash (32 bytes) of the complete blob.
+/// Returns the `blob_id` once the server has received and verified the final chunk.
+pub async fn upload_blob_chunk(
+    client: &node_service::Client,
+    blob_hash: &[u8],
+    chunk: &[u8],
+    offset: u64,
+    total_size: u64,
+    mime_type: &str,
+) -> anyhow::Result<Vec<u8>> {
+    let mut req = client.upload_blob_request();
+    {
+        let mut p = req.get();
+        let mut auth = p.reborrow().init_auth();
+        set_auth(&mut auth)?;
+        p.set_blob_hash(blob_hash);
+        p.set_chunk(chunk);
+        p.set_offset(offset);
+        p.set_total_size(total_size);
+        p.set_mime_type(mime_type);
+    }
+    let resp = req.send().promise.await.context("upload_blob RPC failed")?;
+    let blob_id = resp
+        .get()
+        .context("upload_blob: bad response")?
+        .get_blob_id()
+        .context("upload_blob: missing blob_id")?
+        .to_vec();
+    Ok(blob_id)
+}
+
+/// Download a single chunk of a blob from the server.
+///
+/// Returns `(chunk_bytes, total_size, mime_type)`.
+pub async fn download_blob_chunk(
+    client: &node_service::Client,
+    blob_id: &[u8],
+    offset: u64,
+    length: u32,
+) -> anyhow::Result<(Vec<u8>, u64, String)> {
+    let mut req = client.download_blob_request();
+    {
+        let mut p = req.get();
+        let mut auth = p.reborrow().init_auth();
+        set_auth(&mut auth)?;
+        p.set_blob_id(blob_id);
+        p.set_offset(offset);
+        p.set_length(length);
+    }
+    let resp = req.send().promise.await.context("download_blob RPC failed")?;
+    let reader = resp.get().context("download_blob: bad response")?;
+    let chunk = reader.get_chunk().context("download_blob: missing chunk")?.to_vec();
+    let total_size = reader.get_total_size();
+    let mime_type = reader
+        .get_mime_type()
+        .context("download_blob: missing mime_type")?
+        .to_str()
+        .unwrap_or("application/octet-stream")
+        .to_string();
+    Ok((chunk, total_size, mime_type))
+}
+
 /// Return the current Unix timestamp in milliseconds.
 pub fn current_timestamp_ms() -> u64 {
     std::time::SystemTime::now()