feat: add OpenWrt cross-compilation and packaging (Phase F7)

- packaging/openwrt/: opkg Makefile, procd init script, uci config
- scripts/cross-compile.sh: build for musl targets with size checks
- .github/workflows/openwrt.yml: CI cross-compile + 5 MB size gate
- docs/openwrt.md: installation and configuration guide
- Targets: x86_64-musl, armv7-musleabihf, aarch64-musl
- Uses cargo-zigbuild for Docker-free cross-compilation

packaging/openwrt/Makefile

@@ -0,0 +1,58 @@
+# OpenWrt package feed Makefile for quicproquo server.
+#
+# Usage:
+#   1. Add this directory as a custom feed in feeds.conf:
+#      src-link quicproquo /path/to/quicproquo/packaging/openwrt
+#   2. ./scripts/feeds update quicproquo && ./scripts/feeds install quicproquo
+#   3. make menuconfig  (select Network -> quicproquo)
+#   4. make package/quicproquo/compile V=s
+#
+# The binary is pre-built via cross-compilation (see scripts/cross-compile.sh)
+# and the Makefile simply installs it into the ipkg.
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=quicproquo
+PKG_VERSION:=0.1.0
+PKG_RELEASE:=1
+PKG_MAINTAINER:=quicproquo team
+PKG_LICENSE:=MIT
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/quicproquo
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=End-to-end encrypted group messenger (server)
+  DEPENDS:=+libpthread +librt
+  URL:=https://github.com/nicholasgasior/quicproquo
+endef
+
+define Package/quicproquo/description
+  Production-grade end-to-end encrypted group messenger using QUIC transport,
+  MLS (RFC 9420), ML-KEM-768 hybrid post-quantum KEM, and OPAQUE authentication.
+  This package installs the qpq-server daemon.
+endef
+
+define Package/quicproquo/conffiles
+/etc/config/quicproquo
+endef
+
+# Skip standard build — we use pre-compiled static musl binaries.
+define Build/Compile
+endef
+
+define Package/quicproquo/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/qpq-server $(1)/usr/bin/qpq-server
+
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/quicproquo.init $(1)/etc/init.d/quicproquo
+
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) ./files/quicproquo.uci $(1)/etc/config/quicproquo
+
+	$(INSTALL_DIR) $(1)/var/lib/quicproquo
+endef
+
+$(eval $(call BuildPackage,quicproquo))

packaging/openwrt/files/quicproquo.init

@@ -0,0 +1,45 @@
+#!/bin/sh /etc/rc.common
+# procd init script for quicproquo server.
+# Reads configuration from /etc/config/quicproquo (uci).
+
+START=95
+STOP=10
+USE_PROCD=1
+
+PROG=/usr/bin/qpq-server
+DATA_DIR=/var/lib/quicproquo
+
+start_service() {
+    local listen data_dir log_level tls_cert tls_key production
+
+    config_load quicproquo
+    config_get listen server listen '0.0.0.0:7000'
+    config_get data_dir server data_dir "$DATA_DIR"
+    config_get log_level server log_level 'info'
+    config_get tls_cert server tls_cert "${data_dir}/server-cert.der"
+    config_get tls_key server tls_key "${data_dir}/server-key.der"
+    config_get_bool production server production 1
+
+    [ -d "$data_dir" ] || mkdir -p "$data_dir"
+
+    procd_open_instance
+    procd_set_param command "$PROG"
+
+    procd_set_param env \
+        RUST_LOG="$log_level" \
+        QPQ_LISTEN="$listen" \
+        QPQ_DATA_DIR="$data_dir" \
+        QPQ_TLS_CERT="$tls_cert" \
+        QPQ_TLS_KEY="$tls_key" \
+        QPQ_PRODUCTION="$production"
+
+    procd_set_param respawn 3600 5 5
+    procd_set_param stderr 1
+    procd_set_param stdout 1
+    procd_set_param user qpq
+    procd_close_instance
+}
+
+service_triggers() {
+    procd_add_reload_trigger "quicproquo"
+}

packaging/openwrt/files/quicproquo.uci

@@ -0,0 +1,7 @@
+config server 'server'
+    option listen '0.0.0.0:7000'
+    option data_dir '/var/lib/quicproquo'
+    option log_level 'info'
+    option tls_cert '/var/lib/quicproquo/server-cert.der'
+    option tls_key '/var/lib/quicproquo/server-key.der'
+    option production '1'