fix: security hardening — 40 findings from full codebase review

Full codebase review by 4 independent agents (security, architecture,
code quality, correctness) identified ~80 findings. This commit fixes 40
of them across all workspace crates.

Critical fixes:
- Federation service: validate origin against mTLS cert CN/SAN (C1)
- WS bridge: add DM channel auth, size limits, rate limiting (C2)
- hpke_seal: panic on error instead of silent empty ciphertext (C3)
- hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7)

Security fixes:
- Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes()
  returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password,
  conversation hex_key all wrapped in Zeroizing
- Keystore: 0o600 file permissions on Unix
- MeshIdentity: 0o600 file permissions on Unix
- Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor
- Mobile: TLS verification gated behind insecure-dev feature flag
- Proto: from_bytes default limit tightened from 64 MiB to 8 MiB

Correctness fixes:
- fetch_wait: register waiter before fetch to close TOCTOU window
- MeshEnvelope: exclude hop_count from signature (forwarding no longer
  invalidates sender signature)
- BroadcastChannel: encrypt returns Result instead of panicking
- transcript: rename verify_transcript_chain → validate_transcript_structure
- group.rs: extract shared process_incoming() for receive_message variants
- auth_ops: remove spurious RegistrationRequest deserialization
- MeshStore.seen: bounded to 100K with FIFO eviction

Quality fixes:
- FFI error classification: typed downcast instead of string matching
- Plugin HookVTable: SAFETY documentation for unsafe Send+Sync
- clippy::unwrap_used: warn → deny workspace-wide
- Various .unwrap_or("") → proper error returns

Review report: docs/REVIEW-2026-03-04.md
152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)

crates/quicproquo-core/src/transcript.rs

@@ -208,11 +208,17 @@ pub fn read_transcript(
     Ok((records, verdict))
 }
 
-/// Verify the hash chain without decrypting record contents.
+/// Validate the structural integrity of a transcript file without decrypting.
+///
+/// Checks that the file header is valid and that all length-prefixed
+/// ciphertext records can be parsed. Does **not** verify the inner
+/// `prev_hash` chain (which requires the decryption password) — only
+/// confirms that the file is well-formed and no records have been
+/// truncated or removed.
 ///
 /// Returns `Ok(ChainVerdict)` if the file header is valid; parsing errors
-/// return `Err`. The chain verdict indicates whether all hashes matched.
-pub fn verify_transcript_chain(data: &[u8]) -> Result<ChainVerdict, CoreError> {
+/// return `Err`.
+pub fn validate_transcript_structure(data: &[u8]) -> Result<ChainVerdict, CoreError> {
     let (_, mut rest) = parse_header(data)?;
 
     let mut expected_prev: [u8; 32] = [0u8; 32];
@@ -250,6 +256,12 @@ pub fn verify_transcript_chain(data: &[u8]) -> Result<ChainVerdict, CoreError> {
     Ok(ChainVerdict::Ok { records: count })
 }
 
+/// Deprecated alias for [`validate_transcript_structure`].
+#[deprecated(note = "renamed to validate_transcript_structure — this function only checks structure, not hashes")]
+pub fn verify_transcript_chain(data: &[u8]) -> Result<ChainVerdict, CoreError> {
+    validate_transcript_structure(data)
+}
+
 /// Result of hash-chain verification.
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub enum ChainVerdict {
@@ -515,7 +527,7 @@ mod tests {
                 .expect("write");
         }
 
-        let verdict = verify_transcript_chain(&buf).expect("verify");
+        let verdict = validate_transcript_structure(&buf).expect("verify");
         assert_eq!(verdict, ChainVerdict::Ok { records: 5 });
     }
 
@@ -537,7 +549,7 @@ mod tests {
 
         // Truncate the last few bytes — should fail parsing.
         let truncated = &buf[..buf.len() - 5];
-        let result = verify_transcript_chain(truncated);
+        let result = validate_transcript_structure(truncated);
         assert!(result.is_err(), "truncated file must be detected");
     }
 }