fix: security hardening — 40 findings from full codebase review

Full codebase review by 4 independent agents (security, architecture,
code quality, correctness) identified ~80 findings. This commit fixes 40
of them across all workspace crates.

Critical fixes:
- Federation service: validate origin against mTLS cert CN/SAN (C1)
- WS bridge: add DM channel auth, size limits, rate limiting (C2)
- hpke_seal: panic on error instead of silent empty ciphertext (C3)
- hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7)

Security fixes:
- Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes()
  returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password,
  conversation hex_key all wrapped in Zeroizing
- Keystore: 0o600 file permissions on Unix
- MeshIdentity: 0o600 file permissions on Unix
- Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor
- Mobile: TLS verification gated behind insecure-dev feature flag
- Proto: from_bytes default limit tightened from 64 MiB to 8 MiB

Correctness fixes:
- fetch_wait: register waiter before fetch to close TOCTOU window
- MeshEnvelope: exclude hop_count from signature (forwarding no longer
  invalidates sender signature)
- BroadcastChannel: encrypt returns Result instead of panicking
- transcript: rename verify_transcript_chain → validate_transcript_structure
- group.rs: extract shared process_incoming() for receive_message variants
- auth_ops: remove spurious RegistrationRequest deserialization
- MeshStore.seen: bounded to 100K with FIFO eviction

Quality fixes:
- FFI error classification: typed downcast instead of string matching
- Plugin HookVTable: SAFETY documentation for unsafe Send+Sync
- clippy::unwrap_used: warn → deny workspace-wide
- Various .unwrap_or("") → proper error returns

Review report: docs/REVIEW-2026-03-04.md
152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)

crates/quicproquo-p2p/src/identity.rs

@@ -10,6 +10,9 @@ use std::path::Path;
 use quicproquo_core::IdentityKeypair;
 use serde::{Deserialize, Serialize};
 
+#[cfg(unix)]
+use std::os::unix::fs::PermissionsExt;
+
 /// Information about a known peer in the mesh network.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct PeerInfo {
@@ -68,14 +71,25 @@ impl MeshIdentity {
         })
     }
 
-    /// Save this mesh identity to a JSON file.
+    /// Save this mesh identity to a JSON file with restrictive permissions.
+    ///
+    /// On Unix, the file is set to `0o600` (owner read/write only) since it
+    /// contains the Ed25519 seed in the clear.
     pub fn save(&self, path: &Path) -> anyhow::Result<()> {
         let file = IdentityFile {
-            seed: hex::encode(self.keypair.seed_bytes()),
+            seed: hex::encode(&*self.keypair.seed_bytes()),
             peers: self.known_peers.clone(),
         };
         let json = serde_json::to_string_pretty(&file)?;
         std::fs::write(path, json)?;
+
+        // Restrict permissions to owner-only on Unix.
+        #[cfg(unix)]
+        {
+            let perms = std::fs::Permissions::from_mode(0o600);
+            std::fs::set_permissions(path, perms)?;
+        }
+
         Ok(())
     }
 
@@ -91,7 +105,7 @@ impl MeshIdentity {
 
     /// Return the underlying seed (for deriving iroh `SecretKey`, etc.).
     pub fn seed_bytes(&self) -> [u8; 32] {
-        self.keypair.seed_bytes()
+        *self.keypair.seed_bytes()
     }
 
     /// Register or update a known peer.