fix: security hardening — 40 findings from full codebase review

Full codebase review by 4 independent agents (security, architecture,
code quality, correctness) identified ~80 findings. This commit fixes 40
of them across all workspace crates.

Critical fixes:
- Federation service: validate origin against mTLS cert CN/SAN (C1)
- WS bridge: add DM channel auth, size limits, rate limiting (C2)
- hpke_seal: panic on error instead of silent empty ciphertext (C3)
- hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7)

Security fixes:
- Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes()
  returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password,
  conversation hex_key all wrapped in Zeroizing
- Keystore: 0o600 file permissions on Unix
- MeshIdentity: 0o600 file permissions on Unix
- Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor
- Mobile: TLS verification gated behind insecure-dev feature flag
- Proto: from_bytes default limit tightened from 64 MiB to 8 MiB

Correctness fixes:
- fetch_wait: register waiter before fetch to close TOCTOU window
- MeshEnvelope: exclude hop_count from signature (forwarding no longer
  invalidates sender signature)
- BroadcastChannel: encrypt returns Result instead of panicking
- transcript: rename verify_transcript_chain → validate_transcript_structure
- group.rs: extract shared process_incoming() for receive_message variants
- auth_ops: remove spurious RegistrationRequest deserialization
- MeshStore.seen: bounded to 100K with FIFO eviction

Quality fixes:
- FFI error classification: typed downcast instead of string matching
- Plugin HookVTable: SAFETY documentation for unsafe Send+Sync
- clippy::unwrap_used: warn → deny workspace-wide
- Various .unwrap_or("") → proper error returns

Review report: docs/REVIEW-2026-03-04.md
152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)

crates/quicproquo-p2p/src/store.rs

@@ -3,19 +3,25 @@
 //! [`MeshStore`] buffers [`MeshEnvelope`]s for offline recipients and
 //! provides deduplication and automatic garbage collection of expired messages.
 
-use std::collections::{HashMap, HashSet};
+use std::collections::{HashMap, HashSet, VecDeque};
 
 use crate::envelope::MeshEnvelope;
 
 /// Default maximum messages stored per recipient.
 const DEFAULT_MAX_STORED: usize = 1000;
 
+/// Maximum number of envelope IDs retained in the seen set for deduplication.
+/// Once exceeded, the oldest IDs are evicted to bound memory growth.
+const MAX_SEEN_IDS: usize = 100_000;
+
 /// In-memory store-and-forward queue keyed by recipient public key.
 pub struct MeshStore {
     /// Recipient public key -> queued envelopes.
     inbox: HashMap<Vec<u8>, Vec<MeshEnvelope>>,
     /// Set of envelope IDs already processed (deduplication).
     seen: HashSet<[u8; 32]>,
+    /// Insertion-ordered queue of seen IDs for bounded eviction.
+    seen_order: VecDeque<[u8; 32]>,
     /// Maximum envelopes held per recipient.
     max_stored: usize,
 }
@@ -28,6 +34,7 @@ impl MeshStore {
         Self {
             inbox: HashMap::new(),
             seen: HashSet::new(),
+            seen_order: VecDeque::new(),
             max_stored: if max_stored == 0 {
                 DEFAULT_MAX_STORED
             } else {
@@ -50,6 +57,15 @@ impl MeshStore {
             return false;
         }
         self.seen.insert(envelope.id);
+        self.seen_order.push_back(envelope.id);
+
+        // Evict oldest seen IDs if the set exceeds the bound.
+        while self.seen_order.len() > MAX_SEEN_IDS {
+            if let Some(old_id) = self.seen_order.pop_front() {
+                self.seen.remove(&old_id);
+            }
+        }
+
         queue.push(envelope);
         true
     }