fix: security hardening — 40 findings from full codebase review

Full codebase review by 4 independent agents (security, architecture,
code quality, correctness) identified ~80 findings. This commit fixes 40
of them across all workspace crates.

Critical fixes:
- Federation service: validate origin against mTLS cert CN/SAN (C1)
- WS bridge: add DM channel auth, size limits, rate limiting (C2)
- hpke_seal: panic on error instead of silent empty ciphertext (C3)
- hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7)

Security fixes:
- Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes()
  returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password,
  conversation hex_key all wrapped in Zeroizing
- Keystore: 0o600 file permissions on Unix
- MeshIdentity: 0o600 file permissions on Unix
- Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor
- Mobile: TLS verification gated behind insecure-dev feature flag
- Proto: from_bytes default limit tightened from 64 MiB to 8 MiB

Correctness fixes:
- fetch_wait: register waiter before fetch to close TOCTOU window
- MeshEnvelope: exclude hop_count from signature (forwarding no longer
  invalidates sender signature)
- BroadcastChannel: encrypt returns Result instead of panicking
- transcript: rename verify_transcript_chain → validate_transcript_structure
- group.rs: extract shared process_incoming() for receive_message variants
- auth_ops: remove spurious RegistrationRequest deserialization
- MeshStore.seen: bounded to 100K with FIFO eviction

Quality fixes:
- FFI error classification: typed downcast instead of string matching
- Plugin HookVTable: SAFETY documentation for unsafe Send+Sync
- clippy::unwrap_used: warn → deny workspace-wide
- Various .unwrap_or("") → proper error returns

Review report: docs/REVIEW-2026-03-04.md
152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)

crates/quicproquo-plugin-api/src/lib.rs

@@ -182,10 +182,21 @@ pub struct HookVTable {
     pub destroy: Option<unsafe extern "C" fn(user_data: *mut core::ffi::c_void)>,
 }
 
-// Safety: user_data is an opaque pointer managed by the plugin. The plugin is
-// responsible for its own thread safety. The server only calls hook functions
-// one at a time per plugin (wrapped in a single Arc). Plugins that mutate
-// user_data through callbacks must use interior mutability.
+// SAFETY: `HookVTable` contains raw pointers (`user_data`, function pointers)
+// which are not inherently `Send`/`Sync`. These impls are sound because:
+//
+// 1. `user_data` is an opaque pointer managed entirely by the plugin. The plugin
+//    contract (documented in the module-level doc comment) requires that plugins
+//    use interior mutability (Mutex/RwLock) if `user_data` is mutated through
+//    callbacks. The server wraps each loaded plugin in an `Arc<HookVTable>` and
+//    may invoke hooks from any Tokio worker thread.
+//
+// 2. All function pointers are `unsafe extern "C" fn` — they are plain addresses
+//    with no captured state. The code they point to must be thread-safe per the
+//    plugin contract.
+//
+// 3. The server guarantees that `destroy` is called exactly once during shutdown,
+//    after which no further hook calls are made on the vtable.
 #[allow(unsafe_code)]
 unsafe impl Send for HookVTable {}
 #[allow(unsafe_code)]