fix: security hardening — 40 findings from full codebase review

Full codebase review by 4 independent agents (security, architecture,
code quality, correctness) identified ~80 findings. This commit fixes 40
of them across all workspace crates.

Critical fixes:
- Federation service: validate origin against mTLS cert CN/SAN (C1)
- WS bridge: add DM channel auth, size limits, rate limiting (C2)
- hpke_seal: panic on error instead of silent empty ciphertext (C3)
- hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7)

Security fixes:
- Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes()
  returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password,
  conversation hex_key all wrapped in Zeroizing
- Keystore: 0o600 file permissions on Unix
- MeshIdentity: 0o600 file permissions on Unix
- Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor
- Mobile: TLS verification gated behind insecure-dev feature flag
- Proto: from_bytes default limit tightened from 64 MiB to 8 MiB

Correctness fixes:
- fetch_wait: register waiter before fetch to close TOCTOU window
- MeshEnvelope: exclude hop_count from signature (forwarding no longer
  invalidates sender signature)
- BroadcastChannel: encrypt returns Result instead of panicking
- transcript: rename verify_transcript_chain → validate_transcript_structure
- group.rs: extract shared process_incoming() for receive_message variants
- auth_ops: remove spurious RegistrationRequest deserialization
- MeshStore.seen: bounded to 100K with FIFO eviction

Quality fixes:
- FFI error classification: typed downcast instead of string matching
- Plugin HookVTable: SAFETY documentation for unsafe Send+Sync
- clippy::unwrap_used: warn → deny workspace-wide
- Various .unwrap_or("") → proper error returns

Review report: docs/REVIEW-2026-03-04.md
152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)

crates/quicproquo-proto/src/lib.rs

@@ -61,12 +61,27 @@ pub fn to_bytes<A: capnp::message::Allocator>(
 
 /// Deserialise unpacked wire bytes into a message with owned segments.
 ///
-/// Uses `ReaderOptions::new()` (default limits: 64 MiB, 512 nesting levels).
-/// Callers that receive data from untrusted peers should consider tightening
-/// the traversal limit via `ReaderOptions::traversal_limit_in_words`.
+/// Uses a stricter default traversal limit of 1 Mi words (~8 MiB) instead
+/// of the Cap'n Proto default of 64 MiB, reducing DoS amplification from
+/// untrusted input. Use [`from_bytes_with_options`] if you need a custom limit.
 pub fn from_bytes(
     bytes: &[u8],
 ) -> Result<capnp::message::Reader<capnp::serialize::OwnedSegments>, capnp::Error> {
+    let mut options = capnp::message::ReaderOptions::new();
+    options.traversal_limit_in_words(Some(1_048_576)); // 1 Mi words = ~8 MiB
     let mut cursor = std::io::Cursor::new(bytes);
-    capnp::serialize::read_message(&mut cursor, capnp::message::ReaderOptions::new())
+    capnp::serialize::read_message(&mut cursor, options)
+}
+
+/// Deserialise unpacked wire bytes with caller-specified [`ReaderOptions`].
+///
+/// Prefer [`from_bytes`] for typical use. Use this variant when you need to
+/// raise the traversal limit for large messages (e.g. blob transfers) or
+/// lower it further for tighter validation.
+pub fn from_bytes_with_options(
+    bytes: &[u8],
+    options: capnp::message::ReaderOptions,
+) -> Result<capnp::message::Reader<capnp::serialize::OwnedSegments>, capnp::Error> {
+    let mut cursor = std::io::Cursor::new(bytes);
+    capnp::serialize::read_message(&mut cursor, options)
 }