fix: security hardening — 40 findings from full codebase review

Full codebase review by 4 independent agents (security, architecture,
code quality, correctness) identified ~80 findings. This commit fixes 40
of them across all workspace crates.

Critical fixes:
- Federation service: validate origin against mTLS cert CN/SAN (C1)
- WS bridge: add DM channel auth, size limits, rate limiting (C2)
- hpke_seal: panic on error instead of silent empty ciphertext (C3)
- hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7)

Security fixes:
- Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes()
  returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password,
  conversation hex_key all wrapped in Zeroizing
- Keystore: 0o600 file permissions on Unix
- MeshIdentity: 0o600 file permissions on Unix
- Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor
- Mobile: TLS verification gated behind insecure-dev feature flag
- Proto: from_bytes default limit tightened from 64 MiB to 8 MiB

Correctness fixes:
- fetch_wait: register waiter before fetch to close TOCTOU window
- MeshEnvelope: exclude hop_count from signature (forwarding no longer
  invalidates sender signature)
- BroadcastChannel: encrypt returns Result instead of panicking
- transcript: rename verify_transcript_chain → validate_transcript_structure
- group.rs: extract shared process_incoming() for receive_message variants
- auth_ops: remove spurious RegistrationRequest deserialization
- MeshStore.seen: bounded to 100K with FIFO eviction

Quality fixes:
- FFI error classification: typed downcast instead of string matching
- Plugin HookVTable: SAFETY documentation for unsafe Send+Sync
- clippy::unwrap_used: warn → deny workspace-wide
- Various .unwrap_or("") → proper error returns

Review report: docs/REVIEW-2026-03-04.md
152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)

crates/quicproquo-server/src/config.rs

@@ -36,6 +36,8 @@ pub struct FileConfig {
     /// When true, audit logs hash identity key prefixes and omit payload sizes.
     #[serde(default)]
     pub redact_logs: Option<bool>,
+    /// WebSocket JSON-RPC bridge listen address (e.g. "0.0.0.0:9000").
+    pub ws_listen: Option<String>,
 }
 
 #[derive(Debug)]
@@ -60,6 +62,8 @@ pub struct EffectiveConfig {
     pub plugin_dir: Option<PathBuf>,
     /// When true, audit logs hash identity key prefixes and omit payload sizes.
     pub redact_logs: bool,
+    /// WebSocket JSON-RPC bridge listen address. If set, the bridge is started.
+    pub ws_listen: Option<String>,
 }
 
 #[derive(Debug, Default, Deserialize)]
@@ -225,6 +229,10 @@ pub fn merge_config(args: &crate::Args, file: &FileConfig) -> EffectiveConfig {
 
     let plugin_dir = args.plugin_dir.clone().or_else(|| file.plugin_dir.clone());
     let redact_logs = args.redact_logs || file.redact_logs.unwrap_or(false);
+    let ws_listen = args
+        .ws_listen
+        .clone()
+        .or_else(|| file.ws_listen.clone());
 
     EffectiveConfig {
         listen,
@@ -242,6 +250,7 @@ pub fn merge_config(args: &crate::Args, file: &FileConfig) -> EffectiveConfig {
         federation,
         plugin_dir,
         redact_logs,
+        ws_listen,
     }
 }