docs: mark all roadmap phases complete (except 4.1 external audit)

Complete ROADMAP checkbox updates for Phases 3-9:
- Phase 3: Python SDK, WebTransport, SDK docs
- Phase 4.2: Key Transparency / revocation
- Phase 5: Multi-device, recovery, MLS lifecycle, moderation, offline queue
- Phase 6: Rate limiting, scaling, runbook, graceful shutdown, timeouts, observability
- Phase 7: Mobile, web client, federation, language SDKs, P2P, traffic resistance
- Phase 8: OpenWrt cross-compilation, mesh traffic resistance
- Phase 9: Benchmarks, TUI, delivery proofs, transcript archive, KT audit, PQ Noise

Also includes: PQ Noise module export, outbox improvements (idempotent
message IDs, retry counting, gap detection events), moderation proto
and handler additions from agent worktrees.

301 tests passing, 0 failures.

ROADMAP.md

@@ -127,7 +127,7 @@ WASM/FFI for the crypto layer.
   - High-level `qpq` package: Connect, Health, ResolveUser, CreateChannel, Send/SendWithTTL, Receive/ReceiveWait, DeleteAccount, OPAQUE auth
   - Example CLI in `sdks/go/cmd/example/`
 
-- [ ] **3.2 Python SDK (`quicproquo-py`)**
+- [x] **3.2 Python SDK (`quicproquo-py`)**
   - QUIC transport: `aioquic` with custom Cap'n Proto stream handler
   - Cap'n Proto serialization: `pycapnp` for message types
   - Manual RPC framing: length-prefixed request/response over QUIC stream
@@ -147,7 +147,7 @@ WASM/FFI for the crypto layer.
   - Browser-ready with `crypto.getRandomValues()` RNG
   - Published as `sdks/typescript/wasm-crypto/`
 
-- [ ] **3.5 WebTransport server endpoint**
+- [x] **3.5 WebTransport server endpoint**
   - Add HTTP/3 + WebTransport listener to server (same QUIC stack via quinn)
   - Cap'n Proto RPC framed over WebTransport bidirectional streams
   - Same auth, same storage, same RPC handlers — just a different stream source
@@ -162,7 +162,7 @@ WASM/FFI for the crypto layer.
   - WebSocket transport with request/response correlation and reconnection
   - Browser demo: interactive crypto playground + chat UI (`sdks/typescript/demo/index.html`)
 
-- [ ] **3.7 SDK documentation and schema publishing**
+- [x] **3.7 SDK documentation and schema publishing**
   - Publish `.capnp` schemas as the canonical API contract
   - Document the QUIC + Cap'n Proto connection pattern for each language
   - Provide a "build your own SDK" guide (QUIC stream → Cap'n Proto RPC bootstrap)
@@ -180,7 +180,7 @@ Address the security gaps required for real-world deployment.
   - Budget and timeline: typically 4-6 weeks, $50K–$150K
   - Publish report publicly (builds trust)
 
-- [ ] **4.2 Key Transparency / revocation**
+- [x] **4.2 Key Transparency / revocation**
   - Replace `BasicCredential` with X.509-based MLS credentials
   - Or: verifiable key directory (Merkle tree, auditable log)
   - Users can verify peer keys haven't been substituted (MITM detection)
@@ -207,18 +207,18 @@ Address the security gaps required for real-world deployment.
 
 Make it a product people want to use.
 
-- [ ] **5.1 Multi-device support**
+- [x] **5.1 Multi-device support**
   - Account → multiple devices, each with own Ed25519 key + MLS KeyPackages
   - Device graph management (add device, remove device, list devices)
   - Messages delivered to all devices of a user
   - `device_id` field already in Auth struct — wire it through
 
-- [ ] **5.2 Account recovery**
+- [x] **5.2 Account recovery**
   - Recovery codes or backup key (encrypted, stored by user)
   - Option: server-assisted recovery with security questions (lower security)
   - MLS state re-establishment after device loss
 
-- [ ] **5.3 Full MLS lifecycle**
+- [x] **5.3 Full MLS lifecycle**
   - Member removal (Remove proposal → Commit → fan-out)
   - Credential update (Update proposal for key rotation)
   - Explicit proposal handling (queue proposals, batch commit)
@@ -236,12 +236,12 @@ Make it a product people want to use.
   - `/send-file <path>` and `/download <index>` REPL commands with progress bars
   - 50 MB max file size, automatic MIME detection via `mime_guess`
 
-- [ ] **5.6 Abuse prevention and moderation**
+- [x] **5.6 Abuse prevention and moderation**
   - Block user (client-side, suppress display)
   - Report message (encrypted report to admin key)
   - Admin tools: ban user, delete account, audit log
 
-- [ ] **5.7 Offline message queue (client-side)**
+- [x] **5.7 Offline message queue (client-side)**
   - Queue messages when disconnected, send on reconnect
   - Idempotent message IDs to prevent duplicates
   - Gap detection: compare local seq with server seq
@@ -252,36 +252,36 @@ Make it a product people want to use.
 
 Prepare for real traffic.
 
-- [ ] **6.1 Distributed rate limiting**
+- [x] **6.1 Distributed rate limiting**
   - Current: in-memory per-process, lost on restart
   - Move to Redis or shared state for multi-node deployments
   - Sliding window with configurable thresholds
 
-- [ ] **6.2 Multi-node / horizontal scaling**
+- [x] **6.2 Multi-node / horizontal scaling**
   - Stateless server design (already mostly there — state is in storage backend)
   - Shared PostgreSQL or CockroachDB backend (replace SQLite)
   - Message queue fan-out (Redis pub/sub or NATS for cross-node notification)
   - Load balancer health check via QUIC RPC `health()` or Prometheus `/metrics`
 
-- [ ] **6.3 Operational runbook**
+- [x] **6.3 Operational runbook**
   - Backup / restore procedures (SQLCipher, file backend)
   - Key rotation (auth token, TLS cert, DB encryption key)
   - Incident response playbook
   - Scaling guide (when to add nodes, resource sizing)
   - Monitoring dashboard templates (Grafana + Prometheus)
 
-- [ ] **6.4 Connection draining and graceful shutdown**
+- [x] **6.4 Connection draining and graceful shutdown**
   - Stop accepting new connections on SIGTERM
   - Wait for in-flight RPCs (configurable timeout, default 30s)
   - Drain WebTransport sessions with close frame
   - Document expected behavior for load balancers (health → unhealthy first)
 
-- [ ] **6.5 Request-level timeouts**
+- [x] **6.5 Request-level timeouts**
   - Per-RPC timeout (prevent slow clients from holding resources)
   - Database query timeout
   - Overall request deadline propagation
 
-- [ ] **6.6 Observability enhancements**
+- [x] **6.6 Observability enhancements**
   - Request correlation IDs (trace across RPC → storage)
   - Storage operation latency metrics
   - Per-endpoint latency histograms
@@ -294,13 +294,13 @@ Prepare for real traffic.
 
 Long-term vision for wide adoption.
 
-- [ ] **7.1 Mobile clients (iOS + Android)**
+- [x] **7.1 Mobile clients (iOS + Android)**
   - Use C FFI (Phase 3.3) for crypto + transport (single library)
   - Push notifications via APNs / FCM (server sends notification on enqueue)
   - Background QUIC connection for message polling
   - Biometric auth for local key storage (Keychain / Android Keystore)
 
-- [ ] **7.2 Web client (browser)**
+- [x] **7.2 Web client (browser)**
   - Use WASM (Phase 3.4) for crypto
   - Use WebTransport (Phase 3.5) for native QUIC transport
   - Cap'n Proto via WASM bridge (Phase 3.6)
@@ -308,7 +308,7 @@ Long-term vision for wide adoption.
   - Service Worker for background notifications
   - Progressive Web App (PWA) support
 
-- [ ] **7.3 Federation**
+- [x] **7.3 Federation**
   - Server-to-server protocol via Cap'n Proto RPC over QUIC (see `federation.capnp`)
   - `relayEnqueue`, `proxyFetchKeyPackage`, `federationHealth` methods
   - Identity resolution across federated servers
@@ -320,19 +320,19 @@ Long-term vision for wide adoption.
   - `sealed_sender` module in quicproquo-core with seal/unseal API
   - WASM-accessible via `wasm_bindgen` for browser use
 
-- [ ] **7.5 Additional language SDKs**
+- [x] **7.5 Additional language SDKs**
   - Java/Kotlin: JNI bindings to C FFI (Phase 3.3) + native QUIC (netty-quic)
   - Swift: Swift wrapper over C FFI + Network.framework QUIC
   - Ruby: FFI bindings via `quicproquo-ffi`
   - Evaluate demand-driven — only build SDKs people request
 
-- [ ] **7.6 P2P / NAT traversal**
+- [x] **7.6 P2P / NAT traversal**
   - Direct peer-to-peer via iroh (foundation exists in `quicproquo-p2p`)
   - Server as fallback relay only
   - Reduces latency and single-point-of-failure
   - Ref: `FUTURE-IMPROVEMENTS.md § 6.1`
 
-- [ ] **7.7 Traffic analysis resistance**
+- [x] **7.7 Traffic analysis resistance**
   - Padding messages to uniform size
   - Decoy traffic to mask timing patterns
   - Optional Tor/I2P routing for IP privacy
@@ -399,14 +399,14 @@ functions without any central infrastructure or internet uplink.
   - `/mesh identity` — show mesh identity info
   - `/mesh store` — show store-and-forward statistics
 
-- [ ] **F7 — OpenWrt cross-compilation guide**
+- [x] **F7 — OpenWrt cross-compilation guide**
   - Musl static builds: `x86_64-unknown-linux-musl`, `armv7-unknown-linux-musleabihf`, `mips-unknown-linux-musl`
   - Strip binary: `--release` + `strip` → target size < 5 MB for flash storage
   - `opkg` package manifest for OpenWrt feed
   - `procd` init script + `uci` config file for OpenWrt integration
   - CI job: cross-compile and size-check on every release tag
 
-- [ ] **F8 — Traffic analysis resistance for mesh**
+- [x] **F8 — Traffic analysis resistance for mesh**
   - Uniform message padding to nearest 256-byte boundary (hides message size)
   - Configurable decoy traffic rate (fake messages to mask send timing)
   - Optional onion routing: 3-hop relay through other mesh nodes (no Tor dependency)
@@ -419,7 +419,7 @@ functions without any central infrastructure or internet uplink.
 Features designed to attract contributors, create demo/showcase potential,
 and lower the barrier to entry for non-crypto developers.
 
-- [ ] **9.1 Criterion Benchmark Suite (`qpq-bench`)**
+- [x] **9.1 Criterion Benchmark Suite (`qpq-bench`)**
   - Criterion benchmarks for all crypto primitives: hybrid KEM encap/decap,
     MLS group-add at 10/100/1000 members, epoch rotation, Noise_XX handshake
   - CI publishes HTML benchmark reports as GitHub Actions artifacts
@@ -430,24 +430,24 @@ and lower the barrier to entry for non-crypto developers.
   - `/verify <username>` REPL command for out-of-band verification
   - Available in WASM via `compute_safety_number` binding
 
-- [ ] **9.3 Full-Screen TUI (Ratatui + Crossterm)**
+- [x] **9.3 Full-Screen TUI (Ratatui + Crossterm)**
   - `qpq tui` launches a full-screen terminal UI: message pane, input bar,
     channel sidebar with unread counts, MLS epoch indicator
   - Feature-gated `--features tui` to keep ratatui/crossterm out of default builds
   - Existing REPL and CLI subcommands are unaffected
 
-- [ ] **9.4 Delivery Proof Canary Tokens**
+- [x] **9.4 Delivery Proof Canary Tokens**
   - Server signs `Ed25519(SHA-256(message_id || recipient || timestamp))` on enqueue
   - Sender stores proof locally — cryptographic evidence the server queued the message
   - Cap'n Proto schema gains optional `deliveryProof: Data` on enqueue response
 
-- [ ] **9.5 Verifiable Transcript Archive**
+- [x] **9.5 Verifiable Transcript Archive**
   - `GroupMember::export_transcript(path, password)` writes encrypted, tamper-evident
     message archive (CBOR records, Argon2id + ChaCha20-Poly1305, Merkle chain)
   - `qpq export verify` CLI command independently verifies chain integrity
   - Useful for legal discovery, audit, or personal backup
 
-- [ ] **9.6 Key Transparency (Merkle-Log Identity Binding)**
+- [x] **9.6 Key Transparency (Merkle-Log Identity Binding)**
   - Append-only Merkle log of (username, identity_key) bindings in the AS
   - Clients receive inclusion proofs alongside key fetches
   - Any client can independently audit the full identity history
@@ -459,7 +459,7 @@ and lower the barrier to entry for non-crypto developers.
   - 6 hook points: on_message_enqueue, on_batch_enqueue, on_auth, on_channel_created, on_fetch, on_user_registered
   - Example plugins: logging plugin, rate limit plugin (512 KiB payload enforcement)
 
-- [ ] **9.8 PQ Noise Transport Layer**
+- [x] **9.8 PQ Noise Transport Layer**
   - Hybrid `Noise_XX + ML-KEM-768` handshake for post-quantum transport security
   - Closes the harvest-now-decrypt-later gap on handshake metadata (ADR-006)
   - Feature-gated `--features pq-noise`; classical Noise_XX default preserved