feat: add delivery sequence numbers + major server/client refactor

Delivery sequence numbers (MLS epoch ordering fix):
- schemas/node.capnp: add Envelope{seq,data} struct; enqueue returns seq:UInt64;
  fetch/fetchWait return List(Envelope) instead of List(Data)
- storage.rs: Store trait enqueue returns u64; fetch/fetch_limited return
  Vec<(u64, Vec<u8>)>; FileBackedStore gains QueueMapV3 with per-inbox seq
  counters and V2→V3 on-disk migration
- migrations/002_add_seq.sql: seq column, delivery_seq_counters table, index
- sql_store.rs: atomic UPSERT counter via RETURNING, ORDER BY seq, SCHEMA_VERSION→3
- node_service/delivery.rs: builds Envelope list; returns seq from enqueue
- client/rpc.rs: enqueue→u64, fetch_all/fetch_wait→Vec<(u64,Vec<u8>)>
- client/commands.rs: sort-by-seq before MLS processing; retry loop in cmd_recv
  and receive_pending_plaintexts for correct epoch ordering

Server refactor:
- Split monolithic main.rs into node_service/{mod,delivery,auth_ops,key_ops,p2p_ops}
- Add auth.rs (token validation, rate limiting), config.rs, metrics.rs, tls.rs
- Add SQL migrations runner (001_initial.sql, 002_add_seq.sql)
- OPAQUE PAKE login/registration, sealed-sender mode, queue depth limit (1000)

Client refactor:
- Split lib.rs into client/{commands,rpc,state,retry,hex,mod}
- Add cmd_whoami, cmd_health, cmd_check_key, cmd_ping subcommands
- Add cmd_register_user, cmd_login (OPAQUE), cmd_refresh_keypackage
- Hybrid PQ envelope (X25519 + ML-KEM-768) on all send/recv paths
- E2E test suite expanded

Other:
- quicnprotochat-gui: Tauri 2 desktop GUI skeleton (backend + HTML UI)
- quicnprotochat-p2p: iroh-based P2P transport stub
- quicnprotochat-core: app_message, hybrid_crypto modules; GroupMember API updates
- .github/workflows/size-lint.yml: binary size regression check
- docs: protocol comparison, roadmap updates, fully-operational checklist

README.md

@@ -61,6 +61,9 @@ mdbook serve docs
 brew install capnp          # macOS
 # apt-get install capnproto # Debian/Ubuntu
 
+# GUI prerequisites (Linux only) — WebKitGTK + GTK3 for Tauri 2
+# sudo apt install -y libwebkit2gtk-4.1-dev libgtk-3-dev libglib2.0-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev patchelf
+
 # Build and test
 cargo build --workspace
 cargo test --workspace
@@ -81,9 +84,14 @@ db_key = ""
 EOF
 cargo run -p quicnprotochat-server -- --config quicnprotochat-server.toml
 
-# Run the Alice/Bob demo
+# Run the two-party demo
 cargo run -p quicnprotochat-client -- demo-group \
   --server 127.0.0.1:7000
+
+# Interactive 1:1 chat (after creating a group and inviting a peer)
+# Terminal 1: quicnprotochat chat --peer-key <other_identity_hex>
+# Terminal 2: quicnprotochat chat --peer-key <first_identity_hex>
+# Type messages and press Enter; incoming messages appear as [peer] <msg>. Ctrl+D to exit.
 ```
 
 See the [full demo walkthrough](docs/src/getting-started/demo-walkthrough.md) for a step-by-step guide.
@@ -97,10 +105,10 @@ See the [full demo walkthrough](docs/src/getting-started/demo-walkthrough.md) fo
 | M1 | QUIC/TLS transport | Done | QUIC + TLS 1.3 endpoint, length-prefixed framing, Ping/Pong |
 | M2 | Authentication Service | Done | Ed25519 identity, KeyPackage generation, AS upload/fetch |
 | M3 | Delivery Service + MLS groups | Done | DS relay, `GroupMember` create/join/add/send/recv |
-| M4 | Group CLI subcommands | Next | Persistent CLI (`create-group`, `invite`, `join`, `send`, `recv`) |
-| M5 | Multi-party groups | Planned | N > 2 members, Commit fan-out, Proposal handling |
-| M6 | Persistence | Planned | SQLite key store, durable group state |
-| M7 | Post-quantum | Planned | PQ hybrid for MLS/HPKE (X25519 + ML-KEM-768) |
+| M4 | Group CLI subcommands | Done | Persistent CLI (`create-group`, `invite`, `join`, `send`, `recv`), OPAQUE login |
+| M5 | Multi-party groups | Done | N > 2 members, Commit fan-out, send --all, epoch sync |
+| M6 | Persistence | Done | SQLite/SQLCipher, migrations, durable server + client state |
+| M7 | Post-quantum | Next | PQ hybrid for MLS/HPKE (X25519 + ML-KEM-768) |
 
 ---