feat: add delivery sequence numbers + major server/client refactor

Delivery sequence numbers (MLS epoch ordering fix):
- schemas/node.capnp: add Envelope{seq,data} struct; enqueue returns seq:UInt64;
  fetch/fetchWait return List(Envelope) instead of List(Data)
- storage.rs: Store trait enqueue returns u64; fetch/fetch_limited return
  Vec<(u64, Vec<u8>)>; FileBackedStore gains QueueMapV3 with per-inbox seq
  counters and V2→V3 on-disk migration
- migrations/002_add_seq.sql: seq column, delivery_seq_counters table, index
- sql_store.rs: atomic UPSERT counter via RETURNING, ORDER BY seq, SCHEMA_VERSION→3
- node_service/delivery.rs: builds Envelope list; returns seq from enqueue
- client/rpc.rs: enqueue→u64, fetch_all/fetch_wait→Vec<(u64,Vec<u8>)>
- client/commands.rs: sort-by-seq before MLS processing; retry loop in cmd_recv
  and receive_pending_plaintexts for correct epoch ordering

Server refactor:
- Split monolithic main.rs into node_service/{mod,delivery,auth_ops,key_ops,p2p_ops}
- Add auth.rs (token validation, rate limiting), config.rs, metrics.rs, tls.rs
- Add SQL migrations runner (001_initial.sql, 002_add_seq.sql)
- OPAQUE PAKE login/registration, sealed-sender mode, queue depth limit (1000)

Client refactor:
- Split lib.rs into client/{commands,rpc,state,retry,hex,mod}
- Add cmd_whoami, cmd_health, cmd_check_key, cmd_ping subcommands
- Add cmd_register_user, cmd_login (OPAQUE), cmd_refresh_keypackage
- Hybrid PQ envelope (X25519 + ML-KEM-768) on all send/recv paths
- E2E test suite expanded

Other:
- quicnprotochat-gui: Tauri 2 desktop GUI skeleton (backend + HTML UI)
- quicnprotochat-p2p: iroh-based P2P transport stub
- quicnprotochat-core: app_message, hybrid_crypto modules; GroupMember API updates
- .github/workflows/size-lint.yml: binary size regression check
- docs: protocol comparison, roadmap updates, fully-operational checklist

crates/quicnprotochat-server/src/metrics.rs

@@ -0,0 +1,49 @@
+//! Prometheus metrics for the server.
+//!
+//! All counters/histograms/gauges use the `metrics` crate and are exported
+//! via metrics-exporter-prometheus on a configurable HTTP port (e.g. /metrics).
+
+/// Record one enqueue (success). Call after a message is enqueued.
+pub fn record_enqueue_total() {
+    metrics::counter!("enqueue_total").increment(1);
+}
+
+/// Record enqueued payload size in bytes.
+pub fn record_enqueue_bytes(bytes: u64) {
+    metrics::counter!("enqueue_bytes_total").increment(bytes);
+}
+
+/// Record one fetch (success). Call when fetch returns.
+pub fn record_fetch_total() {
+    metrics::counter!("fetch_total").increment(1);
+}
+
+/// Record one fetch_wait (success). Call when fetch_wait returns.
+pub fn record_fetch_wait_total() {
+    metrics::counter!("fetch_wait_total").increment(1);
+}
+
+/// Set the delivery queue depth gauge (sample). Updated at enqueue/fetch time.
+pub fn record_delivery_queue_depth(depth: usize) {
+    metrics::gauge!("delivery_queue_depth").set(depth as f64);
+}
+
+/// Record one KeyPackage upload (success).
+pub fn record_key_package_upload_total() {
+    metrics::counter!("key_package_upload_total").increment(1);
+}
+
+/// Record successful auth login (session token issued).
+pub fn record_auth_login_success_total() {
+    metrics::counter!("auth_login_success_total").increment(1);
+}
+
+/// Record failed auth login attempt.
+pub fn record_auth_login_failure_total() {
+    metrics::counter!("auth_login_failure_total").increment(1);
+}
+
+/// Record rate limit hit (enqueue rejected).
+pub fn record_rate_limit_hit_total() {
+    metrics::counter!("rate_limit_hit_total").increment(1);
+}