DM channels (createChannel), channel authz, security/docs, future improvements

- Add createChannel RPC (node.capnp @18): create 1:1 channel, returns 16-byte channelId
- Store: create_channel(member_a, member_b), get_channel_members(channel_id)
- FileBackedStore: channels.bin; SqlStore: migration 003_channels, schema v4
- channel_ops: handle_create_channel (auth + identity, peerKey 32 bytes)
- Delivery authz: when channel_id.len() == 16, require caller and recipient are channel members (E022/E023)
- Error codes E022 CHANNEL_ACCESS_DENIED, E023 CHANNEL_NOT_FOUND
- SUMMARY: link Certificate lifecycle; security audit, future improvements, multi-agent plan docs
- Certificate lifecycle doc, SECURITY-AUDIT, FUTURE-IMPROVEMENTS, MULTI-AGENT-WORK-PLAN
- Client/core/tls/auth/server main: assorted fixes and updates from review and audit

Co-authored-by: Cursor <cursoragent@cursor.com>

docker/Dockerfile.chat-test

@@ -0,0 +1,71 @@
+# ── Stage 1: Builder ──────────────────────────────────────────────────────────
+#
+# Uses the official Rust image on Debian Bookworm.
+# capnproto is installed here because build.rs invokes `capnp` at compile time.
+FROM rust:bookworm AS builder
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends capnproto \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /build
+
+# Copy manifests first so dependency layers are cached independently of source.
+COPY Cargo.toml Cargo.lock ./
+COPY crates/quicnprotochat-core/Cargo.toml   crates/quicnprotochat-core/Cargo.toml
+COPY crates/quicnprotochat-proto/Cargo.toml  crates/quicnprotochat-proto/Cargo.toml
+COPY crates/quicnprotochat-server/Cargo.toml crates/quicnprotochat-server/Cargo.toml
+COPY crates/quicnprotochat-client/Cargo.toml crates/quicnprotochat-client/Cargo.toml
+COPY crates/quicnprotochat-p2p/Cargo.toml    crates/quicnprotochat-p2p/Cargo.toml
+
+# Create dummy source files so `cargo build` can resolve the dependency graph
+# and cache the compiled dependencies before copying real source.
+RUN mkdir -p \
+        crates/quicnprotochat-core/src \
+        crates/quicnprotochat-proto/src \
+        crates/quicnprotochat-server/src \
+        crates/quicnprotochat-client/src \
+        crates/quicnprotochat-p2p/src \
+    && echo 'fn main() {}' > crates/quicnprotochat-server/src/main.rs \
+    && echo 'fn main() {}' > crates/quicnprotochat-client/src/main.rs \
+    && touch crates/quicnprotochat-core/src/lib.rs \
+    && touch crates/quicnprotochat-proto/src/lib.rs \
+    && touch crates/quicnprotochat-p2p/src/lib.rs
+
+# Schemas must exist before the proto crate's build.rs runs.
+COPY schemas/ schemas/
+
+# Build dependencies only (source stubs mean this layer is cache-friendly).
+# The GUI crate is not included, so workspace resolution may fail — || true handles it.
+RUN cargo build --release --bin quicnprotochat-server --bin quicnprotochat 2>/dev/null || true
+
+# Copy real source and build for real.
+COPY crates/ crates/
+
+# Touch source to force re-compilation after copying real crates.
+RUN touch \
+        crates/quicnprotochat-core/src/lib.rs \
+        crates/quicnprotochat-proto/src/lib.rs \
+        crates/quicnprotochat-p2p/src/lib.rs \
+        crates/quicnprotochat-server/src/main.rs \
+        crates/quicnprotochat-client/src/main.rs
+
+RUN cargo build --release --bin quicnprotochat-server --bin quicnprotochat
+
+# ── Stage 2: Runtime ──────────────────────────────────────────────────────────
+#
+# Minimal Debian Bookworm image with both server and client binaries.
+FROM debian:bookworm-slim AS runtime
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /build/target/release/quicnprotochat-server /usr/local/bin/quicnprotochat-server
+COPY --from=builder /build/target/release/quicnprotochat        /usr/local/bin/quicnprotochat
+
+RUN mkdir -p /chat
+
+EXPOSE 7000
+
+ENV RUST_LOG=info