DM channels (createChannel), channel authz, security/docs, future improvements

- Add createChannel RPC (node.capnp @18): create 1:1 channel, returns 16-byte channelId
- Store: create_channel(member_a, member_b), get_channel_members(channel_id)
- FileBackedStore: channels.bin; SqlStore: migration 003_channels, schema v4
- channel_ops: handle_create_channel (auth + identity, peerKey 32 bytes)
- Delivery authz: when channel_id.len() == 16, require caller and recipient are channel members (E022/E023)
- Error codes E022 CHANNEL_ACCESS_DENIED, E023 CHANNEL_NOT_FOUND
- SUMMARY: link Certificate lifecycle; security audit, future improvements, multi-agent plan docs
- Certificate lifecycle doc, SECURITY-AUDIT, FUTURE-IMPROVEMENTS, MULTI-AGENT-WORK-PLAN
- Client/core/tls/auth/server main: assorted fixes and updates from review and audit

Co-authored-by: Cursor <cursoragent@cursor.com>

docker/docker-compose.chat-test.yml

@@ -0,0 +1,79 @@
+# Docker Compose for interactive chat testing.
+# Usage: ./scripts/chat-test.sh  (wraps this file with tmux orchestration)
+
+networks:
+  chatnet:
+    driver: bridge
+
+volumes:
+  server-data:
+
+services:
+  server:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile.chat-test
+    command: >-
+      quicnprotochat-server
+        --listen 0.0.0.0:7000
+        --data-dir /data
+        --tls-cert /data/server-cert.der
+        --tls-key /data/server-key.der
+        --auth-token devtoken
+        --allow-insecure-auth
+    environment:
+      RUST_LOG: info
+    volumes:
+      - server-data:/data
+    networks:
+      - chatnet
+    healthcheck:
+      test: ["CMD", "bash", "-c", "echo '' > /dev/tcp/localhost/7000"]
+      interval: 3s
+      timeout: 2s
+      retries: 20
+      start_period: 5s
+
+  alice:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile.chat-test
+    stdin_open: true
+    tty: true
+    entrypoint: ["sleep", "infinity"]
+    environment:
+      RUST_LOG: warn
+      QUICNPROTOCHAT_ACCESS_TOKEN: devtoken
+      QUICNPROTOCHAT_CA_CERT: /data/server-cert.der
+      QUICNPROTOCHAT_SERVER_NAME: localhost
+      QUICNPROTOCHAT_SERVER: "server:7000"
+    volumes:
+      - server-data:/data:ro
+    working_dir: /chat
+    networks:
+      - chatnet
+    depends_on:
+      server:
+        condition: service_healthy
+
+  bob:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile.chat-test
+    stdin_open: true
+    tty: true
+    entrypoint: ["sleep", "infinity"]
+    environment:
+      RUST_LOG: warn
+      QUICNPROTOCHAT_ACCESS_TOKEN: devtoken
+      QUICNPROTOCHAT_CA_CERT: /data/server-cert.der
+      QUICNPROTOCHAT_SERVER_NAME: localhost
+      QUICNPROTOCHAT_SERVER: "server:7000"
+    volumes:
+      - server-data:/data:ro
+    working_dir: /chat
+    networks:
+      - chatnet
+    depends_on:
+      server:
+        condition: service_healthy