WIP: add OPAQUE password-authenticated key exchange

Add opaque-ke (v4, ristretto255) for password-based registration and
login. Extend NodeService schema with opaqueRegisterStart/Finish and
opaqueLoginStart/Finish RPCs. Add Store trait methods for OPAQUE server
setup and user records. Initial e2e integration test scaffolding.

Note: FileBackedStore does not yet implement the new Store trait
methods — server compilation is temporarily broken.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

crates/quicnprotochat-core/src/opaque_auth.rs

@@ -0,0 +1,22 @@
+//! Shared OPAQUE (RFC 9497) cipher suite configuration.
+//!
+//! Both client and server import this module to ensure they use exactly
+//! the same cryptographic parameters during registration and login.
+
+use opaque_ke::CipherSuite;
+
+/// OPAQUE cipher suite for quicnprotochat.
+///
+/// - **OPRF**: Ristretto255 (curve25519-based, ~128-bit security)
+/// - **Key exchange**: Triple-DH (3DH) over Ristretto255 with SHA-512
+/// - **KSF**: Identity (no key stretching; upgrade to Argon2 later)
+pub struct OpaqueSuite;
+
+impl CipherSuite for OpaqueSuite {
+    type OprfCs = opaque_ke::Ristretto255;
+    type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDh<
+        opaque_ke::Ristretto255,
+        sha2::Sha512,
+    >;
+    type Ksf = opaque_ke::ksf::Identity;
+}