feat: Sprint 10+11 — privacy hardening and multi-device support
Privacy Hardening (Sprint 10):
- Server --redact-logs flag: SHA-256 hashed identity prefixes in audit logs, payload_len omitted when enabled
- Client /privacy command suite: redact-keys on|off, auto-clear with duration parsing, padding on|off for traffic analysis resistance
- Forward secrecy: /verify-fs checks MLS epoch advancement, /rotate-all-keys rotates MLS leaf + hybrid KEM keypair
- Dummy message type (0x09): constant-rate traffic padding every 30s, silently discarded by recipients, serialize_dummy() + parse support
- delete_messages_before() for auto-clear in ConversationStore

Multi-Device Support (Sprint 11):
- Device registry: registerDevice @24, listDevices @25, revokeDevice @26 RPCs with Device struct (deviceId, deviceName, registeredAt)
- Server storage: devices table (migration 008), max 5 per identity, E029_DEVICE_LIMIT and E030_DEVICE_NOT_FOUND error codes
- Device cleanup integrated into deleteAccount transaction
- Client REPL: /devices, /register-device <name>, /revoke-device <id>

72 core + 35 server tests pass.
8
crates/quicproquo-server/migrations/008_devices.sql
Normal file
@@ -0,0 +1,8 @@
CREATE TABLE IF NOT EXISTS devices (
identity_key BLOB NOT NULL,
device_id BLOB NOT NULL,
device_name TEXT NOT NULL DEFAULT '',
registered_at INTEGER NOT NULL DEFAULT (strftime('%s','now')),
PRIMARY KEY (identity_key, device_id)
);
CREATE INDEX IF NOT EXISTS idx_devices_identity ON devices(identity_key);
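Review bot: The `CREATE INDEX IF NOT EXISTS idx_devices_identity ON devices(identity_key)` at the end of the migration duplicates what `PRIMARY KEY (identity_key, device_id)` already provides. identity_key is the leading column of the primary key, so lookups by identity are already served by the key's own index, and the extra index only adds write and storage cost; suggest dropping it. Separately, nothing in this table bounds the number of rows per identity_key or the length of device_name, so the max-5-per-identity limit named in the commit message has to be enforced in server code. The count check and the INSERT should run in the same transaction so that two concurrent registerDevice calls cannot both pass the check, and a CHECK on length(device_name) would keep a client from storing arbitrarily long names.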