feat: Sprint 10+11 — privacy hardening and multi-device support

Privacy Hardening (Sprint 10):
- Server --redact-logs flag: SHA-256 hashed identity prefixes in audit
  logs, payload_len omitted when enabled
- Client /privacy command suite: redact-keys on|off, auto-clear with
  duration parsing, padding on|off for traffic analysis resistance
- Forward secrecy: /verify-fs checks MLS epoch advancement,
  /rotate-all-keys rotates MLS leaf + hybrid KEM keypair
- Dummy message type (0x09): constant-rate traffic padding every 30s,
  silently discarded by recipients, serialize_dummy() + parse support
- delete_messages_before() for auto-clear in ConversationStore

Multi-Device Support (Sprint 11):
- Device registry: registerDevice @24, listDevices @25, revokeDevice @26
  RPCs with Device struct (deviceId, deviceName, registeredAt)
- Server storage: devices table (migration 008), max 5 per identity,
  E029_DEVICE_LIMIT and E030_DEVICE_NOT_FOUND error codes
- Device cleanup integrated into deleteAccount transaction
- Client REPL: /devices, /register-device <name>, /revoke-device <id>

72 core + 35 server tests pass.

crates/quicproquo-server/src/error_codes.rs

@@ -31,6 +31,8 @@ pub const E025_BLOB_HASH_LENGTH: &str = "E025";
 pub const E026_BLOB_HASH_MISMATCH: &str = "E026";
 pub const E027_BLOB_NOT_FOUND: &str = "E027";
 pub const E028_ACCOUNT_DELETION_FAILED: &str = "E028";
+pub const E029_DEVICE_LIMIT: &str = "E029";
+pub const E030_DEVICE_NOT_FOUND: &str = "E030";
 
 /// Build a `capnp::Error::failed()` with the structured code prefix.
 pub fn coded_error(code: &str, msg: impl std::fmt::Display) -> capnp::Error {