feat: Phase 9 — developer experience, extensibility, and community growth

New crates:
- quicproquo-bot: Bot SDK with polling API + JSON pipe mode
- quicproquo-kt: Key Transparency Merkle log (RFC 9162 subset)
- quicproquo-plugin-api: no_std C-compatible plugin vtable API
- quicproquo-gen: scaffolding tool (qpq-gen plugin/bot/rpc/hook)

Server features:
- ServerHooks trait wired into all RPC handlers (enqueue, fetch, auth,
  channel, registration) with plugin rejection support
- Dynamic plugin loader (libloading) with --plugin-dir config
- Delivery proof canary tokens (Ed25519 server signatures on enqueue)
- Key Transparency Merkle log with inclusion proofs on resolveUser

Core library:
- Safety numbers (60-digit HMAC-SHA256 key verification codes)
- Verifiable transcript archive (CBOR + ChaCha20-Poly1305 + hash chain)
- Delivery proof verification utility
- Criterion benchmarks (hybrid KEM, MLS, identity, sealed sender, padding)

Client:
- /verify REPL command for out-of-band key verification
- Full-screen TUI via Ratatui (feature-gated --features tui)
- qpq export / qpq export-verify CLI subcommands
- KT inclusion proof verification on user resolution

Also: ROADMAP Phase 9 added, bot SDK docs, server hooks docs,
crate-responsibilities updated, example plugins (rate_limit, logging).

schemas/node.capnp

@@ -17,11 +17,13 @@ interface NodeService {
   fetchKeyPackage  @1 (identityKey :Data, auth :Auth) -> (package :Data);
 
   # Enqueue an opaque payload for delivery to a recipient.
-  # channelId : Optional channel identifier (empty for default). A 16-byte UUID
-  #             is recommended for 1:1 channels.
-  # version   : Schema/wire version. Must be 1.
-  # Returns the monotonically increasing per-inbox sequence number assigned to this message.
-  enqueue @2 (recipientKey :Data, payload :Data, channelId :Data, version :UInt16, auth :Auth) -> (seq :UInt64);
+  # channelId    : Optional channel identifier (empty for default). A 16-byte UUID
+  #               is recommended for 1:1 channels.
+  # version      : Schema/wire version. Must be 1.
+  # Returns the monotonically increasing per-inbox sequence number assigned to this message,
+  # plus a cryptographic delivery proof (96 bytes: 32-byte SHA-256 preimage || 64-byte Ed25519
+  # signature). Old clients that do not read deliveryProof are unaffected (Cap'n Proto optional).
+  enqueue @2 (recipientKey :Data, payload :Data, channelId :Data, version :UInt16, auth :Auth) -> (seq :UInt64, deliveryProof :Data);
 
   # Fetch and drain all queued payloads for the recipient.
   # limit: max number of messages to return (0 = fetch all).
@@ -89,7 +91,11 @@ interface NodeService {
 
   # Resolve a username to its Ed25519 identity key (32 bytes).
   # Returns empty Data if the username is not registered.
-  resolveUser @19 (username :Text, auth :Auth) -> (identityKey :Data);
+  # inclusionProof : bincode-serialised InclusionProof from quicproquo-kt, proving the
+  #   (username, identityKey) binding is in the server's append-only Merkle log.
+  #   Empty when the log entry is not yet available (e.g. legacy server or new registration
+  #   that has not been committed to the log). Clients should verify when non-empty.
+  resolveUser @19 (username :Text, auth :Auth) -> (identityKey :Data, inclusionProof :Data);
 
   # Reverse lookup: resolve an Ed25519 identity key to the registered username.
   # Returns empty Text if the identity key is not associated with any user.