release(v4.0.1): strict-TS publishability fixes

4.0.0 shipped TypeScript source as published main/types, but several
files only compiled inside the monorepo. Consumer projects (Dispatch,
etc.) running their own strict tsc against our published source hit:

- @shade/key-transparency: 4 noUnusedLocals violations
  (IndexAbsenceProof, IndexInclusionProof, IndexProofWire, nodeHash)
- @shade/sdk: KT verifier callbacks returned Promise<unknown> instead
  of Promise<STHWire> / Promise<{ proof: string[] }>
- @shade/sdk: thumbnail.ts globalThis cast collided with consumer's
  lib.dom-supplied createImageBitmap signature
- @shade/files: cycle with @shade/sdk produced "this is not assignable
  to type 'Shade'" because hoisted node_modules layouts duplicated the
  Shade class. Broken by replacing `import type { Shade }` with a
  local structural ShadeBridge interface.
- @shade/storage-encrypted: KeyUsage (lib.dom) used under
  lib: ["ES2022"]
- @shade/transport-bridge: ReadableStreamDefaultReader<any> ↔
  <Uint8Array> mismatch
- @shade/keychain / @shade/dashboard / @shade/storage-encrypted
  tsconfig rootDir / include hygiene

Tooling: scripts/typecheck-all.ts runs `bunx tsc --noEmit` against
every workspace package's tsconfig and fails on any error. Wired into
publish:dry / publish:all and publish-shade.sh as a hard gate so this
class of bug cannot recur.

All 24 packages bumped to 4.0.1 in lockstep.

Migration: <ShadeFilesProvider> now requires an explicit `files` prop
(pass `shade.files`). Wire format unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

scripts/typecheck-all.ts

@@ -0,0 +1,75 @@
+#!/usr/bin/env bun
+/**
+ * Pre-publish gate — type-check every workspace package against the
+ * monorepo's strict tsconfig.
+ *
+ * Required before any publish. The Bun test runner is intentionally
+ * permissive (it transpiles, doesn't type-check), so without this gate
+ * a package can pass `bun test` and still ship code that fails to
+ * compile in a downstream consumer's strict TS project.
+ *
+ *   Usage:
+ *     bun run scripts/typecheck-all.ts          # check every package
+ *     bun run scripts/typecheck-all.ts core sdk # check only listed
+ *
+ * Exit code 0 if every package compiles, 1 otherwise.
+ */
+import { readdirSync, statSync, existsSync } from 'fs';
+import { join } from 'path';
+import { $ } from 'bun';
+
+const ROOT = join(import.meta.dir, '..');
+const PACKAGES_DIR = join(ROOT, 'packages');
+
+const filter = new Set(process.argv.slice(2));
+
+const packages = readdirSync(PACKAGES_DIR).filter((name) => {
+  const p = join(PACKAGES_DIR, name);
+  if (!statSync(p).isDirectory()) return false;
+  if (!existsSync(join(p, 'tsconfig.json'))) return false;
+  if (filter.size > 0 && !filter.has(name) && !filter.has(name.replace(/^shade-/, ''))) {
+    return false;
+  }
+  return true;
+});
+
+let failures = 0;
+const failed: { pkg: string; out: string }[] = [];
+
+for (const pkg of packages) {
+  const dir = join(PACKAGES_DIR, pkg);
+  const proc = Bun.spawnSync(['bunx', 'tsc', '--noEmit', '-p', 'tsconfig.json'], {
+    cwd: dir,
+    stdout: 'pipe',
+    stderr: 'pipe',
+  });
+  const stdout = proc.stdout.toString();
+  const stderr = proc.stderr.toString();
+  const out = (stdout + stderr)
+    .split('\n')
+    .filter((l) => !/^Resolving|^Resolved|^Saved/.test(l))
+    .join('\n')
+    .trim();
+
+  if (proc.exitCode === 0 && out.length === 0) {
+    console.log(`  ✓ ${pkg}`);
+  } else {
+    failures++;
+    failed.push({ pkg, out });
+    console.log(`  ✗ ${pkg}`);
+  }
+}
+
+console.log();
+if (failures === 0) {
+  console.log(`All ${packages.length} packages type-check cleanly.`);
+  process.exit(0);
+}
+
+console.error(`${failures} of ${packages.length} packages failed:\n`);
+for (const f of failed) {
+  console.error(`── ${f.pkg} ──`);
+  console.error(f.out);
+  console.error();
+}
+process.exit(1);