feat(hardening): M-Hard 1-5 — crypto, auth, rate limit, fingerprints, rotation

M-Hard 1: Cryptographic Hardening
- constantTimeEqual, zeroize, randomUint32 on CryptoProvider
- Fix Math.random() → crypto.randomUint32() for registrationId
- Zero message keys and chain keys after use in ratchet.ts
- Constant-time trust comparison in MemoryStorage + SQLiteStorage
- Timing variance test catches early-exit regressions

M-Hard 2: Self-Authenticated Prekey Server
- Ed25519 signature verification on all write routes
- signPayload/verifyPayload with canonical JSON, ±5 min replay window
- Address validation (NFKC, alphanumeric + :_-.)
- Global ShadeError → HTTP status mapping
- ShadeFetchTransport signs requests when signingPrivateKey provided
- Anonymous bundle fetches still allowed (read-only)

M-Hard 3: Rate Limiting + DoS Protection
- Token bucket rate limiter with pluggable store
- Per-route limits: register 5/h/IP, fetch 60/min/IP, replenish 10/min/id
- 64KB body size limit on POST
- Retry-After header on 429 responses

M-Hard 4: Auto-replenish + Fingerprints + Session Reset
- Safety numbers (12 groups × 5 digits, Signal-style)
- ensurePreKeyStock, resetSession, acceptIdentityChange
- verifyRemoteIdentity for out-of-band comparison

M-Hard 5: Identity Rotation with Grace Period
- rotateIdentity archives old identity, generates fresh signed prekey
- RetiredIdentity storage with addRetired/getRetired/pruneRetired
- 7-day default grace period for decrypting old sessions
- pruneExpiredIdentities for cleanup

M-Hard 8: Error Hierarchy
- New error types: Network, Storage, Validation, Timeout, RateLimit,
  Configuration, Unauthorized, Replay, IdentityRotation
- All errors have stable SHADE_* codes
- errorToHttpStatus for consistent HTTP mapping
- toJSON() for network serialization

188 tests passing, zero failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

packages/shade-crypto-web/src/memory-storage.ts

@@ -1,4 +1,5 @@
-import type { StorageProvider, IdentityKeyPair, SignedPreKey, OneTimePreKey, SessionState } from '@shade/core';
+import type { StorageProvider, IdentityKeyPair, SignedPreKey, OneTimePreKey, SessionState, RetiredIdentity } from '@shade/core';
+import { constantTimeEqual } from '@shade/core';
 
 /**
  * In-memory StorageProvider for testing and embedded use.
@@ -11,6 +12,7 @@ export class MemoryStorage implements StorageProvider {
   private oneTimePreKeys = new Map<number, OneTimePreKey>();
   private sessions = new Map<string, SessionState>();
   private trustedIdentities = new Map<string, Uint8Array>();
+  private retiredIdentities: RetiredIdentity[] = [];
 
   // ─── Identity ──────────────────────────────────────────────
 
@@ -81,18 +83,24 @@ export class MemoryStorage implements StorageProvider {
   async isTrustedIdentity(address: string, identityKey: Uint8Array): Promise<boolean> {
     const stored = this.trustedIdentities.get(address);
     if (!stored) return true; // TOFU: trust on first use
-    return arraysEqual(stored, identityKey);
+    return constantTimeEqual(stored, identityKey);
   }
 
   async saveTrustedIdentity(address: string, identityKey: Uint8Array): Promise<void> {
     this.trustedIdentities.set(address, identityKey);
   }
-}
 
-function arraysEqual(a: Uint8Array, b: Uint8Array): boolean {
-  if (a.length !== b.length) return false;
-  for (let i = 0; i < a.length; i++) {
-    if (a[i] !== b[i]) return false;
+  // ─── Identity History ─────────────────────────────────────
+
+  async addRetiredIdentity(identity: RetiredIdentity): Promise<void> {
+    this.retiredIdentities.push(identity);
+  }
+
+  async getRetiredIdentities(): Promise<RetiredIdentity[]> {
+    return [...this.retiredIdentities];
+  }
+
+  async pruneRetiredIdentities(olderThan: number): Promise<void> {
+    this.retiredIdentities = this.retiredIdentities.filter((r) => r.retiredAt >= olderThan);
   }
-  return true;
 }