feat: M6 Transport wrappers — fetch + WebSocket adapters

- ShadeFetchTransport: HTTP client for prekey server
  (register, fetchBundle, replenish, getKeyCount)
- ShadeWebSocket: wraps existing WebSocket with auto E2EE
  (binary wire format, transparent encrypt/decrypt)
- Full integration test: register → fetch → session → encrypt → decrypt
  over real HTTP against in-process Hono prekey server

101 tests, 0 failures across all milestones (M1-M7).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

packages/shade-transport/tests/transport.test.ts

@@ -0,0 +1,80 @@
+import { describe, test, expect } from 'bun:test';
+import { SubtleCryptoProvider, MemoryStorage } from '@shade/crypto-web';
+import { ShadeSessionManager } from '@shade/core';
+import { createPrekeyServer, MemoryPrekeyStore } from '@shade/server';
+import { ShadeFetchTransport } from '../src/fetch-transport.js';
+
+const crypto = new SubtleCryptoProvider();
+
+describe('ShadeFetchTransport', () => {
+  test('full flow: register → fetch bundle → establish session → talk', async () => {
+    // Start in-process prekey server
+    const store = new MemoryPrekeyStore();
+    const server = createPrekeyServer({ store });
+
+    // We'll use Hono's request() method directly instead of actual HTTP
+    // But ShadeFetchTransport uses fetch(), so let's start a real server
+    const port = 19000 + Math.floor(Math.random() * 1000);
+    const handle = Bun.serve({ port, fetch: server.fetch });
+
+    try {
+      const baseUrl = `http://localhost:${port}`;
+      const transport = new ShadeFetchTransport(baseUrl);
+
+      // ─── Bob: register with prekey server ────────────────
+      const bobStorage = new MemoryStorage();
+      const bobManager = new ShadeSessionManager(crypto, bobStorage);
+      await bobManager.initialize();
+
+      const bobOTPKs = await bobManager.generateOneTimePreKeys(5);
+      const bobBundle = await bobManager.createPreKeyBundle();
+
+      await transport.register(
+        'bob',
+        bobManager.getPublicIdentity(),
+        bobBundle.signedPreKey,
+        bobOTPKs,
+      );
+
+      // Verify count
+      const count = await transport.getKeyCount('bob');
+      expect(count).toBe(5);
+
+      // ─── Alice: fetch bundle and establish session ───────
+      const aliceStorage = new MemoryStorage();
+      const aliceManager = new ShadeSessionManager(crypto, aliceStorage);
+      await aliceManager.initialize();
+
+      const fetchedBundle = await transport.fetchBundle('bob');
+      expect(fetchedBundle.identityDHKey).toEqual(bobManager.getPublicIdentity().dhKey);
+      expect(fetchedBundle.signedPreKey.keyId).toBe(bobBundle.signedPreKey.keyId);
+
+      // One OTP key consumed
+      const countAfter = await transport.getKeyCount('bob');
+      expect(countAfter).toBe(4);
+
+      // Alice establishes session
+      await aliceManager.initSessionFromBundle('bob', fetchedBundle);
+
+      // ─── Alice → Bob encrypted message ───────────────────
+      const env1 = await aliceManager.encrypt('bob', 'Hello via transport!');
+      const plain1 = await bobManager.decrypt('alice', env1);
+      expect(plain1).toBe('Hello via transport!');
+
+      // ─── Bob → Alice reply ───────────────────────────────
+      const env2 = await bobManager.encrypt('alice', 'Got it!');
+      const plain2 = await aliceManager.decrypt('bob', env2);
+      expect(plain2).toBe('Got it!');
+
+      // ─── Replenish ───────────────────────────────────────
+      const remaining = await transport.replenish('bob', [
+        { keyId: 200, publicKey: crypto.randomBytes(32) },
+        { keyId: 201, publicKey: crypto.randomBytes(32) },
+      ]);
+      expect(remaining).toBe(6); // 4 remaining + 2 new
+
+    } finally {
+      handle.stop();
+    }
+  });
+});