release(v4.0.0): Shade GA — V3.x consolidation + audit prep

V3.1 → V3.12 consolidated and tagged for the first GA release. Wire
format unchanged from 0.4.x — 4.0 peers interoperate with 0.4.x peers
byte-for-byte. The version bump is semantic: audit-cycle complete,
opt-in surface fully exposed, threat model refreshed for every new
surface.

Highlights:
- All 24 @shade/* packages bumped to 4.0.0 in lockstep.
- CHANGELOG 4.0.0 section is the canonical manifest of what landed.
- THREAT-MODEL extended (§10 fingerprint gates, §11 WebRTC P2P, §12
  Web-Worker boundary) + residual-risks table refreshed.
- OpenAPI now covers all 27 routes: prekey, transfer, KT, inbox,
  bridge, observer, /metrics, /healthz, /ready.
- MIGRATION 0.3.x → 4.0 documented + smoke-tested against
  shade migrate-storage on a real SQLite DB.
- docs/audit/REVIEW-BUNDLE.md + SCOPE.md ready for external reviewer.
- scripts/soak.ts harness for the GA-stable 2-week soak window.
- All V*.md plans archived under docs/archive/ with Status: Done.
- Voice/Video carved out into V5.0; 4.0 audit focuses on the frozen
  non-realtime stack.

Tests: TS 1000/1000 + Kotlin 11/11 cross-platform vectors green.
Docker: gt.zyon.no/stian/shade-prekey:4.0.0 builds and reports
  version 4.0.0 on /health.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

packages/shade-widgets/tests/recovery.test.ts

@@ -0,0 +1,81 @@
+import { describe, test, expect } from 'bun:test';
+import { formatRecoveryCard } from '../src/components/recovery/RecoverySetup.js';
+import { createApprovalQueue } from '../src/components/recovery/RecoveryApprove.js';
+
+describe('formatRecoveryCard', () => {
+  test('renders all fields the user must keep', () => {
+    const text = formatRecoveryCard(
+      'alice@example',
+      {
+        setupId: 'sid-123',
+        threshold: 3,
+        guardianCount: 5,
+        deliveries: [],
+        allDelivered: true,
+        setupFingerprint: '11111 22222 33333 44444 55555 66666 77777 88888 99999 00000 11111 22222',
+      },
+      ['bob@example', 'carol@example', 'dan@example', 'eve@example', 'faythe@example'],
+    );
+    expect(text).toContain('alice@example');
+    expect(text).toContain('Threshold: 3 of 5');
+    expect(text).toContain('SetupId: sid-123');
+    expect(text).toContain('Setup fingerprint:');
+    expect(text).toContain('bob@example');
+    expect(text).toContain('faythe@example');
+  });
+});
+
+describe('createApprovalQueue', () => {
+  test('queues approve calls and resolves on user decision', async () => {
+    const q = createApprovalQueue();
+    const approvePromise = q.approve({
+      requesterAddress: 'alice2',
+      originalAddress: 'alice',
+      setupId: 'sid-1',
+      requesterFingerprint: 'aaa',
+      setupFingerprint: 'bbb',
+      depositCreatedAt: 0,
+      requestReceivedAt: 1,
+    });
+    const pending = q.pending();
+    expect(pending.length).toBe(1);
+    q.resolve(pending[0]!.id, true);
+    const decision = await approvePromise;
+    expect(decision).toBe(true);
+    expect(q.pending().length).toBe(0);
+  });
+
+  test('decline path resolves false', async () => {
+    const q = createApprovalQueue();
+    const p = q.approve({
+      requesterAddress: 'eve',
+      originalAddress: 'alice',
+      setupId: 'sid-1',
+      requesterFingerprint: 'aaa',
+      setupFingerprint: 'bbb',
+      depositCreatedAt: 0,
+      requestReceivedAt: 1,
+    });
+    q.resolve(q.pending()[0]!.id, false);
+    expect(await p).toBe(false);
+  });
+
+  test('subscribe fires on new pending + resolve', async () => {
+    const q = createApprovalQueue();
+    const events: string[] = [];
+    const unsub = q.subscribe(() => events.push('change'));
+    q.approve({
+      requesterAddress: 'a',
+      originalAddress: 'b',
+      setupId: 's',
+      requesterFingerprint: 'x',
+      setupFingerprint: 'y',
+      depositCreatedAt: 0,
+      requestReceivedAt: 1,
+    }).catch(() => {});
+    expect(events.length).toBe(1);
+    q.resolve(q.pending()[0]!.id, false);
+    expect(events.length).toBe(2);
+    unsub();
+  });
+});