v0.2.0: Security Audit + Encrypt-Then-Sign

Highlights

• Encrypt-then-sign (H-07): Messages are now encrypted before signing, enabling pre-authentication — receivers can verify sender identity without decrypting, preventing decryption-oracle attacks
• WebSocket migration (M-40): Migrated from nhooyr.io/websocket to github.com/coder/websocket
• Comprehensive security audit (R2-R6): Fixed 30+ findings including mandatory signature verification, DTLS fingerprint pinning, trust/reputation hardening, dead code removal

Breaking Changes

• Encrypted message format changed (encrypt-then-sign). All communicating agents must upgrade simultaneously.

Changes

• fix: mandatory signature verification and full-envelope signing (C-01, C-02)
• fix: Phase R2 security hardening (H-08, H-09, H-10, H-12)
• fix: Phase R3 security hardening (M-13)
• fix: Phase R4 security hardening across agent module
• fix: Phase R5 security hardening across agent module
• fix: Phase R6 security hardening — trust, reputation, DHT
• fix: DTLS fingerprint pinning and inbox channel race fix
• fix(security): H-07 encrypt-then-sign for pre-authentication
• fix(deps): M-40 migrate nhooyr.io/websocket to coder/websocket
• chore: remove dead code (DHT, transport selector, sandbox)
• chore(deps): bump peerclaw-core to v0.4.0