feat: F5 JPEG steganography support (#235)

## Summary

Adds JPEG steganography support using the F5 algorithm, enabling users
to hide and extract secret data in JPEG images alongside the existing
PNG and WAV support.

- JPEG hide/unveil works transparently via file extension detection
- Password serves dual purpose: encryption (ChaCha20-Poly1305) AND F5
permutation seed
- No public API changes — same builder pattern as PNG/WAV

## What is F5?

F5 is a steganographic algorithm designed specifically for JPEG images.
Unlike naive LSB embedding in spatial domain:

- **Frequency domain embedding**: Data is hidden in quantized DCT
coefficients, surviving JPEG's lossy compression
- **Matrix encoding**: Minimizes embedding changes using (1, n, k) codes
— on average only 1 coefficient change per k bits embedded
- **Permutation-based shuffling**: When a password is provided,
coefficients are accessed in a pseudorandom order derived from the
password, making extraction without the password computationally
infeasible

This makes F5 more statistically secure than naive approaches — changes
to the coefficient histogram are minimal and spread across the image.

## Usage Examples

### CLI

```bash
# Hide a message in a JPEG (without password)
stegano hide --in photo.jpg --out secret.jpg --message "Hello World"

# Hide with password (encrypted + shuffled)
stegano hide --in photo.jpg --out secret.jpg --message "Secret!" --password "MyPass123"

# Unveil
stegano unveil --in secret.jpg --out ./output/ --password "MyPass123"
cat ./output/secret-message.txt
```

### Rust API

```rust
use stegano_core::api::{hide, unveil};

// Hide with password
hide::prepare()
    .with_message("Secret message")
    .with_image("photo.jpg")
    .using_password("MyPassword")
    .with_output("stego.jpg")
    .execute()?;

// Unveil
unveil::prepare()
    .from_secret_file("stego.jpg")
    .using_password("MyPassword")
    .into_output_folder("./output/")
    .execute()?;
```

### Cross-format (PNG → JPEG)

```rust
hide::prepare()
    .with_message("From PNG to JPEG")
    .with_image("source.png")       // PNG input
    .with_output("output.jpg")      // JPEG output
    .execute()?;
```

## Security Model

| Mode | Encryption | Coefficient Access | Security |
|------|------------|-------------------|----------|
| No password | None | Sequential | Low — extraction is straightforward
|
| With password | ChaCha20-Poly1305 | Permuted (password-seeded) | High
— attacker needs password for both extraction order and decryption |

## Test Plan

- [x] Unit tests for JPEG hide/unveil with and without password
- [x] Wrong password fails extraction
- [x] Binary file roundtrip test
- [x] PNG→JPEG cross-format test
- [x] All existing PNG/WAV tests still pass (60 tests)
- [x] CLI smoke tests pass

---------

Signed-off-by: Sven Kanoldt <sven@d34dl0ck.me>

Author: sassman

.cargo/config.toml

@@ -5,3 +5,4 @@ lint = "clippy --all-targets"
 benchmarks = "bench --features benchmarks --locked"
 ntest = "nextest run --locked"
 coverage = "llvm-cov --workspace --codecov --output-path codecov.json"
+t = "nextest run --locked"

.github/workflows/build.yml

@@ -11,40 +11,138 @@ on:
         required: true
 
 jobs:
-  build:
-    uses: steganogram/.github/.github/workflows/build.yml@main
+  check:
+    name: check
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ["macos-latest", "ubuntu-latest", "windows-latest"]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: setup | rust
+        uses: steganogram/.github/.github/actions/rust-toolchain@main
+      - run: cargo check
+
+  lint:
+    name: lint
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ["macos-latest", "ubuntu-latest", "windows-latest"]
+        cargo-cmd:
+          - fmt --all -- --check
+          - clippy --all-targets -- -D warnings
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: setup | rust
+        uses: steganogram/.github/.github/actions/rust-toolchain@main
+      - run: cargo ${{ matrix['cargo-cmd'] }}
+
+  tests:
+    name: tests
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ["macos-latest", "ubuntu-latest", "windows-latest"]
+        channel: ["nightly", "stable"]
+    runs-on: ${{ matrix.os }}
+    continue-on-error: ${{ matrix.channel == 'nightly' }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: setup | rust
+        uses: steganogram/.github/.github/actions/rust-toolchain@main
+        with:
+          channel: ${{ matrix.channel }}
+          default: true
+          profile: minimal
+      - name: cargo test
+        if: matrix.os != 'windows-latest'
+        run: |
+          if [ -f "Cargo.lock" ]; then
+            cargo test --all --locked
+          else
+            cargo test --all
+          fi
+      - name: cargo test
+        if: matrix.os == 'windows-latest'
+        run: |
+          if (Test-Path "Cargo.lock") {
+            cargo test --all --locked
+          } else {
+            cargo test --all
+          }
+
+  audit:
+    name: security audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: setup | rust
+        uses: steganogram/.github/.github/actions/rust-toolchain@main
+      - uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-deny
+      - name: audit
+        run: cargo deny check advisories bans sources
+        continue-on-error: true
+
+  docs:
+    name: docs
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: setup | rust
+        uses: steganogram/.github/.github/actions/rust-toolchain@main
+      - name: check documentation
+        env:
+          RUSTDOCFLAGS: -D warnings
+        run: cargo doc --no-deps
 
   coverage:
     name: code coverage
-    uses: steganogram/.github/.github/workflows/coverage.yml@main
-    secrets:
-      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: setup | rust
+        uses: steganogram/.github/.github/actions/rust-toolchain@main
+        with:
+          channel: nightly
+      - uses: taiki-e/install-action@cargo-llvm-cov
+      - name: run code coverage
+        run: cargo +nightly llvm-cov --all-features --workspace --lcov --output-path lcov.info
+      - name: upload to codecov.io
+        uses: codecov/codecov-action@v5
+        continue-on-error: true
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: lcov.info
+          fail_ci_if_error: true
 
   benchmark:
     name: benchmark
     runs-on: ubuntu-latest
     continue-on-error: true
     steps:
       - uses: actions/checkout@v4
+        with:
+          submodules: recursive
       - name: setup | rust
         uses: steganogram/.github/.github/actions/rust-toolchain@main
         with:
           channel: nightly
       - name: run benchmarks
         run: cargo +nightly benchmarks
-
-  # pkg-deb:
-  #   name: binaray package .deb
-  #   needs: check
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - uses: actions/checkout@v4
-  #     - name: cargo deb
-  #       uses: sassman/rust-deb-builder@v1
-  #       with:
-  #         package: stegano-cli
-  #     - name: Archive deb artifact
-  #       uses: actions/upload-artifact@v2
-  #       with:
-  #         name: stegano-cli-amd64-static.deb
-  #         path: target/x86_64-unknown-linux-musl/debian/stegano-cli*.deb

.gitignore

@@ -1,2 +1,3 @@
 target
 tmp
+.planning/

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "crates/stegano-f5-jpeg-decoder"]
+	path = crates/stegano-f5-jpeg-decoder
+	url = git@github.com:steganogram/stegano-f5-jpeg-decoder.git
+[submodule "crates/stegano-f5-jpeg-encoder"]
+	path = crates/stegano-f5-jpeg-encoder
+	url = git@github.com:steganogram/stegano-f5-jpeg-encoder.git