huddle 1.1.4 — security & robustness pass

@richer-richard richer-richard released this 03 Jun 14:24
· 34 commits to main since this release
v1.1.4
78797fe

A hardening release on top of 1.1.3 — no new product features. Adversarially reviewed; two HIGH findings fixed and regression-tested.

Breaking: the relay now enforces client authentication. Clients older than 1.1.4 can no longer connect to a 1.1.4 relay — upgrade the client and redeploy the relay together.

Relay (huddle-server)

  • Enforced client auth (Ed25519 challenge–response). The relay greets with a 32-byte nonce; clients sign it with their identity key and present pubkey + signature in Hello. The fingerprint is re-derived from the pubkey and pinned to the connection, so a second Hello can't re-bind the socket to another identity (impersonation / mailbox theft).
  • Safer mailbox delivery. Peek → deliver → delete-only-delivered over a bounded outbound queue, so a socket drop mid-drain no longer silently loses or double-delivers queued ciphertext.
  • DoS defenses. Pre-auth handshake timeout + bounded per-connection queue.
  • Age-based mailbox GC.
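
The peek → deliver → delete-only-delivered drain from the mailbox bullet above, as an added sketch that is not huddle-server's own code. `Mailbox`, `Queued` and `drain` are hypothetical names, the sample messages are constructed, and acceptance by the bounded outbound queue stands in for delivery.

```rust
use std::collections::VecDeque;
use std::sync::mpsc::{sync_channel, SyncSender};

// Hypothetical types: the relay's real mailbox and message types are not shown on this page.
#[derive(Clone, Debug, PartialEq)]
pub struct Queued {
    pub id: u64,
    pub ciphertext: Vec<u8>,
}

pub struct Mailbox {
    items: VecDeque<Queued>,
}

impl Mailbox {
    pub fn new(items: Vec<Queued>) -> Self { Mailbox { items: items.into() } }
    pub fn len(&self) -> usize { self.items.len() }
    /// Peek: copy up to `n` of the oldest entries, leaving them stored.
    pub fn peek(&self, n: usize) -> Vec<Queued> {
        self.items.iter().take(n).cloned().collect()
    }
    /// Delete only the entries whose ids were confirmed delivered.
    pub fn delete(&mut self, delivered: &[u64]) {
        self.items.retain(|m| !delivered.contains(&m.id));
    }
}

/// One drain pass; returns how many entries were delivered and deleted.
/// Assumption: "delivered" means accepted by the bounded outbound queue.
pub fn drain(mb: &mut Mailbox, out: &SyncSender<Queued>, batch: usize) -> usize {
    let mut delivered = Vec::new();
    for msg in mb.peek(batch) {
        let id = msg.id;
        // try_send never blocks: it fails when the queue is full or the socket
        // writer is gone. Stop at the first failure so ordering is preserved.
        if out.try_send(msg).is_err() {
            break;
        }
        delivered.push(id);
    }
    mb.delete(&delivered);
    delivered.len()
}

fn main() {
    // Constructed sample: five queued ciphertexts, outbound queue bounded at 2.
    let mut mb = Mailbox::new((1..=5).map(|i| Queued { id: i, ciphertext: vec![i as u8] }).collect());
    let (tx, rx) = sync_channel(2);
    let first = drain(&mut mb, &tx, 5);
    let sent: Vec<u64> = rx.try_iter().map(|m| m.id).collect();
    drop(rx); // simulate the socket dropping mid-drain
    let second = drain(&mut mb, &tx, 5);
    println!("sent {sent:?} ({first}); after drop: {second} delivered, {} kept", mb.len());
}
```

Because deletion happens only for ids the queue accepted, a full queue or a dropped receiver leaves the remaining ciphertext stored for the next connection instead of losing it.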

Core crypto

  • X25519 small-order / contributory checks on both the DM key agreement and the SAS handshake.
  • Zeroization of the DM secret scalar, the SHA-512 digest, and identity-seed copies.

Client

  • Update check over Tor. The opt-in crates.io version poll now goes through the Tor SOCKS proxy (no clearnet IP leak); it skips cleanly when Tor is down.
  • TUI live Dark/Light themes. Settings → Appearance, T to toggle; persisted via the shared theme setting (honors the GUI's value; system resolves to Dark in the terminal).
  • Bounded ROOM_SALT_CACHE; wider AppEvent broadcast headroom; dead-code cleanup.

Docs

  • New SECURITY.md and docs/ROADMAP-forward-secrecy-and-rekey.md; README changelog + 4-crate architecture; MANUAL_TESTING refresh.