
huddle 2.0.1 — SAS post-quantum binding fix


richer-richard released this 10 Jun 00:24
· 30 commits to main since this release
v2.0.1
29174ef

Fix release. 2.0.0's F1 SAS post-quantum capability binding was asymmetric — each peer folded only the other peer's ML-KEM key into the SAS transcript, so two post-quantum-capable peers derived different safety numbers and could never complete out-of-band verification (and the verified_peers.pq_capable anchor could never be set). It failed closed — no MITM could forge a match and the channel was never weakened — but SAS verification between two 2.0 peers was effectively impossible.

2.0.1 binds both peers' ML-KEM keys in canonical byte-sorted order, so honest peers derive the same code again; a genuine capability mismatch, or a relay stripping one side's key, still makes the codes diverge (downgrade detection preserved).
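To make the asymmetry concrete, here is an added model of the two derivations side by side. This is example code written for this page, not huddle's own SAS code: the field labels, the `pq_negotiated` flag, the `SasView` shape and the stand-in FNV-1a hash (used so the file compiles with std alone; the real transcript hash is not named in these notes) are all assumptions. It reproduces the three situations the notes describe: two honest PQ peers (2.0.0 diverges, 2.0.1 matches), a relay stripping one side's key (both diverge, so downgrade detection survives), and a purely classical session (both unaffected).

```rust
// Added example (not huddle's code). Models the 2.0.0 asymmetric binding and
// the 2.0.1 canonical byte-sorted binding. Field labels, `pq_negotiated`, the
// struct shape and the placeholder hash are assumptions for illustration.

/// Placeholder 64-bit FNV-1a hash. A real SAS uses a cryptographic hash here;
/// only the transcript *structure* matters for this demonstration.
fn fnv1a64(data: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for &b in data {
        h ^= u64::from(b);
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}

/// What one endpoint knows when it derives its safety number (assumed shape).
#[derive(Clone, Copy)]
struct SasView<'a> {
    classical_transcript: &'a [u8],
    /// Both sides advertised PQ capability in the handshake (assumption).
    pq_negotiated: bool,
    own_ek: Option<&'a [u8]>,
    /// The peer's ML-KEM key as delivered by the relay; None if absent or stripped.
    peer_ek: Option<&'a [u8]>,
}

/// Labelled, length-prefixed field so adjacent fields cannot be re-split.
fn append_field(t: &mut Vec<u8>, label: &[u8], field: &[u8]) {
    t.extend_from_slice(label);
    t.extend_from_slice(&(field.len() as u32).to_be_bytes());
    t.extend_from_slice(field);
}

/// 2.0.0 behaviour: fold only the *peer's* key. Alice binds B and Bob binds A,
/// so two honest PQ peers with distinct keys can never agree.
fn transcript_2_0_0(v: &SasView) -> Vec<u8> {
    let mut t = v.classical_transcript.to_vec();
    if v.pq_negotiated {
        if let Some(ek) = v.peer_ek {
            append_field(&mut t, b"pq-ek", ek);
        }
    }
    t
}

/// 2.0.1 behaviour: fold *both* keys in canonical byte-sorted order. Neither side
/// needs to know who initiated; each only needs the same set of keys. A key
/// missing on one side (stripping relay, capability mismatch) changes the set.
fn transcript_2_0_1(v: &SasView) -> Vec<u8> {
    let mut t = v.classical_transcript.to_vec();
    if v.pq_negotiated {
        let mut eks: Vec<&[u8]> = v.own_ek.into_iter().chain(v.peer_ek).collect();
        eks.sort_unstable(); // byte-lexicographic: the canonical order
        append_field(&mut t, b"pq-count", &[eks.len() as u8]);
        for ek in eks {
            append_field(&mut t, b"pq-ek", ek);
        }
    }
    t
}

/// Six-digit code shown to the user; equal transcripts give equal codes.
fn sas_code(transcript: &[u8]) -> u32 {
    (fnv1a64(transcript) % 1_000_000) as u32
}

// Constructed inputs for the scenarios below (not real keys or transcripts).
const TRANSCRIPT: &[u8] = b"constructed-classical-transcript";
const EK_A: &[u8] = b"constructed-ml-kem-ek-alice";
const EK_B: &[u8] = b"constructed-ml-kem-ek-bob";

fn view(pq: bool, own: Option<&'static [u8]>, peer: Option<&'static [u8]>) -> SasView<'static> {
    SasView { classical_transcript: TRANSCRIPT, pq_negotiated: pq, own_ek: own, peer_ek: peer }
}

/// Returns (2.0.0 sides agree, 2.0.1 sides agree).
fn both_agree(a: &SasView, b: &SasView) -> (bool, bool) {
    (transcript_2_0_0(a) == transcript_2_0_0(b), transcript_2_0_1(a) == transcript_2_0_1(b))
}

/// Two honest PQ peers: 2.0.0 never matches, 2.0.1 does.
fn honest_pq_peers() -> (bool, bool) {
    both_agree(&view(true, Some(EK_A), Some(EK_B)), &view(true, Some(EK_B), Some(EK_A)))
}

/// Relay strips Bob's key on the way to Alice; Bob still received Alice's.
/// Both derivations diverge, so the downgrade is still detected.
fn stripped_key() -> (bool, bool) {
    both_agree(&view(true, Some(EK_A), None), &view(true, Some(EK_B), Some(EK_A)))
}

/// No PQ negotiated (1.3.x / classical peer): PQ fields never appear, so both
/// derivations reduce to the classical transcript and match.
fn classical_peers() -> (bool, bool) {
    both_agree(&view(false, None, None), &view(false, None, None))
}

/// The 2.0.1 codes each honest PQ peer would display.
fn honest_pq_codes() -> (u32, u32) {
    let (a, b) = (view(true, Some(EK_A), Some(EK_B)), view(true, Some(EK_B), Some(EK_A)));
    (sas_code(&transcript_2_0_1(&a)), sas_code(&transcript_2_0_1(&b)))
}

fn main() {
    println!("honest PQ peers (2.0.0, 2.0.1): {:?}", honest_pq_peers());
    println!("stripped key    (2.0.0, 2.0.1): {:?}", stripped_key());
    println!("classical peers (2.0.0, 2.0.1): {:?}", classical_peers());
    println!("2.0.1 codes shown to Alice/Bob: {:?}", honest_pq_codes());
}
```

The `pq-count` field is what makes the stripped-key case diverge even when the sorted list of remaining keys is a prefix of the peer's list; without it, an attacker could only be caught if the surviving key bytes happened to differ, so any symmetric binding should commit to the set size as well as its members.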

  • No wire-format or on-disk change. The relay and SAS against 1.3.x / classical / group peers are byte-for-byte unaffected — only client-side SAS derivation changed, so no relay redeploy is required.
  • Both peers must be ≥2.0.1 to complete a PQ-bound SAS. No field peer had a successful PQ-bound SAS before (a match was impossible), so the fix strictly turns guaranteed failures into successes — nothing to stay backward-compatible with.
  • Regression guard added (both_sides_distinct_eks_agree, modeling the real call sites); full huddle-core suite green (201 lib + 4 + 8 + 4).

All four crates published to crates.io at 2.0.1.