docs(security): document E2E gate None-arm and get_nsec key-scope caveat

Two comment-only fixes from Thufir's security review of PR #1185:

- ingest.rs: add explicit comment on the channel_id == None arm of the
  E2E latch gate explaining why the silent skip is safe (channel-less
  events cannot be latched; rejected downstream at insert).

- lib.rs: add comment near get_nsec registration scoping the 'private
  key never leaves Rust' property to the nip44_encrypt/decrypt commands
  and noting get_nsec as a tracked follow-on hardening item.

- check-file-sizes.mjs: bump lib.rs ceiling (1034 → 1044, +8 comment
  lines) and tauri.ts ceiling (1218 → 1231, main grew since rebase).

Co-authored-by: Will Pfleger <pfleger.will@gmail.com>
Signed-off-by: Will Pfleger <pfleger.will@gmail.com>

Author: npub1mn7jgtj4w2pd0g0zeuhxsa6jy6p0rewxz4kujt98my82ahfmp72sxjexk7

crates/buzz-relay/src/handlers/ingest.rs

@@ -1536,6 +1536,10 @@ pub async fn ingest_event(
                 }
             }
         }
+        // channel_id == None: channel-less events cannot be latched (the latch is
+        // set at create_dm time and keyed to a channel row). A channel-scoped kind
+        // with no `h` tag is rejected downstream at insert regardless, so skipping
+        // the latch check here is safe. The explicit arm keeps this intentional.
     }
 
     // Track pre-created channel UUID for compensation on insert failure.

desktop/scripts/check-file-sizes.mjs

@@ -62,9 +62,9 @@ const overrides = new Map([
   // threaded through Tauri invokes for configurable repos_dir, plus the
   // harness-persona-sync `harnessOverride` create-input bit — load-bearing
   // parameter plumbing, not generic debt growth. E2E DM crypto wiring adds
-  // further plumbing here; ceiling holds both. Approved override; still
+  // further plumbing here; ceiling holds all. Approved override; still
   // queued to split.
-  ["src/shared/api/tauri.ts", 1218],
+  ["src/shared/api/tauri.ts", 1231],
   // harness-persona-sync feature growth, queued to split in the resolver-unify
   // refactor followup. discovery.rs is dominated by the new test module
   // (the effective_agent_command / divergent / create-time override matrix);
@@ -83,8 +83,9 @@ const overrides = new Map([
   // persona-events rebase: boot-time event-sync wiring (run_boot_migrations
   // syncs team-dir edits before all personas.json readers; run_event_sync
   // signs the persona/team retention events post-identity) layered on top of
-  // main's growth. Load-bearing feature growth, queued to split with the list.
-  ["src-tauri/src/lib.rs", 1034],
+  // main's growth. E2E DM review fix adds a scoping comment near `get_nsec`
+  // (8 lines, load-bearing security documentation). Queued to split.
+  ["src-tauri/src/lib.rs", 1044],
   // onMarkRead + isUnread prop threading (mirrors the onMarkUnread prop
   // already here) for the single-toggle mark-read/unread menu item — a small
   // overage from load-bearing per-message plumbing, not generic debt growth.

desktop/src-tauri/src/lib.rs

@@ -748,6 +748,14 @@ pub fn run() {
         })
         .invoke_handler(tauri::generate_handler![
             get_identity,
+            // NOTE: `get_nsec` returns the raw bech32 private key to any frontend
+            // caller. The "private key never leaves Rust" property stated in the
+            // NIP-44 DM command design applies to the `nip44_encrypt_to_peer` /
+            // `nip44_decrypt_from_peer` API boundary — those commands accept
+            // plaintext/ciphertext and return only the result. `get_nsec` is a
+            // separate, pre-existing escape hatch used by identity import/export
+            // flows. Removing or access-gating `get_nsec` is tracked as a
+            // follow-on hardening item.
             get_nsec,
             import_identity,
             get_profile,