Add encrypted message history + cloud backup to Phase 2 roadmap

- History encrypted with key derived from seed (HKDF)
- No extra password needed (seed = access)
- Optional double encryption with passphrase
- Cloud targets: S3, Google Drive, WebDAV
- Backup is encrypted archive, provider sees only blobs
- Incremental sync, versioned, deduplicated
- Also marked WebSocket, TUI, Web WASM as done in Phase 2

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

DESIGN.md

@@ -442,8 +442,20 @@ warzone.wasm      # browser client (via wasm-pack)
   - ENS domain resolution (@vitalik.eth → 0xd8dA... → Warzone identity)
   - Crates: k256, tiny-keccak, ethers-rs/alloy for ENS resolution
   - Session key delegation from hardware wallet (sign once per 30 days)
-- [ ] TUI client (ratatui)
+- [x] TUI client (ratatui)
-- [ ] Web client (WASM)
+- [x] Web client (WASM)
+- [x] WebSocket real-time push
+- [ ] Encrypted local message history & cloud backup
+  - Messages encrypted at rest using key derived from seed (HKDF, info="warzone-history")
+  - No extra password needed — if you have your seed, you can read your history
+  - Optional passphrase for additional protection (double encryption)
+  - Browser: encrypted blob in IndexedDB, export as file
+  - CLI: encrypted sled DB (already has seed-encrypted keystore)
+  - Cloud backup targets: S3-compatible, Google Drive, WebDAV
+  - Backup format: encrypted archive (ChaCha20-Poly1305), versioned, deduplicated
+  - Restore: import backup + provide seed → decrypt and merge history
+  - Sync: periodic incremental backup (new messages since last backup)
+  - Privacy: backup provider sees only encrypted blobs, no metadata
 
 ### Phase 3 — Federation & Key Transparency
 - [ ] DNS TXT record format specification (server discovery + user key transparency)