feat(p2p): Phase 4 cross-relay direct calling over federation

Teaches the relay pair to route direct-call signaling across an
existing federation link. Alice on Relay A can now place a direct
call to Bob on Relay B if A and B are federation peers — the
wire protocol, call registry, and signal dispatch all learn to
track and route the cross-relay flow.

Phase 3.5's dual-path QUIC race then carries the media directly
peer-to-peer using the advertised reflex addrs, with zero
changes needed on the client side.

## Wire protocol (wzp-proto)

New `SignalMessage::FederatedSignalForward { inner, origin_relay_fp }`
envelope variant, appended at end of enum — JSON serde is
name-tagged so pre-Phase-4 relays just log "unknown variant" and
drop it. 2 new roundtrip tests (any-inner nesting + single
DirectCallOffer case).

## Call registry (wzp-relay)

`DirectCall.peer_relay_fp: Option<String>` — federation TLS fp
of the peer relay that forwarded the offer/answer for this call.
`None` on local calls, `Some` on cross-relay. Used by the answer
path to route the reply back through the same federation link
instead of trying (and failing) to deliver via local signal_hub.
New `set_peer_relay_fp` setter + 1 new unit test.

## FederationManager (wzp-relay)

Three new methods:
- `local_tls_fp()` — exposes the relay's own federation TLS fp
  so main.rs can build `origin_relay_fp` fields.
- `broadcast_signal(msg) -> usize` — fan out any signal message
  (in practice `FederatedSignalForward`) to every active peer
  link, returning the reach count. Used when Relay A doesn't
  know which peer has the target fingerprint.
- `send_signal_to_peer(fp, msg)` — targeted send for the reply
  path where the registry already knows which peer relay to
  hit.

Plus a new `cross_relay_signal_tx: Mutex<Option<Sender<...>>>`
field that `set_cross_relay_tx()` wires at startup so the
federation `handle_signal` can push unwrapped inner messages
into the main signal dispatcher.

## Federation handle_signal (wzp-relay)

New match arm for `FederatedSignalForward`:
- Loop prevention: drops forwards whose `origin_relay_fp` equals
  this relay's own fp (prevents A→B→A echo loops without needing
  TTL yet).
- Otherwise pulls the inner message out and pushes it through
  `cross_relay_signal_tx` so the main loop's dispatcher task
  handles it as if it had arrived locally.

## Main signal loop (wzp-relay)

### DirectCallOffer when target not local
Before falling through to Hangup, try the federation path:
- Wrap the offer in `FederatedSignalForward` with
  `origin_relay_fp = this relay's tls_fp`
- `fm.broadcast_signal(forward)` — returns peer count
- If any peers reached, stash the call in local registry with
  `caller_reflexive_addr` set, `peer_relay_fp` still None
  (broadcast — the answer-side will identify itself when it
  replies)
- Send `CallRinging` to caller immediately for UX feedback
- Only if no federation or no peers → legacy Hangup path

### DirectCallAnswer when peer is remote
- Registry lookup now reads both `peer_fingerprint` and
  `peer_relay_fp` in one acquisition
- If `peer_relay_fp.is_some()`:
  * Reject → forward a `Hangup` over federation via
    `send_signal_to_peer` instead of local signal_hub
  * Accept → wrap the raw answer in `FederatedSignalForward`,
    route to the specific origin peer, then emit the LOCAL
    CallSetup to our callee with `peer_direct_addr =
    caller_reflexive_addr` (caller is remote; this side only
    has the callee)
- If `peer_relay_fp.is_none()` → existing Phase 3 same-relay
  path with both CallSetups (caller + callee)

### Cross-relay signal dispatcher task
New long-running task reading `(inner, origin_relay_fp)` from
`cross_relay_rx`. In Phase 4 MVP handles:
- `DirectCallOffer` — if target is local, create the call in
  the registry with `peer_relay_fp = origin_relay_fp`, stash
  caller addr, deliver offer to local callee. If target isn't
  local, drop (no multi-hop in Phase 4 MVP).
- `DirectCallAnswer` — look up local caller by call_id, stash
  callee addr, forward raw answer to local caller via
  signal_hub, emit local CallSetup with `peer_direct_addr =
  callee_reflexive_addr` (peer is local now; this side only
  has the caller).
- `CallRinging` — best-effort forward to local caller for UX.
- `Hangup` — logged for now; Phase 4.1 will target by call_id.

## Integration tests

`crates/wzp-relay/tests/cross_relay_direct_call.rs` — 3 tests
that reproduce the main.rs cross-relay dispatcher logic inline
and assert the invariants without spinning up real binaries:

1. `cross_relay_offer_forwards_and_stashes_peer_relay_fp` —
   Relay A gets Alice's offer, broadcasts. Relay B's dispatcher
   creates the call with `peer_relay_fp = relay_a_tls_fp`.
2. `cross_relay_answer_crosswires_peer_direct_addrs` — full
   round trip; both CallSetups (one on each relay) carry the
   OTHER party's reflex addr.
3. `cross_relay_loop_prevention_drops_self_sourced_forward` —
   explicit loop-prevention check.

Full workspace test goes from 413 → 419 passing. Clippy clean
on touched files.

## Non-goals (deferred to Phase 4.1+)

- Relay-mediated media fallback across federation — if P2P
  direct fails (symmetric NAT on either side), the call errors
  out with "no media path". Making the existing federation
  media pipeline carry ephemeral call-<id> rooms is the Phase
  4.1 lift.
- Multi-hop federation (A → B → C). Phase 4 MVP supports a
  direct federation link between A and B only.
- Fingerprint → peer-relay routing gossip.

PRD: .taskmaster/docs/prd_phase4_cross_relay_p2p.txt
Tasks: 70-78 all completed

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

crates/wzp-relay/src/call_registry.rs

@@ -41,6 +41,15 @@ pub struct DirectCall {
     /// `AcceptTrusted` answers — privacy-mode answers leave this
     /// `None`. Fed into the caller's `CallSetup.peer_direct_addr`.
     pub callee_reflexive_addr: Option<String>,
+    /// Phase 4 (cross-relay): federation TLS fingerprint of the
+    /// PEER RELAY that forwarded the offer/answer for this call.
+    /// `None` for local calls — caller and callee both
+    /// registered on this relay. `Some(fp)` when one side of
+    /// the call is on a remote relay reached through the
+    /// federation link identified by `fp`. The
+    /// `DirectCallAnswer` handling uses this to route the reply
+    /// back through the SAME link instead of broadcasting again.
+    pub peer_relay_fp: Option<String>,
 }
 
 /// Registry of active direct calls.
@@ -69,11 +78,22 @@ impl CallRegistry {
             ended_at: None,
             caller_reflexive_addr: None,
             callee_reflexive_addr: None,
+            peer_relay_fp: None,
         };
         self.calls.insert(call_id.clone(), call);
         self.calls.get(&call_id).unwrap()
     }
 
+    /// Phase 4: stash the federation TLS fingerprint of the peer
+    /// relay that originated (or will receive) the cross-relay
+    /// forward for this call. Safe to call with `None` to clear
+    /// a previously-set value.
+    pub fn set_peer_relay_fp(&mut self, call_id: &str, fp: Option<String>) {
+        if let Some(call) = self.calls.get_mut(call_id) {
+            call.peer_relay_fp = fp;
+        }
+    }
+
     /// Phase 3: stash the caller's server-reflexive address read
     /// off a `DirectCallOffer`. Safe to call on any call state;
     /// a no-op if the call doesn't exist.
@@ -267,6 +287,29 @@ mod tests {
         reg.set_caller_reflexive_addr("does-not-exist", Some("x".into()));
     }
 
+    #[test]
+    fn call_registry_stores_peer_relay_fp() {
+        let mut reg = CallRegistry::new();
+        reg.create_call("c1".into(), "alice".into(), "bob".into());
+
+        // Default: no peer relay.
+        assert!(reg.get("c1").unwrap().peer_relay_fp.is_none());
+
+        // Cross-relay call: origin relay's fp is stashed.
+        reg.set_peer_relay_fp("c1", Some("relay-a-tls-fp".into()));
+        assert_eq!(
+            reg.get("c1").unwrap().peer_relay_fp.as_deref(),
+            Some("relay-a-tls-fp")
+        );
+
+        // Clearing with None is a valid no-op and empties the field.
+        reg.set_peer_relay_fp("c1", None);
+        assert!(reg.get("c1").unwrap().peer_relay_fp.is_none());
+
+        // Unknown call is a no-op, not a panic.
+        reg.set_peer_relay_fp("does-not-exist", Some("x".into()));
+    }
+
     #[test]
     fn call_registry_clearing_reflex_addr_works() {
         // Passing None to the setter must clear a previously-set value