feat(share): add encrypted Git-backed team sharing

[0xjunha]

Overview

This adds V1 team sharing for Darc: a local-first, Git-backed way to share selected, redacted session index data with team without uploading raw provider logs or the local SQLite index. Shared content is encrypted using age before it is written to Git, and Darc read commands remain local-only unless the caller explicitly opts into shared scope.

User-Facing Changes

• Add share management commands:
  • darc share status
  • darc share key
  • darc share identity
  • darc share policy manual|all
  • darc share include <session|--all>
  • darc share exclude <session|--all>
  • darc share recipient add|remove|list
• Add share remote commands:
  • darc remote add <name> <url>
  • darc remote list
• Add Git-style shared-index sync commands:
  • darc push <branch> [--remote <name>]
  • darc fetch <branch> [--remote <name>]
  • darc merge <branch> [--remote <name>]
  • darc pull <branch> [--remote <name>]
• Map user-facing share branch names like team to Git branches under darc/team.
• Add explicit shared query controls:
  • --shared
  • --scope local|shared|all
  • --author <user-id|email|display-name>
• Keep session-oriented reads local by default, including search, session lists, turn lists, session/turn show commands, and session-scoped file/stat reads.
• Add interactive progress output for share push and pull, including export/import progress and Git/LFS upload progress where available.

Implementation Details

• Add a new darc-share crate for the encrypted sharing capability.
• Add core/CLI integration around share configuration, selection, remotes, push/fetch/merge/pull workflows, and progress reporting.
• Add store support for:
  • shared session provenance
  • share users
  • project share policies
  • per-session share state
  • shared import/prune operations
• Add query support for local/shared/all origin scope and author filtering.
• Promote imported shared sessions to local provenance when the same session later appears in local archives.
• Preserve selected share configuration across rebuilds and reindexing.
• Use the system git executable for transport so Darc follows the user’s existing Git authentication setup.

Security And Privacy

• Export only a redacted index projection, not raw transcript archives or SQLite database files.
• Encrypt shared payloads with age X25519 recipients.
• Sign shared sync and turn payloads with a persistent Ed25519 signing identity.
• Derive stable share user ids from signing keys rather than email addresses.
• Authenticate manifests, sync metadata, chunk metadata, payload hashes, and exporter identity before import or pruning.
• Reject credential-bearing remote URLs and redact remote output.
• Reject unsafe artifact layouts, symlinked cache/key paths, unexpected plaintext files, malformed manifests, unsupported schema versions, and unsafe remote/cache state.
• Keep last-good imported shared data when replacement artifacts fail validation.
• Avoid re-exporting imported shared sessions by default.

Performance

• Store large exports as gzip-compressed encrypted chunks.
• Support optional Git LFS publishing with DARC_SHARE_ENABLE_LFS=1.
• Reuse unchanged export artifacts when the selected session set and signed source summaries match.
• Stream chunk writes during export instead of buffering the entire export in memory.
• Add scripts/bench-share-export.sh for measuring cold and unchanged share pushes against synthetic or scrubbed Darc roots.

Documentation

• Add the shared-index ADR at docs/adr/shared-index.md.
• Update the README with team sharing setup, remote usage, query examples, and privacy notes.
• Update the query protocol documentation for shared scope flags and provenance fields.
• Update the architecture diagram.
• Update the changelog under Unreleased.

Test Coverage

• Add share crate tests for branch naming, key handling, remote validation, encryption/decryption, artifact validation, chunked imports, LFS behavior, cache cleanup, retained manifest authentication, import pruning, duplicate manifests, and failure cases.
• Add store/query tests for shared provenance, local/shared/all scopes, author filters, shared exact search, pagination, and local promotion.
• Add CLI parser and integration tests for share commands, shared query flags, remote redaction, and progress rendering.