
chore(security): upstream y-webrtc diff check — vendor fork audit #60

Description

@qnbs

Purpose

packages/collab-transport is a vendor fork of y-webrtc 10.3.0. Renovate/Dependabot do not pull upstream security patches — we are responsible for manual diffs.

Audit Checklist

  • Check upstream releases for CVEs: https://github.com/yjs/y-webrtc/releases
  • Diff crypto.js against upstream tag: git diff v10.3.0..<new-tag> -- src/crypto.js
  • Diff y-webrtc.js against upstream
  • Re-apply SC patches (PBKDF2 600k, extractable:false, return-fix)
  • Bump package.json version to <upstream>-sc1
  • Commit: chore(collab): vendor-fork sync y-webrtc <version>

SC Patches (C-1, 2026-05-28, crypto.js)

  1. PBKDF2 100k→310k→600k (OWASP 2024 SHA-256 minimum)
  2. extractable:false (prevents subtle.exportKey)
  3. return before promise.reject() (was silent swallow)

Vendored: y-webrtc 10.3.0 | SC-Commit: 63afa69

This issue is a permanent reminder — do not close.
