fix: surface clear error when joining encrypted room without invitation

- membership server returns 403 + human-readable message on missing sealed key (was leaking 'sql: no rows in result set')
- client doJSON unwraps the server's {"error"} field instead of pasting the raw HTTP envelope

pkg/membership/server.go

@@ -1,7 +1,9 @@
 package membership
 
 import (
+	"database/sql"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -235,7 +237,12 @@ func (s *Server) handleGetKey(w http.ResponseWriter, r *http.Request) {
 	}
 	ep, sealed, err := s.store.GetSealedKey(roomID, endpoint, epoch)
 	if err != nil {
-		writeErr(w, http.StatusNotFound, err.Error())
+		if errors.Is(err, sql.ErrNoRows) {
+			writeErr(w, http.StatusForbidden,
+				"not invited to this encrypted room: no key has been sealed for your identity. Ask the room owner to invite you before joining.")
+			return
+		}
+		writeErr(w, http.StatusInternalServerError, err.Error())
 		return
 	}
 	writeJSON(w, http.StatusOK, keyResp{Epoch: ep, SealedKey: sealed})