refactor: move PacketConnection trait to aura-proto; decouple tunnel from transport

Worktree isolation is unavailable in this environment, so make Wave 3 safe for
same-tree parallel work instead: the PacketConnection contract now lives in
aura-proto (stable) and aura-tunnel no longer depends on aura-transport. With
transport and tunnel both depending only on proto (and not each other), the two
crates are independent leaves and can be built/edited concurrently without one
breaking the other's build. proto: 13 tests still green.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

crates/aura-proto/Cargo.toml

@@ -26,6 +26,8 @@ x509-parser.workspace = true
 # The handshake and session are async over tokio::io::{AsyncRead, AsyncWrite}, so tokio must be a
 # normal dependency (available via the workspace `full` feature set), not only a dev-dependency.
 tokio.workspace = true
+async-trait.workspace = true
+anyhow.workspace = true
 
 [dev-dependencies]
 tokio.workspace = true

crates/aura-proto/src/conn.rs

@@ -0,0 +1,23 @@
+//! The full-duplex packet-connection abstraction shared by the transport and the tunnel router.
+//!
+//! [`PacketConnection`] is the seam between `aura-transport` (which carries packets over a
+//! QUIC-backed [`crate::Session`]) and `aura-tunnel`'s router. The router reads IP packets from the
+//! TUN device and `send_packet`s the ones routed through the VPN, while a second task `recv_packet`s
+//! decrypted IP packets to write back to the TUN. The methods take `&self` (not `&mut self`) so a
+//! single connection can be shared — e.g. behind `Arc<dyn PacketConnection>` — across the concurrent
+//! send and receive tasks.
+//!
+//! It lives in `aura-proto` (rather than `aura-transport`) so that `aura-tunnel` depends only on
+//! this stable contract and not on the transport crate, keeping the two independently buildable.
+
+use async_trait::async_trait;
+
+/// A bidirectional, encrypted packet pipe to the peer (one IP packet per call).
+#[async_trait]
+pub trait PacketConnection: Send + Sync {
+    /// Encrypt and send one IP packet to the peer.
+    async fn send_packet(&self, packet: &[u8]) -> anyhow::Result<()>;
+
+    /// Receive and decrypt one IP packet from the peer. Returns the plaintext IP packet.
+    async fn recv_packet(&self) -> anyhow::Result<Vec<u8>>;
+}

crates/aura-proto/src/lib.rs

@@ -41,13 +41,15 @@
 #![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
+pub mod conn;
 pub mod frame;
 pub mod handshake;
 pub mod session;
 
+pub use conn::PacketConnection;
 pub use frame::{Frame, MsgType};
 pub use handshake::{client_handshake, server_handshake};
-pub use session::Session;
+pub use session::{Session, SessionReceiver, SessionSender};
 
 use thiserror::Error;