refactor: move PacketConnection trait to aura-proto; decouple tunnel from transport

Worktree isolation is unavailable in this environment, so make Wave 3 safe for
same-tree parallel work instead: the PacketConnection contract now lives in
aura-proto (stable) and aura-tunnel no longer depends on aura-transport. With
transport and tunnel both depending only on proto (and not each other), the two
crates are independent leaves and can be built/edited concurrently without one
breaking the other's build. proto: 13 tests still green.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Cargo.lock

@@ -242,6 +242,8 @@ dependencies = [
 name = "aura-proto"
 version = "0.1.0"
 dependencies = [
+ "anyhow",
+ "async-trait",
  "aura-crypto",
  "aura-pki",
  "bincode",
@@ -281,9 +283,9 @@ name = "aura-tunnel"
 version = "0.1.0"
 dependencies = [
  "anyhow",
+ "async-trait",
  "aura-crypto",
  "aura-proto",
- "aura-transport",
  "bytes",
  "hickory-resolver",
  "ipnetwork",

crates/aura-proto/Cargo.toml

@@ -26,6 +26,8 @@ x509-parser.workspace = true
 # The handshake and session are async over tokio::io::{AsyncRead, AsyncWrite}, so tokio must be a
 # normal dependency (available via the workspace `full` feature set), not only a dev-dependency.
 tokio.workspace = true
+async-trait.workspace = true
+anyhow.workspace = true
 
 [dev-dependencies]
 tokio.workspace = true

crates/aura-proto/src/conn.rs

@@ -0,0 +1,23 @@
+//! The full-duplex packet-connection abstraction shared by the transport and the tunnel router.
+//!
+//! [`PacketConnection`] is the seam between `aura-transport` (which carries packets over a
+//! QUIC-backed [`crate::Session`]) and `aura-tunnel`'s router. The router reads IP packets from the
+//! TUN device and `send_packet`s the ones routed through the VPN, while a second task `recv_packet`s
+//! decrypted IP packets to write back to the TUN. The methods take `&self` (not `&mut self`) so a
+//! single connection can be shared — e.g. behind `Arc<dyn PacketConnection>` — across the concurrent
+//! send and receive tasks.
+//!
+//! It lives in `aura-proto` (rather than `aura-transport`) so that `aura-tunnel` depends only on
+//! this stable contract and not on the transport crate, keeping the two independently buildable.
+
+use async_trait::async_trait;
+
+/// A bidirectional, encrypted packet pipe to the peer (one IP packet per call).
+#[async_trait]
+pub trait PacketConnection: Send + Sync {
+    /// Encrypt and send one IP packet to the peer.
+    async fn send_packet(&self, packet: &[u8]) -> anyhow::Result<()>;
+
+    /// Receive and decrypt one IP packet from the peer. Returns the plaintext IP packet.
+    async fn recv_packet(&self) -> anyhow::Result<Vec<u8>>;
+}

crates/aura-proto/src/lib.rs

@@ -41,13 +41,15 @@
 #![forbid(unsafe_code)]
 #![warn(missing_docs)]
 
+pub mod conn;
 pub mod frame;
 pub mod handshake;
 pub mod session;
 
+pub use conn::PacketConnection;
 pub use frame::{Frame, MsgType};
 pub use handshake::{client_handshake, server_handshake};
-pub use session::Session;
+pub use session::{Session, SessionReceiver, SessionSender};
 
 use thiserror::Error;
 

crates/aura-transport/src/conn.rs

@@ -1,20 +0,0 @@
-//! The transport's full-duplex packet-connection abstraction.
-//!
-//! [`PacketConnection`] is the seam between this crate (QUIC transport + the post-handshake
-//! `aura_proto::Session`) and `aura-tunnel`'s router. The router reads IP packets from the TUN
-//! device and `send_packet`s the ones routed through the VPN, while a second task `recv_packet`s
-//! decrypted IP packets to write back to the TUN. The methods take `&self` (not `&mut self`) so a
-//! single connection can be shared — e.g. behind `Arc<dyn PacketConnection>` — across the
-//! concurrent send and receive tasks.
-
-use async_trait::async_trait;
-
-/// A bidirectional, encrypted packet pipe to the peer (one IP packet per call).
-#[async_trait]
-pub trait PacketConnection: Send + Sync {
-    /// Encrypt and send one IP packet to the peer.
-    async fn send_packet(&self, packet: &[u8]) -> anyhow::Result<()>;
-
-    /// Receive and decrypt one IP packet from the peer. Returns the plaintext IP packet.
-    async fn recv_packet(&self) -> anyhow::Result<Vec<u8>>;
-}

crates/aura-transport/src/lib.rs

@@ -1,9 +1,4 @@
-//! aura-transport — QUIC transport, HTTPS/H3 traffic mimicry, and the packet-connection seam.
+//! aura-transport — QUIC transport and HTTPS/H3 traffic mimicry (skeleton; implemented in Wave 3).
 //!
-//! Implemented in Wave 3. This file currently pins the cross-crate [`PacketConnection`] contract
+//! Implements `aura_proto::PacketConnection` over a QUIC-carried `aura_proto::Session`, and provides
-//! consumed by `aura-tunnel`'s router; the QUIC endpoint (quinn), mimicry, and padding land
+//! the quinn endpoint setup (`quic`), mimicry (`mimicry`), and packet padding (`padding`).
-//! alongside it in the `quic`, `mimicry`, and `padding` modules.
-
-pub mod conn;
-
-pub use conn::PacketConnection;

crates/aura-tunnel/Cargo.toml

@@ -6,9 +6,9 @@ license.workspace = true
 description = "Aura tunnel: cross-platform TUN, split-tunnel routing, DNS"
 
 [dependencies]
-aura-transport.workspace = true
 aura-proto.workspace = true
 aura-crypto.workspace = true
+async-trait.workspace = true
 tokio.workspace = true
 bytes.workspace = true
 ipnetwork.workspace = true