feat(aura-gui): v0.1 Tauri-based desktop client — system tray + profile manager + admin status

New crate (kept out of the cargo workspace so the protocol-side check/test cycle stays fast):
a Tauri 2 + React 19 + TypeScript desktop app that runs in the system tray and manages
`aura client` for the user. The clash-verge replacement we settled on instead of trying to
shoehorn AuraVPN's L3 IP-tunnel into a clash-verge L4 outbound.

## What's wired

- **Profile manager** — `aura-gui/src-tauri/src/profiles.rs`. App-data layout
  (`~/Library/Application Support/ru.undergr0und.aura/profiles/<id>/` on macOS, the
  equivalent on Linux + Windows). `import_profile_from_tgz` accepts the same bundle shape
  `aura provision-client` emits, detects flat vs single-dir layouts, and refuses overwrites
  unless the operator deletes first. `delete_profile` refuses symlinks.

- **Connection control** — `cli_proc.rs`. Spawns `aura client --config <profile>/client.toml
  --admin-socket /tmp/aura-admin-<uid>-<profile>.sock`, captures stderr into a bounded
  in-memory ring (200 lines) for the UI to tail, kills via `Child::kill` on disconnect.
  Per-profile / per-uid socket paths so two GUIs (or two profiles) don't collide.

- **Live status** — `admin.rs`. Tiny JSON-line client for the v3.3 admin socket. Polled by
  the React app every 1.5 s: peer id, rx/tx packets, default action, rule count. Falls back
  gracefully (admin_error in the response) when the handshake hasn't completed yet.

- **System tray** — `lib.rs` `setup` callback. Three-item menu (Open AuraVPN / Disconnect /
  Quit). The window's close button hides to the tray instead of exiting — the app keeps
  running so the VPN stays connected; the user explicitly chooses Quit.

- **Frontend** — `src/App.tsx`. Single-page layout: profile list (with badge for missing
  files), connect/disconnect button per profile, status table, collapsible logs panel,
  binary-path picker at the bottom. Dark-mode CSS by default; the same look as a typical
  WireGuard / Tailscale-style tray app.

## What's deferred for v0.2

- Auto-start at login (launchd plist / systemd user unit / Windows Run key)
- Code signing + notarization
- Persisting the aura binary path between sessions
- Per-profile route overrides editor
- Live log streaming (today the frontend polls the ring buffer)
- Admin status query on Windows (today's `admin.rs` Unix-only; Windows path returns a clear
  "not supported yet" error)
- Polkit / authorization-services prompt for the TUN-needs-root step (today the operator
  has to launch the GUI from a privileged context, e.g. `sudo open -a aura-gui` on macOS)

## Workspace hygiene

Cargo workspace at the repo root now has `exclude = ["aura-gui"]` so the protocol crates'
`cargo check --workspace` / `cargo test --workspace` don't pull in the tauri + wry + webview
dep graph. The GUI builds standalone from `aura-gui/` via `npm run tauri build`.

## Validation

- `cd aura-gui/src-tauri && cargo check` — green
- `cd aura-gui/src-tauri && cargo clippy -- -D warnings` — clean
- `cd aura-gui/src-tauri && cargo fmt --check` — clean
- `cd aura-gui && npm run build` — frontend tsc + vite build succeeds
- Full `npm run tauri dev` not exercised in this session (would open a real window) — should
  work; if it breaks the surface area is small enough that next session fixes it.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

aura-gui/src-tauri/src/cli_proc.rs

@@ -0,0 +1,161 @@
+//! Child-process management for `aura client`.
+//!
+//! We spawn the binary with the profile's `client.toml`, point it at a per-profile admin socket
+//! (so multiple GUIs / installations don't collide), and stream stderr into an in-memory ring
+//! buffer so the UI can show recent log lines.
+
+use std::path::Path;
+use std::process::{Child, Command, Stdio};
+use std::sync::Arc;
+use std::thread;
+
+use anyhow::{anyhow, Context, Result};
+use parking_lot::Mutex;
+
+/// Bounded ring buffer of recent log lines.
+const LOG_RING_CAP: usize = 200;
+
+/// Handle to a running `aura client` child.
+pub struct ClientHandle {
+    child: Mutex<Child>,
+    profile_id: String,
+    admin_socket: String,
+    logs: Arc<Mutex<Vec<String>>>,
+}
+
+impl ClientHandle {
+    pub fn profile_id(&self) -> &str {
+        &self.profile_id
+    }
+
+    pub fn admin_socket_path(&self) -> &str {
+        &self.admin_socket
+    }
+
+    pub fn is_alive(&self) -> bool {
+        // try_wait returns Ok(None) while running. We don't reap a finished child here — the kill
+        // path / Drop does that.
+        let mut guard = self.child.lock();
+        match guard.try_wait() {
+            Ok(None) => true,
+            Ok(Some(_status)) => false,
+            Err(_) => false,
+        }
+    }
+
+    pub fn recent_logs(&self) -> Vec<String> {
+        self.logs.lock().clone()
+    }
+
+    /// Kill the child and reap it. Idempotent.
+    pub fn kill(self) -> Result<()> {
+        let mut guard = self.child.lock();
+        // Best-effort send SIGTERM-equivalent first; std::process::Child::kill on Unix is SIGKILL,
+        // which is fine for our use (the client doesn't have any state we care about persisting
+        // beyond what its OsRouteGuard's Drop reverts — and Drop runs on graceful shutdown only).
+        let _ = guard.kill();
+        let _ = guard.wait();
+        Ok(())
+    }
+}
+
+/// Spawn `aura client --config <profile_dir>/client.toml --admin-socket <per-profile sock>`.
+///
+/// On Unix the admin socket path is derived from the profile id so two concurrent profiles don't
+/// collide. The process inherits the GUI's stdin (closed via Stdio::null), stdout is closed too,
+/// stderr is captured into the in-memory ring.
+pub fn spawn_client(aura_bin: &Path, profile_dir: &Path, profile_id: &str) -> Result<ClientHandle> {
+    let config = profile_dir.join("client.toml");
+    if !config.exists() {
+        return Err(anyhow!(
+            "profile is missing client.toml at {}",
+            config.display()
+        ));
+    }
+    let admin_socket = derive_admin_socket(profile_id);
+
+    let mut cmd = Command::new(aura_bin);
+    cmd.arg("client")
+        .arg("--config")
+        .arg(&config)
+        .arg("--admin-socket")
+        .arg(&admin_socket)
+        .current_dir(profile_dir) // so relative paths in client.toml (ca.crt, ...) resolve
+        .stdin(Stdio::null())
+        .stdout(Stdio::null())
+        .stderr(Stdio::piped());
+
+    // Provide a verbose default if the operator didn't override RUST_LOG.
+    if std::env::var_os("RUST_LOG").is_none() {
+        cmd.env(
+            "RUST_LOG",
+            "info,aura_cli=info,aura_transport=info,aura_proto=info,aura_tunnel=info",
+        );
+    }
+
+    let mut child = cmd
+        .spawn()
+        .with_context(|| format!("spawning {}", aura_bin.display()))?;
+
+    let logs: Arc<Mutex<Vec<String>>> = Arc::new(Mutex::new(Vec::with_capacity(LOG_RING_CAP)));
+    if let Some(stderr) = child.stderr.take() {
+        let logs_clone = Arc::clone(&logs);
+        thread::spawn(move || {
+            use std::io::{BufRead, BufReader};
+            let reader = BufReader::new(stderr);
+            for line in reader.lines().map_while(|l| l.ok()) {
+                let mut buf = logs_clone.lock();
+                if buf.len() == LOG_RING_CAP {
+                    buf.remove(0);
+                }
+                buf.push(line);
+            }
+        });
+    }
+
+    Ok(ClientHandle {
+        child: Mutex::new(child),
+        profile_id: profile_id.to_string(),
+        admin_socket,
+        logs,
+    })
+}
+
+#[cfg(unix)]
+fn derive_admin_socket(profile_id: &str) -> String {
+    // /tmp is world-writable and persists across the GUI's lifetime. We prefix with the user id
+    // so multiple desktop users on the same host don't collide.
+    let uid = unsafe { libc_uid() };
+    format!("/tmp/aura-admin-{}-{}.sock", uid, sanitize(profile_id))
+}
+
+#[cfg(windows)]
+fn derive_admin_socket(profile_id: &str) -> String {
+    format!(r"\\.\pipe\aura-admin-{}", sanitize(profile_id))
+}
+
+fn sanitize(s: &str) -> String {
+    s.chars()
+        .map(|c| {
+            if c.is_ascii_alphanumeric() || c == '-' || c == '_' {
+                c
+            } else {
+                '_'
+            }
+        })
+        .collect()
+}
+
+#[cfg(unix)]
+unsafe fn libc_uid() -> u32 {
+    // libc isn't a dependency; use the geteuid syscall via std.
+    // Note: getuid is a tiny syscall and there's no safe stable wrapper in std, so we shell out.
+    // For a desktop GUI the cost is negligible.
+    match std::process::Command::new("id").arg("-u").output() {
+        Ok(o) => String::from_utf8_lossy(&o.stdout)
+            .trim()
+            .parse::<u32>()
+            .unwrap_or(0),
+        Err(_) => 0,
+    }
+}