feat(singbox-aura,tools): Go port of Aura UDP client + KAT bridge to Rust

Lays the foundation for sing-box mobile clients (Option B from
docs/sing-box.md): an independent Go module that speaks the AuraVPN wire
protocol byte-for-byte. Proof of equivalence is in KAT tests cross-loaded
from a Rust-side deterministic vector exporter.

- tools/export-kat (new Rust bin in workspace): captures a handshake +
  derived keys + a sealed datagram record + a knock token using seeded
  RNGs (rand::rngs::StdRng + ml-kem's *_deterministic public API), emits
  JSON. Reproducible byte-for-byte.
- singbox-aura/ (new Go module, ~3000 LOC, 22 files):
  - aura/frame: 5-byte protocol header + Frame{Data,Ping,Pong,Close,
    Control} + magic envelope (0xAA,0xAA,0xC0,0x01) — encode/decode
    matching aura-proto::frame.
  - aura/crypto: hybrid X25519 + ML-KEM-768 (stdlib crypto/ecdh +
    crypto/mlkem on Go 1.24+; falls back to circl on older Go via a
    documented swap), HKDF-SHA256 derive_session_keys, ChaCha20-Poly1305
    with the **LE(u64 counter) || [0;4]** nonce scheme that matches
    aura-crypto::AeadKey/AeadSession.
  - aura/handshake: client_handshake state machine reproducing protocol.md
    §6.2 exactly (CH→SH→ServerAuth→ClientAuth→Finished×2; transcript hash;
    ECDSA-P256 transcript signature; HMAC-SHA256 Finished).
  - aura/session: DatagramSender/Receiver + 64-wide sliding replay window.
  - aura/transport: reliable HS-adapter (DTLS-flight retransmit) + UDP
    datagram data path + 16-byte HMAC port-knock with ±1-minute window.
  - aura/outbound: sing-box-shaped shim (interface signatures only — sing-
    box upstream registration is one more step, documented in README).
  - cmd/aura-client: standalone Go binary; reads client.toml via
    pelletier/go-toml/v2 and connects to a real aura server. Validates
    end-to-end interop with the Rust side.
- KAT: 6 comparisons against Rust vectors — session_keys (HKDF), hybrid
  KEM ek/encaps roundtrip, c2s + s2c Finished HMAC, sealed datagram
  record at seq=2 (incl. 16-byte Poly1305 tag), knock token. All byte-
  for-byte.

Go: 29 tests across 5 packages, all green. Only deps: golang.org/x/crypto
and pelletier/go-toml/v2. Rust: 293 tests still green; tools/export-kat
added to workspace members.

v1 limits documented in singbox-aura/README.md: UDP-only (no TCP/QUIC
fallback yet), no cell padding / cover traffic, no relay/exit role, no
multi-hop, sing-box upstream-registration sketch (vendor sagernet/sing-box +
init() RegisterOutbound) for follow-up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

singbox-aura/aura/session/session.go

@@ -0,0 +1,88 @@
+package session
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+
+	"github.com/aura/singbox-aura/aura/crypto"
+	"github.com/aura/singbox-aura/aura/frame"
+)
+
+// SeqLen is the size of the per-record sequence-number prefix.
+const SeqLen = 8
+
+// PostHandshakeCounter is the AEAD counter at which the first application Data record starts,
+// because each direction sealed exactly two encrypted handshake messages before it.
+const PostHandshakeCounter uint64 = 2
+
+// DatagramSender holds the outbound explicit-nonce AEAD plus the next sequence number to
+// stamp. Produced by Session.IntoDatagramParts() after the handshake completes.
+type DatagramSender struct {
+	key *crypto.AeadKey
+	seq uint64
+}
+
+// NewDatagramSender wraps a 32-byte key starting at the given counter.
+func NewDatagramSender(rawKey []byte, startCounter uint64) (*DatagramSender, error) {
+	k, err := crypto.NewAeadKey(rawKey)
+	if err != nil {
+		return nil, err
+	}
+	return &DatagramSender{key: k, seq: startCounter}, nil
+}
+
+// Seal encodes f, seals it under the next sequence number, and returns the on-wire datagram
+// payload: seq(8 BE) || ciphertext.
+func (s *DatagramSender) Seal(f *frame.Frame) []byte {
+	seq := s.seq
+	enc := frame.EncodeFrame(f)
+	var seqBE [SeqLen]byte
+	binary.BigEndian.PutUint64(seqBE[:], seq)
+	ct := s.key.Seal(seq, enc, seqBE[:])
+	out := make([]byte, 0, SeqLen+len(ct))
+	out = append(out, seqBE[:]...)
+	out = append(out, ct...)
+	s.seq++
+	return out
+}
+
+// NextSeq is the sequence number the next Seal will use (test/diagnostic helper).
+func (s *DatagramSender) NextSeq() uint64 { return s.seq }
+
+// DatagramReceiver authenticates, replay-checks, and decodes incoming datagram payloads.
+type DatagramReceiver struct {
+	key    *crypto.AeadKey
+	replay *Replay
+}
+
+// NewDatagramReceiver wraps a 32-byte key plus a replay window primed at startCounter.
+func NewDatagramReceiver(rawKey []byte, startCounter uint64) (*DatagramReceiver, error) {
+	k, err := crypto.NewAeadKey(rawKey)
+	if err != nil {
+		return nil, err
+	}
+	return &DatagramReceiver{key: k, replay: NewReplay(startCounter)}, nil
+}
+
+// Open parses one datagram payload, runs the replay check first (so a duplicate cannot advance
+// the AEAD state), then verifies and decodes the inner Frame.
+func (r *DatagramReceiver) Open(datagram []byte) (*frame.Frame, error) {
+	if len(datagram) < SeqLen {
+		return nil, fmt.Errorf("aura/session: datagram shorter than seq prefix")
+	}
+	seqBE := datagram[:SeqLen]
+	seq := binary.BigEndian.Uint64(seqBE)
+	ct := datagram[SeqLen:]
+	if err := r.replay.CheckAndSet(seq); err != nil {
+		return nil, err
+	}
+	pt, err := r.key.Open(seq, ct, seqBE)
+	if err != nil {
+		return nil, err
+	}
+	return frame.DecodeFrame(pt)
+}
+
+// ErrUnexpectedMsg is returned by the stream half when the wire carries a non-Data record.
+var ErrUnexpectedMsg = errors.New("aura/session: unexpected message type")