feat(cli): auto-NAT + privilege drop + Windows named-pipe admin

Three v2-hardening features in aura-cli, one pass:

- nat::NatGuard: RAII auto-config of IP forwarding + MASQUERADE on server
  startup. Linux (sysctl ip_forward + iptables -t nat MASQUERADE) and
  macOS (sysctl ip.forwarding + pfctl with /tmp/aura-nat.conf). dry_run
  works on every platform (logs "would run: ..."). Reverts everything in
  Drop. New [server.nat] {auto, egress_iface, dry_run}; absent section =
  back-compat no-op. Removes v1's "manual NAT/forwarding" step.
- privdrop::drop_to_user: drop euid/gid after binding TUN + privileged
  ports. Linux setresuid/setresgid, macOS setgid+setuid (permanent drop),
  Windows no-op with warning. New [server] / [client] run_as = "..."
  (optional). Skipped with info-log if already non-root.
- admin: split transport into cfg(unix) Unix-socket and cfg(windows) Tokio
  named-pipe modules sharing one JSON-line serve/request flow over
  AsyncRead/AsyncWrite. DEFAULT_SOCKET = "/tmp/aura-admin.sock" on Unix,
  r"\\.\pipe\aura-admin" on Windows. Removes v1's "admin Unix-only".

Deps: nix 0.29 user feature under [target.'cfg(unix)'.dependencies] (cli-
local, not workspace). Workspace: 155 tests passed (+13), clippy -D warnings
clean, fmt clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

config/client.toml.example

@@ -9,6 +9,12 @@ server_addr = "203.0.113.10:443"
 # Outer-TLS SNI (camouflage hostname) presented to the server. Also the name verified
 # inside the Aura handshake against the server certificate's SAN.
 sni = "cdn.example.com"
+# Optional: drop privileges to this non-root user AFTER the TUN device has been brought up.
+# Recommended when `aura client` is launched via sudo so the long-running router loop runs
+# as an ordinary user. Linux uses setresuid/setresgid; macOS uses setgid/setuid; Windows is a
+# no-op (use a service account instead). When omitted (or already running as non-root) no
+# privilege change happens.
+# run_as = "nobody"
 
 [pki]
 # Trust anchor (the Aura CA) and this client's leaf cert/key, all PEM.

config/server.toml.example

@@ -8,6 +8,12 @@ name = "aura-edge-1"
 listen = "0.0.0.0:443"
 # Accept workers (advisory in v1).
 workers = 4
+# Optional: drop privileges to this non-root user AFTER the TUN, low-port sockets and any
+# [server.nat] commands have been applied. Recommended on production hosts so the long-running
+# accept loop does not stay as root. Linux uses setresuid/setresgid (full triple-drop); macOS
+# uses setgid/setuid; Windows is a no-op (use a service account instead). When omitted (or
+# already running as non-root) no privilege change happens.
+# run_as = "nobody"
 
 [pki]
 # Trust anchor (the Aura CA) and this server's leaf cert/key, all PEM.
@@ -49,6 +55,20 @@ strategy = "static_or_dynamic"
 # "phone-1"  = "10.7.0.20"
 # "laptop-1" = "10.7.0.21"
 
+# v2 auto-NAT: when `auto = true`, the server enables IPv4 forwarding at startup and adds a
+# MASQUERADE / pf-NAT rule for the address pool on the given egress interface, and rolls every
+# change back on shutdown (RAII guard inside `aura server`). Supported on Linux (sysctl +
+# iptables) and macOS (sysctl + pfctl). Omit the whole [server.nat] section to keep the v1
+# behaviour where the operator configures forwarding by hand. There is no egress-interface
+# auto-detection in v1 — `egress_iface` is required when `auto = true`.
+#
+# IPv6 forwarding / ip6tables / nftables are NOT configured in v1 (TODO for v3).
+#
+# [server.nat]
+# auto = true
+# egress_iface = "eth0"   # required when auto = true
+# dry_run = false         # set to true to only log the planned commands without executing them
+
 [mimicry]
 # Outer-TLS camouflage hostname the server presents/expects.
 sni = "cdn.example.com"