feat(cli): implement Wave 4 — aura binary (PKI, server/client, admin, bench)

aura-cli: clap command tree (pki init/issue-server/issue-client/revoke/list,
server, client, route add/list/remove, status, bench-crypto); TOML config with
~ expansion and split-tunnel rules -> RouteTable; JSON-over-Unix-socket admin
IPC; server/client data paths wiring transport + tunnel (TUN run needs root).
config/{server,client}.toml.example. 15 tests (pki roundtrip, config parse,
admin-socket roundtrip, loopback connection). Verified the real binary: --help,
bench-crypto, and a full CA->server->client cert workflow.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

config/client.toml.example

@@ -0,0 +1,53 @@
+# Aura VPN client configuration (project §9).
+# Copy to client.toml and adjust. Paths may begin with `~` (expands to your home directory).
+
+[client]
+# Human-readable client name / id.
+name = "laptop"
+# Server UDP socket address.
+server_addr = "203.0.113.10:443"
+# Outer-TLS SNI (camouflage hostname) presented to the server. Also the name verified
+# inside the Aura handshake against the server certificate's SAN.
+sni = "cdn.example.com"
+
+[pki]
+# Trust anchor (the Aura CA) and this client's leaf cert/key, all PEM.
+# Issue with: aura pki issue-client --id laptop --out ~/.aura --ca ~/.aura
+ca_cert = "~/.aura/ca.crt"
+cert    = "~/.aura/client.crt"
+key     = "~/.aura/client.key"
+
+[tunnel]
+# Requested TUN interface name (advisory on macOS, where the kernel assigns utunN).
+tun_name = "aura0"
+# Local address assigned to the TUN device, and its prefix length.
+local_ip = "10.7.0.2"
+prefix   = 24
+# TUN MTU.
+mtu = 1420
+# Tunnel resolver DNS (informational; the system resolver is used in v1).
+dns = "10.7.0.1"
+
+# Split-tunnel routing: the default action plus per-destination overrides.
+[tunnel.split]
+# Default for destinations matching no rule below: "VPN" or "DIRECT".
+default = "VPN"
+
+# Send these directly (bypass the tunnel): RFC1918 ranges stay on the LAN...
+[[tunnel.split.direct]]
+cidr = "192.168.0.0/16"
+
+[[tunnel.split.direct]]
+cidr = "10.0.0.0/8"
+
+# ...and a corporate domain egresses directly (resolved to host routes at startup).
+[[tunnel.split.direct]]
+domain = "intranet.example.com"
+
+# Force a more-specific range back through the VPN (longest-prefix wins over 10.0.0.0/8).
+[[tunnel.split.vpn]]
+cidr = "10.7.0.0/24"
+
+[mimicry]
+# Enable traffic padding to blend packet sizes into HTTPS buckets.
+padding = false

config/server.toml.example

@@ -0,0 +1,32 @@
+# Aura VPN server configuration (project §9).
+# Copy to server.toml and adjust. Paths may begin with `~` (expands to your home directory).
+
+[server]
+# Human-readable name (also the server's inner-handshake identity).
+name = "aura-edge-1"
+# UDP socket to listen on. ":443" mimics HTTPS; binding it needs privileges.
+listen = "0.0.0.0:443"
+# Accept workers (advisory in v1).
+workers = 4
+
+[pki]
+# Trust anchor (the Aura CA) and this server's leaf cert/key, all PEM.
+# Generate with: aura pki init --ca-name "Aura CA" --out ~/.aura
+#               aura pki issue-server --domain vpn.example.com --out ~/.aura --ca ~/.aura
+ca_cert = "~/.aura/ca.crt"
+cert    = "~/.aura/server.crt"
+key     = "~/.aura/server.key"
+
+[tunnel]
+# Address pool for clients; v1 uses a single shared server-side TUN on this network.
+pool_cidr = "10.7.0.0/24"
+# TUN MTU (leave headroom under the path MTU for QUIC + Aura framing).
+mtu = 1420
+# DNS server advertised to clients (informational in v1).
+dns = "10.7.0.1"
+
+[mimicry]
+# Outer-TLS camouflage hostname the server presents/expects.
+sni = "cdn.example.com"
+# Enable traffic padding to blend packet sizes into HTTPS buckets.
+padding = true