feat(cli): implement Wave 4 — aura binary (PKI, server/client, admin, bench)

aura-cli: clap command tree (pki init/issue-server/issue-client/revoke/list,
server, client, route add/list/remove, status, bench-crypto); TOML config with
~ expansion and split-tunnel rules -> RouteTable; JSON-over-Unix-socket admin
IPC; server/client data paths wiring transport + tunnel (TUN run needs root).
config/{server,client}.toml.example. 15 tests (pki roundtrip, config parse,
admin-socket roundtrip, loopback connection). Verified the real binary: --help,
bench-crypto, and a full CA->server->client cert workflow.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

crates/aura-cli/Cargo.toml

@@ -5,6 +5,10 @@ edition.workspace = true
 license.workspace = true
 description = "Aura CLI: client/server binary, PKI management, split-tunnel admin"
 
+[lib]
+name = "aura_cli"
+path = "src/lib.rs"
+
 [[bin]]
 name = "aura"
 path = "src/main.rs"
@@ -19,7 +23,17 @@ clap.workspace = true
 tokio.workspace = true
 toml.workspace = true
 serde.workspace = true
+# Admin IPC line protocol (JSON requests/responses over the Unix socket).
+serde_json = "1"
+# Parse CIDR rules from the split-tunnel config and the `route` admin commands.
+ipnetwork.workspace = true
 tracing.workspace = true
 tracing-subscriber.workspace = true
 anyhow.workspace = true
 uuid.workspace = true
+
+[dev-dependencies]
+tokio.workspace = true
+# Loopback + PKI-roundtrip tests build certificate chains for the verifier.
+rustls-pki-types.workspace = true
+x509-parser.workspace = true