feat(cli): implement Wave 4 — aura binary (PKI, server/client, admin, bench)

aura-cli: clap command tree (pki init/issue-server/issue-client/revoke/list,
server, client, route add/list/remove, status, bench-crypto); TOML config with
~ expansion and split-tunnel rules -> RouteTable; JSON-over-Unix-socket admin
IPC; server/client data paths wiring transport + tunnel (TUN run needs root).
config/{server,client}.toml.example. 15 tests (pki roundtrip, config parse,
admin-socket roundtrip, loopback connection). Verified the real binary: --help,
bench-crypto, and a full CA->server->client cert workflow.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

crates/aura-cli/src/lib.rs

@@ -0,0 +1,20 @@
+//! `aura-cli` library surface.
+//!
+//! The `aura` binary ([`main`](../main/index.html)) is a thin clap parser + dispatcher over the
+//! modules exposed here. They are public so the crate's integration tests (in `tests/`, which
+//! compile as separate crates) can drive the PKI handlers, the config parser, and the admin IPC
+//! protocol directly — without spawning the binary or needing root.
+//!
+//! Module map (project §10):
+//! * [`config`] — serde TOML structs, `~` expansion, PEM loading, `[tunnel.split]` -> `RouteTable`.
+//! * [`pki`]    — `aura pki` handlers (init / issue-server / issue-client / revoke / list).
+//! * [`admin`]  — the JSON-over-Unix-socket admin protocol (route management + status).
+//! * [`server`] / [`client`] — the `aura server` / `aura client` data paths.
+//! * [`bench`]  — the `aura bench-crypto` micro-benchmarks.
+
+pub mod admin;
+pub mod bench;
+pub mod client;
+pub mod config;
+pub mod pki;
+pub mod server;