feat(cli): select transport in config; server MultiServer + client dial handover

- aura-cli config gains [transport] (order + per-transport ports + obfuscate/
  masquerade); server binds all enabled transports via MultiServer, client uses
  dial() with UDP->TCP->QUIC handover. Config examples updated; backward-compatible
  (defaults to udp,tcp,quic). 21 cli tests incl. a real-UDP-transport loopback.
- docs/sing-box.md: integration approach note (process-bridge now; native Go
  outbound for phones, with crypto-library mapping + KAT requirement).
- Normalize rustfmt across the v2 transport files (tcp/dial/udp contract).

Whole workspace: 97 tests pass, clippy -D warnings clean, fmt clean. Deploy flow
(pki init/issue-server/issue-client) validated with the release binary.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

crates/aura-crypto/src/aead.rs

@@ -173,7 +173,12 @@ impl AeadKey {
     /// # Errors
     /// Returns [`CryptoError::AeadDecrypt`] if authentication fails (tampered ciphertext, wrong
     /// AAD, wrong key, or wrong counter).
-    pub fn open(&self, counter: u64, ciphertext: &[u8], aad: &[u8]) -> Result<Vec<u8>, CryptoError> {
+    pub fn open(
+        &self,
+        counter: u64,
+        ciphertext: &[u8],
+        aad: &[u8],
+    ) -> Result<Vec<u8>, CryptoError> {
         let nonce = AeadSession::nonce_for(counter);
         self.cipher()
             .decrypt(