feat(crypto,cli,docs): russian SNI palette + RF-billing deployment scenario

Adds a way to make the outer-TLS SNI rotate among popular Russian-language
domains so that Russian carriers — who may start metering "foreign traffic"
separately — see the user's first hop as a domestic CDN/site request, not
as an exotic foreign destination.

- aura-crypto::masks:
  - SNI_PALETTE_RUSSIAN (15 real domains: mail.yandex.ru, vk.com, www.ozon.ru,
    dzen.ru, ya.ru, www.gosuslugi.ru, www.wildberries.ru, rutube.ru,
    news.rambler.ru, hh.ru, www.tinkoff.ru, lenta.ru, www.kinopoisk.ru,
    afisha.yandex.ru, music.yandex.ru).
  - enum SniPalette { Default, Russian, Mixed } (Default = v2 behavior).
  - derive_mask_for_msk_date_with_palette(...): pick from chosen palette,
    Mixed flips ~50/50 by HKDF okm[8]&1. Old derive_mask_for_msk_date kept
    as a thin wrapper -> byte-for-byte unchanged Default.
- aura-cli::masks::MaskRotator gains new_with_palette(...); the spawn loop
  uses the stored palette. Old new() preserves Default.
- aura-cli config: [transport.masks] palette = "default"|"russian"|"mixed"
  (serde rename_all = "lowercase", default Default).
- server.rs/client.rs read cfg.transport.masks.palette and pass it to the
  rotator at startup; logged at INFO so the operator sees the choice.
- docs/deployment.md: new §7 "Server in the RF versus foreign-traffic
  billing" — context, ASCII topology, recommended RF providers, full
  server.toml + client.toml examples wiring [server.relay] + russian
  palette + LE outer cert + multi-hop, plus an honest list of what this
  does and does not give.
- config/{server,client}.toml.example updated with palette = "default".

Workspace: 284 tests passed (+8 new = 4 crypto + 2 cli masks + 2 config),
clippy -D warnings clean, fmt clean. 276 baseline tests untouched.

Backward-compatible: configs without palette default to Default, identical
to v2 wire behavior.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
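The daily palette derivation the commit message describes, as an added example that is not part of this commit or of the aura-crypto crate; it is written in Python rather than Rust so it runs with the standard library alone. Taken from the commit message: the names SniPalette, derive_mask_for_msk_date_with_palette, derive_mask_for_msk_date and SNI_PALETTE_RUSSIAN with its 15 domains, the MSK-date keying, the Mixed flip on HKDF okm[8]&1, and the old wrapper staying byte-for-byte Default. Assumed, because the page does not state them: the HKDF salt and info layout, taking the palette index from okm[0:4], the contents of the Default palette (constructed stand-ins, not the v2 list), and the helpers msk_date_iso and palette_history, which exist only for this illustration.

```python
"""Daily SNI-mask selection with a palette, modelled on the commit message.

Added illustration in Python; not the aura-crypto Rust code. Everything the
commit message does not state is an assumption and is marked as such below.
"""
import hashlib
import hmac
from datetime import date, datetime, timedelta, timezone
from enum import Enum

# The 15 names listed in the commit message.
SNI_PALETTE_RUSSIAN = [
    "mail.yandex.ru", "vk.com", "www.ozon.ru", "dzen.ru", "ya.ru",
    "www.gosuslugi.ru", "www.wildberries.ru", "rutube.ru", "news.rambler.ru",
    "hh.ru", "www.tinkoff.ru", "lenta.ru", "www.kinopoisk.ru",
    "afisha.yandex.ru", "music.yandex.ru",
]
# Constructed stand-ins for the v2 "global CDN-like" list, which the page does not reproduce.
SNI_PALETTE_DEFAULT = ["cdn-a.example", "cdn-b.example", "cdn-c.example", "cdn-d.example"]

MSK = timezone(timedelta(hours=3))  # Moscow is fixed UTC+3, no DST
SALT = b"aura-sni-mask-v2"          # assumption: the real salt/info layout is not on the page
OKM_LEN = 32                        # assumption; must be > 8 so okm[8] exists


class SniPalette(Enum):
    DEFAULT = "default"
    RUSSIAN = "russian"
    MIXED = "mixed"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 extract-then-expand with HMAC-SHA256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def msk_date_iso(utc_iso: str) -> str:
    """Rotation day is the Moscow calendar date of the given UTC moment (helper, assumed)."""
    moment = datetime.fromisoformat(utc_iso)
    return moment.astimezone(MSK).date().isoformat()


def derive_mask_for_msk_date_with_palette(secret: bytes, day_iso: str, palette: SniPalette):
    """Return (palette actually used, SNI name) for one MSK day."""
    okm = hkdf_sha256(secret, SALT, b"sni|" + day_iso.encode(), OKM_LEN)
    if palette is SniPalette.MIXED:
        # From the commit message: Mixed flips ~50/50 on the low bit of okm[8].
        palette = SniPalette.RUSSIAN if okm[8] & 1 else SniPalette.DEFAULT
    names = SNI_PALETTE_RUSSIAN if palette is SniPalette.RUSSIAN else SNI_PALETTE_DEFAULT
    index = int.from_bytes(okm[:4], "big") % len(names)  # assumption: index taken from okm[0:4]
    return palette, names[index]


def derive_mask_for_msk_date(secret: bytes, day_iso: str) -> str:
    """The old entry point: a thin wrapper, so Default output is unchanged."""
    return derive_mask_for_msk_date_with_palette(secret, day_iso, SniPalette.DEFAULT)[1]


def palette_history(secret: bytes, start_iso: str, days: int, palette: SniPalette):
    """What a per-day record (e.g. a carrier's SNI log) would show over `days` rotations (helper, assumed)."""
    start = date.fromisoformat(start_iso)
    return [
        derive_mask_for_msk_date_with_palette(secret, (start + timedelta(days=i)).isoformat(), palette)
        for i in range(days)
    ]


if __name__ == "__main__":
    key = b"constructed-demo-secret"  # constructed; a deployment derives this from its shared key
    print("rotation day for 2024-05-01T22:30Z is", msk_date_iso("2024-05-01T22:30:00+00:00"))
    for used, name in palette_history(key, "2024-05-01", 7, SniPalette.MIXED):
        print(used.value, name)
```

Two things the listing makes visible that the commit message only implies: the rotation boundary is Moscow midnight, so a client and server comparing logs must agree on the MSK date rather than their local one, and under `mixed` the sequence of days alternates between the two palettes, so a record keeper that groups by first-hop SNI sees both a foreign CDN name and a domestic name from the same client over a fortnight.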
@@ -115,6 +115,14 @@ masquerade = true
# Existing connections keep the mask they connected with. Default: true.
# When `false`, the static values above ([client] sni, [transport] obfuscate, ...) are used as-is.
enabled = true
# v3.2: which SNI palette the daily rotator picks from. Must generally match the server's
# [transport.masks] palette so the daily SNI looks consistent across both sides' logs.
# "default" (back-compat) — global CDN-like names. Use against any foreign-hosted server.
# "russian" — top Russian domains (vk.com / ozon.ru / mail.yandex.ru / ...).
# Use when the entry-relay is a Russian VPS so the outer SNI looks
# like ordinary HTTPS to a domestic site (see docs/deployment.md § 7).
# "mixed" — HKDF flips between Default and Russian per day for variety.
palette = "default"

[transport.knock]
# UDP port-knocking. Must match the server's setting. Default: false.

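Review bot: "Must generally match the server's [transport.masks] palette" in the client example reads as a compatibility requirement, while the server-side comment in this same commit says the wire does not require coordination and each side's SNI is chosen independently; suggest mirroring that here, e.g. "Should match the server's [transport.masks] palette so both sides' logs show the same daily name; the wire does not require it." Separately, the "mixed" line only says "for variety": on the days it selects a global CDN name, a client whose entry-relay is a Russian VPS sends exactly the foreign-looking SNI that "russian" was added to avoid, so the comment should state which deployment "mixed" is meant for (a foreign-hosted server) rather than leaving it as a free choice next to the § 7 scenario.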
@@ -118,6 +118,16 @@ masquerade = true
# needed. Existing connections keep the mask they accepted with. Default: true.
# When `false`, the static values above ([mimicry] sni, [transport] obfuscate, ...) are used as-is.
enabled = true
# v3.2: which SNI palette the daily rotator picks from.
# "default" (back-compat) — global CDN-like names (cloudflare/akamai/aws). Use on any
# foreign-hosted server. This is the pre-v3.2 default.
# "russian" — top Russian domains (vk.com / ozon.ru / mail.yandex.ru / ...).
# Use on an entry-relay hosted on a Russian VPS for the
# "domestic traffic" deployment (see docs/deployment.md § 7).
# "mixed" — HKDF flips between Default and Russian per day for variety.
# Server and client should generally agree on the palette (logs match; the wire itself does not
# require coordination — every connection's SNI is per-side).
palette = "default"

[transport.knock]
# UDP port-knocking. When `enabled = true`, the UDP transport demands a 16-byte HMAC prefix on

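Review bot: "the wire itself does not require coordination — every connection's SNI is per-side" leaves the operator to infer what the server does with a client SNI outside its own palette; if, as that sentence implies, the server does not validate the client's outer SNI against its configured palette, say so explicitly ("the server accepts any outer SNI; the palette only governs what this side sends and logs") so "should generally agree" is read as log hygiene rather than a constraint that a mismatch breaks. Minor: the example quotes ozon.ru, while the palette added in this commit ships www.ozon.ru; quote the names as they appear in SNI_PALETTE_RUSSIAN so grep against the crate matches.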