chore: scaffold Aura workspace skeleton (Stage 0)

- 6-crate Cargo workspace, dependency tree frozen (cargo check green in ~1m)
- ml-kem 0.3 (FIPS 203) replaces spec's pqcrypto-kyber for ML-KEM-768
- fix invalid target-gated workspace.dependencies: Windows deps (wintun/windows)
  declared untargeted, cfg-gated per-crate in aura-tunnel
- version bumps vs spec: tun 0.8, rcgen 0.14, wintun 0.5
- stub lib/main per crate; real implementations land wave by wave

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

crates/aura-cli/Cargo.toml

@@ -0,0 +1,25 @@
+[package]
+name = "aura-cli"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+description = "Aura CLI: client/server binary, PKI management, split-tunnel admin"
+
+[[bin]]
+name = "aura"
+path = "src/main.rs"
+
+[dependencies]
+aura-crypto.workspace = true
+aura-pki.workspace = true
+aura-proto.workspace = true
+aura-transport.workspace = true
+aura-tunnel.workspace = true
+clap.workspace = true
+tokio.workspace = true
+toml.workspace = true
+serde.workspace = true
+tracing.workspace = true
+tracing-subscriber.workspace = true
+anyhow.workspace = true
+uuid.workspace = true

crates/aura-cli/src/main.rs

@@ -0,0 +1,5 @@
+//! aura — client/server binary and PKI/admin CLI (skeleton; implemented in Wave 4).
+
+fn main() {
+    println!("aura: skeleton binary (implemented in Wave 4)");
+}

crates/aura-crypto/Cargo.toml

@@ -0,0 +1,23 @@
+[package]
+name = "aura-crypto"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+description = "Aura cryptographic core: hybrid X25519 + ML-KEM-768 KEM, HKDF, ChaCha20-Poly1305"
+
+[dependencies]
+ml-kem.workspace = true
+x25519-dalek.workspace = true
+hkdf.workspace = true
+hmac.workspace = true
+sha2.workspace = true
+chacha20poly1305.workspace = true
+rand.workspace = true
+rand_core.workspace = true
+zeroize.workspace = true
+subtle.workspace = true
+thiserror.workspace = true
+
+[dev-dependencies]
+hex.workspace = true
+criterion.workspace = true

crates/aura-crypto/src/lib.rs

@@ -0,0 +1 @@
+//! aura-crypto — cryptographic core (skeleton; implemented in Wave 1).

crates/aura-pki/Cargo.toml

@@ -0,0 +1,15 @@
+[package]
+name = "aura-pki"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+description = "Aura PKI: CA, X.509 issuance and mutual-auth verification"
+
+[dependencies]
+rcgen.workspace = true
+rustls.workspace = true
+rustls-pki-types.workspace = true
+x509-parser.workspace = true
+uuid.workspace = true
+thiserror.workspace = true
+anyhow.workspace = true

crates/aura-pki/src/lib.rs

@@ -0,0 +1 @@
+//! aura-pki — PKI: CA, certificate issuance and verification (skeleton; implemented in Wave 1).

crates/aura-proto/Cargo.toml

@@ -0,0 +1,22 @@
+[package]
+name = "aura-proto"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+description = "Aura protocol: wire format, hybrid PKI handshake state machine, session"
+
+[dependencies]
+aura-crypto.workspace = true
+aura-pki.workspace = true
+bytes.workspace = true
+serde.workspace = true
+bincode.workspace = true
+zeroize.workspace = true
+hmac.workspace = true
+sha2.workspace = true
+rand.workspace = true
+rustls-pki-types.workspace = true
+thiserror.workspace = true
+
+[dev-dependencies]
+tokio.workspace = true

crates/aura-proto/src/lib.rs

@@ -0,0 +1 @@
+//! aura-proto — protocol wire format and handshake (skeleton; implemented in Wave 2).

crates/aura-transport/Cargo.toml

@@ -0,0 +1,19 @@
+[package]
+name = "aura-transport"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+description = "Aura transport: QUIC (quinn) endpoint, HTTPS/H3 mimicry, padding"
+
+[dependencies]
+aura-proto.workspace = true
+aura-crypto.workspace = true
+quinn.workspace = true
+tokio.workspace = true
+bytes.workspace = true
+rustls.workspace = true
+rustls-pki-types.workspace = true
+rand.workspace = true
+tracing.workspace = true
+thiserror.workspace = true
+anyhow.workspace = true

crates/aura-transport/src/lib.rs

@@ -0,0 +1 @@
+//! aura-transport — QUIC transport and traffic mimicry (skeleton; implemented in Wave 3).

crates/aura-tunnel/Cargo.toml

@@ -0,0 +1,25 @@
+[package]
+name = "aura-tunnel"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+description = "Aura tunnel: cross-platform TUN, split-tunnel routing, DNS"
+
+[dependencies]
+aura-transport.workspace = true
+aura-proto.workspace = true
+aura-crypto.workspace = true
+tokio.workspace = true
+bytes.workspace = true
+ipnetwork.workspace = true
+hickory-resolver.workspace = true
+tracing.workspace = true
+thiserror.workspace = true
+anyhow.workspace = true
+
+[target.'cfg(not(windows))'.dependencies]
+tun.workspace = true
+
+[target.'cfg(windows)'.dependencies]
+wintun.workspace = true
+windows.workspace = true

crates/aura-tunnel/src/lib.rs

@@ -0,0 +1 @@
+//! aura-tunnel — TUN interface and split tunneling (skeleton; implemented in Wave 3).