feat: M1 — Noise transport, Cap'n Proto framing, Ping/Pong

Establishes the foundational transport layer for noiseml:

- Noise_XX_25519_ChaChaPoly_BLAKE2s handshake (initiator + responder)
  via `snow`; mutual authentication of static X25519 keys guaranteed
  before any application data flows.
- Length-prefixed frame codec (4-byte LE u32, max 65 535 B per Noise
  spec) implemented as a Tokio Encoder/Decoder pair.
- Cap'n Proto Envelope schema with MsgType enum (Ping, Pong, and
  future MLS message types defined but not yet dispatched).
- Server: TCP listener, one Tokio task per connection, Ping→Pong
  handler, fresh X25519 keypair logged at startup.
- Client: `ping` subcommand — handshake, send Ping, receive Pong,
  print RTT, exit 0.
- Integration tests: bidirectional Ping/Pong with mutual-auth
  verification; server keypair reuse across sequential connections.
- Docker multi-stage build (rust:bookworm → debian:bookworm-slim,
  non-root) and docker-compose with TCP healthcheck.

No MLS group state, no AS/DS, no persistence — out of scope for M1.

Cargo.toml

@@ -0,0 +1,60 @@
+[workspace]
+resolver = "2"
+members = [
+    "crates/noiseml-core",
+    "crates/noiseml-proto",
+    "crates/noiseml-server",
+    "crates/noiseml-client",
+]
+
+# Shared dependency versions — bump here to affect the whole workspace.
+[workspace.dependencies]
+
+# ── Crypto ────────────────────────────────────────────────────────────────────
+openmls            = { version = "0.5", default-features = false, features = ["crypto-subtle"] }
+openmls_rust_crypto = { version = "0.2" }
+openmls_basic_credential = { version = "0.2" }
+# ml-kem 0.2 is the current stable release (FIPS 203, ML-KEM-768).
+# All three parameter sets (512/768/1024) are compiled in by default — no feature flag needed.
+ml-kem             = { version = "0.2" }
+x25519-dalek       = { version = "2", features = ["static_secrets"] }
+ed25519-dalek      = { version = "2", features = ["rand_core"] }
+snow               = { version = "0.9", features = ["default-resolver"] }
+sha2               = { version = "0.10" }
+hkdf               = { version = "0.12" }
+zeroize            = { version = "1", features = ["derive"] }
+rand               = { version = "0.8" }
+
+# ── Serialisation + RPC ───────────────────────────────────────────────────────
+capnp              = { version = "0.19" }
+capnp-rpc          = { version = "0.19" }
+
+# ── Async / networking ────────────────────────────────────────────────────────
+tokio              = { version = "1", features = ["full"] }
+tokio-util         = { version = "0.7", features = ["codec"] }
+futures            = { version = "0.3" }
+
+# ── Server utilities ──────────────────────────────────────────────────────────
+dashmap            = { version = "5" }
+tracing            = { version = "0.1" }
+tracing-subscriber = { version = "0.3", features = ["env-filter"] }
+
+# ── Error handling ────────────────────────────────────────────────────────────
+anyhow             = { version = "1" }
+thiserror          = { version = "1" }
+
+# ── CLI ───────────────────────────────────────────────────────────────────────
+clap               = { version = "4", features = ["derive"] }
+
+# ── Build-time ────────────────────────────────────────────────────────────────
+capnpc             = { version = "0.19" }
+
+[profile.release]
+opt-level         = 3
+lto               = "thin"
+codegen-units     = 1
+strip             = "symbols"
+
+[profile.dev]
+opt-level         = 0
+debug             = true