feat: M1 — Noise transport, Cap'n Proto framing, Ping/Pong

Establishes the foundational transport layer for noiseml:

- Noise_XX_25519_ChaChaPoly_BLAKE2s handshake (initiator + responder)
  via `snow`; mutual authentication of static X25519 keys guaranteed
  before any application data flows.
- Length-prefixed frame codec (4-byte LE u32, max 65 535 B per Noise
  spec) implemented as a Tokio Encoder/Decoder pair.
- Cap'n Proto Envelope schema with MsgType enum (Ping, Pong, and
  future MLS message types defined but not yet dispatched).
- Server: TCP listener, one Tokio task per connection, Ping→Pong
  handler, fresh X25519 keypair logged at startup.
- Client: `ping` subcommand — handshake, send Ping, receive Pong,
  print RTT, exit 0.
- Integration tests: bidirectional Ping/Pong with mutual-auth
  verification; server keypair reuse across sequential connections.
- Docker multi-stage build (rust:bookworm → debian:bookworm-slim,
  non-root) and docker-compose with TCP healthcheck.

No MLS group state, no AS/DS, no persistence — out of scope for M1.

crates/noiseml-core/Cargo.toml

@@ -0,0 +1,32 @@
+[package]
+name        = "noiseml-core"
+version     = "0.1.0"
+edition     = "2021"
+description = "Crypto primitives, Noise_XX transport, MLS state machine, and Cap'n Proto frame codec for noiseml."
+license     = "MIT"
+
+[dependencies]
+# Crypto
+# openmls / openmls_rust_crypto / openmls_basic_credential — added in M2
+# ml-kem — added in M5 (hybrid PQ ciphersuite)
+x25519-dalek        = { workspace = true }
+ed25519-dalek       = { workspace = true }
+snow                = { workspace = true }
+sha2                = { workspace = true }
+hkdf                = { workspace = true }
+zeroize             = { workspace = true }
+rand                = { workspace = true }
+
+# Serialisation
+capnp               = { workspace = true }
+noiseml-proto       = { path = "../noiseml-proto" }
+
+# Async codec
+tokio-util          = { workspace = true }
+bytes               = { version = "1" }
+
+# Error handling
+thiserror           = { workspace = true }
+
+[dev-dependencies]
+tokio               = { workspace = true }