feat: M1 — Noise transport, Cap'n Proto framing, Ping/Pong

Establishes the foundational transport layer for noiseml:

- Noise_XX_25519_ChaChaPoly_BLAKE2s handshake (initiator + responder)
  via `snow`; mutual authentication of static X25519 keys guaranteed
  before any application data flows.
- Length-prefixed frame codec (4-byte LE u32, max 65 535 B per Noise
  spec) implemented as a Tokio Encoder/Decoder pair.
- Cap'n Proto Envelope schema with MsgType enum (Ping, Pong, and
  future MLS message types defined but not yet dispatched).
- Server: TCP listener, one Tokio task per connection, Ping→Pong
  handler, fresh X25519 keypair logged at startup.
- Client: `ping` subcommand — handshake, send Ping, receive Pong,
  print RTT, exit 0.
- Integration tests: bidirectional Ping/Pong with mutual-auth
  verification; server keypair reuse across sequential connections.
- Docker multi-stage build (rust:bookworm → debian:bookworm-slim,
  non-root) and docker-compose with TCP healthcheck.

No MLS group state, no AS/DS, no persistence — out of scope for M1.

crates/noiseml-proto/build.rs

@@ -0,0 +1,45 @@
+//! Build script for noiseml-proto.
+//!
+//! Invokes the `capnp` compiler to generate Rust types from `.capnp` schemas
+//! located in the workspace-root `schemas/` directory.
+//!
+//! # Prerequisites
+//!
+//! The `capnp` CLI must be installed and on `PATH`.
+//!
+//! Debian/Ubuntu:  apt-get install capnproto
+//! macOS:          brew install capnp
+//! Docker:         see docker/Dockerfile
+
+use std::{env, path::PathBuf};
+
+fn main() {
+    let manifest_dir = PathBuf::from(
+        env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set by Cargo"),
+    );
+
+    // Workspace root is two levels above this crate (noiseml/crates/noiseml-proto).
+    let workspace_root = manifest_dir
+        .join("../..")
+        .canonicalize()
+        .expect("could not canonicalize workspace root path");
+
+    let schemas_dir = workspace_root.join("schemas");
+
+    // Re-run this build script whenever any schema file changes.
+    println!(
+        "cargo:rerun-if-changed={}",
+        schemas_dir.join("envelope.capnp").display()
+    );
+
+    capnpc::CompilerCommand::new()
+        // Treat `schemas/` as the include root so that inter-schema imports
+        // (e.g. `using import "/auth.capnp"`) resolve correctly in later milestones.
+        .src_prefix(&schemas_dir)
+        .file(schemas_dir.join("envelope.capnp"))
+        .run()
+        .expect(
+            "Cap'n Proto schema compilation failed. \
+             Is `capnp` installed? (apt-get install capnproto / brew install capnp)",
+        );
+}