feat: M1 — Noise transport, Cap'n Proto framing, Ping/Pong

Establishes the foundational transport layer for noiseml:

- Noise_XX_25519_ChaChaPoly_BLAKE2s handshake (initiator + responder)
  via `snow`; mutual authentication of static X25519 keys guaranteed
  before any application data flows.
- Length-prefixed frame codec (4-byte LE u32, max 65 535 B per Noise
  spec) implemented as a Tokio Encoder/Decoder pair.
- Cap'n Proto Envelope schema with MsgType enum (Ping, Pong, and
  future MLS message types defined but not yet dispatched).
- Server: TCP listener, one Tokio task per connection, Ping→Pong
  handler, fresh X25519 keypair logged at startup.
- Client: `ping` subcommand — handshake, send Ping, receive Pong,
  print RTT, exit 0.
- Integration tests: bidirectional Ping/Pong with mutual-auth
  verification; server keypair reuse across sequential connections.
- Docker multi-stage build (rust:bookworm → debian:bookworm-slim,
  non-root) and docker-compose with TCP healthcheck.

No MLS group state, no AS/DS, no persistence — out of scope for M1.

docker/Dockerfile

@@ -0,0 +1,71 @@
+# ── Stage 1: Builder ──────────────────────────────────────────────────────────
+#
+# Uses the official Rust image on Debian Bookworm.
+# capnproto is installed here because build.rs invokes `capnp` at compile time.
+FROM rust:bookworm AS builder
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends capnproto \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /build
+
+# Copy manifests first so dependency layers are cached independently of source.
+COPY Cargo.toml Cargo.lock ./
+COPY crates/noiseml-core/Cargo.toml   crates/noiseml-core/Cargo.toml
+COPY crates/noiseml-proto/Cargo.toml  crates/noiseml-proto/Cargo.toml
+COPY crates/noiseml-server/Cargo.toml crates/noiseml-server/Cargo.toml
+COPY crates/noiseml-client/Cargo.toml crates/noiseml-client/Cargo.toml
+
+# Create dummy source files so `cargo build` can resolve the dependency graph
+# and cache the compiled dependencies before copying real source.
+RUN mkdir -p \
+        crates/noiseml-core/src \
+        crates/noiseml-proto/src \
+        crates/noiseml-server/src \
+        crates/noiseml-client/src \
+    && echo 'fn main() {}' > crates/noiseml-server/src/main.rs \
+    && echo 'fn main() {}' > crates/noiseml-client/src/main.rs \
+    && touch crates/noiseml-core/src/lib.rs \
+    && touch crates/noiseml-proto/src/lib.rs
+
+# Schemas must exist before the proto crate's build.rs runs.
+COPY schemas/ schemas/
+
+# Build dependencies only (source stubs mean this layer is cache-friendly).
+RUN cargo build --release --bin noiseml-server 2>/dev/null || true
+
+# Copy real source and build for real.
+COPY crates/ crates/
+
+# Touch main.rs files to force re-compilation of the binary crates.
+RUN touch \
+        crates/noiseml-core/src/lib.rs \
+        crates/noiseml-proto/src/lib.rs \
+        crates/noiseml-server/src/main.rs \
+        crates/noiseml-client/src/main.rs
+
+RUN cargo build --release --bin noiseml-server
+
+# ── Stage 2: Runtime ──────────────────────────────────────────────────────────
+#
+# Minimal Debian Bookworm image — no Rust toolchain, no capnp compiler.
+FROM debian:bookworm-slim AS runtime
+
+# ca-certificates is included so future HTTPS calls (e.g. from M6 key sync)
+# work without further changes to this stage.
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /build/target/release/noiseml-server /usr/local/bin/noiseml-server
+
+EXPOSE 7000
+
+ENV RUST_LOG=info \
+    NOISEML_LISTEN=0.0.0.0:7000
+
+# Run as a non-root user.
+USER nobody
+
+CMD ["noiseml-server"]