feat: relay peer end-to-end encryption via Noise IK handshake (#1960)

Enable encryption for non-direct nodes requiring relay forwarding.
When secure_mode is enabled, peers perform Noise IK handshake to
establish an encrypted PeerSession. Relay packets are encrypted at
the sender and decrypted at the receiver. Intermediate forwarding
nodes cannot read plaintext data.

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: KKRainbow <5665404+KKRainbow@users.noreply.github.com>

easytier/src/proto/peer_rpc.proto

@@ -29,6 +29,7 @@ message RoutePeerInfo {
   repeated PeerGroupInfo groups = 16;
 
   common.NatType tcp_nat_type = 17;
+  bytes noise_static_pubkey = 18;
 }
 
 message PeerIdVersion {
@@ -293,6 +294,27 @@ message PeerConnNoiseMsg2Pb {
   string server_encryption_algorithm = 10;
 }
 
+message RelayNoiseMsg1Pb {
+  uint32 version = 1;
+  string a_network_name = 2;
+  optional uint32 a_session_generation = 3;
+  common.UUID a_conn_id = 4;
+  string client_encryption_algorithm = 5;
+}
+
+message RelayNoiseMsg2Pb {
+  string b_network_name = 1;
+  uint32 role_hint = 2;
+  PeerConnSessionActionPb action = 3;
+  uint32 b_session_generation = 4;
+  optional bytes root_key_32 = 5;
+  uint32 initial_epoch = 6;
+  common.UUID b_conn_id = 7;
+  common.UUID a_conn_id_echo = 8;
+  optional bytes secret_proof_32 = 9;
+  string server_encryption_algorithm = 10;
+}
+
 message PeerConnNoiseMsg3Pb {
   common.UUID a_conn_id_echo = 1;
   common.UUID b_conn_id_echo = 2;