Rust client SDK: trait-based vector-core + vector-client + vector-cli

[L0STE]

Summary

A Rust client SDK for Vector, in three workspace crates, restructured from the existing crates/core into a trait-based, feature-gated design at parity with the TypeScript SDK — plus an async RPC client and a CLI.

Crate	Role
vector-core (crates/core, restructured)	Offline SDK: SchemeMeta/Signer/Verifier/Derivable/Registration traits, a Vector<S> facade, Op/Artifact + deterministic JSON wire, offline verify_artifact, chain/branch, HKDF sub-account lanes. All five schemes sign and verify. No I/O.
vector-client (crates/client, new)	Async (tokio + solana-rpc-client): nonce/status, artifact broadcast, fund-in-PDA migration builders, and scan_migration (authority-migration audit).
vector-cli (crates/cli, new, bin vector)	inspect/review/verify (offline) + nonce/advance/scan (RPC).

Modular by scheme

Per-scheme cargo features (ed25519/secp256k1/eip191 default; falcon512/hawk512 opt-in) gate each scheme's crypto, so --no-default-features genuinely excludes the post-quantum dependencies. The facade is generic over the scheme's Signer; construction is sync and offline (air-gap friendly), and only the client crate touches the network.

Cross-implementation parity (proven, not asserted)

Because Ed25519 / secp256k1 / EIP-191 sign deterministically, the test suite includes byte-for-byte fixtures generated by the TypeScript SDK: Rust deserializes a genuine TS artifact, verifies its signature offline, re-serializes it identically, and reproduces it bit-for-bit from the same seed — proving the advance digest, the signature, and the JSON wire all match across SDKs (the EIP-191 envelope is covered explicitly). Hawk-512 keygen-from-seed determinism is also pinned.

Trust hardening

• Faithful verification: verify_artifact checks the artifact's actual advance instruction (canonical shape + PDA binding) and recomputes the digest over the real layout, so "offline verify == will run on-chain" holds. It is panic-free on hostile input (bounds-checked digest/PDA, no debug-only asserts).
• Typed errors (thiserror): VerifyError, DeserializeError, ClientError — no stringly-typed errors in the library surface.
• Hygiene: #![forbid(unsafe_code)] on all three crates; #![deny(missing_docs)] on both libraries.
• Adversarial tests: forged artifacts (wrong identity, mispointed advance_index, mutated advance accounts, trailing bytes, zeroed sig, missing PQ pubkey) and malformed deserialize_artifact inputs are covered.

Testing

• vector-core: 35 unit + 7 cross-impl parity tests (all features).
• vector-client: 8 unit (+2 #[ignore] on-chain).
• vector-cli: 5 unit.
• The existing mollusk on-chain suite still passes 27/27 — the restructure is additive and doesn't change consensus.
• cargo fmt + cargo clippy --all-features --all-targets -D warnings clean across all three crates.

Notes

• The on-chain programs continue to share vector-common; the client digest/encoding is necessarily a separate implementation (zero-copy SBF vs host buffer-build), and the two are kept in agreement by the byte-for-byte parity fixtures above — not by a shared crate.
• cargo build-sbf is required to produce target/deploy/vector_falcon512.so before the Falcon mollusk tests run (CI/env concern, pre-existing).
• vector advance --scheme falcon512 returns a clear error: Falcon-512 has no seed-based keygen, so CLI advance is unsupported for it (use the SDK). All other schemes are supported.

Usage: per-crate README.md under crates/{core,client,cli}.