cargo: Move lockfile to cli crate

[felinira]

This removes the requirement for updating the magic-wormhole-rs crate on crates.io for library security issues in patch dependencies.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 39.34%. Comparing base (c511b45) to head (4770d8c).

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #223      +/-   ##
==========================================
- Coverage   39.38%   39.34%   -0.05%     
==========================================
  Files          18       18              
  Lines        3095     3088       -7     
==========================================
- Hits         1219     1215       -4     
+ Misses       1876     1873       -3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[felinira]

I had to revert this because it doesn't actually make sense what I was saying:

• Cargo ignores lockfiles of dependencies
• Cargo workspaces can only have a lockfile in the root directory, other lockfiles mostly get ignored for dependency resolution

I'll make a mental note that the lockfile in the workspace root does not actually mean anything.

https://doc.rust-lang.org/cargo/faq.html#why-have-cargolock-in-version-control

However, this determinism can give a false sense of security because Cargo.lock does not affect the consumers of your package, only Cargo.toml does that.