magic-wormhole / magic-wormhole.rs

Rust implementation of Magic Wormhole, with new features and enhancements
European Union Public License 1.2

cargo: Move lockfile to cli crate #223

Closed felinira closed 2 months ago

felinira commented 2 months ago

This removes the requirement for updating the magic-wormhole-rs crate on crates.io for library security issues in patch dependencies.

codecov[bot] commented 2 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 39.34%. Comparing base (c511b45) to head (4770d8c).

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##           master     #223      +/-   ##
==========================================
- Coverage   39.38%   39.34%   -0.05%
==========================================
  Files          18       18
  Lines        3095     3088       -7
==========================================
- Hits         1219     1215       -4
+ Misses       1876     1873       -3
```


felinira commented 2 months ago

I had to revert this because it doesn't actually make sense what I was saying:

I'll make a mental note that the lockfile in the workspace root does not actually mean anything.

https://doc.rust-lang.org/cargo/faq.html#why-have-cargolock-in-version-control

However, this determinism can give a false sense of security because Cargo.lock does not affect the consumers of your package, only Cargo.toml does that.
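
Added example (not part of the thread or of the magic-wormhole.rs code base): a std-only sketch of Cargo's default caret matching, showing that the set of dependency versions a consumer can resolve depends on the requirement in the library's Cargo.toml and not on the version its Cargo.lock pins. The version numbers and the function names are constructed for illustration.

```rust
// Added illustration, std only. Versions below are constructed sample data.
type Ver = (u64, u64, u64);

// Parse a plain "MAJOR.MINOR.PATCH" version; anything else yields None.
fn parse(v: &str) -> Option<Ver> {
    let mut it = v.trim().split('.').map(|p| p.parse::<u64>().ok());
    let ver = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() {
        return None;
    }
    Some(ver)
}

// Exclusive upper bound of Cargo's default (caret) requirement for `min`.
fn caret_upper(min: Ver) -> Ver {
    match min {
        (0, 0, p) => (0, 0, p + 1),
        (0, m, _) => (0, m + 1, 0),
        (maj, _, _) => (maj + 1, 0, 0),
    }
}

// Does a Cargo.toml requirement such as "1.4.0" admit `candidate`?
fn caret_allows(req: &str, candidate: &str) -> Option<bool> {
    let (min, c) = (parse(req)?, parse(candidate)?);
    Some(c >= min && c < caret_upper(min))
}

// Versions a consumer's resolver may select for `req`. The library's own
// Cargo.lock is not an input: Cargo ignores it when building a dependency.
fn consumer_candidates<'a>(req: &str, published: &[&'a str]) -> Vec<&'a str> {
    published.iter().copied()
        .filter(|v| caret_allows(req, v) == Some(true))
        .collect()
}

fn main() {
    let published = ["1.4.0", "1.4.2", "1.4.7", "1.5.0", "2.0.0"];
    let library_lock_pin = "1.4.7"; // pinned in the library's own Cargo.lock
    // Requirement "1.4.0" in Cargo.toml: older releases remain selectable.
    println!("lock pins {}, consumers may resolve {:?}", library_lock_pin,
        consumer_candidates("1.4.0", &published));
    // Raising the requirement in Cargo.toml is what narrows the set.
    println!("after bump: {:?}", consumer_candidates("1.4.7", &published));
}
```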