Commit b095dfc
fix(deps): replace unmaintained rust-crypto with bitcoin::hashes::sha256, bump vulnerable deps
rust-crypto 0.2 is unmaintained (last release 2016) and has a known AES
miscomputation advisory (RUSTSEC-2022-0011). Its transitive dependency
rustc-serialize has a stack overflow advisory (RUSTSEC-2022-0004) and is
also unmaintained.
Replace the three SHA-256 call sites (compute_script_hash in schema.rs
and precache.rs, get_status_hash and hash_ip_with_salt in server.rs)
with bitcoin::hashes::sha256, already re-exported from the bitcoin
crate — avoids adding a new top-level dependency and keeps hashing
consistent with the rest of the codebase.
Also bumps tokio (1.49->1.52, RUSTSEC-2025-0023) and tar (0.4.44->0.4.45,
RUSTSEC-2026-0068). Resolves 11 of 18 cargo-audit findings; the
remaining 7 are pinned by upstream deps (electrum-client, electrumd,
minreq) and require upstream releases.
Adds NIST SHA-256 test vectors (empty, 'abc') verifying the new
implementation against known-good values.
1 parent 17359a4 commit b095dfc
5 files changed
Lines changed: 59 additions & 223 deletions