Commit 3d4c862

chore(deps): bump libdatadog to db05e1f and adapt to HttpClientTrait API (#1218)
## Summary

Bumps the `libdd-*` git revs in bottlecap from `c8121f42` (~v31.x) to `db05e1f8408a76075efb37ecec544d2e74217e57` (current libdatadog `main`), bumps the `dogstatsd` / `datadog-fips` revs to `5b68f50f49c9defbfed4d25bd621e2a86405a972` (current serverless-components `main`, which already sits on the same libdatadog `db05e1f`), and adapts bottlecap to the breaking changes that ship between those revs.

## What changed and why

### Upstream libdatadog changes that motivated this PR

- **DataDog/libdatadog#1555** *(feat: capability traits architecture for HTTP)* — replaced the raw `hyper` client API with an `HttpClientTrait` abstraction. `SendData::send` and `send_with_retry` now require `H: HttpClientTrait`, and `stats_utils::send_stats_payload_with_client` was removed in favor of a generic `send_stats_payload<H: HttpClientTrait>(…)` that constructs its own client.
- **`ObfuscationConfig` restructured** — flat fields (`http_remove_path_digits`, `obfuscate_memcached`, …) replaced with nested per-engine structs (`http: HttpConfig`, `memcached: MemcachedConfig`, `redis: RedisConfig`, plus `valkey`, `credit_cards`, `sql`, `elasticsearch`, `opensearch`, `mongodb`).
- **DataDog/libdatadog#1816 + #1872 + #1943** *(crypto provider gating)* — moved `ring` behind `libdd-common/https` and `aws-lc-rs` behind `libdd-common/fips`, then progressively gated the internal crates (`libdd-trace-utils`, `libdd-trace-obfuscation`, `libdd-capabilities-impl`, `libdd-trace-stats`, `libdd-data-pipeline`, `libdd-dogstatsd-client`, `libdd-telemetry`) so downstream consumers can pick exactly one provider. **#1943 also added a workspace-wide CI guard** in libdatadog that rejects any PR which puts both `ring` and `aws-lc-rs` in the dep graph at the same time.

Other commits in the range (`c8121f42..db05e1f`) are sidecar / FFE / tracer-flare / telemetry changes that don't touch surfaces bottlecap consumes.

### Code changes in this PR

#### `bottlecap/src/traces/http_client.rs` — wrap the client to implement `HttpClientTrait`

The bottlecap HTTP client must keep proxy + custom CA + skip-SSL support (FIPS, `DD_PROXY_HTTPS`, `DD_TLS_CERT_FILE`, `DD_SKIP_SSL_VALIDATION`). The upstream `DefaultHttpClient` from `libdd-capabilities-impl` hardcodes `Connector::default()` and supports none of those — using it would be a regression.

So `HttpClient` is now a newtype around `GenericHttpClient<ProxyConnector<Connector>>` that implements `libdd_capabilities::HttpClientTrait`. The trait's `request()` maps `http::Request<Bytes>` → `Body::from_bytes(…)` → hyper request, then collects the response body back to `Bytes`. ~30 lines, reuses libdatadog's encoding/retry/header logic.

`HttpClientTrait::new_client()` is required by the trait but doesn't fit our model (we need a configured client, not a default). It now routes through `create_client(None, None, false)` so the failure surface is consistent with the rest of the module — and it's never invoked on production paths (we always go through `create_client(proxy, tls_cert, skip_ssl)`).

#### `bottlecap/src/traces/stats_flusher.rs` — inline the stats POST

The new `send_stats_payload<H: HttpClientTrait>(data, target, api_key)` calls `H::new_client()` internally — meaning callers can't supply a pre-configured client anymore. That would lose Lambda's `pool_max_idle_per_host(0)` tuning, which exists specifically to avoid stale connections after Lambda freeze/resume cycles.

Replaced the removed call with a tiny in-module `send_stats_payload` helper that builds the same POST request (msgpack + gzip + `DD-API-KEY`) and invokes our `HttpClient`'s `request()` method directly.

Per Copilot review: each attempt is wrapped in `tokio::time::timeout(target.timeout_ms, …)` so the retry loop stays bounded by config, and the error-body capture is bounded to 512 bytes (lossy UTF-8) with the HTTP status surfaced in the message instead of silently emptying on non-UTF8 responses.

#### `bottlecap/src/bin/bottlecap/main.rs` — flatten → nested `ObfuscationConfig`

Maps the two HTTP fields we configure (`apm_config_obfuscation_http_remove_paths_with_digits`, `apm_config_obfuscation_http_remove_query_string`) into the new `HttpConfig`. Everything else flows through `..Default::default()`, which preserves the previous behavior (memcached/redis disabled).

#### `bottlecap/Cargo.toml` + `bottlecap/Cargo.lock`

- Bumps all `libdd-*` revs to `db05e1f` and `dogstatsd` / `datadog-fips` revs to `5b68f50` (serverless-components `main`).
- Adds `libdd-capabilities` (source of `HttpClientTrait`) and `http` (now used directly in `stats_flusher`) as direct dependencies.
- Sets `default-features = false` on all `libdd-*` deps and forwards `libdd-*/https` from bottlecap's `default` feature and `libdd-*/fips` from bottlecap's `fips` feature — the consumer-side pattern that #1872's description prescribed.

#### `bottlecap/LICENSE-3rdparty.csv`

Regenerated via `dd-rust-license-tool write` to include the new `libdd-capabilities` / `libdd-capabilities-impl` / `libdd-shared-runtime` / `http` entries.

## FIPS

Previously a known issue — the FIPS clippy job failed because `libdd-trace-stats` (and `libdd-data-pipeline`) pulled `libdd-capabilities-impl` with default features = `https = ring`, with no downstream-side workaround possible. **DataDog/libdatadog#1943 fixed this upstream**, and this PR now forwards `libdd-trace-stats/fips` from the `fips` feature. Verified locally:

```
$ cargo clippy --workspace --all-targets --no-default-features --features fips
warning: bottlecap@0.1.0: FIPS feature is enabled, checking for forbidden dependencies...
warning: bottlecap@0.1.0: No ring dependency found. FIPS compliance check passed
warning: bottlecap@0.1.0: No openssl dependency found. FIPS compliance check passed
warning: bottlecap@0.1.0: No boringssl dependency found. FIPS compliance check passed
warning: bottlecap@0.1.0: All dependency checks passed.
```

## Companion PRs (already merged)

- **DataDog/libdatadog#1943** — gates the internal libdatadog crates and adds the workspace-wide CI guard.
- **DataDog/serverless-components#127** — bumps the `dogstatsd` / `datadog-fips` source workspace to libdatadog `db05e1f`. This PR pins to its merge SHA `5b68f50`, so the whole chain (libdatadog → serverless-components → bottlecap) sits on a consistent baseline.

## Test plan

- [x] `cargo check --all-targets` (default features)
- [x] `cargo clippy --workspace --all-targets --features default`
- [x] `cargo clippy --workspace --all-targets --no-default-features --features fips` — FIPS dependency check now passes locally (was the long-standing CI blocker)
- [x] `cargo test --no-run`
- [x] `cargo fmt --all -- --check`
- [x] Production layer build via `ARCHITECTURE=arm64 FIPS=false ./scripts/build_bottlecap_layer.sh` — built successfully, binary 11.17 MiB stripped / layer zip 5.08 MiB (slightly smaller than `origin/main`'s 11.23 MiB / 5.11 MiB)
- [ ] End-to-end smoke test in a real Lambda environment
1 parent dfe419b commit 3d4c862

6 files changed

Lines changed: 307 additions & 93 deletions
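
The commit message describes two dependency guards: a FIPS check for forbidden crates and a check that `ring` and `aws-lc-rs` never resolve together. The following is an added example, not bottlecap's build script or libdatadog's CI guard, that runs both checks over `Cargo.lock` text. `FIPS_FORBIDDEN`, `Verdict`, `package_names`, `check` and `lock_with` are names assumed for this example, and the lockfile input is constructed.

```rust
use std::collections::BTreeSet;

/// Assumption: crate names follow the three checks in the build output quoted above.
const FIPS_FORBIDDEN: &[&str] = &["ring", "openssl", "boringssl"];

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Ok,
    BothProviders,          // ring and aws-lc-rs resolved together
    Forbidden(Vec<String>), // FIPS build contains a forbidden crate
}

/// Collect `name = "..."` values that sit inside `[[package]]` tables only,
/// so entries of a `dependencies = [...]` array or other tables are ignored.
pub fn package_names(lock: &str) -> BTreeSet<String> {
    let mut in_package = false;
    let mut names = BTreeSet::new();
    for line in lock.lines().map(str::trim) {
        let name = line.strip_prefix("name = \"").and_then(|r| r.strip_suffix('"'));
        if line.starts_with('[') {
            in_package = line == "[[package]]";
        } else if let (true, Some(n)) = (in_package, name) {
            names.insert(n.to_string());
        }
    }
    names
}

/// Provider-collision guard first, then the FIPS forbidden-crate check.
pub fn check(lock: &str, fips: bool) -> Verdict {
    let names = package_names(lock);
    if names.contains("ring") && names.contains("aws-lc-rs") {
        return Verdict::BothProviders;
    }
    let hits: Vec<String> = FIPS_FORBIDDEN.iter()
        .filter(|c| fips && names.contains(**c))
        .map(|c| c.to_string()).collect();
    if hits.is_empty() { Verdict::Ok } else { Verdict::Forbidden(hits) }
}

/// Constructed sample input: a minimal Cargo.lock listing the given crates.
pub fn lock_with(crates: &[&str]) -> String {
    crates.iter()
        .map(|c| format!("[[package]]\nname = \"{c}\"\nversion = \"0.0.0\"\n\n"))
        .collect()
}

fn main() {
    println!("{:?}", check(&lock_with(&["bottlecap", "ring", "aws-lc-rs"]), true));
}
```
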
