sdk: support explicit rustls provider choice #367

@shikhar

Summary

Today the Rust SDK relies on rustls having a process-global default crypto provider already installed before S2::new(...) builds its connector. That is workable, but it is not a good long-term story if users want to choose a provider explicitly.

We closed #365 for now because hard-selecting aws-lc-rs inside the SDK connector is a policy decision, and we may want callers to control that choice.

Current behavior

  • s2-sdk depends on hyper-rustls with aws-lc-rs enabled.
  • The CLI and lite binaries install aws-lc-rs as the default rustls provider at process startup.
  • SDK tests also install aws-lc-rs explicitly when needed.
  • Plain SDK users may need to do the same in their application if rustls cannot auto-detect a provider.

Current workaround

Applications can call this once at startup before constructing S2:

let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();

That works, but it is process-global and not a great library API.

What we should decide

Pick and implement one of these directions:

  1. Keep an explicit SDK default provider and document it clearly.
  2. Expose a public connector / TLS-provider override for integrators.
  3. Add a first-class S2Config knob for provider selection if we want to support multiple compiled-in providers.

Acceptance

  • The intended provider-selection story for s2-sdk is explicit.
  • Users do not have to discover the install_default() workaround by accident.
  • If overrides are supported, they are public and documented.
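
The provider-selection problem described in this issue, as an added example that is not part of the original issue or the s2-sdk code: a std-only Rust model of an install-once, process-global default next to an explicit per-client provider. `Provider`, `Client`, `scenario` and the name `other-provider` are hypothetical stand-ins; the first-caller-wins `Result` mirrors how rustls's `install_default()` reports that a provider is already installed.

```rust
// Added illustration, not rustls or s2-sdk code: every type and name below is
// a hypothetical stand-in used to model the behaviour discussed in the issue.
use std::sync::{Arc, OnceLock};

#[derive(Debug)]
pub struct Provider { pub name: &'static str }

// One slot per process, like the global default the workaround writes to.
static DEFAULT: OnceLock<Arc<Provider>> = OnceLock::new();

/// First caller wins; later callers get their own provider handed back as Err.
pub fn install_default(p: Provider) -> Result<(), Arc<Provider>> {
    DEFAULT.set(Arc::new(p))
}

pub struct Client { provider: Arc<Provider> }

impl Client {
    /// Implicit: depends on whatever happens to be installed, if anything.
    pub fn from_global() -> Option<Client> {
        DEFAULT.get().map(|p| Client { provider: Arc::clone(p) })
    }
    /// Explicit: the caller's choice travels with the value it configures.
    pub fn with_provider(p: Arc<Provider>) -> Client { Client { provider: p } }
    pub fn provider_name(&self) -> &'static str { self.provider.name }
}

/// Returns (no default at start, first install accepted, second install
/// rejected, provider seen by the global client, provider of the explicit one).
pub fn scenario() -> (bool, bool, bool, &'static str, &'static str) {
    let missing = Client::from_global().is_none();
    // A dependency initialises first and installs its own preference.
    let first = install_default(Provider { name: "other-provider" }).is_ok();
    // The application then runs the workaround; `let _ =` would hide this Err.
    let second = install_default(Provider { name: "aws-lc-rs" });
    let global = Client::from_global().expect("default installed above");
    let explicit = Client::with_provider(Arc::new(Provider { name: "aws-lc-rs" }));
    (missing, first, second.is_err(), global.provider_name(), explicit.provider_name())
}

fn main() {
    println!("{:?}", scenario());
}
```

An application that needs a particular provider can check the returned `Result` at startup instead of discarding it, so a mismatch is detected rather than silently accepted.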
