fix(deps): swap aws-sdk-s3 off rustls 0.21 (legacy) onto rustls 0.23+

The two RUSTSEC advisories cargo-deny just surfaced (RUSTSEC-2026-0099
name-constraint bug, RUSTSEC-2026-0104 CRL panic) both live in
rustls-webpki 0.101.7. That version was pinned by rustls 0.21 which
itself was pulled in by aws-sdk-s3's `rustls` feature → expands to
aws-smithy-http-client/legacy-rustls-ring → rustls 0.21 + hyper 0.14 +
hyper-rustls 0.24 + tokio-rustls 0.24, all of which are the deprecated
"legacy" client stack maintained alongside the modern one.

The same SDK ships `default-https-client` as the modern path, which
routes through aws-smithy-http-client/rustls-aws-lc and lands on
rustls 0.23 + rustls-webpki 0.103. Switching to that feature for both
aws-config and aws-sdk-s3, plus dropping the unused
`connector-hyper-0-14-x` feature from aws-smithy-runtime, removes the
entire legacy stack from Cargo.lock.

Verified the s3 integration suite still passes locally (15/15) — the
SDK now uses the modern HTTPS client by default and the tests, which
only hit plain HTTP, are agnostic to the change.

Remaining cargo-deny noise: two upstream "unmaintained" notices
(atomic-polyfill via beyond-handoff, rustls-pemfile via the AWS SDK).
Both transitive, no CVE, no safe upgrade until the upstream chains
move. Suppressed in deny.toml with linked reasons so the next genuine
regression on either crate still trips the check.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: jaredLunde