fix(netd): support h2 for HTTPS credential interception#435

Merged
laotoutou merged 1 commit into main from fix/netd-http2-https-credentials on Jun 11, 2026

Conversation

@laotoutou (Contributor)

Summary

  • advertise h2 for HTTPS terminate-reoriginate credential rules while keeping HTTP/1.1 preferred for dual-stack clients
  • route negotiated h2 HTTPS requests through the existing HTTP/2 proxy path so injected headers are preserved upstream
  • document that netd preserves the negotiated downstream ALPN and does not silently downgrade h2 to HTTP/1.1 upstream

Fixes #433

Tests

  • go test ./netd/pkg/proxy -count=1 -timeout=3m
  • go test ./netd/pkg/policy ./netd/pkg/proxy -count=1 -timeout=3m

@laotoutou laotoutou force-pushed the fix/netd-http2-https-credentials branch from 2db2b6e to 1a25187 on June 11, 2026 10:59
@laotoutou laotoutou commented Jun 11, 2026 (Contributor, Author)

Correction/update on validation:

I added real remote sandbox validation on the Aliyun Singapore kind environment after updating this PR:

  • Synced the PR branch to the remote workspace, rebuilt sandbox0ai/infra:latest, loaded it into kind, and restarted both fullmode-netd pods.
  • Confirmed both netd pods are 1/1 Running on the two worker nodes.
  • Used a real claimed sandbox pod: rs-mrswmylvnr2a-default-x2ggl.
  • Created a unique static_headers credential source and a sandbox network policy with:
    • protocol: https
    • tlsMode: terminate-reoriginate
    • domains: ["nghttp2.org"]
    • credentialRef: h2-curl-ref-1781175935
  • Waited until sandbox0.ai/network-policy-hash matched sandbox0.ai/network-policy-applied-hash on the sandbox pod.
  • Ran the request from inside the sandbox container with HTTP/2 enabled:
CURL_CA_BUNDLE=/tmp/sandbox0/netd-ca-bundle.crt \
  curl --http2 -fsS --max-time 20 \
  -w "\nCURL_HTTP_VERSION:%{http_version}\n" \
  https://nghttp2.org/httpbin/headers

Result from inside the sandbox:

{"headers":{"Accept":"*/*","Accept-Encoding":"gzip","Authorization":"Bearer real-curl-h2-token-1781175935","Host":"nghttp2.org","Transfer-Encoding":"chunked","User-Agent":"curl/8.5.0"}}

CURL_HTTP_VERSION:2
SANDBOX_REAL_CURL_H2_EGRESS_AUTH_OK sandbox=rs-mrswmylvnr2a-default-62pxp pod=rs-mrswmylvnr2a-default-x2ggl ref=h2-curl-ref-1781175935 token=real-curl-h2-token-1781175935 http_version=2

I also used a temporary h2-only Go client inside the sandbox (x/net/http2.Transport, ALPN only h2) before the ALPN ordering adjustment. That verified h2-only clients succeed through the real sandbox egress path and receive the injected header.

One behavior found during the real test: with ALPN ordered as http/1.1,h2, curl --http2 still negotiated HTTP/1.1. I updated the PR so HTTPS credential interception advertises h2,http/1.1; HTTP/1.1-only clients still negotiate HTTP/1.1, while clients offering HTTP/2 negotiate HTTP/2.

Cleanup: cleared the sandbox network policy, deleted the temporary credential source, and deleted the claimed sandbox.
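The ALPN ordering behaviour reported in the comment above (with http/1.1,h2 advertised, curl --http2 still landed on HTTP/1.1; with h2,http/1.1 it negotiated h2 while HTTP/1.1-only clients kept HTTP/1.1) can be reproduced with a small in-memory handshake. This is an added example, not code from this PR or from netd: serverProtos stands in for the order the terminating proxy advertises, assumed to select like Go's crypto/tls (first server-listed protocol the client also offered wins), and clientProtos for what the client inside the sandbox offers; the "netd-demo" certificate is a throwaway generated at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// demoCert builds a throwaway self-signed certificate for "netd-demo" so the client verifies it normally.
func demoCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"netd-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// NegotiateALPN runs one TLS handshake over an in-memory pipe and returns the protocol the server
// selected: the first entry of serverProtos (the advertised order) that also appears in clientProtos.
func NegotiateALPN(serverProtos, clientProtos []string) (string, error) {
	cert, pool := demoCert()
	srvConn, cliConn := net.Pipe()
	// Session tickets are disabled so the server's first flight carries no post-handshake record that could block the synchronous pipe.
	srv := tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{cert}, NextProtos: serverProtos, SessionTicketsDisabled: true})
	cli := tls.Client(cliConn, &tls.Config{RootCAs: pool, ServerName: "netd-demo", NextProtos: clientProtos})
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	return cli.ConnectionState().NegotiatedProtocol, <-errc
}
```

Because the server's list decides, a proxy that wants to preserve the client's negotiated protocol must put h2 first and rely on the client's offer to fall back to HTTP/1.1 when h2 is absent.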

@laotoutou laotoutou merged commit 67a4dd3 into main Jun 11, 2026
9 checks passed
@laotoutou laotoutou deleted the fix/netd-http2-https-credentials branch June 11, 2026 12:34
Development: merging this pull request may close issue [Feature] Support http/2 for netd credentials