Support dynamic client certificate resolution (ResolvesClientCert)

[brucearctor]

Support dynamic client certificate resolution (ResolvesClientCert)

What

Add a client_cert_resolver field to TlsOptions that accepts an Arc<dyn ResolvesClientCert> for dynamic, per-handshake client certificate selection. This enables transparent mTLS certificate rotation without requiring a process restart — useful for short-lived certificates managed by Vault agents, cert-manager sidecars, or HSM-backed signers.

Closes #1338

Why

The existing client_tls_options requires static (cert, key) bytes at connection time. Users with rotating certificates (e.g., Vault-issued certs with 24h TTLs) must restart the entire Temporal client to pick up new material. The Go SDK solves this with tls.Config.GetClientCertificate; this PR brings equivalent functionality to the Rust SDK.

How

Since tonic 0.14.6 does not expose rustls::ClientConfig::with_client_cert_resolver(), the implementation bypasses tonic's TLS layer when a resolver is present:

1. build_custom_rustls_config() — manually constructs a rustls::ClientConfig with the user's ResolvesClientCert, replicating tonic's security defaults (protocol versions, ALPN, native/custom CA roots)
2. DynamicTlsConnector — a tower::Service<Uri> that wraps TCP with TLS using tokio_rustls::TlsConnector, including connect timeouts and tracing
3. Endpoint::connect_with_connector() — used instead of connect() to wire the custom connector into tonic's channel

The resolver fires on each new TLS handshake (reconnections), not per-RPC over an existing HTTP/2 connection.

Key design decisions

• Mutually exclusive with static certs — setting both client_tls_options and client_cert_resolver returns InvalidConfig
• Re-exports — ResolvesClientCert, CertifiedKey, and SignatureScheme are re-exported at the crate root so users don't need to depend on tokio-rustls directly
• DNS load balancing — returns a clear error (not yet supported with dynamic certs due to balance_channel API constraints)
• Proxy — returns a clear error (not yet supported; would require composing connectors)
• C bridge — hardcodes client_cert_resolver: None (dynamic resolution from C callers needs a callback design in a follow-up)

Changes

File	Change
crates/client/src/options_structs.rs	Add client_cert_resolver field, update Debug impl
crates/client/src/lib.rs	TlsConfigResult enum, add_tls_to_channel branching, build_custom_rustls_config, DynamicTlsConnector, proxy/DNS validation, tracing
crates/client/src/dns.rs	Handle TlsConfigResult, reject resolver + DNS LB
crates/client/src/envconfig.rs	Add client_cert_resolver: None
crates/client/Cargo.toml	Add rustls-native-certs dep
crates/sdk-core-c-bridge/src/client.rs	Add client_cert_resolver: None
crates/sdk-core/tests/common/mod.rs	Update test struct literals
CHANGELOG.md	Add entry under [Unreleased] > Added

Tests (15 new, 134 total pass)

• Custom connector returned when resolver is set (explicit domain + inferred domain)
• Mutual exclusion: static + dynamic certs → error
• Resolver + custom ServerCertVerifier combination
• Resolver + custom CA certificate
• build_custom_rustls_config with/without resolver/verifier
• Debug output correctness for TlsOptions with resolver
• DynamicTlsConnector is Clone + Debug
• Default TlsOptions has no resolver
• No-TLS passthrough returns Standard
• IP host fallback for domain extraction
• Re-exports compile (CertifiedKey, SignatureScheme)

Future work

• SDK-owned convenience trait (decouple users from rustls types) — Provide SDK-owned trait for dynamic client certificates (decouple from rustls) #1341
• Connection max-lifetime for proactive cert rotation — Add connection max-lifetime for proactive mTLS certificate rotation #1342
• DNS load balancing + dynamic certs — Support dynamic client cert resolver with DNS load balancing #1343
• C bridge callback support — Expose dynamic client cert resolver via C bridge for language SDKs #1344
• FileWatchingCertResolver batteries-included implementation — Provide batteries-included FileWatchingCertResolver for common mTLS rotation #1345