crypto: add core crypto infrastructure (mz-ore crypto module)

[jasonhernandez]

Summary

• Add rustls/aws-lc-rs workspace dependencies (alongside existing OpenSSL deps)
• Add crypto feature to mz-ore with #[ctor::ctor] auto-install of aws-lc-rs CryptoProvider
• Add fork overrides for azure-sdk and launchdarkly-sdk-transport (rustls-compatible forks)
• Add CDLA-Permissive-2.0 to accepted licenses
• Remove rustls ban from deny.toml (migration in progress)

Part 1 of 7 in the crypto migration from native-tls/OpenSSL to rustls/aws-lc-rs.

Test plan

• cargo check --workspace passes
• cargo check -p mz-ore --features crypto passes
• cargo deny check licenses passes
• cargo deny check bans passes
• No existing deps removed — fully additive

🤖 Generated with Claude Code

[github-actions]

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

• Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
• Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
• Prefix with area if helpful: compute: , storage: , adapter: , sql:

Pre-merge checklist

• The PR title is descriptive and will make sense in the git log.
• This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
• If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
• This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
• If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
• If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).