Commit 7602106
chore(deps): resolve all open RUSTSEC advisories

Bumps and feature changes that drop the four advisories cargo-audit was
flagging:

- aws-sdk-s3: disable default features and pick the modern aws-lc-rs HTTPS
  path (sigv4a, http-1x, default-https-client, rt-tokio). The default
  feature set silently enables a legacy "rustls" feature that pulls
  rustls 0.21 / hyper-rustls 0.24 — the source of RUSTSEC-2026-0098,
  -0099, and -0104 (rustls-webpki name-constraint and CRL-parsing CVEs).
- testcontainers: 0.23 → 0.27 to drop the vulnerable tokio-tar 0.3.1
  (RUSTSEC-2025-0111, file smuggling) and unmaintained rustls-pemfile
  (RUSTSEC-2025-0134) from the dev-dep tree. No API changes needed.
- cargo update: ~200 transitive patch bumps.

Also pins cargo-audit in mise.toml so contributors run the same advisory
scanner CI does (per AGENTS.md: anything mise can manage, mise manages).

Verified: cargo audit clean, cargo test 84 passed, cargo clippy
--all-targets -- -D warnings clean, cargo fmt --check clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent 29846a3 commit 7602106
3 files changed
Lines changed: 825 additions & 603 deletions
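A lockfile check that complements the `cargo audit` run described in the commit message, as an added example (not part of this commit or the project's code): it scans a Cargo.lock for the package versions the message names, so a later change that re-enables the legacy `rustls` feature is caught at review time. The function names, rule format and sample lockfile are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail when Cargo.lock still resolves a package this commit removed.
# One rule per line: "name [version-prefix]"; no prefix means any version.
# Names and versions are the ones listed in the commit message.
DENY_RULES='rustls 0.21
hyper-rustls 0.24
tokio-tar 0.3.1
rustls-pemfile'

# Reads a Cargo.lock on stdin and prints "name version" for each match.
# Exit status: 0 = no match, 1 = at least one match.
find_legacy_packages() {
    DENY_RULES="$DENY_RULES" awk '
        BEGIN {
            n = split(ENVIRON["DENY_RULES"], rules, "\n")
            for (i = 1; i <= n; i++) {
                split(rules[i], f, " ")
                if (f[1] != "") deny[f[1]] = f[2]
            }
        }
        /^\[\[package\]\]/ { name = "" }
        /^name = "/        { split($0, q, "\""); name = q[2] }
        /^version = "/ && (name in deny) {
            split($0, q, "\""); ver = q[2]
            # Compare dotted components so 0.3.1 does not match 0.3.10.
            if (deny[name] == "" || index(ver ".", deny[name] ".") == 1) {
                print name, ver
                hits++
            }
        }
        END { exit (hits > 0) }
    '
}

# Hypothetical helper: emit a minimal lockfile, one "name version" per argument.
make_lock() {
    for p in "$@"; do
        printf '[[package]]\nname = "%s"\nversion = "%s"\n\n' "${p% *}" "${p#* }"
    done
}

# Constructed sample, not the project's lockfile: two rustls lines side by side.
make_lock 'rustls 0.21.12' 'rustls 0.23.20' 'hyper-rustls 0.27.5' \
          'tokio-tar 0.3.1' 'rustls-pemfile 2.2.0' |
    find_legacy_packages || echo "legacy packages still in the lockfile" >&2
```

Against a real tree, run `find_legacy_packages < Cargo.lock`; the lockfile covers dev-dependencies too, which is where the message says tokio-tar and rustls-pemfile came from.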