Summary

Implements pluggable authentication for REST Namespace, with AWS SigV4 as the first provider. Closes #6583.

• Introduces RestAuthProvider trait with per-request authenticate() and connect-time initialize() for fail-fast credential validation
• Adds SigV4AuthProvider using the aws-sigv4 crate, with credentials resolved via explicit properties or the standard AWS chain (env vars, profile, IMDS)
• Supports explicit static credentials via rest.auth.sigv4.access-key-id, rest.auth.sigv4.secret-access-key, and rest.auth.sigv4.session-token properties, taking precedence over the AWS default chain
• Wires through Python (PyO3) and Java (JNI) bindings — properties like rest.auth.type=sigv4 pass transparently to Rust
• Includes x-amz-content-sha256 header for S3-compatible service support
• rest.auth.* and header.Authorization are mutually exclusive; misconfiguration is caught at build time

Configuration

rest.auth.type = sigv4
rest.auth.sigv4.region = us-east-1
rest.auth.sigv4.service = execute-api          # default
rest.auth.sigv4.access-key-id = AKIA...        # optional, overrides env
rest.auth.sigv4.secret-access-key = wJal...    # optional, overrides env
rest.auth.sigv4.session-token = FwoGZX...      # optional

Test plan

• Rust unit tests (14): AWS official test vectors, session token signing, explicit credentials via properties, injected provider precedence over static credentials, partial credentials rejection, host:port handling, auth conflict detection
• Signature correctness cross-verified against botocore (Python) for both GET and POST requests
• Python e2e tests (7): connect + operate, missing region error, botocore signature cross-verification, explicit credentials, session token, precedence over env, partial credentials rejection
• Java e2e tests (7): connect + operate, missing region error, header format verification, explicit credentials, session token, credentials regardless of env, partial credentials rejection
• cargo clippy and cargo test across feature matrix including --all-features