Fix cargo audit vulnerabilities (aws-lc-sys, rustls-webpki)

[squadgazzz]

Summary

Resolves all 7 cargo audit advisories by updating dependencies.

aws-lc-sys 0.35.0 → 0.39.0 — fixes 5 crypto-failure advisories (RUSTSEC-2026-{0044,0045,0046,0047,0048}) including PKCS7 verification bypasses (CVSS 7.5) and X.509 name constraint bypass. Updated via aws-lc-rs 1.15.2 → 1.16.2.

rustls-webpki 0.103.8 → 0.103.10 — fixes CRL distribution point matching (RUSTSEC-2026-0049). Direct cargo update.

rustls-webpki 0.101.7 (same RUSTSEC-2026-0049) — this old version was dragged in by aws-sdk-s3's rustls feature, which activates the legacy TLS path (aws-smithy-runtime/tls-rustls → legacy-rustls-ring → rustls 0.21 → rustls-webpki 0.101.7). The 0.101.x line has no patch. Fixed by switching aws-sdk-s3 from features = ["rustls"] to features = ["default-https-client"], which uses the modern rustls-aws-lc backend instead. This removes rustls 0.21 from the tree entirely.

recursion_limit — the AWS SDK update introduced slightly deeper type nesting that overflows the default compiler recursion limit (needs 130, default is 128) when building autopilot tests. Added #![recursion_limit = "160"] to autopilot.

Test plan

• cargo check --workspace and cargo check -p autopilot --tests pass
• cargo audit reports 0 vulnerabilities

[gemini-code-assist]

Code Review

This pull request primarily updates numerous AWS SDK for Rust dependencies in Cargo.lock to newer versions. Key changes include version bumps for aws-config, aws-runtime, various aws-sdk-* crates, and aws-smithy-* crates. It also adjusts the aws-sdk-s3 feature in crates/s3/Cargo.toml from rustls to default-https-client, indicating a change in the default HTTPS client configuration. No critical issues were found during the review.