feat(tonic-xds): node metadata & AddOrigin layer

[YutaoMa]

Motivation

tonic-xds doesn't currently interoperate with Istio's istiod. Two specific gaps surfaced during local Istio testing, and both affect any other real xDS control plane with the same shape:

1. Node metadata not sent. istiod gates its proxyless-gRPC-style config behind node.metadata.GENERATOR = "grpc" (gRFC A27). Without it, istiod serves sidecar-style config that doesn't fit.
2. Outgoing requests carry no :authority. The routing layer falls through to wildcard matches, so any control plane returning non-wildcard virtual hosts (Istio's *.svc.cluster.local, FQDN-based domains in general) doesn't route correctly. tonic's per-endpoint internal AddOrigin runs after LB selection (keyed by endpoint IP:port, not service authority), so it can't substitute at the routing layer.

Solution

• Node.metadata field & Bootstrap propagation (tonic-xds/src/xds/bootstrap.rs) —
  NodeConfig parses node.metadata from the bootstrap JSON;
  From<NodeConfig> for Node carries it through.
• AddOriginLayer (tonic-xds/src/client/add_origin.rs) — a tower
  service that rewrites each request's scheme + authority before
  forwarding. Wired as the outermost layer in the xDS service stack, with
  authority taken from the xDS target. Falls back to a no-op (with
  tracing::warn) if the target isn't a valid authority. (grpc-go does the equivalent in clientconn.go::initAuthority. )