feat: add direct AWS KMS encryption for cardholder data

[BenJanecke]

Summary

#162

Adds a new aws_kms mode for the external_key_manager config that delegates all cardholder data encryption to AWS KMS — no encryption keys are ever generated, stored, or handled locally. This shifts
cryptographic key management responsibilities to AWS KMS (a PCI DSS Level 1 validated service), significantly reducing the operator's PCI compliance scope and audit surface for key management controls.

• Implements KmsKeyManager / KmsCryptoManager behind the existing KeyProvider / CryptoOperationsManager trait abstraction, requiring zero changes to route handlers
• Uses KMS encryption context to cryptographically bind ciphertext to each entity, preventing cross-entity decryption
• Refactors AwsKmsClient to a single encrypt/decrypt API operating on raw bytes with optional encryption context; base64/UTF-8 handling moved to the SecretManager impl
• All new code gated behind the existing kms-aws feature flag with no new dependencies

Configuration

[external_key_manager]
mode = "aws_kms"

[tenant_secrets.my_tenant]
master_key = "unused_placeholder"
schema = "my_tenant"

[tenant_secrets.my_tenant.kms_data_key]
key_id = "arn:aws:kms:us-east-1:123456789:key/abcd-1234"
region = "us-east-1"

Test plan

• cargo build (default features) — compiles, KMS code fully gated
• cargo build --features kms-aws — compiles with KMS support
• cargo clippy --all-features --all-targets — no new warnings
• cargo test — all existing tests pass
• Deploy with aws_kms mode against a real KMS key, verify encrypt → store → retrieve → decrypt round-trip
• Verify encryption context binding: attempt decrypt with wrong entity_id fails