feat(client): support custom ServerCertVerifier in TlsOptions

[brucearctor]

Summary

Adds an optional server_cert_verifier field to TlsOptions that accepts an Arc<dyn ServerCertVerifier>. When set, the client uses tonic's tls_config_with_verifier() to replace the default WebPKI certificate verification.

Closes #1248

Motivation

The current TlsOptions API only supports static PEM-encoded certificates, which prevents advanced TLS patterns like:

• Certificate pinning — verifying a specific certificate fingerprint
• Custom trust-domain validation — e.g., SAN-URI extraction for SPIFFE/mesh environments
• Federated root certificate stores — composing multiple trust roots from different sources

What this PR does

1. Adds server_cert_verifier: Option<Arc<dyn ServerCertVerifier>> to TlsOptions
2. Updates add_tls_to_channel to call Endpoint::tls_config_with_verifier() when the custom verifier is set
3. Re-exports ServerCertVerifier from the crate root for user convenience
4. Handles Debug impl — dyn ServerCertVerifier doesn't implement Debug, so TlsOptions gets a manual Debug impl

What this does NOT cover

• ResolvesClientCert / dynamic client cert rotation — tonic 0.14 does not support injecting a pre-built Arc<rustls::ClientConfig>, so ResolvesClientCert cannot be passed through. This would require either:
  • An upstream change to tonic to accept Arc<rustls::ClientConfig> directly
  • Bypassing tonic's TLS config entirely to build the hyper/rustls connector manually

I scoped this PR to what tonic 0.14 supports today. If the maintainers want the full Arc<ClientConfig> passthrough, I'm happy to pursue the tonic upstream approach as a follow-up.

Design decisions

• Optional field vs enum: Chose an optional field on the existing struct over an enum wrapper to avoid breaking the public API. An enum-based ClientTlsConfig could be a follow-up if preferred.
• Feature-gating: Not feature-gated since tokio-rustls is already a transitive dependency via tonic. The ServerCertVerifier trait is always available when tonic's TLS features are enabled.
• server_root_ca_cert ignored when verifier is set: This matches tonic's behavior — tls_config_with_verifier errors if CA certs are also configured.

Example usage

use std::sync::Arc;
use temporalio_client::{TlsOptions, ServerCertVerifier};

// Implement your custom verifier
struct MyCertPinner { /* ... */ }
impl ServerCertVerifier for MyCertPinner { /* ... */ }

let tls = TlsOptions {
    server_cert_verifier: Some(Arc::new(MyCertPinner { /* ... */ })),
    domain: Some("my-temporal.example.com".to_string()),
    ..Default::default()
};

Testing

• cargo check — full workspace builds clean
• cargo fmt --all — no formatting changes
• cargo lint — no warnings
• cargo test -p temporalio-client — 112 tests + 1 doctest pass

[Sushisource]

We should probably just have these options be mutually exclusive (in the sense that this can just produce an error) rather than silently ignoring.

[Sushisource]

I think these can all just be dropped, very obvious tests.

[Sushisource]

I think we need to include some warning here about the fact that this allows you to make dangerously insecure connections

[Sushisource]

I'm not sure I want to re-export this specifically because this import path is communicating some important information with the danger segment. I think a little friction here isn't a bad thing.

[Sushisource]

@brucearctor Thanks again! Looks like there's one small rustfmt needed.

By the way, you've been making a lot of useful contributions and we really appreciate that. We have a program for highlighting top contributors, we can ship you some swag or something too. I didn't immediately see you in our community Slack. If you join, you can DM me and we can set it up! https://t.mp/slack

Alternatively feel free to find me on LinkedIn and send me a message there too. Thanks!