kms: require attestation for all KMS flows

[kvinwang]

Summary

Stacked on top of #573, this PR removes the KMS quote_enabled split and makes attestation mandatory for all KMS flows.

Changes:

• remove core.onboard.quote_enabled from KMS config
• always require self attestation during bootstrap / auto-bootstrap
• always embed attestation in KMS RPC certs
• always use attested / RA-TLS onboarding to source KMS
• always require attested callers on GetKmsKey
• change auth-simple so kms.mrAggregated = [] is deny-all for KMS, matching the allowlist semantics used by on-chain auth
• update deployment / auth-simple / manual-test docs to require an explicit KMS MR allowlist before bootstrap
• add tests/docs/kms-bootstrap-onboard.md and expand the manual test docs with bootstrap / onboard / trusted-RPC deny cases

Rationale

The old quote_enabled switch left KMS with two different security models:

• quoted KMS
• no-quote / compatibility mode

That made bootstrap / onboard / trusted RPC behavior harder to reason about, and produced awkward partial-compatibility cases where one side skipped a new check but another side still required attestation.

This PR makes the model explicit and uniform:

• KMS always requires attestation
• local development without TDX hardware should use sdk/simulator
• KMS authorization in auth-simple now uses a real MR allowlist instead of treating an empty list as "allow any"

Validation

• cargo fmt --all
• cargo check -p dstack-kms
• cargo clippy -p dstack-kms --all-targets -- -D warnings
• cd kms/auth-simple && bun run test:run
• cd kms/auth-simple && bun run lint
• manual teepod runbook validation for:
  • bootstrap deny / allow
  • onboard deny on receiver side
  • onboard deny on source side
  • runtime trusted-RPC self-auth deny

Notes

This is a stacked PR.

• base branch: kms-bootstrap-onboard-auth-checks
• after kms: check KMS authorization during bootstrap and onboard #573 merges, this PR should be retargeted to master