feat: per-part sha256 checksums on multipart uploads #122

Open
lee-reinhardt wants to merge 1 commit into main from lee-eng-1663


@lee-reinhardt
Member

Summary

  • Compute SHA-256 of each 50 MiB part before uploading and send as x-amz-checksum-sha256 header (base64-encoded) on every presigned PUT request
  • Include per-part checksums in the /complete request payload (checksum_sha256 field on each part) so the API can forward them to S3's CompleteMultipartUpload XML
  • Both upload paths covered: host-side (upload_artifacts) and container-side (upload_in_container)
  • No new dependencies — sha2 and base64 crates already in Cargo.toml

API dependency — do not merge yet

The x-amz-checksum-sha256 header is an x-amz-* header, which means it must be included in X-Amz-SignedHeaders when generating presigned URLs (per AWS SigV4 spec). The API currently does not sign this header into presigned URLs — S3 will reject the PUT with a signature mismatch.

Before merging this PR, the API needs to:

  1. Pass headers: [{"x-amz-checksum-sha256", "UNSIGNED-PAYLOAD"}] (or equivalent) when generating presigned part URLs in presign_part/4
  2. Add ChecksumAlgorithm: SHA256 to CreateMultipartUpload in initiate_multipart/3
  3. Include <ChecksumSHA256> per part in CompleteMultipartUpload XML in complete_multipart/4
  4. Extract checksum_sha256 from the CLI's complete request in RuntimeController.complete/2

Tracked in ENG-1663. API integrity groundwork in peridio/avocado-connect-mono-repo#306.

Test plan

  • cargo build — clean
  • cargo clippy — no new warnings
  • cargo test — 742 unit + 6 doc tests pass
  • E2E: requires API presigning changes before upload will succeed against S3/MinIO

compute sha256 of each part before uploading and send as
x-amz-checksum-sha256 header on every presigned PUT. include
base64-encoded checksums in the complete request payload so the
api can forward them to s3's CompleteMultipartUpload.

this enables s3 to validate each part inline at upload time,
catching corruption immediately rather than after assembly.
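
The per-part checksum flow this PR describes, as an added Python example (not the PR's Rust code): each part is hashed with SHA-256, the raw digest is base64-encoded for the x-amz-checksum-sha256 header and the /complete payload, and a receiver-side check rejects a corrupted part. The function names and the part_number and etag payload keys are assumptions; only checksum_sha256 and the header name come from the PR.

```python
import base64
import hashlib
import hmac
import io

PART_SIZE = 50 * 1024 * 1024  # 50 MiB part size, as stated in the PR summary


def part_checksums(stream, part_size=PART_SIZE):
    """Return [(part_number, base64 SHA-256)] for each part of a regular file."""
    out = []
    while chunk := stream.read(part_size):
        digest = hashlib.sha256(chunk).digest()  # raw 32 bytes, not the hex string
        out.append((len(out) + 1, base64.b64encode(digest).decode("ascii")))
    return out


def put_headers(checksum_b64):
    """Header sent with the presigned PUT for one part."""
    return {"x-amz-checksum-sha256": checksum_b64}


def complete_payload(checksums, etags):
    """Body for /complete; checksum_sha256 is from the PR, other keys are assumed."""
    return {"parts": [
        {"part_number": n, "etag": etags[n], "checksum_sha256": c}
        for n, c in checksums
    ]}


def part_is_intact(received, claimed_b64):
    """Receiver-side check: recompute the digest and compare in constant time."""
    try:
        claimed = base64.b64decode(claimed_b64, validate=True)
    except ValueError:
        return False  # malformed base64 is treated as a mismatch
    return hmac.compare_digest(hashlib.sha256(received).digest(), claimed)


if __name__ == "__main__":
    # Constructed sample: 7 bytes split into 3-byte parts instead of 50 MiB.
    sums = part_checksums(io.BytesIO(b"abcabcx"), part_size=3)
    print(put_headers(sums[0][1]))
    print(complete_payload(sums, {1: "etag-1", 2: "etag-2", 3: "etag-3"}))
    print(part_is_intact(b"abd", sums[0][1]))  # one changed byte in part 1
```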