fix: ensure rustls backend is used for mTLS support

The mTLS implementation was failing with "tlsv13 alert certificate
required" errors despite certificates loading correctly. The root cause
was Cargo's feature unification - when multiple crates depend on
reqwest, Cargo enables the union of all requested features. Since some
crates were using default features (which includes native-tls) and
others specified rustls, both TLS backends were being compiled and
linked, causing unpredictable behavior during TLS handshakes.

The fix ensures rustls-only is used across the entire workspace by
setting `default-features = false` and explicitly specifying `features =
["rustls-tls"]` for all reqwest dependencies. This is important because
the mTLS code uses `Identity::from_pem()` which only exists with rustls.

Added a verification script (`just check-tls`) that fails if openssl-sys
appears in the dependency tree.

Author: asm89