Add DataDome server-side protection #769

Open
ChristianPavilonis wants to merge 4 commits into main from feature/datadome-backend-integration


@ChristianPavilonis

Collaborator

Summary

  • Adds DataDome server-side Protection API validation before route matching, with fail-open behavior and challenge short-circuiting.
  • Adds request-filter infrastructure for integrations to mutate upstream request headers and final response headers.
  • Moves the DataDome server-side key to runtime Secret Store configuration and documents staging/deployment behavior.

Changes

| File | Change |
| --- | --- |
| crates/trusted-server-core/src/integrations/registry.rs | Adds integration request-filter traits, decisions, header effects, mutation semantics, and registry execution. |
| crates/trusted-server-core/src/integrations/datadome.rs | Adds DataDome protection config, Secret Store key references, auto-injection, and request-filter registration. |
| crates/trusted-server-core/src/integrations/datadome/protection.rs | Implements protection matching, payload construction, Secret Store key loading/cache, Protection API calls, response classification, and pointer-header extraction. |
| crates/trusted-server-adapter-fastly/src/main.rs | Runs request filters after basic auth and before route matching; applies response effects after finalization. |
| crates/trusted-server-adapter-fastly/src/platform.rs / crates/trusted-server-core/src/platform/types.rs | Extends client metadata with JA4/H2 fingerprint and edge server metadata. |
| crates/trusted-server-adapter-fastly/src/route_tests.rs | Adds route-level coverage for DataDome protection behavior. |
| crates/trusted-server-core/src/platform/test_support.rs / src/http_util.rs | Updates test support/default client metadata helpers. |
| crates/trusted-server-core/Cargo.toml | Adds dependencies needed by the DataDome protection implementation. |
| trusted-server.toml | Documents new DataDome protection, Secret Store, and auto-injection settings. |
| docs/guide/integrations/datadome.md | Documents first-party proxy, server-side protection, fail-open behavior, headers, Secret Store config, and GraphQL v1 limitation. |
| docs/superpowers/specs/2026-06-11-datadome-server-side-protection-design.md | Adds and updates the implementation spec/status for the DataDome server-side protection work. |

Closes

Closes #317

Test plan

  • cargo test --workspace
  • cargo clippy --workspace --all-targets --all-features -- -D warnings
  • cargo fmt --all -- --check
  • JS tests: cd crates/js/lib && npx vitest run
  • JS format: cd crates/js/lib && npm run format
  • Docs format: cd docs && npm run format
  • WASM build: cargo build --package trusted-server-adapter-fastly --release --target wasm32-wasip1
  • Manual testing via fastly compute serve
  • Other: cd docs && npx prettier --check guide/integrations/datadome.md superpowers/specs/2026-06-11-datadome-server-side-protection-design.md

Checklist

  • Changes follow CLAUDE.md conventions
  • No unwrap() in production code — use expect("should ...")
  • Uses logging macros (not println!)
  • New code has tests
  • No secrets or credentials committed
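
A sketch of the fail-open classification and challenge short-circuit that the summary describes, added here as an illustration and not taken from the PR's code. The `Decision`, `ApiReply`, `pointed`, `classify` and `sample` names are hypothetical, and the header names (`x-datadomeresponse`, `x-datadome-headers`, `x-datadome-request-headers`) are assumptions about the Protection API contract that do not appear on this page.

```rust
use std::collections::HashMap;

// Hypothetical types: the PR's real traits live in registry.rs and are not shown on this page.
#[derive(Debug, PartialEq)]
pub enum Decision {
    /// Continue to route matching, carrying header effects for upstream and the final response.
    Allow { upstream: Vec<(String, String)>, response: Vec<(String, String)> },
    /// Short-circuit before routing and return the challenge/block response as-is.
    Respond { status: u16, response: Vec<(String, String)>, body: String },
}

/// Constructed stand-in for a Protection API reply; header names are lowercase keys.
pub struct ApiReply { pub status: u16, pub headers: HashMap<String, String>, pub body: String }

/// Resolve a pointer header (space-separated header names) to (name, value) pairs.
fn pointed(headers: &HashMap<String, String>, pointer: &str) -> Vec<(String, String)> {
    let names = headers.get(pointer).map(String::as_str).unwrap_or("");
    names.split_whitespace()
        .map(str::to_ascii_lowercase)
        .filter_map(|n| headers.get(&n).map(|v| (n.clone(), v.clone())))
        .collect()
}

pub fn classify(reply: Result<ApiReply, String>) -> Decision {
    let fail_open = Decision::Allow { upstream: vec![], response: vec![] };
    // Transport error or timeout: never block traffic because the vendor is unreachable.
    let Ok(r) = reply else { return fail_open };
    // Assumed contract: a genuine reply echoes its status in x-datadomeresponse.
    let echoed = r.headers.get("x-datadomeresponse").and_then(|v| v.parse::<u16>().ok());
    if echoed != Some(r.status) { return fail_open; }
    let response = pointed(&r.headers, "x-datadome-headers");
    match r.status {
        200 => Decision::Allow { upstream: pointed(&r.headers, "x-datadome-request-headers"), response },
        301 | 302 | 401 | 403 => Decision::Respond { status: r.status, response, body: r.body },
        _ => fail_open, // unexpected status: treat as an API failure
    }
}

/// Build a constructed sample reply.
pub fn sample(status: u16, pairs: &[(&str, &str)]) -> ApiReply {
    let headers = pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect();
    ApiReply { status, headers, body: String::from("<challenge page>") }
}

fn main() {
    let blocked = sample(403, &[("x-datadomeresponse", "403"), ("x-datadome-headers", "Set-Cookie"), ("set-cookie", "datadome=constructed")]);
    println!("{:?}", classify(Ok(blocked)));
    println!("{:?}", classify(Err("timeout".into())));
}
```

A 403 that does not echo its own status is treated as an API failure and allowed through, so an intermediary's error page cannot turn into a block for real visitors.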

Development

Successfully merging this pull request may close these issues.

Add server-side bot protection via DataDome Protection API
