
Add SotoSignerCloudFront module for signed URLs and cookies #696

Open
sebsto wants to merge 2 commits into soto-project:main from sebsto:feature/cloudfront-signing


@sebsto sebsto commented Jun 6, 2026

Contributor

Adds a new SotoSignerCloudFront module that generates CloudFront signed URLs and signed cookies using RSA PKCS#1 v1.5 signatures. This is a first-class implementation of the signing logic described in the CloudFront developer guide.

Closes #613

What's included

  • New module: SotoSignerCloudFront (separate from SotoSignerV4 — uses _CryptoExtras for RSA)
  • Canned policy: signed URLs and cookies with expiration
  • Custom policy: wildcard resources, IP restrictions, optional start times
  • SHA-1 and SHA-256: both hash algorithms supported (Hash-Algorithm param appended for SHA-256)
  • Sendable: safe across concurrency domains, Swift 6 strict concurrency clean
  • Cross-platform: macOS + Linux, verified on swift:amazonlinux2023

API

let signer = try CloudFrontSigner(keyPairId: "K2JCJMDEHXQW5F", privateKey: pemString)

// Canned policy
let url = try signer.signedURL(url: "https://d111.cloudfront.net/video.mp4", expires: .hours(1))

// Custom policy with wildcard + IP restriction
let policy = CloudFrontSigner.CustomPolicy(
    resource: "https://d111.cloudfront.net/premium/*",
    expires: .hours(24),
    ipAddress: "192.0.2.0/24"
)
let customURL = try signer.signedURL(url: "https://d111.cloudfront.net/premium/movie.mp4", policy: policy)

// Signed cookies
let cookies = try signer.signedCookies(url: "https://d111.cloudfront.net/file.mp4", expires: .hours(2))

Testing

  • 33 unit tests covering all public API methods, edge cases, and error conditions
  • Verified on macOS (local) and Linux (docker run swift:amazonlinux2023)
  • End-to-end tested against a real CloudFront distribution — all 5 scenarios pass (canned SHA-1, canned SHA-256, custom wildcard, signed cookies, expired URL rejection)

Documentation

Includes Swift DocC documentation:

  • Module overview with usage examples
  • API reference for CloudFrontSigner
  • End-to-end testing guide (SotoCore.docc/SotoSignerCloudFront/Articles/EndToEndTesting.md) with copy-pasteable AWS CLI commands to set up a test distribution, generate signed URLs, verify with curl, and clean up all resources

Implements CloudFront RSA-based signing (PKCS#1 v1.5) as a new dedicated module,
separate from SotoSignerV4. Supports canned and custom policies for both signed
URLs and signed cookies, with SHA-1 (default) and SHA-256 hash algorithms.

New module: SotoSignerCloudFront
- CloudFrontSigner struct with Sendable conformance
- Canned policy signed URLs and cookies
- Custom policy with wildcard resources, IP restrictions, start times
- CloudFront-specific base64 encoding
- Dual PEM initializers (String + Data)
- Comprehensive error handling

Tests: 33 unit tests covering all public API methods, edge cases, error
conditions, and round-trip signature verification. Verified on both macOS
and Linux (swift:amazonlinux2023).

Documentation: Swift DocC documentation with usage examples and a complete
end-to-end testing guide (SotoCore.docc/SotoSignerCloudFront/Articles/
EndToEndTesting.md) that walks through setting up a real CloudFront
distribution and verifying signed URLs against it.

Resolves: soto-project#613
@sebsto sebsto requested review from 0xTim and adam-fowler as code owners June 6, 2026 18:41
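
The canned-policy flow named in the description above (policy string, SHA-1 digest, RSA PKCS#1 v1.5 signature, CloudFront-specific base64), written out as an added example; it is not code from this pull request. The function names `cloudFrontBase64`, `cannedPolicy` and `signedURL` are hypothetical, and the key is a throwaway generated in-process.

```swift
import Crypto
import Foundation
import _CryptoExtras

/// CloudFront's query-string-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'.
func cloudFrontBase64(_ data: Data) -> String {
    data.base64EncodedString()
        .replacingOccurrences(of: "+", with: "-")
        .replacingOccurrences(of: "=", with: "_")
        .replacingOccurrences(of: "/", with: "~")
}

/// Canned policy: a single statement with the exact URL and one expiry, no whitespace.
func cannedPolicy(resource: String, expires: Int) -> Data {
    let json = "{\"Statement\":[{\"Resource\":\"\(resource)\","
        + "\"Condition\":{\"DateLessThan\":{\"AWS:EpochTime\":\(expires)}}}]}"
    return Data(json.utf8)
}

/// Sign the policy bytes (SHA-1 + RSA PKCS#1 v1.5) and append the three query parameters.
func signedURL(_ url: String, expires: Int, keyPairId: String,
               key: _RSA.Signing.PrivateKey) throws -> String {
    let digest = Insecure.SHA1.hash(data: cannedPolicy(resource: url, expires: expires))
    let signature = try key.signature(for: digest, padding: .insecurePKCS1v1_5)
    let separator = url.contains("?") ? "&" : "?"
    return url + separator + "Expires=\(expires)"
        + "&Signature=" + cloudFrontBase64(signature.rawRepresentation)
        + "&Key-Pair-Id=" + keyPairId
}

// Constructed demo input: a throwaway key generated in-process, never a production key.
let key = try _RSA.Signing.PrivateKey(keySize: .bits2048)
let url = "https://d111.cloudfront.net/video.mp4"
let expires = Int(Date().timeIntervalSince1970) + 3600
let signed = try signedURL(url, expires: expires, keyPairId: "K2JCJMDEHXQW5F", key: key)
print(signed)

// Round trip: undo the base64 substitution and verify with the matching public key,
// rebuilding the policy from the URL and Expires value exactly as the verifying side must.
let encoded = signed.components(separatedBy: "&Signature=")[1].components(separatedBy: "&")[0]
let standard = encoded.replacingOccurrences(of: "-", with: "+")
    .replacingOccurrences(of: "_", with: "=").replacingOccurrences(of: "~", with: "/")
let raw = Data(base64Encoded: standard)!
let digest = Insecure.SHA1.hash(data: cannedPolicy(resource: url, expires: expires))
let valid = key.publicKey.isValidSignature(_RSA.Signing.RSASignature(rawRepresentation: raw),
                                           for: digest, padding: .insecurePKCS1v1_5)
print("signature verifies:", valid)
```

Because the canned policy is never sent, any byte-level difference in how the policy string is rebuilt (whitespace, key order, URL normalisation) makes verification fail.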

codecov Bot commented Jun 6, 2026


Codecov Report

❌ Patch coverage is 97.82609% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 81.55%. Comparing base (2c78153) to head (7d190eb).

Files with missing lines Patch % Lines
...toSignerCloudFront/CloudFrontSigner+Internal.swift 97.29% 1 Missing ⚠️
...nerCloudFront/CloudFrontSigner+SignedCookies.swift 97.61% 1 Missing ⚠️
...oSignerCloudFront/CloudFrontSigner+SignedURL.swift 97.72% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #696      +/-   ##
==========================================
+ Coverage   81.13%   81.55%   +0.41%     
==========================================
  Files          91       95       +4     
  Lines        6580     6718     +138     
==========================================
+ Hits         5339     5479     +140     
+ Misses       1241     1239       -2     
