oidc-provider: optional `oidc_session_name` backend-option to override RoleSessionName derivation

[alukach]

Context

#83 makes AwsBackendAuth::resolve_aws derive the assumed-role RoleSessionName from the per-connection oidc_subject (scv1:conn:{id}), sanitized to AWS's [\w+=,.@-]{2,64} charset, instead of the constant s3-proxy. This gives consumers per-connection attribution in their CloudTrail.

The session name is currently non-overridable through the middleware: AwsBackendAuth builds the AwsExchange internally from backend_options, and while AwsExchange.session_name is a pub field, using it requires bypassing the middleware entirely (reimplementing the credential-resolution path). So a consumer that wants a different session-name format has no practical hook.

Proposed enhancement (deferred)

Read an optional oidc_session_name backend-option, falling back to the derived-from-subject default:

let session = config.option("oidc_session_name")
    .map(sts_session_name)                         // still sanitize — STS rejects bad input either way
    .unwrap_or_else(|| sts_session_name(subject));
exchange.session_name = session;

This reuses the existing string-option mechanism (oidc_role_arn, oidc_subject are passed exactly this way), so it's ~2 lines, adds no new public type/trait/closure, and is fully backward-compatible.

Why it is NOT being added now

• One consumer, one policy. The only known consumer is source-cooperative/data.source.coop (PR #147), and it wants exactly the derived-from-subject behavior. A configuration knob for a value that never varies is speculative generality.
• The default is essentially forced, not opinionated. AWS requires a valid RoleSessionName; "a sanitized rendering of the subject the caller already supplied" is the sane universal default, not one option among several competing strategies anyone has requested.
• Waiting costs nothing. Because backend_options is already an open string map, oidc_session_name can be added the day a second consumer (or a specific CloudTrail naming convention) actually needs a different format — as a non-breaking one-liner, with no redesign. Adding it now would ship an unused knob (YAGNI).

Trigger to revisit

Add the option when any of these becomes real:

• A second consumer of multistore-oidc-provider needs a session-name format other than the sanitized subject.
• A consumer needs the session name to encode something else (e.g. role name, a fixed prefix, a hash) to satisfy a CloudTrail / aws:userid convention or a resource-policy aws:RoleSessionName condition.
• The sanitization default proves lossy in practice (e.g. truncation collisions that matter for attribution).

Refs: #83