feat: support s3:// URL scheme for pre_boot and pre_shutdown hooks

[chaodu-agent]

Summary

Add s3:// support to the url field in [hooks.pre_boot] and [hooks.pre_shutdown]. Currently only https:// (with mandatory SHA-256) is supported.

Motivation

With [hooks.pre_seed] already supporting s3:// (PR #1189), it is natural to allow hook scripts to also be fetched from S3. This avoids:

• Maintaining publicly accessible HTTPS URLs for scripts
• Manually updating sha256 in config every time a script changes

Proposed Behavior

[hooks.pre_boot]
url = "s3://my-bucket/scripts/pre-boot.sh"
timeout_seconds = 60
on_failure = "abort"

• Auth: Standard AWS credential chain (same as pre_seed, config-s3, secrets-aws)
• Integrity: S3-native checksum auto-verified if object was uploaded with --checksum-algorithm SHA256
• SHA-256 field: Not required for s3:// (unlike https:// which mandates it due to MITM risk). S3 uses IAM + SigV4 which provides equivalent transport security.
• Size cap: Same MAX_SCRIPT_SIZE (1 MiB) applies

Comparison

Scheme	Auth	Integrity	sha256 required?
https://	None (public URL)	SHA-256 (mandatory)	Yes
s3://	IAM + SigV4	S3-native checksum (auto)	No

Implementation Notes

• Modify fetch_and_verify() in hooks.rs to detect s3:// scheme
• Reuse S3 client construction pattern from pre_seed or config-s3
• Skip sha256 requirement when scheme is s3://
• Consider sharing region/endpoint_url config (from [hooks.pre_seed] or a new [hooks.aws] section)

Related: #1188, #1189