feat(cli): support replication target TLS options

[houseme]

Summary

This PR adds replication target TLS options to rustfs/cli so bucket replication can be configured against HTTPS targets that use self-signed or private-CA certificates.

Related issues:

• rustfs/backlog#711
• rc bucket replication add: support --insecure or --ca-cert for self-signed TLS certificates rustfs#3422

What Changed

• Added --insecure to rc bucket replication add and rc bucket replication update
• Added --ca-cert <FILE> to rc bucket replication add and rc bucket replication update
• Read local PEM file content on the CLI machine and send it as caCertPem
• Added early CLI validation for:
  • missing or unreadable --ca-cert file
  • empty --ca-cert file
  • obviously non-PEM --ca-cert content
  • invalid --insecure and --ca-cert combination
• Extended the replication remote target request model with skipTlsVerify and caCertPem
• Updated help coverage and README examples to make the local-file upload semantics explicit

Why

The RustFS server-side API now supports target-scoped TLS configuration for replication remote targets, but rustfs/cli could not pass those fields through. As a result, operators had no supported CLI path for configuring replication against self-signed or private-CA HTTPS targets.

Impact

Operators can now:

• use --insecure for development or test replication targets with self-signed certificates
• use --ca-cert <FILE> to upload a local private CA bundle for production-style HTTPS replication targets

Existing replication behavior is unchanged when neither flag is set.

Validation

• cargo fmt --all
• cargo test -p rustfs-cli replicate
• cargo test -p rustfs-cli help_contract
• cargo clippy --workspace -- -D warnings
• cargo test --workspace

Notes

• This PR does not include a live RustFS end-to-end replication smoke test.