feat: C14N implementation (inclusive + exclusive) #5

@polaz

Summary

Implement XML Canonicalization (C14N) — the foundation for XML Digital Signatures.

Scope

  • Inclusive C14N 1.0 (with/without comments)
  • Exclusive C14N 1.0 (with/without comments) + InclusiveNamespaces PrefixList
  • Document-order tree walker on top of roxmltree
  • Text/attribute value escaping per W3C spec
  • Namespace rendering (inclusive: all in-scope; exclusive: visibly-utilized only)
  • Attribute sorting (ns decls by prefix, then regular attrs by ns-uri + local-name)
  • Document-level comment/PI separator handling

Acceptance Criteria

  • canonicalize_xml() and canonicalize() public API
  • All 6 algorithm URIs parsed and round-tripped
  • Integration tests match xmllint reference output for:
    • Simple namespaced document (inclusive + exclusive)
    • Merlin-like nested namespace document (inclusive + exclusive)
    • Namespaced attribute sorting
    • Comments/PI handling
    • CDATA flattening
    • Idempotency
  • Clippy clean, 0 warnings
  • Doc-tests pass

Known Gaps (documented in ROADMAP)

  • G001: xml:* attribute inheritance in document subsets — not needed for SAML
  • G002: Merlin XPath-subset test vectors require XPath evaluator (Phase 4)
  • G003: roxmltree ns enumeration edge case — monitor

References

  • arch/c14n.md
  • .refs/features/01-c14n-inclusive.md, 02-c14n-exclusive.md
  • ROADMAP tasks: P1-001 through P1-012
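
The escaping and attribute-ordering rules listed under Scope, sketched as an added example (not code from this repository): text nodes and attribute values use different escape sets, and attributes sort by namespace URI rather than prefix, which is what keeps the digested bytes identical across serializers. The names `escape`, `Attr` and `start_tag` are hypothetical, and the input is hand-built rather than read from roxmltree.

```rust
// Added example; names are hypothetical, not this crate's API.
/// Escape per Canonical XML 1.0; text nodes and attribute values differ.
fn escape(s: &str, in_attr: bool) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match (c, in_attr) {
            ('&', _) => out.push_str("&amp;"),
            ('<', _) => out.push_str("&lt;"),
            ('\r', _) => out.push_str("&#xD;"),
            ('>', false) => out.push_str("&gt;"), // text nodes only
            ('"', true) => out.push_str("&quot;"), // attribute values only
            ('\t', true) => out.push_str("&#x9;"),
            ('\n', true) => out.push_str("&#xA;"),
            _ => out.push(c),
        }
    }
    out
}

struct Attr<'a> { prefix: &'a str, ns_uri: &'a str, local: &'a str, value: &'a str }

/// Namespace declarations first, sorted by prefix (default namespace first),
/// then attributes sorted by (namespace URI, local name), not by prefix.
fn start_tag(qname: &str, ns_decls: &mut [(&str, &str)], attrs: &mut [Attr<'_>]) -> String {
    ns_decls.sort_by(|a, b| a.0.cmp(b.0));
    attrs.sort_by(|a, b| (a.ns_uri, a.local).cmp(&(b.ns_uri, b.local)));
    let mut out = format!("<{}", qname);
    for (prefix, uri) in ns_decls.iter() {
        let name = if prefix.is_empty() { "xmlns".to_string() } else { format!("xmlns:{}", prefix) };
        out.push_str(&format!(" {}=\"{}\"", name, escape(uri, true)));
    }
    for a in attrs.iter() {
        let name = if a.prefix.is_empty() { a.local.to_string() } else { format!("{}:{}", a.prefix, a.local) };
        out.push_str(&format!(" {}=\"{}\"", name, escape(a.value, true)));
    }
    out.push('>');
    out
}

fn main() {
    // Constructed sample: prefix order (a, z) is the reverse of URI order (urn:a, urn:z).
    let mut ns = [("z", "urn:a"), ("", "urn:default"), ("a", "urn:z")];
    let mut attrs = [
        Attr { prefix: "a", ns_uri: "urn:z", local: "attr", value: "1" },
        Attr { prefix: "z", ns_uri: "urn:a", local: "attr", value: "x\"<y" },
        Attr { prefix: "", ns_uri: "", local: "id", value: "a\tb" },
    ];
    println!("{}{}", start_tag("e", &mut ns, &mut attrs), escape("1 < 2 & 3 > 2\r", false));
}
```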
