Add default_symcrypt_provider_arc for cached provider access

[ismailhkose]

Summary

• Add default_symcrypt_provider_arc() -> Arc<CryptoProvider> returning a process-cached provider via std::sync::OnceLock. First call constructs once; subsequent calls are an atomic refcount bump.
• Bump MSRV 1.64.0 → 1.70.0 (required by OnceLock).
• Bump crate version 0.2.2 → 0.2.3.

Motivation

default_symcrypt_provider() allocates a fresh Vec<SupportedCipherSuite> and Vec<&dyn SupportedKxGroup> on every call. Code paths that need an Arc<CryptoProvider> (the shape rustls' ClientConfig::builder_with_provider accepts) end up writing Arc::new(default_symcrypt_provider()) and re-paying that cost per connection / per test / per config builder.

default_symcrypt_provider_arc() gives callers a zero-allocation hot path while leaving default_symcrypt_provider() untouched for callers that genuinely want a fresh, owned provider.

API

let provider = default_symcrypt_provider_arc();
let config = ClientConfig::builder_with_provider(provider)
    .with_safe_default_protocol_versions()?
    .with_root_certificates(root_store)
    .with_no_client_auth();

MSRV note

OnceLock is stable since 1.70.0. If keeping 1.64.0 is a hard requirement, the alternative is once_cell::sync::OnceCell (already a dev-dependency); happy to switch if preferred.

Test plan

• New unit test test_default_symcrypt_provider_arc_is_cached asserts Arc::ptr_eq across two calls and that the cached provider has the expected cipher suites / kx groups.
• cargo clippy --lib -- -Dwarnings clean.
• cargo test — existing tests unaffected.

[nnmkhang]

LGTM