refactor(ext/node): wire up native TLSWrap from JS (#33184)
Replace the `kStreamBaseField`-based TLS implementation with a native `TLSWrap` cppgc object backed by rustls. This eliminates the async stream-swap pattern where TLS upgrades worked by swapping `handle[kStreamBaseField]` from a `TcpConn` to a `TlsConn`.

Key changes:

- Rewrite `_tls_wrap.js`: `TLSSocket` uses `tls_wrap.wrap()` to create a Rust-backed TLS interceptor between JS and the underlying TCP stream
- TLS server rewritten to use `net.Server` (matching Node.js) instead of `Deno.listenTls()` directly
- Add `JSStreamSocket` for TLS over arbitrary Duplex streams
- Certificate errors now use Node-style codes (`UNABLE_TO_VERIFY_LEAF_SIGNATURE`) instead of Deno-style (`InvalidData: invalid peer certificate: UnknownIssuer`)
- Explicit `ca` in SecureContext takes precedence over global `setDefaultCACertificates()`, matching Node.js behavior
- Strip trailing dot from servername before passing to rustls
- Remove all `Deno.*` API usage from `_tls_wrap.js`

Based on #32819 by @nathanwhit, adapted for incremental landing.

---------

Co-authored-by: Nathan Whitaker <user@example.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bartek Iwańczuk committed
3ec37cc7e012dc091fb7f592dcbb971fd207f926
Parent: b8ec861
Committed by GitHub <noreply@github.com>
on 4/8/2026, 7:15:23 AM