
feat(clients): Add permission and expiry overrides to Session.mint_token #432

Draft
lcian wants to merge 1 commit into main from lcian/feat/mint-token-permissions


@lcian lcian commented Apr 16, 2026

Summary

Allow callers to mint tokens with a subset of the session's permissions and/or a custom expiry, so they can hand out restricted tokens to downstream consumers.

Rust client

  • Session::mint_token() returns a MintTokenBuilder with deferred error via internal Result, matching the ClientBuilder pattern.
  • Builder exposes .permissions(&[Permission]) and .expiry_seconds(u64) setters.
  • .mint() terminal method surfaces any accumulated errors.
  • New error variants: NoTokenGenerator, PermissionEscalation.

```rust
let token = session.mint_token()
    .permissions(&[Permission::ObjectRead])
    .expiry_seconds(30)
    .mint()?;
```

Python client

  • Session.mint_token(permissions=..., expiry_seconds=...) with optional overrides.
  • Raises ValueError when no TokenGenerator is configured or when requested permissions exceed the generator's configured set.

```python
token = session.mint_token(
    permissions=[Permission.OBJECT_READ],
    expiry_seconds=30,
)
```

Shared behavior

  • Both clients now use a separate internal method for auth headers (auth_token / _auth_token), keeping mint_token as a public API exclusively for producing restricted tokens.
  • Permission escalation is prevented: requesting permissions not granted to the generator is an error.

Test plan

  • cargo test -p objectstore-client --all-features — all passing
  • cargo clippy --workspace --all-targets --all-features --no-deps — clean
  • uv run pytest tests/ -x -q — all 26 tests passing
  • uv run ruff check && uv run mypy . — clean

Allow callers to mint tokens with a subset of the session's permissions
and/or a custom expiry, so they can hand out restricted tokens to
downstream consumers.

Rust client:
- `Session::mint_token()` returns a `MintTokenBuilder` (with deferred
  error via internal `Result`, matching `ClientBuilder` pattern).
- Builder exposes `.permissions()` and `.expiry_seconds()` setters.
- `.mint()` terminal method surfaces any accumulated errors.
- New error variants: `NoTokenGenerator`, `PermissionEscalation`.

Python client:
- `Session.mint_token(permissions=..., expiry_seconds=...)` with
  optional overrides.
- Raises `ValueError` when no `TokenGenerator` is configured or when
  requested permissions exceed the generator's configured set.

Both clients now use a separate internal method for auth headers,
keeping `mint_token` as a public API exclusively for producing
restricted tokens.
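
The escalation rule described in the summary above, as an added sketch that is not the objectstore client's own code: a requested permission set must be a subset of what the generator was configured with, and the call fails closed otherwise. `Permission.OBJECT_WRITE`, the enum values, the `Claims` type, the `TokenGenerator` fields and the positive-expiry check are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Permission(Enum):
    OBJECT_READ = "object.read"    # name from the PR description; value constructed
    OBJECT_WRITE = "object.write"  # hypothetical second permission


@dataclass(frozen=True)
class TokenGenerator:
    """Hypothetical stand-in: what a session is allowed to grant."""
    permissions: frozenset
    expiry_seconds: int = 60


@dataclass(frozen=True)
class Claims:
    """What a minted token would carry; a real client would sign these."""
    permissions: frozenset
    expiry_seconds: int


class Session:
    def __init__(self, generator=None):
        self._generator = generator

    def mint_token(self, permissions=None, expiry_seconds=None):
        gen = self._generator
        if gen is None:
            raise ValueError("no TokenGenerator configured")
        # No override means the generator's full configured set.
        requested = gen.permissions if permissions is None else frozenset(permissions)
        escalated = requested - gen.permissions
        if escalated:
            # Fail closed: never drop the extra permissions and mint anyway.
            names = sorted(p.name for p in escalated)
            raise ValueError(f"permission escalation: {names}")
        ttl = gen.expiry_seconds if expiry_seconds is None else expiry_seconds
        if ttl <= 0:  # assumption: the page does not say how expiry is validated
            raise ValueError("expiry_seconds must be positive")
        return Claims(requested, ttl)
```
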

@github-actions

Semver Impact of This PR

🟡 Minor (new features)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


New Features ✨

  • (clients) Add permission and expiry overrides to Session.mint_token by lcian in #432

🤖 This preview updates automatically when you update the PR.
