chore(deps): drop unmaintained rustls-pemfile; axum-server 0.7 -> 0.8

axum-server was used only for the plain-HTTP nvhttp listener, but we enabled
its tls-rustls feature (HTTPS is hand-rolled over tokio-rustls) — and that
feature was what pulled the unmaintained rustls-pemfile (RUSTSEC-2025-0134).
Drop the feature, bump axum-server to 0.8 (0.8 also no longer pulls it), and
move our own PEM parsing in gamestream/tls.rs to rustls-pki-types' PemObject
(the same path punktfunk-core/quic.rs already uses), removing our direct
rustls-pemfile dep too.

Net: rustls-pemfile fully gone; dependency graph trimmed 547 -> 529 crates
(the tls-rustls feature also dragged in prettyplease + a wasm-tooling chain).
cargo audit now reports only audiopus_sys + paste (transitive, latest, no
successor). 108 host tests + clippy + fmt green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

crates/punktfunk-host/Cargo.toml

@@ -35,9 +35,11 @@ base64 = "0.22"
 ureq = "2"
 rcgen = { version = "0.13", default-features = false, features = ["aws_lc_rs", "pem"] }
 x509-parser = "0.16"
-axum-server = { version = "0.7", features = ["tls-rustls"] }
+# Only used for the plain-HTTP nvhttp listener (`bind().serve()`); HTTPS/mTLS is hand-rolled over
+# tokio-rustls (axum-server can't surface the peer cert), so we do NOT enable `tls-rustls` — that
+# feature is what pulled the unmaintained `rustls-pemfile` (security-review dep hygiene).
+axum-server = "0.8"
 rustls = "0.23"
-rustls-pemfile = "2"
 # Manual HTTPS+mTLS serve loop for the mgmt API (axum-server can't surface the peer cert): a
 # tokio-rustls handshake exposes the client cert, then hyper serves the axum Router with the
 # verified fingerprint injected as a request extension. Versions match the workspace lock.

crates/punktfunk-host/src/gamestream/tls.rs

@@ -7,11 +7,12 @@
 //! fingerprint ([`PeerCertFingerprint`]) to each request, and the nvhttp/mgmt handlers reject
 //! callers whose fingerprint is not pinned (mirroring Apollo's post-handshake `get_verified_cert`).
 
-use anyhow::{anyhow, Context, Result};
+use anyhow::{Context, Result};
 use axum::Router;
 use rustls::client::danger::HandshakeSignatureValid;
 use rustls::crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider};
-use rustls::pki_types::{CertificateDer, UnixTime};
+use rustls::pki_types::pem::PemObject;
+use rustls::pki_types::{CertificateDer, PrivateKeyDer, UnixTime};
 use rustls::server::danger::{ClientCertVerified, ClientCertVerifier};
 use rustls::{DigitallySignedStruct, DistinguishedName, ServerConfig, SignatureScheme};
 use std::net::SocketAddr;
@@ -177,12 +178,12 @@ fn build_server_config(
     mandatory: bool,
 ) -> Result<Arc<ServerConfig>> {
     let provider = Arc::new(rustls::crypto::aws_lc_rs::default_provider());
-    let certs = rustls_pemfile::certs(&mut cert_pem.as_bytes())
+    // PEM parsing via rustls-pki-types (the same `PemObject` path punktfunk-core/quic.rs uses),
+    // so we don't pull the unmaintained `rustls-pemfile`.
+    let certs = CertificateDer::pem_slice_iter(cert_pem.as_bytes())
         .collect::<std::result::Result<Vec<_>, _>>()
         .context("parse host cert PEM")?;
-    let key = rustls_pemfile::private_key(&mut key_pem.as_bytes())
-        .context("parse host key PEM")?
-        .ok_or_else(|| anyhow!("no private key in host key PEM"))?;
+    let key = PrivateKeyDer::from_pem_slice(key_pem.as_bytes()).context("parse host key PEM")?;
 
     let verifier = Arc::new(AcceptAnyClientCert {
         provider: provider.clone(),