ci: create .duvet/config.toml

[camshaft]

Description of changes:

This change updates our duvet scripts to use the new config format from: awslabs/duvet#152.

$ ./compliance/generate_report.sh 
  Extracting requirements
   Extracted requirements from 8 specifications 40ms
    Scanning sources
     Scanned 1105 sources 56ms
     Parsing annotations
      Parsed 1368 annotations 216ms
     Loading specifications
      Loaded 18 specifications 9ms
     Mapping sections
      Mapped 219 sections 722µs
    Matching references
     Matched 4299 references 12ms
     Sorting references
      Sorted 4299 references 45ms
     Writing .duvet/reports/report.html
       Wrote .duvet/reports/report.html 8ms
     Writing .duvet/snapshot.txt
       Wrote .duvet/snapshot.txt 3ms

Callouts:

I split up the changes into 2 commits. The first creates the config, updates the scripts, and moves all of the requirement files from compliance/specs to .duvet/requirements: 132053b

The second commit pulls in the latest duvet extraction logic and updates the requirement files. This now preserves whitespace from the original RFC text: fcc7920

Testing:

Successful CI run here: https://github.com/aws/s2n-tls/actions/runs/12917769399/job/36024878800?pr=5055

The current mainline report is available here: https://d3fqnyekunr9xg.cloudfront.net/efb35006de554a9e9c0d74fb84e4fd74a039f144/compliance.html

Comparing the mainline report (on the left) to the new report (on the right), there is no change in requirement coverage:

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[lrstewart]

This is a big PR, but I'm not seeing where these are moving to. They were manually generated because there aren't any "MUST"s in the original. Is the JA4 spec still being checked?

[camshaft]

Ah I didn't realize they were done manually. I can fix those.

[lrstewart]

Could you add more to the "Testing" section? I assume we're not supposed to review 361 files manually, so how have you confirmed that we're generating the same (or a better?) report? Especially given #5055 (comment)