
Fix CVE-2026-9648: require crypton-x509-validation >= 1.9.1#205

Merged
ikaro1192 merged 1 commit into main from worktree-crispy-giggling-mochi on Jun 15, 2026

Conversation

@ikaro1192

Owner

Summary

  • PureMyHA validates MySQL server certificates (verify-ca / verify-full modes) via crypton-x509-validation in src/PureMyHA/MySQL/TLS.hs.
  • Versions of that library before 1.9.1 fail to enforce X.509 NameConstraints (CVE-2026-9648 / CWE-295), allowing a name-constrained sub-CA to issue certificates for domains outside its permitted subtree — enabling MITM / domain impersonation.
  • The previous >= 1.6 lower bound permitted resolving a vulnerable version. Bumped to >= 1.9.1 (the patched release).
  • skip-verify / disabled modes do not perform validation and are unaffected (they already emit a startup WARN).

Test plan

  • cabal update then cabal build all resolves crypton-x509-validation-1.9.1 and links cleanly.
  • cabal test passes (51/51).
  • Verify TLS E2E (verify-ca / verify-full) still connects against the test MySQL container.

🤖 Generated with Claude Code

Versions of crypton-x509-validation before 1.9.1 fail to enforce X.509
NameConstraints (CWE-295), letting a name-constrained sub-CA issue certs
for domains outside its permitted subtree. PureMyHA uses this library for
MySQL TLS certificate validation (verify-ca and verify-full modes), so it
was exposed to MITM/impersonation. Bump the lower bound to the patched
release.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
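The NameConstraints enforcement the PR description refers to, as an added example in Python that is not PureMyHA's or crypton-x509-validation's code: it models certificates as already-parsed records (an assumption, no ASN.1 parsing) and reports which SAN dNSNames of a certificate fall outside its issuing sub-CA's permitted subtree or inside an excluded one, which is the check a chain validator must run for a constrained sub-CA to stay confined.

```python
# Added example, not PureMyHA's code: the dNSName NameConstraints check of
# RFC 5280 4.2.1.10 / 6.1.4 over already-parsed certificate records (assumption).
from dataclasses import dataclass, field
from typing import List

@dataclass
class Cert:
    san_dns: List[str]                                   # subjectAltName dNSName entries
    permitted: List[str] = field(default_factory=list)   # NameConstraints permittedSubtrees
    excluded: List[str] = field(default_factory=list)    # NameConstraints excludedSubtrees

def _canon(n: str) -> str:
    return n.lower().rstrip(".")

def dns_in_subtree(name: str, constraint: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName satisfies a constraint when it equals it
    or is formed by adding labels on the left. A leading '.' (used by some
    CA profiles) is treated here, by assumption, as 'proper subdomain only'."""
    name, constraint = _canon(name), _canon(constraint)
    if constraint.startswith("."):
        return name.endswith(constraint)
    return name == constraint or name.endswith("." + constraint)

def violations(chain: List[Cert]) -> List[str]:
    """chain[0] is the leaf, chain[-1] the trust anchor. Every certificate
    below a constrained CA must satisfy that CA's constraints (RFC 5280
    6.1.4): permitted subtrees intersect, excluded subtrees accumulate."""
    problems = []
    for i, cert in enumerate(chain[:-1]):
        issuers = chain[i + 1:]
        excluded = [x for ca in issuers for x in ca.excluded]
        for n in cert.san_dns:
            if any(dns_in_subtree(n, x) for x in excluded):
                problems.append(f"{n}: in an excluded subtree")
                continue
            for ca in issuers:  # each issuer's permitted list must be met on its own
                if ca.permitted and not any(dns_in_subtree(n, p) for p in ca.permitted):
                    problems.append(f"{n}: outside permitted subtrees {ca.permitted}")
                    break
    return problems

# Constructed sample chain: root, a sub-CA constrained to corp.example, three leaves.
ROOT = Cert(san_dns=[])
SUB_CA = Cert(san_dns=[], permitted=["corp.example"], excluded=["lab.corp.example"])
IN_SCOPE_LEAF = Cert(san_dns=["mysql-primary.corp.example"])
OUT_OF_SCOPE_LEAF = Cert(san_dns=["mysql.other.example"])   # what a skipped check would accept
EXCLUDED_LEAF = Cert(san_dns=["db.lab.corp.example"])
```

Run `violations([leaf, SUB_CA, ROOT])` for each leaf: the in-scope leaf yields no problems, the other two are rejected with the reason recorded.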
@codecov

codecov Bot commented Jun 15, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.18%. Comparing base (a02b5ce) to head (648fb7f).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #205   +/-   ##
=======================================
  Coverage   97.18%   97.18%           
=======================================
  Files          50       50           
  Lines        8175     8175           
=======================================
  Hits         7945     7945           
  Misses        230      230           


@ikaro1192 ikaro1192 merged commit fe117cc into main Jun 15, 2026
12 checks passed
@ikaro1192 ikaro1192 deleted the worktree-crispy-giggling-mochi branch June 15, 2026 05:41