feat: surface TLS error cause chain in forge_tls_client logs (refs #1…

[rpowers-nv]

Description

mTLS connection failures from forge_tls_client were logged as
'Unknown error', "client error (Connect)" with no indication TLS was
involved. Root cause: tonic::Status wraps the underlying transport
error in its source() chain, but the standard library Display impl
for errors doesn't recurse — so logging with {} (or to_string())
drops the rustls/hyper detail underneath.

This change adds a small private format_error_chain helper that walks
std::error::Error::source() and joins each level with : , then uses
it at the four log/wrap sites in crates/rpc/src/forge_tls_client.rs
(per-attempt log + Connection(String) wrapping, in both retry_build
and retry_build_nmx_c).

To exercise the change locally, we created a CA mismatch as a
representative mTLS failure mode. Same client log line, before vs. after:

Before:
... will retry: status: 'Unknown error', self: "client error (Connect)"

After:
... will retry: status: 'Unknown error', self: "client error (Connect)":
client error (Connect): invalid peer certificate: UnknownIssuer

The same code path is hit by every mTLS client of carbide-api (DHCP,
machine-a-tron, etc.) — they all funnel through
ForgeTlsClient::retry_build, so this benefits all of them.

Type of Change

• Add - New feature or capability
• Change - Changes in existing functionality
• Fix - Bug fixes
• Remove - Removed features or deprecated functionality
• Internal - Internal changes (refactoring, tests, docs, etc.)

Related Issues (Optional)

Closes #1088

Breaking Changes

• This PR contains breaking changes

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• No testing required (docs, internal refactor, etc.)

Two new unit tests verify format_error_chain walks a chain and handles
the no-source case. Manual end-to-end: reproduced the original failure
mode against machine-a-tron on a local kind cluster, captured before/
after log lines (shown above).

Additional Notes

The fix is generic — it surfaces whatever the underlying error chain
contains, not just cert errors. Other mTLS failures (handshake errors,
expired certs, hostname mismatches) will get the same treatment.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[poroh]

/ok to test 2b583fd

[poroh]

/ok to test 956b40b

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pull-request-1160.docs.buildwithfern.com/infra-controller

[ajf]

/ok to test e499a3f

[ajf]

/ok to test 815a6d4

[akorobkov-nvda]

Looks good to me

[ajf]

/ok to test 35fe69e

[rpowers-nv]

@ajf I am unable to merge myself so let me know if there is anything else I should do here.