feat: add iOS 18 system TLS fingerprint

[bekesibeni]

Closes #450. Builds on apify/rustls#NN (merged in 1ebb6d4).

Adds an iOS 18 system TLS fingerprint as Browser::Ios18 (string: "ios18").

Why "iOS" not "Safari"

On iOS, App Store policy forces every app to use the OS networking stack (NSURLSession / Network.framework / WKWebView). Captured Safari iOS 26.5 and Chrome iOS 148 on the same iOS 18.7 device - JA3, JA4, peetprint, and Akamai H/2 hashes were byte-identical. The single profile covers Safari, Chrome iOS, Firefox iOS, Edge iOS, and native iOS apps.

Verification

Tested via debug build of impit-node against https://tls.peet.ws/api/all:

• JA3: ecdf4f49dd59effc439639da29186671 - byte-identical to a real iPhone capture
• JA4: t13d2013h2_a09f3c656075_7f0f34a4126d - byte-identical to a real iPhone capture
• All 15 TLS extensions in correct order including the 2 GREASE bookends
• Cipher list includes the 3 legacy 3DES suites (advertise-only - pulled in via the rustls PR)
• compress_certificate with zlib emitted correctly (also pulled in via the rustls PR)

Known limitations (impit-wide, not iOS-specific)

• peetprint doesn't include GREASE in the supported_versions field - affects every browser profile in impit (rustls-side limitation in how SupportedProtocolVersions is encoded).
• akamai_fingerprint differs because Http2Fingerprint doesn't expose MAX_CONCURRENT_STREAMS / NO_RFC7540_PRIORITIES / SETTINGS frame ordering - same gap exists for all profiles

Happy to file follow-up issues for those if you want them tracked.

Wiring

• New file impit/src/fingerprint/database/safari.rs with ios_18 submodule (file named safari.rs to leave room for safari_macos_* later; inner module reflects what it actually captures)
• Exposed in database.rs
• 3 advertise-only 3DES variants added to CipherSuite enum + mod.rs dispatch arms (matching the new variants in apify/rustls#NN)
• Node binding: Browser::Ios18 (string "ios18")
• Python binding: "ios18" accepted by sync + async clients, added to Browser Literal