
feat: forest-aware coercion + credential pairing in auto_ntlm_relay#315

Merged
l50 merged 1 commit into feat/more-attack-cov from feat/dreadgoad-ntlm-relay-forest on May 14, 2026

Conversation

@l50
Contributor

@l50 l50 commented May 13, 2026

Key Changes:

  • Implemented forest-aware selection of coercion sources and credentials for NTLM relay
  • Allowed unauthenticated PetitPotam relays when no matching credentials exist
  • Enhanced test coverage for cross-forest and credential-pairing logic
  • Updated data models and logic to support optional credentials

Added:

  • Forest-aware DC and credential pairing logic to ensure relays use domain controllers and credentials from the same forest as the relay target, improving reliability for NTLM relay and PetitPotam attacks
  • Helper functions: same_forest_domain, host_domain_for_ip, find_coercion_source_for_forest, and pick_credential_for_forest to encapsulate domain/forest logic and credential selection
  • Extensive tests covering parent-child domain trusts, fallback behavior, unauthenticated relays, and helper correctness

Changed:

  • Modified relay dispatch logic to allow credential: None when no suitable credential is found, enabling unauthenticated PetitPotam relays
  • Updated the relay work item structure to make credentials optional, reflecting the new unauthenticated relay path
  • Refactored payload construction to include the credential field only when present
  • Adjusted relay work collection to remove the short-circuit on empty credentials, ensuring unauthenticated relays are still attempted
  • Improved prioritization for coercion source and credential selection, preferring same-forest matches but falling back to any available DC or unauthenticated relays as needed
  • Revised and extended tests to verify new forest-aware behavior and credential selection logic

Removed:

  • Obsolete test (collect_relay_work_no_credentials) that assumed no relay work is possible without credentials, replaced by tests verifying unauthenticated paths

…automation

**Added:**

- Implement forest-aware pairing for coercion sources and credentials, ensuring NTLM relay attempts use a DC and credential from the same forest as the relay target when possible
- Add helper functions `same_forest_domain`, `host_domain_for_ip`, and `pick_credential_for_forest` to support domain matching and credential selection
- Extend tests to cover forest-aware coercion, credential pairing, and new helper functions

**Changed:**

- Update relay work item construction to allow for optional credentials, enabling unauthenticated PetitPotam relays when no suitable credential is found
- Replace the previous "first credential" approach with logic that selects a credential matching the coercion source's forest or falls back to unauthenticated relay
- Modify relay payload construction to include the credential field only when present
- Refactor coercion source selection to prefer domain controllers in the same forest as the relay target
- Adjust logic to generate relay work even when no credentials are present, so unauthenticated relays are still attempted
- Update and expand tests to reflect new forest-aware logic and removal of credential short-circuiting

**Removed:**

- Remove the `collect_relay_work_no_credentials` test, as relay work is now produced even without credentials
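To make the forest-membership rule in the description concrete, here is an added example in Rust. It is not code from the ares-cli project: only the four function names come from the PR; the `Credential` and `DomainController` structs, the IP-to-domain inventory map and every function body are my own assumptions. It shows the parent-child check as a DNS suffix test, the same-forest credential selection that returns `None` when nothing matches (the unauthenticated path the PR adds), and DC selection that prefers the target's forest and otherwise falls back to any DC. One caveat the suffix test does not cover: a forest may contain a second domain tree with an unrelated DNS suffix, so suffix matching under-approximates membership, and an inventory that records the forest root per domain is more reliable. From the defensive side the same test is what you would run over your own inventory to see which domains fall inside one trust boundary.

```rust
use std::collections::HashMap;
use std::net::IpAddr;

/// Illustrative credential record (assumed shape, not the project's type).
#[derive(Debug, Clone, PartialEq)]
pub struct Credential {
    pub domain: String,
    pub username: String,
}

/// Illustrative domain controller record (assumed shape, not the project's type).
#[derive(Debug, Clone, PartialEq)]
pub struct DomainController {
    pub ip: IpAddr,
    pub domain: String,
}

/// True when `domain` is the forest root itself or a child domain beneath it
/// (parent-child trust). DNS names compare case-insensitively and a trailing
/// dot is ignored. Limitation: a second tree in the same forest with a
/// different suffix is not recognised by this test.
pub fn same_forest_domain(domain: &str, forest_root: &str) -> bool {
    let d = domain.trim_end_matches('.').to_ascii_lowercase();
    let r = forest_root.trim_end_matches('.').to_ascii_lowercase();
    if d.is_empty() || r.is_empty() {
        return false;
    }
    d == r || d.ends_with(&format!(".{}", r))
}

/// Resolves the domain a host belongs to from an inventory map (IP -> domain).
/// The map is an assumed data source standing in for whatever the tool keeps.
pub fn host_domain_for_ip(inventory: &HashMap<IpAddr, String>, ip: IpAddr) -> Option<&str> {
    inventory.get(&ip).map(String::as_str)
}

/// Prefers a DC in the target's forest; falls back to the first DC of any
/// forest when none matches, mirroring the fallback the PR describes.
pub fn find_coercion_source_for_forest<'a>(
    dcs: &'a [DomainController],
    forest_root: &str,
) -> Option<&'a DomainController> {
    dcs.iter()
        .find(|dc| same_forest_domain(&dc.domain, forest_root))
        .or_else(|| dcs.first())
}

/// Picks the first credential whose domain is in the target's forest.
/// `None` means "no suitable credential": the caller proceeds unauthenticated
/// rather than using a credential from an unrelated forest.
pub fn pick_credential_for_forest<'a>(
    creds: &'a [Credential],
    forest_root: &str,
) -> Option<&'a Credential> {
    creds.iter().find(|c| same_forest_domain(&c.domain, forest_root))
}

fn main() {
    // Constructed sample inventory; no real hosts or domains.
    let mut inventory = HashMap::new();
    inventory.insert("10.0.0.1".parse::<IpAddr>().unwrap(), "other.example".to_string());
    inventory.insert("10.0.0.2".parse::<IpAddr>().unwrap(), "child.corp.example".to_string());

    let target_ip: IpAddr = "10.0.0.2".parse().unwrap();
    let target_domain = host_domain_for_ip(&inventory, target_ip).unwrap_or("");
    println!("target {} is in domain {}", target_ip, target_domain);
    println!(
        "child.corp.example in forest corp.example: {}",
        same_forest_domain(target_domain, "corp.example")
    );
}
```

The `'a` lifetimes tie the returned reference to the input slice, so the caller borrows from its own inventory instead of cloning records; `None` from `pick_credential_for_forest` is a deliberate signal, not an error, which is why it is not wrapped in a `Result`.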
@codecov

codecov Bot commented May 13, 2026

Codecov Report

❌ Patch coverage is 89.21933% with 29 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.88%. Comparing base (1d559f3) to head (7d8a214).
⚠️ Report is 2 commits behind head on feat/more-attack-cov.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ares-cli/src/orchestrator/automation/ntlm_relay.rs | 89.21% | 29 Missing ⚠️ |

```
@@                   Coverage Diff                    @@
##           feat/more-attack-cov     #315      +/-   ##
========================================================
+ Coverage                 77.69%   77.88%   +0.19%     
========================================================
  Files                       439      439              
  Lines                    121368   121877     +509     
========================================================
+ Hits                      94294    94927     +633     
+ Misses                    27074    26950     -124     
```
| Files with missing lines | Coverage Δ |
|---|---|
| ares-cli/src/orchestrator/automation/ntlm_relay.rs | 91.43% <89.21%> (+1.82%) ⬆️ |

... and 4 files with indirect coverage changes


@l50 l50 merged commit 7b2465e into feat/more-attack-cov May 14, 2026
12 checks passed
@l50 l50 deleted the feat/dreadgoad-ntlm-relay-forest branch May 14, 2026 02:11
