test: Suite 6 — proxy + DoT coexistence, NUMA_DATA_DIR override

Adds integration test coverage for the realistic production shape
where both the HTTPS proxy and DoT are enabled simultaneously. This
was previously untested — every existing suite had either one or the
other, so the interaction path was implicit.

What Suite 6 verifies:
- Both listeners bind without panic
- DoT still resolves queries with the proxy enabled
- Proxy HTTPS handshake still works with DoT enabled
- Both certs validate against the same shared CA

To run non-root, adds a NUMA_DATA_DIR env var override to data_dir()
that lets callers point the CA/cert storage at any writable path.
Useful beyond tests: containerized deployments, CI runners, dev
testing without sudo. The fallback is the existing platform-specific
path (unix: /usr/local/var/numa, windows: %PROGRAMDATA%\numa).

Suite 6 sets NUMA_DATA_DIR=/tmp/numa-integration-data before
starting numa, then trusts the generated CA at $NUMA_DATA_DIR/ca.pem
for both kdig (DoT query) and openssl s_client (HTTPS proxy
handshake) verification.

All 6 suites, 32 checks, run non-root and pass locally.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Razvan Dimescu
2026-04-08 01:12:16 +03:00
parent c98e6c3ea9
commit 7f52bd8a32
2 changed files with 116 additions and 0 deletions

@@ -67,9 +67,14 @@ fn config_dir_unix() -> std::path::PathBuf {
}
/// System-wide data directory for TLS certs.
/// Override with `NUMA_DATA_DIR` env var (useful for containerized
/// deployments and integration tests that can't write to the default path).
/// Unix: /usr/local/var/numa
/// Windows: %PROGRAMDATA%\numa
pub fn data_dir() -> std::path::PathBuf {
if let Ok(dir) = std::env::var("NUMA_DATA_DIR") {
return std::path::PathBuf::from(dir);
}
#[cfg(windows)]
{
std::path::PathBuf::from(
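
Review bot: The `if let Ok(dir) = std::env::var("NUMA_DATA_DIR")` branch in `data_dir()` uses the value with no validation. An empty string returns an empty `PathBuf`, and a relative value resolves against whatever the process working directory happens to be, so in both cases the CA and certs end up somewhere the operator did not choose. `std::env::var` also returns `Err` when the value is not valid Unicode, which silently falls back to the platform default instead of reporting the bad override. Suggest reading it with `std::env::var_os("NUMA_DATA_DIR").filter(|d| !d.is_empty())`, rejecting or logging non-absolute paths, and adding a line to the doc comment stating that this directory stores the CA and TLS certs and should be owned by the numa user and not writable by others. That last point matters for shared parents such as the `/tmp/numa-integration-data` path named in the commit message.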