Add TLS keylog AES-GCM decryption support #22

Open
keilogic wants to merge 1 commit into SuperCowPowers:master from keilogic:keylog-tls12-gcm
keilogic commented Jun 1, 2026

Summary

Refs #11.

Adds a concrete first TLS keylog decryption path for NSS/SSLKEYLOGFILE captures:

  • parses CLIENT_RANDOM keylog entries
  • extracts ClientHello and ServerHello random/cipher metadata from TLS streams
  • derives TLS 1.2 AES-GCM traffic keys for common RSA/ECDHE RSA/ECDHE ECDSA AES-GCM cipher suites
  • decrypts TLS 1.2 AES-GCM encrypted records with pycryptodome
  • attaches decrypted record metadata to TLSMeta when enough session/keylog data is available
  • adds urlwatch --keylog captured.keylog so decrypted TLS record previews can be printed from the existing watcher

This intentionally does not claim full TLS coverage. TLS 1.3 traffic-secret reconstruction and full live HTTP request/response pairing across both directions remain follow-up work.

Verification

  • py -m py_compile chains\utils\tls_keylog.py chains\utils\tls_keylog_test.py chains\links\tls_meta.py chains\links\tls_meta_keylog_test.py setup.py scripts\urlwatch
  • py -m pytest chains\utils\tls_keylog_test.py chains\links\tls_meta_keylog_test.py -q
  • py -m flake8 chains\utils\tls_keylog.py chains\utils\tls_keylog_test.py chains\links\tls_meta.py chains\links\tls_meta_keylog_test.py setup.py scripts\urlwatch
  • git diff --check
  • py setup.py --name

py -m pytest chains -q is blocked in this local Windows/Python 3.13 environment before reaching this change because pcapy and netifaces are not installed.
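
The keylog parsing and TLS 1.2 AES-GCM key derivation steps listed in the summary above, as an added example that is not code from this pull request or the project. It uses only the Python standard library and stops before the AES-GCM decrypt call; the function names, the suite table and the sample keylog are constructed for illustration.

```python
import hashlib
import hmac

# Cipher suite id -> (AES key length, PRF hash) for the AES-GCM suites of RFC 5288/5289
SHA256, SHA384 = hashlib.sha256, hashlib.sha384
GCM_SUITES = {0x009C: (16, SHA256), 0x009D: (32, SHA384), 0xC02B: (16, SHA256),
              0xC02C: (32, SHA384), 0xC02F: (16, SHA256), 0xC030: (32, SHA384)}

def parse_keylog(text):
    """Return {client_random: master_secret} from CLIENT_RANDOM lines only."""
    secrets = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "CLIENT_RANDOM":
            continue  # comments, blank lines, TLS 1.3 secret labels
        try:
            rand, master = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        except ValueError:
            continue  # malformed hex is skipped rather than trusted
        if len(rand) == 32 and len(master) == 48:
            secrets[rand] = master
    return secrets

def p_hash(secret, seed, length, digest):
    """RFC 5246 section 5 P_hash expansion, truncated to `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]

def derive_gcm_keys(master, client_random, server_random, suite):
    """Split the TLS 1.2 key block for an AEAD suite: no MAC keys, 4-byte salts."""
    if suite not in GCM_SUITES:
        raise ValueError("not a supported TLS 1.2 AES-GCM suite: 0x%04X" % suite)
    klen, digest = GCM_SUITES[suite]
    seed = b"key expansion" + server_random + client_random  # server random first
    kb = p_hash(master, seed, 2 * klen + 8, digest)
    return {"client_key": kb[:klen], "server_key": kb[klen:2 * klen],
            "client_iv": kb[2 * klen:2 * klen + 4], "server_iv": kb[2 * klen + 4:]}

def record_nonce(fixed_iv, fragment):
    """GCM nonce = 4-byte salt + the 8-byte explicit nonce leading the fragment."""
    return fixed_iv + fragment[:8]

# Constructed sample keylog, not from a real capture
SAMPLE_KEYLOG = ("# comment\nCLIENT_RANDOM " + "11" * 32 + " " + "22" * 48 +
                 "\nCLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "44" * 32 +
                 "\nCLIENT_RANDOM zz 00\n")
```

The keylog lookup is keyed on the ClientHello random, and the key-expansion seed puts the ServerHello random first, which is the reverse of the order used when the master secret itself is derived.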
