GHSA-m4w9-hjfw-vwj4: http4k: `HmacSha256.hash` (despite the `Hmac` naming) computed a plain unkeyed digest; clarified by deprecation in favour of `Sha256.hash` / `Sha256.hmac`
The HmacSha256 class contained two functions:
- hash(payload): a plain unkeyed SHA-256 digest. The Hmac prefix in the class name was misleading; this function has no key parameter, so it could never have been an HMAC.
- hmacSHA256(key, data): a properly keyed HMAC-SHA256.
A reader who didn’t engage with the function signature could in principle have assumed HmacSha256.hash(payload) was somehow keyed, but the absence of any key parameter made that misuse unlikely in practice.
Who is affected: any downstream caller who read the class name and used HmacSha256.hash as a message authentication code without noticing it takes no key. Verified at v6.47.2.0: zero internal misuse in http4k itself. Both production usages of HmacSha256.hash (AWS SigV4 canonical-request hashing in AwsSignatureV4Signer.kt and x-amz-content-sha256 in awsExtensions.kt) are AWS-spec-correct uses of plain SHA-256; every keyed hmacSHA256(key, data) call passes a real key. The advisory exists so any downstream caller relying on the misleadingly-named API knows to migrate.
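To make the migration concern concrete, here is an added example (not http4k code, and written in Python rather than Kotlin so it runs stand-alone) that models the two functions with stand-ins: an unkeyed SHA-256 used as if it were a MAC lets anyone recompute a valid tag for a tampered message, while the keyed HMAC does not. The payloads and key are constructed sample values.

```python
import hashlib
import hmac


def unkeyed_hash_tag(payload: bytes) -> str:
    """Stand-in for the misleadingly named HmacSha256.hash: plain SHA-256, no key.
    This is correct for content hashing (e.g. an x-amz-content-sha256 header),
    but useless as a message authentication code."""
    return hashlib.sha256(payload).hexdigest()


def keyed_hmac_tag(key: bytes, payload: bytes) -> str:
    """Stand-in for hmacSHA256(key, data) / Sha256.hmac: a real HMAC-SHA256."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_unkeyed(payload: bytes, tag: str) -> bool:
    """A receiver that mistook the unkeyed digest for a MAC."""
    return hmac.compare_digest(unkeyed_hash_tag(payload), tag)


def verify_keyed(key: bytes, payload: bytes, tag: str) -> bool:
    """A receiver that checks a keyed HMAC; constant-time comparison."""
    return hmac.compare_digest(keyed_hmac_tag(key, payload), tag)


def forgery_demo(key: bytes) -> tuple[bool, bool]:
    """Returns (unkeyed_receiver_accepts_forgery, keyed_receiver_accepts_forgery).

    The forger knows the algorithm but not the key, so the best tag it can
    produce for its tampered payload is the unkeyed digest."""
    tampered = b'{"amount": 9999, "to": "mallory"}'  # constructed sample payload
    forged_tag = unkeyed_hash_tag(tampered)         # anyone can compute this
    return verify_unkeyed(tampered, forged_tag), verify_keyed(key, tampered, forged_tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    print("unkeyed receiver accepts forgery, keyed receiver accepts forgery:",
          forgery_demo(key))
```

A grep for `HmacSha256.hash(` in a downstream code base separates the legitimate content-hash uses (which only need renaming to `Sha256.hash`) from any site where the result is compared or sent as an authentication tag.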