feat(self-packaging #45): flapi pack / info / unpack subcommands

[jrosskopf]

Part of epic #40. Stacked on #54 which is stacked on #53 -> #52 -> #51.

Summary

Closes the loop on self-packaging. After #41-#44 the runtime can
serve a bundled config tree; this PR adds the producer so the
same binary that serves bundles also creates them. The same artifact
is server + packager.

• New library: src/{include/,}pack.cpp
• CLI: argparse subparsers for pack / info / unpack in
  src/main.cpp. Zero-subcommand invocation
  (./flapi -c flapi.yaml) still runs the server, so existing
  operators see no change.

Library API

PackResult Pack(in_dir, out_path, PackOptions{});
int        PrintBundleInfo(ostream&);
int        PrintBundleInfoForPath(binary, ostream&);
UnpackResult UnpackBundle(dst_dir);
UnpackResult UnpackBundleFromPath(binary, dst_dir);
bool       IsSecretExcluded(rel_path);

Pack() flow:

1. Copy host bytes from options.host_binary_override (defaults to
   GetSelfPath()). If the host already has a trailing ZIP, only the
   pre-bundle prefix is copied -- re-pack is idempotent.
2. Recursive walk of in_dir. Files matching the default secret
   deny list (*.env at any depth, secrets/ segment at any
   depth, *.pem, *.key) cause PackError unless
   options.allow_secrets is set.
3. archive_io::WriteArchive (feat(self-packaging #41): libarchive + archive_io RAII wrapper #51) with SOURCE_DATE_EPOCH stamping
   and sorted entries; appended to the output.
4. Best-effort exec-bit copy from host -> output (Unix only).

CLI

$ ./flapi --help
Subcommands:
  info     Print bundle info (offset, size, entries) for this binary.
  pack     Package a flapi config tree into a self-contained executable.
  unpack   Dump the bundle of this binary into a directory.

$ ./flapi pack --in examples --out /tmp/flapi-prod --allow-secrets
Packed 17 entries (12534 bytes) into /tmp/flapi-prod

$ /tmp/flapi-prod info
Binary: /tmp/flapi-prod
Bundle offset: 1751413104
Bundle size:   12534 bytes
Entries (17):
  flapi.yaml (1024 bytes)
  sqls/customers.yaml (412 bytes)
  ...

$ /tmp/flapi-prod unpack --to /tmp/unpacked
Unpacked 17 entries to /tmp/unpacked

Subcommand handlers return early; the server-mode code path is
only reached when no subcommand was given.

The host_binary_override testability seam

The sanitiser-instrumented test binary is ~1.7 GB. Copying it for
every test case would push runtime past several minutes per case.
PackOptions::host_binary_override lets tests substitute a 4-KiB
fake host (with the EOCD signature scrubbed so the locator can't
mistake it for an existing bundle). Production code never touches
this knob.

Tests (10 cases / 38 assertions)

#	Test	What it asserts
1	IsSecretExcluded	default deny list + non-matches (envoy.conf, foo.pemmed)
2	Pack produces a bundled binary	entry count, output exists, EOCD locatable
3	Pack round-trip	extract bundle slice -> ReadArchive -> entries match input
4	secret rejection	.env in input -> PackError; output not written
5	--allow-secrets	bypasses the deny list, bundles 5 entries
6	re-pack idempotence	pack -> pack -> pack with stacked outputs, file size stable
7	host prefix preservation	bytes 0..host_size byte-for-byte match the host file
8	PrintBundleInfo no bundle	exit 1, output contains "none"
9	PrintBundleInfoForPath	lists flapi.yaml, sqls/customers.sql, data/cities.csv
10	UnpackBundleFromPath	4 entries restored to disk, bytes equal

Filters: [pack]
All tests passed (38 assertions in 10 test cases)

Smoke test (real flapi binary, not test binary)

• flapi --help shows three subcommands.
• flapi info on unbundled binary -> "Bundle: none (filesystem mode)", exit 1.
• flapi pack --in <dir> with .env in input -> single-line stderr error, exit 1.
• flapi pack ... --allow-secrets -> Packed N entries (M bytes), exit 0.
• <bundled> info -> offset (~1.6 GB into the host), size, entry list.
• <bundled> unpack --to <dir> -> all files restored.

Test plan

• 10 new pack tests green (38 assertions).
• Smoke test against the actual flapi binary covers all three
  subcommands + happy + error paths.
• Existing argparse usage unchanged when no subcommand is given;
  ./flapi -c flapi.yaml still launches server mode.
• CI cross-platform once stack lands.

What's not in this PR (deferred)

• YAML path rewriting to embed:// -- the issue body mentions
  rewriting paths in YAML so the same configs work both unpacked
  and bundled. In practice the IFileProvider factory dispatch
  (feat(self-packaging #43): EmbeddedArchiveFileProvider + factory dispatch + startup wire-up #53) already handles non-remote paths transparently from a
  bundle, so this isn't needed for the IFileProvider side. It's
  still needed for SQL templates that contain read_csv('data/x.csv')
  (DuckDB-side reads bypass IFileProvider). Filing as follow-up
  rather than expanding this PR.
• Integration tests against the round-trip behaviour -- that's
  the explicit scope of Self-packaging #6: Integration tests — round-trip parity (spike behaviours 1-9) #46.

Closes #45. Part of #40. Stacked on #54 -> #53 -> #52 -> #51.