fix(release): stabilize upstream pinning and align AIO package tags

[JSONbored]

Summary

This PR finalizes sure-aio runtime/template coverage and hardens release/publish behavior so stable upstream tracking, AIO metadata, and package tags stay consistent and maintainable.

What changed

• Exposed remaining upstream runtime/self-host env options in sure-aio.xml so power users can configure them directly in Unraid without editing image internals.
• Reduced runtime image footprint and startup overhead while keeping full AIO functionality (web, worker, postgres, redis).
• Hardened startup/service behavior:
  • safer init ownership handling for /etc/postgresql presence/absence
  • fail-fast shell handling in DB setup init script
  • increased healthcheck start period to reduce false-unhealthy on first boot
• Added integrity verification for s6-overlay downloads via SHA256 checksums.
• Fixed upstream monitor logic so digest is resolved from the selected stable version tag (instead of latest), preventing prerelease digest drift.
• Added digest-only upstream refresh handling in sync workflow (branch/title/output wiring).
• Added explicit OCI labels for both layers:
  • upstream app metadata (io.jsonbored.upstream.*)
  • AIO wrapper metadata (io.jsonbored.wrapper.*)
• Updated package line tag logic to derive aio-vN from latest released revision for that upstream line:
  • e.g. v0.6.9-aio.3 release now maps to package tag v0.6.9-aio-v3
• Updated release/versioning docs to reflect current tag behavior.

Why

• Prevent accidental alpha/beta drift when stable pins are expected.
• Remove version/tag ambiguity between upstream app version and wrapper release revision.
• Keep AIO defaults beginner-friendly while preserving full power-user configurability in template.
• Improve operational reliability and long-term maintainability across CI/CD and releases.

Validation

• Local checks:
  • python3 scripts/validate-template.py
  • python3 scripts/check-upstream.py
  • bash -n scripts/smoke-test.sh
• Container validation:
  • local build succeeded for updated image
  • scripts/smoke-test.sh sure-aio:<local-tag> passed
  • verified embedded app version remains stable (0.6.9)
• CodeRabbit CLI:
  • review attempted; blocked by temporary API rate limiting during final pass.

Notes

• Merge to main will publish package tags (latest, upstream version, upstream-aio-vN, sha-*).
• GitHub Release/tag (v0.6.9-aio.3) still requires running the release workflow (prepare -> merge release PR -> publish).