feat: add optional Nix container flavor for docker-git projects

[skulidropek]

Summary

This PR implements a safe migration path toward Nix-based containers without breaking current users.

• Adds baseFlavor to project template config (ubuntu | nix), default = ubuntu
• Adds CLI options:
  • --base-flavor <ubuntu|nix>
  • --nix / --ubuntu shorthand
• Adds TUI create-flow support for selecting base flavor
• Adds Nix Dockerfile rendering path (nixos/nix + nix profile install ...) while keeping existing Ubuntu path intact
• Keeps SSH/entrypoint behavior stable by preserving expected binary paths (/usr/bin/zsh, /usr/sbin/sshd)
• Adds schema fallback so old docker-git.json (without baseFlavor) still works
• Updates docs and tests

Why this approach is practical

A hard switch to Nix for everyone is risky. This PR introduces a dual-mode system so teams can migrate project-by-project, compare stability/performance, and roll back instantly by switching flavor.

Proof (tests)

1) Parser supports new flags

pnpm --filter ./packages/app exec vitest run tests/docker-git/parser.test.ts
# ✓ tests/docker-git/parser.test.ts (28 tests)

2) Template generation supports Nix flavor

pnpm --filter ./packages/docker-git test
# ✓ tests/core/templates.test.ts (includes Nix flavor assertions)

3) Type/lint checks for changed packages

pnpm --filter ./packages/lib typecheck
pnpm --filter ./packages/app typecheck
pnpm --filter ./packages/lib lint:effect
pnpm --filter ./packages/app lint:effect
pnpm --filter ./packages/docker-git lint

Closes #36

[ezocomp118-source]

Design note 1/3 (feasibility):

A full immediate switch from Ubuntu -> Nix for all generated containers is not cost-effective right now because we would couple infrastructure migration with product behavior changes.

So this PR uses a dual-flavor architecture (ubuntu default + optional nix) to preserve backward compatibility while enabling controlled rollout per project. This reduces blast radius and keeps rollback trivial (--base-flavor ubuntu).

[ezocomp118-source]

Design note 2/3 (runtime compatibility):

Entrypoint logic expects legacy absolute paths (/usr/bin/zsh, /usr/sbin/sshd). Nix profiles place binaries under /nix/store/..., so the Nix Dockerfile path explicitly creates compatibility symlinks.

This preserves existing shell/SSH startup behavior and avoids unrelated refactors in the same migration change.

[ezocomp118-source]

Design note 3/3 (migration strategy):

Recommended rollout after merge:

1. Use --nix only for selected repos/issues.
2. Compare build/startup time and tool parity (docker, gh, codex, SSH).
3. Keep Ubuntu as default until parity is consistently stable.

This keeps team throughput high while collecting real-world data before any default-flavor flip.