Add --verifiable flag to stellar contract build

[fnando]

What

Adds a --verifiable flag to stellar contract build that performs a reproducible build inside a digest-pinned Docker container and stamps SEP-58 metadata (bldimg, source_rev, bldopt, plus the source-identification fields) into the resulting WASM so third parties can re-run the build and verify the output byte-for-byte.

New flags, all grouped under a Verifiable help section:

• --verifiable — opt in to the reproducible build mode; implies --locked and requires a clean git working tree.
• --image — override the auto-selected container image. Must be digest-pinned (...@sha256:...); tag-only refs are rejected.
• --source-repo + --source-rev — SEP-58 git-based source identification (HTTPS URL / github:user/repo plus the 40-char commit SHA).
• --tarball-url + --tarball-sha256 — SEP-58 tarball-based source identification, as an alternative to the git pair.
• -d/--docker-host (also reads DOCKER_HOST) — override the docker daemon endpoint.

Why

SEP-58 defines how to verify that a deployed contract WASM came from a specific source revision built with a specific toolchain image. Until now the CLI had no built-in way to produce such a build — users had to assemble the docker invocation, run cargo inside it, and stamp the custom sections by hand. This makes it a first-class option on stellar contract build.

Known limitations

N/A