
fix(packages): PackageLoader accepts wheelsVersion constraint but never validates it #2231

@bpamiri

Description


GA blocker (Bucket A6 in audit)

`PackageLoader.cfc` reads `wheelsVersion` from every package's `package.json` and stores it, but never checks it against the running Wheels version. A package built for Wheels 2.x that lands in `vendor/` is loaded and mixed in with no warning, risking silent API incompatibility.

Evidence

Every first-party package ships a `wheelsVersion` constraint (e.g. `">=3.0"`) expecting this to be enforced. It isn't.

Fix

  • Add a SemVer constraint matcher. Options: port a tiny SemVer impl, or call Lucee's built-in if available.
  • In `$loadPackage()`, after parsing manifest, reject (skip + log) packages whose `wheelsVersion` constraint fails against the runtime version.
  • Use the framework's existing per-package error isolation — a rejected package must not crash the app.
  • Add tests: package with `">=99.0"` constraint → rejected with clear log. Package with `">=3.0"` → accepted on 4.0.

Acceptance

  • Running 4.0 with a package declaring `"wheelsVersion": ">=99.0"` logs a rejection and skips load.
  • Existing first-party packages (sentry, hotwire, basecoat, legacyadapter) still load on 4.0.
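As an added example (not code from the Wheels repository or from this issue), here is one shape the SemVer matcher and the `$loadPackage()` gate from the Fix list could take, exercised against the Acceptance cases. The function names `parseVersion`, `compareVersions`, `satisfies` and `checkWheelsVersion`, the supported constraint grammar, and the `requireConstraint` option are assumptions; the manifests at the bottom are constructed, not real packages.

```cfml
<cfscript>
// Added example, not code from the Wheels repository: a minimal SemVer
// constraint matcher plus a manifest gate that a loader such as
// $loadPackage() could call after parsing package.json. Names are assumptions.

// "4.0" / "4.0.1" -> [major, minor, patch]; missing parts default to 0.
// Pre-release and build suffixes ("4.0.0-rc.1", "4.0.0+build") are ignored.
array function parseVersion(required string version) {
    var core  = listFirst(trim(arguments.version), "-+");
    var parts = listToArray(core, ".");
    var out   = [];
    var i     = 0;
    for (i = 1; i <= 3; i++) {
        arrayAppend(out, i <= arrayLen(parts) ? val(parts[i]) : 0);
    }
    return out;
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b.
numeric function compareVersions(required string a, required string b) {
    var pa = parseVersion(arguments.a);
    var pb = parseVersion(arguments.b);
    var i  = 0;
    for (i = 1; i <= 3; i++) {
        if (pa[i] < pb[i]) return -1;
        if (pa[i] > pb[i]) return 1;
    }
    return 0;
}

// Constraint grammar: comma-separated clauses, each "<op><version>" with op in
// >=, <=, >, <, = (no op means exact match); every clause must hold.
// Empty or malformed constraints return false so the caller fails closed.
boolean function satisfies(required string version, required string constraint) {
    var clauses   = listToArray(arguments.constraint, ",");
    var ops       = [">=", "<=", ">", "<", "="];  // two-char ops checked first
    var clause    = "";
    var candidate = "";
    var op        = "";
    var text      = "";
    var cmp       = 0;
    if (arrayIsEmpty(clauses)) return false;
    for (clause in clauses) {
        text = trim(clause);
        op   = "=";
        for (candidate in ops) {
            if (len(text) >= len(candidate) && left(text, len(candidate)) == candidate) {
                op   = candidate;
                text = trim(removeChars(text, 1, len(candidate)));
                break;
            }
        }
        if (!reFind("^[0-9]+(\.[0-9]+)*$", text)) return false;
        cmp = compareVersions(arguments.version, text);
        switch (op) {
            case ">=": if (cmp < 0)  return false; break;
            case "<=": if (cmp > 0)  return false; break;
            case ">":  if (cmp <= 0) return false; break;
            case "<":  if (cmp >= 0) return false; break;
            default:   if (cmp != 0) return false;
        }
    }
    return true;
}

// Gate for the loader: returns a struct instead of throwing, so the caller can
// skip the package and log the message, keeping per-package error isolation.
// requireConstraint=true makes a missing wheelsVersion a rejection as well.
struct function checkWheelsVersion(required struct manifest, required string runtimeVersion,
                                   string packageName = "unknown", boolean requireConstraint = false) {
    var result     = { accepted = false, message = "" };
    var constraint = structKeyExists(arguments.manifest, "wheelsVersion")
                     ? trim(arguments.manifest.wheelsVersion) : "";
    if (!len(constraint)) {
        result.accepted = !arguments.requireConstraint;
        result.message  = "Package '#arguments.packageName#' declares no wheelsVersion; "
                        & (result.accepted ? "loading unchecked" : "skipped (constraint required)");
        return result;
    }
    result.accepted = satisfies(arguments.runtimeVersion, constraint);
    result.message  = "Package '#arguments.packageName#' " & (result.accepted ? "accepted" : "skipped")
                    & ": wheelsVersion '#constraint#' " & (result.accepted ? "satisfied" : "not satisfied")
                    & " by runtime #arguments.runtimeVersion#";
    return result;
}

// Constructed manifests mirroring the issue's acceptance criteria (not real packages).
manifests = [
    { name = "oldapi",  manifest = { wheelsVersion = ">=99.0" } },
    { name = "sentry",  manifest = { wheelsVersion = ">=3.0" } },
    { name = "ranged",  manifest = { wheelsVersion = ">=3.0, <4.0" } },
    { name = "noconst", manifest = {} }
];
for (entry in manifests) {
    check = checkWheelsVersion(entry.manifest, "4.0", entry.name);
    writeOutput((check.accepted ? "ACCEPT " : "REJECT ") & check.message & "<br>");
}
</cfscript>
```

Saved as a `.cfm` and run on Lucee, the `>=99.0` and `>=3.0, <4.0` manifests are reported as skipped, `>=3.0` as accepted on 4.0, and the manifest with no constraint loads unchecked unless `requireConstraint` is passed as true. The gate returns a struct rather than throwing so the loader can log and move on to the next package, which is the per-package isolation the Fix list asks for; an empty or malformed constraint fails closed instead of being treated as "anything goes".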

Refs: GA audit doc

Metadata

Labels: bug, phase:1-stabilize (Bugs, cleanup, CI fixes — tackle first)
