feat(cli): add bundle workflows and dependency explainability

[ian-pascoe]

Summary

• add bundle export and bundle apply flows with deterministic planning/apply behavior, overlap protection across multi-target plans, strict bundle parsing, and dry-run/explain output support
• add package introspection and service/cache command coverage (outdated, depends, uses, why, services, cache) while preserving deterministic machine output contracts
• extend manifest and docs with description and guarded source_build metadata, plus --build-from-source fail-closed command guardrails

Verification

• rustup run stable cargo fmt --all --check
• rustup run stable cargo clippy --workspace --all-targets --all-features -- -D warnings
• rustup run stable cargo build --workspace --locked
• rustup run stable cargo test --workspace

[ian-pascoe]

@codex review for bugs and security issues

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 62dbdeaf24

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Thread build-from-source option through upgrade resolution

The upgrade flow hard-codes build_from_source to false, so any installed package version that only publishes source_build metadata (no matching binary artifact for the target) cannot be upgraded even though install/bundle can opt into source builds. In that case select_install_plan_for_target returns the "rerun with --build-from-source" error, but upgrade has no way to set that flag, making upgrades for those packages permanently fail.

Useful? React with 👍 / 👎.

[ian-pascoe]

Fixed in dd3e0ec.

• Added --build-from-source to upgrade CLI surface and threaded it through dispatch into upgrade resolution.
• Replaced hard-coded false in upgrade resolution paths with the option value for both single-package and grouped upgrade plans (dry-run + apply paths).
• Added regression coverage:
  • cli_parses_upgrade_with_build_from_source_flag
  • upgrade_build_from_source_opt_in_unblocks_source_only_upgrade_resolution

This now allows upgrade dry-runs/plans to resolve source-only packages when explicitly opted in, and still fails closed without the flag.