feat: Phase 1 foundations — kube-rs client, OpenBao HTTP client, self-update

kube.rs:
- KubeClient with lazy init from kubeconfig + context selection
- SSH tunnel via subprocess (port 2222, forward 16443->6443)
- Server-side apply for multi-document YAML via kube-rs discovery
- Secret get/create, namespace ensure, exec in pod, rollout restart
- Domain discovery from gitea-inline-config secret
- kustomize_build with embedded binary, domain/email/registry substitution
- kubectl and bao CLI passthrough commands

openbao.rs:
- Lightweight Vault/OpenBao HTTP API client using reqwest
- System ops: seal-status, init, unseal
- KV v2: get, put, patch, delete with proper response parsing
- Auth: enable method, write policy, write roles
- Database secrets engine: config, static roles
- Replaces all kubectl exec bao shell commands from Python version

update.rs:
- Self-update from latest mainline commit via Gitea API
- CI artifact download with SHA256 checksum verification
- Atomic self-replace (temp file + rename)
- Background update check with hourly cache (~/.local/share/sunbeam/)
- Enhanced version command with target triple and build date

build.rs:
- Added SUNBEAM_TARGET and SUNBEAM_BUILD_DATE env vars

35 tests pass.

build.rs

@@ -21,6 +21,11 @@ fn main() {
     let commit = git_commit_sha();
     println!("cargo:rustc-env=SUNBEAM_COMMIT={commit}");
 
+    // Build target triple and build date
+    println!("cargo:rustc-env=SUNBEAM_TARGET={target}");
+    let date = chrono::Utc::now().format("%Y-%m-%d").to_string();
+    println!("cargo:rustc-env=SUNBEAM_BUILD_DATE={date}");
+
     // Rebuild if git HEAD changes
     println!("cargo:rerun-if-changed=.git/HEAD");
 }