feat(wfectl): new CLI client + wfe-ci builder image

wfectl is a command-line client for wfe-server with 17 subcommands
covering the full workflow lifecycle:

* Auth: login (OAuth2 PKCE via Ory Hydra), logout, whoami
* Definitions: register (YAML → gRPC), validate (local compile),
  definitions list
* Instances: run, get, list, cancel, suspend, resume
* Events: publish
* Streaming: watch (lifecycle), logs, search-logs (full-text)

Key design points:

* `validate` compiles YAML locally via `wfe-yaml::load_workflow_from_str`
  with the full executor feature set enabled — instant feedback, no
  server round-trip, no auth required. Uses the same compile path as
  the server's `register` RPC so what passes validation is guaranteed
  to register.
* Lookup commands accept either UUID or human name; the server
  resolves the identifier for us. Display tables show both columns.
* `run --name <N>` lets users override the auto-generated
  `{def_id}-{N}` instance name when they want a sticky reference.
* Table and JSON output formats, shared bearer-token or cached-login
  auth path, direct token injection via `WFECTL_TOKEN`.
* 5 new unit tests for the validate command cover happy path, unknown
  step type rejection, and missing file handling.

Dockerfile.ci ships the prebuilt image used as the `image:` for
kubernetes CI steps: rust stable, cargo-nextest, cargo-llvm-cov,
sccache (configured via WFE_SCCACHE_* env), buildctl for in-cluster
buildkitd, kubectl, tea for Gitea releases, and git. Published to
`src.sunbeam.pt/studio/wfe-ci:latest`.

Dockerfile.ci

@@ -0,0 +1,55 @@
+# wfe-ci: Prebuilt image for running wfe CI workflows in Kubernetes.
+#
+# Contains:
+#   - Rust stable toolchain
+#   - cargo-nextest, cargo-llvm-cov
+#   - sccache (configured via env vars from Vault)
+#   - buildkit client (buildctl) for in-cluster buildkitd
+#   - tea CLI for Gitea release management
+#   - git, curl, kubectl
+#
+# Usage in workflows: type: kubernetes, image: src.sunbeam.pt/studio/wfe-ci:latest
+
+FROM rust:bookworm
+
+# System packages
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        ca-certificates \
+        curl \
+        git \
+        jq \
+        libssl-dev \
+        pkg-config \
+        protobuf-compiler \
+        unzip \
+        xz-utils \
+    && rm -rf /var/lib/apt/lists/*
+
+# Cargo tools
+RUN cargo install --locked cargo-nextest cargo-llvm-cov sccache && \
+    rm -rf /usr/local/cargo/registry
+
+# Buildkit client (buildctl)
+ARG BUILDKIT_VERSION=v0.28.0
+RUN curl -fsSL "https://github.com/moby/buildkit/releases/download/${BUILDKIT_VERSION}/buildkit-${BUILDKIT_VERSION}.linux-amd64.tar.gz" \
+      | tar -xz -C /usr/local --strip-components=1 bin/buildctl
+
+# kubectl
+RUN curl -fsSL "https://dl.k8s.io/release/$(curl -fsSL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
+      -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl
+
+# tea CLI for Gitea
+ARG TEA_VERSION=0.11.0
+RUN curl -fsSL "https://gitea.com/gitea/tea/releases/download/v${TEA_VERSION}/tea-${TEA_VERSION}-linux-amd64" \
+      -o /usr/local/bin/tea && chmod +x /usr/local/bin/tea
+
+# llvm tools (needed by cargo-llvm-cov)
+RUN rustup component add llvm-tools-preview
+
+# Sccache wrapper config — expects SCCACHE_S3_ENDPOINT, SCCACHE_BUCKET, etc. via env.
+ENV RUSTC_WRAPPER=/usr/local/cargo/bin/sccache \
+    CARGO_INCREMENTAL=0
+
+WORKDIR /workspace
+
+CMD ["bash"]