
feat(macOS): add Homebrew trust/untrust support to mac_brew_pkg #69496

Merged
dwoz merged 3 commits into saltstack:master from cdalvaro:feature/mac_brew_pkg_trust_taps
Jun 21, 2026
cdalvaro commented Jun 20, 2026

Contributor

What does this PR do?

Adds support for Homebrew's brew trust and brew untrust commands to the mac_brew_pkg execution module, and introduces two new state functions (pkg.trusted / pkg.untrusted) to the pkg state module.

Homebrew introduced a trust system for non-official taps, formulae, casks and external commands so they can be explicitly allowed when $HOMEBREW_REQUIRE_TAP_TRUST is set. This PR brings that capability to Salt.

New execution module functions (salt.modules.mac_brew_pkg):

  • pkg.list_trusted([type]) — returns all trusted items via brew trust --json=v1. Without a type filter, returns a dict keyed by taps, formulae, casks, commands. With a type filter, returns a plain list.
  • pkg.trust(name, [type]) — trusts a tap, formula, cask or command. Accepts an optional type (tap, formula, cask, command); Homebrew auto-detects when omitted. Also accepts remote URLs for taps.
  • pkg.untrust(name, [type]) — removes trust from a tap, formula, cask or command.
  • pkg.is_trusted(name, [type]) — returns True if the item is currently trusted.

New state functions (salt.states.pkg):

  • pkg.trusted — ensures an item is trusted (idempotent, supports test mode).
  • pkg.untrusted — ensures an item is not trusted (idempotent, supports test mode).

Both state functions degrade gracefully on non-Homebrew package managers by returning result: False with an explanatory message.

What issues does this PR fix or reference?

Fixes

Related Homebrew PRs that introduced the trust feature:

Previous Behavior

There was no way to manage Homebrew's trust list via Salt. Non-official taps, formulae, casks and external commands could not be trusted or untrusted programmatically, and their trust state could not be queried.

New Behavior

Salt can now manage Homebrew trust via the execution module:

# List all trusted items
salt '*' pkg.list_trusted

# List trusted taps only
salt '*' pkg.list_trusted type=tap

# Trust a tap
salt '*' pkg.trust cdalvaro/tap type=tap

# Untrust a formula
salt '*' pkg.untrust cdalvaro/tap/salt type=formula

# Check trust state
salt '*' pkg.is_trusted cdalvaro/tap

And via Salt states:

# Ensure a tap is trusted
cdalvaro/tap:
  pkg.trusted:
    - type: tap

# Ensure a formula is trusted
cdalvaro/tap/salt:
  pkg.trusted:
    - type: formula

# Ensure a tap is not trusted
untrusted_tap:
  pkg.untrusted:
    - name: cdalvaro/tap
    - type: tap

Merge requirements satisfied?

[NOTICE] Bug fixes or features added to Salt require tests.

Tests added:

  • tests/pytests/unit/modules/test_mac_brew_pkg.py — 15 new unit tests covering list_trusted, trust, untrust and is_trusted (success, failure, type validation and type filtering).
  • tests/pytests/unit/states/test_pkg.py — 10 new unit tests covering pkg.trusted and pkg.untrusted (function unavailable, already in desired state, test mode, success, and failure).

Commits signed with GPG?

Yes

@cdalvaro cdalvaro requested a review from a team as a code owner June 20, 2026 13:18
@cdalvaro cdalvaro force-pushed the feature/mac_brew_pkg_trust_taps branch from fcfbd5c to 4a5cd4f Compare June 20, 2026 14:26
cdalvaro added 2 commits June 20, 2026 19:27
These states allow trusting and untrusting packages and sources when using
Homebrew.
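
An added example, not part of the PR or of Salt's code: a drift check that compares the dict shape the description gives for pkg.list_trusted against a reviewed allowlist and renders pkg.untrusted states for anything unexpected. It assumes each category holds a list of item names; the function names and the sample data are constructed for illustration.

```python
import json
import re

# Plural keys in the list_trusted dict -> singular "type" the states accept
KEY_TO_TYPE = {"taps": "tap", "formulae": "formula",
               "casks": "cask", "commands": "command"}


def trust_drift(trusted, allowed):
    """Return (unexpected, missing) as lists of (type, name) tuples."""
    unknown = sorted(set(trusted) - set(KEY_TO_TYPE))
    if unknown:
        # Fail closed: an unrecognised category could hold unaudited trust
        raise ValueError(f"unrecognised trust categories: {unknown}")
    unexpected, missing = [], []
    for key, typ in KEY_TO_TYPE.items():
        have = set(trusted.get(key) or [])
        want = set(allowed.get(key) or [])
        unexpected += [(typ, name) for name in sorted(have - want)]
        missing += [(typ, name) for name in sorted(want - have)]
    return unexpected, missing


def render_untrusted_states(unexpected):
    """Render SLS text in the pkg.untrusted form shown in the PR description."""
    lines = []
    for typ, name in unexpected:
        state_id = "untrust_%s_%s" % (typ, re.sub(r"[^A-Za-z0-9_.-]", "_", name))
        lines += [f"{state_id}:",
                  "  pkg.untrusted:",
                  # JSON string quoting is valid YAML, so URLs stay one scalar
                  f"    - name: {json.dumps(name)}",
                  f"    - type: {typ}",
                  ""]
    return "\n".join(lines)


# Constructed sample data, assuming each category is a list of names
SAMPLE_TRUSTED = {"taps": ["cdalvaro/tap", "example/unreviewed"],
                  "formulae": ["cdalvaro/tap/salt"], "casks": [], "commands": []}
SAMPLE_ALLOWED = {"taps": ["cdalvaro/tap"],
                  "formulae": ["cdalvaro/tap/salt", "example/tap/tool"]}

if __name__ == "__main__":
    extra, absent = trust_drift(SAMPLE_TRUSTED, SAMPLE_ALLOWED)
    print("trusted but not allowlisted:", extra)
    print("allowlisted but not trusted:", absent)
    print(render_untrusted_states(extra))
```

The `trusted` argument can be fed from `salt --out=json '*' pkg.list_trusted`, one minion at a time.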

Labels

test:full Run the full test suite

2 participants