Commit ba2195c

JAORMX and claude committed
Add Applier for upgrading workloads in place
Detecting an available upgrade is only useful if users can apply it while keeping their configuration. Add the apply path that the CLI and API will drive.

Add upgrade.Applier: it reloads the workload's saved config, re-runs the check on fresh state (so a stale result can never drive an apply), resolves the candidate from the registry, and rebuilds the run config preserving the full user configuration — auth, authz, audit, telemetry, tools filters, volumes, secrets, ports, permission profile, and more — changing only the image, merged env/secrets, and re-resolved registry URLs. New required env vars surface through the injected validator.

Crucially, the candidate image is verified and pulled (and the policy gate runs) before the destructive stop/delete/start, so a missing or unverifiable image leaves the running workload untouched — there is no rollback once UpdateWorkload begins. Verification uses the same path as thv run.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 53115aa commit ba2195c

2 files changed

Lines changed: 972 additions & 0 deletions
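
The ordering the commit message describes (check on fresh state, then verify and pull, then the destructive replace), shown as an added Go example that is not code from this commit. `RunConfig`, `Backend`, `Apply` and the `fake` backend are hypothetical names, and the image references are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// RunConfig and Backend are hypothetical stand-ins, not the project's types.
type RunConfig struct {
	Image string
	Env   map[string]string // user configuration that must survive the upgrade
}
type Backend interface {
	Check(name string) (candidate string, err error) // upgrade check on fresh state
	VerifyAndPull(image string) error                // non-destructive
	Replace(name string, cfg RunConfig) error        // destructive stop/delete/start
}

// Apply re-checks, verifies and pulls, and only then replaces the workload.
func Apply(b Backend, name string, saved RunConfig) (RunConfig, error) {
	candidate, err := b.Check(name) // never reuse a cached check result
	if err != nil {
		return saved, fmt.Errorf("check: %w", err)
	}
	if candidate == "" || candidate == saved.Image {
		return saved, errors.New("no upgrade available")
	}
	if err := b.VerifyAndPull(candidate); err != nil {
		return saved, fmt.Errorf("verify %s: %w", candidate, err) // workload untouched
	}
	next := saved // struct copy keeps every user setting
	next.Image = candidate
	if err := b.Replace(name, next); err != nil {
		return saved, fmt.Errorf("replace: %w", err) // no rollback past this point
	}
	return next, nil
}

// fake is a constructed in-memory backend that records the call order.
type fake struct{ candidate string; verifyErr error; calls []string }

func (f *fake) Check(string) (string, error)    { f.calls = append(f.calls, "check"); return f.candidate, nil }
func (f *fake) VerifyAndPull(string) error      { f.calls = append(f.calls, "verify"); return f.verifyErr }
func (f *fake) Replace(string, RunConfig) error { f.calls = append(f.calls, "replace"); return nil }

func main() {
	f := &fake{candidate: "registry.example/server:v2", verifyErr: errors.New("signature mismatch")}
	fmt.Println(Apply(f, "demo", RunConfig{Image: "registry.example/server:v1"}))
}
```

A test that asserts on the recorded call order catches a later refactor that moves the destructive step ahead of verification.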