feat(stack): pluggable backend system with native k3s support #135

Open
bussyjd wants to merge 1 commit into integration-okr-1 from feature/k3s-backend

@bussyjd bussyjd commented Feb 6, 2026

Summary

  • Introduces a Backend interface that abstracts cluster lifecycle, enabling both k3d (default) and native k3s backends
  • Native k3s is a prerequisite for TEE/Confidential Computing — k3d cannot provide the direct hardware access needed for AMD SEV-SNP, Intel TDX, or GPU TEE workloads
  • Fixes pre-existing helmfile template issues (eRPC secretEnv type mismatch, obol-frontend escaped quotes, .Values.* unavailable during gotmpl first-pass rendering)

What changed

| Area | Change |
|------|--------|
| Backend interface | New Backend with Init, Up, Down, Destroy, IsRunning, DataDir — k3d extracted into K3dBackend, new K3sBackend added |
| k3s process management | PID tracking, sudo kill -0 liveness checks, process group signals, k3s-killall.sh cleanup, API server readiness polling |
| Helmfile templates | helmfile.yaml → helmfile.yaml.gotmpl, env vars replace .Values.* references, KUBECONFIG propagated to hooks |
| eRPC values | secretEnv changed from nested map to {}, secret injected via extraEnv with valueFrom.secretKeyRef |
| obol-frontend values | Replaced {{ printf \"...\" }} with direct interpolation and single-quoted env calls |
| Tests | 26 unit tests (backend selection, PID parsing, config, Init templates) + 10 integration test scenarios behind //go:build integration |

Test results

  • Unit tests: 26/26 pass with -race
  • K3s integration: 32/33 flow tests pass (11 scenarios: init, up, kubectl, idempotent, down, restart, purge)
  • Helmfile deploy: All 10 releases succeed on k3s (base, reloader, monitoring, gateway-api-crds, traefik, cloudflared, erpc, erpc-httproute, obol-frontend, obol-frontend-httproute)

Test plan

  • Unit tests pass (go test -race ./internal/stack/)
  • K3s: stack init --backend k3s → stack up → full helmfile deploy
  • K3s: stack down → stack up restart cycle
  • K3s: stack purge --force full cleanup
  • K3d: backward compatibility (blocked by local Docker/kernel issue, not code-related)
  • Network install on k3s backend

Closes #134

Introduce a Backend interface that abstracts cluster lifecycle management,
enabling both k3d (Docker-based, default) and k3s (native bare-metal) backends.
This is a prerequisite for TEE/Confidential Computing workloads which require
direct hardware access that k3d cannot provide.

Changes:
- Add Backend interface (Init, Up, Down, Destroy, IsRunning, DataDir)
- Extract k3d logic into K3dBackend with backward-compatible fallback
- Add K3sBackend with sudo process management, PID tracking, and
  API server readiness checks
- Convert helmfile.yaml to helmfile.yaml.gotmpl using env vars instead
  of .Values references (fixes first-pass template rendering)
- Fix eRPC secretEnv type mismatch (map vs string for b64enc)
- Fix obol-frontend escaped quotes in gotmpl expressions
- Add KUBECONFIG env var to helmfile command for hook compatibility
- Add 26 unit tests and 10 integration test scenarios

Closes #134