feat(deploy): implement resumable deploy wizard

[wyattjoh]

Summary

This PR adds the first hidden clerk deploy implementation for guiding a linked Clerk app from development setup toward production. In human mode, the wizard validates clone compatibility, discovers enabled OAuth providers from the development instance config, asks for a user-owned production domain, creates a production instance, guides DNS setup, collects production OAuth credentials, and prints production next steps. In agent mode, the command still exits early with a structured deployment prompt for noninteractive use.

Details

• Registers a hidden clerk deploy command with --debug, --continue, and --abort.
• Adds deploy API-shaped mocks for the production-instance lifecycle: validate cloning, create production instance, deploy-status polling, SSL/mail retry hooks, and production config patching. These are intentionally isolated in commands/deploy/api.ts with FIXME(deploy) markers so each helper can be replaced by a live Platform API call later.
• Persists paused deploy state in the CLI profile, including app and development instance identity, production instance/domain ids, the active DNS or OAuth step, all enabled OAuth providers, and completed provider progress.
• Supports safe pause/resume behavior for DNS handoff, skipped OAuth setup, and prompt interruption. Plain clerk deploy refuses to start a second operation while a deploy bookmark exists, and --continue validates that the saved bookmark belongs to the currently linked project.
• Adds OAuth credential flows for Google, GitHub, Microsoft, Apple, and Linear. Google can import a downloaded OAuth JSON file, Apple validates the selected .p8 private key file, and provider walkthroughs show the required production origins and redirect URLs.
• Adds deploy-specific copy helpers for the plan summary, CNAME records, dashboard handoff, pause messaging, production summary, and post-deploy next steps.
• Extends spinner/log gutter rendering with tone-aware rails for active, paused, cancelled, failed, and successful command states, plus more robust prompt-exit handling.
• Replaces key-shaped mock deploy values with MOCKED_NOT_REAL_FIXME so the branch does not trip secret scanning.

Reviewer Notes

• This command is hidden for now.
• The deploy lifecycle API calls are mocked by design. The only live read in the wizard is development instance config discovery via existing PLAPI plumbing.
• Production OAuth writes are also mocked while the production instance returned by the deploy flow is fake.
• The deploy README was updated with the current mocked endpoint surface, sequence diagram, OAuth credential shapes, and resume/abort behavior.

Testing

• bun run scripts/run-tests.ts --pattern 'packages/cli-core/src/commands/deploy/index.test.ts' --concurrency 1